Hi g0tmi1k

Thanks for the answer.

Okay, try setting the mode to "non", as you don't want to allow an Internet connection after becoming infected.
I did try it, but the result is the same, see the output please:
[*] fakeAP_pwn v0.3 (#126)
[+] Diagnostics mode
[>] Analyzing: Environment
[!] 'wlan0' isn't a wireless interface
[i] Found: wlan1
[+] Detecting: Kernel
[+] Detecting: Hardware
[+] Testing: Network
[i] interface=eth0
[i] wifiInterface=wlan1
[i] apInterface=at0
[i] essid=Free-WiFi
[i] channel=1
[i] apType=airbase-ng
[i] mode=non
[i] payload=wkv
[i] backdoorPath=/root/backdoor.exe
[i] www=/var/www/fakeAP_pwn
[i] respond2All=true
[i] macMode=random
[i] fakeMac=00:05:7c:9a:58:3f
[i] extras=false
[i] mtuMonitor=1800
[i] mtuAP=1400
[i] diagnostics=true
[i] verbose=1
[i] debug=false
[i] gateway=
[i] ourIP=10.0.0.1
[i] port=28493
[i] wifiDriver=rtl8187
[>] Configuring: Environment
[>] Removing: Temp files
[>] Stopping: Daemons & Programs
./fakeAP_pwn.sh: line 75: 6629 Terminated $xterm -geometry 84x$lines+$x+$y -T "fakeAP_pwn v$version - $1" -e "$command"
[>] Configuring: Wireless card
[i] monitorInterface=mon0
[>] Configuring: MAC address
[i] mac=00:0a:00:70:4d:95 (Mediatek Corp.)
[>] Creating: Scripts
[>] Creating: Exploit (Windows)
[>] Creating: Access point
[>] Configuring: Network
[>] Configuring: Permissions
[>] Starting: DHCP
[>] Starting: DNS
[>] Starting: Exploit
[>] Starting: Web server
[+] Testing: Web server
[>] Monitoring: Connections
[i] Waiting for the target to run the "update" file

But the problem remains: people associate, but very quickly the MAC changes to incomplete and I can't access anyone, whether over ICMP, TCP or UDP.

Also, I see this frequently:

[>] Stopping: Daemons & Programs
./fakeAP_pwn.sh: line 75: 6629 Terminated $xterm -geometry 84x$lines+$x+$y -T "fakeAP_pwn v$version - $1" -e "$command"

Is it a well-known problem?

A lot of clients are trying to connect/probing... That might be an issue.
So, I can't be in a place where a lot of wireless networks are in use? Is there a workaround?

You're also using a VM as well as airbase-ng. Both of these have issues.
Why is a VM bad? Because of performance? What do you recommend?

See, I tried hostapd, but it failed very badly, see below please.
[*] fakeAP_pwn v0.3 (#126)
[+] Diagnostics mode
[>] Analyzing: Environment
[!] 'wlan0' isn't a wireless interface
[i] Found: wlan1
Usage: iw [options] command
Options:
--debug enable netlink debugging
--version show version
Commands:
help
event
list
phy <phyname> info
dev <devname> set channel <channel> [HT20|HT40+|HT40-]
phy <phyname> set channel <channel> [HT20|HT40+|HT40-]
dev <devname> set freq <freq> [HT20|HT40+|HT40-]
phy <phyname> set freq <freq> [HT20|HT40+|HT40-]
phy <phyname> set name <new name>
dev <devname> set meshid <meshid>
dev <devname> set monitor <flag> [...]
dev <devname> info
dev <devname> del
dev <devname> interface add <name> type <type> [mesh_id <meshid>] [flags ...]
phy <phyname> interface add <name> type <type> [mesh_id <meshid>] [flags ...]
dev <devname> station dump
dev <devname> station set <MAC address> plink_action <open|block>
dev <devname> station del <MAC address>
dev <devname> station get <MAC address>
dev <devname> mpath dump
dev <devname> mpath set <destination MAC address> next_hop <next hop MAC address>
dev <devname> mpath new <destination MAC address> next_hop <next hop MAC address>
dev <devname> mpath del <MAC address>
dev <devname> mpath get <MAC address>
reg set <ISO/IEC 3166-1 alpha2>
dev <devname> get mesh_param <param>
dev <devname> set mesh_param <param> <value>
[!] wlan1 *MIGHT* not suported by hostapd
[+] Detecting: Kernel
[+] Detecting: Hardware
[+] Testing: Network
[+] Testing: Internet connection
[i] interface=eth0
[i] wifiInterface=wlan1
[i] apInterface=wlan1
[i] essid=Free-WiFi
[i] channel=1
[i] apType=hostapd
[i] mode=transparent
[i] payload=wkv
[i] backdoorPath=/root/backdoor.exe
[i] www=/var/www/fakeAP_pwn
[i] respond2All=true
[i] macMode=random
[i] fakeMac=00:05:7c:9a:58:3f
[i] extras=false
[i] mtuMonitor=1800
[i] mtuAP=1400
[i] diagnostics=true
[i] verbose=1
[i] debug=false
[i] gateway=192.168.167.2
[i] ourIP=10.0.0.1
[i] port=37800
[i] wifiDriver=rtl8187
[>] Configuring: Environment
[>] Removing: Temp files
[>] Stopping: Daemons & Programs
./fakeAP_pwn.sh: line 75: 5619 Terminated $xterm -geometry 84x$lines+$x+$y -T "fakeAP_pwn v$version - $1" -e "$command"
[i] interface (eth0) IP=192.168.167.129
[>] Configuring: Wireless card
[!] Couldn't detect monitorInterface
[i] Quiting
./fakeAP_pwn.sh: line 75: 5656 Terminated $xterm -geometry 84x$lines+$x+$y -T "fakeAP_pwn v$version - $1" -e "$command"
[>] Restoring: Environment
[>] Restoring: Programs
[*] Done! (= Have you... g0tmi1k?

Ideas?

I'm guessing the "arp -a on windows" issue is because of airbase-ng. Not 100% sure mind you.
I can't confirm because hostapd is not working.

Is airbase-ng kind of broken? Is there a fix?

Does the target have a gateway IP? DNS?
Yes.

I don't understand what you're saying about "WPATARGET".
The fakeAP you created was called "Free-WiFi", "WPATARGET" is scanning for networks (hence it's probing). [So yes, the ESSIDs are different?]
The fakeAP you create is "Open", I have no idea if "WPATARGET" is protected.
Sorry, it's more like a general wireless hacking question, not completely related to the outputs above.

I mean, I configured the fake AP to answer all probes. I want to compromise the network called WPATARGET; my fake AP will answer when someone asks for WPATARGET (I see this in the logs).

However, the real WPATARGET has WPA protection and my fake AP is OPEN. So my question is: will the real clients (my victims) connect to my fake (OPEN) WPATARGET anyhow? Or is there no way, since the original uses encryption (WPA)?

I mean, assuming the target clients use Windows Zero Configuration and have WPATARGET saved.

Thanks a lot and congratulations on the good work.
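
The scenario in the post above (an open AP answering probes for a WPA-protected ESSID, with respond2All=true) leaves two signatures a wireless monitoring sensor can flag. The sketch below is an added example, not part of the original post or of fakeAP_pwn; the observation tuple format, the BSSIDs and the extra ESSIDs are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of frames a monitoring sensor logged:
# (bssid, essid, advertised security, frame type)
OBSERVATIONS = [
    ("02:00:00:00:00:01", "WPATARGET", "WPA", "beacon"),       # legitimate AP
    ("02:00:00:00:00:02", "CoffeeShop", "OPEN", "beacon"),     # legitimate open AP
    ("02:00:00:00:00:99", "Free-WiFi", "OPEN", "beacon"),
    ("02:00:00:00:00:99", "WPATARGET", "OPEN", "probe-resp"),
    ("02:00:00:00:00:99", "HomeNet", "OPEN", "probe-resp"),
    ("02:00:00:00:00:99", "CoffeeShop", "OPEN", "probe-resp"),
]


def security_downgrades(observations):
    """ESSIDs seen with encryption from one BSSID and open from another.

    Returns {essid: sorted BSSIDs that offer it without encryption}.
    """
    protected = defaultdict(set)
    unprotected = defaultdict(set)
    for bssid, essid, security, _frame in observations:
        bucket = unprotected if security == "OPEN" else protected
        bucket[essid].add(bssid)
    findings = {}
    for essid, good in protected.items():
        rogue = unprotected.get(essid, set()) - good
        if rogue:
            findings[essid] = sorted(rogue)
    return findings


def respond_to_all(observations, threshold=3):
    """BSSIDs answering probes for at least `threshold` distinct ESSIDs.

    A multi-SSID access point normally uses a separate BSSID per ESSID,
    so one BSSID answering for many names is a strong anomaly.
    """
    answered = defaultdict(set)
    for bssid, essid, _security, frame in observations:
        if frame == "probe-resp":
            answered[bssid].add(essid)
    return {b: sorted(e) for b, e in answered.items() if len(e) >= threshold}


if __name__ == "__main__":
    print("downgraded ESSIDs:", security_downgrades(OBSERVATIONS))
    print("respond-to-all BSSIDs:", respond_to_all(OBSERVATIONS))
```

An ESSID that is only ever seen open (CoffeeShop here) is not reported as a downgrade; it shows up only through the respond-to-all check.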