httpillage is a tool designed to improve the traditional web application testing flow by allowing the tester to distribute attacks across many different nodes.
Certain attacks benefit greatly from being distributed. Attacks such as username enumeration or online attacks against user credentials can be delivered from multiple machines at once, improving the throughput and effectiveness of the attack.
httpillage consists of two major parts: a command and control server (C&C) and nodes. Nodes are deployed on servers separate from the tester's machine. These nodes continually poll the C&C server to determine whether there is any work for them to do.
The tester creates a job directly within the web interface of the C&C server. A job is only available for execution once its status is active. After creation, the job's status and response flags can be viewed within the same web interface.
There are currently three attack types for Jobs: Repeat, Dictionary and Bruteforce.
For Dictionary and Bruteforce attacks, the C&C is responsible for allocating and distributing work for the nodes.
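The page does not describe how the C&C carves a Dictionary or Bruteforce job into work for polling nodes, so the following is an added illustration and not httpillage's own code. It assumes a hypothetical `Allocator` that hands fixed-size payload chunks to nodes as they poll, keeps a lease per node so that a node re-polling before it finishes gets the same unit back, and caps the number of concurrently active nodes (the cap is the "allocate nodes responsibly" control mentioned later on the page). The Bruteforce keyspace is generated lazily so the server never materialises the whole charset^length space. The wordlist is a constructed sample.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Constructed sample wordlist for the Dictionary example (not a real list).
SAMPLE_WORDLIST = ["password", "letmein", "Winter2015",
                   "admin123", "qwerty", "welcome1", "123456"]


@dataclass
class WorkUnit:
    """One chunk of payloads handed to a single node (hypothetical structure)."""
    job_id: int
    unit_id: int
    payloads: List[str]


def dictionary_units(job_id: int, words: List[str], chunk_size: int) -> Iterator[WorkUnit]:
    """Slice a wordlist into fixed-size work units, in order."""
    for i in range(0, len(words), chunk_size):
        yield WorkUnit(job_id, i // chunk_size, words[i:i + chunk_size])


def bruteforce_units(job_id: int, charset: str, length: int, chunk_size: int) -> Iterator[WorkUnit]:
    """Enumerate charset^length lazily and slice it into work units.

    itertools.product yields candidates in lexicographic order of the charset,
    so unit N always covers the same slice of the keyspace and can be reissued
    deterministically if a node dies.
    """
    candidates = ("".join(t) for t in itertools.product(charset, repeat=length))
    unit_id = 0
    while True:
        chunk = list(itertools.islice(candidates, chunk_size))
        if not chunk:
            return
        yield WorkUnit(job_id, unit_id, chunk)
        unit_id += 1


class Allocator:
    """Hypothetical C&C-side allocator: leases units to polling nodes."""

    def __init__(self, units: Iterator[WorkUnit], max_nodes: int):
        self._units = units
        self.max_nodes = max_nodes          # cap on concurrently active nodes
        self.leased: Dict[str, WorkUnit] = {}
        self.done: List[int] = []

    def checkout(self, node_id: str) -> Optional[WorkUnit]:
        """Called when a node polls. Returns a unit, or None if it should idle."""
        if node_id in self.leased:
            return self.leased[node_id]     # still working: hand back the same unit
        if len(self.leased) >= self.max_nodes:
            return None                     # too many active nodes for this target
        unit = next(self._units, None)
        if unit is None:
            return None                     # keyspace exhausted
        self.leased[node_id] = unit
        return unit

    def complete(self, node_id: str) -> None:
        """Node reports its unit finished; free the lease for the next poll."""
        unit = self.leased.pop(node_id)
        self.done.append(unit.unit_id)

    def requeue(self, node_id: str) -> WorkUnit:
        """Drop a dead node's lease and put its unit back at the front of the queue."""
        unit = self.leased.pop(node_id)
        self._units = itertools.chain([unit], self._units)
        return unit


if __name__ == "__main__":
    alloc = Allocator(dictionary_units(1, SAMPLE_WORDLIST, 3), max_nodes=2)
    for node in ("node-a", "node-b", "node-c"):
        print(node, alloc.checkout(node))
```

Note that `checkout` never blocks and never hands the same unit to two live nodes; a node that stops polling is only recovered through `requeue`, which is the decision a real C&C would make on a lease timeout.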
Response flagging allows the tester to search for patterns or strings in the HTTP responses. This allows the tester to verify the success of the provided payloads. For example, in WordPress the login mechanism responds with the phrase "incorrect" if the username exists and the password is wrong. To launch a username enumeration attack, we can leverage a response flag that searches for the phrase "incorrect" in the HTTP response body.
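The WordPress username enumeration flag described above, worked through as an added example that is not httpillage's own code. `ResponseFlag`, `flag_response` and `enumerate_users` are hypothetical names, and the three response bodies are constructed samples modelled on the behaviour the page describes (an "incorrect" password message for a real user, a different message for an unknown one). The flag uses a word-boundary regex rather than a bare substring so that text like "incorrectly" does not produce a false hit, and it matches case-insensitively so a theme that capitalises the message still flags.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ResponseFlag:
    """A named pattern searched for in an HTTP response body (hypothetical type)."""
    name: str
    pattern: str
    ignore_case: bool = True

    def matches(self, body: str) -> bool:
        flags = re.IGNORECASE if self.ignore_case else 0
        return re.search(self.pattern, body, flags) is not None


def flag_response(body: str, flags: List[ResponseFlag]) -> List[str]:
    """Return the names of every flag that fires on this response body."""
    return [f.name for f in flags if f.matches(body)]


# Constructed sample response bodies (not captured from a real site):
# two existing users with a wrong password, and one username that does not exist.
SAMPLE_RESPONSES: Dict[str, str] = {
    "admin":  '<div id="login_error"><strong>ERROR</strong>: The password you entered '
              'for the username <strong>admin</strong> is incorrect.</div>',
    "editor": '<div id="login_error"><strong>ERROR</strong>: The password you entered '
              'for the username <strong>editor</strong> is incorrect.</div>',
    "nobody": '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>',
}

# \b...\b keeps "incorrectly" (or any longer word) from matching the flag.
USER_EXISTS = ResponseFlag("user_exists", r"\bincorrect\b")
USER_UNKNOWN = ResponseFlag("user_unknown", r"Invalid username")


def enumerate_users(responses: Dict[str, str]) -> List[str]:
    """Usernames whose login response carried the 'incorrect' flag, i.e. valid accounts."""
    return [user for user, body in responses.items() if USER_EXISTS.matches(body)]


if __name__ == "__main__":
    for user, body in SAMPLE_RESPONSES.items():
        print(user, flag_response(body, [USER_EXISTS, USER_UNKNOWN]))
    print("valid users:", enumerate_users(SAMPLE_RESPONSES))
```

Before relying on a flag across a whole job, send one known-good and one known-bad probe by hand and confirm that exactly one of them trips it; a flag that fires on both (for example because the pattern also appears in a footer) silently turns every result into a false positive.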
Distributed attacks can very quickly overload the application server, causing unexpected results such as downtime. As such, it is important to create and allocate nodes responsibly to ensure you don't create a denial-of-service condition. For example, attacking a single web host with 100 nodes is generally excessive. In such a circumstance I would begin testing with 5 nodes, increasing as necessary.
Always ensure that you have client permissions before attempting such attacks, particularly in production.
For the most up-to-date documentation, please refer to the GitHub repository.
httpillage was announced at LASCON 2015. Slides are available on slideshare (http://www.slideshare.net/forcedrequest/httpillage-lascon2015). Conference video will be posted once it is available.