Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Brute Force Website Login Page using Burpsuite (Beginner Guide)

$
0
0

In this article we will learn to prosecute dictionary attack from BurpSuite. And we will try and crack the password of DVWA Lab.

Burp Suite:Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun. Importantly, it gives us another way to manage our attacks as the alternative to metasploit.

To make Burp Suite work, firstly, we have to turn on manual proxy and for that go to the settings and choose Preferences.


Brute Force Website Login Page using Burpsuite (Beginner Guide)

Then select advanced option and further go to Network then select Settings .


Brute Force Website Login Page using Burpsuite (Beginner Guide)

Now, select Manual proxy Configuration


Brute Force Website Login Page using Burpsuite (Beginner Guide)

And this way your manual proxy will be active as you can see below too.


Brute Force Website Login Page using Burpsuite (Beginner Guide)

Now, on the other hand open DVWA and log into it using its default username and password.


Brute Force Website Login Page using Burpsuite (Beginner Guide)

Once you log in, click on Brute Force . And also make sure that security is low or medium.


Brute Force Website Login Page using Burpsuite (Beginner Guide)

When you click on brute force, it will ask you the username and password. Here, before giving username and password open burp suite and select Proxy tab and turn on interception by clicking on Interception is on/off tab.


Brute Force Website Login Page using Burpsuite (Beginner Guide)

As you turn on the interception, then give any password you like just so that the burp suite can capture it.

Send the captured material to the intruder by right clicking on the space and choosing Send to Intruder option or simply press ctrl + i


Brute Force Website Login Page using Burpsuite (Beginner Guide)

Now open the Intruder tab then select Positions tab and following will be visible:


Brute Force Website Login Page using Burpsuite (Beginner Guide)

Choose the Attack type as Cluster Bomb .


Brute Force Website Login Page using Burpsuite (Beginner Guide)

Now select username and password as shown below:


Brute Force Website Login Page using Burpsuite (Beginner Guide)

In the above image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

So now, go to Payloads tab and the select 1 from Payload set (this ‘1’ denotes the username file). Then click on Load button and browse and select your dictionary file for username.


Brute Force Website Login Page using Burpsuite (Beginner Guide)

Now select 2 in the Payload set and again similar give the dictionary file for the password.


Brute Force Website Login Page using Burpsuite (Beginner Guide)

Now all you have to do is go to Intruder menu and select Start attack from the drop down menu.


Brute Force Website Login Page using Burpsuite (Beginner Guide)

Sit back and relax because now the burp suite will do its work and match the username and password and will give you the correct password and username. The moment it will find the correct value, it will change the value of length as shown:


Brute Force Website Login Page using Burpsuite (Beginner Guide)

And to confirm it from the response as it will be “Welcome to the password protected area admin”


Brute Force Website Login Page using Burpsuite (Beginner Guide)

And this way its all done.

Shivam Gupta isAn Ethical Hacker , Cyber Security Expert, Penetration Tester, India. you can contact here


Viewing all articles
Browse latest Browse all 12749

Trending Articles