Jump to content

Wifite Auto Attack Script + Site Survey


Vulture
 Share

Recommended Posts

With the recent update to Site Survey the pineapple is now morphing into an AP based attack platform instead of just focusing on clients (KARMA). I believe the flagship of projects that highlights AP based attacks is Aircrack-ng once you have become knowledgeable with the ins and outs, a python script named Wifite which automates much of the process.

I have taken the Wifite r68 version and modified it slightly for the pineapple.

What this script does:

Any capture you are making via Site Survey can have this script run against it. It will execute a series of attacks based on the type of AP, WEP/WPA. WPA attacks will attempt to deauth then capture a quality handshake, then strip the excess capture data out of the resulting file. WEP attacks follow a multiple stage attack that is better covered on the Wifite support page. Both methods will hide your MAC.

What this script does not do:

This script does not crack WEP or WPA captures, it simply produces the capture files for offsite processing. Using any attack method is very taxing on the pineapple and tends to lock it up in my experience.

Prerequisites:

Pineapple IV 1.1.1

USB Drive

Installed Modules: OPKG, Site Survey

OPKG Packages to USB: pyrit, sslstrip (This will also ensure you have all python libraries)

1) Download the script: http://www.2shared.com/file/zusD0Q7S/wifite.html

2) Download http://scapy.net/ 2.0 file and unzip, then transfer to your USB drive on your pineapple

3) Through SSH terminal execute "python setup.py install" in the directory you transferred the scapy directory into.

4) Open the web interface for the pineapple and go to the Site Survey module, make sure captures are installed to USB if not this won't work.

4) Execute the script via "python wifite.py --file {CAPTURE FILE NAME} --ivs {#}" see notes below

{CAPTURE FILE NAME} - Name of the capture file in /usb/captures this will be something like capture_####.cap you only need the capture_#### part NOT THE EXTENSION. Directory is assumed to be /usb/captures/

{#} - The number of IVS to capture before stopping only applicable for WEP APs

-Vulture

Link to comment
Share on other sites

I've been doing a lot of stuff similar to this lately. Sitwon was nice enough to give me some advice in a thread I made in the application forums. It appears that this script is heavily reliant on "find" which I have been advised not to use. I rewrote one of the functions to use regex which will allow much more versatility when parsing info. I'll have to time it to verify but I think it's faster also.

def getmac():
    proc=subprocess.Popen(['whatever command u want to run'], stdout=subprocess.PIPE) #executes process
    vis=proc.communicate()[0] #communicates w/generator object
    readable = vis.split('\n') #divides into tupples
    searchmac_string = '([a-fA-F0-9]{2}[:|\-]){5}[a-fA-F0-9]{2}'#searches for 6 consecutive pairs of hexdecimal characters
    for x in readable: # iterates through generator object
        a = re.compile(searchmac_string).search(x)#compiles search string
        if a: #if search string is found, will append it to list and print out for humans to read
            print(x[a.start():a.end()])
            TARGETS.append(a)

Link to comment
Share on other sites

I've been doing a lot of stuff similar to this lately. Sitwon was nice enough to give me some advice in a thread I made in the application forums. It appears that this script is heavily reliant on "find" which I have been advised not to use. I rewrote one of the functions to use regex which will allow much more versatility when parsing info. I'll have to time it to verify but I think it's faster also.

def getmac():
    proc=subprocess.Popen(['whatever command u want to run'], stdout=subprocess.PIPE) #executes process
    vis=proc.communicate()[0] #communicates w/generator object
    readable = vis.split('\n') #divides into tupples
    searchmac_string = '([a-fA-F0-9]{2}[:|\-]){5}[a-fA-F0-9]{2}'#searches for 6 consecutive pairs of hexdecimal characters
    for x in readable: # iterates through generator object
        a = re.compile(searchmac_string).search(x)#compiles search string
        if a: #if search string is found, will append it to list and print out for humans to read
            print(x[a.start():a.end()])
            TARGETS.append(a)

I know most of the programming communities have recommended regex over a "find" style command. I am not sure if it really makes a bid difference here since most of the reads are done in a polling style with seconds between them. I noticed after I posted that there was a much newer version on the google code site that looks coded much cleaner, however I just wanted functionality and thought I would share.

I know this script works well on both WEP and WPA (without reaver) attacks and was easily producing 50000 IVS in about 5 minutes. Handshakes are also captured quite quickly without much user interaction and running a single instance has never locked my pineapple.

Let me know if you notice any difference using regex but I usually see loads around 2.0 when both this script and Site Survey's capture is running

Link to comment
Share on other sites

First off, I'm still a n00b when it comes to python, well computers in general, so don't mark what I say in stone.

