Burpsuite

Burpsuite is sweet

Proxy

Set-up

Configure a local bowser to proxy traffice through Burp. FoxyProxy is easy and free. In FoxyProxy set a loopback address (127.0.0.1) on port 8080 to send the traffic to Burp.

Proxy intercepts all web requests and server responses. While Intercept is on all responses will be held for review or edit until allowed to pass via either "forward" or "drop". While being held the web browser wil appear to stall mid-load.

For https traffic intercepting to work a certificate needs to be manually added.

Turn on proxy and have Burp running
Go to https://portswigger.net/burp/pro
Download cacert.der
Enter "about:preference" in Firefox search
View Certificates and import cacert.der

Burp Suite also has a built in Chromium browser with the certificate pre-configured.

Scoping

Setting the scope of a project allows filter only targeted traffic to the proxy (versus all traffic) which means less requests to go through.

Scope can be set by going to the Target tab (top level nav), right clicking the target address and choosing "add to scope". From there it's common to select the option to stop logging anything out of scope.

Repeater

Repeater is used to replicate and requests, often with edits, on a large scale. The main interface has six sections.

Repeater requests
Controls for the current request
Request and response view: actually seeing what is being sent and received
Inspector for breaking apart requests for anaylsis and deeper edits
Target, which just the IP or domain

Views

Repeater offers four display options when viewing requests and responses.

Pretty: default option, aims for highest level of readability
Raw: pure responses from the server
Hex: byte view of the raw response
Render: shows the page as it would look in the browser

The "\n" button allows display of characters that wouldn't normally be displayed in the Pretty or Raw views.

Inspector gives a "prettified" breakdown of the contents of the requests and responses. Many of these can be edited or alterted prior to sending. Inspector allows for viewing and editing of the following sections:

Query Parameters: the data being sent to the server in the URL
Body Parameters: same thing as query parameters, but for POST requests.
Request Cookies: a modifiable list of cookies
Request Headers: all of the headers, ready for edit (even removal) being sent with requests
Response Headers: the headers sent from the server which obviously cannot be edited

Intruder

Intruder is Burp's fuzzing tool meaning it can be used to crack username/password combinations. By capturing a log-in request, Intruder can then alter it and submit it with numerous combinations of credentials. These can be drawn from a user supplied wordlist or entered manually.

It can also be used to fuzz endpoints, sub-directories, and virtual hosts.

In the Community Edition, Intruder is heavily rate limited and out-performed by alternative applications.

Positions

Positions tell Intruder where to place payloads (usernames/passwords) within a submission. Intruder can make guesses about where these would go and they are book-ended with § and highlighted in green. For example "username=§PecosBill§ password=§Cracked§"

To the right of the submission are three buttons:

Add §: put in new positions within the submission by highlighting them and then hitting the button
Clear §: removes all definted positions
Auto §: makes best guess most likely positions

Attack Types

Intruder has four types of attacks available, each with their own use cases.

Sniper

Sniper is the most commonly used attack. It involves using one set of payloads (e.g. rockyou.txt). When this attack is used Intruder will work through the payloads one at a time. The number of requests Intruder will make is equal to the number of words multipled by the number of positions.

Battering Ram

Battering Ram also takes a single set of payloads. Instead of working through each position in turn, Battering Ram puts the same payload in each position.

Pitchfork

Pitchfork is the second most commonly used attack and functions like multiple snipers running at one. It uses one payload per position (max of 20) and iterates through them all at once. For example with two payloads, userNames and passWords, Pitchfork will run:

userNameA + passWordA
userNameB + passWordB
userNameC + passWordC

Pitchfork will continue until one of the payloads runs out, though ideally all payloads would be of equal length.

Cluster Bomb

Like Pitchfork this attack type uses multiple combinations, but as opposed to working through them in order it works through eat payload indivdually to hit all possible combinations. So instead the attack would look like:

userNameA + passWordA
userNameA + passWordB
userNameA + passWordC
userNameB + passWordA
userNameB + passWordB
userNameB + passWordC
userNameC + passWordA
userNameC + passWordB
userNameC + passWordC

Unlike Pitchfork it's not as vital that all payloads be the same length.

Payloads

The Payloads tab of Intruder has four sections.

Payload Sets

This section allows for the configuration of which payloads go into which positions. In the case of Sniper or Battering Ram attacks there will only be one option from the drop down box (due to the nature of these attacks).

Payload Options

This section will depend on what payload type is currently set. For a simple list, payloads can be manually entered or a file can be uploaded.

Payload Processing

This allows rules to be set that will be applied to each payload before it is sent. This could include capitalizing words or skipping a payload if it meets certain requirements.

Payload Encoding

This section allows default URL encoding options to be overridden.

Decoder

Decoder is for manipulating dating. Captured information can be decoded, but it also allows for encoding of data prior to sending it to the target. It also supports the creating of hashsums.

Its "Smart Decode" will attempt to decode input automatically.