Proxying non-http protocols via BURP
This article will shortly describe the mechanisms and tools that allow the interception of any UDP or TCP traffic via Burp proxy. The main driver behind this endeavour was the ability to inject and modify the packets for various protocols via intuitive Burp interface.
Burp is a powerful proxy for web application pentests, but only speaks http and https. So , in order to redirect traffic which is not http/https via Burp we need to configure another intermediate component that will listen for a desired traffic , direct this traffic to Burp so we can tamper with it, and Burp will forward it further to the destination server.
This intermediate component is mitm_relay.py, a python script available at Github. https://github.com/jrmdev/mitm_relay
Implementation
The first step is to run mitm_relay.py.
Checking Burp for response shows that the destination SIP server asks for authentication (Note "SERVER_RESPONSE" is outlined. This is ok and we don't have a valid SIP, the connection is dropped.
Burp is a powerful proxy for web application pentests, but only speaks http and https. So , in order to redirect traffic which is not http/https via Burp we need to configure another intermediate component that will listen for a desired traffic , direct this traffic to Burp so we can tamper with it, and Burp will forward it further to the destination server.
This intermediate component is mitm_relay.py, a python script available at Github. https://github.com/jrmdev/mitm_relay
Implementation
The first step is to run mitm_relay.py.
-l =IP address on which the local server will
listen. I set it to listen on all available interfaces (0.0.0.0)
-p=where is Burp proxy running (127.0.0.1, port 8080)
-r= relay mechanism, in our case we listen on port 5300 and redirect anything from local 5300 to www.google.com , port 80.
Let us check that there is local listener running on 5300
-p=where is Burp proxy running (127.0.0.1, port 8080)
-r= relay mechanism, in our case we listen on port 5300 and redirect anything from local 5300 to www.google.com , port 80.
Let us check that there is local listener running on 5300
Note that the local port 5300 is referenced in relay
option (-r):
-r tcp:5300:www.google.com:80
This means that connection to a local IP and port 5300
will be relayed to www.google.com port 80,
but via proxy/BURP (-p 127.0.0.1:8080). If we check the Burp , requests are there, containing "CLIENT_REQUEST" and "SERVER_RESPONSE" attributes in the URL.
You can inspect the traffic to and from Burp within the mitm_relay.py console:
The example below is an example for a SIP /VOIP interception
Configure a listener (listens on port 5060, forwards
to 185.91.12.103:5060, some internet SIP server I have chosen just to check the operation)
After that, configure SIP client, in my case I use Jitsi. (Registrar is randomly selected 4.4.4.4 as I don't have a proper SIP account to actually authnticate the connection). Note the proxy is 127.0.0.1, port 5060 where mitm_relay.py is awaiting the connection. Also, I force SIP over TCP (SIP is natively a UDP-based protocol).
Comments
Post a Comment