From A to Z | Burp Suite Tutorial

TurkHackTeam.Org/.Net/.Com.TR
The reason I wanted to show you how to use burp suite is to make you aware, to
prevent serious damages in cyber security area. This post intended to be used for
educational purposes. As Turkhackteam, we do not accept any legal or criminal
liability in any way and from any possible damages that you may suffer or cause
to harming to third parties by using, interpreting the information.
CONTENTS
A-WHAT IS BURP SUITE?
1- Why BURP SUITE?
1.1-What is Http?
1.2-What is Https?
1.3-What is SSL?
1.4-What is Proxy?
B-BURP SUITE SETUP
1-for Linux;
2-for Windows;
C-HTTPS SUPPORT
1-Proxy Configuration
1.1-for Edge (Windows 10);
1.2-for Firefox (Linux);
2-Disable to the SSL Warning;
2.1-for Windows;
2.1-for Linux;
D-THE TARGET SECTION
1-SiteMap Tab;
2-Scope Tab;
E-THE PROXY SECTION
1-Intercept Tab;
2-HTTP History Tab;
3-WebSocket History Tab;

4-Options Tab;
F-THE SCAN SECTION;
1-New Scan;
1.1-Details;
1.2-Audit Items;
1.3-Issue Activity;
1.4-Event Log;
G-THE INTRUDER SECTION
1-Target;
2-Positions;
2.1-Sniper;
2.2-Bettering Ram;
2.3-Pitchfork;
2.4-Cluster Bomb;
3-Payloads;
4-Options;
H-THE REPEATER SECTION
I-THE SEQUENCER SECTION
1-Live Capture Part;
1.1-Select Live Capture
1.2-Token L-o-c-a-t-i-o-n Within Response
1.3-Live Capture Options
2-Manuel Load Part;
3-Analysis Options Part;
3.1-Token Handling
3.2-Token Analysis
SUMMARY
J-THE DECODER SECTION
K-THE COMPARER SECTION
L-THE EXTENDER SECTION
1-Extensions Part;
2-BApp Store Part;
CO2
A-WHAT IS BURP SUITE?
Burp Suite is a proxy tool, written in java and developed by PortSwigger Security.
It enables web applications to establish a connection between the client and the
browser.
1-Why Burp Suite?
1) It has a dynamic structure in terms of functionality.
2) Hacking, i.e. It is perfect for penetration testing.
3) Does not require any other programs for pentest because It provides all the
tools in itself.
4) In addition to the tools that Burp Suite contains, personal tools can be
developed and added easily.

5) Professional version has a vulnerability scanning.
1.1-What is Http?
Hyper Text Transfer Protocol. It is the protocol that enables web pages to be
viewed over network.
1.2-What is Https?
It has the same function as Http protocol. But the only difference is, it has an
algorithm that encrypts messages in the server through SSL certificate.
1.3-What is SSL?
Secure Sockets Layer, for this system to work, you must have a key(password)
and a certificate on the server that provides server support. so you can take
advantage of this feature.
1.4-What is Proxy?
It is the structure that enables analysis of requests and responses, incoming and
outgoing requests over the Http/Https protocol. Shortly, It acts as an
intermediate server that allows us to examine traffic over the web because of
Proxy.
B-BURP SUITE SETUP
I will show how to install with details on Windows and Linux. But If you are using
the Parrot or Kali Linux, Burp Suite already comes preinstalled.
1-for Linux;
We need to install OpenJDK for Burp Suite.
Bu resim yeniden boyutlandırıldı, tam halini görmek için tıklayınız.

Firstly, We should find out If there is java:
Kod:
Java --version
If there isn't, write this code for install it:
Kod:
sudo apt-get install openjdk-11-jdk openjdk-11-jre
The latest version was 11, as you can see it looks like 11 on my Parrot. My advice
to you is to install the latest version.

Then type "Burp Suite Download" in Google. We should click on the first link from
the results.

We download it from the official website. Download the latest version

Well, we will install the free version but If you want you can download the
professional version from the first part. In the second part, choose your system
and lastly, download the installation file.

