mubix
-
Posts
516 -
Joined
-
Last visited
-
Days Won
3
Posts posted by mubix
-
-
This has changed ? - You should be able to download the boxes from here now: https://app.vagrantup.com/rapid7
-
Sorry, but building it had to be a per-person item due to how the terms of use are written for the trials of Windows. Sorry
-
What you are doing is opening a TCP port that a payload can talk to, you need to have the payload actually on the device via exploit or command execution before you will actually get a real shell.
-
That means that a connection isn't happening between you handler and your payload. Can the two machines talk to each other?
-
Yup, because you have just set up a handler. The handler is there to receive payloads. You have to use an exploit or otherwise execute a payload before anything will show up there.
-
Good question, I have often thought about the same thing but never tracked it down. You should still be able to get the keys pressed. :/ I'll check it out and post back if I can figure it out. If you have figured it out since you've posted, please let us know
-
When I do physical assessments that have WPA/2 enabled wireless networks I would like to have the ability to walk around the facility with a pineapple in my backpack and have it constantly trying to get a handshake in a reliable way.
Here are a few requirement requests:
- Stability is key. I might only get one walk through to get it done.
- Needs to support more than one WPA ESSID (name). If I am targeting a building and they have a Employee and Guest networks I need to be able to get both in one go. See #1
- Ability to automatically verify the handshake is valid via Aircrack or other tool
- Remove WPA ESSID automatically from the rotation if valid handshake is captured
- Shutdown the pineapple if all captured (save battery) optional setting
- Constantly be re-scanning the area for best AP to target. (If "BOBWIFI") is no longer in range it shouldn't attack it again
- Always target AP with best signal if possible
- Prioritize APs with clients if possible
- Have an auto-on with loaded AP names so I can just plug in the Pineapple when it's go time and not have to configure anything post-boot.
- Have the ability to auto-add APs in the area to a "temp" list while keeping a "target" list.
- List of APs with captured/verified handshakes for easy download of cap file
- Use both wifi cards if possible for 5ghz (TETRA) as well as 2ghz
- Try a few ways to get the handshake, I know there are a few techniques out there but I don't recall them all.
Thoughts?
-
4
-
I'm soo late to this game but I made a video to describe my feelings about it and help where I can to spread the word:part of http://hackingtogether.org/We on this list are for the most part already participating in a social group that has support. I'm not saying we don't have problems, but the ones that don't have such support, who aren't part of any groups or you only see at a con or two, but don't speak, don't participate in CTFs or other side events. Those are the ones (usually) in the most danger of feeling isolated. So, if you know people like that, reach out, invite them to be part of your team, group, or talk.Let us all help to make sure that another life isn't list for avoidable reasons. There are too few of us as it is.
-
Pictures and screenshots could help with troubleshooting. Right now all we have to go on is this:
- You are using a 2GB SD card from an old phone formatted to FAT (I'm assuming this is a microSD
- You tried multiple payloads and they didn't work.
Questions:
- Are you encoding the payloads?
- What payloads have you tried?
- Does it recognize as a keyboard when you plug it in?
- What operating systems have you tried plugging it into?
- inject.bin is in the root folder of the SD card right?
-
HowToGeek has a good write up on cracking WPA - http://www.howtogeek.com/202441/your-wi-fi’s-wpa2-encryption-can-be-cracked-offline-here’s-how/
You also have the Hak5 episode about cracking WPA:
-
@Faelian You need to drop another binary, like a meterpreter binary. Apache automatically de-escalates it's processes/threads down to www-data, which is a built in function of the binary, so even if you SETUID it, it should still act the same giving you only www-data. So in order to gain the persistence, you'd have to put another binary on disk or setuid one that is already there that you can manipulate. Check out this post for more info: https://www.pentestpartners.com/blog/exploiting-suid-executables/
-
@ootuoyetahi sorry, like the others said, I get out to record episodes as much as I can, but this year has been pretty crazy for me
-
With the new Python extension, you can do a ton of things, coupled with the stageless meterpreter, you can run full python scripts ahead of Meterpreter ever attempting a callback.
Link to how to use the extension: https://github.com/rapid7/metasploit-framework/wiki/Python-Extension
-
We have the topics set up. It's just finding time in both the studio and my schedule that I can fly out and knock some episodes out. Seeming to be tough to do these last few months
-
Non root mobile devices, persistent meterpreter!
this is a challenge, how many ways can you launch a meterpreter. I was thinking about a modified phone charger...
What would the phone charger do? It's plugged into a wall on one end, and an iPhone on the other (and everything past I believe iOS 7.0, the phone asks if it should trust the "computer" when trying to do anything). Or if you are targeting Android you still have an issue of cable / computer trust.
-
Please show us how to connect 2 instances of Metasploit together, so for example, I want an instance running on a VPS in the cloud to wait for connections from shell's etc and another running on my laptop and be able control the one in the cloud from my local copy etc so that my local copy retains all the database information and reverse credentials without having my laptop details exposed. I guess i am wanting to use the cloud instance as a remote launch pad does this make any sense??
Why not just use the cloud instance? Metasploit is all commandline driven anyways. And if you are using the GUI it's the same. Do you just want the database local?
-
reverse_tcp connections I use when I know that system can get directly to me. bind_tcp I use when I don't have another option and reverse_http / reverse_https are the ones I use the most.
-
Lots of great info in the README for it: https://github.com/rstprosvc/CounterSploit
-
mreidiv said:
What about using metasploit as a defensive tool ie...Countersploit. Or will that take to long for the show?I knew Coutersploit existed but I haven't tried it out yet. I'll try it out and let you know how it goes, maybe make it into a show
-
Awesome! Create a new topic on the forum and we can discuss it! Looking forward to hearing from all of you and making the Metasploit Minute what you guys want it to be.
-
Sorry don't have the phone anymore. Trying to find a phone that will work good. :/
-
Someone linked me to this on twitter today: http://penturalabs.wordpress.com/2013/07/29/green-for-the-anti-pineapple/
-
Any ideas on why the droid would show USB not connected, when I connect with the exact same cable to a PC it works just fine.
This is what I get in dmesg
[ 996.800000] usb 1-1.2: new high-speed USB device number 29 using ehci-platform [ 996.930000] scsi20 : usb-storage 1-1.2:1.0 [ 997.130000] usbcore: deregistering interface driver usbserial_generic [ 997.130000] USB Serial deregistering driver generic [ 997.140000] usbcore: deregistering interface driver usbserial [ 997.170000] usbcore: registered new interface driver usbserial [ 997.170000] USB Serial support registered for generic [ 997.180000] usbcore: registered new interface driver usbserial_generic [ 997.180000] usbserial: USB Serial Driver core [ 997.590000] usb 1-1.2: USB disconnect, device number 29
-
Mailvelope is still a good solution on Windows. My only hit on the product was that the developer wasn't using the available encryption in Chrome to encrypt his storage so that an offline attacker couldn't get the keys. And yes your point still holds that if people use a good password then the keys will be useless to the attacker.
Metasploitable3 for vmware - download?!
in Metasploit Minute
Posted
Oh come on, most of the work is done for you with the Vagrant boxes. Don't be lazy ?