Turbo Intruder | How to use Turbo Intruder | BurpSuite | DOS Attack

solo
5 min readOct 27, 2020

Hey Guys !!! Hope you guys are well! Thanks for the great response to my previous writeup.

So lets start. Do you guys know what is Turbo Intruder and how to use it? If Yes than you can simply skip this writeup. This writeup is just basic on how to use Turbo Intruder in BurpSuite. I am going to use this tool in my next writeup so I thought to explain about this so no one get confuse in that writeup. In this tutorial I have used this on DOS Attack purpose but you can also use it for fast bruteforce attack. Bcoz its really faster than normal Burp’s Intruder!!!

What is Turbo Intruder?
- If you have used intruder in BurpSuite than you may get the idea what Turbo Intruder is by it’s name. Turbo Intruder is a BurpSuite’s extension to send multiple http request at the same time to the target server. You can say that its an advance version of BurpSuite’s Intruder. You can send billions of request at the same time using Turbo Intruder. And Its really fast.

Note : I am using BurpSuite Professional version, I dont know Turbo Intruder is available for Community edition or not so please verify it by yourself. If you can see this options (as mentioned below) than do the same to install it.

Disclaimer : This writeup is just for educational purpose. Please do not try this anywhere if you don't have permission. I am not responsible for your any activities.

Installation of Turbo Intruder :
- 1. Open the BurpSuite
2. Go to Extender tab

3. Go to BApp Store and find Turbo Intruder

4. Click on Install button (I have already installed that's why I have “reinstall” button instead of Install)
5. Done!!!

How to use Turbo Intruder :
- 1. Intercept the request where you want to perform the attack
Here I am using a simple vulnerable website to show you a demo
2. Select the value where you want to perform the attack

3. Right Click and send this request to turbo intruder

4. Now set your wordlist path here(I am using kali linux in this tutorial, If you are using window then simply copy your wordlist path and paste it here)

if you dont know how to set the path or getting errors while setting up the path than use the default path(which is already added in turbo intruder script)and copy your wordlist to this default path and name it here (this works for linux only bcoz there is not path like this in window or other OS)

5. Now here comes the main part of your attack.
Here this “concurrentConnection” is your thread level. Means how many connection you want at the same time. The default value will be set to 5.

And next is “requestPerConnection” as you can see this by its name this is your request amount per one connection.It’s default value is set to 100.

So now you are going to send 100 request per one connection and you have 5 connections at the same time. Yeah you are going to send a lot of requests. It may be possible that not all the 100 requests are going to pass successfully but its still going to work trust me!!!
6. Now Start the Attack and see the magic!!!

Here you can see something called “RPS”.

This is your “Request Per Second” If its more than 100 or 150 than normal site’s server may not be able to handle this and will shutdown soon. To verify your attack try to visit the site from different browser or from your phone. If its taking more than regular time to load or showing server down response than congrats you performed DOS Attack on the site!!!!

If the site is still not down then dont worry, we will do it too! LOL!!!

Now play with your RPS by changing the values of your “concurrentConnection” & “requestPerConnection”. Try to keep your connections at low and your requestPerConnection to high. And if its not working than you can also make your concurrentConnection to high and requests to low. For Example : concurrentConnection=500 and requestPerConnection=5.

Please keep in mind that your internet speed and your system configuration will affect your RPS. So better internet speed and better system will give more accurate result. And also watch for your wordlist length , if its short then attack will finish soon bcoz its too fast.
And sometimes I have faced the issue that its showing 0 RPS but its still working, verify it by visiting the site from different browser or from your phone.

If you guys have any queries regarding to this than please comment below. And also If you performed your first DOS Attack after reading this tutorial than please let me know your experience , I would really love to here about that.
PS : I was so happy when I did my first DOS Attack!!! It was really great experience.

Thank You soo much guys for reading it…See you in next writeup…It will be on DOS Attack! Stay Tuned!!!

Happy Hacking | Happy Hunting

--

--

solo

Penetration Tester | Bug Bounty Hunter | Ethical Hacker |