A modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates.
EVILGRADE USAGE EXAMPLE
root@kali:~# evilgrade
[DEBUG] - Loading module: modules/allmynotes.pm
[DEBUG] - Loading module: modules/notepadplus.pm
[DEBUG] - Loading module: modules/nokia.pm
[DEBUG] - Loading module: modules/winscp.pm
[DEBUG] - Loading module: modules/jet.pm
[DEBUG] - Loading module: modules/sunjava.pm
[DEBUG] - Loading module: modules/bbappworld.pm
[DEBUG] - Loading module: modules/gom.pm
[DEBUG] - Loading module: modules/ccleaner.pm
[DEBUG] - Loading module: modules/winupdate.pm
[DEBUG] - Loading module: modules/vidbox.pm
[DEBUG] - Loading module: modules/atube.pm
[DEBUG] - Loading module: modules/winzip.pm
[DEBUG] - Loading module: modules/apt.pm
[DEBUG] - Loading module: modules/mirc.pm
[DEBUG] - Loading module: modules/filezilla.pm
[DEBUG] - Loading module: modules/dap.pm
[DEBUG] - Loading module: modules/flip4mac.pm
[DEBUG] - Loading module: modules/divxsuite.pm
[DEBUG] - Loading module: modules/opera.pm
[DEBUG] - Loading module: modules/yahoomsn.pm
[DEBUG] - Loading module: modules/linkedin.pm
[DEBUG] - Loading module: modules/techtracker.pm
[DEBUG] - Loading module: modules/fcleaner.pm
[DEBUG] - Loading module: modules/appleupdate.pm
[DEBUG] - Loading module: modules/trillian.pm
[DEBUG] - Loading module: modules/sunbelt.pm
[DEBUG] - Loading module: modules/growl.pm
[DEBUG] - Loading module: modules/vmware.pm
[DEBUG] - Loading module: modules/panda_antirootkit.pm
[DEBUG] - Loading module: modules/orbit.pm
[DEBUG] - Loading module: modules/teamviewer.pm
[DEBUG] - Loading module: modules/blackberry.pm
[DEBUG] - Loading module: modules/miranda.pm
[DEBUG] - Loading module: modules/clamwin.pm
[DEBUG] - Loading module: modules/jetphoto.pm
[DEBUG] - Loading module: modules/istat.pm
[DEBUG] - Loading module: modules/nokiasoftware.pm
[DEBUG] - Loading module: modules/getjar.pm
[DEBUG] - Loading module: modules/sparkle.pm
[DEBUG] - Loading module: modules/cpan.pm
[DEBUG] - Loading module: modules/cygwin.pm
[DEBUG] - Loading module: modules/express_talk.pm
[DEBUG] - Loading module: modules/openoffice.pm
[DEBUG] - Loading module: modules/osx.pm
[DEBUG] - Loading module: modules/flashget.pm
[DEBUG] - Loading module: modules/amsn.pm
[DEBUG] - Loading module: modules/isopen.pm
[DEBUG] - Loading module: modules/apptapp.pm
[DEBUG] - Loading module: modules/googleanalytics.pm
[DEBUG] - Loading module: modules/autoit3.pm
[DEBUG] - Loading module: modules/photoscape.pm
[DEBUG] - Loading module: modules/quicktime.pm
[DEBUG] - Loading module: modules/itunes.pm
[DEBUG] - Loading module: modules/winamp.pm
[DEBUG] - Loading module: modules/skype.pm
[DEBUG] - Loading module: modules/virtualbox.pm
[DEBUG] - Loading module: modules/bsplayer.pm
[DEBUG] - Loading module: modules/freerip.pm
[DEBUG] - Loading module: modules/paintnet.pm
[DEBUG] - Loading module: modules/speedbit.pm
[evilgrade ASCII-art banner]
www.infobytesec.com - 63 modules available.
evilgrade>config skype
evilgrade(skype)>start
evilgrade(skype)>
[17/5/2014:12:52:11] - [WEBSERVER] - Webserver ready. Waiting for connections ...
evilgrade(skype)>
[17/5/2014:12:52:11] - [DNSSERVER] - DNS Server Ready. Waiting for Connections ...
