First, make sure that your proxy settings are set to localhost, port 8080:

proxy.PNG

Open Burp Suite and ensure that the intercept option is turned on:

intercept.PNG

Now open the website you are targeting, type anything into the username and password fields, and click Sign in (you just want to intercept the request; it will make sense shortly):

signin.PNG

Your request will be intercepted by Burp, so if you are not seeing anything on the webpage, that is normal. Go back to Burp to see the details of the request. Right-click in the Raw window and click Send to Intruder (or press CTRL+I). You will see the Intruder tab light up; click on it.

Now you need to select your payload positions and attack type:

intruder.PNG

Make sure you select Cluster bomb as your attack type, then click on the Payloads option. The first payload set needs to be a Simple list, as it represents the email/username position seen above (“email=$aa$”). The second payload set is your password position (password=$a$) and needs to be set to Brute forcer. (In this example the usernames are known and are entered manually through the Add field, but a user list could also be uploaded using the Load option. Proper footprinting and reconnaissance of the target will help you when compiling a custom list.)

simple.PNG

brute.PNG

Once you are satisfied with the options you have set, click on Intruder (the top button) and then on Start attack:

startintrude.PNG

Eventually your brute force attack should succeed and reward you with the correct username/password combination (if you are using a free version of Burp Suite, you can expect to wait about an hour for this to finish).
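Seen from the defending side, the run described above is a burst of failed logins from one source against a handful of usernames, because Cluster bomb tries every combination of the two payload sets. The following is an added example, not part of the original post, that flags this pattern in an authentication log; the log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical auth-log format (constructed): <UTC ts> <event> src=<ip> user=<name>
LINE_RE = re.compile(r"^(\S+) (login_failed|login_ok) src=(\S+) user=(\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def detect_bruteforce(lines, max_failures=20, window=timedelta(minutes=1)):
    """Flag sources with more than max_failures failures inside window (input in time order)."""
    recent = defaultdict(deque)  # src -> failure timestamps still inside the window
    targeted = defaultdict(set)  # src -> every username it has failed against
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in other formats
        ts, event, src, user = datetime.strptime(m[1], TS_FMT), m[2], m[3], m[4]
        if event == "login_ok":
            # A success from an already-flagged source means a guess worked.
            if src in alerts:
                alerts[src]["compromised"].add(user)
            continue
        targeted[src].add(user)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures and src not in alerts:
            alerts[src] = {"first_alert": ts, "users": targeted[src], "compromised": set()}
    return alerts

def sample_log():
    """Constructed data: one user mistyping a password, then one automated run."""
    log = [
        "2024-05-01T09:59:50Z login_failed src=198.51.100.4 user=carol@example.com",
        "2024-05-01T09:59:55Z login_ok src=198.51.100.4 user=carol@example.com",
    ]
    start = datetime(2024, 5, 1, 10, 0, 0)
    for i in range(60):  # 60 failures in 30 seconds across two usernames
        ts = (start + timedelta(seconds=i // 2)).strftime(TS_FMT)
        user = ("alice", "bob")[i % 2] + "@example.com"
        log.append(f"{ts} login_failed src=203.0.113.7 user={user}")
    log.append("2024-05-01T10:00:30Z login_ok src=203.0.113.7 user=alice@example.com")
    return log

if __name__ == "__main__":
    for src, info in detect_bruteforce(sample_log()).items():
        print(src, info["first_alert"], sorted(info["users"]), sorted(info["compromised"]))
```

Accounts listed under "compromised" logged in successfully from a source that had already tripped the threshold, so they are the ones to lock and reset first.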
