Burp Suite User Forum


Use Burp Suite with redsocks

Jackpot | Last updated: Apr 25, 2021 07:39AM UTC

Firstly, I'm new to Burp, therefore I may have many misunderstandings about it.

I'm using redsocks (patched version actually) to redirect all TCP traffic through Burp Suite. Then I found that non-HTTP(S) traffic (like nslookup -vc, aka DNS over TCP) just won't go through Burp.

My redsocks is patched with https://github.com/darkk/redsocks/pull/162, so that:

Any TCP will be redirected through HTTP CONNECT [hostname]:[port]

In this case, [hostname] can be either the host name (usually a domain name) parsed from HTTP Post header or TLS SNI extension (which seems to be similar to Burp's invisible proxy feature), or just the IP address (in case no host name could be successfully parsed). Without this patch, hostname can only be an IP address.

After googling, I'm now aware of nope-proxy. However, after loading the nope-proxy extension, nslookup -vc still doesn't seem to go through Burp. Then... it seems that nope-proxy doesn't even know the target hostname/IP address? In my opinion, with redsocks, things like lister.py will no longer be needed at all, maybe - if I didn't misunderstand the situation.

With Fiddler, nslookup -vc just goes through it transparently. (However, Fiddler doesn't support HTTP/2 so far, while Burp supports it.)

By the way:

(1) If HTTP CONNECTs were sent with an IP address rather than a parsed host name, with Burp's invisible proxy enabled, I still see IP addresses appearing in Burp's HTTP history. However, this doesn't seem to bother me in any way.

(2) I cannot post this with Chrome; the captcha js seemed to be blocked, "blocked:csp". With Firefox I still have to set security.csp.enable = false. It seemed that "https://www.gstatic.cn/recaptcha/releases/dpzVjBAupwRfx3UzvXRnnAKb/recaptcha__zh_cn.js" can't be loaded.

Jackpot | Last updated: Apr 25, 2021 08:15AM UTC

After reflecting on this, I think maybe it would be really cool for Burp Suite to act as a shadowsocks server. Please see https://shadowsocks.org for more details. Hint: it's very simple & cross-platform.

For example: Currently, on the Android device which has an app I want to capture traffic from, I have installed shadowsocks-android to redirect all (TCP) traffic to my ss-server. My ss-server is set up inside an Ubuntu VM. Then I redirect traffic of ss-server to redsocks, and then redsocks redirects the traffic to Burp Suite outside the VM.

If Burp Suite itself supports ss-server, I won't need to deal with the hassle around VM/iptables/redsocks etc.

Jackpot | Last updated: Apr 25, 2021 08:26AM UTC

There are many other possibilities, like OpenWrt router with ss-redir (part of shadowsocks-libev) or just redsocks installed. With such a router I can redirect any TCP traffic to Burp Suite without touching any network-related stuff of the target device at all.

Uthman, PortSwigger Agent | Last updated: Apr 26, 2021 11:06AM UTC

Hi,

Are you asking for Burp to act as a socks proxy?

Jackpot | Last updated: Apr 28, 2021 07:36AM UTC

> Are you asking for Burp to act as a socks proxy?

Sort of, because the SOCKS header gives the destination hostname and port. However, such info is actually given by HTTP CONNECT as well.

I'm not sure whether I have grasped the usage of nope-proxy; however, to my current understanding, nope-proxy is not intended to accept HTTP CONNECT as well. It seems that nope-proxy can't know the destination hostname/port from the incoming connection directly, so that lister.py is required.

Uthman, PortSwigger Agent | Last updated: Apr 28, 2021 08:32AM UTC

Thanks for the feedback.

If you have any specific questions about nope-proxy, you will need to raise these with the original author on GitHub:

- https://github.com/summitt/Burp-Non-HTTP-Extension/issues

It looks like nope is focused on DNS and TCP traffic.

In terms of the socks proxy settings in Burp, do the options under User options > Connections > SOCKS Proxy meet your requirements?

Jackpot | Last updated: Apr 29, 2021 03:23AM UTC

> It looks like nope is focused on DNS and TCP traffic.

I hope that Burp itself can just let (HTTP/SOCKS/SHADOWSOCKS-)tunneled DNS or other non-HTTP(S) traffic go through it. However, it would certainly be awesome if nope could handle this situation.

> do the options under User options > Connections > SOCKS Proxy meet your requirements?

Hmm, this option seems to be "let Burp use a SOCKS proxy", not "let Burp itself act as a SOCKS proxy", doesn't it?

Uthman, PortSwigger Agent | Last updated: Apr 29, 2021 12:51PM UTC

Can you provide some more detail on what you are trying to do and why?

Jackpot | Last updated: May 01, 2021 08:12AM UTC

I'm redirecting all Internet traffic to Burp. However I found that Burp doesn't seem to let non-HTTP(S) traffic go through it.

Uthman, PortSwigger Agent | Last updated: May 04, 2021 08:17AM UTC

Thanks for the feedback.

Burp is an HTTP proxy so it allows you to proxy HTTP/HTTPS traffic. For a socks proxy, you can use one in conjunction with Burp by adding it to User options > Connections > SOCKS proxy. However, Burp itself cannot be configured as a SOCKS proxy.

- https://portswigger.net/burp/documentation/desktop/options/connections
