Null Payloads with Turbo Intruder

2022-02-17

Burp Suite is a penetration testing tool from PortSwigger.
It includes Burp Intruder, which automates attacks such as brute forcing.
This is useful, but it is very slow in the free edition.
With the Turbo Intruder extension, we can do the same thing much faster.

*As you already know, use it only against servers you own or on security platforms such as HackTheBox, HackerOne, etc.

Install Turbo Intruder

In Burp Suite, click the Extender tab -> BApp Store, then install Turbo Intruder.

Open Turbo Intruder

In the Proxy tab or the Repeater tab in Burp Suite, confirm that the desired request is displayed, then click Message Actions -> Extensions -> Turbo Intruder -> Send to turbo intruder.

The Turbo Intruder window will then open.

Edit code in Turbo Intruder to Null Payloads

In Turbo Intruder, we edit the Python code so that it sends null payloads.

This version corresponds to "Continue indefinitely":

    def queueRequests(target, wordlists):
        engine = RequestEngine(endpoint=target.endpoint,
                               concurrentConnections=5,
                               requestsPerConnection=10,
                               pipeline=False
                               )

        # Add it for infinite loops
        # i is never incremented, so requests are queued until the attack is stopped
        i = 0
        while i < 1:
            engine.queue(target.req, None)


    def handleResponse(req, interesting):
        # Add every response flagged as interesting to the results table
        if interesting:
            table.add(req)

If you want to send a specific number of payloads, for example 100, edit it as follows:

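    def queueRequests(target, wordlists):
        # Engine setup is the same as in the previous script
        engine = RequestEngine(endpoint=target.endpoint,
                               concurrentConnections=5,
                               requestsPerConnection=10,
                               pipeline=False
                               )

        # Add it for 100 loops
        i = 0
        while i < 100:
            engine.queue(target.req, None)
            i += 1


    def handleResponse(req, interesting):
        # Unchanged from the previous script
        if interesting:
            table.add(req)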

Change the values of concurrentConnections and requestsPerConnection according to the situation.

Start attacking

Then click the Attack button at the bottom.

The null payloads attack will then start.
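
On the server you are testing, a null payloads run appears as the same request line repeated many times from one client. The following is an added example, not part of the original post, that flags such bursts in an access log; the common/combined log format, the threshold, the window and the constructed sample lines (including the `/api/action` path) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: common/combined access log, sorted by time.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def find_repeat_bursts(lines, threshold=50, window=timedelta(seconds=10)):
    """Return {(ip, method, target): peak} for clients that sent the same
    request line at least `threshold` times within any `window`."""
    recent = defaultdict(deque)    # key -> timestamps inside the current window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # skip lines that do not parse
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], m["method"], m["target"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def sample_log():
    """Constructed sample: 100 identical POSTs in 2 s plus normal browsing."""
    lines = []
    for i in range(100):
        sec = i // 50              # 50 requests per second
        lines.append(f'203.0.113.7 - - [17/Feb/2022:10:00:{sec:02d} +0000] '
                     f'"POST /api/action HTTP/1.1" 200 512')
    for i, path in enumerate(["/", "/cart", "/api/action", "/checkout"]):
        lines.append(f'198.51.100.4 - - [17/Feb/2022:10:00:{10 + i:02d} +0000] '
                     f'"GET {path} HTTP/1.1" 200 1024')
    return lines


if __name__ == "__main__":
    for (ip, method, target), n in find_repeat_bursts(sample_log()).items():
        print(f"{ip} sent {method} {target} {n} times within 10s")
```

Tune the threshold and window to the traffic the endpoint normally sees; identical requests behind a shared NAT address can look like one client.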