Showing posts with label Cyber Forensics Tools. Show all posts
Showing posts with label Cyber Forensics Tools. Show all posts

Payload Processing Rule in Burp suite (Part 1)

Hello friends!! Today we are going to discuss “Payload Processing” option of Burpsuite which is advance functionality comes under Intruder Tab for making brute force attack.
Payload Processing
Payload Processing can be defined as when payloads are generated using payload types, they can be further manipulated or filtered using various processing rules and payload encoding.
Payload Processing Rules
These rules are defined to perform various processing task on each payload before it is used. These rules are executed in a sequence, and they can be used to help debug any problem with the configuration. Payload processing rules are useful in situations where you need to generate different payloads, or where we want to wrap payloads within a wider structure or encoding scheme.
There are 12 types of payload processing rules available:
  • Add prefix
  • Add suffix
  • Match / Replace
  • Substring
  • Reverse substring
  • Modify case
  • Encode  
  • Decode
  • Hash
  • Add raw payload
  • Skip if matches regex
  • Invoke Burp extension
Let's start!!

Add Prefix
This processing rule adds up a prefix before the payload.
First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.
Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.
·         Press on the Clear button given at right of window frame. 
·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
·         Choose the Attack type as sniper.
  • In the given below image we have selected password that means we will need one dictionary files for password.

Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.
 Before executing the attack we have added a payload processing rule to the payload type which is Add Prefix and we have given an input string “hash” which is added as a prefix with every input strings in the dictionary, as shown in the result window of the attack.
Select Start Attack in the Intruder menu as shown in the image.
Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

And to confirm the password matched, we will give the password in the Bwapp LAB login page, which will successfully log us into the Bwapp lab. This shows our success in the attack as shown in the image.
Add Suffix
This processing rule adds up a suffix after the payload.
First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.
Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.
·         Press on the Clear button given at right of window frame. 
·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
·         Choose the Attack type as sniper.
In the given below image we have selected password that means we will need one dictionary files for password.
Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.
Before executing the attack we have added a payload processing rule to the payload type which is Add Suffix and we have given an input string “1234” which is added as a suffix with every input strings in the dictionary, as shown in the result window of the attack.
Select Start Attack in the Intruder menu as shown in the image.
Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.
Use this combination of username and password for login to verify your brute force attack for correct password.
Match / Replace
This processing rule is used to replace any part of the payload that match a specific regular expression, with a string.
First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.
Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.
·         Press on the Clear button given at right of window frame. 
·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
·         Choose the Attack type as sniper.
  • In the given below image we have selected password that means we will need one dictionary files for password.
Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.
Before executing the attack we have added a payload processing rule to the payload type which is Match / Replace and we have given an input “9870” in the Match Regex which will match the input given with the input strings in the dictionary, if the there is a certain match than it will replace it with the input “1234” given in the Replace with as shown in the image.
Select Start Attack in the Intruder menu.
Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.
Use this combination of username and password for login to verify your brute force attack for correct password.
Substring
This processing rule is used to extracts a sub-portion of the payload, starting from a specified offset up to a specified length. Here the offset and length are counted from the front.
First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.
Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.
·         Press on the Clear button given at right of window frame. 
·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
·         Choose the Attack type as sniper.
  • In the given below image we have selected password that means we will need one dictionary files for password.
Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. Here we had added dictionary using option “Add from list” as shown below in given image.
Before executing the attack we have added a payload processing rule to the payload type which is Substring and we have given an input “0” in From option which specifies the offset and a input “3” in the Length option which specifies the length of the input strings.
For example if “password” is word in dictionary and we had applied above filter so it will place alphabet p = 0; a = 1; s = 2 and s = 3 hence it will read only pass from whole word “password”.
The length specified will select only those inputs having the specific length and other lower or greater length inputs are discarded as shown in the result window of the attack.
Select Start Attack in the Intruder menu.
Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.
Use this combination of username and password for login to verify your brute force attack for correct password.
Reverse Substring
This processing rule is used as a substring rule, but the end offset is specified counting backwards from the end of the payload, and the length is counted backwards from the end offset.
First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.
Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.
·         Press on the Clear button given at right of window frame. 
·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
·         Choose the Attack type as sniper.
  • In the given below image we have selected password that means we will need one dictionary files for password.
 Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. Here we had added dictionary using option “Add from list” as shown below in given image.
Before executing the attack we have added a payload processing rule to the payload type which is Reverse Substring and we have given an input “2” in From option which specifies the offset and an input “9” in the Length option which specifies the length of the input strings and they are similar to the Substring rule but it works from backwards of a offset and the length is counted backwards where the offset ends.
For example if “admin123456” is word in dictionary and we had applied above filter so it will place alphabet 4 = 0; 3 = 1 ; 2 = 2 ; 1 = 3 ; n = 4 ; i = 5 ; m = 6 ; d = 7 ; d = 8 ; a = 9  hence it will read  only ‘admin1234’ from whole word “admin123456”.
The length specified will select only those inputs having the specific length and other lower or greater length inputs are discarded as shown in the result window of the attack.
Select Start Attack in the Intruder menu.
Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.
Use this combination of username and password for login to verify your brute force attack for correct password.

