Quick Guide: How to Brute Force with Burp Suite


This tutorial walks you through a simple brute force attack using Burp Suite. It’s hands-on, and while concise, it covers the essentials.

For the best experience, I recommend viewing this on a desktop.

Tools and Setup

Burp Suite Professional
Wordlist used: rockyou.txt (about 14 million passwords)
Application attacked: Damn Vulnerable Web Application (DVWA)

Background

In this example, DVWA is hosted on a machine within the same local network, using an unencrypted HTTP connection. We’ll use Burp Suite’s built-in Chromium browser to intercept and manipulate the traffic.

Step-by-Step Breakdown

Intercepting the Request

Using Burp Suite’s proxy feature, launch the embedded browser. This lets you inspect the network traffic. Once you attempt a login, Burp will catch the communication.

The key here is to pause the process at just the right moment—right after the browser has issued the POST request but before Burp forwards it to the server. This gives us a chance to manipulate the request before the server ever sees it.

Setting Up Intruder

With Burp Suite holding the request, you can read the user’s input in cleartext. From here, send the request to the “Intruder” tool within Burp.

Highlight the section containing the password, and click “Add.” This transforms the password field into a variable. Burp Suite will now try different passwords from your wordlist (in this case, rockyou.txt) as the payload for a brute force attack.

Identifying Successful Attempts

Here’s the tricky part: How do we distinguish between failed and successful login attempts?

Burp Suite has a helpful feature called “Grep Match.”

By monitoring DVWA, you’ll notice that when a login attempt fails, the URL (login.php) remains the same and the page reloads with an error message such as “Login failed.” With this in mind, we can set Burp to flag every response whose headers contain login.php; those are the failed attempts.

If login.php isn’t in the response, that means you’ve found the correct password.

Executing the Attack

With the Intruder configured and Grep Match in place, click on Attack.

It will try every password in the wordlist and flag each failed attempt. Any attempt that is not flagged is the one that produced a different response, which in this setup means the correct password.
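The signal this step relies on (a redirect back to login.php for every failed attempt, and a redirect elsewhere once a password works) is exactly what a defender sees in the web server’s access log. Below is an added example, not part of the original post, that flags a burst of failed POSTs to login.php from a single client and notes whether a successful-looking login followed. It assumes an Apache-style log with the Location response header appended via `%{Location}o`; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format with the Location response header appended (%{Location}o).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<location>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def classify(entry):
    """'fail' = POST to login.php redirected back to login.php (DVWA's failure path);
    'success' = same POST redirected somewhere else; None = not a login POST."""
    if entry["method"] != "POST" or not entry["path"].endswith("login.php"):
        return None
    if entry["status"] not in (301, 302, 303):
        return None
    return "fail" if "login.php" in entry["location"] else "success"

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """One alert per client IP with >= threshold failed logins inside a sliding
    window; success_after records a successful-looking login from that IP."""
    fails = defaultdict(list)  # ip -> timestamps of recent failed logins
    alerts = {}
    for raw in lines:
        e = parse_line(raw)
        kind = classify(e) if e else None
        if kind == "fail":
            ip = e["ip"]
            fails[ip] = [t for t in fails[ip] if e["ts"] - t <= window] + [e["ts"]]
            if len(fails[ip]) >= threshold:
                a = alerts.setdefault(ip, {"ip": ip, "failed": 0, "success_after": False})
                a["failed"] = max(a["failed"], len(fails[ip]))
        elif kind == "success" and e["ip"] in alerts:
            alerts[e["ip"]]["success_after"] = True
    return list(alerts.values())

def _line(ip, sec, loc):  # helper to build constructed sample lines
    return (f'{ip} - - [01/Mar/2024:10:00:{sec:02d} +0000] "POST /dvwa/login.php HTTP/1.1" '
            f'302 0 "-" "Mozilla/5.0" "{loc}"')

# Constructed sample: six failures then a success from one host, one ordinary failure from another.
SAMPLE_LOG = [_line("192.168.1.50", s, "login.php") for s in range(1, 7)] + [
    _line("192.168.1.50", 7, "index.php"), _line("192.168.1.77", 30, "login.php"),
    '192.168.1.77 - - [01/Mar/2024:10:00:31 +0000] "GET /dvwa/login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0" "-"']
```

Running `detect_bruteforce(SAMPLE_LOG)` yields a single alert for 192.168.1.50 with six failures and `success_after` set, while the lone failure from 192.168.1.77 stays below the threshold.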

Quick Video Tutorial


This tutorial is aimed at learning how brute-force attacks work, but keep in mind the ethical boundaries—only practice in legal environments like DVWA.

Endri Bedini