Skip to content

Instantly share code, notes, and snippets.

@binkybear

binkybear/gist:fa5dff0ebe263c94b1ec

Last active May 24, 2018 01:46
Show Gist options
  • Save binkybear/fa5dff0ebe263c94b1ec to your computer and use it in GitHub Desktop.
Save binkybear/fa5dff0ebe263c94b1ec to your computer and use it in GitHub Desktop.
Download ZIP
Passive Scanner (for Nethunter)
Raw
gistfile1.sh
#!/bin/bash
#
# Passively scan for targets using tshark to capture pcap
# then parse out pcap for interesting activity/clients.
# Order: tshark (capture), p0f (fingerprint), dsniff (plaintext),
# tcptrace (parse ip src > ip dst)
#
# + Dependencies tshark, tcptrace, dsniff
#
# + To run and capture traffic for five minutes:
# ./filename.sh wlan0 5
NOW=$(date +"%m-%d-%y-%H%M%S")
INTERFACE=$1
SECONDS=$(($2 * 60))
CAPTURE="/captures/tshark/tshark_$NOW.pcap"
GATEWAY=$(/sbin/ip route | awk '/default/ { print $3 }')
IPADDRESS=$(/sbin/ifconfig $INTERFACE | awk -F ' *|:' '/inet addr/{print $4}')
OUTPUT="/captures/passive/passive_$NOW.log"
if [ "$*" == "" ]; then
echo usage: $0 interface minutes
echo
exit
fi
# create required files
mkdir -p /captures/tshark/
mkdir -p /captures/passive/
#[ $# -eq 0 ] && { echo "Usage: $0 interface minutes_to_capture"; exit 1; }
clear
echo ""
echo "[+] Your current select interface is: $INTERFACE"
echo "[+] Your current IP is: $IPADDRESS"
echo "[+] Your current Gatway IP is: $GATEWAY"
echo "[+] Final log will be saved to $OUTPUT"
touch $OUTPUT
# Tshark capture
echo "[+] Starting tshark on $INTERFACE and writing to $CAPTURE for $2 minute(s)"
echo ""
tshark -n -i $INTERFACE -w $CAPTURE -F pcap -a duration:$SECONDS
echo "[-] Stopping tshark "
echo "[+] Starting p0f"
echo " ------------ P0F OUTPUT ------------- " >> $OUTPUT
p0f -r $capture -o $OUTPUT
echo "[+] Scanning $CAPTURE for plain text passwords"
echo "" >> $OUTPUT
echo " ------------ DSNIFF OUTPUT ------------- " >> $OUTPUT
dsniff -p $CAPTURE >> $OUTPUT
echo "[+] Scanning $CAPTURE for HTTP traffic"
echo "" >> $OUTPUT
echo " ------------ URLSNARF OUTPUT ------------- " >> $OUTPUT
urlsnarf -p $CAPTURE >> $OUTPUT
echo "[+] Scanning $CAPTURE for SMTP/POP Email"
echo "" >> $OUTPUT
echo " ------------ MAILSNARF OUTPUT ------------- " >> $OUTPUT
mailsnarf -p $CAPTURE >> $OUTPUT
echo "[+] Scanning $CAPTURE for NFS Files"
echo "" >> $OUTPUT
echo " ------------ FILESNARF OUTPUT ------------- " >> $OUTPUT
filesnarf -p $CAPTURE >> $OUTPUT
echo "[+] Scanning $CAPTURE for Chat messages"
echo "" >> $OUTPUT
echo " ------------ MSGSNARF OUTPUT ------------- " >> $OUTPUT
msgsnarf -p $CAPTURE >> $OUTPUT
# Parse out pcap file to log using
# From: https://github.com/phreakocious/pcap-scripts/blob/master/summarizePcaps.sh
echo "" >> $OUTPUT
echo " ----------- UNIQUE IPs/MAC ------------ " >> $OUTPUT
declare -A IPTOMAC
echo \# filename clientmac clientip clientport servermac serverip serverport
for FILE in $CAPTURE; do
while read MAC IP; do
IPTOMAC[$IP]=$MAC
done < <(tshark -Tfields -e eth.src -e ip.src -e eth.dst -e ip.dst -r $FILE -R tcp 2> >(grep -v dangerous) |
awk '{print $1,$2; print $3,$4}' |
sort | uniq)
tcptrace -n $FILE |
egrep '^\s+[0-9]:' |
sed -r -e 's/^\s+[0-9]:\s//' -e 's/:/ /g' -e 's/\s+-\s+/ /' -e 's/\s+\(.*//' |
while read CLIENTIP CLIENTPORT SERVERIP SERVERPORT; do
echo "$FILE ${IPTOMAC[$CLIENTIP]} $CLIENTIP $CLIENTPORT ${IPTOMAC[$SERVERIP]} $SERVERIP $SERVERPORT"
echo "$FILE ${IPTOMAC[$CLIENTIP]} $CLIENTIP $CLIENTPORT ${IPTOMAC[$SERVERIP]} $SERVERIP $SERVERPORT" >> $OUTPUT
done
done
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment