Saturday, May 27, 2023

Smuggler - An HTTP Request Smuggling / Desync Testing Tool


An HTTP Request Smuggling / Desync testing tool written in Python 3


IMPORTANT

This tool does not guarantee no false-positives or false-negatives. Just because a mutation may report OK does not mean there isn't a desync issue, but more importantly just because the tool indicates a potential desync issue does not mean there definitely exists one. The script may encounter request processors from large entities (i.e. Google/AWS/Yahoo/Akamai/etc..) that may show false positive results.


Installation
  1. git clone https://github.com/defparam/smuggler.git
  2. cd smuggler
  3. python3 smuggler.py -h

Example Usage

Single Host:

python3 smuggler.py -u <URL>

List of hosts:

cat list_of_hosts.txt | python3 smuggler.py

Options

 
usage: smuggler.py [-h] [-u URL] [-v VHOST] [-x] [-m METHOD] [-l LOG] [-q]
                   [-t TIMEOUT] [--no-color] [-c CONFIGFILE]

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Target URL with Endpoint
  -v VHOST, --vhost VHOST
                        Specify a virtual host
  -x, --exit_early      Exit scan on first finding
  -m METHOD, --method METHOD
                        HTTP method to use (e.g GET, POST) Default: POST
  -l LOG, --log LOG     Specify a log file
  -q, --quiet           Quiet mode will only log issues found
  -t TIMEOUT, --timeout TIMEOUT
                        Socket timeout value Default: 5
  --no-color            Suppress color codes
  -c CONFIGFILE, --configfile CONFIGFILE
                        Filepath to the configuration file of payloads

Smuggler at a minimum requires either a URL via the -u/--url argument or a list of URLs piped into the script via stdin. If the URL specifies https:// then Smuggler will connect to the host:port using SSL/TLS. If the URL specifies http:// then no SSL/TLS will be used at all. If only the host is specified, then the script will default to https://

Use -v/--vhost <host> to specify a different host header from the server address

Use -x/--exit_early to exit the scan of a given server when a potential issue is found. In piped mode smuggler will just continue to the next host on the list

Use -m/--method <method> to specify a different HTTP verb from POST (i.e GET/PUT/PATCH/OPTIONS/CONNECT/TRACE/DELETE/HEAD/etc...)

Use -l/--log <file> to write output to file as well as stdout

Use -q/--quiet reduce verbosity and only log issues found

Use -t/--timeout <value> to specify the socket timeout. The value should be high enough to conclude that the socket is hanging, but low enough to speed up testing (default: 5)

Use --no-color to suppress the output color codes printed to stdout (logs by default don't include color codes)

Use -c/--configfile <configfile> to specify your smuggler mutation configuration file (default: default.py)


Config Files

Configuration files are python files that exist in the ./config directory of smuggler. These files describe the content of the HTTP requests and the transfer-encoding mutations to test.

Here is example content of default.py:

def render_template(gadget):
	RN = "\r\n"
	p = Payload()
	p.header  = "__METHOD__ __ENDPOINT__?cb=__RANDOM__ HTTP/1.1" + RN
	# p.header += "Transfer-Encoding: chunked" +RN	
	p.header += gadget + RN
	p.header += "Host: __HOST__" + RN
	p.header += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36" + RN
	p.header += "Content-type: application/x-www-form-urlencoded; charset=UTF-8" + RN
	p.header += "Content-Length: __REPLACE_CL__" + RN
	return p


mutations["nameprefix1"] = render_template(" Transfer-Encoding: chunked")
mutations["tabprefix1"] = render_template("Transfer-Encoding:\tchunked")
mutations["tabprefix2"] = render_template("Transfer-Encoding\t:\tchunked")
mutations["space1"] = render_template("Transfer-Encoding : chunked")

