PwnSTAR - A Bash Script For Creating a "Malicious" Software-Enabled Access Point


PwnSTAR is a bash script that creates and launches a fake (or, if you prefer, "malicious") access point. It offers a wide variety of attack options, including sniffing, phishing and spoofing.

Note: It is designed for Kali Linux, but it will run on any flavor of Linux with a little tweaking.

PwnSTAR Screenshot

Let's take a look at its features:
  • Takes care of configuration of interfaces, MACspoofing, airbase-ng, and isc-dhcp-server.
  • Steals WPA handshakes
  • Phishes email credentials
  • Serves web pages: use the supplied ones or provide your own (Note: place each of the web folders separately into /var/www. Do not move the index files out of their respective folders; the script will move them to the correct location as required.)
  • Sniffing with ferret and sslstrip
  • Adds a captive portal to the front-end of the fake AP
  • Assorted exploits
  • de-auth with MDK3, aireplay-ng or airdrop-ng
PwnSTAR PDF Options Screenshot


Basic Menu:
1) Honeypot: get the victim onto your AP, then use nmap, Metasploit etc. (no internet access is given)

2) Grab WPA handshake

3) Sniffing: provide internet access, then be MITM

4) Simple web server with dnsspoof: redirect the victim to your webpage

5) Karmetasploit

6) Browser_autopwn

1) Relies on auto-connections, that is, the device connects on its own without the owner being aware. You can exploit this by creating a fake AP that spoofs an access point the target device has previously connected to.

2) Sometimes it is quicker to steal the handshake than to sniff it passively. Set up the AP with the same name and channel as the target, then de-auth (DoS) the target so that the client re-associates with your AP. Airbase will save a pcap containing the handshake to /root/PwnSTAR-n.cap.

3) Provides an open network so that you can sniff the victim's activities.

4) Uses Apache to serve a malicious web page.
  • "hotspot_3" is a simple phishing web page.
  • "portal_simple" is a captive portal which allows you to edit the index.html with the name of the portal (e.g. "Joe's CyberCafe").
  • "portal_hotspot3" phishes credentials, and then allows clients through the portal to the internet.
  • "portal_pdf" forces the client to download a malicious PDF (carrying a classic Java applet) in order to pass through the portal.

5&6) Provides all the config files to properly set-up Karmetasploit and Browser_autopwn.

Advanced Menu:
a) Captive portals (phish/sniff)

b) Captive portal + PDF exploit (targets Adobe Reader < v9.3)

c) MSXML 0day (CVE-2012-1889: MSXML Uninitialized Memory Corruption)

d) Java_jre17_jmxbean

e) Choose another browser exploit

a) Uses iptables rules to route the clients. This is a fully functioning captive portal that can track and block/allow multiple connections simultaneously, which avoids the problems of DNS spoofing. There are two built-in web options:
  • Serves hotspot3. Doesn't allow clients onto the Internet until credentials have been given.
  • Allows you to add a personal header to the index.php. You could probably copy the PHP functions from this page onto a cloned page, and load that instead.
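As an added example (not PwnSTAR's own code), the following shows the iptables skeleton behind a MAC-tracked captive portal like the one option (a) describes: unauthenticated clients on the fake AP have their HTTP redirected to the portal page, a client whose credentials have been captured is released onto the uplink by its MAC, and it can be blocked again later. The names AP_IF=at0 (the tap interface airbase-ng creates), UP_IF=eth0 (the interface with internet access) and PORTAL_IP=10.0.0.1 (the address Apache serves the portal on) are assumptions, not values from the page. With DRY_RUN=1, the default here, the iptables commands are printed instead of executed, so the rule logic can be read and checked without root or a live AP.

```shell
# Added example, not PwnSTAR's own code: iptables skeleton for a MAC-tracked
# captive portal. Assumed names: AP_IF=at0, UP_IF=eth0, PORTAL_IP=10.0.0.1.

AP_IF="${AP_IF:-at0}"
UP_IF="${UP_IF:-eth0}"
PORTAL_IP="${PORTAL_IP:-10.0.0.1}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a well-formed MAC. The address arrives from the client side
# (a DHCP lease, the ARP table or the portal's login form), so it must never
# reach an iptables command line unchecked.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# One-time setup: NAT to the uplink, a redirect chain for port 80, and a
# forward chain that drops everything from the AP except DNS until the
# client's MAC has been released.
portal_base_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$UP_IF" -j MASQUERADE
    run iptables -t nat -N PORTAL_REDIR
    run iptables -t nat -A PREROUTING -i "$AP_IF" -p tcp --dport 80 -j PORTAL_REDIR
    # Last rule in the chain: anyone not RETURNed earlier lands on the portal
    run iptables -t nat -A PORTAL_REDIR -j DNAT --to-destination "$PORTAL_IP:80"
    run iptables -N PORTAL_FWD
    run iptables -A FORWARD -i "$AP_IF" -j PORTAL_FWD
    # DNS must work so the client's browser resolves a name and hits the redirect
    run iptables -A PORTAL_FWD -p udp --dport 53 -j ACCEPT
    run iptables -A PORTAL_FWD -j DROP
    # The portal itself, plus DNS and DHCP on the AP host, must stay reachable
    run iptables -A INPUT -i "$AP_IF" -p tcp --dport 80 -d "$PORTAL_IP" -j ACCEPT
    run iptables -A INPUT -i "$AP_IF" -p udp -m multiport --dports 53,67 -j ACCEPT
}

# Release an authenticated client: skip the redirect and allow forwarding.
# Rules are inserted at position 1 so they match before the chain defaults.
portal_allow_client() {
    valid_mac "$1" || { echo "refusing malformed MAC: $1" >&2; return 1; }
    run iptables -t nat -I PORTAL_REDIR 1 -m mac --mac-source "$1" -j RETURN
    run iptables -I PORTAL_FWD 1 -m mac --mac-source "$1" -j ACCEPT
}

# Block a client again by deleting exactly the rules that released it.
portal_block_client() {
    valid_mac "$1" || { echo "refusing malformed MAC: $1" >&2; return 1; }
    run iptables -t nat -D PORTAL_REDIR -m mac --mac-source "$1" -j RETURN
    run iptables -D PORTAL_FWD -m mac --mac-source "$1" -j ACCEPT
}
```

To use it for real, source the file with DRY_RUN=0 as root once airbase-ng has brought up the AP interface, call portal_base_rules, and have the portal's login handler call portal_allow_client with the MAC looked up from the client's IP (in the DHCP leases or the ARP table). Matching on the source MAC rather than the IP is what lets the portal keep track of several clients at once without relying on DNS spoofing, and the valid_mac check is the one line that keeps a hostile form submission from turning into a shell command.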

b) A captive portal which blocks the client until they have downloaded a PDF that contains a malicious Java applet. An unmodified PDF is included so you can add your own payload.

c&d) Launch a couple of example browser exploits.

e) Gives a skeleton framework for loading any browser exploit of your choice. Edit PwnSTAR's browser_exploit_fn directly for more control.
