Red Team Hands-On Lab: Bruteforce attack admin portal.

 Bruteforce attack admin portal

Introduction

A Red Team hands-on lab for brute-forcing an admin portal is a controlled exercise that simulates an attacker testing weak credentials, account lockout policies, MFA implementation, and logging/alerting. Set up an isolated test environment (or a purposely vulnerable app), seed it with varied user accounts and passwords, and capture telemetry so you can observe how the defenses respond. Use tools like Burp Intruder or Hydra with slow, measured attacks (or password-spraying techniques) while avoiding harm, validate success signatures on test accounts, and document every step and finding so defenders can tune rate limits, anomaly detection, and incident response. Always run these exercises only with explicit written authorization.

In this blog we will make use of nmap, hydra, and docker/docker compose to simulate our exercise.

We first need to set up the vulnerable app using Docker in our Ubuntu VM.

Make sure to check the Docker docs if you don't have it installed.

The hackme file comes from the TCM Security Academy; all credit goes to them.

Create a folder, unzip the file there, cd into it, and run "sudo docker compose up" to install and boot up the webapp.

Access the vulnerable webapp on port 5000.


Now we spin up an nmap scan against it.

We can see several services up and running on the target; for this demonstration we will focus on the webapp itself.

We need to inspect the login portal to see how it works and which parameters we need to use to brute-force it with a list of random passwords.



After figuring that out, we'll make use of the hydra tool.

If you don't have hydra installed, install it with this command: "sudo apt install hydra -y"

Assuming the admin user is simply "admin", we can construct the following hydra command:

hydra -l admin -P passwords.txt -f <target-ip> -s 5000 http-post-form "/login:username=^USER^&password=^PASS^:Login"

What each piece means:

  • hydra — the program (a parallelized login cracker).

  • -l admin — use a single username (admin). (-L would be a file of usernames.)

  • -P passwords.txt — use the wordlist file passwords.txt for candidate passwords. (-p would be a single password.)

  • -f — stop/exit as soon as a valid credential is found (fail-fast).

  • <target-ip> — the target host (replace with the real IP or hostname).

  • -s 5000 — use TCP port 5000.

  • http-post-form — the Hydra module for submitting an HTTP POST form. Its argument is a triple with three parts separated by colons:

    1. the URL path to the login handler (e.g. /login),

    2. the POST body with placeholders ^USER^ and ^PASS^ (here username=^USER^&password=^PASS^), and

    3. a failure indicator string that Hydra looks for in the response to recognise a failed attempt (for example an “Invalid credentials” message; in the command above it is the string Login). If that string is absent from the response, Hydra treats the attempt as successful.

An important note: the exact http-post-form triple must match the real form parameters and the web app's failure message; incorrect values make the attack noisy and ineffective.

From a defensive point of view, look for many rapid login attempts from the same IP or username and for spikes in authentication failures, and enforce rate limiting, lockouts, MFA, and good logging to detect and block this behavior.


