Next Level API Hacking with Kiterunner

Captions
Modern web applications have moved on from serving files stored in a neat hierarchy on a web server, and whilst brute forcing has become a lot faster, we need an effective way of discovering routes, not just single directories and files using recursion. Kiterunner is a tool that enables us to do this. It's both fast and can be used to discover routes and endpoints in modern applications. It also comes with custom wordlists collected from a variety of sources, which is a crucial part of our discovery process. So today we'll run through how to get this tool set up on your machine and get started with some scans against a set of APIs. You'll then be able to use this tool in your next web app pentest or against your next bug bounty targets. As always, if you enjoy the video, don't forget to like and subscribe, and let's dive in.

So first up, let's run through how we can get Kiterunner set up and running on your Kali instance. I'm just going to come to assetnote/kiterunner, so this is the GitHub repository, and if we scroll down it looks like there are a couple of different ways to install. We can download the latest release, which is probably the easiest way and that's what we're going to do in a second, or we can build from source, and if you're using Arch you can use yay to install Kiterunner as well. So if we scroll back up and come to Releases, we see the list of releases here, and these are for different architectures. If you don't know what architecture you're running, you can just come back to the command line and do dpkg --print-architecture, and you can see that I'm running amd64, so I will grab the one that says kiterunner_1.0.2_linux_amd64.tar.gz. I'll just click on it, click Save and give it a second to download.

So I'm back here in a folder called kiterunner that I just created. I'm just going to move ../kiterunner, the file that we downloaded, into this folder, and then I'm going to unzip it, so we can just do tar -xf and the file name. This will extract the file, and as you can see we have this Kiterunner binary. Now that we have the binary, I'm actually just going to move it to my /opt folder where I keep most of my tools: sudo mv kr /opt/kr. And then also I'm going to add a link so that I don't have to type /opt/kr to access it every time I want to run it; I just want to be able to type kr and have it run Kiterunner. So sudo ln -s /opt/kr, and then we're going to put it in /usr/local/bin/kr. So now when I type kr from anywhere in my file system it's going to execute this binary.

Next up we can look at some help. If we just run it as it is, we can see some available commands, and then I think if we just do kr scan help it will give us the breakdown of help for that particular command. The help is actually really, really good and has a lot of functionality, so I recommend you take a little bit of time to glance through and have a look to see what different flags there are and what they mean.

So now we actually want to run Kiterunner against a set of APIs. What I'm going to do is come over to my labs and my items and sudo docker compose up. If you've been following our live streams, you'll be fairly familiar with this application, and you'll know that it has a ton of API endpoints and lots of them are vulnerable to common attacks. So to start with, I want to look at what wordlists are available: kr wordlist list. You can see we have the alias, the file name, the source, how large it is (the file size), and whether it's cached or not. The one that jumps out is apiroutes. This is what we want to discover: because we're going to be attacking a set of APIs, we want to be able to discover what routes are available to us so that we can go ahead and assess them. But there are plenty of wordlists in here for you to get started with. So our basic scan will look something like this: kr scan http://localhost -A and the list that we want to use. As you can see, we're getting quite a lot of results already, and some of them are coming up in red because they're 500s, some of them are coming up as 403s, 404s, etc. We'll give that a second to run and then we'll take a closer look.

So now our scan is complete. We found that a lot of them come back as 500s, and we need to think to ourselves: what do these endpoints do? Are they authenticated? Do they require a parameter or some kind of data? Is it just because at the moment we're only looking at GET requests? What we can do is come in and take a closer look. So for example, we'll just copy this, paste it into our browser, and we get "access denied, this endpoint is accessible only from localhost". So unless we have something like server-side request forgery, we can maybe take that out of our scope, but add it to our notes for later. Then we also have /api/items, and then we have this /trending. This came back as a 500, and we can see that we just get a server error for this, but maybe if we do just /items we get "cannot GET /items". So this is giving us an indication of the structure of the APIs even if we don't have specific endpoints to play with just yet.

Now, because this is a lot of results to filter through, I'm actually going to run the same attack again, and all I'm going to do is add --ignore-length and ignore the length of 24, so all of these 500s should be filtered out. OK, so now this is done, and if we scroll up we can see that we got this 200 OK. So let's take a quick look at this, and we get a ton of data back. So this is an interesting finding and something that we should definitely dive into. We also see some authenticate and registration endpoints that we might want to take a closer look at, and we can see that the common structure is /api and then we have /users, the root, /dev, /admin and /items as well.

So doing this manually with some brute force tool and just relying on recursion might not lead to the same results, because /api/users might just give a 404 Not Found, whereas /api/users/something else might give a result. This highlights the fact that we can't just go directory by directory or file by file down the chain; we actually need to think about the full path or the full route to be able to get results. Also, looking at the content length again, a lot of these are probably false positives. Here we have the /api/users refresh token endpoint, and you can see that the length is 26, and this is similar to a lot of other similar endpoints. If we take a quick look at this, we get "user not found". So once again we can ignore content lengths 24 and 26. We don't need to wait for this to finish entirely, but you can see that again we're filtering down the results even more so that we can start looking at endpoints that are actually meaningful, and then we can also start moving on to things like POST requests, PUT requests, DELETE requests, etc.

So that's it for this video. Once again, you can join us on the live stream on Tuesdays, where we do loads of web app hacking and practical API hacking too. You can also catch the past live streams over on YouTube under the Live tab. Once again, if you enjoyed the video, don't forget to like and subscribe, and I'll catch you next time.
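The two-pass triage the video walks through (scan, re-run ignoring the content lengths of generic error bodies, then read the /api/<family> structure off what survives) can be reproduced offline against saved scanner output from an authorised lab scan. This is an added example, not code from the video or from the Kiterunner project; it assumes a constructed output layout (METHOD STATUS [length, words, lines] URL) and constructed sample lines, not a real scan.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape of Kiterunner's scan output; the column layout
# (METHOD STATUS [length, words, lines] URL) is an assumption, not captured output.
SAMPLE_OUTPUT = """\
GET 500 [  24,   1,   1] http://localhost/api/items/trending
GET 500 [  24,   1,   1] http://localhost/api/admin/stats
GET 200 [1856,  93,  42] http://localhost/api/items
GET 500 [  26,   1,   1] http://localhost/api/users/refresh-token
GET 403 [  64,  12,   1] http://localhost/api/dev/debug
GET 200 [ 412,  33,   9] http://localhost/api/users/authenticate
"""

LINE_RE = re.compile(r"^(\w+)\s+(\d{3})\s+\[\s*(\d+),\s*(\d+),\s*(\d+)\]\s+(\S+)")

def parse_line(line):
    """Return one result as a dict, or None for lines that are not results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, status, length, words, lines, url = m.groups()
    return {"method": method, "status": int(status), "length": int(length),
            "url": url, "path": urlsplit(url).path}

def filter_results(lines, ignore_lengths=(24, 26)):
    """Drop responses whose body length matches a known generic error page.
    Mirrors re-running the scan with --ignore-length for 24 and 26: a fixed-size
    "server error" or "user not found" body says nothing about the route itself."""
    return [r for r in map(parse_line, lines)
            if r is not None and r["length"] not in ignore_lengths]

def route_families(results):
    """Group surviving paths by their first two segments, e.g. /api/users.
    /api/users alone may 404 while /api/users/<action> answers, so the prefix,
    not any single directory level, is the unit worth reviewing."""
    families = defaultdict(list)
    for r in results:
        parts = r["path"].strip("/").split("/")
        families["/" + "/".join(parts[:2])].append(r["path"])
    return {k: sorted(v) for k, v in families.items()}

if __name__ == "__main__":
    kept = filter_results(SAMPLE_OUTPUT.splitlines())
    for family, paths in sorted(route_families(kept).items()):
        print(family, "->", ", ".join(paths))
```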
Info
Channel: The Cyber Mentor
Views: 22,147
Id: A5iva21ZfA8
Length: 8min 1sec (481 seconds)
Published: Mon Jun 05 2023