Thread: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

  1. #1 killadaninja
    Join Date: Oct 2007
    Location: London, United Kingdom.
    Posts: 526

    NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

    airssl.sh creates a fake access point using Airbase-ng and uses sslstrip to bypass SSL encryption; it also offers the user the choice to use Driftnet to capture images.

    airssl.sh gives the user the option, on the fly, to configure Airbase-ng and Ettercap, giving the user the possibility to load filters etc. This script also takes into consideration less literate users, offering them the chance to use basic modes for everything.

    Upon execution airssl.sh creates a working directory at /pentest/wireless/airssl, it then creates a dhcpd.conf file to use along with all the other necessary files it needs to work.

    Tutorial.
    Installation and use of airssl.sh is very simple and is covered below.

    Requirements.
    Airssl requires you to have at least 1 WNIC (wireless network interface card) for broadcasting the fake AP, and another WNIC/NIC to be connected to the internet. For the sake of this tutorial, eth1 will be connected to the internet and I will use wlan0 to broadcast the fake AP. airssl.sh manually configures IP forwarding, so if you have removed the comments from etter.conf to enable this then please re-hash them, i.e. a default etter.conf.

    Installing airssl

    1. Right click on your desktop and choose create new, now choose "text file" and finally name it airssl.sh
    2. Copy the script in the next post.
    3. Navigate back to your desktop, right click on the airssl.sh file you created and then choose open with, then select Kate.
    4. Now hit "ctrl v" to paste the code you copied in the next post, then hit "ctrl s" to save the file and finally "ctrl q" to quit Kate.
    5. Now open up a terminal and write
    Code:
    chmod 755  /root/airssl.sh
    (If airssl.sh is not in /root/ you probably do not need to be reading this tutorial.)

    6. Now open up a terminal and write
    Code:
    /root/airssl.sh
    You should see
    Code:
    AIRSSL 2.0 - Credits killadaninja & G60Jon
    If you do, then well done, the script has started.

    Using airssl
    The first question airssl will ask you is
    Code:
    Enter the networks gateway IP address, this should be listed above. For example 192.168.0.1:
    Above this question airssl has already grepped your gateway's address and named your wireless device attached to it.

    Code:
    AIRSSL 2.0 - Credits killadaninja & G60Jon
    
    0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
    
    
    Enter the networks gateway IP address, this should be listed above. For example 192.168.0.1:
    This clearly shows that in this circumstance eth1 is the connected device to a gateway address of 192.168.0.1.

    So I input 192.168.0.1 and hit enter, this brings airssl to its next question

    Code:
    Enter your interface that is connected to the internet, this should be listed above. For example eth1:
    No problem, we know this from our information above and in this circumstance it happens to be eth1.

    So we input eth1 and hit enter, airssl asks us its next question.

    Code:
    Enter your interface to be used for the fake AP, for example wlan0:
    If you are unsure of the name of the dev you want to use for broadcasting the rogue AP then open a new console, and input
    Code:
    airmon-ng
    For me this returns
    Code:
    Interface       Chipset         Driver
    
    eth1            Broadcom                wl
    wlan0           RTL8187         rtl8187 - [phy0]
    As airssl told us earlier, eth1 is the card connected to the gateway, thus the card we want to use for the rogue AP, in this circumstance, must be wlan0.

    So we input wlan0 and hit enter, which brings airssl to its next question

    Code:
    Enter the ESSID you would like your rogue AP to be called
    What airssl is asking you here is what you want your fake AP to be called; some good ideas might be McDonalds Hotspot, LA X Terminal 1, etc. (Note, spaces are allowed.)

    For this tutorial we will input Freewifi and hit enter,
    which brings airssl to its next question.

    Code:
     Airbase-ng will run in its most basic mode, would you like to
    configure any extra switches?
    
    Choose Y to see airbase-ng help and add switches.
    Choose N to run airbase-ng in basic mode with your choosen ESSID.
    Choose A to run airbase-ng in respond to all probes mode (in this mode your choosen ESSID is not used, but instead airbase-ng responds to all incoming probes), providing victims have auto connect feature on in their wireless settings (MOST DO), airbase-ng will imitate said saved networks and victim will connect to us, likely unknowingly. PLEASE USE THIS OPTION RESPONSIBLY.
    Y, N or A
    The above question is pretty self-explanatory; if you want to learn more about the -a switch or any of the switches, consult the airbase-ng FAQ.

    For the sake of this tutorial we will choose n, so we input n and continue.

    airssl will print a few lines and open a few xterm windows (so we can see what is happening with the attack); after a few seconds AIRSSL will ask its next question.
    Code:
    Ettercap will run in its most basic mode, would you like to
    configure any extra switches for example to load plugins or filters,
    (advanced users only), if you are unsure choose N
    Y or N
    Again in this tutorial we will choose N, loading Ettercap filters is beyond the depth of this tutorial, consult the Ettercap FAQ to learn more.

    After we input N and hit enter, we should see the next question.

    Code:
    Would you also like to start driftnet to capture the victims images,
    (this may make the network a little slower)
    Y or N
    Again for this tutorial we will choose n; however, even the less advanced users may choose y here. Nothing complicated will happen, we will just see the victims' images as they browse; these are also saved at /pentest/wireless/airssl/driftftnetdata. Whatever you choose, the final screen you will see will look like this.
    Code:
    [+] Activated...
    Airssl is now running, after victim connects and surfs their credentials will be displayed in ettercap. You may use right/left mouse buttons to scroll up/down ettercaps xterm shell, ettercap will also save its output to /pentest/wireless/airssl/passwords unless you stated otherwise. Driftnet images will be saved to /pentest/wireless/airssl/driftftnetdata
    
    [+] IMPORTANT...
    After you have finished please close airssl and clean up properly by hitting Y,
    if airssl is not closed properly ERRORS WILL OCCUR
    If all went well the attack is now running. Using a test computer you should be able to scan for networks and connect to your newly created FakeAP; whilst on the test PC connect to a site you know uses SSL encryption and sign in, and you should see credentials displayed in ettercap's xterm shell in plain text. This attack will also filter passwords from unencrypted sites, try one. Passwords saved from Ettercap. Don't forget you can use your right mouse button to scroll up ettercap (in case you think you missed some credentials).

    Final Note
    As you can see you are still left with one last question: AIRSSL asks you to type Y to clean up properly after you have finished your session. I strongly suggest you take notice of this and do as asked. If you do not choose Y and let airssl close properly your system may become dysfunctional. Another serious note: if airssl is not working, try getting to this step and choosing Y (to clean up), then try running airssl again; this can help run airssl because it may fix some forwarding or other dev creation errors.
    Last edited by killadaninja; 11-19-2010 at 09:00 AM.
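Added example, not part of airssl.sh or of the post above: the post describes airssl having "grepped your gateway's address" from the route table before asking for the gateway IP and the internet-facing interface. The shell below shows how that lookup can be done reliably with awk on `route -n` output, plus a check on what gets typed at the gateway prompt before it is written into files like dhcpd.conf. The route table string is constructed for the example (its first route mirrors the 192.168.0.1 / eth1 line shown in the tutorial); the function names `default_gateway` and `valid_ipv4` are my own, not airssl's.

```shell
#!/bin/sh
# Added example (not from airssl.sh): recover the default gateway and the
# interface that reaches it from `route -n` output, and sanity-check an
# IPv4 address before it is used in generated config.

# Constructed sample of `route -n` output; the 192.168.0.1 / eth1 route is
# the one from the tutorial, the second line is made up for illustration.
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1'

# default_gateway TABLE
# Prints "<gateway> <iface>" for the first default route, i.e. the row whose
# Destination is 0.0.0.0 and whose Flags column contains G (gateway).
# Returns 1 when the table has no default route at all.
default_gateway() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0" && $4 ~ /G/ { print $2, $8; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# valid_ipv4 ADDR
# Returns 0 when ADDR is a dotted quad with four numeric octets in 0..255,
# otherwise 1. Rejects things like "192.168.0", "300.1.1.1" or "1.2.3.x".
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# Stand-alone run against the constructed table. On a live host you would
# feed it "$(route -n)" instead of the sample string.
main() {
    gw_line=$(default_gateway "$SAMPLE_ROUTE_TABLE") || {
        echo "no default route found"
        return 1
    }
    set -- $gw_line
    echo "gateway=$1 iface=$2"
    if valid_ipv4 "$1"; then
        echo "gateway address is well-formed"
    else
        echo "gateway address is not a valid IPv4 address"
        return 1
    fi
}

main
```

Using awk on the whole table rather than a bare `grep 0.0.0.0` avoids matching the Genmask column of other routes, and the address check catches a mistyped value at the prompt before it ends up in dhcpd.conf or a forwarding rule.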
