[Script] [Video] fakeAP_pwn (v0.3)

[Scamentology]

line 853 in (124) or line 858 in (115)

Code:

   command=$(iwlist $interface scan 2>/dev/null | grep "essid:")

The output of "iwlist wlan0 scan" gives me the following.

Code:

 
/snip
                    Frequency:2.462 GHz (Channel 11)
                    Quality=37/70  Signal level=-73 dBm
                    Encryption key:on
                    ESSID:"?????"
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              12 Mb/s; 24 Mb/s; 36 Mb/s
                    Bit Rates:9 Mb/s; 18 Mb/s; 48 Mb/s; 54 Mb/s
                    Mode:Master
/snip

When I capitalize "essid" in line 853 it doesn't go into a long loop looking for a network.

It only did this while using 2 wireless cards.

Still getting error code 3 when I enable "extras" (regardless of the configuration) Still investigating what this means.

[g0tmi1k]

running hostapd
real install not VM
restart is that I stop the script and start it again
I relise you are still working hard on the script. I am not tring to run multi client, I am trying it with two different clients (XP sp2 and a Vista box) after restarting the script each time before trying a different client.
I found running #120 stopping the script, then starting #115 the dns worked, but if I re-booted BT4-r1 and run #115 there are problems.
I posted my findings just in case it helped you.
Good work, Many thanks

In that case... Whats your hardware/drivers? Or its something causing interference (either virtual or physical).

The script isn't designed for "restarting" - and I'm not sure if it ever will be designed to (as I didn't plan for it to do it)
The idea is a "one time" thing (hence the reason why it didn't have "auto start when the PC is turn on").

Please do post any results you find/make, as it will help (one way or another)

line 853 in (124) or line 858 in (115)

Code:

 command=$(iwlist $interface scan 2>/dev/null | grep "essid:")

The output of "iwlist wlan0 scan" gives me the following.

Code:

/snip
Frequency:2.462 GHz (Channel 11)
Quality=37/70 Signal level=-73 dBm
Encryption key:on
 ESSID:"?????"
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
12 Mb/s; 24 Mb/s; 36 Mb/s
Bit Rates:9 Mb/s; 18 Mb/s; 48 Mb/s; 54 Mb/s
Mode:Master
/snip

When I capitalize "essid" in line 853 it doesn't go into a long loop looking for a network.

It only did this while using 2 wireless cards.

Still getting error code 3 when I enable "extras" (regardless of the configuration) Still investigating what this means.

#116-124 was me trying to sync up version - they are not "stable" (I usually post when they are out). Ive still got one "big" update to release which is the result of it all - just need to test/fix a few things first.

Thanks for the heads up tho on iwlist - Ill look into it Ill see if its any quicker for me.
For the record, which WiFi cards are you using?

"action error Code 3" is when parameter "5" (aka Hold) isn't set correct. Simple answer, its a coding bug *ma bad!*
Thanks for pointing it out - Ill also look into it!

[Scamentology]

Thanks for the heads up tho on iwlist - Ill look into it Ill see if its any quicker for me.
For the record, which WiFi cards are you using?

"action error Code 3" is when parameter "5" (aka Hold) isn't set correct. Simple answer, its a coding bug *ma bad!*
Thanks for pointing it out - Ill also look into it!

I'm using:
AlfaAWUSO36H and the on-board ath9k on my Sony VAIO

I'm currently looking to purchase a card that's supported by Hostapd (edit: LOL ath9k supports it)
Any suggestions? I will continue to post results.

[putupeo]

Hi, I´m developing a tool to extract all wifi passwords stored in target side and send them to your ftp account to see the victim/s wifi passwords.

I discovered your tool fakeap_pwn a few days ago and i decided to develope this tool for people which are interested into extract wifi passwords and not take a reverse shell or vnc control over the target machine.

With this tool the attacker can see the passwords of the victim (Wep & Wpa)

The victim must download and execute the .exe file allocated in our apache server when done the .exe file export allwifi passwords stored and sent them by ftp to our ftp server running in BackTrack
**********************************************
I think fakeap needs this improvements:


1- Add deauth attack to broadcast MAC´s associated to a real AP ex: "linksys"
at the same time we create a fakeAP with the same SSID "linksys" victim AP "linksys" has WPA encryption enabled so when he gets deauthenticated from his real AP will try show active AP´s enabled and will see another AP with the same SSID "linksys" so...

