Jump to content

MK2: Jasagerpwn [script] [video]


Recommended Posts

Have you confirmed that on the attacking machine (I assume it's the BT5 one) that you can access internet?

Yes.

Have you disabled dnsmasq on the router?

Yep.

Have you tried to view the DNS entries on the victim machine?

Nope. Victim is an iPhone. I've just tested by trying to visit a website using the domain name (http://www.google.com). That generates the DNS request I'm seeing in wireshark but the Victim never gets a DNS response and Safari times out. If I visit google by numeric IP, the page renders just fine.

Have you you set the DNS server on the router to that of the gateway your attacking machine is using?
Don't believe I've tried this yet. I'll test this out tomorrow evening and post the results. Thanks for the assistance. :)
Link to comment
Share on other sites

  • Replies 95
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Posted Images

First thing, If it is an iPhone as a victim, I would try and make sure that its not connected to a cellular network.. Simply because I am not super familiar with the mechanics of the iPhone connectivity.

May I suggest using a virtual machine for terms of testing, this can even be done on the attacker machine assuming you have enough wireless cards (You might actually need like 3 to do that.)

The way the DNS mechanics in the script are working is by redirecting the DNS requests through the attacker machine and off to the gateway of the attacker machine

This is the IPtables command which is handling those requests on line 142.

iptables --table nat --append PREROUTING --in-interface $fonEthernet -p udp --dport 53 -j DNAT --to $gatewayIP

One thing you can try is changing the $gatewayIP variable on line 142 to "4.2.2.2" or "8.8.8.8" and see if that helps, If it does then its an issue with the network which you are trying to tunnel it through. The line should look like the following..

iptables --table nat --append PREROUTING --in-interface $fonEthernet -p udp --dport 53 -j DNAT --to 4.2.2.2

Good luck.

Edited by leg3nd
Link to comment
Share on other sites

One thing you can try is changing the $gatewayIP variable on line 142 to "4.2.2.2" or "8.8.8.8" and see if that helps, If it does then its an issue with the network which you are trying to tunnel it through. The line should look like the following..

iptables --table nat --append PREROUTING --in-interface $fonEthernet -p udp --dport 53 -j DNAT --to 4.2.2.2

Good luck.

Looks like you are bang on the money. I altered this line and DNS started resolving straight away.

So, are you saying that $gatewayIP should be the IP Address for my internet gateway/router? On line 77 it looks like $gatewayIP is set. I stuck an 'echo $gatewayIP' just before line 142, just to get visibility of what it's being set to, and currently it is being set to 0.0.0.0? I manually set it to my router IP (192.168.0.254) and everything worked as expected. Is $gatewayIP supposed to be 0.0.0.0 or is this a bug in the script or a peculiarity in my setup?

Thanks for your help with this...it's proving to be a great learning exercise. Really appreciate it. :)

Link to comment
Share on other sites

Ah interesting.. Others have had issues with this before.

0.0.0.0 is representing a default route, but is actually supposed to be returning the gateway(routers IP address), So I assume there is an issue with the awk statement I am using to parse it.

Sounds like a bug while parsing the variable for that variable. Would you mind PMing me or posting the output of "route -n" when you are using the setup described earlier that would be great. Until I am able to update it just go ahead and replace that line yourself, should work fine.

Appreciate it. :)

Link to comment
Share on other sites

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 wlan0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

I'm not familiar with Awk but had a play anyway. It seems that "getline" may be the problem. Using "route -n | awk '/^0.0.0.0/ {print $2}'" returns the correct gateway IP. Not sure if that works for everyone though. ;)

Link to comment
Share on other sites

  • 3 weeks later...

JasagerPwn and armitage

whats up

you are amazing, your jasgerpwn is extremely well written

i was just wondering how to incorporate the armitage user-face with it

how to connect to armitage instead of just msfconsole.

this would make post exploitation easier.

it would make managing victims easier.

if you could give me a pm or a post on the forums i would really appreciate it.

thanks again

Ty

Link to comment
Share on other sites

Sorry, not much of a fan of GUI. I am sure if you really wanted to, you could just use one of the attacks, close the msfconsole window, and start armitage to use the same listeners that msfconsole was.

When you run the script, there will be metasploit RC (resource) files stored in /tmp. You may reference those to use the correct port/payload listener.

Link to comment
Share on other sites

Yes I used to run it in a VM all the time.

The settings on the router are the same. But you will need to setup a bridged network adapter for the gateway interface and use the attacking card, alfa etc, as a USB device for the VM (NOT BRIDGED).

