Password Guessing Attack

Scenario: Check if a user account exists for which password is same as the username.

In Mutillidae, go to the login page by clicking on "Login/Register" link.

Ensure Burp is in intercept mode.
Login to the Mutillidae application.
Intercept the login request and, assuming that usernames have already been enumerated, send the request to Intruder.

Mark the payload positions and choose an appropriate attack type (Pitchfork in this case).

Choose payload type as 'Simple list' for the username input field, and load enumerated username list.

To test the scenario where username and password are same, select Copy other payload option and set the value for 'Copy from position' payload option as 1, for password input field.

Note: To perform the test against a separate list of passwords, select payload type as 'Simple list' and load the desired password list.

Go to Intruder > Options > Grep - Extract and identify the position to extract usernames returned by the server. If a user is successfully logged-in, then username passed in the request would match the username returned in the server's response, otherwise the two usernames would not match (as per the current system's behavior).

Go to Intruder > Options > Grep - Match and enter a unique text, say 'Logged In User' that identifies server response for a valid login scenario.

Check the status of the column as set in step #6 (above).

5. Save attack results and extract the valid username/password combinations.

PreviousSecurity Misconfiguration NextUser Enumeration

Last updated 4 years ago