Page 4 of 12
Results 31 to 40 of 112

Thread: How to: E-Z setup a Multi Mode WLAN based on a Fake AP

  1. #31
    Nick_the_Greek (Senior Member; Location: Greece; Join Date: Jan 2010; Posts: 181)

    Sorry for being late to respond. I read your replies this morning at work and since then I have been smiling all the time. You made my day, guys.
    I was starting to worry, not about why this script wasn't working for you (that was the most likely situation), but about why in the hell it was working for me. Anyway. Back to topic.

    yeehawjared, you are a living advertisement for my script. Glad to hear you got everything the script can do working.

    Quote Originally Posted by yeehawjared:
    For some reason I have to `airmon-ng start wifi0` prior to running your script. After that everything works.
    Among other things, this shouldn't happen. I will look into it.

    Quote Originally Posted by yeehawjared:
    Sustained download rates of 600+Kbps.
    That's quite impressive for a FakeAP.

    Quote Originally Posted by yeehawjared:
    I did notice that when running sslstrip, the reports are all IPs - not domains. Kind of useless without the domain names of the websites.
    When running the script in mode 4, at the end you already get a message about that: "In Transparent Proxy-ed and SSLstriped WLAN mode you cannot see domain names in reports, only IPs." I am working on that. I am trying to find something (don't laugh) like "reverse DNS". Not domains to IPs, but IPs to domains. I don't even know if this exists. We will see.

    Quote Originally Posted by yeehawjared:
    I really hope to see this tool evolve over time. I'd be very interested in supporting this and trying new things.
    Me too. Please feel free (you or anybody) to ask about anything that you don't understand in the script.

    Quote Originally Posted by yeehawjared:
    I'm going to keep playing around with different things and report back what works / what breaks with new functionality.
    Any feedback will be very helpful.

    Quote Originally Posted by yeehawjared:
    What would really be nice is sslsniff...
    The basic idea was to use sslsniff, not sslstrip, but so far I have been unable to get it to work. So I made a U-turn and ended up with the second option: sslstrip. If I can get a single working example with sslsniff I will add it to the script right away. Maybe I am missing something. Don't know.

    So, you or anybody who can, please give any information on:

    1) how to correctly install this goddamn thing in BT4PF (I hate sslsniff)
    Please refer to:
    http://forums.remote-exploit.org/bac...iff-0-6-a.html
    or
    http://forums.remote-exploit.org/wir...tml#post154891

    2) Which browsers are or should be vulnerable (I had read something about: a) any application that uses Microsoft's CryptoAPI; b) Microsoft already provides patches).

    I seriously doubt that anyone, at least here, was able to install and run sslsniff correctly. I hope I am wrong, so we can all "play" with it.

    Quote Originally Posted by BT2008:
    Results: http and https is working, so far so good Nick
    But there are no registrations of visited https sites in the output-ssl.log,
    Do you have any idea?
    There are registrations, but it's very difficult to find them since we are logging everything with sslstrip. So, you can:
    1) Open the script with a text editor and go to the end of the script; you will see a line:
    Code:
    xterm -e "proxychains sslstrip -s -f -k --write $HOME_DIR/output-ssl.log"&
    The "-s" refers to "Log all SSL traffic to and from server". See sslstrip --help to log what you are interested in.
    2) Use sarg's reports (you will see only IPs), or
    3) Use urlsnarf:
    Code:
    urlsnarf -i at0   # or -i ath0, depending on how you created the softAP
    Thank you guys.

    Nick

  2. #32
    Just burned his ISO (Join Date: Oct 2009; Posts: 2)

    Fakeap issues

    Hello, I have tested this script on a few different machines with varying success. This is probably due to me using an ALFA USB card as my FakeAP. For some reason I am having a lot of issues getting airbase to work correctly. I see the client associating; I can sometimes get limited connectivity, but nothing past that. I was wondering if you had any ideas as to how I could go about fixing this. I appreciate the great script though. Looking forward to hearing your suggestions.

    Thanks
    Blitzman

  3. #33
    Nick_the_Greek (Senior Member; Location: Greece; Join Date: Jan 2010; Posts: 181)

    First of all, welcome to the forums.

    It seems to be an issue with some Alfa cards and airbase-ng. BT4's patched drivers are excellent for injection and other stuff but maybe are not the best choice to use with airbase-ng as a FakeAP.

    As for the Atheros cards and airbase-ng, I already know that there is a HUGE difference between the ath5k (BT4PF) and ath_pci (madwifi-ng) modules. On the other hand, when I installed compat-wireless drivers for a zd1211rw wifi card, which I own, the difference in airbase-ng data rates was very small.

    So, I suggest you dig a little more into drivers. Your feedback would be very useful for other people who might use FakeAP-based scripts with Alfa cards in the future.

    Unfortunately I don't own one of these cards to test with.

    Here are some links you may start with (I don't know which card you have):

    Realtek RTL8187L/RTL8187B mac80211 driver
    rtl8187 [Aircrack-ng]

    ALFA-*AWUS036H & ALFA-*AWUS050NH
    TUTORIAL: Installing drivers RTL8187, r8187, RT2800usb on UBUNTU

    If you don't want to mess with drivers you can "play" with the MTU value of the interfaces.

    You may check this:
    #469 (airbase-ng MTU problems) – Aircrack-ng

    and this

    "The workaround is to increase the MTU of the master interface or decrease the MTU of the TUN/TAP. The MTU of the monitor mode interface should be the cards max (~2300?), while the MTU of the TUN/TAP should still be the normal ethernet max (1500 ~ 1518/1522). Setting the MTU manually fixes the problem"
    Custom Query – Aircrack-ng

    They are not very related to your problem, but you may find useful information on MTU, which affects Alfa cards + airbase-ng, as vvpalin told us in another post.

    Looking forward for your results.

    Thank you for the good words.

    Nick

  4. #34
    MikeCa (Senior Member; Location: DC; Join Date: Jan 2010; Posts: 129)

    Nick: Using this new script, all options seem to work when using my iPhone as the client to the generated AP. I was not able to browse any sites using my iMac with any of the modes in wlan_nick. I tried decreasing the MTU to 1000 but that did not help (the iPhone worked when keeping the MTU at 1500, which did not work in the previous version).

    As a reminder: I am using the 36H ALFA card as the fake AP and eth0 all running in VMWare Fusion.

    Great job, I am reinstalling this iMac to Snow Leopard and will see if I can get a connection to the fake AP.

    FOLLOW UP EDIT: I reinstalled my iMac and am confused. Sometimes my iMac will function with simple wlan (never works with 3 or 4) and sometimes it doesn't (I have tried MTU 1000 and 1400, doesn't seem to correlate to whether the connection works or not). I'll have to get back to this. The iPhone via wifi always works.

  5. #35
    Nick_the_Greek (Senior Member; Location: Greece; Join Date: Jan 2010; Posts: 181)

    Quote Originally Posted by mikec:
    Sometimes my iMac will function with simple wlan (never works with 3 or 4) and sometimes it doesn't (I have tried MTU 1000 and 1400, doesn't seem to correlate to whether the connection works or not).
    mikec,
    I am not familiar with the iMac. But, as far as I remember, when I was searching for something I ended up in an iMac forum. Some guy had problems with his router's DHCP and his iMac. The solution was to disable IPv6 on the iMac.

    You may try also this link:
    Mac DHCP Wireless Connection Broken With Self-Assigned IP Address ~ IT Professionals

    Sorry for being so unhelpful.

    Please report back any findings.

    Nick

    PS. As I understand it, your iPhone worked when keeping the MTU at 1500. And that MTU refers to "at0"? Right?
    Can you please tell me what the MTU value of your monitor mode interface (mon0) is?
    How high can you get this above 1500? (I am referring to mon0.)

    I believe I am starting to understand what to do and which should be the MTU values for wlan0-mon0 and at0 for the creation of the FakeAP.

  6. #36
    Just burned his ISO (Join Date: Oct 2009; Posts: 2)

    Your response is much appreciated

    One question,
    After doing some of the reading you prescribed, I am wondering if you were suggesting switching to the r8187/Stacks-ieee80211 driver. I do have the ALFA-AWUS036H and I think the default BT4 driver is RTL8187/Stacks-mac80211. Was this the idea you were thinking of when you mentioned changing over the drivers? I believe the ieee one is made a bit more for aircrack. It seems like everyone likes mac80211, but I can give the ieee version a shot if that's what you meant.

    Thanks again for the great welcome.

    Blitzman

  7. #37
    Nick_the_Greek (Senior Member; Location: Greece; Join Date: Jan 2010; Posts: 181)

    Quote Originally Posted by Blitzman:
    ... I am wondering if you were suggesting switching to the Driver r8187/Stacks-ieee80211.
    I don't blame you for wondering. You have already noticed the level of my English.

    Yes, Blitzman. My idea is to give the ieee version (or any other version that exists) a shot and see how airbase-ng likes it. If it likes it more than mac80211, then I can add a subroutine to the script, and if an RTL8187-based card is found in the system, we could install the ieee version and use it for the creation of the FakeAP. After that we could uninstall it easily and go back to the mac80211 version, as I already did with Atheros-based cards.

    If you get any positive results with it, please write a txt file and include all necessary information:
    What modules are used by your card (BT4PF modules)
    From where you downloaded the ieee version drivers
    How you compiled and installed them
    etc.

    Then send it to me so I can include it in the script. I think that would be great for you and other owners of RTL8187 cards.

    Nick

  8. #38
    Nick_the_Greek (Senior Member; Location: Greece; Join Date: Jan 2010; Posts: 181)

    Two more modes added

    MOD EDIT: From Nick the Greek: "Please download from the 1st post".
    Today I uploaded a new version of my script.

    Among other things I added 2 more modes. One funny and one not that funny.

    5. Upside down, Blur, Swirl client's browser images
    6. Forced downloading files
    The 1st mode is a modification of the Upside-Down-Ternet.
    Upside-Down-Ternet

    I just added compatibility with bmp files, and you can drive your client crazy with:
    a) Flipped images.
    b) Blurred images
    c) Swirled images

    This is very funny and I hope you find it funny too. The first time I tried this was on my wife, and to this day she accuses me of any "weird" image that she sees on her laptop.

    When I was modifying the redirect script for upside-down, I got an idea. What if I don't only redirect the images (modify them and then send them back with apache), but send our clients different files when they ask for them? So, this is what I do.

    First of all, for testing, my script will create 4 zero-byte files in /tmp/bad_files/, and these will be:
    test.exe, test.zip, test.rar, test.doc (no contents here).

    Let's say a client surfs the web and decides to download a foo.exe file from "www.foo.com". My redirect script listens for whether a *.exe, *.zip, *.rar or *.doc file is requested by our clients. If that happens, the redirect script:
    1) Makes a copy of test.(matching extension: exe, zip, rar or doc) to /var/www/files/
    2) Renames the above file with the filename that our client asked to download
    3) Serves this file to our client (with apache2)
    So in our case the test.exe from /tmp/bad_files/ will be copied to /var/www/files/, renamed to foo.exe and then sent back to our client via apache2.

    In conclusion, ANY time our clients decide to download ANY file with an extension of exe, zip, rar or doc (of course these extensions can be changed), they will be forced to download our fake files. The beautiful part is that the filename will be the original (renamed) and the displayed download location will be the original.

    The 6th option, "Forced downloading files", isn't tested very much, but so far all goes fine.
    I only tried it with http sites and I believe it won't work with https.

    Please report back any positive-negative results.

    Enjoy

    Nick

    PS. When running modes 5 or 6, it may be useful to add a cron job like this:

    Code:
    #min    hour   day      mon     wkday   command
    # "* */6" fires every minute during hours 0, 6, 12 and 18
    *       */6    *        *       *       rm /var/www/images/*
    *       */6    *        *       *       rm /var/www/files/*
    Save it to a file cleanup.cron and execute it with:

    Code:
    crontab cleanup.cron
    So the contents of the /var/www/images/ and /var/www/files/ folders will be emptied (6 times/hour), since, at least with images, they may fill up.
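    The swap described in the post above keeps the original filename and the displayed download location, so a client-side check has to look at the content rather than the name. The following Python function is an added example, not part of the thread or of Nick's script: it flags a zero-byte file, a file whose leading bytes do not match its extension, and a SHA-256 that differs from the publisher's published checksum (the function, the signature table and the sample bytes are my own).

```python
import hashlib
import os

# Leading bytes a file with each extension should start with. The swap in
# the thread targets exactly these extensions, so a 0-byte "foo.exe" fails.
# .zip has a second signature for an empty archive; .doc here means the
# legacy OLE compound document container.
MAGIC = {
    ".exe": (b"MZ",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".rar": (b"Rar!\x1a\x07",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}


def sha256_hex(data):
    """Hex SHA-256 of the received bytes, for comparison with a published checksum."""
    return hashlib.sha256(data).hexdigest()


def check_download(filename, data, expected_sha256=None):
    """Return a list of findings for a downloaded file; an empty list means it passed.

    filename: the name the browser shows (the swap keeps the original name).
    data: the bytes actually received.
    expected_sha256: hex digest from the publisher's checksum page, if known.
    """
    findings = []
    if len(data) == 0:
        findings.append("zero-byte file")
    ext = os.path.splitext(filename)[1].lower()
    signatures = MAGIC.get(ext)
    if signatures and not any(data.startswith(sig) for sig in signatures):
        findings.append("content does not match %s signature" % ext)
    if expected_sha256 is not None and sha256_hex(data) != expected_sha256.lower():
        findings.append("sha256 mismatch: got %s" % sha256_hex(data))
    return findings


if __name__ == "__main__":
    # Constructed sample: what a client receives after the swap described above.
    print(check_download("foo.exe", b""))
    # A constructed PE stub with a matching checksum passes every check.
    stub = b"MZ" + b"\x90" * 14
    print(check_download("foo.exe", stub, sha256_hex(stub)))
```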

  9. #39
    prowl3r (Guest)

    Nice Nick, but aren't you missing something?

  10. #40
    Senior Member (Join Date: Jan 2010; Posts: 140)

    This really looks like a great project. I have downloaded it and will test either tonight or Friday. My hardware: Acer AspireOne D150-1577 with an Alfa AWUS036H network card. I will report my findings.
