xettercap 1.5.7xerob

data/lib/bettercap/proxy/http/response.rb

@@ -0,0 +1,226 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Proxy
+module HTTP
+
+# HTTP response parser.
+class Response
+  # HTTP protocol version
+  attr_accessor :version
+  # Response status code.
+  attr_accessor :code
+  # Response status message
+  attr_accessor :status
+  # Response content type.
+  attr_reader :content_type
+  # Response charset, default to UTF-8.
+  attr_reader :charset
+  # Response content length.
+  attr_reader :content_length
+  # True if this is a chunked encoded response, otherwise false.
+  attr_reader :chunked
+  # A list of response headers.
+  attr_accessor :headers
+  # Response body.
+  attr_accessor :body
+
+  # Return a 200 response object reading the file +filename+ with the specified
+  # +content_type+.
+  def self.from_file( filename, content_type )
+    r = Response.new
+    data = File.read(filename)
+
+    r << "HTTP/1.1 200 OK"
+    r << "Connection: close"
+    r << "Content-Length: #{data.bytesize}"
+    r << "Content-Type: #{content_type}"
+    r << "\n"
+    r << data
+
+    r
+  end
+
+  # Return a 302 response object redirecting to +url+, setting optional +cookies+.
+  def self.redirect( url, cookies = [] )
+    r = Response.new
+
+    r << "HTTP/1.1 302 Moved"
+    r << "Location: #{url}"
+
+    cookies.each do |cookie|
+      r << "Set-Cookie: #{cookie}"
+    end
+
+    r << "Connection: close"
+    r << "\n\n"
+
+    r
+  end
+
+  # Initialize this response object state.
+  def initialize
+    @version = '1.1'
+    @code = 200
+    @status = 'OK'
+    @content_type = nil
+    @charset = 'UTF-8'
+    @content_length = nil
+    @body = nil
+    @headers = {}
+    @headers_done = false
+    @chunked = false
+  end
+
+  # Convert a webrick response to this class.
+  def convert_webrick_response!(response)
+    self << "HTTP/#{response.http_version} #{response.code} #{response.msg}"
+    response.each do |key,value|
+      # sometimes webrick joins all 'set-cookie' headers
+      # which might cause issues with HSTS bypass.
+      if key == 'set-cookie'
+        response.get_fields('set-cookie').each do |v|
+          self << "Set-Cookie: #{v}"
+        end
+      else
+        self << "#{key.gsub(/\bwww|^te$|\b\w/){ $&.upcase }}: #{value}"
+      end
+    end
+    self << "\n"
+    @code = response.code
+    @body = response.body || ''
+  end
+
+  # Parse a single response +line+.
+  def <<(line)
+    # we already parsed the heders, collect response body
+    if @headers_done
+      @body = '' if @body.nil?
+      @body << line.force_encoding( @charset )
+    else
+      chomped = line.chomp
+      Logger.debug "  RESPONSE LINE: '#{chomped}'"
+
+      # is this the first line 'HTTP/<VERSION> <CODE> <STATUS>' ?
+      if chomped =~ /^HTTP\/([\d\.]+)\s+(\d+)\s+(.+)$/
+        @version = $1
+        @code    = $2.to_i
+        @status  = $3
+
+      # collect and fix headers
+      elsif chomped =~ /^([^:\s]+)\s*:\s*(.+)$/i
+        name = $1
+        value = $2
+
+        if name == 'Content-Type'
+          @content_type = value
+          if value =~ /^(.+);\s*charset=(.+)/i
+            @content_type = $1
+            @charset = $2.chomp
+          end
+        elsif name == 'Content-Length'
+          @content_length = value.to_i
+        # check if we have a chunked encoding
+        elsif name == 'Transfer-Encoding' and value == 'chunked'
+          @chunked = true
+          name     = nil
+          value    = nil
+        end
+
+        unless name.nil? or value.nil?
+          if @headers.has_key?(name)
+            if @headers[name].is_a?(Array)
+              @headers[name] << value
+            else
+              @headers[name] = [ @headers[name], value ]
+            end
+          else
+            @headers[name] = value
+          end
+        end
+      # last line, we're done with the headers
+      elsif chomped.empty?
+        @headers_done = true
+      end
+    end
+  end
+
+  # Return true if the response content type is textual, otherwise false.
+  def textual?
+    @content_type and ( @content_type =~ /^text\/.+/ or @content_type =~ /^application\/.+/ )
+  end
+
+  # Return the value of header with +name+ or an empty string.
+  def [](name)
+    ( @headers.has_key?(name) ? @headers[name] : "" )
+  end
+
+  # If the header with +name+ is found, then a +value+ is assigned to it,
+  # otherwise it's created.
+  def []=(name, value)
+    if @headers.has_key?(name)
+      if value.nil?
+        @headers.delete(name)
+      else
+        @headers[name] = value
+      end
+    elsif !value.nil?
+      @headers[name] = value
+    end
+  end
+
+  # Search for header +name+ and apply a gsub substitution:
+  #   value.gsub( +search+, +replace+ )
+  def patch_header!( name, search, replace )
+    value = self[name]
+    unless value.empty?
+      patched = []
+      if value.is_a?(Array)
+        value.each do |v|
+          patched << v.gsub( search, replace )
+        end
+      else
+        patched << value.gsub( search, replace )
+      end
+
+      self[name] = patched
+    end
+  end
+
+  # Return a string representation of this response object, patching the
+  # Content-Length header if the #body was modified.
+  def to_s
+    # update content length in case the body was modified.
+    if @headers.has_key?('Content-Length')
+      @headers['Content-Length'] = @body.nil?? 0 : @body.bytesize
+    end
+
+    s = "HTTP/#{@version} #{@code} #{@status}\n"
+    @headers.each do |name,value|
+      if value.is_a?(Array)
+        value.each do |v|
+          s << "#{name}: #{v}\n"
+        end
+      else
+        s << "#{name}: #{value}\n"
+      end
+    end
+    s << "\n" + ( @body.nil?? "\n" : @body )
+    s
+  end
+end
+
+end
+end
+end

