Soft AP / Phishing Script [Release]

[lokitround1]

@VulpiArgenti

It worked with a random address, thank you for the help! i don't know how i can get around this but ill try and think of something.

Working on the Terminal Re-sizer. it asks you for your resolution before running the script, and if you only have 1 terminal open it takes up the entire scree, 2 terminals half, etc.

Trying to make it so you can switch between work spaces, which currently is not working ( Bad if you have 4+ Consoles open)

[VulpiArgenti]

Terminal re-sizing would be a nice addition to the script - looking forward to seeing it.

[longjidin]

i am gonna to try it too bro!!........let me know

[BorisTheBlade]

I'm not intending to upgrade my main rig, so I can't comment yet. I'll have a play with R3 in a VM and get back to you in a few days. Do you think this is a specific problem with the script, or a general problem with dhcp3-server ie does dhcp work when you run it manually?

There problem IMO is the DHCP, If it isnt setup properly the script wont work.
I also had to change the standard settings...Things like the router which you set to 192.168.0.1, I had to make it 192.168.1.1 and obviously change the subnet etc.
I finally managed to get your script to work.
Its pretty good actually allthough Option 4 doesnt seem to work on Iphone 4.
Keep up the good work VulpiArgenti

[VulpiArgenti]

UPDATE

• Added new Java 0day (CVE-2013-0422)
• Added browser_autopwn
• Finally fixed the nameserver/dhcpd.conf issues! Should now work whatever the contents of resolv.conf. See from line 707 in the script if you are interested in the parsing.
• More error checking
• Fully working on BT5R3

[PS No changes to the html: existing users need only download the script, not the entire tar bundle.]

[sud0jud0]

sorry for doublepost please delete this

Hey VulpiArgenti,

your script works great. I finally came to a point where i nearly understand it to the bone. What i dont get is the iptables configuration. While the option 4 with dns-spoof is working like a charm redirecting to the portal i created, the configuration of a captive portal (advanced options) via iptables is not working. The victim can connect via 192.168.0.1 but for example google.com is not redirected to 192.168.0.1. My question is if if this option is working for you or is it still under construction? You got a hint for me? Iptables would be great to learn also for firewalling. And what is the sense of the option "stop dns-spoof" here is hasnt startet at all.

cheers
sud0jud0

[sud0jud0]

Oii Vulpi,
I really like your script and it works good even though sometimes I wish it would be more GUI-like to the point where i can at first enter all the attack vektors and parameters and then simply hit launch to start it off. I read it through mostly, and now i am at a point where i understand most of it. I tested option 4 for example, works smoothly with dns-spoof! But when I want to grant internet access after credentials have been entered it fails to redirect the victims to 192.168.1.1 where the hotspot is (advanced options, then option a) ). Now my question: Does this part of the script work for you? (i tested also another iptable-configuration from an alternative blog). The IPtables do not work for me. Is there an option to dnsspoof only unknown macs or something like that? any suggestions?

regards

sud0jud0

[VulpiArgenti]

I read it through mostly

Thanks for making the effort to do this. Let me know if you come up with any improvements in the code.

Does this part of the script work for you?

All parts of the script work for me

fails to redirect the victims to 192.168.1.1 where the hotspot is (advanced options, then option a)

There are a lot of moving parts here so you will need to troubleshoot the whole sequence. Try to narrow down the point of failure and get back to me.
The iptables filter by MAC, so will obviously fail if the php does not obtain a valid MAC.
The relevant php is:

PHP Code:

} else { 
    // Attempt to get the client's mac address
    $mac = shell_exec("$arp -a ".$_SERVER['REMOTE_ADDR']);
    preg_match('/..:..:..:..:..:../',$mac , $matches);
    @$mac = $matches[0]; 


You could add in something like "echo $mac" to check this php is working.

You can look at the iptables by:

Code:

iptables -L -t nat

which for me gives:

Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            MAC YO:UR:MA:C:: 
(snip)

[charonsecurity]

Hi!
I love the idea of your script, and look forward to using it. I have run into a wall and hope I can get your help in solving my issue. Basically my problem is I can not get a fake AP to go up. I believe it has to do with the "at0" portions of code. Forgive me for lacking knowledge in this area. After running the script with no luck I took a look at the code and its seems the issue arises once I get to the part, "ifconfig at0 up $ap_ip netmask $ap_sm" around line 645, "I've made some comments to remind me where in the code so the line #'s might not match up)

So in a separate terminal, I ran the code "ifconfig at0 up" where I get an error, "at0: ERROR while getting interface flags: No such device".. This is where I am assuming why I am not getting an Fake AP's from going up. If I run ifconfig, the interfaces I do have listed are eth0, wlan0, lo. So with that in mind I tried changing you're code to supplement all at0 with eth0, and again with wlan0 and mon0.. and still no luck. The script still runs well, however I notice once it starts airbase, I will see it try to set up again on at0. I'm not sure where airbase is getting that from as I have commented out all references to "at0" in trying to troubleshoot this. (Perhaps default for airbase?) So now I'm at a loss.

I would love to help contribute anyway I can, and look forward to you're response!
Thank you,
--Charon

*Edit
I was able to get a Fake AP up by doing the following;
First I put my wlan0 into monitor mode: ifconfig start wlan0
And then I used this command: airbase-ng -e "CharonTESTap" -c 9 mon0
And got this output:
00:17:45 Created tap interface at0
00:17:45 Trying to set MTU on at0 to 1500
00:17:45 Trying to set MTU on mon0 to 1800
00:17:45 Access Point with BSSID 88:53:2E:87:4F:AB started.
..
After checking my my phone sure enough the Fake Ap is now there, but I can not get it to happen with the script. I hope this additional info is useful.

Edit 2*
So I felt bad giving such lofty info on my issue and spent most of the night researching and reading up. The I came up to what a TAP interface was and boom! it was like a lightbulb going off in my head. An at0 interface is a Software based interface. d'oh. Reverted all the code back to original. So now I'm going to focus on the codes part that calls up airbase. I'm thinking it might be a timing issue, but still not sure. Still not working for me ... yet. But I'm sure it will be soon

Edit 3*
Yay. One problem solved! After "echo -e "$info\nOK, We're finally starting airbase-ng..." Line 640 or so, I changed the sleep value to 30. That sure enough gives it the time to put up the at0 interface finally. Now I am having dhcp problems to troubleshoot. I may need to do a fresh install as I've done so much to my system and have no idea where the trouble is at now.

Edit 4* Last Edit (hopefull)
So I did a fresh install of BT, did the update and dist upgrade, and installed the prerequisites. Tried the script again, and was finally able to get the Fake AP to go up! Yay. Not sure where I had the issue to solve that problem. I had to modify several Sleep functions (mostly plus 5) to many of them, and after that was able to connect and monitor the traffic on at0 with wireshark. Very tired now lol, so I will try the other functions tomorrow.

Sorry this post became more of a troubleshooting post for me asking for help and solving it all in the same place. I am happy though, cause I learned a lot of new stuff I didn't know before. I hope its useful for someone as well

[VulpiArgenti]

Well done for troubleshooting it yourself; all part of the never-ending learning curve . Timing can be an issue in a long script: I'm trying to run it as fast as possible for most users, but this proves to be too quick for a minority, particularly those in a VM. The "sleeps" at lines 378 and 640 are the crucial ones to get right.