[Script] [Video] FakeAP_pwn (v0.2.1)

[kernel831]

Running RC-44 now, Ran into a problem with apache. When I connect to the download page on the web server the download link for the .exe is no longer found.
My guess is that the payloads are not being renamed correctly for the download? I think that things may be getting overcomplicated with the update system on top of making the new htdocs directory in /var/www/

[pentest09]

hi joker yeah i think so was using 1.1 and 2 etc betas and all working fine then tried the latest few and a few lines of code needed ammending for wireless card ie: space " removed on line 124 i think and now using the 0.3RC32 version and it does not give me the apache web page it has worked in vmware before was thinking maybe its my alpha 1mw usb but it injects and sniffs monitor mode fine in airodump.


was searching for the old versions to test for simplicity and check all the way up to see if its the script it was all working so easy just ifconfig my eth0 for its ip and make sure my wlan0 was in lsusb and run and it set it all up give fake page then allowed interwebs, payload was picked up and i was manually replacing with my multi encoded one then 'milk" told me that he did an encoded version tried it and it worked and popped up vnc so nice undetected.


Anyway reminiscing lol please help

[joker5bb]

ok so i will add
ifconfig $interface up
so that will bring up eth0 or what ever you have that set to

but the latest version is r44
http://code.google.com/p/fakeap-pwn/source/checkout

so test that out

and what line has to be changed?

[pentest09]

Thanks joker, i have just tried a vmware machine using seperate wifi card via usb and connected to the ap direct, when i type in 10.0.0.1 in address bar i get the page but cannot down load the payload and when i copy the payload over and run it it doesnt copmplete the session just stuck on the sending stage . can i get hold of the older versions 1.2/3 ect because they worked fine and i can just edit the payload in the script and replace with the shikata_gai_nai section of your new scripts.


seems like a dhcp prob not redirecting. its doing my head in it was soooo soooo good when it works, has anyone else had this problem?

[slowz3r]

Using the latest version I get a whole page not found on server deal, and some apache blah blah blah crap, could be i finally got my new laptop and I screwed something up hmmm...Anyone get anything similar with the latest update?

EDIt* it does redirect though so thats good

EDIt* or it could have something to do with running in VMware?

[joker5bb]

apache setup and redirection are all working
only metasploit part needs improvement

[g0tmi1k]

I would, but there was an incident with my Laptop involving a wiffle ball bat, Waiting on my new Dell to get here.

You mentioned something about VMware, and i haven't gone and tried it but would it work running in VMware or no? Cuz i haven't run windows on a PC in a long time and i figure when i get my new laptop i keep it that way for at least a week

Wiffle ball bat you say?! Do tell =P

Yes, running in a VM (Virtual Machine - VMware, VirtualBox etc) may cause "problems". Personally I code it and run it in a VM, and 90% of the time its great. Its gives "better" results if you don't use VM though.
I also don't run windows on my main machine(s) - just have it in the lab. (=

Hmm.. Using r32, I am connecting and obtaining an IP address, but am not being redirected to the update site. What happened to fakeDNS?

FakeDNS was removed, cos I believe its not needed.
What mode do you have it in? (using -v or -V)
Could you give any information on the setup?

I running on my pc with a windows xp in vmware with usb wifi, i update the fakeAP_pwn to RC32 and dhcpd3 version is:

root@bt:~# dhcpd3 --version
isc-dhcpd-V3.1.1

the "client" is connecting but stuck in DHCP and loop with this msg:

DHCPDISCOVER from 00:21:e8:34:a9:59 (BlackthornE) via at0
DHCPOFFER on 10.0.0.150 to 00:21:e8:34:a9:59 (BlackthornE) via at0

Fake Access point says:

Got directed probe request from 00:21:e8:34:a9:59 - "Free-WiFi"

The scripts start like this:[*] g0tmilk's fakeAP_pwn v0.3-RC32
[>] Checking environment...
[i] ESSID=Free-WiFi
[i] fakeAPchannel=1
[i] interface=eth0
[i] wifiInterface=wlan0
[i] monitorInterface=mon0
[i] payload=wkv
[i] backdoorPath=/root/backdoor.exe
[i] metasploitPath=/opt/metasploit3/bin
[i] htdocsPath=/var/www/fakeAP_pwn
[i] mtu=1500
[i] apMode=transparent
[i] respond2All=false
[i] fakeAPmac=set
[i] extras=false
[i] debug=false
[i] verbose=1
[i] gatewayIP=192.168.1.1
[i] ourIP=192.168.1.104
[i] port=27724
[>] Stopping services and programs...
[>] Setting up wireless card...
[>] Changing MAC Address...
[i] macAddress=04:01:02:9a:58:3f (Rco Security Ab)
[>] Creating scripts...
[>] Creating exploit...(Windows)
[>] Creating fake access point...
[>] Setting up our end...
[>] Starting DHCP server...
[>] Starting Metasploit...
[>] Starting Web server...[*] Waiting for target to run the "update"

Wifi N? what do u mean with that?

Thx in advance! and sorry for my english

DHCP - A Loop? Did you make the output window bigger to see?
WiFi N - IEEE 802.11n
On the targets IP - does it get the IP address from the DHCP?

he means 802.11N the newest wireless connection standard for computers and networks,

Thanks for filling in for me.

i added hostapd support, so test that out

Thanks joker - Just wanted to say that hostapd isnt for everyone (unlike airbase-ng)
"current version supports Linux (Host AP, madwifi, mac80211-based drivers) and FreeBSD (net80211)."

gorgeous, amazing job, with the popularity of the wifi this tool it's excelent, i will probe and come later to give me review, regards.

