[Network Security] Penetration Testing Tool - Burp Suite

---

foreword

The article is long. Before reading it, it is recommended to understand the following four questions

Question 1. What is Burp Suite?

Burp Suite is an integrated penetration testing tool that integrates a variety of penetration testing components, enabling us to better complete penetration testing and attacks on web applications automatically or manually.

In penetration testing, we use Burp Suite to make the testing work faster and more efficient

Question 2: Where is the concrete function of Burp Suite? (some examples)

1. Attack the website and obtain the user login name and password

2. Attack the website to obtain password and token

Attack the website under the condition of obtaining CSRF token, get the correct user name and login password

3. Attack the website, skip the verification code input stage

Tamper with the response value, skip the verification code and enter the next level of webpage

Question 3. How to install and configure Burp Suite?

Configuring Burp Suite Tutorial:
[Network Security] Burpsuite v2021.12.1 Installation & Activation & Configuration & Quick Start

Question 4. How to use Burp Suite?

The official website learning link is as follows:
https://portswigger.net/support

https://portswigger.net/burp/documentation/desktop

The official website online document has a detailed introduction to all parameters of all modules in the tool

1. Proxy module

1.1 Interface Layout

Interface Explanation Document

https://portswigger.net/burp/documentation/contents

1.1.1 Menu bar

(1) menu bar Burp

infiltrator:渗透者，对java程序中做安全扫描，生成jar包
clickbandit:点击劫持，生成一个点击劫持的工具来验证漏洞
collaborator:有些漏洞没有回显，添加一个服务器

(2) menu bar project

(3) Menu bar Intruder

(4) Menu Bar Repeater

(5) Menu bar Window

Each window on the home page can independently occupy the entire screen

(6) Menu bar Help

local documentation

1.1.2 Module bar

(1) Module bar Dashboard (dashboard)

Tasks (vulnerability scanning and crawling tasks)

(2) Module column Target (target)

scope defines a scanning rule

(3) Module column Proxy (proxy)

Intercept the browser's HTTP packets (including requests and responses), which is equivalent to a middleman

Home introduction

(4) Module column Intruder (intrusion)

For the intercepted request (address), set the attack load (payload), and use the dictionary for penetration testing

For example: directory scanning, password brute force cracking, stress testing, FUZZ, etc.

(5) Module bar Repeater (replay)

1. Analyze the specific request and response content of each step

2. Modify the request and response content

3. Resend request content

(6) Module column Sequencer (sequencer)

Used to evaluate whether key fields such as Token and Session can be forged (whether it is fixed or predictable)

(7) Module column Decoder (decoding)

Encode and decode request data

(8) Module column Comparer (comparator)

compare the two results

(9) Module column Logger (log)

(10) Module column Extender (plug-in)

1.2 Proxy module

1.2.1 Browser proxy settings

web proxy

It is inconvenient for one computer to communicate with other computers

Function: break through IP restrictions, hide IP, speed up access

How to transfer the data sent by the browser to the proxy on the BP, which needs to be set

1.2.1.1 Computer Settings

Turn on the proxy in the computer (not recommended, affecting speed)

1.2.1.2 Browser Settings

Open the browser, set, search proxy

1.2.1.3 Browser plug-ins

(1) Firefox browser

Search for "foxy proxy" in the browser add-on component, click to install

After the installation is successful, the agent appears

Add a proxy, click Options, enter burp proxy for the title, proxy type HTTP, proxy IP and BP are consistent, 127.0.0.1, port and BP match 8080, username and password are ignored

In this way, a BP agent is obtained

(2) Google Chrome

search

crxdl.com

Search in plugin search

proxy

Download one of them, then open the address in Google Chrome

chrome://extensions

Modify the downloaded installation package to .crx file to .zip, just drag it in

If the above method reports an error, you need to open the developer mode on this page

chrome://extensions

Choose to load the unpacked extension

Select the main folder, you can

1.2.2 BP proxy settings

easiest setup

The default listening port in option

Turn on interception

After opening, BP is always monitoring, and at this time, you need to open the BP proxy of the browser

initial monitoring

1.2.2.1 forward release

The following are the specific meanings

Currently in the Firefox browser, enter Baidu URL, open Baidu

baidu.com

The browser will circle and cannot open the URL

After clicking release

URL can be opened normally

1.2.2.2 drop

After discarding, the browser displays

1.2.2.3 Intercept main interface

1.2.2.4 Options

listening port

Process the data requested by the client to the server

Intercept server response

Do other automated substitutions for requests and responses

TLS penetration (without BP)

1.2.3 BP intercepts HTTPS data

Website certificate:
1. The operating system installs the root certificate, which contains the public key of the CA.
2. The certificate issued by the CA contains the public key of the organization, and signs the summary of the public key of the organization with the public key of the CA.
3. The browser uses the public key of the CA. The public key checks the abstract and confirms that the organization’s public key is legal.
4. The browser uses the organization’s public key to negotiate a session key with the server
. 5. The browser communicates with the server using the session key.