data/lib/bettercap/proxy/http/ssl/authority.rb

@@ -0,0 +1,182 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Proxy
+module HTTP
+module SSL
+
+# Simple wrapper class used to fetch a server HTTPS certificate.
+class Fetcher < Net::HTTP
+  # The server HTTPS certificate.
+  attr_accessor :certificate
+  # Overridden from Net::HTTP in order to save the peer certificate
+  # before the connection is closed.
+  def on_connect
+    @certificate = peer_cert
+  end
+  # Fetch the HTTPS certificate of +hostname+:+port+.
+  def self.fetch( hostname, port )
+    http             = self.new( hostname, port )
+    http.use_ssl     = true
+    http.ssl_timeout =
+    http.open_timeout =
+    http.read_timeout = 10
+
+    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+    http.head("/")
+    http.certificate
+  end
+end
+
+# Used as an on-disk cache of server certificates.
+class Store
+  # The store path.
+  PATH = File.join( Dir.home, '.bettercap', 'certificates' )
+
+  # Create an instance of this class.
+  def initialize
+    unless File.directory?( Store::PATH )
+      Logger.info "[#{'SSL'.green}] Initializing certificates store '#{Store::PATH}' ..."
+      FileUtils.mkdir_p( Store::PATH )
+    end
+
+    @store = {}
+    @lock  = Mutex.new
+  end
+
+  # Find the +hostname+:+port+ certificate and return it.
+  def find( hostname, port )
+    key = Digest::SHA256.hexdigest( "#{hostname}_#{port}" )
+
+    @lock.synchronize {
+      unless @store.has_key?(key)
+        # Certificate not available in memory, search it in the store PATH.
+        filename = File.join( Store::PATH, key )
+        s_cert = load_from_file( filename )
+        # Not available on disk too, fetch it from the server and save it.
+        if s_cert.nil?
+          Logger.info "[#{'SSL'.green}] Fetching certificate from #{hostname}:#{port} ..."
+
+          s_cert = Fetcher.fetch( hostname, port )
+          save_to_file( s_cert, filename )
+        else
+          Logger.debug "[#{'SSL'.green}] Loaded HTTPS certificate for '#{hostname}' from store."
+        end
+
+        @store[key] = s_cert
+      end
+    }
+
+    @store[key]
+  end
+
+  private
+
+  # Load and return a certificate from +filename+ if it exists, also check if
+  # the certificate is expired, in which case it will remove it and return nil.
+  def load_from_file( filename )
+    cert = nil
+    if File.exist?(filename)
+      data = File.read(filename)
+      cert = OpenSSL::X509::Certificate.new(data)
+      # Check if expired.
+      now = Time.now
+      if now < cert.not_before or now > cert.not_after
+        File.delete( filename )
+        cert = nil
+      end
+    end
+    cert
+  end
+
+  # Save the +cert+ certificate to +filename+ encoded as PEM.
+  def save_to_file( cert, filename )
+    File.open( filename, "w+" ) { |file| file.write(cert.to_pem) }
+  end
+end
+
+# This class represents bettercap's HTTPS CA.
+class Authority
+  # Default CA file.
+  DEFAULT = File.join( Dir.home, '.bettercap', 'bettercap-ca.pem' )
+
+  # CA certificate.
+  attr_reader :certificate
+  # CA key.
+  attr_reader :key
+
+  # Create an instance of this class loading the certificate and key from
+  # +filename+ which is expected to be a PEM formatted file.
+  # If +filename+ is nil, Authority::DEFAULT will be used instead.
+  def initialize( filename = nil )
+    install_ca
+    filename ||= Authority::DEFAULT
+
+    Logger.info "[#{'SSL'.green}] Loading HTTPS Certification Authority from '#{filename}' ..."
+
+    begin
+      pem = File.read(filename)
+
+      @certificate = OpenSSL::X509::Certificate.new(pem)
+      @key         = OpenSSL::PKey::RSA.new(pem)
+      @store       = Store.new
+      @cache       = {}
+      @lock        = Mutex.new
+    rescue Errno::ENOENT
+      raise BetterCap::Error, "'#{filename}' - No such file or directory."
+
+    rescue OpenSSL::X509::CertificateError
+      raise BetterCap::Error, "'#{filename}' - Missing or invalid certificate."
+
+    rescue OpenSSL::PKey::RSAError
+      raise BetterCap::Error, "'#{filename}' - Missing or invalid key."
+    end
+  end
+
+  # Fetch the certificate from +hostname+:+port+, sign it with our own CA and
+  # return it.
+  def spoof( hostname, port = 443 )
+    @lock.synchronize {
+      unless @cache.has_key?(hostname)
+        # 1. fetch real server certificate
+        s_cert = @store.find( hostname, port )
+        # 2. Sign it with our CA.
+        s_cert.public_key = @key.public_key
+        s_cert.issuer     = @certificate.subject
+        s_cert.sign( @key, OpenSSL::Digest::SHA256.new )
+        # 3. Profit ^_^
+        @cache[hostname] = s_cert
+      end
+    }
+    @cache[hostname]
+  end
+
+  def install_ca
+    unless File.exist?( Authority::DEFAULT )
+      root   = File.join( Dir.home, '.bettercap' )
+      source = File.dirname(__FILE__) + '/bettercap-ca.pem'
+
+      Logger.info "[#{'SSL'.green}] Installing CA to #{root} ..."
+
+      FileUtils.mkdir_p( root )
+      FileUtils.cp( source, root )
+    end
+  end
+end
+
+end
+end
+end
+end

