Time: 4 hours 20 minutes
Difficulty: Intermediate
CEU/CPE: 5

Video Description

This lesson offers step-by-step examples of active and passive spidering in Burp Suite. Using the Kali Linux environment, participants receive instructions on how to conduct active and passive spidering.

Video Transcription

00:04
So let's check out active and passive spidering for Burp Suite.
00:15
All right, so here we are.
00:17
Kali Linux environment. What we're gonna do is we're gonna open up Iceweasel,
00:21
and we're gonna open up Burp Suite.
00:23
Now we wait for Burp Suite to open. Gonna click these three bars here,
00:28
go to Preferences.
00:32
Click on the Advanced tab, go to Settings,
00:35
and then you'll want to set your manual proxy configuration to 127.0.0.1 with port 8080.
00:42
And there will be two entries down here for 127.0.0.1 and localhost. Delete both of them; if you don't delete both of them, this will not work. So then we click OK
00:53
and click Close,
00:57
and Burp is now loaded. So now let's browse to our target. Our target will be 192.168.1.12,
01:04
and you notice it doesn't load right away. That's because the proxy is running. And when the proxy is first turned on, well, when Burp Suite is first turned on, the proxy is set to intercept on, so I'm gonna turn it off.
01:18
But if you turn intercept on, you'll notice.
01:22
Wait for the packet to come.
01:26
Here we go,
01:27
so you'll notice that you can get
01:30
the raw packet information, which is really handy with Burp Suite, so you can actually manually edit this information and forward this packet on. So
01:42
if you have some kind of cookie or some kind of string or variable that you need to edit,
01:49
try to test something in a form field. This is where you would edit that item and then forward it on to see what it does.
01:56
Let's turn intercept off.
02:05
It says "No route to host." Let's check our VM real quick.
02:24
For some reason, our VM's
02:28
Ethernet changed. So that's something
02:31
that you should keep in mind, that sometimes something like this might happen.
02:36
So just do an ifconfig eth0 and change your IP address. And
02:40
if it doesn't work because you're not sudo, you'll wanna type sudo !!
02:45
and there we go,
02:47
and let's go back here.
02:50
And there we go. We're now at the awesome blog.
02:53
Now, if we go over to Target,
02:57
we'll see that it's already started
03:00
passively
03:01
spidering. So
03:04
as we click around to different things,
03:08
you'll notice something's happening over here. That's because that's the,
03:14
that's the passive spidering at work here.
03:21
So the passive spidering will perform spidering here
03:24
and, uh,
03:27
do it all in the background.
03:30
And if you wanna adjust what your passive spidering does,
03:36
you can actually come over here and turn it on and off,
03:39
um,
03:46
to prevent it from actually spidering.
04:00
There would be more options if you had the paid version. However, we don't have the paid version, so we don't have the scanner options in here. If you had the paid version, there would be
04:11
more options down here for the scanner.
04:17
So now we have our target.
04:19
If we want to actively spider, we'll right-click on that,
04:24
and then we just click "Spider this host",
04:28
and we'll say yes, we would like to modify the scope to include all the pages.
04:32
And if we come over here, we'll see the bytes transferred and the requests made. Now, here's one of those form submissions that I was telling you about. You can either click "Ignore form",
04:44
or you can put in a username and password in here, if you have a username and password, and the form will submit. And then it will continue spidering even deeper into the web application. But right now we're gonna click "Ignore form".
04:58
We'll go back to Target. We'll see that
05:00
our assets here have increased, and we have also gotten some additional pages here.
05:10
So that is active spidering, and that's that.
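The video describes two spidering modes: passive spidering, which only reads the pages the user browses through the proxy and notes the links it sees, and active spidering, which requests in-scope pages on its own and pauses at forms (the "Ignore form" prompt). The toy spider below is an added example that is not Burp Suite's code and not part of the original lesson; it runs offline against a constructed in-memory site standing in for the 192.168.1.12 target, with made-up URLs and page bodies. It shows why the two modes differ in footprint: the passive pass sends nothing beyond what the user already requested, while the active pass issues its own requests (every one of which lands in the target's access log), stays inside the configured scope host, and records forms without submitting them.

```python
"""Toy passive vs. active spider (added example, not Burp Suite's code).

The site below is constructed for the example; nothing is fetched over
the network.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed mini-site: URL -> HTML body. Stand-in for the lesson's target.
SITE = {
    "http://192.168.1.12/": '<a href="/blog">blog</a> <a href="/about">about</a>',
    "http://192.168.1.12/blog": '<a href="/blog/post-1">post</a> <a href="/login">login</a>',
    "http://192.168.1.12/blog/post-1": '<a href="/">home</a> <a href="http://cdn.example/x.js">cdn</a>',
    "http://192.168.1.12/about": "plain page, no links",
    "http://192.168.1.12/login": '<form action="/login" method="post"><input name="user"></form>',
}


class LinkParser(HTMLParser):
    """Collects <a href> targets and <form action> targets from one page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append(a.get("action", ""))


def fetch(url):
    """Stand-in for the browser/proxy request; None plays the role of a 404."""
    return SITE.get(url)


def in_scope(url, scope_host):
    """Scope rule: same host only, like the 'modify the scope' prompt in Burp."""
    return urlparse(url).hostname == scope_host


def passive_spider(browsed_urls, scope_host):
    """Passive mode: inspect only pages the user browsed and record the
    in-scope links found in them. Returns url -> True if the user requested
    it, False if it was merely discovered. No extra requests are sent."""
    site_map = {}
    for url in browsed_urls:
        body = fetch(url)
        if body is None:
            continue
        site_map[url] = True
        parser = LinkParser()
        parser.feed(body)
        for href in parser.links:
            full = urljoin(url, href)
            if in_scope(full, scope_host):
                site_map.setdefault(full, False)
    return site_map


def active_spider(start_url, scope_host, ignore_forms=True):
    """Active mode: breadth-first crawl that requests each in-scope page
    itself. Forms are recorded; with ignore_forms=True they are never
    submitted (the lesson's 'Ignore form' choice)."""
    queue, visited, forms, requests = [start_url], set(), [], 0
    while queue:
        url = queue.pop(0)
        if url in visited or not in_scope(url, scope_host):
            continue  # out-of-scope links (the cdn) are never requested
        visited.add(url)
        requests += 1
        body = fetch(url)
        if body is None:
            continue
        parser = LinkParser()
        parser.feed(body)
        for href in parser.links:
            full = urljoin(url, href)
            if full not in visited:
                queue.append(full)
        for action in parser.forms:
            target = urljoin(url, action)
            forms.append(target)
            if not ignore_forms:
                queue.append(target)  # submitting would go here
    return {"visited": sorted(visited), "forms": forms, "requests": requests}


if __name__ == "__main__":
    print("passive:", passive_spider(["http://192.168.1.12/"], "192.168.1.12"))
    print("active: ", active_spider("http://192.168.1.12/", "192.168.1.12"))
```

Browsing only the front page passively yields three entries but one request (the user's own); the active pass from the same page makes five requests, reaches the login form, and skips the off-host link. That request count is the practical caveat: active spidering is visible in the target's server logs in a way passive spidering is not, which is also why the scope prompt in the video matters.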

Up Next

Web Application Penetration Testing

In this web application penetration testing course, SME, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on course that will require you to set up your own pentesting environment.

Instructed By

Raymond Evans
Instructor