What is BurpSuite? Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Because of its popularity and breadth as well as depth of features, we have created this useful page as a collection of Burp Suite knowledge and information.
In its simplest form, Burp Suite can be classified as an Interception Proxy. While browsing their target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) Man In The Middle by capturing and analyzing each request to and from the target web application so that they can be analyzed.
Everyone has their favorite security tools, but when it comes to mobile and web applications I've always found myself looking BurpSuite . It always seems to have everything I need and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I'm just going to go through the installation to paint a good picture of how to get it up quickly.
BurpSuite is freely available with everything you need to get started and when you're ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I'll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we'll get into that a little later.
Requirements and assumptions:
Mozilla Firefox 3.1 or Later Knowledge of Firefox Add-ons and installation The Java Runtime Environment installed
Download BurpSuite from http://portswigger.net/burp/download.htmland make a note of where you save it.
on for Firefox from https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait.
Video for setup and installation.
You need to install compatible version of java , So that you can run BurpSuite.
About BruteSpray: BruteSpray takes nmap GNMAP/XML output or newline seperated JSONS and automatically brute-forces services with default credentials using Medusa. BruteSpray can even find non-standard ports by using the -sV inside Nmap.
BruteSpay's Installation
With Debian users, the only thing you need to do is this command: sudo apt install brutespray
For Arch Linux user, you must install Medusa first: sudo pacman -S medusa And then, enter these commands to install BruteSpray: Supported Services: ssh, ftp, telnet, vnc, mssql, mysql, postgresql, rsh, imap, nntpp, canywhere, pop3, rexec, rlogin, smbnt, smtp, svn, vmauthdv, snmp. How to use BruteSpray?
First do an Nmap scan with -oG nmap.gnmap or -oX nmap.xml. Command: python3 brutespray.py -h Command: python3 brutespray.py --file nmap.gnmap Command: python3 brutesrpay.py --file nmap.xml Command: python3 brutespray.py --file nmap.xml -i You can watch more details here:
Examples
Using Custom Wordlists: python3 brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5 Brute-Forcing Specific Services: python3 brutespray.py --file nmap.gnmap --service ftp,ssh,telnet --threads 5 --hosts 5 Specific Credentials: python3 brutespray.py --file nmap.gnmap -u admin -p password --threads 5 --hosts 5 Continue After Success: python3 brutespray.py --file nmap.gnmap --threads 5 --hosts 5 -c Use Nmap XML Output: python3 brutespray.py --file nmap.xml --threads 5 --hosts 5 Use JSON Output: python3 brutespray.py --file out.json --threads 5 --hosts 5 Interactive Mode:python3 brutespray.py --file nmap.xml -i Data Specs {"host":"127.0.0.1","port":"3306","service":"mysql"} {"host":"127.0.0.10","port":"3306","service":"mysql"} ... Changelog:Changelog notes are available at CHANGELOG.md.
Kali 2018.3 brings the kernel up to version 4.17.0 and while 4.17.0 did not introduce many changes, 4.16.0 had a huge number of additions and improvements including more Spectre and Meltdown fixes, improved power management, and better GPU support.
New Tools and Tool Upgrades Since our last release, we have added a number of new tools to the repositories, including:
If you would like to check out this latest and greatest Kali release, you can find download links for ISOs and Torrents on the Kali Downloads page along with links to the Offensive Security virtual machine and ARM images, which have also been updated to 2018.3. If you already have a Kali installation you're happy with, you can easily upgrade in place as follows.
root@kali:~# apt update && apt -y full-upgrade
If you come across any bugs in Kali, please open a report on our bug tracker. It's more than a little challenging to fix what we don't know about.
Making sure you are up-to-date
To double check your version, first make sure your network repositories is enabled.
