This repository includes a set of scripts to install a Burp Collaborator Server in a docker environment, using a LetsEncrypt wildcard certificate. The objective is to simplify as much as possible the process of setting up and maintaining the server.
Delegate a domain or subdomain to your soon-to-be burp collaborator server IP address. At the minimum you'll need an NS record for the domain/subdomain to be used.
For example, if your collaborator domain is burpserver.example, you need to make NS records pointing with an A record to the public IP of the server: 1.2.3.4
Here as an example dig command to confirm:
dig NS burpserver.example
Output:
; <<>> DiG 9.10.6 <<>> NS burpserver.example
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49449
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;burpserver.example. IN NS
;; ANSWER SECTION:
burpserver.example. 308 IN NS ns2.burpserver.example.
burpserver.example. 308 IN NS ns1.burpserver.example.
;; ADDITIONAL SECTION:
ns2.burpserver.example. 308 IN A 1.2.3.4
ns1.burpserver.example. 308 IN A 1.2.3.4
;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jul 12 11:20:29 EDT 2024
;; MSG SIZE rcvd: 104Check https://portswigger.net/burp/documentation/collaborator/deploying#dns-configuration for further info.
- Internet accessible server
- bash
- docker
- bc
- openssl
- Burp Suite Professional
- Clone or download the repository to the server (tested on ubuntu 16.04) to a directory of your choice.
- Put the Burp Suite JAR file in
./burp/pkg/burp.jar(make sure the name is exactlyburp.jar, and it is the actual file not a link) - Run init.sh with your subdomain and server public IP address as argument:
./init.sh burp.example.com 1.2.3.4
This will start the environment for the subdomain burp.example.com, creating a wildcard certificate as *.burp.example.com.
I'm using an ugly hack on the certbot-dns-cloudflare plugin from certbot, where it just runs a local dnsmasq with the required records, and makes all of this automagically happen.
If everything is OK, burp will start with the following message:
Burp is now running with the letsencrypt certificate for domain *.burp.example.com
You can check by running docker ps, and going to burp, and pointing the collaborator configuration to your new server.
Keep it mind that this configuration configures the polling server on port 9443.
The init.sh script will be renamed and disabled, so no accidents may happen.
- There's a renewal script in
./certbot/certificaterenewal.sh. When run, it renews the certificate if it expires in 30 days or less; - Optionally, edit the RENEWDAYS variable if you wish to. By default it will renew the certificate every 60 days. If you want to force the renewal to check if everything is working, just set it to 89 days, and run it manually. Remember to set it back to 60 afterwards.;
- Set your crontab to run this script once a day.
- Download it and make sure you put it in
./burp/pkg/burp.jar - Restart the container with
docker restart burp
If you use UFW/IPTables as your firewall on the host, both UFW and docker modify the same iptables configurations. Whatever UFW rules you have set, running a docker container completely ignores them and allows traffic, regardless of whether you explicitly block access. In order to fix the issue and be able to use UFW properly with docker, read this:
https://blog.jarrousse.org/2023/03/18/how-to-use-ufw-firewall-with-docker-containers/
These instructions assume you have the default docker set up and didn't try to fix the problem yourself yet.
Download ufw-docker script
sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker
sudo chmod +x /usr/local/bin/ufw-dockerThen using the following command to modify the after.rules file of ufw
ufw-docker installreboot the host and check if you can access the ports of your container.
Now allow the traffic to the ports on the containers
- Use the actual port thats open on the container, not the one its binded to on the host
burpis the container name, so thats what we use with below command
docker ps -a
sudo ufw-docker allow burp 8443
I have provided the commands conventiently for you here:
sudo ufw-docker allow burp 8053
sudo ufw-docker allow burp 8053/udp
sudo ufw-docker allow burp 8080
sudo ufw-docker allow burp 8443
sudo ufw-docker allow burp 8465
sudo ufw-docker allow burp 8587
sudo ufw-docker allow burp 8080I HIGHLY recommend restricting access to your polling port from an IP address or network. Don't allow the general internet to use your burp collab server for free!
your_whitelisted_ipis your public IP to allow access fromyour_containers_local_ipis 172.x.x.x
ufw route allow proto tcp from your_whitelisted_ip to your_containers_local_ip port 9443You should be good to go and have your UFW locked down!
Author: Bruno Morisson
Thanks to Fábio Pires (check his burp collaborator w/letsencrypt tutorial) and Herman Duarte (for betatesting and fixes)