BURPSUITE:AUNTENTICACIÓN WEB ..Hackeando vamos ..

Hacking web authentication "Madrid".. Recordando "BurpSuite" ...

Hoy alguien, en una "conversación" me ha preguntado

Juan Carlos, que piensas de BurpSuite? .... Si os digo la verdad me hubieran faltado horas para explicar todo lo que conozco de BurpSuite, pero he preferido alabar su Proxy existente dentro de esta Suite de Test de Penetration en Aplicaciones Web .. o no web .. ahora me explico, porque también he estado observando por foros y otros artículos donde solo se nombra a BurpSuite como una Tools para Pentest ...

Bueno , en mi "humilde" opinión cuando se creó el "Spider" de BurpSuite precisamente no estaban pensando en hacer pentest a empresas, no majetes no .. lo que ocurrió con BurpSuite es como todo .. que los hackers tenemos que comer .. y crearon una herramienta "acojonate" donde los MiTm son cosas de "risa" .. aunque la verdad para hacer un Man In The Middle no es que haya que ser un "Gurú" .. pero si que es verdad que podeís estar pensando 

RECORDANDO MAN IN THE MIDDLE .. Un poquito anda ...

"Si todos decís lo mismo pero nadie explica paso a paso como hacer un "ManInTheMiddle" ... sois todos iguales, esto es una película .. y además, eso es un lío .. no se qué de envenenar .. o era suplantar ... bueno no se, algo así ... la ARP y hacer pensar al otro tío que tu eres el "bueno" y así te quedas con todo lo que pase por  en medio ... eso es una película, y además, no entiendo ni "papa" ... hablaís raro y sois raros ... "

Para los que esteís pensando esto o cosas similares o simplemente quereís hacer ya de una vez un Man In the Middle .. pues mirar, directamente hay que ser muy muy lelo para no encontrar manuales a día de ayer de como hacer un MiTM, paso a paso y desde cero ..

Por cierto, existe suplantacíón y envenenamiento .. por lo tanto, los ManInTheMiddle son muy extensos .. pero no en la técnica, sino en los escenarios sobre los que es posible hacer un MItM

Pero os voy a dejar unos videos anda ...

                                                  Un Poquito de Chicha

Cain Y Abel .. me encanta !!!

Ahora en Wireless

                                                         

Pero como he oído paso a paso .. pues esa es la pista que teneís ... si vaís camino de ser hacker, con "paso a paso" y google teneís lo que vosotros quereís ... porque no es el motivo de este Post explicar ( otro día quizás ..) como hacer un MitM ... Sinceramente me aburriría menos explicándo un Man In The Browser ... por ejemplo !!! ainsssssssss

BURPSUITE .. ENTRANDO EN MATERIA S3RI4 ...

Mascadita la técnica .. que conste en acta señoría !! :P

Ah majetes en Inglés, porque desde Facebook me están diciendo .. y lo entiendo ( Siria, Pakistan y Usa que tiré de su idioma y como Burp mejor bajarlo en Inglés ... )

Pasitos ( For Dummies ..) :P

1. Set the browser proxy to Burpsuite

2. In the Burpsuite, go to Proxy -> Intercept -> "Intercept is on"

3. Go to Proxy -> Option -> "generate CA-signed per-host certificates" for each time the 

user connects to a SSL protected website, Burpsuite will generate a server certificate for 

that host, signed by a unique CA certificate which is generated in Burpsuite during its 

installation. The purpose of this is to reduce the SSL errors that occur because of the 

proxy in between

1)HTTP-Basic Authentication

HTTP-Basic authentication uses a combination of a username and password to authenticate 

the user. The process starts when a user sends a GET request for a resource without providing 

any authentication credentials. The request is intercepted by Burpsuite and looks something 

like this.

The server responds back with a “Authorization Required” message in its header. We can 

see the packet in Wireshark. As we can see from the header, the authentication is of the 

type “Basic”. The browser is quick to recognize this and displays a popup to the user 

requesting for a Username and a Password. Note that the popup is displayed by the 

browser and not the web application.

