Turbo Intruder with Burp Macros - CSRF tokens
I was testing some brute force attacks against Roundcube. I tried Burp Suite, ZAP and my own python script. Burp Community Edition was kind of slow. I couldn't get ZAP to get the correct CSRF token and the python script was faster than Burp but still a little slow. Then I found Turbo Intruder which is an extension in Burp. It's very fast because: "Turbo Intruder uses a HTTP stack hand-coded from scratch with speed in mind. As a result, on many targets it can seriously outpace even fashionable asynchronous Go scripts."
When I finally figured out how to get Turbo Intruder to get a new CSRF token for each request using Burp's Sessions Macros, I compared it to my python script and it definitely was much faster. For the same attack (number of password attempts on one user), the python script took about 30 minutes and Turbo Intruder took about 3 minutes.
Here is a quick list of how to get it set up in Burp Suite (See screenshots below):