Pin and One-time Password Attacks

This scenario is pretty common. Many web applications and services require a 6-digit code, a one-time password or some other type of short code for authentication. In this tutorial we will show how to quickly build a brute-forcer with the SecApps Fuzzer to solve this particular problem during penetration tests and bug bounty hunting adventures.
The Setup
Other tutorials already do a pretty good job of discussing how to use the SecApps Fuzzer from start to finish. In this tutorial we will concentrate only on generating 6-digit codes. Open the fuzzer and construct a basic request that will carry the operation. You can capture a sample request from the target application using HTTPView.
In this example, our request looks like this:
POST http://httpbin.org/post HTTP/1.1
Content-Type: application/x-www-form-urlencoded
pin=123456
Copy the request. Click the application icon (the one that looks like a grid of 9 squares) and select the Import Request option. Paste the request; it is parsed automatically and broken down into fields.
Let's create a counter that will go from 0 to 999999. In the pin field, start typing "counter". Select the counter generator and configure the start and stop values accordingly.
While this setup is sufficient for going over the total number of combinations, notice that single-digit numbers, and in fact any number below 6 digits, do not look like a pin. To fix that we need to add a pad which wraps the counter.
Let's start from scratch. Delete the counter and start by typing "format". Select the Format transform from the list. Within the configuration screen, select Pad for the format.
Inside the input field we need to set up the same counter we used previously. Start by typing "counter" and select the counter generator. Your screen will look like the one in the screenshot below.
Press Esc or click outside the Counter Generator configuration screen. Use the range input to adjust the length to the desired size; in this case the length should be 6 digits wide. The final configuration looks like the screenshot below.
Fuzzing
With the request set up we can start the fuzzer. Use the filters and column sorting (by status code, length and type) to locate the responses which deviate from the expected behaviour for a wrong pin. In no time you will be able to find the right combination.
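The walk through the whole 000000 to 999999 space only works because nothing on the server limits how many guesses one code will accept. As an added example (not part of the tutorial and not SecApps code), here is a server-side check with the controls that close that gap: an attempt budget per issued code, expiry, single use and a constant-time comparison. The 5-attempt budget and 300-second lifetime are constructed policy values for the example; `format_pin` mirrors what the Format/Pad transform above does to the counter.

```python
import hmac
import secrets
import time

CODE_SPACE = 1_000_000   # 6-digit codes 000000..999999, the space the fuzzer walks
MAX_ATTEMPTS = 5         # constructed policy value for this example


def format_pin(n: int) -> str:
    """Zero-pad a counter value like the Format/Pad transform (42 -> '000042')."""
    return f"{n:06d}"


class OtpVerifier:
    """Server-side one-time-code check that survives exhaustive guessing."""

    def __init__(self, ttl_seconds=300, max_attempts=MAX_ATTEMPTS, now=time.time):
        self._now = now            # injectable clock so expiry can be tested offline
        self._ttl = ttl_seconds
        self._max = max_attempts
        self._codes = {}           # user -> [code, issued_at, attempts_left]

    def issue(self, user: str) -> str:
        code = format_pin(secrets.randbelow(CODE_SPACE))   # uniform over the space
        self._codes[user] = [code, self._now(), self._max]
        return code

    def verify(self, user: str, guess: str) -> str:
        entry = self._codes.get(user)
        if entry is None:
            return "no_code"
        code, issued, left = entry
        if self._now() - issued > self._ttl:
            del self._codes[user]
            return "expired"
        if left <= 0:
            return "locked"
        entry[2] = left - 1                      # spend an attempt before comparing
        if hmac.compare_digest(code, guess):     # constant-time, no early exit on prefix
            del self._codes[user]                # single use: the code cannot be replayed
            return "ok"
        return "locked" if entry[2] == 0 else "wrong"


def guess_success_probability(max_attempts=MAX_ATTEMPTS, space=CODE_SPACE) -> float:
    """Chance that a guesser with this attempt budget hits a uniformly random code."""
    return min(max_attempts, space) / space
```

With the budget in place the guesser's odds drop from certainty to `max_attempts / 1_000_000`, which is what `guess_success_probability` returns.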
Conclusion
In this tutorial we were able to quickly come up with a custom fuzzer to brute-force 6-digit codes. You can create similar fuzzer customisations in no time. You can also save your creations in your local and remote personal and team drives and share them with the help of fiddles.