
January 5, 2012

Web Proxy [Burp] - Third Session

Last time we finished talking about the Web Proxy and its features.

We learned how to use some of the main functions: intercepting requests, adding them to the target scope and repeating requests.

Today we're going to discuss the Intruder.

Although I'm not a big fan of Burp's Intruder, it is a nice tool to start with for those who haven't experienced a brute force attack yet.

So first things first, what is a brute force attack? In the textbook sense it is a strategy that can, in theory, be used against any encrypted data: when no other weakness in the encryption system can be exploited (if any exists), you systematically check every possible key until the correct one is found. In the worst case this means walking the entire search space. The same idea applies to a login form, which is what we do today: instead of keys we try every candidate username or password, so the size of the character set and the length of the values decide whether the attack is feasible at all.

Now that we know what a brute force attack is, let's try to understand the Intruder.
As promised, with a nice example 8-)

Let's configure Burp with our browser like I taught you, and step into the Proxy tab.

Now open this link in your browser: http://phone.ipkall.com/login.asp

IPKall phone number : aaaa
Password: admin

Don't press Submit yet!! Double check that Proxy --> Intercept is ON.
Now, when you press Submit, the form will be sent and stop in Burp's interceptor.
Does Burp's icon blink? Good, now go back to Burp's Intercept tab. Do you see the request?

POST /process.asp?action=verify HTTP/1.1
Host: phone.ipkall.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Origin: http://phone.ipkall.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://phone.ipkall.com/login.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: he-IL,he;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQQQBBSTR=BPPECJCBBONJIMBIPPKNGEHF
Content-Length: 40

txtDID=aaaa&txtPswd=admin&submit1=Submit


A POST request is sent to the host, to this page: /process.asp?action=verify
But we don't have a phone number or a password for this site... Now what??

O.k., so right-click with your mouse and pick "Send to Intruder" (third item from the top).
Now go to the Intruder tab. What do you see?
Four sub-tabs: Target, Positions, Payloads and Options.

Target - easy: your host and port. 80 means plain HTTP; the "Use SSL" option is for HTTPS, which usually runs on port 443. It is worth reading more about ports and the SSL/TLS protocol.

Positions - here you can see that Burp has identified the request and marked every parameter value with this § sign, for example §verify§.

Payloads - this tab is used to configure the inputs that will be injected between each pair of § markers. The attacker picks a payload set and gets an estimated number of payloads and requests for the attack. That way he can check whether he needs fewer or more positions and payloads, depending on the time he has for the attack.
He can also add processing rules, or decide whether to URL-encode characters that would otherwise break the request.

Options - Irrelevant at this point.

Go back to Positions:
This strange (§) sign marks the place where your input will be injected.
But where do we want to inject our input?!... Well, for a brute force attack we want to inject into the form's text fields!
But where are they? In the browser they're easy to recognize, but here it's all one big request!!
Well guys... the trick is to mark them! Just like last lesson, when we set a parameter's value to 123
and then looked for that string in the response page in order to inject malicious code. Same goes here:
we typed some values before we clicked Submit, and we chose values that are unlikely to appear anywhere else in the request, so they are easy to spot.
Let's look for 'aaaa' and 'admin'.

Here it is:
txtDID=§aaaa§&txtPswd=§admin§&submit1=§Submit§
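Here is an added example (not code from the original post) that does by hand what Burp's Positions tab does when it auto-marks a request: it splits the captured request, wraps every query-string and form-body value in § markers, and then finds which parameters hold the values we typed into the form ('aaaa' and 'admin'). The request is the one captured above, embedded here so the script runs offline; nothing is sent anywhere, and the shorter header list is just to keep the example readable.

```python
"""Added example (not part of the original post): mark Intruder payload
positions in a captured request the way Burp's Positions tab does."""
from urllib.parse import urlsplit

MARK = "§"  # Burp's payload-position marker

# The POST captured in the post (headers trimmed). Nothing is sent anywhere.
RAW_REQUEST = (
    "POST /process.asp?action=verify HTTP/1.1\r\n"
    "Host: phone.ipkall.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: ASPSESSIONIDQQQBBSTR=BPPECJCBBONJIMBIPPKNGEHF\r\n"
    "Content-Length: 40\r\n"
    "\r\n"
    "txtDID=aaaa&txtPswd=admin&submit1=Submit"
)


def split_request(raw):
    """Return (request line, header dict, body) from a raw HTTP/1.1 request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(": ")
        headers[name] = value
    return lines[0], headers, body


def parse_params(encoded):
    """Split 'a=1&b=2' into [(name, raw_value), ...] without URL-decoding,
    so the marked request still matches what was captured byte for byte."""
    pairs = []
    for part in encoded.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def mark_positions(encoded):
    """Wrap each parameter value in §...§ (what 'Auto §' does on a body or query)."""
    return "&".join(f"{k}={MARK}{v}{MARK}" for k, v in parse_params(encoded))


def params_holding(encoded, typed_values):
    """Names of the parameters whose value is one of the strings we typed in."""
    return [k for k, v in parse_params(encoded) if v in typed_values]


def marked_request(raw):
    """The whole request with query-string and body values marked, as Burp shows it.
    Burp strips the markers before sending, so Content-Length is left untouched."""
    request_line, headers, body = split_request(raw)
    method, target, version = request_line.split(" ")
    url = urlsplit(target)
    if url.query:
        target = f"{url.path}?{mark_positions(url.query)}"
    head = [f"{method} {target} {version}"]
    head += [f"{k}: {v}" for k, v in headers.items()]
    if "application/x-www-form-urlencoded" in headers.get("Content-Type", ""):
        body = mark_positions(body)
    return "\r\n".join(head) + "\r\n\r\n" + body


if __name__ == "__main__":
    print(marked_request(RAW_REQUEST))
    _, _, body = split_request(RAW_REQUEST)
    print("positions for our typed values:", params_holding(body, {"aaaa", "admin"}))
```

Running it prints the request with action, txtDID, txtPswd and submit1 all marked, and then ['txtDID', 'txtPswd'], which are the two positions the rest of this lesson works with.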

Now we know we want to inject into these parameters: txtDID and txtPswd.
There are several scenarios:
1. I have a stolen DID but no password.
2. I have a stolen password but no DID.
3. I have neither of them.
and maybe a few more, but those are the main ones.

So let's go through these three so we know how to use them:
1. If I have one DID and I want to find its password -
in Positions, leave txtDID with the value you have, say 'Admin'.
Now empty txtPswd so it looks like §§, and clear all the other § markers (the "Clear §" button does this).
It should look like this: txtDID=Admin&txtPswd=§§&submit1=Submit
Now go to Payloads and make the following changes:
a. pick 'Brute forcer' from the payload type drop-down.
b. select the characters to use (if the form is case sensitive, add ABCD...XYZ next to abcd...xyz, and add digits if passwords may contain them).
c. edit the min. and max. length. Keep an eye on the payload count Burp shows: it is the character set size raised to the length, summed over every length in the range, so 36 characters at lengths 1 to 4 is already 1,727,604 requests.
d. go to Burp's top bar ---> Intruder ---> Start attack.

2. If you have one password and you want to find the DID -
same as (1), but the positions should look like this: txtDID=§§&txtPswd=Admin&submit1=Submit
Take the same steps.

3. Same here, positions: txtDID=§§&txtPswd=§§&submit1=Submit
With two positions marked, change the attack type at the top of the Positions tab from 'Sniper' (the default, which fuzzes one position at a time and leaves the other one empty) to 'Cluster bomb', which tries every combination of the two payload sets. The request count is then the product of the two sets, so keep both small.

Now when you press 'Start attack', a window pops up with a live results table
of the attack running against the page right now.
On the top bar of that window press Attack ---> Pause.
Now look at the table: the most important column you need to mind is the Length!
Most of the responses will have the same length, but the right values change the size of the page,
meaning they passed the authentication. Check the Status column as well: a successful login often answers with a 302 redirect where the failures answer 200.
The length trick can mislead when the error page echoes the value you sent, so sort by Length and read the actual response of the outliers before trusting them.
Also keep in mind that many login forms lock the account or throttle requests after a few failures, so a long run may stop finding anything even when the right value is in your set.
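As an added example (not code from the original post), the three cases above and the Length column modelled in plain Python: the 'Brute forcer' payload type (every string over a character set between a min and max length), the payload count the Payloads tab estimates, the Cluster bomb combination for two positions, and picking the response whose length differs from the rest. The login check is a constructed stand-in for /process.asp?action=verify with made-up credentials ("ab1" / "zz"); nothing is sent to the real site.

```python
"""Added example (not part of the original post): a model of Intruder's
Brute forcer payloads, Cluster bomb attack type and Length-column analysis."""
import itertools
from collections import Counter


def brute_forcer(charset, min_len, max_len):
    """Yield every string over charset with min_len..max_len characters,
    shortest first, the way Intruder's Brute forcer payload type walks them."""
    for length in range(min_len, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            yield "".join(chars)


def payload_count(charset_size, min_len, max_len):
    """The payload count the Payloads tab estimates for one position."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def cluster_bomb(did_payloads, pswd_payloads):
    """Case 3: every combination of the two payload sets, one request each."""
    return itertools.product(did_payloads, pswd_payloads)


# Constructed target credentials; the attack code below never reads them directly.
_SECRET = ("ab1", "zz")


def fake_login(did, pswd):
    """Stand-in for the ASP page, returning (status, body). Success answers with
    a redirect, failure with a fixed error page, like many real login forms."""
    if (did, pswd) == _SECRET:
        return 302, "<html>Redirecting to /account.asp</html>"
    return 200, ("<html>Login failed. Please check your IPKall phone "
                 "number and password.</html>")


def attack(send, payloads):
    """Send each payload and record (payload, status, length): one row of the
    Intruder results table per request."""
    rows = []
    for payload in payloads:
        status, body = send(payload)
        rows.append((payload, status, len(body)))
    return rows


def outliers(rows):
    """Rows whose Length differs from the most common one: the candidates to
    inspect after Attack -> Pause. Returns [] when nothing stood out."""
    if not rows:
        return []
    baseline = Counter(length for _, _, length in rows).most_common(1)[0][0]
    return [row for row in rows if row[2] != baseline]


def case1_known_did(did, charset, min_len, max_len):
    """Case 1: txtDID fixed, txtPswd=§§ fed from the Brute forcer (Sniper)."""
    return outliers(attack(lambda p: fake_login(did, p),
                           brute_forcer(charset, min_len, max_len)))


def case3_nothing_known(did_charset, did_len, pswd_charset, pswd_len):
    """Case 3: both positions marked, Cluster bomb over two Brute forcer sets."""
    dids = brute_forcer(did_charset, *did_len)
    pswds = list(brute_forcer(pswd_charset, *pswd_len))  # reused for every DID
    return outliers(attack(lambda pair: fake_login(*pair), cluster_bomb(dids, pswds)))


if __name__ == "__main__":
    print("36 chars, length 1-4:", payload_count(36, 1, 4), "payloads")
    print("case 1 outliers:", case1_known_did("ab1", "abcdefghijklmnopqrstuvwxyz", 1, 2))
    print("case 3 outliers:", case3_nothing_known("ab1", (1, 3), "z", (1, 2)))
```

Case 1 sends 702 requests (26 + 26^2) and the only row with a different length is the one for "zz", with status 302. Case 3 sends 39 x 2 = 78 requests and finds ("ab1", "zz"). The outlier rule is the same "everything else has one length" heuristic you apply by eye in the results window, which is exactly why an error page that echoes the payload defeats it.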

Repeat this a few times on different forms. Later on I will teach you about a nice tool called Bruter. Also, I'll show you a nice and easy brute force attack that I did a few months ago.
It is far more useful.

See you next time, when we discuss the Spider.

Thank you for reading.
You're welcome to promote me by inboxing the uTest team.

Cheers,

Ce@ser
