DVWA Series 12: Using Burp Suite for brute force

Source: Internet
Author: User

Below we use Burp Suite's Intruder module to brute-force the password.

First, enter the user name admin and an arbitrary password, such as 123, and then intercept the request.


Send the intercepted request to Intruder with "Send to Intruder", and then set the variable to be cracked in the "Positions" option. Burp Suite automatically marks a number of variables; click the "Clear" button to clear these defaults, then select the password value 123 and click the "Add" button to mark it as the variable to be cracked.


Because there is only one variable, select Sniper as the "Attack type".

Next, configure the "Payloads" option. Because there is only one variable, "Payload set" is automatically set to 1. Set "Payload type" to "Brute forcer". In the "Payload Options" below, set the character set used for brute forcing, along with the minimum and maximum password lengths.


Finally, select "Intruder/Start attack" in the menu bar to start the brute-force attack.

Pure brute forcing like this takes a long time, so a better approach is to use a password dictionary. Set "Payload type" to "Runtime file" in "Payload sets", then select the dictionary file in the "Payload Options". The "Payload count" hint shows that this dictionary contains a total of 54,843 passwords. Note that Burp Suite does not support Chinese, so the file name and path should be in English. Once setup is complete, again select "Intruder/Start attack" to start the attack.


How long the attack takes depends on the size of the password dictionary and on CPU computing power. After it completes, you can find the correct password by its different response length.
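The same response-length signal is visible to whoever runs the server. The following is an added example, not part of the original article: it scans web access logs for one client trying many distinct passwords against one account and reports when a response of a different length appears. The log format, URL path, IP addresses, response sizes and the threshold and window values are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines; the URL path, IPs and response sizes are assumptions.
REQ = '"GET /vulnerabilities/brute/?username={}&password={}&Login=Login HTTP/1.1" 200 {}'
SAMPLE_LOG = "\n".join(
    f"{ip} - - [12/Mar/2024:10:00:0{sec} +0000] " + REQ.format(user, pw, size)
    for ip, sec, user, pw, size in [
        ("10.0.0.5", 1, "admin", "aaa", 4702), ("10.0.0.5", 2, "admin", "aab", 4702),
        ("10.0.0.9", 3, "alice", "hunter2", 4702), ("10.0.0.5", 3, "admin", "aac", 4702),
        ("10.0.0.5", 4, "admin", "aad", 4702), ("10.0.0.5", 5, "admin", "password", 4740),
        ("10.0.0.5", 6, "admin", "aae", 4702)])

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3}) (\d+)')

def parse(log):
    """Yield (ip, user, password, time, size) for each login request in the log."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, url, _status, size = m.groups()
        q = parse_qs(urlsplit(url).query)
        if "username" in q and "password" in q:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, q["username"][0], q["password"][0], when, int(size)

def detect(log, threshold=5, window=timedelta(seconds=60)):
    """Flag (ip, user) pairs that try >= threshold distinct passwords within window."""
    attempts = defaultdict(list)
    for ip, user, pw, when, size in parse(log):
        attempts[(ip, user)].append((when, pw, size))
    alerts = []
    for (ip, user), rows in attempts.items():
        rows.sort()
        for start, _, _ in rows:
            burst = [r for r in rows if timedelta(0) <= r[0] - start <= window]
            if len({pw for _, pw, _ in burst}) < threshold:
                continue
            sizes = [s for _, _, s in burst]
            usual = max(set(sizes), key=sizes.count)  # length of a failed-login page
            # A response of a different length suggests one guess succeeded.
            odd = [t for t, _, s in burst if s != usual]
            alerts.append({"ip": ip, "user": user, "attempts": len(burst),
                           "possible_success_at": odd[0] if odd else None})
            break
    return alerts
```

An alert with a non-empty `possible_success_at` means the account's password should be treated as compromised and reset, in addition to blocking or rate-limiting the client.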


This article is from the "a pot of turbid wine" blog; please contact the author before reproducing it.
