Burp Suite

Burp Suite is a collection of powerful web application security tools. Together they reproduce the real-world capabilities of an attacker targeting web applications: they can scan, analyze, and exploit web applications using both manual and automated techniques. Because the tools are integrated and pass information between one another, Burp Suite provides a complete attack platform, which makes it a very effective and easy-to-use web application attack framework.

To start Burp Suite, navigate to Applications | Web Application Analysis | burpsuite or use the Terminal to execute the following command:

# burpsuite

When Burp is launched for the first time, you'll be asked to accept the Terms and Conditions and also set up your Project Environment (leaving everything default is sufficient for now):

You will be presented with a Burp Suite window on your screen. All the integrated tools (Target, Proxy, Spider, Scanner, Intruder, Repeater, Sequencer, Decoder, and Comparer) can be accessed via their individual tabs. You can get more details about their usage and configuration through the Help menu or by visiting http://www.portswigger.net/burp/help/. Please note that Burp Suite is available in three different editions: Free (Community), Professional, and Enterprise. The free community edition is the version available in Kali.

As mentioned before, Burp Suite comes with its own spider. The application-aware spider, burpspider, is a web crawler: a bot that systematically browses a target site, follows all its inner pages, and maps the site's structure.

For our example, we'll be using Burp to crack the login credentials of the DVWA application. First, we need to set up the proxy listener and verify that it is bound to the localhost IP on port 8080. Go to the Proxy tab, followed by the Options sub-tab:

Also, under the Proxy tab, open the Intercept sub-tab and verify that the toggle reads Intercept is on:

Once completed, open your browser and head to Options | Preferences | Advanced | Network | Connection Settings.

You'll need to set the browser to your proxy now:

So that's our initial setup. Now, we'll need to visit the target site, in this case, 192.168.0.32/dvwa:

Once the address is entered, the browser should appear to hang while connecting, because Burp is holding the request. If you look at the Burp Suite interface, you can see the intercepted data:

After clicking Forward a few times, the browser should finish loading the web page.

In Burp Suite, under the Target tab, you will now have some data in the Site Map tab:

From there, it's a matter of right-clicking on the host and selecting Spider From here or Spider From Host.

Now, somewhere along the line, you should get a pop-up indicating that burpspider has found a form that requests some input. Burpspider always pops up when it finds a form. Remember, a form may request user credentials or may be a simple search/query/lookup form.

With that said, in our case, it's a login form:

Back on our page on the target site, let's generate some traffic for Burp Suite's Intruder tool by entering some random credentials in the login form on the page.

After entering the credentials, look at our interceptor:

Note the key information we get, the username and password, and check how the web page indicates that the credentials we entered were wrong. In this case, it tells us Login failed in a simple string message; however, at other times the indication may be a pop-up or a cookie.

Now, right-click the target and select Send to Intruder.

Under the Intruder tab, select the Positions tab:

The highlighted username and password positions hold the text we entered as the username and the password. Note that, by default, more fields or positions may be highlighted. To clear these, simply click on the field we don't want and click the Clear button to the right. Intruder will replace each remaining position with the payloads we define, in this case, usernames and passwords.

Before we continue, verify that the Attack type is set to Cluster bomb. Now, go to the Payloads tab:

When you click on the Payload set drop-down menu, the count in there should reflect the number of positions in the Positions tab.

Now, select 1, which corresponds to the username field, and set Payload type to Simple list. In the Payload Options section under the Payload Sets section, enter the username in the text field labelled Enter a new item and then click Add. Intruder will use this as the username. You can add multiple usernames.

For now, I'll enter only the admin username to test with:

Now, let's set Payload set 2, which is the password field. Instead of entering passwords one by one, click on the Load button and load up one of your password files (rockyou.txt is located in Kali at /usr/share/wordlist):

Once all is set, click Start attack:

This screenshot shows the Results pop-up window. Looking at the results, every attempt got a Status (HTTP response code) of 302. A quick Google of HTTP response codes shows that 302 means a redirect, but a redirect to where?

If we click on each result and then select the Response tab, we see that the only result whose redirect goes to index.php is admin:password. We can now go to the DVWA login page and enter these credentials, gaining access to the site.
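From the defender's side, the Intruder run above leaves a distinctive trace in the web server's access log: a burst of POST requests to login.php from one client, each answered with 302 whether the guess was right or wrong, so the status code alone says nothing and the request volume per client is the signal. The following is an added example, not code from the book or from Burp Suite: it parses constructed combined-format log lines (the log format and the client addresses are assumptions) and flags any client that posts to the DVWA login form more than a threshold number of times within a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format (assumed); the sample lines below are constructed.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/dvwa/login.php"  # the DVWA form used in the walkthrough

# Constructed sample: 7 login POSTs in 12 seconds from one client (Intruder-like
# burst, all 302) and one ordinary login from another client.
SAMPLE_LOG = [
    f'192.168.0.50 - - [10/Oct/2023:10:00:{s:02d} +0000] "POST /dvwa/login.php HTTP/1.1" 302 0'
    for s in range(0, 14, 2)
] + [
    '192.168.0.51 - - [10/Oct/2023:10:00:05 +0000] "GET /dvwa/login.php HTTP/1.1" 200 1450',
    '192.168.0.51 - - [10/Oct/2023:10:00:09 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0',
    '192.168.0.51 - - [10/Oct/2023:10:00:10 +0000] "GET /dvwa/index.php HTTP/1.1" 200 3012',
]


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> peak number of login POSTs seen inside any `window`,
    for clients whose peak exceeds `threshold`. A sliding window over the
    sorted timestamps keeps the check linear in the number of requests."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            attempts[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # drop timestamps that fell out of the window
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))  # {'192.168.0.50': 7}
```

Feeding the real access log through the same function (one line per list element) is enough to spot a Cluster bomb run, and the threshold should be tuned to the site's normal login rate.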

We can also verify this in Burp Suite by using another tool, Repeater. Repeater is used to manually modify the HTTP requests and data being sent in the requests.

Going back to the Target tab, select the POST request for login.php. This is the form request that is sending the username and password. Right-click it and choose Send to Repeater.

Now, select the Repeater tab:

After password=, remove the incorrect password and enter the password that redirected us to index.php. In this case, the password is password. Once done, click Go:

In the Response panel, we see Location: index.php. Now, click the Follow redirection button on the top. This produces the raw HTML, as well as a rendering, under the Render tab, of what the page should look like:

In this example, we used a few of the common tools that come with Burp Suite. Burp Suite, as an all-in-one application security toolkit, is a very extensive and powerful web application attack platform.

Explaining every part of it is outside the scope of this book; therefore, we strongly suggest that you visit the website (http://www.portswigger.net) for more detailed examples.