
MANA Attack, for the Pineapple.


Zylla


MANA-Toolkit!
Pineapple NANO + TETRA.

(IPK installation-files, and source-files ready to compile with OpenWRT-SDK)


MANA Toolkit includes a working version of SSLstrip2+dns2proxy for the Pineapples.

Last update: 22.07.2018
Changelog:

  • Taxonomy part of hostapd is activated.
  • Updated to follow upstream, same updated source-code as Sensepost is using.
  • Changes have been done to installation part! Remember to read the output!
  • Will no longer use a copy of my python-library. But download the needed python packages fro

SSLstrip2, SSLsplit, dns2proxy, crackapd, net-creds, firelamb and every part of the MANA-Toolkit comes with the package. (Even aslEAP)
EAP penetration testing is now very feasible.
 

Install procedure:

root@Pineapple:~# wget -qO- https://raw.githubusercontent.com/adde88/hostapd-mana/master/INSTALL.sh | bash -s -- -v -v

After a little while you should get a message saying installation was successful. But we're not quite done. You need to install the python-dependencies with this command:

root@Pineapple:~# install-mana-depends


How do I start MANA?
Make sure you are not using wlan1 for anything (for example having it in monitor mode).
If you are, hostapd-mana will not be able to set the interface to 'master' mode.

Type 'launch-mana' in the terminal to launch the attack.
The attack should go silently into the background while at the same time giving output to the screen and to the log-files.

root@Pineapple:~# launch-mana

Type 'kill-mana' in the terminal to stop the attack.

root@Pineapple:~# kill-mana

 

Module:
https://github.com/adde88/ManaToolkit
I have released a "pre-release" version of the Mana Toolkit "Module" for the Pineapples.
This lets you launch the attack from the Pineapples web-interface.
General feedback or tips for improving the module are greatly appreciated!
 

Github repo. + source-codes:
https://github.com/adde88/hostapd-mana-openwrt
https://github.com/adde88/hostapd-mana
https://github.com/adde88/ManaToolkit  (The Mana Toolkit Module - dev. stage)


The first repo. contains the IPK files you need to install everything, but it also contains the files you need to build it yourself with a proper SDK.
The second repo. is used by the SDK. The SDK Makefile will download everything it needs from this repo. to build the MANA-Toolkit package.
You don't need to touch the second repo. to get anything up and running. (OpenWRT-SDK should handle this automatically.)
The third repo. is the MANA Toolkit "Module", that needs testing and feedback from you guys.
It also has a new dev-branch that contains my latest fresh changes, but it's not as stable as the master branch.

Important directories:
Config files: /etc/mana-toolkit/
Log files: /pineapple/modules/ManaToolkit/log   (This is the log-directory, even if you don't have the Module installed)

You will find the usual MANA Tools at:  /usr/share/mana-toolkit/

OPKG Installation Files: (For those who want to install it manually):
https://github.com/adde88/hostapd-mana-openwrt/raw/master/bin/ar71xx/packages/base/asleap_2.2-1_ar71xx.ipk
https://github.com/adde88/hostapd-mana-openwrt/raw/master/bin/ar71xx/packages/base/hostapd-mana_2.6-15_ar71xx.ipk

 

Donations are very helpful, and would help me contribute towards keeping all of these custom tools ported and up-to-date.
Donations


Hi Zylla,

Thanks for your hard work and for sharing! :wink: I'm just stuck in the dark about what I should do with the MANA-Toolkit on the Pineapple. Is it better than PineAP itself, or do you combine them? The EAP thing is new on the Pineapple (I mean).

In which case do you use it on your Pineapple?


This is under development. So the only thing the startup-script will do at the moment is to behave as a normal AP would on wlan1 (with the mana patches).
It will try to fool clients that are probing for networks to connect to it.
If my phone is looking for "FREE_WIFI", the Pineapple would then send a probe-response with that SSID.
Other clients will NOT see these probe-responses/SSIDs, like they will with PineAP or Karma. So it's a bit "stealthier".

When the script is "completed" it should run just like it would on a computer.

  • hostapd-mana - modified hostapd that implements new karma attacks and looks a lot like PineAP
  • crackapd - a tool for offloading the cracking of EAP credentials to an external tool (asleap) and re-adding them to the hostapd EAP config (auto crack 'n add)
  • sslstrip-hsts - Modified sslstrip + dns2proxy
  • Firelamb - captures and writes cookies to a firefox profile for easy use.

I do not suggest you install this yet if you don't know that much about hostapd, mana-toolkit, etc.
If you watch the presentation from Sensepost about MANA, or read about it, you should get some ideas about what the Pineapple could do. :)

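One way to detect the behaviour Zylla describes above (an AP answering directed probe requests for SSIDs it never beacons) from a passive capture, as an added example that is not part of the original thread or of the MANA toolkit. The frame representation, addresses and SSIDs are all constructed for the example:

```python
"""Heuristic detector for KARMA/MANA-style access points.

A MANA AP answers probe requests for whatever SSID a client asks for, but
those SSIDs never appear in its beacons, so other stations never see them.
A legitimate AP only answers for the network(s) it beacons.  We therefore
count, per BSSID, the SSIDs it responded with but never beaconed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Frame(NamedTuple):
    kind: str    # "beacon" or "probe_resp" (constructed, simplified model)
    bssid: str   # transmitter address of the AP
    ssid: str    # SSID element carried in the frame


# Constructed sample capture; every address and SSID is made up.
SAMPLE = [
    Frame("beacon",     "02:00:00:aa:aa:aa", "Pineapple"),
    Frame("probe_resp", "02:00:00:aa:aa:aa", "FREE_WIFI"),
    Frame("probe_resp", "02:00:00:aa:aa:aa", "HomeNet"),
    Frame("probe_resp", "02:00:00:aa:aa:aa", "Cafe-Guest"),
    Frame("beacon",     "02:00:00:bb:bb:bb", "Office5G"),
    Frame("probe_resp", "02:00:00:bb:bb:bb", "Office5G"),
]


def unbeaconed_responses(frames: Iterable[Frame]) -> Dict[str, Set[str]]:
    """For each BSSID, the SSIDs it answered probes for but never beaconed."""
    beaconed: Dict[str, Set[str]] = defaultdict(set)
    responded: Dict[str, Set[str]] = defaultdict(set)
    for f in frames:
        target = beaconed if f.kind == "beacon" else responded
        target[f.bssid].add(f.ssid)
    result = {b: responded[b] - beaconed[b] for b in responded}
    return {b: s for b, s in result.items() if s}


def flag_karma_like(frames: Iterable[Frame], threshold: int = 2) -> List[str]:
    """BSSIDs that answered for at least `threshold` SSIDs they do not beacon."""
    suspects = unbeaconed_responses(frames)
    return sorted(b for b, s in suspects.items() if len(s) >= threshold)


if __name__ == "__main__":
    for bssid in flag_karma_like(SAMPLE):
        print("possible KARMA/MANA AP:", bssid, sorted(unbeaconed_responses(SAMPLE)[bssid]))
```

A single unbeaconed SSID can be a hidden network, so the threshold is deliberately above one; raise it on busy sites to keep the false-positive rate down.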

I'm trying to tweak the script to run it on a MKV.

I changed wlan1 to wlan0/0-1 in the script, but I'm still getting errors:

rfkill: Cannot open RFKILL control device
nl80211: Could not configure driver mode
nl80211 driver initialization failed.
hostapd_free_hapd_data: Interface wlan0 wasn't started

rfkill is installed from what I see, but it seems not to work correctly.

My guess is that wlan0 is initialized with the karma hostapd config file. But the file is not static and is located in the /temp/ folder.

I'm searching for the script that starts wlan0/0-1 or creates the hostapd file, to modify it to use the mana config file. Anybody have a hint where it is located?

The rfkill warning can safely be ignored. I get it as well.
Regarding the driver failing to initialize: the most common problem is that the device is already in use by another hostapd/karma process.
Try this:

#!/bin/bash
killall hostapd
airmon-ng check kill
/usr/share/mana-toolkit/run-mana/mana-pineapple.sh


 

Link to comment
Share on other sites

Thanks for the fast reply.

I think it's because the interface wlan0 is initialized with the karma hostapd. Still no luck killing hostapd before starting the script.

root@WiFi Router:~# killall hostapd
root@WiFi Router:~# airmon-ng check kill
Killing these processes:

 3014 root      1816 S    /usr/sbin/wpa_supplicant -B -P /var/run/wpa_supplica
 3049 root      1380 S    udhcpc -p /var/run/udhcpc-wlan1.pid -s /lib/netifd/d
 3408 root      1376 S    grep wpa_action\|wpa_supplicant\|wpa_cli\|dhclient\|

root@WiFi Router:~# /usr/share/mana-toolkit/run-mana/mana-pineapple.sh
Pineapple seems to be: ONLINE.
RTNETLINK answers: File exists
Configuration file: /etc/mana-toolkit/hostapd-mana.conf
rfkill: Cannot open RFKILL control device
nl80211: Could not configure driver mode
nl80211 driver initialization failed.
hostapd_free_hapd_data: Interface wlan0 wasn't started
MANA has started successfully! Press enter to kill it properly

 

Link to comment
Share on other sites

Are you running the MKV in client mode?
Because I see that wpa_supplicant is running, and also udhcpc (DHCP client).
If wpa_supplicant is running on wlan0 or wlan0-1 it will interfere with launching hostapd on the same interface.


Yes I am. But also when I stop it, I have the same error.

But running top I saw this:

 1832     1 root     S     1856   3%   0% /usr/sbin/hostapd -P /var/run/wifi-ph

/var/run/hostapd-phy0.conf


And it restarts automatically. I think a sort of cronjob is running to keep it alive.

I think the best option is to swap it to the mana conf file.

 

Link to comment
Share on other sites

Test this then.
 

#!/bin/bash
uci set wireless.@wifi-iface[0].mode='sta'
uci set wireless.@wifi-iface[1].mode='sta'
uci set wireless.@wifi-iface[2].mode='sta'
uci commit wireless
wifi

This will edit your /etc/config/wireless file a bit.
To check what settings you already have, you can run: uci show wireless, or just make a backup of your /etc/config/wireless file.

Try to run those commands I wrote above; if it doesn't work then I'd like to see what your original /etc/config/wireless file looks like :)


Thanks for your patience.

Solution was:

reset wifi settings

run your script (not sure if it's necessary)

and bam:

MANA - Attempting to generate Broadcast response : xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
MANA - Attempting to generate Broadcast response : xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
MANA - Attempting to generate Broadcast response : xxxxxxxxxxxxxxxxxxxxxx
MANA - Attempting to generate Broadcast response : xxxxxxxxxxxxxxxxxxxxxxxxxx
MANA - Attempting to generate Broadcast response :xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Seems to run very nicely till now.

Now I'm trying to get sslstrip and the other tools to run properly.

 

Thanks a lot
 


My startup-script just takes care of loading hostapd-mana with the config file, sets up a DHCP server, modifies iptables correctly, and loads sslstrip2, dns2proxy, sslsplit and net-creds with the correct settings.

You could also just launch hostapd-mana from the console and supply the config file. But the clients will not connect properly, receive an IP address and so forth.

I'd love to see people work on improving the script though, so feel free to share ideas. :)


SSLstrip seems to miss some dependencies:

Traceback (most recent call last):
  File "/usr/share/mana-toolkit/sslstrip-hsts/sslstrip2/sslstrip.py", line 27, in <module>
    from twisted.web import http

 

 

And for getting hostnames in the Clients page (WEBGUI):

modify: nano /pineapple/modules/Clients/api/module.php

Change the line

$leases = explode("\n", @file_get_contents('/var/run/dnsmasq.leases'));

to

$leases = explode("\n", @file_get_contents('/var/lib/misc/dnsmasq.leases'));


Yeah, SSLstrip+ is "broken" currently, because some python-libraries need to be updated. (Twisted, Zope, etc..)
I have gotten it to run by cross-compiling the python-packages myself, but it took a lot of tweaking. So the easiest solution would be to just wait for the packages to get updated.
I would guess that's a high priority, given that it actually runs pretty nicely on the Nano, not to mention the Tetra!

I'll see if I have a copy of that python directory with the working libraries. (If you wanted to test sslstrip+)
You would then just overwrite your current python dir (/usr/lib/python2.7) with my copy. And it should run.


https://github.com/adde88/hostapd-mana-openwrt/blob/master/python2.7.tar.gz

Here is a copy of my /usr/lib/python2.7 folder.
The contents of this file need to be extracted into your /usr/lib/python2.7 folder if you want to run SSLstrip+ on the Pineapple.
This currently works to get SSLstrip+ up and running. (And everything else in the mana-toolkit)

It's not the prettiest "fix", but it works. I'll update it when I get time.

Remember!
If your python2.7 folder is located on the SD-card, you need to extract this to /sd/usr/lib/python2.7
Or another dir. on the SD-card, and then make a symlink from that folder to /usr/lib/python2.7
This folder is 30MB when extracted!
Do NOT extract it anywhere on your internal storage, except on the Pineapple Tetra, which has the capacity.


Thanks for the advice.

Installed an SD card. But sslstrip is still missing some modules (twisted web etc).

I'll try to find out what's the matter. Maybe I have to reinstall python or register the modules in some way.

Thanks, I appreciate your help a lot. Thanks


Twisted and all the other libs you need to run SSLstrip+ are included with the python2.7.tar.gz file I uploaded.
I would start by removing python completely from the device. (Both internal, and sd-card)
Then create this folder on the SD-card: /sd/usr/lib/python2.7/
Extract the contents of the archive to that folder.
Then issue these commands:

rm -r /usr/lib/python2.7/
ln -s /sd/usr/lib/python2.7/ /usr/lib/python2.7


The folder is 100% on the SD and it's your folder.

Removed all python packages from root: python-base python-light python-openssl python-sqlite3 python-codecs

Reinstalled all to -d sd

Removed all files and folders in /sd/usr/lib/python2.7/ and unpacked your files

This gets me:

python /usr/share/mana-toolkit/sslstrip-hsts/sslstrip2/sslstrip.py
Traceback (most recent call last):
  File "/usr/share/mana-toolkit/sslstrip-hsts/sslstrip2/sslstrip.py", line 27, in <module>
    from twisted.web import http
ImportError: No module named twisted.web

But since python-twisted web is missing in my opkg manager, the system did not recognize the module anyway, no matter if the files are in the folder. I have to search for a python-twisted web package for my version, I think.

And I saw that in line 28 twisted.internet is needed. I'll try to search for a package and I hope I don't brick it...

Thanks for all the help

Edit:

I'm not the only one; the package is missing....


I suspect some files were missing in my last archive.
I've created another archive and tested it on both my Nano and Tetra. (100% working)
I'll upload it to the github repo. in a few seconds.

Regarding "opkg not showing twisted-web": that's because you have not used opkg to install twisted, or any of the other libraries. (I'll try to add the modules to the ipk file later, so it gets installed with the toolkit)
To correctly show your python libraries use: pip freeze


Since it's a clone of my python directory the output of pip freeze should be the same on your Pineapple as mine.

Here it goes:
 

root@Pineapple:~# pip freeze
Conch==0.8.0
Twisted==2.5.0
Twisted-Lore==0.3.0
Twisted-Mail==0.4.0
Twisted-Names==0.4.0
Twisted-News==0.3.0
Twisted-Runner==0.2.0
Twisted-Web==0.7.0
Twisted-Words==0.5.0
dnspython==1.14.0
nose==1.3.7
pcapy==0.10.9
py==1.4.31
pyOpenSSL==0.10
pycrypto==2.6
pyrit==0.4.0
pytest==3.0.3
scapy==2.3.1
sslstrip==0.9
wsgiref==0.1.2
zope.interface==4.3.2
