Basic access authentication bruteforce


Sometimes people try a simple way to hide access to parts of a site using basic access authentication, handled by the HTTP user agent (the browser). It's not very sophisticated or super effective, but you often come across this solution. It will definitely block a regular user, and if the login and password are not admin and 12345 it will definitely stop someone. I often come across this solution used as the first line of security; for example, the admin login interface sits at example.com/admin and this part of the site is additionally blocked by basic access authentication. Recently I got the admin credentials (don't ask me how) for logging into one system, but basic access authentication got in the way. I already thought I was an admin, yet such a simple solution stopped me for a while.

basic authentication

Yes, you heard right, for a while, because usually this login and password are short and simple. Everyone sets something simple there and puts more effort only into the target system, where they have a complicated password saved in KeePass. It is not a rule, but in my career basic auth has stopped me only once, and it was not today :)

The only difficulty for a young student of the hacking arts in performing a brute-force attack against this login form is that the login and password are sent as a single Base64-encoded string. For example admin:superpassword looks like YWRtaW46c3VwZXJwYXNzd29yZA==. You can test it and decode it here. Below I'll show you two of the many ways to prepare a proper payload and execute an attack.

Using Burp

I assume you already know the basics of Burp. Intercept the request with a fake login and password filled in and send it to Intruder.

Look for a request with an Authorization: header.

GET /admin HTTP/2
Host: example.com
Cache-Control: max-age=0
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

In Burp, decode the Base64 string: select it and Right Click->Convert Selection->Base64->Base64-decode. You can also practice decoding with CyberChef.

Once decoded you can see that the login and password look like username:password. Now we need to prepare the input and encode it so that we can push it and brute-force the auth form.

Select the encoded content, §username:password§. Attack type is Sniper attack. Payload type is Brute Forcer. In payload processing, add the prefix admin: for the user and then Base64-Encode. It is important to remove the = character from the payload encoding (the set of characters Intruder URL-encodes), because = is used by Base64 for padding and must be sent unchanged. The complete setup can be seen on the screenshot below.

SniperAttack

If you also want to use a list of users and a list of passwords, select the Cluster bomb attack. Your first payload list will then be a simple list of users in the form username1:, username2:, etc., with payload processing of only Base64 encoding, and the second payload will also be a simple list, but of passwords, also Base64 encoded.

Cluster bomb payload 1

Cluster bomb payload 2

Thanks to these two examples, you can combine whatever you want. But there is an even simpler solution.

Using ffuf

ffuf is a great fuzzer and there is one awesome script built for it, ffuf_basicauth.sh.

This script will generate username:password strings from your username and password lists and then encode each one using Base64. So finally you have a finished payload that you can use in Burp in a Sniper attack or directly with ffuf.

./ffuf_basicauth.sh usernames.txt passwords.txt |ffuf -w -:AUTH -u https://example.com/endpoint -H "Authorization: Basic AUTH" -fc 403

Sweet, right? In general, people who use basic auth for websites are trying to make it harder to access some part of the site, but they usually use a simple combination of username and password. You can use already built lists like CommonAdminBase64.txt, or just names combined with 2023-200_most_used_passwords.txt and everyone's favorite RockYou from SecLists.
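The same encoding seen from the other side of the wire, as an added defender-side example (not code from the original post or the ffuf project): the first function decodes the Authorization header described above, splitting on the first colon only and rejecting a token whose = padding was stripped, and the second runs a simple detector over constructed access-log lines, since a client that collects many 401s on one path and then a 200 is exactly the trace a wordlist run like the one above leaves. The IPs, paths, log lines and threshold are all constructed assumptions.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed "combined"-format access-log sample (not from the original post): 203.0.113.5
# is rejected five times on /admin before one request succeeds; 198.51.100.7 mistypes once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:01 +0000] "GET /admin HTTP/2.0" 401 179 "-" "curl/8.4.0"
203.0.113.5 - - [10/Oct/2024:13:55:01 +0000] "GET /admin HTTP/2.0" 401 179 "-" "curl/8.4.0"
203.0.113.5 - - [10/Oct/2024:13:55:02 +0000] "GET /admin HTTP/2.0" 401 179 "-" "curl/8.4.0"
203.0.113.5 - - [10/Oct/2024:13:55:02 +0000] "GET /admin HTTP/2.0" 401 179 "-" "curl/8.4.0"
203.0.113.5 - - [10/Oct/2024:13:55:03 +0000] "GET /admin HTTP/2.0" 401 179 "-" "curl/8.4.0"
203.0.113.5 - admin [10/Oct/2024:13:55:03 +0000] "GET /admin HTTP/2.0" 200 5120 "-" "curl/8.4.0"
198.51.100.7 - - [10/Oct/2024:13:56:10 +0000] "GET /admin HTTP/2.0" 401 179 "-" "Mozilla/5.0"
198.51.100.7 - admin [10/Oct/2024:13:56:14 +0000] "GET /admin HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def decode_basic_header(value):
    """Turn 'Basic <base64>' into (user, password). Splits on the FIRST colon only, since the
    password may contain ':'. Returns None for another scheme, bad Base64 or missing padding."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def find_basic_auth_bruteforce(log_text, threshold=5):
    """Count 401s per (client IP, path) and return {(ip, path): (failures, got_200_afterwards)}
    for every pair at or above threshold; a True flag means the guessing client got in."""
    failures = defaultdict(int)
    succeeded = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["path"])
        if m["status"] == "401":
            failures[key] += 1
        elif m["status"] == "200" and failures[key] >= threshold:
            succeeded.add(key)
    return {k: (n, k in succeeded) for k, n in failures.items() if n >= threshold}
```

On a real server the same counting belongs in fail2ban or the reverse proxy's rate limiting; rejecting the flagged client at the edge removes the advantage of a short wordlist entirely.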

Today's guide was simple and short, but sometimes I find simple tasks to do, and I think it is worth documenting them for others, so... that's all folks!

In the end, all the simple tasks together will allow you to do the magic and hack whatever you want.