Go to the file that you've downloaded. We open Burp Suite with this code:
Kod:
sudo java -jar -Xmx2g burpsuite_file.jar

Click I Accept.

Click Next.

and click Start Burp.

the installation has finished.
2-for Windows;

type "Burp Suite Download" We should click on the first link from the results.

We download it from the official website.

We will install the free version but If you want you can download the professional
version from the first part. In the second part, choose your system and lastly,
download the installation file.

If we want we can change the file name using the save button. After we clicked
the "save" button, installation process is starting.

run the .exe file as administrator, It will ask a question like "are you sure?" click
Yes.

And click Next after the progress bar.

select the folder where you would like Burp Suite Community Edition to be
installed, then click Next.

If you want to create a start menu folder then select the start menu folder in
which you would like setup to create the program's shortcuts, then click next.

Click Finish and open Burp Suite.

Click I Accept

To continue, click Next

click Start Burp Suite.

the installation has finished
C-HTTPS SUPPORT
As you know, since the fraud and malicious software over http have increased a
lot. So, a https ssl certified encryption algorithm has been developed as a solution
for this. It is not permitted to perform any improper activity with the software or
tool from the browser. It is possible to make transactions over http address while
we are using Burp Suite, It will give warning like "your connection is not secure
in https transactions!" That's why we produce certificates with Burp Suite and
introduce it to our browser, So we make sure that the requests and actions in this
certificate are completely safe.
1-Proxy Configuration
https://portswigger.net/support/conf...work-with-burp btw, I didn't see any
information about Edge, I need to show you with details
1.1-for Edge (Windows 10);

Kod:
Proxy >Options > Edit > Binding > Loopback only > OK
Well, we dont need to do this because it is already default. In any way, I showed
in the screenshot about what happened. We should open our browser.

Kod:
… > Options > Advanced > Intermediate Server Settings, open it.
Btw, use intermediate server option is closed to you. We should open it, fill the
required fields as you can see in the screenshot.
1.2-for Firefox (Linux);
Kod:
Firefox > Options > General > Network Proxy Settings

We select Manual proxy configuration and click OK
2-Disable to the SSL Warning;

2.1-for
Windows;

Kod:
Proxy >Options >import/export CA cert > Certificate in DER format > Next
Here, we are creating a new certificate.

Kod:
Select file > Save > Next
We have determined where to save the certificate and it was successfully
exported.

Done,Close it

We are opening the certificate.
Kod:
Install Certificate >Choose Current User > Next

Kod:
Place all certificates in the following storage area > browse > Trusted
certificate's root privileges

Click Finish.

Click
OK.

And as you can see, we have entered the https address without any problems.
2.1-for Linux;
Same process, you can look at the above for create a certificate with burp suite.

Our
certificate is something like this

Kod:
Firefox > Settings > Privacy and Security
Click View Certificates

We should select our certificate

D-THE TARGET SECTION
1-SiteMap Tab;
As its name signifies, it specifies the map of website. I mean, it provides us
comprehensive documênts about websites that we opened. Not only that, it can
show us errors too, that exist in website.

Getting information about all websites is complex in functionality, but we can
target this complex construct for our purpose by filtering.

Choices of filtering: by request type, by MIME type, by status code, by search
term, by file extension, by annotation.
2-Scope Tab;
It allows for researching on that target by telling Burp what's the current target.

Click right to the domain
and select "Add to Scope". By this way, we added our domain into Scope. Let's
check it out.

It's the section where we provide request and response between browser and
web server.
1-Intercept Tab;
It's used for displaying and editing HTTP and WebSocket messages between
browser and web server. It's a tab where we can catch our requests and
responses from browser to web server.
Forward: We click on the "Forward" option to send this message to server or
browser after you looked over (and if it's necessary, changed it).
Drop: We use it when we want to stop sending message.
Intercept On/Off
On: Messages are captured or forwarded automatically, based on options
configured to block HTTP and WebSocket messages.
Off: All messages are forwarded automatically.
Action: Shows a menu of available actions that can be performed on the displayed
message.
2-HTTP History Tab;
You must be familiar with this from Sitemap tab of Target section. It's a tab
where we can get detailed documênts of website.

