Sunday, January 6, 2013

Burp ‘Em if got ‘Em!!

 

Burp Your Network Devices

 

Purpose

The purpose of this tutorial is to show you how to automate an attack on a network device that uses a web login. This tutorial is for educational purposes ONLY. Do not attempt this on devices you do not have EXPLICIT permission.

 

Setup

You will need a device to test the attack against. I am using a wireless camera. You will also need a copy of Burp Suite. There is a free and professional version. I will be using Backtrack 5 R3 which includes a copy of Burp Suite.

The first step will be to configure Burp Suite to act as a proxy. Choose the proxy tab and ensure that “intercept is on” under the intercept tab.

clip_image001

Next, you’ll need to configure the proxy listeners. Choose the options tab and configure the proxy listeners for port 8080 and that the “Generate CA-signed per-host certificates” is checked.

clip_image002

clip_image003

The last step is to configure your browser to use Burp Suite as a proxy. I am using Firefox so your setup may be different.

clip_image004

 

Authentication Analysis

We will use Burp Suite to capture the http requests to determine the type of authentication used by your network device. Some of the authentication types include HTTP-Basic, HTTP-Digest, and Form Based Authentication. In this example, we’ll be looking at HTTP-Basic which is easily compromised due to the simplicity of its encoding. Let’s see what type of authentication my wireless camera uses and I will illustrate how easy it is to decode the password used in the transmission.

 

Demo

With Burp Suite open, navigate to your network device using the browser configured with the proxy settings. You will need to click the forward button for each HTTP request that occurs. Attempt to login to the device. I generally look up the default administrator account online for the device manufacture and any password. Remember at this point the goal is to determine the type of authentication used.

clip_image005

Navigate to the History tab under Proxy. Walk through the steps. You should see a Request referencing Authorization. I this example, you can see the device is using HTTP-Basic Authentication.

clip_image006

Notice the encoded characters after Basic. This uses Base 64 encoding which combines the username and password. Once it is decoded, it will be represented as username:password. Notice the colon, this separates the two. Decoding is trivial. Highlight the characters and right-click and select Send to Decoder. Navigate to the decoder tab and choose decode as – Base64. Notice, the characters are decoded to show the username and password I used in the web popup.

clip_image007

clip_image008

clip_image009

Now that we know the type of authentication, we can send this to the Intruder to configure our attack.

clip_image010

Navigate to the Intruder tab. Under the Positions tab, we need to locate and highlight the Base64 string and chose “Clear” and “Add” from the right side of the screen.

clip_image011

clip_image012

Click on the Payloads tab. Under the Payload Options [Simple list] section we’ll add the passwords we want to use in our attack. You can use a password dictionary if you’d like, but for this example, we’ll use a simple set of passwords.

Under Payload Processing, we’ll specify a prefix (admin:) and Base64-encode. Do not forget the colon.

clip_image013

Under Payload Encoding, uncheck the URL-encode these characters box.

clip_image014

The last step is to launch the attack. Select Intruder and Start attack. A window will pop-up showing the login attempts. Look for a status code of 200. Select the line. You should see the Base64 characters which you can send to the decoder. They should match up with your password list. Again, decode as Base64 as done above.

clip_image015

clip_image016

clip_image017

clip_image018

 

Conclusion

I’ve just touched the surface of using the Burp Suite and HTTP authentication types. Give it a try for yourself. The best way to defend your router against these type of attacks is to use a complex password which is unlikely to be in a password dictionary, enabled https if possible, and change your password regularly. Please provide comments and any suggestions.

No comments:

Post a Comment