Broken brute-force protection, IP block


Last updated 4 years ago


In this lab we are given credentials for an account (wiener:peter) and we are told that the account we need to get access to has the username "carlos".

Testing this login mechanism, we can see that after 4 failed login attempts our IP gets blocked.

But once we log in with our valid credentials, the block is lifted and we can log in successfully.

So to bypass this IP-block brute-force protection, we need to perform a valid login between every iteration of our brute-force attack. To do that, our usernames wordlist (we want to get access to the "carlos" account) should look like this:

carlos
wiener
carlos
wiener
carlos
wiener
etc.

And our password list should look like this:

pass
peter
pass
peter
pass
peter
etc.

Since it is too troublesome to do this one word at a time, we can script the creation of the wordlists with Python.

Using this script we can get our usernames wordlist (names.txt).

And we can also script the passwords list.

Things to keep in mind while creating the wordlists:

1. There are 100 passwords to attempt in the brute-force, meaning we need to have the username "carlos" 100 times in the usernames list.
2. When brute-forcing, we need to make sure that the username "wiener" always lines up with the password "peter", so that the valid login resets the IP block protection.
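To see why the interleaved lists defeat this protection, here is a small model of the flawed throttle beside a hardened one. This is example code written for this page, not the lab's backend or the author's wordlist scripts; the lab's real counter logic is unknown, so the reset-on-success behaviour is an assumption drawn from the observations above, and the user table, IP address and carlos's password are constructed placeholders.

```python
from collections import defaultdict

MAX_FAILURES = 4  # the lab blocks an IP after this many failed attempts

# Constructed credential store; carlos's real lab password is not known here.
USERS = {"wiener": "peter", "carlos": "CARLOS_PASSWORD_PLACEHOLDER"}


class IpThrottle:
    """Per-IP failed-login counter.

    reset_on_success=True models the weak behaviour observed in the lab: any
    successful login from the IP clears its failure count, so a valid
    wiener:peter login between guesses keeps the IP unblocked forever.
    reset_on_success=False keeps counting failures from the IP regardless of
    successes, so the same interleaved pattern is blocked after MAX_FAILURES.
    """

    def __init__(self, reset_on_success):
        self.reset_on_success = reset_on_success
        self.failures = defaultdict(int)

    def login(self, ip, username, password):
        """Return 'blocked', 'ok' or 'fail' for one login attempt."""
        if self.failures[ip] >= MAX_FAILURES:
            return "blocked"
        if USERS.get(username) == password:
            if self.reset_on_success:
                self.failures[ip] = 0  # the flaw: success wipes the counter
            return "ok"
        self.failures[ip] += 1
        return "fail"


def simulate_interleaved(throttle, guesses, ip="203.0.113.5"):
    """Replay the writeup's pattern: carlos:<guess>, wiener:peter, repeat.

    Returns (guesses actually evaluated, guesses rejected as 'blocked').
    """
    evaluated = blocked = 0
    for guess in guesses:
        if throttle.login(ip, "carlos", guess) == "blocked":
            blocked += 1
        else:
            evaluated += 1
        throttle.login(ip, "wiener", "peter")  # the valid login in between
    return evaluated, blocked


if __name__ == "__main__":
    wrong = [f"guess{i}" for i in range(100)]  # constructed, all incorrect
    print("weak:    ", simulate_interleaved(IpThrottle(True), wrong))
    print("hardened:", simulate_interleaved(IpThrottle(False), wrong))
```

With the weak throttle all 100 guesses are evaluated; with the hardened one only the first 4 get through and the rest are blocked, which is the behaviour the lab's protection should have had.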

We can now start the brute-force attack with Burp Suite. To attack this login functionality we will use the "Pitchfork" attack type, with the "names.txt" wordlist for the username as payload 1 and the "newpasswords.txt" wordlist for the password as payload 2.

We then start the attack and wait for a "302" response to appear on one of the passwords tried for the username "carlos".

Finding the password allows us to log in as the user "carlos" and finish the lab.