Smuggler - An HTTP Request Smuggling / Desync Testing Tool

An HTTP Request Smuggling / Desync testing tool written in Python 3

IMPORTANT

This tool does not guarantee no false-positives or false-negatives. Just because a mutation may report OK does not mean there isn't a desync issue, but more importantly just because the tool indicates a potential desync issue does not mean there definitely exists one. The script may encounter request processors from large entities (i.e. Google/AWS/Yahoo/Akamai/etc..) that may show false positive results.

Installation

1. git clone https://github.com/defparam/smuggler.git
2. cd smuggler
3. python3 smuggler.py -h

Example Usage

Single Host:

python3 smuggler.py -u <URL>

List of hosts:

cat list_of_hosts.txt | python3 smuggler.py

Options

usage: smuggler.py [-h] [-u URL] [-v VHOST] [-x] [-m METHOD] [-l LOG] [-q]
                   [-t TIMEOUT] [--no-color] [-c CONFIGFILE]

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Target URL with Endpoint
  -v VHOST, --vhost VHOST
                        Specify a virtual host
  -x, --exit_early      Exit scan on first finding
  -m METHOD, --method METHOD
                        HTTP method to use (e.g GET, POST) Default: POST
  -l LOG, --log LOG     Specify a log file
  -q, --quiet           Quiet mode will only log issues found
  -t TIMEOUT, --timeout TIMEOUT
                        Socket timeout value Default: 5
  --no-color            Suppress color codes
  -c CONFIGFILE, --configfile CONFIGFILE
                        Filepath to the configuration file of payloads

Smuggler at a minimum requires either a URL via the -u/--url argument or a list of URLs piped into the script via stdin. If the URL specifies https:// then Smuggler will connect to the host:port using SSL/TLS. If the URL specifies http:// then no SSL/TLS will be used at all. If only the host is specified, then the script will default to https://

Use -v/--vhost <host> to specify a different host header from the server address

Use -x/--exit_early to exit the scan of a given server when a potential issue is found. In piped mode smuggler will just continue to the next host on the list

Use -m/--method <method> to specify a different HTTP verb from POST (i.e GET/PUT/PATCH/OPTIONS/CONNECT/TRACE/DELETE/HEAD/etc...)

Use -l/--log <file> to write output to file as well as stdout

Use -q/--quiet reduce verbosity and only log issues found

Use -t/--timeout <value> to specify the socket timeout. The value should be high enough to conclude that the socket is hanging, but low enough to speed up testing (default: 5)

Use --no-color to suppress the output color codes printed to stdout (logs by default don't include color codes)

Use -c/--configfile <configfile> to specify your smuggler mutation configuration file (default: default.py)

Config Files

Configuration files are python files that exist in the ./config directory of smuggler. These files describe the content of the HTTP requests and the transfer-encoding mutations to test.

Here is example content of default.py:

def render_template(gadget):
	RN = "\r\n"
	p = Payload()
	p.header  = "__METHOD__ __ENDPOINT__?cb=__RANDOM__ HTTP/1.1" + RN
	# p.header += "Transfer-Encoding: chunked" +RN	
	p.header += gadget + RN
	p.header += "Host: __HOST__" + RN
	p.header += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36" + RN
	p.header += "Content-type: application/x-www-form-urlencoded; charset=UTF-8" + RN
	p.header += "Content-Length: __REPLACE_CL__" + RN
	return p


mutations["nameprefix1"] = render_template(" Transfer-Encoding: chunked")
mutations["tabprefix1"] = render_template("Transfer-Encoding:\tchunked")
mutations["tabprefix2"] = render_template("Transfer-Encoding\t:\tchunked")
mutations["space1"] = render_template("Transfer-Encoding : chunked")

for i in [0x1,0x4,0x8,0x9,0xa,0xb,0xc,0xd,0x1F,0x20,0x7f,0xA0,0xFF]:
	mutations["midspace-%   02x"%i] = render_template("Transfer-Encoding:%cchunked"%(i))
	mutations["postspace-%02x"%i] = render_template("Transfer-Encoding%c: chunked"%(i))
	mutations["prespace-%02x"%i] = render_template("%cTransfer-Encoding: chunked"%(i))
	mutations["endspace-%02x"%i] = render_template("Transfer-Encoding: chunked%c"%(i))
	mutations["xprespace-%02x"%i] = render_template("X: X%cTransfer-Encoding: chunked"%(i))
	mutations["endspacex-%02x"%i] = render_template("Transfer-Encoding: chunked%cX: X"%(i))
	mutations["rxprespace-%02x"%i] = render_template("X: X\r%cTransfer-Encoding: chunked"%(i))
	mutations["xnprespace-%02x"%i] = render_template("X: X%c\nTransfer-Encoding: chunked"%(i))
	mutations["endspacerx-%02x"%i] = render_template("Transfer-Encoding: chunked\r%cX: X"%(i))
	mutations["endspacexn-%02x"%i] = render_template("Transfer-Encoding: chunked%c\nX: X"%(i))

There are no input arguments yet on specifying your own customer headers and user-agents. It is recommended to create your own configuration file based on default.py and modify it to your liking.

Smuggler comes with 3 configuration files: default.py (fast), doubles.py (niche, slow), exhaustive.py (very slow) default.py is the fastest because it contains less mutations.

specify configuration files using the -c/--configfile <configfile> command line option

Payloads Directory

Inside the Smuggler directory is the payloads directory. When Smuggler finds a potential CLTE or TECL desync issue, it will automatically dump a binary txt file of the problematic payload in the payloads directory. All payload filenames are annotated with the hostname, desync type and mutation type. Use these payloads to netcat directly to the server or to import into other analysis tools.

