Burp suite intruder module (4)

Source: Internet
Author: User
Burp Suite's Intruder module (4): Intruder introduction

Burp Intruder is a powerful tool for automating customized attacks against web applications. It can be used to automate many kinds of task that come up during testing, from fuzzing request parameters to brute-forcing credentials.

 

Target

Used to configure the details of the target server for the attack. The required settings are Host (the IP address or hostname of the target server), Port (the port number of the HTTP/S service) and Use HTTPS (whether SSL/TLS should be used for the connection). The easiest way to fill these in is to select a request anywhere in Burp Suite, right-click it and choose "Send to Intruder" from the context menu. This sends the selected request to Intruder, where a new attack tab is opened with the Target and Positions tabs already populated.

Positions

Used to configure the request template for the attack, together with the payload markers and the attack type.

Request Template

The main request editor defines the request template from which every attack request is derived. For each attack request, Burp takes the template and inserts one or more payloads at the positions defined by the payload markers. The simplest way to create a template is to select a request anywhere in Burp Suite and choose "Send to Intruder" from the context menu; the Target and Positions tabs of the new Intruder attack tab are then filled in automatically.

Payload markers

Payload markers use the § character and work as follows:

1) Each pair of markers defines one payload position.

2) A pair of markers may enclose some text from the template (for example the parameter's original value).

3) When a payload is assigned to a position, the markers and any text they enclose are replaced by the payload.

4) When no payload is assigned to a position, the markers are removed but the enclosed text is left in place, so the request is sent with its original value.

 

Attack type

Burp Intruder supports several attack types, which determine how payloads are distributed across the payload positions. The attack type is selected from the drop-down menu above the request template editor. The following attack types are available:

Sniper - uses a single payload set. It targets each position in turn and sends every payload to that position one at a time; the other positions are not attacked in that request: their markers are removed and any enclosed template text is left unchanged. This attack type is useful for fuzzing a number of request parameters individually for common vulnerabilities. The total number of requests generated is the product of the number of positions and the number of payloads in the set.

Battering ram - uses a single payload set. The same payload is inserted into all defined positions at once, iterating through the set. For example, with the numbers 1-9 as the payload set and two positions, the requests carry 1-1, 2-2, 3-3 and so on. This is useful when an attack requires the same input to be inserted in multiple places in the request (for example a username in a form parameter and again in a cookie). The total number of requests is the number of payloads in the set.

Pitchfork - uses multiple payload sets, a different set for each defined position (up to 20). The attack iterates through all the sets simultaneously, placing one payload from each set into its own position. For example, with two positions and one dictionary per position, the first request places the first payload from set 1 into position 1 and the first payload from set 2 into position 2; the second request places the second payload from set 1 into position 1 and the second payload from set 2 into position 2, and so on (pairs 1-1, 2-2, 3-3, each position drawn from its own list). This is useful when an attack requires different but related input in multiple places (for example a username in one parameter and a matching known ID number in another). The total number of requests is the number of payloads in the smallest payload set.

Cluster bomb - uses multiple payload sets, a different set for each defined position (up to 20). The attack iterates through each set in turn so that every combination of payloads is tested. For example, three dictionaries of 10 entries each give 1000 combinations. With two positions, the attack places the first payload from set 2 into position 2 and cycles through all the payloads from set 1 in position 1; it then places the second payload from set 2 into position 2 and cycles through set 1 again, and so on. This is useful when an attack requires different and unrelated or unknown input in multiple places (for example guessing credentials, with a username in one parameter and a password in another). The total number of requests is the product of the sizes of all the payload sets, which can be very large.
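The four attack types above differ only in how payload rows are drawn from the payload sets and dropped into the § positions. The following Python is an added example written for this page, not Burp's own code: it parses a constructed request template with two marker pairs, implements each attack type as a generator over payload rows (None meaning "position not attacked, keep the enclosed text"), and reproduces the request counts stated above, including the cluster-bomb ordering in which position 1 cycles fastest. The template, hostnames and payload lists are made up for the demonstration.

```python
import itertools

MARK = "§"  # the payload marker character Burp Intruder uses

# Constructed request template (not taken from the original page) with two
# payload positions; the text between each marker pair is the original value.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=§admin§&pass=§secret§"
)


def split_template(template):
    """Split the template at the § markers.

    Returns the literal chunks outside the markers and the default text
    enclosed by each marker pair (kept when a position gets no payload,
    replaced when it does).
    """
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts[0::2], parts[1::2]


def render(template, payloads):
    """Build one request. payloads[i] goes into position i; None means the
    position is not attacked in this request and keeps its default text."""
    literals, defaults = split_template(template)
    if len(payloads) != len(defaults):
        raise ValueError("one payload (or None) per position is required")
    out = [literals[0]]
    for i, default in enumerate(defaults):
        out.append(default if payloads[i] is None else payloads[i])
        out.append(literals[i + 1])
    return "".join(out)


def sniper(n_positions, payload_set):
    """One set; each payload in turn goes into one position while the others
    keep their defaults: positions * payloads requests."""
    for pos in range(n_positions):
        for p in payload_set:
            row = [None] * n_positions
            row[pos] = p
            yield row


def battering_ram(n_positions, payload_set):
    """One set; the same payload goes into every position: len(set) requests."""
    for p in payload_set:
        yield [p] * n_positions


def pitchfork(payload_sets):
    """One set per position, advanced in lock-step; zip stops at the shortest
    set, so min(len) requests."""
    for combo in zip(*payload_sets):
        yield list(combo)


def cluster_bomb(payload_sets):
    """One set per position, every combination. Burp cycles position 1 fastest
    (all of set 1 against the first payload of set 2, then the second, ...)
    while itertools.product cycles the last set fastest, hence the reversals.
    product(len) requests."""
    for combo in itertools.product(*reversed(payload_sets)):
        yield list(reversed(combo))


ATTACKS = {
    "sniper": lambda n, sets: sniper(n, sets[0]),
    "battering ram": lambda n, sets: battering_ram(n, sets[0]),
    "pitchfork": lambda n, sets: pitchfork(sets[:n]),
    "cluster bomb": lambda n, sets: cluster_bomb(sets[:n]),
}


def generate(template, attack_type, payload_sets):
    """Return every request the chosen attack type would send for template.
    Sniper and battering ram use only payload_sets[0]; pitchfork and cluster
    bomb need one set per position."""
    n = len(split_template(template)[1])
    if attack_type in ("pitchfork", "cluster bomb") and len(payload_sets) < n:
        raise ValueError(f"{attack_type} needs {n} payload sets")
    return [render(template, row) for row in ATTACKS[attack_type](n, payload_sets)]


if __name__ == "__main__":
    sets = [["alice", "bob", "carol"], ["pass1", "pass2"]]
    for kind in ATTACKS:
        requests = generate(TEMPLATE, kind, sets)
        bodies = [r.rpartition("\r\n\r\n")[2] for r in requests]
        print(f"{kind:14s} {len(requests):2d} requests: {bodies}")
```

Running it with a 3-entry and a 2-entry set prints 6 sniper requests (3 per position), 3 battering-ram requests, 2 pitchfork requests and 6 cluster-bomb requests, which is the arithmetic given in the text.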

 

Payload types

Burp Intruder provides a number of payload types, including:

Simple list -- a simple dictionary of strings

Runtime file -- a file read at run time, one payload per line

Custom iterator -- a custom iterator that combines several lists

Character substitution -- character replacement

 

One more type that is useful in password guessing is worth mentioning.

Case modification -- this payload type lets you configure a list of strings and then modify the case of each item in various ways. It is very useful in password-guessing attacks for generating case variations of the words in a dictionary. The following case rules are available:

No change - the item is used without modification.

To lower case - all letters in the item are converted to lowercase.

To upper case - all letters in the item are converted to uppercase.

To Propername - the first letter of the item is converted to uppercase and the remaining letters to lowercase.

To ProperName - the first letter of the item is converted to uppercase and the remaining letters are left unchanged.

Payload Processing

Before each payload is used, you can define rules that perform various processing tasks on it. The rules are executed in sequence and can be turned on and off individually, which helps with debugging and with working out which rule is causing a problem. Payload processing rules are useful in many situations: when you need to generate unusual payloads, when the payload must be wrapped in a wider structure, or when it must be encoded in a particular scheme before being submitted.

Add prefix - adds a literal prefix to the payload.

Add suffix - adds a literal suffix to the payload.

Match/replace - replaces any part of the payload that matches a specific regular expression with a literal string.

Substring - extracts a substring starting at the specified (0-indexed) offset with the specified length.

Reverse substring - like Substring, but the offset is counted backwards from the end of the payload and the substring of the given length is taken backwards from that point.

Modify case - changes the case of the payload, if applicable, using the same options as the Case modification payload type.

Encode - encodes the payload using one of several schemes: URL, HTML, Base64, ASCII hex, or constructed strings for various platforms.

Hash - hashes the payload.

Add raw payload - adds the original, unprocessed payload value before or after the current processed value. This is useful, for example, if you need to submit the same payload in both raw and hashed form.

Skip if matches regex - checks whether the currently processed value matches the specified regular expression and, if it does, skips the payload and moves on to the next one. This is useful, for example, if you know a parameter value must have a minimum length and you want to skip any value in the list shorter than that.

Invoke Burp extension - calls a Burp extension to process the payload. The extension must have registered an Intruder payload processor; you can select the processor you want from the list of processors registered by the extensions currently loaded.

 

Payload Encoding

You can configure which characters in the payload should be URL-encoded for safe transmission in the HTTP request. Any configured URL encoding is applied last, after all payload processing rules have been executed. Use this setting for the final URL encoding rather than a payload processing rule, because the Grep - Payloads option checks responses for the payload as it was before the final URL encoding was applied, which is the form in which the application usually echoes it.
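The case rules, the processing-rule chain and the final URL encoding described above compose into a small pipeline, and it is easy to get the ordering wrong (encoding before a match/replace, or skipping on the raw value instead of the processed one). The Python below is an added example written for this page, not Burp's code: it implements each rule as a function, runs an ordered list of rule dicts with per-rule enable flags, treats "skip if matches" and "add raw payload" specially because they need to stop the chain or see the original value, and applies the Payload Encoding step last so that both the pre-encoded and the as-sent form are available. The rule chain and the default set of characters to URL-encode are assumptions made for the demonstration; check the latter against your own Burp configuration.

```python
import base64
import hashlib
import re
from urllib.parse import quote

# Characters to URL-encode on the Payload Encoding tab. This default set is
# an assumption for the example; configure it to match your Burp settings.
DEFAULT_URL_ENCODE_CHARS = ".\\+*?[^]$(){}=!<>|:-&@#"


def modify_case(value, mode):
    """The five case rules shared by the Case modification payload type and
    the Modify case processing rule."""
    if mode == "no_change":
        return value
    if mode == "lower":
        return value.lower()
    if mode == "upper":
        return value.upper()
    if mode == "propername":       # first letter upper, rest lower
        return value[:1].upper() + value[1:].lower()
    if mode == "proper_name":      # first letter upper, rest unchanged
        return value[:1].upper() + value[1:]
    raise ValueError(mode)


def encode(value, scheme):
    if scheme == "url":
        return quote(value, safe="")
    if scheme == "html":
        return "".join(f"&#{ord(c)};" for c in value)  # numeric entity per character
    if scheme == "base64":
        return base64.b64encode(value.encode()).decode()
    if scheme == "ascii_hex":
        return value.encode().hex()
    raise ValueError(scheme)


def reverse_substring(value, offset_from_end, length):
    """Offset counted back from the end, length taken backwards from there."""
    end = len(value) - offset_from_end
    return value[max(0, end - length):end]


# Ordinary rules: payload string in, payload string out.
RULES = {
    "add_prefix": lambda v, text: text + v,
    "add_suffix": lambda v, text: v + text,
    "match_replace": lambda v, pattern, repl: re.sub(pattern, repl, v),
    "substring": lambda v, offset, length: v[offset:offset + length],
    "reverse_substring": reverse_substring,
    "modify_case": modify_case,
    "encode": encode,
    "hash": lambda v, algo: hashlib.new(algo, v.encode()).hexdigest(),
}


def run_rules(raw, rules):
    """Apply the enabled rules in order. Returns None when a skip_if_matches
    rule fires, meaning the payload is not sent at all."""
    value = raw
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        kind = rule["type"]
        if kind == "skip_if_matches":
            if re.search(rule["pattern"], value):
                return None
        elif kind == "add_raw_payload":   # needs the original value, so handled here
            value = raw + value if rule["where"] == "before" else value + raw
        else:
            value = RULES[kind](value, *rule.get("args", ()))
    return value


def final_url_encode(value, chars=DEFAULT_URL_ENCODE_CHARS):
    """Payload Encoding tab: applied last, only to the configured characters.
    Single-byte encoding, so intended for ASCII payloads."""
    return "".join(f"%{ord(c):02X}" if c in chars else c for c in value)


def process_payloads(payloads, rules, url_encode_chars=DEFAULT_URL_ENCODE_CHARS):
    """Return (raw, processed, as_sent) for every payload that is not skipped.
    'processed' is the pre-URL-encoded form that Grep - Payloads matches on."""
    out = []
    for raw in payloads:
        processed = run_rules(raw, rules)
        if processed is None:
            continue
        out.append((raw, processed, final_url_encode(processed, url_encode_chars)))
    return out


# Constructed rule chain for the demonstration: prefix, o->0 replacement,
# proper-name case, a disabled hash rule, skip anything of 5 characters or
# fewer, then append the raw payload so raw and processed forms go together.
EXAMPLE_RULES = [
    {"type": "add_prefix", "args": ("pre_",)},
    {"type": "match_replace", "args": ("o", "0")},
    {"type": "modify_case", "args": ("propername",)},
    {"type": "hash", "args": ("md5",), "enabled": False},
    {"type": "skip_if_matches", "pattern": r"^.{0,5}$"},
    {"type": "add_raw_payload", "where": "after"},
]

if __name__ == "__main__":
    for row in process_payloads(["foo", "a", "x&y"], EXAMPLE_RULES):
        print(row)
```

With that chain, "foo" becomes "Pre_f00foo", "a" is skipped because the processed value "Pre_a" is only five characters, and "x&y" becomes "Pre_x&yx&y" before encoding and "Pre_x%26yx%26y" on the wire, which is why a grep for the reflected payload should be run against the pre-encoded form.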

 

 

Options

This tab contains settings for request headers, the request engine, attack results, Grep - Match, Grep - Extract, Grep - Payloads and redirections. These options can be edited in the main Intruder UI before an attack is launched, and most of them can also be changed in the attack window while the attack is running.

Request headers

These settings control whether Intruder updates the configured request headers during the attack. Note that you have full control over the request headers through the request template and the payload positions; these options simply update the relevant header in each request automatically, which is usually helpful.
The following options are available:
Update Content-Length header - with this option enabled, Intruder adds or updates the Content-Length header of each request with the correct value for the length of that request's HTTP body. This is essential for attacks that insert variable-length payloads into the body of the request: if the correct value is not specified, the target server may return an error, may respond to an incomplete request, or may wait indefinitely for the request to deliver more data.
Set Connection: close - with this option enabled, Intruder adds or updates the Connection header with the value "close". In some cases (when the server does not itself return a valid Content-Length or Transfer-Encoding header) this allows attacks to run faster.

Request engine

These settings control the engine used to issue the HTTP requests of an Intruder attack. The following options are available:

Number of threads - [Professional edition] controls the number of concurrent requests the attack is allowed to make.

Number of retries on network failure - if a connection error or other network problem occurs, Burp retries the request the specified number of times before giving up and moving on. Intermittent network failures are common during testing, so it is best to retry a request several times when a failure occurs.

Pause before retry - when a request is retried after a failure, Burp waits the specified time before retrying. If the server is down, busy, or intermittently faulty, it is best to wait a short time before trying again.

Throttle between requests - Burp can wait a specified delay (in milliseconds) before issuing each request. This is useful for avoiding overloading the application, or for being more stealthy. Alternatively, you can configure a variable delay with a given initial value and increment; this can be used to test the session timeout enforced by the application.

Start time - configures whether the attack starts immediately, starts after a specified delay, or starts in a paused state. These alternatives are useful if an attack has been configured and you want to save it and run it at some point in the future.

Careful use of these options lets you tune the attack engine to the impact on the application's performance and to your own processing capacity and bandwidth. If the attack runs slowly while the application is performing well and your CPU usage is low, increase the number of threads to speed it up. If you see connection errors, the application is slowing down, or your own computer is locking up, reduce the number of threads and increase the number of retries on network failure and the pause between retries.

 

Attack results

These settings control what information is captured in the attack results. The following options are available:

Store requests/responses - determine whether the attack saves the contents of individual requests and responses. Storing them takes up disk space in your temporary directory, but lets you view them in full during the attack and, if necessary, repeat individual requests or send them to other Burp tools.

Make unmodified baseline request - if selected, in addition to the configured attack requests Burp sends the template request with every payload position left at its base (original) value. This request appears as item #0 in the results table. It is useful for providing a baseline response against which the attack responses can be compared.

Use denial-of-service mode - if selected, the attack sends requests as normal but does not wait for or process any response from the server; each TCP connection is closed as soon as the request has been sent. This can be used to perform application-layer denial-of-service attacks against vulnerable applications by repeatedly sending requests that start high-load tasks on the server, while avoiding tying up local resources by holding sockets open waiting for responses.

Store full payloads - if selected, Burp stores the full payload value for every result. This takes extra memory, but is needed if you want to perform certain operations at run time, such as modifying the payload grep settings or re-issuing requests with a modified request template.

Grep - Match

These settings can be used to flag result items whose responses contain a specified expression. For each item in the configured list, Burp adds a new column to the results table containing a checkbox that indicates whether the expression was found in each response. You can then sort on this column (by clicking the column header) to group the matching results together.
This option can be very powerful for analysing large sets of results and quickly finding the interesting items. For example, in a password-guessing attack you can scan for phrases such as "password incorrect" or "login successful" to find successful logins; when testing for SQL injection, scanning for messages containing "ODBC" and "error" can identify vulnerable parameters.
In addition to the list of match expressions, the following options are available:

Match type - whether the expressions are simple strings or regular expressions.

Case sensitive match - whether the expression match should be case sensitive.

Exclude HTTP headers - whether the HTTP response headers should be excluded from the check.

Grep - Extract

These settings can be used to extract useful information from responses into the attack results table. For each item in the configured list, Burp adds a new column containing the text extracted for that item. You can then sort on that column (by clicking the column header) to order the extracted data.

Note: this is especially useful. For example, you can extract email addresses, mobile phone numbers and so on from the responses.

You can use regular expressions, provided you know how to write them. Someone in the wooyun community once described how to match mobile phone numbers; that can be extracted here.

 

Grep - Payloads

These settings can be used to flag result items whose responses contain a reflection of the submitted payload. If enabled, Burp adds a new column to the results table containing a checkbox that indicates whether the current payload value was found in each response. (If more than one payload set is used, a separate column is added for each set.)
This function can be used to detect cross-site scripting and other response-injection vulnerabilities, where user input is dynamically inserted into the application's response.
The following options are available:

Case sensitive match - whether the check for the payload should be case sensitive.

Exclude HTTP headers - whether the HTTP response headers should be excluded from the check.

Match against pre-URL-encoded payloads - Intruder normally URL-encodes the configured payloads before they are sent, but the application usually decodes them and echoes them back in their original form. With this option, Burp checks responses for the payload in its pre-encoded form.
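The three grep facilities above (Grep - Match, Grep - Extract and Grep - Payloads) are all a pass over the stored responses that adds a column to the results table. The Python below is an added example for this page, not Burp's own implementation: it runs the three checks over a small constructed results set, honouring the options the text lists (string or regex match, case sensitivity, exclusion of headers, and matching against the pre-URL-encoded payload). The responses, hostnames and payloads are invented for the demonstration; the second result shows why "exclude HTTP headers" matters (the payload appears only in a Set-Cookie header) and the third why the pre-URL-encoded option matters (the application decoded %3Cscript%3E before echoing it).

```python
import re
from urllib.parse import quote

# Constructed sample results (not from the original page). Each holds the
# payload as configured, the form in which it was actually sent (after the
# final URL encoding) and the raw response that came back.
SAMPLES = [
    {"payload": "admin", "sent": "admin",
     "response": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 "<title>Login</title>Password incorrect for admin. "
                 "Contact ops@target.example for help."},
    {"payload": "letmein", "sent": "letmein",
     "response": "HTTP/1.1 302 Found\r\nLocation: /index.php\r\n"
                 "Set-Cookie: last=letmein\r\n\r\n"
                 "<title>Redirect</title>Login successful"},
    {"payload": "<script>", "sent": quote("<script>", safe=""),
     "response": "HTTP/1.1 500 Internal Server Error\r\n\r\n"
                 "<title>Error</title>[ODBC Driver] error near '<script>'"},
]


def split_response(raw):
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def _haystack(raw, exclude_headers):
    return split_response(raw)[1] if exclude_headers else raw


def grep_match(results, expressions, regex=False, case_sensitive=False,
               exclude_headers=True):
    """Grep - Match: one boolean column per expression."""
    flags = 0 if case_sensitive else re.IGNORECASE
    table = []
    for r in results:
        text = _haystack(r["response"], exclude_headers)
        row = {}
        for expr in expressions:
            pattern = expr if regex else re.escape(expr)
            row[expr] = re.search(pattern, text, flags) is not None
        table.append(row)
    return table


def grep_extract(results, pattern, exclude_headers=True):
    """Grep - Extract: the first capture group of `pattern` per response,
    empty string when the pattern does not match."""
    out = []
    for r in results:
        m = re.search(pattern, _haystack(r["response"], exclude_headers), re.DOTALL)
        out.append(m.group(1) if m else "")
    return out


def grep_payloads(results, case_sensitive=True, exclude_headers=True,
                  pre_url_encoded=False):
    """Grep - Payloads: was the payload reflected? With pre_url_encoded the
    configured payload is looked for, otherwise the form actually sent."""
    out = []
    for r in results:
        needle = r["payload"] if pre_url_encoded else r["sent"]
        text = _haystack(r["response"], exclude_headers)
        if not case_sensitive:
            needle, text = needle.lower(), text.lower()
        out.append(needle in text)
    return out


if __name__ == "__main__":
    matches = grep_match(SAMPLES, ["password incorrect", "login successful", "odbc"])
    titles = grep_extract(SAMPLES, r"<title>(.*?)</title>")
    emails = grep_extract(SAMPLES, r"([\w.+-]+@[\w-]+\.[\w.-]+)")
    reflected = grep_payloads(SAMPLES, pre_url_encoded=True)
    for r, m, t, e, refl in zip(SAMPLES, matches, titles, emails, reflected):
        print(f"{r['payload']:10s} {m} title={t!r} email={e!r} reflected={refl}")
```

Note that grep_payloads returns False for the third result unless pre_url_encoded is set, which is exactly the situation the "Match against pre-URL-encoded payloads" option exists for.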

 

 

Redirections

These settings control how Burp handles redirections during the attack. It is often necessary to follow redirections to achieve the goal of the attack. For example, in a password-guessing attack the result of each attempt may only be shown on the page reached by following a redirection, and during fuzzing the relevant feedback may only appear in the error message returned after the initial redirect response.
The following options are available: Follow redirections - controls which redirection targets are followed. The following choices are available:

1) Never - Intruder does not follow any redirections.

2) On-site only - Intruder follows only redirections to the same "site", that is, URLs using the same host, port and protocol as the original request.

3) In-scope only - Intruder follows only redirections to URLs within the suite-wide target scope.

4) Always - Intruder follows redirections to any URL. Use this option with caution: occasionally a web application relays request parameters in redirections to a third party, and following the redirection would inadvertently attack that third party.

Process cookies in redirections - if selected, any cookies set in the redirect response are resubmitted when the redirection target is followed. This may be necessary, for example, when brute-forcing a login challenge that always responds with a redirection to a page showing the login result and creates a new session in response to each login attempt.
Burp follows up to 10 chained redirections if necessary. The results table contains a column showing whether a redirection was followed for each result, and the full requests and responses of the redirection chain are stored with each result item. The types of redirection that Burp processes (3xx status codes, Refresh headers, and so on) are configured in the suite-wide redirection options.
Note that in some cases it may be necessary to run a single-threaded attack in order to follow redirections, for example when the application stores the result of the initial request in the session and responds with a redirection to a page that retrieves it.
Following redirections automatically can sometimes cause problems, for example if the application responds to some malicious requests with a redirection to the logout page: following the redirection would terminate your session, which would not otherwise have happened.
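The security-relevant detail in the redirection options is what "same site" means and why "Always" can turn a test into an attack on a third party. The Python below is an added example for this page, not Burp's code: it encodes the four follow policies, compares origins with default ports normalised (so https://host/ and https://host:443/ are the same site), carries cookies set along the chain when "process cookies" is on, and stops after 10 hops. The network is replaced by a constructed stand-in (fake_send) that models a login redirecting to index.php with a fresh session cookie, an index page that bounces back to the login when the cookie is missing, and an open redirect to a third-party host; hostnames and paths are invented for the demonstration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
MAX_CHAIN = 10  # Burp follows at most 10 chained redirections


def origin(url):
    """(scheme, host, port) with the default port filled in, so that
    https://host/ and https://host:443/ count as the same site."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def should_follow(mode, request_url, location, in_scope=lambda url: False):
    """Resolve the Location header against the request URL and decide,
    per the selected policy, whether to follow it. Returns the absolute
    target URL or None."""
    target = urljoin(request_url, location)   # Location may be relative
    if mode == "never":
        return None
    if mode == "always":
        return target
    if mode == "on-site only":
        return target if origin(target) == origin(request_url) else None
    if mode == "in-scope only":
        return target if in_scope(target) else None
    raise ValueError(mode)


def follow_chain(mode, request_url, send, in_scope=lambda url: False,
                 process_cookies=True):
    """Issue the request and follow redirections according to `mode`.
    send(url, cookies) must return (status, headers, body) with lower-case
    header names and Set-Cookie as a list. Returns the chain of
    (url, status) pairs, the final body and the cookies collected."""
    cookies, url, hops, trail = {}, request_url, 0, []
    while True:
        status, headers, body = send(url, dict(cookies))
        trail.append((url, status))
        if process_cookies:
            for raw in headers.get("set-cookie", []):
                name, _, value = raw.split(";", 1)[0].partition("=")
                cookies[name.strip()] = value.strip()
        location = headers.get("location")
        if not (300 <= status < 400 and location) or hops >= MAX_CHAIN:
            return trail, body, cookies
        nxt = should_follow(mode, url, location, in_scope)
        if nxt is None:
            return trail, body, cookies
        url, hops = nxt, hops + 1


def fake_send(url, cookies):
    """Constructed stand-in for the network (not a real server)."""
    path = urlsplit(url).path
    if path == "/login":
        return 302, {"location": "/index.php",
                     "set-cookie": ["sess=abc123; Path=/; HttpOnly"]}, ""
    if path == "/index.php":
        if cookies.get("sess") == "abc123":
            return 200, {}, "Welcome, you are logged in"
        return 302, {"location": "/login"}, ""
    if path == "/go":
        return 302, {"location": "https://third-party.example/collect"}, ""
    return 200, {}, "page " + path


if __name__ == "__main__":
    base = "https://target.example"
    for mode in ("never", "on-site only", "in-scope only", "always"):
        trail, body, _ = follow_chain(mode, base + "/go", fake_send,
                                      in_scope=lambda u: "target.example" in u)
        print(f"{mode:14s} {[s for _, s in trail]} -> {trail[-1][0]}")
    trail, body, cookies = follow_chain("on-site only", base + "/login", fake_send)
    print("login with cookies:", [s for _, s in trail], body, cookies)
    trail, _, _ = follow_chain("on-site only", base + "/login", fake_send,
                               process_cookies=False)
    print("login without cookies: hops =", len(trail) - 1)
```

The last two calls show the "process cookies in redirections" point from the text: with cookies carried, the login chain is 302 then 200; without them, index.php keeps bouncing back to the login and the chain only stops at the 10-hop limit.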

Using Burp Suite Intruder

To use Burp Suite Intruder, perform the following steps:

1) First, make sure that Burp is installed and running and that you have configured your browser to work with Burp.

2) If you have not already done so, browse around the target application to populate Burp's site map with details of the application's content and functionality. You can speed this up by going to the Proxy tab, then the Intercept sub-tab, and turning proxy interception off (if the button reads "Intercept is on", click it to toggle interception off).

3) Go to the Proxy tab, and either the Site map or the History sub-tab. Find an interesting-looking request to the target application that contains some parameters. Select the request and choose "Send to Intruder" from the context menu.

4) Go to the Intruder tab. Burp Intruder lets you configure multiple attacks at the same time: each request sent to Intruder opens in its own attack tab, numbered sequentially by default. You can double-click a tab header to rename it, drag tabs to re-order them, and close and open new tabs.

5) On the attack tab created for the request you sent, look at the Target and Positions sub-tabs. These have been filled in automatically with the details of the request.

6) Burp Intruder works by taking a base request template (the one you sent), looping through a set of payloads, inserting those payloads into the defined positions within the base request, and issuing the resulting requests. Payload markers configure where in the base request the payloads are inserted. As you can see, Burp has already tried to place payload markers automatically: by default they are placed around the value of every request parameter and cookie. Each marker pair defines a payload position and can enclose some text from the base request, which is replaced by the payload when that position is used. See the help on payload markers for more details.

7) The buttons beside the request editor can be used to add and clear payload markers. Try adding payload positions at new places in the request, removing other markers, and see the effect. When you understand how payload positions work, click "Auto §" to restore Burp's default payload positions. If you have modified the request text, repeat step 3 to create a new attack tab with the original request.

8) Go to the Payloads tab. This is where you define the payloads to be placed into the defined payload positions. Keep the default settings (a "Simple list" payload type) and add some test strings to the list: type a string into the "Enter a new item" box and click Add, or use the "Add from list" drop-down [Professional edition] and select "Fuzzing - quick" from the built-in payload lists.

9) You have now configured the minimum needed to launch an attack. Go to the Intruder menu and select "Start attack".

10) The attack opens in a new window containing a Results tab. The results table lists each request with key details such as the payload used, the HTTP status code and the response length. You can select any item in the table to view the full request and response for that request. You can also sort the table by clicking a column header and filter its contents using the filter bar. These features work in the same way as in the Proxy history.

11) The attack window contains further tabs showing the configuration used for the current attack, most of which you can modify. Go to the Options tab, scroll down to "Grep - Match", and tick "Flag result items with responses matching these expressions". This makes Intruder check each response for the expressions in the match list and flag the matching items. By default the list contains some common error strings that are useful when fuzzing, but you can configure your own strings. Go back to the Results tab and you will see that Intruder has added a column for each item in the list, with a checkbox indicating whether the expression was found in each response. If you are lucky, your basic fuzzing may have triggered an error that shows up in one of these error messages.

12) Now select any item in the table and look at its response. Find an interesting string in the response (such as the page title or an error message). Right-click the item in the table and choose "Define extract grep from response" from the context menu. In the dialog, select the interesting response string and click OK. The results table now contains a new column holding the text extracted from each response (which may differ from case to case). You can use this feature to locate interesting data among the thousands of responses of a large attack. Note that you can also configure "Extract grep" items on the Options tab before or during the attack.

13) Select any item in the results table and open the context menu. Choose "Send to Repeater" and go to the Repeater tab: the selected request has been copied to the Repeater tool for further testing. Many other useful options are available in the context menu for passing items between Burp Suite's tools as part of the overall testing workflow.

14) You can use the "Save" menu in the results window to save the results table or the entire attack. The results table can be loaded into another tool or a spreadsheet; a saved attack can be reloaded from the Intruder menu of the main Burp UI.

15) These steps describe only a simple use case of Intruder: fuzzing a request with some standard attack strings and grepping for error messages. Intruder can be used for many different kinds of attack, with many different payloads and attack options.

 

Example:

The general steps are as follows:
1. Set the browser to use the proxy, visit the website's address, and try to log in to the site.

2. Burp intercepts the request; send it to Repeater.

3. Next, send the request to Intruder. The Target tab generally needs no changes, as it is filled in automatically, so go to the Positions tab.

 

Note: the default attack type is Sniper.

 

4. Click "Clear §" first, then select the password value and click "Add §".

 

5. Switch to the Payloads tab, set the payload type, and select your dictionary.

 

6. Switch to the Options tab to set the number of threads, the number of retries on failure, and the result filters.

Clear the Grep - Match list to avoid interference.

In addition, decide whether an attempt succeeded from the content of the response. Here, a successful login returns index.php, so add "index.php" to the Grep - Match list.

 

7. Click "Start attack" under the Intruder menu to begin the brute-force attack. The successful attempt can be told apart from the others by its response length.
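The example above is a single-position sniper attack where the one successful guess stands out from the baseline by status code and response length. The Python below is an added example for this page, not Burp's code: it renders the §password§ position from a constructed wordlist, sends an unmodified baseline request first (item #0, as the "Make unmodified baseline request" option does), builds a results table with the status, length and Location columns a tester would sort on, and flags the rows that differ from the baseline. The target is a constructed stand-in (fake_app) that answers 302 to /index.php on the right password and a 200 error page otherwise; the template, wordlist and correct password are invented for the demonstration.

```python
import re

MARK = "§"

# Constructed request template (not from the original page) with the password
# value marked as the single payload position, as in step 4 above.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=admin&password=§test§"
)
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty"]  # constructed dictionary
CORRECT = "letmein"  # the stand-in application's real password (constructed)


def fake_app(request):
    """Constructed stand-in for the target: parses the form body and answers
    302 to /index.php on success, otherwise 200 with the form and an error."""
    body = request.split("\r\n\r\n", 1)[1]
    params = dict(kv.split("=", 1) for kv in body.split("&") if "=" in kv)
    if params.get("password") == CORRECT:
        return "HTTP/1.1 302 Found\r\nLocation: /index.php\r\nContent-Length: 0\r\n\r\n"
    page = ("<html><body><form>...</form>"
            "<p>Invalid username or password</p></body></html>")
    return f"HTTP/1.1 200 OK\r\nContent-Length: {len(page)}\r\n\r\n{page}"


def render(template, payload):
    """Replace the single §...§ position with the payload; None leaves the
    original value in place (the unmodified baseline request)."""
    start = template.index(MARK)
    end = template.index(MARK, start + 1)
    value = template[start + 1:end] if payload is None else payload
    return template[:start] + value + template[end + 1:]


def summarize(number, payload, response):
    """One row of the results table: the columns the text says to sort on."""
    head = response.partition("\r\n\r\n")[0]
    status = int(head.split(" ", 2)[1])
    loc = re.search(r"^Location:\s*(\S+)", head, re.M | re.I)
    return {"#": number, "payload": payload, "status": status,
            "length": len(response), "location": loc.group(1) if loc else ""}


def run_attack(template, wordlist, send, baseline=True):
    """Sniper over one position: baseline first (item #0), then each payload."""
    rows = []
    if baseline:
        rows.append(summarize(0, "(baseline)", send(render(template, None))))
    for i, payload in enumerate(wordlist, 1):
        rows.append(summarize(i, payload, send(render(template, payload))))
    return rows


def outliers(rows):
    """Rows whose status or length differs from the baseline row #0."""
    base = rows[0]
    return [r for r in rows[1:]
            if (r["status"], r["length"]) != (base["status"], base["length"])]


if __name__ == "__main__":
    rows = run_attack(TEMPLATE, WORDLIST, fake_app)
    for r in rows:
        print(f"{r['#']:2d} {r['payload']:12s} {r['status']} {r['length']:5d} {r['location']}")
    print("candidates:", [r["payload"] for r in outliers(rows)])
```

Sorting on length in the Intruder results table does the same job as outliers() here: every wrong password produces an identical 200 page, and the single 302 with a much shorter body is the hit.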

 

 
