Perform Brute Force On Login Page Using Burp Suite and Kali


Hello fellas, today in this article I will show you how to perform a brute force attack using Kali Linux and Burp Suite. A brute force attack is one in which the attacker submits many usernames and passwords in the hope of eventually guessing the correct combination.

Vulnerability Type:

Broken Web Authentication

Description:

The following tutorial demonstrates a technique to bypass authentication using a simulated login page from the “Mutillidae” training tool. The version of “Mutillidae” we are using is taken from OWASP’s Broken Web Application Project.

Severity:

Intermediate

Requirements:

Kali Linux OS, Metasploitable 2

Tools Used:

Web Browser, Burp Suite

Exploitation:

1) First, ensure that Burp is correctly configured with your browser.

2) In the Burp Proxy tab, ensure "Intercept is off" and visit the login page of the application you are testing in your browser. Return to Burp.

3) In the Proxy "Intercept" tab, ensure "Intercept is on".

4) In your browser, enter some arbitrary details into the login page and submit the request.

5) The captured request can be viewed in the Proxy "Intercept" tab.

Right click on the request to bring up the context menu.

Then click "Send to Intruder".

6) Go to the Intruder "Positions" tab.

Clear the pre-set payload positions by using the "Clear" button on the right of the request editor.

Add the "username" and "password" parameter values as positions by highlighting them and using the "Add" button.

Change the attack to "Cluster bomb" using the "Attack type" drop down menu.

7) Go to the "Payloads" tab.

In the "Payload sets" settings, ensure "Payload set" is "1" and "Payload type" is set to "Simple list".

In the "Payload options" settings enter some possible usernames. You can do this manually or use a custom or pre-set payload set.

8) Next, in the "Payload Sets" options, change "Payload" set to "2".

In the "Payload options" settings enter some possible passwords.

You can do this manually or use a custom or pre-set list.

Click the "Start attack" button.

9) In the "Intruder attack" window you can sort the results using the column headers.

In this example sort by "Length" and by "Status". A successful login normally returns a response whose length or status code differs from the many failed attempts, so the outliers in these columns are the candidates worth inspecting.

10) The table now provides us with some interesting results for further investigation.

By viewing the response in the attack window we can see that request 118 is logged in as "admin".

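The Intruder run above leaves a very recognisable trace on the server side: one source address sending a burst of login attempts across several usernames, followed by a single success. As an added example (not part of the original post), here is a small detector for that pattern, written over constructed login audit lines in a hypothetical "timestamp ip login user=... result=..." format; the threshold and window are assumptions you would tune to the application.

```python
"""Flag Intruder-style login brute force in a login audit log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical audit format; the first source
# hammers two accounts within seconds and then lands a correct guess.
SAMPLE_LOG = """\
2020-05-01T10:00:00 192.0.2.10 login user=admin result=fail
2020-05-01T10:00:01 192.0.2.10 login user=admin result=fail
2020-05-01T10:00:01 192.0.2.10 login user=john result=fail
2020-05-01T10:00:02 192.0.2.10 login user=john result=fail
2020-05-01T10:00:02 192.0.2.10 login user=admin result=fail
2020-05-01T10:00:03 192.0.2.10 login user=admin result=ok
2020-05-01T10:05:00 198.51.100.7 login user=alice result=fail
2020-05-01T10:09:00 198.51.100.7 login user=alice result=ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) result=(ok|fail)$")


def parse_lines(text):
    """Turn audit lines into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: alert} for sources with >= threshold failures inside a sliding window."""
    failures = defaultdict(deque)  # ip -> (timestamp, user) of failures still inside the window
    alerts = {}
    for ts, ip, user, result in sorted(events):
        q = failures[ip]
        while q and ts - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        if result == "fail":
            q.append((ts, user))
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(), "compromised": []})
                a["failures"] = len(q)
                a["users"] = {u for _, u in q}  # several users = cluster bomb / spraying
        elif ip in alerts and len(q) >= threshold:
            # A success right after a burst of failures means a guess landed.
            alerts[ip]["compromised"].append(user)
    return alerts
```

Feeding the sample through `detect_bruteforce(parse_lines(SAMPLE_LOG))` flags only 192.0.2.10, lists both usernames it tried, and records "admin" as the account that was guessed; the slow, single-failure source is left alone.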

So, this is how you perform a brute force attack using Burp Suite in Kali Linux. If you have any doubt or query, mention it in the comment box below.


Frequently Asked Questions

Burp Suite is pre-installed in Kali Linux.