Pablo Guides

# Paros$ Pentest Course – Section 1: Introduction & Installation

## Introduction

Paros Proxy is a powerful web application security tool that allows penetration testers and security professionals to intercept and modify HTTP/HTTPS requests and responses. It acts as a man-in-the-middle, enabling users to analyze, modify, and manipulate traffic between a client (browser) and a server. This capability is essential for identifying vulnerabilities and testing the security of web applications.

In this section, we will cover the installation and configuration of Paros Proxy on Kali Linux, followed by a step-by-step guide on how to use it effectively in real-world scenarios.

## Installation and Configuration on Kali Linux

### Prerequisites

Before we begin with the installation, ensure that you have the following:

1. **Kali Linux**: The latest version installed on your system.
2. **Java Runtime Environment (JRE)**: Paros Proxy is a Java-based application, so it requires JRE to run. You can check if JRE is installed with the command:

   java -version

 

3. **Updated System**: It is always a good practice to update your system before installing new software:

   sudo apt update && sudo apt upgrade -y

 

### Installing Paros Proxy

1. **Download Paros**: Visit the official Paros Proxy website or use the following link to download the latest version. You can do this directly from the command line:

   wget http://www.paros-proxy.org/dist/paros-3.2.13.jar

 

Note: Check the Paros website for the latest version as it may change.

2. **Create a Directory for Paros**:

   mkdir -p ~/paros

   mv paros-3.2.13.jar ~/paros/

 

3. **Run Paros Proxy**:

Ensure you have executable permissions on the jar file. You can run Paros Proxy with the following command:

   java -jar ~/paros/paros-3.2.13.jar

 

If you encounter permission issues, you may need to adjust your Java permissions or run it as a superuser.

### Configuration of Paros Proxy

1. **Set Proxy Settings in Your Browser**:
Configure your web browser to use Paros as a proxy. By default, Paros listens on `localhost:8080`. Here is how to configure it in Firefox:

– Open Firefox and go to Preferences.
– Scroll down to Network Settings and click on Settings.
– Select "Manual proxy configuration".
– Enter `127.0.0.1` as the HTTP Proxy and `8080` as the Port.
– Check "Use this proxy server for all protocols".
– Click OK.

2. **Allowing HTTPS Traffic**:
To capture HTTPS traffic, you need to install the Paros CA certificate in your browser. After running Paros Proxy, go to the "File" menu and select "Export CA Certificate". Save the certificate and follow these steps to install it in Firefox:

– Go to Preferences > Privacy & Security.
– Scroll down to Certificates and click on View Certificates.
– Click on the Authorities tab and then click on Import.
– Select the Paros certificate you exported and allow it to identify websites.

3. **Setting Up Local Proxy**: In Paros, navigate to the Proxy settings to ensure it is set up correctly:

– Go to Options > Proxy > Local Proxy.
– Ensure the Host is set to `127.0.0.1` and the Port is `8080`.

### Testing Your Setup

To verify that everything is working correctly, open your browser and navigate to a website such as `http://example.com`. You should see the requests being captured in Paros Proxy.

## Step-by-Step Usage and Real-World Use Cases

Once you have installed and configured Paros Proxy, you can begin using it to assess the security of web applications. Below, we’ll explore various functions and real-world use cases.

### 1. Intercepting HTTP Requests

**Use Case**: You want to inspect how a web application handles user input.

– Open Paros Proxy and start intercepting traffic.
– Navigate to a web application (e.g., a login form).
– Enter some data in the input fields and submit the form.
– Observe the captured requests in Paros.

### 2. Modifying Requests

**Use Case**: Testing for SQL injection vulnerabilities.

– After intercepting a request, find a parameter that accepts user input (e.g., a username).
– Right-click on the request and select "Edit" to modify it.
– Change the parameter to a potential SQL injection string, for example:

[/dm_code_snippet]sql
' OR '1'='1
[/dm_code_snippet]

– Forward the modified request and observe the server's response.

### Code Example for Modifying HTTP Requests

Here’s a simple example of a modified login request in markdown format:

"`http
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=admin&password=' OR '1'='1
"`

### 3. Analyzing HTTP Responses

**Use Case**: Identify data leaks in the responses.

– Set up Paros to capture responses.
– After making a request, analyze the response to search for sensitive information such as error messages, stack traces, or other data that should not be exposed.

### 4. Using Spidering to Discover Resources

**Use Case**: To map out all endpoints of a web application.

– In Paros, select the "Spider" option from the menu.
– Start the spidering process on the target application.
– Observe how Paros discovers various paths and resources within the application.

### 5. Generating Reports

At the end of your penetration test, generating a report is crucial to document findings and recommendations.

– Paros has a built-in reporting tool. Go to "File" > "Export" and choose the format for your report.
– You can export the results in HTML or XML formats based on requirements.

## External Reference Links

While the above steps provide a foundation for using Paros Proxy, further reading and resources can enhance your understanding and capabilities:

– [Paros Proxy Official Site](http://www.paros-proxy.org)
– [OWASP – Open Web Application Security Project](https://owasp.org)
– [Burp Suite Documentation](https://portswigger.net/burp/documentation)
– [Java Documentation](https://docs.oracle.com/en/java/)

## Conclusion

Paros Proxy is a versatile tool that can significantly impact your web application security assessments. By following the outlined steps, you can effectively intercept, analyze, and manipulate web traffic to identify vulnerabilities. Practice these techniques, and you'll gain confidence in performing comprehensive penetration tests.

In the next section, we will explore advanced features of Paros Proxy and how to integrate it with other tools for enhanced security testing capabilities.

—

Made by pablo guides / pablo guides