
Pwnstar9.0 for kali2.0 has been released for general use



mmusket33
2015-10-07, 10:08
Pwnstar9.0 for Kali 2.0 is released for general use and testing.

The Pwnstar9mv2.zip package contains the following:

1. Pwnstar9.0-K2mv2-6.sh

2. webpage folder

hotspot_3
portal_pdf
portal_hotspotaccess
portal_simpleaccess
routerwpa1
routerwpa1access
routerwpa2
routerwpa2access
routerwpa3
routerwpa3access
routerwpa5
routerwpa5access

3. MITMf directory

4. mitmf.sh

5. impact-master

6. Pwnstar9-K2-help.txt


Package designed for WPA Phishing and sniffing


You can download the Pwnstar9-K2.zip package at:

https://github.com/musket33/Pwnstar9.0-for-WPA-Phishing


http://www.datafilehost.com/d/6b262f3b


Musket Team Labs

For those unable to download because of the portalpdf file, try this download. The portalpdf folder in the webpage folder has been removed. The pdf attack listed in the Basic Menu will therefore not function as the rqr folder will be missing. This will not affect other Menu selections listed as tested in the help file.


http://www.datafilehost.com/d/5cca5a16

turtlebacon
2015-10-07, 12:24
hmm...


turtlebacon
2015-10-07, 13:15
VirusTotal kicks back 38/50 on this.

mmusket33
2015-10-08, 01:20
To: turtlebacon

Thanks

The original author constructed a portal+pdf attack. The virus you see listed is part of that package and is included in all Pwnstar9.0 versions both stock and musket team.

We have included a download listed above that does not include the portal+pdf web page folder.

Let us know if you have any other problems

MTeams

slmafiq
2015-10-09, 15:39
Make a video of how you start option 4. I cannot connect to the rogue AP with my phone :@ :@ :@

markrenton
2015-10-13, 17:14
I have a problem with it.
These are the steps I've taken.
Kali Linux 2.0 (Tried both Vmware and HD installation)

Apt-get update && upgrade
I installed all the dependencies, set the various permission, placed the various files in root and the portal pages to /var/www
bash pwnstar etc..
I have a wired connection (through Lan) and two adapters:
RTL8187
RT2800

Once I opened the script, I followed the various Yes or No prompts until it created the rogueAP.
I provided internet access, writing "eth0" when the program asks which interface will be used to provide i.a. (so I selected the option for the HTTPS-HTTP trap).
I placed the RogueAP channel on 1, that is the same as the victim's router.
Realtek for AP, Ralink for mdk3 attacks.

The problem is that, even if I can see the various broadcast requests, NO ONE connects to the fake AP. And, I repeat, mdk3 deauth works well.
What's the problem?
I tried 48h for one victim router, and I tried other routers too, but nothing happened.

Can you kindly help me?
Thanks.

mmusket33
2015-10-15, 10:47
To Mark:

The best way to test this program is to go thru the four steps we outline in both the main Pwnstar thread set up by Vulpi and in our help files.


Setup Pwnstar9

With a second wifi device.


1. See if the rogueAP name is seen.

2. Test if the second wifi device can connect (associate) to the rogueAP

3. Test to see if the second device can call up the phishing page.

4. Test to see if data can be written to the formdata.txt file from the second computer.

Advanced Testing

5. Deauth the targetAP and see if you can connect to it thru your second wifi device.

6. Deauth the targetAP and see if you can still connect to the rogueAP and pass data.


If the above all works it is just a matter of getting a phish to bite. WPA phishing is a social engineering attack. Computers are not forced onto the rogueAP, the client has to choose to connect. Read our suggestions about rogueAP names in the help files. MTeams suggest you explore all other avenues while you WPA Phish in this order:

1. Pixiedust
2. Reaver
3. Brute Force Run thru 8-10 numeric strings and then a good WPA dictionary - Use elcomsoft
4. Listen for probe requests of WPA key in clear text by collecting essidprobe data.

You should test item three and use the MITMf program also. Connect your own device to the rogueAP and you can see all the data being passed.


MTeams

socialcred
2015-10-18, 01:27
Dear mmusket33,

Great work by your MusketTeams keeping this tool working. It's a favorite for end-user security awareness training.

The tool works fine for the captive portal and phishing attack. I am having trouble getting the sniffing functionality to match what I was getting with sslstrip. Once the target was through the phishing portal it was no problem to grab demo outlook.com credentials. Now I can't seem to get the MITMf script to work to sniff after browsing authorized. Any tips on troubleshooting would be greatly appreciated. Alternatively could I still use sslstrip?

mmusket33
2015-10-21, 03:25
To socialcred

First you can only use MITMf with Basic Menu item 3. You cannot use it with Basic menu item 4 or 9a because Apache2 runs and takes over the port. You mention browsing authorized which leads us to thinking you are trying to use it with a portal/phishing page which again requires Apache2.

We note this limitation in the help files.

If this is not the case then outline your menu choices etc and we will try and duplicate your problem and correct it.

MTeams

socialcred
2015-10-22, 00:46
Dear Mmusket33,

Thanks for pointing out my error. You are correct I was trying to use it as a follow on to the captive portal phishing attack. I didn't read the help files carefully enough. Should the sslstrip attack still work after 9a?

Again thanks for keeping a favorite tool working!

mmusket33
2015-10-22, 12:31
To: socialcred

Okay, we threw a little time at the problem; here is a solution.

If you run Basic Menu 3 sniff there is no portal page and no problem.

However if you are running a Portal Page and want to sniff with sslstrip+, the portal page is gone once you run ANY of the sniffing features, so you must let the client get past the portal and begin accessing the internet before you sniff. Here are the variations when running 9a with pwnstar9.0 (PS9).

1. Start PS9
2. Run Basic Menu 9a as internet access must be provided
3. If you select the https-http trap feature then once you start the sniffing features the client can only access https requests. If however you select to not use the trap then once the sniffing features are started the client can access both http and https requests. This though means the client cannot pass thru the portal and get internet access unless a http request is made.

4. Once PS9 is running you will see in yellow:

Enter Line Number of operation to be conducted.

Select 3 sniff victims and additional xterm windows with ferret and sslstrip will open in turn and start writing data as it comes thru. This selection will also rewrite some iptables allowing sslstrip to function.

To allow mitmf (i.e. sslstrip+) to function you must unbind port 10000 if it is bound.

Open a terminal window

Type fuser -k 10000/tcp

or fuser -n tcp 10000

You will get a bunch of Cannot Stat file etc warnings and then

10000/tcp 4677

The 4677 digit is a numerical string designating the process and can be any numeric string

Now type killall -9 and the numeric string seen, in this case 4677

killall -9 4677

You will get an error message ignore it

Now run mitmf.sh and it runs fine. Just give it time to get the python script to run.

We are working on a mitmf.sh that runs all this for you. Will post it here when completed. However we think Basic Menu 3 is a better feature.

MTeams
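
The post above frees port 10000 by hand. One detail worth knowing when following it: `killall` matches on a process name, not a PID, so `killall -9 4677` can only answer "no process found" (the error message the post says to ignore); it is the earlier `fuser -k 10000/tcp` that actually releases the port. The script below is an added example, not part of the Pwnstar9 package, that does the same job with `kill` on the PID. It assumes the psmisc `fuser` and GNU coreutils; the sample `fuser` output used in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from Pwnstar9): free a TCP port by terminating the PID
# that holds it. kill acts on a PID; killall acts on a process *name*, which is
# why "killall -9 4677" only reports "4677: no process found".

# pids_from_fuser_output TEXT: extract the PID numbers from fuser's output.
# fuser writes the "10000/tcp:" label (and any "Cannot stat file" warnings) to
# stderr and the PIDs to stdout, so when both streams are captured together
# the text looks like the constructed sample "10000/tcp:  4677".
pids_from_fuser_output() {
    printf '%s\n' "$1" \
        | tr -s ' \t' '\n\n' \
        | grep -E '^[0-9]+$' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# listening_pids PORT: PIDs bound to TCP PORT, or an empty string if none.
listening_pids() {
    pids_from_fuser_output "$(fuser -n tcp "$1" 2>&1)"
}

# free_tcp_port PORT: send SIGTERM to each holder, escalate to SIGKILL only if
# the process is still alive a second later. Returns 0 when the port is free.
free_tcp_port() {
    port=$1
    pids=$(listening_pids "$port")
    if [ -z "$pids" ]; then
        echo "port $port/tcp is already free"
        return 0
    fi
    for pid in $pids; do
        echo "port $port/tcp held by PID $pid ($(ps -o comm= -p "$pid" 2>/dev/null))"
        kill -TERM "$pid" 2>/dev/null
        sleep 1
        if kill -0 "$pid" 2>/dev/null; then
            kill -KILL "$pid" 2>/dev/null
        fi
    done
    [ -z "$(listening_pids "$port")" ]
}

# Run only when executed as freeport.sh so the functions can also be sourced.
case "${0##*/}" in
    freeport.sh) free_tcp_port "${1:-10000}" ;;
esac
```

Save it as `freeport.sh` and run `sh freeport.sh 10000`; the port number defaults to 10000, the one mitmf needs. Escalating from SIGTERM to SIGKILL gives the holder a chance to close its sockets cleanly, which `-9` straight away does not.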

pip
2015-11-12, 21:00
To mmusket33,

Would you consider sharing your code on github (https://github.com) or bitbucket (https://bitbucket.com)? They are much better platforms for sharing code than free file upload sites. Also it would allow us to contribute to your codebase (that is, if you accept pull requests).

Regardless of your decision thanks for the tool.

mmusket33
2015-11-13, 07:11
To pip,

The original author Vulpi has posted his version on github

MTeams adapted it for WPA phishing

Our view is once we release any code to the community, the code belongs to the community not us.

Hence if you think it wise to post two(2) versions on github that would be your decision. We have no objection to you posting if you wish.

socialcred
2015-11-16, 23:30
Dear Mmusket33,

I appreciate the time your team spent on dealing with my question. I will be in a position to run tests soon. I just tried using the phish/sniff advanced attack after allowing the victim through the phishing captive portal and the sslstrip attack still works! In fact, it works faster than on the prior version of Kali. Congrats on a great framework for wifi attack demonstrations for end-user security. Sometimes users don't believe the training until they see the attacks in class!

mrphong
2015-11-20, 14:31
You mention browsing authorized which leads us to thinking you are trying to use it with a portal/phishing page which again requires Apache2

frankburns
2015-12-02, 13:34
Hi,

I appreciate your effort on pwnstar project. I want to ask your opinion on the following scenario:

I'm starting your version of pwnstar on a kali 2.0 virtual machine, using (9-a). Everything is created normally. I'm using the "portal-hotspott" page. I'm using as test devices an iPhone 5 and an iPhone 6. I can connect to the pwnstar created network and I'm receiving the portal page on any http request. Credentials are captured and shown in formdata.txt.

The problem is that after a few minutes (sometimes 1-2 min, sometimes 5-6) I'm losing the connection to the pwnstar network and I can't reconnect because the pwnstar network disappears from the spectrum.

Any ideas on how to debug this?

Thank you in advance.
Frank

mmusket33
2015-12-03, 12:15
To Frank,

Unfortunately MTeams has never run the program in a virtual machine. We suggest you make a persistent usb install of kali 2.0 or do a hard drive install and then test the program and see if the problem disappears. Do not try and run the program from a live only usb, the persistent feature must be set up. If at that time the problem still exists then we will try and assist you BUT this problem does not exist on our computers.

MTeams

brunoaduarte
2015-12-05, 23:35
Repeated message, delete please

brunoaduarte
2015-12-05, 23:54
Hi mmusket33 !

In vk496/Linset, there's a feature to auto test the captured wpa passphrase (the one user entered on the fake accesspoint page) in realtime, by trying it on a previous captured WPA handshake packet.

If the user types a password that cracks the handshake, then the fake page shows a success message and disables the fake ap automatically.

Is there a similar function in your "pwnstar9.0-K2-mv2-6.sh" ?

BTW, I've read a lot and only tested pwnstar9.0-K2-mv2-6.sh till now, I'm about to download wifislax to try linset as it seems to have some bugs in kali.

Anyway, which of these do you think is the best ? pwnstar or linset ?

mmusket33
2015-12-06, 01:49
To brunoaduarte

First reference linset. MTeams may not be aware of the author's latest work. MTeams did debug and translate and then release a linset version but it probably will only run in kali1.10a due to the airmon-ng problems.

We prefer the Pwnstar9.0(PS9) approach written by vulpi. MTeams have new phishing pages on the drawing board that will plug right into the MTeam PS9 version.

Furthermore we know of no other phishing program that will run under Kali2.0 because of the airmon-ng network-manager conflicts. And because Eterm although now available for kali2.0 does not work in the kali2.0 environment. We tried to address the Eterm issue in these forums but got nowhere and just gave up.

For us the King of RogueAP programs is Aerial however this program does not support phishing web pages and may not run in kali2.0. If you find any of these comments in error please correct us.

Reference functions in PS9 - no such handshake module exists. WPA Phishing is a social engineering attack. What is most important is the quality of the web pages and the functionality of the systems interaction with the client. Vulpi provided an easily adaptive program that allows expansion and individual expression. If you use PS9 even if it is an MTeams release thank the original author who made all this possible.

If you find either linset or Aerial run in kali2.0 please advise


MTeams

mmusket33
2016-01-25, 02:51
Pwnstar 9.0K2 cannot be run in kali-linux-2016.1-i386. MTeams is currently coding around the problems.

Musket Teams

Maxnonym
2016-04-17, 17:04
Mmusket33 Thank You

JackBauer
2016-04-18, 13:18
Pwnstar 9.0K2 cannot be run in kali-linux-2016.1-i386. MTeams is currently coding around the problems.

Musket Teams

Any ETA for 2016.1 release availability?

highway9
2016-04-19, 07:23
@JackBauer

I have been in contact with Musket Teams via e-mail. They told me currently they have terminated all work with kali-linux 2016R as they cannot keep a stable operating system functioning. I doubt they are even visiting this site at present. I do see them post in aircrack-ng forums however.

mmusket33
2016-05-12, 10:13
To: JackBauer

As highway9 notes MTeams has terminated all active work with kali2016 until a stable version of Kali2016 emerges. Our RV Team expects that to occur in late June or early July.

We have a Beta Version of PwnStar9.0 for kali2/2016 with new phishing web pages that is running in a persistent usb install of kali2016 that we could send you if you wanted it. MTeams can always use other opinions.

Musket Teams

JackBauer
2016-05-12, 14:03
To: JackBauer

As highway9 notes MTeams has terminated all active work with kali2016 until a stable version of Kali2016 emerges. Our RV Team expects that to occur in late June or early July.

We have a Beta Version of PwnStar9.0 for kali2/2016 with new phishing web pages that is running in a persistent usb install of kali2016 that we could send you if you wanted it. MTeams can always use other opinions.

Musket Teams

Thanks MMusket, I'll be glad to test this Beta on my Kali 2016.
Waiting for it...

Quest
2016-05-13, 00:28
MTeams has terminated all active work with kali2016 until a stable version of Kali2016 emerges.

Musket Teams

Let's see what happens with Devuan also. I'm hoping that someone will come out with a pentest/techie OS with it as its core.

machx
2016-06-25, 10:56
Tested Pwnstar 9.0 K2 on Kali 2016 rolling, it works fine. Installed MITMf separately as seen here https://github.com/byt3bl33d3r/MITMf/wiki/Installation

Works fine, thanks M Team. You guys have been doing a great work with keeping us alive with new tools.

Looking forward to a great hammer for WPA/WPS PIN breaking

Cheers!

R.3volv3.R
2016-06-25, 15:05
I use 2 wireless adapters, wlan0 and wlan1. Testing with an Android phone as the client, it can connect to the AP, but when I choose option 3 (give client internet connection and sniffing), this option can't launch, so the client can't open the webpage.

mmusket33
2016-06-26, 14:48
To machx

Thanks for the tests we will reference this address when we release the updated PS9 supporting passive DOS thru RogueAP clones.



To R.3volv3.R

Web page support does not exist for item three. MTeams is currently working on a new version of PS9. Our focus has been on items 4 and 9a. If you want to provide internet access then select 9a. If you use the HTTP Trap then when the client tries to access a https site the client is passed on to the site HOWEVER the minute a http site is requested the phishing web page is seen.

Internet access for an associated client thru selection 9a is dependent on the quality of the internet connection you have established thru your device. Poor, weak or slow access will result in page timeouts for the client. This does not affect the phishing web page. Hence if the HTTP trap is used a client requesting a https site will get the site or the page will time out, but no certificate warning will be seen if the site requested is valid. All our android phones work fine.

MTeams

rexiiii
2016-06-28, 13:22
Hi mmusket33 - I do enjoy your scripts. They are helping me while I learn various things about my home router. I am having some trouble with the version of PwnSTAR I'm using. I believe I have the K2mv2-6. The issue I am having is creating a MITM with internet access.

A couple of things I can't seem to pinpoint:

1. It launches 2 APs. One named Default and the other the ESSID I specify.
2. No internet access is given, and when given the option of choosing which option out of 3, I choose number 3 "Give Internet access and sniff". I keep getting the error (Option not available in this attack mode). Happens when trying to use a Honey Pot as well.
3. The DHCP client error I'm getting - tail:unrecognized file system type for /var/lib/dhcp/dhcpd.leases - not sure if this is why my connected clients can't get internet

Once I get through this I'll be able to move onto the next step :)

Would it be possible to get the beta script to test that out?

mmusket33
2016-06-28, 14:45
To: rexiiii

First, none of your items have anything to do with errors in Pwnstar9.0

1. The 2 APs is a bug in aircrack. This bug has been corrected in newer versions. So update/upgrade your installation and this should go away. For reference see aircrack-ng forums although there are some commentary here in kali under airbase-ng

2. To use item 3 you must provide internet access. You state no internet access given

3. The tail unrecognized file system type is a bug in tail AND will have NO effect on anything just ignore it. If you want details just google tail and the warning. When we issue the newer Pwnstar which we are working on at present a comment about tail warning errors has already been added to the menu texts.

MTeams

R.3volv3.R
2016-06-28, 15:06
I think there is no internet access because when pwnstar starts all wlan will disconnect; if we use a LAN cable it will still have an internet connection and can give internet access to the victim.

rexiiii
2016-06-28, 16:53
To: rexiiii

First, none of your items have anything to do with errors in Pwnstar9.0

1. The 2 APs is a bug in aircrack. This bug has been corrected in newer versions. So update/upgrade your installation and this should go away. For reference see aircrack-ng forums although there are some commentary here in kali under airbase-ng

2. To use item 3 you must provide internet access. You state no internet access given

3. The tail unrecognized file system type is a bug in tail AND will have NO effect on anything just ignore it. If you want details just google tail and the warning. When we issue the newer Pwnstar which we are working on at present a comment about tail warning errors has already been added to the menu texts.

MTeams

Oh I see! I thought they were errors in the script interacting with my distribution. thank you so much for clarifying that! I really appreciate it.

Yes I do realise I need to offer internet for item three, but I can't get the internet flowing, and I assumed originally it was the tail bug in the dhcp window. Learner Driver here! I am still trying to get the internet working through item three. Keeps telling me that the attack is not available in that mode.

Will practice more! Thanks MTeams!

mmusket33
2016-06-29, 01:08
To: R.3volv3.R and rexiiii

Reference internet access

Suggest you download Netmanmac and turn off all your connect automatically setting. Also you must spoof your internet connected device thru Network Manager menus only.

If you use airmon-ng check kill you lose the ability to connect to the internet. Using service commands like service NetworkManager restart WILL NOT restore full function to your Network Manager menu. The only way to restore full function is to reboot the computer.

If you do not use airmon-ng check kill BUT type service NetworkManager restart to initialize new mac addresses or autoconnect settings you will again lose full function of Network Manager and again you must reboot the computer.

MTeams has noticed that unless the internet access is strong a web page will not be seen. If you select the HTTPS pass thru then either the web page is seen or the program constantly tries to load a page.

MTeams cannot test wired interfaces and are interested in any reports


Suggest you test 9a first and then 3.


You cannot run portions of this script using kali 2016R. The current version is for kali 2.0

We have spent more time coding around Network Manager than actually writing any other code.

MTeams

mmusket33
2016-07-06, 14:30
To rexiiii

MTeams is working on a newer version of Pwnstar9 that would support kali2016.

We found that internet access could not be provided when using kali2016R. Our RV group suspected Apache2 so we tried

apt-get install apache2

A few files were loaded and after that internet access was again up and running.

So if you are using 9a and no internet access is seen try the apt-get install routine.

MTeams

k4rl.L337
2016-09-08, 16:07
mmusket33,

I have been a long time reader of these forums and one of the reasons I have joined is to say a huge thanks to you for your posts on this forum.

Also thank you for the work you do on the scripts you freely provide. You make Kali more usable for the average guy.

Please keep up the good work as I am sure many more people really appreciate your efforts.

mmusket33
2016-12-05, 08:23
Keeping DNS internet link active thru the Captive portal in the musket version of Pwnstar9

When running the Captive portal selections 9a and 3 in the musket version of Pwnstar 9.0, an internet connection is required. Without the connection the phishing page will not run nor will the HTTPS-HTTP trap function.


The trap allows the phish to access the internet when a HTTPS request is made BUT if a HTTP request is made the phishing page is provided.


MTeams is currently updating Pwnstar9 for kali rolling R2 and WPA Phishing. Until this update is released, we suggest that when using the captive portal selections 9a and 3, users run the following in a terminal window.

while true; do ping -c 1 www.google.com; killall -q ping; sleep 1; ping -c 1 www.facebook.com; killall -q ping; sleep 1; done

If you wish to launch in an xterm window then

xterm -g 80x5+0-0 -T "DNS Response Test" -e "while true; do ping -c 1 www.google.com; killall -q ping; sleep 1; ping -c 1 www.facebook.com; killall -q ping; sleep 1; done"

The xterm window will be seen in the lower left-hand corner of the screen.

This does not apply to selection 4 in the Pwnstar menu which does not use the captive portal.

Musket Teams
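
The one-liner above keeps the uplink busy but tells you nothing when it goes away, and because `ping -c 1` runs in the foreground and exits on its own, the `killall -q ping` that follows it has nothing left to kill. The script below is an added example, not part of the Pwnstar9 package, that does the same alternating probe with a per-probe timeout (GNU `ping -W`) and logs a timestamped reachable/total count each round, so a dropped connection shows up in the window instead of scrolling past. The host list is a constructed default and can be overridden through the `HOSTS` environment variable.

```shell
#!/bin/sh
# Added example (not from Pwnstar9): a link-check loop that alternates between
# hosts like the original one-liner, but gives each probe a timeout and keeps a
# count so a dropped uplink is visible in the log.
# The host names are constructed defaults; any resolvable names will do.
HOSTS="${HOSTS:-www.google.com www.facebook.com}"

# probe_host HOST: one ICMP echo request with a 2-second reply timeout.
# ping exits by itself, so no follow-up killall is needed.
probe_host() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# probe_round "HOST LIST" PROBE_FN: run PROBE_FN against each host, print
# "reachable/total" on stdout and return non-zero when no host answered.
# PROBE_FN is a parameter so the logic can be exercised without a network.
probe_round() {
    hosts=$1
    probe=$2
    ok=0
    total=0
    for h in $hosts; do
        total=$((total + 1))
        if "$probe" "$h"; then
            ok=$((ok + 1))
        fi
    done
    printf '%s/%s\n' "$ok" "$total"
    [ "$ok" -gt 0 ]
}

# monitor_link INTERVAL: loop forever, one timestamped log line per round.
monitor_link() {
    interval=${1:-1}
    while :; do
        if result=$(probe_round "$HOSTS" probe_host); then
            printf '%s link ok (%s reachable)\n' "$(date +%T)" "$result"
        else
            printf '%s LINK DOWN (%s reachable)\n' "$(date +%T)" "$result"
        fi
        sleep "$interval"
    done
}

# Run only when executed as dnscheck.sh so the functions can also be sourced.
case "${0##*/}" in
    dnscheck.sh) monitor_link 1 ;;
esac
```

Save it as `dnscheck.sh` and launch it the same way as the original, e.g. `xterm -g 80x5+0-0 -T "DNS Response Test" -e "sh dnscheck.sh"`; a LINK DOWN line appearing while a client is on the portal is the signal that page timeouts on the client side are the uplink's fault rather than the script's.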