[Script] [Video] FakeAP_pwn (v0.2.1)

[teaker]

W000t! Finally got this damn thing figured out.. working on both my xp and my win7 x64 machines. The problem with the redirect is that script is telling the iptables to redirect port 80-->10000 for sslstrip, and also to redirect port 80-->10.0.0.1, which obviously wont work. So, if you want the redirect to work, just # out line 547 (iptables -t nat -A PREROUTING... --to-port 10000)

Let me know if this works for any of you guys-

[g0tmi1k]

Just downloaded r10.
I've had trouble connecting/obtaining an IP address with each release until I change:
airbase-ng -P -C 0 <--- to a higher number (ie. 50 or 100). After that I am connecting fine.

However, once I am connected, metasploit isn't doing anything. In other words, I can connect and surf the internet, but I am never redirected/exploited. Any ideas?

The -C is only used when you enabled "respond2All". Which be default it doesn't! So I dunno why that is the case for you!

Metasploit isn't meant to do anything then anyway!
DNSSpoof on the other hand...is meant to do something - redirect all the traffic!
Not sure why its not doing it - I need to be at home in my lab to test it all out (been coding it without testing it)

Frustrated with this whole it not redirecting thing :P haha oh well

How long is it taking some of you for VNC to upload to the target? Even after changing the MTU value it seems like it isnt uploading at all,

Your not the only one frustrated, I've been away travelling and I left my WiFi cards at home! )= So I've been trusting other people to test stuff out (as I dont have my lab)...
I don't think im going to release another update for a bit now. I wanna get home and sort it all out. (=

Could you tell me:

• Your WiFi card + driver
• Your kernel version
• Signal strength of the AP
• The time it takes to ping the AP
• The time it takes to ping google.com when connect to the fakeAP
• send me the output of: bash fakeAP_pwn.sh -V > output.txt

[slowz3r]

W000t! Finally got this damn thing figured out.. working on both my xp and my win7 x64 machines. The problem with the redirect is that script is telling the iptables to redirect port 80-->10000 for sslstrip, and also to redirect port 80-->10.0.0.1, which obviously wont work. So, if you want the redirect to work, just # out line 547 (iptables -t nat -A PREROUTING... --to-port 10000)

Let me know if this works for any of you guys-

This guy Wins!, successful Redirect!

Your not the only one frustrated, I've been away travelling and I left my WiFi cards at home! )= So I've been trusting other people to test stuff out (as I dont have my lab)...
I don't think im going to release another update for a bit now. I wanna get home and sort it all out. (=

Could you tell me:

* Your WiFi card + driver
* Your kernel version
* Signal strength of the AP
* The time it takes to ping the AP
* The time it takes to ping google.com when connect to the fakeAP
* send me the output of: bash fakeAP_pwn.sh -V > output.txt

Card+Driver: Linksys WUSB54G v.4, rtl2570
Kernel: 2.6.34
Signal Strength: 100%
Ping AP: 7ms
Ping google: 100ms
Output: Pastebin

Extremely slow MTU is at 1800, and it really shows when its uploading the payload to the target, have yet to get a VNC connection or a shell. But we seem to be getting closer, but speed is an issue

[parrotface]

RC10 progress report
When running script as is
client connects OK - browser has internet connection - does not get our update page - enter 10.0.0.1 and update page OK
Run the download & VNC works (very slow) - meterpreter session opens.

Re-Run the script
transparent=false - payload=sbd -mtu=1800
browser now shows the update page - downloads update & it runs (very slow client would not wait this long if live)
Gets meterpreter session & shell OK

It's getting there now just the problem that the client gets the internet before the our update page and not forced to download first.
The speed problem did not seem this bad in version 2 and I am running exactley the same test lab if that gives you a clue.
many thanks

Just spotter the post by teaker "# out line 547 (iptables -t nat -A PREROUTING... --to-port 10000)"
This works sorry did not spot earlier. Now gives update page first then internet after running download - Great

[slowz3r]

RC10 progress report
When running script as is
client connects OK - browser has internet connection - does not get our update page - enter 10.0.0.1 and update page OK
Run the download & VNC works (very slow) - meterpreter session opens.

Re-Run the script
transparent=false - payload=sbd -mtu=1800
browser now shows the update page - downloads update & it runs (very slow client would not wait this long if live)
Gets meterpreter session & shell OK

It's getting there now just the problem that the client gets the internet before the our update page and not forced to download first.
The speed problem did not seem this bad in version 2 and I am running exactley the same test lab if that gives you a clue.
many thanks

How longs it take for the payload to upload and for a VNC session or a shell to spawn?

longest ive waited for it to upload backdoor.exe was around 4-5 minutes after that I exit

[vvpalin]

Awesome script

Few quick things i noticed ..

line 251, the sleep timer needs to be incresed just a tad, mine kept failing out at 5 seconds so i changed it to 10. That could be because im in a VM tho.

line 261, you might want to change to macchanger -A, as i noticed that a totally random mac would fail sometimes when boxes tried to connect


The last thing really cant be fixed here but its totally worth noting. airbase-ng has "atleast in my opnion" horrible beacons, meaning any windows 7 box can not connect to your fakeAP. It also tends to spew out a TON of beacons with a null ssid so for instance if you look in windows zeroconf "or whatever the hell they call it" youll always see a "Other Network".

I was kicking around a way to solve this last night and one of the ideas that i came up with was using a combo of aireplay-ng and packetforge-ng to grep out a beacon from a pcap "Or you could make your own " then having an option in airbase-ng to replay your custom beacon.

Anyways great script and thanks again

[g0tmi1k]

W000t! Finally got this damn thing figured out.. working on both my xp and my win7 x64 machines. The problem with the redirect is that script is telling the iptables to redirect port 80-->10000 for sslstrip, and also to redirect port 80-->10.0.0.1, which obviously wont work. So, if you want the redirect to work, just # out line 547 (iptables -t nat -A PREROUTING... --to-port 10000)

Let me know if this works for any of you guys-

You posted this as I was typing my reply... =P
Thanks for the fix!
I'll edit it for the next release (also got the self updater working too!)
and look into getting SSLStrip to work as well as dnsspoof...

This guy Wins!, successful Redirect!




Card+Driver: Linksys WUSB54G v.4, rtl2570
Kernel: 2.6.34
Signal Strength: 100%
Ping AP: 7ms
Ping google: 100ms
Output: Pastebin

Extremely slow MTU is at 1800, and it really shows when its uploading the payload to the target, have yet to get a VNC connection or a shell. But we seem to be getting closer, but speed is an issue

Glad to know it works for someone else!
Thanks for the info too! (=

RC10 progress report
When running script as is
client connects OK - browser has internet connection - does not get our update page - enter 10.0.0.1 and update page OK
Run the download & VNC works (very slow) - meterpreter session opens.

Re-Run the script
transparent=false - payload=sbd -mtu=1800
browser now shows the update page - downloads update & it runs (very slow client would not wait this long if live)
Gets meterpreter session & shell OK

It's getting there now just the problem that the client gets the internet before the our update page and not forced to download first.
The speed problem did not seem this bad in version 2 and I am running exactley the same test lab if that gives you a clue.
many thanks

Just spotter the post by teaker "# out line 547 (iptables -t nat -A PREROUTING... --to-port 10000)"
This works sorry did not spot earlier. Now gives update page first then internet after running download - Great

Glad that its now working for you!
Just gotta get the speed up for you...

Could you also tell me:
* Your WiFi card + driver
* Your kernel version
* Signal strength of the AP
* The time it takes to ping the AP
* The time it takes to ping google.com when connect to the fakeAP
* send me the output of: bash fakeAP_pwn.sh -V > output.txt

How longs it take for the payload to upload and for a VNC session or a shell to spawn?

longest ive waited for it to upload backdoor.exe was around 4-5 minutes after that I exit

It should be less than 20 seconds - and that's on a bad day!
*saying that - it depends on the signal strength*
Im not 100% sure why its so slow - but I've got a couple of ideas to try (I'll let you know!)

[parrotface]

How longs it take for the payload to upload and for a VNC session or a shell to spawn?

longest ive waited for it to upload backdoor.exe was around 4-5 minutes after that I exit

Mine takes about 2 mins not actualy timed it.

Further testing has shown another problem which I have had previously.
If I start my attack machine without eth0 connected to my network it fails because eth0 does not have a IP address.
Now before running script "ifconfig eth0 192.168.3.101 netmask 255.255.255.0 broadcast 192.168.3.255" the script now runs.
I guess this is a fairly simple fix with an if statement No IP then ifconfig etc etc.
After downloading and running the update mine took approx 90 seconds to get a meterpreter>

[parrotface]

Glad to know it works for someone else!
Thanks for the info too! (=


Glad that its now working for you!
Just gotta get the speed up for you...

Could you also tell me:
* Your WiFi card + driver
* Your kernel version
* Signal strength of the AP
* The time it takes to ping the AP
* The time it takes to ping google.com when connect to the fakeAP
* send me the output of: bash fakeAP_pwn.sh -V > output.txt

Wifi card = Atheros built into eeepc - driver ath5k
client XP SP2 HP laptop shows max signal strength
kernel version 2.6.30.9
ping 10.0.0.1 17ms, 7ms, 18ms, 3ms, average 11ms re- pings average 38ms, 28ms, 3ms
ping google.co.uk 83, 47, 50, 63 average 60ms re-ping average 81, 94, 59ms
How do I bash fakeAP_pwn.sh -V > output.txt? I ran bash fakeAP_pwn.sh -V > output.txt something happened when the script ran but can't find any file output.txt
thanks

[joker5bb]

it is running slow because of airbase-ng, its just broken