root@kali:~# cat</etc/apt/sources.list deb http://http.kali.org/kali kali-rolling main non-free contrib EOF root@kali:~#
Then after running apt -y full-upgrade, you may require a reboot before checking:
root@kali:~# grep VERSION /etc/os-release VERSION="2018.3" VERSION_ID="2018.3" root@kali:~#
Welcome back, hope you are enjoying this series, I don't know about you but I'm enjoying it a lot. This is part 3 of the series and in this article we're going to learn some new commands. Let's get started Command: w Syntax: w Function: This simple function is used to see who is currently logged in and what they are doing, that is, their processes. Command: whoami Syntax: whoami Function: This is another simple command which is used to print the user name associated with the current effective user ID. Try it and it will show up your user name. If you want to know information about a particular user no matter whether it is you or someone else there is a command for doing that as well. Command: finger Syntax: finger[option] [username] Function: finger is a user information lookup program. The [] around the arguments means that these arguments are optional this convention is used everywhere in this whole series. In order to find information about your current user you can simply type: fingerusername Here username is your current username. To find information about root you can type: finger root and it will display info about root user. Command: uname Syntax: uname[options] Function: uname is used to display information about the system. uname is mostly used with the flag -a, which means display all information like this: uname-a Command: df Syntax: df[option] [FILE ...] Function: df is used to display the amount of space available. If you type df in your terminal and then hit enter you'll see the used and available space of every drive currently mounted on the system. However the information is displayed in block-size, which is not so much human friendly. But don't worry we can have a human friendly output as well using df by typing: df-h the -h flag is used to display the used and available space in a more user friendly format. We can also view the info of a single drive by specifying the drive name after df like this: df-h /dev/sda2 That's it for now about df, let's move on. Command: free Syntax: free[options] Function: free is used to display the amount of free and used physical memory and swap memory in the system. Again the displayed information is in block-size to get a more human readable format use the -h flag like this: free-h Command: cal Syntax: cal[options] Function: cal stands for calendar. It is used to display the calendar. If you want to display current date on the calendar you can simply type: cal and wohooo! you get a nice looking calendar on screen with current date marked but what if you want to display calendar of a previous month well you can do that as well. Say you want to display calendar of Jan 2010, then you'll have to type: cal-d 2010-01 Nice little handy tool, isn't it?
Command: file Syntax: filefilename ... Function: file is an awesome tool, it's used to classify a file. It is used to determine the file type. Let's demonstrate the usage of this command by solving a Noob's CTF challenge using file and base64 commands. We'll talk about base64 command in a bit. Go to InfoSecInstitute CTF Website. What you need to do here is to save the broken image file on your local computer in your home directory. After saving the file open your terminal (if it isn't already). Move to your home directory and then check what type of file it is using the file command: cd fileimage.jpg Shocking output? The file command has identified the above file as an ASCII text file which means the above file is not an image file rather it is a text file now it's time to see it's contents so we'll type: catimage.jpg What is that? It's some kind of gibberish. Well it's base64 encoded text. We need to decode it. Let's learn how to do that. Command: base64 Syntax: base64[option] FILE ... Function: base64 command is used to encode/decode data and then print it to stdout. If we're to encode some text in base64 format we'd simply type base64 hit enter and then start typing the text in the terminal after you're done hit enter again and then press CTRL+D like this: base64 some text here <CTRL+D> c29tZSB0ZXh0IGhlcmUK# output - the encoded string But in the above CTF we've got base64 encoded data we need to decode it, how are we going to do that? It's simple: base64-d image.jpg There you go you've captured the flag. The-d flag here specifies that we want to decode instead of encode and after it is the name of file we want to decode. Voila! So now you're officially a Hacker! Sorry no certificates available here :) That's it for this article meet ya soon in the upcoming article.
(gdb) r 1234567890123456 tarting program: /home/sha0/ncn/inbincible 1234567890123456 ... Yeah!
Ok, but the problem is not in main.main, is main.function.001 who must sent the 0x01 via channel.
This function xors byte by byte the input "1234567890123456" with a byte array xor key, and is compared with another byte array.
=> 0x8049456: xor %ebp,%ecx
This xor, encode the argument with a key byte by byte
The xor key can be dumped from memory but I prefer to use this macro:
(gdb) b *0x8049456 (gdb) commands >i r ecx >c >end (gdb) c Breakpoint 2, 0x08049456 in main.func () ecx 0x1218 Breakpoint 2, 0x08049456 in main.func () ecx 0x4569 Breakpoint 2, 0x08049456 in main.func () ecx 0x3351 Breakpoint 2, 0x08049456 in main.func () ecx 0x87135 Breakpoint 2, 0x08049456 in main.func () ecx 0x65101 Breakpoint 2, 0x08049456 in main.func () ecx 0x1218 Breakpoint 2, 0x08049456 in main.func () ecx 0x4569 Breakpoint 2, 0x08049456 in main.func () ecx 0x3351 Breakpoint 2, 0x08049456 in main.func () ecx 0x87135 Breakpoint 2, 0x08049456 in main.func () ecx 0x65101 Breakpoint 2, 0x08049456 in main.func () ecx 0x1218 Breakpoint 2, 0x08049456 in main.func () ecx 0x4569 Breakpoint 2, 0x08049456 in main.func () ecx 0x3351 Breakpoint 2, 0x08049456 in main.func () ecx 0x87135 Breakpoint 2, 0x08049456 in main.func () ecx 0x65101 Breakpoint 2, 0x08049456 in main.func () ecx 0x1218
The result of the xor will compared with another array byte, each byte matched, a 0x01 will be sent.
