Message generator

This is where you can compose any message, either as raw bytes or as UTF-8 text.

Navigate

Every serial number represents a socket handler. Use 'previous' and 'next' to navigate through them.

SSL SOCKET

Use this switch to enable the SSL socket. The switch is normally off, in which case the bytes are sent directly through the normal socket.

Address

Enter the address that you want to send to.

Send button

Click

This sends the message/bytes.

Request

If the 'UTF-8' switch for the request is checked, the content is converted directly to bytes and those bytes are sent. This process will not generate any error.

If the 'UTF-8' switch for the request is not checked, the content is read as the representation of a byte array, and that byte array is sent.

Response

If the 'UTF-8' switch for request is checked, PentestSuite checks whether the response byte array can be converted to a UTF-8 string perfectly.

What does 'converted perfectly' mean?

Bytes can always be converted to a string of some form, but there is no guarantee that the conversion happens without damage. Damage means that, after the conversion, the resulting string can't be converted back to the original bytes.

After this check, PentestSuite displays the result directly if the conversion is perfect; otherwise it shows a dialog telling the user that the transformation is not perfect.

When you see this dialog, you can locate the index of the first imperfect byte by clicking the 'locate' button, or you can click 'done' and ignore the problem. Whichever you choose, your original bytes are not affected and keep their original state. The dialog only reports the situation and changes nothing.

Long click

If you long-click this button, you will see this dialog:

Once this switch is checked and you click 'OK', PentestSuite will try to send the message directly through the original socket. THE ORIGINAL SOCKET is defined by the current message index:

You will notice that the automatic generator is here as well. Click it and the configuration of the current message is sent to it.

Automatic generator

https://pentestsuite.blogspot.com/2021/08/message-automatic-generator.html

UTF-8 VIEW switch

Either clicking it or dragging it will work.

Introduction

PentestSuite is built on Socket (the Java class), which means it is based on TCP.

Normally you will see a lot of URLs in the form of ...

http://xxx.com

https://yyy.com

If you enter one of these URLs into your browser's search box and click search, you are telling your browser to issue an HTTP request.

So you see a lot of requests that conform to the HTTP protocol. What is TCP used for, then?

HTTP is based on TCP.

Not only HTTP but also many other protocols, such as SSH and FTP, are based on TCP.

That means you will be able to penetration test a lot of network protocols.

You should also know that every network protocol is ultimately a byte array on the wire, so if you want full control over what your machine sends, you must be able to control exactly what that byte array is when sending your request.

Since bytes are hard for humans to read, I added this feature so you can convert the original bytes to a UTF-8 encoded string.

This conversion does not always succeed; the following sections describe these situations in detail.

From unchecked to checked

It checks whether the current content is in the correct format. You will get a complaint if the content format is not correct.

About content format

Separate the bytes with blanks. No value may be greater than ff.

Then it checks whether a perfect transformation is possible. If it is not, you will see 'Transformation failure', the same as described previously.

From checked to unchecked

No error is thrown in this process, since every string can be transformed perfectly into a byte array.
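The two switch directions and the 'perfect conversion' check from the Response section, as an added Python example that is not PentestSuite's own code. All function names are hypothetical, the sample request and response are constructed, and it is an assumption that the 'locate' index corresponds to the first byte a strict UTF-8 decoder rejects.

```python
# Added illustration, not PentestSuite source; all names here are hypothetical.
import string

def parse_byte_view(text):
    """Parse the byte view: hex tokens separated by blanks, none above ff."""
    out = bytearray()
    for pos, token in enumerate(text.split()):
        if any(c not in string.hexdigits for c in token):
            raise ValueError(f"token {pos} ({token!r}) is not hexadecimal")
        value = int(token, 16)
        if value > 0xFF:
            raise ValueError(f"token {pos} ({token!r}) is greater than ff")
        out.append(value)
    return bytes(out)

def to_byte_view(text):
    """Checked -> unchecked: every string encodes to bytes, so no error."""
    return " ".join(f"{b:02x}" for b in text.encode("utf-8"))

def check_utf8_view(data):
    """Unchecked -> checked: return (text, first_imperfect_index).

    The index is None when bytes -> string -> bytes gives back the same bytes.
    Assumption: the 'locate' index is the first byte a strict decoder rejects.
    """
    try:
        return data.decode("utf-8"), None
    except UnicodeDecodeError as err:
        lossy = data.decode("utf-8", errors="replace")  # U+FFFD for bad bytes
        # Encoding the lossy string back does not reproduce the input bytes.
        assert lossy.encode("utf-8") != data
        return lossy, err.start

# Constructed samples: a text request and a response carrying raw binary.
REQUEST_VIEW = "47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 0d 0a"
RESPONSE = b"HTTP/1.1 200 OK\r\n\r\n\x89PNG"

if __name__ == "__main__":
    print(check_utf8_view(parse_byte_view(REQUEST_VIEW)))  # perfect
    text, bad = check_utf8_view(RESPONSE)                   # imperfect
    print(repr(text), "first imperfect byte index:", bad)
```

A binary body such as the constructed PNG header fails the check at its first non-UTF-8 byte, which is the case where the byte view is the one to trust.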

Search

When you are in the message generator area, you will notice a small change in the floating action button:

Changed from

to

Originally this button creates a new internal browser instance; in the message generator it instead serves ONLY as the search button.

The first time you click it, or any time you long-click it, a window like this pops up to let you configure the search details:

Enter the string that you want to search for and, just as you would expect, it is saved. The next time you click the button, it directly runs the search you configured last time! Enjoy this fun feature and find more reflected XSS with just a few taps!
