How to do it...

We'll use the WackoPicko admin section login to test this attack:

  1. First, we set up Burp Suite as a proxy to our browser.
  2. Browse to http://192.168.56.102/WackoPicko/admin/index.php?page=login.
  3. We will see a login form. Let's try "test" as both the username and the password.
  4. Now, go to Proxy's history and look for the POST request we just made with the login attempt and send it to Intruder.
  5. Click on Clear § to clear the pre-selected insertion positions.
  6. Now, we add insertion positions on the values of the two POST parameters (adminname and password) by highlighting the value of the parameter and clicking Add §:
  7. As we want our list of passwords to be tried against all users, we select Cluster bomb as the attack type:
  8. The next step is to define the values that Intruder is going to test against the inputs we selected. Go to the Payloads tab.
  9. In the textbox in the Payload Options [Simple list] section, add the following names:
    • user
    • john
    • admin
    • alice
    • bob
    • administrator
  10. Now, select list 2 from the Payload set box. This list will be our password list and we'll use the 25 most common passwords of 2017 for this exercise (http://time.com/5071176/worst-passwords-2017/):
  11. Start the attack. We can see that all responses have the same length apart from one: the admin/admin combination has a status 303 (a redirection) and a smaller length. If we look at it, we can see that it's a redirection to the admin's home page:
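The same signal the attacker reads in Intruder (a run of equal-sized failed responses and then a single 303) is also what a defender sees in the web server's access log. As an added example that is not part of the recipe, the following script scans constructed Apache-style log lines for clients that repeatedly POST to the WackoPicko admin login and reports whether a redirect followed the failures; the log lines, client addresses and the threshold are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed Apache "combined"-style access log lines (sample data, not from the
# page): one client hammers the WackoPicko admin login, every failed attempt is a
# 200 of identical size, and the guess that finally works is answered with a 303.
SAMPLE_LOG = """\
192.168.56.1 - - [10/Jan/2018:10:00:01 +0000] "POST /WackoPicko/admin/index.php?page=login HTTP/1.1" 200 1472
192.168.56.1 - - [10/Jan/2018:10:00:01 +0000] "POST /WackoPicko/admin/index.php?page=login HTTP/1.1" 200 1472
192.168.56.1 - - [10/Jan/2018:10:00:02 +0000] "POST /WackoPicko/admin/index.php?page=login HTTP/1.1" 200 1472
192.168.56.1 - - [10/Jan/2018:10:00:02 +0000] "POST /WackoPicko/admin/index.php?page=login HTTP/1.1" 200 1472
192.168.56.1 - - [10/Jan/2018:10:00:03 +0000] "POST /WackoPicko/admin/index.php?page=login HTTP/1.1" 303 311
192.168.56.7 - - [10/Jan/2018:10:00:04 +0000] "GET /WackoPicko/admin/index.php?page=login HTTP/1.1" 200 1472
192.168.56.7 - - [10/Jan/2018:10:00:05 +0000] "POST /WackoPicko/admin/index.php?page=login HTTP/1.1" 200 1472
"""

LOGIN_PATH = "/WackoPicko/admin/index.php?page=login"

# Minimal parser for the combined log format: client IP, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def detect_login_bruteforce(log_text, login_path=LOGIN_PATH, threshold=4):
    """Return {ip: {"attempts": n, "failures": f, "success_after_failures": bool}}
    for every client whose POSTs to login_path reach `threshold` (an assumed
    value; tune it to the site's normal traffic). A 303 that arrives after one
    or more failed attempts from the same client marks a guess that worked."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "success_after_failures": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue  # ignore unparsable lines, GETs and other URLs
        entry = per_ip[m["ip"]]
        entry["attempts"] += 1
        if m["status"] == "303" and entry["failures"] > 0:
            entry["success_after_failures"] = True
        elif m["status"] != "303":
            entry["failures"] += 1
    return {ip: e for ip, e in per_ip.items() if e["attempts"] >= threshold}


if __name__ == "__main__":
    for ip, e in detect_login_bruteforce(SAMPLE_LOG).items():
        print(ip, e)
```

Rate limiting or lockout on the admin login endpoint, and an alert on this pattern, are the mitigations the result points to.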