11 Nov, 2015

Introducing Httpillage

by John Poulin

httpillage is a tool designed to improve the traditional testing flow by allowing the attacker to distribute attacks across many different nodes.

Penetration testers and application security consultants generally have an environment that includes an attacker with a single computer, attacking one or more targets. These targets are usually connected to the internet, but may also be local to the attacker. Part of our jobs as consultants is to demonstrate impact for a certain vulnerability. Many times, however, reports contain impact statements that are theoretical, such as “An attacker could….” While these theoretical statements may be accurate, they provide little to no value to development teams that are under tight deadlines to produce code. Developers often only care about the things that an attacker actually did.

Image of the traditional testing flow

Certain attacks could benefit greatly from being distributed. These attacks, such as username enumeration or online attacks against user credentials, could easily be delivered by multiple computers to improve the effectiveness of the attack.

httpillage is a tool designed to easily improve the traditional testing flow by allowing the tester to distribute the attacks across many different nodes.

httpillage Architecture

httpillage consists of two major parts: a command and control server (C&C) and nodes. Nodes are deployed on servers separate from the tester’s machine. These nodes continually poll the C&C server to determine whether there is any work for them to do.

Httpillage Flowchart

The tester creates the job directly within the web interface of the C&C server. Jobs will only be available for execution after they have a status of active. After creation, the job’s status and response flags can be viewed directly within the web interface.

Httpillage Job Interface

There are currently three attack types for Jobs: Repeat, Dictionary and Bruteforce.

  • Repeat: Designed for repeating a baseline request in rapid fashion, with a large quantity of threads. Useful in performance testing. Repeating jobs will automatically scale the thread count in an attempt to send requests as fast as the node can handle.
  • Dictionary: Iterate through a dictionary file to inject payloads into the HTTP request via custom-defined payload markers ({P}).
  • Bruteforce: Perform bruteforce attacks against a specified keyspace. Currently supports uppercase (u), lowercase (l) and numeric (d). To test a keyspace that matches [a-z][0-9]{3} provide the charset: lddd.

Httpillage Job Types

For Dictionary and Bruteforce attacks, the C&C is responsible for allocating and distributing work for the nodes.

Response flagging allows the tester to search for patterns or strings in the HTTP responses. This allows the tester to verify the success of the provided payloads. For example, in WordPress, the login mechanism responds with the phrase “incorrect” if the username exists and the password is incorrect. To launch a username enumeration attack, we can leverage a response flag that will search for the phrase “incorrect” in the HTTP response body.
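The distributed model described above is exactly what per-IP rate limiting on a login endpoint misses: each node stays below a per-source threshold while the aggregate volume against one path is high. As an added example (not part of the original post or of the httpillage project), the following Python groups constructed Apache-style log lines by request path and time window and flags a path whose POST volume comes from many distinct source addresses; the thresholds, window size and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format log lines (sample data, not from the original post):
# five "nodes" each POST twice to the login page, plus one real login and one unrelated GET.
SAMPLE_LOG = """\
198.51.100.21 - - [11/Nov/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.22 - - [11/Nov/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Nov/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.24 - - [11/Nov/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.25 - - [11/Nov/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2015:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.21 - - [11/Nov/2015:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.22 - - [11/Nov/2015:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Nov/2015:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.24 - - [11/Nov/2015:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.25 - - [11/Nov/2015:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2015:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"].split("?", 1)[0],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def find_distributed_bursts(lines, window=60, min_sources=5, min_requests=8):
    """Flag (path, window) buckets whose POST volume comes from many distinct source IPs.
    Per-IP throttling misses this pattern because each node stays below its own limit."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST":
            # Fixed windows of `window` seconds (a sliding window would avoid boundary splits).
            buckets[(ev["path"], int(ev["ts"].timestamp()) // window)].append(ev["ip"])
    alerts = []
    for (path, bucket), ips in buckets.items():
        sources = set(ips)
        if len(sources) >= min_sources and len(ips) >= min_requests:
            alerts.append({"path": path, "window_start": bucket * window,
                           "requests": len(ips), "sources": len(sources),
                           "max_per_source": max(ips.count(ip) for ip in sources)})
    return alerts
```

On the sample, the login path is flagged with 11 requests from 6 sources while no single source sent more than 2, which is the signal a per-IP counter alone would not raise.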

Some Caveats

Distributing attacks against applications can very quickly become too burdensome for the application server, causing unexpected results such as server downtime. As such, it is important to create and allocate nodes responsibly to ensure you don’t create a denial-of-service condition. For example, attacking a single web host with 100 nodes is generally excessive. In such a circumstance I would begin testing with 5 nodes, increasing as necessary.

Always ensure that you have client permissions before attempting such attacks, particularly in production.

Getting Started

For the most up-to-date documentation, please refer to the GitHub repository.

More Information

httpillage was announced at LASCON 2015. Slides are available on slideshare (http://www.slideshare.net/forcedrequest/httpillage-lascon2015). Conference video will be posted once it is available.