So I am trying to start a spoofed AP using airbase-ng and dhcpd3. So I can start airbase just fine, but I hit a roadblock when I try to get an IP. I can run dhcp. Everything works fine and dandy UNTIL I try to connect to an outside source (like google.com). I can assign IPs just fine, but after that it just doesn't want to work.
So this is the script I wrote to set up dhcp and bridge my adapters
Code:
#! /bin/bash
ifconfig at0 up
ifconfig eth0 up
ifconfig at0 192.168.2.1 netmask 255.255.255.0
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1
#This command moves a conf file from my usb drive into dhcp3. This makes it easier to edit the files on the go.
cp evil.conf /etc/dhcp3/evil.conf
#this is necessary to unlock the dhcpd directory.
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
dhcpd3 -cf /etc/dhcp3/evil.conf -pf /var/run/dhcpd/dhcpd.pid at0
#I tried using iptables to bridge my interfaces but it ended up in more headaches. I left it in just in case I ever revisit the idea
#iptables --flush
#iptables --table nat --flush
#iptables --delete-chain
#iptables --table nat --delete-chain
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
#iptables --append FORWARD --in-interface at0 -j ACCEPT
#iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1
#So this bridges my interfaces
brctl addbr mitm
brctl addif mitm eth0
brctl addif mitm at0
ifconfig mitm up

Next I use this to destroy all my settings so I can get internet again (once I run that script I lose the internet until I run this script)
Code:
#! /bin/bash
ifconfig eth0 0.0.0.0 down
#Just in case
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 0 > /proc/sys/net/ipv4/ip_forward
#Kills dhcp3
kill `cat /var/run/dhcpd/dhcpd.pid`
ifconfig mitm down
brctl delbr mitm
airmon-ng stop mon0
airmon-ng stop wlan0
ifconfig eth0 down
ifconfig wlan0 down
ifconfig eth0 up
ifconfig wlan0 up
ifdown eth0
ifup eth0

So this is the evil.conf file that is referenced a lot in this code.
Code:
ddns-update-style interim;
#Turning this on stops others from getting an IP
#ignore client-updates;
default-lease-time 60000;
max-lease-time 72000;
authoritative;
subnet 192.168.2.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.1;
    option ip-forwarding on;
    option domain-name-servers 8.8.8.8;
    range 192.168.2.2 192.168.2.254;
}

So here is the network layout.
https://docs.google.com/drawings/pub...Us&w=960&h=720

Some extra diag info for you:
ipconfig (during soft AP attack)
Code:
at0       Link encap:Ethernet  HWaddr 00:c0:ca:51:91:4c
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::2c0:caff:fe51:914c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:370 (370.0 B)

eth0      Link encap:Ethernet  HWaddr 00:14:22:34:d9:ba
          inet addr:192.168.1.8  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::214:22ff:fe34:d9ba/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:120832 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60065 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:145104195 (145.1 MB)  TX bytes:5357983 (5.3 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:564 errors:0 dropped:0 overruns:0 frame:0
          TX packets:564 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:43695 (43.6 KB)  TX bytes:43695 (43.6 KB)

mitm      Link encap:Ethernet  HWaddr 00:14:22:34:d9:ba
          inet6 addr: fe80::214:22ff:fe34:d9ba/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:234 (234.0 B)

mon0      Link encap:UNSPEC  HWaddr 00-C0-CA-51-91-4C-33-34-00-00-00-00-00-00-00-00
          UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI  MTU:1800  Metric:1
          RX packets:377 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:62753 (62.7 KB)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:1b:77:65:a9:8c
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:7130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5674 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6616442 (6.6 MB)  TX bytes:990443 (990.4 KB)

What dhcp3 says:
Code:
Internet Systems Consortium DHCP Server V3.1.3
Copyright 2004-2009 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Wrote 2 leases to leases file.
Listening on LPF/at0/00:c0:ca:51:91:4c/192.168.2/24
Sending on   LPF/at0/00:c0:ca:51:91:4c/192.168.2/24
Sending on   Socket/fallback/fallback-net

I have also researched the topic and there haven't been any fixes people have submitted that I haven't already tried and failed or were beyond the scope of my attack.
Also some things of note. When I switched ddns-update-style to either ad-hoc or none it will not give out an IP address.