
Burp Suite Tutorial – Web Application Penetration Testing (Part 2)

Saturday, December 26, 2015 Sensei Fedon 0 Comments

In the last article we introduced some of the useful features that Burpsuite has to offer when performing a Web Application Penetration Test. In part 2 of this series we will explore some additional functionality including: Validating Scanner Results, Exporting Scanner Reports, Parsing XML Results, Saving a Burp Session and Burp Extensions. Let’s get right to it!

Burp Suite Tutorial – Validating Scanner Results

It’s always a good idea to thoroughly validate the results of any automated scanning tool. Burpsuite provides everything you need to do this on the “Scanner/Results” tab. Click on a node in the left pane to see the identified vulnerabilities associated with that target. The right-hand lower pane displays the verbose Request/Response information pertaining to the specific vulnerability selected from the right-hand upper pane.
The “Advisory” tab contains information about the vulnerability including a high-level detail, description and proposed recommendation. The “Request” & “Response” tabs will display exactly what Burpsuite sent to the target application in order to check for the vulnerability as well as what was returned by the application. Take a look at the example below.
Figure #1 – Validating Scanner Results



Burp Suite Tutorial – Web Application Penetration Testing (Part 1)

Saturday, December 26, 2015 Sensei Fedon 0 Comments


Burp Suite from Portswigger is one of my favorite tools to use when performing a Web Application Penetration Test. The following is a step-by-step Burp Suite Tutorial. I will demonstrate how to properly configure and utilize many of Burp’s features. After reading this, you should be able to perform a thorough web application penetration test. This will be the first in a two-part article series.
Don’t Go To Jail!
   What we will cover:
  • Outbound SOCKS Proxy Configuration
  • Intercept & Scope Configuration
  • Manual Application Walkthrough
  • Using The Spider & Discover
  • Using The Repeater Tab
  • Using The Intruder Tab
  • Text Specific Searching
  • Using The Automated Scanner
Disclaimer: Testing web applications that you do not have written authorization to test is illegal and punishable by law.

Burp Suite Tutorial – Configure Outbound SOCKS Proxy

Depending on the scope of your engagement, it may be necessary to tunnel your Burp traffic through an outbound SOCKS proxy. This ensures that testing traffic originates from your approved testing environment. I prefer to use a simple SSH tunnel, which works nicely for this purpose. SSH out to your testing server and set up a SOCKS proxy on your localhost via the ‘-D’ option like this.
ssh -D 9292 -l username servername
Navigate to the Options tab located near the far right of the top menu in Burp. From the “Connections” sub-tab, scroll down to the third section labeled “SOCKS Proxy”. Type in localhost for the host option and 9292 for the port option.
Burp Suite Tutorial - SOCKS Proxy Settings
Now burp is configured to route traffic through your outbound SSH tunnel. Configure your browser’s proxy settings to use burp. Navigate to www.whatismyip.com and ensure your IP address is coming from your testing environment.
#ProTip I use a separate browser for web application testing. This ensures I don’t accidentally pass any personal data to one of my client’s sites, such as the password to my Gmail account for example.
I also prefer to use a proxy switching addon such as “SwitchySharp” for Google Chrome. This allows me to easily switch back and forth between various proxy configurations that I might need during different engagements. Here is what my configuration settings look like for Burp.
Figure #2 – SwitchySharp Proxy Settings

Burp Suite Tutorial – Configure Intercept Behavior

The next thing I do is configure the proxy intercept feature. Set it to only pause on requests and responses to and from the target site. Navigate to the “Proxy” tab under the “Options” sub-tab. The second and third headings display the configurable options for intercepting requests and responses. Uncheck the defaults and check “URL Is in target scope”. Next, turn intercept off, as it is not needed for the initial application walkthrough. From the “Intercept” sub-tab, ensure that the toggle button reads “Intercept is off”.
Figure #3 – Proxy Intercept Settings

Burp Suite Tutorial – Application Walkthrough

For some reason, a lot of people like to skip this step. I don’t recommend this. During the initial walkthrough of your target application it is important to manually click through as much of the site as possible. Try to resist the urge to start analyzing things in Burp right away. Instead, spend a good while clicking on every link and viewing every page, just like a normal user might do. Think about how the site works or how it’s “supposed” to work.
You should be thinking about the following questions:
  • What types of actions can someone do, both from an authenticated and unauthenticated perspective?
  • Do any requests appear to be processed by a server-side job or database operation?
  • Is there any information being displayed that I can control?
If you stumble upon any input forms, be sure to do some manual test cases. Enter a single tick and hit submit on any search form or zip code field you come across. You might be surprised at how often security vulnerabilities are discovered by curious exploration and not by automated scanning.

Burp Suite Tutorial – Configure Your Target Scope

Now that you have a good feel for how your target application works, it’s time to start analyzing some GETs and POSTs. However, before doing any testing with Burp it’s a good idea to properly define your target scope. This will ensure that you don’t send any potentially malicious traffic to websites that you are not authorized to test.
#ProTip I am authorized to test www.pentestgeek.com. *You* are not.
Head over to the “Target” tab and then the “Site map” sub-tab. Select your target website from the left display pane. Right click and choose “Add to scope”. Next, highlight all other sites in the display pane, right click and select “Remove from scope”. If you’ve done this correctly your scope should look something like the image below.
Figure #4 – Scope Settings
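The scope decision described above, written out as an added example (not code from the original article or from Burp): a strict check that a URL matches an authorized scheme, exact host, port and path prefix, run over a constructed URL list. The host www.target.example and the names in_scope and split_by_scope are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed scope for illustration: one host, HTTPS only, default port.
# "www.target.example" is a placeholder, not a host from the article.
SCOPE = [{"scheme": "https", "host": "www.target.example", "port": 443, "path": "/"}]
DEFAULT_PORTS = {"http": 80, "https": 443}


def in_scope(url, scope=SCOPE):
    """True only if scheme, exact host, port and path prefix all match one rule."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")  # hostname excludes userinfo, is lowercased
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    return any(scheme == r["scheme"] and host == r["host"] and port == r["port"]
               and path.startswith(r["path"]) for r in scope)


def split_by_scope(urls, scope=SCOPE):
    """Partition URLs (for example, copied from proxy history) by scope membership."""
    inside = [u for u in urls if in_scope(u, scope)]
    outside = [u for u in urls if not in_scope(u, scope)]
    return inside, outside


# Constructed sample of URLs a browsing session might touch.
SAMPLE_URLS = [
    "https://www.target.example/login",
    "https://WWW.TARGET.EXAMPLE:443/search?q=1",
    "http://www.target.example/login",        # wrong scheme
    "https://www.target.example:8443/admin",  # wrong port
    "https://cdn.target.example/app.js",      # sibling host, not authorized
    "https://www.target.example.evil.test/",  # suffix look-alike
    "https://www.target.example@evil.test/",  # userinfo; the real host is evil.test
    "https://evilwww.target.example/",        # prefix look-alike
]

if __name__ == "__main__":
    inside, outside = split_by_scope(SAMPLE_URLS)
    for label, group in (("IN ", inside), ("OUT", outside)):
        for u in group:
            print(label, u)
```

Exact host comparison is the important part: substring or prefix matching would wrongly accept the look-alike hosts in the sample.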

Burp Suite Tutorial – Initial Pilfering

Click on the “Target” tab and the “Site Map” sub-tab. Scroll down to the appropriate site branch and expand all the arrows until you get a complete picture of your target site. This should include all of the individual pages you browsed as well as any JavaScript and CSS files. Take a moment to soak all of this in, and try to spot files that you don’t recognize from the manual walkthrough. You can view the response of each request in a number of different formats located on the “Response” tab of the bottom right display pane. Browse through each response searching for interesting gems. Things you might be surprised to find include:
  • Developer comments
  • Email addresses
  • Usernames & passwords if you’re lucky
  • Path disclosure to other files/directories
  • Etc…

Burp Suite Tutorial – Search Specific Keywords

You can also leverage burp to do some of the heavy lifting for you. Right click on a node, from the “Engagement tools” sub-menu select “Search”. One of my favorite searches is to scan for the string “set-cookie”. This lets you know which pages are interesting enough to require a unique cookie. Cookies are commonly used by web application developers to differentiate between requests from multiple site users. This ensures that user ‘A’ doesn’t get to view the information belonging to user ‘B’. For this reason it is a good idea to identify these pages and pay special attention to them.
Figure #5 – Search Specific Keywords
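The “set-cookie” search described above, as an added example that is not part of the original article: it reads Set-Cookie response headers only (case-insensitively, ignoring matches in the body) and goes one step beyond the search by listing which cookie flags each page leaves off. The responses, cookie names and function names are constructed for illustration.

```python
# Constructed sample: request path -> raw response as shown in a Response tab.
SAMPLE_RESPONSES = {
    "/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>home</html>",
    "/login": ("HTTP/1.1 302 Found\r\nLocation: /account\r\n"
               "Set-Cookie: SESSIONID=3f9a1c; Path=/; HttpOnly\r\n"
               "set-cookie: lang=en; Path=/\r\n\r\n"),
    "/account": ("HTTP/1.1 200 OK\r\n"
                 "Set-Cookie: csrf=77ab; Path=/; Secure; HttpOnly; SameSite=Strict\r\n\r\n"
                 "<p>Docs mention the Set-Cookie: header</p>"),
    "/about": "HTTP/1.1 200 OK\r\n\r\n<p>Set-Cookie: not-a-header=1</p>",
}


def set_cookie_headers(raw_response):
    """Return the value of every Set-Cookie header, ignoring the body."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    first, *attrs = [p.strip() for p in value.split(";")]
    return first.partition("=")[0], {a.partition("=")[0].lower() for a in attrs if a}


def cookie_report(responses):
    """Map each path that issues cookies to {cookie name: list of missing flags}."""
    wanted = ("secure", "httponly", "samesite")
    report = {}
    for path, raw in responses.items():
        for value in set_cookie_headers(raw):
            name, attrs = parse_cookie(value)
            report.setdefault(path, {})[name] = [f for f in wanted if f not in attrs]
    return report


if __name__ == "__main__":
    for path, cookies in cookie_report(SAMPLE_RESPONSES).items():
        for name, missing in cookies.items():
            print(path, name, "missing:", ", ".join(missing) or "none")
```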

Burp Suite Tutorial – Using Spider and Discover

After a good bit of manual poking and prodding it’s usually beneficial to allow burp to spider the host.  Just right click on the target’s root branch in the sitemap and select “Spider this host”.
Figure #6 – Spider Feature
Once the spider has finished, go back to your site-map and see if you picked up any new pages.  If you have, take a manual look at them in your browser and also within burp to see if they produce anything interesting.  Are there any new login prompts, or input boxes for example? If you’re still not satisfied with all that you have found you can try Burp’s discovery module.  Right click on the target site’s root branch and from the “Engagement tools” sub-menu select “Discover Content”.  On most sites this module can and will run for a long time so it’s a good practice to keep an eye on it. Make sure that it completes or shut it off manually before it runs for too long.

Burp Suite Tutorial – Using The Repeater

The Repeater tab is arguably one of the most useful features in Burp Suite. I use it hundreds of times on every web application that I test. It is extremely valuable and also incredibly simple to use. Just right click on any request within the “Target” or “Proxy” tab and select “Send to Repeater”. Next click over to the “Repeater” tab and hit “Go”. You will see something like this.
Figure #7 – The Repeater
Here you can manipulate any part of the HTTP request headers and see what the response looks like. I recommend spending some good time here playing with every aspect of the HTTP request, especially any GET/POST parameters that are being sent along with the request.

Burp Suite Tutorial – Using The Intruder

If you are limited on time and have too many requests and individual parameters to do a thorough manual test, Burp Intruder is a really great and powerful way to perform automated and semi-targeted fuzzing. You can use it against one or more parameters in an HTTP request. Right click on any request just as we did before and this time select “Send to Intruder”. Head over to the “Intruder” tab and click on the “Positions” sub-tab. You should see something like this.
Figure #8 – Intruder Positions
I recommend using the “Clear” button to remove what is selected at first. The default behavior is to test everything with an ‘=’ sign. Highlight the parameters you want to fuzz and click “Add”. Next you need to go to the “Payloads” sub-tab and tell Burp which test cases to perform during the fuzzing run. A good one to start off with is “Fuzzing – full”. This will send a number of basic test cases to every parameter that you highlighted on the “Positions” sub-tab.
Figure #9 – Intruder Payloads

Burp Suite Tutorial – Automated Scanning

The last thing that I do when testing a web application is perform an automated scan using Burp. Back on your “Site map” sub-tab, right click on the root branch of your target site and select “Passively scan this host”. This will analyze every request and response that you have generated during your Burp session. It will produce a vulnerability advisory on the “Results” sub-tab located on the “Scanner” tab. I like to do the passive scan first because it doesn’t send any traffic to the target server. Alternatively you can configure Burp to passively analyze requests and responses automatically in the “Live scanning” sub-tab. You can also do this for Active Scanning but I do not recommend it.
When doing an active scan I like to use the following settings.
Figure #10 – Active Scan Settings

Burp Suite Tutorial – End Of Part 1

Hopefully you’ve learned some useful techniques for performing Web Application Penetration Testing. In Part 2, we will go over some more of Burp’s features. We will cover reporting and exporting session data for collaboration with other pentesters. I look forward to seeing you there. Thank you for reading and as always, Hack responsibly.
Source: pentestgeek.com



An easy Registry hack in Windows Defender makes it an efficient adware killer

Sunday, December 20, 2015 Sensei Fedon 0 Comments


Windows Registry hack can make your Windows Defender a super adware killer

Everyone, including me, hates adware. Adware programs are the worst unwanted critters of any operating system, especially Windows 7/8.1 or the newly released Windows 10. Though there are several trusted apps to remove such malware, it is always better to have a native application that can nip such adware in the bud.
Yesterday Microsoft announced that its new enterprise security products come with a new feature that also stops potentially unwanted software and adware. The functionality was actually first made available to enterprises. To protect them against unwanted applications, Microsoft added a new opt-in feature to the enterprise solutions System Center Endpoint Protection (SCEP) and Forefront Endpoint Protection (FEP). Combined with Windows Defender, these applications are able to block downloading and installing unwanted software. Windows Defender now also detects and removes potentially unwanted applications (PUAs), such as adware that is installed by piggybacking on freeware tools.
However, this was only for enterprises and businesses. Luckily for us, a German website, Heise, has discovered that tweaking the Windows Defender entry in the Windows Registry can make it a potent adware killer. Windows Defender is Microsoft’s security solution and has been available on all systems since Windows 8; it can be considered the successor to Microsoft’s Security Essentials.
Easy registry hack makes Windows Defender an adware killer
Courtesy Heise

How to go about it

Heise has discovered that, using a registry hack, it’s also possible for consumers to get the additional protection. According to Heise the hack works well in Windows 7, Windows 8.1 and Windows 10 Home and Pro versions. It can easily kill the adware once you make changes in your Registry keys.

How To Open Registry Editor

  1. In Windows 10 or Windows 8.1, right-click or tap-and-hold the Start button and then choose Run. Prior to Windows 8.1, Run is most easily available from the Apps screen. In Windows 7 or Windows Vista, click on Start. In Windows XP, click on the Start button and then click Run….
  2. In the search box, or Run window, type the following:
    regedit
    and then press Enter.
    Note: Depending on your version of Windows, and how it’s configured, you may see a User Account Control dialog box where you’ll need to confirm that you want to open Registry Editor.
  3. Registry Editor will open.
To activate the adware killer feature in Windows Defender, create a DWORD named “MpEnablePus” with the value “1” under the registry key “HKEY_LOCAL_MACHINE \ Software \ Policies \ Microsoft \ Windows Defender \ MpEngine”.
To enable the feature you can add the text below to ‘defender.reg’. After you open the file the changes are made. You can also download this file (save as). Double-click the file and its contents will automatically be saved in the Registry.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
"MpEnablePus"=dword:00000001
Do remember to back up your Registry before embarking on this hack. Also, kindly do it at your own risk.
