Overview
RevSuit is a flexible and powerful reverse connection platform designed for receiving connection from target host in
penetration. It currently supports HTTP, DNS, RMI, MySQL and FTP protocols.
Flexible:
- Revsuit can set flexible rules to capture different connections.
- Deploy and run via binaries without worrying about nasty dependency errors.
Powerful:
- Revsuit allows users to customize the response for different connections through rules and supports dynamic response
generation using template variables.
- Support a variety of protocols, and support the in-depth utilization of some protocols, such as DNS rebinding, MySQL
Load Local Data, JDBC Deserialize Exploit, FTP Passive Mode SSRF, etc.
- Native support for use with scanners.
- Support push notifications to popular office software.
- Other thoughtful and detailed features.
Basic Usage
Preparation
Download the latest release firstly.
RevSuit will generate default configuration file on first run. Modify the configuration file according to your needs,
then re-run.
To confirm the location of the connection IP, if there is no qqwry.dat in the current directory or its modification time
is more than 5 days ago. RevSuit will download it.(Support for GeoIP is in the planning stages).
$ ./revsuit
2021/05/16 22:55:10 [ INFO] Downloading qqwry.dat...
____ _____ _ __
/ __ \___ _ __/ ___/__ __(_) /_
/ /_/ / _ \ | / /\__ \/ / / / / __/
/ _, _/ __/ |/ /___/ / /_/ / / /_
/_/ |_|\___/|___//____/\__,_/_/\__/
vBeta0.1
https://revsuit.pro
2021/05/16 22:55:22 [ INFO] Starting HTTP Server at :80, token:your_token
2021/05/16 22:55:22 [ INFO] Start to listen FTP PASV port at :2020, PasvIP is 10.9.8.7
2021/05/16 22:55:22 [ INFO] Starting FTP Server at :21
2021/05/16 22:55:22 [ INFO] Starting MySQL Server at :3306
2021/05/16 22:55:22 [ INFO] Starting RMI Server at :1099
2021/05/16 22:55:22 [ INFO] Starting DNS Server at :53
After running, you can visit the /revsuit/admin/
path of HTTP Server and enter the token to access the control panel.
Create Rules and Receive Connection
Take the creation of HTTP rules as an example:
A few notes are as follows:
- The
name
and flagFormat
of rule are unique.
FlagFormat
uses regular expression syntax, and for different protocols, the fields matched by flagFormat are
different, you can check the corresponding hints to get details when creating rules.
- Rules with high rank will take effect first.
- For different protocol rules, you can make different custom configurations, and for some protocols, template
variables can be used.
- You can set the named grouping of regular expressions in
flagFormat
, and the result of the matching grouping will
also be used as a template variable.
As shown below, we create a rule that uses the built-in template variables and custom template variables of the http
protocol, and names it test_create_rule
:
Then make a request that satisfies the rule and view the response.
The request will be logged on the platform at the same time.
Notice
If you want to be notified of new connections on your office software, you can configure the webhook address of the
relevant software in the configuration file and turn on the Notice
switch for the corresponding rule. Only support to
four software types currently: dingtalk,wechat,lark,slack.(Discord and telegram support is in the plan.)
Import/Export Rules
If you're migrating platforms or purging data, it can be a hassle to recreate rules. That's why the platform supports
import and export of rules.
The entry point for this function is located at Settings>RULES
.
The rules are stored in yaml format for import and export, like the following:
http:
- name: test_create_rule
flag_format: (?P<what>\w+)\?
rank: 0
push_to_client: false
notice: false
response_status_code: "302"
response_headers:
Location: ${query.url}
response_body: ${header.say} ${what}
- name: other_rule
flag_format: other
rank: 1
push_to_client: false
notice: true
response_status_code: "200"
response_headers: { }
response_body: Hello Revsuit!
dns:
... ...
Advance Usage
Use with Scanner
RevSuit was split from my scanner project, so its native support works with scanners.
From RevSuit's perspective, we call a scanner a client.
Create Connection
RevSuit
uses HTTP Server-sent Events
(SSE) to establish a one-way communication channel with the client.
The API for the channel is: /revsuit/api/events?message
.The client first needs to add the Token: your token
header
to the Header, and then access the API to establish the channel. When the platform receives a new connection, the flag
captured by the rule will be passed to the client through this channel.
Here is a simple demo using Golang's sse library as an
example.
Multi-client
As shown above, RevSuit supports multiple clients, and each client in the connected state receives a push of flag
, so
distributed scanning can be supported.
Temporary storage queue
RevSuit will store flag
temporarily in the queue when there is no client connection and send it when the client
connects, so you don't have to worry about missing the vulnerability because the client disconnects. (This is especially
helpful for discovering delay-triggered vulnerabilities.)
Use flagGroup
FlagGroup
is the content matched by the anonymous group in the flagFormat
field of the rule. The platform will check
the content matched in the grouping,and the flag is only pushed to the client when then content(flagGroup
) captured
for the first time.
In a real-world vulnerability scanning scenario, you may send a large number of different payloads for a single
vulnerability point, and they may all be valid, which can result in the backlink platform receiving many requests, yet
they are caused by the same vulnerability. If you don't want the client to receive so many flags
for the same
vulnerability, you can take advantage of the flagGroup
feature of rule's flagFormat.
For example, SSRF scanning.
Firstly create a rule like the following:
http:
- name: ssrf
flag_format: (ssrf[a-z0-9]{6})[0-9]{1,3}
rank: 0
push_to_client: false
notice: false
response_status_code: "200"
response_headers: { }
response_body: "Here is a SSRF!"
Suppose our target is https://www.testvuln.com?url=api.com&p=useless
, and for SSRF we have 5 payloads. The final
request sent by the scanner may
be ['https://www.testvuln.com?url=http://revsuit.com/ssrfa98oni1&p=useless, ... ,'https://www.testvuln.com?url=//revsuit.com/ssrfa98oni5&p=useless
']
. They may all attack successfully.
However, because anonymous grouping is used in the rule's flagFormat
, The platform will query the
connected flagGroup
, in this case ssrfa98oni
, and push flag
to the client only at its first appearance, so the
client will only receive one flag:ssrfa98oni1
. But this is enough, because it already proves that the url
parameter
of the target is vulnerable.
Multi-module collocation
In actual penetration testing scenarios, certain tasks can be done easily and quickly by combining and matching various
modules of RevSuit. The following is an example of a blind XXE scenario, showing how to use RevSuit's HTTP and FTP
modules, combined with template variables, to quickly complete a port scan.
First use create an HTTP rule to return evil.dtd, customize the response to the contents of dtd so that it goes to
connect to RevSuit's FTP service, and use template variables to pass the Host and Port to be scanned to FTP via FTP's
user and password.
Then create an FTP rule that receives the Host and port to be scanned from the user and password template variables, set
to Pasv Address.
Then use BurpSuit to launch the scan, by setting the host and port parameters in the evil.dtd URL to set the target of
the port scan.
The running effect is as follows:
It because the FTP connection will be crashed if Passive Address
is not accessible, we can determine whether the port
is open or not based on whether the connection exits normally.For this example, we successfully detected that port 8005
and 8080 are open.
More Usage
A more detailed wiki is being prepared, you can explore by yourself before it.
Advice and Communication
Submit an issue or contact me through Weixin: Li4n06
Acknowledgements
Reference
Specifically
Thanks to my friend @E99p1ant for all the help and advice I received during the
development of this project.
License
@Apache License 2.0