0xma Cyber Security Articles

May 6, 2022

Brute-Force PINs Using wfuzz

In this tutorial, we will see how to brute-force PINs using wfuzz. The website has a "Forgot Password" button that prompts for a username. Upon submitting the username, it sends a PIN to the email address associated with that username.

This is the login page of the website. Click on "Forgot Password?".

Login page of the website.

Enter a valid username. The web application will send a PIN code to the email address associated with this username.

Entering a valid username.

Let's enter a random PIN code.

Entering a random PIN code.

The response is "Invalid Pincode".

Invalid pincode response.

Trying to brute-force the PIN code results in "429 | Too Many Requests".

429 too many requests response after brute forcing the PIN codes.

This is the response in Burp Suite.

429 too many requests in Burp Suite.

The rate limit appears to be applied per client IP address, so in order to keep brute-forcing the PIN code we have to add an HTTP header that makes each request look like it comes from a different source. Let's generate a list of 10,000 unique IP addresses.

Generating a list of 10000 random IP addresses.

The IP address starts from and ends with

IP address range.

This list contains a bunch of HTTP headers that we can use in this scenario. We will be using the second one "X-Forwarded-For" with the list of IP addresses that we have generated.

HTTP headers to modify the source.

Let's run wfuzz to brute force the PINs. Note that the range of PIN codes is from 0000 to 9999, and for the "X-Forwarded-For" header the values are taken from the "ip_list.txt" file. However, without any filtering it returns a lot of results.

Running wfuzz to brute force the PIN codes.

Filtering out all the irrelevant results, which have 5651 characters in the response, leaves the one response that differs: the correct PIN code. Note that the response also includes the IP address that was used in the "X-Forwarded-For" header, which confirms the application is reading that header as the client address.

wfuzz finds the PIN code.
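The bypass above works only because the rate limiter keys on a header the client controls and because nothing caps the number of guesses per issued PIN. As an added example (not code from the original article), here is a small Python simulation of the vulnerable check beside a hardened one; the proxy address, attacker address, username and PIN are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed assumptions: one reverse proxy at 10.0.0.2, the attacker's real
# address is 198.51.100.7, and the PIN issued for "alice" is 1234.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}
ATTACKER = "198.51.100.7"
PER_IP_LIMIT = 10

def naive_client_ip(headers, remote_addr):
    # Vulnerable: honours X-Forwarded-For from any peer, so every spoofed value is a fresh bucket.
    return headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()

def hardened_client_ip(headers, remote_addr):
    # Honour X-Forwarded-For only when the TCP peer is our own proxy, and use the
    # address that proxy appended (the last element), never the client-supplied one.
    if ipaddress.ip_address(remote_addr) in TRUSTED_PROXIES and "X-Forwarded-For" in headers:
        return headers["X-Forwarded-For"].split(",")[-1].strip()
    return remote_addr

class PinVerifier:
    """Simulated reset-PIN check: per-IP throttle plus an optional per-PIN guess budget."""
    def __init__(self, client_ip_fn, per_pin_limit=None, pin="1234"):
        self.client_ip_fn, self.per_pin_limit, self.pin = client_ip_fn, per_pin_limit, pin
        self.per_ip, self.per_user = defaultdict(int), defaultdict(int)

    def attempt(self, username, guess, headers, remote_addr):
        ip = self.client_ip_fn(headers, remote_addr)
        if self.per_ip[ip] >= PER_IP_LIMIT:
            return 429
        if self.per_pin_limit is not None and self.per_user[username] >= self.per_pin_limit:
            return 429  # budget for this PIN is spent; the user must request a new one
        self.per_ip[ip] += 1
        self.per_user[username] += 1
        return 200 if guess == self.pin else 403

def simulate(verifier, spoof, via_proxy=False):
    """Walk 0000..9999 like the wfuzz run, stopping at the first 429 or at success.
    Returns (pin_found, requests_sent)."""
    for i in range(10000):
        headers = {}
        if spoof:  # one unique spoofed address per request, as with ip_list.txt
            headers["X-Forwarded-For"] = str(ipaddress.ip_address("10.10.0.0") + i)
        if via_proxy:  # a real proxy appends the true peer address and becomes the TCP peer
            headers["X-Forwarded-For"] = ", ".join(filter(None, [headers.get("X-Forwarded-For"), ATTACKER]))
            remote = str(next(iter(TRUSTED_PROXIES)))
        else:
            remote = ATTACKER
        status = verifier.attempt("alice", f"{i:04d}", headers, remote)
        if status in (200, 429):
            return status == 200, i + 1
    return False, 10000
```

With the naive lookup every spoofed address gets its own bucket and the PIN falls on request 1235; with the hardened lookup, or with a per-PIN budget alone, the run is cut off after a handful of guesses.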

Enter the username and PIN code.

Entering the username and PIN code.

Enter a new password.

Entering a new password.

Log in with the new password.

Logging in with the new password.

We are able to log in to the website.

Website login.

If you liked reading this article, you can follow me on Twitter: mujtabareads.