WAP: Brute-forcing an HTTP forms auth login page using Burp Suite

First, make sure that your browser's proxy settings point to localhost on port 8080:

Open Burp Suite and ensure that the Intercept option is turned on:


Now open the website you are targeting, type anything into the username and password fields, and click Sign in (you just want to intercept the request; it will make sense shortly):


Burp will intercept your request, so it is normal if nothing appears on the web page. Go back to Burp to see the details of the request. Right-click in the Raw window and click Send to Intruder (or press CTRL+I). The Intruder tab will light up; click on it.

Now you need to select your payload positions and attack type:


Select Cluster bomb as the attack type, then click the Payloads option. The first payload set needs to be a Simple list, as it represents the email/username seen above (“email=$aa$”); the second is the password (password=$a$), which needs to be set to Brute forcer. (In this example the usernames are known and are entered manually in the Add field, but a user list could also be uploaded using the Load option. Proper footprinting and reconnaissance of the target will help you when compiling a custom list.)



Once you are satisfied with the options you have set, click Intruder (the top button) and then Start attack:


Eventually your brute-force attack should succeed and reward you with the correct username/password combination (if you are using the free version of Burp Suite, expect to wait about an hour for this to finish).
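Seen from the server side, the attack above is a long run of failed logins from one source cycling through a short username list. The following detector is an added example, not part of the original walkthrough; the log format, the /login path, the 401/403 failure codes and the threshold are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: <ISO time> <source IP> POST <path> <status> user=<name>
LINE_RE = re.compile(r"^(\S+) (\S+) POST (\S+) (\d{3}) user=(\S+)$")

def detect_bruteforce(lines, login_path="/login",
                      window=timedelta(seconds=60), max_failures=5):
    """Flag sources with more than max_failures failed logins inside any
    sliding window. Returns {ip: {"failures": peak, "usernames": set}}.
    Assumes each source's lines arrive in time order."""
    recent = defaultdict(list)  # ip -> [(timestamp, username)] still in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line or not a POST
        ts, ip, path, status, user = m.groups()
        # Assumption: the application answers a failed login with 401 or 403.
        if path != login_path or status not in ("401", "403"):
            continue
        now = datetime.fromisoformat(ts)
        events = [e for e in recent[ip] if now - e[0] <= window]
        events.append((now, user))
        recent[ip] = events
        if len(events) > max_failures:
            entry = flagged.setdefault(ip, {"failures": 0, "usernames": set()})
            entry["failures"] = max(entry["failures"], len(events))
            entry["usernames"].update(u for _, u in events)
    return flagged

# Constructed sample: one source cycling two usernames once per second,
# and one real user who mistypes twice before signing in.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d} 203.0.113.7 POST /login 401 "
    f"user={'alice' if i % 2 else 'bob'}"
    for i in range(8)
] + [
    "2024-05-01T10:00:03 198.51.100.20 POST /login 401 user=carol",
    "2024-05-01T10:00:09 198.51.100.20 POST /login 401 user=carol",
    "2024-05-01T10:00:15 198.51.100.20 POST /login 302 user=carol",
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info["failures"], sorted(info["usernames"]))
```

Applications that return 200 with an error page on a failed login need the failure test changed to match on the response body or an application-level audit event instead of the status code.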


