Rogue Accesspoint + MitM Sniffing tutorial

[JF1980]

This seems more effective than cracking WPA given the time it would take for a dictionary attack to find a complex key.

Can you emulate an AP, disassociate clients from the real AP and then capture the WPA key for the AP as the client tries to reconnect?

[letmein]

My understanding is that you can:-

create a fake AP (have successfully gotten working)

disassociate clients from a genuine AP and if their computer is set to reconnect automatically it "may" connect to the fake AP if the signal is strong enough. Alterntaivley if your windows box is set to connect to an AP automatically but currently isnt, the fake AP can be set to use the SSID being brioadcast by the windows machine to create a fake AP. (have got this part working)

to obtain the WPA key you would need to run Metasploit, which will only be successful if the connected machine is unpatched and has certain firewall ports open. Once the box is broken you could install wirelesskeyviewer or alternativley run the wirelesskeyharvester (see other thread - although I havent managed to get this working), another alternative is the rogue updates such a notepad plus etc (again not managed to get working)

[imported_=Tron=]

This seems more effective than cracking WPA given the time it would take for a dictionary attack to find a complex key.

Can you emulate an AP, disassociate clients from the real AP and then capture the WPA key for the AP as the client tries to reconnect?

I assume you mean that you would create a rogue WPA encrypted AP and expect to capture the WPA key once the client, believing it is his own AP, tries to connect using it. The answer is no, the WPA handshake is a serie of challenges and responses and the key will not be transmitted in clear text at any point.

But take a look at this thread instead as it presents an interesting alternative for getting the key. The process is a bit more complex and involves the attacker exploiting the client and obtaining all saved wireless keys from his windows registry file once he connect to the fake WAP.

[JF1980]

Has the original post been updated to reflect the most recent script or is there a newer / refined version available?

[imported_Deathray]

To achieve what my tutorial is aimed at, the original script will still work
perfectly with the latest svn - no new features or anything in airbase-ng
could of been added to the script since it was made until now.

[janus]

Yes BadKarmaPR, I sure did. I am not sure what it is. I reinstalled a new image to a lappy and have it working ........ :-)

Hi guys,

It seems I'm having a similar problem with my VM BT3 install with the Alfa USB card.
After much reading and poking around I noticed that I'm getting malformed packets in wireshark (monitoring wlan0 because on at0 wireshark shows no traffic). I have the BT3 final Alfa patch (I believe it is the latest), latest VM tools and VM Ware (6.5.1 I believe) and my DHCPCD.conf is the same as yours.
I guess I could try messing around with the MTU settings a bit more as that seems to be an issue with the Alfa, but other than that i don't really know where to look more.

Am I correct in assuming you got this working with an Alfa card in VM Ware? If so I wonder why myself and silver seven are having problems.

Any ideas welcome.

[imported_Deathray]

Hi guys,

It seems I'm having a similar problem with my VM BT3 install with the Alfa USB card.
After much reading and poking around I noticed that I'm getting malformed packets in wireshark (monitoring wlan0 because on at0 wireshark shows no traffic). I have the BT3 final Alfa patch (I believe it is the latest), latest VM tools and VM Ware (6.5.1 I believe) and my DHCPCD.conf is the same as yours.
I guess I could try messing around with the MTU settings a bit more as that seems to be an issue with the Alfa, but other than that i don't really know where to look more.

Am I correct in assuming you got this working with an Alfa card in VM Ware? If so I wonder why myself and silver seven are having problems.

Any ideas welcome.

Nope, I never managed to fix my issues within VMWare unfortunately.
If I recall correctly maybe a small percentage of the packets seen in wireshark came out right but far from anything that would work. From what I have heard, (think it was Tron) the patch for rtl8187 conained in BT3 is still the latest one you can get. Yes you could try playing a bit more with the MTU or go and explore some more - but don't get your hopes up. Boot BackTrack from a usb and to start having fun

[imported_=Tron=]

Nope, I never managed to fix my issues within VMWare unfortunately.
If I recall correctly maybe a small percentage of the packets seen in wireshark came out right but far from anything that would work. From what I have heard, (think it was Tron) the patch for rtl8187 conained in BT3 is still the latest one you can get. Yes you could try playing a bit more with the MTU or go and explore some more - but don't get your hopes up. Boot BackTrack from a usb and to start having fun

Yes my setup using the latest version of VMware fusion, with VMware tools installed, and my AWUS036H running on the default r8187 driver is still working just fine. I do see the malformed packets as well when monitoring the wlan0 interface, but running Wireshark on at0 instead shows all the traffic normally. The only problems I am still having is related to the –p option, but this does not seem to be all that uncommon with the current version of airbase-ng. I am afraid that I can’t give any helpful hints on how to fix the problems a lot of the users seem to have, as apart from setting the MTU to 1500 I do nothing differently from the tutorial.

[Mattthhdp]

Hey guys !, i need your help,

so i run the script with no probleme, everything is working fine but .... (yea always a but :P)

i can ping almost all site like google.com or yahoo.com
but i cannot ping hotmail.com

so few search in wireshark and i see

No Time Source Destination Protocol Info
83 308.. 10.0.0.254 208.67.222.222 ICMP Destination unreachable (Port unrechable)


so the source is ok (it's the ip of my ''victim'' pc, the destination is the Dhcp
i know that the problem is the Unreachable port but ... how can i ''open it'' ??

[imported_cybrsnpr]

Hey guys !, i need your help,

so i run the script with no probleme, everything is working fine but .... (yea always a but :P)

i can ping almost all site like google.com or yahoo.com
but i cannot ping hotmail.com

Some sites block ICMP. If you can ping other sites, you have connectivity. What is the problem?