Username enumeration using Burp Intruder’s Different Attack Types

Whenever we see a login page in any application we usually try to check whether the default credentials are working or not sometime, we also go ahead with the bruteforcing of username and password. The Bruteforcing of username and password is known as enumeration.

What is username enumeration?

In username enumeration, hacker tries to enumerate valid username in the application. On basis of verbose error hacker can differentiate between the valid and invalid usernames

Example: In below application I provided a wrong username.

In response in got an error message which says Invalid Username

/

Therefore, from here it is clear that we can actually differentiate between valid and invalid usernames.

How to retrieve username enumeration information?

There are multiple ways but generally, attacker or pen-tester uses brute force techniques. For brute force attack, we need a list of common username to figure out the username and a automated tool which can actually automate the things of the testing we have couple of tools for it such as hydra, john the ripper Intruder in Burp Suite. Here I am using the Intruder tab of the burp suite in order to bruteforce the username.

Note: If there is no account lockout on the application after several attempts then we can easily carry out this attack.

To proceed further first we have to intercept the login request and send it to the intruder. In intruder tab, we have four sub tabs.

i. Target: URL of application where attack is going to be performed.

ii. Position: On which parameter we want to perform the attack. Here I selected value of username field and password field.

iii. Payloads: Here we specify how we want to perform processing and which data we are going to use for that. In which order payload are going to processed.

iv. Options: If we want to modify default rules of burp suite or we want to do any match and grep in the intruder.

In above screenshot we can clearly see there is Attack type in ‘Positions Tab’. In attack type, there are couple of options such as Sniper, Battering Ram, Pitchfork and Cluster Bomb.

If we have a single set of payload then ‘Sniper’ or ‘Battering ram’ attack will work and if we have, a multiple set of payload (two set of payload) then ‘pitchfork’ or ‘cluster bomb’ attack will work.

· Sniper:

It places each payload into the selected position in turn one positions at a time i.e. If we have selected multiple positions in the request and we have sniper attack type in place then it is going to put the payload in the first position and then after testing it place the payload in the second position. i.e then if we have 5 Payloads then the intruder will make 10 request 5 for each place.

Total number of fuzz request is equal to the length of the list if we have only one position selected at a time.

After performing fuzzing on username field. I got valid username.

Use:

To fuzz a no of request on individual field.

· Battering ram:

It places the same payload in all the selected position at once. So if we three selected positions, it places the payload all three selected positions at a time.

Since the payload is placed on the positions at the same time so total no of attack requests is equal to entry in the list.

After performing it username field. I got username.

Use:

It is useful where we need to insert same input in 2 or 3 positions at a time.

· Pitchfork:

When we have multiple position, such as username and the password then we can use this attack type.

After selecting this option, we have two set of payload options available.

So in first position I pasted username list (i.e. shown in initial screen shot of blog) and in second payload position I pasted common password list.

Processing of both the list start simultaneously. In the first request, it places 1st payload in first position, 2st payload in second position and same thing happen with consecutive request.

Total no of request is equal to size of smallest list. As in our case, we have both list of equal size of 100.

Use:

It is useful in those attacks where we need to brute force the both username and the password

· Cluster bomb:

If we have two positions here it uses the first payload set and tests it against all first entry of the payload set 2.

As we have two positions, username and password. In username position, it places the payload username list in the username and takes the first entry of the password list and tests it out against all the usernames.

After testing all the username with the first entry of the payload2 it moves ahead to the 2nd entry and tests it against all the usernames

Use:

It is useful for those places where inputs are different and not related to each other.

Remediation

· Show a simple error message stating username or password is incorrect so verbose error doesn’t let the hacker guess the usernames or passwords.

· Apply a rate limiting on the login panel and block out the login after 3–4 incorrect attempts or after several invalid requests.

· Add a captcha

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store