Victim detect another AP with the same SSID and needs to be online cause we are sending deauth attack to broadcast from his router MAC so he will try to connect to our fakeAP and you know all the rest... xD

2- Add different index.php files using a youtube index file or microsoft index will give to the fake index a greater degree of credibility

3- Even better than deauth to broadcast is add to fakeap a flood option and cause a massive reboot/freeze of all APs so if all APs are rebooting excepting our fake AP, victims of all APs will be offline and they will have only one AP to connect, our fake AP and Wep & Wpa passwords will come to us xD
**********************************************
My tool is not finished im noob in soft developing so forgive me
I´m developing it in Visual Basic 2010
Now my tool export passwords and send them to our FTP server

Im testing it over my fake AP

When it´s finished i can send it to you and you can include it in the next fakeap_pwn release

I would be happy if you did

I wait for an answer
Regards

[g0tmi1k]

fakeAP_pwn v0.3 #125
Download: [OUT-OF-DATE]
Added: IP info
Added: Logging of IPTables
Added: Port check & Kill apps
Changed: "DHCP Server" (Using dhcpd3 again)
Changed: "Temp" output folder
Fixed: Display bug (when gateway was wrong)
Fixed: Hostapd detecting bug
Fixed: Install "apps" bug
Fixed: IPTables - "Clear" bug
Fixed: IPTables - "Force" bug
Fixed: www/ folder copy bug
Updated: "Help" screen (Removed unused commands)
Updated: Internal working (Bug fixes, Renamed values, Uses less output windows, etc)
Updated: Metasploit script
Updated: Ping tests
Updated: Screen outputs

It's worth re-downloading the tar.gz instead of using "-u".

[RexBudman]

Hello g0tm1lk, thankyou for the update to the script.

I am having an issue in running the script. I have all the packages installed as per the BT4R1 package. However according to the script, these modules are not installed. However, dsniff installs correctly, assuming it is updated, but when it came to sslstrip even though it is installed, it still prompted me to install and i got an error as the instalation failed.
[*] fakeAP_pwn v0.3 (#125)
[>] Analyzing: Environment
[!] sslstrip isn't installed
[~] Would you like to try and install it? [Y/n]: y
[!] action. Error code: 1
[!] Failed to install sslstrip
[i] Quiting
[>] Restoring: Environment[*] Done! (= Have you... g0tmi1k?

Also, when changing the "extras" value to "false" it wont detect an access point at all...

LOG: http://pastebin.com/LFfHXbs0

[Scamentology]

Hello g0tm1lk, thankyou for the update to the script.

I am having an issue in running the script. I have all the packages installed as per the BT4R1 package. However according to the script, these modules are not installed. However, dsniff installs correctly, assuming it is updated, but when it came to sslstrip even though it is installed, it still prompted me to install and i got an error as the instalation failed.
[*] fakeAP_pwn v0.3 (#125)
[>] Analyzing: Environment
[!] sslstrip isn't installed
[~] Would you like to try and install it? [Y/n]: y
[!] action. Error code: 1
[!] Failed to install sslstrip
[i] Quiting
[>] Restoring: Environment[*] Done! (= Have you... g0tmi1k?

Also, when changing the "extras" value to "false" it wont detect an access point at all...

LOG: http://pastebin.com/LFfHXbs0

I had the same issue. just change the file it points to (line 715 of v125) there is no sslstrip.py int that directory so it assumes its not installed.

For the other problem capitalize "essid" in line 819. and again in line 344.

I hope that's helpful.

IT WORKS!!! Fantastic stuff gotm1lk

[RexBudman]

Hey thanks for that response and yes It worked once i implimented your fix.

New error - http://pastebin.com/ME58TUYX

http://pastebin.com/dS6KV8p2


I hope I am not being a pain in the arse, I just want to post the bugs.

Once the program reaches this point, regardless of detecting fakeAP, it does not appear when probed by seperate machine.

[Scamentology]

Yeah I'm getting that too. He mentions what error code 3 is earlier in the thread.

Hey thanks for that response and yes It worked once i implimented your fix.

New error - http://pastebin.com/ME58TUYX

http://pastebin.com/dS6KV8p2

Any reason I might be getting this output from msfconsole while running your script (even in normal mode). It isn't making the fakeap.rb script in the tmp folder in this mode (which is brilliant I might add) so I have no idea yet. any ideas? I love exploring stuff.

RbReadline Error: SignalException SIGTERM /o pt/metasploit3/msf3/lib/rbreadline.rb:4435:in `read'/opt/metasploit3/msf3/lib/rb readline.rb:4435:in `rl_getc'/opt/metasploit3/msf3/lib/rbreadline.rb:4484:in `se nd'/opt/metasploit3/msf3/lib/rbreadline.rb:4484:in `rl_read_key'/opt/metasploit3 /msf3/lib/rbreadline.rb:4659:in `readline_internal_charloop'/opt/metasploit3/msf 3/lib/rbreadline.rb:4755:in `readline_internal'/opt/metasploit3/msf3/lib/rbreadl ine.rb:4777:in `readline'/opt/metasploit3/msf3/lib/readline_compatible.rb:72:in `readline'/opt/metasploit3/msf3/lib/rex/ui/text/input/readline.rb:90:in `pgets'/ opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:127:in `run'./msfconsole:117

EDIT: Nevermind - I figured it out

[g0tmi1k]

I'm using:
AlfaAWUSO36H and the on-board ath9k on my Sony VAIO

I'm currently looking to purchase a card that's supported by Hostapd (edit: LOL ath9k supports it)
Any suggestions? I will continue to post results.

My Linksys WUSB54G (rt73usb) works great with hostapd!
Whereas
Alfa AWUS036H (rtl8187) --- Doesn't work
Intel Link 5100 (iwlagn) --- Doesn't work

Hi, I´m developing a tool to extract all wifi passwords stored in target side and send them to your ftp account to see the victim/s wifi passwords.

