Let's take a look at how to improve a brute force attack with a chosen list.
Lab Objective: In this lab you will learn how to set up Damn Vulnerable Web Application (DVWA) and use Burp Suite to practice a brute force attack.
VMs Needed: Kali Linux
Difficulty: Easy
Prerequisite: Install the LAMPP server on the Kali Linux machine (optional) or use the available Apache server. Navigate to the DVWA official website, then download and install the package.
Log in to Kali Linux as root.
Stop the Apache server using the service apache2 stop command.
To start LAMPP, use /opt/lampp/lampp start
Open the browser in Kali.
Navigate to localhost/DVWA-master in Firefox.
Log in using username admin and password password.
This application can be used to learn attacks at a variety of levels; we will perform a basic brute force attack now.
Click on the DVWA Security tab and set the security level to low.
Copy the login failure message shown in the screenshot above. We will use it later.
Now launch the Burp Suite application from the Applications tab at the top left of the screen, or find it in the toolbar in the Kali VM (refer to the following image).
Create a temporary project and click next
Use Burp defaults and click next.
Make sure the following settings match; if they do not, change them accordingly. You will find them under the Proxy > Options tab in Burp Suite.
We will use the same loopback address and port number in the Firefox proxy settings. Configure the browser with the same proxy settings so that communication from the browser is intercepted. The settings are as follows.
Once the above settings are done, return to the DVWA application and retype the same username and password.
Burp Suite should capture the webpage as shown below.
Right-click inside the Raw tab and click the Send to Intruder option.
Go to Intruder > Positions and click the Clear button (refer to the following).
Now select the username part and the password part and click the Add button next to them (refer to the following screenshot), and also change the attack type to Cluster bomb.
Go to the Payloads tab, make sure payload set 1 is selected, and type in the usernames you want to test.
Now change the payload set to 2 and type the passwords we want to check in conjunction with the usernames, as shown below.
Finally, go to the Options tab, clear the values in the Grep table, and copy in the error message obtained while trying the initial username and password.
Make sure to clear the table and add only the error message obtained from the login page (refer back to Step 31).
Go back to the Target tab and hit Start attack.
Watch the output closely; it should bring back the original username and password.
The username is admin and the password is password for the application. Make sure to try these credentials on the login page shown in step 31.
Once the lab is completed, shut down the LAMPP server using the command /opt/lampp/lampp stop
Remove the proxy server settings from the Firefox advanced settings.
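What the cluster bomb run in this lab looks like from the server side, as an added example that is not part of the original lab: a small detector that counts login attempts per client in web server access log lines and reports how many distinct usernames and passwords each client tried. It assumes Apache common/combined log format and that DVWA's low-security brute force form sends username and password as GET query parameters to a path ending in /vulnerabilities/brute/; the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache common/combined log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
LOGIN_PATH_SUFFIX = "/vulnerabilities/brute/"  # assumed DVWA login form path
THRESHOLD = 5                                  # hypothetical tuning value

def find_bruteforce(lines, threshold=THRESHOLD):
    """Return {client_ip: (attempts, distinct_usernames, distinct_passwords)}
    for every client whose login attempts reach the threshold."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    passwords = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access log line
        ip, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(LOGIN_PATH_SUFFIX):
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        if "username" not in qs or "password" not in qs:
            continue  # page view of the form, not a login attempt
        attempts[ip] += 1
        users[ip].add(qs["username"][0])
        passwords[ip].add(qs["password"][0])
    return {ip: (n, len(users[ip]), len(passwords[ip]))
            for ip, n in attempts.items() if n >= threshold}

def sample_log():
    """Constructed lines: one client sending a 3 x 3 cluster bomb, one ordinary user."""
    fmt = ('{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET /DVWA-master'
           '/vulnerabilities/brute/?username={u}&password={p}&Login=Login'
           ' HTTP/1.1" 200 4500')
    combos = [(u, p) for u in ("admin", "root", "test")
              for p in ("123456", "letmein", "password")]
    lines = [fmt.format(ip="127.0.0.1", s=i, u=u, p=p)
             for i, (u, p) in enumerate(combos)]
    lines.append(fmt.format(ip="192.0.2.10", s=30, u="alice", p="correct-horse"))
    lines.append('192.0.2.10 - - [10/Oct/2023:13:56:00 +0000] '
                 '"GET /DVWA-master/index.php HTTP/1.1" 200 7000')
    return lines

if __name__ == "__main__":
    for ip, (n, u, p) in find_bruteforce(sample_log()).items():
        print(f"{ip}: {n} login attempts, {u} usernames x {p} passwords")
```

The attempt count equal to usernames times passwords is the signature of the cluster bomb attack type, which tries every combination of the two payload sets. Because the form uses GET, every guessed password is also written to the access log in clear text.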