Wednesday, November 9, 2022

A Simple Brute Force Attack using Burp Suite and DVWA as Target

I have just downloaded Burp Suite and have been playing with Damn Vulnerable Web Application (DVWA) for quite some time now. As my first experiment, I tried to use Burp Suite's brute-forcing features.

By the way, Burp Suite is a popular application testing tool, and DVWA is a website, which I installed on a WAMP server, designed with several levels of security misconfigurations so that security professionals can simulate several scenarios, especially the OWASP Top 10.

Here is how I performed the attack:

  1. I opened Burp Suite with the default settings and configuration. Normally two popup screens appear first, asking whether you have an existing project and a custom configuration. From the main window I clicked the Proxy button; below it, I could see that Intercept is Off and that there is also an Open Browser button. With intercept off, Burp will not intercept any traffic from the browser. Burp Suite's built-in browser is already configured to use the proxy, so all I had to do was open it.

  2. After opening the browser, I started the WAMP server. Once it was running, I browsed to the DVWA website using the URL http://localhost/dvwa, and the login screen opened, prompting me to enter my username and password.

  3. I turned on intercept by pressing the Intercept button, then entered my username and password (I purposely entered the wrong password). I got the following result in Burp Suite, which means it was able to intercept the web request:

  4. Looking at the bottom, it was able to capture the username and password I entered.

  5. I right-clicked the text that appeared and chose Send to Intruder from the context menu. The Intruder button at the top, beside the Proxy menu, changed colour, so I clicked it and the following screen appeared:

  6. I changed the attack type to Cluster bomb. I clicked the Clear button on the right to remove all highlighted fields, selected the username and clicked the Add button above the Clear button, then did the same for the password I entered. I pressed the Payloads tab and the following screen appeared:

  7. I left the combo boxes at the top as they were and added "admin" under Payload Options, which means that payload set 1 (the combo box) has the single value "admin". I could enter several usernames in this list to simulate a password spray attack, but since this post is about brute force, I only entered one username. Then I changed the payload set to 2 and added several passwords.

  8. Finally, I pressed the Start Attack button and the following screen appeared:

  9. I clicked each row to check the response and got the following result: all of the entries produced the same response except the last one:

  10. So in conclusion, the password is "test", which is correct.
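From the defender's side, the Intruder run above shows up as a burst of POSTs to the DVWA login page from one client within a few seconds, which the WAMP/Apache access log records. The script below is an added example, not part of the original post: it parses constructed combined-format access-log lines and flags any client IP that sends at least `threshold` login POSTs inside a sliding time window (the log lines, IP addresses and thresholds are made up for illustration).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache access-log lines (combined format, as a WAMP install
# writes them): one client hammering the DVWA login form while a second
# client logs in once normally. IPs, sizes and times are made up.
SAMPLE_LOG = """\
192.168.1.20 - - [09/Nov/2022:20:14:50 +0800] "GET /dvwa/login.php HTTP/1.1" 200 1289 "-" "Mozilla/5.0"
192.168.1.20 - - [09/Nov/2022:20:14:58 +0800] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
127.0.0.1 - - [09/Nov/2022:20:15:01 +0800] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
127.0.0.1 - - [09/Nov/2022:20:15:01 +0800] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
127.0.0.1 - - [09/Nov/2022:20:15:02 +0800] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
127.0.0.1 - - [09/Nov/2022:20:15:02 +0800] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
127.0.0.1 - - [09/Nov/2022:20:15:03 +0800] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD path proto", status; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def find_login_bursts(lines, path="/dvwa/login.php", threshold=5, window=timedelta(seconds=60)):
    """Map each client IP to the most POSTs it sent to `path` inside any sliding
    `window`, keeping only clients at or above `threshold`. Status codes are not
    used: a login form may answer right and wrong passwords alike, so rate is the signal."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == path:
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

Running `find_login_bursts(SAMPLE_LOG.splitlines())` on the constructed log flags only 127.0.0.1 (five login POSTs in three seconds); the single normal login from 192.168.1.20 stays below the threshold.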

That wraps up my first experiment with Burp Suite.
