using ettercap and an evil twin with ARP deauth attack to inject a BeEF hook

[nicbit]

Hi, before I start, sorry for my n00bness, I just started learning this a few days ago  .
After getting BeEF up and running with port forwarding, I decided to attempt to right a script which would create a rouge AP, and force users to connect to it using an ARP deauthentication attack. Then, It would use ettercap's abilities to inject the javascript hook into every website visited on that rouge AP. This would inject the hook by using a filter located at filter/BeEF.ef.  Here is my script:

Code: [Select]

echo monitoring device:
read MON
echo MAC adress of network:
read MAC
echo Name of network:
read NAME
echo starting attack...
airbase-ng -e $NAME -a $MAC $MON &
aireplay-ng -0 0 --ignore-negative-one $MON &
ettercap -T -F filter/BeEF.ef
However, when I attempted to run this script, it did not work  . Ive been trying to figure out what was wrong with this for the past 4 hours, to no avail.
Thanks in advance!

[RedBullAddicted]

You actually know how to setup a fake access point or evil twin? What about dhcp and ip forwarding and stuff like that? Let me give you a hint. Up there, right below your name in the grey bar which holds the logo of the website is a box with the term "Search..." inside. I want you to click that box. You will see that the term "Search..." disappears and a blinking cursor will appear instead. Now I want you to type "eviltwin" into that box and press enter. If you did that correct you will be presented with a search result from the "Scripting Languages" Board and I am sure that one could give you a basic idea how to create an evil twin. Feel free to modify what you may find to suit your needs.

Cheers
RBA

[nicbit]

Thanks for the quick response
As you implied, Aircrack does not provide DHCP services. After attempting to fix this egregious error with the following code:

Code: [Select]

#Taking user input
echo "Enter the SSID of the hotspot you wish to create"
read SSID
echo "Enter the channel you want your hotspot to broadcast on"
read CHANNEL
echo "Enter your wireless interface (ex: wlan0)"
read INTERFACE
#stopping all previous aircrack processes
airmon-ng check kill
#creating mon0
airmon-ng start $INTERFACE
#Starting up the hotspot (no DHCP yet)
airbase-ng --essid $SSID -c $CHANNEL mon0 &
#setting up at0
wait(5)
ifconfig at0 up
#########!!!!!!!!!-NOTE TO SELF: MAKE SURE TO CHANGE THE NETMASK, IP, AND GATEWAY TO FIT NEEDS-!!!!!!!!!#########
ifconfig at0 up 192.168.2.1/24
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1
service network-manager restart
service isc-dhcp-server restart
echo "dhcp server up"
I noticed a few oddities (namely typing in these commands by hand produce a different result than running them). What caught my eye is that the error code implied that the logical interface at0 had not been created yet, even though it should have been created by airbase. I was hoping you could provide an explanation for this.

Due to this massive confusion, I was curious about what other languages (as I can program in about 18 different programming languages: C++, Java, Ruby, Lua, etc...) these features are available in, as I am still very unfamiliar with BASH (obviously) and feel that reimplementing at least part of these libraries may help me. If not, is this functionality provided in a DSL?
Thanks in advance!

[RedBullAddicted]

It seems like you try to create the tap interface from your created monitoring interface. I am not sure if this gonna work.
Have a look at the documentation of airbase-ng. I am sure that would help: http://www.aircrack-ng.org/doku.php?id=airbase-ng
Go ahead and kill that network-manager.. no one needs it anyways. In these scenarios network-manager is known to cause errors.

18 different languages.. not going to comment on this. Aircrack is open source and as far as I know mainly written in c. Go and have a look at the source. Shouldn't be a problem for you to understand it and maybe port it.

If not, is this functionality provided in a DSL?
Thanks in advance!

I have no clue what to say about that. Don't want to be harsh but this does not make any sense at all.

[nicbit]

Thanks for the response!
I will need to look at the source code available for aircrack. Also, sorry about the DSL's, I forgot that in programming, DSL has a completely different meaning than in networking... In Programming, DSL stands for a domain specific language i.e. a language which is only used for one specific application. A good example of this is matlab, which one would use heavily in mathematics, but would never think of using in networking. In general, domain specific languages are not "bogged down" with all of the unnecessary components (in Java, for example, one may never use the the 3d sound production, but they are still present In case one may need to use them) and are generally much better at their intended purpose than many mainstream languages may be. Perhaps, this question can be better stated as: does there exist any programming languages built specifically for penetration testing?
Thanks!

