Bruteforce attack with Damn Vulnerable Web Application

Lets take a look at how to improve brute force attack with choosen list.

Lab Objective:  In this lab you will learn how to set up Damn Vulnerable Web Application (DVWA) and use Burp Suit to practice Brute force attack.

VMs Needed:  Kali Linux

Difficulty : Easy

Prerequisite: Install Lampp server in kali linux machine(optional) or use apache server available, Navigate to DMWA official website, download and install package.


Login to Kali Linux as root

Stop apache server using service apache2 stop command

To start lamp use /opt/lampp/lampp start



Open browser in kali

Navigate to localhost/DVWA-master in firefox.

Login using username admin and password password.

This application can be used to learn variety level of attacks, we will perform basic brute force attack now

Click on DVWA security tab and set SECURITY level to low

Copy login fail message shown in above screenshot here. We will use it later

Now lauch Burp suit application from applications tab on top left screen or you will find it in tool bar in kali VM (refer to following image)

Create a temporary project  and click next

Use burp defaults and click next

Make sure following settings are same or else change them as below accordingly. You will find them under proxy > options tab in Burp suit

We will use same loopback address and port number is firefox proxy settings in browser. Configure browser with same proxy setting to intercept communication from browser. Following are settings

Once above settings are done return to DVWA application and retype same username and password

In burp suit it should capture webpage as shown below.

Right click inside Raw tab and click send to Intruder option

Go to Intruder > positions > click on Clear button (refer following)

Now select username part and password part and click on add button next to it (refer to following screenshot) and also change the attack type to cluster bomb

Go to Payloads tab and make sure to have set 1 and type in usernames you want to test

Now change payload set to 2 and type passwords we want to check in conjunction with username as per below

Finally go to options tab and clear values in Grep table and copy error message obtained while trying initial username and password

Make sure to clear and add only error message obtained from login page (refer back to Step 31).

Go back to Target tab and hit start attack.


And watch closely for output it should bring back original username and password.

Admin is username and password is password for application. Make sure to try these credentials on log in page shown in step 31.

Once lab is completed shut down laamp server by using command /opt/lampp/lampp stop

Remove proxy server settings from firefox advance settings.



Leave a Reply

Your email address will not be published.