Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about how to use http tunnel to use burpsuite to intercept tcp packets of a certain app. Many people may not know much about it. In order to make you understand better, the editor has summarized the following for you. I hope you can get something according to this article.

Demand

The previous burpsuite can only block http-related application traffic, but it can not block tcp traffic very well, and it can not be well forwarded by http tunnel for non-https tcp traffic, resulting in some programs that need tcp pre-verification unable to catch http packets. Now we have barely built a wheel on the basis of NoPE. NoPE plug-in is mainly through dns, if it is for a specific application, or hard-coded ip tcp traffic interception, it is not very convenient, now provides a http tunnel proxy method, with proxifier is more convenient.

The tools used are:

Squid is used to set up http proxy (or something like mitmproxy or charles, but set the certificate)

Burpsuite+Burp-Non-HTTP-Extension is used to intercept tcp or http data

Proxifier, used to establish http tunnel forwarding tcp

The data flow is as follows:

Where it is intercepted by Burp-Non-HTTP-Extension

Download address of Burp-Non-HTTP-Extension:

Https://github.com/summitt/Burp-Non-HTTP-Extension/releases

After preparing the above tools, we use squid to set up a http proxy snooping local 127.0.0.1 assuming that the listening port is 3128, or some other http proxy. Remember to set "http_access allow all"

Set up such a monitoring service with Burp-Non-HTTP-Extension. Listen port fill in 8080 address address fill in 127.0.0.1 server port fill in 3128, that is, forward the traffic of port 8080 to the http agent of 3128.

At the same time, establish an agent rule on proxifier to forward the traffic of a program to port 8080 through http tunnel, such as listening to the netcat program here.

One of the pitfalls is that the dns setting of this proxifier needs to be set to detect dns settings automatically instead of resolve hostnames through proxy, because some proxy may not have this feature. Otherwise, an ERROR_INVALID_ARGUEMENT error will be reported.

After that, you can happily monitor, the effect is as follows, you can also intercept changes and replay, but beware of timeouts.

If it is a mobile app, you can use the Night God simulator to run the app and then use proxifier to proxy virtual box.

Of course, if it is an application that is sensitive to agents, you can also set up agents like this in wifi on mobile phones.

Settings-"WIFI, long press the name of the company's internal WIFI, select" modify Network ", check" Show Advanced options ", and change the proxy settings to" Manual ". You can fill in the host and port of the HTTP agent.

Or use Android's proxydroid or ios's small rocket to make it insensitive to agents and force app to leave agents. The same is true on computers, set up system agents for programs that are sensitive to agents, and use proxifier or proxychains4 for programs that are not sensitive, if app or the program comes with its own settings.

After reading the above, do you have any further understanding of how to use http tunnel to intercept tcp packets of an app using burpsuite? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.