Skip to content

BwRy/mana

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

101 Commits

apache

apache

 
 

cert

cert

 
 

conf

conf

 
 

core

core

 
 

hostapd-mana @ a7a4f4d

hostapd-mana @ a7a4f4d

 
 

legacy

legacy

 
 

plugin_deps

plugin_deps

 
 

plugins

plugins

 
 

.gitignore

.gitignore

 
 

.gitmodules

.gitmodules

 
 

LICENSE

LICENSE

 
 

Readme.md

Readme.md

 
 

configs.py

configs.py

 
 

mana.py

mana.py

 
 

Repository files navigation

The MANA Toolkit

MANA Toolkit by Dominic White (singe) & Ian de Villiers @ sensepost (research@sensepost.com)

Modular driver code written by Gabriel Ryan (s0lst1c3) and based heavily on MITMf by byt3bl33d3r.

Overview

A toolkit for rogue access point (evilAP) attacks first presented at Defcon 22.

More specifically, it contains the improvements to KARMA attacks we implemented into hostapd, as well as some useful configs for conducting MitM once you've managed to get a victim to connect.

You can read more on our blog at http://www.sensepost.com/blog/11823.html, or watch the talk at https://youtu.be/i2-jReLBSVk or see the text heavy slide version at http://www.slideshare.net/sensepost/improvement-in-rogue-access-points-sensepost-defcon-22

Contents

It contains:

  • kali/ubuntu-install.sh - simple installers for Kali 1.0.9 and Ubuntu 14.04 (trusty)
  • slides - an explanation of what we're doing here
  • run-mana - the controller scripts
  • hostapd-manna - modified hostapd that implements our new karma attacks
  • crackapd - a tool for offloading the cracking of EAP creds to an external tool and re-adding them to the hostapd EAP config (auto crack 'n add)
  • sslstrip-hsts - our modifications to LeonardoNVE's & moxie's cool tools
  • apache - the apache vhosts for the noupstream hacks; deploy to /etc/apache2/ and /var/www/ respectivley

Installation

The simplest way to get up and running is it "apt-get install mana-toolkit" on Kali. If you want to go manual to get the latest version, check below. Make sure to edit the start script to point to the right wifi device.

To get up and running setup a Kali box (VM or otherwise), update it, then run kali-install.sh

To get up and running setup a Ubuntu 14.04 box (VM or otherwise), update it, then run ubuntu-install.sh

If you're installing from git, you can use the following commands after you have grabbed the necessary dependencies:

git clone --depth 1 https://github.com/sensepost/mana
cd mana
git submodule init
git submodule update
make
make install

Pre-Requisites

Software

Check the ubuntu installer for more details on software pre-requisites.

Hardware

You'll need a wifi card that supports "access point"/"master" mode. You can check whether it does by running: iw list You want to see "AP" in the output. Something like:

Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
         * mesh point

More information at https://help.ubuntu.com/community/WifiDocs/MasterMode#Test_an_adapter_for_.22master_mode.22

Three cards that have been confirmed to work well, in order of preference are:

Note, the old silver Alfa (AWUS036H) does not support master mode and will not work, but the new silver Alfa (AWUS050NH) does.

Running

Mana has five modes:

  • start-nat-full.sh - Will fire up MANA in NAT mode (you'll need an upstream link).
  • start-noupstream.sh - Will start MANA in a "fake Internet" mode. Useful for places where people leave their wifi on, but there is no upstream Internet. Also contains the captive portal.
  • start-noupstream-eap.sh - Will start MANA with the EAP attack and noupstream mode.

To perform a MITM attack with HSTS bypass using Mana, start it in NAT mode as follows:

python mana.py --nat --essid Internet --channel 6 --hostname tplink --phy wlan0 --upstream eth0 --sslstrip --dns2proxy --sslsplit --netcreds

To perform a noupstream attack, just use the appropriate flag:

python mana.py --no-upstream-all --phy wlp0s29u1u5 --essid netgear1

For a full listing of Mana commands, refer to the help menu using the --help flag:

python mana.py --help

Captured traffic will be in the various log directories you find in the project directory.

These scripts kill NetworkManager as it prevents hostapd from using the wifi card. If you're using NetworkManager for your upstream connectivity, this can cause problems. Ideally, just manually configure the upstream adapter, however, you could also instruct NetworkManager to ignore certain devices by following the instructions at http://askubuntu.com/questions/21914/how-can-i-make-networkmanager-ignore-my-wireless-card/22166#22166

Adding new plugins

You can add new plugins by placing them in the plugins directory. Added plugins will be automatically loaded and initialized by Mana Toolkit as it runs. Plugin dependencies should be placed in the plugin_deps directory.

