Private Burp Collaborator

Takshil Patil
5 min read, Jan 24, 2022


Next: OOB & Blind Testing using DNS Exfiltration

Note: This is not a new article; it is just some comments and additional setup guidelines based on my experience.

Main Reference: https://teamrot.fi/self-hosted-burp-collaborator-with-custom-domain/

I followed the above reference and was able to build my private Burp Collaborator server.

Why I needed to build a private Burp Collaborator server

The main reason was to use a custom domain name like safestwebsite.com instead of abcsomerandomxyz.burpcollaborator.net.

Traffic to the default Burp Collaborator domain is sometimes blocked by firewalls and WAFs. The reward was worth the effort, so I opted for a private collaborator.

Step 1: Create an AWS EC2 server (free tier)

You need an EC2 server; you can use the EC2 free tier or buy an EC2 server, whichever works for you. I used the free tier. For the complete steps, follow the Main Reference.

Specifications (already in the Main Reference):

  • OS: latest Ubuntu (free tier)
  • Hardware: t2.micro
  • Disk space: < 30 GB
  • Hours/month: 750 hours (if you are using only one server, you don't have to worry). Read the AWS documentation to understand how "hours" are billed.
  • Validity: 1 year
  • Make sure you enable the free tier usage alert (this is not mentioned in the Main Reference). This ensures you are notified if you are charged any additional cost.

An important note about AWS public IPs

  • The assigned AWS public IP address changes if you reboot or restart the server. This also changes your AWS public DNS name, which means the nameserver record of your domain has to be updated. Even after changing all these values and deploying a new Burp Collaborator server, you may get errors during deployment.
  • In this case (the only approach that worked for me), buy a new domain (free in my case), map that domain to the new AWS domain name, and from then on do not stop the server.

Step 2: Buy a domain name

Buying via GoDaddy

Refer to this article: https://teamrot.fi/self-hosted-burp-collaborator-with-custom-domain/. The GoDaddy steps differ from those of other registrars. GoDaddy is paid, so I would prefer Freenom instead.

Buying via Freenom

  • After buying the domain (valid for 1 year), go to the domain settings and click Nameservers. Give your AWS EC2 public DNS name in 1 and the same in 2.

Nameserver 1: your_AWS_EC2_public_dns_name

Nameserver 2: one.one.one.one (Cloudflare)

That is all on the domain side.

Step 3: Allow the required ports

As you already know, this is not a sensitive server. We will not be using it to store any sensitive data; it will only be used for validating out-of-band attacks.

These ports are required, otherwise the final health check will fail.

You can always remove the ports you are not testing from these rules, but if you do not know which ports you will be testing, I suggest keeping these ports allowed. There is no real threat as such, since no service is running on these ports (stop any that is). Only the collaborator service should be running, on ports 9443 and 9090, which only my attacker machine's public IP has access to.

Note: If you do not have a static public IP (ISPs and broadband providers generally do not give one), your ISP will keep changing your public IP, which means you may need to update these IPs frequently.

Step 4: Installing and configuring the collaborator server

Ref: https://github.com/putsi/privatecollaborator

On the AWS Ubuntu server

You need to download the latest Burp Suite Pro installer (.sh format) and copy it to the ~/privatecollaborator folder. A Burp Suite license is not required, just the installation file.

git clone https://github.com/putsi/privatecollaborator && cd privatecollaborator

The command below is for the case where you have not installed Burp Suite Pro earlier (which will mostly be the case):

sudo ./install.sh safestwebsite.com your_email@gmail.com burpsuite_pro_linux_v2021_12_1.sh

If you have already installed Burp Suite Pro (.sh), make sure you installed it using sudo, otherwise the installation path will be different. I recommend removing Burp Suite Pro and using the command above to install. If you still need to install on top of an existing Burp Suite Pro, run the command below:

sudo ./install.sh safestwebsite.com your_email@gmail.com

Finally, start the collaborator service. You can check its status to verify that it started.

sudo service burpcollaborator start

Step 5: At the Burp Collaborator client's end

Steps 1 to 4 are for the Burp Collaborator server, which is the main component. This next step concerns the Burp Collaborator client. The client gives a GUI to see the results and to generate new out-of-band checking URLs.

Go to your Burp Suite tool, click on the "Project options" tab, then click on the "Misc" sub-tab.

Then run the health check; if all the configuration is good, you will get the result below.

Go to your Burp Collaborator client.

  • Click "Copy to clipboard".
  • Paste it into the address bar of your browser.
  • Then come back to the client and click "Poll now".
  • You should see a list of entries; this validates that the Burp Collaborator is working properly.
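The manual checks above (domain delegated to the EC2 host, any random subdomain resolving, ports 9443 and 9090 reachable from the tester's machine) can be scripted. This is an added example for this write-up, not code from the referenced projects; it assumes `dig` is installed for the live NS lookup and uses injectable lookup/connect callables so the logic can be exercised offline.

```python
"""Pre-flight checks for a self-hosted Burp Collaborator (added example)."""
import secrets
import socket
import subprocess
from typing import Callable, List, Tuple

Result = Tuple[str, bool, str]  # (check name, passed, detail)


def dig_ns(domain: str) -> List[str]:
    """Live NS lookup via `dig +short` (assumes dig is on PATH)."""
    proc = subprocess.run(["dig", "+short", "NS", domain],
                          capture_output=True, text=True, check=False)
    return [l.strip().rstrip(".").lower() for l in proc.stdout.splitlines() if l.strip()]


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live TCP connect test against a collaborator polling port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(domain: str, ec2_dns: str,
              ns_lookup: Callable[[str], List[str]] = dig_ns,
              a_lookup: Callable[[str], str] = socket.gethostbyname,
              connect: Callable[[str, int], bool] = tcp_open,
              ports: Tuple[int, ...] = (9443, 9090)) -> List[Result]:
    results: List[Result] = []
    # 1. Delegation: the registrar's NS records must name the EC2 host.
    ns = ns_lookup(domain)
    results.append(("ns_delegation", ec2_dns.lower().rstrip(".") in ns,
                    ", ".join(ns) or "no NS records"))
    # 2. Wildcard DNS: the collaborator must answer any random label,
    #    like the unique subdomains the client embeds in its payloads.
    probe = f"{secrets.token_hex(8)}.{domain}"
    try:
        results.append(("wildcard_dns", True, f"{probe} -> {a_lookup(probe)}"))
    except OSError as exc:
        results.append(("wildcard_dns", False, f"{probe}: {exc}"))
    # 3. Polling ports must accept TCP from this (tester) machine.
    for port in ports:
        results.append((f"tcp_{port}", connect(domain, port), f"{domain}:{port}"))
    return results


def all_ok(results: List[Result]) -> bool:
    """True only if every check passed."""
    return all(ok for _, ok, _ in results)


if __name__ == "__main__":
    import sys  # usage: python preflight.py safestwebsite.com ec2-...amazonaws.com
    for name, ok, detail in preflight(sys.argv[1], sys.argv[2]):
        print(f"[{'OK' if ok else 'FAIL'}] {name}: {detail}")
```

A failing tcp_9090 with a passing tcp_9443 usually means the security group rule for 9090 does not include your current public IP (see the note on dynamic ISP addresses above).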

If you are getting an error

If you are facing issues here, given that you have properly followed each and every step, it means the Main Reference is no longer applicable at that point in time. But I would highly suggest you review all the steps, as these worked for me.

Then you need to follow the official PortSwigger article.

What Next?

Burp Collaborator is useful, but there is a restriction on how you can use it. The most important requirement is that the collaborator client must be able to connect to the collaborator server. If for some reason the testing environment does not allow this, then Burp Collaborator will be of no use. Also, you do not see all requests that reach the private collaborator; the client only shows interactions for the payloads it generated itself. To solve this problem you can follow the article below:

Next: DNS Exfiltration and OOB Testing