3-WebSocket History Tab;
It's a tab where WebSocket history are searched.
WebSocket: A computer communications protocol, providing full-duplex
communication channels over a single TCP connection.

4-Options Tab;
It's a tab where we get all options such as proxy configuration, message option,
server option

F-THE SCAN SECTION;
It's my one of favourite Burp features. It's a combination of the Spider and
Scanner section in older versions. It both scans targeted website and gives
documênts of it, and scans vulnerabilities.
1-New Scan;

As you can see, scanning of targeted website is started

Click 'View Details' button to display details about scan.
1.1-Details;
Here is the details:

1.2-Audit Items;

Audit Items: It shows all of the website's consist documênt.
1.3-Issue Activity;

Issue Activity: It shows high and low risk vulnerabilities of targeted website.
1.4-Event Log;
It's a tab where all of the logs between server and us keep.
G-THE INTRUDER SECTION
It's variables being manipulated by masking methods. Masked variables are
shown with “$” symbol. Main usage purpose is brute force.

Let's send values that belong to user and pass variable from login webpage we
caught earlier, to Intruder.
1-Target;

Targeted website's infos automatically come here. If we want, we can input it
manually too.
2-Positions;
This is where caught login website request sent goes to.

Firstly, as you can see, it masking automatically. 'Auto' button also does same
process. But i don't recommend you to do that because it's unreliable.

So, first step will be selecting all and click 'Clear' button to clear all of masking.

Choose the user admin pass admin part and click 'Add' to adding only this part to
masking.

There are 4 types of attack. Payload can be differ, depends on this types.
2.1-Sniper;
It is the process of sending a single request. We choose the Sniper attack type
and go to the payloads section.

Payloads Sets
Because it is a Sniper attack, it performs an attack through a variable. You can
also see it in Payloads set section.
Payloads Options
We can assign a value from the" Add " section ourselves. If we want, we can
include an existing list in the "Load" section. Or if you say that I want to copy
from ".. somewhere and throw here, thanks to add "Paste" button. Here you can
delete a value you do not want with the "Remove" button. Or all of them thanks
to the "Clear" button allows you to delete that all things.

Here, it tells us that it will make four attempts by assigning us to only one
variable via "user" or "pass", considering of two possibilities.

I tried to show it above, it only conducted four attempts on a variable "user" or
"pass" depending on the list we created. The value in the other variable has
already been assigned to the existing value.
It's returned us 200 now, so from here we're seeing that the entry attempt failed.
But if the try out had been successful, it would have returned 302 in the "Status"
section.
2.2-Bettering Ram;
Although it looks the same as sniper attack, there is a difference. It assigns the
same value to the two variables whose lists are "user" and "pass". We're
choosing the Bettering Ram attack from positions. We're going to Payloads.

Here, it tells us that it will give us two trial by assigning the same value to 2
variables, given the possibility of two possibilities. So it says it'll try with our
"user" and "pass" variables by assigning the same value. As you can see, if we
look at the "Status" section again, we'll see that 200 returns. So we understand
that our attempt failed. If our transaction were successful, it would have
returned 302 in the "Status" section.
2.3-Pitchfork;
It is an attack type that creates two lists and allows the first list to try out on the
"user" variable, allowing the second list to try out on the "pass" variable. We
select the Pitchfork attack type from "Positions" section. Then we go to the
Payloads Section.

As you can see, we've created two lists. Our first list also experimented with the
"user" variable. Our second variable also allowed the "pass" variable to
experiment.
2.4-Cluster Bomb;
Even though it looks the same as a pitchfork attack, there's a difference, and it
assigns value to variables as diagonals of the two lists we create.

We've created our lists, and accordingly, it's determined the number of attempts.
We're going to say "Start Attack" and start our attack.

As I tried to show above, the cross-diagonal method and the values in our first
list were matched to the values in our second list and allowed experiments. As we
saw in the "Status" section, the entry failed.

