Hostbase-1.4 está aquí

Koala · 09-02-2022 21:12:12

Buenas smile

Antes de todo esa version es totalmente experimental, lo que cambia es la DoS que se para solamente cuando el boton WPS ha sido apyado y otros pequenitos problemos fixed.

Esa version el la continuacion de lo que hemos hablado en este enlace:

A possible improvment to WPS PBC hack

Antes paraba la DoS solamente cuando la victima se conectaba en el falso AP para dejar tiempo a el AP de recuperar del ataque DoS.Ahora se para dolamenter cuando el boton WPS ha sido apoyado.Lo que quiere décir es que en algunos router no andara porqué la DoS ha saboteado el ap original y dèspuès no se puede hacer la conexion WPS...He hecho mis pruebas con 2 redes totalmente diferentes y ha andao.O sea si no anda sera bien de conocer el modelo del router.

Tiene 4 typos de ataque.

-1 El ataque del falso AP en WPA/2 con una pagina de phishing y la DoS en bandas 2.4GHz

-2 El ataque del falso AP en WPA/2 con una pagina de phishing tambien pero con DoS en bandas 2.4GHz y 5GHz

-3 El ataque del falso AP en red abierta con una pagina de phishing y la DoS en bandas 2.4GHz pero usando berate_ap

-4 El ataque del falso AP en red abierta con una pagina de phishing y la DoS en bandas 2.4GHz y 5GHz pero usando berate_ap tambien

-5 Y la ultima opcion que no es une ataque: WPS PBC loop que llama a todas la conexiones alrededor para intentar tener una clave wifi si un usario apoya su boton WPS

Que es berate_ap ?

Berate_ap es un creador de punto de acceso, usa hostapd tambien para personalizar un monton de opciones

Mas informacion en el github oficial --> https://github.com/sensepost/berate_ap

Me vais a décir porqué usar berate_ap cuando hostapd hace el trabajo solo ?

Es que berate_ap automatiza los ficheros como hoastapd.conf y el servidor dhcp que nos sirve para dar un IP a la victima.Eso es totalmente lo mejor que se puede hacer en ese momento.Y claro, menos codigo a hacer de mi lado big_smile lo unico es que tiene algunas limitaciones, veremos porqué.

Antes de empezar a hablar de todo: hostbase anda con 2 tarjetas wifi por defecto, si no teneis 2 tarjetas wifi no se puede usar hostbase.Si teneis 2 tarjetas wifi podras usar el ataque "de hostapd WPA 2.4GHz" o el ataque "Berate_ap 2.4Ghz"

(por seguro teneis que verificar que la tarjeta wifi es compatible con hostapd) todo eso esta explicado en el fichero "ABREME" en la carpeta de hostbase y en en git: https://github.com/Koala633/hostbase

Con el modo en 5GHz anda con 3 tarjetas wifi (una por el falso AP, otra para la DoS en 2.4GHz y otra por la DoS en 5GHz).Me imagino que poca gente tendra 3 tarjetas wifi (una de los 3 tarjetas tiene que estar compatible con las bandas 5GHz), pero para los que le gustan hacer pruebas en el wifi esta bien asi.Y si estaba del lado oscuro de la fuerza diré que si consigues entrar en une red que no esta tuya, en 2 meses has rentabilizado el precio de las tarjetas wifi que has comprado...Ademas mas pasa el tiempo mas tenemos redes con bandas 2.4GHz y 5GHz al mismo tiempo.Ver mi tutorial sobre airodump-ng en ese mismo foro:

Airodump-ng por los principiantes

Ahora voy a explicar un poco porque hay 4 ataque en esa version de hostbase.

Porqué hacer esos typos de ataque ?

Las 2 ataque con "hostapd WPA", estan hechas para ser mas discreto, para un usario que concoce un poco el informtico puede parecer extrano de ver una red abierta... entonces creamons una red encryptada en WPA para ser mas discreto.Desde la version de hostbase-1.0 que estaba programada en bash lo tengo bien claro en la cabeza...

PERO... eso tiene sus limitaciones, si la falsa red es en WPA no se pueden conectar los smartphones, iphone etc... necesitamos una red abierta para que se puede conectar un smartphone.

Qué hacer entonces ?

Usar el opcion una red abierta con berate_ap 2.4GHz (por los usarios que tienen solamente 2 tarjetas wifi compatible en 2.4GHz):

Ahora vamos a ver como esta nueva version de hostbase anda (para la instalacion y la configuracion todo esta escrito en el fichero ABREME a dentro la carpeta de hostbase y en el git)

Priméro se copia la carpeta entera de hostbase-1.4ES en /tmp despuès se entra en la carpeta /tmp/hostbase-1.4ES y se inicia asi:

ruby hostbase.rb

En primero vamos por el scan de redes, como podeis ver teneis que entrar tu tarjeta wifi para el scan y décir "si" or "no" por el scan en bandas 5GHz, en este caso no queremos el scan en 5GHz.

Por seguro wlan1 es la segunda tarjeta compatible con aircrack-ng en bandas 2.4GHz.

Otro ejemplo si quieres hacer el scan en 5Ghz:

Wlan2 es la tarjeta compatible en bandas 5GHz.No pongas "si" en la entrada 5GHz si no tienes la tarjeta compatible con las bandas 5GHz... se toma la buena tarjeta (a ver con ifconfig o iwconfig) y se da "si" solamente si estas seguro que tu tarjeta esta compatible con bandas 5GHz.Los datos entrado en 5GHz tienen que estar si or no todo en minusculo.Si das otra cosa tendras errores.

Ahora ejemplo de configuracion del falso AP por la primera ataque en bandas 2.4GHz con berate_ap y una red abierta:

Ojo1: no pongas el falso AP en el canal del real AP, la DoS que sigue el AP va a molestar la conexion en el falso AP si esta en el mismo canal que el real AP.Los canales 3 y 9 vienen bien para hacer el falso AP.

En el momento de entrar el nombre de la falsa pagina de phishing teneis varios opciones:

onowps por ono

orangewps por orange

vodafonewps por vodafone

jazztelwps por jazztel

movistarwps por movistar

En paginas de phishing si no entras las paginas asi tendras errores despuès.

Ahora ejemplo de configuracion del falso AP con la segunda ataque "berate_ap 5GHz"en bandas 2.4GHz y 5GHz

Los opciones son parecidas, pero te pide la tarjeta que vas a usar para hacer la DoS en la bandas 5GHz y despuès en las bandas 2.4GHz.Por favor verifica bien los datos entrado de la red que quieres antes de dar a validar.En el ejemplo: wlan0 es para el falso AP, wlan1 por la DoS en 2.4GHz y wlan2 por la DoS en 5GHz.

No se dondé puede venir este error:

porqué los parametros de las tarjetas wifi estan declarado en el script pero no parece que molesta el ataque de la DoS que sigue el AP.Hay que probar y si teneis errores tendré que modificar algo.

Ahora que el ataque esta iniciado todo no esta terminado.Para estar mas créible hostbase tiene un tchat para hacer se pasar por el servicio tecnico Una vez que la consola pone "Esperamos que alguien se conecta... ctrl+c para salir", se abre el navegador internet y se entra: https://127.0.0.1

(Que es la direccion del servidor web apache2).Como podeis ver hay un enlace a bajo a la izquierda "Ayuda en linea", si se abre el enlace nos caemos en la pagina del tchat.Aqui teneis que enviar el primero mensaje (es muy importante para que anda bien el tchat despuès), ejemplo nombre: "Bob" mensaje: "que puedo hacer ?"

Aqui esta el social engineering ! Para ver si la clave wifi esta registrado despuès de apoyar el boton WPS del router hay que entrar eso en un nuevo terminal:

cat /etc/wpa_supplicant.conf

Pero si todo va bien tendras que ver eso en la pantalla:

wpspbc

Ahora si quereis mis consejos, las opciones con "berate_ap 2.4GHz" y "berate_ap 5GHz" (si teneis una tercera tarjeta compatible con 5GHz) son las mejoras que se puede usar

Una vez que el boton WPS esta apoyado hay que esperar un poco antes de verificar que la clave wifi esta registrado.La clave wifi esta registrada en:

/etc/wpa_supplicant.conf

La ultima opcion es "WPS PBC loop".Sirve para intentar de capturar la clave wifi si un usario apoya su boton WPS.No teneis que usar esa opcion despuès de iniciar otra opcion en la interfaz grafica.

