Welcome back folks, Today we’re going to demonstrate Dictionary Attack Websites Login Pages using Burp Suite. And will try to Crack Passwords.

What is Burp Suite?

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. It’s a java base web application, so it’s multiplatform where you can use it in windows OS, Linux OS and any other operating system.

According to the Burp Suite website, Burp Suite contains the following key components:

  • An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
  • An application-aware Spider, for crawling content and functionality.
  • An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
  • An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
  • A Repeater tool, for manipulating and resending individual requests.
  • A Sequencer tool, for testing the randomness of session tokens.
  • The ability to save your work and resume working later.
  • Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.

Dictionary Attack Website’s Login Page using Burp Suite

Let’s get started!

This is our target, We know they have login and register page.

Let’s dive into login page

This is just a normal looking login page contains username and password fields. let’s take a look at source code.

It doesn’t have any security restrictions and security checks so we’re good to go!

Let’s fire up Brup Suite.

First of all we have to turn on intercept, I hope you already know how to setup proxy with Firefox. If not let me show you how.

  • To make Burp Suite work, firstly, we have to turn on manual proxy and for that go to the settings and choose Preferences.
  • Then select advanced option and further go to Network then select Settings.
  • Now, select Manual proxy Configuration

And this way your manual proxy will be active as you can see below too.

Let’s get started!

I’m intercepting Request from our target and i know that our target has a username with “admin” but we don’t know the password that’s what we’re going to Dictionary Attack.

When you saw your request on Intercept right click on it and send to Intruder. Brup Suite will add all he required information to start attack.

After that goto Positions Tab and Change the Attack Type to: Cluster Bomb (The Differences Between Attack Types here: Understanding Burp Suite Intruder Attack Types)

After that click on Clear and Auto.

Now we’re going to set our Payloads, Goto Tab Payloads and your Payload Set: 1 is username which we’re going to add “admin” because we already know our target username is admin.

Payload Set: 2 will be our Wordlists for Password which we’re going to load here. Click on Load to add your wordlist which you want to dictionary attack I’m using rockyou.txt which is default in Kali Linux.

You can find a lot of good stuff here:

And you can find some of them here: Large Password Lists

Now we’re all set, It’s time to start attack and pray that we have his password in wordlists 🙂 ..

And that is how it can be done! Let me know your comments!