Practical | how to use burp suite for password blasting!

Hello everyone , I'm Ango ！

The last article explained the use of Burp Suite Tools to grab bags 、 Complete steps of data interception modification

Recommend a great packet capture analysis tool - Burp Suite

In this article, we continue to talk about BP A practical function module in the tool 「 Intruder 」

Use BP The tool Intruder Module height configurable , You can blast the password of the target website , It is generally used in the security penetration test scenarios of websites

It works by , In the original network packet , Use different variable values to replace the request parameters , Then simulate the request to get different response results , So as to achieve the purpose of blasting

1、Intruder Function label

BP The tool  Intruder The module contains 5  A feature tag

Namely ：

• Target

  Used to specify the target server to be attacked Host、 Port number and SSL Connect

• Positions

  Set the parameters and attack types in the request

• Payloads

  Set the data set for the above parameters 、 Parameter code 、 Encryption and other functions

• Resource Pool

  Specify the request thread and delay time

• Options

  Request header 、 The result of the attack 、 Redirection and other related configurations

2、 Attack types

Intruder When performing password explosion , There can be 4 There are four attack types to choose from

Namely ：Sniper（ Sniper mode ）、Battering ram（ Broken city hammer mode ）、Pitchfork（ Tuning fork mode ）、Cluster bomb（ Cluster bomb mode ）

Here, the login interface contains 「  user name 、 password  」2 Take two parameters as an example

Sniper Use a set of data sets , In turn $ Marked variables are exploded , namely ： For a parameter variable , Use a data set

Use scenarios ： Single goal , Known user name , The password is unknown

Battering ram Use a set of data sets , At the same time $ All variables marked are exploded , namely ： For multiple parameter variables , Use a data set

Use scenarios ： Two single goals , Mutual indifference

Pitchfork Use multiple sets of data , Simultaneous blasting is $ Tagged variables , namely ： For multiple parameter variables , Use multiple data sets

Use scenarios ： Unknown user name and password , Each user name only uses one password to attack

Cluster bomb Use multiple sets of data to combine （ The cartesian product ） after , Blast several blasting point variables in turn , namely ： For multiple variables , Use a combination of multiple data sets

Practical scenarios ： Two goals , Each user name uses all passwords to carry out an attack

3、 Let's fight

Suppose we need to blast the password of the target website

First , We need to perform packet capture analysis on the developer toolbar , stay BP  In the tools Proxy  Option to configure interception rules

such as , The login interface contains keywords 「 login 」, We can configure it as follows

next , Turn on the interception function , Enter any user name in the browser 、 password , Perform login operation , In this way BP This request can be intercepted in the tool interception module

Click on 「 Action 」 Button , Select to send the packet to  Intruder modular

then , stay  Intruder Module configuration 5 A feature tag

PS： Generally speaking ,Target Just leave the label as default , No additional configuration is required

stay Positions  Under the label , We need to click on the... On the right first 「 Clear § 」 Button to clear the default parameter label

Then the mouse selects the value that needs to be set as a variable , Click on the right 「 Add § 」 Button to set it as a variable

notes ： For the convenience of demonstration , Only the user name 、 The password is set to variable

Here we choose the attack type 「 Cluster bomb 」, Let all user names and passwords randomly combine to attack

next , We are  Payloads  Under the label , The user name is indexed according to the parameter 、 Configure different data sets for passwords

It's important to point out that , Datasets can be imported from local files , You can also add it manually or paste it from the clipboard

here  Resource Pool and  Options The configuration page remains the default

Last , Click on the 「 Start attack 」 Button to blast the password of the target website , The results will be displayed in the form of a pop-up box

such , We can intuitively judge the available account portfolio data of the target website through the response results

4、 Add up

Face some simple websites , In the user name 、 On the premise that the password dictionary data is perfect , The probability of using the above steps for password blasting is very high

But for some websites that contain verification codes , We need to do more to identify the verification code , And then in Payloads Under the function tab, set the picture recognition result to the parameter

Here's a recommended one BP plug-in unit 「 captcha-killer 」, Limited by length , You can expand this part by yourself

https://github.com/c0ny1/captcha-killer

If you think the article is good , Please   give the thumbs-up 、 Share 、 Leaving a message.   Next , Because this will be the strongest driving force for me to continue to output more quality articles ！

Recommended reading

Recommend a great packet capture analysis tool - Burp Suite

use Python Remote control Windows The server , It's great to use ！

END

Haowen and his friends watch ~