搭建自己的Burp Collaborator服务器详细指南<\/h1>

1. Burp Collaborator简介<\/h2>

Burp Collaborator是一种外部服务，在使用Burp Suite进行渗透测试时，可以借助该服务来发掘各种安全漏洞。主要用途包括：<\/p>

检测带外XSS漏洞：当应用程序从外部URL获取内容并在响应中返回时<\/li>
检测基于注入的漏洞：如SQL盲注等不会导致响应内容或时间变化的漏洞<\/li>

检测邮件标题注入等特定服务相关的漏洞<\/li> <\/ul>

2. 准备工作<\/h2>

在开始搭建前，需要准备以下资源：<\/p>

VPS服务器<\/strong>：推荐使用Debian系统<\/li>
域名<\/strong>：用于配置DNS记录和SSL证书<\/li>
Let's Encrypt<\/strong>：用于获取免费的通配符SSL证书<\/li>

Burp Suite Pro<\/strong>：需要专业版jar文件<\/li> <\/ol>
3. 搭建环境<\/h2>
3.1 安装必要软件<\/h3>
# 更新包索引<\/span> <\/span><\/span>sudo apt-get update <\/span><\/span> <\/span><\/span># 安装Java运行时环境(JRE)<\/span> <\/span><\/span>sudo apt-get install default-jre <\/span><\/span> <\/span><\/span># 安装iptables-persistent<\/span> <\/span><\/span>sudo apt-get install iptables-persistent <\/span><\/span><\/code><\/pre>3.2 创建工作目录<\/h3> sudo mkdir -p \/usr\/local\/collaborator\/ <\/span><\/span><\/code><\/pre>将burpsuite_pro_<latest_version>.jar<\/code>上传到\/usr\/local\/collaborator\/<\/code>目录<\/p> 3.3 创建专用系统用户<\/h3> sudo adduser --shell \/bin\/nologin --no-create-home --system collaborator <\/span><\/span>sudo chown collaborator \/usr\/local\/collaborator <\/span><\/span><\/code><\/pre>4. 配置Collaborator服务器<\/h2> 4.1 创建配置文件<\/h3> 创建\/usr\/local\/collaborator\/collaborator.config<\/code>文件，内容如下（需根据实际情况修改）：<\/p> { <\/span><\/span> "serverDomain"<\/span>: "my-subdomain-for-burp.example.com"<\/span>, <\/span><\/span> "workerThreads"<\/span>: 10<\/span>, <\/span><\/span> "eventCapture"<\/span>: { <\/span><\/span> "localAddress"<\/span>: ["54.38.**.**"<\/span>], <\/span><\/span> "publicAddress"<\/span>: "54.38.**.**"<\/span>, <\/span><\/span> "http"<\/span>: {"ports"<\/span>: 3380<\/span>}, <\/span><\/span> "https"<\/span>: {"ports"<\/span>: 33443<\/span>}, <\/span><\/span> "smtp"<\/span>: {"ports"<\/span>: [3325<\/span>, 33587<\/span>]}, <\/span><\/span> "smtps"<\/span>: {"ports"<\/span>: 33465<\/span>}, <\/span><\/span> "ssl"<\/span>: { <\/span><\/span> "certificateFiles"<\/span>: [ <\/span><\/span> "\/usr\/local\/collaborator\/keys\/privkey.pem"<\/span>, <\/span><\/span> "\/usr\/local\/collaborator\/keys\/cert.pem"<\/span>, <\/span><\/span> "\/usr\/local\/collaborator\/keys\/fullchain.pem"<\/span> <\/span><\/span> ] <\/span><\/span> } <\/span><\/span> }, <\/span><\/span> "polling"<\/span>: { <\/span><\/span> "localAddress"<\/span>: "54.38.**.**"<\/span>, <\/span><\/span> "publicAddress"<\/span>: "54.38.**.**"<\/span>, <\/span><\/span> "http"<\/span>: {"port"<\/span>: 39090<\/span>}, <\/span><\/span> "https"<\/span>: {"port"<\/span>: 39443<\/span>}, <\/span><\/span> "ssl"<\/span>: { <\/span><\/span> "certificateFiles"<\/span>: [ <\/span><\/span> "\/usr\/local\/collaborator\/keys\/privkey.pem"<\/span>, <\/span><\/span> "\/usr\/local\/collaborator\/keys\/cert.pem"<\/span>, <\/span><\/span> "\/usr\/local\/collaborator\/keys\/fullchain.pem"<\/span> <\/span><\/span> ] <\/span><\/span> } <\/span><\/span> }, <\/span><\/span> "metrics"<\/span>: { <\/span><\/span> "path"<\/span>: "jnaicmez8"<\/span>, <\/span><\/span> "addressWhitelist"<\/span>: ["0.0.0.0\/1"<\/span>] <\/span><\/span> }, <\/span><\/span> "dns"<\/span>: { <\/span><\/span> "interfaces"<\/span>: [{ <\/span><\/span> "name"<\/span>: "ns1.my-subdomain-for-burp.example.com"<\/span>, <\/span><\/span> "localAddress"<\/span>: "54.38.