Burp Suite User Forum

Create new post

Intruder and SNI

Federico | Last updated: Dec 23, 2022 04:00PM UTC

Hi, In recent assessment I would like to brute-force domains for a class of IP addresses (port 443, with SSL/TLS) using the Intruder of Burp Suite. New intruder versions allow to insert the insertion point also in the target and that's great but in my situation it did not work due to the SNI (Server Name Indication). In fact, if I put an insertion point in the target in which I supply a list of the IP addresses of my target class and another one on the Host header value with all the domains and subdomains I want to brute, it does not work due to the SNI. The SNI uses the IP address to select the certificate and not the Host value. This is correct for the protocol but it would be great to be able to use the value of the Host header for the SNI instead of the target IP address. The same could potentially apply also for the Repeater. I executed the brute-force using a bash script and curl with output to file, but it would be great to use Burp Suite and have all requests/responses in it (I cannot use the proxy option of curl because it breaks SNI the same way of the Intruder). An example of curl command I used that does not break SNI is the following one: curl -i -k --resolve hostname-to-brute.com:443: https://hostname-to-brute.com Thank you!

Liam, PortSwigger Agent | Last updated: Dec 27, 2022 10:21AM UTC

Thanks for your message, Federico. Java ought to handle SNI automatically, provided this is not disabled. Have you changed any of these options? - https://portswigger.net/burp/documentation/desktop/settings/network/tls

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.