aikido bash script (when saving it, make the `#!/bin/bash` line the very first line of the file; this title is page text, not part of the script)

#!/bin/bash

#based on a script by I.Verges

#made by prowl3r

#declare arrays

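declare -a WHITE_IPS

declare -a WHITE_MACS

#set here (known) white ips (include the router one). No need to include local IP.
# Use plain ASCII double quotes: typographic quotes (“ ”) are ordinary characters to
# bash and become part of the value, so no discovered host would ever match the list.
# NOTE(review): a whitelist of IPs/MACs proves little on its own — both are trivially
# spoofed on a LAN, so an intruder can simply adopt a listed address to stay silent.
WHITE_IPS=( "192.168.1.1" "192.168.1.2" "192.168.1.3" )

#set here (known) white macs: six colon-separated hex octets, as `arp -a` prints them.
WHITE_MACS=( "00:11:22:33:44:55" "00:22:33:44:55:66" )

#Network interface (eth0, wlan0, ra0)
DEVICE="eth0"

#network mask (24=255.255.255.0, 16=255.255.0.0)
# Also the size of the ping sweep: the first WHITE_IPS entry (the router) plus MASK
# is the range that gets scanned on every run.
MASK=24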

#help

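# usage: print the help text on stdout.
# One quoted here-document instead of a run of echo calls: nothing inside is expanded,
# and the text is easy to edit. Output is identical to the former echo sequence.
usage() {
    cat <<'EOF'

aikido dirty script by prowl3r for those bt4f paranoids

Create the daemon: 'crontab -e' and then add the following line:
*/5 * * * * /path-to-aikido/aikido
(execute every 5 minutes)

Start cron just for this session: /etc/init.d/cron start
update-rc.d cron defaults (to start cron at boot time)

Dont forget to set execution rights and run as root. English lang required

To remove, edit crontab and delete aikido line

It looks for connected hosts and records IP (and MAC if available).
Then confirms it's a known IP, otherwise it nmap it and prompts for further actions.
Please, add your interface as well as known IPs and MACs by editing the script.

Use: ./aikido
Options:
    -h Show this help stuff
EOF
}

# "$@" keeps each argument as one word (the old unquoted $@ re-split arguments on spaces).
for opt in "$@"; do
    if [ "$opt" = "-h" ]; then
        usage
        exit 0
    fi
done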

#obtain local ip

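# IPv4 only ($1 == "inet" skips the inet6 line the old unanchored grep also matched).
# Old net-tools print "inet addr:A.B.C.D", newer ones "inet A.B.C.D": strip the optional
# "addr:" prefix instead of cutting at a fixed column. First match wins, so an interface
# with several addresses only whitelists its primary one.
ip=$(/sbin/ifconfig "$DEVICE" 2>/dev/null \
    | awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }')

#add local ip to array
# Skipped when detection failed so an empty element never enters the whitelist.
if [ -n "$ip" ]; then
    WHITE_IPS+=("$ip")
else
    printf 'aikido: could not determine the IPv4 address of %s\n' "$DEVICE" >&2
fi

#get connected hosts and save them in "-" file (standard output)
#redirected to HOST_IPS variable
# Sweep range = first whitelist entry (the router) + MASK. Without an entry nmap would
# be handed "/24" and the loop below would raise a bogus alert for an empty host.
# NOTE(review): a ping sweep only lists hosts that answer probes; a host that drops
# them is invisible here (arp-scan on the local segment would still see it).
if [ -z "${WHITE_IPS[0]}" ]; then
    printf 'aikido: no address to build the scan range from (set WHITE_IPS)\n' >&2
    exit 1
fi
HOST_IPS=$(/usr/bin/nmap -sP "${WHITE_IPS[0]}/$MASK" -oG -)

#cut to get only valid ip format
# Grepable lines look like "Host: 192.168.1.1 (name)<TAB>Status: Up". Take the second
# whitespace-separated field: the former `cut -c 7-20` chopped the last digit off
# 15-character addresses and let the start of the reverse-DNS name leak into the value,
# which then reached nmap, iptables and a `sh -c` string. Only dotted quads survive;
# hostnames come from reverse DNS and are untrusted input.
IPS=$(printf '%s\n' "$HOST_IPS" \
    | awk '$1 == "Host:" { print $2 }' \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$')

#count lines in archive, or in other words, ips in archive
# The search loop below is 1-based and runs while index <= total, so total = count - 1.
# An empty list gives total = -1 (no iterations) instead of one pass over an empty host.
if [ -n "$IPS" ]; then
    counter=$(printf '%s\n' "$IPS" | wc -l | tr -d ' ')
else
    counter=0
fi
total=$((counter - 1))

#allow access to X from crontab
# cron jobs have no display: point zenity at the local X server and root's auth cookie.
# NOTE(review): this assumes the console session is display :0 and that root's
# .Xauthority is valid for it — confirm on the target machine.
export DISPLAY=:0
export XAUTHORITY="$HOME/.Xauthority"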

#search loop

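# --- helpers for the search loop ----------------------------------------------

# is_ipv4 VALUE: succeed only for a dotted quad whose four octets are in 0..255
# with no leading zeros (some tools read "010" as octal).
# Every host value below ends up in nmap/iptables/tcpdump argv, in a file name under
# /root and in a `sh -c` command line, so nothing but a plain address may get through
# (nmap's grepable output also carries reverse-DNS names, which an attacker can shape).
is_ipv4() {
    local octet
    case $1 in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    local IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$octet" -le 255 ] || return 1 ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# mac_of IP: print the MAC the ARP cache holds for IP (lower-case), or nothing.
# Looking for a MAC pattern in the `arp -a` line instead of matching the English
# "no match found" sentence works in any locale and with newer net-tools wording;
# an "<incomplete>" entry also yields nothing.
mac_of() {
    /usr/sbin/arp -a "$1" 2>/dev/null \
        | grep -oiE '([0-9a-f]{2}:){5}[0-9a-f]{2}' \
        | head -n 1 \
        | tr 'A-Z' 'a-z'
}

# in_list NEEDLE ITEM...: succeed when NEEDLE is exactly equal to one of the ITEMs.
in_list() {
    local needle=$1 item
    shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# in_list_nocase NEEDLE ITEM...: like in_list, ignoring ASCII case (MAC addresses).
in_list_nocase() {
    local needle item
    needle=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    for item in "$@"; do
        [ "$(printf '%s' "$item" | tr 'A-Z' 'a-z')" = "$needle" ] && return 0
    done
    return 1
}

LOG=/root/aikido.log
SEP="----------------------------- x -----------------------------"

# --- search loop ---------------------------------------------------------------
# Hosts are read from fd 3 so the interactive tools in the body (zenity, nmap, konsole)
# keep the script's real stdin and cannot swallow the remaining host lines.
while IFS= read -r adds <&3; do
    #first field only: a reverse-DNS name may follow the address on the same line
    adds=${adds%%[[:space:]]*}
    [ -n "$adds" ] || continue
    if ! is_ipv4 "$adds"; then
        printf 'aikido: ignoring malformed host entry: %s\n' "$adds" >&2
        continue
    fi

    #known ip: nothing to do
    in_list "$adds" "${WHITE_IPS[@]}" && continue

    #obtain and format mac; a known mac is also skipped
    MAC=$(mac_of "$adds")
    if [ -z "$MAC" ]; then
        MAC="Not cached yet"
    elif in_list_nocase "$MAC" "${WHITE_MACS[@]}"; then
        continue
    fi

    #warn about intruder
    # The literal "\n" sequences are what zenity renders as line breaks in the dialog.
    WARNING="$(/bin/date --rfc-3339=seconds) \n HOST: $adds \n ARP: $MAC"

    zenity --timeout 20 --title "aikido: Intruder detected" --question --text "$WARNING \n\n*** Is this a known host? *** \n\n .- OK: No action will be taken \n .- Cancel: Full scan and log details"
    answer=$?   # 0 = OK, 1 = Cancel, 5 = timeout; captured before anything else clobbers $?

    case $answer in
        5)
            # Unattended: nobody decided, so at least keep a record.
            # %b expands the \n markers so the log reads as lines instead of literal "\n".
            {
                printf '%b\n' "$WARNING"
                printf '%s\n' "*** Logged due to dialog timeout / unattended computer ***" "$SEP"
            } >>"$LOG"
            ;;
        0)
            zenity --title "aikido: Known/safe IP notification" --info --text "\n\nPlease add $adds to the whitelist by manually editing the aikido script, otherwise alerts will keep popping up at crontab execution."
            ;;
        1)
            # -A (OS/version/script detection) is noisy and slow and -T5 trades accuracy
            # for speed; the operator asked for it explicitly, so it stays.
            SCAN=$(/usr/bin/nmap -A -T5 "$adds")
            {
                printf '%b\n' "$WARNING"
                printf '%s\n' "$SCAN" "$SEP"
            } >>"$LOG"
            zenity --width 400 --title "aikido: Preliminary actions taken" --info --text "Host and port/services scan details logged at /root/aikido.log \n\n$WARNING \n\n$SCAN"

            a="Nah, I'll take care myself (keep alert showing)"
            b="Try to autopwn using fast-track"
            c="Block this host with iptables"
            d="Capture tcpdump session for this host"

            OPTION=$(zenity --width 380 --height 230 --title "aikido: Countermeasures" --list --text "Now for the fun part. What you wanna do?" --radiolist --column "Pick" --column "Action" TRUE "$a" FALSE "$b" FALSE "$c" FALSE "$d")

            # Patterns are quoted so the labels match literally.
            case $OPTION in
                "$a")
                    continue
                    ;;
                "$b")
                    # WARNING: this launches an exploitation run against a host you have not
                    # identified. "Hacking back" is an offence in most jurisdictions even on
                    # your own LAN, and the address may belong to a guest's device.
                    # The address is passed as a positional parameter rather than pasted into
                    # the command string, so the inner shell never interprets it.
                    /opt/kde3/bin/konsole --vt_sz 80x40 -noclose --workdir /pentest/exploits/fasttrack/ -e sh -c 'python fast-track.py -c 2 "$1" -r' sh "$adds"
                    ;;
                "$c")
                    # INPUT chain only: traffic forwarded through this box is unaffected, a rule
                    # is appended on every run (duplicates pile up until the chain is flushed),
                    # and an intruder who changes address sidesteps it.
                    /sbin/iptables -A INPUT -s "$adds" -j DROP
                    blocked=$(/sbin/iptables -L)
                    zenity --title "aikido: Blocked host notification" --info --text "$blocked"
                    ;;
                "$d")
                    /usr/sbin/tcpdump -i "$DEVICE" host "$adds" -s 1500 -w "/root/$adds.pcap" &
                    tcpdump_pid=$!
                    zenity --title "aikido: Recording activity for host $adds" --info --text "\n\n *** To stop tcpdump recording, just press OK *** \n\n(Use the following command to replay: \n\ntcpdump -r /root/$adds.pcap)"
                    # TERM lets tcpdump flush and close the pcap cleanly; the former
                    # `killall -9 tcpdump` could truncate the capture and also killed every
                    # other tcpdump running on the box.
                    kill "$tcpdump_pid" 2>/dev/null
                    ;;
                *)
                    # Dialog closed or cancelled: the alert is already logged, nothing more to do.
                    ;;
            esac
            ;;
    esac
done 3<<<"$IPS"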