[proxx]

Thanks for the quick response
As you implied, Aircrack does not provide DHCP services. After attempting to fix this egregious error with the following code:

Code: [Select]

#Taking user input
echo "Enter the SSID of the hotspot you wish to create"
read SSID
echo "Enter the channel you want your hotspot to broadcast on"
read CHANNEL
echo "Enter your wireless interface (ex: wlan0)"
read INTERFACE
#stopping all previous aircrack processes
airmon-ng check kill
#creating mon0
airmon-ng start $INTERFACE
#Starting up the hotspot (no DHCP yet)
airbase-ng --essid $SSID -c $CHANNEL mon0 &
#setting up at0
wait(5)
ifconfig at0 up
#########!!!!!!!!!-NOTE TO SELF: MAKE SURE TO CHANGE THE NETMASK, IP, AND GATEWAY TO FIT NEEDS-!!!!!!!!!#########
ifconfig at0 up 192.168.2.1/24
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1
service network-manager restart
service isc-dhcp-server restart
echo "dhcp server up"
I noticed a few oddities (namely typing in these commands by hand produce a different result than running them). What caught my eye is that the error code implied that the logical interface at0 had not been created yet, even though it should have been created by airbase. I was hoping you could provide an explanation for this.

Due to this massive confusion, I was curious about what other languages (as I can program in about 18 different programming languages: C++, Java, Ruby, Lua, etc...) these features are available in, as I am still very unfamiliar with BASH (obviously) and feel that reimplementing at least part of these libraries may help me. If not, is this functionality provided in a DSL?
Thanks in advance!

However, when I attempted to run this script, it did not work

So far you told us what it does and you know that it does not.
I would suggest by telling something more about the origin of "did not work" we could actually make suggestions, if I find the strenght.

[nicbit]

sorry about my lack of specificity... I believe the problem is that the DHCP server, though I specifically started it, is not enabled, as when I attempt to connect to the AP, I always obtain the error "unable to connect to network." Currently, because of the trouble airbase and ISC-DHCP (why did they need to upgrade from DHCP3!!! WHY!?!?!) I am planning on reimplementing this as a library, in which, the following functionality will be available:
1. automatic DHCP forwarding (but can be further specified)
2. ARP spoofing and packet injection
3. an interface for rouge AP's to be set up
4. easy packet interception/injection
geered specifically twoard easy accsess from various programming languages as - at least to my knowlege - aircrack and other tools like that do not interface to multiple languages (other than BASH, of course.) I was contemplating writing this in java (with jpcap) or in c++, but having noticed that almost all of the networking libraries were implemented in ruby, python, or the god forsaken Perl, I was curious if there were any severe disadvantages to writing this in a compiled language.
Thanks!

[proxx]

sorry about my lack of specificity... I believe the problem is that the DHCP server, though I specifically started it, is not enabled, as when I attempt to connect to the AP, I always obtain the error "unable to connect to network." Currently, because of the trouble airbase and ISC-DHCP (why did they need to upgrade from DHCP3!!! WHY!?!?!) I am planning on reimplementing this as a library, in which, the following functionality will be available:
1. automatic DHCP forwarding (but can be further specified)
2. ARP spoofing and packet injection
3. an interface for rouge AP's to be set up
4. easy packet interception/injection
geered specifically twoard easy accsess from various programming languages as - at least to my knowlege - aircrack and other tools like that do not interface to multiple languages (other than BASH, of course.) I was contemplating writing this in java (with jpcap) or in c++, but having noticed that almost all of the networking libraries were implemented in ruby, python, or the god forsaken Perl, I was curious if there were any severe disadvantages to writing this in a compiled language.
Thanks!

I can see how you get in trouble.
You make it really difficult for yourself.

I suggest you just do it step by step manually and cofirm that it is working.
For example is the DHCPd running ? does it lease addresses?(Netstat, ps)
Does the routing/bridging work?
Did you use wireshark to see what is really happening ?
Can you associate a client with a static IP address ?
etc.

And apart from all that stuff.
What chipset do you use? is it supported by airbase-ng, does injection work on the card?
Did you consider using hostAPD instead of airbase?

[RedBullAddicted]

Thanks for the response!
I will need to look at the source code available for aircrack. Also, sorry about the DSL's, I forgot that in programming, DSL has a completely different meaning than in networking... In Programming, DSL stands for a domain specific language i.e. a language which is only used for one specific application. A good example of this is matlab, which one would use heavily in mathematics, but would never think of using in networking. In general, domain specific languages are not "bogged down" with all of the unnecessary components (in Java, for example, one may never use the the 3d sound production, but they are still present In case one may need to use them) and are generally much better at their intended purpose than many mainstream languages may be. Perhaps, this question can be better stated as: does there exist any programming languages built specifically for penetration testing?
Thanks!

Didn't know that. Thanks for the explanation.

geered specifically twoard easy accsess from various programming languages as - at least to my knowlege - aircrack and other tools like that do not interface to multiple languages (other than BASH, of course.)
Thanks!

Not quite sure what you mean with that. You are executing system commands with your bash script and nearly all languages I know (I am not a programmer and I do not know many languages) provide some kind of a exec function which gives you the possibility to do the same things you are doing in your bash script.

Btw. If you plan to stay here I would suggest writing an introduction in our members introduction board.