Website Hacking Series; Part A: Bruteforcing using Burpsuite

Frankline Misango
7 min read · Feb 18, 2023


Cover image: anonymous hacker picture (source: KatzarmarMuvhar / Wikimedia Commons)

Disclaimer: This article is for educational purposes and seeks to promote ethical hacking and superior cybersecurity practices in organizations and private entities. It does not advocate any malicious intent. Furthermore, all materials used in this tutorial are solely personal and intentionally set up to be vulnerable. I therefore absolve myself from any future unauthorized scripting by parties reading this article that may compromise the integrity of respective wireless networks.

Website and web application hacking is one of the most common attack categories in this era. Have you ever wanted to log in to a website but been unable to because of a warning such as “This site contains malware”? Well, that means that hackers like me are trying to compromise the system. Jokes aside, I haven’t hacked any website without permission. Most of the time, by the way, that website error is the result of malicious hacking, since attackers tend to upload malicious scripts, usually written in PHP, into the system.

In this article, we begin with a basic brute-force attack against the Damn Vulnerable Web Application (DVWA), using the credentials we set at the start of the article. DVWA is a deliberately vulnerable playground where anyone can practise web hacking skills. You can also try the problems from CTF competitions.

In this 5-episode series, I will be using DVWA for web app hacking.

Requirements

  • Kali Linux (as a separate OS or as a VMware Kali Linux VM)
  • Burp Suite (installed by default in Kali)
  • DVWA (download from https://github.com/digininja/DVWA)
  • MySQL (installed by default in Kali)
  • Apache (installed by default in Kali)
  • Basic mastery of MySQL

NB: [This is quite a lengthy article, mostly image demonstrations, and it requires absolute commitment to master the scripting. However, it is very basic: minimal scripting is actually needed, since we are using already-built GUI tools which are very easy to navigate.]

Procedure

  1. Installing & running DVWA. This video offers the best explanation for getting DVWA up and running and walks through the script instructions below (if you succeed with it, jump to step 2 directly). Otherwise, we begin as below.
  • Navigate to your file system folder, right-click and click “Open Terminal Here”.
Here you need to right-click and open a new terminal. Check the next step for the navigation; we are only targeting the var folder.
  • Type cd /var/www/html to go to the html folder in the terminal, then clone DVWA from https://github.com/digininja/DVWA to begin the DVWA installation. After cloning, make DVWA executable [use root permissions]. We now navigate to the config folder in DVWA to set up the PHP configuration. Make a copy of config.inc.php.dist as below. Next, we edit the config.inc.php file to suit our own preferences. We set our username as admin and password as password (I hope no organization uses this for an admin password). After editing with nano, hit Ctrl+O, then Enter, then Ctrl+X to save and exit.
Observe the next window below.
Change the fields highlighted in red, then press Ctrl+O and Ctrl+X to effect the changes.
  • cd back to home using cd ~. Start the MySQL service as below using root privileges (Kali ships MariaDB as its MySQL). Use the commands below to create an admin user and exit the SQL shell. We can see the password is hashed with MD5 as well.
The fields highlighted in red are the SQL statements we need to type to create a new user called admin with the password set to “password”.
  • Time to start the Apache server and configure the system so that we can reach DVWA on 127.0.0.1 as admin. The commands in the screenshot below do the job perfectly. Our most important step here is to set allow_url_fopen = On and allow_url_include = On if they were off. We then start apache2. [All the screenshots are included]
Script to open the next window.
Change the fields highlighted by the arrow below to On in case they were Off.
  • Time to load up DVWA. Open the Firefox browser and go to 127.0.0.1/DVWA/setup.php. Scroll down and click “Create / Reset Database”.
Click “Create / Reset Database” and observe the messages below.
  • After that, change the URL to 127.0.0.1/DVWA/login.php. Verify you have the window as below. Type “admin” for the username and “password” for the password to log in.
Type the username and password we just set: admin and password.

2. Once you are logged in, head over to the Brute Force section. We can try logging in as ‘admin’ with any password to observe the login error below: “user and/or … incorrect”.

Click Brute Force, then type a random username and password to observe the error below [except for the admin + password combo lol :) ].

3. Scroll down the Brute Force page so that we can observe the login.php source. A basic overview of the code tells us that if the user logs in successfully, the page prints the message “Welcome to password protected area” and shows an avatar. That is the most important indicator for us. You can note that

Click View Source to observe the login PHP script as below. We note what should be expected in the case of a successful login.

4. Install the FoxyProxy Standard extension in Firefox to help us forward browser traffic to Burp Suite. Once installed, you will see the icon highlighted below; click Options. The window below should show Burp with the host set to 127.0.0.1. We then need to click Edit and change the port to 8080 as below [in case it is not set]. Click Save.

Open a new blank tab and search for the FoxyProxy extension. After it is installed, you can click its icon in the nav bar, then Options, to see the window above. The default port is 8080, but click Edit to set it if needed.

5. We need to open Burp Suite now and click Proxy. Turn on Intercept as highlighted below.

Click Proxy, then Intercept, and set it on. Burp Suite Community is installed by default in Kali.

6. Go back to DVWA and try logging in using “test” and a random password. Open the FoxyProxy extension and select the Burp profile. After clicking the Login button, you should be redirected to the window below in Burp Suite automatically [last image below].

Figure 6.1: Type a random username (I used test) and a random password. Also click the FoxyProxy extension and set it to Burp. Click Login and you will automatically be led to the figure below as well.
Figure 6.2: Observe that the intercept is successful and Burp captured test and our random password.

7. From this window, right-click and click Send to Intruder. Open the Intruder tab and observe the second image below [last one].

A perfect illustration of what to do: just right-click and send it to Intruder. Observe the next window.

8. We now need to start creating the payloads. Click Clear § to remove all default payload positions. Highlight the username=test and password=password values and click Add § as shown below. They should now appear as username=§test§ and password=§password§. Select the Cluster bomb attack from the attack type. We should see 2 payload positions set below the window.

After opening this window for the first time, click Clear § to remove any default payload positions. Then highlight test and click Add § to set it as a payload position. Finally, highlight the password value and click Add § too. You should then see 2 payload positions.

9. Click the Payloads section. Under Payload set, select 1, which corresponds to the §test§ position. Here we enter all the usernames we suspect the website uses. We can use admin for this demonstration, but attackers try all the combinations. Next, select payload set 2 to begin setting the §password§ list. Here we type all the password candidates we want to try. Also include password, which is the actual password for the case of this article.

Set any usernames you suspect.
Set any passwords you suspect to be true. Then click Start attack as said in step 10.

10. Once set, click Start attack. The window below should appear. Be patient [brute forcing lol].

11. After the attack ends, we observe the Intruder attack window. Looking at the Length column, we can see that the only unique combination is admin + password at 4778, while all the others are at 4879. It’s highlighted below.

The others are 4879 while this one is 4778, which should be a green flag that it is possibly the successful-login response.

12. Click the row and select the Response tab. Remember from step 3 that we should observe a message like “Welcome to password protected area” after a successful login. In the response window, search for “Welcome” and note whether there is a match. And voilà! We note there is a match [observe the screenshot below].

Indeed, we note it is the successful response, hence we can determine that admin and password are indeed the credentials for the brute-force challenge page.

13. The final step is to go back to the DVWA Brute Force page and log in with the admin + password combination. DON’T forget to turn off FoxyProxy and Intercept in Burp Suite [window in step 5]. Type in the credentials and observe the screen below.

Type admin and password below to receive the prompt below. The fields disappear after logging in, but I used the admin + password combo to get the field values.

14. We have successfully brute-forced the website!
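As an added example (not code from the article or from DVWA), the Python below replays steps 8 to 12 offline against a constructed stand-in for the brute-force page: it builds the same username × password combinations Intruder's Cluster bomb generates, records each response's length, flags the one length that differs from the rest, and confirms it with the “Welcome” marker. The user table, page bodies and mock_login function are constructed for this example.

```python
import hashlib
from collections import Counter
from itertools import product

# Constructed stand-in for DVWA's brute-force page (not DVWA's own code): the
# users table stores MD5 hashes, as the article notes, and the only difference
# between a success and a failure page is the message printed into the body.
USERS = {"admin": hashlib.md5(b"password").hexdigest()}
SUCCESS_MSG = '<p>Welcome to password protected area admin</p><img src="avatar.jpg" />'
FAILURE_MSG = "<pre><br />Username and/or password incorrect.</pre>"
PAGE = "<html><body><h1>Vulnerability: Brute Force</h1>{msg}</body></html>"


def mock_login(username, password):
    """Render the page body a login attempt would receive (constructed)."""
    if USERS.get(username) == hashlib.md5(password.encode()).hexdigest():
        return PAGE.format(msg=SUCCESS_MSG)
    return PAGE.format(msg=FAILURE_MSG)


def cluster_bomb(usernames, passwords):
    """Intruder's Cluster bomb type: every payload-1 value with every payload-2 value."""
    return list(product(usernames, passwords))


def run_attack(usernames, passwords):
    """Submit each combination and keep the body, as Intruder's results table does."""
    return [(u, p, mock_login(u, p)) for u, p in cluster_bomb(usernames, passwords)]


def find_successes(results, marker="Welcome"):
    """Steps 11 and 12: treat the most common response length as the failure
    baseline, flag rows whose length differs, then confirm with the marker."""
    if not results:
        return []
    baseline = Counter(len(body) for _, _, body in results).most_common(1)[0][0]
    candidates = [(u, p, body) for u, p, body in results if len(body) != baseline]
    return [(u, p) for u, p, body in candidates if marker in body]


if __name__ == "__main__":
    rows = run_attack(["admin", "test"], ["123456", "password", "letmein"])
    for u, p, body in rows:
        print(f"{u:6} {p:10} length={len(body)}")
    print("credentials:", find_successes(rows))
```

Length is only the triage step the article uses: if a success page happened to share the failure length, searching every response for the marker would still find it, while a single successful attempt on its own has no baseline to differ from.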

Follow up Notes

  1. You can build basic websites and enable a login page. You can then exercise this scripting tutorial against them to experience a real-world practicum.
  2. Ramp up your knowledge of PHP, HTML & CSS, and MySQL to better understand how overall website dynamics operate.
  3. Practice! Mastering such complex hacking tricks takes time, absolute commitment and patience. You wanna be a hacker, right? Well, it’s not always what you see in movies… This is what hacking looks like.

Recommendations

  1. Users in an organization should never share their intranet login credentials with anyone, nor carelessly leave hints on their desks or even phones where an attacker can access them, unless advised.

[Thanks for reading, be an ethical hacker out there :) ]
