Brute Force Website Login Page using Burpsuite (Beginner Guide)


Hello friends!! This is a beginner guide on Brute Force attack using Brup suite. In this article we had demonsrated login page brute force attack on a web application “DVWA”.

Table of Content
§  Introduction to Brute Force Attack
§  Vector of Brute force Attack
§  What is wordlist or dictionary?
§  Lab Set -up Requirement
§  Password Brute Force Using Sniper Attack
§  Username & Password Brute Force Using Cluster Bomb Attack

Introduction to Brute Force Attack

Brute force play a vital role in web penetration testing because is the simplest method to gain access to a site or server by checking the correct username or password by calculating every possible combination that could generate a username or password.

For example:  You have 3 digits PIN for login into an account but when you forget the PIN, so you  will try different values till the time you identify the right match to unlock the account.

Vector of Brute force Attack
§  Using Default login credential such as admin:admin or admin:password
§  Weak password or PIN such as 123
§  Birth Date or Name such as raj:1111

As per Internet security 8 letter character is considered as the standard number for shortest length of a password because the probability of guessing complex password is much larger. For such reason, there are many software and scripts that reduce manual efforts of guessing password or PIN by generating a wordlist or dictionary.

What is wordlist or dictionary?

Wordlist or dictionary is a collection of words which are quite useful while making brute force attack. There are several tools which let you generate your own dictionary that you can use in brute force attack.
Read the given below articles to know more about wordlist genertaing tools


Lab Set -up Requirement
Target: DVWA (read from here)
Attacking tool: Installed Burp Suite (Any Platform Windows/Kali Linux)

Password Brute Force Using Sniper Attack
Burp Suite: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun. Importantly, it gives us another way to manage our attacks as the alternative to metasploit.

§  To make Burp Suite work, firstly, we have to turn on manual proxy and for that go to the settings and choose Preferences.
§  Then select advanced option and further go to Network then select Settings.
§  Now, select Manual proxy Configuration.



Now, on the other hand open DVWA and log into it using its default username and password. Once you log in, click on Brute Force. And also make sure that security is low or medium. When you click on brute force, it will ask you the username and password for login. Now suppose you don’t know the password for login into an account.
To make brute force attack first you need to enter random password and then intercept the browser request using burp suite as explain in next step.



Now open burp suite and select Proxy tab and turn on interception by clicking on Interception is on/off tab.
Then go back to DVWA-Brute Force page and click on login tab.
As you can observe that we have successfully intercepted browser request.



Send the captured data to the intruder by right clicking on the space and choosing Send to Intruder option or simply press ctrl + i
Then select Positions tab and follow the below steps:
§  Choose the Attack type as sniper.
§  Click on clear tab to deselect the selected area.



Now select password as shown below in the given image and then click on add tab.




In the above image we have selected password that means we will need a dictionary file for username password. Since I have ready create a dictionary as password.txt but you can create your own dictionary as per your situation.
So now, go to Payloads tab and the select 1 from Payload set (this ‘1’ denotes the password file). Then click on Load button and browse and select your dictionary file for password.






Now all you have to do is go to Intruder menu and select Start attack to launch the brute force attack.
Sit back and relax because now the burp suite will do its work and match the username and password and to give you the correct password for given username.
The moment it will find the correct value, it will have larger the value of length as shown:



Username & Password Brute Force Using Cluster Bomb Attack
In above scenario you saw, how easily we were able to guess the correct password when we knew the username. But what you will do when you don’t know anything, neither username nor password? 

So don’t anxiety while facing such scenario, because Burp suite has many options to shoot brute force attack in various situation, similarly “Cluster Bomb” is the attack type which will help us in brute forcing the username and password filed simultaneously.

Now once again repeat above steps to capture the browser request and this time enter random credential and do not forget to configure burp suite setting before hitting on login tab.






As you can observe that we have successfully intercepted browser request and then send the captured data to the intruder.


Then select Positions tab and follow the below steps:
§  Choose the Attack type as “cluster bomb”.
§  Click on clear tab to deselect the selected area.
§  Then select username and password as shown below in the given image and then click on add tab.



Since in above situation we was making brute force attack on single password field therefore we had uploaded one dictionary for guessing correct password but this we selected two payload position therefore we have you upload two dictionary for username and password respectively.

Therefore set payload 1 along with simple list as payload type and upload username wordlist.



And set payload 2 along with simple list as payload type and upload password wordlist.



Now all you have to do is go to Intruder menu and select Start attack to launch the brute force attack.
Sit back and relax because now the burp suite will do its work and match the username and password and to give you the correct username and password.
The moment it will find the correct value, it will have larger the value of length as shown:



In this article we have used Burp suite for brute force on web application but there so many other famous penetration testing tools that are quite useful in brute force attack. You can follow given below link to read related articles.


HAppY HAckinG!!!

0 comments:

Post a Comment