bobbyb1980 Posted November 24, 2011

Hello. After successfully getting 3G ICS set up I thought I'd share how I got it done. The goal is to share 3G via a 3G USB modem to the router (pineapple), which then goes on to give that internet via wifi to other victims. A rogue 3G AP.

The victim will connect to the pineapple via wifi. The pineapple will be connected via ethernet to the attacking machine, where a 3G modem is connected that will give internet. Hopefully this makes sense.

(ppp0) Internet 3G >---< (eth1) attacking machine >---< pineapple >---< victim

I will also assume that internet/3G is already working as that can be a handful.

ATTACKING MACHINE
OS - Ubuntu 10.04
IP - 192.168.0.2 (eth0)
     172.20.0.178 (ppp0)
DNS - 1.1.1.1 2.2.2.2

PINEAPPLE
IP - 192.168.0.1 (br-lan)
GW - 192.168.0.2
DNS - 1.1.1.1 2.2.2.2

VICTIM
IP - 192.168.0.249
GW - 192.168.0.2
DNS - 1.1.1.1 2.2.2.2

STEP ONE - PREPARE ATTACK MACHINE

Before we connect the pineapple, first we must find DNS info from the internet-facing interface. This can be done by issuing: cat /etc/resolv.conf. Make note of these servers, as they will be necessary. Once internet is confirmed working, the Pineapple will then be connected.

A. SET IPTABLES

I haven't played around with the exact iptables configurations myself yet as Firestarter (sudo apt-get install firestarter) does the trick fine. It's point and click and pretty easy to follow, just check "Enable Internet Connection Sharing" and tell it what interfaces to bridge and it will do it. I am bridging ppp0 to eth0.

B. SSH INTO PINEAPPLE

Almost all of the configurations will be made via command line (it's possible to use openwrt and other GUIs to config this but not as reliable either).

ssh 192.168.0.1 -l root

STEP TWO - PREPARE PINEAPPLE

The pineapple should be up. It should be able to speak to the internet but no DNS. So we'll set the DNS servers by first navigating to the /etc directory. Then issue: nano /etc/resolv.conf.

Nano is my favorite txt editor because it's simple and easy to use, so I'll assume you can figure it out. We want to make the file (/etc/resolv.conf) look like this:

nameserver 1.1.1.1
nameserver 2.2.2.2

Then save the file (CTRL-X) and exit. The pineapple should be able to ping google.com, verify that.

Once verified we need to edit /etc/config/dhcp.conf so that when victims connect they get the right DHCP info. The /etc/config/dhcp.conf file should look like this:

config 'dnsmasq'
    option 'domainneeded' '1'
    option 'boguspriv' '1'
    option 'filterwin2k' '0'
    option 'localise_queries' '1'
    option 'local' '/lan/'
    option 'domain' 'lan'
    option 'expandhosts' '1'
    option 'nonegcache' '0'
    option 'authoritative' '1'
    option 'readethers' '1'
    option 'leasefile' '/tmp/dhcp.leases'
    option 'resolvfile' '/tmp/resolv.conf.auto'

config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '720m'
    list 'dhcp_option' '3,192.168.0.2'   ###### this is the IP of the attacking machine
    list 'dhcp_option' '6,192.168.0.1,1.1.1.1,2.2.2.2'   ###### this is the IP of the pineapple, then the DNS servers from ppp0 on the attacking machine
    option 'ignore' '0'

config 'dhcp' 'wan'
    option 'interface' 'wan'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '720m'
    option 'ignore' '1'

config 'host'
    option 'ip' '192.168.0.2'   ###### this is the ip of the attacking machine

STEP THREE - START KARMA (via web interface 192.168.0.1:1471)

This is pretty much the meat and potatoes of things. You should now be able to connect a victim to the Pineapple and the victim can access the 3G internet via wifi.

Now is the fun part. Here you can use SSLStrip + iptables to reroute traffic and sniff it. Personally I don't like this attack as SSLStrip can be kind of obvious to the victim (it's slow plus no SSL). I prefer to DNS spoof to a malicious Java applet for a meterpreter session. Or you can rickroll the pineapple to a page with a malicious Java applet for a meterpreter session also. Then pretty much anyone who connects will be pwned, and if you have karma running that can be a lot of people. Of course just as a proof of concept.
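An added example (not from the thread) that parses the UCI-style dhcp config from the post above and decodes what a connecting client is actually handed: the lease pool (which ends at .249, the victim address listed in the post), DHCP option 3 (router) and option 6 (DNS servers). The point for a defender is the last check: because option 6 lists the AP itself before the upstream resolvers, every client lookup goes through the AP's dnsmasq, which is exactly what the DNS-spoofing step relies on; a client that compares its DHCP-issued resolver against its gateway will notice that. The sample config and the subnet prefix are constructed from the post, and `OPTION_NAMES` only covers the two option codes it uses.

```python
import shlex

# Constructed sample: the two 'dhcp' sections from the post (comments dropped), not a live device.
SAMPLE_UCI = """
config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '100'
    option 'limit' '150'
    list 'dhcp_option' '3,192.168.0.2'
    list 'dhcp_option' '6,192.168.0.1,1.1.1.1,2.2.2.2'
    option 'ignore' '0'
config 'dhcp' 'wan'
    option 'interface' 'wan'
    option 'ignore' '1'
"""
OPTION_NAMES = {3: "router", 6: "dns-server"}  # RFC 2132 option codes used in the post

def parse_uci(text):
    """UCI text -> list of (type, name, values); 'list' keys collect into Python lists."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # UCI quoting is shell-like
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] == "option" and sections:
            sections[-1][2][parts[1]] = parts[2]
        elif parts[0] == "list" and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def lan_client_settings(text, subnet="192.168.0."):
    """What a client on the served (ignore='0') pool gets: lease range plus decoded options."""
    for stype, _name, v in parse_uci(text):
        if stype != "dhcp" or v.get("ignore", "0") != "0":
            continue  # the 'wan' pool is disabled, skip it
        start, limit = int(v["start"]), int(v["limit"])
        out = {"interface": v["interface"],
               "pool": (subnet + str(start), subnet + str(start + limit - 1))}
        for entry in v.get("dhcp_option", []):
            code, *addrs = entry.split(",")
            out[OPTION_NAMES.get(int(code), "option-" + code)] = addrs
        return out
    return None

def dns_served_by_ap(settings, ap_ip="192.168.0.1"):
    """True when the first resolver handed out is the AP itself, so its dnsmasq answers every lookup."""
    dns = settings.get("dns-server", [])
    return bool(dns) and dns[0] == ap_ip
```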
itsm0ld Posted November 24, 2011

Nice write up bobbyb1980! I also love nano but it's not installed on the Mark 2 so here is the code to get it. Note the Mark 2 must be able to connect to the internet first...

opkg update
opkg install libncurses nano
Darren Kitchen Posted November 24, 2011

This is very similar to the way the Mark 3 was built, mostly inspired by Echoblack's guide here: http://forums.hak5.org/index.php?showtopic=15200
stuffses Posted November 29, 2011

I have an MKIII, would these instructions work with it?
httpCRASH Posted November 29, 2011

"I will also assume that internet/3g is already working as that can be a handful."

After a couple of failed attempts because of incomplete guides, I got my iPhone connected as eth1, so I decided to make a quick YouTube video with the steps, so that others would not have the same trouble (and so that I can remember it myself the next time) ;)

http://www.youtube.com/user/ZeppDK?feature=mhee#p/u/1/YoVCbt5Bim0

I'm thinking of remaking it in HD, and typing a little faster.