A powerful, feature-rich exploit server built in Go with TLS encryption, web interface, and advanced security testing capabilities. Designed for penetration testing, security research, and educational purposes.
- π TLS/HTTPS Support - End-to-end encryption with configurable certificates
- π― HTTP Response Crafting - Create custom HTTP responses with full control over headers, status codes, and content
- π MITM Proxy - Man-in-the-middle request forwarding and inspection
- π Real-time Logging - Live request monitoring with WebSocket updates
- π AES Encryption - Request logging with AES-128/192/256 encryption
- π Web Interface - Modern, responsive UI for all operations
- Custom HTTP Methods - Support for standard and custom HTTP methods
- Header Manipulation - Full control over HTTP headers and response crafting
- WebSocket Support - Real-time communication for live updates
- Docker Ready - Containerized deployment with Docker and Docker Compose
- OpenShift Compatible - Enterprise deployment templates included
- Certificate Management - Automated certificate generation scripts
- Go 1.21+ for development
- Docker for containerized deployment
# Clone the repository
git clone https://github.com/AmadeusITGroup/exploit-server.git
cd exploit-server
# Install dependencies
go mod download
# Run the server (HTTP on port 8080)
# Note: Uses default encryption key with warning message
go run cmd/iolite/main.go
# Optionally set custom encryption key to avoid warning
# export EXPLOIT_SERVER_KEY=your32characterencryptionkey1234# Set environment variables with TLS certificates
export EXPLOIT_SERVER_KEY=your32characterencryptionkey1234
export EXPLOIT_SERVER_CERT_FILE=/path/to/your/certificate.crt
export EXPLOIT_SERVER_KEY_FILE=/path/to/your/private.key
# Run the server (HTTPS on port 8443)
go run cmd/iolite/main.go
When running without TLS certificates:
- Main Interface: http://localhost:8080
- Response Crafting: http://localhost:8080/craft
- MITM Interface: http://localhost:8080/mitm
- Request Logs: http://localhost:8080/logs
When running with TLS certificates:
- Main Interface: https://localhost:8443
- Response Crafting: https://localhost:8443/craft
- MITM Interface: https://localhost:8443/mitm
- Request Logs: https://localhost:8443/logs
The /craft endpoint provides a web interface for creating custom HTTP responses:
-
Configure Response Parameters:
- URL path to intercept
- HTTP method (GET, POST, etc.)
- HTTP version and status code
- Custom headers (copy-pastable format)
- Response body content
-
Save and Test:
- Responses are stored in memory
- Incoming requests matching URL and method return crafted responses
- Multiple responses can be configured simultaneously
The /mitm endpoint enables man-in-the-middle request forwarding:
-
Configure Target:
- Set target URL for request forwarding
- All matching requests are proxied to the target
- Responses are forwarded back to the original client
-
Monitor Traffic:
- View real-time request/response data
- Inspect headers, body content, and timing
The /logs endpoint provides comprehensive request monitoring:
- Real-time Updates: WebSocket-based live request monitoring
- Encrypted Storage: All request data encrypted with AES
- Detailed Information: Method, path, headers, body, and timestamps
- Export Capabilities: JSON API for programmatic access
| Variable | Description | Required | Default |
|---|---|---|---|
EXPLOIT_SERVER_KEY |
AES encryption key (16, 24, or 32 chars) | β | 1234567890123456 |
EXPLOIT_SERVER_CERT_FILE |
Path to TLS certificate | β | - |
EXPLOIT_SERVER_KEY_FILE |
Path to TLS private key | β | - |
EXPLOIT_SERVER_PORT |
Server port | β | 8443 (HTTPS) / 8080 (HTTP) |
Development: TLS certificates are optional. When not provided, the server runs on HTTP (port 8080) for easy development.
Production: For secure deployment, provide both certificate and key files to enable HTTPS (port 8443).
