Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
214
...
192.168.50.16 offsecwp
Listing 102 - Setting up our /etc/hosts file for offsecwp
The Intruder [347] Burp feature, as its name suggests, is designed to automate a variety of attack angles, from the simplest to more complex web application attacks. To learn more about this feature, let's simulate a password brute forcing attack.
Since we are dealing with a new target, we can start a new Burp session and configure the Proxy as we did before. Next, we'll navigate to http://offsecwp/wp-login.php from Firefox. Then, we will type "admin" and "test" as respective username and password values, and click Log in.
Figure 95: Simulating a failed WordPress login
Returning to Burp, we'll navigate to Proxy > HTTP History, right-click on the POST request to /wp-login.php and select Send to Intruder.
[347] (PortSwigger, 2021), https://portswigger.net/burp/documentation/desktop/tools/intruder/using
We have now instructed the Intruder to modify only the password value on each new request. Before starting our attack, let's provide Intruder with a wordlist. Knowing that the correct password is "password", we can grab the first 10 values from the rockyou wordlist on Kali.
kali@kali:~$
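From the defender's side, the attack simulated above leaves an obvious trace: a burst of POST requests to /wp-login.php from one client in a short time. The following is an added detection example, not part of the PWK course material or of Burp; it assumes an Apache/Nginx combined-format access log and uses constructed sample lines. It relies on the fact that WordPress re-renders the login form with HTTP 200 on a failed login and answers a successful one with a 302 redirect, so the status of the last request in a burst hints whether the guessing eventually worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format fields we need: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    path = m.group("path").split("?")[0]  # drop query string, e.g. ?redirect_to=...
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_login_bursts(lines, threshold=10, window=timedelta(seconds=60),
                      login_path="/wp-login.php"):
    """Flag IPs that POST to the login page `threshold` or more times within `window`.

    Returns {ip: {"peak": attempts seen in one window, "last_status": status of the
    latest POST, "success": True if a 302 (WordPress success redirect) was seen
    while the IP was over threshold}}. The 302 rule is a heuristic, not proof.
    """
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs in the sliding window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line
        ip, ts, method, path, status = parsed
        if method != "POST" or path != login_path:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            info = flagged.setdefault(ip, {"peak": 0, "last_status": None, "success": False})
            info["peak"] = max(info["peak"], len(q))
            info["last_status"] = status
            info["success"] = info["success"] or status == 302
    return flagged


def constructed_log():
    """Constructed sample lines (not real traffic): one normal login from
    192.168.50.20, one unparseable line, and 12 rapid POSTs from 192.168.50.5
    where only the last one is answered with a 302."""
    lines = [
        '192.168.50.20 - - [10/Mar/2023:14:01:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2150 "-" "Mozilla/5.0"',
        '192.168.50.20 - - [10/Mar/2023:14:01:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        'this line is deliberately not in combined log format',
    ]
    base = datetime(2023, 3, 10, 14, 2, 0, tzinfo=timezone.utc)
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FORMAT)
        status = 302 if i == 11 else 200
        lines.append(f'192.168.50.5 - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 3412 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, info in find_login_bursts(constructed_log()).items():
        verdict = "possible successful guess" if info["success"] else "failed attempts only"
        print(f"{ip}: {info['peak']} login POSTs in window, last status {info['last_status']} ({verdict})")
```

The threshold and window are the tuning knobs: the sample attacker is caught with the defaults (10 POSTs in 60 seconds), while a one-second window would miss attempts spaced two seconds apart, which is why rate-based rules are usually paired with per-account failure counts or a login-attempt limiter on the application itself.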