In this third part of the Burp Suite series, you will learn how to actually collect proxied traffic with Burp Suite and use it to launch an actual brute force attack. It will run somewhat parallel to our guide on Testing WordPress Logins with Hydra. In this case, though, you will use Burp Suite to gather information on WordPress.
The purpose of this guide is to illustrate how the information gathered by Burp Suite’s proxy can be used to conduct a penetration test. Do not use this on any machines or networks that you do not own.
For this guide, you will also need Hydra installed. This guide won’t go into depth on how to use Hydra; you can check out our Hydra SSH guide for that. Kali Linux already has Hydra installed by default, so if you’re using Kali, don’t worry. Otherwise, Hydra should be in your distro’s repositories.
A Failed Login
Before you start, make sure that Burp is still proxying traffic to your local WordPress site. You’re going to need to capture some more traffic. This time, you’re going to focus on the login process. Burp will gather all of the information that you need to be able to launch a brute force attack on the WordPress install to test the strength of user login information.
Browse to http://localhost/wp-login.php. Take a look at that request and the response generated. There really shouldn’t be anything too exciting there just yet. You can clearly see the HTML of the login page in the response. Find the form tags. Make note of the name attributes of the input fields on that form. Also, notice the cookie that must be submitted along with that form.
It’s time to collect some really useful info. Enter a login and password that you know are going to cause the login to fail and submit. Check out the parameters that were submitted with the request. You can clearly see the login information that you submitted alongside the names of the input fields that you saw in the page source. You can also see the name of the submit button and the cookie that gets sent along with the form.
A Successful Login
With the information about a failed login logged in Burp Suite, you can now see what a successful login looks like. You can probably guess what the request is going to look like, but the response is going to be somewhat surprising. Go ahead and submit correct login information to the form.
The successful submission will generate several new requests, so you’re going to have to look back to find the failed request. The request that you need should be directly after it. Once you have it, take a look at its parameters. They should look very similar but have the correct credentials entered.
Now, take a look at the response from the server. There’s no HTML there. The server redirects in response to a successful form submission. The headers are going to serve as the best source of information, then, for testing for successful logins. Take note of what information is there. Go back and look at the unsuccessful login. Do you notice anything that was there for the successful one and not the unsuccessful login? The Location header is a pretty good indicator. WordPress doesn’t redirect for failed requests. The redirect can then serve as a test condition.
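The same redirect-versus-form-page difference that makes the Location header a usable success condition also makes a brute force run stand out on the defending side: in the web server’s access log a failed login is a POST to /wp-login.php answered with 200, and a successful one is answered with 302. The script below is an added example, not code from the original guide; it parses constructed combined-format log lines, counts failed login POSTs per source address inside a time window, and flags a burst plus any redirect that follows it. The window and threshold values are assumptions chosen for the example.

```python
"""Flag password-guessing bursts against wp-login.php in a combined-format
access log.

A failed WordPress login re-serves the login page (status 200); a successful
one redirects (status 302, with a Location header).  Counting 200 responses
to POST /wp-login.php per source address, and watching for a 302 that follows
a burst of them, gives a simple brute-force detector.

The log lines at the bottom are constructed for this example, not captured.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Detection tuning: assumptions for this example, not values from the guide.
WINDOW = timedelta(seconds=60)   # look-back window per source address
THRESHOLD = 5                    # failed POSTs in the window before flagging


def parse_line(line):
    """Return (ip, datetime, method, path, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Scan log lines in order and return (ip, kind, timestamp) findings.

    kind is "burst" the first time an address reaches `threshold` failed
    login POSTs inside `window`, and "success_after_burst" when a redirect
    (302) arrives while that address is still at or over the threshold.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent 200 responses
    flagged = set()                 # ips already reported for a burst
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        recent = failures[ip]
        # Drop attempts that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if status == 200:           # login form re-served: a failed attempt
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append((ip, "burst", ts))
        elif status == 302:         # redirect: WordPress accepted the credentials
            if len(recent) >= threshold:
                findings.append((ip, "success_after_burst", ts))
    return findings


# Constructed sample: one address hammering the form, then a normal user login.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2740 "-" "curl/8.0"',
] + [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{31 + i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 2740 "-" "curl/8.0"'
    for i in range(6)
] + [
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, kind, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip} {kind}")
```

Run against the sample, the detector reports a burst from 203.0.113.7 at the fifth failed POST and a success_after_burst for the 302 that follows; the lone 302 from 198.51.100.4 is an ordinary login and is left alone. Real logs will also contain XML-RPC and REST-API authentication paths, which this example deliberately ignores.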
Using The Information
You’re ready to use Hydra to test out the strength of your WordPress passwords. Before you start up Hydra, make sure that you have a wordlist or two for Hydra to test usernames and passwords against.
Below is the command that you can use to test out your passwords. Take a look at it first, and the breakdown is after it.
$ hydra -L lists/usrname.txt -P lists/pass.txt localhost -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
The -L and -P flags specify the username and password wordlists for Hydra to test with. -V just tells it to output the results of every test into the console. Obviously, localhost is the target. Hydra should then load the http-form-post module for testing a form with a POST request. Remember, that was in the form submission request too.
The last part is a long string that tells Hydra what to pass into the form. Each section of the string is separated out with a colon. /wp-login.php is the page that Hydra will test. log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1 is the collection of fields that Hydra should interact with, separated by &. Notice that this string uses the field names from the params. ^USER^ and ^PASS^ are variables that Hydra will populate from the wordlists. The last piece, S=Location, is the test condition. It tells Hydra to look for the word “Location” in the responses that it receives to see if a login was successful.
Hopefully, when Hydra completes its test, you won’t see any successful logins. Otherwise, you’re going to need to rethink your password.
You’ve now successfully used Burp Suite as an information gathering tool to conduct a real test of your locally hosted WordPress installation. You can clearly see how easy it is to extract valuable information from the requests and responses collected through the Burp Suite proxy.
The next and final guide in the series will cover many of the other tools available in Burp Suite. They all revolve around the proxy, so you already have a solid foundation. These tools may just make some tasks easier.