Part 3 - Spidering
Video Activity
This lesson offers step by step examples of active and passive spidering in BurpSuite. Using the Cali Linux environment, participants receive instructions in how to conduct active and passive spidering.
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Already have an account? Sign In »
Video Description
This lesson offers step by step examples of active and passive spidering in BurpSuite. Using the Cali Linux environment, participants receive instructions in how to conduct active and passive spidering.
Video Transcription
00:03
>> Let's check out active and
00:03
passive spidering for Burp Suite.
00:03
Here we are
00:03
in our Kali Linux environment.
00:03
What we're going to do is we're going to open up
00:03
IceWeasel and we're going to open up Burp Suite.
00:03
Now while we wait for Burp Suite to open,
00:03
I'm going to click these three bars here.
00:03
Go to Preferences.
00:03
Click on the Advanced tab, go to Settings,
00:03
and then you'll want to set
00:03
your manual proxy configuration
00:03
to 127.0.0.1 with
00:03
port 8080 and there will
00:03
be two entries down here for 127.
00:03
0.0.1 and localhost delete both of them.
00:03
If you don't delete both of them,
00:03
this will not work.
00:03
Then we click Okay and click
00:03
Close and Burp Suite
00:03
is now loaded so now let's browse to our target.
00:03
Our target is 192.168.1.12
00:03
and you'll notice it doesn't load right
00:03
away and that's because the proxy is running and
00:03
when Burp Suite is first turned on,
00:03
the proxy is set to intercept
00:03
is on so I'm going to turn that off.
00:03
But if you turn the intercept on, you'll notice,
00:03
wait for the packets to come. Here we go.
00:03
You'll notice that you can get raw packet information,
00:03
which is really handy with Burp Suite,
00:03
you can actually manually edit
00:03
this information and forward this packet on.
00:03
If you have some cookie or some string
00:03
or variable that you need to edit
00:03
to try to test something in a form field,
00:03
this is where you would edit that item and
00:03
then forward it on to see what it does.
00:03
Let's turn the intercept off.
00:03
It says no route to host.
00:03
Let's check our VM real quick
00:03
[NOISE].
00:03
For some reason, our VM's Ethernet changed so
00:03
this something that you
00:03
should keep in mind that sometimes
00:03
something like this might
00:03
happen so just do an IF Config with 0,
00:03
change to your IP address
00:03
and if it doesn't work because you're not pseudo,
00:03
you'll want to type pseudo bang,
00:03
bang and there we go.
00:03
Let's go back here, and there we go.
00:03
We're now at the Awesome blog.
00:03
Now if we come over to your target,
00:03
we'll see that it's already started passively spidering.
00:03
As we click around to different things,
00:03
you'll notice some things
00:03
happening over here is because that's
00:03
the passive spidering at work here.
00:03
The passive spidering will perform spidering
00:03
here and do it all in the background.
00:03
If you want to adjust what your passive spidering does,
00:03
you can actually come over here and turn it on and
00:03
off to
00:03
prevent it from actually spidering.
00:03
There would be more options if you had the paid version.
00:03
However, we don't have the paid version,
00:03
so we don't have the scanner options in here.
00:03
If you had the paid version,
00:03
there would be more options down here for the scanner.
00:03
Now we have our target.
00:03
If we want to actively spider
00:03
we will right-click on it and then we
00:03
just click Spider This Host and we'll say Yes,
00:03
we would like to modify the scope to include
00:03
all the pages and if we come over here,
00:03
we will see the bytes transferring the requests made.
00:03
Now, here's one of
00:03
those form submissions that I was telling you about.
00:03
You can either click Ignore form or you can put
00:03
in a username and password in here if
00:03
you have a username and password
00:03
and that form will submit,
00:03
and then it will continue spidering even deeper into
00:03
the web application but right
00:03
now we're just going to click Ignore form.
00:03
If we go back to target,
00:03
we'll see that our assets here have
00:03
increased and we have
00:03
also gotten some additional pages here.
00:03
That is active spidering in Nmap.
Up Next
Instructed By
Similar Content
