Configuring Burp + FoxyProxy + Firefox

Captions
Hey, this is 0xdf, and today I'm looking at Burp Suite and FoxyProxy, and how I use them together to go after a web target on Hack The Box or otherwise. Burp is an incredibly powerful tool. It's a web proxy, so the idea is that I will have Firefox send all my traffic through Burp, and it can record, modify, change, hold for me, and interact in different ways with these web requests; then the responses come back and it also records and potentially modifies those. I'm not going to do an overview of Burp; there's a ton of great resources on the internet about how to use Burp. I just wanted to show how I set things up so that it's easiest for me, and so that when you read a blog post and you see me saying "oh, I noticed in Burp that..." or "I then kicked it over to Repeater and did this", you have some idea what I'm talking about. So with that, I'll get started.

If you're running a distribution like Parrot or Kali, Burp will be pre-installed. I'm actually setting up a new Ubuntu VM today. I've already installed Burp, but just to show you, it's super easy: search for Burp Suite on Google, grab this PortSwigger link here, under Products, Community Edition. There are paid editions; they have lots of features that I don't use but I'm sure could be very valuable, but the Community Edition works fine for me. Click here, you can get the download, and you're going to get a .sh script to run and install it. Once you're done and you run that, it'll show up here in the menu; if I search for Burp it'll come up right here. Because I basically am using Burp at all times (if I'm doing anything with Hack The Box, for example, it's going to run through Burp), I basically always have Burp running. I can grab it here and drag it up and drop it in my quick launch bar, and I can launch it from there. Because I'm using the free version, Temporary Project is my only option here. Burp defaults works fine.

Burp has really tiny text by default. I actually came in here under User Options, Display, and upped those to this kind of larger font; hopefully it's visible to you on YouTube. It makes it look a little bit awkward and compressed in places; it's not meant to be run with such big text, but I think it's better that way, so just be aware of that.

There's a few windows that I really use when I'm looking at Burp. The first one is the Proxy. This is the guts of what Burp is: it is a proxy. Here on the Intercept window, if I go to visit a website and Intercept is turned on, it'll actually catch the request right here and hold it until I click Drop or Forward, or I can modify it and then click one of those as well. Right now Intercept is off; if I click this button it's now on, so it's as easy as that button to turn it on and off. One of the things: by default, Burp always starts up with Intercept on. It actually drives me crazy, because I will often forget about it, be trying to load a website, going "why is this website not loading, why is it taking so long", and then finally I remember it's in Burp. So under User Options, Misc, you can come down here under Proxy Interception, and I have "enable interception at startup" set to "always disable"; the default is "always enabled". You do whatever you like; I'm just making you aware that it's there. So that's the Intercept window.

The HTTP History window is probably where I spend most of my time. As I start to make requests to websites they'll show up in here, and I'll give you a demo in a minute. If you ever are dealing with WebSockets, the WebSocket History is useful. It's worth being aware of the Proxy Options as well. By default there is a single listener that is listening on localhost 8080, but I could add another one, and you can do different things with different listeners. By default there's no redirect, but I could set up a redirect, I guess is the point. If I wanted to have a listener that went through Burp and then everything got sent to this one port on this one host, I can do that; I would just put it in here and then it would override. Then I could just send my request directly to that listening port on localhost and it would go through to the target. By leaving no redirection, basically, I have to have Firefox or my script proxying through Burp, and then it handles where the request is actually intending to go. Hopefully that makes sense. So I don't need to add a new listener here. There are other cool things you can do here in the options: you can intercept client requests or server responses and make modifications. Oh, see, here's where you do that; here's where you pick what gets intercepted. There's modifications as well to responses, etc. You can do a match and replace. There's been times in the past where the site is sending back a 302 but it's also sending back the full page, and so maybe I just want to replace "302 Found" with "200 OK" and then I've faked it as if I bypassed the login. You could do that here in Match and Replace.

The other window that I use a lot is the Repeater window. I can come back here, either at an intercepted request or in the HTTP History (and I'll show an example of this later), grab it and send it over to Repeater, and then here I can send the same request over and over again. Let's say I want to test for SQL injection: I can try adding a single quote. Or you can start to build out your command injection, or once you get a command injection working you can change the command, run it again and see the output, and really quickly see the results of different commands. So the Repeater window is really useful for that. So there's my quick two-minute overview of Burp.

What I really wanted to show today is how I get to Burp. In Firefox you can go into the settings (you're probably never going to do this, but just so you're aware of the core functionality), search for "proxy" and come here, and you can manually configure a proxy. You can say, send my HTTP requests through this HTTP proxy, localhost port 8080. You can say also send my HTTPS requests through the same one, or I can set up a separate one for just HTTPS. It is important to note this HTTPS traffic is still going to an HTTP URL, because Burp is going to receive it on the non-secure version and then, if it's meant to go HTTPS, it'll wrap it up and send it over TLS as necessary. Either way, the Burp listener is not speaking HTTPS, so you don't want to get confused there. All of that said, it doesn't matter for here, because you're not going to use this. You could set it this way, but then it's used for everything you're using in Firefox. If you try to go to Google, Google hates being proxied and it's going to complain; it's going to not work, it's going to look terrible, you're going to come back in here, you're going to turn it off. It's a lot of steps to do.

So with that in mind, we're going to use FoxyProxy. We'll go to FoxyProxy here. This is a Firefox plugin; there's Chrome versions as well. I will add it here. It was added, great. Close this, close this. By default right now, if I click on FoxyProxy up here at the top, there's nothing here; there are no proxies, so I need to configure it. I'll click on the Options, come here, click Add, and create a new proxy. I'll call it "burp". It's an HTTP proxy, the address is 127.0.0.1, the port is 8080. I don't need to use a name or password, and I can save.

This is where a lot of people get to. I mean, I think almost everyone uses FoxyProxy or something like it if they're using Burp, but a lot of people stop right here. And I can see right now I made a typo: it's not 127.27, although that would probably work. Let's save that there. What I can do with just this much so far is I can come here and say, okay, I want to go to Google. Okay, now I want to go to Google through Burp; let's watch it yell. It does not like this, and Google doesn't even let you advance and go through. What happened is that now that my request is being intercepted, Google's detecting that the TLS is being broken. It does not like that; it's very sensitive to that, and it's saying no, this isn't safe. So I can turn it back off and Ctrl+Shift+R to refresh, and I'm back in Google. I don't know how I got "seasonal holidays" in there, but great, I'm at Google, that works.

But for me, what I like to do is configure this a little bit more and use this top option, "Use enabled proxies by patterns and order". What you've got to do is come in here, and for each proxy that you have set up there's a Patterns option. You can come in here, and what this is going to do is I'm going to define when I use Burp and when I don't. There's a weird bug here: you have to add all the rows you're going to add before you start typing. If you fill in one and then click Add, it resets it. I can't explain why, but the trick is to just add a bunch of rows and then start typing. So let's say I've got Hack The Box. I'm going to take anything that's 10.10.10.* (this is a wildcard; there is more complicated regular expression support, I've had not great luck with it, so I'm just going to stick with these kind of blunt wildcard expressions; you do need a star on the front). I want it to intercept all HTTP and HTTPS, and I want it to be enabled. So that one looks good. I have another one I'll call "htb", and this time I'll do 10.10.11.*, because we've overrun the 10.10.10 IP space. Let's see, now I've got some Hack The Box DHCP servers, so if you ever do Release Arena, or if you pay for VIP+, you might get something in the 10.10.129 area, so we'll make sure to add that in here. And then I'm going to have a Hack The Box URL, or I guess not URLs but domains, and so I'll do *.htb*, and so now anything that's matching that will come through. When I was doing OSCP I had a whole set of patterns in here for OSCP stuff that I wanted to go through Burp, and I specifically had a blacklist entry for some of the stuff I didn't want to go through, like the dashboard (I think that's what they call it) that controls machines and stuff. So you can set up as many of these as you want, and when you're done you hit Save.

Now I'm back here, I'm on "enabled by patterns", and if I just go to cnn.com, a major website, it loads just fine. This is not the most reliable, but it shows red here because it's not actually using FoxyProxy, and if I look in Burp under the proxy history, there's no history. Let me real quick just clear out some history to make sure I don't have any cache here. I've got the Seal web box fired up in Hack The Box; it was recently retired. I believe it's .250 and I believe it's an HTTPS site. So I'm going to get my normal HTTPS warning: it doesn't like the certificate. I've come down here, and it's interesting, I can actually view the certificate and it's using a PortSwigger (that's the company that makes Burp) certificate, but it's also showing the seal.htb site as well. So you can actually add the PortSwigger certificates to Firefox so they don't show up here, but I'll Accept the Risk and Continue for now. And you can see right away, as the site is loading, the history is populating. I'll come back to that in a minute.

What's cool about this is now what I can do is just come here and click around on this website. That didn't really do anything. Here's a Contact Us page: it's my name, 0xdf, 0xdf co, hackthebox, numbers, and let's see if we can cross-site script, a bold tag like that, and send. All right, I don't see anything about whether that's sent or not, but that'll be fine for now. Let's see, enter my 0xdf at aol.com. Okay, nothing particularly interesting there. Let's see, here's another form; interact with it, "beans", and we'll add a single quote to see if we can catch some sort of SQL injection. So now I can come here and browse on this site and explore it, try to manually spider it until I feel like I've seen everything there is to offer, and then I'm going to come back here and go look at the HTTP History. Right away, I'm often looking for POST requests, because that's probably what those forms were filling in, and I actually don't see any POST requests in here, but I see these GET requests: here's vegetable=green beans, and here's enter your email=0xdf at aol.com, and this one seems to have the full form in it. For any one of these I can click on it and come down here (and again, large text makes this kind of awkward), but you can see here's the request, the HTTP GET request that was sent, and here's the response that came back. So when in one of my blog posts I say "oh look, let's look at the tech stack and look at the headers and see what we find", I'm probably looking at what kind of headers were coming back as I was scrolling around. And so here's my nginx header; I'm sure nmap picked that up, but there might be other interesting things here. I might be looking for a cookie getting set, or a cookie being sent that would have been set somewhere. This is probably not the best example, because there's not actually anything, as far as I know, exploitable on this website, but I can get a feel for things.

I can also look and say, oh, I want to look at those form submits. It looks like all of them are going to "?" and then vegetable=green beans, enter your email=this, and right away I can notice all of them are returning the same length: 19966, 19966, 19966, which is the same length as just requesting the root on its own. There's no guarantee that means the server's not doing anything with it, but it does mean the server is sending back the same page either way, and that's a pretty good indicator, especially in a Hack The Box context, that this is a dead form that's just sort of there to look nice but it's not actually implemented. But let's say I wanted to check it further. So I've got this vegetable search, right? If I right click anywhere in here and do Send to Repeater and go over to Repeater, now I get the request here and the response over here. I can send this and look at the response. I can say, okay, what if I wanted to check for a command injection? I don't know why command injection would be here, but let's just see if it could happen. So I could do a ping -c 1 10.10.14.6 and send this and see what happens. I get a 505 error; that's interesting. It's probably because I need to URL encode this: highlight that and push Ctrl+U to URL encode, send that again, and now I'm getting back a 200. And so I could open up tcpdump, sudo tcpdump -i tun0 icmp, so I'm just filtering on ICMP traffic, and I could send this, and make that really big, and nothing; I didn't get pings back. If I'd gotten pings back you would have seen it. It would have looked like, let's say 10.10.14.6, so here you see, in this case, pings coming in. So that's a long way of saying there's no command injection here, which is not surprising; if you've done this box you'd know that. But the point is you can do those kinds of tests here very quickly and you can look for responses. We can see that even with this command injection we're still seeing exactly 19966 bytes. We could check for, let's see, what about a double quote? Okay, we got a 400 Bad Request and we're getting actual errors here, which I wasn't actually expecting: it's an invalid character in the request target. So just with this I can get some information about that. It's using this Coyote package; this is a Java application. Those all might be somewhat interesting in my enumeration; not the point of this talk or video. I'm guessing if I URL encode this (what is it, %22) and resend, now I'm back to 200. So it was just throwing an error, it wasn't actually doing anything with it; it was in the pre-processing that was causing that to be an error. But anyway, that's not the point.

The point is, because I've got these patterns set up, nmap shows me there's a web server, I go right there in Firefox, I can play around a little bit, and then all my history is saved for me. "What have I been doing? Oh okay, it's right here." I can go through and look for interesting requests, go through and look at the headers, look for what might be going on, and it's there, and I don't have to think about it or set it up. The one caveat to that is that Burp will break things occasionally, so it's always worth having in the back of your head that if something's not working like you expect, try turning Burp off and trying again. Some WordPress sites load really funny through Burp sometimes. The one that really gets me, has gotten me twice: NTLM authentication on a Windows server breaks in Burp. I do not know why, but it does. And so if you think "I should be able to authenticate to this site, but it's not popping a request for auth; I'm giving it the right creds but it's not loading", try turning Burp off and running it again, because you'll waste a lot of time doing that. It's very rare, but it's at least worth being aware of. So with that, set up FoxyProxy; it's awesome. Go and spend the few extra minutes, configure your patterns so you don't have to worry about it, and it's totally worth it. Thanks for sticking around till the end, and I will talk to you next time.
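As an added example (not code from the video, FoxyProxy or Burp), here is a small model of FoxyProxy's "use enabled proxies by patterns and order" routing, using the wildcard patterns configured in the video plus an exclude entry like the blacklist mentioned for a lab dashboard; the dashboard hostname is a constructed placeholder, and matching against the URL's host is an assumption of this model.

```python
"""Pattern-and-order proxy routing in the style of FoxyProxy (added example)."""
import re
from urllib.parse import urlsplit

# Burp's default listener: plain HTTP on 127.0.0.1:8080.  HTTPS traffic is
# sent to the same http:// proxy URL; Burp terminates TLS toward the browser
# and re-wraps it toward the target, so the listener itself never speaks TLS.
BURP = "http://127.0.0.1:8080"

# (label, wildcard pattern, kind, enabled), tried top to bottom.  The exclude
# entry mirrors a blacklist for a lab dashboard; its hostname is constructed.
PATTERNS = [
    ("lab dashboard", "dashboard.example-lab.invalid", "exclude", True),
    ("htb 10.10.10", "10.10.10.*", "include", True),
    ("htb 10.10.11", "10.10.11.*", "include", True),
    ("htb dhcp", "10.10.129.*", "include", True),
    ("htb domains", "*.htb*", "include", True),
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """'*' matches any run of characters, '?' one character, everything
    else is literal; anchored at both ends and case-insensitive."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{body}$", re.IGNORECASE)


def proxy_for(url: str):
    """Return (label, proxies): proxies is the dict you would hand to
    requests.get(url, proxies=...); an empty dict means connect direct."""
    host = urlsplit(url).hostname or ""          # hostname is lowercased
    for label, pattern, kind, enabled in PATTERNS:
        if not enabled or not wildcard_to_regex(pattern).match(host):
            continue
        if kind == "exclude":
            return None, {}                      # blacklist hit: never via Burp
        return label, {"http": BURP, "https": BURP}
    return None, {}                              # no match: Burp never sees it


if __name__ == "__main__":
    for u in ("https://10.10.10.250/", "https://seal.htb/contact",
              "https://www.google.com/", "http://10.10.129.40:8080/login"):
        print(u, "->", proxy_for(u)[0] or "direct")
```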
Info
Channel: 0xdf
Views: 480
Id: iTm33Miymdg
Length: 18min 59sec (1139 seconds)
Published: Tue Nov 30 2021