[Script] [Video] fakeAP_pwn (v0.3)

[parrotface]

Hi
Just updated to #115, config = hostapd & transparent mode.
First results of a quick test only:
Client 1 XP sp2 no AV. Gives client internet access instantly, enter 10.0.0.1 in browser and you get download page and also get meterpreter session no problem.
Client 2 Vista with AVG running. No internet access, Downloads OK, Won't run the download, avg picks it up and I told it to ignore, still won't run, AV doing it's job?.
All my previous connection problems have been solved using hostapd, Great script just wish the dns forwarding would work - it did work at about cerca #20.
Still great script Thanks for all the hard work and many many hours spent.

[Scamentology]

Respond2all works perfectly - smart phones seem to be the quickest to connect to the fakeAP.

sslstrip is reporting not installed when it is - I changed /pentest/spoofing/sslstrip/sslstrip.py to /pentest/spoofing/sslstrip/CookieCleaner.py (or whatever file does exist in the sslstrip folder) (sslstrip.py - doesnt seem to be in that folder on my build. perhaps its not configured properly. but it does function when i use it independently.

Ive been changing switching mode - mode="non" to mode="normal" in 4 different places but this just introduces bugs everywhere.
is there a way to make this force "normal" mode without being connected to the internet? I would like the test comp to connect to the AP without the the DNS redirecting to the exploit and without giving them internet. I would hate to have my "subject" mysteriously get internet when hes not connected to anything (in his mind anyway) like when hes driving or working in public with no wifi connection. it keeps switching mode to "non". If hes not on the internet then odds are he wont open explorer. so this mode seems redundant. I will post my solution if i find one but adding another "mode" shouldn't be too hard (just time consuming).

TL;DR: - sslstrip is installed but script says it isn't, also, would like to get connection without internet (on my end) and no DNS redirect to exploit page.

This script when done will force router manufacturers to innovate. I like that.

[joker5bb]

just wanted to let you guys know that I am currently working on getting multiclient support working

[parrotface]

Hi
I realise you are working hard on upgrades and that multi client is one of them. I think it is my fault for not making myself clear. I was not trying to run multi client, I just tried two different boxes to test the results (restarted script between tests). My problem is that the XP box gave me internet connection as soon as I connected and I could only get the download page by entering 10.0.0.1 in the firefox browser. I have tried again today with same results.
Thanks again

[joker5bb]

well remember you can use wireshark and perform a dump of the network activity, this way I could pinpoint the problem.
and I have another way we can setup to do redirection; squid proxy could be the best one

*edit*
i tracked down the problem of giving interent back, It has to do with dns...
working on an optimal way of switching dns enteries, this could be done in many ways

[aeksiler]

Hi everyone, this is my first post here.

Using BT4 on Windows 7 host. My modem is AWUS036H and your latest script (#115) works perfectly.

I tried the normal mode, user can access the internet but its very very slow. Is there any suggested configuration to speed up guest internet speed?

Also, since I am very new to this, is there any tutorials or guides for logging guest data or extraction of passwords while using fakeAP?

I have seen a video where ettercap and sslstrip was used to get gmail password. Can we do this usign fakeAP?

[g0tmi1k]

Hi
Just updated to #115, config = hostapd & transparent mode.
First results of a quick test only:
Client 1 XP sp2 no AV. Gives client internet access instantly, enter 10.0.0.1 in browser and you get download page and also get meterpreter session no problem.
Client 2 Vista with AVG running. No internet access, Downloads OK, Won't run the download, avg picks it up and I told it to ignore, still won't run, AV doing it's job?.
All my previous connection problems have been solved using hostapd, Great script just wish the dns forwarding would work - it did work at about cerca #20.
Still great script Thanks for all the hard work and many many hours spent.

