Using Burp with ProxyCannon

ProxyCannon is an amazing tool for automatically routing your traffic through multiple cloud servers to diversify the source IP addresses of your traffic. (Thank you #_shellIntel). As a pentester, I want to have my BurpSuite proxy traffic routed through ProxyCannon to help avoid detection of scans and attacks. Just yesterday I was performing a password spray against a login portal to check for weak password use and ended up having my IP address blocked. ProxyCannon to the rescue! This blog will explain how to set up BurpSuite to route traffic through your ProxyCannon server.

We will start with the assumption that you have ProxyCannon running somewhere on a Linux server like so:

ProxyCannon Startup using Three Cloud Servers

In this case I have used the “-rl 3” option which will start three servers and rotate one of these servers out of use every few minutes, replacing it with a new one. The IP addresses of all the servers used will be written to a log file in the /tmp directory. Although only three servers are used at any one time, many servers will be used over time as old ones are changed out for new ones, so expect many IP addresses in your log file.

IMPORTANT NOTE: Consider the effective number of servers in use to be “n - 1”
If you desire to use two different IPs for your traffic, start three servers with ProxyCannon. This is because ProxyCannon is always putting one of the servers on the back burner so it can rotate it out of use and replace it, effectively reducing your traffic down to one less IP than you had spun up.

If you are using Burp on your ProxyCannon server itself, you don’t need to do anything else, it just works. Otherwise, read on.

We need to configure BurpSuite to route its traffic through our ProxyCannon server which ultimately results in all traffic appearing to come from the randomized Amazon server instances.

Enable SSH connections to your ProxyCannon instance (I leave this as a Googling exercise for you to figure out). Next, create a SOCKS proxy and configure Burp to use it. Both Linux and Windows instructions are included below.

Create SOCKS proxy to Your ProxyCannon Server (Linux)

This is very easy on Linux. The following command will create the SOCKS proxy to your ProxyCannon server on port 9876:

ssh -D 9876 <your proxy cannon IP>

*Check out the “-N” and “-f” options as well

Create SOCKS proxy to Your ProxyCannon Server (Windows)

For Windows we will use Putty, which you can download and install from here, and set up the SOCKS proxy as described nicely here. The key element of this process is shown in the image below.

Configure SOCKS Proxy on Windows with Putty

Now we just need to configure Burp to use the SOCKS proxy.

Configure Burp to use the SOCKS Proxy

Under the “User options→Connections” tab in Burp set the configuration like this:

Burp SOCKS Proxy Configuration

And there you have it: all your Burp traffic will be routed through the rotating IP addresses managed by ProxyCannon. Another thing to consider configuring is the rate of your requests when using Burp Intruder. If your Intruder options are set to use multiple threads and no delay (throttle), then you may end up with more requests coming from a single IP than you want. Consider this in combination with the number of ProxyCannon instances you spin up to make your best guess of what may go undetected by your target.

Burp Intruder Options
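Seen from the portal's side, the setup above means each source IP shows only a handful of failures, so a per-IP lockout never trips. The following is an added example, not part of the original post or of ProxyCannon: it counts distinct failing accounts per time window regardless of source address. The log format, thresholds and function names are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: failed logins on one portal. Nine accounts fail once each
# across three rotating sources; "zoe" is an ordinary user mistyping twice.
SAMPLE_LOG = """\
2024-05-01T10:00:00 FAIL user=alice src=198.51.100.10
2024-05-01T10:01:00 FAIL user=bob src=203.0.113.7
2024-05-01T10:02:00 FAIL user=carol src=198.51.100.10
2024-05-01T10:02:30 FAIL user=zoe src=192.0.2.200
2024-05-01T10:02:50 FAIL user=zoe src=192.0.2.200
2024-05-01T10:03:00 FAIL user=dan src=203.0.113.7
2024-05-01T10:04:00 FAIL user=erin src=192.0.2.44
2024-05-01T10:05:00 FAIL user=frank src=198.51.100.10
2024-05-01T10:06:00 FAIL user=grace src=192.0.2.44
2024-05-01T10:07:00 FAIL user=heidi src=203.0.113.7
2024-05-01T10:08:00 FAIL user=ivan src=192.0.2.44
"""

def parse_failures(log):
    """Return (timestamp, user, source) tuples for FAIL lines, oldest first."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "FAIL":
            fields = dict(p.split("=", 1) for p in parts[2:])
            events.append((datetime.fromisoformat(parts[0]), fields["user"], fields["src"]))
    return sorted(events)

def per_ip_alerts(events, limit=5):
    """Classic control: source IPs with `limit` or more failures."""
    counts = Counter(src for _, _, src in events)
    return sorted(ip for ip, n in counts.items() if n >= limit)

def first_spray_alert(events, window=timedelta(minutes=10), min_users=8):
    """First moment at which `min_users` distinct accounts failed within `window`."""
    start = 0
    for end, (ts, _, _) in enumerate(events):
        while ts - events[start][0] > window:
            start += 1  # slide the window forward past expired events
        recent = events[start:end + 1]
        users = {u for _, u, _ in recent}
        if len(users) >= min_users:
            return {"at": ts, "users": len(users), "sources": len({s for _, _, s in recent})}
    return None

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print(per_ip_alerts(events), first_spray_alert(events))
```

On the sample, the per-IP counter reports nothing while the distinct-account counter fires at the eighth account.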

Other Things to Consider

Sometimes things go wrong with ProxyCannon and it gives up and shuts itself down. In this case, your Burp traffic goes back to using your true IP. This isn’t good because now you have revealed yourself and made your attack more likely to be detected, raising the awareness of the defenders. To resolve this issue I added the following to the ProxyCannon cleanup code:

os.system("lsof -i tcp:22 | grep ESTABLISHED | awk '{print $2}' | xargs kill")

The added code kills any active ssh sessions, effectively cutting off your Burp traffic from the network if you are using the SOCKS proxy method outlined in this blog post. You don’t get any more responses from your Burp scan or attack but it protects you from sending traffic from your own IP address.

If ProxyCannon is not able to perform a successful shutdown, you will end up with unterminated instances. It is a good idea to keep an eye on the Amazon console to make sure all instances are terminated so you can avoid unnecessary expense. Go to console.aws.amazon.com and click Services→ EC2 to view your dashboard. Make sure the correct region is selected in the upper right-hand corner (ProxyCannon uses “N. Virginia” by default) and then click on Running Instances.

From this view you can right-click an instance and manually terminate it. Even if you don’t need to do manual cleanup, watching this page as ProxyCannon runs will cause you to giggle with pleasure and is therefore highly recommended.

Also keep an eye on the number of elastic IPs in use. There should be none after ProxyCannon has shut down. You are only allowed five elastic IPs per region. If these don’t get terminated correctly by ProxyCannon and you reach the limit, you will get an “AddressLimitExceeded” error as shown below.

To resolve this, select all of the elastic IPs in the Amazon console, right-click and select “release addresses”. This will clear things up for you.

You can apply for a limit increase with Amazon if necessary.
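The console check described above can also be scripted. This is an added example, not ProxyCannon code: it reads the JSON that `aws ec2 describe-instances` and `aws ec2 describe-addresses` print and lists whatever is still allocated. The sample documents and all identifiers in them are constructed, and the function names are assumptions.

```python
import json

ELASTIC_IP_LIMIT = 5  # per-region limit as stated in the post

# Constructed sample of `aws ec2 describe-instances` output (trimmed to the fields used).
INSTANCES_JSON = """{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000001", "State": {"Name": "running"}},
    {"InstanceId": "i-0aaa0000000000002", "State": {"Name": "terminated"}}]},
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000003", "State": {"Name": "stopped"}}]}]}"""

# Constructed sample of `aws ec2 describe-addresses` output.
ADDRESSES_JSON = """{"Addresses": [
  {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0000000000000001",
   "AssociationId": "eipassoc-0000000000000001", "InstanceId": "i-0aaa0000000000001"},
  {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0000000000000002"}]}"""

def live_instances(doc):
    """Instances that still exist: every state except terminated/shutting-down."""
    gone = {"terminated", "shutting-down"}
    return [(i["InstanceId"], i["State"]["Name"])
            for r in doc.get("Reservations", [])
            for i in r.get("Instances", [])
            if i["State"]["Name"] not in gone]

def allocated_addresses(doc):
    """Every elastic IP still allocated; the flag is False when it is unattached."""
    return [(a["PublicIp"], a.get("AllocationId"), "AssociationId" in a)
            for a in doc.get("Addresses", [])]

def audit(instances_json, addresses_json):
    """Summarise what is left over in one region after a shutdown."""
    instances = live_instances(json.loads(instances_json))
    addresses = allocated_addresses(json.loads(addresses_json))
    return {"instances": instances,
            "addresses": addresses,
            "at_address_limit": len(addresses) >= ELASTIC_IP_LIMIT}

if __name__ == "__main__":
    print(json.dumps(audit(INSTANCES_JSON, ADDRESSES_JSON), indent=2))
```

To run it against a real account, pass the output of the two CLI commands for the region in use (with `--output json`) in place of the constructed samples.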

ProxyCannon can use different Amazon regions as well. You can find a list of regions here. To use another region you must specify the region and a valid image ID. You can find available image IDs by going through the “Launch Instance” wizard manually on the Amazon console after setting your desired region.

Here is an example of using ProxyCannon to spin up instances in the us-west-2 region.

And one last note: I have noticed that when running a Burp Intruder attack with a single thread, the attack will hang at random intervals when running through the cannon. The Intruder results won’t show any more requests being sent and trying to pause the attack will result in a hung “Waiting to pause” state. This will last from about 10 minutes to even much longer. I haven’t found a solution to this one yet but it does tend to recover eventually. Use more threads in your Burp Intruder configuration if you can to avoid complete halting of your attack.

Good luck and only use your knowledge for good!