We can use the existence of error messages like “Sorry, that username already exists!” to produce a list of valid usernames already signed up on the system by using the ffuf tool below. The ffuf tool uses a list of commonly used usernames to check against for any matches.
1 |
user@localhost$ ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.11.12.13/user/signup -mr "Sorry, that username already exists!" > valid_usernames.txt |
In the above example, the -w
argument selects the file’s location on the computer that contains the list of usernames that we’re going to check exists. The -X
argument specifies the request method, this will be a GET request by default, but it is a POST request in our example. The -d
argument specifies the data that we are going to send. In our example, we have the fields username, email, password and cpassword. We’ve set the value of the username to FUZZ. In the ffuf tool, the FUZZ keyword signifies where the contents from our wordlist will be inserted in the request. The -H
argument is used for adding additional headers to the request. In this instance, we’re setting the Content-Type
to the webserver knows we are sending form data. The -u
argument specifies the URL we are making the request to, and finally, the -mr
argument is the text on the page we are looking for to validate we’ve found a valid username.
Using the valid_usernames.txt file we generated in the previous task, we can now use this to attempt a brute force attack on the login page (http://10.11.12.13/customers/login).
1 |
user@localhost$ ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.11.12.13/customers/login -fc 200 |