I had a lot of trouble with this and only really was able to complete it with the help of Gitsnik & Nick The Greek on the Remote Exploit forums.. awesome help there guys ;)
The steps involved are basically ;
- Configure dhcpd.conf
- Start the fake ap with airbase-ng
- Configure IP tables to pass through to host internet
- Capture / Monitor network traffic with tool of choice
In this case my test setup is as follows ;
> Using back|track4 pre final
> Using WiFi dongle to create a connection to internet on wlan1 (through gateway 192.168.1.1)
> Using my netbook wireless card (Atheros) to create the fake ap
First to create/configure the dhcpd.conf file for later use ;
nano /etc/dhcp3/dhcpd.conf
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers 4.2.2.2;
range 192.168.2.130 192.168.2.140;
}
Ctrl X --> y --> Enter to save the file.
Then to start the fake ap with airbase, the interface needs to be in monitor mode ;
airmon-ng
airmon-ng start wlan0
airbase-ng -e "TEST_AP" -c 9 mon0This will create a simple tap interface, on at0, with no encryption, on channel 9 and with the essid TEST_AP.
In this case I already had an internet connection up and running on wlan1, hence the warning messages, however this was of no further consequence.
Then bring the interface up and assign subnet and gateway;
ifconfig at0 up
ifconfig at0 192.168.2.129 netmask 255.255.255.128
route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129
Then start DHCP, I was getting errors on the dhcpd settings, this is where the help came in :)
Needed to give further privilages to the dhcpd.
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
Then to point the command to the alternative dhcpd.conf file and the alternative .pid file
dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0
Then to setup the iptables to route the traffic through the tap interface to the internet connection (internet connection being the one wlan1 is connected to over my 192.168.1.1 gateway).
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1
Now basically you have a fake ap which people can connect to and browse the internet.. all through your connection.
Obviously this can be abused in any number of ways, all traffic can be captured and analyzed;
dsniff could be run on it together with urlsnarf, driftnet etc., sessions could be hijacked in real time..
So goes to show that you should be wary of free access points..
Great script, almost have it working but i needed to tweak the dhcpd. conf file a little bit to get it to start. Ill put it below. Everything is working fine but the connected client cant do DNS lookups although connectivity to the outside is good. Any ideas why?
ReplyDelete-------------------------------------
subnet 192.168.2.128 netmask 255.255.255.128 {
range 192.168.2.130 192.168.2.140;
option domain-name-servers 4.2.2.2;
option routers 192.168.2.129;
option broadcast-address 192.168.2.255;
default-least-time 600;
max-lease-time 7200;
ddns-update-style ad-hoc;
}
Great howto, just got my fakeap up and running also =)
ReplyDeleteHow to configure the file dhcpd.conf according to my configurations?
ReplyDelete@@lex0429: check again your DNS server
ReplyDeleteyou can use google dns : 8.8.8.8
or open dns
how do you configure the dhcpd.conf and iptables using eth0 in backtrack 4 vmware when the host os uses a pppoe connection(adsl connection)? can you post a sample. thanks.
ReplyDeleteThat souds complicated..
ReplyDeleteFirst off, airbase is meant for creating a fake AP.
eth0 is (usually) a wired NIC, I assume this is incorrect in your case an that it is a usb wireless adapter ?
I have to admit however that I lack the knowledge to help you in any technical details regarding PPOE connections.
you know this guide would be really great if it was updated.
ReplyDeletei cant follow it at all (im on debian 6) and it uses ISC for everything including dhcp
the files are in different place
it would also be nice if you would have used eth0 (wired card) and showed us your /etc/network/interfaces so i can see your gateways and dns in there?
also do you use /etc/resolv.conf and add nameserver there
i think the guide could be done better...i can ping outside world but no dns
You are free to look elsewhere on the mighty Google for alternatives...
ReplyDeleteIt is clearly mentioned on which OS it is used, and any shortcomings or new requirements for different OS' are not of any consequence to the original post.
Having said that, I do realise that keeping info upto date is important, but also, please realise this is a BLOG made on a certain time line and not a forum or information providing system that is required to be maintained upto a certain date..
Seriously Tape, that guy above has nothing better to do and shouldn't be using a computer much less Linux if he thinks everything should be a handout. Go find somewhere that clearly states this is a tutorial using "Debian 6" Tape mentioned countless times this tutorial is to be used for BT4 He is what we would call a Troll lol Great Blog by the way Tape and keep up the great tutorials they are very informative.
ReplyDeleteso i was able to get the AP up, connect with a client, but i can't seem to get to the internet. i see the traffic going to at0, but nothing hitting wlan0 (my internet connection).
ReplyDeletehelp?
you are the best bro !
ReplyDeletehow do i setup on eth0 - for my wwww and wlan0 for fakeAP ?
ReplyDeleteHi
ReplyDeleteI am trying with BT5 r2 but having trouble with
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
invalid user dhcpd:dhcpd used root instead then
dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0
no pid file
thanks
All seems to work well and my wireless test client connects and get's an IP address but doesn't seem to want to route out via the wired internet connection on eth0 :(
ReplyDeleteI've changed this line to reflect my internet connection in on eth0:
iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
And I've tried this line exactly as you had it but also with the IP address of my router as I'm presuming this points data out to the net:
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1
Cheers
great howto. is there a possibility to post page to catch wpa password?
ReplyDeleteHave a look at the post I made on cracking WPA/WPA2 with oclHashcat+ ;
Deletehttp://adaywithtape.blogspot.nl/2012/02/wpa-cracking-with-oclhashcat-plus.html
If you are having trouble with DNS....remove this line:
ReplyDeleteiptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1
I've got everything running (I'm using Ubuntu).
ReplyDeleteIn the dhcpd.config file i had to use ddns-update-style interim; , Because ad-hoc is no longer supported.
Maybe this is what post above is saying (due tot he date of Post)
Thanks tape
I forgot to mention I have no internet access from client machine!!!
ReplyDeleteWhere have i gone wrong ???