Tuesday, August 27, 2013

Fake AP on Kali Linux

At the time of this post there is a lot of wrong information on how to setup a fake AP on Kali Linux.  This seems to be mostly because Kali Linux uses the isc-dhcp-server package and not dhcp3.  Right now SET’s fake AP doesn’t work due to this.  I’m sure that will be fixed soon, @dave_rel1k puts a lot of effort into that tool which is why it is so great.  But for right now, it doesn’t work for setting up a fake AP.  So if you google around you find videos about Websploit like this one: http://www.youtube.com/watch?v=DXGj2vxdzvo

Well that doesn’t work either for the same reason.  How frustrating is that?  I found two tools that do work with some setup.  Easy-Creds and PwnSTAR.  While both worked I decided I liked Easy-Creds better but I’ll help you get both going now.


Check the github page and see if Brav0Hax added the install.sh script there yet https://github.com/brav0hax/easy-creds.  If so, download everything from github.  If there is no install.sh file download the tarball from there: http://sourceforge.net/projects/easy-creds/files/easy-creds-v3.7.3.tar.gz/download.  Untar the file and run the install.sh script.

Two things will fail but that is OK.  First, it tries to install and older version of lilssl, no worries.  The other is the dhcp3 server.  So manually run apt-get install isc-dhcp-server.  Now in case you played with dhpc3 or another script that I mentioned above, make sure there is no /etc/dhcp3 directory.  If there is delete it or things won’t work.  The directory isc-dhcp-server uses is /etc/dhcp and there is a dhcpd.conf file in there, that is the one you will use.

Now download the current version of the easy-creds.sh script from github https://github.com/brav0hax/easy-creds and copy if over the version that you installed with install.sh (probably /opt/easy-creds/easy-creds.sh).

Run updatedb one last time for good luck.

The cool thing about this install script is it always setups FreeRADIUS-WPE for you all automated, which is another whole blog post.

Now run the script.    Pick option 1 and then 4, and then 7:

Note: the version at the top is 3.8-dev.  If you are running something older things won’t work.

I found if you don’t do this the AP you setup is a bit flaky and karmetasploit won’t work, and you want that to work now don’t you?  Finally, in the Prerequisites & Configurations menu select 5 and add at0 to the INTERFACES in the file it opens up as so:

Remember to save the file when you exit.  Now you are ready to go.

Create a Fake AP:
Simply pick FakeAP Attacks from the main menu, select the one you want, and fill in the info it asks for.  In almost all cases its example is exactly what you want to use.  It is as easy as that. The Static attack will setup an AP with a name that you set, if you are testing it that is the easiest to use for a test so you can connect to it and make sure everything is working.  The EvilTwin will simply respond to whatever clients ask for, which is probably what you want to do for real, but can be harder to test.
Brov0Hax has some good videos for this tool, here is a good one for setting up the Static AP:


First, do everything I just told you to do in the setup of Easy-Creds.  That is right, that tool’s setup automates things and it is all the same requirements.  So if you skipped that tool, go back and start from the beginning. 

Next, run Eterm, select Background, Pixmap, None.  Then Eterm, Save Them Settings and Save User Settings.  You may not have to do this, but for me the Eterm pop up windows all had messed up backgrounds that made it impossible for me to read the text.  It was crazy annoying, if that happens to you, that is how you fix it.

I also recommend reading the README.txt as well.

Create a Fake AP:
Run the script and pick and option and go through the menu.  It is almost that easy since you set things up for Easy-Creds:
Now there is one catch, when you see this:

You just lost your Internet connection.  In another windows bring it back up and don’t move on until you can ping google.com or things won’t work.  I found I just needed to do a dhclient eth0 and everything was all fixed.  I don’t know why this happens.


Both tools do slightly different things.  Easy-Creds has the handy install script which helps a lot with setting things up for both tools and it doesn’t kill your LAN connection like PwnSTAR does. The one thing PwnSTAR does that Easy-Creds doesn’t is it offers a “Both” option for Evil Twin where it will both broadcast a specific SSID and respond to whatever the client ask for.  I like that.  Easy-Creds looks like it is one or the other only.  Other than that Easy-Creds seems cleaner and seems to work more consistently.  Overall that is the tool I would recommend you use right now.  I’m sure SET and Websploit will update their tools as well before too long and they will start working again.  Until then, you now know what to do.

No comments:

Post a Comment