#!/usr/bin/env python
try:
	import readline
except:
	pass
from src.core.setcore import bcolors, get_version, check_os, meta_path

# grab version of SET
define_version = get_version()

# check operating system
operating_system = check_os()

# grab metasploit path
msf_path = meta_path()

PORT_NOT_ZERO = "Port cannot be zero!"
PORT_TOO_HIGH = "Let's stick with the LOWER 65,535 ports..."

main_text = " Select from the menu:\n"

main_menu = ['Social-Engineering Attacks',
             'Fast-Track Penetration Testing',
             'Third Party Modules',
             'Update the Metasploit Framework',
             'Update the Social-Engineer Toolkit',
             'Update SET configuration',
             'Help, Credits, and About']

main = ['Spear-Phishing Attack Vectors',
        'Website Attack Vectors',
        'Infectious Media Generator',
        'Create a Payload and Listener',
        'Mass Mailer Attack',
        'Arduino-Based Attack Vector',
        'SMS Spoofing Attack Vector',
        'Wireless Access Point Attack Vector',
        'QRCode Generator Attack Vector',
        'Powershell Attack Vectors',
        'Third Party Modules']

spearphish_menu = ['Perform a Mass Email Attack',
                   'Create a FileFormat Payload',
                   'Create a Social-Engineering Template',
                   '0D']

spearphish_text = ("""
 The """ + bcolors.BOLD + """Spearphishing""" + bcolors.ENDC + """ module allows you to specially craft email messages and send
 them to a large (or small) number of people with attached fileformat malicious
 payloads. If you want to spoof your email address, be sure "Sendmail" is in-
 stalled (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF
 flag to SENDMAIL=ON.

 There are two options, one is getting your feet wet and letting SET do
 everything for you (option 1), the second is to create your own FileFormat
 payload and use it in your own attack. Either way, good luck and enjoy!
""")

webattack_menu = ['Java Applet Attack Method',
                  'Metasploit Browser Exploit Method',
                  'Credential Harvester Attack Method',
                  'Tabnabbing Attack Method',
                  'Man Left in the Middle Attack Method',
                  'Web Jacking Attack Method',
                  'Multi-Attack Web Method',
                  'Victim Web Profiler',
                  'Create or import a CodeSigning Certificate',
                  '0D']

fasttrack_menu = ['Microsoft SQL Bruter',
                 'Custom Exploits',
		 'SCCM Attack Vector',
		 'Dell DRAC/Chassis Default Checker',
                 '0D']

fasttrack_text = ("""
Welcome to the Social-Engineer Toolkit - """ + bcolors.BOLD + """Fast-Track Penetration Testing platform""" + bcolors.ENDC + """. These attack vectors
have a series of exploits and automation aspects to assist in the art of penetration testing. SET
now incorporates the attack vectors leveraged in Fast-Track. All of these attack vectors have been 
completely rewritten and customized from scratch as to improve functionality and capabilities. 
""")

fasttrack_exploits_menu1 = ['MS08-067 (Win2000, Win2k3, WinXP)',
                           'Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)',
                           'Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit',
                           'RDP | Use after Free - Denial of Service',
                           'MySQL Authentication Bypass Exploit',
                           'F5 Root Authentication Bypass Exploit',
                           '0D']

fasttrack_exploits_text1 = ("""
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing """ + bcolors.BOLD + """Exploits Section""" + bcolors.ENDC + """. This 
menu has obscure exploits and ones that are primarily python driven. This will continue to grow over time.
""")

fasttrack_mssql_menu1 = ['Scan and Attack MSSQL',
                        'Connect directly to MSSQL',
                        '0D']

fasttrack_mssql_text1 = ("""
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing """ + bcolors.BOLD + """Microsoft SQL Brute Forcer""" + bcolors.ENDC + """. This
attack vector will attempt to identify live MSSQL servers and brute force the weak account passwords that
may be found. If that occurs, SET will then compromise the affected system by deploying a binary to 
hexadecimal attack vector which will take a raw binary, convert it to hexadecimal and use a staged approach
in deploying the hexadecimal form of the binary onto the underlying system. At this point, a trigger will occur
to convert the payload back to a binary for us.
""")

webattack_text = ("""
 The Web Attack module is  a unique way of utilizing multiple web-based attacks
 in order to compromise the intended victim.

 The """ + bcolors.BOLD + """Java Applet Attack""" + bcolors.ENDC + """ method will spoof a Java Certificate and deliver a 
 metasploit based payload. Uses a customized java applet created by Thomas
 Werth to deliver the payload.

 The """ + bcolors.BOLD + """Metasploit Browser Exploit""" + bcolors.ENDC + """ method will utilize select Metasploit
 browser exploits through an iframe and deliver a Metasploit payload.

 The """ + bcolors.BOLD + """Credential Harvester""" + bcolors.ENDC + """ method will utilize web cloning of a web-
 site that has a username and password field and harvest all the 
 information posted to the website.

 The """ + bcolors.BOLD + """TabNabbing""" + bcolors.ENDC + """ method will wait for a user to move to a different
 tab, then refresh the page to something different.

 The """ + bcolors.BOLD + """Man Left in the Middle Attack""" + bcolors.ENDC + """ method was introduced by Kos and 
 utilizes HTTP REFERER's in order to intercept fields and harvest 
 data from them. You need to have an already vulnerable site and in-
 corporate <script src="http://YOURIP/">. This could either be from a
 compromised site or through XSS.

 The """ + bcolors.BOLD + """Web-Jacking Attack""" + bcolors.ENDC + """ method was introduced by white_sheep, Emgent 
 and the Back|Track team. This method utilizes iframe replacements to 
 make the highlighted URL link to appear legitimate however when clicked 
 a window pops up then is replaced with the malicious link. You can edit
 the link replacement settings in the set_config if its too slow/fast.

 The """ + bcolors.BOLD + """Multi-Attack""" + bcolors.ENDC + """ method will add a combination of attacks through the web attack
 menu. For example you can utilize the Java Applet, Metasploit Browser,
 Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
 all at once to see which is successful.
""")

webattack_vectors_menu = ['Web Templates',
                          'Site Cloner', 
                          'Custom Import\n',
                          ]

webattack_vectors_text = ("""
 The first method will allow SET to import a list of pre-defined web 
 applications that it can utilize within the attack.

 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.

 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.
   """)

teensy_menu = ['Powershell HTTP GET MSF Payload',
               'WSCRIPT HTTP GET MSF Payload',
               'Powershell based Reverse Shell Payload',
               'Internet Explorer/FireFox Beef Jack Payload',
               'Go to malicious java site and accept applet Payload',
               'Gnome wget Download Payload',
               'Binary 2 Teensy Attack (Deploy MSF payloads)',
               'SDCard 2 Teensy Attack (Deploy Any EXE)',
               'SDCard 2 Teensy Attack (Deploy on OSX)',
               'X10 Arduino Sniffer PDE and Libraries',
               'X10 Arduino Jammer PDE and Libraries',
               'Powershell Direct ShellCode Teensy Attack',
	       'Peensy Multi Attack Dip Switch + SDCard Attack',
               '0D']

teensy_text = ("""
 The """ + bcolors.BOLD + """Arduino-Based Attack""" + bcolors.ENDC + """ Vector utilizes the Arduin-based device to
 program the device. You can leverage the Teensy's, which have onboard
 storage and can allow for remote code execution on the physical
 system. Since the devices are registered as USB Keyboard's it
 will bypass any autorun disabled or endpoint protection on the
 system.

 You will need to purchase the Teensy USB device, it's roughly
 $22 dollars. This attack vector will auto generate the code
 needed in order to deploy the payload on the system for you.

 This attack vector will create the .pde files necessary to import
 into Arduino (the IDE used for programming the Teensy). The attack
 vectors range from Powershell based downloaders, wscript attacks, 
 and other methods.

 For more information on specifications and good tutorials visit:

 http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

 To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html
 Special thanks to: IronGeek, WinFang, and Garland

 This attack vector also attacks X10 based controllers, be sure to be leveraging
 X10 based communication devices in order for this to work.

 Select a payload to create the pde file to import into Arduino:
""")

sms_attack_menu = ['Perform a SMS Spoofing Attack', 
                   'Create a Social-Engineering Template',
                   '0D']

sms_attack_text = ("""
 The """ + bcolors.BOLD + """SMS""" + bcolors.ENDC + """ module allows you to specially craft SMS messages and send them
 to a person. You can spoof the SMS source. 

 This module was created by the team at TB-Security.com.

 You can use a predefined template, create your own template or specify 
 an arbitrary message. The main method for this would be to get a user to
 click or coax them on a link in their browser and steal credentials or
 perform other attack vectors.
""")

wireless_attack_menu = ['Start the SET Wireless Attack Vector Access Point',
                        'Stop the SET Wireless Attack Vector Access Point',
                        '0D']


wireless_attack_text = """
 The """ + bcolors.BOLD + """Wireless Attack""" + bcolors.ENDC + """ module will create an access point leveraging your
 wireless card and redirect all DNS queries to you. The concept is fairly
 simple, SET will create a wireless access point, dhcp server, and spoof
 DNS to redirect traffic to the attacker machine. It will then exit out
 of that menu with everything running as a child process. 

 You can then launch any SET attack vector you want, for example the Java
 Applet attack and when a victim joins your access point and tries going to
 a website, will be redirected to your attacker machine.

 This attack vector requires AirBase-NG, AirMon-NG, DNSSpoof, and dhcpd3.

"""

infectious_menu = ['File-Format Exploits', 
                   'Standard Metasploit Executable',
                   '0D']


infectious_text = """
 The """ + bcolors.BOLD + bcolors.GREEN + """Infectious """ + bcolors.ENDC + """USB/CD/DVD module will create an autorun.inf file and a
 Metasploit payload. When the DVD/USB/CD is inserted, it will automatically
 run if autorun is enabled.""" + bcolors.ENDC + """

 Pick the attack vector you wish to use: fileformat bugs or a straight executable.
"""
   

# used in create_payloads.py
if operating_system != "windows":
    if msf_path != False:
            payload_menu_1 = [
'Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker',
'Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker',
'Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker',
'Windows Bind Shell                      Execute payload and create an accepting port on remote system',
'Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline',
'Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline',
'Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter',
'Windows Meterpreter Egress Buster       Spawn a meterpreter shell and find a port home via multiple ports',
'Windows Meterpreter Reverse HTTPS       Tunnel communication over HTTP using SSL and use Meterpreter',
'Windows Meterpreter Reverse DNS         Use a hostname instead of an IP address and spawn Meterpreter',
'SE Toolkit Interactive Shell            Custom interactive reverse toolkit designed for SET',
'SE Toolkit HTTP Reverse Shell           Purely native HTTP shell with AES encryption support',
'RATTE HTTP Tunneling Payload            Security bypass payload that will tunnel all comms over HTTP',
'ShellCodeExec Alphanum Shellcode        This will drop a meterpreter payload through shellcodeexec',
'PyInjector Shellcode Injection          This will drop a meterpreter payload through PyInjector',
'MultiPyInjector Shellcode Injection     This will drop multiple Metasploit payloads via memory',
'Import your own executable              Specify a path for your own executable\n']

if operating_system == "windows" or msf_path == False:
    payload_menu_1 = [
        'SE Toolkit Interactive Shell    Custom interactive reverse toolkit designed for SET',
        'SE Toolkit HTTP Reverse Shell   Purely native HTTP shell with AES encryption support',
        'RATTE HTTP Tunneling Payload    Security bypass payload that will tunnel all comms over HTTP\n']

payload_menu_1_text = """
What payload do you want to generate:

  Name:                                       Description:
"""

# used in gen_payload.py

payload_menu_2 = [
'Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker',
'Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker',
'Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker',
'Windows Bind Shell                      Execute payload and create an accepting port on remote system.',
'Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline',
'Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline',
'Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter',
'Windows Meterpreter Egress Buster       Spawn a meterpreter shell and find a port home via multiple ports',
'Windows Meterpreter Reverse HTTPS       Tunnel communication over HTTP using SSL and use Meterpreter',
'Windows Meterpreter Reverse DNS         Use a hostname instead of an IP address and use Reverse Meterpreter',
'Download/Run your Own Executable        Downloads an executable and runs it\n'
]


payload_menu_2_text = """\n"""

payload_menu_3_text = ""
payload_menu_3 = [
'Windows Reverse TCP Shell              Spawn a command shell on victim and send back to attacker',
'Windows Meterpreter Reverse_TCP        Spawn a meterpreter shell on victim and send back to attacker',
'Windows Reverse VNC DLL                Spawn a VNC server on victim and send back to attacker',
'Windows Reverse TCP Shell (x64)        Windows X64 Command Shell, Reverse TCP Inline',
'Windows Meterpreter Reverse_TCP (X64)  Connect back to the attacker (Windows x64), Meterpreter',
'Windows Shell Bind_TCP (X64)           Execute payload and create an accepting port on remote system',
'Windows Meterpreter Reverse HTTPS      Tunnel communication over HTTP using SSL and use Meterpreter\n']

