
Thread: Wireless Key Harvester --- including video

  1. #1 (Member, joined Feb 2010, 204 posts)

    Wireless Key Harvester --- including video

    A fork from this project http://forums.remote-exploit.org/showthread.php?t=18369


    Video : http://blip.tv/file/1573599/
    Command: http://pastebin.com/f56bf91f1


    Similar to karma.rc, but more direct, user is forcefully disconnected, connects to our access point, gets redirected and downloads our exploit and we grab wireless keys.

    It's set up so that it's mostly automated: victims will come and go, and the meterpreter script will dump keys into a key folder.

    Jobs to do if people want to help
    (1) Fully automate the setting up of the access point --- fairly simple to do, check out the karma script

    (2) This is where your suggestions and updates will be greatly appreciated, uploading wireless key viewer is quite lame, we want to dump the registry, grab hashes, maybe even upload permanent exploits. I've made a start with the harvester.rb file.... it's at the bottom of the pastebin link.
    scripting is not my thing and I still consider myself a newbie --- 6 hours of googling makes my eyes hurt
    Hope this is a start for all!

    (3) We need to investigate the -P command in airbase-ng, when using I find it very difficult to get a victim to connect, any suggestions on where to look?
    and an improvement to our fake update page --- could change it to something else --- wireless gateway requires you to download a token to access the internet or something similar

  2. #2 imported_Deathray (Member, joined Oct 2007, 381 posts)

    Great job, pretty impressive! Got to try it out!! (:
    But a tip for the social engineering part - I would recommend changing the text to something like:
    Critical Vulnerability in Windows Vista, Windows Vista, Windows 2000 found 12/10-2008.
    Prior to using our free services, please patch to avoid spreading malware into our network.
    OS Universal patch available here:
    download or visit Microsoft's site regarding MS08-067
    That would feel more real instead of faking a genuine Microsoft Update.
    - Poul Wittig

  3. #3 (Member, joined Feb 2010, 204 posts)

    the update page is the minor bit, I'm sure we have lots of creative people here; the important bit is the harvester.rb file. It's very difficult when there are limited examples of scripts available; all in all I think I found at most 10 meterpreter scripts.

    bed time for me now

  4. #4 (Member, joined Sep 2008, 146 posts)

    Brilliant work HM2075! Once more you have accomplished just about everything I was trying to do in about half the time it would take me to puzzle it out myself. I am still working on a program for automation but it is coming along slowly. I'm teaching myself mostly from the ground up and the holiday season is really hectic in my line of work, so I have had very little time to work on it.

    I have one suggestion. If you can get them to download and execute a program, I would recommend a rootkit. I've been fooling around with the HackerDefender rootkit recently, and its ability to hide processes and subvert countermeasures makes it extremely hard to detect and to get rid of. I wouldn't try using one in a normal pentest since you would probably have to wipe the drive of any infected system, but if you really want to get into a system and stay there these things are great.
    Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

    Neo: "What if I take both?"

    Morpheus: "Don't do that! You end up like Nick Nolte!"

  5. #5 (Member, joined Feb 2010, 204 posts)

    just a quick update -- I think it is quite easy to have transparency mode integrated

    i.e. the user first connects and is forced to "upgrade"

    post exploitation we can kick off a script that allows traffic for that IP address or MAC address

  6. #6 (Member, joined Jun 2008, 50 posts)

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
    /etc/init.d/dhcp3-server restart

    This command doesn't work in BT3??

    I guess I need to use dhcpd.conf but unsure, anyone come across this and got any pointers??

  7. #7 (Senior Member, joined Apr 2008, 2,008 posts)

    Quote Originally Posted by letmein:
    > iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
    > /etc/init.d/dhcp3-server restart
    >
    > This command doesn't work in BT3??
    >
    > I guess I need to use dhcpd.conf but unsure, anyone come across this and got any pointers??

    You will want to use dhcpd instead of dhcp3 as you are probably running BT3. Try replacing the command with the following:
    Code:
    dhcpd -d -f -cf /etc/dhcpd.conf at0
    -Monkeys are like nature's humans.

  8. #8 (Member, joined Jun 2008, 50 posts)

    Tron, thanks for this, will give it a go and report back!

  9. #9 (Member, joined Sep 2008, 146 posts)

    Seeing more and more info popping up about this on the forums. I'll do my best to keep posts linked up since it has started to sprawl. Anyhow, here is Deathray's extremely informative tutorial and script further refining the Transparency process AND finally getting ettercap working with real-time sniffing over a TUN device, whoohoo!

    http://forums.remote-exploit.org/showthread.php?t=19048

  10. #10 (Member, joined Feb 2010, 204 posts)

    maybe a merge is in order


    Still no joy with airbase-ng -P and deauth mode. This is the only thing that is missing; it's difficult to create our evil twin network. Any help, guys?
