-=[Triton 2.1]=-

.... it's the next logical step.

This program is what is known as an "exploiter". It can be used to probe websites for possible vulnerabilities based on user-customisable pre-defined lists. This is a follow up to the popular -=[Triton 0.3]=- program with a great number of improvements.

This program should only be used against sites where you have the permission to do so.

"Quemadmodum gladius neminem occidit, occidentis telum est." ..... or something like that ;)

Where can I download it?

The latest version is 2.1 ... available right here
Older (unsupported) version 2 available here

Trojan warnings

It's been brought to my attention that some anti-virus programs are falsely reporting Triton to contain the "Tryton" virus/trojan. I can see that some network administrators might pick it up as an "unwanted program" because of the scanning ability, but that's about it.

The source code has been shared amongst a few friends for now, and it will be open source at some point in the future, but everyone's welcome to run the program through their favourite network sniffer to verify that the information sent/received is exactly as they were expecting.

Sigh ... there's always something .....

I don't have time to read all this stuff below ... what's new in it?

New in v2.1 ...

  • ... total rewriting of the network components - using the Charon engine
  • ... History page column sizes now kept when switching between tabs.
  • ... No longer automatically adjusts the scan speed down - it'll just kill off unused threads instead.
  • ... Bug fix - Using bad keywords with no good keywords sometimes skipped hits
  • ... Bug fix - Potentially missed hits at the end of scans
  • ... Bug fix - Glitch when using custom headers
  • ... UI glitch - Date column in the history would not sort properly
  • ... Numerous other bug fixes ... some small, some not so.

New in v2.0 ...

  • ... total redesign of UI
  • ... scanning speed improvements
  • ... ability to run multiple lists
  • ... proxy testing integration with Charon
  • ... eliminated the memory issues of version 0.3
  • ... new history section for storing / re-testing past hits
  • ... full header manipulation
  • ... all new "automatic scan" option

What's this automatic scan option?

Each (read: 99.9%) site will, when asked, return information in its response headers about the type of server it is running. For example, "www.whitehouse.gov" reports back that it is running "Apache". You can select a list to run (e.g., Apache.txt) for each site that returns a particular string. Similarly you could create a "Frontpage.txt" list that runs each time it finds the text "IIS". With this method, once set up, you could just feed a site into Triton and it will run the most appropriate lists.

Won't that take a while for me to set up?

Nobody said life was easy ;)

On the bright side ... it might prompt more working in 'groups' on the internet as you can collect and share lists based on operating system / webserver / etc.

How do I find this "Apache" or "Banner" or whatever?

This is returned in the server reply to a request. You can either use the HTTP Debugger to send a simple request to the site and view the response, or use the "Server Info" tab in the tools section, which will go away and find this information for you.

Ok ... that sounds good ... but can't I just run it like normal?

Sure. There's a 'manual scan' option where you can just select a list or lists and run them like the old one. I heard it best described as "It can be run like a sledgehammer by the masses, or fine tuned to a scalpel by the experts.". That seems fitting depending on how much work you're willing to put into it.

Can Triton just be used as a link checker?

Sure .... just load your pass / link list as the sites and run without any paths selected. It'll just verify the links.

What's the logic behind the keywords?

You can specify multiple keywords / keyphrases and separate them with the semicolon character (;). The choice of whether to make the searches CaSe SeNsiTiVe or not is found in the 'Options' section.

  • If purely bad keywords are specified (i.e., no good ones) then the hit will only be marked as "Good key" providing none of the bad keywords are found.
  • If purely good keywords are specified (i.e., no bad ones) then the hit will only be marked as "Good key" providing at least one of the good keywords is found.
  • If both good and bad keywords are specified then the hit will only be marked as "Good key" providing at least one of the good keywords is found and none of the bad keywords are found.
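
The three rules above written out as a single function, using the link-checker case of spotting a "soft 404" page. This is an added example, not Triton's own code; the function names, the whitespace trimming and the `None` result when no keywords are set are assumptions.

```python
def split_keys(spec):
    """Split a semicolon-separated keyword string, dropping empty entries.

    Trimming whitespace around each keyword is an assumption of this example.
    """
    return [k.strip() for k in spec.split(";") if k.strip()]


def is_good_key(body, good="", bad="", case_sensitive=False):
    """Apply the three keyword rules to a response body.

    Returns True for "Good key", False otherwise, and None when no keywords
    are configured (assumption: the page does not describe that case).
    """
    good_keys, bad_keys = split_keys(good), split_keys(bad)
    if not good_keys and not bad_keys:
        return None
    if not case_sensitive:
        body = body.lower()
        good_keys = [k.lower() for k in good_keys]
        bad_keys = [k.lower() for k in bad_keys]
    has_bad = any(k in body for k in bad_keys)
    # With no good keywords configured, the absence of bad keywords is enough.
    has_good = any(k in body for k in good_keys) if good_keys else True
    return has_good and not has_bad


# Constructed samples: an error page served with status 200, and a real page.
SOFT_404 = "<html><title>Oops</title><p>Page Not Found</p></html>"
REAL_PAGE = "<html><title>Downloads</title><p>Latest release</p></html>"

if __name__ == "__main__":
    for name, body in (("soft 404", SOFT_404), ("real page", REAL_PAGE)):
        print(name, is_good_key(body, good="Downloads;Release", bad="not found;error"))
```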

What happens if a proxy goes bad during the scan?

If you're running with a proxy list, then you can set a parameter on the "Connections" tab. This value will be the number of bad replies in a row that a proxy must receive for it to be disabled by the program. By default this is set to 5. If a request hits a "bad" proxy that fails, then it will be automatically retried with the next valid proxy until they are all used up.

There's no "Delete from this list option"?

Press the "Del" key on your keyboard.

Ok ... enough of this overview stuff ... explain the buttons:

Ok ... but just remember I hate writing this crap so it'll be short and sweet.

Sites button:

Most menu options are relatively straightforward. Some could benefit from a little more explanation:

Netblocks:

Netblocks go on the theory that sites co-located on a server only require a single point of entry which can, for example, give a working shell. It will take a site (e.g., http://www.somesite.com) and resolve it to its IP address (e.g., http://123.45.67.89) and then run the lists against the IP range surrounding that site (http://123.45.67.1/ - http://123.45.67.254).

Pretest sites:

This should really be run with a direct connection mode. It goes through the selected sites and tests to see if they are up and alive.

Say, for example, you'd entered in an IP range to scan. If any of those IPs are actually dead (in the sense that there aren't any sites running on them) then it'll be a bit of a waste of time and bandwidth to go running

http://deadsite/path1 http://deadsite/path2 http://deadsite/path3

etc. The "Pretest" goes away and sees if the site will respond before you waste time running a whole list against it.

It is recommended that this is run with a direct connection. This will give the most accurate results (after taking into account proxy errors). If you attempt to run it without proxies it will prompt you to change the settings.

Paths button:

This is where you can choose between the various scan methods.

Link checking mode      - Select "Manual scan" and deselect all the lists in the manual scan box.  Triton will then take your "Sites" list and just act as an ordinary link / pass checker.

Manual scan mode        - Select "Manual scan" and also the lists you wish to use.  Triton will try all combinations of the loaded sites and the paths in these files.  Within the "Manual scan" mode you also have the option of whether to rotate the sites or the paths first.  For example, consider having 2 sites and 2 paths loaded:

Rotate sites first:

http://www.site1.com/path1
http://www.site2.com/path1
http://www.site1.com/path2
http://www.site2.com/path2

Rotate paths first:

http://www.site1.com/path1
http://www.site1.com/path2
http://www.site2.com/path1
http://www.site2.com/path2

This should hopefully aid you if your goal is to minimise the impact your scanning will be having on the sites.
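
Seen from the server side, spreading a path list out lowers the request rate against one site but not the number of distinct missing paths a single client asks for. The following added example (not part of Triton or of the original page) flags clients by distinct 4xx paths in a Common Log Format access log; the log lines, addresses and threshold are constructed.

```python
import re
from collections import defaultdict

# Common Log Format: client, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log (addresses from documentation ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2006:10:00:01 +0000] "GET /path1 HTTP/1.0" 404 209
203.0.113.5 - - [01/Jan/2006:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2006:10:07:40 +0000] "GET /path2 HTTP/1.0" 404 209
203.0.113.5 - - [01/Jan/2006:10:08:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209
198.51.100.7 - - [01/Jan/2006:10:15:12 +0000] "HEAD /path3 HTTP/1.0" 404 0
198.51.100.7 - - [01/Jan/2006:10:22:30 +0000] "GET /path4 HTTP/1.0" 403 199
198.51.100.7 - - [01/Jan/2006:10:22:31 +0000] "GET /path1 HTTP/1.0" 404 209
"""


def probing_clients(log_text, min_distinct=3):
    """Return {client: sorted distinct paths answered 4xx} at or above the threshold.

    Counting distinct paths instead of requests per minute means a slow,
    spread-out run of a path list is still visible.
    """
    misses = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        client, _method, path, status = m.groups()
        if status.startswith("4"):
            misses[client].add(path.split("?", 1)[0])  # ignore query strings
    return {c: sorted(p) for c, p in misses.items() if len(p) >= min_distinct}


if __name__ == "__main__":
    for client, paths in probing_clients(SAMPLE_LOG).items():
        print(client, len(paths), "distinct missing paths:", ", ".join(paths))
```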

Automatic scan mode     - This is a new feature introduced by this version of Triton.  Once you have selected this mode, you can select which automatic rules to apply to the scan.  The actual implementation of the "Automatic" method has been discussed above.

Exploit list editor

You enter the exploit list editor by double clicking on an existing list in the "Manual scan" box of the "Paths" dialog, or by right clicking on the grid and choosing "Create a new list".  Once inside, everything should be intuitive enough to figure out.

To edit a path, double click it.

To exit from editing a path without saving your changes (to the keywords / path / method / etc) choose "Cancel path"

To save your changes to the current path and update the list select "Save path"

New path        - Clicking this button will create a new path in the list and will open it up for editing.  Note that if you currently have an entry selected in the list then the new one that is created will be a carbon copy of it.  This is useful if you want to duplicate keywords / headers / etc.

Method / Path / Keys / etc … all easy enough to figure out.

When importing a standard list (by standard, I'm talking about a plain text file containing paths) you have to set up a few parameters.  Press the "Import list" button and it will prompt you to set a few default options for the list you're going to load.  This includes things such as the method / keywords / etc.  These can all be customised on an individual path basis later.  When you're ready - hit "Continue" and it will prompt you for the actual file and load it according to those parameters.

To save all your changes and update the text file on your hard drive - select "Save New List"

To undo all the changes you've just made and not save them - select "Cancel all changes"

Connection button:

The options are pretty clear.  Direct connection (no proxy), single proxy or proxy list.  If you're using a proxy list then Triton has a remote link ability to connect to Charon (recommended minimum version of 0.5.1).  Click the "Find Charon" button to locate the Charon.exe executable and the "Launch Charon" button to actually load the program with the proxies currently in your proxy list.  Import / test / filter your proxies with Charon then just close it - the remaining proxies will be transferred to the proxy list of Triton.

Tools button:

These should really be considered a separate part of Triton.  They were added in as I found myself using them for various purposes at some time or another.

HTTP Debugger

This allows you to craft and send your own HTTP requests to servers and view the result back from them.  The boxes at the top of the page are just to help you craft a request - what is actually sent is the data in the box in the middle of the screen - so if you're using the top selection boxes as a guide then remember to "Build" the request before hitting "Send".

You have 2 choices with regards to proxies - either specify a manual one to use here (useful when the info has been copied over from the history tab) or you can link it back to the "Connection" options and take your default proxy settings from there.

IP Tools

This is used to resolve hostname <--> IP address.  It will accept inputs of various formats and will produce the output to match.  For example,

www.somedomain.com <---> 123.45.67.89
http://www.somedomain.com/somepath <---> http://123.45.67.89/somepath
www.somedomain.com:8080 <---> 123.45.67.89:8080

One thing that is important to remember when converting from IP address to hostname is that it might not be the one you were expecting.  Several hostnames can resolve to the same IP address with the individual routing done on the server end.  That resolution from IP back to Hostname will just be one of those names.

Server info

This can be used to extract the "Banner" from websites.  This is useful as it often contains information about the type of software being used (Operating system / webserver / additional modules etc.)  It is this type of information that can be used with the automatic scan option described above.  The proxy / speed options are those that have been set on the "Connection" / "Progression" tabs.
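
The same banner can be audited on a server you run, to see exactly which product and version strings it hands out. This is an added example, not Triton's code; the header list, function names and the sample response are constructed for illustration.

```python
import re

# Headers that commonly name server-side software (assumption: not a list from the page).
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")
# product/version tokens such as Apache/1.3.33 or mod_ssl/2.8.22
VERSIONED = re.compile(r"([A-Za-z][\w.+-]*)/(\d[\w.]*)")

# Constructed sample response head.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 01 Jan 2006 10:00:00 GMT\r\n"
    "Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 PHP/4.3.10\r\n"
    "X-Powered-By: PHP/4.3.10\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw_head):
    """Return a lowercase-name -> value dict from a raw response head."""
    headers = {}
    for line in raw_head.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                             # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def banner_findings(raw_head):
    """List (header, product, version) for every versioned token disclosed."""
    headers = parse_headers(raw_head)
    findings = []
    for name in DISCLOSING:
        for product, version in VERSIONED.findall(headers.get(name, "")):
            findings.append((name, product, version))
    return findings


if __name__ == "__main__":
    for header, product, version in banner_findings(SAMPLE_HEAD):
        print(f"{header}: discloses {product} version {version}")
```

On Apache httpd, `ServerTokens Prod` reduces the `Server` header to the product name, and PHP's `expose_php = Off` removes `X-Powered-By`.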

Link Stripper

A simple site parser looking for links.  You can either just strip the hyperlinks <a href="http://www.somesite.com/path.html">Example</a> or you can also parse the entire text looking for links just written in the text.  You have the ability to load multiple sites and combine all the results.  The proxy / speed options are those that have been set on the "Connection" / "Progression" tabs.

Progression button:

This is where you can watch the scan/prescan/rescan taking place.

Start / Stop / Pause / Resume ... I'm pretty sure you can figure out.  On the right is a slider control where you select the speed for the scan.  You might notice that this speed control will adjust itself down at the start of the scan - this is normal and is dependent on a number of factors.  If you are running a manual mode scan then this will set itself to a maximum of the number of site/path combinations you have selected.  If you are running an automatic scan then it will initially set itself to a maximum of the number of sites you have loaded - until it has figured out which automatic lists to load then it can be changed accordingly.  You're free to moan about this ... but try not to report this as a "bug" else you might get shouted at to RTFM ;).

History button:

The menu options are self explanatory, same with most of the buttons.  The "What's a hit?" button is where you choose what actually gets passed onto this page.  The default options are "200 OK" which is the HTTP 200 response registering a successful page fetch, and "Good Key" which is for when you are applying keywords to the test and it comes back with a positive result.  By clicking on this button you can add / remove items from the lists.

But what's ...?

If you have a question that you don't know the answer to then it'll most likely fall into one of these three categories:

  1. It's in this help text already.  Read it again.  Twice.  Find it.  Stop reading this line and start now.  Go on.
  2. It's a little too obvious that you really should figure it out for yourself.  Think on it for a bit, then think some more.
  3. It's something I missed or didn't make intuitive enough.  Accept my apologies, ask me about it, and I'll probably include it in the next file.

I made it to the end of the file .... what reward do I get?

Same as you got charged for this program ... nothing ;)

Speaking of which ... can't you make money from this?

Anything could be sold - but as this is only a hobby and not a business this program will always remain free and devoid of any adware/spyware. Donations are, however, always welcome ;) ... see the link on the left.

Can I have the Triton source code?

Currently it is shared-source ... which means I've given it to a few trusted friends only. Once I've finished the suite of applications they'll all be made open source for everyone to step back in horror at the outstandingly bad coding practices I've worked in. "Comments? .... we don't need no steenking comments!".

How do I contact you?

See the "Contact Rhino" link on the left ;)













© Copyleft Rhino 2006.