
Thread: Wireless Key Harvester --- including video

  1. #11
    Member
    Join Date
    Sep 2008
    Posts
    146

    Quote Originally Posted by hm2075 View Post
    maybe a merge is in order


    Still no joy with airbase-ng -P and deauth mode, this is the only thing that is missing, it's difficult to create our evil twin network, any help guys?
    I've been having the same issue with -P. It is doing what it advertises, sending out replies to any kind of request from clients; however, this causes some extremely suspicious behavior on the client's network list. Basically any AP that the client has as a trusted network will pop onto the network list. This can cause a flood of ESSIDs and I wonder if that isn't the problem itself.

    I think a more practical implementation would be to skip the -P and spoof the MAC/BSSID/ESSID of the network you want to hit, then try to overpower the real AP. The most effective way to do this, I think, would be to have an unsecured network set up on airbase that is an identical copy of the WPA network you are trying to spoof. I'm pretty certain you can spoof WPA encryption through airbase while leaving the network itself open. The client would then see two identical networks, one airbase and one legit.

    Now, assuming you have a powerful NIC and antenna, you could simply deauth the clients using a 2nd card and hope they will manually reconnect to the strongest signal. If, however, you can't seem to beat the signal of the legit AP, drastic measures may be required.

    One way I've found for doing this is to make your fake AP on a different channel from the legit AP. Most people don't notice what channel their AP is set to; Windows doesn't even display it by default. So let's say you make the fake AP channel 1 and the legit AP is channel 6. You could then in theory use MDK's destruction mode to jam the crap out of channel 6, or even better a real RF jammer, and blow the real AP's signal away completely, thus leaving your fake AP as the only option.

    I have also heard you can crash routers with certain packet floods; if this works then you could crash the router and force a reboot, giving you a few minutes to fish out some clients to connect to your fake AP.

    These are both rather drastic and could cause some serious damage to a network, so be careful.

    Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

    Neo: "What if I take both?"

    Morpheus: "Don't do that! You end up like Nick Nolte!"

  2. #12
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    I found that you don't need to deauth the client. If you have something like this:
    airbase-ng -e "there ap" -a "there mac ap" -I 5 -x 500
    after about 30-100 sec they will slowly lose the connection with the real AP; after that they send out some probes, and after about another 1 min it shows up on their computer as a "169." IP. It displays the name of the network as unsecured now instead of WPA.
    I'm trying not to have to click stuff on the target, but that might have made it connect.
    Been trying the -P & -C 60 command, but no luck.

    Tested with 3 bars for the real AP and 5 bars for the fake.
    Just some ramblings, but if you could get a lot of information the same as the real AP, the Windows wireless client just might connect to the strongest or annoying AP (being yours).
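    A defender-side check for the symptom described in this post and the previous one (an ESSID that is normally WPA suddenly also advertised as an open network from another BSSID, possibly on another channel). This is an added example, not code from the thread or from airbase-ng; the scan input is a constructed four-column simplification (BSSID, channel, privacy, ESSID), not real airodump-ng output.

```python
"""Detect evil-twin style ESSID collisions in a wireless scan (defender check)."""
from collections import defaultdict

# Constructed sample scan (not real airodump-ng output): four columns,
# BSSID, channel, privacy, ESSID. All values are made up for this example.
SAMPLE_SCAN = """\
00:11:22:33:44:55, 6, WPA2, HomeNet
00:11:22:33:44:55, 6, WPA2, HomeNet
AA:BB:CC:DD:EE:01, 1, OPN, HomeNet
66:77:88:99:AA:BB, 11, WPA2, OfficeWiFi
DE:AD:BE:EF:00:01, 11, WPA2, OfficeWiFi
"""

def parse_scan(text):
    """Parse 'bssid, channel, privacy, essid' lines into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, channel, privacy, essid = [f.strip() for f in line.split(",", 3)]
        rows.append({"bssid": bssid.upper(), "channel": int(channel),
                     "privacy": privacy.upper(), "essid": essid})
    return rows

def find_twins(rows):
    """Return {essid: finding} for ESSIDs served by >1 BSSID with a mismatch."""
    by_essid = defaultdict(dict)
    for r in rows:
        by_essid[r["essid"]][r["bssid"]] = r  # dedupe repeated beacons per BSSID
    alerts = {}
    for essid, aps in by_essid.items():
        if len(aps) < 2:
            continue  # a single AP cannot be a twin
        privs = {a["privacy"] for a in aps.values()}
        chans = {a["channel"] for a in aps.values()}
        reasons = []
        if "OPN" in privs and len(privs) > 1:
            reasons.append("open network shares ESSID with an encrypted one")
        if len(chans) > 1:
            reasons.append("same ESSID on multiple channels")
        if reasons:  # same channel + same security looks like a normal multi-AP site
            alerts[essid] = {"bssids": sorted(aps), "reasons": reasons}
    return alerts

if __name__ == "__main__":
    for essid, info in find_twins(parse_scan(SAMPLE_SCAN)).items():
        print(f"{essid}: {info}")
```

    The OfficeWiFi rows are deliberately left unflagged: two BSSIDs on the same channel with the same security is what a normal multi-AP deployment looks like, so only the security downgrade and channel split raise an alert.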

  3. #13
    Member
    Join Date
    Feb 2010
    Posts
    204

    Same here, I can deauth, get them to sort of associate with my fake AP but I get a 169. address too.

    Seems odd: when I check airodump-ng on my other card it doesn't show the victim as associated anywhere.

  4. #14
    Member
    Join Date
    Feb 2010
    Posts
    204

    Quote Originally Posted by hm2075 View Post
    Same here, I can deauth, get them to sort of associate with my fake AP but I get a 169. address too.

    Seems odd: when I check airodump-ng on my other card it doesn't show the victim as associated anywhere.

    I also found airbase-ng won't change MAC or channel; you need to do this manually with iwconfig and macchanger prior to running airbase. This may just be an 8187 issue.

  5. #15
    Junior Member
    Join Date
    Nov 2007
    Posts
    33

    Hi, nice work hm2075, but I'm having problems with Java. When I execute the java command, I get "java.lang.NoClassDefFoundError:......". Any ideas?

  6. #16
    Member
    Join Date
    Feb 2010
    Posts
    204

    Maybe an update of Java is required.

    It's easy in Ubuntu but not so sure with BT3.

  7. #17
    Junior Member NaZirCon's Avatar
    Join Date
    Sep 2007
    Posts
    71

    Quote Originally Posted by amsterash View Post
    Hi, nice work hm2075, but I'm having problems with Java. When I execute the java command, I get "java.lang.NoClassDefFoundError:......". Any ideas?
    Try to move the .class files from the "bytecode" folder to the folder where the corresponding .java files reside. Or specify the class path.

    From the dnspentest Readme:

    To use this server you only have to be root and create the bytecodes (in the folder
    "./bytecode" we have provided them).

    To run:
    #> java ServerKernelMain <Server IP> <IP of fake response>

    If you have some problems try (the -classpath option must come before the class name):
    #> java -classpath . ServerKernelMain <Server IP> <IP of fake response>

    Beer is served only to members of the trade union!

  8. #18
    Junior Member
    Join Date
    Nov 2007
    Posts
    33

    I'm still having the same results, java.lang.NoClassDef... I have tried to move the class files, still nothing. Any other ideas?

    thanks

  9. #19
    Member
    Join Date
    Sep 2008
    Posts
    146

    Found an amazing little piece of software called Sweetspot. Basically this allows you to set up an HTTP login screen like any Starbucks or hotel would have.
    I found out it is called making a "Captive Portal", and it works by creating a software firewall on your gateway, then keeping a list of all assigned IPs. Newly assigned IPs are listed as "captured" and all HTTP requests are redirected to your local server. Once the client registers and the firewall receives confirmation from the internal server, the IP is then reclassified as "released" and can browse the internet.

    http://en.wikipedia.org/wiki/Captive_portal
    http://sweetspot.sourceforge.net/
    Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

    Neo: "What if I take both?"

    Morpheus: "Don't do that! You end up like Nick Nolte!"

  10. #20
    new2bt3
    Guest

    Quote Originally Posted by Revelati View Post
    Found an amazing little piece of software called Sweetspot. Basically this allows you to set up an HTTP login screen like any Starbucks or hotel would have.
    I found out it is called making a "Captive Portal"
    Captive Portals are useful; use it with a Walled Garden and/or RADIUS servers.
