Skip to content

Kharlam/Lupin

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

52 Commits

Lupin

Lupin

 
 

COPYING

COPYING

 
 

Lupin.py

Lupin.py

 
 

README

README

 
 

target_list.txt

target_list.txt

 
 

Repository files navigation

Lupin is a network MITM tool that automatically steals passwords from Chrome & Firefox password managers.
	
INSTALL:
	*** Requires Python 2.5 or newer, along with the 'twisted' python module.
	* Install twisted:  sudo apt-get install python-twisted-web

RUN:

	1) allow machine to forward: 
	   echo "1" > /proc/sys/net/ipv4/ip_forward

	2) Setup iptables:
	   iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <LupinPort>
	
	3) Run Lupin with optional arguments (See Below).
	
	4) Redirect traffic to your machine:
	   arpspoof -i <networkDevice> -t <targetAddress> <DefaultGatewayAddress>
	   
	   [Setting Lupin as the HTTP proxy on Chrome/Firefox works also... This may be preferable if you are simply testing on your own self and rather not mess with Arp tables]

OPTIONS:
	Run 'python Lupin.py -h' to get the command-line options.
	
    -l <port>, --listen=<port>
    
    -t <targets_file>, --targets=<targets_file>  
      
This is the list of target websites to check against. Each line in this file consists of the domain of the target and that domain's login form POST address as found on the real website's login form. Both addresses should be seperated by a "|" and only one target is allowed per line.
    
     -b <seconds>, --burst=<seconds>
    
Everytime the browser makes a request the refresh animations get triggered. If Lupin iterated through thousands of sites non-stop, the browsers refresh button would spin and reset for the entirety of the attack. Since it is not normal for a refresh animation to last more than a few seconds while a page is loading, Lupin limits the attack to bursts at a time. This option sets the approximate length of each attack burst. This is how long the refresh animation will spin and flicker while the burst is happening. The number of targets checked during this attack burst will depend on the victim's machine and on the network speed. However, on my tests Lupin iterated through about ~55 sites per second.
    
     -s <seconds>, --sleep=<seconds>

Since we limit the attack to bursts, we must sleep in between them. This option sets the number of seconds to wait between bursts. Many legitimate websites refresh periodically so having periodic refresh animations will not set off any alarms...However, a longer sleep time betweeen bursts would be more stealthy than a shorter one. If set to 0, the attack will run nonstop until all targets have been checked.
     
    -f, --focus 

Everytime the browser makes a request the status bar at the bottom of the screen shows the request being made. Since the status bar is relatively small and located at the bottom of the browser, and since the request only shows up for a few microseconds, it is highly unlikely a client will notice any single Lupin request as it flies by. However if hundreds or thousands of requests are being made in succesion, the status bar becomes a legitimate threat to Lupin's stealth. To mitigate this, Lupin will only run when the tab/window is out of focus. The status bar only shows requests for the tab in focus, so running only when out of focus helps keep Lupin stealthy. However, running only when the page is out of focus means that the attack may not run, if the page never loses focus. Setting this flag tells Lupin to run even if the page is in focus.

    -n --nibble

When websites first load, they tend to make a bunch of subsequent requests for stylesheets, scripts, media etc...It is normal for the refresh animations to persist for up to several seconds while a page loads completely. This, coupled with the fact that individual requests fly by the status bar very rapidly, means that it is most likely OK to run an attack burst when a page first loads (while it is in focus). Setting this flag causes Lupin to run a single burst of the attack when the page first loads and then sleeps until the page loses focus. This may be handy if a client does not browse with multiple tabs and never causes the main window to lose focus - under normal conditions, this would mean Lupin will never actually run since it normally waits to lose focus. If the bursts last too long, then all the previous logic does not hold since a long burst will not be amortized by the initial loading of the page.

    --bold

Bold mode dramatically increases the speed in which the attack runs by and the number of target websites checked. It does this by setting '--sleep=0' and also setting the '--focus' flag. Furthermore, the target_list on the client is not obfuscated. This means the scripts don't have to do any work to deobfuscate each entry in the list as it iterates through it. This speed increase comes at the cost of stealth. See above explanations for more details on the stealth costs of setting these flags.  Clients of moderate savviness will know that something is wrong. Although they would have a  hard time figuring out what exactly has happened. If you don't care about alerting the victims and only care about getting as many credentials as possible as quickly as possible then Bold mode is for you.

About

No description, website, or topics provided.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published