It is also worth examining the image above so that you can see it in more detail.
3-Payloads;

Payloads Sets
Payload set;Shows the number of lists we create.
Payload Type; to determine the type of attack.
So it's on the list? Or by brute force? Using letters or numbers only? We can
choose to attack.
Payloads Options
If we want, we can assign a value from the "Add" section ourselves. We can
include a list in "Load" if we want.
Or if you say that if you say you want to copy it from somewhere and throw it
here, you can add it through the "Paste" button.Here you can delete a value you
don't want with the "Remove" button. Or it's all through the "Clear" button,
allowing you to clean up what's up.
The "Add from list" button we can also use lists already available within the
program.
Payloads Processing

When carrying out the attack, we throw out the rules we want to comply with.
Add; add rules that need to be followed when processing lists.
Edit; Edit rules that must be followed when processing lists.
Remove; Delete the rule that must be followed when processing lists.
Up; It has to be followed, in the order of the rules, it tops what we want.
Down; It has to be followed in the order of the rules to lower what we want to
the lower level.
Payloads Encoding
This setting can be used to code the characters selected in the last load as urls for
secure transmission within HTTP requests.
4-Options;

Request Headers
These settings control whether the attacker will update the configured request
headers during attacks.
Request Engine
These settings control the engine used for making HTTP requests in the Intruder
attack. In other words, we make the settings such as how long we will send
requests to the server and how long it will be reconnected after disconnection.
Attack Results
These settings control what information is captured in the attack results. It
enables to show whether requests, responses and rejected feedbacks between us
and the server are displayed.
Grep - Match
These settings can be used to flag the result items containing specified
expressions in the response. It can still paste the word as usual. And it can install
from another locâtions. It can delete existing word and we can clear the whole

list. And determines case sensitive. If we want the http header to be included in
this search or not, we can set up the necessary options.
Grep - Extract
These settings can be used to extract useful information from responses into the
attack results table. We can add, edit, delete the item to extract information that
doesn't benefit us from the returned results. And we can pull it on top/bottom in
order of importance. We can clear the whole list and we can specify the length of
the item and get clearer results.
Grep – Payloads
These settings can be used to flag result items containing reflections of the
submitted payload. We can exclude http headers and make them case sensitive.
It can match with results that caught earlier. We can cofigure search responses
for strings.
Redirections
These settings control how Burp handles redirections when performing attacks.
H-THE REPEATER SECTION
It provides the opportunity to perform the processes that we make in order to
catch the requests on the Login page in Proxy section. We send the request that
we captured on the login page to the "Repeater" section.

Change the "user", "pass" and click Go button, we can see the response given by
the server on the right side. So, replacing the required fields repeatedly is a more
functional tool for practicality.
I-THE SEQUENCER SECTION
It is the tool used to analyze the foreseeability quality of tokens in data items.
You can use it to test session tokens, anti-CSRF tokens, password reset tokens or
other undpredictable data items of an application. It is important because the
cookies could be taken with this method.

We send the token (phid value etc.) that we want to analyze to the Sequencer
section.
1-Live Capture Part;

Kod:
For this, we should go the Sequencer section > Live Capture part.
1.1-Select Live Capture
It shows that you send from Burp tools. Select the request that returns the token
or other item that you want to resolve. So, we select the data we will analyze and
click Start button.

1.2-Token L-o-c-a-t-i-o-n Within Response
It allows us to select a token that can be resolved by defining responses returned
to the server.
the following options:
Cookie: If the response sets any cookie, this option will allow you to choose a
cookie to be parsed. This is the most common method for get over the session
tokens.
Form field: If the response contains any HTML form fields, this option will allow
you to choose a form field. This method is often used to send anti-CSRF tokens
and other tokens to clients.
Custom Locâtion: You can use this option to specify a specific locâtion within the
response that contains the data that you want to analyze.
1.3-Live Capture Options
These settings control the engine used for making HTTP requests and harvesting
tokens when performing the live capture.
Number of threads: This option controls the number of concurrent requests the
live capture is able to make.
Throttle between requests: Optionally, the live capture can wait a specified delay
(in milliseconds) before every request.
Ignore token whose length deviates by X characters: You can optionally configure
the live capture to ignore tokens whose length deviates by a given threshold from
the average token length.
2-Manuel Load Part;
Live Capture section automatically captured the live request and sent the token.
In this section, the information in the text file that we captured is transferred to
this section. To do this we go to Sequence section > Manual Load section. This
function allows you to load Sequencer with a sample of tokens that you have
already obtained, and then perform the statistical analysis on the sample.

