Lab: Credentials Enumeration based on different responses
This lab shows how to brute-force credentials with a standard Sniper attack against a website's login page using Burp Suite Intruder.
The lab did not provide any user credentials, but it did supply two wordlists, one of usernames and one of passwords. I saved both and then browsed the website to have a look around:
I navigated to the login page and submitted random credentials so that Burp would capture the login request:
With that request in hand, I sent it to Intruder for enumeration. I started by enumerating only the username with the default 'Sniper' attack type, then loaded the username wordlist as the payload:
Once the username attack finished, I sorted the results by response length in descending order to spot the outliers:
Only one username produced a different message: a warning about an incorrect password, whereas every other entry reported an incorrect username.
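The different messages are the whole vulnerability here, so the following added example (not code from the lab or from this writeup) shows a login handler in the leaky form beside a hardened one, and turns the Intruder comparison into a unit-style check. The user store, the message strings, the `/my-account` redirect target and the `leaks_user_existence` helper are all constructed for the demo; the 'att' / 'dallas' pair is reused from the lab as sample data.

```python
import hashlib
import hmac
from typing import Callable, Tuple

# Constructed user store for this example: username -> (salt, PBKDF2 digest).
# Iteration count is lowered from production values so the demo runs quickly.
_ITERATIONS = 20_000
_SALT = b"example-static-salt"  # one fixed salt keeps the demo deterministic


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {"att": (_SALT, _digest(_SALT, "dallas"))}  # the lab's account, as sample data
_DUMMY = (_SALT, _digest(_SALT, "not-a-real-password"))  # stand-in for unknown usernames
GENERIC_FAILURE = "Invalid username or password"
REDIRECT_TARGET = "/my-account"  # assumed post-login page


def login_vulnerable(username: str, password: str) -> Tuple[int, str]:
    """Returns (status, body). Two different failure messages let anyone separate
    existing accounts from unknown ones by sorting responses on length or text,
    exactly what the Intruder run in the writeup does."""
    record = USERS.get(username)
    if record is None:
        return 200, "Invalid username"
    salt, stored = record
    if not hmac.compare_digest(_digest(salt, password), stored):
        return 200, "Incorrect password"
    return 302, REDIRECT_TARGET


def login_hardened(username: str, password: str) -> Tuple[int, str]:
    """Same status, same body and same hashing work whether or not the username
    exists: the dummy digest is checked for unknown users so the failure path
    cannot be told apart by message, length or response time."""
    record = USERS.get(username)
    salt, stored = record if record is not None else _DUMMY
    ok = hmac.compare_digest(_digest(salt, password), stored) and record is not None
    if not ok:
        return 200, GENERIC_FAILURE
    return 302, REDIRECT_TARGET


def leaks_user_existence(handler: Callable[[str, str], Tuple[int, str]]) -> bool:
    """The Intruder comparison from the writeup as a regression check: the
    response for an unknown username must match the response for a known
    username with a wrong password. Any difference in status or body is a leak."""
    unknown = handler("no-such-user", "wrong-password")
    known = handler("att", "wrong-password")
    return unknown != known


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_user_existence(login_vulnerable))  # True
    print("hardened leaks:  ", leaks_user_existence(login_hardened))    # False
```

Running `leaks_user_existence` against every login-shaped endpoint in a test suite catches the regression before Intruder does; the sort-by-length step in the writeup is just this comparison done by hand over a whole wordlist.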
I then moved on to enumerating the password for the recognised user, 'att':
I loaded the password wordlist as the payload, started the attack, and set a filter to show only redirects, since a successful login is the only case that produces one:
Only one entry remained, 'dallas':
I used the username and password I had identified to log in as 'att':
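Both phases of this attack leave a recognisable trace in authentication logs: one source address failing against many distinct usernames in a short window (the username sweep), then a run of failures for a single account ending in a success (the password guess that landed). The following added example, not part of the lab or this writeup, implements both detections over a constructed log format; the line format, the sample events, the IP addresses and the thresholds are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any real product's format):
#   <ISO timestamp>Z ip=<source> user=<name> result=success|fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _line(t0, seconds, ip, user, result):
    ts = (t0 + timedelta(seconds=seconds)).strftime(TS_FORMAT)
    return f"{ts} ip={ip} user={user} result={result}"


def build_sample_log():
    """Constructed sample: 203.0.113.7 cycles through twelve usernames, then
    hammers the one account that exists until it gets in; 198.51.100.3 is a
    normal user who mistypes once. Addresses are documentation ranges."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = [_line(t0, i * 5, "203.0.113.7", f"user{i:02d}", "fail") for i in range(12)]
    lines += [_line(t0, 120 + i * 3, "203.0.113.7", "att", "fail") for i in range(5)]
    lines.append(_line(t0, 140, "203.0.113.7", "att", "success"))
    lines.append(_line(t0, 30, "198.51.100.3", "bob", "fail"))
    lines.append(_line(t0, 45, "198.51.100.3", "bob", "success"))
    return lines


def parse_log(lines):
    """Parse matching lines into dicts with a datetime 'ts'; ignore other lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FORMAT)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_username_enumeration(events, window=timedelta(minutes=5), min_users=10):
    """Flag source IPs whose failed logins cover >= min_users distinct usernames
    inside any sliding `window`. Returns {ip: max distinct users seen}."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails[e["ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, items in fails.items():
        best = 0
        for ts_end, _ in items:  # each failure closes one candidate window
            users = {u for ts, u in items if ts_end - window < ts <= ts_end}
            best = max(best, len(users))
        if best >= min_users:
            flagged[ip] = best
    return flagged


def detect_brute_force_success(events, window=timedelta(minutes=5), min_fails=3):
    """Flag (ip, user) pairs where a success follows >= min_fails failures for
    the same pair within `window`: the signature of a guessed password."""
    history = defaultdict(list)
    flagged = {}
    for e in events:
        key = (e["ip"], e["user"])
        if e["result"] == "fail":
            history[key].append(e["ts"])
            continue
        recent = [t for t in history[key] if e["ts"] - window < t <= e["ts"]]
        if len(recent) >= min_fails:
            flagged[key] = len(recent)
        history[key].clear()  # a success resets the failure streak
    return flagged


if __name__ == "__main__":
    ev = parse_log(build_sample_log())
    print("enumeration:", detect_username_enumeration(ev))
    print("brute force:", detect_brute_force_success(ev))
```

The quadratic window scan is fine for a demo and for per-IP batches of a few thousand events; for a streaming detector the same logic fits a deque per IP that drops entries older than the window as new ones arrive. Thresholds should be tuned on real traffic: a shared office NAT legitimately produces several distinct usernames per minute, which is why the enumeration rule counts distinct names rather than raw failures.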