domingo, 4 de junio de 2023

Smuggler - An HTTP Request Smuggling / Desync Testing Tool


An HTTP Request Smuggling / Desync testing tool written in Python 3


IMPORTANT

This tool does not guarantee no false-positives or false-negatives. Just because a mutation may report OK does not mean there isn't a desync issue, but more importantly just because the tool indicates a potential desync issue does not mean there definitely exists one. The script may encounter request processors from large entities (i.e. Google/AWS/Yahoo/Akamai/etc..) that may show false positive results.


Installation
  1. git clone https://github.com/defparam/smuggler.git
  2. cd smuggler
  3. python3 smuggler.py -h

Example Usage

Single Host:

python3 smuggler.py -u <URL>

List of hosts:

cat list_of_hosts.txt | python3 smuggler.py

Options

 
usage: smuggler.py [-h] [-u URL] [-v VHOST] [-x] [-m METHOD] [-l LOG] [-q]
                   [-t TIMEOUT] [--no-color] [-c CONFIGFILE]

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Target URL with Endpoint
  -v VHOST, --vhost VHOST
                        Specify a virtual host
  -x, --exit_early      Exit scan on first finding
  -m METHOD, --method METHOD
                        HTTP method to use (e.g GET, POST) Default: POST
  -l LOG, --log LOG     Specify a log file
  -q, --quiet           Quiet mode will only log issues found
  -t TIMEOUT, --timeout TIMEOUT
                        Socket timeout value Default: 5
  --no-color            Suppress color codes
  -c CONFIGFILE, --configfile CONFIGFILE
                        Filepath to the configuration file of payloads

Smuggler at a minimum requires either a URL via the -u/--url argument or a list of URLs piped into the script via stdin. If the URL specifies https:// then Smuggler will connect to the host:port using SSL/TLS. If the URL specifies http:// then no SSL/TLS will be used at all. If only the host is specified, then the script will default to https://

Use -v/--vhost <host> to specify a different host header from the server address

Use -x/--exit_early to exit the scan of a given server when a potential issue is found. In piped mode smuggler will just continue to the next host on the list

Use -m/--method <method> to specify a different HTTP verb from POST (i.e GET/PUT/PATCH/OPTIONS/CONNECT/TRACE/DELETE/HEAD/etc...)

Use -l/--log <file> to write output to file as well as stdout

Use -q/--quiet reduce verbosity and only log issues found

Use -t/--timeout <value> to specify the socket timeout. The value should be high enough to conclude that the socket is hanging, but low enough to speed up testing (default: 5)

Use --no-color to suppress the output color codes printed to stdout (logs by default don't include color codes)

Use -c/--configfile <configfile> to specify your smuggler mutation configuration file (default: default.py)


Config Files

Configuration files are python files that exist in the ./config directory of smuggler. These files describe the content of the HTTP requests and the transfer-encoding mutations to test.

Here is example content of default.py:

def render_template(gadget):
	RN = "\r\n"
	p = Payload()
	p.header  = "__METHOD__ __ENDPOINT__?cb=__RANDOM__ HTTP/1.1" + RN
	# p.header += "Transfer-Encoding: chunked" +RN	
	p.header += gadget + RN
	p.header += "Host: __HOST__" + RN
	p.header += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36" + RN
	p.header += "Content-type: application/x-www-form-urlencoded; charset=UTF-8" + RN
	p.header += "Content-Length: __REPLACE_CL__" + RN
	return p


mutations["nameprefix1"] = render_template(" Transfer-Encoding: chunked")
mutations["tabprefix1"] = render_template("Transfer-Encoding:\tchunked")
mutations["tabprefix2"] = render_template("Transfer-Encoding\t:\tchunked")
mutations["space1"] = render_template("Transfer-Encoding : chunked")

for i in [0x1,0x4,0x8,0x9,0xa,0xb,0xc,0xd,0x1F,0x20,0x7f,0xA0,0xFF]:
	mutations["midspace-%   02x"%i] = render_template("Transfer-Encoding:%cchunked"%(i))
	mutations["postspace-%02x"%i] = render_template("Transfer-Encoding%c: chunked"%(i))
	mutations["prespace-%02x"%i] = render_template("%cTransfer-Encoding: chunked"%(i))
	mutations["endspace-%02x"%i] = render_template("Transfer-Encoding: chunked%c"%(i))
	mutations["xprespace-%02x"%i] = render_template("X: X%cTransfer-Encoding: chunked"%(i))
	mutations["endspacex-%02x"%i] = render_template("Transfer-Encoding: chunked%cX: X"%(i))
	mutations["rxprespace-%02x"%i] = render_template("X: X\r%cTransfer-Encoding: chunked"%(i))
	mutations["xnprespace-%02x"%i] = render_template("X: X%c\nTransfer-Encoding: chunked"%(i))
	mutations["endspacerx-%02x"%i] = render_template("Transfer-Encoding: chunked\r%cX: X"%(i))
	mutations["endspacexn-%02x"%i] = render_template("Transfer-Encoding: chunked%c\nX: X"%(i))

There are no input arguments yet on specifying your own customer headers and user-agents. It is recommended to create your own configuration file based on default.py and modify it to your liking.

Smuggler comes with 3 configuration files: default.py (fast), doubles.py (niche, slow), exhaustive.py (very slow) default.py is the fastest because it contains less mutations.

specify configuration files using the -c/--configfile <configfile> command line option


Payloads Directory

Inside the Smuggler directory is the payloads directory. When Smuggler finds a potential CLTE or TECL desync issue, it will automatically dump a binary txt file of the problematic payload in the payloads directory. All payload filenames are annotated with the hostname, desync type and mutation type. Use these payloads to netcat directly to the server or to import into other analysis tools.


