What is Brute Force?
A brute force attack is a trial-and-error method, used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. ~TechoPediaThis attack is hugely dependent on system resources and computing power. An attack of this nature can time and resource consuming, and the success of these attacks depends on the number of combinates that can be made, rather than the number of login attempts.
Counter Measures:-
The following measures can be used to defend against brute force attacks:- Requiring users to create complex passwords
- Limiting the number of times a user can unsuccessfully attempt to log in
- Temporarily locking out users who exceed the specified maximum number of failed login attempts
Let’s get started…
What do we need?
So to get started we need somethings ready.You need to have Burp Suite installed and configured on your system. You can read this article to get started how to setup Burp Suite.
And here is the video that you can follow setting up you burp. If you are new to Burp suite and don’t know how it works and how to use Burp then you can follow this complete guide to getting started with Burp.
Burp Suite Tutorial Web Penetration Tool Kit
And the second most important thing that you need is a testing lab. You should always consider creating a testing lab before doing anything else so in this case, I am using Metasploitable 2.
How To Setup Security Testing Lab (Full Virtual Envournment)
After you have done that now we can actually start the process.
Step#1:
Run Metasploitable 2 virtual machine
Open the open Metasploitable 2 IP in your browser and then select DVWA
and you will see the login page right after you click on DVWA
Now we are ready and we will start the brute force attack.
Step#2:
Now we will open burp suite and change browser proxy setting to burps proxy.
Now as the proxy is set up let’s move on to the next step.
Step#3
Now go back to the Metasploitable tab and log in to DVWA with username = admin and password = password. In the burp, the site makes sure the Proxy is intercepting the requests.
And when you will click on login you will see something like this.
Here click on “Brute force“.
Now enter any random username and password and click on login and you will get the login request in the interceptor.
You can see the requests over here as the username and password are sent in the post request.
Right click on the request and click on “Send to Intruder“.
Step#4:
Now go to intruder tab and click on “Positions” tab, and then click on clear.
Select username and password paraments and then click on add.
And from the Attack type select “Cluster Bomb” what will this do is select one username from your wordlist and try all other words as password for that username.
Step#5:
Now click on “Payloads” and change the “Payload Set” from 1 to 2.
After that, you need to import your brute force wordlist that you will use to brute force. So in “Payload Options” click on “Load”
Step#6:
Now all you need to do is click on “Start Attack“.
You can see that total words in my wordlist are 19 and as we have selected Cluster Bomb 50,176 request will be made. For example, everyone Username will have 19 password tries so 19*19= 361.
Now we will wait.
And if the password is wrong you can see it in the response “Username and/or password incorrect”
And to confirm it from the response as it will be “Welcome to the password protected area admin”