Helper Scripts

After you find a desync issue feel free to use my Turbo Intruder desync scripts found Here: https://github.com/defparam/tiscripts DesyncAttack_CLTE.py and DesyncAttack_TECL.py are great scripts to help stage a desync attack

License

These scripts are released under the MIT license. See LICENSE.

Download Smuggler

Related news

1. Pentest Tools Download
2. Hacking Tools For Windows 7
3. Pentest Tools Open Source
4. Hacking Tools 2019
5. Hack And Tools
6. Pentest Recon Tools
7. Pentest Tools For Mac
8. Hack Tool Apk
9. Hacker Tools Software
10. Pentest Tools Online
11. Install Pentest Tools Ubuntu
12. Hacker Search Tools
13. Pentest Tools
14. New Hack Tools
15. Hack Tool Apk
16. Pentest Tools Kali Linux
17. Hacker
18. Pentest Tools Linux
19. Physical Pentest Tools
20. Hack Website Online Tool
21. Best Pentesting Tools 2018
22. What Are Hacking Tools
23. Hacking Tools Usb
24. How To Install Pentest Tools In Ubuntu
25. Hacker Tools For Ios
26. Pentest Recon Tools
27. Nsa Hacker Tools
28. Hacker Tools 2019
29. Pentest Tools Port Scanner
30. Hacking Tools For Pc
31. Hack Tools For Pc
32. Hackrf Tools
33. Pentest Tools
34. Hacking Tools 2020
35. Hacking Tools For Mac
36. Hack Tools
37. Hack Tools For Pc
38. Hack Tools For Ubuntu
39. Termux Hacking Tools 2019
40. Pentest Box Tools Download
41. Hacker Security Tools
42. Hacking Tools For Beginners
43. Hacker Tools 2019
44. Pentest Tools List
45. Hacker Tool Kit
46. Hackers Toolbox
47. Pentest Tools For Ubuntu
48. Nsa Hack Tools
49. Nsa Hack Tools
50. Pentest Tools Port Scanner
51. Hacker Tools Github
52. New Hacker Tools
53. Hacking Tools Mac
54. Pentest Tools Download
55. Best Hacking Tools 2019
56. Hacking App
57. Hacker Tools Github
58. Hacking Tools For Games
59. Hacker Tools Apk
60. Bluetooth Hacking Tools Kali
61. Pentest Tools Download
62. Pentest Tools For Mac
63. Hacker Tools For Mac
64. Hacking Tools For Windows Free Download
65. Hacker Tools Free Download
66. Hacker Tools Online
67. Hacking Tools Hardware
68. Nsa Hacker Tools
69. Hacking Tools 2019
70. Install Pentest Tools Ubuntu
71. Hacking Tools 2019
72. Hacker Tools For Windows
73. Pentest Tools Kali Linux
74. Pentest Tools Subdomain
75. Hacker Tools For Ios
76. Hacker Tools Free Download
77. What Is Hacking Tools
78. Physical Pentest Tools
79. Hacking Tools Name
80. Hacking Tools For Windows
81. World No 1 Hacker Software
82. Pentest Tools For Android
83. Hacker Tools Windows
84. Hacking Tools Windows 10
85. Pentest Tools Kali Linux
86. How To Make Hacking Tools
87. Hacking Tools Pc
88. Hacking Tools Name
89. Ethical Hacker Tools
90. Hacking Apps
91. Hacker
92. Hack Tools Mac
93. Hackers Toolbox
94. Hacks And Tools
95. Hacker Tools Mac
96. Github Hacking Tools
97. Hacking Tools Github
98. Hacking Tools Hardware
99. Pentest Tools For Android
100. Pentest Tools Open Source
101. Hacking Tools Windows 10
102. Hacking Tools Software
103. Hacker Tools Free Download
104. Hack Apps
105. Growth Hacker Tools
106. Pentest Tools For Windows
107. Hack Tools Mac
108. Hack Tools For Ubuntu
109. Pentest Automation Tools
110. How To Make Hacking Tools
111. Pentest Tools Windows
112. Usb Pentest Tools
113. Hacker Tools Apk Download
114. Pentest Tools For Mac
115. Best Hacking Tools 2020
116. Hacking Tools For Windows 7
117. Termux Hacking Tools 2019
118. Tools 4 Hack
119. Hacker Tools Windows
120. Hackers Toolbox
121. Hacker Tools Apk
122. Hack Tools For Ubuntu
123. Hacker Tools 2020
124. Best Hacking Tools 2020
125. Hack Tools For Windows
126. Nsa Hack Tools
127. World No 1 Hacker Software
128. Tools For Hacker
129. Hack Tools For Games
130. Hacker Techniques Tools And Incident Handling
131. Github Hacking Tools
132. Hacker Tools 2019
133. Hack Tools Mac
134. Top Pentest Tools
135. Pentest Tools Url Fuzzer
136. Nsa Hack Tools
137. Hacker Hardware Tools
138. Hack Tools For Windows
139. Hack Rom Tools
140. Pentest Tools
141. Top Pentest Tools
142. Hacking Tools 2020
143. Install Pentest Tools Ubuntu
144. Pentest Tools Port Scanner
145. Hacking Tools For Windows 7
146. Hacking Tools Windows
147. Hack Tools Online
148. Game Hacking
149. Physical Pentest Tools
150. Hacking Tools For Windows 7