Update base image, work with latest burp, and a few other improvements (#14)

* Update README to explain NS record requirement a bit better

* add gitignore to ignore burp jars

* Improve init.sh

 Docker needs sudo privs unless you add your user to the docker group. 

- Added a func to check if docker perms are good. 
- Asks user if they wanna add user to docker group
- improved script by using funcs instead of repeating code

* Copy the certs dir over recursively.

the original cp command was failing with ZSH. This shoudl do the same thing and work in all shells

* Update certificaterenewal.sh

Moved chown cmd from run.sh to here to be able to use $DOMAIN var

* Update run.sh

Move chown command to cert renewal script

* Update Dockerfile

Use latest Debian and the compatible Java for latest burp as of july 12 2024

* Update init.sh

After MANY MANY hours of troubleshooting....

the symlinks to the cert fies are wrong when they come from certbot container. 

This fixes them, applies the permissions so that only the burp user on the container can read the privkey file, and finally, FINALLY, burp collab runs

docker logs burp                                                                                             +
2024-07-12 23:33:29.092 : Using configuration file /opt/burp/conf/burp.config
2024-07-12 23:33:29.311 : Listening for SMTP on 0.0.0.0:8025
2024-07-12 23:33:29.312 : Listening for SMTP on 0.0.0.0:8587
2024-07-12 23:33:29.312 : Listening for HTTP on 0.0.0.0:9090
2024-07-12 23:33:29.312 : Listening for HTTP on 0.0.0.0:8080
2024-07-12 23:33:29.318 : Listening for DNS on 0.0.0.0:8053
2024-07-12 23:33:29.426 : Listening for SMTPS on 0.0.0.0:8465
2024-07-12 23:33:29.427 : Listening for HTTPS on 0.0.0.0:8443
2024-07-12 23:33:29.427 : Listening for HTTPS on 0.0.0.0:9443

* Update README.md

Add UFW docker fix

Author: intrudir

.gitignore

@@ -0,0 +1 @@
+/burp/pkg/*

README.md

@@ -4,12 +4,39 @@ This repository includes a set of scripts to install a Burp Collaborator Server
 The objective is to simplify as much as possible the process of setting up and maintaining the server.
 
 ## Setup your domain
+Delegate a domain or subdomain to your soon-to-be burp collaborator server IP address. At the minimum you'll need an NS record for the domain/subdomain to be used.  
 
-Delegate a subdomain to your soon to be burp collaborator server IP address. At the minimum you'll need a NS record for the subdomain to be used (e.g. burp.example.com) pointing to your new server's A record:
+For example, if your collaborator domain is `burpserver.example`, you need to make NS records pointing with an A record to the public IP of the server: `1.2.3.4`
 
-```burp.example.com IN NS burpserver.example.com```
+Here as an example `dig` command to confirm:
+```bash
+dig NS burpserver.example
 
-```burpserver.example.com IN A 1.2.3.4```
+Output:
+; <<>> DiG 9.10.6 <<>> NS burpserver.example
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49449
+;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4000
+;; QUESTION SECTION:
+;burpserver.example.                       IN      NS
+
+;; ANSWER SECTION:
+burpserver.example.                308     IN      NS      ns2.burpserver.example.
+burpserver.example.                308     IN      NS      ns1.burpserver.example.
+
+;; ADDITIONAL SECTION:
+ns2.burpserver.example.            308     IN      A       1.2.3.4
+ns1.burpserver.example.            308     IN      A       1.2.3.4
+
+;; Query time: 52 msec
+;; SERVER: 8.8.8.8#53(8.8.8.8)
+;; WHEN: Fri Jul 12 11:20:29 EDT 2024
+;; MSG SIZE  rcvd: 104
+```
 
 Check https://portswigger.net/burp/documentation/collaborator/deploying#dns-configuration for further info.
 
@@ -53,7 +80,56 @@ The init.sh script will be renamed and disabled, so no accidents may happen.
 ## Updating Burp Suite
 
 * Download it and make sure you put it in ```./burp/pkg/burp.jar```
-* Restart the container with ```docker restart burp```  
+* Restart the container with ```docker restart burp```
+
+## Docker and UFW
+If you use UFW/IPTables as your firewall on the host, both UFW and docker modify the same [iptables](https://en.wikipedia.org/wiki/Iptables "iptables") configurations. Whatever UFW rules you have set, running a docker container completely ignores them and allows traffic, regardless of whether you explicitly block access. In order to fix the issue and be able to use UFW properly with docker, read this: 
+
+https://blog.jarrousse.org/2023/03/18/how-to-use-ufw-firewall-with-docker-containers/
+
+These instructions assume you have the default docker set up and didn't try to fix the problem yourself yet.
+**Download `ufw-docker` script**
+```bash
+sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker
+sudo chmod +x /usr/local/bin/ufw-docker
+```
+
+Then using the following command to modify the `after.rules` file of `ufw`
+```bash
+ufw-docker install
+```
+
+reboot the host and check if you can access the ports of your container.
+
+Now allow the traffic to the ports on the containers
+- Use the actual port thats open on the container, not the one its binded to on the host
+- `burp` is the container name, so thats what we use with below command
+```bash
+docker ps -a
+sudo ufw-docker allow burp 8443
+```
+<img width="1718" alt="Pasted image 20240713201717" src="https://github.com/user-attachments/assets/be02f47e-5088-4d55-a5fa-ae3e9b137430">
+
+I have provided the commands conventiently for you here:
+```bash
+sudo ufw-docker allow burp 8053
+sudo ufw-docker allow burp 8053/udp
+sudo ufw-docker allow burp 8080
+sudo ufw-docker allow burp 8443
+sudo ufw-docker allow burp 8465
+sudo ufw-docker allow burp 8587
+sudo ufw-docker allow burp 8080
+```
+
+I HIGHLY recommend restricting access to your polling port from an IP address or network. Don't allow the general internet to use your burp collab server for free!
+- `your_whitelisted_ip` is your public IP to allow access from
+- `your_containers_local_ip` is 172.x.x.x
+
+```bash
+ufw route allow proto tcp from your_whitelisted_ip to your_containers_local_ip port 9443
+```
+
+You should be good to go and have your UFW locked down!
 
