The Attack Modes

There are four attack modes in which The BrowserBruter can run. They are

  1. SNIPER
  2. BATTERING RAM
  3. PITCHFORK
  4. CLUSTER BOMB

Learn more about them here

The --attack switch can be used to select attack mode. The value for the --attack option can be either 1, 2, 3 or 4 with each representing respective attack modes as follows - 

    1 = SNIPER
    2 = BATTERING RAM
    3 = PITCHFORK
    4 = CLUSTER BOMB

1. Sniper Attack

alt

  • The Sniper attack will take a single payload file.
  • It will take a list of elements to fuzz.
  • It will place single payload in single element until each element has fuzzed with that single payload. This will be repeated for each payloads.
  • This attack mode is suitable for general penetration testing projects when you want to quickly find vulnerabilities and check the web application against bunch of payloads.

The --elements & --payloads option

The following options are required in this attack mode to specify elements and payloads -

--elements
--payloads

Here the --elements payloads is used to specify the comma separated list of elements to fuzz. For example, here we are specifying username and password elements to fuzz -

  1. alt text

  2. python3 BrowserBruter.py --elements username,password
  3. alt text

alt text

After specifying the elements to fuzz, we now have to specify the payloads file using --payloads option as shown below.

  1. alt text

  2. python3 BrowserBruter.py --elements username,passwords --payloads fuzz.txt

  3. alt text

Now we need to specify the --target and --button options where --target is the URL of the page containing elements to fuzz and --button is the button element which trigger submission of the form. 

python3 BrowserBruter.py --elements username,passwords --payloads fuzz.txt --target http://localhost/login1.php --button btn-default

alt text

After that specify the attack mode as SNIPER using --attack 1 option.

python3 BrowserBruter.py --elements username,passwords --payloads fuzz.txt --target http://localhost/login1.php --button btn-default --attack 1

alt text

Then hit enter and unleash The BrowserBruter!

Here's what is happening:

  1. The BrowserBruter reads the and stores the payloads, let's assume there are three payloads in our list - [payload1, payload2, payload3]
  2. It then reads and prepares list of elements to be fuzzed which are - [username, password]
  3. It then navigates to the target URL.
  4. It then tries to find the 'username' and fills first payload from the payload's list which is 'payload1'.
  5. It then tries to find the '--button' element and clicks it.
  6. Then it again navigates to the target URL and finds 'password' field and inserts first payload from payload's list 'payload1' and submits it using '--button' element.
  7. It repeats this process until all payloads present in payload's list are filled and submitted in each elements to be fuzzed.
  8. This is how Sniper attack will work.

The --fill option

One thing that you will notice is that using above command might sometimes throw an error on web page like username field can not be blank or password field in required, for such cases specify the elements which are required to be filled in order to submit the form. The BrowserBruter will automatically fill the specified elements. More information on this option can be found here.

Re-run the above attack with --fill option to fill the required fields which are username and password.

python3 BrowserBruter.py --elements username,password --payloads fuzz.txt --target http://localhost/login1.php --button btn-default --attack 1 --fill username,password

Here's what is happening:

  1. The BrowserBruter reads the and stores the payloads, let's assume there are three payloads in our list - [payload1, payload2, payload3]
  2. It then reads and prepares list of elements to be fuzzed which are - [username, password]
  3. It then navigates to the target URL.
  4. It then tries to automatically fill the username and password field.
  5. It then tries to find the 'username' and fills first payload from the payload's list which is 'payload1'.
  6. It then tries to find the '--button' element and clicks it.
  7. Then it again navigates to the target URL and finds 'password' field and inserts first payload from payload's list 'payload1' and submits it using '--button' element.
  8. It repeats this process until all payloads present in payload's list are filled and submitted in each elements to be fuzzed.
  9. This is how Sniper attack will work.

No longer any errors related to empty fields after using --fill option.

2. Battering Ram Attack

alt

The Battering Ram attack is same as Sniper attack with only difference is that it fills payloads in all input fields together instead of one by one like sniper attack.

If we continue our previous attack with Battering Ram - 

python3 BrowserBruter.py --elements username,password --payloads fuzz.txt --target http://localhost/login1.php --button btn-default --attack 2
  • alt text

Here's what is happening:

  1. The BrowserBruter reads the and stores the payloads, let's assume there are three payloads in our list - [payload1, payload2, payload3]
  2. It then reads and prepares list of elements to be fuzzed which are - [username, password]
  3. It then navigates to the target URL.
  4. It then tries to find the 'username' and 'password` fills first payload from the payload's list which is 'payload1' in both of them (username,password) together.
  5. It then tries to find the '--button' element and clicks it.
  6. Then it again navigates to the target URL and finds 'password' field and inserts first payload from payload's list 'payload1' and submits it using '--button' element.
  7. It repeats this process until all payloads present in payload's list are filled and submitted.
  8. This is how Battering Ram attack will work.