I discovered your tool fakeap_pwn a few days ago and i decided to develope this tool for people which are interested into extract wifi passwords and not take a reverse shell or vnc control over the target machine.

With this tool the attacker can see the passwords of the victim (Wep & Wpa)

The victim must download and execute the .exe file allocated in our apache server when done the .exe file export allwifi passwords stored and sent them by ftp to our ftp server running in BackTrack
**********************************************
I think fakeap needs this improvements:


1- Add deauth attack to broadcast MAC´s associated to a real AP ex: "linksys"
at the same time we create a fakeAP with the same SSID "linksys" victim AP "linksys" has WPA encryption enabled so when he gets deauthenticated from his real AP will try show active AP´s enabled and will see another AP with the same SSID "linksys" so...

Victim detect another AP with the same SSID and needs to be online cause we are sending deauth attack to broadcast from his router MAC so he will try to connect to our fakeAP and you know all the rest... xD

2- Add different index.php files using a youtube index file or microsoft index will give to the fake index a greater degree of credibility

3- Even better than deauth to broadcast is add to fakeap a flood option and cause a massive reboot/freeze of all APs so if all APs are rebooting excepting our fake AP, victims of all APs will be offline and they will have only one AP to connect, our fake AP and Wep & Wpa passwords will come to us xD
**********************************************
My tool is not finished im noob in soft developing so forgive me
I´m developing it in Visual Basic 2010
Now my tool export passwords and send them to our FTP server

Im testing it over my fake AP

When it´s finished i can send it to you and you can include it in the next fakeap_pwn release

I would be happy if you did

I wait for an answer
Regards

I've sent you a reply via email about this. (=
Short reply:
> Yes, fakeAP_pwn needs ALOT of improvements.
> The idea of cloning is already planned.
> There is now a new index.php that looks better.

Hello g0tm1lk, thankyou for the update to the script.

I am having an issue in running the script. I have all the packages installed as per the BT4R1 package. However according to the script, these modules are not installed. However, dsniff installs correctly, assuming it is updated, but when it came to sslstrip even though it is installed, it still prompted me to install and i got an error as the instalation failed.[*] fakeAP_pwn v0.3 (#125)
[>] Analyzing: Environment
[!] sslstrip isn't installed
[~] Would you like to try and install it? [Y/n]: y
[!] action. Error code: 1
[!] Failed to install sslstrip
[i] Quiting
[>] Restoring: Environment[*] Done! (= Have you... g0tmi1k?

Also, when changing the "extras" value to "false" it wont detect an access point at all...

LOG: http://pastebin.com/LFfHXbs0

Thanks for telling me about this on IRC. Fixed in 126. (=

I had the same issue. just change the file it points to (line 715 of v125) there is no sslstrip.py int that directory so it assumes its not installed.

For the other problem capitalize "essid" in line 819. and again in line 344.

I hope that's helpful.

IT WORKS!!! Fantastic stuff gotm1lk

Thanks for the tip & thanks

Hey thanks for that response and yes It worked once i implimented your fix.

New error - http://pastebin.com/ME58TUYX

http://pastebin.com/dS6KV8p2


I hope I am not being a pain in the arse, I just want to post the bugs.

Once the program reaches this point, regardless of detecting fakeAP, it does not appear when probed by seperate machine.

Fixed in 126. (=
Your not a pain, far from it

Yeah I'm getting that too. He mentions what error code 3 is earlier in the thread.

Any reason I might be getting this output from msfconsole while running your script (even in normal mode). It isn't making the fakeap.rb script in the tmp folder in this mode (which is brilliant I might add) so I have no idea yet. any ideas? I love exploring stuff.

RbReadline Error: SignalException SIGTERM /o pt/metasploit3/msf3/lib/rbreadline.rb:4435:in `read'/opt/metasploit3/msf3/lib/rb readline.rb:4435:in `rl_getc'/opt/metasploit3/msf3/lib/rbreadline.rb:4484:in `se nd'/opt/metasploit3/msf3/lib/rbreadline.rb:4484:in `rl_read_key'/opt/metasploit3 /msf3/lib/rbreadline.rb:4659:in `readline_internal_charloop'/opt/metasploit3/msf 3/lib/rbreadline.rb:4755:in `readline_internal'/opt/metasploit3/msf3/lib/rbreadl ine.rb:4777:in `readline'/opt/metasploit3/msf3/lib/readline_compatible.rb:72:in `readline'/opt/metasploit3/msf3/lib/rex/ui/text/input/readline.rb:90:in `pgets'/ opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:127:in `run'./msfconsole:117

EDIT: Nevermind - I figured it out

How did you fix it?



Thanks guys for reporting/testing.
Using the log feature helps alot (and giving the fixes helps even more )

fakeAP_pwn v0.3 #126
Fixed: ESSID bug
Fixed: Route bug
Fixed: SSLStrip bug
Removed: "Extras" --- Needs more testing, will be added back in later
http://code.google.com/p/fakeap-pwn/source/detail?r=126
http://www.mediafire.com/?8t88l8il0gedh8g