airbase-ng + dhcp3 = frustration
So I am trying to start a spoofed AP using airbase-ng and dhcpd3. I can start airbase just fine, but I hit a roadblock when I try to get an IP. I can run dhcp. Everything works fine and dandy UNTIL I try to connect to an outside source (like google.com). I can assign IPs just fine, but after that it just doesn't want to work.
So this is the script I wrote to set up dhcp and bridge my adapters:
Code:
#! /bin/bash
ifconfig at0 up
ifconfig eth0 up
ifconfig at0 192.168.2.1 netmask 255.255.255.0
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1
#This command copies a conf file from my usb drive into dhcp3. This makes it easier to edit the files on the go.
cp evil.conf /etc/dhcp3/evil.conf
#this is necessary to unlock the dhcpd directory.
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
dhcpd3 -cf /etc/dhcp3/evil.conf -pf /var/run/dhcpd/dhcpd.pid at0
#I tried using iptables to bridge my interfaces but, it ended up in more headaches. I left it in just in case I ever revisit the idea
#iptables --flush
#iptables --table nat --flush
#iptables --delete-chain
#iptables --table nat --delete-chain
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
#iptables --append FORWARD --in-interface at0 -j ACCEPT
#iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1
#So this bridges my interfaces
brctl addbr mitm
brctl addif mitm eth0
brctl addif mitm at0
ifconfig mitm up
Next I use this to destroy all my settings so I can get internet again (once I run that script I lose the internet until I run this script):
Code:
#! /bin/bash
ifconfig eth0 0.0.0.0 down
#Just in case
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 0 > /proc/sys/net/ipv4/ip_forward
#Kills dhcp3
kill `cat /var/run/dhcpd/dhcpd.pid`
ifconfig mitm down
brctl delbr mitm
airmon-ng stop mon0
airmon-ng stop wlan0
ifconfig eth0 down
ifconfig wlan0 down
ifconfig eth0 up
ifconfig wlan0 up
ifdown eth0
ifup eth0
So this is the evil.conf file that is referenced a lot in this code.
Code:
ddns-update-style interim;
#Turning this on stops others from getting an IP
#ignore client-updates;
default-lease-time 60000;
max-lease-time 72000;
authoritative;
subnet 192.168.2.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.1;
    option ip-forwarding on;
    option domain-name-servers 8.8.8.8;
    range 192.168.2.2 192.168.2.254;
}
So here is the network layout.
https://docs.google.com/drawings/pub...Us&w=960&h=720
Some extra diag info for you:
ipconfig (during soft AP attack)
Code:
at0       Link encap:Ethernet HWaddr 00:c0:ca:51:91:4c
          inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
          inet6 addr: fe80::2c0:caff:fe51:914c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B) TX bytes:370 (370.0 B)
eth0      Link encap:Ethernet HWaddr 00:14:22:34:d9:ba
          inet addr:192.168.1.8 Bcast:192.168.1.255 Mask:255.255.255.0
          inet6 addr: fe80::214:22ff:fe34:d9ba/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:120832 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60065 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:145104195 (145.1 MB) TX bytes:5357983 (5.3 MB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:564 errors:0 dropped:0 overruns:0 frame:0
          TX packets:564 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:43695 (43.6 KB) TX bytes:43695 (43.6 KB)
mitm      Link encap:Ethernet HWaddr 00:14:22:34:d9:ba
          inet6 addr: fe80::214:22ff:fe34:d9ba/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B) TX bytes:234 (234.0 B)
mon0      Link encap:UNSPEC HWaddr 00-C0-CA-51-91-4C-33-34-00-00-00-00-00-00-00-00
          UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI MTU:1800 Metric:1
          RX packets:377 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:62753 (62.7 KB) TX bytes:0 (0.0 B)
wlan0     Link encap:Ethernet HWaddr 00:1b:77:65:a9:8c
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:7130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5674 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6616442 (6.6 MB) TX bytes:990443 (990.4 KB)
What dhcp3 says:
Code:
Internet Systems Consortium DHCP Server V3.1.3
Copyright 2004-2009 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Wrote 2 leases to leases file.
Listening on LPF/at0/00:c0:ca:51:91:4c/192.168.2/24
Sending on LPF/at0/00:c0:ca:51:91:4c/192.168.2/24
Sending on Socket/fallback/fallback-net
I have also researched the topic, and there haven't been any fixes people have submitted that I haven't already tried and failed with, or that weren't beyond the scope of my attack.
Also, some things of note: when I switched ddns-update-style to either ad-hoc or none, it will not give out an IP address.
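From the defender's side, a DHCP server like the one configured in evil.conf shows up on the wire as OFFER/ACK replies whose server identifier and DNS option do not match the network's own. The following is an added example, not part of the original post: it parses a DHCP reply payload and flags it against an allowlist. The allowlist (192.168.1.1 as the authorised DHCP and DNS server) and the `build_reply` sample packets are assumptions constructed for illustration.

```python
import struct
from ipaddress import IPv4Address
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def parse_options(payload):
    """Return {option code: raw value} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def addrs(raw):
    """Split an option value into dotted-quad strings (4 bytes each)."""
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

def check_reply(payload, allowed_servers, allowed_dns):
    """Findings for a DHCPOFFER/DHCPACK; an empty list means it matches policy."""
    opts = parse_options(payload)
    if opts.get(53) not in (b"\x02", b"\x05"):       # 2 = OFFER, 5 = ACK
        return []
    findings = []
    for server in addrs(opts.get(54, b"")):          # 54 = server identifier
        if server not in allowed_servers:
            findings.append("unauthorised DHCP server " + server)
    for dns in addrs(opts.get(6, b"")):              # 6 = DNS servers
        if dns not in allowed_dns:
            findings.append("unexpected DNS server " + dns)
    return findings

def build_reply(yiaddr, server, router, dns):
    """Constructed DHCPOFFER used as sample input (not a capture)."""
    ip = lambda a: IPv4Address(a).packed
    hdr = struct.pack("!4BI2H4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                      ip(yiaddr), ip(server), bytes(4), bytes(16), bytes(64), bytes(128))
    opts = b"\x35\x01\x02" + b"\x36\x04" + ip(server) + b"\x03\x04" + ip(router)
    return hdr + MAGIC + opts + b"\x06\x04" + ip(dns) + b"\xff"

# Sample replies: one shaped like evil.conf's subnet, one from the assumed real server.
ROGUE = build_reply("192.168.2.2", "192.168.2.1", "192.168.2.1", "8.8.8.8")
LEGIT = build_reply("192.168.1.8", "192.168.1.1", "192.168.1.1", "192.168.1.1")
```

In practice the payloads would come from UDP port 67/68 traffic captured on the monitored segment.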