
how to brute-force a login using burpsuite

e0gg

egg

Posts: 271

Threads: 41

Joined: Jul, 2021

Reputation: -14

Posted

ok don't do anything sussy to vulnerable sites (ya might get in legal trouble 😳 unless ur smart). also this is for educational purposes only, really don't do this on sm1's website yeyey k on with the thread. i ain't in any sort of way responsible if you do this and get in trouble. ur responsible for ur own retardness.

 

so kids today we r gonna learn to brute force into a login page of a vulnerable website and make its owner bankrupt j k

 

in order 2 do that we need Burp Suite and Kali Linux which most of you don't have but that's okay. don't ask me how to install Burp Suite on Kali you idiot.

 

First, ensure that Burp is correctly configured with your browser. In the Burp Proxy tab, ensure "Intercept is off" and visit the login page of the application you are testing in your browser.

 

Return to Burp. In the Proxy "Intercept" tab, ensure "Intercept is on".

 

In your browser, enter some arbitrary details into the login page and submit the request.

 

The captured request can be viewed in the Proxy "Intercept" tab. Right click on the request to bring up the context menu. Then click "Send to Intruder".

 

Go to the Intruder "Positions" tab. Clear the pre-set payload positions by using the "Clear" button on the right of the request editor. Add the "username" and "password" parameter values as positions by highlighting them and using the "Add" button. Change the attack to "Cluster bomb" using the "Attack type" drop down menu. 

 

Go to the "Payloads" tab. In the "Payload sets" settings, ensure "Payload set" is "1" and "Payload type" is set to "Simple list". In the "Payload options" settings enter some possible usernames. 

 

You can do this manually or use a custom or pre-set payload list. Next, in the "Payload sets" settings, change "Payload set" to "2". In the "Payload options" settings enter some possible passwords.

 

You can do this manually or using a custom or pre-set list. Click the "Start attack" button. In the "Intruder attack" window you can sort the results using the column headers. 

 

In this example sort by "Length" and by "Status". The table now provides us with some interesting results for further investigation. By viewing the response in the attack window we can see that request 118 is logged in as "admin".

 

To confirm that the brute force attack has been successful, use the gathered information (username and password) on the web application's login page.

 

let me know if you have any errors.

 

and for the love of god don't be a retard and do this I am not responsible if anybody does this and shi.t on me because "I informed them how to do it", this is p u r e l y for educational purposes only.

if that's what you call it lol

  • 0

| professional dumbass |
| Exploits I own: CheatEngine |

Repgoal -2 | Achieved | RepGoal:-10 | Achieved | New RepGoal:-12
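Seen from the server side, the "Cluster bomb" run described in the post above appears in authentication logs as one source failing against several usernames in quick succession. The following detector is an added example, not part of the original post or of Burp Suite; the log format, thresholds and function names are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not from any real product):
#   2024-05-01T10:00:00Z src=203.0.113.7 user=admin result=FAIL
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def detect_bruteforce(lines, window=timedelta(seconds=60), min_failures=6, min_users=2):
    """Flag sources with >= min_failures failed logins against >= min_users
    distinct usernames inside one sliding window. Returns {src: details}."""
    recent = defaultdict(deque)    # src -> (ts, user) of failures still in window
    successes = defaultdict(set)   # src -> usernames that logged in successfully
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # skip lines that do not match the format
        ts, src, user, result = datetime.strptime(m[1], TS_FMT), m[2], m[3], m[4]
        if result == "OK":
            successes[src].add(user)
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_users:
            a = alerts.setdefault(src, {"failures": 0, "users": set()})
            a["failures"] = max(a["failures"], len(q))
            a["users"] |= users
    for src, a in alerts.items():
        # A success from a flagged source may be a guessed password: review it.
        a["review"] = successes.get(src, set())
    return alerts

def sample_log():
    """Constructed sample: one source cycling 3 usernames, plus a user's typo."""
    t0, lines = datetime(2024, 5, 1, 10, 0, 0), []
    for i in range(9):
        user = ("admin", "alice", "bob")[i % 3]
        result = "OK" if i == 6 else "FAIL"   # 7th attempt: admin password guessed
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts:{TS_FMT}} src=203.0.113.7 user={user} result={result}")
    lines.append("2024-05-01T10:00:03Z src=198.51.100.20 user=carol result=FAIL")
    lines.append("2024-05-01T10:00:09Z src=198.51.100.20 user=carol result=OK")
    return lines

if __name__ == "__main__":
    for src, a in detect_bruteforce(sample_log()).items():
        print(src, a["failures"], sorted(a["users"]), sorted(a["review"]))
```

Accounts listed under "review" are the ones to lock and reset first; rate limiting or lockout on the login endpoint keeps the window from filling in the first place.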

JOSHMISTY

Advantages

Posts: 1019

Threads: 99

Joined: Jul, 2020

Reputation: 10

Replied

@boyke

why would you do that?

  • 0

e0gg

egg

Posts: 271

Threads: 41

Joined: Jul, 2021

Reputation: -14

Replied

@boyke free robox moment

  • 0

Added

@JOSHMISTY f r e e b o b u x

  • 0


JOSHMISTY

Advantages

Posts: 1019

Threads: 99

Joined: Jul, 2020

Reputation: 10

Replied

@e0gg

ohhh yes i want this, tell me the steps on how to do this in english

add my discord

 

notjoshbs#0041

 

  • 0

e0gg

egg

Posts: 271

Threads: 41

Joined: Jul, 2021

Reputation: -14

Replied

@JOSHMISTY :bruh: wouldn't i get in trouble too if say.. the lego game legal team got involved and you got caught generating bobux since you really don't have proxy chains and security methods (i suppose)

  • 0

