Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc
[Guide] How to Generating Scan Reports Using Nmap (Output Scan) - Printable Version




[Guide] How to Generating Scan Reports Using Nmap (Output Scan) - NINZA - 05-14-2020

Hello friends, you have probably used Nmap many times to perform network scanning and enumerate the active port services of a target machine, but there are times when we want to save the Nmap scan. Nmap's output options save the result of a scan in different formats.
Let’s begin.
Requirement
Attacker: Kali Linux
Target’s IP: 192.168.1.113
Normal Output Format
-oN <filespec> (normal output)
Nmap supports different formats for saving scan results. Depending on your needs, you can choose between normal, XML, and grepable output. Normal mode saves the output as you see it on your screen, minus the runtime debugging information. This mode presents the findings in a well-structured and easy-to-understand manner.
nmap 192.168.1.113 -oN /root/Desktop/nmap

[Image: 1.png?w=687&ssl=1]
Now the scan is saved on the desktop and we can read it with cat or a text editor.
cat Desktop/nmap
[Image: 2.png?w=687&ssl=1]
XML Output Format
-oX <filespec> (XML output)
XML (Extensible Markup Language) is a widely used, tree-structured file format supported by Nmap. To save the scan results to a file in XML format, add the option -oX <filename>, as shown in the following command:
nmap -p80 192.168.1.113 -oX ~/Desktop/nmap.xml

[Image: 3.png?w=687&ssl=1]
The XML output also includes additional debugging information when you save the scan results in this format.
An XML file, when generated, will contain the following information:
  • Host and port states
  • Services
  • Timestamps
  • Executed command
  • Nmap Scripting Engine output
  • Run statistics and debugging information
You can view the output in Gedit; it will look as shown below.
[Image: 4.png?w=687&ssl=1]
We can also convert the Nmap scan that we saved in XML format earlier into a portable HTML report with xsltproc (the XML file references Nmap's own nmap.xsl stylesheet, which xsltproc applies):
xsltproc Desktop/nmap.xml -o nmap.html
[Image: 5.1.png?w=687&ssl=1]
Now open the nmap.html file in your favourite browser. Here is a screenshot of the converted HTML report. As you can see, it is very simply formatted and easy to read and understand.
[Image: 5.2.png?w=687&ssl=1]
Script kiddie output
-oS <filespec> (ScRipT KIdd|3 oUTpuT)
Script kiddie output is like interactive output, except that it is post-processed to better suit the l33t HaXXorZ; the option was added as a joke about script kiddies.
nmap 192.168.1.113 -oS /root/Desktop/nmap

[Image: 5.png?w=687&ssl=1]
Now we can see that the file is saved on the desktop and is similar to the normal scan output.
cat Desktop/nmap
[Image: 6.png?w=687&ssl=1]
Grepable Output Format
-oG <filespec> (grepable output)
The grepable format was included to help users extract information from logs without having to write a parser, as this format is meant to be read and parsed with standard UNIX tools. To save the scan results to a file in the grepable format, add the option -oG <filename>, as shown in the following command:
nmap 192.168.1.113 -oG /root/Desktop/nmap

[Image: 7.png?w=687&ssl=1]
In grepable mode, each host is placed on a single line in the format <field name>: <value>, and the fields are separated by tabs (\t). The number of fields depends on which Nmap options were used for the scan.
There are eight possible output fields:
  • Host: This field is always included, and it consists of the IP address and reverse DNS name if available
  • Status: This field has three possible values—Up, Down, or Unknown
  • Ports: In this field, port entries are separated by a comma and a space character, and each entry is divided into seven fields by forward slash characters (/)
  • Protocols: This field is shown when an IP protocol (-sO) scan is used
  • Ignored: This field shows the number of port states that were ignored
  • OS: This field is only shown if OS detection (-O) was used
  • Seq Index: This field is only shown if OS detection (-O) was used
  • IP ID Seq: This field is only shown if OS detection (-O) was used
cat Desktop/nmap
[Image: 8.png?w=687&ssl=1]
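As an added example (not part of the original post or of Nmap itself), the following Python script parses both the XML (-oX) format and the grepable (-oG) format described above into one structure and then reports the ports that are newly open compared with a baseline scan, which is the usual defender's reason for keeping saved scan output. The embedded SAMPLE_XML and SAMPLE_GNMAP strings are constructed to mimic Nmap's formats and are not real scan results; the host 192.168.1.113 and the function names are this example's own.

```python
"""Parse Nmap XML (-oX) and grepable (-oG) output into one structure and
diff two scans.  Added example; SAMPLE_XML and SAMPLE_GNMAP are constructed
to mimic Nmap's formats and are not real scan results."""
import re
import xml.etree.ElementTree as ET

# Constructed -oX output (baseline scan: 22 and 80 open, 443 closed).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p22,80,443 192.168.1.113 -oX nmap.xml" start="1589443200">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.113" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
    </ports>
  </host>
  <runstats><finished elapsed="5.12"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

# Constructed -oG output of a later scan of the same host: 443 is now open and
# 8080 has appeared.  Fields are tab-separated '<name>: <value>' pairs.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated Fri May 15 10:00:00 2020 as: nmap -p22,80,443,8080 -oG nmap.gnmap 192.168.1.113\n"
    "Host: 192.168.1.113 ()\tStatus: Up\n"
    "Host: 192.168.1.113 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (996)\n"
    "# Nmap done at Fri May 15 10:00:05 2020 -- 1 IP address (1 host up) scanned in 5.20 seconds\n"
)


def parse_xml(text):
    """Return {addr: {"status": state, "ports": {(proto, port): (state, service)}}}."""
    hosts = {}
    for host in ET.fromstring(text).findall("host"):
        addr = host.find("address").get("addr")
        entry = {"status": host.find("status").get("state"), "ports": {}}
        for port in host.findall("./ports/port"):
            svc = port.find("service")
            entry["ports"][(port.get("protocol"), int(port.get("portid")))] = (
                port.find("state").get("state"),
                svc.get("name") if svc is not None else "",
            )
        hosts[addr] = entry
    return hosts


def parse_grepable(text):
    """Same structure as parse_xml, built from -oG lines.  A port entry is
    'port/state/proto/owner/service/rpcinfo/version/' (seven slash-separated
    fields with a trailing slash); entries are separated by ', '."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' header and footer comments
        fields = {}
        for chunk in line.split("\t"):
            name, _, value = chunk.partition(":")
            fields[name.strip()] = value.strip()
        addr = fields["Host"].split()[0]
        entry = hosts.setdefault(addr, {"status": "unknown", "ports": {}})
        if "Status" in fields:
            entry["status"] = fields["Status"].lower()
        for item in filter(None, re.split(r",\s*", fields.get("Ports", ""))):
            parts = item.split("/")
            entry["ports"][(parts[2], int(parts[0]))] = (parts[1], parts[4])
    return hosts


def new_open_ports(baseline, current):
    """Ports that are open in `current` but were not open in `baseline`, per host."""
    changes = {}
    for addr, entry in current.items():
        before = baseline.get(addr, {"ports": {}})["ports"]
        opened = sorted(
            key for key, (state, _) in entry["ports"].items()
            if state == "open" and before.get(key, ("", ""))[0] != "open"
        )
        if opened:
            changes[addr] = opened
    return changes


if __name__ == "__main__":
    delta = new_open_ports(parse_xml(SAMPLE_XML), parse_grepable(SAMPLE_GNMAP))
    for addr, ports in delta.items():
        print(addr, "newly open:", ", ".join(f"{p}/{proto}" for proto, p in ports))
```

Running it prints 443/tcp and 8080/tcp as newly open on 192.168.1.113. Because both parsers return the same structure, a baseline saved with -oA (which writes .xml and .gnmap together) can be compared against any later scan regardless of which format was kept.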
Saving Output in ALL Format
-oA <basename> (Output to all formats)
Nmap supports the alias option -oA <basename>, which saves the scan results in all of the available formats: normal, XML, and grepable. The files are generated with the extensions .nmap, .xml, and .gnmap respectively.
nmap 192.168.1.113 -oA /root/Desktop/nmap

[Image: 9.png?w=687&ssl=1]
Now we check the directory and find all three file types available to us.
[Image: 10.png?w=687&ssl=1]

Port scanning is a technique used by penetration testers to identify the state of network services associated with particular port numbers. For example, port 80 is commonly used for the HTTP service and port 22 for the SSH service. We suggest using Nmap for enumerating port states and learning how Nmap works in detail.

Moreover, Metasploit also provides port scanning modules for enumerating network services, which makes it easier compared to Nmap.
Let’s start!!
Requirement
Attacker:  Kali Linux (192.168.1.103)
Target: Ubuntu (192.168.1.105)
Open the terminal and add the iptables rules given below for incoming traffic on the target, which drop TCP ACK packets to port 80 and SYN packets to port 22 respectively.
sudo iptables -I INPUT -p tcp --tcp-flags ALL ACK --dport 80 -j DROP
sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN --dport 22 -j DROP

[Image: 1.png?w=687&ssl=1]
ACK Scan
Now open the terminal in your Kali Linux, type msfconsole to load the Metasploit framework, and execute the auxiliary commands given below to run the specific module.
This module maps out firewall rulesets with a raw ACK scan. Any unfiltered ports found means a stateful firewall is not in place for them.
As specified in the commands below, this module sends ACK packets to ports 21, 22, 80 and 443 to enumerate the state of the firewall for these ports. If it receives a RST packet as a reply from a destination port, it displays the unfiltered state for that port; if it does not receive a RST packet, it shows nothing for that port, which means the port is protected by the firewall.
use auxiliary/scanner/portscan/ack
msf auxiliary(ack) > set rhosts 192.168.1.105
msf auxiliary(ack) > set ports 21,22,80,443
msf auxiliary(ack) > exploit

From the image below you can observe that it shows TCP unfiltered for ports 21, 22 and 443 and nothing for port 80, hence port 80 is filtered. This scan can only be used for identifying the state of the firewall, i.e. whether a port is filtered or unfiltered.
[Image: 2.png?w=687&ssl=1]
We used Wireshark to demonstrate the ACK scan, and here you can observe that port 80 doesn’t reply with a RST packet, which means the ACK packet for port 80 was blocked by the network administrator.
[Image: 3.png?w=687&ssl=1]
SYN Scan
This module enumerates open TCP services using a raw SYN scan. Here a SYN packet is sent to ports 21, 22, 80 and 443 to enumerate the open/closed state of these ports. If it receives a SYN/ACK packet as a reply from a destination port, it displays the OPEN state for that port; if it does not receive a SYN/ACK packet, it shows nothing for that port, which indicates a filtered or closed state.
use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set rhosts 192.168.1.105
msf auxiliary(syn) > set ports 21,22,80,443
msf auxiliary(syn) > exploit

From the image below you can observe that it shows TCP OPEN for ports 21, 80 and 443 and nothing for port 22, hence port 22 is filtered or closed.
[Image: 4.png?w=687&ssl=1]
Again we used Wireshark to demonstrate the SYN scan, and here you can observe that port 22 doesn’t reply with a SYN/ACK packet, which means the SYN packet for port 22 was blocked by the network administrator.
Moreover, you can observe the following packet exchange between the source and destination ports.
  • Source port sends SYN packet to the destination port
  • Source port receives SYN, ACK packet from the destination port
  • Source port sends RST packet to the destination port
[Image: 5.png?w=687&ssl=1]
TCP Scan
Enumerate open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.
use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set rhosts 192.168.1.105
msf auxiliary(tcp) > set ports 21,22,80,443
msf auxiliary(tcp) > exploit

This scan is similar to the SYN scan; the only difference is that it completes the full TCP communication (the 4-way exchange shown below), whereas the SYN scan performs only a half-open TCP connection.
From the image below you can observe that it shows TCP OPEN for ports 21, 80 and 443 and nothing for port 22, hence port 22 is filtered or closed.
[Image: 6.png?w=687&ssl=1]
Here you can observe that port 22 doesn’t reply with a SYN/ACK packet, which means the SYN packet for port 22 was blocked by the network administrator.
Moreover, you can observe the following packet exchange between the source and destination ports.
  • Source port sends SYN packet to the destination port
  • Source port receives SYN, ACK packet from the destination port
  • Source port sends ACK packet to the destination port
  • Source port sends FIN, ACK packet to the destination port
[Image: 7.png?w=687&ssl=1]
XMAS Scan
Enumerate open|filtered TCP services using a raw “Xmas” scan; this sends probes containing the FIN, PSH, and URG flags.
Instead of using the TCP 3-way handshake, this scan uses other TCP flags to enumerate the state of the ports.
use auxiliary/scanner/portscan/xmas
msf auxiliary(xmas) > set rhosts 192.168.1.105
msf auxiliary(xmas) > set ports 21,22,80,443
msf auxiliary(xmas) > exploit

From the image below you can observe that this time it shows TCP OPEN|FILTERED for all ports, i.e. 21, 22, 80 and 443.
[Image: 8.png?w=687&ssl=1]
If you look at the image below, the source port sends FIN, PSH and URG packets to the destination and the destination port doesn’t send any reply, which indicates the ports above are open|filtered; if a destination port sends a RST/ACK packet back to the source port, that indicates the port is closed.
[Image: 9.png?w=687&ssl=1]
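The ACK, SYN, TCP connect and Xmas scans above each leave a distinct flag pattern on the wire, and that pattern is exactly what a network sensor on the target side keys on. The following Python script is an added detection example (not from the original post or from Metasploit): it walks a packet log and attributes probes to a source by pattern, namely bare ACKs with no preceding SYN (the ACK scan), SYN/ACK answered with RST instead of ACK (the half-open SYN scan), and FIN+PSH+URG probes (the Xmas scan). The PACKETS list is constructed to mirror the lab in the text (Kali 192.168.1.103 probing Ubuntu 192.168.1.105 on 21, 22, 80 and 443, with the iptables rules dropping ACK to 80 and SYN to 22) and adds one legitimate client; the function names and the alert threshold are this example's own.

```python
"""Classify TCP port-scan probes in a packet log by their flags.
Added detection example (not from the original post or Metasploit).  PACKETS is
constructed to mirror the scans in the text: Kali 192.168.1.103 probing Ubuntu
192.168.1.105 on ports 21, 22, 80 and 443, plus one legitimate client."""
from collections import defaultdict

# Constructed records: (src, sport, dst, dport, flags) with S=SYN A=ACK R=RST
# F=FIN P=PSH U=URG.
PACKETS = [
    # ACK scan: bare ACKs with no handshake; 21/22/443 answer RST, 80 is dropped by the firewall
    ("192.168.1.103", 40001, "192.168.1.105", 21, "A"),
    ("192.168.1.105", 21, "192.168.1.103", 40001, "R"),
    ("192.168.1.103", 40002, "192.168.1.105", 22, "A"),
    ("192.168.1.105", 22, "192.168.1.103", 40002, "R"),
    ("192.168.1.103", 40003, "192.168.1.105", 80, "A"),
    ("192.168.1.103", 40004, "192.168.1.105", 443, "A"),
    ("192.168.1.105", 443, "192.168.1.103", 40004, "R"),
    # SYN (half-open) scan: SYN, SYN/ACK, then RST instead of ACK; the SYN to 22 is dropped
    ("192.168.1.103", 40005, "192.168.1.105", 21, "S"),
    ("192.168.1.105", 21, "192.168.1.103", 40005, "SA"),
    ("192.168.1.103", 40005, "192.168.1.105", 21, "R"),
    ("192.168.1.103", 40006, "192.168.1.105", 22, "S"),
    ("192.168.1.103", 40007, "192.168.1.105", 80, "S"),
    ("192.168.1.105", 80, "192.168.1.103", 40007, "SA"),
    ("192.168.1.103", 40007, "192.168.1.105", 80, "R"),
    ("192.168.1.103", 40008, "192.168.1.105", 443, "S"),
    ("192.168.1.105", 443, "192.168.1.103", 40008, "SA"),
    ("192.168.1.103", 40008, "192.168.1.105", 443, "R"),
    # Xmas scan: FIN+PSH+URG probes, answered by silence (open|filtered)
    ("192.168.1.103", 40009, "192.168.1.105", 21, "FPU"),
    ("192.168.1.103", 40010, "192.168.1.105", 22, "FPU"),
    ("192.168.1.103", 40011, "192.168.1.105", 80, "FPU"),
    ("192.168.1.103", 40012, "192.168.1.105", 443, "FPU"),
    # Legitimate client completing a full handshake to port 80: must not be flagged
    ("192.168.1.50", 50000, "192.168.1.105", 80, "S"),
    ("192.168.1.105", 80, "192.168.1.50", 50000, "SA"),
    ("192.168.1.50", 50000, "192.168.1.105", 80, "A"),
]


def classify_probes(packets):
    """Return {src: {probe_type: {dport, ...}}} for the three probe patterns."""
    syn_sent = set()      # (src, sport, dst, dport): client sent a SYN
    synack_got = set()    # same key, client's view: server answered SYN/ACK
    hits = defaultdict(lambda: defaultdict(set))
    for src, sport, dst, dport, flags in packets:
        f, key = set(flags), (src, sport, dst, dport)
        if f == {"F", "P", "U"}:
            hits[src]["xmas"].add(dport)            # Xmas probe, never part of a real session
        elif f == {"S"}:
            syn_sent.add(key)
        elif f == {"S", "A"}:
            synack_got.add((dst, dport, src, sport))
        elif f == {"A"} and key not in syn_sent:
            hits[src]["ack"].add(dport)             # ACK with no handshake: ACK-scan pattern
        elif f == {"R"} and key in synack_got:
            hits[src]["syn_halfopen"].add(dport)    # SYN/ACK answered with RST: half-open scan
    return hits


def scan_alerts(packets, min_ports=3):
    """One alert per (source, probe type) that touched at least min_ports distinct ports."""
    alerts = []
    for src, kinds in classify_probes(packets).items():
        for kind, ports in kinds.items():
            if len(ports) >= min_ports:
                alerts.append((src, kind, sorted(ports)))
    return sorted(alerts)


if __name__ == "__main__":
    for src, kind, ports in scan_alerts(PACKETS):
        print(f"{src}: {kind} probes to ports {ports}")
```

The script raises three alerts for 192.168.1.103 (ack, syn_halfopen and xmas) and none for 192.168.1.50. Note what it cannot do: the TCP connect scan from the text completes a real handshake and so looks like the legitimate client; catching it needs a per-source count of distinct destination ports within a time window rather than a flag signature, and a real sensor must also expire the syn_sent and synack_got state instead of growing it forever.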

What is Mimikatz?
Mimikatz is a tool written in C by Benjamin Delpy (gentilkiwi). It is a great tool to extract plaintext passwords, hashes and Kerberos tickets from memory. It can also be used to generate Golden Tickets.

You can get Mimikatz as a ZIP from the releases page of its GitHub repository, or you can build it yourself from the git source.

Mimikatz comes in two architectures: x32 (32-bit) and x64. Here is a screenshot of the x64 mimikatz console.
[Image: 1.png?w=687&ssl=1]
Generate Skeleton Key with Mimikatz
Victim: Windows Server 2012 R2 (Domain Controller)
Attacker: Mimikatz (On Windows Server 2012 R2)
In this attack, mimikatz patches the Domain Controller in memory so that it accepts “mimikatz” as an additional login password. It can be thought of as a master key that opens Active Directory to the attacker. The attack is performed as shown below.
First, I will try to log in to my server using mimikatz as the password.
[Image: 2.png?w=687&ssl=1]
As you can clearly see, we cannot log in to the server using ‘mimikatz’ as the password.
[Image: 3.png?w=687&ssl=1]
Now I will log in to the server using its real password, which is ‘T00r’.
[Image: 4.png?w=687&ssl=1]
And as you can see below, I have logged in to the server using the correct password.
[Image: 5.png?w=687&ssl=1]
If you are ever logged in on a server, or have a server unlocked, you can create a skeleton key that is stored inside the server's memory by using Mimikatz.
Launch the Mimikatz console matching the architecture of the server (x32, x64). First we obtain the debug privilege in Mimikatz using
privilege::debug

And then we inject the mimikatz skeleton key into the memory of the server using
misc::skeleton

With this, we have our skeleton key successfully injected on the server.
Note: you have to run mimikatz with administrative privileges to create a skeleton key.
[Image: 6.png?w=687&ssl=1]
Now I will try to log in to the server using the skeleton key “mimikatz” that we just injected into memory. Remember that last time we tried to log in to the server using mimikatz as the password we were unsuccessful.
[Image: 7.png?w=687&ssl=1]
But this time ‘mimikatz’ was accepted as a password. This does not mean that we reset the original password ‘T00r’. The server will continue to accept ‘T00r’, but now it also accepts ‘mimikatz’ as a password.
Now, remember that we injected the skeleton key into memory, not onto disk, so the next time the admin restarts the server we lose the access. So the best way to protect your Domain Controller from a skeleton key is to restart the server frequently or to prevent mimikatz from accessing its memory.
[Image: 8.png?w=687&ssl=1]
Blue Screen of Death (BSOD) with Mimikatz
Attacker: Mimikatz (on Windows 7)
Victim: Windows 7
We can trigger a Blue Screen of Death (BSOD) using mimikatz, which shows how powerful this tool is. To perform the BSOD on a system, follow the steps below:
  • Run mimikatz as Administrator
  • Start the mimidrv service:
!+

[Image: 9.png?w=687&ssl=1]
Now trigger the BSOD with the following command.
!bsod

[Image: 10.png?w=687&ssl=1]
As you can see below, we have the Blue Screen of Death error.
Note: This attack can corrupt data and potentially harm the system. Use carefully!!
[Image: 11.png?w=687&ssl=1]
Display Hostname
You can extract the hostname of the victim system by typing hostname in the mimikatz console.
hostname

We have extracted the hostname of the system as Pavan-pc
[Image: 13.png?w=687&ssl=1]
Golden Ticket Generation with Mimikatz
Attacker: Mimikatz on Windows Server 2012 R2
Victim: Windows Server 2012 R2
To Generate a Golden Ticket, we will require the following information:
  1. Domain
  2. SID
  3. NTLM Hash
Let’s get the Domain First.
To get the domain, we run ipconfig /all from the command line or PowerShell.
[Image: 14.png?w=687&ssl=1]
  • Domain on my Server is Pavan.local
  • Now, to get the SID, we use the whoami /user command as shown in the image below.
[Image: 15.png?w=687&ssl=1]
Now we will use mimikatz itself to extract the NTLM hash required to generate the ticket.
First, we obtain the debug privilege using the following command.
privilege::debug

And now, to extract hashes, we run the following command.
sekurlsa::logonpasswords

[Image: 16.png?w=687&ssl=1]
And now we have everything we need to generate the ticket.
Syntax: kerberos::golden /domain:[Domain] /sid:[SID] /rc4:[NTLM Hash] /user:[Username To Create] /id:500 /ptt
kerberos::golden /domain:PAVAN.LOCAL /sid:S-1-5-21-1118594253-693012904-2765600535 /rc4:9a7a6f22651d6a0fcc6e6a0c723c9cb0 /user:hacker /id:500 /ptt

Here I am creating the golden ticket for a user named ‘hacker’; you can use any of the existing users of the domain or create a new one.
I am using the /ptt option to pass the ticket into the current session.
[Image: 17.png?w=687&ssl=1]
Now open the command prompt to access the share folder and execute the command given below:
pushd \\WINSERVER01\c$

Now that we are on the mapped Z: drive, execute the commands below to look at the NT Directory Services folder:
cd WINDOWS\NTDS
DIR

As you can see, we get access to the shared folder, which cannot be accessed without admin access, but we obtained it without running CMD as administrator. From the image below you can observe that it shows 8 files and 2 folders.
[Image: 18.png?w=687&ssl=1]
Remotely Generating Golden Ticket
Attacker: Kali
Victim: Windows Server 2012 R2
First, get Meterpreter access to the server; how to do that is covered in a separate guide.


[Image: 19.png?w=687&ssl=1]
Once you have the meterpreter session, upload the mimikatz folder to the victim system using the command
upload -r /root/Desktop/mimi c:\

Remember to use -r so that the upload command uploads recursively.
[Image: 20.png?w=687&ssl=1]
Open a shell and extract the domain using ipconfig /all
[Image: 21.png?w=687&ssl=1]
And the SID using whoami /user
[Image: 22.png?w=687&ssl=1]
Now go to the location where we uploaded mimikatz earlier and run mimikatz.exe as shown below
[Image: 23.png?w=687&ssl=1]
Now let’s extract the krbtgt NTLM hash using the following command
lsadump::lsa /inject /name:krbtgt

[Image: 24.png?w=687&ssl=1]
Now, using all the information extracted, let’s generate a golden ticket in the same way we did above.
kerberos::golden /domain:pavan.loc /sid:S-1-5-21-97841242-3460736137-492355079 /rc4:e847d2e54044172830e3e3a6b8438853 /user:Hacker /id:500 /ptt

[Image: 25.png?w=687&ssl=1]
Now let’s access the share folder; as you can see, we get access to the shared folder, which cannot be accessed without admin access.
Hence we successfully generated a golden ticket on a Windows Server remotely via Kali.
[Image: 26.png?w=687&ssl=1]
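The Skeleton Key, BSOD and Golden Ticket sections above each leave traces a defender can look for in the Domain Controller's event logs: a golden ticket is forged on the attacker's side, so the account presents service-ticket requests (event 4769) with no TGT request (event 4768) ever logged for it, it is often issued for an account that does not exist in the directory (the ‘hacker’ user above), and because it is built from the RC4 krbtgt hash (/rc4:) the ticket uses RC4-HMAC (encryption type 0x17) where the domain otherwise negotiates AES (0x12); the skeleton key likewise forces RC4 for the users it patches, and the !+ step installs the mimidrv kernel driver as a service (event 7045). The following Python script is an added defender-side example (not from the original post or from mimikatz) that applies those checks to a list of event records. The EVENTS and KNOWN_USERS data are constructed to resemble the fields of the Windows events named; the function name and the one-hour lookback window are this example's own choices.

```python
"""Flag event-log records that fit Golden Ticket and Skeleton Key activity.
Added defender-side example (not from the original post or mimikatz).  Event
records are constructed; the event IDs and encryption types are the ones
Windows uses: 4768 = TGT requested, 4769 = service ticket requested,
7045 = service installed, ticket encryption 0x17 = RC4-HMAC, 0x12 = AES256."""

RC4_HMAC = "0x17"
# Constructed directory listing used to spot ticket requests for accounts that do not exist.
KNOWN_USERS = {"administrator", "pavan", "krbtgt", "winserver01$"}

EVENTS = [  # constructed; 'ts' is seconds, other keys mirror Windows event fields
    {"ts": 100, "id": 4768, "user": "pavan", "ip": "192.168.1.20", "etype": "0x12"},
    {"ts": 101, "id": 4769, "user": "pavan", "ip": "192.168.1.20", "etype": "0x12",
     "service": "cifs/WINSERVER01"},
    # golden ticket: service ticket for 'hacker' with no TGT request on record, RC4 ticket
    {"ts": 300, "id": 4769, "user": "hacker", "ip": "192.168.1.21", "etype": "0x17",
     "service": "cifs/WINSERVER01"},
    # skeleton key side effect: an AES-capable user suddenly negotiating RC4 for a TGT
    {"ts": 400, "id": 4768, "user": "pavan", "ip": "192.168.1.22", "etype": "0x17"},
    # mimidrv loaded as a kernel driver service (the '!+' step before '!bsod')
    {"ts": 500, "id": 7045, "service_name": "mimidrv",
     "image": "\\??\\C:\\mimi\\mimidrv.sys", "service_type": "kernel mode driver"},
]


def find_indicators(events, known_users, tgt_window=3600):
    """Return (timestamp, event id, reason) tuples for every suspicious record."""
    tgt_times = {}  # user -> timestamps of 4768 events seen so far
    found = []
    for e in sorted(events, key=lambda rec: rec["ts"]):
        eid = e["id"]
        if eid in (4768, 4769):
            user = e["user"].lower()
            if eid == 4768:
                tgt_times.setdefault(user, []).append(e["ts"])
            if user not in known_users:
                found.append((e["ts"], eid, f"ticket activity for unknown account '{e['user']}'"))
            if e["etype"] == RC4_HMAC:
                found.append((e["ts"], eid, f"RC4 (0x17) ticket for '{e['user']}' where AES is expected"))
            if eid == 4769 and not any(e["ts"] - t <= tgt_window for t in tgt_times.get(user, [])):
                found.append((e["ts"], eid, f"service ticket for '{e['user']}' with no TGT request "
                                            f"in the last {tgt_window}s"))
        elif eid == 7045 and "mimidrv" in e.get("service_name", "").lower():
            found.append((e["ts"], eid, f"kernel driver service '{e['service_name']}' "
                                        f"installed from {e['image']}"))
    return found


if __name__ == "__main__":
    for ts, eid, reason in find_indicators(EVENTS, KNOWN_USERS):
        print(f"t={ts} event {eid}: {reason}")
```

On the constructed data the first two records (a normal AES logon) produce nothing, while the ‘hacker’ ticket trips all three golden-ticket checks and the later RC4 TGT and mimidrv service each trip one. In production the TGT-lookback check needs the full log history of the DC that issued the TGT (tickets are valid for hours and renewals legitimately arrive later), and the RC4 check must be scoped to accounts known to support AES, otherwise legacy accounts will generate noise.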
Hack the Minesweeper Game
We have all played the Minesweeper game, and it is tough to get all the mines right, but those days of worry are over. To show that Mimikatz is a powerful but playful tool, here I will hack the Minesweeper game using Mimikatz.
Firstly open Mimikatz of your respective architecture.
[Image: 27.png?w=687&ssl=1]
And then open the Minesweeper Game
[Image: 28.png?w=687&ssl=1]
Load Minesweeper into mimikatz using
minesweeper::infos

You can see in the above screenshot that the minesweeper grid is shown in the mimikatz shell.
[Image: 29.png?w=687&ssl=1]
Now click on any Random block on the minesweeper.
[Image: 30.png?w=687&ssl=1]
Now run the previous command again, and we have the locations of the mines on the grid.
[Image: 31.png?w=687&ssl=1]
You can verify this image against the one in the Mimikatz shell.
[Image: 32.png?w=687&ssl=1]

Today we are going to discuss the advanced options of Burp Suite Pro for web penetration testing; here we used the bWAPP lab and the Acunetix vulnerable web application, both of which are available online for web application penetration testing practice.

Burp suite Advanced Usage
  • Burp Infiltrator
  • Macros
  • Burp Clickbandit
Burp Infiltrator
Burp Infiltrator is a tool used to instrument target web applications so that they can be tested with Burp Scanner. Instrumenting the application lets Burp detect cases where its input reaches potentially unsafe APIs on the server side.
Burp Infiltrator supports applications which are written in:
  • Java, Groovy, Scala, or other JVM languages (JRE versions 1.4 – 1.8)
  • C#, VB, or other .NET languages (.NET versions 2.0 and later)
Let’s start!!
First, we need to enable Burp Infiltrator from the Burp tab in Burp Suite by selecting the Burp Infiltrator option. A Burp Infiltrator dialog then appears, where you select the type of application you want to instrument, as shown in the image.
[Image: 1.png?w=687&ssl=1]
After that, we need to select the folder where we want the Infiltrator file to be saved so that we can enable it later using the terminal.
[Image: 2.png?w=687&ssl=1]
Next, we will give the path of the folder where the infiltrator file will be saved as shown in the image.
[Image: 3.png?w=687&ssl=1]
Then the Burp Infiltrator file will be saved as burp_infiltrator_java.jar.
[Image: 4.png?w=687&ssl=1]
Now, to enable the Burp Infiltrator file, we go to the path of the file in the terminal and execute it with the command java -jar burp_infiltrator_java.jar --non-interactive. Press Enter and the file will be executed.
[Image: 5.png?w=687&ssl=1]
We used --non-interactive in our command so that it automatically applies the default settings; otherwise we would have to configure all the settings manually. Now we can intercept the requests of any website or application based on the supported parameters, as shown in the image.
[Image: 6.png?w=687&ssl=1]
Turn off the Intercept tab. Select the Target tab, where we can see a sub-tab called Site map, as shown in the image.
[Image: 7.png?w=687&ssl=1]
Then select the URL you want to scan using Burp Infiltrator: right-click on the URL and select the option Actively scan this host. This reports all the issues related to the website or application we want to scan. All the issues found for the scanned URL can be seen in the Issues panel, as shown in the image.
[Image: 8.png?w=687&ssl=1]
Macros
Burp Suite has a session handling ability that can be used to run macros according to session handling rules. A macro is a predefined sequence of one or more requests. Typical uses of macros include:
  • Fetching a page, such as a user’s home page, just to check whether the current session is still valid.
  • Performing a login operation to obtain a new valid session.
  • Obtaining a token or nonce to use as a parameter in another request.
The Macros can be recorded using your browser. When defining a macro, Burp suite displays the Proxy history, from which you can select the requests to be used for the macro. You can select from previously made requests, or record a fresh macro and select the new items from the history. When you have recorded the macro, the macro editor shows the details of the items in the macro, which you can review and configure as per requirement.
Let’s start!!
First, we have intercepted the login request of Bwapp Lab where we have given the default username and password as shown in the image.
[Image: 9.png?w=687&ssl=1]
The request is captured in the Intercept tab. Right-click anywhere on the captured request, then select the option Do intercept and its sub-option Response to this request. Click on it.
[Image: 10.png?w=687&ssl=1]
Then forward the captured requests until we are successfully logged in to the bWAPP lab.
After that go to Project options Tab where we need to select the Sessions Tab as shown in the image.
[Image: 12.png?w=687&ssl=1]
Click on Add Button under the Session Handling Rules which will open a Session handling rule editor window where we have given a name to the Rule under the Rule description as shown in the image.
[Image: 13.png?w=687&ssl=1]
Click the Add button under Rule Actions and select the Check session is valid option, which opens the Session handling action editor window. Give an expression you want Burp Suite to look for in the URL (we used login.php) and tick the option If session is invalid, perform the action below, as shown in the image.
[Image: 14.png?w=687&ssl=1]
Click on Add Button under Select Macro which opens a window of Macro Recorder where we will select the item from the proxy history that we want to include in the Macro as shown in the image, Click Ok.
[Image: 15.png?w=687&ssl=1]
Next, the Macro Editor window will open where we will give a name to the macro in the Macro description field as shown in the image. Click Ok.
[Image: 16.png?w=687&ssl=1]
After this we get back to the Session handling rule editor, where we click on the Scope tab. Tick the options Extender and Proxy under Tools Scope and Include all URLs under URL Scope, then click OK; the macro is now running in the background.
[Image: 17.png?w=687&ssl=1]
As you can see in the image we are on the login page of the Bwapp Lab where we have not given any login details.
[Image: 18.png?w=687&ssl=1]
We made a simple change in the URL we replaced login.php with portal.php as shown in the image.
[Image: 19.png?w=687&ssl=1]
This has successfully logged us into Bwapp Lab without giving any login details.
[Image: 20.png?w=687&ssl=1]
Burp Clickbandit
The Burp Clickbandit option in Burp Suite is a tool for generating clickjacking attacks. When you know a web page that is vulnerable to clickjacking, you can use Burp Clickbandit to create an attack and confirm that the vulnerability can be exploited. Be aware when running Burp Clickbandit on untrusted websites: malicious JavaScript from the target site can tamper with the HTML output generated by Burp Clickbandit. Burp Clickbandit has two modes, as follows:
Record Mode
Burp Clickbandit first opens in record mode. Then we need to perform one or more mouse clicks to record your clickjacking attack, as this will involve performing the mouse clicks that the victim user needs to perform for making some desired action. We can also use the “disable click actions” checkbox to record clicks without the target page handling them. When you have finished recording, click the “Finish” button to enter review mode.
Review Mode
When you have finished recording your clickjacking attack, Burp Clickbandit enters into review mode. This lets you review the generated attack, with the attack user interface over the original page UI. You can click the buttons on the attack UI to verify that the attack works.
List of commands that are available in review mode:
  • The + and - buttons zoom in and out.
  • The “toggle transparency” button allows you to show or hide the original page UI.
  • The “reset” button restores the generated attack, as it was before any further clicks were made.
  • The “save” button saves an HTML file containing the attack. This can be used as a real-world exploit of the clickjacking vulnerability.
  • You can use the keyboard arrow keys to reposition the attack UI over the original page UI, if not correctly aligned with the original page UI.
Let’s start!!
Burp Clickbandit runs on the browser using JavaScript. It can work on all latest browsers except for Microsoft IE and Edge.
To run Clickbandit, go to the Burp menu and select “Burp Clickbandit”.
Click the “Copy Clickbandit to clipboard” button. This will copy the Clickbandit script to your clipboard.
[Image: 21.png?w=687&ssl=1]
In your browser, visit the web page that you want to test, in the same way we regularly do. Then open the web developer console in your browser; this might also be called “developer tools” or “JavaScript console”. Paste the Clickbandit script into the console (if the console refuses pasted code, type allow pasting first, as it asks) and press Enter.
[Image: 22.png?w=687&ssl=1]
The Burp Clickbandit Logo will appear at the top of the browser window and the original page will be loaded within the frame which readies for the attack to be performed, this is said to be the record mode of burp clickbandit. Then we need to perform one or more mouse clicks to record your clickjacking attack, as this will involve performing the mouse clicks that the victim user needs to perform for making some desired action. We can also use the “disable click actions” checkbox to record clicks without the target page handling them. When you have finished recording, click the “Finish” button to enter review mode.
[Image: 23.png?w=687&ssl=1]
When you have finished recording your clickjacking attack, Burp Clickbandit enters into review mode. This lets you review the generated attack, with the attack user interface over the original page UI.
[Image: 24.png?w=687&ssl=1]
Click on the Save button, which lets you save an HTML file containing the attack. This can be used as a real-world exploit of the clickjacking vulnerability.
[Image: 25.png?w=687&ssl=1]
We have opened the saved html file which shows a transparent UI we have created over the original UI with a click button in the red box appearing on the page.
[Image: 26.png?w=687&ssl=1]
We can click the buttons on the attack UI to verify that the attack works. A message will appear saying “you’ve been clickjacked”, as shown in the image.
[Image: 27.png?w=687&ssl=1]
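Clickbandit only succeeds when the browser is willing to render the target page inside a frame on the attacker's origin, so the fix on the application side is a response header that forbids that: X-Frame-Options (DENY or SAMEORIGIN) or, preferably, a Content-Security-Policy with a frame-ancestors directive, which browsers honour in preference to X-Frame-Options when both are present. The following Python script is an added defender-side example (not from the original post or from Burp) that evaluates a response's headers the way a browser would and says whether a given embedding origin could frame the page, so the same check can be run over an application's responses before reaching for Clickbandit. The CASES header sets and the lab URL on 192.168.1.113 are constructed; the function names are this example's own.

```python
"""Decide whether an HTTP response allows the page to be framed (the precondition
for a clickjacking attack).  Added defender-side example; header sets and URLs
below are constructed.  Precedence follows browsers: a CSP frame-ancestors
directive overrides X-Frame-Options when both are present."""
from urllib.parse import urlsplit


def _origin(url):
    """scheme://host[:port] of a URL, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _host_matches(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # "*.example.com" matches "www.example.com"
    return pattern == host


def _source_matches(source, embedder, page):
    """Match one frame-ancestors source expression against the embedder origin."""
    src = source.lower().strip("'")
    if src == "none":
        return False
    if src == "self":
        return embedder == page
    if src == "*":
        return True
    e = urlsplit(embedder)
    if "://" not in src:                    # host-only source: any scheme
        return _host_matches(src, e.hostname)
    s = urlsplit(src)
    return s.scheme == e.scheme and _host_matches(s.netloc, e.netloc)


def is_frameable(headers, page_url, embedder_url):
    """True if a browser would render page_url inside a frame served from embedder_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # CSP wins outright; an empty source list behaves like 'none'
            return any(_source_matches(s, embedder, page) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    # no header, or an unrecognised value such as the obsolete ALLOW-FROM: no protection
    return True


# Constructed lab page (same host as the Nmap target earlier) and header sets to audit.
PAGE = "http://192.168.1.113/bWAPP/login.php"
CASES = {
    "no headers": {},
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp self overrides xfo": {"X-Frame-Options": "DENY",
                               "Content-Security-Policy": "frame-ancestors 'self'"},
    "csp partner": {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"},
}


def audit(cases, page_url, embedder_url):
    """{case name: frameable?} for every header set against one embedding origin."""
    return {name: is_frameable(hdrs, page_url, embedder_url) for name, hdrs in cases.items()}


if __name__ == "__main__":
    for name, frameable in audit(CASES, PAGE, "https://evil.example").items():
        print(f"{name:24s} frameable by https://evil.example: {frameable}")
```

Only the header-less response is frameable from an unrelated origin; "csp self overrides xfo" shows the precedence rule, since the same page framed from its own origin is allowed by the CSP even though X-Frame-Options says DENY. The check deliberately treats the obsolete ALLOW-FROM value as no protection, which matches current browsers.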