# Broken brute-force protection, IP block

In this lab we are given credentials for one account (wiener:peter) and told that the account we need to access has the username "carlos".

Testing the login mechanism, we can see that after 4 failed login attempts our IP gets blocked.

![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-MEdlxtLtdAnb9EZtJLs%2F-MEhgRN99rHAuECR0MiH%2Fimage.png?alt=media\&token=93b21afe-ff88-4237-834b-86b72cd31d22)

But once we log in with our valid credentials, we circumvent this block and log in successfully.

So to bypass this IP-block brute-force protection, we need to make a valid login between every iteration of the brute-force attack. To do that, our usernames wordlist (we want access to the "carlos" account) should look like this:

carlos\
wiener\
carlos\
wiener\
carlos\
wiener\
etc ...

And our password list should look like this:

pass\
peter\
pass\
peter\
pass\
peter\
etc ...

Since it is too troublesome to do that one word at a time, we can script the creation of the wordlists with Python.

![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-MEhvM-tP_s6fDw3fM6r%2F-MEhwQ7HkZQq8Z-8P2e-%2Fimage.png?alt=media\&token=42bf2b4a-dced-4102-b5e1-56e65d58fd8d)

Using this script we can get our usernames wordlist (names.txt).

![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-MEdlxtLtdAnb9EZtJLs%2F-MEhiMmK7QEt2daDxeG5%2Fimage.png?alt=media\&token=80cfb4c1-87aa-4a98-b04c-013628d50d89)

And we can script the password list the same way.

![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-MEdlxtLtdAnb9EZtJLs%2F-MEhibHCA8p3NJ3FFzaj%2Fimage.png?alt=media\&token=d39f5f3c-d623-4a92-8b41-4af79e9e215c)

![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-MEdlxtLtdAnb9EZtJLs%2F-MEhimjdEftcOHYbHvmN%2Fimage.png?alt=media\&token=e99d3c69-bde8-46a4-b1f5-bbe25f59d29f)

{% hint style="success" %}
Things to keep in mind while creating the wordlists:\
\
1\. There are 100 passwords to try, meaning we need the username "carlos" 100 times in the usernames list.\
2\. When brute-forcing, we need to make sure that the username "wiener" always lines up with the password "peter", so that the valid login resets the IP block.
{% endhint %}

We can now set up the brute-force attack in Burp Suite. To attack this login functionality we use the "Pitchfork" attack type, with the "names.txt" wordlist as payload 1 (the username) and the "newpasswords.txt" wordlist as payload 2 (the password).

![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-MEdlxtLtdAnb9EZtJLs%2F-MEhkcZtKF9wZZPiU-lT%2Fimage.png?alt=media\&token=c2179449-fa87-4747-bd2c-254ea31f8087)

![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-MEdlxtLtdAnb9EZtJLs%2F-MEhkrlXAyPBIn4qnZfc%2Fimage.png?alt=media\&token=c9d6fd03-62ea-4191-9523-f8c218e6871d)

![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-MEdlxtLtdAnb9EZtJLs%2F-MEhkwUPTk90FRSs3_-_%2Fimage.png?alt=media\&token=cfa64d8e-9b6c-4192-bfbe-2916b39d011d)

We can then start the attack and wait for a "302" response on one of the requests for the username "carlos"; that request carries the correct password.

![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-MEdlxtLtdAnb9EZtJLs%2F-MEhtQbFasVKp6uncKmU%2Fimage.png?alt=media\&token=3f1441b1-03ce-4bdf-8c38-60f6f6d1d783)

Finding the password allows us to log in as the user "carlos" and finish the lab.

![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-MEdlxtLtdAnb9EZtJLs%2F-MEhtdzpPvEleGF-ipg5%2Fimage.png?alt=media\&token=937c55af-c834-4c16-a5d5-f3ad500873ed)
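To see why the interleaving works and what closes the hole, here is an added Python model (not part of the lab or this write-up) of a per-IP lockout that is reset by any successful login, next to a hardened version that counts failures per target account instead. The account names and the threshold of 4 come from the lab; the IP address, the carlos password and all class and function names are constructed for this example.

```python
from collections import defaultdict

# Constructed demo store: wiener:peter is the lab's known account; the carlos
# password is a placeholder chosen for this example, not the lab's real one.
USERS = {"wiener": "peter", "carlos": "CONSTRUCTED_SECRET"}
MAX_FAILURES = 4  # the lab blocks the IP after 4 failed attempts

class VulnerableLogin:
    """Models the lab: one failure counter per IP, cleared by ANY successful login."""
    def __init__(self):
        self.ip_failures = defaultdict(int)

    def login(self, ip, username, password):
        if self.ip_failures[ip] >= MAX_FAILURES:
            return "blocked"
        if USERS.get(username) == password:
            self.ip_failures[ip] = 0  # the flaw: wiener's success erases the carlos failures
            return "ok"
        self.ip_failures[ip] += 1
        return "fail"

class HardenedLogin:
    """Failures counted per target account; a success clears only that account's own counter."""
    def __init__(self):
        self.account_failures = defaultdict(int)

    def login(self, ip, username, password):
        if self.account_failures[username] >= MAX_FAILURES:
            return "blocked"
        if USERS.get(username) == password:
            self.account_failures[username] = 0  # wiener logging in no longer helps guesses at carlos
            return "ok"
        self.account_failures[username] += 1
        return "fail"

def guess_carlos(service, guesses, interleave, ip="10.0.0.1"):
    """Submit guesses for carlos, optionally followed by a wiener:peter login each time
    (the write-up's pattern). Returns how many guesses were checked before a block or a hit."""
    checked = 0
    for guess in guesses:
        result = service.login(ip, "carlos", guess)
        if result == "blocked":
            break
        checked += 1
        if result == "ok":
            break
        if interleave:
            service.login(ip, "wiener", "peter")
    return checked
```

Against the vulnerable service the interleaved run checks every guess, while the hardened service stops it at 4 regardless of how many wiener logins are mixed in. Per-account lockout does let an attacker lock the target user out on purpose, so real deployments pair it with a time-based expiry rather than a permanent block.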
