Some lesser known features of Burp Suite
Working with SOCKS Proxy
A SOCKS server is a general purpose proxy server that establishes a TCP connection to another server on behalf of a client, then routes all the traffic back and forth between the client and the server. It works for any kind of network protocol on any port. SOCKS Version 5 adds additional support for security and UDP. The SOCKS server does not interpret the network traffic between client and server in any way, and is often used because clients are behind a firewall and are not permitted to establish TCP connections to servers outside the firewall unless they do it through the SOCKS server. Most web browsers for example can be configured to talk to a web server via a SOCKS server. Because the client must first make a connection to the SOCKS server and tell it the host it wants to connect to, the client must be "SOCKS enabled."
- Most popular SOCKS proxy is Tor
Playing with SOCKS Proxies
Lets take Tor for example, Now we will setup Tor and some SOCKS setting in our Burp and we know since SOCKS proxy works by taking all the traffic through it, so the destination server can see the IP of the SOCKS Proxy.
First lets check public IP of our machine.
Now lets setup Tor SOCKS proxy setting in my Burp under User Option and we will see, Am I able to see IP of Tor (SOCKS Proxy)in my normal browser when I check it on ICANHAZIP.COM.
After using Tor, it changed my IP when seen into Burp by intercepting icanhazip.com in my normal browser. As it was showing Tor IP address because all the traffic was going via Tor and destination server i.e Icanhazip.com considers Tor to be the client who is sending all the traffic .
Using SSH Tunneling
Note : Imagine a situation where a web application that is being assessed has white listed the IP addresses that can access it and the IP address belongs to a remote network. In these scenarios, there is a need for our trusty BURP proxy's traffic to be tunneled through the remote machine.
Burp has a handy feature for tunneling all the traffic through a SOCKS proxy. SOCKS (Socket Secure) is a protocol used for tunneling packets through a proxy server.
Using SSH tunneling as a SOCKS proxy is quite useful when we want to give a white-listed IP address to a firewall administrator to access an application.
So, the scenario here requires you to have access to a GNU/Linux server with a static IP address, which you can connect to using Secure Shell Server (SSH).
Now here consider Amazon AWS instance (Ubuntu machine). In order to connect to it, I have to do SSH Tunneling. See below figures
- Step 1
Connect to AWS Ubuntu instance using below code
ssh -i "identity-file" -D 12345 ubuntu@ec2-18-218-139-2.us-east-2.compute.amazonaws.com
-D: Tells SSH that we want a SOCKS tunnel on the specified port number (you can choose a number between 1025-65536)
- Step 2
We are configuring burp to accept socks at port 12345.
Now when we check our IP in browser using icanhazip.com, It will show IP of amazon AWS machine.
SSL Pass through
This feature can be useful in cases where it is staright Forward to eliminate SSL errors on the client for example applications that perform SSL certificate pinning. This case only takes place when I encounter domain where I am not able to get client device to negotiate SSL correctly as it may be using mix of both HTTP, HTTPS .
By adding that particular request in SSL Pass Through Under Proxy --> Option subtab we can mitigate this error as request to this server will now pass straight through Burp and client can connect in Normal Way. Even we can automate this by checking automatically.
Steps to use SSL Passthrough
Example Twitter Application in Android
Step 1
- First of all, configured Burp to listen on some Port where Phone can send data through it .
Step 2
- Configure Android phone proxy setting in your wifi
- Followed below link for detailed Explanation
Android Configuration for Burp
Step 3
- Now Try running Twitter in android. You will find that twitter will not run and will show this error as shown in image.
Step 4
- Now configure Burp for SSL Passthrough to get rid of this error
- Go to Option tab under Proxy and then go to SSL Passthrough option.
- Configure following settings.
Steps 5
- Now try to access twitter again and it will be running fine .
Invisible Proxy
When we are testing Thick client application specially when it is Non-Proxy aware, we need to enable Invisible proxy. Because a Thick client is a software which usually runs outside a browser and even it is independent of internet.
A thick client can be a non proxy aware which means it does not have a HTTP proxy option, which means it is not capable of sending request to proxy such as Burp.
Example Binary of Udictionary
Link for binary Download Udict Binary
step 1 :
- Download Binary of udict as it acts as a thick client and ofcourse does not have a proxy enabling option
Note :Before doing anything we need to ensure that we have Burp CA certificate installed in our root system so that we can trick thick client application to be intercepted by Burp.
- Steps to install Burp CA certificate in our system, Type the below code in your terminal
- Generate a new certificate
Save that cert to your Desktop or anywhere you want really. Now its time convert your cert from a .DER to a .PEM
openssl x509 -inform DER -outform PEM -in bURPca.der -out myca.crt.pem
Move Cert :
cp myca.crt.pem /etc/ssl/certs/myca.crt.pem
Go and run just for fun :
update-ca-certificates
Then add your HTTP proxy environmental variable for the Rest Client to pick up, most cli tools do check this for proxy information. This could be helpful for other tools as well.
export http_proxy=http://127.0.0.1:443
- At this point you should be up and running for the use of Burp and your API you fuzz.
Now, Configure Burp Suite for intercepting Thick Client :
- Step 1
Configure host file so that we can trick thick client to send data via localhost
- Step 2
Configure Listener in Burp
- Step 3
Burp hostname Resolution settings under Project Option.
To find IP address of udict just type :
dig api.urbandictionary.com
Now we have mulitple IP here just enter all the IP as shown below with their hostname
- Step 4
Now run binary using bash console and pass a valid value to it
./udict-linux-amd64 abc
Here abc is a value. You may pass anyword.