In this tutorial we are going to see how to use the Intruder tool in Burp Suite. Intruder helps us find injection points and inject payloads into the website.
In this example we are going to see how to use Intruder for password cracking.
First of all, type a wrong password and submit the login.
In “http history” we can see that I entered the wrong password “123”, and in the response tab we can see the error message: “Invalid credentials or user not activated.”
Right-click the request and click “send to intruder”, or use CTRL + I.
In the “target” tab we specify the target; for our example, the bWAPP IP address.
In the “positions” tab we select the position of the payload. By default all the possible injection points will be selected. Click “clear” to remove them, then select the point we want to inject into and click “add”.
In the “payload” tab set the “payload type” to simple list and, under “payload options”, select “add from list”.
The “paste” option allows us to add a list of values that we assume to be correct. The “load” option, on the other hand, lets us add a wordlist from a file.
Since we know the password is 3 letters long, we will select this.
In the “request engine” section we have the same settings as in the “spider” section. Refer to the previous tutorial.
Click “start attack” to start attacking.
From the result length we can see that for the word “bug” we get a different length. It may be the correct password, or it may point to another vulnerability.
Let's try to log in with “bug” as the password.
We successfully logged in.
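The same response-length difference is visible from the server side. The following is an added example, not part of the original tutorial: it scans web server access logs for a burst of login POSTs from one source and reports any response that differs from the failed-login baseline. The log lines, the `/login.php` path, the sizes and the thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in combined-log style; the IPs, path and sizes are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "POST /login.php HTTP/1.1" 200 4012
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 4012
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 4012
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /login.php HTTP/1.1" 200 4012
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /login.php HTTP/1.1" 302 356
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "POST /login.php HTTP/1.1" 200 4012
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "POST /login.php HTTP/1.1" 200 4012
203.0.113.5 - - [01/Jan/2024:10:03:40 +0000] "POST /login.php HTTP/1.1" 302 356
203.0.113.5 - - [01/Jan/2024:10:04:00 +0000] "GET /portal.php HTTP/1.1" 200 9120
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')

def find_guessing(log_text, login_path="/login.php", min_attempts=5,
                  window=timedelta(seconds=10)):
    """Return {ip: [(time, status, size), ...]} of off-baseline login responses
    for every source that sent a burst of login POSTs."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, status, size = m.groups()
        if method == "POST" and path.split("?")[0] == login_path:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            attempts[ip].append((when, int(status), int(size)))
    findings = {}
    for ip, rows in attempts.items():
        rows.sort(key=lambda r: r[0])
        # Burst test: min_attempts consecutive POSTs that fit inside one window.
        burst = any(rows[i + min_attempts - 1][0] - rows[i][0] <= window
                    for i in range(len(rows) - min_attempts + 1))
        if not burst:
            continue
        # The most common (status, size) pair is the failed-login page.
        baseline, _ = Counter((s, n) for _, s, n in rows).most_common(1)[0]
        findings[ip] = [r for r in rows if (r[1], r[2]) != baseline]
    return findings

if __name__ == "__main__":
    for ip, hits in find_guessing(SAMPLE_LOG).items():
        print(ip, "burst of login attempts; off-baseline responses:", hits)
```

An off-baseline response inside a burst is the log-side counterpart of the odd length in the Intruder results, and marks an account whose password should be reset.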