Last active
July 21, 2022 14:25
-
-
Save FrankSpierings/7a275472f69222b60a974c8e5baab17e to your computer and use it in GitHub Desktop.
MITM SSID setup
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "proxy":{ | |
| "request_listeners":[ | |
| { | |
| "certificate_mode":"per_host", | |
| "listen_mode":"all_interfaces", | |
| "listener_port":8080, | |
| "running":true, | |
| "support_invisible_proxying":true | |
| } | |
| ] | |
| }, | |
| "user_options":{ | |
| "misc":{ | |
| "enable_proxy_interception_at_startup":"never" | |
| } | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| DIR=$(realpath $(dirname $0)) | |
| CONFIG=${DIR}/burp-mitm-config.json | |
| env GDK_SCALE=2 ~/BurpSuitePro/BurpSuitePro --config-file=${CONFIG} 2>/dev/null & |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # MITM script that attempts to setup a SSID listening on <CLIENT_INTERFACE> using hostapd and dnsmasq. | |
| # - <CLIENT_INTERFACE> will be brought up with a new IP address (and brought down & flushed on shutdown) | |
| # - IPv4 Forwarding will be enabled (and restored on shutdown) | |
| # - Required iptables rules will be inserted (and removed on shutdown) | |
| # - hostapd, dnsmasq & tcpdump will be started inside a TMUX session (and all will be killed on shutdown) | |
| # | |
| # Requirements: | |
| # - apt install tcpdump tmux hostapd dnsmasq procps iptables sed iproute2 | |
| # | |
| # In case of any problems: | |
| # - check the tmux session | |
| # - attempt to killall dnsmasq and hostapd. | |
| # - did you start the proxy? | |
| # - is the uplink actually working? | |
| # Change these variables below | |
| CLIENT_INTERFACE=wlx001122334455 | |
| UPLINK_INTERFACE=wlan0 | |
| SSID=MITM | |
| SSID_PASSWORD=password | |
| # The variables below should not need to be changed | |
| IP=/sbin/ip | |
| IPTABLES=/sbin/iptables | |
| DNSMASQ=/usr/sbin/dnsmasq | |
| SED=/bin/sed | |
| SYSCTL=/sbin/sysctl | |
| TMUX=/usr/bin/tmux | |
| PKILL=/usr/bin/pkill | |
| CAT=/bin/cat | |
| TCPDUMP=/usr/sbin/tcpdump | |
| HOSTAPD=/usr/sbin/hostapd | |
| DNSMASQ_PIDFILE=/var/run/dnsmasq-mitm.pid | |
| HOSTAPD_PIDFILE=/var/run/hostapd-mitm.pid | |
| TMUX_SESSION_NAME=MITM | |
| IPTABLES_COMMENTS=$(echo MITM | shasum | cut -f1 -d ' ') | |
| HOSTAPD_CONFIG=$(mktemp /tmp/hostapd.conf.XXX) | |
| CLIENT_SEGMENT_CIDR=192.168.234.0/24 | |
| # Replaces the fourth octet with .254 within CLIENT_SEGMENT_CIDR | |
| CLIENT_INTERFACE_CIDR=$(echo "${CLIENT_SEGMENT_CIDR}" | ${SED} 's/\.[[:digit:]]\{1,3\}/.254/3') | |
| CLIENT_INTERFACE_IP=$(echo ${CLIENT_INTERFACE_CIDR} | ${SED} 's/\/.*//') | |
| # Defines the proxy | |
| PROXY=${CLIENT_INTERFACE_IP} | |
| PROXYPORT=8080 | |
| # Check if we are running as root | |
| if [[ $EUID -ne 0 ]]; then | |
| echo "This script must be run as root" | |
| exit 1 | |
| fi | |
| # Enable forwarding, if required and save the original state. | |
| ORIGVAL_FORWARDING=$(${SYSCTL} -n "net.ipv4.conf.all.forwarding") | |
| if [ $ORIGVAL_FORWARDING -eq 0 ]; then | |
| echo -n 'Enabling IPv4 forwarding: ' | |
| ${SYSCTL} -w "net.ipv4.conf.all.forwarding=1" | |
| fi | |
| # Setup the client-side interface | |
| echo "Flushing ip address of interface '${CLIENT_INTERFACE}'" | |