Thanks for the thanks!
Please do!

My wifi card is:

Intel 802.11a/b/g

Thats great!

Hi all hope someone can help?

I have used G0tmilks fake_ap_pwn since early versions without the shikata gai_nai payload and up until recently when i run it it seems to just hang with me not being able to get the update page on my vic machine bfore it was working pukka. Now with the recent updates to the script i cant get it to work

running bt4 final
vmware 7 on win7 works in vmware btw before.

ifconfig eth0 up
/etc/init.d/networking start

wlan0 ready all xterms setup and handler waiting on 10.0.0.x etc

before when i connected to the ap i had to type in an http address and the update/patch icon appeared but recently not a thing
and it used to work an give me internet after exploit run.

i have checked the server 127.0.0.1 and 10.0.0.1 and "it works" appears.

but i get forbidden on the wepage now when run on the vic machine.

please help.

WOW - old school fan
I personally haven't made any changes/tested it since R32 - not sure what release you are using at the mo.
Okay. so it sounds like its not forwarding you - this is a on going problem.
I want to use "Blackhole routing" wherewas Joker wants to use a DNS services.
Its something we are looking into

Somehow the script doesn't start my preffered network devices. I choose eth0 with internet and wlan0 and mon0 for fakeAP. But in midst of the process it starts at0 and eth0 is that suppose to happen?

Also wanted to check if the 10.0.0.0 ip ranges are supposed to be changed to my network enviroment?

Yes - this is meant to happen!
eth0 = Internet
wlan0 = WiFi
mon0 = Monitor Interface (this is created from your WiFi device)
at0 = The interface of the FakeAP

This script creates its own class of network - 10.0.0.0, so that it doesnt "interfere" with your current network.

I need a WiFi /n ?

No. You dont. kernel831 belives it creates "problems"

Running RC-44 now, Ran into a problem with apache. When I connect to the download page on the web server the download link for the .exe is no longer found.
My guess is that the payloads are not being renamed correctly for the download? I think that things may be getting overcomplicated with the update system on top of making the new htdocs directory in /var/www/

I haven't touch it since R32, so I'll give it a test as soon as I can and see whats what.

hi joker yeah i think so was using 1.1 and 2 etc betas and all working fine then tried the latest few and a few lines of code needed ammending for wireless card ie: space " removed on line 124 i think and now using the 0.3RC32 version and it does not give me the apache web page it has worked in vmware before was thinking maybe its my alpha 1mw usb but it injects and sniffs monitor mode fine in airodump.


was searching for the old versions to test for simplicity and check all the way up to see if its the script it was all working so easy just ifconfig my eth0 for its ip and make sure my wlan0 was in lsusb and run and it set it all up give fake page then allowed interwebs, payload was picked up and i was manually replacing with my multi encoded one then 'milk" told me that he did an encoded version tried it and it worked and popped up vnc so nice undetected.


Anyway reminiscing lol please help

It sounds like its apache, not your WiFi card. I may look into using a different web server.
What old version did you get working?

Thanks joker, i have just tried a vmware machine using seperate wifi card via usb and connected to the ap direct, when i type in 10.0.0.1 in address bar i get the page but cannot down load the payload and when i copy the payload over and run it it doesnt copmplete the session just stuck on the sending stage . can i get hold of the older versions 1.2/3 ect because they worked fine and i can just edit the payload in the script and replace with the shikata_gai_nai section of your new scripts.


seems like a dhcp prob not redirecting. its doing my head in it was soooo soooo good when it works, has anyone else had this problem?

Yes. Alot of people have. Not sure why though. I'll look into it.

Using the latest version I get a whole page not found on server deal, and some apache blah blah blah crap, could be i finally got my new laptop and I screwed something up hmmm...Anyone get anything similar with the latest update?

EDIt* it does redirect though so thats good

EDIt* or it could have something to do with running in VMware?

Yes, there using "VM's" (VMware or VirtualBox) can make "problems"

apache setup and redirection are all working
only metasploit part needs improvement

What needs improving on the metasploit part?

[joker5bb]

using hostapd with nl80211 will support all wireless card drivers listed here:
Drivers - Linux Wireless
that have AP mode

[slowz3r]

Wiffle ball bat you say?! Do tell =P

Yes, running in a VM (Virtual Machine - VMware, VirtualBox etc) may cause "problems". Personally I code it and run it in a VM, and 90% of the time its great. Its gives "better" results if you don't use VM though.
I also don't run windows on my main machine(s) - just have it in the lab. (=



Yes, there using "VM's" (VMware or VirtualBox) can make "problems"

Well, I was in in the garage, where I have my lab stuff set up and i had my laptop on a chair with the screen open and my 12 year old brother comes out with a wiffle ball bat and a ball and decides he wants to hit some balls from in the garage, needless to say he hit my laptop farther than he hit the ball


I guess I'll be setting up a dual boot then

[pentest09]

right just noticed in the xterm dhcp :
unable to add reverse map from 100.0.0.100 in-addr.arpa is this the problem? and how to rectify?