0d1n v2.5 released: a web security tool for HTTP fuzzing

0d1n, a web security tool for HTTP fuzzing

0d1n is an open-source web application brute-forcer and fuzzer. Its objective is to automate exhaustive tests that search for anomalies; seen from another angle, such an anomaly can be a vulnerability. These tests can target web parameters, files, directories, forms and more.

Why is this tool written in C?

  • C costs more time in writing and debugging, but no pain, no gain: it performs fast, and C runs on any architecture such as MIPS, ARM and others, so mobile implementations may follow in the future. Another benefit of C is that it is well suited to writing optimizations; if you want to write some lines of assembly with AES-NI or SIMD instructions, it is a good choice.
  • Why not use OOP (POO)? In this project I follow the "KISS" principle: http://pt.wikipedia.org/wiki/Keep It Simple
  • The C language has a lot of old-school dudes, like kernel hackers.

You can do:

* brute force logins and passwords in auth forms
* directory disclosure (use a PATH list to brute-force and check the HTTP status code)
* tests to find SQL injection and XSS vulnerabilities
* option to load an anti-CSRF token on each request
* option to use a random proxy per request
* other functions…

Changelog v2.5

  • Fix time bug
  • Fix fork() bug
  • Improve scanning

Installation of the 0d1n web security tool

Requires libcurl-dev (or libcurl-devel on RPM-based Linux).

$ git clone https://github.com/CoolerVoid/0d1n/

libcurl is needed to run. On Debian-based distros:
$ sudo apt-get install libcurl-dev

On RPM-based distros:
$ sudo yum install libcurl-devel

Then build and run:
$ make
$ ./0d1n

Usage

       ~.             ~
         01...___|__..10.
          1010   101   101
           0101  :Bug  :Sec   `.oo'
           :101  |010  |101  ( (`-'
 .---.    1010  ;110  ;010   `.`.
/ .-._)  111-"""|"""'-000      `.`.
( (`._) .-.  .-. |.-.  .-.  .-. ) )
 \ `---( 1 )( 0 )( 1 )( 1 )( 0 )-' /
 `.    `-'  `-'  `-'  `-'  `-'  .'
   `---------------------------'
0d1n Web Hacking Tool 2.5 BeTa
--host :        Host to scan or  GET method to fuzz  site.com/page.jsp?var=^&var2=^
--post :        POST method fuzz params  ex: 'var=^&x=^...'
--cookie :    COOKIE  fuzz params  ex: 'var=^&var2=^...'
--custom :    Load external HTTP Request template file to change points with lexical char '^' to fuzzing
(note: if you use this argv the payload list need be urlencoded) '
--agent :    UserAgent fuzz  params  ex: 'firefox version ^...'
--method :    Change method to Custom http method like DELETE, PUT, TRACE, CONNECT...
--header :    Add line on http header
--payloads :    Payload list to inject
--find_string_list :    Strings list to find on response
--find_regex_list :     Regex list to find on response(this regex is posix)
--cookie_jar :   Load cookie jar file
--log : Create text output of result
--UserAgent :   Custom UserAgent
--CA_certificate :      Load CA certificate to work with SSL
--SSL_version : Choice SSL version by number:
        1 = SSLv1
        2 = SSLv2
        3 = SSLv3
        4 = TLSv1.0
        5 = TLSv1.1
        6 = TLSv1.2
--threads : Number of threads to use, default is 4
--timeout :     Timeout to wait Response
--proxy :   Proxy_address:port to use single proxy tunnel
        example: format [protocol://][user:password@]machine[:port]
--proxy-rand :   Use proxy list to use random proxy per Request
        example: format [protocol://][user:password@]machine[:port]
--tamper : Payload tamper to try bypass filters
   Choice one option :
    encode64 : to encode payload to 64 base
    randcase : to use lower and upper case random position in string
    urlencode :  converts characters into a format that can be transmitted over the Internet, percent encoding
    double_urlencode : converts payload two times with urlencode
    spaces2comment:  change spaces ' ' to comment '/**/'
    unmagicquote: change apostrophe to a multi-byte %bf%27
    apostrophe2nullencode: change apostrophe to illegal double unicode counterpart
    rand_comment: to use random comment '/**/' position in payload string
    rand_space: write random ' ' blank spaces
    replace_keywords: replace especial words, SELECT to SELselectECT etc...
--token_url : Url of form that you need get anti-csrf token
--token_name : Name of anti-csrf token to get and use at your request
NOTE: if you using any token to bypass anti-csrf protection, you use {token} var at your POST or GET or custom request
if you make this 0d1n change {token} to token of form... example --post 'var=^&token={token}&var2=test'

Enable-options-args:
--save_response :   Enable save response highlights view when you click at http status code in datatables
--json_headers :   Enable add JSON headers in Request

example 1 to find SQL-injection:
./0d1n --host 'http://site.com/view/1^/product/^/' --payloads payloads/sqli_list.txt --find_string_list sqli_str2find_list.txt --log log1337 --tamper randcase --threads 5 --timeout 3 --save_response

example 2 to Bruteforce in simple auth:
./0d1n --host 'http://site.com/auth.py' --post 'user=admin&password=^' --payloads payloads/wordlist.txt --log log007 --threads 10 --timeout 3

example 3 to search XSS and pass anti-csrf token:
./0d1n --host https://page/test.php --post 'csrf={token}&pass=^' --payloads payloads/xss.txt --find_string_list payloads/xss.txt --token_url https://page/test.php --token_name name_token_field --log logtest --save_response
Notes:
Look the character '^', is lexical char to change to payload list lines...
Coded by Cooler_
 coolerlair[at]gmail[dot]com



--- DEBUG-START ---

 Sat Dec 30 18:17:08 2017 0d1n.c[167] main():
 Need more arguments.


--- DEBUG-END ---
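The usage text above explains that '^' marks each injection point, that {token} is replaced with the fetched anti-CSRF token, and that payloads for --custom must be URL-encoded. As an added illustration (not 0d1n's own code; the function names url_encode and expand_template are hypothetical), here is how such a template expansion can be implemented in C with explicit bounds checks:

```c
#include <string.h>
#include <ctype.h>

/* Percent-encode every byte that is not RFC 3986 "unreserved" (the form
 * --custom expects payloads in). Returns 0, or -1 if out is too small. */
int url_encode(const char *in, char *out, size_t outlen) {
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        } else {
            if (o + 3 >= outlen) return -1;
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        }
    }
    out[o] = '\0';
    return 0;
}

/* Expand a 0d1n-style template: every '^' becomes payload and every "{token}"
 * becomes token (pass NULL when no anti-CSRF token is used). Replacements are
 * copied verbatim, so a '^' inside the payload is never re-expanded.
 * Returns the number of '^' points filled, or -1 if out is too small. */
int expand_template(const char *tmpl, const char *payload, const char *token,
                    char *out, size_t outlen) {
    size_t o = 0;
    int points = 0;
    while (*tmpl) {
        const char *rep = NULL;
        size_t skip = 1;                       /* template bytes consumed */
        if (*tmpl == '^') { rep = payload; points++; }
        else if (token && strncmp(tmpl, "{token}", 7) == 0) { rep = token; skip = 7; }
        if (rep) {
            size_t n = strlen(rep);
            if (o + n >= outlen) return -1;    /* refuse to truncate silently */
            memcpy(out + o, rep, n);
            o += n; tmpl += skip;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *tmpl++;
        }
    }
    out[o] = '\0';
    return points;
}
```

Two '^' in one template are both filled from the same payload line, which matches example 1 above where the product id and path segment are fuzzed together.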

 

Source: Github
