Need help with Burp Suite Brute Forcer

Post by Lasky on Sat Oct 13, 2012 7:17 pm

OK, so, I have been trying to hack into my email all day. I purposely set the password for low payloads. It was only seven characters long and contained the character set ab1. I highlight the password parameter after sending the intercepted message to the intruder, I use sniper, and use the brute forcer payload.

When it's all said and done, I have a couple thousand results, except they vary in length and status, and usually the CORRECT password is in a generic status and length. Am I using brute forcer wrong? Every tutorial I have found only uses preset password lists, but I am looking to get UNIQUE passwords, not generic ones, that's why I use brute forcer. Am I wrong?

I'm fairly new at this and I think only Burp Suite users will know what I'm talking about haha.

Any help would be appreciated greatly.

P.S. I have tried using cluster bomb, with the only payload for the first parameter being my email and the second payload being a brute forcer, and still nothing.

-- Sun Oct 14, 2012 1:57 pm --

Forgive me for double posting, but I felt that using screenshots may aid you in helping me. I'm helping you help me :)



Re: Need help with Burp Suite Brute Forcer

Post by weekend hacker on Sun Oct 14, 2012 1:56 pm

Sorry, I've never used this, but if you're trying it out on HTS I should point out that after just a few failed attempts it'll probably throw up a captcha, stopping your brute force dead in its tracks.
None of the missions on HTS involve brute force, so it's not really useful on this site. Maybe you could set up a tiny website to test on on your own?

Something like
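Code:
<?php
// Local test target only: fixed credentials, no lockout or captcha.
// ?? '' avoids undefined-index notices when a field is missing.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (($username === "Lasky") && ($password === "boobies"))
{
  echo "success!";
} else {
  echo "fail :(";
}
?>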

should do the trick for testing stuff.


Re: Need help with Burp Suite Brute Forcer

Post by Lasky on Sun Oct 14, 2012 5:38 pm

Even if I could (which I can't), it still didn't work on my own email :/

I have no idea what I am doing wrong. Also, the password on HTS is insanely hard to crack using this method.

I was wondering, is there any easier way to do this aside from Brute Forcer? Are there any easier password cracks you know using this method? I have seen using cluster bomb against generic admin names (admin, admin 1) against generic password (1234, password, password1, qwerty). However, what if I already know the user name? I need a way to generate the passwords, and get results. So far brute forcer isn't working so well :/


Re: Need help with Burp Suite Brute Forcer

Post by 0phidian on Sun Oct 14, 2012 6:07 pm

Lasky wrote: Even if I could (which I can't), it still didn't work on my own email :/

I have no idea what I am doing wrong. Also, the password on HTS is insanely hard to crack using this method.

I was wondering, is there any easier way to do this aside from Brute Forcer? Are there any easier password cracks you know using this method? I have seen using cluster bomb against generic admin names (admin, admin 1) against generic password (1234, password, password1, qwerty). However, what if I already know the user name? I need a way to generate the passwords, and get results. So far brute forcer isn't working so well :/


Your email most likely has something implemented to prevent brute force attacks as well. If you want to set up your own website to test, look into XAMPP and Apache; you can run it locally.

If you can't figure out what you're doing wrong, maybe you should learn more about what you're doing, learn how these attacks work on a lower level. Look into POST requests; some knowledge of PHP would also be helpful.

P.S.
"I can't"

is something a hacker should never say/think. You may not know how to now, but you can certainly learn.
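
As an added illustration (not code from any poster in this thread), here is the local test page suggested earlier extended with the kind of failed-attempt lockout the replies describe. Once an account is locked, a correct password gets the same response as a wrong one, so response length and status stop identifying it. The threshold, lock duration and temp-file store are assumptions chosen for a local XAMPP setup.

```php
<?php
// Added example: local test login with per-username lockout (not from the thread).
// Assumed values: MAX_FAILS, LOCK_SECONDS and the JSON temp file are illustrative.
const MAX_FAILS = 5;
const LOCK_SECONDS = 300;

function check_login(string $user, string $pass, array &$state, int $now): string
{
    $entry = $state[$user] ?? ['fails' => 0, 'locked_until' => 0];

    // While locked, reject before the password is even compared, so a
    // correct guess is indistinguishable from a wrong one.
    if ($now < $entry['locked_until']) {
        return "fail :(";
    }
    // Lock has expired: start a fresh counting window.
    if ($entry['fails'] >= MAX_FAILS) {
        $entry = ['fails' => 0, 'locked_until' => 0];
    }

    // hash_equals() compares in constant time.
    $ok = hash_equals("Lasky", $user) && hash_equals("boobies", $pass);
    if ($ok) {
        unset($state[$user]);
        return "success!";
    }

    $entry['fails']++;
    if ($entry['fails'] >= MAX_FAILS) {
        $entry['locked_until'] = $now + LOCK_SECONDS;
    }
    $state[$user] = $entry;
    return "fail :(";
}

// Request handling: counters persist between requests in a JSON file.
$file  = sys_get_temp_dir() . '/login_throttle.json';
$state = is_file($file) ? (json_decode(file_get_contents($file), true) ?: []) : [];
$user  = $_POST['username'] ?? '';
$pass  = $_POST['password'] ?? '';
// Non-string input (e.g. username[]=x) is treated as empty.
echo check_login(is_string($user) ? $user : '', is_string($pass) ? $pass : '', $state, time());
file_put_contents($file, json_encode($state), LOCK_EX);
```

Locking by username alone lets anyone lock the real owner out, so production services typically add per-source rate limits or a captcha step rather than relying on this counter alone.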


Re: Need help with Burp Suite Brute Forcer

Post by Lasky on Sun Oct 14, 2012 9:29 pm

Very true. I guess I will get to reading then :P