Hunter

Challenge Lab (Easy) - by Tyler Ramsbey

Challenge Lab: Hunter (Easy)www.hacksmarter.org

The following post by 0xb0b is licensed under CC BY 4.0

---

Scenario

Objective / Scope

You are an operator for the Hack Smarter Red Team, currently conducting a black-box assessment on a client's external login portal. As part of the initial reconnaissance phase, our OSINT analysts have compiled a list of potential usernames.

You need to identify which one is a valid username for the web application.

Recon

We use rustscan -b 500 -a 10.1.216.45 -- -sC -sV -Pn to enumerate all TCP ports on the target machine, piping the discovered results into Nmap which runs default NSE scripts -sC, service and version detection -sV, and treats the host as online without ICMP echo -Pn.

A batch size of 500 trades speed for stability, the default 1500 balances both, while much larger sizes increase throughput but risk missed responses and instability.

rustscan -b 500 -a 10.1.216.45 -- -sC -sV -Pn

Like in the scope defined our target has a web server running on port 80.

Next, we run a Feroxbuster scan and detect a login and reset page.

feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u 'http://10.1.216.45'

We visit the login page and try to use arbitrary credentials, but we do not receive any response of success or failure to enumerate any users here.

http://10.1.216.45/login

We capture a login request using BurpSuite to identify the request made for later use in FFuF.

Next, we move on to the reset password page.

http://10.1.216.45/reset

Here too, we do not receive any response to enumerate a valid user.

We capture a reset request using BurpSuite to identify the request made for later use in FFuF.

Username Enumeration

Maybe we have missed something, and the response might differ with a valid user, but a wrong password. We try to log in with the usernames provided from the scenario and filter by the response size, but without success.

ffuf -w usernames.txt -u http://10.1.216.45/login -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=FUZZ&passowrd=asdf' -fw 453

We repeat that for the reset page, but again without success.

ffuf -w usernames.txt -u http://10.1.216.45/reset -X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'username:FUZZ' -fw 468

So what could we have overlooked? Well, when a reset is performed, it is possible that additional functions are triggered for a valid user, such as sending an email, which could lead to a delay. So we could inspect the duration the request required. With 301 usernames we could find it already in this reset attempts made using FFuF.

ffuf -w usernames.txt -u http://10.1.216.45/reset -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=FUZZ'

We filter for request that take longer than the usual 100 - 200ms. In this case more than 500ms and are. able to spot one request that took 1000ms for the valid user.

ffuf -w usernames.txt -u http://10.1.216.45/reset -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=FUZZ' -ft '<500'

Further Reading

A comprehensive guide on user enumeration on web applications can be found here:

User enumerations on web applicationsVAADATA - Ethical Hacking Services