Link to comment
Share on other sites

leg3nd,

Thanks for the fast reply, I was able to setup my pineapple with jasagerPwn using the VM

I have a few questions

1.-

I'm having a problem every time I start jasagerPwn

This is the message I get



>] Stopping services and programs...
[>] Checking Environment...
cp: cannot create regular file `/pentest/exploits/framework2/scripts/meterpreter/': No such file or directory
[>] Creating scripts...
[>] Enabling ipv4 Forwarding...
[>] Starting up DHCP3...
[>] Loading URL Snarf/Driftnet...
[>] Setting up IP Tables...
[~] leg3nd's JasagerPwn v1.2 Rev Started! More @ www.info-s3curity.com
[~] ALL Attacks are now operating system agnostic OSX/MS/Linux!!

Any ideas on how can I resolved this is issue, "I have the latest version of metasploit" but my says framework2, your script USED to say framework3 but I changed it to Frameworks2

This is my configuration on your script



#SCRIPT CONFIGURATION BELOW - ADJUST TO YOUR WIFI CONFIGURATION
gatewayIFACE="wlan0" #Interface connected to the internet (gateway) to share, EG wlan0,eth1,usb0,ppp0,etc
fonIP="192.168.10.2" #IP for ethernet interface facing the Fon, the dhcp.conf is below to change subnet.
fonEthernet="eth0" #Ethernet interface facing the Jasager/Fon router, EG eth0,eth1,eth2
wirelessAtkIFACE="wlan1" #Wireless Interface to attack with, EG wlan0,ath0,wifi0
monIFACE="mon0" #Monitor Interface for Attacks from airmon-ng
macMode="set" #Mac spoofing mode - set / random (case sensitive)
fakeMac="00:e0:f7:99:e1:30" # 00:e0:f7:99:e1:30 (Cisco Systems, Inc.)
ourAPmac="00:12:CF:A4:35:78" #Pineapple MAC so we dont DeAuth Ourselves
MSFpath="/pentest/exploits/framework3" #Metasploit Location (if not BT5, use msf3 directory)
DomainName="Networking.com" #Domain name for DHCP configuration.
######################################################################################################################

2.-

I noticed that The DHCP Server on my Pineapple keeps coming backup, is this something I need to disable every time, or can I permanently disable it by changing the "/etc/config/dhcp" file, if that is possible, what settings should I use.

:D I hope you can help me with these two questions.

Thanks,

Link to comment
Share on other sites

1.-Any ideas on how can I resolved this is issue, "I have the latest version of metasploit" but my says framework2, your script USED to say framework3 but I changed it to Frameworks2

[b]cp: cannot create regular file `/pentest/exploits/framework2/scripts/meterpreter/': No such file or directory[/b]

Well, on BT5 I've used

MSFpath="/pentest/exploits/framework"

*It is a symlink to /opt/framework/msf3

And it seems to work just fine.

2.- I noticed that The DHCP Server on my Pineapple keeps coming backup, is this something I need to disable every time, or can I permanently disable it by changing the "/etc/config/dhcp" file, if that is possible, what settings should I use.

You disabled it through ssh, with

/etc/init.d/dnsmasq stop
/etc/init.d/dnsmasq disable

If you are having problems with victims being unable to resolve hostnames, just replace $gatewayIP with your gateway IP, on line 142.

Link to comment
Share on other sites

leg3nd,

Thanks for the fast reply, I was able to setup my pineapple with jasagerPwn using the VM

I have a few questions

1.-

I noticed that The DHCP Server on my Pineapple keeps coming backup, is this something I need to disable every time, or can I permanently disable it by changing the "/etc/config/dhcp" file, if that is possible, what settings should I use.

2.-

how can I check the DHCP Pool on BT5 "list of clients"

3.-

DeAuthorization.

If I have my pineapple running, and I'm using two alfa cards (wlan0 for internet connection, and wlan1 for attacks.

would DeAuthorization affect the alfa card wlan0?

I checked your script, and I see the option to add the Pineapple's mac address, but not for my Internet connection card

:D I hope you can help me with these two questions.

Thanks,

Link to comment
Share on other sites

Jmanuel, Everything MFVX said is exactly correct. Would have been the same response I would have given.

The metasploit location changed in backtrack 5 when metasploit upgraded to 4.0. I will go ahead and fix the bug in the next revision, but /pentest/exploits/framework/ should work fine.

Regarding the DHCP server on the pineapple, run the commands he gave and it should be disabled.

/etc/init.d/dnsmasq stop
/etc/init.d/dnsmasq disable

I have had no issues with this method, but if for whatever reason you do, you may want to try to disable it in the web interface.

