Wireless Key Harvester --- including video

[Revelati]

maybe a merge is in order


Still no joy with airbase-ng -P and deauth mode, this is the only thing that is missing, it's difficult to create our evil twin network, any help guys?

Ive been having the same issue with -P. It is doing what it advertises of sending out replies to any kind of request from clients, however this causes some extremely suspicious behavior on the clients network list. Basically any AP that the client has as a trusted network will pop onto the network list. This can cause a flood of ESSIDs and I wonder if that isn't the problem itself.

I think a more practical implimentation would be to skip the -P and spoof mac/bssid/essid of the network you want to hit then try to overpower the real AP. The most effective way to do this I think would be to have an unsecured network setup on airbase that is an identical copy of the WPA network you are trying to spoof. Im pretty certain you can spoof WPA encryption through airbase while leaving the network itself open. The client would then see two identical networks, one airbase, and one legit.

Now assuming you have a powerful NIC and antenna you could simply deauth the clients using a 2nd card and hope they will manually reconnect to the strongest signal. If however you cant seem to beat the signal of the legit AP drastic measures may be required.

One way ive found for doing this is to make your fake AP on a different channel from the legit AP. Most people don't notice what channel their AP is set to, windows doesnt even display it by default. So lets say you make the fake ap channel 1 and the legit AP is channel 6. You could then in theory use MDKs destruction mode to jam the crap out of channel 6, or even better a real RF jammer and blow the real APs signal away completely. Thus leaving your fake AP as the only option.

I have also heard you can crash routers with certain packet floods, if this works then you could crash the router and force a reboot giving you a few minutes to fish out some clients to connect to your fake AP.

These are both rather drastic and could cause some serious damage to a network so be careful.

[compaq]

I found that you don't need to deauth the client. If you have something like this
airbase-ng -e "there ap" -a "there mac ap" -I 5 -x 500 after about 30-100sec they will slowly lose the connection with the real ap,after that sent out some probes, after about another 1min, it show up on there computer "169.ip". It displays the name of the network as unsceured now instead of wpa.
I'm try to not have to click stuff on the target, but that might have made it connect.
Been try the -P & -C 60 command,but know luck.

Test with 3bars for real ap, and 5bars for fake.
Just some ramblings but if you could get alot of infomation the same as the real ap,windows wireless cleint just might connect to the strongist or annoying ap(being yours).

[hm2075]

same here, I can deauth, get them to sort of associate with my fake ap but I get a 169. address too,

seems odd, when I check airodump-ng on my other card it doesn't show the victim as associated anywhere

[hm2075]

same here, I can deauth, get them to sort of associate with my fake ap but I get a 169. address too,

seems odd, when I check airodump-ng on my other card it doesn't show the victim as associated anywhere

I also found airbase-ng won't change mac or channel, you need to do this manually with iwconfig and macchanger prior to running airbase, this may just be a 8187 issue

[amsterash]

hi, nice work hm2075 but im having problems with java, when i excecute the java command, i get "java.lang.NoClassDefFoundError:......" any ideas,?

[hm2075]

maybe an update of java is required,

its easy in ubuntu but not so sure with bt3

[NaZirCon]

hi, nice work hm2075 but im having problems with java, when i excecute the java command, i get "java.lang.NoClassDefFoundError:......" any ideas,?

Try to move .class files from "bytecode" folder to the folder where corresponding .java files reside. Or specify the .class path.

From dnspentest Readme :

To use this server you only have to be root and create the bytecodes (in the folder
"./bytecode" we have provided they).

To run:
#> java ServerKernelMain <Server IP> <IP of fake response>

If you have some problems try:
#> java ServerKernelMain -classpath . <Server IP> <IP of fake response>

[amsterash]

im still having the same results,java.lang.noclassdef... i have tried to move the class files, still nothing. anyonther ideas

thanks

[Revelati]

Found an amazing little piece of software called Sweetspot. Basically this allows you to setup an http login screen like any starbucks or hotel would have.
I found out it is called making a "Captive Portal" and it works by creating a software firewall on your gateway, then keeping a list of all assigned IPs. Newly assigned IPs are listed as "captured" and all HTTP requests are redirected to your local server. Once the client registers and the firewall recieves confirmation from the internal server the IP is then reclassified as "released" and can browse the internet.

http://en.wikipedia.org/wiki/Captive_portal
http://sweetspot.sourceforge.net/

[new2bt3]

Found an amazing little piece of software called Sweetspot. Basically this allows you to setup an http login screen like any starbucks or hotel would have.
I found out it is called making a "Captive Portal"

Captive Portals are useful use it with a Walled Garden and/or Radius Servers