Burpsuite: Advanced Ethical Hacking Tutorial
10.1 Acquiring Burpsuite
At this point we need a tool for web application testing, and the one I'm going to get is Burp Suite. Burp Suite is a commercial offering: you pay for the Professional edition, and there is a less functional Free edition. With the Free edition you don't get Burp Scanner, the Intruder is throttled, and you can't save and restore state or search the data you've collected, among other things. So you can get started with some basic tests using the Free edition, but frankly the Professional edition is very reasonably priced compared with other commercial offerings that run into the thousands of dollars: at the time of this recording it is $299 per user per year. Burp Suite is a really capable web application tester with a lot of functionality, and that gives us the flexibility to do some very interesting things. So I'm going to download Burp now, and once the download is complete we'll look at how it works and how we can use it to do some web application testing.
10.2 Installing Burpsuite
At this point we've downloaded Burp Suite, and now we can get it running. There is really no installation required, because what you get is a .jar file, a Java archive, and the archive contains the entire application: it's effectively an executable on its own, which you run with the Java runtime (java -jar followed by the file name, or by double-clicking it where the desktop associates .jar files with Java). One of the other advantages of a Java executable is that it runs on any platform with a suitable Java runtime: right now I'm running it on a Mac, and I can run the same file on Linux or Windows. When I open Burp Suite the only thing it asks is that I agree to the license agreement; I accept that and the program comes up. If you buy the Professional edition you will receive a license key, and the very first time you run Burp it will prompt you to enter it. That's all the installation there is: no traditional installer, just accepting the license and, for Professional, entering your key.
10.3 Running Burpsuite And Configuring Your Browser
So I've got Burp Suite running at this point, and I'm actually running the Professional edition. I did download the Free edition and I have it here, but in order to demonstrate all of the functionality and go through the tests we'll be looking at, I'm going to use Professional. The other thing I need to do is configure my browser so that it uses Burp Suite. Burp is an intercepting proxy: you can see on the Proxy tab that Intercept is on, and I'm going to turn it off for now because I don't want to hold and edit requests yet. Under the proxy Options you can see the proxy listener, which is listening on the loopback interface, 127.0.0.1, on port 8080. Now I want to configure Firefox to use that. I go to Preferences, then Network, then Connection Settings, choose Manual proxy configuration and set the HTTP proxy to 127.0.0.1 port 8080; I also tick the option to use this proxy for all protocols, so HTTPS goes through Burp as well (for HTTPS sites the browser will warn about Burp's certificate until you import Burp's CA certificate into Firefox). Everything the browser does now goes through Burp. I may also want a proxy bypass: for instance, I don't want my own local traffic going through Burp, so I add localhost to the "No proxy for" list. There may be other things as well; we've seen that Firefox does a lot of update checking in the background, so to keep that out of Burp I add mozilla.org to the "No proxy for" list. Anything the browser does under the hood is a candidate for the bypass list, so that the Burp interface stays uncluttered and we only see the sites we actually want to work on. So I'll close the connection settings and close out my preferences.
And now that we've got Burp running and the proxy is ready to go, we can use Firefox, and everything it requests will run through Burp Suite.
10.4 Spidering
So we've got Burp Suite running and Firefox configured. What I want to do now is go to a web page, and then bring Burp Suite back up. To make sure I'm not looking at a cached copy I do a reload, which forces the request through the proxy. Now I've got the site in Burp Suite, and what I can do at this point is run a spider. A spider is a process that walks every page reachable on a site, following the links it finds, and it's easy to do with Burp Suite. Under the Target tab I've got the Site map, and here's the host I want to use. If I right-click it, I can choose "Spider this host". It asks whether I want to modify the scope, because we haven't added this host to the scope yet and Burp won't spider items outside the scope, so we add it. Over on the Scope tab you can see the host has been added. We could add any number of hosts to the scope. For example, I can add the same server over HTTPS: the host field is a regular expression, and in a regex a dot means any character, so each dot in the address has to be escaped. So I type the address with the dots escaped, for example 192\.168\.1\.1$, where the $ anchors the end so that a longer address such as 192.168.1.10 doesn't also match; I set the port to 443 and choose HTTPS. Now the encrypted side of this server is in scope as well, so any time we run across HTTPS traffic to it we'll see it too. If I go over to the Spider tab, you can see the spider is running; it keeps a request queue, and the queue has already cleared, so there's nothing left: we've been through all the pages that are available and we have a list of pages we could do something with. So our spider is complete.
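To make the regex point concrete, here is an added Python example (my own code, not Burp's) that reproduces what a Burp scope rule does: a protocol, a host regex that is searched rather than anchored for you, an optional port and an optional file regex, with exclude rules overriding include rules. The address 192.168.1.1 and the /dvwa/ paths are assumed for illustration, and the unanchored-search behaviour of the host field is my reading of how Burp matches it.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ScopeRule:
    """One row of Burp's scope table (field semantics assumed, see lead-in)."""
    protocol: str                # "http", "https" or "any"
    host: str                    # regex searched in the host name, not anchored for you
    port: Optional[int] = None   # None means any port
    file: str = ""               # regex searched in path+query; "" means any


def _port_of(parts) -> int:
    """Explicit port if the URL has one, otherwise the scheme default."""
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def rule_matches(rule: ScopeRule, url: str) -> bool:
    parts = urlsplit(url)
    if rule.protocol != "any" and parts.scheme != rule.protocol:
        return False
    if rule.port is not None and _port_of(parts) != rule.port:
        return False
    if re.search(rule.host, parts.hostname or "") is None:
        return False
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return rule.file == "" or re.search(rule.file, target) is not None


def in_scope(include: Iterable[ScopeRule], exclude: Iterable[ScopeRule], url: str) -> bool:
    """Burp semantics: a matching exclude rule wins; otherwise some include rule must match."""
    if any(rule_matches(r, url) for r in exclude):
        return False
    return any(rule_matches(r, url) for r in include)


# The rules as the text builds them: dots escaped, end anchored, so the host
# regex means "exactly this address" and not "anything of that shape".
STRICT = [
    ScopeRule("http", r"^192\.168\.1\.1$", 80),
    ScopeRule("https", r"^192\.168\.1\.1$", 443),
]
# Keep the spider and scanner away from the logout page (assumed path).
EXCLUDE = [ScopeRule("any", r"^192\.168\.1\.1$", file=r"^/dvwa/logout\.php")]

# The same address typed without escaping or anchoring: '.' matches any
# character and nothing pins the end of the host name.
SLOPPY = [ScopeRule("any", r"192.168.1.1")]

if __name__ == "__main__":
    for url in ("https://192.168.1.1/dvwa/login.php",
                "http://192.168.1.10/",
                "http://192x168x1x1.example.net/"):
        print(f"{url:40} strict={in_scope(STRICT, EXCLUDE, url)} sloppy={in_scope(SLOPPY, [], url)}")
```

The sloppy rule accepts 192.168.1.10 and even an attacker-controlled host name like 192x168x1x1.example.net, which matters because the spider follows links and the scanner attacks whatever is in scope; escaping the dots and anchoring with ^ and $ is what keeps both on the box you are authorised to test.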
10.5 Passive Scanning
One of the nice things about Burp Suite is that it gives me the ability to do passive scanning. What I want to do here is take a look at a specific page and just click around a little: enter some data here, go back to the main page and see what else we've got, take a look at this section, and now log in with the admin username. Once I log in correctly it brings up this page, and I've got some pages I've visited. Now I go back to Burp Suite, and what Burp Suite has been doing is examining every request and response as I went through those pages. I don't have to run a scan, which can look like a scan in the web server's logs and can trigger alerts if somebody on the server side is watching for that. With Burp Suite sitting in the middle as a proxy, it sees everything on the way through and evaluates it. It's not going to do a full-bore scan and check for absolutely everything, but it can check for some simple things. So you can see here that we've got some results, and again I haven't run a scan; it found these just from me clicking through the site. This is passive scanning: we use the website in a normal fashion and let Burp Suite pay attention to the requests and responses and report what it finds. In this case we went to a website and submitted a password, but we weren't using HTTPS, so Burp Suite has flagged it as a cleartext submission of password, which is generally considered a no-no: you don't want to send passwords unencrypted. We've also got a "cookie without HttpOnly flag set", 
which is another issue that may be worth flagging to somebody, and over here we've got potential clickjacking, because the page doesn't tell the browser it must not be framed. So Burp Suite has been paying attention as we've been going through the site and has found some issues. The more pages I visit, the more things Burp Suite has the potential to find, so I may get a number of other results here.
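The three findings above are all decided from one request/response pair without sending anything extra, which is what makes them passive. The following Python is an added example of my own, not Burp's scanner code: it parses a raw HTTP message the way Burp shows it and applies those three checks (cleartext password over http, Set-Cookie without HttpOnly or Secure, HTML response with no X-Frame-Options or CSP frame-ancestors). The sample login request and responses are constructed to resemble a DVWA login, and the list of password field names is an assumption.

```python
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import parse_qs


@dataclass
class HttpMessage:
    start_line: str
    headers: List[Tuple[str, str]]   # (lower-cased name, value); repeated headers kept
    body: str


def parse_http(raw: str) -> HttpMessage:
    """Split a raw HTTP message, as Burp displays it, into start line, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return HttpMessage(lines[0], headers, body)


def header_values(msg: HttpMessage, name: str) -> List[str]:
    return [v for n, v in msg.headers if n == name]


PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}   # assumed field names


def passive_checks(scheme: str, request_raw: str, response_raw: str) -> List[str]:
    """Passive findings for one request/response pair; nothing is sent anywhere."""
    req, resp = parse_http(request_raw), parse_http(response_raw)
    findings = []

    # Cleartext submission of password: a POST over plain http carrying a password field.
    method = req.start_line.split(" ", 1)[0]
    if scheme == "http" and method == "POST":
        if PASSWORD_FIELDS & {k.lower() for k in parse_qs(req.body)}:
            findings.append("Cleartext submission of password")

    # Cookie flags: each Set-Cookie header is checked on its own.
    for cookie in header_values(resp, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"Cookie without HttpOnly flag set: {name}")
        if scheme == "https" and "secure" not in attrs:
            findings.append(f"Cookie without Secure flag set: {name}")

    # Clickjacking: an HTML page protected by neither X-Frame-Options nor CSP frame-ancestors.
    ctype = header_values(resp, "content-type")
    if ctype and ctype[0].lower().startswith("text/html"):
        csp = " ".join(header_values(resp, "content-security-policy")).lower()
        if not header_values(resp, "x-frame-options") and "frame-ancestors" not in csp:
            findings.append("Frameable response (potential Clickjacking)")
    return findings


# Constructed sample traffic: a DVWA-style login over plain http.
LOGIN_REQUEST = (
    "POST /dvwa/login.php HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 44\r\n"
    "\r\n"
    "username=admin&password=password&Login=Login"
)
WEAK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Set-Cookie: security=low\r\n"
    "Location: index.php\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure\r\n"
    "Location: index.php\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("http, weak     :", passive_checks("http", LOGIN_REQUEST, WEAK_RESPONSE))
    print("https, hardened:", passive_checks("https", LOGIN_REQUEST, HARDENED_RESPONSE))
```

Running the same request against the hardened response over https produces no findings, which is the shape of the fix you would hand to the developers: serve the form over TLS, set HttpOnly and Secure on the session cookie, and send X-Frame-Options (or a CSP frame-ancestors directive).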
10.6 Active Scanning
At this point we're done with Firefox for the moment. It has loaded some pages for us inside Burp Suite, we've done a little tinkering around and a little passive scanning. What we're going to get into now is active scanning. Again, this isn't particularly complex; it's very simple. We just right-click the target we want, and if we wanted we could select multiple hosts, but let's go back to the single one, because the process is the same. So we right-click that one target and choose "Actively scan this host", and what comes up is the active scanning wizard. The first step lets us remove duplicate items with the same URL and parameters; it looks like there are 19 of those. We could also remove items with no parameters: if there are no parameters, there's no programmatic input to the page in that way, it's just a static page, so there may be no particular reason to spend time there. I'm going to leave those alone for now. I could also remove items with particular extensions, like JavaScript, GIF, JPEG, PNG or CSS files; in this case I'll leave that alone too, and it doesn't matter anyway because this site turned up no items in those categories. So I go to Next. It shows me the list of items selected for scanning, and you can see the number of parameters in one column, the number of cookies, the status code we got when we visited previously, the length, the MIME type and the extension. There are some .pl pages, some .html, some .php, and it looks like a text file as well. I click OK to finish the wizard, and now the scanner starts.
If I click over to the Scanner tab I've got Results and the Scan queue. The scan queue shows each item with the number of requests made so far, the number of errors if there were any, and the status, which is the status of the scan item itself as opposed to the HTTP status of the responses. We've already got some issues, colour-coded by severity: some informational items, a few high-severity items (looks like three) and a medium one. The scan will work through all of the requests it needs to make, and then we'll be able to look at the results and see what we've actually found and what we may be able to do some further testing with.
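The wizard's first page is worth understanding because it decides how many requests the scanner will fire at the target. Here is an added Python example of my own (not Burp's code) that applies the same three filters to a site map: drop duplicates that share a URL and parameter names (values and parameter order don't count), optionally drop items with no parameters, and drop static extensions. The site map below is constructed, and the extension list is the one I read off the wizard's checkbox.

```python
from typing import Iterable, List, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

# The extensions the wizard offers to drop, as read from its checkbox (assumed list).
STATIC_EXTENSIONS = {"js", "gif", "jpg", "jpeg", "png", "css"}


def item_signature(url: str) -> Tuple[str, str, str, Tuple[str, ...]]:
    """What 'same URL and parameters' means here: scheme, host, path and the
    sorted parameter names; values and parameter order do not matter."""
    parts = urlsplit(url)
    names = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return (parts.scheme, parts.netloc, parts.path, names)


def extension_of(path: str) -> str:
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def select_scan_items(urls: Iterable[str], drop_no_params: bool = False,
                      drop_extensions: Set[str] = STATIC_EXTENSIONS) -> List[str]:
    """Apply the wizard's three filters in order, keeping the first copy of each item."""
    seen = set()
    kept = []
    for url in urls:
        sig = item_signature(url)
        if sig in seen:
            continue                       # duplicate: same URL and parameter names
        seen.add(sig)
        if drop_no_params and not sig[3]:
            continue                       # static page, nothing to inject into
        if extension_of(sig[2]) in drop_extensions:
            continue                       # script, image or stylesheet
        kept.append(url)
    return kept


# Constructed site map, in the order the spider might have recorded it.
SITE_MAP = [
    "http://192.168.1.1/dvwa/login.php",
    "http://192.168.1.1/dvwa/login.php",
    "http://192.168.1.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit",
    "http://192.168.1.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=2",
    "http://192.168.1.1/dvwa/vulnerabilities/xss_r/?name=test",
    "http://192.168.1.1/dvwa/dvwa/css/main.css",
    "http://192.168.1.1/dvwa/dvwa/images/logo.png",
    "http://192.168.1.1/dvwa/dvwa/js/dvwaPage.js",
    "http://192.168.1.1/dvwa/about.php",
]

if __name__ == "__main__":
    for url in select_scan_items(SITE_MAP):
        print(len(item_signature(url)[3]), "param(s):", url)
    print("parameterised only:", select_scan_items(SITE_MAP, drop_no_params=True))
```

Note that the two sqli URLs collapse into one item even though their id values differ; that is the right call for scanning, since the scanner replaces the value anyway, but it is why you still want both in the site map for manual follow-up.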
10.7 Investigating Results
We've been doing some scanning here and I've got a number of results from the site we've been looking at. I want to look through some of these and show how you would go about examining them and the different ways you can see what's going on. As you go through them you may want to follow up manually: that may mean using something like netcat or telnet to connect to the server and issue requests by hand, or going to the browser and submitting the specific values through the form pages. There are different ways of following up; what we're really talking about here is how you can see what actually happened from inside Burp Suite. So here in Burp Suite I've got this "Cross-site scripting (reflected)" issue. Selecting the issue shows the advisory; what I need to do is click on one of the specific instances, and that gives me two additional tabs, Request and Response. The Request tab is the raw request with all of the HTTP headers exactly as they were sent to the server; the Params view breaks out the parameters, the Headers view breaks the headers out by field, and there's a hex view if you want to look at it that way. The Response tab is a little different: the raw view shows the HTTP headers, and we've got HTTP/1.1 200 OK, so the request succeeded; then the Headers and hex views again, and an HTML view if you want to read the markup. But here's what's really useful: there's a Render view, which shows roughly what the page would look like in a browser.
Now, nothing stands out to me in the render, although I can see where Burp Suite would have flagged it: the angle brackets and the text it injected are right there, so we got the alert script back in the page. The render didn't produce an alert box, but that's because Burp's render view doesn't execute JavaScript; it can't show you that. So this is something you want to follow up on: go back to the request, find the payload Burp sent, copy it out, and submit it in the browser on the page that generated the problem. Let's do that now: I paste the payload into the form on that page, and sure enough, we get an alert box back, where we didn't through Burp Suite. So that's an example of why you want to follow up with a browser: it isn't clear from Burp alone whether the script ran. Seeing the script echoed unencoded in the response suggests pretty strongly that something did happen, but you want to go back to the browser and see what really happened, because a render inside Burp Suite isn't the same as the page executing in a real browser. We've got other issues we could look at. Here's a potential SQL injection, with its request and response. Again we can go to the render and see what happened, and it doesn't look like anything happened at all, so it isn't clear why this request was flagged as SQL injection. Here's the second request for the same issue, and we'll look at its response.
Flipping down through the HTML, again I don't see anything that would suggest the SQL injection actually succeeded. So this is one where you want to double-check through the browser and see how the page really behaves. Burp may have captured something incorrectly, or may have flagged it without fully understanding what happened; its boolean-based and time-based checks in particular rely on small differences between two responses, so compare the two side by side rather than eyeballing one. So go back to the raw request, make some changes, issue the GET yourself and see how the application responds. That's how you investigate results: part of it is looking at what Burp flagged and seeing whether it makes sense, and often you have to go validate what Burp saw and do some additional playing around to reproduce it. For example, that SQL injection check may have seen something it thought would open the door to injection, but the response that was captured didn't indicate any real success, so you may want to do a little additional work there.
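Two of the checks described above can be scripted, and the following Python is an added example of mine (not Burp's logic) that does both: it classifies how a payload came back in a response body (raw, HTML-encoded, URL-encoded or absent), since only a raw reflection can execute as script, and it compares two responses by status, length and similarity, which is the evidence you need before believing a SQL injection finding. The response bodies are constructed to resemble DVWA's reflected XSS and SQL injection pages.

```python
import difflib
import html
from typing import Dict, Tuple
from urllib.parse import quote


def reflection_context(payload: str, body: str) -> str:
    """How a payload came back in the page: only a raw reflection can run as script."""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "html-encoded"
    if quote(payload, safe="") in body:
        return "url-encoded"
    return "absent"


def split_response(raw: str) -> Tuple[str, str]:
    """Status line and body of a raw HTTP response as Burp shows it."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head.split("\n")[0], body


def compare_responses(baseline_raw: str, candidate_raw: str) -> Dict[str, object]:
    """Evidence (or lack of it) for an injection: a payload that changes nothing
    about the response is not a finding yet."""
    base_status, base_body = split_response(baseline_raw)
    cand_status, cand_body = split_response(candidate_raw)
    return {
        "status_changed": base_status != cand_status,
        "length_delta": len(cand_body) - len(base_body),
        "similarity": difflib.SequenceMatcher(None, base_body, cand_body).ratio(),
    }


XSS_PAYLOAD = "<script>alert(1)</script>"
# Constructed DVWA-style responses to the reflected XSS page, with and without output encoding.
XSS_RAW_BODY = "<div class='vulnerable_code_area'><pre>Hello <script>alert(1)</script></pre></div>"
XSS_ESCAPED_BODY = "<div class='vulnerable_code_area'><pre>Hello &lt;script&gt;alert(1)&lt;/script&gt;</pre></div>"

# Constructed responses to a SQL injection probe: the baseline, a probe that
# changed nothing (the case in the text), and a probe that changed the page.
SQLI_BASELINE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<pre>ID: 1<br>First name: admin<br>Surname: admin</pre>"
SQLI_SAME = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<pre>ID: 1<br>First name: admin<br>Surname: admin</pre>"
SQLI_DIFFERENT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<pre>ID: 1' and '1'='2<br></pre>"

if __name__ == "__main__":
    print("raw page    :", reflection_context(XSS_PAYLOAD, XSS_RAW_BODY))
    print("escaped page:", reflection_context(XSS_PAYLOAD, XSS_ESCAPED_BODY))
    print("no change   :", compare_responses(SQLI_BASELINE, SQLI_SAME))
    print("changed page:", compare_responses(SQLI_BASELINE, SQLI_DIFFERENT))
```

A similarity of 1.0 and a length delta of 0 is exactly what the SQL injection issue in the text looked like: nothing to see, so nothing to report until you can make a true and a false condition produce different pages.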
10.8 Password Attacks
At this point I want to take a look at doing some password attacks using Burp Suite. The first thing I need to do is go to a web page and seed Burp Suite with a request it can use. So I bring up the Damn Vulnerable Web Application login form, plug in some bogus values just to generate a request, and then minimize the browser and go over to Burp Suite. I've got my request here with a username and password, and you can see the two parameters down below as well as the Login button that was submitted. I right-click the request and send it to Intruder. On the Intruder tab there's the Target tab with the host and port, and the important one is Positions. Burp has marked the parameters it thinks it can manipulate: it found the security cookie and the PHP session ID, and I want to clear those, and I'll clear the Login parameter as well because we don't need that. That leaves username and password as my payload positions, and I'm going to use a cluster bomb attack. The reason I'm using cluster bomb rather than sniper is that sniper uses a single payload set, say a list of usernames, and inserts it into one position at a time. I need to specify two payload sets and try every combination, and that's what a cluster bomb attack does. Now I go over to Payloads and specify each set. Payload set 1 corresponds to my first position, the username, so I'll use a simple list here
and add the usernames I want to try, including admin. Payload set 2 corresponds to my second position, the password, so I set a simple list here as well and add passwords, including "password". Now it's really as simple as running the attack. I could do some additional payload processing: there are rules for adding prefixes and suffixes, doing replacements, modifying case, encoding and decoding, and so on. In this case all I want to do is plug usernames and passwords into the two fields and see whether we can find a working combination. So I go up to the Intruder menu and start the attack. You can see we've got a very large number of combinations, because every username is checked against every password, so we've got a lot of requests to make. I'll make the window a bit larger so we can see. I've got each request, and I can look at the response: the raw response is a 302 Found, and we can look at the headers as well. A 302 on its own doesn't tell you whether the login worked, because this application redirects on failure too; what distinguishes a successful guess is where it redirects to (the Location header) and the response length, so sort the results by length or status and look for the one that differs. We're going to keep getting 302s, and eventually it should hit the right username and password combination after running through all of these. It does take some time to run through all of the requests, and this is on my local network; if you were doing this over a wide area network like the Internet it would run slower, depending on the bandwidth you've got, the capacity of the server and so on. But there are a lot of requests to be made here:
it looks like something like 30 million, and that's just going to take some time. But that's how you do brute force password checking using Burp Suite: you use Intruder with a cluster bomb attack and set your payload positions to the username and password fields. You could specify your own lists if you wanted, but Burp Suite includes a username list and a password list as part of the package. So that's how you do password checking and guessing with Burp Suite.
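To show what the attack types actually generate, and why cluster bomb produces the product of the two list sizes, here is an added Python example of my own (not Burp's implementation). It splits a request body on Burp's § position markers, implements all four attack types (sniper, battering ram, pitchfork, cluster bomb), runs them against a stand-in login handler, and then picks out hits by the redirect target rather than the status code, since both outcomes are 302s. The fake_login function and the short word lists are constructed for the example; its behaviour is only loosely modelled on DVWA.

```python
import itertools
from typing import Callable, List, Sequence, Tuple
from urllib.parse import parse_qsl

MARK = "§"   # Burp's payload position marker


def split_positions(template: str) -> Tuple[List[str], List[str]]:
    """'a=§x§&b=§y§' -> literals ['a=', '&b=', ''] and base values ['x', 'y']."""
    pieces = template.split(MARK)
    if len(pieces) % 2 == 0:
        raise ValueError("unbalanced § markers")
    return pieces[0::2], pieces[1::2]


def render(literals: Sequence[str], values: Sequence[str]) -> str:
    out = [literals[0]]
    for value, literal in zip(values, literals[1:]):
        out += [value, literal]
    return "".join(out)


# Each attack type yields one tuple of values per request, one value per position.
def sniper(bases, sets):
    """One payload set, one position at a time; other positions keep their base value."""
    for i in range(len(bases)):
        for payload in sets[0]:
            yield tuple(payload if j == i else base for j, base in enumerate(bases))


def battering_ram(bases, sets):
    """One payload set, the same payload in every position at once."""
    for payload in sets[0]:
        yield tuple(payload for _ in bases)


def pitchfork(bases, sets):
    """One set per position, walked in parallel (stops at the shortest list)."""
    yield from zip(*sets[: len(bases)])


def cluster_bomb(bases, sets):
    """One set per position, every combination: the product of the list sizes."""
    yield from itertools.product(*sets[: len(bases)])


ATTACK_TYPES = {"sniper": sniper, "battering ram": battering_ram,
                "pitchfork": pitchfork, "cluster bomb": cluster_bomb}


def run_attack(attack: str, template: str, sets: List[List[str]],
               send: Callable[[str], Tuple[int, str]]):
    literals, bases = split_positions(template)
    results = []
    for values in ATTACK_TYPES[attack](bases, sets):
        status, location = send(render(literals, values))
        results.append((values, status, location))
    return results


def hits(results, failure_location: str = "login.php"):
    """Both outcomes are 302s; only the redirect target separates a hit from a miss."""
    return [values for values, _, location in results if location != failure_location]


def fake_login(body: str) -> Tuple[int, str]:
    """Stand-in for the target (constructed, loosely modelled on DVWA's login.php):
    302 to index.php on success, 302 back to login.php on failure."""
    params = dict(parse_qsl(body))
    ok = (params.get("username"), params.get("password")) == ("admin", "password")
    return 302, "index.php" if ok else "login.php"


LOGIN_TEMPLATE = "username=§admin§&password=§x§&Login=Login"
USERNAMES = ["admin", "gordonb", "pablo"]
PASSWORDS = ["123456", "letmein", "password", "abc123"]

if __name__ == "__main__":
    for attack in ATTACK_TYPES:
        results = run_attack(attack, LOGIN_TEMPLATE, [USERNAMES, PASSWORDS], fake_login)
        print(f"{attack:13} {len(results):3} requests, hits: {hits(results)}")
```

With three usernames and four passwords, cluster bomb makes 12 requests and is the only type that finds admin/password; scale the lists up to Burp's built-in ones and you get the tens of millions of requests the attack window reports, which is why you throttle, narrow the username list first, and watch the Location header instead of waiting for a different status code.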
10.9 Fuzzing Attacks
We've done some basic work with Burp Suite at this point. One of the things I want to look at now is fuzzing attacks. Fuzzing is useful for a lot of reasons: you could be fuzzing to try different forms of SQL injection or cross-site scripting, trying to break a session token, or trying to cause a denial of service to demonstrate that the application code is weak or isn't doing good input validation. So let me show you a few things about fuzzing with Burp Suite. First, let's do a little playing around on the website so we have some requests to look at in Burp Suite, because we need a request to send to the tool that does the fuzzing. Right here I've got a request with two parameters, player and admin, and I want to send it to Intruder. On the Intruder tab I've got the target, and under Positions you can see two sections highlighted: these are where the payloads will be inserted, and the payload is what does the fuzzing. So I select the variables I want to play with; I'll clear the first one, because I just want to fuzz the admin parameter. The sniper attack type is fine for this, since we're only using one position. My payload set is number 1 (if there were multiple positions I could pull that down and select them), and my payload type is a simple list. Let's do some quick fuzzing: we send in some garbage, basically, and see how the application handles it.
So I've got my payload set up, and now I run the attack. It runs through the list and we watch the status column. This was just some very simple garbage and we got 200 OK from all of it. I could also use the full fuzzing list, which adds a lot more payloads around SQL injection, command injection and the like, so I start the attack again with that list. I'm still getting 200s, and I can look at the request and response to see whether anything unusual comes back; it doesn't look like there's much of interest, so we didn't get much of a result there. I could also use the custom iterator payload type, which builds payloads by combining several lists, and run an attack with that. I could also add anything I want to the list myself. So there's flexibility: I can use the built-in lists that come with Burp Suite or create my own. There are other payload types too, like character substitution, which changes letters into numbers, because a letter often looks a little like a number (an o and a 0, for instance). Let me select the full list again with that applied and see what we get.
So I start the attack, and you can see that we're sending in zeros instead of o's and that a number of other characters are being converted to numbers. That's the built-in substitution table, and notice the total: 656,670 requests, because it generates every combination of substituted and unsubstituted letters in each word. I'm going to pause that and cancel it. But you can see that Burp Suite gives me a lot of capability for fuzzing attacks. There's also a brute forcer payload type where I set a character set and the minimum and maximum length and it generates every string in that range. So Burp Suite has a lot of capability for sending variable data, and variable-length data, into a web application just to see what sort of results we get and whether that leads anywhere useful.
10.10 Doing Sequencing
One of the things we haven't really looked at is whether parameters like a session ID may be vulnerable to attack, that is, whether they can be predicted. Burp Suite comes with a component, the Sequencer, that does some testing around that. So first I'm going to visit a site on my local system to seed Burp Suite with some requests, and to get a little more data I'm going to log in. Now I go back to Burp Suite, find the request to the login page, and send it to the Sequencer, which is the tool we're going to work with here. In the Sequencer I've got the request, and the thing about the response to that request that I'm interested in is the PHPSESSID cookie: I want to know whether the session ID is actually random or whether it's something I may be able to guess. There are different settings: I could point it at a form field instead of a cookie, or at a custom location in the response, and there are live capture options; I'll leave all of those alone. Then I start the live capture. What the capture does is repeat that request to the server over and over, collecting the token it issues each time, and then compare the tokens. I turn on auto analyze, which re-runs the analysis after every 100 tokens. At this point it reports that the randomness within the sample is extremely poor.
That's only after 100 tokens, though, so we don't have enough data yet to give an accurate assessment of whether it's really that poor or somewhat better. Since this application is designed to be broken into I'm guessing it won't be very good, but 100 or 200 tokens isn't a lot for this kind of analysis. Now we've gone through something over 300, on the way to 400, and you can see we've got information to look at to decide whether the session ID is random. The character-level analysis shows, for each character position in the token, how much that position contributes, and it gives the overall effective entropy along with a reliability figure. The reliability is still poor at this point because we just don't have enough tokens to know; it flipped over while we were doing that. Beyond character-level analysis there are counts and transitions, and there's a bit-level analysis which includes the FIPS tests: these are the statistical tests from the FIPS 140 standard (monobit, poker, runs and long-run tests over the bit stream), which come from a US government programme for validating the security of cryptographic modules. One caveat: these tests measure the statistical randomness of the sample, not predictability, so a token made by hashing a counter would look random here even though an attacker who knows the scheme can compute the next one. So that's the Sequencer that comes with Burp Suite, and it tests whether tokens are random or not.
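To show what the Sequencer's two views are computing, here is an added Python example of mine (not Burp's analysis engine): a per-position character entropy, which is the character-level view, and the four FIPS 140-2 statistical tests (monobit, poker, runs, long run) over the first 20,000 bits, which is the bit-level view. The three token samples are constructed, 200 tokens of 32 hex digits each like a PHPSESSID: a plain counter, an MD5 of a counter, and a seeded pseudo-random generator. The summed per-position entropy is an upper bound that treats positions as independent; Burp's effective entropy figure is computed differently.

```python
import hashlib
import math
import random
from collections import Counter
from typing import Dict, List


def char_level_entropy(tokens: List[str]) -> List[float]:
    """Shannon entropy, in bits, of the character at each position across the sample."""
    n = len(tokens)
    width = min(len(t) for t in tokens)
    result = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def hex_tokens_to_bits(tokens: List[str]) -> str:
    """Concatenate hex tokens into one bit string for the bit-level tests."""
    return "".join(format(int(t, 16), "0%db" % (4 * len(t))) for t in tokens)


# FIPS 140-2 run-length limits for 20,000 bits; key 6 means "six or longer".
RUN_BOUNDS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}


def fips_140_2(bits: str) -> Dict[str, bool]:
    """The four FIPS 140-2 statistical tests on the first 20,000 bits."""
    if len(bits) < 20000:
        raise ValueError("need at least 20,000 bits; collect more tokens")
    b = bits[:20000]
    result = {"monobit": 9725 < b.count("1") < 10275}

    nibbles = Counter(b[i:i + 4] for i in range(0, 20000, 4))
    poker = (16 / 5000) * sum(c * c for c in nibbles.values()) - 5000
    result["poker"] = 2.16 < poker < 46.17

    runs = {"0": Counter(), "1": Counter()}
    longest = i = 0
    while i < 20000:
        j = i
        while j < 20000 and b[j] == b[i]:
            j += 1
        longest = max(longest, j - i)
        runs[b[i]][min(j - i, 6)] += 1
        i = j
    result["runs"] = all(lo <= runs[v][k] <= hi
                         for v in "01" for k, (lo, hi) in RUN_BOUNDS.items())
    result["long_run"] = longest < 26
    return result


def analyse(tokens: List[str]) -> Dict[str, object]:
    entropy = char_level_entropy(tokens)
    return {"entropy_per_position": entropy,
            "summed_entropy_bits": sum(entropy),   # upper bound, positions assumed independent
            "fips": fips_140_2(hex_tokens_to_bits(tokens))}


# Constructed token samples: 200 tokens of 32 hex digits, like a PHPSESSID.
def sequential_tokens(n: int) -> List[str]:
    return ["%032x" % i for i in range(1, n + 1)]


def hashed_counter_tokens(n: int) -> List[str]:
    return [hashlib.md5(str(i).encode()).hexdigest() for i in range(1, n + 1)]


def random_tokens(n: int, seed: int = 2024) -> List[str]:
    rng = random.Random(seed)   # seeded so the run is reproducible
    return ["%032x" % rng.getrandbits(128) for _ in range(n)]


if __name__ == "__main__":
    for label, sample in (("sequential", sequential_tokens(200)),
                          ("md5(counter)", hashed_counter_tokens(200)),
                          ("random", random_tokens(200))):
        report = analyse(sample)
        print(f"{label:13} summed entropy {report['summed_entropy_bits']:6.1f} bits, FIPS {report['fips']}")
```

The counter tokens fail everything, as the text's "extremely poor" verdict would predict, and the seeded generator passes. The md5(counter) sample is the caveat from the text in code: statistically it looks like the random sample, yet anyone who guesses the scheme can enumerate every session, so a clean Sequencer result is necessary but not sufficient.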
10.11 Using the Intruder
One of the really effective tools in Burp Suite is the Intruder, and we would use the Intruder for a number of different things. Let's pick something: I'll go back to the Scanner and that SQL injection issue we thought we'd seen. In the Target tab I select the request I want to play with, which was the root page of the DVWA directory, and send it to Intruder; that populates the Intruder tab with the request. I've got my target host and port, and under Positions Burp has marked a number of places it thinks are variables we may want to play with. There are several attack types here, and they differ in how many payload sets they use and how the payloads are inserted into the positions; for this I'll use sniper. I'm going to clear these two positions and leave this one alone, so now under Payloads I've only got one payload set, for the one position we've marked. I'm going to choose a simple list, although you can see there are a number of different payload types, and from the preset lists I'll choose "Fuzzing - SQL injection". All of those entries will be inserted, one at a time, into that field, and we'll see what we get once it has iterated through them. So this is a series of SQL injection attacks, and we can run it now.
I go up to the Intruder menu, start the attack, and it pops up the attack window; let me open it up a bit more so we can see what's going on. We're getting status 302 throughout; here's the request, and if we look at the response it says 302 Found but doesn't appear to give us any data. So it doesn't look like we had any success with these attacks: all 302s, and the length is the same. If I had seen a different length I'd be inclined to look at that one further, but a length of 372 for every response suggests to me that nothing much came back, so I can close this down. Let's look at some of the other lists that come built into Burp Suite. You can of course create lists of your own: add a new item right here, click Add, and build up your own list. But there's quick fuzzing and full fuzzing, and there are usernames and passwords, so if I wanted to brute force a username and password I could do that from here; I'll select Usernames, and since I didn't clear the list first those usernames are appended to the end of what I had. There's also an a-z list, and you'll see a to z at the end. And above the preset lists there are other payload types, like character substitution: if I load the short words list and apply substitution to all of them, a becomes 4, b becomes 8, and so on. I can also add payload processing rules, like a match and replace; if I see foo, for example, I can replace it with wubble.
I can reverse a substring, say from offset 0 to 8, which reverses everything in that range. I can modify case: everything to lower case, to upper case, to Propername (first letter capitalised, the rest lowered) or to ProperName (first letter capitalised, the rest left as they were), which is sometimes called camel case. So there are a number of ways to process payloads and generate payloads with the Intruder. It opens a lot of doors for exploring web applications and seeing what kinds of vulnerabilities you can turn up with Burp Suite's Intruder.
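The payload types and processing rules described in sections 10.9 and 10.11 are easy to reason about once you see them as generators and string functions. Here is an added Python example of my own (not Burp's code) covering both sections: character substitution that expands every combination of substituted letters, the brute forcer with a character set and length range, the custom iterator that combines lists, and processing rules (prefix, suffix, match/replace, reverse substring, case modification) applied in order. The substitution table is what I take to be Burp's default, the Propername/ProperName semantics follow the text, and the short word list is a constructed stand-in for the built-in one.

```python
import itertools
import re
from typing import Callable, Iterable, Iterator, List, Sequence

# Burp's default character substitution table (assumed from the payload type's defaults).
DEFAULT_SUBSTITUTIONS = {"a": "4", "b": "8", "e": "3", "g": "9",
                         "i": "1", "o": "0", "s": "5", "t": "7"}


def character_substitution(word: str, table=DEFAULT_SUBSTITUTIONS) -> List[str]:
    """Every combination of substituted and unsubstituted letters, original first.
    A word with k substitutable letters expands to 2**k payloads, which is how a
    short word list turns into hundreds of thousands of requests."""
    choices = [(ch, table[ch]) if ch in table else (ch,) for ch in word]
    return ["".join(combo) for combo in itertools.product(*choices)]


def brute_forcer(charset: str, min_len: int, max_len: int) -> Iterator[str]:
    """Every string over the character set from min_len to max_len characters."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def brute_force_count(charset: str, min_len: int, max_len: int) -> int:
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def custom_iterator(lists: Sequence[Sequence[str]], separator: str = "") -> Iterator[str]:
    """Combine one item from each list in order, like the custom iterator's positions."""
    for combo in itertools.product(*lists):
        yield separator.join(combo)


# Payload processing rules: each is a function applied to a payload in turn.
def add_prefix(prefix: str) -> Callable[[str], str]:
    return lambda s: prefix + s


def add_suffix(suffix: str) -> Callable[[str], str]:
    return lambda s: s + suffix


def match_replace(pattern: str, replacement: str) -> Callable[[str], str]:
    return lambda s: re.sub(pattern, replacement, s)


def reverse_substring(start: int, end: int) -> Callable[[str], str]:
    return lambda s: s[:start] + s[start:end][::-1] + s[end:]


def modify_case(mode: str) -> Callable[[str], str]:
    """Case options: lower, upper, Propername (rest lowered), ProperName (rest kept)."""
    def rule(s: str) -> str:
        if mode == "lower":
            return s.lower()
        if mode == "upper":
            return s.upper()
        if mode == "Propername":
            return s[:1].upper() + s[1:].lower()
        if mode == "ProperName":
            return s[:1].upper() + s[1:]
        return s
    return rule


def process(payloads: Iterable[str], rules: Sequence[Callable[[str], str]]) -> Iterator[str]:
    for payload in payloads:
        for rule in rules:
            payload = rule(payload)
        yield payload


SHORT_WORDS = ["boss", "foo", "test", "wubble"]   # constructed stand-in for the built-in list

if __name__ == "__main__":
    substituted = [v for w in SHORT_WORDS for v in character_substitution(w)]
    print(len(substituted), "substitution payloads, e.g.", substituted[:6])
    print(list(process(["foo", "foobar"],
                       [match_replace("foo", "wubble"), modify_case("Propername"), add_suffix("!")])))
    print(brute_force_count("abcdefghijklmnopqrstuvwxyz0123456789", 1, 4), "brute-force payloads up to 4 characters")
```

Four short words become 44 payloads after substitution, and a 36-character brute force up to four characters is over 1.7 million requests, so check the count the attack window shows before you start and trim the character set or length range to what the parameter can plausibly contain.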