- -Java-based web application pentesting framework
- -used to identify attack vectors and find security flaws in web applications
- -it is an intercepting proxy
- -sits between the browser and the server and intercepts our HTTP requests before they're sent on to the server (and the responses on the way back)
- client - burpsuite - ... - server
- -features:
- -interception proxy
- -automated security scans
- -manipulate http and https requests
- -brute forcing credentials
- -crawling/spidering a website
- -download Burp Community Edition
- -download the Tamper Data extension for Firefox
- -download Burp's CA certificate (browse to http://burp while the proxy is configured) and import it into Firefox so HTTPS sites can be intercepted without certificate warnings
- -configure Firefox to use Burp as its proxy (IP and port, by default 127.0.0.1:8080)
- -configure Burp's proxy listener to match (same IP and port), otherwise the browser gets no response at all
- 1. intercepting http requests:
- -proxy tab = used to intercept all HTTP requests going out from the browser
- -intercept = toggles interception on/off
- -raw = shows the entire HTTP request being intercepted
- -params = shows the parameters sent by the request, ie: the names of the input parameters and their values
- -headers = shows the headers of the HTTP request being intercepted
- -hex = shows the raw bytes of the intercepted request in hex
- -HTTP history = keeps a log of every request that passed through the proxy (intercepted or not) with its method (GET/POST), host, URL, status and response length
- //double-click an individual request to view it in detail
- -options = configures the IP and port Burp's proxy listener binds to
- //forward = sends the intercepted request on to the server (possibly after editing it)
- //drop = discards the intercepted request; the browser never receives a response
- -turn intercept on
- -browse to the target; the request is held in the intercept tab
- -forward the request
- -target tab starts blinking
- 2. creating a site map (spidering/crawling the target website):
- -target tab
- -site map = builds a tree of the target website from everything seen through the proxy and everything the spider discovers
- -contents = shows the HTTP requests made to each individual item in the site map and the responses received
- -issues = shows the issues (vulnerabilities) discovered in each individual item in the site map
- //these can also be seen in the scanner tab (Professional edition only)
- -scope = defines which hosts/paths are in scope for our attack; spidering and scanning only follow in-scope items
- -right-click an individual item in the site map and select 'spider this host' / 'spider this branch'
- -spidering begins
- -spider tab = shows that spidering is running (requests queued, bytes transferred)
- //the Spider tab belongs to Burp 1.x; Burp 2.x replaced it with the crawler (Dashboard -> New scan)
- //while spidering, if Burp encounters a form it shows us the form and asks us to either manually enter values (eg: creds) or to ignore that form (and not spider any further in that branch)
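Added example (not Burp's code): a toy version of what 'spider this host' / 'spider this branch' does, so the scope rule and the form-stop behaviour are concrete. The host target.example, its pages and the other.example link are constructed inline so it runs offline; a real spider would issue HTTP requests where fetch() does a dictionary lookup.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the target web application (hypothetical host
# target.example). Keys are URLs without query string; values are HTML bodies.
SITE = {
    "http://target.example/": '<a href="/about">About</a> <a href="/admin/">Admin</a>'
                              ' <a href="http://other.example/x">external</a>',
    "http://target.example/about": '<a href="/">Home</a> <a href="/about?lang=en">EN</a>',
    "http://target.example/admin/": '<a href="/admin/users">Users</a>'
                                    '<form action="/admin/login" method="post"><input name="u"></form>',
    "http://target.example/admin/users": '<a href="/admin/">Back</a>',
}


class LinkExtractor(HTMLParser):
    """Collects <a href> targets and <form action> targets from one page."""

    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])


def in_scope(url, scope_prefix):
    """Burp-style scope rule: same scheme and host, path under the chosen branch."""
    u, s = urlsplit(url), urlsplit(scope_prefix)
    return (u.scheme, u.netloc) == (s.scheme, s.netloc) and u.path.startswith(s.path)


def fetch(url):
    """Stand-in for an HTTP GET against SITE; None plays the role of a 404."""
    return SITE.get(url.split("?", 1)[0])


def spider(start, scope_prefix):
    """Breadth-first crawl from `start`, following only in-scope links.

    Returns (sitemap, forms): sitemap maps each requested URL to the in-scope
    links found on it; forms lists form targets the crawler stopped at (Burp's
    spider pauses here and asks whether to submit values or ignore the form).
    """
    sitemap, forms = {}, []
    queue, seen = deque([start]), {start}
    while queue:
        url = queue.popleft()
        body = fetch(url)
        if body is None:          # 404: record the item, nothing to follow
            sitemap[url] = []
            continue
        parser = LinkExtractor()
        parser.feed(body)
        forms.extend(urljoin(url, action) for action in parser.forms)
        found = []
        for href in parser.links:
            absolute = urljoin(url, href)
            if not in_scope(absolute, scope_prefix):
                continue          # out of scope: never requested
            found.append(absolute)
            if absolute not in seen:
                seen.add(absolute)
                queue.append(absolute)
        sitemap[url] = found
    return sitemap, forms


if __name__ == "__main__":
    whole_host, _ = spider("http://target.example/", "http://target.example/")
    branch, pending_forms = spider("http://target.example/admin/", "http://target.example/admin/")
    print(sorted(whole_host))      # 'spider this host'
    print(sorted(branch))          # 'spider this branch': only /admin/ and below
    print(pending_forms)           # forms the spider would ask about
```

Spidering the host reaches every page of target.example but never requests other.example; spidering the /admin/ branch stops at the branch boundary and reports the login form instead of submitting it.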
- 3. scanning for vulnerabilities (Burp Scanner is part of the Professional edition, not Community)
- -scanner tab = shows all the vulnerabilities found in the web site
- -the scanner also works passively/manually:
- -so we can click on some link in the web app
- -this causes a request to some url
- -and the scanner tab displays the issues found (by passive scanning) in the response for that particular url
- -but this is tiresome
- -so let the spider finish creating the entire site map of the web app
- -then right-click an individual item in the site map and select 'actively scan this branch'
- -automatically sends attack payloads to every request in that branch and reports the issues found
- //active scanning is noisy and can modify application state; only run it against in-scope targets you are authorized to test
- -scan queue = shows all ongoing scans (when we choose to actively scan this branch)
- -issue definitions = tells us the various types of issues and what they mean
- -options = advanced options for tweaking the scanner
- 4. using burpsuite as an attacking tool (Intruder)
- -say we have a login form on a pg
- -lets say we enter Username = user1 | Password = pass1
- -Username and Password = input parameters
- -user1 and pass1 = values of those input parameters
- -press submit
- -this causes an HTTP POST request
- -in the intercept tab we can see the POST request, the input parameters and the values we entered
- -now we need to send this request to intruder
- -right-click on the request and choose 'send to intruder'
- -intruder tab starts blinking
- -intruder tab = automates sending many modified versions of one request
- -we can use this for guessing passwords with a dictionary/brute-force attack
- -target = host and port of the attack
- -positions = shows the places in the request we can modify and insert our own value (called a payload); each is marked with § markers
- -burp intruder automatically marks possible positions (every parameter value and cookie value)
- -clear these
- -select a position of your choice
- -press Add
- -attack types:
- -sniper = one payload set; each payload is inserted into one position at a time while the other positions keep their original values
- //the payload set may be a wordlist
- -battering ram = one payload set; the same payload is inserted into all positions at once (eg: username and password identical)
- -pitchfork = one payload set per position; the sets are walked in parallel (1st payload of each set together, then 2nd of each, ...) and the attack stops when the shortest set runs out; useful for a list of known username:password pairs
- -cluster bomb = one payload set per position; every combination of each word in one wordlist with all the words in the other wordlist(s)
- -payloads = where we define the payloads (ie: the values that will be inserted into the positions we chose)
- -payload set = which position's set we're configuring (and how many sets the chosen attack type needs)
- -payload type = the type of payload we're going to use (simple list, runtime file, numbers, brute forcer, ...)
- -payload options = the payloads themselves and the settings of the chosen type
- -payload encoding = which characters in our payload will be URL-encoded so they don't break the request (default list: .\/=<>?+&*;:"{}|^)
- //IMPORTANT: remove the = sign from the payload encoding list only if your payloads are meant to contain a literal = (eg: a whole name=value pair); otherwise leave the default, because in a form-urlencoded body = and & are delimiters and an unencoded one changes how the server parses the parameters
- -say we want to do a bruteforce attack
- -so the position we'll select will be the value of the Password= field of the HTTP POST request
- -and our payload will be a wordlist
- -intruder -> start attack
- -displays the attack window
- -attack window = shows the ongoing attack, one row per request sent
- -payload = shows each payload (word from the wordlist) that burpsuite inserted into the position we selected (Password=)
- -status = the HTTP status code of the response each payload produced
- -say most of the payloads result in the same status, typically 200 (the login page re-rendered with an error) or 401
- -but a particular payload results in 302 (redirection, eg: to the user's home page)
- -this may indicate that the particular payload (word) has managed to log in while the others failed
- -so that would mean that the particular payload (word) is correct and is in fact a valid password; confirm it manually (in Repeater or the browser) before trusting it
- -length = the size of the response each payload produced
- -say most of the payloads result in responses of the same length
- -but a particular payload results in a response of a different length (larger or smaller)
- -this may indicate that the particular payload (word) has logged in while the others all hit the same failure page
- -so again that word is probably the valid password; sort the table by status or by length to find the odd one out
- //also watch for account lockout, CAPTCHA or rate limiting: a run of 429/403 responses or a sudden change in every response means the server noticed the attack and later payloads were never really tested
- -we can also see the entire HTTP request sent with each payload and the response we received (click a row)
- -the intruder tab was doing the following
- -inserting a particular payload into the chosen position
- -sending the request
- -then inserting another payload into the same position
- -sending another request
- ... and so on ...
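Added example (not Burp's code): a reconstruction in Python of what Intruder does in section 4, so the four attack types, the payload encoding option and the status/length triage can be run and compared. The request template with §0§/§1§ markers, the default encode-character list, the credentials user1/s3cret and the simulated login server are constructed here; a real attack would send each rendered body over HTTP instead of calling fake_login_server().

```python
import itertools
from collections import Counter
from urllib.parse import unquote

# Burp Intruder's default set of characters to URL-encode inside payloads.
INTRUDER_ENCODE_CHARS = '.\\/=<>?+&*;:"{}|^'


def encode_payload(payload, chars=INTRUDER_ENCODE_CHARS):
    """URL-encode only the listed characters, as Intruder's payload encoding
    option does (ASCII payloads assumed)."""
    return "".join("%{:02X}".format(ord(c)) if c in chars else c for c in payload)


def attack(attack_type, n_positions, payload_sets):
    """Yield one tuple of payloads per request (one entry per position), in
    Intruder's order. None means 'keep the original value in this position';
    only sniper produces that."""
    if attack_type == "sniper":
        for pos in range(n_positions):
            for p in payload_sets[0]:
                yield tuple(p if i == pos else None for i in range(n_positions))
    elif attack_type == "battering ram":
        for p in payload_sets[0]:
            yield (p,) * n_positions
    elif attack_type == "pitchfork":
        yield from zip(*payload_sets)            # stops when the shortest set is exhausted
    elif attack_type == "cluster bomb":
        yield from itertools.product(*payload_sets)
    else:
        raise ValueError(attack_type)


def render(template, base_values, values):
    """Fill the §0§, §1§, ... markers of a request template with encoded payloads."""
    body = template
    for i, v in enumerate(values):
        body = body.replace("§%d§" % i, encode_payload(base_values[i] if v is None else v))
    return body


# Constructed stand-in for the target's login endpoint (hypothetical credentials).
VALID_CREDENTIALS = {("user1", "s3cret")}


def fake_login_server(body):
    """302 to /home on success; otherwise the login page again with an error (200)."""
    params = dict(kv.split("=", 1) for kv in body.split("&"))
    creds = (unquote(params.get("username", "")), unquote(params.get("password", "")))
    if creds in VALID_CREDENTIALS:
        return 302, "Location: /home\r\n\r\n"
    return 200, "<html><body>Invalid username or password</body></html>"


def run_attack(template, base_values, attack_type, payload_sets, send=fake_login_server):
    """Return the attack table: one (payloads, status, response_length) row per request."""
    rows = []
    for values in attack(attack_type, len(base_values), payload_sets):
        status, response = send(render(template, base_values, values))
        rows.append((values, status, len(response)))
    return rows


def outliers(rows):
    """Rows whose (status, length) differ from the most common pair: the manual
    'sort by status / sort by length' triage done programmatically."""
    baseline = Counter((s, l) for _, s, l in rows).most_common(1)[0][0]
    return [values for values, s, l in rows if (s, l) != baseline]


if __name__ == "__main__":
    template = "username=§0§&password=§1§"
    base = ("user1", "pass1")                       # what the browser originally sent
    wordlist = ["123456", "password", "s3cret", "letmein"]
    # Sniper over both positions: 2 positions x 4 words = 8 requests
    print(outliers(run_attack(template, base, "sniper", [wordlist])))
    # Cluster bomb: every username x every password = 2 x 4 = 8 requests
    print(outliers(run_attack(template, base, "cluster bomb", [["admin", "user1"], wordlist])))
```

With sniper the odd row is (None, 's3cret'): the username kept its original value user1 and only the password position carried the hit. With cluster bomb the odd row is ('user1', 's3cret'), the one combination out of eight that redirected. The triage is only a heuristic, which is why the notes say to confirm the candidate manually.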
- -now say we want to resend the same request by hand, changing a value each time and studying each response
- -so when we submit the form by entering Username = user1 | Password = pass1
- -this causes an HTTP POST request
- -this request can be seen in the proxy tab -> intercept subtab (or in HTTP history)
- -right-click on the request and select 'send to repeater'
- -repeater tab starts blinking
- -repeater tab = for manually editing and resending the same HTTP request as many times as we want, changing the values of its input parameters each time
- -press Go
- -request = the HTTP request being sent (editable)
- -response = the HTTP response being returned
- -raw = shows the entire HTTP response
- -headers = shows only the headers of the response
- -hex = shows the raw bytes of the response in hex
- -html = shows the HTML code of the web pg returned by the response
- -render = shows the page as a browser would display it (without executing its JavaScript)
- 5. using burpsuite for encoding/decoding:
- -we can encode/decode strings as:
- -base64
- -url
- -hex
- -binary
- -and compute hashes of them:
- -md5
- -sha-256 etc.
- -say we have an HTTP GET request in the proxy tab -> intercept subtab
- -right-click and select 'send to decoder'
- -decoder tab starts blinking
- -decoder tab = used for encoding/decoding/hashing the selected text
- -decode as...
- -encode as...
- -hash...
- -say the request has an input parameter=value eg: Password=<md5 hashed password>
- -select the <md5 hashed password>
- -hash... -> md5 does NOT recover the password: it computes the MD5 of the selected text, ie: a hash of the hash. MD5 is one-way, so the decoder cannot turn a hash back into its cleartext
- -to get the cleartext you have to guess: hash candidate passwords (a wordlist) with the same algorithm and compare against the captured hash (eg: with hashcat or john), or look the hash up in a precomputed table
- -what the decoder is good for is reversible encodings: select a base64 or URL-encoded value, decode as... -> base64/url, and the decoded text appears in a new panel below; edit it and encode it again
- -this is especially useful in XSS attacks when we have to URL- or HTML-encode our javascript payload (ie: the <script>...</script>) to fit where it is injected
- -smart decode:
- -used when we have an encoded string but don't know what format it is encoded in
- -smart decode guesses the format from the string's alphabet and shape (eg: %XX sequences, the base64 alphabet) and decodes one layer at a time; it cannot identify every encoding and it cannot undo a hash
- -another way of encoding/decoding without the use of decoder tab:
- -we have an HTTP GET request in the proxy tab -> intercept subtab
- -select the string you want to encode/decode
- -right-click -> 'convert selection' -> choose the format (URL / HTML / Base64, encode or decode)
- ----------------------------------------------------------
Add Comment
Please, Sign In to add comment