ip address support

README.md

@@ -1,5 +1,62 @@
-This is a Burp Suite Pro extension which augments your in-scope proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator.
-
-To use it, simply install it and browse the target website. Findings will be presented in the 'Issues' tab. You can easily customise injected payloads by editing /resources/injections
+# Collaborator Everywhere (with IP support)
 
-For further information, please refer to the whitepaper at [https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface](https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface)
+**This is a fork of @albinowax's Collaborator Everywhere plugin which works with IP addresses (instead of domain names). It can be useful when testing the application inside internal networks that have no access to and cannot be accessed from the internet.**
+
+For information about Collaborator Everywhere, please refer to the [original repository](https://github.com/PortSwigger/collaborator-everywhere/).
+
+## What has changed
+
+1. It checks whether Burp Collaborator Server location is in domain format (like oastify.com/yu8990wrjiubqd253...) or IP address one (like 10.16.0.1).
+2. For domain format, the *injection headers* are as in original. For IP address format the payloads are in a [separate file](https://github.com/afine-com/collaborator-everywhere-with-ip-support/blob/master/resources/injections-ip-address-mode).
+Bear in mind that in many cases pingbacks were made by DNS, and it is not possible to achieve that using only IP addresses.
+
+# Usage
+## Start Collaborator Server
+###Prepare configuration file for Burp Collaborator:
+Replace `192.168.1.55` with your IP address. 
+```
+{
+    "workerThreads":10,
+    "eventCapture": {
+        "localAddress":["192.168.1.55", "127.0.0.1"],
+        "publicAddress":"192.168.1.55", "http": { "ports": 80 },
+        "polling": {
+            "localAddress": "127.0.0.1",
+            "publicAddress": "192.168.1.55",
+            "http": { "ports": 8080 },
+        }
+    },
+    "logLevel": "DEBUG"
+}
+```
+Save it as *local-collaborator.cfg*
+
+### Run collaborator server
+You have to use Burp Suite JAR. Remember to change the paths. 
+```
+sudo java -jar burpsuite_pro.jar --collaborator-server --collaborator-config=local-collaborator.cfg
+```
+
+## Configure Burp Collaborator Server
+1. Project options > Burp Collaborator Server > Use a private Collaborator server (check).
+2. Set *Server location* for your local IP address.
+3. Select *Poll over unencrypted HTTP*.
+4. Click `Run health check ...` - everything apart from HTTPS, SMTPS and DNS should show *Success*.
+
+## Install Collaborator Everywhere (with IP support)
+1. Download the newest JAR from [Releases](https://github.com/afine-com/collaborator-everywhere-with-ip-support/releases/).
+2. Extender > Extensions > Add
+3. Click `Select file ...` in *Extension file (.jar)* and choose downloaded JAR file.
+
+You should see following output:
+```
+Collaborator IP address mode (payloads will be made using the IP address instead of domain)
+Restart the plugin if you change Collaborator Server Mode.
+Calculated your IPs: [192.168.1.55]
+Loaded Collaborator Everywhere (with IP support) v1.3
+```
+
+Observe in *Logger* that headers are added to the requests in *Scope*.
+
+### Fork credits
+@linoskoczek  & @mackeysec (AFINE Team)

resources/injections-ip-address-mode

@@ -0,0 +1,45 @@
+# Lines starting with # are ignored
+#param,u,http://%s/
+#param,href,http://%s/
+#param,action,http://%s/
+#param,host,%s
+#param,http_host,%s
+#param,email,root@%s
+#param,url,http://%s/
+#param,load,http://%s/
+#param,preview,http://%s/
+#param,target,http://%s/
+#param,proxy,http://%s/
+#param,from,http://%s/
+#param,src,http://%s/
+#param,ref,http://%s/
+#param,referrer,http://%s/
+# %h is replaced with corresponding Host header
+# Useful in cases like Host, Origin, etc.
+#header,Host,%s:80@%h
+#header,Origin,http://%s
+#header,X-Forwarded-Host,http://%s
+#header,X-Host,http://%s
+#header,Via,1.1 http://%s
+header,X-Forwarded-Server,http://%s
+header,Proxy-Host,http://%s
+header,Destination,http://%s
+header,Proxy,http://%s
+header,X-Original-URL,http://%s
+header,Profile,http://%s/wap.xml
+header,X-Arbitrary,http://%s
+header,X-HTTP-DestinationURL,http://%s
+header,X-Forwarded-Proto,http://%s
+header,Contact,root@%s
+header,From,root@%s
+header,User-Agent,Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@%s
+header,Referer,http://%s/ref
+header,X-Wap-Profile,http://%s/wap.xml
+header,X-Forwarded-For,http://%s
+header,True-Client-IP,http://%s
+header,Client-IP,http://%s
+header,X-Client-IP,http://%s
+header,X-Real-IP,http://%s
+header,X-Originating-IP,http://%s
+header,CF-Connecting_IP,http://%s
+header,Forwarded,for=http://%s;by=http://%s;host=http://%s

settings.gradle

@@ -1 +1 @@
-rootProject.name = 'collaborator-everywhere'
+rootProject.name = 'collaborator-everywhere-with-ip-support'

src/burp/BurpExtender.java

@@ -4,9 +4,10 @@
 import java.net.UnknownHostException;
 import java.text.SimpleDateFormat;
 import java.util.*;
+import java.util.regex.Pattern;
 
 public class BurpExtender implements IBurpExtender {
-    private static final String name = "Collaborator Everywhere";
+    private static final String name = "Collaborator Everywhere (with IP support)";
     private static final String version = "1.3";
 
