BurpSuite Pro Presentation
-
Author: Ömer Coşkun
Fully Automated Pentest: Automate Everything with Burp Suite Extensions
Quickness is the essence of the war. - Sun Tzu
-
Outline
Overview
Minimum Requirements
Burp Extension Installation
Understanding How Extensions Work
Pentest Automation via Burp Extensions
Burp Extensions in a Nutshell
Case Study: Highly Targeted Attacks with Nmap Plugin
Case Study: Fully-Automated XSS Verification
Case Study: Blind SQL Injection via Burp
Case Study: Padding Oracle via Burp
Questions?
-
Minimum Requirements
Platform Requirements:
JAVA JDK v1.8+
Jython v2.0+ (Most Extensions use Creepy JPython)
JRuby vX (Yet Another Java troll to Ruby programmers)
Mac OS X (Apple Java Headaches) - Solution
1. Install Java for Mac from the Apple Website (http://support.apple.com/kb/dl1572)
2. Upgrade Java to Java Development Kit 1.8 from the Oracle Website
3. If you run into issues invoking JAVA v1.8 when running Burp Suite or developing extensions
Quick & Dirty Fix: sudo ln -s /Library/Java/JavaVirtualMachines/jdk1.8.0_20.jdk /System/Library/Java/JavaVirtualMachines/1.6.0.jdk
-
Environment Requirements
Burp supports extensions written in Ruby and Python syntax
For extensions written in Ruby syntax (JRuby required)
For extensions written in Python syntax (Jython required)
-
(Jython + JRuby) vs Java
Jython, successor of JPython, is the Python language entirely written in Java
JRuby, the same idea, is the Ruby language entirely written in Java
Pros (JRuby & Jython) compared to Java: Almost no Java programming knowledge required
Relatively rapid development and prototyping
Cons (JRuby & Jython) compared to Java: Dead slow due to syntax parsing and heap allocation
Memory management issues and extensive heap usage
Gives hackers the temptation to feel as if their code is being interpreted by Python (LOL)
-
Extension Installation
Suggested and Most Preferred Way: Burp Suite > Extensions > BAppStore
Some Extensions require the Pro version (not because they discriminate against the poor but due to API/functional limitations :) )
Some Extensions have 3rd party dependencies or are wrappers of 3rd party applications (e.g. PhantomJS, Radamsa etc.)
-
Extension Installation (contd)
Extension: OK :)
Extension: Failed :(
-
How Extensions Work
-
How Extensions Work (contd)
Class Name - Purpose
BurpExtender - To write our own extension
IBurpExtenderCallbacks - To pass to extensions a set of callbacks (register actions, markers)
ICookie - To retrieve the domain for which the cookie is in scope
IHttpRequestResponse - To retrieve and update details about HTTP messages
IScanIssue - To retrieve details of Scanner issues
IScanQueueItem - To retrieve details of items in the active scan queue
IScannerInsertionPoint - To define an insertion point for use by active Scanner checks
IIntruderPayloadProcessor - To obtain the name of the payload processor
-
Burp Extensions in a Nutshell
Extension Name - Purpose
.NET Beautifier - Makes ViewState info human readable
ActiveScan++ - Extends passive scanning: path injection, Shellshock etc.
Blazer - Generate and fuzz custom AMF messages
Bradamsa - Generate Intruder payloads wisely :)
CO2 - Set of useful tools: sqlmapper, user generator, prettier JS, ASCII payload processor etc.
Logger++ - An extension of the history feature in Burp; more detailed and comprehensive
Session Auth - Helps to identify privilege escalation vulns
WebInspect Connector - Newly built; shares results between Burp and WebInspect
-
Burp Extensions: Additional Scanner Checks
Additional passive Scanner checks: Strict-Transport-Security, X-Content-Type, X-XSS-Protection. In other words, it checks the modern browser security headers.
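The two slides above (the extension API classes and the Additional Scanner Checks extension) come together in a small passive check. The code below is an added example written for this transcript, not the Additional Scanner Checks BApp and not code from the presentation: a Jython extension class named BurpExtender that registers itself through IBurpExtenderCallbacks as a passive scanner check, inspects each response's headers, and reports an IScanIssue when Strict-Transport-Security, X-Content-Type-Options or X-XSS-Protection is missing. The stand-in base classes under the ImportError branch are an assumption so the module also imports outside Burp; the header names in REQUIRED_HEADERS and the sample header lists are constructed for the example.

```python
# Added example (not from the slides or from the Additional Scanner Checks BApp):
# a minimal Jython Burp extension registering a passive scanner check for the
# browser security headers slide 9 describes. The header analysis is plain
# Python so it can be exercised outside Burp as well.
try:
    from burp import IBurpExtender, IScannerCheck, IScanIssue
except ImportError:
    # Assumption for this example: outside Burp (e.g. under CPython) the burp
    # package does not exist, so these empty stand-ins let the module import.
    class IBurpExtender(object):
        pass

    class IScannerCheck(object):
        pass

    class IScanIssue(object):
        pass

# Headers the check expects on every response (full X-Content-Type-Options name).
REQUIRED_HEADERS = [
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-XSS-Protection",
]


def missing_security_headers(header_lines):
    """header_lines is what IResponseInfo.getHeaders() returns: the status line
    first, then one 'Name: value' string per header. Returns the names from
    REQUIRED_HEADERS that are absent, matched case-insensitively."""
    present = set()
    for line in header_lines[1:]:
        name, sep, _value = line.partition(":")
        if sep:
            present.add(name.strip().lower())
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


class BurpExtender(IBurpExtender, IScannerCheck):
    """Burp loads the class named BurpExtender and calls registerExtenderCallbacks."""

    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Security header check (example)")
        callbacks.registerScannerCheck(self)

    def doPassiveScan(self, baseRequestResponse):
        response = baseRequestResponse.getResponse()
        if response is None:
            return None
        headers = list(self._helpers.analyzeResponse(response).getHeaders())
        missing = missing_security_headers(headers)
        if not missing:
            return None
        url = self._helpers.analyzeRequest(baseRequestResponse).getUrl()
        return [MissingHeaderIssue(baseRequestResponse.getHttpService(), url,
                                   [baseRequestResponse], missing)]

    def doActiveScan(self, baseRequestResponse, insertionPoint):
        return None  # passive-only check

    def consolidateDuplicateIssues(self, existingIssue, newIssue):
        # -1 keeps only the existing issue, 0 reports both
        return -1 if existingIssue.getIssueName() == newIssue.getIssueName() else 0


class MissingHeaderIssue(IScanIssue):
    """IScanIssue implementation that Burp renders in the Scanner results."""

    def __init__(self, http_service, url, http_messages, missing):
        self._http_service = http_service
        self._url = url
        self._http_messages = http_messages
        self._missing = missing

    def getUrl(self): return self._url
    def getIssueName(self): return "Missing browser security headers"
    def getIssueType(self): return 0x08000000  # value Burp documents for extension-generated issues
    def getSeverity(self): return "Low"
    def getConfidence(self): return "Certain"
    def getIssueBackground(self): return None
    def getRemediationBackground(self): return None
    def getIssueDetail(self): return "The response lacks: " + ", ".join(self._missing)
    def getRemediationDetail(self): return "Send the listed headers on every response."
    def getHttpMessages(self): return self._http_messages
    def getHttpService(self): return self._http_service


# Constructed sample header lists (not captured from any real site).
WEAK_RESPONSE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "x-xss-protection: 1; mode=block",
]
HARDENED_RESPONSE_HEADERS = WEAK_RESPONSE_HEADERS + [
    "Strict-Transport-Security: max-age=31536000",
    "X-Content-Type-Options: nosniff",
]
```

Loaded through Extensions > Add with the Jython jar configured, the check runs on every response that passes through the Scanner; the separate missing_security_headers function is what you would unit-test before shipping the extension.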
-
Burp Extensions: Session Auth
To identify authentication privilege escalation vulnerabilities.
-
Burp Extensions: Logger++
Captures the requests and responses made by all Burp tools and displays them in a sortable table. It can also save the logged data in CSV format.
-
Burp Extensions: CO2
Set of useful tools: sqlmapper, user generator, prettier JS, ASCII payload processor etc.
-
Highly Targeted Attacks: Nmap Parser
BurpSuite's Nmap Parser extension could be leveraged to perform a highly targeted attack against a large number of domains.
-
Highly Targeted Attacks: Nmap Parser
Once the nmap results stored in an XML file are correctly parsed, they are added to the current target scope.
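What "correctly parsed" means in practice is worth seeing once. The code below is an added example, not the Nmap Parser extension's own code: it reads nmap's -oX output with the standard library, keeps only hosts that are up and ports that are open with a web service, and turns each into the base URL a scope entry needs, which is also how a defender turns a scan of their own estate into an inventory of web endpoints. The XML document is constructed for the example; the hostname, addresses and ports in it are not real.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX style output (not a real scan result) for the example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def scope_urls_from_nmap_xml(xml_text):
    """Return one http(s) base URL per open web port nmap found.
    Hosts that are down and non-web services are skipped, which is the
    filtering needed before entries can go into Burp's target scope."""
    urls = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        # Prefer a resolved hostname over the raw address for the scope entry.
        hostname = host.find("hostnames/hostname")
        address = host.find("address")
        name = hostname.get("name") if hostname is not None else address.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            if state is None or state.get("state") != "open" or service is None:
                continue
            svc = service.get("name", "")
            if not svc.startswith("http"):
                continue
            # nmap reports TLS-wrapped HTTP either as service "https" or with tunnel="ssl".
            tls = svc.startswith("https") or service.get("tunnel") == "ssl"
            urls.append("%s://%s:%s" % ("https" if tls else "http", name, port.get("portid")))
    return urls


if __name__ == "__main__":
    for url in scope_urls_from_nmap_xml(SAMPLE_NMAP_XML):
        print(url)
```

Feeding the real nmap XML to this function yields the same list the extension would add to scope, so it doubles as a check that the parse picked up every open web port you expected.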
-
Highly Targeted Attacks: Nmap Parser
Schedule the scans and let BurpSuite collect all the information for you. The scan could also be staged and scheduled to run in a specific time period.
-
Highly Targeted Attacks: Nmap Parser
This is how your credit card information is being hacked by the criminals in real life!
-
Fully Automated XSS Verification
The xssValidator extension of Burp Suite could be leveraged to fully automate the XSS verification process.
-
Fully Automated XSS Verification
Before starting the XSS verification process, we need to install at least one wrapper to support the extension.
Enable the payload extension after running the wrapper.
-
Fully Automated XSS Verification
Enable the payload processing unit for xssValidator.
Finally, create a grep-and-match rule for Intruder.
-
Fully Automated XSS Verification
Content of xss.js
-
Fully Automated XSS Verification
Let the fun begin :)
-
Case Study: Blind SQL Injection via Burp
SQL Injection Types:
Error Based (Cause an Error in the Response): Run a query that will force the database to produce an error (e.g. a non-existing table name, column number mismatch etc.)
Prerequisite: Verbosity in SQL error messages should be turned on and, of course, the error must be rendered in the response.
Boolean Based (Deduce TRUE/FALSE Responses): Inject a payload which alters the outcome of the original query, which results in different returned page content.
Time Based (Cause a Delay in the Response): Inject a payload that triggers a delay on the SQL server while it processes our query, which in turn slows down the response time of our request.
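The boolean-based type is the one Burp's Intruder exercises in the next slides, and the root cause is the same for all three types: the parameter is concatenated into the SQL text. The code below is an added example, not from the presentation, using an in-memory SQLite table constructed for the purpose: a vulnerable lookup next to its parameterized form, and a probe that sends the same always-true / always-false pair the slide describes and reports whether the two responses differ. The table, rows and function names are all assumptions of the example.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory table (sample data, not from any real system)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
                   [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return db


def lookup_vulnerable(db, name):
    """Vulnerable form: the parameter is pasted into the SQL text, so the
    database parses whatever the client sent as part of the query."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()


def lookup_parameterized(db, name):
    """Hardened form: the value travels as a bound parameter and is never
    interpreted as SQL, whatever characters it contains."""
    return db.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def boolean_condition_is_evaluated(lookup, db):
    """Boolean-based probe from the slide: two inputs that differ only in a
    condition that is always true versus always false. If the two responses
    differ, the database evaluated the injected condition; with the
    parameterized lookup both inputs are just unknown names and match nothing."""
    true_case = lookup(db, "nobody' OR '1'='1")
    false_case = lookup(db, "nobody' OR '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable lookup leaks a boolean:", boolean_condition_is_evaluated(lookup_vulnerable, db))
    print("parameterized lookup leaks a boolean:", boolean_condition_is_evaluated(lookup_parameterized, db))
```

The same difference is what a grep-and-match rule in Intruder keys on: with the vulnerable query the true and false cases return different page content, with the parameterized query they are identical. Time-based injection is not shown because SQLite has no sleep function; its fix is the same bound parameter.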
-
Case Study: Blind SQL Injection via Burp
Boolean Based SQLi via Burp
-
Case Study: Blind SQL Injection via Burp
Time Based SQLi via Burp
-
Case Study: Blind SQL Injection via Burp
Filter Evasion
Comments: or 1=1# , or 1=1 -- , or 1=1/* (MySQL < 5.1) , ' or 1=1;%00
Whitespace: %20 %09 %0a %0b %0c %0d %a0 /**/ , or+(1)sounds/**/like1%a0-
Integer representations: ceil(pi()+pi()): 7, floor(version()+pi()): 8
Hex Encoding (Almost always works):
For more details on filter evasion:
SQLi Filter Evasion: https://websec.wordpress.com/tag/sql-filter-evasion/
RSnake's SQLi CheatSheet: http://ha.ckers.org/sqlinjection/
Ferruh's SQLi CheatSheet: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
Many others: Just Google it.
-
Case Study: Padding Oracle via Burp
Background: It is a side channel attack which is performed on the padding of a cryptographic message.
A block cipher operates on data in fixed-size blocks: 64-bit for DES, 128-bit for AES, etc.
-> What happens if the length of the data isn't a multiple of the block size?
-> What happens if more than one block is identical, and therefore encrypts identically?
-
Case Study: Padding Oracle via Burp
Padding
ANSI X.923: Null bytes ending with the length of the padding
PKCS7: Depends on the padding block length ([01], [02 02], [03 03 03] etc.)
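The two padding schemes on this slide, and the first question on the previous one (what happens when the data is not a multiple of the block size), are easiest to pin down by running them. The code below is an added example, not from the presentation: PKCS#7 and ANSI X.923 padding and their strict removal for an 8-byte (DES-sized) or 16-byte (AES-sized) block, plus a validity check that shows the single bit of information a padding oracle leaks. The function names and the sample inputs are assumptions of the example; the second question on the previous slide (identical blocks under ECB) is not covered here.

```python
def pkcs7_pad(data, block_size):
    """PKCS#7: append n bytes each of value n, 1 <= n <= block_size.
    Input that is already a whole number of blocks gets a full block of
    padding, so removal is always unambiguous."""
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(data, block_size):
    """Strict PKCS#7 removal: every padding byte is checked, not only the
    last one. Raises ValueError on malformed padding."""
    if not data or len(data) % block_size:
        raise ValueError("data is not a whole number of blocks")
    n = data[-1]
    if n < 1 or n > block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def x923_pad(data, block_size):
    """ANSI X.923: zero bytes, with the final byte giving the padding length."""
    n = block_size - (len(data) % block_size)
    return data + b"\x00" * (n - 1) + bytes([n])


def x923_unpad(data, block_size):
    """Strict ANSI X.923 removal: the length byte must be in range and every
    byte before it within the padding must be zero."""
    if not data or len(data) % block_size:
        raise ValueError("data is not a whole number of blocks")
    n = data[-1]
    if n < 1 or n > block_size or any(data[-n:-1]):
        raise ValueError("bad padding")
    return data[:-n]


def is_valid_pkcs7(data, block_size):
    """True if PKCS#7 removal would succeed. A decryption routine that lets the
    client observe this yes/no (a different error page, status code or response
    time for bad padding versus bad content) is the oracle the slides describe;
    the usual defence is to authenticate the ciphertext (a MAC checked before
    decryption) so an attacker-modified message never reaches the unpadding step."""
    try:
        pkcs7_unpad(data, block_size)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, 8-byte blocks as for DES.
    for msg in (b"ABC", b"12345678"):
        print(msg, "->", pkcs7_pad(msg, 8), "|", x923_pad(msg, 8))
```

Note how an 8-byte message still grows to 16 bytes under both schemes: without that full block of padding a trailing 0x08 in the plaintext could not be told apart from padding.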
-
Case Study: Padding Oracle via Burp
Trivially break the cipher
-
Case Study: Padding Oracle via Burp
Exploiting the ASP.NET Padding Oracle - MS10-070 (CVE-2010-3332)
Checking the target with a popular padding verifier (.bat)
Padbuster Exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/43316.pl
-
Case Study: Padding Oracle via Burp
Exploiting the ASP.NET Padding Oracle - MS10-070 (CVE-2010-3332)
If exploitation is successful, the ASP.NET page would reveal the database credentials.
-
Questions?