Any intruder tool alternatives like burpsuit?

Dear Hackers,

I have found a performance problem when I started focusing on the machine Kotarak, follow the workthrough people leave in the machine page, I used burpsuit to run intruder attack on its internal ports which have 65535 ports. the speed is so bad, it comes with about 6.6 port/sec, in order to complete this scan I need more than 6 days!! After that i checked the settings of that scan I found with the community version the thread setting by default is set as 1 and cannot be modified.

So any alternatives like burpsuit can do the job with multi-threads.

Thank you in advance!

Comments

  • edited July 30

    Yeah burp multi threading requires burp pro, but you should be able to in owasp zap, or build your own tool

    Edit: just looked at Kotarak, you can brute those ports easily using wfuzz with the range options

    elseif

  • I found wfuzz can do it the same thing, following is the command:
    wfuzz -c -z range,1-65535 --hl=2 http://10.10.10.55:60000/url.php?path=localhost:FUZZ

  • there ya go, learning wfuzz is worth it

    elseif

  • edited July 30

    Type your comment> @pgpg said:

    So any alternatives like burpsuit can do the job with multi-threads.

    There is also a Burp Extension to the community edition, I believe it's the 'turbo intruder'. I'm not sure about the name, but I believe that's what it's called. It's a community driven, a bit less capable than intruder from what I read, but doesn't have the speed limits of the community intruder. That would probably the best option if you like burp

    As people here mentioned: burp pro goes full speed. But that will set you back a few hundred dollars

    For a specific task, you can always throw out a small script. Doesn't seem too complicated what you're trying to do, but managing all responses and filtering out the juicy ones may be again a different story.

    Zap is similar to burp, but I never bothered to look if it has some kind of intruder-like function... might be worth checking if there's anything down that path.

    if you really want to go fancy, it's actually not too hard to write a burp extension yourself, so you'll always have the possibility to write you own intruder without any limitation.

  • OWASP ZAP is my one-stop shop for webapp testing. It is free and has the "Pro" features you miss in the Burp Free version.

    k4wld
    Discord: k4wld#5627

Sign In to comment.