Day 028 #FromZeroToHacker – Burp Suite Intruder

We have already covered Proxy and Repeater modules. Now, it is time for the third module: Intruder.

Let’s go for another #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Burp Suite

Intruder lets us automate customised requests against a web application, which is very useful for fuzzing and brute-forcing.

What is Intruder?

Intruder, Burp Suite's built-in fuzzing tool, lets us take a request and use it as a template to send many more requests with altered values automatically.

Imagine we capture a request containing a login attempt with one username. We could configure Intruder to swap out the password field for values from a wordlist, brute-forcing our way in. We can also pass a fuzzing wordlist (fuzzing is when we take a set of data and apply it to a parameter to test whether something exists) and use Intruder to fuzz for subdirectories, endpoints or virtual hosts.

Burp Suite Intruder interface

Besides displaying our target and its port, we can see four Intruder sub-tabs:

  • Positions lets us select an Attack Type and configure where in the request template we want to insert our payloads.
  • Payloads lets us select the values to insert into each of the positions we defined in the previous sub-tab. Here we load the wordlists that will serve as payloads.
  • Resource pool lets us control how many concurrent requests an attack may send and how it shares Burp's resources with other tasks. Running several automated tasks in the background at once is a Pro feature, and the Community edition also rate-limits Intruder attacks.
  • Options lets us configure the attack behaviour and how Burp handles the attack itself (for example what to do with redirects and errors).

Positions

The first thing we need to do when performing an attack with Intruder is look at positions. Positions tell Intruder where to insert payloads from the wordlists.

Burp Suite Intruder Positions

Burp automatically attempts to determine where we may want to insert a payload. These positions are highlighted in green and surrounded by section signs (§), also called silcrows.

On the right-hand side, we have three buttons:

  • Add lets us define a new position: highlight the value in the request and then click the button.
  • Clear removes all defined positions.
  • Auto attempts to select positions automatically.

Attack Types: Introduction

Still in the Positions sub-tab, we have four attack types available:

  • Sniper
  • Battering ram
  • Pitchfork
  • Cluster bomb
Burp Suite Intruder attack types

Attack Types: Sniper

Sniper is the most common attack type and the first on the list.

In a sniper attack, we provide just one set of payloads from a wordlist (a “Payload set”). Intruder takes each payload from the payload set and puts it into each defined position in turn, leaving every other position at its original value:

Burp Suite Intruder sniper example

We have two positions defined here: Username and Password.

In a sniper attack, Intruder takes each position and substitutes every payload into it in turn. For example, with a payload set of 10 words and two positions, Intruder makes 20 requests (Requests = Number of words × Number of positions).

This makes Sniper a good tool for single-position attacks, such as brute-forcing a password when we already know the username, or fuzzing for directories or an API endpoint.

Attack Types: Battering ram

Like Sniper, Battering ram takes one set of payloads (wordlist). Unlike Sniper, Battering ram puts the same payload into every position at once rather than into one position at a time.

Let’s use the same wordlist and example as we did in the Sniper attack:

Burp Suite Intruder sniper example

If we use a Battering ram attack, Intruder takes each payload and substitutes it into every position at the same time. With a payload set of 10 words, it makes 10 requests, each substituting the same payload into all positions. This is useful when the same value has to appear in several places, for example a username that is sent both in a parameter and in a cookie.

Attack types: Pitchfork

Pitchfork is the attack type we are most likely to use in practice. Think of Pitchfork as multiple Sniper attacks running at the same time. Instead of using just one payload set, Pitchfork uses one payload set per position (up to 20 positions).

Pitchfork takes the first item from each list and puts them into the request. It then repeats this for the next request, taking the second item from each list, and keeps going until at least one of the lists runs out.

If we have two payload sets, one with 90 lines and one with 100, Intruder will make only 90 requests. This makes Pitchfork the right choice for credential stuffing, where each username is paired with one leaked password rather than tried against every password in the list.

Attack types: Cluster bomb

Like Pitchfork, Cluster bomb lets us choose multiple payload sets and multiple positions (up to 20). Unlike Pitchfork, Cluster bomb iterates through each payload set independently, so that every combination of payloads is tested.

If we have 2 positions and 2 payload sets of 10 payloads each, it will make 100 requests (10 × 10).

This attack type creates a huge amount of traffic, since the number of requests is the product of the payload set sizes, but it is the one to use when we don’t know the username: every username is tried against every password.
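The four attack types above differ only in how they walk the payload sets across the marked positions. The following script, added here as an example and not part of the TryHackMe room or of Burp itself, re-creates that walk in Python: it parses a template with § markers, then expands it the way Sniper, Battering ram, Pitchfork and Cluster bomb would. The login request, the wordlists and the hostname target.example are constructed for the example; the Cluster bomb ordering (payload set 1 cycling fastest) follows Burp's documented behaviour.

```python
from itertools import product
from typing import List, Sequence

# The section sign Burp uses to mark payload positions in the request template.
MARK = "\u00a7"

# Constructed sample: the login request from the text, with two positions.
# The text between each pair of markers is the base value a position keeps
# when the current request does not target it.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    f"username={MARK}admin{MARK}&password={MARK}letmein{MARK}"
)


def base_values(template: str) -> List[str]:
    """Return the base value of every marked position, in order."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers in template")
    return parts[1::2]


def render(template: str, values: Sequence[str]) -> str:
    """Substitute one value per position and strip the markers."""
    parts = template.split(MARK)
    if len(values) != len(parts) // 2:
        raise ValueError(f"expected {len(parts) // 2} values, got {len(values)}")
    out = parts[0]
    for value, trailing in zip(values, parts[2::2]):
        out += value + trailing
    return out


def generate_requests(template: str, attack_type: str,
                      payload_sets: Sequence[Sequence[str]]) -> List[str]:
    """Expand a template into the requests each Intruder attack type sends.

    sniper and battering_ram take exactly one payload set; pitchfork and
    cluster_bomb take one payload set per position.
    """
    base = base_values(template)
    n = len(base)
    requests: List[str] = []

    if attack_type in ("sniper", "battering_ram"):
        if len(payload_sets) != 1:
            raise ValueError(f"{attack_type} takes exactly one payload set")
        words = payload_sets[0]
        if attack_type == "sniper":
            # One position at a time; the others keep their base value.
            for i in range(n):
                for word in words:
                    values = list(base)
                    values[i] = word
                    requests.append(render(template, values))
        else:
            # The same payload goes into every position at once.
            for word in words:
                requests.append(render(template, [word] * n))
    elif attack_type in ("pitchfork", "cluster_bomb"):
        if len(payload_sets) != n:
            raise ValueError(f"{attack_type} needs one payload set per position")
        if attack_type == "pitchfork":
            # Walk all sets in step; zip stops when the shortest runs out.
            for combo in zip(*payload_sets):
                requests.append(render(template, combo))
        else:
            # Every combination. Burp cycles payload set 1 fastest, so build
            # the product over the reversed sets and reverse each result.
            for combo in product(*reversed(payload_sets)):
                requests.append(render(template, list(reversed(combo))))
    else:
        raise ValueError(f"unknown attack type: {attack_type}")
    return requests


def body(request: str) -> str:
    """Return just the body of a rendered request (for display)."""
    return request.split("\r\n\r\n", 1)[1]


if __name__ == "__main__":
    # Constructed wordlists matching the counts used in the text.
    ten_words = [f"word{i}" for i in range(10)]
    users = [f"user{i}" for i in range(90)]
    passwords = [f"pass{i}" for i in range(100)]
    for attack_type, sets in [
        ("sniper", [ten_words]),
        ("battering_ram", [ten_words]),
        ("pitchfork", [users, passwords]),
        ("cluster_bomb", [ten_words, ten_words]),
    ]:
        reqs = generate_requests(TEMPLATE, attack_type, sets)
        print(f"{attack_type:14} {len(reqs):4} requests, first: {body(reqs[0])}")
```

Running it prints 20, 10, 90 and 100 requests respectively, the same counts the text derives. Looking at the rendered bodies also makes the Sniper behaviour concrete: the eleventh Sniper request still carries the base username admin while the password position receives the first payload, which is why Sniper is only appropriate when the untouched positions already hold a valid value.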

Payloads

Switching over to the Payloads sub-tab, we have four sections:

  • Payload sets, where we choose which position we want to configure a set for, and which payload type to use (for example Simple list, Numbers, Recursive grep or Username generator).
  • Payload options, which depend on the payload type currently selected. A Simple list payload gives us a box to add and remove payloads to and from the set, whereas a Numbers payload lets us change options such as the range of numbers and the base we are working with.
Burp Suite Intruder payload options
  • Payload processing lets us define rules applied to each payload in the set before it is sent to the target, for example capitalising every word, adding a prefix or suffix, or skipping any payload that matches a regular expression.
  • Payload encoding lets us override the default URL-encoding options so that characters with a special meaning in the request are transmitted safely.
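To show how processing rules and encoding interact, here is a small payload pipeline, added as an example and not taken from Burp or from the room: each rule is a function that either transforms the payload or returns None to skip it, rules run in the order they are listed, and the survivors are URL-encoded last. The wordlist is constructed for the example, and the set of characters encoded by default is an assumption that mirrors my memory of the Payload encoding panel; check it against your own Burp version.

```python
import re
from typing import Callable, List, Optional, Sequence

# Characters to URL-encode in every payload. Assumption: this set mirrors the
# "URL-encode these characters" default in Intruder's Payload encoding panel.
DEFAULT_UNSAFE = set('./\\=<>?+&*;:"{}|^`#')

# A processing rule maps a payload to its transformed form, or to None to
# drop the payload (the equivalent of Intruder's "Skip if matches regex").
Rule = Callable[[str], Optional[str]]


def capitalise() -> Rule:
    return lambda p: p[:1].upper() + p[1:]


def add_prefix(prefix: str) -> Rule:
    return lambda p: prefix + p


def add_suffix(suffix: str) -> Rule:
    return lambda p: p + suffix


def match_replace(pattern: str, replacement: str) -> Rule:
    rx = re.compile(pattern)
    return lambda p: rx.sub(replacement, p)


def skip_if_matches(pattern: str) -> Rule:
    rx = re.compile(pattern)
    return lambda p: None if rx.search(p) else p


def url_encode(payload: str, unsafe=DEFAULT_UNSAFE) -> str:
    """Percent-encode only the characters in the unsafe set."""
    return "".join(f"%{ord(c):02x}" if c in unsafe else c for c in payload)


def process(payloads: Sequence[str], rules: Sequence[Rule],
            encode: bool = True) -> List[str]:
    """Run every payload through the rules in order, then encode the survivors.

    A rule returning None stops processing for that payload and drops it,
    which is why a skip rule normally belongs first in the list.
    """
    out: List[str] = []
    for payload in payloads:
        current: Optional[str] = payload
        for rule in rules:
            current = rule(current)
            if current is None:
                break
        if current is None:
            continue
        out.append(url_encode(current) if encode else current)
    return out


# Constructed wordlist: a comment line that should be skipped, and a
# payload containing a character that must be encoded.
WORDLIST = ["password", "# common passwords", "summer2023", "p@ss/word"]

RULES = [skip_if_matches(r"^#"), capitalise(), add_suffix("!")]

if __name__ == "__main__":
    for p in process(WORDLIST, RULES):
        print(p)
```

Rule order matters: a suffix rule that appends “#” placed before a skip rule matching “#” would drop every payload, while the same two rules in the opposite order keep them all and encode the appended character. The same ordering applies in Intruder, where the rules in the Payload processing list are applied top to bottom.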

Summary

Time for a recap. We have learned about:

  • What Intruder is
  • Positions: what they are and how to select them
  • Which attack types are available
  • Sniper attacks
  • Battering ram attacks
  • Pitchfork attacks
  • Cluster bomb attacks
  • Payloads: what they are, how to select them and their different options

Stats

From 137,924th to 134,081st. Now I am in the top 7% in TryHackMe!

Here is also the Skill Matrix:

Resources

Path: Web Fundamentals

Introduction to Web Hacking

TryHackMe: Burp Suite Intruder

Other resources

Learn more about Proxy
Learn more about Repeater
What is fuzzing?
PortSwigger: Burp Intruder
Video: How to Use Burp Suite’s Intruder to Brute Force Attack Authentication
Video: A guide to the Burp Suite user interface