DVWA Brute Force Attack with XAMPP

TL;DR

This guide shows you how to perform a brute-force attack on the DVWA (Damn Vulnerable Web Application) login form using Burp Suite, running within an XAMPP environment on Windows with Ubuntu installed via WSL2. This is for educational purposes only – do not use these techniques against systems without explicit permission.

Prerequisites

• XAMPP installed and running on Windows
• Ubuntu installed within Windows Subsystem for Linux (WSL2)
• DVWA installed in your XAMPP htdocs directory. Ensure it’s configured with a weak username/password for testing.
• Burp Suite Community Edition installed and running on Ubuntu (within WSL2).

Steps

1. Start XAMPP and DVWA: Make sure your Apache server is running in XAMPP. Open a web browser and navigate to http://localhost/dvwa to access the DVWA login page.
2. Configure Burp Suite Proxy: In Burp Suite, verify that the proxy listener is configured correctly (usually on 127.0.0.1:8080).
3. Configure Browser to use Burp Suite as a Proxy: Configure your web browser (e.g., Firefox) to use Burp Suite as its HTTP and HTTPS proxy. The settings should be:
   • Proxy Address: 127.0.0.1
   • Port: 8080
4. Capture DVWA Login Request: With your browser proxy set to Burp Suite, attempt a failed login on the DVWA page (using incorrect credentials). This will capture the HTTP request in Burp Suite.
5. Send Request to Intruder: In Burp Suite, go to the ‘Proxy’ tab, find the captured login request, right-click it, and select “Send to Intruder”.
6. Configure Intruder Payload Positions: Within the Intruder window:
   • Go to the ‘Positions’ tab.
   • Identify the parameter in the POST request that contains the username or password (usually named ‘username’ and/or ‘password’).
   • Click on the parameter name to add a payload position marker (£). Add markers for both username and password if you want to brute-force both simultaneously.
7. Select Payload Type: Go to the ‘Payloads’ tab.
   • Under ‘Payload type’, select “Wordlist”.
   • Click on ‘Load…’ and choose a wordlist file containing potential usernames and passwords (e.g., /usr/share/wordlists/rockyou.txt). You may need to install this if it’s not present:

     sudo apt update && sudo apt install rockyou

     .

8. Configure Payload Options: Configure the payload options as needed:
   • ‘Payload encoding’: Usually ‘UTF-8’ is sufficient.
   • ‘Concurrent requests’: Increase this to speed up the attack (e.g., 30). Be mindful of your system resources and DVWA configuration.
   • ‘Clear text payload’: Check this box if the password field isn’t encrypted in the request.
9. Start Attack: Click ‘Start attack’. Intruder will now send multiple requests to the DVWA login form, trying each username/password combination from your wordlist.
10. Analyze Results: In the ‘Results’ tab, look for responses with a status code of 200 (OK) or other indicators of successful authentication. The response body will likely contain clues about whether the login was successful.
    • Filter results by ‘Status Code’ to quickly identify potential matches.
    • Examine the ‘Response’ tab for each request to see if the DVWA page changed after a successful login (e.g., you are redirected to the welcome page).

Important Considerations

• Rate Limiting: DVWA may have rate limiting in place, which can slow down or block your attack. Adjust the ‘Concurrent requests’ setting accordingly.
• Account Lockout: Repeated failed login attempts might lock out the account. Be cautious and use a smaller wordlist initially.
• Wordlist Selection: The effectiveness of the brute-force attack depends heavily on the quality of your wordlist. Use a comprehensive wordlist that is relevant to the target system.
• Legal Implications: Performing unauthorized brute-force attacks is illegal and unethical. This guide is for educational purposes only, and you should only use it against systems you have explicit permission to test.