[00:00:00] Welcome back. And in this video I want to talk about another cool feature of Burp Suite that could allow us to perform the brute forcing of a login page a lot easier than we did with the Hydra tool. So Burp Suite, besides you being able to inspect all the packets and intercept the packets and change them, you can also do some other cool things as well. And one of those cool things is brute forcing a login page. Now this is something that we're going to perform with the community version, and the community version of Burp Suite has some limitations. The brute forcing will not go as fast as if you, for example, had the pro version, but nonetheless let us see how it would look. So let's go and visit the login page of our DVWA.

[00:00:49] If I navigate right here, and here we must log in to our DVWA. The first thing that we want to do is we want to specify any credentials right here, for example test and test. And once we click on login, this request that we just performed on our DVWA page will be saved inside of our Burp Suite.

[00:01:10] So under the targets, we got our target machine right here. And if I find the packet, here it is. Here is the packet that we sent. So we sent a POST request and we sent our username of test and password of test to the target webpage. Now what we want to do, in order to perform the brute forcing attack, is we want to first right click on this packet which we used to send our username and password, and we want to send it to Intruder. Click on that and you will see this Intruder bar light up. You want to navigate to the Intruder. And here there are some options that we want to set before being able to brute force a webpage. So here under the Target tab, there is nothing that we want to change. Let us just move on to the Positions tab. And in the Positions tab you will see this request that we just sent. You will see some of the fields that are already selected, and you will see this attack type bar up here. The first thing that we want to change is we want to change the attack type from sniper to cluster bomb.

[00:02:17] And what this simply means is, since we are going to brute force both username and password, we want to be able to send both of them at the same time. And we can do that with the help of cluster bomb. If you, for example, knew the username and you just wanted to brute force the password, you could select right here, sniper, and then you could just brute force a password. Right now we're going to go with the cluster bomb, and here we got the five fields selected. Now we don't need all of them, we only need the username and password field selected. So what we can do is we can click on this clear button, it will unselect all of these fields, and then to select the fields that we want, we can just double click on the field. For example, username equals test. I double click on test, it will select it. Then I click on add and I do the same for the password. Select it right here and I click on add. This will select just username and password. And once we do that, we can navigate to the payload step, where we are going to see a bunch of other options that we can also set.

[00:03:21] So under these payload sets, this will be the payload set for the username. And if I select this number two, this will be the payload set for the password, because those are the only two fields that we selected. If I go with the username first, so I change right here to one, I will select the payload type to be a simple list, because we are going to brute force with a list, and under the payload options I want to load that list. So I just click on this load button, then I can find usernames.txt, and you can see by default it'll load all of the usernames from that list. Now I can delete this empty field. We don't really need it. And once I do that, once I load the username list right here, I can change from one to two and now I leave it once again on simple list. And here I want to load the passwords.txt. So once again, I find the passwords.txt and it will load all of the passwords from that file. Once all of that is ready, that would be pretty much it. We are ready to start our attack.

[00:04:22] So if I click right here on start attack, it'll tell me that the community edition of Burp Suite contains a demo version of Burp Intruder. So some functionality will be disabled. We already knew that. So let's just go and click on okay, and this will start our attack. Down here we can see the progress bar as to how fast this goes. And you will notice it goes a little bit slower than the Hydra tool, but nonetheless it is still brute forcing our page. Let's wait for it to finish. And it has finished, but it seems that we didn't get any results right here. And by the way, inside of the Intruder, how we can search for results is you can see all of the combinations of usernames and passwords right here. We can see the status and we can also see the length. Now the length for the correct username and password will in 99.9% of cases be different than the incorrect usernames and passwords. And in this case it seems that all of them have the same length. So for some reason it didn't manage to find our correct username and password.

[00:05:29] Now that would be due to many reasons, but if I just select one of the combinations and I go to the response, we get the 302 Found. If I scroll down inside of the response, it doesn't give us any HTML content. This usually means that it is performing redirection. And if I go to our options inside of our Intruder, all the way down under the options we get follow redirections: never. So what I'm going to do is I'm going to check this on always, and I'm going to start the attack once again. Click on okay, and now we can see it has different types of length. Now all we need to do is wait for the combination of admin and password, and hopefully this time we are going to get a different length of the response for the correct username and correct password. So let's wait for this to finish. Okay, so it has finished. And let's scroll all the way down. We can see every response has the length of 1638. And if I scroll down here, we can see that the combinations of admin and password, both capital and lower case, have a different length.

[00:06:43] This is a pretty good indication that these are the correct usernames and correct passwords. We can also see that it did indeed perform the redirection, as we can see multiple requests and multiple replies right here. So that will be about it. This is a simple way that you can perform brute forcing with the help of Burp Suite. Now, I'll still prefer the Hydra tool due to it being a little bit faster than the Burp Suite Intruder, but this one, however, is easier to perform, since for Hydra you need to perform a different type of syntax and sometimes it might not work. While this is just setting some of the options, selecting the fields, and running the brute force attack. Now that we finish this, in the next section we are ready to start our coding projects regarding the web application penetration testing. See you there.