10.4 Web Tool Burp Suite Lab Instructions

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

19 hours 55 minutes
Video Transcription
I welcome back to the course in the last video we talked about Bird sweet and some of the common things that we can do inside of it. So in this video, we're actually gonna use the tool. Now we're gonna use the free version of it. So I want to stress that the paid version has a lot more features available to us.
So in this lab, we're just gonna go ahead and we're gonna launch the tool. And they were gonna do some configuration changes on our browser.
We're gonna do, Ah, little bit of testing, and they were gonna change your browser back. And then we'll talk about some of the other features inside of burbs. Sweet.
So let's go ahead and get started. So you should be using Callie linen so you can do this inside of Siberia. Labs, however, gonna have some trouble because the proxy has already set up in those labs. So I recommend that if you don't already have virtual box and Callie clinics downloaded on your actual computer, go ahead back to module one and watch those videos to get that installed.
So go ahead and launch your Kelly desktop and get Logan. So again, the password there is root. Excuse me. The password is tour and the user name is route. So route R o t for the user name and then pass for his tour. T o r. So basically route backwards.
Okay, So once we're loved into Callie, we're gonna click on the show applications option. So it's Thies this grouping of circles right here. So the nine circles there, go ahead, click on that.
You're gonna see a search box at the top here. Just go ahead and start type again. Burp sweet. So as soon as you type in, burp is gonna pull it up there for you, go ahead and click on the icon.
It's gonna take a second or so. The launch for us here.
So we searched for a burp. Sweet. We clicked on the burbs. Sweet icon. You notice Notice I haven't air message in the background there. So you might get that Pop oppa's well that your Java run time environment is out of date. We're just going to say, OK, that we don't care about that for this lab. So what? I say okay to that, and then it'll start launching Burke suite for us.
So step number six year the burbs. Sweet. The community edition. So the free version launches for us. Now, we might get a prompt again that the updates available is we're gonna click here, and we don't want to update. Now, what is gonna click on clothes?
All right, so now it'll finally take us to the screen here.
So Step number eight. We want to make sure that temporary project is selected. And that's the only option we have anyway, since we're doing the free version. So we're just gonna say next to that,
and then we want to keep the defaults here, so we're just gonna use the birth defaults, and then we're gonna click on start burp down here at the bottom.
So go ahead and click on that. It's going to start it up for us.
So step number 10 is eventually gonna open other way for us, and then we're gonna click on the proxy tab. So we're basically just gonna make sure that our proxy is set to our local address here.
All right, so a burp suite has opened up. You see a lot of different tabs. We'll talk about some of those a little later on,
we're gonna click on proxy here, the top left,
and then we're gonna click on the options tab.
All right, so we've clicked on proxy, and then the options tap. And now we just want to double check that the interface is set to this address.
So we see. Here it is. It's set to 1 27.0 point 0.1, and then our port is 80 80. So that's correct.
All right, so now we're gonna launch Firefox. CSRC going. Just click on your browser there, tow. Launch it up.
Now you can use different browsers. I recommend you use this one. Just you can follow the configuration changes that were gonna make. But you're welcome to do a similar process for whatever browser that you want to use.
All right, so we've opened fire. Fox E s are at the top right of the browser window. We're gonna click on those three little lines were stacked up on top of each other. So this right here, go ahead and click on that.
It's gonna give you some menu options here. We're gonna click on preferences right there in the center.
It's gonna take a moment or so to pull up.
So once we cook on preferences, we want to click on Advanced here and step step 17. So it's gonna be this little icon that kind of looks like a little wizard's hat.
So once we click on that, we just want to make sure we click on Network at the top here.
Okay, we'll go back to our lab document. So we clicked on Network, and now we're gonna do step 19 here. We're gonna click on settings, and then we're gonna actually configure our proxy. So we're gonna click on settings,
and then we want to select this manual proxy configuration.
All right, screw it on to her next step here. So we want to make sure that our address in there and if it's not in there, go ahead, type it in 1 27.0 point 0.1, and then we want to make sure we select port 80 80.
The other thing, we want to select his uses proxy server for all protocols. Just check that box. If it's not text or checked already and then just click on OK to save your changes.
Okay, so now we can close your browser window and there in the burbs. Sweet. We're gonna click on the intercept tab, and then we're gonna launch Firefox again and just take a look at what happened. So go ahead, close out your browser window there.
Now hear a burp. Sweet. We're gonna click on the intercept half. So this one right here to the left. So you see, there's nothing in there right now.
Now we're gonna click on fire Fire Fox GSR again. We're just gonna pay attention to this area right here and just see if we notice anything happening.
So you'll see we get a little information back right away, even before the browser fully launches for us.
All right, let's move on to the next step of her lab.
now we're gonna type in any your arial that you wanna use there. I'm just gonna do cyber his website for our purposes here. But you can type any of you are a little that you want to. So we're gonna type in the u R l which every web site you want to use
and then what you're You're gonna notice is that the Web site is gonna be lagging a bit, so it's not gonna pull up right away like you might be used to.
So let's go ahead and do that now.
So I'm just gonna type www dot cyber eri
dot i t and then just hit. Enter there. You notice it's going really slow. Normally, that would pull up right away for us.
So what we need to do, Let's look back at our lab here. So inside of birth suite here instead. 28. We want to click the Ford button. So essentially, what we've done as making our local machine a proxy is it requires If anyone wants to go to that web site, for example, we have to stay here in the way we have the setup, click it forward and basically forward all these packets.
