BurpSuite Pro Presentation x

Automate Penetration Testing with Burp Suite Extensions

  • Author: Ömer Coşkun

    Fully Automated Pentest: Automate Everything with Burp Suite Extensions

    "Quickness is the essence of the war." (Sun Tzu)

  • Outline

    Overview

    Minimum Requirements

    Burp Extension Installation

    Understanding How Extensions Work

    Pentest Automation via Burp Extensions

    Burp Extensions in a Nutshell

    Case Study: Highly Targeted Attacks with Nmap Plugin

    Case Study: Fully-Automated XSS Verification

    Case Study: Blind SQL Injection via Burp

    Case Study: Padding Oracle via Burp

    Questions?

  • Minimum Requirements

    Platform requirements:

    Java JDK v1.8+

    Jython v2.0+ (most extensions use "creepy" JPython)

    JRuby vX (yet another Java troll to Ruby programmers)

    Mac OS X (Apple Java headaches) - solution:

    1. Install Java for Mac from the Apple website (http://support.apple.com/kb/dl1572)

    2. Upgrade Java to Java Development Kit 1.8 from the Oracle website

    3. If you run into issues invoking Java 1.8 when running Burp Suite or developing extensions, quick & dirty fix:

    sudo ln -s /Library/Java/JavaVirtualMachines/jdk1.8.0_20.jdk /System/Library/Java/JavaVirtualMachines/1.6.0.jdk

  • Environment Requirements

    Burp supports extensions written in Ruby and Python syntax:

    For extensions written in Ruby syntax, JRuby is required.

    For extensions written in Python syntax, Jython is required.

  • (Jython + JRuby) vs Java

    Jython, successor of JPython: the Python language entirely written in Java.

    JRuby, the same idea: the Ruby language entirely written in Java.

    Pros (JRuby & Jython) compared to Java:

    Almost no Java programming knowledge required

    Relatively rapid development and prototyping

    Cons (JRuby & Jython) compared to Java:

    Dead slow due to syntax parsing and heap allocation

    Memory management issues and extensive heap usage

    Tempts hackers into feeling as if their code is being interpreted by Python (LOL)

  • Extension Installation

    Suggested and most preferred way: Burp Suite > Extensions > BApp Store

    Some extensions require the Pro version (not because they discriminate against the poor, but due to API/functional limitations :) )

    Some extensions have 3rd-party dependencies or are wrappers around a 3rd-party application (e.g. PhantomJS, Radamsa etc.)

  • Extension Installation (cont'd)

    Extension: OK :)   Extension: Failed :(

  • How Extensions Work (cont'd)

  • How Extensions Work (cont'd)

    Class Name - Purpose

    BurpExtender - to write our own extension

    IBurpExtenderCallbacks - to pass a set of callbacks to extensions (register actions, mark)

    ICookie - to retrieve the domain for which the cookie is in scope

    IHttpRequestResponse - to retrieve and update details about HTTP messages

    IScanIssue - to retrieve details of Scanner issues

    IScanQueueItem - to retrieve details of items in the active scan queue

    IScannerInsertionPoint - to define an insertion point for use by active Scanner checks

    IIntruderPayloadProcessor - to obtain the name of the payload processor

  • Burp Extensions in a Nutshell

    Extension Name - Purpose

    .NET Beautifier - makes ViewState info human readable

    ActiveScan++ - extends passive scanning: path injection, Shellshock etc.

    Blazer - generates and fuzzes custom AMF messages

    Bradamsa - generates Intruder payloads wisely :)

    CO2 - set of useful tools: sqlmapper, user generator, prettier JS, ASCII payload processor etc.

    Logger++ - an extension of the history feature in Burp; more detailed and comprehensive

    Session Auth - helps to identify privilege escalation vulns

    WebInspect Connector - newly built, shares results between Burp and WebInspect

  • Burp Extensions: Additional Scanner Checks

    Additional passive Scanner checks: Strict-Transport-Security, X-Content-Type, X-XSS-Protection. In other words, it checks the modern browser security headers.
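The header check this slide describes, written out as an added example of a Jython extension built on the BurpExtender / IScannerCheck / IScanIssue classes from the table above. This is not the Additional Scanner Checks extension's code nor code from the talk; the extension name, issue text, the 0x08000000 issue-type value (Burp's documented range for extension-generated issues) and the stand-in interface classes used when the `burp` module is absent are my own assumptions. The slide's "X-Content-Type" is taken to mean X-Content-Type-Options, and the check tests presence only, not the header values.

```python
# Added example, not code from the talk or from the extensions it lists.
# Jython-style Burp passive scanner check for the browser security headers
# named on the slide. The inspection logic is a plain function so it also
# runs outside Burp; the `burp` module only exists inside Burp's Jython.
try:
    from burp import IBurpExtender, IScannerCheck, IScanIssue
except ImportError:  # stand-alone run: empty stand-ins for the Burp interfaces
    class IBurpExtender(object):
        pass

    class IScannerCheck(object):
        pass

    class IScanIssue(object):
        pass

# Headers from the slide; the slide's "X-Content-Type" is X-Content-Type-Options.
REQUIRED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security header missing",
    "x-content-type-options": "X-Content-Type-Options header missing",
    "x-xss-protection": "X-XSS-Protection header missing",
}


def missing_security_headers(header_lines):
    """Return finding texts for required headers absent from header_lines.

    header_lines: raw "Name: value" strings as IResponseInfo.getHeaders()
    yields them (status line already removed). Names are case-insensitive.
    """
    present = set()
    for line in header_lines:
        name, sep, _value = line.partition(":")
        if sep:
            present.add(name.strip().lower())
    return [text for name, text in sorted(REQUIRED_HEADERS.items())
            if name not in present]


class HeaderIssue(IScanIssue):
    """Minimal IScanIssue: one issue listing every missing header for a URL."""

    def __init__(self, url, request_response, findings):
        self._url = url
        self._rr = request_response
        self._findings = findings

    def getUrl(self):
        return self._url

    def getIssueName(self):
        return "Missing browser security headers"

    def getIssueType(self):
        return 0x08000000  # Burp's range for extension-generated issues

    def getSeverity(self):
        return "Low"

    def getConfidence(self):
        return "Certain"

    def getIssueBackground(self):
        return None

    def getRemediationBackground(self):
        return None

    def getIssueDetail(self):
        return "<br>".join(self._findings)

    def getRemediationDetail(self):
        return "Set the listed headers on every HTTP response."

    def getHttpMessages(self):
        return [self._rr] if self._rr is not None else []

    def getHttpService(self):
        return self._rr.getHttpService() if self._rr is not None else None


class BurpExtender(IBurpExtender, IScannerCheck):
    """Entry point Burp looks for; registers this class as a scanner check."""

    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Security header check (example)")
        callbacks.registerScannerCheck(self)

    def doPassiveScan(self, baseRequestResponse):
        response = baseRequestResponse.getResponse()
        if response is None:
            return None
        # getHeaders() returns the status line first; drop it
        headers = list(self._helpers.analyzeResponse(response).getHeaders())[1:]
        findings = missing_security_headers(headers)
        if not findings:
            return None
        url = self._helpers.analyzeRequest(baseRequestResponse).getUrl()
        return [HeaderIssue(url, baseRequestResponse, findings)]

    def doActiveScan(self, baseRequestResponse, insertionPoint):
        return None  # passive check only

    def consolidateDuplicateIssues(self, existingIssue, newIssue):
        # -1 keeps the existing issue, 0 reports both
        return -1 if existingIssue.getIssueDetail() == newIssue.getIssueDetail() else 0
```

Loaded through Extender > Extensions > Add with the extension type set to Python (once the Jython jar is configured), Burp instantiates `BurpExtender` and calls `doPassiveScan` for every response it sees. Because the stand-in classes make the same file importable under plain Python, `missing_security_headers` can be unit-tested without Burp at all.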

  • Burp Extensions: Session Auth

    To identify authentication privilege escalation vulnerabilities.

  • Burp Extensions: Logger++

    Captures the requests and responses made by all Burp tools and displays them in a sortable table. It can also save the logged data in CSV format.

  • Burp Extensions: CO2

    Set of useful tools: sqlmapper, user generator, prettier JS, ASCII payload processor etc.

  • Highly Targeted Attacks: Nmap Parser

    Burp Suite's Nmap Parser extension could be leveraged to perform a highly targeted attack against a large number of domains.

  • Highly Targeted Attacks: Nmap Parser (cont'd)

    Once the nmap results stored in an XML file are correctly parsed, they are added to the current scope.

  • Highly Targeted Attacks: Nmap Parser (cont'd)

    Schedule the scans and let Burp Suite collect all the information for you. The scan could also be staged and scheduled to run in a specific time period.

    This is how your credit card information gets hacked by criminals in real life!
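The parsing step the Nmap Parser slides describe, as an added example that is not the extension's own code: read Nmap's XML report and derive the HTTP/HTTPS origins that would go into Burp's scope. The XML document, the hostname and the 192.0.2.x addresses are constructed; `add_to_burp_scope` assumes Burp's `IBurpExtenderCallbacks.includeInScope(java.net.URL)` and runs only inside Burp's Jython.

```python
# Added example (not the Nmap Parser extension's code): Nmap XML -> web origins.
import xml.etree.ElementTree as ET

# Constructed sample report; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="app.example.test" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8000"><state state="open"/><service name="http-alt"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>
"""


def _classify_service(service):
    """Return (is_web, uses_tls) for a <service> element (None if absent)."""
    if service is None:
        return False, False
    name = service.get("name", "")
    tls = service.get("tunnel") == "ssl" or name == "https"
    return name.startswith("http") or tls, tls


def web_origins_from_nmap_xml(xml_text):
    """Return 'scheme://host[:port]/' for every open HTTP(S) port on an up host.

    The hostname Nmap recorded is preferred over the IP so that scope entries
    match what the browser/proxy will actually send in the Host header.
    """
    origins = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip down hosts entirely
        addr_el = host.find("address[@addrtype='ipv4']")
        name_el = host.find("hostnames/hostname")
        if addr_el is None and name_el is None:
            continue
        hostname = name_el.get("name") if name_el is not None else addr_el.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not scope
            is_web, tls = _classify_service(port.find("service"))
            if not is_web:
                continue
            scheme = "https" if tls else "http"
            number = int(port.get("portid"))
            default = 443 if tls else 80
            suffix = "" if number == default else ":%d" % number
            origins.append("%s://%s%s/" % (scheme, hostname, suffix))
    return origins


def add_to_burp_scope(callbacks, origins):
    """Inside Burp (Jython) only: includeInScope takes a java.net.URL."""
    from java.net import URL  # assumption: Jython with Burp's Java classes on the path
    for origin in origins:
        callbacks.includeInScope(URL(origin))


if __name__ == "__main__":
    for origin in web_origins_from_nmap_xml(SAMPLE_NMAP_XML):
        print(origin)
```

The filter on `state="open"` and on HTTP-like service names is what keeps SSH and filtered ports out of the scope, which is exactly the mistake that turns a targeted scan into noise against every port the report lists.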

  • Fully Automated XSS Verification

    The xssValidator extension of Burp Suite could be leveraged to fully automate the XSS verification process.

  • Fully Automated XSS Verification (cont'd)

    Before starting the XSS verification process, we need to install at least one wrapper to support the extension.

    Enable the payload extension after running the wrapper.

  • Fully Automated XSS Verification (cont'd)

    Enable the payload processing unit for xssVerifier.

    Finally, create a grep-and-match rule for Intruder.

  • Fully Automated XSS Verification (cont'd)

    Content of xss.js

  • Fully Automated XSS Verification (cont'd)

    Let the fun begin :)

  • Case Study: Blind SQL Injection via Burp

    SQL Injection Types:

    Error Based (cause an error in the response): run a query that will force the database to produce an error (e.g. non-existing table name, column number mismatch etc.). Prerequisite: verbosity of SQL error messages must be turned on and, of course, the error must be rendered in the response.

    Boolean Based (deduce TRUE/FALSE responses): inject a payload which alters the outcome of the original query, which results in different returned page content.

    Time Based (cause a delay in the response): inject a payload that triggers a delay for the SQL server while processing our query, which in turn slows down the response time of our request.
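To show why the boolean-based variant changes the returned page content, and what the fix looks like on the application side, an added example (not from the talk) using Python's built-in sqlite3: the same lookup written with string concatenation and with a bound parameter. The table, rows and the `' OR 1=1--` style input (which the filter-evasion slide below also lists) are constructed.

```python
# Added example, not from the talk: vulnerable vs parameterised lookup in sqlite3.
import sqlite3


def build_demo_db():
    """Constructed demo table: two published products and one hidden row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)")
    con.executemany(
        "INSERT INTO products(name, published) VALUES (?, ?)",
        [("widget", 1), ("gadget", 1), ("secret-prototype", 0)],
    )
    return con


def lookup_vulnerable(con, name):
    """String concatenation: the caller's input becomes part of the WHERE clause.

    A TRUE condition (e.g. OR 1=1) returns every row, a FALSE one (OR 1=2)
    returns nothing: that difference in page content is what boolean-based
    blind injection reads one bit at a time.
    """
    sql = "SELECT name FROM products WHERE published = 1 AND name = '" + name + "'"
    return sorted(row[0] for row in con.execute(sql))  # sorted for deterministic comparison


def lookup_parameterised(con, name):
    """Bound parameter: the input is only ever compared as a value, never parsed as SQL."""
    sql = "SELECT name FROM products WHERE published = 1 AND name = ?"
    return sorted(row[0] for row in con.execute(sql, (name,)))


if __name__ == "__main__":
    db = build_demo_db()
    for probe in ("widget", "x' OR 1=1--", "x' OR 1=2--"):
        print(repr(probe), lookup_vulnerable(db, probe), lookup_parameterised(db, probe))
```

With the concatenated query the unpublished row leaks as soon as the injected condition is true, and the `--` swallows the closing quote; with the bound parameter the same string simply matches no product name.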

  • Case Study: Blind SQL Injection via Burp (cont'd)

    Boolean Based SQLi via Burp

  • Case Study: Blind SQL Injection via Burp (cont'd)

    Time Based SQLi via Burp

  • Case Study: Blind SQL Injection via Burp - Filter Evasion

    Comments: or 1=1#, or 1=1 --, or 1=1/* (MySQL < 5.1), ' or 1=1;%00

    Whitespace: %20 %09 %0a %0b %0c %0d %a0 /**/, e.g. or+(1)sounds/**/like1%a0-

    Integer representations: ceil(pi()+pi()): 7, floor(version()+pi()): 8

    Hex encoding (almost always works):

    For more details on filter evasion:

    SQLi Filter Evasion: https://websec.wordpress.com/tag/sql-filter-evasion/

    RSnake's SQLi cheat sheet: http://ha.ckers.org/sqlinjection/

    Ferruh's SQLi cheat sheet: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

    Many others: just Google it.

  • Case Study: Padding Oracle via Burp - Background

    It is a side-channel attack performed on the padding of a cryptographic message.

    A block cipher operates on data in fixed-size blocks: 64-bit for DES, 128-bit for AES, etc.

    -> What happens if the length of the data isn't a multiple of the block size?

    -> What happens if more than one block is identical, and therefore encrypts identically?

  • Case Study: Padding Oracle via Burp - Padding

    ANSI X.923: null bytes ending with the length of the padding

    PKCS7: every padding byte holds the padding length ([01], [02 02], [03 03 03] etc.)
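The two padding schemes on this slide, answering the block-size question from the previous one, as an added example that is not code from the talk or from any tool it names: PKCS7 and ANSI X.923 padding with strict unpadding. The ValueError messages and the `padding_is_valid` helper are my own; the point for the next slides is that the True/False this helper computes is exactly what a server must not let a client observe, by message, status code or timing, as distinct from any other decryption failure.

```python
# Added example, not from the talk: PKCS7 and ANSI X.923 padding with strict checks.
# Written with bytearray so it runs under both Jython (Python 2) and Python 3.


def pkcs7_pad(data, block_size=16):
    """Append n bytes each holding the value n, n = bytes needed to reach a block boundary."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be 1..255")
    n = block_size - (len(data) % block_size)  # a full block is added when already aligned
    return bytes(bytearray(data) + bytearray([n]) * n)


def pkcs7_unpad(padded, block_size=16):
    """Strip PKCS7 padding, rejecting anything malformed."""
    buf = bytearray(padded)
    if not buf or len(buf) % block_size:
        raise ValueError("length is not a multiple of the block size")
    n = buf[-1]
    if not 1 <= n <= block_size:
        raise ValueError("padding length out of range")
    if any(b != n for b in buf[-n:]):  # every padding byte must equal n
        raise ValueError("padding bytes inconsistent")
    return bytes(buf[:-n])


def x923_pad(data, block_size=16):
    """ANSI X.923: n-1 zero bytes followed by one byte holding n."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be 1..255")
    n = block_size - (len(data) % block_size)
    return bytes(bytearray(data) + bytearray(n - 1) + bytearray([n]))


def x923_unpad(padded, block_size=16):
    """Strip ANSI X.923 padding, rejecting non-zero filler bytes."""
    buf = bytearray(padded)
    if not buf or len(buf) % block_size:
        raise ValueError("length is not a multiple of the block size")
    n = buf[-1]
    if not 1 <= n <= block_size:
        raise ValueError("padding length out of range")
    if any(b != 0 for b in buf[-n:-1]):  # the n-1 filler bytes must be zero
        raise ValueError("padding filler bytes are not zero")
    return bytes(buf[:-n])


def padding_is_valid(unpad, padded, block_size=16):
    """Boolean view of an unpad routine. This bit is the 'oracle': the server
    must merge it with its integrity (MAC) check and report one generic failure."""
    try:
        unpad(padded, block_size)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for msg in (b"ICE ICE BABY", b"YELLOW SUBMARINE"):
        print(repr(pkcs7_pad(msg)), repr(x923_pad(msg)))
```

Note that a message already aligned to the block size still gains a full block of padding; without that rule the unpadder could not tell a trailing data byte of value 0x01 from padding. Authenticating the ciphertext first (encrypt-then-MAC) and only unpadding messages whose tag verifies removes the oracle regardless of which scheme is used.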

  • Case Study: Padding Oracle via Burp - Trivially break the cipher

  • Case Study: Padding Oracle via Burp - Exploiting the ASP.NET Padding Oracle, MS10-070 (CVE-2010-3332)

    Checking the target with a popular padding verifier (.bat)

    PadBuster exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/43316.pl

  • Case Study: Padding Oracle via Burp - Exploiting the ASP.NET Padding Oracle, MS10-070 (CVE-2010-3332) (cont'd)

    If exploitation is successful, the ASP.NET page would reveal the database credentials.

  • Questions?