Cluster Bomb takes one word list per position, and then tests every possible combination in sequence.
For example, assume one three-element word list containing one
, two
, and three
, a second three-element word list containing alpha
, beta
, and gamma
, and the body date foo=position1&bar=position2
. Then if position1
and position2
are both defined as positions, Cluster Bomb will produce the following sequence of attempts:
foo=one&bar=alpha
foo=one&bar=beta
foo=one&bar=gamma
foo=two&bar=alpha
foo=two&bar=beta
foo=two&bar=gamma
foo=three&bar=alpha
foo=three&bar=beta
foo=three&bar=gamma
This is a good approach for attacking login forms if you don’t already know the actual credentials, but want to fuzz using some set of likely values (like rockyou.txt).
Obviously this is the most expensive attack in terms of connections/time, and thus also the one most likely to get you noticed!