for i in [0x1,0x4,0x8,0x9,0xa,0xb,0xc,0xd,0x1F,0x20,0x7f,0xA0,0xFF]:
	mutations["midspace-%   02x"%i] = render_template("Transfer-Encoding:%cchunked"%(i))
	mutations["postspace-%02x"%i] = render_template("Transfer-Encoding%c: chunked"%(i))
	mutations["prespace-%02x"%i] = render_template("%cTransfer-Encoding: chunked"%(i))
	mutations["endspace-%02x"%i] = render_template("Transfer-Encoding: chunked%c"%(i))
	mutations["xprespace-%02x"%i] = render_template("X: X%cTransfer-Encoding: chunked"%(i))
	mutations["endspacex-%02x"%i] = render_template("Transfer-Encoding: chunked%cX: X"%(i))
	mutations["rxprespace-%02x"%i] = render_template("X: X\r%cTransfer-Encoding: chunked"%(i))
	mutations["xnprespace-%02x"%i] = render_template("X: X%c\nTransfer-Encoding: chunked"%(i))
	mutations["endspacerx-%02x"%i] = render_template("Transfer-Encoding: chunked\r%cX: X"%(i))
	mutations["endspacexn-%02x"%i] = render_template("Transfer-Encoding: chunked%c\nX: X"%(i))

There are no input arguments yet on specifying your own customer headers and user-agents. It is recommended to create your own configuration file based on default.py and modify it to your liking.

Smuggler comes with 3 configuration files: default.py (fast), doubles.py (niche, slow), exhaustive.py (very slow) default.py is the fastest because it contains less mutations.

specify configuration files using the -c/--configfile <configfile> command line option


Payloads Directory

Inside the Smuggler directory is the payloads directory. When Smuggler finds a potential CLTE or TECL desync issue, it will automatically dump a binary txt file of the problematic payload in the payloads directory. All payload filenames are annotated with the hostname, desync type and mutation type. Use these payloads to netcat directly to the server or to import into other analysis tools.


Helper Scripts

After you find a desync issue feel free to use my Turbo Intruder desync scripts found Here: https://github.com/defparam/tiscripts DesyncAttack_CLTE.py and DesyncAttack_TECL.py are great scripts to help stage a desync attack


License

These scripts are released under the MIT license. See LICENSE.



Related word


Posted by at No comments:

Backtrack4



The Remote Exploit Development Team has just announced BackTrack 4 Beta. BackTrack is a Linux based LiveCD intended for security testing and we've been watching the project since the very early days. They say this new beta is both stable and usable. They've moved towards behaving like an actual distribution: it's based on Debian core, they use Ubuntu software, and they're running their own BackTrack repositories for future updates. There are a lot of new features, but the one we're most interested in is the built in Pico card support. You can use the FPGAs to generate rainbow tables and do lookups for things like WPA, GSM, and Bluetooth cracking. BackTrack ISO and VMWare images are available here.




Related links
  1. Termux Hacking Tools 2019
  2. Pentest Tools Port Scanner
  3. Hacking Tools For Mac
  4. Pentest Tools Find Subdomains
  5. Hacker Tool Kit
  6. Hak5 Tools
  7. Hack Tools For Ubuntu
  8. Hacking Tools
  9. Pentest Tools Github
  10. Hacking Tools Usb
  11. Hacking Tools Download
  12. Pentest Tools Kali Linux
  13. Hacking Tools Windows 10
  14. Nsa Hack Tools Download
  15. Hacking Tools Download
  16. Hacking Tools 2019
  17. Hacker Tools For Windows
  18. Hacking Tools Free Download
  19. Nsa Hack Tools
  20. Tools Used For Hacking
  21. Hacking Tools Name
  22. How To Make Hacking Tools
  23. Pentest Tools Review
  24. Hacker Tools Free
  25. Pentest Tools Tcp Port Scanner
  26. Hacking Tools For Pc
  27. Pentest Tools Url Fuzzer
  28. Hack Tools For Ubuntu
  29. Pentest Recon Tools
  30. Hack App
  31. World No 1 Hacker Software
  32. Nsa Hack Tools
  33. Hacking Tools Mac
  34. Pentest Tools Website Vulnerability
  35. Hacking Tools Kit
  36. Pentest Tools Framework
  37. Pentest Tools Url Fuzzer
  38. Hacking Tools Github
  39. Hacking Tools
  40. Hack Tools 2019
  41. Hacker Tools For Mac
  42. Wifi Hacker Tools For Windows
  43. Hacking Tools For Kali Linux
  44. Pentest Tools Subdomain
  45. Underground Hacker Sites
  46. Pentest Tools Free
  47. Pentest Tools Android
  48. What Is Hacking Tools
  49. Pentest Recon Tools
  50. Pentest Tools Port Scanner
  51. Hacking Tools Hardware
  52. How To Make Hacking Tools
  53. Hack App
  54. Pentest Tools Subdomain
  55. Hacking Tools Kit
  56. Hacker Tools For Pc
  57. How To Hack
  58. Hack Tools For Pc
  59. What Are Hacking Tools
  60. Black Hat Hacker Tools
  61. What Are Hacking Tools
  62. Github Hacking Tools
  63. Hacking Tools Hardware
  64. Hack Tools
  65. Github Hacking Tools
  66. Pentest Tools For Ubuntu
  67. Growth Hacker Tools
  68. Physical Pentest Tools
  69. Pentest Tools Website Vulnerability
  70. Hack Tools 2019
  71. Hack Tools Pc
  72. Nsa Hack Tools Download
  73. Pentest Tools Open Source
  74. Hacker Tools Apk
  75. What Is Hacking Tools
  76. Beginner Hacker Tools
  77. Pentest Recon Tools
  78. Underground Hacker Sites
  79. Pentest Recon Tools
  80. Hack Tools For Windows
  81. Hacking Tools For Beginners
  82. Hacker Tools For Windows
  83. Best Hacking Tools 2019
  84. Hacking Tools Pc
  85. Pentest Tools Online
  86. Hacker Tool Kit
Posted by at No comments:

