You will see in the request dialogue at the bottom that line 14 shows our username and password. If we right-click anywhere in this section and select 'Send to Intruder' we will be able to interact with the request and add variables for our dictionary attack. When Burp Suite receives the request in the Intruder tab, it automatically detects the username and password fields as areas of interest and sets variables there for us. Using these variables we can repeatedly attempt to break into the site using any combination of the values contained in our dictionary. Set the 'Attack type' dropdown to 'Cluster bomb', as this type gets Burp to try every payload combination.

Then navigate to the Payloads tab so we can set the payloads. Per the story of this attack, we would now research online to attempt to find a possible default credential list for this platform. As this is a simulated exercise and not a real platform, we have been provided with a list of possible usernames and passwords. This list is short, most likely for ease of use and brevity; however, in real-world situations the list could be far longer, resulting both in longer execution times and a greater possibility of detection.

In the Payloads tab there are two payloads we need to set, one for the usernames and one for the passwords. The payload sets follow the order of the positions in the request, so because our username field comes first in the request, list the three usernames into the payload box for set 1 by entering them one at a time into the text box and selecting Add. Once the usernames have been added, click the 'Payload set' dropdown and select 2. Then repeat the process for the passwords.

Results tab listing all possible combinations

This is the final part of the attack from our perspective: click back to the Positions tab and hit 'Start Attack'.
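The paragraph above notes that a longer wordlist raises the chance of detection. From the server side, a cluster-bomb run looks like a tight burst of failed logins from one source that cycles through several usernames and then, if a pair works, a success following that burst. The following added example (not code from the original post or from Burp Suite) shows a small sliding-window detector for that pattern. The log format, the hostnames and IPs, the thresholds and the sample lines are all constructed assumptions, chosen to mimic what three usernames crossed with four passwords would produce.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample application auth log (assumed format, not from the page).
# One source host tries three usernames against four passwords in cluster-bomb
# order: 11 failures then one success, all within 20 seconds. A single failure
# from an unrelated host is mixed in so the detector has something it must NOT flag.
SAMPLE_LOG = """\
2023-10-10T13:55:30Z 10.0.0.5 POST /login user=admin result=fail
2023-10-10T13:55:31Z 10.0.0.5 POST /login user=admin result=fail
2023-10-10T13:55:32Z 10.0.0.5 POST /login user=admin result=fail
2023-10-10T13:55:33Z 10.0.0.5 POST /login user=admin result=fail
2023-10-10T13:55:34Z 192.168.1.20 POST /login user=alice result=fail
2023-10-10T13:55:35Z 10.0.0.5 POST /login user=guest result=fail
2023-10-10T13:55:36Z 10.0.0.5 POST /login user=guest result=fail
2023-10-10T13:55:37Z 10.0.0.5 POST /login user=guest result=fail
2023-10-10T13:55:38Z 10.0.0.5 POST /login user=guest result=fail
2023-10-10T13:55:39Z 10.0.0.5 POST /login user=root result=fail
2023-10-10T13:55:40Z 10.0.0.5 POST /login user=root result=fail
2023-10-10T13:55:41Z 10.0.0.5 POST /login user=root result=fail
2023-10-10T13:55:42Z 10.0.0.5 POST /login user=root result=success
"""

# Matches the assumed log layout: "<ISO timestamp> <ip> POST /login user=<u> result=<fail|success>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "success"}


def detect_bruteforce(lines, max_failures=5, window_seconds=60):
    """Sliding-window detector.

    Per source IP, raise one 'bruteforce' alert when the number of failed logins
    inside `window_seconds` reaches `max_failures` (reporting how many distinct
    usernames were tried, which separates cluster-bomb style attempts from a
    single user mistyping a password), and raise a 'success_after_failures'
    alert when a successful login directly follows such a burst.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) for recent failures
    alerted = set()               # ips already reported, to avoid repeating the same alert
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        # Drop failures that have fallen out of the window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["ok"]:
            if len(q) >= max_failures:
                alerts.append({"type": "success_after_failures", "ip": ev["ip"],
                               "user": ev["user"], "failures": len(q)})
            q.clear()
            continue
        q.append((ev["ts"], ev["user"]))
        if len(q) >= max_failures and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({"type": "bruteforce", "ip": ev["ip"],
                           "failures": len(q),
                           "distinct_users": len({u for _, u in q})})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the detector raises two alerts for 10.0.0.5: a `bruteforce` alert on the fifth failure (two distinct usernames by then) and a `success_after_failures` alert on the final line, while the lone failure from 192.168.1.20 is ignored. The window and threshold are tunable; a real deployment would also key on the target username across many source IPs, since a slow, distributed run would otherwise stay under a per-IP threshold.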