Changeset 116 for trunk/bin/bletchley-http2py

Timestamp:

10/11/16 14:12:00 (8 years ago)

Author:

tim

Message:

made requests library the default
improved documentation in output script
fixed a bug in protocol detection

File:

• trunk/bin/bletchley-http2py (modified) (11 diffs)

trunk/bin/bletchley-http2py

@@ -7 +7 @@
 This script reads a raw HTTP request and writes to stdout a Python
 script.  The generated script sends the same (or a very similar) 
-request using the standard httplib/http.client library, or optionally
-using the more user friendly python-requests library.
+request using the Requests library, or optionally, the built-in 
+http.client library.
 
 Certainly if you have a raw request, you could simply send it via TCP
@@ -15 +15 @@
 or any number of other annoying things, then using an HTTP library is a 
 lot more convenient.  This script attempts to make the conversion from a
-raw HTTP request to HTTP library calls easy.
+raw HTTP request to HTTP library calls easy for pentesting automation.
 
 
 Copyright (C) 2011-2013 Virtual Security Research, LLC
-Copyright (C) 2014-2015 Blindspot Security LLC
+Copyright (C) 2014-2016 Blindspot Security LLC
 Author: Timothy D. Morgan
 
@@ -51 +51 @@
     'requestfile', type=bopen, nargs='?', default=sys.stdin.buffer, 
     help='A file containing an HTTP request.  Defaults to stdin if omitted.')
-parser.add_argument(
-    '--requests', action='store_true', help='Generate a script that uses the'
-    ' python-requests module rather than http.client (this will likely become'
-    ' the default in the future).')
+group = parser.add_mutually_exclusive_group()
+group.add_argument('--requests', action='store_true',
+                   help='Generate a script that uses the Requests module'
+                        ' rather than http.client (default).')
+group.add_argument('--native', action='store_false', dest='requests',
+                   help='Generate a script that uses Pythons built-in http.client'
+                        ' rather than the Requests module.')
+parser.set_defaults(requests=True)
 
 args = parser.parse_args()
@@ -93 +97 @@
     value = value.lstrip(' ').rstrip('\r')
 
-    # Skip headers that have to do with transfer encodings and connection longevity
+    # Skip headers that have to do with transfer encodings, connection longevity, and caching
+    # XXX: maybe add these back as commented-out headers to the output?
     if name.lower() not in ['accept','accept-language',
                             'accept-encoding','accept-charset',
                             'connection', 'keep-alive', 'host', 
-                            'content-length', 'proxy-connection']:
+                            'content-length', 'proxy-connection',
+                            'if-none-match']:
         headers.append((name,[value]))
 
@@ -121 +127 @@
 
 if protocol == None:
-    protocol == 'http'        
+    protocol = 'http'
 if port == None:
     if protocol == 'https':
@@ -169 +175 @@
     sys.stderr.write('ERROR: Could not import requests module.  Ensure it is installed.\\n')
     sys.stderr.write('       Under Debian, the package name is "python3-requests"\\n.')
+    sys.stderr.write('       Alternatively, re-generate this script using the --native option.\\n.')
     sys.exit(1)
 ''')
@@ -183 +190 @@
 def sendRequest(session, data=None):
     data = data.decode('utf-8')
-    # TODO: use "data" below, wherever your token normally appears
+    # TODO: Replace the token you wish to target in this request with the "data" variable. 
+    #       Then specify the starting value for that token at the end of this script.
     method = %s
     path = %s
@@ -192 +200 @@
     # Set verify=True if you want to validate the server cert
     return session.request(method, url, headers=headers, data=body, allow_redirects=False, verify=False)
-    ''' % (repr(method), repr(path), pprint.pformat(headers, indent=14), formatted_body))
+    ''' % (repr(method), repr(path),
+           pprint.pformat(headers, width=80-14).replace('\n','\n'+' '*14),
+           formatted_body))
 
     print('''    
 
-def fetch(data, other=None):
+def processResponse(data, other=None):
     global session
     ret_val = None
@@ -253 +263 @@
 
 
-def fetch(data, other=None):
+def processResponse(data, other=None):
     ret_val = False
     connection = newConnection()
@@ -274 +284 @@
 
 print('''
-token = b'TODO: paste your encoded ciphertext here'
+token = b'TODO: paste your encoded ciphertext here (typically moved from the sendRequest function)'
 ciphertext = decode(token)
 
 # TODO: Use this to verify you get the response you expect.  
 #       Once everything is working, use the commented code below to conduct specific attacks.
-fetch(ciphertext)
+processResponse(ciphertext)
 
 
 # Padding Oracle Attacks 
-# poa = POA(fetch, {block size}, ciphertext, threads=1, log_file=sys.stderr)
+# poa = POA(processResponse, {block size}, ciphertext, threads=1, log_file=sys.stderr)
 # print(poa.probe_padding()) # sanity check
 # print(poa.decrypt())
@@ -290 +300 @@
 # Byte-by-byte probing of ciphertext
 #   Maybe start with this as a fast but gentle probe:
-# result = chosenct.probe_bytes(fetch, ciphertext, [1,128], max_threads=2)
+# result = chosenct.probe_bytes(processResponse, ciphertext, [1,128], max_threads=2)
 #   This is more in-depth (every bit of each byte) and more threads
-# result = chosenct.probe_bytes(fetch, ciphertext, [1,2,4,8,16,32,64,128], max_threads=5)
+# result = chosenct.probe_bytes(processResponse, ciphertext, [1,2,4,8,16,32,64,128], max_threads=5)
 #   Yet more intensive (every byte value against every byte):
-# result = chosenct.probe_bytes(fetch, ciphertext, list(range(1,256)), max_threads=8)
+# result = chosenct.probe_bytes(processResponse, ciphertext, list(range(1,256)), max_threads=8)
 # 
 # print(result.toHTML())