1
00:00:00,180 --> 00:00:01,920
Hello everybody and welcome back.

2
00:00:01,920 --> 00:00:07,130
And in this tutorial we will cover some of the Burp Suite attacks that could be useful for us.

3
00:00:07,140 --> 00:00:15,510
So let us start off by turning our Burp Suite on. You can turn your Burp Suite on from the applications,

4
00:00:15,540 --> 00:00:24,260
I will just turn mine on from the terminal. And also, if you unset the proxy like me in the previous video,

5
00:00:24,280 --> 00:00:29,450
let us just set Burp Suite to be our proxy so we can intercept our packets.

6
00:00:29,480 --> 00:00:32,130
So just go here on the preferences.

7
00:00:32,150 --> 00:00:33,870
We already covered all of this.

8
00:00:33,890 --> 00:00:36,410
Scroll down to the network settings.

9
00:00:36,470 --> 00:00:40,770
Let me just click here on next for the Burp Suite and start Burp Suite.

10
00:00:40,970 --> 00:00:43,580
And here go on network proxy.

11
00:00:43,580 --> 00:00:50,140
And then on settings, and just check your manual proxy configuration, so click here.

12
00:00:50,160 --> 00:00:50,650
Okay.

13
00:00:50,660 --> 00:00:56,380
And now your Burp Suite is set as a proxy. Now, as we already know,

14
00:00:56,390 --> 00:00:59,600
Burp Suite is already set to intercept our packets.

15
00:00:59,630 --> 00:01:04,600
So if we try to, for example, go on google.com, we won't be able to connect.

16
00:01:04,610 --> 00:01:07,060
So let us first of all turn that off.

17
00:01:08,120 --> 00:01:13,800
And now we should be able to access the Google page. Waiting for Google.

18
00:01:13,880 --> 00:01:17,870
Now the Internet is a little bit slow, so we will wait for that.

19
00:01:17,960 --> 00:01:23,720
The first thing I want to show you is the Burp Spider. Now the spider,

20
00:01:23,720 --> 00:01:28,060
basically there are active and passive spidering of a web page.

21
00:01:28,100 --> 00:01:32,480
The passive spidering Burp Suite does by default.
22
00:01:32,510 --> 00:01:39,400
So if we, for example, visit Google, if you go on this arrow it will show you the subdirectories of

23
00:01:39,410 --> 00:01:47,330
Google, and you can also go as much as you want. As we can see, there are a bunch of these files that it

24
00:01:47,330 --> 00:01:49,000
already found in Google.

25
00:01:49,010 --> 00:01:57,130
Now how does the scanning work, or the spidering? It basically watches the HTML of the page, the HTML

26
00:01:57,140 --> 00:02:03,830
page, and here it has a bunch of these links, and it clicks on each of these links.

27
00:02:03,830 --> 00:02:11,060
So for example the spider basically just scanned through this HTML code and found, for example, this

28
00:02:11,060 --> 00:02:17,900
link, and it clicked on it and then it added it to this spidering folder where it shows all of the

29
00:02:18,320 --> 00:02:20,270
links that are connected on that page.

30
00:02:22,600 --> 00:02:22,900
Now

31
00:02:25,750 --> 00:02:31,680
in order for you to spider a web page, of course, your intercept has to be turned off now.

32
00:02:31,750 --> 00:02:40,420
And if you wanted to scan the page actively you need to right click, for example let us right click on

33
00:02:40,420 --> 00:02:45,100
the... on the net, on the...

34
00:02:45,780 --> 00:02:49,130
Let us choose right here so we can go.

35
00:02:49,340 --> 00:02:58,510
But let us first of all visit our OWASP machine, so we will visit that, and let us see what

36
00:02:58,510 --> 00:03:00,360
it gave for it right here.

37
00:03:00,370 --> 00:03:01,840
It didn't print it out yet.

38
00:03:01,840 --> 00:03:08,170
So let me just reload this page, and right now we see it right here.

39
00:03:09,340 --> 00:03:17,350
And for now it doesn't have anything there, but if we go on to, for example, this one, let me just

40
00:03:17,350 --> 00:03:21,810
see, it found the subdirectory that we clicked on.
41
00:03:21,910 --> 00:03:30,070
But let's say we want to spider only this subdirectory actively. Just click here on yes, and you can

42
00:03:30,070 --> 00:03:32,710
see it in real time.

