With Burp Suite we can run dictionary attacks against a website. In this simulated attack we will brute force the login form of the Juice Shop web application. We already know the email address of an admin user, so we only need to find the right password.

Important note: hacking in the wild is illegal! Do NOT do it outside the lab, unless you are a penetration tester with a signed contract!
What is a Brute Force attack?
Brute Force is a type of attack in which an Ethical Hacker or a Black Hat attacker tries to guess secret data such as PIN numbers, passwords, user names or encryption keys. Brute Force ranges in complexity from a person typing and guessing passwords by hand to fully automated attacks.
We used dictionary based attacks in the previous articles with Hydra. It means that we had lists of passwords and/or user names in files, and our tool tried every combination of them to break into a service. Burp Suite can perform such attacks against web applications. We will leverage this functionality to attack our Juice Shop installation.
Attack preparation
In this simulated attack we will use a dictionary that ships with Kali in the /usr/share/wordlists/fern-wifi/common.txt file. It contains a list of candidate admin passwords.
Let’s open the Juice Shop in the browser and fire up the Burp Suite!
The hacker’s machine: Kali Linux [192.168.23.131]
The attacked machine: Debian Bullseye [192.168.23.133]
The two machines can see each other on the network.
The Juice Shop web application is running.
The attack
We have to navigate to the login page in Juice Shop.
Let’s make sure that Intercept is turned on in the Proxy tab.

In the browser we have to set up the Burp proxy as our default proxy.

Let’s try to log in with the admin@juice-sh.op user and a random password. The Burp proxy will catch our request.
{"email":"admin@juice-sh.op","password":"pw"}
We have to send this request to the Intruder by right-clicking on the text, or with Ctrl + I.
On the Intruder tab let’s clear all payload positions with the button on the right, and mark the payload position as follows:
{"email":"admin@juice-sh.op","password":"§pw§"}
Let’s navigate to the Payloads tab and load a password dictionary file. We will use /usr/share/wordlists/fern-wifi/common.txt now.
Click on the Start attack button and acknowledge the notification by clicking OK.
In the new window we can sort our results by Status. Every status code starting with 4xx is an error; we are looking for a successful 2xx status code. It means that the login with that password was successful.

We just found the admin user’s password!
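The status-code pattern above (a burst of 4xx responses to the login endpoint, then a single 200) is also what a defender sees in the server logs. As an added example that is not part of the original article, this Python snippet parses constructed access-log lines and flags a client that sends a burst of failed POSTs to the login endpoint, noting whether a 200 followed; the login path /rest/user/login, the IP addresses and the timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (combined log format) modelled on the Intruder run
# above: a burst of failed POSTs to the login endpoint from one client, then a 200.
# The path /rest/user/login is assumed; IPs and timestamps are made up.
SAMPLE_LOG = """\
192.168.23.131 - - [10/Mar/2023:10:00:01 +0000] "POST /rest/user/login HTTP/1.1" 401 26
192.168.23.131 - - [10/Mar/2023:10:00:01 +0000] "POST /rest/user/login HTTP/1.1" 401 26
192.168.23.131 - - [10/Mar/2023:10:00:02 +0000] "POST /rest/user/login HTTP/1.1" 401 26
192.168.23.131 - - [10/Mar/2023:10:00:02 +0000] "POST /rest/user/login HTTP/1.1" 401 26
192.168.23.131 - - [10/Mar/2023:10:00:03 +0000] "POST /rest/user/login HTTP/1.1" 200 812
192.168.23.50 - - [10/Mar/2023:10:00:04 +0000] "POST /rest/user/login HTTP/1.1" 401 26
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def detect_password_guessing(log_text, login_path="/rest/user/login",
                             threshold=4, window_seconds=60):
    """Flag clients with >= threshold failed (4xx) logins inside window_seconds.
    A dictionary attack stops at the first 2xx, so a 4xx burst followed by a 200
    from the same client is the strongest sign that a password was found.
    Returns {ip: {"failures": n, "followed_by_success": bool}}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == "POST" and parsed[3] == login_path:
            events[parsed[0]].append((parsed[1], parsed[4]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        failures = [ts for ts, st in evs if 400 <= st < 500]
        for i, start in enumerate(failures):
            # all failures within the window that opens at this failure
            burst = [t for t in failures[i:] if (t - start).total_seconds() <= window_seconds]
            if len(burst) >= threshold:
                success = any(st < 300 and ts >= burst[-1] for ts, st in evs)
                alerts[ip] = {"failures": len(burst), "followed_by_success": success}
                break
    return alerts
```

A client flagged with followed_by_success set to True is the case to treat as a probable account compromise rather than just noise.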
Double check it
We can right-click on the row with Status 200 and send the request to Repeater.
We will see the following payload in the request:
{"email":"admin@juice-sh.op","password":"admin123"}
Clicking on the Send button will show us that the response is successful:
HTTP/1.1 200 OK
Log in to the website
We know the admin user’s email address and password, so we can now log in to the site with these credentials.
The password was easy to guess and a simple dictionary attack brought us luck. The more complex a password is, the longer it takes to crack it with such techniques.
Always use complex passwords and multi-factor authentication whenever possible!
If you have anything to share then please visit my Tom’s IT Cafe Discord Server!