
Thread: [Script] [Video] FakeAP_pwn (v0.2.1)


  1. #1
    g0tmi1k (Moderator)

    [Script][Video] fakeAP_pwn.sh (v0.2.5)

    Links
    Watch video on-line: http://g0tmi1k.blip.tv/file/3622180
    Download video:
    http://www.mediafire.com/?pmnasjkp3jc7t0k


    ~ V0.3 FINAL IS OUT ~
    [Script] [Video] fakeAP_pwn (v0.3)



    What is this?

    An update to the script, fakeAP_pwn. This is a bash script to automate creating a 'Fake Access Point' and 'pwn' whoever connects to it! The FakeAP is transparent (allowing the target to afterwards surf the inter-webs once they have been exploited!), and the payload is either SBD (Secure BackDoor - similar to netcat!) or VNC (remote desktop).


    How does this work?
    > Creates a fake AP and DHCP server.
    > Runs a web server & creates an exploit with metasploit.
    > Waits for the target to connect, download and run the exploit.
    > Once successfully exploited it grants access to allow the target to surf the inter-webs.
    > Uploads a backdoor; SBD or VNC, via the exploit
    > The attacker has the option to run a few 'sniffing' programs (from the dsniff suite) to watch what the target does on the FakeAP!


    What do I need?

    > Two interfaces, one for Internet (wired/wireless) and the other for becoming an access point (wireless only - must support monitor mode)
    > An Internet connection (though you could modify it so it's non-transparent)
    > Airmon-ng, dhcpd3, apache, metasploit, dsniff suite --- All on BackTrack!
    > The script! fakeAP_pwn-v0.2.5.tar.gz (490.3 KB, SHA1:541d91c19ff32777317385218820233a62f1dc76)


    What's in the tar.gz?
    > fakeAP_pwn.sh --- Bash script
    > www/index.php --- The page the target is forced to see before they have access to the Internet.
    > www/Linux.jpg, OSX.jpg, Windows.jpg --- OS pictures
    > www/sbd.exe --- SBD Backdoor
    > www/vnc-g0tmi1k.exe --- VNC Backdoor


    How to use it?
    1.) Extract the tar.gz file (via tar zxf fakeAP_pwn-v0.2.5.tar.gz).
    2.) Copy the "www" folder to /var/www (cp www/* /var/www/)
    3.) Make sure to "Start Network" and to have an IP address. (via start-network and dhclient [Internet Interface])
    4.) Edit fakeAP_pwn.sh with your "internet" and "wireless" interface. (You can view your interfaces via ifconfig and use kate to edit the file.)
    5.) bash fakeAP_pwn.sh (don't forget to be in the correct folder!)
    6.) Wait for a connection...
    7.) ...Game Over.

    Commands:
    Code:
    tar zxf fakeAP_pwn-v0.2.5.tar.gz
    cd fakeAP_pwn-v0.2.5
    cd fakeAP_pwn
    cp www/* /var/www
    ifconfig
    kate fakeAP_pwn.sh
    bash fakeAP_pwn.sh




    Notes:


    • This time it should work for everyone, just not me =P
    • The video uses fakeAP_pwn.sh v0.2.1
    • It's worth doing this "manually" (without the script) before using the script, so you have an idea of what's happening, and why. The script is only meant to save time.
    • I'm running BackTrack 4 Final in a VM. The target is running Windows 7 Ultimate (fully up-to-date 2010-05-13), with no firewall, no AV and no UAC. Tested with Windows XP SP3 Professional as well.
    • The connection is reversed - so the connection comes from the target to the attacker, therefore, as the attacker is the server, it could help out with firewalls...
    • As you can see in the code, one day I plan for this to also "affect" Linux and/or OSX...but it's taken me this long to update it - so don't hold your breath!

    Song: Medicin - Summer Drummer
    Video length: 3:20
    Capture length: 8:12

    Blog Post: http://g0tmi1k.blogspot.com/2010/05/...ppwn-v021.html
    Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/28363-%5Bscript%5D-%5Bvideo%5D-fakeap_pwn-v0-2-1-a.html#post161837



    v0.2.5
    > Removed silly typos

    v0.2.4
    + Added arguments
    + Checks for superuser
    + Checks interfaces/paths/files exists
    + Improved transparent mode (Thanks joker5bb)
    > General code improvements
    > Updated the help message

    v0.2.3
    + Fakes the MAC address (Thanks joker5bb)
    + Fix “wicd” bug (Thanks joker5bb)
    + Randomizes ports each time
    + Reversed VNC - No need to type in password now
    + Stops and removes existent backdoors
    + Stops services and programs (Thanks joker5bb)
    + Uses “msfencode” - to prevent detection
    + Webpage now has a "favicon"
    > Fix a few minor features - Couple of silly typos (Thanks joker5bb)
    > General code improvements
    > Improved "clean up" code
    > Improved the WiFi interface (Thanks joker5bb)
    > Renamed the backdoor files
    > Renamed the output windows

    v0.2.2
    + Fix gateway bug
    + Fix DHCP PID Bug
    + Checks for other index files. And acts on it.
    + Checks to make sure user copied www/. Else acts on it.
    + Added more tools to "extra".
    + Added extra settings (Response to all requests & WiFiName)
    > Improved debug info
    > Aligned the output windows
    > General code improvements
    > Improved chances of DHCP working (Might need more work)
    > "Started" work on transparent (Needs more work)
    > "Started" work on allow a custom backdoor (Needs more work)
    - Removed Linux/OSX - was confusing people

    v0.2.1
    + Remade first release
    > Created Video

    v0.1
    + First public release
    Last edited by g0tmi1k; 03-05-2011 at 02:17 PM.
    Have you...g0tmi1k?
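Added example, not part of g0tmi1k's fakeAP_pwn and not from this thread: the mirror image of the fake-AP setup described in the post above is how a wireless IDS spots one. The check below runs over constructed beacon observations (SSID, BSSID, channel, whether the network is encrypted) against an assumed inventory of authorized BSSIDs, and flags an authorized SSID beaconed from an unknown radio (evil twin), the same with encryption dropped, and an open network whose name is a lookalike of an authorized one. The `AUTHORIZED` table, the `Beacon` type and every address in `SAMPLE_BEACONS` are constructed for the example.

```python
"""Added example (not part of g0tmi1k's fakeAP_pwn or of this thread):
a rogue-AP / evil-twin check over beacon observations, the kind of rule a
wireless IDS applies. All data below is constructed sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    encrypted: bool  # False for an open network


# Constructed inventory: the SSIDs an organisation operates and the BSSIDs
# (AP radio MACs) that are allowed to beacon them.
AUTHORIZED = {
    "corp-wifi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}


def _norm(ssid: str) -> str:
    """Collapse case, spaces, hyphens and underscores so that
    'Corp WiFi' and 'corp_wifi' compare equal to 'corp-wifi'."""
    return "".join(ch for ch in ssid.lower() if ch not in " -_")


def find_rogue_aps(observations, authorized=AUTHORIZED):
    """Return a list of (reason, beacon) tuples for suspicious beacons.

    reason is one of:
      'evil-twin'  an authorized SSID beaconed from an unknown BSSID
      'open-twin'  the same, but the rogue also dropped encryption
      'lookalike'  an open network whose SSID only differs from an
                   authorized SSID by case, spacing or punctuation
    Each (ssid, bssid) pair is reported at most once.
    """
    normalized_auth = {_norm(s) for s in authorized}
    findings = []
    seen = set()
    for b in observations:
        bssid = b.bssid.lower()
        if (b.ssid, bssid) in seen:
            continue
        seen.add((b.ssid, bssid))
        if b.ssid in authorized:
            if bssid not in authorized[b.ssid]:
                findings.append(("evil-twin" if b.encrypted else "open-twin", b))
        elif not b.encrypted and _norm(b.ssid) in normalized_auth:
            findings.append(("lookalike", b))
    return findings


# Constructed observations, as a monitor-mode capture would yield them.
SAMPLE_BEACONS = [
    Beacon("corp-wifi", "aa:bb:cc:00:00:01", 6, True),    # legitimate AP
    Beacon("corp-wifi", "AA:BB:CC:00:00:01", 6, True),    # same AP, repeated beacon
    Beacon("corp-wifi", "de:ad:be:ef:00:01", 6, False),   # open evil twin
    Beacon("Corp WiFi", "de:ad:be:ef:00:02", 11, False),  # lookalike name
    Beacon("Free-Wifi", "de:ad:be:ef:00:03", 1, False),   # unrelated open network
]

if __name__ == "__main__":
    for reason, b in find_rogue_aps(SAMPLE_BEACONS):
        print(f"{reason:10} ssid={b.ssid!r} bssid={b.bssid} channel={b.channel}")
```

In a real deployment the observations come from a monitor-mode capture rather than a list literal; the matching logic stays the same. The BSSID inventory is the part that does the work: without it, an open network with a familiar name is indistinguishable from the real thing, which is exactly what the script relies on.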

  2. #2
    Just burned his ISO

    Re: [Script] [Video] FakeAP_pwn (v0.2.1)

    g0tmi1k, I have a question about the settings inside the .sh script.

    My internet connection is wlan0, while my external card I use for monitoring is wlan1.
    How should I adjust the settings inside the .sh script for it to work out? Because it would seem your script puts wlan0 into monitor mode when I execute it, which doesn't sound right to me; shouldn't it be wlan1?

  3. #3
    joker5bb (Member)

    Re: [Script] [Video] FakeAP_pwn (v0.2.1)

    How would you do a non-transparent mode?
    I can't get it to work.

    I have tried the instructions from here: http://pastebin.com/f1333c8f3
    Last edited by joker5bb; 05-16-2010 at 05:16 PM.

  4. #4
    g0tmi1k (Moderator)

    Re: [Script] [Video] FakeAP_pwn (v0.2.1)

    Quote Originally Posted by joker5bb View Post
    how would you do a non-transparent mode?
    i cant get it to work

    i have tried instructions from here Bash | #Non Transparent - Target cant - G0tmi1k - f1333c8f3 - Pastebin.com
    I'm not 100% sure, but a rough idea would be to do this:
    On line 232 (echo "[>] Give target inter-webs back...")
    comment out (using # at the start of the lines) all the lines until line 241 (iptables --table nat -A POSTROUTING -o $gateway_interface -j MASQUERADE).
    Again, I dunno if this will work, it's just an idea, and I'm currently away from my test lab to try it out myself or find a 100% working solution. This anyway SHOULD block everything on port 80 (due to line 213).
    Have you...g0tmi1k?

  5. #5
    joker5bb (Member)

    Re: [Script] [Video] FakeAP_pwn (v0.2.1)

    first off you need to fix your dhcpd.conf

    Code:
    ddns-update-style interim;
    default-lease-time 86400;
    max-lease-time 90000;
    authoritative;
    log-facility local7;
    
    subnet 10.0.0.0 netmask 255.255.255.0 {
      range 10.0.0.150 10.0.0.250;
      option subnet-mask 255.255.255.0;
      option broadcast-address 10.0.0.255;
      option routers 10.0.0.1;
      option domain-name "Home.com";
      option domain-name-servers 40.175.42.254, 40.175.42.253;
      option netbios-name-servers 10.0.0.100;
     }
    Last edited by joker5bb; 05-17-2010 at 02:16 AM.

  6. #6
    g0tmi1k (Moderator)

    Re: [Script] [Video] FakeAP_pwn (v0.2.1)

    Quote Originally Posted by joker5bb View Post
    first off you need to fix your dhcpd.conf
    Could I ask what's wrong with mine?

    I don't think this is right for my setup:
    Code:
    option domain-name-servers 40.175.42.254, 40.175.42.253;
    You have these as extra stuff:
    Code:
    ddns-update-style interim;
    authoritative;
    log-facility local7;
    option netbios-name-servers 10.0.0.100;
    What do they do / why do I need them, as it works okay for me how it is!
    Last edited by g0tmi1k; 05-17-2010 at 12:17 PM.
    Have you...g0tmi1k?
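Added example, not from this thread and not g0tmi1k's or joker5bb's code, covering the dhcpd.conf exchange in posts #5 and #6: a stdlib-only consistency check for an ISC dhcpd.conf subnet block. It parses a config of the shape posted above and flags the things that commonly leave clients without working networking: a lease range or gateway outside the subnet, a missing gateway, a broadcast address that does not match the subnet, and domain-name-servers on public addresses, which clients can only reach once the gateway forwards traffic upstream (the point g0tmi1k raises about the 40.175.42.x entries). The parser is a regex over flat `subnet { }` blocks and is an assumption of this example; it does not handle nested `pool` or `class` blocks. `SAMPLE_CONF` is constructed, modelled on the posted config.

```python
"""Added example, not from this thread and not g0tmi1k's or joker5bb's code:
a stdlib-only consistency check for an ISC dhcpd.conf subnet block. It
parses a config of the shape posted above and flags the settings that
commonly leave clients without working networking."""

import ipaddress
import re

# Constructed sample, modelled on the config posted in this thread.
SAMPLE_CONF = """
ddns-update-style interim;
default-lease-time 86400;
max-lease-time 90000;
authoritative;
log-facility local7;

subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.150 10.0.0.250;
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.0.0.255;
  option routers 10.0.0.1;
  option domain-name "Home.com";
  option domain-name-servers 40.175.42.254, 40.175.42.253;
  option netbios-name-servers 10.0.0.100;
}
"""

# Assumption of this example: flat subnet blocks only (no nested pool/class).
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_subnets(text):
    """Return one dict per 'subnet ... { }' block: the network plus the
    statements inside it, keyed by name with the 'option ' prefix dropped
    and comma-separated values split into a list."""
    blocks = []
    for net, mask, body in SUBNET_RE.findall(text):
        stmts = {}
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if not stmt:
                continue
            if stmt.startswith("option "):
                stmt = stmt[len("option "):]
            name, _, value = stmt.partition(" ")
            stmts[name] = [v.strip().strip('"') for v in value.split(",")]
        blocks.append({"network": ipaddress.ip_network(f"{net}/{mask}"), "stmts": stmts})
    return blocks


def check_subnet(block):
    """Return human-readable warnings for one parsed subnet block."""
    net, stmts = block["network"], block["stmts"]
    warnings = []
    if "range" in stmts:
        lo, hi = (ipaddress.ip_address(a) for a in stmts["range"][0].split())
        if lo not in net or hi not in net:
            warnings.append(f"range {lo}-{hi} lies outside {net}")
        elif lo > hi:
            warnings.append(f"range start {lo} is above range end {hi}")
    else:
        warnings.append("no 'range': the server has no addresses to hand out")
    if "routers" not in stmts:
        warnings.append("no 'option routers': clients get no default gateway")
    for gw in stmts.get("routers", []):
        if ipaddress.ip_address(gw) not in net:
            warnings.append(f"router {gw} is not inside {net}; clients cannot reach it")
    for dns in stmts.get("domain-name-servers", []):
        if ipaddress.ip_address(dns).is_global:
            warnings.append(f"DNS server {dns} is a public address; clients can only "
                            "use it once the gateway forwards traffic upstream")
    if "broadcast-address" in stmts:
        bcast = ipaddress.ip_address(stmts["broadcast-address"][0])
        if bcast != net.broadcast_address:
            warnings.append(f"broadcast-address {bcast} does not match {net}")
    return warnings


def check_conf(text):
    """Map each subnet (as 'a.b.c.d/len') to its list of warnings."""
    return {str(b["network"]): check_subnet(b) for b in parse_subnets(text)}


if __name__ == "__main__":
    for network, warnings in check_conf(SAMPLE_CONF).items():
        print(network, "->", warnings or "no issues")
```

Run against the sample, the only findings are the two public DNS servers, which matches the thread: the range, gateway and broadcast are all consistent with 10.0.0.0/24, and the global statements (`authoritative`, `ddns-update-style`, `log-facility`) affect server behaviour rather than what clients receive, which is why a config without them still hands out working leases.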

  7. #7
    Gitsnik (Very good friend of the forum)

    Re: [Script] [Video] FakeAP_pwn (v0.2.1)

    Quote Originally Posted by g0tmi1k View Post
    Could I ask whats wrong with mine?
    There's nothing wrong with either of them. Some people just have different setups to others. Neither of your dhcp configs would work on my kit, for example, which means that I have to adapt them to suit my needs rather than telling you flat out it is wrong.

    Just as a note, non-transparency involves redirecting them to begin with, and then passing everything along, you would have to add or remove iptables rules dynamically. I haven't really applied my mind to the problem, but you can't force a user to go through a proxy/strip session unless it is transparent, that much I remember from a few years of looking into it. So, to put it another way, sniff credentials without user input requires transparent proxying. Sniffing credentials with user input (or just ignoring the sniffing stage whatsoever) removes the need for transparent proxying. At that point there isn't much purpose to non-stripping sniffing.

    Unless, you know, you actually know how to sniff passwords out of something other than http/https traffic
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  8. #8
    Member

    Re: [Script] [Video] FakeAP_pwn (v0.2.1)

    g0tmi1k just posted an update on his blog:
    ( g0tmi1k: [Script] [Video] fakeAP_pwn (v0.2.1) )
    g0tmi1k said...

    @Everyone:
    Before I make a post about it - here is v0.2.2-beta2
    fakeAP_pwn.sh

    + Fix Gateway Bug
    + Fix DHCP PID Bug
    + Checks for other index files. And acts on it.
    + Checks to make sure user copied www/. And acts on it.
    + Added more tools to "extra"
    + Added extra settings (Response to all requests, WiFiName)
    > "Improved" chances of DHCP working <-- Needs more work
    > "Started" work on transparent <-- Needs more work
    > "Started" work on allow a custom backdoor <-- Needs more work
    - Removed Linux/OSX - was confusing people
    17 May 2010 17:50

  9. #9
    Just burned his ISO

    Re: [Script] [Video] FakeAP_pwn (v0.2.1)

    Thanks nivong & g0tmi1k, for the update, but still isn't working.

    2 APs show up in Windows & Wicd. One labeled "Other Network" & "Free-Wifi" (as it should).

    When I look to investigate the problem it states a problem with the DNS. Here's the error in Windows...
    • The Domain Name Server (DNS) is not reachable.
    • The Domain Name Server (DNS) does not have a listing for the website's domain.

  10. #10
    Just burned his ISO

    Re: [Script] [Video] FakeAP_pwn (v0.2.1)

    Great script, worked first time on eeepc, does what it says on the can!!
    Not tried v2.2 yet.
    Suggestion: would it be possible to include hm2075 wireless key grabber?
    Many thanks