Thanks for trying and reporting back! (= Just a few things
* Did you re-run the script before trying it on "Client 2"?
* Yes its the AV doing its thing. If you read the "help" bit of the thread/blog - it says that it doesn't bypass AV. HOWEVER....You can mod the code to ~try~ and bypass it. With #115 its line 1387 (just uncomment it)
* When you say "No internet access" - is it forwarding to the page? or is NOTHING happening
* So client 2 is working *if it didn't have av*, and client 1 works...just doesn't re-direct?

Respond2all works perfectly - smart phones seem to be the quickest to connect to the fakeAP.

sslstrip is reporting not installed when it is - I changed /pentest/spoofing/sslstrip/sslstrip.py to /pentest/spoofing/sslstrip/CookieCleaner.py (or whatever file does exist in the sslstrip folder) (sslstrip.py - doesnt seem to be in that folder on my build. perhaps its not configured properly. but it does function when i use it independently.

Ive been changing switching mode - mode="non" to mode="normal" in 4 different places but this just introduces bugs everywhere.
is there a way to make this force "normal" mode without being connected to the internet? I would like the test comp to connect to the AP without the the DNS redirecting to the exploit and without giving them internet. I would hate to have my "subject" mysteriously get internet when hes not connected to anything (in his mind anyway) like when hes driving or working in public with no wifi connection. it keeps switching mode to "non". If hes not on the internet then odds are he wont open explorer. so this mode seems redundant. I will post my solution if i find one but adding another "mode" shouldn't be too hard (just time consuming).

TL;DR: - sslstrip is installed but script says it isn't, also, would like to get connection without internet (on my end) and no DNS redirect to exploit page.

This script when done will force router manufacturers to innovate. I like that.

Thanks for the feedback. (=
Yes, SSLStrip is missing for me too - Ill change it in my next update (thanks for pointing this out)
To change modes, you should only edit the bit in the "Defaults" (In #115 its line 39)
I'm not 100% sure that I understand you...
* Normal mode - is designed to "bridge" your internet connection (like 'WiFi Tethering'). Its not meant to force users to go to any site - just like a "normal" connection.
Therefore you HAVE to have a internet connection for "normal" mode.
* Non - your force to a site, once you become infected, your not given internet access. Everything 404'ed

I don't get your last bit.

just wanted to let you guys know that I am currently working on getting multiclient support working

Thanks for the update & work Joker, sorry Ive been busy with personal and other scripts. (=

Hi
I realise you are working hard on upgrades and that multi client is one of them. I think it is my fault for not making myself clear. I was not trying to run multi client, I just tried two different boxes to test the results (restarted script between tests). My problem is that the XP box gave me internet connection as soon as I connected and I could only get the download page by entering 10.0.0.1 in the firefox browser. I have tried again today with same results.
Thanks again

Im planning on sorting out this "DNS" problem (which has been happening for a while now) before I look into v0.4. The issue is that it doesn't happen for me in my lab - so its kinda hard for me to fix something that isnt broken...
Would you be able to post the output of "-d" and screenshots from the attacker and details of the client(s) (Hardware, network & setup)

well remember you can use wireshark and perform a dump of the network activity, this way I could pinpoint the problem.
and I have another way we can setup to do redirection; squid proxy could be the best one

*edit*
i tracked down the problem of giving interent back, It has to do with dns...
working on an optimal way of switching dns enteries, this could be done in many ways

@parrotface, would you be able to share the .cap file from wireshark too?

Ill have a play with squid myself, see what I come up with when I get the time to.
That might work better than the current method - as squid is needed for another part of the script (and would make the ipTables simpler).
Saying that, im getting better results using dnsmasq over dnssppof!

[parrotface]

Hi
Inconsistent results
Not had much time but just tried version 115 again and got same results as reported in #71
Just downloaded version 120. Client very slow to connect and No IP issued. Third attempt connected, got IP, download OK got meterpreter session, NO internet not even using google’s IP address, can ping my router.
Re-tested version 115, every thing worked OK, including full internet after running download, also got meterpreter session.
What's going on?
Re-booted BT4 and run version 115 same results in #71, does this mean that version 120 set-up something and left the environment set for 115.
What is the correct way to restart after a successful meterpreter session because the script has already stopped and Ctrl+C won't work? Do we need run the script again and stop it early to restore the environment? So I guess between the two versions lays the answer to the problems.
Many Thanks

[g0tmi1k]

Hi everyone, this is my first post here.

