#!/usr/bin/env python3
"""
verbal.py 0.1 - HTTP(S) Request Method Security Scanner
Copyright (c) 2017 Marco Ivaldi <raptor@0xdeadbeef.info>
"The Other Way to Pen-Test" --HD Moore & Valsmith
Verbal is a HTTP request method security scanner. It
tries a series of interesting HTTP methods against a
list of website paths, in order to determine which
methods are available and accessible. The following
HTTP methods are currently supported (HEAD and POST
aren't that interesting, while DELETE and PATCH would
be too dangerous to blindly try as part of an automated
scan):
GET: request a representation of a resource
OPTIONS: get communication options for a resource
TRACE: perform a message loop-back test
DEBUG: start/stop remote debugging session on IIS
PUT: replace a resource with the request payload
Requirements:
Python 3 (https://pythonclock.org/ is ticking...)
Requests (http://docs.python-requests.org/)
Example usage:
$ ./verbal.py -A -u http://example.com -d directories.txt
TODO:
Test thoroughly, especially the PUT scanner
Introduce spidering capabilities and IP address scanning
Implement support for additional methods (e.g. CONNECT)
Get the latest version at:
https://github.com/0xdea/tactical-exploitation/
"""
VERSION = "0.1"
BANNER = """
verbal.py {0} - HTTP(S) Request Method Security Scanner
Copyright (c) 2017 Marco Ivaldi <raptor@0xdeadbeef.info>
""".format(VERSION)
import sys
import argparse
import re
import requests
# disable InsecureRequestWarning
import urllib3
urllib3.disable_warnings()
def http_method_scanner(args):
"""
Generic HTTP request method scanner
"""
base = args.u.rstrip("/")
timeout = args.t
dirs = set()
if args.d:
dirs = {d.rstrip().strip("/") + "/" for d in args.d}
dirs.add("")
if args.all: # activate all additional scanners
args.trace = True
args.debug = True
args.put = True
print("*** Scanning {0} ***\n".format(base))
for d in sorted(dirs):
url = base + "/" + d
print(url)
# base scanners
scan_get(url, timeout)
scan_options(url, timeout)
# additional scanners
if args.trace:
scan_trace(url, timeout)
if args.debug:
scan_debug(url, timeout)
if args.put:
scan_put(url, timeout)
print("")
print("*** Finished {0} ***\n".format(base))
def scan_get(url, timeout):
"""
GET method and Directory Listing scanner
"""
try:
r = requests.get(
url=url,
timeout=timeout,
verify=False)
print(
" GET" + "\t\t> "
+ str(r.status_code) + " ("
+ str(requests.status_codes._codes[r.status_code][0]) + ")")
except (KeyboardInterrupt, SystemExit):
sys.exit(1)
except Exception as err:
print("\n// error: {0}".format(err))
sys.exit(1) # exit in case of error
else: # bonus check;)
p = re.compile("(Index of )|(To Parent Directory)") # apache, iis
if p.search(r.text):
print(" Directory Listing is enabled")
def scan_options(url, timeout):
"""
OPTIONS method scanner
"""
try:
r = requests.options(
url=url,
timeout=timeout,
verify=False)
print(
" OPTIONS" + "\t> "
+ str(r.status_code) + " ("
+ str(requests.status_codes._codes[r.status_code][0]) + ")")
print(" " + "Methods: " + r.headers["allow"])
except (KeyboardInterrupt, SystemExit):
sys.exit(1)
except Exception as err:
pass # ignore errors
def scan_trace(url, timeout):
"""
TRACE method scanner
"""
try:
r = requests.request(
url=url,
timeout=timeout,
verify=False,
method="TRACE")
print(
" TRACE" + "\t> "
+ str(r.status_code) + " ("
+ str(requests.status_codes._codes[r.status_code][0]) + ")")
except (KeyboardInterrupt, SystemExit):
sys.exit(1)
except Exception as err:
print(" // error: {0}".format(err))
def scan_debug(url, timeout):
"""
DEBUG method scanner
"""
target = url + "verbal.aspx"
headers = {
"Accept" : "*/*",
"Command" : "stop-debug"}
try:
r = requests.request(
url=target,
timeout=timeout,
verify=False,
method="DEBUG",
headers=headers)
print(
" DEBUG" + "\t> "
+ str(r.status_code) + " ("
+ str(requests.status_codes._codes[r.status_code][0]) + ")")
except (KeyboardInterrupt, SystemExit):
sys.exit(1)
except Exception as err:
print(" // error: {0}".format(err))
def scan_put(url, timeout): # TODO: test thoroughly
"""
PUT method scanner
"""
# interesting file types to check
filetypes = ["txt", "html", "xml", "js", "php", "asp", "aspx", "jsp"]
print(" PUT")
for t in filetypes:
target = url + "verbal." + t
try:
r = requests.put(
url=target,
timeout=timeout,
verify=False,
data="PENTEST")
print(
" " + t + "\t> "
+ str(r.status_code) + " ("
+ str(requests.status_codes._codes[r.status_code][0]) + ")")
except (KeyboardInterrupt, SystemExit):
sys.exit(1)
except Exception as err:
print(" // error: {0}".format(err))
def get_args():
"""
Get command line arguments
"""
parser = argparse.ArgumentParser()
parser.set_defaults(func=http_method_scanner)
# http methods
parser.add_argument(
"-T", "--trace",
action="store_true",
help="TRACE method scanner")
parser.add_argument(
"-D", "--debug",
action="store_true",
help="DEBUG method scanner")
parser.add_argument(
"-P", "--put",
action="store_true",
help="PUT method scanner")
parser.add_argument(
"-A", "--all",
action="store_true",
help="Scan all supported methods")
# targets
parser.add_argument(
"-u",
metavar="BASE_URL",
required=True,
help="target base URL")
parser.add_argument(
"-d",
metavar="DIR_FILE",
type=argparse.FileType("r"),
help="file containing a list of directories")
# other arguments
parser.add_argument(
"-t",
metavar="TIMEOUT",
type=int,
default=5,
help="timeout in seconds (default: 5)")
if len(sys.argv) == 1:
parser.print_help()
sys.exit(0)
return parser.parse_args()
def main():
"""
Main function
"""
print(BANNER)
if sys.version_info[0] != 3:
print("// error: this script requires python 3")
sys.exit(1)
args = get_args()
args.func(args)
if __name__ == "__main__":
main()