 ---
 **Author:** [Bruno Morisson](https://twitter.com/morisson)

burp/Dockerfile

@@ -2,15 +2,25 @@ FROM debian:bullseye-slim
 
 RUN apt-get update && \
     apt-get -yqq dist-upgrade
-RUN apt-get -yqq install openjdk-17-jdk && \
+
+# Install wget to download JDK
+RUN apt-get -yqq install wget && \
     apt-get autoremove -yqq && \
     apt-get clean && \
     /bin/rm -rf /var/lib/apt/lists/*
 
+# Download and install Oracle JDK 21
+RUN wget https://download.oracle.com/java/21/latest/jdk-21_linux-x64_bin.deb && \
+    dpkg -i jdk-21_linux-x64_bin.deb && \
+    rm jdk-21_linux-x64_bin.deb
+
+# Create a user and group for Burp
 RUN groupadd -g 999 burp && \
     useradd -r -u 999 -g burp -d /opt/burp burp
- 
+
+# Switch to the burp user
 USER burp
+
 ADD entrypoint.sh /opt/burp/entrypoint.sh
 WORKDIR  /opt/burp
 ENTRYPOINT ["/opt/burp/entrypoint.sh"]

burp/run.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
 echo Starting burp... && \
-chown 999:999 $PWD/burp/keys/privkey.pem && \
 docker run -d --restart=always --name burp --hostname burp -p 53:8053 -p 53:8053/udp -p 80:8080 -p 443:8443 -p 25:8025 -p 587:8587 -p 465:8465 -p 9090:9090 -p 9443:9443    -v $PWD/burp/keys:/opt/burp/keys:ro  -v $PWD/burp/conf:/opt/burp/conf:ro -v $PWD/burp/pkg:/opt/burp/pkg:ro burp  && \
 echo Done.

certbot/certificaterenewal.sh

@@ -26,7 +26,8 @@ docker stop burp
 docker rm burp
 cd $BASEDIR && \
 ./certbot/renew.sh $DOMAIN  && \
-/bin/cp -f $BASEDIR/certbot/letsencrypt/live/$DOMAIN/*.pem $BASEDIR/burp/keys && \
+/bin/cp -r -f $BASEDIR/certbot/letsencrypt/live/$DOMAIN/ $BASEDIR/burp/keys && \
+chown 999:999 $PWD/burp/keys/$DOMAIN/privkey.pem && \
 ./burp/run.sh && \
 echo Certificate renewed
 

init.sh

@@ -1,61 +1,105 @@
-#!/bin/sh
+#!/bin/bash
 
-if [ -e ./init.sh_has_been_run ]; then
-echo Script has already been run. Bailing out.
-exit 0
-fi
+set -e
 
-if [ ! -e ./burp/pkg/burp.jar ]; then
-echo ERROR: no burp.jar found. Make sure it is in ./burp/pkg/burp.jar
-exit 0
-fi
+# Check if a file exists
+check_file() {
+    if [ "$1" == "burp.jar" ]; then
+        local file_path="./burp/pkg/$1"
+    else
+        local file_path="$1"
+    fi
 
-which docker > /dev/null 2>&1
+    if [ ! -e "$file_path" ]; then
+        echo "ERROR: $file_path not found. Make sure it is in the correct location."
+        exit 0
+    fi
+}
 
-if [ $? -eq 1 ]; then
-echo ERROR: docker is missing. Please install first
-exit 0
-fi
+# Check if a command exists
+check_command() {
+    which "$1" > /dev/null 2>&1
+    if [ $? -eq 1 ]; then
+        echo "ERROR: $1 is missing. Please install first."
+        exit 0
+    fi
+}
 
-which bc > /dev/null 2>&1
+handle_docker_permission_error() {
+    echo "ERROR: Permission denied while trying to connect to the Docker daemon. Your user likely needs to use 'sudo' with docker, but we can add your user to the docker group and it should fix this."
+    read -p "Would you like to add your user to the Docker group to fix this? (y/n): " choice
+    if [ "$choice" == "y" ]; then
+        sudo usermod -aG docker $USER
+        echo "User added to the Docker group. Please log out and back in for the changes to take effect, then try the init script again."
+    else
+        echo "Exiting script. Please fix the Docker permissions manually."
+    fi
+    exit 1
+}
 
