Brute Force
Using the valid_usernames.txt file I generated in the previous task, I can now attempt a brute force attack on the login page (http://10.10.13.84/customers/login). A brute force attack is an automated process that tries a list of commonly used passwords against either a single username or, as in this case, a list of usernames.
This ffuf command is a little different from the previous one. Previously I used the FUZZ keyword to mark where in the request the data from the wordlist would be inserted, but because I'm using multiple wordlists, I have to specify my own keywords. In this instance, I've chosen W1 for the list of valid usernames and W2 for the list of passwords I will try. The multiple wordlists are again specified with the -w argument, separated by a comma. For a positive match, I'm using the -fc argument to filter out responses with an HTTP status code of 200, so only responses with a different status code are shown.
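The same status-code discriminator works from the defender's side: a burst of POSTs to the login form from one client, answered with 200 (form re-rendered) and then a different code, is exactly what a username/password spray looks like in the web server's access log. The following is an added example, not code from the original write-up; it assumes Apache common log format, that a failed login returns 200 and a successful one answers with a 302 redirect, and it runs on constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common-log-format line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_login_bursts(lines, login_path="/customers/login", window_s=60, threshold=10):
    """Flag client IPs that POST to the login form at least `threshold` times within
    any `window_s` seconds. Assumed: 200 means the form was re-rendered (failed guess)
    and a 302 redirect is the success signal that ffuf's -fc 200 filter keys on."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            per_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # Slide the window's left edge so it covers at most window_s seconds.
            while (rec["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {"attempts": len(recs),
                              "success": any(r["status"] == 302 for r in recs)}
                break
    return alerts

def constructed_sample_log():
    """Constructed sample (not from the original page): 11 failed POSTs in 11 seconds
    from one client, a 12th that succeeds, and one benign GET from another host."""
    attacker = "192.0.2.10"  # documentation-range address, constructed
    lines = [f'{attacker} - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /customers/login HTTP/1.1" 200 1043'
             for s in range(11)]
    lines.append(f'{attacker} - - [10/Oct/2023:13:55:11 +0000] "POST /customers/login HTTP/1.1" 302 0')
    lines.append('198.51.100.7 - - [10/Oct/2023:13:55:05 +0000] "GET /customers/login HTTP/1.1" 200 1043')
    return lines
```

Running detect_login_bursts(constructed_sample_log()) reports the spraying client with 12 attempts and success set, which is the case worth paging on: a guessed password that actually worked.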