
How I use weapons!

Dirty0124 (@dirtycoder0124)
AGENDA
• Mastering Burp Suite
• Hackbar (Manual Sql Injection)
• SqlMap (Automate Sql Injection)
• SoapUI (Testing for Web Services)
Burp Suite
• Intercept browser traffic using man-in-the-middle
proxy
• You can intercept and edit all requests made by your
browser
• Vulnerability Scanner
• Very Useful for Manual Penetration Testing
• Crawler
• Fuzzer

A Great tool if you know how to use it.


Burp Suite

Browser -> Burp Suite -> Web Server
Burp Suite
• Latest Burp Suite version is 1.7.29
• 2 Burp Suite editions available
– Community Edition (Free)
– Professional Edition
Burp Suite
Configure Your Browser
• Use Mozilla Firefox addon : Proxy Switcher
Configure Your Browser
Configure Your Browser
• Open Burp Suite and check whether the proxy listener is
active.
• Go to Proxy->Options
Install CA Certificate
• In Firefox, visit http://burp and click on CA
Certificate to download it.
Install CA Certificate
• In Firefox open the Firefox Menu.
• Click on “Options”
Install CA Certificate
• Select the "Advanced" tab.
• Select the "Certificates" tab and click "View
Certificates"
Install CA Certificate
Install CA Certificate
• Click "Import", select the Burp CA certificate file that you
previously saved and click "Open".
• In the dialog box that pops up, check the box "Trust this CA
to identify web sites", and click "OK".
• Close all dialogs and restart Firefox.
• If everything has worked, you should now be able to visit
any HTTPS URL via Burp without any security warnings.
Burp Suite is ready to use.

Some Tips and Tricks


Burp Suite Settings
• You have probably been using Burp Suite for a long time.
– Do you capture the HTTP response?
– Do you use filters?
– Can you filter only for 3xx to find open redirection
vulnerabilities?
– What is the scope option in Burp Suite?
• We will cover all these things in the next few
slides
Burp Suite Settings
• Target scope - The target scope configuration
tells Burp the items that you are currently
interested in and willing to attack.
• You should configure this early in your testing,
as it controls which items are displayed in
the Proxy history and Target site map, which
messages are intercepted in the Proxy, and
which items may be spidered and scanned.
Burp Suite Settings
(Define Scope)
Burp Suite Settings
(Intercept Response)
• Intercept responses only from your target
Burp Suite Settings
(Intercept Response)
Burp Suite Settings
(Filter)
• Why is Filter useful?
• Searching for your defined target in Burp is very
cumbersome if there is no filter option.
• Check the site view in the next slide.


Burp Suite Settings
(Filter)
Burp Suite Settings
(Filter)
• Now apply a filter
– Right click on Filter
– Check “Show only in-scope items”
Burp Suite Settings
(Filter)
Burp Suite Settings
(Filters)
• FILTER BY HTTP STATUS CODE
• Very useful if you are looking for Unvalidated
redirects and forwards (Open Redirects)
• HTTP status codes 3xx are used for redirection.
• The filter will show you only results having HTTP status
code 3xx.
Burp Suite Settings
(Filters)
• Right Click on Filter
• Go to “Filter by status code”
• Uncheck all except 3xx (redirection).
Burp Suite Settings
(Filters)
• And Check the Result
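The 3xx filter only narrows the list; the next step is deciding which redirects deserve a manual look. As an added example (not from the original slides, and not Burp's own code), this Python script applies the same 3xx filter to a constructed, simplified proxy-history export and flags redirects whose Location header is exactly the value of a request parameter; OWN_HOST and the HISTORY lines are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

OWN_HOST = "shop.example"  # assumed hostname of the application under test

# Constructed proxy-history export (not Burp's real export format):
# METHOD URL STATUS LOCATION   ('-' when the response carried no Location header)
HISTORY = """\
GET http://shop.example/login?next=/account 302 /account
GET http://shop.example/go?url=https://evil.example/ 302 https://evil.example/
GET http://shop.example/index.html 200 -
GET http://shop.example/old 301 /new
GET http://shop.example/logout?to=https://shop.example/home 302 https://shop.example/home
POST http://shop.example/api/update 200 -
"""


def parse_history(text):
    rows = []
    for line in text.splitlines():
        method, url, status, location = line.split(" ", 3)
        rows.append({"method": method, "url": url,
                     "status": int(status), "location": location})
    return rows


def redirects(rows):
    """Same effect as Burp's 'Filter by status code' with only 3xx left ticked."""
    return [r for r in rows if 300 <= r["status"] < 400]


def open_redirect_candidates(rows, own_host=OWN_HOST):
    """3xx responses whose Location equals the value of a request parameter.
    These are the entries worth a manual check; 'external' marks a Location
    that leaves the application's own host, the classic open-redirect shape."""
    hits = []
    for r in redirects(rows):
        params = parse_qs(urlsplit(r["url"]).query)
        for name, values in params.items():
            if r["location"] in values:
                loc_host = urlsplit(r["location"]).netloc
                hits.append({"url": r["url"], "param": name,
                             "external": bool(loc_host) and loc_host != own_host})
    return hits


if __name__ == "__main__":
    for hit in open_redirect_candidates(parse_history(HISTORY)):
        print(hit)
```

A same-host Location is not automatically safe (a user-controlled path can still be abused), so the flag only orders the triage.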
OK, now we know the basic settings
and filters in Burp Suite
Let’s explore useful options in
Burp Suite
Burp Suite Options
Target Window
• The Target window is very important as it shows
your target in scope and the spider result.
• This window contains two options
– Sitemap & Scope (Scope is done in the previous PPT)
• Sitemap is further divided into 5 windows
Burp Suite Options
Proxy Tab
• The Proxy tab is further divided into 4 tabs
– Intercept (Displays the current HTTP Request and
Response)
– HTTP History (All history of HTTP Requests)
– WebSockets History (Displays WebSockets requests)
– Options (Done in the previous PPT)
Proxy Tab
Perform Multiple Actions
Proxy->Http history Tab
SPIDER
• You can pause the spider from here
SCANNER
INTRUDER
• Burp Intruder is a tool for automating
customized attacks against web applications.
• It is extremely powerful and configurable, and
can be used to perform a huge range of
tasks, from simple brute-force guessing of
web directories through to active exploitation
of complex blind SQL injection vulnerabilities.
INTRUDER
• The Burp Suite’s Intruder option comes with 4
attack modes, viz.,
– Sniper
– Battering Ram
– Pitchfork
– Cluster Bomb
INTRUDER
INTRUDER
• SNIPER
– The sniper attack iterates over each
parameter, one at a time. So if you have multiple
parameters, it will iterate through the first parameter
with all the payloads from the supplied wordlist
and then move on to the second, and so on.
INTRUDER
• Battering Ram
– The battering ram attack enumerates over
multiple parameters with the same payload for all
the parameters.
INTRUDER
• Pitchfork
– The pitchfork attack type iterates over
multiple parameters at the same time, using a
different payload list for each parameter and
advancing through all the lists in step.
INTRUDER
• Cluster Bomb
– The cluster bomb attack type enumerates over
multiple parameters by using all the possible
combinations of payloads from the multiple
wordlists.
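To make the four attack types concrete, here is an added Python model (not part of the original slides, and not Burp's code) that builds the request set each mode generates from placeholder payload lists; WORDLISTS and BASE are constructed, meaningless values, and Sniper and Battering ram use only the first list because Burp gives those two modes a single payload set.

```python
from itertools import product

# Constructed placeholder payloads: one wordlist per marked position.
WORDLISTS = [["a1", "a2", "a3"], ["b1", "b2"]]
# Original values of the two marked positions in the base request.
BASE = ("orig_user", "orig_pass")


def sniper(base, wordlists):
    """Each position in turn receives every payload; the others keep their base value."""
    payloads = wordlists[0]  # single payload set
    requests = []
    for pos in range(len(base)):
        for p in payloads:
            values = list(base)
            values[pos] = p
            requests.append(tuple(values))
    return requests


def battering_ram(base, wordlists):
    """The same payload is inserted into every position at once."""
    return [tuple(p for _ in base) for p in wordlists[0]]


def pitchfork(base, wordlists):
    """One list per position; the lists advance in step, so the shortest list sets the count."""
    return list(zip(*wordlists))


def cluster_bomb(base, wordlists):
    """Every combination of payloads across all lists (Cartesian product)."""
    return list(product(*wordlists))


def request_counts(base, wordlists):
    """Number of requests Intruder would send per attack type for this setup."""
    return {
        "sniper": len(sniper(base, wordlists)),               # positions * payloads = 2 * 3
        "battering_ram": len(battering_ram(base, wordlists)),  # payloads = 3
        "pitchfork": len(pitchfork(base, wordlists)),         # min(list lengths) = 2
        "cluster_bomb": len(cluster_bomb(base, wordlists)),   # 3 * 2 = 6
    }


if __name__ == "__main__":
    print(request_counts(BASE, WORDLISTS))
```

The counts explain why Cluster bomb is the mode that most often needs rate limiting against a production target: its request total grows as the product of all list lengths.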
REPEATER
• It is a very important tab. I use it a lot.
• Very useful to test an HTTP request by editing
values again and again.
• You can check the response right there.
• Good to test for SQL Injection, XSS
REPEATER
SEQUENCER
• Burp Sequencer is a tool for analyzing the
quality of randomness in a sample of data
items.
• You can use it to test an application's session
tokens or other important data items that are
intended to be unpredictable, such as anti-
CSRF tokens, password reset tokens, etc.
SEQUENCER
• Send request to SEQUENCER
SEQUENCER (How to use?)
• The penetration tester wants to check the
randomness of PHPSESSID in the response.
That’s why he needs to choose it in “Token
Location Within Response.” Then click “Start
live capture” to launch Burp Suite Sequencer.
SEQUENCER (How to use?)
SEQUENCER (How to use?)
• Analyzing Randomness of PHPSESSID
• When this tool has been launched, requests
are sent and values of PHPSESSID are analyzed
in the responses.
• The analysis can start after 100 requests
(“Analyze now” button).
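Sequencer's report condenses a statistical battery into one "effective entropy" figure. As an added illustration (not from the original slides, and a far cruder estimate than Burp's tests), this Python script computes a per-character-position Shannon entropy over a sample of tokens, so the contrast between a predictable and a random identifier is visible; WEAK and STRONG are constructed samples standing in for the captured PHPSESSID values.

```python
import math
import secrets
from collections import Counter

TOKEN_LEN = 26  # PHPSESSID-style identifiers are typically 26 hex characters

# Constructed samples standing in for the PHPSESSID values Sequencer collects.
# WEAK: a counter rendered as hex (most positions never change).
# STRONG: 13 random bytes per token from the secrets module.
WEAK = [f"{i:0{TOKEN_LEN}x}" for i in range(200)]
STRONG = [secrets.token_hex(TOKEN_LEN // 2) for _ in range(200)]


def shannon_bits(symbols):
    """Plug-in estimate of Shannon entropy (bits) for one position's symbol sample."""
    counts = Counter(symbols)
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def position_entropies(tokens):
    """Entropy of each character position, measured across all sampled tokens."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens in the sample must have the same length")
    return [shannon_bits([t[i] for t in tokens]) for i in range(length)]


def estimated_bits(tokens):
    """Sum of per-position entropies. This is an upper bound: it ignores
    correlations between positions, so a counter's low digits look random
    here even though the whole token is trivially predictable."""
    return sum(position_entropies(tokens))


def fixed_positions(tokens, threshold=0.5):
    """Positions that barely vary across the sample; many of these is a red flag."""
    return [i for i, h in enumerate(position_entropies(tokens)) if h < threshold]


if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("STRONG", STRONG)):
        print(f"{name}: ~{estimated_bits(sample):.1f} bits, "
              f"{len(fixed_positions(sample))} near-constant positions")
```

Like Sequencer, this needs a few hundred samples before the numbers mean anything; with 100 tokens over 16 symbols the plug-in estimator already undercounts by about 0.1 bit per position.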
SEQUENCER
DECODER
• Burp Decoder is a simple tool for transforming
encoded data into its canonical form, or for
transforming raw data into various encoded and
hashed forms. It is capable of intelligently
recognizing several encoding formats.
• You can load data into Decoder in two ways:
– Type or paste it directly into the top editor panel.
– Select data anywhere within Burp, and choose "Send
to Decoder" from the context menu.
DECODER
COMPARER
• Burp Comparer is a simple tool for performing
a comparison (a visual "diff") between any
two items of data.
• Some common uses for Burp Comparer are
described in the next slide.
COMPARER
• When looking for username enumeration conditions, you can compare
responses to failed logins using valid and invalid usernames, looking for
subtle differences in the responses.
• When an Intruder attack has resulted in some very large responses with
different lengths than the base response, you can compare these to
quickly see where the differences lie.
• When comparing the site maps or Proxy history entries generated by
different types of users, you can compare pairs of similar requests to see
where the differences lie that give rise to different application behavior.
• When testing for blind SQL injection bugs using Boolean condition
injection and other similar tests, you can compare two responses to see
whether injecting different conditions has resulted in a relevant difference
in responses.
COMPARER
EXTENDER
• It is used to install Burp add-ons.
• Very useful to enhance Burp’s functionality.
• Users can install add-ons from the BApp Store.
• Users can also install add-ons which are open
source and available on the net.
EXTENDER
EXTENDER – Install Open Source
addon
EXTENDER
• You need Jython to install Python-based add-ons.
• Download Jython and provide the path of your
Jython file to Burp.
EXTENDER
• Some useful Burp suite add-ons
– Active Scan++
– CO2
– JSON Beautifier
– Reflected Parameters
– XssValidator
XssValidator
XSSValidator in BApp Store
XssValidator
• Step 1: Intercept a Request with some
parameter, for example "search" Request and
send to "Intruder".
XssValidator
• Step 2: Navigate to "Intruder" > under
"Payload Sets" > select "Payload type:
Extension-generated" > under "Payload
Options" > click "Select generator" (drop-
down menu) > a window will open; select
"Extension payload generator: XSS Validator
Payloads" > "Selected generator: XSS Validator
Payloads" > Click "OK".
XssValidator
XssValidator
• Step 3: Navigate to "XSSValidator" > copy
"Grep Phrase" in XSSValidator > Navigate to
"Intruder" > Under "Options" tab > under
"Grep-Match", click "Clear" to clear all the
Grep match entries > Paste the Grep Phrase already
copied from "XssValidator".
XssValidator
XssValidator
XssValidator
• Start Attack
XssValidator
• Observe that Attack has been started and the
payloads are brute forced on the “search”
parameter.
XssValidator
• To observe the response in the browser, navigate to any
"Response" (positive response) and Right-Click to select
"Show response in browser".
XssValidator
XssValidator
Cross-Site Request Forgery
(CSRF)
POC WITH BURP SUITE
CSRF
• Cross-Site Request Forgery (CSRF) is an attack
that forces an end user to execute unwanted
actions on a web application in which they're
currently authenticated.
CSRF
• Step 1:
– Visit: http://testphp.vulnweb.com/login.php
– Username: test
– Password: test
CSRF
• Step 2: Capture the request by clicking on the update
button
CSRF
CSRF
• Change the phone number and click on “Test in
browser”
CSRF
CSRF
CSRF
CSRF
Pro Tips
• Add the website to scope
• Now make sure “Intercept is off”
• Visit the site and explore every link and form.
• Burp Suite works best in this environment.
Invisible Proxy in Burp Suite
Invisible Proxy
• We all know Acunetix, Nikto, nmap.
• But we don’t know how they find
vulnerabilities.
• What payloads do they use?
• Or simply, what do they do?
Invisible Proxy is the Solution
SETUP
1. Make a change in your system hosts file
– 127.0.0.1 indeed.com
2. Turn on Invisible proxy in Burp Suite
3. Run Acunetix or any other scanner against
– 127.0.0.1:8080
4. Capture the requests and learn from the
scanner
Entry in Host File
• Path: C:\Windows\System32\drivers\etc
Setting in Burp Suite
Acunetix
Request Captured
HACKBAR
HackBar
• HackBar is a Firefox addon
• It is used to do manual SQL Injection on web.
• Useless if you are using traditional HackBar
Modified HackBar
• There are several modified HackBar versions
available on the net.
• ~/@H3LL4R_H5H is a nice one
Modified HackBar
• Download:
– https://addons.mozilla.org/en-US/firefox/addon/~h3ll4r_h5h-hackmod/
• Very useful for manual SQL Injection Attack.
• Inbuilt SQL DIOS (Dump-in-One-Shot)
• Great list of XSS payloads.
• URL encode & decode.
• HEX encode & decode.
• Base64 encode & decode.
• Many other useful options.
Modified HackBar

Normal HackBar
Modified Hackbar DIOS
MOZILLA FIREFOX ADDONS

Hacking with Firefox

1. Proxy Switcher
• Connect Burp Suite in one click
• URL: https://addons.mozilla.org/en-US/firefox/addon/proxy-switcher/
2. VPN
• ZenMate is the best free VPN for browsing anonymously.
• URL: https://addons.mozilla.org/en-US/firefox/addon/zenmate-security-privacy-vpn/
3. Modified Hackbar
• Useful for SQL Injection, XSS, LFI
• URL: https://addons.mozilla.org/en-US/firefox/addon/~h3ll4r_h5h-hackmod/
4. Tamper Data
• Proxy for Browser
• URL: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
5. Cookie Manager ++
• Useful to edit web session
• URL: https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
6. No Redirect
• Useful to bypass login page
• URL: https://addons.mozilla.org/en-US/firefox/addon/noredirect/
7. User Agent Switcher
• You can change the user agent value using this
addon
• URL: https://addons.mozilla.org/de/firefox/addon/user-agent-switcher/
SQLMAP
SQLMAP Introduction
• Sqlmap is an open source penetration testing
tool that automates the process of detecting
and exploiting SQL injection flaws and taking
over database servers.
Supported Database
• MySQL
• Oracle
• PostgreSQL
• Microsoft SQL Server
• Microsoft Access
• IBM DB2
• SQLite
• Firebird
• Sybase
• SAP MaxDB
• HSQLDB
• Informix database management systems.
FEATURES
• Support to enumerate users, password hashes, privileges, roles,
databases, tables and columns.
• Full support for six SQL injection techniques: boolean-based blind, time-
based blind, error-based, UNION query-based, stacked queries and out-
of-band.
• Automatic recognition of password hash formats and support for cracking
them using a dictionary-based attack.
• Support to dump databases entirely.
• Support to download and upload any file from the database server's
underlying file system when the database software is MySQL, PostgreSQL
or Microsoft SQL Server.
Cheat Sheet 1
Cheat Sheet 2
SQLMAP

How to use?
Crawl The Target [My Fav.]
Find Database
Customization
• Sometimes sqlmap fails to detect SQL injection.
• The solution is to increase the depth of your detection phase.
Customization
• By default sqlmap will test all the GET and POST
parameters specified.
• In some cases you might want to test additional entry
points such as HTTP headers. It is possible to specify them
with specific options, but the most straightforward
technique is to use the --level option.
• There are 5 levels available in sqlmap (default being level
1). Level 2 adds HTTP Cookie header testing, level 3
adds HTTP User-Agent/Referer headers.
Customization
Find Tables
Find Columns
Extract Data
Shell Upload
Dump Database
SoapUI
ReadyAPI
• SoapUI is now ReadyAPI
• A software used to test web services (APIs)
• SoapUI can test both WSDL and REST APIs
• Developers use this software to develop APIs.
• Very helpful for Security Testing of Web Services
ReadyAPI
Security Testing with SoapUI

Testing Web Services


ReadyAPI
• Go to File->New->Security Test
ReadyAPI
• Or you can select Security Test from Dashboard
ReadyAPI
• Select the URL option.
ReadyAPI
• Enter the following URL and click Next:
– http://maps.googleapis.com/maps/api/geocode/xml?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA&sensor=false
ReadyAPI
• Select Security Tests you want to perform
ReadyAPI
• Now click on Edit button
ReadyAPI
• Unselect the red-marked option
ReadyAPI
• Click on RUN
ReadyAPI
• After completion, click on view summary
report
ReadyAPI
• Test Report
