Jon Gorenflo - Burp Collaborator

PRESENTERS
• JON GORENFLO
• @FLAKPAKET

DEFINITION
· BURP COL·LAB·O·RA·TOR
/BƏRP KƏˈLABƏˌRĀDƏR/
NOUN
1.A PERSON WHO WORKS JOINTLY WITH OTHERS TO SYNERGIZE THE PRODUCTION
OF A NOISE MADE BY AIR RELEASED FROM THE STOMACH THROUGH THE MOUTH
2.PORTSWIGGER’S WICKED TOOL FOR OUT OF BAND AND EXTERNAL SERVICE
INTERACTION VULNERABILITY DETECTION.

WHAT DOES THAT EVEN MEAN?
•BURP COLLABORATOR RUNS THREE SERVICES TO THAT RESPOND TO ANY REQUEST:
• HTTP
• HTTPS
• DNS
•THE BURP SCANNER INJECTS PAYLOADS THAT HAVE THE POTENTIAL TO FORCE THE
TARGET APPLICATION OR DOWNSTREAM SYSTEM TO QUERY THE BURP COLLABORATOR
SERVER

MMMM KAAAYYYY… SO WHAT?
•AS OF BURP PRO V. 1.6.36, THIS ALLOWS BURP COLLABORATOR TO DETECT
THREE VULNERABILITIES THAT IT PREVIOUSLY COULD NOT:
• EXTERNAL SERVICE INTERACTION (DNS)
• EXTERNAL SERVICE INTERACTION (HTTP)
• OUT-OF-BAND RESOURCE LOAD (HTTP)

EXTERNAL SERVICE INTERACTION (DNS)
• SEVERITY: HIGH
• INDICATES THE ATTACK FORCED THE APPLICATION OR ANOTHER BACKEND SYSTEM TO ATTEMPT TO
INTERACT WITH AN EXTERNAL SERVICE
• IF THIS IS THE ONLY COLLABORATOR ISSUE IDENTIFIED, IT CAN MEAN EGRESS FILTERS PREVENT OTHER
SERVICE INTERACTIONS

EXTERNAL SERVICE INTERACTION (HTTP)
• SEVERITY: HIGH
• INDICATES THE APPLICATION INTERACTED WITH YOUR COLLABORATOR SERVER ON HTTP OR HTTPS
• MEANS THE APPLICATION CAN BE USE TOATTACK OTHER APPLICATIONS OR SERVICES
• THIRD PARTIES
• INTERNAL SYSTEMS
• LOOPBACK ADDRESS & SERVICES

OUT-OF-BAND RESOURCE LOAD ( HTTP )
• SEVERITY: HIGH
• INDICATES THE APPLICATION CAN BE FORCED TO RETRIEVE CONTENT FROMAN ARBITRARY LOCATION,
AND INCORPORATE IT INTO THE APPLICATIONS RESPONSES
• SIMILAR TO REMOTE FILE INCLUSION
• CAN BE USED AS A TWO-WAY ATTACK PROXY TO ATTACK OTHER SYSTEMS
• LIMITED TO ATTACKERS CREATIVITY ( XSS, SQL INJECTION, COMMAND INJECTION, DDOS, ETC. )

THE FULL POTENTIAL
• OUT-OF-BAND XSS
• SUPER-BLIND INJECTIONS
• STORED BLIND INJECTIONS
• DEFERRED INTERACTIONS
• OTHER NETWORK SERVICES: SMTP, NTLM, SSH

OUT OF BAND XSS
• DETECTED BY THE OUT OF BAND RESOURCE LOAD
• THINK REMOTE FILE INCLUSION, BUT WITH A SCRIPT
• SO, IT'S NOT NECESSARILY STORED, IT'S NOT REFLECTED, AND IT'S NOT DOM-BASED
• OTHER CLIENT-SIDE ISSUES COULD INCLUDE HTTP RESPONSE HEADER INJECTION AND OPEN
REDIRECTION

“SUPER BLIND” INJECTION
• INJECTION ATTACKS WHERE THERE IS NO WAY TO DETECT SUCCESS IN THEAPPLICATIONS RESPONSE,
WHETHER IT BE BY CONTENT, TIMING, OR THE LIKE.
• TYPICALLY A BACK END SYSTEM THAT TAKES ACTION ON THE PAYLOAD VIA:
• SQL INJECTION
• COMMAND INJECTION
• XXE INJECTION

OUT OF BAND INJECTION
• SIMILAR TO THE “SUPER BLIND” INJECTION, BUT IN THE APPLICATION ITSELF INSTEAD OF A BACKEND SYSTEM
• DEPENDING ON HOW THE APPLICATION PROCESSES THE RESPONSE, IT COULD BE VULNERABLE TO ANY INPUT-
BASED VULNERABILITY
• SERVER-SIDE CODE EXECUTION
• SQL INJECTION
• COMMAND INJECTION
• XSS
• ETC.

