Brute Force Attacks
This course covers brute force attacks as well as the features of Burp Suite.
Hi, now in this lecture we're going to cover the other payload positions, other attack types actually. We have already seen the sniper, right? So, I'm going to close this thing down. I'm going to close the intercept again because I will try to get this as a fresh request, okay? So, I'm even going to log out and I'm even going to log in, because we have been working with this for quite some time. So, maybe we broke something. It's always a good idea to start fresh. And I believe one of the attacks that we have started in the previous section is still running. So, I have closed this down as well.
Now, what we're going to do: maybe we can come across a situation where we don't even know the username and we don't even know the password as well. So, we can do an attack that combines these two things together, okay? Of course, it will be much slower or it will be much more costly, but if that's the case there is nothing you can do, you have to learn about how to do this. So, what I'm going to do, I'm going to do another request in here and get that request and send it to Intruder, and then we're going to see the different types of attacks, how we can combine the attacks, like how we can combine the username and password and try to find them both.
So, I'm going to turn this intercept on one more time. My Burp Proxy is still running. So, I'm going to say test and test, and here you go. Now, we have the username and password. I'm just going to send this to Intruder, okay? So, in here let me go to position, and yes, everything is highlighted one more time. I'm going to clear all of this, because we are only interested in the username this time and the password. So, let me just choose the password. So, rather than sniper, let's go for something else because in sniper we cannot choose the payload set in here. For example, let me go for pitchfork and see what happens.
So, if I come over here, as you can see I can set the payload set, and one represents the first highlighted and two represents the second highlighted parameter, as you might guess. So, over here I'm just going to add some payloads to payload set 1 like test, guest, admin, administrator. It doesn't make sense to go for a big word list in here. And for payload set 2, I'm just going to go for some pass, so maybe test, password or maybe something like this, it's pretty common as well, believe it or not. So, let me come over here and just give the password. So, this is for the password set, and for the options I'm not going to change anything, and this is for the username set, okay?
So, I have chosen pitchfork, and if I start the attack let's see what happens. So, as you can see it's already finished but it didn't do exactly what we want, right? So, it tested the test against pass, guest against test, admin against password, and administrator against password as well. But it didn't combine them, so we expected to see like four different guesses for every username that we have chosen. So, rather than doing that it just matched them together and just tested them in order. So, if you want an attack like that then it's very good, right? So, maybe you may want to test this like we have done right now. But that's not what we had in mind. So, we don't want to go with pitchfork.
Maybe if we choose battering ram, but as you can see we cannot choose two payloads in that case. So, let me go for a cluster bomb. So, I'm not changing anything. But if I start the attack, you will see that it's doing exactly what we want. Okay, so cluster bomb is the way to go in this case. So, it's testing every pass that we have for every username that we have in the payloads. And we can see if we have a different length in here, and let me filter this out, and here you go, payload 1 is admin, payload 2 is password.
So, if you don't know the username and if you don't know the password, then you definitely go for this one because, as you can already see, we already found the username and password. So, you have seen different attack types. In the Intruder, you generally go for the sniper or the cluster bomb most of the time. But if you have specific reasons to go for the other ones, then just go for it and try to find your way. So, cluster bombs and sniper are the choices that I generally use. More than 90% of the time you generally want to go for sniper, because it would be too hard in the cluster bombs and other things, but if you just come across a situation like that, just don't hesitate to use the other ones as well. So, that's it for the brute force. We're going to stop here and continue with my favorite, SQL injections.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.