So you just kind of click forward et cetera.
Now, what's gonna happen on the browser here is actually gonna fail the authentication and say it's not a secure website and that it has not taken you there, but you'll see that we've got different things. That is, uh, e excuse me. Different packets that is doing here.
So, you see, we get a different kind of air here. We're basically kind of getting a on secure version of Cyber his website there.
I would just continue to Ford all the way through till we got done.
So that's one aspect of it. The user would notice. If we don't automate that process, the user would notice that something's amiss with their system.
All right, so we see far Fox. He may or may not provide air message. In this case, that's a huge Sabri's website. It just takes us to the unsecured version. If you do something like Google or Microsoft, it should spit back in her message for you.
So now we're gonna go back to our browser and we're just gonna reset those settings back to what they originally were.
We're gonna close the browser, and then we're gonna take a look again to see what happens with the website. So let's just go back to our browser here. We're just gonna
click here on the street little lines again. Click on Preferences.
Gonna pull up that for us. We're gonna click the advanced to remember that little wizard's hat down here at the bottom left,
click on network and then click settings. And then we're just gonna revert back to the auto, detect proxy settings for this network,
and then we're gonna click. Okay?
All right. So go ahead. Just close your browser tab there
and close it all the way out there.
Okay, so we've reset the settings here instead. 31 we selected the auto detect proxy settings, and we clicked okay to save the change.
And then we just close your browser windows. So now we're gonna launch Firefox again, and I'm going to try to go back to cyber dot i t You go back to whichever website you had chosen. So let's launch your Web browser.
It might take a second or so to pull up here,
and then I'm gonna type in. I'm gonna move this over here,
and I'm gonna go ahead and type in cyber dot i t so www dot cyber re dot i t. What you're gonna notice is it almost instantly pulls up for us. So library obviously has some videos and stuff. So admit Texas second pull upon this virtual machine here. But you see, it actually pulled up the website for us that time.
And on your end of things, you shouldn't see any other messages that should pull up. Whichever website that Google or Microsoft Whatever. What's that you have chosen? It should pull that up for you.
Okay, We'll go ahead. Just close the browser. No.
All right. So course the warned. Are you able to visit the website now that you change the settings? That So when we reverted our settings back, were you able to actually pull the website?
So in my case, yes, I was I was able to pull up cyber dot i t. And it pulled up just fine for me.
All right. So Step 35 here. We're just gonna talk about a couple of the future is here inside of her up. Sweet. So one feature on a point out that it does have that's only in the paid version is a scanner feature on, And then some of the things that we could do here in the free version a little bit as we can launch different attacks. The code hex, that sort of stuff.
So let's just go ahead and click through some of the taps here So, um,
Skinner here again, this is in the paid version. So it gives you a vulnerability scanner that you can use on websites, Web applications and get a lot of information back. It's actually a pretty cool thing. If you decided to sign up for bird sweet or if you have that through your employer that you get the paid version.
We've also got things like Intruder again. That's where we can run different attacks. And we can also change the attack types here. We've got a couple of different options.
We can modify payloads if we want to.
We could also choose different. We could scroll down a little bit so we can add in some custom stuff here. Other also under the options. We can set different headers,
and, uh, and also, when we get information back, we can do great matches to pull the information that we actually want to see so we could basically flag it and look at the information that we name important to us.
We've also got the Dakota here. That's where we can decode hex information.
You've got different things like the secret here is the repeaters, Theologian ce think here so you'll see that when we were trying to pull the website if failed to negotiate the SSL connections.
So that may right now tell us something If we're actually doing this in a live testing environment,
we've also got Spider, so it'll basically crawl. Three other thing I did want to show you is http history here. So one option here we see all these here. What we can actually do is we can right click on any of these if we Let's say we deem this one pretty important and we want to highlight that so we can look at it later. Let's say we've got thousands of things here in the log, and so we we just want to look at that later on. So
we get this right click on it,
go down here about halfway down to highlight,
and then whatever color we want a pickle. This pick this violent, purplish looking color here.
And so there. Bam! It's highlighted.
So we could do that for whichever things here. If I wanna put cyber, I t as a different color. I can do so
I'll just put that is green.
And we could just do that on different links that we're pulling up here.
So that's another cool feature of it.
So question number two inside of the http the history tab How do we highlight an item? And I should just went over. That s all we do. Is we just right? Click it
go to highlight and then just pick our color essentially whatever we want to use.
So in this video, we talked about burp suite at a very, very high level. We just did a quick test on her browser after we've changed, made some configuration changes. But this is a great tool to use, and especially if you could get the pro version, I recommend that you do so and just play around with it. It's one of those things if you're going to be a penetration tester that you do need to have experience working with
and a lot of your time is gonna be spent with Web application
penetration testing, depending on your employer. But generally, that's what a lot of companies want because they want to know how vulnerable are our Web sites And can the Attackers get in that way?
So in the next module, we're gonna go over a sequel injection
Up Next
Penetration Testing and Ethical Hacking

Do you like breaking things or figuring out how things work? Join thousands of professionals who’ve entered the information security field by taking this class. Taking this ethical hacking course will give you the skills needed to become a professional penetration tester and prepare you for industry certifications, like the CEH.

Instructed By