Start a new temporary project in Burp Suite.
We will be using Burp Suite's built-in browser.
- Click on Proxy.
- Under Proxy click Intercept.
- Now click on Open Browser.
- Enter the IP Address of the DVWA Virtual Machine.
Now you should see the DVWA login page. Log in with the default credentials:
Username: admin
Password: password
- Go to DVWA Security.
- Now select medium in the drop-down menu and click Submit. You get the following alert.
- For confirmation, you can check the current security level shown at the bottom left of the page.
- Now click on Brute Force.
Now in Burp Suite, click on "Intercept is off" to turn the intercept on.
Try logging in with the username admin and the password pass.
Now let's send this intercepted request to Intruder.
Click on Action, then Send to Intruder, or press Ctrl + I.
Select pass and click on Add.
Now we have set pass as the payload position, the variable Intruder will substitute.
Go to Intruder -> Payloads.
In Payload settings, let's load up this password list from SecLists.
Click on Load, then go to the location of the file and select it.
After setup you get this.
Go to Intruder -> Settings -> Grep - Match.
Clear all and add incorrect and Incorrect to the list, so that each response is flagged when it contains either string.
Now start the attack.
We can see that row 2 differs from the others in both the response length and the incorrect column.
Since we searched for the string incorrect, every wrong password is marked 1 in that column, and the one row that is not marked gives the password for the admin user: password.
The only problem faced was that there is a delay of 2 seconds.
Similarly, there are a few other users in the database; their passwords are:
- admin:password
- 1337:charley
- gordonb:abc123
- Pablo:letmein
- Smithy:password
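Seen from the defending side, the run above leaves an obvious trace in the web server's access log: many login attempts for one account from one source within a short span. The script below is an added example, not part of this walkthrough or of DVWA; it parses constructed Apache log lines and flags any (source IP, username) pair that makes five or more attempts inside one minute. It assumes DVWA is served from the web root, so the Brute Force module sits at /vulnerabilities/brute/ and takes username and password as GET parameters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed Apache common-log-format lines (made up for this example). The attempts from
# 10.0.0.5 arrive two seconds apart, which is the spacing the medium-level delay produces.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:00 +0000] "GET /vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.1" 200 4512
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /vulnerabilities/brute/?username=admin&password=12345&Login=Login HTTP/1.1" 200 4512
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /vulnerabilities/brute/?username=admin&password=qwerty&Login=Login HTTP/1.1" 200 4512
10.0.0.5 - - [12/Mar/2024:10:00:06 +0000] "GET /vulnerabilities/brute/?username=admin&password=letmein&Login=Login HTTP/1.1" 200 4512
10.0.0.5 - - [12/Mar/2024:10:00:08 +0000] "GET /vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4600
10.0.0.9 - - [12/Mar/2024:10:00:05 +0000] "GET /vulnerabilities/brute/?username=gordonb&password=abc123&Login=Login HTTP/1.1" 200 4600
10.0.0.9 - - [12/Mar/2024:10:00:30 +0000] "GET /vulnerabilities/xss_r/ HTTP/1.1" 200 3010
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_login_attempt(line):
    """Return (ip, username, timestamp) for a DVWA login attempt, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    params = parse_qs(url.query)
    # Assumption: DVWA at the web root, credentials passed as GET parameters.
    if url.path != "/vulnerabilities/brute/" or "username" not in params or "password" not in params:
        return None
    return m["ip"], params["username"][0], datetime.strptime(m["ts"], TS_FMT)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map (ip, username) -> peak attempts inside any `window`, for pairs that reach `threshold`."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_login_attempt(line)
        if parsed:
            attempts[parsed[:2]].append(parsed[2])
    alerts = {}
    for key, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts
```

The 2-second delay seen at medium level slows each request but does not cap how many attempts a source can make, so the detection counts attempts per source and account rather than relying on timing.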