Hostbase ( Fake Rogue AP attack )

Discussion in 'Беспроводные технологии/Wi-Fi/Wardriving' started by mani4, 19 Mar 2017.

  1. mani4

    mani4 Member

    Joined:
    15 Dec 2015
    Messages:
    22
    Likes Received:
    48
    Reputations:
    0
    Bash скрипт для продвинутой атаки с фэйковой точкой доступа.
    Этот скрип быстро отключает подключенного к точке доступа клиента,
    создает поддельную точку доступа с шифрованием WPA,
    создаёт большие помехи и вытесняет целевую точку доступа нашей фэйковой точкой доступа (работает только против WINDOWS систем )
    Запрашивает нажать кнопку WPS вместо того чтобы запрашивать ввести пароль WPA, что выглядит очень подозрительно...

    Я думаю этот проэкт может быть настоящей бомбой, и открывает новое течение в развитии техники
    ROGUE AP ATTACK.

    ссылка на github.com

    https://github.com/Koala633/hostbase
     
    uzeerpc, Mednik, RomanxD and 2 others like this.
  2. yx-ex

    yx-ex Well-Known Member

    Joined:
    14 May 2011
    Messages:
    758
    Likes Received:
    787
    Reputations:
    10
    Это конечно очень здорово.Единственное скажу-за всю свою жизнь(не буду говорить за всех),я еще ни разу не видел в общении и не наблюдал чтобы при мне хоть кто-нибудь вообще хоть раз нажимал эту кнопку.Не знаю,может быть недостаточно много присутствовал в ситуациях с выяснением паролей(хотя и не могу сказать что мало,почти все соседи и знакомые меня зовут помочь с инетом и вайфаем),но при мне человек всегда интересовался самим паролем вместо того чтобы даже хоть раз обратить внимание на эту кнопку.Я как бы не претендую на абсолютную истину,но увы,при мне ни разу про эту кнопку никогда никто не вспоминал,и при проблемах с подключением к вайфай также никому даже в голову не приходило обратить внимание на эту кнопку.Подозреваю что вообще почти все обычные пользователи роутеров и не догадываются что это за кнопка и для чего она вообще..))
     
    Kakoluk, V777, Veil and 5 others like this.
  3. Kevin Shindel

    Kevin Shindel Elder - Старейшина

    Joined:
    24 May 2015
    Messages:
    1,011
    Likes Received:
    1,192
    Reputations:
    62
    Многие юзвери при упоминании слова WPS не понимают вообще о чём идет речь... согласен с ух-ех.
     
    Veil, Mednik, fffsfs and 2 others like this.
  4. koala633

    koala633 Member

    Joined:
    19 Mar 2017
    Messages:
    10
    Likes Received:
    10
    Reputations:
    0
    Bonjour à tous :)

    Im using google translate so sorry if i don't understand all you say but i will try to do my best.The WPS button of the router is shown on the fake page when the user see it, every router have his own button so i make this example for 2 most popular router in France ( im french).When the user push this button, we connect to his router with a sample WPS/PBC request and the key is registered with wpa_supplicant.THere is a english PDF with the script you can see more things into if you want.

    Another thing how to translate my language to the Russia Language ? : Cool:
     
  5. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    Well, there is a big bunch of different router manufacturers and models in Russia, each have different web admin interface. Some of them are rebranded by local ISPs, so the interface is totally unique.

    And there are still some router models which don't have WPS at all...

    So, this kind of attack is probably possible in Russia, but difficult to exploit.
     
    Veil likes this.
  6. fffsfs

    fffsfs Member

    Joined:
    17 Jan 2017
    Messages:
    268
    Likes Received:
    10
    Reputations:
    0
    Сами говорите шары не будет WPS отключают, а потом говорите что не знают что такое WPS
     
  7. koala633

    koala633 Member

    Joined:
    19 Mar 2017
    Messages:
    10
    Likes Received:
    10
    Reputations:
    0
    QUOTE="binarymaster, post: 4062607, member: 148032"]Well, there is a big bunch of different router manufacturers and models in Russia, each have different web admin interface. Some of them are rebranded by local ISPs, so the interface is totally unique.

    And there are still some router models which don't have WPS at all...

    So, this kind of attack is probably possible in Russia, but difficult to exploit.[/QUOTE]

    Hello, ah i see... hard to use in this case agree with you.

    Maybe other attack can be use again entreprise network for mitm attack ( i do the script in this case too) hostapd create encrypted AP in WPA, there is no open network at all in this case it can be a very quiet and silencious attack, hostapd is very powerful tool and you can create 3 fake encrypted ap networks at the same time.The client doesn't have to know the password of your fake encrypted network cause we open hostapd_cli every 120 seconds (delay for a wps connect).Many scripts are using hostapd and airbase on open networks because they get stuck with the WPA and how to connect the client into the fake AP.I worked on rogue AP since long time and with the WPS and hostapd we can do a lot of fun things.An encrypted network is not suspicious than a open network.

