[Tutorial] How to: Create Fake AP (with a auto bash script!)

**imported_frozen** · 06-28-2009, 10:03 AM

got it to work now, i had to use this:
hxxp://sourceforge.net/projects/dnspentest
--> java ServerKernelMain 10.0.0.1 10.0.0.1

**imported_g0tmi1k** · 06-28-2009, 10:15 AM

fnord0
Again, thanks

SBD (Secure BackDoor) isnt part of metasploit! Its like netcat!
I used SBD as a backdoor, so if later if I wish to get access again it makes life alot easier, instead of re using metasploit and exploiting them. For example if the service(s) which I was exploiting could be closed/stop or they could of done a system update stopping the exploit but by using SBD, I'm straight back in

!

If you wish to get the lastest SBD:
Filename: sbd-1.36.tar.gz
HomePage: Tigerteam
Download Link:http://packetstormsecurity.org/UNIX/...bd-1.36.tar.gz
Source: .:[ packet storm ]:. - http://packetstormsecurity.org/

*There is a (out of date?) version included with backback: /pentest/windows-binaries/tools/ *

I'm doing all the SBD from ./msfcli via a script (fakeap_pwn.rb)
I could also of done it from ./msfconsole and used fakeap_pwn.rc - which then calls fakeap_pwn.rb later - I just cut out the middle man! (NOT in the 7z). For both of them, you use AutoRunScript to call the script.

Thanks for the links - Im going to give them a read!

Does any of that help?

~g0tmi1k

Edit:
dnspentest - I tired using that (the commands are in the script, just comment out). For some reason that didn't work for me!

**imported_frozen** · 06-28-2009, 11:29 AM

dnsspoof -i at0 -f /tmp/dns-spoof

/tmp/dns-spoof:
10.0.0.1 *.* *

does also work.

another problem:
the connection via the fake ip is unbearable slow, i can't load a website completely.
it stops loading content, if the title of the website appears in the browser. the "received packets" also increase only from time to time...
seems that the connection is not very stable, rarely it loads a page in the first try. any ideas to improve the connection / the routing to the other network interface?

/edit just noticed, that i can access some pages e.g. mozilla.com (except downloading) with regular speed, but the bigger part of pages is unaccessible

**hm2075** · 06-28-2009, 11:40 AM

Interesting work here, hope my work on the wireless key grabber and fake ap with transparency has helped here

I've not been playing with Fake ap's for quite some time but I am impressed by how much progress is being made,

I am curious though, how do you automatically get the victim to surf normally after they have visited your splash page without allowing other users in?

at
# They give us access to their system, so lets give them internet back

are you not giving everyone "internet" back?

**fnord0** · 06-28-2009, 12:45 PM

Originally Posted by g0tmi1k

Does any of that help?

ohhh yes! just what I was looking for, and then some! thanks for the explanation! I really appreciate it! I look forward to more of yr posts to this site my friend =)

take care, and thanks for the schooling

**fnord0** · 06-28-2009, 12:54 PM

Originally Posted by frozen

another problem:
the connection via the fake ip is unbearable slow, i can't load a website completely.
it stops loading content, if the title of the website appears in the browser. the "received packets" also increase only from time to time...
seems that the connection is not very stable, rarely it loads a page in the first try. any ideas to improve the connection / the routing to the other network interface?

/edit just noticed, that i can access some pages e.g. mozilla.com (except downloading) with regular speed, but the bigger part of pages is unaccessible

that sounds like MTU issue... (or fragmentation?) I noticed that the airbase-ng attempts to change the MTU to 1800 (or sumpthin) and then fails back to 1500 (at least on mine, and I swear I've seen others mention this)...
IIRC NAT is taking place (I am not looking at the script right now), BUT this may require you to change the MTU on the box you are browsing the web to 1492, or 1476... sorry cant recall exact #, but google MTU and browsing issues and I bet u might possibly find an answer.
also I could be completely off as well, others in this post may be able to assist. can you ping with 1500byte ping size to www.yahoo.com (etc) and not getting packet loss? if u get packet loss, it MAY be MTU... I just saying...

**imported_frozen** · 06-28-2009, 01:51 PM

with an mtu of 1500 or 1800 it works
but which value do i have to use, does it matter? higher = better? (probably not

)

**imported_vvpalin** · 06-28-2009, 03:29 PM

Read up on what MTU is. Im going to say this now. The alfa card has horrible probs with airbase because of it. In fact the client will pretty much only be able to browse google and nothing else.

There is one thing i would add to this, and thats sslstrip. I wrote up a guide on it a little while ago just to prove that it worked. It did however as i said it was less than worthless with the alfa.

http://forums.remote-exploit.org/bt4...-sslstrip.html

**dominatus** · 07-06-2009, 02:24 AM

Been trying to get this working. Have so far gotten a Windows XP SP2 victim to connect, however, been having dhcpd-issuance problems. Another victim box, Windows Vista SP1, cannot connect to the network at all! "Windows cannot connect to TestNet." The reason for the error supposedly is that the wireless network signal is too weak, yet I'm using a Ubiquiti SRC (ath5k) card with an antenna right next to the victim machine. Also, the signal is strong in the Windows Wireless Assistant.

This is getting frustrating.

**dominatus** · 07-06-2009, 03:13 AM

Okay, got the Windows XP SP 2 victim to download a wkv.exe variant and execute it, although the data transmission rates are so SLOW, took seriously 10-15 minutes just for it to upload and execute.

Doing a simple ping from the victim machine:

Reply from 72.14.213.104 (google.com): bytes = 32 time=594ms TTL=49
Request timed out.
Reply from 72.14.213.104 (google.com): bytes = 32 time=107ms TTL=49
Reply from 72.14.213.104 (google.com): bytes = 32 time=110ms TTL=49

That's a 25% packet loss and the transmission rate for a 32 byte packet was a whopping half a second. No wonder it took so long to upload a small .exe file.

The MTU I have set right now is 1800. To those who have it working smooth and fast, what MTU are you using?

Also, I'm still having problems with the DHCP addressing. When I normally connect to routers the DHCP is automatically renewed. However, with airbase-ng, I must get on the victim computer and do a /release /renew for DHCP to work. Also, every few minutes the victim gets disconnected from the AP and reconnects. I'm assuming this is a packet-size issue as well.

Anyone else having similar problems/any solutions? Thanks everyone for contributing. Oh, and if you want your gateway interface automatically loaded with FakeAP_pwn.sh: replace the "export gateway" line with:

export gatewayip=`route | awk '/^default/ {getline; print $2}'` #get gateway for our device connected to internet, replace "default" with corresponding `route` information

BackTrack Linux - Penetration Testing Distribution

Thread: [Tutorial] How to: Create Fake AP (with a auto bash script!)

Thread Tools

Search Thread

Display

Posting Permissions