Hi buddy, this is a confusing post! I did it with the script. And there was a mistake: I can surf the net only when gateway (and DNS) are set to 192.168.0.1 (default script value), not 192.168.1.1 (my router's IP).
But while I can surf with Opera Mini, sslstrip and the others didn't work.
Do I understand that the network and client surfing now works, but sslstrip doesn't? If so
- see post #26
- confirm sslstrip works when launched manually
- try sslstrip in a simpler set-up, e.g. MiTM on your home network
Can you add a function that allows you to save all the consoles (or at least the karmetasploit terminal) to log files, or if they are already logged could you please direct me towards the directory?
Last edited by thad0ctor; 04-18-2012 at 09:45 AM.
Hi thad0ctor, thanks for taking an interest. User feedback is very helpful, as you know!
Depending which modules you run, current logging is:
sslstrip: /root/sslstrip.log
ferret: /root/hamster.txt, and /root/sniff-date-eth.pcap
WPA2 handshakes: /root/PwnSTAR-n.cap
hotspot credentials: /var/www/hotspot/formdata.txt
In the unlikely event that karmetasploit cracks anyone, I presume the loot will be saved in the default postgresql database.
If you think anything else needs logging, let me know and I will fix it up.
I was pretty interested in getting the logged cookies from karmetasploit if that is possible.
Keep up the good work, I love this script and I definitely plan on borrowing the idea of the background color you have going, it's pretty sweet! Keep up the good work!
OK I'll look into it.
Out of interest, do you find karmetasploit much use?
In my test lab, it only works against unpatched XP and OSX Leopard. It never fires against new systems.
I found it pretty good to get a quick identification of the operating systems and browsers of the victims you are attacking, as well as to get cookies and a basic idea of the sites / POST requests victims are trying to access. Like you mentioned, it really isn't ideal for exploiting new systems, but I'm sure with some custom exploits / payloads you could get some hits.
Fair enough.
The cookies are in the default db.
I don't have a way of automatically sorting them from the script, but it's easy enough to scroll/copy/paste from msfconsole:
msf > notes
[MAJOR UPDATE]
Version 0.6 released http://code.google.com/p/pwn-star/downloads/list
New Features in PwnSTAR:
- advanced menu (big plans for filling this over time)
- captive portal using iptables and php:
  - accepts/denies based on MAC
  - can track multiple clients (your hardware permitting!)
  - writes sslstrip iptables rules per client/MAC
Improvements:
- backup index to backup directory (no longer overwrites previous backups)
- sleeps reduced - runs faster
- error-checking
------------------------------------------------------------------------
Two new www directories to be used from the advanced menu:
1. Portal_hotspot: looks the same as hotspot but uses the new captive-portal system
2. Portal_simple: very plain (less dodgy looking than hotspot?). Allows the splash page name to be changed to whatever you fancy e.g. Joe's Cybercafe, Goldmann-Sucks Private Net. Set the essid of the AP to match this.
------------------------------------------------------------------------
Remember to set www-data permissions
Requires: dnotify
------------------------------------------------------------------------
Coming next: Adding an exploit to the captive portal page
------------------------------------------------------------------------
Comments, ideas, requests and bug-reports welcome
------------------------------------------------------------------------
The starting point for the iptables was http://simple-and-hot.blogspot.com.a...-yourself.html
Last edited by VulpiArgenti; 04-22-2012 at 07:25 AM. Reason: Added acknowledgment
First off, this is a really good script, but I keep getting the error below with the MAC addressing and this is stopping me from deauthing. Also it's not giving my victims an internet connection :/ Not sure if that is because of the MAC address problem or not, but I'll post the output anyway. Hope you can tell me a fix because I'll be kicking some ass if I get this working. Btw, have you thought about adding yamen into the script?
You may need to start an internet connection
Are we giving internet access? (y/n)
y
Available interfaces:
eth0 00:0c:29:78:7f:0a
wlan1 00-0C-D0-24-15-04-00-00-00-00-00-00-00-00-00-00
Enter internet connected interface
eth0
Not macchanging eth0. Do it yourself if required
Available wireless interfaces:
wlan1 00-0C-D0-24-15-04-00-00-00-00-00-00-00-00-00-00
Wireless interface to use for AP?
wlan1
Starting monitor mode...
Best to macchange wlan1 and mon5...
Random MAC? (y). Or manual (m)
y
Changing MAC Address; wlan1 and mon5...
Current MAC: 00:0c:d0:24:15:04 (Symetrix)
Faked MAC: 08:00:2c:5c:1c:aa (Britton Lee Inc.)
Current MAC: 00:c0:ca:61:c9:35 (Alfa, Inc.)
ERROR: Incorrect format: MAC lenght is 17. 08-00-2C-5C-1C-AA-40-B0-00-00-00-00-00-00-00-00(47)
Note: best to start the AP on the same channel as the target
Do you want to scan eg to discover target channel, ESSID etc? (y/n)
Hi deviney,
This output is the problem: wlan1 00-0C-D0-24-15-04-00-00-00-00-00-00-00-00-00-00. I've seen these extra 0's with aircrack, but not ifconfig.
Could you post details of your setup, and the output of:
ifconfig -a | grep wlan
As a temporary measure, instead of accepting a random MAC, select manual and then enter a (sensible) value. I suspect that will work.
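The 16-octet, dash-separated address in deviney's output is the form the legacy net-tools ifconfig prints for an interface whose link type it reports as UNSPEC (typical for a wireless card in monitor mode), and passing it straight to the macchanging step produces the "MAC length" error quoted above. As an added example (not PwnSTAR's own code), a small sh helper that trims such an address to its first six octets, lower-cases it, and validates it before use; the `ifconfig -a` sample below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of PwnSTAR: normalise a hardware address as printed by
# ifconfig or aircrack into the canonical 17-character aa:bb:cc:dd:ee:ff form.
# Legacy ifconfig pads UNSPEC (e.g. monitor-mode) interfaces to 16 zero-filled
# octets, which a script must not hand to the MAC-changing step unchanged.

normalize_mac() {
    # Accept ':' or '-' separators and either case; keep only the first six octets.
    _mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr '-' ':' | cut -d: -f1-6)
    # Validate: exactly six two-digit hex groups, colon separated. Anything else
    # (too few octets, stray characters) is rejected so the caller can fall back
    # to asking the user for a manual value.
    case "$_mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$_mac"
}

# Constructed sample of legacy `ifconfig -a` output (assumption: net-tools layout,
# with the padded wlan1 address from the post reproduced verbatim).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0c:29:78:7f:0a
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0

wlan1     Link encap:UNSPEC  HWaddr 00-0C-D0-24-15-04-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST MULTICAST  MTU:1500  Metric:1'

# Print "<iface> <mac>" for every wlan interface in the sample, normalising the
# address; interfaces whose address cannot be normalised are reported on stderr.
wlan_macs() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | awk '/^wlan[0-9]+ .*HWaddr/ { print $1, $NF }' |
    while read -r iface raw; do
        if mac=$(normalize_mac "$raw"); then
            printf '%s %s\n' "$iface" "$mac"
        else
            printf '%s INVALID(%s)\n' "$iface" "$raw" >&2
        fi
    done
}

wlan_macs
```

Run as-is it prints `wlan1 00:0c:d0:24:15:04`; replacing `SAMPLE_IFCONFIG` with the live `ifconfig -a` output gives the same per-interface check the script needs before it builds a MAC argument.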