43
00:03:32,740 --> 00:03:39,520
So, "do you want Burp Proxy to stop sending out-of-scope items"; then just go here on the spider and we can see

44
00:03:39,520 --> 00:03:47,110
the requests made and the bytes transferred. It is still running, as we can see. "Use these settings

45
00:03:47,110 --> 00:03:48,620
to monitor and control

46
00:03:48,650 --> 00:03:55,180
Burp Spider. To begin spidering, browse the target application and right click on one or more nodes in

47
00:03:55,180 --> 00:03:58,330
the target site map and Spider this host branch."

48
00:03:58,330 --> 00:04:07,240
Now this is the active spidering. As we can see, it has a bunch of subdirectories itself, and you

49
00:04:07,240 --> 00:04:12,430
can find some interesting things by just searching those subdirectories.

50
00:04:15,330 --> 00:04:17,730
Now that isn't really that important to us.

51
00:04:17,760 --> 00:04:21,620
So we won't be giving too much of our time to that.

52
00:04:21,690 --> 00:04:28,990
But what we want to do is we want to perform our first attack on the OWASP machine.

53
00:04:29,550 --> 00:04:34,170
So the first thing we will do will be rather simple.

54
00:04:34,170 --> 00:04:40,710
Let me just open Firefox and go one step back.

55
00:04:40,710 --> 00:04:43,930
And what you want to do is you want to go on to the

56
00:04:44,430 --> 00:04:46,560
OWASP IP address.

57
00:04:46,560 --> 00:04:51,060
And then once you go to this page just click here on the OWASP WebGoat.

58
00:04:51,210 --> 00:04:59,570
Now it will prompt you for the username and password. The username and password will be webgoat.

59
00:04:59,580 --> 00:05:05,060
So put the username webgoat and put the password,

60
00:05:05,060 --> 00:05:07,900
also webgoat.
61
00:05:08,190 --> 00:05:11,220
So just type that and you should be able to log in right here.

62
00:05:11,220 --> 00:05:17,600
We do not want to save the password, since we will be brute forcing the same login later on. It will ask you,

63
00:05:17,640 --> 00:05:20,430
it will basically prompt you with the welcome screen.

64
00:05:20,430 --> 00:05:28,980
So just click here on Start WebGoat, and here we have a bunch of attacks that we can perform on

65
00:05:28,980 --> 00:05:30,830
the OWASP WebGoat.

66
00:05:30,900 --> 00:05:38,480
Now for the first attack, and the rather easy one, we want to go on to the authentication flaws.

67
00:05:38,640 --> 00:05:41,340
So basically let me just find where that is.

68
00:05:41,340 --> 00:05:42,330
Here it is.

69
00:05:42,570 --> 00:05:44,390
And we want to go on to the

70
00:05:44,430 --> 00:05:46,110
forgot password.

71
00:05:46,860 --> 00:05:54,680
So if you go on to the forgot password, it will basically ask you for the username of your own account

72
00:05:54,720 --> 00:05:57,460
in order to change the password.

73
00:05:57,570 --> 00:05:58,690
Now what

74
00:05:58,710 --> 00:06:00,790
the problem with this is.

75
00:06:00,940 --> 00:06:06,050
Well, first of all, we do not know any username for this specific page.

76
00:06:06,090 --> 00:06:12,420
So if we type here, for example, ggggg and submit, it will say "not a valid username.

77
00:06:12,420 --> 00:06:14,110
Please try again."

78
00:06:14,120 --> 00:06:21,270
Now the concept of this attack is that we send a bunch of usernames right here and hope that we get

79
00:06:21,390 --> 00:06:28,110
a different response from the server for some of those usernames, which will basically tell us that

80
00:06:28,170 --> 00:06:30,470
that username exists.

81
00:06:30,480 --> 00:06:34,080
So let me just explain that a little bit better.

82
00:06:34,230 --> 00:06:40,000
For example, let's say we send 10 usernames into this.
83
00:06:40,000 --> 00:06:49,060
We just type here 10 different usernames, and one of them happens to exist on this web page. For that

84
00:06:49,210 --> 00:06:50,310
specific one,

85
00:06:50,320 --> 00:06:54,850
it will not print us this error which says "not a valid username.

86
00:06:54,850 --> 00:06:56,050
Please try again."

87
00:06:56,050 --> 00:07:04,750
Which means that our HTTP response from the server, in its HTML code, won't have this string, which will

88
00:07:04,750 --> 00:07:11,700
make the HTTP response basically smaller or bigger in terms of bytes.

89
00:07:11,740 --> 00:07:17,800
And we will be able to determine the difference between the HTTP response from the not valid username

90
00:07:17,830 --> 00:07:20,010
and from the valid username.