Use the Paste button to paste the tokens from the clipboard, or the Load button
to load them from file. When our process is finished, it offers the opportunity to
clean the screen with the help of the Clear button.
3-Analysis Options Part;
The "Analysis options" tab lets you configure how tokens are handled, and which
types of tests are performed during the analysis.
Kod:
for this, go to Sequencer section > Analysis Options part.

3.1-Token Handling
These settings control how tokens are handled during analysis.
3.2-Token Analysis
These options control the types of analyses that are performed. You can
individually enable or disable each type of character-level and bit-level test.
Sometimes, after performing an initial analysis with all tests enabled, you may
want to disable certain tests to reflect your better understanding of the tokens'
characteristics, or to isolate the effects of any unusual characteristics manifested
by your sample. In the results window, after modifying any of the analysis
options you can click the "Redo analysis" button to re-perform the analysis with
your new settings, and update the results.
SUMMARY
The "summer" locâtion of each section tells us the summary of the analysis. It is
enough to look at these places and examine them. We can achieve certain results.

J-THE DECODER SECTION
On sites, the WAF (firewall) system encrypts personal information. Thus, all
transactions are encrypted and provide a secure infrastructure. But of course, I
will show you that we can simply capture and decode this encryption on a site
with SQL Injection vulnerability

.
We always listened to our site before we searched for this process, we caught it
before returning the request, and the encrypted request from there was right
click on the mouse and say> “Send Decoder”.

The "‘ "sign in the URL address is encrypted as" 27% ". We call it" Decoder as
"and we do the analysis according to what kind of encryption is done. We click on
the "URL" button.

We broke the password and showed us the normal URL section. But we don't just
decrypt it. If we want, we can encrypt the address we want, any structure with
an encryption algorithm that we want.
Kod:
“Encode as” > “URL” Well, I should select the URL because because I encrypted
the URL.
Our transaction is over. This time i encrypted the entire URL.
K-THE COMPARER SECTION
It is a tool for us to compare words and bytes. Sometimes we want to see the
answers given to us from the server, different reactions at the same time. This
means looking at it from a distance like a third person and sometimes it helps.

Now it has come to compare the data we sent. We go to the "Comparer" section.
We can compare it as "Words" or "Bytes".

We got some results. A word and byte based result has returned as above. The
values in orange show the changing values in comparison. Deleted values appear
in blue. The values added later are considered yellow.
L-THE EXTENDER SECTION
Thanks to this tool, it is possible to add the software coded by the developers and
the software coded by yourself to the burp suite program
1-Extensions Part;

We come from Extender section to Extensions section. Here, we can add a
software we developed to the burp suite, while we can delete a software that we
added or change its order.
2-BApp Store Part;

From the Extender section, we enter the> BApp Store section. It is possible to
find the software of other developers here.
I want to talk about the most popular "C02" software.
CO2
Using SQLMap, we can exploit a site with SQL injection vulnerability.

To use this feature, sqlmap application must be python. We choose where they
are located. Thus, the application can run when we make the necessary options.

As a result, we can scan by using sqlmap written in python and take advantage of
openness. The only good part of being useful is that it is automatic, but my
personal opinion is that i do not recommend it.

User Generator - Displays the name and surname or username of a name on the
most commonly used historical basis.

Name Mangler - Manages them to create a list of potential usernames that can be
left to the intruder to test valid entries.

CeWLer - Can be used to extract a word list from HTML files.

Masher - Starts with combining words from the list provided, then adds and
modifies characters to create new passwords.

BasicAuther - When given a list of usernames and passwords, they extract the
appropriate BasicAuth strings that can later be left to intruders.
TurkHackTeam.Org/.Net/.Com.TR

From A to Z | Burp Suite Tutorial

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to From A to Z | Burp Suite Tutorial

Similar to From A to Z | Burp Suite Tutorial (20)

Recently uploaded

Recently uploaded (20)

From A to Z | Burp Suite Tutorial