A brute-force attack is a password attack that tries to get past a login page by submitting every candidate from a password list. Automating the attack makes it fast: a list of thousands of passwords can be checked in a short time.
When password-guessing, this method is very fast for exhausting all short passwords, but for longer passwords other methods such as the dictionary attack are used, because an exhaustive search takes too long. Longer passwords, passphrases and keys have more possible values, making them exponentially more difficult to crack than shorter ones.
For this session we are going to use Burp Suite for password-guessing attacks.
Before watching the video, try the lab task using your own creativity.
First, connect your browser to Burp Suite so that we can capture all the requests and responses.
In the Burp Proxy tab, ensure "Intercept is off" and visit the login page of the application you are testing in your browser.
In the Proxy "Intercept" tab, ensure "Intercept is on" so that the login request is captured.
Right click on the request to bring up the context menu.
Then click "Send to Intruder".
Note: You can also send requests to the Intruder via the context menu in any location where HTTP requests are shown, such as the site map or Proxy history.
Clear the pre-set payload positions by using the "Clear" button on the right of the request editor.
Add the "username" and "password" parameter values as positions by highlighting them and using the "Add" button.
Change the attack to "Cluster bomb" using the "Attack type" drop-down menu.
In the "Payload sets" settings, ensure "Payload set" is "1" and "Payload type" is set to "Simple list".
In the "Payload options" settings for the first payload set, enter some possible usernames. You can do this manually or use a custom or pre-set payload list.
In the "Payload options" settings for the second payload set, enter some possible passwords. You can do this manually or use a custom or pre-set list.
Click the "Start attack" button.
When the attack finishes, sort the results by "Length" and by "Status"; a successful login normally returns a response of a different length or status from the many failed attempts.
By viewing the response in the attack window we can see that request 118 is logged in as "admin".
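The same signal the tutorial sorts on in Intruder (response status and length) is visible on the server side in the web server's access log, which is where a defender spots this kind of attack. The following Python script is an added example and is not part of the lab page or of Burp Suite: it parses constructed Apache combined-format log lines, flags any client that hits the lab's login path more than a threshold number of times within a sliding window, and reports the responses whose (status, size) pair differs from the dominant failed-login response. The login path mirrors the lab URL; the window, threshold, IP addresses and sizes are constructed sample values.

```python
"""Detect login brute-force bursts in web-server access logs.

Added example (not from the lab page). Sample log lines are constructed
in the Apache combined format; the window and threshold are assumptions
that should be tuned per site.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/adminpage/vulnerabilities/bruteforce/index.php"  # lab URL path
WINDOW = timedelta(seconds=60)   # assumption: burst window
THRESHOLD = 10                   # assumption: attempts per window per client

# Apache combined log: ip ident user [ts] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
        "size": size,
    }


def detect_bruteforce(lines, path=LOGIN_PATH, window=WINDOW, threshold=THRESHOLD):
    """Map client IP -> alert details for clients that burst the login page."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == path:
            per_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: largest number of attempts inside any `window`.
        start, peak = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        # The most common (status, size) is the failed-login response;
        # anything else is a candidate successful login, exactly what the
        # "sort by Length and Status" step surfaces in Intruder.
        baseline = Counter((r["status"], r["size"]) for r in recs).most_common(1)[0][0]
        outliers = [r for r in recs if (r["status"], r["size"]) != baseline]
        alerts[ip] = {
            "attempts": len(recs),
            "peak_in_window": peak,
            "baseline": baseline,
            "outliers": outliers,
        }
    return alerts


def _line(ip, second, size, query):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET {LOGIN_PATH}?{query} HTTP/1.1" 200 {size} "-" "Mozilla/5.0"')


# Constructed sample: 11 failed guesses and one success from 203.0.113.5,
# one normal login and one unrelated page view from 198.51.100.7.
SAMPLE_LOG = [
    _line("203.0.113.5", 10 + i, 4821, f"username=admin&password=guess{i}&Login=Login")
    for i in range(11)
]
SAMPLE_LOG.append(_line("203.0.113.5", 22, 4917, "username=admin&password=REDACTED&Login=Login"))
SAMPLE_LOG.append(_line("198.51.100.7", 5, 4821, "username=bob&password=REDACTED&Login=Login"))
SAMPLE_LOG.append('198.51.100.7 - - [10/Oct/2023:13:56:40 +0000] '
                  '"GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} attempts, peak {info['peak_in_window']} "
              f"in {WINDOW.seconds}s, baseline {info['baseline']}")
        for r in info["outliers"]:
            print(f"  outlier at {r['ts'].time()} -> {r['status']} {r['size']} bytes")
```

Two points for the defender follow from the sample. The response-size outlier is only a heuristic (a lockout page or an error page also changes the size), so the alert should trigger on the burst and treat the outlier as a hint for which account to review. And because the lab submits credentials in the query string, every guessed password lands in the access log in clear text; that is a separate finding about the application, and one more reason to rate-limit or lock out the login endpoint rather than rely on log review alone.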
Complete the task https://inetsecurity.net.in/adminpage/vulnerabilities/bruteforce/index.php