weape.sh

1. #!/usr/bin/env bash
2. # wEAPe - Wireless EAP Extractor
3. # Daniel Compton
4. # 08/2013
5. # Daniel Compton
6. # www.commonexploits.com
7. # contact@commexploits.com
8. # Twitter = @commonexploits
9. # Tested on Bactrack 5 & Kali Nessus version 4 & 5
10.  
11.  
12. # Script begins
13. #===============================================================================
14.  
15. VERSION="0.2"
16.  
17. clear
18. echo ""
19. echo -e "\e[00;32m#############################################################\e[00m"
20. echo ""
21. echo -e "   wEAPe Wireless EAP Extractor $VERSION "
22. echo ""
23. echo -e "   EAP Domain Username Extractor"
24. echo ""
25. echo -e "\e[00;32m#############################################################\e[00m"
26. echo ""
27.  
28. #Dependency checking
29.  
30. #Check for tshark
31. which tshark>/dev/null
32. if [ $? -eq 0 ]
33.         then
34.                 echo ""
35. else
36.                 echo ""
37.             echo -e "\e[01;31m[!]\e[00m Unable to find the required Tshark program, install and try again"
38.         exit 1
39. fi
40.  
41.  
42. #Check for Airmon-ng
43. which airmon-ng >/dev/null
44. if [ $? -eq 0 ]
45.         then
46.                 echo ""
47. else
48.                 echo ""
49.         echo -e "\e[01;31m[!]\e[00m Unable to find the required Airmon-NG program, install and try again"
50.         exit 1
51. fi
52.  
53. #Dependency checking
54.  
55. #Check for Airodump-NG
56. which airodump-ng >/dev/null
57. if [ $? -eq 0 ]
58.         then
59.                 echo ""
60. else
61.                 echo ""
62.         echo -e "\e[01;31m[!]\e[00m Unable to find the required Airodump-ng program, install and try again"
63.         exit 1
64. fi
65.  
66.  
67. #Check for screen
68. which screen >/dev/null
69. if [ $? -eq 0 ]
70.         then
71.                 echo ""
72. else
73.                 echo ""
74.         echo -e "\e[01;31m[!]\e[00m Unable to find the required Screen program, install and try again"
75.         exit 1
76. fi
77.  
78. echo -e "\e[01;33m[-]\e[00m In order to extract EAP packets you will need to associate (not authenticate) with the access point of interest"
79. echo ""
80. echo -e "\e[01;33m[-]\e[00m Your wireless network card must support packet injection."
81. echo ""
82. sleep 3
83. echo -e "\e[01;32m[-]\e[00m Now checking your wireless card..."
84. echo ""
85. # fix for occasional RFKILL errors
86. rfkill unblock all >/dev/null
87.  
88. # check for wifi mon interface
89. MONCHK=$(airmon-ng |grep -i "mon" |wc -l)
90. if [ "$MONCHK" = 0 ]
91.     then
92.     echo ""
93.     echo -e "\e[01;31m[!]\e[00m Unable to find any wireless interfaces in monitor mode."
94.     echo ""
95.     echo -e "\e[01;32m[-]\e[00m The following interfaces exist:"
96.     echo "--------------------------------------------------------"
97.     airmon-ng
98.         echo -e "\e[1;31m------------------------------------------------------------------------------------------------------------------\e[00m"
99.         echo -e "\e[01;31m[?]\e[00m Enter the interface you would like to put into monitor mode and press ENTER. i.e wlan0"
100.         echo -e "\e[1;31m------------------------------------------------------------------------------------------------------------------\e[00m"
101.     echo ""
102.     read WLANTMP
103.     echo ""
104.     echo -e "\e[01;32m[-]\e[00m Now attempting to put your adaptor "$WLANTMP" into monitor mode...please wait"
105.     echo ""
106.     sleep 2
107.     airmon-ng stop "$WLANTMP" >/dev/null
108.     sleep 3
109.     airmon-ng start "$WLANTMP" >/dev/null
110.     echo ""
111.     echo -e "\e[01;33m[-]\e[00m If an "SIOCSIFFLAGS:" error was displayed against "$WLANTMP", then you card/driver is not compatable"
112.     echo ""
113.     echo -e "\e[01;32m[-]\e[00m Press Enter to continue if you did not see the "SIOCSIFFLAGS" error."
114.     echo ""
115.     read ENTERKEY
116.     sleep 3
117.     airmon-ng |grep -i "mon" >/dev/null
118.         if [ $? = 0 ]
119.             then
120.                 MADEMON=$(airmon-ng |grep -i "mon" |awk '{print $1}')
121.                 echo -e "\e[01;32m[+]\e[00m Success, created "$MADEMON" interface in monitor mode."
