Burp for Beginners: How to Use Intruder

Captions
Hi everyone, welcome to this video in the Burp for Beginners series. So let me talk about Intruder. Now, in my own videos I don't really use Intruder that much, but it's actually really, really powerful, and I want to share some of the cool features, I don't want to call them tricks, that you can do with Intruder. I really want to show you how you can make the most out of using it. So once again this video is sponsored by Intigriti. In case you've missed it, they've kindly sponsored some videos on my channel. If you're unaware of them, they're a bug bounty platform like HackerOne or Bugcrowd, but their customers are more European-focused. They're definitely a smaller platform, but actually, as a platform, they have quite a large range of targets to look at, and you're not necessarily going to find those on other platforms. Because they're small they're super active on social media, they're always interacting with the community and their hackers, and they don't just stop at having targets, they also have XSS challenges. Now often when new XSS research comes out it's kind of like a little CTF, but with prizes, so you get to learn new XSS techniques and how to run them and improve your ability to find XSS, and you also get to win prizes for doing a good job. You know me, I'm all about the community, I really care about giving back to the community, and this is why I'm really happy to work with Intigriti, because they give back to the community: they invest in creators like me, and not just me, other creators as well, they sponsor newsletters, they sponsor some videos by STÖK, and they're actually letting me create the content that I want to make without pushing me to make focused content for them. And I don't take having a sponsor very lightly; I really do think Intigriti provides something great, and I really do want to make sure that the things I advertise are good things, so I believe that they're great. If you're not already a member you can sign up with the link on screen, that's go.intigriti.com/katie. And actually, some of you have already started signing up and actively hacking. I'm so happy; I've heard about people finding their first bug, people getting some bounties, and that's really great, and I'm glad you're actually giving them a lot of love coming from my channel, because without this kind of sponsorship I can't invest in my channel. One of the big things it enabled me to get is decent audio equipment, so now my videos sound a lot better; it's been a problem for a while. So I'm really happy that I can work with a company that will let me invest in the channel, and I'm really glad that not only am I able to invest in the channel, but actually you guys are making some money and you're actually hunting and getting bugs, and I'm really happy about that, especially those getting their first bug. Seriously, well done to all. So if you want to sign up it's go.intigriti.com/katie. Let's get on with the rest of the video.

So I made a Burp introductory video, I made a video on Repeater, but again, just to remind you, what is Burp? Burp is a proxy. Now you may be used to proxies being a thing you used to avoid internet filters at school, but actually the way Burp works is you send all of your traffic through Burp; it sits between you and the web. What that means is that Burp logs everything, and then fundamentally it doesn't just log it, it allows you to then send requests, resend requests, change requests, intercept them before they're sent, and that is the key to understanding how Burp works. Today we're going to be changing requests, but in a really cool way, because what we're going to be doing is brute forcing. Now Intruder is really a brute-forcing tool. It's not just as simple as brute-forcing passwords, though; it actually has lots of really cool features, but fundamentally we give it a list, that's our payloads, and you tell it where to put it, that's one of our slots, and it sends a bunch of requests with those payloads in a slot. This will become clearer when we start to do the demo, because it will make more sense, but with a little bit of configuration we can do more with it. There's so much we can do with Intruder, it's crazy.

So what do we use Intruder for? The first thing we use it for is fuzzing for different vulnerabilities: we might send a bunch of blind SQL injection payloads to see what works, you know, if we're not sure of the database we'd send one for every kind of database. We enumerate things, so we can brute force IDs or find new API endpoints; have you seen my API enumeration video? I used Intruder in that video. I'm going to now show you way more tips and tricks, so it's worth watching both. You can test for specific vulnerabilities, like trying out illegal characters to hunt for file traversal bugs. You can also use Intruder to search for race conditions. So actually Intruder is a really important skill to learn, because it lets you do so much more than just brute force.

So I need to talk first about our payloads and our slots. What is a payload? A payload is the value that Intruder will put into the request. So it's often just a simple list, and we just list the possibilities so we can test a lot of options at once. We can write our own, or we can use these online lists, FuzzDB, PayloadsAllTheThings, SecLists, to get lists somebody else has written, and often we do both: sometimes we'll use payloads, sometimes we'll write our own. So if we do want to find payloads, here are some that you can have a look at. The first one over here (we get a little laser pointer), this one is PayloadsAllTheThings; we also have SecLists; and we have FuzzDB. Now depending on what you're trying to accomplish with Intruder you might want to use different lists. PayloadsAllTheThings has a list of vulnerabilities, and it has the brute-force list of all the different ways to get that vulnerability, so it's just easier if you're hunting vulnerabilities. SecLists has a lot of options for discovery, so when we're brute forcing to find new files or new API endpoints. And FuzzDB has a mixture of both: it has discovery and attack. So actually from that you can find quite a lot of payloads that you can use; it's up to you which ones you use. You might find you really like some lists, you might find other lists don't really work for you, but that's fine, you can always just download these and maybe organise them and tag them, and it'll be super easy to find stuff. So that's finding payloads.

The next one is slots. So a slot tells Burp where we want to put the payloads, and it's identified with these little Simoleon signs; I think they're actually called section signs, but they all look like the Simoleons from The Sims, so I always think of them as little Simoleons. We can set more than one, and that's really useful for doing certain attacks, but I'm going to show you just doing one at the moment. And again here we have Add, Clear, Auto, and we can see that when we put protocol HTTP in these little sections we send two requests, one with FTP and one with HTTP, from our list, which is here; so this is our list and then this is where it goes.

So, demo. I'm going to show you how to use Intruder, and we're going to focus on the basic functionality of Intruder; we're not going to go super deep, I'm just going to show you the basics. Right, so let's get that set up. OK, so we're back. I've got Burp set up over here, and if we've just opened it we can see that we can't really load our page because we haven't turned off intercept, and what you'll learn is that the first thing you always want to do is turn off intercept, just so we can hit everything. Again, this is my target, because I'm going to be sending a lot of requests and I don't really want to get IP banned from anywhere, so I'm literally just going to use my fake website here.

Right, so let's talk about Intruder. One thing we notice when we look at this fake website is that we have an API, we have users, and we have user 6. Now the first thing you want to do here is send to Intruder. What do we want to do with this? It's kind of suggested we brute force the cookies, but actually we don't really want to do that, so we want to clear that. Now I'm only going to show you some of it, because I'm going to go into more functionality in a bit. So the first thing to do here is, OK, let's try and look for different IDs, so add a section sign, or a payload marker, and we can see that's gone green, and that means that that is our first one; essentially that's what we're going to be brute forcing. So if we now go to Payloads we can see we've got a simple list; there are all kinds of different ones in here, I'll talk about them later. We're going to keep with a simple list, and here we might add manually 1, 2, 3, 4 and 5. So Intruder will then make five requests, and we can see here that it says we've got five payloads and five requests that will then test IDs 1 to 5 in that position. We're now going to start the attack, and I'll go OK, you're OK with that. Now we can see that that's now run. So the first thing it sends is the initial request; we can configure that, but that's fine. So we get user ID 6, we can then see we've got 1 and 2 and 3 and 4 and 5, so we can see these requests that are being sent. Now we can also see their responses. I can see here there's no response from 5, there's no response here, 3 also doesn't show anything, neither does 2, so we know that these IDs don't exist, but we don't really know that none of the IDs exist. So what I want to do is go back here, and instead of using a simple list let's use Numbers. The numbers one is just here, and we'll do Sequential, and we know 6 exists, so we'll do 6 to 20 with a step of 1. So if we look we'll send 15 requests, because it will do 6, 7, 8, 9, 10, etc., up to 20. We can start the attack again, and again we just press OK, and we can see that actually we've got some changes here: we can see that the length changes. Now this is really important when we use Intruder: when we look at the length we know something's up. If we're testing for some vulnerabilities especially, length is important. One thing you can do is, if you go to Columns here, you can actually see way more. So we can see when the response was received and when it was completed, so we can see how long it took to respond essentially; we can also see time of day as well, timeout, the length, the error, exceptions, etc. So we'll go here and we can see that the ones with a length of 948 don't have anything in them, but if we sort it the other direction we can see that this is a length of 1335, user ID 10, and if we look in here we can see we've got some information in there, and this is true for all of these that have a higher response length. So that's always something to look at, whether or not the length differs, especially compared to your base request. So this is our base request here, this is our user ID 6.

OK, so now we've got this we can go out and do other things with it. So if we go to this, Clear, we can also change users as well, Add, and if you've seen my other demos with this you probably already know the API endpoints, which are grades, classes (I can't remember, it's class, it might be grade and class), we've got users, and if we start the attack what we're going to notice here is that we've still got the ID of 6, which doesn't really work if there's no ID 6, right? Like, what if there's only role ID 1? Now one of the cool things we can do here is go back to Positions, and we can actually change this, so if we just change this to 1, or we can make it just blank, we can start the attack again, and we can see here that actually this has worked a lot better, because on these ones we now have a response. So these only go up to ID 5, so if we'd just kept the 6 it wouldn't work, and this is really one thing to note when you start playing around with Intruder: sometimes things won't work and you have to figure out how to best get things to work. I think since we've got 400s here we've got really big responses because they're errors. Now errors can be really, really useful in understanding how an application works, so immediately the error is Symfony, so we know this is built on PHP, we know it's built with Symfony; if we see, I think the routing is unique to Laravel, so we might be able to say, OK, that's using Illuminate, so that's probably Laravel, and that gives us a lot of knowledge about how the web app works under the surface. So for the ones that did work we can see we've got lists of stuff: we've got roles, we can see the classes, and we can also see the grades here, and again we see user IDs and class IDs and we can match them. So that's the baseline use of Intruder.

I am going to show you one other thing, which is doing it for vulnerabilities. So when we go here we go to GitHub and we want PayloadsAllTheThings, so we'll look at PayloadsAllTheThings, and we might have an idea of what kind of vulnerability we're looking for. So if we look at our errors, which I just closed, and if we do an ID that we know doesn't exist and start the attack, we'll see quite a lot of these now error, and we can see we've got a not-found exception. Now what we might want to try and do is see if we can cause a database error. One thing is that we might want to test for something like blind SQL injection, so we know that with 13 here it must be doing "if user ID equals 13 then show it", right? Very simple, probably uses a database. So we might go here, it might go down to blind SQL injection, and into Intruder, and we can see we've got a bunch of these; obviously we've got some blind ones, we just want a generic blind-based one, so we're going to do a time-based one, and this is, as you can see, if we have a five-second gap between when we send the request and when it arrives we know it's vulnerable to a blind SQL injection. We'll go in here, we're back here, and as you can see we can just press Paste, done, it's already in there. We can start the attack, and again very simply we just let it get on with it. Because we're doing blind SQL injection we want to have a look at response completed, because if it works there's going to be a difference between when it was sent and when it was received. So here we can see there's a bit of a time delay; is it five exactly? No, but is there a delay? Yeah, and that's worth investigating, and we can see we're getting "invalid text representation", "invalid input for integer", so you might want to investigate that further and see if that's actually an SQL injection. What we would expect for an SQL injection is really just the difference between when it was sent and when it was received, and as you can see this isn't actually vulnerable to blind SQL injection, but you can do it, and you can keep running these payloads. These can be quite slow on Burp, but one cool thing you can do is you can use another tool and then send the request into Burp, but I'm just going to be focusing on how to use Intruder the best. So right, we know that doesn't work because I built my web application to be at least a little bit secure, and you can do the same thing; there are quite a lot of payloads in here. Maybe we want to look for, scroll down here, maybe you want to look for XSS, right? You can just go to Intruder, and you've got a bunch of XSS payloads in here that you can try, and we can go in and see if any of those work for us. And yeah, so this can be really useful; using Intruder is really about these payloads. So that's the basic functionality of how it works. I'm going to talk a little bit about some of the advanced functionality and also show you that as well, so let's go back to the slides.

OK, so we're back, and something you might have noticed when we were doing that is attack types. Now I kept mine at Sniper, but actually there are four different types here: we have Sniper, Battering ram, Pitchfork and Cluster bomb. Sniper and Battering ram work on one payload set, but Pitchfork and Cluster bomb work with multiples. There are subtle differences between the four you should be aware of, and they're all used for different things. So I'm going to start by talking about Sniper and Battering ram. Both Sniper and Battering ram use a single set, and the real difference is when you have multiple slots. So if we have, for our request, you know, we have the laser pointer, we have a little Simoleon sign (I think it's more of an S shape, doesn't matter), and we have whatever in here, and we have another little Simoleon sign, and then later on we have a little Simoleon. Now the difference is that Sniper will fill each slot with each value in the set individually. So if you have two slots it will send request one in slot one, go through everything, insert every single option in the set, then it will go back to the default value and then it will do every single value again. I know that sounds confusing; it makes more sense in the demo. And Battering ram puts everything in the same slot at the same time. So I'm going to very quickly show you what that looks like visually so you can see it.

OK, so we're back looking at this. I'm going to clear this list of the old one, go back into here, and I'm on Sniper. I'm also going to select users, so I have two slots here. I go back to Payloads, and I know I want to test for grades, I want to test for roles, and I want to test for numbers as well, so maybe 1 and 2. Now what we'll see when we do this is we send eight requests, because we do these four in position 1, which is api/, and these ones in position 2, but importantly on this one users has not changed, grades is just on its own. So here we have grades/13, so the grades has changed but the number hasn't, and here we have users/grades, so different parts are the same and different parts are different. Now if I make this a little bit clearer, I can do 1, 2, 3, 4, and if I go in here I'm going to change this one to A and this one to B, so we can see that on the default one we have A and B, these four here are just sent to position A but B remains the same, these ones are sent to position B but A remains the same, and that's a really important difference between Sniper and Battering ram. So I'll show you Battering ram next. Battering ram puts the same payload in both, so here we can see our initial one is A, B; both A and B have the value of 1, 2, 3, 4; we only send four requests, so this changes them at the same time. Maybe if you have a cookie you might want to send it in multiple places. So that's the difference between those two. Let's go back to the slides and I'll talk about the other ones.

OK, so we're back at the slides. That's the difference between Sniper and Battering ram, but let's talk about Pitchfork and Cluster bomb. While Sniper and Battering ram use only one payload set, Pitchfork and Cluster bomb use two. Now Pitchfork will join set one and set two together. That's a bit confusing, but you can see here that the first one from set one is used with the first one from set two, and B will always be with Y, and C will always be with X, and D will always be with W. So that way you can set this up: this could be our API endpoints and this could be our numbers. Now that's Pitchfork. Cluster bomb tests every combination of the two. (Can I change the colour? Can you change the colour? Yeah.) So with Cluster bomb we check A and Z, just like in Pitchfork, we test A and Y, we test A and X, and we test A and W, and we test B and Z, B and Y, B and X, B and W, to create every single combination of the two. So I'm going to show you that this time.

OK, so we're back at our demo. We have A and B, and we're going to set this to Pitchfork. Now if we go back to Payloads we can see that we've got payload set 1 and payload set 2. In this position we kind of want to test for API endpoints, so in this one we put in our grades, our roles, our users, and in payload set 2, we can see it's changed, we might want to put in numbers; you might test more API; we might do from 1 to 5, step 2. If we start the attack and we go to this, we can see that we've got grades/1 but then roles/2, because payload set 2 is just being used for the next one along, right? If we change this back to a simple list, if we do X, Y, Z, and we go back to list 1 and we clear that to be A, B, C, we can see we only make three requests: A with X, because that was in position 1, B with Z, because that was in position 2, and C with Y. Now what we kind of want to do practically is test for an API endpoint and then test for IDs, so if we change this to Cluster bomb, we might change this one back to grades, roles, users, classes, and we go to payload set 2 and we use numbers, and we'll test maybe 1 to 20 in terms of IDs, and we can see we're making 80 requests because we've got to test every combination. So if we start the attack here it's going to take a while, but we can see we're testing roles/1, grades/2, grades/3, classes/3; we're testing every single possible combination. The problem with this is that it can get insane very quickly. What I'm going to do is, we know that these lengths are always garbage, so we might want to say, OK, what does this response contain, and that's the error; OK, that one is showing something, so we know classes and 3 works, and this can give us an idea of what payloads are actually working, because we can see here the IDs that work. And you see this is taking a long time; the more requests you send, the longer it's going to take, and unfortunately with the free version it is going to take a while. So we can stop that attack; we can also edit it while it's a work in progress as well. So let's stop that and try something else. So that is how it works. If you start to add more things here, you know, maybe you have another slash and you want to also add this, then go to payload sets and you've also got set 3 as well, and again maybe you want some numbers in there; if you're doing 1 to 20 with a step of 1 we've now got 1600 requests. So it's really important not to go crazy with this because it will take forever. So that's the difference between the two. Right, let's go back to the slides and we'll talk about payload types.

OK, so we're back. One thing you might have noticed when I was scrolling through these payload sets is that Burp offers a lot of different types of payloads. I'm focusing mostly on numbers and dates and simple lists and null, but some of these are really, really specialised. But for fun I'm going to explain them all. I'm going to show you very quickly how to use numbers, dates, simple lists and null, but I will also show you what everything else does at the very end of the video. All right, so let's have a look at how you can use these. So we're back with our demo again, same set-up. What we're going to do here is adjust this and do a null payload. And what is a null payload? So one of the things you might want to do is test for race conditions. Now here I'm just doing a gap; if you've seen my demo you know you can actually do quite a lot here. I'm just going to quickly set this up as, what exists is, I think it was... OK, so this is how we can change a name. So one thing you might want to do is a race condition, and you can actually do this in Intruder without relying on any specialist tools; depending on the speed it may not work 100%, but I can show you how you would do it. So send to Intruder, and actually we don't want to change anything in here; we want to reduce this to be the smallest it can possibly be, so you might go to Repeater, and we're going to see if we can get rid of, I think you can get rid of all of that and it will still work, yeah, we can get rid of Cache-Control and Cookie I think, yep. OK, so the first thing you want to do when you're doing race conditions is reduce that as much as possible. I think you can... can you remove Content-Type though? Yeah, you can. Uh, no, add it. OK. So you want to make the request as small as possible, so we're sending that to Intruder. Now what I want to do here is, we actually don't want to adjust anything really, because we're just trying to do a race condition, so what you can do is send null requests, so add on the end of the URL here, and we'll add that, add that one, go to Payloads, and instead of using a simple list we're going to go down here and use null payloads, and I want to generate five null payloads, and then this will basically, if I show you what the attack looks like, we can see that each one is just sending nothing in that little k we added at the end, and they're all just nothing. So here's how you can do this: you want to speed this up as much as possible, so the first thing you want to do is, don't store the responses, don't make a baseline request, use denial-of-service mode, and you can use one thread. So this is how we then send a null payload, and in the Pro edition you can change the number of threads and send them at exactly the same time. So one thing we may want to do with this one is try and change the name: go to this, go back to users, send it for user ID 8, send that, and see which one would have worked, basically, and see how much you can hit it. So that's how you do a null payload.

We can also give dates. Dates you don't see very often, but it's very similar to how numbers work. So in numbers we have sequential, random, integer, division, whatever; in dates it's the same. So we have from June to... if I put this to the 20th of June we have one payload; if I put it to the 23rd we have more. If we start the attack it's going to mess it up; we can see the date is being added there next to the 8. I highlight that, Burp should tell me it's not timing... it's fine if I change that from denial-of-service mode to default. OK, so this won't work because this doesn't accept dates as an option, but we can see here that it is sending the date object. If we go here and look at the code we can see it sending that thing, and it's sending the 19th, 20th, 21st, 22nd, 23rd, and that's actually really easy to do with the payload types here. There are a lot of other ones, I'm going to talk about them, but those are the primary ones you use: you use your simple list, you use numbers, you might use dates, and you will probably use null payloads. So back to the slides.

OK, so I showed some of these other settings during my talk there, but here are the ones I'd like to note. The request engine settings allow you to control the requests, to make them happen at the same time, to throttle them; not available on the free version, and you can use other tools to do essentially the same thing, but if you do pay for it you can also change the number of threads when you do an Intruder attack. You can also have Columns, which show even more information like the date, the time, the response received and completed; really useful for SQL injection. And then we also have grep, so grep allows you to flag responses matching expressions. So I'm going to show you how to do that, and I'm also going to tell you about every single type you can put into Intruder. So let's have a look at the advanced stuff then.

OK, so we're back. The first thing I want to show is the grep. So we go back to this one here, and we have our A and our B, and we know we want to do a Cluster bomb because we want to have grades, roles, users, and then in the second one we want to have our numbers. Now what we have with this is we're sending quite a lot of payloads which are just producing garbage here; this isn't a natural request, this isn't responding with anything, there's something wrong there. What we notice when we look at all of these is that they all have an ID, so if we could search for the word ID we could flag those requests. So let me show you how to do that. We go back to Options and we scroll down to Grep - Match; we can use this one here, I don't know, it has everything, it has UID, so we can clear that and use our own. Now one thing we want to look for is ID. If we go back here, we start the attack, press OK, we can see whether or not ID exists in the response, and if it does we know that these are the requests we're interested in, because they're the ones that contain stuff. Now unfortunately we're getting a bunch of errors, which is happening because of the 404 not found on A or B, but actually for everything else it seems to be working pretty well, so we can check for ID, and we can check for other ones as well; you know, maybe you want to look for ones that contain names as well, maybe we're looking for confidential information, so maybe you want to see grades and see if that appears anywhere. We go back up here and we start the attack, and we can see that all of these become this little checkbox, so we can cross-reference them and say, OK, that one contains ID, it doesn't contain name. So that's one really cool thing. The second really cool thing is that you can actually extract information, so if you want to extract everything after ID, for example. And really, if you're learning how to use Burp, learning how to use the grep stuff is really helpful, because it can just make it so much quicker to look at stuff. So that is most of the advanced features. Let's look at payload sets.

OK, so the first we've got is a simple list; it's a list. Runtime file: now the problem with Burp is it uses a lot of memory, and if you have a really big file, like gigabytes, you are not going to have enough space in your RAM to be able to hold everything; that allows you to read the payload strings from a file so you're not loading them all into memory. Custom iterator: this lets you configure lists and then generate payloads using different ways of combining the lists, and you can customise these a lot in how it works. So if we look at the custom iterator we can see that AD just gets added on the end, and we've got BD, and it just combines two things together. Character substitution: this is really useful if you do passwords, because people will just change, you know, an I to a 1 and an O to a 0, a B to an 8. OK, we can see here the password is being changed to "password" with the full password, with 5s, and we can see that it's all there. Case modification lets you put stuff in upper case and lower case. If I put in "grade" here, case modification, 3, we can see that this will send grade, Grade with a capital letter, GRADE in all caps, and with some of them, you know, if you have "grade boundary" it will also send camel case and the case you'd have when you were programming, but I forgot to add it, and that can be really useful if you're not really sure how it might work, and change things. Recursive grep: it allows you to basically extract information and then make a payload from it, so you send a request, get information from the response to inform the next one; that's really complex, I'm not going to show that one. Illegal Unicode has illegal Unicode ones in it, all right. Character blocks creates blocks of characters in the string, and we can make AAAA; if I show you that, hmm, you can see we've got a hundred As, a hundred and fifty As, 458, 658, many, many, many As, and this is really useful when you're dealing with buffer overflows, because sending that can easily overflow the buffer. All right, we've got numbers, we talked about dates, we talked about... brute forcer, which is just a brute force, like it can brute force things; if I change this to ABC it will do AAA, AAA, BBB, CAA and it will just go through every single possible combination of those characters. Right, null payloads we talked about. Character frobber: basically it's about long strings, I don't really understand it. Bit flipper: useful if you're dealing with encrypted data, flips bits. Username generator generates usernames, useful when you're creating data. And again, more stuff to deal specifically with encrypted data, the stuff about Burp extensions, and you can copy other payloads from positions. Right, that is every single type that Burp can do.

So I hope you found this useful, and maybe you didn't know about grepping, maybe you wanted to see more about different types of payloads, maybe you didn't know every single payload type; I hope you found something useful in this. So let's go back to the slides and I'll finish off this video. Thank you very much for watching this video on how to use Intruder. Intruder is such a complex tool, there are so many things you can do with Intruder, it's such a versatile tool, it's incredible. So I hope you found this really useful and helpful. Thank you very much to Intigriti for sponsoring this video; you can see my link on the screen, it's go.intigriti.com/katie. If you want to sign up please do; be nice to all of my sponsors, they're very nice to me, and I want to share things that I think are going to be useful for you folks. So thank you to everyone who's already signed up, and please do sign up if you haven't already. And that concludes the marathon that is Intruder. So thank you for watching, I will see you all next time.
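The four attack types, three of the payload types and the length/grep triage described in the video, as an added Python model; this is not Burp's code and not from the video. It reproduces the request counts the talk quotes (8 for Sniper with two slots and four payloads, 80 and 1600 for Cluster bomb) and generalises to any number of slots. The §…§ template syntax mirrors Burp's payload markers, and fake_send, its _FAKE_DB records and the long error body are constructed stand-ins, not a real server.

```python
import itertools
import re
from typing import Callable, Dict, List, Sequence, Tuple

# Burp marks a payload position with a pair of section signs; the text between
# them is the slot's default, i.e. whatever the original request had there.
SLOT = re.compile(r"§([^§]*)§")

def slot_defaults(template: str) -> List[str]:
    """Default value of every §...§ slot, left to right."""
    return SLOT.split(template)[1::2]

def render(template: str, values: Sequence[str]) -> str:
    """Substitute one value per slot and return the concrete request line."""
    parts = SLOT.split(template)  # literal, slot, literal, slot, ..., literal
    assert len(parts[1::2]) == len(values), "one value per slot"
    for i, value in enumerate(values):
        parts[2 * i + 1] = value
    return "".join(parts)

def sniper(template: str, payloads: Sequence[str]) -> List[str]:
    """One set; each slot is fuzzed in turn while the others keep their
    defaults. Requests = slots x payloads."""
    defaults = slot_defaults(template)
    requests = []
    for slot in range(len(defaults)):
        for payload in payloads:
            values = list(defaults)
            values[slot] = payload
            requests.append(render(template, values))
    return requests

def battering_ram(template: str, payloads: Sequence[str]) -> List[str]:
    """One set; the same payload goes into every slot at once. Requests = payloads."""
    n = len(slot_defaults(template))
    return [render(template, [payload] * n) for payload in payloads]

def pitchfork(template: str, sets: Sequence[Sequence[str]]) -> List[str]:
    """One set per slot, walked in lock-step. Requests = shortest set."""
    return [render(template, list(combo)) for combo in zip(*sets)]

def cluster_bomb(template: str, sets: Sequence[Sequence[str]]) -> List[str]:
    """One set per slot, every combination. Requests = product of set sizes."""
    return [render(template, list(combo)) for combo in itertools.product(*sets)]

# Three of the payload types the video walks through.
def numbers(start: int, stop: int, step: int = 1) -> List[str]:
    """Sequential numbers, inclusive of 'stop' like Burp's To field."""
    return [str(n) for n in range(start, stop + 1, step)]

def null_payloads(count: int) -> List[str]:
    """Null payloads: the unchanged request repeated (race-condition tests)."""
    return [""] * count

def case_modification(word: str) -> List[str]:
    """Original, capitalised and upper-case variants of a word."""
    return [word, word.capitalize(), word.upper()]

def triage(requests: Sequence[str], send: Callable[[str], Tuple[int, str]],
           base_request: str, greps: Sequence[str]) -> List[Dict]:
    """Send every request; report status, length, delta vs. base and grep hits,
    the columns the video uses to spot the interesting responses."""
    base_len = len(send(base_request)[1])
    rows = []
    for request in requests:
        status, body = send(request)
        rows.append({"request": request, "status": status, "length": len(body),
                     "delta": len(body) - base_len,
                     "grep": {g: g in body for g in greps}})
    return rows

# Constructed stand-in for the demo API, not a real server: users 1-5 and
# grades 1-3 exist; anything else gets a long HTML error page whose length
# stands out, like the error responses in the video.
_FAKE_DB = {
    "users": {str(i): {"id": i, "name": f"user{i}", "role": 1} for i in range(1, 6)},
    "grades": {str(i): {"id": i, "class": i, "grade": "A"} for i in range(1, 4)},
}

def fake_send(request_line: str) -> Tuple[int, str]:
    """Answer 'GET /api/<resource>/<id> HTTP/1.1' from _FAKE_DB."""
    m = re.match(r"GET /api/([^/ ]*)/([^/ ]*) HTTP", request_line)
    record = _FAKE_DB.get(m.group(1), {}).get(m.group(2)) if m else None
    if record is None:
        return 404, "<html>NotFoundException: no query results" + "x" * 900 + "</html>"
    return 200, str(record)

if __name__ == "__main__":
    base = "GET /api/§users§/§6§ HTTP/1.1"
    endpoints = ["grades", "roles", "users", "classes"]
    print(len(sniper(base, ["1", "2", "3", "4"])), "sniper requests")
    print(len(cluster_bomb(base, [endpoints, numbers(1, 20)])), "cluster bomb requests")
    for row in triage(cluster_bomb(base, [endpoints, numbers(1, 3)]), fake_send,
                      "GET /api/users/6 HTTP/1.1", ["id", "name"]):
        if row["grep"]["id"]:  # the rows a Grep - Match on "id" would tick
            print(row["request"], row["length"], row["delta"])
```

The triage rows carry the same three signals the talk relies on: a non-zero delta against the base request (the 948 versus 1335 lengths in the demo), the status code, and a per-expression grep flag, so sorting or filtering on them reproduces what the Columns and Grep - Match panels do in Intruder.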
Info
Channel: InsiderPhD
Views: 14,005
Keywords: burp suite, intruder, brute forcing, race conditions, berp suite, burp suite professional, free burp, burp pentesting, insiderphp, insiderphd, burp video, burp tutorial
Id: mibKttwhbRk
Length: 40min 58sec (2458 seconds)
Published: Sat Jul 04 2020