| ${IP} addr flush dev ${CLIENT_INTERFACE} | |
| echo "Assigning new address to interface '${CLIENT_INTERFACE}': ${CLIENT_INTERFACE_CIDR}" | |
| ${IP} addr add "${CLIENT_INTERFACE_CIDR}" dev ${CLIENT_INTERFACE} | |
| echo "Bringing link up for interface '${CLIENT_INTERFACE}'" | |
| ${IP} link set up dev "${CLIENT_INTERFACE}" | |
| # Setup iptables forwarding, the comment is abused to tear down the inserted rules later on | |
| echo "Injecting iptables rules" | |
| # Hide behind UPLINK_INTERFACE IP | |
| ${IPTABLES} -m comment --comment "${IPTABLES_COMMENTS}" -t nat -s ${CLIENT_SEGMENT_CIDR} -I POSTROUTING -o ${UPLINK_INTERFACE} -j MASQUERADE | |
| # Allow incoming DHCP to dnsmasq | |
| ${IPTABLES} -m comment --comment "${IPTABLES_COMMENTS}" -I INPUT -i ${CLIENT_INTERFACE} -p udp --dport 67:68 --sport 67:68 -j ACCEPT | |
| # Allow incoming DNS to dnsmasq | |
| ${IPTABLES} -m comment --comment "${IPTABLES_COMMENTS}" -I INPUT -i ${CLIENT_INTERFACE} -p udp --dport 53 -j ACCEPT | |
| ${IPTABLES} -m comment --comment "${IPTABLES_COMMENTS}" -I INPUT -i ${CLIENT_INTERFACE} -p tcp --dport 53 -j ACCEPT | |
| # Allow incoming proxy requests | |
| ${IPTABLES} -m comment --comment "${IPTABLES_COMMENTS}" -I INPUT -i ${CLIENT_INTERFACE} -p tcp --dport ${PROXYPORT} -j ACCEPT | |
| # Redirect web traffic to the proxy | |
| ${IPTABLES} -m comment --comment "${IPTABLES_COMMENTS}" -t nat -I PREROUTING -i ${CLIENT_INTERFACE} -p tcp --dport 80 -j DNAT --to-destination ${PROXY}:${PROXYPORT} | |
| ${IPTABLES} -m comment --comment "${IPTABLES_COMMENTS}" -t nat -I PREROUTING -i ${CLIENT_INTERFACE} -p tcp --dport 443 -j DNAT --to-destination ${PROXY}:${PROXYPORT} | |
| # Allow forwarding of client traffic to the uplink | |
| ${IPTABLES} -m comment --comment "${IPTABLES_COMMENTS}" -I FORWARD -i ${CLIENT_INTERFACE} -o ${UPLINK_INTERFACE} -j ACCEPT | |
| ${IPTABLES} -m comment --comment "${IPTABLES_COMMENTS}" -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| # Setup tmux session (in the background) | |
| ${TMUX} new-session -s "${TMUX_SESSION_NAME}" -d | |
| # Start dnsmasq listening to the CLIENT_INTERFACE in the tmux session | |
| CLIENT_INTERFACE_IPSTART=$(echo "${CLIENT_SEGMENT_CIDR}" | ${SED} 's/\.[[:digit:]]\{1,3\}/.1/3' | ${SED} 's/\/.*//') | |
| CLIENT_INTERFACE_IPSTOP=$(echo "${CLIENT_SEGMENT_CIDR}" | ${SED} 's/\.[[:digit:]]\{1,3\}/.100/3' | ${SED} 's/\/.*//') | |
| ${TMUX} split-window -t "${TMUX_SESSION_NAME}" -d "${DNSMASQ} --pid-file=${DNSMASQ_PIDFILE} --except-interface=lo --log-facility=- --log-queries --log-dhcp --bind-interfaces --interface=${CLIENT_INTERFACE} --dhcp-range=${CLIENT_INTERFACE_IPSTART},${CLIENT_INTERFACE_IPSTOP}; read" | |
| # Write the temporary hostapd.conf file | |
| echo "Writing hostapd configuration: '${HOSTAPD_CONFIG}'" | |
| ${CAT} > "${HOSTAPD_CONFIG}" << _EOF | |
| interface=${CLIENT_INTERFACE} | |
| ssid=${SSID} | |
| channel=1 | |
| wpa_passphrase=${SSID_PASSWORD} | |
| auth_algs=1 | |
| beacon_int=100 | |
| ctrl_interface=/var/run/hostapd | |
| ctrl_interface_group=0 | |
| dtim_period=2 | |
| eapol_key_index_workaround=0 | |
| eapol_version=2 | |
| fragm_threshold=2346 | |
| hw_mode=g | |
| ieee8021x=0 | |
