Using Web Proxies - Proxying Tools

I’m having an issue with the question at the end of this module. It goes as follows:

“Try running ‘auxiliary/scanner/http/http_put’ in Metasploit on any website, while routing the traffic through Burp. Once you view the requests sent, what is the last line in the request?”

I understand the material and how to use Metasploit but there are always errors stating “The file probably did not upload” and nothing gets intercepted within Burp Suite.

Any suggestions? Also, noob question, but is it actually safe to run this against any website?

Thanks in advance!

Hey, we all start somewhere, so don’t worry about noob questions.

So the point of the exercise is to show that you can connect Metasploit to BurpSuite. Make sure you are connecting the two correctly. The answer lies in the request sent from Metasploit to BurpSuite. So once you run the scanner, check the request that BurpSuite captured. Make sure Intercept is on. Don’t bother looking at the output of MSF because it doesn’t matter.

Unless you are forwarding the traffic from the proxy, it doesn’t matter what website you choose because the traffic will never go there. You can just drop the requests.

Thanks for the reply. That’s why I was worried because, even though I set proxies within MSF, if Burp isn’t capturing the request, doesn’t that make it ‘sketchy’ that the request does in fact go directly to the website rather than being dropped?

Just to be sure, what I did is set the proxies option within MSF to and then my RHOSTS to any website. I ensured my Burp Suite intercept was on as well. Nothing is coming through.

If you type options in MSF you should see that the format is HTTP:

Wow, I totally missed that… Thank you.

Does that mean that before, MSF tried using the tool directly on the website without it being dropped? Isn’t that a no-no?

Haha, don’t worry about it. I mean I wouldn’t make a habit of it, but you weren’t conducting a DoS attack or running a crazy vuln test. There are bots out there doing a lot worse than running HTTP PUT scans.

Absolutely, that’s what I figured. Just wanted to make sure. Cheers to you, really appreciate the help!

I’m stumped. I don’t understand how to get the answer to the question at all. I’ve tried multiple web sites and the only response at the end that I ever get is “Connection: close”. And the hint says the answer contains ‘msf’ but I don’t see that anywhere in any response I’ve ever received. Is anyone able to give a hint as to how to get the answer?