Burp Suite: Intruder - TryHackMe Junior Penetration Tester 4.3

Captions
What's up guys, in our last lesson we learned how to use Burp Suite Repeater to duplicate requests in Burp Suite. Today we're going to learn how to use Intruder to automate requests in Burp Suite. I'm Brock for Brock Card Security, and let's get hacking.

First things first, once you're on TryHackMe go ahead and log into your Junior Penetration Tester dashboard. We're going to hop into Burp Suite room 3, Burp Suite: Intruder. The previous rooms of this module have covered Burp Suite's Proxy and Repeater functionality. If you have not completed those rooms or are not familiar with these aspects of the framework, then you're advised to complete at least the Burp Basics room before proceeding. If you haven't gone through the Burp Suite Basics room then what are you doing here? Go ahead and click on the link here to visit my Burp Suite Basics tutorial; it's going to be really helpful, especially if you're going through a lesson like this. This room will cover the third of Burp Suite's primary modules: Intruder. Intruder allows us to automate requests, which is very useful when fuzzing or brute forcing. We'll be looking at how to use Intruder to perform both of these functions in conjunction with the other tools we've already covered.

Let's begin. Deploy the machine by clicking the green Start Machine button, and once we see that it's ready we can go ahead and click this blue Start AttackBox button, that is if you're not using your own attack VM. If you're not using the AttackBox and want to connect to this machine without the VPN, you can certainly do so using this link once the machine has fully loaded and an IP address is displayed. And while that's loading we can go ahead and complete "What is Intruder?"

Intruder is Burp Suite's inbuilt fuzzing tool. It allows us to take a request, usually captured in the Proxy before being passed into Intruder, and use it as a template to send many more requests with slightly altered values automatically. For example, by capturing a request containing a login attempt, we could then configure Intruder to swap out the username and password fields for values from a word list, effectively allowing us to brute force the login form. Similarly, we could pass in a fuzzing word list and use Intruder to fuzz for subdirectories, endpoints or virtual hosts. This functionality is very similar to that provided by command line tools such as wfuzz or ffuf. In short, as a method for automating requests, Intruder is powerful. There's just one problem: to access the full speed of Intruder we need Burp Professional. Now hold on before you guys go, we can still use Intruder with Burp Community, but it is heavily rate limited. The speed restriction means that many hackers choose to use other tools for fuzzing and brute forcing, so keep that in mind guys. But limitations aside, Intruder is still very useful, so it's well worth learning to use it properly.

Go ahead and click on Burp Suite Community Edition, Temporary Project, Use Burp Defaults. Once you've got Burp Suite open you can go ahead and click on the Project Options tab, then under Misc scroll down and click "Allow the embedded browser to run without a sandbox". Now we can go back to Proxy, open a browser and type in tryhackme.com. We've got some action going on in Burp Suite; we'll right click and Send to Intruder, or Ctrl+I.

Now let's get a look at the Intruder interface. The first view we get is a relatively sparse interface that allows us to choose our target. Assuming that we sent a request in from the Proxy by using Ctrl+I or right clicking and selecting Send to Intruder, this should already be populated for us. There are four other Intruder sub-tabs. Positions allows us to select an attack type, as well as configure where in the request template we wish to insert our payloads. Payloads allows us to select values to insert into each one of the positions we defined in the previous sub-tab. For example, we may choose to load items in from a word list to serve as payloads; how these get inserted into the template depends on the attack type we chose in the Positions tab. There are many payload types to choose from, anything from a simple word list to regexes based on responses from the server. The Payloads sub-tab also allows us to alter Intruder's behaviour with regards to payloads; for example, we can define pre-processing rules to apply to each payload, an example being adding a prefix or suffix, matching and replacing, or skipping if the payload matches a defined regex. Resource Pool is not particularly useful to us, at least in Burp Community. It allows us to divide our resources between tasks. Burp Pro would allow us to run various types of automated tasks in the background, which is where we may wish to manually allocate our available memory and processing power between these automated tasks and Intruder. Without access to these automated tasks there is little point in using this, so we won't devote much time to it. As with most of the other Burp tools, Intruder allows us to configure attack behaviour in the Options sub-tab. The settings here apply primarily to how Burp handles results and how Burp handles the attack itself. For example, we can choose to flag requests that contain specified pieces of text, or define how Burp responds to a redirect, like the number of retries on a network failure. We will take a closer look at some of these sub-tabs in the upcoming tasks; for now just get to know where things are in the interface.

Fuzzing is when we take a set of data and apply it to a parameter to test functionality, to see if it's something that exists. For example, we may choose to fuzz for endpoints in a web application. This would involve taking each word in a word list and adding it to the end of a request to see how the web server responds, for example taking the IP address and then doing a forward slash and putting the next word in the URL to test if that web page exists.

Okey dokey. "Which section of the Options sub-tab allows you to control what information will be captured in the Intruder results?" Well, looking at the Options sub-tab, I can see that Attack Results is most likely the setting that controls what information is captured in the attack results. "In which Intruder sub-tab can we define the attack type for our planned attack?" Go to Positions; you'll remember we saw all these different attack types that we can use. Nice job.

When we are looking to perform an attack with Intruder, the first thing we need to do is look at the positions. Positions tell Intruder where to insert payloads, which we'll look at in an upcoming task. Let's switch over to the Positions sub-tab. Notice that Burp will attempt to determine the most likely places we may wish to insert a payload automatically; these are highlighted in green and surrounded by silcrows (§). If you'll notice on the right hand side of the interface we have the buttons labelled Add §, Clear § and Auto §. They each do what they sound like: if we click Add it'll highlight them in the editor, Clear will remove all defined positions, and Auto attempts to select the most likely positions automatically. As you can see, for this page it's not able to. It can be useful if we've cleared the silcrows already and we somehow want them back. Go ahead, play around, make sure that you're comfortable with the process of adding, clearing and automatically selecting positions. Once you've done that, go ahead and click Complete.

"Clear all selected positions": if you've got a page like mine then it's pretty easy to clear all the positions, because there weren't any there to begin with. "Select the value of the Host header and add it as a position": so the host can be an IP address, it can be a domain name like tryhackme.com. So all you're going to do is just go to the left of whatever your host name is and click Add, and at the end of the hostname go ahead and add another one. Now we can see it's locked in in that green; it should look something like that. Go ahead and click Completed. And we're going to clear this position and then click the Auto button again to reselect the default positions. So now we're going to go ahead and clear this position, and you can click Auto, but obviously for our page it wasn't able to make a determination, because tryhackme.com just doesn't have any weak points, I guess. Your editor should be back looking like it did at the start of this task.

Now, an introduction to attack types. Let's switch to the Positions sub-tab and look at the attack type drop-down menu. There are four attack types available: Sniper, Battering Ram, Pitchfork and Cluster Bomb. We will look at each of these in turn, because they each deserve their own lesson. Go ahead and read through the attack types introduction.

First up, the Sniper, the most common attack. When conducting a Sniper attack we provide one set of payloads. For example, this could be a single file containing a word list or a range of numbers. From here on out we will refer to a list of items to be slotted into requests using the Burp Suite terminology of a "payload set". Intruder will take each payload in a payload set and put it into each defined position in turn. Take a look at our example template: there are two positions defined here, targeting the username and password parameters. In a Sniper attack, Intruder will take each position and substitute each payload into it in turn. For example, let's assume we have a word list with three words: burp, suite and intruder. With the two positions that we have above, Intruder would use these words to make six requests. The first request would try burp and exploited, the second would be suite and exploited, the third would be intruder and exploited, the fourth would be pentester and burp (but why the change in the username?), the fifth pentester and suite, and then finally pentester and intruder. Notice how Intruder starts with the first position, the username, and tries each of our payloads, burp, suite and intruder, then moves to the second position and tries the same payloads again. The second position was the password: burp, suite, intruder. We can calculate the number of requests that Intruder Sniper will make as requests = number of words × number of positions. This quality makes Sniper very good for single position attacks, for example a password brute force if we know the username, or fuzzing for API endpoints.

"If you were using Sniper to fuzz three parameters in a request with a word list containing 100 words, how many requests would Burp Suite need to send to complete the attack?" I know usually there's not a lot of math involved in cyber security, but I gotta admit it's good to practice these things. You guys still remember your algebra? Remember, if there's three parameters there's really three slots, so Burp Suite has to try each word in that single parameter: so 100 in the first parameter, 100 in the second parameter and 100 in the third parameter comes out to 300. "How many sets of payloads will Sniper accept for conducting an attack?" If we remember from up here, when conducting a Sniper attack we provide one set of payloads; this is known as the payload set. "Sniper is good for attacks where we are only attacking a single parameter, aye or nay?" If you said nay then you would be incorrect; aye is the right answer. We are just using a single parameter; Sniper zeroes in on a specific parameter, whether that's the username or the password, just like a brute force attack.

Let's check out the Battering Ram. Like Sniper, Battering Ram takes one set of payloads, for example a word list. Unlike Sniper though, Battering Ram puts the same payload in every position rather than each position in turn; they're breaking through door after door after door. Let's use the same word list and example request as we did in the last task to illustrate this. We've got our same parameters, we've got username and password, trying to log into this IP address. If we use Battering Ram to attack this, Intruder will take each payload and substitute it into every position at once, burp, suite and intruder, to make three requests. So it just goes straight ahead and does burp burp, suite suite and intruder intruder, all at the same time. As can be seen in the table, each item in our list of payloads gets put into every position for each request. True to the name, Battering Ram just throws payloads at the target to see what sticks. So if you want a more zeroed-in approach, that's where Sniper would come in, but if you're just trying to bust through everything and see what works, that's where Battering Ram comes in.

"As a hypothetical question, you need to perform a Battering Ram Intruder attack on the example request above. If you have a word list with two words in it, admin and guest, and the positions in the template look something like this, with a username and then we have password, what would be the body parameters of the first request that Burp Suite sends?" Well, it'd probably go through the first word in the word list, admin, so it would try username equaling admin and the password equaling admin, and sure enough that's what it does. But you've got to be careful using that Battering Ram, because if you knock that many doors down you're probably gonna alert their IT team. Anyhow, two down, two more to go.

The Pitchfork is the attack type you're most likely to use. It may help to think of Pitchfork as being like having numerous Snipers running simultaneously. Where Sniper uses one payload set which it uses on every position simultaneously, Pitchfork uses one payload set per position, up to a maximum of 20, and iterates through them all at once. This type of attack can take a little time to get your head around, so let's use our brute force example from before, but this time we need two word lists. Our first word list will be usernames; it contains three entries: Joel, Harriet and Alex. Let's say that Joel, Harriet and Alex have had their passwords leaked. We know that Joel's password is j031, Harriet's password is emma1815 and Alex's password is SK1LL. We can use these two lists to perform a Pitchfork attack on the login form from before. The process for carrying out this attack will not be covered in this task, but you will get plenty of opportunities to perform attacks like this later. When using Intruder in Pitchfork mode the requests made would look something like this: we have request one with the username Joel and the password with his password j031, and then we have Harriet and Alex. See how Pitchfork takes the first item from each list and puts them into the request, one per position. It then repeats this for the next request, taking the second item from each list and substituting it into the template. Whereas Battering Ram didn't really make much sense, because you're putting in the same username for the password, so in this case it would be Joel Joel and then j031 j031, Pitchfork is useful because we're able to target two parameters with two payload sets. Intruder will keep doing this until one or all of the lists runs out. Ideally our payload sets should be identical lengths when working in a Pitchfork, as Intruder will stop testing as soon as one of the lists completes. For example, if we had two lists, one for usernames, one for passwords, and we had 100 usernames but only 90 passwords, it'd stop at that 90th password. This attack type is exceptionally useful when performing things like credential stuffing attacks; we just encountered a small scale version of this. We'll be looking more into this later in this room. "What's the maximum number of payload sets we can load into Intruder in Pitchfork mode?" We can have 20 payload sets working simultaneously, iterating through them all at once.

Cluster Bomb. Like Pitchfork, Cluster Bomb allows us to choose multiple payload sets, one per position, to a maximum of 20. However, where Pitchfork iterates through each payload set simultaneously, Cluster Bomb iterates through each payload set individually, making sure that every possible combination of payloads is tested. Sounds like it should be kind of backwards there, because, you know, Pitchfork you can only use individually; Cluster Bomb, it just goes everywhere. Again, the best way to visualize this is with an example. Let's use the same password list as before, Joel, Harriet, Alex for our usernames, and we have our second payload set, j031 and the other two passwords, but this time let's assume that we don't know which password belongs to which user. We have three users and three passwords but we don't know how to match them up. In this case we could use a Cluster Bomb attack by applying every combination of values. The request table for our username and password positions looks something like this: you can see right off the bat that it starts using username Joel and then password j031, okay, so we're trying two different parameters there with a different username and a different password, and then it's sticking with that same first password but moving to the second username. So it's a little more sophisticated, and I don't know why they didn't name this one the Pitchfork. Anyway, Cluster Bomb will iterate through every combination of provided payload sets to ensure that every possibility has been tested. This attack type can create a huge amount of traffic, equal to the number of lines in each payload set multiplied together. So that's why they call it a Cluster Bomb, because pretty much every single username and password is tested; that can create a lot of traffic, equal to the number of lines in each payload set multiplied together, so be careful. Equally, when using Burp Community with its Intruder rate limit, be aware that a Cluster Bomb attack with any moderately sized payload set will take a pretty long time. That said, this is another extremely useful attack type for any kind of credential brute forcing where a username is unknown. See, there's no way I thought Cluster Bomb would be like that, but I guess it makes sense if it's trying each individual username and password, trying pretty much everything and maximizing our surface area of attack.

"We've got three payload sets; the first set contains 100 lines, the second contains two lines and the third contains 30 lines. How many requests will Intruder make using these payload sets in a Cluster Bomb attack?" Get out your chalkboard, because it's going to try every username and every password from every list; it's going to try every line for each of these sets. So you shouldn't need a chalkboard, you just multiply 100 lines from the first set by two lines from the second set, that's 200. Take that 200 and multiply it by 30 lines for the last set: that is 6,000 tries, which will generate some traffic. Alright, you guys need to brush up on your algebra.

Payloads. That was a lot of theory, so kudos to you for reading it and listening to me. There will be plenty of practicals in the upcoming tasks, but first it's imperative that we understand how to create, assign and use payloads. Switch over to the Payloads sub-tab; this is split into four sections. The Payload Sets section allows us to choose which position we want to configure a set for, as well as what type of payload we would like to use. If we use an attack type that only allows for a single payload set, for example a Sniper or Battering Ram, the drop-down menu for payload set will only have one option, regardless of how many positions we have defined. If we're using one of the attack types that use multiple payload sets, like the Pitchfork or Cluster Bomb, then there will be more items in the drop-down, one for each position. Multiple positions should be read from top to bottom, then left to right, when being assigned numbers in the payload set drop-down. For example, with two positions, the username and password, the first item in the payload set drop-down would refer to the username, the second would refer to the password field. The second drop-down in this section allows us to select a payload type. By default this is a Simple List, which, as the name suggests, lets us load in a word list to use. There are many other payload types available; some common ones include Recursive Grep, Numbers and Username Generator. It's well worth perusing this list to get a feel for the wide range of options available. So we'd use a Simple List for things like strings, like usernames and passwords. Recursive Grep will work recursively; we may need the response from the previous request in the attack. Numbers can be sequential or random within a given range and specified format. The payload type Username Generator lets you configure a list of names and emails using various common schemes; you can enter your items such as first name dot last name at example.org.

Payload Options. The second box will differ depending on the payload type we select for the current payload set. For example, a Simple List payload will give us a box to add and remove payloads from the set. As you may have noticed, every time we've clicked a different payload type the Payload Options box would change as well. We can do this manually using the Add text box, paste in lines with Paste, or load it from a file. The Remove button removes the currently selected line, and the Clear button clears the entire list. But be warned, putting extremely large lists in here can cause Burp to crash. By contrast, the options for a Numbers payload type allow us to change options such as the range of numbers used and the base that we're working with; for example, we can do numbers 1 through 100 and have a minimum integer of four digits.

Payload Processing allows us to define rules to be applied to each payload in the set before being sent to the target. For example, we could capitalize every word or skip the payload if it matches a regex. You may not use this section particularly regularly, but you will definitely appreciate it when you need it. Finally we have the Payload Encoding section. This section allows us to override the default URL encoding options that are applied automatically to allow for the safe transmission of our payload. Sometimes it can be beneficial to not URL encode these standard unsafe characters, which is where this section comes in. We can either adjust the list of characters to be encoded or outright uncheck the "URL-encode these characters" checkbox. When combined, these sections allow us to perfectly tailor our payload sets for any attack we wish to carry out.

"Which payload type lets us load a list of words into a payload set?" Well, if we scroll back up to the first one: Simple List. Simple list. "Which payload processing rule could we use to add characters at the end of each payload in the set?" Well, if we go to Payload Processing and Add, it's not going to be the Add Prefix but the Add Suffix rule. On to the next one.

We've covered a lot in the last section; it's now past time that we put it all into practice. Let's try and gain access to the support portal by going to /support/login. This is a fairly typical login portal. Looking at the source code for the form, we can see that there are no protective measures in place; we have the username and the password ready to grab. This lack of protective measures means that we could very easily attack this form using the Cluster Bomb attack for brute force, but there's a much easier option available. It's attached to this task and available using wget and then http://<the machine's URL> on port 9999, /credentials/bastionhostingcreds.zip, for the sake of anyone using the AttackBox. It's a list of leaked credentials for Bastion Hosting employees. So if you're on your local machine you can just go ahead and click this Download Task Files button; using the AttackBox, go ahead and open up a terminal and type in that command. Using that command in the default root home directory, we can see that it's zipped up here, so go ahead and Extract Here, and we can see inside that there's a list of different lists. Bastion Hosting was hit with a cyber attack, and we can see inside is a list of leaked credentials for Bastion Hosting employees. Bastion Hosting was hit with a cyber attack three months ago. The attack resulted in all of their employee usernames, emails and plain text passwords being leaked. Employees were told to change their passwords immediately; however, maybe one or two of them didn't listen. As we have a list of known usernames, each associated with a password, we can avoid a straight brute force and instead use a credential stuffing attack. This will blessedly be much quicker when using the rate limited version of Intruder. Once you've downloaded and unzipped that bastionhostingcreds file (it doesn't matter whether you do this by clicking the download link in the task or by using the files hosted on your deployed machine), go ahead and click Complete. The zipped file should contain four word lists; these contain lists of leaked emails, usernames and passwords respectively. The last list contains the combined email and password list. Once you've confirmed that you can see all four, go ahead and click Completed.

Navigate to the IP address they give, /support/login, and you can do that in your Chromium web browser. But before you do, make sure that Proxy is turned off for now. Then go to your Chromium web browser and type in that address and it'll take you to the support login page. Enter whatever you like, but before you log in go ahead and turn on the Intercept. Once that's on, go back to your Chromium browser and click Log In. You should see a flash coming from Burp Suite, and we've got our request. Click Completed. Now send that request from the Proxy to Intruder by right clicking and using Send to Intruder, or simply by pressing Ctrl+I. Press Completed. Looking in the Positions sub-tab, we should see that the auto selection should have chosen the username and password parameters, so we don't need to do anything else in terms of defining our positions. If you have already visited certain other pages on the site then you may have a session cookie; if so, this will also be selected. Make sure to clear your positions and select only the username and password if this happens to you. We also need the attack type to be Pitchfork, so we'll go up here, and instead of Sniper we'll go to the third one, Pitchfork. Click Completed.

Let's switch over to the Payloads sub-tab. We should find that we have two payload sets available. Although these aren't named, we know from the fact that the username field is to the left of the password field that the first position will be for usernames and the second position will be for passwords. We can leave both of these as the Simple List payload type. For the first payload set, the username, go to Payload Options, choose Load, then select our list of usernames. In the AttackBox, if you downloaded those files in the default root home directory and unzipped it, it should be right here, and we're going to click usernames, Open. Now we can see our list has been populated by employee usernames from the Bastion Hosting company. We'll do the same thing for the second payload set, the password, and then the list of passwords. So we'll click payload set number two, still using a Simple List, and we're going to go into Load and click passwords. This process can be seen here as well. Click Completed. We have done all we need to do for this very simple attack. Now all we need to do is go ahead and click the Start Attack button. A warning about the rate limiting in Burp Community will appear; click OK and start the attack. This will take a few minutes to complete in Burp Community, hence the relatively small list in use. Click Completed. That's credential stuffing.

You'll notice we have a new problem: Burp sent 100 requests, but how are we supposed to know which ones, if any, are valid? The most common solution to this problem is to use the status code of the response to differentiate between successful or unsuccessful login attempts. This only works if there is a difference in the status codes. Ideally, successful login requests will give us a 200 response code and failed login requests would provide us with a 401. However, in many cases, this one included, we are just given a 302 redirect for all requests instead, so that solution's out. The next most common solution is to use the length of the responses to identify differences between them. For example, a successful login attempt may have a response with 400 bytes in it, whereas an unsuccessful login attempt may yield a response with 600 bytes in it. So successful 400 bytes, unsuccessful 600 bytes, usually. Well, I can see we're getting a lot of 600, but there's one of 591. You can go ahead and make this easier by clicking sort by Length, go up to the top, and we'll see m.rivera with the password letmein1; that one sticks out as being different. Go ahead and click Complete. As you may have guessed, the request with the shorter response length was made with the valid credentials, a fact we can confirm by attempting to log in with the credentials used in the successful request. Alright, let's go ahead and test it out. Go ahead to Proxy and turn that Intercept off, and we can make a little notepad here with the username and the password. Now when we're going to log in it's going to say invalid username and password, because we just tried 100 usernames and passwords and only one of them seemed to work. So now we can go to our notepad and copy that username (note that these are selected randomly from the list as the machine boots, so they will be different every time you deploy a new instance of the machine) and the password. Make sure the Intercept is off, and there we go. Looks like we have a couple of tickets here. Interesting, looks like they're in the middle of transferring their public website to a VPS package; the server crashed a few minutes ago and they can't bring it back up through the web console. Sounds like they're getting hacked. Well done, you've successfully brute forced the support login page with a credential stuffing attack. Click Completed on that.

In the previous task we gained access to the support system; now it's time to see what we can do with it. The home interface shows us a table of tickets. If we click on any of the rows in the table we get redirected to a page where we can view the full ticket. Looking at the URL we can see that these pages are numbered, the example URL being the IP address, /support/ticket/ and then the ticket number. So what does this mean? The numbering means that we know the tickets aren't being identified by a hard to guess ID; they're simply assigned an integer identifier: /support/ticket/NUMBER. What happens if we use Intruder to fuzz the support ticket number endpoint? One of two things will happen. Number one, the endpoint has been set up correctly to only allow us to view tickets that are assigned to our current user, or number two, the endpoint has not had the correct access control set, which would allow us to read all the existing tickets. If this is the case then the vulnerability called an IDOR (Insecure Direct Object Reference) is present. If you have not checked out the IDOR room, I recommend it; go ahead and click that link here. It's a pretty fun room, and IDOR vulnerabilities are real in web applications today. Let's try fuzzing this endpoint. "Which attack type is best suited for this task?" So we can go ahead and turn Intercept on; if you don't have that traffic, go ahead and turn the Proxy on and then submit another request. Now we can send this to Intruder, and we're going to try an attack type; because it's just one number, I think the Sniper attack would be best suited. Nice. "Configure an appropriate position and payload (the tickets are stored at values between 1 and 100), then start the attack." We're gonna go in here to Payloads and select the payload type Numbers. For the number range we're going to start at 1 and go to 100. For the step we'll put 1, which means it's going to try one after the other; if we did 2 then it would do every other one. And we're gonna leave it as sequential. And before we start our attack, make sure you reposition the payload markers: go ahead and clear off all the payload markers, and right where we're going to try these numbers click Add at the beginning and add another one at the end of that number. Now we can see it's highlighted, and we'll go ahead and start the attack. It'll give you a pop-up saying that Burp Suite Community is throttled; go ahead and click OK anyways and fire away. We can see that the numbers are going in one after the other, trying to see if there's any tickets that are open. We're already starting to see that there's some different statuses and lengths. While that's loading we can go ahead and start to order this by Status, and we can see that there's one, two, three, four tickets that have already popped up with a status code of 200, most likely indicating that there is a ticket waiting for us there. And it looks like five tickets have returned with a status of 200, indicating that they exist. Click Complete on that. Now, either using the Response tab in the attack results window or by looking at each successful (i.e. 200 code) request manually in your browser, find the ticket that contains the flag. Now we could go into the web browser and type in 6, 47 and so on, but we're going to implement a faster method, so we can just click on the Response for each one of these numbers. Number 6 looks like there's a request; doesn't look like anything's there. Number 47, number 57, number 78, doesn't look like anything there. How about we try ticket number 83, and boom, looks like I can save you guys some time: it is in ticket number 83.
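The two triage steps the video just walked through (status codes first, and response length as the fallback when every login answers with a 302, then the plain "which ids returned 200" filter for the ticket-number Sniper run) are reproduced below as an added Python example. It is not code from the video, TryHackMe or PortSwigger; the `Result` tuple, the function names and every result row are my own constructed stand-ins for an Intruder results table, so it runs offline and sends nothing.

```python
"""Triage of Burp Intruder results, as an added example (not code from the video, TryHackMe or PortSwigger).

The two discriminators the video walks through are reproduced here:
  1. status code  - if the responses differ in status, the rare status is the interesting one
                    (the ticket-number Sniper run: 200 for tickets that exist, 302 otherwise);
  2. length       - if every response has the same status (302 for every login attempt), sort by
                    length and look for the row whose length deviates from the rest.
All result rows below are constructed in-memory stand-ins, not real Intruder output.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Result(NamedTuple):
    """One row of an Intruder results table: the payload(s) sent, HTTP status and response length."""
    payload: str
    status: int
    length: int


# Constructed stand-in for the credential-stuffing run: 100 username:password pairs (hypothetical
# names), every attempt answered with a 302 redirect, so status alone cannot separate them.
# Only one row, the constructed pair user42:pass42, comes back with a different length.
CRED_STUFFING_RESULTS: List[Result] = [
    Result(f"user{i:02d}:pass{i:02d}", 302, 591 if i == 42 else 600) for i in range((1), 101)
]

# Constructed stand-in for the Sniper run over /support/ticket/1 .. /support/ticket/100; the ids
# that "exist" here are chosen to match the five hits the video found.
EXISTING_TICKETS = {6, 47, 57, 78, 83}
IDOR_RESULTS: List[Result] = [
    Result(str(i), 200 if i in EXISTING_TICKETS else 302, 1450 + i if i in EXISTING_TICKETS else 215)
    for i in range(1, 101)
]


def status_breakdown(results: List[Result]) -> Dict[int, int]:
    """How many responses carried each status code (the 'sort by Status' view)."""
    return dict(Counter(r.status for r in results))


def length_outliers(results: List[Result], tolerance: int = 0) -> List[Result]:
    """Rows whose response length differs from the most common length by more than `tolerance` bytes.

    This is the 'sort by Length and look at the odd one out' step; the tolerance lets you ignore
    small jitter such as a timestamp embedded in the page.
    """
    lengths = Counter(r.length for r in results)
    modal_length, _ = lengths.most_common(1)[0]
    return [r for r in results if abs(r.length - modal_length) > tolerance]


def triage(results: List[Result]) -> Tuple[str, List[Result]]:
    """Pick the discriminator that actually separates the rows and return the interesting ones.

    Returns ("status", rows) when status codes differ (rows carrying the minority status),
    otherwise ("length", rows) with the length outliers, in the order of preference the video uses.
    """
    statuses = Counter(r.status for r in results)
    if len(statuses) > 1:
        common_status, _ = statuses.most_common(1)[0]
        return "status", [r for r in results if r.status != common_status]
    return "length", length_outliers(results)


if __name__ == "__main__":
    for name, rows in (("credential stuffing", CRED_STUFFING_RESULTS), ("ticket ids", IDOR_RESULTS)):
        kind, hits = triage(rows)
        print(f"{name}: {status_breakdown(rows)} -> discriminated by {kind}: {[h.payload for h in hits]}")
```

The same logic is what you would apply to an exported results table: status first, because it is the cheaper and more reliable signal, and length only when the application answers every attempt identically. From the defending side it is also a reminder that a login form which redirects uniformly but leaks success through a few bytes of response size is still distinguishable to an automated tool.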
we'll go ahead and copy that flag and paste it in cancer is correct nice job I'm using your first sniper number attack in burp Intruder alright let's kick it up a notch to csrf token bypass oh no way I actually said let's crank this up a notch let's kick it up a notch with this extra mile exercise this challenge will be a slightly harder variant of the credential stuffing attack that we carried out a few tasks go only this time there will be measures in place to make brute forcing harder if you are comfortable using burnt macros please feel free to do this challenge blind otherwise read on let's start by catching requests to http 10.10.47.86 forward slash admin forward slash blog and review the response so we'll go ahead and turn the intercept off and then go to the Chromium browser and then after the IP address test go ahead and type in forward slash admin forward slash login and we can go ahead and put it whenever you like here as long as you put something then before we click the login we can go ahead and turn the intercept on and go back and log in should see verbs we lighten up and sure enough we have the login page we have the same username and password field as before but now there's also a session cookie set in the response as well as a CRF cross site request forgery token included in the form as a hidden field if we refresh the page we should see that both of these change with each request this means that we will need to extract valid values for both every time we make a request in other words every time we attempt to log on we will need unique values for the session cookie and login token hidden form input enter macros in many cases we could do this kind of thing using a payload type called recursive grep which would be a lot easier than what we're going to have to do here unfortunately because the web app redirects us back to the login page rather than simply showing us both of our Target parameters we will need to do this the hard way specifically we 
will have to define a macro I.E a short set of repeated actions to be executed before each request this will grab a unique session cookie and a matching login token then substitute them into each request of our attack before we get into the tricky stuff let's deal with what we know once you've gone to the admin login page activated proxy and attempted to log in capture that request and send it to recruiter go ahead and click completed configure the positions the same way as we did for brute forcing the support login set the attack type to be Pitchfork and clear all of the predefined positions and select only the username and password form Fields the other two positions will be handled by our macro and if you scroll to the end of the cookie session you can see that there's a payload markers that you can clear right there and we'll clear that one from the login token we will clear that one from the csrf token and this one from the token then go ahead and click completed now switch over to the payloads sub Tab and load in the same username and password word list we used for the support login attack payloads so make sure for payload set one you go ahead select one and Bash and hosting creds you load the usernames list and for payload set 2 we go ahead and load the passwords list up until this point we have configured Intruder almost the same way as our previous credential stuffing attack this is where things start to get a little more complicated go ahead and click complete it with the username and password parameters handled we now need to find a way to grab the ever-changing login token in session cooking because it seem to change every time we try to load the page unfortunately recursive grip won't work here due to the redirect response so we can't do this entirely within Intruder we will need to build a macro macros allow us to perform the same set of actions repeatedly kind of like burp tweet repeater in this case however we simply want to send a get request to 
forward slash admin forward slash login forward slash fortunately setting this up is a very easy process switch over to the project options tab then the sessions sub tab scroll down to the bottom of the sub tab to the macro section and click the add button the menu that appears will show us our request history if there isn't a get request to 10.10.47.86 forward slash admin forward slash login in the list already navigate to this location in your browser and you should see a suitable request appear in the list and we want the one preferably with a status code of 200 go ahead and click OK finally give the macro a suitable name then click OK again to finish the process also a helpful GIF shown here because there's a lot of steps comparatively speaking click completed now that we have a macro defined we need to set session handling rules that Define how the macro should be used still in the session sub tab of project options scroll up to the session handling rules section and choose to add a new rule a new window will pop up with two tabs in it details and scope we are in the detail tab by default fill an appropriate description then switch over to the scope tab I'll just say use sweet scope in the tools scope section deselect every check box other than Intruder we do not need this rule to apply anywhere else in the URL scope section choose use sweet scope we'll set the macro to only operate on sites that have been added to the global scope this was discussed in burp Basics if you have not set a global scope keep the use custom scope option as default and add the machine IP to the scope in this section how do you know if you have a global scope set now this may seem tricky first it's really not back in burp Suite Basics it was explained that you can set a scope to just capture the traffic that you want to so for our purposes today we may not want to limit traffic we just want to make sure we can at least see the targets traffic regardless of what you have in your 
target scope we should be able to leave the default use custom scope option selected and just add the IP address the machine IP which was populated from clicking the green start machine button in task one a nice helpful gift showing the steps here once you've reached that point click completed now we need to switch back over to the details Tab and look at the rule actions section click the add button this will cause a drop down menu to appear with a list of actions we can add select run a macro from this list in the new window that appears select the macro we created earlier as it stands this macro will now overwrite all of the parameters in our Intruder requests before we send them this is great as it means that we will be getting the login tokens and session cookies added straight into our requests that said we should restrict which parameters and cookies are being updated before we start our attack select update only the following parameters then click the edit button next to the input box below the radio button in the enter a new item text Field title login token with a capital T press add then close so that was for the token now we need to do the same for the session cookie select update only the following cookies then click the relevant edit but enter session in the enter a new item text field press add then close finally press ok to confirm our action if that was a little fast there is a helpful GIF that they've displayed that's showing the process click completed and now in this session handling rule editor go ahead and click OK nice we have added that rule now we'll click completed phew no process you should now have a macro defined that will substitute in the csrf token in session cookie all that's left to do is switch back to Intruder and start the attack note you should be getting 302 status code responses for every request in this attack if you see 403 errors then your macro is not working properly most likely it has to do with not having a global 
scope added which we did in the burp Suite Basics room so for some reason it's not working go ahead and try setting up the use custom scope option as default and add the IP address to the scope in this section for me I'm going to try it start attack okay boom boom boom 302 302 yeah baby go ahead and click completed as with the support login and credential stuffing attack we carried out the response codes here are all the same 302 redirects once again order your responses by length to find the valid credentials your results won't be quite as clear-cut as last time you will see quite a few different response links however the response that indicates a successful login should still stand out as being quite significantly shorter there we go oh Bennett with a length of 654. could this be the former Governor of New Jersey John o'bennett who in January of 2002 served as governor for four days I don't know so for some reason when I tried to enter those Bennett credentials it work what he did was shut off my machines entirely then once your machines were off you can go ahead and reopen try hack me then go to learning dashboard then go back into the burp Suite Intruder room and restart the machine with the green start machine button once that's started you can go ahead and click the blue start attack box button and we'll wait for that IP address to renew nice we got a new IP address okay so now that our machine's loaded we should be able to just open up a web browser any web browser and type in the IP address HTTP coin slash 10.10.21.3 for me it's going to be different for you then once we have that IP address in there with the dots we do forward slash admin forward slash login then one more slash and press enter and we should be brought back to the admin page we should load this I don't know why it does that so I had to turn off the machines close grips would entirely come back into verb suite and then try this again nevertheless once we've done a little troubleshooting 
sure enough if we type in O DOT Ben it for the username and then using a password of b-e-l-l-a1 and click login we have our successful login page looks like the profits for 2021 is displayed and it looks like it's the opposite of the stock market right now we have Pony the admins account using a burp Suite Intruder Pitchfork attack and we were able to use macros to substitute the token and the session cookie that's pretty impressive guys especially if you're just a beginner give yourself a pat on the back and go ahead and click complete and sometimes for whatever reason it just helps to take a break and come back to it maybe the next day I don't know how but sometimes it'll work you have now completed the Intruder room this room looked at how to use the Intruder aspect of the group Suite framework when automating requests you should now be comfortable using Intruder in its various attack types when attacking a web application should also be comfortable with the concept of using macros to extend the functionality of burp the examples given here are only the tip of the iceberg shooter can be used anytime you need to automate request your imagination is the limit in the Next Room of the module we'll be looking at some of burp Suites lesser known module so I invite you to stick around for that for now click completed on I can use Intruder and time for the bonus question use Intruder to automate the column enumeration of the Union SQL I and the repeater extra mile exercise if we click that link will be sent back to the burp Suite repeater room which we just did in the last episode but now we have a new trick up Our Sleeve go to task 8 SQL I with repeater the extra mile task to refresh you guys memory there is a union SQL injection vulnerability in the ID parameter of the slash about Slash ID endpoint we're going to find this vulnerability and execute an attack to retrieve the notes about the CEO stored in the database but we're going to use a little trick up Our Sleeve 
now we have burp Suite Intruders to use to automate and speed up a little bit more of these tasks we know that there's a vulnerability and we know where it is now we just need to exploit it for this room make sure you go up here to the Task 1 and start the machine with the green start machine button that will give us the IP address here in task 8. if you have not gone through the burp Suite repeater room yet I encourage you to because it shows the traditional methods of performing an attack like this as SQL y injection attack with repeater we have Bert Suite Intruder we have a new toy to play with and this should go a little smoother okay so now we can go ahead and open up burp Suite temporary project for defaults if you haven't done so already go to Project options Miss allow the embedded browser to run without a Sandbox then go to proxy and open a browser now we'll type in the IP address HTTP coin slash slash 10.10.248.127 forward slash about four slash two once you press enter you should get some action and burps we do not here's our request usually all you have to do is just put an apostrophe at the end of the URL and this should cause a server to error if it has a sqli that's present and I'll send it to repeat it to demonstrate just that and when we hit send sure enough the response gives a 500 internal server error and this responds and repeater gives us some useful information the database table we're selecting from is called people in the query selecting five columns a first name last name pfp link Rule and buy we can guess where these fit into the page which will be helpful for when we choose where to place our responses now if you remember from the lesson once we found the table name and column rows we used a union query to select the column names for the people table from The Columns table in the information schema default database this simple query let us know that we were able to return the First Column Name ID which had been inserted into the page 
title but we wanted to see all the columns so we used the group concat function to amalgamate all the column names into a single output we successfully identified the eight column names on the table ID first name last name pfp link rule short rule bio and notes once we've identified the eight column names they give us our Target column which is note which is in the table people however they give us the ID of the CEO which is one we can find that by simply clicking on Jameson Wolf's profile on the about page and checking the ID in the URL this has given us information not just on James and wolf but on all of these execs Olivia Parsons the Chief Information officer has an ID of two the CTO has an ID of three cfo4 605 and the chief strategy officer with a six however what if it didn't show James Wolfe's ID we could craft a query an intruder to automate that task so we can hop back over to Intruder once we've sent that request to Intruder from the proxy we could craft a query saying get forward slash about forward slash zero Union select notes the notes column and then null then we'll put four null columns to avoid the query from erroring out then we're gonna do a space from from the people table where the ID equals one now this is where Intruder comes in right before the one will add a payload marker and after the one we will add a paler marker so this will test numerically the ID for everyone in that people's table and request their notes make sure that you chosen a sniper attack and for payloads payload type go to numbers and we're going to go from 1 to 300 and for each step we'll just do one at a time now if we go back to positions now we can go ahead and click Start attack I'm gonna give you that error message just click OK going through each ID numerically in that people's table and requesting their notes and right off the bat we can see that the first six entries all have the status code of 200 which means I guess a page exists there however of the links only 
one has a length that's different from the other five this would be request with ID 1 which has a length of 3619 compared to three five four five and sure enough if we click the response tab we can go ahead and see that the flag is there so you can go back to the brute completed nice job guys you have completed the burp tweet and trim River give yourself fat on the back I said you guys are learning some pretty cool stuff you use tools today like the slacker to individually scope in on a specific parameter the battering ram to just try everything at one to pitch for to do a new name and password at the same time and the cluster bomb which goes through and tries pretty much every combination to every parade overall Intruder is a helpful tool in automating web application pen testing tabs so it may be a good idea to get familiar with it we're all adults here the video if you like it subscribe if you want to see more you've completed the room so you can go ahead and share this on social media with your friends I'm Rob from broadcast security and I'll see you in the next room where we're going to go over books with other modules we're going to cover things like the decoder the compare in Sequel Securities it's gonna be pretty fun so we'll see in the next lesson and for now keep hustling and take care
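A defender's counterpart to the walkthrough above, added here and not part of the video or the TryHackMe room: Python that scans web-server access-log lines for the footprint the two Intruder runs leave behind, a single client stepping through /support/ticket/<n> IDs (the IDOR probe) and a burst of POSTs to /admin/login (the Pitchfork credential-stuffing run). The log lines, client IPs, paths, window size and thresholds are all constructed assumptions, not data from the lab.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Combined Log Format), not from the video's
# lab: 10.0.0.5 walks /support/ticket/1..5 within seconds, as a Sniper "Numbers"
# payload with step 1 does, then posts to /admin/login in a tight burst.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Mar/2023:10:00:01 +0000] "GET /support/ticket/1 HTTP/1.1" 403 512
10.0.0.5 - - [29/Mar/2023:10:00:01 +0000] "GET /support/ticket/2 HTTP/1.1" 403 512
10.0.0.5 - - [29/Mar/2023:10:00:02 +0000] "GET /support/ticket/3 HTTP/1.1" 200 1843
10.0.0.5 - - [29/Mar/2023:10:00:02 +0000] "GET /support/ticket/4 HTTP/1.1" 403 512
10.0.0.5 - - [29/Mar/2023:10:00:03 +0000] "GET /support/ticket/5 HTTP/1.1" 200 1901
10.0.0.9 - - [29/Mar/2023:10:00:05 +0000] "GET /support/ticket/42 HTTP/1.1" 200 1790
10.0.0.5 - - [29/Mar/2023:10:01:10 +0000] "POST /admin/login/ HTTP/1.1" 302 331
10.0.0.5 - - [29/Mar/2023:10:01:10 +0000] "POST /admin/login/ HTTP/1.1" 302 331
10.0.0.5 - - [29/Mar/2023:10:01:11 +0000] "POST /admin/login/ HTTP/1.1" 302 331
10.0.0.5 - - [29/Mar/2023:10:01:11 +0000] "POST /admin/login/ HTTP/1.1" 302 331
10.0.0.5 - - [29/Mar/2023:10:01:12 +0000] "POST /admin/login/ HTTP/1.1" 302 654
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
TICKET_RE = re.compile(r"^/support/ticket/(\d+)/?$")

def parse_log(text):
    """Parse log lines into dicts (ip, ts as datetime, method, path, status, n)."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # malformed lines are skipped rather than crashing the scan
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            e["status"], e["n"] = int(e["status"]), len(entries)
            entries.append(e)
    return entries

def _burst_keys(events, window_s, min_count):
    """events: (ts, key) pairs. Distinct keys in the first sliding window of
    window_s seconds that holds >= min_count of them, else an empty set."""
    events, window = sorted(events), timedelta(seconds=window_s)
    for i, (start, _) in enumerate(events):
        seen = {k for t, k in events[i:] if t - start <= window}
        if len(seen) >= min_count:
            return seen
    return set()

def find_bursts(entries, key_of, min_count=5, window_s=60):
    """{ip: sorted keys} for clients whose requests yield >= min_count distinct keys
    (chosen by key_of; None means 'not of interest') within window_s seconds."""
    per_ip = defaultdict(list)
    for e in entries:
        k = key_of(e)
        if k is not None:
            per_ip[e["ip"]].append((e["ts"], k))
    hits = {ip: sorted(_burst_keys(ev, window_s, min_count)) for ip, ev in per_ip.items()}
    return {ip: ks for ip, ks in hits.items() if ks}

def ticket_id(e):
    """IDOR-probe key: the integer in /support/ticket/<n>; 403 responses count as probes too."""
    m = TICKET_RE.match(e["path"])
    return int(m.group(1)) if m else None

def login_post(e):
    """Credential-stuffing key: each POST to /admin/login is a distinct event."""
    return e["n"] if e["method"] == "POST" and e["path"].rstrip("/") == "/admin/login" else None
```

Run `find_bursts(parse_log(SAMPLE_LOG), ticket_id)` and `find_bursts(parse_log(SAMPLE_LOG), login_post)` to see only 10.0.0.5 flagged; the 403s matter because a scan of IDs the caller does not own is exactly what a correctly access-controlled endpoint leaves in the log.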
Info
Channel: Brock Rosen
Views: 5,794
Keywords: penetration testing, jrpenetrationtster, pentester, howto, introduction, burp suite, burpsuite, burp, beginner, free course, foundation, ethical hacking, cybersecurity, web app pentesting, webapp, cyber security, how to hack, junior, free, training, what is intruder?, what is burp suite?, community, tutorial, attack types, intruder positions, sniper, battering ram, pitchfork, cluster bomb, intruder payloads, challenge, csrf token bypass, example, conclusion, bonus, answers, explained, walkthrough
Id: eaOk-N1UQuU
Length: 47min 23sec (2843 seconds)
Published: Wed Mar 29 2023