data/lib/bettercap/proxy/http/ssl/bettercap-ca.pem

@@ -0,0 +1,49 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCaoeZj2x7hY4RV
+L4S6F6GfsEAye1/rTivXQCBsEMdBifPFCWz4i1s5v1CbxO4x4dfgtJiVniGyMsnQ
+pWOsZ/kjt74FIzgA2A7RTsz6+jvxFnw8uNH2UvHAlXerpghBw7F46HTKb7fPGlXI
+eMrXd7SQ9fonNM1fQ0L37+ILAaZIIXjm3bM7KWuM7+8qr2bxLxP9A1ud5ruOLNF+
+jxcCykm6ir/eo3M+4Yo9pOwsIvg9foOw7ahEVSB7nAZB9J2ohbCFfG7sFhKKgWFT
+xKBiEHny8qaD1/16FID/SZVXhFjjK2n8Gd87cIk104392H/MQVWui9rkocwszCov
+jFVOnlhjAgMBAAECggEAAM/Ivc1wpA45q5jMQY3OM2BhdeJf5oRKhp63jNmpshZf
+STF7ePKCUBNJAQhPl8NvtqY8Bs0FsEHD/Wxg0Y7aJ+3W+X/t01NPAJpBSS/3EJTl
+ogv2TiyxSCmAr033zSCR1eiidE2R0Wx59strhSYDtJ8V6Q7F5TIdL9/6d8RScx53
+xT/efogV3ebmXNhOOG6FrjQ5uCW7KZUXRaL3nozhEldFpzjak1XKVgKLv7OBaLwI
+tCgVGkfJpZbTYV2sht32JAwkEyTPtS8/49A4RRu5c62pLiDK5TkQGxtBLBpBTFoi
+f95LeqyApRDR5zTeP8uvHyK/Of5YBLJljkx+YDYugQKBgQDJN4KXOhV4DGVvriwA
+RBEd5nNJ/t/MATcGrFX4uqApdsMux9cpRaNa1hRxn2icm/whHrOFaBROAB7L6Zd4
+uLnrzpwFTq9YMH4AXe+sPphAtuk7ZULj1qkZ3yOjiKAJcJ4LWUxQ3H32KU6GIu+e
+x/e+B95pmk+s9XKajMSkKaMkWwKBgQDEu4fzhRyVvntq1s6D5R9du9eRV/6E5hLs
+gylMx8smzHQ46Ef5df5uEJUfkzyCJmOMGpKAW5czsLgKkx05Xw97xwn++/9lhHas
+E4SFArrIkAvBmiM44fZSKY3sVUWAHKYJy+Lg/7SR4cFVOxRyYhrFLjeXb9mOEdTo
+a6xmM3M6mQKBgDRpqDOaJqN5nyaDGOUM1eSS9a7tm//4xQuQ8mfyvOtwCxFxbqNK
+h22O3A5otogsvXUnGR4D6V4T+/GjrBf/DjbVP6DGSThQkVGpJlgYifI5cvFMxCqy
+7KNXk2HyobUzx4cvQIjDlm/7fH/GM+KJNggi5pVdY6mq2apWRpZ4Xg2HAoGBAJOs
+WQ6Yuq5Ev4uhFn+2+2Z23AeDz8+ejFHw2o2B46KKEiutYGmHAqdH10hOUzs26b5/
+K70iA0uPuXZmm6c3Df5Rl9VI/5sKZbIhLHZTaDWouspmk03df/KIsrnWAEd8Ob5c