DEFERRED INTERACTION
• STORED VERSIONS OF PREVIOUSLY MENTIONED ATTACKS
• ABLE TO LINK AN ENTRY POINT AND A RETRIEVAL POINT WITHIN THEAPPLICATION
• THERE IS THE POTENTIAL THAT THE INJECTION IS STORED IN A PART OFTHE APPLICATION THE TESTER
DOESN’T HAVE ACCESS TO, OR A DIFFERENT APPLICATION ALTOGETHER.
• CONCEPTUALLY, THINK ABOUT DERAL HEILAND’S XSS ATTACK AGAINST ARUBA WIDS BY SETTING HIS
SSID TO <SCRIPT>ALERT(XSS)</SCRIPT>
• HTTP://FOOFUS.NET/~PERCX/PAPERS/PRACTICAL_EXPLOITATION_SSID.PPTX

TESTING AFTER DNS INTERACTION
• IF COLLABORATOR DETECTS A DNS INTERACTION, BUT NOT THE OTHER TWO, USE EGRESS BUSTING TECHNIQUES
• USE INTRUDER TO INJECT PAYLOADS WHILE ITERATING PORT NUMBERS
• IF YOU HAVE COMMAND INJECTION ON A *NIX BOX, USE NETCAT:
• /bin/nc -zv bc.funsec.net 1-65535 2&>1
• for ((i=0; $i < 65535; i++)); do echo >/dev/tcp/localhost/$i && echo $i open; done
2>/dev/null
• COMMAND INJECTION ON WINDOWS:
• C:> PS C:> 1..1024 | % { echo ((new-object
Net.Sockets.TcpClient).Connect("10.1.1.14",$_)) "$_ is open" } 2>$null
• C:> for /L %i in (1,1,1024) do @((echo open 10.1.1.14 %i)&(echo quit)) | ftp 2>&1 |
find "host" && @echo %i is open

TESTING WITH HTTP(S) INTERACTION
• TRY METASPLOIT SERVICE AUTHENTICATION CAPTURES
• SERVER SIDE REQUEST FORGERY

TESTING OUT OF BAND RESOURCE LOADS
• BEEF
• METASPLOIT BROWSER AUTOPWN
• LOCALHOST SERVICES

MIA: MANUAL TOOLS
• PORTSWIGGER’SANNOUNCEMENT MENTIONS A COLLABORATORCLIENT AND INTRUDER INTEGRATION
THAT WOULD ALLOW YOU TO CUSTOMIZE RESPONSES FROM THE SERVER, BUTNOTHING MORE HAS BEEN
SAID.

OTHER ROADMAP ITEMS
• OUT-OF-BAND VERSIONS OF ALL INPUT-BASED SCAN CHECKS.
• DETECTION OF VARIOUS "SUPER-BLIND" VULNERABILITIES.
• CHECKS FOR STORED VERSIONS OF ALL RELEVANT VULNERABILITIES.
• HANDLING OF DEFERRED INTERACTIONS AND RETROSPECTIVE REPORTING OFRESULTING ISSUES.
• SUPPORT FOR OTHER NETWORK SERVICE PROTOCOLS, AND ASSOCIATED TESTPAYLOADS.
• MANUAL TESTING TOOLS

WHAT DATA DOES THE SERVER STORE?
• IT DOES HAVE:
• SOURCE IP OF SYSTEM INITIATING THE INTERACTION
• THE UNIQUE STRING USED TO IDENTIFY THE REQUEST THAT RESULTED IN THE INTERACTION
• ANY APPLICATION SPECIFIC DATA INCLUDED IN THE REQUEST
• IT DOES NOT HAVE:
• THE ORIGINAL REQUEST MADE MY THE BURP SCANNER TO THE TARGET APPLICATION

SECURITY OF DATA
• EACH INSTANCE OF BURP SUITE GENERATES A SECURE RANDOM SECRET
• EACH COLLABORATOR PAYLOAD HAS A RANDOM IDENTIFIER DERIVED FROM ACRYPTOGRAPHIC HASH OF
THE SECRET
• THE SECRET IS ONLY EVER COMMUNICATED FROM BURP TO THE COLLABORATOR SERVER DURING
POLLING
• THE SERVER TAKES THE SECRET, CALCULATES THE HASH, AND LOOKS FORCORRESPONDING PAYLOADS

