Intercept non-HTTP communication via BurpSuite
Burp Suite doesn't intercept non-HTTP/WebSocket communication, but some apps use, for example, a plain TCP connection. I wrote a simple Python server and client that exchange messages this way. It's important to mention that the server and client exchange all their messages over a single connection established once, so keep in mind that the method shown here supports that.
In this case, to hijack messages, we have to use a different tool than we usually do. Burp Suite has the extension "Non HTTP Proxy (NoPE)", which lets us intercept TCP communication and even run a DNS server that automatically resolves domain names to our fake server, or discover which domain the app is asking for.
I set up the client to connect to Burp directly in order to skip the DNS aspect, so now we must instruct Burp that port 10000 should be redirected to 192.168.1.11:10000.
Now, if the client sends a message, we will see it in TCP History, and vice versa:
Message from client to server:
And message from server to client:
Now we know how to see what the inside of TCP messages looks like, but we also want to be able to modify the data. To achieve that we use the TCP Intercept window, with the intercept option enabled.
If, after that, the app sends a message to the server, the communication pauses and we see the message in the panel:
From this point we can modify the data, so I changed the message and forwarded it.
And the message from the server to the client:
This one I likewise modified and forwarded.
Now the app and the server both show that they sent their messages, but the ones they received are the modified versions.
Modified messages are easy to find in TCP History thanks to the "Edited" header.
This can also be done automatically with a Python script. For example, I wrote a script that replaces the word "Test" with "Python".
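To make the whole chain concrete, here is an added example (my own code, not the script from the original post and not NoPE's scripting API, whose hook names are not given on the page): a minimal Python server and client that exchange several newline-delimited messages over one persistent connection, as described at the start of the post, plus an in-process TCP relay standing in for the proxy listener that rewrites "Test" to "Python" in both directions and records every edited chunk, mirroring the "Edited" marker in TCP History. Addresses are loopback with ephemeral ports and the message framing is constructed for the example.

```python
"""Added example (not code from the original post): client <-> relay <-> server
over one persistent TCP connection, with the relay rewriting "Test" -> "Python".
All hosts, ports, messages and the line-based framing are constructed here."""
import socket
import threading

DELIM = b"\n"  # constructed framing: one message per line


def rewrite(data: bytes, old: bytes = b"Test", new: bytes = b"Python") -> bytes:
    """Replace every occurrence of `old` in a raw chunk (the 'script' of the post).
    Caveat: a match split across two recv() chunks is not rewritten."""
    return data.replace(old, new)


def serve_once(listen_sock: socket.socket, replies: dict) -> None:
    """Accept one client and answer every line it sends until it disconnects."""
    conn, _ = listen_sock.accept()
    with conn:
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:  # client closed its side
                break
            buf += chunk
            while DELIM in buf:
                line, buf = buf.split(DELIM, 1)
                conn.sendall(replies.get(line, b"unknown: " + line) + DELIM)


def relay(listen_sock: socket.socket, upstream_addr, transform, log: list) -> None:
    """Accept one client, connect upstream, and pump bytes both ways through
    `transform`; every chunk is logged as (direction, original, forwarded)."""
    client, _ = listen_sock.accept()
    upstream = socket.create_connection(upstream_addr)

    def pump(src, dst, direction):
        while True:
            data = src.recv(4096)
            if not data:
                break
            edited = transform(data)
            log.append((direction, data, edited))
            dst.sendall(edited)
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other side
        except OSError:
            pass

    t = threading.Thread(target=pump, args=(upstream, client, "server->client"))
    t.start()
    pump(client, upstream, "client->server")
    t.join()
    client.close()
    upstream.close()


def run_client(addr, messages):
    """Send all messages over a single connection and collect one reply each."""
    responses = []
    with socket.create_connection(addr) as s:
        reader = s.makefile("rb")
        for m in messages:
            s.sendall(m + DELIM)
            responses.append(reader.readline().rstrip(DELIM))
    return responses


def edited_entries(log):
    """Log entries whose forwarded bytes differ from the original ('Edited')."""
    return [e for e in log if e[1] != e[2]]


def demo(messages=(b"Test message", b"hello")):
    """Wire server, relay and client together on loopback; return (replies, log)."""
    backend = socket.socket()
    backend.bind(("127.0.0.1", 0))
    backend.listen(1)
    proxy = socket.socket()  # plays the role of the proxy listener (port 10000 in the post)
    proxy.bind(("127.0.0.1", 0))
    proxy.listen(1)
    replies = {b"Test message": b"got Test message",
               b"Python message": b"got Python message", b"hello": b"hi"}
    log = []
    st = threading.Thread(target=serve_once, args=(backend, replies))
    rt = threading.Thread(target=relay, args=(proxy, backend.getsockname(), rewrite, log))
    st.start()
    rt.start()
    responses = run_client(proxy.getsockname(), list(messages))
    st.join()
    rt.join()
    backend.close()
    proxy.close()
    return responses, log


if __name__ == "__main__":
    resp, entries = demo()
    print("client received:", resp)
    for direction, original, forwarded in edited_entries(entries):
        print("Edited", direction, original, "->", forwarded)
```

Because the client sends "Test message" but the server answers "got Python message", the server never saw the original text, exactly the effect the post describes; only the chunk that actually changed shows up in `edited_entries`, the way only changed messages carry the "Edited" header in TCP History.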
After enabling the script and sending another message, the client and server again show that they exchanged messages, but what they received was already modified.
In the TCP History tab, messages changed by the Python script also get their own distinctive header: