Rogue Accesspoint + MitM Sniffing tutorial

[Mattthhdp]

Some sites block ICMP. If you can ping other sites, you have connectivity. What is the problem?

Well ... i wanna know why i dont have acces to all site ^^


As i thinking, i don't know if that can help but !

With my laptop ''the bridge between the wireless and the Eth0 (internet) i have acces to hotmail.com
but with my desktop, i don't ...


and (out of subjet) into the shell were i have run the bash file, i've got this, and i really don't know what it is

X Error: BadWindow (invalid Window parameter) 3
Major opcode: 20
Minor opcode: 0
Resource id: 0x3000007

That dosen't seem to affect anything but ... sometimes with and error we can do bunch of think

[toohxc]

I have read this whole thread about ten times and I am still not getting something right. My /etc/dhcpd.conf matches the one in the first post and I am using BadKarma's script.

the command I am using is

Code:

./mitmap.sh -m apa -i wifi0 -o eth0 -s testnet -d /etc/dhcpd.conf

The following is then posted.

Code:

Master Mode: ath0
Current MAC: 06:c0:aa:02:c4:6f (unknown)
Faked MAC:   00:40:62:92:af:84 (E-systems, Inc./garland Div.)
Starting Atheros Card in Karma Mode Succesful
DHCPD started succesfully
Starting Packet capture to /root/apmitm-Jan-20-09-021240.cap

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Listening on wifi0... (802.11)

Privileges dropped to UID 0 GID 0...

  28 plugins
  39 protocol dissectors
  53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Starting Unified sniffing...


Text only Interface activated...
Hit 'h' for inline help

Everything looks good right? Well then I go to my other laptop (sitting about 15 feet away) boot up vista and then wireless assistant pops up finding "testnet" I try to connect, it takes awhile then spits back "this is taking longer than expected" then fails. I then open a command prompt and issue a "ipconfig /all" and the wireless card has a 169 address which is APIPA. Which was issued by the computer and not the DHCP server. At this point I cannot ping 10.0.0.1, nor can I access the internet. I did have wireshark running on at0 (10.0.0.1) and everything looks normal, there are some malformed packets but not all of them are. I would post the dump from wireshark but pastebin doesnt seem to like the size or format. To me it seems like dhcpd isnt giving out ip addresses.

I am not sure what to do from here, could someone help?

Also when i try running

Code:

./mitmap.sh -m ap -i wifi0 -o eth0 -s testnet -d /etc/dhcpd.conf

I dont get any errors but the ap is not viewable by the vista laptop.

I know this is long but I hope the more information I give the easier it will be for someone to help me. Also spec on my setup are, MacBook running a hard drive install of bt3.

[BadKarmaPR]

the apa mode is only for atheros cards, so you would use it with ath0, if your card is not atheros and it is supported for injection use the ap mode. to test if injection is supported run aireplay-ng -9 <wifi card>
you can download the latest version here
http://www.darkoperator.com/mitmap.tar.gz

[toohxc]

the apa mode is only for atheros cards, so you would use it with ath0, if your card is not atheros and it is supported for injection use the ap mode. to test if injection is supported run aireplay-ng -9 <wifi card>
you can download the latest version here
http://www.darkoperator.com/mitmap.tar.gz

See that part was sort of confusing me because with kismet it uses wifi0, but then in spoonwep2 and spoonWPA I select ath0 with atheros drivers. With my current drive set (madwifi-ng) ath0's parent is wifi0.

Has there been an update to your script recently?

[BadKarmaPR]

I updated it for my self but did not post the update.

[toohxc]

I updated it for my self but did not post the update.

Well I downloaded you new one and executed a

Code:

./mitmap.sh -m apa -i ath0 -o eth0 -s FreeWifi -d /etc/dhcpd.conf

and recieved

Code:

Master Mode: ath0
Current MAC: 06:c0:aa:02:c4:6f (unknown)
Faked MAC:   00:01:5a:e7:fe:24 (Digital Video Broadcasting)
Starting Atheros Card in Karma Mode Succesful
DHCPD started succesfully
Starting Packet capture to /root/apmitm-Jan-20-09-030825.cap

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Listening on ath0... (Ethernet)

  ath0 ->       00:01:5A:E7:FE:24          10.0.0.1     255.255.255.0

Privileges dropped to UID 0 GID 0...

  28 plugins
  39 protocol dissectors
  53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Starting Unified sniffing...


Text only Interface activated...
Hit 'h' for inline help

DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER
DHCP: [00:15:AF:CE:AE:E0] DISCOVER

Still only an APIPA address on the client trying to connect. Looks like my issues is with the dhcp server...

[BadKarmaPR]

for my script in that mode make sure the dhcpd.conf file has as the interface to give out the addresses ath0 and not at0

[FrankFruter]

Well I downloaded you new one and executed a

and recieved

Still only an APIPA address on the client trying to connect. Looks like my issues is with the dhcp server...

Check out my post on page 8 of this thread!

[toohxc]

for my script in that mode make sure the dhcpd.conf file has as the interface to give out the addresses ath0 and not at0

so i tried

Code:

./mitmap.sh -m apa -i ath0 -o eth0 -s testnet

and it works without a problem. client connects and everything, I guess the issue occurred then I was specifying the -d /etc/dhcpd.conf . It doesnt make much sense to me but it works now so I wont complain. Thanks for the help!

[Virlath]

Wich sniffers are you guys using on your Rogue AP box?
I've got everything to work, the Rogue Ap works fine, no dns error, It is visible and all that.

So my question is. Is there any better program to us than urlsnarf? If someone simply surtf to hotmail.com i'll get a massive spam with tons of different url's. Not just 'hotmail.com'

If i want to sniff ssh, i've tried Ettercap, and it work well. But my question is. What will Ettercap sniff if i simply run sniff with it, nothing more. Not dhcp spoofing, arp poisoning etc?

To sniff ssh i need to activare arp poisoning, but why? Is that needed? Or can i do it another way? Since the traffic is already going through my own 'Rogue AP'?

I need more tip on wich sniffers to use.

Edit: I have 2 different Wireless cards/adapters. one Atheros one and The ALFA 500mw adapter. I can setup a rogueAP with the Atheros card withoout any trouble at all. Problem here is that this signal is not as wide and wont go as far as the alfa one. So i try to setup this Alfa 500mw as Rogue AP. airbase starts the faked AP, i can see probes and everything runs just fine. but the ap wont show up. I is not visible. I am running the same command line as i use with the other card.
I've tried different lines, e.g airbase-ng -e "essid" -v ath0/wlan0 (depending on wich one i use) or airbase-ng -e "essid" -P -C -c <channel> -v ath0/wlan0
and so on. Nothing will make the rogueAP on my Alfa adapter to show. Why is that? What is making the ap not showing?