Need help with Burp Suite Brute Forcer

[Lasky]

Ok, So, I have been trying to hack into my email all day. I purposely set the password for low payloads. It was only seven characters long and contained the character set ab1. I highlight the password parameter after sending the intercepted message to the intruder, I use sniper, and use the brute forcer payload.

When it's all said and done, I have a couple thousand results, except they vary in length and status, and usually the CORRECT password is in a generic status and length. Am I using brute forcer wrong? Every tutorial I have found only uses preset password lists, but I am looking to get UNIQUE passwords, not generic ones, thats why I use brute forcer. Am I wrong?

I'm fairly new at this and I think only Burp Suite users will know what I'm talking about haha.

Any help would be appreciated greatly.

P.S. I have tried using cluster bomb, with the only payload for the first parameter is my email and the second payload is a brute forcer and still nothing.

-- Sun Oct 14, 2012 1:57 pm --

Forgive me for double posting, but I felt that using screenshots may aid you in helping me. I'm helping you help me

[weekend hacker]

Sorry I've never used this, but if you're trying it out on HTS I should point out that after just a few failed attempts it'll probably throw up a captcha stopping your brute force dead in its tracks.
None of the missions on hts involve brute force so its not really useful on this site. Maybe you could set up a tiny website to test on on your own?

Something like

Code: Select all

<?php
if (($_POST['username']=="Lasky") && ($_POST['password']=="boobies"))
{
  echo "success!";
} else {
  echo "fail :(";
}
?>


should do the trick for testing stuff.

[Lasky]

Even if I could, (which I can't), It still didn't work on my own email :/

I have no idea what I am doing wrong. Also, the password on HTS is insanely hard to crack using this method.

I was wondering, is there any easier way to do this aside from Brute Forcer? Is there any easier password cracks you know using this method? I have seen using cluster bomb against generic admin names (admin, admin 1) against generic password (1234, password, password1, qwerty). However, what if I already know the user name? I need a way to generate the passwords, and get results. So far brute forcer isn't working so well :/

[0phidian]

Even if I could, (which I can't), It still didn't work on my own email :/

I have no idea what I am doing wrong. Also, the password on HTS is insanely hard to crack using this method.

I was wondering, is there any easier way to do this aside from Brute Forcer? Is there any easier password cracks you know using this method? I have seen using cluster bomb against generic admin names (admin, admin 1) against generic password (1234, password, password1, qwerty). However, what if I already know the user name? I need a way to generate the passwords, and get results. So far brute forcer isn't working so well :/

Your email must likely has something implemented to prevent brute force attacks as well. If you want to set up your own website to test look into xampp and apache, you can run it locally.

If you cant figure out what your doing wrong, maybe you should learn more about what your doing, learn how these attacks work on a lower level. Look into POST requests, some knowledge of PHP would also be helpful.

P.S.

i can't

Is something a hacker should never say/think. You may not know how to now,but you can certianly learn.

[Lasky]

Very true. I guess I will get to reading then