Author: mer Co!

kun
Fully Automated Pentest: Automate Everything
with Burp Suite Extensions
Quickness is the essence of the war . Sun Tzu
Outline
! Overview
! Minimum Requirements
! Burp Extension Installation
! Understanding How Extensions Work
! Pentest Automation via Burp Extensions
! Burp Extensions in NutShell
! Case Study: Highly Targeted Attacks with Nmap Plugin
! Case Study: Fully-Automated XSS Verification
! Case Study: Blind-SQL Injection via Burp
! Case Study: Padding Oracle via Burp
! Questions ?
1
Platform Requirements:
JAVA JDK v1.8+
Jython v 2.0+ (Most Extensions use Creepy JPython)
Jruby v X (Yet Another Java troll to Ruby programmers)

Minimum Requirements
2
Mac OS X ( Apple Java Headaches) - Solution


1. Install Java for Mac from Apple Website http://support.apple.com/kb/dl1572 )
2. Upgrade Java to Java Development Kit 1.8 from Oracle Website

3. If you run into issues in invoking JAVA v.1.8 when running Burp Suite or
extension development
Quick & Dirty Fix : sudo ln -s /Library/Java/JavaVirtualMachines/jdk1.8.0_20.jdk
/System/Library/Java/JavaVirtualMachines/1.6.0.jdk
Burp Supports Extensions written by Ruby and Python syntax
! For extensions written in Ruby syntax (Jruby required)
! For extensions written in Python synax (Jython required)
Environment Requirements
3
! Jython , successor of Jpython, Python language entirely
written in JAVA
! Jruby, the same idea , Ruby language entirely written in
JAVA
! Pros (Jruby & Jython) compare to JAVA:
Almost no JAVA programming knowledge required
Relatively rapid development and prototyping

! Cons (Jruby & Jython) compare to JAVA
Dead slow due to syntax parsing and heap allocation
Memory management issues and extensive heap usage
Gives temptation to hackers feel as if their code being
interpreted by python (LOL)

(Jython + Jruby) vs Java
4
Extension Installation
5
! Suggested and Most Preferred Way : Burp Suite >Extensions >
BAppStore
! Some Extensions require Pro version (not because they
discriminate poor but due to API/functional limitation " )
! Some Extensions have 3
rd
party dependencies or wrapper of 3
rd

apllication (e.g. PhantomJS, Radamsa etc)

Extension Installation (contd)
5

Extension : OK "
Extension : Failed #




How Extensions Work (contd)
6
How Extensions Work (contd)
7
Class Name Purpose
BurpExtender To write our own extension
BurpExtenderCallBacks To pass to extensions a set of
callback (register actions, mark)
ICookie To retrieve the domain for which
the cookie is in scope
IHTTPRequestResponse To retrieve and update details
about HTTP messages.
IScanIssue To retrieve details of Scanner
issues
IScanQueueItem To retrieve details of items in the
active scan queue.
IScannerInsertionPoint To define an insertion point for
use by active Scanner checks.
IntroderPayloadProcessor To obtain the name of the
payload processor




Burp Extensions in a NutShell
8
Extension Name Purpose
.NET Beautifier Makes VIEWState info human readable
ActiveScan++ Extend passive scanning , path injection,
shellshock etc.
Blazer Generate and fuzz custom AMF messages
Bradamsa Generate intruder payload wisely "
CO2 Set of useful tools : sqlmapper, user generator,
prettier js, ascii payload processor etc.
Logger++ An extension of history feature in Burp; more
detailed and comprehensive
Session Auth Help to identify privilege escalation vulns
WebInspect Connector Newly built, share results between burp and
webinspect




Burp Extensions : Additional Scanner Checks
9
$ Additional passive Scanner checks: Strict-Transport-
Security, X-Content-Type, X-XSS-Protection. In other
words, checks the modern browser security headers.





Burp Extensions : Session Auth
10
$ To Identify authentication privilege escalation
vulnerabilities.





Burp Extensions : Logger++
11
$ Captures the requests and responses made by all Burp
tools, and display them in a sortable table. It can also save
the logged data in CSV format




Burp Extensions : CO2
12
$ Set of useful tools : sqlmapper, user generator, prettier js,
ascii payload processor etc.




