1 CYB 205 Software Foundations for Cybersecurity Burp Suite Lab The focus of this lab is to gain introductory knowledge and experience with Burp Suite. Burp Suite is a suite of robust web application...

1 answer below »
Please review. Need completed by the end of the day


1 CYB 205 Software Foundations for Cybersecurity Burp Suite Lab The focus of this lab is to gain introductory knowledge and experience with Burp Suite. Burp Suite is a suite of robust web application pentesting tools from the company PortSwigger https://portswigger.net/. Burp Suite is the industry standard for identifying and analyzing vulnerabilities in web applications used by cybersecurity professionals (PentestGeek, 2018). This lab is the successor to the Kali Linux and Metasploitable2 Lab. It is vital for the success of this lab the prior lab must have been completed. Also, both Kali Linux and Metasploitable2 virtual machines (VMs) must be configured properly and operational. The Metasploitable2 VM is plagued with vulnerabilities, it is NOT advisable to allow this VM access to the internet. Refer to the Kali Linux and Metasploitable2 Lab if unsure of the VM’s network configuration. 1. From the Metasploitable2 webpage, select DVWA (Damn Vulnerable Web Application). 2. At the login screen of DVWA input the default username of “admin” all lowercase and the default password of “password” also all lowercase. https://portswigger.net/ 2 3. Upon successful login, the DVWA homepage is presented. 4. Next, set the DVWA security level. Select the “DVWA Security” button on the right-hand side of the page. Set the security level to “low” using the dropdown selection and “submit.” 5. The Firefox web browser must be configured to interact with Burp Suite. To do this, the browser must be configured to use a “manual proxy.” To set a “manual proxy,” click the three small horizontal lines (sometimes referred to as “the hamburger”) in the upper right-hand corner of the Firefox browser. 3 6. When the hamburger is selected, a fly-out menu appears. From the fly-out menu, select “Preferences.” 7. Next, select the “Advanced” option on the left-hand side. Then select the “Settings” button. 8. When the “Settings” menu opens, configure the “Manual proxy configuration.” “HTTP Proxy” address must be “127.0.0.1” and “Port” set to “8080.” Ensure the “No Proxy for” box is completely empty; delete any information in this box. Click “Ok” to continue. E Ensure this area is blank. 4 9. Close the “Preferences” tab and return to DVWA. 10. Start “Burp Suite” by selecting the icon from the left-hand side Kali Linux menu. Also, “Burp Suite” can be started by accessing the “Applications” menu from the top left-hand side. Select “Burp Suite” from the favorites menu. 11. When Burp Suite launches, leave the defaults and click “Next.” 5 12. Start Burp Suite with default settings. 13. When the full Burp Suite application opens, select the “Proxy” tab and then the “Intercept” tab. If “Intercept is on” click the button and ensure “Intercept is off.” For this exercise, “Intercept is off” so traffic intercepted by Burp Suite will not have to be manually forwarded. The application is still intercepting traffic due to earlier proxy setup. 14. Check the “Proxy Listeners” in Burp Suite to ensure settings match that of the Firefox browser. Click the “Options” tab and ensure the “Interface” is set to the loopback IP of 127.0.0.1 with port 8080 and “Running” is checked. When the IP address and the port are shown together, it is known as a socket. 127.0.0.1:8080 should be directly under the interface column, if not, then select edit from the left-hand side and make corrections. Keep this window open. 6 15. With Firefox and Burp Suite properly configured, it is time to start a brute force attack on a web application login page. At the DVWA homepage, select the “Brute Force” option on the left. Also, ensure the security level is set to low as shown in the lower left corner. 16. Enter any username and password in the form and click “Login” (use your imagination and pretend you don’t know the credentials). Now go to Burp Suite and check the “HTTP history” tab. Look for a “200” response in the “Status” column with a “username” in the “URL” field. This indicates a successful response from a server (for more info concerning server response codes: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status). https://developer.mozilla.org/en-US/docs/Web/HTTP/Status 7 17. Look at the information presented. The line with the “200” server response code is highlighted and information pertaining to the host and URL are explained in the “Raw” tab below. The “Get” request shows what credentials were entered in the DVWA web form. The user entered “user” for the username and “qwerty” for the password. The response from the web form shows an incorrect response for these credentials. 8 18. To simplify the brute force attack, create two text files. One text file with a list of possible usernames (screenshot on the left) and another with possible passwords (screenshot on the right). Since this is the free version of Burp Suite, keep the list small and simple as speed is greatly reduced with this version. These text files will serve as payloads for the attack. 19. In the Burp Suite “Raw” tab, right-click within the area. When the pop-up menu appears, select “Send to Intruder.” 