
                   Aerial v. 0.14.0.9  - Thu 09 Oct 2014

What is it ?

Aerial is one of the easiest ways to create a Software Access Point on a Kali Linux box: fully capable*, high speed*, in either band (5 GHz or 2.4 GHz), high-throughput IEEE 802.11n* or not, with Wi-Fi Protected Setup* (WPS) or not, and with the clients' traffic manipulated, intercepted, injected, forced, proxied or MITMed, or left untouched.

*When Hostapd is used and depending on your wireless NIC's capabilities.

History

Aerial is the continued development of the 2009 "wlan_nick" bash script:

First of all, Aerial is a HUGE bash script. Maybe it's the longest bash script you have ever seen. It is 8000 lines long, including comments, references, examples etc. I think this is not good. I'm sure that there is an easier way to write it, but unfortunately I only know bash scripting and my programming skills are very limited (self-taught person). My main concern was, and is, to write it in a way that is understandable by me. My main goal was to set up a safe environment to run my tests and do my experiments, and as a result I wrote Aerial. Aerial is a summary of various small bash scripts. I modified it a lot, and I added so many examples of correct usage so that it could be understood by anyone and not only by me. I decided to release it to the public in the hope that it might be useful for someone else besides me.

About the script

The script is mainly split into two major sections:

  1. How the SoftAP is created and how it should behave, e.g. hostapd- or airbase-ng-based / which band it broadcasts in / whether it is encrypted (WEP/WPA2) or open (OPEN) / whether WPS is enabled / DHCP server / DNS forwarding etc.
  2. Now that the SoftAP exists, what do we do with the incoming and outgoing traffic (encrypted or not)? This is where the "14 modes" come in. As long as the clients are connected to our Kali box we can do whatever we want with their traffic: intercept it, proxy it, redirect it, run MITM attacks, force the clients to visit a specific page, inject JavaScript code etc.

Installation

No installation is required. Just run it with:

sh Aerial.sh

Relax and let the script download and install what it needs, create the CA certificates etc. DO NOT INTERRUPT IT. Let it finish. A new folder named "Aerial" will be created, and everything you may want to find will be in that folder, e.g.:
  - aerial.conf (this script's configuration file)
  - hostapd.conf (hostapd configuration file)
  - CA-certificates folder with the included certificates
  - Backup folder with the included files
  - etc.

When a "Mode" is executed, a new folder with the corresponding name (e.g. sslsplit) is created inside the "Aerial" folder, holding all the files (configuration, logs etc.) that the "Mode" uses. So the only thing you have to do is run a "Mode" and then look at that "Mode"'s folder. If a "Mode" has never been executed, no folder is created for it.

Features

Fourteen Access Point modes :

1.  Simple WLAN - Clients can access Internet.
----------------------------------------------
    Aerial will act as a plain Access Point. No interception at all.
    Mode's folder name: none

2.  Transparent HTTP Proxied WLAN Optimized for low Internet Speeds RTR*
------------------------------------------------------------------------
    When the Internet connection is slow, this mode may prove useful.
    We try to achieve high cache HIT rates with Squid3, and in some cases we
    violate the HTTP caching rules by keeping cached objects longer than we should.
    Of course this mode can also be used simply as an HTTP-proxied WLAN.
    Note that in this mode cached files are written to our disk (HDD/SSD).
    Mode's folder name: none - Squid3's log: /var/log/squid3

3.  Airchat - Wireless Fun: Clients will chat with AP and each other.
---------------------------------------------------------------------
    The clients of our WLAN will be forced to chat with our SoftAP and with each other.
    They cannot access the Internet.
    Mode's folder name: none - Airchat's folder: /var/www/

4.  TOR - Transparent anonymous Surfing - Deep Web access .onion sites.
-----------------------------------------------------------------------
    The clients of our WLAN will transparently and anonymously surf the web
    through the Tor network, and they can reach .onion sites. DNS queries are
    also passed through Tor. In this mode we also run arm, the Tor relay monitor.
    Mode's folder name: none.

5.  I2P - Manual anonymous Surfing - Deep Web access .i2p sites
---------------------------------------------------------------
    The clients of our WLAN will surf the web manually and anonymously (see the DNS
    note below), and they can access .i2p sites through the I2P network. This is the only
    NON-transparent mode: you have to manually configure your client's browser to use the
    HTTP and HTTPS proxy running on the Kali box. DNS requests also pass through our
    Linux box, so DNS leaks are possible. Finally, keep in mind that the I2P network is
    extremely slow; sometimes you have to let it run for an hour or more before some pages load.
    Mode's folder name: none.
     
6.  MiTM - Transparent SSLstriped WLAN (Sslstrip).
--------------------------------------------------
    The well-known sslstrip. The clients of our WLAN will transparently surf the web
    with their HTTPS links downgraded to HTTP ("sslstripped"). For limitations see "Known bugs" below.
    Mode's folder name: ../../Aerial/sslstrip/

7.  MiTM - Transparent Proxied and SSLstriped WLAN (Squid3 <-> Sslstrip) RTR*
-----------------------------------------------------------------------------
    Same as above, but in this mode the visited pages are also transparently cached with Squid3.
    Mode's folder name: ../../Aerial/sslstrip/

8.  MiTM - Flip, Blur, Swirl, ASCII, Tourette client's browser images RTR*
--------------------------------------------------------------------------
    Mode's folder name: none - Squid3's log: /var/log/squid3 and /var/www/images/

    8.1 Upside down images RTR*
    ---------------------------
    Your clients' browser (HTTP) images will be turned upside down.

    8.2 Blur images RTR*
    --------------------
    Your clients' browser (HTTP) images will be blurred.

    8.3 Swirl images RTR*
    ---------------------
    Your clients' browser (HTTP) images will be swirled.

    8.4 ASCII Images RTR*
    ---------------------
    Your clients' browser (HTTP) images will be converted into ASCII art.

    8.5 Tourette Images RTR*
    ------------------------
    Your clients' browser (HTTP) images will have words added to them.

9.  MiTM - Forced downloading files RTR*
----------------------------------------
    Your clients will be forced to download our files. The clients are transparently HTTP
    proxied, BUT whenever they ask to download ANY file from ANY HTTP site whose name matches
    one of the extensions *.exe *.zip *.rar *.doc *.msi, they are served our test.(exe, zip,
    rar, doc, msi) instead: the script renames our test.* to the original filename and serves
    it back to the client. Only HTTP sites are affected; this mode has no effect on HTTPS sites.
    Mode's folder name: ../../Aerial/bad_files/

10. MiTM - Transparent and scalable SSL/TLS intercepted WLAN (SSLsplit).
------------------------------------------------------------------------
    The clients of our WLAN will surf through our transparent and scalable SSL/TLS-intercepting
    proxy. While they browse, we transparently sniff:
    non-SSL traffic  : HTTP, WhatsApp and
    SSL-based traffic: HTTPS, SMTP over SSL and IMAP over SSL.
    SSLsplit is a generic transparent TLS/SSL proxy for performing man-in-the-middle attacks
    on all kinds of secure communication protocols. Using SSLsplit, you can intercept and
    save SSL-based traffic and thereby listen in on any secure connection. The forged server
    certificates are signed with the CA created during installation, so clients that have not
    imported that CA (or that pin the real certificate) will get certificate warnings or fail
    to connect.
    Mode's folder name: ../../Aerial/sslsplit/
    Search script     : ../../Aerial/sslsplit/search.sh

11. MiTM - Transparent HTTP(S) intercepted WLAN (mitmproxy).
------------------------------------------------------------
    Almost the same as the above. The clients of our WLAN will surf through our transparent
    SSL/TLS-intercepting proxy. The main difference is that mitmproxy is an interactive
    console program that allows traffic flows to be inspected and edited on the fly.
    Mode's folder name: ../../Aerial/mitmproxy/


12. MiTM - Honey Proxy - Transparent HTTP(S) intercepted WLAN.
--------------------------------------------------------------
    The same as the above. The clients of our WLAN will surf through our transparent SSL/TLS-
    intercepting proxy. In this mode the transparent HTTP(S) WLAN traffic is recorded for
    investigation and analysis. HoneyProxy is a lightweight man-in-the-middle proxy that helps you
    analyze HTTP(S) traffic flows. It is tailored to the needs of security researchers
    and allows both real-time and log analysis. It focuses on features that are useful
    in a forensic context and allows extended visualization capabilities.
    Mode's folder name: ../../Aerial/honeyproxy/

13. SiTM - Squid in The Middle - Transparent HTTP(S) proxied WLAN RTR*
----------------------------------------------------------------------
    The clients of our WLAN will be transparently HTTP and HTTPS proxied.
    Mode's folder name: none - Squid3's log: /var/log/squid3.
    Dynamically generated certificates folder: /var/lib/ssl_db/

14. JiTM - JavaScript in The Middle - JavaScript Code Inject RTR*
-----------------------------------------------------------------
    Squid will inject code into every JavaScript file passing through the proxy.
    You can inject:
         1. A simple script that pops up an annoying alert with a message.
         2. A script that captures the content of submitted forms without the user noticing
            (the form must be submitted via JavaScript, and it does not work very well).
         3. Your own JavaScript.
    Mode's folder name: ../../Aerial/Java_Inject/

(*RTR: Real Time Reports with SARG.)

(1) Disable BSS neighbour check / force 40 MHz channels patch.

By default hostapd checks for overlapping channels with neighbouring BSSes before enabling 40 MHz channels, as IEEE 802.11n requires for 20/40 MHz coexistence. In dense WLAN areas this usually results in falling back to 20 MHz channels:

hostapd -d /etc/hostapd/hostapd.conf
40 MHz affected channel range: [2407,2457] MHz
Neighboring BSS: 00:19:xx:xx:xx:xx freq=2412 pri=0 sec=0
Neighboring BSS: 9c:c7:xx:xx:xx:xx freq=2412 pri=1 sec=0
Neighboring BSS: 88:25:xx:xx:xx:xx freq=2412 pri=1 sec=5
40 MHz pri/sec mismatch with BSS 88:25:xx:xx:xx:xx <2412,2432> (chan=1+) vs. <2442,2422>
20/40 MHz operation not permitted on channel pri=7 sec=3 based on overlapping BSSes

hostapd is in fact behaving as the standard requires, but most manufacturers do not perform that check and broadcast with 40 MHz channel width regardless. With this patch hostapd still performs the check, but the result is ignored and 40 MHz channel width is forced. Be aware that this makes your AP the inconsiderate neighbour: the overlapping BSSes the check was protecting will see the interference instead.

A working example with the 40 MHz channel width forced:

hostapd -d /etc/hostapd/hostapd.conf
40 MHz affected channel range: [2407,2457] MHz
Neighboring BSS: 00:19:xx:xx:xx:xx freq=2412 pri=0 sec=0
Neighboring BSS: 9c:c7:xx:xx:xx:xx freq=2412 pri=1 sec=0
Neighboring BSS: 88:25:xx:xx:xx:xx freq=2412 pri=1 sec=5
40 MHz pri/sec mismatch with BSS 88:25:xx:xx:xx:xx <2412,2432> (chan=1+) vs. <2442,2422>
20/40 MHz operation not permitted on channel pri=7 sec=3 based on overlapping BSSes
DFS 0 channels required radar detection
nl80211: Set freq 2442 (ht_enabled=1, vht_enabled=0, bandwidth=40 MHz, cf1=2422 MHz, cf2=0 MHz)
HT40: control channel: 7  secondary channel: 3
Completing interface initialization
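The "pri=7 sec=3" in the log corresponds to channel=7 with ht_capab=[HT40-] (secondary channel four channels below the primary), and the "[2407,2457] MHz" window is the 40 MHz centre frequency plus or minus 25 MHz. The helper below is an added example, not part of Aerial or hostapd: it reproduces that arithmetic, rejects HT40 pairs whose secondary channel falls off the 2.4 GHz band (which hostapd refuses regardless of the patch), and writes a minimal hostapd.conf for a 40 MHz AP. The interface name, SSID and output path are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of Aerial: HT40 channel arithmetic and a hostapd.conf writer.

# 2.4 GHz centre frequency of a channel (channel 14 is not handled).
chan2freq() { echo $((2407 + $1 * 5)); }

# Secondary channel for a primary channel and an ht_capab offset:
# "+" means [HT40+] (secondary above), "-" means [HT40-] (secondary below).
ht40_secondary() {
    case "$2" in
        +) echo $(($1 + 4)) ;;
        -) echo $(($1 - 4)) ;;
        *) echo "unknown HT40 offset: $2" >&2; return 1 ;;
    esac
}

# The frequency window hostapd scans for neighbouring BSSes before allowing
# 20/40 MHz operation: the 40 MHz centre frequency +/- 25 MHz.
ht40_affected_range() {
    pri=$(chan2freq "$1")
    sec=$(chan2freq "$(ht40_secondary "$1" "$2")")
    centre=$(( (pri + sec) / 2 ))
    echo "$((centre - 25)) $((centre + 25))"
}

# Reject pairs whose secondary channel is outside 1..13.
ht40_valid() {
    sec=$(ht40_secondary "$1" "$2") || return 1
    [ "$sec" -ge 1 ] && [ "$sec" -le 13 ]
}

# Write a minimal 802.11n 40 MHz hostapd.conf for channel $1, offset $2, to file $3.
# interface and ssid are assumed values for the demo.
write_ht40_conf() {
    ht40_valid "$1" "$2" || { echo "invalid HT40 pair: channel $1 offset $2" >&2; return 1; }
    cat > "$3" <<EOF
interface=wlan0
driver=nl80211
ssid=Aerial-test
hw_mode=g
channel=$1
ieee80211n=1
ht_capab=[HT40$2][SHORT-GI-40]
EOF
}
```

`write_ht40_conf 7 - Aerial/hostapd.conf` produces the channel 7 / secondary 3 configuration whose debug output is shown above; `ht40_affected_range 7 -` prints "2407 2457", the same window hostapd reports, which is handy for checking with a scan which neighbouring BSSes will trigger the fallback before you decide to force 40 MHz.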

Known bugs

Credits to repzeroworld (Kali Forums) for explaining to me how sslstrip works.

Tested

The Latest Version

Details of the latest version can be found on the Kali forums and here on GitHub:

Documentation

No documentation available yet. Only this README file.

Licensing

Please see the file called COPYING.

Credits / Videos

hackyard.net https://hackyard.net/aerial-wifi.hy

Ozzy(66) for his great videos: ( https://vimeo.com/user2284430)

Fake AP Mitmproxy https://vimeo.com/114373690

Fake AP-Transparent Proxy - Inject code in exe/dll with BackdoorFactory Proxy https://vimeo.com/112569640

zimmaro's Video [kali]one test with Aerial https://vimeo.com/117293271

To my mentor: Gitsnik

zqPPhM6/IM6czrHPgc6szrrOuSDOvM6/z4Uu

Contacts

You can contact me at :

(c) 2014 Nick_the_Greek