Persistent Automated Collaborator

Description

Used for continuous retrieval and saving of Burp Collaborator results.

Useful in DNS exfiltration ¹

Instructions

Note: Make sure to note and replace the "KEY"

1. In Burp go to Project options -> Misc and check Poll over unencrypted HTTP
2. Open Collaborator: Burp menu -> Burp Collaborator client
3. Run tshark:
   1. sudo tshark -Y http -T fields -e http.request.method -e http.request.uri -e http.host -e http.request.uri
4. ‘Poll’ interactions in the Collaborator client and observe following request in tshark:
   1. GET polling.burpcollaborator.net /burpresults?biid=KEY
5. Acquire one or more (depending on your needs) Collaborator’s hostnames (number to generate & 'copy to clipboard')
6. Now you can retreive (also after closing the Collaborator client) interactions with your Collaboarator’s hostnames by requesting:
   1. curl http://polling.burpcollaborator.net/burpresults?biid=KEY

Filtered Command

curl http://polling.burpcollaborator.net/burpresults?biid=KEY | cut -d \" -f 24|cut -d . -f 1

Loop Command

while true; do VALUE=$(curl -s -XGET "https://polling.burpcollaborator.net/burpresults?biid=KEY" | cut -d \" -f 24|cut -d . -f 1| tr -d {|tr -d \} ) && if [ -n "$VALUE" ]; then echo $VALUE >> ~/Results/BurpSuite/Collaborator.txt; fi && sleep 1; done

Update (October 23, 2020)

Please also see Collabfiltrator

---

1. @mzet- ↩

2. Same person's blog ↩

---

Last update: January 27, 2021