Username Enumeration with Burp Suite Intruder

Wednesday, July 31, 2013

Burp Suite is an excellent tool used for web application security. There are a couple of tools bundled within Burp (e.g. Spider, Scanner, Intruder, Repeater and more), but in this post we will be focusing on how to use Burp Intruder to enumerate usernames on a website.

What we need:


Prerequisites:
  • Burp Suite must be installed and configured to work with the browser proxy. I use the chrome extension Proxy SwitchySharp (thanks Alton) to quickly switch between direct connection and the proxy versus having to go into the browser proxy settings every time.
Please remember, this is solely for educational purposes. This example was performed on a virtual web lab used to practice web app security.

1. Find the web page that processes usernames. Start burp with intercept on under the Proxy tab and enter a username to check for validation. The screenshot below shows username 'jamesbond' being validated (i.e. the website checks to ensure the username is not being used).


2. Since Intercept is on Burp Suite will intercept the request and display it within the Proxy tab as shown below.


3. Right Click > Send to Intruder


4. Now within Intruder there are many different attack types, however for this example the Sniper attack will work just fine. Ensure there are no extra fields other then the username parameter is being highlighted under the Positions tab. The screenshot below shows the 'Cookie' value being highlighted. Simply click on the Clear button while highlighting the value to clear the value.




5.  Click on the Payload tab within Intruder. This is where we define our payload type and options. The payload type will be left at the default value of 'simple list' whilst the payload options will be modified.

The payload options should be clear at this point. There are two methods here, one may enter one item (username in this case) at a time or populate the list by loading a text file containing usernames.




6. Almost done! Intruder also contains an option tab with a 'Grep - Match' options. We can sort the results of the enumeration attack.

If we take a look at the source code for the application, we can see that the application returns a '1' if a username is not in use. With this knowledge we can now insert some values into the Grep options within Intruder.


We add a 0 and 1 into the 'Grep-Match' options similar to the way we added usernames into the payload options above. Remember 1 is returned if the username is not taken, 0 will be returned if the username is valid and currently in use (what we want to find).


7. At the top of the Burp Suite application click on Intruder > Start attack. Sit back and watch the Brute Force attack in action.


Success! Burp Suite found two usernames from our provided list (afrid and david) as valid usernames.