IntroBefore I get started, I should mention that I'm using the same environment settings I created in the first part of the Burp series. I recommend reviewing this post if you're new to Burp and are just getting started.
Secondly, we're going to be using some pre-made lists and Burp-generated lists with Intruder, so if you want to follow along exactly, please download the wordlists from SVNDigger. They're a great starting point and can really help with that first step.
With that all out of the way, we can get into the meat of it with Intruder.
As I mentioned, we're going to use Intruder to send a massive number of requests, so be aware that unless you lower the request options (which we'll touch on), this can be a noisy attack. Staying under the radar can be a concern for some red team exercises, but for the purposes of this article, we're going to be loud and obnoxious.
We're going to use a basic exercise on hackthissite.org to demonstrate Intruder's capabilities, but we're only going to cover one of the primary functions: Simple list. Simple list allows you to attack with a pre-made list (the one from SVN digger that I mentioned, in this case) and Brute Forcer allows you to specify a character set which Burp will then use to generate a list on the fly. This is useful for random values such as passwords with a known character length.
In the first example, we're going to look at basic exercise number 3 which is located here:
Keep in mind, there's an easier way to beat this "challenge" but we're using this site for demonstration purposes, and we'll leave it to you to use this technique creatively to perhaps tackle some of the more advanced portions of the site as a learning tool.
So we can see that we have a password field and not much else. We also can see that the description mentions a password file. Without much knowledge of the site (spoiler alert), we may be inclined to view the source and find some interesting tidbits of information, but in this case, previous experience with hackthissite.org would point us to start sniffing out php pages. And that's exactly what we're going to do.
The SetupIf we send the request to Intruder...
It should look like this:
Burp will send every word in our payload through that entry point. This means that Burp will be sending a large number of pre-determined requests to the server without having to manually enter each one into Repeater or through the proxy. We can then view the results in a consolidated view.