🤳Credential Stuffing and Password Spraying
Burp Suite Documentation: Intruder Tool
Introduction
Burp Suite is a powerful set of cybersecurity tools designed for web application security testing. One of its key features is the Intruder tool, which allows users to automate and customize attacks on web applications to identify vulnerabilities. This documentation guides you through the process of using Burp Suite's Intruder tool to perform username and password enumeration.
Password Spraying:
Definition: Password spraying involves attempting a few commonly used passwords against numerous usernames. Instead of a brute force attack with numerous password attempts for a single user, it's a more subtle approach with a limited number of attempts per user.
Objective: The goal is to avoid detection by not triggering account lockouts due to multiple failed login attempts.
Credential Stuffing:
Definition: Credential stuffing is a type of cyberattack where attackers use username and password combinations obtained from previous data breaches on other websites. They try these combinations on various online platforms, exploiting the fact that people often reuse passwords across multiple accounts.
Objective: Attackers leverage the likelihood of users reusing passwords to gain unauthorized access to multiple accounts.
Prerequisites
Before using the Intruder tool, ensure that you have:
Installed and configured Burp Suite.
Basic knowledge of web application security concepts.
Procedure
1. Configure Burp Proxy
Open the Burp Proxy tab.
Confirm that "Intercept is off."
Visit the login page of the target application in your browser.
Return to Burp.
2. Enable Intercept
In the Proxy "Intercept" tab, turn on "Intercept."
Enter arbitrary details in the login page and submit the request.
Captured requests appear in the "Intercept" tab.
3. Send Request to Intruder
Right-click on the captured request.
Select "Send to Intruder."
4. Configure Intruder
Add "username" and "password" as payload positions.
Change the attack type to "Cluster bomb."
Go to the "Payloads" tab.
5. Configure Payloads
In "Payload sets," set "Payload set" to "1" and "Payload type" to "Simple list."
Enter possible usernames in the "Payload settings."
Change "Payload set" to "2" and enter possible passwords.
Click the "Start attack" button.
6. Analyze Results
Observe the responses for differences in status code or length. A response that deviates from the rest may indicate a valid credential pair. Open the attack window to examine the response details.
7. Advanced Analysis of Results
Burp Suite offers a grep feature that makes result analysis easier. Begin by examining the raw output and identifying a distinctive message, such as "error signing you in." Copy this specific error message and navigate to the grep feature in the Intruder options. In the grep match section, clear the existing list and paste the error message.
When you restart the attack, Burp Suite marks every response containing the specified message. This lets you quickly pick out the responses that lack the error message, which are the ones worth investigating first.
Password spraying and credential stuffing are very common on external assessments, so they are worth knowing.