Remote Exploit Forums



Wireless Specific topics related to the attack & defense of wireless systems

#61 | Nick_the_Greek (Senior Member, Greece) | 11-07-2009, 09:40 PM

khemael,

welcome to the forums.

You can open the wlan.conf file with a text editor and change MTU_VALUE to 1500. If you read all the previous posts you will see that there is a problem with Alpha cards. If you have one from a different brand, try this one.

Nick.
__________________
The quieter you become....
#62 | sudoaptget (Just burned his ISO) | 11-07-2009, 10:12 PM
Problem with the at0 interface

When I run your script I get this error once it tries to start airbase. An xterm window pops up and disappears, followed by this printed in my terminal.

Quote:
Internet gateway is: 192.168.15.4
Primary DNS server: 192.168.15.4

Software Access Point options
Wireless interface: mon0
ESSID: Free Wifi
MAC address: 00-e0-4c-83-5b-e9
Channel: (Channel 1)
Mode: Simple WLAN

Waiting 10 seconds for the soft AP to be established
at0: ERROR while getting interface flags: No such device
SIOCSIFADDR: No such device
at0: ERROR while getting interface flags: No such device
SIOCSIFNETMASK: No such device
SIOCADDRT: No such process
SIOCSIFMTU: No such device
Starting DHCP Server V3.1.1
root@laptop:~/wlan_0.7.3a/wlan_0.7.3a# Internet Systems Consortium DHCP Server V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit
Wrote 0 leases to leases file.

No subnet declaration for at0 (0.0.0.0).
** Ignoring requests on at0. If this is not what
you want, please write a subnet declaration
in your dhcpd.conf file for the network segment
to which interface at0 is attached. **

Not configured to listen on any interfaces!

Any ideas?
#63 | Nick_the_Greek (Senior Member, Greece) | 11-07-2009, 11:15 PM
WEP encryption and nbpps added

Please download from the 1st post.

Today I added WEP encryption and nbpps (number of packets per second transmission rate).

WEP encryption (40 and 104 bits) is working (I hope) for all types of SoftAP:
1) Any card + airbase-ng
2) Madwifi-ng master mode
3) Madwifi-ng (monitor mode) + airbase-ng.

You will be prompted to enter a key. Valid keys are:
1) WEP 40 bits: any ASCII key with 5 characters (e.g. abcde)
2) WEP 40 bits: any HEX key with 10 characters (e.g. ab:cd:ef:01:23)
3) WEP 104 bits: any ASCII key with 13 characters (e.g. aaaaaaaaaaaaa)
4) WEP 104 bits: any HEX key with 26 characters (e.g. ab:ab:ab:ab:ab:ab:cd:ef:01:23:45:56:67)

Currently I don't allow any special characters in ASCII keys. I will fix that soon.

You shouldn't be allowed to enter a wrong key (I am validating user inputs, thanks to Gitsink), so you can't do something wrong.

If you don't want to use WEP encryption, press Enter to leave the password blank.

I personally tested all the modes and all the types of encryption and keys (ASCII - HEX) and it seems to work. There are many combinations and maybe I missed something. Please let me know if something wrong is found.

The beautiful part started when I tried to crack the WEP key of the SoftAP. I was able to crack the WEP key, no fancy stuff (aireplay-ng -3 bla bla), and even with the same card that broadcasts the SoftAP: mon0 for the SoftAP and mon1 to inject.

I also tried with 2 cards: one broadcasting and the other injecting.
And finally with 3 cards: one broadcasting, a second connected and a third injecting.

I believe this could be very useful to people who don't own an AP and want to do some experimentation. So anyone who has just learned how to crack a WEP key and wants to see it in action can use the script to practice with.

Leave your neighborhood's AP alone. Do it yourself.

On the other hand (hypothesis): let's say you just cracked my (or anyone's) AP's WEP key. You are getting Internet from me and you are happily surfing the web. I find out that you are stealing my Internet. What do I do? I bring up with the script a SoftAP with exactly the same options as the real one: ESSID, MAC address, channel and WEP key. Do you have the knowledge to find out that the AP you are connected to is a fake one? Can you imagine the rest?
So, please think before you act.

Among other things, this is why I wrote this script. So anyone can practice with at least one or two wifi cards.

Anyway. There are limitations for the above and, as usual, they refer to alpha cards and to madwifi-ng drivers.

airbase-ng [Aircrack-ng]

Quote:
Some drivers like r8187 don't capture packets transmitted by itself. The implication of this is that the softAP will not show up in airodump-ng. You can get around this by using two wireless cards, one to inject and one to capture. Alternatively, you can use the rtl8187 driver.

The madwifi-ng currently does not support the Caffe-Latte or Hirte attacks. The root cause is deep within the madwifi-ng driver. The driver does not properly synchronize speeds with the client and thus the client never receives the packets. If you need to use these attacks, try using the ath5k driver.
As for nbpps, at the end of wlan.conf you will find two new tags:
Code:
Nbpps_USE no
Nbpps_VALUE 200
Nbpps refers to the -x option in airbase-ng. When Nbpps_USE is set to yes, the script will use the Nbpps_VALUE, which in this case is 200. By default (in the script) this option is disabled, as you can see above. If you want to play with it, set it to yes and change Nbpps_VALUE to any value from 1 to 1000 (airbase-ng's default value is 100). I can not say I have noticed any huge difference with that. Maybe it will help the alpha cards. Don't know.
That is all.
Enjoy

Nick

PS sudoaptget: Does your card support injection? Obviously airbase-ng doesn't start correctly. Check your wireless interface names again.

Last edited by Nick_the_Greek; 11-09-2009 at 05:11 PM. Reason: No special characters allowed in WEP key
#64 | sudoaptget (Just burned his ISO) | 11-08-2009, 01:45 PM
at0 problem

Yes, it supports injection; in fact I'm even able to run airbase manually just fine using the directions you posted and =Tape= followed at hxxp://forums.remote-exploit.org/newbie-area/28101-dhcp3-issue-airbase-ng.html#post159457

Here is all the info I think could be useful.

This is the output of my iwconfig. I'm using wlan0 as my internet connection and wlan1 will be my softAP. wlan1 is currently in monitor mode and has the mon0 interface.

Quote:
wlan0 IEEE 802.11bg ESSID:"Eat More Babies"
Mode:Managed Frequency:2.462 GHz Access Point: 00:24:B2:13:730
Bit Rate=18 Mb/s Tx-Power=27 dBm
Retry min limit:7 RTS thr:off Fragment thr=2352 B
Encryption key:3319-A3AF-17DD-ACC5-67E3-5731-A69B-A48F [2] Security mode:open
Power Management:off
Link Quality=100/100 Signal level:-38 dBm Noise level=-100 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

wmaster1 no wireless extensions.

wlan1 IEEE 802.11bg ESSID:""
Mode:Managed Frequency:2.417 GHz Access Point: Not-Associated
Tx-Power=27 dBm
Retry min limit:7 RTS thr:off Fragment thr=2352 B
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

mon0 IEEE 802.11bg Mode:Monitor Frequency:2.417 GHz Tx-Power=27 dBm
Retry min limit:7 RTS thr:off Fragment thr=2352 B
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

Results of the injection test on mon0:
Quote:
07:57:00 Trying broadcast probe requests...
07:57:00 Injection is working!
07:57:02 Found 1 AP

07:57:02 Trying directed probe requests...
07:57:02 00:1F:33:F8:A9:E0 - channel: 2 - 'Britts-Wireless'
07:57:05 Ping (min/avg/max): 17.917ms/110.832ms/141.413ms Power: -73.87
07:57:05 30/30: 100%

Last edited by sudoaptget; 11-08-2009 at 02:02 PM. Reason: Adding extra info.
#65 | Nick_the_Greek (Senior Member, Greece) | 11-08-2009, 02:03 PM

Quote:
Originally Posted by sudoaptget View Post
Yes, it supports injection; in fact I'm even able to run airbase manually just fine using the directions you posted and =Tape= followed at hxxp://forums.remote-exploit.org/newbie-area/28101-dhcp3-issue-airbase-ng.html#post159457
I'm pretty well lost as to why I'm getting these errors.
Quote:
Internet gateway is: 192.168.15.4
Primary DNS server: 192.168.15.4

Software Access Point options
Wireless interface: mon0
ESSID: Free Wifi
MAC address: 00-e0-4c-83-5b-e9
Channel: (Channel 1)
Mode: Simple WLAN
Just noticed that your ESSID is "Free Wifi". Don't leave spaces between the 2 words. Make it "Free_wifi".

Nick.
#66 | sudoaptget (Just burned his ISO) | 11-08-2009, 02:16 PM
Wow

Wow, I feel like a tard now. I spent all Saturday trying to figure that out and it's a freakin' underscore. Lol, thanks for the help and the great script.
#67 | Nick_the_Greek (Senior Member, Greece) | 11-08-2009, 09:09 PM
A bug

Just found out a small bug.

Whether you create a SoftAP in "master mode" or "monitor mode + airbase-ng", you will get a message like:

Quote:
Number of packets per second: xxx
Where xxx will be the default value (100) or, if it was changed in wlan.conf, that value.

This is wrong because the nbpps value refers only to airbase-ng created SoftAPs. If you see that message in master mode, that doesn't mean that this value is also used. In airbase-created APs this value is used normally, as explained in the previous post.

I will fix that very soon.

Has anyone tried the script with WEP encryption?

Quote:
Originally Posted by sudoaptget View Post
I spent all Saturday trying to figure that out and it's a freakin' underscore.
Sometimes we get stuck on the very simple things.

To avoid situations like this, I will change the script in the near future so you will not be allowed to enter an invalid character.

Nick

Last edited by Nick_the_Greek; 11-09-2009 at 06:54 AM.
#68 | Nick_the_Greek (Senior Member, Greece) | 11-09-2009, 11:36 PM
Script Updated.

Today I fixed some things.

The Nbpps bug is fixed. It will be displayed and used only if we have an airbase-ng based SoftAP.

User input filtering (sudoaptget's post was the beginning):
ESSID: can be any printable character: a-z A-Z 0-9 and ~`!@##$%^&*()_-+=|]}[{'";:?/>.<, up to 31 characters long. No spaces allowed. (POSIX character class [:graph:]) Please pay extra attention when you are using special characters in the ESSID. Some clients will refuse to connect to it.
MAC address: 12 HEX characters long (01:ab:23:cd:45:ef). [optional input]
Channel: any number from 1 to 13. [optional input]

WEP encryption key filtering:

40 or 104 bit ASCII keys: can be any printable character: a-z A-Z 0-9 and ~`!@##$%^&*()_-+=|]}[{'";:?/>.<, 5 or 13 characters long. No spaces allowed. (POSIX character class [:graph:])

40 or 104 bit HEX keys: can be any HEX characters, 10 or 26 characters long.

And of course, if the WEP key is blank then we have no encryption: OPEN.

Enjoy

Nick

As usual, please download from the 1st post.

Last edited by Nick_the_Greek; 11-11-2009 at 08:04 AM. Reason: Special characters in ESSID attention
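The input rules from #63 (WEP key lengths, the Nbpps_USE / Nbpps_VALUE tags) and #68 (ESSID limited to [:graph:], MAC address, channel 1 to 13), collected into one POSIX sh example added for this page. It is not code from wlan_nick.sh or from Nick; the function names, the constructed wlan.conf fragment and the assumption that a MAC address is entered as six colon-separated hex pairs are mine. The ESSID check is the one that would have caught the "Free Wifi" case from #62/#65: a space is not in [:graph:], so the value is rejected before it ever reaches airbase-ng.

```shell
#!/bin/sh
# Added example, not the wlan_nick.sh script: input checks for the SoftAP
# options the thread describes. Names and sample data are constructed.

NL='
'
# match STRING ERE: true when STRING is a single line matching the ERE.
match() {
    case $1 in *"$NL"*) return 1 ;; esac      # multi-line input never matches
    printf '%s\n' "$1" | grep -Eq "$2"
}

# ESSID: 1 to 31 characters from POSIX [:graph:] (printable, no spaces).
validate_essid() { match "$1" '^[[:graph:]]{1,31}$'; }

# MAC address: 12 hex digits as six colon-separated pairs (assumed input form).
validate_mac() { match "$1" '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; }

# Channel: an integer from 1 to 13.
validate_channel() {
    match "$1" '^[0-9]{1,2}$' && [ "$1" -ge 1 ] && [ "$1" -le 13 ]
}

# classify_wep_key KEY: prints open | wep40-hex | wep104-hex | wep40-ascii |
# wep104-ascii and returns 0; prints nothing and returns 1 for anything else.
# Hex keys may carry ':' between pairs (ab:cd:ef:01:23); only the digits count.
classify_wep_key() {
    key=$1
    if [ -z "$key" ]; then echo open; return 0; fi
    hex=$(printf '%s' "$key" | tr -d ':')
    if match "$hex" '^[0-9a-fA-F]+$'; then
        case ${#hex} in
            10) echo wep40-hex;  return 0 ;;
            26) echo wep104-hex; return 0 ;;
        esac
    fi
    if match "$key" '^[[:graph:]]+$'; then
        case ${#key} in
            5)  echo wep40-ascii;  return 0 ;;
            13) echo wep104-ascii; return 0 ;;
        esac
    fi
    return 1
}

# Constructed wlan.conf fragment with the two nbpps tags from the post.
SAMPLE_CONF='Nbpps_USE yes
Nbpps_VALUE 200'

# conf_tag TEXT TAG: value of the first "TAG value" line, empty if absent.
conf_tag() { printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'; }

# nbpps_value TEXT: print the packets-per-second value to hand to airbase-ng -x
# when Nbpps_USE is yes and Nbpps_VALUE is within 1..1000; print nothing when
# disabled; return 1 when enabled but out of range.
nbpps_value() {
    use=$(conf_tag "$1" Nbpps_USE)
    val=$(conf_tag "$1" Nbpps_VALUE)
    [ "$use" = yes ] || return 0
    if match "$val" '^[0-9]{1,4}$' && [ "$val" -ge 1 ] && [ "$val" -le 1000 ]; then
        echo "$val"
    else
        echo "Nbpps_VALUE must be 1..1000, got '$val'" >&2
        return 1
    fi
}

# Demo run over the values that came up in the thread.
for essid in Free_wifi 'Free Wifi'; do
    if validate_essid "$essid"; then echo "ESSID ok:       '$essid'"
    else echo "ESSID rejected: '$essid'"; fi
done
for key in '' abcde ab:cd:ef:01:23 aaaaaaaaaaaaa 'bad key'; do
    printf "WEP key '%s' -> %s\n" "$key" "$(classify_wep_key "$key" || echo invalid)"
done
echo "nbpps: $(nbpps_value "$SAMPLE_CONF")"
```

A hex key is tried before an ASCII one because every hex example in #63 is longer than 13 characters once the colons are counted, while a 5- or 13-character string made only of hex digits is still a legal ASCII key by the rules in #68.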
#69 | Nick_the_Greek (Senior Member, Greece) | 11-11-2009, 11:52 PM
One more mode added: Air chat

Today I added one new mode.

It's Air chat. You may already know about this, but my thought was that it would be nice to have (for BT4 users) our own version of it. You may check these links for further information:

https://wardriving-forum.de/forum/wi...rchat-Tutorial (in German)
https://wardriving-forum.de/forum/sh...ad.php?t=66648 (in German)
YouTube - Fishing Windows Clients with airbase-ng and airchat
and
< SEDesign /> - Webdevelopment, Webmapping, GIS on Web ET-Chat v2.1a

When you extract wlan_0.8.0a.tar.bz2 (D/L from the 1st post) you will get, among the other files, one new bz2 (airchat.tar.bz2). You don't have to extract it anywhere. Just leave it in the same directory as wlan_nick.sh. The script will extract its files to the right place, which is /var/www/.

ONE IMPORTANT NOTE.
The script will clean up the /var/www/ folder (only that, not its sub-folders).
If you already have any files in the /var/www/ folder it would be wise to make a backup of them. The script will back up /var/www/ to $HOME_DIR/backup/www/ and you will be able to restore its files any time you re-run the script. But I am saying this just in case...

Now, in this mode (No 7) the clients will be forced to chat with the box that is running the script via web browsers. Here is a screenshot from the server's side:
http://uploadingit.com/file/plkrbgazlxvyfjg7/mode7.jpg

One last thing: I am not using dnsspoof, just a simple iptables rule. Normally, no matter what URLs the clients enter in their browsers, they will be forced to see our Air-chat page and chat with the server.

Enjoy

Nick
#70 | Senior Member (joined Feb 2006) | 11-17-2009, 06:42 AM

Nice! Can't wait to use #7 on my next flight. Great work, I've been using your script non-stop since day 1. Thanks again, this has been a very educational project.