-if [ $? -eq 1 ]; then
-echo ERROR: bc is missing. Please install first
-exit 0
+if [ -e ./init.sh_has_been_run ]; then
+    echo "Script has already been run. Bailing out."
+    exit 0
 fi
 
-which openssl > /dev/null 2>&1
-if [ $? -eq 1 ]; then
-echo ERROR: openssl is missing. Please install first
-exit 0
-fi
+check_file "burp.jar"
+check_command "docker"
+check_command "bc"
+check_command "openssl"
 
 if [ $# -ne 2 ]; then
-echo usage: ./init.sh \<domain\> \<ip\>
-exit 0
+    echo "Usage: ./init.sh <domain> <ip>"
+    exit 0
 fi
 
 DOMAIN=$1
 IP=$2
-METRICS=`LC_CTYPE=C tr -dc A-Za-z0-9 < /dev/urandom | fold -w 10 | head -1`
-
-echo Initialization to be done with domain *.$1 and public ip $2 && \
-read -p "Press any key to continue, or CTRL-C to bail out" var_p  && \
-
-docker build  -t certbot-burp certbot/certbot-dns-burp && \
-docker build  -t burp burp && \
-./certbot/new.sh $DOMAIN && \
-/bin/cp -f ./certbot/letsencrypt/live/$DOMAIN/*.pem ./burp/keys && \
-/bin/sed -i "s/DOMAIN/$DOMAIN/g" ./burp/conf/burp.config && \
-/bin/sed -i "s/IP/$IP/g" ./burp/conf/burp.config && \
-/bin/sed -i "s/jnaicmez8/$METRICS/g" ./burp/conf/burp.config && \
-./burp/run.sh && \
-/bin/mv ./init.sh ./init.sh_has_been_run && \
-/bin/chmod 000 ./init.sh_has_been_run && \
-/bin/sed -i "s/__DOMAIN__/$DOMAIN/g" ./certbot/certificaterenewal.sh && \
-/bin/sed -i "s#__BASEDIR__#$PWD#g" ./certbot/certificaterenewal.sh && \
-
-echo 
-echo SUCCESS! Burp is now running with the letsencrypt certificate for domain *.$DOMAIN
+METRICS=$(LC_CTYPE=C tr -dc A-Za-z0-9 < /dev/urandom | fold -w 10 | head -1)
+
+echo "Initialization to be done with domain *.$1 and public IP $2"
+read -p "Press any key to continue, or CTRL-C to bail out" var_p
+
+{
+    # check if docker works
+    docker container ls || handle_docker_permission_error
+
+    # build the containers
+    docker build -t certbot-burp certbot/certbot-dns-burp
+    docker build -t burp burp
+
+    # Get certs for the first time. The certbot container will be removed automatically afterwards.
+    ./certbot/new.sh $DOMAIN
+
+    # The symlinks from certbot will be wrong.
+    # Copy the actual certificate files from the archive directory to burp/keys
+    sudo cp ./certbot/letsencrypt/archive/$DOMAIN/cert1.pem ./burp/keys/cert.pem
+    sudo cp ./certbot/letsencrypt/archive/$DOMAIN/chain1.pem ./burp/keys/chain.pem
+    sudo cp ./certbot/letsencrypt/archive/$DOMAIN/fullchain1.pem ./burp/keys/fullchain.pem
+    sudo cp ./certbot/letsencrypt/archive/$DOMAIN/privkey1.pem ./burp/keys/privkey.pem
+    
+    # Change ownership of the privkey.pem file to UID 999 and GID 999
+    sudo chown 999:999 ./burp/keys/privkey.pem
+
+    # Replace placeholders in burp config
+    sudo /bin/sed -i "s/DOMAIN/$DOMAIN/g" ./burp/conf/burp.config
+    sudo /bin/sed -i "s/IP/$IP/g" ./burp/conf/burp.config
+    sudo /bin/sed -i "s/jnaicmez8/$METRICS/g" ./burp/conf/burp.config
+    
+    # run the burp container
+    ./burp/run.sh
+    sudo /bin/mv ./init.sh ./init.sh_has_been_run
+    sudo /bin/chmod 000 ./init.sh_has_been_run
+    
+    # replace placeholders in renewal script
+    sudo /bin/sed -i "s/__DOMAIN__/$DOMAIN/g" ./certbot/certificaterenewal.sh
+    sudo /bin/sed -i "s#__BASEDIR__#$PWD#g" ./certbot/certificaterenewal.sh
+} || {
+    echo "An error occurred during the execution of the script. Please check the output for details."
+    exit 1
+}
+
+echo
+echo "SUCCESS! Burp is now running with the letsencrypt certificate for domain *.$DOMAIN"
 echo
-echo Your metrics path was set to $METRICS. Change addressWhitelist to access it remotely.
+echo "Your metrics path was set to $METRICS. Change addressWhitelist to access it remotely."
+echo "Initialization script has completed."