# 🔬Burp Suite Basics - Directory Enumeration

The Kali GUI instance is hosted in the browser on the INE website, where:

* The bWAPP web application is accessible at the `demo.ine.local` domain.
  * Info on the bWAPP insecure web app [here](http://www.itsecgames.com/index.htm).

> 📌 Another deliberately vulnerable open-source web app is [Mutillidae II](https://github.com/webpwnized/mutillidae). INE provides another similar lab with Mutillidae II to test and learn Burp Suite.

*Objective*: Use Burp Suite and explore its different functionalities: Site Map, Proxy history, scope, Repeater, and a basic directory enumeration attack with Intruder.

***Tools*** used:

* **`Burp Suite`**
* A web browser
* Wordlist: `/usr/share/wordlists/dirb/common.txt`
* Check if the provided machine is reachable:

```bash
ping demo.ine.local
```

* Scan for open ports:

```bash
nmap demo.ine.local
```

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-e56cde05b43f9ba82d3d8f73faa18bba89cbff32%2Fimage-20220505162748923.png?alt=media)

* For a more advanced scan:

```bash
nmap -sC -sV demo.ine.local
```

```bash
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 19:55 IST
Nmap scan report for demo.ine.local (192.79.113.3)
Host is up (0.0000080s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-git: 
|   192.79.113.3:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Remotes:
|_      https://github.com/fermayo/hello-world-lamp.git
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-robots.txt: 5 disallowed entries 
|_/ /admin/ /documents/ /images/ /passwords/
| http-title: bWAPP - Login
|_Requested resource was login.php
|_http-server-header: Apache/2.4.7 (Ubuntu)
3306/tcp open  mysql   MySQL 5.5.47-0ubuntu0.14.04.1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.47-0ubuntu0.14.04.1
|   Thread ID: 10
|   Capabilities flags: 63487
|   Some Capabilities: ODBCClient, InteractiveClient, IgnoreSigpipes, SupportsCompression, DontAllowDatabaseTableColumn, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolOld, SupportsTransactions, FoundRows, LongPassword, SupportsLoadDataLocal, Support41Auth, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: AsA)Gjb.[aT`hhRB4|54
|_  Auth Plugin Name: mysql_native_password
MAC Address: 02:42:C0:4F:71:03 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds
```

Ports **80** (HTTP) and **3306** (MySQL) are open. The NSE scripts also flag an exposed `.git/` repository on port 80, a `PHPSESSID` cookie set without the `httponly` flag, and a `robots.txt` whose five `Disallow` entries (`/admin/`, `/documents/`, `/images/`, `/passwords/`) advertise exactly the paths a directory enumeration would look for.

## Burp Proxy

* Start Burp Suite via the GUI or from a terminal (`burpsuite`) and create a temporary project with the default configuration.
* Configure the Proxy listener in the **Proxy - Options** window.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-b2d766abf4c97ddc250f6ca9f7e7254768bdb73b%2Fimage-20220505163402028.png?alt=media)

* Turn Intercept mode on from the **Proxy - Intercept** window.
  * Use Burp's embedded browser, or configure an external browser to use the Burp proxy (the FoxyProxy plugin is used in this case).

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-fde4f3c20fda26f79784bb09d9fe6913d27a31e1%2Fimage-20220505163603942.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-b98dcc24c148245a013661dc6c182c3cdd604f1b%2Fimage-20220505163806935.png?alt=media)

* Browse to `http://demo.ine.local/`
  * The page doesn't load, because the request is sent to the Burp proxy listener, which holds it until an action is taken.
  * The **Proxy - Intercept** tabs are highlighted in orange: the proxy is waiting for an action.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-f08bc051c533d63acadc8b40931b77fc26bd5600%2Fimage-20220505164321563.png?alt=media)

1. **`Forward`** option - send the request as is
2. **`Drop`** option - drop the intercepted request
3. **`Action`** option - tamper with the request

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-23442390e9fb010edb7dd46fada86a19cc6daaf3%2Fimage-20220505164637552.png?alt=media)

* After *forwarding* this request, further requests (`GET /portal.php HTTP/1.1` and `GET /login.php HTTP/1.1`) are intercepted in turn and must be forwarded as well, until the webpage is shown.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-53a4c69987fea873eeddb018167ee5e9dde7f044%2Fimage-20220505165141597.png?alt=media)

* Turn off intercept mode by clicking the **`Intercept is on`** button; the web page then loads without interception.
* Since the Burp proxy is still enabled in the browser, every request still gets logged in the **Proxy - HTTP history** tab.
  * Other Firefox requests are listed there too; use the Host column to sort the list.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-315b605830bd7aba54a38db042f7c98c7d5b5ae7%2Fimage-20220505165607729.png?alt=media)

## Burp Target

> 📕 *The* [*site map*](https://portswigger.net/burp/documentation/desktop/tools/target/site-map) *aggregates all of the information that Burp has gathered about applications. You can filter and annotate this information to help manage it, and also use the site map to drive your testing workflow.*

* A site map is built as the Burp proxy sees requests; check it in the **Target - Site map** tab. It contains:
  * targets
  * a list of resources
  * the requests & responses for those resources

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-5ba0a521c9920282db80eb42a9c62b083222254c%2Fimage-20220505170254448.png?alt=media)

* The target web app of interest can be configured in the **Target - Scope** tab.
  * Add the URL to the target scope via the `Add` button, or by right-clicking an entry in the Site Map list and choosing `Add to scope`.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-4dd656b20537461f05cc1c6d320f640d097ec93e%2Fimage-20220505170530329.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-189c758b72181a801aa017d36fb6f19dcfd68d58%2Fimage-20220505170826304.png?alt=media)

* With *out-of-scope Proxy traffic disabled*, URLs whose prefix differs from the target's are no longer logged in the HTTP history.

## Burp Intruder

* Burp Intruder can be configured to launch a *Directory Enumeration* attack.
  * Right click a request in the HTTP history tab and send it to Intruder (**`CTRL+I`**).
  * The Target fields are already set.
  * Clear the payload positions with the **`Clear §`** button in the **Intruder - Positions** tab, which removes all the § markers from the request.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-62b58a40aed7a368b722b37966377f56d56ce84e%2Fimage-20220505171820792.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-1b8b964010453cadd27eaf9a385d6ff571f98aa8%2Fimage-20220505172048037.png?alt=media)

* Mark the payload position by inserting a `§path§` placeholder in the request path with the **`Add §`** button.
  * Intruder will then send one GET request per location, with the values supplied next from a wordlist.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-06452b3e773eae24a6062d95d6ae44bbb6151c66%2Fimage-20220505172255558.png?alt=media)

* Specify the wordlist in the **Intruder - Payloads - Payload Options** section:

  * Burp Suite Community Edition throttles Intruder attacks, so the run will be slow.

  * Enter a few new items manually, e.g. known words from the *`http://demo.ine.local/robots.txt`* file:

  > admin documents images passwords

  * Load a wordlist using the `Load ...` button - **/usr/share/wordlists/dirb/common.txt**

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-a28570088415cb79c2f7db06f06eab9bd106bc72%2Fimage-20220505173104946.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-746acdfa11149017d50f0c8d65dc40c2699636b3%2Fimage-20220505173348357.png?alt=media)

* Add a **Payload Processing** rule, in this case one that prepends a forward slash (**/**) to every payload, so that each wordlist entry becomes a path.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-b2f4be5002b06880413373637bd3f645dfa2759b%2Fimage-20220505173501579.png?alt=media)

* Uncheck **`URL-encode ...`** in the **Payload Encoding** section, so that Burp does not URL-encode the payload (in particular the leading **/**, which would otherwise be sent as `%2F`).

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-e2307cd36156559e1373abdc9b45406dc4f32649%2Fimage-20220505173824170.png?alt=media)
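The three payload steps above (manual items plus the loaded wordlist, the prefix processing rule, and the URL-encoding option) can be modelled in a few lines. The following is an added example, not Burp's code or part of the lab: the request template, the wordlist excerpt and the helper names are constructed, and it only builds request lines offline to show why the encoding option has to be turned off for this attack.

```python
"""Model of the Intruder payload pipeline used in this lab (added example, not
Burp's own code): wordlist -> payload processing rule -> payload encoding ->
substitution at the §path§ position of the request template."""
from urllib.parse import quote

# Request template as marked in Intruder - Positions (constructed; it has the
# same shape as the intercepted GET request, with the path replaced by §path§).
TEMPLATE = "GET §path§ HTTP/1.1\r\nHost: demo.ine.local\r\n\r\n"

# Manually entered items (from robots.txt) and a constructed excerpt standing in
# for /usr/share/wordlists/dirb/common.txt (blank line and duplicates on purpose).
MANUAL_ITEMS = ["admin", "documents", "images", "passwords"]
WORDLIST_EXCERPT = ["", "admin", "backup", "cgi-bin", "wp-config.bak", "passwords"]


def load_payloads(manual, wordlist):
    """Merge manual entries and wordlist lines the way the Payload Options list
    ends up: blanks dropped, first occurrence kept, order preserved."""
    seen, out = set(), []
    for item in list(manual) + list(wordlist):
        item = item.strip()
        if item and item not in seen:
            seen.add(item)
            out.append(item)
    return out


def process(payload, prefix="/", url_encode=False):
    """Apply the 'add prefix' processing rule, then the optional URL-encode
    step. quote(..., safe="") encodes '/' as %2F, which is what the lab's
    unchecked URL-encode option prevents."""
    p = prefix + payload
    if url_encode:
        p = quote(p, safe="")
    return p


def build_request(payload, template=TEMPLATE):
    """Substitute the processed payload at the §path§ marker."""
    return template.replace("§path§", payload)


def request_target_is_valid(request):
    """An origin-form request target must start with '/'; a payload encoded to
    %2Fadmin does not, so the server cannot map it to a path."""
    target = request.split(" ", 2)[1]
    return target.startswith("/")


if __name__ == "__main__":
    for word in load_payloads(MANUAL_ITEMS, WORDLIST_EXCERPT):
        for enc in (False, True):
            req = build_request(process(word, url_encode=enc))
            print(req.split("\r\n")[0], "valid" if request_target_is_valid(req) else "INVALID")
```

Running it prints each request line twice, once with encoding off (`GET /admin HTTP/1.1`, valid) and once with encoding on (`GET %2Fadmin HTTP/1.1`, invalid), which is exactly the difference the **Payload Encoding** checkbox makes.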

* From the **Intruder - Options - Redirection** section, configure Intruder to *always follow redirections*.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-ed5fa065b5d3a17de4f0f84afec7f7a1849c6ce1%2Fimage-20220505174006012.png?alt=media)

* Launch the attack with the **Start attack** button; a new window shows the attack progress and results.
  * Sort the list by Status.
  * For the *robots.txt entries* there are two requests/responses per entry because of the redirection.
    * Response 1 = `HTTP/1.1 301 Moved Permanently`
  * Every entry can be double-clicked to open the result in a separate window.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-690f21fec91b1d53a4735c81f19a5bad2c9e23d7%2Fimage-20220505174322498.png?alt=media)
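From the server side, the attack just launched leaves a very recognisable trace in the Apache access log: one client requesting many distinct paths in a few seconds, most of them answered with 404 and a handful with 301 or 200. The following detector is an added example, not part of the lab: the log lines are constructed (combined log format, one ordinary visitor at `10.0.0.7` and a wordlist sweep from `10.0.0.5`), and the thresholds and function names are assumptions to tune for a real environment.

```python
"""Defender's view of the Intruder run above (added example, not part of the
lab): flag clients in an Apache combined-format access log that request many
distinct paths inside a short window with a high share of 404 responses, and
report which paths the sweep actually found (non-404 answers)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a normal visitor (10.0.0.7) and a wordlist sweep (10.0.0.5).
SAMPLE_LOG = """\
10.0.0.7 - - [05/May/2022:19:55:01 +0000] "GET /login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
10.0.0.5 - - [05/May/2022:19:55:02 +0000] "GET /admin HTTP/1.1" 301 315 "-" "Mozilla/5.0"
10.0.0.5 - - [05/May/2022:19:55:02 +0000] "GET /admin/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.5 - - [05/May/2022:19:55:02 +0000] "GET /backup HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.5 - - [05/May/2022:19:55:03 +0000] "GET /cgi-bin HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.5 - - [05/May/2022:19:55:03 +0000] "GET /config HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.5 - - [05/May/2022:19:55:03 +0000] "GET /db HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.5 - - [05/May/2022:19:55:04 +0000] "GET /passwords HTTP/1.1" 301 315 "-" "Mozilla/5.0"
10.0.0.5 - - [05/May/2022:19:55:04 +0000] "GET /test HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.5 - - [05/May/2022:19:55:04 +0000] "GET /wp-config.bak HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [05/May/2022:19:55:30 +0000] "GET /portal.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Yield (ip, timestamp, path, status) for each well-formed log line;
    malformed lines are skipped rather than crashing the detector."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_enumeration(lines, window=timedelta(seconds=60), min_paths=5, min_404_ratio=0.5):
    """Return {ip: [paths that did not 404]} for every client that, within any
    sliding window of `window` length, requested at least `min_paths` distinct
    paths with `min_404_ratio` or more of the responses being 404.
    Thresholds are assumptions; tune them to the site's normal traffic."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in parse(lines):
        by_ip[ip].append((ts, path, status))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, hit = 0, False
        for end in range(len(events)):
            # slide the window start forward until it fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            distinct = {p for _, p, _ in win}
            not_found = sum(1 for _, _, s in win if s == 404)
            if len(distinct) >= min_paths and not_found / len(win) >= min_404_ratio:
                hit = True
                break
        if hit:
            # what the sweep found is the part worth escalating on
            flagged[ip] = sorted({p for _, p, s in events if s != 404})
    return flagged


if __name__ == "__main__":
    for ip, found in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: directory enumeration, reachable paths: {found}")
```

Note that the 301 answers for the `robots.txt` entries and the 200 for `wp-config.bak` are what separate a successful sweep from a noisy one, so the report lists the non-404 paths rather than the 404 count; a real deployment would feed the same events from the live log tail and would also rate-limit or block the offending client at the web server or WAF.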

## Burp Repeater

* Select the `/passwords` payload and send it to Repeater (**`CTRL+R`**) to tamper with the request.
  * Meanwhile, the Intruder attack can be stopped by closing its window.
* **`Send`** the request in Repeater and use the `Follow redirection` button to get the *200 OK* status code.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-b18a5c63ce416b1418625b4bc11ec5a963bd3d5d%2Fimage-20220505175126725.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-c5f6a6a098c082b4e1219bfafb15e0b455f87882%2Fimage-20220505175259794.png?alt=media)

* Right click the Response body and choose `Show response in browser` to copy its URL.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-81ae96ad8db623b2e53cb56d32dcdab69d1b111f%2Fimage-20220505175545852.png?alt=media)

* Paste the copied URL in the browser and check the response:

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-76aa3601cb5e6d3f35715f015cd6dd2cae25c28c%2Fimage-20220505175719019.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-18e176f19846e74e1684eedb17e223354d291bf6%2Fimage-20220505175733249.png?alt=media)

* From Repeater, send a request to fetch `wp-config.bak`.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-3d18fb317f15d39c6cdbf77397b04ff70b4de8bb%2Fimage-20220505180049477.png?alt=media)

* Requests issued from Repeater can be *navigated* back and forth with the arrow buttons.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-be9aa18c5da60b3c73f2e0a68eb81c8566eea5a9%2Fimage-20220505180230170.png?alt=media)

> 📍 Lab done!
