Wednesday, May 20 2020

Bypass HTTP Basic Authentication with Nmap and Metasploit

Basic HTTP authentication is a method for supplying a username and password when requesting particular web resources. The client sends the username and password as unencrypted, base64-encoded text.

When the server receives an anonymous request for a protected resource, it can force the use of Basic authentication by rejecting the request with a 401 (Access Denied) status code.

HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="Server Results"
Content-Length: 0

The word Basic in WWW-Authenticate tells the client that it must use the Basic authentication method to access the protected resources. The realm can be set to any value that describes the secure area the resources belong to.

GET /protectedfiles/ HTTP/1.1
Authorization: Basic adsadWNoOmY=

When the attempt succeeds, the HTTP status becomes 200 OK. adsadWNoOmY= is the base64-encoded username and password.

Bypass HTTP Basic Authentication with Nmap

The bypass can be done with Nmap (Network Mapper), a security scanner used to discover hosts and services on a computer network. Nmap ships with more than 130 NSE scripts that help discover nearly every kind of information about a network.

For hands-on practice, click here. The hints for bypassing the authentication are provided in the link. For the username and password, create two separate files in Kali Linux. I’m creating a directory first.

Enter and write:

Type Ctrl+O > Enter > Ctrl+X

Let’s make a password file. According to the hint given, the password is 5 characters long and uses only the lowercase letters a, s and d. Password examples: asddd, aassd, ssdaa, etc.

The crunch command generates the combinations needed for brute forcing. Here crunch is given a minimum length of 5, a maximum length of 5 and the character set ‘asd’. The resulting combinations are saved to the pass.txt file.

Now use the nmap http-brute script to bypass the HTTP Basic authentication. The command is as follows.

nmap -p 80 --script http-brute --script-args 'http-brute.hostname=pentesteracademy,http-brute.method=POST,http-brute.path=/path/webapp/basicauth,userdb=/root/demo/users.txt,passdb=/root/demo/pass.txt' -n -v pentesteracademy

We are checking port 80; the hostname should be the site for which you are bypassing authentication. The method and path should be confirmed by viewing the source of the login page. The complete paths to users.txt and pass.txt must be given. -n disables DNS resolution and -v enables verbose mode. Finally, the target site name is written at the end.
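A defender’s view of the two passages above (the Basic challenge/response and the http-brute run), as an added Python example that is not from the original post: decode_basic_header shows that the Authorization value is only base64, and find_bruteforce runs over constructed access-log lines (assumed combined-log format, not taken from the post) to flag a client that piles up 401 responses against one path and then gets a 200, which is the trace a brute force like the one above leaves on the server.

```python
import base64
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the original post): one client
# failing repeatedly on the protected path before succeeding, one normal client.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2020:10:00:01 +0000] "GET /path/webapp/basicauth HTTP/1.1" 401 0
10.0.0.5 - - [20/May/2020:10:00:01 +0000] "GET /path/webapp/basicauth HTTP/1.1" 401 0
10.0.0.5 - - [20/May/2020:10:00:02 +0000] "GET /path/webapp/basicauth HTTP/1.1" 401 0
10.0.0.5 - - [20/May/2020:10:00:02 +0000] "GET /path/webapp/basicauth HTTP/1.1" 401 0
10.0.0.5 - - [20/May/2020:10:00:03 +0000] "GET /path/webapp/basicauth HTTP/1.1" 401 0
10.0.0.5 - - [20/May/2020:10:00:03 +0000] "GET /path/webapp/basicauth HTTP/1.1" 200 512
192.168.1.20 - - [20/May/2020:10:00:04 +0000] "GET /path/webapp/basicauth HTTP/1.1" 200 512
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_basic_header(header_value):
    """Turn an 'Authorization: Basic <token>' value back into (username, password).

    Base64 is an encoding, not encryption: whoever can read the header (on the
    wire without TLS, in a proxy log, in a capture) reads the credentials.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, _, password = decoded.partition(":")  # RFC 7617: user-id ":" password
    return user, password


def find_bruteforce(log_text, threshold=5):
    """Map (ip, path) -> (failed_attempts, succeeded_afterwards) for every client
    whose 401 count on a single path reached `threshold`. A 200 arriving after
    the threshold is the signature of a guess that finally worked."""
    failures = defaultdict(int)
    succeeded = defaultdict(bool)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        key = (m["ip"], m["path"])
        if m["status"] == "401":
            failures[key] += 1
        elif m["status"] == "200" and failures[key] >= threshold:
            succeeded[key] = True
    return {k: (n, succeeded[k]) for k, n in failures.items() if n >= threshold}
```

In production the same counting is done per client within a time window, and a hit should trigger rate limiting or lockout on the realm rather than just a report.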

Bypass HTTP Basic Authentication with Metasploit

Metasploit helps in finding security issues, verifying vulnerability mitigations and managing security assessments.

Follow the commands shown in the screenshots.

After the run command, within a few minutes you will get the same password, “aaddd”.


About Kamran Mohsin

Kamran Mohsin is a Certified Ethical Hacker, currently working as a Penetration Tester at a private company in Pakistan. He is also pursuing a Master’s in Information Security. He worked in web development (front end and back end) in recent years. Over time he took an interest in hacking and has been writing blogs on information security since late 2015.