HTTPS

When the BP does not install the certificate, the browser will pop up a security warning

1.2.3.1 Download BP certificate method one

After the browser and BP are turned on, enter in the browser

http://burp/

1.2.3.2 Download BP certificate method 2

In BP, Proxy, Options

select export

Export in DER format

After downloading, import the certificate into the browser

In the browser settings, enter "Certificates",

import in authority

and trust

1.2.4 BP Intercepts Mobile APP Data

If you want to infiltrate the mobile app or the server of the app, you first need to catch the app

(1) Turn on the computer Burp monitor

First of all, the computer needs to be connected to WiFi instead of a wired network, so that the mobile phone and the computer can be in the same network environment (if the wired network of the desktop computer and the WiFi of the mobile phone are in the same network environment, it is also possible).

Open cmd on the computer and enter ipconfig -all to view the IPv4 address of the WLAN:

For example, the current IP is 192.168.10.142, remember it and use it later. Start Burp, open Proxy - Options - Add

In the added window that opens, fill in 8080 for the port, and select the IP address you just saw for the binding address, as shown in the figure:

Click OK to confirm. At this time, the listener should check the new one instead of the default one:

(2) Configure mobile WiFi proxy

First connect your phone to the same WiFi as your computer. From your phone's Settings, go to Wi-Fi settings

Long press the name of the currently connected WiFi, and click the pop-up "Modify Network".

In the window that opens, check "Show advanced options"

Enable proxy: Click the proxy switch, and select "Manual" in the pop-up window.

After enabling the proxy switch, you need to configure the proxy:

The proxy has been configured. Then all network requests on the phone will be sent to Burp.

Note: It is not that you will have network requests when you are operating the App. The App on the mobile phone is accessing the network all the time, so many irrelevant packets will be caught.

It is recommended to turn on Burp's interception switch before manual operation, so that packets can be captured accurately.

Turn on the interception switch in Proxy-Intercept:

For example: when the mobile browser opens Baidu search, the communication packet is captured by Burp on the computer:

At this point, the packet capture settings are complete.

(3) Mobile phone installation certificate

For HTTPS websites, the client needs to encrypt the message with the server's key before sending it.

When the proxy is configured, the client (browser) requests a certificate from Burp, but Burp does not have a certificate, and the browser will prompt that it is not safe. Or, if the server's certificate is used to encrypt, what Burp captures is the encrypted message, which cannot be viewed or modified.

So the complete process is like this:

The client first encrypts the message with burp's key. After burp decrypts the plaintext, it encrypts the message with the server's key.

So here we need to install the burp certificate on the phone.

Select the first one, DER format certificate, click Next

It is very important to choose the saved CA path (such as the D drive) and name the file suffix .cer, because the mobile phone can only install the certificate type of .cer, and the default der format cannot be recognized and installed. Click Save, then Next

When the export is complete, close the window:

Send the file to the mobile phone, such as using WeChat's "File Transfer Assistant". "Open with another app" on your phone.

Select "Certificate Installer" to open, just one time

Write the name of the certificate, select WLAN, confirm, the installation is successful.

Search for "certificate" in the settings, user credentials, and view the certificate:

You can see the installed certificates

(4) Cancel burp capture

If you don't need to grab the phone's package anymore, and you need normal access, just cancel the proxy. Long press the WiFi name to enter the settings - display advanced options - proxy, set to "none", save, you can

2. Target module

2.1 The role of the Target module

Record all traffic passing through BP

1. HTTP History is recorded in chronological order

2. Target is classified and recorded by host or domain name

After requesting Taobao, target plans and records by site

作用
1、把握网站的整体情况 

2、对一次工作的域进行分析 

3、分析网站存在的攻击面

Attack surface:
A collection of attack methods that can be adopted for a software system. The larger the attack surface of a software, the greater the security risk. The
attack surface includes: fields, protocols, interfaces, services, and hardware attack points

2.2 Target sets the target scope

Purpose: What traffic is recorded and what traffic is not recorded

2.2.1 Determine the same domain

协议、域名和端口必须都相同才算一个域

目录、文件、参数可以不同

Just like in the following table, except that the two domain names in the first row are the same domain, the rest are not the same domain

The protocol in the second line is different.
The main domain name in the third line is different.
The subdomain name in the fourth line is different.
The port in the fifth line is different.

Domain 1	Domain 2
http://www.baidu.com/	http://www.baidu.com/admin?a=1
http://www.baidu.com/	https://www.baidu.com/
http://www.baidu.com/	http://www.baidu.cn/
http://www.baidu.com/	http://blog.baidu.com/
http://www.baidu.com:80/	http://www.baidu.com:7298

2.2.2 Limiting the scope of domains

Only intercept the site, not the content in the site

Whitelist: only these I will block

Blacklist: as long as these are not blocked

For example,
only intercept https://www.baidu.com/
but not https://www.baidu.com/blog

