Beginners Guide to Burpsuite Payloads (Part 1)

Hello friends! Today we are discussing the types of payload in Burp Suite. Burp Suite is an application used for testing web application security. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface through to finding and exploiting security vulnerabilities. The tool is written in Java and is developed by PortSwigger Security. We are going to use the Intruder feature of Burp Suite, which is used to brute force web applications. There are 18 types of payloads in Intruder:

  • Simple list
  • Runtime File
  • Case Modification
  • Numbers
  • Brute Forcer
  • Character substitution
  • Custom iterator
  • Recursive grep
  • Illegal Unicode
  • Character blocks
  • Dates
  • Null Payloads
  • Character frobber
  • Bit Flipper
  • Username generator
  • ECB block shuffler
  • Extension Generated
  • Copy other payload

Simple List

This is one of the simplest payload types: it lets you configure a short dictionary of strings that are used as payloads.

First, we intercept the request of the login page in the DVWA lab, where we have entered a random username and password. When we click on login, Burp Suite captures the request of the login page.

Send the captured request to Intruder by clicking on the Action tab. Now open the Intruder tab and select Positions; the username and password are highlighted. Follow the steps below to select the payload positions.

  • Press the Clear button at the right of the window frame.
  • Select the fields we want to attack, which are the username and password, and click the Add button.
  • Choose Cluster Bomb as the attack type.
  • In the image below we have selected username and password, which means we need two dictionary files: one for the username and a second for the password.

Now go to the Payloads tab and select 1 from Payload set (this ‘1’ denotes the first file to be selected). Then click the Load button and select your dictionary file for the username.

Now select 2 in Payload set and give the dictionary file for the password. Select Start Attack in the Intruder menu as shown in the image.

Burp Suite will now do its work, trying the combinations of username and password until it finds the valid one. The moment it finds the correct value, the response length changes, as shown.

To confirm that the username and password matched, we enter them in the DVWA lab login page. We see the message “Welcome to the password protected area admin”, which shows our success with the simple list payload attack.
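Seen from the server side, the attack above appears in the access log as a burst of login requests from one client, and the one response whose size differs from the rest marks the guess that worked. The Python below is an added example, not part of the original tutorial; the combined log format, the `/vulnerabilities/brute/` path, the window and threshold, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/vulnerabilities/brute/"  # assumed path of the login form
WINDOW = timedelta(seconds=60)          # assumed detection window
THRESHOLD = 5                           # assumed max login requests per window
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"\S+ (?P<url>\S+) [^"]*" \d{3} (?P<size>\d+)')

# Constructed sample (combined log format); addresses, values, sizes are made up.
SAMPLE_LOG = [
    f'192.0.2.10 - - [12/Mar/2024:10:00:{s:02d} +0000] "GET {LOGIN_PATH}'
    f'?username=admin&password=guess{s}&Login=Login HTTP/1.1" 200 {size}'
    for s, size in enumerate([4237, 4237, 4237, 4237, 4237, 4275, 4237, 4237])
] + ['198.51.100.7 - - [12/Mar/2024:10:00:30 +0000] '
     f'"GET {LOGIN_PATH}?username=bob&password=x&Login=Login HTTP/1.1" 200 4237']


def parse(lines):
    """Yield (ip, time, url, size) for requests that hit the login path."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["url"].startswith(LOGIN_PATH):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["url"], int(m["size"])


def detect(lines):
    """Return {ip: {"burst": n, "outliers": [urls]}} for sources over THRESHOLD."""
    by_ip = defaultdict(list)
    for ip, ts, url, size in parse(lines):
        by_ip[ip].append((ts, url, size))
    findings = {}
    for ip, hits in by_ip.items():
        hits.sort()
        burst, start = 0, 0  # largest request count inside any WINDOW-long span
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            burst = max(burst, end - start + 1)
        if burst <= THRESHOLD:
            continue
        # The most common body size is the "login failed" page; any other size
        # is the length change the attacker watches for (a likely valid login).
        sizes = [s for _, _, s in hits]
        common = max(set(sizes), key=sizes.count)
        findings[ip] = {"burst": burst,
                        "outliers": [u for _, u, s in hits if s != common]}
    return findings
```

An outlier URL identifies the account whose credentials were probably guessed, so that account is the first one to lock and reset.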

Runtime File

This type of payload lets you configure a file from which the payload strings are read at runtime. It is needed when we require a large list of payloads, to avoid holding the entire list in memory. This lets you use a much larger list of strings than the Simple list payload type can handle.

First, we intercept the request of the login page in the DVWA lab, where we have entered a random username and a random password. When we click on login, Burp Suite captures the request of the login page in the Intercept tab.

Send the captured request to Intruder. Now open the Intruder tab and select Positions; the password is highlighted. Follow the steps below to select the payload position.

  • Press the Clear button at the right of the window frame.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the Attack type as
  • In the image below we have selected username and password, which means we need two dictionary files: one for the username and a second for the password.

Then select Runtime File as the “Payload type” and give the path of the dictionary in the “Payload options” as /usr/share/wordlists/rockyou.txt, which is the largest dictionary in Kali Linux. Select Start Attack in the Intruder menu.

Burp Suite will now do its work, trying passwords until it finds the correct one. The moment it finds the correct value, the response length changes, as shown.

Case Modification

This type of payload lets you configure a list of strings and apply various case modifications to each item on the list. This is useful in password guessing attacks, for generating case variations of dictionary words.

The following case modification rules can be selected:

  • No change – The item is used without being modified.
  • To lower case – All letters in the item are converted to lower case.
  • To upper case – All letters in the item are converted to upper case.
  • To Proper name – The first letter in the item is converted to upper case, and the remaining letters are converted to lower case.
  • To Proper Name – The first letter in the item is converted to upper case, and the remaining letters are not changed.

For example, if we select all the modification options, then the item “Raj Chandel” will generate the following payloads:

  • Raj Chandel
  • raj chandel
  • RAJ CHANDEL
  • Raj chandel

First, we intercept the request of the login page in the DVWA lab, where we have entered a random username and a random password. When we click on login, Burp Suite captures the request of the login page in the Intercept tab. Send the captured request to Intruder by right-clicking in the request area and selecting the Send to Intruder option, or simply press Ctrl+I.
