Brute Forcing Passwords with Burp Suite

Burp Suite is a tool for security testing of web applications that can uncover or exploit certain vulnerabilities. It does this by setting up a proxy between you and the internet: it listens on a port, intercepts every request, and holds it until you decide whether to forward it.

To set it up, you need Firefox and the Burp Suite application, which is available here. You first need to open Firefox and click Options > Advanced > Network > Settings. It should then give you options to configure the local Burp Suite proxy.

Once Firefox is configured to use the local Burp Suite proxy, click OK, then install Burp Suite and open the program. You will be greeted with the option to select a temporary project or to create a new one. You can choose either one, but if you're just playing around, a temporary project is ideal. Once you have chosen, you will see many tabs that have various functions.

Go to Firefox and navigate to a website of your choice. You will see that the Proxy tab lights up and shows information about the intercepted request. You can then drop or forward the request. If you click Forward, you will be connected to the website.

If you go to a website with a login form, you can try to brute force it with various combinations. Once you have intercepted a request from the desired login page, click the Intruder tab. Then, you can choose a host address and port number.

You would then set the attack positions to be the username and password fields. After this, you would define dictionary lists for the payloads.

Finally, you would add items to the list in order to be brute forced. This can be done in the form of a dictionary list.

You can do this with many different combinations, and the correct one will have a slightly different status code from the rest: for example, 200 for all except one, which is 210. The 210 response would be the correct credentials for that site.

These are just some of the basics of Burp Suite, and it has much more advanced functionality you can take advantage of.
