Sorry for being late to respond. I had read your replies, this morning at work and since then I am smiling all the time. You make my day guys.
I was start worrying not why isn't working this script for you (it was the most possible situation) but why in the hell it was working for me.Anyway. Back to topic.
yeehawjared, you are a living advertisement for my script. Glad to here to get to work everything that scripts can do.
Among other things this shouldn't happened. I will search for this.For some reason I have to `airmon-ng start wifi0` prior to running your script. After that everything works.
That's quite impressing for a FakeAP.Sustained download rates of 600+Kbps.
When running the script at mode 4 at the end you already getting a message about that. "In Transparent Proxy-ed and SSLstriped WLAN mode you cannot see domain names in reports, only IPs." I am working on that. I trying to find something (don't laugh) "reverse DNS". Not domains to IP's. But IP's to domains. I don't even know if this exists.We will see.I did notice that when running sslstrip, the reports are all IPs - not domains. Kind of useless without the domain names of the websites.
Me too. Please feel free (you or anybody) to ask anything that you don't understand in the script.I really hope to see this tool evolve over time. I'd be very interested in supporting this and trying new things.
Any feedback will be very helpful.I'm going to keep playing around with different things and report back what works / what breaks with new functionality.
The basic idea was to use sslsniff, not sslstrip, but until now it's impossible for me to getting to work. So, I make a U turn and end-up with the 2nd option:sslstrip. If I can get a single working example with sslsniff I will add it to the script right away. Maybe I am missing something. Don't know.What would really be nice is sslsniff...
So, you or anybody who can give any informations for:
1) how to install correctly this God damn thing in BT4PF ( I hate sslsniff)
Please refer to:
http://forums.remote-exploit.org/bac...iff-0-6-a.html
or
http://forums.remote-exploit.org/wir...tml#post154891
2) Which browsers are or should be vulnerable ( I had read something about: a) any applications that uses microsoft's CryptAPI. b) Microft already provide patches. ).
I am seriously doubt that anyone, at least here, was able to install-run correctly sslsniff. I hope I am wrong, so we all can "play" with.
There are registration, but it's very dificult to find them since we are logging everything with sslstrip. So, you can:Originally Posted by BT2008
Results: http and https is working, so far so good Nick
But there are no registrations of visited https sites in the output-ssl.log,
Do you have any idea?
1) You can open up the script with a text editor and go at the end of the script you will see a line:
the "-s" reffers to Log all SSL traffic to and from server. See sslstrip --help to log what you are interesting for.Code:xterm -e "proxychains sslstrip -s -f -k --write $HOME_DIR/output-ssl.log"&
2) You can use sarg's reports (you will see only IPs) or
3) You can use urlsnarf
Thank you guys.Code:urlsnarf -i at0 or ath0 (it depends on how you create the softAP)
Nick
Fakeap issues
Hello, I have tested this script out on a few different machines with varying success. This is probably due to me using an ALFA usb card as my FakeAP. For some reason I am having a lot of issue getting airbase to work correctly. I see the client associating I can sometimes get limited connectivity but nothing past that. I was wondering if you had any ideas as to how I could go about fixing this. I appreciate the great script though. Looking forward to hearing your suggestions.
Thanks
Blitzman
First off all, welcome to the forums.
It seems to be an issue with some alpha cards and airbase-ng. BT4's patched drivers are excellent for injection and other stuff but, maybe, may not being the best choice to use them with airbase-ng as an FakeAP.
As for the Atheros cards and airbase-ng, I already know that there is a HUGH difference between ath5k (BT4PF) and ath_pci (madwifi-ng) modules. On the other hand when I installed compat-wireless drivers for a zd1211rw wifi card, which I own, the differences for airbase-ng data rates, was very small.
So, I suggest you to dig a little more with drivers. Your feedbacks would be very useful, for other people who might use any FakeAP based scripts and Alpha cards, in the future.
Unfortunately I don't own one of these cards to test with.
Here are some links you may start with: (Don't know which card you have)
Realtek RTL8187L/RTL8187B mac80211 driver
rtl8187 [Aircrack-ng]
ALFA-*AWUS036H & ALFA-*AWUS050NH
TUTORIAL: Installing drivers RTL8187, r8187, RT2800usb on UBUNTU
If you don't want to mess with drivers you can "play" with the MTU value of the interfaces.
You may check this:
#469 (airbase-ng MTU problems) – Aircrack-ng
and this
"The workaround is to increase the MTU of the master interface or decrease the MTU of the TUN/TAP. The MTU of the monitor mode interface should be the cards max (~2300?), while the MTU of the TUN/TAP should still be the normal ethernet max (1500 ~ 1518/1522). Setting the MTU manually fixes the problem"
Custom Query – Aircrack-ng
They are not very related to your problem but you may found useful informations for MTU, which affects the alpha cards + airbase-ng as vvpalin told us in another post.
Looking forward for your results.
Thank you for the good words.
Nick
Nick: Using this new script all options seem to work when using my iPhone as the client to the generated AP. I was not able to browse any sites using my iMac using any of the modes in wlan_nick. I tried decreasing mtu to 1000 but that did not help (the iPhone worked when keeping the MTU at 1500, which did not work in previous version).
