
Sunday, May 24, 2020

Burp Suite Complete Guide (Part 2- Proxy Module)

We are done configuring Burp Suite with the Firefox browser; now it's time to use it.

Burp Suite has a number of built-in modules, each of which acts as a different set of tools, so we will look at each of them separately, with practical examples, concise but useful descriptions, and the settings and options they offer.

When a browser request is intercepted, the Proxy module pops up automatically; that module is the one we will look at in this post.

Burp Suite Proxy Module Tutorial


We are going to use DVWA to generate some requests, find out how to analyze those requests and filter out the important things we need, and go through some settings and configurations of the Proxy module.

Now let's head over to it directly.

We will understand Proxy module requests using the CSRF (Cross-Site Request Forgery) vulnerability, which is directly associated with crafting requests to gain a victim's credentials.


Burp Suite Intercept Tab


Before changing the password in DVWA, make sure to switch the proxy on in FoxyProxy and keep Intercept on.

DVWA

After clicking the Change button you will see Burp Suite pop up automatically: the request that was going to be sent to the DVWA application has been intercepted.

Burp suite intercepted request

It looks like this. It is a classic GET request sent to the web application, and it reveals a lot about how the web application interacts with the browser:
User-Agent, Cookie, Encoding, Referer, and so on are the things we can use or craft to make our forged requests.

Head over to the CSRF tutorial to know more about crafting requests.

Burp Suite Forward Tab


After analyzing or crafting a request we can forward it to the web application using the Forward button (the web application is stuck until the request is forwarded, and then responds according to the request once Forward is pressed).

Burp Suite Drop Tab


Sometimes you need only to analyze a request and not send it to the web application (for example, when pentesting a web application with a limited number of requests). It comes in very handy when you have only 3 attempts to send to a web application, after which wrong entries will cause it to block further requests.
After pressing Drop, this page will show up:

Intercept drop request


This says the request was dropped by the user, and after pressing Back you will come back to the same page from which the request was received.

Burp Suite Action Tab


Another very important tab in Burp Suite, which allows it to interact with other modules within it, such as Intruder, Repeater, Comparer, and Decoder.


Change Request Method - With the interaction tools it gives us one-click functionality to change the request method: it changes a GET request into a POST request in one click, saving lots of time and hassle.

Change Body Encoding - works well when you need to change the body encoding of a request; just click on Change Body Encoding and it does it for you.

Copy URL - Many of you are wondering how to get the URL of a request after modifying and crafting it; click on Copy URL and it will copy it for you.

Copy as curl command - Many times a request needs to be run with curl; click on Copy as curl command and it is ready to paste into the terminal as a curl command, which will execute directly from curl. (Important sometimes.)

The Action tab also gives Copy to file and Paste from file features, which are useful and very handy. Save item can also save a request so we can use it next time without intercepting it again.

Don't intercept this request - If you don't want to intercept requests to some host, IP, file extension, or directory, click on Don't intercept this request and select which of them you don't want to intercept. If you are getting uninteresting or unwanted requests, use these filter rules.

Do intercept response - allows us to intercept the response to the request currently displayed; the intercepted response can then be used for pen-testing.

URL encoding while typing - can automatically URL-encode the request while you are editing it.



Proxy Module Intercept requests

  • Raw Requests -

These are the requests you get when Burp Suite pops up and shows the request your browser sent to the application. You can also modify the request in this tab. This is the basic way Burp Suite shows you requests: nothing fancy, but useful and easy to understand.


  • Param Requests -

Also called parameterised requests, these are very easy to read and very distinct, showing where you can put parameters in a request.


Burp suite request parameters

This is the request for this page.

DVWA Burp suite request parameters


Here we can clearly see the Username and Password parameters, where we can provide inputs or send them to other modules to work with.
We can also see a cookie parameter, which is also very useful for hacking techniques such as session hijacking.



  • Headers (Request Headers)

If you are having trouble distinguishing the various headers in a raw request, jump to the Headers tab, where all headers and their values are shown in a neat tabular form.

header requests burp suite

As you can see in the picture, you get a clear idea of the Host, User-Agent, Referer, cookies, and lots of other things, all well laid out.


  • Hex Requests -

In this tab the whole request is shown in hex. Hex is not used that much, but it is useful in some cases, such as MAC addresses, HTML & CSS codes, assembly code, and memory dumps.


Burp suite requests in HEX

As you can see, it's difficult to read and a bit of a headache; we leave it to systems and machines to understand.


  • HTTP History Tab (Proxy)

This is the place where all of our previously intercepted requests are stored, and we can also access them again from here.


Burp suite proxy HTTP history

A big advantage of this HTTP history is that it gives pretty good information about each request: the host, whether it was a GET or POST request, the URL, parameters, and so on.
We can also add filters to find the request we want.

WebSocket History gives us slightly different information, such as Direction, TLS, and listening ports.


Burp Suite Proxy Options

 

Proxy Listeners


Proxy listeners create a local HTTP proxy server that the browser and other HTTP clients connect to. When configured, it listens to and intercepts all requests travelling from the browser to the web, and also the responses coming back from the server to the client.
By default this proxy listener is set to 127.0.0.1:8080, and the browser also needs to be configured to use this proxy.

All browsers can be listened to and intercepted using this one proxy; only if we want to test an unusual application, or need to work with non-browser-based applications, do we use different proxy listeners as needed.


Intercept client response




This control setting determines which requests and responses appear in the Intercept tab, and we can also apply several settings to filter requests and responses.



Proxy intercept Client request burp suite

Several rules can be activated or deactivated using the checkboxes. These rules can also be added, removed, or modified for our use.


We can filter requests and responses using many parameters such as URL, IP address, MIME type, port number, HTML and CSS types, various parameters, cookies, HTTP methods, status codes, length, and so on. These rules can also be adjusted to work only within the scope.
You can use boolean logic such as AND and OR to process the rules in order or to combine them.

Proxy intercept Client response burp suite


Automatically fix missing or superfluous new lines at end of requests - if an edited request doesn't have a blank line following the headers, Burp will add it.
If an edited request containing URL-encoded parameters has any newline characters at the end of the body, Burp will remove them.
This option is useful when editing a large number of requests in Intercept, and avoids issuing invalid requests to the server.

Automatically update Content-Length - this controls the Content-Length header of the message when it has been modified by the user.
Useful when the HTTP body has been modified.

Intercepting WebSocket messages


These checkboxes control which WebSocket messages are held for viewing and editing in the Intercept tab.

You can configure whether outgoing messages (client to server) or incoming messages (server to client) are intercepted.


Burp Suite Response modification


Response Modification -


You can use these options to automatically modify or rewrite the HTML in the application's response.

Client-side controls can be removed using the following options:


  • Unhide hidden form fields (for easy identification there is a sub-option that prominently highlights unhidden fields on-screen)
  • Enable disabled form fields
  • Remove input field length limits
  • Remove JavaScript form validation
These options can be useful for testing client-side logic.

  • Remove all JavaScript
  • Remove <object> tags

These are some options used to deliver sslstrip-like attacks to a victim user whose traffic is unwittingly passing through Burp Suite. Use these options together with force TLS in outgoing requests to effectively strip TLS from the user's connection.


  • Convert HTTPS links to HTTP
  • Remove the secure flag from cookies

Match and Replace 


Another very important option of Burp Suite, which allows us to change or replace parts of each HTTP request and response passing through the proxy. Match and replace rules are executed in turn, and all applicable replacements are made.

Burp Suite Match and replace

Rules can be defined separately for the first line of the request, the body, or the headers, and for requests and responses; each rule is specified with a literal match string or a regex pattern, and the string to replace it with.

There are many default rules available to assist with common tasks;
they are disabled by default.

If you are having a problem with regex, here is a cheat sheet to make your day easier.


Regex cheat sheet

Match and replace can be very useful when fuzz testing user agents and other parameters.
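To make the match and replace rules, and the "fix new lines" and "update Content-Length" options described above, concrete, here is an added Python example (not Burp's code and not from the original post) that applies rules of the same shape to a constructed DVWA-style login request and then normalises it the way those two options do. The sample request, cookie, user agent and rule values are all constructed for this illustration.

```python
import re
from typing import List, Tuple

# Constructed sample (not captured from a real host): a DVWA-style login POST
# as it would appear in Burp's Raw tab, with a stale Content-Length and a
# superfluous trailing newline after the body.
SAMPLE_REQUEST = (
    "POST /dvwa/login.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Firefox/76.0\r\n"
    "Proxy-Connection: keep-alive\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 44\r\n"
    "Cookie: PHPSESSID=constructed; security=low\r\n"
    "\r\n"
    "username=admin&password=password&Login=Login\r\n"
)

# Rules in the same shape as Burp's: (where, match, replace, is_regex), where
# "where" is "first_line", "header" or "body". Replacing a header with ""
# deletes it (used here to strip Proxy-* and Accept-Encoding, as the post describes).
Rule = Tuple[str, str, str, bool]
RULES: List[Rule] = [
    ("header", r"^User-Agent: .*$", "User-Agent: constructed-test-agent", True),
    ("header", r"^Proxy-.*$", "", True),
    ("header", "Accept-Encoding: gzip, deflate", "", False),
    ("body", "username=admin", "username=tester", False),
]


def parse_request(raw: str) -> Tuple[str, List[str], str]:
    """Split a raw request into (request line, header lines, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], [h for h in lines[1:] if h], body


def _sub(text: str, pattern: str, repl: str, is_regex: bool) -> str:
    return re.sub(pattern, repl, text) if is_regex else text.replace(pattern, repl)


def apply_rules(first: str, headers: List[str], body: str,
                rules: List[Rule]) -> Tuple[str, List[str], str]:
    """Run every rule in turn, like Burp's match and replace list."""
    for where, pattern, repl, is_regex in rules:
        if where == "first_line":
            first = _sub(first, pattern, repl, is_regex)
        elif where == "header":
            rewritten = [_sub(h, pattern, repl, is_regex) for h in headers]
            headers = [h for h in rewritten if h]  # "" means: drop the header
        elif where == "body":
            body = _sub(body, pattern, repl, is_regex)
    return first, headers, body


def normalise(first: str, headers: List[str], body: str) -> str:
    """Emulate 'fix new lines at end of requests' and 'update Content-Length'."""
    if any(h.lower().startswith("content-type: application/x-www-form-urlencoded")
           for h in headers):
        body = body.rstrip("\r\n")  # a stray newline would corrupt the last parameter
    out, fixed = [], False
    for h in headers:
        if h.lower().startswith("content-length:"):
            if body and not fixed:  # replace the stale value in place, drop duplicates
                out.append(f"Content-Length: {len(body.encode())}")
                fixed = True
            continue  # no body: a leftover Content-Length is superfluous
        out.append(h)
    if body and not fixed:
        out.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join([first] + out) + "\r\n\r\n" + body  # exactly one blank line


def rewrite(raw: str, rules: List[Rule]) -> str:
    return normalise(*apply_rules(*parse_request(raw), rules))


if __name__ == "__main__":
    print(rewrite(SAMPLE_REQUEST, RULES).replace("\r\n", "\n"))
```

Running it shows the stale Content-Length: 44 corrected to 45 after the body rule changed the username, and the Proxy-* and Accept-Encoding headers gone.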


TLS pass through



This setting can be useful when an application uses a mix of HTTP and HTTPS connections, or when a particular TLS connection is problematic: the TLS connection is then passed through directly, so Burp does not terminate it and the requests and responses on that connection are not available to intercept.

If the option "automatically add entries on client TLS negotiation failure" is enabled, Burp will add the relevant server to the TLS pass-through list when the client fails the TLS negotiation (for example, when it fails to recognise Burp's CA certificate).

Miscellaneous


These settings control certain behaviours of the Proxy module;
let's see them one by one.



  • Use HTTP/1.0 in requests to server

This option is used to force HTTP version 1.0 in requests to the server; by default Burp Suite sends whatever HTTP version the client used.
Useful when some legacy server strictly requires HTTP version 1.0 to function correctly.
Leave it unchecked in other cases.


  • Use HTTP/1.0 in responses to client

Current browsers support both versions of HTTP, i.e. 1.0 and 1.1. Version 1.0 has reduced functionality compared to 1.1, but 1.0 can be useful when control of browser behaviour is needed, such as when performing HTTP pipelining.
Keep it unchecked except when you need such control.

  • Set response header Connection: close

This option can be useful when you need to prevent HTTP pipelining in some situations.
Keep it unchecked otherwise.

  • Set "Connection: close" on incoming requests

This option may also help to prevent HTTP pipelining in some cases.

  • Strip Proxy-* headers in incoming requests

Sometimes browsers send headers that are intended only for the proxy server. Some attacks, like buffer overflow, can cause a site to include sensitive data or requests within these headers sent by the browser; Burp Proxy strips these headers so that information is not exposed.
Keep this option checked so Burp does not leave those headers unmodified.

  • Remove unsupported encodings from Accept-Encoding headers in incoming requests

The browser uses various types of encoding for compressing content and so on. These encodings sometimes cause problems when processing requests in Burp, so by default Burp removes the unsupported encodings to reduce the chance that they are used and to get a clear request.
If you are working with a server that only supports an encoding Burp does not support, uncheck this option.

  • Strip Sec-WebSocket-Extensions headers in incoming requests

Browsers offer many extensions to WebSocket connections, for compression of content and so on.
Some of these extensions can cause problems for Burp when processing the responses, so by default Burp removes this header to reduce the chances of those extensions being used.
If your testing requires certain extensions, uncheck this option.

  • Unpack GZIP / deflate in requests -

Many applications compress the message body in requests. This option can automatically unpack compressed bodies and make them available, but sometimes an application can break if it sees that the compression has been removed by Burp.
Check it only when the application seems to accept it.

  • Unpack GZIP / deflate in responses

Most websites out there use GZIP to compress content in responses. This option unpacks compressed response bodies for you.
You can also prevent servers from compressing responses by removing the Accept-Encoding header from requests using the Match and Replace feature.

  • Disable web interface at http://burp

This option can be used when your listener accepts connections on an unprotected interface and you want to prevent others from gaining access to Burp's in-browser interface.

  • Suppress Burp error messages in the browser

When some error happens in Burp, Burp sends an error message to the browser. But sometimes we need to run Burp Suite in stealth mode, in an attack such as man-in-the-middle, where a victim could learn of our presence from these errors; so we can suppress these messages and disguise Burp's involvement.

  • Don't send items to Proxy history or live tasks

When you want to do some specific task, like authenticating to an upstream server or performing a match and replace operation, and you don't want to incur the memory and storage overhead of logging those details, you can use this option. It prevents Burp Suite from logging any requests or sending them to tasks such as live auditing and passive crawling.

  • Don't send items to Proxy history or live tasks if out of scope

This option is useful to avoid accumulating project data for out-of-scope items. It prevents Burp Suite from logging any out-of-scope request to the Proxy history or sending it to live tasks such as passive crawling and live auditing.







Thursday, May 21, 2020

Burp Suite Complete Guide (Part 1-Installation & Configuration)


Burp Suite is the best penetration testing tool, specially made for cyber security experts, which tests websites, servers, and networks with its combination of automated and manual tools.

Well, every cyber security person knows how useful Burp Suite is, and for those who want to learn it, you came to the right place.

Instead of explaining all the tools at once here, I will explain each combination of tools with practical examples for better understanding.

So, let's dive into it.

Downloading and Installing Burp Suite 


In the full version of Kali Linux, Burp Suite comes preinstalled; if it's not, just type

# sudo apt install burpsuite 


Installing Burp Suite for Windows and Mac 


Just check out this link.

Choose your OS and download the version you want.


Now, if you are confused about which version to download, I am here to help.

Burp Suite has 3 versions:

Enterprise - Automated testing for organizations and developers who don't have any knowledge of penetration testing; Burp Suite's automated integrations cover you here.
Price - $3,999 per year.

Professional - For serious cyber security persons, penetration testers, and bug bounty hunters who want to scale their skills using Burp Suite. Has automated and manual tools to help with hunting bugs and vulnerabilities.
Price - $399 per user, per year.

Community Edition - This version has limited manual testing tools to start with, and is good for researchers and penetration testers who want to learn or just use it as a hobby.
Price - Free

You guys came here to learn, right? Then go for the Community Edition and learn how to use it first.

If you are serious about cyber security and penetration testing, then go for the Professional version; you will surely not be disappointed by it, obviously if you can afford it.

Now that we have installed Burp Suite, we need to configure it with the browser.


Configuring Burp Suite with Firefox Browser



I use the Firefox browser and recommend you use the same, because it has more hacking-related extensions than any other browser, to make your life easier.

FoxyProxy is the extension you need to install now, because it switches proxies in just one click.

Google it or visit here.


Install it, click on the fox icon, and go to Options.
Add

proxy - 127.0.0.1
Port - 8080



Configuring Burp Suite with Browser

Save it and you will see that it's added to the FoxyProxy menu.



Now let's open up Burp Suite.


I am using Burp Suite Community Edition for this tutorial.


Use a temporary project.

Use Burp defaults.

The Burp Suite application will start up, showing you all the options; after configuring, we will see them one by one.

For testing purposes we will be using DVWA; if you still don't know how to install it, click here.

Log in to DVWA, then click on the proxy we added using the FoxyProxy icon.

Foxyproxy Configuring Burp Suite with Browser



This means your browser requests will be routed through Burp Suite, and we have total control over the requests we are sending.
Click on anything on DVWA.

And you will see Burp Suite fire up with the Proxy tab and the request your browser sent.


Burp suite proxy setup
 


We configured Burp Suite with HTTP connections successfully, but with an HTTPS site this will occur.

Burp suite proxy setup on HTTPS

Intercept SSL (HTTPS) Requests in Burp Suite


We need to download Burp's CA certificate and add it to the browser.

Type http://burp in the URL bar and hit Enter.


burp certificates

Click on CA Certificate and save the file.

Now go to

Preferences > Privacy and Security > Scroll to Certificates > Click on View Certificates

Now click on Import and select cacert.der.

burp certificates configure
Tick both checkboxes and click OK.

That's it; now refresh the page and Burp Suite will pop up with the request.


Burp suite configuration with HTTPS sites

After forwarding the request, the page will open up normally.


That's it, we configured Burp Suite successfully; now we are ready to head over and learn how to use it.









Sunday, May 3, 2020

John The Ripper Full Tutorial (Linux,windows,hash,wifi handshake cracking)

John The Ripper Full Tutorial 


John the Ripper is an advanced, free and open-source password cracking tool used by many. John the Ripper was initially developed for the UNIX operating system, but now it works on fifteen different platforms.

John the Ripper is widely used to reduce the risk to network security caused by weak passwords, as well as to measure other security flaws regarding encryption. John the Ripper uses a wide variety of password cracking techniques against user accounts of many operating systems, password encryptions, and hashes,
such as crypt password hash types (MD5, DES, or Blowfish),
Windows NT/XP/2000/2003/LM hashes,
and also passwords stored in MySQL, LDAP, and others.


John the Ripper combines a number of password crackers in one package, which makes it one of the best password testing and breaking programs; it autodetects password hash types and is a customizable password cracker.

John the Ripper has an official free version, a community-enhanced version, and also a pro version.

In this tutorial, we will see the most common password cracking tasks: Linux passwords, password-protected Zip files, Windows passwords, and WiFi handshake file cracking.


Installing and Downloading John the Ripper.


First, we need to install John the Ripper;
it comes preinstalled in Kali Linux.

To install it on other Linux OSes, simply use the command:

# sudo apt-get install john

For Windows, Mac, and Android, go to the official site of JTR.

Type john in the terminal to see the options.

John The Ripper Full Tutorial

 
  1.  Cracking Linux user Passwords:

Cracking Linux passwords in John the Ripper is also called unshadowing, because Linux password hashes are saved in the shadow file, located at

      /etc/shadow
So to crack Linux passwords (unshadow passwords), simply use this command in John the Ripper:

# john /etc/shadow


Cracking Linux Password:


As you can see, John cracked the password in the shadow file.
This process sometimes takes time, depending on password complexity and the number of users.
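Before spending cracking time it helps to know which hash scheme each account in the shadow file uses, because the crypt hash types the post lists (MD5, DES, Blowfish) differ enormously in strength. Here is an added Python audit script, not part of the original post and not John the Ripper's own code, that parses constructed /etc/shadow lines, identifies the crypt scheme from the `$id$` prefix, and flags the accounts a cracker would get through quickly; the account names and hash strings are made up for this illustration.

```python
import re
from typing import Dict, List

# Constructed /etc/shadow content for this illustration (no real hashes).
# Field layout: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$c0nstructedSalt$FakeSha512cryptHashValueForIllustrationOnly:18400:0:99999:7:::
legacy:$1$c0nstrct$FakeMd5cryptHashValue:18400:0:99999:7:::
ancient:AbC1dEf2gHi3j:18400:0:99999:7:::
svc:*:18400:0:99999:7:::
guest:!!:18400:0:99999:7:::
nobody::18400:0:99999:7:::
"""

# crypt(3) scheme identifiers as they appear at the start of the hash field.
CRYPT_IDS = {
    "$1$": "md5crypt (weak: fast to brute force)",
    "$2a$": "bcrypt (Blowfish-based)",
    "$2b$": "bcrypt (Blowfish-based)",
    "$2y$": "bcrypt (Blowfish-based)",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
# Traditional DES crypt: exactly 13 characters from the [./0-9A-Za-z] alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
WEAK_MARKERS = ("md5crypt", "DES", "EMPTY", "unknown")


def classify_hash(field: str) -> str:
    """Name the hashing scheme of one shadow password field."""
    if field == "":
        return "EMPTY (login without a password)"
    if field.startswith(("!", "*")):
        return "locked / password login disabled"
    for prefix, name in CRYPT_IDS.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "traditional DES crypt (weak: 8-char limit, 56-bit key)"
    return "unknown format"


def audit_shadow(text: str) -> Dict[str, str]:
    """Map each account name to the classification of its hash field."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:  # malformed line; shadow(5) defines nine fields
            continue
        result[fields[0]] = classify_hash(fields[1])
    return result


def weak_accounts(text: str) -> List[str]:
    """Accounts whose hash scheme (or lack of one) a cracker would prefer."""
    return [user for user, label in audit_shadow(text).items()
            if any(marker in label for marker in WEAK_MARKERS)]


if __name__ == "__main__":
    for user, label in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:10} {label}")
    print("needs attention:", ", ".join(weak_accounts(SAMPLE_SHADOW)))
```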

 -------XXX-------
  • Decrypting MD5 hash:

There are lots of hash types out there on the internet, but we are going to use MD5 in this article; MD5 hashes are widely used, so let's crack the hash.
First, we need to store the hash in a .txt file, which can then be accessed by John the Ripper using the command below.

I stored the MD5 hash in MD5hash.txt and used this command:

# john --format=raw-MD5 /root/Desktop/MD5hash.txt


Decrypting MD5 hash:


So John cracked the hash successfully and correctly.


You can also crack other hash types like MD5 by just changing the hash format in the command.

 ---------XXX--------

  •  Cracking password protected Zip/RAR file:

Zip/RAR files are the most commonly used password protection for files and are widely used. Many times we stumble upon a password-protected ZIP file which has lots of valuable data in it. So here we will crack the Zip file password in Kali Linux.
Lots of folks ask how to create a password-protected file in Linux, so let's cover that as well.

First, select the file which you want to password-protect, right-click on it, and select Create Archive.
create password protected file in Linux


After that, select which compression you want; we will choose ZIP, which is at the bottom of the list.

create password protected file in Linux

Now click on Other Options, where you can see the password field; type the password you want and click on Create.

create password protected file in Linux

So this is how you can create a password-protected ZIP file in Kali Linux.

We created a password-protected Zip file; now we will crack it using John the Ripper.

First, we need to export the hash to a .txt file using this command:


# zip2john [Zipfile]>zipfile.txt


This command will export the zip hash to a .txt file, which we will feed to John the Ripper. In my case:

Cracking password protected Zip/RAR file:

It's okay if it shows that; if you check zipfile.txt (cat it), you will see the zip hash has been exported successfully.

Now use this command to crack it in John:

# john --format=zip [zip.txt]

Cracking password protected Zip/RAR file:

As you can see, the password is cracked successfully.

If you want to crack the password of a RAR archive, then use the command:

# rar2john [zipfile]>zipkey.txt

 -------XXX--------
  • Cracking windows user password:

Windows passwords are stored in the SAM and SYSTEM files, located in

C:\Windows\System32\Config


Just copy these files by typing these commands in CMD (reg save needs an output file name, so each command is given one here):


reg save hklm\SYSTEM SYSTEM     (for SYSTEM file)


reg save hklm\SAM SAM      (for SAM file)

Now take these files to Kali Linux; we need to extract the Windows hashes so we can crack them. Use this command:

# samdump2 SYSTEM SAM>keys.txt

Details of the Windows users' password hashes will be saved in keys.txt, and now we can feed it to John the Ripper so it can crack them.

# john --format=LM --user=administrator keys.txt

You can choose the username you want to crack; simply specify it instead of administrator, and John will crack those passwords for you.

If you want to use a custom wordlist, then use this command:

# john --wordlist=[wordlist.txt] --user=administrator keys.txt


----------XXX----------
  • Cracking WPA/WPA2 handshake using John The Ripper.

Here I will only show you how to crack a WPA/WPA2 handshake, not how to capture it. (That's for another day.)

The captured handshake must be in .hccap format; if it is not, convert it.

Now use this command to export the hash from the handshake:
# hccap2john [capture]>keys.txt
Now the hash is exported to keys.txt, so we will crack this handshake using a custom wordlist.
Use this command:
# john --wordlist=[wordlist.txt] /keys.txt
And John will start the cracking process. A successful attack depends on the password being present in the wordlist; if that wordlist did not work, try a different one.

---------XXX------------

This is how you can crack various password hashes, encryptions, and user passwords using John the Ripper.

Conclusion:


These are the most common password encryptions you will encounter many times in your experience with hacking and penetration testing, and John the Ripper is here to help you with every one of them. You will get a pretty good idea of how to crack other password encryptions using John the Ripper.

Sometimes it takes too much time to crack a password, or it fails because the password is not found; in many such cases using custom wordlists can help, but cracking a password depends on password complexity and the number of characters used.
Using symbols like (!@#$%^&*_<>) and combining them with lowercase and uppercase letters in passwords more than 12 characters long can make password cracking insanely difficult.


