All About HackingBlackhat Hacking ToolsFree CoursesHacking

Writing Burp Extensions (Shodan Scanner) 2023

In this article, we will have an overview of writing Burp extensions. At the end of the post, we’ll have an extension that will take any HTTP request, determine the IP address of the domain, and get specific information using the Shodan API.

I have divided the article into the following hierarchy so you can skip some sections if you already know.

Introducing the Burp Extender interface[Writing Burp Extensions]

  • Environment settings
  • Writing a Simple Port Scanner using the Shodan API
  • Naming extension
  • Create a context menu
  • Creating an action function
  • Reference


Introducing the Extender interface


The theory behind writing a Burp extension revolves around understanding the basic concepts of OOPS and having some familiarity with any programming language. Burp provides several ways to interact with the exposed interfaces and extend its functionality with various tools such as Target, Repeater, Scanner, etc. In this phase we will look at some of these interfaces and how we can use them to create our first extension .

For this writeup, we will mainly use the following burp interface:

  • iBurpExtender
  • IContextMenuFactory
  • In addition to the interfaces mentioned above, we will also use the following library from core java
  • javax.swing
  • iBurpExtender


The Burp documentation says: “All extensions must implement this interface. The reason is quite simple, to create our extension we need to register it first. This is done by extending a function called registerExtenderCallbacks. It gives us access to some functions implemented by the IBurpExtenderCallbacks interface.

IContextMenuFactory


This interface deals primarily with context-specific data; this is facilitated by the number of functions implemented by the IContextMenuInvocation interface. These functions can be used to load or add information to any context provided by burp, i.e. we can define exactly where our context menu item should appear in the burp tools (Repeater/Scanner/Target Section).

javax.swing


We will use the java swing library to create a graphical user interface.

Environment settings


Our goal for this writeup will be to create a context menu item called “Scan with Shodan” and when the user selects this option, our code should retrieve the HTTP host value from the selected request and send the IP address of the host to the Shodan API server and show us the results in the output section on the extension tab.

Let’s break down our goal for this phase into different steps:

  • Get Shodan API Key
  • Getting the Jython Standalone Jar File
  • Environment settings
  • Get Shodan API Key
  • To get Shodan API key, we need to register an account here. Then go to your profile section and copy your key. Place this key start_scan function in the code shown in the sections below.
  • Download/Install Jython Standalone Jar File
    Since we will be accessing the Java libraries through Python, we need an interpreter to translate our python code into a Java interface, we will be using Jython. Download the Jython jar file from here.

Environment settings


Now we’ll set up our environment to load our extension when it’s done.

steps:

  • Open the Burp tool
  • Go to the Extender tab > options
  • Under Python Environment, select the downloaded Jython jar file
  • Writing a Simple Port Scanner using the Shodan API

Naming extension

Let’s import the necessary interfaces from the belch mentioned in the above section and register our extension by overloading the registerExtenderCallbacks function. Next, we instantiate the IBurpExtenderCallbacks function by assigning the callbacks to the self class variable. callbacks. We set our extension name using a function called “setExtensionName” from the callback instance. We also register a ContextMenuFactory so we can create a context menu and add the desired entry to it.

Create a context menu


Let’s create our context menu item by overloading a function from the IBurpContextMenuFactory interface. Looking at the documentation provided by portswigger, we can see that we can use the createMenuItems function and it needs one argument, and that should be the IContextMenuInvocatoin interface. Next, this function needs to return a list of JMenuItem.

Let’s overload the function and add our item name to the list of menu items. JMenuItem takes several arguments such as item name, icon, action, etc. But we are only interested in the name and the actionPerformed. The actionPerformed argument takes a function and calls it when you click a menu item.

Here we use python lambda functions to pass more than one argument to our function. We then return a list of menu items added so far.

Creating an action function


Then we added two functions called startThreaded and start_scan. The reason we added the startThreaded function is that all mouse click events are asynchronous, so when we call our extension, our belch will hang completely as it waits for the event to complete. Since our desired task will take a few seconds to complete, we need it to run as a background thread.

Also Read:BIOS/UEFI Forensics:Firmware Acquisition and Analysis Appr0aches

The start_scan function takes an invocation instance and uses the getSelectedMessages function to retrieve the HTTP request/response objects from which it was invoked.

Next, we used the IHttpRequestResponse interface to retrieve the HTTP service object and get the host name using the getHost function. Since the Shodan API will need an IP address to retrieve the required information, we used the gethostbyname function from the python sockets library to accomplish this task.

We initiated an https request using the Python urllib2 module, loaded the JSON data into the response variable, and printed it to the output console.

Steps to load and run the Burp extension:
Go to extender tab > extensions > add > select extension type > select extension file > click next.
If everything went according to the instructions, your extension should load in the Extensions tab.
Select any request from the proxy history and click on the context menu item created earlier
You should now see the results in the Extension Output tab.

Since we are currently getting the data in the output console, I leave it up to the diligent reader to update the target tab with the information obtained.

Example


The target card should now contain the following items:

  • www.example.com:80
  • www.example.com:443
  • www.example.com:22


The complete source code can be downloaded here.

References

https://portswigger.net/burp/extender/api/index.html

https://portswigger.net/burp/extender/

https://www.shodan.io/

Leave a Reply

Your email address will not be published. Required fields are marked *