Kerberos Upstream Proxy

An extension to allow the use of Burp Suite with an upstream proxy that requires Kerberos authentication.

How it works

  1. Using the settings you provide, this extension obtains a Kerberos TGT token and starts a proxy running locally.
  2. When a request arrives at this local proxy, the extension adds a Proxy-Authorization header using the Negotiate scheme, carrying the Kerberos token it obtained.
  3. The local proxy forwards the request (with the authorization header) to your real upstream proxy.

Usage

  1. Configure the standard Burp listener (default is 127.0.0.1:8080); it can be whatever you want, as long as the port doesn't conflict with the one we set in the extension later.
  2. Go to "Kerberos Upstream Proxy" tab.
  3. Configure all settings.
    • Realm should be all uppercase and is probably your domain name.
    • KDC should be a domain controller.
    • Upstream Proxy Host should be the hostname of the proxy that requires Kerberos auth.
    • Upstream Proxy Port should be the port of the proxy that requires Kerberos auth.
    • Local Proxy Port should be an unused port on 127.0.0.1 that will receive incoming requests from Burp.
    • krb5.conf Path should be the full path where you'd like to save krb5.conf (auto-populated by the extension). Note: if using Windows use forward-slashes for separation.
    • Username should be your domain username (just the username, not the domain).
    • Password should be your domain password.
    • (Optional) Require Local Auth should be enabled if you wish to require authentication to use the proxy you're hosting locally.
    • (Optional) Local Auth Value should be set to a string of your choosing which will be used as the local authentication password, if enabled.
  4. (Optional) Click "Save Settings" button at bottom of the page to save for next time.
  5. Click "Start Proxy" button at the bottom of the page.
  6. In Burp Settings -> Network -> Connections, under "Upstream proxy servers", add a proxy server with the following options:
    • Destination host: *
    • Proxy host: 127.0.0.1
    • Proxy port: Port number from "Local Proxy Port"
    • Authentication
      • If "Require Local Auth" is disabled: Type: None
      • If "Require Local Auth" is enabled: Type: Basic, Username: <anything>, Password: <string from Local Auth Value>
  7. Done! Now you can use the Burp browser (or any browser pointing to the Burp Proxy listener) with your upstream proxy that requires Kerberos.
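The two pieces of header handling described above (the "How it works" steps and the optional "Require Local Auth" check) are sketched in the following Python, which is an added illustration and not the extension's own code. It assumes the SPNEGO token is handed in as raw bytes (a real deployment would obtain it from a GSSAPI library using the TGT), and it only rewrites the request head; the body would be passed through unchanged by the caller.

```python
"""
Header handling for a local Kerberos-forwarding proxy (added illustration,
not the Kerberos Upstream Proxy extension's own code).

Assumptions (not from the page): the SPNEGO token arrives as raw bytes, and
only the request head (request line + headers) is handled here.
"""
import base64
import hmac
from typing import List, Optional, Tuple

CRLF = b"\r\n"


def build_negotiate_header(gss_token: bytes) -> str:
    """Value the real upstream proxy sees: 'Negotiate <base64 SPNEGO token>'."""
    return "Negotiate " + base64.b64encode(gss_token).decode("ascii")


def check_local_auth(header_value: Optional[str], local_secret: str) -> bool:
    """Validate the Basic credential Burp sends when 'Require Local Auth' is on.

    Per the usage notes the username may be anything and only the
    'Local Auth Value' matters, so only the password is compared, in constant
    time so a wrong guess is not distinguishable by timing.
    """
    if header_value is None:
        return False
    scheme, _, credential = header_value.partition(" ")
    if scheme.lower() != "basic" or not credential:
        return False
    try:
        decoded = base64.b64decode(credential, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    _username, sep, password = decoded.partition(":")
    if not sep:
        return False
    return hmac.compare_digest(password.encode(), local_secret.encode())


def parse_head(raw_head: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a request head into (request line, [(name, value), ...])."""
    lines = raw_head.split(CRLF)
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue  # blank line terminating the head
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def rewrite_request_head(raw_head: bytes, gss_token: bytes,
                         require_local_auth: bool = False,
                         local_secret: str = "") -> Optional[bytes]:
    """Return the head to forward upstream, or None if local auth fails.

    Mirrors the page's flow: optionally check the local Basic credential,
    drop it so it never reaches the upstream proxy, then add the Negotiate
    header for the real proxy.
    """
    request_line, headers = parse_head(raw_head)
    local_cred = next((v for n, v in headers
                       if n.lower() == "proxy-authorization"), None)
    if require_local_auth and not check_local_auth(local_cred, local_secret):
        return None
    # Strip whatever Proxy-Authorization Burp sent; only our Negotiate header goes out.
    kept = [(n, v) for n, v in headers if n.lower() != "proxy-authorization"]
    kept.append(("Proxy-Authorization", build_negotiate_header(gss_token)))
    out = [request_line] + [f"{n}: {v}" for n, v in kept]
    return CRLF.join(s.encode("latin-1") for s in out) + CRLF + CRLF


# Response a local proxy would return to Burp when the local credential is wrong.
LOCAL_AUTH_REJECTED = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                       b"Proxy-Authenticate: Basic realm=\"local\"\r\n"
                       b"Content-Length: 0\r\n\r\n")

# Constructed sample: a CONNECT request as Burp would send it to the local
# port, carrying the Basic credential configured under "Local Auth Value".
SAMPLE_SECRET = "example-local-secret"
SAMPLE_HEAD = (b"CONNECT example.test:443 HTTP/1.1\r\n"
               b"Host: example.test:443\r\n"
               b"Proxy-Authorization: Basic "
               + base64.b64encode(b"anything:" + SAMPLE_SECRET.encode())
               + b"\r\n\r\n")
SAMPLE_TOKEN = b"placeholder-spnego-token"  # constructed, not a real ticket


if __name__ == "__main__":
    forwarded = rewrite_request_head(SAMPLE_HEAD, SAMPLE_TOKEN, True, SAMPLE_SECRET)
    print(forwarded.decode("latin-1"))
    # Wrong local password: nothing is forwarded, Burp would get LOCAL_AUTH_REJECTED.
    print(rewrite_request_head(SAMPLE_HEAD, SAMPLE_TOKEN, True, "wrong"))
```

The point worth noticing is the stripping step: since the locally hosted proxy accepts a Basic credential from Burp, that credential must be removed before the request is forwarded, otherwise the "Local Auth Value" would leak to the upstream proxy along with the Negotiate header.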

Author

Drew Green

Version

1.3

Last updated

10 May 2024

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
