Imagine a situation where a web application that is being assessed has whitelisted the IP addresses that can access it, and the whitelisted address belongs to a remote network. In such a scenario, our trusty Burp proxy's traffic needs to be tunneled through a machine on that remote network.
Burp has a handy feature for tunneling all of its traffic through a SOCKS proxy. SOCKS (SOCKet Secure) is a protocol for tunneling TCP connections through a proxy server. Many SSH clients, such as PuTTY, support creating a local SOCKS proxy that tunnels all traffic through the remote SSH server.
In PuTTY, the tunnel settings are under Connection -> SSH -> Tunnels. The local SOCKS proxy port is added there, as shown below.
Once the SSH client (PuTTY) is connected to the remote SSH server, a local port (in this case 8085) is opened on the loopback interface. This is the local SOCKS proxy port through which all Burp traffic will be tunneled.
In Burp, under Options -> Connections, tick "Use SOCKS proxy" and fill in the SOCKS proxy host and port with the local loopback address (127.0.0.1) and the local port (8085).
Now all Burp traffic is tunneled through the remote SSH server. This is also a quick and dirty way to bypass a network proxy (like in offices and colleges): point the browser at the SOCKS proxy and you just might be able to check Gmail at work :)
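Before pointing Burp at the tunnel, it is worth checking that the port PuTTY opened really speaks SOCKS5 and that the far end can reach the target. The script below is an added example, not code from the original post or from PuTTY or Burp: it implements the client side of the SOCKS5 handshake (RFC 1928) that Burp performs against the local port, with no authentication, which is what an SSH dynamic forward offers. It assumes the proxy is at 127.0.0.1:8085 as in the post; the target host and port are whatever you pass on the command line. Hostnames are sent as SOCKS address type 0x03 (domain name), so the SSH server resolves them and no DNS query for the target leaves the local machine, which matters when the target name only resolves inside the remote network.

```python
"""Minimal SOCKS5 client handshake (RFC 1928), added as an example for
checking a local dynamic-forward port such as the one PuTTY opens."""
import socket
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00        # the only method an SSH dynamic forward offers
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04

# Reply codes from RFC 1928 section 6; anything else is unassigned.
REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting() -> bytes:
    """Client hello: version 5, one offered method (no authentication)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def parse_method_selection(data: bytes) -> int:
    """Server's answer to the greeting: version byte and the chosen method."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS5 method selection: {data!r}")
    if data[1] == 0xFF:
        raise ValueError("server accepted none of the offered auth methods")
    return data[1]


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request. Literal IPv4/IPv6 addresses go as ATYP 0x01/0x04;
    names go as ATYP 0x03 so the proxy (the SSH server) resolves them."""
    try:
        atyp_and_addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            atyp_and_addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            encoded = host.encode("idna")
            if len(encoded) > 255:
                raise ValueError("hostname too long for SOCKS5")
            atyp_and_addr = bytes([ATYP_DOMAIN, len(encoded)]) + encoded
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + atyp_and_addr + struct.pack("!H", port)


def parse_connect_reply(data: bytes) -> tuple:
    """Parse the CONNECT reply into (code, description, bound_host, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError(f"malformed SOCKS5 reply: {data!r}")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_len, bound = 4, socket.inet_ntop(socket.AF_INET, data[4:8])
    elif atyp == ATYP_IPV6:
        addr_len, bound = 16, socket.inet_ntop(socket.AF_INET6, data[4:20])
    elif atyp == ATYP_DOMAIN:
        addr_len, bound = 1 + data[4], data[5:5 + data[4]].decode("idna")
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    port_off = 4 + addr_len
    if len(data) < port_off + 2:
        raise ValueError("truncated SOCKS5 reply")
    (bound_port,) = struct.unpack("!H", data[port_off:port_off + 2])
    return rep, REPLY_CODES.get(rep, "unassigned"), bound, bound_port


def check_socks_tunnel(target_host, target_port, proxy=("127.0.0.1", 8085), timeout=5.0):
    """Connect to the local SOCKS port and ask the far end to CONNECT to the
    target. Returns the parsed reply; raises ValueError on protocol errors.
    Needs the SSH tunnel to be up, so it is not exercised offline."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_greeting())
        parse_method_selection(s.recv(2))
        s.sendall(build_connect_request(target_host, target_port))
        reply = s.recv(262)  # longest legal reply: 4 + 1 + 255 + 2 bytes
        return parse_connect_reply(reply)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # hypothetical target
    code, text, bound, bport = check_socks_tunnel(host, port)
    print(f"CONNECT {host}:{port} via tunnel -> {code:#04x} {text} (bound {bound}:{bport})")
```

A reply code other than 0x00 tells you whether the problem is the tunnel or the far side: "connection refused" or "host unreachable" comes from the SSH server's own attempt to reach the target, while a malformed first reply means the port is not a SOCKS5 listener at all (for example, a plain local forward was configured instead of a dynamic one). Burp has a separate "Do DNS lookups over SOCKS proxy" setting next to the SOCKS proxy fields; enable it so that Burp, like this script, hands names to the proxy instead of resolving them locally.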
1 comment:
How do I proxy the HTTP traffic via Burp at the same time ?