2. Brute force Attacks

Some Burp Suite pointers:

  • Point the browser at Burp with FoxyProxy and browse to the website

  • In Burp Suite, go to Proxy > HTTP history

  • Try the login on the website so the request is captured in Burp

  • Send the captured POST request to Intruder in Burp

  • Then select what we want to brute-force: in the request shown in Intruder, highlight the password field value we entered and click Add, so that position is marked for the payloads

  • To get some good starting password lists it's worth installing SecLists: sudo apt install seclists

  • After installing, SecLists lives in /usr/share/seclists on Kali, and the password lists are under /usr/share/seclists/Passwords

We can also use an open-source tool for brute-forcing called ffuf:

  • first we copy the request from Burp > Proxy to a file

  • In the terminal we write: ffuf -request req.txt -request-proto http -w /usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt

We can also filter by response size with the -fs option, so results with a size we already know from the first tries corresponds to a failed attempt are not shown:

ffuf -request req.txt -request-proto http -w /usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt -fs 1814
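Seen from the defending side, the procedure above leaves a clear trace: one source sends a burst of POST requests to the login path within seconds, and almost all of them get back the same failure response (the constant size that the -fs filter relies on), until one succeeds. The following Python example is added here and is not part of the original notes or of Burp or ffuf; it parses constructed access-log lines in the combined log format and flags any source that accumulates too many failed logins inside a sliding time window. The log lines, the /login path, the 1814-byte failure size, the threshold and the window length are all assumptions for the demonstration and must be adjusted to the application being monitored.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (combined log format); not real traffic.
# 10.0.0.5 hammers the login form six times and then gets a redirect (302);
# 192.168.1.20 fails once and logs in minutes later, which is normal behaviour.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 200 1814 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 200 1814 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Oct/2023:13:55:02 +0000] "POST /login HTTP/1.1" 200 1814 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:02 +0000] "POST /login HTTP/1.1" 200 1814 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:02 +0000] "POST /login HTTP/1.1" 200 1814 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 200 1814 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 200 1814 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Oct/2023:14:01:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "size": int(size) if size.isdigit() else 0,
    }


def is_failed_login(rec, login_path="/login", failure_size=1814):
    """Assumption: a failed login re-renders the form (HTTP 200) with a constant
    body size, while a successful login redirects. Tune this to the real app."""
    return (rec["method"] == "POST" and rec["path"] == login_path
            and rec["status"] == 200 and rec["size"] == failure_size)


def detect_bruteforce(lines, login_path="/login", failure_size=1814,
                      threshold=5, window_seconds=60):
    """Return {ip: peak count of failed logins within window_seconds} for every
    source that reached `threshold`. Lines are expected in chronological order."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec, login_path, failure_size):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop failures that have aged out of the sliding window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(q))
    return alerts


if __name__ == "__main__":
    for ip, peak in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"possible password brute force from {ip}: {peak} failures in 60s")
```

Run against the constructed sample this reports 10.0.0.5 with a peak of 6 failures and stays silent about 192.168.1.20, whose single failure never reaches the threshold. The same counting logic can feed an alert or a temporary lockout; the response-size check is the weakest part, so where the application logs an explicit authentication result (for example in its own application log) that field should be used instead of the byte count.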