An update to the script, fakeAP_pwn. This is a bash script to automate creating a 'Fake Access Point' and 'pwn' whoever connects to it! The FakeAP is transparent (allowing the target to afterwards surf the inter-webs once they have been exploited!), and the payload is either SBD (Secure BackDoor - similar to netcat!) or VNC (remote desktop).


Watch video on-line:

Download video: http://download.g0tmi1k.com/videos_archive/fakeAP_pwn-v0.2.mp4

Download Script (fakeAP_pwn-v0.2.5.tar.gz): *Out-Of-Date*



  • Creates a fake AP and DHCP server.
  • Runs a web server & creates an exploit with metasploit.
  • Waits for the target to connect, download and run the exploit.
  • Once successfully exploited it grants access to allow the target to surf the inter-webs.
  • Uploads a backdoor; SBD or VNC, via the exploit
  • The attacker has the option to run a few 'sniffing' programs (from the dnsiff suite) to watch what the target does on the FakeAP!


  • Two interfaces, one for Internet (wired/wireless) and the other for becoming an access point (wireless only - must support monitor mode)
  • A Internet connection (though you could modify it so its non transparent)
  • Airmon-ng, dhcpd3, apache, metasploit, dnsiff suite - All on BackTrack!
  • The script! fakeAP_pwn-v0.2.5.tar.gz (490.3 KB, SHA1:541d91c19ff32777317385218820233a62f1dc76)

Whats in the tar.gz?

  • fakeAP_pwn.sh - Bash script
  • www/index.php - The page the target is forced to see before they have access to the Internet.
  • www/Linux.jpg, OSX.jpg, Windows.jpg - OS pictures
  • www/sbd.exe - SBD Backdoor
  • www/vnc-g0tmi1k.exe - VNC Backdoor

How to use it?

  1. Extract the tar.gz file (via tar zxf fakeAP_pwn-v0.2.5.tar.gz).
  2. Copy the "www" folder to /var/www (cp www/* /var/www/)
  3. Make sure to "Start Network" and to have an IP address. (via start-network and dhclient [Internet Interface])
  4. Edit fakeAP_pwn.sh with your "internet" and "wireless" interface. (You can view your interfaces via ifconfig and use kate to edit the file.)
  5. bash fakeAP_pwn.sh (don't forget to be in the correct folder!)
  6. Wait for a connection...
  7. ...Game Over.


tar zxf fakeAP_pwn-v0.2.5.tar.gz
cd fakeAP_pwn-v0.2.5
cd fakeAP_pwn
cp www/* /var/www
kate fakeAP_pwn.sh
bash fakeAP_pwn.sh


  • This time it should work for everyone, just not me =P
  • The video uses fakeAP_pwn.sh v0.2.1
  • It's worth doing this "manually" (without the script) before using the script, so you have an idea of what's happening, and why. The script is only meant to save time.
  • I'm running BackTrack 4 Final in VM, The target is running Windows 7 Ultimate (fully up-to-date 2010-05-13), with no firewall, no AV and no UAC. Tested with windows XP SP3 Professional as well.
  • The connection is reversed - so the connection comes from the target to the attacker, therefore, as the attacker is the server, it could help out with firewalls...
  • As you can see in the code, one day I plan for this to also "affect" Linux and/or OSX...but its taken me this long to update it - so don't hold your breath!

Song: Medicin - Summer Drummer

Video length: 3:20

Capture length: 8:12

Blog Post: https://blog.g0tmi1k.com/2010/06/script-video-fakeappwn-v025/


  • *Removed silly typos


  • +Added arguments
  • +Checks for superuser
  • +Checks interfaces/paths/files exists
  • +Improved transparent mode (Thanks joker5bb)
  • *General code improvements
  • *Updated the help message


  • +Fakes the MAC address (Thanks joker5bb)
  • +Fix "wicd" bug (Thanks joker5bb)
  • +Randomizes ports each time
  • +Reversed VNC - No need to type in password now
  • +Stops and removes existent backdoors
  • +Stops services and programs (Thanks joker5bb)
  • +Uses "msfencode" - to prevent detection
  • +Webpage now has a "favicon"
  • *Fix a few minor features - Couple of silly typos (Thanks joker5bb)
  • *General code improvements
  • *Improved "clean up" code
  • *Improved the WiFi interface (Thanks joker5bb)
  • *Renamed the backdoor files
  • *Renamed the output windows


  • +Fix gateway bug
  • +Fix DHCP PID Bug
  • +Checks for other index files. And acts on it.
  • +Checks to make sure user copied www/. Else acts on it.
  • +Added more tools to "extra".
  • +Added extra settings (Response to all requests & WiFiName)
  • *Improved debug info
  • *Aligned the output windows
  • *General code improvements
  • *Improved chances of DHCP working (Might need more work)
  • *"Started" work on transparent (Needs more work)
  • *"Started" work on allow a custom backdoor (Needs more work)
  • -Removed Linux/OSX - was confusing people


  • +Remade first release
  • *Created Video


  • +First public release