# called from create_payload.py associated dictionary = ms_attacks
create_payloads_menu = [
'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)',
'SET Custom Written Document UNC LM SMB Capture Attack',
'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow',
'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)',
'Adobe Flash Player "Button" Remote Code Execution',
'Adobe CoolType SING Table "uniqueName" Overflow',
'Adobe Flash Player "newfunction" Invalid Pointer Use',
'Adobe Collab.collectEmailInfo Buffer Overflow',
'Adobe Collab.getIcon Buffer Overflow',
'Adobe JBIG2Decode Memory Corruption Exploit',
'Adobe PDF Embedded EXE Social Engineering',
'Adobe util.printf() Buffer Overflow',
'Custom EXE to VBA (sent via RAR) (RAR required)',
'Adobe U3D CLODProgressiveMeshDeclaration Array Overrun',
'Adobe PDF Embedded EXE Social Engineering (NOJS)',
'Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow',
'Apple QuickTime PICT PnSize Buffer Overflow',
'Nuance PDF Reader v6.0 Launch Stack Buffer Overflow', 
'Adobe Reader u3D Memory Corruption Vulnerability',
'MSCOMCTL ActiveX Buffer Overflow (ms12-027)\n']

create_payloads_text = """
 Select the file format exploit you want.
 The default is the PDF embedded EXE.\n
           ********** PAYLOADS **********\n"""

browser_exploits_menu = [
'Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free (2012-12-27)',
'Java 7 Applet Remote Code Execution (2012-08-26)',
'Microsoft Internet Explorer execCommand Use-After-Free Vulnerability (2012-09-14)',
'Java AtomicReferenceArray Type Violation Vulnerability (2012-02-14)',
'Java Applet Field Bytecode Verifier Cache Remote Code Execution (2012-06-06)',
'MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption (2012-06-12)',
'Microsoft XML Core Services MSXML Uninitialized Memory Corruption (2012-06-12)',
'Adobe Flash Player Object Type Confusion  (2012-05-04)',
'Adobe Flash Player MP4 "cprt" Overflow (2012-02-15)',
'MS12-004 midiOutPlayNextPolyEvent Heap Overflow (2012-01-10)',
'Java Applet Rhino Script Engine Remote Code Execution (2011-10-18)',
'MS11-050 IE mshtml!CObjectElement Use After Free  (2011-06-16)',
'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability (2011-04-11)',
'Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute (2011-06-01)',
'Internet Explorer CSS Import Use After Free (2010-11-29)',
'Microsoft WMI Administration Tools ActiveX Buffer Overflow (2010-12-21)',
'Internet Explorer CSS Tags Memory Corruption (2010-11-03)',
'Sun Java Applet2ClassLoader Remote Code Execution (2011-02-15)',
'Sun Java Runtime New Plugin docbase Buffer Overflow (2010-10-12)',
'Microsoft Windows WebDAV Application DLL Hijacker (2010-08-18)',
'Adobe Flash Player AVM Bytecode Verification Vulnerability (2011-03-15)',
'Adobe Shockwave rcsL Memory Corruption Exploit (2010-10-21)',
'Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow (2010-09-07)',
'Apple QuickTime 7.6.7 Marshaled_pUnk Code Execution (2010-08-30)',
'Microsoft Help Center XSS and Command Execution (2010-06-09)',
'Microsoft Internet Explorer iepeers.dll Use After Free (2010-03-09)',
'Microsoft Internet Explorer "Aurora" Memory Corruption (2010-01-14)',
'Microsoft Internet Explorer Tabular Data Control Exploit (2010-03-0)',
'Microsoft Internet Explorer 7 Uninitialized Memory Corruption (2009-02-10)',
'Microsoft Internet Explorer Style getElementsbyTagName Corruption (2009-11-20)',
'Microsoft Internet Explorer isComponentInstalled Overflow (2006-02-24)',
'Microsoft Internet Explorer Explorer Data Binding Corruption (2008-12-07)',
'Microsoft Internet Explorer Unsafe Scripting Misconfiguration (2010-09-20)',
'FireFox 3.5 escape Return Value Memory Corruption (2009-07-13)',
'FireFox 3.6.16 mChannel use after free vulnerability (2011-05-10)',
'Metasploit Browser Autopwn (USE AT OWN RISK!)\n']

browser_exploits_text = """
 Enter the browser exploit you would like to use [8]:
"""

