
XAMPP Attack: Finding Victim’s IP with Burp Suite

TL;DR

This guide shows how to use Burp Suite to identify a victim’s IP address when attacking an XAMPP server. We’ll focus on intercepting requests and extracting the IP from HTTP headers.

Prerequisites

  • A running XAMPP server.
  • Burp Suite installed and configured (Community Edition is sufficient).
  • A basic understanding of web application architecture.

Steps to Find the Victim’s IP Address

  1. Configure Burp Suite Proxy:
    • Start Burp Suite.
    • Go to Proxy > Options.
    • Ensure your browser is configured to use Burp Suite as its proxy (usually localhost, port 8080). Check your browser settings for ‘proxy server’.
  2. Access the XAMPP Application:
    • Open your web browser and navigate to the URL of your XAMPP application (e.g., http://localhost/). This will route all traffic through Burp Suite.
  3. Intercept HTTP Requests:
    • In Burp Suite, go to the Proxy > HTTP History tab. You should see requests appearing as you interact with the XAMPP application.
    • If requests aren’t showing, ensure ‘intercept is on’ in the Proxy options.
  4. Examine HTTP Headers:
    • Select a request from the HTTP History tab.
    • Go to the Details sub-tab.
    • Look for headers that might contain the victim’s IP address. Common headers to check include:
      • X-Forwarded-For: This header often contains the client’s IP address, especially when there are proxies in front of the server. Each proxy appends the address it saw, so the value is a comma-separated chain.
      • Client-IP: Some applications use this custom header.
      • REMOTE_ADDR: This is a common server variable; some setups pass it along as a header.
  5. Example Header Extraction (X-Forwarded-For):

    If you find an X-Forwarded-For header, it might look like this:

    X-Forwarded-For: 192.168.1.100, 10.0.0.5

    The first IP address (192.168.1.100 in this example) is usually the client’s IP.

  6. Using Burp Suite Repeater for More Control:
    • Right-click on a request in HTTP History and select ‘Send to Repeater’.
    • In Repeater, you can modify the request and resend it. This is useful if the IP address isn’t immediately visible but might be logged after a specific action.
  7. Check for Logging in Application Code (if accessible):
    • If you have access to the XAMPP application’s source code, look for logging statements that record client IP addresses. These logs might be stored in files or databases.

Important Considerations

  • IP Address Spoofing: The X-Forwarded-For header is set by whoever sends the request, so a client can put any value in it. It is only trustworthy for the entries appended by proxies you control, so it’s not always reliable.
  • Privacy: Obtaining someone’s IP address without their consent is generally unethical and potentially illegal. This guide is for educational purposes only.
  • Network Configuration: The presence of proxies or firewalls can affect how IP addresses are reported.
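As an added example (not code from the original post), the following Python function shows how an application behind XAMPP should read X-Forwarded-For given the spoofing caveat above: it walks the chain from the right, skipping only proxies it already trusts, so a client-supplied value is never taken at face value. The trusted proxy address 10.0.0.5 and the sample headers are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Set

# Constructed for this example: the reverse proxies that are allowed to
# set X-Forwarded-For. Anything else is treated as an ordinary client.
TRUSTED_PROXIES: Set[str] = {"10.0.0.5"}


def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For header into its comma-separated entries."""
    return [part.strip() for part in header.split(",") if part.strip()]


def is_valid_ip(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted_proxies: Set[str]) -> str:
    """Return the client address the server should actually trust.

    The header is only consulted when the TCP peer (remote_addr) is a
    trusted proxy; a direct client could have written anything into it.
    The chain is then walked right to left, skipping trusted proxies, and
    the first remaining hop is the client as reported by our own proxy.
    """
    if remote_addr not in trusted_proxies or not xff_header:
        return remote_addr
    chain = parse_xff(xff_header) + [remote_addr]
    for hop in reversed(chain):
        if hop in trusted_proxies:
            continue
        # A malformed entry means the chain was tampered with; do not
        # report it as an address, fall back to the connection peer.
        return hop if is_valid_ip(hop) else remote_addr
    # Every hop was one of our proxies: nothing else to report.
    return remote_addr


if __name__ == "__main__":
    # The header from the post, arriving via the trusted proxy.
    print(client_ip("10.0.0.5", "192.168.1.100, 10.0.0.5", TRUSTED_PROXIES))
    # A client connecting directly and forging the header: the forged
    # value is ignored and the real peer address is returned instead.
    print(client_ip("203.0.113.7", "1.2.3.4", TRUSTED_PROXIES))
```

The same logic applies unchanged to PHP code reading `$_SERVER['HTTP_X_FORWARDED_FOR']` and `$_SERVER['REMOTE_ADDR']` under XAMPP.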