├── LICENSE ├── README.md └── main.go /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2019 Travis Biehn 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 4 | 5 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 6 | 7 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CURRYFINGER 2 | `CURRYFINGER` measures a vanilla request for a particular URL against requests directed to specific IP addresses with forced TLS SNI and HTTP Host headers. The tool takes a string edit distance, and emits matches according to a rough similarity metric threshold. 3 | 4 | Use it to find the real origin server behind popular CDNs. 5 | 6 | Kudos to [christophetd/CloudFlair](https://github.com/christophetd/CloudFlair) for the inspiration. 7 | 8 | Check out the corresponding [post](https://dualuse.io/blog/curryfinger/) for details and example usage. 9 | 10 | # REQUIREMENTS 11 | 12 | ```sh 13 | go get -u github.com/corpix/uarand 14 | go get -u github.com/texttheater/golang-levenshtein/levenshtein 15 | ``` 16 | 17 | # BUILDING 18 | 19 | ```sh 20 | go build 21 | ``` 22 | 23 | # COMPLAINTS 24 | 25 | Yes. 26 | 27 | # LICENSE 28 | 29 | MIT. -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2019, Travis Biehn 3 | * All rights reserved. 4 | * 5 | * This source code is licensed under the MIT license found in the 6 | * LICENSE file in the root directory of this source tree. 7 | * 8 | */ 9 | 10 | package main 11 | 12 | import ( 13 | "context" 14 | "crypto/tls" 15 | "flag" 16 | "io" 17 | "io/ioutil" 18 | "log" 19 | "net" 20 | "net/http" 21 | "os" 22 | "strings" 23 | "sync" 24 | "time" 25 | 26 | "github.com/corpix/uarand" 27 | 28 | "github.com/texttheater/golang-levenshtein/levenshtein" 29 | ) 30 | 31 | var e = log.New(os.Stderr, "", 0) 32 | var l = log.New(os.Stdout, "", 0) 33 | 34 | var timeout = flag.Duration("timeout", 30*time.Second, "Timeout the check.") 35 | var keepalive = 0 * time.Millisecond 36 | 37 | var DefBits = flag.Int("mbits", 500, "Match in the first -mbits.") 38 | 39 | var Threshold = flag.Int("perc", 50, "Match at -perc[entage] similarity") 40 | 41 | var Threads = flag.Int("threads", 200, "Number of -threads to use.") 42 | 43 | var ShowSample = flag.Bool("show", false, "Show sample responses.") 44 | 45 | var UserAgent = flag.String("ua", "", "Specify User Agent, otherwise we'll generate one.") 46 | 47 | func main() { 48 | e.Print(ban) 49 | 50 | reconfile := flag.String("file", "", "read ips from specified -file instead of stdin.") 51 | domain := flag.String("url", "https://example.org", "-url to check.") 52 | 53 | flag.Parse() 54 | 55 | inputStream := os.Stdin 56 | if strings.EqualFold(*UserAgent, "") { 57 | rand := uarand.Default.GetRandom() 58 | UserAgent = &rand 59 | } 60 | 61 | e.Print("[I] Starting on ", *domain, " with UA ", *UserAgent) 62 | 63 | if !strings.EqualFold(*reconfile, "") { 64 | var err error 65 | inputStream, err = os.Open(*reconfile) 66 | if err != nil { 67 | e.Println("Could not open specified file", *reconfile) 68 | e.Fatal(err) 69 | } 70 | } 71 | 72 | bits, err := ioutil.ReadAll(inputStream) 73 | if err != nil { 74 | e.Println("Could not read all the bits") 75 | e.Fatal(err) 76 | } 77 | 78 | testIps := strings.Split(strings.Replace(string(bits), "\r\n", "\n", -1), "\n") 79 | 80 | var wg sync.WaitGroup 81 | 82 | wg.Add(1) 83 | 84 | go test(&wg, *domain, testIps) 85 | 86 | wg.Wait() 87 | } 88 | 89 | func test(wg *sync.WaitGroup, target string, testIPs []string) { 90 | defer wg.Done() 91 | 92 | //Vanilla. 93 | dialer := &net.Dialer{ 94 | Timeout: *timeout, 95 | KeepAlive: keepalive, 96 | DualStack: true, 97 | } 98 | transport := &http.Transport{ 99 | Dial: dialer.Dial, 100 | } 101 | transport.TLSClientConfig = &tls.Config{ 102 | InsecureSkipVerify: true, 103 | } 104 | 105 | client := http.Client{ 106 | Timeout: *timeout, 107 | Transport: transport, 108 | } 109 | 110 | req, err := http.NewRequest("GET", target, nil) 111 | req.Header.Set("User-Agent", *UserAgent) 112 | 113 | res, err := client.Do(req) 114 | 115 | og := "" 116 | if err != nil { 117 | e.Print(err) 118 | } else { 119 | reader := io.LimitReader(res.Body, int64(*DefBits)) 120 | bits, err := ioutil.ReadAll(reader) 121 | if err != nil { 122 | e.Print(err) 123 | } 124 | og = string(bits) 125 | } 126 | 127 | client.CloseIdleConnections() 128 | transport.CloseIdleConnections() 129 | 130 | jobs := make(chan AssessParcel, len(testIPs)) 131 | for w := 1; w <= *Threads; w++ { 132 | go assessWorker(w, jobs) 133 | } 134 | var workerGroup sync.WaitGroup 135 | 136 | workerGroup.Add(len(testIPs)) 137 | for _, ip := range testIPs { 138 | jobs <- AssessParcel{ 139 | OriginalContent: og, 140 | Target: target, 141 | TestIP: ip, 142 | Wg: &workerGroup, 143 | } 144 | } 145 | 146 | close(jobs) 147 | workerGroup.Wait() 148 | } 149 | 150 | type AssessParcel struct { 151 | OriginalContent string 152 | Target string 153 | TestIP string 154 | Wg *sync.WaitGroup 155 | } 156 | 157 | func assessWorker(id int, jobs <-chan AssessParcel) { 158 | for j := range jobs { 159 | ip := net.ParseIP(j.TestIP) 160 | if ip != nil { 161 | e.Print("[T@", id, "] Is ", j.Target, " hosted on ", j.TestIP, "?") 162 | assess(j.OriginalContent, j.Target, ip.String()) 163 | } 164 | j.Wg.Done() 165 | } 166 | } 167 | 168 | func assess(og string, target string, testIP string) { 169 | 170 | //Jacked. 171 | 172 | jackedDialer := &net.Dialer{ 173 | Timeout: *timeout, 174 | KeepAlive: keepalive, 175 | DualStack: true, 176 | } 177 | 178 | jackedTransport := &http.Transport{ 179 | DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) { 180 | // redirect all connections to 127.0.0.1 181 | addr = testIP + addr[strings.LastIndex(addr, ":"):] 182 | return jackedDialer.DialContext(ctx, network, addr) 183 | }, 184 | } 185 | jackedTransport.TLSClientConfig = &tls.Config{ 186 | InsecureSkipVerify: true, 187 | } 188 | 189 | jackedClient := http.Client{ 190 | Timeout: *timeout, 191 | Transport: jackedTransport, 192 | } 193 | 194 | req, err := http.NewRequest("GET", target, nil) 195 | req.Header.Set("User-Agent", *UserAgent) 196 | 197 | res, err := jackedClient.Do(req) 198 | 199 | jacked := "" 200 | if err != nil { 201 | e.Print(err) 202 | } else { 203 | reader := io.LimitReader(res.Body, int64(*DefBits)) 204 | 205 | bits, err := ioutil.ReadAll(reader) 206 | if err != nil { 207 | e.Print(err) 208 | } 209 | jacked = string(bits) 210 | } 211 | 212 | jackedClient.CloseIdleConnections() 213 | jackedTransport.CloseIdleConnections() 214 | 215 | matchBits := *DefBits 216 | 217 | if len(og) < matchBits || len(jacked) < matchBits { 218 | matchBits = len(og) 219 | if len(jacked) < len(og) { 220 | matchBits = len(jacked) 221 | } 222 | } 223 | 224 | if matchBits < 5 { 225 | e.Print("[E] ", testIP, "==", target, " Not enough bytes to be meaningful. len(og): ", len(og), " len(jacked): ", len(jacked)) 226 | l.Print("miss ", testIP, " ", target, " ", 0, " percent in ", 0, " bytes") 227 | return 228 | } 229 | 230 | distance := levenshtein.DistanceForStrings([]rune(og[:matchBits]), []rune(jacked[:matchBits]), levenshtein.DefaultOptions) 231 | 232 | matchy := 100 - int(float32(float32(distance)/float32(matchBits))*100) 233 | 234 | e.Print("[I] ", testIP, "==", target, " Similarity in first ", matchBits, " bits computed as: ", matchy, "% @ distance: ", distance) 235 | 236 | if *ShowSample { 237 | e.Print("[D] Original Sample:") 238 | e.Print(og[:matchBits]) 239 | e.Print("[D] Measurement Sample:") 240 | e.Print(jacked[:matchBits]) 241 | } 242 | if matchy > 50 { 243 | l.Print("match ", testIP, " ", target, " ", matchy, " percent in ", matchBits, " bytes") 244 | } else { 245 | l.Print("miss ", testIP, " ", target, " ", matchy, " percent in ", matchBits, " bytes") 246 | } 247 | } 248 | 249 | var ban = ` 250 | mmm m m mmmmm mmmmm m m mmmmmm mmmmm mm m mmm mmmmmm mmmmm 251 | m" " # # # "# # "# "m m" # # #"m # m" " # # "# 252 | # # # #mmmm" #mmmm" "#" #mmmmm # # #m # # mm #mmmmm #mmmm" 253 | # # # # "m # "m # # # # # # # # # # "m 254 | "mmm" "mmmm" # " # " # # mm#mm # ## "mmm" #mmmmm # " 255 | 256 | dualuse.io - FINE DUAL USE TECHNOLOGIES` 257 | --------------------------------------------------------------------------------