UFONet – Open Redirect DDoS Tool

UFONet is an open redirect DDoS tool designed to launch attacks against a target, using insecure redirects in third party web applications, like a botnet. Obviously, only for testing purposes.

The tool abuses OSI Layer 7-HTTP to create/manage ‘zombies’ and to conduct different attacks using; GET/POST, multi-threading, proxies, origin spoofing methods, cache evasion techniques, etc.

Definition of an “Open Redirect”:

An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

From: CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)

Usage

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49

Options:   --version             show program's version number and exit   -h, --help            show this help message and exit   -v, --verbose         active verbose on requests   --update              check for latest stable version   --check-tor           check to see if Tor is used properly   --force-yes           set 'YES' to all questions   --disableisup         disable external check of target's status   --gui                 run GUI (UFONet Web Interface)     *Configure Request(s)*:     --proxy=PROXY       Use proxy server (tor: 'http://127.0.0.1:8118')     --user-agent=AGENT  Use another HTTP User-Agent header (default SPOOFED)     --referer=REFERER   Use another HTTP Referer header (default SPOOFED)     --host=HOST         Use another HTTP Host header (default NONE)     --xforw             Set your HTTP X-Forwarded-For with random IP values     --xclient           Set your HTTP X-Client-IP with random IP values     --timeout=TIMEOUT   Select your timeout (default 10)     --retries=RETRIES   Retries when the connection timeouts (default 1)     --threads=THREADS   Maximum number of concurrent HTTP requests (default 5)     --delay=DELAY       Delay in seconds between each HTTP request (default 0)     *Search for 'Zombies'*:     -s SEARCH           Search from a 'dork' (ex: -s 'proxy.php?url=')     --sd=DORKS          Search from a list of 'dorks' (ex: --sd 'dorks.txt')     --sn=NUM_RESULTS    Set max number of results for engine (default 10)     --se=ENGINE         Search engine to use for 'dorking' (default: duck)     --sa                Search massively using all search engines     *Test Botnet*:     -t TEST             Update 'zombies' status (ex: -t 'zombies.txt')     --attack-me         Order 'zombies' to attack you (NAT required!)     *Community*:     --download-zombies  Download 'zombies' from Community server: Turina     --upload-zombies    Upload your 'zombies' to Community server: Turina     --blackhole         Create a 'blackhole' to share your 'zombies'     --up-to=UPIP        Upload your 'zombies' to a 'blackhole'     --down-from=DIP     Download your 'zombies' from a 'blackhole'     *Research Target*:     -i INSPECT          Search for biggest file (ex: -i 'http://target.com')     *Configure Attack(s)*:     --disable-aliens    Disable 'aliens' web abuse of test services     --disable-isup      Disable check status 'is target up?'     -r ROUNDS           Set number of rounds (default: 1)     -b PLACE            Set place to attack (ex: -b '/path/big.jpg')     -a TARGET           Start Web DDoS attack (ex: -a 'http(s)://target.com')

Searching for ‘Zombies’

UFONet can dig on different search engines results to find possible ‘Open Redirect’ vulnerable sites. A common query string should be like this:

1 2 3 4

'proxy.php?url='         'check.cgi?url='         'checklink?uri='         'validator?uri='

For example you can begin a search with:

1	./ufonet -s 'proxy.php?url='

Or providing a list of “dorks” from a file:

1	./ufonet --sd 'dorks.txt'

By default UFONet will uses a search engine called ‘duck’. But you can choose a different one:

1	./ufonet -s 'proxy.php?url=' --se 'bing'

This is the list of available search engines with last time that were working:

1 2 3 4 5

- duck [07/10/2015: OK!]         - google [07/10/2015: OK!]         - bing [07/10/2015: OK!]         - yahoo [07/10/2015: OK!]         - yandex [07/10/2015: OK!]

You can also search massively using all search engines supported:

1	./ufonet -s 'proxy.php?url=' --sa

To control how many ‘zombies’ recieve from search engines you can use:

1	./ufonet --sd 'dorks.txt' --sa --sn 20

At the end of the process, you will be asked if you want to check the list retrieved to see if the urls are vulnerable.

1	Wanna check if they are valid zombies? (Y/n)

Also, you will be asked to update the list adding automatically only ‘vulnerable’ web apps.

1	Wanna update your list (Y/n)

If you reply ‘Y’ your new ‘zombies’ will be appended to the file named: zombies.txt

Examples:

1 2	+ with verbose:     ./ufonet -s 'proxy.php?url=' -v      + with threads:     ./ufonet --sd 'dorks.txt' --sa --threads 100

You can download UFOnet here:

1	git clone https://github.com/epsylon/ufonet

Or read more