    Also windows wpa_supplicant is very bad (it's windows ...) and can be easily confused to put your AP on first position instead of the real.Airbase-ng encrypted rogue AP cafe-latte attack can be used again WPA routers which have hexadecimal password, ( a lot in France :D ) .

    I have some other idea to push the rogue AP at his limit because im sure the limit is not reached yet.I will be very happy to speak with your community member here about what we can perform and what we can do more :)
     
    binarymaster likes this.
  8. fury_makers

    fury_makers Member

    Joined:
    7 Mar 2013
    Messages:
    128
    Likes Received:
    20
    Reputations:
    0
    Нашел еще одну проблему при использовании mdk3 точка доступа просто меняет канал и продолжает работать без видимых проблем. Есть решения даной проблемы?
     
  9. koala633

    koala633 Member

    Joined:
    19 Mar 2017
    Messages:
    10
    Likes Received:
    10
    Reputations:
    0
    Sorry google translate is little confusing sometimes,

    Do you mean the target AP is changing his channel when you use mdk3 againt it ? or it is your fake ap is changing the chanel by himself ?
     
  10. yx-ex

    yx-ex Well-Known Member

    Joined:
    14 May 2011
    Messages:
    758
    Likes Received:
    787
    Reputations:
    10
    Фраза "обычных людей" в его посте ни о чем вам не говорит? 99 процентов (повторяю) обычных людей не знают где находится кнопка WPS на роутере, а закрывают взлом роутеров по WPS не обычные люди,а производители роутеров закрывая дыры в уязвимостях WPS. Вы хоть следите за ходом мыслей людей и пишите по существу вопроса,а не смешав всё в кучу в голове.
     
    khamyk and kuz like this.
  11. yx-ex

    yx-ex Well-Known Member

    Joined:
    14 May 2011
    Messages:
    758
    Likes Received:
    787
    Reputations:
    10
    Google Translator traduit facilement du français en russe et du russe en français, que je l'ai fait aujourd'hui. Pas très bonne qualité, mais le sens est clair .Cet est mieux que rien )))
     
  12. koala633

    koala633 Member

    Joined:
    19 Mar 2017
    Messages:
    10
    Likes Received:
    10
    Reputations:
    0
    спасибо :)
     
  13. khamyk

    khamyk Well-Known Member

    Joined:
    30 Dec 2013
    Messages:
    552
    Likes Received:
    337
    Reputations:
    0
    Yes,the AP is changing his channel when attacker use mdk3.
     
  14. koala633

    koala633 Member

    Joined:
    19 Mar 2017
    Messages:
    10
    Likes Received:
    10
    Reputations:
    0
    Некоторые изменения маршрутизаторы канала регулярно, хотя они rares.Pour избежать этого, мы должны смотреть на станции, а не routeur.

    Exemple: когда станция отсоединены и должна помешать ему вступая в его сеть légitime.

    Le Сеть по умолчанию записывается в окнах так окон приложения Wireless Manager способен обнаружить изменения в configuration.Regardons его ближе:



    Code:
    mdk3 ${intmoniteur} d -g -t "${BSSID}" -c "${canal}"
    
    
    sleep 20;
    
    
    airbase-ng -c "${canal}" -a "${BSSID}" --essid "${ESSID}" -W 1 ${intmoniteur}
    
    
    sleep 4;
    Мы должны смотреть на станцию, прежде чем ap.Windows сохраняет сеть в менеджере и окна Wireless и в состоянии обнаружить изменения поэтому configurations.
    On будет полагать, что сетевая конфигурация изменилась.
    Первым шагом и отключить станцию и подождать немного (сон 20), а второй, чтобы начать вторую команду авиабазу с параметрами истинного réseau.
    En делают как его, станция больше не будет подключаться к сети, даже если он меняет canal.
    L'utilisateur см сообщение ниже его сети, какие настройки сети не совпадают зарегистрированных.
    Между тем поддельные ваше объявление будет отображаться в верхней части списка беспроводных сетей (см PDF несанкционированной партии) .
    Есть будет намного более вероятно, что пользователь подключается к сети ложного взгляда, что она не может sien.Cette не атака является более эффективным с двумя WiFi карты,
    чтобы создать поддельную сеть и один для реальной сети DDOS и сделать Buger на станции злобу utilisateur.
    Si этого есть проблемы, десантирования -ng также очень эффективен.
     
    mani4 likes this.
  15. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    That's why I prefer to write in english without Google Translate. :D

    It translates some words which should not be translated - particularly program names (airbase-ng, aireplay-ng, etc.)
     
    khamyk likes this.
  16. koala633

    koala633 Member

    Joined:
    19 Mar 2017
    Messages:
    10
    Likes Received:
    10
    Reputations:
    0
    Yes google is a stupid bot :D

    Previous message:

    The first thing to do is disconnect the station then wait a little (sleep 20) and launch another airbase command.The network of the user is registered on his windows network manager, if you change one of the parameters, windows will not recognize the network.

