use Burpsuite to blast a weak password. Faculty numberPosted in 2015-11-18 | Categories in Burpsuite | 1 Reviews | 26 readsPrepare
So-called 工欲善其事, its prerequisite, the first of course is to download a burpsuite, you can baidu,google find a cracked version of, of course, you can also use the Kali system comes with, but the Kali system comes with a thread limit, only allow single-threaded, so or to find a cracked version of it!
It is important to note that Burpsuite is written in Java, so learn to run the Java environment, just as Sqlmap needs a Python runtime environment.
Process
- Website Login Interface
School network authentication interface automatically jump 10.255.200.1
, from the login interface can be seen, do not need to fill out the verification code, no login IP restrictions, the explanation can be unlimited blasting, yes!
- Browser configuration
Use the browser plug-in or Internet options to set the proxy
ip:127.0.0.1 端口:8080
- Burpsuite Configuration
Double-click Burploader.jar under Windows, the default listening port is 8080, or you can change it yourself
It's important to note that we need a lot of blasting here, so we need to shut down both the request and the response.
Proxy->Options
Intercept Client requests and Intercept Server requests are checked for cancellation
- Grab first package
After the basic configuration is complete, we're going to start grabbing a package.
- start blasting
View the crawled package in Burpsuite, right-click on the Send to intruder
Modify the parameters to explode, and note that the mode changes to battering ram
Set your payload, also can be said to be a dictionary, after a lot of staff number of the comparison, the basic staff number format is
year + (/100/200/300) + (000~999)
For example + + +
Of course excluding the other English letters of the Community Student Union computer room and so on account
- Filter results
Sort the ' length ' field on the result of the blast, and you can see that some of the returned bytes are not the same length
End
Verify the filtered results, and be careful!在网址为10.255.200.1的登录页面中验证
最后的最后,本次只用于测试学习,对任何他人造成的危害行为概不负责,要本着学习的态度
Original link: http://blog.alpace.xyz/2015/11/18/20151118/
Use Burpsuite to blast a weak password. Faculty number