import socket
import random
import argparse
import ssl
import time
import sys
# Some customizations on a fuzzer from SANS660
# Original SANS script is here - https://gist.github.com/joenorton8014/f6ac55d7f26023b8d5169edae6e8218a
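def main():
    """Parse the command line, open a timestamped log file and start fuzzing.

    ``-i`` switches to the interactive prompts; otherwise ``-t``, ``-p``,
    ``-v`` and ``-m`` are all required and ``-s`` selects TLS.  A missing
    required value prints a message and exits instead of running on.
    """
    args = buildargparser()
    timestamp = Get_File_Timestamp()
    # Every request is logged before it is sent, so the log is what lets a
    # crash of the target be reproduced; the context manager guarantees the
    # file is flushed and closed however this function ends.
    with open("httpfuzz-log-" + str(timestamp) + ".txt", "w") as f:
        if args.i:
            print("Starting interactive mode:")
            Send_Interactive(f)
            return
        if not args.t:
            # The original only printed here and then hit a NameError on an
            # unbound ``target``; exit explicitly like the other checks do.
            print("Please provide a fuzzing target")
            sys.exit()
        target = args.t
        if not args.p:
            print("Please provide a port for the HTTP web app")
            sys.exit()
        port = args.p
        if not args.v:
            print("Please define a verb to use during the fuzzing - GET, HEAD, DELETE, PUT, TRACE, POST, OPTIONS, CONNECT or ALL")
            sys.exit()
        if args.v == "ALL":
            http_verbs = ["GET", "HEAD", "DELETE", "PUT", "TRACE", "POST", "OPTIONS", "CONNECT"]
        else:
            http_verbs = [args.v]
        if not args.m:
            print("Please provide a numeric value for the max string length")
            sys.exit()
        string_length = args.m
        print("Sending junk to the local webserver")
        if args.s:
            Send_HTTPS_Packets(http_verbs, target, port, string_length, f)
        else:
            Send_HTTP_Packets(http_verbs, target, port, string_length, f)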
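def buildargparser():
    """Define the command-line flags and return the parsed namespace.

    Returns:
        argparse.Namespace with attributes ``i`` (bool), ``t`` (str | None),
        ``p`` (int | None), ``v`` (str | None), ``m`` (int | None) and
        ``s`` (bool).  ``-p`` and ``-m`` are converted to int by argparse so a
        non-numeric value is rejected with a usage message up front instead
        of raising ValueError deep inside the send loop.
    """
    parser = argparse.ArgumentParser(prog='http-fuzz.py', description='A Simple HTTP/s Fuzzer')
    parser.add_argument('-i', help='Interactive questions to define fuzzing techniques.', required=False, action='store_true')
    parser.add_argument('-t', help='Fuzzing target', required=False)
    parser.add_argument('-p', help='Port the web app is running on', required=False, type=int)
    parser.add_argument('-v', help='HTTP verb to fuzz. Options are - GET, HEAD, DELETE, PUT, TRACE, POST, OPTIONS, CONNECT or ALL', required=False)
    parser.add_argument('-m', help='Max string length to fuzz', required=False, type=int)
    parser.add_argument('-s', help='Is the site https? If so add the -s argument', required=False, action='store_true')
    return parser.parse_args()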
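def Get_File_Timestamp():
    """Return the local time formatted as ``YYYY-MM-DD_HHMMSS`` for log file names.

    A single strftime call is used so the date and clock parts come from the
    same instant (two separate calls could straddle a second or day boundary).
    The clock uses ``%I`` (12-hour), as the original did, so an AM and a PM
    run can produce the same name; change to ``%H`` if that matters.
    """
    return time.strftime("%Y-%m-%d_%I%M%S")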
def randstring(string_length):
    """Return a random string of 1..``string_length`` characters from code points 0x30-0x7a.

    ``string_length`` may be an int or a numeric string (both argparse and
    input() hand over strings).  The draws from ``random`` happen in the same
    order as before: the length first, then one code point per character.
    """
    length = random.randint(1, int(string_length))
    return "".join(chr(random.randint(0x30, 0x7a)) for _ in range(length))
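def _fuzz_request(verb, string_length):
    """Build one request line plus three junk headers for *verb*.

    Five independent random strings fill the path, the Referer, the Host and
    one header name/value pair; the layout is exactly what the log records.
    """
    junk = [randstring(string_length) for _ in range(5)]
    return (verb + " /" + junk[0] + " HTTP/1.1\r\n"
            + "Referer: http://" + junk[1] + "\r\n"
            + "Host: http://" + junk[2] + "\r\n"
            + junk[3] + ": " + junk[4] + "\r\n\r\n")


def _send_fuzz_sets(http_verbs, target, port, string_length, f, use_tls):
    """Loop forever sending one junk request per verb and logging each one.

    Shared body of Send_HTTP_Packets and Send_HTTPS_Packets, which previously
    duplicated this loop.  Each request uses a fresh connection that is closed
    even when connect() or the send raises, and the log is flushed before each
    send so the request that took the target down is already on disk.
    Never returns normally.
    """
    tls_context = None
    if use_tls:
        # PROTOCOL_TLS reproduces what the original ssl.wrap_socket() call did
        # (no certificate verification, no SNI); ssl.wrap_socket itself was
        # removed in Python 3.12.  Use ssl.create_default_context() instead if
        # the target presents a verifiable certificate.
        tls_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
    x = 0
    while True:
        print("Fuzzing verbs set " + str(x))
        f.write("Fuzzing verbs set " + str(x) + "\n")
        for verb in http_verbs:
            pckt = _fuzz_request(verb, string_length)
            # Log first, then send: a request that crashes the target is still logged.
            f.write(pckt)
            f.flush()
            with socket.create_connection((target, int(port))) as raw:
                if tls_context is None:
                    # sendall() retries partial writes that plain send() would drop.
                    raw.sendall(pckt.encode('utf-8'))
                else:
                    with tls_context.wrap_socket(raw) as s_secure:
                        s_secure.sendall(pckt.encode('utf-8'))
        x += 1


def Send_HTTP_Packets(http_verbs, target, port, string_length, f):
    """Send junk requests to *target*:*port* over plain TCP, one per verb per set, forever.

    *string_length* bounds each random string (int or numeric str); *f* is the
    open log file that receives every request.
    """
    _send_fuzz_sets(http_verbs, target, port, string_length, f, use_tls=False)


def Send_HTTPS_Packets(http_verbs, target, port, string_length, f):
    """Send junk requests to *target*:*port* over TLS, one per verb per set, forever.

    Same arguments and logging as Send_HTTP_Packets; the TLS layer does not
    verify the server certificate, matching the original ssl.wrap_socket() use.
    """
    _send_fuzz_sets(http_verbs, target, port, string_length, f, use_tls=True)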
# Still working on this one:
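def _interactive_request(verb, target, string_length, stuff_to_fuzz):
    """Build one request, replacing only the fields named in *stuff_to_fuzz* with junk.

    Fields not selected keep the same fixed fillers the original used.  The
    "data" field is emitted as a header name with an empty value, which is the
    layout the log has always recorded.
    """
    path = randstring(string_length) if 'fuzz_verb' in stuff_to_fuzz else 'index.html'
    referer = randstring(string_length) if 'fuzz_referer' in stuff_to_fuzz else '127.0.0.1'
    host = randstring(string_length) if 'fuzz_host' in stuff_to_fuzz else target
    user_agent = randstring(string_length) if 'fuzz_useragent' in stuff_to_fuzz else 'Mozilla5.0/just_kidding_im_fuzzing'
    data = randstring(string_length) if 'fuzz_data' in stuff_to_fuzz else 'This is a fuzzing test :)'
    # NOTE(review): the header name is "UserAgent", not the standard
    # "User-Agent"; kept byte-for-byte as the original sent it.
    return (verb + " /" + path + " HTTP/1.1\r\n"
            + "UserAgent: " + user_agent + "\r\n"
            + "Referer: http://" + referer + "\r\n"
            + "Host: http://" + host + "\r\n"
            + data + ": " + "\r\n\r\n")


def Send_Interactive(f):
    """Ask which request fields to fuzz, then send junk requests forever, logging each.

    All answers come from input(); the yes/no questions accept only the literal
    answer ``yes``.  *f* is the open log file.  Never returns normally.

    Fixes versus the original loop: the "data" check compared the variable
    ``fuzz_data`` (the user's answer) against the list instead of the string
    ``"fuzz_data"``, so that field could never be selected; the TLS and plain
    branches duplicated the send code; and a failed connect leaked the socket.
    """
    target = input('Fuzzing target? ')
    port = input('Port to fuzz? ')
    tls = input('Is the target web app TLS? ')
    string_length = input('What is the max size of the fuzzing string? ')
    verb = input('Which verb do you want to use? - GET, HEAD, DELETE, PUT, TRACE, POST, OPTIONS, or CONNECT ? ')
    fuzz_verb = input('Do you want to fuzz the value sent in the verb? ')
    fuzz_referer = input('Fuzz the referer field in the header? ')
    fuzz_host = input('Fuzz the host field in the header? ')
    fuzz_useragent = input('Fuzz the user agent field in the header? ')
    fuzz_data = input('Fuzz the data field in the packet? ')
    print("Sending junk to the local webserver")
    answers = [
        ('fuzz_verb', fuzz_verb),
        ('fuzz_referer', fuzz_referer),
        ('fuzz_host', fuzz_host),
        ('fuzz_useragent', fuzz_useragent),
        ('fuzz_data', fuzz_data),
    ]
    stuff_to_fuzz = [name for name, answer in answers if answer == 'yes']
    tls_context = None
    if tls == 'yes':
        # PROTOCOL_TLS reproduces the original ssl.wrap_socket() call (no
        # certificate verification); ssl.wrap_socket was removed in Python 3.12.
        tls_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
    x = 0
    while True:
        print("Fuzzing verbs set " + str(x))
        f.write("Fuzzing verbs set " + str(x) + "\n")
        pckt = _interactive_request(verb, target, string_length, stuff_to_fuzz)
        # Log first, then send: a request that crashes the target is still logged.
        f.write(pckt)
        f.flush()
        with socket.create_connection((target, int(port))) as raw:
            if tls_context is None:
                raw.sendall(pckt.encode('utf-8'))
            else:
                with tls_context.wrap_socket(raw) as s_secure:
                    s_secure.sendall(pckt.encode('utf-8'))
        x += 1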
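# Guard the entry point so importing this module (e.g. to reuse randstring
# or the parser) does not start parsing argv and opening a log file.
if __name__ == "__main__":
    main()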