20. When the information is sent to the “Intruder” the “Intruder” tab will highlight orange. Select the tab. Right-click anywhere in the white space. 9 21. Once in the “Intruder” tab, select the “positions” sub-tab and examine the orange highlighted areas. These are the brute force attack areas. The username is “position one” and the password is “position two” and so on. This attack is only concerned with brute forcing positions one and two (username and password). 22. Change the attack type from “Sniper” to “Cluster bomb” via dropdown option. This will allow use of multiple text files for multiple positions. Highlight the text in the window below the “Attack type” and click the “Clear” button on the right. This will remove the “S” shaped type characters from all brute force positions. 23. Double click the entered username, in this case “user”, and click “Add” button to put the “S” shaped characters around the username. Repeat this process for entered password, in this case “admin.” Putting the “S” shaped characters around the username and password fields ensures Burp Suite will only brute force these two positions. 1 2 3 4 5 10 24. Set the payloads in the “Payloads” tab. a. In the “Payload Sets” section, ensure “Payload Set” is “1” which corresponds to the username field to brute force. For the “Payload type” select “Runtime file” from dropdown. In the “Payload Options [Runtime file]” section, navigate to the text file containing the list of possible usernames, highlight the file and click “Open.” b. Repeat this process with “Payload Set” position “2.” Use the dropdown to make this change. This time, the runtime file will be the text document with possible user passwords. 25. Click the “Options” tab and scroll down to the “Grep – Match” section. Clear any text contained in the field by clicking “clear” on the left. Confirm when the dialog box appears. Next, type the word “Incorrect” in the “Add” field and click the “Add” button. This will create a field to show failed brute forced credentials during the attack. 11 26. Scroll up and start the brute force attack by clicking the “Start attack” button and click “OK” when the warning dialog box appears. 27. After the attack has completed (should not take too long) analyze the results. Look at the “Incorrect” column created using the “Grep – match” option created earlier. Highlight a row that does not have an “Incorrect” checkmark in the “Results” area. Below the results area, select the “Response” tab and the “Render” sub-tab. Look for a response that may be the correct username and password credentials. 12 28. Try the credentials indicated by Burp Suite on the DVWA webpage and see if Burp Suite was successful brute forcing the username and password. 29. If the login credentials entered were successful, the “Welcome to the password protected area admin” confirmation should appear as seen below. This completes the Burp Suite lab. 13 References: What Is Burpsuite - Tool Description. (2018). Pentest Geek. Retrieved 20 January 2018, from https://www.pentestgeek.com/what-is-burpsuite Guidelines for Writing a Lab Report Group work: each group will meet prior to beginning lab work. There are three members per group. Each group member rotates the role as outlined below: Manager. The manager delegates the work (including her/his own). At the conclusion of the lab, the manager includes a paragraph indicating who was responsible for each section. The manager of the lab report is ultimately responsible for quality control, which includes formatting. Time keeper. The time keeper creates a timeline for project completion. At the conclusion of the lab, the time keeper includes the timeline, which is a list of the tasks delegated by the manager. The time keeper determines if the tasks were completed per the time line, and if not, when the tasks were completed. Did each person complete their assigned tasks on time? If not, why? Note taker. The note taker maintains a directory (folder) of lab results, findings, and screenshots. The note taker is also responsible for archiving the communications between group members. This allows the professor to review group communication to ensure all group members participated. This folder will be zipped and submitted as part of the lab report. General Guidelines: Lab reports should be written in a clear and concise manner in the 3rd person. For the purposes of this class there should never be any reference to I, he, she, we, etc. For instance, instead of writing “As instructed, I opened all files except for the unallocated space text file.” write “As instructed, all files were opened except the unallocated space text file.” Another example: instead of writing “When attempting to open this file, we receive an error stating that the file was either damaged or is not a supported file type.” Consider
Answered Same DayDec 13, 2021

Answer To: 1 CYB 205 Software Foundations for Cybersecurity Burp Suite Lab The focus of this lab is to gain...

Nithin answered on Dec 14 2021
122 Votes
Solving Damn Vulnerable Web Application (DWWA) bruteforce
1. Launching DWVA
2. Configuring Proxy w
ith Firefox
3. Testing admin/admin
4. Incorrect username password
5. Setting up payloads in Burp
6. Payload list 2
7. Setting up Grep-Match
8. Intruder Attack - 1
9. In the above image, for...
SOLUTION.PDF

Answer To This Question Is Available To Download

Related Questions & Answers

More Questions »

Submit New Assignment

Copy and Paste Your Assignment Here