
Fully Automated Pentest: Automate Everything with Burp Suite Extensions

Author: Ömer Coşkun

"Quickness is the essence of the war." - Sun Tzu


Outline

- Overview
- Minimum Requirements
- Burp Extension Installation
- Understanding How Extensions Work
- Pentest Automation via Burp Extensions
- Burp Extensions in a Nutshell
- Case Study: Highly Targeted Attacks with Nmap Plugin
- Case Study: Fully-Automated XSS Verification
- Case Study: Blind SQL Injection via Burp
- Case Study: Padding Oracle via Burp
- Questions?
Minimum Requirements

Platform Requirements:
- Java JDK v1.8+
- Jython v2.0+ (most extensions use the creepy JPython)
- JRuby vX (yet another Java troll to Ruby programmers)

Mac OS X (Apple Java Headaches) - Solution

1. Install Java for Mac from the Apple website (http://support.apple.com/kb/dl1572)
2. Upgrade Java to Java Development Kit 1.8 from the Oracle website
3. If you run into issues invoking Java 1.8 when running Burp Suite or developing extensions, quick & dirty fix:
   sudo ln -s /Library/Java/JavaVirtualMachines/jdk1.8.0_20.jdk /System/Library/Java/JavaVirtualMachines/1.6.0.jdk
   (this points the system Java 6 path at the 1.8 JDK, so anything that still expects Java 6 there will break)
Environment Requirements

Burp supports extensions written in Ruby and Python syntax:
- For extensions written in Ruby syntax, JRuby is required
- For extensions written in Python syntax, Jython is required
(Jython + JRuby) vs Java

- Jython, successor of JPython: the Python language entirely written in Java
- JRuby, the same idea: the Ruby language entirely written in Java

- Pros (JRuby & Jython) compared to Java:
  - Almost no Java programming knowledge required
  - Relatively rapid development and prototyping

- Cons (JRuby & Jython) compared to Java:
  - Dead slow due to syntax parsing and heap allocation
  - Memory management issues and extensive heap usage
  - Tempts hackers into feeling as if their code is being interpreted by Python (LOL)
Extension Installation

- Suggested and most preferred way: Burp Suite > Extensions > BApp Store
- Some extensions require the Pro version (not because they discriminate against the poor but due to API/functional limitations :) )
- Some extensions have 3rd-party dependencies or are wrappers around a 3rd-party application (e.g. PhantomJS, Radamsa etc.)

Extension Installation (cont'd)

[Screenshots] Extension: OK :)  /  Extension: Failed :(
How Extensions Work (cont'd)

Class Name                 Purpose
BurpExtender               To write our own extension
IBurpExtenderCallbacks     To pass to extensions a set of callbacks (register actions, mark)
ICookie                    To retrieve the domain for which the cookie is in scope
IHttpRequestResponse       To retrieve and update details about HTTP messages
IScanIssue                 To retrieve details of Scanner issues
IScanQueueItem             To retrieve details of items in the active scan queue
IScannerInsertionPoint     To define an insertion point for use by active Scanner checks
IIntruderPayloadProcessor  To obtain the name of the payload processor
Burp Extensions in a Nutshell

Extension Name        Purpose
.NET Beautifier       Makes ViewState info human readable
ActiveScan++          Extends passive scanning: path injection, shellshock etc.
Blazer                Generates and fuzzes custom AMF messages
Bradamsa              Generates Intruder payloads wisely :)
CO2                   Set of useful tools: SQLMapper, user generator, prettier JS, ASCII payload processor etc.
Logger++              An extension of the history feature in Burp; more detailed and comprehensive
Session Auth          Helps to identify privilege escalation vulns
WebInspect Connector  Newly built; shares results between Burp and WebInspect
Burp Extensions: Additional Scanner Checks

- Additional passive Scanner checks: Strict-Transport-Security, X-Content-Type-Options, X-XSS-Protection. In other words, it checks for the modern browser security headers.
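Added example (not code from the slides or from the Additional Scanner Checks extension): the check logic of a passive scan for the three headers above, written as plain Python 3 so it runs outside Burp. In a Jython extension `check_security_headers` would be called from `IScannerCheck.doPassiveScan()` with the bytes returned by `IHttpRequestResponse.getResponse()` (see the class table above) and each tuple turned into an `IScanIssue`; the sample responses are constructed.

```python
def parse_response_headers(raw):
    """Split a raw HTTP response into its status line and a map of
    lower-cased header name -> list of values (headers may repeat)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines rather than aborting the whole scan
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def check_security_headers(raw_response, is_https):
    """Return (severity, detail) tuples for one response, one per finding,
    the way a passive check would raise IScanIssue objects."""
    _, h = parse_response_headers(raw_response)
    issues = []
    if is_https:  # browsers ignore HSTS over plain HTTP, so only flag TLS responses
        hsts = h.get("strict-transport-security", [])
        if not hsts:
            issues.append(("Low", "Strict-Transport-Security header missing"))
        elif not any("max-age=" in v.lower() for v in hsts):
            issues.append(("Low", "Strict-Transport-Security has no max-age directive"))
    xcto = h.get("x-content-type-options", [])
    if not xcto:
        issues.append(("Low", "X-Content-Type-Options header missing"))
    elif xcto[0].lower() != "nosniff":
        issues.append(("Low", "X-Content-Type-Options is not 'nosniff'"))
    if "x-xss-protection" not in h:
        # legacy header that current browsers ignore: report it, but only as informational
        issues.append(("Information", "X-XSS-Protection header missing"))
    return issues


# Constructed sample responses (not captured from any real site).
HARDENED = (b"HTTP/1.1 200 OK\r\n"
            b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            b"X-Content-Type-Options: nosniff\r\n"
            b"X-XSS-Protection: 1; mode=block\r\n"
            b"Content-Type: text/html\r\n\r\n<html></html>")
BARE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for name, resp in (("hardened", HARDENED), ("bare", BARE)):
        print(name, check_security_headers(resp, is_https=True))
```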
Burp Extensions: Session Auth

- To identify authentication privilege escalation vulnerabilities.

Burp Extensions: Logger++

- Captures the requests and responses made by all Burp tools and displays them in a sortable table. It can also save the logged data in CSV format.

Burp Extensions: CO2

- Set of useful tools: SQLMapper, user generator, prettier JS, ASCII payload processor etc.
Highly Targeted Attacks: Nmap Parser

- Burp Suite's Nmap Parser extension can be leveraged to perform a highly targeted attack against a large number of domains.

- Once the Nmap results stored in the XML file are correctly parsed, they are added to the current scope.

- Schedule the scans and let Burp Suite collect all the information for you. The scan can also be staged and scheduled to run at a specific time period.

This is how your credit card information is being hacked by the criminals in real life!
Fully Automated XSS Verification

- The xssValidator extension of Burp Suite can be leveraged to fully automate the XSS verification process.

- Before starting the XSS verification process, we need to install at least one wrapper to support the extension.
- Enable the payload extension after running the wrapper.
- Enable the payload processing unit for xssValidator.
- Finally, create a grep-and-match rule for Intruder.

- Content of xss.js [screenshot]

- Let the fun begin :)
Case Study: Blind SQL Injection via Burp

SQL Injection Types:

- Error Based (cause an error in the response)
  Run a query that forces the database to return an error (e.g. non-existing table name, column number mismatch etc.).
  Prerequisite: verbose SQL error messages must be turned on and, of course, the error must be rendered in the response.

- Boolean Based (deduce TRUE/FALSE responses)
  Inject a payload which alters the outcome of the original query, resulting in different returned page content.

- Time Based (cause a delay in the response)
  Inject a payload that triggers a delay for the SQL server while processing our query, which in turn slows down the response time of our request.
Case Study: Blind SQL Injection via Burp

Boolean Based SQLi via Burp [screenshot]

Time Based SQLi via Burp [screenshot]

Filter Evasion

Comments: ' or 1=1# , ' or 1=1-- - , ' or 1=1/* (MySQL < 5.1) , ' or 1=1;%00

Whitespaces: %20 %09 %0a %0b %0c %0d %a0 /**/ , 'or+(1)sounds/**/like"1"--%a0-

Integer representations: ceil(pi()+pi()): 7, floor(version()+pi()): 8

Hex encoding (almost always works):

For more details on filter evasion:
- SQLi Filter Evasion: https://websec.wordpress.com/tag/sql-filter-evasion/
- RSnake's SQLi Cheat Sheet: http://ha.ckers.org/sqlinjection/
- Ferruh's SQLi Cheat Sheet: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
- Many others: just Google it ...
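Added example (not from the slides): the evasions above work because a naive filter matches the raw parameter while the database reads a normalised one. Normalising first, as a detection step, closes exactly the gaps the slide lists (the comment styles, the alternative whitespace bytes, the `%00` cut-off, and hex string literals); the tautology matcher after it is deliberately narrow, does not evaluate the `ceil(pi()+pi())` style integer tricks, and is an aid for spotting the payloads of the three injection types described above, not a substitute for parameterised queries. The payload strings in the test are the slide's own plus one constructed hex variant.

```python
import re
from urllib.parse import unquote_plus

# Separators MySQL accepts between tokens: the slide's %20 %09 %0a %0b %0c %0d %a0.
_WS = r"[ \t\n\x0b\x0c\r\xa0]"
# One comparison operand: a quoted string or a bare word, optionally wrapped in ( ).
_OPERAND = r"(?:\(\s*)?('[^']*'|\"[^\"]*\"|\w+)(?:\s*\))?"
_TAUTOLOGY = re.compile(r"['\"]?\s*or\s*" + _OPERAND + r"\s*(?:=|sounds\s+like)\s*" + _OPERAND)


def normalize_sql_fragment(raw):
    """Rewrite a request parameter into the form the database parser will
    actually see, so a later pattern check is not fooled by the tricks on
    the slide. This is a detection aid, not an SQL parser."""
    s = unquote_plus(raw, encoding="latin-1")       # %a0 -> \xa0, %00 -> \x00, + -> space
    s = s.split("\x00", 1)[0]                       # ';%00': nothing after the NUL is parsed
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)    # /**/ is only a separator
    s = re.sub(r"(#|--" + _WS + r"|/\*).*$", "", s, flags=re.S)  # '#', '-- ' and an open /* eat the rest
    s = re.sub(r"\b0x((?:[0-9a-fA-F]{2})+)",        # 0x41 -> 'A': hex string literal
               lambda m: "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'", s)
    s = re.sub(_WS + "+", " ", s)                   # collapse every separator to one space
    return s.strip().lower()


def looks_like_tautology(raw):
    """True when the normalised fragment carries an 'OR x = x' style clause."""
    m = _TAUTOLOGY.search(normalize_sql_fragment(raw))
    if not m:
        return False
    left, right = (g.strip("'\"") for g in m.groups())
    return left == right


if __name__ == "__main__":
    for payload in ("' or 1=1#", "'or+(1)sounds/**/like\"1\"--%a0-", "O'Reilly"):
        print(repr(payload), "->", repr(normalize_sql_fragment(payload)), looks_like_tautology(payload))
```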


Case Study: Padding Oracle via Burp

Background

It is a side-channel attack which is performed on the padding of a cryptographic message.

A block cipher operates on data in fixed-size blocks (64-bit for DES, 128-bit for AES, etc.)

-> What happens if the length of the data isn't a multiple of the block size?
-> What happens if more than one block is identical, and therefore encrypts identically?
Case Study: Padding Oracle via Burp

Padding Padding Padding ...

ANSI X.923: null bytes ending with the length of the padding

PKCS7: depends on the padding length ([01], [02 02], [03 03 03] ... etc.)
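Added example (not from the slides): what turns the PKCS7 check into an oracle and how to close it. A constructed toy "block cipher" (XOR with a 16-byte key) stands in for AES so the block runs offline; the CBC chaining, the strict PKCS7 unpadding and the MAC handling are the point. `decrypt_leaky` unpads before authenticating, so a tampered ciphertext gets two distinguishable answers; `decrypt_safe` verifies an HMAC over IV and ciphertext first and reports a single error. `failure_classes` shows the difference by varying one ciphertext byte through all 256 values.

```python
import hashlib, hmac
BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, padded):  # toy block cipher E(x) = x XOR key stands in for AES
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = _xor(_xor(padded[i:i + BLOCK], prev), key)
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(_xor(c, key), p) for c, p in zip(blocks, [iv] + blocks))

def pkcs7_unpad(data):  # strict: every pad byte must equal the pad length
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def seal(key, iv, plaintext):  # PKCS7 pad, CBC encrypt, then HMAC over iv || ct
    n = BLOCK - len(plaintext) % BLOCK
    ct = cbc_encrypt(key, iv, plaintext + bytes([n]) * n)
    return ct, hmac.new(key, iv + ct, hashlib.sha256).digest()

def decrypt_leaky(key, iv, ct, mac):  # unpads before authenticating: two distinguishable failures
    pt = pkcs7_unpad(cbc_decrypt(key, iv, ct))
    if not hmac.compare_digest(hmac.new(key, iv + ct, hashlib.sha256).digest(), mac):
        raise ValueError("bad mac")
    return pt

def decrypt_safe(key, iv, ct, mac):  # authenticates first and reports one uniform error
    if not hmac.compare_digest(hmac.new(key, iv + ct, hashlib.sha256).digest(), mac):
        raise ValueError("decryption failed")
    try:
        return pkcs7_unpad(cbc_decrypt(key, iv, ct))
    except ValueError:
        raise ValueError("decryption failed")

def failure_classes(decrypt, key, iv, ct, mac):  # vary the last byte of the second-to-last block
    seen, pos = set(), len(ct) - BLOCK - 1
    for b in range(256):
        try:
            decrypt(key, iv, ct[:pos] + bytes([b]) + ct[pos + 1:], mac)
        except ValueError as e:
            seen.add(str(e))
    return seen
```

With a constructed key and IV, `failure_classes(decrypt_leaky, ...)` returns both "bad padding" and "bad mac", which is the oracle; `failure_classes(decrypt_safe, ...)` returns only "decryption failed".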
Case Study: Padding Oracle via Burp

Trivially break the cipher [screenshot]

Exploiting the ASP.NET Padding Oracle - MS10-070 (CVE-2010-3332)

Checking the target with a popular padding verifier (.bat) [screenshot]

Padbuster exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/43316.pl

If exploitation is successful, the ASP.NET page would reveal the database credentials.
Questions?