2013-12-03 04:56:55 +00:00
|
|
|
package main
|
|
|
|
|
|
|
|
/*
|
|
|
|
gophish - Open-Source Phishing Framework
|
|
|
|
|
|
|
|
The MIT License (MIT)
|
|
|
|
|
|
|
|
Copyright (c) 2013 Jordan Wright
|
|
|
|
|
|
|
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
|
|
of this software and associated documentation files (the "Software"), to deal
|
|
|
|
in the Software without restriction, including without limitation the rights
|
|
|
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
|
|
copies of the Software, and to permit persons to whom the Software is
|
|
|
|
furnished to do so, subject to the following conditions:
|
|
|
|
|
|
|
|
The above copyright notice and this permission notice shall be included in
|
|
|
|
all copies or substantial portions of the Software.
|
|
|
|
|
|
|
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
|
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
|
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
|
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
|
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
|
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
|
|
THE SOFTWARE.
|
|
|
|
*/
|
2013-12-06 23:39:40 +00:00
|
|
|
import (
|
2020-04-27 03:51:39 +00:00
|
|
|
"fmt"
|
2017-12-09 21:42:07 +00:00
|
|
|
"io/ioutil"
|
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.
This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang
To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.
To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.
There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.
Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 14:36:18 +00:00
|
|
|
"net/http"
|
2014-05-27 01:29:12 +00:00
|
|
|
"os"
|
2018-12-15 21:42:32 +00:00
|
|
|
"os/signal"
|
2014-01-09 06:42:05 +00:00
|
|
|
|
2017-06-09 05:14:03 +00:00
|
|
|
"gopkg.in/alecthomas/kingpin.v2"
|
|
|
|
|
2016-01-10 17:03:17 +00:00
|
|
|
"github.com/gophish/gophish/config"
|
|
|
|
"github.com/gophish/gophish/controllers"
|
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.
This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang
To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.
To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.
There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.
Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 14:36:18 +00:00
|
|
|
"github.com/gophish/gophish/dialer"
|
2020-01-18 17:58:34 +00:00
|
|
|
"github.com/gophish/gophish/imap"
|
2018-05-04 00:07:41 +00:00
|
|
|
log "github.com/gophish/gophish/logger"
|
2019-05-31 18:58:18 +00:00
|
|
|
"github.com/gophish/gophish/middleware"
|
2016-01-10 17:03:17 +00:00
|
|
|
"github.com/gophish/gophish/models"
|
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.
This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang
To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.
To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.
There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.
Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 14:36:18 +00:00
|
|
|
"github.com/gophish/gophish/webhook"
|
2013-12-03 04:56:55 +00:00
|
|
|
)
|
|
|
|
|
2020-04-27 03:51:39 +00:00
|
|
|
const (
|
|
|
|
modeAll string = "all"
|
|
|
|
modeAdmin string = "admin"
|
|
|
|
modePhish string = "phish"
|
|
|
|
)
|
|
|
|
|
2017-06-09 05:14:03 +00:00
|
|
|
var (
|
2018-02-23 04:26:59 +00:00
|
|
|
configPath = kingpin.Flag("config", "Location of config.json.").Default("./config.json").String()
|
|
|
|
disableMailer = kingpin.Flag("disable-mailer", "Disable the mailer (for use with multi-system deployments)").Bool()
|
2020-04-27 03:51:39 +00:00
|
|
|
mode = kingpin.Flag("mode", fmt.Sprintf("Run the binary in one of the modes (%s, %s or %s)", modeAll, modeAdmin, modePhish)).
|
|
|
|
Default("all").Enum(modeAll, modeAdmin, modePhish)
|
2017-06-09 05:14:03 +00:00
|
|
|
)
|
2014-07-24 02:04:38 +00:00
|
|
|
|
2013-12-03 04:56:55 +00:00
|
|
|
func main() {
|
2017-09-06 02:54:32 +00:00
|
|
|
// Load the version
|
2024-01-02 21:10:40 +00:00
|
|
|
version := os.Getenv("GOPHISH_VERSION")
|
|
|
|
if version == "" {
|
|
|
|
versionBytes, err := ioutil.ReadFile("./VERSION")
|
|
|
|
if err != nil {
|
|
|
|
log.Fatal(err)
|
|
|
|
}
|
|
|
|
version = string(versionBytes)
|
2017-09-06 02:54:32 +00:00
|
|
|
}
|
2024-01-02 21:10:40 +00:00
|
|
|
kingpin.Version(version)
|
2017-09-06 02:54:32 +00:00
|
|
|
|
2017-06-09 05:14:03 +00:00
|
|
|
// Parse the CLI flags and load the config
|
2017-09-06 02:54:32 +00:00
|
|
|
kingpin.CommandLine.HelpFlag.Short('h')
|
2017-06-09 05:14:03 +00:00
|
|
|
kingpin.Parse()
|
2017-09-06 02:54:32 +00:00
|
|
|
|
|
|
|
// Load the config
|
2018-12-15 21:42:32 +00:00
|
|
|
conf, err := config.LoadConfig(*configPath)
|
2018-10-06 20:47:31 +00:00
|
|
|
// Just warn if a contact address hasn't been configured
|
|
|
|
if err != nil {
|
|
|
|
log.Fatal(err)
|
|
|
|
}
|
2018-12-15 21:42:32 +00:00
|
|
|
if conf.ContactAddress == "" {
|
2018-10-06 20:47:31 +00:00
|
|
|
log.Warnf("No contact address has been configured.")
