1 00:00:00,450 --> 00:00:05,100 So another big problem in authentication is insecure login forms.
2 00:00:06,470 --> 00:00:09,980 There may be hundreds of ways to make a form insecure.
3 00:00:11,610 --> 00:00:20,100 So for these examples, I'm going to be in bWAPP, and I'll go to Kali first and log in to bWAPP
4 00:00:20,790 --> 00:00:27,360 and from the drop-down menu above choose Insecure Login Form under the Broken Authentication section.
5 00:00:28,550 --> 00:00:29,900 And the default level is low.
6 00:00:30,910 --> 00:00:37,540 And it is rare to see the first two levels in the real world, actually, but I think it's a lot of
7 00:00:37,540 --> 00:00:37,850 fun.
8 00:00:38,290 --> 00:00:40,500 So let's try and solve them, OK?
9 00:00:40,660 --> 00:00:44,890 So when I try to log in with the wrong credentials, I'm going to get this warning.
10 00:00:46,380 --> 00:00:52,350 So then we view the page source by right-clicking and scroll down to the login form source.
11 00:00:54,220 --> 00:00:58,870 So see, here is text with a white font color, you know, by the login label.
12 00:00:59,790 --> 00:01:04,390 And also another text with the same property near the password label.
13 00:01:05,100 --> 00:01:10,490 So if you mark here and here, you're going to display them.
14 00:01:11,160 --> 00:01:12,780 So I'm going to use these values.
15 00:01:16,000 --> 00:01:18,250 And it is done, we've just logged in.
16 00:01:19,410 --> 00:01:20,890 OK, so that was fun.
17 00:01:20,940 --> 00:01:22,470 Let's choose the medium level.
18 00:01:24,220 --> 00:01:25,870 So I'm going to mark here.
19 00:01:27,500 --> 00:01:28,340 But there is nothing.
20 00:01:28,500 --> 00:01:33,530 OK, so view the page source again, scroll down to the login form.
21 00:01:34,860 --> 00:01:37,620 And here there are no hidden values.
22 00:01:38,850 --> 00:01:41,610 But see over here, the submit button.
23 00:01:41,640 --> 00:01:45,690 Have a look, you're going to see it executes a JavaScript function.
24 00:01:46,960 --> 00:01:50,890 Now, I think this is the first function that we've seen in this course.
25 00:01:52,770 --> 00:01:53,820 So here's a function.
26 00:01:55,140 --> 00:02:01,290 I don't think it's very hard to guess how it uses some of the characters in the string to create a password.
27 00:02:02,430 --> 00:02:04,770 And again, it's really a load of fun.
28 00:02:06,550 --> 00:02:08,920 To get the password from this function, just copy it.
29 00:02:11,170 --> 00:02:12,850 And open Developer Tools.
30 00:02:15,260 --> 00:02:17,510 Go to settings from here and check
31 00:02:18,390 --> 00:02:22,040 Scratchpad to enable the tab, and go there.
32 00:02:23,570 --> 00:02:26,090 So clear here and paste the function.
33 00:02:28,180 --> 00:02:29,940 I'm going to just zoom in a little bit here.
34 00:02:31,190 --> 00:02:32,870 OK, so we don't need these lines.
35 00:02:33,800 --> 00:02:37,910 And to see the result, I'm going to add here "return secret".
36 00:02:39,570 --> 00:02:42,450 And an alert message to view the result.
37 00:02:44,890 --> 00:02:46,600 OK, so let's run it.
38 00:02:47,510 --> 00:02:49,630 And it is done, what's this?
39 00:02:50,300 --> 00:02:52,430 Yes, we get the password.
40 00:02:53,430 --> 00:02:56,910 So in case you think I'm joking, I'm going to use this.
41 00:02:58,340 --> 00:02:59,360 OK, we're done.
42 00:03:00,470 --> 00:03:01,490 We've just logged in.
43 00:03:02,730 --> 00:03:03,720 OK, so.
44 00:03:05,010 --> 00:03:11,370 At last, we were going to do a brute force attack, so let's choose the high level.
45 00:03:12,790 --> 00:03:19,360 So here's your new page and view source; if you scroll down, you won't see anything with the form.
46 00:03:20,350 --> 00:03:24,190 So, OK, let me just log in with some wrong credentials and see what's happening.
47 00:03:26,010 --> 00:03:29,370 OK, you get the same warning message, invalid credentials.
48 00:03:30,290 --> 00:03:33,200 So now we're going to do the rest with Burp.
49 00:03:34,260 --> 00:03:37,440 So enable FoxyProxy, then open Burp.
50 00:03:38,970 --> 00:03:40,710 And I'm going to arrange the windows.
51 00:03:43,050 --> 00:03:44,160 Now log in again.
52 00:03:46,590 --> 00:03:49,650 And capture the login request, so.
53 00:03:50,960 --> 00:03:54,980 Send it to Intruder and Repeater to use later.
54 00:03:56,770 --> 00:03:58,580 Then forward the request.
55 00:03:59,880 --> 00:04:07,800 OK, so open the Intruder tab; now there are four sub-tabs under Intruder, and under the Target tab, you
56 00:04:07,800 --> 00:04:09,840 can configure the target options.
57 00:04:10,760 --> 00:04:17,210 For example, you may force it to use HTTPS, and then go to the Positions tab.
58 00:04:18,640 --> 00:04:26,020 And here you can configure where and what to brute force, so Burp heuristically selects some parameters
59 00:04:26,020 --> 00:04:28,750 to attack, but we don't need them all.
