d4rtht3ll3ctus' root vault

Burp Intruder

5 min read

Target

From Proxy history, intercept request and then Send to Intruder, or use the shortcut [CTRL+I] to send it to Intruder.

We can then go to Intruder by clicking on its tab or with the shortcut [CTRL+SHIFT+I], which takes us right to Burp Intruder:

On the first tab, ‘Target’, we see the details of the target we will be fuzzing, which is fed from the request we sent to Intruder.

Positions

The second tab, ‘Positions’, is where we place the payload position pointer, which is the point where words from our wordlist will be placed and iterated over

So, we will need to select DIRECTORY as the payload position, by either wrapping it with § or by selecting the word DIRECTORY and clicking on the Add § button:

the DIRECTORY in this case is the pointer’s name, which can be anything, and can be used to refer to each pointer, in case we are using more than position with different wordlists for each.

The final thing to select in the target tab is the Attack Type. The attack type defines how many payload pointers are used and determines which payload is assigned to which position. For simplicity, we’ll stick to the first type, Sniper, which uses only one position. Try clicking on the ? at the top of the window to read more about attack types, or check out this link.

Note : Be sure to leave the extra two lines at the end of the request, otherwise we may get an error response from the server.

 There are four main things we need to configure:

  • Payload Sets
  • Payload Options
  • Payload Processing
  • Payload Encoding

Payload Sets

The first thing we must configure is the Payload Set. The payload set identifies the Payload number, depending on the attack type and number of Payloads we used in the Payload Position Pointers.

In this case, we only have one Payload Set, as we chose the ‘Sniper’ Attack type with only one payload position. If we have chosen the ‘Cluster Bomb’ attack type, for example, and added several payload positions, we would get more payload sets to choose from and choose different options for each. In our case, we’ll select 1 for the payload set.

Next, we need to select the Payload Type, which is the type of payloads/wordlists we will be using. Burp provides a variety of Payload Types, each of which acts in a certain way. For example:

  • Simple List: The basic and most fundamental type. We provide a wordlist, and Intruder iterates over each line in it.

  • Runtime file: Similar to Simple List, but loads line-by-line as the scan runs to avoid excessive memory usage by Burp.

  • Character Substitution: Lets us specify a list of characters and their replacements, and Burp Intruder tries all potential permutations.

There are many other Payload Types, each with its own options, and many of which can build custom wordlists for each attack. Try clicking on the ? next to Payload Sets, and then click on Payload Type, to learn more about each Payload Type. In our case, we’ll be going with a basic Simple List.

Next, we must specify the Payload Options, which is different for each Payload Type we select in Payload Sets. For a Simple List, we have to create or load a wordlist. To do so, we can input each item manually by clicking Add, which would build our wordlist on the fly. The other more common option is to click on Load, and then select a file to load into Burp Intruder.

We will select /opt/useful/seclists/Discovery/Web-Content/common.txt as our wordlist. We can see that Burp Intruder loads all lines of our wordlist into the Payload Options table:

Tip: In case you wanted to use a very large wordlist, it’s best to use Runtime file as the Payload Type instead of Simple List, so that Burp Intruder won’t have to load the entire wordlist in advance, which may throttle memory usage.

Payload Processing

Another option we can apply is Payload Processing, which allows us to determine fuzzing rules over the loaded wordlist. For example, if we wanted to add an extension after our payload item, or if we wanted to filter the wordlist based on specific criteria, we can do so with payload processing.

Let’s try adding a rule that skips any lines that start with a . (as shown in the wordlist screenshot earlier). We can do that by clicking on the Add button and then selecting Skip if matches regex, which allows us to provide a regex pattern for items we want to skip. Then, we can provide a regex pattern that matches lines starting with ., which is: ^\..*$:

Payload Encoding

The fourth and final option we can apply is Payload Encoding, enabling us to enable or disable Payload URL-encoding.

Finally, we can customize our attack options from the Options tab. There are many options we can customize (or leave at default) for our attack

For example, we can set the number of retried on failure and pause before retry to 0.

Another useful option is the Grep - Match, which enables us to flag specific requests depending on their responses.

 After that, we can type 200 OK to match any requests with this string and click Add to add the new rule Finally, we’ll also disable Exclude HTTP Headers, as what we are looking for is in the HTTP header:

Attack

Similarly, we can use Burp Intruder to do any type of web fuzzing and brute-forcing, including brute forcing for passwords, or fuzzing for certain PHP parameters, and so on. We can even use Intruder to perform password spraying against applications that use Active Directory (AD) authentication such as Outlook Web Access (OWA), SSL VPN portals, Remote Desktop Services (RDS), Citrix, custom web applications that use AD authentication, and more. However, as the free version of Intruder is extremely throttled, in the next section, we will see ZAP’s fuzzer and its various options, which do not have a paid tier.

Graph View