Credential Harvesting via MiTM – Burp Suite Tutorial

In this step by step tutorial we will discuss some of the more advanced use cases for the Burp Suite. Credential harvesting through Man In The Middle attack vectors can be your saving grace during an otherwise uneventful penetration test. You can watch a video version of this tutorial Here. This guide is intended to be educational as well as entertaining. The author does not condone or encourage illegal hacking activities.

Enable Routing

The first thing you’ll want to do is enable your attacking machine to route traffic. This way, when your victim machine makes a request to an external HTTP server you will forward the request and intercept the server’s response. This behavior is necessary for credential harvesting attacks. If it helps, you can think of yourself as an interception proxy much like the one we are using in this tutorial.

$ echo 1 > /proc/sys/net/ipv4/ip_forward

#ProTip When you try this on your own and things inevitably don’t work as easily as I have described them, check this first!

Configure IP Tables

This step creates two firewall rules which will forward all outbound requests to port 80 and 443 to your attacking machine. If your IP address is ‘192.168.10.100’, then replace ‘x.x.x.x’ with that address. Later we’ll tell Burp Suite to listen on these two ports.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination x.x.x.x
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination x.x.x.x

Configure Burp Suite

Next, we will tell Burp Suite to stand up two listening proxies, one on port 80 and one on port 443:

Click on the proxy tab and then click on the options sub-tab.
Click the add button and type ‘443’ for the bind port.
Select the all interfaces radio button.
Click on the request handling tab and check the invisible proxy support box.

If you’ve purchased or otherwise “acquired” an SSL certificate you can configure it on the certificate tab. If not, leave those settings the way they are. Repeat the above steps for port ’80’ as well.

Burp Suite Tutorial – MiTM Credential Harvesting

#ProTip Don’t sweat it if you can’t obtain a legitimate SSL Certificate. 90% of all users will click “continue anyway and die slowly of cancer” if prompted.

Poisoning With ARPSpoof

The last thing you need to do before you can begin credential harvesting is poison your victim’s ARP cache. This affectively causes the victim to think that you are their primary gateway. Assuming your victim is at ‘192.168.1.101’.

$ arpspoof -i eth0 -t 192.168.1.101 192.168.1.1

#ProTip Treat this attack vector like a scalpel and not a machine gun. That is, only poison carefully picked individual targets not entire subnets.

Credential Harvesting

Now you just have to sit back and wait for your victim to log into an HTTP or HTTPS application. Their credentials will be displayed inside a POST request within the Burp Suite interface. Pay attention to the alerts log in Burp Suite. This information can help you troubleshoot potential connectivity issues. With luck, you’ll find a user authenticating to a home grown .NET application or the company Intranet page using their Active Directory credentials.

Credential Harvesting POST Request