NETATTACK 2 - An Advanced Wireless Network Scan and Attack Script

NETATTACK 2 is a python script that scans and attacks local and wireless networks. Everything is super easy because of the GUI that makes it unnecessary to remember commands and parameters.

FUNCTIONS

SCAN-FUNCTIONS

• Scan for Wi-Fi networks
• Scan for local hosts in your network

ATTACK-FUNCTIONS

• Deauthing ONE / MULTIPLE targets
  
• Deauthing every AP in your area
  
• Kicking (ALL) user/s off your internet ( ARP-Poisoning )
  

REQUIREMENTS
LINUX!

• nmap
• argparse (Python)
• scapy (Python)
• iw

Download NETATTACK 2

Read More

WiFi-Pumpkin v0.8.5 - Framework for Rogue Wi-Fi Access Point Attack

WiFi-Pumpkin is a very complete framework for auditing Wi-Fi security. The main feature is the ability to create a fake AP and make Man In The Middle attack, but the list of features is quite broad.

Installation

• Python 2.7

 git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
 cd WiFi-Pumpkin
 ./installer.sh --install

or download .deb file to install

sudo dpkg -i wifi-pumpkin-0.8.5-all.deb
sudo apt-get -f install # force install dependencies if not install normally

refer to the wiki for Installation

Features

• Rogue Wi-Fi Access Point
• Deauth Attack Clients AP
• Probe Request Monitor
• DHCP Starvation Attack
• Credentials Monitor
• Transparent Proxy
• Windows Update Attack
• Phishing Manager
• Partial Bypass HSTS protocol
• Support beef hook
• ARP Poison
• DNS Spoof
• Patch Binaries via MITM
• Karma Attacks (support hostapd-mana)
• LLMNR, NBT-NS and MDNS poisoner (Responder)
• Pumpkin-Proxy (ProxyServer (mitmproxy API))
• Capture images on the fly
• TCP-Proxy (with scapy)

Plugins

Plugin	Description
dns2proxy	This tools offer a different features for post-explotation once you change the DNS server to a Victim.
sslstrip2	Sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping attacks based version fork @LeonardoNve/@xtr4nge.
sergio-proxy	Sergio Proxy (a Super Effective Recorder of Gathered Inputs and Outputs) is an HTTP proxy that was written in Python for the Twisted framework.
BDFProxy-ng	Patch Binaries via MITM: BackdoorFactory + mitmProxy, bdfproxy-ng is a fork and review of the original BDFProxy @secretsquirrel.
Responder	Responder an LLMNR, NBT-NS and MDNS poisoner. Author: Laurent Gaffie

Transparent Proxy

Transparent proxies(mitmproxy) that you can use to intercept and manipulate HTTP traffic modifying requests and responses, that allow to inject javascripts into the targets visited. You can easily implement a module to inject data into pages creating a python file in directory "plugins/extension/" automatically will be listed on Pumpkin-Proxy tab.

Plugins Example Dev

from mitmproxy.models import decoded # for decode content html
from plugins.extension.plugin import PluginTemplate

class Nameplugin(PluginTemplate):
   meta = {
       'Name'      : 'Nameplugin',
       'Version'   : '1.0',
       'Description' : 'Brief description of the new plugin',
       'Author'    : 'by dev'
   }
   def __init__(self):
       for key,value in self.meta.items():
           self.__dict__[key] = value
       # if you want set arguments check refer wiki more info. 
       self.ConfigParser = False # No require arguments 

   def request(self, flow):
       print flow.__dict__
       print flow.request.__dict__ 
       print flow.request.headers.__dict__ # request headers
       host = flow.request.pretty_host # get domain on the fly requests 
       versionH = flow.request.http_version # get http version 
       
       # get redirect domains example
       # pretty_host takes the "Host" header of the request into account,
       if flow.request.pretty_host == "example.org":
           flow.request.host = "mitmproxy.org"
           
       # get all request Header example 
       self.send_output.emit("\n[{}][HTTP REQUEST HEADERS]".format(self.Name))
       for name, valur in flow.request.headers.iteritems():
           self.send_output.emit('{}: {}'.format(name,valur))
           
       print flow.request.method # show method request 
       # the model printer data
       self.send_output.emit('[NamePlugin]:: this is model for save data logging')

   def response(self, flow):
       print flow.__dict__
       print flow.response.__dict__
       print flow.response.headers.__dict__ #convert headers for python dict
       print flow.response.headers['Content-Type'] # get content type
        