WHAT DOES COLLABORATOR DO WITH THE
DATA?
• DETAILS OF INTERACTIONS ARE STORED IN EPHEMERAL PROCESS MEMORY ONLY.
• NO DATA OF ANY KIND IS RECORDED IN PERSISTENT FORM: FOR EXAMPLE, A DATABASE OR LOG FILE.
• DETAILS OF INTERACTIONS ARE TYPICALLY RETRIEVED BY BURP SHORTLYAFTER THEY OCCUR, AND ARE THEN DISCARDED
BY THE SERVER.
• OLD INTERACTIONS THAT HAVE NOT BEEN RETRIEVED ARE DISCARDED AFTER A FIXED INTERVAL. (HOW LONG?)
• THERE IS NO ADMINISTRATIVE FUNCTION FOR VIEWING INTERACTION DETAILS, ONLY THE RETRIEVAL MECHANISM ALREADY
DESCRIBED.
• THE COLLABORATOR SERVER DOES NOT BY DESIGN RECEIVE ANY DATA THATCOULD BE USED TO IDENTIFY ANY INDIVIDUAL
BURP USER (SUCH AS AN ACCOUNT NAME OR LICENSE KEY).

HOW DO I SET UP A PRIVATE SERVER?

SYSTEM REQUIREMENTS
• CAN RUN ON SINGLE CORE CLOUD INSTANCE WITH ONLY 512MB OF RAM
• REQUIRES WILDCARD CERTIFICATE FOR HTTPS INTERACTIONS, AND SECUREPOLLING
• CONFIGURE BASED ON THE EXPECTED VOLUME OF USAGE
• SMALL NUMBER OF EXPECTED USERS
• SUDO JAVA -XMS10M -XMX200M -XX:GCTIMERATIO=19 -JAR BURP.JAR --COLLABORATOR-SERVER
• LARGER NUMBER OF USERS
• SUDO JAVA -XMX3G -XMS3G -JAR BURP.JAR --COLLABORATOR-SERVER

REVIEW-HOW DNS WORKS
Resolving
Name
Server
Root Name
Server
Top Level Domain Name
Server
Authoritative Name
Server

DNS CONFIGURATION
• YOU NEED AN NS RECORD THAT EVENTUALLY LEADS TO YOUR COLLABORATORSERVER
• I CREATED 2 RECORDS:
• NS = NS1.BC.FUNSEC.NET
• A = BC.FUNSEC.NET

DNS CONFIGURATION
• I OWN FUNSEC.NET, AND CREATED THE SUBDOMAIN BC.FUNSEC.NET STRICTLY FOR BURP COLLABORATOR
• COLLABORATOR RESPONDS WITH THE SAME IP NO MATTER WHAT THE QUERY

CONFIG FILE
• LOOKS FOR A COLLABORATOR.CONF FILE IN THE SAME DIRECTORY YOU RAN THE TOOL FROM
• OTHER PATHS CAN BE SPECIFIED WITH THIS ARGUMENT:
• --COLLABORATOR-CONFIG=MYCONFIG.CONFIG

CONFIG FILE – OTHER OPTIONS
The metrics path is
used as a secret key,
so make it good.
This one is the
example on
Portswigger’s site, so
NEVER use it. 

HOW DO YOU SPOT A COLLABORATOR
SERVER?

REFERENCES
• HTTPS://PORTSWIGGER.NET/BURP/HELP/COLLABORATOR_DEPLOYING.HTML
• SERVER SIDE REQUEST FORGERY:HTTP://SETHSEC.BLOGSPOT.COM/2015/12/EXPLOITING-SERVER-SIDE-
REQUEST-FORGERY.HTML
• NATIVE CLI PORT SCANNING: HTTP://BLOG.COMMANDLINEKUNGFU.COM/2010/04/EPISODE-89-LETS-
SCAN-US-SOME-PORTS.HTML
• SUPER BLIND XSS: HTTP://FOOFUS.NET/~PERCX/PAPERS/PRACTICAL_EXPLOITATION_SSID.PPTX
• DNS MADE EASY VIDEOS. (2012, FEBRUARY 27). DNS EXPLAINED. RETRIEVED FEBRUARY 2, 2016, FROM
HTTPS://WWW.YOUTUBE.COM/WATCH?V=72SNZCTFFTA&INDEX=1&LIST=LLG7ONF1ZVQSYEKD9M4BR5-G

Jon Gorenflo - Burp Collaborator

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (18)

Semelhante a Jon Gorenflo - Burp Collaborator

Semelhante a Jon Gorenflo - Burp Collaborator (20)

Mais de centralohioissa

Mais de centralohioissa (20)

Último

Último (20)

Jon Gorenflo - Burp Collaborator

Notas do Editor