OK, let's take a look at another example of broken authentication, this time with the forgot password function. For this example we're going to use WebGoat. We introduced ourselves to WebGoat in the previous video, and now we're about to do another challenge using this application. So let's click on our WebGoat. Good. Let's log in with guest and guest. We can log in with that one. We know that there is a webgoat account and we also know that there is a basic account, but it doesn't matter for this task. All we have to do is start our WebGoat right here and navigate to Authentication Flaws and then Forgot Password. OK.

Now, let's read through the task. Web applications frequently provide their users the ability to retrieve forgotten passwords. Unfortunately, many web applications fail to implement the mechanism properly. The information required to verify the identity of the user is often overly simplistic. OK, let's take a look at the general goals. Users can retrieve their password if they answer the secret question properly. There is no lockout mechanism on this forgot password page.

OK, and that is the first vulnerability. Every page should block an account or block an IP address once someone has typed the secret question incorrectly three or five times. And also, once they type the password incorrectly multiple times, the page should lock them out or block them for a certain period of time. That is a good practice against brute force attacks, which we're going to take a look at in the next section. But for now, let's solve this challenge.

So, WebGoat password recovery: "Please input your username. See the OWASP admin if you do not have an account. Required fields: username." Now, we already know a couple of usernames, but for this video we're going to try to brute force the username. We will use a list of the most common usernames in order to see whether this application has a username like that. So how are we going to do that? Well, it's rather simple. Let's type anything right here, for example "test", and we are going to intercept our request. Let's submit this HTTP request, and this is the one that we want to use. As we can see, we have a field called username, and that field is what we want to send to Intruder. Let's turn off the intercept. Of course, we are going to get "not a valid username", because the test account does not exist on this page. But inside of our Intruder we can set our payloads accordingly in order to try to get a username.

OK, let's clear out all of the fields. This can be considered a semi brute force attack, because we are going to try to brute force a username as well as the secret question. First of all, we want to select the username field; I selected it by clicking on Add. Now we want to go to Payloads. Here we want to load a list of the most common usernames, and luckily our Kali Linux actually has some wordlists that can help us do this. All we have to do is click on Load and navigate to the wordlists directory. So make sure that you go first to the / directory, then to usr right here, then let's go to share, then let's try to find the wordlists directory, which is right here. In wordlists I'm going to go to metasploit, and from here I can choose the list that best fits this challenge. For this, I'm going to go with http_default_users.txt. I'm going to double click on that and it will load these usernames right here as my payload list. OK, awesome. All we have to do right now is start the attack. And how are we going to know which username is correct and which isn't? Well, usually it's rather simple, and I'll show you in just a second how we can recognize it. OK, our username brute force has finished, and here are all of the results.

As you can see, for each of these usernames we got status 200, and there's not really anything right here that says which username is correct, or even whether we found a single correct username among these. But if we take a closer look at the length of our response, which is right here (this number is the length of our response), you will notice that all usernames have the same length except this one, the admin username. Usually this is an indication that there is something different with this username, because it gave a different response than the rest. So the next thing we can do: we find the username with the different length, we right click on it, we select "Show response in browser", then we copy the link and navigate to that link inside of our browser. And here is the secret question. Since we got the secret question, that means that we found an existing username, and the secret question is: what is your favorite color? As you can see, this is a really, really bad question for security, because there are like 10 colors in existence and we can easily brute force that the same way we brute forced the username.

So let's do that right here. We're going to go to our website. Let's go to our proxy and turn on the intercept. Right now we're going to type test once again, because we don't really care what we write right here. All we want is to send this request to Intruder, turn off the intercept, and navigate to our Positions. Let's clear all of these fields and let's only double click the color field and click on Add. Now we go to Payloads, and here we can manually type the colors. For example, let's go for green, blue, yellow, and let's type every single color that we can think of. Let's go with green, black, white and, let me see, brown, perhaps. Maybe I forgot something, but let's give it a try with these colors first. So we loaded nine payloads, or nine colors, and we start the attack. We're pretty much looking for the same thing: a color with a different response. But here we actually got more than two lengths: we got colors with this length, we got colors with this length right here, and we got a single color with this length, which is 31973. Usually this is the one that you want to check first, because it has a unique length, which usually means that it's the correct one. So let's right click on green, select "Show response in browser", navigate to our Firefox and paste the link.

And here it is: we successfully guessed the username as well as the secret question for this account. So what exactly was the vulnerability here? Well, there are two things wrong with this. The first thing is that it doesn't block us after a certain number of incorrect requests, and the second thing is that the secret question is rather easy, and we guessed it in two seconds. Now we could finish this challenge: we have username admin, color green, and here is the password for the admin account. OK, awesome. We have one more challenge, or one more example, left to do from our OWASP WebGoat web application, and after that we're going to move to the brute forcing section. See you in the next lecture.