From 9cceb21b86741870c81c4b8c5ab169f5d5b4c459 Mon Sep 17 00:00:00 2001 From: shendo Date: Sun, 17 Aug 2014 12:44:30 +1000 Subject: [PATCH] Support host in http pattern matching and add imitation of known ip address lookup sites --- README.rst | 4 +++- netsink/conf/http.conf | 12 +++++++++++- netsink/data/ipaddress.html | 13 +++++++++++++ netsink/data/ipaddress.txt | 1 + netsink/modules/http.py | 12 ++++++++---- tests/test_http.py | 20 ++++++++++++++++++++ 6 files changed, 56 insertions(+), 6 deletions(-) create mode 100644 netsink/data/ipaddress.html create mode 100644 netsink/data/ipaddress.txt diff --git a/README.rst b/README.rst index 684a902..5f3dbd4 100644 --- a/README.rst +++ b/README.rst @@ -79,6 +79,7 @@ This project is still in early development, as such the feature set is limited. * DNS redirection based on simple config file * HTTP/HTTPS serving of static files based on url regexes +* Imitate known external IP address lookup sites (thanks to `ipgetter`_ for the compiled list) * IRC service to capture connect and channel joins, etc. * Basic SMTP server support (no auth support yet) * Listening port ranges easily configurable and separate from the modules that handle the traffic. @@ -90,7 +91,7 @@ Planned Additions: * Internal DHCP server to auto configure clients * Expand available fake services to include FTP, etc. * SMTP Authentication support -* HTTP/S response switching based on requested host/server not just URL pattern +* Pluggable fake C2 servers * Better documentation Issues @@ -101,6 +102,7 @@ requests can be made using GitHub's `issues system`_. .. _GitHub: https://github.com/shendo/netsink .. _issues system: https://github.com/shendo/netsink/issues +.. _ipgetter: https://github.com/phoemur/ipgetter .. |build_status| image:: https://secure.travis-ci.org/shendo/netsink.png?branch=master :target: https://travis-ci.org/shendo/netsink diff --git a/netsink/conf/http.conf b/netsink/conf/http.conf index 3a4582d..a71bb4e 100644 
--- a/netsink/conf/http.conf +++ b/netsink/conf/http.conf @@ -1,8 +1,18 @@ [http] -responses = test,default +responses = iplookup.txt,iplookup.html,test,default serverstring = Apache/1.3.3.7 (Unix) (Red-Hat/Linux) +[iplookup.txt] +pattern = (ip\.dnsexit\.com|ifconfig\.me/ip|ipecho\.net/plain|checkip\.dyndns\.org/plain|bot\.whatismyipaddress\.com|myexternalip\.com/raw|www\.trackip\.net/ip|icanhazip\.com|wtfismyip\.com/text) +status = 200 +file = ipaddress.txt + +[iplookup.html] +pattern = (ipecho\.net|checkip\.dyndns\.org|ipogre\.com|whatismyipaddress\.com|ip\.my-proxy\.com|websiteipaddress\.com/WhatIsMyIp|getmyipaddress\.org|www\.my-ip-address\.net|myexternalip\.com|www\.canyouseeme\.org|www\.trackip\.net|www\.iplocation\.net|www\.howtofindmyipaddress\.com|www\.ipchicken\.com|whatsmyip\.net|www\.ip-adress\.com|checkmyip\.com|www\.tracemyip\.org|checkmyip\.net|www\.lawrencegoetz\.com/programs/ipinfo|www\.findmyip\.co|ip-lookup\.net|www\.dslreports\.com/whois|www\.mon-ip\.com/../my-ip|myip\.ru|ipgoat\.com|www\.myipnumber\.com/my-ip-address\.asp|www\.whatsmyipaddress\.net|formyip\.com|check\.torproject\.org|www\.displaymyip\.com|www\.bobborst\.com/tools/whatsmyip|www\.geoiptool\.com|www\.whatsmydns\.net/whats-my-ip-address\.html|www\.privateinternetaccess\.com/pages/whats-my-ip|checkip\.dyndns\.com|myexternalip\.com|www\.ip-adress\.eu|www\.infosniper\.net|wtfismyip\.com|ipinfo\.io|httpbin\.org/ip) +status = 200 +file = ipaddress.html + [test] pattern = .*/404$ status = 404 diff --git a/netsink/data/ipaddress.html b/netsink/data/ipaddress.html new file mode 100644 index 0000000..141d1c7 --- /dev/null +++ b/netsink/data/ipaddress.html @@ -0,0 +1,13 @@ + + + What Is My IP Address + + +
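Review bot: The `responses` order is now load-bearing: `checkip\.dyndns\.org` and `ipecho\.net` appear in both `[iplookup.txt]` and `[iplookup.html]`, and the plain-text reply only wins because `iplookup.txt` is listed first and handlepath() in netsink/modules/http.py takes the first match; a comment above `responses` such as `# first matching pattern wins: keep the text-only lookups ahead of the html ones` would stop a later reordering from silently serving HTML to clients expecting a bare address. The patterns are applied with re.match to the host and path joined without a separator and are not end-anchored, so `ipecho\.net/plain` also matches `ipecho.net/plainfoo`; harmless for a sinkhole, but a trailing `(/|$)` or `$` on the text entries would make the intent explicit. `www\.mon-ip\.com/../my-ip` uses unescaped `..`, presumably as a deliberate wildcard for the language segment of that URL — a short comment confirming that would help.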
Your IP Address Is:
+
+ +11.22.33.44 + +
+ + \ No newline at end of file diff --git a/netsink/data/ipaddress.txt b/netsink/data/ipaddress.txt new file mode 100644 index 0000000..411897e --- /dev/null +++ b/netsink/data/ipaddress.txt @@ -0,0 +1 @@ +11.22.33.44 \ No newline at end of file diff --git a/netsink/modules/http.py b/netsink/modules/http.py index 6396519..632edb9 100644 --- a/netsink/modules/http.py +++ b/netsink/modules/http.py @@ -59,19 +59,23 @@ def handle(self): break # read (and ignore) any body - m = re.match("Content-Length: (?P\d+)", data) + m = re.search("Content-Length: (?P\d+)\r\n", data) if m: self.rfile.read(int(m.group('length'))) # handle request + host = "" + m = re.search(r"Host: (?P[0-9a-zA-Z\-\.\:]+)\r\n", data) + if m: + host = m.group('host').lower() # normalise m = re.match(r"^(?P\w+) (?P\S+) (?PHTTP/\d\.\d)\r\n", data) if m: - self.handlepath(m.group('method'), m.group('path')) + self.handlepath(host, m.group('method'), m.group('path')) - def handlepath(self, method, path): + def handlepath(self, host, method, path): """Search config patterns to find an appropriate file/response to return. """ for x in self.responses: - m = re.match(x.pattern, path) + m = re.match(x.pattern, host + path) if m: data = "" if x.file and x.file != "None": diff --git a/tests/test_http.py b/tests/test_http.py index 731a5f9..3e19345 100644 --- a/tests/test_http.py +++ b/tests/test_http.py 
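Review bot: The Host lookup in handle() is a bare `re.search(r"Host: ...")`, so it is case-sensitive (HTTP header names are not) and also matches inside another header such as `X-Forwarded-Host:` when that header precedes `Host:`, letting a client steer which pattern is selected; anchoring at the line start fixes both: `m = re.search(r"\r\nHost:[ \t]*(?P<host>[0-9a-zA-Z\-.:]+)\r\n", data, re.IGNORECASE)`, and the `Content-Length` search two lines up has the same weakness. The captured host keeps any `:port`, so a request carrying `Host: ipecho.net:8080` is matched as `ipecho.net:8080/plain` and misses every port-less pattern in http.conf; if ports are not meant to be part of the match, strip it with `host = m.group('host').lower().split(':', 1)[0]`. handlepath() now matches every configured pattern against `host + path` instead of `path`, so an existing pattern anchored like `^/...` silently stops matching whenever a Host header is present; that is worth a sentence in its docstring. handle() begins before this hunk and handlepath() continues past it.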
@@ -12,3 +12,23 @@ def test_http(): resp = urllib2.urlopen("http://127.0.0.1:{0}/anything/blah.html".format( server.socket.getsockname()[1])).read() assert "Netsink" in resp + +def test_iplookup(): + server = SocketServer.TCPServer(('', 0), http.HTTPHandler) + server.cfg = ModuleConfig('http.conf').cfg + thread.start_new_thread(server.serve_forever, ()) + headers = { "User-Agent": 'Google-Bot', "Host": 'ipgoat.com' } + req = urllib2.Request("http://127.0.0.1:{0}".format( + server.socket.getsockname()[1]), headers=headers) + resp = urllib2.urlopen(req).read() + assert "11.22.33.44" in resp + +def test_iplookup_raw(): + server = SocketServer.TCPServer(('', 0), http.HTTPHandler) + server.cfg = ModuleConfig('http.conf').cfg + thread.start_new_thread(server.serve_forever, ()) + headers = { "Host": 'checkip.dyndns.org' } + req = urllib2.Request("http://127.0.0.1:{0}/plain".format( + server.socket.getsockname()[1]), headers=headers) + resp = urllib2.urlopen(req).read() + assert resp.startswith("11.22.33.44")
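Review bot: Both new tests leave their TCPServer and serve_forever thread running after the assertion (no `server.shutdown()` / `server.server_close()`), mirroring test_http above, so every test leaks a listening socket and a thread for the rest of the run; wrapping the request in `try: ... finally: server.shutdown(); server.server_close()` keeps each test self-contained. Neither test pins the negative case — that a request with an unrelated Host still receives the default page — so a regression that made the `iplookup.html` pattern match every host would still pass; a third test sending `"Host": 'example.com'` and asserting `"11.22.33.44" not in resp` would catch it. The expected address is repeated as a literal from netsink/data/ipaddress.txt; reading it from that file would keep the tests in step if the canned address changes.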