sábado, 27 de janeiro de 2024

Smuggler - An HTTP Request Smuggling / Desync Testing Tool


An HTTP Request Smuggling / Desync testing tool written in Python 3


IMPORTANT

This tool does not guarantee no false-positives or false-negatives. Just because a mutation may report OK does not mean there isn't a desync issue, but more importantly just because the tool indicates a potential desync issue does not mean there definitely exists one. The script may encounter request processors from large entities (i.e. Google/AWS/Yahoo/Akamai/etc..) that may show false positive results.


Installation

  1. git clone https://github.com/defparam/smuggler.git
  2. cd smuggler
  3. python3 smuggler.py -h

Example Usage

Single Host:

python3 smuggler.py -u <URL>

List of hosts:

cat list_of_hosts.txt | python3 smuggler.py

Options

usage: smuggler.py [-h] [-u URL] [-v VHOST] [-x] [-m METHOD] [-l LOG] [-q]
[-t TIMEOUT] [--no-color] [-c CONFIGFILE]

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL Target URL with Endpoint
-v VHOST, --vhost VHOST
Specify a virtual host
-x, --exit_early Exit scan on first finding
-m METHOD, --method METHOD
HTTP method to use (e.g GET, POST) Default: POST
-l LOG, --log LOG Specify a log file
-q, --quiet Quiet mode will only log issues found
-t TIMEOUT, --timeout TIMEOUT
Socket timeout value Default: 5
--no-color Suppress color codes
-c CONFIGFILE, --configfile CONFIGFILE
Filepath to the configuration file of payloads

Smuggler at a minimum requires either a URL via the -u/--url argument or a list of URLs piped into the script via stdin. If the URL specifies https:// then Smuggler will connect to the host:port using SSL/TLS. If the URL specifies http:// then no SSL/TLS will be used at all. If only the host is specified, then the script will default to https://

Use -v/--vhost <host> to specify a different host header from the server address

Use -x/--exit_early to exit the scan of a given server when a potential issue is found. In piped mode smuggler will just continue to the next host on the list

Use -m/--method <method> to specify a different HTTP verb from POST (i.e GET/PUT/PATCH/OPTIONS/CONNECT/TRACE/DELETE/HEAD/etc...)

Use -l/--log <file> to write output to file as well as stdout

Use -q/--quiet reduce verbosity and only log issues found

Use -t/--timeout <value> to specify the socket timeout. The value should be high enough to conclude that the socket is hanging, but low enough to speed up testing (default: 5)

Use --no-color to suppress the output color codes printed to stdout (logs by default don't include color codes)

Use -c/--configfile <configfile> to specify your smuggler mutation configuration file (default: default.py)


Config Files

Configuration files are python files that exist in the ./config directory of smuggler. These files describe the content of the HTTP requests and the transfer-encoding mutations to test.

Here is example content of default.py:

def render_template(gadget):
RN = "\r\n"
p = Payload()
p.header = "__METHOD__ __ENDPOINT__?cb=__RANDOM__ HTTP/1.1" + RN
# p.header += "Transfer-Encoding: chunked" +RN
p.header += gadget + RN
p.header += "Host: __HOST__" + RN
p.header += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36" + RN
p.header += "Content-type: application/x-www-form-urlencoded; charset=UTF-8" + RN
p.header += "Content-Length: __REPLACE_CL__" + RN
return p


mutations["nameprefix1"] = render_template(" Transfer-Encoding: chunked")
mutations["tabprefix1"] = render_template("Transfer-Encoding:\tchunked")
mutations["tabprefix2"] = render_template("Transfer-Encoding\t:\tchunked")
mutations["space1"] = render_template("Transfer-Encoding : chunked")

for i in [0x1,0x4,0x8,0x9,0xa,0xb,0xc,0xd,0x1F,0x20,0x7f,0xA0,0xFF]:
mutations["midspace-% 02x"%i] = render_template("Transfer-Encoding:%cchunked"%(i))
mutations["postspace-%02x"%i] = render_template("Transfer-Encoding%c: chunked"%(i))
mutations["prespace-%02x"%i] = render_template("%cTransfer-Encoding: chunked"%(i))
mutations["endspace-%02x"%i] = render_template("Transfer-Encoding: chunked%c"%(i))
mutations["xprespace-%02x"%i] = render_template("X: X%cTransfer-Encoding: chunked"%(i))
mutations["endspacex-%02x"%i] = render_template("Transfer-Encoding: chunked%cX: X"%(i))
mutations["rxprespace-%02x"%i] = render_template("X: X\r%cTransfer-Encoding: chunked"%(i))
mutations["xnprespace-%02x"%i] = render_template("X: X%c\nTransfer-Encoding: chunked"%(i))
mutations["endspacerx-%02x"%i] = render_template("Transfer-Encoding: chunked\r%cX: X"%(i))
mutations["endspacexn-%02x"%i] = render_template("Transfer-Encoding: chunked%c\nX: X"%(i))

There are no input arguments yet on specifying your own customer headers and user-agents. It is recommended to create your own configuration file based on default.py and modify it to your liking.

Smuggler comes with 3 configuration files: default.py (fast), doubles.py (niche, slow), exhaustive.py (very slow) default.py is the fastest because it contains less mutations.

specify configuration files using the -c/--configfile <configfile> command line option


Payloads Directory

Inside the Smuggler directory is the payloads directory. When Smuggler finds a potential CLTE or TECL desync issue, it will automatically dump a binary txt file of the problematic payload in the payloads directory. All payload filenames are annotated with the hostname, desync type and mutation type. Use these payloads to netcat directly to the server or to import into other analysis tools.


