
BurpSuite Brute Force Guide

TL;DR

This guide shows you how to use Burp Suite’s Intruder tool for brute-force attacks, focusing on common scenarios like password cracking and finding hidden directories. We’ll cover setting up the attack, using payloads, and analysing results.

1. Setting Up Your Attack

  1. Capture Traffic: First, you need to intercept traffic with Burp Suite’s Proxy. Navigate to the target website and perform the action you want to brute-force (e.g., login attempt).
  2. Send to Intruder: Right-click on the intercepted request in Burp’s Proxy history and select “Send to Intruder”.
  3. Select Injection Points: In Intruder, identify the parameter you want to brute-force (e.g., username or password field). Highlight it and click ‘Add’. This marks where Burp will insert your payloads. You can add multiple injection points if needed.

2. Choosing Your Payloads

  1. Payload Positions: Ensure the correct payload position is selected (usually $1 for the first injection point, $2 for the second, etc.).
  2. Load Payload Sets: Click ‘Payloads’ and choose a suitable payload set. Common options include:
    • Wordlist: Use a pre-made list of usernames or passwords (e.g., /usr/share/wordlists/rockyou.txt).
    • Brute Force: Generate all possible combinations within a specified character set and length.
    • Fuzzing: Randomly generate payloads to discover unexpected inputs.
  3. Configure Payload Options: Adjust payload options as needed:
    • Wordlist Path: Specify the path to your wordlist file.
    • Character Set: Define the characters used for brute-force attacks (e.g., lowercase letters, numbers).
    • Payload Length: Set the minimum and maximum length of generated payloads.

3. Attack Configuration

  1. Connections Tab: Configure connection settings under the ‘Connections’ tab:
    • Threads: Increase the number of threads for faster attacks (be mindful of server limitations). A value between 10 and 20 is a good starting point.
    • Client IP: If you need to rotate IPs, configure this setting.
  2. Grep – Match & Extract Tab: Use the ‘Grep’ tab to identify successful requests based on specific patterns in the response (e.g., “Login Successful”). This helps filter out irrelevant results.
    • Match: Login Successful

4. Running and Analysing Results

  1. Start Attack: Click ‘Start’ to begin the brute-force attack.
  2. Analyse Results: Monitor the results in Intruder’s output window.
    • Status Codes: Look for 200 OK responses, which might indicate success. A status code alone is not proof: many login forms return 200 for a failed attempt as well, so compare response length and redirects across the results too.
    • Response Content: Examine the response content for clues about successful logins or hidden directories.
    • Grep Matches: Filter results based on your defined grep patterns.
  3. Save Results: Save the attack results to a file for further analysis.

5. Common Scenarios

  1. Password Cracking: Use a wordlist of common passwords against a login form.
  2. Directory Brute-Forcing: Use a wordlist of common directory names to discover hidden directories on a web server.
  3. Parameter Discovery: Brute-force parameter names to identify undocumented parameters in a URL.

6. Important Considerations

  • Legal Restrictions: Always obtain permission before performing brute-force attacks on any system. Unauthorized access is illegal.
  • Rate Limiting: Be aware of rate limiting mechanisms implemented by the target server. Slow down your attack if necessary to avoid being blocked.
  • Cyber security Best Practices: Brute-force attacks are noisy and can be detected easily. Consider using more stealthy techniques when possible.
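The noise mentioned above is exactly what a defender looks for: a burst of failed login POSTs from one source address, followed by a success, is the server-side mirror of the 200-among-401s pattern described in section 4. The following script is an added example (not part of the original post and not Burp Suite code) that runs that detection over constructed Apache/nginx combined-format log lines. The login path, window size, threshold, and the sample addresses are assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format (Apache/nginx). Only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop query string
        "status": int(m["status"]),
    }


def detect_login_bursts(lines, login_path="/login", window_seconds=60,
                        threshold=10, failure_statuses=(401, 403)):
    """Flag source IPs that produce `threshold` or more failed login POSTs
    within any `window_seconds` sliding window. For a flagged IP, also record
    whether a later login POST succeeded (200/302): that is the signal that a
    brute-force attempt may have found valid credentials.
    Returns {ip: {"peak_failures", "first", "last", "success_after_burst"}}."""
    windows = defaultdict(deque)  # ip -> timestamps of recent failed login POSTs
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] in failure_statuses:
            q = windows[ip]
            q.append(ts)
            # Slide the window: discard failures older than window_seconds.
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {
                    "peak_failures": 0, "first": q[0], "last": ts,
                    "success_after_burst": False,
                })
                f["peak_failures"] = max(f["peak_failures"], len(q))
                f["last"] = ts
        elif ip in findings and rec["status"] in (200, 302):
            findings[ip]["success_after_burst"] = True
    return findings


# --- Constructed sample data (not real traffic) ---------------------------------
def _sample_line(ip, second, method, path, status):
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    # 12 failed logins in 12 seconds from one address, then a successful redirect.
    [_sample_line("203.0.113.7", s, "POST", "/login", 401) for s in range(1, 13)]
    + [_sample_line("203.0.113.7", 13, "POST", "/login", 302)]
    # A normal user: one typo, then a successful login.
    + [_sample_line("198.51.100.4", 5, "GET", "/index.html", 200),
       _sample_line("198.51.100.4", 20, "POST", "/login", 401),
       _sample_line("198.51.100.4", 35, "POST", "/login", 302)]
)


if __name__ == "__main__":
    for ip, f in detect_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {f['peak_failures']} failures in window "
              f"({f['first'].time()}..{f['last'].time()}), "
              f"success after burst: {f['success_after_burst']}")
```

The threshold and window are the knobs a defender tunes against the rate at which Intruder is typically run (tens of requests per second at 10 to 20 threads, versus a handful per minute for a real user). An attack that deliberately slows down to stay under the threshold will still show up if you also alert on `success_after_burst` with a much lower threshold, since a legitimate user rarely fails many times before getting in.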