Burp Suite:
- Go into Target > Scope
- Add tesla.com (or whatever your target)
- Under Site map, you get the website and subdomains
- Under Proxy > Options
  - Check "Is in target scope" for the request and response interception rules
  - Turn intercept on
- Test a login and send the result to Repeater or Intruder
- Grab the fail/error message
- Go to Intruder > Options > Grep - Match
  - Add the fail/error message so failed attempts are recognized
- Set the correct positions
  - If you already know an email is valid and want to test passwords, clear positions, then add the password field only
- Payload Sniper attack:
  - Winter24!
  - Tesla123!
  - Password1!
  - Winter2024!
- If Grep doesn't work, you can check the status code (200 vs 302)
  - If it does work, you can sort by check marks
  - If it doesn't, you can sort by status code. The first request that hits that code is the real successful login
- Response length difference is another signal
Payload Pitchfork Attack:
Tests user 1 with pass 1, user 2 with pass 2, and so on.
Good for a combolist of different accounts in that organization for password reuse.
- Payload set 1 (simple list)
  - Add emails for targets
- Payload set 2 (simple list)
  - Add the passwords you want to try (like from the Sniper attack)
Payload Clusterbomb Attack (Password Spraying):
Tests user 1 with all passwords (every user against every password).
Good for testing lazy/easy-to-remember passwords on a few verified/valid users.
- Same setup as Pitchfork (above)
If you start seeing errors, stop the attack. Don't lock people out of their accounts.
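The three Intruder modes above leave different shapes in a login audit log, which is what a defender keys on: Sniper is one account hit many times, Pitchfork and Cluster bomb are many accounts hit a few times each from one source. This added example (not from the notes above, no Burp code involved) labels each source IP from constructed sample log lines in a hypothetical "<ts> <src_ip> <user> <result>" format; the window size and thresholds are assumed values to tune per environment, and a wider window catches slower sprays.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log, hypothetical format "<ts> <src_ip> <user> <result>".
SAMPLE_LOG = """\
2024-01-15T10:00:01 203.0.113.5 alice@example.com LOGIN_FAIL
2024-01-15T10:00:02 203.0.113.5 bob@example.com LOGIN_FAIL
2024-01-15T10:00:03 203.0.113.5 carol@example.com LOGIN_FAIL
2024-01-15T10:00:04 203.0.113.5 dave@example.com LOGIN_FAIL
2024-01-15T10:00:05 203.0.113.5 erin@example.com LOGIN_OK
2024-01-15T10:00:10 198.51.100.7 frank@example.com LOGIN_FAIL
2024-01-15T10:00:11 198.51.100.7 frank@example.com LOGIN_FAIL
2024-01-15T10:00:12 198.51.100.7 frank@example.com LOGIN_FAIL
2024-01-15T10:00:13 198.51.100.7 frank@example.com LOGIN_FAIL
2024-01-15T11:30:00 192.0.2.9 grace@example.com LOGIN_FAIL
2024-01-15T11:30:20 192.0.2.9 grace@example.com LOGIN_OK
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return sorted(events)  # chronological (timestamp, src_ip, user, success)

def classify_sources(log_text, window_s=300, min_fails=4, min_users=4):
    """Label each source IP from a sliding window over its events: "spray" (many users,
    few tries each: the Pitchfork/Cluster bomb shape), "brute_force" (one user, many
    tries: the Sniper shape) or "normal"; "+success" marks a login inside the burst."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))
    labels = {}
    for ip, ev in by_ip.items():
        label = "normal"
        for i in range(len(ev)):
            win = [e for e in ev[i:] if (e[0] - ev[i][0]).total_seconds() <= window_s]
            fails = [e for e in win if not e[2]]
            users = {e[1] for e in fails}
            if len(fails) >= min_fails and len(users) >= min_users:
                label = "spray"
            elif len(fails) >= min_fails and len(users) == 1:
                label = "brute_force"
            else:
                continue
            if any(e[2] for e in win):  # a success landed inside the flagged burst
                label += "+success"
            break
        labels[ip] = label
    return labels
```

A "spray+success" label is the case worth paging on, since it means one of the sprayed passwords worked; the second source shows the lockout-risk pattern the notes warn about.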