﻿1
00:00:00,450 --> 00:00:05,100
So another big problem in authentication is insecure login forms.

2
00:00:06,470 --> 00:00:09,980
There may be hundreds of ways to make a form insecure.

3
00:00:11,610 --> 00:00:20,100
So for these examples, I'm going to be in bWAPP, and I'll go to Kali first and log in to bWAPP

4
00:00:20,790 --> 00:00:27,360
and from the drop-down menu above choose Insecure Login Form under the Broken Authentication section.

5
00:00:28,550 --> 00:00:29,900
And the default level is low.

6
00:00:30,910 --> 00:00:37,540
And it is rare to see the first two levels in the real world, actually, but I think it's a lot of

7
00:00:37,540 --> 00:00:37,850
fun.

8
00:00:38,290 --> 00:00:40,500
So let's try and solve them, OK?

9
00:00:40,660 --> 00:00:44,890
So when I try to log in with the wrong credentials, I'm going to get this warning.

10
00:00:46,380 --> 00:00:52,350
So then we view the page source by right-clicking and scroll down to the login form source.

11
00:00:54,220 --> 00:00:58,870
So see, here is text with a white font color, you know, at the login label.

12
00:00:59,790 --> 00:01:04,390
And also another text with the same property near the password label.

13
00:01:05,100 --> 00:01:10,490
So if you mark here and here, you're going to display them.

14
00:01:11,160 --> 00:01:12,780
So I'm going to use these values.

15
00:01:16,000 --> 00:01:18,250
And it is done, we've just logged in.

16
00:01:19,410 --> 00:01:20,890
OK, so that was fun.

17
00:01:20,940 --> 00:01:22,470
Let's choose the medium level.

18
00:01:24,220 --> 00:01:25,870
So I'm going to mark here.

19
00:01:27,500 --> 00:01:28,340
But there is nothing.

20
00:01:28,500 --> 00:01:33,530
OK, so view the page source again, scroll down to the login form.

21
00:01:34,860 --> 00:01:37,620
And here there are no hidden values.

22
00:01:38,850 --> 00:01:41,610
But see over here, the submit button.

23
00:01:41,640 --> 00:01:45,690
Have a look, you're going to see it executes a JavaScript function.

24
00:01:46,960 --> 00:01:50,890
Now, I think this is the first function that we've seen in this course.

25
00:01:52,770 --> 00:01:53,820
So here's a function.

26
00:01:55,140 --> 00:02:01,290
I don't think it's very hard to guess how it uses some of the characters in the string to create a password.

27
00:02:02,430 --> 00:02:04,770
And again, it's really a load of fun.

28
00:02:06,550 --> 00:02:08,920
To get the password from this function, just copy it.

29
00:02:11,170 --> 00:02:12,850
And open developer tools.

30
00:02:15,260 --> 00:02:17,510
Go to settings from here and check

31
00:02:18,390 --> 00:02:22,040
Scratchpad to enable the tab, and go there.

32
00:02:23,570 --> 00:02:26,090
So clear here and paste the function.

33
00:02:28,180 --> 00:02:29,940
I'm going to just zoom in a little bit here.

34
00:02:31,190 --> 00:02:32,870
OK, so we don't need these lines.

35
00:02:33,800 --> 00:02:37,910
And to see the result, I'm going to add here return secret.

36
00:02:39,570 --> 00:02:42,450
And an alert message to view the result.

37
00:02:44,890 --> 00:02:46,600
OK, so let's run it.

38
00:02:47,510 --> 00:02:49,630
And it is done, what's this?

39
00:02:50,300 --> 00:02:52,430
Yes, we get the password.

40
00:02:53,430 --> 00:02:56,910
So in case you think I'm joking, I'm going to use this.

41
00:02:58,340 --> 00:02:59,360
OK, we're done.

42
00:03:00,470 --> 00:03:01,490
We've just logged in.

43
00:03:02,730 --> 00:03:03,720
OK, so.

44
00:03:05,010 --> 00:03:11,370
At last, we were going to do a brute-force attack, so let's choose the high level.

45
00:03:12,790 --> 00:03:19,360
So here's the new page; view the source, and if you scroll down, you won't see anything with the form.

46
00:03:20,350 --> 00:03:24,190
So, OK, let me just log in with some wrong credentials and see what's happening.

47
00:03:26,010 --> 00:03:29,370
OK, you get the same warning message, invalid credentials.

48
00:03:30,290 --> 00:03:33,200
So now we're going to do the rest with Burp.

49
00:03:34,260 --> 00:03:37,440
So enable FoxyProxy, then open Burp.

50
00:03:38,970 --> 00:03:40,710
And I'm going to arrange the windows.

51
00:03:43,050 --> 00:03:44,160
Now log in again.

52
00:03:46,590 --> 00:03:49,650
And it captures the login request, so.

53
00:03:50,960 --> 00:03:54,980
Send it to Intruder and Repeater to use later.

54
00:03:56,770 --> 00:03:58,580
Then forward the request.

55
00:03:59,880 --> 00:04:07,800
OK, so open the Intruder tab. Now there are four sub-tabs under Intruder, and under the Target tab, you

56
00:04:07,800 --> 00:04:09,840
can configure the target options.

57
00:04:10,760 --> 00:04:17,210
For example, you may force it to use HTTPS, and then go to the Positions tab.

58
00:04:18,640 --> 00:04:26,020
And here you can configure where and what to brute-force, so Burp heuristically selects some parameters

59
00:04:26,020 --> 00:04:28,750
to attack, but we don't need them all.