evilgrade(skype)>
CATEGORIES: SNIFFING/SPOOFING
TAGS: EXPLOITATION, SPOOFING
mitmproxy
MITMPROXY PACKAGE DESCRIPTION
mitmproxy is an SSL-capable man-in-the-middle HTTP proxy. It provides a console interface that allows traffic flows to be inspected and edited on the fly. Also shipped is mitmdump, the command-line version of mitmproxy, with the same functionality but without the frills. Think tcpdump for HTTP.
intercept and modify HTTP traffic on the fly
save HTTP conversations for later replay and analysis
replay both HTTP clients and servers
make scripted changes to HTTP traffic using Python
SSL interception certs generated on the fly
Source: http://mitmproxy.org/
mitmproxy Homepage | Kali mitmproxy Repo
Author: Aldo Cortesi
License: GPLv3
TOOLS INCLUDED IN THE MITMPROXY PACKAGE
mitmproxy – SSL-capable man-in-the-middle HTTP proxy
root@kali:~# mitmproxy -h
usage: mitmproxy [options]
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
-b ADDR Address to bind proxy to (defaults to all interfaces)
--anticache Strip out request headers that might cause the server to return 304-not-modified.
--confdir CONFDIR Configuration directory. (~/.mitmproxy)
-e Show event log.
-n Don't start a proxy server.
-p PORT Proxy service port.
-P REVERSE_PROXY Reverse proxy to upstream server: http[s]://host[:port]
-F FORWARD_PROXY Proxy to unconditionally forward to: http[s]://host[:port]
-q Quiet.
-r RFILE Read flows from file.
-s "script.py --bar" Run a script. Surround with quotes to pass script arguments. Can be passed multiple times.
-t FILTER Set sticky cookie filter. Matched against requests.
-T Set transparent proxy mode.
-u FILTER Set sticky auth filter. Matched against requests.
-v Increase verbosity. Can be passed multiple times.
-w WFILE Write flows to file.
-z Try to convince servers to send us un-compressed data.
-Z SIZE Byte size limit of HTTP request and response bodies. Understands k/m/g suffixes, i.e. 3m for 3 megabytes.
--host Use the Host header to construct URLs for display.
--no-upstream-cert Don't connect to upstream server to look up certificate details.
--debug
--palette PALETTE Select color palette: dark, light, solarized_dark, solarized_light
Web App:
-a Disable the mitmproxy web app.
--app-host host Domain to serve the app from. For transparent mode, use an IP when a DNS entry for the app domain is not present. Default: mitm.it
--app-port 80 Port to serve the app from.
--app-external Serve the app outside of the proxy.
Client Replay:
-c PATH Replay client requests from a saved file.
Server Replay:
-S PATH Replay server responses from a saved file.
-k Kill extra requests during replay.
--rheader RHEADERS Request headers to be considered during replay. Can be passed multiple times.
--norefresh Disable response refresh, which updates times in cookies and headers for replayed responses.
--no-pop Disable response pop from response flow. This makes it possible to replay same response multiple times.
Replacements:
Replacements are of the form "/pattern/regex/replacement", where the separator can be any character. Please see the documentation for more information.
--replace PATTERN Replacement pattern.
--replace-from-file PATH Replacement pattern, where the replacement clause is a path to a file.
Set Headers:
Header specifications are of the form "/pattern/header/value", where the separator can be any character. Please see the documentation for more information.
--setheader PATTERN Header set pattern.
Proxy Authentication:
Specify which users are allowed to access the proxy and the method used for authenticating them. These options are ignored if the proxy is in transparent or reverse proxy mode.
--nonanonymous Allow access to any user long as a credentials are specified.
--singleuser USER Allows access to a a single user, specified in the form username:password.
--htpasswd PATH Allow access to users specified in an Apache htpasswd file.
SSL:
--cert CERT User-created SSL certificate file.
--client-certs CLIENTCERTS Client certificate directory.
Filters:
See help in mitmproxy for filter expression syntax.
