#Burp suite repeater send shortcut password
With the username and password parameters handled, we now need to find a way to grab the ever-changing loginToken and session cookie. Up until this point, we have configured Intruder in almost the same way as our previous credential stuffing attack this is where things start to get more complicated. Now switch over to the Payloads sub-tab and load in the same username and password wordlists we used for the support login attack. The other two positions will be handled by our macro. 2- Clear all of the predefined positions and select only the username and password form fields. Capture the request and send it to Intruder.Ĭonfigure the positions the same way as we did for bruteforcing the support login: 1- Set the attack type to be "Pitchfork". Activate the Burp Proxy and attempt to log in. Well done, you have successfully bruteforced the support login page with a credential stuffing attack ! You should find the username m.rivera with the password : letmein1 Once we have sorted our results, one request should stand out as being different ! Click "Ok" and start the attack ! Note: This will take a few minutes to complete in Burp Community - hence the relatively small lists in use A warning about the rate-limiting in Burp Community will appear. We have done all we need to do for this very simple attack, so go ahead and click the "Start Attack" button. We also need the Attack type to be "Pitchfork". Send the request from the Proxy to Intruder by right-clicking and selecting "Send to Intruder" or by using the Ctrl + I shortcut. Note: It doesn't matter what credentials you use here - we just need the request. Activate the Burp Proxy and try to log in, catching the request in your proxy. We will be using the usernames.txt and passwords.txt lists. The last list contains the combined email and password lists.
These contain lists of leaked emails, usernames, and passwords, respectively.
#Burp suite repeater send shortcut zip file
The zip file should contain four wordlists. It doesn't matter whether you do this by clicking the download link in the task or by using the files hosted on your deployed machine.
Download and unzip the BastionHostingCreds.zip zipfile.