OTORI - Instructions
This article describes security testing-related software whose use may be restricted or prohibited in your place of residence or your workplace. The penalties for violating laws and regulations regarding security testing-related tools can be severe. Ensuring that you are allowed to use this software is your responsibility.
The software described is a "preview release" which is not yet feature-complete and which has not been tested on a variety of systems. Even if you are allowed to use the software, you should do so with caution, on systems which can be easily restored to their previous state if they are damaged.
This document describes all of the command-line options for On The Outside, Reaching In. If you are learning how to use it, I recommend going through the four tutorials linked at the end of this document first — this should answer most common questions about syntax and whatnot.
Important: if you run On The Outside, Reaching In with the --help option, you will see a number of options not described in this document which are labeled "this option is not currently implemented or supported". That label is the reason they're not discussed here — the code to support those options is not implemented. The only reason I didn't comment them out entirely is that leaving them in involved many fewer changes to the source code.
Basic Options
Option | Arguments | Purpose |
-h or --help | | Display the built-in help |
--list | | List all available exploit modules |
--module | MODULE_ID | Use the specified exploit module (this option is required for all modes other than --help and --list) |
--console-verbosity | debug / info / warning / error / critical | Limit console output to the specified level or above. Warning: debug is extremely verbose. |
--log | LOG_FILE_PATH | Write a log file in addition to the console output. |
--log-verbosity | debug / info / warning / error / critical | Limit log file output to the specified level or above. Warning: debug is extremely verbose. |
--reportfile | FILE_PATH | Write a tab-delimited report file regarding successful and failed downloads. Warning: is probably buggy, hasn't been extensively tested. |
--no-ansi | | Do not use ANSI codes to make the console output look awesome and amazing and like you are a "l33+" super-hacker hacking some radical "zero-days" and "pwning" some "boxes" |
Mode Selection
Option | Arguments | Purpose |
--clone | | Clone remote content |
--dos-lulz | | Attempt a "billion laughs" denial-of-service attack |
--dos-quad | | Attempt a "quadratic blowup" denial-of-service attack |
Overall Behaviour Control
Option | Arguments | Purpose |
--module-options | one or more module options | Module-specific settings (URLs, etc.) |
--swamm-url-base | URL | The base She Wore A Mirrored Mask URL |
--swamm-url-read | URL | The She Wore A Mirrored Mask URL used for read operations |
--swamm-url-write | URL | The She Wore A Mirrored Mask URL used for write operations |
--swamm-url-append | URL | The She Wore A Mirrored Mask URL used for append operations |
--swamm-url-delete | URL | The She Wore A Mirrored Mask URL used for delete operations |
--swamm-url-store-add | URL | The She Wore A Mirrored Mask URL used for adding stored request/response pairs |
--swamm-url-store-delete | URL | The She Wore A Mirrored Mask URL used for deleting stored request/response pairs |
Behaviour Control For --clone Mode
Option | Arguments | Purpose |
--singleuri | URI | Attempt to download this single URI (file:///etc/passwd, etc.) |
--exacturilist | PATH_TO_EXACT_URI_LIST_FILE | A relative path to a file containing a list of exact URIs to download |
--rooturi | REQUESTED_ROOT_URI | When exploiting systems that support returning directory listings, attempt a recursive download starting from this URI (file:///home/, etc.). |
--rooturilist | PATH_TO_ROOT_URI_LIST_FILE | Same as --rooturi, except each URI in the list is iterated through. |
--outputbase | BASE_OUTPUT_PATH | Write output starting in this directory. |
--uriblacklist | PATH_TO_TARGET_URI_BLACKLIST_FILE | Use the regular expressions in this file to filter which directories will be traversed. Generally intended for use with the two recursive modes. |
--preserve | | When downloading content, do not overwrite existing local files with the same paths. |
--overwrite | | When downloading content, overwrite existing local files with the same paths. |
--version | | When downloading content, if any local files exist with the same paths, name the new files with a version identifier to prevent the original from being overwritten. Note: existing directories will be renamed instead of the new directory having the versioned name. |
--noerrorfiles | | If the module reports an error for a given file, discard the results instead of writing them to an output file. |
--noemptyfiles | | If an empty file is returned, discard it instead of storing a local copy. |
--nowhitespacefiles | | If a downloaded file contains only whitespace characters, discard it instead of storing a local copy. |
--noemptydirs | | Do not retain directories if no content within them was successfully downloaded. |
--maxdepth | D | Do not recurse more than D levels (3, 10, etc.) in recursive modes. |
--retries | R | If a recoverable error is encountered, retry up to R times before giving up (default is 0). |
--request-timeout | S | Wait S seconds before giving up on a single request. |
--request-waittime | W | Wait W milliseconds in-between requests (to help avoid triggering IDS/IPS or rate-limiting). |
--request-waittime-window | X | When using --request-waittime, vary the request time randomly by X milliseconds on either side of the fixed window (to look less like an automated process). |
--http-user-agent | USER_AGENT | Specify a fixed User-Agent string to send to servers. If this option is not specified, a random (realistic) value will be selected. |
--http-cookie | COOKIE_STRING | Send this HTTP cookie with each request. |
Behaviour Control For Denial-of-Service Modes
Option | Arguments | Purpose |
--dos-lulz-base | LB | When operating in --dos-lulz mode, use this many "lulzstring" values as the base (default: 10). The total repetitions of the DoS content will be LB raised to the LE power. |
--dos-lulz-exp | LE | When operating in --dos-lulz mode, use this many tiers of "lulz" (default: 9). The total repetitions of the DoS content will be LB raised to the LE power. |
--dos-quad-base | QB | When operating in --dos-quad mode, use this many "lulzstring" values as the base (default: 10000). The total repetitions of the DoS content will be QB times QM. |
--dos-quad-mult | QM | When operating in --dos-quad mode, use this many "lulzstring" values as the multiplier (default: 10000). The total repetitions of the DoS content will be QB times QM. |
--dos-string | DOS_STRING | Use this string as the "lulzstring" which will be expanded in memory (default: -- Summon the Lulz --). |
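
For defenders, the two denial-of-service modes above come down to entity-expansion arithmetic (LB raised to the LE power, or QB times QM) that can be checked before a document reaches a parser. The following Python sketch is an added example, not part of OTORI; its function names, the regex-based handling of the internal DTD subset and the scaled-down sample documents are constructed assumptions.

```python
import re

# Internal general entities only: <!ENTITY name "value">. External (SYSTEM/PUBLIC)
# and parameter (%) entities are out of scope for this sketch.
ENTITY_DECL = re.compile(r'''<!ENTITY\s+([\w.-]+)\s+(["'])(.*?)\2\s*>''', re.S)
ENTITY_REF = re.compile(r"&([\w.-]+);")

def expanded_sizes(xml_text):
    """Map each declared entity to its fully expanded length, without expanding it."""
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, value)  # XML keeps the first declaration of a name
    sizes = {}

    def size(name, stack):
        if name not in decls:
            return 1  # predefined (&lt; etc.) or undeclared: count one character
        if name in stack:
            raise ValueError("recursive entity reference: " + name)
        if name not in sizes:
            value = decls[name]
            literal = len(ENTITY_REF.sub("", value))
            nested = sum(size(ref, stack | {name}) for ref in ENTITY_REF.findall(value))
            sizes[name] = literal + nested
        return sizes[name]

    for name in decls:
        size(name, frozenset())
    return sizes

def entity_expansion(xml_text):
    """Characters that entity references outside the declarations would expand to."""
    sizes = expanded_sizes(xml_text)
    rest = ENTITY_DECL.sub("", xml_text)
    return sum(sizes.get(ref, 1) for ref in ENTITY_REF.findall(rest))

def is_expansion_bomb(xml_text, limit):
    """True if expansion exceeds limit characters or the entities are recursive."""
    try:
        return entity_expansion(xml_text) > limit
    except ValueError:
        return True

# Constructed samples, scaled down: base 3 with 3 tiers, and base 4 times multiplier 5.
LAUGHS = ('<!DOCTYPE r [<!ENTITY t0 "ab"><!ENTITY t1 "&t0;&t0;&t0;">'
          '<!ENTITY t2 "&t1;&t1;&t1;"><!ENTITY t3 "&t2;&t2;&t2;">]><r>&t3;</r>')
QUAD = '<!DOCTYPE r [<!ENTITY q "abababab">]><r>&q;&q;&q;&q;&q;</r>'
LOOP = '<!DOCTYPE r [<!ENTITY a "&b;"><!ENTITY b "&a;">]><r>&a;</r>'

if __name__ == "__main__":
    for label, doc in (("laughs", LAUGHS), ("quad", QUAD), ("loop", LOOP)):
        print(label, is_expansion_bomb(doc, limit=50))
```

With the default values listed in the table, the same arithmetic gives 10^9 repetitions of the string for --dos-lulz and 10^8 for --dos-quad, so a size check of this kind has to run on the declarations rather than on the expanded output.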