Plugin Format

To create a new plugin for Mana Toolkit, first create a python file in the mana/plugins directory. For example:

mana/plugins/example_plugin.py

At the of your plugin file, import the Plugin class from plugin.py:

	# in example_plugin.py
	from plugin import Plugin

Any dependencies needed by your plugin should be loaded from mana/plugin_deps, as shown below:

	# in example_plugin.py
	from plugin import Plugin
	from plugin_deps import example_daemon

Finally, import any needed modules from core in the following manner:

	# in example_plugin.py
	from plugin import Plugin
	from plugin_deps import example_daemon
	from core import utils, iptables

After adding necessary import statements to your plugin file, define your plugin Class inheriting from Plugin like this:

	# in example_plugin.py
	from plugin import Plugin
	from plugin_deps import example_daemon
	from core import utils, iptables

	class Example_plugin(Plugin):

Then give your plugin a name without any whitespace, as well as an optname to be used by argparse. You can also add a description:

	# in example_plugin.py
	from plugin import Plugin
	from plugin_deps import example_daemon
	from core import utils, iptables

	class Example_plugin(Plugin):

		name = 'example_plugin'
		optname = 'example'
		desc = 'An example plugin.'

You can tell Mana Toolkit to sleep n seconds after starting your plugin by adding a sleep_time class variable. This can be useful for giving your plugin enough time to load before starting the next daemon. For example, to make Mana Toolkit sleep 3 seconds after starting example_plugin, we add sleep_time = 3 as shown here:

	# in example_plugin.py
	from plugin import Plugin
	from plugin_deps import example_daemon
	from core import utils, iptables

	class Example_plugin(Plugin):

		name = 'example_plugin'
		optname = 'example'
		desc = 'An example plugin.'
		sleep_time = 3

Once we've added our class variables, we define an initialize function. Your initialize function should take the options namespace from argparse as an argument, and use it to create a self.configs dictionary as shown below:

	# in example_plugin.py
	from plugin import Plugin
	from plugin_deps import example_daemon
	from core import utils, iptables

	class Example_plugin(Plugin):

		name = 'example_plugin'
		optname = 'example'
		desc = 'An example plugin.'
		sleep_time = 3

		def initialize(self, options):

			self.configs = {

				'interface' ; options.phy,
				'ssid' : options.ssid,
				'name' : options.name,
			}

The value of self.configs will be passed to your plugin's daemon process before it begins to run. Any code that should run before the plugin starts, such as iptables configurations or modifying a config file, should be placed within initialize().

The options() method takes an argparse ArgumentParser as an argument. You can use it to add plugin specific command line arguments to Mana Toolkit:

	# in example_plugin.py
	from plugin import Plugin
	from plugin_deps import example_daemon
	from core import utils, iptables

	class Example_plugin(Plugin):

		name = 'example_plugin'
		optname = 'example'
		desc = 'An example plugin.'
		sleep_time = 3

		def initialize(self, options):

			self.configs = {

				'interface' ; options.phy,
				'ssid' : options.ssid,
				'name' : options.name,
			}

		def options(self, options):

			options.add_argument('--name',
							dest='name',
							type=str,
							required=False,
							default='jimmy',
							help='Pass your name as a command line argument.')

Finally, the code needed to start your plugin should be placed in a static method named _start(). The _start() method should take a single dictionary as an argument, which will be identical to the dictionary you created in your initialize() method. The code in _start() should be a blocking call to a daemon using os.system(), or a blocking call to a python module. For example:

	# in example_plugin.py
	from plugin import Plugin
	from plugin_deps import example_daemon
	from core import utils, iptables

	class Example_plugin(Plugin):

		name = 'example_plugin'
		optname = 'example'
		desc = 'An example plugin.'
		sleep_time = 3

		def initialize(self, options):

			self.configs = {

				'interface' ; options.phy,
				'ssid' : options.ssid,
				'name' : options.name,
			}

		def options(self, options):

			options.add_argument('--name',
							dest='name',
							type=str,
							required=False,
							default='jimmy',
							help='Pass your name as a command line argument.')

		@staticmethod
		def _start(configs):

			# get values from configs dictionary
			interface = configs['interface']
			name = configs['name']

			# start blocking call to daemon
			example_daemon.run(interface, name)

About

Our mana toolkit for wifi rogue AP attacks and MitM - see hostapd-mana too

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages

  • HTML 85.7%
  • JavaScript 7.9%
  • Python 4.5%
  • Shell 1.1%
  • Classic ASP 0.5%
  • Makefile 0.2%
  • CSS 0.1%