91
00:07:20,020 --> 00:07:31,260
Now in order for you to understand this better, let us do that in practice. So what we want to do is, first

92
00:07:31,260 --> 00:07:34,480
of all, turn our intercept on for this.

93
00:07:34,530 --> 00:07:42,160
So just go on to intercept on, and so our goal right now is to find out a valid username.

94
00:07:42,180 --> 00:07:43,650
So I type here anything.

95
00:07:43,650 --> 00:07:45,850
So just type here "anything",

96
00:07:48,450 --> 00:07:53,700
here we will receive that packet that we sent, which is a POST request, since we are posting in this

97
00:07:53,700 --> 00:08:00,750
form right here on this page, as we can see, and our username that we're posting is "anything".

98
00:08:00,970 --> 00:08:10,030
Now you can just forward this or turn the intercept off, and we want to find this packet.

99
00:08:10,190 --> 00:08:14,570
We want to find this packet in our Burp Suite.

100
00:08:14,570 --> 00:08:19,750
So let us just find it. POST...

101
00:08:20,210 --> 00:08:23,250
We are looking at the responses.

102
00:08:23,360 --> 00:08:24,770
This is not it.

103
00:08:26,480 --> 00:08:28,350
POST... and so here it is.
104
00:08:28,410 --> 00:08:33,790
This is our POST request that we sent a few seconds ago, which says username "anything".

105
00:08:33,840 --> 00:08:36,700
And we got a "not valid username" for that.

106
00:08:36,770 --> 00:08:43,160
So what we want to do with this packet is we want to send it to Intruder.

107
00:08:43,500 --> 00:08:48,930
Now the Intruder is basically a brute forcer for the Burp Suite.

108
00:08:48,960 --> 00:08:54,660
So here, if you right click on the packet, so find your POST packet with the username, right

109
00:08:54,660 --> 00:08:58,110
click on it and go Send to Intruder.

110
00:08:58,110 --> 00:09:02,770
Once you do that, you will see this section right here will turn orange.

111
00:09:02,790 --> 00:09:08,160
So just click on it and you will see these four options right here.

112
00:09:08,160 --> 00:09:13,200
What you want to do is go on to the Positions and you will see your packet.

113
00:09:16,150 --> 00:09:16,620
Now,

114
00:09:16,690 --> 00:09:22,030
the next thing you want to do here, you will see that some of these things right here

115
00:09:22,030 --> 00:09:30,630
are selected, for example the username, the submit button, our cookie, the session ID, PHPSESSID, the

116
00:09:30,670 --> 00:09:33,140
JSESSIONID, the screen, menu.

117
00:09:33,190 --> 00:09:39,370
So what you want to do is click here on Clear in order to remove all of that selection, and right here

118
00:09:39,370 --> 00:09:42,570
what we want to do is only select our username.

119
00:09:42,880 --> 00:09:50,710
So just select "anything" and click here on Add, and you will see that out of all of these things only our

120
00:09:50,770 --> 00:09:54,060
username is selected.

121
00:09:54,090 --> 00:09:55,230
Now why do we do this?

122
00:09:55,230 --> 00:10:02,790
Well, we do it basically so Burp Suite knows which part of the packet to change with the certain list that

123
00:10:02,790 --> 00:10:06,000
we will provide it with, with different usernames.
124
00:10:06,180 --> 00:10:15,420
So if we left all of those things selected as before, it would change all of those things to different

125
00:10:15,510 --> 00:10:20,640
usernames, and it would make the page not load since it would change the link,

126
00:10:20,640 --> 00:10:28,140
the cookie, and it would all crash basically. But then we cleared it and added the username, selected

127
00:10:28,140 --> 00:10:31,100
it, and now it will only change the username.

128
00:10:31,110 --> 00:10:38,020
Now under the attack type you will have four options. What you want to select is the Sniper option. The

129
00:10:38,130 --> 00:10:43,460
Sniper option basically uses one list and selects each input position one by one.

130
00:10:43,860 --> 00:10:50,640
So we provide, for example, the list of five usernames which we created in our terminal or wherever.

131
00:10:50,640 --> 00:10:59,750
You can use the user list basically from Kali itself, since it comes stock with a

132
00:10:59,750 --> 00:11:07,490
bunch of these lists, and it will send packets one by one, changing this value right here with a

133
00:11:07,490 --> 00:11:09,540
different username from the list.

134
00:11:09,560 --> 00:11:11,470
So let us do that.

135
00:11:11,690 --> 00:11:14,000
Once you perform all of this,

136
00:11:14,000 --> 00:11:20,120
so once you select your username and you click here on Add, select the Sniper attack type option,

137
00:11:20,870 --> 00:11:24,730
you want to go on to the Payloads.

