In this article we will learn to prosecute dictionary attack from BurpSuite. And we will try and crack the password of DVWA Lab.
Burp Suite: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun. Importantly, it gives us another way to manage our attacks as the alternative to metasploit.
To make Burp Suite work, firstly, we have to turn on manual proxy and for that go to the settings and choose Preferences.
Then select advanced option and further go to Network then select Settings.
Now, select Manual proxy Configuration
And this way your manual proxy will be active as you can see below too.
Now, on the other hand open DVWA and log into it using its default username and password.
Once you log in, click on Brute Force. And also make sure that security is low or medium.
When you click on brute force, it will ask you the username and password. Here, before giving username and password open burp suite and select Proxy tab and turn on interception by clicking on Interception is on/off tab.
As you turn on the interception, then give any password you like just so that the burp suite can capture it.
Send the captured material to the intruder by right clicking on the space and choosing Send to Intruder option or simply press ctrl + i
Now open the Intruder tab then select Positions tab and following will be visible:
Choose the Attack type as Cluster Bomb.
Now select username and password as shown below:
In the above image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.
So now, go to Payloads tab and the select 1 from Payload set (this ‘1’ denotes the username file). Then click on Load button and browse and select your dictionary file for username.
Now select 2 in the Payload set and again similar give the dictionary file for the password.
Now all you have to do is go to Intruder menu and select Start attack from the drop down menu.
Sit back and relax because now the burp suite will do its work and match the username and password and will give you the correct password and username. The moment it will find the correct value, it will change the value of length as shown:
And to confirm it from the response as it will be “Welcome to the password protected area admin”
And this way its all done.
Shivam Gupta is An Ethical Hacker, Cyber Security Expert, Penetration Tester, India. you can contact here