En todo los casos que no se olvida de salir del script con CTRL+C ( si teneis errores tambien usa CTRL+C para salir del script, hostbase levanta un monton de pasos y tendras errores si no podeis parar todo los pasos).

Recomendaciones1: entre 2 pruebas consejo de pasar por el scan de redes, el AP real se puede mover de canal y tenemos que estar seguro de iniciar el ataque en el bueno canal
Recomendaciones2: algunas veces cuando se usa el opcion "WPS PBC loop" no déja conectar a la red despuès, consejo si el problemo sigue de reiniciar el ordenador y de poner network-manager en marcha:

systemctl enable NetworkManager.service
systemctl start NetworkManager.service

Recomendaciones3: hay que poner las otras tarjetas wifi usb solamante una vez que el ordenador esta en marcha y no antes si no lo haceis asi systemd puede dar otros nombre a las tarjetas y cambiar todo el orderen de las interfaz (wlan0 wlan1 etc..) y si no sabeis que interfaz es compatible con hostapd y la bandas 2.4GHz y 5GHz no vale la pena de iniciar un ataque.

Si teneis errores quiero ver screenshot de pantalla dondé hay los errores y el resultado de:

ifconfig -a

La version de ruby con:

ruby -v

Si no te anda el WPS_PBC con es version de hostbase por favor da mr rl modelo completo del router.

Descarga de la nueva version de hostbase aqui:

https://github.com/Koala633/hostbase

Vidéo de demostracion:

Esta vez tengo un backup de la vidéo si me la borran...

Probado con:

ruby2.7
la ultima version de kali-linux (2021.3)
hostapd2.9
intel wifi
alfa awuso36H
alfa36ACH

Ultima edición por Koala (22-07-2022 18:11:05)

kcdtv · 11-02-2022 16:17:11

WoW.... Muchas gracias Koala por este post de presentación muy completo y todo tu trabajo. smile biere

Koala · 14-02-2022 19:48:28

Gracias Kcdtv smile

Para todos: he modfificado varias cosas para que se ejecuta mas rapido, o sea si teneis la version antigua, borra la y vuelve a descargar la version actualizada en github:

https://github.com/Koala633/hostbase

Ultima edición por Koala (14-02-2022 19:48:54)

mooooon · 16-02-2022 21:38:43

Whoa Thanks a lot mate this a really really great work

Thanks for getting the open fake network option back biere cool

what did you use for the "PBC loop option" ?

Koala · 16-02-2022 21:53:20

Hi cool

Thanks for getting the open fake network option back biere cool
what did you use for the "PBC loop option" ?

I use wash for the loop but since yesterday when i updated my kali-linux computer to kali 2022.1 i have some problems and the loop doesn't work any more, some options are not working fine, i have to work on them and fix them

I don't know if the ruby version has been changed or whatever... maybe i have to enforce some things on the code.At this moment i don't recommand to test the tool until i solve the problem.

I will update the tool when fixed

Ultima edición por Koala (16-02-2022 21:57:17)

mooooon · 17-02-2022 00:40:39

Koala escribió:

Hi
Thanks for getting the open fake network option back biere cool
what did you use for the "PBC loop option" ?

I use wash for the loop but since yesterday when i updated my kali-linux computer to kali 2022.1 i have some problems and the loop doesn't work any more, some options are not working fine, i have to work on them and fix them
I don't know if the ruby version has been changed or whatever... maybe i have to enforce some things on the code.At this moment i don't recommand to test the tool until i solve the problem.