60 00:04:29,890 --> 00:04:31,540 So you can clear them.
61 00:04:32,540 --> 00:04:35,510 And let's just use only the password and username.
62 00:04:36,850 --> 00:04:39,970 So let's choose Cluster bomb as the attack type.
63 00:04:41,960 --> 00:04:45,830 OK, so we're done with this, so now go to the Payloads tab.
64 00:04:48,140 --> 00:04:55,010 Now, here's the place where we provide data or dictionary files to attack, so we can choose two parameters
65 00:04:55,010 --> 00:04:56,250 to attack at the same time.
66 00:04:56,900 --> 00:05:03,290 And here are two payload sets which are available here, but we don't have any payloads yet.
67 00:05:04,100 --> 00:05:07,310 So let's create some payloads first.
68 00:05:07,910 --> 00:05:11,120 We can use crunch, or we can try another one as well.
69 00:05:11,900 --> 00:05:17,450 So, in fact, open up your terminal and type cewl.
70 00:05:18,720 --> 00:05:26,490 CeWL is another password generator, but it works kind of differently, so it'll crawl a URL and
71 00:05:26,790 --> 00:05:29,360 extract words to create a word list.
72 00:05:30,000 --> 00:05:35,990 So type cewl --help to see the options.
73 00:05:37,480 --> 00:05:42,130 OK, then add -w as a parameter to save the result.
74 00:05:44,060 --> 00:05:46,670 And the parameter to define the crawl depth.
75 00:05:48,020 --> 00:05:56,360 The parameter to define the minimum length of the words that will be extracted, and -e for including email
76 00:05:56,360 --> 00:05:59,630 addresses, and let's include words with numbers.
77 00:06:01,890 --> 00:06:06,720 OK, so I'm going to copy this URL and paste it here.
78 00:06:09,640 --> 00:06:12,340 Nothing changed, and hit Enter.
79 00:06:13,540 --> 00:06:17,770 And it executes quickly, so here's the generated wordlist file.
80 00:06:18,980 --> 00:06:19,960 Let's have a look at it.
81 00:06:24,500 --> 00:06:31,790 Now it contains 44 lines, so I'm going to delete some of the entries, because it will take time to try
82 00:06:31,790 --> 00:06:36,600 every single one, so I think these ones are going to be enough.
83 00:06:37,400 --> 00:06:43,010 So now go to Burp Intruder, choose the first payload, don't change the payload type.
84 00:06:43,020 --> 00:06:44,210 It's a simple list.
85 00:06:45,160 --> 00:06:47,620 Just come back here and click Load.
86 00:06:48,810 --> 00:06:50,430 OK, so we load the first payload.
87 00:06:51,340 --> 00:06:55,090 And choose the second payload, and again load the wordlist.
88 00:06:56,650 --> 00:07:06,100 And Burp automatically calculates the requests that will be sent, and I think if we do this with a
89 00:07:06,100 --> 00:07:10,240 huge list, it's going to slow down our target network in our environment.
90 00:07:11,240 --> 00:07:14,030 So there's nothing changed here.
91 00:07:15,380 --> 00:07:17,150 And go to the Options tab.
92 00:07:18,720 --> 00:07:20,970 Now, scroll to Grep - Match.
93 00:07:22,860 --> 00:07:28,570 So in this section, we teach Burp to understand when it is going to be successful or not.
94 00:07:29,340 --> 00:07:36,030 So then Burp sends each login request, which contains values from our payload list, and then analyzes
95 00:07:36,030 --> 00:07:37,980 the associated responses.
96 00:07:39,240 --> 00:07:46,200 And then that way, if it matches something in the response with these strings, it can mark that request
97 00:07:46,200 --> 00:07:46,820 for us.
98 00:07:47,720 --> 00:07:51,710 So these strings are not useful in our scenario, right?
99 00:07:53,140 --> 00:07:54,550 So I'm going to clear them.
100 00:07:56,330 --> 00:08:01,910 And then I'm going to copy this warning on the page and paste it to add it here.
101 00:08:03,850 --> 00:08:09,820 And then I'm going to check this box to make Burp flag the result items containing this warning.
102 00:08:10,240 --> 00:08:10,660 All right.
103 00:08:11,890 --> 00:08:15,370 All right, so, yeah, there's nothing more to configure here, so let's go up.
104 00:08:16,560 --> 00:08:17,970 And start the attack.
105 00:08:20,230 --> 00:08:21,670 So this is the attack window.
106 00:08:23,350 --> 00:08:25,720 And we can wait a little bit for it to finish.
107 00:08:27,500 --> 00:08:32,660 And look here, Burp flags all the result items containing this warning.
108 00:08:34,180 --> 00:08:40,270 Now, if a result doesn't contain this warning, it means that we're successfully logged in, you get
109 00:08:40,270 --> 00:08:40,360 it?
110 00:08:41,640 --> 00:08:43,650 So let's click this unchecked line.
111 00:08:44,600 --> 00:08:47:690 And below are the details of the request present.
112 00:08:48,680 --> 00:08:50,550 It's right, bee and bug.
113 00:08:51,080 --> 00:08:52,250 So look at the response.
114 00:08:53,250 --> 00:08:55,260 Here's a successful login message.
115 00:08:56,350 --> 00:09:01,870 OK, so obviously, this is a very basic brute force attack on an insecure login form.
116 00:09:04,150 --> 00:09:08,680 Don't worry, we are going to do a little more advanced ones in the next videos.
117 00:09:08,680 --> 00:09:10,870 But you get the concept, right?