+xz8xci+XEHKT2HNL5OBiIuSP1vRnujOEr3I/6JzxAoGBAJlu4gjm8StuL5ALy43a
+K62Nrsio/RhPjVUKXMtzTOgf2f2mRn04YibRNbB5Gzum4oWkjyue7qhBjIt/FX1Z
+kecFhr5JG4u/yyR6R2BMw4Jvh9kV6Y/GnDpSga8sK2P3QKFD01Qtw72x5xCj94CL
+kWqGcTRdiMAWQsRKvndzWAMc
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDZzCCAk+gAwIBAgIJANKD84I3l13QMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQKDAliZXR0ZXJjYXAx
+EjAQBgNVBAMMCWJldHRlcmNhcDAeFw0xNjAyMjMwMTAxNTlaFw0xNzAyMjIwMTAx
+NTlaMEoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQK
+DAliZXR0ZXJjYXAxEjAQBgNVBAMMCWJldHRlcmNhcDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAJqh5mPbHuFjhFUvhLoXoZ+wQDJ7X+tOK9dAIGwQx0GJ
+88UJbPiLWzm/UJvE7jHh1+C0mJWeIbIyydClY6xn+SO3vgUjOADYDtFOzPr6O/EW
+fDy40fZS8cCVd6umCEHDsXjodMpvt88aVch4ytd3tJD1+ic0zV9DQvfv4gsBpkgh
+eObdszspa4zv7yqvZvEvE/0DW53mu44s0X6PFwLKSbqKv96jcz7hij2k7Cwi+D1+
+g7DtqERVIHucBkH0naiFsIV8buwWEoqBYVPEoGIQefLypoPX/XoUgP9JlVeEWOMr
+afwZ3ztwiTXTjf3Yf8xBVa6L2uShzCzMKi+MVU6eWGMCAwEAAaNQME4wHQYDVR0O
+BBYEFBspFbBsNWr57dZicWMDjOaRxQoPMB8GA1UdIwQYMBaAFBspFbBsNWr57dZi
+cWMDjOaRxQoPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJXGBH8H
+DKttB8KIbFzVRVcBQ5Wvw+3oFVlmnotQuxz17fGr2ZXEPiY8/P89MgAUqVkiaIS5
+EZOnIfPu7icGWvT0N3eoxnLaTdCFy0NOHXJh2+zrav5FWsULsmSxOBxItvkxq0fN
+yk1P/5kLmrJKnKUJKH7QDjNeEqJdfSx+dg2435a5pcvrVfjCGrd8F8CIED6sYd0n
+pibpJXi8TILiPrjNhTWT2Y5XflfV3Ho/+jIbeY3wzsApwsBINy0ticABdPhtEGHk
+nkR6dqDv1rSuzify5OdYeLy/UX4R/vv1BS0PLScE1lUB16ybzJ2imWJgOQs6J4E6
+hHakJaVPVAPFWUU=
+-----END CERTIFICATE-----