| ignore_broadcast_ssid=0 | |
| logger_stdout=-1 | |
| logger_stdout_level=0 | |
| logger_syslog=-1 | |
| logger_syslog_level=10 | |
| max_num_sta=256 | |
| rts_threshold=2347 | |
| wme_ac_be_acm=0 | |
| wme_ac_be_aifs=3 | |
| wme_ac_be_cwmax=10 | |
| wme_ac_be_cwmin=4 | |
| wme_ac_be_txop_limit=0 | |
| wme_ac_bk_acm=0 | |
| wme_ac_bk_aifs=7 | |
| wme_ac_bk_cwmax=10 | |
| wme_ac_bk_cwmin=4 | |
| wme_ac_bk_txop_limit=0 | |
| wme_ac_vi_acm=0 | |
| wme_ac_vi_aifs=2 | |
| wme_ac_vi_cwmax=4 | |
| wme_ac_vi_cwmin=3 | |
| wme_ac_vi_txop_limit=94 | |
| wme_ac_vo_acm=0 | |
| wme_ac_vo_aifs=2 | |
| wme_ac_vo_cwmax=3 | |
| wme_ac_vo_cwmin=2 | |
| wme_ac_vo_txop_limit=47 | |
| wme_enabled=0 | |
| wpa=2 | |
| wpa_group_rekey=0 | |
| wpa_key_mgmt=WPA-PSK | |
| wpa_pairwise=CCMP | |
| _EOF | |
| # Start hostapd listening to the CLIENT_INTERFACE in the tmux session. | |
| # Manually record its PID, as we want to keep logging in the foreground and the pidfle parameter only works while using daemon mode. | |
| ${TMUX} split-window -t "${TMUX_SESSION_NAME}" -d "${HOSTAPD} ${HOSTAPD_CONFIG} & echo \$! > "${HOSTAPD_PIDFILE}"; read" | |
| # Start tcpdump listening to the CLIENT_INTERFACE in the tmux session | |
| ${TMUX} split-window -t "${TMUX_SESSION_NAME}" -d "sleep 5; ${TCPDUMP} -i ${CLIENT_INTERFACE} -s0 -U; read" | |
| # Kill the first (empty) tmux pane in the session | |
| ${TMUX} kill-pane -t "${TMUX_SESSION_NAME}":1 | |
| echo | |
| echo "We should be up and running." | |
| echo "Check out 'tmux a -t ${TMUX_SESSION_NAME}'" | |
| read -p "Press ENTER to shutdown...." | |
| # | |
| # Shutdown & cleanup | |
| # | |
| echo | |
| echo "Shutting down..." | |
| echo "Killing processes" | |
| # Kill dnsmasq | |
| ${PKILL} -F "${DNSMASQ_PIDFILE}" | |
| # Kill hostapd | |
| ${PKILL} -F "${HOSTAPD_PIDFILE}" | |
| # Kill tmux session | |
| ${TMUX} kill-session -t "${TMUX_SESSION_NAME}" | |
| # Remove temporary hostapd.conf | |
| echo "Removing temporary hostapd configuration file: '${HOSTAPD_CONFIG}'" | |
| rm ${HOSTAPD_CONFIG} | |
| # Forwarding | |
| if [ $ORIGVAL_FORWARDING -eq 0 ]; then | |
| echo -n 'Disabling IPv4 forwarding: ' | |
| ${SYSCTL} -w "net.ipv4.conf.all.forwarding=0" | |
| fi | |
| # Removing iptables, based on the comments and their reverse order | |
| echo "Deleting iptables rules" | |
| ${IPTABLES} -t nat -L POSTROUTING --line-numbers -n | grep "${IPTABLES_COMMENTS}" | cut -d ' ' -f1 | tac | xargs -n 1 -L1 iptables -t nat -D POSTROUTING | |
| ${IPTABLES} -t nat -L PREROUTING --line-numbers -n | grep "${IPTABLES_COMMENTS}" | cut -d ' ' -f1 | tac | xargs -n 1 -L1 iptables -t nat -D PREROUTING | |
| ${IPTABLES} -L FORWARD --line-numbers -n | grep "${IPTABLES_COMMENTS}" | cut -d ' ' -f1 | tac | xargs -n 1 -L1 iptables -D FORWARD | |
| ${IPTABLES} -L INPUT --line-numbers -n | grep "${IPTABLES_COMMENTS}" | cut -d ' ' -f1 | tac | xargs -n 1 -L1 iptables -D INPUT | |
| # Client-side interface | |
| echo "Flushing ip address of interface '${CLIENT_INTERFACE}'" | |
| ${IP} addr flush dev ${CLIENT_INTERFACE} | |
| echo "Bringing link down for interface '${CLIENT_INTERFACE}'" | |
| ${IP} link set down dev "${CLIENT_INTERFACE}" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment