Thursday, 25 January 2024

Smuggler - An HTTP Request Smuggling / Desync Testing Tool


An HTTP Request Smuggling / Desync testing tool written in Python 3


IMPORTANT

This tool does not guarantee the absence of false positives or false negatives. Just because a mutation reports OK does not mean there is no desync issue, and, more importantly, just because the tool indicates a potential desync issue does not mean one definitely exists. The script may encounter request processors from large entities (e.g. Google/AWS/Yahoo/Akamai/etc.) that produce false-positive results.


Installation

  1. git clone https://github.com/defparam/smuggler.git
  2. cd smuggler
  3. python3 smuggler.py -h

Example Usage

Single Host:

python3 smuggler.py -u <URL>

List of hosts:

cat list_of_hosts.txt | python3 smuggler.py

Options

usage: smuggler.py [-h] [-u URL] [-v VHOST] [-x] [-m METHOD] [-l LOG] [-q]
                   [-t TIMEOUT] [--no-color] [-c CONFIGFILE]

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Target URL with Endpoint
  -v VHOST, --vhost VHOST
                        Specify a virtual host
  -x, --exit_early      Exit scan on first finding
  -m METHOD, --method METHOD
                        HTTP method to use (e.g GET, POST) Default: POST
  -l LOG, --log LOG     Specify a log file
  -q, --quiet           Quiet mode will only log issues found
  -t TIMEOUT, --timeout TIMEOUT
                        Socket timeout value Default: 5
  --no-color            Suppress color codes
  -c CONFIGFILE, --configfile CONFIGFILE
                        Filepath to the configuration file of payloads

Smuggler at a minimum requires either a URL via the -u/--url argument or a list of URLs piped into the script via stdin. If the URL specifies https:// then Smuggler connects to host:port using SSL/TLS. If the URL specifies http:// then no SSL/TLS is used at all. If only the host is specified, the script defaults to https://.

Use -v/--vhost <host> to send a Host header that differs from the server address.

Use -x/--exit_early to stop scanning a given server as soon as a potential issue is found. In piped mode Smuggler then simply continues with the next host on the list.

Use -m/--method <method> to specify an HTTP verb other than POST (e.g. GET/PUT/PATCH/OPTIONS/CONNECT/TRACE/DELETE/HEAD/etc.).

Use -l/--log <file> to write output to a file as well as to stdout.

Use -q/--quiet to reduce verbosity and only log issues found.

Use -t/--timeout <value> to specify the socket timeout. The value should be high enough to conclude that the socket is hanging, but low enough to keep testing fast (default: 5).

Use --no-color to suppress the colour codes printed to stdout (log files never include colour codes).

Use -c/--configfile <configfile> to specify your Smuggler mutation configuration file (default: default.py).


Config Files

Configuration files are python files that exist in the ./config directory of smuggler. These files describe the content of the HTTP requests and the transfer-encoding mutations to test.

Here is example content of default.py:

# Payload and the mutations dict are supplied by smuggler.py, which loads this file.
# The __METHOD__, __ENDPOINT__, __RANDOM__, __HOST__ and __REPLACE_CL__ placeholders
# are substituted by smuggler when the request is sent.
def render_template(gadget):
    RN = "\r\n"
    p = Payload()
    p.header = "__METHOD__ __ENDPOINT__?cb=__RANDOM__ HTTP/1.1" + RN
    # p.header += "Transfer-Encoding: chunked" +RN
    p.header += gadget + RN  # the mutated Transfer-Encoding header under test
    p.header += "Host: __HOST__" + RN
    p.header += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36" + RN
    p.header += "Content-type: application/x-www-form-urlencoded; charset=UTF-8" + RN
    p.header += "Content-Length: __REPLACE_CL__" + RN
    return p


# Fixed mutations: whitespace variations around the header name and colon.
mutations["nameprefix1"] = render_template(" Transfer-Encoding: chunked")
mutations["tabprefix1"] = render_template("Transfer-Encoding:\tchunked")
mutations["tabprefix2"] = render_template("Transfer-Encoding\t:\tchunked")
mutations["space1"] = render_template("Transfer-Encoding : chunked")

# Generated mutations: one control, whitespace or high-bit byte inserted at each
# position where front-end and back-end parsers are known to disagree.
for i in [0x1,0x4,0x8,0x9,0xa,0xb,0xc,0xd,0x1F,0x20,0x7f,0xA0,0xFF]:
    mutations["midspace-%02x"%i] = render_template("Transfer-Encoding:%cchunked"%(i))
    mutations["postspace-%02x"%i] = render_template("Transfer-Encoding%c: chunked"%(i))
    mutations["prespace-%02x"%i] = render_template("%cTransfer-Encoding: chunked"%(i))
    mutations["endspace-%02x"%i] = render_template("Transfer-Encoding: chunked%c"%(i))
    mutations["xprespace-%02x"%i] = render_template("X: X%cTransfer-Encoding: chunked"%(i))
    mutations["endspacex-%02x"%i] = render_template("Transfer-Encoding: chunked%cX: X"%(i))
    mutations["rxprespace-%02x"%i] = render_template("X: X\r%cTransfer-Encoding: chunked"%(i))
    mutations["xnprespace-%02x"%i] = render_template("X: X%c\nTransfer-Encoding: chunked"%(i))
    mutations["endspacerx-%02x"%i] = render_template("Transfer-Encoding: chunked\r%cX: X"%(i))
    mutations["endspacexn-%02x"%i] = render_template("Transfer-Encoding: chunked%c\nX: X"%(i))

There are no command line arguments yet for specifying your own custom headers and user agents. It is recommended to create your own configuration file based on default.py and modify it to your liking.

Smuggler comes with 3 configuration files: default.py (fast), doubles.py (niche, slow) and exhaustive.py (very slow). default.py is the fastest because it contains the fewest mutations.

Specify a configuration file using the -c/--configfile <configfile> command line option.
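As an added example that is not part of Smuggler or of default.py: the defender's counterpart to these mutations, a strict RFC 7230 header audit of the kind a front-end proxy or WAF can apply before forwarding a request. It rebuilds a few of the gadgets above into a request shaped like the template (build_request, audit_headers, SAMPLE_GADGETS and target.example are constructed here, not taken from the project) and reports everything a lenient parser would otherwise silently repair, including the Content-Length plus Transfer-Encoding combination that every Smuggler probe relies on.

```python
import re
# RFC 7230 field-name token characters; OWS around a value is SP / HTAB only.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
FIELD_LINE = re.compile(rb"^(" + TOKEN + rb"):[ \t]*(.*?)[ \t]*$")
CTL_IN_VALUE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")  # HTAB (0x09) is legal

def build_request(gadget: str, body: bytes = b"x=1") -> bytes:
    """Constructed request in the shape of the default.py template above."""
    head = ("POST /?cb=1234 HTTP/1.1\r\n" f"{gadget}\r\n" "Host: target.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body

def audit_headers(raw: bytes) -> list:
    """Reasons a strict front-end should refuse to forward this request."""
    # Report anything a lenient parser might silently "repair": two hops repairing it differently is a desync.
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    if b"\n" in head.replace(b"\r\n", b""):
        findings.append("bare LF used as a line terminator")
    names = {}
    for line in head.replace(b"\r\n", b"\n").split(b"\n")[1:]:  # skip request-line
        if line[:1] in (b" ", b"\t"):
            findings.append("leading whitespace (obs-fold): %r" % line)
            continue
        m = FIELD_LINE.match(line)
        if not m:
            findings.append("malformed field line: %r" % line)
            continue
        name, value = m.group(1).lower(), m.group(2)
        names.setdefault(name, []).append(value)
        if CTL_IN_VALUE.search(value):
            findings.append("control character in value of %r" % name)
        elif name == b"transfer-encoding" and value.lower() != b"chunked":
            findings.append("non-canonical Transfer-Encoding value: %r" % value)
    if b"content-length" in names and b"transfer-encoding" in names:
        findings.append("both Content-Length and Transfer-Encoding present")
    return findings

# A handful of the default.py gadgets, run through the audit.
SAMPLE_GADGETS = {
    "nameprefix1": " Transfer-Encoding: chunked",
    "tabprefix1": "Transfer-Encoding:\tchunked",
    "space1": "Transfer-Encoding : chunked",
    "midspace-0b": "Transfer-Encoding:\x0bchunked",
    "xnprespace-01": "X: X\x01\nTransfer-Encoding: chunked",
}

def audit_samples() -> dict:
    return {name: audit_headers(build_request(g)) for name, g in SAMPLE_GADGETS.items()}
```

Calling audit_samples() shows which gadgets are rejected as malformed outright (nameprefix1, space1) and which would parse cleanly and are refused only because both length headers are present (tabprefix1).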


Payloads Directory

Inside the Smuggler directory is the payloads directory. When Smuggler finds a potential CLTE or TECL desync issue, it will automatically dump a binary txt file of the problematic payload in the payloads directory. All payload filenames are annotated with the hostname, desync type and mutation type. Use these payloads to netcat directly to the server or to import into other analysis tools.


Helper Scripts

After you find a desync issue, feel free to use my Turbo Intruder desync scripts found here: https://github.com/defparam/tiscripts. DesyncAttack_CLTE.py and DesyncAttack_TECL.py are great scripts to help stage a desync attack.


License

These scripts are released under the MIT license. See LICENSE.