Helper Scripts

After you find a desync issue feel free to use my Turbo Intruder desync scripts found Here: https://github.com/defparam/tiscripts DesyncAttack_CLTE.py and DesyncAttack_TECL.py are great scripts to help stage a desync attack


License

These scripts are released under the MIT license. See LICENSE.



Related news

  1. Pentest Tools Website
  2. Hacker
  3. Hack And Tools
  4. Hacker Tool Kit
  5. Usb Pentest Tools
  6. Hacking App
  7. Hacking Tools Software
  8. Hacking Tools For Mac
  9. Hacker Tools Github
  10. Hacking Tools Kit
  11. How To Make Hacking Tools
  12. Hacker Tools For Ios
  13. Hackers Toolbox
  14. Hacker Tools For Windows
  15. Hacking Tools For Games
  16. Termux Hacking Tools 2019
  17. Hack Tools
  18. Pentest Tools Framework
  19. Hack Tools For Mac
  20. Hacking Apps
  21. Hacker Tools Mac
  22. Hacking Tools 2019
  23. Tools For Hacker
  24. Pentest Tools Review
  25. Hacking Tools Mac
  26. Pentest Reporting Tools
  27. Hacking Tools Software
  28. Pentest Tools Android
  29. Pentest Tools Github
  30. Pentest Tools List
  31. Pentest Box Tools Download
  32. Hacker Tools 2019
  33. Pentest Tools For Windows
  34. Hacker Tools Free Download
  35. Pentest Tools Online
  36. Hacking Tools 2020
  37. Usb Pentest Tools
  38. Hacker Hardware Tools
  39. Pentest Automation Tools
  40. Hack Tool Apk
  41. Hacker Security Tools
  42. Hacker Tools 2019
  43. Game Hacking
  44. Hack Tool Apk
  45. Physical Pentest Tools
  46. Hacking Tools Pc
  47. Pentest Tools Website
  48. Hack Tools Pc
  49. Hacker Tools Software
  50. How To Make Hacking Tools
  51. New Hacker Tools
  52. Hacking Tools Online
  53. Pentest Tools For Mac
  54. Pentest Tools Online
  55. Hack Website Online Tool
  56. Hack Tools
  57. Hacker Tools List
  58. Hacker Tools Hardware
  59. Best Pentesting Tools 2018
  60. Physical Pentest Tools
  61. Growth Hacker Tools
  62. Hacker Tools
  63. Hacking Tools Hardware
  64. Hack App
  65. Pentest Tools Tcp Port Scanner
  66. Hack Apps
  67. Pentest Tools Windows
  68. Hack App
  69. Hack Tools For Ubuntu
  70. Hack Tools Online
  71. Pentest Tools Website Vulnerability
  72. Hacker Tools 2020
  73. Hacker Tools Mac
  74. Free Pentest Tools For Windows
  75. Hacking Tools Mac
  76. Pentest Tools List
  77. Pentest Tools For Android
  78. Hacking Tools Windows
  79. Hack Tool Apk
  80. Android Hack Tools Github
  81. Hacking Tools Software
  82. Hacking Tools For Beginners
  83. What Are Hacking Tools
  84. Hack Tools For Pc
  85. Usb Pentest Tools
  86. Hacker Techniques Tools And Incident Handling
  87. What Is Hacking Tools
  88. Pentest Tools
  89. Hacker Tools Online
  90. Easy Hack Tools
  91. Free Pentest Tools For Windows
  92. Hacking Tools For Windows Free Download
  93. Hack Rom Tools
  94. Hacking Tools For Windows 7
  95. Pentest Tools Review
  96. Pentest Tools Website Vulnerability
  97. Hack Website Online Tool
  98. Hacker Tool Kit
  99. Pentest Tools For Ubuntu
  100. Hacking Tools 2019
  101. Hacking Tools Usb
  102. Pentest Tools Download
  103. Hacking Tools For Kali Linux
  104. Pentest Tools Subdomain
  105. Tools For Hacker
  106. Hacking Tools Pc
  107. Physical Pentest Tools
  108. Beginner Hacker Tools
  109. Hacker Tools 2019
  110. Hacking Tools Mac
  111. Hack Tools For Ubuntu
  112. Hak5 Tools
  113. Android Hack Tools Github
  114. Pentest Box Tools Download
  115. Hacking Tools Mac
  116. Hacking Tools Kit
  117. Pentest Reporting Tools
  118. Hack Tool Apk
  119. Hack Tools For Mac
  120. Hack Tool Apk
  121. Pentest Tools Linux
  122. Hacker Tools Mac
  123. Hack Tools
  124. Hack Tool Apk
  125. Pentest Tools Alternative
  126. Growth Hacker Tools
  127. Hacker Tools For Mac
  128. Pentest Tools Kali Linux
  129. Hacking Tools 2019
  130. How To Hack
  131. Hacker Tools Mac
  132. Hacker Tools For Mac
  133. Hack Tools Download
  134. Best Pentesting Tools 2018
  135. Pentest Automation Tools
  136. Hacker Tools Apk Download
  137. Pentest Tools Review
  138. Pentest Automation Tools
  139. Hacking Tools Free Download
  140. Hacking Tools For Games
  141. Hack Tools Github
  142. Pentest Tools Framework
  143. Hacker Tools Mac
  144. Hacker Techniques Tools And Incident Handling
  145. Hack App
  146. Game Hacking

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)