|
|
|
|
log.Warnf("Please consider adding a contact_address entry in your config.json")
|
|
|
|
}
|
2017-09-06 02:54:32 +00:00
|
|
|
config.Version = string(version)
|
2017-12-09 21:42:07 +00:00
|
|
|
|
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.
This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang
To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.
To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.
There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.
Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 14:36:18 +00:00
|
|
|
// Configure our various upstream clients to make sure that we restrict
|
|
|
|
// outbound connections as needed.
|
|
|
|
dialer.SetAllowedHosts(conf.AdminConf.AllowedInternalHosts)
|
|
|
|
webhook.SetTransport(&http.Transport{
|
|
|
|
DialContext: dialer.Dialer().DialContext,
|
|
|
|
})
|
|
|
|
|
2020-01-17 04:21:58 +00:00
|
|
|
err = log.Setup(conf.Logging)
|
2018-10-06 20:47:31 +00:00
|
|
|
if err != nil {
|
|
|
|
log.Fatal(err)
|
|
|
|
}
|
|
|
|
|
2018-02-23 04:26:59 +00:00
|
|
|
// Provide the option to disable the built-in mailer
|
2014-06-29 21:44:16 +00:00
|
|
|
// Setup the global variables and settings
|
2018-12-15 21:42:32 +00:00
|
|
|
err = models.Setup(conf)
|
2014-03-25 03:38:59 +00:00
|
|
|
if err != nil {
|
2018-05-04 00:07:41 +00:00
|
|
|
log.Fatal(err)
|
2017-12-09 21:42:07 +00:00
|
|
|
}
|
2020-01-18 17:58:34 +00:00
|
|
|
|
2017-12-09 21:42:07 +00:00
|
|
|
// Unlock any maillogs that may have been locked for processing
|
|
|
|
// when Gophish was last shutdown.
|
|
|
|
err = models.UnlockAllMailLogs()
|
|
|
|
if err != nil {
|
2018-05-04 00:07:41 +00:00
|
|
|
log.Fatal(err)
|
2014-03-25 03:38:59 +00:00
|
|
|
}
|
2018-12-15 21:42:32 +00:00
|
|
|
|
|
|
|
// Create our servers
|
|
|
|
adminOptions := []controllers.AdminServerOption{}
|
|
|
|
if *disableMailer {
|
|
|
|
adminOptions = append(adminOptions, controllers.WithWorker(nil))
|
|
|
|
}
|
|
|
|
adminConfig := conf.AdminConf
|
|
|
|
adminServer := controllers.NewAdminServer(adminConfig, adminOptions...)
|
2019-05-31 18:58:18 +00:00
|
|
|
middleware.Store.Options.Secure = adminConfig.UseTLS
|
2018-12-15 21:42:32 +00:00
|
|
|
|
|
|
|
phishConfig := conf.PhishConf
|
|
|
|
phishServer := controllers.NewPhishingServer(phishConfig)
|
|
|
|
|
2020-01-18 17:58:34 +00:00
|
|
|
imapMonitor := imap.NewMonitor()
|
2020-04-27 03:51:39 +00:00
|
|
|
if *mode == "admin" || *mode == "all" {
|
|
|
|
go adminServer.Start()
|
|
|
|
go imapMonitor.Start()
|
|
|
|
}
|
|
|
|
if *mode == "phish" || *mode == "all" {
|
|
|
|
go phishServer.Start()
|
|
|
|
}
|
2018-12-15 21:42:32 +00:00
|
|
|
|
|
|
|
// Handle graceful shutdown
|
|
|
|
c := make(chan os.Signal, 1)
|
|
|
|
signal.Notify(c, os.Interrupt)
|
|
|
|
<-c
|
|
|
|
log.Info("CTRL+C Received... Gracefully shutting down servers")
|
2020-04-27 03:51:39 +00:00
|
|
|
if *mode == modeAdmin || *mode == modeAll {
|
|
|
|
adminServer.Shutdown()
|
|
|
|
imapMonitor.Shutdown()
|
|
|
|
}
|
|
|
|
if *mode == modePhish || *mode == modeAll {
|
|
|
|
phishServer.Shutdown()
|
|
|
|
}
|
2020-01-18 17:58:34 +00:00
|
|
|
|
2013-12-06 23:39:40 +00:00
|
|
|
}
|