This is a Terraform configuration to build a Burp Private Collaborator Server on an Amazon Web Services EC2 Instance. It uses Terraform to create the instance and then uses our Ansible Burp Collaborator Server role from Ansible Galaxy to provision the Burp service.
Some basic awareness of the AWS API and perhaps a little Terraform is assumed but if you're playing with Burp Collaborator you are hopefully technical enough to muddle through if not. Ping us questions if you get stuck @4ARMED.
This configuration assumes you have registered your domain on the AWS Route53 Registrar. There's a very good reason why this is simpler, we don't have to mess about with working out NS servers for the hosted zone and waiting for NS updates to propagate. If we keep it all within the AWS family it's quicker and easier. It's almost like they've thought of this. ;-)
If you want to use an existing domain registered with another provider it is perfectly possible and there are instructions at the end on how to tweak this accordingly.
Just in case you've been living in a cave, everything in this README will cost you money on AWS. Even the free tier won't save you as it costs $0.50 per month for a hosted zone.
4ARMED are not in any way liable for your infrastructure costs. You should know by now not to just run things without understanding what you're doing. :-)
To use this you need to perform a couple of additional steps to be ready to run Terraform. The first is you need an AWS account and a valid access ID and secret (create a programmatic-only IAM user). I'm not going to talk through how to do this as it'll double the length of this document. Sorry! Try here http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html.
Once you have these values they can be plugged in to this to configure the AWS Provider.
This config assumes you will use the AWS CLI credentials store. First install it if you have not already:
pip install aws-cli
Then configure it:
aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: ENTER
If you don't have Ansible installed, you will need to do so. I recommend the devel version, it's very stable. If you choose to go main make sure you have at least version 2.2.
pip install git+git://github.com/ansible/ansible.git@devel
git clone https://github.com/4ARMED/terraform-burp-collaborator.git
cd terraform-burp-collaborator
It is assumed that everything else in this doc will be performed with the current working directory in this folder.
We're going to assume you don't have a keypair already in AWS so we'll generate one now and upload it to AWS. You can skip this step if you already have one, just update terraform.tfvars to use the right key_pair_name and place the public key file in this directory.
Feel free to use a different comment or algorithm and it's best to set a passphrase on the key (obvs).
ssh-keygen -b 2048 -t rsa -C private_burp@aws -f mykeypair
Which will produce output like:
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mykeypair.
Your public key has been saved in mykeypair.pub.
Make sure your keypair file has the same name as your key_pair_name variable as we will look there to upload it to AWS.
You will need to supply your own copy of the latest Burp Suite Professional jar file. Go buy one at the Portswigger website. When you have it copy the jar into this folder. The Ansible playbook will glob in this directory, if you put more than one in you are at the mercy of glob as to which ends up on your server.
In this example I've used the latest version at the time of writing. Given the rate of release these instructions will be out of date in a couple of weeks.
cp /some/path/to/burpsuite_pro_v1.7.21.jar .
Edit the file terraform.tfvars.
# Use whatever region you prefer
region = "eu-west-2"
# Here we are using a different AWS profile from default, you don't have to but this is how if you need to.
profile = "research"
# Adjust according to your region and AZ preference
availability_zone = "eu-west-2a"
# This is the smallest (read cheapest) instance type available. Works ok with this.
instance_type = "t2.nano"
# Make sure the name of your keypair matches the filename minus the .pub suffix.
key_name = "mykeypair"
# You can call this what you like, it's only used to set the hostname
# on the Linux box
server_name = "burp-collaborator"
# Don't use this one. It's ours.
zone = "4armed.net"
# This is a pretty sensible default but again, change it if you like. The only downside is it's long which may
# cause problems if you only have limited injection space.
burp_zone = "collaborator" # This will result in collaborator.4armed.net
# Restrict this to places you will SSH from. The whole Internet is not all so friendly.
permitted_ssh_cidr_block = "0.0.0.0/0"
Now we're ready to run Terraform. First verify everything is ok by running plan:
terraform plan
Assuming you don't get any horrible errors you're ready to go.
terraform apply
Now sit back and behold the awesomeness of infrastructure as code.