Once we type in the username and password and intercept the request again using 

Burpsuite, we get something as shown in the figure below.The last line says 

“Authorization: Basic aW5mb3NlYzppbmZvc2VjaW5zdGl0dXRl”. This is basically the extra 

thing being passed in the header now. The text after Basic holds the key. These are 

basically the credentials in encoded form.The username and password are concatenated 

with a colon (:) in between and the whole thing is then encoded using the Base64 

algorithm

One of the problems with HTTP-Basic Authentication is that the data is being passed over 

in plaintext. This risk can be removed by using SSL, which will send the data in encrypted 

format, and hence the value in the Authorization header will not be visible. However it 

will still be vulnerable to many client side attacks, including MITM. It is also vulnerable to 

Brute force attacks which we will see in the coming sections

2)HTTP-Digest Authentication:

 Digest Authentication was designed as an improvement 

over the HTTP Basic Authentication. One of the major improvements is that the data is  

not passed over in cleartext but in encrypted format. The user first makes a request to the 

page without any ... any what ... any credentials. The server replies back with a WWW-

Authenticate header indicating that credentials are required to access the resource. The 

server also sends back a random value which is usually called a “nonce”. The browser then 

uses a cryptographic function to create a message digest of the username, password, 

nonce, the HTTP methods, and the URL of the page. The cryptographic function used in 

this case is a one way function, meaning that the message digest can be created in one 

direction but cannot be reversed back to reveal the values that created it.

 By default,Digest authentication uses MD5cryptographic hashing algorithm.

bUT ... HAHAHA!!!  ....Digest Access authentication is less vulnerable to Eavesdropping attacks than Basic 

Authentication, but is still vulnerable to replay attacks, i.e., if a client can replay the 

message digest created by the encryption, the server will allow access to the client. 

However, to thwart this kind of attack, server nonce sometimes also contains timestamps. 

Once the server gets back the nonce, it checks its attributes and if the time duration is 

exceeded, it may reject the request from the client. One of the other good things about 

Digest access authentication is that the attacker will have to know all the other 4 values 

(username, nonce, url, http method) in order to carry out a Dictionary or a Brute force ....attack of course lusers ....  

This process is more computationally expensive than simple brute force attacks and also 

has a larger keyspace which makes brute force attack less likely to succeed.

3)Form Based Authentication: Form Based Authentication uses a form (usually in html) with input tags to allow users to enter their username and password. Once 

the user submits the information, it is passed over through either GET or POST methods 

via HTTP or HTTPs to the server. On the server side if the credentials are found to be 

correct, then the user is authenticated and some random token value or session id is given 

to the user for subsequent requests. One of the good features of Form Based 

authentication is that their is no standardized way of encoding or encrypting the 

username/password, and hence it is highly customizable, which makes it immune to the 

common attacks which were successful against HTML Basic and Digest Authentication 

mechanisms. Form Based Authentication is by far the most popular authentication method 

used in Web applications. Some of the issues with Form Based Authentication is that 

credentials are passed over in plaintext unless steps such as employment of TLS (Transport 

Layer Security) are not taken.

BurpSuite...Attacking Web Authentication

                                  

 1.  Go to the form and submit a request using anyusername/password for now, then intercept the request

........ Once you have the request, right click on it and click on “send to intruder”

                                   

 2. Go to intruder tab -> under the target tab -> configure the target

3. Go to position tab of intruder tab -> Hit clear button -> Highlighted user,password text and......................................................................................>

 hit add button lusers ... ainssss !! :P

                                  

then the step  4.....  Change the attack type "sniper" to "cluster bomb" 

**Basically the idea of cluster bomb is to use Multiple payload sets (1 for username and 1 for the password). The attack will start by trying all the values in Payload 1 with first value in Payload 2, then by trying all the values in Payload 1 with second value in Payload 2 and so on. As we can see in the image below, our attack type is set to “Cluster Bomb”.

                                        

 5.  Go to payload tab -> select payload set 1

 -> hit load button and  

-> choose the file that contain list of username

                                          

 6. select payload set 2 -> hit load button -> choose the file that contain list of password

                                           

easy .. and the step .....7.  Go to option tab -> Selected “store requests” and “store response”

Come Hacker step 8. Click on intruder on the top left and click on “start attack”

Easy ... !!! i don´t know ....

If you want the detail of each step, please go to the Source. This post is just summarie

from the Source. 

Source: http://resources.infosecinstitute.com/authentication-hacking-pt1/ç

Pues eso si quieres complentar esto pinchas arriba y tienes todo ... pero vamos que tienes en Google miles de fuentes a las que acudir mejores que yo ... o no, no lo se ..

Yo por lo menos hablo en dos idiomas jajajaja !!! :p