The blacklist path is generally a subpath of the whitelist

2.2.3 Usage Scenarios

1、限定Sitemap和HTTP history记录哪些域的内容
2、限定Spider抓取哪些域的内容
3、限定Scanner扫描哪些域的安全漏洞

Advanced black and white list rule settings

regular expressions can be added

2.3 Sitemap Sitemap

Purpose: Recorded result preservation

2.3.1 Sitemap record type

1、自动（爬行）
	全面但耗费时间
	
2、手动（浏览器访问）
	只记录一次的站点地图
	要求设置好BP和浏览器的代理，并且在访问前关掉拦截

First delete the HTTP history and Target site map

In Intercept, all sitemaps will appear

2.3.2 Default interception

Block some files by default

2.3.3 Interface

2.4 Target result operation

Just right click

2.4.1 Add to scope

It means that there is a whitelist generated for this domain name, and all content except this path will not be recorded in the sitemap

2.4.2 Send to module

sent to the corresponding module

2.4.3 Request in browser

open in browser

2.4.4 Engagement tools

interactive tools

（1）search

Check the exact content

Find the img tag

（2）Find comments

find notes

（3） Find script

Find scripts under domain

（4）Find Reference

View website source

There are many hyperlinks in the webpage, if you want to know where to jump from, you need a reference

作用：
告诉服务器当前请求是从哪个页面链接过来的 

应用场景： 
1、来源统计
2、防盗链

（5）Analyze target

Attack Surface Analysis

Display dynamic links, static links, how many parameters there are

（6）Discover content

Discover content for a domain

Use the built-in dictionary to do a directory scan to determine if certain files or folders exist

（7）Schedule task

timed task

Pausing a task affects many tasks

（8）Manual testing

Manual Test Simulator

2.4.5 Compare site maps

Compare the two response results of HTTP

For example, use different accounts and log in with different parameters

3. Scanning module

3.1 Overview of Vulnerability Scanning

漏洞扫描工具

AWVS、Appscan、Nessus、Openvas、Goby、 Xray、ZAP

3.1.1 Two major functions (Crwal&Audit)

Two functions, crawling and auditing

Active Scanning and Passive Scanning

3.1.2 Three filtering states

3.1.3 Active scanning

Active scanning has a large impact area and is not recommended

Active scan:

1. Method: Crawl all links and detect vulnerabilities
2. Features: Send a large number of requests
3. Use occasions: development and test environments
4. Targeting vulnerabilities:
client-side vulnerabilities, such as XSS, HTTP header injection, and operation redirection.
Server-side vulnerabilities, such as SQL injection, command line injection, and file traversal.

3.1.4 Passive scanning

Passive scanning:
1. Method: Only detect the address of the BP proxy server without crawling
2. Features: Send limited requests
3. Use occasion: production environment
4. For vulnerabilities:
(1) The submitted password is unencrypted plaintext.
(2) Attributes of insecure cookies, such as lack of HttpOnly and security flags.
(3) The scope of the cookie is missing.
(4) Cross-domain script inclusion and site reference leaks.
(5) Autofill form values, especially passwords.
(6) SSL-protected content caching.
(7) Directory listing.
(8) The response is delayed after submitting the password.
(9) Insecure transmission of session tokens.
(10) Leakage of sensitive information, such as internal IP addresses, email addresses, stack tracking and other information leakage.
(11) Unsafe ViewState configuration.
(12) Wrong or irregular Content-Type directive

3.2 Scan function

Select New scan, select the website you built in the scan address, pupstudy

3.2.1 Scan information

3.2.2 Detailed configuration

3.2.2.1 Crawl configuration

(1) Crawling operation settings

(2) Crawl limit

(3) Crawling error handling

3.2.2.2 Audit Configuration

(1) Audit operation settings

(2) Scan result vulnerability report

(3) Scan error handling

(4) Insertion point type

3.2.3 Login settings

If the scanned address needs to log in (backend page), you need to give the account number and password

3.2.4 Crawl crawling example

After setting it up, it has now started crawling

Select crawl in the settings

Select View details to view detailed content

Already crawled to 6 addresses

All crawled addresses are recorded in the logger

3.2.5 Example of passive crawling

Choose Passive Crawl

Choose the first, crawl and audit

First create a crawl configuration

Click on these items and save

Then create a new audit configuration

It shows that it is crawling, and the audit must be performed after the crawl is over, and no loopholes will be reported before the audit

3.3 Live Scan function

Select passive scan

3.4 Generate scan report

After the task is over, the BP report can be exported (must be after the end)

4. Repeater module

4.1 Repeater function

1、发起HTTP请求，分析响应 
2、重放请求

4.2 How to use

new window,

By sending to this module, point send, the content can be modified

5. Intruder module

Translation: invader

Most used for password blasting

5.1 Module function & principle

原理

请求参数进行修改，分析响应内容，获得特征数据

本质：
1、自动化发起HTTP请求
2、基于现成字典或者生成字典

用途

1、猜测用户名、密码等
2、寻找参数、目录等
3、枚举商品ID、验证码等
4、模糊测试（FUZZ）

可替代工具：
wfuzz（全部功能）、dirb（目录扫描）、hydra（暴
破）……

5.2 Password brute force combat & bypass verification code

Stay tuned. . . . . .