Dictionary attacks on login pages with Burp Suite
Burp Suite's Intruder has the ability to perform fuzzing and bruteforce attacks against as many parts of an HTTP request as we want to; it is particularly useful when performing dictionary attacks against login pages.
In this recipe, we will use Burp Suite's Intruder with the dictionary we generated in Chapter 2, Reconnaissance, to gain access through a login.
Getting ready
Having a password list is necessary for this recipe, it can be a simple word list from the language the target is in, a list of the most common passwords, or the list we generated in the Using John the Ripper to generate a dictionary recipe in Chapter 2, Reconnaissance.
How to do it...
The first step is to set up Burp Suite as a proxy to our browser.
Browse to
http://192.168.56.102/WackoPicko/admin/index.php.We will see a login page; let's try and test for both username and password.
Now go to the proxy's history and look for the POST request we just made with the login attempt...
