mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-12-22 17:15:06 +01:00
Added DancingRightToLeft.py script.
This commit is contained in:
parent
6079c3aefe
commit
b12ab57e05
112
phishing/DancingRightToLeft.py
Normal file
112
phishing/DancingRightToLeft.py
Normal file
@ -0,0 +1,112 @@
|
||||
#!/usr/bin/python3
|
||||
#
|
||||
# A script abusing Right-To-Left Override unicode byte to rename phishing payloads.
|
||||
#
|
||||
# Sources:
|
||||
# - http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing
|
||||
# - https://www.mozilla.org/en-US/security/advisories/mfsa2009-62/
|
||||
# - https://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/
|
||||
# - https://twitter.com/ffforward/status/1486743442801704974
|
||||
#
|
||||
# Mariusz Banach, mgeeky, "22
|
||||
# <mb [at] binary-offensive.com>
|
||||
#
|
||||
|
||||
import os, sys
|
||||
import shutil
|
||||
import string
|
||||
import argparse
|
||||
|
||||
RTLO = '\u202E' # Right-To-Left Override
|
||||
|
||||
def rightToLeftOverride(phrase):
|
||||
|
||||
for i in range(len(phrase)-1)[::-1]:
|
||||
if options['simulate']:
|
||||
cand = phrase[:i] + phrase[i:][::-1]
|
||||
else:
|
||||
cand = phrase[:i] + Constants['RTLO'] + phrase[i:]
|
||||
|
||||
def opts(argv):
|
||||
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <filename> <decoy-extension>')
|
||||
parser.add_argument('filename', help='Payload file that we wish to rename.')
|
||||
parser.add_argument('decoy_extension', help='Extension that we wish our payload to mimic via RTLO')
|
||||
parser.add_argument('-p', '--padding', default=' ', help='If current file extension length is different than decoy extension length, pad filename with this character. Default: space.')
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
args.filename = os.path.abspath(args.filename)
|
||||
|
||||
if args.decoy_extension.startswith('.'):
|
||||
args.decoy_extension = args.decoy_extension[1:]
|
||||
|
||||
if '.' not in args.filename:
|
||||
print('[!] Input filename does not have extension! You must point this script to the existing file having some original extension.')
|
||||
sys.exit(1)
|
||||
|
||||
return args
|
||||
|
||||
def main(argv):
|
||||
print('''
|
||||
:: Dancing Right-To-Left
|
||||
|
||||
A script abusing Right-To-Left Override unicode byte to rename phishing payloads.
|
||||
|
||||
Mariusz Banach / mgeeky '22, (@mariuszbit)
|
||||
<mb@binary-offensive.com>
|
||||
''')
|
||||
|
||||
args = opts(argv)
|
||||
if not args:
|
||||
return False
|
||||
|
||||
filename, ext = os.path.splitext(args.filename)
|
||||
filename2 = os.path.basename(filename)
|
||||
ext = ext.replace('.', '')
|
||||
|
||||
if len(ext) == 0:
|
||||
print('[!] Input filename does not have extension! You must point this script to the existing file having some original extension.')
|
||||
sys.exit(1)
|
||||
|
||||
targetext = args.decoy_extension[::-1]
|
||||
q = ''
|
||||
|
||||
if len(targetext) < len(ext):
|
||||
filename2 += (len(ext) - len(targetext)) * args.padding
|
||||
q = '"'
|
||||
|
||||
elif len(targetext) > len(ext):
|
||||
filename2 += (len(targetext) - len(ext)) * args.padding
|
||||
q = '"'
|
||||
|
||||
out1 = filename2 + '\\u202e' + targetext + '.' + ext
|
||||
rest = targetext + '.' + ext
|
||||
out2 = filename2 + rest[::-1]
|
||||
out3 = filename2 + RTLO + targetext + '.' + ext
|
||||
|
||||
print(f'''INPUT:
|
||||
|
||||
Payload Filename : {os.path.basename(args.filename)}
|
||||
Payload Extension : {q}.{ext}{q}
|
||||
Decoy payloads' extension as : {q}.{args.decoy_extension}{q}
|
||||
|
||||
OUTPUT:
|
||||
|
||||
Your file was named in following way : {q}{out1}{q}
|
||||
|
||||
Your filename will look like this (simulated) : {q}{out2}{q}
|
||||
Your filename will look like this (real display) : {out3}
|
||||
''')
|
||||
|
||||
old = args.filename
|
||||
new = os.path.dirname(old) + os.sep + filename2 + RTLO + targetext + '.' + ext
|
||||
|
||||
#
|
||||
# Using manual bytes copy cause I was having some weird issues with shutil.copy()
|
||||
#
|
||||
with open(old, 'rb') as oldfile:
|
||||
with open(new, 'wb') as newfile:
|
||||
newfile.write(oldfile.read())
|
||||
|
||||
if __name__ == '__main__':
|
||||
main(sys.argv)
|
@ -1,6 +1,32 @@
|
||||
## Phishing and Social-Engineering related scripts, tools and CheatSheets
|
||||
|
||||
|
||||
- **`DancingRightToLeft.py`** - A script abusing Right-To-Left Override unicode byte to rename phishing payloads.
|
||||
|
||||
```
|
||||
PS> py DancingRightToLeft.py 502.html fax
|
||||
|
||||
:: Dancing Right-To-Left
|
||||
|
||||
A script abusing Right-To-Left Override unicode byte to rename phishing payloads.
|
||||
|
||||
Mariusz Banach / mgeeky '22, (@mariuszbit)
|
||||
<mb@binary-offensive.com>
|
||||
|
||||
INPUT:
|
||||
|
||||
Payload Filename : 502.html
|
||||
Payload Extension : ".html"
|
||||
Decoy payloads' extension as : ".fax"
|
||||
|
||||
OUTPUT:
|
||||
|
||||
Your file was named in following way : "502 \u202exaf.html"
|
||||
|
||||
Your filename will look like this (simulated) : "502 lmth.fax"
|
||||
Your filename will look like this (real display) : 502 xaf
|
||||
```
|
||||
|
||||
- [**`decode-spam-headers.py`**](https://github.com/mgeeky/decode-spam-headers) - This tool accepts on input an `*.EML` or `*.txt` file with all the SMTP headers. It will then extract a subset of interesting headers and using **79+** tests will attempt to decode them as much as possible.
|
||||
|
||||
This script also extracts all IPv4 addresses and domain names and performs full DNS resolution of them.
|
||||
|
Loading…
Reference in New Issue
Block a user