In this video walk-through, we covered BurpSuite Intruder, Comparer, Sequencer and Extender as part of TryHackMe Junior Penetration Tester Pathway.. This was part of TryHackMe Burp Suite: Intruder.
The Complete Practical Metasploit Framework Course
Challenge Description
Learn how to use Intruder to automate requests in Burp Suite & Take a dive into some of Burp Suite’s lesser-known modules.
Video Highlights
Intruder is Burp Suite’s built-in fuzzing tool that allows for automated request modification and repetitive testing with variations in input values. By using a captured request (often from the Proxy module), Intruder can send multiple requests with slightly altered values based on user-defined configurations. It serves various purposes, such as brute-forcing login forms by substituting username and password fields with values from a wordlist or performing fuzzing attacks using wordlists to test subdirectories, endpoints, or virtual hosts. Intruder’s functionality is comparable to command-line tools like Wfuzz or ffuf.
However, it’s important to note that while Intruder can be used with Burp Community Edition, it is rate-limited, significantly reducing its speed compared to Burp Professional. This limitation often leads security practitioners to rely on other tools for fuzzing and brute-forcing. Nonetheless, Intruder remains a valuable tool and is worth learning how to use it effectively.
There are four sub-tabs within Intruder:
- Positions: This tab allows us to select an attack type (which we will cover in a future task) and configure where we want to insert our payloads in the request template.
- Payloads: Here we can select values to insert into the positions defined in the Positions tab. We have various payload options, such as loading items from a wordlist. The way these payloads are inserted into the template depends on the attack type chosen in the Positions tab. The Payloads tab also enables us to modify Intruder’s behavior regarding payloads, such as defining pre-processing rules for each payload (e.g., adding a prefix or suffix, performing match and replace, or skipping payloads based on a defined regex).
- Resource Pool: This tab is not particularly useful in the Burp Community Edition. It allows for resource allocation among various automated tasks in Burp Professional. Without access to these automated tasks, this tab is of limited importance.
- Settings: This tab allows us to configure attack behavior. It primarily deals with how Burp handles results and the attack itself. For instance, we can flag requests containing specific text or define Burp’s response to redirect (3xx) responses.
Room Answers
Ques 1: Which section of the Options sub-tab allows you to control what information will be captured in the Intruder results?
Ans 1: attack resultsQues 2: In which Intruder sub-tab can we define the “Attack type” for our planned attack?
Ans 2: positionsQues 3: If you were using Sniper to fuzz three parameters in a request, with a wordlist containing 100 words, how many requests would Burp Suite need to send to complete the attack?
Ans 3: 300Ques 4: How many sets of payloads will Sniper accept for conducting an attack?
Ans 4: 1Ques 5: Sniper is good for attacks where we are only attacking a single parameter, aye or nay?
Ans 5: ayeQues 6: What would the body parameters of the first request that Burp Suite sends be?
Ans 6: username=ADMIN&password=ADMINQues 7: What is the maximum number of payload sets we can load into Intruder in Pitchfork mode?
Ans 7: 20Ques 8: We have three payload sets. The first set contains 100 lines; the second contains 2 lines; and the third contains 30 lines. How many requests will Intruder make using these payload sets in a Cluster Bomb attack?
Ans 8: 6000Ques 9: Which payload type lets us load a list of words into a payload set?
Ans 9: simple listQues 10: Which Payload Processing rule could we use to add characters at the end of each payload in the set?
Ans 10: add suffixQues 11: Which attack type is best suited for this task?
Ans 11: sniperQues 12: Either using the Response tab in the Attack Results window or by looking at each successful (i.e. 200 code) request manually in your browser, find the ticket that contains the flag. What is the flag?
Ans 12: THM{MTMxNTg5NTUzMWM0OWRlYzUzMDVjMzJl}
New Version Answers
In which Intruder tab can we define the “Attack type” for our planned attack?
positions
What symbol defines the start and the end of a payload position?
§
Which Payload processing rule could we use to add characters at the end of each payload in the set?
add suffix
If you were using Sniper to fuzz three parameters in a request with a wordlist containing 100 words, how many requests would Burp Suite need to send to complete the attack?
300
How many sets of payloads will Sniper accept for conducting an attack?
1
What would the body parameters of the first request that Burp Suite sends be?
username=admin&password=admin
What is the maximum number of payload sets we can load into Intruder in Pitchfork mode?
20
We have three payload sets. The first set contains 100 lines, the second contains 2 lines, and the third contains 30 lines.
How many requests will Intruder make using these payload sets in a Cluster bomb attack?
6000
What attack type cycles through the payloads inserting one payload at a time into each position defined in the request?
sniper
What username and password combination indicates a successful login attempt? The answer format is “username:password”.
m.rivera:letmein1
Which attack type is best suited for this task?
sniper
Either using the Response tab in the Attack Results window or by looking at each successful (i.e. 200 code) request manually in your browser, find the ticket that contains the flag.
What is the flag?
THM{MTMxNTg5NTUzMWM0OWRlYzUzMDVjMzjl}
What username and password combination indicates a successful login attempt? The answer format is “username:password”.
o.bennet:bella1
Video Walkthrough