With Deauthoriztion attacks, the "WirelessAtkIFACE" will be used for the attack. While the "gatewayIFACE" will be used for your connection to the internet. You can try to use the "gatewayIFACE" for attacking (by simply setting both variables to wlan0), but it will likely effect the stability of your connection and is not recommended.

Edited by leg3nd
Link to comment
Share on other sites

Leg3nd, could you please change one more thing on the next version of the script?

It would be great if you add one more variable on the "setup", so users can hard-code the gateway IP instead of trusting on "route -n" method. I did it on mine and I think it would be better for the other users.

You could also add a note recommending the upgrade to sslstrip 0.9. I've had some errors with 0.8. http://www.thoughtcrime.org/software/sslstrip/

Also, I'm trying to make some kind of "fake captive portal" (a page hosted on the attacker's computer, where the victim has to enter some info or read an alert. I guess I could do that with your 2,3 and 4 attacks. When I figure that, may I PM you to incorporate on the main version of the script?

Other cool thing would be some kind of selective redirect. Something like: redirect IPs 192.168.0.50 and 192.168.0.55 to a warning page when they try to visit hak5.org (Hey, fellow hak5 user, you are using a creepy-evil-poisoned AP. Be sure to use an ssh tunnel!).

Now, one more question:

How easy would be for the owner of the network you are using to provide internet to your victims to discover that there is an attack like this happening?

How would he do that? Something besides seeing someone using high amounts of band?

_

Sorry if my english seems confusing. I'm not a native speaker, but i'm working on that.

Link to comment
Share on other sites

Not sure what you are implying for the "Captive portal page". Go ahead and PM me with details of the vector and I can try to work it in.

I will indeed update it to sslstrip 0.9, I was aware it was released but again have not had the time to update the script. Although I have manually updated my own to use 0.9 and the errors still persist.

Selective redirect would be kinda cool, I would have to do some brainstorming to implement this effectively. If I do something like this, I need to implement a menu system to manage it, which I would also like to contain hostnames and mac addresses as well as the IP.

Regarding detection of rogue access points, they can be very difficult to detect especially at a non-end user level. A couple ways it CAN be detected are with wireless IDS/IPS systems, SSID spam (if your responding to alot of probes it will result in a large list of APs on the client machines, or simply opening up airodump-ng and noticing the very strange behavior that occurs on the access point.

Personally, When I go to something like say DefCon.. I use a very very basic script which detects when your gateway mac address changes and/or when your networks subnet changes. This seems to mitigate most man in the middle attacks.

Thanks for the feedback! I'll try and get on some of this tomorrow.

Edited by leg3nd
Link to comment
Share on other sites

Regarding detection of rogue access points, they can be very difficult to detect especially at a non-end user level. A couple ways it CAN be detected are with wireless IDS/IPS systems, SSID spam (if your responding to alot of probes it will result in a large list of APs on the client machines, or simply opening up airodump-ng and noticing the very strange behavior that occurs on the access point.

Personally, When I go to something like say DefCon.. I use a very very basic script which detects when your gateway mac address changes and/or when your networks subnet changes. This seems to mitigate most man in the middle attacks.

My worry is on the internet access being shared part. Lets say I have the following network:

______

The Internet -wifi-> Building Network -wire-> Someone's WIFI AP -wifi-> Attacker's Notebook -wire-> Wifi Pineapple -wifi-> Victim's PC

______

My doubt is how could the administrator of the network I'm forwarding traffic to could detect that Attacker's Notebook is doing nasty things.

Link to comment
Share on other sites

Anything that you and your clients are doing is going through their network. But all of the attacks, meaning payloads containing code signatures, conspicuous redirects, etc, are being conducted on your pineapples network.

If you look at the example you gave, "Victims PC" is only 1 hop away from "Attacker's Notebook". Traffic such a meterpreter session does not go further then that.

As for SSLstrip, don't quote me on this because I am not positive, but I believe that all the SSL traffic should be going through as SSL at any point past the attacker machine. The traffic containing credentials if only sent in cleartext as it passes through your systems proxy (sslstrip), then is sent back out as SSL.

Regardless, I don't think the admin has many ways to detect it other then clients connecting/disconnecting on wireless. The traffic he would see looks like normal web traffic, and the payloads never touch that network regardless.

Link to comment
Share on other sites

I'm having issues getting airdrop-ng to run. I get this error message every time, I try apt-get install python-dev but it didnt help

#################################################

# Welcome to AirDrop-ng #

#################################################

Pylorcon error, do you have it installed?

