burpsuite
Listing 101 - Starting Burp Suite from a terminal shell
After our initial launch, we’ll first notice a warning that Burp Suite has not been tested on our
Java Runtime Environment (JRE).[345] Since the Kali team always tests Burp Suite on the Java version
shipped with the OS, we can safely ignore this warning.
[345] (Oracle, 2022), https://www.java.com/en/download/help/whatis_java.html
Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
Figure 83: Burp Suite JRE warning
Once it launches, we’ll choose Temporary project and click Next.
Figure 84: Burp Startup
We’ll leave Use Burp defaults selected and click Start Burp.
Figure 85: Burp Configuration
After a few moments, the UI will load.
Figure 86: Burp Suite User Interface
The initial four panes of the interface primarily serve as a summary for the Pro version scanner,
so we can ignore them. Instead, we are going to focus on the features present on the tabs in the
upper bar.
Let’s start with the Proxy tool. In general terms, a web proxy is any dedicated hardware or
software meant to intercept requests and/or responses between the web client and the web
server. This allows administrators and testers alike to modify any requests that are intercepted by
the proxy, both manually and automatically.
Some web proxies are employed to intercept company-wide TLS traffic. Known
as TLS inspection devices, these perform decryption and re-encryption of the
traffic and thus nullify any privacy layer provided by the HTTPS protocol.
With the Burp Proxy tool, we can intercept any request sent from the browser before it is passed
on to the server. We can change almost anything about the request at this point, such as
parameter names or form values. We can even add new headers. This lets us test how an
application handles unexpected arbitrary input. For example, an input field might have a size limit
of 20 characters, but we could use Burp Suite to modify a request to submit 30 characters.
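The size-limit case above seen from the server's side, as an added example that is not part of the course material: a constructed form field is parsed once by a handler that relies on the browser's 20-character limit and once by a handler that re-checks the value itself. The field name username, the handler names and the sample request bodies are assumptions made for illustration.

```python
from urllib.parse import parse_qs

MAX_LEN = 20  # the limit the form advertises to the browser (assumed field: username)

# Constructed sample bodies: what the browser submits (20 chars) and the same
# request after the value was edited in an intercepting proxy (30 chars).
BROWSER_BODY = "username=" + "a" * 20
EDITED_BODY = "username=" + "a" * 30


def handle_trusting(body: str) -> str:
    """Accepts whatever arrives, assuming the browser enforced the limit."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("username", [""])[0]


def handle_validating(body: str) -> str:
    """Re-checks the field on the server; raises ValueError when out of contract."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    values = fields.get("username", [])
    # A proxy can also add or rename parameters, so require exactly one value.
    if len(values) != 1:
        raise ValueError("username must appear exactly once")
    value = values[0]
    if not 1 <= len(value) <= MAX_LEN:
        raise ValueError(f"username length {len(value)} outside 1..{MAX_LEN}")
    return value


def outcome(handler, body: str) -> str:
    """Runs a handler and reports whether the request was accepted."""
    try:
        return f"accepted ({len(handler(body))} chars)"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, body in (("browser", BROWSER_BODY), ("edited", EDITED_BODY)):
        print(name, "| trusting:", outcome(handle_trusting, body))
        print(name, "| validating:", outcome(handle_validating, body))
```

The trusting handler stores the 30-character value unchanged, which is the behaviour a tester is looking for when modifying requests in the proxy; the validating handler treats the browser's limit as a hint and enforces the contract itself.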
In order to set up a proxy, we will first click the Proxy tab to reveal several sub-tabs. We’ll also
disable the Intercept tool, found under the Intercept tab.
When Intercept is enabled, we have to manually click on Forward to send each
request to its destination. Alternatively, we can click Drop to not send the
request. There are times when we will want to intercept traffic and modify it, but
when we are just browsing a site, having to click Forward on each request is very
tedious.
Figure 87: Turning Off Intercept
Next, we can review the proxy listener settings. The Options sub-tab shows what ports are
listening for proxy requests.
Figure 88: Proxy Listeners
By default, Burp Suite enables a proxy listener on localhost:8080. This is the host and port that our
browser must connect to in order to proxy traffic through Burp Suite.
Burp Suite is now shipped with its own Chromium-based native web browser,
which is preconfigured to work with all Burp’s features. However, for this course
we are going to exclusively rely on Kali’s Firefox browser because it is a more
flexible and modular option.
Let’s demonstrate how to configure our local Kali machine with the Firefox browser to use Burp
Suite as a proxy.
In Firefox, we can do this by navigating to about:preferences#general, scrolling down to
Network Settings, then clicking Settings.
Let’s choose the Manual option, setting the appropriate IP address and listening port. In our case,
the proxy (Burp) and the browser reside on the same host, so we’ll use the loopback IP address
127.0.0.1 and specify port 8080.
In some testing scenarios, we might want to capture the traffic from multiple
machines, so the proxy will be configured on a standalone IP. In such cases, we
will configure the browser with the external IP address of the proxy.
Finally, we also want to enable this proxy server for all protocol options to ensure that we can
intercept every request while testing the target application.
Figure 89: Firefox Proxy Configuration.
With Burp configured as a proxy on our browser, we can close any extra open Firefox tabs and
browse to http://www.megacorpone.com. We should find the intercepted traffic in Burp Suite
under Proxy > HTTP History.
Figure 90: Burp Suite HTTP History
We can now review the various requests our browser performed towards our target website.
If the browser hangs while loading the page, Intercept may be enabled. Switching
it off will allow the traffic to flow uninterrupted. As we browse to additional
pages, we should observe more requests in the HTTP History tab.
By clicking on one of the requests, the entire dump of client requests and server responses is
shown in the lower half of the Burp UI.
Figure 91: Inspecting the first HTTP request.
On the left pane we can visualize the client request details, with the server response on the right
pane. With this powerful Burp feature, we can inspect every detail of each request performed,
along with the response. We’ll make use of this feature often during upcoming Modules.
Why does “detectportal.firefox.com” keep showing up in the proxy history? A
captive portal[346] is a web page that serves as a sort of gateway page when
attempting to browse the Internet. It is often displayed when accepting a user
agreement or authenticating through a browser to a Wi-Fi network. To ignore
this, simply enter about:config in the address bar. Firefox will present a warning,
but we can proceed by clicking I accept the risk!. Finally, search for
“network.captive-portal-service.enabled” and double-click it to change the value
to “false”. This will prevent these messages from appearing in the proxy history.
[346] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Captive_portal
Besides the Proxy feature, the Repeater is another fundamental Burp tool. With the Repeater, we
can craft new requests or easily modify the ones in History, resend them, and review the
responses. To observe this in action, we can right-click a request from Proxy > HTTP History and
select Send to Repeater.
Figure 92: Sending a Request to Repeater
If we click on Repeater, we will observe one sub-tab with the request on the left side of the
window. We can send multiple requests to Repeater and it will display them using separate tabs.
Let’s send the request to the server by clicking Send.
Figure 93: Burp Suite Repeater
Burp Suite will display the raw server response on the right side of the window, which includes the
response headers and un-rendered response content.
Figure 94: Burp Suite Repeater with Request and Response
The last feature we will cover is Intruder, but first, we’ll need to configure our local Kali’s hosts file
to statically assign the IP to the offsecwp website we are going to test.
kali@kali:~$