       #every HTTP response before it is returned to the client
       with decoded(flow.response):
           print flow.response.content # content html
           flow.response.content.replace('</body>','<h1>injected</h1></body>') # replace content tag 
      
       del flow.response.headers["X-XSS-Protection"] # remove protection Header
       
       flow.response.headers["newheader"] = "foo" # adds a new header
       #and the new header will be added to all responses passing through the proxy

About plugins
plugins on the wiki

TCP-Proxy Server
A proxy that you can place between in a TCP stream. It filters the request and response streams with (scapy module) and actively modify packets of a TCP protocol that gets intercepted by WiFi-Pumpkin. this plugin uses modules to view or modify the intercepted data that possibly easiest implementation of a module, just add your custom module on "plugins/analyzers/" automatically will be listed on TCP/UDP Proxy tab.

from scapy.all import *
from scapy_http import http # for layer HTTP
from default import PSniffer # base plugin class

class ExamplePlugin(PSniffer):
    _activated     = False
    _instance      = None
    meta = {
        'Name'      : 'Example',
        'Version'   : '1.0',
        'Description' : 'Brief description of the new plugin',
        'Author'    : 'your name',
    }
    def __init__(self):
        for key,value in self.meta.items():
            self.__dict__[key] = value

    @staticmethod
    def getInstance():
        if ExamplePlugin._instance is None:
            ExamplePlugin._instance = ExamplePlugin()
        return ExamplePlugin._instance

    def filterPackets(self,pkt): # (pkt) object in order to modify the data on the fly
        if pkt.haslayer(http.HTTPRequest): # filter only http request 
        
            http_layer = pkt.getlayer(http.HTTPRequest) # get http fields as dict type
            ip_layer = pkt.getlayer(IP)# get ip headers fields as dict type
            
            print http_layer.fields['Method'] # show method http request
            # show all item in Header request http
            for item in http_layer.fields['Headers']:
                print('{} : {}'.format(item,http_layer.fields['Headers'][item]))
            
            print ip_layer.fields['src'] # show source ip address 
            print ip_layer.fields['dst'] # show destiny ip address 
            
            print http_layer # show item type dict
            print ip_layer # show item type dict
            
            return self.output.emit({'name_module':'send output to tab TCP-Proxy'}) 

Download WiFi-Pumpkin

Read More

netattack - Scan and Attack Wireless Networks

The netattack.py is a python script that allows you to scan your local area for WiFi Networks and perform deauthentification attacks. The effectiveness and power of this script highly depends on your wireless card.

USAGE

EASY

SCANNING FOR WIFI NETWORKS

python netattack.py -scan -mon

This example will perform a WiFi network scan. The BSSID, ESSID and the Channel will be listet in a table.

-scan | --scan

This parameter must be called when you want to do a scan. It's one of the main commands. It is searching for beacon frames that are sent by routers to notify there presence.

-mon | --monitor

By calling this parameter the script automatically detects you wireless card and puts it into monitoring mode to capture the ongoing traffic. If you know the name of your wireless card and it's already working in monitoring mode you can call

-i

This can be used instead of -mon.

DEAUTHENTIFICATION ATTACK

python netattack.py -deauth -b AB:CD:EF:GH:IJ:KL -u 12:34:56:78:91:23 -c 4 -mon

This command will obviously perform a deauthentification attack.

-deauth | --deauth

This parameter is a main parameter as well as scan. It is necessary to call if you want to deauth attack a certain target.

-b | --bssid

With -b you select the AP's MAC-Address (BSSID). The -deauth parameter requires one or multiple BSSID's

-u | --client

If you don't want to attack the whole network, but a single user/client/device, you can do this with -u. It is not necessary.

-c | --channel

By adding this parameter, your deauthentification attack is going to be performed on the entered channel. The usage of -c is highly recommended since the attack will be a failure if the wrong channel is used. The channel of the AP can be seen by doing a WiFi scan (-scan). If you don't add -c the attack will take place on the current channel.
The -mon or -i is necessary for this attack as well.

