We'll use the WackoPicko admin section login to test this attack:
- First, we set up Burp Suite as a proxy to our browser.
- Browse to http://192.168.56.102/WackoPicko/admin/index.php?page=login.
- We will see a login form. Let's try test for both username and password.
- Now, go to Proxy's history and look for the POST request we just made with the login attempt and send it to Intruder.
- Click on Clear § to clear the pre-selected insertion positions.
- Now, we add insertion positions on the values of the two POST parameters (adminname and password) by highlighting the value of the parameter and clicking Add §:
- As we want our list of passwords to be tried against all users, we select Cluster bomb as the attack type:
- The next step ...