How to Attack Login Portals? Initial Access for Pentesters & Red Teamers

Mr Jokar
Published in System Weakness
7 min read · May 15, 2023

For any external pentest or red team operation, initial access to the network is the first big step: you need a way to let yourself in. There are several ways to do that, such as RCE, phishing campaigns, physical break-ins, etc. Today we’ll discuss one of the most frequently used methods: attacking a login portal (by finding or generating credentials) and logging into anything at all in the network.

📑 What’s our Plan?

So our plan is to target the login portals: company-specific login pages, admin dashboards, Roundcube mail login pages, Office365 login, and so on. To do that we first need a username and password list. After generating a list of potential credentials using various methods, we spray or stuff them. Depending on what kind of login portal we are attacking, the spraying or stuffing method differs. So let’s jump right into it.

Generate Credential List

To gather usernames and passwords, we will use various tools and sources, then put them all together to get a winning list. The sources are:

1. Breached Databases

Breached data from previous major hacks is a golden place to look for potential credentials. Assume you are on Twitter and Reddit with the same email and password, which is the case for most people. One day Reddit gets hacked and, along with yours, thousands of other username:password pairs leak onto the internet, first on the dark web and from there into the breached databases. Now I am a pentester conducting a pentest on Twitter: I search the breached databases, find your credentials, try them, and successfully log into your Twitter account because you never changed that password.

Exactly this method can get you a working pair of credentials from the breached databases all over the internet: one of the employees was compromised in some other data breach, and by leveraging that you gain the initial foothold.

To discuss the technical part of it, I will showcase multiple websites and tools that can be used to find breached information.

  • breach-parse by TCM: This tool is written by TheCyberMentor. Check out his YouTube channel; he has loads of awesome resources on both the technical and non-technical aspects of pentesting. The tool can be found in his GitHub repo. It comes with a breach database that you need to download, and it searches through that database for the domain you give it:
./breach-parse.sh <domain to search> <file to output> [breach data location]
  • dehashed.com: A wonderful website to search for emails, passwords, usernames and hashes from breached databases. It is significantly bigger than the 45GB database we downloaded for breach-parse, so there will be way more results this way.

2. Email Gathering

Some login portals require an email and password, so you can use these sources to collect emails for a particular company or domain.

  • hunter.io: This website is mainly for email hunting. The only problem is that it requires a business email to sign up. So either use a business email that you have or generate one using any of the legitimate methods from this post.
  • voilanorbert.com: Another website to gather emails. Just create an account using any business name and email you want. It lets you find 50 emails related to a company or domain, so you can get 50 emails from your target company.

3. Password Gathering

Now this is the tricky part. We should already have some passwords or hashes from the breached database search, but we want more. There are different ways to create a password list. For example:

  • Default Passwords: This is the easy win. Some services ship with a default password. For example, a Raspberry Pi has the default credential pi:raspberry. So whenever you encounter a known or popular application, google its default password and add it to your password list.
  • Password Guessing: This means logically guessing a user’s password. People tend to use very simple logic while creating a password so that they can remember it: the current season, their area, a pet’s name, a favorite team’s name. Usually a complexity rule is enforced, otherwise the password is rejected, and the rule is something like “use at least one number and one special character” or “use at least 6 characters”. So the passwords users end up with look like Summer23!, Dan1@, Harvard123#, etc. When guessing a password we need to include those variations.
  • Leaked Passwords: SecLists is a very popular collection of wordlists. It has an entire directory full of files containing leaked passwords from different companies and different data breaches. If your target is a tech company, its users may well have accounts on other tech platforms too, so take those platforms’ leaked passwords and add them to the list. Maybe one of the users was in that data breach and you’ll find the password here as well.
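The flip side of the guessing logic above is the policy check a defender can put in front of a registration or password-change form: the “one number and one special character” rule accepts Summer23! and Harvard123#, so the check has to look at the shape of the password, not just its character classes. The following is an added example, not code from the post; the season and organisation word lists are hypothetical and the “6 characters, one digit, one special” rule is the one quoted in the text.

```python
import re
from datetime import date
from typing import List, Optional

# Word lists for the example. SEASONS covers the "Summer23!" shape described above;
# CONTEXT_WORDS is a hypothetical organisation denylist (company, campus, city, team).
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
CONTEXT_WORDS = {"harvard", "tesla", "boston"}
SEQUENTIAL_DIGITS = {"1", "12", "123", "1234", "12345", "123456"}

# Reference date used in the examples so the year check is reproducible.
EXAMPLE_DATE = date(2023, 5, 15)

# Shape we are hunting: a single dictionary word followed only by digits and/or symbols.
WORD_THEN_DECORATION = re.compile(r"^([A-Za-z]+)([^A-Za-z]*)$")


def meets_naive_complexity(pw: str) -> bool:
    """The rule quoted in the text: at least 6 characters, one digit, one special character."""
    return (len(pw) >= 6
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def guessable_reasons(pw: str, context_words=CONTEXT_WORDS,
                      today: Optional[date] = None) -> List[str]:
    """Return the reasons a password fits the guessable word+number+symbol recipe.

    An empty list means the password does not match that simple shape. It may still be
    weak for other reasons; this check only targets the patterns discussed above.
    """
    today = today or date.today()
    reasons: List[str] = []
    m = WORD_THEN_DECORATION.match(pw)
    if not m:
        return reasons
    word, trailer = m.group(1).lower(), m.group(2)
    digits = re.sub(r"\D", "", trailer)

    if word in SEASONS:
        reasons.append("season word")
    if word in context_words:
        reasons.append("organisation or context word")
    # Current and previous year in 4-digit and 2-digit form (Summer2023, Summer23).
    recent_years = {str(y) for y in (today.year, today.year - 1)}
    recent_years |= {f"{y % 100:02d}" for y in (today.year, today.year - 1)}
    if digits in recent_years:
        reasons.append("current or previous year")
    if digits in SEQUENTIAL_DIGITS:
        reasons.append("sequential digits")
    # The generic recipe: a word, then a short numeric/symbol tail to satisfy the policy.
    if len(word) >= 3 and trailer and re.search(r"[^A-Za-z0-9]", trailer):
        reasons.append("word with numeric/symbol suffix")
    return reasons


def is_acceptable(pw: str, today: Optional[date] = None) -> bool:
    """Accept only passwords that pass the complexity rule AND do not fit the guessable recipe."""
    return meets_naive_complexity(pw) and not guessable_reasons(pw, today=today)


if __name__ == "__main__":
    for candidate in ("Summer23!", "Dan1@", "Harvard123#", "plover-kettle-42%"):
        print(candidate, meets_naive_complexity(candidate),
              guessable_reasons(candidate, today=EXAMPLE_DATE))
```

Run against the three examples from the text, Summer23! and Harvard123# pass the naive complexity rule but are rejected by the shape check, while a multi-word passphrase with the same character classes goes through.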

4. Customized Credential List

  • You might have some interesting information such as the target’s pet name, city, or the university they went to. You can feed that into a tool called cupp and it will generate potential passwords built from all of that information. Add them to your password list.
    To use the tool, git clone the repository, go into the directory and run the tool in interactive mode with python3:
python3 cupp.py -i
  • It could also be that your target has other websites or pages where you found usernames, along with interesting words that might be tied to those usernames or employee names. In that case use a tool called cewl to spider the site, collect those words and write them to a file. You can set the crawl depth and the minimum length of the collected words. This file can be used both as a username list and as a password list:
cewl -d <depth> -m <minimum_word_length> <target_url> > result.txt

After generating a proper username and password list, it’s now time to use them against the login portals.

Attack Strategy against Login Portals

Now we can run two types of attack against them: password stuffing or password spraying.

  • Password Stuffing (credential stuffing): This means you try every username and password combination, brute-forcing until you find the working pair(s) of credentials. Of course, this creates more noise and can get you detected because of the large number of failed attempts.
  • Password Spraying: You might have heard this term while using Kerbrute in internal pentests or Active Directory work. Essentially it means we take a username/email list and try one single password against all of them. This is less noisy and more effective if you know that one particular password is likely to be right; for example, a car company engineer might use something like Tesla23!.
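The noise difference between the two is exactly what a blue team keys on: stuffing piles failures onto individual accounts and trips per-account lockout, while spraying leaves at most one failure per account and only shows up when you count distinct failed usernames per source. The following is an added example, not part of the original post, that runs that logic over a few constructed authentication log lines (RFC 5737 test addresses, invented usernames); the log format and the two thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of portal authentication log lines (not real traffic).
# 203.0.113.10 tries one password across six accounts (spraying) and gets one hit.
# 198.51.100.7 hammers two accounts three times each (stuffing / brute force).
# 192.0.2.44 is a user who mistyped once and then logged in normally.
SAMPLE_LOG = """\
2023-05-15T10:00:01Z src=203.0.113.10 user=alice result=FAIL
2023-05-15T10:00:02Z src=203.0.113.10 user=bob result=FAIL
2023-05-15T10:00:03Z src=203.0.113.10 user=carol result=FAIL
2023-05-15T10:00:04Z src=203.0.113.10 user=dave result=FAIL
2023-05-15T10:00:05Z src=203.0.113.10 user=erin result=FAIL
2023-05-15T10:00:06Z src=203.0.113.10 user=frank result=SUCCESS
2023-05-15T10:01:00Z src=198.51.100.7 user=alice result=FAIL
2023-05-15T10:01:01Z src=198.51.100.7 user=alice result=FAIL
2023-05-15T10:01:02Z src=198.51.100.7 user=alice result=FAIL
2023-05-15T10:01:03Z src=198.51.100.7 user=bob result=FAIL
2023-05-15T10:01:04Z src=198.51.100.7 user=bob result=FAIL
2023-05-15T10:01:05Z src=198.51.100.7 user=bob result=FAIL
2023-05-15T10:05:00Z src=192.0.2.44 user=gina result=FAIL
2023-05-15T10:05:09Z src=192.0.2.44 user=gina result=SUCCESS
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(SUCCESS|FAIL)")


def summarize_by_source(log_text: str) -> Dict[str, dict]:
    """Per source address: failures per user and the users that logged in successfully."""
    stats: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not auth events
        src, user, result = m.groups()
        s = stats.setdefault(src, {"fails_per_user": defaultdict(int), "success_users": []})
        if result == "FAIL":
            s["fails_per_user"][user] += 1
        else:
            s["success_users"].append(user)
    return stats


def classify_source(s: dict, spray_user_threshold: int = 5, stuff_fail_threshold: int = 3) -> str:
    """Label one source's behaviour. Thresholds are assumptions for the example."""
    fails = s["fails_per_user"]
    max_per_user = max(fails.values(), default=0)
    # Spraying: one password across many accounts, so failures are spread thin (<= 1 per user).
    # Per-account lockout never trips; counting distinct failed users per source does.
    if len(fails) >= spray_user_threshold and max_per_user <= 1:
        return "spraying"
    # Stuffing / brute force: the same account fails repeatedly from one source.
    if max_per_user >= stuff_fail_threshold:
        return "stuffing"
    return "normal"


def detect(log_text: str) -> Dict[str, str]:
    """Map each source address to spraying / stuffing / normal."""
    return {src: classify_source(s) for src, s in summarize_by_source(log_text).items()}


def suspicious_successes(log_text: str) -> List[Tuple[str, str]]:
    """(source, user) pairs where a login succeeded from a source that was spraying or stuffing."""
    hits: List[Tuple[str, str]] = []
    for src, s in summarize_by_source(log_text).items():
        if classify_source(s) != "normal":
            hits.extend((src, u) for u in s["success_users"])
    return hits


if __name__ == "__main__":
    for src, label in detect(SAMPLE_LOG).items():
        print(src, label)
    print("accounts to reset:", suspicious_successes(SAMPLE_LOG))
```

The second function is the one worth wiring to an alert: a SUCCESS from a source already labelled spraying or stuffing is the account that needs a forced reset, which is the mirror image of the “identify the success hit” step later in this post.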

Once you have decided which attack you want to run, or that you will try both, it’s time to start. For brute force or spraying we can use tools like Burp Suite Pro or ZAP. The free version of Burp Suite is extremely slow at brute forcing, so if you can get a license, use the Pro version. Otherwise ZAP is a free tool that works much like Burp Suite and you can use that too.

Depending on the login portals, your tools might change. Let’s discuss what you want to use against what to avoid detection and gain the most out of it.

  • Known Login Portal: If you are spraying a well-known and popular portal such as Office365 or OWA, there are dedicated toolkits for that. These logins are monitored and account-blocking systems are in place to stop threat actors, so to get around them you also have to use proxy servers. This topic deserves a separate dedicated post, so for now I’ll only mention some toolkits you can experiment with: TrevorSpray, SprayingToolkit, o365enum.
  • Every Other Login Portal: If you are facing any other login portal built by the company, you can use Burp Suite/ZAP. First submit random credentials to the login form (for example test:passwordtest) and intercept the request with Burp Suite or ZAP. Then mark the username and password fields as payload positions. For a password spray, mark only the username field, load the usernames or emails you gathered as payloads, and set the password field to the one password you want to spray with. Then start the attack. For credential stuffing, mark both the username and password fields, load payloads into both, and start the attack.

Identifying Successful Login

Whichever method you use, you have to identify the successful hits. The dedicated toolkits tell you outright that a given pair of credentials is a hit. With Burp Suite/ZAP you have to spot the successful login yourself by comparing several things. For example:

  • Status Code: A 200 usually means OK, you have logged in. Some pages redirect you after login, so in that case a 301 or 302 would also mean a successful attempt.
  • Content-Length: The login page usually doesn’t contain many words or characters, so its content length is small. After a successful login you typically land on the real dashboard, which contains much more content and therefore has a bigger content length. So a larger content length usually means a successful login.
  • Anything unusual: Look carefully at the responses. Most attempts will be unsuccessful, so the headers, status code, length, encoding, etc. will follow a pattern. For the one or two successful attempts they will change, so anything unusual or out of pattern may also indicate a successful login.

I hope this gave a useful introduction to password attacks and attacking login portals. I will soon write about targeting well-known services like Office365 and using the toolkits. New tools appear every now and then, and the ways of generating a username and password list can get much more complex, for example using the crunch tool, or a username generator like namemash.py that produces username/email combinations from full names. Research them.

Happy Hacking !
