Welcome back. And in this video, I want to talk about another cool feature of Burp Suite that could allow us to perform the brute force on the same login page a lot more easily than we did with Hydra. So Burp Suite, besides you being able to inspect all the packets and intercept the packets and change them, you can also do some other cool things as well. And one of those cool things is brute forcing a login page. Now, this is something that we are going to perform with the community version, and the community version of Burp Suite has some limitations. The brute force will not go as fast as if you, for example, had the pro version, but nonetheless, let us see how it would look. So let's go and visit the login page of our DVWA. If I navigate right here, and here, we must log in to our DVWA. The first thing that we want to do is we want to specify any credentials right here, for example, test and test. And once we click on login, this request that we just performed on our DVWA page will be saved inside of our Burp. So under the Target tab, we got our target machine right here. And if I find the packet, here it is. Here is the packet that we sent. So we sent the POST request and we sent our username of test and password of test to the target web page.
Now, what we want to do in order to perform the brute forcing attack is we want to first right-click on this packet, which we used to send our username and password, and we want to send it to Intruder. Click on that and you will see this Intruder bar light up; you want to navigate to the Intruder, and here there are some options that we want to set before being able to brute force a web page. So here under the Target tab, there is nothing that we want to change. Let's just move on to the Positions tab, and in the Positions tab, you will see this request that we just sent. You will see some of the fields that are already selected and you will see this attack type bar up here. The first thing that we want to change is we want to change the attack type from Sniper to Cluster bomb. And what it simply means is, since we are going to brute force both username and password, we want to be able to send both of them at the same time. And we can do that with the help of Cluster bomb. If you, for example, knew the username and you just wanted to brute force the password, you could select right here Sniper, and then you could just brute force a password. Right now, we are going to go with the Cluster bomb, and here we got the five fields selected. Now, we don't need all of them. We only need the username and password fields selected.
So what we can do is we can click on this Clear button; it will unselect all of these fields, and then to select the fields that we want, we can just double-click on the field. For example, username equals test: I double-click on test. It will select it. Then I click on Add, and I do the same for the password selected right here, and I click on Add. This will select just username and password, and once we do that, we can navigate to the Payloads tab, where we are going to see a bunch of other options that we can also set. So under these payload sets, this will be the payload set for the username. And if I select this number two, this will be the payload set for the password, because those are the only two fields that we selected. If I go with the username first, so I change right here to one, I will select the payload type to be a simple list because we are going to brute force with a list, and under the payload options I want to load that list. So I just click on this Load button. Then I can find usernames.txt, and you can see by default it loaded all of the usernames from that list. Now I can delete this empty field. We don't really need it. And once I do that, once I load the usernames list right here, I can change from one to two. And now I leave it once again on simple list.
And here I want to load the passwords. So once again I find passwords.txt, and it loaded all of the passwords from that file. Once all of that is ready, that would be pretty much it. We are ready to start our attack. So if I click right here on Start attack, it will tell me that the community edition of Burp Suite contains a demo version of Burp Intruder, so some functionality will be disabled. We already knew that. So let's just go and click on OK. And this will start our attack. Down here, we can see the progress bar as to how fast this goes, and you will notice it goes a little bit slower than the Hydra tool, but nonetheless, it is still brute forcing our page. Let's wait for it to finish. And it has finished, but it seems that we didn't get any results right here. And by the way, inside of the Intruder, how we can search for results is: you can see all of the combinations of usernames and passwords right here. We can see the status and we can also see the length. Now, the length for the correct username and password will, in 99.9 percent of cases, be different than the incorrect usernames and passwords. And in this case, it seems that all of them have the same length. So for some reason, it didn't manage to find our correct username and password.
Now, that could be due to many reasons, but if I just select one of the combinations and I go to the response, we get the 302 Found. If I scroll down inside the response, it doesn't give us any HTML content. This usually means that it is performing a redirection. And if I go to our Options inside of our Intruder, all the way down under the options we get Follow redirections: Never. So what I'm going to do is I'm going to check this on Always, and I'm going to start the attack once again. Click on OK. And now we can see it has a different type of length. Now all we need to do is wait for the combination of admin and password, and hopefully this time we're going to get a different length of the response for the correct username and password. So let's wait for this to finish. OK, so it has finished, and let's scroll all the way down; we can see every response has the length of 1638. And if I scroll down here, we can see that the combinations of admin and password, both capital and lowercase, have a different length. This is a pretty good indication that these are the correct usernames and passwords. We can also see that it did indeed perform the redirection, as we can see multiple requests and multiple replies right here. So that would be about it.
This is a simple way that you can perform brute forcing with the help of Burp Suite. Now, I'll still prefer Hydra due to it being a little bit faster than the Burp Suite Intruder. But this one, however, is easier to perform, since for Hydra you need to use a different type of syntax and sometimes it might not work, while this is just setting some of the options, selecting the fields and running the brute force attack. Now that we finished this, in the next lecture we are ready to start our coding projects regarding the web application penetration testing section.
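Added example, not part of the video or course: the server-side view of the run described above. Given constructed web-server access-log lines, this Python script flags a client that POSTs to the DVWA login path more than a threshold number of times within a minute and, inside that burst, points out the response whose size differs from the rest, the same length heuristic the video uses in Intruder's Length column to spot the correct credentials. The login path, the thresholds, the IP addresses and the log lines are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines (not from the video): 10.0.0.5 posts to
# the DVWA login page 13 times in 13 seconds, as an Intruder cluster-bomb run looks
# from the server side. Twelve failures share a 1638-byte body; the last differs.
# 10.0.0.9 logs in once and must not be flagged.
LINE = ('{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "POST /dvwa/login.php HTTP/1.1" '
        '302 {size} "-" "Mozilla/5.0"')
SAMPLE_LOG = "\n".join(
    [LINE.format(ip="10.0.0.5", sec=s, size=1638) for s in range(1, 13)]
    + [LINE.format(ip="10.0.0.5", sec=13, size=1702),
       LINE.format(ip="10.0.0.9", sec=20, size=1702)])
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_log(text):
    """Yield (ip, timestamp, method, path, status, size) per parseable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = 0 if m["size"] == "-" else int(m["size"])
        yield m["ip"], ts, m["method"], m["path"], int(m["status"]), size

def detect_login_bursts(text, login_path="/dvwa/login.php", threshold=10, window_s=60):
    """Flag IPs that POST to login_path more than `threshold` times in any
    `window_s`-second span. Report the most common response size (the failure
    length) and any other sizes: a different length is the likely success."""
    posts = defaultdict(list)
    for ip, ts, method, path, _status, size in parse_log(text):
        if method == "POST" and path == login_path:
            posts[ip].append((ts, size))
    findings = {}
    for ip, attempts in posts.items():
        attempts.sort()
        start, peak = 0, 0
        for end in range(len(attempts)):  # sliding window over sorted times
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            sizes = [s for _, s in attempts]
            failure_size = max(set(sizes), key=sizes.count)
            findings[ip] = {"attempts": len(attempts), "peak_in_window": peak,
                            "failure_size": failure_size,
                            "other_sizes": sorted({s for s in sizes if s != failure_size})}
    return findings
```

Point it at a real access log by reading the file into `text` and adjusting `login_path`; the size-outlier report is only a hint, since content-length also changes with error messages and dynamic pages.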