Using Burp Suite tools (detailed explanation)

I. Introduction

I have explained the installation of Burp Suite in detail before. If you are not sure about it, see the Burp Suite installation tutorial: http://t.csdn.cn/uVx9X   Here is a supplementary explanation. After installing Burp Suite and setting up the proxy, you will find that packets can be captured when the visited URL uses HTTP, but when the visited URL uses HTTPS the browser shows an error message like the one below:


This is actually because Burp's CA certificate has not been installed. Simply enter http://burp in the address bar and click "CA Certificate" in the upper right corner. A certificate file named cacert.der is then downloaded automatically, as shown in the figure below:

There are two ways to import the CA certificate; the simpler one is described here so that everyone can solve the problem faster.

Method: Find the downloaded CA certificate file, double-click to open it, and install the certificate following the prompts, as shown in the figure below:


Then import the certificate in the browser: click the menu in the upper right corner of the browser → Options → type "Certificate" in the search box in the upper right corner → Import, select the downloaded certificate, and confirm. (Newer versions of Firefox have moved certificate import to: Options → Privacy and Security → Security → Certificates → View Certificates → Import → OK.)

II. Burp Suite function introduction:


1. User options module:
1) Set the font size in Burp:
User interface: sets the font size of Burp's own functional modules
HTTP Message Display: sets the font size of the intercepted packet contents shown in the lower pane


2. Proxy module: (lets you intercept, view, and modify all data transmitted between the client and the server)
1) Configure the browser proxy:
First set the proxy in Internet Options, as shown in the figure below (pay attention to the "Do not use proxy server for local addresses" option: if it is checked, 127.0.0.1 cannot be used to intercept packets and only the machine's own IP address will work).

2) Capture and modify packets: Proxy → Intercept
With "Intercept is on" in Burp ("Intercept is off" turns interception off), visit a URL in the browser. Burp will now capture the request packet (it captures every request, so click Forward until the desired packet appears, or look for it in HTTP history). The captured packet can be edited. Action sends the intercepted HTTP or HTTPS request to the other corresponding modules for further operations; Forward sends the (modified) packet on to the server so that the access proceeds normally; Drop discards the captured packet. Raw, Params, Headers, and Hex under Intercept display the intercepted packet in different formats:

Raw: the captured request packet
Params: the parameter information of the request packet, including GET/POST parameters and cookie parameters
Headers: the header information of the request packet
Hex: the binary content of the Raw view

Options in Action:


Among them:
1) Change request method: By moving all relevant request parameters to the appropriate place, the request method is automatically switched between POST and GET. Use this option to quickly test the limits of your application by sending malicious requests.
2) Change body encoding: For any request, you can switch the encoding of the message body between application/x-www-form-urlencoded and multipart/form-data.
3) Copy URL: Copies the complete current URL to the clipboard.
4) Copy as curl command: Copies the current request to the clipboard as an equivalent curl command.
5) Copy to file: This function lets you select a file and copy the message content into it. This is handy for binary data, which can cause problems when copied via the clipboard. The copy operation applies to the selected text, or to the entire message if nothing is selected.
6) Paste from file: This function lets you select a file and paste its contents into the message. This is handy for binary data, which can cause problems when copied via the clipboard. The pasted content replaces the selection, or is inserted at the cursor position if nothing is selected.
7) Save item: This function lets you specify a file and save the selected request and response to it in XML format, including all metadata such as response length, HTTP status code and MIME type.
8) Don't intercept requests: With these commands you can quickly add interception rules so that messages with the same characteristics as the current message (such as remote host, resource type, or response encoding) are no longer intercepted.
10) Do intercept: Valid only for requests; lets you forcibly intercept the request and its response.
11) Convert selection: These functions let you quickly encode and decode the selected text in a variety of schemes.
12) URL-encode as you type: If this option is turned on, symbols you type such as & and = are replaced by their URL-encoded equivalents.

3. Repeater module (packet modification and replay)
Let's capture a packet to see how it works. After capturing it, right-click and choose Send to Repeater to send it to the replay module.

In the Repeater module we can modify the packet freely. After editing, click Go to send the packet; the response returned by the server is then displayed on the right, as shown in the figure below:

4. Intruder module (blasting, i.e. brute forcing)
Intruder blasting consists mainly of four tabs:
1: Target is used to configure the details of the target server to attack.
2: Positions sets the insertion points for the payloads and the attack type (attack mode).
3: Payloads sets the payloads and configures the dictionaries.
4: Options covers request headers, request engine, attack results, grep match, grep extract, grep payloads and redirections. These options can be edited on the main Intruder UI before launching an attack, and most settings can also be modified while an attack is already running.

Target option: Set the attack information, as shown in the figure below:


Positions option: configure the attack type and attack points. Attack type offers four options:
1) Sniper: cracks the variables one at a time; if there are multiple attack points, they are processed in sequence. Only one password dictionary can be used.
2) Battering ram: cracks the variables at the same time; if there are multiple attack points, all marked points are filled simultaneously. Only one password dictionary can be used.
3) Pitchfork: each variable marker corresponds to its own dictionary, and the corresponding item of each dictionary is taken together. Set at least 2 and at most 20 attack points. A password dictionary is set for each attack point.
4) Cluster bomb: each variable corresponds to its own dictionary, and every combination of the dictionaries is tried (the Cartesian product). Set at least 2 and at most 20 attack points. Suitable for username + password combinations.

Example: Suppose there are two password dictionaries, each containing 5 entries, and two blasting points are set. Sniper will try 10 times, Battering ram 5 times, Pitchfork 5 times, and Cluster bomb 25 times.
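To make the request counts in this example concrete, here is an added Python model of how each attack type combines the marked positions with its dictionaries (an illustration written for this page, not Burp's own code; the dictionaries are constructed placeholders). Knowing these counts also tells a defender how many requests a single Intruder run of each type produces in the server logs.

```python
from itertools import product

# Constructed placeholder dictionaries (not from the original post); like the
# page's example, two dictionaries of five entries and two marked positions.
DICT_A = ["a1", "a2", "a3", "a4", "a5"]
DICT_B = ["b1", "b2", "b3", "b4", "b5"]


def sniper(base, payloads):
    """Sniper: one dictionary; each marked position is varied in turn while
    the other positions keep their original (base) value."""
    requests = []
    for i in range(len(base)):
        for p in payloads:
            values = list(base)
            values[i] = p
            requests.append(tuple(values))
    return requests

def battering_ram(positions, payloads):
    """Battering ram: one dictionary; the same payload is placed into every
    marked position at once."""
    return [tuple([p] * positions) for p in payloads]

def pitchfork(payload_sets):
    """Pitchfork: one dictionary per position, walked in parallel (item N of
    every dictionary together); stops when the shortest dictionary runs out."""
    return list(zip(*payload_sets))

def cluster_bomb(payload_sets):
    """Cluster bomb: one dictionary per position; every combination is tried
    (Cartesian product), e.g. every username with every password."""
    return list(product(*payload_sets))

def request_counts(base, payload_sets):
    """Number of requests each attack type sends for the given positions."""
    return {
        "Sniper": len(sniper(base, payload_sets[0])),
        "Battering ram": len(battering_ram(len(base), payload_sets[0])),
        "Pitchfork": len(pitchfork(payload_sets)),
        "Cluster bomb": len(cluster_bomb(payload_sets)),
    }

if __name__ == "__main__":
    # Two positions whose original values are "user" and "pass".
    print(request_counts(("user", "pass"), [DICT_A, DICT_B]))  # 10, 5, 5, 25
```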

Payloads option: configure the attack payloads
1) Payload Sets: Set the number and type of payloads here. You can define one or more payload sets; the number of payload sets depends on the attack type defined in the Positions tab. A payload type can be chosen for each set, and each payload type can be customized in different ways. Payload types:
Simple list: a simple dictionary
Runtime file: a file read at runtime
Custom iterator: custom iterator (any characters can be added before and after the dictionary entries)
Character substitution: character replacement
Case modification: case changes
Recursive grep: recursive grep
Illegal Unicode: illegal Unicode encodings
Character blocks: character blocks
Numbers: number combinations
Dates: date combinations
Brute force: brute-force cracking
Null payloads: empty payload
Username generator: username generation
Copy other payload: copy another payload set

Payload Options[Simple list]: This option will change according to the settings of Payload Sets.


Payload Processing: encode, encrypt, truncate and otherwise process the payload; for example, Base64-encoding the payload as shown in the figure below:

Payload Encoding: by default Burp automatically URL-encodes certain characters in the payload; this can be enabled or disabled with the checkbox, as shown in the figure below:

Options: settings for request headers, the request process and the request results. This tab covers request headers, request engine, attack results, grep match, grep extract, grep payloads and redirections. These options can be edited on the main Intruder UI before an attack is launched, and most settings can also be modified from the attack window while an attack is already running.


Origin blog.csdn.net/Forget_liu/article/details/131048671