The cmp of the xored argument byte, will determine if the channel send 0 or 1
(gdb) b *0x0804946a (gdb) commands >i r al >c >end
At this point we have the byte array used to xor the argument, and the byte array to be compared with, if we provide an input that xored with the first byte array gets the second byte array, the code will send 0x01 by the channel the 16 times.
Advantage of Ethical Hacking Hacking is quite useful in the following purpose- 1-To recover lost information, especially in case you lost your password. 2-To perform penetration testing to strengthen computer and network security.
3-To put adequate preventative measure in place to prevent security breaches. 4-To have a computer system that prevents malicious hackers from gaining access.
5-Fighting against terrorism and national security breaches.
Welcome to my another tutorial of PHP and MYSQL. In the previous tutorial I've briefly discussed How to make a PHP file and How to save the PHP file in the root directory of the server. How to run PHP script over the Web Browser etc.
Now in this tutorial I've discussed about inserting data into database by getting the values from user with the help of HTML form. One thing should be remembered that getting a values from users by HTML form is the only way to get values from users in PHP.
How To Insert Data into Database
Step 1:
Open your text editor and create HTML form.
Step 2:
Make a database connection in PHP.
Step 3:
Write an INSERT query for the sake of insertion data into database like INSERT INTO table_Name(table_Attribute1, table_Attribute2....) VALUES('1', 'Alex'...); etc. Now watch the video to make a better understanding the concept of insertion.
Bob was tasked to break into XYZcorporation, so he pulled up the facility on google maps to see what the layout was. He was looking for any possible entry paths into the company headquarters. Online maps showed that the whole facility was surrounded by a security access gate. Not much else could be determined remotely so bob decided to take a drive to the facility and get a closer look.
Bob parked down the street in view of the entry gate. Upon arrival he noted the gate was un-manned and cars were rolling up to the gate typing in an access code or simply driving up to the gate as it opening automatically.Interestingly there was some kind of wireless technology in use.
How do we go from watching a car go through a gate, to having a physical device that opens the gate?
We will take a look at reversing a signal from an actual gate to program a remote with the proper RF signal.Learning how to perform these steps manually to get a better understanding of how RF remotes work in conjunction with automating processes with RFCrack.
In the the previous blogs, we sniffed signals and replayed them to perform actions. In this blog we are going to take a look at a signal and reverse it to create a physical device that will act as a replacement for the original device. Depending on the scenario this may be a better approach if you plan to enter the facility off hours when there is no signal to capture or you don't want to look suspicious.
Recon:
Lets first use the scanning functionality in RFCrack to find known frequencies. Weneed to understand the frequencies that gates usually use. This way we can set our scanner to a limited number of frequencies to rotate through. The smaller rage of frequencies used will provide a better chance of capturing a signal when a car opens the target gate. This would be beneficial if the scanning device is left unattended within a dropbox created with something like a Kali on a Raspberry Pi. One could access it from a good distance away by setting up a wifi hotspot or cellular connection.
Based on research remotes tend to use 315Mhz, 390Mhz, 433Mhz and a few other frequencies. So in our case we will start up RFCrack on those likely used frequencies and just let it run. We can also look up the FCID of our clicker to see what Frequencies manufactures are using. Although not standardized, similar technologies tend to use similar configurations. Below is from the data sheet located at https://fccid.io/HBW7922/Test-Report/test-report-1755584 which indicates that if this gate is compatible with a universal remote it should be using the 300,310, 315, 372, 390 Frequencies. Most notably the 310, 315 and 390 as the others are only on a couple configurations.
RFCrack Scanning:
Since the most used ranges are 310, 315, 390 within our universal clicker, lets set RFCrack scanner to rotate through those and scan for signals.If a number of cars go through the gate and there are no captures we can adjust the scanner later over our wifi connection from a distance.
Currently Scanning: 433000000 To cancel hit enter and wait a few seconds
Example of logging output:
From the above output you will see that a frequency was found on 390. However, if you had left this running for a few hours you could easily see all of the output in the log file located in your RFCrack/scanning_logs directory.For example the following captures were found in the log file in an easily parseable format:
Analyzing the signal to determine toggle switches:
Ok sweet, now we have a valid signal which will open the gate. Of course we could just replay this and open the gate, but we are going to create a physical device we can pass along to whoever needs entry regardless if they understand RF. No need to fumble around with a computer and look suspicious.Also replaying a signal with RFCrack is just to easy, nothing new to learn taking the easy route.
