Metasploit set rhosts file

January 31st, 2015

Just a quick tip I don’t see documented in many places: when you want to feed Metasploit a list of targets in a file, you need to use the following syntax.

set rhosts file:/path/to/file

Below is a screenshot for context.

[Screenshot: Metasploit set rhosts file]

Brute force MySQL with Nmap

December 24th, 2014

Just a quick one-liner. You can also incorporate this into a huge sweep of the network, which will hopefully identify MySQL databases with weak or default credentials.

nmap -p 3306 --script mysql-brute --script-args userdb=user.txt,passdb=pass.txt <target>
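The defensive counterpart to the one-liner above, as an added example that is not from the original post: a credential sweep like this shows up in the MySQL error log as a burst of "Access denied" entries from one source. The sketch assumes error-log lines in the MySQL 5.7+ format with denied logins recorded; the sample log, the threshold, the window and the function name are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the assumed MySQL 5.7+ error-log format.
SAMPLE_LOG = """\
2014-12-24T10:00:01.100000Z 11 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2014-12-24T10:00:01.900000Z 12 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2014-12-24T10:00:02.400000Z 13 [Note] Access denied for user 'admin'@'10.0.0.5' (using password: YES)
2014-12-24T10:00:03.000000Z 14 [Note] Access denied for user 'admin'@'10.0.0.5' (using password: YES)
2014-12-24T10:00:03.700000Z 15 [Note] Access denied for user 'mysql'@'10.0.0.5' (using password: NO)
2014-12-24T10:05:00.000000Z 16 [Note] Access denied for user 'app'@'10.0.0.9' (using password: YES)
2014-12-24T10:20:00.000000Z 17 [Note] Access denied for user 'app'@'10.0.0.9' (using password: YES)
2014-12-24T10:21:00.000000Z 18 [Note] Aborted connection 18 to db: 'shop' user: 'app' host: '10.0.0.9'
"""

# Timestamp (to the second), thread id, [Note], then the denied user and source host.
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+\d+\s+\[Note\].*?"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_host: sorted usernames tried} for every host with at
    least `threshold` denied logins inside any sliding `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
            events[m.group("host")].append((ts, m.group("user")))
    flagged = {}
    for host, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = sorted({user for _, user in hits})
                break
    return flagged

if __name__ == "__main__":
    for host, users in find_bruteforce(SAMPLE_LOG).items():
        print(host, "tried", users)
```

The occasional mistyped password from 10.0.0.9 stays below the threshold, while the burst from 10.0.0.5 across several accounts is flagged.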

Sqlmap – crawl and discover SQL injections

September 7th, 2014

I use these command-line switches to automate the process; I’ve had some good results.

python sqlmap.py -u <URL> --forms --batch --crawl=10 --cookie=jsessionid=12345 --level=5 --risk=3


-u = URL

--forms = Parse and test forms

--batch = non-interactive mode; Sqlmap will usually ask you questions, and this accepts the default answers

--crawl = how deep you want to crawl a site

--cookie = put cookie in here if you want to do an authenticated scan

--level = level of tests to perform; 1 is the default and 5 is the most

--risk = risk of tests to perform; 1 is the default and 3 is the most

Burp extension environment for Python

December 7th, 2013

This post will explain how to set up Burp so that you can use Python to write Burp extensions. Burp has an API that allows for extensions which add to the functionality of Burp. The Burp suite itself is written in Java, so Burp natively supports Java extensions, but through Jython you can now use Python scripts to build extensions. This comes in handy if you are more comfortable using Python day to day.

The first thing you’ll need to do is download Jython. I downloaded the traditional installer, which will end in a JAR extension. In order for the installer to work, you’ll need to have already installed the Java runtime environment (JRE). Now double-click the JAR file to install.

I chose the standard installation type.

Next it should hopefully recognize where your JRE is installed.

Hopefully you get to the last window during the install process that says congratulations.

Now that Jython is installed correctly, we need to fire up Burp and configure it to use Jython for our Python scripts. Once in Burp, go to the Extender tab, then Options. There you will see a section labeled “Python Environment”; simply point it to the location of your Jython JAR file. I accepted the defaults during install, and my location was C:\jython2.5.4rc1\jython.jar. See the screenshot below.

After this we are ready to load our first Python extension into Burp. Go back to the Burp extension page and download the HelloWorld zip file, which contains a Python example. Under the Extensions tab you can click “Add”, choose the Python extension type and simply pick the example. After loading the extension you should see the window below.

You’ll also see some errors generated in the Errors tab.

This is normal, as the example is meant to show you what errors would look like as well. There you have it: you have just loaded your first Python extension in Burp. Hopefully I will follow up with extensions I find useful and how they can help in performing application security assessments. Feel free to contact me or leave feedback.

Burp suite tip / tutorial: History logs at the top

August 31st, 2013

When performing an assessment of a web application, I’ll spend most of my time in the History tab under the Proxy tab. By default Burp will append the latest request to the bottom of that History log, which means that I have to keep scrolling down to see my latest request to the application. This can be annoying, and it’s better if my latest request is at the top of the History log. Luckily this is an easy fix with the proper sort in the History tab: simply click on the first column, which will keep your latest request at the top.