Intro to BurpSuite Part IV: Being Intrusive
Welcome to our 4th installment of Intro to BurpSuite. This time around we’re going to focus on using another tool in the BurpSuite arsenal to send targeted requests to a web server, rapid-fire. Intruder can be used for a variety of fuzzing and bruteforce techniques using premade lists or automatically generated input. This is amazingly useful for those list-based tasks as well, such as mapping a site or discovering hidden directories and errors.
Before I get started, I should mention that I’m using the same environment settings I created in the first part of the Burp series. I recommend reviewing this post if you’re new to Burp and are just getting started.
Secondly, we’re going to be using some pre-made lists and Burp-generated lists with Intruder, so if you want to follow along exactly, please download the wordlists from SVNDigger. They’re a great starting point and can really help with that first step.
With that all out of the way, we can get into the meat of it with Intruder.
As I mentioned, we’re going to use Intruder to send a massive number of requests, so be aware that unless you lower the request options (which we’ll touch on), this can be a noisy attack. Staying under the radar can be a concern for some red team exercises, but for the purposes of this article, we’re going to be loud and obnoxious.
We’re going to use a basic exercise on hackthissite.org to demonstrate Intruder’s capabilities, but we’re only going to cover one of the primary functions: Simple list. Simple list allows you to attack with a pre-made list (the one from SVN digger that I mentioned, in this case) and Brute Forcer allows you to specify a character set which Burp will then use to generate a list on the fly. This is useful for random values such as passwords with a known character length.
In the first example, we’re going to look at basic exercise number 3 which is located here:
Keep in mind, there’s an easier way to beat this “challenge” but we’re using this site for demonstration purposes, and we’ll leave it to you to use this technique creatively to perhaps tackle some of the more advanced portions of the site as a learning tool.
So we can see that we have a password field and not much else. We also can see that the description mentions a password file. Without much knowledge of the site _(spoiler alert), _we may be inclined to view the source and find some interesting tidbits of information, but in this case, previous experience with hackthissite.org would point us to start sniffing out php pages. And that’s exactly what we’re going to do.
If we send the request to Intruder…
we can see hackthissite.org over 443 on the Target tab. If we take a look at the Positions tab, we see some interesting portions of the request highlighted in orange. These are assumptions BurpSuite makes for possible entry points. These are merely suggestions, but we just want to do some discovery, so let’s take a look at manipulating some of the information in the request.
First, clear the current field sections using the button to the right.
Then put your cursor after “GET /missions/basic/3/” and click “Add §” twice.
You’ll see two section signs (§) highlighted in orange, and you’ll want to append “.php”. Since we’re doing discovery and we have an idea that this is a php based site, we’re appending a file extension since it’s the most likely to occur.
It should look like this:
Now, a little explanation of what’s going on here. We’ve cleared all automatically created sections and added our own. This section sign pair (§§) indicates that we’re going to insert our payload between these two points. So if our payload was the word “admin” it would send the request with:
GET /missions/basic/3/admin.php Burp will send every word in our payload through that entry point. This means that Burp will be sending a large number of pre-determined requests to the server without having to manually enter each one into Repeater or through the proxy. We can then view the results in a consolidated view.
Next, let’s take a look at the Payloads tab.
Defining our Payload
First, we want to define our payload set. For this demonstration, we’re going to choose Simple list and load the list from SVN Digger.
Then we’re going to load the list under Payload Options. Click the “Load…” button and pick the all-extensionless.txt file. We are choosing this file because we defined our extension in the positions tab as “.php”
If done correctly, you should see a list like this pop up in the Payload Options section.
There are some other options, but nothing we have to worry about at this point.
Launching the Attack (or the Discovery in this case)
Let’s go ahead and run the attack. Beginning Intruder can be a bit unintuitive at first. Select “Intruder” from the top of the window in the menu, and click “Start attack”.
This will begin the attack, and you’ll be greeted with a results window. Click the Status column to sort by the response code.
It shouldn’t take too long to see that “password” returns a 200 response. If you take a look at the response in the web browser, you’ll see the password of the password file. Entering that into the password field will pass the challenge.
About that Throttle
I mentioned at the beginning of the post that this was going to be noisy, and I meant it. If you launched this sort of discovery on a pen-test, you would probably raise some alarms. Since we’re hitting a site that is meant to be attacked, we don’t have to worry about it so much. If you’re authorized to go full throttle on a site, this would also be fine, but if you’re trying to remain stealthy, it may be a good idea to take a look at the throttling options offered in the Options tab.
This Request Engine section gives you control over throttling, threads, and retry options, and even allows you to delay the start of the attack. This is useful if you want to send requests with a delay in order to limit the chances of defense discovering your attack.
Now, I want to end this post with the idea that this is simply a demonstration of BurpSuite’s Intruder to introduce newcomers to the interface. If you ran the page through the proxy, you may have noticed that the password.php file was referenced in the parameters and we could have achieved the same results without Intruder, but the beauty of offensive techniques is that you can arrive at a positive result in a variety of ways, some more complicated than others.
Intruder also has many other payload options, including BruteForcer, which allows you to specify a character set and length to your payloads. This is especially useful when attacking passwords where you know the complexity requirements, and it’s especially effective against sites with weak complexity requirements.
There are a few other, more advanced techniques that allow you to use Intruder with a great deal of imagination and creativity to get some interesting results. The tool is built to be versatile and it certainly succeeds in that respect. I don’t want to go down the rabbit hole, but I will be posting more information on some of the more advanced Intruder functions later in the series as we wrap up the modules. For now, we’re just getting warmed up, and I encourage you to stay tuned for more.