122.                 echo ""
123.                 MONINT="$MADEMON"
124.         else
125.             echo ""
126.             echo -e "\e[01;31m[!]\e[00m Unable to create a monitor interface, script will exit."
127.             echo ""
128.             echo -e "\e[01;31m[!]\e[00m Your card or driver may not be compatable. Fix and run the script again"
129.             echo ""
130.             exit 1
131.         fi
132.  
133. elif [ "$MONCHK" = 1 ]
134.     then
135.     echo ""
136.     MONINT=$(airmon-ng |grep "mon" |awk '{print $1}')
137.     echo -e "\e[01;32m[+]\e[00m I found "$MONINT" interface, I will use that for the script."
138.     echo ""
139. else
140.     echo ""
141.     echo -e "\e[01;32m[-]\e[00m Multiple interfaces exist in monitor mode:"
142.         echo "-------------------------------------------------------------------"
143.     airmon-ng |grep -i "mon"
144.     echo ""
145.     echo -e "\e[1;31m------------------------------------------------------------------------------------------------------------------\e[00m"
146.         echo -e "\e[01;31m[?]\e[00m Enter the interface you would like to use and press ENTER. i.e mon0"
147.         echo -e "\e[1;31m------------------------------------------------------------------------------------------------------------------\e[00m"
148.         echo ""
149.     read MONINT
150.     echo ""
151. fi
152. sleep 3
153. clear
154. echo ""
155. echo -e "\e[01;33m[-]\e[00m You need to associate with the access point in question before any information can be extracted"
156. echo ""
157. echo -e "\e[01;33m[-]\e[00m Note: it should be access points that only have MGT within the AUTH column, which means it is using 802.1x"
158. echo ""
159. echo -e "\e[01;33m[-]\e[00m Also it should be an access point with traffic or is likely to have traffic. check under Data column"
160. echo ""
161. echo -e "\e[01;33m[-]\e[00m You will be presented a list all wireless networks. When you have identified the SSID of interest press CTRL C"
162. echo ""
163. echo -e "\e[01;32m[-]\e[00m Press ENTER to continue"
164. echo ""
165. read ENTERKEY
166. airodump-ng $MONINT
167.  
168. echo -e "\e[1;31m------------------------------------------------------------------------------------------------------------------\e[00m"
169. echo -e "\e[01;31m[?]\e[00m Please enter the BSSID from above for the access point of interest (not SSID) i.e '00:AE:x:x:x:x:x'"
170. echo -e "\e[1;31m------------------------------------------------------------------------------------------------------------------\e[00m"
171. echo ""
172. read BSSIDTMP
173. BSSID=$(echo "$BSSIDTMP"| sed -e 's/^[ \t]*//' |sed 's/[ \t]*$//')
174. echo -e "\e[1;31m---------------------------------------------------------------------------------------\e[00m"
175. echo -e "\e[01;31m[?]\e[00m Please enter the channel number of of the access point of interest i.e 6"
176. echo -e "\e[1;31m---------------------------------------------------------------------------------------\e[00m"
177. echo ""
178. read CHAN
179. echo ""
180. echo -e "\e[01;32m[-]\e[00m I will now run a background process to assoicate with this access point..."
181. echo ""
182. screen -d -m -S eappeap_dump airodump-ng -i $MONINT -c $CHAN --bssid $BSSID
183. echo ""
184. echo -e "\e[01;32m[-]\e[00m Now sniffing traffic looking for EAP packets.."
185. echo ""
186. echo -e "\e[01;33m[-]\e[00m Note this can take some time as it depends on finding EAP traffic and users authenticating."
187. echo ""
188. echo -e "\e[01;32m[-]\e[00m Leave script running and users will appear if they authenticate, CTRL C to cancel"
189. echo ""
190. echo -e "\e[01;32m-------------------------------------------------------------------------------------\e[00m"
191. echo -e "\e[01;32m[+]\e[00m Capturing Traffic, press CTRL C once you have seen sufficent usernames"
192. echo -e "\e[01;32m-------------------------------------------------------------------------------------\e[00m"
193. tshark -i "$MONINT" -R eap -V 2>&1 |grep "Identity: *[a-z]\|*[A-Z]\|*[0-9]"
194. echo ""
195. echo -e "\e[01;33m[-]\e[00m All airodump-ng processes are being stopped.."
196. echo ""
197. killall airodump-ng >/dev/null 2>&1
198. exit 0
199. # Script end