Penetration Testing with Kali Linux OffSec
|
|
cat /etc/hosts
Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 214 ... 192.168.50.16 offsecwp Listing 102 - Setting up our /etc/hosts file for offsecwp The Intruder 347 Burp feature, as its name suggests, is designed to automate a variety of attack angles, from the simplest to more complex web application attacks. To learn more about this feature, let’s simulate a password brute forcing attack. Since we are dealing with a new target, we can start a new Burp session and configure the Proxy as we did before. Next, we’ll navigate to http://offsecwp/wp-login.php from Firefox. Then, we will type “admin” and “test” as respective username and password values, and click Log in . Figure 95: Simulating a failed WordPress login Returning to Burp, we’ll navigate to Proxy > HTTP History , right-click on the POST request to /wp- login.php and select Send to Intruder . 347 (PortSwigger, 2021), https://portswigger.net/burp/documentation/desktop/tools/intruder/using Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 215 Figure 96: Sending the POST request to Intruder We can now select the Intruder tab in the upper bar, choose the POST request we want to modify, and move to the Positions sub-tab. Knowing that the user admin is correct, we only need to brute force the password field. First, we’ll press Clear on the right bar so that all fields are cleared. We can then select the value of the pwd key and press the Add button on the right. Figure 97: Assigning the password value to the Intruder payload generator Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 216 We have now instructed the Intruder to modify only the password value on each new request. Before starting our attack, let’s provide Intruder with a wordlist. Knowing that the correct password is “password”, we can grab the first 10 values from the rockyou wordlist on Kali. kali@kali:~$ Yüklə Dostları ilə paylaş:
|