Username enumeration via account lock

Lab Description

Walkthrough

Step 1: Understanding the Logic Flaw

The lab description mentions a logic flaw in account locking. Upon initial testing:

Using a wrong username results in the error: "Invalid username or password."
After repeated attempts with an invalid username, the account does not get locked, suggesting account lockouts apply only to valid usernames.

This is an indication that we can use account lockouts as a mechanism to enumerate valid usernames.

The account lockout mechanism is usually triggered after multiple failed login attempts. However, we hypothesized that this logic might only apply to valid usernames and not invalid ones.

Step 2: Testing with Null Payloads To test this:

Burp Suite Intruder Configuration:
- Payload Set: Used the Null Payload option, which generates a specific number of empty payloads (in this case, 50).
- This allowed us to send 50 login attempts with the same invalid username.
Invalid Username Input:
- We used an arbitrary (allegedly invalid) username and any random password.
- The payload repeatedly sent requests with this invalid username.

Step 3: Observing Results After 50 repeated requests:

The error message remained the same: "Invalid username or password."
Importantly, no lockout message was displayed, and the system did not mention being locked out due to too many attempts.

Step 4: Enumerating Usernames To identify valid usernames:

Configure Burp Suite Intruder.
- Payload Set 1: Load the Candidate Usernames list.
- Payload Set 2: Use Null Payloads (repeating each username multiple times).
Use the Cluster Bomb attack type to test each username 10 times with an invalid password.

Why repeat attempts?

A valid username will trigger an account lockout after multiple failed login attempts.
Invalid usernames will not trigger any lockout, and the response will stay consistent.

This will make burp send each username 10 times with the wrong password to trigger the lockout

Step 5: Analyzing Results

Use Burp Suite's Grep - Extract feature to highlight responses.
- Filter for differences in the error message or response length.

A valid username will display an account lockout message instead of "Invalid username or password.

Step 6: Brute-Forcing the Password With the valid username identified:

Modify the Intruder attack to focus on brute-forcing the password.
- Use Payload Set 1: Fixed username (valid).
- Use Payload Set 2: Candidate passwords.

Step 7: Observing Response Anomalies While brute-forcing:

Notice a response length differs slightly, inspect the request.
A shorter response or the absence of an error message often indicates a successful login.

Step 8: Accessing the Account

Using the identified password, log in with the valid username and confirm access to the account page.

PreviousBroken Brute-Force Protection, IP Block Next2FA broken logic

Last updated 1 year ago

hashtagLab Description

hashtagWalkthrough

hashtagStep 1: Understanding the Logic Flaw

hashtagStep 2: Testing with Null Payloads To test this:

hashtagStep 3: Observing Results After 50 repeated requests:

hashtagStep 4: Enumerating Usernames To identify valid usernames:

hashtagStep 5: Analyzing Results

hashtagStep 6: Brute-Forcing the Password With the valid username identified:

hashtagStep 7: Observing Response Anomalies While brute-forcing:

hashtagStep 8: Accessing the Account