Notice that here we are not using --fill option there are only two input fields in form and we are fuzzing them both, so in battering ram they both will be filled. If there were any third field which are not fuzzing then we can fill only that specific field using --fill option.

3. PitchFork Attack

alt

The PitchFork and ClusterBomb does not requires --payloads or --elements options, instead they take combination of two --elements-payloads option.

The --elements-payloads option

The --elements-payloads option take values in following format element1:/path/to/payload-file-for-elements1.txt,element2:/path/to/payload-file-for-element2.txt,elementN:/path/to/payload-file-for-elementN.txt where element is the input field to be fuzzed and /path/to/payload-file is file containing payloads for that file.

Following is the working flow of PitchFork Attack:

  1. Get the list of elements and payloads from user.
  2. Create separate list of payloads for their respective elements.
  3. Start the Browser.
  4. Navigate to the target URL.
  5. Fill the payloads in their respective elements.
  6. Submit the form.

Here is an example which we are continuing from previous attacks for better understanding.

python3 BrowserBruter.py --elements-payloads username:usernames.txt,password:passwords.txt --target http://localhost/login1.php --button btn-default --attack 3
  • alt text

Here's what is happening:

Here in usernames.txt file I have following payloads-

admin
zin
hfs

In passwords.txt file I have following payloads-

pass
letmein
12345
  1. The BrowserBruter reads the and stores the payloads for their respective elements. So we have username->admin,zin,hfs & password->pass,letmein,12345.
  2. It then navigates to the target URL.
  3. It then tries to find the 'username' and 'password` fills first payload from the username payload's list which is 'admin' and fills first payload from password payload's list which is pass.
  4. It then tries to find the '--button' element and clicks it.
  5. Then it again navigates to the target URL and finds 'username' and 'password' fields and inserts second payloads from their respective payload's list 'zin' and 'letmein' and submits it using '--button' element.
  6. It repeats this process until all payloads present in each payload's list are filled and submitted.
  7. This is how PitchFork attack will work.

Note: The lists does not requires to have same amount of payloads. i.e. the usernames.txt and passwords.txt does not have to contain equal amount of payloads.

4. ClusterBomb Attack

alt

The ClusterBomb same as PitchFork, does not requires --payloads or --elements options, instead they take combination of two --elements-payloads option.

The --elements-payloads option take values in following format element1:/path/to/payload-file-for-elements1.txt,element2:/path/to/payload-file-for-element2.txt,elementN:/path/to/payload-file-for-elementN.txt where element is the input field to be fuzzed and /path/to/payload-file is file containing payloads for that file.

Following is the working flow of ClusterBomb Attack:

  1. Get the list of elements and payloads from user.
  2. Create separate list of payloads for their respective elements.
  3. Prepare total possible combinations of payloads.
  4. Start the Browser.
  5. Navigate to the target URL.
  6. Fill the payloads in their respective elements.
  7. Submit the form.
  8. Repeat this for each possible combination of payloads.

Here is an example which we are continuing from previous attacks for better understanding.

python3 BrowserBruter.py --elements-payloads username:usernames.txt,password:passwords.txt --target http://localhost/login1.php --button btn-default --attack 4
  • alt text

Here's what is happening:

Here in usernames.txt file I have following payloads-

admin
zin
hfs

In passwords.txt file I have following payloads-

pass
letmein
12345
  1. The BrowserBruter reads the and stores the payloads for their respective elements. So we have username->admin,zin,hfs & password->pass,letmein,12345.
  2. It then prepares each possible combination of payloads as follows
    admin:pass
admin:letmein
admin:12345
zin:pass
zin:letmein
zin:12345
hfs:pass
hfs:letmein
hfs:12345
  3. It then navigates to the target URL.
  4. It then tries to find the 'username' and 'password` fields and fills first payload combination of the payloads which is 'admin' and 'pass', then fills 'admin' in 'username' field and 'pass' in 'password' field.
  5. It then tries to find the '--button' element and clicks it.
  6. Then it again navigates to the target URL and finds 'username' and 'password' fields and inserts second payloads combination 'admin' in 'username' and 'letmein' in 'password' field and submits it using '--button' element.
  7. It repeats this process for all combinations of payloads.
  8. This is how ClusterBomb attack will work.
  9. It is useful in BruterForcing Authentication pages.

Note: The lists does not requires to have same amount of payloads. i.e. the usernames.txt and passwords.txt does not have to contain equal amount of payloads.

Note: The correct combination of username and password in authentication will result in successful authentication and will disrupt the remaining fuzzing process. To avoid this use --remove-session switch. Learn more.

The Result of the attack

Now we have finished our general attacks. Move on to the next section to learn about the result of the attack.

results matching ""

    No results matching ""