The first thing we are going to do is graph the capture and take a look at the wave pattern it creates. This can give us a lot of clues that might prove beneficial in figuring out the toggle switch pattern found in remotes. There are a few ways we can do this. If you don't have a yardstick at home you can capture the initial signal with your cheap RTL-SDR dongle as we did in the first RF blog. We could then open it in audacity. This signal is shown below.
Let RFCrack Plot the Signal For you:
The other option is let RFCrack help you out by taking a signal from the log output above and let RFCrack plot it for you.This saves time and allows you to use only one piece of hardware for all of the work.This can easily be done with the following command:
From the graph output we see 2 distinct crest lengths and some junk at either end we can throw away. These 2 unique crests correspond to our toggle switch positions of up/down giving us the following 2 possible scenarios using a 9 toggle switch remote based on the 9 crests above:
Possible toggle switch scenarios:
down down up up up down down down down
up up down down down up up up up
Configuring a remote:
Proper toggle switch configuration allows us to program a universal remote that sends a signal to the gate. However even with the proper toggle switch configuration the remote has many different signals it sends based on the manufacturer or type of signal.In order to figure out which configuration the gate is using without physically watching the gate open, we will rely on local signal analysis/comparison.
Programming a remote is done by clicking the device with the proper toggle switch configuration until the gate opens and the correct manufacturer is configured. Since we don't have access to the gate after capturing the initial signal we will instead compare each signal from he remote to the original captured signal.
Comparing Signals:
This can be done a few ways, one way is to use an RTLSDR and capture all of the presses followed by visually comparing the output in audacity. Instead I prefer to use one tool and automate this process with RFCrack so that on each click of the device we can compare a signal with the original capture. Since there are multiple signals sent with each click it will analyze all of them and provide a percent likelihood of match of all the signals in that click followed by a comparing the highest % match graph for visual confirmation. If you are seeing a 80-90% match you should have the correct signal match.
Note:Not every click will show output as some clicks will be on different frequencies, these don't matter since our recon confirmed the gate is communicating on 390Mhz.
In order to analyze the signals in real time you will need to open up your clicker and set the proper toggle switch settings followed by setting up a sniffer and live analysis with RFCrack:
Open up 2 terminals and use the following commands:
#Setup a sniffer on 390mhz Setup sniffer:python RFCrack.py -k -c -f 390000000.
#Monitor the log file, and provide the gates original signal Setup Analysis: python RFCrack.py -c -u 1f0fffe0fffc01ff803ff007fe0fffc1fff83fff07ffe0007c -n.
Cmd switches used
-k = known frequency
-c = compare mode
-f = frequency
-n = no yardstick needed for analysis
Make sure your remote is configured for one of the possible toggle configurations determined above. In the below example I am using the first configuration, any extra toggles left in the down position: (down down up up up down down down down)
Analyze Your Clicks:
Now with the two terminals open and running click the reset switch to the bottom left and hold till it flashes. Then keep clicking the left button and viewing the output in the sniffing analysis terminal which will provide the comparisons as graphs are loaded to validate the output.If you click the device and no output is seen, all that means is that the device is communicating on a frequency which we are not listening on.We don't care about those signals since they don't pertain to our target.
At around the 11th click you will see high likelihood of a match and a graph which is near identical. A few click outputs are shown below with the graph from the last output with a 97% match.It will always graph the highest percentage within a click.Sometimes there will be blank graphs when the data is wacky and doesn't work so well. This is fine since we don't care about wacky data.
You will notice the previous clicks did not show even close to a match, so its pretty easy to determine which is the right manufacture and setup for your target gate. Now just click the right hand button on the remote and it should be configured with the gates setup even though you are in another location setting up for your test.
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.05
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.12
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.20
Percent Chance of Match for press is: 0.19
Percent Chance of Match for press is: 0.25
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.93
Percent Chance of Match for press is: 0.93
Percent Chance of Match for press is: 0.97
Percent Chance of Match for press is: 0.90
Percent Chance of Match for press is: 0.88
Percent Chance of Match for press is: 0.44
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
Graph Comparison Output for 97% Match:
Conclusion:
You have now walked through successfully reversing a toggle switch remote for a security gate. You took a raw signal and created a working device using only a Yardstick and RFCrack.This was just a quick tutorial on leveraging the skillsets you gained in previous blogs in order to learn how to analyzeRF signals within embedded devices. There are many scenarios these same techniques could assist in.We also covered a few new features in RF crack regarding logging, graphing and comparing signals.These are just a few of the features which have been added since the initial release. For more info and other features check the wiki.
