☎️
Contrxl
  • 🏡Home
  • ❓Anonymity Tools
  • ⌨️Cisco
    • Networking Basics
      • Communication in a Connected World
      • Network Components, Types and Connections
      • Wireless and Mobile Networks
      • Home Networking Technologies
      • Communication Protocols
      • Network Media
      • The Access Layer
      • The Internet Protocol
      • IPv4 and Network Segmentation
  • 💾Intune
    • ADMX Configuration
    • App Deployment
    • App Updating/Patching
    • File Deployment
    • Remediations
  • 🎓Learning Links
  • 💻Microsoft
    • 📘Microsoft Portal Links
    • Configure SIEM Security Operations using Microsoft Sentinel
      • Create and Manage Microsoft Sentinel Workspaces
        • Introduction
        • Plan for the Microsoft Sentinel Workspace
        • Create a Microsoft Sentinel Workspace
        • Manage Workspaces Across Tenants Using Azure Lighthouse
        • Understand Microsoft Sentinel Permissions and Roles
        • Manage Microsoft Sentinel Settings
        • Configure Logs
  • 📰News & Information
  • 💡OSINT
    • IP & Domain OSINT
    • Email & Username OSINT
    • Vulnerability OSINT
  • 📚Projects
    • ‼️A Simulation Study of DDoS
  • ⚒️Tools
    • Burp Suite
      • Repeater
      • Intruder
      • Other Modules
    • GoPhish
    • Hydra
    • John the Ripper
    • Metasploit
      • Exploitation
      • Meterpreter
    • NMAP
    • Wireshark
  • 🖥️TryHackMe
    • Learning Paths
      • Complete Beginner
        • 1. Complete Beginner Intro
        • 2. Linux Fundamentals
        • 3. Introductory Networking
        • 3.1 Network Exploitation Basics
        • 4. OWASP Top 10 Exploits
        • 5. Upload Vulnerabilities
        • 5.1 An Example Methodology
        • 6. Cryptography - Hashing
        • 7. Cryptography - Encryption
        • 8. Active Directory Basics
        • 9. What the Shell?
        • 10. Linux Privesc
        • 11. More Linux Privesc
      • Jr Penetration Tester
        • Walking an Application
        • Content Discovery
        • Subdomain Enumeration
        • Authentication Bypass
        • IDOR
        • File Inclusion
        • SSRF
        • XSS (Cross-site Scripting)
        • Command Injection
        • SQL Injection
        • Passive Reconnaissance
        • Active Reconnaissance
        • Protocols and Servers
        • Protocol and Server Attacks
        • Vulnerabilities
        • Exploiting Vulnerabilities
        • Linux Privilege Escalation
        • Windows Privilege Escalation
      • CompTIA Pentest+
        • Planning and Scoping
          • Pentesting Fundamentals
          • Red Team Engagements
          • Governance and Regulation
        • Tools and Code Analysis
          • Metasploit: Introduction
          • Wireshark: The Basics
          • Burp Suite: The Basics
          • Hydra
          • Python Basics
        • Attacks and Exploits
          • Phishing
          • Windows Local Persistence
          • Breaching Active Directory
          • Lateral Movement & Pivoting
Powered by GitBook
On this page
  1. Tools
  2. Burp Suite

Intruder

Usage of Burp Suite Intruder tool.

Introduction

Burp Suite Intruder allows automated request manipulation and enables tasks like fuzzing and brute-forcing. Intruder allows for customisable, automated attacks and provides the ability to modify specific parts of a request and perform repetitive tests with variations of input data. The functionality is comparable to CLI tools like Wfuzz or ffuf. It should be noted that in the Community Edition of Burp Suite, Intruder is heavily rate limited.

There are four tabs within intruder:

  • Positions : allows selection of an attack type and where the payload should be inserted.

  • Payloads : allows selection of payloads for insertion into defined positions. There are various options such as loading items from a wordlist.

  • Resource Pool : not particularly important in Community Edition, allows for resource allocation among automated tasks.

  • Settings : configure attack behaviours, e.g. tell Burp to flag requests with specific text.

Positions

Burp will automatically try to detect the most probable payload positions. Where these are not correct you can modify them with the "Add", "Clear", and "Auto" options on the right hand side.

Payloads

Allows you to create, assign and configure attack payloads. This tab is divided into four sections:

  1. Payload sets : choose the position to put a payload set and select the type of payload to use. If using an attack type that only allows a single payload set, the "Payload Set" drop-down will have only one option. Using attack types that require multiple payload sets will show one item in the drop-down for each position.

  2. Payload settings : provides options specific to the select payload type. For example, when using the "Simple List" payload type, we can manually add or remove payloads to or from the set using Add, Paste or Load buttons.

  3. Payload processing : define rules to apply to each payload in the set before it is sent to the target.

  4. Payload encoding : customise encoding options for payloads.

Sniper

Default attack type and most commonly used, very effective in single position attacks such as brute-forcing or fuzzing for API endpoints.

Battering Ram

Like Sniper except it places the payload in every position simultaneously.

Pitchfork

Equivalent to having multiple Sniper attacks running simultaneously, pitchfork uses one payload set per position and iterates through them simultaneously.

Cluster Bomb

Allows multiple payload sets to be chosen, one per position. Cluster bomb iterates through each of these individually, ensuring every combination is tested.

Last updated 11 months ago

⚒️
  • Introduction
  • Positions
  • Payloads
  • Sniper
  • Battering Ram
  • Pitchfork
  • Cluster Bomb