Burp Suite User Forum


What payload type should I use in Intruder if the password pattern has characters that are known?

Sam | Last updated: Oct 13, 2018 11:19PM UTC

I am trying to brute force a login page using Intruder, attack type cluster bomb. I have defined payload set 1 for the username; in payload set 2 I want to brute force the password. I know that the password length is 8 characters, and characters 3 & 4 are known to me; for example, I know that they will be ##. So I want the payload type that can help me brute force characters 1, 2, 5, 6, 7 & 8, skipping 3 & 4 because they are known. Characters 1 & 2 are alphabetic (lowercase/uppercase) and 5, 6, 7 & 8 are numeric digits. Thanks for the help.

PortSwigger Agent | Last updated: Oct 15, 2018 07:18AM UTC

You will need to use two separate payload positions within the password and the Brute Forcer payload type. Define a position covering characters 1 and 2, set the character set to the alphabet and min length and max length to 2. Do similar for characters 5-8, with the character set as digits, and the length as 4.
