Bypass HTTP Basic Authentication with Nmap and Metasploit

0
Bypass HTTP Basic Authentication

Basic HTTP authentication is a method for providing username and password when making a request for particular web resources. The client sends the user name and password as unencrypted base64 encoded text.

When an anonymous request for protected resource is received by HTTP, it can force the use of Basic authentication by rejecting the request with a 401 (Access Denied) status code.

HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="Server Results"
Content-Length: 0

The word Basic in WWW-Authenticate shows the user must use the basic authentication method to access the protected resources. The realm can be set to any value that describes the secure area in particular resources.

GET /protectedfiles/ HTTP/1.1
Host: www.kamranmohsin.com
Authorization: Basic adsadWNoOmY=

When successful attempt is made, HTTP status becomes 200 OK. adsadWNoOmY=
is the basic64 encoded version of username and password.

Bypass HTTP Basic Authentication with Nmap

The bypass can be done with Nmap (Network Mapper) a security scanner. It is used to discover hosts and services on a computer network. Nmap comes with more than 130 NSE scripts that helps in discovering nearly every possible information in a network.

For hands on practice, click here. The hints to bypass the authentication are provided in the link. For username and password, create two separate files in Kali Linux. I’m creating a directory first.

Enter and write:

Type Ctrl+O > Enter > Ctrl+X

Lets make a password file, according to the hint given i.e 5 characters and uses only a,s,d lowercase. Password examples – asddd, aassd, ssdaa etc.

Crunch command helps in making combinations for brute forcing. Crunch is followed by 5 minimum or 5 maximum characters that could include ‘asd’. The resultant combinations are saved into pass.txt file.

Now use the nmap http-brute command to bypass the http basic authentication. Following is the command.

nmap -p 80 --script http-brute --script-args 'http-brute.hostname=pentesteracademy
lab.appspot.com, http-brute.method=POST, http-brute.path=/path/webapp/basicauth, 
userdb=/root/demo/users.txt, passdb=/root/demo/pass.txt' -n -v pentesteracademy
lab.appspot.com

We are checking for port 80, the hostname should be the site for which you are bypassing authentication. Method and path should be checked by viewing the source page for login page. The complete path for user.txt and pass.txt should be given. -n shows no dns and -v is the verbose mode. At last the site name should be written.

Bypass HTTP Basic Authentication with Metasploit

Metasploit helps in finding security issues, verify vulnerability mitigations & manage security assessments.

Follow the commands in screenshots.

After the run command, within few minutes you will get the same password “aaddd”.

 

Leave a Reply