- Understand the brute-force password cracking concept
- Understand the web password cracking concept
- Understand basic Burp Suite usage
- Kali Linux light version
- Burp Suite Community Edition
- 4G network with a Huawei mobile wifi router
Target: Brute force the Wi-Fi router admin password through the web console interface.
- Burp Suite is not available by default in Kali light and needs to be installed: apt-get install burpsuite
- Note: ifconfig is no longer installed by default in Kali; use “ip a” instead.
- Start Burp Suite with all default options and make sure Intercept in the Proxy tab is on.
- Start the Firefox browser, change the proxy to 127.0.0.1 port 8080 and delete any entries in the “No Proxy for” field at the bottom. Also select the “Use this proxy server for all protocols” option.
- Access the Wi-Fi router web console at https://192.168.1.1
- Traffic starts to show up in the Burp proxy; review each request and Forward it so the main page loads fully.
- Click Login on the main page and Forward the requests in the Burp proxy until the login dialog pops up. Note that the User name is “admin” by default.
- Enter the password “1234” and click the Log In button.
- Back in the Burp proxy, Forward the requests until the POST /api/user/login request appears. In this request the username and password are sent to the server in <Username> and <Password> tags. Go to the HTTP history tab and select that login request: the Response returns an error code, meaning the password is incorrect.
- Note that the Password value is base64-encoded.
- Right-click the request content and select Send to Intruder (or press Ctrl+I); the Intruder tab turns red.
- Go to the Intruder tab; the attack Target is filled in automatically.
- Go to Positions and check the $$ markers; these are the positions whose values we can replace to perform the attack. The Password value is the 4th position.
- Go to Payloads and select Payload type: Custom iterator.
- Position: 4. If a password list file is available, select Load; if not, add the values one by one in the Add text box.
- Payload Processing: add an Encode: Base64-encode rule.
- Payload Encoding: uncheck “URL-encode these characters”. Without this, the base64-encoded Password in the attack payload will not match the one the router web console sends.
- Click Start Attack.
- In the Attack result window, all payloads have been sent. Only one has Length 265 in the list; select it. Its encoded password is “YWRtaW4”, which is “admin” in plain text. This payload's smaller length is due to a smaller Response length. Check the Response tab: the length is 61 with message OK, meaning that is the correct password.
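As an added example, not part of these notes: the two signals the walkthrough relies on, a burst of POST /api/user/login requests from one client and a response length that breaks the run of identical failure responses, are exactly what a defender can alert on from the router's or a reverse proxy's access log. The log lines, client IPs, timestamps and response sizes below are constructed, and the Common Log Format layout is an assumption about how the console logs requests.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/api/user/login"  # the login endpoint seen in the Burp capture
# Common Log Format (assumed); IPs, timestamps and sizes in SAMPLE_LOG are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = int(rec["size"])
    return rec

def detect_login_bruteforce(lines, max_attempts=4, window=timedelta(minutes=1)):
    """Return {ip: summary} for clients sending more than max_attempts login POSTs inside
    `window`; the summary also records the first response size that breaks the failure run."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            attempts[rec["ip"]].append((rec["ts"], rec["size"]))
    alerts = {}
    for ip, events in attempts.items():
        events.sort()  # sliding window over the client's login POSTs, oldest first
        for i, (start, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len(burst) > max_attempts:
                sizes = [size for _, size in burst]
                anomalous = next((s for s in sizes if s != sizes[0]), None)
                alerts[ip] = {"attempts": len(burst), "failure_size": sizes[0],
                              "anomalous_size": anomalous}  # a likely successful guess
                break
    return alerts

SAMPLE_LOG = """\
192.168.1.23 - - [10/Mar/2024:20:15:02 +0000] "POST /api/user/login HTTP/1.1" 200 298
192.168.1.23 - - [10/Mar/2024:20:15:03 +0000] "POST /api/user/login HTTP/1.1" 200 298
192.168.1.23 - - [10/Mar/2024:20:15:04 +0000] "POST /api/user/login HTTP/1.1" 200 298
192.168.1.23 - - [10/Mar/2024:20:15:05 +0000] "POST /api/user/login HTTP/1.1" 200 298
192.168.1.23 - - [10/Mar/2024:20:15:06 +0000] "POST /api/user/login HTTP/1.1" 200 298
192.168.1.23 - - [10/Mar/2024:20:15:07 +0000] "POST /api/user/login HTTP/1.1" 200 265
192.168.1.50 - - [10/Mar/2024:20:16:00 +0000] "POST /api/user/login HTTP/1.1" 200 298
""".splitlines()
```

Running detect_login_bruteforce(SAMPLE_LOG) flags only 192.168.1.23, with six attempts, failure size 298 and the odd-sized 265 response; the single attempt from 192.168.1.50 stays below the threshold.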