Modify Case
This processing rule can be used to modify the case of the payload, if needed. This rule has the same options available for the Case Modification payload type which we have explained in Part-1 of the Payload types article.
Source: portswigger.net






















Digital Forensics Investigation through OS Forensics (Part 3)

In Part 2 of this article we have covered Recent Activity, Deleted File Search, Mismatch File Search, Memory Viewer and Prefetch Viewer. This article will cover some more features/ functionalities of OSForensics.
To Read Part 2 of this article click here.
Raw Disk Viewer
On a drive data is generally stored in file system files and directories but when it comes to forensics we need a more deeper inspection of drives we can have a evidence within the raw sectors of the drive , image . These sectors are not accessible through Operating system but we can access the raw sectors through OS Forensic’s Raw Disk Viewer.
Raw Disk Viewer includes text/hex searching, highlighting of relevant disk offsets, and decoding of known disk structures (such as MBR, GPT)

To start with open OSF and click on Raw Disk Viewer
From the disk dropdown select the Evidence we want to investigate.
Click on the config button and make the required changes. We can specify the sector range limit, highlight the file types by different colors, include/exclude file system objects.
To look for a particular file/sector/offset click on Jump To button, we can see a screen to select any particular file or offset.
To get the details of any particular file select file and browse the file .
Click on open and then OK, the file will open in HEX for investigation.

Click on the decode button to get the details of the file. This will provide the cluster number and sector of the file.
Right click on the file to get all the available options of the file/offset/cluster.
Click on Search button, a screen will appear where we can search for Hex or Text and continue . This will search the particular text or Hex within the raw sectors and will display the result.
Click on bookmark button on the main screen of Raw Disk Viewer . we can create the bookmarks for the relevant evidences.
Create a new bookmark by specifying its start offset and end offset. We can differentiate the bookmark through its color.
The bookmark saved will get listed .
 If we click on the bookmark the offset range will get highlighted on the main screen and will mark the starting of the offset with a flag and color of the the flag is that of the bookmark.
This concludes Raw Disk Viewer.

Registry Viewer
Registry viewer enables  to investigate  the registries of an evidence.
To start with open the registry viewer, we can select the drive/evidence we want to work on. All the registry files in that particular drive/evidence will get listed on the right side.
Double Click on any file and we can navigate to the registries and can get all the details.
This concludes Registry Viewer

File System Browser
File system browser enables us to navigate to the Drive/Evidence.
We can navigate through all the files/directories and perform multiple activies . In file system browser we have the other options of OSF as well like File search, Mismatch search, Create Index, Create signature. Some of these features we have already talked about and some of them we will discuss in coming articles.
WE can check the “Show Deleted File” option  by clicking on Tools > Option > Show Deleted File.
 The deleted files/directories (if any) will also get listed and will marked with a red cross .
This concludes File System Browser.

Passwords
Passwords feature enable us to retrieve the password related information of the evidence. These passwords could be passwords stored within the browser, Windows Login Passwords, WE can also create a rainbow table by making the multiple combination of the passwords and retrieve the passwords from the rainbow table. Under OSF passwords  also have an option to decrypt an encrypted file.
To start with open OSF and select passwords
The first tab is to Find Passwords & Keys , this will allow to the recover the stored password from the browser , outlook , windows auto logon passwords , etc.  We can either do the live acquisition of current machine or Scan Drive and select any drive or evidence.
Click on Config button, check the passwords you want to recover. Select the decrepton settings based on requirements, we can include our dictionary file or can use an automatic dictionary. If credentials are known we can provide windows login credentials and click OK.

Click on Acquire passwords button to start the process.
All the passwords / product keys will get listed.
The below image is the passwords  acquisition of the Current Machine for better understanding as the evidence we re working on doesn’t any stored wireless network.
Select Windows Login Password , select the Drive/evidence and click Acquire passwords

All the information will get listed. If there is any saved password it will get listed also we can get info about it also we can get NT hash and LM Hash of the password from which we can recover the password.
We have an option to generate rainbow table. This is used to create a list of passwords with different combinations and permutations. We can choose from the different options / combinations from the drop down . More huge and  complex the inputs are the longer the time it will take.
Browse the file path where we want to save the table and if required modify the parameters. Click on create rainbow table button to start with the process.
Depending on the complexity the process will start.
Password through rainbow table. If the password is within the rainbow table we have created and we have the NT hash and LM Hash we can recover the passwords  (however this ). TO achieve this we need to add the folder of the Rainbow table under “Select Rainbow Table” and can either enterthe raw hash or can browse the file which may contain the hash , if the password is present within the rainbow table , we will get the password .
In the image we are browsing the file “hash.txt” , we have saved in windows login password (shown above)and the rainbow table we have created .
Click on recover Password/s button to start the process , if the password present in Hash.txt is found in rainbow table we will get the result .

In the above we haven’t found the password as it must be not present inside the table. Also these tables have certain limitations and have the success rate of 95 % (approx). Their are other methods as well for recovery of passwords we will be discussing on other articles.

This concludes Passwords.
For more on OSForensics wait for the next article.