BASH scripts for performing various functions related to auditing 802.11* security using android phones with patched firmware.
- rooted phone, running some variant of android that supports bash. LineageOS and Kali Nethunter which is based on Lineage have the upgraded toybox binary which includes a pseudo-bash shell instead of just dash.
- Nexmon https://github.com/seemoo-lab/nexmon - Nexmon is firmware patches that enable monitor and packet injection modes on certain broadcom chipsets. Best support is the Google Nexus 5, the Nexus 6P. Nexus 5 has the best support combine with the smallest size, best ergonomics and lightest weight is the most portable.
WARNING - THESE CHIPSETS HAVE A KNOWN EXPLOIT IN THEM. DON'T USE AS A DAILY DRIVER OR AS A COMMUNICATIONS DEVICE
phone_packages/ - directory with pre-assembeled and tested packages for specific phones along with an ADB install script tested.
bash_completion/ - directory with bash completion scripts
binaries/ - directory with staticly compiled binaries for all needed tools
libraries/ - precompiled libraries needed for capture
wifi_capture.sh - capture packets with tcpdump. files are saved to Downloads/ directory in Android, named and datestamped.
subcommands are:
-
ap_beacon - captures 802.11 base station beacons, optionally specify MAC
-
ap_handshake - captures 802.11 WPA/WPA2 handshakes, optionally specify MAC
-
all_by_mac - captures all frames associated with MAC address specified
-
all_by_name - captures all frames associated with ESSID name
-
custom - use raw tcpdump syntax
-
help - show usage and commands
-
test - test if everything is setup correctly
-
kill - stop capture, write to files, reload android API for files, and exit
wifi_attack.sh - run various 802.11 Wireless attacks. Front end for various tools. Subcommands are:
-
flood_auth - Flood auth requests. If a parameter is given it is assumed to be the MAC address of the AP.(MDK3)
-
confuse_wids - Confuse a WIDS system. Needs an SSID as a parameter.(MDK3)
-
tkip_shutdown - Perform the "Michael Shutdown" exploit against a target AP. AP must be using TKIP encryption. Needs an AP MAC address as a second parameter.(MDK3) You can use "tkip_shutdown qos " to use the TKIP QoS exploit in conjunction.(MDK3)
-
decloak - Attempt to decloak an access point(get the SSID) that is hidden. saves file to Download/ (MDK3)
-
deauth - De-auth clients from a specified AP. You must specify the MAC address of the AP.(aireplay-ng)
-
deauth-client - De-auth specific client from AP. Specify AP and client such as: deauth-client
-
reaver_wps - Bruteforce target AP with reaver. need to specify AP MAC address(ESSID). You may specify "pixie" as the second parameter to use pixiewps to try a pixiedust attack.(reaver)
-
help - This message
-
test - Test nexutil install
-
kill - Stop attack and exit
Hijacker is a GUI front end for nexmon/aircrack: https://github.com/chrisk44/Hijacker
Saved actions for the "Hijacker" app for android. needs Nexmon and root. Allows for custom actions with variables.
hijacker_actions/ - directory with actions for using these scripts in the app
Connectbot is an ssh and local terminal app that allows limited scripting and automation. https://github.com/connectbot/connectbot
connectbot/ - directory with a connectbot connection database preconfigured to run our scripts on local terminal.