**.**"<\/span>, <\/span><\/span> "publicAddress"<\/span>: "54.38.**.**"<\/span> <\/span><\/span> }], <\/span><\/span> "ports"<\/span>: 3353<\/span> <\/span><\/span> }, <\/span><\/span> "logLevel"<\/span>: "INFO"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>注意<\/strong>：所有端口号必须高于1024，以便Collaborator能以非root用户身份运行。<\/p> 5. 设置通配符SSL证书<\/h2> 5.1 安装Certbot<\/h3> cd \/usr\/local\/collaborator\/ <\/span><\/span>wget https:\/\/dl.eff.org\/certbot-auto <\/span><\/span>chmod a+x .\/certbot-auto <\/span><\/span><\/code><\/pre>5.2 创建证书配置脚本<\/h3> 创建\/usr\/local\/collaborator\/configure_certs.sh<\/code>：<\/p> #!\/bin\/bash <\/span><\/span><\/span><\/span> <\/span><\/span>CERTBOT_DOMAIN=<\/span>$1 <\/span><\/span>if<\/span> [<\/span> -z $1 ]<\/span>; then<\/span> <\/span><\/span> echo "Missing mandatory argument."<\/span> <\/span><\/span> echo " - Usage: <\/span>$0 <domain>"<\/span> <\/span><\/span> exit 1<\/span> <\/span><\/span>fi<\/span> <\/span><\/span> <\/span><\/span>CERT_PATH=<\/span>\/etc\/letsencrypt\/live\/$CERTBOT_DOMAIN\/ <\/span><\/span>mkdir -p \/usr\/local\/collaborator\/keys\/ <\/span><\/span> <\/span><\/span>if<\/span> [[<\/span> -f $CERT_PATH\/privkey.pem &&<\/span> -f $CERT_PATH\/fullchain.pem &&<\/span> -f $CERT_PATH\/cert.pem ]]<\/span>; then<\/span> <\/span><\/span> cp $CERT_PATH\/privkey.pem \/usr\/local\/collaborator\/keys\/ <\/span><\/span> cp $CERT_PATH\/fullchain.pem \/usr\/local\/collaborator\/keys\/ <\/span><\/span> cp $CERT_PATH\/cert.pem \/usr\/local\/collaborator\/keys\/ <\/span><\/span> chown -R collaborator \/usr\/local\/collaborator\/keys <\/span><\/span> echo "Certificates installed successfully"<\/span> <\/span><\/span>else<\/span> <\/span><\/span> echo "Unable to find certificates in <\/span>$CERT_PATH"<\/span> <\/span><\/span>fi<\/span> <\/span><\/span><\/code><\/pre>5.3 获取证书<\/h3> .\/certbot-auto certonly -d my-subdomain-for-burp.example.com -d *.my-subdomain-for-burp.example.com \ <\/span><\/span><\/span><\/span> --server https:\/\/acme-v02.api.letsencrypt.org\/directory \ <\/span><\/span><\/span><\/span> --manual --agree-tos --no-eff-email \ <\/span><\/span><\/span><\/span> --manual-public-ip-logging-ok \ <\/span><\/span><\/span><\/span> --preferred-challenges dns-01 <\/span><\/span><\/code><\/pre>按照提示操作，需要添加两条DNS TXT记录：<\/p> _acme-challenge.my-subdomain-for-burp.example.com<\/code> → YKoOF0jc6wqZJLUIhF3YQJ8MzyWWfkT3weW24_8hhBU<\/code><\/li> _acme-challenge.my-subdomain-for-burp.example.com<\/code> → s10-sRD0KPJfFujYl5_ql6TEQkwkVppLZLW45ITK-d4<\/code><\/li> <\/ol> 5.4 安装证书<\/h3> chmod +x \/usr\/local\/collaborator\/configure_certs.sh <\/span><\/span>\/usr\/local\/collaborator\/configure_certs.sh my-subdomain-for-burp.example.com <\/span><\/span><\/code><\/pre>6. 