As a reminder: I am using the 36H ALFA card as the fake AP and eth0 all running in VMWare Fusion.
Great job, I am reinstalling this iMac to Snow Leopard and will see if I can get a connection to the fake AP.
FOLLOW UP EDIT: I reinstalled my iMac and am confused. Sometimes my iMac will function with simple wlan (never works with 3 or 4) and sometimes it doesn't (I have tried MTU 1000 and 1400, doesn't seem to correlate to whether the connection works or not). I'll have to get back to this. The iPhone via wifi always works.
mikec,
I am not familiar with iMac. But, as long as I remember when I was searching about something I end up in a iMac forum. Some guy have had problems with his router's DHCP and his iMac. The solution was to disable IPv6 on iMac.
You may try also this link:
Mac DHCP Wireless Connection Broken With Self-Assigned IP Address ~ IT Professionals
Sorry for being so unhelpful.
Please report back any findings.
Nick
PS. As I understand your iPhone worked when keeping the MTU at 1500. And that MTU refers to "at0" ? Right ?
Can you please tell me what is the MTU value for your's monitor mode interface? (mon0)
How high can you get this above 1500 ? (I am referring to mon0)
I believe I am starting to understand what to do and which should be the MTU values for wlan0-mon0 and at0 for the creation of the FakeAP.
Your response is much apperciated
One question,
After doing some of the reading you subscribed I am wondering if you were suggesting switching to the Driver r8187/Stacks-ieee80211. I do have the ALFA-AWUS036h and I think the default BT4 driver is the RTL8187/Stacks-*mac80211. Was this the idea you were thinking of when you mentioned changing over to the drivers. I believe the ieee is made a bit more for aircrack. Its seems like everyone likes the mac80211 but I can give the ieee version a shot if thats what you meant.
Thanks again for the great welcome.
Blitzman
I don't blame you for wondering. You already notice the level of my English.
Yes, Blitzman. My idea is to give the ieee version (or any other version that exists) a shot and to see how airbase-ng likes it. If it likes it more than mac80211 then I can add a subroutine to the script and if a RTL8187 based card founded if the system, then we could install the ieee version and use them for the creation of the FakeAP. After that we could uninstall them easily and go back to the mac version. As I already did with atheros based cards.
If you got any positive results with it please write down a txt file and include all necessary informations.
What modules is used by your card (BT4PF modules)
From where did you download the ieee version drivers
How did you compiled - installed
etc
Then send it to me so I include it to the script. I thing that would be great for you and other owners of a RTL8187 cards.
Nick
Two more modes added
MOD EDIT: From Nick the Greek: "Please download from the 1st post".
Today I upload a new version of my script.
Among other things I added 2 more modes. One funny and one not that funny.
The 1st mode is a modification of the Upside-Down-Ternet.5. Upside down, Blur, Swirl client's browser images
6. Forced downloading files
Upside-Down-Ternet
I just added compatibility with bmp files and you can drive crazy your client with:
a) Flipped images.
b) Blurred images
c) Swirled images
This is very funny and I hope you find it also funny. The first time I tried this was with my wife and until today she accuse me for any "weird" image that she see in her' s laptop.
When I was modifying the redirect script for upside-down, I got one idea. What if I don't redirect only the images (modify them and then send them back with apache) but to send to our clients ,when they ask for, different files? So, what I do.
First of all for testing my script will create 4 zero bytes files in /tmp/bad_files/ and these will be:
test.exe, test.zip, test.rar, test.doc.(No contents here)
Let's say a client surfs to web and decide to download a foo.exe file from "www.foo.com". My redirect script listens if a *.exe, *.zip, *.rar or *.doc file is asked from our clients. If that happened the redirect script:
1) Make a copy of a test.(matching extension exe or zip or rar or doc) to /var/www/files/
2) Rename the above file with the filename that is asked to download our client
3) Serves this file to our client (with apache2)
So in our case the test.exe from /tmp/bad_files/ will be copied to /var/www/files/, renamed to foo.exe and then send back to our client via apache2.
In conclusion ANY time that our clients decide to download ANY file with a extension of exe,zip,rar,doc (of course this extensions can be changed) then they will be forced to download our fake files. The beautifully part is that the filename will be the original (renamed) and the showing download location will be the original.
The 6th option "Forced downloading files" isn't tested very much but until now all goes fine.
I only tried with http sites and I believe it won't work with https.
Please report back any positive-negative results.
Enjoy
Nick
PS When running modes 5 or 6, it may be useful to add a cron job like this:
Save it to file cleanup.cron and execute it with:Code:#min hour day mon wkday command * */6 * * * rm /var/www/images/* * */6 * * * rm /var/www/files/*
So, the contents of /var/www/images/ and /var/www/files/ folders will be emptied (6 times/hour) , since, at least with images, it may be full.Code:crontab cleanup.cron
Nice Nick, but aren't you missing something?
This really looks like a great project. I have downloaded and will test either tonight or friday. My hardware Acer AspireOne d150-1577 with alfa awus036h network card. I will report my findings.
Posting Permissions