I will update the tool when fixed

Great , np : )

Koala · 18-02-2022 17:50:55

Buenas smile

CHANGELOG:
bucla WPS... FIXED
tchat que sirve para habla con la victima... FIXED

He cambiado el codigo porqué despuès de la actualizacion de kali (2022.1) no andaba la bucla que sirve para detecar el apoyado del boton WPS,El tchat que sirve para hablar con la victima no andaba tan poco porqué ha cambiado la version de php, estamos ahora en php8

OJO: haciendo la actualizacion de kali-linux 2022.1, he tenido que reiniciar PHP en el servidor apache2.Se hace muy facil buscando la version de php con:

php -v                 
PHP 8.1.2 (cli) (built: Jan 27 2022 01:00:14) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.2, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.2, Copyright (c), by Zend Technologies

Y despuès:

a2enmod php8.1

Y terminamos con:

service apache2 restart

Para que anda el tchat con la victima es muy facil, una vez que el ataque esta iniciado se entra con el navigador en : http://127.0.0.1 despuès en "ayuda en llinea" encontraras el tchat.Se tiene que enviar el primero mensaje para que anda "hola soy del servicio technico que puedo hacer ?"

Si la victima se va en "ayuda en linea" podreis hablar con ella

Aqui ando... intendo de dar el mejor que puedo con mi pequenita expériancia en programacion y las actualizaciones que algunas veces joden todo... smile

Disfruta de la ultima actualizacion aqui: https://github.com/Koala633/hostbase

For english users:

The main code has been modified because since the latest update of kali-linux (2022.1) the loop to detect the WPS push button was not worling any more.
Also we are now working with php8 so i had to change the php file of the tchat (user live support to comunicate with the victim) when you go to http://127.0.0.1 and then the "ayuda en linea" section.You have to send the first message to get the tchat work example: "hello, what i can do for you ?"

If the victim go to the "ayuda en linea" link, you can comunicate with it

At this moment i removed the option to check if the real AP is shutdown or not, i have some problems to include it and i have to work on that... stay tuned for the next update smile

New release:

https://github.com/Koala633/hostbase

Ultima edición por Koala (18-02-2022 17:52:52)

mooooon · 18-02-2022 19:43:14

Koala escribió:

Here I am... I try to give the best I can with my little experience in programming and the updates that sometimes screw everything up...smile

I know a the struggle mate, i too have little experience in programming and unable to implement really great ideas
Your work is much appreciated : )

At this moment i removed the option to check if the real AP is shutdown or not

oh , it's not that important no worries

i have some problems to include it and i have to work on that... stay tuned for the next updatesmile

wish you luck , i am always tuned for updates : )

I have changed the code because after the update of kali (2022.1) the loop that serves to detect the support of the WPS button did not work,

what was the problem ?

Koala · 18-02-2022 21:25:26

what was the problem ?

For some reasons the problem was on the loop itself, "while true" can't work if there is another loop using "while true" too on the same file script.In our case we have 2 loops, one for check if the wps button has been pressed and another one to send wps_pbc request on the target AP.So i created a new bash script called "wash.sh" and used it from the main ruby script as a background "ruby thread".Like that we can use the bash code with the loop to check if the wps button has been pressed without stop the second loop when it begin if the button has been pushed sending wps_pbc request on the target AP.

I have to create an english version of hostbase too but the problem is i don't know which router is used to make a good phishing page... if you live in England or US any help to identify what phishing page to do will be appreciated cool

Ultima edición por Koala (18-02-2022 21:27:51)

mooooon · 19-02-2022 02:39:13

Koala escribió:

For some reasons the problem was on the loop itself, "while true" can't work if there is another loop using "while true" too on the same file script.In our case we have 2 loops, one for check if the wps button has been pressed and another one to send wps_pbc request on the target AP.So i created a new bash script called "wash.sh" and used it from the main ruby script as a background "ruby thread".Like that we can use the bash code with the loop to check if the wps button has been pressed without stopping the second loop when it begins if the button has been pushed sending wps_pbc request on the target AP.

oh that's great

I have to create an english version of hostbase too but the problem is i don't know which router is used to make a good phishing page... if you live in England or US any help to identify what phishing page to do will be appreciatedcool

No Unfortunately i don't live there , Even if that an english version would be really great since english is the most popular language over the world

