1
00:00:01,480 --> 00:00:02,170
Welcome back.

2
00:00:02,500 --> 00:00:04,630
Time to perform our brute force attacks.

3
00:00:05,050 --> 00:00:10,270
We're going to cover a couple of examples of brute force, whether with Burp Suite or some other tool,

4
00:00:10,780 --> 00:00:14,480
but nonetheless, the principle behind them is always the same.

5
00:00:14,890 --> 00:00:20,980
We want to use lists with a bunch of usernames and passwords to try to get credentials of a certain

6
00:00:20,980 --> 00:00:21,370
account.

7
00:00:21,700 --> 00:00:23,560
So this doesn't always work.

8
00:00:23,770 --> 00:00:30,590
Matter of fact, it usually won't work unless the target has a common username or a weak password.

9
00:00:31,570 --> 00:00:35,910
The first example that we cover is going to be with our Burp Suite Intruder.

10
00:00:36,250 --> 00:00:42,100
We only saw a couple of examples of using Intruder, but right now we're going to take a look at a different

11
00:00:42,100 --> 00:00:43,840
approach to this attack.

12
00:00:44,440 --> 00:00:49,900
So first, what we want to do is navigate to this application that says OWASP Bricks.

13
00:00:50,170 --> 00:00:54,990
Click on that and it will lead us to this page. Under the Bricks tab,

14
00:00:55,000 --> 00:00:58,270
we will have some tab that says login pages.

15
00:00:58,630 --> 00:00:59,410
Click on that.

16
00:01:00,220 --> 00:01:04,360
And here we will have multiple login pages that we can practice on.

17
00:01:04,660 --> 00:01:08,050
Now, for this example, we're going to go with login number one.

18
00:01:08,290 --> 00:01:11,320
And then if you want, you can practice on the rest of the logins,

19
00:01:11,320 --> 00:01:12,850
since the steps to performing

20
00:01:12,850 --> 00:01:16,660
this attack will be the same for each challenge right here.

21
00:01:17,300 --> 00:01:19,360
OK, let's navigate to login one.

22
00:01:19,660 --> 00:01:24,850
And we have a simple login form. If we type test and test,
23
00:01:26,030 --> 00:01:29,060
it will tell us wrong username or password.

24
00:01:29,630 --> 00:01:34,550
OK, let's intercept this request right here inside of our Burp Suite.

25
00:01:37,620 --> 00:01:45,060
And let's send it straight to Intruder. Here, we can turn off the intercept right afterwards, and

26
00:01:45,060 --> 00:01:49,350
let's navigate to our Positions tab inside of our HTTP request.

27
00:01:50,290 --> 00:01:53,110
So down here, we have our username and password field.

28
00:01:54,240 --> 00:02:01,130
Now, before, when we used Intruder, we used this attack type sniper and we only targeted one field;

29
00:02:01,860 --> 00:02:07,910
right now we're going to target two fields at the time, the username field and the password field.

30
00:02:08,370 --> 00:02:15,480
So let's first clear all the other payloads and let's double click on username, click on Add, and double

31
00:02:15,480 --> 00:02:22,880
click on password and also click on Add. Under the attack type, we want to switch from sniper to cluster bomb.

32
00:02:22,890 --> 00:02:28,380
And if you remember correctly, the cluster bomb is the attack type where we can use multiple payload

33
00:02:28,380 --> 00:02:30,320
sets in order to perform the attack.

34
00:02:30,630 --> 00:02:36,040
In other words, we have multiple input fields that we want to brute force: the username and password.

35
00:02:36,660 --> 00:02:41,010
Now let's go to the Payloads tab, and it looks rather the same, just this time

36
00:02:41,010 --> 00:02:48,360
we have payload set one and we can also choose payload set two. The first one is the username payload

37
00:02:48,360 --> 00:02:48,620
set.

38
00:02:48,630 --> 00:02:52,230
And here we want to load a list that contains the usernames.
39
00:02:53,010 --> 00:02:58,830
Now, in a real life scenario, you would use a list much bigger than we use in our examples, because

40
00:02:58,830 --> 00:03:06,360
for this attack, we're going to use the default users again, which is in our wordlist directory inside

41
00:03:06,360 --> 00:03:07,540
the display directory.

