Multiple Ways to Exploiting HTTP Authentication

In this article, we will learn about how to configure the password-protected Apache Web Server
to restrict from online visitors without validation so that we can hide some essential and critical
information to the unauthenticated users and how to penetrate it’s the weak configuration to
break its security and exploit it.
Table of Content
Introduction to HTTP Basic Authentication
▪ Lab Set_up Requirement
Setup Password Authentication
▪ Installing the Apache utility Package
▪ Creating the Password File
▪ Configuring Access Control inside the Virtual Host Definition
▪ Configuring Access Control with .htaccess Files
▪ Confirm the Password Authentication
Exploiting HTTP Authentication
▪ xHydra
▪ Hydra
▪ Ncrack
▪ Medusa
▪ Metasploit
▪ Burp Suite
Introduction to HTTP Basic Authentication
In the context of an HTTP transaction, basic access authentication is a method for an HTTP user
agent to provide a username and password when requesting.
HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access
controls to web resources because it doesn’t require cookies, session identifiers, or login pages;
rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need
for handshakes.
The BA mechanism provides no confidentiality protection for the transmitted credentials. They
are merely encoded with Base64 in transit, but not encrypted or hashed in any way. HTTPS is,
therefore, typically preferred used in conjunction with Basic Authentication.
For more details read from wikipedia.org

www.hackingarticles.in 1 www.ignitetechnologies.in
Lab Setup Requirement
Apache Server (Ubuntu 14.04)
Penetration Testing Machine (Kali Linux)
Set Up Password Authentication
Installing the Apache utility Package
Let’s start with the following command to install an Apache2 utility package called ‘htpasswd’.
The htpasswd is used to create and update the flat-files used to store usernames and password
for basic authentication of HTTP users.

sudo apt-get install apache2 apache2-utils

Creating the Password File

Now use the htpasswd command to create a password file that Apache will use to authenticate
users and use a hidden file “.htpasswd” in our /etc/apache2 configuration directory to store
password.
sudo htpasswd -c /etc/apache2/.htpasswd raj
cat /etc/apache2/.htpasswd

Configuring Access Control inside the Virtual Host Definition

Now save the following configuration in 000-default.conf file.

gedit /etc/apache2/sites-enabled/000-default.conf

www.hackingarticles.in 2 www.ignitetechnologies.in
<Directory "/var/www/html">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>

Configuring Access Control with .htaccess Files

Open the main Apache configuration file to enable password protection using .htaccess files and
add the following line as highlighted.

sudo gedit /etc/apache2/apache2.conf

ServerName localhost

www.hackingarticles.in 3 www.ignitetechnologies.in
Enable .htaccess processing by changing the AllowOverride directive “None” to “All” in the block
for the /var/www directory and then save the file and restart the apache service.

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

www.hackingarticles.in 4 www.ignitetechnologies.in
Next, you need to add an htaccess file to the directory you wish to restrict. Here, I want to restrict
the entire website which is could be through /var/www/html, but you can place this file in any
directory where you wish to restrict access:

AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

sudo service apache2 restart

While configuring .htaccess file we had added few options for the block directory. Let’s see what
this configuration denotes.
AuthType Basic: This will set up a basic authentication for our site.
AuthName “Restricted Contents”: This will show the name of the authentication at the prompt.
AuthUserFile /etc/apache2/.htpasswd : This will show the location of the authentication file.
Require Valid-user: This will be used by one user who has confirmed their authentication who
are permitted to access the website.

www.hackingarticles.in 5 www.ignitetechnologies.in
Confirm the Password Authentication
Try to access your restricted content in a web browser to confirm that your content is protected.
I will be accessible with a username and password prompt that looks like this:

If you will try to access the website without authentication or canceled the Required
Authentication page then it will displace 401 error Unauthorized Access.

www.hackingarticles.in 6 www.ignitetechnologies.in
If you are valid users and try to access password protected website by using the valid credential,
for example, we had created an account with raj: 123 to access apache HTTP service.

