[Script] [Video] fakeAP_pwn (v0.3)

[joker5bb]

I just got back to testing and I got bind9 to do all dns lookups to us.
here is how to do it:

Code:

nano /etc/bind/named.conf.default-zones

zone "." {
type master;
file "/etc/bind/db.home.com";
};

Code:

nano /etc/bind/db.home.com

$TTL 604800
@ IN SOA ns.home.com. root.home.com. (
6444666 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS 192.168.1.1
IN A 192.168.1.1
* IN A 192.168.1.1

Code:

/etc/init.d/bind9 restart

[g0tmi1k]

Ahh ok.. damn so even if they send the WPA key it will be like capturing the handshake and doing a standard dictionary attack? No real benefit to it? Or does this capture reveal more of the key like its length or something for example?

If you have that kind of ability to have them connected to your fake ap you would think you could get the key with no fuss.

Maybe running a app to infiltrate there system is necessary after all. There WPA key is stored under network properties under the ESSID.

Thanks for the reply Ill keep looking into this..

Yes, it's just a different way to get the handshake that is needed to crack WPA/WPA2.
The advanage is some people have "issues" with deauthing the client, this way they connect to you *Just have to wait for them to do so. FakeAP + Deauth ~MAY~ work, when just Deauth doesn't.*
As far as I know - its the same info. (and there isn't a way of knowing the length until you found the key =P)

The reason why it is a "fuss", is because its all salted (Not sent in plain-text - it compare hashs instead), hence why you need the SSID (and with rainbow tables - you have to create a new table for each SSID).

You can use WirlessKeyView to create a text file with all the networks (just have to find a different way into the system run it), OR use a bigger dictionary until you crack it.

A nice little phishing attack serve it up from webserver on bt? bit like login phishing neat idea. No need for a host banning you

Keep up the good work
regards dee

The issues I believe with a phishing attack, if people are just surfing around for a WiFi, they connect, open their browser, see that they need to login, then they just move on to another network.
If they they use they just need to run a program before they can use the internet - I believe there is a greater chance that they will stay.

I'm not sure what you mean by "host banning".

well im redoing the whole thing with jquery & ajax
there will be client-side and server-side validation, output to .txt file with ip & passphrase
also we can write commands to php file to check if the passphrase is correct.
We are now talking of using 3 wifi cards.

Well done with the new web page & bind9 work
Nice new attack to try =) maybe bind9 might the DNS answer that some people need =D
Side note: 3 WiFi cards = Health issues?! :P

Well then luckily I have 3 wifi cards

=O I'm running out of USB ports...

[joker5bb]

Im testing out Coovachilli for the multiclient feature for fakeap_pwn. In vmware hostapd is too slow. I need to build a dedicated test server.

[studlymidget]

I'm getting some weird things from this script.

Whenever it fires up, my victim box (win 7) shows every wireless ap from my bt box (btr2).

When i connect to "Free Wifi" i sometimes get nothing but an "IE Cannot Display Webpage error" or a continuous search loop.

Any ideas?

id be happy to provide more information.

Best regards ,

The Midget

[pablo10590]

My setup and problem

Attacker: VMWare backtrack 4 + rtl8187l + fakeAP_pwn 0.3 115
Target: Windows 7 (no antivirus/firewall etc is my own computer)

Target can find the network find, can connect fine, gets IP etc, loads up the spoof webpage, downloads the backdoor.

However that is it? Nothing else happens.

So on the attacker it's stuck at "sending stage (xxxxx bytes) to 10.0.0.151"

On the target the program is running, checked process list, but nothing is happening? Tried leaving it running for few minutes, nada, tried hostapd but that doesn't load, tried different browsers and different wireless adaptors for the ap, no diff???

[leg3nd]

Thanks fnord0 for testing/feedback.

Hmm...
After a quick google search of, IceTransOpen, I found this.
Source: https://lists.ubuntu.com/archives/ub...ry/066789.html
Personally I wouldn't delete it, just move it somewhere safe...
ORSource: http://www.ubuntux.org/dapper-gnome-error


I've just downloaded a fresh copy from mediafire, and tested it with my Linksys WUSB54GC using BackTrack 4 R1 (In VirtualBox) and I didn't get any like that...
So the programs/commands run correctly (e.g. it works & you can see all the xterm windows?), just getting that output?

Thanks for the thanks!

Hey I have narrowed down this error a bit more and was curious if anyone had found a solution..

It makes sense that you would not have gotten the error in a BT4 R1 installation because it doesn't seem to be an issue in R1.

I tried these solutions and all it did was start giving me the same error, but now in terminator as well.. So I restored the backed up folders and I am back to square one.

Xterm throws out these errors all over the place while terminator has no problems.

So basically this seems to only be an issue with BT4 R2 installations, or maybe a fluxbox problem. (im not using KDE, maybe fnord0 is using fluxbox too?).

Regardless, it seems that full functionality is available in xterm, but these errors all over the place do make most my scripts a bit messy.

Any help or advice is appreciated.

[nitroglico]

Very nice... I will help to enhance it and post my progress here

[joker5bb]

Today I went back to bind9, and i finally made it work properly, this method below would be the solution for dns.
For me it worked really fast with hostapd, please test it out - this is not in the scipt yet

edit /etc/bind/named.conf

options {
directory "/var/cache/bind";
auth-nxdomain no;
recursion yes;
allow-recursion {any;};
allow-query {any;};
};
zone "." {
type master;
file "/etc/bind/db.root";
};

edit /etc/bind/db.root

$TTL 604800
@ IN SOA localhost. root.localhost. (
1337 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS 192.168.1.1
@ IN A 192.168.1.1
* IN A 192.168.1.1

start bind9

Code:

/etc/init.d/bind9 start

next step is squid proxy - insert our own javascript in to web pages

*if hostapd does not work for you, make sure you are using mac80211-based drivers and check if it has AP mode support for your wireless card
check with "iw list"

Possible fixes:
-If it hostapd does not work correctly upgrade to latest drivers
-using fragmentation patch on mac80211 breaks hostapd
-try out the dev version of hostapd

[Jaylong]

after updating to v #112 the script gave me an error:

Code:

[>] Analyzing: Environment
fakeAP_pwn.sh: line 531: wlan0: command not found
[!] Internet access: Failed.
[i] Switching mode: non

changed line 531 to:

Code:

if  [ ! "$command" ]  ; then

don't know if i messed it up, but it's working again. using gprs-modem via usb (wvdial) at ppp0.

can you tell me how can it work again,my problemi is it stuck Analyzing: Environment or Internet access: Failed

[Jaylong]

i get new version from this site #127,yesterday it worked well ,it is amazing ...but today i use it again but

Code:

[>] Analyzing: Environment # here is stuck long time then 
[!] Internet access: Failed
[i] Switching mode: non
[>] Configuring: Environment

i have no idea about this ,yesterday it worked ,