Page 6 of 14 FirstFirst ... 45678 ... LastLast
Results 51 to 60 of 137

Thread: Rogue Accesspoint + MitM Sniffing tutorial

  1. #51
    Junior Member
    Join Date
    Sep 2008
    Posts
    32

    I've spent quite a few hours working on this a month or so ago based on one of the earlier threads.. and a few more starting from scratch using the scripts/configs posted here.. it seems that no matter what I do, I can't get things to work correctly when using my Alfa card as the Rogue AP.

    I am using the script/commands posted here. I did modify the script to remove the -P & -C options from airbase-ng so that the Rogue AP will only respond to the specified ESSID. I also added the "-c 7" parameter to only listen on channel 7.

    Side question - if you don't specify a specific channel via airbase-ng or some other method, isn't the wireless card going to be channel hopping while acting as a Rogue AP? Not sure how that works, where you could be transmitting packets on the wrong frequency?

    Anyhow, back to my main issue.. My client can connect to the Rogue AP with no problems. I can watch the DHCP packets go by on the AT0 interface, and everything looks the way it should. I see the client's DISCOVER and REQUEST as well as the server's OFFER and ACK.

    However when I monitor the wifi0 interface on the client, I never see the DHCP server's ACK packet, and the client is unable to get an IP address.

    I've tried both 1400 and 1500 for MTU's on the Eth/Wlan interfaces with the same results.

    I updated my R8187 drivers to the latest (used spoondrv) as well as the latest version of aircrack-ng (used ezpwn updater tool).

    If I take the same BT USB stick and boot my laptop (Intel 3945 card) with it, and run the same script (after loading the ipwraw driver) the script works without a hitch.

    My client, using the Alfa card, can connect without any problems, and Ettercap will catch plaintext passwords, issue SSL certs and capture user credentials.

    It's been very frustrating trying to get things to work with the Alfa card. I'd be interested to know what version of drivers and aircrack-ng other folks are having success with.

    -- Tom
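The post above diagnoses the problem by watching the DHCP DISCOVER/OFFER/REQUEST/ACK exchange on at0 and comparing it with what the client actually receives. The following is an added example, not code from the thread or from the tutorial script: it builds a few constructed DHCP payloads (no real capture), parses the BOOTP header and option 53, and reports per transaction ID how far the DORA exchange got, so a capture from at0 and one from the client side can be compared the way Tom describes. The packet bytes and MAC/IP values are made up for the example.

```python
import struct

MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK"}
DORA = ["DISCOVER", "OFFER", "REQUEST", "ACK"]   # the expected order of a lease exchange
MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie after the 236-byte BOOTP header


def build_dhcp(xid, mac, msg_type, yiaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP payload (constructed test data, not a capture)."""
    op = 2 if msg_type in (2, 5, 6) else 1          # server replies use op=2 (BOOTREPLY)
    hw = bytes.fromhex(mac.replace(":", ""))
    ip = bytes(int(o) for o in yiaddr.split("."))
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, 0, xid, 0, 0x8000,      # htype=ethernet, hlen=6, broadcast flag
                      b"\0" * 4, ip, b"\0" * 4, b"\0" * 4,
                      hw.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = MAGIC + bytes([53, 1, msg_type, 255])      # option 53 = message type, 255 = end
    return hdr + opts


def parse_dhcp(data):
    """Extract op, xid, client MAC, offered address and message type from a DHCP payload."""
    if len(data) < 240 or data[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    hlen = data[2]
    xid = struct.unpack("!I", data[4:8])[0]
    yiaddr = ".".join(str(b) for b in data[16:20])
    mac = ":".join(f"{b:02x}" for b in data[28:28 + hlen])
    msg_type = None
    i = 240
    while i < len(data):                              # walk the TLV option list
        code = data[i]
        if code == 255:
            break
        if code == 0:                                 # pad option has no length byte
            i += 1
            continue
        length = data[i + 1]
        if code == 53:
            msg_type = data[i + 2]
        i += 2 + length
    return {"op": data[0], "xid": xid, "mac": mac, "yiaddr": yiaddr,
            "type": MSG_TYPES.get(msg_type, f"unknown({msg_type})")}


def audit_dora(payloads):
    """Group payloads by xid and report whether each exchange completed or where it stalled."""
    seen = {}
    for p in payloads:
        m = parse_dhcp(p)
        seen.setdefault(m["xid"], []).append(m["type"])
    report = {}
    for xid, types in seen.items():
        progress = 0
        for t in types:                               # advance only on the next expected step
            if progress < 4 and t == DORA[progress]:
                progress += 1
        report[xid] = {
            "seen": types,
            "complete": progress == 4,
            "stalled_after": None if progress in (0, 4) else DORA[progress - 1],
            "missing": DORA[progress:],
        }
    return report


# Constructed samples: what the poster saw on at0 versus on the client's wifi0.
CLIENT_MAC = "00:1a:2b:3c:4d:5e"
AT0_CAPTURE = [
    build_dhcp(0x1111, CLIENT_MAC, 1),
    build_dhcp(0x1111, CLIENT_MAC, 2, "10.0.0.20"),
    build_dhcp(0x1111, CLIENT_MAC, 3),
    build_dhcp(0x1111, CLIENT_MAC, 5, "10.0.0.20"),
    build_dhcp(0x2222, "00:aa:bb:cc:dd:ee", 1),       # a second client that only ever discovers
]
CLIENT_CAPTURE = AT0_CAPTURE[:3]                      # the ACK never arrives on the client side

if __name__ == "__main__":
    for name, cap in (("at0", AT0_CAPTURE), ("client", CLIENT_CAPTURE)):
        for xid, r in audit_dora(cap).items():
            print(f"{name}: xid={xid:#x} seen={r['seen']} complete={r['complete']} missing={r['missing']}")
```

Run against real captures, the payloads would be the UDP payloads of port 67/68 packets from each interface; an ACK present in the at0 report but absent from the client report points at the forwarding path (driver or MTU) rather than at dhcpd.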

  2. #52
    Member
    Join Date
    Feb 2010
    Posts
    204

    do you think ipv6 is an issue here? I will think about it and get back to you

  3. #53
    Just burned his ISO
    Join Date
    Feb 2008
    Posts
    20

    Arggggg ....... Has anyone had any success on this within a VMware session yet ??? I am being persistent here as I was encouraged to see =Tron= recalling not experiencing any restrictions using airbase-ng under VMware. I am using the Alfa too.

    I really want to show a current client of ours a proof of concept on this in the context of a virtual environment. At worst case, I guess I can drop down into a true laptop environment. Anyway, great job on all this guys ........ :-)

  4. #54
    Junior Member
    Join Date
    Sep 2008
    Posts
    85

    I was having success earlier, but now when I run airbase-ng I cannot seem to locate the rogue AP I have created... any troubleshooting advice?
    Patience is appreciated =]

  5. #55
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Quote Originally Posted by Silver_Seven View Post
    Arggggg ....... Has anyone had any success on this within a VMware session yet ??? I am being persistent here as I was encouraged to see =Tron= recalling not experiencing any restrictions using airbase-ng under VMware. I am using the Alfa too.

    I really want to show a current client of ours a proof of concept on this in the context of a virtual environment. At worst case, I guess I can drop down into a true laptop environment. Anyway, great job on all this guys ........ :-)
    Which part is it that is giving you problems under VMware, i.e. how far have you managed to get? I still have yet to experience any real problems with using airbase-ng with my Alfa 500mw under VMware Fusion. I have updated to the latest version of aircrack-ng and am using MTU 1500 on the at0 interface, but apart from that I did not need to make any changes to the script provided by Deathray.
    Quote Originally Posted by benzslr123 View Post
    I was having success earlier, but now when I run airbase-ng I cannot seem to locate the rogue AP I have created... any troubleshooting advice?
    A bit sparse on the information here. As you had it running earlier, the best thing to do would probably be to backtrack your steps and figure out if you did anything differently earlier or have made any changes since then that could be the source of the problem.
    -Monkeys are like nature's humans.

  6. #56
    Member
    Join Date
    Oct 2007
    Posts
    381

    StriperTS >
    I have noticed that the rogue AP defaults to channel 1 if none is specified.
    So it definitely doesn't channel hop. Regarding drivers, I use the default in a fresh BackTrack 3 Final boot, and use the latest aircrack-ng updated through Fast-Track. I was told by =Tron= that that driver was the "best" to use, seeing that everything works as intended with it. I know you are looking for some additional information on what could be the problem but I can't really say what it is. MTU would be my guess.
    benzslr123 >
    When writing the script, I didn't test it with an atheros based chipset which uses 2 interfaces for the same device. So you may need to modify it in order to get it to work.
    Quote Originally Posted by letmein View Post
    Once surfing though, I can enable the remote_browser plugin on the ettercap shell which shows the websites being visited, but cannot get it configured to show passwords etc? I have tried to use ettercap in another shell but it just closes?

    Is this a limitation of this type of setup or a limitation of my brain?
    You basically want ettercap to manipulate all the traffic routed through your box, instead of purely listening, which I believe you have ettercap doing. Make sure ettercap is set up equivalent to the script.
    Quote Originally Posted by benzslr123 View Post
    i guess i'm just trying to break down the script and analyze each step, thank you for the replies
    Good and you are also encouraged to do so !
    Quote Originally Posted by Silver_Seven View Post
    Arggggg ....... Has anyone had any success on this within a VMware session yet ??? I am being persistent here as I was encouraged to see =Tron= recalling not experiencing any restrictions using airbase-ng under VMware. I am using the Alfa too.

    I really want to show a current client of ours a proof of concept on this in the context of a virtual environment. At worst case, I guess I can drop down into a true laptop environment. Anyway, great job on all this guys ........ :-)
    This is purely a guess, but I have a feeling it may be the issue. Often when I use BT3 in vmware on my laptop, something with the clockrate causes everything to be sped up. For example, when I hold down the letter s in a terminal, s will be entered 50 times just by holding it down for 4 seconds. I think that that will also excuse me but 'screw' with the packet forwarding too. It has something to do with power management on the host I believe. I noticed when I had all applications on the host closed and Vista power management on "High Performance", I got more lucky with airbase-ng working but not nearly enough to call it stable. So I believe if you fix the "clock" issues with vmware or experiment on a fast computer, you may get better results. My stationary computer seems to run airbase-ng okay. But again, this is just a shoot in the dark or what do you say in English?? :b
    - Poul Wittig

  7. #57

    The script is very good and very well written. I would like to suggest that you break it up into functions and create a cleanup function that can be trapped for when you hit Ctrl-C and cleans up anything left behind, plus add the ability to filter targets by MAC address. The reason is that in many pentests I have been involved in there are very strict ROEs (Rules of Engagement) that limit what clients we can attack during a client-side attack; also there might be legal ramifications from attacking the wrong target. I see this as a very useful tool in my toolkit if further developed. Keep up the good work.

    example:
    #Variable initialization
    OUTINT=
    IW=
    DHCPDCONF="/etc/dhcpd.conf"
    MODE=
    FILTER=
    SSID=
    LOGDEST=
    #Capture ctrl-c and call cleanup function
    trap cleanup INT

    function usage ()
    {
        echo "Usage: $0 -m <rap|rapf> -i <wireless iface> -o <outbound iface> [-s ssid] [-f macfilter-file] [-d dhcpd.conf] [-l logdest]"
    }
    function cleanup ()
    {
        # delete the route that was added, then stop what the script started
        pkill dhcpd
        pkill airbase-ng
        exit 0
    }

    function nat ()
    {
        # use the default dhcpd conf file if the one provided does not exist
        [ -f "$DHCPDCONF" ] || DHCPDCONF="/etc/dhcpd.conf"
        : # commands to setup nat
    }

    function ap ()
    {
        : # start airbase-ng to accept any client and log associations
    }

    function apf ()
    {
        # a filter file is mandatory in this mode: exit if none was provided
        [ -f "$FILTER" ] || { echo "No MAC filter file provided"; exit 1; }
        : # start airbase-ng with the file containing MAC addresses that can connect, and log associations
    }

    function mitm ()
    {
        : # start tcpdump and capture
        : # start ettercap
    }
    #-------MAIN--------
    while getopts ":m:i:f:s:o:d:l:h" options; do
        case $options in
            m ) MODE=$OPTARG;;
            i ) IW=$OPTARG;;
            f ) FILTER=$OPTARG;;
            s ) SSID=$OPTARG;;
            o ) OUTINT=$OPTARG;;
            d ) DHCPDCONF=$OPTARG;;
            l ) LOGDEST=$OPTARG;;
            h ) usage
                exit 0;;
            \? ) usage
                exit 1;;
            * ) usage
                exit 1;;
        esac
    done
    if [[ -n "$MODE" && -n "$IW" && -n "$OUTINT" ]]; then
        case $MODE in
            rap) ap
                 nat
                 mitm;;
            rapf) apf
                  nat
                  mitm;;
            *) usage
               exit 1;;
        esac
    else
        usage
        exit 1
    fi
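The point BadKarmaPR raises is scoping: under a strict ROE only the agreed client devices may be touched, so the operator needs a way to confirm that every association that occurred was in scope. The following is an added example, not code from the thread or from the tutorial script: it loads a constructed allowlist of agreed MAC addresses and checks a constructed association log against it. The log line shape ("<time>  Client <MAC> associated ...") is an assumption about airbase-ng's console output made for the example; the MACs and ESSID are made up.

```python
import re

# Constructed sample log (not a real capture). The line format is an assumption
# about airbase-ng's association messages, chosen for the example.
SAMPLE_LOG = """\
14:02:11  Created tap interface at0
14:02:40  Client 00:1a:2b:3c:4d:5e associated (unencrypted) to ESSID: "Free WiFi"
14:03:05  Client AA-BB-CC-DD-EE-FF associated (unencrypted) to ESSID: "Free WiFi"
14:03:30  Client 00:1a:2b:3c:4d:5e associated (unencrypted) to ESSID: "Free WiFi"
14:04:02  Client 10:20:30:40:50:60 associated (unencrypted) to ESSID: "Free WiFi"
"""

# Constructed allowlist in the same spirit as the file the poster suggests:
# one agreed device per line, optional comment after a '#'.
ALLOWED = """\
# in-scope test devices agreed in the ROE (constructed)
00:1A:2B:3C:4D:5E  tester laptop
aabbccddeeff       tester phone
"""

ASSOC = re.compile(
    r"^(\S+)\s+Client\s+([0-9A-Fa-f]{2}(?:[:-]?[0-9A-Fa-f]{2}){5})\s+associated"
)


def normalize_mac(s):
    """Canonical lower-case colon form so 'AA-BB-...', 'aabb...' and 'aa:bb:...' compare equal."""
    hexes = re.sub(r"[^0-9a-fA-F]", "", s).lower()
    if len(hexes) != 12:
        raise ValueError(f"not a MAC address: {s!r}")
    return ":".join(hexes[i:i + 2] for i in range(0, 12, 2))


def load_allowlist(text):
    """Parse the allowlist text into a set of normalized MACs, ignoring comments and blanks."""
    allowed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            allowed.add(normalize_mac(line.split()[0]))
    return allowed


def find_out_of_scope(log_text, allowed):
    """Return (time, mac) for every association whose client is not on the allowlist."""
    out = []
    for line in log_text.splitlines():
        m = ASSOC.match(line)
        if not m:
            continue                                   # not an association line
        when, mac = m.group(1), normalize_mac(m.group(2))
        if mac not in allowed:
            out.append((when, mac))
    return out


if __name__ == "__main__":
    allowed = load_allowlist(ALLOWED)
    for when, mac in find_out_of_scope(SAMPLE_LOG, allowed):
        print(f"OUT OF SCOPE: {mac} associated at {when}")
```

The same check works as a post-engagement audit over the saved association log, and the allowlist file it reads can double as the input for airbase-ng's own client filtering so that out-of-scope devices are refused rather than merely reported.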

  8. #58
    Member
    Join Date
    Jun 2008
    Posts
    50

    write failed: Message too long
    wi_write(): Illegal seek

    Having successfully had this working yesterday, I am using the script from yesterday, and I am now getting the airbase error as above.
    Client connects to Rogue AP but cannot surf to an IP address nor www.google etc.???

    Confused.... any one come across this...

    PS using an ALFA card. Have amended script to remove variables and just fixed to my set up (wlan0 and eth0), also added an extra line to set AT0 to MTU 1400.

    Thoughts???

  9. #59
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Quote Originally Posted by letmein View Post
    write failed: Message too long
    wi_write(): Illegal seek

    Having successfully had this working yesterday, I am using the script from yesterday, and I am now getting the airbase error as above.
    Client connects to Rogue AP but cannot surf to an IP address nor www.google etc.???

    Confused.... any one come across this...

    PS using an ALFA card. Have amended script to remove variables and just fixed to my set up (wlan0 and eth0), also added an extra line to set AT0 to MTU 1400.

    Thoughts???
    Have you tried the default version of the script without your modifications? It is quite possible that you have by mistake removed an important part of the script, especially if you are not that familiar with the whole set up. Apart from that, the script already contains a line for setting the MTU to 1400, and I and a few other people who use the Alfa card have experienced problems using this setting, so you could try setting it to 1500 instead.
    -Monkeys are like nature's humans.

  10. #60
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    BadKarmaPR, Thank you so much for your reply. Know that you made a young man in Denmark proud :b.
    Unfortunately, I am extremely new to scripting but am definitely willing to grow the skills.
    Although I would love to expand the script with your suggestions (I also have many more ideas :P),
    at the time being it is pretty far from what I can accomplish without the script working only for my setup.
    Don't feel any pressure, but if you have the time you are welcome to submit a complete script which would resemble mine (in function) and I could update the tutorial (:
    But thanks again, and regarding macfiltering. It started to make me think. I better update the tutorial and notify people that running the script unedited with wireless equipment nearby, will actually mean committing a crime in most countries. Good to know if any newbies out there are blindly running it (:
    - Poul Wittig
