Support host in http pattern matching and add imitation of known ip a…

…ddress lookup sites

README.rst

@@ -79,6 +79,7 @@ This project is still in early development, as such the feature set is limited.
 
 * DNS redirection based on simple config file
 * HTTP/HTTPS serving of static files based on url regexes
+* Imitate known external IP address lookup sites (thanks to `ipgetter`_ for the compiled list)
 * IRC service to capture connect and channel joins, etc.
 * Basic SMTP server support (no auth support yet)
 * Listening port ranges easily configurable and separate from the modules that handle the traffic. 
@@ -90,7 +91,7 @@ Planned Additions:
 * Internal DHCP server to auto configure clients
 * Expand available fake services to include FTP, etc.
 * SMTP Authentication support
-* HTTP/S response switching based on requested host/server not just URL pattern
+* Pluggable fake C2 servers
 * Better documentation
 
 Issues
@@ -101,6 +102,7 @@ requests can be made using GitHub's `issues system`_.
 
 .. _GitHub: https://github.com/shendo/netsink
 .. _issues system: https://github.com/shendo/netsink/issues
+.. _ipgetter: https://github.com/phoemur/ipgetter
 
 .. |build_status| image:: https://secure.travis-ci.org/shendo/netsink.png?branch=master
    :target: https://travis-ci.org/shendo/netsink

netsink/conf/http.conf

@@ -1,8 +1,18 @@
 [http]
 
-responses = test,default
+responses = iplookup.txt,iplookup.html,test,default
 serverstring = Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
 
+[iplookup.txt]
+pattern = (ip\.dnsexit\.com|ifconfig\.me/ip|ipecho\.net/plain|checkip\.dyndns\.org/plain|bot\.whatismyipaddress\.com|myexternalip\.com/raw|www\.trackip\.net/ip|icanhazip\.com|wtfismyip\.com/text)
+status = 200
+file = ipaddress.txt
+
+[iplookup.html]
+pattern = (ipecho\.net|checkip\.dyndns\.org|ipogre\.com|whatismyipaddress\.com|ip\.my-proxy\.com|websiteipaddress\.com/WhatIsMyIp|getmyipaddress\.org|www\.my-ip-address\.net|myexternalip\.com|www\.canyouseeme\.org|www\.trackip\.net|www\.iplocation\.net|www\.howtofindmyipaddress\.com|www\.ipchicken\.com|whatsmyip\.net|www\.ip-adress\.com|checkmyip\.com|www\.tracemyip\.org|checkmyip\.net|www\.lawrencegoetz\.com/programs/ipinfo|www\.findmyip\.co|ip-lookup\.net|www\.dslreports\.com/whois|www\.mon-ip\.com/../my-ip|myip\.ru|ipgoat\.com|www\.myipnumber\.com/my-ip-address\.asp|www\.whatsmyipaddress\.net|formyip\.com|check\.torproject\.org|www\.displaymyip\.com|www\.bobborst\.com/tools/whatsmyip|www\.geoiptool\.com|www\.whatsmydns\.net/whats-my-ip-address\.html|www\.privateinternetaccess\.com/pages/whats-my-ip|checkip\.dyndns\.com|myexternalip\.com|www\.ip-adress\.eu|www\.infosniper\.net|wtfismyip\.com|ipinfo\.io|httpbin\.org/ip)
+status = 200
+file = ipaddress.html
+
 [test]
 pattern = .*/404$
 status = 404

netsink/data/ipaddress.html

@@ -0,0 +1,13 @@
+<html>
+	<head>
+		<title>What Is My IP Address</title>
+	</head>
+	<body>
+		<div style="text-align:center;font-size:26px;padding-top:0px;color:#000;">Your IP Address Is:</div>
+		<div style="text-align:center;font-size:26px;padding-top:10px;font-weight:bold;color:#007cc3;">
+<!-- do not script -->
+11.22.33.44
+<!-- do not script -->
+		</div>
+	</body>
+</html>

netsink/data/ipaddress.txt

@@ -0,0 +1 @@
+11.22.33.44

netsink/modules/http.py

@@ -59,19 +59,23 @@ def handle(self):
                 break
 
         # read (and ignore) any body
-        m = re.match("Content-Length: (?P<length>\d+)", data)
+        m = re.search("Content-Length: (?P<length>\d+)\r\n", data)
         if m:
             self.rfile.read(int(m.group('length')))
         # handle request
+        host = ""
+        m = re.search(r"Host: (?P<host>[0-9a-zA-Z\-\.\:]+)\r\n", data)
+        if m:
+            host = m.group('host').lower() # normalise
         m = re.match(r"^(?P<method>\w+) (?P<path>\S+) (?P<version>HTTP/\d\.\d)\r\n", data)
         if m:
-            self.handlepath(m.group('method'), m.group('path'))
+            self.handlepath(host, m.group('method'), m.group('path'))
 
-    def handlepath(self, method, path):
+    def handlepath(self, host, method, path):
         """Search config patterns to find an appropriate file/response to return.
         """
         for x in self.responses:
-            m = re.match(x.pattern, path)
+            m = re.match(x.pattern, host + path)
             if m:
                 data = ""
                 if x.file and x.file != "None":

tests/test_http.py

@@ -12,3 +12,23 @@ def test_http():
     resp = urllib2.urlopen("http://127.0.0.1:{0}/anything/blah.html".format(
                             server.socket.getsockname()[1])).read()
     assert "Netsink" in resp
+
+def test_iplookup():
+    server = SocketServer.TCPServer(('', 0), http.HTTPHandler)
+    server.cfg = ModuleConfig('http.conf').cfg
+    thread.start_new_thread(server.serve_forever, ())
+    headers = { "User-Agent": 'Google-Bot', "Host": 'ipgoat.com' }
+    req = urllib2.Request("http://127.0.0.1:{0}".format(
+                            server.socket.getsockname()[1]), headers=headers)
+    resp = urllib2.urlopen(req).read()
+    assert "11.22.33.44" in resp
+
+def test_iplookup_raw():
+    server = SocketServer.TCPServer(('', 0), http.HTTPHandler)
+    server.cfg = ModuleConfig('http.conf').cfg
+    thread.start_new_thread(server.serve_forever, ())
+    headers = { "Host": 'checkip.dyndns.org' }
+    req = urllib2.Request("http://127.0.0.1:{0}/plain".format(
+                            server.socket.getsockname()[1]), headers=headers)
+    resp = urllib2.urlopen(req).read()
+    assert resp.startswith("11.22.33.44")