Burp Suite is a collection of tools and plugins for web application security testing bundled into a single executable JAR file. It contains about 8 useful tools for spidering, fuzzing, decoding and so on, but its prime feature is that it is an intercepting proxy working at the application layer, so even HTTPS connections passing through Burp Suite are visible in the clear. In this article, we will see how to use Burp Intruder to brute-force inputs in a web application. If you are new to Burp Suite, read the article Getting Started with Burpsuite first; others can proceed straight away.
Burp Intruder is the feature in Burp Suite that helps perform extensive fuzz testing. It lets us enumerate various parameters in a request with a supplied wordlist. From password brute-forcing to XSS testing, we can perform all kinds of fuzzing with this plugin.
How Intruder works?
To get started with Intruder, we first need to capture a request. This can be a GET or POST request depending on the web application. Once the request is captured, it can be sent to Intruder. Intruder then marks the variable positions in the request where a payload can be inserted. The payload is simply a wordlist we supply. After the wordlist is supplied, Intruder runs through every entry in the wordlist at the positions set.
In this lab, a simple brute force against a password is performed. This tutorial shows it on Mutillidae; you can perform it on any login form.
Step 1: Setup Burp as Intercepting Proxy
For this you need to set up Burp as a proxy first. If you are not clear on this, refer to the Getting Started with Burpsuite article.
Step 2: Capture the request
After you have configured Burp, turn on intercept and open the target page.
Opening the Target Page
Forwarding the Request
Step 3: Capture the POST request
Capture the POST request in which the username and password are supplied to the web application. Occasionally this can be a GET request instead. Either way, the idea is to capture a request in which some variable value is supplied to the server.
Click the Action button at the top right and select Send to Intruder.
Sending to Intruder
You will then be shown the Intruder options, starting with the Target tab. This tab contains target options such as host, port and whether to use SSL. Just cross-verify that the target you are attacking is displayed correctly here and proceed to the next tab.
Intruder – Host Options
Next, go to the Positions tab. This is where we set the variables to be attacked/fuzzed. Burp will automatically populate all positions where a fuzz test can be run; you can customise them using the buttons on the right side of the tab.
In this case, clear all positions and add a position on the password variable, which is seen at the bottom of the whole request. Do this with the Add button: first place the cursor just after the "=" and click Add, then move the cursor to the last letter of the field and add a position there as well; otherwise the whole content after the first marker is taken as a single position. Just like brackets in programming or in maths, make sure every position you open is also closed.
Setting Position & Type
Once the position is set, confirm that the Attack type is Sniper. This attack type works just like a sniper: it fires the payload precisely at a single point. If you have multiple positions, it fires the payload at the first position, then moves on to the second and so on, one at a time. Speaking of payloads, they are explained in the next paragraph, so move on to the Payloads tab.
The Payloads tab is where you set the wordlist, or list of values, to be run against the payload positions set previously. There are numerous possibilities and combinations you can try here: you can load a list containing all the words or strings, generate words from characters you supply, and so on. This is chosen in the Payload type drop-down menu. Browse through all of them and you will understand the power of Intruder. For now we supply a simple list. Select the payload type Simple list and click the Load button to open a file browser. Select your wordlist containing passwords. In Kali, some default wordlists are supplied under "/usr/share/wordlists/". For this one I have selected "/usr/share/wordlists/metasploit-jtr/password.lst".
Loading word list
After it has loaded successfully, you can see the contents of the list in the area beside the Load button. You can also edit the contents using the other buttons there.
Step 5: Start Attack
Once everything is set, click the Intruder menu at the top and select Start attack.
Starting the Attack
Now the Intruder attack window pops up and shows the ongoing attack. Here you can see details such as the HTTP status code and the length of each response. Now comes the difficult part: analysing the results. Depending on the target and the nature of the attack, the results vary, and you need to analyse them properly. One method is to look at the pattern of results: for a few entries there may be a difference in the response code or length. That may indicate a successful attempt or may just be a different failure; it depends on the target and the nature of the attack. In this case, I know the server returns an HTTP 302 when the username and password are right, so I will be on the lookout for that. The idea is what I said just now: look for patterns and for variations from the pattern, and check the variations in detail first, since they may carry the details of a successful attack.
In the above screenshot, we have a 302 response, which suggests it may be a successful attempt. If you have such a result, click on that request in the main area and look at the Response tab below.
Here we got a cookie with uid=1 for the request with username = admin, which means this particular request was successful. Look at the payload in the top section, or at the Request tab, to view the password that was supplied. In this case the password is "admin". So you have successfully carried out a password brute force.
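The pattern you read off the Intruder results table (many identical failure responses, then one different response once the right password turns up) is exactly what the target's access log shows from the server side, which is how a defender spots such a run. The following Python script is an added example, not part of the original article or of Burp Suite: it parses constructed Combined Log Format lines (the source IP 192.168.0.105 and the Mutillidae target come from the article; the login path /mutillidae/login.php, the timestamps and the byte counts are invented), groups login POSTs by (status, length) to find the outlier response, and flags any source that sends a burst of login POSTs inside a short window.

```python
"""Server-side view of the Intruder run: find the outlier response and the
source that generated the burst.  Added example; the log lines are constructed
and the login path is an assumption, not a value from the article."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined Log Format (the default Apache/nginx access log layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/mutillidae/login.php"  # assumed path, not from the article

# Constructed sample: six failed POSTs with an identical body length, then one
# redirect, all from the Kali VM in the article, plus one unrelated GET.
SAMPLE_LOG = """\
192.168.0.105 - - [10/Mar/2016:10:15:01 +0000] "POST /mutillidae/login.php HTTP/1.1" 200 5187
192.168.0.105 - - [10/Mar/2016:10:15:01 +0000] "POST /mutillidae/login.php HTTP/1.1" 200 5187
192.168.0.105 - - [10/Mar/2016:10:15:02 +0000] "POST /mutillidae/login.php HTTP/1.1" 200 5187
192.168.0.105 - - [10/Mar/2016:10:15:02 +0000] "POST /mutillidae/login.php HTTP/1.1" 200 5187
192.168.0.105 - - [10/Mar/2016:10:15:03 +0000] "POST /mutillidae/login.php HTTP/1.1" 200 5187
192.168.0.105 - - [10/Mar/2016:10:15:03 +0000] "POST /mutillidae/login.php HTTP/1.1" 200 5187
192.168.0.105 - - [10/Mar/2016:10:15:04 +0000] "POST /mutillidae/login.php HTTP/1.1" 302 0
192.168.0.42 - - [10/Mar/2016:10:15:05 +0000] "GET /mutillidae/index.php HTTP/1.1" 200 4420
"""


def parse_line(line):
    """Return one dict per parsable line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def login_posts(records, path=LOGIN_PATH):
    return [r for r in records if r["method"] == "POST" and r["path"] == path]


def response_signatures(records, path=LOGIN_PATH):
    """Count (status, length) pairs for login POSTs: the same pattern check the
    article applies to the Intruder results table.  The most common pair is
    the failure response; anything else deserves a closer look."""
    return Counter((r["status"], r["size"]) for r in login_posts(records, path))


def outliers(records, path=LOGIN_PATH):
    """Login POSTs whose (status, length) differs from the dominant pair."""
    sigs = response_signatures(records, path)
    if not sigs:
        return []
    baseline = sigs.most_common(1)[0][0]
    return [r for r in login_posts(records, path)
            if (r["status"], r["size"]) != baseline]


def detect_bruteforce(records, path=LOGIN_PATH, threshold=5,
                      window=timedelta(seconds=60)):
    """Flag each source IP that sends >= threshold login POSTs within a sliding
    time window, noting whether a 302 (the success indicator on the article's
    target) appears once the burst has started.  Returns {ip: details}."""
    by_ip = defaultdict(list)
    for r in login_posts(records, path):
        by_ip[r["ip"]].append(r)
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(attempts):
            while rec["ts"] - attempts[start]["ts"] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "attempts": len(attempts),
                    "first_seen": attempts[0]["ts"],
                    "redirect_after_burst": any(a["status"] == 302
                                                for a in attempts[start:]),
                }
                break
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("signatures:", response_signatures(recs))
    for r in outliers(recs):
        print("outlier:", r["ip"], r["status"], r["size"], r["ts"])
    for ip, info in detect_bruteforce(recs).items():
        print(f"ALERT {ip}: {info}")
```

The signature count is the log-side twin of sorting the Intruder table by status and length; the sliding-window count is what a rate limit or lockout rule would key on, and the redirect flag tells the responder whether the burst ended in a successful login rather than just noise.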
This article has been lengthy and a lot of concepts and procedures were involved. Carry it out yourself with this post open if you haven't done so yet. You will come across many issues, and you will understand the different techniques for running this attack.
If you find this informative or like this, Please share this article.
Getting Started with Burpsuite & Running a basic Web-Spider
Burp Suite is a collection of tools bundled into a single suite made for web application security or penetration testing. It is a Java executable and hence cross-platform. Kali Linux comes with the Burp Suite free edition installed; there is also a professional version available. The main feature of Burp Suite is that it can function as an intercepting proxy: Burp Suite intercepts the traffic between a web browser and the web server.
Other features include:
Application-aware Spider: used for spidering/crawling a given scope of pages.
Scanner: automatically scans for vulnerabilities, like any other automated scanner.
Intruder: used to perform attacks and brute forces on pages in a highly customisable manner.
Repeater: used for manipulating and resending individual requests.
Sequencer: used mainly for testing/fuzzing session tokens.
Extensibility: lets you write your own plugins to perform complex and highly customised tasks within Burp.
Comparer and Decoder: used for miscellaneous purposes that come up along the way when you conduct a web security test.
Spidering a Website
A web crawler is a bot program that systematically browses the pages of a website for the purpose of indexing. More precisely, a web crawler maps the structure of a website by browsing all its inner pages. The crawler is also referred to as a spider or automatic indexer. Burp Suite has its own spider, the Burp Spider, which crawls all the pages of a target within the specified scope. Before starting the Burp Spider, Burp Suite has to be configured to intercept the HTTP traffic.
Interface & Options
Like any other GUI tool, Burp Suite has a standard menu bar, two rows of tabs and different sets of panels, as seen below.
The above figure shows the options and details about the target. It has mainly 4 sections, described against the corresponding numbers as follows:
1. Tool and options selector tabs: select between the various tools and settings of Burp Suite.
2. Sitemap view: displays the sitemap once the spider has started.
3. Requests queue: displays the requests being made.
4. Request/Response details: the HTTP requests made and the responses from the servers.
Lab 1 : Spidering a website
Spidering is a major part of recon while performing web security tests. It helps the pentester identify the scope and architecture of the web application. As described earlier, Burp Suite has its own spider, the Burp Spider, which can crawl a website.
Scenario: Attacker – Kali Linux VM, IP = 192.168.0.105
Target – OWASP Broken Web Application VM, IP = 192.168.0.160
Step 1: Set up the proxy. First start Burp Suite and check the details under the Proxy tab, Options sub-tab. Ensure the listener IP is the localhost IP (127.0.0.1) and the port is 8080.
Also ensure that Intercept is on in the Intercept sub-tab.
Then in IceWeasel/Firefox, go to Options > Preferences > Network > Connection Settings and choose Manual proxy configuration, pointing it at the same listener (127.0.0.1, port 8080).
If you want, you can try installing a proxy add-on. Here is one such add-on: install Proxy Selector from the add-ons page and go to its preferences.
Go to Manage Proxies and add a new proxy, filling out the relevant information. It's simple.
Click the Proxy Selector button at the top right and select the proxy you just created.
Step 2: Getting content into Burp. After you have set up the proxy, go to the target normally by entering the URL in the address bar. You will notice that the page does not load; this is because Burp Suite is intercepting the connection.
Meanwhile, in Burp Suite you can see the request details. Click Forward to forward the request, and the page loads in the browser.
Coming back to Burp Suite, you can see that all sections are populated.
Step 3: Scope selection and starting the spider. Now narrow down the target as you want. Here target/mutillidae is selected: right-click mutillidae in the sitemap and select the Spider from here option.
After the spider starts, you get a prompt as shown in the following figure. It is a login form. If you know the credentials, fill them in so the spider can also crawl the pages behind the login. You can skip this step by pressing the Ignore Form button.
Step 4: Manipulating details. Now, as the spider runs, you can see the tree inside the mutillidae branch being populated. The requests made are shown in the queue and their details are shown in the Request tab.
Move on to the different tabs and see all the underlying information.
Finally, check whether the spider has finished by viewing the Spider tab.
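To make the spidering steps above concrete, here is a small scoped crawler written as an added example for this article; it is not the Burp Spider's code. It does what the text describes: follows links breadth-first, stays inside a scope prefix (here http://192.168.0.160/mutillidae/, combining the target IP from the scenario with a mutillidae path assumed from the sitemap), records any login form it meets without submitting it (the equivalent of clicking Ignore Form), and returns the site map. The four pages are constructed and served from a dict so the script runs offline; replacing the fetch function with a real HTTP client is the only change needed for a lab target.

```python
"""Scoped breadth-first spider: an added illustration of what a spider such as
Burp's does, not Burp's own code.  Pages are constructed and served from a
dict so the script runs offline."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

# Scope prefix: target IP from the article's scenario, path assumed.
SCOPE = "http://192.168.0.160/mutillidae/"

# Constructed site: relative links, a fragment link, an out-of-scope path on
# the same host, an external link, and a login form.
SITE = {
    SCOPE: '<a href="index.php">Home</a> <a href="login.php">Login</a> '
           '<a href="/phpmyadmin/">admin</a> <a href="http://example.com/">ext</a>',
    SCOPE + "index.php": '<a href="login.php">Login</a> '
                         '<a href="docs/about.html">About</a> <a href="#top">Top</a>',
    SCOPE + "login.php": '<form action="login.php" method="post">'
                         '<input name="username"><input name="password" type="password">'
                         '</form><a href="index.php">Back</a>',
    SCOPE + "docs/about.html": '<a href="../index.php">Home</a>',
}


class LinkParser(HTMLParser):
    """Collect anchor hrefs and form descriptions from one page."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "inputs": []}
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def fetch(url):
    """Offline fetcher; swap for an HTTP client (e.g. urllib) on a real target."""
    return SITE.get(url)


def in_scope(url, scope=SCOPE):
    return url.startswith(scope)


def spider(start=SCOPE, fetch=fetch, scope=SCOPE, max_pages=200):
    """Breadth-first crawl.  Returns (sitemap, forms, out_of_scope):
    sitemap maps each crawled URL to the in-scope URLs it links to; forms
    lists (page, action_url, method, input_names) without submitting anything;
    out_of_scope is the set of links that were seen but deliberately not followed."""
    queue, seen = deque([start]), set()
    sitemap, forms, out_of_scope = {}, [], set()
    while queue and len(sitemap) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:            # unreachable page: skip it
            continue
        p = LinkParser()
        p.feed(body)
        p.close()
        sitemap[url] = []
        for f in p.forms:
            forms.append((url, urljoin(url, f["action"]), f["method"], f["inputs"]))
        for href in p.links:
            target, _ = urldefrag(urljoin(url, href))   # resolve and drop "#fragment"
            if in_scope(target, scope):
                sitemap[url].append(target)
                if target not in seen:
                    queue.append(target)
            else:
                out_of_scope.add(target)
    return sitemap, forms, out_of_scope


if __name__ == "__main__":
    sitemap, forms, skipped = spider()
    for page, links in sitemap.items():
        print(page, "->", links)
    print("forms found (not submitted):", forms)
    print("out of scope, not followed:", sorted(skipped))
```

The scope check is a plain prefix match, which is what keeps the crawler off /phpmyadmin/ on the same host and off external sites; Burp's scope rules do the same job with host, port and path patterns. The form is recorded with its action URL and input names so the tester knows where authentication lives, but nothing is ever posted to it.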
These are the very basics and the starting point of a web security test. Spidering is an important part of the recon during the test, and by executing it cleanly we can understand the architecture of the target site. In upcoming tutorials, we will extend this to the other tools in the Burp Suite set.