Skip to content

Penetration Testing Lab

Offensive Techniques & Methodologies

  • Methodologies
    • Red Teaming
      • Persistence
  • Resources
    • Papers
      • Web Application
    • Presentations
      • Defcon
      • DerbyCon
      • Tools
    • Videos
      • BSides
      • Defcon
      • DerbyCon
      • Hack In Paris
  • Contact
    • About Us
Posted on December 21, 2012

Brute Force Attack With Burp

by Administrator.In Web Application.9 Comments on Brute Force Attack With Burp

In many occasions as a penetration testers we will have to face a web application where it will contain a login form which we will have to test it for weak credentials.Burp Suite is probably the best tool to be used when assessing web applications.Burp’s main use is to be a proxy interceptor,however provides a lot of other functions to penetration testers and it can also be used to attack a login form.In this article we will examine how we can use Burp in order to perform a brute force attack on a web application.

Let’s say that we have the following login form:

Login Form
Login Form

 

We will try to submit a username and a password and we will use the Burp Suite in order to capture the HTTP request.

Capturing the HTTP Request
Capturing the HTTP Request

 

Then we will send the request to the Intruder (Action—>Send to Intruder) and we will clear the positions on the request that we will not need to insert payloads which are the $low$ and session cookie.So we will leave the following positions:

Clearing Positions
Remaining Positions

 

As an attack type we will choose the cluster bomb because this type of attack it can take each word of the username list and it can run it against each word of the password list in order to discover the correct credentials.

Now it is time to set the payloads on the three positions.So we will load our wordlists that contains usernames and passwords in the payload options of Burp and for the 3rd position we will just put as an option $Login$.In the next three images you can see this configuration.

Payload Set 1 - Usernames
Payload Set 1 – Usernames

 

Payload Set 2 - Passwords
Payload Set 2 – Passwords

 

Payload Set 3 - Login
Payload Set 3 – Login

 

Everything now is ready and we can start the attack on the Intruder.The Intruder will start sending HTTP requests to the form based on our payloads and it will try all the possible combinations.

Cluster Bomb - Intruder
Cluster Bomb – Intruder

 

After the inspection of the responses we will notices that Burp has successfully logged in under the credentials smithy/password.

Discovery of valid credentials
Discovery of valid credentials

 

We can now go back to the application and to try to get access to the admin area with this username and password.

Access in the admin area
Access in the admin area

 

Conclusion

As we saw in this post Burp is also capable to perform brute force attacks against web applications.Login forms can be found almost in every web application and the intruder tool can help the penetration tester to automate his tests.The discovery of valid administrator credentials can make the difference in black-box penetration tests.

Rate this:

Share this:

  • Twitter
  • Facebook
  • LinkedIn
  • Reddit
  • Tumblr
  • Skype
  • WhatsApp
  • Telegram
  • Pinterest
  • Pocket
  • Email

Like this:

Like Loading...

Related

BurpDVWADVWA Brute ForceLogin FormWeb Application Pentest

9 Comments

  1. Robin says:
    December 21, 2012 at 10:39 am

    Why are you leaving the login field as a variable but then using a static value in it? May as well remove it from the list.

    Reply
  2. Yuval says:
    December 21, 2012 at 6:27 pm

    What’s new in this attack?!

    Reply
  3. netbiosX says:
    December 21, 2012 at 6:34 pm

    There is nothing new in this attack Yuval.It is just a demonstration of how you can use Burp to perform this type of attack.

    Reply
  4. Manoj Singh says:
    December 24, 2012 at 6:21 am

    The Payload for Brute force can be SQL injection vectors in username and Password with Cluster Bomb.

    Reply
  5. LethalDuck says:
    December 28, 2012 at 10:07 pm

    Couldn’t you just use THC-Hydra?
    No bloated GUI is needed then.

    Reply
    1. Robin says:
      January 13, 2013 at 9:56 pm

      Burp is much better and a lot more powerful, I wouldn’t bother with anything else

      Reply
  6. LethalDuck says:
    December 28, 2012 at 10:10 pm

    Here’s the steps:
    http://seclists.org/pen-test/2008/May/114

    Reply
  7. Sally says:
    January 13, 2013 at 1:56 pm

    I see a software at http://www.eguardo.com . Interestingly they provide an API to stop brute force attacks on Microsoft.NET, PHP and Java. I tried and working…

    Reply
  8. Pingback: Miscellaneous | Annotary

Leave a Reply to LethalDuck Cancel reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. ( Log Out /  Change )

Google photo

You are commenting using your Google account. ( Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. ( Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. ( Log Out /  Change )

Cancel

Connecting to %s

Post navigation

Previous Previous post: HTTP Methods Identification
Next Next post: ARP Poisoning Script

Search Topic

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2,185 other followers

Recent Posts

  • Lateral Movement – Services
  • Indirect Command Execution
  • Spyse – A Cyber Security Search Engine
  • Persistence – COM Hijacking
  • Persistence – DLL Hijacking

Categories

  • Coding (10)
  • Exploitation Techniques (19)
  • External Submissions (3)
  • General Lab Notes (22)
  • Information Gathering (12)
  • Infrastructure (2)
  • Maintaining Access (4)
  • Mobile Pentesting (7)
  • Network Mapping (1)
  • Post Exploitation (13)
  • Privilege Escalation (14)
  • Red Team (84)
    • Credential Access (2)
    • Defense Evasion (22)
    • Lateral Movement (1)
    • Persistence (24)
  • Social Engineering (11)
  • Tools (7)
  • VoIP (4)
  • Web Application (14)
  • Wireless (2)

@ Twitter

  • Extended Process List with search functionality for process listing github.com/thesnoom/extps… 20 hours ago
  • JSON DataSet for macOS mapped to MITRE ATT&CK Tactics github.com/sbousseaden/ma… 1 day ago
  • @hasherezade @ben_eater 661K subscribers!!!! OMG! I really need to improve on my videos! 1 day ago
  • If you miss it earlier this week, here is the video about Process Herpaderping - Windows Defender Evasion youtu.be/FIDCLMvH6Vs 2 days ago
  • MSSQL Lateral Movement research.nccgroup.com/2021/01/21/mss… 2 days ago
Follow @netbiosX

Pentest Laboratories Discord

  • Discord

Pen Test Lab Stats

  • 5,023,576 hits

Facebook Page

Facebook Page
Blog at WordPress.com.
  • Methodologies
    • Red Teaming
      • Persistence
  • Resources
    • Papers
      • Web Application
    • Presentations
      • Defcon
      • DerbyCon
      • Tools
    • Videos
      • BSides
      • Defcon
      • DerbyCon
      • Hack In Paris
  • Contact
    • About Us
Cancel
loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.
%d bloggers like this: