Smuggler - An HTTP Request Smuggling / Desync Testing Tool

An HTTP Request Smuggling / Desync testing tool written in Python 3

IMPORTANT

This tool does not guarantee no false-positives or false-negatives. Just because a mutation may report OK does not mean there isn't a desync issue, but more importantly just because the tool indicates a potential desync issue does not mean there definitely exists one. The script may encounter request processors from large entities (i.e. Google/AWS/Yahoo/Akamai/etc..) that may show false positive results.

Installation

1. git clone https://github.com/defparam/smuggler.git
2. cd smuggler
3. python3 smuggler.py -h

Example Usage

Single Host:

python3 smuggler.py -u <URL>

List of hosts:

cat list_of_hosts.txt | python3 smuggler.py

Options

usage: smuggler.py [-h] [-u URL] [-v VHOST] [-x] [-m METHOD] [-l LOG] [-q]
                   [-t TIMEOUT] [--no-color] [-c CONFIGFILE]

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Target URL with Endpoint
  -v VHOST, --vhost VHOST
                        Specify a virtual host
  -x, --exit_early      Exit scan on first finding
  -m METHOD, --method METHOD
                        HTTP method to use (e.g GET, POST) Default: POST
  -l LOG, --log LOG     Specify a log file
  -q, --quiet           Quiet mode will only log issues found
  -t TIMEOUT, --timeout TIMEOUT
                        Socket timeout value Default: 5
  --no-color            Suppress color codes
  -c CONFIGFILE, --configfile CONFIGFILE
                        Filepath to the configuration file of payloads

Smuggler at a minimum requires either a URL via the -u/--url argument or a list of URLs piped into the script via stdin. If the URL specifies https:// then Smuggler will connect to the host:port using SSL/TLS. If the URL specifies http:// then no SSL/TLS will be used at all. If only the host is specified, then the script will default to https://

Use -v/--vhost <host> to specify a different host header from the server address

Use -x/--exit_early to exit the scan of a given server when a potential issue is found. In piped mode smuggler will just continue to the next host on the list

Use -m/--method <method> to specify a different HTTP verb from POST (i.e GET/PUT/PATCH/OPTIONS/CONNECT/TRACE/DELETE/HEAD/etc...)

Use -l/--log <file> to write output to file as well as stdout

Use -q/--quiet reduce verbosity and only log issues found

Use -t/--timeout <value> to specify the socket timeout. The value should be high enough to conclude that the socket is hanging, but low enough to speed up testing (default: 5)

Use --no-color to suppress the output color codes printed to stdout (logs by default don't include color codes)

Use -c/--configfile <configfile> to specify your smuggler mutation configuration file (default: default.py)

Config Files

Configuration files are python files that exist in the ./config directory of smuggler. These files describe the content of the HTTP requests and the transfer-encoding mutations to test.

Here is example content of default.py:

def render_template(gadget):
	RN = "\r\n"
	p = Payload()
	p.header  = "__METHOD__ __ENDPOINT__?cb=__RANDOM__ HTTP/1.1" + RN
	# p.header += "Transfer-Encoding: chunked" +RN	
	p.header += gadget + RN
	p.header += "Host: __HOST__" + RN
	p.header += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36" + RN
	p.header += "Content-type: application/x-www-form-urlencoded; charset=UTF-8" + RN
	p.header += "Content-Length: __REPLACE_CL__" + RN
	return p


mutations["nameprefix1"] = render_template(" Transfer-Encoding: chunked")
mutations["tabprefix1"] = render_template("Transfer-Encoding:\tchunked")
mutations["tabprefix2"] = render_template("Transfer-Encoding\t:\tchunked")
mutations["space1"] = render_template("Transfer-Encoding : chunked")

for i in [0x1,0x4,0x8,0x9,0xa,0xb,0xc,0xd,0x1F,0x20,0x7f,0xA0,0xFF]:
	mutations["midspace-%   02x"%i] = render_template("Transfer-Encoding:%cchunked"%(i))
	mutations["postspace-%02x"%i] = render_template("Transfer-Encoding%c: chunked"%(i))
	mutations["prespace-%02x"%i] = render_template("%cTransfer-Encoding: chunked"%(i))
	mutations["endspace-%02x"%i] = render_template("Transfer-Encoding: chunked%c"%(i))
	mutations["xprespace-%02x"%i] = render_template("X: X%cTransfer-Encoding: chunked"%(i))
	mutations["endspacex-%02x"%i] = render_template("Transfer-Encoding: chunked%cX: X"%(i))
	mutations["rxprespace-%02x"%i] = render_template("X: X\r%cTransfer-Encoding: chunked"%(i))
	mutations["xnprespace-%02x"%i] = render_template("X: X%c\nTransfer-Encoding: chunked"%(i))
	mutations["endspacerx-%02x"%i] = render_template("Transfer-Encoding: chunked\r%cX: X"%(i))
	mutations["endspacexn-%02x"%i] = render_template("Transfer-Encoding: chunked%c\nX: X"%(i))

There are no input arguments yet on specifying your own customer headers and user-agents. It is recommended to create your own configuration file based on default.py and modify it to your liking.

Smuggler comes with 3 configuration files: default.py (fast), doubles.py (niche, slow), exhaustive.py (very slow) default.py is the fastest because it contains less mutations.

specify configuration files using the -c/--configfile <configfile> command line option

Payloads Directory

Inside the Smuggler directory is the payloads directory. When Smuggler finds a potential CLTE or TECL desync issue, it will automatically dump a binary txt file of the problematic payload in the payloads directory. All payload filenames are annotated with the hostname, desync type and mutation type. Use these payloads to netcat directly to the server or to import into other analysis tools.

Helper Scripts

After you find a desync issue feel free to use my Turbo Intruder desync scripts found Here: https://github.com/defparam/tiscripts DesyncAttack_CLTE.py and DesyncAttack_TECL.py are great scripts to help stage a desync attack

License

These scripts are released under the MIT license. See LICENSE.

Download Smuggler

More articles

1. Ethical Hacker Tools
2. Hack Tools For Ubuntu
3. Hacker Tools Free
4. Pentest Tools Free
5. Hackrf Tools
6. Hackers Toolbox
7. Pentest Tools For Ubuntu
8. Pentest Tools Url Fuzzer
9. Hacking Tools And Software
10. Hackers Toolbox
11. Hacker Security Tools
12. Hacker Tool Kit
13. Hack Tools 2019
14. Best Pentesting Tools 2018
15. Tools For Hacker
16. Pentest Tools Android
17. Hacking Tools
18. Hacker Tools Windows
19. Pentest Tools Open Source
20. Hacker Tools For Ios
21. Hacker Tools For Ios
22. Pentest Tools Website
23. Pentest Tools Open Source
24. Pentest Tools Linux
25. Easy Hack Tools
26. Hacker Tools Online
27. Hacker
28. Hacker Tools For Windows
29. Hacker Search Tools
30. Hack Tool Apk
31. Hacker Tools For Pc
32. Game Hacking
33. Hack App
34. Computer Hacker
35. Hacker Tools Software
36. Pentest Tools Find Subdomains
37. Hacker Tools For Pc
38. What Are Hacking Tools
39. Nsa Hack Tools
40. Hacker Tools
41. Pentest Tools Alternative
42. Pentest Tools Tcp Port Scanner
43. Nsa Hacker Tools
44. Hacking Tools Windows 10
45. Hacker Tools
46. Hack Tools
47. Growth Hacker Tools
48. Hacker Security Tools
49. Hacker Tool Kit
50. Hacker Tools Online
51. Pentest Box Tools Download
52. What Is Hacking Tools
53. Android Hack Tools Github
54. Pentest Tools Nmap
55. Hacker Tools Free
56. Hack Tool Apk
57. Underground Hacker Sites
58. Hack Tools For Ubuntu
59. Pentest Tools Windows
60. Hacking Tools Github
61. Pentest Tools Alternative
62. Hacker Tools Free Download
63. Hacking Tools Online
64. Pentest Tools Review
65. Easy Hack Tools
66. What Is Hacking Tools
67. Hacking Apps
68. Hackrf Tools
69. Growth Hacker Tools
70. Hacking Tools Software
71. Hacking Tools Name
72. Computer Hacker
73. Hacking Tools Windows 10
74. Hacking Tools Windows
75. Hacking Tools And Software
76. Pentest Tools Android
77. Hack Tool Apk No Root
78. Hacking Tools Kit
79. Android Hack Tools Github
80. Hacker
81. Hack Tools
82. World No 1 Hacker Software
83. Pentest Tools Tcp Port Scanner
84. Github Hacking Tools
85. Pentest Tools Apk
86. Hacking Tools Kit
87. Game Hacking
88. Hacking Tools Free Download
89. Hacker Tools For Windows
90. Pentest Tools Url Fuzzer
91. Hackers Toolbox
92. Hacker Tools Online
93. Pentest Automation Tools
94. Hack Website Online Tool
95. Game Hacking
96. Hacker Hardware Tools
97. Pentest Tools Windows
98. How To Make Hacking Tools
99. Hacker Tools 2020
100. Underground Hacker Sites
101. Hacker Tools Hardware
102. Free Pentest Tools For Windows
103. New Hacker Tools
104. Hack Tools
105. Pentest Tools Apk
106. Black Hat Hacker Tools
107. Hack Tools Pc
108. Pentest Tools Url Fuzzer
109. Hacker Security Tools
110. Hacker Tools For Ios
111. Hacking Tools 2019
112. Hacker Tools For Mac
113. Hacking Tools
114. Bluetooth Hacking Tools Kali
115. Hack Tools Pc
116. Hack Tools For Windows
117. Hacking Tools For Windows Free Download
118. How To Install Pentest Tools In Ubuntu
119. Pentest Tools Linux
120. Hacking Tools Windows
121. Pentest Automation Tools
122. Pentest Tools Kali Linux
123. Android Hack Tools Github
124. Growth Hacker Tools
125. Hack Tools
126. Hacking Tools Hardware
127. Hacking Tools For Mac
128. Hacker Security Tools
129. Hacking Tools For Mac
130. Pentest Tools Github
131. Hacking Tools For Windows Free Download
132. Top Pentest Tools
133. New Hack Tools
134. Hacker Tools Free
135. Hacking Tools Windows
136. Pentest Tools Android
137. Free Pentest Tools For Windows
138. Hack Tools For Games
139. Pentest Tools Kali Linux
140. Physical Pentest Tools
141. Hacking Tools 2019
142. Pentest Tools Windows
143. Pentest Tools Framework
144. What Is Hacking Tools
145. Best Pentesting Tools 2018
146. Pentest Tools Online
147. Hacking Tools 2019
148. Hacking Tools Hardware
149. Hacking Tools For Pc
150. Best Hacking Tools 2019
151. Computer Hacker
152. Pentest Tools Review
153. Nsa Hack Tools
154. Ethical Hacker Tools
155. Free Pentest Tools For Windows
156. Hacker Tools List
157. Hack Rom Tools
158. Underground Hacker Sites
159. Pentest Tools Find Subdomains