# Production example with proper certificates
export EXPLOIT_SERVER_CERT_FILE=/etc/ssl/certs/server.crt
export EXPLOIT_SERVER_KEY_FILE=/etc/ssl/private/server.keyThe server includes a default encryption key (1234567890123456) for development and deployment convenience. This allows the application to run immediately without configuration, but should be changed for production use.
Development: The default key is acceptable for testing and development purposes.
Production: Always use a strong, unique 32-character encryption key:
export EXPLOIT_SERVER_KEY=your_strong_32_character_key_hereGET /api/craft- List all crafted responsesPOST /api/craft- Create new crafted responseDELETE /api/craft- Delete crafted response(s)
GET /api/mitm- Get current MITM configurationPOST /api/mitm- Set MITM target URLDELETE /api/mitm- Clear MITM configuration
GET /api/logs- Get encrypted request logsWebSocket /ws- Real-time log updates
Development:
- Self-signed certificates are acceptable
- Default encryption keys for testing
- Local network access only
Production:
- Use certificates from trusted Certificate Authority
- Strong, unique 32-character encryption keys
- Implement proper network security controls
- Regular security updates and monitoring
-
TLS Configuration:
- Use HTTP for development and testing
- Enable HTTPS with proper certificates for production
- Regularly rotate certificates in production environments
-
Encryption Keys:
- Use cryptographically secure random keys
- Never share keys in version control
- Unique keys per deployment
-
Network Security:
- Implement firewall rules
- Use VPN for remote access
- Monitor for suspicious activity
-
Access Control:
- Restrict server access to authorized users
- Implement authentication for sensitive operations
- Regular access reviews
exploit-server-iolite/
βββ cmd/iolite/ # Application entry point
βββ pkg/api/ # Core API handlers
β βββ serve.go # HTTP server and routing
β βββ craft.go # Response crafting logic
β βββ mitm.go # MITM proxy functionality
β βββ log.go # Request logging and WebSocket
β βββ utilsApi.go # Encryption utilities
βββ web/http/ # Web interface files
β βββ craft.html # Response crafting UI
β βββ mitm.html # MITM interface
β βββ logs.html # Log viewing interface
β βββ *.js # Frontend JavaScript
βββ Dockerfile # Container image for OpenShift deployment
# Clone repository
git clone https://github.com/AmadeusITGroup/exploit-server.git
cd exploit-server
# Download dependencies
go mod download
# Build binary
go build -o iolite ./cmd/iolite
# Run for development (HTTP)
export EXPLOIT_SERVER_KEY=your32characterencryptionkey1234
./iolite
# Run tests
go test ./...- Gorilla WebSocket: Real-time communication
- Go Standard Library: HTTP server, TLS, encryption
Connection Issues:
# Check if server is listening (HTTP development)
netstat -tlnp | grep 8080
# Check if server is listening (HTTPS production)
netstat -tlnp | grep 8443
# Test HTTP connectivity (development)
curl http://localhost:8080
# Test HTTPS connectivity (production)
curl -k https://localhost:8443Certificate Issues (Production only):
# Verify certificate validity
openssl x509 -in /path/to/server.crt -text -noout
# Check certificate file permissions
ls -la /path/to/certificates/Encryption Key Issues:
# Verify key length
echo -n "your-key-here" | wc -c- Test application response to various HTTP inputs
- Simulate malicious server responses
- Analyze client-side vulnerability handling
Contributions are welcome! Please feel free to submit pull requests, report bugs, or suggest new features.
- Follow Go coding standards
- Update documentation as needed
- Ensure security best practices
This project is licensed under the MIT License - see the LICENSE file for details.
This tool is intended for educational purposes, authorized penetration testing, and security research only. Users are responsible for ensuring compliance with applicable laws and regulations. The authors are not responsible for any misuse of this software.
For questions, issues, or feature requests:
- Open an issue in the repository
- Check existing documentation
- Review troubleshooting section
Note: Always use this tool responsibly and in accordance with applicable laws and organizational policies.