GhostInTheNet
Known AP saving
Using the ranges of <48:> for MAC address as a reservation in some places reduces the entropy, as network admins can just use a regex on a list to easily find the owner, even if the address was changed multiple times, making his work easier.
Using the script does not make the user invisible on Wi-Fi. Using Airodump-ng with a good wireless adapter, the MAC of the user can be found very quickly.
The script won't work inside a virtual machine; the connection will just hang until I disable the script (using nmcli and the graphical NM gives the same result).
Why did you comment out hostnamectl and go back to using hostname?
Edit: There's also the fact that graphical applications that might require root (such as bleachbit) cannot run after the change of hostname. It seems that one way to fix that is by adding the .Xauthority entry, but doing that will create problems at reboot when trying to log in to the session, and a way to fix that would be to add a line that removes the .Xauthority file after using OFF on the script (which is really bad), or using chown on the .Xauthority file.
This is a part of a previous issue #6: you can always spoof your own MAC. I chose the HP vendor because there are a lot of them, so you should be well disguised, and making a blacklist of HP vendors isn't a viable solution in an enterprise.
Speaking about WiFi, you can indeed find a user physically, as I mentioned. If you're saying that the original MAC can be retrieved over distance, then I will require some more details on how exactly you would perform that.
I personally tested it on multiple VMs along with other users, and apparently we have managed to solve some issues regarding NetworkManager (#4, #7), but if there are still some bugs, I would greatly appreciate it if you inform me more about them.
You know more than me about the stealth subject, so I will trust you about the way you spoof the MAC.
I did read your post on your blog about triangulation. No, I can't retrieve the original MAC; I just meant that if one was to infiltrate a Wi-Fi network, someone whose connection passes through the same gateway can detect the one using your script with Airodump-ng. It will show the spoofed MAC, sure, but the other user will be aware of the presence (though it needs a minimum of interaction with the network {browsing} for the user to show up in Airodump).
About the VMs, I found out that the connection will hang indefinitely if the user has the 'auto-reconnect' feature on any AP, and the solution is to disable that feature and then relaunch the script and connect manually. So maybe add to the script a line that backs up the known hosts to avoid reconnection, and sets them back when turning the script OFF.
About NM, I told you everything I know above; it's all coming from .Xauthority, the rest works perfectly. Either deleting .Xauthority or chowning it, though it is not a very important feature to run graphical applications as root, but some users might need to run bleachbit as root or whatever else.
You mean just to detect that somebody has connected to a WiFi network from the beacons/data? Yes, I agree; perhaps I wasn't mentioning it explicitly by saying "broadcast" in the readme, so I'll update it. Then note that the same thing can be done with DHCP if using ethernet, even if you specify the addressing manually. A solution would be to spoof someone else's MAC for even better stealthing.
So, you're using a WiFi adapter for your VM? Well, I'll admit that such tests were out of my scope, thus I'll investigate deeper into that.
It seemed to me, however, that the issue #7 mentioning .Xauthority was solved by chowning it on line 122; perhaps you're speaking about the case where the X session was launched by root originally? I'll look more at it.
Yes, I did not express myself correctly; I was indeed talking about beacons. And yes, your script is most efficient when used with WAN. Totally agree with you about spoofing someone else's MAC; using ingenuity can fix the few weaknesses the script has.
As for .Xauthority, well, I don't understand what is going on then. You might want to check https://github.com/g0rbe/duppy; it's a script similar to yours but written in C++. The owner managed to fix the issue of .Xauthority by chowning it and cleaning the content each time the user turns OFF the script. I tested it multiple times and it's working.
@cryptolok Last things: I think the sleep time is too long and can hang when it says 'If not connected or taking too long - reconnect manually', especially if one does not want to connect afterward. Or can the user CTRL+C at this point without worry?
And sometimes the hostname does not change, though I don't know why (I use nmcli), but I noticed the static hostname does not change at all, even when the hostname changes successfully.
You can send a kill signal at any time, for sure, but it's probably a smart idea to ask the user before performing DHCP.
By static name you mean /etc/hostname? That's normal, I won't perform any persistent actions. Note that you are supposed to launch the script in order to affect the environment, hence the "source/bash" command before the script.
I understand, thanks for the answers; it's more stable that way for the system. Though I still don't understand why my hostname does not change: actually it changes to some random numbers while I'm not connected yet, but reverts back to the default one the moment I get a connection to an AP/Ethernet (I can of course change it myself each time, just asking). It might be NM's fault.
The random number is a random hostname assigned in this case. Try to execute the script within a root shell; if the hostname still changes after a network connection, then NM can be the issue. I'll probably trace its syscalls to determine the problem.
I've just committed some changes to the usage README, basically adding "source/bash" before executing the script on both activation and deactivation; this should force hostname changes. I also added user confirmation for DHCP. I'll see about the NM/Xauth/VM/WiFi a little bit later. Speaking about @g0rbe's work, it seems like he/she/it tried to do the same thing in C++, which is totally free to do since he/she/it wrote their own code, but I still find C++ somehow atrocious for such a task (almost a thousand lines of code), and a little bit egocentric on his/her/its part for not mentioning encountered issues for my project...
I've patched a little the way the hostname is changed; this would definitely solve the problem and even perhaps normalize NM comportment. Waiting for your confirmation.
Really appreciating the help @cryptolok, thanks. It still does not change the hostname, but not to worry about it; it's 100% coming from NM, as some weeks before there was no problem about it. It appeared after a dist-upgrade, I think; I also downloaded a previous version of my OS and there is no problem with your script. So all I can do is wait for them to fix it. I'll tell you if in future updates I see a change of behaviour, so that you don't waste time on problems that aren't your own.
And thanks for the option of choosing your own IP, really nice, and I did not read that you made the script reset at reboot without turning it off, which is great for stability, awesome.
C++ is a great language, but it's best to know one for scripting and one for heavy duty; it makes for versatility. For a task such as your script, bash and python are probably the best.
Cool. Try to add "hostname $RANDOM" at line 128, before the NM restart.
Before trying that, I tried as usual because I had an update yesterday, and the hostname is changing now, so I can't tell if adding the line would have fixed it.
Also the script is way faster now, thanks, but did you notice that each time you run it, it creates a new connection for the AP? Probably has to do with the new DHCP feature you added.
Example: if your AP is "Wifi", the next time you connect to it with the script, it creates "Wifi 1", then next time "Wifi 2". Maybe dropping the known AP would be better?
Nice to know about the hostname, but not so about the AP... Try to delete line 136 (nmcli), but it may be normal due to MAC spoofing, since the AP is bound to an interface with a specific MAC.
Deleting line 136 did the trick; it does not create a new AP anymore, thanks. Dropping the known AP I think would still be nice, disabling the auto-reconnect feature of NM, but I don't know if it can cause issues (it shouldn't?).
Well, I know that an AP can bind to a MAC, but I don't remember your script making multiple clones of the specified AP before, even though you did not update the way you spoof the MAC.
Anyway, the issue can be closed, it's great.
Awesome :) Thanks for the contribution, and feel free to discuss any subject regarding the project.
@cryptolok, thanks for being open to suggestions. Would it be possible to save the known APs at each startup (/tmp), and get them back when turning off? "/etc/NetworkManager/system-connections" is the file to look at for APs. I'm suggesting this because it's annoying and not discreet when booting the computer to get directly connected by NetworkManager to a known AP.
Well, the initial point was to automate ethernet connection, but it's true that I didn't deeply think about the WiFi... I'll see about it.
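The known-AP backup and restore suggested above, as an added example that is not part of GhostInTheNet or duppy: it snapshots which NetworkManager profiles auto-connect, turns auto-connect off for them, and puts the snapshot back later. It assumes nmcli is installed, and the state-file path /tmp/nm-autoconnect.bak is an assumption.

```bash
#!/bin/sh
# Added example, not from the GhostInTheNet project. Requires nmcli.
# STATE_FILE location is an assumption; override it via the environment.
STATE_FILE="${STATE_FILE:-/tmp/nm-autoconnect.bak}"

# list_autoconnect: read terse nmcli output ("NAME:TYPE:AUTOCONNECT", one
# profile per line, as printed by
#   nmcli -t -f NAME,TYPE,AUTOCONNECT connection show)
# on stdin and print the names of profiles that auto-connect. Only Wi-Fi and
# Ethernet profiles are kept, so loopback/bridge helpers stay untouched.
# Caveat: nmcli -t escapes a ':' inside a name as '\:'; such names are not
# handled by this simple IFS split.
list_autoconnect() {
    while IFS=: read -r name type auto; do
        [ "$auto" = "yes" ] || continue
        case "$type" in
            802-11-wireless|802-3-ethernet) printf '%s\n' "$name" ;;
        esac
    done
}

# save_and_disable: write the current auto-connect list to STATE_FILE, then
# switch auto-connect off for each of those profiles (NM setting
# connection.autoconnect). Nothing else in the profile is changed.
save_and_disable() {
    nmcli -t -f NAME,TYPE,AUTOCONNECT connection show \
        | list_autoconnect > "$STATE_FILE"
    while IFS= read -r name; do
        nmcli connection modify "$name" connection.autoconnect no
    done < "$STATE_FILE"
}

# restore: re-enable auto-connect only for the profiles recorded earlier,
# so profiles the user had disabled on purpose stay disabled.
restore() {
    [ -f "$STATE_FILE" ] || return 0
    while IFS= read -r name; do
        nmcli connection modify "$name" connection.autoconnect yes
    done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}

case "${1:-}" in
    on)  save_and_disable ;;   # run before bringing the interface up
    off) restore ;;            # run when turning the tool OFF
esac
```

Run it as root with `on` before the interface is brought up and `off` when done; profiles it disabled will not auto-join in between, which is also what you want against rogue APs that replay a known SSID.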
Hi @cryptolok!
I found in my mail that you mentioned me (I check it rarely).
I didn't mention you because I had never heard of you until somebody linked your repo in the Parrot forum here.
My basic idea came from finding a way to ignore ARP when I learned about the kernel. Before my code, I used hostname and macchanger often.
I wrote it in C++ because I have to learn it, and it doesn't influence the result; it is just easier in shell.
I didn't mention you either, for the very same reason: I didn't know about you or your work in the first place. It is strangely true that I implemented 'hostnamectl' 11 days after your initial release, but I abandoned the idea since I don't want permanent changes, which hostnamectl does anyway. My license is widely permissive, so you're free to do anything you like with my work; it just looks very similar to mine... but those things happen, I guess. I don't care about mentioning; I do my work and try to improve the work of others, and this thread isn't about that subject anyway.
So if you have some suggestions about NM issues, I'll gladly consider them as a valuable addition.
To my understanding, I don't see the point of disabling ICMP, since it uses ARP in the first place. However, you totally forgot about IPv6 NDP broadcasting, which will spoil your stealth.
Yeah, I totally forgot IPv6.
I noticed that the ARM version of Parrot changes the MAC automatically, because of the NetworkManager .conf file. So I can overwrite the default config with my conf file. If I want a random MAC I use random.conf, and with preserve.conf I can spoof a selected MAC and avoid the MAC changes of NM (if any).
man nm-system-settings.conf could be a good read about that.
(English is not my native language, so sorry if I explained myself wrong.)