-i INTERCEPT, --intercept INTERCEPT
Intercept filter expression.
mitmdump (the command-line companion to mitmproxy) – A souped-up tcpdump for HTTP
root@kali:~# mitmdump -h
usage: mitmdump [options] [filter]
positional arguments:
args
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
-b ADDR Address to bind proxy to (defaults to all interfaces)
--anticache Strip out request headers that might cause the server to return 304-not-modified.
--confdir CONFDIR Configuration directory. (~/.mitmproxy)
-e Show event log.
-n Don't start a proxy server.
-p PORT Proxy service port.
-P REVERSE_PROXY Reverse proxy to upstream server: http[s]://host[:port]
-F FORWARD_PROXY Proxy to unconditionally forward to: http[s]://host[:port]
-q Quiet.
-r RFILE Read flows from file.
-s "script.py --bar" Run a script. Surround with quotes to pass script arguments. Can be passed multiple times.
-t FILTER Set sticky cookie filter. Matched against requests.
-T Set transparent proxy mode.
-u FILTER Set sticky auth filter. Matched against requests.
-v Increase verbosity. Can be passed multiple times.
-w WFILE Write flows to file.
-z Try to convince servers to send us un-compressed data.
-Z SIZE Byte size limit of HTTP request and response bodies. Understands k/m/g suffixes, i.e. 3m for 3 megabytes.
--host Use the Host header to construct URLs for display.
--no-upstream-cert Don't connect to upstream server to look up certificate details.
--keepserving Continue serving after client playback or file read. We exit by default.
Web App:
-a Disable the mitmproxy web app.
--app-host host Domain to serve the app from. For transparent mode, use an IP when a DNS entry for the app domain is not present. Default: mitm.it
--app-port 80 Port to serve the app from.
--app-external Serve the app outside of the proxy.
Client Replay:
-c PATH Replay client requests from a saved file.
Server Replay:
-S PATH Replay server responses from a saved file.
-k Kill extra requests during replay.
--rheader RHEADERS Request headers to be considered during replay. Can be passed multiple times.
--norefresh Disable response refresh, which updates times in cookies and headers for replayed responses.
--no-pop Disable response pop from response flow. This makes it possible to replay same response multiple times.
Replacements:
Replacements are of the form "/pattern/regex/replacement", where the separator can be any character. Please see the documentation for more information.
--replace PATTERN Replacement pattern.
--replace-from-file PATH Replacement pattern, where the replacement clause is a path to a file.
Set Headers:
Header specifications are of the form "/pattern/header/value", where the separator can be any character. Please see the documentation for more information.
--setheader PATTERN Header set pattern.
Proxy Authentication:
Specify which users are allowed to access the proxy and the method used for authenticating them. These options are ignored if the proxy is in transparent or reverse proxy mode.
--nonanonymous Allow access to any user long as a credentials are specified.
--singleuser USER Allows access to a a single user, specified in the form username:password.
--htpasswd PATH Allow access to users specified in an Apache htpasswd file.
SSL:
--cert CERT User-created SSL certificate file.
--client-certs CLIENTCERTS Client certificate directory.
MITMPROXY USAGE EXAMPLE
Run mitmproxy listening (-p) on port 2139.
root@kali:~# mitmproxy -p 2139
CATEGORIES: SNIFFING/SPOOFING
TAGS: HTTP, HTTPS, PROXY, SNIFFING, SPOOFING
ohrwurm
ohrwurm is a small and simple RTP fuzzer that has been successfully tested on a small number of SIP phones. Features:
reads SIP messages to get information of the RTP port numbers
reading SIP can be omitted by providing the RTP port numbers, so that any RTP traffic can be fuzzed
RTCP traffic can be suppressed to avoid that codecs learn about the “noisy line”
special care is taken to break RTP handling itself
the RTP payload is fuzzed with a constant BER
the BER is configurable
requires arpspoof from dsniff to do the MITM attack
requires both phones to be in a switched LAN (GW operation only works partially)
Source: http://mazzoo.de/blog/2006/08/25#ohrwurm
ohrwurm Homepage | Kali ohrwurm Repo
Author: Matthias Wenzel
License: GPLv2
TOOLS INCLUDED IN THE OHRWURM PACKAGE