Not that many sites nowadays probably still use Basic Authentication for their web sites, but some old sites or those “non-standard” web interfaces might. My Sony security camera at work does, for example, which is why I wrote this.
Basic Authorization is, well, primitive. It uses Base64 encoding, which masks the password in a Wireshark capture (though it’s not encrypted, and in Burp Suite a simple right click sends the text into Decoder, where it is revealed). It might fool some basic script kiddies, but anyone serious knows about that “trick”. Which of course is why all authentication should only be done over HTTPS, not HTTP.
But back to my security camera. I used Burp Suite to capture the authentication sequence and found out it was using Basic Auth. You can see that in the screen capture below. I won’t get into setting up Burp Suite as a proxy to capture the traffic. I use Kali Linux, which has a lot of other tools too. If you haven’t used it, check it out.
You can actually see the bottom line says “Authorization: Basic” followed by an encoded string. By selecting the text and right clicking you can send this to Decoder. You can see what I sent for a username and password in this screen.
One note here: the decoded string is actually username:password. The colon separator is important…
Find this URL in Burp Suite in the Proxy tab, right click it and send it to “Intruder”. The Intruder tab should turn yellow. Go to the Intruder tab and then “Positions”. You should see the request. Highlight the encoded text that we are going to replace and click “Add”. This will set markers around the text to get replaced.
You could perform multiple substitutions but we only need the one.
Now that we have defined what we want to replace, we click on payloads and define what we want to put in there…
It didn’t fit on one screen so the next two pictures show it.
The first one shows the position we are going to change (1 in our case) and then the character set we are going to use. In this case it’s lower case letters and numbers. If you can reduce this at all it will make a huge difference for the time. So if you know it’s your company name and can’t remember the numbers, then take out everything else. Brute force attacks take a long time, even knowing you didn’t use q, z and x saves a lot of time.
You can also define the number of characters. Again if you know it was at least 6 characters adjust the minimum value. The closer you can get the better.
In the next part of this screen we create the rules. The first rule under payload processing says add the prefix “admin:”. If for example you knew the password began with cat, you could change the prefix to “admin:cat”. Next we add a rule to encode it back to Base64.
The last trick here is to remove the = from the list of characters to URL-encode, so the Base64 padding isn’t mangled before it is sent.
Once you have that done you simply start the attack and wait, and wait, and wait. Brute force attacks can take days, weeks or months. Don’t watch it…
When you finally get a password that works, the status will change from 401 to something else, like 200.
This attack is far from silent. If you run this, every security monitoring tool should set off alarms in minutes. You should warn the security team that this is you. If you fire this off at 2AM and they get woken up, they could be grumpy.
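As an added example from the monitoring side (not part of the original post): the first function decodes a Basic header back to the username:password pair that Decoder shows, and the second scans access-log lines for the burst of 401s a run like this produces and the 401 to 200 flip when a guess lands. The log line format, client IPs and credentials are all constructed for the example.

```python
import base64
import binascii
from collections import defaultdict

def basic_header(user, password):
    """Build the header value the post describes: Base64 of 'user:password'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed header: not valid Base64 or not UTF-8
    # The password may itself contain colons, so split on the first one only.
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def detect_basic_bruteforce(log_lines, threshold=5, window=60):
    """Flag clients that rack up `threshold` 401s within `window` seconds.
    Constructed log format: '<client_ip> <epoch_seconds> <status> <Authorization value>'.
    An alert also records whether the client later got a 200 with a Basic header."""
    events = defaultdict(list)  # client_ip -> [(timestamp, status, creds)]
    for line in log_lines:
        parts = line.split(" ", 3)
        if len(parts) == 4:
            ip, ts, status, auth = parts
            events[ip].append((int(ts), int(status), decode_basic(auth)))
    alerts = []
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        fails = [ts for ts, status, _ in evs if status == 401]
        bursts = [fails[i + threshold - 1] for i in range(len(fails) - threshold + 1)
                  if fails[i + threshold - 1] - fails[i] <= window]
        if bursts:
            users = sorted({c[0] for _, st, c in evs if st == 401 and c})
            success = any(st == 200 and ts >= bursts[0] and c for ts, st, c in evs)
            alerts.append({"client": ip, "failures": len(fails), "users": users,
                           "success_after_burst": success})
    return alerts

# Constructed sample log: 10.0.0.7 guesses 'admin' passwords rapidly then gets a 200.
SAMPLE_LOG = [f"10.0.0.7 {1700000000 + i} 401 {basic_header('admin', 'aaa' + c)}"
              for i, c in enumerate("abcde")] + [
    f"10.0.0.7 1700000006 200 {basic_header('admin', 'cat01')}",
    f"10.0.0.9 1700000050 200 {basic_header('viewer', 'secret')}",
]
```

Real web-server access logs do not record the Authorization header by default, so in practice the per-client 401 rate is the signal; the header decoding is only there to show what the Base64 hides.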