Brute Forcing Web Logins with Burp Suite

No replies
Nu11By73's picture
Joined: 2012/01/07

Brute Forcing Web Based Logins with Burp Suite!

Since I did not see a tutorial here about brute forcing web based logins, I decided to write this one. I will post it here in a new topic since I do not have access to the tutorial writing section anymore and if Rat or another admin wants to move it to the tutorial section they are welcome to it.
First thing is first, this tutorial is for educational purposes and I am not responsible for the outcome or legal proceeding that you might incur by using this against a site you do not own.

Let’s open burp suite and browse to the page that holds the login. Be sure to set your proxy settings accordingly for your browser, this includes http and https.
Next send a test login and capture the request and response.
As you can see the request holds the data that we will be sending to intruder.
POST /frontpage?destination=frontpage HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SESS3c9d2d92965d13ceb0185eaa78847a3a=ro6b3v32eb55q9eug7ea995f31; has_js=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
Now in the left pane, we will right click on the request and click send to intruder.
In the repeater pane you should a few tabs.
Click on the positions tab, and then click clear in the right hand side of the window.
Now double click on the name value, and click add.
Then do the same for pass.
Your new request should look as follows.
Now in the drop down, select cluster bomb and navigate to the payloads tab.
In the payloads options, for payload set one, you need to set this to a wordlist file.
Click load, select your username wordlist.
Now, click the payload set drop down and select payload 2
Click load, select your password wordlist.
At the top of the window you will see intruder on the file menu.
Click it and select start attack!
Once the test is done, there will be a bunch of results in the results window. How will you know that you have a valid login? Click length twice, the ones with the bigger length values are most likely valid credentials.