The Kali OS GUI instance is web hosted on the INE website, where:
- The bWAPP web application is accessible at
demo.ine.local
domain.- Info on bWAPP insecure web app here.
📌 Another deliberately vulnerable open-source web app is Mutillidae II. INE provides another similar lab with Mutillidae II to test and learn Burp Suite.
Objective: User Burp Suite and explore its different functionalities as Site Map, Proxy history, scope, Repeater, basic directory enumeration attack with Intruder.
Tools used:
-
Burp Suite
-
A web browser
-
Wordlist:
/usr/share/wordlists/dirb/common.txt
-
Check if the provided machine is reachable:
ping demo.ine.local
- Scan for open ports:
nmap demo.ine.local
- For a more advanced scan:
nmap -sC -sV demo.ine.local
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 19:55 IST
Nmap scan report for demo.ine.local (192.79.113.3)
Host is up (0.0000080s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-git:
| 192.79.113.3:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Remotes:
|_ https://github.com/fermayo/hello-world-lamp.git
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-robots.txt: 5 disallowed entries
|_/ /admin/ /documents/ /images/ /passwords/
| http-title: bWAPP - Login
|_Requested resource was login.php
|_http-server-header: Apache/2.4.7 (Ubuntu)
3306/tcp open mysql MySQL 5.5.47-0ubuntu0.14.04.1
| mysql-info:
| Protocol: 10
| Version: 5.5.47-0ubuntu0.14.04.1
| Thread ID: 10
| Capabilities flags: 63487
| Some Capabilities: ODBCClient, InteractiveClient, IgnoreSigpipes, SupportsCompression, DontAllowDatabaseTableColumn, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolOld, SupportsTransactions, FoundRows, LongPassword, SupportsLoadDataLocal, Support41Auth, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: AsA)Gjb.[aT`hhRB4|54
|_ Auth Plugin Name: mysql_native_password
MAC Address: 02:42:C0:4F:71:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds
Ports 80 (HTTP) and 3306 (MySQL) are open.
- Start BurpSuite via the GUI or via terminal (
burpsuite
) and create a temporary project with default configurations. - Configure Proxy listener inside Proxy - Options window.
- Turn Intercept mode on from the Proxy - Intercept window.
- Use the Burp's embedded browser or configure external browser to use the Burp proxy (FoxyProxy plugin used in this case)
- Browse to
http://demo.ine.local/
- The page doesn't load, because the request is forwarded to the Burp proxy listener.
- Proxy - Intercept tabs are marked with orange. The proxy is waiting for an action.
Forward
option - send the request as isDrop
option - drop the intercepted requestAction
option - tamper with the request
- Forwarding this request, other
GET /portal.php HTTP/1.1
andGET /login.php HTTP/1.1
request are being made, until the webpage is shown.
- Turn off intercept mode by clicking on the
Intercept is on
button, the web page will load without interception. - Since Burp proxy is enabled in the browser, every request still get logged in the Proxy - HTTP history tab.
- other Firefox requests are listed, use the Host column to sort the list.
📕 The site map aggregates all of the information that Burp has gathered about applications. You can filter and annotate this information to help manage it, and also use the site map to drive your testing workflow.
- A site map is built when Burp proxy intercepts the requests, check it in the Target - Site map tab.
- targets
- list of resources
- requests & responses for those resources
- Interested target web app can be configured in the Target - Scope tab.
- Add the URL to the target scope via the
Add
button or by right-clicking +Add to scope
option in the Site Map list.
- Add the URL to the target scope via the
- Out-of-scope Proxy traffic is disabled, so URLs with different prefix than the target are not logged in the HTTP history.
- Burp intruder can be configured to launch a Directory Enumeration attack.
- Right click a request in the HTTP history tab and send it to the Intruder (
CTRL+I
). - Target fields are already been set.
- Clean Payload Position with
Clear §
button in the Intruder - Positions tab, removing all the § markers from the payload.
- Right click a request in the HTTP history tab and send it to the Intruder (
- Modify the payload by setting a
§path§
variable with theAdd §
button.- This will make the Intruder send GET requests to many locations, supplied next with a wordlist.
-
Specify the wordlist in the Intruder - Payloads - Payload Options section:
- BurpSuite Community Edition = time throttled attacks!
- Enter the next new items, some knownd words (e.g. from the
http://demo.ine.local/robots.txt
file):
admin documents images passwords
- Load a wordlist using the
Load ...
button - /usr/share/wordlists/dirb/common.txt
- Add a Payload Processing rule, in this case prepending a forward slash (/) to all the accessed resources.
- Uncheck
URL-encode ...
in the Payload Encoding to make Burp not encode the payload (including the /).
- From the Intruder - Options - Redirection section, configure the intruder to always follow redirections.
- Launch the attack with the Start attack button, a new windows will appear with the attack results/progress.
- Sort the list by Status.
- For the robots.txt entries there are 2 requests/responses because of the redirection.
- Response 1 =
HTTP/1.1 301 Moved Permanently
- Response 1 =
- Every entry can be double-clicked to have the result in a separate window.
- Select the
/passwords
Payload and send it to the Repeater (CTRL+R
) for tampering with the request.- Meanwhile, Intruder attack can be stopped by closing its window.
Send
the request in the Repeater and use theFollow redirection
button to get the 200 OK status code.
- Right click on the Response body and copy its URL with the
Show response in browser
button.
- Paste the copied URL in the browser and check the response:
- From the Repeater, send a request to fetch
wp-config.bak
- Repeater issued requests can be navigated back and forth with the arrow buttons.
📍 Lab done!