Intercepting malware traffic with Burp Proxy
The lab is made of two VMs: a REMnux machine and a Windows machine.
The REMnux machine has 2 network interfaces:
- eth0, configured on the virtual LAN segment REMLab with static IP 10.0.0.1;
- eth1, configured in Bridge mode on the host's main network interface with DHCP; this interface should normally stay disabled unless Internet access is needed.
The Windows machine has 1 network interface, configured on the virtual LAN segment REMLab with static IP 10.0.0.3.
Traffic from the Windows machine passes through the REMnux machine because REMnux is its default gateway. Traffic to ports 80 or 443 is then redirected locally on the REMnux machine to port 8080 (i.e. Burp). Burp in turn forwards the traffic either to its original destination or locally to a fake service, whichever is needed.
Step 1. On the REMnux machine, enable IP forwarding.
remnux@remnux:~$ sudo sysctl -w net.ipv4.ip_forward=1
Step 2. Add iptables rules that redirect all traffic sent to ports 80 and 443 to the port Burp will be listening on (8080).
remnux@remnux:~$ sudo iptables -P FORWARD ACCEPT
remnux@remnux:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
remnux@remnux:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
Step 3. Start a fake DNS service that answers every DNS request with the IP of this REMnux host. It can be either fakedns or inetsim.
remnux@remnux:~$ fakedns 10.0.0.1
Step 4. Start fake HTTP services with inetsim. Edit /etc/inetsim/inetsim.conf, make sure the HTTP and HTTPS services are enabled and properly configured, then start the daemon.
remnux@remnux:~$ sudo service inetsim restart
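Steps 1 to 4 above are the whole REMnux-side procedure, so here they are collected into one script that can bring the lab up, tear it down again (deleting exactly the nat rules it added and switching forwarding back off), or show its state. This is an added example, not a script from the original post or from the REMnux project; it assumes the page's layout (lab interface eth0 with 10.0.0.1, Burp on 8080, fakedns and inetsim installed), and the function and variable names (lab_up, lab_down, lab_status, LAB_IF, BURP_PORT, ...) are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original post): REMnux side of the lab in one
# script. Assumed layout, overridable through the environment:
LAB_IF="${LAB_IF:-eth0}"          # interface on the REMLab segment
LAB_IP="${LAB_IP:-10.0.0.1}"      # IP that fakedns answers with
BURP_PORT="${BURP_PORT:-8080}"    # Burp listener (invisible proxying)
LAB_PORTS="${LAB_PORTS:-80 443}"  # destination ports pulled into Burp

# Print the nat rule that sends traffic for one destination port to Burp.
# $1 = iptables action (-A to add, -D to delete), $2 = destination port.
redirect_rule() {
    printf 'iptables -t nat %s PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-port %s\n' \
        "$1" "$LAB_IF" "$2" "$BURP_PORT"
}

# Print every rule the lab needs, one per line, with the given action.
lab_rules() {
    for port in $LAB_PORTS; do
        redirect_rule "$1" "$port"
    done
}

# Number of redirect rules lab_up installs (one per port in LAB_PORTS).
lab_rule_count() {
    lab_rules -A | wc -l | tr -d ' '
}

# Steps 1-4: forwarding, redirect rules, fake DNS, fake HTTP/HTTPS.
lab_up() {
    sudo sysctl -w net.ipv4.ip_forward=1
    sudo iptables -P FORWARD ACCEPT
    lab_rules -A | while read -r rule; do sudo $rule; done
    sudo service inetsim restart
    # fakedns answers every name with the REMnux IP; log kept for later review
    nohup fakedns "$LAB_IP" >/tmp/fakedns.log 2>&1 &
}

# Reverse of lab_up: same rules with -D, forwarding off, fakedns stopped.
# The FORWARD policy is left as set; adjust it here if your baseline differs.
lab_down() {
    lab_rules -D | while read -r rule; do sudo $rule; done
    sudo sysctl -w net.ipv4.ip_forward=0
    pkill -f "fakedns $LAB_IP" || true
}

# Quick check that forwarding and the redirect rules are in place.
lab_status() {
    echo "ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"
    sudo iptables -t nat -L PREROUTING -n --line-numbers
}

case "${1:-}" in
    up)     lab_up ;;
    down)   lab_down ;;
    status) lab_status ;;
    rules)  lab_rules -A ;;   # dry run: print the rules without applying them
esac
```

Usage: `sh remlab.sh rules` prints the rules without touching the firewall, `sh remlab.sh up` applies Steps 1 to 4, and `sh remlab.sh down` removes them once the analysis session is over, so no redirect rule lingers on the next boot-up of the VM.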
Step 5. Open Burp Suite and configure it as follows:
- Proxy -> Intercept: set intercept to off.
- Proxy -> Options -> Proxy Listeners: set or edit a listener to listen on port 8080 on all interfaces (*:8080); enable invisible proxying; if needed, configure the redirect to the local address inetsim is listening on (10.0.0.1:*).
Step 6. Export Burp Suite's CA certificate as a DER file; it will be imported into the trust store on the Windows host. Go to Proxy -> Options -> Import / Export CA certificate.
Step 1. On the Windows machine, set the default gateway to the IP of the REMnux host (10.0.0.1).
Step 2. Set the DNS server address to the IP of the REMnux host (10.0.0.1).
Step 3. Import the Burp Suite CA certificate (see Step 6 above) into the browser trust store (Internet Explorer, Firefox, or whichever browser is used).