
3G + Ubuntu 10.04 + Pineapple = ICS



Hello.

After successfully getting 3G ICS set up I thought I'd share how I got it done. The goal is to share 3G via a 3G USB modem to the router (Pineapple), which then goes on to give that internet via wifi to other victims. A rogue 3G AP.

The victim will connect to the pineapple via wifi. The pineapple will be connected via ethernet to the attacking machine, where a 3G modem is connected that will give internet. Hopefully this makes sense.

(ppp0) Internet 3G >---< (eth1) attacking machine >---< pineapple >---< victim

I will also assume that internet/3g is already working as that can be a handful.

ATTACKING MACHINE
OS - Ubuntu 10.04
IP - 192.168.0.2 (eth0), 172.20.0.178 (ppp0)
DNS - 1.1.1.1, 2.2.2.2

PINEAPPLE
IP - 192.168.0.1 (br-lan)
GW - 192.168.0.2
DNS - 1.1.1.1, 2.2.2.2

VICTIM
IP - 192.168.0.249
GW - 192.168.0.2
DNS - 1.1.1.1, 2.2.2.2

STEP ONE - PREPARE ATTACK MACHINE

Before we connect the pineapple, first we must find DNS info from the internet facing interface. This can be done by issuing: cat /etc/resolv.conf. Make note of these servers, as they will be necessary. Once internet is confirmed working, the Pineapple will then be connected.

A. SET IPTABLES

I haven't played around with the exact iptables configurations myself yet as Firestarter (sudo apt-get install firestarter) does the trick fine. It's point and click and pretty easy to follow, just check "Enable Internet Connection Sharing" and tell it what interfaces to bridge and it will do it. I am bridging ppp0 to eth0.

B. SSH INTO PINEAPPLE

Almost all of the configuration will be made via the command line (it's possible to use the OpenWrt GUI and others to configure this, but it's not as reliable).

ssh 192.168.0.1 -l root

STEP TWO - PREPARE PINEAPPLE

The pineapple should be up. It should be able to speak to the internet but no DNS. So we'll set the DNS servers by first navigating to the /etc directory. Then issue: nano /etc/resolv.conf. Nano is my favorite txt editor because it's simple and easy to use, so I'll assume you can figure it out. We want to make the file (/etc/resolv.conf) look like this:

nameserver 1.1.1.1
nameserver 2.2.2.2

Then save the file (CTRL-X) and exit. The pineapple should be able to ping google.com, verify that. Once verified we need to edit /etc/config/dhcp.conf so that when victims connect they get the right DHCP info. The /etc/config/dhcp.conf file should look like this:

config 'dnsmasq'
	option 'domainneeded' '1'
	option 'boguspriv' '1'
	option 'filterwin2k' '0'
	option 'localise_queries' '1'
	option 'local' '/lan/'
	option 'domain' 'lan'
	option 'expandhosts' '1'
	option 'nonegcache' '0'
	option 'authoritative' '1'
	option 'readethers' '1'
	option 'leasefile' '/tmp/dhcp.leases'
	option 'resolvfile' '/tmp/resolv.conf.auto'

config 'dhcp' 'lan'
	option 'interface' 'lan'
	option 'start' '100'
	option 'limit' '150'
	option 'leasetime' '720m'
	# DHCP option 3 (router): the IP of the attacking machine
	list 'dhcp_option' '3,192.168.0.2'
	# DHCP option 6 (DNS): the IP of the Pineapple, then the DNS servers from ppp0 on the attacking machine
	list 'dhcp_option' '6,192.168.0.1,1.1.1.1,2.2.2.2'
	option 'ignore' '0'

config 'dhcp' 'wan'
	option 'interface' 'wan'
	option 'start' '100'
	option 'limit' '150'
	option 'leasetime' '720m'
	option 'ignore' '1'

# static lease entry for the attacking machine (a complete 'host' section also carries 'name' and 'mac')
config 'host'
	option 'ip' '192.168.0.2'

STEP THREE - START KARMA (via web interface 192.168.0.1:1471)

This is pretty much the meat and potatoes of things. You should now be able to connect a victim to the Pineapple and the victim can access the 3G internet via wifi. Now is the fun part. Here you can use SSLStrip + iptables to reroute traffic and sniff it. Personally I don't like this attack as SSLStrip can be kind of obvious to the victim (it's slow plus no SSL). I prefer to DNS spoof to a malicious Java applet for a Meterpreter session. Or you can rickroll the Pineapple to a page with a malicious Java applet for a Meterpreter session also. Then pretty much anyone who connects will be pwned, and if you have Karma running that can be a lot of people. Of course just as a proof of concept.

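As an added example that is not part of the original post: the post leaves STEP ONE A to Firestarter's "Enable Internet Connection Sharing" checkbox. The script below is the iptables equivalent, written for this page rather than taken from Firestarter or the Pineapple firmware. It masquerades the Pineapple's LAN out through the 3G link and only forwards return traffic back in. The interface names (ppp0, eth0) and the 192.168.0.0/24 subnet are assumptions lifted from the addressing plan above and can be overridden with environment variables; `show` prints the rules for review and `apply` runs them as root.

```shell
#!/bin/sh
# Added example (not from the original post): iptables-based Internet
# Connection Sharing from the 3G modem to the NIC facing the Pineapple.
# Interface names and the LAN subnet are assumptions from the post's
# addressing plan; override with WAN_IF, LAN_IF, LAN_NET.
WAN_IF="${WAN_IF:-ppp0}"             # 3G modem, 172.20.0.178 in the post
LAN_IF="${LAN_IF:-eth0}"             # NIC facing the Pineapple, 192.168.0.2
LAN_NET="${LAN_NET:-192.168.0.0/24}" # Pineapple br-lan subnet

# ics_rules WAN LAN NET: print the commands one per line so they can be
# reviewed (and tested) before anything touches the firewall.
ics_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# ics_apply WAN LAN NET: execute the rules (needs root), echoing each one.
ics_apply() {
    ics_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        eval "$cmd"
    done
}

# ics_forwarding_enabled: succeeds if the kernel is currently forwarding IPv4.
ics_forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

case "${1:-show}" in
    apply) ics_apply "$WAN_IF" "$LAN_IF" "$LAN_NET" ;;
    show)  ics_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

The FORWARD policy is DROP and only the LAN-to-WAN direction is opened, so a host on the 3G side cannot reach the Pineapple LAN unless the LAN initiated the connection; Firestarter's checkbox does not make that choice explicit. Run `sh ics.sh show` first, then `sudo sh ics.sh apply`, and confirm with `ics_forwarding_enabled` (or `cat /proc/sys/net/ipv4/ip_forward`) before plugging in the Pineapple.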

I will also assume that internet/3g is already working as that can be a handful.

After a couple of failed attempts because of incomplete guides, I got my iPhone connected as eth1,

so I decided to make a quick YouTube video with the steps, so that others would not have the same trouble (and so that I can remember it myself the next time) ;)

http://www.youtube.com/user/ZeppDK?feature=mhee#p/u/1/YoVCbt5Bim0

I'm thinking of remaking it in HD, and typing a little faster :lol:
