UFONet is an open redirect DDoS tool designed to launch attacks against a target by using insecure redirects in third-party web applications, like a botnet. Obviously, only for testing purposes.
The tool abuses OSI Layer 7 (HTTP) to create and manage ‘zombies’ and to conduct different attacks using GET/POST, multi-threading, proxies, origin spoofing methods, cache evasion techniques, etc.
Definition of an “Open Redirect”:
An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
From: CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
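The abuse defined above is visible in a vulnerable site's own access log as requests whose URL-valued parameter points at a foreign host. The following is an added detection example, not code from UFONet or from the original page: it counts such requests per target host, using the `url=`/`uri=` parameter names from the query strings this page lists; the allowlist, the threshold, the function names and the log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Parameter names taken from the query strings this page lists (url=, uri=).
REDIRECT_PARAMS = {"url", "uri"}
# Assumption: the only hosts this site may legitimately redirect to.
ALLOWED_HOSTS = {"example.org", "www.example.org"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def external_target(request_uri, allowed=ALLOWED_HOSTS):
    """Return the foreign host a URL-valued parameter points at, else None."""
    query = urlsplit(request_uri).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in REDIRECT_PARAMS:
            continue
        try:
            # parse_qsl has already percent-decoded the value. Browsers read
            # '\' as '/', and '//host/' is scheme-relative, so both leave the site.
            host = urlsplit(value.strip().replace("\\", "/")).hostname
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            continue
        if host and host.lower() not in allowed:
            return host.lower()
    return None

def abused_targets(log_lines, threshold=3):
    """Count requests per foreign target host; report hosts at or above threshold."""
    hits = Counter()
    for line in log_lines:
        match = REQUEST_RE.search(line)
        host = external_target(match.group(1)) if match else None
        if host:
            hits[host] += 1
    return {host: n for host, n in hits.items() if n >= threshold}

# Constructed access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Oct/2015:10:00:01 +0000] "GET /proxy.php?url=http://victim.example/big.jpg HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Oct/2015:10:00:01 +0000] "GET /proxy.php?url=http%3A%2F%2Fvictim.example%2Fbig.jpg HTTP/1.1" 200 512',
    '198.51.100.8 - - [07/Oct/2015:10:00:02 +0000] "GET /checklink?uri=//victim.example/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [07/Oct/2015:10:00:03 +0000] "GET /validator?uri=https://www.example.org/about HTTP/1.1" 200 900',
    '203.0.113.5 - - [07/Oct/2015:10:00:04 +0000] "GET /proxy.php?url=/docs/index.html HTTP/1.1" 200 900',
    '203.0.113.9 - - [07/Oct/2015:10:00:05 +0000] "GET /check.cgi?url=http://other.example/ HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    print(abused_targets(SAMPLE_LOG))
```

The same `external_target` check, applied before the application issues the redirect, closes the hole rather than only reporting it.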
Usage
    Options:
      --version             show program's version number and exit
      -h, --help            show this help message and exit
      -v, --verbose         active verbose on requests
      --update              check for latest stable version
      --check-tor           check to see if Tor is used properly
      --force-yes           set 'YES' to all questions
      --disableisup         disable external check of target's status
      --gui                 run GUI (UFONet Web Interface)

      *Configure Request(s)*:
        --proxy=PROXY       Use proxy server (tor: 'http://127.0.0.1:8118')
        --user-agent=AGENT  Use another HTTP User-Agent header (default SPOOFED)
        --referer=REFERER   Use another HTTP Referer header (default SPOOFED)
        --host=HOST         Use another HTTP Host header (default NONE)
        --xforw             Set your HTTP X-Forwarded-For with random IP values
        --xclient           Set your HTTP X-Client-IP with random IP values
        --timeout=TIMEOUT   Select your timeout (default 10)
        --retries=RETRIES   Retries when the connection timeouts (default 1)
        --threads=THREADS   Maximum number of concurrent HTTP requests (default 5)
        --delay=DELAY       Delay in seconds between each HTTP request (default 0)

      *Search for 'Zombies'*:
        -s SEARCH           Search from a 'dork' (ex: -s 'proxy.php?url=')
        --sd=DORKS          Search from a list of 'dorks' (ex: --sd 'dorks.txt')
        --sn=NUM_RESULTS    Set max number of results for engine (default 10)
        --se=ENGINE         Search engine to use for 'dorking' (default: duck)
        --sa                Search massively using all search engines

      *Test Botnet*:
        -t TEST             Update 'zombies' status (ex: -t 'zombies.txt')
        --attack-me         Order 'zombies' to attack you (NAT required!)

      *Community*:
        --download-zombies  Download 'zombies' from Community server: Turina
        --upload-zombies    Upload your 'zombies' to Community server: Turina
        --blackhole         Create a 'blackhole' to share your 'zombies'
        --up-to=UPIP        Upload your 'zombies' to a 'blackhole'
        --down-from=DIP     Download your 'zombies' from a 'blackhole'

      *Research Target*:
        -i INSPECT          Search for biggest file (ex: -i 'http://target.com')

      *Configure Attack(s)*:
        --disable-aliens    Disable 'aliens' web abuse of test services
        --disable-isup      Disable check status 'is target up?'
        -r ROUNDS           Set number of rounds (default: 1)
        -b PLACE            Set place to attack (ex: -b '/path/big.jpg')
        -a TARGET           Start Web DDoS attack (ex: -a 'http(s)://target.com')
Searching for ‘Zombies’
UFONet can dig through the results of different search engines to find sites that may be vulnerable to ‘Open Redirect’. Common query strings look like this:

    'proxy.php?url='
    'check.cgi?url='
    'checklink?uri='
    'validator?uri='
For example you can begin a search with:

    ./ufonet -s 'proxy.php?url='
Or provide a list of “dorks” from a file:

    ./ufonet --sd 'dorks.txt'
By default UFONet uses a search engine called ‘duck’, but you can choose a different one:

    ./ufonet -s 'proxy.php?url=' --se 'bing'
This is the list of available search engines, with the last date each was confirmed working:

    - duck [07/10/2015: OK!]
    - google [07/10/2015: OK!]
    - bing [07/10/2015: OK!]
    - yahoo [07/10/2015: OK!]
    - yandex [07/10/2015: OK!]
You can also search massively using all supported search engines:

    ./ufonet -s 'proxy.php?url=' --sa
To control how many ‘zombies’ are retrieved from search engines, use:

    ./ufonet --sd 'dorks.txt' --sa --sn 20
At the end of the process, you will be asked if you want to check the retrieved list to see if the URLs are vulnerable.

    Wanna check if they are valid zombies? (Y/n)
You will also be asked whether to update the list, automatically adding only the ‘vulnerable’ web apps.

    Wanna update your list (Y/n)
If you reply ‘Y’ your new ‘zombies’ will be appended to the file named: zombies.txt
Examples:

    + with verbose: ./ufonet -s 'proxy.php?url=' -v
    + with threads: ./ufonet --sd 'dorks.txt' --sa --threads 100
You can download UFONet here:

    git clone https://github.com/epsylon/ufonet
Or read more here.