60
00:04:29,890 --> 00:04:31,540
So you can clear them.

61
00:04:32,540 --> 00:04:35,510
And let's just use only the password and username.

62
00:04:36,850 --> 00:04:39,970
So let's choose Cluster bomb as the attack type.

63
00:04:41,960 --> 00:04:45,830
OK, so we're done with this, so now go to the Payloads tab.

64
00:04:48,140 --> 00:04:55,010
Now, here's the place where we provide data or dictionary files for the attack, so we can choose two parameters

65
00:04:55,010 --> 00:04:56,250
to attack at the same time.

66
00:04:56,900 --> 00:05:03,290
And there are two payload sets available here, but we don't have any payloads yet.

67
00:05:04,100 --> 00:05:07,310
So let's create some payloads first.

68
00:05:07,910 --> 00:05:11,120
We can use crunch, or we can try another one as well.

69
00:05:11,900 --> 00:05:17,450
So, in fact, open up your terminal and type cewl.

70
00:05:18,720 --> 00:05:26,490
CeWL is another password generator, but it works kind of differently, so it'll crawl a URL and

71
00:05:26,790 --> 00:05:29,360
extract words to create a wordlist.

72
00:05:30,000 --> 00:05:35,990
So type cewl --help to see the options.

73
00:05:37,480 --> 00:05:42,130
OK, then add -w as a parameter to save the result.

74
00:05:44,060 --> 00:05:46,670
And the -d parameter to define the crawl depth.

75
00:05:48,020 --> 00:05:56,360
The -m parameter to define the minimum length of the words that will be extracted, and -e for including email

76
00:05:56,360 --> 00:05:59,630
addresses, and let's include words with numbers.

77
00:06:01,890 --> 00:06:06,720
OK, so I'm going to copy this URL and paste it here.

78
00:06:09,640 --> 00:06:12,340
Nothing to change, and hit Enter.

79
00:06:13,540 --> 00:06:17,770
And it executes quickly, so here's the generated wordlist file.

80
00:06:18,980 --> 00:06:19,960
Let's have a look at it.

81
00:06:24,500 --> 00:06:31,790
Now it contains 44 lines, so I'm going to delete some of the entries because it will take time to try

82
00:06:31,790 --> 00:06:36,600
every single one, so I think these ones are going to be enough.

83
00:06:37,400 --> 00:06:43,010
So now go to Burp Intruder, choose the first payload, don't change the payload type.

84
00:06:43,020 --> 00:06:44,210
It's a simple list.

85
00:06:45,160 --> 00:06:47,620
Just come back here and click Load.

86
00:06:48,810 --> 00:06:50,430
OK, so we load the first payload.

87
00:06:51,340 --> 00:06:55,090
And choose the second payload; again, load the wordlist.

88
00:06:56,650 --> 00:07:06,100
And Burp automatically calculates the requests that will be sent, and I think if we do this with a

89
00:07:06,100 --> 00:07:10,240
huge list, it's going to slow down our target network in our environment.

90
00:07:11,240 --> 00:07:14,030
So there's nothing to change here.

91
00:07:15,380 --> 00:07:17,150
And go to the Options tab.

92
00:07:18,720 --> 00:07:20,970
Now, scroll to Grep - Match.

93
00:07:22,860 --> 00:07:28,570
So in this section, we teach Burp to understand when it is going to be successful or not.

94
00:07:29,340 --> 00:07:36,030
So then Burp sends each login request, which contains values from our payload list, and then analyzes

95
00:07:36,030 --> 00:07:37,980
the associated responses.

96
00:07:39,240 --> 00:07:46,200
And that way, if it matches something in the response with these strings, it can mark that request

97
00:07:46,200 --> 00:07:46,820
for us.

98
00:07:47,720 --> 00:07:51,710
So the strings are not useful in our scenario, right?

99
00:07:53,140 --> 00:07:54,550
So I'm going to clear them.

100
00:07:56,330 --> 00:08:01,910
And then I'm going to copy this warning on the page and paste it to add it here.

101
00:08:03,850 --> 00:08:09,820
And then I'm going to check this box to make Burp flag the result items containing this warning.

102
00:08:10,240 --> 00:08:10,660
All right.

103
00:08:11,890 --> 00:08:15,370
All right, so, yeah, there's nothing more to configure here, so let's go up.

104
00:08:16,560 --> 00:08:17,970
And start the attack.

105
00:08:20,230 --> 00:08:21,670
So this is the attack window.

106
00:08:23,350 --> 00:08:25,720
And we can wait a little bit for it to finish.

107
00:08:27,500 --> 00:08:32,660
And look here, Burp flags all the result items containing this warning.

108
00:08:34,180 --> 00:08:40,270
Now, if a result doesn't contain this warning, it means that we're successfully logged in, you get

109
00:08:40,270 --> 00:08:40,360
it?

110
00:08:41,640 --> 00:08:43,650
So let's click this unchecked line.

111
00:08:44,600 --> 00:08:47,690
And below, the details of the request are present.

112
00:08:48,680 --> 00:08:50,550
It's rice, bees and bug.

113
00:08:51,080 --> 00:08:52,250
So look at the response.

114
00:08:53,250 --> 00:08:55,260
Here's a successful login message.

115
00:08:56,350 --> 00:09:01,870
OK, so obviously, this is a very basic brute-force attack on an insecure login form.

116
00:09:04,150 --> 00:09:08,680
Don't worry, we are going to do a little more advanced ones in the next videos.

117
00:09:08,680 --> 00:09:10,870
But you get the concept, right?

