sensepost / mana

*DEPRECATED* mana toolkit for wifi rogue AP attacks and MitM
https://w1f1.net/

Clients don't have internet connection after connecting to "Internet" SSID after running Mana Toolkit #26

Closed mastertwitter09 closed 8 years ago

mastertwitter09 commented 9 years ago

Hi guys,

My problem is, after running "sudo ./start-nat-full.sh" inside /usr/share/mana-toolkit/run-mana, and while the script is running, when I try connecting a host to the access point, that host doesn't get an internet connection.

Here's the full list of my configuration.

Kali Linux 1.1.0 running in VMWare Workstation
Installed mana-toolkit using the "apt-get install mana-toolkit" command.

When I run the program, my network connection manager is STOPPED. This disconnects my internet connection inside the Kali Linux virtual machine. Is this fine?

The configuration inside start-nat-full.sh:

upstream=eth0
phy=wlan0

I am connecting a MacBook Air or iPad Mini as hosts -- neither device receives internet connectivity. All I can see is "Internet", "androidAP", and a generated SSID based on my router.


Before running the program

My ifconfig

wlan0     Link encap:Ethernet  HWaddr f0:7d:68:6b:60:29
          inet addr:192.168.1.102  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::f27d:68ff:fe6b:6029/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29110 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29399 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23951877 (22.8 MiB)  TX bytes:4350956 (4.1 MiB)

My netstat -rn

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

After running the program (while it's running)

My ifconfig

wlan0     Link encap:Ethernet  HWaddr 00:11:22:33:44:00
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4400/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29655 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29674 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24064849 (22.9 MiB)  TX bytes:4423155 (4.2 MiB)

My netstat -rn

root@WRT54G:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        10.0.0.1        255.255.255.0   UG        0 0          0 wlan0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0


This is what I see when I initiated "sudo ./start-nat-full.sh".

hostname WRT54G
[ ok ] Stopping network connection manager: NetworkManager.
Permanent MAC: f0:7d:68:6b:60:29 (D-link Corporation)
Current MAC:   f0:7d:68:6b:60:29 (D-link Corporation)
New MAC:       4c:56:57:d1:12:d7 (unknown)
Configuration file: /etc/mana-toolkit/hostapd-karma.conf
Using interface wlan0 with hwaddr 00:11:22:33:44:00 and ssid "Internet"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
Internet Systems Consortium DHCP Server 4.2.2
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Wrote 1 leases to leases file.
Listening on LPF/wlan0/00:11:22:33:44:00/10.0.0.0/24
Sending on   LPF/wlan0/00:11:22:33:44:00/10.0.0.0/24
Sending on   Socket/fallback/fallback-net
/usr/share/mana-toolkit/run-mana
Hit enter to kill me
Generated RSA key for leaf certs.
SSLsplit (built 2014-05-26)
Copyright (c) 2009-2014, Daniel Roethlisberger daniel@roe.ch
http://www.roe.ch/SSLsplit
Features: -DDISABLE_SSLV2_SESSION_CACHE -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT SOL_IPV6 !IPV6_ORIGINAL_DST
compiled against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
rtlinked against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using SSL_MODE_RELEASE_BUFFERS
Using direct access workaround when loading certs
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.19-stable
rtlinked against libevent 2.0.19-stable
1 CPU cores detected
proxyspecs:

sslstrip 0.9 + by Moxie Marlinspike running...


This is what I see when I run "service apache2 restart"

[....] Restarting web server: apache2
Warning: DocumentRoot [/usr/share/mana-toolkit/www/facebook] does not exist
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
Warning: DocumentRoot [/usr/share/mana-toolkit/www/facebook] does not exist
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
. ok


mastertwitter09 commented 9 years ago

Update:

I tried running the command "sudo ./start-noupstream.sh".

While I was not able to see the captive portal on my iPad, my iPad, using Google Chrome, did see "google.com/fp", and when I clicked gmail.com I was redirected to a spoofed site created by mana toolkit. However, when I typed my username and password and pressed the button, I didn't see it recorded in /var/lib/mana-toolkit. Where can I see it?

Also, facebook.com is not working. Kindly see the screenshots below.


vdb212 commented 9 years ago

firelamb?

mastertwitter09 commented 9 years ago

Anyone? The problem remains the same, hosts connected on the access point don't have internet connection.

singe commented 9 years ago

Network Manager is killed because it prevents hostapd from working if it's controlling the wifi card. Of course if you need it for upstream then you'll have this problem. Either manually configure your upstream NIC or have Network Manager blacklist your mana NIC (http://askubuntu.com/questions/21914/how-can-i-make-networkmanager-ignore-my-wireless-card)

The FB site was never done since FB makes it a PITA to copy their site without upstream. Thinking of just using an image. Happy for any help.

On 25 May 2015, at 1:12 AM, mastertwitter09 notifications@github.com wrote:

Anyone? The problem remains the same, hosts connected on the access point don't have internet connection.

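A way to check the upstream situation singe describes, as an added example that is not code from mana-toolkit or its authors. The routing tables posted above show the default route leaving via wlan0 before start-nat-full.sh and no default route at all afterwards, so eth0, the script's upstream, never had a path to the internet. The script below takes a routing table in netstat -rn or ip route form and reports whether a given interface carries the default route, emits the NetworkManager.conf fragment from the unmanaged-devices approach behind the askubuntu link (keyed on the permanent MAC from the posted macchanger output), and prints the commands to configure the upstream by hand. The two tables are copied from the issue; the gateway 192.168.1.1 for eth0 is an assumption taken from the pre-run default route.

```bash
#!/usr/bin/env bash
# Editor-added pre-flight check for the upstream problem in this issue.
# Not part of mana-toolkit. Assumes the layout from the posted
# start-nat-full.sh (upstream=eth0, phy=wlan0); the two routing tables
# are copied from the issue, the gateway 192.168.1.1 for eth0 is assumed.

UPSTREAM=eth0                     # from the posted start-nat-full.sh
GATEWAY=192.168.1.1               # assumed: gateway seen in the pre-run table
PERMANENT_MAC=f0:7d:68:6b:60:29   # wlan0's permanent MAC from the posted output

# Return 0 if routing-table text $2 has a default route leaving via
# interface $1. Understands both `netstat -rn` and `ip route` output.
has_default_route_via() {
    local dev="$1" table="$2"
    printf '%s\n' "$table" | awk -v dev="$dev" '
        # ip route style:    "default via 192.168.1.1 dev eth0 ..."
        $1 == "default" {
            for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) found = 1
        }
        # netstat -rn style: "0.0.0.0  192.168.1.1  0.0.0.0  UG ... eth0"
        $1 == "0.0.0.0" && $3 == "0.0.0.0" && $NF == dev { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# NetworkManager.conf fragment that makes NM ignore the AP card, keyed on
# its permanent MAC (mana rewrites the current MAC, see the macchanger
# lines in the posted output), so NM can stay up and keep managing eth0.
nm_unmanaged_snippet() {
    printf '[keyfile]\nunmanaged-devices=mac:%s\n' "$1"
}

# Commands for configuring the upstream by hand when NM is not managing
# it: default route out of the upstream NIC, forwarding on, masquerade.
# Printed rather than executed, so this script runs unprivileged.
upstream_fix_commands() {
    local upstream="$1" gw="$2"
    printf 'ip route replace default via %s dev %s\n' "$gw" "$upstream"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$upstream"
}

# Routing tables as posted: before the run the default route left via
# wlan0 (the card mana then takes over); afterwards there is none.
BEFORE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0'

AFTER_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        10.0.0.1        255.255.255.0   UG        0 0          0 wlan0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# Report one state ($1 label, $2 routing table) and the fix if needed.
report_state() {
    local label="$1" table="$2"
    if has_default_route_via "$UPSTREAM" "$table"; then
        echo "$label: default route leaves via $UPSTREAM, clients can be NATed out"
    else
        echo "$label: no default route via $UPSTREAM; as root, run:"
        upstream_fix_commands "$UPSTREAM" "$GATEWAY" | sed 's/^/    /'
    fi
}

main() {
    report_state before "$BEFORE_TABLE"
    report_state after "$AFTER_TABLE"
    echo "To keep NetworkManager off the AP card, add to /etc/NetworkManager/NetworkManager.conf:"
    nm_unmanaged_snippet "$PERMANENT_MAC" | sed 's/^/    /'
}

main
```

On a live box, feed it the output of `netstat -rn` or `ip route` instead of the embedded tables. The mana start script's own NAT rules are not shown on this page, so check `iptables -t nat -L` before adding a second MASQUERADE rule, and restart NetworkManager after editing the config so the unmanaged-devices entry takes effect.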

khanfar commented 8 years ago

Has anyone succeeded in getting an internet connection????

ghost commented 8 years ago

"However, when I typed my username and password and press the button, I didn't see it recorded on /var/lib/mana-toolkit? Where can I see it?"

After starting the noupstream AP, in a 2nd terminal run the command: tcpdump -i [interface] -w /root/Desktop/mana

Login to google on your Test Victim Device...

Open the created file from your Desktop with wireshark then filter for "pass" should get you the login information.

Wish I could test this, but personally I'm having a problem getting traffic to redirect to the portal at all on my Android test device.

singe commented 8 years ago

The google creds are recorded in the apache logs for the site. Unfortunately, I haven't created a parser to extract them yet.