Ethical Hacking Institute Course in Pune-India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
When you’re attacking a web server, it’s not uncommon for that single machine to serve several web
applications, some of which you might not be aware of. Of course, you want to discover these
hostnames exposed on the same web server because they might give you an easier way to get a shell.
It’s not rare to find an insecure web application or even development resources located on the same
machine as your target. Microsoft’s Bing search engine has search capabilities that allow you to query
Bing for all websites it finds on a single IP address (using the “IP” search modifier). Bing will also
tell you all of the subdomains of a given domain (using the “domain” modifier).
Now we could, of course, use a scraper to submit these queries to Bing and then scrape the HTML in
the results, but that would be bad manners (and also violate most search engines’ terms of use). In
order to stay out of trouble, we can use the Bing API to submit these queries programmatically and
then parse the results ourselves. We won’t implement any fancy Burp GUI additions (other than a
context menu) with this extension; we simply output the results into Burp each time we run a query,
and any detected URLs to Burp’s target scope will be added automatically. Because I already walked
you through how to read the Burp API documentation and translate it into Python, we’re going to get
right to the code.
Crack open bhp_bing.py and hammer out the following code:
from burp import IBurpExtender from burp import IContextMenuFactory from javax.swing import JMenuItem from java.util import List, ArrayList from java.net import URL import socket import urllib import json import re import base64 bing_api_key = "YOURKEY" class BurpExtender(IBurpExtender, IContextMenuFactory): def registerExtenderCallbacks(self, callbacks): self._callbacks = callbacks self._helpers = callbacks.getHelpers() self.context = None # we set up our extension callbacks.setExtensionName("BHP Bing") callbacks.registerContextMenuFactory(self) return def createMenuItems(self, context_menu): self.context = context_menu menu_list = ArrayList() menu_list.add(JMenuItem("Send to Bing", actionPerformed=self.bing_ menu)) return menu_list
This is the first bit of our Bing extension. Make sure you have your Bing API key pasted in place;
you are allowed something like 2,500 free searches per month. We begin by defining our
BurpExtender class that implements the standard IBurpExtender interface and the
IContextMenuFactory, which allows us to provide a context menu when a user right-clicks a
request in Burp. We register our menu handler so that we can determine which site the user
clicked, which then enables us to construct our Bing queries. The last step is to set up our
createMenuItem function, which will receive an IContextMenuInvocation object that we will use
to determine which HTTP request was selected. The last step is to render our menu item and have the
bing_menu function handle the click event. Now let’s add the functionality to perform the Bing
query, output the results, and add any discovered virtual hosts to Burp’s target scope.
def bing_menu(self,event): # grab the details of what the user clicked http_traffic = self.context.getSelectedMessages() print "%d requests highlighted" % len(http_traffic) for traffic in http_traffic: http_service = traffic.getHttpService() host = http_service.getHost() print "User selected host: %s" % host self.bing_search(host) return def bing_search(self,host): # check if we have an IP or hostname is_ip = re.match("[0-9]+(?:\.[0-9]+){3}", host) if is_ip: ip_address = host domain = False else: ip_address = socket.gethostbyname(host) domain = True bing_query_string = "'ip:%s'" % ip_address self.bing_query(bing_query_string) if domain: bing_query_string = "'domain:%s'" % host self.bing_query(bing_query_string)
Our bing_menu function gets triggered when the user clicks the context menu item we defined. We
retrieve all of the HTTP requests that were highlighted and then retrieve the host portion of the
request for each one and send it to our bing_search function for further processing. The
bing_search function first determines if we were passed an IP address or a hostname. We then
query Bing for all virtual hosts that have the same IP address as the host contained within the
HTTP request that was right-clicked. If a domain has been passed to our extension, then we also do a
secondary search for any subdomains that Bing may have indexed. Now let’s install the plumbing
to use Burp’s HTTP API to send the request to Bing and parse the results. Add the following code,
ensuring that you’re tabbed correctly into our BurpExtender class, or you’ll run into errors.
def bing_query(self,bing_query_string): print "Performing Bing search: %s" % bing_query_string # encode our query quoted_query = urllib.quote(bing_query_string) http_request = "GET https://api.datamarket.azure.com/Bing/Search/Web?$. format=json&$top=20&Query=%s HTTP/1.1\r\n" % quoted_query http_request += "Host: api.datamarket.azure.com\r\n" http_request += "Connection: close\r\n" http_request += "Authorization: Basic %s\r\n" % base64.b64encode(":%s" % . bing_api_key) http_request += "User-Agent: Blackhat Python\r\n\r\n" json_body = self._callbacks.makeHttpRequest("api.datamarket.azure.com",. 443,True,http_request).tostring() json_body = json_body.split("\r\n\r\n",1)[1] try: r = json.loads(json_body) if len(r["d"]["results"]): for site in r["d"]["results"]: print "*" * 100 print site['Title'] print site['Url'] print site['Description'] print "*" * 100 j_url = URL(site['Url']) if not self._callbacks.isInScope(j_url): print "Adding to Burp scope" self._callbacks.includeInScope(j_url) except: print "No results from Bing" pass return
Okay! Burp’s HTTP API requires that we build up the entire HTTP request as a string before sending
it off, and in particular you can see that we need to base64-encode our Bing API key and use
HTTP basic authentication to make the API call. We then send our HTTP request to the Microsoft
servers. When the response returns, we’ll have the entire response including the headers, so we split
the headers off and then pass it to our JSON parser. For each set of results, we output some
information about the site that we discovered and if the discovered site is not in Burp’s target
scope, we automatically add it. This is a great blend of using the Jython API and pure Python in a
Burp extension to do additional recon work when attacking a particular target.
www.extremehacking.org
Cyber Suraksha Abhiyan, CEHv9, CHFI, ECSAv9, CAST, ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India