Automatizing Burp + Carbonator + Slack

tl;dr

A few days ago I decided to try to automate some activities using Burp. The main goal was to install it on my VPS (without GUI) and interact with it as little as possible. I started researching Carbonator, Burpa and other alternatives and discovered that there wasn't any up-to-date guide (or I didn't find one) on how to set everything up from zero without a GUI. During these days I've been talking with other researchers and came up with the idea of summarizing all these steps and information in one post, to set it down for anyone who needs it.

That said, I'm going to explain the requirements and steps to install Burpsuite Pro with Carbonator on your VPS without a graphical interface. I created a small script (it's not the best script atm, I know) which consumes hosts from a file and runs Carbonator on them. With this, we only need to fill that file with the hosts and ports to scan, and we get a notification on our Slack channel with the generated report. At the end we will get something like this:

I want to say thanks to @viyat and @phr0nak who gave me a few pointers about Burp API and carbonator.

Requirements

  • Server without GUI (ssh access)
  • Burpsuite Pro
  • Slack Team to post results
  • Slack Bot with access token

Things to take into account

  • Your server will need at least 1GB RAM (I tested it with this amount and it works fine)
  • You will need to activate your Burp Pro on a new machine
  • Before moving to the VPS I did all the steps on Linux (this allowed me to copy a few folders that will be necessary in further steps)

Steps

> Note that these steps are only needed if you don't have a GUI on your VPS. If you do, configure your Burp extensions directly on your VPS.

In your laptop:

    1. Download your Java Burp Pro standalone file.
    2. Open Burp using the following command: java -jar burpsuite_pro_vX.X.XX.jar
    3. Configure and install all the extensions you will want to use during your testing (Active Scan++, Additional Scanner Checks, etc.).
    4. Save your project and user configurations in separate files.
    5. Copy your Java file and your .Burpsuite folder. You will find the latter in your home folder, /home/username/.Burpsuite (it contains all the installed extensions).

In your VPS:

    1. Create a new folder.
    2. Paste your Java file inside the new folder, and your .Burpsuite folder in your user folder, /home/username/.Burpsuite.
    3. Open Burp using the following command: java -jar burpsuite_pro_vX.X.XX.jar
    4. It will ask for your license. Copy and paste it on the command line and accept the terms and conditions.
    5. If it runs successfully, Burp is now working properly on our VPS.
    6. If you don't have a Slack team already, you can create one from here.
    7. Once created, generate a new Slackbot (here) and save the token.
    8. Clone the script I made, hosted on my GitHub: https://github.com/niemand-sec/Burp-Scan-Them-All
    9. Let's configure a few things in the script before starting:

    source = 'pending_hosts.txt'
    burp = "burpsuite_pro_v1.7.27.jar"  # Burp file
    slack_token = "<yourstokenhere>"  # Token generated for the Slackbot
    cache_fix = True  # Set True to clear the OS cache between each Burp run; recommended for low-RAM VPSs (you will need to run the script as sudo)
    slack_username = "niemand"  # Your Slack username
    slack_channel = "burpreports"

    10. Let's create our pending_hosts.txt. The format is quite simple: CSV with port,hostname,scheme,folder

    443,niemand.com.ar,https,niemand.com.ar-test
    443,noexistingdomain.niemand.com.ar,https,niemand.com.ar-test
    80,example.com,http,example.com

    11. One last thing: create a config folder and drop in the user and project config files you saved in step 4 of the laptop section (use the same names as in the script, "project-config.json" and "user-config.json").
    12. And finally: python run_scans.py
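As an added example (not code from Burp-Scan-Them-All), here is how the pending_hosts.txt consumer described above can validate each port,hostname,scheme,folder line before anything is launched, rejecting bad ports, malformed hostnames, unsupported schemes and folder names that would escape the output directory, and then build the headless Burp command line. The Carbonator argument order (scheme host port) and the JVM flags are assumptions; the sample file is constructed.

```python
import csv
import io
import re

# Constructed sample in the post's CSV format: port,hostname,scheme,folder
SAMPLE_HOSTS = """443,niemand.com.ar,https,niemand.com.ar-test
80,example.com,http,example.com
8443,bad host,https,x
443,example.org,ftp,example.org
80,example.net,http,../etc
"""

# DNS-style hostname: labels of letters, digits and hyphens, 253 chars max
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
                     r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# Output folder: a plain name, no path separators (the folder becomes a report path)
FOLDER_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_pending_hosts(text):
    """Return (valid_entries, rejected) for the CSV consumed by run_scans.py."""
    valid, rejected = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not c.strip() for c in row):
            continue  # skip blank lines
        if len(row) != 4:
            rejected.append((lineno, "expected 4 fields"))
            continue
        port, host, scheme, folder = (c.strip() for c in row)
        host = host.lower()
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            rejected.append((lineno, "bad port"))
        elif not HOST_RE.match(host):
            rejected.append((lineno, "bad hostname"))
        elif scheme not in ("http", "https"):
            rejected.append((lineno, "scheme must be http or https"))
        elif not FOLDER_RE.match(folder) or folder in (".", ".."):
            rejected.append((lineno, "folder must be a plain directory name"))
        else:
            valid.append({"port": int(port), "host": host,
                          "scheme": scheme, "folder": folder})
    return valid, rejected


def carbonator_command(entry, burp_jar="burpsuite_pro_v1.7.27.jar", xmx="1g"):
    """Headless Burp + Carbonator invocation (argument order is an assumption)."""
    return ["java", f"-Xmx{xmx}", "-Djava.awt.headless=true", "-jar", burp_jar,
            entry["scheme"], entry["host"], str(entry["port"])]
```

Hand the returned list to subprocess.run() without shell=True so hostnames are never interpreted by a shell.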

TODO:

– Add more try/catch and notify slack about possible errors
– Feed pending_host file via Slack?
– Improve command line outputs

Feedback

If you have interesting info to share and discuss, just hit me up on Twitter.