Wireless Key Harvester --- including video
A fork from this project http://forums.remote-exploit.org/showthread.php?t=18369
Video : http://blip.tv/file/1573599/
Command: http://pastebin.com/f56bf91f1
Similar to karma.rc, but more direct, user is forcefully disconnected, connects to our access point, gets redirected and downloads our exploit and we grab wireless keys.
It's setup so thats it's mostly automated, victims will come and go, meterpreter script will dump keys into a key folder
Jobs to do if people want to help
(1) Fully automate the setting up of the access point --- fairly simple to do, check out the karma script
(2) This is where your suggestions and updates will be greatly appreciated, uploading wireless key viewer is quite lame, we want to dump the registry, grab hashes, maybe even upload permanent exploits. I've made a start with the harvester.rb file.... it's at the bottom of the pastebin link.
scripting is not my thing and I still consider myself a newbie --- 6hours of googling makes my eyes hurt
Hope this is a start for all!
(3) We need to investigate the -P command in airbase-ng, when using I find it very difficult to get a victim to connect, any suggestions on where to look?
and an improvement to our fake update page --- could change it to something else --- wireless gateway requires you to download a token to access the internet or something similar
Great job, pretty impressive! Got to try it out!! (:
But a tip for the social engineering part - I would recommend changing the text to something like:
Critical Vulnerability in Windows Vista, Windows Vista, Windows 2000 found 12/10-2008.
Prior to using our free services, please patch to avoid spreading malware into our network.
OS Universal patch available here: download or visit Microsoft's site regarding MS08-067
That would feel more real instead of faking a genuine Microsoft Update.
- Poul Wittig
the update page is the minor bit, i'm sure we have lots of creative people here, the important bit is the harvester.rb file, it's very difficult when they are limited examples of scripts available, all in all I think I found at most 10 meterpreter scripts.
bed time for me now
Brilliant work HM2075! Once more you have accomplished just about everything I was trying to do in about half the time it would take me to puzzle it out myself. I am still working on a program for automation but it is coming along slowly. Im teaching myself mostly from the ground up and the holiday season is really hectic in my line of work so I have had very little time to work on it.
I have one suggestion. If you can get them to download and execute a program, I would reccomend a rootkit. Ive been fooling around with the HackerDefender rootkit recently and its ability to hide processes, and subvert countermeasures make it extremely hard to detect and to get rid of. I wouldn't try using one in a normal pentest since you would probably have to wipe the drive of any infected system, but if you really want to get into a system and stay there these things are great.
Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."
Neo: "What if I take both?"
Morpheus: "Don't do that! You end up like Nick Nolte!"
just a quick update -- i think it is quite easy to have transparency mode integrated
i.e. user firsts connects and is forced to "upgrade"
post exploitation we can kick off a script that allows traffic for that ip address or mac address
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
/etc/init.d/dhcp3-server restart
This command doesn't work in BT3??
I guess I need to use dchpd.conf but unsure, any one come across and got any pointers??
You will want to use dhcpd instead of dhcp3 as you are probably running BT3. Try replacing the command with the followingOriginally Posted by letmein
Code:dhcpd -d -f -cf /etc/dhcpd.conf at0
-Monkeys are like nature's humans.
Tron, thanks for this, will give it a go and report back!
Seeing more and more info popping up about this on the forums. Ill do my best to keep posts linked up since it has started to sprawl. Anyhow here is Deathray's extreamly informative tutorial and script further refining the Transparency process AND finally getting ettercap working with real-time sniffing over a TUN device whoohoo!
http://forums.remote-exploit.org/showthread.php?t=19048
Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."
Neo: "What if I take both?"
Morpheus: "Don't do that! You end up like Nick Nolte!"
maybe a merge is in order
Still no joy with airbase-ng -P and deauth mode, this is the only thing that is missing, it's difficult to create our evil twin network, any help guys?
Posting Permissions
