In the past few months I've been going deep into the world of Cybersecurity. Learning about analysing network packets in depth, scanning networks, finding vulnerabilities and how to exploit them, among other things, has made my passion for Computer Science stronger than ever. In this half write-up half ramble post, I'll try to explain why.
The thought process starts with a lab from Portswigger Academy called Broken brute-force protection, IP block, which you can check out here. In this lab we are given a website with a weak protection against password brute-forcing and need to exploit it to find the password for a user named carlos, which is in a list that is also provided. We are also given a pair of valid credentials wiener:peter.
The login page looks like this after entering a random username and password for testing purposes:
In a regular scenario, we could just leverage Burpsuite's Intruder to iterate over the list of possible passwords while sending requests for each one. But in this case, we have some protection against this kind of brute-forcing:
After three consecutive requests with invalid login credentials, your IP is blocked for one minute. You might think it's a good idea to write a script which waits this one minute before sending another request, but that would take a very long time in any real-world scenario with a huge list of possible passwords. Remember how we are given a pair of valid credentials? The key to solving this lab is to insert requests with valid credentials in between the trial ones. This way, your IP will not be blocked no matter how many invalid requests you make.
To make this process not be repetitive and slow, I saved the possible passwords in a file called passwords.txt, and wrote these two little Python scripts:
These are very straightforward. The first one just inserts the word peter in between every password and spits it out in a new file. The result looks like this, with a total of 200 passwords:
The second script contains pretty much just two usernames, carlos and wiener, intercalated 200 times, to match the passwords.
Those two lists are used in Burp Intruder, with a request captured from the login page. Selecting the attack type pitchfork, we then have intercalating requests, being one with valid credentials followed by another one with possible passwords for carlos.
If we then run this attack, it works just fine to find the password and solve the lab. But why stop there? Reading the official solution for the lab after completing it, I saw that an extension for Burpsuite called Turbo Intruder was mentioned, and I went out to investigate it.
I then came across this amazing talk by James Kettle, the creator of the tool, in which he explains in detail how Turbo Intruder was created and how it manages to be so damn fast by leveraging the features of the HTTP header connection keep-alive (thus having many requests sent after only one Three-Way Handshake) and HTTP request pipelining (send all of your requests and only then worry about getting responses).
In the end, I implemented the solution using Turbo Intruder to apply what I had learned about the tool. It looks like this:
See how the whole process is a lot simpler than using the regular Burp Intruder. The Turbo version allows you to write Python code to handle both the requests and responses, I only needed the passwords.txt file and all the extra logic was implemented within Burp itself.
This last part, I believe, is where the real fun and learning happen. When you have finished the lab and decide to look a bit deeper into one thing or another and end up learning about a bunch of other concepts. Or when you hear about a tool and decide to look up how it was implemented, the ideas that make it be what it is and behave the way it does, or even other ways you can use it.
Exploring, playing around and testing the boundaries of the concepts you learn are the most important part of learning new things. It's what keeps the passion for the subject alive.
Top comments (0)