# this is for the powershell attack vectors
powershell_menu = ['Powershell Alphanumeric Shellcode Injector',
                  'Powershell Reverse Shell',
                  'Powershell Bind Shell',
                  'Powershell Dump SAM Database',
                  '0D']

powershell_text = ("""
The """ + bcolors.BOLD + """Powershell Attack Vector""" + bcolors.ENDC + """ module allows you to create PowerShell specific attacks. These attacks will allow 
you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell 
provides a fruitful  landscape for deploying payloads and performing functions that  do not get triggered by 
preventative technologies.
""")


encoder_menu = ['avoid_utf8_tolower (Normal)',
                'shikata_ga_nai (Very Good)',
                'alpha_mixed (Normal)',
                'alpha_upper (Normal)',
                'call4_dword_xor (Normal)',
                'countdown (Normal)',
                'fnstenv_mov (Normal)',
                'jmp_call_additive (Normal)',
                'nonalpha (Normal)',
                'nonupper (Normal)',
                'unicode_mixed (Normal)',
                'unicode_upper (Normal)',
                'alpha2 (Normal)',
                'No Encoding (None)',
                'Multi-Encoder (Excellent)',
                'Backdoored Executable (BEST)\n']

encoder_text = """
Below is a list of encodings to try and bypass AV. 

Select one of the below, 'backdoored executable' is typically the best.
"""

dll_hijacker_text = """
 The DLL Hijacker vulnerability will allow normal file extenstions to 
 call local (or remote) .dll files that can then call your payload or 
 executable. In this scenario it will compact the attack in a zip file
 and when the user opens the file extension, will trigger the dll then
 ultimately our payload. During the time of this release, all of these
 file extensions were tested and appear to work and are not patched. This
 will continiously be updated as time goes on.
"""

fakeap_dhcp_menu = ['10.0.0.100-254',
                    '192.168.10.100-254\n']

fakeap_dhcp_text = "Please choose which DHCP Config you would like to use: "

banner_text = bcolors.BLUE + """
  [---]       The Social-Engineer Toolkit (""" + bcolors.YELLOW + """SET""" + bcolors.BLUE+""")          [---]
  [---]        Written by:""" + bcolors.RED + """ David Kennedy """ + bcolors.BLUE + """(""" + bcolors.YELLOW + """ReL1K""" + bcolors.BLUE + """)         [---]
  [---]        Development Team: """ + bcolors.RED + """Thomas Werth""" + bcolors.BLUE + """            [---]
  [---]        Development Team: """ + bcolors.RED + """JR DePre (pr1me)""" + bcolors.BLUE + """        [---]
  [---]        Development Team: """ + bcolors.RED + """Joey Furr (j0fer)""" + bcolors.BLUE + """       [---]
  [---]        Development Team: """ + bcolors.RED + """Garland""" + bcolors.BLUE + """                 [---]
  [---]                 Version: """+bcolors.RED+"""%s""" % (define_version) +bcolors.BLUE+"""                   [---]
  [---]         Codename: '""" + bcolors.YELLOW + """Convergence Edition""" + bcolors.BLUE + """'          [---]
  [---]     Report """ + bcolors.RED +"""bugs""" + bcolors.BLUE + """ to:"""+ bcolors.GREEN + """ davek@secmaniac.com    """ + bcolors.BLUE+"""[---]
  [---]         Follow me on Twitter: """ + bcolors.PURPLE+ """dave_rel1k""" + bcolors.BLUE+"""         [---]
  [---]        Homepage: """ + bcolors.YELLOW + """http://www.secmaniac.com""" + bcolors.BLUE+"""        [---]

""" + bcolors.GREEN + """   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
    """ + '\n' + bcolors.BLUE + """    DerbyCon 2011 Sep30-Oct02 - http://www.derbycon.com.\n""" + bcolors.ENDC