In this video walk-through, we covered Burp Suite Intruder, Comparer, Sequencer and Extender as part of the TryHackMe Junior Penetration Tester Pathway. This was part of TryHackMe Burp Suite: Intruder.
Introduction to Burp Suite
Burp Suite is a popular web application security testing tool used for various tasks such as fuzzing, brute force attacks, and credential stuffing. Intruder is one of Burp Suite’s features that allows you to send multiple requests with different inputs to test vulnerabilities like username and password guessing.
Setting Up the Scenario
The user sets up Burp Suite as a proxy to capture and modify web requests. They visit a login page on a test lab and intercept the login request using Burp Suite’s Proxy. Once intercepted, the request is sent to Intruder for further testing.
Burp Suite Intruder Basics
Intruder allows for different attack types based on how payloads (e.g., usernames and passwords) are used to test web applications. The Positions tab in Intruder highlights the parameters (like username and password fields) where payloads will be injected during the attack.
Attack Types
Sniper Mode: This mode uses one payload set (e.g., a list of passwords) and substitutes each value in one position at a time, such as either the username or password field.
Battering Ram Mode: Uses one payload set but injects the same payload into multiple positions (e.g., the same value in both the username and password fields simultaneously).
Pitchfork Mode: This mode allows for two payload sets (e.g., one for usernames and one for passwords) and injects corresponding values from each list simultaneously (e.g., the first username with the first password).
Cluster Bomb Mode: Like Pitchfork, this mode takes one payload set per position, but instead of walking the lists in step it tests every combination (e.g., every username with every password from both lists).
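The difference between the four modes is easiest to see by generating the request bodies each one would produce from a single template. The following is an added example written for this walk-through, not Burp Suite's code or part of the TryHackMe room; it marks positions with the § symbol as Intruder does and sends nothing, so it can be used to check the room's counting questions (three Sniper positions with 100 words, a 100 x 2 x 30 Cluster Bomb) against the stated answers.

```python
"""Model of the four Burp Intruder attack types applied to one request template.

Added example, not Burp Suite's code or part of the TryHackMe room. Positions are
delimited with the section sign (§) as in Intruder; the text between the markers
is the position's base value, which Sniper keeps for positions it is not attacking.
Nothing is sent: the function only returns the bodies Intruder would generate.
"""
import itertools
import re

POSITION = re.compile(r"§([^§]*)§")

def parse_template(template):
    """Split a template into literal chunks and the base value of each § position."""
    parts = POSITION.split(template)  # literal, base, literal, base, ..., literal
    return parts[0::2], parts[1::2]

def render(literals, values):
    """Interleave the literal chunks with one value per position."""
    body = literals[0]
    for value, literal in zip(values, literals[1:]):
        body += value + literal
    return body

def intruder_requests(template, attack, payload_sets):
    """Return the request bodies Intruder would send, in order, for an attack type."""
    literals, bases = parse_template(template)
    n = len(bases)
    if attack == "sniper":
        (words,) = payload_sets  # Sniper accepts exactly one payload set
        bodies = []
        for pos in range(n):  # one position at a time: positions x words requests
            for word in words:
                values = list(bases)
                values[pos] = word
                bodies.append(render(literals, values))
        return bodies
    if attack == "battering ram":
        (words,) = payload_sets  # the same payload lands in every position at once
        return [render(literals, [word] * n) for word in words]
    if len(payload_sets) != n:
        raise ValueError("Pitchfork and Cluster bomb need one payload set per position")
    if attack == "pitchfork":  # sets are walked in step and stop at the shortest one
        return [render(literals, list(combo)) for combo in zip(*payload_sets)]
    if attack == "cluster bomb":  # every combination: product of the set sizes
        return [render(literals, list(combo)) for combo in itertools.product(*payload_sets)]
    raise ValueError(f"unknown attack type: {attack}")
```

Using the template `username=§admin§&password=§admin§` with constructed word lists reproduces the answer to the "first request body" question, since Sniper's first request keeps the base value in the untouched position.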
Payload Setup
The video demonstrates how to load wordlists or manually enter payloads (usernames and passwords) for testing. For example, a password wordlist is loaded into Intruder to perform a brute-force attack on the login form. Each attack type handles the payloads differently, allowing the tester to choose the best method based on the scenario.
Practical Example
The user intercepts a login request, configures Intruder, selects the attack type (e.g., Pitchfork), and loads separate wordlists for usernames and passwords. Once the attack is launched, Burp Suite cycles through the payloads, testing each combination until a successful login attempt is identified.
Conclusion
The video emphasizes understanding how to use the different attack modes of Burp Suite Intruder depending on the scenario. For instance, Cluster Bomb is ideal for testing all possible combinations, while Pitchfork works well when testing two sets of inputs (e.g., usernames and passwords) simultaneously.
Video Highlights
Intruder is Burp Suite’s built-in fuzzing tool that allows for automated request modification and repetitive testing with variations in input values. By using a captured request (often from the Proxy module), Intruder can send multiple requests with slightly altered values based on user-defined configurations. It serves various purposes, such as brute-forcing login forms by substituting username and password fields with values from a wordlist or performing fuzzing attacks using wordlists to test subdirectories, endpoints, or virtual hosts. Intruder’s functionality is comparable to command-line tools like Wfuzz or ffuf.
However, it’s important to note that while Intruder can be used with Burp Community Edition, it is rate-limited, significantly reducing its speed compared to Burp Professional. This limitation often leads security practitioners to rely on other tools for fuzzing and brute-forcing. Nonetheless, Intruder remains a valuable tool and is worth learning to use effectively.
There are four sub-tabs within Intruder:
- Positions: This tab allows us to select an attack type (which we will cover in a future task) and configure where we want to insert our payloads in the request template.
- Payloads: Here we can select values to insert into the positions defined in the Positions tab. We have various payload options, such as loading items from a wordlist. The way these payloads are inserted into the template depends on the attack type chosen in the Positions tab. The Payloads tab also enables us to modify Intruder’s behavior regarding payloads, such as defining pre-processing rules for each payload (e.g., adding a prefix or suffix, performing match and replace, or skipping payloads based on a defined regex).
- Resource Pool: This tab is not particularly useful in the Burp Community Edition. It allows for resource allocation among various automated tasks in Burp Professional. Without access to these automated tasks, this tab is of limited importance.
- Settings: This tab allows us to configure attack behavior. It primarily deals with how Burp handles results and the attack itself. For instance, we can flag requests containing specific text or define Burp’s response to redirect (3xx) responses.
Room Answers
Ques 1: Which section of the Options sub-tab allows you to control what information will be captured in the Intruder results?
Ans 1: attack results
Ques 2: In which Intruder sub-tab can we define the “Attack type” for our planned attack?
Ans 2: positions
Ques 3: If you were using Sniper to fuzz three parameters in a request, with a wordlist containing 100 words, how many requests would Burp Suite need to send to complete the attack?
Ans 3: 300
Ques 4: How many sets of payloads will Sniper accept for conducting an attack?
Ans 4: 1
Ques 5: Sniper is good for attacks where we are only attacking a single parameter, aye or nay?
Ans 5: aye
Ques 6: What would the body parameters of the first request that Burp Suite sends be?
Ans 6: username=ADMIN&password=ADMIN
Ques 7: What is the maximum number of payload sets we can load into Intruder in Pitchfork mode?
Ans 7: 20
Ques 8: We have three payload sets. The first set contains 100 lines; the second contains 2 lines; and the third contains 30 lines. How many requests will Intruder make using these payload sets in a Cluster Bomb attack?
Ans 8: 6000
Ques 9: Which payload type lets us load a list of words into a payload set?
Ans 9: simple list
Ques 10: Which Payload Processing rule could we use to add characters at the end of each payload in the set?
Ans 10: add suffix
Ques 11: Which attack type is best suited for this task?
Ans 11: sniper
Ques 12: Either using the Response tab in the Attack Results window or by looking at each successful (i.e. 200 code) request manually in your browser, find the ticket that contains the flag. What is the flag?
Ans 12: THM{MTMxNTg5NTUzMWM0OWRlYzUzMDVjMzJl}
New Version Room Answers
In which Intruder tab can we define the “Attack type” for our planned attack?
positions
What symbol defines the start and the end of a payload position?
§
Which Payload processing rule could we use to add characters at the end of each payload in the set?
add suffix
If you were using Sniper to fuzz three parameters in a request with a wordlist containing 100 words, how many requests would Burp Suite need to send to complete the attack?
300
How many sets of payloads will Sniper accept for conducting an attack?
1
What would the body parameters of the first request that Burp Suite sends be?
username=admin&password=admin
What is the maximum number of payload sets we can load into Intruder in Pitchfork mode?
20
We have three payload sets. The first set contains 100 lines, the second contains 2 lines, and the third contains 30 lines.
How many requests will Intruder make using these payload sets in a Cluster bomb attack?
6000
What attack type cycles through the payloads inserting one payload at a time into each position defined in the request?
sniper
What username and password combination indicates a successful login attempt? The answer format is “username:password”.
m.rivera:letmein1
Which attack type is best suited for this task?
sniper
Either using the Response tab in the Attack Results window or by looking at each successful (i.e. 200 code) request manually in your browser, find the ticket that contains the flag.
What is the flag?
THM{MTMxNTg5NTUzMWM0OWRlYzUzMDVjMzjl}
What username and password combination indicates a successful login attempt? The answer format is “username:password”.
o.bennet:bella1