Persistent Automated Collaborator

Description

Used for continuous retrieval and saving of Burp Collaborator results.

Useful for DNS exfiltration[^1]

Instructions

Note: make sure to record your own Collaborator biid and replace "KEY" in the commands below with it.

  1. In Burp go to Project options -> Misc and check Poll over unencrypted HTTP
  2. Open Collaborator: Burp menu -> Burp Collaborator client
  3. Run tshark:
    1. sudo tshark -Y http -T fields -e http.request.method -e http.host -e http.request.uri
  4. 'Poll' interactions in the Collaborator client and observe the following request in tshark:
    1. GET polling.burpcollaborator.net /burpresults?biid=KEY
  5. Acquire one or more (depending on your needs) Collaborator hostnames (enter the number to generate and 'Copy to clipboard')
  6. Now you can retrieve interactions with your Collaborator hostnames (also after closing the Collaborator client) by requesting:
    1. curl http://polling.burpcollaborator.net/burpresults?biid=KEY

Filtered Command

curl 'http://polling.burpcollaborator.net/burpresults?biid=KEY' | cut -d '"' -f 24 | cut -d . -f 1

Loop Command

while true; do VALUE=$(curl -s -XGET "https://polling.burpcollaborator.net/burpresults?biid=KEY" | cut -d '"' -f 24 | cut -d . -f 1 | tr -d '{}'); if [ -n "$VALUE" ]; then echo "$VALUE" >> ~/Results/BurpSuite/Collaborator.txt; fi; sleep 1; done
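As an added example (not the page author's code), the same poll-and-save loop in Python, replacing the quote-position `cut` pipeline with a JSON parse plus de-duplication of chunks that repeat polls return again. The polling URL is the page's with the KEY placeholder; the response field names (`responses`, `protocol`, `data.subDomain`) are assumptions about the endpoint's JSON, and the sample body is constructed.

```python
import json
import urllib.request

# Placeholder: replace KEY with the biid observed in tshark (step 4).
POLL_URL = "https://polling.burpcollaborator.net/burpresults?biid=KEY"

# Constructed sample body. The field names (responses, protocol, data.subDomain)
# are assumptions about the polling endpoint's JSON, not taken from the page.
SAMPLE_BODY = json.dumps({"responses": [
    {"protocol": "dns", "data": {"subDomain": "c0.abcd1234.burpcollaborator.net"}},
    {"protocol": "http", "data": {}},
    {"protocol": "dns", "data": {"subDomain": "c1.abcd1234.burpcollaborator.net"}},
    {"protocol": "dns", "data": {"subDomain": "c0.abcd1234.burpcollaborator.net"}},
]})


def dns_chunks(body, seen=None):
    """Leftmost DNS label of each new DNS interaction, in arrival order.
    Equivalent of the page's `cut -d '"' -f 24 | cut -d . -f 1`, but keyed on
    field names rather than quote positions, ignoring non-DNS interactions and
    skipping labels already in `seen` (repeat polls may return old hits).
    """
    seen = set() if seen is None else seen
    chunks = []
    for hit in json.loads(body).get("responses", []):
        if hit.get("protocol") != "dns":
            continue
        label = hit.get("data", {}).get("subDomain", "").split(".", 1)[0]
        if label and label not in seen:
            seen.add(label)
            chunks.append(label)
    return chunks


def poll_once(url=POLL_URL, timeout=10):
    """Fetch one polling response and return its body as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":  # same loop as the shell one-liner, with dedup
    import sys
    import time
    out = sys.argv[1] if len(sys.argv) > 1 else "Collaborator.txt"
    seen = set()
    while True:
        for chunk in dns_chunks(poll_once(), seen):
            with open(out, "a") as fh:
                fh.write(chunk + "\n")
        time.sleep(1)
```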

Update (October 23, 2020)

Please also see Collabfiltrator

[^2]: Same person's blog