├── README.md └── weape.sh /README.md: -------------------------------------------------------------------------------- 1 | wEAPe 2 | ===== 3 | 4 | Weape-Wireless-EAP-Extractor Script 5 | 6 | ============================================ 7 | 8 | Auto extracts EAP 802.1x user names 9 | 10 | Developed by Daniel Compton at Info-Assure Ltd 11 | 12 | https://github.com/commonexploits/weape.git 13 | 14 | 15 | Installing 16 | ======================= 17 | git clone https://github.com/commonexploits/weape.git 18 | 19 | 20 | How To Use 21 | ======================= 22 | ./weape.sh 23 | 24 | 25 | Features 26 | ======================= 27 | 28 | * Sets up wireless card into monitor mode 29 | * Lists all APs 30 | * Associates with the APs you wish 31 | * Extracts domain user names from any connections using EAP 32 | 33 | Requirements 34 | ======================= 35 | * airodump tool set 36 | 37 | Tested on Backtrack 5 and Kali. 38 | 39 | 40 | Screen Shot 41 | ======================= 42 | Screenshot 43 | 44 | Screenshot 45 | 46 | Change Log 47 | ======================= 48 | 49 | Version 0.2 - Beta release 50 | 51 | ** Note: this script is in its early stages; as I can only test and edit it whilst working on jobs that have 802.1x, development is limited. 
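#!/usr/bin/env bash
# wEAPe - Wireless EAP Extractor
# Daniel Compton
# 08/2013
# www.commonexploits.com
# contact@commexploits.com
# Twitter = @commonexploits
# Tested on Backtrack 5 & Kali
#
# What the script does, in order:
#   1. checks that tshark, airmon-ng, airodump-ng and screen are on PATH;
#   2. finds (or creates, via airmon-ng) a wireless interface in monitor mode;
#   3. runs an interactive airodump-ng survey so the user can pick a BSSID and
#      channel, then starts a detached airodump-ng in a screen session against
#      that BSSID;
#   4. runs tshark on the monitor interface with the "eap" filter and prints
#      only the "Identity:" lines of its verbose output.
# The script itself writes nothing to disk; its only output goes to the
# terminal. Exit status: 0 after a completed run, 1 on a missing tool or on
# empty input.
#
# `set -e` is deliberately not used: the user ends both the airodump-ng survey
# and the tshark capture with CTRL-C, those commands then return non-zero, and
# the script must still reach its cleanup. `set -u` is safe because every
# variable is assigned before it is read (main is called without "$@" so that
# older bash versions do not trip over an empty "$@" under -u).
set -u

# Script begins
#===============================================================================

VERSION="0.2"
# Name of the detached screen session that hosts the background airodump-ng.
readonly SCREEN_SESSION="eappeap_dump"
# Set to 1 once the background capture has been launched, so cleanup() only
# acts after this script has actually started something.
CAPTURE_STARTED=0

#######################################
# Print an error in the script's red "[!]" style and exit 1.
# Arguments: $* - message
#######################################
die() {
  echo ""
  echo -e "\e[01;31m[!]\e[00m $*"
  exit 1
}

#######################################
# Abort unless an external tool is on PATH.
# Arguments: $1 - executable name
#            $2 - display name used in the error message
#######################################
require_tool() {
  local exe=$1 label=$2
  # command -v replaces `which`: a builtin with the same found/not-found result.
  if command -v -- "$exe" >/dev/null 2>&1; then
    echo ""
  else
    die "Unable to find the required $label program, install and try again"
  fi
}

#######################################
# Stop the background capture. Installed as the EXIT trap so it also runs when
# CTRL-C ends the tshark pipeline: grep in that pipeline most likely dies on
# SIGINT and takes the script down with it, so a cleanup placed after the
# pipeline would not be reached.
# Globals:   SCREEN_SESSION, CAPTURE_STARTED (read)
#######################################
cleanup() {
  (( CAPTURE_STARTED )) || return 0
  echo ""
  echo -e "\e[01;33m[-]\e[00m All airodump-ng processes are being stopped.."
  echo ""
  # Ask our own screen session to quit first; killall is kept as the original
  # fallback for anything that did not stop.
  screen -S "$SCREEN_SESSION" -X quit >/dev/null 2>&1
  killall airodump-ng >/dev/null 2>&1
}
trap cleanup EXIT

#######################################
# Strip leading and trailing whitespace from $1 (replaces the two sed calls).
# Arguments: $1 - string
# Outputs:   trimmed string on stdout, no trailing newline
#######################################
trim() {
  local s=$1
  s=${s#"${s%%[![:space:]]*}"}
  s=${s%"${s##*[![:space:]]}"}
  printf '%s' "$s"
}

#######################################
# List airmon-ng output lines that mention "mon" (case-insensitive, like the
# original check); the prompts below assume names such as mon0.
# Outputs:   matching lines on stdout
# Returns:   grep's status (non-zero when nothing matches)
#######################################
list_monitor_interfaces() {
  airmon-ng | grep -i -- "mon"
}

#######################################
# Clear the screen and print the version banner.
# Globals:   VERSION (read)
#######################################
print_banner() {
  clear
  echo ""
  echo -e "\e[00;32m#############################################################\e[00m"
  echo ""
  echo -e " wEAPe Wireless EAP Extractor $VERSION "
  echo ""
  echo -e " EAP Domain Username Extractor"
  echo ""
  echo -e "\e[00;32m#############################################################\e[00m"
  echo ""
}

#######################################
# Dependency checking: every tool the rest of the script invokes.
#######################################
check_dependencies() {
  require_tool tshark "Tshark"
  require_tool airmon-ng "Airmon-NG"
  require_tool airodump-ng "Airodump-ng"
  require_tool screen "Screen"
}

#######################################
# Pick the monitor-mode interface to use and store it in MONINT.
# Zero candidates: ask for an adaptor and put it into monitor mode with
# airmon-ng. One candidate: use it. Several: ask the user to choose.
# Globals:   MONINT (written)
#######################################
select_monitor_interface() {
  local count wlan enter
  echo -e "\e[01;33m[-]\e[00m In order to extract EAP packets you will need to associate (not authenticate) with the access point of interest"
  echo ""
  echo -e "\e[01;33m[-]\e[00m Your wireless network card must support packet injection."
  echo ""
  sleep 3
  echo -e "\e[01;32m[-]\e[00m Now checking your wireless card..."
  echo ""
  # fix for occasional RFKILL errors
  rfkill unblock all >/dev/null

  # check for wifi mon interface
  count=$(list_monitor_interfaces | wc -l)
  if (( count == 0 )); then
    echo ""
    echo -e "\e[01;31m[!]\e[00m Unable to find any wireless interfaces in monitor mode."
    echo ""
    echo -e "\e[01;32m[-]\e[00m The following interfaces exist:"
    echo "--------------------------------------------------------"
    airmon-ng
    echo -e "\e[1;31m------------------------------------------------------------------------------------------------------------------\e[00m"
    echo -e "\e[01;31m[?]\e[00m Enter the interface you would like to put into monitor mode and press ENTER. i.e wlan0"
    echo -e "\e[1;31m------------------------------------------------------------------------------------------------------------------\e[00m"
    echo ""
    read -r wlan
    # An empty name would otherwise be handed to airmon-ng as "".
    [[ -n "$wlan" ]] || die "No interface name was entered, script will exit."
    echo ""
    echo -e "\e[01;32m[-]\e[00m Now attempting to put your adaptor $wlan into monitor mode...please wait"
    echo ""
    sleep 2
    airmon-ng stop "$wlan" >/dev/null
    sleep 3
    airmon-ng start "$wlan" >/dev/null
    echo ""
    echo -e "\e[01;33m[-]\e[00m If an SIOCSIFFLAGS: error was displayed against $wlan, then you card/driver is not compatable"
    echo ""
    echo -e "\e[01;32m[-]\e[00m Press Enter to continue if you did not see the SIOCSIFFLAGS error."
    echo ""
    read -r enter
    sleep 3
    if list_monitor_interfaces >/dev/null; then
      # First column of every matching line (may be more than one name if
      # airmon-ng lists several; unchanged from the original behaviour).
      MONINT=$(list_monitor_interfaces | awk '{print $1}')
      echo -e "\e[01;32m[+]\e[00m Success, created $MONINT interface in monitor mode."
      echo ""
    else
      echo ""
      echo -e "\e[01;31m[!]\e[00m Unable to create a monitor interface, script will exit."
      echo ""
      echo -e "\e[01;31m[!]\e[00m Your card or driver may not be compatable. Fix and run the script again"
      echo ""
      exit 1
    fi
  elif (( count == 1 )); then
    echo ""
    # Same case-insensitive match as the count above (the original grepped
    # case-sensitively here, which could yield an empty name).
    MONINT=$(list_monitor_interfaces | awk '{print $1}')
    echo -e "\e[01;32m[+]\e[00m I found $MONINT interface, I will use that for the script."
    echo ""
  else
    echo ""
    echo -e "\e[01;32m[-]\e[00m Multiple interfaces exist in monitor mode:"
    echo "-------------------------------------------------------------------"
    list_monitor_interfaces
    echo ""
    echo -e "\e[1;31m------------------------------------------------------------------------------------------------------------------\e[00m"
    echo -e "\e[01;31m[?]\e[00m Enter the interface you would like to use and press ENTER. i.e mon0"
    echo -e "\e[1;31m------------------------------------------------------------------------------------------------------------------\e[00m"
    echo ""
    read -r MONINT
    echo ""
  fi
  [[ -n "$MONINT" ]] || die "No monitor interface was selected, script will exit."
}

#######################################
# Run the interactive airodump-ng survey, then ask for the target BSSID and
# channel. Both values are whitespace-trimmed and must be non-empty.
# Globals:   MONINT (read); BSSID, CHAN (written)
#######################################
choose_target() {
  local enter
  sleep 3
  clear
  echo ""
  echo -e "\e[01;33m[-]\e[00m You need to associate with the access point in question before any information can be extracted"
  echo ""
  echo -e "\e[01;33m[-]\e[00m Note: it should be access points that only have MGT within the AUTH column, which means it is using 802.1x"
  echo ""
  echo -e "\e[01;33m[-]\e[00m Also it should be an access point with traffic or is likely to have traffic. check under Data column"
  echo ""
  echo -e "\e[01;33m[-]\e[00m You will be presented a list all wireless networks. When you have identified the SSID of interest press CTRL C"
  echo ""
  echo -e "\e[01;32m[-]\e[00m Press ENTER to continue"
  echo ""
  read -r enter
  # Interactive survey; the user ends it with CTRL-C. airodump-ng handles the
  # signal itself, so bash carries on here afterwards.
  airodump-ng "$MONINT"

  echo -e "\e[1;31m------------------------------------------------------------------------------------------------------------------\e[00m"
  echo -e "\e[01;31m[?]\e[00m Please enter the BSSID from above for the access point of interest (not SSID) i.e '00:AE:x:x:x:x:x'"
  echo -e "\e[1;31m------------------------------------------------------------------------------------------------------------------\e[00m"
  echo ""
  read -r BSSID
  BSSID=$(trim "$BSSID")
  echo -e "\e[1;31m---------------------------------------------------------------------------------------\e[00m"
  echo -e "\e[01;31m[?]\e[00m Please enter the channel number of of the access point of interest i.e 6"
  echo -e "\e[1;31m---------------------------------------------------------------------------------------\e[00m"
  echo ""
  read -r CHAN
  CHAN=$(trim "$CHAN")
  # Both are passed as single, quoted arguments below; refuse empty values
  # rather than launching airodump-ng with a blank option.
  [[ -n "$BSSID" ]] || die "No BSSID was entered, script will exit."
  [[ -n "$CHAN" ]] || die "No channel was entered, script will exit."
}

#######################################
# Entry point: banner, dependency checks, interface and target selection, then
# the background airodump-ng plus the foreground tshark Identity extraction.
# Globals:   SCREEN_SESSION, MONINT, BSSID, CHAN (read); CAPTURE_STARTED (written)
#######################################
main() {
  print_banner
  check_dependencies
  select_monitor_interface
  choose_target

  echo ""
  echo -e "\e[01;32m[-]\e[00m I will now run a background process to assoicate with this access point..."
  echo ""
  # Every user-supplied value is a single quoted argument now; the original
  # left them unquoted, so a value with spaces became extra arguments.
  # NOTE(review): the airodump-ng flags are passed through exactly as in the
  # original invocation; `-i` in particular is not verified here.
  screen -d -m -S "$SCREEN_SESSION" airodump-ng -i "$MONINT" -c "$CHAN" --bssid "$BSSID"
  CAPTURE_STARTED=1
  echo ""
  echo -e "\e[01;32m[-]\e[00m Now sniffing traffic looking for EAP packets.."
  echo ""
  echo -e "\e[01;33m[-]\e[00m Note this can take some time as it depends on finding EAP traffic and users authenticating."
  echo ""
  echo -e "\e[01;32m[-]\e[00m Leave script running and users will appear if they authenticate, CTRL C to cancel"
  echo ""
  echo -e "\e[01;32m-------------------------------------------------------------------------------------\e[00m"
  echo -e "\e[01;32m[+]\e[00m Capturing Traffic, press CTRL C once you have seen sufficent usernames"
  echo -e "\e[01;32m-------------------------------------------------------------------------------------\e[00m"
  # Verbose EAP decode; only lines carrying an Identity field are shown. CTRL-C
  # ends the capture and the EXIT trap then stops the background airodump-ng.
  # NOTE(review): -R is the legacy read-filter flag; newer tshark releases may
  # reject it without -2, so check the installed version if nothing is shown.
  tshark -i "$MONINT" -R eap -V 2>&1 | grep -- "Identity: *[a-z]\|*[A-Z]\|*[0-9]"
  exit 0
}

main
# Script end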