Proxying non-http protocols via BURP

This article will shortly describe the mechanisms and tools that allow the interception of any UDP or TCP traffic via Burp proxy. The main driver behind this endeavour was the ability to inject and modify the packets for various protocols via intuitive Burp interface.

Burp is a powerful proxy for web application pentests, but only speaks http and https. So , in order to redirect traffic which is not http/https via Burp we need to configure another intermediate component that will listen for a desired traffic , direct this traffic to Burp so we can tamper with it, and Burp will forward it further to the destination server.

This intermediate component is mitm_relay.py, a python script available at  Github. https://github.com/jrmdev/mitm_relay

Implementation

The first step is to run mitm_relay.py. 

-l =IP address on which the local server will listen. I set it to listen on all available interfaces (0.0.0.0)
-p=where is Burp proxy running (127.0.0.1, port 8080)
-r= relay mechanism, in our case we listen on port 5300 and redirect anything from local 5300 to www.google.com , port 80. 

Let us check that there is local listener running on 5300 

Note that the local port 5300 is referenced in relay option (-r):
-r tcp:5300:www.google.com:80
This means that connection to a local IP and port 5300 will be relayed to www.google.com port 80, but via proxy/BURP (-p 127.0.0.1:8080). If we check the Burp , requests are there, containing "CLIENT_REQUEST" and "SERVER_RESPONSE" attributes in the URL.

You can inspect the traffic to and from Burp within the mitm_relay.py console:
The example below is an example for a SIP /VOIP interception
Configure a listener (listens on port 5060, forwards to 185.91.12.103:5060, some internet SIP server I have chosen just to check the operation)
Let us select a random SIP server available on the internet.



After that, configure SIP client, in my case I use Jitsi. (Registrar is randomly selected 4.4.4.4 as I don't have a proper SIP account to actually authnticate the connection). Note the proxy is 127.0.0.1, port 5060 where mitm_relay.py is awaiting the connection. Also, I force SIP over TCP (SIP is natively a UDP-based protocol).

Checking Burp for response shows that the destination SIP server asks for authentication (Note "SERVER_RESPONSE" is outlined. This is ok  and we don't have a valid SIP, the connection is dropped.



Comments

Popular posts from this blog

Signature verification bypass vulnerability in some Huawei routers

Attacking encrypted VOIP (SIP) protocols

DNS insights - UDP vs TCP and EDNS