In your browser, log into DVWA. Use the username "admin" and the password
"password". As you are still intercepting, be prepared to switch back and forth between Burp Suite and
the browser to Forward the intercepted requests.
Click on DVWA Security and set the script security to low. Once
complete, click on Brute Force in the DVWA menu.
Now enter some fake login information into the Brute Force login screen, such as username "right" and password "wrong". Click login. This login attempt should fail, but Burp Suite will
have captured the attempt.
Switch to Burp Suite. In the Site map find dvwa/vulnerabilities/brute. There
should be a few entries. Click on each one until you find the one
which includes the username and password you used in the GET line (it is
also the one with a "tick" in the Params column). Right click in the
Raw box (i.e. the one with the HTTP request) and select Send to Intruder.
Switch to the Intruder tab and open the Positions tab. Burp Suite
tries to select the fields of interest itself, but this time we only need the username
and password. Click Clear on the right, then one at a time select
the username and password values you used in your attempt
(e.g. the bit after username= and password=), clicking on Add each time. Change the Attack type to
Cluster bomb.
Now select Payloads. Payload set should be 1 and the payload type should be Simple list.
This list holds the values for the first field you selected (the username).
Payload set 2 holds the possible passwords.
Try adding usernames from the following list:
gordon
david
smithy
frank
john
Add passwords from the following list:
123456
1234
password
test
You are ready to go. In the top right of the subwindow, click Start Attack.
This attack only has 20 combinations (5 usernames x 4 passwords). Scroll down the list of items and
focus on the Length. If one page is a different length from all the others,
then this might indicate that this attempt reached a different page
from all the rest. Find that attempt. Click on it and view the Response, ideally in
Render mode (available if you did not run it as root), or otherwise read the HTML in Pretty mode. Look for "Welcome to the password protected area...".
What was the successful login attempt here?
username:
password:
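
The same attack seen from the server side, as an added example that is not part of the original lab: because the form submits with GET, every attempt lands in the web server access log, and the response-size column shows the same length outlier Intruder does. The log lines, IP addresses, names, passwords and sizes below are constructed, and the Apache combined log format is an assumption.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: access-log lines as a GET-based login form would produce
# them. IPs, usernames, passwords and response sizes are invented.
SAMPLE_LOG = "\n".join(
    f'203.0.113.7 - - [01/Jan/2024:10:00:{i:02d} +0000] '
    f'"GET /dvwa/vulnerabilities/brute/?username={u}&password={p} HTTP/1.1" '
    f'200 {4738 if (u, p) == ("carol", "pw2") else 4700} "-" "-"'
    for i, (u, p) in enumerate(
        (u, p) for p in ("pw1", "pw2") for u in ("alice", "bob", "carol"))
) + ('\n198.51.100.9 - - [01/Jan/2024:10:05:00 +0000] "GET /dvwa/vulnerabilities'
     '/brute/?username=alice&password=pw9 HTTP/1.1" 200 4700 "-" "-"')

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" (\d{3}) (\d+)')

def analyse(log_text, path="/dvwa/vulnerabilities/brute/", min_attempts=5):
    """Return {client_ip: report} for clients hammering the login form."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, target, _status, size = m.groups()
        url = urlsplit(target)
        q = parse_qs(url.query)
        if url.path != path or "username" not in q or "password" not in q:
            continue
        per_ip[ip].append((q["username"][0], q["password"][0], int(size)))

    reports = {}
    for ip, hits in per_ip.items():
        if len(hits) < min_attempts:
            continue  # a single mistyped login is not an attack
        users = {u for u, _, _ in hits}
        pwds = {p for _, p, _ in hits}
        pairs = {(u, p) for u, p, _ in hits}
        common_size = Counter(s for _, _, s in hits).most_common(1)[0][0]
        reports[ip] = {
            "attempts": len(hits),
            # Every username tried with every password: the Cluster bomb shape.
            "full_grid": len(pairs) == len(users) * len(pwds),
            # Responses whose size differs from the rest: likely real logins.
            "suspect_accounts": sorted({u for u, _, s in hits if s != common_size}),
        }
    return reports
```

Any account listed under suspect_accounts should be treated as compromised and have its password reset.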