Some lesser-known features of Burp Suite

Working with SOCKS Proxy

A SOCKS server is a general-purpose proxy that establishes a TCP connection to another server on behalf of a client and then relays traffic in both directions between the two. Because it sits below the application layer, it works for any TCP-based protocol on any port; SOCKS version 5 adds authentication methods and UDP relaying. The SOCKS server does not interpret the traffic it carries, and it is commonly used when clients sit behind a firewall that only permits outbound connections made through the SOCKS server. Most web browsers, for example, can be configured to reach web servers via a SOCKS server. Because the client must first connect to the SOCKS server and tell it which host and port it wants, the client software has to be "SOCKS-aware".

  • The best-known SOCKS proxy is Tor: the tor daemon exposes a SOCKS5 interface on 127.0.0.1:9050 by default (the Tor Browser bundle uses port 9150).

Playing with SOCKS Proxies

Let's take Tor as the example. We will set up Tor, point Burp at it as a SOCKS proxy, and confirm what the SOCKS model implies: since all of Burp's outbound traffic goes through the proxy, the destination server sees the IP address of the SOCKS proxy (here, a Tor exit node) rather than ours.

  • First, check the public IP of our machine, for instance by visiting icanhazip.com with no proxy configured.

  • Now configure Tor as the SOCKS proxy in Burp under User options → Connections → SOCKS Proxy (Settings → Network → Connections in newer releases), with host 127.0.0.1 and port 9050, and tick "Do DNS lookups over SOCKS proxy" so that name resolution also goes through Tor instead of leaking to the local resolver. Then check on ICANHAZIP.COM, in the normal browser proxied through Burp, whether the IP shown is Tor's.

[Screenshot: Burp SOCKS proxy settings]


After enabling the Tor SOCKS proxy in Burp, the IP reported by icanhazip.com (intercepted in Burp from the normal browser) changed to a Tor exit node address. All traffic leaving Burp went via Tor, so the destination server, icanhazip.com, sees the Tor exit as the client. Note that this setting only affects Burp's outbound connections; the browser still talks to Burp's listener on the local machine as before.

[Screenshot: icanhazip.com showing the Tor exit IP]

Using SSH Tunneling

Note: imagine a situation where the web application being assessed only accepts connections from an allow-list of IP addresses, and the permitted address belongs to a remote network that you can reach. In that case Burp's traffic needs to be tunneled through the remote machine so that it originates from the permitted address.

Burp has a handy setting for sending all of its outbound traffic through a SOCKS proxy, and an SSH dynamic port forward (ssh -D) is exactly such a proxy: the SSH client listens on a local port, speaks SOCKS to Burp, and makes the actual connections from the remote host.

  • Using an SSH tunnel as a SOCKS proxy is useful when you need to give the firewall administrator a single, fixed IP address to allow-list: everything Burp sends then leaves from that address.

  • The scenario therefore requires a GNU/Linux server with a static public IP address that you can reach over SSH.

Here the server is an Amazon AWS EC2 instance running Ubuntu. Set up the SSH tunnel to it as follows.

  • Step 1

Connect to the AWS Ubuntu instance with:

    ssh -i "identity-file" -D 12345 ubuntu@ec2-18-218-139-2.us-east-2.compute.amazonaws.com

-D: tells SSH to open a SOCKS proxy on the given local port (pick an unprivileged port, 1024-65535; ports below 1024 need root). By default it binds to 127.0.0.1 only, which is what we want here. Adding -N keeps the tunnel up without opening a remote shell.

[Screenshot: SSH connection to the AWS instance]

  • Step 2

    Configure Burp to use the SOCKS proxy at 127.0.0.1 port 12345 (User options → Connections → SOCKS Proxy; Settings → Network → Connections in newer releases). Burp is the SOCKS client here and the local ssh process is the SOCKS server. Enable "Do DNS lookups over SOCKS proxy" as well, so that target hostnames are resolved from the remote host's point of view.

[Screenshot: Burp SOCKS proxy settings pointing at 127.0.0.1:12345]

Checking our IP in the browser via icanhazip.com now shows the public IP of the AWS machine, since that is where the connections leave the tunnel. The tunnel only lives as long as the ssh session does: if it drops, Burp's requests fail with a SOCKS connection error rather than silently falling back to a direct connection, which is the behaviour you want when the point is to never hit the target from your own address.
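To make concrete what Burp is actually doing once a SOCKS proxy is configured, whether that proxy is Tor or an ssh -D listener, here is an added example (not code from the original post) that runs both halves of a SOCKS5 CONNECT exchange in one Python process: the client half, which is the role Burp plays, and a stand-in server that only records what it was asked to connect to, the role Tor or ssh plays. The stand-in opens no onward connection, and the hostname and IP used are sample values. The detail to notice is the address type in the request: with "Do DNS lookups over SOCKS proxy" on, the hostname itself is sent (ATYP 0x03) and the proxy resolves it on the far side; with it off, the client resolves the name first and sends the resulting IP (ATYP 0x01), so the DNS query leaves through the local resolver instead of the tunnel.

```python
"""SOCKS5 CONNECT exchange (RFC 1928) with both sides in one process.

Added example: the client half is what Burp does once a SOCKS proxy is set; the
server half stands in for Tor or `ssh -D` but only records the request and
answers success, it connects nowhere. Hostnames and IPs are sample values.
"""
import socket
import struct
import threading

SOCKS5 = 0x05
CMD_CONNECT = 0x01
NO_AUTH = 0x00
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCESS = 0x00


def recv_exact(sock, n):
    """recv() may return short; loop until n bytes arrive or the peer goes away."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def build_connect(dst, port):
    """CONNECT request. A dotted-quad means the client already resolved the name
    itself (ATYP 0x01), the DNS leak that 'Do DNS lookups over SOCKS proxy'
    avoids; a hostname is sent as-is (ATYP 0x03) for the proxy to resolve."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(dst)
    except OSError:                                  # not an IPv4 literal
        name = dst.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(req):
    """Server-side view of a CONNECT request: (atyp, destination, port)."""
    ver, cmd, _rsv, atyp = req[:4]
    if ver != SOCKS5 or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT")
    if atyp == ATYP_IPV4:
        dst, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        dst, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unsupported ATYP %#x" % atyp)
    return atyp, dst, struct.unpack("!H", rest[:2])[0]


def socks5_client(sock, dst, port):
    """Burp's role: offer 'no authentication', then ask the proxy to CONNECT.
    Returns True when the proxy reports success."""
    sock.sendall(bytes([SOCKS5, 1, NO_AUTH]))        # VER, NMETHODS, METHODS
    ver, method = recv_exact(sock, 2)
    if ver != SOCKS5 or method != NO_AUTH:
        return False
    sock.sendall(build_connect(dst, port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)       # VER REP RSV ATYP
    if atyp == ATYP_IPV4:
        recv_exact(sock, 4 + 2)                      # BND.ADDR, BND.PORT
    elif atyp == ATYP_DOMAIN:
        recv_exact(sock, recv_exact(sock, 1)[0] + 2)
    return ver == SOCKS5 and rep == REP_SUCCESS


def fake_socks_server(sock, seen):
    """Tor / ssh -D stand-in: accept no-auth, record the target, report success."""
    _ver, nmethods = recv_exact(sock, 2)
    recv_exact(sock, nmethods)
    sock.sendall(bytes([SOCKS5, NO_AUTH]))
    hdr = recv_exact(sock, 4)
    if hdr[3] == ATYP_IPV4:
        rest = recv_exact(sock, 4 + 2)
    else:                                            # ATYP_DOMAIN: length-prefixed name
        n = recv_exact(sock, 1)
        rest = n + recv_exact(sock, n[0] + 2)
    seen["atyp"], seen["dst"], seen["port"] = parse_connect(hdr + rest)
    # Success reply; the bound address is informational, zeros are fine here.
    sock.sendall(bytes([SOCKS5, REP_SUCCESS, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0))


def demo(dst, port=443):
    """Run client and stand-in server over an in-process socketpair; no network."""
    client, server = socket.socketpair()
    seen = {}
    t = threading.Thread(target=fake_socks_server, args=(server, seen))
    t.start()
    seen["ok"] = socks5_client(client, dst, port)
    t.join()
    client.close()
    server.close()
    return seen


if __name__ == "__main__":
    print(demo("icanhazip.com"))     # proxy resolves the name: no local DNS query
    print(demo("203.0.113.10", 80))  # client resolved first: the name never reaches the proxy
```

Run it and compare the two dictionaries: the first records the hostname (atyp 3), the second only a literal address (atyp 1). Against Tor, the second form is a deanonymization risk even though the TCP connection itself is tunneled, which is why the "Do DNS lookups over SOCKS proxy" box matters.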

SSL Pass through

This feature is useful in cases where it is not straightforward to eliminate SSL/TLS errors on the client, for example mobile applications that perform certificate pinning. Such a client rejects the certificate Burp generates for the host, so the TLS negotiation between the client and Burp fails and the application stops working, even though Burp itself can reach the server without trouble. The symptom in Burp is a client SSL negotiation failure alert for that host, as in the image below.

[Screenshot: Burp alert showing client SSL negotiation failure]


By adding that host to SSL Pass Through under the Proxy → Options subtab, the error goes away: connections to it are no longer intercepted but passed straight through Burp as opaque TCP, so the client negotiates TLS directly with the real server and its pinning check succeeds. Burp can also populate the list for you: tick "Automatically add entries on client SSL negotiation failure". The trade-off is that passed-through traffic is invisible to Burp, you can neither view nor modify it, so use pass-through for hosts that are out of scope (analytics, push notification services, pinned third parties), and deal with pinning on an in-scope host by other means.

Steps to use SSL Passthrough

Example Twitter Application in Android

Step 1

  • First, configure a Burp proxy listener on an interface and port that the phone can reach over the Wi-Fi network (bind to all interfaces, or to the machine's Wi-Fi address, rather than to loopback).

[Screenshot: Burp proxy listener settings]


Step 2

  • Configure the Android phone's Wi-Fi connection to use the Burp listener as its HTTP proxy.
  • Follow the link below for a detailed explanation.

Android Configuration for Burp

Step 3

  • Now try running Twitter on the phone. It will fail to load and show the error in the image below, because the app pins its certificates and rejects the one Burp presents.

[Screenshot: Twitter connection error on the phone]

Step 4

  • Now configure SSL Pass Through in Burp to get rid of this error.
  • Go to Proxy → Options and find the SSL Pass Through section.
  • Add the host(s) that failed negotiation (or enable the automatic option) as in the following settings.

[Screenshot: SSL Pass Through configuration]


Step 5

  • Try Twitter again; it now runs fine. Its traffic to the passed-through hosts no longer appears in Burp, which is the price of this fix.

[Screenshot: Twitter working after SSL Pass Through was enabled]


Invisible Proxy

When testing a thick client application that is not proxy-aware, we need Burp's invisible proxy mode. A thick client is software that runs outside the browser; it opens its own connections to the server and ignores the browser or system proxy settings.

A non-proxy-aware client has no HTTP proxy option, so it cannot be pointed at Burp and will never send proxy-style requests (a full URL in the request line, or CONNECT for TLS). Invisible proxying works around this: the client is redirected to Burp's listener (through the hosts file or DNS) while believing it is talking to the real server, and Burp works out the real destination from the traffic itself, the Host header for plain HTTP and the SNI extension plus Host header for TLS, before forwarding it on.
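Concretely, a listener in invisible-proxy mode learns the real destination from the traffic itself: for plain HTTP from the Host header, and for TLS from the server_name (SNI) extension of the ClientHello, which an intercepting proxy needs both to pick the certificate it presents and to know where to forward the connection. The following is an added example, not code from this post or from Burp, that produces a genuine ClientHello offline with Python's ssl module (MemoryBIO, no network) and parses the SNI out of it. It also shows the edge case: a client that connected by IP literal, or an old stack without SNI, sends no server_name at all (RFC 6066 does not allow IP addresses there), in which case an invisible listener can only rely on the Host header inside the decrypted request or on the listener's "Redirect to host" setting. The hostnames used are sample values.

```python
"""Pull the intended hostname (SNI) out of a TLS ClientHello.

Added example for the invisible-proxy discussion: the client believes it is
talking to the real server, so the destination survives only in the traffic.
The ClientHello is produced with the stdlib ssl module over MemoryBIOs, so
nothing touches the network; the hostnames are sample values.
"""
import ssl
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name extension
SNI_HOST_NAME = 0x00      # the only NameType defined


def make_client_hello(hostname):
    """Return the raw bytes a TLS client sends first. hostname=None models a
    client connecting by IP literal or an old stack: no SNI is included."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if hostname is None:
        ctx.check_hostname = False      # otherwise wrap_bio insists on a name
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                            # expected: ClientHello written, no reply yet
    return outgoing.read()


def extract_sni(record):
    """Walk record -> handshake -> ClientHello -> extensions -> server_name.
    Returns the host_name, or None when the client sent no SNI."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                                  # legacy_version + random
    pos += 1 + body[pos]                                          # session_id
    (n,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2 + n   # cipher_suites
    pos += 1 + body[pos]                                          # compression_methods
    if pos + 2 > len(body):
        return None                                               # no extensions block at all
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    end = pos + ext_total

    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if ext_type != EXT_SERVER_NAME:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            (name_len,) = struct.unpack("!H", data[q + 1:q + 3]); q += 3
            if name_type == SNI_HOST_NAME:
                return data[q:q + name_len].decode("ascii")
            q += name_len
    return None


if __name__ == "__main__":
    print(extract_sni(make_client_hello("api.urbandictionary.com")))  # the real target
    print(extract_sni(make_client_hello(None)))                       # None: no SNI sent
```

The first call prints the hostname the client was really after even though, in the invisible-proxy setup, the TCP connection arrived at 127.0.0.1. The second prints None, which is the situation where the listener's "Redirect to host" option is the only way to tell Burp where to send the connection.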

Example: the Udictionary (udict) binary
Link for binary: Udict Binary

Step 1:

  • Download the udict binary; it behaves as a thick client and, of course, has no option for configuring a proxy.

Note: before doing anything, install Burp's CA certificate into the system trust store, so that the thick client accepts the per-host certificates Burp generates when it intercepts TLS.

  • Steps to install the Burp CA certificate on a Debian/Ubuntu system. Type the following in your terminal.
  • Export Burp's CA certificate in DER format (Proxy → Options → Import / export CA certificate).

[Screenshot: exporting the Burp CA certificate]


  • Save the .der file anywhere convenient. Now convert the certificate from DER to PEM:

    openssl x509 -inform DER -outform PEM -in bURPca.der -out myca.crt.pem

  • Install it into the system trust store. On Debian/Ubuntu, update-ca-certificates only picks up files with a .crt extension placed under /usr/local/share/ca-certificates; copying straight into /etc/ssl/certs does not add it to the bundle:

    sudo cp myca.crt.pem /usr/local/share/ca-certificates/burp-ca.crt
    sudo update-ca-certificates

  • Check the output: it should report "1 added". Tools that read the system bundle (/etc/ssl/certs/ca-certificates.crt) now trust Burp; tools with their own trust store (a Java keystore, Firefox's NSS database, or an app that pins) need the certificate imported separately.

  • Then set the proxy environment variables that proxy-aware CLI tools honour (curl, pip, git and most HTTP client libraries read them). This does nothing for udict itself, which is exactly why the invisible proxy setup below is needed, but it is useful for other tooling you use against the same API. The port must match a Burp proxy listener (8080 is Burp's default):

    export http_proxy=http://127.0.0.1:443    # port of your Burp listener
    export https_proxy=http://127.0.0.1:443

  • At this point proxy-aware tools, and any API fuzzing you do through them, go through Burp.

Now configure Burp Suite to intercept the thick client:

  • Step 1

Edit /etc/hosts so that the API hostname the client connects to resolves to localhost; the client then connects to Burp's listener while believing it is talking to the real server:

    127.0.0.1   api.urbandictionary.com

[Screenshot: hosts file entry pointing the API hostname at 127.0.0.1]

  • Step 2

Configure a listener in Burp on the port the client uses (443, since the API is reached over HTTPS) and enable "Support invisible proxying" under Request handling. Without that option Burp expects proxy-style requests and rejects the client's direct ones. Binding a port below 1024 requires running Burp with root privileges or redirecting the port to an unprivileged one.

[Screenshot: Burp listener with invisible proxying enabled]

  • Step 3

Set Burp's hostname resolution under Project options → Connections → Hostname Resolution. Because /etc/hosts now maps api.urbandictionary.com to 127.0.0.1, Burp would otherwise resolve the same name to itself and loop; these entries give Burp the real addresses to connect to.
To find the real IP addresses of the API, run:

    dig api.urbandictionary.com

dig queries DNS directly and ignores /etc/hosts, so it still returns the real addresses after the redirect is in place. There are multiple IPs; add each of them with the hostname as shown below.

[Screenshot: Burp hostname resolution settings]

  • Step 4

Now run the binary from a shell and pass it a valid search term:

    ./udict-linux-amd64 abc

Here abc is the search term; any word will do. The request should now show up in Burp's Proxy history under the real hostname, and the response is relayed back to the client unchanged.