42
00:03:08,010 --> 00:03:14,370
This list only has like 14 common usernames, but this is just to prove that the attack works.

43
00:03:14,370 --> 00:03:21,150
In reality, you would use a much, much bigger list. Once you select it right here, click on set and

44
00:03:21,150 --> 00:03:22,080
select payload

45
00:03:22,080 --> 00:03:24,630
set number two. Under the payload set

46
00:03:24,630 --> 00:03:28,800
number two, we want to load HTTP default passwords.

47
00:03:29,340 --> 00:03:35,670
In other words, it's called http_default_pass.txt. Double click on that

48
00:03:35,880 --> 00:03:39,600
and it will load 19 common passwords right here.

49
00:03:40,290 --> 00:03:46,830
If we just do this and we start the attack, as it says right here, it will have a number of two hundred

50
00:03:46,830 --> 00:03:48,330
and sixty six combinations.

51
00:03:48,660 --> 00:03:50,940
So this will take a minute or two to finish.

52
00:03:51,390 --> 00:03:55,050
But as soon as we start, we notice something strange.

53
00:03:55,800 --> 00:04:00,810
Every single request, or every single response, almost has a different length.

54
00:04:01,350 --> 00:04:05,550
So how are we going to determine which username and password is correct?

55
00:04:05,910 --> 00:04:07,410
We need some other approach.

56
00:04:07,950 --> 00:04:10,560
So let's close this for just a second.

57
00:04:10,560 --> 00:04:14,400
We're going to stop this attack and let's go back to our page.

58
00:04:14,820 --> 00:04:20,550
Once we typed in the incorrect username and password, we got this message right here.
59
00:04:21,269 --> 00:04:27,660
So maybe we can use something like this to determine which username is incorrect and which password

60
00:04:27,660 --> 00:04:28,350
is incorrect.

61
00:04:29,250 --> 00:04:30,810
Let's go back to it.

62
00:04:31,380 --> 00:04:39,510
And if we navigate to the Options tab right here, we're going to see this option that says Grep -

63
00:04:39,510 --> 00:04:39,900
Match.

64
00:04:40,680 --> 00:04:46,560
These settings can be used to flag result items containing specified expressions.

65
00:04:47,670 --> 00:04:55,000
So let's clear this list and let's perhaps add this statement right here.

66
00:04:55,440 --> 00:04:59,820
So, in other words, what this means, let me just paste it first,

67
00:05:02,670 --> 00:05:08,440
is that it will flag each result that contains this sentence in its response.

68
00:05:08,940 --> 00:05:16,030
In other words, it should flag every incorrect username and password combination that it tries.

69
00:05:16,890 --> 00:05:21,720
Let's run the attack again: go back to Payloads and start the attack.

70
00:05:24,000 --> 00:05:30,900
Now, you can see each of these username and password combinations is getting flagged, except one.

71
00:05:30,900 --> 00:05:38,280
We got this admin and admin combination that didn't get flagged, which means that the sentence

72
00:05:38,280 --> 00:05:42,400
"wrong username or password" isn't contained in its response.

73
00:05:43,350 --> 00:05:48,000
This most likely means that this is a correct username and password combination.

74
00:05:48,090 --> 00:05:54,210
As we can see, the rest of them are all flagged and it's still going with this attack.

75
00:05:54,210 --> 00:05:57,800
But we can stop it since we already found the correct username and password.

76
00:05:58,140 --> 00:06:03,600
In reality, this attack would take much, much longer with much, much more combinations of usernames

77
00:06:03,600 --> 00:06:04,470
and passwords.
78
00:06:04,740 --> 00:06:09,250
And even at the end, you might not be able to find any correct combination.

79
00:06:09,690 --> 00:06:16,080
Nonetheless, let's give our correct combination a try to see whether it worked, and let's type

80
00:06:16,080 --> 00:06:18,300
admin and

81
00:06:19,320 --> 00:06:19,950
admin.

82
00:06:21,370 --> 00:06:25,510
And it worked, we successfully logged in, as it gave us right here.

83
00:06:26,110 --> 00:06:30,440
Now you can try this on other examples as well inside of this Bricks application.

84
00:06:30,850 --> 00:06:35,770
However, in the next video, we're going to take a look at a more useful tool for brute force attacks,

85
00:06:36,280 --> 00:06:37,720
which is called Hydra.