As you can observe that, now we are able to access the content of the website.

www.hackingarticles.in 7 www.ignitetechnologies.in
Exploiting HTTP Authentication
xHydra
This is the graphical version to apply dictionary attack via FTP port to hack a system. For this
method to work:
Open xHydra in your Kali. And select Single Target option and there give the IP of your victim PC.
And select HTTP in the box against Protocol option and give the port number 80 against the port
option.

www.hackingarticles.in 8 www.ignitetechnologies.in
Now, go to Passwords tab and select Username List and give the path of your text file, which
contains usernames, in the box adjacent to it.
Then select Password List and give the path of your text file, which contains all the passwords, in
the box adjacent to it.

www.hackingarticles.in 9 www.ignitetechnologies.in
After doing this, go to the Start tab and click on the Start button on the left.
Now, the process of dictionary attack will start. Thus, you will obtain the username and password
of your victim.

www.hackingarticles.in 10 www.ignitetechnologies.in
Hydra
Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50
protocols, including telnet, FTP, HTTP, https, SMB, several databases, and much more
Now, we need to choose wordlist. As with any dictionary attack, the wordlist is key. Kali has
numerous wordlists built right in.
Run the following command

hydra -L user.txt -P pass.txt 192.168.0.105 http-get

-L: denotes the path for username list
-P: denotes the path for the password list
Once the commands are executed it will start applying the dictionary attack and so you will have
the right username and password in no time. As you can observe that we had successfully
grabbed the HTTP username as raj and password as 123.

Ncrack
Ncrack is a high-speed network authentication cracking tool. It was built to help companies
secure their networks by proactively testing all their hosts and networking devices for poor
passwords.
Run the following command

ncrack -U user.txt -P pass.txt http://192.168.0.105

Here
-U: denotes the path for username list
-P: denotes the path for the password list
As you can observe that we had successfully grabbed the HTTP username as raj and password as
123.

www.hackingarticles.in 11 www.ignitetechnologies.in
Medusa
Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports
many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few
Run the following command

medusa -h 192.168.0.105 -U user.txt -P pass.txt -M http -f

Here
-U: denotes the path for username list
-P: denotes the path for the password list
As you can observe that we had successfully grabbed the HTTP username as raj and password as
123.

Metasploit
This module attempts to authenticate to an HTTP service. Open Kali terminal
type msfconsole and then type:

use auxiliary/scanner/http/http_login
msf auxiliary(scanner/http/http_login) > set user_file user.txt
msf auxiliary(scanner/http/http_login) > set pass_file pass.txt
msf auxiliary(scanner/http/http_login) > set rhosts 192.168.0.105

www.hackingarticles.in 12 www.ignitetechnologies.in
msf auxiliary(scanner/http/http_login) > set stop_on_success true
msf auxiliary(scanner/http/http_login) > exploit

www.hackingarticles.in 13 www.ignitetechnologies.in
Burp Suite
Now here I had just typed the random value for authentication in order to fetch the request
through Burp Suite. So before you sent the request to server turn on the burp suite and select
proxy tab then, click on the intercept is on after then send the user authentication by clicking ok

Thus the sent request is captured by burp suite which you can see in the given below image. In
the screenshot, I had highlighted some value in the last line. Here it says the type of
authentication provided is basic and if you have read above theory of basic authentication I had
described that it is encoded in base64.
Now time to generate the encoded value for authentication inside the burp
suite. Click on action tab select send to intruder for HTTP Fuzzing attack.

Now open intruder frame and click on the position. Configure the position where payload will be
inserted into the request. The attack type determines the way in which the payload is assigned
to the payload position. Now select “the encoded value of authentication” for payload position
and click to ADD button on the left side of the frame.

www.hackingarticles.in 14 www.ignitetechnologies.in
The base64 encoded value of Authentication is a combination of username and password now
the scenario is to generate the same encoded value of authentication with the help of user
password dictionary, Therefore, I have made a dictionary which contains both user password
names in a text file.
In order to use the dictionary as payload click on payload tab under intruder; now load your
dictionary which contains user password names from payload options.

www.hackingarticles.in 15 www.ignitetechnologies.in
But we want to send a request in the encoded value of our payload. To encode your payload click
on ADD button available under payload processing.
A new dialog box will generate to select the rule to choose an encode option from the list; now
select base64 from drag down the list of URL encode key character for payload processing.

This will start a brute force attack and try to match string for user authentication. In the
screenshot, you can observe the status “200 OK” and length “11788” of the highlighted value is
different from the rest of the values. This means we can use this encoded value to bypass the
user authentication, which occurs from request number 5. Now check the username and
password on the 5th line in the dictionary. In the dictionary I found raj: 123 have matching
authentication.
Or you can also use this encoded Auth value to bypass the Apache HTTP authentication page via
burp suite intercepted data.

Copy the above auth value and paste replace it with intercepted authorization a shown in below
and forward the request to access restricted content.

www.hackingarticles.in 16 www.ignitetechnologies.in
Booom!!! Here we have successfully access the content of the website.

Hope you people have enjoyed this article and learned how weak configuration security can
easily breach and the unauthorized person can access the restrict content of your website.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information
Security Consultant Social Media Lover and Gadgets. Contact here

www.hackingarticles.in 17 www.ignitetechnologies.in