ZwCreatePhoton / htmlmth

Web server that applies HTML & HTTP evasions dynamically


HTMLMTH


Table of Contents

  1. About The Project
  2. Getting Started
  3. Usage
  4. License
  5. Contact

About The Project

HTMLMTH is a web server that applies HTML & HTTP evasions dynamically to outgoing traffic.

Getting Started

To get a local copy up and running, follow these steps.

Installation

sudo apt update
sudo apt install -y libtidy-dev
sudo apt install -y git
git clone git@github.com:ZwCreatePhoton/htmlmth.git
sudo apt install -y curl
sudo apt install -y python2.7
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py | python2.7
python2.7 -m pip install virtualenv
python2.7 -m virtualenv venv_htmlmth
./venv_htmlmth/bin/python2 -m pip install --ignore-installed -r htmlmth/requirements.txt 

Usage

There are three scripts of interest: output_cases.py, EvasionHTTPServer.py, and scripting_encoder_server.py.

EvasionHTTPServer.py

This script implements the HTTP(S) server that applies lists of evasions (AKA "cases") dynamically.

EvasionHTTPServer Usage Example 1

./venv_htmlmth/bin/python2 htmlmth/htmlmth/EvasionHTTPServer.py -i 0.0.0.0 -p 8000 -ipv 4 -sesh 127.0.0.1 -sesp 5000 -b htmlmth/examples/baselines/example.html -c htmlmth/examples/cases/example.py -tc example-middle-011

This starts an Evasion HTTP server instance on 0.0.0.0:8000 that serves the file examples/baselines/example3.html as the baseline content and applies the case example-middle-011 from examples/cases/example.py as the evasion.

When http://SERVERIP:8000/ is visited, the returned content should be the baseline with the following modifications (example-middle-011):

  1. HTML comments removed (evasion: htmlmth.evasions.html.remove_html_comments)
  2. 414 HTTP status code (evasion: htmlmth.evasions.http.status_code_4xx.parameterize(statuscode=414))
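
When the server sits in a test bed, it helps to confirm that a fetched response really is the described case before judging how an inspection device handled it. The following is an added example, not part of htmlmth: a Python 3 standard-library check that compares a response against the baseline structurally, so it tolerates re-indentation. The names TokenStream, parse and check_case and the sample HTML are constructed for illustration, and the check assumes the case changes nothing except comments, whitespace and the status code.

```python
from html.parser import HTMLParser

class TokenStream(HTMLParser):
    """Collect tags and text in document order; comments are kept aside."""
    def __init__(self):
        HTMLParser.__init__(self, convert_charrefs=True)
        self.tokens, self.comments = [], []
    def handle_starttag(self, tag, attrs):
        self.tokens.append(("start", tag, frozenset(attrs)))
    def handle_endtag(self, tag):
        self.tokens.append(("end", tag))
    def handle_data(self, data):
        # Text split by a comment must compare equal to the unsplit text.
        if self.tokens and self.tokens[-1][0] == "text":
            data = self.tokens.pop()[1] + data
        self.tokens.append(("text", data))
    def handle_comment(self, data):
        self.comments.append(data)

def parse(html):
    p = TokenStream()
    p.feed(html)
    p.close()
    tokens = []
    for tok in p.tokens:
        if tok[0] == "text":
            text = " ".join(tok[1].split())  # ignore re-indentation
            if not text:
                continue
            tok = ("text", text)
        tokens.append(tok)
    return tokens, p.comments

def check_case(baseline_html, status, body, expected_status=414):
    """Return discrepancies from the described case; empty list means match."""
    problems = []
    if status != expected_status:
        problems.append("status %d, expected %d" % (status, expected_status))
    base_tokens, _ = parse(baseline_html)
    resp_tokens, resp_comments = parse(body)
    if resp_comments:
        problems.append("%d comment(s) still present" % len(resp_comments))
    if resp_tokens != base_tokens:
        problems.append("markup or text differs from baseline")
    return problems

# Constructed sample data, not taken from the project's examples directory.
BASELINE = "<html><head><!-- build note --><title>t</title></head>" \
           "<body><p>Hello <!-- inline -->world</p></body></html>"
EVADED = "<html>\n<head><title>t</title></head>\n<body><p>Hello world</p></body>\n</html>"

if __name__ == "__main__":
    print(check_case(BASELINE, 414, EVADED))    # response matching the case
    print(check_case(BASELINE, 200, BASELINE))  # baseline served unmodified
```

In practice the status and body passed to check_case come from whatever HTTP client fetched http://SERVERIP:8000/, and the baseline is the file given with -b.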

EvasionHTTPServer Usage Example 2

./venv_htmlmth/bin/python2 htmlmth/htmlmth/EvasionHTTPServer.py -i 0.0.0.0 -p 8000 -ipv 4 -sesh 127.0.0.1 -sesp 5000 -b htmlmth/examples/baselines/example3.yaml -c htmlmth/examples/cases/example.py -tc htmlmth/examples/cases/example3.yaml

This starts an Evasion HTTP server instance on 0.0.0.0:8000 that serves the baseline HTTP resources defined in examples/baselines/example3.yaml as the baseline contents and applies the cases listed in examples/cases/example3.yaml and defined in examples/cases/example.py as the evasions.

When http://SERVERIP:8000/example.html is visited, the returned content should be the baseline with the following modifications (example-middle-011):

  1. HTML comments removed (evasion: htmlmth.evasions.html.remove_html_comments)
  2. 414 HTTP status code (evasion: htmlmth.evasions.http.status_code_4xx.parameterize(statuscode=414))

When http://abc.com:8000/ is visited (where abc.com points to SERVERIP), the returned content should be the baseline with the following modifications (example-null-001):

  1. No modifications

output_cases.py

This script serializes evaded content to disk.

output_cases Usage Example 1

rm -r out ; mkdir out ; ./venv_htmlmth/bin/python2 htmlmth/htmlmth/output_cases.py -sesh 127.0.0.1 -sesp 5000 -o out -b htmlmth/examples/baselines/example3.yaml -c htmlmth/examples/cases/example.py -bch abc.com -ld

Serialize the evaded content to the out directory using the baseline HTTP resources defined in examples/baselines/example3.yaml as the baseline contents and all the cases defined in examples/cases/example.py as the applied evasions. Content is served up as if it were accessed using the hostname abc.com. Long descriptions will be printed to stdout.

scripting_encoder_server.py

Some evasions use a closed-source VBScript/JScript encoder by Microsoft. This script acts as a server that uses the encoder to return encoded content. Some evasions require the server to generate the evaded content. This script must run on a Windows host accessible from the machine running output_cases.py or EvasionHTTPServer.py.

When using output_cases.py or EvasionHTTPServer.py, specify the IP (using the -sesh parameter) and the port (using the -sesp parameter) that the script is listening on. The default port is 5000.

If an evasion uses scripting_encoder_server.py and it is not accessible, a requests.exceptions.ConnectionError will occur.

python.exe -m pip install flask
set FLASK_APP=scripting_encoder_server.py
python.exe -m flask run --host=0.0.0.0

To see the available evasions, please refer to the evasions directory.

To see practical examples of cases, please refer to the HtmlmthCases repo.

License

Distributed under the MIT License. See LICENSE for more information.

Contact

ZwCreatePhoton - @ZwCreatePhoton

Project Link: https://github.com/ZwCreatePhoton/htmlmth

Languages

Language:Python 100.0%