Burp Intruder

2/14/2022 by admin
This article is part of the Guide for Burp Suite series. In the previous article, we learned about some of the features of the Intruder tab. Now we'll move forward and see how to work with the Burp Intruder tab. So let's get started.

Burp Intruder is a tool for automating customized attacks against web applications. It is extremely powerful and configurable, and can be used to perform a huge range of tasks, from simple brute-force guessing of web directories through to active exploitation of complex blind SQL injection vulnerabilities. After covering Burp Suite setup and the Proxy and Target tools in the last blog post, this post discusses the Spider, Repeater and Intruder tools. Spider is used to map out a site more thoroughly, Repeater is used for manually tampering with and replaying requests, and Intruder is used to automate a large number of requests with parameterized values.

Burp Intruder allows a tester to brute-force or fuzz specific portions of an HTTP message using customized payloads. For all the practical exercises we will be using OWASP Juice Shop, which is running in a Docker container.
The following are the steps you can go through to use Burp Intruder.
1. Open the Firefox browser and enable the network proxy from the FoxyProxy extension.
2. In the Firefox browser, visit the login screen of the OWASP Juice Shop and try to log into the application. For example, type the Email as '[email protected]' and the password as 'test'.
3. In Burp, go to the Proxy tab, then the HTTP History sub-tab, and find the login attempt.
4. Select the login attempt request in the HTTP history, right-click the Request tab, and select 'Send to Intruder' as shown below.
5. In Burp, go to the 'Intruder' tab, then the 'Target' sub-tab. This tab defines your target application. These settings are pre-populated by Burp.
6. Go to the 'Positions' tab and click the 'Clear §' button in the right-hand side menu. Select the password field by highlighting it with your cursor, then click the 'Add §' button in the right-hand side menu. You should now have the payload markers wrapping the password field as shown below.
7. Go to the 'Payloads' tab. 'Payload Sets' allows us to set the number of payloads as well as their type. For our purposes, we will use the default settings for Sniper, allowing us to use one payload with a Payload type of 'Simple list'.
8. In the 'Payload Options' section, we can configure a custom payload or load a pre-configured one from a file. For now, we will add some values to our payload. In the text box, type a value, then click the 'Add' button to create our custom payload as shown below.
9. Go to the 'Options' tab and, under 'Request Engine', set the number of threads and the other details so that Intruder creates less noise on the network while it runs.
10. Finally, we are ready to start Intruder. On either the 'Target' or the 'Payloads' tab, click the 'Start attack' button to start Intruder.


When the attack has started, an attack results table will appear. This allows us to see every payload sent by Intruder, along with each request and its response.
Note that the payload 'admin123' in the password parameter produced a status code of '200'. This means we received an authentication token and can log in to the application with the password 'admin123'.
Congratulations! We now know how to work with the Burp Intruder tab. In the next part, we will discuss the Sequencer tab.
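From the defender's side, a Sniper run like the one above leaves a distinctive trace in the web server's access log: many login POSTs from one source in a few seconds, almost all failing, sometimes followed by a single 200. The following Python is an added example (not from the original post or from Burp) that constructs a few such log lines and flags the burst; the endpoint path /rest/user/login, the log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample (Common Log Format) mimicking a Sniper run
# against the Juice Shop login; the path /rest/user/login is assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Feb/2022:10:00:01 +0000] "POST /rest/user/login HTTP/1.1" 401 26
10.0.0.5 - - [14/Feb/2022:10:00:01 +0000] "POST /rest/user/login HTTP/1.1" 401 26
10.0.0.5 - - [14/Feb/2022:10:00:02 +0000] "POST /rest/user/login HTTP/1.1" 401 26
10.0.0.5 - - [14/Feb/2022:10:00:02 +0000] "POST /rest/user/login HTTP/1.1" 401 26
10.0.0.5 - - [14/Feb/2022:10:00:03 +0000] "POST /rest/user/login HTTP/1.1" 401 26
10.0.0.5 - - [14/Feb/2022:10:00:03 +0000] "POST /rest/user/login HTTP/1.1" 200 812
10.0.0.9 - - [14/Feb/2022:10:00:04 +0000] "POST /rest/user/login HTTP/1.1" 401 26
10.0.0.9 - - [14/Feb/2022:10:05:00 +0000] "POST /rest/user/login HTTP/1.1" 200 812
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def parse(line):
    """Return (ip, timestamp, method, path, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_guessing_bursts(log_text, login_path="/rest/user/login",
                         min_failures=5, window_s=60):
    """Flag source IPs with >= min_failures failed (4xx) login POSTs inside
    any window_s-second window; note whether a 200 followed in that window
    (the page's 'admin123' case, where the guess succeeded)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == login_path:
            by_ip[rec[0]].append((rec[1], rec[4]))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            win = [s for t, s in events[i:] if (t - t0).total_seconds() <= window_s]
            failures = sum(1 for s in win if 400 <= s < 500)
            if failures >= min_failures:
                alerts[ip] = {"failures": failures, "success_after": 200 in win}
                break
    return alerts
```

Lowering the thread count in step 9 only stretches the same number of failures over a longer period, so a detection keyed on failure count per source over a generous window catches it where a pure rate threshold would not.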

Hi Everyone,

It has been about a week since I posted an article. Today I am going to share a simple way to enumerate web applications with Burp Suite Intruder. There is no rocket science here. It is just basic knowledge of how to use Burp Suite functionality that could help you get the job done quickly.

First, I am going to use a vulnerability in an application called ManageEngine Service Plus that allows an attacker to enumerate users of the application.

This is how we can find it. Please ensure that your browser and Burp Suite are set up to work together.

Let's go. First, when you open the application's web page, you will be prompted for a username and password in order to log in to the application.

The application sends the username to the server for validation before you even press the login button. Behind the scenes, we can see the traffic captured in Burp Suite like this. Here I entered the user as pentest, and the application sent a search request for the name pentest to the server.

The server will respond as below. It returns a null value if the user is not found on the server.

Given the above scenario, how do we automate the process so that we do not need to try usernames one by one?

Let's do it. When you have the HTTP GET request to the server that I mentioned above, you can send it to Intruder for automation by pressing Ctrl+I. Now go to the Intruder tab in Burp Suite.

The next step is to set where the payload will be inserted. You need to go to the Positions tab.

Burp Suite will automatically detect and highlight every position that could be automated for you. In this case, however, we only want to automate the search variable, so the next step is to press 'Clear' to remove the detected positions.

Next, highlight the word "pentest" and press 'Add'. Burp will change the annotation from pentest to $pentest$.

The next step is to set up the payload. You need to go to the Payloads tab.

What you need to do in this tab is set the payload that Burp will use to run the automation. Each payload value is read and sent in a request to the server in place of the $pentest$ value you marked in the Positions tab.

In this case, I would use a simple dictionary attack. Here is how I load the dictionary into Burp.

In the above screen, press 'Load'. Then specify where your dictionary is located on disk.

Press 'Open' after you have selected the dictionary. Burp will load all the text within the file you specified, which will look like the below.

Then, basically, you are ready to start the attack. But I encourage you to also set the variables in the Options tab, such as how many threads Burp Suite should use to request the server at one time. There is one configuration that I highly recommend you set: grep and flag the server response in the section below.


The above function will make your life easier when inspecting the server responses. Remember that, based on our earlier analysis, the application returns null when it does not find the username in its database. So we can grep for the null value and have Burp flag it for us.

First, press 'Clear' to remove all the values pre-populated by Burp. Then add the new item 'null' in the field and press 'Add', as shown below.

Now everything is set. You can start the attack by pressing the 'Start attack' button.

A new window will pop up that runs the enumeration and sends each payload to the server. After Burp Suite has finished the enumeration, we can see the result in the Results tab.

In the above screen you can see that there is a column called 'null'. This column tells us that Burp flagged the result because it found the null value in the server response.


In the null column we can also find lines that are not tagged with null. This means that Burp Suite did not find the null value in the server response, which instead contains "Not in Domain".


So the tag helps us spot the difference between responses directly. With this result, we can conclude that the usernames guest and administrator actually exist in the database, and we can use this information for further attacks.
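The whole technique rests on the pre-login search answering differently for an existing and a non-existing username. The Python below is an added example (not from the original post or from the product) that models the leaky lookup beside a hardened one, reproduces the 'Grep - Match' column the post relies on, and gives developers a one-line self-check for the oracle; the user directory, field names and the two accounts are constructed assumptions.

```python
import json

# Constructed stand-in for the user directory behind the pre-login search;
# the field names and the two accounts are assumptions, not the product's.
USER_DIRECTORY = {
    "administrator": {"name": "administrator", "domain": "Not in Domain"},
    "guest": {"name": "guest", "domain": "Not in Domain"},
}

def search_user_leaky(username):
    """Pre-authentication lookup as the post describes it: the record
    when the user exists, the literal body 'null' when it does not."""
    record = USER_DIRECTORY.get(username)
    return 200, (json.dumps(record) if record else "null")

def search_user_hardened(username):
    """Same endpoint with the oracle removed: identical status and body
    for every input, so existence cannot be inferred before login.  The
    real check happens only once full credentials are submitted."""
    return 200, json.dumps({"status": "ok"})

def grep_match(responses, needle="null"):
    """Intruder's 'Grep - Match' column in miniature: for each payload,
    True when the response body contains `needle`.  The unflagged rows
    are the usernames the directory recognised."""
    return {payload: needle in body for payload, (_, body) in responses.items()}

def leaks_existence(handler, known="guest", unknown="pentest"):
    """Developer self-check: a handler that answers differently for an
    existing and a non-existing username is a user-enumeration oracle."""
    return handler(known) != handler(unknown)

if __name__ == "__main__":
    probes = ["pentest", "guest", "administrator"]
    print(grep_match({p: search_user_leaky(p) for p in probes}))
    print("leaky:", leaks_existence(search_user_leaky))
    print("hardened:", leaks_existence(search_user_hardened))
```

Response length and timing can leak the same bit even when bodies match, so the self-check is a floor, not a proof; rate limiting the endpoint and requiring authentication before any lookup remove the remaining signal.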