data/lib/bettercap/proxy/http/ssl/server.rb

@@ -0,0 +1,63 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Proxy
+module HTTP
+module SSL
+
+# Little utility class to handle SSLServer creation.
+class Server
+  # The SSL certification authority.
+  attr_reader :authority
+  # Main SSLContext instance.
+  attr_reader :context
+  # Socket I/O object.
+  attr_reader :io
+
+  # Create an instance from the TCPSocket +socket+.
+  def initialize( socket )
+    @authority    = Authority.new( Context.get.options.proxies.proxy_pem_file )
+    @context      = OpenSSL::SSL::SSLContext.new
+    @context.cert = @authority.certificate
+    @context.key  = @authority.key
+
+    # If the client supports SNI ( https://en.wikipedia.org/wiki/Server_Name_Indication )
+    # we'll receive the hostname it wants to connect to in this callback.
+    # Use the CA we already have loaded ( or generated ) to sign a new
+    # certificate at runtime with the correct 'Common Name' and create a new SSL
+    # context with it, these are the steps:
+    #
+    # 1. Get hostname from SNI.
+    # 2. Fetch upstream certificate from the real server.
+    # 3. Resign it with our own CA.
+    # 4. Create a new context with the new spoofed certificate.
+    # 5. Profit ^_^
+    @context.servername_cb = proc { |sslsocket, hostname|
+      Logger.debug "[#{'SSL'.green}] Server-Name-Indication for '#{hostname}'"
+
+      ctx      = OpenSSL::SSL::SSLContext.new
+      ctx.cert = @authority.spoof( hostname )
+      ctx.key  = @authority.key
+
+      ctx
+    }
+
+    @io = OpenSSL::SSL::SSLServer.new( socket, @context )
+  end
+end
+
+end
+end
+end
+end

data/lib/bettercap/proxy/http/sslstrip/cookiemonitor.rb

@@ -0,0 +1,67 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Proxy
+module HTTP
+module SSLStrip
+
+# Class to handle a cookies for sslstrip.
+class CookieMonitor
+  # Create an instance of this object.
+  def initialize
+    @set = []
+  end
+
+  def add!(request)
+    @set << [request.client, get_domain(request)]
+  end
+
+  # Return true if the +request+ was already cleaned.
+  def is_clean?(request)
+    if request.post?
+      return true
+    elsif request['Cookie'].empty?
+      return true
+    else
+      return @set.include?( [request.client, get_domain(request)] )
+    end
+  end
+
+  # Build cookie expiration headers for the +request+ and add its domain
+  # to our list.
+  def get_expired_headers!(request)
+    domain = get_domain(request)
+    @set << [request.client, domain]
+
+    expired = []
+    request['Cookie'].split(';').each do |cookie|
+      cname = cookie.split("=")[0].strip
+      expired << "#{cname}=EXPIRED; path=/; domain=#{domain}; Expires=Mon, 01-Jan-1990 00:00:00 GMT"
+      expired << "#{cname}=EXPIRED; path=/; domain=#{request.host}; Expires=Mon, 01-Jan-1990 00:00:00 GMT"
+    end
+
+    expired
+  end
+
+  # Return the cookie domain given the +request+ object.
+  def get_domain(request)
+    parts = request.host.split('.')
+    ".#{parts[-2]}.#{parts[-1]}"
+  end
+end
+
+end
+end
+end
+end