     // provides potentially useful info but increases memory usage
@@ -160,13 +161,13 @@ public long getTimestamp() {
 
 class Correlator {
 
-    private IBurpCollaboratorClientContext collab;
     private HashMap<String, Integer> idToRequestID;
     private HashMap<String, String> idToType;
     private HashMap<Integer, MetaRequest> requests;
     private HashMap<Integer, Integer> burpIdToRequestID;
     private HashSet<String> client_ips;
     private int count = 0;
+    protected IBurpCollaboratorClientContext collab;
 
     Correlator() {
         idToRequestID = new HashMap<>();
@@ -175,11 +176,23 @@ class Correlator {
         burpIdToRequestID = new HashMap<>();
         collab = Utilities.callbacks.createBurpCollaboratorClientContext();
         client_ips = new HashSet<>();
-
         try {
-            String pollPayload = collab.generatePayload(true);
-            Utilities.callbacks.makeHttpRequest(pollPayload, 80, false, ("GET / HTTP/1.1\r\nHost: " + pollPayload + "\r\n\r\n").getBytes());
-            for (IBurpCollaboratorInteraction interaction: collab.fetchCollaboratorInteractionsFor(pollPayload)) {
+            String hostOrIp = collab.generatePayload(true);
+            String getPath = "/";
+            String payload = hostOrIp;
+            String[] splittedPollPayload = hostOrIp.split("/");
+            if(splittedPollPayload.length == 2 &&
+                    (Utilities.isIPv4Address(splittedPollPayload[0]) || Utilities.isIPv6Address(splittedPollPayload[0]))) {
+                Utilities.out("Collaborator IP address mode (payloads will be made using the IP address instead of domain)");
+                hostOrIp = splittedPollPayload[0];
+                getPath += splittedPollPayload[1];
+                payload = hostOrIp + getPath;
+            } else {
+                Utilities.out("Collaborator domain name mode (default, payloads will be made using domain name)");
+            }
+            Utilities.out("Restart the plugin if you change Collaborator Server Mode.");
+            Utilities.callbacks.makeHttpRequest(hostOrIp, 80, false, ("GET " + getPath +" HTTP/1.1\r\nHost: " + hostOrIp + "\r\n\r\n").getBytes());
+            for (IBurpCollaboratorInteraction interaction: collab.fetchCollaboratorInteractionsFor(payload)) {
                 client_ips.add(interaction.getProperty("client_ip"));
             }
             Utilities.out("Calculated your IPs: "+ client_ips.toString());
@@ -188,7 +201,7 @@ class Correlator {
             Utilities.out("Unable to calculate client IP - collaborator may not be functional");
         }
         catch (java.lang.IllegalArgumentException e) {
-            Utilities.out("The Collaborator appears to be misconfigured. Please run a health check via Project Options->Misc. Also, note that Collaborator Everywhere does not support the IP-address mode.");
+            Utilities.out("The Collaborator appears to be misconfigured. Please run a health check via Project Options->Misc.");
         }
 
     }
@@ -208,7 +221,7 @@ String generateCollabId(int requestCode, String type) {
         String id = collab.generatePayload(false);
         idToRequestID.put(id, requestCode);
         idToType.put(id, type);
-        return id+"."+collab.getCollaboratorServerLocation();
+        return collab.getCollaboratorServerLocation()+"/"+id;
     }
 
     String getLocation() {
@@ -243,8 +256,12 @@ class Injector implements IProxyListener {
 
     Injector(Correlator collab) {
         this.collab = collab;
-
-        Scanner s = new Scanner(getClass().getResourceAsStream("/injections"));
+        Scanner s;
+        if(Utilities.isIPv4Address(collab.collab.getCollaboratorServerLocation()) || Utilities.isIPv6Address(collab.collab.getCollaboratorServerLocation())) {
+            s = new Scanner(getClass().getResourceAsStream("/injections-ip-address-mode"));
+        } else {
+            s = new Scanner(getClass().getResourceAsStream("/injections"));
+        }
         while (s.hasNextLine()) {
             String injection = s.nextLine();
             if (injection.charAt(0) == '#') {
@@ -253,7 +270,6 @@ class Injector implements IProxyListener {
             injectionPoints.add(injection.split(",", 3));
         }
         s.close();
-
     }
 
     public byte[] injectPayloads(byte[] request, Integer requestCode) {

src/burp/Utilities.java

@@ -9,6 +9,7 @@
 import java.net.URL;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.regex.Pattern;
 
 
 public class Utilities {
@@ -143,6 +144,20 @@ public static byte[] addOrReplaceHeader(byte[] request, String header, String va
         }
     }
 
+    private static final Pattern PATTERN_IPV4 = Pattern.compile(
+            "^(([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.){3}([01]?\\d\\d?|2[0-4]\\d|25[0-5])$");
+
+    private static final Pattern PATTERN_IPV6 = Pattern.compile(
+            "^(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:)?((25[0-5]|(2[0-4]|1?[0-9])?[0-9])\\.){3}(25[0-5]|(2[0-4]|1?[0-9])?[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1?[0-9])?[0-9])\\.){3}(25[0-5]|(2[0-4]|1?[0-9])?[0-9]))");
+
+    public static boolean isIPv4Address(final String ip) {
+        return PATTERN_IPV4.matcher(ip).matches();
+    }
+
+    public static boolean isIPv6Address(final String ip) {
+        return PATTERN_IPV6.matcher(ip).matches();
+    }
+
 }
 
 class CustomScanIssue implements IScanIssue {