How Cyberseer detect Burpsuite using the Darktrace

Published: 5th August

Burpsuite is a graphical tool for testing Web application security and vulnerabilities that can be used for penetration testing. It’s a framework which allows an adversary not only to carry out reconnaissance but also gives them the ability to intercept and manipulate traffic from a victim, meaning it can be used for a Man-in-The-Middle (MiTM) style of attack.

It comes with a heap of built-in functions and is included in the Kali Operating System. It should also be noted that not all usage of Burpsuite is a bad thing, for example, it can be legitimately used by web developers in order to test robustness of web applications. This article covers how Cyberseer implement models to detect potential use of this framework on the network.

Testing Burpsuite

The usage of Burpsuite can leave some key indicators of compromise (IOCs) within the network traffic. In the following scenario we’re going to take a look and see what happens when the intercept function is used against a victim’s computer. This is a common use case for Burpsuite as it offers the attacker the ability to view, edit and choose which web requests are forwarded onto the destination.

It’s possible to demonstrate its power by showing what happens when we use the intercept function on a sample login page over HTTP. In this example the victim’s PC is configured to use our machine as a proxy server, so when the victim attempts to authenticate their credentials are passed through in headers ‘user’ and ‘pwd’ and we can see this in the clear.

Supporting Burpsuite alert: Coding script

The introduction of HTTPS makes it a little harder, in the example above a warning was displayed on the victim’s PC similar to below. This would have required them to click through to proceed past the warning.

Supporting Burpsuite alert: your connection is not private alert

The introduction of HTTP Strict Transport Security (HSTS) will cause this method of intercepting traffic over HTTPS to fail. HSTS allows websites to force HTTPS connections and also dictates none of the traffic ever be sent in clear text.

When modern browsers detect a self-signed certificate on a website that uses HSTS they will close the connection because it is deemed to be insecure and can be a sign that a MiTM attack is occurring. It is a common misconception that all HTTPS sites are secure, however, the major players such as Google, Facebook etc will all enforce HSTS. Read more about HSTS here

Identifying Burpsuite in a network traffic flow:

When we analyse relevant network traffic, we can clearly see the following Burpsuite related IOCs.

Proxy headers Burpsuite on our attacker’s machine is acting as a proxy server which means when the victim makes an HTTP connection a proxy request is placed in the HTTP headers:

1556870587.8471 CiolERuBKC2hvIx00 58776 8080 — — 1 [PROXY-CONNECTION -> keep-alive] 0 [HOST,PROXY-CONNECTION,USER-AGENT] Spotify/1.1.0 OSX/OS X 10.14.2 [x86 8] 1.0 Connection established CONNECT 200 0

In this scenario the device does not usually connect through a proxy server meaning this is abnormal activity; this can be verified by looking at the historical logs for the device.

Using the included the proxy destination ( it is possible to verify if this is normal behaviour for the environment by seeing what other devices connect to this device on the proxy port (8080). This can be achieved using the Advanced Search function in Darktrace with the following query:

@fields.dest_ip: AND @fields.dest_port:8080

A ‘scoring’ of the source IP addresses connecting to this device around this timeframe shows us which device connected the most. While there was a connection from another device the percentage figure shows us that this device makes up the majority of the connections.

Supporting Burpsuite alert technical graph 3

Using this information we’re able to further refine the search, limiting it to that source IP address we are presented with the following graph:

Supporting Burpsuite alert technical graph

The graph above is set to show week’s view and the spike shows us that these type of connections are not normal for the device – so we need to dig deeper into why this is occurring.

Attempts to proxy HTTPS

We mentioned earlier about Burpsuite using self-signed certificates, we can see that as well. Burpsuite is developed by PortSwigger, so looking for the default certificate included in Burpsuite we can see the following:

03/05 08:03:06×5091556870586.5859 CJF1f24MkvKZd9pp00 58775 8080 — — 1163420158 1794140158 FATGIu3olCPvv4Ss00 [email protected],CN=PortSwigger,OU=PortSwigger,O=PortSwigger,L=London,ST=London,C=GB rsa sha1WithRSAEncryption 1024 rsaEncryption [email protected],CN=PortSwigger,OU=PortSwigger,O=PortSwigger,L=London,ST=London,C=GB 65537 3 00 true

Furthermore, we can also see the untrusted certificate warning that is presented back to the client:

03/05 07:59:27notice1556870367.3719 CN71ua4450TyTbhG00 58356 8080 tcp — SSL::Invalid_Server_Cert dt-534–01– SSL certificate validation failed with (self signed certificate) [email protected],CN=PortSwigger,OU=PortSwigger,O=PortSwigger,L=London,ST=London,C=GB 8080 950

As Burpsuite is also acting as a proxy server for HTTPS, we can see that Darktrace has identified that the attacker’s machine is now acting as a server:

03/05 07:59:31notice1556870371.5329 CWqx9SspmubsLeP00 58354 8080 tcp — ProtocolDetector::Server_Found dt-534–01– SSL server on port 8080/tcp SSL 8080 950

From an analyst’s perspective this would immediately raise suspicions as to why a device has started serving other devices.

Unusual events

The Darktrace technology is constantly assessing device traffic to determine if a device is acting outside of its normal pattern of behaviour. All of the IOCs above clearly show that this device is deviating from its typical network behaviour.

Machine learning based anomaly analytics interprets this, tracks it and incorporates it into a mathematic model. When we look at the relevant timeframe in the device’s graph, the system identified the above as unusual activity for this device as it was observed making a large volume of connections over a short period of time:

Supporting Burpsuite alert technical graph 2

And the solution?

Cyberseer’s analysts build custom models to detect this type of activity and push them out across our customer base. Analysts can combine factual and unusualness components in to models. The unusualness of a connection is determined through the machine learning process.

Darktrace constantly assesses connections to determine if the activity is anomalous for the device and devices similar to it. This is made available to an analyst in the form of a score for how unusual the connection is.In our initial investigation steps, we used 2 queries to determine what was normal behaviour for the device.

We could have also achieved the same results, in a single step if we looked for the unusualness score. This reduces the amount of manual triage required; it means the model can filter out connections that are normal (ie, a lower score of unusualness) which reduces the possibility for false positive breaches where the connections are legitimate.

For the example used in the post, Cyberseer analysts built a model with the following components:

• Anomalous Connections over a strength of 50%.
• Common Proxy Ports (3128, 8080, 8443).
• PortSwigger Signed Certificates.
• When a destination is first observed with “PROXY-CONNECTION” in the packet header.
• The first time “ProtocolDetector::Server_Found” is observed.

With this combination, Cyberseer were able to re-test using a different device and Darktrace placed a high priority model at the top of the threat tray.

Given the nature of Burpsuite and that is has very few reasons to be legitimately used in an organisation, analysts are able to quickly report the activity to the customer so that they can investigate the source of the activity and understand why Burpsuite is being used within the environment.

By Nathan Webb
Forensic Analyst

Latest blogs

Discoveries made by the Cyberseer SOC​

Why is visibility so important in today’s new norm of remote working.

What are Cloud Security and Posture Management tools?

Securing the Cloud Infrastructure: Native vs Cloud Control