Burp Suite User Forum


Lab: Username enumeration via account lock

Gurpreet | Last updated: Jun 09, 2020 11:30PM UTC

I am trying this lab with 1 to 5 on payload 1. I set the invalid password 20 letters long to get the response time, but my session keeps getting expired when I reach around the 400th attack out of 500 in total. The page response becomes 404. Is there a possibility that I break the username list in half and do the attack twice? Or am I missing anything? Also, how about a real-world session: how can we retain it while doing a test like this?

Michelle, PortSwigger Agent | Last updated: Jun 10, 2020 11:47AM UTC

How long has your session been running when this happens? If you refresh browser pages within the lab itself whilst the attack is running, does this change the behavior?

Gurpreet | Last updated: Jun 10, 2020 01:30PM UTC

No, it does not change. I can refresh the page, but it does not change the behavior. The session usually runs for 20 minutes or so.

Michelle, PortSwigger Agent | Last updated: Jun 11, 2020 09:17AM UTC

Your idea of splitting the list of usernames and running multiple Intruder attacks is probably the best way of approaching this then. You can keep all the Intruder windows open so it's easier to compare them once you have run through the full list.

s0mbr4 | Last updated: Jun 12, 2020 11:22AM UTC

Hi! I am also having trouble with this lab, I have divided the list of usernames to prevent a session timeout and this is working well. However, for every username I get a 2977 length response with no variation. I'm following the solution accurately as far as I can tell. Is there an alternative way to tackle this?

Michelle, PortSwigger Agent | Last updated: Jun 12, 2020 01:46PM UTC

Could you tell us a bit more about how you set up the attack, please? If you split the list across two attacks you should find that some responses in one of the attacks show a length of 3029. If it's easiest to send screenshots to explain the steps you are taking, you can always email them to us at support@portswigger.net.

Gurpreet | Last updated: Jun 12, 2020 08:47PM UTC

Hello again. Same here. I tried it many ways but the response is the same. I checked the responses manually for every username but found nothing for a locked account. Everything is "incorrect username and password". I will send you screenshots by email as well.

Michelle, PortSwigger Agent | Last updated: Jun 15, 2020 07:59AM UTC

Thanks, we'll have a look through the screenshots you sent us and reply to your email.

Gurpreet | Last updated: Jun 16, 2020 06:36AM UTC

I got this solved using Turbo Intruder with a little modification to the Python code.

s0mbr4 | Last updated: Jun 18, 2020 04:00PM UTC

Thank you Gurpreet, this also worked for me!

thanseer | Last updated: Jun 23, 2020 05:42AM UTC

I am trying this lab with payload 1 as the username list and payload 2 as 1 to 5 to get the response time, but my session keeps getting expired when I reach around the 400th attack out of 500 in total. The page response becomes 404.

Michelle, PortSwigger Agent | Last updated: Jun 23, 2020 07:47AM UTC

You could try either splitting the username list into two lists or using Turbo Intruder.

thanseer | Last updated: Jun 23, 2020 08:24AM UTC

I have divided the list of usernames to prevent a session timeout and this is working well. However, for every username I get a 2977 length response with no variation. I don't know how to use Turbo Intruder for this lab.

Michelle, PortSwigger Agent | Last updated: Jun 23, 2020 02:14PM UTC

Some users have had some success with dividing the list of users, so it may be worth trying that again. Were you using the same request as the base for each attack? If you are using Professional you could also increase the number of threads used for the Intruder attack, although this option is not available in the Community version. If you do need to use Turbo Intruder then you can find some documentation and background on it here: https://portswigger.net/bappstore/9abaa233088242e8be252cd4ff534988 and https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack

b | Last updated: Sep 01, 2020 05:48PM UTC

For those also having problems, I think the issue is that the account has to fail 4 times in quick succession which won't happen with the community version of BS. I was even running three instances and it wasn't helping - the problem is that it has to fail that 4th time quickly. So if you run four at a time, whichever one you start last will finally hit the new message and the new content length. I personally feel like the throttling is a bit much on the community version, or that there should at least be an exemption for the web-security-academy.net domain.
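A defender-side model of the behaviour "b" describes, added here as an example and not taken from the lab or any poster's code: a lockout that only applies to real accounts and switches to a different message after four rapid failures leaks account existence through the response length, while a hardened variant that tracks every submitted name and answers uniformly does not. Usernames, passwords, messages and the 60-second window are constructed placeholders.

```python
import time
from dataclasses import dataclass, field

# Constructed sample user store; names and passwords are placeholders, not lab data.
USERS = {"carlos": "carlos-pw-placeholder", "wiener": "wiener-pw-placeholder"}
LOCK_THRESHOLD = 4    # rapid failures before lockout, as reported in the thread
LOCK_WINDOW = 60.0    # seconds; assumed value, not taken from the lab


@dataclass
class LoginService:
    hardened: bool                  # False: lab-style leaky lockout, True: uniform behaviour
    failures: dict = field(default_factory=dict)      # username -> recent failure timestamps
    locked_until: dict = field(default_factory=dict)  # username -> lock expiry time

    def login(self, username, password, now=None):
        """Return (status, body). `now` is injectable so tests need no real delays."""
        now = time.monotonic() if now is None else now
        if self.locked_until.get(username, 0.0) > now:
            return self._deny(locked=True)
        if USERS.get(username) == password:
            self.failures.pop(username, None)
            return (200, "Login successful")
        # Leaky variant only tracks failures for accounts that exist, so the lockout
        # state itself reveals existence. Hardened variant tracks every submitted name.
        if username in USERS or self.hardened:
            recent = [t for t in self.failures.get(username, []) if now - t < LOCK_WINDOW]
            recent.append(now)
            self.failures[username] = recent
            if len(recent) >= LOCK_THRESHOLD:
                self.locked_until[username] = now + LOCK_WINDOW
                return self._deny(locked=True)
        return self._deny(locked=False)

    def _deny(self, locked):
        if locked and not self.hardened:
            # A distinct message means a distinct Content-Length, which is the
            # signal the Intruder users above compare (2977 vs 3029 bytes).
            return (200, "Too many failed attempts; account temporarily locked")
        return (200, "Invalid username or password")


def lockout_leaks_existence(service, real="carlos", bogus="no-such-user-placeholder"):
    """Defender check: after LOCK_THRESHOLD rapid failures, does a real account answer
    differently from a non-existent one? True means the lockout leaks existence."""
    t0 = 1000.0
    for i in range(LOCK_THRESHOLD):
        r_real = service.login(real, "wrong-password", now=t0 + i)
        r_bogus = service.login(bogus, "wrong-password", now=t0 + i)
    return r_real != r_bogus
```

Run the check against both variants: the leaky service returns True, the hardened one False, which is the property a login endpoint should be tested for before relying on lockout as a control.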

Vinton | Last updated: Feb 27, 2021 05:07AM UTC

Running 4 simple list attacks simultaneously worked for me in locking the user. Thanks.

Duncan | Last updated: Apr 21, 2021 04:35AM UTC

Same here. Running 4 simple attacks simultaneously worked for me - I'm using the Community version of BS. Thanks.

Keenan | Last updated: Jun 29, 2021 05:20AM UTC

Yep, the solution is to run 4 separate attacks. I ran a 5th just to confirm that the 4th one was correct, and it was. Thanks for the hint, "b".