测试Collaborator服务器<\/h2> sudo -H -u collaborator bash -c "java -Xms10m -Xmx200m -XX:GCTimeRatio=19 -jar \/usr\/local\/collaborator\/burpsuite_pro_1.7.33.jar --collaborator-server --collaborator-config=\/usr\/local\/collaborator\/collaborator.config"<\/span> <\/span><\/span><\/code><\/pre>成功启动后应看到类似输出：<\/p> 2018-04-08 19:46:36.082: Using configuration file \/usr\/local\/collaborator\/collaborator.config 2018-04-08 19:46:37.473: Listening for DNS on 54.38.**.**:3353 2018-04-08 19:46:37.486: Listening for HTTP on 54.38.**.**:39090 ... <\/code><\/pre> 7. 配置DNS<\/h2> 在DNS服务器上添加以下记录：<\/p> NS记录：ns1.my-subdomain-for-burp.example.com<\/code><\/li> A记录：指向VPS的IP地址（如54.38..<\/strong>）<\/li> <\/ol> 8. 配置iptables端口转发<\/h2> iptables -t nat -A PREROUTING -i ens3 -p udp --dport 53<\/span> -j REDIRECT --to-port 3353<\/span> <\/span><\/span>iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 9090<\/span> -j REDIRECT --to-port 39090<\/span> <\/span><\/span>iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 25<\/span> -j REDIRECT --to-port 3325<\/span> <\/span><\/span>iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 80<\/span> -j REDIRECT --to-port 3380<\/span> <\/span><\/span>iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 587<\/span> -j REDIRECT --to-port 33587<\/span> <\/span><\/span>iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 465<\/span> -j REDIRECT --to-port 33465<\/span> <\/span><\/span>iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 9443<\/span> -j REDIRECT --to-port 39443<\/span> <\/span><\/span>iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 443<\/span> -j REDIRECT --to-port 33443<\/span> <\/span><\/span>iptables-save <\/span><\/span><\/code><\/pre>9. 将Collaborator设置为系统服务<\/h2> 创建\/etc\/systemd\/system\/collaborator.service<\/code>：<\/p> [Unit]<\/span> <\/span><\/span>Description<\/span>=<\/span>Burp Collaborator Server Daemon<\/span> <\/span><\/span>After<\/span>=<\/span>network.target<\/span> <\/span><\/span> <\/span><\/span>[Service]<\/span> <\/span><\/span>Type<\/span>=<\/span>simple<\/span> <\/span><\/span>User<\/span>=<\/span>collaborator<\/span> <\/span><\/span>UMask<\/span>=<\/span>007<\/span> <\/span><\/span>ExecStart<\/span>=<\/span>\/usr\/bin\/java -Xms10m -Xmx200m -XX:GCTimeRatio=19 -jar \/usr\/local\/collaborator\/burpsuite_pro_1.7.33.jar --collaborator-server --collaborator-config=\/usr\/local\/collaborator\/collaborator.config<\/span> <\/span><\/span>Restart<\/span>=<\/span>on-failure<\/span> <\/span><\/span>TimeoutStopSec<\/span>=<\/span>300<\/span> <\/span><\/span> <\/span><\/span>[Install]<\/span> <\/span><\/span>WantedBy<\/span>=<\/span>multi-user.target<\/span> <\/span><\/span><\/code><\/pre>启用并启动服务：<\/p> systemctl enable collaborator <\/span><\/span>systemctl start collaborator <\/span><\/span><\/code><\/pre>10. 配置Burp Suite<\/h2> 在Burp Suite中进行以下配置：<\/p> 打开"Project Options" > "Misc"选项卡<\/li> 设置： Server location: my-subdomain-for-burp.example.com<\/code><\/li> Polling location (optional): my-subdomain-for-burp.example.com:9443<\/code><\/li> <\/ul> <\/li> <\/ol> 11. 验证<\/h2> 至此，自定义的Burp Collaborator服务器已搭建完成。可以通过Burp Suite发送测试请求来验证服务器是否正常工作。<\/p>