But before that, You need to make the script/tool user friendly as for it's lacking
1. listing the available cards and allowing the user to select from just like fluxion
2. scanning the networks and listing them with a star beside their name to indicate that the network has targets connected to it and allowing the user to select from the list by just typing a number just like fluxion
3. Remove the need to move the script folder to /tmp/ folder

These are basic features that are included in all evil twin scripts , i know that you may not be able to do these features but you can borrow code from the other scripts
, they are open source after all

After that then maybe your tool become known and popular , other wise you know that most users won't like the usability of the script because it's a little bit hard

With these things left aside

For the UK/US phishing page we can know the most popular routers from their amazon page or from shodan
And the customer support phishing is a bit to much ... i think the wps phishing is enough
as for users like to just leave the evil twin attack on while they do something else ... and that's not the case for "customer support phishing" page

I have a couple of suggestions for the phishing pages problem

But first the networks scan should show the routers model that we get from wash
so they know which networks to target , in other words we should use wash for scanning networks instead

1. A generic page asking users to push the wps button with pictures of the logo which will work mostly with no problem

2. we collect one for each vendor (Router Manufacturer) not model , or let the user put the page used for the attack them selves

3. We Do it using an advanced way (my usual "crazy ideas" )
if the attacking device has network access , we simply grab the router model from the WPS probes
and google it with the inurl filter and filetype:pdf
using a list of official Router Vendors documentation pages

And using python rindex() function
we can search for wps in the returned file
and return the matches of the pages

and we present them to the user to choose which one fits
And then simply merge it with the html page with a big ass header saying " Press the button...etc"

or if we can detect if a pdf page has an image or not
it can be done then 100% automatically in a very advanced way that works for all devices
Then we make the script automatically submit the page to github so the more users use the tool the more we have already ready pages in our collection and normally we would get the common router models pages in no time since they are common and then users will be happy haha

but this totally not necessary, Points 1 or 2 are more than enough

this how it looks like for most routers when searching the pdf manual

That's all what i have in mind about this, and if the tool get popular enough then maybe users start submitting pages and then we would have a lot of them

I will be posting a really crazy method in the next couple of days that will maybe change the wifi hacking game : ]

Regards

Koala · 19-02-2022 05:36:34

But before that, You need to make the script/tool user friendly as for it's lacking
1. listing the available cards and allowing the user to select from just like fluxion
2. scanning the networks and listing them with a star beside their name to indicate that the network has targets connected to it and allowing the user to select from the list by just typing a number just like fluxion
3. Remove the need to move the script folder to /tmp/ folder

I consider that but like you said i don't know if i will be able to do those things with my little level of programming.

These are basic features that are included in all evil twin scripts , i know that you may not be able to do these features but you can borrow code from the other scripts
, they are open source after all

Two things:
first i have respect for the other developers (linset, fluxion airgeddon etc...) and i will never use the same code (or little bit changed) than the others tools.The reason is if another tools use my code or my idéas about the wps_pbc without mention or link the original hostbase project, i will not appreciate that.

Second: hostbase is made in ruby when the other scripts are made in bash or python.That mean i have to create an entire new code including your suggestions without borrow code from the other scripts.

1. A generic page asking users to push the wps button with pictures of the logo which will work mostly with no problem
2. we collect one for each vendor (Router Manufacturer) not model , or let the user put the page used for the attack them selves
3. We Do it using an advanced way (my usual "crazy ideas" )
if the attacking device has network access , we simply grab the router model from the WPS probes
and google it with the inurl filter and filetype:pdf
using a list of official Router Vendors documentation pages
And using python rindex() function
we can search for wps in the returned file
and return the matches of the pages
and we present them to the user to choose which one fits
And then simply merge it with the html page with a big ass header saying " Press the button...etc"
or if we can detect if a pdf page has an image or not
it can be done then 100% automatically in a very advanced way that works for all devices
Then we make the script automatically submit the page to github so the more users use the tool the more we have already ready pages in our collection and normally we would get the common router models pages in no time since they are common and then users will be happy haha

Good ideas by the way cool

Automatically upload the new page to github isn't possible but making a pull request maybe yes

I will be posting a really crazy method in the next couple of days that will maybe change the wifi hacking game : ]

Fine wink

Now to respect this forum, i suggest for the following messages to speak spanish language because maybe all users don't understand the english and can't participate to this thread smile

Ultima edición por Koala (19-02-2022 05:39:12)

mooooon · 19-02-2022 21:28:38

Koala escribió:

and i will never use the same code (or little bit changed) than the other tools. The reason is if another tools use my code or my ideas about the wps_pbc without mention or link the original hostbase project , i will not appreciate that.

