Advanced Web Application Testing using Burp Suite


Hello friends!! Today we are going to discuss the advanced options of Burp Suite Pro for web penetration testing. Here we have used the bWAPP lab, which you can install from here, and the Acunetix vulnerable web application, which is available online, for practising web application penetration testing.

Burp Suite Advanced Usage
·         Burp Infiltrator
·         Macros
·         Burp Clickbandit
Burp Infiltrator
Burp Infiltrator instruments a target web application so that it can be tested with Burp Scanner: with the application instrumented, Burp can detect cases where its input reaches potentially unsafe APIs on the server side.
Burp Infiltrator supports applications written in:
  • Java, Groovy, Scala, or other JVM languages (JRE versions 1.4 - 1.8)
  • C#, VB, or other .NET languages (.NET versions 2.0 and later)
Let’s start !!
First, we need to enable Burp Infiltrator from the Burp menu in Burp Suite by selecting the Burp Infiltrator option. A Burp Infiltrator dialog then appears, where you have to select the type of application you want to instrument, as shown in the image.




After that we need to select the folder where we want the Infiltrator file to be saved, so that we can run it later from the terminal.




Next, give the path of the folder where the Infiltrator file will be saved, as shown in the image.




Then the Burp Infiltrator file will be saved as burp_infiltrator_java.jar.




Now, to run the Burp Infiltrator file, go to the file's directory in the terminal and execute it with the command java -jar burp_infiltrator_java.jar --non-interactive. Press Enter and the file will be executed.




We used --non-interactive in the command so that the default settings are configured automatically; otherwise we would have to configure all the settings manually. Now we can intercept the requests of any website or application built on the supported platforms, as shown in the image.




Turn off Intercept. Select the Target tab, which contains a Site map sub-tab, as shown in the image.




Then select the URL you want to scan using Burp Infiltrator: right-click on the URL and select the option Actively scan this host. This reports all the issues found in the website or application we want to scan. All the issues for the scanned URL can be seen in the Issues pane, as shown in the image.




Macros
Burp Suite has a session handling ability that can be used to run macros according to session handling rules. A macro is a predefined sequence of one or more requests. Use cases for macros include:
·         Fetching a page, such as the user's home page, just to check whether the current session is still valid.
·         Performing a login operation to obtain a new valid session.
·         Obtaining a token or nonce to use as a parameter in another request.
Macros are recorded using your browser. When defining a macro, Burp Suite displays the Proxy history, from which you can select the requests to be used for the macro. You can select from previously made requests, or record a fresh macro and select the new items from the history. When you have recorded the macro, the macro editor shows the details of the items in the macro, which you can review and configure as required.
Let’s start!!
First we intercept the login request of the bWAPP lab, where we have entered the default username and password, as shown in the image.




The request is captured in the Intercept tab. Right-click anywhere on the captured request, then select the option Do intercept, which has the sub-option Response to this request. Click on it.




Then forward the captured request until we are successfully logged into the bWAPP lab.
After that, go to the Project options tab, where we need to select the Sessions sub-tab, as shown in the image.




Click the Add button under Session Handling Rules, which opens the Session handling rule editor window, where we have given the rule a name under Rule description, as shown in the image.




Click the Add button under Rule Actions and select the Check session is valid option. This opens the Session handling action editor; enter the expression you want Burp Suite to look for in the URL (we have given login.php) and tick the option If session is invalid, perform the action below, as shown in the image.




Click the Add button under Select Macro, which opens the Macro Recorder window, where we select the item from the proxy history that we want to include in the macro, as shown in the image. Click OK.



Next, the Macro Editor window opens, where we give the macro a name in the Macro description field, as shown in the image. Click OK.



After this we get back to the Session handling rule editor, where we click on the Scope tab. Tick the options Extender and Proxy under Tools Scope and Include all URLs under URL Scope, then click OK; the macro will now run in the background.




As you can see in the image, we are on the login page of the bWAPP lab, where we have not entered any login details.




We made a simple change in the URL: we replaced login.php with portal.php, as shown in the image.




This has successfully logged us into the bWAPP lab without entering any login details.



Burp Clickbandit
Burp Clickbandit is a tool in Burp Suite for generating clickjacking attacks. When you know a web page that is vulnerable to clickjacking, you can use Burp Clickbandit to create an attack and to confirm that the vulnerability can be successfully exploited. When running Burp Clickbandit on untrusted websites, malicious JavaScript from the target site can take control of the HTML output that Burp Clickbandit generates. Burp Clickbandit has two modes:
Record Mode
Burp Clickbandit first opens in record mode. Perform one or more mouse clicks to record your clickjacking attack; these are the clicks the victim user needs to perform for the desired action to happen. You can also use the "disable click actions" checkbox to record clicks without the target page handling them. When you have finished recording, click the "Finish" button to enter review mode.
Review Mode
When you have finished recording your clickjacking attack, Burp Clickbandit enters review mode. This lets you review the generated attack, with the attack user interface over the original page UI. You can click the buttons on the attack UI to verify that the attack works.
List of commands that are available in review mode:
  • The + and - buttons zoom in and out.
  • The "toggle transparency" button allows you to show or hide the original page UI.
  • The "reset" button restores the generated attack, as it was before any further clicks were made.
  • The "save" button saves an HTML file containing the attack. This can be used as a real-world exploit for the clickjacking vulnerability.
  • You can use the keyboard arrow keys to reposition the attack UI over the original page UI if it is not correctly aligned.
Let’s start!!
Burp Clickbandit runs in the browser using JavaScript. It works on all current browsers except Microsoft IE and Edge.
To run Clickbandit, go to the Burp menu and select "Burp Clickbandit".
Click the "Copy Clickbandit to clipboard" button. This will copy the Clickbandit script to your clipboard.



  • In your browser, visit the web page that you want to test, as you regularly do. Then open the web developer console in your browser (this might also be called "developer tools" or "JavaScript console"). Paste the Clickbandit script (you may first have to type allow pasting before the console accepts pasted code), and press Enter.



  • The Burp Clickbandit logo appears at the top of the browser window and the original page is loaded within a frame, ready for the attack to be recorded; this is the record mode of Burp Clickbandit. Perform the mouse clicks that the victim user would need to perform for the desired action (use the "disable click actions" checkbox to record clicks without the target page handling them), then click the "Finish" button to enter review mode.

·         When you have finished recording your clickjacking attack, Burp Clickbandit enters review mode, which lets you review the generated attack, with the attack user interface over the original page UI.

·         Click the Save button to save an HTML file containing the attack. This can be used as a real-world exploit for the clickjacking vulnerability.

·         We have opened the saved HTML file, which shows the transparent UI we created over the original UI, with a click button in the red box appearing on the page.

·         We can click the buttons on the attack UI to verify that the attack works. A message appears, you've been Clickjacked, as shown in the image.
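Clickbandit only confirms a page that is already framable; the check that decides that is the response's anti-framing headers. The following Python function is an added example (not part of the original article or of Burp) that classifies a response by its X-Frame-Options and CSP frame-ancestors headers; the sample header sets are constructed.

```python
"""Classify an HTTP response by whether it forbids framing (the clickjacking precondition)."""


def _csp_frame_ancestors(csp_value):
    """Return the source list of the frame-ancestors directive, or None if the policy lacks it."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'\"").lower() for t in tokens[1:]]
    return None


def framing_protection(headers):
    """Return (status, reason) for a dict of response headers (names matched case-insensitively).

    status is 'protected', 'weak' or 'unprotected'. CSP frame-ancestors takes precedence
    over X-Frame-Options when both are present; a report-only policy enforces nothing.
    """
    h = {name.lower(): value for name, value in headers.items()}
    sources = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # '*' or a bare scheme source lets any site on that scheme frame the page.
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            return ("unprotected", "frame-ancestors allows any origin: " + " ".join(sources))
        return ("protected", "CSP frame-ancestors " + " ".join(sources))
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("protected", "X-Frame-Options " + xfo)
    if xfo.startswith("ALLOW-FROM"):
        return ("weak", "ALLOW-FROM is obsolete and ignored by current browsers")
    if xfo:
        return ("weak", "unrecognised X-Frame-Options value: " + xfo)
    if _csp_frame_ancestors(h.get("content-security-policy-report-only", "")) is not None:
        return ("unprotected", "frame-ancestors only in a report-only policy; not enforced")
    return ("unprotected", "no X-Frame-Options and no CSP frame-ancestors")


# Constructed sample header sets: a bare lab-style response and a hardened one.
LAB_RESPONSE = {"Server": "Apache", "Content-Type": "text/html"}
HARDENED_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, hdrs in (("lab", LAB_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, framing_protection(hdrs))
```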

Understanding Guide for Nmap Timing Scan (Firewall Bypass)


In this article we are going to scan the target machine with a normal Nmap scan and with each timing template; the time between packets is then confirmed by analysing the Nmap traffic in Wireshark.

The timing template in Nmap is set with -T<0-5>, with -T0 the slowest and -T5 the fastest. By default all Nmap scans run with the -T3 template. Timing templates are used to tune the speed and reliability of a scan to get the desired results.

Let’s start!!

Nmap Insane (-T5) Scan

This template sends packets insanely fast and waits only 0.3 seconds for a response. The time between two packets sent is up to 5 milliseconds. This makes the scan superfast, but accuracy is sometimes sacrificed. Nmap gives up on a host if it cannot complete the scan within 15 minutes. Apart from that, -T5 should only be used on fast networks and high-end systems, as sending packets this fast can affect the network or the system and can even cause system failure.
To use a timing template, pass -T<0-5> to Nmap when scanning a target network:
nmap -T5 -p21-25 192.168.1.104




Here the packets sent to the target IP are separated by at most 5 milliseconds, or 0.005 seconds.
Packet 1 has Arrival Time of 04:41:04.557153433




Packet 2 has Arrival Time of 04:41:04.557225304
The difference between the arrival time of Packet 1 and Packet 2 is about 0.07 milliseconds.




Nmap Aggressive (-T4) Scan

This template sends packets very fast and waits only 1.25 seconds for a response. The time between two packets sent is up to 10 milliseconds. The official Nmap documentation recommends -T4 for "reasonably modern and reliable networks".
nmap -T4 -p21-25 -d 192.168.1.104




Here the packets sent to the target IP are separated by at most 5 milliseconds, or 0.005 seconds.
Packet 1 has Arrival Time of 05:58:34.636899267




Packet 2 has Arrival Time of 05:58:34.637122896
The difference between the arrival time of Packet 1 and Packet 2 is about 0.2 milliseconds.




Nmap Normal(-T3) Scan

This is the default Nmap timing template, used when no -T argument is specified.
nmap -T3 -p21-25 -d 192.168.1.104




Packet 1 has Arrival Time of 06:01:12.574866212




Packet 2 has Arrival Time of 06:01:12.575059033
The difference between the arrival time of Packet 1 and Packet 2 is about 0.1 milliseconds.




Nmap Polite (-T2) Scan
This template sends packets faster than -T0 and -T1 but still slower than the normal scan. The time between two packets sent is 0.4 seconds.
nmap -T2 -p21-25 192.168.1.104



Packet 1 has Arrival Time of 06:07:38.139876513



Packet 2 has Arrival Time of 06:01:12.540686453




The difference between the arrival time of Packet 1 and Packet 2 is about 0.4 seconds.
Nmap Sneaky (-T1) Scan

This template sends packets slowly, well below the rate of the normal scan. The time between two packets sent is 15 seconds.
nmap -T1 -p21-25 192.168.1.104





Packet 1 has Arrival Time of 06:17:02.354879724




Packet 2 has Arrival Time of 06:17:17.371063606
The difference between the arrival time of Packet 1 and Packet 2 is about 15 seconds.




Nmap Paranoid (-T0) Scan

This template sends packets very slowly, as only one port is scanned at a time. The time between two packets sent is 5 minutes.
nmap -T0 -p21-25 192.168.1.104




Packet 1 has Arrival Time of 06:32:25.043303267




Packet 2 has Arrival Time of 06:37:25.080804929
The difference between the arrival time of Packet 1 and Packet 2 is about 5 minutes.




Evading Time Based Firewall rules using timing templates

Block Insane T5 scan
Even though we can speed up the scan with the -T5 and -T4 templates, the target system may be using firewall rules to protect itself. Here are some examples of such firewall rules and the methods to bypass them.
This rule blocks TCP packets from an IP address if the packet count exceeds 1 within 1 second. In other words, only the first packet from an IP address in a 1-second window gets a response.
sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --set
sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 1 --hitcount 1 -j DROP




If you scan more than 1 port on a target system with the above rule, the result will not be as expected. With -T5 or -T4 the time between packets is far less than 1 second, so if we scan five ports at a time it will show one as open/closed and the others as filtered. But -T5 also has --max-retries set to 2, meaning it retries each port 2 more times, so 3 out of 5 ports will have an accurate open/closed status and the remaining 2 will show as filtered.
nmap -T5 -p21-25 192.168.1.104
In the image below you can see that it has shown 3 ports as open and 2 ports as filtered.




The packet exchange between the scanner and the target, captured in Wireshark, clearly shows that the TCP SYN packets were sent multiple times to ports 22 and 23 and received no reply.
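As an added example (not part of the original article), the Python script below reproduces the Wireshark gap calculation from the arrival times quoted in the template sections above and models how the iptables recent rule used in this section (--update --seconds N --hitcount 1 followed by --set, in the order the two -I commands produce) decides which SYN probes are dropped. The probe series fed to the rule are constructed; the model assumes a single source address.

```python
"""Inter-packet gaps from Wireshark arrival times, and the verdicts of the
iptables 'recent' rule (--update --seconds N --hitcount 1 -j DROP, then --set)
on a series of SYN probes from one source address."""


def parse_arrival(ts):
    """'HH:MM:SS.nnnnnnnnn' (Wireshark arrival time) -> seconds since midnight."""
    hh, mm, ss = ts.split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


def inter_packet_gaps(arrivals):
    """Seconds between consecutive packets of a capture."""
    secs = [parse_arrival(t) for t in arrivals]
    return [b - a for a, b in zip(secs, secs[1:])]


def recent_rule_verdicts(send_times, window):
    """Model the two rules for one source: the DROP rule (inserted last, so checked
    first) matches when the source was last seen within `window` seconds and refreshes
    its timestamp; otherwise the --set rule records the packet and it is accepted.
    Because dropped packets also refresh the timestamp, a steady stream spaced closer
    than the window never gets a second reply. Returns True (accepted) / False (dropped)."""
    verdicts, last_seen = [], None
    for t in send_times:
        dropped = last_seen is not None and (t - last_seen) <= window
        verdicts.append(not dropped)
        last_seen = t  # both --update (on match) and --set refresh the entry
    return verdicts


def probe_series(gap, count):
    """Constructed send times for `count` SYNs spaced `gap` seconds apart."""
    return [i * gap for i in range(count)]


# Arrival times quoted in the article for the -T5 and -T1 captures.
T5_CAPTURE = ["04:41:04.557153433", "04:41:04.557225304"]
T1_CAPTURE = ["06:17:02.354879724", "06:17:17.371063606"]

if __name__ == "__main__":
    print("T5 gap (s):", inter_packet_gaps(T5_CAPTURE))
    print("T1 gap (s):", inter_packet_gaps(T1_CAPTURE))
    # Five ports at T1 spacing against the 3-second and the 200-second rule.
    print("T1 vs 3 s window  :", recent_rule_verdicts(probe_series(15, 5), 3))
    print("T1 vs 200 s window:", recent_rule_verdicts(probe_series(15, 5), 200))
```

The same model lets a defender check which --seconds window a given probe spacing slips through before committing the rule.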




Bypass Insane T5 Firewall filter
1st method
Use the --max-retries argument to increase the number of retries so that each retry gives an accurate status for one more port. Execute the command below to increase the maximum retries with a T5 scan; here I have used 4, which you can modify as per your requirement.
nmap -T5 -p21-25 192.168.1.104 --max-retries 4
Now, in the image below, you can see that all 5 ports are shown as open.




Here the packet capture shows that in each retry a different port sends a reply, confirming its status, as shown in the image below.




2nd Method
The second method is to use a timing template with a greater time difference between packets; here we can use any template below T5, i.e. T4 to T0, to bypass the above rule.
nmap -T4 -p21-25 192.168.1.104
or
nmap -T3 -p21-25 192.168.1.104
or
nmap -T2 -p21-25 192.168.1.104
or
nmap -T1 -p21-25 192.168.1.104
or
nmap -T0 -p21-25 192.168.1.104




Here the packet capture shows that every port sends a reply, as the time difference between the packets is around 6 seconds.




Block Aggressive T4, Normal T3 & Polite T2 Scan
The rules below block TCP packets from an IP address if the packet count exceeds 1 within 3 seconds. In other words, only the first packet from an IP address in a 3-second window gets a response.
sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --set
sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 1 -j DROP



Here we use -T4 to scan 5 ports. The time between packets is far less than 1 second, so scanning five ports at a time would show one as open/closed and the others as filtered. -T4 also has --max-retries set to 6, meaning it retries each port 6 more times, but since the window is longer than the total time taken by all the retries, it shows all ports as filtered.
nmap -T4 -p21-25 192.168.1.104
or
nmap -T3 -p21-25 192.168.1.104
or
nmap -T2 -p21-25 192.168.1.104


The result of the T4, T3 and T2 scans will be either that all ports are filtered or that one port shows an open/closed state. In the image below you can see that all 5 ports are shown as filtered.


Here we can see that none of the packets got a reply.




Bypass Aggressive T4, Normal T3 & Polite T2 Firewall filter
To bypass this kind of rule we have to use a timing template slower than -T4:
nmap -T1 -p21-25 192.168.1.104




Here we can see that all the packets got a reply, because the interval between packets in T1 is almost 15 seconds.




Block Sneaky (-T1) Scan
This rule blocks TCP packets from an IP address if the packet count exceeds 1 within 200 seconds. In other words, only the first packet from an IP address in a 200-second window gets a response.
sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --set
sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 200 --hitcount 1 -j DROP




Now repeat the T1 scan as given below, and this time you will find that the firewall blocks our Nmap probes, preventing identification of the open/closed state of any port.

nmap -T1 -p21-25 192.168.1.104

The result of the T1 scan will be either that all ports are filtered or that one port shows an open/closed state. In the image below you can see that 4 ports are shown as filtered.




Here we can see that only one of the packets got a reply; the rest were dropped by the firewall.


To bypass this kind of rule we have to use a timing template whose time difference between packets is more than 200 seconds; therefore use the paranoid template, because the time between two packets is about 5 minutes, as discussed above.
nmap -T0 -p21-25 192.168.1.104
In the image below you can see that it took 1813.61 seconds, close to 30 minutes, to scan 5 ports, and found all 5 ports open.


Here we can see that we got a response to every packet even though the firewall rules were in place.
To evade any type of IPS or firewall, remember that scanning the target with a slower timing template takes much longer than usual, so specify a small number of ports so that the slower scan does not waste time on ports you did not intend to scan.