Welcome to part three of this module. This module is going to be looking at brute forcing website logins using Burp Suite. It should hopefully be a bit more engaging than the theory-heavy module on spidering that preceded it. However, if you are just starting out, I recommend watching these videos covering Burp Suite in order, starting from Module 1, for instructions on how to set up the proxy and to see the nature of the target I am testing against, which is still going to be Metasploitable 2, for those of you wondering why I'm not using a later version such as Metasploitable 3. The reason is that at the time of this recording Metasploitable 2 has the widest range of vulnerable web applications installed on it.

In the last video I conducted a spider against Mutillidae. So in this video our target will be the Damn Vulnerable Web Application that comes pre-installed with Metasploitable 2. I will mention that if you are following along with these videos but you are using VirtualBox at all, you can install Damn Vulnerable Web App in Kali and host it right from within the operating system in order to conduct your tests. However, I don't really recommend this; running Metasploitable 2 on a virtual machine is much simpler, and you can run VirtualBox within an installed version of Kali if you have it running on a partition.
Alrighty, so I already have Damn Vulnerable Web Application open. As you can see, it is running on the IP address of the Metasploitable 2 machine, which in my case is 10.0.0.[inaudible], and yours may vary. For instructions on how to get this IP, please see the prior modules. The point of this tutorial will be to demonstrate how to hack into this website using Burp Suite. Although this will of course be a simulation, it will be very close to the real thing.

In the course of this series we'll be going over brute forcing techniques, command execution, CSRF, file inclusion, SQL injection and cross-site scripting, all of which is listed here. But to start out, for the purposes of this tutorial, we're going to click on DVWA Security, and because I want to keep things simple we're going to toggle this down to low and hit Submit. The attack you are about to see performed, while simple, has a shockingly high success rate in the real world. Many websites, especially older websites, tend to have misconfigured elements or weaker security, and this is represented by the low setting within Damn Vulnerable Web App. As you become more proficient you may wish to toggle the setting to medium or high.
However, for right now we'll just stick with low, and this will simulate a website with inadequate brute force protections. Something I failed to mention in prior modules but will bring up now: if you are testing any sort of tool against Damn Vulnerable Web App, you can click on the View IDS Log to get an idea of what an administrator would be able to actually see on their end. So this is just a little aside I wanted to add while we're right here.

So now we're going to bring up Burp Suite, and while this is loading we need to once again make sure that we have our proxy enabled. So we're gonna come over to Preferences, click Settings under the Connection tab and Manual proxy, and you want to make sure that it says 127.0.0.1 port 8080. I believe in a prior video I accidentally said 880; I apologize for that. It is 8080, and make sure that "Use this proxy server for all protocols" is checked. Then click OK.

So I'm just going to use a temporary project again, and we're going to use Burp defaults, since this is the Community Edition. Alrighty, now back in Burp Suite we go to the Proxy tab, and we're gonna start off by setting Intercept off. This is because I want to demonstrate something. Intercept off just means as such:
essentially that we are not intercepting the requests to and from the web applications that we are targeting. So I'm actually going to back out of this, back to the login prompt. So now if we just put in a random username and password, let's say ninja for the username and secret for the password, click Login, and we get the exact result that we expected: login failed. So now we flip back over to Burp Suite; we're going to turn Intercept back on. I just wanted to show you what this looks like, and we'll try this again. Ninja, secret, click Login. Now the request is not actually going to go through until we click the Forward button. We don't want to do that just yet. We're gonna go back to Burp Suite, and here we go: right away under the Proxy tab and Intercept tab we can see the raw capture, and this is what I wanted to draw your attention to, because the failed login message before gave us what we needed to know as far as the expected fields. We know that it's expecting username and password, and that is verified right here in the raw capture. Now there's a lot of data contained here in the raw capture, and we could speak at length about what all of it really means, but just for the moment, just to keep things on point, let's concentrate on the information that we need here.
The most important thing right now for our purposes of hacking this website through brute forcing is this GET request. Again, the GET request has two values, username and password. We also see the failed username and password that we entered a few moments ago. The failed values themselves are not what is important, but the fields are. We're going to be using Intruder, located under the Intruder tab. Intruder allows us to edit the parameters within the request, to manipulate them so that we can get the desired result. Intruder is the functionality within Burp that allows us to perform attacks like brute forcing the raw capture data. So we're going to click on the raw capture and select Send to Intruder. Afterwards we can just click Forward, because we don't need that particular request anymore. From here we go to Intruder and we select the Positions sub-tab. We can see that the raw data we sent from the capture is displayed here with certain fields already highlighted. These highlights indicate different possible payloads; they are different fields that we can brute force.
In this particular case we have the username value, the password value, the Login value, the security value and the PHPSESSID, but we don't actually need all of these for the simple brute forcing operation that we are going to be performing. All we need to hack this low security target is the username and password. Start by clicking the Clear button with the symbol next to it, and be careful not to confuse it with the Clear button in the lower right-hand corner of the screen. This will remove all of the pre-highlighted payload markers. No values are currently selected to brute force against, meaning that we'll have to select them manually. Before that we need to change our attack type to cluster bomb.

While I had hoped to keep the theory to a minimum in this module, it is important to quickly go over these different attack types. Burp Intruder supports various attack types; these determine the way in which payloads are assigned to payload positions. The attack type can be selected by using this drop-down menu above the request template editor. The following attack types are available.

Sniper: this uses a single set of payloads. It targets each payload position in turn and places each payload into that position in turn. Positions that are not targeted for a given request are not affected: the position markers are removed and any enclosed text that appears between them in the template remains unchanged. This attack is useful for
fuzzing a number of request parameters individually for common vulnerabilities. The total number of requests generated in the attack is the product of the number of positions and the number of payloads in the payload set. That was a bit of a mouthful.

Battering ram: this uses a single set of payloads. It iterates through the payloads and places the same payload into all of the defined payload positions at once. This attack type is useful when an attack requires the same input to be inserted in multiple places within the request, for example a username within a cookie and a body parameter. The total number of requests generated in this attack is the number of payloads in the payload set. And that should hopefully make more sense. On to the next step.

Pitchfork: this uses multiple payload sets. There is a different payload set for each defined position, up to, I believe, a maximum of 20. The attack iterates through all payload sets simultaneously and places one payload into each defined position. In other words, the first request will place the first payload from payload set 1 into position 1 and the first payload from payload set 2 into position 2; the second request will place the second payload from payload set 1 into position 1 and the second payload from payload set 2 into position 2, and so on.
This attack type is useful where an attack requires different but related input to be inserted in multiple places within the request, again for example a username in one parameter and a known ID number corresponding to that username in another parameter. The total number of requests generated in the attack is the number of payloads in the smallest payload set.

However, the one that we're going to be using: cluster bomb. This uses multiple payload sets. There is a different payload set for each defined position, again up to a maximum of 20. The attack iterates through each payload set in turn, so that all permutations of payload combinations are tested. In other words, if there are two payload positions, the attack will place the first payload from payload set 2 into position 2 and iterate through all of the payloads in payload set 1 in position 1. It will then place the second payload from payload set 2 into position 2 and iterate through all of the payloads in payload set 1 in position 1. This attack type is useful where an attack requires different and unrelated or unknown inputs to be inserted in multiple places within the request.
For example, when guessing credentials, a username in one parameter and a password in another parameter. The total number of requests generated in the attack is the product of the number of payloads in all defined payload sets, and this may be extremely large. So if that seemed a bit over-complicated to you at this stage of the game, I do apologize. Essentially what we're saying here is that we're selecting the cluster bomb attack type because it targets usernames and passwords, which are the two fields that we are attempting to brute force.

Now we need to select the values themselves. It doesn't matter that the username and password we submitted are wrong. Just highlight them and click the Add button, like this. First we highlight ninja. It's wrong, but that's OK, and we click Add. Then we highlight secret, being careful not to get anything else into the highlight such as the equals sign or the ampersand, and we click the Add button. As you can see, both fields are now encompassed in the little symbols shown next to the Add button. This is telling Burp Suite to substitute those values with the characters that it will be using in the attack. For this attack, make extra sure that no other values are selected. Once that is done we are almost there. The last thing to do is go into Payloads. For payload type,
we want to select Simple list. This indicates to Burp Suite that we want to use a wordlist to brute force the target values. In other words, Burp Suite is now going to swap out the values we just selected, ninja and secret, for words and characters contained within a list that we will supply it. Payload options, just below that, is where you select your wordlist. In this demonstration I'm not going to use an actual wordlist, but if you were going up against a real site you would simply click the Load button and select the wordlist file, which is typically a document file. Kali Linux comes with several excellent wordlists already on it for programs like this that call for them, and wordlists can actually be created and even tailored for your target using applications like CeWL and CUPP; these will be looked at further down the line when we get to them. But this is not a target in the real world, so there is no need to go to extremes and use a fancy list. Therefore I'm going to add words manually. This is something you might try before resorting to a wordlist if you already know a lot about the target through reconnaissance and your open-source intelligence gathering. Perhaps you already have some idea of what the username and password might be, based on usernames and passwords that a target is known to use.
A common mistake in security practice is to reuse the same usernames and passwords over and over, and even professionals sometimes fall into this trap. We'll go ahead and use the Add button to put in some words. These are going to be common usernames: admin (as we add it, it is added to our temporary list), administrator, root, test, superuser, and that should be enough; you get the idea. There we go, that covers the first payload for cluster bomb, which is the username. Now we're gonna go and we're gonna change to payload set 2, which right away gives us a blank canvas for more usernames and passwords. Now if you did want to use one of the default wordlists that came with Kali, just click Load and we'll go over to /usr/share, and now I have to find wordlists... wordlists, and the ones that I recommend using are found in the metasploit folder. There are quite a few. They're all quite good, though default user pass for usernames and default pass for services are, in my opinion, excellent. But you could use any of these that you wish. You can also use your own that you download off the Internet from trustworthy sources, or ones that you generate.
As I said, I'm not going to be doing that, so I will cancel out of this, and now I'm going to add some common passwords: pass, password, admin, root, god (because it's used more often than you'd think) and qwerty. That should be good enough. So just to reiterate, payload 1 is the set for usernames and payload 2 is the set for passwords, so everything is ready. Now we go up to Intruder and it's as easy as clicking Start attack. And this is basically just telling us that the Community Edition is slow and the edition that you pay for is awesome. So we click OK, and now the attack has begun. As you can see it's performing the brute forcing; we'll have to give it a minute to finish. It shouldn't take very long, since we're not using a wide combination of usernames and passwords. That's another reason that I didn't want to use a wordlist: it might make this process drag a bit. Going to maximize it. And as you can see it's going through all the combinations for the words that we provided it, so if you did provide it with a wordlist this would be a lot of different combinations.

OK. So as much as I wish this had gone smoothly and easily, it didn't. However, it's a good example of what can happen.
So in a perfect world you will get results that look like this, and what you would look for are differences in status and length. Notice that all of these numbers are the same, in this case 302 and 354. These indicate that with all of these login requests the same length of response was returned. Status is a little more complicated to get into what that means, but if either of these were different it would be a strong indicator that you found the username and/or the password. But as you can see, none of them are different. And this actually means that Damn Vulnerable Web App has slightly better security, even at the lowest setting, than it really probably should. In fact, in prior tests I didn't run into this problem. However, there are still things you can do. Now, the username and password are here; I know that for a fact because I know what they are. So we're actually going to have to dig a little deeper into these results to find them. And the reason this is bad news is, if you're doing this against a real website with real security and you're using real wordlists, you're going to have a lot more than 30 requests to look through. So we'll look through these. What we're looking for in these GET requests is anything different. So I clicked this one; it's the same.
I'm actually going to scroll down, and in all these cases they're the same until we get here, to admin and password. Now I know that this is the correct answer. And if we go down and we look at the Location: the location is index.php. For all of these other results we get login.php, meaning that we didn't get through the login page, but here we get index.php, which means that we did in fact get through, and that means that the username is admin and the password is password. So that can be a real pain when you don't get an immediate result. What you're normally looking for, like I said, is the length that is different or the status that is different. But if they're all the same you're going to have to go through them one by one. And here we found it. We found that it did log in and get to the index page. So that's a bit of a pain, but this is how the tool works. And when you go up against better security, that's the kind of examination you're going to have to give it. You'll have to eyeball your results very carefully. With luck you won't have that problem, and it will be immediately obvious from this number being different or this number being different. In any case, that's about it.
That's how we get the username and password for a website through brute forcing techniques. Now, this technique will tend to fail if the website is well programmed and limits the number of login attempts you can make to a certain number before locking you out. Most high-end websites do that; not all of them. And this technique can be used against other applications as well, so that's worth keeping in mind. And it really was about this straightforward. Like I said, if we used a wordlist, the number of combinations that would have been tried would have been much greater, meaning it would take a lot more time to look through all of these requests. So just keep that in mind. And the attack method is extremely effective against low security sites. And I'm actually surprised that Damn Vulnerable Web App had as good a security as it did. It must have been upgraded from the last time I used it, because last time I had no problem; the length was very obviously different. Oh well, it can happen. So as always, never use these techniques against any website or target that you do not personally own or have written permission to conduct a penetration test against. Otherwise you could be breaking the law.
Also keep in mind that these methods are not stealthy and will be brilliantly visible to an administrator as well as your Internet service provider. For more information on anonymity, please see the module covering those techniques. I hope you found this tutorial helpful, even though the final result was a bit difficult to pin down, and I hope that you have a good idea of how to use Burp Suite to test your own systems using brute force. Thank you.
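As an added example (not part of the transcript or the course), here is the administrator's side of the cluster bomb run described above: a Python script that scans access log lines for the login.php credential requests and flags a client that works through the full username x password cross product in a short window, which is the signature the "View IDS Log" aside hints an administrator can see. The log lines, addresses, timestamps, the /dvwa/login.php path and the second client's credentials are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# The two lists typed into Intruder in the video: 5 usernames x 6 passwords = 30 requests.
USERS = ["admin", "administrator", "root", "test", "superuser"]
PASSWORDS = ["pass", "password", "admin", "root", "god", "qwerty"]

def build_sample_log():
    """Constructed Apache combined-format lines: what the DVWA host's access log
    shows while the cluster bomb runs. Client 10.0.0.5 tries every combination
    within 30 seconds; 10.0.0.9 logs in once. Addresses and times are made up."""
    lines = []
    for i, (user, pw) in enumerate((u, p) for u in USERS for p in PASSWORDS):
        # Failed and successful attempts both answer 302 with the same body length,
        # which is why status and length alone did not separate them in the video.
        lines.append(
            f'10.0.0.5 - - [01/Jan/2020:10:00:{i:02d} +0000] '
            f'"GET /dvwa/login.php?username={user}&password={pw}&Login=Login HTTP/1.1" 302 354'
        )
    lines.append('10.0.0.9 - - [01/Jan/2020:10:05:00 +0000] "GET /dvwa/login.php'
                 '?username=alice&password=example-only&Login=Login HTTP/1.1" 302 354')
    return lines

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def login_attempts(lines, login_path="/dvwa/login.php"):
    """Group credential-carrying requests to the login page by client address."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == login_path and "username" in rec["query"] \
                and "password" in rec["query"]:
            by_ip[rec["ip"]].append(rec)
    return by_ip

def max_in_window(times, window_seconds):
    """Largest number of attempts that fall inside any span of window_seconds."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect_brute_force(lines, window_seconds=60, threshold=10):
    """Flag clients that send more than `threshold` credential attempts within
    `window_seconds`. The report also says whether the distinct username/password
    pairs form the full cross product of usernames and passwords seen, which is
    exactly what the cluster bomb attack type produces (pitchfork would not)."""
    alerts = {}
    for ip, recs in login_attempts(lines).items():
        burst = max_in_window([r["time"] for r in recs], window_seconds)
        if burst <= threshold:
            continue
        pairs = {(r["query"]["username"], r["query"]["password"]) for r in recs}
        users = {u for u, _ in pairs}
        pws = {p for _, p in pairs}
        alerts[ip] = {
            "attempts": len(recs),
            "burst": burst,
            "distinct_pairs": len(pairs),
            "usernames": sorted(users),
            "cross_product": len(pairs) == len(users) * len(pws),
        }
    return alerts
```

A lockout or rate limit keyed on the same per-client burst count is the mitigation the transcript says defeats this attack; the threshold and window here are assumptions to tune per site.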