Helper Scripts

After you find a desync issue feel free to use my Turbo Intruder desync scripts found Here: https://github.com/defparam/tiscripts DesyncAttack_CLTE.py and DesyncAttack_TECL.py are great scripts to help stage a desync attack


License

These scripts are released under the MIT license. See LICENSE.



Read more
  1. Hacking Tools For Windows 7
  2. Hacking Tools For Games
  3. Hacker Tools Apk Download
  4. Hacker Tools Mac
  5. Pentest Tools Android
  6. Pentest Tools Free
  7. Hak5 Tools
  8. Physical Pentest Tools
  9. How To Hack
  10. Hacker Tools
  11. Pentest Tools Website Vulnerability
  12. Hacking Tools 2020
  13. Hacker Tools Windows
  14. New Hacker Tools
  15. Pentest Tools For Android
  16. How To Hack
  17. Pentest Tools For Windows
  18. Pentest Tools Online
  19. Pentest Tools Website Vulnerability
  20. Pentest Tools Bluekeep
  21. Hack Tools Download
  22. New Hacker Tools
  23. Hak5 Tools
  24. Hack Tools Github
  25. How To Make Hacking Tools
  26. Hacker Tools 2019
  27. Hack Tools For Windows
  28. Pentest Automation Tools
  29. Pentest Tools Windows
  30. Hacker Tools Linux
  31. Hack App
  32. Hack Tool Apk No Root
  33. Hack App
  34. Hacker Tools Apk
  35. Computer Hacker
  36. Hack Apps
  37. Tools 4 Hack
  38. Best Pentesting Tools 2018
  39. Pentest Tools Nmap
  40. Hack Tool Apk
  41. Nsa Hack Tools Download
  42. Kik Hack Tools
  43. What Is Hacking Tools
  44. Pentest Tools For Android
  45. Hacking Tools Windows
  46. What Is Hacking Tools
  47. Pentest Tools For Ubuntu
  48. Nsa Hack Tools
  49. Usb Pentest Tools
  50. Pentest Tools For Android
  51. Pentest Box Tools Download
  52. Hack Tools Download
  53. Hacker Tools Apk Download
  54. Install Pentest Tools Ubuntu
  55. Easy Hack Tools
  56. Pentest Tools Download
  57. Hacking Tools Github
  58. Hack Tools Github
  59. Hacking Tools Windows
  60. Hacking Tools For Pc
  61. How To Hack
  62. Hack Tool Apk
  63. Hack Tools For Windows
  64. Hacking Tools Online
  65. Hacker Tools For Pc
  66. Pentest Tools Apk
  67. Hacker Tools 2019
  68. Best Hacking Tools 2019
  69. Hack Tools For Ubuntu
  70. Hacker Tools 2020
  71. Hack Tools For Games
  72. Hack Tools For Pc
  73. How To Install Pentest Tools In Ubuntu
  74. Hacker Tools
  75. Pentest Reporting Tools
  76. Hacking Tools 2020
  77. Pentest Automation Tools
  78. Pentest Tools For Android
  79. Hacker Tools Github
  80. Pentest Tools
  81. Hacker Security Tools
  82. Hacker Tools Software
  83. Pentest Tools Website
  84. What Is Hacking Tools
  85. Hack App
  86. Pentest Tools Online
  87. Hacker Tools For Pc
  88. Hacker Tools
  89. Pentest Tools Tcp Port Scanner
  90. Hacker Tool Kit
  91. Hacking Tools Pc
  92. Hack Tools For Windows
  93. Hacking App
  94. Hacking Tools For Beginners
  95. Hacking Tools Windows 10
  96. Hacking Tools Mac
  97. New Hacker Tools
  98. Kik Hack Tools
  99. Hak5 Tools
  100. Pentest Tools Tcp Port Scanner
  101. Hack Tools Github
  102. Hack Tools Github
  103. Pentest Tools Linux
  104. Hack Tools Pc
  105. Install Pentest Tools Ubuntu
  106. Hacking Tools Pc
  107. What Is Hacking Tools
  108. Nsa Hack Tools Download
  109. Hack Tools Pc
  110. Wifi Hacker Tools For Windows
  111. Hacking Tools Free Download
  112. Pentest Tools Port Scanner
  113. Hack Tools For Pc
  114. Hacker Tools For Windows
  115. Pentest Tools Find Subdomains
  116. Pentest Reporting Tools
  117. Hacker Tools Online
  118. Pentest Tools For Ubuntu
  119. Pentest Tools Github
  120. Hacker Tools For Mac
  121. Pentest Tools For Android
  122. How To Install Pentest Tools In Ubuntu
  123. Bluetooth Hacking Tools Kali
  124. Pentest Tools Online
  125. Hack Tool Apk No Root
  126. Hacker Tools Apk Download
  127. Ethical Hacker Tools
  128. Pentest Tools For Mac
  129. How To Make Hacking Tools
  130. Pentest Tools Review
  131. Pentest Tools For Windows
  132. Hacker Tools 2020
  133. Hack Tools For Mac
  134. Tools 4 Hack
  135. Hack Tools
  136. Bluetooth Hacking Tools Kali
  137. Hack Tool Apk
  138. Hacker Tools Software
  139. Pentest Tools Windows
  140. Hacker Tools Software
  141. Top Pentest Tools
  142. Hack Rom Tools
  143. Hak5 Tools
  144. Hacker Search Tools
  145. What Are Hacking Tools
  146. Hack Tools For Pc
  147. Free Pentest Tools For Windows
  148. Hacking Tools For Games

Sem comentários: