GNU/LinuxKali Linux ToolsScannerSecurity

deblaze

0

deblaze Package Description

Through the use of the Flex programming model and the ActionScript language, Flash Remoting was born. Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. This tool will allow you to perform method enumeration and interrogation against flash remoting end points. Deblaze came about as a necessity during a few security assessments of flash based websites that made heavy use of flash remoting. I needed something to give me the ability to dig a little deeper into the technology and identify security holes. On all of the servers I’ve seen so far the names are not case sensitive, making it much easier to bruteforce. Often times HTTP POST requests won’t be logged by the server, so bruteforcing may go unnoticed on poorly monitored systems.

Deblaze provides the following functionality:

  • Brute Force Service and Method Names
  • Method Interrogation
  • Flex Technology Fingerprinting

Source: https://github.com/SpiderLabs/deblaze
deblaze Homepage | Kali deblaze Repo

  • Author: Trustwave Holdings, Inc., Jon Rose
  • License: GPLv3

Tools included in the deblaze package

deblaze.py – Performs testing against flash remoting endpoints
root@kali:~# deblaze.py -h
Usage: deblaze [option]

A remote enumeration tool for Flex Servers

Options:
–version             show program’s version number and exit
-h, –help            show this help message and exit
-u URL, –url=URL     URL for AMF Gateway
-s SERVICE, –service=SERVICE
Remote service to call
-m METHOD, –method=METHOD
Method to call
-p PARAMS, –params=PARAMS
Parameters to send pipe seperated
‘param1|param2|param3’
-f SWF, –fullauto=SWF
URL to SWF – Download SWF, find remoting services,
methods,and parameters
–fuzz                Fuzz parameter values
-c CREDS, –creds=CREDS
Username and password for service in u:p format
-b COOKIE, –cookie=COOKIE
Send cookies with request
-A USERAGENT, –user-agent=USERAGENT
User-Agent string to send to the server
-1 BRUTESERVICE, –bruteService=BRUTESERVICE
File to load services for brute forcing (mutually
exclusive to -s)
-2 BRUTEMETHOD, –bruteMethod=BRUTEMETHOD
File to load methods for brute forcing (mutually
exclusive to -m)
-d, –debug           Enable pyamf/AMF debugging
-v, –verbose         Print http request/response
-r, –report          Generate HTML report
-n, –nobanner        Do not display banner
-q, –quiet           Do not display messages

deblaze.py Usage Example

root@kali:~# coming soon

You may also like

Comments

Leave a reply

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir

More in GNU/Linux