Wednesday, August 1, 2012

Chaining Ratproxy and Burp

I got this idea from a SANS Instructor (Justin Searle) in a SEC 542 class.  We didn't go into detail, and we didn't really talk about this scenario specifically, only that you can chain Ratproxy with another proxy.  When the course ended, I wanted to figure out how to do this.

Why would you want to do this?

Both of these tools are proxies and are particularly useful to pen testers, but they fill different needs.  The Burp Suite (I'm using the free version) is a Java application created by Dafydd Stuttard.  It has an extensive tool set that allows modification of GET and POST requests, as well as a myriad of automated tools for pen testing a website that I won't cover in this post.  Ratproxy is a command-line proxy, written by Michal Zalewski, that passively (or actively, depending on arguments) monitors traffic for potential security vulnerabilities.  Each tool is highly useful alone, and using them together is better than running one tool and then repeating the same work with the other.

The Problem:

Neither application has much documentation for doing this, apart from perhaps a mention that it is possible.  The order in which you chain them is crucial once you understand how these proxies function.  Ratproxy passively monitors traffic, and Burp can modify that traffic before sending it to the web server.  You therefore want Ratproxy first, so that it monitors the traffic before Burp sees it and any modification made in Burp does not interfere with Ratproxy.

The Solution:

Point your browser or other application at the port that Ratproxy is listening on, and then set Ratproxy to forward to the port that Burp is listening on.  The reason for this order is the functionality described above.

Run Ratproxy:

For this exercise I was using Ratproxy 1.5.8.  Start Ratproxy by running the following command:

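ratproxy -p 8081 -P <burp-ip>:8080

-p specifies what port Ratproxy should listen on
-P specifies the IP address and port the downstream proxy (Burp) is listening on; replace <burp-ip> with the address of Burp's listener (8080 is Burp's default port, see below)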

Run Burp:

For this exercise I was using Burp  There isn't much you have to do here, as Burp's proxy already listens on port 8080 by default.  You can go into the Proxy Options, as shown in the screenshot below, to configure another port or listening interface for Burp.

You should now be able to use both proxies.
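
A preflight check for the chain described above, as an added example that is not part of the original post or of either tool. It confirms that Burp is reachable where Ratproxy's -P will point and that Ratproxy's own port is free, then builds the command. The function names, the loopback address and the host:port form of the -P value are assumptions; the ports are the ones used in the post.

```python
import socket

def parse_upstream(value):
    """Split 'host:port' (the assumed form of Ratproxy's -P argument)."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"expected host:port, got {value!r}")
    return host, int(port)

def port_open(host, port, timeout=1.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(listen_port, upstream, listen_host="127.0.0.1"):
    """Return the problems that would break browser -> Ratproxy -> Burp."""
    host, port = parse_upstream(upstream)
    if host in (listen_host, "localhost") and port == listen_port:
        # Both proxies on one port means one of them cannot bind.
        return ["Ratproxy and Burp cannot share one port"]
    problems = []
    if not port_open(host, port):
        problems.append(f"nothing listening on {host}:{port}; is Burp running?")
    if port_open(listen_host, listen_port):
        problems.append(f"port {listen_port} is already in use")
    return problems

def ratproxy_argv(listen_port, upstream):
    """Build the command from the post: -p is the listen port, -P is Burp."""
    parse_upstream(upstream)  # reject a malformed value before launching
    return ["ratproxy", "-p", str(listen_port), "-P", upstream]

if __name__ == "__main__":
    # Ports from the post; the loopback address is an assumption.
    issues = preflight(8081, "127.0.0.1:8080")
    for issue in issues:
        print("FAIL:", issue)
    if not issues:
        print("OK, run:", " ".join(ratproxy_argv(8081, "127.0.0.1:8080")))
```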