SESSION 14
===========
INTRODUCTION TO BURP SUITE
===========================
Burp Suite is a graphical tool for testing Web application security. Burp Scanner can automatically move parameters between different locations, such as URL parameters and cookies, for doing Vulnerability Assessment and Penetration Testing of a Web Application.
The tool is written in Java and developed by an organization named PortSwigger Security. We also use Burp Suite to tamper with data in transit from one node to another.
There are 2 main Versions of Burp Suite :
= Professional Version : $349.00 per user, per year, having all the functions.
= Community Edition : free of cost.
Features of Burp Suite :
================
= Proxy Services : In Burp Suite, everything starts with pointing your browser at Burp’s proxy. Burp opens a listener socket (address and port) on which it receives the browser's traffic and intercepts the data. It lets you tamper with the request and response the way you want. You can change form methods from GET to POST or vice-versa, unhide hidden fields, enable disabled fields etc.
= Intruder : Intruder is like a master spy in Burp Suite which helps in attacking the Web Application in many ways. Burp Intruder is meant for exploitation and automating attacks. For that, Intruder is a very good and efficient request sender and response collector. It is basically used for performing powerful customized attacks to find and exploit unusual vulnerabilities.
It further has Payloads and Attack Modes. Payloads are the data, malicious or non-malicious, that we send to a web application. Attack Modes define how to send them. Attack Modes include “Cluster Bomb”, “Sniper” etc.
= Scanner : The scanner can interact with your web application and detect simple security issues, like a password being submitted with the GET method, as well as advanced vulnerabilities. You can set the speed of scanning, pause and resume, choose scan areas and more.
= Spider : Spidering, or web crawling, is the process of automatically following all the links on a web page to discover both static and dynamic web resources of the web application.
= Repeater : You can select a request from Target or other sources and send it to Repeater to further tamper with the request by changing the data being sent, the request method, cookie values and many other client-side values.
BRUTE FORCING USING BURP SUITE
===============================
Brute Force Attack : Brute forcing is a trial and error method used by application programs to decode encrypted data such as passwords by hit and trial, through exhaustive effort rather than by employing intellectual strategies.
Let us first understand the flaw through which Brute Forcing works. Brute Forcing works because of a flaw in the filtering on Login Forms. If there is no extra layer of security and no limit on the number of credential attempts, Brute Forcing can be done.
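To see what the missing "limit" looks like from the server side, here is an added example (written for these notes, not code from Burp Suite, DVWA or the other demo sites). It is a small login handler that tracks failed attempts per account and per source IP, locks the key after MAX_ATTEMPTS failures for LOCKOUT_SECONDS, and returns a byte-identical failure message whether the username or the password was wrong, so the response Length column that the Intruder steps below rely on shows no outlier. The user store, passwords, IP addresses and the injectable clock are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_ATTEMPTS = 5        # failures allowed per key (account or source IP) in the window
LOCKOUT_SECONDS = 300   # window length and lockout duration, in seconds


def _hash_password(password, salt):
    # Slow, salted hash so a leaked table cannot be cheaply brute forced offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    """Constructed demo: in-memory user store plus per-key failure tracking."""

    def __init__(self, users, clock=time.monotonic):
        self._clock = clock                       # injectable for testing
        self._users = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, _hash_password(pw, salt))
        self._failures = defaultdict(list)        # key -> timestamps of failures
        self._locked_until = {}                   # key -> time the lock expires
        self._dummy_salt = os.urandom(16)

    def _is_locked(self, key):
        return self._clock() < self._locked_until.get(key, 0.0)

    def _record_failure(self, key):
        now = self._clock()
        recent = [t for t in self._failures[key] if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self._locked_until[key] = now + LOCKOUT_SECONDS

    def login(self, username, password, source_ip):
        keys = ("user:" + username, "ip:" + source_ip)
        if any(self._is_locked(k) for k in keys):
            # Same answer for a locked account and a locked source address.
            return {"status": 429, "body": "Too many attempts, try again later."}
        record = self._users.get(username)
        if record is None:
            # Unknown user: still pay the hashing cost so timing stays uniform.
            _hash_password(password, self._dummy_salt)
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(_hash_password(password, salt), stored)
        if ok:
            self._failures.pop(keys[0], None)
            return {"status": 200, "body": "Welcome"}
        for k in keys:
            self._record_failure(k)
        # Identical body (and length) whether the user or the password was wrong.
        return {"status": 401, "body": "Username and/or password incorrect."}


def attempts_left(service, key):
    """Failures remaining before `key` (e.g. "user:admin") locks."""
    return max(0, MAX_ATTEMPTS - len(service._failures.get(key, [])))


if __name__ == "__main__":
    svc = LoginService({"admin": "correct horse battery staple"})
    guesses = ["password", "123456", "admin", "letmein", "qwerty",
               "correct horse battery staple"]          # the last one is right
    for guess in guesses:
        print(repr(guess), "->", svc.login("admin", guess, "10.0.0.1"))
```

Running the block shows the sixth attempt answered with 429 even though the password is correct: once the limit is hit, the list of payloads stops yielding a distinguishable response. Tuning MAX_ATTEMPTS and LOCKOUT_SECONDS is a policy decision; the structural point is that every failure path returns the same body and costs the same time.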
Demonstration on DVWA, LVS and demo.testfire.net .
Using Burp Suite Community Edition.
STEPS :
=======
= Opening up the Target’s Web Application, where we want to Brute Force.
= Setting Up Proxy Settings in Browser
– Browser Settings > Network Settings > Proxy Configuration > Manual Proxy > Enter a Socket on localhost > 127.0.0.1:9500
– Check mark it > Use this proxy server for all protocols
– Clear all details from “No Proxy for”.
– Click on Apply.
= Opening up Burp Suite
= Go to Proxy > Options > Enter the Proxy Socket which we entered in the Browser Settings.
= Click on Intercept > Intercept is ON (This will start capturing moving packets)
= Enter anything on the Login Form, either Username or Password or both.
= Burp Suite will start blinking.
= Burp Suite has captured a Packet. Select that Packet containing the credentials in Burp Suite > Right Click > Send to Intruder.
= Turn Off Intercept Mode.
= Go to Intruder > Positions > Clear
= Select the Parameters you want to start brute forcing on.
– Select value of username > Add
– Select value of password > Add
= Select the Attack Mode
– Sniper Mode : If you know either one of Username or Password.
– Cluster Bomb Mode : If you don’t know anything about the Credentials and you want to Brute Force both Username and Password.
= Go to Payloads > Set up a Wordlist in Payloads > Give a default list of random Credentials for Login into DVWA or demo.testfire.net
= Select Values for Payloads
Payload : 1 > list of usernames
Payload : 2 > list of passwords
= Options > Grep Match > Clear
= Username and/or password incorrect. > Add
= Click on “Start Attack”
= Examine the Length values of the Payload responses.
= There will be some common Length value; click on every Different one.
= Go to the Response of that Payload.
= Click on Render. (Which will show you the Web Application page as it would appear in a browser)
= Find out the Correct Username and Password and enter them.
AUTHENTICATION BYPASS USING BURPSUITE
======================================
When brute forcing with Burp Suite, if the login form does not accept any of the passwords we entered in the Payloads, we can examine whether the website is Vulnerable to Authentication Bypass or not.
Steps - For Authentication Bypass, we first have to scan for vulnerabilities and check whether Authentication Bypass can happen or not. If Yes, we have to put :
Username : 1'or'1'='1
Password : 1'or'1'='1
Username : admin'or'1'or'1'='1
Password : admin'or'1'or'1'='1
Username : x'or'x'='x
Password : x'or'x'='x
-----------------------------------------------------------------------------------------------------------------------------------
FILE INCLUSION VULNERABILITY
============================
A File Inclusion Vulnerability lets an Attacker access files which are already present on the Web Server and may contain Critical Data. By requesting those files through the URL, the Attacker can obtain that critical data and misuse it.
TYPES OF FILE INCLUSION :
= LFI - Local File Inclusion (LFI) vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information.
= RFI - Remote File Inclusion (RFI) vulnerabilities are easier to exploit but less common. Instead of accessing a file on the local machine, the attacker is able to execute code on the Remote Web Application Server.
Demonstration of LFI on DVWA.
STEPS : (../) - Going one Folder Backwards.
= http://127.0.0.1/dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd
The file's data is returned in the page (or in warnings and errors) by stepping back through directories with (../) .
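Why the Authentication Bypass payloads listed above work, and what stops them, as an added example (written for these notes, not DVWA's or Burp's code). The user table is a constructed in-memory SQLite table; a real system stores password hashes rather than plaintext, and the point here is only the shape of the query: concatenating the input lets a quote close the string literal and the rest become SQL, while a parameterized query sends the values separately so the same input is just a string that matches no user.

```python
import sqlite3

# Payloads copied from the notes above.
BYPASS_PAYLOADS = ["1'or'1'='1", "x'or'x'='x"]


def setup_db():
    """Constructed demo table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return conn


def vulnerable_sql(username, password):
    # String concatenation: the input becomes part of the SQL grammar.
    # With username = 1'or'1'='1 the WHERE clause reads
    #   username='1'or'1'='1' AND password='1'or'1'='1'
    # and the trailing OR '1'='1' is always true.
    return ("SELECT username FROM users WHERE username='" + username +
            "' AND password='" + password + "'")


def login_vulnerable(conn, username, password):
    return conn.execute(vulnerable_sql(username, password)).fetchone() is not None


def login_parameterized(conn, username, password):
    # Bound parameters: the driver passes the values separately from the
    # statement text, so a quote in the input can never close the literal.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = setup_db()
    for p in BYPASS_PAYLOADS:
        print(vulnerable_sql(p, p))
        print("  concatenated:", login_vulnerable(conn, p, p),
              " parameterized:", login_parameterized(conn, p, p))
```

When scanning a form for this flaw, the defender-side check is the same as the test below: the legitimate credentials must succeed through the parameterized path, and every payload from the list must fail through it.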
————————————————————————————————————————————
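For the LFI demonstration above, here is an added example (written for these notes, not DVWA's own source) of the include helper done the unsafe way next to one that rejects the ../ traversal. The safe version joins the page name onto a fixed pages directory, canonicalises the result with realpath so every ../ is collapsed, and refuses anything that does not end up strictly inside that directory. The directory layout is constructed in a temp folder: <tmp>/www/pages holds the includable page and <tmp>/etc/passwd stands in for the real file two levels up, so the demo never touches the system's /etc/passwd.

```python
import os
import tempfile


class IncludeRejected(Exception):
    """Raised when the requested page is outside the pages directory."""


def resolve_include(base_dir, page):
    base = os.path.realpath(base_dir)
    # Join, then canonicalise: this collapses every ../ and follows symlinks,
    # so the check below sees the path the OS would actually open. An absolute
    # `page` makes os.path.join discard `base`, which realpath/commonpath catch.
    target = os.path.realpath(os.path.join(base, page))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:                       # different drives on Windows
        inside = False
    if not inside:
        raise IncludeRejected(page)          # escaped the pages directory
    if not os.path.isfile(target):
        raise IncludeRejected(page)          # directory, missing, or base itself
    return target


def include_allowed(base_dir, page):
    try:
        resolve_include(base_dir, page)
        return True
    except IncludeRejected:
        return False


def include_page(base_dir, page):
    with open(resolve_include(base_dir, page), encoding="utf-8") as fh:
        return fh.read()


def include_vulnerable(base_dir, page):
    # The unsafe pattern: the page parameter is trusted as-is.
    with open(os.path.join(base_dir, page), encoding="utf-8") as fh:
        return fh.read()


def make_demo_tree():
    """Constructed layout, returns the pages directory."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "www", "pages")
    os.makedirs(pages)
    with open(os.path.join(pages, "include.php"), "w", encoding="utf-8") as fh:
        fh.write("<h1>welcome</h1>")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w", encoding="utf-8") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")   # stand-in, not the real file
    return pages


if __name__ == "__main__":
    pages = make_demo_tree()
    for req in ["include.php", "../../etc/passwd", "../../../../../../etc/passwd"]:
        print(repr(req), "-> unsafe:",
              repr(include_vulnerable(pages, req)[:20]) if os.path.isfile(os.path.join(pages, req)) else "no file",
              "| safe:", "served" if include_allowed(pages, req) else "rejected")
```

A name-based filter (stripping "../" from the string) is weaker than this check, because encodings and repeated sequences such as "....//" survive a single replacement; deciding on the canonical path avoids that whole class of bypasses.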
COMMAND EXECUTION VULNERABILITY
=================================
Command injection/execution is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data to a system shell (CMD). In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.
Demonstration on LVS and DVWA.
STEPS – Ping a host through the input field of the Web Application.
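The ping feature from the demonstration, as an added example (written for these notes, not DVWA's or LVS's code): the unsafe form builds one shell string from the input, so shell syntax in the input is run by the shell; the safe form validates the input as an IP literal or hostname and passes it as its own argv element with no shell involved. Neither function executes ping by itself, only run_ping does, so the comparison runs offline. Host values are constructed, and the "ping -c 1" flag form assumes a Linux/macOS ping.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen, at most 253 characters overall. Deliberately strict.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


class BadHost(ValueError):
    """Input is not a plain IP address or hostname."""


def build_command_unsafe(host):
    # One string handed to /bin/sh: ';', '|', '&&', '$(...)' and backticks in
    # `host` are interpreted as shell syntax, not as part of the host name.
    return "ping -c 1 " + host


def validate_host(host):
    try:
        return str(ipaddress.ip_address(host))   # IPv4 or IPv6 literal
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise BadHost(host)


def is_valid_host(host):
    try:
        validate_host(host)
        return True
    except BadHost:
        return False


def build_command_safe(host):
    # argv list, no shell: whatever `host` contains, it is exactly one argument
    # to ping. The allow-list also blocks a leading '-', so the value cannot be
    # turned into an extra ping option either.
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host, timeout=5):
    """Executes the safe form (needs a real ping binary; not used by the tests)."""
    return subprocess.run(build_command_safe(host), capture_output=True,
                          text=True, timeout=timeout, check=False)


if __name__ == "__main__":
    for h in ["127.0.0.1", "example.com", "127.0.0.1; echo injected", "-f"]:
        print(repr(h), "-> shell string:", repr(build_command_unsafe(h)),
              "| safe argv:", build_command_safe(h) if is_valid_host(h) else "rejected")
```

The allow-list plus argv is the combination that matters: argv alone stops shell metacharacters but not option injection, and validation alone still leaves the shell to interpret whatever slips past the pattern.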
————————————————————————————————————————————
TASK
=====
1. Finding 5 Commands that can work for Command Execution/Injection.
2. What is the passwd file on the Server?
3. POC of Brute Forcing on DVWA with both Usernames and Passwords using Cluster Bomb. (Should be Short)
https://tipstrickshack.blogspot.com/2013/01/sql-injection-authentication-bypass.html
https://ufile.io/02m9z
https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/