Highly Targeted Attacks: Nmap Parser
13
$ BurpSuites Nmap Parser extension could be leveraged to
perform a highly targeted attack against large number of
domains.




Highly Targeted Attacks: Nmap Parser
14
$ Once nmap results stored in XML file correctly parsed,
it would be added to scope of current scope.




Highly Targeted Attacks: Nmap Parser
15
$ Schedule the scans and let BurpSuite collect all
information to collect for you. The scan could also be
stage and scheduled to run on specific time period.




Highly Targeted Attacks: Nmap Parser
16
$ Schedule the scans and let BurpSuite collect all
information to collect for you. The scan could also be
staged and scheduled to run on specific time period.
This is how your credit card information is
being hacked by the criminals in real life!




Fully Automated XSS Verification
17
$ xssValidator extension of Burp Suite could be
leveraged to fully automate XSS verification process.




Fully Automated XSS Verification
18
$ Before starting the XSS verification process, we need
to install at least one wrapper to support extension .
$ Enable the payload extension after running wrapper.




Fully Automated XSS Verification
19
$ Enable payload processing unit for xssVerifier.
$ Finally, create a grep-and-match rule for intruder.




Fully Automated XSS Verification
19
$ Content of xss.js




Fully Automated XSS Verification
20
$ Let the fun begin "




Case Study: Blind SQL Injection via Burp
21
! SQL Injection Types:
! Error Based (Cause Error in Response)
Run a query that will force database to result in an error.
(E.g. non-existing table name, column number mismatch etc.)
Prerequisite: Verbosity in SQL Error messages should be turned
on and of course, error must be rendered in the response.

! Boolean Based (Deduce TRUE/FALSE Responds)
Inject a payload which alter the outcome of the original
query which results in different returned page content.

! Time Based (Cause Delay in Response)
Inject a payload that trigger a delay time for the SQL Server
while processing our query, which in turn slows down the
response time of our request.




Case Study: Blind SQL Injection via Burp
22
Boolean Based SQLi via Burp




Case Study: Blind SQL Injection via Burp
23
Time Based SQLi via Burp




Case Study: Blind SQL Injection via Burp
24
Filter Evasion
Comments: or 1=1# , or 1=1 -. or 1=1/* (MySQL < 5.1) ,' or 1=1;%00
WhiteSpaces: %20 %09 %0a %0b %0c %0d %a0 /**/ , or+(1)sounds/**/like1%a0-
Integer representations: ceil(pi()+pi()): 7, floor(version()+pi()): 8
Hex Encoding (Almost always work):

For more details on filter evasion:
SQLi Filter Evasion: https://websec.wordpress.com/tag/sql-filter-evasion/
Rsnakes SQLi CheatSheet: http://ha.ckers.org/sqlinjection/
Ferruhs SQLi CheatSheet : http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
Many others : Just Google it .






Case Study: Padding Oracle via Burp
25
Background
Its is a side channel attack which is performed on the padding of a
cryptographic message
A block cipher operates on data in fixed-size blocks 64-bit for DES,
128-bit for AES, etc
-> What happens if the length of the data isn't a multiple of the block size?
-> What happens if more than one block is identical, and therefore encrypts
identically?




Case Study: Padding Oracle via Burp
26
Padding Padding Padding .
ANSI X.923 Null bytes ending with length of padding

PKCS7
Depending on padding block length ( [01], [02 02] , [03 03 03] etc )







Case Study: Padding Oracle via Burp
27
Trivially break the cipher






Case Study: Padding Oracle via Burp
27
Exploiting ASP.NET Oracle Padding - MS10-070
(CVE-2010-3332)
Checking target with a popular padding verifier (.bat)


Padbuster Exploit:
http://downloads.securityfocus.com/vulnerabilities/exploits/43316.pl




Case Study: Padding Oracle via Burp
28
Exploiting ASP.NET Oracle Padding - MS10-070
(CVE-2010-3332)
If Exploitation Successful ASP.NET page would reveal the
database credentials.


29




Questions ?
30