Burp Suite -- brute forcing with the Intruder module
2022-07-01 08:17:00 【Wake up time of test】
Fate whispers to the warrior, "You cannot withstand the storm"; the warrior whispers back, "I am the storm!"
This post looks at Burp Suite from a tester's point of view and covers only the functionality needed: brute forcing with the Intruder module, used here to attack a verification code. Intruder works on the parameters/variables present in the request: it takes values from a local dictionary or other attack payloads and runs a penetration test against those parameters. In this test, the company's mobile phone number + verification code login module was successfully cracked: the number of verification attempts for a code is not checked, which leaves the code open to brute forcing.
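A sketch of the server-side check whose absence is described above, as an added example that is not from the original post or the tested application: `verify_unlimited` reproduces the flaw (wrong guesses are never counted) and `verify` adds expiry, an attempt cap and single use. The class, its method names, the 6-digit code length and the values of `MAX_ATTEMPTS` and `CODE_TTL` are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # assumed policy value, not from the article
CODE_TTL = 300     # assumed code lifetime in seconds

class SmsCodeStore:
    """In-memory store of pending codes, keyed by phone number (illustrative)."""

    def __init__(self, now=time.monotonic):
        self._pending = {}  # phone -> [code, expires_at, failed_attempts]
        self._now = now

    def issue(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits is an assumption
        self._pending[phone] = [code, self._now() + CODE_TTL, 0]
        return code  # a real service hands this to the SMS gateway only

    def verify_unlimited(self, phone, submitted):
        """The flaw described above: wrong guesses are never counted."""
        entry = self._pending.get(phone)
        return entry is not None and entry[0] == submitted

    def verify(self, phone, submitted):
        """Hardened check: expiry, capped attempts, single use."""
        entry = self._pending.get(phone)
        if entry is None:
            return "no_code"
        code, expires_at, _ = entry
        if self._now() >= expires_at:
            del self._pending[phone]
            return "expired"
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[phone]  # a code works once
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[phone]  # code is dead; a new one must be issued
            return "locked"
        return "wrong"

if __name__ == "__main__":
    store = SmsCodeStore()
    store.issue("+10000000000")  # constructed phone number
    # Deliberately wrong 7-digit guesses: the fifth one kills the code.
    print([store.verify("+10000000000", "0000000") for _ in range(6)])
```

Issuing codes needs its own per-number rate limit as well; otherwise each fresh code grants another `MAX_ATTEMPTS` guesses.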
Introduction to Intruder's main function modules
| Tab | Purpose |
| --- | --- |
| Target | Configure the details of the target server to attack |
| Positions | Set the payload insertion points and the attack type |
| Payloads | Set the payloads and configure the dictionary |
| Options | Contains settings such as request headers, request engine and attack results. |
Burp Suite Intruder: preparation before the attack
① Set up the Burp Suite proxy and capture the target domain name
② Visit the target website
③ Set the target domain
④ Turn off the proxy
Burp Suite Intruder: setting the attack options
Screenshots of the interface are attached below. The options basically do not need to be changed; if the test machine is well enough configured, you can increase the number of threads in the request engine to speed up cracking.



Burp Suite Intruder: running the attack
1. In Proxy, open the intercepted request to the attack target

2. Click Action and send the attack target to Intruder

3. Go to the Intruder interface
① Check that the target on the Target tab is correct; it normally is
② Set up the Positions page 【in this test, only the smscode parameter needs to stay marked (add $)】

The four attack type options:
- Sniper 【the sniper】: cracks the variables one after another, one shot, one bullet
- Battering ram 【siege hammer】: cracks all the variables at the same time
- Pitchfork 【a pitchfork, like a nine-toothed rake】: each variable has its own dictionary
- Cluster bomb 【cluster bomb】: each variable has its own dictionary, and the dictionaries are cross-combined
③ Set up the Payloads page

Payload type setting 【for this verification code, Numbers can be selected】
Commonly used payload types:
- Simple list: a simple list
- Numbers: a list of numbers
- Dates: a list of dates
- Brute forcer: brute force
Payload options setting

Payload processing setting: not set by default 【not needed for this test】
It can process the payload strings, for example MD5 hashing, substring extraction, adding prefixes and suffixes, and so on.
4. Run the attack

After the attack has run, click on Length (the response length value). Generally speaking, the response length of a successful crack differs from that of an unsuccessful one.