[Web Security Introduction] Detailed Explanation of Basic Burp Suite Use

Table of contents

BURP installation, configuration, basic use

BURP installation and configuration

Introduction to HTTP

http request packet format

http response packet format

http status value

Detailed burp function

target tag

The use of target in penetration attack and defense

dashboard tab

scanner tab

proxy tag

intruder tab

repeater tag

comparer tab

BURP installation, configuration, basic use

BURP installation and configuration

Preconditions:

Install JDK 11 and set the environment variables (JAVA_HOME and PATH) so that java can be run from a terminal

First download the official Burp Suite installer and the matching version of burploader, then activate with burploader. burploader is an unofficial third-party loader, not a PortSwigger tool: it runs inside Burp's JVM as a -javaagent, so it can read everything Burp handles, including all intercepted traffic. If you cannot vouch for the jar, use a licensed Pro install or the free Community Edition instead.

1. Install Burp

Choose an installation directory for Burp according to your own habits.

2. After the installation completes, go to Burp's main directory, copy burploader.jar into it, and run it.

3. With a portable (zip) JDK, double-clicking the jar may fail to run it. On Windows 11 open a terminal and run java -jar <your Burp main directory>\burploader.jar. When it starts you see the loader interface shown in the figure; click Run Burp.

4. Copy the license text from the loader into the large box at the top of Burp's license screen and click Next, then click Manual activation. Copy the text under "copy the following data ..." into the loader's activation request field, then copy the loader's activation response into Burp's "paste below ..." box and click Next; activation succeeds.

5. Chinese-language patch (if needed): copy the language pack (BurpSuiteChs.jar) into Burp's main directory.

6. Simplify start-up: create two text files and rename them with a .bat extension, one for starting in Chinese and one for starting in English.

Content of the Chinese start-up script:

@java --illegal-access=permit -Dfile.encoding=utf-8 -javaagent:BurpSuiteChs.jar -noverify -javaagent:burploader.jar -jar burpsuite_pro.jar

Content of the English start-up script:

@java --illegal-access=permit -Dfile.encoding=utf-8 -noverify -javaagent:burploader.jar -jar burpsuite_pro.jar

Save both scripts in Burp's main directory (the jar paths are relative to it); after that you can double-click a script to start. The two -javaagent options load the language pack and the loader into the JVM before Burp itself starts. Note that --illegal-access=permit exists only on JDK 9 to 16 and is ignored with a warning from JDK 17 on, which is why JDK 11 is listed as the precondition, and that -noverify disables bytecode verification for the whole JVM.

7. Browser settings, using Firefox as the example: open the Firefox add-ons store, search for "switchy" and install the proxy-switching extension shown below (SwitchyOmega).

8. In the extension, create a proxy profile pointing at Burp's proxy listener, as shown in the figure below. Burp listens on 127.0.0.1 port 8080 by default.

9. Configure Burp's Proxy listener as shown in the figure below so that it matches the browser profile. When you want Burp to capture packets, switch the browser to the proxy profile; switch back to direct when you are done.

10. With the proxy profile active, browse to http://burp and click CA Certificate in the upper right corner to download Burp's CA certificate. In the Firefox settings search for "certificates", open Certificate Manager, choose Authorities, then Import, and import the downloaded file.

When importing you are asked how far to trust the CA. Tick the trust options (at least "Trust this CA to identify websites") and confirm. Without this, every HTTPS site viewed through Burp shows a certificate error.

Burp can now be used normally. Keep in mind that the browser now trusts a CA whose private key sits in your Burp installation, so use a dedicated testing profile rather than your everyday browser profile.

Introduction to HTTP

http request packet format

Request line: request method, request target (directory path / file, with GET parameters after the ?), HTTP version, for example GET /index.php?id=1 HTTP/1.1

Host: host name of the server (selects the virtual host)

User-Agent: basic information about the client (browser and operating system)

Content-Type: how the parameters in the request body are encoded, for example application/x-www-form-urlencoded

Content-Length: length of the request body in bytes (not of the whole packet)

Referer: URL of the page the request came from

X-Forwarded-For: the client IP as reported by intermediate proxies. The client can set this header itself, so never trust it for access control or logging

Cookie: the client's cookies, typically the session identifier that tells the server which logged-in user is making the request

The headers end with an empty line; whatever follows is the request body.

http response packet format

Status line: HTTP version, status code, reason phrase (server-chosen text), for example HTTP/1.1 200 OK

Date: date and time of the response

Server: web server software and version

X-Powered-By: back-end language or framework (for example PHP/8.1), useful for fingerprinting

Content-Length: length of the response body in bytes

Body: the front-end code (HTML, JavaScript, ...) the server sends back to the client (browser), again separated from the headers by an empty line
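As an added example (not code from the original post), here is a small Python parser that splits a raw HTTP/1.x message of the kind shown in Burp's message editor into the pieces described above: start line, headers and body. The sample request and response are constructed for the example; the host name, cookie value and header values are made up. It also checks that the body length matches the Content-Length header, a mismatch you want to notice after editing a request by hand, and splits the request target into path and GET parameters.

```python
from urllib.parse import parse_qs, urlsplit


def parse_http_message(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request or response into start line, headers and body.

    The header block ends at the first empty line (CRLF CRLF). Header names are
    case-insensitive, so they are stored lower-cased. The body is taken from the
    Content-Length header; length_ok tells the caller whether the declared length
    matches what was actually sent (a stale Content-Length is a common mistake
    when hand-crafting packets).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no empty line terminating the header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    return {
        "start_line": lines[0],
        "headers": headers,
        "body": body[:declared],
        "length_ok": declared == len(body),
    }


def parse_request_line(start_line: str):
    """'POST /login.php?debug=1 HTTP/1.1' -> ('POST', '/login.php?debug=1', 'HTTP/1.1')"""
    method, target, version = start_line.split(" ", 2)
    return method, target, version


def split_target(target: str):
    """Separate the path from the GET parameters: '/a.php?id=1' -> ('/a.php', {'id': ['1']})"""
    parts = urlsplit(target)
    return parts.path, parse_qs(parts.query)


def parse_status_line(start_line: str):
    """'HTTP/1.1 200 OK' -> ('HTTP/1.1', 200, 'OK'); the reason phrase may be empty."""
    parts = start_line.split(" ", 2)
    reason = parts[2] if len(parts) > 2 else ""
    return parts[0], int(parts[1]), reason


# Constructed sample traffic (made-up host, cookie and values), not captured from a real site.
SAMPLE_REQUEST = (
    b"POST /login.php?debug=1 HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 29\r\n"
    b"Referer: http://target.example/login.php\r\n"
    b"X-Forwarded-For: 127.0.0.1\r\n"  # client-supplied, so never trusted for access control
    b"Cookie: PHPSESSID=abc123\r\n"
    b"\r\n"
    b"username=admin&password=pass1"
)

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.57\r\n"
    b"X-Powered-By: PHP/8.1.0\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"<html>Login failed</html>"
)

if __name__ == "__main__":
    req = parse_http_message(SAMPLE_REQUEST)
    method, target, version = parse_request_line(req["start_line"])
    print(method, split_target(target), version, req["headers"]["host"], req["length_ok"])
    resp = parse_http_message(SAMPLE_RESPONSE)
    print(parse_status_line(resp["start_line"]), resp["headers"]["x-powered-by"], resp["body"])
```

The parser deliberately reads only as many body bytes as Content-Length declares; if you shorten a body in Repeater without updating the header, length_ok turns False, which is the same condition that makes a real server wait for bytes that never arrive.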

http status value

When a client requests a page on your site (a user's browser, or a crawler such as Googlebot), the server answers with an HTTP status code that tells the client what happened to the request.

Some common status codes are:

200 - The server returned the page successfully

404 - The requested page does not exist

503 - Service Unavailable (the server is overloaded or down for maintenance)

1xx (Provisional response) The request was received and the client should continue.

100 (Continue) The server has received the request headers and the client should send the body (used with the Expect: 100-continue header).

101 (Switching Protocols) The client asked to switch protocols (for example to WebSocket) and the server agrees.

2xx (Success) The request was received, understood and processed.

200 (OK) The server processed the request and, usually, returned the requested page. If robots.txt returns 200, crawlers such as Googlebot fetched it successfully.

201 (Created) The request succeeded and a new resource was created.

202 (Accepted) The request was accepted for processing but has not been completed yet.

203 (Non-Authoritative Information) The request succeeded, but the returned headers may come from another source (a proxy, for instance) rather than the origin server.

204 (No Content) The request succeeded but there is no body to return.

205 (Reset Content) Like 204, but the client should also reset the document view (for example clear the form so new input can be entered).

206 (Partial Content) The server fulfilled a range request (Range header) and returned only the requested part of the resource.

3xx (Redirection) Further action by the client is needed to complete the request, usually following the URL in the Location header. Long redirect chains cause problems for crawlers (Google recommends no more than 5 redirects per request), and crawl diagnostics tools list URLs that could not be crawled because of redirect errors.

300 (Multiple Choices) The server can respond in several ways. It may pick one based on the requester (user agent) or offer a list for the requester to choose from.

301 (Moved Permanently) The resource now lives permanently at the URL in Location; browsers follow it automatically for GET and HEAD. Use it to tell Googlebot that a page or site has moved permanently.

302 (Found, temporarily moved) The resource is temporarily served from a different URL, but the client should keep using the original URL in future. Browsers follow it like a 301, but do not use it to signal a permanent move, because crawlers keep the original URL indexed.

303 (See Other) The client should fetch the result with a separate GET request to the URL in Location (typically after a POST). For all methods except HEAD the client is redirected automatically.

304 (Not Modified) The resource has not changed since the client's last conditional request (If-Modified-Since or If-None-Match header), so no body is returned. Configure the server to answer this way for unchanged pages; it saves bandwidth on repeated crawls.

305 (Use Proxy) The resource must be fetched through the proxy named in Location. Deprecated; modern browsers ignore it.

307 (Temporary Redirect) Like 302, the resource is temporarily at another URL and the original URL remains valid. Unlike 302, the client must repeat the request with the same method and body (a POST stays a POST). Like 302, it is not a signal of a permanent move.

4xx (Client error) The request appears to be wrong, or cannot be fulfilled as sent.

400 (Bad Request) The server could not understand the request syntax.

401 (Unauthorized) Authentication is required; credentials are missing or were rejected. Expect it on pages that require login.

403 (Forbidden) The server understood the request but refuses to serve it. If Googlebot gets this on valid pages, the server or host is probably blocking the crawler.

404 (Not Found)

The server could not find the requested resource; the usual answer for a URL that does not exist.

If your site has no robots.txt, a 404 for /robots.txt is the correct answer. If you do have one and still see 404, the file is probably misnamed or in the wrong place (it must be /robots.txt at the top level of the host).

A 404 on URLs a crawler reached usually means it followed a stale or mistyped link from another page.

405 (Method Not Allowed) The request method (PUT, DELETE, ...) is not allowed for this resource. When testing, a 405 still tells you that the resource exists.

406 (Not Acceptable) The server cannot produce a response matching the Accept headers sent by the client.

407 (Proxy Authentication Required) Like 401, but the client must first authenticate to the proxy.

408 (Request Timeout) The server gave up waiting for the client to finish sending the request.

409 (Conflict) The request conflicts with the current state of the resource (for example a PUT that collides with an earlier change); the response should describe the conflict.

410 (Gone) The resource has been permanently removed. Like 404, but explicitly says the resource used to exist. If it moved instead, use 301 with the new location.

411 (Length Required) The server refuses the request without a Content-Length header.

412 (Precondition Failed) A precondition in the request headers (If-Match, If-Unmodified-Since, ...) was not met.

413 (Payload Too Large, formerly Request Entity Too Large) The request body exceeds what the server will process.

414 (URI Too Long) The request URI is longer than the server will handle.

415 (Unsupported Media Type) The request body is in a format the resource does not accept.

416 (Range Not Satisfiable) The requested byte range cannot be served.

417 (Expectation Failed) The server cannot meet the Expect request header.

5xx (Server error) The server failed while handling a request that may itself be valid.

500 (Internal Server Error) An unexpected error stopped the server from completing the request. During testing, a 500 that appears after you modify a parameter often means the input reached code that did not expect it, which is worth investigating.

501 (Not Implemented) The server does not support what the request requires, for example an unrecognised request method.

502 (Bad Gateway) The server, acting as a gateway or proxy, received an invalid response from the upstream server.

503 (Service Unavailable) The server is temporarily unable to serve requests (overloaded or down for maintenance).

504 (Gateway Timeout) The server, acting as a gateway or proxy, did not receive a timely response from the upstream server.

505 (HTTP Version Not Supported) The server does not support the HTTP version used in the request.

Detailed burp function

target tag

Target (Site map) collects every request the browser (the client) has sent through the proxy, together with the response the target server returned, like a traffic monitor organised by host. The panes in the figure:

Pane 1 is the site tree: the hosts, directories and files seen in your traffic

Pane 2 is the list of individual requests under the node selected in pane 1

Pane 3 is the Issues list: findings from passive scanning of the traffic. Severity is shown by colour: grey is informational, blue low, orange medium, red high. These are automated hints, often of limited value on their own, and each must be confirmed manually

Pane 4 is the detail of the issue selected in pane 3

Panes 5 and 6 show the request packet and the response packet of the selected item

The use of target in penetration attack and defense

1. Collecting more of the target's assets (hosts, directories, files and parameters that appear in traffic)
2. Revealing automatically loaded interfaces and content (API calls, background requests, hidden resources) that a visitor never sees in the page but that are obvious once the traffic is captured

dashboard dashboard

Shows the running tasks (crawl and audit), the issue activity feed and the event log; in other words, whether Burp's automated crawl of the target site is running and how far it has got.

scanner scanner

The scanner crawls the target site automatically and, in audit mode, tests what it finds. Start it from Target: right-click an item in the site map and choose Scan. In the scan dialog (numbers refer to the figure):

1 Scan details: choose crawl only, or crawl and audit

2 Scan configuration: crawl depth, audit speed and thoroughness, and similar settings

3 Application login: credentials the crawler uses to log in automatically

4 Resource pool: how many concurrent requests to send, and at what rate

5 Protocol settings: whether to scan over HTTP, HTTPS or both

6 The URLs to scan

An audit sends large numbers of attack payloads to the target, so only run it against systems you are authorised to test, and set the resource pool conservatively on fragile applications.

proxy tag

The Proxy tab is mainly for capturing packets. With interception turned on, each request stops here before it reaches the server and you choose what happens next:

Forward sends this packet on to the server (after any edits you made)

Drop discards this packet; the browser gets no response

Intercept is on / Intercept is off is the toggle; when it is off, traffic passes through without stopping but is still recorded under HTTP history

Action lists everything you can do with this packet, including sending it to other tabs (Repeater, Intruder, Comparer) for further work

intruder label

Intruder is used to brute-force user names and passwords, directories, or parameter values.

Brute-force example:

Start the target machine, turn on interception, and submit the login form with any user name and password.

Send the captured request containing the credentials to Intruder (right-click, then Send to Intruder).

Configure the brute-force parameters and positions; the target host stays as captured by default.

Choose the attack position. Only the password is brute-forced here, so mark only the password value: clear the default markers, select the password value and click Add § on the right.

Load the password dictionary file in the Payloads tab.

Adjust the thread count (the default is fine; more threads are faster but more likely to trigger rate limiting or account lockout).

Finally click Start attack in the upper right.

The attack window shows the current state of the attack.

To find the successful attempt, click the Length column to sort by response length (Status is equally useful): almost every attempt gets the same failure page, and the one with a different length or status (for example a 302 redirect instead of the 200 login page) is the hit. Brute-forcing is a process of finding differences.
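As an added example that is not from the original post, the following Python script performs the same attack as the Intruder steps above against a throw-away login server that it starts itself on localhost. The server, the fixed credential pair admin / letmein123 and the five-word dictionary are all constructed for the demo; nothing here contacts a real target. It sends one POST per candidate password, records each response's status code and body length, and then does what sorting Intruder's results by Length achieves: it treats the most common (status, length) pair as the baseline and reports every attempt that differs from it, which here is the single 302 redirect that carries a session cookie.

```python
import http.client
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode

# Constructed demo target: one valid credential pair. Hypothetical values, used
# only so the script can run offline against itself.
VALID_USER = "admin"
VALID_PASS = "letmein123"


class DemoLoginHandler(BaseHTTPRequestHandler):
    """Toy login endpoint: 302 plus session cookie on success, 200 error page otherwise."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode("utf-8", "replace"))
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if self.path == "/login" and user == VALID_USER and password == VALID_PASS:
            self.send_response(302)
            self.send_header("Location", "/dashboard")
            self.send_header("Set-Cookie", "session=0123456789abcdef; HttpOnly")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"<html><body>Invalid username or password</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo server quiet


def start_demo_server():
    """Bind the demo target to a free localhost port and serve it in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoLoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_login(host, port, username, password):
    """One POST /login, the request Intruder replays; returns (status, body length)."""
    body = urlencode({"username": username, "password": password}).encode()
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("POST", "/login", body=body,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def brute_force(host, port, username, wordlist):
    """Sniper attack over the password position: one request per dictionary entry."""
    return [(pw, *try_login(host, port, username, pw)) for pw in wordlist]


def find_outliers(results):
    """What sorting Intruder's results by Length achieves: most attempts share one
    (status, length) signature; anything that differs from that baseline is a hit
    (or a lockout or rate limit kicking in, which is equally worth noticing)."""
    if not results:
        return []
    signatures = Counter((status, length) for _, status, length in results)
    baseline = signatures.most_common(1)[0][0]
    return [r for r in results if (r[1], r[2]) != baseline]


def run_attack(username, wordlist):
    """Start the demo target, run the dictionary against it, and return the outliers."""
    server = start_demo_server()
    try:
        host, port = server.server_address
        return find_outliers(brute_force(host, port, username, wordlist))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    WORDLIST = ["123456", "password", "admin", "letmein123", "qwerty"]  # constructed dictionary
    for pw, status, length in run_attack(VALID_USER, WORDLIST):
        print(f"candidate {pw!r}: status {status}, length {length}  <- differs from baseline")
```

Run this kind of script against anything other than the demo only with authorisation, and keep the rate low: real applications lock accounts or rate-limit after a few failures, and that control shows up in the result list the same way a hit does, as a new status code appearing part way through the run.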

repeater tag

Repeater lets you take one request, edit it, send it as many times as you want with different changes, and read each response immediately.

Edit the packet in the left pane and click Send; the live response from the server appears on the right.

comparer comparison label

Comparer shows the differences between two packets (two requests or two responses), by words or by bytes, with the differing content highlighted. A typical use is comparing the responses to two nearly identical requests, for example a valid and an invalid user name, to see what the application gives away.
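As an added example (not from the original post), here is a word-level diff like Comparer's Words view, written in Python with the standard difflib module. The two responses are constructed: the same login endpoint answering once for an existing user name with a wrong password and once for an unknown user name. The differing span shows that the application reveals which user names exist (user name enumeration), which is exactly the kind of difference Comparer is used to find.

```python
import difflib


def diff_responses(resp_a: str, resp_b: str):
    """Compare two HTTP messages word by word, like Comparer's Words mode.

    Returns one entry per differing region as (change, text_in_a, text_in_b),
    where change is 'replace', 'delete' or 'insert'. Equal regions are dropped,
    so two identical messages yield an empty list.
    """
    a_words, b_words = resp_a.split(), resp_b.split()
    matcher = difflib.SequenceMatcher(a=a_words, b=b_words, autojunk=False)
    return [
        (tag, " ".join(a_words[i1:i2]), " ".join(b_words[j1:j2]))
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]


# Constructed responses (not captured from a real application): the same login
# endpoint answering a known user with a wrong password, and an unknown user.
RESP_KNOWN_USER = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 35\r\n\r\n"
    "<p>Incorrect password for admin</p>"
)
RESP_UNKNOWN_USER = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 23\r\n\r\n"
    "<p>Unknown username</p>"
)

if __name__ == "__main__":
    for change, left, right in diff_responses(RESP_KNOWN_USER, RESP_UNKNOWN_USER):
        print(f"{change}: {left!r} -> {right!r}")
```

The Content-Length value is part of the reported difference as well, which is why sorting Intruder results by length catches the same enumeration without reading a single body.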

 


Source: blog.csdn.net/beijimao_/article/details/126910394