The following operations will be performed:
- Create AWS security group permitting all Burp Collaborator traffic plus SSH to your permitted_ssh_cidr_block CIDR.
- Create EC2 instance using Ubuntu Xenial (16.04) image for your chosen region in your default VPC.
- Create an A record for your chosen hostname in your AWS hosted zone pointing to the IP address of new EC2 instance
- Create an NS record for your chosen hostname pointing to the A record just created.
- Run the 4ARMED.burp-collaborator Ansible playbook on the EC2 instance to install and configure Burp Collaborator.
If you want to use this Terraform config but are using a domain registered somewhere other than AWS (and not transferred in) you can use a slightly different version of this Terraform plan. You will also need to manually update the DNS at your register to point an A record to your new EC2 instance and an NS record for the zone too.
There is a different version of main.tf that does not include the route53 section at main.tf.nonawsdomain. To use this simply take a backup of the main.tf
file and then copy this nonawsdomain version over it.
cp main.tf{,.aws}
cp main.tf{.nonawsdomain,}
Now run the plan
and apply
steps as above. It will output the public IP address that you will need for your dns updates but just in case you miss it somehow you can run anytime:
terraform output public_ip
For the DNS updates, here is what you need to do:
- Create an A record for your
burp_zone
pointing to the public IP. In my case, myburp_zone
isburp-collaborator
so my A record entry looks like (I use Namecheap for my DNS needs), wherex.y.z.p
should be the public IP of your instance obtained fromterraform output public_ip
:
A Record | burp-collaborator | x.y.z.p | Automatic
- Create an NS record for your
burp_zone
pointing toburp_zone.zone
. In my case, myburp_zone
isburp-collaborator
and myzone
isanshumanbhartiya.com
so my entry looks like this:
NS Record | burp-collaborator | burp-collaborator.anshumanbhartiya.com. | Automatic
If everything went ok you should be able to plug the hostname of your new private server into Burp and test it out.
Fire up Burp Suite Professional and go to Project options > Misc > Burp Collaborator Server and check the box for Use a private Collaborator server.
In Server location enter the hostname of your server. Hint, this will be the value of burp_zone
prepended to zone
from terraform.tfvars. In our example collaborator.4armed.net
. You will also need to tick the box for Poll over unencrypted HTTP at the moment as we have used a self-signed certificate.
LetsEncrypt lets you create free
wildcard certificates for your domain now so lets use that to generate a SSL cert for our domain:
-
SSH onto the instance that was created for the Burp Collaborator server. The command should look like
ssh -i <ssh-private-key> ubuntu@<public-ip>
-
Run the following commands (after replacing your email and domain which are marked as redacted below):
apt-get update
apt-get install python-minimal
python --version
apt-get install git-core
git --version
cd /opt
git clone https://github.com/certbot/certbot.git
cd certbot
./certbot-auto certonly --manual --preferred-challenges=dns --email <redacted> --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.<redacted>.com
After the last command, you will be asked to verify a TXT record on your domain to verify the ownership. Simply, go to your DNS management console and create a TXT record that should look like this:
TXT Record | _acme-challenge | whatever_value_you_are_asked_to_add | Automatic
PS - Notice that we are actually creating a wildcard SSL cert for *.yourdomain.com
so this should serve not only burp-collaborator.yourdomain.com
but also any other subdomains.
Once the certificate and key are successfully created, make sure the certificate is valid by typing ./certbot-auto certificates
-
Next, copy the cert file from the EC2 instance over to the local directory and overwrite the
burp.crt
file with that. -
Copy the key file from the EC2 instance over the local directory and overwrite the
burp.pk8
file with that. -
Run
ansible-playbook -i inventory playbook.yml --tags setup,restart
-
Your Burp Collaborator server should successfully restart and you can now access it over SSL as well. Go back to your Burp under Project Options -> Misc and uncheck
Poll over unencrypted HTTP
and Run a health check. Everything should be Green.
Congratulations, You are all set with your own private Burp Collaborator server!!
When you've had your fun, if you want to kill the whole thing just run:
terraform destroy