1 Test Environment Introduction
1. The Burp Suite tool is used for the brute-force test.
2. The test environment is the DVWA module in the OWASP environment.
2 Test Steps
2.1 Set the browser proxy
Start Burp Suite first and set its listening address and port, then set the proxy IP address and port in the browser.
2.2 Capture the login page data
Turn on Burp Suite's interception function and capture the login request, which contains the account name and password. The password entered here is actually wrong; it is the value we will brute-force next.
2.3 Send the request to the Intruder module
On the request that was just intercepted, right-click and select "Send to Intruder".
2.4 Set the Intruder module parameters
Select the Intruder menu to enter the Intruder module and click "Positions". Click "Clear §" on the right so that all parameter markers are cleared, select the username and password fields, and then click "Add §". This indicates that only these two fields will be varied. To brute-force more fields, mark them the same way.
For the attack type, select "Cluster bomb".
2.5 Set the attack dictionary
Click the "Payloads" menu to set the attack dictionary. Passwords can be added to the dictionary one at a time, or a password dictionary file can be loaded. In the "Payload set" column, 1 represents the content of the username field and 2 represents the content of the password field; this numbering follows the order of the parameters set earlier under Positions.
2.6 Start the attack
Click "Start attack" to begin. A results window pops up once the attack starts.
2.7 Analyze the attack results
In the results, one row has a Length value that differs from the values in all the other rows; the row that differs is the final result. In this test, the row with the Length value 5075 holds the correct password, which is admin. The brute-force attempt succeeded.
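The same signals used in step 2.7 are visible to a defender in the web server's access log: a burst of login requests from one client, and one response whose size differs from the rest. The following detection sketch is an added example, not part of the original article. The log lines are constructed, and the login path, query format, sizes and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/vulnerabilities/brute/"  # assumed URL prefix of the DVWA login form

# Constructed sample log (combined log format): seven rapid guesses from one
# client, one of them answered with a different body size, plus a normal user.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [29/Nov/2016:10:00:{i:02d} +0000] '
     f'"GET {LOGIN_PATH}?username=admin&password=guess{i}&Login=Login HTTP/1.1" '
     f'200 {4700 if i == 4 else 4637}' for i in range(7)]
    + ['198.51.100.20 - - [29/Nov/2016:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1523',
       '198.51.100.20 - - [29/Nov/2016:10:00:09 +0000] '
       f'"GET {LOGIN_PATH}?username=bob&password=x&Login=Login HTTP/1.1" 200 4637']
)

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

def detect_bruteforce(log_text, max_attempts=5, window=timedelta(seconds=60)):
    """Flag clients whose login attempts exceed max_attempts inside the window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest attempt count seen in any window
    sizes = defaultdict(list)     # ip -> response sizes of its login requests
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(LOGIN_PATH):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
        sizes[m["ip"]].append(int(m["size"]))
    alerts = {}
    for ip, n in peak.items():
        if n > max_attempts:
            common = max(set(sizes[ip]), key=sizes[ip].count)
            # A response size unlike the rest may mark the guess that succeeded.
            odd = sorted({s for s in sizes[ip] if s != common})
            alerts[ip] = {"peak_attempts": n, "odd_sizes": odd}
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

An alert that carries a non-empty `odd_sizes` list deserves priority, since it suggests the account was actually compromised and its password should be reset.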
This article is from "Eagle a" blog, please make sure to keep this source http://laoyinga.blog.51cto.com/11487316/1877874
DVWA Learning Article One: Brute force