Pin and One-time Password Attacks

How to create a simple web fuzzer to bruteforce your way into any 6 digit code

This scenario is pretty common. Many web applications and services require a 6-digit code for authentication, or knowledge of a one-time password or some other type of short code. In this tutorial we will show how to easily build a bruteforcer with the SecApps Fuzzer to solve this particular problem during penetration tests and bug bounty hunting adventures.

The Setup

Other tutorials already do a pretty good job of discussing how to use the SecApps Fuzzer from start to finish. In this tutorial we will simply concentrate on generating 6-digit codes. Open the fuzzer and construct a basic request that will carry out the operation. You can capture a sample request from the target application using HTTPView.

In this example, our request looks like this:

Content-Type: application/x-www-form-urlencoded


Copy the request. Click the application icon (the one that looks like a grid of 9 squares). Select the Import Request option. Paste the request and it will be parsed automatically and broken down into fields.

Let’s create a counter that will go from 0 to 999999. In the pin field start typing counter. Select the counter generator and configure the start and stop values accordingly.

While this setup is sufficient for going over the total number of combinations, notice that single-digit numbers, and in fact any number shorter than 6 digits, do not look like a pin. To fix that we need to add a pad which wraps the counter.

Let’s start from scratch. Delete the counter and start by writing format. Select the Format transform from the list. Within the configuration screen select Pad for the format.

Inside the input field we need to set up the same counter we configured previously. Start by typing counter. Select the counter generator. Your screen will look like the one in the screenshot below.

Press Esc or click outside the Counter Generator configuration screen. Use the range input to adjust the length to the desired size. In this case the length should be 6 digits wide. The final configuration looks like the screenshot below.


With the request set up we can start the fuzzer. Use the filters and column sorting (by status code, length and type) to locate the responses which deviate from the expected behaviour when the pin is wrong. In no time you will be able to find the right combination.
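From the defender's side, a counter-driven run like this one shows up as a burst of failed verifications against one account or from one source. The sketch below is an added example, not part of the original tutorial or the SecApps tooling; the log format, the 5-minute window and the failure budget are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: <ISO time> <source IP> account=<name> result=<ok|fail>
LINE = re.compile(r"^(\S+) (\S+) account=(\S+) result=(ok|fail)$")
WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_FAILS = 5                   # assumed failure budget inside one window


def build_sample_log():
    """Constructed log: one user mistyping once, one client counting through pins."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = [
        f"{t0.isoformat()} 198.51.100.20 account=alice result=fail",
        f"{(t0 + timedelta(seconds=20)).isoformat()} 198.51.100.20 account=alice result=ok",
    ]
    for i in range(40):  # 40 wrong codes, one per second
        ts = t0 + timedelta(seconds=60 + i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 account=bob result=fail")
    return lines


def detect_code_guessing(lines, window=WINDOW, max_fails=MAX_FAILS):
    """Return {(kind, key): time at which the failure budget was first exceeded}."""
    recent = defaultdict(deque)   # (kind, key) -> timestamps of recent failures
    alerts = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines in another format
        ts = datetime.fromisoformat(m.group(1))
        source, account, result = m.group(2), m.group(3), m.group(4)
        if result != "fail":
            continue
        # Track per account as well as per source: a run spread over many
        # addresses still concentrates its failures on one account.
        for key in (("account", account), ("source", source)):
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()   # drop failures that fell out of the window
            if len(q) > max_fails and key not in alerts:
                alerts[key] = ts
    return alerts
```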


In this tutorial we were able to quickly come up with a custom fuzzer to bruteforce 6-digit codes. You can create similar types of fuzzer customisations in no time. You can also save your creations to your local and remote personal and team drives and share them with the help of fiddles.