    Step 1: kick the station
    Code:
    mdk3 ${intmoniteur} d -g -t "${BSSID}" -c "${canal}"
    sleep 20;
    Step 2: launch the airbase command with the parameters of the real network (same ssid, bssid and canal).

    Code:
    airbase-ng -c "${canal}" -a "${BSSID}" --essid "${ESSID}" -W 1 ${intmoniteur}
    That will affect the windows manager of the user and the user can't connect any more to his network because windows has detected that the parameters has been changed and the following message appear if he try to connect "The configuration not match with the network".The real network can change his chanel but the user will stay without internet cause of the windows network manager wich not allow the connection.This is a crucial point of the attack, i recommend to read the pdf i puted on the git with the english version, he explain a lot of things with pictures.If you have any question i will try to do my best to answer correctly :)


    To make this attack more powerful i recommend to use at same time mdk3 and airbase-ng on a second wireless card.
     
    binarymaster likes this.
  17. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
  18. fire-dance

    fire-dance Elder - Старейшина

    Joined:
    12 May 2015
    Messages:
    1,004
    Likes Received:
    666
    Reputations:
    12
    все интересно стало у меня такая же проблема переходит на другой канал при мдк3, немного не понятно кривой переводчик, есть какая нибудь программа для такого?
    вот роутер
    http://zalil.su/6030154
    вот что по мак адресу определил сайт http://3wifi.stascorp.com/
    http://zalil.su/5284839
     
  19. koala633

    koala633 Member

    Joined:
    19 Mar 2017
    Messages:
    10
    Likes Received:
    10
    Reputations:
    0
    Hi ;)

    If the target AP is changing his channel is maybe due to a manual reboot of the user, i don't know wich router is used in Russia but in Spain and France the router doesn't change his channel alone.

    If the target AP continue to change his channel try to set up mdk3 manualy in a new shell and enter the target bssid without specifying any channel, like that mdk3 will track the target bssid instead of the channel.The intelligence association mode and the amok mode are i think the best settings to use with mdk3, just try to set up it manualy if the target AP change his channel and let me know what happen.
     
    mani4 and hydra like this.
  20. koala633

    koala633 Member

    Joined:
    19 Mar 2017
    Messages:
    10
    Likes Received:
    10
    Reputations:
    0
    Hi all :cool:


    i made an update of the script.Remember this script work with kali/ubuntu and need 2 wireless card for a more powerfull attack.


    CHANGELOG:
    Trap function with ctrl+c to exit quickly the script and clean up files
    Working directory is now /tmp instead of /root
    Only one install script for kali/linux instead of 2 separate before
    Apache2 is automatically configured for http
    Network-manager is now automatically started by ending the script with ctrl+c or with the "Quit" option
    Added compatibility with wireless card rename wlx* by system.d
    Active DoS attack on the master channel's to continue kick users if target AP change his channel.
    PDF included: --> please read it <--


    To get the update download the folder "hostbase" the hostbase english version doesn't have the update included inside but both are in english.I will delete the old hostbase english version later.


    When downloaded:
    Go inside the hostbase folder and launch the installation script dependency:
    Code:
    bash newinstall.sh
    Then when install finished, you will have the choice between hostbase1.0 and hostbase0.9.

    The 0.9 ask for the key
    The 1.0 ask for wps push button

    At the first install all is going to do automaticaly but for the next use copy the hostbase folder into /tmp and start it like that:
    Code:
    cd /tmp/hostbase
    bash hostbase1.0.sh
    For 0.9 version
    Code:
    cd /tmp/hostbase/hostbaseV0.9
    bash hostbase0.9.sh
    If you want to use the phishing page of your country, you will have to change the name on the script.Don't forget to start with the passive scan (option 5) for scan around and for kill any trouble process (network-manager etc...)

    This script is a rogue AP based script and use WPA rogue AP with wps open session to let the victim come to us.
    Also a new DoS is incorpored to track every second you want the channel of the target AP.


    Available here:

    https://github.com/Koala633/hostbase


    Enjoy it ;)


    Ps: not for beginner usage
     
    #20 koala633, 6 May 2017
    Last edited: 6 May 2017
    Majgap, binarymaster and mani4 like this.