Deploy a private Burp Collaborator Server in Azure

Javier Olmedo
Jun 17 · 6 min read

Table of contents


1. Azure machine and port forwarding

Azure Network Admin Panel
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install default-jre
sudo mkdir -p /usr/local/collaborator
sudo mv /usr/local/collaborator/burpsuite_pro_v1.7.37.jar /usr/local/collaborator/collaborator.jar

2. Get a free custom domain

Freenom domain admin panel

3. Make a collaborator configuration file

sudo nano /usr/local/collaborator/collaborator.config
{
"serverDomain" : "burp.mydomain.tk",
"workerThreads" : 10,
"eventCapture": {
"localAddress" : ["10.*.*.*"],
"publicAddress" : "40.*.*.*",
"http": {
"ports" : 80
},
"https": {
"ports" : 443
},
"smtp": {
"ports" : [25, 587]
},
"smtps": {
"ports" : 465
},
"ssl": {
"certificateFiles" : [
"/usr/local/collaborator/keys/privkey.pem",
"/usr/local/collaborator/keys/cert.pem",
"/usr/local/collaborator/keys/fullchain.pem" ]
}
},
"polling" : {
"localAddress" : "10.*.*.*",
"publicAddress" : "40.*.*.*",
"http": {
"port" : 9090
},
"https": {
"port" : 9443
},
"ssl": {
"hostname" : "burp.mydomain.tk"
}
},
"metrics": {
"path" : "hackpuntes",
"addressWhitelist" : ["0.0.0.0/24"]
},
"dns": {
"interfaces" : [{
"name": "ns1",
"localAddress" : "10.*.*.*",
"publicAddress" : "40.*.*.*"
}],
"ports" : 53
},
"logLevel" : "INFO"
}

4. Create files needed to generate and move certificates

sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x ./certbot-auto
sudo nano /usr/local/collaborator/configure_certs.sh
#!/bin/bash

CERTBOT_DOMAIN=$1
if [ -z $1 ];
then
echo "Missing mandatory argument. "
echo " - Usage: $0 <domain> "
exit 1
fi
CERT_PATH=/etc/letsencrypt/live/$CERTBOT_DOMAIN/
mkdir -p /usr/local/collaborator/keys/

if [[ -f $CERT_PATH/privkey.pem && -f $CERT_PATH/fullchain.pem && -f $CERT_PATH/cert.pem ]]; then
cp $CERT_PATH/privkey.pem /usr/local/collaborator/keys/
cp $CERT_PATH/fullchain.pem /usr/local/collaborator/keys/
cp $CERT_PATH/cert.pem /usr/local/collaborator/keys/
echo "Certificates installed successfully"
else
echo "Unable to find certificates in $CERT_PATH"
fi

5. Get certificates from Let´s Encrypt

Error DNS problem: SERVFAIL looking up
Top menu of Azure
Azure console
$caaRecords = @()
$caaRecords += New-AzureRmDnsRecordConfig -CaaFlag "0" -CaaTag "iodef" -CaaValue "me@mydomain.tk"
$caaRecords += New-AzureRmDnsRecordConfig -CaaFlag "0" -CaaTag "issue" -CaaValue "letsencrypt.org"
New-AzDnsRecordSet -Name "@" -RecordType CAA -ZoneName "MYDOMAIN.TK" -ResourceGroupName [AZURE-DNS-ZONE] -Ttl 3600 -DnsRecords $caaRecords
DNS Zone of Azure
./certbot-auto certonly -d mydomain.tk -d *.mydomain.tk  --server https://acme-v02.api.letsencrypt.org/directory --manual --agree-tos --no-eff-email --manual-public-ip-logging-ok --preferred-challenges dns-01
Verification of Let´s Encrypt
Azure DNS Zone
Verification script of Let´s Encrypt
chmod +x /usr/local/collaborator/configure_certs.sh && /usr/local/collaborator/configure_certs.sh burp.mydomain.com

6. Run Collaborator

sudo nano .bashrc
alias collaborator='sudo java -jar /usr/local/collaborator/collaborator.jar --collaborator-server --collaborator-config=/usr/local/collaborator.config'
collaborator
Run Collaborator
sudo nano /etc/systemd/system/collaborator.service
[Unit]
Description=Burp Collaborator Server Daemon
After=network.target

[Service]
Type=simple
User=$USER
UMask=007
ExecStart=/usr/bin/java -Xms10m -Xmx200m -XX:GCTimeRatio=19 -jar /usr/local/collaborator/collaborator.jar --collaborator-server --collaborator-config=/usr/local/collaborator/collaborator.config
Restart=on-failure

# Configures the time to wait before service is stopped forcefully.
TimeoutStopSec=300

[Install]
WantedBy=multi-user.target
systemctl enable collaborator
systemctl start collaborator

7. Configure Burp Suite to use private Collaborator

Health Check on Burp Suite

8. Acknowledgement


InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. #sharingiscaring

Javier Olmedo

Written by

Security Researcher & Ethical Hacker - Author blog https://hackpuntes.com

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. #sharingiscaring