In this part you will be bruteforcing the DVWA login page using Burpsuite
1. Setting Up Burp
on Kali, open a terminal and type "burpsuite" - this will run the program
use "temporary project" and click next
use "burp defaults" and click start burp
click on the proxy tab and under that click on options - you will see that the interface burp is listening on is "127.0.0.1:8080", which is port 8080 on your local host
open your firefox browser by typing "firefox" in a new terminal
go to the IP address of your workstation that is running the DVWA webapp
get to the login page and wait
open the menu on the top right and click on preferences
scroll all the way to the bottom and click on "Network Settings..."
choose the "Manual proxy configuration" radio button - put "127.0.0.1" for HTTP Proxy and 8080 for the port
checkmark "also use this proxy for FTP and HTTPS"
delete anything under "No proxy for" and leave everything else unchecked
after clicking OK you have configured your browser to send all requests to port 8080 on the localhost, where they will be intercepted by burpsuite
you can confirm this by refreshing the webpage - the refresh will never finish, because burp is holding the request until you forward it
bring up burpsuite and go to the "Intercept" tab - you should see your refresh request has populated the fields
click forward until the refresh completes
now you know that everything is working
make sure you switch the security level from the default of "impossible" to "low" - to do this you must click on "DVWA Security" in the menu on the left and change the setting
note that the lowest setting doesn't use CSRF tokens, lockouts, rate limiting, etc., so this makes the bruteforcing quite easy
to bruteforce a login you can either manually enter credentials or create a dictionary for burp to use
you can download any of the hundreds of already created dictionaries online or create your own
in the Kali terminal type "echo '' > /home/kali/passwords.txt" to create the file
open the file with nano - type "nano /home/kali/passwords.txt"
note that you can skip the first step using "echo" because the second step will automatically create a new file and open it for you, but I like to reinforce some techniques
in the text file, on each new line, type in a password you can think of - make sure at least one password is the correct one (you know the password from following the DVWA guide in part 3 - by default it is "password")
there are dictionaries out there with thousands of words but for this guide we will keep it short and sweet
open firefox and go to DVWA
click on "Bruteforce" in the menu on the left
make sure burpsuite is running
make sure intercept is off (go to "Proxy" > "Intercept" and click "Intercept is on" to switch it to "Intercept is off")
go back to DVWA and type in "admin" for the username and "pass" for the password
click "login" on the webapp to perform the request - since burp is running as a proxy it will log the details of this request before sending it off
go back to burpsuite, go to "Proxy" > "HTTP history" and look under "URL" for "GET - /dvwa/vulnerabilities/brute/?username=" - this is the request you just made by clicking login
right click that action and send to "Intruder"
click on Intruder tab and go to "Positions"
switch the "Attack type" to "Cluster bomb"
click "Clear $" on the right menu to clear all variables
in the request text box (the parameters are on the first line), highlight "admin" and then click "Add $". Do the same for "pass" and hit "Add $" so that both values are marked as payload positions
go to the "Payloads" tab
type "admin" to the right of "Add" under "Payload Options [Simple list]"
change "Payload set" at the top to 2 and then "Payload Type" to "Runtime file" - this is how you will use the wordlist or dictionary file you created
choose "select file" and open your passwords list file
note that you can also leave it as "simple list" and add a bunch of passwords manually like you added "admin" into the first variable
click the "Options" tab and go down to "Grep - Match" - click "clear" to get rid of all the useless matches and then type in "incorrect" and click add
Grep is the bash command for searching for strings, and Burp's "Grep - Match" does the same thing to each response. In this case we want to see which attempts end up being incorrect. The way this functionality works is that burp reads the HTML page response that comes back after it sends the credentials and performs the login action. The server receives the login request and serves an HTML page based on whether the credentials worked or were incorrect. The reason grepping for "incorrect" works is that if the login failed, the HTML response is formatted to contain the word "incorrect". You see this in red letters when you manually try to login and fail. Those red letters can be found within the HTML itself if you were to go and look at the code. They aren't there normally; they are injected upon login failure. If, however, the word "incorrect" does not appear in a response, this gives you the indication that those specific credentials have triggered something that the rest hadn't, or simply that the login was successful.
scroll to the bottom for "Redirections" and checkmark "always"
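From the defender's side, the same two signals the tester relies on above (a burst of requests to the login endpoint, and one response whose size differs from all the failed ones) are what you would look for in the web server's access log. The script below is an added example and is not part of the original guide or of DVWA; it runs over a few constructed Apache-style log lines (the IPs, timestamps, passwords and sizes are made up) and flags a source that hammers the brute-force page, and the one attempt whose response size breaks the pattern. Because the low level submits credentials via GET, they land in the log verbatim, which is its own finding.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/Nginx "combined" log format (not real DVWA
# logs).  The low security level sends the login as a GET, so username and
# password both appear in the request line and therefore in the access log.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=pw1&Login=Login HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=pw2&Login=Login HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=pw3&Login=Login HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=pw4&Login=Login HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=pw5&Login=Login HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=pw6&Login=Login HTTP/1.1" 200 4912 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /dvwa/vulnerabilities/brute/?username=gordonb&password=pw7&Login=Login HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:57:10 +0000] "GET /dvwa/index.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, path, status and response size from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
LOGIN_PATH = "/dvwa/vulnerabilities/brute/"   # the page the guide targets


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status")), "size": int(m.group("size"))}


def login_attempts(log_text):
    """Keep only the parsed events that hit the brute-force login endpoint."""
    events = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return [e for e in events if e and e["path"].startswith(LOGIN_PATH)]


def flag_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: attempts} for every IP with >= threshold login attempts inside
    any sliding window of the given length.  A real login form with lockouts or
    rate limiting would never let a client reach this count."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def size_outliers(events, min_attempts=3):
    """Failed logins all render the same 'incorrect' page, so their sizes cluster.
    An attempt from the same IP whose size differs is the server-side view of the
    signal Burp's Grep - Match gives the tester.  Returns those outlier events."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    outliers = []
    for evs in by_ip.values():
        if len(evs) < min_attempts:
            continue
        common_size = Counter(e["size"] for e in evs).most_common(1)[0][0]
        outliers.extend(e for e in evs if e["size"] != common_size)
    return outliers


if __name__ == "__main__":
    attempts = login_attempts(SAMPLE_LOG)
    print("login attempts:", len(attempts))
    print("bursting IPs:", flag_bursts(attempts))
    for e in size_outliers(attempts):
        print("size outlier:", e["ip"], e["ts"].isoformat(), e["size"])
```

The threshold and window are starting points, not tuned values; on a real site you would set them against the normal rate of failed logins you observe. The size check only says "this response was different", exactly as Burp's length column does, so it is a lead to investigate rather than proof of a successful login.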