Burp Suite Free Edition and NTLM authentication in ASP.net applications

As you know, Burp Suite is a scanner for advanced web application security researchers. The free version, however, is more like an analogue of Firebug, though much more functional.

Let’s see how to install it and use it for website analysis. Such analysis may be needed to find vulnerabilities or to automate work with the site. As an example, let’s take ASP.net applications with NTLM authorization, which are rather unpleasant to analyze.

Go to https://portswigger.net/burp/freedownload and download the Burp installer as a bash script:

Burp Suite Free Edition

$ chmod +x burpsuite_free_linux_v1_7_26.sh
$ sudo ./burpsuite_free_linux_v1_7_26.sh
[sudo] password for user:
Unpacking JRE ...
Starting Installer ...

The graphical installer will start:

Burp installation

Binaries will be in /usr/local/bin

Burp 528mb

Launching Burp Suite Free Edition:

Burp in XFCE Menu

At the first start, we agree with the license agreement:

Burp license

Here is one of the limitations of the free version – you cannot save the project to the hard drive:

Burp disk based projects

This is what the main Burp interface looks like. On the Proxy tab we see that the proxy server 127.0.0.1:8080 is already running. Let’s set it in the Firefox web browser.

Burp proxy

Configure it in Advanced -> Network (also delete everything in “No Proxy for”):

Burp Firefox configuration

To make Firefox stop complaining about certificate substitution, you need to download the certificate from burp/cert:

Burp save cert

And add it in Advanced -> Certificate Manager -> Authorities:

Burp add certificate

Excellent. Now you can open the site you want to analyze. For the site to load fully, make sure that the Proxy tab shows “Intercept is off”:

Burp intercept is off

Now, if the site uses NTLM authorization, the proxy will not work: the site will constantly request a username and password. How do we fix this? Go to User options -> Connections and add the account:

Burp authentication

Now everything should be loaded successfully. Go to Proxy -> HTTP history and look at the requests. When you see a request with an interesting Response, you can send it to Repeater and execute it once again.

Burp http history

Here is the same request in Repeater. If it executes normally, you can copy the request as a curl command.

Burp copy as curl

Just keep in mind that NTLM authorization won’t be included in the curl command, so you will need to add:

-v --ntlm --negotiate -u username:password

The curl request can, in turn, be translated to Python almost automatically with the help of the https://curl.trillworks.com/ service.

A small update on Python and NTLM. The Python “requests” library doesn’t support NTLM authentication by default. You need to install requests-ntlm:

sudo pip install requests-ntlm

Usage example:

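import requests
from requests_ntlm import HttpNtlmAuth

# Placeholder credentials: replace with the account used for the application
domain = 'DOMAIN'
user = 'username'
password = 'password'

headers = {
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
    'Upgrade-Insecure-Requests': '1',
}

# verify=False disables TLS certificate validation; where a CA bundle is
# available, pass its path in verify instead
r = requests.get('https://app.corporation.com/?a=param_value', headers=headers, verify=False,
                 auth=HttpNtlmAuth(domain + "\\" + user, password))

print(r.text)

ASP.NET means the server runs on Windows, so don’t forget to strip the “\r” characters from the response text 😉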
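
Added example (not part of the original post): with -v, curl prints the NTLM exchange as base64 blobs in the "WWW-Authenticate: NTLM ..." and "Authorization: NTLM ..." headers. The sketch below decodes such a value to tell which of the three handshake messages it is and, for the last one, which domain and user were presented. The function names and the sample message are constructed for illustration, and it goes slightly beyond the text by covering all three message types.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE flag


def _field(msg, pos, uni):
    """Decode the string referenced by the (len, maxlen, offset) buffer at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    raw = msg[offset:offset + length]
    if len(raw) != length:
        raise ValueError("security buffer points outside the message")
    return raw.decode("utf-16-le" if uni else "cp437", errors="replace")


def describe_ntlm_header(value):
    """Summarise the value of an Authorization / WWW-Authenticate NTLM header."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    if not blob.strip():
        return {"type": "OFFER"}  # bare "NTLM": the server only advertises the scheme
    msg = base64.b64decode(blob.strip(), validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("bad NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": NAMES.get(mtype, "UNKNOWN")}
    if mtype == 2:  # server challenge: target name and 8-byte nonce
        uni = struct.unpack_from("<I", msg, 20)[0] & UNICODE
        info.update(target=_field(msg, 12, uni), challenge=msg[24:32].hex())
    elif mtype == 3:  # client response: which identity is being presented
        uni = struct.unpack_from("<I", msg, 60)[0] & UNICODE
        info.update(domain=_field(msg, 28, uni), user=_field(msg, 36, uni),
                    workstation=_field(msg, 44, uni))
    return info


def constructed_type3(domain="CORP", user="alice", host="WS01"):
    """Constructed sample (not a capture): Type 3 with empty LM/NT responses."""
    parts = [s.encode("utf-16-le") for s in (domain, user, host)]
    msg, off = SIGNATURE + struct.pack("<I", 3) + struct.pack("<HHI", 0, 0, 64) * 2, 64
    for p in parts:
        msg += struct.pack("<HHI", len(p), len(p), off)
        off += len(p)
    msg += struct.pack("<HHI", 0, 0, off) + struct.pack("<I", UNICODE)
    return "NTLM " + base64.b64encode(msg + b"".join(parts)).decode()
```

Pass describe_ntlm_header() the text that follows the header name, for example describe_ntlm_header(constructed_type3()).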
