Brute-Force Methodology

When performing a brute-force attack to identify valid credentials, consider the following factors:

  1. Status Code:
    Pay attention to the HTTP status codes returned by the server. Different status codes can indicate whether the login attempt was successful, failed, or resulted in an error.

  2. Response Length:
    Analyze the length of the response body. A valid login attempt may return a different content length than an invalid one, so a response whose length differs from the common failure response may mark a valid credential set.

  3. Response Content Differences:
    Look for subtle differences in the response message. For example, an invalid login might return a message like "Invalid username or password," while a valid login might return "No username or password." Even small variations, such as a missing period, can distinguish valid usernames from invalid ones and so allow username enumeration.

    • Length
    • Time
    • Triggered errors: a valid account may be locked out after a number of failed attempts (e.g., after 5 invalid passwords); a lockout message therefore confirms that a user with that username exists.
      • Triggering this lockout deliberately against a user list reveals which usernames exist.

  4. Timing Analysis:
    Pay attention to response times. If a username is valid and a long (incorrect) password is entered, the system may take longer to respond, because it only goes on to check the password after the username has been found. A longer delay can therefore indicate a valid username.
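The four signals above (status code, length, content and timing), shown from the defender's side as an added example that is not part of the original notes: a deliberately oracle-prone login function beside a hardened one. The in-memory user store, usernames and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
# A real system would read this from a database; values are generated at import.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_pw("correct horse battery staple", _SALT))}

# Dummy credential so an unknown username costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_pw("placeholder-not-a-real-password", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """The oracle-prone shape: distinct status codes and messages, plus an early
    return that skips hashing (fast response) when the username is unknown."""
    if username not in USERS:
        return 404, "No username or password"        # different status, text and length
    salt, stored = USERS[username]
    if _hash_pw(password, salt) != stored:           # ordinary, non-constant-time compare
        return 401, "Invalid username or password."
    return 200, "Welcome"


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Same decision, but every failure path does identical work and returns an
    identical (status, body) pair, so none of the four signals distinguishes
    an unknown username from a wrong password."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_pw(password, salt)             # always hashed, even for unknown users
    match = hmac.compare_digest(candidate, stored)   # constant-time comparison
    if known and match:
        return 200, "Welcome"
    return 401, "Invalid username or password."
```

Lockout handling, when added, should follow the same rule: enforce it server-side but return the same generic failure body so the lockout itself does not become the enumeration signal described above.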
Extra Information

Bypass IP blocking

  • X-Forwarded-For header: set a new IP
  • Mix a known-valid credential (our own account) into the brute-force attempts so that about half of the requests are successful logins, which can keep the IP from being blocked