Airdrop-ng will now exit

Sent 0 Packets

Exiting Program, Please take your card mon0 out of monitor mode

Link to comment
Share on other sites

Just something cool I've found today, and might be useful to someone: XDA - Android: WiFiKill

So, if you don't have and injection-capable dongle, you can use and rooted android phone to connect to the other APs and make the users look for other AP.

Also, you can use usb tether to provide wireless to your notebook if your native card doesn't have the required linux drivers. Just check usb0.

Edited by MFVX
Link to comment
Share on other sites

Just something cool I've found today, and might be useful to someone: XDA - Android: WiFiKill

So, if you don't have and injection-capable dongle, you can use and rooted android phone to connect to the other APs and make the users look for other AP.

Also, you can use usb tether to provide wireless to your notebook if your native card doesn't have the required linux drivers. Just check usb0.

That is interesting, have you tried this app out?

Link to comment
Share on other sites

Also, you can use usb tether to provide wireless to your notebook if your native card doesn't have the required linux drivers. Just check usb0.

This is the only way I used to use the pineapple, but then Verizon began throttling services at peak hours causing my 2.5MB/s down to drop to a whopping 100Kbs/down. This may not be the case for everyone though.

Jmanuel, are you sure your running the installer correctly? Should be something along these lines to install it (in backtrack 5)..

apt-get -y install linux-headers-$(uname -r) build-essential make patch autoconf python python-dev make patch gettext autoconf python-psyco subversion tcl8.5 openssl zlib1g zlib1g-dev libssh2-1-dev libssl-dev libnl1 libnl-dev libpcap0.8 libpcap0.8-dev python-scapy cracklib-runtime
chmod +x /pentest/wireless/aircrack-ng/scripts/airdrop-ng/install.py
cd /pentest/wireless/aircrack-ng/scripts/airdrop-ng/ && python install.py
airdrop-ng -u OUIUPDATE

Link to comment
Share on other sites

That is interesting, have you tried this app out?

Not yet. I don't want to do this kind of thing on my workplace. I'm just waiting till I go back home.

EDIT: Yep, it works fine! Just a little bit dangerous to be distributed that way.

Edited by MFVX
Link to comment
Share on other sites

This is the only way I used to use the pineapple, but then Verizon began throttling services at peak hours causing my 2.5MB/s down to drop to a whopping 100Kbs/down. This may not be the case for everyone though.

Jmanuel, are you sure your running the installer correctly? Should be something along these lines to install it (in backtrack 5)..

apt-get -y install linux-headers-$(uname -r) build-essential make patch autoconf python python-dev make patch gettext autoconf python-psyco subversion tcl8.5 openssl zlib1g zlib1g-dev libssh2-1-dev libssl-dev libnl1 libnl-dev libpcap0.8 libpcap0.8-dev python-scapy cracklib-runtime
chmod +x /pentest/wireless/aircrack-ng/scripts/airdrop-ng/install.py
cd /pentest/wireless/aircrack-ng/scripts/airdrop-ng/ && python install.py
airdrop-ng -u OUIUPDATE

You Are right. for whatever reason airdrop-ng didn't installed properly.

Now, I tested airdrop-ng on the same laptop that I use to run jasagerPwn.

It does deauthorize my laptop from my "homenet" network for a few seconds, but it only does it once, and instead connecting to my "pineapple" network, it connects back to "homenet"

what's the best method to do this, or does it work randomly for only a few computers?

one more thing, If I check my network connections, I'm able to see

"pineapple" (The default network name on my pinapple, which is Unsecured)

"homenet" ( The network I use to connect at home, which is secure WPA2-PSK)

"homenet" (fake network, created by my pineapple, which is Unsecured)

If I connect manually to the "pineapple" network, I'm able to get an IP, and I also get connection to the Internet, but if I connect to the fake "homenet" I get 169.254.x.x, any I ideas why I'm not able to get an IP?

Edited by Jmanuel
Link to comment
Share on other sites

Assuming you have Karma turned on, it shouldn't be broadcasting as "pineapple".

Secondly, Karma will only respond to probes for UNSECURED wifi networks. Go into your network settings and manually add a network without WEP/WPA, call it "attwifi" or something. Karma should respond to that probe as it has the same security type as your pineapple(unsecured). A 169 address is a windows thing (Don't remember the name.. but it has one), basically its windows way of saying "Something went wrong and I am bad at handling networks, so I'm going to give you a useless address".

Keep in mind most people have at least 1 saved unsecured network in their windows wifi lists, weather it was that one time they connected at starbucks, or that time they decided to click on their neighbors unsecured wifi.

airdrop-ng should DeAuth everybody consistently EXCEPT your gateway interface (gatewayIFACE) and your pineapples network(Assuming you set the MAC address in the script).

Edited by leg3nd
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...