Using BT4 on Windows 7 host. My modem is AWUS036H and your latest script (#115) works perfectly.

I tried the normal mode, user can access the internet but its very very slow. Is there any suggested configuration to speed up guest internet speed?

Also, since I am very new to this, is there any tutorials or guides for logging guest data or extraction of passwords while using fakeAP?

I have seen a video where ettercap and sslstrip was used to get gmail password. Can we do this usign fakeAP?

Im guessing your using airbase-ng? Hostapd is alot quicker.
It works better for me also if I don't have it in a VM.

Enable "Extras" for logging programs or you can also use your own, just have to use the interface "at0" (if your use airbase-ng), or the same as $wifiInterface (if your using hostapd)

Hi
Inconsistent results
Not had much time but just tried version 115 again and got same results as reported in #71
Just downloaded version 120. Client very slow to connect and No IP issued. Third attempt connected, got IP, download OK got meterpreter session, NO internet not even using google’s IP address, can ping my router.
Re-tested version 115, every thing worked OK, including full internet after running download, also got meterpreter session.
What's going on?
Re-booted BT4 and run version 115 same results in #71, does this mean that version 120 set-up something and left the environment set for 115.
What is the correct way to restart after a successful meterpreter session because the script has already stopped and Ctrl+C won't work? Do we need run the script again and stop it early to restore the environment? So I guess between the two versions lays the answer to the problems.
Many Thanks

Whats going on is... #116-120 = test build (NOT STABLE).
I was using it to sync a few things between machines, its not meant for public use (I usually post a reply when there is a "stable" build out).
Im still testing stuff out atm - trying to find a "fix" for this on going DNS issuse.

Inconsistent results = an issue with airbase-ng (I believe). I've found hostapd is alot quicker & stable.
Also, I find my "real" install of backtrack gives better results over my VM.

I'm not sure what you mean by "restart". Restarting the script? Backtrack? The targets PC?
At the mo, its designed for one client, one time infection. I'm trying to sort out all the bugs before making it more "complex" than what it is already is.

I have another way we can setup to do redirection; squid proxy could be the best one

*edit*
i tracked down the problem of giving interent back, It has to do with dns...
working on an optimal way of switching dns enteries, this could be done in many ways

I had a mess about with using squid to control the traffic, but I couldn't get it to work (well).
* I somehow managed to get it to work via using some perl scripts - though it did slow down the internet connection ALOT.
* Using yet some more 3rd party addons/software it work quicker - however it wasn't "easy" to install/setup.
* I found using squid to block all the pages did work... but then I couldn't edit squids "block file/page" to match our needs.

As I see it... To direct traffic:
> IPtables
> DNS (dnsspoof, dnsmasq, ettercap, metasploit)
> Proxy (Squid)

[parrotface]

Inconsistent results = an issue with airbase-ng (I believe). I've found hostapd is alot quicker & stable.
Also, I find my "real" install of backtrack gives better results over my VM.

I'm not sure what you mean by "restart". Restarting the script? Backtrack? The targets PC?
At the mo, its designed for one client, one time infection. I'm trying to sort out all the bugs before making it more "complex" than what it is already is.

running hostapd
real install not VM
restart is that I stop the script and start it again
I relise you are still working hard on the script. I am not tring to run multi client, I am trying it with two different clients (XP sp2 and a Vista box) after restarting the script each time before trying a different client.
I found running #120 stopping the script, then starting #115 the dns worked, but if I re-booted BT4-r1 and run #115 there are problems.
I posted my findings just in case it helped you.
Good work, Many thanks