Cyber Security Technical Blog

Using Fiddler for Burp Suite Windows Native Authentication (Kerberos)

Written by Karl Schuttler | Oct 28, 2024 2:46:46 PM

Burp Suite Professional can’t do native Kerberos authentication. You’ll recognize these hosts when a request comes back with an HTTP 401 Unauthorized response carrying the “WWW-Authenticate: Negotiate” header, which indicates Kerberos. The Burp Suite extension Berserko (“Kerberos Authentication” in the BApp Store) promises to relieve this strain, but it has not been updated since 2021 and unfortunately does not work out of the box.

To work around this issue, we’ll discuss how to use an upstream Fiddler proxy to perform the authentication component for us. Fiddler only works on Microsoft Windows, so Mac or Linux users will need to identify another method.

Configure Fiddler

After installing Fiddler, use the Rules > Customize Rules option to open the rules text editor:

Use the Find tool to identify the OnBeforeRequest(oSession: Session) function:

Add the following statement after the comments, including your target hostname and credentials (credit to Eric Law), and then save:

    // Only the target host gets credentials; everything else passes through untouched
    if (oSession.HostnameIs("testapplication.com"))
    {
        // Don't forget to use a double \\ in the string below
        oSession["X-AutoAuth"] = "domain\\username:password";
    }

As Fiddler is the last proxy in the chain, we need to set it to use no further upstream proxies (“No Proxy”) in the Tools > Options > Gateway window:

Configure Burp

Burp needs to be configured to use Fiddler as its upstream proxy server via the Settings > Network > Connections > Upstream Proxy Servers option. Fiddler’s default listening port is 8888:

From here, you should be able to access your target application as normal without being prompted for any additional authentication. Any request you send through Burp to the target hostname will have its Authorization header added by Fiddler.
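Two of the checks above are easy to automate: recognizing the 401 + “WWW-Authenticate: Negotiate” pattern that marks a host Burp can’t authenticate to on its own, and confirming that the Authorization header Fiddler inserts actually carries a Kerberos token rather than an NTLM fallback (the header says “Negotiate” either way). The script below is an added example, not code from this post or from Fiddler or Burp. The response headers and tokens in it are constructed for illustration, and the way it decides the mechanism (the first mechanism OID found in the token) is an assumption about typical SPNEGO tokens, not a full ASN.1 parse.

```python
"""Checks for the Burp -> Fiddler -> target chain: does the host require Negotiate,
and did Fiddler actually answer with Kerberos? Added example, not code from the
post. All sample headers and tokens below are constructed for illustration."""
import base64
import re

# DER encodings of the mechanism OIDs found inside GSS-API / SPNEGO tokens.
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (legacy MS)
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                 # start of every raw NTLM message


def _split_challenges(value):
    """Split a WWW-Authenticate value on commas that are outside quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_www_authenticate(value):
    """Return the offered schemes in order, e.g. ['Negotiate', 'NTLM', 'Basic'].
    A piece such as realm="x" is a parameter of the previous challenge, not a scheme."""
    schemes = []
    for piece in _split_challenges(value):
        m = re.match(r"^([A-Za-z][\w-]*)(?:\s+\S.*)?$", piece)
        if m:
            schemes.append(m.group(1))
    return schemes


def requires_negotiate(status, headers):
    """True for the 401 + 'WWW-Authenticate: Negotiate' pattern described in the post,
    i.e. a host Burp cannot authenticate to by itself (the case Fiddler handles)."""
    if status != 401:
        return False
    offered = []
    for name, value in headers.items():
        if name.lower() == "www-authenticate":
            offered.extend(parse_www_authenticate(value))
    return any(s.lower() == "negotiate" for s in offered)


def classify_negotiate_token(authorization):
    """Classify the token in an 'Authorization: Negotiate <base64>' request header
    as 'kerberos', 'ntlm' or 'unknown'. The header Fiddler adds always says
    Negotiate, but if no ticket could be obtained the token is an NTLM fallback."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        return "unknown"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return "unknown"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                      # raw NTLM message under the Negotiate scheme
    if not raw or raw[0] != 0x60:
        return "unknown"                   # not a GSS-API InitialContextToken
    # Assumption: SPNEGO lists mechTypes in preference order and the optimistic
    # mechToken belongs to the first one, so the earliest OID is the mechanism used.
    hits = {}
    for name, oid in (("kerberos", OID_KRB5), ("kerberos", OID_MS_KRB5),
                      ("ntlm", OID_NTLMSSP)):
        pos = raw.find(oid)
        if pos >= 0 and pos < hits.get(name, len(raw) + 1):
            hits[name] = pos
    return min(hits, key=hits.get) if hits else "unknown"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed samples (abbreviated, not valid DER; only the parts the checks read).
SAMPLE_401_HEADERS = {"WWW-Authenticate": "Negotiate", "Content-Length": "0"}
SAMPLE_KERBEROS = "Negotiate " + _b64(
    b"\x60\x30" + b"\x06\x06\x2b\x06\x01\x05\x05\x02"          # SPNEGO OID 1.3.6.1.5.5.2
    + b"\xa0\x26\x30\x24\xa0\x1e\x30\x1c"                      # NegTokenInit / mechTypes
    + b"\x06\x09" + OID_MS_KRB5 + b"\x06\x09" + OID_KRB5
    + b"\x06\x0a" + OID_NTLMSSP + b"\xa2\x00")
SAMPLE_NTLM_FALLBACK = "Negotiate " + _b64(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2")

if __name__ == "__main__":
    print("host needs Negotiate:", requires_negotiate(401, SAMPLE_401_HEADERS))
    print("Fiddler token type:", classify_negotiate_token(SAMPLE_KERBEROS))
    print("fallback token type:", classify_negotiate_token(SAMPLE_NTLM_FALLBACK))
```

To use it against real traffic, paste the WWW-Authenticate value from the original 401 and the Authorization value from the request Fiddler forwarded (both visible in Fiddler’s inspector or Burp’s HTTP history) into the two functions; an “ntlm” result on a host that should be using Kerberos usually means the client could not get a ticket for that hostname, which is exactly the case the Kerberos.NET plugin mentioned below helps to debug.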

What’s Next?

Still running into authentication issues? Consider installing the Fiddler Kerberos.NET plugin, which will allow you to get more insight into the authentication handshake process and debug the problem. Want to keep sharpening your Burp Suite skills? Continue your journey down the rabbit hole and check out another article.