├── .github
    └── ISSUE_TEMPLATE
    │   ├── bug_report.md
    │   └── feature_request.md
├── .gitignore
├── README
├── lists
    ├── crlf-special.txt
    ├── crlf.txt
    ├── openredirects.txt
    └── wordlist.txt
└── smith


/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Bug report
 3 | about: Create a report to help us improve
 4 | 
 5 | ---
 6 | 
 7 | **Describe the bug**
 8 | A clear and concise description of what the bug is.
 9 | 
10 | **To Reproduce**
11 | Steps to reproduce the behavior:
12 | 1. Go to '...'
13 | 2. Click on '....'
14 | 3. Scroll down to '....'
15 | 4. See error
16 | 
17 | **Expected behavior**
18 | A clear and concise description of what you expected to happen.
19 | 
20 | **Screenshots**
21 | If applicable, add screenshots to help explain your problem.
22 | 
23 | **Desktop (please complete the following information):**
24 |  - OS: [e.g. iOS]
25 |  - Browser [e.g. chrome, safari]
26 |  - Version [e.g. 22]
27 | 
28 | **Smartphone (please complete the following information):**
29 |  - Device: [e.g. iPhone6]
30 |  - OS: [e.g. iOS8.1]
31 |  - Browser [e.g. stock browser, safari]
32 |  - Version [e.g. 22]
33 | 
34 | **Additional context**
35 | Add any other context about the problem here.
36 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Feature request
 3 | about: Suggest an idea for this project
 4 | 
 5 | ---
 6 | 
 7 | **Is your feature request related to a problem? Please describe.**
 8 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 9 | 
10 | **Describe the solution you'd like**
11 | A clear and concise description of what you want to happen.
12 | 
13 | **Describe alternatives you've considered**
14 | A clear and concise description of any alternative solutions or features you've considered.
15 | 
16 | **Additional context**
17 | Add any other context or screenshots about the feature request here.
18 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | out/*
2 | list.txt


--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------
  1 | 
  2 | 
  3 |                                /$$   /$$     /$$      
  4 |                               |__/  | $$    | $$      
  5 |         /$$$$$$$ /$$$$$$/$$$$  /$$ /$$$$$$  | $$$$$$$ 
  6 |        /$$_____/| $$_  $$_  $$| $$|_  $$_/  | $$__  $$
  7 |       |  $$$$$$ | $$ \ $$ \ $$| $$  | $$    | $$  \ $$
  8 |        \____  $$| $$ | $$ | $$| $$  | $$ /$$| $$  | $$
  9 |        /$$$$$$$/| $$ | $$ | $$| $$  |  $$$$/| $$  | $$
 10 |       |_______/ |__/ |__/ |__/|__/   \___/  |__/  |__/
 11 | 
 12 |         Simple meg wrapper to sieve through meg's
 13 |         output.
 14 | 
 15 | 
 16 | Initial set-up one-liner
 17 | 
 18 |   This will clone this repository and then move all scripts to 
 19 |   /usr/local/bin.
 20 | 
 21 |     $ git clone git@github.com:EdOverflow/smith.git \
 22 |       && cp smith/smith /usr/local/bin/
 23 | 
 24 | Dependencies
 25 | 
 26 |   - meg (https://github.com/tomnomnom/meg)
 27 | 
 28 | Usage
 29 | 
 30 |   smith <host>
 31 |       smith http://example.com
 32 | 
 33 |   smith <list of hosts>
 34 |       smith list.txt
 35 | 
 36 |   The -s flag stands for 'scan'.
 37 | 
 38 |   smith -s <scan type> <host or list of hosts>
 39 |     smith -s crlf http://example.com
 40 |     smith -s openredirects http://example.com
 41 |     smith -s subdomaintakeovers http://example.com
 42 |     smith -s files http://example.com
 43 | 
 44 |   The -f flag stands for 'find'.
 45 | 
 46 |   smith -f <type>
 47 |     smith -f crlf
 48 | 
 49 |   All types:
 50 |     - crlf
 51 |     - openredirects
 52 |     - subdomaintakeovers
 53 |     - files
 54 | 
 55 | Word lists
 56 | 
 57 |   All word lists are located under the lists/ directory.
 58 | 
 59 |   - crlf.txt
 60 |   - crlf-special.txt
 61 |   - openredirects.txt
 62 |   - wordlist.txt
 63 | 
 64 | Contributing
 65 | 
 66 |   I welcome contributions from the public. The issue tracker is
 67 |   the preferred channel for bug reports and feature requests. 
 68 |   The bug tracker utilises several labels to help organise and 
 69 |   identify issues. Whenever submitting a new issue, please use 
 70 |   the GitHub issue search first — check if the issue has already 
 71 |   been reported.
 72 | 
 73 |   Make sure to run https://github.com/koalaman/shellcheck when you 
 74 |   are done editing or create a shell script. This will help 
 75 |   maintain clean and uniform code throughout the project.
 76 | 
 77 |   If you would like to submit a patch via email, that is fine too.
 78 |   Just run the following command and send the patch to contact 
 79 |   [at] edoverflow [dot] com:
 80 | 
 81 |     $ git format-patch -<n> <SHA1>
 82 | 
 83 | Legal Disclaimer
 84 | 
 85 |   This project is made for educational and ethical testing purposes 
 86 |   only. Usage of this tool for attacking targets without prior mutual 
 87 |   consent is illegal. Developers assume no liability and are not 
 88 |   responsible for any misuse or damage caused by these scripts.
 89 | 
 90 | Donations
 91 | 
 92 |   If you would like to support my work, you can use any of the 
 93 |   addresses below:
 94 | 
 95 |   Liberapay: https://liberapay.com/EdOverflow
 96 | 
 97 |   Bitcoin: 1E2fZRNrrkCKPnWpKZAsJzByBoyoBURADN
 98 | 
 99 |   Ethereum: 0xe98FC23fB4A8762d700c0354979dA5Db6c29Acc3
100 |   
101 |   Buy me a coffee: https://www.buymeacoffee.com/edoverflow
102 | 
103 | License
104 | 
105 |   MIT License — Copyright (c) 2018 EdOverflow
106 | 


--------------------------------------------------------------------------------
/lists/crlf-special.txt:
--------------------------------------------------------------------------------
1 | /%%0a0ax-smith:edoverflow
2 | /%u000ax-smith:edoverflow


--------------------------------------------------------------------------------
/lists/crlf.txt:
--------------------------------------------------------------------------------
 1 | /%0ax-smith:edoverflow
 2 | /%0d%0ax-smith:edoverflow
 3 | /%0dx-smith:edoverflow
 4 | /%23%0ax-smith:edoverflow
 5 | /%23%0d%0ax-smith:edoverflow
 6 | /%23%0dx-smith:edoverflow
 7 | /%25%30%61x-smith:edoverflow
 8 | /%25%30ax-smith:edoverflow
 9 | /%250ax-smith:edoverflow
10 | /%25250ax-smith:edoverflow
11 | /%2e%2e%2f%0d%0ax-smith:edoverflow
12 | /%2f%2e%2e%0d%0ax-smith:edoverflow
13 | /%2F..%0d%0ax-smith:edoverflow
14 | /%3f%0d%0ax-smith:edoverflow
15 | /%3f%0dx-smith:edoverflow


--------------------------------------------------------------------------------
/lists/openredirects.txt:
--------------------------------------------------------------------------------
 1 | /%09/example.com
 2 | /%2f%2fexample.com
 3 | /%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
 4 | /%5cexample.com
 5 | /%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
 6 | /.example.com
 7 | //%09/example.com
 8 | //%5cexample.com
 9 | ///%09/example.com
10 | ///%5cexample.com
11 | ////%09/example.com
12 | ////%5cexample.com
13 | /////example.com
14 | /////example.com/
15 | ////\;@example.com
16 | ////example.com/
17 | ////example.com/%2e%2e
18 | ////example.com/%2e%2e%2f
19 | ////example.com/%2f%2e%2e
20 | ////example.com/%2f..
21 | ////example.com//
22 | ///\;@example.com
23 | ///example.com
24 | ///example.com/
25 | ///example.com/%2e%2e
26 | ///example.com/%2e%2e%2f
27 | ///example.com/%2f%2e%2e
28 | ///example.com/%2f..
29 | ///example.com//
30 | //example.com
31 | //example.com/
32 | //example.com/%2e%2e
33 | //example.com/%2e%2e%2f
34 | //example.com/%2f%2e%2e
35 | //example.com/%2f..
36 | //example.com//
37 | //example%00.com
38 | //example%E3%80%82com
39 | //https:///example.com/%2e%2e
40 | //https://example.com/%2e%2e%2f
41 | //https://example.com//
42 | /<>//example.com
43 | /?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
44 | /?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com
45 | /?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
46 | /\/\/example.com/
47 | /\/example.com/
48 | /example.com/%2f%2e%2e
49 | /http://%67%6f%6f%67%6c%65%2e%63%6f%6d
50 | /http://example.com
51 | /http:/example.com
52 | /https:/%5cexample.com/
53 | /https://%09/example.com
54 | /https://%5cexample.com
55 | /https:///example.com/%2e%2e
56 | /https:///example.com/%2f%2e%2e
57 | /https://example.com
58 | /https://example.com/
59 | /https://example.com/%2e%2e
60 | /https://example.com/%2e%2e%2f
61 | /https://example.com/%2f%2e%2e
62 | /https://example.com/%2f..
63 | /https://example.com//
64 | /https:example.com
65 | //example.com/..;/docs/config
66 | //example.com/..;/examples/jsp
67 | //example.com/..;/css
68 | /redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
69 | /redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com
70 | /redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
71 | 


--------------------------------------------------------------------------------
/lists/wordlist.txt:
--------------------------------------------------------------------------------
 1 | /webstats/
 2 | /explore
 3 | /explore/repos
 4 | /phpinfo.php
 5 | /info.php
 6 | /phptest.php
 7 | /.htaccess
 8 | /phppgadmin
 9 | /.ssh/id_rsa
10 | /.ssh/id_rsa.pub
11 | /cgi-bin/printenv.pl
12 | /metrics
13 | /.git
14 | /.git/config
15 | /wp-config.php
16 | /Jenkinsfile
17 | /Gemfile
18 | /Gemfile.lock
19 | /phpmyadmin/
20 | /phpmyadmin/ChangeLog
21 | /admin/phpMyAdmin/index.php
22 | /admin/phpmyadmin/index.php
23 | /admin/phpmyadmin2/index.php
24 | /claroline/phpMyAdmin/index.php
25 | /phpMyAdmin.old/index.php
26 | /phpMyAdmin/index.php
27 | /phpMyAdmin/phpMyAdmin/index.php
28 | /phpMyAdmin/scripts/setup.php
29 | /phpMyAdminold/index.php
30 | /phpMyadmin_bak/index.php
31 | /phpmyadmin-old/index.php
32 | /phpmyadmin/index.php
33 | /phpmyadmin/phpmyadmin/index.php
34 | /phpmyadmin/scripts/setup.php
35 | /phpmyadmin0/index.php
36 | /phpmyadmin1/index.php
37 | /phpmyadmin2/index.php
38 | /tools/phpMyAdmin/index.php
39 | /typo3/phpmyadmin/index.php
40 | /web/phpMyAdmin/index.php
41 | /www/phpMyAdmin/index.php
42 | /xampp/phpmyadmin/index.php
43 | /env
44 | /application.wadl
45 | /.pgsql_history
46 | /.sqlite_history
47 | /.mysql_history
48 | /.bash_history
49 | /icingaweb2
50 | /solr
51 | /otrs
52 | 


--------------------------------------------------------------------------------
/smith:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | # Variables
  4 | GREEN='\033[0;32m'
  5 | END='\033[0m'
  6 | DELAY='100' # in milliseconds
  7 | CONCURRENCY='200'
  8 | 
  9 | request() {
 10 | 	meg -d "$DELAY" -c "$CONCURRENCY" "$@"
 11 | }
 12 | 
 13 | # List created by https://github.com/tomnomnom/
 14 | declare -A searches=(
 15 | 	# ["Search term"]="Name of the service"
 16 | 	["There is no app configured at that hostname"]="Heroku"
 17 | 	["NoSuchBucket"]="AWS"
 18 | 	["No Such Account"]=""
 19 | 	["You're Almost There"]=""
 20 | 	["There's nothing here"]="Azure"
 21 | 	["The request could not be satisfied"]="Cloudfront"
 22 | 	["Your CNAME settings"]=""
 23 | 	["InvalidBucketName"]="AWS"
 24 | 	["PermanentRedirect"]="AWS"
 25 | 	["The specified bucket does not exist"]="AWS"
 26 | 	["Repository not found"]="Bitbucket"
 27 | 	["Bad Request: ERROR: The request could not be satisfied"]="Cloudfront"
 28 | 	["Sorry, We Couldn't Find That Page"]="AWS"
 29 | 	["Fastly error: unknown domain:"]="Fastly"
 30 | 	["The feed has not been found."]="Feedpress"
 31 | 	["The thing you were looking for is no longer here, or never was"]="Ghost"
 32 | 	["Please renew your subscription"]="Tilda"
 33 | 	["There isn't a Github Pages site here."]="Github"
 34 | 	["We could not find what you're looking for."]="Help Juice"
 35 | 	["No settings were found for this company:"]="Help Scout"
 36 | 	["No such app"]="Heroku"
 37 | 	["is not a registered InCloud YouTrack"]="JetBrains"
 38 | 	["Unrecognized domain"]="Mashery"
 39 | 	["Sorry, this shop is currently unavailable."]="Shopify"
 40 | 	["You are being redirected"]="Statuspage"
 41 | 	["project not found"]="Surge.sh"
 42 | 	["The requested URL was not found on this server."]="Unbounce"
 43 | 	["This UserVoice subdomain is currently available!"]="UserVoice"
 44 | 	["Do you want to register"]="Wordpress"
 45 | 	["Help Center Closed"]="Zendesk"
 46 | 	["This domain is for sale"]="Domain for sale"
 47 | )
 48 | 
 49 | # Echo message and then grep through the out/ directory.
 50 | test() {
 51 | 	# test <message> <term>
 52 | 	results=$(grep -rliE "$2" out)
 53 | 	if [[ -n "$results" ]]; then
 54 | 		echo -e "${GREEN}==> $1 <==${END}"
 55 | 		while read -r url; do
 56 | 			head -1 "$url";
 57 | 		done <<< "$results"
 58 | 		echo
 59 | 	fi
 60 | }
 61 | 
 62 | declare -A stuff=(
 63 | 	# ["Search term"]="Name of the thing we are looking for"
 64 | 	["webalizer"]="Webalizer instances"
 65 | 	["Explore GitLab"]="GitLab instances"
 66 | 	["phppgadmin:"]="Phppgadmin instances"
 67 | 	["RewriteEngine"]="htaccess files"
 68 | 	["Gitea Version:"]="Gitea instances"
 69 | 	["PHP Version"]="phpinfo() pages"
 70 | 	["ssh-rsa"]="Public ssh keys"
 71 | 	["Apache Server Status for"]="Apache Server Status files"
 72 | 	["GATEWAY_INTERFACE=\"CGI"]="Perl CGI environment variables"
 73 | 	["machine{name"]="Prometheus instances"
 74 | 	["\[remote \"origin\"\]"]="GIT configuration files"
 75 | 	["define\('WP_HOME"]="Wordpress configuration files"
 76 | 	["stage\('Build'\)"]="Jenkins instances"
 77 | 	["gem '"]="Gemfiles"
 78 | 	["BUNDLED WITH"]="Gemfile.lock files"
 79 | 	["Welcome to phpmyadmin"]="PhpMyAdmin instances"
 80 | 	["phpMyAdmin - ChangeLog"]="PhpMyAdmin Changelogs"
 81 | 	["env</title>"]="Ruby on Rails environment variables"
 82 | 	["<resources base="]="Application.wadl file"
 83 | 	["SELECT \* FROM"]="Database history files"
 84 | 	["solr-spec"]="Apache Solr"
 85 | 	["icinga web 2"]="Icinga monitoring"
 86 | 	["cd \.\."]="Bash history"
 87 | 	["otrs-web"]="OTRS ticket system"
 88 | 	["Powered by Atlassian"]="Atlassian product"
 89 | )
 90 | 
 91 | # This function handles all the files to look for
 92 | # in the out/ directory.
 93 | files() {
 94 | 	for str in "${!stuff[@]}"; do
 95 | 		test "${stuff[$str]}" "$str";
 96 | 	done
 97 | }
 98 | 
 99 | # Grep for CRLF injection vulnerabilities.
100 | # Payloads are in x-smith:edoverflow format to bypass
101 | # most exclusion lists.
102 | crlf() {
103 | 	test "CRLF injection vulnerabilities" "< x-smith: ?edoverflow"
104 | }
105 | 
106 | # Grep for open redirects.
107 | openredirects() {
108 | 	test "Open redirect vulnerabilities" '< location: (https?:)?[/\\]{2,}example.com'
109 | }
110 | 
111 | # When it comes to subdomain takeovers, we output the results from
112 | # fetching the top-level directory into a separate directory called sub.
113 | # The reason behind this is because we often rely on 404 error codes
114 | # to find potential subdomain takeovers. So any 404s returned from the
115 | # other scanning options will return a lot of false-positives in this
116 | # function.
117 | subdomaintakeovers() {
118 | 	echo -e "${GREEN}==> Potential subdomain takeovers <==${END}"
119 | 	for str in "${!searches[@]}"; do 
120 | 		RESULTS=$(grep -rliE "$str" sub)
121 | 		if [[ -n "$RESULTS" ]]; then
122 | 			while read -r url; do
123 | 				line=$(head -1 "$url")
124 | 				echo "Potential "${searches[$str]}" subdomain takeover on $line.";
125 | 			done <<< "$RESULTS"
126 | 			echo
127 | 		fi
128 | 	done
129 | }
130 | 
131 | # This functions looks for actual security vulnerabilities.
132 | vulnerabilities() {
133 | 	crlf
134 | 	openredirects
135 | 	subdomaintakeovers
136 | }
137 | 
138 | error() {
139 | 	echo """
140 | Simple wrapper for meg that sieves through meg's output for you.
141 | 
142 | Usage:
143 | 	smith <host>
144 | 	    smith http://example.com
145 | 
146 | 	smith <list of hosts>
147 | 	    smith list.txt
148 | 
149 | 	The -s flag stands for 'scan'.
150 | 
151 | 	smith -s <scan type> <host or list of hosts>
152 | 		smith -s crlf http://example.com
153 | 		smith -s openredirects http://example.com
154 | 		smith -s subdomaintakeovers http://example.com
155 | 		smith -s files http://example.com
156 | 
157 | 	The -f flag stands for 'find'.
158 | 
159 | 	smith -f <type>
160 | 		smith -f crlf
161 | 
162 | 	All types:
163 | 		- crlf
164 | 		- openredirects
165 | 		- subdomaintakeovers
166 | 		- files
167 | 
168 | Word lists:
169 | 	All word lists are located under the lists/ directory.
170 | 
171 | 	- crlf.txt
172 | 	- crlf-special.txt
173 | 	- openredirects.txt
174 | 	- wordlist.txt
175 | 	"""
176 | 	exit 1
177 | }
178 | 
179 | # Check if meg is installed and ensure that the
180 | # list of hosts contains the protocol: 
181 | # https://github.com/tomnomnom/meg/issues/19.
182 | checkmeg() {
183 | 	if [[ ! -x "$(command -v meg)" ]]; then
184 | 		echo "You need to install meg in order to perform this task."
185 | 		echo "https://github.com/tomnomnom/meg"
186 | 		exit 1
187 | 	fi
188 | }
189 | 
190 | # Keeping the output from previous scans can skew your results and 
191 | # result in duplicates.
192 | empty() {
193 | 	if [[ -d "out" ]]; then
194 | 		read -p "Would you like to empty the out/ directory before scanning? (y/n) " REPLY
195 | 		if [[ $REPLY =~ ^[Yy]$ ]]; then
196 | 			rm -rf out/
197 | 		fi
198 | 	fi
199 | 
200 | 	if [[ -d "sub" ]]; then
201 | 		read -p "Would you like to empty the sub/ directory before scanning? (y/n) " REPLY
202 | 		if [[ $REPLY =~ ^[Yy]$ ]]; then
203 | 			rm -rf sub/
204 | 		fi
205 | 	fi
206 | }
207 | 
208 | # This sort of acts as the main() function.
209 | if [[ $1 == "" ]] || [[ $1 == "-h" ]] || [[ $1 == "--help" ]]; then
210 | 	error
211 | elif [[ $1 == "-f" ]]; then
212 | 
213 | 	#=================================================
214 | 	# If nothing is specified, just perform a search 
215 | 	# in the out/ directory.
216 | 	#=================================================
217 | 
218 | 	if [[ $2 == "crlf" ]]; then
219 | 		crlf
220 | 	elif [[ $2 == "openredirects" ]] || [[ $2 == "or" ]]; then
221 | 		openredirects
222 | 	elif [[ $2 == "subdomaintakeovers" ]]; then
223 | 		subdomaintakeovers
224 | 	elif [[ $2 == "files" ]]; then
225 | 		files
226 | 	else
227 | 		error
228 | 	fi
229 | elif [[ $1 == "-s" ]]; then
230 | 	checkmeg
231 | 	empty
232 | 
233 | 	#=================================================
234 | 	# These are the individual scanning options.
235 | 	#=================================================
236 | 
237 | 	if [[ $2 == "crlf" ]]; then
238 | 		# Use Go HTTP client for the usual CRLF payloads.
239 | 		request lists/crlf.txt "$3" 2> /dev/null
240 | 		# Use the rawhttp library for special CRLF injection cases.
241 | 		request -r lists/crlf-special.txt "$3" 2> /dev/null
242 | 		crlf
243 | 	elif [[ $2 == "openredirects" ]] || [[ $2 == "or" ]]; then
244 | 		# Use Go HTTP client for the open redirects list.
245 | 		request lists/openredirects.txt "$3" 2> /dev/null
246 | 		openredirects
247 | 	elif [[ $2 == "subdomaintakeovers" ]]; then
248 | 		request / "$3" sub 2> /dev/null
249 | 		subdomaintakeovers
250 | 	elif [[ $2 == "files" ]]; then
251 | 		# Use Go HTTP client for main word list.
252 | 		request lists/wordlist.txt "$3" 2> /dev/null
253 | 		files
254 | 	else
255 | 		error
256 | 	fi
257 | else
258 | 	checkmeg
259 | 	empty
260 | 
261 | 	#=================================================
262 | 	# If no flag is specified, just perform a general
263 | 	# scan with all available options.
264 | 	#=================================================
265 | 
266 | 	# Use Go HTTP client for main word list.
267 | 	request lists/wordlist.txt "$1" 2> /dev/null
268 | 	# Use Go HTTP client for the open redirects list.
269 | 	request lists/openredirects.txt "$1" 2> /dev/null
270 | 	# Use Go HTTP client for the usual CRLF payloads.
271 | 	request lists/crlf.txt "$1" 2> /dev/null
272 | 	# Use the rawhttp library for special CRLF injection cases.
273 | 	request -r lists/crlf-special.txt "$1" 2> /dev/null
274 | 	request / "$1" sub 2> /dev/null
275 | 	files
276 | 	vulnerabilities
277 | fi
278 | 


--------------------------------------------------------------------------------