Skip to content

Route Configuration

Jump to bottom
Max Harley edited this page Sep 8, 2019 · 11 revisions

Serving Files

In the server_root directory chosen during the server configuration section, place any files you want to serve as a payload.

Along with those files, optionally create a <payload_name>.info file. For example, if you want to host a payload called index.html, make index.html.info. .info files are YML which contain filtering information for the payload you are hosting.

Filtering Options

Below is a list of filtering options which can be used in .info files.

serve

Number of times to serve file

Example

This will serve the file once before not allowing the file to be accessed anymore

serve: 1

authorized_useragents

List of User Agent strings to allow. This is a regex search.

Example

All user agents with the string Linux will be allowed as well as the iPhone user agent.

authorized_useragents:
  - Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
  - *Linux*
  - ^Moz*ll*$

blacklist_useragents

List of User Agent strings to block. This is a regex search, so the entire user agent does not need to be specified

Example

authorized_useragents:
  - Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1

authorized_iprange

List of IPs or IP ranges who are allowed to view a file

Example

authorized_iprange:
  - 192.168.0.1
  - 192.168.10.1/24

authorized_methods

Authorized HTTP methods

Example

authorized_methods:
  - GET
  - PUT

authorized_headers

Dictionary of headers which must be present

Example

authorized_headers:
  Hacked: yes

The request with a header of Hacked and a value of yes, like below, would be allowed to access the payload.

GET / HTTP/1.1
Host: google.com
Hacked: yes
...

authorized_ja3

Authorized JA3 hashes to access the file. More information about JA3 can be found [here][ja3].

Example

authorized_ja3:
  - e7d705a3286e19ea42f587b344ee6865
  - 6734f37431670b3ab4292b8f60f29984

blacklist_iprange

Blacklisted IPs from accessing a payload

Example

blacklist_iprange:
  - 94.130.90.152

prereq

Prerequisite paths which must be hit, in order, before the payload will be served.

Example

In this case, when /first is requested, it is automatically served. When /second is accessed, the user will be served a 404 page. When /first is accessed, and then /second is accessed after, /second will be successfully hosted. When /first is accessed and then /second is accessed, you will finally be able to get /payload.

first.info



second.info


prereq:
  - /index


payload.info


prereq:
  - /first
  - /second


content_type


Sets the Content-Type for the payload being served. More information about the Content-Type header can be found [here][contenttype]


Example


content_type: application/msword


disposition


Sets Content-Disposition header for the payload. There are two sub-keys: type and file_name. type can either be inline or attachment. file_name is the name for the attachment if the attachment option is chosen


Example


disposition:
  type: attachment
  file_name: file.docx


exec


Executes a program, gives the HTTP request to stdin, and checks stdout against an output variable.


Example


exec:
  script: /home/user/test.py
  output: success


add_headers


Adds the header to all HTTP responses.


Example


add_headers:
  Accept-Encoding: gzip


add_headers_success


Adds the header to an HTTP response if the page was successfully reached


add_headers_failure


Adds the header to an HTTP response if the request was denied


times_served


Number of times a payload has been accessed. This variable is for satellite to do record-keeping.


not_serving


Boolean to determine if the file should be served. This is mostly used by the satellite server for record-keeping, but can be set manually to now allow a payload to be hosted.


Example


not_serving: true


on_failure


Specifies what happens when the request does not match the prerequisites. There are two options: redirection, available through on_failure.redirect, and rendering a web page, available through on_failure.render.


Example: Redirection


on_failure:
  redirect: https://google.com


Example: Rendering


The page rendered must meet the prereqs in the rendered page. In this example, the same request must match all preconditions for /index.html or else the response will be the default fail message.


on_failure:
  render: /index.html


proxy


Proxy route to a different address


Example


proxy: http://localhost:2222


credential_capture


Pulls credentials from POST or PUT request and dumps it to credential_capture.file_output.


Example


credential_capture:
  file_output: /tmp/creds


authorized_countries


Uses the MaxMind GeoIP2 country database to only allow access to specific countries. The ISO 3116 country codes which can be used are listed here.


Example


geoip:
  authorized_countries:
    - US
    - CA


blacklist_countries


Uses the MaxMind GeoIP2 country database to deny access to specific countries. The ISO 3116 country codes which can be used are listed here.


Example


geoip:
  blacklist_countries:
    - CA


              


          



  
          

            

              

                

                  

                    

                  

                

              


            
Clone this wiki locally