
Extended functionality for Burp Plugin – Carbonator

I wrote a script to extend the functions of Burp plugin – Carbonator.

Carbonator is an awesome script by Integris Security. Carbonator uses Jython which is easy for me to understand.

It's similar to Sodapop by Redspin. However, the Sodapop script seems broken now.

Below is a link to Sodapop by Redspin

Below is a description for Carbonator from their website.
Carbonator’s purpose is to enable the ability to automate the vulnerability scanning of a large number of web applications.
A single command from a command line can now produce volumes of vulnerability information.

Carbonator can be found here

Burp Carbonator Extension Mod

I made some additional tweaks to the original carbonator.py script as well as created my own launch_burp.py run script.

The additional functionalities that I have included are:
1. Allow you to run Burp/Carbonator against a file containing a list of domain names/IPs/URLs. Below is a screenshot of the file format.

Carbonator file input containing domain names/urls/ip

2. Run a Bing lookup against the IP address of the domain name to find other websites hosted on the same IP address (using the IP:x.x.x.x keyword in Bing) and run Burp/Carbonator against these additional websites. There seem to be some false positives in the Bing search results, so the script checks that each returned domain name actually resolves to the same IP address before scanning it.

3. Search Google for links belonging to the domain name (using the site:domain.com keyword) and run Burp/Carbonator against these links. You might find additional website content/links compared to crawling http://www.domain.com alone.
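The two pieces of the above that are easy to get wrong are the input-file normalisation (every target needs an explicit scheme, host, port and path before Burp's URL object is built) and the same-IP check that filters search-engine false positives. The following is an added, stand-alone Python illustration of both, not code from the carbonator repo; the target list and the resolver stub are constructed, and 192.0.2.x / 198.51.100.x are documentation-range addresses.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample of the one-target-per-line input format described above:
# bare domain names, bare IPs and full URLs may be mixed freely.
SAMPLE_TARGETS = """\
# comment lines and blank lines are skipped
testphp.vulnweb.com
http://192.0.2.10:8080/app/
https://www.example.com
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_target(line):
    """Normalise one input line into (scheme, host, port, path).

    Bare hosts/IPs are given http:// and the scheme's default port, so every
    target carries an explicit port (avoids a missing-attribute error later).
    """
    if "://" not in line:
        line = "http://" + line
    parts = urlsplit(line)
    scheme = parts.scheme.lower()
    if not parts.hostname or scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported target: %r" % line)
    port = parts.port or DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port, parts.path or "/"


def load_targets(text):
    """Parse a whole target file, ignoring blanks and '#' comment lines."""
    lines = (l.strip() for l in text.splitlines())
    return [parse_target(l) for l in lines if l and not l.startswith("#")]


def same_ip_hosts(target_ip, candidates, resolve=socket.gethostbyname):
    """Keep only candidate hostnames that really resolve to target_ip.

    Search engines return stale or unrelated hosts for an IP: query; anything
    that no longer resolves to the in-scope address is dropped, and hosts
    that fail to resolve at all are dropped too.
    """
    kept = []
    for host in candidates:
        try:
            if resolve(host) == target_ip:
                kept.append(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            pass
    return kept
```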

My GitHub repo for the code is at https://github.com/milo2012/carbonator. Please feel free to send me your feedback/comments. Thank you for reading.

  1. August 6, 2014 at 2:30 pm

    Trying to load with jython 2.5.3:

    Traceback (most recent call last):
    File "C:\Users\test\Desktop\carbonator-master\carbonator-master\carbonator.py", line 60, in registerExtenderCallbacks
    if not self.processCLI():
    File "C:\Users\test\Desktop\carbonator-master\carbonator-master\carbonator.py", line 196, in processCLI
    elif cli[0] == 'https' or cli[0] == 'http':
    IndexError: index out of range: 0

    at org.python.core.Py.IndexError(Py.java:246)

    • August 6, 2014 at 2:38 pm

      You need to use the launch_burp.py script. Thanks

  2. August 6, 2014 at 3:03 pm

    Thank you!!! ... but now:

    Traceback (most recent call last):
    File "C:\Users\test\Desktop\carbonator-master\carbonator-master\carbonator.py", line 60, in registerExtenderCallbacks
    if not self.processCLI():
    File "C:\Users\test\Desktop\carbonator-master\carbonator-master\carbonator.py", line 192, in processCLI
    self.url = URL(self.scheme,self.fqdn,self.port,self.path)
    AttributeError: 'BurpExtender' object has no attribute 'port'

  3. Fran Menta
    August 6, 2014 at 10:24 pm

    Hi, what's wrong?

    $ python launch_burp.py -host localhost
    Traceback (most recent call last):
    File "launch_burp.py", line 210, in <module>
    site = host
    NameError: name 'host' is not defined

    • August 6, 2014 at 10:34 pm

      Try this? python launch_burp.py -host http://testphp.vulnweb.com/ or python launch_burp.py -host? I will catch the exception in the code shortly.

    • August 7, 2014 at 2:39 am

      Hi Fran,
      The bug has been fixed. Please perform a git pull. Thanks

  4. Fran Menta
    August 13, 2014 at 5:19 pm

    Really fixed, thanks.
    Dumb Burp question: is there a way to generate the log in another format, like XML instead of HTML?

  5. August 23, 2014 at 8:27 am

    Hello! With the latest Burp 1.6.05 I tried multiple Jythons: jython 2.5.4-rc1, 2.7b3... Kali jython...

    SyntaxError: 'with' will become a reserved keyword in Python 2.6...