DEAUTHENTIFICATION ATTACK ON EVERYBODY

python netattack.py -deauthall -i [IFACE]

When this command is called, the script automatically searches for AP in your area. After the search it start deauth-attacking all of the found AP's. The -deauthall parameter only needs an interface to get it working. ATTENTION: If you want all of this attacks to be as efficient as possible, have a look at the following "ADVANCED"-section

ADVANCED

-p | --packetburst

This parameter is understood as the packetburst. Especially when you are targeting multiple AP's or even performing a -deauthall attack, the command is a must have. It defines the amount of deauth-packages to send after switching the target. When not adding the parameter it is going to be set to 64 by default. But that is highly unefficient if you are attacking 4+ AP's.

-t | --timeout

This parameter can be added to a -scan or -deauth. If it's added to the -scan parameter it defines the delay while switching the channel. It is set to 0.75s by default, so it is waiting 0.75s on each channel to collect beacon frames. If it's added to the -deauth parameter, it defines the delay between each packetburst. This can be used to decrease the intense of the attack or to attack the target(s) at a certain time.

-cf | --channelformat

This parameter can only be added to -scan. It shows a more detailed output while scanning. It's mainly recommended when the location changes and with it the AP's.

-a | --amount

This parameter can only be added to -deauth. It defines a certain amount of packetbursts to send. This can be used for taking down the WiFi for a certain time.

REQUIREMENTS

• Python 2.5+ (not Python 3+)
• Modules:
  • scapy
  • argparse
  • sys
  • OS
  • threading
  • logging
• iw(config)
• OFC LINUX

DISCLAIMER AND LICENSE
THE OWNER AND PRODUCER OF THIS SOFTWARE IS NOT LIABLE FOR ANY DAMAGE OR ANY LAW VIOLATIONS CAUSED BY THE SOFTWARE.

Download netattack

Read More

LINSET - WPA/WPA2 Hack Without Brute Force

How it works

• Scan the networks.
• Select network.
• Capture handshake (can be used without handshake)
• We choose one of several web interfaces tailored for me (thanks to the collaboration of the users)
• Mounts one FakeAP imitating the original
• A DHCP server is created on FakeAP
• It creates a DNS server to redirect all requests to the Host
• The web server with the selected interface is launched
• The mechanism is launched to check the validity of the passwords that will be introduced
• It deauthentificate all users of the network, hoping to connect to FakeAP and enter the password.
• The attack will stop after the correct password checking

Are necessary tengais installed dependencies, which Linset check and indicate whether they are installed or not.

It is also preferable that you still keep the patch for the negative channel, because if not, you will have complications relizar to attack correctly

How to use

$ chmod +x linset
$ ./linset

Download LINSET

Read More

WiFiPhisher - Fast automated phishing attacks against WiFi networks

Wifiphisher is a security tool that mounts fast automated phishing attacks against WiFi networks in order to obtain secret passphrases and other credentials. It is a social engineering attack that unlike other methods it does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third party login pages or WPA/WPA2 secret passphrases.

Wifiphisher works on Kali Linux and is licensed under the MIT license.

From the victim's perspective, the attack makes use in three phases:

1. Victim is being deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's wifi devices within range by sending deauth packets to the client from the access point, to the access point from the client, and to the broadcast address as well.
2. Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point that is modeled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will start connecting to the rogue access point. After this phase, the victim is MiTMed.
3. Victim is being served a realistic router config-looking page. wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for credentials, for example one that asks WPA password confirmation due to a router firmware upgrade.

Usage

Short form	Long form	Explanation
-m	maximum	Choose the maximum number of clients to deauth. List of clients will be emptied and repopulated after hitting the limit. Example: -m 5
-n	noupdate	Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n
-t	timeinterval	Choose the time interval between packets being sent. Default is as fast as possible. If you see scapy errors like 'no buffer space' try: -t .00001
-p	packets	Choose the number of packets to send in each deauth burst. Default value is 1; 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2
-d	directedonly	Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs
-a	accesspoint	Enter the MAC address of a specific access point to target
-jI	jamminginterface	Choose the interface for jamming. By default script will find the most powerful interface and starts monitor mode on it.
-aI	apinterface	Choose the interface for the fake AP. By default script will find the second most powerful interface and starts monitor mode on it.

Screenshots

Targeting an access point

A successful attack

Fake router configuration page

Requirements

• Kali Linux.
• Two wireless network interfaces, one capable of injection.

Download WiFiPhisher

Read More