Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Trying to send Intruder a encrypted password

Goose | Last updated: Feb 13, 2017 04:12AM UTC

I am trying BurpSuite Pro and have the following question. On an application that I am testing, I was able to get the application to give me a valid user log name. When I look at the Intercept the request to log I see all the values I am looking for. I typed the password admin123 for the ADMIN user and I got the following on the PASSWORD= Host: 192.168.100.9 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Content-Type: application/json; charset=utf-8 Token: undefined X-Requested-With: XMLHttpRequest Referer: https://192.168.100.9/login/ Content-Length: 186 Connection: close {"UserID":"ADMIN","Password":"0f6b1fcde8810109bf7392902dfdb48d0e84baa0879ef06782bbf7dfaf62604c"... Do I need to attempt to guess the encryption before sending the Password value to the Intruder?, I have a word list of passwords that I would like to try Thanks for any pointers

PortSwigger Agent | Last updated: Feb 13, 2017 10:21AM UTC

If you are entering "admin123" into your browser, and the request contains "0f6b1fcde88..." then presumably there is some client-side script that is encrypting/obfuscating the password. You should be able to read the script to understand what is happening - no need to guess what is going on.

Burp User | Last updated: Feb 13, 2017 07:35PM UTC

Thanks for the heads up. The application does a server side encryption, the client provided me the portion of the code that does the hashing on the server: if (this.firstTry) { pswdhash = (pswd === "") ? "" : loginUtil.HashPassword256(userID + pswd); } else { pswdhash = loginUtil.HashPassword(pswd); newPswdhash = loginUtil.HashPassword256(userID + pswd); } If I use SHA-256 and mix ADMINadmin123 I get the right values. I just need to add ADMIN in front of my word list and create the new wordlist with the hashed values. Any tool you recommend to create my new hash table. Thanks

PortSwigger Agent | Last updated: Feb 14, 2017 10:02AM UTC

You can do this using Burp Intruder's payload processing rules. Use your list of passwords as payloads, and add a payload processing rule to add a prefix (ADMIN) and another rule to do a SHA-256 hash. You might need a further rule to convert the result to ASCII hex or URL-encode, depending on how it needs to be submitted.

Burp User | Last updated: Feb 14, 2017 06:17PM UTC

The recommendation worked, thanks

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.