To my knowledge, regex is going to be faster because it uses C libraries or is somehow based on C. From what I have read C is always going to run a little faster than Python as it's already compiled (ie - the apache server w/java applet attack is going to be smoother than the python server w/java applet attack as apache is written in c). Regex is also a lot more versatile. Find is only going to match characters where regex is going to match character patterns.

I haven't messed with wifite-ng in a few weeks, but from what I remember, it had a little difficulty capturing WPA handshakes because it only sent 3 deauth packets one time then just waited. Perhaps the probability of a successful WPA handshake capture might increase if deauths are sent every minute or more than one time.

Another issue that this script has it that it's writing the output of airodump-ng to a file. While this isn't an 'incorrect' way of doing it, there are other ways you can pipe stdout so that you don't have to write to a file (which should also be faster) and it's more of a linuxy way of coding the function. If you look in the thread I made in the applications and coding forum Sitwon gives an explanation of how to code this.

Link to comment
Share on other sites

Another issue that this script has it that it's writing the output of airodump-ng to a file. While this isn't an 'incorrect' way of doing it, there are other ways you can pipe stdout so that you don't have to write to a file (which should also be faster) and it's more of a linuxy way of coding the function. If you look in the thread I made in the applications and coding forum Sitwon gives an explanation of how to code this.

the pineapple only has 32MB of ram, keeping the captured data in ram would overload whats leftover quickly.

Link to comment
Share on other sites

First off, I'm still a n00b when it comes to python, well computers in general, so don't mark what I say in stone.

To my knowledge, regex is going to be faster because it uses C libraries or is somehow based on C. From what I have read C is always going to run a little faster than Python as it's already compiled (ie - the apache server w/java applet attack is going to be smoother than the python server w/java applet attack as apache is written in c). Regex is also a lot more versatile. Find is only going to match characters where regex is going to match character patterns.

I haven't messed with wifite-ng in a few weeks, but from what I remember, it had a little difficulty capturing WPA handshakes because it only sent 3 deauth packets one time then just waited. Perhaps the probability of a successful WPA handshake capture might increase if deauths are sent every minute or more than one time.

Another issue that this script has it that it's writing the output of airodump-ng to a file. While this isn't an 'incorrect' way of doing it, there are other ways you can pipe stdout so that you don't have to write to a file (which should also be faster) and it's more of a linuxy way of coding the function. If you look in the thread I made in the applications and coding forum Sitwon gives an explanation of how to code this.

I completely agree with the last part on outputting to the file, however this script is meant to integrate with Site Survey in the next few version. Essentially it is primed to display this log in Site Survey so the user never needs to go into a bash session :)

Wifite in my option, at least version 68 does a pretty bang up job on IVS gathering and handshake acquiring. For WPA handshakes the script deauths the AP, then adds each client to its deauth list and continues to deauth a client every 3 seconds.

There are still issues with the script I am working out and will post them, but this wasn't really meant to be a clean code job, just a get it working without issues job. B)

I would encourage anyone out there that wants to enhance this, or publish a script of their own to do so. It will only assist further with Site Survey down the road.

Link to comment
Share on other sites

I've looked through the script a bit but I'm still quite confused. How exactly do we work this with Site Survey? I ran the script from an SSH session and it just made a bunch of monitors (mon0-mon9) and then I had to force-quit the session. So either it's a configuration mistake on my part (most likely) or I simply don't know how to utilize this script correctly.

Link to comment
Share on other sites

Vulture, so this script does not find wep keys or crack wpa keys. It's just preparing the captured packets from site survey?

why not run this on the computer before you run the full crack? I think I am missing something.

The intent is not to need a PC/laptop for the field work. The script captures the necessary information to perform offsite cracking of the IVS and handshake. You likely aren't going to crack a handshake in the field anyways. Think of it almost as war-harvesting in a sense.

Link to comment
Share on other sites

I've looked through the script a bit but I'm still quite confused. How exactly do we work this with Site Survey? I ran the script from an SSH session and it just made a bunch of monitors (mon0-mon9) and then I had to force-quit the session. So either it's a configuration mistake on my part (most likely) or I simply don't know how to utilize this script correctly.

You probably are not running any current captures with Site Survey, the script is bound to mon0 which is assumed when you are using Site Survey. However, the mon.wan0 is the default if you have not down/up the adapters. If you have, it is very odd because there are no calls to airmon-ng in the script. It does not work directly with Site Survey right now, it requires you to start the capture via Site Survey, then using the terminal execute the script against the captured file.

Link to comment
Share on other sites

Oh alright, I get it now, the only thing now is how do I change Site Survey to write to /usb/captures? I looked and I can't seem to find anything about that.

For the moment you can't with the v1.3.6 of SIte Survey. I sent v1.4 to Seb. Just wait for it and you will have everything ready to use ;)

Link to comment
Share on other sites

  • 2 years later...
  • 6 months later...
  • 2 months later...
  • 1 month later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...