I understand , then you can mention link or whatever .... it's written in bash mostly and it's pretty generic code so changing it a little bit would make it a totally diff code

Second: hostbase is made in ruby when the other scripts are made in bash or python. That mean i have to create an entire new code including your suggestions without borrowing code from the other scripts.

Hmm but why you made it in ruby while all the needed code was already done in bash , there was no need for reinventing the wheel , And i thought that you could run bash files from within the ruby script just like the wps loop , and then you could link the output of both tools some how

Automatically upload the new page to github isn't possible but making a pull request maybe yes

it won't matter much, Even if FTP ------> then github
would do the job

Now to respect this forum, i suggest for the following messages to speak spanish language because maybe all users don't understand the english and can't participate to this threadsmile

Hmm but the translator will probably break the meaning of the text but what ever : )

Koala · 20-02-2022 13:50:29

Hmm but why you made it in ruby while all the needed code was already done in bash , there was no need for reinventing the wheel , And i thought that you could run bash files from within the ruby script just like the wps loop , and then you could link the output of both tools some how

I made it in ruby cause im also interested by the metasploit framework wich use ruby so i learned a little bit ruby to modify the template and use my own custom payload.Bash is powerfull but the problem is bash is limited to manage some task working together at the same time.I don't like when there are a lot of windows on the same screen.Of course with bash you can use the "&" operator after a command to send it on the background but use ruby (or python) is more efficient when you have to manage multi task.

mooooon · 22-02-2022 01:16:21

Hmm then why not python

the same about bash applies to python

tons of python wifi hacking scripts on github that we can read its code and learn from

Ruby is a weird choice for a wifi hacking script that all it's about is just automation

Koala · 22-02-2022 10:35:58

I don't know very well how work python but ruby is pretty easy to learn too wink

mooooon · 26-02-2022 01:02:32

Koala escribió:

I don't know very well how work python but ruby is pretty easy to learn too

from google

Is it better to learn Ruby or Python?
Ruby is known for its elegant syntax. It uses simple English words that are easy to understand. But Python is just as simple and uses language that is even more natural. ... Python, Python is easier to learn than Ruby due to its syntax.

but whatever, wifiphisher the most common evil twin tool is written in python tho

Koala · 26-02-2022 18:37:32

I won't change ruby to python because i don't have enough personal time... hmm also too much work to "re learn" another sort of progamming language since i use ruby.

but whatever, wifiphisher the most common evil twin tool is written in python tho

2 things here: wifipshisher is wifiphisher and hostbase is hostbase.That mean if the creators of wifiphisher have made it in python it is fine.But in my side im not ready to change the entire script to python cool

Ultima edición por Koala (26-02-2022 18:38:23)

Tema	Respuestas	Vistas	Ultimo mensaje
WPA2: roto con KRACK. ¿Ahora que? por Virkon [ 1 2 ]	26	7673	15-03-2023 16:57:32 por kcdtv
Pegado: Pegado:: AWITAS. Ataque a WPS con rogueAP potegido con WPA por javierbu [ 1 2 ]	34	3753	12-03-2023 18:24:22 por Guybrush92
Pegado: Pegado:: Script multiuso wifi para Kali y otras distros por v1s1t0r [ 1 2 3 … 18 ]	436	63508	07-03-2023 12:35:27 por kcdtv
iwd;¿El demonio WiFi Linux qué lo cambiara todo? por kcdtv	0	405	23-02-2023 17:09:39 por kcdtv
Pegado: Pegado:: Base de datos WPSPIN (original) open source actualizada por kcdtv [ 1 2 3 4 5 ]	114	258448	19-02-2023 17:36:14 por chuchof

Foro Wifi-libre.com

Anuncio

#1 09-02-2022 21:12:12