Login Brute Force using BurpSuite

Auntor Acharja
3 min readOct 11, 2020

Burp Suite is a set of tools used for penetration testing of web applications. It is the most popular tool among professional web app security researchers and bug bounty hunters. We can do a login brute force using this tool. It is a pre-installed tool in kali Linux. There is an option Intruder in the burp suite. Using intruder we can make a Brute-force attack on password forms, pin forms, and other such forms. For brute force first, we need a strong wordlist for username and password. In this session, I will show the intruder step by step. For brute force, I select the OWSAP owaspbricks/login-3 page.

For setup OWSAP in VMWARE see this video: https://www.youtube.com/watch?v=hh_gw5O6llU

First Configure your burp suite with firefox, see this writeup

https://medium.com/@govindsharma606040/configuration-of-burpsuite-with-firefox-a02bdc2ca615

If you want to see the tutorial then click here :

Part1: https://youtu.be/aaW734RpO0s

Part2: https://youtu.be/50bbqOntBcY

This is my Login Form URL: http://192.168.126.131/owaspbricks/login-3/index.php

Step1: Turn on intercept and submit the login form by dummy username and password. Press Forward if the proxy shows the details.Then select the Post Method Login URL from the site map. See here you can see your dummy username and password

Now right click on the URL and press on Send to Intruder

step 2: Now go to Intruder->positions option. Press Clear and select only username and passwd value and add them with $.Select attack type sniper to Cluster bomb

Step3: Goto Payloads option and add Two payloads (wordlist), One For username and another for password.you can add manually or you can load text file.

Step4: Now go to options and clear all from Grep-match and add Login Form submit error message for me it is Wrong user name or password.And Start Attack.

Step5: Now see there are an unchecked username and password are found and this is our login form username and password.

For More See that Videos:

Part1: https://youtu.be/aaW734RpO0s

Part2: https://youtu.be/50bbqOntBcY

--

--