Brute forcing with Burp Suite

Table of Contents

1. Form brute forcing

1. Brute forcing two fields (username and password)

2. Brute forcing a single field

2. Special password brute forcing (authentication information)


Intruder, the brute-force module in Burp, supports several brute-force modes, as follows.

1. Form brute forcing

1. Brute forcing two fields (username and password)

1. Enter a user name and password and intercept the request

2. Send the request to Intruder, click Positions, click Clear, select the user name and password field values, click Add, and then select Cluster bomb as the attack type.

3. Then select Payloads and add a dictionary

Payload set 1 corresponds to the first field, the user name

Then add the password dictionary

4. Start the attack

Click the button in the upper right corner

5. View the results and click Length. Length is the length in characters of the returned data. If a login succeeds, the page it returns is different, so the data length is different too, and from this you can judge whether the login succeeded

2. Brute forcing a single field

Sometimes we already know the user name and only want to brute force the password. In that case, select Sniper as the attack type; everything else is the same as above.

2. Special password brute forcing (authentication information)

Sometimes we encounter the following situation and need to brute force it

1. Capture the request

2. Find the authentication information and Base64-decode it to view its contents

It turns out to be the user name and password, in the format username:password, and this is what we brute force

3. Select the field to brute force

4. Choose Custom iterator as the payload type, so that we can do our own concatenation. The positions define how the parts are joined.

Field 1 is the user name; add the user name dictionary to it

Join with ":"

Add the password dictionary

5. Then Base64-encode the result

6. The attack is ready to start
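Seen from the server side, the same username:password Base64 format (the one HTTP Basic authentication uses) makes this attack easy to spot. The detector below is an added example, not part of the original post: it decodes the Authorization value and flags a source that fails against one account with many different passwords. The record layout (source IP, header value, status), the sample data and the threshold are assumptions constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

def basic_header(user, password):
    """Build a Basic Authorization value (used only for the constructed sample)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed records (source IP, Authorization header, HTTP status), standing
# in for what a reverse proxy or WAF could hand to a detector.
SAMPLE = (
    [("203.0.113.7", basic_header("admin", f"guess{i}"), 401) for i in range(12)]
    + [("203.0.113.7", basic_header("admin", "guess12"), 200),
       ("198.51.100.4", basic_header("alice", "typo"), 401),
       ("198.51.100.4", basic_header("alice", "right"), 200),
       ("198.51.100.9", "Basic !!!not-base64", 401)]
)

def parse_basic(header):
    """Return (username, password) from a Basic header, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad Base64 and undecodable bytes
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def detect(records, threshold=10):
    """Flag (ip, user) pairs with at least `threshold` distinct failed passwords."""
    failed = defaultdict(set)  # (ip, user) -> digests of rejected passwords
    succeeded = set()          # (ip, user) pairs that also got a non-401 reply
    for ip, header, status in records:
        creds = parse_basic(header)
        if creds is None:
            continue
        user, password = creds
        if status == 401:
            # Keep only a digest so the detector never stores cleartext guesses.
            failed[(ip, user)].add(hashlib.sha256(password.encode()).hexdigest())
        else:
            succeeded.add((ip, user))
    return [{"ip": ip, "user": user, "distinct_failures": len(digests),
             "success_seen": (ip, user) in succeeded}
            for (ip, user), digests in sorted(failed.items())
            if len(digests) >= threshold]
```

A flagged pair with success_seen set is the case to triage first, since a guessing run against that account was followed or accompanied by an accepted credential.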


Origin blog.csdn.net/qq_44159028/article/details/115046772