DMitry: Deepmagic Information Gathering Tool


"DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line Application coded in C. DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more." read more...


Download: http://packetstormsecurity.org/UNIX/misc/DMitry-1.2a.tar.gz

More information
Posted by at No comments:

Friday, May 26, 2023

Evil Limiter: Taking Control Of Your Network Bandwidth







Ever wanted to block someone from the network or limit their bandwidth without having the network admin privileges? Well Evil Limiter has got you covered then.

 An amazing tool to help you control your network without having access to the admin panel.
Today I'm gonna show you how to use this interesting tool to take control of your network.

Requirements:

1. A PC or Laptop with Linux OS.
2. A Network Adapter.
3. Access to the Network you want to control.
4. sudo or root access on your Linux OS.

 First of all we will download the tool from its github repository:
https://github.com/bitbrute/evillimiter

 You can download and extract the zip file from the link above or you can clone evillimiter repository using git like this:

 git clone https://github.com/bitbrute/evillimiter 

 Now lets install the downloaded tool on our machine
Step 1: Move inside the downloaded github repository

 cd evillimiter

 Step 2: To install type

 sudo python3 setup.py install

 wait for the installation to finish (May take some time)

 Step 3: To run type

 sudo evilimiter

 Voila! That's it, you got it up and running on your machine

 Now how do you control your network with it, its very easy.
It should detect your network automatically but yeah you can set it up manually as well using the command line argument -i.

 After you have selected the right interface to control, you need to scan your network for live hosts. To perform the scan type

 scan

 you can pass an optional flag to the scan command which is range which will help you to specify the range of ip addresses you want to scan like this

 scan --range 192.168.1.1-192.168.1.100


The above command will scan a total of 100 hosts from 192.168.1.1 to 192.168.1.100

 Now after you have scanned your network next thing is to list the hosts that have been discovered during the scan for that you type the hosts command like this

 hosts


Now you know the hosts on your network and now you should know which host you wanna block or limit based on the mac address of the host. Remember the host id of the host that you want to block or limit bandwidth of and lets do the magic.
to block a host from using the internet we simply specify the block command followed by the host id of the host that we want to block like this

 block 1


if instead of blocking the host we just want to limit his internet bandwidth we can do just that by using the limit command followed by the host id and then the bandwidth that we want to allocate to that particular host like this

 limit 1 100kbits


Wohooo! yeah its that easy and yes you can do all this without having the network admin role.
Now if you want to show mercy on that poor guy (blocked host), you can set him free by using the free command followed by the host id like this:

 free 1


Well isn't administrating your network bandwidth so easy now.
Hope you enjoyed this tutorial.:)

Continue reading


Posted by at No comments:
Subscribe to: Posts (Atom)