bobbyb1980 Posted November 24, 2011

Hello. After successfully getting 3G ICS set up I thought I'd share how I got it done. The goal is to share 3G via a 3G USB modem to the router (pineapple), which then goes on to give that internet via wifi to other victims. A rogue 3G AP.

The victim will connect to the pineapple via wifi. The pineapple will be connected via ethernet to the attacking machine, where a 3G modem is connected that will give internet. Hopefully this makes sense.

(ppp0) Internet 3G >---< (eth1) attacking machine >---< pineapple >---< victim

I will also assume that internet/3G is already working, as that can be a handful.

ATTACKING MACHINE
OS - Ubuntu 10.04
IP - 192.168.0.2 (eth0) 172.20.0.178 (ppp0)
DNS - 126.96.36.199 188.8.131.52

PINEAPPLE
IP - 192.168.0.1 (br-lan)
GW - 192.168.0.2
DNS - 184.108.40.206 220.127.116.11

VICTIM
IP - 192.168.0.249
GW - 192.168.0.2
DNS - 18.104.22.168 22.214.171.124

STEP ONE - PREPARE ATTACK MACHINE

Before we connect the pineapple, first we must find the DNS info from the internet-facing interface. This can be done by issuing: cat /etc/resolv.conf. Make note of these servers, as they will be necessary. Once internet is confirmed working, the Pineapple will then be connected.

A. SET IPTABLES

I haven't played around with the exact iptables configurations myself yet as Firestarter (sudo apt-get install firestarter) does the trick fine. It's point and click and pretty easy to follow; just check "Enable Internet Connection Sharing" and tell it what interfaces to bridge and it will do it. I am bridging ppp0 to eth0.

B. SSH INTO PINEAPPLE

Almost all of the configurations will be made via command line (it's possible to use OpenWrt and other GUIs to config this but not as reliable either).

ssh 192.168.0.1 -l root

STEP TWO - PREPARE PINEAPPLE

The pineapple should be up. It should be able to speak to the internet but no DNS. So we'll set the DNS servers by first navigating to the /etc directory. Then issue: nano /etc/resolv.conf. Nano is my favorite text editor because it's simple and easy to use, so I'll assume you can figure it out. We want to make the file (/etc/resolv.conf) look like this:

nameserver 126.96.36.199
nameserver 188.8.131.52

Then save the file (CTRL-X) and exit. The pineapple should be able to ping google.com; verify that. Once verified we need to edit /etc/config/dhcp.conf so that when victims connect they get the right DHCP info. The /etc/config/dhcp.conf file should look like this:

config 'dnsmasq'
    option 'domainneeded' '1'
    option 'boguspriv' '1'
    option 'filterwin2k' '0'
    option 'localise_queries' '1'
    option 'local' '/lan/'
    option 'domain' 'lan'
    option 'expandhosts' '1'
    option 'nonegcache' '0'
    option 'authoritative' '1'
    option 'readethers' '1'
    option 'leasefile' '/tmp/dhcp.leases'
    option 'resolvfile' '/tmp/resolv.conf.auto'

config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '720m'
    list 'dhcp_option' '3,192.168.0.2'    # this is the IP of the attacking machine
    list 'dhcp_option' '6,192.168.0.1,184.108.40.206,220.127.116.11'    # this is the IP of the pineapple, then the DNS servers from ppp0 on the attacking machine
    option 'ignore' '0'

config 'dhcp' 'wan'
    option 'interface' 'wan'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '720m'
    option 'ignore' '1'

config 'host'
    option 'ip' '192.168.0.2'    # this is the IP of the attacking machine

STEP THREE - START KARMA (via web interface 192.168.0.1:1471)

This is pretty much the meat and potatoes of things. You should now be able to connect a victim to the Pineapple and the victim can access the 3G internet via wifi. Now is the fun part. Here you can use SSLStrip + iptables to reroute traffic and sniff it. Personally I don't like this attack as SSLStrip can be kind of obvious to the victim (it's slow plus no SSL). I prefer to DNS spoof to a malicious Java applet for a meterpreter session. Or you can rickroll the pineapple to a page with a malicious Java applet for a meterpreter session also. Then pretty much anyone who connects will be pwned, and if you have karma running that can be a lot of people. Of course just as a proof of concept.
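As an added example (not from the post above or from the Pineapple project), a small Python audit for the UCI-style /etc/config/dhcp format the post shows: it parses the file, reports which gateway (option 3) and resolvers (option 6) the 'lan' pool hands to clients, and flags any that differ from the DHCP server's own address, which is the check a network owner would run to spot a pool steering clients elsewhere. The sample config and its addresses are constructed placeholders.

```python
import shlex

# Constructed sample in the same UCI format as the post's /etc/config/dhcp;
# the addresses are placeholders, not taken from the post.
SAMPLE_DHCP_CONFIG = """
config 'dnsmasq'
    option 'domain' 'lan'
    option 'authoritative' '1'

config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '100'
    list 'dhcp_option' '3,192.168.0.2'        # gateway pushed to clients
    list 'dhcp_option' '6,192.168.0.1,10.0.0.53'   # resolvers pushed to clients
    option 'ignore' '0'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # strip trailing '#' comments like the post's notes
        if not line:
            continue
        tokens = shlex.split(line)             # handles the single-quoted UCI values
        if tokens[0] == 'config':
            name = tokens[2] if len(tokens) > 2 else None
            sections.append((tokens[1], name, {}))
        elif tokens[0] in ('option', 'list') and sections:
            sections[-1][2].setdefault(tokens[1], []).append(tokens[2])
    return sections

def advertised_options(text, section_name='lan'):
    """Return (gateway, [resolvers]) that the named dhcp section hands to clients."""
    gateway, dns = None, []
    for stype, name, opts in parse_uci(text):
        if stype != 'dhcp' or name != section_name:
            continue
        for entry in opts.get('dhcp_option', []):
            code, _, value = entry.partition(',')
            if code == '3':          # DHCP option 3: default router
                gateway = value
            elif code == '6':        # DHCP option 6: DNS servers, comma separated
                dns = value.split(',')
    return gateway, dns

def audit(text, dhcp_server_ip, section_name='lan'):
    """List every advertised gateway or resolver that is not the DHCP server itself."""
    gateway, dns = advertised_options(text, section_name)
    findings = []
    if gateway and gateway != dhcp_server_ip:
        findings.append(f'gateway {gateway} is not the DHCP server {dhcp_server_ip}')
    findings += [f'resolver {s} is off-box' for s in dns if s != dhcp_server_ip]
    return findings
```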