138
00:11:24,750 --> 00:11:31,260
Now the payload sets, for now, you want to leave unchanged, and in the payload options, the simple list,

139
00:11:31,320 --> 00:11:37,170
you want to click on Load in order for us to load a list, and where we want to go right here, we want to

140
00:11:37,170 --> 00:11:40,940
find a list that already comes pre-installed in Kali Linux.

141
00:11:41,010 --> 00:11:43,680
So just go where I go.
142
00:11:43,680 --> 00:11:54,700
So go to this slash directory and go to the usr, just find it, usr, then go to the share, then go to the

143
00:11:54,700 --> 00:12:06,720
wordlists, so just find the wordlists. It should be somewhere here. Wordlists, here.

144
00:12:06,720 --> 00:12:16,130
So click on the wordlists, click on metasploit, and from here we want to find the http

145
00:12:16,150 --> 00:12:18,760
default users dot txt.

146
00:12:21,290 --> 00:12:29,030
http_default_users.txt. You want to select this user list and click here on Open.

147
00:12:29,140 --> 00:12:34,980
And as you can see this is a smaller user list, it basically has like 15 passwords or something like that.

148
00:12:35,110 --> 00:12:40,570
And once you click that you want to go on to the Start attack.

149
00:12:40,570 --> 00:12:41,840
Now what this will do,

150
00:12:41,860 --> 00:12:47,110
it will exchange our username input with all of these different users from the list.

151
00:12:47,140 --> 00:12:51,780
So here it will say the community edition of Burp Suite contains a demo version of Burp Intruder.

152
00:12:51,790 --> 00:12:57,940
Basically this says that the free version of Burp Suite will run slower than the pro version Burp Suite,

153
00:12:58,010 --> 00:13:04,300
and in order for you to run this brute force faster you need to buy the pro version, but for now

154
00:13:04,300 --> 00:13:06,390
we'll just click here on OK,

155
00:13:06,580 --> 00:13:14,620
since we don't need it. And as you can see it is running all of these usernames in the form right here.

156
00:13:14,620 --> 00:13:19,710
So it is sending packets with different usernames, and as we can see it finished. There were 14 user

157
00:13:19,710 --> 00:13:27,550
names and all had status code 200, but what we want to search for right now is the difference in

158
00:13:27,550 --> 00:13:30,290
the length of the response of the server.
159
00:13:31,260 --> 00:13:38,700
That's what I was saying basically. As you can see, all of these are 30,606 except

160
00:13:38,700 --> 00:13:43,440
one, which is 30,516.

161
00:13:43,440 --> 00:13:44,460
What does that mean?

162
00:13:44,460 --> 00:13:51,660
That means that it got a different response from the server than all of these others, which is a good

163
00:13:51,780 --> 00:13:57,180
thing, since it possibly means that this username is a valid username.

164
00:13:58,270 --> 00:14:05,980
As we can see in any other username, so let's pick this one for example, which has this length, and

165
00:14:05,980 --> 00:14:10,500
go on to the response, and we can try to find there "not a valid username.

166
00:14:10,500 --> 00:14:19,280
Please try again." It will be there, it's just very hard to find since this is a huge HTML file.

167
00:14:22,860 --> 00:14:29,920
It doesn't change, it doesn't even matter. So just find the username that has a different length, and if

168
00:14:29,920 --> 00:14:32,290
we paste the admin right here,

169
00:14:33,450 --> 00:14:39,240
since we can see that the admin is the only one with a different length, and we click on the submit,

170
00:14:39,840 --> 00:14:46,980
we can see that we proceed to the next step, since that username was a valid username, and now it says

171
00:14:47,220 --> 00:14:55,690
"what is your favorite color" for that account. Now you can basically brute force this as well

172
00:14:55,720 --> 00:14:56,700
with the same method.

173
00:14:56,710 --> 00:15:03,070
So just find or create a list with a bunch of different colors and brute force this field the same way

174
00:15:03,070 --> 00:15:08,650
we brute forced the username, but we won't be doing that right now.

175
00:15:08,710 --> 00:15:17,450
What we want to do next, and by next I mean in the next video, is we want to brute force our log

176
00:15:17,490 --> 00:15:17,940
in.
177
00:15:18,070 --> 00:15:25,620
So basically we will be brute forcing the username and password at the same time, so we will do that

178
00:15:25,680 --> 00:15:26,620
in the next video.

179
00:15:26,970 --> 00:15:31,410
And until then, I hope you have a great day and I will see you later.

180
00:15:31,440 --> 00:15:31,680
Bye.